Trademarks Copyright © PLANET Technology Corp. 2016. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
User’s Manual of SGS-6340 series

Chapter 1 INTRODUCTION

Thank you for purchasing the PLANET L3 Multi-Port Full Gigabit Stackable Managed Switch, SGS-6340-24T4S/SGS-6340-24P4S/SGS-6340-20S4C4X/SGS-6340-48T4S/SGS-6340-16XR. The models are described as follows:

SGS-6340-24T4S: Layer 3 24-Port 10/100/1000T + 4-Port 1000X SFP Stackable Managed Switch
SGS-6340-24P4S: Layer 3 24-Port 10/100/1000T 802.
Abundant IPv6 Support

The SGS-6340 Series provides IPv6 management and enterprise-level security features such as SSH, ACL, WRR and RADIUS authentication. The SGS-6340 Series thus helps enterprises step into the IPv6 era with the lowest investment. In addition, the network facilities do not need to be replaced when the IPv6 FTTx edge network is built.

standard-based management software. For text-based management, the SGS-6340 Series can be accessed via Telnet and the console port. Moreover, the SGS-6340 Series offers secure remote management by supporting SSH connections, which encrypt the packet content of each session.

Flexibility and Extension Solution

The SGS-6340-20S4C4X provides twenty-four 100/1000Mbps dual-speed SFP fiber ports, four 1/10Gbps SFP+ fiber ports, and four 10/100/1000Mbps TP/SFP combo ports.

The SGS-6340-24P4S’s PoE capabilities also help to reduce deployment costs for network devices, since devices are freed from the restrictions of power outlet locations. Power and data switching are integrated into one unit, delivered over a single cable and managed centrally. This eliminates the cost of additional AC wiring and reduces installation time.

16K MAC address table, automatic source address learning and aging
Supports VLAN
- IEEE 802.1Q tag-based VLAN
- GVRP for dynamic VLAN management
- Up to 256 VLAN groups, out of 4041 VLAN IDs
- Provider Bridging (VLAN Q-in-Q, IEEE 802.

Supports ARP inspection
IP Source Guard prevents IP spoofing attacks
Dynamic ARP Inspection discards ARP packets with an invalid MAC-address-to-IP-address binding

Management
Management IP for IPv4 and IPv6
Switch Management Interface
- Console/Telnet Command Line Interface
- Web switch management
- SNMP v1, v2c, and v3 switch management
- SSH/SSL secure access
BOOTP and DHCP for IP address assignment
Firmware upload/download via TFTP or HTTP Protocol
1.4 Product Specifications

Product | SGS-6340-24T4S | SGS-6340-24P4S | SGS-6340-48T4S
Hardware Specifications
Copper Ports | 24 10/100/1000BASE-T RJ45 auto-MDI/MDI-X ports | 24 10/100/1000BASE-T RJ45 auto-MDI/MDI-X ports, 24 ports with 802. | 48 10/100/1000BASE-T RJ45 auto-MDI/MDI-X ports

Management Functions
System Configuration: Console, Telnet, SSH, Web browser, SNMP v1, v2c and v3
Supports both IPv4 and IPv6 addressing
Supports the user IP security inspection for IPv4/IPv6
SNMP: Supports MIB and TRAP
Supports IPv4/IPv6 FTP/TFTP
Supports IPv4/IPv6 NTP
Supports RMON 1, 2, 3, 9 four groups
Supports the RADIUS authentication for IPv4/IPv6 Telnet user name and password
Supports IPv4/IPv6 SSH
The right configuration for users to adopt RADIUS serve

IP subnet VLAN
Bandwidth Control: TX/RX/both
Link Aggregation: IEEE 802.3ad LACP/static trunk; supports 128 groups with 8 ports per trunk group
QoS: 8 priority queues on all switch ports; supports strict priority and Weighted Round Robin (WRR) CoS policies
Traffic classification:
- IEEE 802.

RFC 2454 UDP6 MIB
RFC 2465 IPv6 MIB
RFC 2466 ICMP6 MIB
RFC 2573 SNMP v3 notify
RFC 2574 SNMP v3 vacm
RFC 2674 Bridge MIB Extensions (IEEE 802.1Q MIB)
RFC 2674 Bridge MIB Extensions (IEEE 802.1P MIB)

Standard Conformance
Regulatory Compliance: FCC Part 15 Class A, CE
Standards Compliance:
IEEE 802.3 10BASE-T
IEEE 802.3u 100BASE-TX
IEEE 802.3z Gigabit 1000BASE-SX/LX
IEEE 802.3ab Gigabit 1000BASE-T
IEEE 802.3x flow control and back pressure
IEEE 802.

Product | SGS-6340-20S4C4X | SGS-6340-16XR
Hardware Specifications
Copper Ports | 4 10/100/1000BASE-T RJ45 auto-MDI/MDI-X ports, shared with port-21 to port-24 | --
SFP/mini-GBIC Slots | 24 100/1000BASE-X SFP interfaces; compatible with 100BASE-FX SFP transceiver | --
SFP+ Slots | 4 10GBASE-SR/LR SFP+ interfaces (port-25 to port-28); compatible with 1000BASE-SX/LX/BX SFP transceiver | 16 10GBASE-SR/LR SFP+ interfaces; compatible with 1000BASE-SX/LX/BX SFP transceiver
Console | 1 x R

Supports the RADIUS authentication for IPv4/IPv6 Telnet user name and password
Supports IPv4/IPv6 SSH
The right configuration for users to adopt RADIUS server’s shell management
Supports CLI, console, Telnet
Supports SNMPv1, v2c and v3
Supports the Security IP management function: prevents unauthorized logins from non-permitted addresses
Supports Syslog server for IPv4 and IPv6
Supports TACACS+

Layer 3 Function
IP Interface: Per VLAN, up to 128
Routing Protocol
Routing Table

- Port-based WRR
Multicast:
IGMP v1/v2/v3 snooping, Querier mode support
MLD v1/v2 snooping, Querier mode support
Multicast VLAN Register (MVR)
Access Control List:
Supports Standard and Expanded ACL
IP-based ACL/MAC-based ACL
Time-based ACL
Up to 512 entries
Bandwidth Control: At least 64Kbps stream
Security:
Supports MAC + port binding
IPv4/IPv6 + MAC + port binding
IPv4/IPv6 + port binding
Supports MAC filter
ARP scanning prevention
Authentication
SNMP MIBs: IEEE 802

IEEE 802.3ad port trunk with LACP
IEEE 802.1D Spanning Tree Protocol
IEEE 802.1w Rapid Spanning Tree Protocol
IEEE 802.1s Multiple Spanning Tree Protocol
IEEE 802.1p Class of Service
IEEE 802.1Q VLAN tagging
IEEE 802.1X port authentication network control
IEEE 802.
Chapter 2 INSTALLATION

This section describes how to install your Managed Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps. This section describes how to install the Managed Switch and the installation points to pay attention to.

2.1 Hardware Description
2.1.

SGS-6340-16XR Front Panel
Figure 2-4 SGS-6340-16XR Front Panel
■ Gigabit TP interface: 10/100/1000BASE-T copper, RJ45 twisted-pair, up to 100 meters.
■ Gigabit SFP slots: 100/1000BASE-X mini-GBIC slot, SFP (Small Form-factor Pluggable) transceiver module; from 550 meters to 2 km (multi-mode fiber), up to 10/20/30/40/50/70/120 kilometers (single-mode fiber). Only the SGS-6340-20S4C4X supports 100BASE-FX.
2.1.2 LED Indications

The front panel LEDs indicate the instant status of port links, data activity, system operation, stack status and system power.

SGS-6340-24T4S LED Indication
Figure 2-5 SGS-6340-24T4S LED Panel
■ System LED
LED | Color | Function
PWR | Green | Lights to indicate that the Switch has power.
PWR | Off | Power is off.
SYS | Green | Lights to indicate that the system diagnosis is completed. Blinks while the system is booting.

SGS-6340-48T4S LED Indication
Figure 2-6 SGS-6340-48P4S LED Panel
■ System LED
LED | Color | Function
PWR | Green | Lights to indicate that the Switch has power.
PWR | Off | Power is off.
SYS | Green | Lights to indicate that the system diagnosis is completed. Blinks while the system is booting.

SGS-6340-24P4S LED Indication
Figure 2-7 SGS-6340-24P4S LED Panel
■ System LED
LED | Color | Function
PWR | Green | Lights to indicate that the Switch has power.
PWR | Off | Power is off.
SYS | Green | Lights to indicate that the system diagnosis is completed. Blinks while the system is booting.
■ 10/100/1000BASE-T Interfaces
LED | Color | Function
LNK/ACT | Green | Lights to indicate that the link through that port is successfully established.

SGS-6340-20S4C4X LED Indication
Figure 2-8 SGS-6340-20S4C4X LED Panel
■ System LED
LED | Color | Function
PWR | Green | Lights to indicate that the Switch has power.
PWR | Off | Power is off.
SYS | Green | Lights to indicate that the system diagnosis is completed. Blinks while the system is booting.

SGS-6340-16XR LED Indication
Figure 2-8 SGS-6340-16XR LED Panel
■ System/Alarm LED
LED | Color | Function
PWR | Green | Lights to indicate that the Switch has power.
PWR | Off | Power is off.
SYS | Green | Blinks to indicate that the system diagnosis is completed.
SYS | Off | System is booting.
FAN | Red | Lights to indicate that the Switch has a fan fault.
2.1.3 Switch Rear Panel

The rear panel of the Managed Switch has an AC inlet power socket, which accepts input power from 100 to 240V AC, 50-60Hz. Figure 2-9 ~ Figure 2-12 show the rear panel of this Managed Switch.

■ AC Power Receptacle: For compatibility with electric service in most areas of the world, the Managed Switch’s power supply automatically adjusts to line power in the range of 100-240V AC and 50/60 Hz. Plug the female end of the power cord firmly into the receptacle on the rear panel of the Managed Switch. Plug the other end of the power cord into an electric service outlet and the power will be ready.

2.2 Installing the Managed Switch

This section describes how to install your Managed Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps. This section describes how to install the Managed Switch and the installation points to pay attention to.
2.2.

Step 5: Supply power to the Managed Switch. Connect one end of the power cable to the Managed Switch. Connect the power plug of the power cable into a standard wall outlet. When the Managed Switch receives power, the Power LED should remain solid green.

2.2.2 Rack Mounting
To install the Managed Switch in a 19-inch standard rack, please follow the instructions described below.

Figure 2-15 Mounting SGS-6340 Series in a Rack
Step 6: Proceed with steps 4 and 5 of section 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch.

2.2.3 Installing the SFP/SFP+ Transceiver
This section describes how to insert an SFP/SFP+ transceiver into an SFP/SFP+ slot. The SFP/SFP+ transceivers are hot-pluggable and hot-swappable.

Approved PLANET SFP/SFP+ Transceivers
The PLANET Managed Switch supports both single-mode and multi-mode SFP/SFP+ transceivers. The following list of approved PLANET SFP/SFP+ transceivers is correct at the time of publication:
Fast Ethernet Transceiver (100BASE-X SFP)
Connector Interface | Model | Speed (Mbps) | Fiber Mode | Distance | Wavelength (nm) | Operating Temp.

Gigabit Ethernet Transceiver (1000BASE-BX, Single Fiber Bi-directional SFP)
Connector Interface | Model | Speed (Mbps) | Fiber Mode | Distance | Wavelength (TX/RX) | Operating Temp.

1. Before connecting the SGS-6340 Series to another network device, make sure both sides of the SFP transceivers are of the same media type, for example 1000BASE-SX to 1000BASE-SX, 1000BASE-LX to 1000BASE-LX.
2. Check whether the fiber-optic cable type matches the SFP transceiver requirement. To connect to a 1000BASE-SX SFP transceiver, please use a multi-mode fiber cable with one side being the male duplex LC connector type.
Chapter 3 Switch Management

3.1 Management Options
After purchasing the switch, the user needs to configure it for network management. The switch provides two management options: in-band management and out-of-band management.

3.1.1 Out-of-Band Management
Out-of-band management is management through the Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.

Step 2: Entering the HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP.
1) Click Start menu - All Programs - Accessories - Communication - HyperTerminal.
Figure 3-2 Opening HyperTerminal
2) Type a name for opening HyperTerminal, such as “Switch”.
3) In the “Connect using” drop-down list, select the RS-232 serial port used by the PC, e.g., COM1, and click “OK”.
Figure 3-4 Opening HyperTerminal
4) The COM1 properties dialog appears; select “9600” for “Baud rate”, “8” for “Data bits”, “none” for “Parity checksum”, “1” for the stop bit and “none” for traffic control; or click “Restore default” and then “OK”.

System is booting, please wait...
Bootrom version: 7.1.37
Creation date: Aug 15 2014 - 16:59:42
Testing RAM...
0x10000000 RAM OK.
Loading flash:/nos.img ...
## Booting kernel from Legacy Image at 62000100 ...
   Image Name:   Linux-3.6.5+
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    11772899 Bytes = 11.2 MiB
   Load Address: 60008000
   Entry Point:  60008000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Starting kernel ...
3.1.2 In-band Management
In-band management refers to managing the switch by logging in with Telnet, by HTTP, or by using SNMP management software to configure the switch. In-band management enables the switch to be managed from some of the devices attached to it. If in-band management fails due to switch configuration changes, out-of-band management can be used to configure and manage the switch.
3.1.2.

Step 2: Run the Telnet client program.
Run the Telnet client program included in Windows with the specified Telnet target.
Figure 3-7 Run the Telnet client program included in Windows
Step 3: Log in to the switch.
Log in to the Telnet configuration interface. A valid login name and password are required; otherwise, the switch rejects Telnet access. This is the method that protects the switch from unauthorized access.

3.1.2.2 Management via HTTP
To manage the switch via HTTP, the following conditions should be met:
1) The switch has an IPv4/IPv6 address configured;
2) The host IPv4/IPv6 address (HTTP client) and the switch’s VLAN interface IPv4/IPv6 address are in the same network segment;
3) If 2) is not met, the HTTP client should connect to an IPv4/IPv6 address of the switch via other devices, such as a router.

Step 3: Log in to the switch.
Log in to the Web configuration interface. A valid login name and password are required; otherwise, the switch rejects HTTP access. This is the method that protects the switch from unauthorized access.

Enter the correct username and password, and the main Web configuration interface appears as shown below.
Figure 3-11 Main Web Configuration Interface
When configuring the switch, the name of the switch is composed of English letters.
3.1.2.
The CLI interface is familiar to most users. As mentioned above, out-of-band management and Telnet login are both performed through the CLI interface to manage the switch. The CLI interface is supported by the Shell program, which consists of a set of configuration commands. These commands are categorized according to their functions in switch configuration and management. Each category represents a different configuration mode.

3.2.1 Configuration Modes
Figure 3-12 Shell Configuration Modes
3.2.1.1 User Mode
On entering the CLI interface, the user first enters the user entry system. A common user defaults to User Mode. The prompt shown is “Switch>”; the symbol “>” is the prompt for User Mode. When the exit command is run under Admin Mode, it also returns to User Mode. Under User Mode, no configuration of the switch is allowed; only the clock time and version information of the switch can be queried.
3.2.1.

3.2.1.3 Global Mode
Type the config command under Admin Mode to enter Global Mode, with the prompt “Switch(config)#”. Use the exit command under other configuration modes, such as Port Mode or VLAN Mode, to return to Global Mode. The user can perform global configuration settings under Global Mode, such as the MAC table, port mirroring, VLAN creation, IGMP Snooping start and STP, etc., and can go further into Port Mode to configure all the interfaces.

3.2.2 Configuration Syntax
The switch provides various configuration commands. Although all the commands are different, they all abide by the syntax for switch configuration commands.

3.2.3 Shortcut Key Support
The switch provides several shortcut keys to facilitate user configuration, such as up, down, left, right and space. If the terminal does not recognize the Up and Down keys, Ctrl+P and Ctrl+N can be used instead.
Key(s) | Function
Back Space | Delete the character before the cursor; the cursor moves back.
Up “↑” | Show the previous command entered. Up to ten recently entered commands can be shown.
Down “↓” | Show the next command entered.

3.2.5 Input Verification
3.2.5.1 Returned Information: Successful
All commands entered through the keyboard undergo a syntax check by the Shell. Nothing is returned if the user enters a correct command under the corresponding mode and the execution succeeds.
Returned Information: Error
Output error message | Explanation
Unrecognized command or illegal parameter! | The entered command does not exist, or there is an error in parameter scope, type or format.
Chapter 4 Basic Switch Configuration

4.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting the admin mode, for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
Command | Explanation
Normal User Mode/Admin Mode
enable [<1-15>] / disable | The user uses the enable command to step into admin mode from normal user mode or to modify the privilege level of the users.

banner motd / no banner motd | Configure the information displayed when the login authentication of a Telnet or console user succeeds.

4.2 Telnet Management
4.2.1 Telnet
4.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation.

aaa authorization config-commands / no aaa authorization config-commands | Enable the command authorization function for login users on VTY lines (login via Telnet and SSH); the no command disables this function. When this command is enabled and a command authorization method is configured, authorization is requested when executing some commands.

<1-15> {start-stop | stop-only | none} method1 [method2…] / no accounting line {console | vty} command <1-15>
Admin Mode
terminal monitor / terminal no monitor | Display debug information for Telnet client logins to the switch; the terminal no monitor command disables the debug information.
show users | Show the information of users who log in through Telnet or SSH, including line number, user name and user IP.

4.2.2.2 SSH Server Configuration Task List
Command | Explanation
Global Mode
ssh-server enable / no ssh-server enable | Enable the SSH function on the switch; the no command disables the SSH function.
username [privilege ] [password [0 | 7] ] / no username | Configure the username and password of the SSH client software for logging on to the switch; the no command deletes the username.

Switch(config)#ssh-server enable
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 100.100.100.200 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#username test privilege 15 password 0 test

In an IPv6 network, the terminal should run SSH client software which supports IPv6, such as putty6. Users should not modify the configuration of the switch except to allocate an IPv6 address for the local host.
4.

2. Manual configuration
Command | Explanation
VLAN Interface Mode
ip address [secondary] / no ip address [secondary] | Configure the IP address of the VLAN interface; the no command deletes the IP address of the VLAN interface.
ipv6 address [eui-64] / no ipv6 address | Configure the IPv6 address (aggregation global unicast address, local site address); the no command deletes the IPv6 address.
its simplicity and easy implementation; SNMP v2c is an enhanced version of SNMP v1, which supports layered network management; SNMP v3 strengthens security by adding USM (User-based Security Model) and VACM (View-based Access Control Model). The SNMP protocol provides a simple way of exchanging network management information between two points in the network. SNMP employs a polling mechanism of message query, and transmits messages through UDP (a connectionless transport layer protocol).

4.4.2 Introduction to MIB
The network management information accessed by the NMS is well defined and organized in a Management Information Base (MIB). A MIB is pre-defined information which can be accessed by network management protocols. It is in a layered and structured form. The pre-defined management information can be obtained from monitored network devices. ISO ASN.1 defines a tree structure for the MIB. Each MIB organizes all the available information with this tree structure.

4.4.3 Introduction to RMON
RMON is the most important expansion of standard SNMP. RMON is a set of MIB definitions used to define standard network monitor functions and interfaces, enabling communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method to monitor actions inside the subnets. The MIB of RMON consists of 10 groups.

2. Configure SNMP community string
Command | Explanation
Global Mode
snmp-server community {ro | rw} {0 | 7} [access {|}] [ipv6-access {|}] [read ] [write ] / no snmp-server community [access {|}] [ipv6-access {|}] | Configure the community string for the switch; the no command deletes the configured community string.
3.

{|}] / no snmp-server user [access {|}] [ipv6-access {|}]
6. Configure group
Command | Explanation
Global Mode
snmp-server group {noauthnopriv | authnopriv | authpriv} [[read ] [write ] [notify ]] [access {|}] [ipv6-access | Set the group information on the switch.

{noauthnopriv | authnopriv | authpriv}}} / no snmp-server host { | } {v1 | v2c | {v3 | For SNMP v1/v2, this command also configures the Trap community string; for SNMP v3, this command also configures the Trap user name and security level. The “no” form of this command cancels this IPv4 or IPv6 address.
The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps

Scenario 3: The NMS uses SNMP v3 to obtain information from the switch.

The configuration on the switch is listed below:
Switch(config)#snmp-server host 2004:1:2:3::2 v1 usertrap
Switch(config)#snmp-server enable traps

4.4.6 SNMP Troubleshooting
When users configure SNMP, the SNMP server may fail to run properly due to physical connection failure, wrong configuration, etc. Users can troubleshoot the problems by following the guide below:
Check that the physical connection is in good condition.
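Section 4.4 contrasts SNMP v1/v2c, which authenticate with a community string, with SNMP v3, which adds USM. The difference is visible in the first two fields of every message, so a monitoring host can tell which version a manager is using. The following is an added example (not PLANET code): a minimal BER decoder for the SNMP message header that flags v1/v2c traffic whose community string is readable on the wire. The packets and source addresses are constructed inside the block; the function and variable names are the example's own.

```python
# Added example, not part of the PLANET manual. All packets below are built in
# this file by build_community_get / build_v3_stub; nothing is captured from a
# real switch.

DEFAULT_COMMUNITIES = {"public", "private"}   # strings many devices ship with


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value_bytes, next_pos).
    Handles short and long definite lengths and rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(payload):
    """Return (version, community) for a raw SNMP UDP payload.
    version is 0 (v1), 1 (v2c) or 3 (v3). community is None for v3, whose
    header carries msgGlobalData and USM parameters instead of a community."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing, not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big", signed=True)
    if version in (0, 1):
        tag, community, _ = _read_tlv(msg, pos)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        return version, community.decode("latin-1")
    return version, None


def audit_snmp_packets(packets):
    """packets: iterable of (source_ip, payload). Returns (source_ip, finding)
    for every message whose credential is readable on the wire (all v1/v2c
    messages) and for every payload that does not decode as SNMP."""
    findings = []
    for src, payload in packets:
        try:
            version, community = parse_snmp_header(payload)
        except ValueError as exc:
            findings.append((src, "malformed SNMP: " + str(exc)))
            continue
        if community is None:
            continue                         # v3: USM protects the credential
        label = "v1" if version == 0 else "v2c"
        kind = "default community" if community in DEFAULT_COMMUNITIES else "community"
        findings.append((src, f"SNMP {label} {kind} '{community}' sent in clear"))
    return findings


# --- constructed sample packets ---------------------------------------------

def _tlv(tag, value):
    """BER-encode one TLV (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_community_get(community, version=0):
    """Constructed v1 (version=0) or v2c (version=1) GetRequest for sysDescr.0."""
    oid = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])            # 1.3.6.1.2.1.1.1.0
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version]))
                + _tlv(0x04, community.encode()) + pdu)


def build_v3_stub():
    """Constructed v3 header: version 3 followed by msgGlobalData
    (msgID, msgMaxSize, msgFlags=authPriv, msgSecurityModel=USM)."""
    global_data = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x7f")
                       + _tlv(0x04, b"\x03") + _tlv(0x02, b"\x03"))
    return _tlv(0x30, _tlv(0x02, b"\x03") + global_data)


SAMPLE_PACKETS = [                                      # constructed, see above
    ("192.0.2.10", build_community_get("public")),       # v1, default string
    ("192.0.2.11", build_community_get("s3cret", 1)),    # v2c, custom string
    ("192.0.2.12", build_v3_stub()),                     # v3, nothing readable
    ("192.0.2.13", b"\x30\x05\x02\x01"),                 # truncated datagram
]

if __name__ == "__main__":
    for src, finding in audit_snmp_packets(SAMPLE_PACKETS):
        print(src, finding)
```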
save in ROM only. Switch mandates the name of the boot file to be boot.rom. The update method of the system image file and the boot file is the same. The switch supplies the user with two modes of updating: 1. BootROM mode; 2. TFTP and FTP update in Shell mode. This two update method will be explained in details in the following two sections. 4.5.2 BootROM Upgrade There are two methods for BootROM upgrade: TFTP and FTP, which can be selected at BootROM command settings.
Host IP Address: [10.1.1.1] 192.168.1.2 Server IP Address: [10.1.1.2] 192.168.1.66 FTP(1) or TFTP(2): [1] 2 Network interface configure OK. [Boot] Step 4: Enable FTP/TFTP server in the PC. For TFTP, run TFTP server program; for FTP, run FTP server program. Before start downloading upgrade file to the switch, verify the connectivity between the server and the switch by ping from the server.
Write boot.rom OK. [Boot]: Step 8: After successful upgrade, execute run or reboot command in BootROM mode to return to CLI configuration interface. [Boot]: run(or reboot) Other commands in BootROM mode 1. DIR command Used to list existing files in the FLASH. [Boot]: dir boot.rom 327,440 1900-01-01 00:00:00 --SH boot.conf 83 1900-01-01 00:00:00 --SH nos.img 2,431,631 1980-01-01 00:21:34 ---- startup-config temp.img 2,922 1980-01-01 00:09:14 ---2,431,631 1980-01-01 00:00:32 ---- 2.
FTP client to establish a management connection on port 21 of the server, and negotiate a data connection through the management connection. There are two types of data connections: active connection and passive connection. In an active connection, the client transmits its address and port number for data transmission to the server; the management connection is maintained until the data transfer is complete.
FLASH: Flash memory is used to save the system file and the configuration file.
System file: includes the system image file and the boot file.
System image file: refers to the compressed file for the switch hardware driver and software support program, usually referred to as the IMAGE upgrade file. In the switch, the system image file is allowed to be saved in FLASH only. The switch mandates that the name of the system image file uploaded via FTP in Global Mode be nos.img; other IMAGE system files will be rejected.
4.5.3.2 FTP/TFTP Configuration
The configurations of the switch as FTP and TFTP client are almost the same, so the configuration procedures for FTP and TFTP are described together in this manual.
4.5.3.2.1 FTP/TFTP Configuration Task List
1. FTP/TFTP client configuration
(1) Upload/download the configuration file or system file.
(2) For the FTP client, the server file list can be checked.
2.
Global Mode:
  ftp-server enable
  no ftp-server enable
      Start the FTP server; the no command shuts down the FTP server and prevents FTP users from logging in.
(2) Configure FTP login username and password
Global Mode:
  ip ftp username password [0 | 7]
  no ip ftp username
      Configure the FTP login username and password; the no command deletes the username and password.
(3) Modify TFTP server connection retransmission time
Global Mode:
  tftp-server retransmission-number
      Set the retransmission time for the TFTP server.

4.5.3.3 FTP/TFTP Configuration Examples
The configuration is the same for an IPv4 address or an IPv6 address. The example is only for an IPv4 address.
Figure 4-2: Download nos.img file as FTP/TFTP client (addresses shown in the figure: 10.1.1.2 and 10.1.1.1)
Scenario 1: The switch is used as FTP/TFTP client.
Switch(config)#exit
Switch#copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img
With the above commands, the switch downloads the “nos.img” file on the computer to the FLASH.
TFTP Configuration
Computer side configuration: Start the TFTP server software on the computer and place the “12_30_nos.img” file in the appropriate TFTP server directory on the computer.
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#tftp-server enable
Computer side configuration: Log in to the switch with any TFTP client software and use the “tftp” command to download the “nos.img” file from the switch to the computer.
Scenario 4: The switch acts as FTP client to view the file list on the FTP server.
show.txt
snmp.TXT
226 Transfer complete.

4.5.3.4 FTP/TFTP Troubleshooting
4.5.3.4.1 FTP Troubleshooting
When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the FTP client and server before running the FTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity.
If the system file and system startup file upgrade through FTP fails, please try to upgrade again or use the BootROM mode to upgrade. 4.5.3.4.2 TFTP Troubleshooting When uploading/downloading system file with TFTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity.
Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Files in FLASH can be copied, deleted or renamed in Shell or BootROM mode.
5.2 File System Operation Configuration Task List
1. The formatting operation of storage devices
2.
4. Changing the current working directory of the storage device
Admin Mode:
  cd
      Change the current working directory of the storage device.
5. The display operation of the current working directory
Admin Mode:
  pwd
      Display the current working directory.
6.
5.3 Typical Applications
Copy an IMG file flash:/nos.img stored in the FLASH on the boardcard, to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows:
Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img.
5.
Chapter 6 Cluster Configuration
6.1 Introduction to cluster network management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch). A commander switch can manage multiple member switches.
3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
1) Enable or disable automatically adding cluster members
2) Set automatically added members to manually added ones
3) Set or modify the time interval of keep-alive messages on switches in the cluster.
4) Set or modify the max.
2. Create a cluster
Global Mode:
  cluster ip-pool
  no cluster ip-pool
      Configure the private IP address pool for cluster member devices.
  cluster commander []
  no cluster commander
      Create or delete a cluster.
  cluster member {nodes-sn | mac-address [id ] | auto-to-user}
  no cluster member {id | mac-address }
      Add or remove a member switch.
3.
  cluster keepalive interval
  no cluster keepalive interval
      Set the keep-alive interval of the cluster.
  cluster keepalive loss-count
  no cluster keepalive loss-count
      Set the max. number of lost keep-alive messages that can be tolerated in the cluster.
5. Remote cluster network management
Admin Mode:
  rcommand member
      In the commander switch, this command is used to configure and manage member switches.
7. Manage cluster network with SNMP
Global Mode:
  snmp-server enable
      Enable the SNMP server function in the commander switch and the member switches. Note: Ensure the SNMP server function is enabled in the member switch when the commander switch visits the member switch by sn. The commander switch visits the member switch via the configured character string @sw.
6.
2. Configure the member switch
Configuration of SW2-SW4:
Switch(config)#cluster run

6.4 Cluster Administration Troubleshooting
When encountering problems in applying the cluster admin, please check the following possible causes:
The command switch should be correctly configured and the automatic add function (cluster auto-add) should be enabled.
The ports connecting the command switch and the member switch should belong to the cluster VLAN.
Chapter 7 Port Configuration
7.1 Introduction to Port
The switch contains Cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface Ethernet command to enter the appropriate Ethernet port configuration mode, where stands for one or more ports.
1. Enter the Ethernet port configuration mode
Global Mode:
  interface ethernet
      Enters the network port configuration mode.
2. Configure the properties for the Ethernet ports
Port Mode:
  media-type {copper | copper-preferred-auto | fiber | sfp-preferred-auto}
      Sets the combo port mode (combo ports only).
  shutdown
  no shutdown
      Enables/Disables specified ports.
  description
  no description
      Specifies or cancels the name of specified ports.
  storm control {unicast | broadcast | multicast} {kbps | pps }
  no storm control {unicast | broadcast | multicast}
      Enables the storm control function for broadcasts, multicasts and unicasts with unknown destinations (short for broadcast), and sets the allowed broadcast packet number or bit number passing per second; the no format of this command disables the broadcast storm control function.
3. Virtual cable test
Admin Mode:
  virtual-cable-test interface ethernet
      Test virtual cables of the port.

7.3 Port Configuration Example
Figure 7-1: Port Configuration Example (ports 1/7, 1/8, 1/9, 1/10 and 1/12 on Switch 1, Switch 2 and Switch 3)
No VLAN has been configured in the switches; the default VLAN1 is used.
Switch 2:
Switch2(config)#interface ethernet 1/9
Switch2(Config-If-Ethernet1/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/9)#exit
Switch2(config)#interface ethernet 1/10
Switch2(Config-If-Ethernet1/10)#speed-duplex force1g-full
Switch2(Config-If-Ethernet1/10)#exit
Switch2(config)#monitor session 1 source interface ethernet 1/8;1/9
Switch2(config)#monitor session 1 destination interface ethernet 1/10
Switch 3:
Switch3(config)#interface ethernet 1/12
Switch3(Config-If-Ethernet1/12)#speed-duplex f
Chapter 8 Port Isolation Function Configuration
8.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function that works between ports and isolates the flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
8.3 Port Isolation Function Typical Examples
Figure 8-1: Typical example of port isolation function (S1 with e1/1, e1/10 and uplink e1/15; S2; S3)
The topology and configuration of the switches are shown in the figure above, with e1/1, e1/10 and e1/15 all belonging to VLAN 100. The requirement is that, after port isolation is enabled on switch S1, e1/1 and e1/10 on switch S1 cannot communicate with each other, while both of them can communicate with the uplink port e1/15.
Chapter 9 Port Loopback Detection Function Configuration
9.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through Layer 2 switches, which creates urgent demands for both Internet access and internal Layer 2 interworking.
4. Display and debug the relevant information of port loopback detection
5. Configure the loopback-detection control mode (automatic recovery enabled or not)

1. Configure the time interval of loopback detection
Global Mode:
  loopback-detection interval-time
  no loopback-detection interval-time
      Configure the time interval of loopback detection.
  show loopback-detection [interface ]
      Display the state and result of the loopback detection of all ports if no parameter is provided; otherwise, display the state and result of the corresponding ports.
5. Configure the loopback-detection control mode (automatic recovery enabled or not)
Global Mode:
  loopback-detection control-recovery timeout <0-3600>
      Configure the loopback-detection control mode (automatic recovery enabled or not) or the recovery time.
9.
Switch(Config-If-Ethernet1/1)#loopback-detection special-vlan 1-3
Switch(Config-If-Ethernet1/1)#loopback-detection control block
If the block control method is adopted, MSTP should be globally enabled, and the corresponding relation between the spanning tree instance and the VLAN should be configured.
Switch(config)#spanning-tree
Switch(config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 1
Switch(Config-Mstp-Region)#instance 2 vlan 2
Switch(Config-Mstp-Region)#
9.
Chapter 10 ULDP Function Configuration
10.1 Introduction to ULDP Function
A unidirectional link is a common link error state in networks, especially in fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former. Since the physical layer of the link is connected and works normally, the communication problem between the devices cannot be found by the checking mechanism of the physical layer.
This kind of problem often appears in the following situations: GBIC (Gigabit Interface Converter) or interface problems, software problems, or hardware that becomes unavailable or operates abnormally. A unidirectional link will cause a series of problems, such as spanning tree topology loops and broadcast black holes. ULDP (Unidirectional Link Detection Protocol) can help avoid the disasters that could happen in the situations mentioned above.
1. Enable ULDP function globally
Global Mode:
  uldp enable
  uldp disable
      Globally enable or disable the ULDP function.
2. Enable ULDP function on a port
Port Mode:
  uldp enable
  uldp disable
      Enable or disable the ULDP function on a port.
3. Configure aggressive mode globally
Global Mode:
  uldp aggressive-mode
  no uldp aggressive-mode
      Set the global working mode.
4.
6. Configure the interval of Hello messages
Global Mode:
  uldp hello-interval
  no uldp hello-interval
      Configure the interval of Hello messages, ranging from 5 to 100 seconds. The value is 10 seconds by default.
7. Configure the interval of Recovery
Global Mode:
  uldp recovery-time
  no uldp recovery-time
      Configure the interval of Recovery reset, ranging from 30 to 86400 seconds. The value is 0 seconds by default.
8.
  debug uldp event
  no debug uldp event
      Enable or disable the debug switch for event information.
  debug uldp packet {receive|send}
  no debug uldp packet {receive|send}
      Enable or disable debugging of the type of messages that can be received and sent on all ports.
  debug uldp {hello|probe|echo|unidir|all} [receive|send] interface ethernet
  no debug uldp {hello|probe|echo|unidir|all} [receive|send] interface ethernet
      Enable or disable debugging of the content detail of a particular type of messages that can be received and sent on the specified port.
Switch B configuration sequence:
SwitchB(config)#uldp enable
SwitchB(config)#interface ethernet1/3
SwitchB(Config-If-Ethernet1/3)#uldp enable
SwitchB(Config-If-Ethernet1/3)#exit
SwitchB(config)#interface ethernet 1/4
SwitchB(Config-If-Ethernet1/4)#uldp enable
As a result, ports g1/1 and g1/2 of SWITCH A are both shut down by ULDP, and there is notification information on the CRT terminal of PC1.
The interval for sending hello messages can be changed (it is 10 seconds by default and ranges from 5 to 100 seconds) so that ULDP can respond faster to link connection errors in different network environments. But this interval should be less than 1/3 of the STP convergence time: if the interval is too long, an STP loop will be generated before ULDP discovers and shuts down the unidirectional connection port.
Chapter 11 LLDP Function Operation Configuration
11.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them. If necessary, the ports can also send update information to the neighbor devices directly connected to them, and those neighbor devices will store the information in standard SNMP MIBs.
events like the adding and removing of related devices instead of details about where and how these devices operate in the network. Layer 2 discovery covers information like which devices have which ports and which switches connect to other devices; it can also display the routes between clients, switches, routers, application servers and network servers. Such details are very useful for scheduling and for investigating the source of network failures.
2. Configure the port-based LLDP function switch
Port Mode:
  lldp enable
  lldp disable
      Configure the port-based LLDP function switch.
3. Configure the operating state of port LLDP
Port Mode:
  lldp mode (send|receive|both|disable)
      Configure the operating state of port LLDP.
4.
7. Configure the intervals of sending Trap messages
Global Mode:
  lldp notification interval
  no lldp notification interval
      Configure the interval of sending Trap messages as the specified value or the default value.
8. Configure to enable the Trap function of the port
Port Mode:
  lldp trap
      Enable or disable the Trap function of the port.
9.
12. Display and debug the relative information of LLDP
Admin and Global Mode:
  show lldp
      Display the current LLDP configuration information.
  show lldp interface ethernet
      Display the LLDP configuration information of the current port.
  show lldp traffic
      Display the information of all kinds of counters.
  show lldp neighbors interface ethernet < IFNAME >
      Display the information of LLDP neighbors of the current port.
In the network topology graph above, the port 1,3 of SWITCH B are connected to port 2,4 of SWITCH A. Port 1 of SWITCH B is configured to message-receiving-only mode, Option TLV of port 4 of SWITCH A is configured as portDes and SysCap.
Chapter 12 Port Channel Configuration
12.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in the Port Group can take part in link aggregation and become member ports of a Port Channel. Logically, a Port Group is not a port but a port sequence.
All ports are in full-duplex mode.
All ports are of the same speed.
All ports are Access ports and belong to the same VLAN, or are all TRUNK ports, or are all Hybrid ports. If the ports are all TRUNK ports or Hybrid ports, then their “Allowed VLAN” and “Native VLAN” properties should also be the same.
If a Port Channel is configured manually or dynamically on the switch, the system will automatically set the port with the smallest number to be the Master Port of the Port Channel.
For a dynamic aggregation group, the members of the same group have the same operation Key; for a static aggregation group, the Active ports have the same operation Key. Port aggregation means that multiple ports are aggregated to form an aggregation group, so as to implement outbound/inbound load balance across the member ports of the aggregation group and provide better reliability.
12.2.1 Static LACP Aggregation
Static LACP aggregation is enforced by user configuration, and does not enable the LACP protocol.
In an aggregation group, the port which has the smallest port ID and is in the selected state will be the master port, while the other ports in the selected state will be member ports.
12.2.3 Port Channel Configuration Task List
1. Create a port group in Global Mode
2. Add ports to the specified group from the Port Mode of respective ports
3. Enter port-channel configuration mode
4. Set load-balance method for port-group
5. Set the system priority of LACP protocol
6.
4. Set load-balance method for port-group
Aggregation Port Mode:
  load-balance {src-mac | dst-mac | dst-src-mac | src-ip | dst-ip | dst-src-ip}
      Set load-balance for port-group.
5. Set the system priority of LACP protocol
Global Mode:
  lacp system-priority
  no lacp system-priority
      Set the system priority of the LACP protocol; the no command restores the default value.
6.
Figure 12-2: Configure Port Channel in LACP (S1, S2)
The switches in the description below are all switches and, as shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and are added to group1 in active mode. Ports 6, 8, 9, 10 of S2 are access ports and are added to group2 in passive mode. All the ports should be connected with cables.
Configuration result: The shell prompts that the ports aggregated successfully after a while; now ports 1, 2, 3, 4 of S1 form an aggregated port named “Port-Channel1”, and ports 6, 8, 9, 10 of S2 form an aggregated port named “Port-Channel2”; they can be configured in their respective aggregated port modes.
Scenario 2: Configuring Port Channel in ON mode.
Figure 12-3: Configure Port Channel in ON mode (S1, S2)
As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and are added to group1 in “on” mode.
Switch2(Config-If-Ethernet1/6)#port-group 2 mode on
Switch2(Config-If-Ethernet1/6)#exit
Switch2(config)#interface ethernet 1/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode on
Switch2(Config-If-Port-Range)#exit
Configuration result: Add ports 1, 2, 3, 4 of S1 to port-group1 in order, and we can see that a group in “on” mode is joined forcibly; the switch at the other end won’t exchange LACP PDUs to complete the aggregation.
Chapter 13 MTU Configuration
13.1 Introduction to MTU
So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally, frames sized within 1519-9000 should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%. Technically the Jumbo is just a lengthened frame sent and received by the switch. However, considering the length of Jumbo frames, they will not be sent to the CPU.
Chapter 14 EFM OAM Configuration
14.1 Introduction to EFM OAM
Ethernet was designed for the Local Area Network at the beginning, but link length and network scope have extended rapidly as Ethernet is also applied to the Metropolitan Area Network and Wide Area Network. Because it lacked an effective management mechanism, which hindered the application of Ethernet to Metropolitan Area Networks and Wide Area Networks, implementing OAM on Ethernet became a necessary development trend.
OAM protocol data units (OAMPDUs) use the protocol destination MAC address 01-80-c2-00-00-02; the max. transmission rate is 10 Pkt/s. EFM OAM is established on the basis of an OAM connection; it provides link operation management mechanisms such as link monitoring, remote fault detection and remote loopback testing. A brief introduction to EFM OAM follows:
1.
Errored frame seconds event: The number of errored frame seconds detected over M seconds cannot be less than the low threshold. (Errored frame second: a second in which at least one errored frame is received.)
3. Remote Fault Detection
In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer.
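As an added illustration (not code from the manual or from PLANET's firmware), the sliding-window evaluation of the errored frame seconds event described above; M, the low threshold and the per-second errored-frame counts are constructed sample values, and the class and function names are mine.

```python
"""Errored frame seconds event detector for an EFM OAM link monitor.

Added example, not PLANET firmware code. It models the rule stated above:
over a window of M seconds, count the seconds in which at least one errored
frame was received; the event is raised when that count is not less than the
configured low threshold. Window length, threshold and the per-second counts
in the sample run are constructed values.
"""
from collections import deque
from typing import Deque, Iterable, List


class ErroredFrameSecondsMonitor:
    """Sliding window of M one-second flags (True = errored frame second)."""

    def __init__(self, window_seconds: int, low_threshold: int) -> None:
        if window_seconds <= 0 or low_threshold <= 0:
            raise ValueError("window_seconds and low_threshold must be positive")
        if low_threshold > window_seconds:
            # More errored seconds than seconds in the window can never occur.
            raise ValueError("low_threshold cannot exceed window_seconds")
        self.window_seconds = window_seconds
        self.low_threshold = low_threshold
        self._flags: Deque[bool] = deque(maxlen=window_seconds)

    def errored_seconds(self) -> int:
        """Errored frame seconds currently inside the window."""
        return sum(1 for flag in self._flags if flag)

    def observe(self, errored_frames: int) -> bool:
        """Feed one second of counters; return True if the event fires now.

        A second counts as an errored frame second when it carried at least
        one errored frame, regardless of how many.
        """
        if errored_frames < 0:
            raise ValueError("frame counters cannot be negative")
        self._flags.append(errored_frames >= 1)
        # Evaluate only once a full window of M seconds has been observed.
        if len(self._flags) < self.window_seconds:
            return False
        return self.errored_seconds() >= self.low_threshold


def event_seconds(counts: Iterable[int], window_seconds: int, low_threshold: int) -> List[int]:
    """Return the 1-based second numbers at which the event condition holds."""
    monitor = ErroredFrameSecondsMonitor(window_seconds, low_threshold)
    return [sec for sec, n in enumerate(counts, start=1) if monitor.observe(n)]


# Constructed sample: errored-frame counts for ten consecutive seconds.
SAMPLE_COUNTS = [0, 1, 0, 0, 1, 1, 0, 0, 0, 0]

if __name__ == "__main__":
    fired = event_seconds(SAMPLE_COUNTS, window_seconds=5, low_threshold=3)
    print("event fires at seconds:", fired)  # [6]
```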
Shown below is the typical EFM OAM application topology. It is used for point-to-point links and emulated IEEE 802.3 point-to-point links. The device enables EFM OAM through a point-to-point connection to monitor link faults in the First Mile with Ethernet access. For the user, the connection between the user and the telecommunication provider is “the First Mile”; for the service provider, it is “the Last Mile”.
Figure (topology): Customer, Service Provider, Customer; 802.3ah Ethernet in the First Mile; CE 802.
restores the default value.
  ethernet-oam timeout
  no ethernet-oam timeout
      Configure the timeout of the EFM OAM connection; the no command restores the default value.
2. Configure link monitor
Port Mode:
  ethernet-oam link-monitor
  no ethernet-oam link-monitor
      Enable link monitor of EFM OAM; the no command disables link monitor.
3. Configure remote failure
Port Mode:
  ethernet-oam remote-failure
  no ethernet-oam remote-failure
      Enable remote failure detection of EFM OAM (failure means a critical-event or link-fault event of the local end); the no command disables the function. (optional)
  ethernet-oam errored-symbol-period threshold high {high-symbols | none}
  no ethernet-oam errored-symbol-period
      Configure the high threshold of the errored symbol period event; the no command restores the default value.
Configuration procedure: (omitting SNMP and Log configuration in the following)
Configuration on CE:
CE(config)#interface ethernet1/1
CE(config-if-ethernet1/1)#ethernet-oam mode passive
CE(config-if-ethernet1/1)#ethernet-oam
CE(config-if-ethernet1/1)#ethernet-oam remote-loopback supported
Other parameters use the default configuration.
Configuration on PE:
PE(config)#interface ethernet 1/1
PE(config-if-ethernet1/1)#ethernet-oam
Other parameters use the default configuration.
Ensure that the board in use supports the remote loopback function. STP, MRPP, ULPP, Flow Control and loopback detection should not be configured on a port after it enables the OAM loopback function, because the OAM remote loopback function and these functions are mutually exclusive.
Chapter 15 PORT SECURITY
15.1 Introduction to PORT SECURITY
Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of received frames, and access to unauthorized devices by checking the destination MAC address of sent frames.
VLAN, both of them will violate the security of the MAC address.
  switchport port-security aging {static | time | type {absolute | inactivity}}
  no switchport port-security violation aging {static | time | type}
      Enable the port-security aging entry of the interface; specify the aging time or aging type.
Admin Mode:
  clear port-security {all | configured | dynamic | sticky} [[address | interface ] [vlan ]]
      Clear the secure MAC entries of the interface.
Chapter 16 DDM Configuration
16.1 Introduction to DDM
16.1.1 Brief Introduction to DDM
DDM (Digital Diagnostic Monitor) makes the detailed digital diagnostic function a standard in the SFF-8472 MSA. It specifies that the parameter signals are monitored and digitized on the circuit board inside the module.
3. Compatibility verification
Compatibility verification is used to analyze whether the environment of the module conforms to the data sheet or is compatible with the corresponding standard, because the module's capability can only be ensured in a compatible environment. Sometimes environment parameters exceed the data sheet or the corresponding standard, which degrades the module's capability and results in transmission errors.
For a fiber module, the verification mode of the receiving power includes inner verification and outer verification, which are decided by the manufacturer. Besides, the verification mode of the real-time parameters and of the default thresholds is the same.
3. Transceiver monitoring
Besides checking the real-time working state of the transceiver, the user needs to monitor the detailed status, such as the time of the previous abnormality and the abnormality type.
3. Configure the state of the transceiver monitoring
(1) Configure the interval of the transceiver monitoring
Global Mode:
  transceiver-monitoring interval
  no transceiver-monitoring interval
      Set the interval of the transceiver monitor. The no command sets the interval to the default interval of 15 minutes.
(2) Configure the enable state of the transceiver monitoring
Port Mode:
      Set whether the transceiver monitoring is enabled.
(4) Clear the information of the transceiver monitoring
Admin Mode:
  clear transceiver threshold-violation [interface ethernet ]
      Clear the threshold violation of the transceiver monitor.
16.3 Examples of DDM
Example 1: Ethernet 21 and Ethernet 23 have fiber modules with DDM inserted, Ethernet 24 has a fiber module without DDM inserted, and Ethernet 22 has no fiber module inserted; show the DDM information of the fiber modules.
SFP found in this port, manufactured by company, on Sep 29 2010. Type is 1000BASE-SX, Link length is 550 m for 50um Multi-Mode Fiber. Link length is 270 m for 62.5um Multi-Mode Fiber. Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm.
RX loss of signal
Voltage high
RX power low
Detail diagnostic and threshold information:
Diagnostic          Realtime Value   High Alarm   Low Alarm   High Warn   Low Warn
Temperature(℃)      33               70           0           70          0
Voltage(V)          7.31(A+)         5.00         0.00        5.00        0.00
Bias current(mA)    6.11(W+)         10.30        0.00        5.00        0.00
RX Power(dBM)       -30.54(A-)       9.00         -25.00      9.00        -25.00
TX Power(dBM)       -13.01           9.00         -25.00      9.00        -25.
Diagnostic          Realtime Value   High Alarm   Low Alarm        High Warn   Low Warn
Voltage(V)          7.31(A+)         5.00         0.00             5.00        0.00
Bias current(mA)    6.11(W+)         10.30        0.00             5.00        0.00
RX Power(dBM)       -30.54(A-)       9.00         -25.00           9.00        -25.00
TX Power(dBM)       -13.01(A-)       9.00         -12.00(-25.00)   9.00        -10.00(-25.00)
Example 3: Ethernet 21 has a fiber module with DDM inserted. Enable the transceiver monitoring of the port after showing the transceiver monitoring of the fiber module.
Step 1: Show the transceiver monitoring of the fiber module.
Diagnostic          Realtime Value   High Alarm   Low Alarm     High Warn   Low Warn
Temperature(℃)      33               70           0             70          0
Voltage(V)          7.31             10.00        0.00          5.00        0.00
Bias current(mA)    3.11             10.30        0.00          5.00        0.00
RX Power(dBM)       -30.54(A-)       9.00         -25.00(-34)   9.00        -25.00
TX Power(dBM)       -1.01            -12.05       9.00          -10.00      9.00
Ethernet 1/22 transceiver threshold-violation information:
Transceiver monitor is disabled.
Monitor interval is set to 30 minutes.
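As an added example (not code from the manual or from PLANET's firmware), the threshold evaluation that produces the A+/A-/W+/W- marks in the tables above, run over the Ethernet 1/21 readings of Example 1 and over the lowered TX Power low alarm threshold of Example 2; the column order and sample values are taken from those tables, while the class, function names and the nesting check are my own assumptions.

```python
"""Evaluate DDM real-time readings against alarm and warning thresholds.

Added example, not PLANET firmware code. It reproduces the annotation
convention of the DDM tables above: A+ / A- when a reading crosses the high /
low alarm threshold, W+ / W- when it crosses only the high / low warning
threshold, nothing when it sits inside the warning band. Column order follows
the tables: realtime value, high alarm, low alarm, high warn, low warn.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Thresholds:
    high_alarm: float
    low_alarm: float
    high_warn: float
    low_warn: float

    def validate(self) -> None:
        # Assumption: a sane set nests the warning band inside the alarm band;
        # a module reporting anything else should be treated as untrustworthy.
        if not (self.low_alarm <= self.low_warn <= self.high_warn <= self.high_alarm):
            raise ValueError(f"inconsistent thresholds: {self}")


def classify(value: float, th: Thresholds) -> str:
    """Return 'A+', 'A-', 'W+', 'W-' or '' for one reading (alarm wins over warn)."""
    th.validate()
    if value > th.high_alarm:
        return "A+"
    if value < th.low_alarm:
        return "A-"
    if value > th.high_warn:
        return "W+"
    if value < th.low_warn:
        return "W-"
    return ""


def annotate(readings: Dict[str, float], limits: Dict[str, Thresholds]) -> Dict[str, str]:
    """Render each diagnostic the way the table does, e.g. '7.31(A+)'."""
    out: Dict[str, str] = {}
    for name, value in readings.items():
        flag = classify(value, limits[name])
        out[name] = f"{value:.2f}({flag})" if flag else f"{value:.2f}"
    return out


def alarms(readings: Dict[str, float], limits: Dict[str, Thresholds]) -> List[str]:
    """Diagnostics in alarm state: the ones a monitoring system should page on."""
    return [n for n, v in readings.items() if classify(v, limits[n]).startswith("A")]


# Constructed sample matching the Ethernet 1/21 table above (Example 1).
SAMPLE_READINGS = {
    "Temperature(C)": 33.0,
    "Voltage(V)": 7.31,
    "Bias current(mA)": 6.11,
    "RX Power(dBm)": -30.54,
    "TX Power(dBm)": -13.01,
}
SAMPLE_LIMITS = {
    "Temperature(C)": Thresholds(70, 0, 70, 0),
    "Voltage(V)": Thresholds(5.00, 0.00, 5.00, 0.00),
    "Bias current(mA)": Thresholds(10.30, 0.00, 5.00, 0.00),
    "RX Power(dBm)": Thresholds(9.00, -25.00, 9.00, -25.00),
    "TX Power(dBm)": Thresholds(9.00, -25.00, 9.00, -25.00),
}
# Example 2 lowers the TX Power low alarm to -12.00, turning -13.01 into A-.
TX_LIMITS_EXAMPLE2 = Thresholds(9.00, -12.00, 9.00, -10.00)

if __name__ == "__main__":
    for name, text in annotate(SAMPLE_READINGS, SAMPLE_LIMITS).items():
        print(f"{name:18} {text}")
    print("alarms:", alarms(SAMPLE_READINGS, SAMPLE_LIMITS))
    print("TX Power with Example 2 thresholds:", classify(-13.01, TX_LIMITS_EXAMPLE2))
```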
Chapter 17 LLDP-MED
17.1 Introduction to LLDP-MED
LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on the IEEE 802.1AB LLDP (Link Layer Discovery Protocol). LLDP provides a standard link layer discovery mode: it sends local device information (including its major capabilities, management IP address, device ID and port ID) as TLV (type/length/value) triplets in LLDPDUs (Link Layer Discovery Protocol Data Units) to directly connected neighbors.
command disables the capability.
  lldp transmit med tlv inventory
  no lldp transmit med tlv inventory
      Configure the port to send LLDP-MED Inventory Management TLVs. The no command disables the capability.
  lldp med fast count
  no lldp med fast count
      When the fast LLDP-MED startup mechanism is enabled, it needs to fast send the LLDP packets with LLDP-MED TLVs; this command is used to set the number of packets sent fast, and the no command restores the default value.
Admin Mode:
  show lldp
      Show the configuration of the global LLDP and LLDP-MED.
  show lldp [interface ethernet ]
      Show the configuration of LLDP and LLDP-MED on the current port.
SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv capability
SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv network policy
SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv inventory
SwitchB (Config-If-Ethernet1/1)# network policy voice tag tagged vid 10 cos 5 dscp 15
SwitchA (Config-If-Ethernet1/1)# exit
SwitchA (config)#interface ethernet1/2
SwitchA (Config-If-Ethernet1/2)# lldp enable
SwitchA (Config-If-Ethernet1/2)# lldp mode both
2) Configure Switch B
SwitchB (config)#interface ethern
MED Codes: (CAP) Capabilities, (NP) Network Policy, (LI) Location Identification, (PSE) Power Source Entity, (PD) Power Device, (IN) Inventory
MED Capabilities: CAP,NP,PD,IN
MED Device Type: Endpoint Class III
Media Policy Type: Voice
Media Policy: Tagged
Media Policy Vlan id: 10
Media Policy Priority: 3
Media Policy Dscp: 5
Power Type: PD
Power Source: Primary power source
Power Priority: low
Power Value: 15.4 (Watts)
Hardware Revision:
Firmware Revision: 4.0.1
Software Revision: 6.2.30.
PortDesc: Ethernet1/1
SysName: ****
SysDesc: *****
SysCapSupported: 4
SysCapEnabled: 4
Explanation:
1) Both Ethernet2 of switch A and Ethernet1 of switch B are ports of a network connectivity device, so they will not send LLDP packets with MED TLV information on their own initiative. Although Ethernet1 of switch B is configured to send MED TLV information, it will not send the related MED information, so the corresponding Remote table on Ethernet2 of switch A has no related MED information.
18.1.1 bpdu-tunnel function
In MAN applications, multiple branches of a corporation may connect with each other through the service provider network. The VPN provided by the service provider enables the geographically dispersed networks to form a local LAN, so the service provider needs to provide a tunnel function, namely, data generated by the user’s network is able to arrive at other networks of the same corporation through the service provider network.
1. Configure tunnel MAC address globally
   [Global Mode]
   bpdu-tunnel {stp|gvrp|dot1x}
   no bpdu-tunnel {stp|gvrp|dot1x}
     Enable support for the tunnel; the no command disables the function.
2. Configure the port to support the tunnel
   [Port Mode]
   bpdu-tunnel {stp|gvrp|dot1x}
   no bpdu-tunnel {stp|gvrp|dot1x}
     Enable the port to support the tunnel; the no command disables the function.
18.
With BPDU Tunnel, Layer 2 protocol packets from the user's networks can be passed through the service provider network in the following work flow:
1. After receiving a Layer 2 protocol packet from network 1 of user A, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network.
2.
Chapter 19 EEE Energy-saving Configuration
19.1 Introduction to EEE Energy-saving
EEE is Energy Efficient Ethernet. After this function is enabled on a port, the switch detects the port state automatically. If the port is idle and there is no data transmission, the port changes to power saving mode and reduces the power of the port to save energy.
19.2 EEE Energy-saving configuration List
1.
Chapter 20 VLAN Configuration
20.1 VLAN Configuration
20.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
Saving network resources
Simplifying network management
Lowering network cost
Enhancing network security
Switch Ethernet ports can work in three modes: Access, Hybrid and Trunk, each mode having a different method of processing tagged and untagged packets when forwarding. Ports of Access type belong to only one VLAN and are usually used to connect computers. Ports of Trunk type allow multiple VLANs to pass; they receive and send the packets of multiple VLANs.
1. Create or delete VLAN
   [Global Mode]
   vlan WORD
   no vlan WORD
     Create/delete a VLAN, or enter VLAN Mode.
2. Set or delete VLAN name
   [VLAN Interface Mode]
   name
   no name
     Set or delete the VLAN name.
3. Assign switch ports to a VLAN
   [VLAN Interface Mode]
   switchport interface ethernet
   no switchport interface
     Assign switch ports to the VLAN.
4.
   switchport trunk native vlan
   no switchport trunk native vlan
     Set/delete the PVID for a Trunk port.
6. Set Access port
   [Port Mode]
   switchport access vlan
   no switchport access vlan
     Add the current port to the specified VLAN; the "no" command restores the default setting.
7.
10. Set Private VLAN association
   [VLAN Interface Mode]
   private-vlan association
   no private-vlan association
     Set/delete the Private VLAN association.
11. Specify internal VLAN ID
   [Global Mode]
     Specify the internal VLAN ID.
20.1.3 Typical VLAN Application
Scenario:
Figure 20-2: Typical VLAN Application Topology (Switch A and Switch B joined by a trunk link; PCs and workstations of VLAN2, VLAN100 and VLAN200 at both sides)
The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. Those three VLANs cross two different locations A and B.
Switch A:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchport interface ethernet 1/2-4
Switch(Config-Vlan2)#exit
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/5-7
Switch(Config-Vlan100)#exit
Switch(config)#vlan 200
Switch(Config-Vlan200)#switchport interface ethernet 1/8-10
Switch(Config-Vlan200)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)#exit
Switch(config)#
Switch B:
Switch(conf
20.1.4 Typical Application of Hybrid Port
Scenario:
Figure 20-3: Typical Application of Hybrid Port (internet, Switch A, Switch B, PC1, PC2)
PC1 connects to interface Ethernet 1/7 of Switch B; PC2 connects to interface Ethernet 1/9 of Switch B; Ethernet 1/10 of Switch A connects to Ethernet 1/10 of Switch B. It is required that PC1 and PC2 cannot access each other for security reasons, but PC1 and PC2 can both access other network resources through the gateway Switch A.
The configuration steps are listed below:
Switch A:
Switch(config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/10
Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/7
Switch(Config-If-Ethernet1/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/7)#exit
Switch(Config)#interface Ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode
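The isolation in the hybrid-port scenario follows from how each port mode classifies ingress frames (untagged frames go to the PVID, tagged frames must be allowed) and chooses tagged or untagged egress. The following Python model is an added example written for this manual, not PLANET code: the Ethernet1/7 settings are exactly the CLI above; the settings used for Ethernet1/9 and for the uplink Ethernet1/10 are assumptions made by symmetry, since the text's configuration of those ports is cut off.

```python
"""802.1Q port-mode model: access, trunk and hybrid ports (added example, not PLANET code)."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    mode: str                                       # "access", "trunk" or "hybrid"
    pvid: int = 1                                   # native VLAN: untagged ingress frames land here
    allowed: Set[int] = field(default_factory=set)  # VLANs that may pass (trunk/hybrid)
    untag: Set[int] = field(default_factory=set)    # VLANs sent untagged on egress (hybrid)

    def __post_init__(self) -> None:
        if self.mode == "access":
            self.allowed = {self.pvid}      # an access port belongs to exactly one VLAN
            self.untag = {self.pvid}
        elif self.mode == "trunk":
            self.allowed.add(self.pvid)     # a trunk sends only its native VLAN untagged
            self.untag = {self.pvid}


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """Classify a received frame (vid=None means untagged); None result means dropped."""
    if vid is None:
        return port.pvid
    if port.mode == "access":
        return vid if vid == port.pvid else None
    return vid if vid in port.allowed else None     # trunk/hybrid: tag must be allowed


def egress(port: Port, vid: int) -> Optional[str]:
    """How a frame of VLAN `vid` leaves the port: "tagged", "untagged" or None (not sent)."""
    if vid not in port.allowed:
        return None
    return "untagged" if vid in port.untag else "tagged"


def can_reach(src: Port, dst: Port, vid_in: Optional[int]) -> bool:
    """True if a frame entering `src` with tag `vid_in` is sent out of `dst`."""
    vid = ingress(src, vid_in)
    return vid is not None and egress(dst, vid) is not None


# Switch B ports of the scenario. E1_7 is the CLI from the text.
E1_7 = Port("Ethernet1/7", "hybrid", pvid=7, allowed={7, 10}, untag={7, 10})
# Assumed by symmetry with Ethernet1/7 (the text's configuration of 1/9 is cut off):
E1_9 = Port("Ethernet1/9", "hybrid", pvid=9, allowed={9, 10}, untag={9, 10})
# Assumed uplink towards gateway Switch A: native VLAN 10, also carrying 7 and 9 untagged:
E1_10 = Port("Ethernet1/10", "hybrid", pvid=10, allowed={7, 9, 10}, untag={7, 9, 10})


def scenario() -> dict:
    """Which paths are open for untagged frames from the PCs and from the gateway."""
    return {
        "PC1->PC2": can_reach(E1_7, E1_9, None),      # isolated: VLAN 7 is not allowed on 1/9
        "PC1->gateway": can_reach(E1_7, E1_10, None),
        "gateway->PC1": can_reach(E1_10, E1_7, None), # VLAN 10 reaches PC1 untagged
        "gateway->PC2": can_reach(E1_10, E1_9, None),
    }


if __name__ == "__main__":
    for path, ok in scenario().items():
        print(f"{path}: {'forwarded' if ok else 'dropped'}")
```

The isolation is asymmetric VLAN membership: PC1's frames are classified to VLAN 7, which only the uplink accepts, while the gateway's VLAN 10 frames are allowed untagged on both PC ports.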
Figure 20-4: Dot1q-tunnel based Internetworking mode (Customer network 1 with CE1 and Customer network 2 with CE2 attach to PE1 and PE2 by unsymmetrical connections; the customer ports are trunks carrying VLAN 200-300; the PE ports enabled with Q-in-Q belong to VLAN3; PE1, P and PE2 are joined by trunk connections across the SP network)
As shown above, after being enabled on the user port, dot1q-tunnel assigns each user an SPVLAN identificat
their network, the user networks do not have to change their original configuration. A detailed description of the application and configuration of dot1q-tunnel is provided in this section.
20.2.2 Dot1q-tunnel Configuration
Configuration Task Sequence of Dot1q-Tunnel:
1. Configure the dot1q-tunnel function on port
2. Configure the global protocol type (TPID)
1.
Configuration procedure is as follows:
PE1:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)# dot1q-tunnel enable
Switch(Config-Ethernet1/1)# exit
Switch(Config)#interface ethernet 1/10
Switch(Config-Ethernet1/10)#switchport mode trunk
Switch(Config-Ethernet1/10)#exit
Switch(config)#dot1q-tunnel tpid 0x9100
Switch(Config)#
PE2:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface
20.3 Selective Q-in-Q Configuration
20.3.1 Introduction to Selective Q-in-Q
Selective Q-in-Q is an enhanced application of the dot1q-tunnel function. It tags packets received on the same port with different outer VLAN tags according to their inner VLAN tags, as required by the user, so that packets of different types are assigned to different VLANs and thereby take different transmission paths.
20.3.
20.3.3 Typical Applications of Selective Q-in-Q
Figure 20-5: Selective Q-in-Q application
1. Ethernet1/1 of Switch A provides public network access for PC users and Ethernet 1/2 of Switch A provides public network access for IP phone users. PC users belong to VLAN 100 through VLAN 200, and IP phone users belong to VLAN 201 through VLAN 300. Ethernet 1/9 of Switch A is connected to the public network.
2.
switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag
# Configure the mapping rules for selective Q-in-Q on Ethernet1/1 to insert the VLAN 1000 tag as the outer VLAN tag in packets tagged with VLAN 100 through VLAN 200.
switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200
# Enable selective Q-in-Q on Ethernet1/1.
The configuration on Switch B is similar to that on Switch A and is as follows:
switch(config)#vlan 1000;2000
switch(config)#interface ethernet 1/1
switch(config-if-ethernet1/1)#switchport mode hybrid
switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag
switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200
switch(config-if-ethernet1/1)#dot1q-tunnel selective enable
switch(config-if-ethernet1/1)#interface ethernet 1/2
switch(config-if-ethernet1/2
1. Configure the VLAN Translation of the port
   [Port Mode]
   vlan-translation enable
   no vlan-translation enable
     Enter/exit the port VLAN translation mode.
2. Configure the VLAN-translation relation of the port
   [Global/Port Mode]
   vlan-translation to in
   no vlan-translation old-vlan-id in
     Add/delete a VLAN translation relation.
3.
20.4.3 Typical Application of VLAN Translation
Scenario: Edge switches PE1 and PE2 of the ISP network carry the VLAN20 data traffic between CE1 and CE2 of the client network using VLAN3. Port 1/1 of PE1 is connected to CE1 and port 1/10 to the public network; port 1/1 of PE2 is connected to CE2 and port 1/10 to the public network.
20.4.4 VLAN Translation Troubleshooting
VLAN Translation is normally applied on trunk ports.
Normally, before using VLAN Translation, the dot1q-tunnel function needs to be enabled first so that double-tagged packets are processed by VLAN-translation.
When configuring VLAN translation at the egress, make sure the native VLAN of the port is not identical to the VID of the packet. Otherwise, the tag of the packet is stripped beforehand and the VID cannot be translated.
2. Show the related configuration of Multi-to-One VLAN translation
   [Admin Mode]
   show vlan-translation n-to-1
     Show the related configuration of Multi-to-One VLAN translation.
20.5.3 Typical Application of Multi-to-One VLAN Translation
Scenario: UserA, userB and userC belong to VLAN1, VLAN2 and VLAN3, respectively. Before entering the network layer, the data traffic of userA, userB and userC is translated into VLAN 100 by Ethernet1/1 of edge switch1.
Configuration Item | Configuration Explanation
VLAN | Switch1, Switch2
Trunk Port | Downlink port 1/1 and uplink port 1/5 of Switch1 and Switch2
Multi-to-One VLAN-translation | Downlink port 1/1 of Switch1 and Switch2
Configuration procedure is as follows:
Switch1, Switch2:
switch(Config)# vlan 1-3;100
switch(Config-Ethernet1/1)#switchport mode trunk
switch(Config-Ethernet1/1)# vlan-translation n-to-1 1-3 to 100
switch(Config)#interface ethernet 1/5
switch(Config-Ethernet1/5)#switchport mode trunk
switch(C
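The dot1q-tunnel, selective Q-in-Q, VLAN translation and multi-to-one translation sections above all manipulate the same thing: the 4-byte tag(s) that sit between the MAC addresses and the EtherType. The Python below is an added example written for this manual, not PLANET code. It builds raw frames and reproduces each operation on them: the provider TPID 0x9100 and SPVLAN 3 from the PE1 example, the c-vlan 100-200 to s-vlan 1000 rule from the Switch A example, the VLAN20-to-VLAN3 mapping from the VLAN translation scenario, the 1-3 to 100 rule from the multi-to-one example, and the troubleshooting caveat that a frame whose VID equals the egress port's native VLAN is sent untagged and so escapes translation. The 201-300 to s-vlan 2000 rule, the MAC addresses and the payload are constructed for the demonstration.

```python
"""Q-in-Q, selective Q-in-Q and VLAN translation on raw Ethernet frames (added example)."""
import struct

TPID_8021Q = 0x8100   # customer (C-tag) TPID
TPID_SP = 0x9100      # provider TPID, as set by "dot1q-tunnel tpid 0x9100"
TPIDS = (TPID_8021Q, TPID_SP)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vids=()) -> bytes:
    """Ethernet frame with zero or more 802.1Q C-tags (outermost first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return hdr + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> list:
    """List of (tpid, vid) from outermost to innermost; [] for an untagged frame."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] in TPIDS:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags


def push_tag(frame: bytes, vid: int, tpid: int = TPID_SP, pcp: int = 0) -> bytes:
    """Insert a new outer tag right after the MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Strip the outer tag (what an egress port does for its native VLAN)."""
    return frame[:12] + frame[16:] if parse_tags(frame) else frame


def set_outer_vid(frame: bytes, vid: int) -> bytes:
    """Rewrite only the VID bits of the outer tag, keeping TPID, PCP and DEI."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return frame[:12] + struct.pack("!HH", tpid, (tci & 0xF000) | (vid & 0x0FFF)) + frame[16:]


def dot1q_tunnel(frame: bytes, spvlan: int) -> bytes:
    """Basic dot1q-tunnel: every frame from the customer port gets the port's SPVLAN."""
    return push_tag(frame, spvlan)


def selective_qinq(frame: bytes, rules: dict):
    """rules maps (c_lo, c_hi) -> s_vlan; returns the double-tagged frame or None if no rule matches."""
    tags = parse_tags(frame)
    if not tags:
        return None
    cvid = tags[0][1]
    for (lo, hi), svlan in rules.items():
        if lo <= cvid <= hi:
            return push_tag(frame, svlan)
    return None


def n_to_1_translate(frame: bytes, members: range, target: int) -> bytes:
    """Multi-to-one translation: any member VID in the outer tag becomes `target`."""
    tags = parse_tags(frame)
    return set_outer_vid(frame, target) if tags and tags[0][1] in members else frame


def egress_translate(frame: bytes, mapping: dict, native_vid: int) -> bytes:
    """Egress VLAN translation. A frame in the port's native VLAN is stripped of its tag
    before translation would apply, so its VID is never rewritten (the troubleshooting caveat)."""
    tags = parse_tags(frame)
    if not tags:
        return frame
    vid = tags[0][1]
    if vid == native_vid:
        return pop_tag(frame)
    return set_outer_vid(frame, mapping[vid]) if vid in mapping else frame


SELECTIVE_RULES = {(100, 200): 1000, (201, 300): 2000}   # second rule is assumed
PAYLOAD = b"\x45" + b"\x00" * 19                          # constructed stand-in for an IPv4 header
CUSTOMER = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", 0x0800, PAYLOAD, vids=(150,))
```

Because `set_outer_vid` preserves the PCP bits, a translated frame keeps its priority; the `native_vid` branch of `egress_translate` is the case the troubleshooting note warns about.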
The IP subnet based VLAN is divided according to the source IP address and subnet mask of each host. It assigns the corresponding VLAN ID to the data packet according to the subnet segment, leading the data packet to the specified VLAN. Its advantage is the same as that of the MAC-based VLAN: the user does not have to change the configuration when relocated. The protocol-based VLAN is divided by the network layer protocol, assigning different protocols to different VLANs.
2. Set the VLAN to MAC VLAN
   [Global Mode]
   mac-vlan vlan
   no mac-vlan
     Configure the specified VLAN as a MAC VLAN; the "no mac-vlan" command cancels the MAC VLAN configuration of this VLAN.
3.
6. Configure the correspondence between the Protocols and the VLAN
   [Global Mode]
   protocol-vlan mode {ethernetii etype |llc {dsap ssap }|snap etype } vlan priority
   no protocol-vlan {mode {ethernetii etype |llc {dsap ssap }|snap etype }|all}
     Add/delete the correspondence between the Protocols and the VLAN, namely the specified protocol joins/leaves the specified VLAN.
7.
Figure 20-8: Typical topology application of dynamic VLAN (Switch A, Switch B and Switch C; VLAN100, VLAN200 and VLAN300; host M)
Configuration Items | Configuration Explanation
MAC-based VLAN | Global configuration on Switch A, Switch B, Switch C.
20.6.4 Dynamic VLAN Troubleshooting
On a switch configured with dynamic VLAN, if two connected devices (e.g. PCs) both belong to the same dynamic VLAN, the first communication between the two devices may not go through. The solution is to have the two devices actively send data packets to the switch (for example by ping), so that the switch learns their source MAC addresses; the two devices are then able to communicate freely within the dynamic VLAN.
Ping 192.168.1.100 Ping 192.168.1.
Figure 20-10: a typical application scene
Switches A and G are not directly connected in the Layer 2 network; B, C, D, E and F are intermediate switches connecting A and G. Switches A and G have VLAN100-1000 configured manually while switches B, C, D, E and F do not. When GVRP is not enabled, A and G cannot communicate with each other, because the intermediate switches do not have the relevant VLANs.
     timer for GVRP.
   garp timer leave <500-1200>
   garp timer leaveall <5000-60000>
   no garp timer (join | leave | leaveAll)
2. Configure port type
   [Port Mode]
   gvrp
   no gvrp
     Enable/disable the GVRP function of the port.
3. Enable GVRP function
   [Global Mode]
   gvrp
   no gvrp
     Enable/disable the global GVRP function of the port.
20.7.
To enable dynamic VLAN information to be registered and updated among switches, the GVRP protocol is to be configured on the switches. Configure GVRP on Switch A, B and C, and enable Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 on Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
Configuration Item | Configuration description
VLAN100 | Port 2-6 of Switch A and C.
Trunk port | Port 11 of Switch A and C, Port 10, 11 of Switch B.
Switch C:
Switch(config)# gvrp
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)# gvrp
Switch(Config-If-Ethernet1/11)#exit
20.7.4 GVRP Troubleshooting
The GARP counter setting for the Trunk ports at both ends of a Trunk link must be the same; otherwise, GVRP will not work normally.
It is recommended to avoid enabling GVRP and RSTP at the same time on the switch. If GVRP needs to be enabled, the RSTP function for the ports must be disabled first.
20.8 Voice VLAN Configuration
20.8.1 Introduction to Voice VLAN
Voice VLAN is specially configured for the user voice data traffic.
20.8.2 Voice VLAN Configuration
Voice VLAN Configuration Task Sequence:
1. Set the VLAN to Voice VLAN
2. Add a voice equipment to Voice VLAN
3. Enable the Voice VLAN on the port
1. Configure the VLAN to Voice VLAN
   [Global Mode]
   voice-vlan vlan
   no voice-vlan
     Set/cancel the VLAN as a Voice VLAN.
2.
20.8.3 Typical Applications of the Voice VLAN
Scenario: A company realizes voice communication by configuring a Voice VLAN. IP-phone1 and IP-phone2 can be connected to any port of the switch, communicate normally, and are interconnected with other switches through the uplink port. IP-phone1 has MAC address 00-30-4f-11-22-33 and connects to port 1/1 of the switch; IP-phone2 has MAC address 00-30-4f-11-22-55 and connects to port 1/2 of the switch.
switch(Config-If-Ethernet1/1)#exit
switch(Config)#interface ethernet 1/2
switch(Config-If-Ethernet1/2)#switchport mode hybrid
switch(Config-If-Ethernet1/2)#switchport hybrid allowed vlan 100 untag
switch(Config-If-Ethernet1/2)#exit
20.8.4 Voice VLAN Troubleshooting
Voice VLAN cannot be applied concurrently with MAC-based VLAN.
The Voice VLAN supports a maximum of 1024 sets of voice equipment; equipment beyond that number is not supported.
The Voice VLAN on the port is enabled by default.
Chapter 21 MAC Table Configuration
21.1 Introduction to MAC Table
The MAC table is a table that identifies the mapping between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
The topology of the figure above: 4 PCs are connected to the switch, where PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/12 of the switch. The initial MAC table contains no address mapping entries. Take the communication between PC1 and PC3 as an example. The MAC address learning process is as follows:
1.
1. Forward data according to the MAC table
If PC1 sends a message to PC3, the switch will forward the data received on port 1/5 out of port 1/12.
2. Filter data according to the MAC table
If PC1 sends a message to PC2, the switch, on checking the MAC table, will find that PC2 and PC1 are in the same physical segment and filter the message (i.e. drop this message).
1. Configure the MAC aging-time
   [Global Mode]
   mac-address-table aging-time <0|aging-time>
   no mac-address-table aging-time
     Configure the MAC address aging-time.
2.
   show collision-mac-address-table
     Show the hash collision MAC table.
   [Admin Mode]
   clear collision-mac-address-table
     Clear the hash collision MAC table.
21.3 Typical Configuration Examples
Figure 22-3: MAC Table typical configuration example
Scenario: Four PCs as shown in the above figure connect to ports 1/5, 1/7, 1/9 and 1/11 of the switch; all four PCs belong to the default VLAN1. As required by the network environment, dynamic learning is enabled.
21.4 MAC Table Troubleshooting
Using the show mac-address-table command, a port is found to have failed to learn the MAC address of a device connected to it. Possible reasons:
The connected cable is broken.
Spanning Tree is enabled and the port is in "discarding" status; or the device has just been connected to the port and Spanning Tree is still calculating. Wait until the Spanning Tree calculation finishes, and the port will learn the MAC address.
   switchport port-security
   no switchport port-security
     Enable the MAC address binding function for the port and lock the port. When a port is locked, MAC address learning on the port is disabled; the "no switchport port-security" command disables the MAC address binding function for the port and restores MAC address learning on the port.
2.
   switchport port-security violation {protect | recovery | restrict | shutdown}
   no switchport port-security violation
     A MAC address security violation occurs when the number of MAC addresses exceeds the configured maximum, when a MAC address accessing the interface does not belong to this interface in the MAC address table, or when a MAC address is configured on several interfaces in the same VLAN.
21.5.1.
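The learning, forwarding, filtering and aging behaviour of 21.1 and the port-security limit of 21.5 can be replayed in a few dozen lines. The Python below is an added example written for this manual, not PLANET code. It re-runs the PC1/PC2 (port 1/5) and PC3/PC4 (port 1/12) walkthrough and then shows a locked port rejecting a second address. The MAC addresses, port list and aging time are constructed; the meaning given to the violation actions (protect = drop the frame silently, restrict = drop and record it, shutdown = disable the port; recovery is not modelled) is an assumption, since the manual lists only the action names.

```python
"""MAC table learning, forwarding, filtering, aging and port security (added example)."""
from typing import Dict, List, Tuple


class MacTable:
    def __init__(self, ports: List[str], aging_time: float = 300.0):
        self.ports = list(ports)
        self.aging_time = aging_time                     # "mac-address-table aging-time", seconds
        self.entries: Dict[Tuple[int, str], dict] = {}  # (vlan, mac) -> {"port", "static", "seen"}
        self.security: Dict[str, dict] = {}             # port -> {"max", "action"}
        self.disabled: set = set()
        self.violations: List[Tuple[str, str]] = []

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.entries[(vlan, mac)] = {"port": port, "static": True, "seen": None}

    def port_security(self, port: str, maximum: int, action: str = "protect") -> None:
        """Lock `port` to at most `maximum` learned addresses (switchport port-security)."""
        self.security[port] = {"max": maximum, "action": action}

    def learned_on(self, port: str) -> List[str]:
        return [mac for (_, mac), e in self.entries.items() if e["port"] == port and not e["static"]]

    def _violate(self, port: str, mac: str) -> bool:
        action = self.security.get(port, {}).get("action", "protect")
        if action != "protect":
            self.violations.append((port, mac))        # restrict/shutdown: record the event
        if action == "shutdown":
            self.disabled.add(port)
        return False

    def _learn(self, mac: str, vlan: int, port: str, now: float) -> bool:
        key = (vlan, mac)
        entry = self.entries.get(key)
        if entry and entry["port"] == port:
            if not entry["static"]:
                entry["seen"] = now                       # refresh the aging timer
            return True
        if entry and entry["static"]:
            return self._violate(port, mac)               # statically bound elsewhere
        sec = self.security.get(port)
        if sec and entry is None and len(self.learned_on(port)) >= sec["max"]:
            return self._violate(port, mac)               # over the locked port's limit
        self.entries[key] = {"port": port, "static": False, "seen": now}
        return True

    def age(self, now: float) -> None:
        """Drop dynamic entries not refreshed within aging_time."""
        stale = [k for k, e in self.entries.items()
                 if not e["static"] and now - e["seen"] >= self.aging_time]
        for k in stale:
            del self.entries[k]

    def forward(self, src: str, dst: str, vlan: int, in_port: str, now: float) -> List[str]:
        """Ports the frame leaves on: [] = filtered or dropped, several = flooded."""
        self.age(now)
        if in_port in self.disabled or not self._learn(src, vlan, in_port, now):
            return []
        entry = self.entries.get((vlan, dst))
        if entry is None:                                 # unknown destination: flood
            return [p for p in self.ports if p != in_port and p not in self.disabled]
        if entry["port"] == in_port:                      # same physical segment: filter
            return []
        return [entry["port"]]


def learning_example() -> dict:
    """Replay of 21.1 with constructed addresses: PC1, PC2 on 1/5; PC3, PC4 on 1/12."""
    t = MacTable(ports=["1/5", "1/12"], aging_time=300)
    pc1, pc2, pc3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    out = {}
    out["pc1->pc3 first"] = t.forward(pc1, pc3, 1, "1/5", now=0)    # PC3 unknown: flood
    out["pc3->pc1 reply"] = t.forward(pc3, pc1, 1, "1/12", now=1)   # PC1 known: to 1/5
    out["pc1->pc3 again"] = t.forward(pc1, pc3, 1, "1/5", now=2)    # PC3 known: to 1/12
    t.forward(pc2, pc1, 1, "1/5", now=3)                            # switch learns PC2 on 1/5
    out["pc1->pc2"] = t.forward(pc1, pc2, 1, "1/5", now=4)          # same segment: filtered
    out["pc1->pc3 aged"] = t.forward(pc1, pc3, 1, "1/5", now=400)   # PC3 aged out: flood again
    return out


def port_security_example() -> dict:
    """A port locked to one address (constructed) drops and records a second one."""
    t = MacTable(ports=["1/5", "1/7", "1/12"])
    t.port_security("1/7", maximum=1, action="restrict")
    a, b, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    first = t.forward(a, c, 1, "1/7", now=0)
    second = t.forward(b, c, 1, "1/7", now=1)
    return {"first": first, "second": second, "violations": t.violations, "learned": t.learned_on("1/7")}
```

The `age` call at the start of `forward` is what makes the last step of `learning_example` flood again: PC3's entry, last refreshed at t=1, is older than the 300 s aging time by t=400.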
1. Configure the global SNMP MAC notification
   [Global Mode]
   snmp-server enable traps mac-notification
   no snmp-server enable traps mac-notification
     Configure or cancel the global SNMP MAC notification.
2. Configure the global MAC notification
   [Global Mode]
   mac-address-table notification
   no mac-address-table notification
     Configure or cancel the global MAC notification.
3.
6. Show the configuration and the data of MAC notification
   [Admin Mode]
   show mac-notification summary
     Show the configuration and the data of MAC notification.
7. Clear the statistics of MAC notification trap
   [Admin Mode]
   clear mac-notification statistics
     Clear the statistics of MAC notification trap.
21.6.3 MAC Notification Example
The IP address of the network management station (NMS) is 1.1.1.5 and the IP address of the Agent is 1.1.1.9.
Chapter 22 MSTP Configuration
22.1 Introduction to MSTP
The MSTP (Multiple STP) is a new Spanning Tree Protocol based on the STP and the RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running the MSTP, the RSTP and the STP. It also calculates independent multiple spanning-tree instances (MSTI) for each MST domain (MSTP domain).
Figure 22-1: Example of CIST and MST Region (bridges Root, A, B, M, E, D, F and C; the MST region is outlined)
In the above network, if the bridges are running the STP or the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a single bridge. Therefore, one port between Bridge B and Root is blocked and one port on Bridge D is blocked.
22.2.
22.2.1.1 Operations between MST Regions
If there are multiple regions or legacy 802.1D bridges within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP bridges in the network. The MST instances combine with the IST at the boundary of the region to become the CST. An MSTI is only valid within its MST region and has nothing to do with MSTIs in other MST regions. The bridges in an MST region receive the MST BPDUs of other regions through Boundary Ports.
1. Enable MSTP and set the running mode
   [Global and Port Mode]
   spanning-tree
   no spanning-tree
     Enable/Disable MSTP.
   [Global Mode]
   spanning-tree mode {mstp|stp|rstp}
   no spanning-tree mode
     Set the MSTP running mode.
   [Port Mode]
   spanning-tree mcheck
     Force the port to migrate to run under MSTP.
2. Configure instance parameters
   [Global Mode]
   spanning-tree mst priority
     Set the bridge priority for the specified instance.
     function.
   no spanning-tree [mst ] loopguard
3. Configure MSTP region parameters
   [Global Mode]
   spanning-tree mst configuration
   no spanning-tree mst configuration
     Enter MSTP region mode. The no command restores the default setting.
   [MSTP Region Mode]
   instance vlan
   no instance [vlan ]
     Create an instance and set the mapping between VLAN and instance.
   name
     Set the MSTP region name.
5. Configure the fast migrate feature for MSTP
   [Port Mode]
   spanning-tree link-type p2p {auto|force-true|force-false}
   no spanning-tree link-type
     Set the port link type.
   spanning-tree portfast [bpdufilter| bpduguard] [recovery <30-3600>]
   no spanning-tree portfast
     Set or cancel the port as a boundary port. With bpdufilter, a received BPDU is discarded; with bpduguard, a received BPDU disables the port; with no parameter, on receiving a BPDU the port becomes a non-boundary port.
6.
   spanning-tree transmit-hold-count
   no spanning-tree transmit-hold-count
     Set the max. transmit-hold-count of the port.
   spanning-tree cost-format {dot1d | dot1t}
     Set the port cost format to dot1d or dot1t.
8. Configure the snooping attribute of authentication key
   [Port Mode]
   spanning-tree digest-snooping
   no spanning-tree digest-snooping
     Set the port to use the authentication string of the partner port. The no command restores the use of the generated string.
9.
22.4 MSTP Example
The following is a typical MSTP application example:
Figure 22-2: Typical MSTP Application (SW1, SW2, SW3 and SW4 with numbered ports; ports marked X are discarding)
Scenario: The connections among the switches are shown in the above figure. All the switches run in MSTP mode by default; their bridge priority, port priority and port route cost are all at the default values (equal).
By default, the MSTP establishes a tree topology (in blue lines) rooted at Switch A. The ports marked with "x" are in the discarding status, and the other ports are in the forwarding status.
Configuration Steps:
Step 1: Configure port to VLAN mapping:
Create VLAN 20, 30, 40, 50 in Switch 2, Switch 3 and Switch 4.
Set ports 1-7 as trunk ports in Switch 2, Switch 3 and Switch 4.
Switch 3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/1-7
Switch3(Config-Port-Range)#switchport mode
Switch4(config)#spanning-tree
Switch4(config)#spanning-tree mst 4 priority 0
After the above configuration, Switch1 is the root bridge of instance 0 of the entire network. In the MSTP region to which Switch 2, Switch 3 and Switch 4 belong, Switch2 is the region root of instance 0, Switch3 is the region root of instance 3 and Switch 4 is the region root of instance 4. The traffic of VLAN 20 and VLAN 30 is sent through the topology of instance 3.
Figure 22-5: The Topology of Instance 4 after the MSTP Calculation (SW2, SW3 and SW4; ports marked X are discarding)
22.5 MSTP Troubleshooting
In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally, it cannot be enabled on the port.
The MSTP parameters co-work with each other, so the parameters should meet the following conditions. Otherwise, MSTP may work incorrectly.
2×(Bridge_Forward_Delay -1.0 seconds) >= Bridge_Max.
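Two points from the MSTP example and troubleshooting text are worth checking mechanically: whether switches really share a region (the region name, revision level and the digest of the VLAN-to-instance table must all match, which is why a single mismatched "instance ... vlan" line silently splits a region), and whether the bridge timers satisfy the relationship the troubleshooting section starts to quote. The Python below is an added example written for this manual, not PLANET code. The digest is the HMAC-MD5 defined by IEEE 802.1s over the 4096-entry VID-to-instance table with the standard's fixed key; the mapping (name "mstp", instance 3 = VLAN 20 and 30, instance 4 = VLAN 40 and 50) is the one configured on Switch 2, 3 and 4 above, and the revision level 0 is assumed. The timer check implements the full IEEE 802.1D relationship between Hello Time, Max Age and Forward Delay, of which the page quotes the first half.

```python
"""MST region identity (802.1s configuration digest) and 802.1D timer check (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Set

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")  # fixed key from IEEE 802.1s


def mst_config_digest(instance_vlans: Dict[int, Set[int]]) -> str:
    """HMAC-MD5 over the VID -> MSTI table; VLANs not listed stay in instance 0 (the CIST)."""
    table = [0] * 4096
    for instance, vids in instance_vlans.items():
        for vid in vids:
            table[vid] = instance
    return hmac.new(MST_DIGEST_KEY, struct.pack("!4096H", *table), hashlib.md5).hexdigest().upper()


class Region:
    """What a bridge advertises as its MST configuration identifier."""

    def __init__(self, name: str, revision: int, instance_vlans: Dict[int, Set[int]]):
        self.name, self.revision = name, revision
        self.digest = mst_config_digest(instance_vlans)

    def same_region(self, other: "Region") -> bool:
        return (self.name, self.revision, self.digest) == (other.name, other.revision, other.digest)


def check_stp_timers(hello: float, max_age: float, forward_delay: float) -> List[str]:
    """Return the violated 802.1D timer constraints (empty list = consistent)."""
    problems = []
    if not 2 * (forward_delay - 1.0) >= max_age:
        problems.append("2 x (Bridge_Forward_Delay - 1.0 s) must be >= Bridge_Max_Age")
    if not max_age >= 2 * (hello + 1.0):
        problems.append("Bridge_Max_Age must be >= 2 x (Bridge_Hello_Time + 1.0 s)")
    return problems


REGION_MSTP = {3: {20, 30}, 4: {40, 50}}   # "instance 3 vlan 20;30" and "instance 4 vlan 40;50"


def region_example() -> dict:
    sw2 = Region("mstp", 0, REGION_MSTP)
    sw3 = Region("mstp", 0, REGION_MSTP)
    # a switch whose mapping differs in a single VLAN ends up in a different region
    stray = Region("mstp", 0, {3: {20, 30}, 4: {40}})
    return {"sw2_sw3": sw2.same_region(sw3), "sw2_stray": sw2.same_region(stray), "digest": sw2.digest}
```

Comparing `digest` values is what a "show spanning-tree mst configuration"-style check does on any MSTP bridge; the digest-snooping command in 22.3 exists precisely for the case where the partner bridge computes it differently.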
Chapter 23 QoS Configuration
23.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS guarantees a consistent and predictable data transfer service quality to fulfill program requirements.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet header, occupying 6 bits, in the range of 0 to 63, and downward compatible with IP Precedence.
MPLS TC (EXP): A field of MPLS packets that carries the service class; it has 3 bits, ranging from 0 to 7.
Internal Priority: The internal priority setting of the switch chip; its valid range depends on the chip; short for Int-Prio or IntP.
The data transfer specifications of IP cover only the addresses and services of source and destination, and ensure correct packet transmission using OSI layer 4 or above protocols such as TCP. However, rather than providing a mechanism for providing and protecting packet transmission bandwidth, IP provides bandwidth service on a best-effort basis.
Classification: Classify traffic according to the packet classification information and generate an internal priority and drop precedence based on the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail.
Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked. Policing can be performed per flow to configure different policies that allocate bandwidth to the classified traffic; the assigned bandwidth policy may be dual bucket dual color or dual bucket three color. The traffic is assigned a color and can then be discarded or passed; for the passed packets, the remarking action is applied.
Figure 23-6: Queuing and Scheduling process
23.2 QoS Configuration Task List
Configure class map
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 FL to classify the data stream. Different classes of data streams will be processed with different policies.
Configure a policy map
After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode.
degrading, assigning a new DSCP value) can be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes.
Apply QoS to the ports or the VLAN interfaces
Configure the trust mode for ports or bind policies to ports. A policy will only take effect on a port when it is bound to that port. The policy may be bound to a specific VLAN. It is not recommended to use a policy map on a VLAN and on its port at the same time.
     ] associated to a class. Different policy or new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class.
   no class
   [Policy Class-map Mode]
   set {ip dscp | ip precedence | internal priority | drop precedence | cos
     Assign a new internal priority for the classified traffic; the no command cancels the newly assigned value.
     out-profile means red. In dual bucket mode, there are three colors (green, yellow, red) of messages: in-profile means green, out-profile means red and yellow.
   drop
   no drop
   transmit
   no transmit
     Drop or transmit the traffic that matches the class; the no command cancels the assigned action.
3. Apply QoS to port or VLAN interface
   [Port Mode]
   mls qos trust dscp
   no mls qos trust dscp
     Configure port trust; the no command disables the current trust status of the port.
4. Configure queue management algorithm and weight
   [Port Mode]
   mls qos queue algorithm {sp | wrr | wdrr}
   no mls qos queue algorithm
     Set the queue management algorithm; the default queue management algorithm is wrr.
   mls qos queue wrr weight
   no mls qos queue wrr weight
     Set the queue weight on a port; the default queue weight is 1 2 3 4 5 6 7 8.
   mls qos queue wdrr weight
     Configure the queue weight according to the port.
7. Show configuration of QoS
   [Admin Mode]
   show mls qos maps [cos-intp | dscp-intp]
     Display the configuration of QoS mapping.
   show class-map []
     Display the classified map information of QoS.
   show policy-map []
     Display the policy map information of QoS.
   show mls qos {interface [] [policy | queuing] | vlan }
     Display QoS configuration information on a port.
23.
The configuration steps are listed below:
Switch#config
Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.
As shown in the figure, inside the block is a QoS domain. Switch 1 classifies different traffic and assigns different IP precedences. For example, set the CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/1. The port connecting to Switch 2 is a trunk port. In Switch 2, set port ethernet 1/1, which connects to Switch 1, to trust CoS. Thus, inside the QoS domain, packets of different priorities will go to different queues and get different bandwidth.
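The QoS domain described above chains three of the mechanisms from this chapter: ACL-based classification on Switch 1 (CoS 5 for the 192.168.1.0 segment), CoS trust on the Switch 2 port facing Switch 1, and the per-port queue scheduler ("sp" or the default "wrr" with weights 1 2 3 4 5 6 7 8). The Python below is an added example written for this manual, not PLANET code. It runs two constructed flows through that chain and reports how many packets each queue gets under each scheduler during congestion. The /24 reading of the (truncated) ACL wildcard, the one-to-one CoS-to-queue map and the packet counts are assumptions.

```python
"""Classification, CoS trust and queue scheduling across the QoS domain (added example)."""
import ipaddress
from collections import Counter
from typing import Dict, List

ACL_1 = [ipaddress.ip_network("192.168.1.0/24")]   # "access-list 1 permit 192.168.1.0 ..." read as /24 (assumed)
DEFAULT_WRR_WEIGHTS = [1, 2, 3, 4, 5, 6, 7, 8]      # default "mls qos queue wrr weight"


def classify_cos(src_ip: str, acl=ACL_1, cos_if_match: int = 5, default_cos: int = 0) -> int:
    """Switch 1: set CoS 5 on packets whose source matches the ACL, otherwise CoS 0."""
    addr = ipaddress.ip_address(src_ip)
    return cos_if_match if any(addr in net for net in acl) else default_cos


def cos_to_queue(cos: int, trust_cos: bool = True) -> int:
    """Switch 2 ingress: with "mls qos trust cos" the CoS selects the queue; an untrusted
    port ignores the tag and uses queue 0 (assumed one-to-one cos-intp map)."""
    if not trust_cos:
        return 0
    if not 0 <= cos <= 7:
        raise ValueError("CoS is a 3-bit field")
    return cos


def schedule(queues: Dict[int, int], algorithm: str, slots: int,
             weights: List[int] = DEFAULT_WRR_WEIGHTS) -> List[int]:
    """Serve up to `slots` packets from backlogged queues {index: packets};
    returns the queue index served at each slot, in order."""
    backlog = dict(queues)
    served: List[int] = []
    while len(served) < slots and any(backlog.values()):
        if algorithm == "sp":
            q = max(i for i, n in backlog.items() if n)   # strict priority: highest busy queue
            backlog[q] -= 1
            served.append(q)
        elif algorithm == "wrr":
            for q in sorted(backlog):                      # one round: weight[q] packets per queue
                for _ in range(min(weights[q], backlog[q])):
                    if len(served) == slots:
                        return served
                    backlog[q] -= 1
                    served.append(q)
        else:
            raise ValueError("algorithm must be sp or wrr")
    return served


def domain_example(slots: int = 14) -> dict:
    """Congested trunk: one flow from the classified segment, one from elsewhere (constructed)."""
    flows = {"192.168.1.77": 50, "10.0.0.9": 50}         # source -> backlogged packets
    queues: Counter = Counter()
    for src, n in flows.items():
        queues[cos_to_queue(classify_cos(src))] += n
    return {
        "queues": dict(queues),
        "wrr": dict(Counter(schedule(queues, "wrr", slots))),
        "sp": dict(Counter(schedule(queues, "sp", slots))),
    }


if __name__ == "__main__":
    print(domain_example())
```

With the default weights, queue 5 receives six slots for every one that queue 0 gets; under strict priority queue 0 is starved entirely while queue 5 has packets, which is the trade-off to keep in mind when choosing "sp" for a port.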
Chapter 24 Flow-based Redirection
24.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit data frames meeting some special condition (specified by an ACL) to another specified port. The frames meeting the same special condition are called a class of flow; the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
2. Check the current flow-based redirection configuration
   [Admin / Global Mode]
   show flow-based-redirect {interface [ethernet |]}
     Display the information of current flow-based redirection in the system/port.
24.3 Flow-based Redirection Examples
Example: The user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is 192.168.1.
Chapter 25 Flexible Q-in-Q Configuration
25.1 Introduction to Flexible Q-in-Q
25.1.1 Q-in-Q Technique
Dot1q-tunnel is also called Q-in-Q (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) inside the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone network of the ISP to provide a simple Layer 2 tunnel for the users.
1. Configure class map
   [Global Mode]
   class-map
   no class-map
     Create a class-map and enter class-map mode; the no command deletes the specified class-map.
3. Bind flexible Q-in-Q policy-map to port
   [Port Mode]
   service-policy input
   no service-policy input
     Apply a policy-map to a port; the no command deletes the specified policy-map applied to the port.
4. Show flexible Q-in-Q policy-map bound to port
   [Admin Mode]
   show mls qos {interface ethernet []
     Show the flexible Q-in-Q configuration on the port.
25.
will be packed with an external tag 1001 (this tag is unique in the public network), enter the Broad Band Network as DSCP10 and be classified to the BRAS device. DSCP20 (or DSCP30) will be packed with an external VLAN tag 2001 (or 3001) and classified to the SR device according to the flow rules. The second user can be assigned different DSCPs in DSLAM2. Notice: The DSCP assigned to the second user may be the same as the first user's, and the DSCP value will also be packed with an external tag.
2. Configure VLAN interface description
   [VLAN Interface Mode]
   description
   no description
     Configure the description information of the VLAN interface. The no command cancels the description information of the VLAN interface.
26.2 IP Configuration
26.2.1 Introduction to IPv4, IPv6
IPv4 is the current version of the global universal Internet protocol.
packet addresses breaks end-to-end security checks; the IPsec Authentication Header (AH), whose integrity check covers the IP header, is one example. Therefore, to solve the various problems of IPv4 comprehensively, the next-generation Internet Protocol IPv6, designed by the IETF, has become the only feasible solution at present. First, the 128-bit addressing scheme of IPv6 can guarantee enough globally unique IP addresses for all nodes of the global IP network, for the foreseeable future and at any scale.
Avoid the use of Network Address Translation. NAT was introduced to share and reuse the same address space among different network segments. This mechanism temporarily mitigates the IPv4 address shortage, but it adds the burden of address translation to network devices and applications.
The IPv6 configuration task list is as follows:
1. IPv6 basic configuration
(1) Configure interface IPv6 address
(2) Configure default gateway
2. IPv6 Neighbor Discovery configuration
(1) Configure the number of DAD neighbor solicitation messages
(2) Configure the interval between neighbor solicitation messages
(3) Configure static IPv6 neighbor entries
(4) Delete all entries in the IPv6 neighbor table
1.
(3) Configure static IPv6 neighbor entries
Command (VLAN Interface Mode): ipv6 neighbor / no ipv6 neighbor
Explanation: Set a static neighbor table entry, including the neighbor's IPv6 address, MAC address and Layer 2 port; the no command deletes the entry.
26.2.3 IPv6 Troubleshooting
If a connected PC has not obtained an IPv6 address, check whether Router Advertisement (RA) is enabled on the interface (it is turned off by default).
26.3.2 Introduction to Default Route
A default route is a kind of static route that is used only when no other route matches. In the routing table, the default route is indicated by a destination address of 0.0.0.0 and a network mask of 0.0.0.0. If the routing table has no route to a packet's destination and no default route is configured, the packet is discarded and an ICMP Destination Unreachable message is sent to the source address to indicate that the destination host or network is unreachable. 26.3.
26.3.4 Static Route Configuration Examples
The figure below shows a simple network consisting of three Layer 3 switches; the network mask for all switches and PCs is 255.255.255.0. PC-A and PC-C are connected via the static routes set on SwitchA and SwitchC; PC-C and PC-B are connected via the static route set on SwitchC towards SwitchB; PC-B and PC-C are connected via the default route set on SwitchB.
Figure: PC-A 10.1.1.2; PC-B 10.1.4.2; PC-C 10.1.5.2; SwitchC vlan2 10.1.2.2, vlan3 10.1.5.1; vlan1 10.1.3.2; vlan1 10.
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
In this way, ping connectivity can be established between PC-A and PC-C, and between PC-B and PC-C.
26.4 RIP
26.4.1 Introduction to RIP
RIP was first used in the ARPANET; it is a protocol intended for small, simple networks. RIP is a distance-vector routing protocol based on the Bellman-Ford algorithm.
The "triggered update" mechanism specifies that whenever a route metric changes, the gateway advertises the update immediately, regardless of the state of the 30-second update timer. There are two versions of RIP, version 1 and version 2. RFC 1058 defines RIP-I; RFC 2453 defines RIP-II, which is compatible with RFC 1723 and RFC 1388. RIP-I sends its update packets by broadcast and supports neither subnet masks nor authentication.
26.4.2 RIP Configuration Task List
1. Enable RIP (required)
(1) Enable/disable the RIP module.
(2) Enable the interface to send/receive RIP packets
2.
Command (Global Mode): router rip / no router rip
Explanation: Enables RIP; the no router rip command disables RIP.
Command (Router and Address Family Mode): network / no network
Explanation: Enables RIP on the given segment; the no network command removes the segment.
2.
2) Configure interface authentication mode and password
Command (VLAN Interface Mode): ip rip authentication mode {text | md5} / no ip rip authentication mode [text | md5]
Explanation: Sets the authentication method; the no command cancels authentication.
Command (VLAN Interface Mode): ip rip authentication string / no ip rip authentication string
Explanation: Sets the authentication key; the no command means no key is needed.
Note: in text mode the key is carried in clear text in every RIP update and can be read by anyone capturing traffic on the segment. Prefer md5 (RFC 2082 keyed MD5), which sends only a digest computed over the packet and the key and carries a sequence number that lets the receiver reject replayed updates.
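As an added illustration of the difference between the text and md5 modes above (example code, not from this manual and not the switch firmware), the following Python script builds RIP-2 response packets in both authentication formats: the RFC 2453 simple-password entry and the RFC 2082 keyed-MD5 header and trailer, and verifies the MD5 form on the receiving side. The key DCS, the key id, the sequence numbers and the route entries are constructed values for the example.

```python
"""Added example (not from the PLANET manual or its firmware): what the RIP-2
"text" and "md5" authentication modes put on the wire. Layouts follow the
RFC 2453 simple-password entry and the RFC 2082 keyed-MD5 header and trailer.
Key, key id, sequence numbers and routes are constructed values."""
import hashlib
import struct

AFI_AUTH = 0xFFFF
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3
HDR = struct.pack("!BBH", 2, 2, 0)          # command 2 = response, version 2


def route_entry(prefix: str, mask: str, metric: int) -> bytes:
    """One 20-byte RIP-2 route entry (AFI 2 = IPv4, route tag 0, next hop 0)."""
    p = bytes(int(x) for x in prefix.split("."))
    m = bytes(int(x) for x in mask.split("."))
    return struct.pack("!HH", 2, 0) + p + m + bytes(4) + struct.pack("!I", metric)


def pad_key(key: bytes) -> bytes:
    if len(key) > 16:
        raise ValueError("RIP keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def build_text_auth(routes: bytes, key: bytes) -> bytes:
    """Simple password: the key itself travels in clear in every update."""
    return HDR + struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE) + pad_key(key) + routes


def recover_text_key(packet: bytes) -> bytes:
    """Anyone capturing on the segment reads the password at a fixed offset."""
    if struct.unpack_from("!HH", packet, 4) != (AFI_AUTH, AUTH_SIMPLE):
        raise ValueError("not a simple-password packet")
    return packet[8:24].rstrip(b"\x00")


def build_md5_auth(routes: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """Keyed MD5: the header carries key id and sequence number, the trailer
    carries MD5(packet || key padded to 16 bytes); the key never leaves the box."""
    body_len = len(HDR) + 20 + len(routes)       # everything before the trailer
    auth_hdr = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, body_len, key_id, 16, seq)
    prefix = HDR + auth_hdr + routes + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return prefix + hashlib.md5(prefix + pad_key(key)).digest()


def verify_md5_auth(packet: bytes, keys: dict, last_seq: int):
    """Receiver: select the key by id, recompute the digest and reject replays
    whose sequence number does not advance. Returns (accepted, seq or None)."""
    afi, atype, body_len, key_id, alen, seq = struct.unpack_from("!HHHBBI", packet, 4)
    if (afi, atype, alen) != (AFI_AUTH, AUTH_MD5, 16) or body_len + 20 != len(packet):
        return False, None
    key = keys.get(key_id)
    if key is None or seq <= last_seq:
        return False, None
    prefix, digest = packet[:body_len + 4], packet[body_len + 4:]
    ok = hashlib.md5(prefix + pad_key(key)).digest() == digest
    return ok, (seq if ok else None)
```

recover_text_key() shows the exposure of text mode. With md5 mode an on-path observer still sees the routes (RIP authentication gives no confidentiality), but cannot forge an update, modify one in flight or replay an old one without the key, which is exactly what the verifier rejects.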
3) Configure the route deviation (offset)
Command (Router Mode): offset-list {in | out} [] / no offset-list {in | out} []
Explanation: Adds an offset to the route metric when the port sends or receives RIP packets; the no offset-list command removes the offset list.
Command: distance [ ] [] / no distance [ ]
Explanation: Sets the administrative distance of RIP routes; the no distance command restores the default value of 120.
Command: maximum-prefix [] / no maximum-prefix
Explanation: Configures the maximum number of RIP routes; the no maximum-prefix command removes the limit.
Command: ip rip send-packet / no ip rip send-packet
Explanation: Enables sending RIP packets on the interface; the no ip rip send-packet command disables sending RIP packets on the interface.
4. Delete the specified route in the RIP route table
Command (Admin Mode): clear ip rip route {|kernel|static|connected|rip|ospf|isis|bgp|all}
Explanation: Deletes the specified route(s) from the RIP route table.
5.
(2) Display and debug the information about the redistribution of OSPF routes into RIP
Command (Admin Mode): debug rip redistribute message send / no debug rip redistribute message send
Explanation: Enables or disables debugging of messages sent by RIP for the redistribution of OSPF routes.
Command (Admin Mode): debug rip redistribute route receive / no debug rip redistribute route receive
Explanation: Enables or disables debugging of routing messages received from NSM.
7.
a) Layer 3 SwitchA:
Configure the IP address of interface vlan 1
SwitchA#config
SwitchA(config)#interface vlan 1
SwitchA(Config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
SwitchA(Config-if-Vlan1)#exit
Configure the IP address of interface vlan 2
SwitchA(config)#vlan 2
SwitchA(Config-Vlan2)#switchport interface ethernet 1/0/2
Set the port Ethernet1/0/2 access vlan 2 successfully
SwitchA(Config-Vlan2)#exit
SwitchA(config)#interface vlan 2
SwitchA(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.
SwitchC(config)#router rip
SwitchC(config-router)#network vlan 1
SwitchC(config-router)#exit
26.4.4 RIP Examples – RIP aggregation function
The application topology is as follows:
Figure 26-3 Typical application of RIP aggregation: S1 vlan1 192.168.10.1; S2 vlan1 192.168.10.2; subnets behind S2: 192.168.20.0/22, 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24, 192.168.24.0/24
In the network topology above, S2 is connected to S1 through interface vlan1, and there are four other subnets behind S2, which are 192.168.21.0/24, 192.168.
to the following: First, ensure the physical connection is correct. Second, ensure the interface and link protocol are UP (use the show interface command). Then start the RIP protocol (use the router rip command), configure the segment (use the network command) and set the RIP parameters on the corresponding interfaces, such as the choice between RIP-I and RIP-II. After that, one feature of the RIP protocol should be kept in mind: a Layer 3 switch running RIP sends route update messages to all neighboring
advertisements (LSAs) are exchanged among neighboring Layer 3 switches. Each neighboring Layer 3 switch copies the LSA into its link-state database and passes the information on to the rest of the network. This process is referred to as "flooding". In this way, first-hand information is distributed throughout the network to provide an accurate map for creating and updating routes. Link-state routing protocols use cost instead of hop count to select routes. Cost is assigned automatically or manually.
Each OSPF Layer 3 switch maintains a database describing the topology of the whole autonomous system. Each Layer 3 switch gathers its local state, such as usable interfaces and reachable neighbors, and sends link-state advertisements to exchange link-state information with the other OSPF Layer 3 switches, so that every switch builds a link-state database describing the whole autonomous system.
In an autonomous system whose advertised link state is mostly external, OSPF allows some areas to be configured as stub areas to reduce the size of the topology database. Type 4 LSAs (ASBR summary LSAs) and type 5 LSAs (AS external LSAs) are not allowed to be flooded into or through a stub area. A stub area must rely on a default route: the Layer 3 switches at the edge of the stub area advertise a default route into it as a type 3 summary LSA, and that default route is flooded only inside the stub area and does not leave it.
2. Configure OSPF protocol parameters (optional)
(1) Configure OSPF packet sending mechanism parameters
1) Configure OSPF packet authentication
2) Set the OSPF interface to receive only
3) Configure the cost for sending packets from the interface
4) Configure OSPF packet timer parameters (the hello and poll timers of a broadcast interface, the neighbor dead interval, the LSA transmission delay and the LSA retransmission interval).
Command: [no] network { | /} area
Explanation: Assigns the given segment to the given area; the no network command cancels this configuration. (required)
2.
Command: ip ospf retransmit-interval
Explanation: Sets the interval for retransmission of link-state advertisements.
Command: debug ospf redistribute message send / no debug ospf redistribute message send
Explanation: Enables or disables debugging of routes sent from this OSPF process for redistribution into other OSPF processes.
Command: debug ospf redistribute route receive / no debug ospf redistribute route receive
Explanation: Enables or disables debugging of routing messages received from NSM by the OSPF process.
5) Configure whether to log OSPF adjacency changes
Command (OSPF Protocol Configuration Mode): log-adjacency-changes detail / no log-adjacency-changes detail
Explanation: Configure whether to keep a log of OSPF adjacency changes.
6) Filter the routes obtained by OSPF
Command (OSPF Protocol Configuration Mode): filter-policy / no filter-policy
Explanation: Use an access list to filter the routes learned by OSPF; the no command cancels the route filtering.
3.
The configuration for Layer 3 Switch1 and Switch5 is shown below:
Layer 3 Switch1
Configuration of the IP address for interface vlan1
Switch1#config
Switch1(config)#interface vlan 1
Switch1(config-if-vlan1)#ip address 10.1.1.1 255.255.255.0
Switch1(config-if-vlan1)#exit
Configuration of the IP address for interface vlan2
Switch1(config)#interface vlan 2
Switch1(config-if-vlan2)#ip address 100.1.1.1 255.255.255.
Layer 3 Switch3:
Configuration of the IP address for interface vlan3.
Switch3#config
Switch3(config)#interface vlan 3
Switch3(config-if-vlan3)#ip address 20.1.1.2 255.255.255.0
Switch3(config-if-vlan3)#no shutdown
Switch3(config-if-vlan3)#exit
Start the OSPF protocol and configure the OSPF area to which interface vlan3 belongs
Switch3(config)#router ospf
Switch3(config-router)#network 20.1.1.
Configuration of the IP address for interface vlan3
Switch5(config)#interface vlan 3
Switch5(config-if-vlan3)#ip address 30.1.1.1 255.255.255.0
Switch5(config-if-vlan3)#no shutdown
Switch5(config-if-vlan3)#exit
Enable the OSPF protocol and configure the number of the area in which interfaces vlan2 and vlan3 reside.
Switch5(config)#router ospf
Switch5(config-router)#network 30.1.1.0/24 area 0
Switch5(config-router)#network 100.1.1.
In area 1, Layer 3 switches SwitchA and SwitchB are both internal switches; the area border switches SwitchC and SwitchD are responsible for advertising the distance (cost) to all destinations outside the area, and also for advertising the location of the AS boundary Layer 3 switches SwitchD and SwitchF, whose AS external link-state advertisements are flooded throughout the whole autonomous system.
Enable the OSPF protocol and configure the area number for interface vlan2.
SwitchA(config)#router ospf
SwitchA(config-router)#network 10.1.1.0/24 area 1
SwitchA(config-router)#exit
Configure simple password authentication. (Note: with simple authentication the key DCS is sent in clear text in every OSPF packet on the segment; use message-digest authentication wherever the segment is not fully trusted.)
SwitchA(config)#interface vlan 2
SwitchA(config-If-Vlan2)#ip ospf authentication
SwitchA(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchA(config-If-Vlan2)#exit
Configure the IP address and area number for interface vlan1.
SwitchA(config)#interface vlan 1
SwitchA(config-If-Vlan1)#ip address 20.1.
Configure the IP address and area number for interface vlan1.
SwitchB(config)#interface vlan 1
SwitchB(config-If-Vlan1)#ip address 20.1.2.1 255.255.255.0
SwitchB(config-If-Vlan1)#exit
SwitchB(config)#router ospf
SwitchB(config-router)#network 20.1.2.0/24 area 1
SwitchB(config-router)#exit
SwitchB(config)#exit
3) Switch C:
Configure the IP address for interface vlan2
SwitchC#config
SwitchC(config)#interface vlan 2
SwitchC(config-If-Vlan2)#ip address 10.1.1.3 255.255.255.
Configure MD5 key authentication. (Both ends of a segment must use the same authentication type and key, otherwise no adjacency forms.)
SwitchC(config)#interface vlan 1
SwitchC(config-If-Vlan1)#ip ospf authentication message-digest
SwitchC(config-If-Vlan1)#ip ospf authentication-key DCS
SwitchC(config-If-Vlan1)#exit
SwitchC(config)#exit
SwitchC#
4) Switch D:
Configure the IP address for interface VLAN2
SwitchD#config
SwitchD(config)#interface vlan 2
SwitchD(config-If-Vlan2)#ip address 10.1.1.4 255.255.255.0
SwitchD(config-If-Vlan2)#exit
Enable the OSPF protocol and configure the area number for interface VLAN2.
Scenario 3: OSPF importing routes from other OSPF processes
As shown in the following graph, a switch running OSPF connects two networks, network A and network B. For some reason, network A must be able to learn the routes of network B, but network B must not learn the routes of network A. To achieve this, two OSPF processes can be started, one on interface VLAN 1 and one on interface VLAN 2.
26.5.5 Configuration Examples of OSPF VPN
Figure 26-7 OSPF VPN Example: SwitchA (PE) interface vlan1 10.1.1.1/24 and interface vlan2 20.1.1.1/24; SwitchB (CE1) interface vlan1 10.1.1.2/24; SwitchC (CE2) interface vlan1 20.1.1.2/24
The figure above shows a network of three Layer 3 switches in which SwitchA is the PE and SwitchB and SwitchC are CE1 and CE2. The PE is connected to CE1 and CE2 through VLAN1 and VLAN2. Routing information is exchanged between the PE and the CEs through OSPF.
SwitchA(config-router)#network 10.1.1.0/24 area 0
SwitchA(config-router)#redistribute bgp
SwitchA(config-router)#exit
SwitchA(config)#router ospf 200 vpnc
SwitchA(config-router)#network 20.1.1.0/24 area 0
SwitchA(config-router)#redistribute bgp
b) The Layer 3 SwitchB of CE1:
Configure the IP address of Ethernet E 1/0/2
SwitchB#config
SwitchB(config)#interface Vlan1
SwitchB(config-if-vlan1)#ip address 10.1.1.2 255.255.255.
After that, the following OSPF properties should be checked: the OSPF backbone area (area 0) must be contiguous; if it is not, use a virtual link to make it contiguous. All non-zero areas must connect to other non-zero areas only through area 0. A border Layer 3 switch is one with some interfaces in area 0 and others in a non-zero area. A DR should be specified on multi-access networks such as broadcast networks.
26.6 ARP
26.6.
Chapter 27 ARP Scanning Prevention Function Configuration
27.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common network attack technique. To discover all active hosts in a network segment, the attack source broadcasts large numbers of ARP messages in the segment, which consumes a large part of the network bandwidth. It can even mount a high-volume attack via forged ARP messages, bringing the network down by exhausting its bandwidth.
27.2 ARP Scanning Prevention Configuration Task Sequence
1. Enable the ARP Scanning Prevention function.
2. Configure the thresholds of the port-based and IP-based ARP Scanning Prevention
3. Configure trusted ports
4. Configure trusted IP addresses
5. Configure the automatic recovery time
6. Display debug information and ARP scanning information
1. Enable the ARP Scanning Prevention function.
4. Configure trusted IP
Command (Global Mode): anti-arpscan trust ip [] / no anti-arpscan trust ip []
Explanation: Set or clear the trusted attribute of an IP address.
5. Configure automatic recovery time
Command (Global Mode): anti-arpscan recovery enable / no anti-arpscan recovery enable
Explanation: Enable or disable the automatic recovery function.
Command (Global Mode): anti-arpscan recovery time / no anti-arpscan recovery time
Explanation: Set the automatic recovery time.
6.
27.3 ARP Scanning Prevention Typical Examples
Figure 27-1: ARP scanning prevention typical configuration example (SWITCH B E1/1 to SWITCH A E1/19; SWITCH A E1/2 to Server 192.168.1.100/24; other SWITCH A ports to PCs)
In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A, port E1/2 of SWITCH A is connected to a file server (IP address 192.168.1.100/24), and all the other ports of SWITCH A are connected to ordinary PCs.
27.4 ARP Scanning Prevention Troubleshooting Help
ARP scanning prevention is disabled by default. After enabling it, users can turn on the debug switch, debug anti-arpscan, to view debug information.
Chapter 28 Prevent ARP Spoofing Configuration
28.1 Overview
28.1.1 ARP (Address Resolution Protocol)
Generally speaking, ARP (RFC 826) is responsible for mapping an IP address to the corresponding 48-bit physical address, i.e. the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-30-4F-FD-1D-2B.
relationship set up by the attack packets, so that the switch forwards packets wrongly and the whole network is affected. Alternatively the switches are exploited by malicious attackers, who intercept and capture packets forwarded by the switches, or attack other switches, host computers or network equipment.
28.3 Prevent ARP Spoofing Example
Equipment / Configuration / Quantity
Switch: IP 192.168.2.4; MAC 00-00-00-00-00-04 / 1
A: IP 192.168.2.1; MAC 00-00-00-00-00-01 / 1
B: IP 192.168.1.2; MAC 00-00-00-00-00-02 / 1
C: IP 192.168.2.3; MAC 00-00-00-00-00-03 / some
In the diagram above there is normal communication between B and C. A wants the switch to forward the packets sent by B to itself, so it needs the switch to send the packets from B to A instead.
Switch(Config)#ip arp-security learnprotect
Switch(Config)#
Switch(config)#ip arp-security convert
If the environment changes, ARP refresh can be forbidden: once an ARP entry has been learned it will not be refreshed by a new ARP reply packet, which protects user data from sniffing.
Chapter 29 ARP GUARD Configuration
29.1 Introduction to ARP GUARD
There is a serious security weakness in the design of the ARP protocol: any network device can send ARP messages advertising a mapping between an IP address and a MAC address, and nothing authenticates them. This provides an opportunity for ARP cheating. Attackers can send ARP REQUEST or ARP REPLY messages advertising a wrong IP-to-MAC mapping, disrupting network communication.
29.2 ARP GUARD Configuration Task List 1.
Chapter 30 Gratuitous ARP Configuration
30.1 Introduction to Gratuitous ARP
A gratuitous ARP is an ARP request sent by a host with its own IP address as the target address of the request. The basic working mode of the switch is as follows: the Layer 3 interfaces of the switch can be configured to send gratuitous ARP packets periodically, or the switch can be configured globally to send gratuitous ARP packets on all interfaces. The purpose of gratuitous ARP is as follows:
1.
2. Display configurations about gratuitous ARP
Command (Admin, Global and VLAN Interface Mode): show ip gratuitous-arp [interface VLAN <1-4094>]
Explanation: Display the gratuitous ARP configuration.
30.3 Gratuitous ARP Configuration Example
Figure 30-1: Gratuitous ARP Configuration Example (Switch interface vlan10 192.168.15.254 255.255.255.0; PC1 to PC5)
For the network topology shown in the figure above, interface VLAN10, whose IP address is 192.168.15.
30.4 Gratuitous ARP Troubleshooting
Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, debugging information about ARP packets can be retrieved through the command debug ARP send. If gratuitous ARP was enabled in global configuration mode, it can only be disabled in global configuration mode; if it was configured in interface configuration mode, it can only be disabled in interface configuration mode.
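The three ARP behaviours handled by the features of Chapters 27, 28 and 30 (ARP scanning, ARP spoofing against a static binding, gratuitous ARP) can be checked in software as well. The Python script below is an added example, not part of this manual and not the switch's implementation: it parses Ethernet/ARP frames constructed inline, flags a source MAC that exceeds a request-rate threshold (the software analogue of the anti-arpscan port-based and IP-based thresholds), compares ARP replies against a fixed IP-to-MAC table like the one in 28.3, and recognises gratuitous ARP. Threshold, window, MAC addresses, the binding table and the replayed frames are assumed values.

```python
"""Added example (not from the PLANET manual or its firmware): host-side checks
for ARP scanning, ARP spoofing against a static binding table, and gratuitous
ARP. All frames below are constructed in the script; no capture is needed."""
import struct
from collections import defaultdict, deque

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, smac, sip, tmac, tip, dst=BROADCAST) -> bytes:
    """Ethernet header + 28-byte ARP body (hardware type 1, protocol IPv4)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + ip_bytes(sip) + tmac + ip_bytes(tip)
    return dst + smac + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    return {
        "op": struct.unpack_from("!H", frame, 20)[0],
        "smac": frame[22:28], "sip": ".".join(map(str, frame[28:32])),
        "tmac": frame[32:38], "tip": ".".join(map(str, frame[38:42])),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: the sender announces itself, so sender IP == target IP."""
    return arp["sip"] == arp["tip"]


class ScanDetector:
    """Flags a source MAC that sends more than `threshold` ARP requests within
    `window` seconds; a software analogue of the per-port / per-IP thresholds
    of the switch's anti-arpscan feature."""

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)      # smac -> timestamps of recent requests

    def observe(self, arp: dict, ts: float) -> bool:
        if arp["op"] != ARP_REQUEST:
            return False
        q = self.seen[arp["smac"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


def check_binding(arp: dict, bindings: dict) -> str:
    """Compare the sender pair with the static IP -> MAC table:
    'ok' (matches), 'spoof' (bound IP claimed by another MAC) or 'unknown'."""
    mac = bindings.get(arp["sip"])
    if mac is None:
        return "unknown"
    return "ok" if mac == arp["smac"] else "spoof"


def run_demo() -> dict:
    """Replay constructed frames through the three checks and return findings."""
    mac_a, mac_b, mac_c = (bytes.fromhex("00000000000%d" % i) for i in (1, 2, 3))
    bindings = {"192.168.2.2": mac_b, "192.168.2.3": mac_c}   # assumed static table
    det = ScanDetector(threshold=5, window=1.0)
    frames = []
    # A sweeps the segment: 8 requests within 0.8 s (targets .2 .. .9)
    for i in range(2, 10):
        frames.append((0.1 * i, build_arp(ARP_REQUEST, mac_a, "192.168.2.1", bytes(6), "192.168.2.%d" % i)))
    # A then claims B's address in a unicast reply to C (the 28.3 scenario)
    frames.append((2.0, build_arp(ARP_REPLY, mac_a, "192.168.2.2", mac_c, "192.168.2.3", dst=mac_c)))
    # B legitimately announces itself with a gratuitous ARP
    frames.append((3.0, build_arp(ARP_REQUEST, mac_b, "192.168.2.2", bytes(6), "192.168.2.2")))
    findings = {"scan": set(), "spoof": [], "gratuitous": []}
    for ts, frame in frames:
        arp = parse_arp(frame)
        if det.observe(arp, ts):
            findings["scan"].add(arp["smac"].hex())
        if arp["op"] == ARP_REPLY and check_binding(arp, bindings) == "spoof":
            findings["spoof"].append((arp["sip"], arp["smac"].hex()))
        if is_gratuitous(arp):
            findings["gratuitous"].append(arp["sip"])
    return findings
```

run_demo() flags A as a scanner once its sixth request in one second is seen, reports A's reply for 192.168.2.2 as a spoof because the table binds that address to B's MAC, and lists only B's own announcement as gratuitous. The same checks can be fed from a live capture instead of the constructed frames.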
Chapter 31 DHCP Configuration
31.1 Introduction to DHCP
DHCP [RFC 2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from an address pool, as well as other network configuration parameters such as the default gateway, DNS server, default route and the location of the host's boot image file. DHCP is the enhanced successor of BOOTP.
so that the DHCP packet exchange can be completed between the DHCP client and server. The switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment but also manual IP address binding (i.e. assigning a specific IP address to a specified MAC address or device ID for a long period).
Command (Global Mode): ip dhcp pool / no ip dhcp pool
Explanation: Configure a DHCP address pool. The no operation removes the DHCP address pool.
(2) Configure DHCP address pool parameters
Command (DHCP Address Pool Mode): network-address [mask | prefix-length] / no network-address
Explanation: Configure the address range that can be allocated from the address pool. The no operation of this command cancels the allocation address pool.
Command (DHCP Address Pool Mode): option {ascii | hex | ipaddress} / no option
Explanation: Configure the network parameter specified by the option code. The no command deletes the network parameter specified by the option code.
Command (DHCP Address Pool Mode): lease { days [hours] [minutes] | infinite } / no lease
Explanation: Configure the lease period of the addresses allocated from the address pool. The no command deletes the lease period.
31.3 DHCP Relay Configuration
When the DHCP client and server are in different segments, a DHCP relay is required to forward DHCP packets between them. With a DHCP relay it is unnecessary to deploy a DHCP server in each segment: one DHCP server can provide network configuration parameters to clients in multiple segments, which is both cost-effective and easier to manage.
1. Enable DHCP relay.
Command (Global Mode): service dhcp / no service dhcp
Explanation: DHCP server and DHCP relay are both enabled when the DHCP service is enabled.
2. Configure DHCP relay to forward DHCP broadcast packets.
Command (Global Mode): ip forward-protocol udp bootps / no ip forward-protocol udp bootps
Explanation: UDP port 67 (bootps) is used for DHCP broadcast packet forwarding.
configurations for location A and B are shown below.
PoolA (network 10.16.1.0)
Default gateway: 10.16.1.200, 10.16.1.201
DNS server: 10.16.1.202
WINS server: 10.16.1.209
WINS node type: H-node
Lease: 3 days
PoolB (network 10.16.2.0)
Default gateway: 10.16.1.200, 10.16.1.201
DNS server: 10.16.1.202
WWW server: 10.16.1.209
Lease: 1 day
In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned the fixed IP address 10.16.1.
Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch, the client can only get an address from 10.16.1.0/24, not from 10.16.2.0/24. This is because the broadcast packet from the client, after being forwarded by the VLAN interface, requests an address in the segment of that VLAN interface; the VLAN interface IP address is 10.16.1.2/24, so the address assigned to the client belongs to 10.16.1.0/24. If the DHCP/BOOTP client wants an address in 10.16.2.
Switch(Config-if-Vlan2)#ip address 10.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#ip forward-protocol udp bootps
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip helper-address 10.1.1.10
Switch(Config-if-Vlan1)#exit
Note: It is recommended to use the commands ip forward-protocol udp and ip helper-address together. ip helper-address can only be configured on Layer 3 interfaces and cannot be configured on Layer 2 ports directly.
switch(config)#ip dhcp relay information option
switch(config)#ip dhcp relay share-vlan 1 sub-vlan 3
switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
switch(config-if-vlan1)#ip helper-address 192.168.40.199
31.5 DHCP Troubleshooting
If DHCP clients cannot obtain IP addresses and other network parameters, follow the procedure below once the DHCP client hardware and cables have been verified to be OK. Verify that the DHCP server is running; start the related DHCP server if it is not running.
Chapter 32 DHCPv6 Configuration
32.1 Introduction to DHCPv6
DHCPv6 [RFC 3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses and other network configuration parameters, such as DNS server addresses and domain names, to DHCPv6 clients. DHCPv6 is the stateful address configuration mechanism of IPv6, as opposed to stateless address autoconfiguration.
2. Any DHCPv6 server that receives the SOLICIT replies to the client with an ADVERTISE message, which includes the identity of the server (its DUID) and its preference (priority).
3. The client may receive several ADVERTISE messages. It selects one server and sends it a REQUEST message asking for the address that was offered in that ADVERTISE message.
4. The selected DHCPv6 server then confirms the IPv6 address and any other configuration to the client with a REPLY message.
1. To enable/disable the DHCPv6 service
Command (Global Mode): service dhcpv6 / no service dhcpv6
Explanation: Enable the DHCPv6 service.
2. To configure a DHCPv6 address pool
(1) To create/delete a DHCPv6 address pool
Command (Global Mode): ipv6 dhcp pool / no ipv6 dhcp pool
Explanation: Configure a DHCPv6 address pool.
3. To enable the DHCPv6 server function on a port.
Command (VLAN Interface Mode): ipv6 dhcp server [preference ] [rapid-commit] [allow-hint] / no ipv6 dhcp server
Explanation: Enable the DHCPv6 server function on the specified port and bind the DHCPv6 address pool to be used.
32.3 DHCPv6 Relay Delegation Configuration
The DHCPv6 relay delegation configuration task list is as follows:
1. To enable/disable the DHCPv6 service
2. To configure DHCPv6 relay delegation on a port
1.
3. To configure a DHCPv6 address pool
(1) To create/delete a DHCPv6 address pool
(2) To configure the prefix delegation pool used by the DHCPv6 address pool
(3) To configure static prefix delegation bindings
(4) To configure other parameters of the DHCPv6 address pool
4. To enable the DHCPv6 prefix delegation server function on a port
1. To enable/disable the DHCPv6 service
Command (Global Mode): service dhcpv6 / no service dhcpv6
Explanation: Enable the DHCPv6 service.
2.
(3) To configure a static prefix delegation binding
Command (DHCPv6 Address Pool Mode): prefix-delegation [iaid ] [lifetime ] / no prefix-delegation
Explanation: Specify the IPv6 prefix and any prefix required by the client as a static binding.
1. To enable/disable the DHCPv6 service
Command (Global Mode): service dhcpv6 / no service dhcpv6
Explanation: Enable the DHCPv6 service.
2. To enable the DHCPv6 prefix delegation client function on a port
Command (VLAN Interface Mode): ipv6 dhcp client pd [rapid-commit] / no ipv6 dhcp client pd
Explanation: Enable the client prefix delegation request function on the specified port; the prefix obtained is associated with the configured general prefix.
32.
Usage guide:
Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)#service dhcpv6
Switch3(config)#ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.
Switch2 configuration:
Switch2>enable
Switch2#config
Switch2(config)#service dhcpv6
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64
Switch2(Config-if-Vlan1)#exit
Switch2(config)#interface vlan 10
Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64
Switch2(Config-if-Vlan10)#exit
Switch2(config)#interface vlan 100
Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
Switch2(Config-if-Vlan100)#ipv6 nd ma
the hosts are connected to, are connected with the port which the DHCPv6 server is connected to.
Chapter 33 DHCP Option 82 Configuration
33.1 Introduction to DHCP Option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address assignment policy. The relay agent adds option 82 (including the client's physical access port, the access device ID and other information) to the DHCP request message from the client and then forwards the message to the DHCP server.
SubOpt: the sub-option code; the Circuit ID sub-option has code 1 and the Remote ID sub-option has code 2. Len: the number of bytes in the sub-option Value, not including the two bytes of the SubOpt and Len fields themselves. 33.1.
33.2 DHCP Option 82 Configuration Task List
1. Enable DHCP option 82 on the relay agent
2. Configure the DHCP option 82 attributes of the interface
3. Enable DHCP option 82 on the server
4. Configure the default format of DHCP option 82 on the relay agent
5. Configure the delimiter
6. Configure the creation method of option 82
7. Diagnose and maintain DHCP option 82
1. Enable DHCP option 82 on the relay agent.
This command sets the forwarding policy of the system for a received DHCP request message that already contains option 82. A request arriving from an untrusted access port with option 82 already present may have been forged by the client to impersonate another access port, so on such ports the option should be dropped or replaced rather than kept.
3. Enable DHCP option 82 on the server.
Command (Global Mode): ip dhcp server relay information enable / no ip dhcp server relay information enable
Explanation: This command enables the switch's DHCP server to recognise option 82. The no ip dhcp server relay information enable command makes the server ignore option 82.
4.
Command: ip dhcp relay information option self-defined remote-id format [ascii |
Explanation: Set the self-defined format of the remote-id in relay option 82.
In the above example, Layer 2 switches Switch1 and Switch2 are both connected to Layer 3 switch Switch3. Switch3, as the DHCP relay agent, forwards the request messages from DHCP clients to the DHCP server and forwards the reply messages from the server back to the DHCP clients to complete the DHCP exchange. If DHCP option 82 is disabled, the DHCP server cannot tell whether a DHCP client is in the network connected to Switch1 or the one connected to Switch2.
option subnet-mask 255.255.255.0;
option domain-name "example.com.cn";
option domain-name-servers 192.168.10.3;
authoritative;
pool {
  range 192.168.102.21 192.168.102.50;
  default-lease-time 86400; # 24 hours
  max-lease-time 172800; # 48 hours
  allow members of "Switch3Vlan2Class1";
}
pool {
  range 192.168.102.51 192.168.102.
To verify the option 82 function on the DHCP server, the debug ip dhcp server packet command can be used during operation to display how the server processes the packets, including the option 82 information recognised in the request message and the option 82 information returned in the reply message.
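As an added example (not from this manual and not the switch's code), the Python script below encodes and decodes option 82 with the SubOpt/Len/Value layout of 33.1, applies the relay-side policy for a request that already carries option 82, and classifies a request by its Circuit ID the way the dhcpd class/pool split above does. The circuit-id and remote-id strings, the class name and the sample options fields are assumed values.

```python
"""Added example (not from the PLANET manual or its firmware): DHCP option 82
(Relay Agent Information, RFC 3046) encoding/decoding with the SubOpt / Len /
Value layout, the relay-side policy for a request already carrying option 82,
and server-side pool selection by Circuit ID. Ids and class names are assumed."""
import struct

OPT_RELAY_AGENT, OPT_END, OPT_PAD = 82, 255, 0
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option 82 value: sub-option 1 (Circuit ID) then sub-option 2 (Remote ID)."""
    return (struct.pack("!BB", SUB_CIRCUIT_ID, len(circuit_id)) + circuit_id
            + struct.pack("!BB", SUB_REMOTE_ID, len(remote_id)) + remote_id)


def parse_option82(value: bytes) -> dict:
    """Split an option 82 value into {sub-option code: value}."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        sub, ln = value[i], value[i + 1]
        if i + 2 + ln > len(value):
            raise ValueError("truncated option 82 sub-option")
        subs[sub] = value[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def parse_options(opts: bytes) -> dict:
    """Parse the DHCP options field (after the magic cookie) into {code: value}."""
    out, i = {}, 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_PAD:
            i += 1
            continue
        ln = opts[i + 1]
        out[opts[i]] = opts[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def serialize_options(opts: dict) -> bytes:
    body = b""
    for code, value in opts.items():
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        body += struct.pack("!BB", code, len(value)) + value
    return body + bytes([OPT_END])


def relay_insert(opts: bytes, circuit_id: bytes, remote_id: bytes, policy: str = "replace"):
    """Relay agent handling of a client request on an untrusted port.
    Returns the new options field, or None when the policy drops the packet."""
    parsed = parse_options(opts)
    if OPT_RELAY_AGENT in parsed:
        if policy == "drop":
            return None
        if policy == "keep":
            return opts
        # replace: never let a client choose the circuit id the server will trust
    parsed[OPT_RELAY_AGENT] = encode_option82(circuit_id, remote_id)
    return serialize_options(parsed)


def classify(opts: bytes, classes: dict) -> str:
    """Server side: choose the pool by Circuit ID, like the dhcpd class/pool split
    in the example configuration. Returns the class name or 'default'."""
    parsed = parse_options(opts)
    if OPT_RELAY_AGENT not in parsed:
        return "default"
    circuit = parse_option82(parsed[OPT_RELAY_AGENT]).get(SUB_CIRCUIT_ID, b"")
    return classes.get(circuit, "default")
```

With the default replace policy a client that sends its own option 82 cannot influence which pool it lands in; with keep it can, which is why keep belongs only on ports facing another trusted relay.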
Chapter 34 DHCP Option 60 and Option 43
34.1 Introduction to DHCP Option 60 and Option 43
The DHCP server analyses DHCP packets from DHCP clients. If a packet carries option 60 (vendor class identifier), the server decides whether to return option 43 (vendor-specific information) to the client according to the option 60 of the packet and the option 60 and option 43 configured in the DHCP server address pool. Configure the corresponding option 60 and option 43 in the DHCP server address pool:
1. The address pool has both option 60 and option 43 configured.
dhcp pool mode.
Command (ip dhcp pool mode): option 60 ip A.B.C.D
Explanation: Configure the option 60 string in IP address format.
Command (ip dhcp pool mode): option 43 ip A.B.C.D
Explanation: Configure the option 43 string in IP address format.
Command (address pool mode): no option 60
Explanation: Delete the configured option 60.
Command (address pool mode): no option 43
Explanation: Delete the configured option 43.
34.
Chapter 35 DHCPv6 Options 37, 38
35.1 Introduction to DHCPv6 Options 37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 addressing scheme and is used to assign IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client on a different link wants to request an address and configuration parameters from a DHCPv6 server, it must communicate with the server through a DHCPv6 relay agent.
35.2 DHCPv6 Options 37, 38 Configuration Task List
1. DHCPv6 snooping option basic functions configuration
2. DHCPv6 relay option basic functions configuration
3. DHCPv6 server option basic functions configuration
1. DHCPv6 snooping option basic functions configuration
Command Explanation (Global Mode)
ipv6 dhcp snooping remote-id option / no ipv6 dhcp snooping remote-id option - This command enables DHCPv6 SNOOPING to support option 37; the no command disables it.
drop, the system simply discards the packet carrying option 38; keep, the system leaves option 38 unchanged and forwards the packet to the server; replace, the system replaces the option 38 of the current packet with its own before forwarding it to the server. The no command restores the forwarding policy for DHCPv6 packets with option 38 to replace.
ipv6 dhcp snooping subscriber-id / no ipv6 dhcp snooping subscriber-id - This command is used to set the form of adding option 38 to received DHCPv6 request packets, in which the user-defined content of subscriber-id in option 38 is a string shorter than 128 characters. The no operation restores the subscriber-id in option 38 to the VLAN name together with the port name, such as "Vlan2+Ethernet1/2".
2.
Layer 3 Interface Mode
ipv6 dhcp relay remote-id / no ipv6 dhcp relay remote-id - This command is used to set the form of adding option 37 to received DHCPv6 request packets, in which the user-defined content of remote-id in option 37 is a string shorter than 128 characters. The no operation restores the remote-id in option 37 to the enterprise number together with the VLAN MAC address.
disables it.
ipv6 dhcp use class / no ipv6 dhcp use class - This command enables the DHCPv6 server to use DHCPv6 classes during address assignment; the no form of this command disables it without removing the DHCPv6 class information that has been configured.
ipv6 dhcp class / no ipv6 dhcp class - This command defines a DHCPv6 class and enters DHCPv6 class mode; the no form of this command removes this DHCPv6 class.
address range / no address range - This command is used to set the address range for a DHCPv6 class in DHCPv6 address pool configuration mode; the no form of the command removes the address range. The prefix/plen form is not supported.
35.3 DHCPv6 Options 37, 38 Examples
35.3.1 DHCPv6 Snooping Options 37, 38 Example
[Figure 35-1: DHCPv6 Snooping option schematic. Switch B; SwitchA with interfaces E1/1, E1/2 (MAC-AA), E1/3 (MAC-BB) and E1/4 (MAC-CC)]
As shown in the figure above, MAC-AA, MAC-BB and MAC-CC are normal users connected to the untrusted interfaces 1/2, 1/3 and 1/4 respectively; they obtain the IP addresses 2010:2, 2010:3 and 2010:4 through the DHCPv6 client. The DHCPv6 server is connected to the trusted interface 1/1.
SwitchA(config-if-vlan1)#ipv6 address 2001:da8:100:1::1
SwitchA(config-if-vlan1)#exit
SwitchA(config)#interface ethernet 1/1-4
SwitchA(config-if-port-range)#switchport access vlan 1
SwitchA(config-if-port-range)#exit
SwitchA(config)#
Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 200
2001:da8:100:1::31 2001:da8:100:1::60
SwitchB(dhcpv6-eastdormpool-config)#class CLASS3
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#address range 2001:da8:100:1::61 2001:da8:100:1::100
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(config)#
35.3.
Switch 2 configuration:
S2(config)#service dhcpv6
S2(config)#ipv6 dhcp relay remote-id option
S2(config)#ipv6 dhcp relay subscriber-id option
S2(config)#vlan 10
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1:::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#
35.
Chapter 36 DHCP Snooping Configuration
36.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which DHCP clients obtain IP addresses via the DHCP protocol. It prevents DHCP attacks and rogue DHCP servers by distinguishing trusted ports from untrusted ports: DHCP messages from trusted ports are forwarded without being verified. In typical deployments, trusted ports connect to the DHCP server or DHCP relay agent, and untrusted ports connect to DHCP clients.
LOG Function: When the switch detects abnormal received packets or recovers automatically, it sends syslog information to the Log Server.
Encryption of Private Messages: The communication between the switch and the inner network security management system TrustView uses private messages, and users can encrypt version 2 of those messages.
Authentication option82 Function: It is used together with the dot1x dhcpoption82 authentication mode.
ip dhcp snooping binding enable / no ip dhcp snooping binding enable - Enable or disable the DHCP snooping binding function.
3. Enable DHCP Snooping binding ARP function
Command Explanation (Global Mode)
ip dhcp snooping binding arp / no ip dhcp snooping binding arp - This command is not supported by the switch.
4. Enable DHCP Snooping option82 function
Command Explanation (Global Mode)
ip dhcp snooping information enable / no ip dhcp snooping information enable - Enable/disable the DHCP Snooping option 82 function.
ip user helper-address A.B.C.D [port ] source (secondary|) / no ip user helper-address (secondary|) - Set or delete the helper server address.
8. Set trusted ports
Command Explanation (Port Mode)
ip dhcp snooping trust / no ip dhcp snooping trust - Set or delete the DHCP snooping trust attribute of ports.
9.
11. Add static binding information
Command Explanation (Global Mode)
ip dhcp snooping binding user address interface (ethernet|) / no ip dhcp snooping binding user interface (ethernet|) - Add/delete DHCP snooping static binding list entries.
12. Set defense actions
Command Explanation (Port Mode)
ip dhcp snooping action {shutdown|blackhole} [recovery ] / no ip dhcp snooping action - Set or delete the DHCP snooping automatic defense actions of ports.
13.
Command Explanation (Global Mode)
ip dhcp snooping information option subscriber-id format {hex | acsii | vs-hp} - This command is used to set the subscriber-id format of DHCP snooping option82.
ip dhcp snooping information option remote-id {standard | } - Set the suboption2 (remote ID option) content of option 82 added to DHCP request packets received by the port.
ip dhcp snooping information option subscriber-id {standard | } / no ip dhcp snooping information option subscriber-id - Set the suboption1 (circuit ID option) content of option 82 added to DHCP request packets received by the port. The no command sets the added suboption1 (circuit ID option) format of option 82 back to standard.
The configuration sequence is:
switch#
switch#config
switch(config)#ip dhcp snooping enable
switch(config)#interface ethernet 1/11
switch(Config-Ethernet1/11)#ip dhcp snooping trust
switch(Config-Ethernet1/11)#exit
switch(config)#interface ethernet 1/12
switch(Config-Ethernet1/12)#ip dhcp snooping trust
switch(Config-Ethernet1/12)#exit
switch(config)#interface ethernet 1/1-10
switch(Config-Port-Range)#ip dhcp snooping action shutdown
switch(Config-Port-Range)#
36.4 DHCP Snooping Troubleshooting Help
36.4.
Chapter 37 DHCP Snooping Option 82 Configuration
37.1 Introduction to DHCP Snooping Option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address assignment policy.
SubOpt: the sequence number of the sub-option; the sequence number of the Circuit ID sub-option is 1, and the sequence number of the Remote ID sub-option is 2. Len: the number of bytes in the sub-option Value, not including the two bytes of the SubOpt field and the Len field.
37.1.
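The sub-option layout just described (SubOpt, Len, Value; Circuit ID = 1, Remote ID = 2), as an added parser and builder in Python that is not part of the manual or the switch firmware. The Len checks matter on the receiving side: a server or snooping switch that trusts Len blindly reads past the end of the option. All sample bytes are constructed.

```python
"""DHCP option 82 (Relay Agent Information) sub-option parser and builder."""
import struct
from typing import Optional

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
SUBOPT_NAMES = {SUBOPT_CIRCUIT_ID: "circuit-id", SUBOPT_REMOTE_ID: "remote-id"}


class Option82Error(ValueError):
    """Raised when the option 82 payload is malformed."""


def parse_option82(payload: bytes) -> dict:
    """Parse the Value of option 82 into a dict of sub-options.

    Known sub-options are keyed "circuit-id" / "remote-id", unknown ones by
    their SubOpt number. Each Len is checked against the remaining bytes
    before the Value is sliced, and duplicates are rejected.
    """
    subopts = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise Option82Error("truncated sub-option header at offset %d" % pos)
        subopt, length = payload[pos], payload[pos + 1]
        pos += 2
        if pos + length > len(payload):
            raise Option82Error("sub-option %d Len %d exceeds payload" % (subopt, length))
        value = payload[pos:pos + length]
        pos += length
        key = SUBOPT_NAMES.get(subopt, subopt)
        if key in subopts:
            raise Option82Error("duplicate sub-option %s" % key)
        subopts[key] = value
    return subopts


def is_well_formed(payload: bytes) -> bool:
    """True when parse_option82 accepts the payload."""
    try:
        parse_option82(payload)
        return True
    except Option82Error:
        return False


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build the whole option (code 82, Len, sub-options) as a relay agent or
    snooping switch would insert it into a client request."""
    body = b""
    for subopt, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if len(value) > 255:
            raise Option82Error("sub-option value longer than 255 bytes")
        body += struct.pack("BB", subopt, len(value)) + value
    if len(body) > 255:
        raise Option82Error("option 82 longer than 255 bytes")
    return struct.pack("BB", OPTION_RELAY_AGENT_INFO, len(body)) + body


def find_option82(options: bytes) -> Optional[bytes]:
    """Walk a DHCP options field (bytes after the magic cookie) and return the
    Value of option 82, or None when it is absent. Pad (0) and End (255) are
    the two single-byte options without a Len."""
    pos = 0
    while pos < len(options):
        code = options[pos]
        if code == 0:            # pad
            pos += 1
            continue
        if code == 255:          # end of options
            return None
        if pos + 2 > len(options):
            raise Option82Error("truncated option header at offset %d" % pos)
        length = options[pos + 1]
        value = options[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise Option82Error("option %d Len exceeds options field" % code)
        if code == OPTION_RELAY_AGENT_INFO:
            return value
        pos += 2 + length
    return None


if __name__ == "__main__":
    # Constructed circuit-id in the "Vlan+port" form the snooping chapter mentions.
    opt = build_option82(b"Vlan1+Ethernet1/3", b"\x00\x11\x22\x33\x44\x55")
    print(parse_option82(opt[2:]))
```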
37.2 DHCP Snooping Option 82 Configuration Task List
1. Enable DHCP SNOOPING
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping option 82 binding function
4. Configure trusted ports
1. Enable DHCP SNOOPING
Command Explanation (Global Mode)
ip dhcp snooping enable / no ip dhcp snooping enable - Enable or disable the DHCP SNOOPING function.
2.
37.3 DHCP Snooping Option 82 Application Examples
[Figure 37-1: DHCP option 82 typical application example. DHCP Client PC1; Switch1 (Vlan1: eth1/3); DHCP Server]
In the above example, layer 2 Switch1, with DHCP Snooping enabled, forwards the request message from the DHCP client to the DHCP server. It also forwards the reply message from the server to the DHCP client, completing the DHCP exchange.
        default-lease-time 43200; #12 Hours
        max-lease-time 86400; #24 Hours
        allow members of "Switch1Vlan1Class1";
    }
}
Now, the DHCP server will allocate addresses to the network nodes behind Switch1 from the range 192.168.102.51 ~ 192.168.102.80.
37.
Chapter 38 IPv4 Multicast Protocol
38.1 IPv4 Multicast Protocol Overview
This chapter introduces the configuration of the IPv4 Multicast Protocol.
38.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet transmission (including data, sound and video) is a small number of users in the network. One way is to use Unicast mode, i.e.
38.1.2 Multicast Address
The destination address of a multicast message uses a class D IP address, in the range 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In unicast data transmission, the transmission path of a data packet runs from the source address to the destination address, and forwarding is performed hop by hop.
224.0.0.16 Specified SBM
224.0.0.17 All SBMS
224.0.0.18 VRRP
224.0.0.22 IGMP
When Ethernet transmits unicast IP messages, the destination MAC address it uses is the receiver's MAC address. When transmitting multicast packets, however, the destination is no longer a specific receiver but a group with an undetermined membership, so a multicast MAC address is used. The multicast MAC address corresponds to the multicast IP address.
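The IP-to-MAC correspondence stated above, worked through as an added Python example that is not from the manual. It goes a step beyond the text by using the standard RFC 1112 mapping (prefix 01-00-5E, one zero bit, then the low 23 bits of the class D address), which means 32 group addresses share each multicast MAC; a filter that keys on MAC alone therefore cannot separate those groups. Sample addresses are taken from the table above or constructed.

```python
"""IPv4 multicast group address to Ethernet multicast MAC mapping."""
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000   # 01-00-5E-00-00-00, the IANA Ethernet multicast block
LOW23 = 0x7FFFFF                    # mask for the 23 address bits carried in the MAC
CLASS_D_BASE = 0xE0000000           # 224.0.0.0


def _class_d(group: str) -> ipaddress.IPv4Address:
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a class D address" % group)
    return addr


def multicast_mac(group: str) -> str:
    """Return the multicast MAC (xx-xx-xx-xx-xx-xx) for a class D group address."""
    mac = MCAST_MAC_PREFIX | (int(_class_d(group)) & LOW23)
    return "-".join("%02x" % ((mac >> shift) & 0xFF) for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """All 32 class D addresses that map to the same MAC as `group`.

    Class D fixes the top 4 bits (1110); of the remaining 28, only the low 23
    reach the MAC, so the 5 bits in between (bits 23..27) are free.
    """
    base = int(_class_d(group)) & LOW23
    return [str(ipaddress.IPv4Address(CLASS_D_BASE | (high << 23) | base))
            for high in range(32)]


def valid_source_address(ip: str) -> bool:
    """A class D address must never appear in the source field of an IP packet."""
    return not ipaddress.IPv4Address(ip).is_multicast


if __name__ == "__main__":
    for group in ("224.0.0.18", "224.0.0.22", "225.1.2.3"):
        print(group, "->", multicast_mac(group))
    print("groups aliased to 225.1.2.3:", ", ".join(groups_sharing_mac("225.1.2.3")))
```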
In information service areas such as online live broadcast, network TV, remote education, remote medicine and real-time video/audio conferencing, the following applications may be offered:
1) Multimedia and streaming media applications
2) Data repository, finance applications (stock), etc.
3) Any “one point to multiple points” data distribution application
With more and more multimedia operations in IP networks, multicast has tremendous market potential and multicast operation will be gener
38.2.2 DCSCM Configuration Task List
1. Source Control Configuration
2. Destination Control Configuration
3. Multicast Strategy Configuration
1. Source Control Configuration
Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows:
Command Explanation (Global Mode)
Enable source control globally; the “no ip multicast source-control” command disables source control globally.
The last is to apply the configured rule to a specified port.
Note: Since the configured rules occupy hardware table entries, configuring too many rules will cause configuration failure when the underlying table is full, so we suggest that users use the simplest rules possible.
[no] access-list <6000-7999> {deny|permit} ip {{ }|{host-source {range<2-65535>|}}|any-source} {{ }|{host-destination {range<2-255>|}}|any-d - The rule used to configure destination control. This rule does not take effect until it is applied to a source IP or VLAN-MAC and port. Using the NO form of it deletes the specified rule.
38.2.3 DCSCM Configuration Examples
1. Source Control
In order to prevent an Edge Switch from sending out multicast data arbitrarily, we configure the Edge Switch so that only the switch at port Ethernet1/5 is allowed to transmit multicast, and the group address must be 225.1.2.3. Also, the switch connected to port Ethernet1/10 can transmit multicast data without any limit. We can make the following configuration.
EC(config)#access-list 5000 permit ip any host 225.1.2.
In this way, the multicast stream will have a priority of 4 when it reaches other switches through this switch. (This is usually fairly high; the highest priority is reserved for protocol data. If a higher priority is set and there is too much multicast data, the switch's protocol processing may behave abnormally.)
38.2.4 DCSCM Troubleshooting
The effect of the DCSCM module itself is similar to an ACL, and the problems that occur are usually related to improper configuration.
1. Enable IGMP Snooping
Command Explanation (Global Mode)
ip igmp snooping / no ip igmp snooping - Enables IGMP Snooping. The no operation disables the IGMP Snooping function.
2. Configure IGMP Snooping
Command Explanation (Global Mode)
ip igmp snooping vlan / no ip igmp snooping vlan - Enables IGMP Snooping for the specified VLAN. The no operation disables IGMP Snooping for the specified VLAN.
ip igmp snooping vlan mrouter-port interface / no ip igmp snooping vlan mrouter-port interface - Configure a static mrouter port of the VLAN. The no form of the command cancels this configuration.
ip igmp snooping vlan mrouter-port learnpim / no ip igmp snooping vlan mrouter-port learnpim - Enable the function that the specified VLAN learns the mrouter-port (according to PIM packets); the no command disables the function.
ip igmp snooping vlan static-group [source ] interface [ethernet | port-channel] / no ip igmp snooping vlan static-group [source ] interface [ethernet | port-channel] - Configure a static group on the specified port of the VLAN. The no form of the command cancels this configuration.
ip igmp snooping vlan report source-address
Example: As shown in the figure above, VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to port 1. Since IGMP Snooping is disabled by default both in the switch and in the VLANs, to enable IGMP Snooping in VLAN 100, IGMP Snooping must first be enabled for the switch in Global Mode and then in VLAN 100, and port 1 of VLAN 100 must be set as the mrouter port.
The configuration of Switch2 is the same as the switch in scenario 1; SwitchA takes the place of the Multicast Router in scenario 1. Let's assume VLAN 60 is configured in SwitchA, including ports 1, 2, 10 and 12. Port 1 connects to the multicast server, and port 2 connects to Switch2. In order to send Query messages at regular intervals, IGMP query must be enabled in Global mode and in VLAN 60.
Chapter 39 IPv6 Multicast Protocol
39.1 MLD Snooping
39.1.1 Introduction to MLD Snooping
MLD, the Multicast Listener Discovery Protocol, is used to realize multicast in IPv6. MLD is used by network equipment such as multicast-capable routers for multicast listener discovery, and by listeners that wish to join a multicast group to inform the router that they want to receive data packets sent to that multicast address; all of this is done through MLD message exchange.
2. Configure MLD Snooping
Command Explanation (Global Mode)
ipv6 mld snooping vlan / no ipv6 mld snooping vlan - Enable MLD Snooping on a specific VLAN. The “no” form of this command disables MLD Snooping on the specific VLAN.
ipv6 mld snooping vlan limit {group | source } - Configure the number of groups that MLD Snooping can join, and the maximum number of sources in each group.
ipv6 mld snooping vlan query-robustness / no ipv6 mld snooping vlan query-robustness - Configure the query robustness; the “no” form of this command restores the default.
ipv6 mld snooping vlan - Configure the suppression query time.
The configuration procedure is as follows.
Switch#config
Switch(config)#ipv6 mld snooping
Switch(config)#ipv6 mld snooping vlan 100
Switch(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast configuration: Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2; programs 1 and 2 are supplied by Multicast Server 1 and program 3 by Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively.
Scenario 2: MLD L2-general-querier
[Figure 39-2: Switch as MLD Querier Function figure. Switch A; Switch B]
The configuration of switch B is the same as the switches in case 1, and here switch 1 replaces the Multicast Router in case 1. Assume VLAN 60 configured on it contains ports 1, 2, 10 and 12, where port 1 is connected to the multicast server and port 2 to switch2.
SwitchB#config
SwitchB(config)#ipv6 mld snooping
SwitchB(config)#ipv6 mld snooping vlan 100
SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/1
Multicast configuration: Same as scenario 1
MLD Snooping interception results: Same as scenario 1
39.1.4 MLD Snooping Troubleshooting
When configuring and using MLD Snooping, the MLD Snooping server may fail to run properly due to physical connection failure, wrong configuration, etc.
Chapter 40 Multicast VLAN
40.1 Introduction to Multicast VLAN
With the current multicast ordering method, when users in different VLANs order the same multicast stream, each VLAN receives its own copy of the multicast traffic, which is a great waste of bandwidth. By configuring a multicast VLAN, adding the switch port to the multicast VLAN and enabling the IGMP Snooping/MLD Snooping functions, users from different VLANs share the same multicast VLAN.
2. Configure IGMP Snooping
Command Explanation (Global Mode)
ip igmp snooping vlan / no ip igmp snooping vlan - Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables IGMP Snooping on the multicast VLAN.
ip igmp snooping / no ip igmp snooping - Enable the IGMP Snooping function. The no form of this command disables the IGMP Snooping function.
3.
PC2 are connected to ports 1/15 and 1/20 respectively. SwitchB is connected to SwitchA through port 1/10, which is configured as a trunk port. VLAN 20 is the multicast VLAN. By configuring the multicast VLAN, PC1 and PC2 will receive the multicast data from the multicast VLAN. The following configuration assumes that the IP addresses of the switches have been configured and all the equipment is connected correctly.
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 20
When the multicast VLAN carries IPv6 multicast, the usage is the same as for IPv4; the only difference is that it is used with MLD Snooping, so a separate example is not given.
Chapter 41 ACL Configuration
41.1 Introduction to ACL
An ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It provides network traffic control by granting or denying access through the switch, effectively safeguarding the security of the network. The user can define a set of rules based on information specific to packets; each rule describes the action taken for a packet matching certain information: “permit” or “deny”.
An access-list can consist of several rules. Packet filtering compares the packet against the rules in order, from the first rule to the first matched rule; the remaining rules are not processed. The global default action applies only to IP packets in the incoming direction on the ports. The global default action applies only when packet filtering is enabled on a port and no ACL is bound to that port, or no bound ACL matches.
41.2 ACL Configuration Task List
ACL Configuration Task Sequence:
1.
(2) Configure default action
3. Configuring time range function
(1) Create the name of the time range
(2) Configure periodic time range
(3) Configure absolute time range
4. Bind access-list to an incoming direction of the specified port
5. Clear the filtering information of the specified port
1.
access-list {deny | permit} tcp {{ } | any-source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination }} [d-port { | range }] [ack+fin+psh+rst+urg+syn] [precedence ] [tos - Creates a numbered TCP extended IP access rule; if the numbered extended access-list of the specified number does not exist, then an access-list will be created using this number.
b. Specify multiple “permit” or “deny” rules
Command Explanation (Standard IP ACL Mode)
[no] {deny | permit} {{ } | any-source | {host-source }} - Creates a standard name-based IP access rule; the “no” form command deletes the name-based standard IP access rule.
c. Exit name-based standard IP ACL configuration mode
Command Explanation (Standard IP ACL Mode)
exit - Exits name-based standard IP ACL configuration mode.
(4) Configuring a name-based extended IP access-list
a.
[no] {deny | permit} icmp {{ } | any-source | {host-source }} {{ } | any-destination | {host-destination }} [ []] [precedence ] [tos - Creates an extended name-based ICMP IP access rule; the no form command deletes this name-based extended IP access rule.
(5) Configuring a numbered standard MAC access-list
Command Explanation (Global Mode)
access-list {deny|permit} {any-source-mac|{host-source-mac }|{ }} - Creates a numbered standard MAC access-list; if the access-list already exists, then a rule will be added to the current access-list; the “no access-list ” command deletes a numbered standard MAC access-list.
(7) Configuring an extended MAC access-list based on nomenclature
a. Create an extended MAC access-list based on nomenclature
Command Explanation (Global Mode)
mac-access-list extended / no mac-access-list extended - Creates an extended name-based MAC access rule for other IP protocols; the no form command deletes this name-based extended MAC access rule.
b.
[no] {deny|permit} {any-source-mac|{host-source-mac }|{ }} {any-destination-mac|{host-destination-mac }|{ }} [tagged-eth2 [cos [ ]] [vlanId [ ]] [ethertype [ ]]] - Creates a name-based extended MAC access rule for tagged-eth2 frames; the no form command deletes this name-based extended MAC access rule.
sk>}} {any-destination-mac|{host-destination-mac }|{ }} igmp {{ }|any-source|{host-source }} {{ }|any-destinati - access rule; if the numbered extended access-list of the specified number does not exist, then an access-list will be created using this number.
{host-source }} {{ }|any-destination|{host-destination }} [precedence ] [tos ][time-range] - of the specified number does not exist, then an access-list will be created using this number.
no access-list - Deletes this numbered extended MAC-IP access rule.
(9) Configuring an extended MAC-IP access-list based on nomenclature
a.
{any-destination-mac|{host-destination-mac }|{ }} igmp {{ }|any-source|{host-source }} - access rule; the no form command deletes this name-based extended MAC-IGMP access rule.
{host-source }} {{ }|any-destination|{host-destination }} [precedence][tos][time-range]
c. Exit MAC-IP Configuration Mode
Command Explanation (Extended name-based MAC-IP access Mode)
exit - Quit extended name-based MAC-IP access mode.
b. Specify multiple permit or deny rules
Command Explanation (Standard IPv6 ACL Mode)
[no] {deny | permit} {{ } | any-source | {host-source }} - Creates a standard name-based IPv6 access rule; the no form command deletes the name-based standard IPv6 access rule.
c. Exit name-based standard IPv6 ACL configuration mode
Command Explanation (Standard IPv6 ACL Mode)
exit - Exits name-based standard IPv6 ACL configuration mode.
2.
(2) Configure periodic time range
Command Explanation (Time range Mode)
absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} - Configure the time range for the requested days of the week; the time range repeats every week.
periodic {{Monday+Tuesday+Wednesday+Thursday+
4. Bind access-list to a specific direction of the specified port.
Command Explanation (Physical Port Mode / VLAN Interface Mode)
Physical interface mode: Applies an access-list to the specified direction on the port; the no command deletes the access-list bound to the port.
Switch(Config-If-Ethernet1/10)#ip access-group 110 in
Switch(Config-If-Ethernet1/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall status: enable.
Switch#show access-lists
access-list 110(used 1 time(s)) 1 rule(s)
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
the ingress acl use in firewall is 110, traffic-statistics Disable.
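The first-match evaluation described in 41.1 (rules checked top-down, first match decides, global default action only when no ACL is bound or nothing matches), applied to the access-list 110 rule shown above. This is an added Python model, not the switch's own code; the wildcard-mask semantics (a 1 bit means "do not care") and the packets are constructed for the example.

```python
"""First-match ACL evaluation with wildcard masks and the global default action."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Switch-style wildcard mask: bits set to 1 in the wildcard are ignored,
    so 10.0.0.0 0.0.0.255 covers 10.0.0.0 to 10.0.0.255."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care_bits = ~wc_i & 0xFFFFFFFF
    return ((ip_i ^ base_i) & care_bits) == 0


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches any IP protocol
    src: Optional[Tuple[str, str]] = None    # (base, wildcard); None = any-source
    dst: Optional[Tuple[str, str]] = None    # (base, wildcard); None = any-destination
    dport: Optional[int] = None              # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and not wildcard_match(pkt.src, *self.src):
            return False
        if self.dst is not None and not wildcard_match(pkt.dst, *self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(pkt: Packet, acl: Optional[List[Rule]], default_action: str) -> Tuple[str, str]:
    """Return (action, reason). Pass acl=None when no ACL is bound to the port."""
    if acl is None:
        return default_action, "no ACL bound, global default action"
    for index, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, "matched rule %d" % index   # later rules are not consulted
    return default_action, "no rule matched, global default action"


# access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
ACL_110 = [Rule("deny", "tcp", src=("10.0.0.0", "0.0.0.255"), dport=21)]


if __name__ == "__main__":
    # Constructed traffic: FTP control from inside 10.0.0.0/24 and two near misses.
    for pkt in (Packet("tcp", "10.0.0.5", "192.168.1.1", 21),
                Packet("tcp", "10.0.1.5", "192.168.1.1", 21),
                Packet("udp", "10.0.0.5", "192.168.1.1", 21)):
        print(pkt, "->", evaluate(pkt, ACL_110, "permit"))
```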
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch #show access-lists
access-list 1100(used 1 time(s))
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac
Switch #show access-group interface ethernet 1/10
interface name:Ethernet1/10
MAC Ingress access-list used is 1100,traffic-statistics Disable.
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch#show access-lists
access-list 3110(used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch #show access-group interface ethernet 1/10
interface name:Ethernet1/10
MAC-IP Ingress access-list used is 3110, traffic-statistics Disable.
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch#show ipv6 access-lists
Ipv6 access-list 600(used 1 time(s))
ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source
ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source
Switch #show access-group interface ethernet 1/10
interface name:Ethernet1/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.
Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics Disable.
41.4 ACL Troubleshooting
Entries in an ACL are checked in top-down order, and checking ends as soon as an entry is matched. The default rule is used only if no ACL is bound to the incoming direction of the port, or no ACL entry is matched.
When the interface mode is changed from trunk mode to access mode, the ACL configured in VLAN 1 interface mode will be bound to the physical interface; if binding fails, the mode change will also fail. When removing a VLAN configuration, if any ACLs are bound to the VLAN, the ACL will be removed from all the physical interfaces belonging to the VLAN, and the VLAN 1 ACL (if an ACL is configured in VLAN 1) will be bound to them instead. If the VLAN 1 ACL binding fails, the VLAN removal operation will fail.
Chapter 42 802.1x Configuration
42.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the IEEE wireless LAN protocol, and was designed to provide authentication when users access a wireless LAN. The LAN defined in the IEEE 802 LAN standard does not provide access authentication, which means that as long as users can reach a LAN access device (such as a LAN switch), they can reach all the devices and resources in the LAN.
The supplicant system is an entity at one end of the LAN segment that must be authenticated by the access controlling unit at the other end of the link. A supplicant system is usually a user terminal device. Users start 802.1x authentication by starting the supplicant system software. A supplicant system must support EAPOL (Extensible Authentication Protocol over LAN). The authenticator system is the entity at the other end of the LAN segment that authenticates the connected supplicant systems.
The controlled and uncontrolled ports are two parts of one physical port, which means each frame reaching this port is visible on both the controlled and the uncontrolled port.
3. Controlled direction
In the unauthenticated state, controlled ports can be set as unidirectionally controlled or bidirectionally controlled. When the port is bidirectionally controlled, both sending and receiving of all frames is forbidden.
42.1.3 The Encapsulation of EAPOL Messages
1. The Format of EAPOL Data Packets
EAPOL is a message encapsulation format defined in the 802.1x protocol; it is mainly used to carry EAP messages between the supplicant system and the authenticator system so that EAP messages can be transmitted through the LAN. In an IEEE 802/Ethernet LAN environment, the format of an EAPOL packet is illustrated in the next figure. The beginning of the EAPOL packet is the Type/Length field of the MAC frame.
[Figure 42-4: the Format of EAP Data Packets]
Code: specifies the type of the EAP packet. There are four in total: Request (1), Response (2), Success (3), Failure (4). There is no Data field in packets of type Success or Failure, and the value of the Length field in such packets is 4. The format of the Data field in packets of type Request and Response is illustrated in the next figure.
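The EAPOL and EAP headers described in 42.1.3, as an added Python parser that is not from the manual or the switch. It enforces the rule stated above (Success and Failure carry no Data and have Length 4) and treats both Length fields as untrusted, which is how an authenticator avoids acting on a truncated or padded frame. The EAPOL packet types and the EAP method type numbers are the standard 802.1X/EAP assignments; all sample frames are constructed.

```python
"""EAPOL and EAP header parsing with consistency checks on the Length fields."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP"}


class FrameError(ValueError):
    """Raised for a frame whose fields are inconsistent with its length."""


def parse_eap(data: bytes) -> dict:
    """Parse Code, Identifier, Length and (for Request/Response) Type and Data."""
    if len(data) < 4:
        raise FrameError("EAP header shorter than 4 bytes")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES:
        raise FrameError("unknown EAP code %d" % code)
    if length < 4 or length > len(data):
        raise FrameError("EAP Length %d inconsistent with %d bytes" % (length, len(data)))
    result = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (3, 4):                       # Success / Failure: no Data field
        if length != 4:
            raise FrameError("Success/Failure must have Length 4")
        return result
    if length < 5:                           # Request / Response: Data starts with Type
        raise FrameError("Request/Response needs a Type byte")
    result["type"] = EAP_TYPES.get(data[4], data[4])
    result["type_data"] = data[5:length]     # anything past Length is padding, ignored
    return result


def parse_eapol(payload: bytes) -> dict:
    """Parse an EAPOL packet; `payload` starts right after the 0x888E Type field."""
    if len(payload) < 4:
        raise FrameError("EAPOL header shorter than 4 bytes")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if ptype not in EAPOL_TYPES:
        raise FrameError("unknown EAPOL type %d" % ptype)
    if length > len(payload) - 4:
        raise FrameError("EAPOL Length %d exceeds payload" % length)
    result = {"version": version, "type": EAPOL_TYPES[ptype]}
    if ptype == 0:
        result["eap"] = parse_eap(payload[4:4 + length])
    return result


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_eapol(payload)
        return True
    except FrameError:
        return False


if __name__ == "__main__":
    # Constructed exchange start: EAPOL-Start from the supplicant, then the
    # authenticator's EAP-Request/Identity (identifier 42) inside an EAP-Packet.
    print(parse_eapol(b"\x01\x01\x00\x00"))
    print(parse_eapol(b"\x01\x00\x00\x05" + b"\x01\x2a\x00\x05\x01"))
```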
[Figure 42-6: the Encapsulation of EAP-Message Attribute]
2. Message-Authenticator
As illustrated in the next figure, this attribute is used when authentication methods such as EAP and CHAP are in use to prevent the access request packets from being eavesdropped. Message-Authenticator must be included in packets containing the EAP-Message attribute, or the packet will be dropped as invalid.
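The drop rule just stated (EAP-Message without Message-Authenticator is invalid), worked through as an added Python example that is not from the manual, the switch or any RADIUS server. It uses the standard RFC 2869 definition of the attribute: type 80, 16-byte value, HMAC-MD5 keyed with the shared secret over the whole Access-Request with the attribute value zeroed, so a receiver can detect a forged or modified request. The shared secret and the packet are constructed.

```python
"""RADIUS Message-Authenticator (attribute 80) construction and verification."""
import hashlib
import hmac
import struct
from typing import List, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Request Authenticator


def iter_attributes(packet: bytes):
    """Yield (type, value_offset, value) for each attribute, validating every length."""
    pos = HEADER.size
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(CODE_ACCESS_REQUEST, identifier, HEADER.size + len(body),
                       request_authenticator) + body


def add_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """Append attribute 80 and fill it with HMAC-MD5 over the packet (value zeroed)."""
    pkt = bytearray(packet + struct.pack("BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16))
    struct.pack_into("!H", pkt, 2, len(pkt))     # Length must cover the new attribute
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute zeroed and compare in constant time."""
    offset = None
    for attr_type, value_offset, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16 or offset is not None:
                return False                      # wrong size or duplicated
            offset = value_offset
    if offset is None:
        return False
    zeroed = bytearray(packet)
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[offset:offset + 16])


def accept_access_request(packet: bytes, secret: bytes) -> Tuple[bool, str]:
    """Apply the rule from the text: EAP-Message requires a valid Message-Authenticator."""
    if len(packet) < HEADER.size:
        return False, "shorter than a RADIUS header"
    code, _, length, _ = HEADER.unpack_from(packet)
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return False, "not a well-formed Access-Request"
    try:
        types = {t for t, _, _ in iter_attributes(packet)}
    except ValueError as exc:
        return False, str(exc)
    if ATTR_EAP_MESSAGE in types and ATTR_MESSAGE_AUTHENTICATOR not in types:
        return False, "EAP-Message without Message-Authenticator"
    if ATTR_MESSAGE_AUTHENTICATOR in types and not verify_message_authenticator(packet, secret):
        return False, "Message-Authenticator mismatch"
    return True, "accepted"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    eap_identity = b"\x02\x01\x00\x0a\x01alice"        # EAP Response/Identity "alice"
    unsigned = build_access_request(7, bytes(range(16)),
                                    [(ATTR_USER_NAME, b"alice"), (ATTR_EAP_MESSAGE, eap_identity)])
    print(accept_access_request(unsigned, secret))
    print(accept_access_request(add_message_authenticator(unsigned, secret), secret))
```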
42.1.5 The Authentication Methods of 802.1x
Authentication can be started either by the supplicant system on its own initiative or by the device. When the device detects an unauthenticated user trying to access the network, it sends the supplicant system an EAP-Request/Identity message to start authentication. Alternatively, the supplicant system can send an EAPOL-Start message to the device via the supplicant software.
802.
They are described in detail in the following part.
Attention: The switch, as the access controlling unit in pass-through mode, does not check the content of a particular EAP method, so it can support all the EAP methods above and any EAP authentication methods that may be added in the future. In EAP relay, if any of EAP-MD5, EAP-TLS, EAP-TTLS and PEAP is adopted, the authentication methods of the supplicant system and the RADIUS server must be the same.
1.
2. EAP-TLS Authentication Method
EAP-TLS was proposed by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess a digital certificate in order to implement mutual authentication. It is the earliest EAP authentication method used in wireless LANs.
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate. The only requirement is that the RADIUS server has a digital certificate. User identity authentication is implemented with passwords transmitted in an encrypted tunnel established via the certificate of the authentication server.
42.1.5.2 EAP Termination Mode
In this mode, EAP messages are terminated in the access control unit and mapped into RADIUS messages, which are used to implement authentication, authorization and accounting. The basic operation flow is illustrated in the next figure. In EAP termination mode, the access control unit and the RADIUS server can use the PAP or CHAP authentication method. The following figure demonstrates the basic operation flow using the CHAP authentication method.
There are three access control methods (the methods to authenticate users): port-based, MAC-based and user-based (IP address + MAC address + port). When the port-based method is used, as long as the first user of the port passes authentication, all the other users can access the network resources without being authenticated. However, once the first user goes offline, the network becomes unavailable to all the other users as well.
port's configuration. But the priority of Auto VLAN is higher than that of the user-set VLAN, that is, Auto VLAN is the one that takes effect once authentication finishes, while the user-set VLAN does not take effect until the user goes offline.

Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose link type is Access.

2. Guest VLAN

The Guest VLAN feature is used to allow unauthenticated users to access some specified resources.
2) Configure access management method for the port: MAC-based or port-based
3) Configure expanded 802.1x function
4) Configure IPv6 passthrough function of the port
3. User access devices related property configuration (optional)

1. Enable 802.1x function
Command (Global Mode): dot1x enable / no dot1x enable
Explanation: Enables the 802.1x function in the switch and on ports; the no command disables the 802.1x function.
2) Configure port access management method
Command (Port Mode): dot1x port-method {macbased | portbased | userbased {standard | advanced}} / no dot1x port-method
Explanation: Sets the port access management method; the no command restores MAC-based access management.
Command (Port Mode): dot1x max-user macbased / no dot1x max-user macbased
Explanation: Sets the maximum number of access users for the specified port; the no command restores the default setting of allowing 1 user.
Command: dot1x accept-mac [interface ] / no dot1x accept-mac [interface ]
Explanation: Adds an 802.1x address filter table entry; the no command deletes 802.1x filter address table entries.
Command: dot1x eapor enable / no dot1x eapor enable
Explanation: Enables the EAP relay authentication function in the switch; the no command sets EAP local end authentication.
Command: dot1x re-authenticate [interface ]
Explanation: Enables IEEE 802.1x re-authentication (no wait timeout required) for all ports or a specified port.

42.3 802.1x Application Example

42.3.
[Figure 42-14: User Joining Guest VLAN; figure labels: Update server, Authenticator server, SWITCH, Ethernet1/2, Ethernet1/3, Ethernet1/6, VLAN2, VLAN5, VLAN10, Internet, User]

As illustrated in the above figure, on the switch port Ethernet1/2 the 802.1x feature is enabled, and VLAN10 is set as the port's Guest VLAN. Before the user gets authenticated, or when the user fails to do so, port Ethernet1/2 is added to VLAN10, allowing the user to access the Update Server.
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
# Create VLAN100.
Switch(config)#vlan 100
# Enable the global 802.1x function
Switch(config)#dot1x enable
# Enable the 802.1x function on port Ethernet1/2
Switch(config)#interface ethernet1/2
Switch(Config-If-Ethernet1/2)#dot1x enable
# Set the link type of the port as access mode.
Using the command show running-config or show interface ethernet1/2, users can check the configuration of the Guest VLAN. When there is no online user, no user authentication has failed or no user has gone offline, and more authentication-triggering messages (EAP-Request/Identity) have been sent than the defined upper limit, users can check whether the Guest VLAN configured on the port has taken effect with the command show vlan id 100.

42.3.2 Examples of IPv4 RADIUS Applications

10.1.1.2 10.1.1.
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/2
Switch(Config-Ethernet1/2)#dot1x enable
Switch(Config-Ethernet1/2)#dot1x port-control auto
Switch(Config-Ethernet1/2)#exit

42.3.3 Examples of IPv6 RADIUS Application

[Figure 42-17: IPv6 RADIUS; figure labels: 2004:1:2:3::2, 2004:1:2:3::1, RADIUS Server 2004:1:2:3::3]

Connect the computer to interface 1/2 of the switch, and enable IEEE 802.1x on interface 1/2. Use MAC-based authentication.
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#dot1x enable
Switch(Config-If-Ethernet1/2)#dot1x port-control auto
Switch(Config-If-Ethernet1/2)#exit

42.4 802.1x Troubleshooting

It is possible that 802.1x is configured on the ports and 802.1x authentication is set to auto, yet the switch port cannot reach the authenticated state after the user runs the 802.1x supplicant software. Here are some possible causes and solutions: If 802.
Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration

The MAC address list is used to identify the mapping relationship between destination MAC addresses and the ports of the switch. There are two kinds of MAC addresses in the list: static MAC addresses and dynamic MAC addresses.
Limiting the number of MAC and ARP list entries can mitigate DoS attacks to a certain extent. When malicious users frequently perform MAC or ARP spoofing, it is easy for them to fill the MAC and ARP list entries of the switch, resulting in a successful DoS attack. To sum up, it is very meaningful to provide the number limitation function of MAC and IP in port and VLAN. The switch can control the number of MAC addresses of ports and the number of ARP and ND list entries of ports and VLANs through configuration commands.
1. Enable the number limitation function of MAC and IP on ports
Command (Port Mode): switchport mac-address dynamic maximum / no switchport mac-address dynamic maximum
Explanation: Enable and disable the number limitation function of MAC on the ports.
Command (Port Mode): switchport arp dynamic maximum / no switchport arp dynamic maximum
Explanation: Enable and disable the number limitation function of ARP on the ports.
Command: switchport mac-address violation {protect | shutdown} [recovery <5-3600>] / no switchport mac-address violation
Explanation: Set the violation mode of the port; the no command restores the violation mode to protect.

5. Display and debug the related information of number limitation of MAC and IP on ports
Command (Admin Mode): show mac-address dynamic count {vlan | interface ethernet }
Explanation: Display the number of dynamic MAC addresses in the corresponding ports and VLAN.
43.
43.3 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help

The number limitation function of MAC and IP in Port, VLAN is disabled by default; if users need to limit the number of users accessing the network, they can enable it. If the number limitation function of MAC address cannot be configured, please check whether Spanning-tree, dot1x or TRUNK is running on the switch and whether the port is configured as a MAC-binding port.
Chapter 44 Operational Configuration of AM Function

44.1 Introduction to AM Function

AM (Access Management) means that when a switch receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP address pair) with the configured hardware address pool. If there is an entry in the address pool matching the information (source IP address or source MAC-IP address), the message is forwarded; otherwise it is dropped.
2. Enable AM function on an interface
Command (Port Mode): am port / no am port
Explanation: Enable/disable AM function on the port. When the AM function is enabled on the port, no IP or ARP message will be forwarded by default.

3. Configure the forwarding IP
Command (Port Mode): am ip-pool / no am ip-pool
Explanation: Configure the forwarding IP of the port.

4.
6. Display related configuration information of AM
Command (Global Mode): show am [interface ]
Explanation: Display the AM configuration information of one port or all ports.

44.3 AM Function Example

[Figure 44-1: a typical configuration example of AM function; figure labels: Internet, SWITCH, Port1, Port2, HUB1, HUB2, PC1, PC2 ... PC30]

In the topology above, 30 PCs, after being aggregated by HUB1, connect to interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30.
44.4 AM Function Troubleshooting

The AM function is disabled by default; after it is enabled, the related AM configuration can be made. Users can view the current AM configuration with the “show am” command, such as whether AM is enabled and the AM information on each interface; they can also use the “show am [interface ]” command to check the AM configuration of a specific interface. If any operational error happens, the system will display a detailed corresponding prompt.
Chapter 45 Security Feature Configuration

45.1 Introduction to Security Feature

Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal user data packets because it is kept busy processing the attacker's packets, leading to denial of the service and, worse, possibly to leakage of sensitive data from the server.
45.2.3 Anti Port Cheat Function Configuration Task Sequence

1. Enable the anti port cheat function
Command (Global Mode): [no] dosattack-check srcport-equal-dstport enable
Explanation: Enable/disable the prevent-port-cheat function.

45.2.
Command: dosattack-check icmpv4-size
Explanation: Configure the max. permitted ICMPv4 net load length. This command has no effect when used on its own; the user also has to enable dosattack-check icmp-attacking enable.

45.3 Security Feature Example

Scenario: The user has the following configuration requirements: the switch does not forward data packets whose source IP address is equal to the destination address, nor those whose source port is equal to the destination port.
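The checks in the scenario above, modelled in software as an added example (this is not PLANET's code); the config flags mirror the dosattack-check commands on this page, while the flag name srcip_equal_dstip, the ICMP size default of 64 bytes and the test packets are constructed assumptions.

```python
"""Software model of the Chapter 45 anti-DoS checks, run over constructed IPv4 packets.
Added example, not the switch's implementation; see the lead-in for what is assumed."""
import socket
import struct
from dataclasses import dataclass

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class DosCheckConfig:
    srcip_equal_dstip: bool = False      # assumed flag name for the src-IP == dst-IP check
    srcport_equal_dstport: bool = False  # dosattack-check srcport-equal-dstport enable
    icmp_attacking: bool = False         # dosattack-check icmp-attacking enable
    icmpv4_size: int = 64                # dosattack-check icmpv4-size (constructed default)


def parse_ipv4(pkt: bytes) -> dict:
    """Extract only the fields the checks need from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:]}


def dos_check(pkt: bytes, cfg: DosCheckConfig) -> str:
    """Return 'forward' or 'drop:<check>' for one packet under the given config."""
    p = parse_ipv4(pkt)
    if cfg.srcip_equal_dstip and p["src"] == p["dst"]:
        return "drop:srcip-equal-dstip"
    if cfg.srcport_equal_dstport and p["proto"] in (PROTO_TCP, PROTO_UDP) and len(p["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", p["payload"][:4])
        if sport == dport:
            return "drop:srcport-equal-dstport"
    if p["proto"] == PROTO_ICMP and cfg.icmp_attacking:
        # icmpv4-size is only consulted when icmp-attacking is enabled, matching the
        # note in the command table above; "net load" is read here as the data that
        # follows the 8-byte ICMP header.
        if len(p["payload"]) - 8 > cfg.icmpv4_size:
            return "drop:icmpv4-size"
    return "forward"


# --- constructed test packets -------------------------------------------------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def icmp_echo(data: bytes) -> bytes:
    """ICMP echo request header (type 8) followed by data; checksum left 0."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


if __name__ == "__main__":
    cfg = DosCheckConfig(srcip_equal_dstip=True, srcport_equal_dstport=True,
                         icmp_attacking=True, icmpv4_size=64)
    samples = {
        "src IP == dst IP":        build_ipv4("10.1.1.1", "10.1.1.1", PROTO_TCP, tcp_syn(1234, 80)),
        "src port == dst port":    build_ipv4("10.1.1.1", "10.1.1.2", PROTO_TCP, tcp_syn(80, 80)),
        "oversized ICMP echo":     build_ipv4("10.1.1.1", "10.1.1.2", PROTO_ICMP, icmp_echo(b"A" * 100)),
        "ordinary SYN to port 80": build_ipv4("10.1.1.1", "10.1.1.2", PROTO_TCP, tcp_syn(1234, 80)),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {dos_check(pkt, cfg)}")
```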
Chapter 46 TACACS+ Configuration

46.1 Introduction to TACACS+

TACACS+ (terminal access controller access control protocol) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
Command: tacacs-server authentication host [port ] [timeout ] [key {0 | 7} ] [primary] / no tacacs-server authentication host
Explanation: Configure the IP address, listening port number, the value of the timeout timer and the key string of the TACACS+ server; the no form of this command deletes the TACACS+ authentication server.

3.
TACACS+ authentication server to achieve telnet user authentication.
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#tacacs-server authentication host 10.1.1.3
Switch(config)#tacacs-server key test
Switch(config)#authentication line vty login tacacs

46.
Chapter 47 RADIUS Configuration

47.1 Introduction to RADIUS

47.1.1 AAA and RADIUS Introduction

AAA is short for Authentication, Authorization and Accounting. It provides a consistent framework for secure network management. Through its three functions of Authentication, Authorization and Accounting, the framework covers the access control of a secure network: who may access the network device, the access level a user can have, and the accounting of the network resources used.
Code field (1 octet): the type of the RADIUS packet. The available values for the Code field are:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
Identifier field (1 octet): identifier used to match request and answer packets.
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
Length field (1 octet): the length in octets of the attribute, including the Type, Length and Value fields.
Value field: the value of the attribute, whose content and format are determined by the type and length of the attribute.

47.2 RADIUS Configuration Task List

1.
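The packet layout described above, parsed and checked by an added example (not PLANET's code): it splits a datagram into Code, Identifier, Length, Authenticator and attribute TLVs, and verifies a reply's Response Authenticator against the shared secret as RFC 2865 defines it. The sample packets, the request authenticator and the secret "test" (the key used in the examples on this page) are constructed; the attribute types 1, 4 and 5 in the sample are standard RFC 2865 types not listed on this page.

```python
"""Parse RADIUS datagrams and verify Response Authenticators (RFC 2865).
Added example, not the switch's implementation; samples are constructed."""
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Code values from the table on this page
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# Attribute types from this page's table, plus three standard RFC 2865 types used in the sample
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 18: "Reply-Message",
         19: "Callback-Number", 20: "Callback-Id", 22: "Framed-Route",
         60: "CHAP-Challenge", 61: "NAS-Port-Type", 62: "Port-Limit", 63: "Login-LAT-Port"}


def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS datagram into header fields and a list of (name, value) attributes."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError(f"bad Length field {length} for a {len(pkt)}-byte datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:                       # octets beyond Length are ignored (RFC 2865)
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]  # attribute Length counts Type and Length too
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute type {atype} has bad length {alen}")
        attrs.append((ATTRS.get(atype, f"Type-{atype}"), pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, f"Code-{code}"), "identifier": ident, "length": length,
            "authenticator": pkt[4:HEADER_LEN], "attributes": attrs}


def is_malformed(pkt: bytes) -> bool:
    """True when the datagram does not parse; a NAS should silently discard such packets."""
    try:
        parse_radius(pkt)
        return False
    except ValueError:
        return True


def build_radius(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise a packet from (type, value) pairs; used here to construct the samples."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(reply: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", reply[2:4])[0]
    return hashlib.md5(reply[:4] + request_authenticator + reply[HEADER_LEN:length] + secret).digest()


def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the switch (NAS) must check before trusting an Access-Accept: the reply's
    authenticator has to match both the request it answers and the configured key."""
    expected = response_authenticator(reply, request_authenticator, secret)
    return hmac.compare_digest(reply[4:HEADER_LEN], expected)


def make_reply(code: int, ident: int, request_authenticator: bytes, attrs, secret: bytes) -> bytes:
    """Server side: fill in the authenticator of a reply (used to construct the sample)."""
    draft = build_radius(code, ident, bytes(16), attrs)
    return draft[:4] + response_authenticator(draft, request_authenticator, secret) + draft[HEADER_LEN:]


# --- constructed samples -------------------------------------------------------
SECRET = b"test"
REQUEST_AUTH = bytes(range(16))             # a real NAS uses 16 unpredictable octets
SAMPLE_REQUEST = build_radius(1, 7, REQUEST_AUTH, [
    (1, b"alice"),                          # User-Name
    (4, bytes([10, 1, 1, 2])),              # NAS-IP-Address, the switch address used on this page
    (61, struct.pack("!I", 15)),            # NAS-Port-Type 15 = Ethernet
])
SAMPLE_ACCEPT = make_reply(2, 7, REQUEST_AUTH, [(18, b"Welcome")], SECRET)

if __name__ == "__main__":
    for name, pkt in (("request", SAMPLE_REQUEST), ("reply", SAMPLE_ACCEPT)):
        p = parse_radius(pkt)
        print(name, p["code"], "id", p["identifier"], "attrs", p["attributes"])
    print("reply authentic with key 'test':", verify_reply(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("reply authentic with wrong key: ", verify_reply(SAMPLE_ACCEPT, REQUEST_AUTH, b"wrong"))
```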
3. Configure the RADIUS server
Command (Global Mode): radius-server authentication host { | } [port ] [key {0 | 7} ] [primary] [access-mode {dot1x | telnet}] / no radius-server authentication host
Explanation: Specifies the IPv4/IPv6 address and the port number, and whether this is the primary server, for the RADIUS accounting server; the no command deletes the RADIUS accounting server.
5. Configure the IP address of the RADIUS NAS
Command (Global Mode): radius nas-ipv4 / no radius nas-ipv4
Explanation: Configure the source IP address of the RADIUS packets sent by the switch.
Command (Global Mode): radius nas-ipv6 / no radius nas-ipv6
Explanation: Configure the source IPv6 address of the RADIUS packets sent by the switch.

47.3 RADIUS Typical Examples

47.3.1 IPv4 RADIUS Example

[Figure 47-2: The Topology of IEEE802.; figure labels: 10.1.1.2, 10.1.1.1, RADIUS Server 10.1.1.3]
47.3.2 IPv6 RADIUS Example

[Figure 47-3: The Topology of IPv6 RADIUS configuration; figure labels: 2004:1:2:3::2, 2004:1:2:3::1, RADIUS Server 2004:1:2:3::3]

A computer connects to a switch whose IP address is 2004:1:2:3::2 and which is connected with a RADIUS authentication server without Ethernet1/2; the IP address of the server is 2004:1:2:3::3, the authentication port defaults to 1812 and the accounting port defaults to 1813.
If the RADIUS authentication problem remains unsolved, please use debug aaa and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.
Chapter 48 SSL Configuration

48.1 Introduction to SSL

As computer networking technology spreads, network security has an increasingly important impact on the availability and usability of networking applications. Network security has become one of the greatest barriers to modern networking applications. To protect sensitive data transferred through the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser. Up till now, SSL 2.0 and 3.
48.1.1 Basic Element of SSL

The basic strategy of SSL is to provide a secure channel for forwarding arbitrary application data between two communicating programs. In theory, an SSL connection is similar to an encrypted TCP connection. SSL sits below the application layer and on top of TCP. If the data forwarding mechanism of the lower layer is reliable, the data written to the network will be delivered to the other program in sequence, without packet loss or retransmission.
48.2 SSL Configuration Task List

1. Enable/disable SSL function
2. Configure/delete the port number used by SSL
3. Configure/delete the secure cipher suite used by SSL
4. Maintenance and diagnosis of the SSL function

1. Enable/disable SSL function
Command (Global Mode): ip http secure-server / no ip http secure-server
Explanation: Enable/disable SSL function.

2.
48.3 SSL Typical Example

When the Web function is enabled on the switch, SSL can be configured so that users can access the web interface of the switch. If SSL has been configured, communication between the client and the switch is encrypted through SSL for safety. Firstly, SSL should be enabled on the switch. When the client tries to access the switch via https, an SSL session is set up between the switch and the client.
If SSL is enabled, SSL should be restarted after changes to the port configuration and encryption configuration; IE 7.0 or above should be used with des-cbc-sha; if the SSL problems remain unsolved after the above attempts, please use debug SSL and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.
Chapter 49 IPv6 Security RA Configuration

49.1 Introduction to IPv6 Security RA

In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RA messages, including the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create a link address and set the default router to the one that sent the RA, in order to implement IPv6 network communication.
3. Display and debug the related information of IPv6 security RA
Command (Admin Mode): debug ipv6 security-ra / no debug ipv6 security-ra
Explanation: Enable the debug information of the IPv6 security RA module; the no operation of this command disables the output of IPv6 security RA debug information.
Command (Admin Mode): show ipv6 security-ra [interface ]
Explanation: Display the untrusted ports and whether security RA is enabled globally.

49.
49.4 IPv6 Security RA Troubleshooting Help

The function of IPv6 security RA is quite simple; if the function does not meet expectations after configuring IPv6 security RA:
Check if the switch is correctly configured.
Check if there are rules configured on the switch that conflict with the security RA function; such rules will cause RA messages to be forwarded.
Chapter 50 MAB Configuration

50.1 Introduction to MAB

In an actual network, some existing devices, such as printers and PDAs, cannot install an authentication client and cannot perform 802.1x authentication. However, to access the network resources, they need to use MAB authentication in place of 802.1x authentication. MAB authentication is a network access authentication method based on the access port and the MAC address of the MAB user.
1. Enable MAB function
Command (Global Mode): mac-authentication-bypass enable / no mac-authentication-bypass enable
Explanation: Enable the global MAB authentication function.
Command (Port Mode): mac-authentication-bypass enable / no mac-authentication-bypass enable
Explanation: Enable the port MAB authentication function.

2.
Command: mac-authentication-bypass spoofing-garp-check enable / no mac-authentication-bypass spoofing-garp-check enable
Explanation: Enable the spoofing-garp-check function, so that the MAB function no longer processes spoofing GARP; the no command disables the function.
Command: authentication mab {radius | none} / no authentication mab
Explanation: Configure the authentication mode and priority of the MAC address; the no command restores the default authentication mode.

50.
Ethernet 1/2 is a hybrid port connected to PC2; the native VLAN of the port is vlan1, the guest VLAN is configured as vlan8, it joins vlan1, vlan8 and vlan10 untagged, and the MAB function is enabled. Ethernet 1/3 is an access port connected to the printer, with the MAB function enabled. Ethernet 1/4 is a trunk port connected to Switch 2. Ethernet 1/4 of Switch 2 is a trunk port connected to Switch 1.
Switch(config)#interface ethernet 1/2
Switch(config-if-ethernet1/2)#switchport mode hybrid
Switch(config-if-ethernet1/2)#switchport hybrid native vlan 1
Switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 1;8;10 untag
Switch(config-if-ethernet1/2)#mac-authentication-bypass enable
Switch(config-if-ethernet1/2)#mac-authentication-bypass enable guest-vlan 8
Switch(config-if-ethernet1/2)#exit
Switch(config)#interface ethernet 1/3
Switch(config-if-ethernet1/3)#switchport mode access
Switch(config-if-eth
Chapter 51 PPPoE Intermediate Agent Configuration

51.1 Introduction to PPPoE Intermediate Agent

51.1.1 Brief Introduction to PPPoE

PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that uses point-to-point communication. It is usually selected for host dial-up links, for example a dial-up line.
responds with a PADO (PPPoE Active Discovery Offer) packet to the client according to the source MAC address of the received PADI packet; the packet carries the server name and service name.
3. Client sends PADR packet: In the third step, the client selects a server to process the session according to the received PADO packets. It may receive many PADO packets in response to one PADI.
Figure 51-1: PPPoE IA protocol exchange process

51.1.2.
TLV length field (2 bytes): Specifies the length of the TAG data field.
TLV data field (length not fixed): Carries the transmitted data of the TAG.

Tag Type / Tag Explanation
0x0000: The end of a series of tags in the PPPoE data field; it is reserved to ensure version compatibility and is used by some packets.
0x0101: Service name. Indicates the services supplied by the network.
0x0102: Server name.
For PPPoE IA, a TLV tag of type 0x0105 is added: TAG_LENGTH is the length field of the vendor tag; 0x00000DE9 is the fixed 4-byte “ADSL Forum” IANA entry; 0x01 is the type field of the Agent Circuit ID, followed by its length field and the Agent Circuit ID value field; 0x02 is the type field of the Agent Remote ID, followed by its length field and the Agent Remote ID value field.
51.2 PPPoE Intermediate Agent Configuration Task List

1. Enable global PPPoE Intermediate Agent
2. Enable port PPPoE Intermediate Agent

Command (Global Mode): pppoe intermediate-agent / no pppoe intermediate-agent
Explanation: Enable the global PPPoE Intermediate Agent function.
Command (Global Mode): pppoe intermediate-agent type tr-101 circuit-id access-node-id / no pppoe intermediate-agent type tr-101
Explanation: Configure the access node ID field value of the circuit ID in the added vendor tag.
Command: pppoe intermediate-agent / no pppoe intermediate-agent
Explanation: Enable the PPPoE Intermediate Agent function of the port.
Command: pppoe intermediate-agent vendor-tag strip / no pppoe intermediate-agent vendor-tag strip
Explanation: Set the vendor tag strip function of the port.
Command: pppoe intermediate-agent trust / no pppoe intermediate-agent trust
Explanation: Set a port as a trusted port.
Command: pppoe intermediate-agent circuit-id / no pppoe intermediate-agent circuit-id
Explanation: Set the circuit-id of the port.
Command: pppoe intermediate-agent remote-id
Explanation: Set the remote-id of the port.
Step 3: Enable the PPPoE IA function on port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234.
Switch(config-if-ethernet1/2)#pppoe intermediate-agent
Switch(config-if-ethernet1/3)#pppoe intermediate-agent
Step 4: Configure the pppoe intermediate-agent access-node-id as abcd.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd
Step 5: Configure the circuit ID as aaaa and the remote ID as xyz for port ethernet1/3.
Step 5: Configure the pppoe intermediate-agent identifier-string as “efgh”, the combo mode as spv, the delimiter between Slot ID and Port ID as “#”, and the delimiter between Port ID and Vlan ID as “/”.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id identifier-string efgh option spv delimiter # delimiter /
Step 6: Configure the circuit-id value as bbbb on port ethernet1/2.
Switch(config-if-ethernet1/2)#pppoe intermediate-agent circuit-id bbbb
Step 7: Configure the remote-id as xyz on ethernet1/3.
Chapter 52 Web Portal Configuration

52.1 Introduction to Web Portal Authentication

802.1x authentication requires a special client to authenticate. The access device is a special layer 2 switch, the authentication server is a RADIUS server, and the authentication messages use the EAP protocol format.
1. Enable/disable web portal authentication globally
Command (Global Mode): webportal enable / no webportal enable
Explanation: Enable/disable web portal authentication globally.

2. Enable/disable web portal authentication of the port
Command (Port Mode): webportal enable / no webportal enable
Explanation: Enable/disable web portal authentication of the port.

3. Configure the max.
6. Enable dhcp snooping binding web portal function
Command (Port Mode): ip dhcp snooping binding webportal / no ip dhcp snooping binding webportal
Explanation: Enable the dhcp snooping binding web portal function.

7. Delete the binding information of web portal authentication
Command (Admin Mode): clear webportal binding {mac WORD | interface |}
Explanation: Delete the binding information of web portal authentication.

52.
In the above figure, pc1 is the end user; it has an http browser but no 802.1x authentication client, and pc1 wants to access the network through web portal authentication. Switch1 is the access device; it configures the accounting server's address and port as the RADIUS server's IP and port, and enables the accounting function.
Chapter 53 VLAN-ACL Configuration

53.1 Introduction to VLAN-ACL

The user can apply an ACL policy to a VLAN to implement access control for all ports in the VLAN, and VLAN-ACL enables the user to manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN, without configuring each member port separately.
2. Configure VLAN-ACL of MAC type
Command (Global Mode): vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
Explanation: Configure or delete MAC VLAN-ACL. (Egress filtering is not supported by the switch.)

3. Configure VLAN-ACL of MAC-IP
Command (Global Mode): vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan
Explanation: Configure or delete MAC-IP VLAN-ACL.
6. Clear statistic information of VLAN-ACL
Command (Admin Mode): clear vacl [in | out] statistic vlan []
Explanation: Clear the statistic information of VACL. (Egress filtering is not supported by the switch.)

53.3 VLAN-ACL Configuration Example

A company's network configuration is shown below. All departments are divided into different VLANs. The technical department is Vlan1 and the finance department is Vlan2.
Switch(config)#time-range t1
Switch(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
2) Configure the extended IP ACL acl_a: during working hours, it only allows access to resources within the internal network (such as 192.168.0.255).
Switch(config)# ip access-list extended vacl_a
Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.
Chapter 54 SAVI Configuration

54.1 Introduction to SAVI

SAVI (Source Address Validation Improvement) is a security authentication method that validates source addresses at the granularity of individual nodes. It obtains trusted node information (such as port and MAC address information), namely anchor information, by monitoring the interaction of the relevant protocol packets (such as ND protocol and DHCPv6 protocol) using the CPS (Control Packet Snooping) mechanism.
1. Enable or disable SAVI function
Command (Global Mode): savi enable / no savi enable
Explanation: Enable the global SAVI function; the no command disables the function.

2. Enable or disable application scene function for SAVI
Command (Global Mode): savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable / no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
Explanation: Enable the application scene function for SAVI; the no command disables the function.

3.
5. Configure the global max-dad-prepare-delay for SAVI
Command (Global Mode): savi max-dad-prepare-delay / no savi max-dad-prepare-delay
Explanation: Configure the max. redetection lifetime period for SAVI binding; the no command restores the default value.

6.
10. Configure the filter entry number of IPv6 address
Command (Global Mode): savi ipv6 mac-binding-limit / no savi ipv6 mac-binding-limit
Explanation: Configure the number of dynamic bindings permitted for the same MAC address; the no command restores the default value. Note: The binding number only limits dynamic bindings, not the number of static bindings.

11.
14. Enable or disable ND trust of port
Command (Port Mode): ipv6 nd snooping trust / no ipv6 nd snooping trust
Explanation: Configure a port as slaac trust and RA trust; the no command deletes the port's trust function.

15. Configure the binding number
Command (Port Mode): savi ipv6 binding num / no savi ipv6 binding num
Explanation: Configure the binding number of a port; the no command restores the default value.
54.3 SAVI Typical Application

In actual application, the SAVI function is usually applied on access layer switches to check the validity of the source addresses of directly connected nodes. There are four typical application scenes for the SAVI function: DHCP-Only, Slaac-Only, DHCP-Slaac and Static binding.
Switch1>enable
Switch1#config
Switch1(config)#savi enable
Switch1(config)#savi ipv6 dhcp-slaac enable
Switch1(config)#savi check binding probe mode
Switch1(config)#interface ethernet1/1
Switch1(config-if-ethernet1/1)#ipv6 dhcp snooping trust
Switch1(config-if-ethernet1/1)#ipv6 nd snooping trust
Switch1(config-if-ethernet1/1)#exit
Switch1(config)#interface ethernet1/12-20
Switch1(config-if-port-range)#savi ipv6 check source ip-address mac-address
Switch1(config-if-port-range)#savi ipv6 binding num 4
Switch1(
Chapter 55 MRPP Configuration

55.1 Introduction to MRPP

MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet ring protection. It can avoid the broadcast storm caused by a data loop on an Ethernet ring, and restore communication among all nodes on the ring network when a link on the Ethernet ring breaks. MRPP is an expansion of EAPS (Ethernet link automatic protection protocol).
3. Nodes

Each switch is a node on the Ethernet ring. There are several node types:
Primary node: each ring has one primary node; it is the main node for detection and protection.
Transfer node: all nodes on a ring other than the primary node are transfer nodes.
The node role is determined by user configuration. As shown in Figure 55-1, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.

4.
MAC address.
LINK-UP-FLUSH_FDB packet: After the primary node detects that the ring failure has been restored to normal, it sends this packet from its primary port and informs each transfer node to refresh its own MAC address table.

55.1.3 MRPP Protocol Operation System

1. Link Down Alarm System
When a transfer node finds that one of its MRPP ring ports is Down, it sends a Link Down packet to the primary node immediately.
1) Globally enable MRPP
Command (Global Mode): mrpp enable / no mrpp enable
Explanation: Globally enable and disable MRPP.

2) Configure MRPP ring
Command (Global Mode): mrpp ring / no mrpp ring
Explanation: Create an MRPP ring. The “no” command deletes the MRPP ring and its configuration.
Command (MRPP Ring Mode): control-vlan / no control-vlan
Explanation: Configure the control VLAN ID; the “no” form deletes the configured control VLAN ID.
4) Configure the compatible mode
Command (Global Mode): mrpp errp compatible / no mrpp errp compatible
Explanation: Enable the compatible mode for ERRP; the no command disables the compatible mode.
Command (Global Mode): mrpp eaps compatible / no mrpp eaps compatible
Explanation: Enable the compatible mode for EAPS; the no command disables the compatible mode.
Command (Global Mode): errp domain / no errp domain
Explanation: Create an ERRP domain; the no command deletes the configured ERRP domain.
The above topology is common when using the MRPP protocol. Multiple switches constitute a single MRPP ring; all of the switches are configured with only MRPP ring 4000, thereby constituting a single MRPP ring. In the above configuration, SWITCH A is configured as the primary node of MRPP ring 4000, with E1/1 configured as the primary port and E1/2 as the secondary port. The other switches are secondary nodes of the MRPP ring, each configured with a primary port and a secondary port.
SWITCH C configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#
SWITCH D configuration Task Sequence:
Switch(Config)#mrpp
The convergence time of an MRPP ring network depends on the up/down response mode. With poll mode, the convergence time is hundreds of milliseconds in a simple ring network; with interrupt mode, the convergence time is within 50 milliseconds. Generally, the port is configured in poll mode; interrupt mode is only applied where better performance is required, but the security of poll mode is better than that of interrupt mode. The port-scan-mode {interrupt | poll} command can be consulted.
Chapter 56 ULPP Configuration

56.1 Introduction to ULPP

Each ULPP group has two uplink ports: a master port and a slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally, only one port is in the forwarding state, and the other port is blocked in the Standby state. When the master port has a link problem, the master port goes to the down state, and the slave port is switched to the forwarding state.
When the uplink switchover happens, the existing forwarding entries of the devices in the network are not yet adapted to the new topology. In the figure, SwitchA configures ULPP with portA1 as the master port in the forwarding state, so the MAC address of the PC is learned by SwitchD from portD3. After this, portA1 has a problem and the traffic is switched to portA2 to be forwarded. If SwitchD has data to send to the PC, the data will still be forwarded from portD3, and will be lost.
1. Create ULPP group globally
Global Mode
  ulpp group / no ulpp group: Configure or delete a ULPP group globally.
2. Configure ULPP group
ULPP Group Mode
  preemption mode / no preemption mode: Configure the preemption mode of the ULPP group; the no operation deletes the preemption mode.
  preemption delay / no preemption delay: Configure the preemption delay; the no operation restores the default value of 30s.
  ulpp flush enable mac / ulpp flush disable mac: Enable or disable receiving the flush packets that update the MAC address table.
  ulpp flush enable arp / ulpp flush disable arp: Enable or disable receiving the flush packets that delete ARP entries.
  ulpp flush enable mac-vlan / ulpp flush disable mac-vlan: Enable or disable receiving the flush packets of mac-vlan type.
  ulpp group master / no ulpp group master: Configure or delete the master port of the ULPP group.
3.
56.3 ULPP Typical Examples
56.3.1 ULPP Typical Example1
[Figure 56-3: ULPP typical example1 (Switch A, Switch B, Switch C, Switch D; ports E1/1 and E1/2)]
The topology above is the typical application environment of the ULPP protocol. SwitchA has two uplinks, to SwitchB and SwitchC. With no protocol enabled, this topology forms a loop. To avoid the loop, SwitchA can run ULPP, with the master port and the slave port of the ULPP group on the two uplinks.
Switch(ulpp-group-1)#control vlan 10
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#ulpp group 1 master
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)#ulpp group 1 slave
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/1
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet
56.3.2 ULPP Typical Example2
[Figure 56-4: ULPP typical example2 (Switch A, Switch B, Switch C, Switch D; E1/1 with Vlan 1-100, E1/2 with Vlan 101-200)]
ULPP can implement VLAN-based load balancing. As the figure illustrates, SwitchA configures two ULPP groups: in group1 port E1/1 is the master port and port E1/2 is the slave port; in group2 port E1/2 is the master port and port E1/1 is the slave port. Group1 protects VLANs 1-100 and group2 protects VLANs 101-200.
Switch(config-If-Ethernet1/1)#ulpp group 1 master
Switch(config-If-Ethernet1/1)#ulpp group 2 slave
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)#switchport mode trunk
Switch(config-If-Ethernet1/2)#ulpp group 1 slave
Switch(config-If-Ethernet1/2)#ulpp group 2 master
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#switchport mode trunk
Switch(config-If-Ethernet1/1)
Chapter 57 ULSM Configuration
57.1 Introduction to ULSM
ULSM (Uplink State Monitor) synchronizes port state. Each ULSM group consists of uplink ports and downlink ports, and there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group. The uplink port is the port monitored by the ULSM group.
57.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the related information of ULSM
1. Create ULSM group globally
Global Mode
  ulsm group / no ulsm group: Configure or delete a ULSM group globally.
2.
57.3 ULSM Typical Example
[Figure 57-2: ULSM typical example (Switch D with E1/3 and E1/4; Switch B with E1/1 and E1/2; Switch C with E1/1 and E1/2; Switch A)]
The topology above is the typical application environment in which ULSM is used together with ULPP. ULSM only synchronizes port state; running on its own it serves no purpose, so it is normally used in association with ULPP. In the topology, SwitchA enables ULPP, which switches the uplink.
SwitchB configuration task list:
Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#ulsm group 1 downlink
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface ethernet 1/3
Switch(config-If-Ethernet1/3)#ulsm group 1 uplink
Switch(config-If-Ethernet1/3)#exit
SwitchC configuration task list:
Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#ulsm group 1 downlink
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#in
Chapter 58 Mirror Configuration
58.1 Introduction to Mirror
The mirror functions include port mirroring, CPU mirroring and flow mirroring. Port mirroring duplicates the data frames sent or received on one port to another port. The port being duplicated is called the mirror source port and the port receiving the copies is called the mirror destination port.
  ... {interface | cpu} {rx | tx | both}; the no command deletes the mirror source port.
  no monitor session source {interface | cpu}
3. Specify flow mirror source
Global Mode
  monitor session source {interface } access-group {rx | tx | both} / no monitor session source {interface } access-group: Specify the flow mirror source port and apply the rule; the no command deletes the flow mirror source port.
58.
58.4 Device Mirror Troubleshooting
If problems occur when configuring port mirroring, first check the following possible cause: whether the mirror destination port is a member of a TRUNK group; if it is, modify the TRUNK group.
Chapter 59 sFlow Configuration
59.1 Introduction to sFlow
sFlow (RFC 3176) is a standards-based traffic export protocol developed by InMon and used to monitor network traffic. The monitored switch or router samples packets and collects statistics, sends the resulting data to the analyzer client, and the analyzer processes it according to the user's requirements so as to monitor the network.
2. Configure the sFlow proxy address
Global Mode
  sflow agent-address / no sflow agent-address: Configure the source IP address used by the sFlow agent; the no form of the command deletes this address.
3. Configure the sFlow proxy priority
Global Mode
  sflow priority / no sflow priority: Configure the priority with which sFlow receives packets from the hardware; the no sflow priority command restores the default.
4.
7. Configure the sFlow statistic sampling interval
Port Mode
  sflow counter-interval / no sflow counter-interval: Configure the max. interval at which sFlow performs statistics (counter) sampling; the no form of this command deletes it.
8. Configure the analyzer used by sFlow
Global Mode
  sflow analyzer sflowtrend / no sflow analyzer sflowtrend: Configure the analyzer used by sFlow; the no command deletes the analyzer.
59.
Switch(Config-If-Ethernet1/2)#sflow rate input 20000
Switch(Config-If-Ethernet1/2)#sflow rate output 20000
Switch(Config-If-Ethernet1/2)#sflow counter-interval 40
59.4 sFlow Troubleshooting
When configuring and using sFlow, the sFlow server may fail to run properly because of a physical connection failure, wrong configuration and so on. The user should ensure the following: the physical connection is correct, and the address of the sFlow analyzer configured in global or port mode is reachable.
Chapter 60 RSPAN Configuration
60.1 Introduction to RSPAN
Port mirroring duplicates the data frames sent or received on one port to another port. The port being duplicated is called the mirror source port and the port receiving the copies is called the mirror destination port. With mirroring in place it is more convenient for the network administrator to monitor, manage and diagnose the network.
Note: Normal mode is used by default. In normal mode, datagrams with reserved MAC addresses cannot be broadcast. Chassis switches support at most 4 mirror destination ports, and the source or destination port of one mirror session can be configured on each line card. Box switches support only one mirror session. The number of source mirror ports is not limited and may be one or more, and multiple source ports need not be in the same VLAN.
60.2 RSPAN Configuration Task List
1. Configure RSPAN VLAN
2. Configure mirror source port (CPU)
3. Configure mirror destination port
4. Configure reflector port
5. Configure remote VLAN of mirror group
1. Configure RSPAN VLAN
VLAN Mode
  remote-span / no remote-span: Configure the specified VLAN as the RSPAN VLAN; the no command removes the RSPAN VLAN configuration.
2.
4. Configure reflector port
Global Mode
  monitor session reflector-port / no monitor session reflector-port: Configure the interface as the reflector port; the no command deletes the reflector port.
5.
Two configuration solutions are available for RSPAN: without a reflector port and with a reflector port. In the first, only one fixed port can be connected to the intermediate switch, but no reflector port has to be configured, which makes the best use of switch ports. In the second, the port connected to the intermediate switch is not fixed; datagrams can be broadcast in the RSPAN VLAN through the loopback, which is much more flexible.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode trunk
Switch(Config-If-Ethernet1/9)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/10)#exit
Solution 2:
Source switch: Interface ethernet 1/1 is the source port. Interface ethernet 1/2 is the TRUNK port, which is connected to the intermediate switch.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/6-7
Switch(Config-If-Port-Range)#switchport mode trunk
Switch(Config-If-Port-Range)#exit
Destination switch: Interface ethernet1/9 is the source port, which is connected to the source switch. Interface ethernet1/10 is the destination port, which is connected to the monitor. This port must be configured as an access port and belong to the RSPAN VLAN. The RSPAN VLAN is 5.
Chapter 61 ERSPAN
61.1 Introduction to ERSPAN
ERSPAN (Encapsulated Remote Switched Port Analyzer) removes the restriction that the source port and the destination port must be located on the same switch. With this feature the source port and the destination port can be located on different devices in the network, which makes it easier for the network administrator to manage remote switches.
3. Appoint the mirror destination; the destination can be a physical port or a tunnel
Global Mode
  monitor session destination tunnel interface desmac <MAC address> desIP <Dest IP address> scrIP <Source IP address> / no monitor session destination tunnel interface: Appoint the mirror destination to be the physical port or the tunnel; the no command deletes the mirror destination.
61.
Before configuring layer-3 remote port mirroring, make sure that a GRE tunnel connecting the source and destination devices has been created and that traffic passes through the GRE tunnel normally. Layer 3 remote port mirroring must be configured on both the source device and the destination device.
SwitchB(config-router)#network 0.0.0.0/0 area 0
SwitchB(config-router)#exit
(4) Configure Device C (the destination device)
# Create interface Tunnel1, and configure an IP address and mask for it.
SwitchC(config)#interface tunnel 1
SwitchC(config-if-tunnel1)#tunnel mode gre ip
SwitchC(config-if-tunnel1)#ip address 50.1.1.2 255.255.255.0
# Configure Tunnel1 to operate in GRE tunnel mode, and configure source and destination IP addresses for it.
SwitchC(config-if-tunnel1)#tunnel source 40.1.1.
Chapter 62 SNTP Configuration
62.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet worldwide. NTP can assess the packet send/receive delay in the network and independently estimate the computer's clock deviation, so as to achieve highly accurate timekeeping on networked computers. In most locations NTP provides an accuracy of 1 to 50 ms, depending on the characteristics of the synchronization source and the network route.
62.2 Typical Examples of SNTP Configuration
[Figure 62-2: Typical SNTP Configuration (two SNTP/NTP servers and several switches)]
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there must be a reachable route between every switch and the two SNTP/NTP servers. For example, assume the IP addresses of the SNTP/NTP servers are 10.1.1.
Chapter 63 NTP Function Configuration
63.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients and can achieve millisecond precision. Its events, states, transmit functions and actions are defined in RFC-1305. The purpose of NTP is to keep timekeeping consistent among all clock-dependent devices in the network, so that those devices can support diverse applications based on a consistent time.
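The delay and clock-deviation estimate mentioned in the SNTP and NTP introductions above comes from the four timestamps of one request/response exchange (RFC 1305). The following is an added example, not PLANET code: the timestamps are constructed floating-point seconds rather than real NTP 64-bit fixed-point values, and the "smallest delay wins" selection is a simplified stand-in for NTP's clock filter.

```python
# Added example (not PLANET code): the RFC 1305 on-wire calculation that
# lets NTP estimate network delay and clock offset. Timestamps below are
# constructed floats in seconds; real NTP uses 64-bit fixed-point values.
from typing import Iterable, Optional, Tuple

Sample = Tuple[float, float, float, float]  # (t1, t2, t3, t4)


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """t1 = client transmit, t2 = server receive, t3 = server transmit,
    t4 = client receive (each read from that side's own clock).
    offset = ((t2 - t1) + (t3 - t4)) / 2   server clock minus client clock
    delay  = (t4 - t1) - (t3 - t2)         round trip minus server hold time
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def select_offset(samples: Iterable[Sample]) -> Optional[float]:
    """Clock-filter style choice: trust the sample with the smallest delay,
    because queueing and path asymmetry add error that grows with delay.
    A negative delay cannot come from a sane exchange (clock stepped
    mid-exchange, or corrupt/forged timestamps), so such samples are dropped."""
    best = None
    for t1, t2, t3, t4 in samples:
        offset, delay = offset_and_delay(t1, t2, t3, t4)
        if delay < 0:
            continue
        if best is None or delay < best[1]:
            best = (offset, delay)
    return None if best is None else best[0]


# Constructed exchanges: in the first two the client clock is 0.4375 s behind
# the server (the second one just crosses a slower path); the third is corrupt.
SAMPLES = [
    (1000.0, 1000.5, 1000.625, 1000.25),
    (2000.0, 2000.6875, 2000.8125, 2000.625),
    (3000.0, 3000.5, 3000.5, 2999.0),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "-> offset %.4f s, delay %.4f s" % offset_and_delay(*s))
    print("selected offset:", select_offset(SAMPLES))
```

Both good samples yield the same offset even though their delays differ, which is why NTP can reach millisecond precision when the path is symmetric; the corrupt sample is rejected before it can pull the estimate.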
  ntp server { | } [version ] [key ] / no ntp server { | }: Enable the specified time server as a time source.
3. To configure the max. number of broadcast or multicast servers supported by the NTP client
Global Mode
  ntp broadcast server count / no ntp broadcast server count: Set the max. number of broadcast or multicast servers supported by the NTP client.
  ntp trusted-key / no ntp trusted-key: Configure a trusted key.
7. To specify an interface as NTP multicast client interface
VLAN Mode
  ntp multicast client / no ntp multicast client: Configure the specified interface to receive NTP multicast packets.
  ntp ipv6 multicast client / no ntp ipv6 multicast client: Configure the specified interface to receive IPv6 NTP multicast packets.
8.
  debug ntp sync / no debug ntp sync: Enable the debug switch for time synchronization information.
  debug ntp events / no debug ntp events: Enable the debug switch for NTP event information.
63.
Chapter 64 Summer Time Configuration
64.1 Introduction to Summer Time
Summer time, also called daylight saving time, is a timekeeping scheme for saving energy. In summer the clock is advanced by 1 hour so that the day starts earlier and less artificial lighting is needed, which saves electricity. The rules for adopting summer time differ from country to country; at present almost 110 countries implement summer time.
64.3 Examples of Summer Time
Example1: The configuration requirement is as follows: summer time runs from 23:00 on April 1st, 2012 to 00:00 on October 1st, 2012, with a clock offset of 1 hour, and the summer time is named 2012. The configuration procedure is as follows:
Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.
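When log timestamps from a switch with this rule are correlated with other systems, two edge cases matter: the hour that never appears on the clock at the start of summer time, and the hour that appears twice at the end. The following is an added example, not PLANET code, applying the Example1 rule above to timestamps; it assumes the end time (00:00 on October 1st) is the summer-time clock reading, as is usual for such rules.

```python
# Added example (not PLANET code): applying the "clock summer-time 2012
# absolute 23:00 2012.4.1 00:00 2012.10.1" rule to timestamps. Assumption:
# the end time is the summer-time clock reading (the clock falls back to 23:00).
from datetime import datetime, timedelta
from typing import List, Tuple

OFFSET = timedelta(hours=1)
DST_START_STD = datetime(2012, 4, 1, 23, 0)   # standard time; clock jumps to 00:00
DST_END_SUMMER = datetime(2012, 10, 1, 0, 0)  # summer time; clock falls back to 23:00
DST_END_STD = DST_END_SUMMER - OFFSET         # 2012-09-30 23:00 in standard time


def to_local(std: datetime) -> datetime:
    """Standard time -> wall clock the switch shows (e.g. in log lines)."""
    if DST_START_STD <= std < DST_END_STD:
        return std + OFFSET
    return std


def from_local(local: datetime) -> Tuple[List[datetime], str]:
    """Wall-clock reading -> candidate standard times plus a status.
    'nonexistent': the skipped hour 23:00-00:00 on April 1st (no candidate).
    'ambiguous'  : the repeated hour 23:00-00:00 on Sep 30th (two candidates,
                   summer-time interpretation first).
    Otherwise exactly one candidate, flagged 'summer' or 'standard'."""
    if DST_START_STD <= local < DST_START_STD + OFFSET:
        return [], "nonexistent"
    if DST_END_STD <= local < DST_END_SUMMER:
        return [local - OFFSET, local], "ambiguous"
    if DST_START_STD + OFFSET <= local < DST_END_STD:
        return [local - OFFSET], "summer"
    return [local], "standard"


def show_local(std_iso: str) -> str:
    """ISO-8601 string convenience wrapper around to_local()."""
    return to_local(datetime.fromisoformat(std_iso)).isoformat(sep=" ")


def resolve_local(local_iso: str) -> Tuple[List[str], str]:
    """ISO-8601 string convenience wrapper around from_local()."""
    candidates, status = from_local(datetime.fromisoformat(local_iso))
    return [c.isoformat(sep=" ") for c in candidates], status


if __name__ == "__main__":
    for stamp in ("2012-04-01 23:30", "2012-07-01 12:00",
                  "2012-09-30 23:30", "2012-11-01 12:00"):
        print(stamp, "->", resolve_local(stamp))
```

A log line stamped 23:30 on September 30th therefore has two possible real times an hour apart, and one stamped 23:30 on April 1st cannot have been produced by a correctly configured switch at all.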
Chapter 65 DNSv4/v6 Configuration
65.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS you can use easy-to-remember, meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses. There are two types of DNS service, static and dynamic, which complement each other in practice.
65.2 DNSv4/v6 Configuration Task List
1. To enable/disable DNS function
2. To configure/delete DNS server
3. To configure/delete domain name suffix
4. To delete the domain entry of specified address in dynamic cache
5. To enable DNS dynamic domain name resolution
6. Enable/disable DNS SERVER function
7. Configure the max. number of client information in the switch queue
8. Configure the timeout value of caching the client information on the switch
9.
  clear dynamic-host { | | all}: Delete the domain entry of the specified address from the dynamic cache.
5. To enable DNS dynamic domain name resolution
Global Mode
  dns lookup {ipv4 | ipv6}: Enable DNS dynamic domain name resolution.
6. Enable/disable DNS SERVER function
Global Mode
  ip dns server / no ip dns server: Enable/disable the DNS SERVER function.
7. Configure the max.
9. Monitor and diagnosis of DNS function
Admin Mode
  show dns name-server: Show the configured DNS server information.
  show dns domain-list: Show the configured DNS domain name suffix information.
  show dns hosts: Show the dynamic domain name information resolved by the switch.
  show dns config: Display the configured global DNS information on the switch.
  show dns client: Display the DNS client information maintained by the switch.
[Figure 65-2: DNS SERVER typical environment (client, SWITCH, INTERNET, DNS SERVER with IP 219.240.250.101 and IPv6 2001::1)]
The figure above shows an application of the DNS SERVER function. In some circumstances the client PC does not know the real DNS server and points to the switch instead. The switch plays the role of a DNS server in two steps: enable the global DNS SERVER function, and configure the IP address of the real DNS server.
65.4 DNS Troubleshooting
When configuring and using DNS, it may fail for reasons such as a physical connection failure or wrong configuration. The user should ensure the following: first, that the physical connection to the TACACS+ server is in good condition; second, that all interfaces and link protocols are in the UP state (use the show interface command); then make sure the DNS dynamic lookup function is enabled (use the ip domain-lookup command) before enabling the DNS CLIENT function.
Chapter 66 Monitor and Debug
When users configure the switch, they need to verify that the configuration is correct and that the switch operates as expected, and when a network failure occurs they need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the causes of problems.
66.
66.4 Traceroute6
Traceroute6 tests the gateways traversed by data packets from the source device to the destination device, in order to verify reachability and locate network failures. The principle of Traceroute6 under IPv6 is the same as under IPv4: it uses the hop limit field of the IPv6 header together with ICMPv6. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and the packet send time) whose HOPLIMIT is set to 1.
  show startup-config: Display the switch parameter configuration written in Flash memory at the current operating state, which is normally the configuration file applied the next time the switch starts up.
  show switchport interface [ethernet ]: Display the VLAN port mode and the VLAN the port belongs to, as well as the Trunk port information.
  show tcp / show tcp ipv6: Display the TCP connections currently established on the switch.
The log information is classified into four levels of severity, by which it is filtered. According to the severity level, log information can be output automatically to the corresponding log channel.
66.7.1.
threshold is set to debugging, all information is output, and if it is set to critical, only critical, alerts and emergencies are output. The following table summarizes the log severity levels with a brief description of each. Note: these severity levels follow the standard UNIX/LINUX syslog.
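The threshold rule above is the standard syslog convention: each message carries a PRI value equal to facility*8 + severity, and a channel with threshold N keeps everything whose severity number is less than or equal to N. The following is an added example, not PLANET code, that applies that rule to a set of constructed log lines (the messages, hostnames and the local7 facility are made up for the illustration).

```python
# Added example (not PLANET code): filtering syslog lines by a severity
# threshold as the text describes. Sample lines are constructed; their PRI
# values use facility local7 (23), so PRI = 23 * 8 + severity.
import re
from typing import List, Optional, Tuple

# Standard UNIX/Linux syslog severities: lower number = more severe
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")  # "<PRI>" header at line start

SAMPLE_LOGS = [  # constructed
    "<184>Jan  1 00:00:01 switch SYSTEM: power supply failure",                    # emergencies
    "<185>Jan  1 00:00:02 switch ULPP: master port down, switching to slave",      # alerts
    "<186>Jan  1 00:00:03 switch MSTP: topology change",                           # critical
    "<188>Jan  1 00:00:04 switch LINK: Ethernet1/1 changed state to down",         # warnings
    "<189>Jan  1 00:00:05 switch LOGIN: user admin logged in from 100.100.100.5",  # notifications
    "<191>Jan  1 00:00:06 switch SFLOW: counter sample sent",                      # debugging
    "garbage line without a PRI header",                                           # dropped
]


def parse_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, message), or None if the line has no
    PRI header or the PRI is out of range (max facility 23, severity 7)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri >> 3, pri & 0x07, m.group(2)


def filter_by_threshold(lines: List[str], threshold: str) -> List[str]:
    """Keep lines at least as severe as the threshold: numeric severity <=
    threshold number. 'debugging' (7) keeps everything parseable,
    'critical' (2) keeps only critical, alerts and emergencies."""
    limit = SEVERITY[threshold]
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is not None and parsed[1] <= limit:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for level in ("critical", "warnings", "debugging"):
        print(f"threshold={level}: {len(filter_by_threshold(SAMPLE_LOGS, level))} lines kept")
```

Malformed lines are dropped rather than passed through, which is the safe default for a collector; if dropped lines matter for an investigation, count them separately instead of silently discarding them.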
66.7.2 System Log Configuration
System Log Configuration Task Sequence:
1. Display and clear log buffer zone
2. Configure the log host output channel
3. Enable/disable the log executed-commands
4. Display the log source
5. Display executed-commands state
1. Display and clear log buffer zone
Admin Mode
  show logging buffered [ level {critical | warnings} | range ]: Show detailed log information in the log buffer channel.
  Clear log buffer zone information.
4. Display the log source
Admin Mode
  show logging source mstp: Show the log information source of the MSTP module.
5. Display executed-commands state
Admin Mode
  show logging executed-commands state: Show the state of logging executed-commands.
66.7.3 System Log Configuration Example
Example 1: The IPv4 address of the switch on the management VLAN is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5.
Chapter 67 Reload Switch after Specified Time
67.1 Introduction to Reload Switch after Specified Time
Reloading the switch after a specified time reboots the switch, without powering it off, once the specified period has elapsed; this is typically used when updating the switch version. The switch can then be rebooted after a delay rather than immediately after its version has been updated successfully.
67.2 Reload Switch after Specified Time Task List
1.
Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU
68.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU
The following commands are used to debug and diagnose the packets received and sent by the CPU, and are intended to be used with the help of technical support.
68.2 Debugging and Diagnosis for Packets Received and Sent by CPU Task List
Global Mode
  cpu-rx-ratelimit protocol: Set the max.
Chapter 69 Dying Gasp Configuration
69.1 Introduction to Dying Gasp
Dying gasp is a power-failure alarm function: when the switch loses power, it can still send a notification through its Ethernet ports to inform another switch that it has lost power. Dying gasp is enabled by default, but it works only together with the SNMP management function, so a layer 3 interface must be configured on the switch with connectivity to the SNMP management server, and the SNMP trap must be configured accordingly.
Chapter 70 PoE Configuration
70.1 Introduction to PoE
PoE (Power over Ethernet) supplies direct current to IP-based terminals (such as IP phones, wireless LAN APs and network cameras) over the same cable that carries their data. Such DC-receiving devices are called PDs (Powered Devices). The max. distance over which PoE can reliably supply power is 100 meters. IEEE 802.
  power inline max / no power inline max: Globally set the max. output power of PoE.
3. Globally set the power management mode
Global Mode
  power inline police enable / no power inline police enable: Enable/disable the power priority management policy mode.
4. Globally set non-standard PD detection mode
Global Mode
  power inline legacy enable / no power inline legacy enable: Set whether or not to supply power to non-standard (non-IEEE) PDs.
5.
8. Set the power priority on specified ports
Port Mode
  power inline priority {critical | high | low}: Set the power priority on the specified port.
70.3 Typical Application of PoE
Requirements of Network Deployment
Set the max. output power of the SGS-6340-24P4S to 370W, assuming that the default max. power can satisfy the requirements. Ethernet interface 1/0/2 is connected to an IP phone. Ethernet interface 1/0/4 is connected to a wireless AP.
Switch(Config)# power inline enable
Globally set the max. power to 370W:
Switch(Config)# power inline max 370
Globally enable the priority policy of power management:
Switch(Config)# power inline police enable
Set the priority of Port 1/0/2 to critical:
Switch(Config-Ethernet1/0/2)# power inline priority critical
Set the max. output power of Port 1/0/6 to 9000mW:
Switch(Config-Ethernet1/0/6)# power inline max 9000
70.
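What the priority policy (power inline police enable) and the per-port cap (power inline max) change becomes visible when the budget is too small for every PD. The following is an added example, not PLANET code: it is a simplified model in which ports are served greedily either in port order or in priority order, and the port demands, the deliberately small 30 W budget and the tie-breaking rule are assumptions for illustration; the firmware's actual PD classification and preemption details are not described on this page.

```python
# Added example (not PLANET code): simplified model of PoE budget allocation
# with and without the power priority policy. Demands, the 30 W budget and
# the greedy allocation order are assumptions made for the illustration.
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class PoePort:
    name: str
    priority: str        # critical | high | low, as in "power inline priority"
    demand_mw: int       # power the attached PD asks for
    max_mw: int = 15400  # per-port cap, as set with "power inline max"


def allocate(ports: List[PoePort], budget_mw: int, police_enabled: bool) -> Dict[str, int]:
    """Return the power granted to each port (0 = not powered).
    police_enabled=False: ports are served in port order until the budget is gone.
    police_enabled=True : ports are served critical first, then high, then low
    (port order breaks ties), so a low-priority PD cannot take power that a
    critical PD needs. A port that does not fit is skipped; later smaller
    ports may still be served (best effort)."""
    order = list(enumerate(ports))
    if police_enabled:
        order.sort(key=lambda ip: (PRIORITY_RANK[ip[1].priority], ip[0]))
    granted = {p.name: 0 for p in ports}
    remaining = budget_mw
    for _, p in order:
        need = min(p.demand_mw, p.max_mw)  # never exceed the per-port cap
        if need <= remaining:
            granted[p.name] = need
            remaining -= need
    return granted


# Constructed deployment: the IP phone (critical) and the AP (high) share a
# deliberately small 30 W budget with a low-priority camera on a lower port.
PORTS = [
    PoePort("Ethernet1/0/1", "low", 15400),               # camera
    PoePort("Ethernet1/0/2", "critical", 15400),          # IP phone
    PoePort("Ethernet1/0/4", "high", 9000),               # wireless AP
    PoePort("Ethernet1/0/6", "low", 12000, max_mw=9000),  # capped at 9000 mW
]
BUDGET_MW = 30000

if __name__ == "__main__":
    print("port order  :", allocate(PORTS, BUDGET_MW, police_enabled=False))
    print("priority    :", allocate(PORTS, BUDGET_MW, police_enabled=True))
```

Without the policy the camera on the lowest port consumes the budget and the IP phone on Ethernet1/0/2 stays unpowered; with it the phone and the AP are served first. Ethernet1/0/6 asks for 12000 mW but can never receive more than its 9000 mW cap.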