OmniSwitch 6800/6850/9000 Network Configuration Guide

Part No. 060217-10, Rev. A
June 2006
OmniSwitch 6800 Series
OmniSwitch 6850 Series
OmniSwitch 9000 Series
Network Configuration Guide
www.alcatel.com
This user guide documents release 6.1.1 of the OmniSwitch 9000 Series
and release 6.1.2 of the OmniSwitch 6800 Series and of the OmniSwitch 6850 Series.
The functionality described in this guide is subject to change without notice.
Copyright © 2006 by Alcatel Internetworking, Inc. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel Internetworking, Inc.
Alcatel® and the Alcatel logo are registered trademarks of Alcatel. Xylan®, OmniSwitch®, OmniStack®,
and Alcatel OmniVista® are registered trademarks of Alcatel Internetworking, Inc.
OmniAccess™, Omni Switch/Router™, PolicyView™, RouterView™, SwitchManager™, VoiceView™,
WebView™, X-Cell™, X-Vision™, and the Xylan logo are trademarks of Alcatel Internetworking, Inc.
This OmniSwitch product contains components which may be covered by one or more of the following
U.S. Patents:
• U.S. Patent No. 6,339,830
• U.S. Patent No. 6,070,243
• U.S. Patent No. 6,061,368
• U.S. Patent No. 5,394,402
• U.S. Patent No. 6,047,024
• U.S. Patent No. 6,314,106
• U.S. Patent No. 6,542,507
• U.S. Patent No. 6,874,090
26801 West Agoura Road
Calabasas, CA 91301
(818) 880-3500 FAX (818) 880-3505
info@ind.alcatel.com
US Customer Support—(800) 995-2696
International Customer Support—(818) 878-4507
Internet—http://eservice.ind.alcatel.com
Contents
About This Guide ...................................................................................................... xxix
Supported Platforms ...................................................................................................... xxix
Who Should Read this Manual? ..................................................................................... xxx
When Should I Read this Manual? ................................................................................. xxx
What is in this Manual? .................................................................................................. xxx
What is Not in this Manual? .......................................................................................... xxxi
How is the Information Organized? .............................................................................. xxxi
Documentation Roadmap ............................................................................................. xxxii
Related Documentation ............................................................................................... xxxiv
User Manual CD ......................................................................................................... xxxvi
Technical Support ....................................................................................................... xxxvi
Chapter 1
Configuring Ethernet Ports ...................................................................................... 1-1
In This Chapter ................................................................................................................1-1
Ethernet Specifications ....................................................................................................1-2
Ethernet Port Defaults (All Port Types) ..........................................................................1-2
Non Combo Port Defaults ...............................................................................................1-3
Combo Ethernet Port Defaults ........................................................................................1-3
Ethernet Ports Overview .................................................................................................1-4
OmniSwitch 6800 and 6850 Series Combo Ports ....................................................1-4
Valid Port Settings on OmniSwitch 6800 Series Switches ......................................1-5
Valid Port Settings on OmniSwitch 6850 Series Switches ......................................1-5
Valid Port Settings on OmniSwitch 9000 Series Switches ......................................1-6
10/100/1000 Crossover Supported ...........................................................................1-6
Autonegotiation Guidelines ......................................................................................1-7
Setting Ethernet Parameters for All Port Types ..............................................................1-8
Setting Trap Port Link Messages .............................................................................1-8
Enabling Trap Port Link Messages ...................................................................1-8
Disabling Trap Port Link Messages ..................................................................1-8
Resetting Statistics Counters ....................................................................................1-9
Enabling and Disabling Interfaces ...........................................................................1-9
Configuring Flood Rate Limiting ...........................................................................1-10
Flood Only Rate Limiting ...............................................................................1-10
Multicast Flood Rate Limiting ........................................................................1-11
Configuring the Peak Flood Rate Value ..........................................................1-11
Configuring a Port Alias ........................................................................................1-12
Configuring Maximum Frame Sizes ......................................................................1-13
Setting Ethernet Parameters for Non Combo Ports .......................................................1-13
Setting Interface Line Speed ..................................................................................1-14
Configuring Duplex Mode .....................................................................................1-14
Configuring Inter-frame Gap Values ...............................................................1-16
Configuring Autonegotiation and Crossover Settings ...........................................1-17
Enabling and Disabling Autonegotiation ........................................................1-17
Configuring Crossover Settings ......................................................................1-17
Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches ...1-19
Setting the Combo Port Type and Mode ................................................................1-19
Setting Combo Ports to Forced Fiber ..............................................................1-19
Setting Combo Ports to Preferred Copper .......................................................1-20
Setting Combo Ports to Forced Copper ...........................................................1-20
Setting Combo Ports to Preferred Fiber ..........................................................1-21
Setting Interface Line Speed for Combo Ports .......................................................1-21
Configuring Duplex Mode for Combo Ports ..........................................................1-22
Configuring Autonegotiation and Crossover for Combo Ports ..............................1-23
Enabling and Disabling Autonegotiation for Combo Ports .............................1-23
Configuring Crossover Settings for Combo Ports ...........................................1-24
Combo Port Application Example ................................................................................1-25
Verifying Ethernet Port Configuration ..........................................................................1-27
Chapter 2
Managing Source Learning ................................................................................... 2-1
In This Chapter ................................................................................................................2-1
Source Learning Specifications .......................................................................................2-2
Source Learning Defaults ...............................................................................................2-2
Sample MAC Address Table Configuration ...................................................................2-2
MAC Address Table Overview .......................................................................................2-4
Using Static MAC Addresses ..........................................................................................2-4
Configuring Static MAC Addresses .........................................................................2-5
Static MAC Addresses on Link Aggregate Ports ..............................................2-5
Configuring MAC Address Table Aging Time ..............................................................2-6
Selecting the Source Learning Mode ..............................................................................2-7
Displaying Source Learning Information ........................................................................2-8
Chapter 3
Using 802.1s Multiple Spanning Tree .................................................................. 3-1
In This Chapter ................................................................................................................3-1
MST Specifications .........................................................................................................3-2
Spanning Tree Bridge Parameter Defaults ......................................................................3-2
Spanning Tree Port Parameter Defaults ..........................................................................3-3
MST Region Defaults .....................................................................................................3-3
MST General Overview ..................................................................................................3-4
How MSTP Works ...................................................................................................3-4
Comparing MSTP with STP and RSTP ...................................................................3-7
What is a Multiple Spanning Tree Instance (MSTI) ................................................3-7
What is a Multiple Spanning Tree Region ...............................................................3-8
What is the Common Spanning Tree .......................................................................3-9
What is the Internal Spanning Tree (IST) Instance ..................................................3-9
What is the Common and Internal Spanning Tree Instance .....................................3-9
MST Configuration Overview ......................................................................................3-10
Using Spanning Tree Configuration Commands ...................................................3-10
Understanding Spanning Tree Modes ....................................................................3-11
MST Interoperability and Migration .............................................................................3-12
Migrating from Flat Mode STP/RSTP to Flat Mode MSTP ..................................3-12
Migrating from 1x1 Mode to Flat Mode MSTP .....................................................3-13
Quick Steps for Configuring an MST Region ...............................................................3-14
Quick Steps for Configuring MSTIs .............................................................................3-16
Verifying the MST Configuration .................................................................................3-19
Chapter 4
Configuring Learned Port Security ........................................................................4-1
In This Chapter ................................................................................................................4-1
Learned Port Security Specifications ..............................................................................4-2
Learned Port Security Defaults ......................................................................................4-2
Sample Learned Port Security Configuration .................................................................4-3
Learned Port Security Overview .....................................................................................4-4
How LPS Authorizes Source MAC Addresses ........................................................4-5
Dynamic Configuration of Authorized MAC Addresses .........................................4-5
Static Configuration of Authorized MAC Addresses ..............................................4-6
Understanding the LPS Table ..................................................................................4-6
Enabling/Disabling Learned Port Security ......................................................................4-7
Configuring a Source Learning Time Limit ....................................................................4-7
Configuring the Number of MAC Addresses Allowed ...................................................4-8
Configuring Authorized MAC Addresses .......................................................................4-8
Configuring an Authorized MAC Address Range ..........................................................4-9
Selecting the Security Violation Mode .........................................................................4-10
Displaying Learned Port Security Information .............................................................4-10
Chapter 5
Configuring VLANs ....................................................................................................5-1
In This Chapter ................................................................................................................5-1
VLAN Specifications ......................................................................................................5-2
VLAN Defaults ..............................................................................................................5-2
Sample VLAN Configuration .........................................................................................5-3
VLAN Management Overview .......................................................................................5-4
Creating/Modifying VLANs ...........................................................................................5-5
Adding/Removing a VLAN .....................................................................................5-5
Enabling/Disabling the VLAN Administrative Status .............................................5-6
Modifying the VLAN Description ...........................................................................5-6
Defining VLAN Port Assignments .................................................................................5-7
Changing the Default VLAN Assignment for a Port ...............................................5-7
Configuring Dynamic VLAN Port Assignment .......................................................5-8
Configuring VLAN Rule Classification ............................................................5-8
Enabling/Disabling VLAN Mobile Tag Classification .....................................5-9
Enabling/Disabling Spanning Tree for a VLAN ...........................................................5-10
Enabling/Disabling VLAN Authentication ...................................................................5-11
Configuring VLAN Router Interfaces ..........................................................................5-11
Configuring an IPX Router Interface .....................................................................5-12
Modifying an IPX Router Interface .................................................................5-13
What is Single MAC Router Mode? ......................................................................5-13
Bridging VLANs Across Multiple Switches .................................................................5-14
Verifying the VLAN Configuration ..............................................................................5-15
Chapter 6
Configuring Spanning Tree Parameters ............................................................. 6-1
In This Chapter ................................................................................................................6-1
Spanning Tree Specifications ..........................................................................................6-2
Spanning Tree Bridge Parameter Defaults .....................................................................6-2
Spanning Tree Port Parameter Defaults ..........................................................................6-3
Multiple Spanning Tree (MST) Region Defaults ............................................................6-3
Spanning Tree Overview .................................................................................................6-4
How the Spanning Tree Topology is Calculated .....................................................6-4
Bridge Protocol Data Units (BPDU) .................................................................6-5
Topology Examples ...........................................................................................6-7
Spanning Tree Operating Modes ....................................................................................6-9
Using Flat Spanning Tree Mode ..............................................................................6-9
Using 1x1 Spanning Tree Mode .............................................................................6-10
Configuring STP Bridge Parameters .............................................................................6-12
Bridge Configuration Commands Overview ..........................................................6-12
Selecting the Bridge Protocol .................................................................................6-14
Configuring the Bridge Priority .............................................................................6-15
Configuring the Bridge Hello Time .......................................................................6-16
Configuring the Bridge Max Age Time .................................................................6-17
Configuring the Bridge Forward Delay Time ........................................................6-18
Enabling/Disabling the VLAN BPDU Switching Status .......................................6-19
Configuring the Path Cost Mode ............................................................................6-19
Using Automatic VLAN Containment ...................................................................6-20
Configuring STP Port Parameters .................................................................................6-21
Bridge Configuration Commands Overview ..........................................................6-21
Enabling/Disabling Spanning Tree on a Port .........................................................6-23
Spanning Tree on Link Aggregate Ports .........................................................6-24
Configuring Port Priority .......................................................................................6-24
Port Priority on Link Aggregate Ports .............................................................6-25
Configuring Port Path Cost ....................................................................................6-25
Path Cost for Link Aggregate Ports .................................................................6-27
Configuring Port Mode ..........................................................................................6-28
Mode for Link Aggregate Ports .......................................................................6-28
Configuring Port Connection Type ........................................................................6-29
Connection Type on Link Aggregate Ports .....................................................6-30
Sample Spanning Tree Configuration ...........................................................................6-31
Example Network Overview ..................................................................................6-31
Example Network Configuration Steps ..................................................................6-32
Verifying the Spanning Tree Configuration .................................................................6-34
Chapter 7
Assigning Ports to VLANs ........................................................................................7-1
In This Chapter ................................................................................................................7-1
Port Assignment Specifications ......................................................................................7-2
Port Assignment Defaults ..............................................................................................7-2
Sample VLAN Port Assignment .....................................................................................7-3
Statically Assigning Ports to VLANs .............................................................................7-4
Dynamically Assigning Ports to VLANs ........................................................................7-4
How Dynamic Port Assignment Works ...................................................................7-5
VLAN Mobile Tag Classification .....................................................................7-5
VLAN Rule Classification ................................................................................7-8
Configuring Dynamic VLAN Port Assignment .....................................................7-10
Enabling/Disabling Port Mobility ..........................................................................7-11
Ignoring Bridge Protocol Data Units (BPDU) ................................................7-11
Understanding Mobile Port Properties ..........................................................................7-12
What is a Configured Default VLAN? ...................................................................7-12
What is a Secondary VLAN? .................................................................................7-13
Configuring Mobile Port Properties .......................................................................7-16
Enable/Disable Default VLAN ........................................................................7-16
Enable/Disable Default VLAN Restore ..........................................................7-17
Enable/Disable Port Authentication ................................................................7-17
Enable/Disable 802.1X Port-Based Access Control .......................................7-18
Verifying VLAN Port Associations and Mobile Port Properties ..................................7-19
Understanding ‘show vlan port’ Output .................................................................7-19
Understanding ‘show vlan port mobile’ Output .....................................................7-20
Chapter 8
Configuring Port Mapping .......................................................................................8-1
In This Chapter ................................................................................................................8-1
Port Mapping Specifications ...........................................................................................8-2
Port Mapping Defaults ....................................................................................................8-2
Quick Steps for Configuring Port Mapping ....................................................................8-2
Creating/Deleting a Port Mapping Session .....................................................................8-3
Creating a Port Mapping Session .............................................................................8-3
Deleting a User/Network Port of a Session .......................................................8-3
Deleting a Port Mapping Session .............................................................................8-3
Enabling/Disabling a Port Mapping Session ...................................................................8-4
Enabling a Port Mapping Session ............................................................................8-4
Disabling a Port Mapping Session ...........................................................................8-4
Configuring a Port Mapping Direction ...........................................................................8-4
Configuring Unidirectional Port Mapping ...............................................................8-4
Restoring Bidirectional Port Mapping .....................................................................8-4
Sample Port Mapping Configuration ..............................................................................8-5
Example Port Mapping Overview ............................................................................8-5
Example Port Mapping Configuration Steps ...........................................................8-6
Verifying the Port Mapping Configuration .....................................................................8-6
Chapter 9
Defining VLAN Rules ................................................................................................. 9-1
In This Chapter ................................................................................................................9-1
VLAN Rules Specifications ............................................................................................9-2
VLAN Rules Defaults ....................................................................................................9-2
Sample VLAN Rule Configuration .................................................................................9-3
VLAN Rules Overview ...................................................................................................9-4
VLAN Rule Types ...................................................................................................9-4
DHCP Rules ......................................................................................................9-5
Binding Rules ....................................................................................................9-6
MAC Address Rules ..........................................................................................9-6
Network Address Rules .....................................................................................9-6
Protocol Rules ...................................................................................................9-6
Port Rules ..........................................................................................................9-7
Understanding VLAN Rule Precedence ..................................................................9-8
Configuring VLAN Rule Definitions ............................................................................9-11
Defining DHCP MAC Address Rules ....................................................................9-12
Defining DHCP MAC Range Rules .......................................................................9-13
Defining DHCP Port Rules ....................................................................................9-13
Defining DHCP Generic Rules ..............................................................................9-14
Defining Binding Rules ..........................................................................................9-14
How to Define a MAC-Port-IP Address Binding Rule ...................................9-15
How to Define a MAC-Port-Protocol Binding Rule .......................................9-15
How to Define a MAC-Port Binding Rule ......................................................9-16
How to Define a MAC-IP Address Binding Rule ...........................................9-16
How to Define an IP-Port Binding Rule ..........................................................9-16
How to Define a Port-Protocol Binding Rule ..................................................9-17
Defining MAC Address Rules ...............................................................................9-17
Defining MAC Range Rules ..................................................................................9-18
Defining IP Network Address Rules ......................................................................9-18
Defining IPX Network Address Rules ...................................................................9-19
Defining Protocol Rules .........................................................................................9-20
Defining Port Rules ................................................................................................9-21
Application Example: DHCP Rules ..............................................................................9-22
The VLANs .....................................................................................................9-22
DHCP Servers and Clients ..............................................................................9-22
Verifying VLAN Rule Configuration ...........................................................................9-25
Chapter 10
Using Interswitch Protocols ...................................................................................10-1
In This Chapter ..............................................................................................................10-1
AIP Specifications .........................................................................................................10-2
AMAP Defaults ............................................................................................................10-2
AMAP Overview ..........................................................................................................10-3
AMAP Transmission States ...................................................................................10-3
Discovery Transmission State .........................................................................10-4
Common Transmission State ...........................................................................10-4
Passive Reception State ...................................................................................10-4
Common Transmission and Remote Switches .......................................................10-5
Configuring AMAP .......................................................................................................10-5
Enabling or Disabling AMAP ................................................................................10-5
Configuring the AMAP Discovery Time-out Interval ...........................................10-5
Configuring the AMAP Common Time-out Interval .............................................10-6
Displaying AMAP Information ..............................................................................10-7
Chapter 11
Configuring 802.1Q .................................................................................................11-1
In This Chapter ...............................................................................................................11-1
802.1Q Specifications ...................................................................................................11-2
802.1Q Defaults Table ..................................................................................................11-2
802.1Q Overview ..........................................................................................................11-3
Configuring an 802.1Q VLAN .....................................................................................11-5
Enabling Tagging on a Port ....................................................................................11-5
Enabling Tagging with Link Aggregation .............................................................11-5
Configuring the Frame Type ..................................................................................11-6
Show 802.1Q Information ......................................................................................11-7
Application Example .....................................................................................................11-8
Verifying 802.1Q Configuration .................................................................................11-10
Chapter 12
Configuring IP ...........................................................................................................12-1
In This Chapter ..............................................................................................................12-1
IP Specifications ............................................................................................................12-2
IP Defaults .....................................................................................................................12-2
Quick Steps for Configuring IP Forwarding .................................................................12-3
IP Overview ..................................................................................................................12-4
IP Protocols ............................................................................................................12-4
Transport Protocols .........................................................................................12-4
Application-Layer Protocols ...........................................................................12-4
Additional IP Protocols ...................................................................................12-5
IP Forwarding ................................................................................................................12-6
Configuring an IP Router Interface ........................................................................12-7
Modifying an IP Router Interface ....................................................................12-8
Removing an IP Router Interface ....................................................................12-8
Configuring a Loopback0 Interface .......................................................................12-9
Loopback0 Address Advertisement ................................................................12-9
Configuring a BGP Peer Session with Loopback0 ..........................................12-9
Creating a Static Route .........................................................................................12-10
Creating a Default Route ......................................................................................12-10
Configuring Address Resolution Protocol (ARP) ................................................12-11
Adding a Permanent Entry to the ARP Table ...............................................12-11
Deleting a Permanent Entry from the ARP Table .........................................12-12
Clearing a Dynamic Entry from the ARP Table ...........................................12-12
Local Proxy ARP ...........................................................................................12-12
ARP Filtering ................................................................................................12-13
IP Configuration ..........................................................................................................12-14
Configuring the Router Primary Address .............................................................12-14
Configuring the Router ID ...................................................................................12-14
Configuring the Time-to-Live (TTL) Value ........................................................12-14
IP-Directed Broadcasts .........................................................................................12-14
Denial of Service (DoS) Filtering ........................................................................12-15
Enabling/Disabling IP Services ............................................................................12-18
Managing IP ................................................................................................................12-20
Internet Control Message Protocol (ICMP) .........................................................12-20
ICMP Control Table ......................................................................................12-23
ICMP Statistics Table ....................................................................................12-23
Using the Ping Command ....................................................................................12-23
Tracing an IP Route ..............................................................................................12-24
Displaying TCP Information ................................................................................12-24
Displaying UDP Information ...............................................................................12-24
Verifying the IP Configuration ...................................................................................12-25
Chapter 13
Configuring Static Link Aggregation ...................................................................13-1
In This Chapter ..............................................................................................................13-1
Static Link Aggregation Specifications ........................................................................13-2
Static Link Aggregation Default Values .......................................................................13-2
Quick Steps for Configuring Static Link Aggregation .................................................13-3
Static Link Aggregation Overview ...............................................................................13-5
Static Link Aggregation Operation ........................................................................13-5
Relationship to Other Features ...............................................................................13-6
Configuring Static Link Aggregation Groups ...............................................................13-7
Configuring Mandatory Static Link Aggregate Parameters ...................................13-7
Creating and Deleting a Static Link Aggregate Group ..........................................13-8
Creating a Static Aggregate Group ..................................................................13-8
Deleting a Static Aggregate Group ..................................................................13-8
Adding and Deleting Ports in a Static Aggregate Group .......................................13-9
Adding Ports to a Static Aggregate Group ......................................................13-9
Removing Ports from a Static Aggregate Group .............................................13-9
Modifying Static Aggregation Group Parameters .......................................................13-10
Modifying the Static Aggregate Group Name .....................................................13-10
Creating a Static Aggregate Group Name .....................................................13-10
Deleting a Static Aggregate Group Name .....................................................13-10
Modifying the Static Aggregate Group Administrative State ..............................13-10
Enabling the Static Aggregate Group Administrative State ..........................13-10
Disabling the Static Aggregate Group Administrative State .........................13-10
Application Example ...................................................................................................13-11
Displaying Static Link Aggregation Configuration and Statistics ..............................13-12
Chapter 14
Configuring Dynamic Link Aggregation ............................................................14-1
In This Chapter ..............................................................................................................14-1
Dynamic Link Aggregation Specifications ...................................................................14-2
Dynamic Link Aggregation Default Values .................................................................14-3
Quick Steps for Configuring Dynamic Link Aggregation ............................................14-4
Dynamic Link Aggregation Overview ..........................................................................14-7
Dynamic Link Aggregation Operation ...................................................................14-7
Relationship to Other Features ...............................................................................14-9
Configuring Dynamic Link Aggregate Groups ...........................................................14-10
Configuring Mandatory Dynamic Link Aggregate Parameters ...........................14-10
Creating and Deleting a Dynamic Aggregate Group ...........................................14-11
Creating a Dynamic Aggregate Group ..........................................................14-11
Deleting a Dynamic Aggregate Group ..........................................................14-11
Configuring Ports to Join and Removing Ports in a Dynamic Aggregate Group ............14-12
Configuring Ports To Join a Dynamic Aggregate Group ..............................14-12
Removing Ports from a Dynamic Aggregate Group .....................................14-13
Modifying Dynamic Link Aggregate Group Parameters ............................................14-14
Modifying Dynamic Aggregate Group Parameters .............................................14-14
Modifying the Dynamic Aggregate Group Name .........................................14-14
Modifying the Dynamic Aggregate Group Administrative State ..................14-15
Configuring and Deleting the Dynamic Aggregate Group Actor Administrative Key ....14-15
Modifying the Dynamic Aggregate Group Actor System Priority ...............14-16
Modifying the Dynamic Aggregate Group Actor System ID .......................14-16
Modifying the Dynamic Aggregate Group Partner Administrative Key ......14-17
Modifying the Dynamic Aggregate Group Partner System Priority .............14-17
Modifying the Dynamic Aggregate Group Partner System ID .....................14-18
Modifying Dynamic Link Aggregate Actor Port Parameters ..............................14-18
Modifying the Actor Port System Administrative State ................................14-19
Modifying the Actor Port System ID ............................................................14-20
Modifying the Actor Port System Priority ....................................................14-21
Modifying the Actor Port Priority .................................................................14-22
Modifying Dynamic Aggregate Partner Port Parameters ....................................14-23
Modifying the Partner Port System Administrative State .............................14-23
Modifying the Partner Port Administrative Key ...........................................14-25
Modifying the Partner Port System ID ..........................................................14-25
Modifying the Partner Port System Priority ..................................................14-26
Modifying the Partner Port Administrative Status ........................................14-27
Modifying the Partner Port Priority ...............................................................14-27
Application Examples .................................................................................................14-29
Sample Network Overview ..................................................................................14-29
Link Aggregation and Spanning Tree Example ...................................................14-30
Link Aggregation and QoS Example ...................................................................14-31
Displaying Dynamic Link Aggregation Configuration and Statistics ........................14-33
Chapter 15
Configuring IPv6 ........................................................................................................15-1
In This Chapter ..............................................................................................................15-1
IPv6 Specifications ........................................................................................................15-2
IPv6 Defaults ..................................................................................................................15-2
Quick Steps for Configuring IPv6 Routing ...................................................................15-3
IPv6 Overview ..............................................................................................................15-4
IPv6 Addressing .....................................................................................................15-5
IPv6 Address Notation ....................................................................................15-5
IPv6 Address Prefix Notation ..........................................................................15-6
Autoconfiguration of IPv6 Addresses .............................................................15-6
Tunneling IPv6 over IPv4 ......................................................................................15-7
6to4 Tunnels ....................................................................................................15-7
Configured Tunnels .........................................................................................15-9
Configuring an IPv6 Interface .....................................................................................15-10
Modifying an IPv6 Interface ................................................................................15-11
Removing an IPv6 Interface .................................................................................15-11
Assigning IPv6 Addresses ...........................................................................................15-12
Removing an IPv6 Address ..................................................................................15-13
Configuring IPv6 Tunnel Interfaces ............................................................................15-14
Verifying the IPv6 Configuration ...............................................................................15-15
Chapter 16
Configuring RIP ..........................................................................................................16-1
In This Chapter ..............................................................................................................16-1
RIP Specifications .........................................................................................................16-2
RIP Defaults ...................................................................................................................16-2
Quick Steps for Configuring RIP Routing ....................................................................16-3
RIP Overview ................................................................................................................16-4
RIP Version 2 .........................................................................................................16-5
RIP Routing ...................................................................................................................16-5
Loading RIP ...........................................................................................................16-6
Enabling RIP ..........................................................................................................16-6
Creating a RIP Interface .........................................................................................16-7
Enabling a RIP Interface ........................................................................................16-7
Configuring the RIP Interface Send Option ....................................................16-7
Configuring the RIP Interface Receive Option ...............................................16-8
Configuring the RIP Interface Metric ..............................................................16-8
Configuring the RIP Interface Route Tag .......................................................16-8
RIP Options ...................................................................................................................16-9
Configuring the RIP Forced Hold-Down Interval ..................................................16-9
Enabling a RIP Host Route ....................................................................................16-9
RIP Redistribution .......................................................................................................16-10
Enabling RIP Redistribution ................................................................................16-10
Configuring a RIP Redistribution Policy .............................................................16-10
Configuring a Redistribution Metric .............................................................16-11
Configuring a RIP Redistribution Filter ...............................................................16-11
Creating a Redistribution Filter .....................................................................16-12
Configuring a Redistribution Filter Action ...................................................16-12
Configuring a Redistribution Filter Metric ....................................................16-13
Configuring the Redistribution Filter Route Control Action ........................16-13
Configuring a Redistribution Filter Route Tag .............................................16-13
RIP Security ................................................................................................................16-14
Configuring Authentication Type ........................................................................16-14
Configuring Passwords ........................................................................................16-14
Verifying the RIP Configuration .................................................................................16-15
Chapter 17
Configuring RDP .......................................................................................................17-1
In This Chapter ..............................................................................................................17-1
RDP Specifications .......................................................................................................17-2
RDP Defaults ................................................................................................................17-2
Quick Steps for Configuring RDP ................................................................................17-3
RDP Overview ..............................................................................................................17-5
RDP Interfaces .......................................................................................................17-6
Security Concerns ..................................................................................................17-7
Enabling/Disabling RDP ...............................................................................................17-8
Creating an RDP Interface ............................................................................................17-8
Specifying an Advertisement Destination Address ................................................17-9
Defining the Advertisement Interval ......................................................................17-9
Setting the Maximum Advertisement Interval ................................................17-9
Setting the Minimum Advertisement Interval ...............................................17-10
Setting the Advertisement Lifetime .....................................................................17-10
Setting the Preference Levels for Router IP Addresses .......................................17-10
Verifying the RDP Configuration ...............................................................................17-11
Chapter 18
Configuring DHCP Relay .........................................................................................18-1
In This Chapter ..............................................................................................................18-1
DHCP Relay Specifications ..........................................................................................18-2
DHCP Relay Defaults ...................................................................................................18-3
Quick Steps for Setting Up DHCP Relay .....................................................................18-4
DHCP Relay Overview .................................................................................................18-5
DHCP .....................................................................................................................18-6
DHCP and the OmniSwitch ...................................................................................18-6
DHCP Relay and Authentication ...........................................................................18-6
External DHCP Relay Application ........................................................................18-7
Internal DHCP Relay .............................................................................................18-8
DHCP Relay Implementation .......................................................................................18-9
Global DHCP .........................................................................................................18-9
Setting the IP Address .....................................................................................18-9
Per-VLAN DHCP ..................................................................................................18-9
Identifying the VLAN .....................................................................................18-9
Configuring BOOTP/DHCP Relay Parameters ...................................................18-10
Setting the Forward Delay ....................................................................................18-10
Setting Maximum Hops .......................................................................................18-11
Setting the Relay Forwarding Option ...................................................................18-11
Using Automatic IP Configuration .............................................................................18-12
Enabling Automatic IP Configuration ..................................................................18-12
Configuring DHCP Security Features .........................................................................18-13
Using the Relay Agent Information Option (Option-82) .....................................18-13
How the Relay Agent Processes DHCP Packets from the Client .................18-13
How the Relay Agent Processes DHCP Packets from the Server .................18-14
Enabling the Relay Agent Information Option-82 ........................................18-14
Configuring a Relay Agent Information Option-82 Policy ...........................18-15
Using DHCP Snooping ........................................................................................18-15
DHCP Snooping Configuration Guidelines ..................................................18-16
Enabling DHCP Snooping .............................................................................18-17
Configuring the Port Trust Mode ..................................................................18-18
Configuring the Port Traffic Suppression Status ...........................................18-19
Configuring Port IP Source Filtering ............................................................18-19
Configuring Rate Limiting ............................................................................18-19
Configuring the DHCP Snooping Binding Table ..........................................18-20
Verifying the DHCP Relay Configuration ..................................................................18-22
Chapter 19
Configuring VRRP ......................................................................................................19-1
In This Chapter ..............................................................................................................19-1
VRRP Specifications .....................................................................................................19-2
VRRP Defaults ..............................................................................................................19-2
Quick Steps for Creating a Virtual Router ....................................................................19-3
VRRP Overview ............................................................................................................19-4
Why Use VRRP? ....................................................................................................19-5
Definition of a Virtual Router ................................................................................19-5
VRRP MAC Addresses ..........................................................................................19-6
ARP Requests ..................................................................................................19-6
ICMP Redirects ...............................................................................................19-6
VRRP Startup Delay ..............................................................................................19-6
VRRP Tracking ......................................................................................................19-7
Interaction With Other Features ....................................................................................19-7
Configuration Overview ................................................................................................19-8
Basic Virtual Router Configuration .......................................................................19-8
Creating a Virtual Router .......................................................................................19-8
Specifying an IP Address for a Virtual Router ......................................................19-9
Configuring the Advertisement Interval ..............................................................19-10
Configuring Virtual Router Priority .....................................................................19-10
Setting Preemption for Virtual Routers ................................................................19-11
Enabling/Disabling a Virtual Router ....................................................................19-11
Setting VRRP Traps .............................................................................................19-12
Setting VRRP Startup Delay ................................................................................19-12
Creating Tracking Policies ...................................................................................19-13
Associating a Tracking Policy With a Virtual Router ..........................................19-13
Verifying the VRRP Configuration ............................................................................19-14
VRRP Application Example .......................................................................................19-15
VRRP Tracking Example .....................................................................................19-17
Chapter 20
Configuring IPX .........................................................................................................20-1
In This Chapter ..............................................................................................................20-1
IPX Specifications .........................................................................................................20-2
IPX Defaults ..................................................................................................................20-2
Quick Steps for Configuring IPX Routing ....................................................................20-3
IPX Overview ................................................................................................................20-4
IPX Routing ..................................................................................................................20-6
Enabling IPX Routing ............................................................................................20-6
Creating an IPX Router Port ..................................................................................20-6
IPX Router Port Configuration Options ..........................................................20-7
Creating/Deleting a Default Route .........................................................................20-7
Creating/Deleting Static Routes .............................................................................20-8
Configuring Type-20 Packet Forwarding ..............................................................20-8
Configuring Extended RIP and SAP Packets .........................................................20-9
Configuring RIP and SAP Timers ..........................................................................20-9
Using the PING Command ..................................................................................20-10
IPX RIP/SAP Filtering ................................................................................................20-11
Configuring RIP Filters ........................................................................................20-12
Configuring SAP Filters .......................................................................................20-12
Configuring GNS Filters .......................................................................................20-13
IPX RIP/SAP Filter Precedence ....................................................................20-14
Flushing the IPX RIP/SAP Tables .......................................................................20-14
Verifying the IPX Configuration ................................................................................20-15
Chapter 21
Managing Authentication Servers .......................................................................21-1
In This Chapter ..............................................................................................................21-1
Authentication Server Specifications ............................................................................21-2
Server Defaults ..............................................................................................................21-3
RADIUS Authentication Servers ...........................................................................21-3
LDAP Authentication Servers ................................................................................21-3
Quick Steps For Configuring Authentication Servers ..................................................21-4
Server Overview ............................................................................................................21-5
Backup Authentication Servers ..............................................................................21-5
Authenticated Switch Access .................................................................................21-5
Authenticated VLANs ............................................................................................21-6
Port-Based Network Access Control (802.1X) ......................................................21-7
ACE/Server ...................................................................................................................21-8
Clearing an ACE/Server Secret ..............................................................................21-8
RADIUS Servers ...........................................................................................................21-9
RADIUS Server Attributes .....................................................................................21-9
Standard Attributes ..........................................................................................21-9
Vendor-Specific Attributes for RADIUS ......................................................21-11
Configuring Functional Privileges on the Server ..........................................21-12
RADIUS Accounting Server Attributes ........................................................21-13
Configuring the RADIUS Client ..........................................................................21-14
LDAP Servers .............................................................................................................21-15
Setting Up the LDAP Authentication Server .......................................................21-15
LDAP Server Details ............................................................................................21-16
LDIF File Structure .......................................................................................21-16
Common Entries ............................................................................................21-16
Directory Entries ...........................................................................................21-17
Directory Searches .........................................................................................21-18
Retrieving Directory Search Results .............................................................21-18
Directory Modifications ................................................................................21-18
Directory Compare and Sort ..........................................................................21-19
The LDAP URL ............................................................................................21-19
Password Policies and Directory Servers ......................................................21-20
Directory Server Schema for LDAP Authentication ............................................21-21
Vendor-Specific Attributes for LDAP Servers ..............................................21-21
LDAP Accounting Attributes ........................................................................21-22
Dynamic Logging ..........................................................................................21-24
Configuring the LDAP Authentication Client .....................................................21-25
Creating an LDAP Authentication Server .....................................................21-26
Modifying an LDAP Authentication Server ..................................................21-26
Setting Up SSL for an LDAP Authentication Server ....................................21-26
Removing an LDAP Authentication Server ..................................................21-27
Verifying the Authentication Server Configuration ....................................................21-27
Chapter 22
Configuring Authenticated VLANs ......................................................................22-1
In This Chapter ..............................................................................................................22-1
Authenticated Network Overview .................................................................................22-2
AVLAN Configuration Overview .................................................................................22-4
Sample AVLAN Configuration .............................................................................22-5
Setting Up Authentication Clients ................................................................................22-7
Telnet Authentication Client ..................................................................................22-7
Web Browser Authentication Client ......................................................................22-7
Configuring the Web Browser Client Language File ......................................22-8
Required Files for Web Browser Clients .........................................................22-8
SSL for Web Browser Clients .......................................................................22-11
DNS Name and Web Browser Clients ..........................................................22-11
Installing the AV-Client .......................................................................................22-12
Loading the Microsoft DLC Protocol Stack ..................................................22-12
Loading the AV-Client Software ...................................................................22-13
Setting the AV-Client as Primary Network Login ........................................22-18
Configuring the AV-Client Utility ................................................................22-18
Logging Into the Network Through an AV-Client ........................................22-21
Logging Off the AV-Client ...........................................................................22-22
Configuring the AV-Client for DHCP .................................................................22-23
Configuring Authenticated VLANs ............................................................................22-26
Removing a User From an Authenticated Network .............................................22-26
Configuring Authentication IP Addresses ............................................................22-27
Setting Up the Default VLAN for Authentication Clients ...................................22-27
Port Binding and Authenticated VLANs .............................................................22-28
Configuring Authenticated Ports .................................................................................22-28
Setting Up a DNS Path ................................................................................................22-29
Setting Up the DHCP Server .......................................................................................22-29
Enabling DHCP Relay for Authentication Clients ...............................................22-30
Configuring a DHCP Gateway for the Relay .......................................................22-31
Configuring the Server Authority Mode .....................................................................22-32
Configuring Single Mode .....................................................................................22-32
Configuring Multiple Mode .................................................................................22-34
Specifying Accounting Servers ...................................................................................22-35
Verifying the AVLAN Configuration .........................................................................22-36
Chapter 23
Configuring 802.1X ..................................................................................................23-1
In This Chapter ..............................................................................................................23-1
802.1X Specifications ...................................................................................................23-2
802.1X Defaults ............................................................................................................23-2
Quick Steps for Configuring 802.1X ............................................................................23-4
802.1X Overview ..........................................................................................................23-6
Supplicant Classification ........................................................................................23-6
802.1X Ports and DHCP ..................................................................................23-7
Re-authentication .............................................................................................23-7
802.1X Accounting ................................................................................................23-8
Compared to Authenticated VLANs ......................................................................23-8
Using Access Guardian Policies ...................................................................................23-9
Policy Types ...........................................................................................................23-9
Setting Up Port-Based Network Access Control ........................................................23-11
Setting 802.1X Switch Parameters .......................................................................23-11
Enabling MAC Authentication on the OmniSwitch 6800 and 6850 .............23-11
Enabling 802.1X on Ports ....................................................................................23-11
Configuring 802.1X Port Parameters ...................................................................23-12
Configuring the Port Control Direction .........................................................23-12
Configuring the Port Authorization ...............................................................23-12
Configuring 802.1X Port Timeouts ...............................................................23-12
Configuring the Maximum Number of Requests ..........................................23-13
Re-authenticating an 802.1X Port .................................................................23-13
Initializing an 802.1X Port ............................................................................23-13
Configuring Accounting for 802.1X ....................................................................23-14
Configuring Access Guardian Policies .......................................................................23-14
Verifying the 802.1X Port Configuration ...................................................................23-19
Chapter 24
Managing Policy Servers ....................................................................................... 24-1
In This Chapter ..............................................................................................................24-1
Policy Server Specifications .........................................................................................24-2
Policy Server Defaults ...................................................................................................24-2
Policy Server Overview ................................................................................................24-3
Installing the LDAP Policy Server ................................................................................24-3
Modifying Policy Servers .............................................................................................24-4
Modifying LDAP Policy Server Parameters ..........................................................24-4
Disabling the Policy Server From Downloading Policies ......................................24-4
Modifying the Port Number ...................................................................................24-5
Modifying the Policy Server Username and Password ..........................................24-5
Modifying the Searchbase ......................................................................................24-5
Configuring a Secure Socket Layer for a Policy Server ........................................24-6
Loading Policies From an LDAP Server ................................................................24-6
Removing LDAP Policies From the Switch ..........................................................24-6
Interaction With CLI Policies ................................................................................24-7
Verifying the Policy Server Configuration ...................................................................24-7
Chapter 25
Using ACL Manager ................................................................................................. 25-1
In This Chapter ..............................................................................................................25-1
ACLMAN Defaults .......................................................................................................25-2
Quick Steps for Creating ACLs ....................................................................................25-3
Quick Steps for Importing ACL Text Files .................................................................. 25-4
ACLMAN Overview .................................................................................................... 25-5
ACLMAN Configuration File ............................................................................... 25-5
ACL Text Files ...................................................................................................... 25-6
ACL Precedence .................................................................................................... 25-6
Interaction With the Alcatel CLI ........................................................................... 25-6
Using the ACLMAN Shell ........................................................................................... 25-7
ACLMAN Modes and Commands ............................................................................... 25-8
Privileged Exec Mode Commands ........................................................................ 25-8
Global Configuration Mode Commands ............................................................... 25-9
Interface Configuration Mode Commands .......................................................... 25-11
Access List Configuration Mode Commands ..................................................... 25-12
Time Range Configuration Mode Commands .................................................... 25-14
ACLMAN User Privileges .................................................................................. 25-14
Supported Protocols and Services .............................................................................. 25-15
Configuring ACLs ...................................................................................................... 25-16
ACL Configuration Methods and Guidelines ..................................................... 25-16
Configuring Numbered Standard and Extended ACLs ....................................... 25-17
Configuring Named Standard and Extended ACLs ............................................ 25-19
Applying an ACL to an Interface ........................................................................ 25-20
Saving the ACL Configuration ........................................................................... 25-20
Editing the ACLMAN Configuration File .......................................................... 25-20
Importing ACL Text Files ................................................................................... 25-21
Verifying the ACLMAN Configuration ..................................................................... 25-22
Using Alcatel CLI to Display ACLMAN Policies .............................................. 25-22
Chapter 26
Configuring QoS ...................................................................................................... 26-1
In This Chapter ............................................................................................................. 26-1
QoS Specifications ....................................................................................................... 26-2
QoS General Overview ................................................................................................ 26-3
QoS Policy Overview ................................................................................................... 26-4
How Policies Are Used ......................................................................................... 26-4
Valid Policies ........................................................................................................ 26-4
Interaction With Other Features ................................................................................... 26-5
Condition Combinations .............................................................................................. 26-6
Action Combinations ................................................................................................... 26-8
QoS Defaults ................................................................................................................ 26-9
Global QoS Defaults ............................................................................................. 26-9
QoS Port Defaults ................................................................................................ 26-10
Policy Rule Defaults ............................................................................................ 26-10
Policy Action Defaults ........................................................................................ 26-11
Default (Built-in) Policies ................................................................................... 26-11
QoS Configuration Overview .................................................................................... 26-12
Configuring Global QoS Parameters ......................................................................... 26-13
Enabling/Disabling QoS ...................................................................................... 26-13
Setting the Global Default Dispositions ...............................................................26-13
Setting the Global Default Servicing Mode .........................................................26-14
Using the QoS Log ...............................................................................................26-14
What Kind of Information Is Logged ............................................................26-14
Number of Lines in the QoS Log ..................................................................26-15
Log Detail Level ............................................................................................26-15
Forwarding Log Events .................................................................................26-15
Forwarding Log Events to the Console .........................................................26-16
Displaying the QoS Log ................................................................................26-16
Clearing the QoS Log ....................................................................................26-17
Classifying Bridged Traffic as Layer 3 ................................................................26-17
Setting the Statistics Interval ................................................................................26-17
Returning the Global Configuration to Defaults ..................................................26-17
Verifying Global Settings .....................................................................................26-18
QoS Ports and Queues .................................................................................................26-19
Shared Queues ......................................................................................................26-19
Prioritizing and Queue Mapping ..........................................................................26-19
Configuring Queuing Schemes ............................................................................26-20
Configuring the Servicing Mode for a Port ...................................................26-21
Configuring the Egress Queue Minimum/Maximum Bandwidth ........................26-22
Trusted and Untrusted Ports .................................................................................26-22
Configuring Trusted Ports .............................................................................26-23
Using Trusted Ports With Policies ................................................................26-23
Verifying the QoS Port and Queue Configuration ...............................................26-24
Creating Policies .........................................................................................................26-25
Quick Steps for Creating Policies ........................................................................26-25
ASCII-File-Only Syntax ......................................................................................26-26
Creating Policy Conditions ..................................................................................26-27
Removing Condition Parameters ...................................................................26-28
Deleting Policy Conditions ...........................................................................26-28
Creating Policy Actions .......................................................................................26-28
Removing Action Parameters ........................................................................26-29
Deleting a Policy Action ...............................................................................26-29
Creating Policy Rules ...........................................................................................26-29
Configuring a Rule Validity Period ...............................................................26-30
Disabling Rules .............................................................................................26-30
Rule Precedence ............................................................................................26-31
Saving Rules ..................................................................................................26-31
Logging Rules ...............................................................................................26-32
Deleting Rules ...............................................................................................26-32
Verifying Policy Configuration ............................................................................26-32
Testing Conditions ...............................................................................................26-33
Using Condition Groups in Policies ............................................................................26-35
ACLs ....................................................................................................................26-35
Sample Group Configuration ...............................................................................26-35
Creating Network Groups ....................................................................................26-36
Creating Services ..................................................................................................26-37
Creating Service Groups ......................................................................................26-38
Creating MAC Groups .........................................................................................26-39
Creating Port Groups ............................................................................................26-40
Port Groups and Maximum Bandwidth .........................................................26-41
Verifying Condition Group Configuration ...........................................................26-43
Using Map Groups ......................................................................................................26-44
Sample Map Group Configuration .......................................................................26-44
How Map Groups Work .......................................................................................26-45
Creating Map Groups ...........................................................................................26-45
Verifying Map Group Configuration ...................................................................26-46
Applying the Configuration ........................................................................................26-47
Deleting the Pending Configuration ..............................................................26-48
Flushing the Configuration ............................................................................26-48
Interaction With LDAP Policies ..........................................................................26-49
Verifying the Applied Policy Configuration ........................................................26-49
Policy Applications .....................................................................................................26-50
Basic QoS Policies ...............................................................................................26-50
Basic Commands ...........................................................................................26-51
Traffic Prioritization Example .......................................................................26-51
Bandwidth Shaping Example ........................................................................26-52
Redirection Policies ..............................................................................................26-52
ICMP Policy Example ..........................................................................................26-53
802.1p and ToS/DSCP Marking and Mapping ....................................................26-53
Policy Based Routing ...........................................................................................26-55
Chapter 27
Configuring ACLs ......................................................................................................27-1
In This Chapter ..............................................................................................................27-1
ACL Specifications .......................................................................................................27-2
ACL Defaults ................................................................................................................27-3
Quick Steps for Creating ACLs ....................................................................................27-4
ACL Overview ..............................................................................................................27-5
Rule Precedence .....................................................................................................27-6
How Precedence is Determined .......................................................................27-6
Interaction With Other Features .............................................................................27-6
Valid Combinations ................................................................................................27-6
ACL Configuration Overview .......................................................................................27-7
Setting the Global Disposition ......................................................................................27-7
Creating Condition Groups For ACLs ..........................................................................27-8
Configuring ACLs .........................................................................................................27-8
Creating Policy Conditions For ACLs ...................................................................27-9
Creating Policy Actions For ACLs ........................................................................27-9
Creating Policy Rules for ACLs ...........................................................................27-10
Layer 2 ACLs .......................................................................................................27-10
Layer 2 ACL Example ...................................................................................27-11
Layer 3 ACLs .......................................................................................................27-11
Layer 3 ACL: Example 1 ..............................................................................27-12
Layer 3 ACL: Example 2 ..............................................................................27-12
Multicast Filtering ACLs .....................................................................................27-12
Using ACL Security Features .....................................................................................27-14
Configuring a UserPorts Group ............................................................................27-14
Configuring UserPort Traffic Types and Port Behavior ...............................27-15
Configuring a DropServices Group ......................................................................27-15
Configuring a BPDUShutdownPorts Group ........................................................27-16
Configuring ICMP Drop Rules ............................................................................27-17
Configuring TCP Connection Rules ....................................................................27-17
Verifying the ACL Configuration ...............................................................................27-18
ACL Application Example ..........................................................................................27-20
Chapter 28
Configuring IP Multicast Switching ..................................................................... 28-1
In This Chapter ..............................................................................................................28-1
IPMS Specifications ......................................................................................................28-3
IPMSv6 Specifications ..................................................................................................28-3
IPMS Default Values ....................................................................................................28-4
IPMSv6 Default Values ................................................................................................28-4
IPMS Overview .............................................................................................................28-5
IPMS Example .......................................................................................................28-5
Reserved IP Multicast Addresses ...........................................................................28-6
IP Multicast Routing ..............................................................................................28-6
PIM ..................................................................................................................28-7
DVMRP ...........................................................................................................28-7
IGMP Version 3 ..............................................................................................28-7
Configuring IPMS on a Switch .....................................................................................28-8
Enabling and Disabling IP Multicast Status ...........................................................28-8
Enabling IP Multicast Status ...........................................................................28-8
Disabling IP Multicast Status ..........................................................................28-8
Configuring and Restoring the IGMP Version ......................................................28-9
Configuring the IGMP Version .......................................................................28-9
Restoring the IGMP Version ...........................................................................28-9
Configuring and Removing an IGMP Static Neighbor ..........................................28-9
Configuring an IGMP Static Neighbor ............................................................28-9
Removing an IGMP Static Neighbor ............................................................28-10
Configuring and Removing an IGMP Static Querier ...........................................28-10
Configuring an IGMP Static Querier ............................................................28-10
Removing an IGMP Static Querier ...............................................................28-10
Configuring and Removing an IGMP Static Group .............................................28-11
Configuring an IGMP Static Group ..............................................................28-11
Removing an IGMP Static Group .................................................................28-11
Modifying IPMS Parameters .......................................................................................28-12
Modifying the IGMP Query Interval ...................................................................28-12
Configuring the IGMP Query Interval ..........................................................28-12
Restoring the IGMP Query Interval ..............................................................28-12
Modifying the IGMP Last Member Query Interval .............................................28-12
Configuring the IGMP Last Member Query Interval ....................................28-13
Restoring the IGMP Last Member Query Interval ........................................28-13
Modifying the IGMP Query Response Interval ...................................................28-13
Configuring the IGMP Query Response Interval ..........................................28-13
Restoring the IGMP Query Response Interval ..............................................28-14
Modifying the IGMP Router Timeout .................................................................28-14
Configuring the IGMP Router Timeout ........................................................28-14
Restoring the IGMP Router Timeout ............................................................28-14
Modifying the Source Timeout ............................................................................28-15
Configuring the Source Timeout ...................................................................28-15
Restoring the Source Timeout .......................................................................28-15
Enabling and Disabling IGMP Querying .............................................................28-15
Enabling the IGMP Querying ........................................................................28-16
Disabling the IGMP Querying .......................................................................28-16
Modifying the IGMP Robustness Variable ..........................................................28-16
Configuring the IGMP Robustness variable ..................................................28-16
Restoring the IGMP Robustness Variable .....................................................28-17
Enabling and Disabling the IGMP Spoofing ........................................................28-17
Enabling the IGMP Spoofing ........................................................................28-17
Disabling the IGMP Spoofing .......................................................................28-17
Enabling and Disabling the IGMP Zapping .........................................................28-18
Enabling the IGMP Zapping .........................................................................28-18
Disabling the IGMP Zapping ........................................................................28-18
IPMSv6 Overview .......................................................................................................28-19
IPMSv6 Example .................................................................................................28-19
Reserved IPv6 Multicast Addresses .....................................................................28-20
MLD version 2 .....................................................................................................28-20
Configuring IPMSv6 on a Switch ...............................................................................28-21
Enabling and Disabling IPv6 Multicast Status .....................................................28-21
Enabling IPv6 Multicast Status .....................................................................28-21
Disabling IPv6 Multicast Status ....................................................................28-21
Configuring and Restoring the MLD Version ......................................................28-22
Configuring the MLD Version 2 ...................................................................28-22
Restoring the MLD Version 1 .......................................................................28-22
Configuring and Removing an MLD Static Neighbor .........................................28-22
Configuring an MLD Static Neighbor ...........................................................28-22
Removing an MLD Static Neighbor ..............................................................28-23
Configuring and Removing an MLD Static Querier ............................................28-23
Configuring an MLD Static Querier ..............................................................28-23
Removing an MLD Static Querier ................................................................28-23
Configuring and Removing an MLD Static Group ..............................................28-24
Configuring an MLD Static Group ................................................................28-24
Removing an MLD Static Group ..................................................................28-24
Modifying IPMSv6 Parameters ...................................................................................28-25
Modifying the MLD Query Interval .....................................................................28-25
Configuring the MLD Query Interval ...........................................................28-25
Restoring the MLD Query Interval ...............................................................28-25
Modifying the MLD Last Member Query Interval ..............................................28-25
Configuring the MLD Last Member Query Interval .....................................28-25
Restoring the MLD Last Member Query Interval .........................................28-26
Modifying the MLD Query Response Interval ....................................................28-26
Configuring the MLD Query Response Interval ...........................................28-26
Restoring the MLD Query Response Interval ...............................................28-26
Modifying the MLD Router Timeout ...................................................................28-27
Configuring the MLD Router Timeout .........................................................28-27
Restoring the MLD Router Timeout .............................................................28-27
Modifying the Source Timeout ............................................................................28-27
Configuring the Source Timeout ...................................................................28-28
Restoring the Source Timeout .......................................................................28-28
Enabling and Disabling the MLD Querying ........................................................28-28
Enabling the MLD Querying .........................................................................28-28
Disabling the MLD Querying ........................................................................28-28
Modifying the MLD Robustness Variable ...........................................................28-29
Configuring the MLD Robustness Variable ..................................................28-29
Restoring the MLD Robustness Variable ......................................................28-29
Enabling and Disabling the MLD Spoofing .........................................................28-30
Enabling the MLD Spoofing .........................................................................28-30
Disabling the MLD Spoofing ........................................................................28-30
Enabling and Disabling the MLD Zapping ..........................................................28-30
Enabling the MLD Zapping ...........................................................................28-31
Disabling the MLD Zapping .........................................................................28-31
IPMS Application Example ........................................................................................28-32
IPMSv6 Application Example ....................................................................................28-34
Displaying IPMS Configurations and Statistics ..........................................................28-36
Displaying IPMSv6 Configurations and Statistics ......................................................28-37
Chapter 29
Diagnosing Switch Problems ................................................................................29-1
In This Chapter ..............................................................................................................29-1
Port Mirroring Overview ...............................................................................................29-3
Port Mirroring Specifications .................................................................................29-3
Port Mirroring Defaults ..........................................................................................29-3
Quick Steps for Configuring Port Mirroring ..........................................................29-4
Port Monitoring Overview ............................................................................................29-5
Port Monitoring Specifications ..............................................................................29-5
Port Monitoring Defaults .......................................................................................29-5
Quick Steps for Configuring Port Monitoring .......................................................29-6
sFlow Overview ............................................................................................................29-7
sFlow Specifications ..............................................................................................29-7
sFlow Defaults ........................................................................................................29-7
Quick Steps for Configuring sFlow .......................................................................29-8
Remote Monitoring (RMON) Overview .....................................................................29-10
RMON Specifications ..........................................................................................29-10
RMON Probe Defaults .........................................................................................29-11
Quick Steps for Enabling/Disabling RMON Probes ............................................29-11
Switch Health Overview .............................................................................................29-12
Switch Health Specifications ...............................................................................29-12
Switch Health Defaults .........................................................................................29-13
Quick Steps for Configuring Switch Health ........................................................29-13
Port Mirroring .............................................................................................................29-14
What Ports Can Be Mirrored? .......................................................................29-14
How Port Mirroring Works ..................................................................................29-14
What Happens to the Mirroring Port ....................................................................29-15
Mirroring on Multiple Ports .................................................................................29-15
Using Port Mirroring with External RMON Probes ............................................29-15
Creating a Mirroring Session ...............................................................................29-17
Unblocking Ports (Protection from Spanning Tree) ............................................29-18
Enabling or Disabling Mirroring Status ...............................................................29-18
Disabling a Mirroring Session (Disabling Mirroring Status) ...............................29-18
Configuring Port Mirroring Direction ..................................................................29-19
Enabling or Disabling a Port Mirroring Session (Shorthand) ..............................29-19
Displaying Port Mirroring Status .........................................................................29-20
Deleting A Mirroring Session ..............................................................................29-20
Port Monitoring ...........................................................................................................29-21
Configuring a Port Monitoring Session ...............................................................29-22
Enabling a Port Monitoring Session .....................................................................29-22
Disabling a Port Monitoring Session ...................................................................29-22
Deleting a Port Monitoring Session .....................................................................29-22
Pausing a Port Monitoring Session ......................................................................29-23
Configuring Port Monitoring Session Persistence ...............................................29-23
Configuring a Port Monitoring Data File .............................................................29-23
Suppressing Port Monitoring File Creation .........................................................29-24
Configuring Port Monitoring Direction ...............................................................29-24
Displaying Port Monitoring Status and Data .......................................................29-25
sFlow ...........................................................................................................................29-26
sFlow Manager .....................................................................................................29-26
Receiver ................................................................................................................29-26
Sampler .................................................................................................................29-27
Poller ....................................................................................................................29-27
Configuring a sFlow Session ................................................................................29-28
Configuring a Fixed Primary Address .................................................................29-29
Displaying a sFlow Receiver ................................................................................29-29
Displaying a sFlow Sampler ................................................................................29-29
Displaying a sFlow Poller ....................................................................................29-30
Displaying a sFlow Agent ....................................................................................29-30
Deleting a sFlow Session .....................................................................................29-31
Remote Monitoring (RMON) .....................................................................................29-32
Ethernet Statistics ..........................................................................................29-33
History (Control & Statistics) ........................................................................29-33
Alarm .............................................................................................................29-33
Event ..............................................................................................................29-33
Enabling or Disabling RMON Probes ..................................................................29-34
Displaying RMON Tables ....................................................................................29-35
Displaying a List of RMON Probes ..............................................................29-35
Displaying Statistics for a Particular RMON Probe ......................................29-36
Sample Display for Ethernet Statistics Probe ................................................29-36
Sample Display for History Probe .................................................................29-37
Sample Display for Alarm Probe ..................................................................29-37
Displaying a List of RMON Events ..............................................................29-38
Displaying a Specific RMON Event .............................................................29-38
Monitoring Switch Health ...........................................................................................29-39
Configuring Resource and Temperature Thresholds ...........................................29-41
Displaying Health Threshold Limits ....................................................................29-42
Configuring Sampling Intervals ...........................................................................29-43
Viewing Sampling Intervals .................................................................................29-43
Viewing Health Statistics for the Switch .............................................................29-44
Viewing Health Statistics for a Specific Interface ...............................................29-45
Resetting Health Statistics for the Switch ............................................................29-45
Chapter 30
Using Switch Logging .............................................................................................. 30-1
In This Chapter ..............................................................................................................30-1
Switch Logging Specifications .....................................................................................30-2
Switch Logging Defaults ...............................................................................................30-3
Quick Steps for Configuring Switch Logging ..............................................................30-4
Switch Logging Overview ............................................................................................30-5
Switch Logging Commands Overview .........................................................................30-6
Enabling Switch Logging .......................................................................................30-6
Setting the Switch Logging Severity Level ............................................................30-6
Specifying the Severity Level .........................................................................30-8
Removing the Severity Level ..........................................................................30-9
Specifying the Switch Logging Output Device ......................................................30-9
Enabling/Disabling Switch Logging Output to the Console ...........................30-9
Enabling/Disabling Switch Logging Output to Flash Memory .......................30-9
Specifying an IP Address for Switch Logging Output ....................................30-9
Disabling an IP Address from Receiving Switch Logging Output ...............30-10
Displaying Switch Logging Status .......................................................................30-10
Configuring the Switch Logging File Size ...........................................................30-11
Clearing the Switch Logging Files .......................................................................30-11
Displaying Switch Logging Records ....................................................................30-12
Appendix A
Software License and Copyright Statements .....................................................A-1
Alcatel License Agreement ............................................................................................A-1
ALCATEL INTERNETWORKING, INC. (“AII”) SOFTWARE LICENSE
AGREEMENT .......................................................................................................A-1
Third Party Licenses and Notices ..................................................................................A-4
A. Booting and Debugging Non-Proprietary Software ..........................................A-4
B. The OpenLDAP Public License: Version 2.4, 8 December 2000 .....................A-4
C. Linux ..................................................................................................................A-5
D. GNU GENERAL PUBLIC LICENSE: Version 2, June 1991 ..........................A-5
E. University of California ...................................................................................A-10
F. Carnegie-Mellon University ............................................................................A-10
G. Random.c .........................................................................................................A-10
H. Apptitude, Inc. .................................................................................................A-11
I. Agranat .............................................................................................................A-11
J. RSA Security Inc. ............................................................................................A-11
K. Sun Microsystems, Inc. ....................................................................................A-11
L. Wind River Systems, Inc. ................................................................................A-12
M. Network Time Protocol Version 4 ...................................................................A-12
Index ...................................................................................................................... Index-1
About This Guide
This OmniSwitch 6800/6850/9000 Network Configuration Guide describes how to set up and monitor software features that will allow your switch to operate in a live network environment. The software features
described in this manual are shipped standard with your OmniSwitch 6800 Series, OmniSwitch 6850
Series, and OmniSwitch 9000 Series switches. These features are used when setting up your OmniSwitch
in a network of switches and routers.
Supported Platforms
The information in this guide applies to the following products:
• OmniSwitch 9600
• OmniSwitch 9700
• OmniSwitch 6800 Series
• OmniSwitch 6850 Series
Note. This OmniSwitch Network Configuration Guide covers Release 6.1.1, which is supported on
OmniSwitch 9000 Series switches and 6.1.2, which is supported on the OmniSwitch 6800 and 6850 Series
switches. OmniSwitch 6600 Family, OmniSwitch 7700/7800, and OmniSwitch 8800 switches use Release
5.x. Please refer to the 5.x user guides for those switches.
Unsupported Platforms
The information in this guide does not apply to the following products:
• OmniSwitch (original version with no numeric model name)
• OmniSwitch 6600 Family
• OmniSwitch 7700/7800
• OmniSwitch 8800
• Omni Switch/Router
• OmniStack
• OmniAccess
Who Should Read this Manual?
The audience for this user guide is network administrators and IT support personnel who need to configure, maintain, and monitor switches and routers in a live network. However, anyone wishing to gain
knowledge on how fundamental software features are implemented in the OmniSwitch 9000 Series will
benefit from the material in this configuration guide.
When Should I Read this Manual?
Read this guide as soon as you are ready to integrate your OmniSwitch into your network and you are
ready to set up advanced routing protocols. You should already be familiar with the basics of managing a
single OmniSwitch as described in the OmniSwitch 6800/6850/9000 Switch Management Guide.
The topics and procedures in this manual assume an understanding of the OmniSwitch stacking, directory
structure, and basic switch administration commands and procedures. This manual will help you set up
your switches to communicate with other switches in the network. The topics in this guide include
VLANs, authentication, and Quality of Service (QoS)—features that are typically deployed in a multiswitch environment.
What is in this Manual?
This configuration guide includes information about configuring the following features:
• VLANs, VLAN router ports, mobile ports, and VLAN rules.
• Basic Layer 2 functions, such as Ethernet port parameters, source learning, Spanning Tree, and Alcatel
interswitch protocols (AMAP and GMAP).
• Advanced Layer 2 functions, such as 802.1Q tagging, Link Aggregation, and IP Multicast Switching.
• Basic routing protocols and functions, such as static IP routes, RIP, DHCP Relay, and Virtual Router
Redundancy Protocol (VRRP).
• Security features, such as switch access control, Authenticated VLANs (AVLANs), authentication
servers, and policy management.
• Quality of Service (QoS) and Access Control Lists (ACLs) features, such as policy rules for prioritizing and filtering traffic, and remapping packet headers.
• Diagnostic tools, such as RMON, port mirroring, and switch logging.
What is Not in this Manual?
The configuration procedures in this manual use Command Line Interface (CLI) commands in all examples. CLI commands are text-based commands used to manage the switch through serial (console port)
connections or via Telnet sessions. Procedures for other switch management methods, such as web-based
(WebView or OmniVista) or SNMP, are outside the scope of this guide.
For information on WebView and SNMP switch management methods consult the OmniSwitch 6800/
6850/9000 Switch Management Guide. Information on using WebView and OmniVista can be found in
the context-sensitive on-line help available with those network management applications.
This guide provides overview material on software features, how-to procedures, and application examples
that will enable you to begin configuring your OmniSwitch. It is not intended as a comprehensive reference to all CLI commands available in the OmniSwitch. For such a reference to all OmniSwitch 6800/
6850/9000 CLI commands, consult the OmniSwitch CLI Reference Guide.
How is the Information Organized?
Chapters in this guide are broken down by software feature. The title of each chapter includes protocol or
feature names (e.g., 802.1Q) with which most network professionals will be familiar.
Each software feature chapter includes sections that will satisfy the information requirements of casual
readers, rushed readers, serious detail-oriented readers, advanced users, and beginning users.
Quick Information. Most chapters include a specifications table that lists RFCs and IEEE specifications
supported by the software feature. In addition, this table includes other pertinent information such as minimum and maximum values and sub-feature support. Most chapters also include a defaults table that lists
the default values for important parameters along with the CLI command used to configure the parameter.
Many chapters include a Quick Steps section, which is a procedure covering the basic steps required to get
a software feature up and running.
In-Depth Information. All chapters include overview sections on the software feature as well as on
selected topics of that software feature. Topical sections may often lead into procedure sections that
describe how to configure the feature just described. Serious readers and advanced users will also find the
many application examples, located near the end of chapters, helpful. Application examples include
diagrams of real networks and then provide solutions using the CLI to configure a particular feature, or
more than one feature, within the illustrated network.
Documentation Roadmap
The OmniSwitch user documentation suite was designed to supply you with information at several critical
junctures of the configuration process. The following section outlines a roadmap of the manuals that will
help you at each stage of the configuration process. Under each stage, we point you to the manual or
manuals that will be most helpful to you.
Stage 1: Using the Switch for the First Time
Pertinent Documentation: Getting Started Guide, Release Notes
A hard-copy OmniSwitch 6800/6850/9000 Getting Started Guide is included with your switch; this guide
provides all the information you need to get your switch up and running the first time. It provides information on unpacking the switch, rack mounting the switch, installing NI modules, unlocking access control,
setting the switch’s IP address, and setting up a password. It also includes succinct overview information
on fundamental aspects of the switch, such as hardware LEDs, the software directory structure, CLI
conventions, and web-based management.
At this time you should also familiarize yourself with the Release Notes that accompanied your switch.
This document includes important information on feature limitations that are not included in other user
guides.
Stage 2: Gaining Familiarity with Basic Switch Functions
Pertinent Documentation: Hardware Users Guide, Switch Management Guide
Once you have your switch up and running, you will want to begin investigating basic aspects of its hardware and software. Information about switch hardware is provided in the OmniSwitch 6800/6850/9000
Hardware Guide. This guide provides specifications, illustrations, and descriptions of all hardware components, such as chassis, power supplies, Chassis Management Modules (CMMs), Network Interface (NI)
modules, and cooling fans. It also includes steps for common procedures, such as removing and installing
switch components.
The OmniSwitch 6800/6850/9000 Switch Management Guide is the primary users guide for the basic software features on a single switch. This guide contains information on the switch directory structure, basic
file and directory utilities, switch access security, SNMP, and web-based management. It is recommended
that you read this guide before connecting your switch to the network.
Stage 3: Integrating the Switch Into a Network
Pertinent Documentation: Network Configuration Guide
Advanced Routing Configuration Guide
When you are ready to connect your switch to the network, you will need to learn how the OmniSwitch
implements fundamental software features, such as 802.1Q, VLANs, Spanning Tree, and network routing
protocols. The OmniSwitch 6800/6850/9000 Network Configuration Guide contains overview information, procedures, and examples on how standard networking technologies are configured in the
OmniSwitch 9000 Series.
The OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide includes configuration information for networks using advanced routing technologies (OSPF and BGP) and multicast routing protocols
(DVMRP and PIM-SM).
Anytime
The OmniSwitch CLI Reference Guide contains comprehensive information on all CLI commands
supported by the switch. This guide includes syntax, default, usage, example, related CLI command, and
CLI-to-MIB variable mapping information for all CLI commands supported by the switch. This guide can
be consulted anytime during the configuration process to find detailed and specific information on each
CLI command.
Related Documentation
The following are the titles and descriptions of all the related OmniSwitch 6800/6850/9000 user manuals:
• OmniSwitch 6800 Series Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 6800 Series switch up and
running. Also provides information on fundamental aspects of OmniSwitch software and stacking
architecture.
• OmniSwitch 6850 Series Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 6850 Series switch up and
running. Also provides information on fundamental aspects of OmniSwitch software and stacking
architecture.
• OmniSwitch 6800 Series Hardware Users Guide
Detailed technical specifications and procedures for the OmniSwitch 6800 Series chassis and components. Also includes comprehensive information on assembling and managing stacked configurations.
• OmniSwitch 6850 Series Hardware User Guide
Complete technical specifications and procedures for all OmniSwitch 6850 Series chassis, power
supplies, and fans. Also includes comprehensive information on assembling and managing stacked
configurations.
• OmniSwitch 9000 Series Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 9000 Series up and
running. Also provides information on fundamental aspects of OmniSwitch software architecture.
• OmniSwitch 9000 Series Hardware Users Guide
Complete technical specifications and procedures for all OmniSwitch 9000 Series chassis, power
supplies, fans, and Network Interface (NI) modules.
• OmniSwitch CLI Reference Guide
Complete reference to all CLI commands supported on the OmniSwitch 9000 Series. Includes syntax
definitions, default values, examples, usage guidelines and CLI-to-MIB variable mappings.
• OmniSwitch 6800/6850/9000 Switch Management Guide
Includes procedures for readying an individual switch for integration into a network. Topics include the
software directory architecture, image rollback protections, authenticated switch access, managing
switch files, system configuration, using SNMP, and using web management software (WebView).
• OmniSwitch 6800/6850/9000 Network Configuration Guide
Includes network configuration procedures and descriptive information on all the major software
features and protocols included in the base software package. Chapters cover Layer 2 information
(Ethernet and VLAN configuration), Layer 3 information (routing protocols, such as RIP), security
options (authenticated VLANs), Quality of Service (QoS), and link aggregation.
• OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide
Includes network configuration procedures and descriptive information on all the software features and
protocols included in the advanced routing software package. Chapters cover multicast routing
(DVMRP and PIM-SM), and OSPF.
• Technical Tips, Field Notices
Includes information published by Alcatel’s Customer Support group.
• Release Notes
Includes critical Open Problem Reports, feature exceptions, and other important information on the
features supported in the current release and any limitations to their support.
User Manual CD
All user guides for the OmniSwitch 9000 Series are included on the User Manual CD that accompanied
your switch. This CD also includes user guides for other Alcatel data enterprise products. In addition, it
contains a stand-alone version of the on-line help system that is embedded in the OmniVista network
management application.
Besides the OmniVista documentation, all documentation on the User Manual CD is in PDF format and
requires the Adobe Acrobat Reader program for viewing. Acrobat Reader freeware is available at
www.adobe.com.
Note. In order to take advantage of the documentation CD’s global search feature, it is recommended that
you select the option for searching PDF files before downloading Acrobat Reader freeware.
To verify that you are using Acrobat Reader with the global search option, look for the following button in
the toolbar:
Note. When printing pages from the documentation PDFs, de-select Fit to Page if it is selected in your
print dialog. Otherwise pages may print with slightly smaller margins.
Technical Support
An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support.
You’ll also receive regular software updates to maintain and maximize your Alcatel product’s features and
functionality and on-site hardware replacement through our global network of highly qualified service
delivery partners. Additionally, with 24-hour-a-day access to Alcatel’s Service and Support web page,
you’ll be able to view and update any case (open or closed) that you have reported to Alcatel’s technical
support, open a new case or access helpful release notes, technical bulletins, and manuals. For more information on Alcatel’s Service Programs, see our web page at eservice.ind.alcatel.com, call us at 1-800-995-2696, or email us at support@ind.alcatel.com.
1 Configuring Ethernet Ports
The Ethernet software is responsible for a variety of functions that support Ethernet, Gigabit Ethernet, and
10 Gigabit Ethernet ports on OmniSwitch 6800, 6850, and 9000 switches. These functions include diagnostics, software loading, initialization, configuration of line parameters, gathering statistics, and responding to administrative requests from SNMP or CLI.
In This Chapter
This chapter describes your switch’s Ethernet port parameters and how to configure them through the
Command Line Interface (CLI). CLI Commands are used in the configuration examples. For more details
about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• “Setting Ethernet Parameters for All Port Types” on page 1-8
• “Setting Ethernet Parameters for Non Combo Ports” on page 1-14
• “Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches” on page 1-18
• “Combo Port Application Example” on page 1-24
For information about CLI commands that can be used to view Ethernet port parameters, see the
OmniSwitch CLI Reference Guide.
Ethernet Specifications
IEEE Standards Supported
    802.3 Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
    802.3u (100BaseTX)
    802.3ab (1000BaseT)
    802.3z (1000Base-X)
    802.3ae (10GBase-X)
Ports Supported
    Ethernet (10 Mbps)
    Fast Ethernet (100 Mbps)
    Gigabit Ethernet (1 Gb/1000 Mbps)
    10 Gigabit Ethernet (10 Gb/10000 Mbps)
Switching/Routing Support
    Layer 2 Switching/Layer 3 Routing
Backbone Support
    Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports
Port Mirroring Support
    Fast Ethernet and Gigabit Ethernet ports
802.1Q Hardware Tagging
    Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports
Jumbo Frame Configuration
    Supported on Gigabit Ethernet and 10 Gigabit Ethernet ports
Maximum Frame Size
    1553 bytes (10/100 Mbps)
    9216 bytes (1/10 Gbps)
Ethernet Port Defaults (All Port Types)
The following table shows Ethernet port default values.
Parameter Description | Command | Default Value/Comments
Trap Port Link Messages | trap port link | Disabled
Interface Configuration | interfaces admin | Up (Enabled)
Flood Only Rate Limiting | interfaces flood | Enable
Multicast Rate Limiting | interfaces flood multicast | Disable
Peak Flood Rate Configuration | interfaces flood rate | 4 Mbps (10 Ethernet); 49 Mbps (100 Fast Ethernet); 496 Mbps (1 Gigabit Ethernet); 997 Mbps (10 Gigabit Ethernet)
Interface Alias | interfaces alias | None configured
Inter-Frame Gap | interfaces ifg | 12 bytes
Maximum Frame Size | interfaces max frame | 1553 (untagged) Ethernet packets; 1553 (tagged) Ethernet packets; 9216 Gigabit Ethernet packets
Non Combo Port Defaults
The following table shows non combo port default values.
Parameter Description | Command | Default Value/Comments
Interface Line Speed | interfaces speed | Auto (copper ports); 100 Mbps (fiber ports); 1 Gbps (GNI ports); 10 Gbps (XNI ports)
Duplex Mode | interfaces duplex | Auto (copper ports)/Full (fiber, GNI and XNI ports)
Autonegotiation | interfaces autoneg | Enable for all copper ports; Disable for all fiber ports
Crossover | interfaces crossover | Auto for all copper ports; Disable for all fiber ports
Combo Ethernet Port Defaults
The following table shows combo Ethernet port default values for OmniSwitch 6800 Series switches only.
Parameter Description | Command | Default Value/Comments
Preferred fiber / Forced fiber / Preferred copper / Forced copper | interfaces hybrid preferred-fiber; interfaces hybrid preferred-copper; interfaces hybrid forced-fiber; interfaces hybrid forced-copper | Preferred fiber
Flow (pause) | interfaces hybrid speed | Disabled
Interface Line Speed | interfaces hybrid speed | Auto
Duplex Mode | interfaces hybrid duplex | Auto
Autonegotiation | interfaces hybrid autoneg | Enable
Crossover | interfaces hybrid crossover | Auto for all copper ports; Disable for all fiber modules
Ethernet Ports Overview
This chapter describes the Ethernet software CLI commands used for configuring and monitoring your
switch’s Ethernet port parameters. These commands allow you to handle administrative or port-related
requests to and from SNMP, CLI, or WebView.
Note. OmniSwitch 9000 Series switches do not support combo ports. These ports are supported on
OmniSwitch 6800 Series and OmniSwitch 6850 Series switches only.
OmniSwitch 6800 and 6850 Series Combo Ports
All OmniSwitch 6800 and 6850 switches have four ports that are shared between four copper 10/100/1000
RJ-45 connections and four fiber 1Gbps MiniGBIC SFP slots, which can accept any qualified 1Gbps SFP
transceivers. These ports are known as combo ports (also sometimes referred to as “hybrid” ports).
You can use either the copper 10/100/1000 port or the equivalent fiber MiniGBIC SFP port, for example,
but, not both at the same time. By default, combo ports are set to preferred fiber, which means that the
switch will use the fiber MiniGBIC SFP port instead of the equivalent copper RJ-45 port or fiber 100
Mbps port if both ports are enabled and have a valid link. However, if the MiniGBIC SFP port goes down,
the equivalent RJ-45 or fiber 100 Mbps port will come up. This mode can be used if you want to use the
fiber 1 Gbps connection as your main link while having a copper link as a backup.
For example, on the OmniSwitch 6800-48, ports 45–48 are combo ports. If cables are connected to both
copper port 45 and fiber port 45, the fiber MiniGBIC SFP link will be the active one. If the MiniGBIC
SFP link goes down, the copper port will automatically become active. No user intervention is
required.
Note. See “Valid Port Settings on OmniSwitch 6800 Series Switches” on page 1-5 and “Valid Port
Settings on OmniSwitch 6850 Series Switches” on page 1-5 for more information on combo ports. In addition, refer to the specific Hardware Users Guide for each type of switch.
The following three additional optional combo port modes are user configurable:
• Preferred copper. In this mode, the switch will use the copper RJ-45 port instead of the equivalent fiber
MiniGBIC SFP port, if both ports are enabled and have a valid link.
• Forced fiber. In this mode, the switch will always use the fiber MiniGBIC SFP port instead of the
equivalent copper RJ-45 port.
• Forced copper. In this mode, the switch will always use the copper RJ-45 port instead of the equivalent fiber MiniGBIC SFP port.
See “Setting the Combo Port Type and Mode” on page 1-18 for more information on configuring combo
ports.
Valid Port Settings on OmniSwitch 6800 Series Switches
The table below lists valid speed, duplex, and autonegotiation settings for the different OmniSwitch 6800
Series port types.
Chassis Type (Port Nos.) | Port Type | User-Specified Port Speed (Mbps) Supported | User-Specified Duplex Supported? | Auto Negotiation Supported
OmniSwitch 6800-24 (ports 1–20) | Copper twisted pair (RJ-45) | auto/10/100/1000 | auto/full/half | Yes
OmniSwitch 6800-24 (ports 21–24) | Combo copper RJ-45/Fiber SFP | RJ-45: auto/10/100/1000; SFP: 1000 | RJ-45: auto/full/half; SFP: full | Yes
OmniSwitch 6800-48 (ports 1–44) | Copper twisted pair (RJ-45) | auto/10/100/1000 | auto/full/half | Yes
OmniSwitch 6800-48 (ports 45–48) | Combo copper RJ-45/Fiber SFP | RJ-45: auto/10/100/1000; SFP: 1000 | RJ-45: auto/full/half; SFP: full | Yes
OmniSwitch 6800-48 (ports 49–50) | Fiber XFP | 10000 | full | Yes
See the OmniSwitch 6800 Series Hardware Users Guide for more information about the OmniSwitch 6800
hardware that is supported in the current release.
Valid Port Settings on OmniSwitch 6850 Series Switches
The table below lists valid speed, duplex, and autonegotiation settings for the different OmniSwitch 6850
Series port types.
Chassis Type (Port Nos.) | Port Type | User-Specified Port Speed (Mbps) Supported | User-Specified Duplex Supported? | Auto Negotiation Supported
OmniSwitch 6800-24 (ports 1–20) | Copper twisted pair (RJ-45) | auto/10/100/1000 | auto/full/half | Yes
OmniSwitch 6800-24 (ports 21–24) | Combo copper RJ-45/Fiber SFP | RJ-45: auto/10/100/1000; SFP: 1000 | RJ-45: auto/full/half; SFP: full | Yes
OmniSwitch 6800-24 (ports 25–26) | Fiber XFP | 10000 | full | Yes
OmniSwitch 6800-48 (ports 1–44) | Copper twisted pair (RJ-45) | auto/10/100/1000 | auto/full/half | Yes
OmniSwitch 6800-48 (ports 45–48) | Combo copper RJ-45/Fiber SFP | RJ-45: auto/10/100/1000; SFP: 1000 | RJ-45: auto/full/half; SFP: full | Yes
OmniSwitch 6800-48 (ports 49–50) | Fiber XFP | 10000 | full | Yes
See the OmniSwitch 6850 Series Hardware Users Guide for more information about the OmniSwitch 6850
hardware that is supported in the current release.
Valid Port Settings on OmniSwitch 9000 Series Switches
The table below lists valid speed, duplex, and autonegotiation settings for the different OmniSwitch 9000
port types.
NI Module | Port Number/Type | User-Specified Port Speed (Mbps) Supported | User-Specified Duplex Supported? | Auto Negotiation Supported
OS9-GNI-C24 | 24 Copper twisted pair (RJ-45) | auto/10/100/1000 | auto/full/half | Yes
OS9-GNI-U24 | Up to 24 high-density LC ports | 1000 | full | Yes
OS9-XNI-U2 | Up to 2 wire-rate fiber LC | 10000 | full | Yes
Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet switching modules can be used as backbone links,
with Gigabit Ethernet and 10 Gigabit Ethernet modules offering additional support for high-speed servers.
All modules support 802.1Q hardware tagging for enhanced compatibility. And all Gigabit and 10 Gigabit
modules support jumbo frame configuration.
See the OmniSwitch 9000 Hardware Users Guide for more information about the OmniSwitch 9000 hardware that is available in the current release.
10/100/1000 Crossover Supported
By default, automatic crossover between MDI/MDIX (Media Dependent Interface/Media Dependent Interface with Crossover) media is supported on OmniSwitch 9000 10/100/1000 ports. Therefore, either
straight-through or crossover cable can be used between two OmniSwitch 9000 switches as long as autonegotiation is configured on both sides of the link. See “Configuring Autonegotiation and Crossover
Settings” on page 1-16 for more information.
Autonegotiation Guidelines
Note that a link will not be established on a copper Ethernet port if any one of the following is true:
• The local port advertises 100 Mbps full duplex and the remote link partner is forced to 100 Mbps full
duplex.
• The local port advertises 100 Mbps full duplex and the remote link partner is forced to 100 Mbps half
duplex.
• The local port advertises 10 Mbps full duplex and the remote link partner is forced to 10 Mbps full
duplex.
• The local port advertises 10 Mbps full duplex and the remote link partner is forced to 10 Mbps half duplex.
This happens because a local device set to autonegotiate at 10/100 Mbps full duplex senses that the
remote device is not autonegotiating. It therefore falls back to parallel detection and resolves to the Highest
Common Denominator (HCD), which is “10/100 Half” according to IEEE 802.3 Clause 28.2.3.1.
However, since the local device is set to autonegotiate at 10/100 Mbps full duplex, it cannot form a 10/100
Mbps half duplex link in any of the cases listed above. One solution is to configure the local device for
autonegotiation at 10/100 Mbps with auto or half duplex.
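The guideline above can be checked mechanically before a port is brought up. The following Python model is an added example, not Alcatel code or anything taken from the guide: it expands a local port's autonegotiation settings into the abilities it advertises, applies the parallel-detection rule the guideline cites (the forced partner's speed is learned, duplex resolves to half), and reports whether a link forms. The function names and the restriction to 10/100 Mbps copper modes are my own choices; the duplex-mismatch helper reflects the standard outcome when a link forms against a partner forced to full duplex.

```python
"""
Model of the autonegotiation guideline (added example, not Alcatel code).
A local copper port that autonegotiates advertises a set of
(speed_mbps, duplex) abilities. A forced partner (autoneg off) sends no
ability information, so the local port falls back to parallel detection:
it learns only the partner's speed and, per IEEE 802.3 Clause 28.2.3.1,
resolves to half duplex at that speed. A link therefore forms only if the
local port advertised half duplex at the detected speed.
"""


def advertised_abilities(speed="auto", duplex="auto"):
    """Expand a local port's autonegotiation settings into the abilities it
    advertises. speed: "auto" (10 and 100) or 10/100; duplex: "auto" (half
    and full), "half" or "full". Only the 10/100 cases the guideline covers
    are modelled (my assumption)."""
    speeds = (10, 100) if speed == "auto" else (int(speed),)
    duplexes = ("half", "full") if duplex == "auto" else (duplex,)
    for s in speeds:
        if s not in (10, 100):
            raise ValueError("only 10/100 Mbps copper modes are modelled")
    for d in duplexes:
        if d not in ("half", "full"):
            raise ValueError("duplex must be auto, half or full")
    return {(s, d) for s in speeds for d in duplexes}


def resolve_link(local_abilities, remote_forced):
    """Outcome of parallel detection against a forced partner.
    remote_forced is (speed_mbps, duplex). Returns the resolved
    (speed, duplex) or None when no link is established."""
    remote_speed, _ = remote_forced
    if remote_speed not in (10, 100):
        raise ValueError("only 10/100 Mbps copper modes are modelled")
    # Parallel detection yields the partner's speed at half duplex (the HCD);
    # the partner's forced duplex setting is never communicated to the local port.
    hcd = (remote_speed, "half")
    return hcd if hcd in local_abilities else None


def duplex_mismatch(local_abilities, remote_forced):
    """True when a link forms but the partner is forced to full duplex: the
    local side runs half duplex, so late collisions and CRC errors follow."""
    link = resolve_link(local_abilities, remote_forced)
    return link is not None and remote_forced[1] == "full"


if __name__ == "__main__":
    # The four failing cases from the guideline: local advertises full duplex only.
    for speed in (10, 100):
        local = advertised_abilities(speed=speed, duplex="full")
        for remote_duplex in ("full", "half"):
            print(speed, remote_duplex, resolve_link(local, (speed, remote_duplex)))
    # The suggested fix: autonegotiate 10/100 with auto (or half) duplex.
    fixed = advertised_abilities(speed="auto", duplex="auto")
    print(resolve_link(fixed, (100, "full")), duplex_mismatch(fixed, (100, "full")))
```

Note that the fix makes the link come up but does not remove the duplex mismatch when the partner is forced to full duplex; the clean solution is to configure both ends the same way, either both autonegotiating or both forced to identical speed and duplex.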
Setting Ethernet Parameters for All Port Types
The following sections describe how to configure Ethernet port parameters using CLI commands that can
be used on all port types. See “Setting Ethernet Parameters for Non Combo Ports” on page 1-14 for information on configuring non combo ports and see “Setting Combo Ethernet Port Parameters on OmniSwitch
6800 and 6850 Switches” on page 1-18 for more information on configuring combo ports.
Setting Trap Port Link Messages
The trap port link command can be used to enable or disable (the default) trap port link messages on a
specific port, a range of ports, or all ports on a switch (slot). When enabled, a trap message will be
displayed on a Network Management Station (NMS) whenever the port state has changed.
Enabling Trap Port Link Messages
To enable trap port link messages on an entire switch, enter trap followed by the slot number and port
link enable. For example, to enable trap port link messages on all ports on slot 2, enter:
-> trap 2 port link enable
To enable trap port link messages on a single port, enter trap followed by the slot number, a slash (/), the
port number, and port link enable. For example, to enable trap port link messages on slot 2 port 3, enter:
-> trap 2/3 port link enable
To enable trap port link messages on a range of ports, enter trap followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and port link enable. For example, to
enable trap port link messages ports 3 through 5 on slot 2, enter:
-> trap 2/3-5 port link enable
Disabling Trap Port Link Messages
To disable trap port link messages on an entire switch, enter trap followed by the slot number and port
link disable. For example, to disable trap port link messages on all ports on slot 2, enter:
-> trap 2 port link disable
To disable trap port link messages on a single port, enter trap followed by the slot number, a slash (/), the
port number, and port link disable. For example, to disable trap port link messages on slot 2 port 3, enter:
-> trap 2/3 port link disable
To disable trap port link messages on a range of ports, enter trap followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and port link disable. For example, to
disable trap port link messages ports 3 through 5 on slot 2, enter:
-> trap 2/3-5 port link disable
Resetting Statistics Counters
The interfaces no l2 statistics command is used to reset all Layer 2 statistics counters on a specific port, a
range of ports, or all ports on a switch (slot).
To reset Layer 2 statistics on an entire slot, enter interfaces followed by the slot number and no l2
statistics. For example, to reset all Layer 2 statistics counters on slot 2, enter:
-> interfaces 2 no l2 statistics
To reset Layer 2 statistics on a single port, enter interfaces followed by the slot number, a slash (/), the
port number, and no l2 statistics. For example, to reset all Layer 2 statistics counters on port 3 on slot 2,
enter:
-> interfaces 2/3 no l2 statistics
To reset Layer 2 statistics on a range of ports, enter interfaces followed by the slot number, a slash (/), the
first port number, a hyphen (-), the last port number, and no l2 statistics. For example, to reset all Layer 2
statistics counters on ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 no l2 statistics
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to reset all Layer 2 statistics counters on port 3 on slot 2 and document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 no l2 statistics
Note. The show interfaces, show interfaces accounting, and show interfaces counters commands can
be used to display Layer 2 statistics (e.g., input and output errors, deferred frames received, unicast packets transmitted). For information on using these commands, see the OmniSwitch CLI Reference Guide.
Enabling and Disabling Interfaces
The interfaces admin command is used to enable (the default) or disable a specific port, a range of ports,
or all ports on an entire switch (NI module).
To enable or disable an entire slot, enter interfaces followed by the slot number, admin, and the desired
administrative setting (either up or down). For example, to administratively disable slot 2, enter:
-> interfaces 2 admin down
To enable or disable a single port, enter interfaces followed by the slot number, a slash (/), the port
number, admin, and the desired administrative setting (either up or down). For example, to administratively disable port 3 on slot 2, enter:
-> interfaces 2/3 admin down
To enable or disable a range of ports, enter interfaces followed by the slot number, a slash (/), the first
port number, a hyphen (-), the last port number, admin, and the desired administrative setting (either up
or down). For example, to administratively disable ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 admin down
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to administratively disable port 3 on slot 2 and document the port as
Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 admin down
Configuring Flood Rate Limiting
The following subsections describe how to apply a peak flood rate value to limit flooded traffic (see
“Flood Only Rate Limiting” on page 1-10), limit multicast traffic (see “Multicast Flood Rate Limiting” on
page 1-11), and configure the flood rate value for an entire switch (slot), a specific port, or a range of ports
(see “Configuring the Peak Flood Rate Value” on page 1-11).
Flood Only Rate Limiting
The peak flood rate value is always applied to flooded traffic. However, it is also possible to apply this
value to limit the rate of multicast traffic on any given port (see “Multicast Flood Rate Limiting” on
page 1-11). The interfaces flood command automatically disables any multicast flood rate limiting on a
port so that the peak flood rate is only applied to flooded traffic.
Note. The interfaces flood command is only available on OmniSwitch 6800 and 6850 switches. The
interfaces flood multicast command can also disable multicast flood rate limiting and is available on
OmniSwitch 6800, 6850, and 9000 switches.
To specify flood only rate limiting for a single port, enter interfaces followed by the slot number, a
slash (/), the port number, and flood. For example, the following command applies flood only rate limiting to port 2/3:
-> interfaces 2/3 flood
To specify flood only rate limiting for a range of ports, enter interfaces followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and flood. For example, the following
command applies flood only rate limiting to ports 3 through 4 on slot 2:
-> interfaces 2/3-4 flood
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to apply flood only rate limiting to port 8/24 and document the port
as Gigabit Ethernet, enter:
-> interfaces gigaethernet 8/24 flood
To configure the peak rate value used for flood only rate limiting, see “Configuring the Peak Flood Rate
Value” on page 1-11 for more information.
Multicast Flood Rate Limiting
The interfaces flood multicast command is used to enable or disable flood rate limiting for multicast traffic on a single port, a range of ports, or all ports on a switch (slot). When multicast flood rate limiting is
enabled, the peak flood rate value for a port is applied to both multicast and flooded traffic.
By default, multicast flood rate limiting is disabled for a port. To apply the peak flood rate value to multicast traffic on a slot, enter interfaces followed by the slot number and flood multicast. For example, to
enable the maximum flood rate for multicast traffic on slot 2, enter:
-> interfaces 2 flood multicast
To apply the peak flood rate value to multicast traffic on a single port, enter interfaces followed by the
slot number, a slash (/), the port number, and flood multicast. For example, to enable the maximum flood
rate for multicast traffic on port 3 on slot 2, enter:
-> interfaces 2/3 flood multicast
To apply the peak flood rate value to multicast traffic on a range of ports, enter interfaces followed by the
slot number, a slash (/), the first port number, a hyphen (-), the last port number, and flood multicast. For
example, to enable the maximum flood rate for multicast traffic on ports 3 through 4 on slot 2, enter:
-> interfaces 2/3-4 flood multicast
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to enable the maximum flood rate for multicast traffic on slot 2 and
document the slot as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2 flood multicast
Note. Enabling multicast flood rate limiting with the interfaces flood multicast command will limit IP
Multicast Switching (IPMS) and non-IPMS multicast traffic.
Configuring the Peak Flood Rate Value
The interfaces flood rate command is used to configure the peak flood rate value on a specific port, a
range of ports, or all ports on a switch (slot) in megabits per second. Note the following regarding the
configuration of this value:
• The interfaces flood rate command configures a maximum ingress flood rate value for an interface.
This peak flood rate value is applied to flooded (unknown destination address, broadcast) and multicast traffic combined. For example, if an interface is configured with a peak flood rate of 500 Mbps,
the 500 Mbps limit is shared by all traffic types.
• On OmniSwitch 6800 and 6850 switches the flood rate can only be accurately configured for 512-byte
packets. The flood rate cannot be accurately set for smaller or larger sized packets. The accuracy/resolution is limited because the switch makes an internal assumption of packet size when it converts
bits/seconds to packets/seconds for the hardware.
• Although you can configure a flood rate equal to the line speed you should not do so. Alcatel recom-
mends that you always configure the flood rate to be less than the line speed.
By default the following peak flood rate values are used for limiting the rate at which traffic is flooded on
a switch port:
Parameter | Default
Mbps (10 Ethernet) | 4
Mbps (100 Fast Ethernet) | 49
Mbps (Gigabit Ethernet) | 496
Mbps (10 Gigabit Ethernet) | 997
To change the peak flood rate for an entire slot, enter interfaces followed by the slot number, flood rate,
and the flood rate in megabits. For example, to configure the peak flood rate on slot 2 as 49 megabits,
enter:
-> interfaces 2 flood rate 49
To change the peak flood rate for a single port, enter interfaces followed by the slot number, a slash (/),
the port number, flood rate, and the flood rate in megabits. For example, to configure the peak flood rate
on port 3 on slot 2 as 49 megabits, enter:
-> interfaces 2/3 flood rate 49
To change the peak flood rate for a range of ports, enter interfaces followed by the slot number, a slash (/),
the first port number, a hyphen (-), the last port number, flood rate, and the flood rate in megabits. For
example, to configure the peak flood rate on ports 1 through 3 on slot 2 as 49 megabits, enter:
-> interfaces 2/1-3 flood rate 49
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure the peak flood rate on port 22 on slot 2 as 49 megabits
and document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/22 flood rate 49
To specify the type of traffic eligible for rate limiting, see “Flood Only Rate Limiting” on page 1-10 and
“Multicast Flood Rate Limiting” on page 1-11 for more information.
Configuring a Port Alias
The interfaces alias command is used to configure an alias (i.e., description) for a single port. (You
cannot configure an entire switch or a range of ports.) To use this command, enter interfaces followed by
the slot number, a slash (/), the port number, alias, and the text description, which can be up to 40 characters long.
For example, to configure an alias of “ip_phone1” for port 3 on slot 2 enter:
-> interfaces 2/3 alias ip_phone1
Note. Spaces must be contained within quotes (e.g., “IP Phone 1”).
page 1-12
OmniSwitch 6800/6850/9000 Network Configuration Guide
June 2006
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure an alias of “ip_phone1” for port 3 on slot 2 and document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 alias ip_phone1
Configuring Maximum Frame Sizes
The interfaces max frame command can be used to configure the maximum frame size (in bytes) on a
specific port, a range of ports, or all ports on a switch. Maximum values for this command range from
1518 bytes (Ethernet packets) for Ethernet or Fast Ethernet ports to 9216 bytes (Gigabit Ethernet packets)
for Gigabit Ethernet ports.
To configure the maximum frame size on an entire slot, enter interfaces followed by the slot number,
max frame, and the frame size in bytes. For example, to set the maximum frame size on slot 2 to 9216
bytes, enter:
-> interfaces 2 max frame 9216
To configure the maximum frame size on a single port, enter interfaces followed by the slot number, a
slash (/), the port number, max frame, and the frame size in bytes. For example, to set the maximum
frame size on port 3 on slot 2 to 9216 bytes, enter:
-> interfaces 2/3 max frame 9216
To configure the maximum frame size on a range of ports, enter interfaces followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, max frame, and the frame size in bytes.
For example, to set the maximum frame size on ports 1 through 3 on slot 2 to 9216 bytes, enter:
-> interfaces 2/1-3 max frame 9216
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the maximum frame size on port 3 on slot 2 to 9216 bytes and
document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 max frame 9216
Setting Ethernet Parameters for Non Combo Ports
The following sections describe how to use CLI commands to configure non combo ports. (See the tables
in “Valid Port Settings on OmniSwitch 6800 Series Switches” on page 1-5, “Valid Port Settings on
OmniSwitch 6850 Series Switches” on page 1-5, and “Valid Port Settings on OmniSwitch 9000 Series
Switches” on page 1-6 for more information.)
• Ports 1–20 on OmniSwitch 6800-24 and OmniSwitch 6850-24 switches are non combo ports.
• Ports 1–44 on OmniSwitch 6800-48 and OmniSwitch 6850-48 switches are non combo ports.
While you can use the CLI commands described in the following sections to configure combo ports, keep in
mind that configuration changes made on combo ports configured as either forced fiber or preferred fiber
are applied only to the MiniGBIC SFP fiber ports and not to the copper RJ-45 10/100/1000 ports.
Similarly, configuration changes made on combo ports configured as either forced copper or preferred
copper are applied only to the copper RJ-45 10/100/1000 ports and not to the MiniGBIC SFP fiber ports.
See “Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches” on page 1-18 for
more information on configuring combo ports.
Setting Interface Line Speed
The interfaces speed command is used to set the line speed on a specific port, a range of ports, or all ports
on an entire switch (slot) to 10 (10 Mbps Ethernet), 100 (100 Mbps Ethernet), 1000 (1000 Mbps Gigabit
Ethernet), 10000 (10000 Mbps Gigabit Ethernet), or auto (auto-sensing, which is the default). The auto
setting automatically detects and matches the line speed of the attached device.
Note that available settings for the interfaces speed command depend on the available line speeds of your
hardware interface. See “Valid Port Settings on OmniSwitch 6800 Series Switches” on page 1-5, “Valid
Port Settings on OmniSwitch 6850 Series Switches” on page 1-5, or “Valid Port Settings on OmniSwitch
9000 Series Switches” on page 1-6 for more information.
In order to set up a speed and duplex on a port, autonegotiation should be disabled.
-> interfaces 2 autoneg disable
To set the line speed on an entire switch, enter interfaces followed by the slot number and the desired
speed. For example, to set slot 2 to 100 Mbps, enter:
-> interfaces 2 speed 100
To set the line speed on a single port, enter interfaces followed by the slot number, a slash (/), the port
number, and the desired speed. For example, to set the line speed on slot 2 port 3 at 100 Mbps, enter:
-> interfaces 2/3 speed 100
To set the line speed on a range of ports, enter interfaces followed by the slot number, a slash (/), the first
port number, a hyphen (-), the last port number, and the desired speed. For example, to set the line speed
on ports 1 through 3 on slot 2 at 100 Mbps, enter:
-> interfaces 2/1-3 speed 100
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure the line speed on slot 2 port 3 at 100 Mbps and document the interface type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 speed 100
Configuring Duplex Mode
The interfaces duplex command is used to configure the duplex mode on a specific port, a range of ports,
or all ports on a switch (slot) to full (full duplex mode, which is the default on fiber ports), half (half
duplex mode), or auto (autonegotiation, which is the default on copper ports). (The auto option causes
the switch to advertise all available duplex modes (half/full/both) for the port during autonegotiation.) In
full duplex mode, the interface transmits and receives data simultaneously. In half duplex mode, the interface can only transmit or receive data at a given time.
Note. The Auto option sets both the duplex mode and line speed settings to autonegotiation.
In order to set up a speed and duplex on a port, autonegotiation should be disabled.
-> interfaces 2 autoneg disable
To configure the duplex mode on an entire slot, enter interfaces followed by the slot number, duplex, and
the desired duplex setting (auto, full, or half). For example, to set the duplex mode on slot 2 to full, enter:
-> interfaces 2 duplex full
To configure the duplex mode on a single port, enter interfaces followed by the slot number, a slash (/),
the port number, duplex, and the desired duplex setting (auto, full, or half). For example, to set the
duplex mode on port 3 on slot 2 to full, enter:
-> interfaces 2/3 duplex full
To configure the duplex mode on a range of ports, enter interfaces followed by the slot number, a slash (/),
the first port number, a hyphen (-), the last port number, duplex, and the desired duplex setting (auto,
full, or half). For example, to set the duplex mode on ports 1 through 3 on slot 2 to full, enter:
-> interfaces 2/1-3 duplex full
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the duplex mode on port 3 on slot 2 and document the port as
Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 duplex full
Configuring Inter-frame Gap Values
Inter-frame gap is a measure of the minimum idle time between the end of one frame transmission and the
beginning of another. By default, the inter-frame gap is 12 bytes. The interfaces ifg command can be used
to configure the inter-frame gap value (in bytes) on a specific port, a range of ports, or all ports on a
switch (slot). Values for this command range from 9 to 12 bytes.
Note. This command is only valid on Gigabit ports.
To configure the inter-frame gap on an entire slot, enter interfaces, followed by the slot number, ifg, and
the desired inter-frame gap value. For example, to set the inter-frame gap value on slot 2 to 10 bytes, enter:
-> interfaces 2 ifg 10
To configure the inter-frame gap on a single port, enter interfaces, followed by the slot number, a slash (/),
the port number, ifg, and the desired inter-frame gap value. For example, to set the inter-frame gap value
on port 20 on slot 2 to 10 bytes, enter:
-> interfaces 2/20 ifg 10
To configure the inter-frame gap on a range of ports, enter interfaces, followed by the slot number, a slash
(/), the first port number, a hyphen (-), the last port number, ifg, and the desired inter-frame gap value. For
example, to set the inter-frame gap value on ports 20 through 22 on slot 2 to 10 bytes, enter:
-> interfaces 2/20-22 ifg 10
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the inter-frame gap value on port 20 on slot 2 to 10 bytes and
document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/20 ifg 10
Note. Since the interfaces ifg command is only supported on Gigabit interfaces, only the gigaethernet
keyword should be used.
Configuring Autonegotiation and Crossover Settings
The following subsections describe how to enable and disable autonegotiation (see “Enabling and
Disabling Autonegotiation” on page 1-16) and configure crossover settings (see “Configuring Crossover
Settings” on page 1-17).
Enabling and Disabling Autonegotiation
By default, autonegotiation is enabled. To enable or disable autonegotiation on a single port, a range of
ports, or an entire slot, use the interfaces autoneg command. (See “Configuring Crossover Settings” on
page 1-17 and “Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches” on
page 1-18 for more information).
To enable or disable autonegotiation on an entire switch, enter interfaces, followed by the slot number,
autoneg, and either enable or disable. For example, to enable autonegotiation on slot 2, enter:
-> interfaces 2 autoneg enable
To enable or disable autonegotiation on a single port, enter interfaces, followed by the slot number, a
slash (/), the port number, autoneg, and either enable or disable. For example, to enable autonegotiation
on port 3 on slot 2, enter:
-> interfaces 2/3 autoneg enable
To enable or disable autonegotiation on a range of ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, autoneg, and either enable or disable.
For example, to enable autonegotiation on ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 autoneg enable
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to enable autonegotiation on port 3 on slot 2 and document the port
as Ethernet, enter:
-> interfaces ethernet 2/3 autoneg enable
Note. Please refer to “Autonegotiation Guidelines” on page 1-7 for guidelines on configuring autonegotiation.
Configuring Crossover Settings
To configure crossover settings on a single port, a range of ports, or an entire slot use the
interfaces crossover command. If autonegotiation is disabled, auto MDIX, auto speed, and auto duplex
are not accepted.
Setting the crossover configuration to auto will configure the interface or interfaces to automatically
detect crossover settings. Setting crossover configuration to mdix will configure the interface or interfaces for MDIX (Media Dependent Interface with Crossover), which is the standard for hubs and switches.
Setting crossover to mdi will configure the interface or interfaces for MDI (Media Dependent Interface),
which is the standard for end stations. And setting the crossover configuration to disable will disable
crossover configuration on an interface or interfaces.
To configure crossover settings on an entire switch, enter interfaces, followed by the slot number, crossover, and the desired setting. For example, to set the crossover configuration to auto on slot 2, enter:
-> interfaces 2 crossover auto
To configure crossover settings on a single port, enter interfaces, followed by the slot number, a slash (/),
the port number, crossover, and the desired setting. For example, to set the crossover configuration to auto
on port 3 on slot 2, enter:
-> interfaces 2/3 crossover auto
To configure crossover settings on a range of ports, enter interfaces, followed by the slot number, a slash
(/), the first port number, a hyphen (-), the last port number, crossover, and the desired setting. For example, to set the crossover configuration to auto on ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 crossover auto
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the crossover configuration to auto on port 3 on slot 2 and
document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 crossover auto
Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches
The following sections describe how to use CLI commands to configure combo ports on OmniSwitch
6800 and 6850 switches only.
• Ports 21–24 on the OmniSwitch 6800-24 and OmniSwitch 6850-24 switches are combo ports.
• Ports 45–48 on the OmniSwitch 6800-48 and OmniSwitch 6850-48 switches are combo ports.
Setting the Combo Port Type and Mode
By default, all combo ports on OmniSwitch 6800 Series and OmniSwitch 6850 Series switches are set to
preferred fiber. The following subsections describe how to set a single combo port, a range of combo
ports, or all combo ports on an entire switch to forced fiber (see “Setting Combo Ports to Forced Fiber” on
page 1-18), preferred copper (“Setting Combo Ports to Preferred Copper” on page 1-19), forced copper
(“Setting Combo Ports to Forced Copper” on page 1-19), and preferred fiber (“Setting Combo Ports to
Preferred Fiber” on page 1-20).
Note. See “OmniSwitch 6800 and 6850 Series Combo Ports” on page 1-4 for an overview of combo port
types and modes.
Setting Combo Ports to Forced Fiber
In forced fiber mode, combo ports will always use the fiber MiniGBIC SFP port instead of the equivalent
copper RJ-45 10/100/1000 port. To set a single combo port, a range of combo ports, or all combo ports on
a switch to forced fiber, use the interfaces hybrid forced-fiber command.
To set all combo ports on an entire switch to forced fiber mode, enter interfaces, followed by the slot
number and hybrid forced-fiber. For example, to set all combo ports on slot 2 to forced fiber, enter:
-> interfaces 2 hybrid forced-fiber
To set a single combo port to forced fiber, enter interfaces, followed by the slot number, a slash (/), the
port number, and hybrid forced-fiber. For example, to set port 47 on slot 1 to forced fiber, enter:
-> interfaces 1/47 hybrid forced-fiber
To set a range of combo ports to forced fiber ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid forced-fiber. For example,
to set combo ports 46 through 48 on slot 1 to forced fiber, enter:
-> interfaces 1/46-48 hybrid forced-fiber
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to forced fiber and document the interface
type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid forced-fiber
Setting Combo Ports to Preferred Copper
In preferred copper mode, combo ports will use the copper RJ-45 10/100/1000 port instead of the fiber
MiniGBIC SFP port, if both ports are enabled and have a valid link. If the copper port goes down, then the
switch will automatically switch to the fiber MiniGBIC SFP port. To set a single combo port, a range of
combo ports, or all combo ports on a switch to preferred copper, use the interfaces hybrid preferred-copper command.
To set all combo ports on an entire switch to preferred copper mode, enter interfaces, followed by the slot
number and hybrid preferred-copper. For example, to set all combo ports on slot 2 to preferred copper,
enter:
-> interfaces 2 hybrid preferred-copper
To set a single combo port to preferred copper, enter interfaces, followed by the slot number, a slash (/),
the port number, and hybrid preferred-copper. For example, to set port 47 on slot 1 to preferred copper,
enter:
-> interfaces 1/47 hybrid preferred-copper
To set a range of combo ports to preferred copper ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid preferred-copper. For
example, to set combo ports 46 through 48 on slot 1 to preferred copper, enter:
-> interfaces 1/46-48 hybrid preferred-copper
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to preferred copper and document the
interface type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid preferred-copper
Setting Combo Ports to Forced Copper
In forced copper mode combo ports will always use the copper RJ-45 10/100/1000 port instead of the
equivalent fiber MiniGBIC SFP port. To set a single combo port, a range of combo ports, or all combo
ports on a switch to forced copper use the interfaces hybrid forced-copper command.
To set all combo ports on an entire switch to forced copper mode, enter interfaces, followed by the slot
number and hybrid forced-copper. For example, to set all combo ports on slot 2 to forced copper, enter:
-> interfaces 2 hybrid forced-copper
To set a single combo port to forced copper, enter interfaces, followed by the slot number, a slash (/), the
port number, and hybrid forced-copper. For example, to set port 47 on slot 1 to forced copper, enter:
-> interfaces 1/47 hybrid forced-copper
To set a range of combo ports to forced copper ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid forced-copper. For example, to set combo ports 46 through 48 on slot 1 to forced copper, enter:
-> interfaces 1/46-48 hybrid forced-copper
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to forced copper and document the interface
type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid forced-copper
Setting Combo Ports to Preferred Fiber
In preferred fiber mode (the default), combo ports will use the fiber MiniGBIC SFP port instead of the
copper RJ-45 10/100/1000 port if both ports are enabled and have a valid link. If the fiber port goes down,
then the switch will automatically switch to the copper RJ-45 port. To set a single combo port, a range of
combo ports, or all combo ports on a switch to preferred fiber use the interfaces hybrid preferred-fiber
command.
To set all combo ports on an entire switch to preferred fiber mode, enter interfaces, followed by the slot
number and hybrid preferred-fiber. For example, to set all combo ports on slot 2 to preferred fiber, enter:
-> interfaces 2 hybrid preferred-fiber
To set a single combo port to preferred fiber, enter interfaces, followed by the slot number, a slash (/), the
port number, and hybrid preferred-fiber. For example, to set port 47 on slot 1 to preferred fiber, enter:
-> interfaces 1/47 hybrid preferred-fiber
To set a range of combo ports to preferred fiber ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid preferred-fiber. For example, to set combo ports 46 through 48 on slot 1 to preferred fiber, enter:
-> interfaces 1/46-48 hybrid preferred-fiber
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to preferred fiber and document the interface
type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid preferred-fiber
Setting Interface Line Speed for Combo Ports
The interfaces hybrid speed command is used to set the line speed on a specific combo port, a range of
combo ports, or all combo ports on an entire switch (slot) to 10 (10 Mbps Ethernet), 100 (100 Mbps Fast
Ethernet), 1000 (1000 Mbps Gigabit Ethernet, which is the default for combo MiniGBIC SFP ports),
10000 (10000 Mbps Gigabit Ethernet, which is the default for 10 Gigabit ports), or auto (auto-sensing,
which is the default for combo 10/100/1000 ports). The auto setting automatically detects and matches the
line speed of the attached device. (Available settings for this command depend on the available line speeds
of your hardware interface. See “Valid Port Settings on OmniSwitch 6800 Series Switches” on page 1-5
and “Valid Port Settings on OmniSwitch 6850 Series Switches” on page 1-5 for more information.)
Note. In the interfaces hybrid speed command, the copper keyword is used to configure the copper RJ-45
10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
To set the line speed for all combo ports on an entire switch, enter interfaces, followed by the slot
number, hybrid, either fiber or copper, and the desired speed. For example, to set all combo copper ports
on slot 2 to 100 Mbps, enter:
-> interfaces 2 hybrid copper speed 100
Note. Using the interfaces hybrid speed command to set all combo ports on a switch will not affect the
configuration of the non combo ports.
To set the line speed on a single combo port, enter interfaces, followed by the slot number, a slash (/), the
combo port number, hybrid, either fiber or copper, and the desired speed. For example, to set the line
speed on slot 2 combo copper RJ-45 port 47 to 100 Mbps, enter:
-> interfaces 2/47 hybrid copper speed 100
To set the line speed on a range of combo ports, enter interfaces, followed by the slot number, a slash (/),
the first combo port number, a hyphen (-), the last combo port number, hybrid, either fiber or copper,
and the desired speed. For example, to set the line speed on combo copper ports 46 through 48 on slot 2 to
100 Mbps, enter:
-> interfaces 2/46-48 hybrid copper speed 100
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure the line speed on slot 2 combo copper port 47 at 100
Mbps and document the interface type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/47 hybrid copper speed 100
Configuring Duplex Mode for Combo Ports
The interfaces hybrid duplex command is used to configure the duplex mode on a specific combo port, a
range of combo ports, or all combo ports on a switch (slot) to full (full duplex mode, which is the default
for 100 Mbps fiber SFP, 1 Gbps fiber SFP, and 1 Gbps XFP ports), half (half duplex mode), or auto (autonegotiation, which is the default for copper RJ-45 ports). (The auto option sets both the duplex mode and
line speed settings to autonegotiation.) In full duplex mode, the interface transmits and receives data
simultaneously. In half duplex mode, the interface can only transmit or receive data at a given time.
(Available settings for this command depend on the available line speeds of your hardware interface. See
“Valid Port Settings on OmniSwitch 6800 Series Switches” on page 1-5 and “Valid Port Settings on
OmniSwitch 6850 Series Switches” on page 1-5 for more information.)
Note. In the interfaces hybrid duplex command, the copper keyword is used to configure the copper RJ-45 10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
To configure the duplex mode on an entire slot, enter interfaces, followed by the slot number, hybrid,
either fiber or copper, duplex, and the desired duplex setting (auto, full, or half). For example, to set the
duplex mode on all fiber combo ports on slot 2 to full, enter:
-> interfaces 2 hybrid fiber duplex full
Note. Using the interfaces hybrid duplex command to set all combo ports on a switch will not affect the
configuration of the non combo ports.
To configure the duplex mode on a single combo port, enter interfaces, followed by the slot number, a
slash (/), the combo port number, hybrid, either fiber or copper, duplex, and the desired duplex setting
(auto, full, or half). For example, to set the duplex mode on the fiber combo port 47 on slot 2 to full,
enter:
-> interfaces 2/47 hybrid fiber duplex full
To configure the duplex mode on a range of combo ports, enter interfaces, followed by the slot number, a
slash (/), the first combo port number, a hyphen (-), the last combo port number, hybrid, either fiber or
copper, duplex, and the desired duplex setting (auto, full, or half). For example, to set the duplex mode
on fiber combo ports 45 through 48 on slot 2 to full, enter:
-> interfaces 2/45-48 hybrid fiber duplex full
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the duplex mode on the fiber combo port 47 on slot 2 and
document the fiber combo port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/47 hybrid fiber duplex full
Configuring Autonegotiation and Crossover for Combo Ports
The following subsections describe how to enable and disable autonegotiation (see “Enabling and
Disabling Autonegotiation for Combo Ports” on page 1-22) and configure crossover settings (see “Configuring Crossover Settings for Combo Ports” on page 1-23) on combo ports.
Enabling and Disabling Autonegotiation for Combo Ports
By default, autonegotiation is enabled. To enable or disable autonegotiation on a single combo port, a
range of combo ports, or all combo ports on an entire slot, use the interfaces hybrid autoneg command.
(See “Configuring Crossover Settings for Combo Ports” on page 1-23 for more information).
Note. In the interfaces hybrid autoneg command, the copper keyword is used to configure the copper RJ-45 10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
To enable or disable autonegotiation on all combo ports in an entire switch, enter interfaces, followed by
the slot number, hybrid, either fiber or copper, autoneg, and either enable or disable. For example, to
enable autonegotiation on all copper combo ports on slot 2, enter:
-> interfaces 2 hybrid copper autoneg enable
Note. Using the interfaces hybrid autoneg command to set all combo ports on a switch will not affect the
configuration of the non combo ports.
To enable or disable autonegotiation on a single combo port, enter interfaces, followed by the slot
number, a slash (/), the combo port number, hybrid, either fiber or copper, autoneg, and either enable or
disable. For example, to enable autonegotiation on copper combo port 47 on slot 2, enter:
-> interfaces 2/47 hybrid copper autoneg enable
To enable or disable autonegotiation on a range of combo ports, enter interfaces, followed by the slot
number, a slash (/), the first combo port number, a hyphen (-), the last combo port number, hybrid, either
fiber or copper, autoneg, and either enable or disable. For example, to enable autonegotiation on copper
combo ports 45 through 48 on slot 2, enter:
-> interfaces 2/45-48 hybrid copper autoneg enable
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to enable autonegotiation on copper combo port 47 on slot 2 and
document the combo port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/47 hybrid copper autoneg enable
Note. Please refer to “Autonegotiation Guidelines” on page 1-7 for guidelines on configuring autonegotiation.
Configuring Crossover Settings for Combo Ports
To configure crossover settings on a single combo port, a range of combo ports, or all combo ports in an
entire slot, use the interfaces hybrid crossover command. If autonegotiation is disabled, auto MDIX,
auto speed, and auto duplex are not accepted.
Note. In the interfaces hybrid crossover command, the copper keyword is used to configure the copper
RJ-45 10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
Setting the crossover configuration to auto will configure the interface or interfaces to automatically
detect crossover settings. Setting crossover configuration to mdix will configure the interface or interfaces for MDIX (Media Dependent Interface with Crossover), which is the standard for hubs and switches.
Setting crossover to mdi will configure the interface or interfaces for MDI (Media Dependent Interface),
which is the standard for end stations. And setting the crossover configuration to disable will disable
crossover configuration on an interface or interfaces.
To configure crossover settings for all combo ports on an entire switch, enter interfaces, followed by the
slot number, hybrid, either fiber or copper, crossover, and the desired setting. For example, to set the
crossover configuration to auto for all copper combo ports on slot 2, enter:
-> interfaces 2 hybrid copper crossover auto
Note. Using the interfaces hybrid crossover command to set all combo ports on a switch will not affect
the configuration of the non combo ports.
To configure crossover settings on a single combo port, enter interfaces, followed by the slot number, a
slash (/), the combo port number, hybrid, either fiber or copper, crossover, and the desired setting. For
example, to set the crossover configuration to auto on copper combo port 47 on slot 2, enter:
-> interfaces 2/47 hybrid copper crossover auto
To configure crossover settings on a range of combo ports, enter interfaces, followed by the slot number,
a slash (/), the first combo port number, a hyphen (-), the last combo port number, hybrid, either fiber or
copper, crossover, and the desired setting. For example, to set the crossover configuration to auto on
copper combo ports 45 through 48 on slot 2, enter:
-> interfaces 2/45-48 hybrid copper crossover auto
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the crossover configuration to auto on copper combo port 47
on slot 2 and document the combo port as Gigabit Ethernet, enter:
-> interfaces gigaethernet hybrid copper 2/3 crossover auto
Combo Port Application Example
The figure below shows a sample application example for using OmniSwitch 6800 Series combo ports.
Workstations A and B are connected with 100 Mbps links to copper combo ports 1/45 and 1/46, respectively. (MiniGBIC SFP combo ports 1/45 and 1/46 are unused.) Server A has a primary 1 Gbps fiber
connection to combo MiniGBIC SFP port 1/47 and a backup 100 Mbps connection to copper combo port
1/47. And the OmniSwitch 9700 has a primary 1 Gbps connection to combo MiniGBIC SFP port 1/48 and
a backup 100 Mbps connection to copper combo port 1/48.
[Figure: Combo Port Application Example. An OmniSwitch 6800 Series switch with: OmniSwitch 9700 connected to MiniGBIC SFP port 1/48 (primary) and RJ-45 port 1/48 (backup); Workstation A connected to RJ-45 port 1/45; Workstation B connected to RJ-45 port 1/46; Server A connected to MiniGBIC SFP port 1/47 (primary) and RJ-45 port 1/47 (backup). Link labels: 100 Mbps, 1 Gbps.]
Follow the steps below to configure this application example:
1 Set the speed of copper combo ports 1/45 through 1/48 to 100 Mbps with the interfaces hybrid speed
command by entering:
-> interfaces 1/45-48 hybrid copper speed 100
2 Set copper combo ports 1/45 and 1/46 to forced copper mode—which will ensure the links stay up even
if a cable is plugged into MiniGBIC SFP combo ports 1/45 and 1/46—with the interfaces hybrid forced-copper command by entering:
-> interfaces 1/45-46 hybrid forced-copper
3 Verify that combo ports 1/47 and 1/48 are set to the default setting of preferred fiber (which will make
the MiniGBIC SFP ports 1/47 and 1/48 the primary connections while copper combo ports 1/47 and 1/48
will only become active if the equivalent MiniGBIC SFP ports go down) with the show interfaces status
command as shown below:
-> show interfaces 1/45-48 status
                          DETECTED                   CONFIGURED
 Slot/  AutoNego  Speed   Duplex  Hybrid   Speed   Duplex  Hybrid  Trap
 Port             (Mbps)          Type     (Mbps)          Mode    LinkUpDown
-----+--------+------+------+------+--------+------+------+-----
 1/45   Enable    100    Auto    FC
 1/45   Enable   1000    Full    FC
 1/46   Enable    100    Auto    FC
 1/46   Enable   1000    Full    FC
 1/47   Enable   1000    Full    PF
 1/47   Enable    100    Auto    PF
 1/48   Enable   1000    Full    PF
 1/48   Enable    100    Auto    PF
FF - ForcedFiber    PF - PreferredFiber    F - Fiber
FC - ForcedCopper   PC - PreferredCopper   C - Copper
In the output above combo ports 1/47 and 1/48 are set to preferred fiber. (To configure combo ports as
preferred fiber use the interfaces hybrid preferred-fiber command.)
Verifying Ethernet Port Configuration
To display information about Ethernet port configuration settings, use the show commands listed in the
following table.
show interfaces flow control - Displays interface flow control wait time settings in nanoseconds.
show interfaces - Displays general interface information, such as hardware, MAC address, input and output errors.
show interfaces accounting - Displays interface accounting information.
show interfaces counters - Displays interface counters information.
show interfaces counters errors - Displays interface error frame information for Ethernet and Fast Ethernet ports.
show interfaces collisions - Displays collision statistics information for Ethernet and Fast Ethernet ports.
show interfaces status - Displays line status information.
show interfaces port - Displays port status information.
show interfaces ifg - Displays inter-frame gap values.
show interfaces flood rate - Displays peak flood rate settings.
show interfaces traffic - Displays interface traffic statistics.
show interfaces capability - Displays autonegotiation, flow, speed, duplex, and crossover settings.
show interfaces hybrid - Displays general interface information (e.g., hardware, MAC address, input errors, output errors) for combo ports.
show interfaces hybrid status - Displays line status information for combo ports.
show interfaces hybrid flow control - Displays interface flow control wait time settings in nanoseconds for combo ports.
show interfaces hybrid capability - Displays autonegotiation, flow, speed, duplex, and crossover settings for combo ports.
show interfaces hybrid accounting - Displays interface accounting information (e.g., packets received/transmitted, deferred frames received) for combo ports.
show interfaces hybrid counters - Displays interface counters information (e.g., unicast, broadcast, multicast packets received/transmitted) for combo ports.
show interfaces hybrid counters errors - Displays interface error frame information (e.g., CRC errors, transit errors, receive errors) for combo ports.
show interfaces hybrid collisions - Displays interface collision information (e.g., number of collisions, number of retries) for combo ports.
show interfaces hybrid traffic - Displays interface traffic statistics for combo ports.
show interfaces hybrid port - Displays interface port status (up or down) for combo ports.
show interfaces hybrid flood rate - Displays interface peak flood rate settings for combo ports.
show interfaces hybrid ifg - Displays interface inter-frame gap values for combo ports.
These commands can be quite useful in troubleshooting and resolving potential configuration issues or
problems on your switch. For more information about the resulting displays from these commands, see the
OmniSwitch CLI Reference Guide.
2 Managing Source Learning
Transparent bridging relies on a process referred to as source learning to handle traffic flow. Network
devices communicate by sending and receiving data packets that each contain a source MAC address and a
destination MAC address. When packets are received on switch network interface (NI) module ports,
source learning examines each packet and compares the source MAC address to entries in a MAC address
database table. If the table does not contain an entry for the source address, then a new record is created
associating the address with the port it was learned on. If an entry for the source address already exists in
the table, a new one is not created.
Packets are also filtered to determine if the source and destination address are on the same LAN segment.
If the destination address is not found in the MAC address table, then the packet is forwarded to all other
switches that are connected to the same LAN. If the MAC address table does contain a matching entry for
the destination address, then there is no need to forward the packet to the rest of the network.
In This Chapter
This chapter describes how to manage source learning entries in the switch MAC address table (often
referred to as the forwarding or filtering database) through the Command Line Interface (CLI). CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• “Using Static MAC Addresses” on page 2-4.
• “Configuring MAC Address Table Aging Time” on page 2-6.
• “Selecting the Source Learning Mode” on page 2-7.
• “Displaying Source Learning Information” on page 2-8.
Source Learning Specifications
RFCs supported: 2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
IEEE Standards supported: 802.1Q - Virtual Bridged Local Area Networks; 802.1D - Media Access Control Bridges
Maximum number of learned MAC addresses per switch: 16K
Maximum number of learned MAC addresses total for a stack of switches: 8K
Source Learning Defaults
Parameter Description                 | Command                      | Default
Static MAC address management status  | mac-address-table            | permanent
Static MAC address operating mode     | mac-address-table            | bridging
MAC address aging timer               | mac-address-table aging-time | 300 seconds
Source learning mode                  | source-learning              | hardware
Sample MAC Address Table Configuration
The following steps provide a quick tutorial that will create a static MAC address and change the MAC
address aging timer for VLAN 200:
Note. Optional. Creating a static MAC address involves specifying an address that is not already used in
another static entry or already dynamically learned by the switch. To determine if the address is already
known to the MAC address table, enter show mac-address-table. If the address does not appear in the
show mac-address-table output, then it is available to use for configuring a static MAC address entry. For
example,
-> show mac-address-table
Legend: Mac Address: * = address not valid
 Vlan   Mac Address         Type           Protocol    Operation    Interface
------+-------------------+--------------+-----------+------------+-----------
   1    00:00:00:00:00:01   learned        0800        bridging     8/ 1
   1    00:d0:95:6a:73:9a   learned        aaaa0003    bridging     10/23
Total number of Valid MAC addresses above = 2
The show mac-address-table command is also useful for monitoring general source learning activity and
verifying dynamic VLAN assignments of addresses received on mobile ports.
1 Create VLAN 200, if it does not already exist, using the following command:
-> vlan 200
2 Assign switch ports 2 through 5 on slot 3 to VLAN 200–if they are not already associated with VLAN
200–using the following command:
-> vlan 200 port default 3/2-5
3 Create a static MAC address entry using the following command to assign address 002D95:5BF30E to
port 3/4 associated with VLAN 200 and to specify a permanent management status for the static address:
-> mac-address-table permanent 00:2d:95:5B:F3:0E 3/4 200
4 Change the MAC address aging time to 1200 seconds (the default is 300 seconds) using the following
command:
-> mac-address-table aging-time 1200
Note. Optional. To verify the static MAC address configuration, enter show mac-address-table. For
example:
-> show mac-address-table
Legend: Mac Address: * = address not valid
 Vlan   Mac Address         Type           Protocol    Operation    Interface
------+-------------------+--------------+-----------+------------+-----------
   1    00:00:00:00:00:01   learned        0800        bridging     8/1
   1    00:d0:95:6a:73:9a   learned        aaaa0003    bridging     10/23
 200    00:2d:95:5b:f3:0e   delontimeout   0           bridging     3/4
Total number of Valid MAC addresses above = 3
To verify the new aging time value, enter show mac-address-table aging-time. For example,
-> show mac-address-table aging-time
Mac Address Aging Time (seconds) = 300
MAC Address Table Overview
Source learning builds and maintains the MAC address table on each switch. New MAC address table
entries are created in one of two ways: they are dynamically learned or statically assigned. Dynamically
learned MAC addresses are those that are obtained by the switch when source learning examines data
packets and records the source address and the port and VLAN it was learned on. Static MAC addresses
are user defined addresses that are statically assigned to a port and VLAN using the mac-address-table
command.
Accessing MAC Address Table entries is useful for managing traffic flow and troubleshooting network
device connectivity problems. For example, if a workstation connected to the switch is unable to communicate with another workstation connected to the same switch, the MAC address table might show that one
of these devices was learned on a port that belonged to a different VLAN or the source MAC address of
one of the devices may not appear at all in the address table.
Using Static MAC Addresses
Static MAC addresses are configured using the mac-address-table command. These addresses direct
network traffic to a specific port and VLAN. They are particularly useful when dealing with silent network
devices. These types of devices do not send packets, so their source MAC address is never learned and
recorded in the MAC address table. Assigning a MAC address to the silent device’s port creates a record
in the MAC address table and ensures that packets destined for the silent device are forwarded out that
port.
When defining a static MAC address for a particular slot/port and VLAN, consider the following:
• Configuring static MAC addresses is only supported on non-mobile ports.
• The specified slot/port must already belong to the specified VLAN. Use the vlan port default
command to assign a port to a VLAN before you configure the static MAC address.
• Only traffic from other ports associated with the same VLAN is directed to the static MAC address
slot/port.
• Static MAC addresses are permanent addresses. This means that a static MAC address remains in use
even if the MAC ages out or the switch is rebooted.
• There are two types of static MAC address behavior supported: bridging (default) or filtering. Enter
filtering to set up a denial of service to block potential hostile attacks. Traffic sent to or from a filtered
MAC address is dropped. Enter bridging for regular traffic flow to or from the MAC address. For
more information about Layer 2 filtering, see Chapter 26, “Configuring QoS.”
• If a packet received on a port associated with the same VLAN contains a source address that matches a
static MAC address, the packet is discarded. The same source address on different ports within the
same VLAN is not supported.
• If a static MAC address is configured on a port link that is down or disabled, an asterisk appears to the
right of the MAC address in the show mac-address-table command display. The asterisk indicates that
this is an invalid MAC address. When the port link comes up, however, the MAC address is then
considered valid and the asterisk no longer appears next to the address in the display.
Configuring Static MAC Addresses
To configure a permanent, bridging static MAC address, enter mac-address-table followed by a MAC
address, slot/port, and the VLAN ID to assign to the MAC address. For example, the following assigns a
MAC address to port 10 on slot 4 associated with VLAN 255:
-> mac-address-table 00:02:DA:00:59:0C 4/10 255
Since permanent and bridging options for a static MAC are default settings, it is not necessary to enter
them as part of the command.
Use the no form of this command to clear MAC address entries from the table. If the MAC address status
type (permanent or learned) is not specified, then only permanent addresses are removed from the table.
The following example removes a MAC address entry that is assigned on port 2 of slot 3 for VLAN 855
from the MAC address table:
-> no mac-address-table 00:00:02:CE:10:37 3/2 855
If a slot/port and VLAN ID are not specified when removing MAC address table entries, then all MACs
defined with the specified status are removed. For example, the following command removes all learned
MAC addresses from the table, regardless of their slot/port or VLAN assignments:
-> no mac-address-table learned
To verify static MAC address configuration and other table entries, use the show mac-address-table
command. For more information about this command, see the OmniSwitch CLI Reference Guide.
Static MAC Addresses on Link Aggregate Ports
Static MAC Addresses are not assigned to physical ports that belong to a link aggregate. Instead, they are
assigned to a link aggregate ID that represents a collection of physical ports. This ID is specified at the
time the link aggregate of ports is created and when using the mac-address-table command.
To configure a permanent, bridging static MAC address on a link aggregate ID, enter mac-address-table
followed by a MAC address, then linkagg followed by the link aggregate ID, and the VLAN ID to assign
to the MAC address. For example, the following assigns a MAC address to link aggregate ID 2 associated
with VLAN 455:
-> mac-address-table 00:95:2A:00:3E:4C linkagg 2 455
For more information about configuring a link aggregate of ports, see Chapter 13, “Configuring Static
Link Aggregation” and Chapter 14, “Configuring Dynamic Link Aggregation.”
Configuring MAC Address Table Aging Time
Source learning also tracks MAC address age and removes addresses from the MAC address table that
have aged beyond the aging timer value. When a device stops sending packets, source learning keeps track
of how much time has passed since the last packet was received on the device’s switch port. When this
amount of time exceeds the aging time value, the MAC is aged out of the MAC address table. Source
learning always starts tracking MAC address age from the time since the last packet was received.
By default, the aging time is set to 300 seconds (5 minutes) and is configured on a global basis using the
mac-address-table aging-time command. For example, the following sets the aging time for all VLANs
to 1200 seconds (20 minutes):
-> mac-address-table aging-time 1200
A MAC address learned on any VLAN port will age out if the time since a packet with that address was
last seen on the port exceeds 1200 seconds.
Note. The aging time actually used is twice the value specified. For example, if an aging time of
60 seconds is specified, the MAC will age out after 120 seconds of inactivity.
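To make the learning, flooding, static-entry and aging rules of this chapter concrete, here is an added Python model (not Alcatel code, and not how the switch itself implements source learning) that replays the sample VLAN 200 configuration from "Sample MAC Address Table Configuration"; the port list and host addresses are constructed for the example.

```python
"""Model of the source-learning rules this chapter describes.
Added example, not Alcatel code: a simplified MAC address table that learns
source addresses per port and VLAN, holds static (permanent) entries in
bridging or filtering mode, ages dynamic entries out, and decides whether a
frame is flooded, sent to one port, or dropped. Port moves are not modelled.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    port: str         # "slot/port" (or a link aggregate ID)
    vlan: int
    static: bool      # True for user-defined (permanent) entries
    operation: str    # "bridging" or "filtering"
    last_seen: float  # time of the last frame from this address (dynamic only)


class MacTable:
    def __init__(self, aging_time=300):
        # 300 seconds is the chapter's default; set globally, like
        # "mac-address-table aging-time".
        self.aging_time = aging_time
        self.entries = {}             # (vlan, mac) -> Entry

    def add_static(self, mac, port, vlan, operation="bridging"):
        # Equivalent of "mac-address-table <mac> <slot/port> <vlan>" with the
        # default permanent status; the port is assumed to belong to the VLAN.
        self.entries[(vlan, mac.lower())] = Entry(port, vlan, True, operation, 0.0)

    def count(self):
        learned = sum(1 for e in self.entries.values() if not e.static)
        return {"learned": learned, "permanent": len(self.entries) - learned}

    def expire(self, now):
        # Chapter note: the effective age-out is twice the configured value.
        limit = 2 * self.aging_time
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.last_seen > limit]
        for key in stale:
            del self.entries[key]

    def process(self, src, dst, in_port, vlan, now, vlan_ports):
        """Return the egress port list for one frame; [] means dropped."""
        self.expire(now)
        src, dst = src.lower(), dst.lower()
        entry = self.entries.get((vlan, src))
        if entry is not None and entry.static:
            # A source that matches a static MAC configured on another port of
            # the same VLAN is discarded, as is any frame from a filtered MAC.
            if entry.port != in_port or entry.operation == "filtering":
                return []
        elif entry is None:
            # New source: record the address with the port it was seen on.
            self.entries[(vlan, src)] = Entry(in_port, vlan, False, "bridging", now)
        else:
            entry.last_seen = now     # inactivity clock restarts on every frame
        target = self.entries.get((vlan, dst))
        if target is None:
            # Unknown destination: flood to every other port in the VLAN.
            return [p for p in vlan_ports[vlan] if p != in_port]
        if target.operation == "filtering" or target.port == in_port:
            return []                 # filtered, or already on the same segment
        return [target.port]


def chapter_example():
    """The chapter's sample configuration: VLAN 200 on ports 3/2-5, a static
    MAC on 3/4 and an aging time of 1200 seconds (constructed input)."""
    vlan_ports = {200: ["3/2", "3/3", "3/4", "3/5"]}
    table = MacTable(aging_time=1200)
    table.add_static("00:2d:95:5B:F3:0E", "3/4", 200)
    return table, vlan_ports
```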
When using the mac-address-table aging-time command in a switch configuration file (e.g., boot.cfg),
include an instance of this command specifying the VLAN ID for each VLAN configured on the switch.
This is necessary even if all VLANs will have the same aging time value.
To set the aging time back to the default value, use the no form of the mac-address-table aging-time
command. For example, the following sets the aging time for all VLANs back to the default of 300
seconds:
-> no mac-address-table aging-time
Note. The MAC address table aging time is also used as the timeout value for the Address Resolution
Protocol (ARP) table. This timeout value determines how long the switch retains dynamically learned
ARP table entries. See Chapter 12, “Configuring IP,” for more information.
To display the aging time value for one or all VLANs, use the show mac-address-table aging-time
command. For more information about this command, see the OmniSwitch CLI Reference Guide.
Selecting the Source Learning Mode
There are two types of source learning modes currently available: software and hardware. The software
mode performs all source learning using switch software. The hardware mode takes advantage of hardware resources that are now available to perform source learning tasks. At the present time, it is possible
to select which mode is active for the chassis and/or a given set of ports.
By default, hardware source learning mode is active for the switch. The exception to this is that hardware
source learning is not supported on mobile or Learned Port Security (LPS) ports. As a result, only software source learning is performed on these types of ports.
Selecting which source learning mode a port uses is configurable on a port-by-port or chassis-wide basis
using the source-learning command. For example, the following command selects the software source
learning mode for the entire chassis:
-> source-learning chassis software
When the above command is entered, all ports on the switch will use the software source learning mode,
unless they are configured to use a different mode. For example, the following command selects the hardware source learning mode for ports 3/1 through 3/12:
-> source-learning 3/1-12 hardware
Note that in the above example, a range of port numbers is specified instead of using the chassis keyword.
This specifies that these ports are to use the hardware source learning mode, even though the software
mode is configured for the chassis. The port mode always takes precedence over the chassis mode.
Consider the following items when configuring the source learning mode:
• If a port is a member of a link aggregate, the source learning mode for the link aggregate applies,
which is the default mode for the chassis. Once that port is no longer a member of the aggregate, the
mode configured for that port is applied.
• When mobility is turned off for a port, the port reverts back to using the source learning mode that was
configured for that port. The same is true when an LPS configuration is removed from a port.
• Note that if LPS is disabled on a port but the LPS configuration is not removed, the port is still
considered an LPS port and will only use the software source learning mode.
Displaying Source Learning Information
To display MAC Address Table entries, statistics, and aging time values, use the show commands listed
below:
show mac-address-table - Displays a list of all MAC addresses known to the MAC address table, including static MAC addresses.
show mac-address-table count - Displays a count of the different types of MAC addresses (learned, permanent, reset, and timeout). Also includes a total count of all addresses known to the MAC address table.
show mac-address-table aging-time - Displays the current MAC address aging timer value by switch or VLAN.
show source-learning mode - Displays the configured source learning mode for one or more ports.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show mac-address-table and show mac-address-table
aging-time commands is also given in “Sample MAC Address Table Configuration” on page 2-2.
3 Using 802.1s Multiple Spanning Tree
The Alcatel Multiple Spanning Tree (MST) implementation provides support for the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP). In addition to the 802.1D Spanning Tree Algorithm and Protocol
(STP) and the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), MSTP also ensures that there
is always only one data path between any two switches for a given Spanning Tree instance to prevent
network loops.
MSTP is an enhancement to the 802.1Q Common Spanning Tree (CST), which is provided when an Alcatel switch is running in the flat Spanning Tree operating mode. The flat mode applies a single spanning
tree instance across all VLAN port connections on a switch. MSTP allows the configuration of Multiple
Spanning Tree Instances (MSTIs) in addition to the CST instance. Each MSTI is mapped to a set of
VLANs. As a result, flat mode can support the forwarding of VLAN traffic over separate data paths.
In addition to 802.1s MSTP support, the 802.1D STP and 802.1w RSTP are still available in either the flat
or 1x1 mode. However, if using 802.1D or 802.1w in the flat mode, the single spanning tree instance per
switch algorithm applies.
In This Chapter
This chapter describes 802.1s MST in general and how MSTP works on the switch. It provides information about configuring MSTP through the Command Line Interface (CLI). For more details about the
syntax of commands, see the OmniSwitch CLI Reference Guide. For more information about Spanning
Tree configuration commands as they apply to all supported protocols (STP, RSTP, and MSTP), see
Chapter 6, “Configuring Spanning Tree Parameters.”
The following topics are included in this chapter as they relate to the Alcatel implementation of the 802.1s
MSTP standard:
• “MST General Overview” on page 3-4.
• “MST Configuration Overview” on page 3-10.
• “Using Spanning Tree Configuration Commands” on page 3-10.
• “MST Interoperability and Migration” on page 3-12.
• “Quick Steps for Configuring an MST Region” on page 3-14.
• “Quick Steps for Configuring MSTIs” on page 3-16.
• “Verifying the MST Configuration” on page 3-19.
MST Specifications
IEEE Standards supported: 802.1D - Media Access Control (MAC) Bridges; 802.1w - Rapid Reconfiguration (802.1D Amendment 2); 802.1Q - Virtual Bridged Local Area Networks; 802.1s - Multiple Spanning Trees (802.1Q Amendment 3)
Spanning Tree Operating Modes supported: Flat mode - one spanning tree instance per switch; 1x1 mode - one spanning tree instance per VLAN
Spanning Tree Protocols supported: 802.1D Standard Spanning Tree Algorithm and Protocol (STP); 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP); 802.1s Multiple Spanning Tree Algorithm and Protocol (MSTP)
Spanning Tree port eligibility: Fixed ports (non-mobile); 802.1Q tagged ports; Link aggregate of ports
Maximum 1x1 Spanning Tree instances per switch: 252
Maximum flat mode 802.1s Multiple Spanning Tree Instances (MSTI) per switch: 16 MSTI, in addition to the Common and Internal Spanning Tree instance (also referred to as MSTI 0).
CLI Command Prefix Recognition: All Spanning Tree commands support prefix recognition. See the "Using the CLI" chapter in the OmniSwitch 6800/6850/9000 Switch Management Guide for more information.
Spanning Tree Bridge Parameter Defaults
Parameter Description                                                             | Command                      | Default
Spanning Tree operating mode                                                      | bridge mode                  | 1x1 (a separate Spanning Tree instance for each VLAN)
Spanning Tree protocol                                                            | bridge protocol              | STP (802.1D) on OmniSwitch 9000; RSTP (802.1w) on OmniSwitch 6800 and 6850
BPDU switching status                                                             | bridge bpdu-switching        | Disabled
Priority value for the Spanning Tree instance                                     | bridge priority              | 32768
Hello time interval between each BPDU transmission                                | bridge hello time            | 2 seconds
Maximum aging time allowed for Spanning Tree information learned from the network | bridge max age               | 20 seconds
Spanning Tree port state transition time                                          | bridge forward delay         | 15 seconds
Automatic VLAN Containment                                                        | bridge auto-vlan-containment | Disabled
Spanning Tree Port Parameter Defaults
Parameter Description                   | Command                     | Default
Spanning Tree port administrative state | bridge slot/port            | Enabled
Spanning Tree port priority value       | bridge slot/port priority   | 7
Spanning Tree port path cost            | bridge slot/port path cost  | 0 (cost is based on port speed)
Path cost mode                          | bridge path cost mode       | AUTO (16-bit in 1x1 mode, 32-bit in flat mode)
Port state management mode              | bridge slot/port mode       | Dynamic (Spanning Tree Algorithm determines port state)
Type of port connection                 | bridge slot/port connection | auto point to point
MST Region Defaults
Although the following parameter values are specific to the MSTP (802.1s), they are configurable regardless of which mode (flat or 1x1) or protocol is active on the switch.
Parameter Description                                  | Command                          | Default
The MST region name                                    | bridge mst region name           | blank
The revision level for the MST region                  | bridge mst region revision level | 0
The maximum number of hops authorized for the region   | bridge mst region max hops       | 20
The number of Multiple Spanning Tree Instances (MSTI)  | bridge msti                      | 1 (flat mode instance)
The VLAN to MSTI mapping                               | bridge msti vlan                 | All VLANs are mapped to the Common Internal Spanning Tree (CIST) instance
MST General Overview
The Multiple Spanning Tree (MST) feature allows for the mapping of one or more VLANs to a single
Spanning Tree instance, referred to as a Multiple Spanning Tree Instance (MSTI), when the switch is
running in the flat Spanning Tree mode. MST uses the Multiple Spanning Tree Algorithm and Protocol
(MSTP) to define the Spanning Tree path for each MSTI. In addition, MSTP provides the ability to group
switches into MST Regions. An MST Region appears as a single, flat Spanning Tree instance to switches
outside the region.
This section provides an overview of the MST feature that includes the following topics:
• “How MSTP Works” on page 3-4.
• “Comparing MSTP with STP and RSTP” on page 3-7
• “What is a Multiple Spanning Tree Instance (MSTI)” on page 3-7.
• “What is a Multiple Spanning Tree Region” on page 3-8.
• “What is the Internal Spanning Tree (IST) Instance” on page 3-9.
• “What is the Common and Internal Spanning Tree Instance” on page 3-9.
How MSTP Works
MSTP, as defined in the IEEE 802.1s standard, is an enhancement to the IEEE 802.1Q Common Spanning Tree (CST). The CST is a single spanning tree that uses 802.1D (STP) or 802.1w (RSTP) to provide a
loop-free network topology.
The Alcatel flat spanning tree mode applies a single CST instance on a per switch basis. The 1x1 mode is
an Alcatel proprietary implementation that applies a single spanning tree instance on a per VLAN basis.
MSTP is only supported in the flat mode and allows for the configuration of additional spanning tree
instances instead of just the one CST.
On Alcatel 802.1s flat mode switches, the CST is represented by the Common and Internal Spanning Tree
(CIST) instance 0 and exists on all switches. Up to 17 instances, including the CIST, are supported. Each
additional instance created is referred to as a Multiple Spanning Tree Instance (MSTI). An MSTI represents a configurable association between a single Spanning Tree instance and a set of VLANs.
Note that although MSTP provides the ability to define MSTIs while running in the flat mode, port state
and role computations are still automatically calculated by the CST algorithm across all MSTIs. However,
it is possible to configure the priority and/or path cost of a port for a particular MSTI so that a port remains
in a forwarding state for an MSTI instance, even if it is blocked as a result of automatic CST computations for other instances.
The following diagrams help to further explain how MSTP works by comparing how port states are determined on 1x1 STP/RSTP mode, flat mode STP/RSTP, and flat mode MSTP switches.
[Figure: 1x1 Mode STP/RSTP. Two switches; VLAN 100 on ports 3/1 and 2/1; VLAN 200 on ports 4/2, 5/1, 4/8 and 5/2.]
In the above 1x1 mode example:
• Both switches are running in the 1x1 mode (one Spanning Tree instance per VLAN).
• VLAN 100 and VLAN 200 are each associated with their own Spanning Tree instance.
• The connection between 3/1 and 2/1 is left in a forwarding state because it is part of the VLAN 100
Spanning Tree instance and is the only connection for that instance.
Note that if additional switches containing a VLAN 100 were attached to the switches in this diagram,
the 3/1 to 2/1 connection could also go into blocking if the VLAN 100 Spanning Tree instance determines it is necessary to avoid a network loop.
• The connections between 4/8 and 5/2 and 4/2 and 5/1 are seen as redundant because they are both
controlled by the VLAN 200 Spanning Tree instance and connect to the same switches. The VLAN
200 Spanning Tree instance determines which connection provides the best data path and transitions
the other connection to a blocking state.
[Figure: Flat Mode STP/RSTP (802.1D/802.1w). Same two switches; VLAN 100 on ports 3/1 and 2/1; VLAN 200 on ports 4/2, 5/1, 4/8 and 5/2.]
In the above flat mode STP/RSTP example:
• Both switches are running in the flat mode. As a result, a single flat mode Spanning Tree instance
applies to the entire switch and compares port connections across VLANs to determine which connection provides the best data path.
• The connection between 3/1 and 2/1 is left forwarding because the flat mode instance determined that
this connection provides the best data path between the two switches.
• The 4/8 to 5/2 connection and the 4/2 to 5/1 connection are considered redundant connections so they
are both blocked in favor of the 3/1 to 2/1 connection.
page 3-5
[Figure: the same two switches running flat mode MSTP. The 3/1-2/1 link (VLAN 100) and the 4/2-5/1 link (VLAN 150) belong to CIST-0; the 4/8-5/2 link (VLAN 200) and the 2/12-3/6 link (VLAN 250) belong to MSTI-2. Only the 3/1-2/1 link is forwarding; the VLAN 150, 200, and 250 links are blocked.]
Flat Mode MSTP (802.1s)
In the above flat mode MSTP example:
• Both switches are running in the flat mode and using MSTP.
• VLANs 100 and 150 are not associated with an MSTI. By default they are controlled by the CIST
instance 0, which exists on every switch.
• VLANs 200 and 250 are associated with MSTI 2 so their traffic can traverse a path different from that
determined by the CIST.
• Ports are blocked the same way they were blocked in the flat mode STP/RSTP example; all port
connections are compared to each other across VLANs to determine which connection provides the
best path.
However, because VLANs 200 and 250 are associated to MSTI 2, it is possible to change the port path
cost for ports 2/12, 3/6, 4/8 and/or 5/2 so that they provide the best path for MSTI 2 VLANs, but do not
carry CIST VLAN traffic or cause CIST ports to transition to a blocking state.
Another alternative is to assign all VLANs to an MSTI, leaving no VLANs controlled by the CIST. As
a result, the CIST BPDU will only contain MSTI information.
See “Quick Steps for Configuring MSTIs” on page 3-16 for more information about how to direct VLAN
traffic over separate data paths using MSTP.
page 3-6
Comparing MSTP with STP and RSTP
Using MSTP (802.1s) has the following items in common with STP (802.1D) and RSTP (802.1w) protocols:
• Each protocol ensures one data path between any two switches within the network topology. This
prevents network loops from occurring while at the same time allowing for redundant path configuration.
• Each protocol provides automatic reconfiguration of the network Spanning Tree topology in the event
of a connection failure and/or when a switch is added to or removed from the network.
• All three protocols are supported in the flat Spanning Tree operating mode.
• The flat mode CST instance automatically determines port states and roles across VLAN port and
MSTI associations. This is because the CST instance is active on all ports and only one BPDU is used
to forward information for all MSTIs.
• MSTP is based on RSTP.
Using MSTP differs from STP and RSTP as follows:
• MSTP is only supported when the switch is running in the flat Spanning Tree mode. STP and RSTP
are supported in both the 1x1 and flat modes.
• MSTP allows for the configuration of up to 16 Multiple Spanning Tree Instances (MSTI) in addition to
the CST instance. Flat mode STP and RSTP protocols only use the single CST instance for the entire
switch. See “What is a Multiple Spanning Tree Instance (MSTI)” on page 3-7 for more information.
• MSTP applies a single Spanning Tree instance to an MSTI ID number that represents a set of VLANs;
a one to many association. STP and RSTP in the flat mode apply one Spanning Tree instance to all
VLANs; a one to all association. STP and RSTP in the 1x1 mode apply a single Spanning Tree
instance to each existing VLAN; a one to one association.
• The port priority and path cost parameters are configurable for an individual MSTI that represents the
VLAN associated with the port.
• The flat mode 802.1D or 802.1w CST is identified as instance 1. When using MSTP, the CST is identified as CIST (Common and Internal Spanning Tree) instance 0. See “What is the Common and Internal Spanning Tree Instance” on page 3-9 for more information.
• MSTP allows the segmentation of switches within the network into MST regions. Each region is seen
as a single virtual bridge to the rest of the network, even though multiple switches may belong to the
one region. See “What is a Multiple Spanning Tree Region” on page 3-8 for more information.
• MSTP has lower overhead than a 1x1 configuration. In 1x1 mode, because each VLAN is assigned a
separate Spanning Tree instance, BPDUs are forwarded on the network for each VLAN. MSTP only
forwards one BPDU for the CST that contains information for all configured MSTI on the switch.
What is a Multiple Spanning Tree Instance (MSTI)
An MSTI is a single Spanning Tree instance that represents a group of VLANs. Alcatel switches support
up to 16 MSTIs on one switch. This number is in addition to the Common and Internal Spanning Tree
(CIST) instance 0, which is also known as MSTI 0. The CIST instance exists on every switch. By default,
all VLANs not mapped to an MSTI are associated with the CIST instance. See “What is the Common and
Internal Spanning Tree Instance” on page 3-9 for more information.
page 3-7
What is a Multiple Spanning Tree Region
A Multiple Spanning Tree region represents a group of 802.1s switches. An MST region appears as a
single, flat mode instance to switches outside the region. A switch can belong to only one region at a time.
The region a switch belongs to is identified by the following configurable attributes, as defined by the
IEEE 802.1s standard:
• Region name–An alphanumeric string up to 32 characters.
• Region revision level–A numerical value between 0 and 65535.
• VLAN to MSTI table–Generated when VLANs are associated with MSTIs. Identifies the VLAN to
MSTI mapping for the switch.
Switches that share the same values for the configuration attributes described above belong to the same
region. For example, in the diagram below:
• Switches A, B, and C all belong to the same region because they all are configured with the same
region name, revision level, and have the same VLANs mapped to the same MSTI.
• The CST for the entire network sees Switches A, B, and C as one virtual bridge that is running a single
Spanning Tree instance. As a result, CST blocks the path between Switch C and Switch E instead of
blocking a path between the MST region switches to avoid a network loop.
• The paths between Switch A and Switch C and the redundant path between Switch B and Switch C
were blocked as a result of the Internal Spanning Tree (IST) computations for the MST Region. See
“What is the Internal Spanning Tree (IST) Instance” on page 3-9 for more information.
[Figure: Switches A, B, and C (all OmniSwitch 9700) form the MST Region and run the IST between themselves; Switches D and E are SST switches (STP or RSTP) joined to the region through the CST. The Switch A to Switch C path and the redundant Switch B to Switch C path are blocked by the IST; the Switch C to Switch E path is blocked by the CST.]
In addition to the attributes described above, the MST maximum hops parameter defines the number of
bridges authorized to propagate MST BPDU information. In essence, this value defines the size of the
region in that once the maximum number of hops is reached, the BPDU is discarded.
The maximum number of hops for the region is not one of the attributes that defines membership in the
region. See “Quick Steps for Configuring an MST Region” on page 3-14 for a tutorial on how to configure MST region parameters.
page 3-8
What is the Common Spanning Tree
The Common Spanning Tree (CST) is the overall network Spanning Tree topology resulting from STP,
RSTP, and/or MSTP calculations to provide a single data path through the network. CST provides connectivity between MST regions and other MST regions and/or Single Spanning Tree (SST) switches. For
example, in the above diagram, CST calculations detected a network loop created by the connections
between Switch D, Switch E, and the MST Region. As a result, one of the paths was blocked.
What is the Internal Spanning Tree (IST) Instance
The IST instance determines and maintains the CST topology between MST switches that belong to the
same MST region. In other words, the IST is simply a CST that only applies to MST Region switches
while at the same time representing the region as a single Spanning Tree bridge to the network CST.
As shown in the above diagram, the redundant path between Switch B and Switch C is blocked and the
path between Switch A and Switch C is blocked. These blocking decisions were based on IST computations within the MST region. The IST sends BPDUs to, and receives BPDUs from, the network CST. MSTIs within the
region do not communicate with the network CST. As a result, the CST only sees the IST BPDU and
treats the MST region as a single Spanning Tree bridge.
What is the Common and Internal Spanning Tree Instance
The Common and Internal Spanning Tree (CIST) instance is the Spanning Tree calculated by the MST
region IST and the network CST. The CIST is represented by the single Spanning Tree flat mode instance
that is available on all switches. By default, all VLANs are associated to the CIST until they are mapped
to an MSTI.
When using STP (802.1D) or RSTP (802.1w), the CIST is also known as instance 1 or bridge 1. When
using MSTP (802.1s), the CIST is also known as instance 0 or MSTI 0.
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands
are required to configure parameter values. Implicit commands are for configuring parameters when the
STP or RSTP protocols are in use. See “Using Spanning Tree Configuration Commands” on page 3-10 for
more information.
page 3-9
MST Configuration Overview
The following general steps are required to set up a Multiple Spanning Tree (MST) configuration:
• Select the flat Spanning Tree mode. By default, each switch runs in the 1x1 mode. MSTP is only
supported on a flat mode switch. See “Understanding Spanning Tree Modes” on page 3-11 for more
information.
• Select the 802.1s protocol. By default, OmniSwitch 9000 switches use the 802.1D protocol and
OmniSwitch 6800 and 6850 switches use the 802.1w protocol. Selecting 802.1s activates the Multiple
Spanning Tree Protocol (MSTP). See “How MSTP Works” on page 3-4 for more information.
• Configure an MST region name and revision level. Switches that share the same MST region name,
revision level, and VLAN to Multiple Spanning Tree Instance (MSTI) mapping belong to the same
MST region. See “What is a Multiple Spanning Tree Region” on page 3-8 for more information.
• Configure MSTIs. By default, every switch has a Common and Internal Spanning Tree (CIST)
instance 0, which is also referred to as MSTI 0. Configuration of additional MSTI is required to
segment switch VLANs into separate instances. See “What is a Multiple Spanning Tree Instance
(MSTI)” on page 3-7 for more information.
• Map VLANs to MSTI. By default, all existing VLANs are mapped to the CIST instance 0. Associating a VLAN to an MSTI specifies which Spanning Tree instance will determine the best data path for
traffic carried on the VLAN. In addition, the VLAN-to-MSTI mapping is also one of three MST
configuration attributes used to determine that the switch belongs to a particular MST region.
For a tutorial on setting up an example MST configuration, see “Quick Steps for Configuring an MST
Region” on page 3-14 and “Quick Steps for Configuring MSTIs” on page 3-16.
Using Spanning Tree Configuration Commands
The Alcatel implementation of the 802.1s Multiple Spanning Tree Protocol introduces the concept of
implicit and explicit CLI commands for Spanning Tree configuration and verification. Explicit commands
contain one of the following keywords that specifies the type of Spanning Tree instance to modify:
• cist–command applies to the Common and Internal Spanning Tree instance.
• msti–command applies to the specified 802.1s Multiple Spanning Tree Instance.
• 1x1–command applies to the specified VLAN instance.
Explicit commands allow the configuration of a particular Spanning Tree instance independent of which
mode and/or protocol is currently active on the switch. The configuration, however, does not go active
until the switch is changed to the appropriate mode. For example, if the switch is running in the 1x1 mode,
the following explicit command changes the MSTI 3 priority to 12288:
-> bridge msti 3 priority 12288
Even though the above command is accepted in the 1x1 mode, the new priority value does not take effect
until the switch mode is changed to flat mode.
Note that explicit commands using the cist and msti keywords are required to define an MSTP (802.1s)
configuration. Implicit commands are only allowed for defining STP or RSTP configurations.
page 3-10
Implicit commands resemble previously implemented Spanning Tree commands, but apply to the appropriate instance based on the current mode and protocol that is active on the switch. For example, if the 1x1
mode is active, the instance number specified with the following command implies a VLAN ID:
-> bridge 255 priority 16384
If the flat mode is active, the single flat mode instance is implied and thus configured by the command.
Since the flat mode instance is implied in this case, there is no need to specify an instance number. For
example, the following command configures the protocol for the flat mode instance:
-> bridge protocol mstp
Similar to previous releases, it is possible to configure the flat mode instance by specifying 1 for the
instance number (e.g., bridge 1 protocol rstp). However, this is only available when the switch is already
running in the flat mode and STP or RSTP is the active protocol.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree
commands is captured. For example, if the priority of MSTI 2 was changed from the default value to a
priority of 16384, then bridge msti 2 priority 16384 is the command captured to reflect this in the snapshot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
For more information about Spanning Tree configuration commands as they apply to all supported protocols (STP, RSTP, and MSTP), see Chapter 6, “Configuring Spanning Tree Parameters.”
Understanding Spanning Tree Modes
The switch can operate in one of two Spanning Tree modes: flat and 1x1. The flat mode provides a
Common Spanning Tree (CST) instance that applies across all VLANs by default. This mode supports the
use of the STP (802.1D), RSTP (802.1w), and MSTP (802.1s) protocols. MSTP allows the mapping of
one or more VLANs to a single Spanning Tree instance.
The 1x1 mode is an Alcatel proprietary implementation that automatically calculates a separate Spanning
Tree instance for each VLAN configured on the switch. This mode only supports the use of the STP and
RSTP protocols.
Although MSTP is not supported in the 1x1 mode, it is possible to define an MSTP configuration in this
mode using explicit Spanning Tree commands. See “Using Spanning Tree Configuration Commands” on
page 3-10 for more information about explicit commands.
By default, a switch is running in the 1x1 mode and using the 802.1D protocol when it is first turned on.
See Chapter 6, “Configuring Spanning Tree Parameters,” for more information about Spanning Tree
modes.
page 3-11
MST Interoperability and Migration
Connecting an MSTP (802.1s) switch to a non-MSTP flat mode switch is supported. Since the Common
and Internal Spanning Tree (CIST) controls the flat mode instance on both switches, STP or RSTP can
remain active on the non-MSTP switch within the network topology.
An MSTP switch is part of a Multiple Spanning Tree (MST) Region, which appears as a single, flat mode
instance to the non-MSTP switch. The port that connects the MSTP switch to the non-MSTP switch is
referred to as a boundary port. When a boundary port detects an STP (802.1D) or RSTP (802.1w) BPDU,
it responds with the appropriate protocol BPDU to provide interoperability between the two switches. This
interoperability also serves to indicate the edge of the MST region.
Interoperability between 802.1s MSTP switches and 1x1 mode switches is not recommended. The 1x1
mode is a proprietary implementation that creates a separate Spanning Tree instance for each VLAN
configured on the switch. The 802.1s MSTP implementation is in compliance with the IEEE standard and
is only supported on flat mode switches.
Tagged BPDUs transmitted from a 1x1 switch are ignored by a flat mode switch, which can cause a
network loop to go undetected. Although it is not recommended, it may be necessary to temporarily
connect a 1x1 switch to a flat mode switch until migration to MSTP is complete. If this is the case, then
only configure a fixed, untagged connection between VLAN 1 on both switches.
Migrating from Flat Mode STP/RSTP to Flat Mode MSTP
Migrating an STP/RSTP flat mode switch to MSTP is relatively transparent. When STP or RSTP is the
active protocol, the Common and Internal Spanning Tree (CIST) controls the flat mode instance. If on the
same switch the protocol is changed to MSTP, the CIST still controls the flat mode instance.
Note the following when converting a flat mode STP/RSTP switch to MSTP:
• Making a backup copy of the switch boot.cfg file before changing the protocol to MSTP is highly
recommended. Having a backup copy will make it easier to revert to the non-MSTP configuration if
necessary. Once MSTP is active, commands are written in their explicit form and not compatible with
previous releases of Spanning Tree.
• When converting multiple switches, change the protocol to MSTP first on every switch before starting
to configure Multiple Spanning Tree Instances (MSTI).
• Once the protocol is changed, MSTP features are available for configuration. Multiple Spanning Tree
Instances (MSTI) are now configurable for defining data paths for VLAN traffic. See “How MSTP
Works” on page 3-4 for more information.
• Using explicit Spanning Tree commands to define the MSTP configuration is required. Implicit
commands are for configuring STP and RSTP. See “Using Spanning Tree Configuration Commands”
on page 3-10 for more information.
• STP and RSTP use a 16-bit port path cost (PPC) and MSTP uses a 32-bit PPC. When the protocol is
changed to MSTP, the bridge priority and PPC values for the flat mode CIST instance are reset to their
default values.
• It is possible to configure the switch to use a 32-bit PPC value for all protocols (see the bridge path cost
mode command page for more information). If this is the case, then the PPC for the CIST is not reset
when the protocol is changed to/from MSTP.
• This implementation of MSTP is compliant with the IEEE 802.1s standard and thus provides interconnectivity with 802.1s compliant systems.
page 3-12
Migrating from 1x1 Mode to Flat Mode MSTP
As previously described, the 1x1 mode is an Alcatel proprietary implementation that applies one Spanning Tree instance to each VLAN. For example, if five VLANs exist on the switch, then there are five
Spanning Tree instances active on the switch, unless Spanning Tree is disabled on one of the VLANs.
Note the following when converting a 1x1 mode STP/RSTP switch to flat mode MSTP:
• Making a backup copy of the switch boot.cfg file before changing the protocol to MSTP is highly
recommended. Having a backup copy will make it easier to revert to the non-MSTP configuration if
necessary. Once MSTP is active, commands are written in their explicit form and not compatible with
previous releases of Spanning Tree. If the need arises
• Using MSTP requires changing the switch mode from 1x1 to flat. When the mode is changed from 1x1
to flat, ports still retain their VLAN associations but are now part of a single, flat mode Spanning Tree
instance that spans across all VLANs. As a result, a path that was forwarding traffic in the 1x1 mode
may transition to a blocking state after the mode is changed to flat.
• Once the protocol is changed, MSTP features are available for configuration. Multiple Spanning Tree
Instances (MSTI) are now configurable for defining data paths for VLAN traffic. See “How MSTP
Works” on page 3-4 for more information.
• Note that STP/RSTP use a 16-bit port path cost (PPC) and MSTP uses a 32-bit PPC. When the protocol is changed to MSTP, the bridge priority and PPC values for the flat mode CIST instance are reset to
their default values.
• It is possible to configure the switch to use a 32-bit PPC value for all protocols (see the bridge path cost
mode command page for more information). If this is the case, then the PPC for the CIST is not reset
when the protocol is changed to/from MSTP.
• This implementation of MSTP is compliant with the IEEE 802.1s standard and thus provides interconnectivity with 802.1s compliant systems.
page 3-13
Quick Steps for Configuring an MST Region
An MST region identifies a group of MSTP (802.1s) switches that is seen as a single, flat mode instance
by other regions and/or non-MSTP switches. A region is defined by three attributes: name, revision level,
and a VLAN-to-MSTI mapping. Switches configured with the same value for all three of these attributes
belong to the same MST region.
Note that an additional configurable MST region parameter defines the maximum number of hops authorized for the region but is not considered when determining regional membership. The maximum hops
value is the value used by all bridges within the region when the bridge is acting as the root of the MST
region.
This section provides a tutorial for defining a sample MST region configuration, as shown in the diagram
below:
[Figure: Switches A, B, and C (all OmniSwitch 9700) form the MST Region and run the IST between themselves; Switches D and E are SST switches (STP or RSTP) joined to the region through the CST.]
In order for switches A, B, and C in the above diagram to belong to the same MST region, they must all
share the same values for region name, revision level, and configuration digest (VLAN-to-MSTI
mapping).
The following steps are performed on each switch to define Alcatel Marketing as the MST region name,
2000 as the MST region revision level, map existing VLANs to MSTIs, and 3 as the maximum
hops value for the region:
1 Configure an MST Region name using the bridge mst region name command. For example:
-> bridge mst region name “Alcatel Marketing”
2 Configure the MST Region revision level using the bridge mst region revision level command. For
example:
-> bridge mst region revision level 2000
page 3-14
3 Map VLANs 100 and 200 to MSTI 2 and VLANs 300 and 400 to MSTI 4 using the bridge msti vlan
command to define the configuration digest. For example:
-> bridge msti 2 vlan 100 200
-> bridge msti 4 vlan 300 400
See “Quick Steps for Configuring MSTIs” on page 3-16 for a tutorial on how to create and map MSTIs
to VLANs.
4 Configure 3 as the maximum number of hops for the region using the bridge mst region max hops
command. For example:
-> bridge mst region max hops 3
Note. (Optional) Verify the MST region configuration on each switch with the show spantree mst region
command. For example:
-> show spantree mst region
Configuration Name    : Alcatel Marketing,
Revision Level        : 2000,
Configuration Digest  : 0x922fb3f 31752d68 67fe1155 d0ce8380,
Revision Max hops     : 3,
Cist Instance Number  : 0
All switches configured with the exact same values as shown in the above example are considered
members of the Alcatel Marketing MST region.
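The three attributes that define region membership can be checked offline, which is useful when a switch unexpectedly appears as its own region. IEEE 802.1s defines the Configuration Digest as an HMAC-MD5 over the VLAN-to-MSTI table (4096 two-octet entries, one per VID, big-endian) under a fixed key, so two switches belong to the same region exactly when name, revision level, and this digest match; the maximum hops value plays no part. The following Python is an added example, not code from this guide or from the OmniSwitch software. The key and the digest of the default table (every VLAN in the CIST) are the values published in the IEEE 802.1s/802.1Q standards; the class and function names are illustrative.

```python
import hashlib
import hmac

# Signature key defined by IEEE 802.1s/802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Well-known digest of the default table: every VID mapped to MSTID 0 (the CIST).
DEFAULT_DIGEST = "ac36177f50283cd4b83821d8ab26de62"


def config_digest(vlan_to_msti):
    """HMAC-MD5 over the 4096-entry VID -> MSTID table, two octets per entry.
    VIDs absent from the mapping stay in the CIST (MSTID 0)."""
    table = [0] * 4096
    for vid, msti in vlan_to_msti.items():
        if not 0 <= vid <= 4095:
            raise ValueError("VID out of range: %d" % vid)
        if not 0 <= msti <= 4094:
            raise ValueError("MSTID out of range: %d" % msti)
        table[vid] = msti
    data = b"".join(msti.to_bytes(2, "big") for msti in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest()


class MstRegionConfig:
    """Region attributes of one switch (illustrative class). max_hops is kept
    alongside them but deliberately excluded from the region identity."""

    def __init__(self, name, revision, vlan_to_msti, max_hops=20):
        if len(name.encode("utf-8")) > 32:
            raise ValueError("region name longer than 32 characters")
        if not 0 <= revision <= 65535:
            raise ValueError("revision level must be 0..65535")
        self.name = name
        self.revision = revision
        self.vlan_to_msti = dict(vlan_to_msti)
        self.max_hops = max_hops

    def identity(self):
        """The tuple that must match for two switches to share a region."""
        return (self.name, self.revision, config_digest(self.vlan_to_msti))


def same_region(a, b):
    return a.identity() == b.identity()


def group_by_region(switches):
    """Map {switch name: MstRegionConfig} to {identity: [switch names]},
    so a switch that has drifted out of the region stands out."""
    groups = {}
    for name, cfg in switches.items():
        groups.setdefault(cfg.identity(), []).append(name)
    return groups


if __name__ == "__main__":
    # Mapping from Step 3 above: VLANs 100/200 in MSTI 2, VLANs 300/400 in MSTI 4.
    mapping = {100: 2, 200: 2, 300: 4, 400: 4}
    a = MstRegionConfig("Alcatel Marketing", 2000, mapping, max_hops=3)
    b = MstRegionConfig("Alcatel Marketing", 2000, mapping, max_hops=20)  # hops differ
    c = MstRegionConfig("Alcatel Marketing", 2001, mapping, max_hops=3)   # revision differs
    for ident, members in group_by_region({"A": a, "B": b, "C": c}).items():
        print(ident, members)
```

Running the block shows A and B in one region despite different max hops values, and C alone because its revision level differs. Comparing the digest that show spantree mst region prints on each switch with the value config_digest computes for the intended mapping pinpoints which switch has a diverging VLAN-to-MSTI table.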
page 3-15
Quick Steps for Configuring MSTIs
By default the Spanning Tree software is active on all switches and operating in the 1x1 mode using the
standard 802.1D STP (OmniSwitch 9000 default) or 802.1w RSTP (OmniSwitch 6800 and 6850 default).
As a result, a loop-free network topology is automatically calculated based on default 802.1D Spanning
Tree switch, bridge, and port parameter values.
Using Multiple Spanning Tree (MST) requires configuration changes to the default Spanning Tree values
(mode and protocol) as well as defining specific MSTP parameters and instances.
The following steps provide a tutorial for setting up a sample MSTP configuration, as shown in the
diagram below:
[Figure: Switch A ports 3/1 (VLAN 100), 4/2 (VLAN 150), 4/8 (VLAN 200), and 2/12 (VLAN 250) connect to Switch B ports 2/1, 5/1, 5/2, and 3/6 respectively. VLANs 100 and 150 belong to CIST-0; VLANs 200 and 250 belong to MSTI-1. Only the 3/1-2/1 link is forwarding; the VLAN 150, 200, and 250 links are blocked.]
Flat Mode MSTP (802.1s) Quick Steps Example
1 Change the Spanning Tree operating mode, if necessary, on Switch A and Switch B from 1x1 to flat
mode using the bridge mode command. For example:
-> bridge mode flat
Note that defining an MSTP configuration requires the use of explicit Spanning Tree commands, which
are available in both the flat and 1x1 mode. As a result, this step is optional. See “Using Spanning Tree
Configuration Commands” on page 3-10 for more information.
2 Change the Spanning Tree protocol to 802.1s using the bridge protocol command. For example:
-> bridge protocol mstp
3 Create VLANs 100, 200, 300, and 400 using the vlan command. For example:
-> vlan 100
-> vlan 150
-> vlan 200
-> vlan 250
4 Assign switch ports to VLANs, as shown in the above diagram, using the vlan port default command.
For example, the following commands assign ports 3/1, 4/2, 4/8, and 2/12 to VLANs 100, 150, 200, and
250 on Switch A:
-> vlan 100 port default 3/1
-> vlan 150 port default 4/2
page 3-16
-> vlan 200 port default 4/8
-> vlan 250 port default 2/12
The following commands assign ports 2/1, 5/1, 5/2, and 3/6 to VLANs 100, 150, 200, and 250 on
Switch B:
-> vlan 100 port default 2/1
-> vlan 150 port default 5/1
-> vlan 200 port default 5/2
-> vlan 250 port default 3/6
5 Create one MSTI using the bridge msti command. For example:
-> bridge msti 1
6 Assign VLANs 200 and 250 to MSTI 1. For example:
-> bridge msti 1 vlan 200 250
By default, all VLANs are associated with the CIST instance. As a result, VLANs 100 and 150 do not
require any configuration to map them to the CIST instance.
7 Configure the port path cost (PPC) for all ports on both switches associated with MSTI 1 to a PPC
value that is lower than the PPC value for the ports associated with the CIST instance using the bridge
msti slot/port path cost command. For example, the PPC for ports associated with the CIST instance is
set to the default of 200,000 for 100 MB connections. The following commands change the PPC value for
ports associated with the MSTI 1 to 20,000:
-> bridge msti 1 4/8 path cost 20,000
-> bridge msti 1 2/12 path cost 20,000
-> bridge msti 1 5/2 path cost 20,000
-> bridge msti 1 3/6 path cost 20,000
Note that in this example, port connections between VLANs 150, 200, and 250 on each switch initially
were blocked, as shown in the diagram on page 3-16. This is because in flat mode MSTP, each instance is
active on all ports, resulting in a comparison of connections independent of VLAN and MSTI associations.
To avoid this and allow VLAN traffic to flow over separate data paths based on MSTI association, Step 7
of this tutorial configures a superior port path cost value for ports associated with MSTI 1. As a result,
MSTI 1 selects one of the data paths between its VLANs as the best path, rather than the CIST data paths,
as shown in the diagram on page 3-18:
[Figure: the same Switch A and Switch B topology after Step 7. The 3/1-2/1 link (VLAN 100) forwards for CIST-0 and the 4/2-5/1 link (VLAN 150) remains blocked; of the two MSTI-1 links, 4/8-5/2 (VLAN 200) and 2/12-3/6 (VLAN 250), one forwards and the other is blocked as redundant for that instance.]
Flat Mode MSTP (802.1s) with Superior MSTI 1 PPC Values
page 3-17
Note that of the two data paths available to MSTI 1 VLANs, one is still blocked because it is seen as
redundant for that instance. In addition, the CIST data path still remains available for CIST VLAN traffic.
Another solution to this scenario is to assign all VLANs to an MSTI, leaving no VLANs controlled by the
CIST. As a result, the CIST BPDU will only contain MSTI information. See “How MSTP Works” on
page 3-4 for more information.
page 3-18
Verifying the MST Configuration
To display information about the MST configuration on the switch, use the show commands listed below:
show spantree cist: Displays the Spanning Tree bridge configuration for the flat mode Common and Internal Spanning Tree (CIST) instance.
show spantree msti: Displays Spanning Tree bridge information for an 802.1s Multiple Spanning Tree Instance (MSTI).
show spantree cist ports: Displays Spanning Tree port information for the flat mode Common and Internal Spanning Tree (CIST) instance.
show spantree msti ports: Displays Spanning Tree port information for a flat mode 802.1s Multiple Spanning Tree Instance (MSTI).
show spantree mst region: Displays the Multiple Spanning Tree (MST) region information for the switch.
show spantree cist vlan-map: Displays the range of VLANs associated with the flat mode Common and Internal Spanning Tree (CIST) instance.
show spantree msti vlan-map: Displays the range of VLANs associated with the specified Multiple Spanning Tree Instance (MSTI).
show spantree map-msti: Displays the Multiple Spanning Tree Instance (MSTI) that is associated to the specified VLAN.
show spantree mst port: Displays a summary of Spanning Tree connection information and instance associations for the specified port or a link aggregate of ports.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide.
page 3-19
4 Configuring Learned Port Security
Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on
Ethernet and Gigabit Ethernet ports. The only types of Ethernet ports that LPS does not support are link
aggregate and tagged (trunked) link aggregate ports. Using LPS to control source MAC address learning
provides the following benefits:
• A configurable source learning time limit that applies to all LPS ports.
• A configurable limit on the number of MAC addresses allowed on an LPS port.
• Dynamic configuration of a list of authorized source MAC addresses.
• Static configuration of a list of authorized source MAC addresses.
• Two methods for handling unauthorized traffic: stopping all traffic on the port or only blocking traffic
that violates LPS criteria.
In This Chapter
This chapter describes how to configure LPS parameters through the Command Line Interface (CLI). CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Enabling LPS for a port on page 4-7.
• Specifying a source learning time limit for all LPS ports on page 4-7.
• Configuring the maximum number of MAC addresses learned per port on page 4-8.
• Configuring a list of authorized MAC addresses for an LPS port on page 4-8.
• Configuring a range of authorized MAC addresses for an LPS port on page 4-9.
• Selecting the security violation mode for an LPS port on page 4-10.
• Displaying LPS configuration information on page 4-10.
For more information about source MAC address learning, see Chapter 2, “Managing Source Learning.”
Learned Port Security Specifications
RFCs supported: Not applicable at this time.
IEEE Standards supported: Not applicable at this time.
Ports eligible for Learned Port Security: Ethernet and gigabit Ethernet ports (fixed, mobile, 802.1Q tagged, and authenticated ports).
Ports not eligible for Learned Port Security: Link aggregate ports; 802.1Q (trunked) link aggregate ports.
Minimum number of learned MAC addresses allowed per port: 1
Maximum number of learned MAC addresses allowed per port: 100
Maximum number of configurable MAC address ranges per LPS port: 1
Maximum number of learned MAC addresses per switch: 16K
Learned Port Security Defaults
Parameter Description                                    Command                   Default
LPS status for a port                                    port-security             disabled
Number of learned MAC addresses allowed on an LPS port   port-security maximum     1
Source learning time limit                               port-security shutdown    disabled
Configured MAC addresses per LPS port                    port-security mac         none
MAC address range per LPS port                           port-security mac-range   00:00:00:00:00:00–ff:ff:ff:ff:ff:ff
LPS port violation mode                                  port-security violation   restrict
Sample Learned Port Security Configuration
This section provides a quick tutorial that demonstrates the following tasks:
• Enabling LPS on a set of switch ports.
• Defining the maximum number of learned MAC addresses allowed on an LPS port.
• Defining the time limit in which source learning is allowed on all LPS ports.
• Selecting a method for handling unauthorized traffic received on an LPS port.
Note that LPS is supported on Ethernet and gigabit Ethernet fixed, mobile, tagged and authenticated ports.
Link aggregate and tagged (trunked) link aggregate ports are not eligible for LPS monitoring and control.
1 Enable LPS on ports 6 through 12 on slot 3, 4, and 5 using the following command:
-> port-security 3/6-12 4/6-12 5/6-12 enable
2 Set the total number of learned MAC addresses allowed on the same ports to 25 using the following
command:
-> port-security 3/6-12 4/6-12 5/6-12 maximum 25
3 Configure the amount of time in which source learning is allowed on all LPS ports to 30 minutes using
the following command:
-> port-security shutdown 30
4 Select shutdown for the LPS violation mode using the following command:
-> port-security 3/6-12 4/6-12 5/6-12 violation shutdown
Note. Optional. To verify LPS port configurations, use the show port-security command. For example:
-> show port-security
Port Security MaxMacs Violation LowMac            HighMac            IndividualMac     MacType
----+--------+-------+---------+-----------------+------------------+-----------------+----------
2/2  enabled  25      restrict  00:20:95:00:00:10 00:20:95:00:00:20
4/8  enabled  100     shutdown  00:00:00:00:00:00 ff:ff:ff:ff:ff:ff  00:da:92:3a:59:0c configured
6/1  enabled  10      shutdown  00:00:00:00:00:00 ff:ff:ff:ff:ff:ff  00:da:92:4b:6a:1d dynamic
                                                                     00:da:92:5c:7b:2e dynamic
6/5  enabled  100     restrict  00:00:00:00:00:00 ff:ff:ff:ff:ff:ff  00:da:92:00:1a:20 configured
To verify the new source learning time limit value, use the show port-security shutdown command. For
example:
-> show port-security shutdown
LPS Shutdown = 30
Learned Port Security Overview
Learned Port Security (LPS) provides a mechanism for controlling network device access on one or more
switch ports. Configurable LPS parameters allow the user to restrict the source learning of host MAC
addresses to:
• A specific amount of time in which the switch allows source learning to occur on all LPS ports.
• A maximum number of learned MAC addresses allowed on the port.
• A list of configured authorized source MAC addresses allowed on the port.
Additional LPS functionality allows the user to specify how the LPS port handles unauthorized traffic. The
following two options are available for this purpose:
• Block only traffic that violates LPS port restrictions; authorized traffic is forwarded on the port.
• Disable the LPS port when unauthorized traffic is received; all traffic is stopped and a port reset is
required to return the port to normal operation.
LPS functionality is supported on the following Ethernet and Gigabit Ethernet port types:
• Fixed (non-mobile)
• Mobile
• 802.1Q tagged
• Authenticated
The following port types are not supported:
• Link aggregate
• Tagged (trunked) link aggregate
• 802.1X
How LPS Authorizes Source MAC Addresses
When a packet is received on a port that has LPS enabled, switch software checks the following criteria to
determine if the source MAC address contained in the packet is allowed on the port:
• Is the source learning time window open?
• Is the number of MAC addresses learned on the port below the maximum number allowed?
• Is there a configured authorized MAC address entry for the LPS port that matches the packet’s source
MAC address?
Using the above criteria, the following table shows the conditions under which a MAC address is learned
or blocked on an LPS port:
Time Limit   Max Number   Configured MAC             Result
Open         Below        No entry                   No LPS violation; MAC learned
Closed       Below        No entry                   LPS violation; MAC blocked
Open         Above        No entry                   LPS violation; MAC blocked
Open         Below        Yes; entry matches         No LPS violation; MAC learned
Closed       Below        Yes; entry matches         No LPS violation; MAC learned
Open         Above        Yes; entry matches         LPS violation; MAC blocked
Open         Below        Yes; entry doesn't match   No LPS violation; MAC learned
Closed       Below        Yes; entry doesn't match   LPS violation; MAC blocked
Open         Above        Yes; entry doesn't match   LPS violation; MAC blocked
When a source MAC address violates any of the LPS conditions, the address is considered unauthorized.
The LPS violation mode determines if the unauthorized MAC address is simply blocked on the port or if
the entire port is disabled (see “Selecting the Security Violation Mode” on page 4-10). Regardless of
which mode is selected, notice is sent to the Switch Logging task to indicate that a violation has occurred.
Dynamic Configuration of Authorized MAC Addresses
Once LPS authorizes the learning of a source MAC address, an entry containing the address and the port it
was learned on is made in an LPS database table. This entry is then used as criteria for authorizing future
traffic from this source MAC on that same port. In other words, learned authorized MAC addresses
become configured criteria for an LPS port.
For example, if the source MAC address 00:da:95:00:59:0c is received on port 2/10 and meets the LPS
restrictions defined for that port, then this address and its port are recorded in the LPS table. All traffic that
is received on port 2/10 is compared to the 00:da:95:00:59:0c entry. If any traffic received on this port
consists of packets that do not contain a matching source address, the packets are then subject to the LPS
source learning time limit window and the maximum number of addresses allowed criteria.
When a dynamically configured MAC address is added to the LPS table, it does not become a configured
MAC address entry in the LPS table until the switch configuration file is saved and the switch is rebooted.
If a reboot occurs before this is done, all dynamically learned MAC addresses in the LPS table are cleared.
Static Configuration of Authorized MAC Addresses
It is also possible to statically configure authorized source MAC address entries into the LPS table. This
type of entry behaves the same way as dynamically configured entries in that it authorizes port access to
traffic that contains a matching source MAC address.
Static source MAC address entries, however, take precedence over dynamically learned entries. For example, if there are 2 static MAC address entries configured for port 2/1 and the maximum number allowed on
port 2/1 is 10, then only 8 dynamically learned MAC addresses are allowed on this port.
Note that source learning of configured authorized MAC addresses is still allowed after the LPS time limit
has expired. However, all learning is stopped if the number of MAC addresses learned meets or exceeds
the maximum number of addresses allowed, even if the LPS time limit has not expired.
There are two ways to define a static source MAC address entry in the LPS table; specify an individual
MAC address or a range of MAC addresses. See “Configuring Authorized MAC Addresses” on page 4-8
and “Configuring an Authorized MAC Address Range” on page 4-9 for more information.
Understanding the LPS Table
The LPS database table is separate from the source learning MAC address table. However, when a MAC is
authorized for learning on an LPS port, an entry is made in the MAC address table in the same manner as
if it was learned on a non-LPS port (see Chapter 2, “Managing Source Learning,” for more information).
In addition to dynamic and configured source MAC address entries, the LPS table also provides the
following information for each eligible LPS port:
• The LPS status for the port; enabled or disabled.
• The maximum number of MAC addresses allowed on the port.
• The violation mode selected for the port; restrict or shutdown.
• Statically configured MAC addresses and MAC address ranges.
• All MAC addresses learned on the port.
• The management status for the MAC address entry; configured or dynamic.
Note that dynamic MAC address entries become configured entries after the switch configuration is saved
and the switch is rebooted. However, any dynamic MAC address entries that are not saved to the switch
configuration are cleared if the switch reboots before the next save.
If the LPS port is shut down or the network device is disconnected from the port, the LPS table entries for
this port are retained, but the source learning MAC address table entries for the same port are automatically cleared. In addition, if an LPS table entry is intentionally cleared from the table, the MAC address for
this entry is automatically cleared from the source learning table at the same time.
To view the contents of the LPS table, use the show port-security command. Refer to the OmniSwitch
CLI Reference Guide for more information about this command.
Enabling/Disabling Learned Port Security
By default, LPS is disabled on all switch ports. To enable LPS on a port, use the port-security command.
For example, the following command enables LPS on port 1 of slot 4:
-> port-security 4/1 enable
To enable LPS on multiple ports, specify a range of ports or multiple slots. For example:
-> port-security 4/1-5 enable
-> port-security 5/12-20 6/10-15 enable
Note that when LPS is enabled on an active port, all MAC addresses learned on that port prior to the time
LPS was enabled are cleared from the source learning MAC address table.
To disable LPS on a port, use the port-security command with the disable parameter. For example, the
following command disables LPS on a range of ports:
-> port-security 5/21-24 6/1-4 disable
When LPS is disabled on a port, MAC address entries for that port are retained in the LPS table. The next
time LPS is enabled on the port, the same LPS table entries are again active. If there is a switch reboot
before the switch configuration is saved, however, dynamic MAC address entries are discarded from the
table.
Use the no form of this command to disable LPS and clear all entries (configured and dynamic) in the
LPS table for the specified port. For example:
-> no port-security 5/10
Configuring a Source Learning Time Limit
By default, the source learning time limit is disabled. Use the port-security shutdown command to set the
number of minutes the source learning window is to remain open for LPS ports. While this window is
open, source MAC addresses that comply with LPS port restrictions are authorized for learning on the
related LPS port. The following actions trigger the start of the source learning timer:
• The port-security shutdown command. Each time this command is issued, the timer restarts even if a
current window is still open or a previous window has expired.
• Switch reboot with a port-security shutdown command entry saved in the boot.cfg file.
The LPS source learning time limit is a switch-wide parameter that applies to all LPS enabled ports, not
just one or a group of LPS ports. The following command example sets the time limit value to 30 minutes:
-> port-security shutdown 30
Once the time limit value expires, source learning of any new dynamic MAC addresses is stopped on all
LPS ports even if the number of addresses learned does not exceed the maximum allowed.
Note. Source learning of configured authorized MAC addresses is still allowed after the LPS time limit
has expired; however, all learning is stopped if the number of MAC addresses learned meets or exceeds
the maximum number of addresses allowed, even if the LPS time limit has not expired.
Configuring the Number of MAC Addresses Allowed
By default, one MAC address is allowed on an LPS port. To change this number, enter port-security
followed by the port’s slot/port designation then maximum followed by a number between 1 and 100. For
example, the following command sets the maximum number of MAC addresses learned on port 10 of slot
6 to 75:
-> port-security 6/10 maximum 75
To specify a maximum number of MAC addresses allowed for multiple ports, specify a range of ports or
multiple slots. For example:
-> port-security 1/10-15 maximum 10
-> port-security 2/1-5 4/2-8 5/10-14 maximum 25
Note that configured MAC addresses count towards the maximum number allowed. For example, if there
are 10 configured authorized MAC addresses for an LPS port and the maximum number of addresses
allowed is set to 15, then only 5 dynamically learned MAC addresses are allowed on this port.
If the maximum number of MAC addresses allowed is reached before the switch LPS time limit expires,
then all source learning of dynamic and configured MAC addresses is stopped on the LPS port.
Configuring Authorized MAC Addresses
To configure a single source MAC address entry in the LPS table, enter port-security followed by the
port’s slot/port designation, then mac followed by a valid MAC address. For example, the following
command configures a MAC address for port 4 on slot 6:
-> port-security 6/4 mac 00:20:da:9f:58:0c
To configure a single source MAC address entry for multiple ports, specify a range of ports or multiple
slots. For example:
-> port-security 4/1-5 mac 00:20:95:41:2e:3f
-> port-security 5/12-20 6/10-15 mac 00:20:da:cf:59:4a
Use the no form of this command to clear configured and/or dynamic MAC address entries from the LPS
table. For example, the following command removes a MAC address entry for port 12 of slot 4 from the
LPS table:
-> port-security 4/12 no mac 00:20:95:00:fa:5c
Note that when a MAC address is cleared from the LPS table, it is automatically cleared from the source
learning MAC address table at the same time.
Configuring an Authorized MAC Address Range
By default, each LPS port is set to a range of 00:00:00:00:00:00–ff:ff:ff:ff:ff:ff, which includes all MAC
addresses. If this default is not changed, then addresses received on LPS ports are subject only to the
source learning time limit and maximum number of MAC addresses allowed restrictions for the port.
To configure a source MAC address range for an LPS port, enter port-security followed by the port’s
slot/port designation, then mac-range followed by low and a MAC address, then high and a MAC
address. For example, the following command configures a MAC address range for port 1 on slot 4:
-> port-security 4/1 mac-range low 00:20:da:00:00:10 high 00:20:da:00:00:50
To configure a source MAC address range for multiple ports, specify a range of ports or multiple slots. For
example:
-> port-security 4/1-5 mac-range low 00:20:da:00:00:10 high 00:20:da:00:00:50
-> port-security 2/1-4 4/5-8 mac-range low 00:20:d0:59:0c:9a high 00:20:d0:59:0c:9f
To set the range back to the default values, enter port-security followed by the port’s slot/port designation then mac-range. Leaving off the low and high MAC addresses will reset the range back to
00:00:00:00:00:00 and ff:ff:ff:ff:ff:ff. For example, the following command sets the authorized MAC
address range to the default values for port 12 of slot 4:
-> port-security 4/12 mac-range
In addition, specifying a low end MAC and a high end MAC is optional. If either one is not specified, the
default value is used. For example, the following commands set the authorized MAC address range on the
specified ports to 00:da:25:59:0c:10–ff:ff:ff:ff:ff:ff and 00:00:00:00:00:00–00:da:25:00:00:9a:
-> port-security 2/8 mac-range low 00:da:25:59:0c:10
-> port-security 2/10 mac-range high 00:da:25:00:00:9a
Refer to the OmniSwitch CLI Reference Guide for more information about this command.
Selecting the Security Violation Mode
By default, the security violation mode for an LPS port is set to restrict. In this mode, when an unauthorized MAC address is received on an LPS port, the packet containing the address is blocked. However, all
other packets that contain an authorized source MAC address are allowed to forward on the port.
Note that unauthorized source MAC addresses are not learned in the LPS table but are still recorded in the
source learning MAC address table with a filtered operational status. This allows the user to view MAC
addresses that were attempting unauthorized access to the LPS port.
The other violation mode option is shutdown. In this mode, the LPS port is disabled when an unauthorized MAC address is received; all traffic is prevented from forwarding on the port. After a shutdown
occurs, a manual reset is required to return the port back to normal operation.
To configure the security violation mode for an LPS port, enter port-security followed by the port’s
slot/port designation, then violation followed by restrict or shutdown. For example, the following
command selects the shutdown mode for port 1 on slot 4:
-> port-security 4/1 violation shutdown
To configure the security violation mode for multiple LPS ports, specify a range of ports or multiple slots.
For example:
-> port-security 4/1-10 violation shutdown
-> port-security 1/10-15 2/1-10 violation restrict
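The following Python model, added here as an illustration and not part of this guide or of Alcatel's switch software, ties together the decision table in "How LPS Authorizes Source MAC Addresses", the rule that configured entries count toward the port maximum, and the two violation modes described in this section. Names such as LpsPort, authorize and receive are assumptions made for the example; window_open stands for the switch-wide timer set with port-security shutdown. One behaviour the chapter leaves implicit is also assumed: a source MAC outside a non-default mac-range is treated as unauthorized.

```python
"""Model of the LPS source-MAC authorization rules described in this chapter.

Added example, not Alcatel code. It follows the decision table in "How LPS
Authorizes Source MAC Addresses", the rule that configured entries count
toward the maximum, and the restrict/shutdown violation modes. Names are
assumptions; so is treating a MAC outside a non-default mac-range as
unauthorized.
"""
from dataclasses import dataclass, field

ALL_LOW = "00:00:00:00:00:00"
ALL_HIGH = "ff:ff:ff:ff:ff:ff"


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into an integer; reject anything else."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(parts), 16)


@dataclass
class LpsPort:
    """LPS state for one port (port-security <slot/port> ...)."""
    maximum: int = 1                 # port-security ... maximum N (default 1)
    violation: str = "restrict"      # port-security ... violation {restrict|shutdown}
    low: str = ALL_LOW               # port-security ... mac-range low/high
    high: str = ALL_HIGH
    configured: set = field(default_factory=set)   # static LPS table entries
    dynamic: set = field(default_factory=set)      # dynamically learned LPS entries
    mac_table: dict = field(default_factory=dict)  # source learning table: mac -> status
    shut_down: bool = False
    log: list = field(default_factory=list)        # stands in for the Switch Logging task

    def __post_init__(self):
        self.configured = {m.lower() for m in self.configured}

    def lps_count(self) -> int:
        # configured addresses count toward the maximum, so they occupy slots
        return len(self.configured) + len(self.dynamic)

    def in_range(self, mac: str) -> bool:
        return mac_to_int(self.low) <= mac_to_int(mac) <= mac_to_int(self.high)


def authorize(port: LpsPort, mac: str, window_open: bool):
    """Apply the chapter's decision table. Returns (authorized, reason)."""
    if port.shut_down:
        return False, "port disabled by an earlier violation; manual reset required"
    if mac in port.dynamic:
        return True, "matches dynamically learned LPS entry"
    if mac in port.configured:
        # "Yes; entry matches" rows: allowed even after the time limit expires,
        # but blocked if the LPS table already holds more than the maximum
        if port.lps_count() > port.maximum:
            return False, "maximum number of MAC addresses exceeded"
        return True, "matches configured LPS entry"
    if not port.in_range(mac):
        return False, "outside configured mac-range"   # assumption, see docstring
    # "No entry" / "entry doesn't match" rows: a new address needs a free slot
    # and an open source learning window
    if port.lps_count() >= port.maximum:
        return False, "maximum number of MAC addresses reached"
    if not window_open:
        return False, "source learning time limit expired"
    return True, "learned within source learning window"


def receive(port: LpsPort, mac: str, window_open: bool) -> str:
    """Process one frame's source MAC; returns forwarded / blocked / shutdown."""
    mac = mac.lower()
    ok, reason = authorize(port, mac, window_open)
    if ok:
        if mac not in port.configured:
            port.dynamic.add(mac)            # becomes criteria for later frames
        port.mac_table[mac] = "forwarding"   # entry in the source learning table
        return "forwarded"
    port.log.append(f"LPS violation: {mac}: {reason}")
    if port.violation == "shutdown":
        port.shut_down = True
        port.mac_table.clear()   # port goes down: MAC table cleared, LPS table kept
        return "shutdown"
    # restrict mode: only this address is blocked; it is recorded as filtered
    port.mac_table[mac] = "filtered"
    return "blocked"
```

Walking frames through receive with the window open and then closed reproduces each row of the table; the shutdown path also shows why the violation mode matters operationally: once a port is shut down, even previously authorized stations stay dark until the port is reset by hand.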
Displaying Learned Port Security Information
To display LPS port and table information, use the show commands listed below:
show port-security             Displays Learned Port Security configuration values as well as MAC addresses learned on the port.
show port-security shutdown    Displays the current time limit value set for source learning on all LPS enabled ports.
For more information about the resulting display from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show port-security and show port-security shutdown
commands is also given in “Sample Learned Port Security Configuration” on page 4-3.
5 Configuring VLANs
In a flat bridged network, a broadcast domain is confined to a single LAN segment or even a specific
physical location, such as a department or building floor. In a switch-based network, such as one
comprised of Alcatel switching systems, a broadcast domain—or VLAN— can span multiple physical
switches and can include ports from a variety of media types. For example, a single VLAN could span
three different switches located in different buildings and include 10/100 Ethernet, Gigabit Ethernet,
802.1q tagged ports and/or a link aggregate of ports.
In This Chapter
This chapter describes how to define and manage VLAN configurations through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of
commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• “Creating/Modifying VLANs” on page 5-5.
• “Defining VLAN Port Assignments” on page 5-7.
• “Enabling/Disabling VLAN Mobile Tag Classification” on page 5-9.
• “Enabling/Disabling Spanning Tree for a VLAN” on page 5-10.
• “Enabling/Disabling VLAN Authentication” on page 5-11.
• “Configuring VLAN Router Interfaces” on page 5-11.
• “Bridging VLANs Across Multiple Switches” on page 5-14.
• “Verifying the VLAN Configuration” on page 5-15.
For information about statically and dynamically assigning switch ports to VLANs, see Chapter 7,
“Assigning Ports to VLANs.”
For information about defining VLAN rules that allow dynamic assignment of mobile ports to a VLAN,
see Chapter 9, “Defining VLAN Rules.”
For information about Spanning Tree, see Chapter 6, “Configuring Spanning Tree Parameters.”
For information about routing, see Chapter 12, “Configuring IP.”
For information about Layer 2 VLAN authentication, see Chapter 22, “Configuring Authenticated
VLANs.”
VLAN Specifications
RFCs Supported: 2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
IEEE Standards Supported: 802.1Q - Virtual Bridged Local Area Networks; 802.1D - Media Access Control Bridges
Maximum VLANs per switch: 4094 (based on switch configuration and available resources)
Maximum VLAN port associations per switch: 32768
Maximum IP router interfaces per switch: 4094 (based on switch configuration and available resources)
Maximum IPX router interfaces per switch: 256
Maximum IP router interfaces per VLAN: 8
Maximum Spanning Tree VLANs per switch: 252
Maximum authenticated VLANs per switch: 128
MAC Router Mode Supported: Single
CLI Command Prefix Recognition: All VLAN management commands support prefix recognition. See the "Using the CLI" chapter in the OmniSwitch 6800/6850/9000 Switch Management Guide for more information.
VLAN Defaults
Parameter Description          Command               Default
VLAN identifier (VLAN ID)      vlan                  VLAN 1 predefined on each switch.
VLAN administrative state      vlan                  Enabled
VLAN description               vlan name             VLAN identifier (VLAN ID)
VLAN Spanning Tree state       vlan stp              Enabled (Disabled if VLAN count exceeds 254)
VLAN mobile tag status         vlan mobile-tag       Disabled
VLAN IP router interface       ip interface          VLAN 1 router interface.
VLAN IPX router interface      vlan router ipx       No router interface defined.
VLAN authentication status     vlan authentication   Disabled
VLAN port associations         vlan port default     All ports initially associated with default VLAN 1.
Sample VLAN Configuration
The following steps provide a quick tutorial that will create VLAN 255. Also included are steps to define
a VLAN description, IP router interface, and static switch port assignments.
Note. Optional. Creating a new VLAN involves specifying a VLAN ID that is not already assigned to an
existing VLAN. To determine if a VLAN already exists in the switch configuration, enter show vlan. If
VLAN 255 does not appear in the show vlan output, then it does not exist on the switch. For example,
-> show vlan
 vlan   admin   oper   stree   auth   ip    ipx   mble tag   name
------+-------+------+-------+------+-----+-----+----------+-----------
    1   on      off    on      off    off   NA    off        VLAN 1
   30   on      off    on      off    off   NA    on         VLAN 30
  400   on      off    on      off    off   NA    on         VLAN 400
1 Create VLAN 255 with a description (e.g., Finance IP Network) using the following command:
-> vlan 255 name “Finance IP Network”
2 Define an IP router interface using the following command to assign an IP host address of 21.0.0.10 to
VLAN 255 that will enable routing of VLAN traffic to other subnets:
-> ip interface vlan-255 address 21.0.0.10 vlan 255
3 Assign switch ports 2 through 4 on slot 3 to VLAN 255 using the following command:
-> vlan 255 port default 3/2-4
Note. Optional. To verify the VLAN 255 configuration, use the show vlan command. For example:
-> show vlan 255
Name                     : Finance IP Network,
Administrative State     : enabled,
Operational State        : disabled,
1x1 Spanning Tree State  : enabled,
Flat Spanning Tree State : enabled,
Authentication           : disabled,
IP Router Port           : 21.0.0.10 255.0.0.0 forward e2,
IPX Router Port          : none
Mobile Tag               : off
To verify that ports 3/2-4 were assigned to VLAN 255, use the show vlan port command. For example:
-> show vlan 255 port
 port    type      status
--------+---------+-------------
 3/2     default   inactive
 3/3     default   inactive
 3/4     default   inactive
VLAN Management Overview
One of the main benefits of using VLANs to segment network traffic is that VLAN configuration and port
assignment are handled through switch software. This eliminates the need to physically change a network
device connection or location when adding or removing devices from the VLAN broadcast domain. The
VLAN management software handles the following VLAN configuration tasks performed on an Alcatel
switch:
• Creating or modifying VLANs.
• Assigning or changing default VLAN port associations (VPAs).
• Enabling or disabling VLAN participation in the current Spanning Tree algorithm.
• Enabling or disabling classification of mobile port traffic by 802.1Q tagged VLAN ID.
• Enabling or disabling VLAN authentication.
• Defining VLAN IPX router interfaces to enable routing of VLAN IPX traffic.
• Enabling or disabling unique MAC address assignments for each router VLAN defined.
• Displaying VLAN configuration information.
In addition to the above tasks, VLAN management software tracks and reports the following information
to other switch software applications:
• VLAN configuration changes, such as adding or deleting VLANs, modifying the status of VLAN properties (e.g., administrative, Spanning Tree, and authentication status), changing the VLAN description, or configuring VLAN router interfaces.
• VLAN port associations triggered by VLAN management and other switch software applications, such
as 802.1Q VLAN tagging and dynamic mobile port assignment.
• The VLAN operational state, which is inactive until at least one active switch port is associated with
the VLAN.
Creating/Modifying VLANs
The initial configuration for all Alcatel switches consists of a default VLAN 1 and all switch ports are
initially assigned to this VLAN. When a switching module is added to the switch, the module’s physical
ports are also assigned to VLAN 1. If additional VLANs are not configured on the switch, then the entire
switch is treated as one large broadcast domain. All ports will receive all traffic from all other ports.
Up to 4094 VLANs are supported per switch, including default VLAN 1. In compliance with the IEEE
802.1Q standard, each VLAN is identified by a unique number, referred to as the VLAN ID. The user specifies a VLAN ID to create, modify or remove a VLAN and to assign switch ports to a VLAN. When a
packet is received on a port, the port’s VLAN ID is inserted into the packet. The packet is then bridged to
other ports that are assigned to the same VLAN ID. In essence, the VLAN broadcast domain is defined by
a collection of ports and packets assigned to its VLAN ID.
The operational status of a VLAN remains inactive until at least one active switch port is assigned to the
VLAN. This means that VLAN properties, such as Spanning Tree or router interfaces, also remain inactive. Ports are considered active if they are connected to an active network device. Non-active port assignments are allowed, but do not change the VLAN’s operational state.
Ports are either statically or dynamically assigned to VLANs. When a port is assigned to a VLAN, a
VLAN port association (VPA) is created and tracked by VLAN management switch software. For more
information about VPAs, see “Defining VLAN Port Assignments” on page 5-7 and Chapter 7, “Assigning
Ports to VLANs.”
Adding/Removing a VLAN
To add a VLAN to the switch configuration, enter vlan followed by a unique VLAN ID number between
2 and 4094, an optional administrative status, and an optional description. For example, the following
command creates VLAN 755 with a description:
-> vlan 755 enable name “IP Finance Network”
By default, administrative status and Spanning Tree are enabled when the VLAN is created and the VLAN
ID is used for the description if one is not specified. Note that quotation marks are required if the description contains multiple words separated by spaces. If the description consists of only one word or multiple
words separated by another character, such as a hyphen, then quotes are not required.
On the OmniSwitch 6800 and 6850, it is also possible to specify a range of VLAN IDs with the vlan
command. Use a hyphen to indicate a contiguous range and a space to separate multiple VLAN ID entries.
For example, the following command creates VLANs 10 through 15, 100 through 105, and VLAN 200 on
the switch:
-> vlan 10-15 100-105 200 name “Marketing Network”
To remove a VLAN from the switch configuration, use the no form of the vlan command.
-> no vlan 755
-> no vlan 100-105
-> no vlan 10-15 200
When a VLAN is deleted, any router interfaces defined for the VLAN are removed and all VLAN port
associations are dropped. For more information about VLAN router interfaces, see “Configuring VLAN
Router Interfaces” on page 5-11.
Note that up to 253 Spanning Tree instances per switch are supported in the 1x1 Spanning Tree mode.
Since each VLAN with Spanning Tree enabled uses one of these instances, only 253 VLANs can have an
active Spanning Tree instance at any given time.
To create more than 253 VLANs on a switch running in the 1x1 Spanning Tree mode, use the vlan stp
disable, vlan 1x1 stp disable, or vlan flat stp disable command to create a VLAN with Spanning Tree
disabled. See “Enabling/Disabling Spanning Tree for a VLAN” on page 5-10 for more information.
To view a list of VLANs already configured on the switch, use the show vlan command. See “Verifying
the VLAN Configuration” on page 5-15 for more information.
Enabling/Disabling the VLAN Administrative Status
To enable or disable the administrative status for an existing VLAN, enter vlan followed by an existing
VLAN ID and either enable or disable.
-> vlan 755 disable
-> vlan 255 enable
When the administrative status for a VLAN is disabled, VLAN port assignments are retained but traffic is
not forwarded on these ports. If any rules were defined for the VLAN, they are also retained and continue
to classify mobile port traffic. See Chapter 9, “Defining VLAN Rules,” for more information.
Modifying the VLAN Description
To change the description for a VLAN, enter vlan followed by an existing VLAN ID and the keyword
name followed by the new description (up to 32 characters). For example, the following command
changes the description for VLAN 455 to “Marketing IP Network”:
-> vlan 455 name “Marketing IP Network”
Note that quotation marks are required if the description consists of multiple words separated by spaces. If
the description consists of only one word or words are separated by another character, such as a hyphen,
then quotes are not required. For example,
-> vlan 455 name Marketing-IP-Network
Defining VLAN Port Assignments
Alcatel switches support static and dynamic assignment of physical switch ports to a VLAN. Regardless
of how a port is assigned to a VLAN, once the assignment occurs, a VLAN port association (VPA) is
created and tracked by VLAN management software on each switch. To view current VLAN port assignments in the switch configuration, use the show vlan port command.
Methods for statically assigning ports to VLANs include the following:
• Using the vlan port default command to define a new configured default VLAN for both non-mobile
(fixed) and mobile ports. (See “Changing the Default VLAN Assignment for a Port” on page 5-7.)
• Using the vlan 802.1q command to define tagged VLANs for non-mobile ports. This method allows
the switch to bridge traffic for multiple VLANs over one physical port connection. (See Chapter 11,
“Configuring 802.1Q.”)
• Configuring ports as members of a link aggregate that is assigned to a configured default VLAN. (See
Chapter 13, “Configuring Static Link Aggregation,” and Chapter 14, “Configuring Dynamic Link
Aggregation,” for more information.)
Dynamic assignment applies only to mobile ports. When traffic is received on a mobile port, the packets
are classified using one of the following methods to automatically determine VLAN assignment (see
Chapter 7, “Assigning Ports to VLANs,” for more information):
• Packet is tagged with a VLAN ID that matches the ID of another VLAN that has mobile tagging
enabled. (See “Enabling/Disabling VLAN Mobile Tag Classification” on page 5-9.)
• Packet contents match the criteria defined in a VLAN rule. (See “Configuring VLAN Rule Classification” on page 5-8 and Chapter 9, “Defining VLAN Rules.”)
Changing the Default VLAN Assignment for a Port
To assign a switch port to a new default VLAN, enter vlan followed by an existing VLAN ID number,
port default, then the slot/port designation. For example, the following command assigns port 5 on slot 2
to VLAN 955:
-> vlan 955 port default 2/5
All ports initially belong to default VLAN 1. When the vlan port default command is used, the port’s
default VLAN assignment is changed to the specified VLAN. In the above example, VLAN 955 is now
the default VLAN for port 5 on slot 2 and this port is no longer associated with VLAN 1.
The vlan port default command is also used to change the default VLAN assignment for an aggregate of
ports. The link aggregate control number is specified instead of a slot and port. For example, the following command assigns link aggregate 10 to VLAN 755:
-> vlan 755 port default 10
For more information about configuring an aggregate of ports, see Chapter 13, “Configuring Static Link
Aggregation,” and Chapter 14, “Configuring Dynamic Link Aggregation.”
Use the no form of the vlan port default command to remove a default VPA. When this is done, VLAN 1
is restored as the port’s default VLAN.
-> vlan 955 no port default 2/5
Configuring Dynamic VLAN Port Assignment
Configuring the switch to allow dynamic VLAN port assignment requires the following steps:
1 Use the vlan port mobile command to enable mobility on switch ports that will participate in dynamic
VLAN assignment. See Chapter 7, “Assigning Ports to VLANs,” for detailed procedures.
2 Enable/disable mobile port properties that determine mobile port behavior. See Chapter 7, “Assigning
Ports to VLANs,” for detailed procedures.
3 Create VLANs that will receive and forward mobile port traffic. See “Adding/Removing a VLAN” on
page 5-5 for more information.
4 Configure the method of traffic classification (VLAN rules or tagged VLAN ID) that will trigger
dynamic assignment of mobile ports to the VLANs created in Step 3. See “Configuring VLAN Rule Classification” on page 5-8 and “Enabling/Disabling VLAN Mobile Tag Classification” on page 5-9.
Once the above configuration steps are completed, dynamic VLAN assignment occurs when a device
connected to a mobile port starts to send traffic. This traffic is examined by switch software to determine
which VLAN should carry the traffic based on the type of classification, if any, defined for a particular
VLAN.
Note that VLAN mobile tag classification takes precedence over VLAN rule classification. If a mobile
port receives traffic that matches a VLAN rule and also has an 802.1Q VLAN ID tag for a VLAN with
mobile tagging enabled, the port is dynamically assigned to the mobile tag VLAN and not the matching
rule VLAN.
See Chapter 7, “Assigning Ports to VLANs,” and Chapter 9, “Defining VLAN Rules,” for more information and examples of dynamic VLAN port assignment.
Configuring VLAN Rule Classification
VLAN rule classification triggers dynamic VLAN port assignment when traffic received on a mobile port
matches the criteria defined in a VLAN rule. Different rule types are available for classifying different
types of network device traffic. It is possible to define multiple rules for one VLAN and rules for multiple
VLANs.
The following table provides a list of commands used to define the various types of VLAN rules. For more
detailed information about rule criteria and classification, see Chapter 9, “Defining VLAN Rules.”
Rule Types          Command
DHCP                vlan dhcp mac
                    vlan dhcp mac range
                    vlan dhcp port
                    vlan dhcp generic
Binding             vlan binding mac-ip-port
                    vlan binding mac-port-protocol
                    vlan binding mac-port
                    vlan binding mac-ip
                    vlan binding ip-port
                    vlan binding port-protocol
MAC address         vlan mac
                    vlan mac range
Network address     vlan ip
                    vlan ipx
Protocol            vlan protocol
Port                vlan port
Enabling/Disabling VLAN Mobile Tag Classification
Use the vlan mobile-tag command to enable or disable the classification of mobile port packets based on
802.1Q VLAN ID tag. For example, the following commands enable the mobile tag attribute for VLAN
1525 and disable it for VLAN 224:
-> vlan 1525 mobile-tag enable
-> vlan 224 mobile-tag disable
If a mobile port that is statically assigned to VLAN 10 receives an 802.1Q tagged packet with a VLAN ID
of 1525, the port and packet are dynamically assigned to VLAN 1525. In this case, the mobile port now
has a VLAN port association defined for VLAN 10 and for VLAN 1525. If a mobile port, however,
receives a tagged packet containing a VLAN ID tag of 224, the packet is discarded because the VLAN
mobile tag classification attribute is disabled on VLAN 224.
In essence, the VLAN mobile tag attribute provides a dynamic 802.1Q tagging capability. Mobile ports
can now receive and process 802.1Q tagged packets destined for a VLAN that has this attribute enabled.
This feature also allows the dynamic assignment of mobile ports to more than one VLAN at the same
time, as discussed in the above example.
VLAN mobile tagging differs from 802.1Q tagging as follows:
VLAN Mobile Tag                                       802.1Q Tag
Allows mobile ports to receive 802.1Q tagged          Not supported on mobile ports.
packets.
Enabled on the VLAN that will receive tagged          Enabled on fixed ports; tags port traffic for the
mobile port traffic.                                  destination VLAN.
Triggers dynamic assignment of tagged mobile          Statically assigns (tags) fixed ports to one or
port traffic to one or more VLANs.                    more VLANs.
If 802.1Q tagging is required on a fixed (non-mobile) port, then the vlan 802.1q command is still used to
statically tag VLANs for the port. See Chapter 11, “Configuring 802.1Q,” for more information.
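The classification order described in this section and in “Configuring Dynamic VLAN Port Assignment” (mobile-tag classification before VLAN rules; a tag for a VLAN without mobile tagging is discarded; a disabled VLAN still classifies but does not forward), as an added example that is not part of the guide. The VLAN IDs, MAC addresses, port 2/5 and the rule predicates are constructed sample values; the predicates stand in for vlan mac and vlan protocol rules.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    """A frame received on a mobile port. vlan_tag is the 802.1Q VLAN ID,
    or None if the frame is untagged."""
    src_mac: str
    vlan_tag: Optional[int] = None
    ethertype: str = "ip"


@dataclass
class Vlan:
    vid: int
    mobile_tag: bool = False                    # 'vlan <vid> mobile-tag enable'
    admin_enabled: bool = True                  # 'vlan <vid> enable|disable'
    rules: list = field(default_factory=list)   # predicates standing in for VLAN rules


@dataclass
class MobilePort:
    name: str
    default_vlan: int                           # configured default VLAN (VLAN 1 unless changed)
    vpas: set = field(default_factory=set)      # VLAN port associations, static and dynamic

    def __post_init__(self):
        self.vpas.add(self.default_vlan)


def classify(port: MobilePort, frame: Frame, vlans: dict) -> Optional[int]:
    """Return the VLAN the frame is classified into, or None if it is discarded.
    Mobile-tag classification takes precedence over VLAN rule classification."""
    if frame.vlan_tag is not None:
        tagged = vlans.get(frame.vlan_tag)
        if tagged is None or not tagged.mobile_tag:
            return None                  # tagged for a VLAN without mobile-tag: dropped
        port.vpas.add(tagged.vid)        # dynamic VPA; the default VPA is kept as well
        return tagged.vid
    for vlan in vlans.values():
        if any(rule(frame) for rule in vlan.rules):
            port.vpas.add(vlan.vid)
            return vlan.vid
    return port.default_vlan             # no rule matched: stays in the default VLAN


def forwards(vid: Optional[int], vlans: dict) -> bool:
    """A disabled VLAN retains its rules and VPAs but does not forward traffic."""
    return vid is not None and vlans[vid].admin_enabled


def demo():
    """Constructed VLANs and frames reproducing the chapter's example."""
    vlans = {
        10: Vlan(10),
        1525: Vlan(1525, mobile_tag=True),
        224: Vlan(224, mobile_tag=False),
        # constructed MAC rule, the kind defined with 'vlan <vid> mac'
        30: Vlan(30, rules=[lambda f: f.src_mac.lower().startswith("00:20:da")]),
        # constructed protocol rule on an administratively disabled VLAN
        40: Vlan(40, admin_enabled=False, rules=[lambda f: f.ethertype == "ipx"]),
    }
    port = MobilePort("2/5", default_vlan=10)
    frames = [
        Frame("00:20:da:00:00:01", vlan_tag=1525),    # tag and matching rule: tag wins
        Frame("00:20:da:00:00:01", vlan_tag=224),     # tag for VLAN without mobile-tag
        Frame("00:20:da:00:00:01"),                   # untagged, matches VLAN 30 rule
        Frame("00:00:0c:00:00:02"),                   # untagged, no rule: default VLAN
        Frame("00:00:0c:00:00:03", ethertype="ipx"),  # classified into disabled VLAN 40
    ]
    results = [classify(port, f, vlans) for f in frames]
    return results, [forwards(v, vlans) for v in results], sorted(port.vpas)


if __name__ == "__main__":
    print(demo())
```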
Enabling/Disabling Spanning Tree for a VLAN
When a VLAN is created, an 802.1D standard Spanning Tree Algorithm and Protocol (STP) instance is
enabled for the VLAN by default. On the OmniSwitch 6800 and 6850, an 802.1w Rapid Spanning Tree
Algorithm and Protocol (RSTP) instance is enabled for the VLAN by default.
The spanning tree operating mode set for the switch determines how VLAN ports are evaluated to identify
redundant data paths. If the Spanning Tree switch operating mode is set to flat, then VLAN port connections are checked against other VLAN port connections for redundant data paths. Note that the single flat
mode STP instance is referred to as instance 1 or the CIST (Common and Internal Spanning Tree)
instance, depending on which STP protocol is active.
In the flat mode, if STP instance 1 or the CIST instance is disabled, then it is disabled for all configured
VLANs. However, disabling STP on an individual VLAN will exclude only that VLAN’s ports from the
flat STP algorithm.
If the Spanning Tree operating mode is set to 1x1, there is a single Spanning Tree instance for each VLAN
broadcast domain. Enabling or disabling STP on a VLAN in this mode will include or exclude the VLAN
from the 1x1 STP algorithm.
The vlan stp command is used to enable/disable a Spanning Tree instance for an existing VLAN. In the
following examples, Spanning Tree is disabled on VLAN 255 and enabled on VLAN 755:
-> vlan 255 stp disable
-> vlan 755 stp enable
Note the following when using the vlan stp command. For more information about the vlan stp command,
see the OmniSwitch CLI Reference Guide:
• If the VLAN ID specified with this command is that of a VLAN that does not exist, the VLAN is automatically created.
• This command configures the VLAN STP status for both the 1x1 and flat Spanning Tree modes. Using
the 1x1 or flat parameter with this command configures the STP status only for the mode specified by
the parameter.
• Up to 253 Spanning Tree instances per switch are supported in the 1x1 Spanning Tree mode. Since
each VLAN with Spanning Tree enabled uses one of these instances, only 253 VLANs can have an
active Spanning Tree instance at any given time.
• To create more than 253 VLANs on a switch running in the 1x1 Spanning Tree mode, use the vlan stp
disable, vlan 1x1 stp disable, or vlan flat stp disable form of this command to create a VLAN with
Spanning Tree disabled.
STP does not become operationally active on a VLAN unless the VLAN is operationally active, which
occurs when at least one active port is assigned to the VLAN. Also, STP is enabled/disabled on individual
ports. So even if STP is enabled for the VLAN, a port assigned to that VLAN must also have STP enabled.
See Chapter 6, “Configuring Spanning Tree Parameters.”
Enabling/Disabling VLAN Authentication
Layer 2 authentication uses VLAN membership to grant access to network resources. Authenticated
VLANs control membership through a log-in process; this is sometimes called user authentication. A
VLAN must have authentication enabled before it can participate in the Layer 2 authentication process.
To enable/disable authentication on an existing VLAN, use the vlan authentication command. For example, the following commands enable authentication on VLAN 955 and disable it on VLAN 455:
-> vlan 955 authentication enable
-> vlan 455 authentication disable
Once authentication is enabled on a VLAN, then only authenticated mobile port devices can join the
VLAN after completing the appropriate log-in process. To enable authentication on a mobile port, use the
vlan port authenticate command. For more information about mobile port commands and Layer 2
authentication for Alcatel switches, see Chapter 7, “Assigning Ports to VLANs,” and Chapter 22, “Configuring Authenticated VLANs.”
Configuring VLAN Router Interfaces
Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the
same VLAN. However, if a device needs to communicate with another device that belongs to a different
VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs. Bridging makes the
decision on where to forward packets based on the packet’s destination MAC address; routing makes the
decision on where to forward packets based on the packet’s IP or IPX network address (e.g., IP 21.0.0.10, IPX - 210A).
Alcatel switches support routing of IP and IPX traffic. A VLAN is available for routing when at least one
router interface is defined for that VLAN and at least one active port is associated with the VLAN. Up to
eight IP interfaces and one IPX interface can be configured for each VLAN. The maximum number of IP
interfaces allowed for the entire switch is 4094.
If a VLAN does not have a router interface, the ports associated with that VLAN are in essence firewalled
from other VLANs. For information about how to configure router interfaces, see Chapter 12, “Configuring IP,” and “Configuring an IPX Router Interface” on page 5-12.
Configuring an IPX Router Interface
Use the vlan router ipx command to define an IPX router interface for an existing VLAN. Specify the
following when using this command:
1 The VLAN ID of the router VLAN (can only specify an existing VLAN).
2 The IPX network address to assign to the router interface. An IPX network address consists of eight
hex characters (e.g., 4001690D or 0000210A). If fewer than eight hex digits are specified, the address is
prefixed with zeros to equal eight digits. For example, if 950A is entered, the actual IPX network address
value is 0000950A.
3 Select one of the following keywords to change the advertisement mode. By default, the advertisement
mode is set to active (RIP and SAP updates are processed):
IPX advertisement mode keywords
rip
active
inactive
triggered
4 IPX router encapsulation (defaults to Ethernet-II). Select one of the following keywords to change the
encapsulation:
IPX encapsulation keywords
e2 or ethernet2
novell
llc
snap
5 A 16-bit value between 0 (the default) and 65535 that specifies the number of ticks for the IPX delay
time. A tick is approximately 1/18th of a second.
The following vlan router ipx command example configures an IPX router interface for VLAN 955 with
an IPX network address of 0000950A that will process RIP and SAP updates, use Ethernet-II encapsulation when generating packets, and have a zero tick delay time value:
-> vlan 955 router ipx 950A active e2 timeticks 0
Specifying the advertisement mode, encapsulation, and delay time value in ticks is optional, so it is not
necessary to enter these parameters as part of the command to accept their default values. For example,
either one of the following commands will create an IPX router interface for VLAN 855 with the same
properties:
-> vlan 855 router ipx 8500100A active e2 timeticks 0
-> vlan 855 router ipx 8500100A
To remove an IPX router interface from a VLAN, use the no form of the vlan router ipx command.
-> vlan 855 no router ipx
Modifying an IPX Router Interface
The vlan router ipx command is also used to modify one or more existing IPX router interface parameter
values. For example, the following command changes the existing router interface IPX address for VLAN
955 to 1000450C:
-> vlan 955 router ipx 1000450C
It is not necessary to first remove the IPX router interface from the VLAN. The changes specified will
overwrite existing parameter values. For example, the following command changes the advertisement
mode to RIP only, the encapsulation to LLC, and the delay time value to 1500. The IPX address is not
changed in this example, but is required as part of the command syntax to identify a change to the router
interface:
-> vlan 955 router ipx 1000450C rip llc timeticks 10
Use the show vlan command to verify IPX router changes. For more information about this command, see
the OmniSwitch CLI Reference Guide.
What is Single MAC Router Mode?
The switch operates only in single MAC router mode. In this mode, each router VLAN is assigned the
same MAC address, which is the base chassis MAC address for the switch. This eliminates the need to
allocate additional MAC addresses if more than 32 router VLANs are defined. The number of router
VLANs allowed then is based on the IP interface configuration. See “Configuring VLAN Router Interfaces” on page 5-11 for more information.
To determine the total number of VLANs configured on the switch, and the number of VLANs with IP
router interfaces configured, use the show vlan router mac status command. For more information about
this command, see the OmniSwitch CLI Reference Guide.
Bridging VLANs Across Multiple Switches
To create a VLAN bridging domain that extends across multiple switches:
1 Create a VLAN on each switch with the same VLAN ID number (e.g., VLAN 10).
2 If using mobile ports for end user device connections, define VLAN rules that will classify mobile port
traffic into the VLAN created in Step 1.
3 On each switch, assign the ports that will provide connections to other switches to the VLAN created in
Step 1.
4 On each switch, assign the ports that will provide connections to end user devices (e.g., workstations)
to the VLAN created in Step 1. (If using mobile ports, this step will occur automatically when the device
connected to the mobile port starts to send traffic.)
5 Connect switches and end user devices to the assigned ports.
The following diagram shows the physical configuration of an example VLAN bridging domain:
[Figure: VLAN Bridging Domain: Physical Configuration. Four OmniSwitch 9700 switches (Switch A, Switch B, Switch C, and Switch D) connected by switch-to-switch ports assigned to VLAN 10, with workstations 138.0.0.2, 138.0.0.3, 138.0.0.4, and 138.0.0.5 attached to VLAN 10 ports.]
In the above diagram, VLAN 10 exists on all four switches and the connection ports between these
switches are assigned to VLAN 10. The workstations can communicate with each other because the ports
to which they are connected are also assigned to VLAN 10. It is important to note that connection cables
do not have to connect to the same port on each switch. The key is that the port must belong to the same
VLAN on each switch. To carry multiple VLANs between switches across a single physical connection
cable, use the 802.1Q tagging feature (see Chapter 11, “Configuring 802.1Q”).
The connection between Switch C and D is shown with a broken line because the ports that provide this
connection are in a blocking state. Spanning Tree is active by default on all switches, VLANs and ports.
The Spanning Tree algorithm determined that if all connections between switches were active, a network
loop would exist that could cause unnecessary broadcast traffic on the network. The path between Switch
C and D was shut down to avoid such a loop. See Chapter 6, “Configuring Spanning Tree Parameters,” for
information about how Spanning Tree configures network topologies that are loop free.
The following diagram shows the same bridging domain example as seen by the end user workstations.
Because traffic between these workstations is bridged across physical switch connections within the
VLAN 10 domain, the workstations are basically unaware that the switches even exist. Each workstation
believes that the others are all part of the same VLAN, even though they are physically connected to
different switches.
[Figure: VLAN Bridging Domain: Logical View. Workstations 138.0.0.2, 138.0.0.3, 138.0.0.4, and 138.0.0.5 all appear as members of a single VLAN 10.]
Creating a VLAN bridging domain across multiple switches and/or stacks of switches allows VLAN
members to communicate with each other, even if they are not connected to the same physical switch.
This is how a logical grouping of users can traverse a physical network setup without routing and is one of
the many benefits of using VLANs.
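Steps 1 through 5 above, and the point that a switch-to-switch port must belong to the same VLAN on each switch, as an added example that is not part of the guide: a small Python model of the bridging domain that checks which stations can reach each other at Layer 2 and confirms that a VLAN with no router interface stays isolated. Switch names, slot/port numbers, the station in VLAN 20 and the deliberately unconfigured uplink port on Switch D are constructed assumptions.

```python
from collections import defaultdict, deque


class BridgingDomain:
    """Switches, their VLAN port associations and the links between them."""

    def __init__(self):
        self.default = {}                # (switch, slot/port) -> configured default VLAN
        self.tagged = defaultdict(set)   # (switch, slot/port) -> 802.1Q tagged VLANs
        self.links = defaultdict(set)    # (switch, slot/port) -> connected (switch, slot/port)
        self.stations = {}               # station name -> (switch, slot/port)

    def vlan_port_default(self, vid, switch, port):
        """'vlan <vid> port default <slot/port>': the port leaves its previous
        default VLAN (VLAN 1 initially) and joins vid."""
        self.default[(switch, port)] = vid

    def vlan_802_1q(self, vid, switch, port):
        """'vlan <vid> 802.1q <slot/port>': add a tagged VLAN to a fixed port."""
        self.tagged[(switch, port)].add(vid)

    def connect(self, end_a, end_b):
        self.links[end_a].add(end_b)
        self.links[end_b].add(end_a)

    def attach(self, station, switch, port):
        self.stations[station] = (switch, port)

    def carries(self, switch, port, vid):
        """All ports belong to VLAN 1 until their default VLAN is changed."""
        key = (switch, port)
        return self.default.get(key, 1) == vid or vid in self.tagged[key]

    def reachable_switches(self, start, vid):
        """Switches reachable from 'start' over links whose ports on both ends
        carry vid; a link with one end still in VLAN 1 does not extend VLAN 10."""
        seen, queue = {start}, deque([start])
        while queue:
            sw = queue.popleft()
            for (s, p), peers in self.links.items():
                if s != sw or not self.carries(s, p, vid):
                    continue
                for ps, pp in peers:
                    if ps not in seen and self.carries(ps, pp, vid):
                        seen.add(ps)
                        queue.append(ps)
        return seen

    def can_reach(self, src, dst):
        """Layer 2 reachability: same VLAN and a VLAN-carrying path between the
        switches. Stations in different VLANs never meet without a router interface."""
        (ssw, sp), (dsw, dp) = self.stations[src], self.stations[dst]
        vid = self.default.get((ssw, sp), 1)
        if self.default.get((dsw, dp), 1) != vid:
            return False
        return dsw in self.reachable_switches(ssw, vid)


def sample_domain():
    """Constructed chain of four switches following the figure: VLAN 10 on the
    switch-to-switch ports, one workstation per switch, plus a VLAN 20 station.
    Switch D's uplink port 3/1 is deliberately left in VLAN 1."""
    d = BridgingDomain()
    uplinks = [("A", "2/1", "B", "3/1"), ("B", "3/2", "C", "2/1"), ("C", "2/2", "D", "3/1")]
    for sw_a, p_a, sw_b, p_b in uplinks:
        d.connect((sw_a, p_a), (sw_b, p_b))
    for sw, port in [("A", "2/1"), ("B", "3/1"), ("B", "3/2"), ("C", "2/1"), ("C", "2/2")]:
        d.vlan_port_default(10, sw, port)       # D 3/1 omitted: still in VLAN 1
    for station, sw, port in [("138.0.0.2", "A", "3/3"), ("138.0.0.3", "B", "2/3"),
                              ("138.0.0.4", "C", "3/9"), ("138.0.0.5", "D", "2/10")]:
        d.attach(station, sw, port)
        d.vlan_port_default(10, sw, port)
    d.attach("10.0.20.7", "B", "2/4")            # constructed station in VLAN 20
    d.vlan_port_default(20, "B", "2/4")
    return d


if __name__ == "__main__":
    d = sample_domain()
    print("A -> C:", d.can_reach("138.0.0.2", "138.0.0.4"))
    print("A -> D before fixing D 3/1:", d.can_reach("138.0.0.2", "138.0.0.5"))
    d.vlan_port_default(10, "D", "3/1")
    print("A -> D after fixing D 3/1:", d.can_reach("138.0.0.2", "138.0.0.5"))
    print("VLAN 10 -> VLAN 20:", d.can_reach("138.0.0.3", "10.0.20.7"))
```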
Verifying the VLAN Configuration
To display information about the VLAN configuration for a single switch or a stack of switches, use the
show commands listed below:
show vlan                      Displays a list of all VLANs configured on the switch and the status of
                               related VLAN properties (e.g., admin and Spanning Tree status and
                               router port definitions).
show vlan port                 Displays a list of VLAN port assignments.
show ip interface              Displays VLAN IP router interface information.
show vlan router mac status    Displays the current MAC router operating mode (single or multiple)
                               and VLAN router port statistics.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show vlan and show vlan port commands is also given in
“Sample VLAN Configuration” on page 5-3.
6 Configuring Spanning Tree Parameters
The Spanning Tree Algorithm and Protocol (STP) is a self-configuring algorithm that maintains a loop-free topology while providing data path redundancy and network scalability. Based on the IEEE 802.1D
standard, the Alcatel STP implementation distributes the Spanning Tree load between the primary
management module and the network interface modules. In the case of a stack of switches, the STP load is
distributed between the primary management switch and other switches in the stack. This functionality
improves network robustness by providing a Spanning Tree that continues to respond to BPDUs and port
link up and down states in the event of a fail over to a backup management module or switch.
The Alcatel distributed implementation also incorporates the following Spanning Tree features:
• Configures a physical topology into a single Spanning Tree to ensure that there is only one data path
between any two switches.
• Supports fault tolerance within the network topology. The Spanning Tree is reconfigured in the event
of a data path or bridge failure or when a new switch is added to the topology.
• Supports two Spanning Tree operating modes: flat (single STP instance per switch) and 1x1 (single
STP instance per VLAN).
• Supports three Spanning Tree Algorithms: 802.1D (STP), 802.1w (RSTP), and 802.1s (MSTP).
• Allows 802.1Q tagged ports and link aggregate logical ports to participate in the calculation of the STP
topology.
The Distributed Spanning Tree software is active on all switches by default. As a result, a loop-free
network topology is automatically calculated based on default Spanning Tree switch, VLAN, and port
parameter values. It is only necessary to configure Spanning Tree parameters to change how the topology
is calculated and maintained.
In This Chapter
This chapter provides an overview about how Spanning Tree works and how to configure Spanning Tree
parameters through the Command Line Interface (CLI). CLI commands are used in the configuration
examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Selecting the switch Spanning Tree operating mode (flat or 1x1) on page 6-9.
• Configuring Spanning Tree bridge parameters on page 6-12.
• Configuring Spanning Tree port parameters on page 6-21.
• Configuring an example Spanning Tree topology on page 6-31.
Spanning Tree Specifications
IEEE Standards supported                      802.1D–Media Access Control (MAC) Bridges
                                              802.1w–Rapid Reconfiguration (802.1D Amendment 2)
                                              802.1Q–Virtual Bridged Local Area Networks
                                              802.1s–Multiple Spanning Trees (802.1Q Amendment 3)
Spanning Tree Operating Modes supported       Flat mode - one spanning tree instance per switch
                                              1x1 mode - one spanning tree instance per VLAN
Spanning Tree Protocols supported             802.1D Standard Spanning Tree Algorithm and Protocol (STP)
                                              802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP)
                                              802.1s Multiple Spanning Tree Protocol (MSTP)
Spanning Tree port eligibility                Fixed ports (non-mobile)
                                              802.1Q tagged ports
                                              Link aggregate of ports
Number of 1x1 Spanning Tree instances         252
supported
Number of Multiple Spanning Tree              16 MSTI, in addition to the Common and Internal Spanning
Instances (MSTI) supported                    Tree instance (also referred to as MSTI 0).
CLI Command Prefix Recognition                All Spanning Tree commands support prefix recognition. See
                                              the “Using the CLI” chapter in the OmniSwitch 6800/6850/
                                              9000 Switch Management Guide for more information.
Spanning Tree Bridge Parameter Defaults
Parameter Description                          Command                         Default
Spanning Tree operating mode                   bridge mode                     1x1 (a separate Spanning Tree
                                                                               instance for each VLAN)
Spanning Tree protocol                         bridge protocol                 STP (802.1D) on OmniSwitch 9000;
                                                                               RSTP (802.1w) on OmniSwitch
                                                                               6800 and 6850
BPDU switching status                          bridge bpdu-switching           Disabled
Priority value for the Spanning Tree           bridge priority                 32768
instance
Hello time interval between each BPDU          bridge hello time               2 seconds
transmission
Maximum aging time allowed for Spanning        bridge max age                  20 seconds
Tree information learned from the network
Spanning Tree port state transition time       bridge forward delay            15 seconds
Automatic VLAN Containment                     bridge auto-vlan-containment    Disabled
Spanning Tree Port Parameter Defaults
Parameter Description                          Command                         Default
Spanning Tree port administrative state        bridge slot/port                Enabled
Spanning Tree port priority value              bridge slot/port priority       7
Spanning Tree port path cost                   bridge slot/port path cost      0 (cost is based on port speed)
Path cost mode                                 bridge path cost mode           Auto (16-bit in 1x1 mode and
                                                                               802.1D or 802.1w flat mode,
                                                                               32-bit in 802.1s flat mode)
Port state management mode                     bridge slot/port mode           Dynamic (Spanning Tree Algorithm
                                                                               determines port state)
Type of port connection                        bridge slot/port connection     auto point to point
Multiple Spanning Tree (MST) Region Defaults
Although the following parameter values are specific to MSTP (802.1s), they are configurable regardless of which mode (flat or 1x1) or protocol is active on the switch.
Parameter Description                          Command                            Default
The MST region name                            bridge mst region name             blank
The revision level for the MST region          bridge mst region revision level   0
The maximum number of hops authorized          bridge mst region max hops         20
for the region
The number of Multiple Spanning Tree           bridge msti                        1 (flat mode instance)
Instances (MSTI)
The VLAN to MSTI mapping                       bridge msti vlan                   All VLANs are mapped to the
                                                                                  Common Internal Spanning Tree
                                                                                  (CIST) instance
Spanning Tree Overview
Alcatel switches support the use of the 802.1D Spanning Tree Algorithm and Protocol (STP), the 802.1w
Rapid Spanning Tree Algorithm and Protocol (RSTP), and the 802.1s Multiple Spanning Tree Protocol
(MSTP).
RSTP expedites topology changes by allowing blocked ports to transition directly into a forwarding state,
bypassing listening and learning states. This provides rapid reconfiguration of the Spanning Tree in the
event of a network path or device failure.
The 802.1w standard is an amendment to the 802.1D document, thus RSTP is based on STP. Regardless of
which one of these two protocols a switch or VLAN is running, it can successfully interoperate with other
switches or VLANs.
MSTP is an enhancement to the 802.1Q Common Spanning Tree (CST), which is provided when an Alcatel switch is running in the flat Spanning Tree operating mode. The flat mode applies a single spanning
tree instance across all VLAN port connections on a switch. MSTP allows the configuration of Multiple
Spanning Tree Instances (MSTIs) in addition to the CST instance. Each MSTI is mapped to a set of
VLANs. As a result, flat mode can now support the forwarding of VLAN traffic over separate data paths.
This section provides a Spanning Tree overview based on RSTP operation and terminology. Although
MSTP is based on RSTP, see Chapter 3, “Using 802.1s Multiple Spanning Tree,” for specific information
about configuring MSTP.
How the Spanning Tree Topology is Calculated
The tree consists of links and bridges that provide a single data path that spans the bridged network. At the
base of the tree is a root bridge. One bridge is elected by all the bridges participating in the network to
serve as the root of the tree. After the root bridge is identified, STP calculates the best path that leads from
each bridge back to the root and blocks any connections that would cause a network loop.
To determine the best path to the root, STP uses the path cost value, which is associated with every port on
each bridge in the network. This value is a configurable weighted measure that indicates the contribution
of the port connection to the entire path leading from the bridge to the root.
In addition, a root path cost value is associated with every bridge. This value is the sum of the path costs
of the ports that receive frames along the best path from the bridge to the root (this value is zero for the
root bridge). The bridge with the lowest root path cost becomes the designated bridge for the LAN, as it provides the shortest path to the root for all bridges connected to the LAN.
During the process of calculating the Spanning Tree topology, each port on every bridge is assigned a port
role based on how the port and/or its bridge will participate in the active Spanning Tree topology. The
following table provides a list of port role types and the port and/or bridge properties that the Spanning
Tree Algorithm examines to determine which role to assign to the port.
Role                Port/Bridge Properties
Root Port           Port connection that provides the shortest path (lowest path cost value) to the
                    root. The root bridge does not have a root port.
Designated Port     The designated bridge provides the LAN with the shortest path to the root. The
                    designated port connects the LAN to this bridge.
Backup Port         Any operational port on the designated bridge that is not a root or designated
                    port. Provides a backup connection for the designated port. A backup port can
                    only exist when there are redundant designated port connections to the LAN.
Alternate Port      Any operational port that is not the root port for its bridge and its bridge is not
                    the designated bridge for the LAN. An alternate port offers an alternate path to
                    the root bridge if the root port on its own bridge goes down.
Disabled Port       Port is not operational. If an active connection does come up on the port, it is
                    assigned an appropriate role.
Note. The distinction between a backup port and an alternate port was introduced with the IEEE 802.1w
standard to help define rapid transition of an alternate port to a root port.
The role a port plays or may potentially play in the active Spanning Tree topology determines the port’s
operating state: discarding, learning, or forwarding. The port state is also configurable in that it is possible
to enable or disable a port’s administrative status and/or specify a forwarding or blocking state that is
only changed through user intervention.
The Spanning Tree Algorithm only includes ports in its calculations that are operational (link is up) and
have an enabled administrative status. The following table compares and defines 802.1D and 802.1w port
states and their associated port roles:
STP Port State  RSTP Port State  Port State Definition                              Port Role
--------------  ---------------  -------------------------------------------------  -----------------
Disabled        Discarding       Port is down or administratively disabled and is   Disabled
                                 not included in the topology.
Blocking        Discarding       Frames are dropped, nothing is learned or          Alternate, Backup
                                 forwarded on the port. Port is temporarily
                                 excluded from topology.
Learning        Learning         Port is learning MAC addresses that are seen on    Root, Designated
                                 the port and adding them to the bridge forwarding
                                 table, but not transmitting any data. Port is
                                 included in the active topology.
Forwarding      Forwarding       Port is transmitting and receiving data and is     Root, Designated
                                 included in the active topology.
Once the Spanning Tree is calculated, there is only one root bridge, one designated bridge for each LAN,
and one root port on each bridge (except for the root bridge). Data travels back and forth between bridges
over forwarding port connections that form the best, non-redundant path to the root. The active topology
ensures that network loops do not exist.
Bridge Protocol Data Units (BPDU)
Switches send layer 2 frames, referred to as Configuration Bridge Protocol Data Units (BPDU), to relay
information to other switches. The information in these BPDU is used to calculate and reconfigure the
Spanning Tree topology. A Configuration BPDU contains the following information that pertains to the
bridge transmitting the BPDU:
Root ID         The Bridge ID for the bridge that this bridge believes is the root.
Root Path Cost  The sum of the Path Costs that lead from the root bridge to this bridge port.
                The Path Cost is a configurable parameter value. The IEEE 802.1D standard
                specifies a default value that is based on port speed. See “Configuring Port
                Path Cost” on page 6-25 for more information.
Bridge ID       An eight-byte hex value that identifies this bridge within the Spanning Tree.
                The first two bytes contain a configurable priority value and the remaining
                six bytes contain a bridge MAC address. See “Configuring the Bridge Priority”
                on page 6-15 for more information.
                Each switch chassis is assigned a dedicated base MAC address. This is the MAC
                address that is combined with the priority value to provide a unique Bridge ID
                for the switch. For more information about the base MAC address, see the
                appropriate Hardware Users Guide for the switch.
Port ID         A 16-bit hex value that identifies the bridge port that transmitted this BPDU.
                The first 4 bits contain a configurable priority value and the remaining 12
                bits contain the physical switch port number. See “Configuring Port Priority”
                on page 6-24 for more information.
The sending and receiving of Configuration BPDU between switches participating in the bridged network
is how the root bridge is elected and the best path to the root is determined and then advertised to the rest
of the network. BPDU provide enough information for the STP software running on each switch to determine the following:
• Which bridge will serve as the root bridge.
• The shortest path between each bridge and the root bridge.
• Which bridge will serve as the designated bridge for the LAN.
• Which port on each bridge will serve as the root port.
• The port state (forwarding or discarding) for each bridge port based on the role the port will play in the
active Spanning Tree topology.
The following events trigger the transmitting and/or processing of BPDU in order to discover and maintain the Spanning Tree topology.
• When a bridge first comes up, it assumes it is the root and starts transmitting Configuration BPDU on
all its active ports advertising its own bridge ID as the root bridge ID.
• When a bridge receives BPDU on its root port that contains more attractive information (higher priority
parameters and/or lower path costs), it forwards this information on to other LANs to which it is
connected for consideration.
• When a bridge receives BPDU on its designated port that contains information that is less attractive
(lower priority values and/or higher path costs), it forwards its own information to other LANs to
which it is connected for consideration.
STP evaluates BPDU parameter values to select the best BPDU based on the following order of precedence:
1 The lowest root bridge ID (lowest priority value, then lowest MAC address).
2 The best root path cost.
3 If root path costs are equal, the bridge ID of the bridge sending the BPDU.
4 If the previous three values tie, then the port ID (lowest priority value, then lowest port number).
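The Bridge ID and Port ID layouts and the four-step order of precedence above, worked through in Python. This is an added example, not code from the guide: the switch priorities and MAC addresses are those of the topology example later in this section, while the port numbers, the port priority of 8 and the "newcomer" bridge in the main block are constructed.

```python
"""Added example (not from the OmniSwitch guide): encodes Bridge IDs and Port IDs
as the overview describes them and applies the four-step BPDU order of precedence
to elect the root. Priorities and MACs come from this section's topology figure;
the port numbers and port priority used in STARTUP_BPDUS are constructed."""
from dataclasses import dataclass
from typing import Iterable, Tuple


def bridge_id(priority: int, mac: str) -> int:
    """8-byte Bridge ID: 2-byte priority followed by the 6-byte bridge MAC address.
    Comparing the integers compares priority first, then MAC, exactly as STP does."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 16 bits")
    mac_int = int(mac.replace(":", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC address must be 6 bytes")
    return (priority << 48) | mac_int


def decode_bridge_id(bid: int) -> Tuple[int, str]:
    """Split an 8-byte Bridge ID back into (priority, 'aa:bb:cc:dd:ee:ff')."""
    priority = bid >> 48
    mac = ":".join(f"{(bid >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    return priority, mac


def port_id(priority: int, port_number: int) -> int:
    """16-bit Port ID: 4-bit priority followed by a 12-bit physical port number."""
    if not 0 <= priority <= 0xF:
        raise ValueError("port priority must fit in 4 bits")
    if not 0 <= port_number <= 0xFFF:
        raise ValueError("port number must fit in 12 bits")
    return (priority << 12) | port_number


@dataclass(frozen=True)
class ConfigBpdu:
    """The four Configuration BPDU fields the overview lists (timers omitted)."""
    root_id: int
    root_path_cost: int
    bridge_id: int   # ID of the bridge that transmitted this BPDU
    port_id: int     # ID of the port that transmitted this BPDU

    def precedence(self) -> Tuple[int, int, int, int]:
        # Tuple ordering applies the guide's order of precedence: lowest root ID,
        # then best (lowest) root path cost, then sender bridge ID, then port ID.
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


def is_superior(received: ConfigBpdu, held: ConfigBpdu) -> bool:
    """True when 'received' carries more attractive information than 'held',
    i.e. information a bridge would adopt and forward on to the LANs it serves."""
    return received.precedence() < held.precedence()


def startup_bpdu(priority: int, mac: str, port_number: int,
                 port_priority: int = 8) -> ConfigBpdu:
    """The BPDU a bridge sends when it first comes up: it advertises itself as
    the root with a root path cost of zero. port_priority 8 is an assumed value."""
    bid = bridge_id(priority, mac)
    return ConfigBpdu(root_id=bid, root_path_cost=0, bridge_id=bid,
                      port_id=port_id(port_priority, port_number))


def elect_root(bpdus: Iterable[ConfigBpdu]) -> int:
    """Root Bridge ID that wins once every bridge's BPDU has been compared."""
    return min(bpdus, key=ConfigBpdu.precedence).root_id


# Priorities and MACs from the "Active Spanning Tree Topology Example" figure;
# the port numbers are constructed for this example.
STARTUP_BPDUS = {
    "Switch A": startup_bpdu(12, "00:00:00:00:00:03", 10),
    "Switch B": startup_bpdu(11, "00:00:00:00:00:02", 1),
    "Switch C": startup_bpdu(13, "00:00:00:00:00:04", 8),
    "Switch D": startup_bpdu(10, "00:00:00:00:00:01", 3),
}


def root_by_priority() -> Tuple[int, str]:
    """Switch D wins on priority 10 alone; its MAC is never consulted."""
    return decode_bridge_id(elect_root(STARTUP_BPDUS.values()))


def root_when_priorities_tie(priority: int = 32768) -> Tuple[int, str]:
    """With the default priority on every switch, the lowest base MAC decides."""
    tied = [startup_bpdu(priority, decode_bridge_id(b.bridge_id)[1], 1)
            for b in STARTUP_BPDUS.values()]
    return decode_bridge_id(elect_root(tied))


if __name__ == "__main__":
    print("root (priorities differ):", root_by_priority())
    print("root (priorities tie):   ", root_when_priorities_tie())
    # Any bridge advertising a lower root ID than the one currently held is
    # superior and gets adopted, which is why the guide recommends setting the
    # intended root's priority deliberately instead of relying on base MACs.
    held = STARTUP_BPDUS["Switch D"]
    newcomer = startup_bpdu(8, "00:00:00:00:00:ff", 1)   # constructed bridge
    print("priority-8 bridge displaces Switch D:", is_superior(newcomer, held))
```

Because a Python tuple compares element by element, `precedence()` collapses the four precedence steps into one comparison, and the same tuple is what `elect_root` minimises.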
When a topology change occurs, such as when a link goes down or a switch is added to the network, the
affected bridge sends Topology Change Notification (TCN) BPDU to the designated bridge for its LAN.
The designated bridge will then forward the TCN to the root bridge. The root then sends out a Configuration BPDU and sets a Topology Change (TC) flag within the BPDU to notify other bridges that there is a
change in the configuration information. Once this change is propagated throughout the Spanning Tree
network, the root stops sending BPDU with the TC flag set and the Spanning Tree returns to an active,
stable topology.
Topology Examples
The following diagram shows an example of a physical network topology that incorporates data path
redundancy to ensure fault tolerance. These redundant paths, however, create loops in the network configuration. If a device connected to Switch A sends broadcast packets, Switch A will flood the packets out all
of its active ports. The switches connected to Switch A will in turn flood the broadcast packets out their
active ports, and Switch A will eventually receive the same packets back and the cycle will start over
again. This causes severe congestion on the network, often referred to as a broadcast storm.
Physical Topology Example (figure: Switch A, Switch B, Switch C and Switch D, OmniSwitch 9700 chassis, interconnected with redundant links)
The Spanning Tree Algorithm prevents network loops by ensuring that there is always only one active link
between any two switches. This is done by transitioning one of the redundant links into a blocking state,
leaving only one link actively forwarding traffic. If the active link goes down, then Spanning Tree will
transition one of the blocked links to the forwarding state to take over for the downed link. If a new switch
is added to the network, the Spanning Tree topology is automatically recalculated to include the monitoring of links to the new switch.
The following diagram shows the logical connectivity of the same physical topology as determined by the
Spanning Tree Algorithm.
Active Spanning Tree Topology Example (figure). Information shown in the diagram:
Switch D (Root Bridge), Bridge ID 10, 00:00:00:00:00:01; ports 2/1, 2/2, 2/3
Switch A (Designated Bridge), Bridge ID 12, 00:00:00:00:00:03; ports 2/9, 2/10
Switch B, Bridge ID 11, 00:00:00:00:00:02; ports 3/1, 3/2
Switch C, Bridge ID 13, 00:00:00:00:00:04; ports 3/8, 3/9, 3/10
Path cost (PC) values shown on the links: 4, 19, 19, 19, 100
Legend: Root Port, Designated Port, PC = Path Cost, Forwarding, Blocking
In the above active Spanning Tree topology example, the following configuration decisions were made as
a result of calculations performed by the Spanning Tree Algorithm:
• Switch D is the root bridge because its bridge ID has a priority value of 10 (the lower the priority value,
the higher the priority the bridge has in the Spanning Tree). If all four switches had the same priority,
then the switch with the lowest MAC address in its bridge ID would become the root.
• Switch A is the designated bridge for Switch B, because it provides the best path for Switch B to the
root bridge.
• Port 2/9 on Switch A is a designated port, because it connects the LAN from Switch B to Switch A.
• All ports on Switch D are designated ports, because Switch D is the root and each port connects to a
LAN.
• Ports 2/10, 3/1, and 3/8 are the root ports for Switches A, B, and C, respectively, because they offer the
shortest path towards the root bridge.
• The port 3/9 connection on Switch C to port 2/2 on Switch D is in a discarding (blocking) state, as the
connection these ports provides is redundant (backup) and has a higher path cost value than the 2/3 to
3/8 connection between the same two switches. As a result, a network loop is avoided.
• The port 3/2 connection on Switch B to port 3/10 on Switch C is also in a discarding (blocking) state,
as the connection these ports provides has a higher path cost to root Switch D than the path between
Switch B and Switch A. As a result, a network loop is avoided.
Spanning Tree Operating Modes
Spanning Tree Operating Modes
The switch can operate in one of two Spanning Tree modes: flat and 1x1. Both modes apply to the entire
switch and determine whether a single Spanning Tree instance is applied across multiple VLANs (flat
mode) or a single instance is applied to each VLAN (1x1 mode). By default, a switch is running in the 1x1
mode when it is first turned on.
Use the bridge mode command to select the flat or 1x1 Spanning Tree mode. The switch operates in one
mode or the other; however, it is not necessary to reboot the switch when changing modes. To determine
which mode the switch is operating in, use the show spantree command. For more information about this
command, see the OmniSwitch CLI Reference Guide.
Using Flat Spanning Tree Mode
Before selecting the flat Spanning Tree mode, consider the following:
• If STP (802.1D) is the active protocol, then there is one Spanning Tree instance for the entire switch;
port states are determined across VLANs. If MSTP (802.1s) is the active protocol, then multiple
instances up to a total of 17 are allowed. Port states, however, are still determined across VLANs.
• Multiple connections between switches are considered redundant paths even if they are associated with
different VLANs.
• Spanning Tree parameters are configured for the single flat mode instance. For example, if Spanning
Tree is disabled on VLAN 1, then it is disabled for all VLANs. Disabling STP on any other VLAN,
however, only excludes ports associated with that VLAN from the Spanning Tree Algorithm.
• Fixed (untagged) and 802.1Q tagged ports are supported in each VLAN. BPDU, however, are always
untagged.
• When the Spanning Tree mode is changed from 1x1 to flat, ports still retain their VLAN associations
but are now part of a single Spanning Tree instance that spans across all VLANs. As a result, a path
that was forwarding traffic in the 1x1 mode may transition to a blocking state after the mode is
changed to flat.
To change the Spanning Tree operating mode to flat, enter the following command.
-> bridge mode flat
The following diagram shows a flat mode switch with STP (802.1D) as the active protocol. All ports,
regardless of their default VLAN configuration or tagged VLAN assignments, are considered part of one
Spanning Tree instance. To see an example of a flat mode switch with MSTP (802.1s) as the active protocol, see Chapter 3, “Using 802.1s Multiple Spanning Tree.”
Flat Spanning Tree Example (figure: a flat STP switch with Port 8/3 (Default VLAN 2), Port 10/5 (Default VLAN 20), Port 1/2 (Default VLAN 5, VLAN 10 tagged) and Port 2/5 (Default VLAN 5, VLAN 6 tagged), all in one Spanning Tree instance)
In the above example, if port 8/3 connects to another switch and port 10/5 connects to that same switch,
the Spanning Tree Algorithm would detect a redundant path and transition one of the ports into a blocking
state. The same holds true for the tagged ports.
Using 1x1 Spanning Tree Mode
Before selecting the 1x1 Spanning Tree operating mode, consider the following:
• A single Spanning Tree instance is enabled for each VLAN configured on the switch. For example, if
there are five VLANs configured on the switch, then there are five separate Spanning Tree instances,
each with its own root VLAN. In essence, a VLAN is a virtual bridge in that it will have its own bridge
ID and configurable STP parameters, such as protocol, priority, hello time, max age, and forward
delay.
• Port state is determined on a per VLAN basis. For example, port connections in VLAN 10 are only
examined for redundancy within VLAN 10 across all switches. If a port in VLAN 10 and a port in
VLAN 20 both connect to the same switch within their respective VLANs, they are not considered
redundant data paths and STP will not block one of them. However, if two ports within VLAN 10 both
connect to the same switch, then STP will transition one of these ports to a blocking state.
• Fixed (untagged) ports participate in the single Spanning Tree instance that applies to their configured
default VLAN.
• 802.1Q tagged ports participate in an 802.1Q Spanning Tree instance that allows the Spanning Tree to
extend across tagged VLANs. As a result, a tagged port may participate in more than one Spanning
Tree instance; one for each VLAN that the port carries.
• If a VLAN contains both fixed and tagged ports, then a hybrid of the two Spanning Tree instances
(single and 802.1Q) is applied. If a VLAN appears as a tag on a port, then the BPDU for that VLAN
are also tagged. However, if a VLAN appears as the configured default VLAN for the port, then BPDU
are not tagged and the single Spanning Tree instance applies.
To change the Spanning Tree operating mode to 1x1, enter the following command:
-> bridge mode 1x1
The following diagram shows a switch running in the 1x1 Spanning Tree mode and shows Spanning Tree
participation for both fixed and tagged ports.
1x1 (single and 802.1Q) Spanning Tree Example (figure: instances STP 2, STP 3 and STP 4 on one switch with Port 1/3 (Default VLAN 5), Port 2/3 (Default VLAN 5), Port 1/4 (Default VLAN 2), Port 2/4 (Default VLAN 2), Port 1/5 (Default VLAN 10, VLAN 2 tagged) and Port 2/5 (Default VLAN 2, VLAN 10 tagged))
In the above example, STP2 is a single Spanning Tree instance since VLAN 5 contains only fixed ports.
STP 3 and STP 4 are a combination of single and 802.1Q Spanning Tree instances because VLAN 2
contains both fixed and tagged ports. On ports where VLAN 2 is the default VLAN, BPDU are not tagged.
On ports where VLAN 2 is a tagged VLAN, BPDU are also tagged.
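The flat mode and 1x1 mode rules described above (one instance across all VLANs versus one per VLAN, tagged ports in one instance per carried VLAN, untagged versus tagged BPDU, and which links count as redundant), worked through in Python. This is an added example rather than code from the guide; the port and VLAN data comes from the two figures in this section, and the neighbor-switch name "Switch X" is constructed.

```python
"""Added example (not from the OmniSwitch guide): works out which Spanning Tree
instance(s) a port belongs to in flat versus 1x1 mode, whether its BPDU are
tagged, and which port pairs STP treats as redundant. Port/VLAN data comes from
the two figures in this section; the neighbor-switch name is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

FLAT_INSTANCE = "flat"


@dataclass(frozen=True)
class Port:
    name: str                            # slot/port, e.g. "8/3"
    default_vlan: int                    # the port's fixed (untagged) VLAN
    tagged_vlans: Tuple[int, ...] = ()   # 802.1Q VLANs the port also carries
    neighbor: Optional[str] = None       # switch at the far end, if known


def instances_for_port(port: Port, mode: str) -> Dict[object, bool]:
    """Return {instance: bpdu_tagged} for every instance the port participates in.
    flat: one instance for the whole switch, and BPDU are always untagged.
    1x1: one instance per VLAN; BPDU are untagged for the default VLAN and
    tagged for each VLAN the port carries as a tag."""
    if mode == "flat":
        return {FLAT_INSTANCE: False}
    if mode == "1x1":
        membership: Dict[object, bool] = {port.default_vlan: False}
        for vlan in port.tagged_vlans:
            membership[vlan] = True
        return membership
    raise ValueError("mode must be 'flat' or '1x1'")


def redundant_links(ports: Sequence[Port], mode: str) -> Dict[object, List[Tuple[str, str]]]:
    """Pairs of ports that reach the same neighbor switch inside the same
    instance; the Spanning Tree Algorithm transitions one port of each pair to a
    blocking state. Flat mode ignores VLAN membership; in 1x1 mode only ports in
    the same VLAN instance can be redundant."""
    reach: Dict[Tuple[object, str], List[str]] = defaultdict(list)
    for port in ports:
        if port.neighbor is None:
            continue   # no switch on the far end, nothing to compare against
        for instance in instances_for_port(port, mode):
            reach[(instance, port.neighbor)].append(port.name)
    pairs: Dict[object, List[Tuple[str, str]]] = defaultdict(list)
    for (instance, _neighbor), names in reach.items():
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                pairs[instance].append((names[i], names[j]))
    return dict(pairs)


def instance_kind(ports: Sequence[Port], vlan: int) -> str:
    """Classify a 1x1 VLAN instance as the guide does: 'single' when the VLAN has
    only fixed ports, '802.1Q' when it appears only as a tag, 'hybrid' for both."""
    fixed = any(p.default_vlan == vlan for p in ports)
    tagged = any(vlan in p.tagged_vlans for p in ports)
    if fixed and tagged:
        return "hybrid"
    if fixed:
        return "single"
    if tagged:
        return "802.1Q"
    raise ValueError(f"VLAN {vlan} has no ports")


# Ports from the "Flat Spanning Tree Example" figure. The text has 8/3 and 10/5
# connecting to the same other switch; "Switch X" is a constructed name.
FLAT_EXAMPLE_PORTS = [
    Port("8/3", 2, neighbor="Switch X"),
    Port("10/5", 20, neighbor="Switch X"),
    Port("1/2", 5, (10,)),
    Port("2/5", 5, (6,)),
]

# Ports from the "1x1 (single and 802.1Q) Spanning Tree Example" figure.
ONE_BY_ONE_EXAMPLE_PORTS = [
    Port("1/3", 5), Port("2/3", 5),
    Port("1/4", 2), Port("2/4", 2),
    Port("1/5", 10, (2,)),
    Port("2/5", 2, (10,)),
]


if __name__ == "__main__":
    print("flat mode redundancy:", redundant_links(FLAT_EXAMPLE_PORTS, "flat"))
    print("1x1 mode redundancy: ", redundant_links(FLAT_EXAMPLE_PORTS, "1x1"))
    for vlan in (5, 2, 10):
        print(f"VLAN {vlan} instance is {instance_kind(ONE_BY_ONE_EXAMPLE_PORTS, vlan)}")
    for port in ONE_BY_ONE_EXAMPLE_PORTS:
        print(port.name, instances_for_port(port, "1x1"))
```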
Configuring STP Bridge Parameters
The Spanning Tree software is active on all switches by default and uses default bridge and port parameter values to calculate a loop-free topology. It is only necessary to configure these parameter values if you
need to change how the topology is calculated and maintained.
Note the following when configuring Spanning Tree bridge parameters:
• When a switch is running in the 1x1 Spanning Tree mode, each VLAN is in essence a virtual bridge
with its own Spanning Tree instance and configurable bridge parameters.
• When the switch is running in the flat mode and STP (802.1D) or RSTP (802.1w) is the active protocol,
bridge parameter values are only configured for the flat mode instance.
• If MSTP (802.1s) is the active protocol, then the priority value is configurable for each Multiple
Spanning Tree Instance (MSTI). All other parameters, however, are still only configured for the flat mode
instance and are applied across all MSTIs.
• Bridge parameter values for a VLAN instance are not active unless Spanning Tree is enabled on the
VLAN and at least one active port is assigned to the VLAN. Use the vlan stp command to enable or
disable a VLAN Spanning Tree instance.
• If Spanning Tree is disabled on a VLAN, active ports associated with that VLAN are excluded from
Spanning Tree calculations and will remain in a forwarding state.
• Note that when a switch is running in the flat mode, disabling Spanning Tree on VLAN 1 disables the
instance for all VLANs and all active ports are then excluded from any Spanning Tree calculations and
will remain in a forwarding state.
To view current Spanning Tree bridge parameter values, use the show spantree command. For more
information about this command, see the OmniSwitch CLI Reference Guide.
Bridge Configuration Commands Overview
Spanning Tree bridge commands are available in an implicit form and an explicit form. Implicit
commands resemble commands that were previously released with this feature. The type of instance
configured with these commands is determined by the Spanning Tree operating mode that is active at the
time the command is used. For example, if the 1x1 mode is active, the instance number specified with the
command implies a VLAN ID. If the flat mode is active, the single flat mode instance is implied and thus
configured by the command.
Explicit commands introduce three new keywords: cist, 1x1, and msti. Each of these keywords when used
with a bridge command explicitly identify the type of instance that the command will configure. As a
result, explicit commands only configure the type of instance identified by the explicit keyword, regardless of which mode (1x1 or flat) is active.
The cist keyword specifies the Common and Internal Spanning Tree (CIST) instance. The CIST is the
single Spanning Tree flat mode instance that is available on all switches. When using STP or RSTP, the
CIST is also known as instance 1 or bridge 1. When using MSTP (802.1s), the CIST is also known as
instance 0. In either case, an instance number is not required with cist commands, as there is only one
CIST instance.
The 1x1 keyword indicates that the instance number specified with the command is a VLAN ID. The msti
keyword indicates that the instance number specified with the command is an 802.1s Multiple Spanning
Tree Instance (MSTI).
Note that explicit commands using the cist and msti keywords are required to define an MSTP (802.1s)
configuration. Implicit commands are only allowed for defining STP or RSTP configurations. See
Chapter 3, “Using 802.1s Multiple Spanning Tree,” for more information about these keywords and using
implicit and explicit commands.
The following is a summary of Spanning Tree bridge configuration commands. For more information
about these commands, see the OmniSwitch CLI Reference Guide.
Commands                      Type      Used for ...
----------------------------  --------  --------------------------------------------------------------
bridge protocol               Implicit  Configuring the protocol for a VLAN instance when the 1x1
                                        mode is active or the single Spanning Tree instance when
                                        the flat mode is active.
bridge cist protocol          Explicit  Configuring the protocol for the single flat mode instance.
bridge 1x1 protocol           Explicit  Configuring the protocol for a VLAN instance.
bridge priority               Implicit  Configuring the priority value for a VLAN instance or the
                                        flat mode instance.
bridge cist priority          Explicit  Configuring the priority value for the single flat mode
                                        instance.
bridge msti priority          Explicit  Configuring the priority value for an 802.1s Multiple
                                        Spanning Tree Instance (MSTI).
bridge 1x1 priority           Explicit  Configuring the priority value for a VLAN instance.
bridge hello time             Implicit  Configuring the hello time value for a VLAN instance when
                                        the 1x1 mode is active or the single Spanning Tree instance
                                        when the flat mode is active.
bridge cist hello time        Explicit  Configuring the hello time value for the single flat mode
                                        instance.
bridge 1x1 hello time         Explicit  Configuring the hello time value for a VLAN instance.
bridge max age                Implicit  Configuring the maximum age time value for a VLAN instance
                                        when the 1x1 mode is active or the single Spanning Tree
                                        instance when the flat mode is active.
bridge cist max age           Explicit  Configuring the maximum age time value for the single flat
                                        mode instance.
bridge 1x1 max age            Explicit  Configuring the maximum age time value for a VLAN instance.
bridge forward delay          Implicit  Configuring the forward delay time value for a VLAN instance
                                        when the 1x1 mode is active or the single Spanning Tree
                                        instance when the flat mode is active.
bridge cist forward delay     Explicit  Configuring the forward delay time value for the single flat
                                        mode instance.
bridge 1x1 forward delay      Explicit  Configuring the forward delay time value for a VLAN instance.
bridge bpdu-switching         N/A       Configuring the BPDU switching status for a VLAN.
bridge path cost mode         N/A       Configuring the automatic selection of a 16-bit path cost for
                                        STP/RSTP ports and a 32-bit path cost for MSTP ports, or
                                        setting all path costs to use a 32-bit value.
bridge auto-vlan-containment  N/A       Enabling or disabling Auto VLAN Containment (AVC) for 802.1s
                                        instances.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree
commands is captured. For example, if the bridge protocol for the flat mode instance was changed from
STP to MSTP, then bridge cist protocol mstp is the command syntax captured to reflect this in the snapshot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
The following sections provide information and procedures for using implicit bridge configuration
commands and also include explicit command examples.
Selecting the Bridge Protocol
The switch supports three Spanning Tree protocols: STP (802.1D), RSTP (802.1w), and MSTP (802.1s).
On the OmniSwitch 9000, STP is the default active protocol. On the OmniSwitch 6800 and 6850, RSTP is
the default active protocol.
To configure the Spanning Tree protocol for a VLAN instance when the switch is running in the 1x1
mode, enter bridge followed by an existing VLAN ID, then protocol followed by stp or rstp. For example, the following command changes the protocol to RSTP for VLAN 455:
-> bridge 455 protocol rstp
Note that when configuring the protocol value for a VLAN instance, MSTP is not an available option. This
protocol is only supported on the flat mode instance.
In addition, the explicit bridge 1x1 protocol command configures the protocol for a VLAN instance
regardless of which mode (1x1 or flat) is active on the switch. For example, the following command also
changes the protocol for VLAN 455 to RSTP:
-> bridge 1x1 455 protocol rstp
To configure the protocol for the single flat mode instance when the switch is running in either mode (1x1
or flat), use the bridge protocol command but do not specify an instance number. This command configures the flat mode instance by default, so an instance number is not needed, as shown in the following
example:
-> bridge protocol mstp
As in previous releases, it is possible to configure the flat mode instance with the bridge protocol
command by specifying 1 as the instance number (e.g., bridge 1 protocol rstp). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
In addition, the explicit bridge cist protocol command configures the protocol for the flat mode instance
regardless of which mode (1x1 or flat) is active on the switch. For example, the following command
selects the MSTP protocol for the flat mode instance:
-> bridge cist protocol mstp
Configuring the Bridge Priority
A bridge is identified within the Spanning Tree by its bridge ID (an eight byte hex number). The first two
bytes of the bridge ID contain a priority value and the remaining six bytes contain a bridge MAC address.
The bridge priority is used to determine which bridge will serve as the root of the Spanning Tree. The
lower the priority value, the higher the priority. If more than one bridge has the same priority, then the
bridge with the lowest MAC address becomes the root.
Note. Configuring a Spanning Tree bridge instance with a priority value that will cause the instance to
become the root is recommended, instead of relying on the comparison of switch base MAC addresses to
determine the root.
If the switch is running in the 1x1 Spanning Tree mode, then a priority value is assigned to each VLAN
instance. If the switch is running in the flat Spanning Tree mode, the priority is assigned to the flat mode
instance or an 802.1s Multiple Spanning Tree Instance (MSTI). In both cases, the default priority value
assigned is 32768. Note that priority values for an MSTI must be multiples of 4096.
To change the bridge priority value for a VLAN instance, specify a VLAN ID with the bridge priority
command when the switch is running in the 1x1 mode. For example, the following command changes the
priority for VLAN 455 to 25590:
-> bridge 455 priority 25590
The explicit bridge 1x1 priority command configures the priority for a VLAN instance when the switch
is running in either mode (1x1 or flat). For example, the following command performs the same function
as the command in the previous example:
-> bridge 1x1 455 priority 25590
To change the bridge priority value for the flat mode instance, use either the bridge priority command or
the bridge cist priority command. Note that both commands are available when the switch is running in
either mode (1x1 or flat) and an instance number is not required. For example, the following commands
change the priority value for the flat mode instance to 12288:
-> bridge priority 12288
-> bridge cist priority 12288
As in previous releases, it is possible to configure the flat mode instance with the bridge priority
command by specifying 1 as the instance number (e.g., bridge 1 priority 12288). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
The bridge priority value is also configurable for an 802.1s Multiple Spanning Tree Instance (MSTI). To
configure this value for an MSTI, use the explicit bridge msti priority command and specify the MSTI
ID for the instance number and a priority value that is a multiple of 4096. For example, the following
command configures the priority value for MSTI 10 to 61440:
-> bridge msti 10 priority 61440
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands
are required to configure parameter values. Implicit commands are for configuring parameters when the
STP or RSTP protocols are in use. See Chapter 3, “Using 802.1s Multiple Spanning Tree,” for more information.
Configuring the Bridge Hello Time
The bridge hello time interval is the number of seconds a bridge will wait between transmissions of
Configuration BPDU. When a bridge is attempting to become the root or if it has become the root or a
designated bridge, it sends Configuration BPDU out all forwarding ports once every hello time value.
The hello time propagated in a root bridge Configuration BPDU is the value used by all other bridges in
the tree for their own hello time. Therefore, if this value is changed for the root bridge, all other bridges
associated with the same STP instance will adopt this value as well.
Note that lowering the hello time interval improves the robustness of the Spanning Tree algorithm.
Increasing the hello time interval lowers the overhead of Spanning Tree processing.
If the switch is running in the 1x1 Spanning Tree mode, then a hello time value is defined for each VLAN
instance. If the switch is running in the flat Spanning Tree mode, then a hello time value is defined for the
single flat mode instance. In both cases, the default hello time value used is 2 seconds.
To change the bridge hello time value for a VLAN instance, specify a VLAN ID with the bridge hello
time command when the switch is running in the 1x1 mode. For example, the following command
changes the hello time for VLAN 455 to 5 seconds:
-> bridge 455 hello time 5
The explicit bridge 1x1 hello time command configures the hello time value for a VLAN instance when
the switch is running in either mode (1x1 or flat). For example, the following command performs the same
function as the command in the previous example:
-> bridge 1x1 455 hello time 5
To change the bridge hello time value for the flat mode instance, use either the bridge hello time
command or the bridge cist hello time command. Note that both commands are available when the switch
is running in either mode (1x1 or flat) and an instance number is not required. For example, the following
commands change the hello time value for the flat mode instance to 10 seconds:
-> bridge hello time 10
-> bridge cist hello time 10
As in previous releases, it is possible to configure the flat mode instance with the bridge hello time
command by specifying 1 as the instance number (e.g., bridge 1 hello time 5). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Note that the bridge hello time is not configurable for 802.1s Multiple Spanning Tree Instances (MSTI).
These instances inherit the hello time from the flat mode instance (CIST).
Configuring the Bridge Max Age Time
The bridge max age time specifies how long, in seconds, the bridge retains Spanning Tree information it
receives from Configuration BPDU. When a bridge receives a BPDU, it updates its configuration information and the max age timer is reset. If the max age timer expires before the next BPDU is received, the
bridge will attempt to become the root, designated bridge, or change its root port.
The max age time propagated in a root bridge Configuration BPDU is the value used by all other bridges
in the tree for their own max age time. Therefore, if this value is changed for the root bridge, all other
VLANs associated with the same instance will adopt this value as well.
If the switch is running in the 1x1 Spanning Tree mode, then a max age time value is defined for each
VLAN instance. If the switch is running in the flat Spanning Tree mode, then the max age value is defined
for the flat mode instance. In both cases, the default max age time used is 20 seconds.
Note that configuring a low max age time may cause Spanning Tree to reconfigure the topology more
often.
To change the bridge max age time value for a VLAN instance, specify a VLAN ID with the bridge max
age command when the switch is running in the 1x1 mode. For example, the following command changes
the max age time for VLAN 455 to 10 seconds:
-> bridge 455 max age 10
The explicit bridge 1x1 max age command configures the max age time for a VLAN instance when the
switch is running in either mode (1x1 or flat). For example, the following command performs the same
function as the command in the previous example:
-> bridge 1x1 455 max age 10
To change the max age time value for the flat mode instance, use either the bridge max age command or
the bridge cist max age command. Note that both commands are available when the switch is running in
either mode (1x1 or flat) and an instance number is not required. For example, the following commands
change the max age time for the flat mode instance to 10:
-> bridge max age 10
-> bridge cist max age 10
As in previous releases, it is possible to configure the flat mode instance with the bridge max age
command by specifying 1 as the instance number (e.g., bridge 1 max age 30). However, this is only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Note that the max age time is not configurable for 802.1s Multiple Spanning Tree Instances (MSTI).
These instances inherit the max age time from the flat mode instance (CIST).
Configuring the Bridge Forward Delay Time
The bridge forward delay time specifies how long, in seconds, a port remains in the learning state while it
is transitioning to a forwarding state. In addition, when a topology change occurs, the forward delay time
value is used to age out all dynamically learned addresses in the MAC address forwarding table. For more
information about the MAC address table, see Chapter 2, “Managing Source Learning.”
The forward delay time propagated in a root bridge Configuration BPDU is the value used by all other
bridges in the tree for their own forward delay time. Therefore, if this value is changed for the root bridge,
all other bridges associated with the same instance will adopt this value as well.
If the switch is running in the 1x1 Spanning Tree mode, then a forward delay time value is defined for
each VLAN instance. If the switch is running in the flat Spanning Tree mode, then the forward delay time
value is defined for the flat mode instance. In both cases, the default forward delay time used is 15
seconds.
Note that specifying a low forward delay time may cause temporary network loops, because packets may
get forwarded before Spanning Tree configuration or change notices have reached all nodes in the
network.
To change the bridge forward delay time value for a VLAN instance, specify a VLAN ID with the bridge
forward delay command when the switch is running in the 1x1 mode. For example, the following
command changes the forward delay time for VLAN 455 to 10 seconds:
-> bridge 455 forward delay 20
The explicit bridge 1x1 forward delay command configures the forward delay time for a VLAN instance
when the switch is running in either mode (1x1 or flat). For example, the following command performs the
same function as the command in the previous example:
-> bridge 1x1 455 forward delay 20
To change the forward delay time value for the flat mode instance, use either the bridge forward delay
command or the bridge cist forward delay command. Note that both commands are available when the
switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands change the forward delay time for the flat mode instance to 10:
-> bridge forward delay 10
-> bridge cist forward delay 10
As in previous releases, it is possible to configure the flat mode instance with the bridge forward delay
command by specifying 1 as the instance number (e.g., bridge 1 forward delay 30). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Note that the forward delay time is not configurable for 802.1s Multiple Spanning Tree Instances (MSTI).
These instances inherit the forward delay time from the flat mode instance (CIST).
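The three bridge timers above (hello time, max age, forward delay) are not independent: IEEE 802.1D ties them together so that a bridge cannot age out topology information faster than ports are held back from forwarding, which is the loop risk the forward delay note describes. The following added example (not from the OmniSwitch guide) checks a proposed timer set against those relationships before the explicit cist commands are generated; the 2-second hello default and the permitted ranges are the IEEE 802.1D values and are assumptions of this example, not values stated in this section.

```python
# Added example, not from the OmniSwitch guide: validate a hello / max age / forward
# delay combination against the IEEE 802.1D timer relationships before applying it.
# All values are in seconds. The guide's defaults (max age 20, forward delay 15) and
# the 802.1D default hello time of 2 are used as the baseline (the hello default is
# an assumption of this example, not a value stated in this section).

HELLO_RANGE = (1, 10)          # IEEE 802.1D permitted ranges (assumed, not from this page)
MAX_AGE_RANGE = (6, 40)
FORWARD_DELAY_RANGE = (4, 30)


def check_stp_timers(hello, max_age, forward_delay):
    """Return a list of problems; an empty list means the timers are consistent.

    IEEE 802.1D requires
        2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)
    The first bound is the one behind the loop warning: if a bridge can age out
    topology information (max age) faster than ports are held back from forwarding
    (forward delay), it may forward before every node has heard about the change.
    """
    problems = []
    for name, value, (lo, hi) in (
        ("hello", hello, HELLO_RANGE),
        ("max age", max_age, MAX_AGE_RANGE),
        ("forward delay", forward_delay, FORWARD_DELAY_RANGE),
    ):
        if not lo <= value <= hi:
            problems.append(f"{name} {value}s is outside the 802.1D range {lo}-{hi}s")
    if max_age > 2 * (forward_delay - 1):
        problems.append(
            f"max age {max_age}s exceeds 2 * (forward delay {forward_delay}s - 1) "
            f"= {2 * (forward_delay - 1)}s: risk of a temporary loop"
        )
    if max_age < 2 * (hello + 1):
        problems.append(
            f"max age {max_age}s is below 2 * (hello {hello}s + 1) = {2 * (hello + 1)}s"
        )
    return problems


def flat_mode_commands(hello, max_age, forward_delay):
    """Return the explicit flat-mode (cist) commands from the guide for a consistent
    timer set, or an empty list when check_stp_timers() reports a problem."""
    if check_stp_timers(hello, max_age, forward_delay):
        return []
    return [
        f"bridge cist hello time {hello}",
        f"bridge cist max age {max_age}",
        f"bridge cist forward delay {forward_delay}",
    ]


if __name__ == "__main__":
    # (hello, max age, forward delay): the defaults, then the guide's "forward delay 10"
    # example with the default max age, which breaks the first relationship.
    for timers in ((2, 20, 15), (2, 20, 10), (2, 10, 15)):
        print(timers, check_stp_timers(*timers) or "ok")
```

Running it shows that lowering the forward delay to 10 while leaving max age at 20 is rejected (2 * (10 - 1) = 18 < 20), whereas lowering max age to 10 with the default forward delay passes; the commands are only emitted for a consistent set.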
Enabling/Disabling the VLAN BPDU Switching Status
By default, BPDU are not switched on ports associated with VLANs that have Spanning Tree disabled.
This may result in a network loop if the VLAN has redundant paths to one or more other switches. Allowing VLANs that have Spanning Tree disabled to forward BPDU to all ports in the VLAN can help to
avoid this problem.
To enable or disable BPDU switching on a VLAN, enter bridge followed by an existing VLAN ID (or
VLAN 1 if using a flat Spanning Tree instance) then bpdu-switching followed by enable or disable. For
example, the following commands enable BPDU switching on VLAN 10 and disable it on VLAN 20:
-> bridge 10 bpdu-switching enable
-> bridge 20 bpdu-switching disable
Note. Make sure that disabling BPDU switching on a Spanning Tree disabled VLAN will not cause
network loops to go undetected.
Configuring the Path Cost Mode
The path cost mode controls whether the switch uses a 16-bit port path cost (PPC) or a 32-bit PPC. When
a 32-bit PPC switch connects to a 16-bit PPC switch, the 32-bit switch will have a higher PPC value that
will advertise an inferior path cost to the 16-bit switch. In this case, it may be desirable to set the 32-bit
switch to use STP or RSTP with a 16-bit PPC value.
By default, the path cost mode is set to automatically use a 16-bit value for all ports that are associated
with an STP (802.1D) instance or an RSTP (802.1w) instance and a 32-bit value for all ports associated
with an MSTP (802.1s) instance. It is also possible to set the path cost mode to always use a 32-bit value regardless of which protocol is active.
To change the path cost mode, use the bridge path cost mode command and specify either auto (uses a
PPC value based on the active protocol) or 32bit (always uses a 32-bit PPC value). For example, the following
command changes the default path cost mode, which is automatic, to 32-bit mode:
-> bridge path cost mode 32bit
Using Automatic VLAN Containment
In an 802.1s Multiple Spanning Tree (MST) configuration, it is possible for a port that belongs to a VLAN
that is not a member of an instance to become the root port for that instance. This can cause a topology
change that could lead to a loss of connectivity between VLANs/switches. Enabling Automatic VLAN
Containment (AVC) helps to prevent this from happening by making such a port an undesirable choice for
the root.
When AVC is enabled, it identifies undesirable ports and automatically configures them with an infinite
path cost value. For example, in the following diagram a link exists between VLAN 2 on two different
switches. The ports that provide this link belong to default VLAN 1 but are tagged with VLAN 2. In addition, VLAN 2 is mapped to MSTI 1 on both switches.
[Figure: two switches, each carrying VLAN 1 and VLAN 2, with VLAN 2 mapped to MSTI-1 on both. Port 4/2 on one switch and port 5/1 on the other provide the link between them; the link is 802.1q tagged for VLAN 2.]
In the above diagram, port 4/2 is the Root port and port 5/1 is a Designated port for MSTI 1. AVC is not
enabled. If another link with the same speed and lower port numbers is added to default VLAN 1 on both
switches, the new link becomes the root for MSTI 1 and the tagged link between VLAN 2 is blocked, as
shown below:
[Figure: the same two switches after a second, untagged VLAN 1 link is added between ports 3/1 and 2/1. The new link now carries MSTI-1, and the 802.1q-tagged VLAN 2 link between ports 4/2 and 5/1 is blocked (shown as ||).]
If AVC was enabled in the above example, AVC would have assigned the new link an infinite path cost
value that would make this link undesirable as the root for MSTI 1.
Balancing VLANs across links according to their Multiple Spanning Tree Instance (MSTI) grouping is
highly recommended to ensure that there is not a loss of connectivity during any possible topology
changes. Enabling AVC on the switch is another way to prevent undesirable ports from becoming the root
for an MSTI.
By default AVC is disabled on the switch. Use the bridge auto-vlan-containment command to globally
enable this feature for all 802.1s MSTIs. Once AVC is globally enabled, then it is possible to disable AVC
for individual MSTIs using the same command. For example, the following commands globally enable
AVC and then disable it for MSTI 10:
-> bridge auto-vlan-containment enable
-> bridge msti 10 auto-vlan-containment disable
Note that an administratively set port path cost takes precedence and prevents AVC configuration of the
path cost. The exception to this is if the port path cost is administratively set to zero, which resets the path
cost to the default value. In addition, AVC does not have any effect on root bridges.
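The two diagrams above describe a root port election, so the behaviour can be modelled directly. The following added example (not from the OmniSwitch guide) is a small simulation of MSTI root port selection: without AVC the new lower-numbered VLAN 1 link wins on equal cost and the tagged VLAN 2 link is blocked; with AVC the undesirable port is given an infinite path cost. It also models the two caveats in the last paragraph (an administratively set non-zero port path cost takes precedence, and AVC does nothing on the root bridge). Port names, VLAN membership, path costs and the advertised root path costs are constructed for the example.

```python
# Added example, not from the OmniSwitch guide: a small model of MSTI root port selection
# showing how a port whose VLANs are not mapped to the MSTI can win the root port role,
# and how Automatic VLAN Containment (AVC) takes it out of contention. Port names, VLAN
# membership and costs are constructed to mirror the two diagrams above.

INFINITE = float("inf")


class Port:
    def __init__(self, name, vlans, path_cost, admin_path_cost=0):
        self.name = name                        # "slot/port"
        self.vlans = set(vlans)                 # VLANs carried: default VLAN plus 802.1q tags
        self.path_cost = path_cost              # default cost for the link speed
        self.admin_path_cost = admin_path_cost  # administratively set cost; 0 means "use default"


def port_number(name):
    """Tie-breaker: the guide's diagram says the lower-numbered link wins on equal cost."""
    slot, port = name.split("/")
    return int(slot), int(port)


def effective_costs(ports, msti_vlans, avc_enabled, is_root_bridge=False):
    """Per-port path cost for one MSTI.

    With AVC enabled, a port none of whose VLANs map to the MSTI gets an infinite cost.
    Two caveats from the guide are modelled: an administratively set (non-zero) port
    path cost takes precedence over AVC, and AVC has no effect on the root bridge.
    """
    costs = {}
    for p in ports:
        cost = p.admin_path_cost or p.path_cost
        undesirable = not (p.vlans & msti_vlans)
        if avc_enabled and undesirable and p.admin_path_cost == 0 and not is_root_bridge:
            cost = INFINITE
        costs[p.name] = cost
    return costs


def select_root_port(ports, msti_vlans, avc_enabled, received_root_cost):
    """Choose the root port: lowest (root path cost received on the port + port path cost),
    ties broken by the lowest port number (all ports assumed to share the default priority)."""
    costs = effective_costs(ports, msti_vlans, avc_enabled)
    ranked = sorted(ports, key=lambda p: (received_root_cost[p.name] + costs[p.name],
                                          port_number(p.name)))
    return ranked[0].name


if __name__ == "__main__":
    # Left-hand switch of the diagrams: 4/2 is in VLAN 1 and tagged with VLAN 2 (mapped to
    # MSTI 1); 3/1 is the new untagged VLAN 1 link of the same speed. Both peers advertise
    # a root path cost of 0 (constructed values).
    msti1 = {2}
    ports = [Port("4/2", [1, 2], 20000), Port("3/1", [1], 20000)]
    rpc = {"4/2": 0, "3/1": 0}
    print("AVC off:", select_root_port(ports, msti1, False, rpc))   # 3/1 wins, VLAN 2 link blocked
    print("AVC on: ", select_root_port(ports, msti1, True, rpc))    # 4/2 keeps the root port role
```

The ordering key mirrors what the section states (lower root path cost first, then the lower port number); a real bridge compares full Port IDs, which the port priority section later in this chapter covers.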
Configuring STP Port Parameters
The following sections provide information and procedures for using CLI commands to configure STP
port parameters. These parameters determine the behavior of a port for a specific VLAN Spanning Tree
instance (1x1 STP mode) or for a single Spanning Tree instance applied to the entire switch (flat STP
mode).
When a switch is running in the 1x1 STP mode, each VLAN is in essence a virtual STP bridge with its
own STP instance and configurable parameters. To change STP port parameters while running in this
mode, a VLAN ID is specified to identify the VLAN STP instance associated with the specified port.
When a switch is running in the flat Spanning Tree mode, VLAN 1 is specified for the VLAN ID. It is
possible to configure STP parameters on other VLANs while running in this mode, but only VLAN 1
parameter values apply to all Spanning Tree ports.
Only bridged ports participate in the Spanning Tree Algorithm. A port is considered bridged if it meets all
the following criteria:
• Port is either a fixed (non-mobile) port, an 802.1Q tagged port or a link aggregate logical port.
• Spanning tree is enabled on the port.
• Port is assigned to a VLAN that has Spanning Tree enabled.
• Port state (forwarding or blocking) is dynamically determined by the Spanning Tree Algorithm, not
manually set.
Bridge Configuration Commands Overview
Spanning Tree port commands are available in an implicit form and an explicit form. Implicit commands
resemble commands that were previously released with this feature. The type of instance configured with
these commands is determined by the Spanning Tree operating mode that is active at the time the
command is used. For example, if the 1x1 mode is active, the instance number specified with the
command implies a VLAN ID. If the flat mode is active, the single flat mode instance is implied and thus
configured by the command.
Explicit commands introduce three new keywords: cist, 1x1, and msti. Each of these keywords when used
with a port command explicitly identify the type of instance that the command will configure. As a result,
explicit commands only configure the type of instance identified by the explicit keyword regardless of
which mode (1x1 or flat) is active.
The cist keyword specifies the Common and Internal Spanning Tree (CIST) instance. The CIST is the
single Spanning Tree flat mode instance that is available on all switches. When using STP or RSTP, the
CIST is also known as instance 1 or bridge 1. When using MSTP (802.1s), the CIST is also known as
instance 0. In either case, an instance number is not required with cist commands, as there is only one
CIST instance.
The 1x1 keyword indicates that the instance number specified with the command is a VLAN ID. The msti
keyword indicates that the instance number specified with the command is an 802.1s Multiple Spanning
Tree Instance (MSTI).
Note that explicit commands using the cist and msti keywords are required to define an MSTP (802.1s)
configuration. Implicit commands are only allowed for defining STP or RSTP configurations. See
Chapter 3, “Using 802.1s Multiple Spanning Tree,” for more information about these keywords and using
implicit and explicit commands.
The following is a summary of Spanning Tree port configuration commands. For more information about
these commands, see the OmniSwitch CLI Reference Guide.
Commands | Type | Used for ...
bridge slot/port | Implicit | Configuring the port Spanning Tree status for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.
bridge cist slot/port | Explicit | Configuring the port Spanning Tree status for the single flat mode instance.
bridge 1x1 slot/port | Explicit | Configuring the port Spanning Tree status for a VLAN instance.
bridge slot/port priority | Implicit | Configuring the port priority value for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.
bridge cist slot/port priority | Explicit | Configuring the port priority value for the single flat mode instance.
bridge msti slot/port priority | Explicit | Configuring the port priority value for an 802.1s Multiple Spanning Tree Instance (MSTI).
bridge 1x1 slot/port priority | Explicit | Configuring the port priority value for a VLAN instance.
bridge slot/port path cost | Implicit | Configuring the port path cost value for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.
bridge cist slot/port path cost | Explicit | Configuring the port path cost value for the single flat mode instance.
bridge msti slot/port path cost | Explicit | Configuring the port path cost value for an 802.1s Multiple Spanning Tree Instance (MSTI).
bridge 1x1 slot/port path cost | Explicit | Configuring the port path cost value for a VLAN instance.
bridge slot/port mode | Implicit | Configuring the port Spanning Tree mode (dynamic or manual) for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.
bridge cist slot/port mode | Explicit | Configuring the port Spanning Tree mode (dynamic or manual) for the single flat mode instance.
bridge 1x1 slot/port mode | Explicit | Configuring the port Spanning Tree mode (dynamic or manual) for a VLAN instance.
bridge slot/port connection | Implicit | Configuring the port connection type for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.
bridge cist slot/port connection | Explicit | Configuring the port connection type for the single flat mode instance.
bridge 1x1 slot/port connection | Explicit | Configuring the port connection type for a VLAN instance.
The following sections provide information and procedures for using implicit Spanning Tree port configuration commands and also include explicit command examples.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree
commands is captured. For example, if the bridge protocol for the flat mode instance was changed from
STP to MSTP, then bridge cist protocol mstp is the command syntax captured to reflect this in the snapshot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
Enabling/Disabling Spanning Tree on a Port
By default, Spanning Tree is enabled on all ports. When Spanning Tree is disabled on a port, the port is
put in a forwarding state for the specified instance. For example, if a port is associated with both VLAN
10 and VLAN 20 and Spanning Tree is disabled on the port for VLAN 20, the port state is set to forwarding for VLAN 20. However, the VLAN 10 instance still controls the port’s state as it relates to VLAN 10.
This example assumes the switch is running in the 1x1 Spanning Tree mode.
If the switch is running in the flat Spanning Tree mode, then disabling the port Spanning Tree status
applies across all VLANs associated with the port. The flat mode instance is specified as the port’s
instance, even if the port is associated with multiple VLANs.
To change the port Spanning Tree status for a VLAN instance, specify a VLAN ID with the bridge slot/
port command when the switch is running in the 1x1 mode. For example, the following commands enable
Spanning Tree on port 8/1 for VLAN 10 and disable STP on port 6/2 for VLAN 20:
-> bridge 10 8/1 enable
-> bridge 20 6/2 disable
The explicit bridge 1x1 slot/port command configures the port Spanning Tree status for a VLAN instance when the
switch is running in either mode (1x1 or flat). For example, the following commands perform the same function
as the commands in the previous example:
-> bridge 1x1 10 8/1 enable
-> bridge 1x1 20 6/2 disable
To change the port Spanning Tree status for the flat mode instance, use either the bridge slot/port
command or the bridge cist slot/port command. Note that both commands are available when the switch
is running in either mode (1x1 or flat) and an instance number is not required. For example, the following
commands disable the Spanning Tree status on port 1/24 for the flat mode instance:
-> bridge 1/24 disable
-> bridge cist 1/24 disable
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port
command by specifying 1 as the instance number (e.g., bridge 1 1/24 enable). However, this is only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Spanning Tree on Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead,
the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical
ports.
To enable or disable the Spanning Tree status for a link aggregate, use the bridge slot/port commands
described above but specify a link aggregate control number instead of a slot and port. For example, the
following command disables Spanning Tree for link aggregate 10 associated with VLAN 755:
-> bridge 755 10 disable
For more information about configuring an aggregate of ports, see Chapter 13, “Configuring Static Link
Aggregation,” and Chapter 14, “Configuring Dynamic Link Aggregation.”
Configuring Port Priority
A bridge port is identified within the Spanning Tree by its Port ID (a 16-bit or 32-bit hex number). The
first 4 bits of the Port ID contain a priority value and the remaining 12 bits contain the physical switch port
number. The port priority is used to determine which port offers the best path to the root when multiple
paths have the same path cost. The port with the highest priority (lowest numerical priority value) is
selected and the others are put into a blocking state. If the priority values are the same for all ports in the
path, then the port with the lowest physical switch port number is selected.
By default, Spanning Tree is enabled on a port and the port priority value is set to 7. If the switch is
running in the 1x1 Spanning Tree mode, then the port priority applies to the specified VLAN instance
associated with the port. If the switch is running in the flat Spanning Tree mode, then the port priority
applies across all VLANs associated with the port. The flat mode instance is specified as the port’s
instance, even if the port is associated with multiple VLANs.
To change the port priority value for a VLAN instance, specify a VLAN ID with the bridge slot/port
priority command when the switch is running in the 1x1 mode. For example, the following command sets
the priority value for port 8/1 to 3 for the VLAN 10 instance:
-> bridge 10 8/1 priority 3
The explicit bridge 1x1 slot/port priority command configures the port priority value for a VLAN
instance when the switch is running in either mode (1x1 or flat). For example, the following command
performs the same function as the command in the previous example:
-> bridge 1x1 10 8/1 priority 3
To change the port priority value for the flat mode instance, use either the bridge slot/port priority
command or the bridge cist slot/port priority command. Note that both commands are available when
the switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands change the priority value for port 1/24 for the flat mode instance to 15:
-> bridge 1/24 priority 15
-> bridge cist 1/24 priority 15
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port priority command by specifying 1 as the instance number (e.g., bridge 1 1/24 priority 15). However, this is
only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
The port priority value is also configurable for an 802.1s Multiple Spanning Tree Instance (MSTI). To
configure this value for an MSTI, use the explicit bridge msti slot/port priority command and specify the
MSTI ID for the instance number. For example, the following command configures the priority value for
port 1/12 for MSTI 10 to 5:
-> bridge msti 10 1/12 priority 5
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands
are required to configure parameter values. Implicit commands are for configuring parameters when the
STP or RSTP protocols are in use. See Chapter 3, “Using 802.1s Multiple Spanning Tree,” for more information.
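The Port ID layout described at the start of this section (a 4-bit priority in front of a 12-bit port number) is what makes "highest priority, then lowest port number" a single numeric comparison. The following added example (not from the OmniSwitch guide) builds and decodes that 16-bit Port ID and uses it as the tie-breaker between ports with equal path cost, reproducing the effect of the "bridge 10 8/1 priority 3" command above. The candidate ports and the integer port numbers assigned to the "slot/port" names are constructed; how the switch maps slot/port to the 12-bit field is internal and not given on this page.

```python
# Added example, not from the OmniSwitch guide: how the 16-bit Port ID described above is
# built from a 4-bit priority and a 12-bit port number, and how it breaks ties between
# ports with equal path cost. The candidate ports and the integer port numbers used for
# the "slot/port" names are constructed for this example (the real mapping is internal
# to the switch).

PRIORITY_BITS = 4
PORT_BITS = 12


def port_id(priority, port_number):
    """Encode a 16-bit Port ID: priority in the top 4 bits, port number in the low 12.
    A lower numeric value is the better port."""
    if not 0 <= priority < (1 << PRIORITY_BITS):
        raise ValueError("priority must be 0-15")
    if not 0 < port_number < (1 << PORT_BITS):
        raise ValueError("port number must be 1-4095")
    return (priority << PORT_BITS) | port_number


def decode_port_id(value):
    """Inverse of port_id(): returns (priority, port number)."""
    return value >> PORT_BITS, value & ((1 << PORT_BITS) - 1)


def choose_best_port(candidates):
    """candidates: list of (name, path_cost, priority, port_number) for ports that all
    lead towards the root. Lowest path cost wins; on equal cost the lowest Port ID wins
    (highest priority first, then lowest port number). Returns (selected, blocked)."""
    ranked = sorted(candidates, key=lambda c: (c[1], port_id(c[2], c[3])))
    return ranked[0][0], [c[0] for c in ranked[1:]]


if __name__ == "__main__":
    # Two 100 Mbps uplinks with the same path cost (19). With the default priority 7 on
    # both, port 1/24 (lower port number) is selected; after "bridge 10 8/1 priority 3",
    # port 8/1 wins. Port numbers 24 and 257 are constructed.
    print(choose_best_port([("1/24", 19, 7, 24), ("8/1", 19, 7, 257)]))
    print(choose_best_port([("1/24", 19, 7, 24), ("8/1", 19, 3, 257)]))
    print(hex(port_id(7, 24)), decode_port_id(port_id(7, 24)))
```

Because the priority occupies the high bits, any priority difference outranks any port number difference, but path cost is still compared first: a port with a lower path cost wins regardless of Port ID.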
Port Priority on Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead,
the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical
ports.
To change the port priority for a link aggregate, use the bridge slot/port priority commands described
above, but specify a link aggregate control number instead of a slot and port. For example, the following
command sets the priority for link aggregate 10 associated with VLAN 755 to 9:
-> bridge 755 10 priority 9
For more information about configuring an aggregate of ports, see Chapter 13, “Configuring Static Link
Aggregation,” and Chapter 14, “Configuring Dynamic Link Aggregation.”
Configuring Port Path Cost
The path cost value specifies the contribution of a port to the path cost towards the root bridge that
includes the port. The root path cost is the sum of all path costs along this same path and is the value
advertised in Configuration BPDU transmitted from active Spanning Tree ports. The lower the cost value,
the closer the switch is to the root.
Note that the type of path cost value used depends on which path cost mode is active (automatic or 32-bit). If
the path cost mode is set to automatic, a 16-bit value is used when STP or RSTP is the active protocol and
a 32-bit value is used when MSTP is the active protocol. If the mode is set to 32-bit, then a 32-bit path
cost value is used regardless of which protocol is active. See “Configuring the Path Cost Mode” on
page 6-19 for more information.
If a 32-bit path cost value is in use and the path_cost is set to zero, the following IEEE 802.1s recommended default path cost values based on link speed are used:
Link Speed | IEEE 802.1D Recommended Value
10 MB | 2,000,000
100 MB | 200,000
1 GB | 20,000
10 Gbps | 2,000
If a 16-bit path cost value is in use and the path_cost is set to zero, the following IEEE 802.1D recommended default path cost values based on link speed are used:
Link Speed | IEEE 802.1D Recommended Value
4 Mbps | 250
10 Mbps | 100
16 Mbps | 62
100 Mbps | 19
1 Gbps | 4
10 Gbps | 2
By default, Spanning Tree is enabled on a port and the path cost is set to zero. If the switch is running in
the 1x1 Spanning Tree mode, then the port path cost applies to the specified VLAN instance associated
with the port. If the switch is running in the flat Spanning Tree mode, then the port path cost applies across
all VLANs associated with the port. The flat mode instance is specified as the port’s instance, even if the
port is associated with other VLANs.
To change the port path cost value for a VLAN instance, specify a VLAN ID with the bridge slot/port
path cost command when the switch is running in the 1x1 mode. For example, the following command
configures a 16-bit path cost value for port 8/1 for VLAN 10 to 19 (the port speed is 100 MB, 19 is the
recommended value):
-> bridge 10 8/1 path cost 19
The explicit bridge 1x1 slot/port path cost command configures the port path cost value for a VLAN
instance when the switch is running in either mode (1x1 or flat). For example, the following command
performs the same function as the command in the previous example:
-> bridge 1x1 10 8/1 path cost 19
To change the port path cost value for the flat mode instance, use either the bridge slot/port path cost
command or the bridge cist slot/port path cost command. Note that both commands are available when
the switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands configure a 32-bit path cost value for port 1/24 for the flat mode instance to 20,000
(the port speed is 1 GB, 20,000 is the recommended value):
-> bridge 1/24 path cost 20000
-> bridge cist 1/24 path cost 20000
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port path
cost command by specifying 1 as the instance number (e.g., bridge 1 1/24 path cost 19). However, this is
only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
The port path cost value is also configurable for an 802.1s Multiple Spanning Tree Instance (MSTI). To
configure this value for an MSTI, use the explicit bridge msti slot/port path cost command and specify
the MSTI ID for the instance number. For example, the following command configures the path cost value
for port 1/12 for MSTI 10 to 19:
-> bridge msti 10 1/12 path cost 19
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands
are required to configure parameter values. Implicit commands are for configuring parameters when the
STP or RSTP protocols are in use. See Chapter 3, “Using 802.1s Multiple Spanning Tree,” for more information.
Path Cost for Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead,
the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical
ports. By default, Spanning Tree is enabled on the aggregate logical link and the path cost value is set to
zero.
If a 32-bit path cost value is in use and the path_cost for a link aggregate is set to zero, the following
default values based on link speed and link aggregate size are used:
Link Speed | Aggregate Size (number of links) | Default Path Cost Value
10 MB | 2 | 1,200,000
10 MB | 4 | 800,000
10 MB | 8 | 600,000
100 MB | 2 | 120,000
100 MB | 4 | 80,000
100 MB | 8 | 60,000
1 GB | 2 | 12,000
1 GB | 4 | 8,000
1 GB | 8 | 6,000
10 GB | 2 | 1,200
10 GB | 4 | 800
10 GB | 8 | 600
If a 16-bit path cost value is in use and the path_cost for a link aggregate is set to zero, the following
default values based on link speed and link aggregate size are used. Note that for Gigabit ports the aggregate size is not applicable in this case:
Link Speed | Aggregate Size (number of links) | Default Path Cost Value
10 Mbps | 2 | 60
10 Mbps | 4 | 40
10 Mbps | 8 | 30
100 Mbps | 2 | 12
100 Mbps | 4 | 9
100 Mbps | 8 | 7
1 Gbps | N/A | 3
10 Gbps | N/A | 1
To change the path cost value for a link aggregate, use the bridge slot/port path cost commands
described above, but specify a link aggregate control number instead of a slot and port. For example, the
following command sets the path cost for link aggregate 10 associated with VLAN 755 to 19:
-> bridge 755 10 path cost 19
For more information about configuring an aggregate of ports, see Chapter 13, “Configuring Static Link
Aggregation,” and Chapter 14, “Configuring Dynamic Link Aggregation.”
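The four default path cost tables in this section and the previous one, together with the rule that an administratively set path cost overrides them, are easiest to reason about in code. The following added example (not from the OmniSwitch guide) encodes those tables, computes the root path cost that accumulates along a path, and shows the effect described under "Configuring the Path Cost Mode": the same path costs far more in 32-bit mode, and the total soon exceeds what a 16-bit path cost can represent, so a 16-bit peer sees the 32-bit switch's advertised cost as inferior. Link speeds are in Mbps and the sample path is constructed.

```python
# Added example, not from the OmniSwitch guide: the default port path cost tables from this
# section and the previous one in code, plus a root path cost calculation that shows why a
# 32-bit switch's advertised cost looks inferior (numerically higher) to a 16-bit switch.
# Link speeds are given in Mbps; the sample paths are constructed.

# Single-port defaults keyed by speed: 16-bit (IEEE 802.1D) and 32-bit values.
DEFAULT_16BIT = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}
DEFAULT_32BIT = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000}

# Link aggregate defaults keyed by (speed, number of links).
AGG_32BIT = {
    (10, 2): 1_200_000, (10, 4): 800_000, (10, 8): 600_000,
    (100, 2): 120_000, (100, 4): 80_000, (100, 8): 60_000,
    (1000, 2): 12_000, (1000, 4): 8_000, (1000, 8): 6_000,
    (10000, 2): 1_200, (10000, 4): 800, (10000, 8): 600,
}
AGG_16BIT = {
    (10, 2): 60, (10, 4): 40, (10, 8): 30,
    (100, 2): 12, (100, 4): 9, (100, 8): 7,
}
# In 16-bit mode the guide gives one value for Gigabit aggregates regardless of size.
AGG_16BIT_ANY_SIZE = {1000: 3, 10000: 1}

MAX_16BIT = 0xFFFF


def default_path_cost(speed_mbps, bits, links=1, admin_cost=0):
    """Operational port path cost: a non-zero administrative cost wins; otherwise the
    default for the link speed, the path cost mode (16 or 32) and the aggregate size
    (1 = single port). Raises ValueError for combinations the tables do not cover."""
    if admin_cost:
        return admin_cost
    if bits == 32:
        table = DEFAULT_32BIT if links == 1 else AGG_32BIT
    elif bits == 16:
        if links > 1 and speed_mbps in AGG_16BIT_ANY_SIZE:
            return AGG_16BIT_ANY_SIZE[speed_mbps]
        table = DEFAULT_16BIT if links == 1 else AGG_16BIT
    else:
        raise ValueError("path cost mode must be 16 or 32")
    key = speed_mbps if links == 1 else (speed_mbps, links)
    if key not in table:
        raise ValueError(f"no default for {speed_mbps} Mbps, {links} link(s), {bits}-bit mode")
    return table[key]


def root_path_cost(hops, bits):
    """Root path cost advertised at the end of a path: the sum of the port path costs of
    every root-facing port along it. hops is a list of (speed_mbps, links)."""
    return sum(default_path_cost(speed, bits, links) for speed, links in hops)


def fits_16bit(cost):
    """True if a 16-bit bridge can even represent the advertised cost."""
    return cost <= MAX_16BIT


if __name__ == "__main__":
    # A 1 Gbps link, a 100 Mbps link and a 4-link 100 Mbps aggregate between here and the root.
    path = [(1000, 1), (100, 1), (100, 4)]
    for bits in (16, 32):
        cost = root_path_cost(path, bits)
        print(f"{bits}-bit mode: root path cost {cost}, representable in 16 bits: {fits_16bit(cost)}")
```

For the sample path the 16-bit total is 4 + 19 + 9 = 32, while the 32-bit total is 20,000 + 200,000 + 80,000 = 300,000, which no 16-bit bridge can carry; this is the mismatch that makes setting the 32-bit switch to the 16-bit mode worthwhile when it peers with STP or RSTP switches.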
Configuring Port Mode
There are two port modes supported: manual and dynamic. Manual mode indicates that the port was set by
the user to a forwarding or blocking state. The port will operate in the state selected until the state is manually changed again or the port mode is changed to dynamic. Ports operating in a manual mode state do not
participate in the Spanning Tree Algorithm. Dynamic mode indicates that the active Spanning Tree Algorithm will determine port state.
By default, Spanning Tree is enabled on the port and the port operates in the dynamic mode. If the switch
is running in the 1x1 Spanning Tree mode, then the port mode applies to the specified VLAN instance
associated with the port. If the switch is running in the flat Spanning Tree mode, then the port mode
applies across all VLANs associated with the port. The flat mode instance is specified as the port’s
instance, even if the port is associated with other VLANs.
To change the port Spanning Tree mode for a VLAN instance, specify a VLAN ID with the bridge slot/
port mode command when the switch is running in the 1x1 mode. For example, the following command
sets the mode for port 8/1 for VLAN 10 to forwarding:
-> bridge 10 8/1 mode forwarding
The explicit bridge 1x1 slot/port mode command configures the port mode for a VLAN instance when
the switch is running in either mode (1x1 or flat). For example, the following command performs the same
function as the command in the previous example:
-> bridge 1x1 10 8/1 mode forwarding
To change the port Spanning Tree mode for the flat mode instance, use either the bridge slot/port mode
command or the bridge cist slot/port mode command. Note that both commands are available when the
switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands configure the Spanning Tree mode on port 1/24 for the flat mode instance:
-> bridge 1/24 mode blocking
-> bridge cist 1/24 mode blocking
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port mode
command by specifying 1 as the instance number (e.g., bridge 1 1/24 mode dynamic). However, this is
only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Mode for Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead,
the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical
ports. To change the port mode for a link aggregate, use the bridge slot/port mode commands described
above, but specify a link aggregate control number instead of a slot and port. For example, the following
command sets the port mode for link aggregate 10 associated with VLAN 755 to blocking:
-> bridge 755 10 mode blocking
For more information about configuring an aggregate of ports, see Chapter 13, “Configuring Static Link
Aggregation,” and Chapter 14, “Configuring Dynamic Link Aggregation.”
Configuring Port Connection Type
Specifying a port connection type is done when using the Rapid Spanning Tree Algorithm and Protocol
(RSTP), as defined in the IEEE 802.1w standard. RSTP transitions a port from a blocking state directly to
forwarding, bypassing the listening and learning states, to provide a rapid reconfiguration of the Spanning
Tree in the event of a path or root bridge failure. Rapid transition of a port state depends on the port’s
configurable connection type. These types are defined as follows:
• Point-to-point LAN segment (port connects directly to another switch).
• No point-to-point shared media LAN segment (port connects to multiple switches).
• Edge port (port is at the edge of a bridged LAN, does not receive BPDU and has only one MAC
address learned). Edge ports, however, will operationally revert to a point to point or a no point to
point connection type if a BPDU is received on the port.
A port is considered connected to a point-to-point LAN segment if the port belongs to a link aggregate of
ports, if auto negotiation determines that the port should run in full duplex mode, or if full duplex mode
was administratively set. Otherwise, that port is considered connected to a no point-to-point LAN
segment.
Rapid transition of a designated port to forwarding can only occur if the port’s connection type is defined
as a point to point or an edge port. Defining a port’s connection type as a point to point or as an edge port
makes the port eligible for rapid transition, regardless of what actually connects to the port. However, an
alternate port transition to the role of root port is always allowed regardless of the alternate port’s connection type.
Note. Configure ports that will connect to a host (PC, workstation, server, etc.) as edge ports so that these
ports will transition directly to a forwarding state and not trigger an unwanted topology change when a
device is connected to the port. If a port is configured as a point to point or no point to point connection
type, the switch will assume a topology change when this port goes active and will flush and relearn all
learned MAC addresses for the port’s assigned VLAN.
By default, Spanning Tree is enabled on the port and the connection type is set to auto point to point. The
auto point to point setting determines the connection type based on the operational status of the port.
If the switch is running in the 1x1 Spanning Tree mode, then the connection type applies to the specified
VLAN instance associated with the port. If the switch is running in the flat Spanning Tree mode, then the
connection type applies across all VLANs associated with the port. The flat mode instance is referenced as
the port’s instance, even if the port is associated with other VLANs.
To change the port connection type for a VLAN instance, specify a VLAN ID with the bridge slot/port
connection command when the switch is running in the 1x1 mode. For example, the following command
defines an edge port connection type for port 8/1 associated with VLAN 10.
-> bridge 10 8/1 connection edgeport
The explicit bridge 1x1 slot/port connection command configures the connection type for a VLAN
instance when the switch is running in either mode (1x1 or flat). For example, the following command
performs the same function as the command in the previous example:
-> bridge 1x1 10 8/1 connection edgeport
To change the port connection type for the flat mode instance, use either the bridge slot/port
connection command or the bridge cist slot/port connection command. Note that both commands are
available when the switch is running in either mode (1x1 or flat) and an instance number is not required.
For example, the following commands configure the connection type for port 1/24 for the flat mode
instance:
-> bridge 1/24 connection ptp
-> bridge cist 1/24 connection ptp
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port connection command by specifying 1 as the instance number (e.g., bridge 1 1/24 connection noptp). However,
this is only available when the switch is already running in the flat mode and STP or RSTP is the active
protocol.
Note that the bridge slot/port connection command only configures one port at a time.
Connection Type on Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead,
the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical
ports. To change the port connection type for a link aggregate, use the bridge slot/port connection
commands described above, but specify a link aggregate control number instead of a slot and port. For
example, the following command defines the link aggregate 10 associated with VLAN 755 as an edge
port:
-> bridge 755 10 connection edgeport
For more information about configuring an aggregate of ports, see Chapter 13, “Configuring Static Link
Aggregation,” and Chapter 14, “Configuring Dynamic Link Aggregation.”
Sample Spanning Tree Configuration
This section provides an example network configuration in which the Spanning Tree Algorithm and Protocol has calculated a loop-free topology. A tutorial is also included that provides steps on how
to configure the example network topology using the Command Line Interface (CLI).
Note that the following example network configuration illustrates using switches operating in the 1x1
Spanning Tree mode and using RSTP (802.1w) to calculate a single data path between VLANs. See
Chapter 3, “Using 802.1s Multiple Spanning Tree,” for an overview and examples of using MSTP
(802.1s).
Example Network Overview
The following diagram shows a four-switch network configuration with an active Spanning Tree topology, which was calculated based on both configured and default Spanning Tree parameter values:
[Figure: Example Active Spanning Tree Topology. Four switches, each with a VLAN 255 Bridge ID: Switch D (Root Bridge) 10, 00:d0:95:00:00:01; Switch A (Designated Bridge) 32768, 00:d0:95:00:00:02; Switch B 32768, 00:d0:95:00:00:03; Switch C 32768, 00:d0:95:00:00:04; two of the switches are labelled OmniSwitch 9700. Inter-switch ports shown are 2/1-3 on Switch D, 2/8-10 on Switch A, 3/1-3 on Switch B and 3/8-10 on Switch C; each link is labelled with its path cost (PC=4 or PC=19) and marked Forwarding or Blocking. Legend: Root Port, Designated Port, PC = Path Cost.]
In the above example topology:
• Each switch is operating in the 1x1 Spanning Tree mode by default.
• Each switch configuration has a VLAN 255 defined. The Spanning Tree administrative status for this
VLAN was enabled by default when the VLAN was created.
• VLAN 255 on each switch is configured to use the 802.1w (rapid reconfiguration) Spanning Tree
Algorithm and Protocol.
• Ports 2/1-3, 2/8-10, 3/1-3, and 3/8-10 provide connections to other switches and are all assigned to
VLAN 255 on their respective switches. The Spanning Tree administrative status for each port is
enabled by default.
• The path cost for each port connection defaults to a value based on the link speed. For example, the
connection between Switch B and Switch C is a 100 Mbps link, which defaults to a path cost of 19.
• VLAN 255 on Switch D is configured with a Bridge ID priority value of 10, which is less than the
same value for VLAN 255 configured on the other switches. As a result, VLAN 255 was elected the
Spanning Tree root bridge for the VLAN 255 broadcast domain.
• A root port is identified for VLAN 255 on each switch, except the root VLAN 255 switch. The root
port identifies the port that provides the best path to the root VLAN.
• VLAN 255 on Switch A was elected the designated bridge because it offers the best path cost for
Switch B to the root VLAN 255 on Switch D.
• Port 2/9 on Switch A is the designated port for the Switch A to Switch B connection because Switch A
is the designated bridge for Switch B.
• Redundant connections exist between Switch D and Switch C. Ports 2/2 and 3/9 are in a discarding
(blocking) state because this connection has a higher path cost than the connection provided through
ports 2/3 and 3/8. As a result, a network loop condition is avoided.
• Redundant connections also exist between Switch A and Switch B. Although the path cost value for
both of these connections is the same, ports 2/8 and 3/3 are in a discarding state because their port
priority values (not shown) are higher than the same values for ports 2/10 and 3/1.
• The ports that provide the connection between Switch B and Switch C are in a discarding (blocking)
state, because this connection has a higher path cost than the other connections leading to the root
VLAN 255 on Switch D. As a result, a network loop is avoided.
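The election described in the bullets above, worked as an added Python model (not the guide's own code): the lowest Bridge ID becomes root, every other bridge picks the port with the best root path cost as its root port, and redundant ports become alternate (discarding). Assumed, because the guide does not show them: port priority 7 on every port except Switch A's 2/8 (set to 8, since the guide says its priority value is higher), and 2/9 read from the diagram's port labels as Switch A's uplink to Switch D.

```python
"""802.1D/802.1w root election and port roles for the guide's four-switch sample
network (added example, not code from the OmniSwitch guide)."""
import heapq
from dataclasses import dataclass

# The guide's sample show output lists port priority 7; other priorities are assumed.
DEFAULT_PORT_PRIORITY = 7


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # 10 on Switch D, 32768 (default) on the others
    mac: str        # compared after the priority, as in 802.1D


@dataclass(frozen=True, order=True)
class PortId:
    priority: int
    slot: int
    port: int


class Topology:
    def __init__(self):
        self.bridges = {}  # switch name -> BridgeId
        self.ports = {}    # switch name -> {"slot/port": (PortId, peer, peer port, cost)}

    def add_bridge(self, name, priority, mac):
        self.bridges[name] = BridgeId(priority, mac)
        self.ports.setdefault(name, {})

    @staticmethod
    def _port_id(port_str, priority):
        slot, port = (int(x) for x in port_str.split("/"))
        return PortId(priority, slot, port)

    def add_link(self, a, pa, b, pb, cost,
                 pri_a=DEFAULT_PORT_PRIORITY, pri_b=DEFAULT_PORT_PRIORITY):
        """Point-to-point link; the same speed-based path cost applies at both ends."""
        self.ports[a][pa] = (self._port_id(pa, pri_a), b, pb, cost)
        self.ports[b][pb] = (self._port_id(pb, pri_b), a, pa, cost)


def compute_roles(topo):
    """Return (root switch, root path cost per switch, {(switch, port): (role, state)})."""
    root = min(topo.bridges, key=topo.bridges.get)  # lowest Bridge ID wins
    rpc = {root: 0}                                   # Dijkstra over port path costs
    heap = [(0, root)]
    while heap:
        cost, name = heapq.heappop(heap)
        if cost > rpc[name]:
            continue
        for _pid, peer, _pp, link_cost in topo.ports[name].values():
            if cost + link_cost < rpc.get(peer, float("inf")):
                rpc[peer] = cost + link_cost
                heapq.heappush(heap, (rpc[peer], peer))

    roles = {}
    for name, ports in topo.ports.items():
        # Root port: best (root path cost, designated bridge, designated port, own port).
        root_port = None
        if name != root:
            root_port = min(
                ((rpc[peer] + cost, topo.bridges[peer], topo.ports[peer][pp][0], pid), p)
                for p, (pid, peer, pp, cost) in ports.items())[1]
        for p, (pid, peer, pp, cost) in ports.items():
            if p == root_port:
                role = "root"
            else:
                own = (rpc[name], topo.bridges[name], pid)
                seen = (rpc[peer], topo.bridges[peer], topo.ports[peer][pp][0])
                if own < seen:
                    role = "designated"  # this end owns the segment
                elif peer == name:
                    role = "backup"      # both ends on the same bridge
                else:
                    role = "alternate"   # redundant path toward the root
            state = "forwarding" if role in ("root", "designated") else "discarding"
            roles[(name, p)] = (role, state)
    return root, rpc, roles


def sample_topology():
    """The guide's four-switch network; link-to-port mapping is read from the diagram."""
    t = Topology()
    t.add_bridge("A", 32768, "00:d0:95:00:00:02")
    t.add_bridge("B", 32768, "00:d0:95:00:00:03")
    t.add_bridge("C", 32768, "00:d0:95:00:00:04")
    t.add_bridge("D", 10, "00:d0:95:00:00:01")
    t.add_link("D", "2/1", "A", "2/9", 4)     # gigabit links default to path cost 4
    t.add_link("D", "2/3", "C", "3/8", 4)
    t.add_link("D", "2/2", "C", "3/9", 19)    # 100 Mbps link, path cost 19
    t.add_link("A", "2/10", "B", "3/1", 4)
    t.add_link("A", "2/8", "B", "3/3", 4, pri_a=8)  # assumed worse priority on 2/8
    t.add_link("B", "3/2", "C", "3/10", 19)
    return t


if __name__ == "__main__":
    root, rpc, roles = compute_roles(sample_topology())
    print(f"Root bridge: Switch {root}")
    for (name, p), (role, state) in sorted(roles.items()):
        print(f"Switch {name} port {p:<4} cost to root {rpc[name]:>2}  {role:<10} {state}")
```

On the Switch B to Switch C link the model follows the standard's designated-port rule, so Switch C's 3/10 stays designated and only Switch B's 3/2 discards, whereas the diagram marks the whole redundant connection as blocking.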
Example Network Configuration Steps
The following steps provide a quick tutorial that configures the active Spanning Tree network topology
shown in the diagram on page 6-31.
1 Create VLAN 255 on Switches A, B, C, and D with “Marketing IP Network” for the VLAN description
on each switch using the following command:
-> vlan 255 name "Marketing IP Network"
2 Assign the switch ports that provide connections between each switch to VLAN 255. For example, the
following commands entered on Switches A, B, C, and D, respectively, assign the ports shown in the
example network diagram on page 6-31 to VLAN 255:
-> vlan 255 port default 2/8-10
-> vlan 255 port default 3/1-3
-> vlan 255 port default 3/8-10
-> vlan 255 port default 2/1-3
3 Change the Spanning Tree protocol for VLAN 255 to 802.1w (rapid reconfiguration) on each switch
using the following command:
-> bridge 255 protocol 1w
4 Change the bridge priority value for VLAN 255 on Switch D to 10 using the following command
(leave the priority for VLAN 255 on the other three switches set to the default value of 32768):
-> bridge 255 priority 10
VLAN 255 on Switch D will have the lowest Bridge ID priority value of all four switches, which will
qualify it as the Spanning Tree root VLAN for the VLAN 255 broadcast domain.
Note. To verify the VLAN 255 Spanning Tree configuration on each switch use the following show
commands. The following outputs are for example purposes only and may not match values shown in the
sample network configuration:
-> show spantree 255
Spanning Tree Parameters for Vlan 255
  Spanning Tree Status :    ON,
  Protocol             :    IEEE 802.1W (Fast STP),
  mode                 :    1X1 (1 STP per Vlan),
  Priority             :    32768(0x0FA0),
  Bridge ID            :    8000-00:d0:95:00:00:04,
  Designated Root      :    000A-00:d0:95:00:00:01,
  Cost to Root Bridge  :    4,
  Root Port            :    Slot 3 Interface 8,
  Next Best Root Cost  :    0,
  Next Best Root Port  :    None,
  Hold Time            :    1,
  Topology Changes     :    3,
  Topology age         :    0:4:37
    Current Parameters (seconds)
      Max Age            =    30,
      Forward Delay      =    15,
      Hello Time         =    2
    Parameters system uses when attempting to become root
      System Max Age       =    30,
      System Forward Delay =    15,
      System Hello Time    =    2
-> show spantree 255 ports
Spanning Tree Port Summary for Vlan 255
      Adm  Oper  Man.  Path  Desig       Fw  Prim.  Adm  Op
Port  Pri  St    St    mode  Cost  Cost  Role  Tx  Port   Cnx  Cnx  Desig Bridge ID
-----+---+---+----+----+-----+-----+----+---+-----+---+---+---------------------
3/8    7   ENA   FORW  No    4     29    ROOT  1   3/8    NPT  NPT  000A-00:d0:95:00:00:01
3/9    7   ENA   BLOCK No    19    48    BACK  0   3/9    NPT  NPT  8000-00:d0:95:00:00:04
3/10   7   ENA   BLOCK No    19    48    ALTN  0   3/10   NPT  NPT  8000-00:d0:95:00:00:03
Verifying the Spanning Tree Configuration
To display information about the Spanning Tree configuration on the switch, use the show commands
listed below:
show spantree          Displays VLAN Spanning Tree information, including parameter values and topology change statistics.
show spantree ports    Displays Spanning Tree information for switch ports, including parameter values and the current port state.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show spantree and show spantree ports commands is also
given in “Example Network Configuration Steps” on page 6-32.
7 Assigning Ports to VLANs
Initially all switch ports are non-mobile (fixed) and are assigned to VLAN 1, which is also their configured default VLAN. When additional VLANs are created on the switch, ports are assigned to the VLANs
so that traffic from devices connected to these ports is bridged within the VLAN domain. Switch ports are
either statically or dynamically assigned to VLANs.
Methods for statically assigning ports to VLANs include the following:
• Using the vlan port default command to define a new configured default VLAN for both non-mobile
(fixed) and mobile ports. (See “Statically Assigning Ports to VLANs” on page 7-4.)
• Using the vlan 802.1q command to define tagged VLANs for non-mobile ports. This method allows
the switch to bridge traffic for multiple VLANs over one physical port connection. (See Chapter 11,
“Configuring 802.1Q.”)
• Configuring ports as members of a link aggregate that is assigned to a configured default VLAN. (See
Chapter 13, “Configuring Static Link Aggregation,” and Chapter 14, “Configuring Dynamic Link
Aggregation.”)
Dynamic assignment applies only to mobile ports. When traffic is received on a mobile port, the packets
are classified using one of the following methods to determine VLAN assignment (see “Dynamically
Assigning Ports to VLANs” on page 7-4 for more information):
• Packet is tagged with a VLAN ID that matches the ID of another VLAN that has mobile tagging
enabled.
• Packet contents match criteria defined in a VLAN rule.
Regardless of how a port is assigned to a VLAN, once the assignment occurs, a VLAN port association
(VPA) is created and tracked by VLAN management software on each switch.
In This Chapter
This chapter describes how to statically assign ports to a new default VLAN and configure mobile ports
for dynamic assignment through the Command Line Interface (CLI). CLI commands are used in the
configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Statically assigning ports to VLANs on page 7-4.
• Dynamically assigning ports to VLANs (port mobility) page 7-10.
• Configuring mobile port properties (including authentication) on page 7-16.
Port Assignment Specifications
IEEE Standards Supported: 802.1Q–Virtual Bridged Local Area Networks; 802.1D–Media Access Control Bridges
Maximum VLANs per switch and stack: 4094 (based on switch configuration and available resources).
Maximum VLAN port associations: 32768
Switch ports eligible for port mobility: Untagged Ethernet and gigabit Ethernet ports that are not members of a link aggregate.
Switch ports eligible for dynamic VLAN assignment: Mobile ports.
Switch ports eligible for static VLAN assignment: Non-mobile (fixed) ports, mobile ports, uplink ports, 10 gigabit ports, link aggregate of ports.
Port Assignment Defaults
Parameter Description | Command | Default
Configured default VLAN | vlan port default | All ports initially associated with default VLAN 1.
Port mobility | vlan port mobile | Disabled
Bridge mobile port traffic that doesn’t match any VLAN rules on the configured default VLAN | vlan port default vlan | Disabled
Drop mobile port dynamic VLAN assignments when learned mobile port traffic that triggered the assignment ages out | vlan port default vlan restore | Enabled
Enable Layer 2 authentication on the mobile port | vlan port authenticate | Disabled
Enable 802.1x port-based access control on a mobile port | vlan port 802.1x | Disabled
Sample VLAN Port Assignment
The following steps provide a quick tutorial that will create a VLAN, statically assign ports to the VLAN,
and configure mobility on some of the VLAN ports:
1 Create VLAN 255 with a description (e.g., Finance IP Network) using the following command:
-> vlan 255 name "Finance IP Network"
2 Assign switch ports 2 through 5 on slot 3 to VLAN 255 using the following command:
-> vlan 255 port default 3/2-5
VLAN 255 is now the configured default VLAN for ports 2 through 5 on slot 3.
3 Enable mobility on ports 4 and 5 on slot 3 using the following command:
-> vlan port mobile 3/4-5
4 Disable the default VLAN parameter for mobile ports 3/4 and 3/5 using the following command:
-> vlan port 3/4-5 default vlan disable
With this parameter disabled, VLAN 255 will not carry any traffic received on 3/4 or 3/5 that does not
match any VLAN rules configured on the switch.
Note. Optional. To verify that ports 2 through 5 on slot 3 were assigned to VLAN 255, enter show vlan
followed by 255 then port. For example:
-> show vlan 255 port
  port     type      status
--------+---------+-------------
  3/2     default   inactive
  3/3     default   inactive
  3/4     default   inactive
  3/5     default   inactive
To verify the mobile status of ports 4 and 5 on slot 3 and determine which mobile port parameters are
enabled, enter show vlan port mobile followed by a slot and port number. For example:
-> show vlan port mobile 3/4
Mobility            : on,
Config Default Vlan : 255,
Default Vlan Enabled: off,
Default Vlan Perm   : on,
Default Vlan Restore: on,
Authentication      : off,
Ignore BPDUs        : off
Statically Assigning Ports to VLANs
The vlan port default command is used to statically assign both mobile and non-mobile ports to another
VLAN. When the assignment is made, the port drops the previous VLAN assignment. For example, the
following command assigns port 2 on slot 3, currently assigned to VLAN 1, to VLAN 755:
-> vlan 755 port default 3/2
Port 3/2 is now assigned to VLAN 755 and no longer associated with VLAN 1. In addition, VLAN 755 is
now the new configured default VLAN for the port.
A configured default VLAN is the VLAN statically assigned to a port. Any time the vlan port default
command is used, the VLAN assignment is static and a new configured default VLAN is defined for the
port. This command is also the only way to change a non-mobile port VLAN assignment. In addition, non-mobile ports can only retain one VLAN assignment, unlike mobile ports that can dynamically associate
with multiple VLANs. See “Dynamically Assigning Ports to VLANs” on page 7-4 for more information
about mobile ports.
Additional methods for statically assigning ports to VLANs include the following:
• Using the vlan 802.1q command to define tagged VLANs for non-mobile ports. This method allows
the switch to bridge traffic for multiple VLANs over one physical port connection. (See Chapter 11,
“Configuring 802.1Q,” for more information.)
• Configuring ports as members of a link aggregate that is assigned to a configured default VLAN. (See
Chapter 13, “Configuring Static Link Aggregation,” and Chapter 14, “Configuring Dynamic Link
Aggregation,” for more information.)
When a port is statically assigned to a VLAN, a VLAN port association (VPA) is created and tracked by
VLAN management software on each switch. To display a list of all VPAs, use the show vlan port
command. For more information, see “Verifying VLAN Port Associations and Mobile Port Properties” on
page 7-19.
Dynamically Assigning Ports to VLANs
Mobile ports are the only types of ports that are eligible for dynamic VLAN assignment. When traffic
received on a mobile port matches pre-defined VLAN criteria, the port and the matching traffic are
assigned to the VLAN without user intervention.
By default, all switch ports are non-mobile (fixed) ports that are statically assigned to a specific VLAN
and can only belong to one default VLAN at a time. The vlan port mobile command is used to enable
mobility on a port. Once enabled, switch software classifies mobile port traffic to determine the appropriate VLAN assignment. Depending on the type of traffic classification used (VLAN rules or VLAN ID
tag), mobile ports can also associate with more than one VLAN.
VLANs do not have a mobile or non-mobile distinction and there is no overall switch setting to invoke the
mobile port feature. Instead, mobility is enabled on individual switch ports and rules are defined for individual VLANs to classify mobile port traffic.
When a port is dynamically assigned to a VLAN, a VLAN port association (VPA) is created and tracked
by VLAN management software on each switch. To display a list of all VPAs, use the show vlan port
command. For more information, see “Verifying VLAN Port Associations and Mobile Port Properties” on
page 7-19.
How Dynamic Port Assignment Works
Traffic received on mobile ports is classified using one of the following methods:
• Packet is tagged with a VLAN ID that matches the ID of another VLAN that has mobile tagging
enabled. (See “VLAN Mobile Tag Classification” on page 7-5 for more information.)
• Packet contents match criteria defined in a VLAN rule. (See “VLAN Rule Classification” on
page 7-8 for more information.)
Classification triggers dynamic assignment of the mobile port and qualifying traffic to the VLAN with the
matching criteria. The following sections further explain the types of classification and provide examples.
VLAN Mobile Tag Classification
VLAN mobile tag classification provides a dynamic 802.1Q tagging capability. This feature allows
mobile ports to receive and process 802.1Q tagged packets destined for a VLAN that has mobile tagging
enabled.
The vlan mobile-tag command is used to enable or disable mobile tagging for a specific VLAN (see
Chapter 5, “Configuring VLANs,” for more information). If 802.1Q tagging is required on a fixed (non-mobile) port, then the vlan 802.1q command is still used to statically tag VLANs for the port (see
Chapter 11, “Configuring 802.1Q,” for more information).
Consider the following when using VLAN mobile tag classification:
• Using mobile tagging allows the dynamic assignment of mobile ports to one or more VLANs at the
same time.
• If a mobile port receives a tagged packet with a VLAN ID of a VLAN that does not have mobile
tagging enabled or the VLAN does not exist, the packet is dropped.
• VLAN mobile tag classification takes precedence over VLAN rule classification. If a mobile port
receives traffic that matches a VLAN rule and also has an 802.1Q VLAN ID tag for a VLAN with
mobile tagging enabled, the port is dynamically assigned to the mobile tag VLAN and not the matching rule VLAN.
• If the administrative status of a mobile tag VLAN is disabled, dynamic mobile port assignments are
retained but traffic on these ports is filtered for the disabled VLAN. However, the VLAN mobile tag
attribute remains active and continues to classify mobile port traffic for VLAN membership.
The following example shows how mobile ports are dynamically assigned using VLAN mobile tagging to
classify mobile port traffic. This example includes diagrams showing the initial VLAN port assignment
configuration and a diagram showing how the configuration looks after mobile port traffic is classified.
In the initial VLAN port assignment configuration shown below,
• All three ports have workstations that are configured to send packets with an 802.1Q VLAN ID tag for
three different VLANs (VLAN 2, 3, and 4).
• Mobility is enabled on each of the workstation ports.
• VLAN 1 is the configured default VLAN for each port.
• VLANs 2, 3, and 4 are configured on the switch, each one has VLAN mobile tagging enabled.
[Figure: VLAN Mobile Tag Classification: Initial Configuration. An OmniSwitch with VLAN 1 (Default VLAN) and VLANs 2, 3 and 4 (Mobile Tag Enabled); the workstation on Port 1 sends VLAN ID Tag = 2, on Port 2 VLAN ID Tag = 3, and on Port 3 VLAN ID Tag = 4.]
As soon as the workstations start sending traffic, switch software checks the 802.1Q VLAN ID tag of the
frames and looks for a VLAN that has the same ID and also has mobile tagging enabled. Since the workstations are sending tagged packets destined for the mobile tag enabled VLANs, each port is assigned to
the appropriate VLAN without user intervention. As the diagram on page 7-7 shows,
• Port 1 is assigned to VLAN 2, because the workstation is transmitting tagged packets destined for
VLAN 2.
• Port 2 is assigned to VLAN 3 because the workstation is transmitting tagged packets destined for
VLAN 3.
• Port 3 is assigned to VLAN 4 because the workstation is transmitting tagged packets destined for
VLAN 4.
• All three ports, however, retain their default VLAN 1 assignment, but now have an additional VLAN
port assignment that carries the matching traffic on the appropriate mobile tag VLAN.
[Figure: Tagged Mobile Port Traffic Triggers Dynamic VLAN Assignment. An OmniSwitch with VLAN 1 (Default VLAN), VLAN 2 (IP Network 130.0.0.0), VLAN 3 (IP Network 138.0.0.0) and VLAN 4 (IP Network 140.0.0.0); Port 1 (130.0.0.1) now has a Dynamic VPA to VLAN 2, Port 2 (138.0.0.1) to VLAN 3 and Port 3 (140.0.0.1) to VLAN 4, while each port keeps its Default VLAN 1 association.]
VLAN Rule Classification
VLAN rule classification triggers dynamic VLAN port assignment when traffic received on a mobile port
matches the criteria defined in a VLAN rule. Different rule types are available for classifying different
types of network device traffic (see Chapter 9, “Defining VLAN Rules,” for more information).
Note the following items when using VLAN rule classification:
• IP network address rules are applied to traffic received on both mobile and fixed ports. If traffic
contains a source IP address that is included in the subnet specified by the rule, the traffic is dropped.
This does not occur, however, if the IP network address rule is configured on the default VLAN for the
fixed port.
• If the contents of a mobile port frame matches the values specified in both an IP network address rule
and a port-protocol binding rule, the IP network address rule takes precedence. However, if the
contents of such frame violates the port-protocol binding rule, the frame is dropped. See Chapter 9,
“Defining VLAN Rules,” for more information about rule precedence.
• When an active device is disconnected from a mobile port and connected to a fixed port, the source
MAC address of that device is not learned on the fixed port until the MAC address has aged out and no
longer appears on the mobile port.
• If a VLAN is administratively disabled, dynamic mobile port assignments are retained but traffic on
these ports is filtered for the disabled VLAN. However, VLAN rules remain active and continue to
classify mobile port traffic for VLAN membership.
• When a VLAN is deleted from the switch configuration, all rules defined for that VLAN are automatically
removed and any static or dynamic port assignments are dropped.
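The classification order described for mobile ports in the mobile tag and VLAN rule sections above (a tag for a mobile-tag VLAN wins over any rule, a tag for an unknown or non-mobile-tag VLAN is dropped, otherwise rules are tried, and the port's default VLAN parameter decides the fate of unmatched traffic), as an added Python model that is not the guide's or the switch's own code. The VLAN configuration is constructed, only IP network address rules are modelled, and the order in which several matching rule VLANs are tried is an assumption (the guide defers rule precedence to Chapter 9).

```python
"""Model of how a mobile port classifies received traffic into VLANs
(added example, not code from the OmniSwitch guide)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vlan:
    vid: int
    mobile_tag: bool = False          # "vlan mobile-tag" enabled for this VLAN
    admin_enabled: bool = True        # administrative status of the VLAN
    ip_rules: list = field(default_factory=list)  # IP network address rules


@dataclass
class MobilePort:
    name: str
    default_vlan: int                 # configured default VLAN
    default_vlan_enabled: bool = True # the "vlan port ... default vlan" parameter
    vpas: set = field(default_factory=set)  # dynamic VLAN port associations


@dataclass(frozen=True)
class Frame:
    src_ip: str
    tag: Optional[int] = None         # 802.1Q VLAN ID tag, if the frame carries one


def _assign(port, vlan):
    """Create the dynamic VPA; a disabled VLAN keeps the VPA but filters the traffic."""
    port.vpas.add(vlan.vid)
    return vlan.vid, ("forward" if vlan.admin_enabled else "filter")


def classify(port, frame, vlans):
    """Return (vlan_id or None, action) for a frame received on a mobile port."""
    if frame.tag is not None:
        # Mobile tag classification takes precedence over every VLAN rule.
        vlan = vlans.get(frame.tag)
        if vlan is None or not vlan.mobile_tag:
            return None, "drop"       # VLAN does not exist or has no mobile tagging
        return _assign(port, vlan)
    src = ipaddress.ip_address(frame.src_ip)
    # Assumption: if several rule VLANs match, the lowest VLAN ID is tried first.
    for vlan in sorted(vlans.values(), key=lambda v: v.vid):
        if any(src in net for net in vlan.ip_rules):
            return _assign(port, vlan)
    if port.default_vlan_enabled:
        return port.default_vlan, "forward"
    return None, "drop"               # no rule matched and default VLAN is disabled


def sample_vlans():
    """Constructed configuration modelled on the guide's diagrams."""
    return {
        1: Vlan(1),                                        # configured default VLAN
        2: Vlan(2, mobile_tag=True),
        3: Vlan(3, ip_rules=[ipaddress.ip_network("138.0.0.0/8")]),
        4: Vlan(4, ip_rules=[ipaddress.ip_network("140.0.0.0/8")],
                admin_enabled=False),                      # administratively disabled
        5: Vlan(5),                                        # exists, no mobile tag, no rule
    }


if __name__ == "__main__":
    vlans = sample_vlans()
    port = MobilePort("3/4", default_vlan=1)
    for frame in (Frame("138.0.0.5", tag=2), Frame("138.0.0.5", tag=5),
                  Frame("138.0.0.5"), Frame("140.0.0.3"), Frame("10.1.1.1")):
        print(frame, "->", classify(port, frame, vlans))
    print("dynamic VPAs on", port.name, ":", sorted(port.vpas))
```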
The following example illustrates how mobile ports are dynamically assigned using VLAN rules to classify mobile port traffic. This example includes diagrams showing the initial VLAN port assignment
configuration and a diagram showing how the configuration looks after mobile port traffic is classified.
In the initial VLAN port assignment configuration shown on page 7-9,
• All three ports have workstations that belong to three different IP subnets (130.0.0.0, 138.0.0.0, and
140.0.0.0).
• Mobility is enabled on each of the workstation ports.
• VLAN 1 is the configured default VLAN for each port.
• Three additional VLANs are configured on the switch, each one has an IP network address rule defined
for one of the IP subnets.
[Figure: VLAN Rule Classification: Initial Configuration. An OmniSwitch with VLAN 1 (Default VLAN), VLAN 2 (IP Network 130.0.0.0), VLAN 3 (IP Network 138.0.0.0) and VLAN 4 (IP Network 140.0.0.0); workstations on Port 1 (130.0.0.1), Port 2 (138.0.0.5) and Port 3 (140.0.0.3).]
As soon as the workstations start sending traffic, switch software checks the source subnet of the frames
and looks for a match with any configured IP network address rules. Since the workstations are sending
traffic that matches a VLAN rule, each port is assigned to the appropriate VLAN without user intervention. As the diagram on page 7-10 shows,
• Port 1 is assigned to VLAN 2, because the workstation is transmitting IP traffic on network 130.0.0.0
that matches the VLAN 2 network address rule.
• Port 2 is assigned to VLAN 3 because the workstation is transmitting IP traffic on network 138.0.0.0
that matches the VLAN 3 network address rule.
• Port 3 is assigned to VLAN 4 because the workstation is transmitting IP traffic on network 140.0.0.0
that matches the VLAN 4 network address rule.
[Figure: Mobile Port Traffic Triggers Dynamic VLAN Assignment. An OmniSwitch with VLAN 1 (Default VLAN), VLAN 2 (IP Network 130.0.0.0), VLAN 3 (IP Network 138.0.0.0) and VLAN 4 (IP Network 140.0.0.0); Port 1 (130.0.0.1) now has a Dynamic VPA to VLAN 2, Port 2 (138.0.0.1) to VLAN 3 and Port 3 (140.0.0.1) to VLAN 4, while each port keeps its Default VLAN 1 association.]
Configuring Dynamic VLAN Port Assignment
Dynamic VLAN port assignment requires the following configuration steps:
1 Use the vlan port mobile command to enable mobility on switch ports that will participate in dynamic
VLAN assignment. See “Enabling/Disabling Port Mobility” on page 7-11 for detailed procedures.
2 Enable/disable mobile port properties that determine mobile port behavior. See “Configuring Mobile
Port Properties” on page 7-16 for detailed procedures.
3 Create VLANs that will receive and forward mobile port traffic. See Chapter 5, “Configuring VLANs,”
for more information.
4 Configure the method of traffic classification (VLAN rules or tagged VLAN ID) that will trigger
dynamic assignment of a mobile port to the VLANs created in Step 3. See “VLAN Rule Classification” on
page 7-8 and “VLAN Mobile Tag Classification” on page 7-5 for more information.
Once the above configuration steps are completed, dynamic VLAN assignment occurs when a device
connected to a mobile port starts to send traffic. This traffic is examined by switch software to determine
which VLAN should carry the traffic based on the type of classification, if any, defined for a particular
VLAN. See “Dynamically Assigning Ports to VLANs” on page 7-4 for more information and examples of
dynamic VLAN port assignment.
Enabling/Disabling Port Mobility
To enable mobility on a port, use the vlan port mobile command. For example, the following command
enables mobility on port 1 of slot 4:
-> vlan port mobile 4/1
To enable mobility on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port mobile 4/1-5 5/12-20 6/10-15
Use the no form of this command to disable port mobility.
-> vlan no port mobile 5/21-24 6/1-4
Only Ethernet and gigabit Ethernet ports are eligible to become mobile ports. If any of the following
conditions are true, however, these ports are considered non-mobile ports and are not available for
dynamic VLAN assignment:
• The mobile status for the port is disabled (the default).
• The port is an 802.1Q tagged port.
• The port belongs to a link aggregate of ports.
• Spanning Tree is active on the port and the BPDU ignore status is disabled for the port. (See “Ignoring
Bridge Protocol Data Units (BPDU)” on page 7-11 for more information.)
• The port is configured to mirror other ports.
Note. Mobile ports are automatically trusted ports regardless of the QoS settings. See Chapter 26,
“Configuring QoS,” for more information.
Use the show vlan port mobile command to display a list of ports that are mobile or are eligible to
become mobile. For more information about this command, see the OmniSwitch CLI Reference Guide.
Ignoring Bridge Protocol Data Units (BPDU)
By default, ports that send or receive Spanning Tree Bridge Protocol Data Units (BPDU) are not eligible
for dynamic VLAN assignment. If the switch sees BPDU on a port, it does not attempt to classify the
port’s traffic. The vlan port mobile command, however, provides an optional BPDU ignore parameter. If
this parameter is enabled when mobility is enabled on the port, the switch does not look for BPDU to
determine if the port is eligible for dynamic assignment.
When BPDU ignore is disabled and the mobile port receives a BPDU, mobility is shut off on the port and
the following occurs:
• The Switch Logging feature is notified of the port’s change in mobile status (see Chapter 30, “Using
Switch Logging,” for more information).
• The port becomes a fixed (non-mobile) port that is associated only with its configured default VLAN.
• The port is included in the Spanning Tree algorithm.
• Mobility remains off on the port even if the port’s link is disabled or disconnected. Rebooting the
switch, however, will restore the port’s original mobile status.
When BPDU ignore is enabled and the mobile port receives a BPDU, the following occurs:
• The port retains its mobile status and remains eligible for dynamic VLAN assignment.
• The port is not included in the Spanning Tree algorithm.
Note. Enabling BPDU ignore is not recommended. In specific cases where it is required, such as connecting legacy networks to mobile port networks, make sure that ignoring BPDU on a mobile port will not
cause network loops to go undetected. Connectivity problems could also result if a mobile BPDU port
dynamically moves out of its configured default VLAN where it provides traffic flow to/from the network.
The following command enables mobility and BPDU ignore on port 8 of slot 3:
-> vlan port mobile 3/8 BPDU ignore enable
Enabling mobility on an active port that sends or receives BPDU (e.g. ports that connect two switches and
Spanning Tree is enabled on both the ports and their assigned VLANs) is not allowed. If mobility is
required on this type of port, enable mobility and the BPDU ignore parameter when the port is not active.
Understanding Mobile Port Properties
Dynamic assignment of mobile ports occurs without user intervention when mobile port traffic matches
VLAN criteria. When ports are dynamically assigned, however, the following configurable mobile port
properties affect how a port uses its configured default VLAN and how long it retains a VLAN port association (VPA):
Mobile Port Property   If enabled                                        If disabled
Default VLAN           Port traffic that does not match any VLAN         Port traffic that does not match any
                       rules configured on the switch is flooded on      VLAN rules is discarded.
                       the port’s configured default VLAN.
Restore default VLAN   Port does not retain a dynamic VPA when the       Port retains a dynamic VPA when the
                       traffic that triggered the assignment ages out    qualifying traffic ages out of the
                       of the switch MAC address table (forwarding       switch MAC address table.
                       database).
The effects of enabling or disabling mobile port properties are described through the following diagrams:
• How Mobile Port Traffic that Does Not Match any VLAN Rules is Classified on page 7-14.
• How Mobile Port VLAN Assignments Age on page 7-15.
What is a Configured Default VLAN?
Every switch port, mobile or non-mobile, has a configured default VLAN. Initially, this is VLAN 1 for all
ports, but is configurable using the vlan port default command. For more information, see “Statically
Assigning Ports to VLANs” on page 7-4.
To view current VPA information for the switch, use the show vlan port command. Configured default
VLAN associations are identified with a value of default in the type field. For more information, see
“Verifying VLAN Port Associations and Mobile Port Properties” on page 7-19.
What is a Secondary VLAN?
All mobile ports start out with a configured default VLAN assignment. When mobile port traffic matches
VLAN criteria, the port is assigned to that VLAN. Secondary VLANs are any VLAN a port is subsequently assigned to that is not the configured default VLAN for that port.
A mobile port can obtain more than one secondary VLAN assignment under the following conditions:
• Mobile port receives untagged frames that contain information that matches rules on more than one
VLAN. For example, if a mobile port receives IP and IPX frames and there is an IP protocol rule on
VLAN 10 and an IPX protocol rule on VLAN 20, the mobile port is dynamically assigned to both
VLANs. VLANs 10 and 20 become secondary VLAN assignments for the mobile port.
• Mobile port receives 802.1Q tagged frames that contain a VLAN ID that matches a VLAN that has
VLAN mobile tagging enabled. For example, if a mobile port receives frames tagged for VLAN 10, 20
and 30 and these VLANs have mobile tagging enabled, the mobile port is dynamically assigned to all
three VLANs. VLANs 10, 20, and 30 become secondary VLAN assignments for the mobile port.
VLAN Management software on each switch tracks VPAs. When a mobile port link is disabled and then
enabled, all secondary VLAN assignments for that port are automatically dropped and the port’s original
configured default VLAN assignment is restored. Switch ports are disabled when a device is disconnected
from the port, a configuration change is made to disable the port, or switch power is turned off.
To view current VPA information for the switch, use the show vlan port command. Dynamic secondary
VLAN associations are identified with a value of mobile in the type field. For more information, see
“Verifying VLAN Port Associations and Mobile Port Properties” on page 7-19.
[Figure: How Mobile Port Traffic that Does Not Match any VLAN Rules is Classified]
A device connected to a mobile port sends traffic. If the traffic matches existing VLAN criteria, the mobile port and its traffic are dynamically assigned to that VLAN (VLAN 3 in the figure). If device traffic does not match any VLAN rules, the default VLAN property determines whether the traffic is forwarded on the port’s configured default VLAN (VLAN 1 in this example):
• If default VLAN is enabled, device traffic that does not match any VLAN rules is forwarded on the mobile port’s configured default VLAN. Why enable default VLAN? It ensures that all mobile port device traffic is carried on at least one VLAN.
• If default VLAN is disabled, device traffic that does not match any VLAN rules is discarded. Why disable default VLAN? It reduces unnecessary traffic flow on a port’s configured default VLAN and restricts dynamic assignment to mobile port traffic that matches one or more VLAN rules.
[Figure: How Mobile Port VLAN Assignments Age]
The port is assigned to default VLAN 1 or another VLAN using the vlan port default command. It is then assigned to other VLANs (secondary VLAN 2 and secondary VLAN 3 in the figure) when its traffic matches their criteria.
• If restore default VLAN is enabled, the VLAN 2 and VLAN 3 assignments are dropped from the port when port device traffic ages out of the forwarding database (switch MAC address table). Why enable restore default VLAN? Security: VLANs only contain mobile port traffic that has recently matched rule criteria, and VPAs created from occasional network users (e.g., laptops) are not unnecessarily retained.
• If restore default VLAN is disabled, the VLAN 2 and VLAN 3 assignments are retained for the port when port device traffic ages out of the forwarding database (switch MAC address table). Why disable restore default VLAN? VPAs are retained even when port traffic is idle for some time, so when traffic resumes it is not necessary to relearn the same VPA. This is appropriate for devices that only send occasional traffic.
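As an added example (not code from the guide), the following Python model reproduces the classification and aging behaviour described in this section and in the two figures above: a frame that matches a VLAN rule or the tag of a mobile-tag VLAN creates a secondary VPA, the default VLAN property decides what happens to unmatched traffic, and the restore default VLAN property decides whether a VPA survives MAC aging. The VLAN IDs, rules, MAC addresses and frames are constructed sample data, and the handling of a tagged frame that matches no mobile-tag VLAN is an assumption.

```python
"""Model of dynamic VLAN assignment on an OmniSwitch mobile port.

Added example, not Alcatel code. It reproduces the rules stated in this
section: traffic matching a VLAN rule (or the 802.1Q tag of a mobile-tag
VLAN) creates a secondary VPA, the 'default VLAN' property decides what
happens to unmatched traffic, and the 'restore default VLAN' property
decides whether a VPA survives MAC aging. All VLAN IDs, rules, MAC
addresses and frames used here are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Frame:
    src_mac: str
    protocol: str               # e.g. "ip", "ipx", "appletalk"
    tag: Optional[int] = None   # 802.1Q VLAN ID when the frame is tagged


@dataclass
class Vlan:
    vid: int
    protocol_rules: frozenset = frozenset()   # protocols that classify into this VLAN
    mac_rules: frozenset = frozenset()        # source MACs that classify into this VLAN
    mobile_tag: bool = False                  # VLAN mobile tagging enabled


@dataclass
class MobilePort:
    name: str
    default_vlan: int = 1                 # configured default VLAN (vlan port default)
    default_vlan_enabled: bool = True     # vlan port <slot/port> default vlan enable
    restore_default_vlan: bool = True     # vlan port <slot/port> default vlan restore enable
    # secondary VPAs: VLAN ID -> source MACs whose traffic currently backs the VPA
    secondary: Dict[int, Set[str]] = field(default_factory=dict)

    def vpas(self) -> List[int]:
        """Every VLAN the port is currently associated with."""
        return sorted({self.default_vlan, *self.secondary})


class Switch:
    def __init__(self, vlans: List[Vlan]):
        self.vlans = {v.vid: v for v in vlans}

    @staticmethod
    def _matches(vlan: Vlan, frame: Frame) -> bool:
        if frame.tag is not None:
            # Tagged frames are classified by VLAN ID, not by rule criteria.
            return vlan.mobile_tag and vlan.vid == frame.tag
        return (frame.protocol in vlan.protocol_rules
                or frame.src_mac.lower() in vlan.mac_rules)

    def classify(self, port: MobilePort, frame: Frame) -> List[int]:
        """Return the VLAN IDs the frame is forwarded on; [] means discarded."""
        matched = [v.vid for v in self.vlans.values() if self._matches(v, frame)]
        for vid in matched:
            if vid != port.default_vlan:          # matching the default VLAN adds no VPA
                port.secondary.setdefault(vid, set()).add(frame.src_mac.lower())
        if matched:
            return sorted(matched)
        # Nothing matched: the default VLAN property decides (flood or discard).
        # Assumption: an unmatched tagged frame is handled the same way.
        return [port.default_vlan] if port.default_vlan_enabled else []

    def age_out(self, port: MobilePort, mac: str) -> None:
        """The MAC ages out of the forwarding database (switch MAC address table)."""
        for vid in list(port.secondary):
            port.secondary[vid].discard(mac.lower())
            # restore enabled: the VPA is dropped once no learned MAC backs it;
            # restore disabled: the VPA is retained until the link goes down.
            if not port.secondary[vid] and port.restore_default_vlan:
                del port.secondary[vid]

    def link_down_up(self, port: MobilePort) -> None:
        """Link down/up drops every secondary VPA regardless of the restore setting."""
        port.secondary.clear()
```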
Configuring Mobile Port Properties
Mobile port properties indicate mobile port status and affect port behavior when the port is dynamically
assigned to one or more VLANs. For example, mobile port properties determine the following:
• Whether the configured default VLAN forwards or discards port traffic that does not match any VLAN
rule criteria.
• Whether the port retains or drops a dynamic VPA when the traffic that triggered the assignment stops and the
source MAC address learned on the port for that VLAN is aged out. (See Chapter 2, “Managing Source
Learning,” for more information about the aging of MAC addresses.)
• Whether the mobile port participates in Layer 2 authentication that provides a login process at the VLAN
and/or port level. (See Chapter 22, “Configuring Authenticated VLANs,” and Chapter 23, “Configuring 802.1X,” for more information.)
This section contains procedures for using the following commands to configure mobile port properties.
For more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Command                          Description
vlan port default vlan           Enables or disables forwarding of mobile port traffic that does not match any existing VLAN rules on the port’s configured default VLAN.
vlan port default vlan restore   Enables or disables the retention of VLAN port assignments when mobile port traffic ages out.
vlan port authenticate           Enables or disables authentication on a mobile port.
vlan port 802.1x                 Enables or disables 802.1X port-based access control on a mobile port.
Use the show vlan port mobile command to view the current status of these properties for one or more
mobile ports. See “Verifying VLAN Port Associations and Mobile Port Properties” on page 7-19 for more
information.
Enable/Disable Default VLAN
To enable or disable forwarding of mobile port traffic that does not match any VLAN rules on the port’s
configured default VLAN, enter vlan port followed by the port’s slot/port designation then default vlan
followed by enable or disable. For example,
-> vlan port 3/1 default vlan enable
-> vlan port 5/2 default vlan disable
To enable or disable the configured default VLAN on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port 2/1-12 3/10-24 4/3-14 default vlan enable
Note. It is recommended that mobile ports with their default VLAN disabled should not share a VLAN
with any other types of ports (e.g., mobile ports with default VLAN enabled or non-mobile, fixed ports).
See “Understanding Mobile Port Properties” on page 7-12 for an overview and illustrations of how this
property affects mobile port behavior.
Enable/Disable Default VLAN Restore
To enable or disable default VLAN restore, enter vlan port followed by the port’s slot/port designation
then default vlan restore followed by enable or disable. For example,
-> vlan port 3/1 default vlan restore enable
-> vlan port 5/2 default vlan restore disable
To enable or disable default VLAN restore on multiple ports, specify a range of ports and/or multiple
slots.
-> vlan port 2/1-12 3/10-24 4/3-14 default vlan restore enable
Note the following when changing the restore default VLAN status for a mobile port:
• If a hub is connected to a mobile port, enabling default VLAN restore on that port is recommended.
• VLAN port rule assignments are exempt from the effects of the restore default VLAN status. See
Chapter 9, “Defining VLAN Rules,” for more information about using port rules to forward mobile
port traffic.
• When a mobile port link is disabled and then enabled, all secondary VPAs for that port are automatically
dropped regardless of the restore default VLAN status for that port. Switch ports are disabled
when a device is disconnected from the port, a configuration change is made to disable the port, or
switch power is turned off.
See “Understanding Mobile Port Properties” on page 7-12 for an overview and illustrations of how this
property affects mobile port behavior.
Enable/Disable Port Authentication
To enable or disable authentication on a mobile port, enter vlan port followed by the port’s slot/port
designation then authenticate followed by enable or disable. For example,
-> vlan port 3/1 authenticate enable
-> vlan port 5/2 authenticate disable
To enable or disable authentication on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port 6/1-32 8/10-24 9/3-14 authenticate enable
Only mobile ports are eligible for authentication. If enabled, the mobile port participates in the Layer 2
authentication process supported by Alcatel switches. This process restricts switch access at the VLAN
level. The user is required to enter a valid login ID and password before gaining membership to a VLAN.
For more information, see Chapter 22, “Configuring Authenticated VLANs.”
Enable/Disable 802.1X Port-Based Access Control
To enable or disable 802.1X on a mobile port, enter vlan port followed by the port’s slot/port designation then 802.1x followed by enable or disable. For example,
-> vlan port 3/1 802.1x enable
-> vlan port 5/2 802.1x disable
To enable or disable 802.1X on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port 6/1-32 8/10-24 9/3-14 802.1x enable
-> vlan port 5/3-6 9/1-4 802.1x disable
Only mobile ports are eligible for 802.1X port-based access control. If enabled, the mobile port participates in the authentication and authorization process defined in the IEEE 802.1X standard and supported
by Alcatel switches. For more information, see Chapter 23, “Configuring 802.1X.”
Verifying VLAN Port Associations and Mobile Port Properties
To display a list of VLAN port assignments or the status of mobile port properties, use the show
commands listed below:
show vlan port          Displays a list of VLAN port assignments, including the type and status for each assignment.
show vlan port mobile   Displays the mobile status and current mobile parameter values for each port.
Understanding ‘show vlan port’ Output
Each line of the show vlan port command display corresponds to a single VLAN port association (VPA).
In addition to showing the VLAN ID and slot/port number, the VPA type and current status of each association are also provided.
The VPA type indicates that one of the following methods was used to create the VPA:
Type      Description
default   The port was statically assigned to the VLAN using the vlan port default command. The VLAN is now the port’s configured default VLAN.
qtagged   The port was statically assigned to the VLAN using the vlan 802.1q command. The VLAN is a static secondary VLAN for the 802.1Q tagged port.
mobile    The port is mobile and was dynamically assigned when traffic received on the port matched VLAN criteria (VLAN rules or tagged VLAN ID). The VLAN is a dynamic secondary VLAN assignment for the mobile port.
mirror    The port is assigned to the VLAN because it is configured to mirror another port that is assigned to the same VLAN. For more information about the Port Mirroring feature, see Chapter 29, “Diagnosing Switch Problems.”
The VPA status indicates one of the following:
Status       Description
inactive     Port is not active (administratively disabled, down, or nothing connected to the port) for the VPA.
blocking     Port is active, but not forwarding traffic for the VPA.
forwarding   Port is forwarding all traffic for the VPA.
filtering    Mobile port traffic is filtered for the VPA; only traffic received on the port that matches VLAN rules is forwarded. Occurs when a mobile port’s VLAN is administratively disabled or the port’s default VLAN status is disabled. Does not apply to fixed ports.
The following example uses the show vlan port command to display VPA information for all ports in
VLAN 200:
-> show vlan 200 port
 port     type      status
--------+---------+-------------
 3/24     default   inactive
 5/11     mobile    forwarding
 5/12     qtagged   blocking
The above example output provides the following information:
• VLAN 200 is the configured default VLAN for port 3/24, which is currently not active.
• VLAN 200 is a secondary VLAN for mobile port 5/11, which is currently forwarding traffic for this
VPA.
• VLAN 200 is an 802.1Q tagged VLAN for port 5/12, which is an active port but currently blocked
from forwarding traffic.
Another example of the output for the show vlan port command is also given in “Sample VLAN Port
Assignment” on page 7-3. For more information about the resulting display from this command, see the
OmniSwitch CLI Reference Guide.
Understanding ‘show vlan port mobile’ Output
The show vlan port mobile command provides information regarding a port’s mobile status. If the port is
mobile, the resulting display also provides the current status of the port’s mobile properties. The following example displays mobile port status and property values for ports 8/2 through 8/5:
-> show vlan port mobile
                cfg                                ignore
 port   mobile  def  authent   enabled  restore   bpdu
-------+--------+----+--------+---------+---------+------
 8/2    on      200  off       off      on        off
 8/3    on      200  off       on       off       off
 8/4    on      200  on-avlan  off      on        off
 8/5    on      200  on-8021x  on       off       off
Note that the show vlan port mobile command only displays ports that are mobile or are eligible to
become mobile ports. For example, ports that are part of a link aggregate or are configured for 802.1Q
VLAN tagging are not included in the output of this command.
Another example of the output for the show vlan port mobile command is also given in “Sample VLAN
Port Assignment” on page 7-3. For more information about the resulting display from this command, see
the OmniSwitch CLI Reference Guide.
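An audit helper is a natural companion to this display: the following Python script, added here and not part of the guide, parses show vlan port mobile output in the column layout shown above and flags the settings this chapter cautions about (BPDU ignore enabled, restore default VLAN disabled) along with settings worth a second look (default VLAN enabled, no Layer 2 authentication). The embedded sample output is constructed: rows 8/2 through 8/5 mirror the guide’s example, and rows 8/6 and 8/7 are added to exercise the checks.

```python
"""Parse 'show vlan port mobile' output and audit mobile-port properties.

Added example, not Alcatel code. It reads the column layout shown in this
section and flags the settings the guide warns about (BPDU ignore enabled,
restore default VLAN disabled) plus settings worth reviewing (default VLAN
enabled, no Layer 2 authentication). SAMPLE_OUTPUT is constructed: rows
8/2-8/5 mirror the guide's example, rows 8/6 and 8/7 are added to exercise
the checks.
"""
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OUTPUT = """\
-> show vlan port mobile
                cfg                                ignore
 port   mobile  def  authent   enabled  restore   bpdu
-------+--------+----+--------+---------+---------+------
 8/2    on      200  off       off      on        off
 8/3    on      200  off       on       off       off
 8/4    on      200  on-avlan  off      on        off
 8/5    on      200  on-8021x  on       off       off
 8/6    on      1    off       on       off       on
 8/7    off     1    off       on       on        off
"""

# Column order of the display: port, mobile status, configured default VLAN,
# authentication, default VLAN property, restore default VLAN, BPDU ignore.
COLUMNS = ("port", "mobile", "cfg_def", "authent", "enabled", "restore", "ignore_bpdu")


@dataclass
class MobilePortRow:
    port: str
    mobile: str         # on = mobile, off = eligible but not mobile
    cfg_def: int        # configured default VLAN
    authent: str        # off, on-avlan or on-8021x
    enabled: str        # default VLAN property (flood unmatched traffic on cfg_def)
    restore: str        # restore default VLAN property
    ignore_bpdu: str


def parse_show_vlan_port_mobile(text: str) -> List[MobilePortRow]:
    """Return one row per port listed below the dashed separator."""
    rows: List[MobilePortRow] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) != len(COLUMNS):
            continue                       # header, prompt or blank line
        rows.append(MobilePortRow(fields[0], fields[1], int(fields[2]), *fields[3:]))
    return rows


def audit(rows: List[MobilePortRow]) -> Dict[str, List[str]]:
    """Map each port to the findings a reviewer would raise for it."""
    findings: Dict[str, List[str]] = {}
    for r in rows:
        notes: List[str] = []
        if r.mobile == "on":
            if r.ignore_bpdu == "on":
                notes.append("BPDU ignore enabled: loops through this port are not detected by Spanning Tree")
            if r.restore == "off":
                notes.append("restore default VLAN disabled: dynamic VPAs persist after traffic ages out")
            if r.enabled == "on":
                notes.append(f"default VLAN enabled: unmatched traffic is flooded on VLAN {r.cfg_def}")
            if r.authent == "off":
                notes.append("no Layer 2 authentication (AVLAN or 802.1X) on this mobile port")
        findings[r.port] = notes
    return findings
```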
8 Configuring Port Mapping
Port Mapping is a security feature that controls communication between peer users. Each session
comprises a session ID, a set of user ports, and/or a set of network ports. The user ports within a session
cannot communicate with each other and can only communicate via network ports. In a port mapping
session with user port set A and network port set B, the ports in set A can only communicate with the ports
in set B. If set B is empty, the ports in set A can communicate with the rest of the ports in the system.
A port mapping session can be configured in the unidirectional or bidirectional mode. In the unidirectional mode, the network ports can communicate with each other within the session. In the bidirectional
mode, the network ports cannot communicate with each other. Network ports of a unidirectional port
mapping session can be shared with other unidirectional sessions, but cannot be shared with any sessions
configured in the bidirectional mode. Network ports of different sessions can communicate with each
other.
Note. Port Mapping is only supported on the OmniSwitch 6800 and 6850 switches for this release.
In This Chapter
This chapter describes the port mapping security feature and explains how to configure it through
the Command Line Interface (CLI).
Configuration procedures described in this chapter include:
• Creating/Deleting a Port Mapping Session—see “Creating a Port Mapping Session” on page 8-3 or
“Deleting a Port Mapping Session” on page 8-3.
• Enabling/Disabling a Port Mapping Session—see “Enabling a Port Mapping Session” on page 8-4 or
“Disabling a Port Mapping Session” on page 8-4.
• Configuring a Port Mapping Direction—see “Configuring Unidirectional Port Mapping” on page 8-4
and “Restoring Bidirectional Port Mapping” on page 8-4.
• Configuring an example Port Mapping Session—see “Sample Port Mapping Configuration” on
page 8-5.
• Verifying a Port Mapping Session—see “Verifying the Port Mapping Configuration” on page 8-6.
Port Mapping Specifications
Ports Supported           Ethernet (10 Mbps)/Fast Ethernet (100 Mbps)/Gigabit Ethernet (1 Gb/1000 Mbps)/10 Gigabit Ethernet (10 Gb/10000 Mbps).
Mapping Sessions          Eight sessions supported per standalone switch and stack.
Platforms Supported       OmniSwitch 6800, OmniSwitch 6850
Platforms Not Supported   OmniSwitch 9000
Port Mapping Defaults
The following table shows port mapping default values.
Parameter Description          CLI Command                           Default Value/Comments
Mapping Session Creation       port mapping user-port network-port   No mapping sessions
Mapping Status configuration   port mapping                          Disabled
Port Mapping Direction         port mapping                          Bidirectional
Quick Steps for Configuring Port Mapping
Follow the steps below for a quick tutorial on configuring port mapping sessions. Additional information
on how to configure each command is given in the subsections that follow.
1 Create a port mapping session, with or without user ports and network ports, using the port mapping user-port
network-port command. For example:
-> port mapping 8 user-port 1/2 network-port 1/3
2 Enable the port mapping session with the port mapping command. For example:
-> port mapping 8 enable
Note. You can verify the configuration of the port mapping session by entering show port mapping
followed by the session ID:
-> show port mapping 8
 SessionID    USR-PORT          NETWORK-PORT
-----------+----------------+-----------------
 8            1/2               1/3
You can also verify the status of a port mapping session by using the show port mapping status
command.
Creating/Deleting a Port Mapping Session
Before port mapping can be used, it is necessary to create a port mapping session. The following subsections describe how to create and delete a port mapping session with the port mapping user-port
network-port and port mapping command, respectively.
Creating a Port Mapping Session
To create a port mapping session either with or without the user ports, network ports, or both, use the port
mapping user-port network-port command. For example, to create a port mapping session 8 with a user
port on slot 1 port 2 and a network port on slot 1 port 3, you would enter:
-> port mapping 8 user-port 1/2 network-port 1/3
You can create a port mapping session with link aggregate network ports. For example, to create a port
mapping session 3 with network ports of link aggregation group 7, you would enter:
-> port mapping 3 network-port linkagg 7
You can specify all the ports of a slot to be assigned to a mapping session. For example, to create a port
mapping session 3 with all the ports of slot 1 as network ports, you would enter:
-> port mapping 3 network-port slot 1
You can specify a range of ports to be assigned to a mapping session. For example, to create a port
mapping session 4 with ports 5 through 8 on slot 2 as user ports, you would enter:
-> port mapping 4 user-port 2/5-8
Deleting a User/Network Port of a Session
To delete a user/network port of a port mapping session, use the no form of the port mapping user-port
network-port command. For example, to delete a user port on slot 1 port 3 of a mapping session 8, you
would enter:
-> port mapping 8 no user-port 1/3
Similarly, to delete the network ports of link aggregation group 7 of a mapping session 4, you would enter:
-> port mapping 4 no network-port linkagg 7
Deleting a Port Mapping Session
To delete a previously created mapping session, use the no form of the port mapping command. For
example, to delete the port mapping session 6, you would enter:
-> no port mapping 6
Note. You must delete any attached ports with the port mapping user-port network-port command
before you can delete a port mapping session.
Enabling/Disabling a Port Mapping Session
By default, the port mapping session will be disabled. The following subsections describe how to enable
and disable the port mapping session with the port mapping command.
Enabling a Port Mapping Session
To enable a port mapping session, enter port mapping followed by the session ID and enable.
For example, to enable the port mapping session 5, you would enter:
-> port mapping 5 enable
Disabling a Port Mapping Session
To disable a port mapping session, enter port mapping followed by the session ID and disable.
For example, to disable the port mapping session 5, you would enter:
-> port mapping 5 disable
Configuring a Port Mapping Direction
By default, port mapping sessions are bidirectional. The following subsections describe how to configure
and restore the directional mode of a port mapping session with the port mapping command.
Configuring Unidirectional Port Mapping
To configure a unidirectional port mapping session, enter port mapping followed by the session ID and
unidirectional. For example, to configure the direction of a port mapping session 6 as unidirectional, you
would enter:
-> port mapping 6 unidirectional
Restoring Bidirectional Port Mapping
To restore the direction of a port mapping session to its default (i.e., bidirectional), enter port mapping
followed by the session ID and bidirectional. For example, to restore the direction (i.e., bidirectional) of
the port mapping session 5, you would enter:
-> port mapping 5 bidirectional
Note. To change the direction of an active session with network ports, delete the network ports of the
session, change the direction, and recreate the network ports.
Sample Port Mapping Configuration
This section provides an example port mapping network configuration. In addition, a tutorial is also
included that provides steps on how to configure the example port mapping session using the Command
Line Interface (CLI).
Example Port Mapping Overview
The following diagram shows a four-switch network configuration with active port mapping sessions. In
the network diagram, the Switch A is configured as follows:
• Port mapping session 1 is created with user ports 2/1, 2/2 and network ports 1/1, 1/2 and is configured
in the unidirectional mode.
• Port mapping session 2 is created with user ports 3/1, 3/2, and 3/3 and network port 1/3.
Switch D is configured by creating a port mapping session 1 with user ports 2/1, 2/2 and network
port 1/1.
[Figure: Example Port Mapping Topology. Switches A, B, C and D with their slot/port numbers (1/1, 1/2, 1/3, 2/1, 2/2, 3/1, 3/2, 3/3); port mapping session 1 and port mapping session 2 are marked.]
In the above example topology:
• Ports 2/1 and 2/2 on Switch A do not interact with each other and do not interact with the ports on
Switch B.
• Ports 2/1, 2/2, and 3/1 on Switch B interact with all the ports of the network except with ports 2/1 and
2/2 on Switch A.
• Ports 2/1 and 2/2 on Switch D do not interact with each other but they interact with all the user ports on
Switch A except 3/1, 3/2, and 3/3. They also interact with all the ports on Switch B and Switch C.
• Ports 3/1, 3/2, and 2/1 on Switch C can interact with all the user ports on the network except 3/1, 3/2,
3/3 on Switch A.
Example Port Mapping Configuration Steps
The following steps provide a quick tutorial that configures the port mapping session shown in the
diagram on page 8-5.
1 Create two port mapping sessions on Switch A using the following commands:
-> port mapping 1 user-port 2/1-2 network-port 1/1-2
-> port mapping 2 user-port 3/1-3 network-port 1/3
2 Configure session 1 on Switch A in the unidirectional mode using the following command:
-> port mapping 1 unidirectional
3 Enable both the sessions on Switch A using the following commands:
-> port mapping 1 enable
-> port mapping 2 enable
Similarly, create and enable a port mapping session 1 on Switch D by entering the following commands:
-> port mapping 1 user-port 2/1-2 network-port 1/1
-> port mapping 1 enable
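The communication rules stated at the start of this chapter can be checked against the Switch A sessions just configured. The following Python model is an added example, not Alcatel code: it encodes those rules (user ports of a session are isolated from each other and reach only the session's network ports, an empty network set means the rest of the switch, unidirectional sessions let their network ports talk to each other while bidirectional sessions do not) and exposes Switch A's two sessions for testing. Port 4/1 and the extra sessions used in the checks are constructed.

```python
"""Reachability model for OmniSwitch port mapping sessions.

Added example, not Alcatel code. It encodes the communication rules from
the start of this chapter and checks them against Switch A of the sample
topology (sessions 1 and 2). Port 4/1 and any session beyond 1 and 2 used
in the checks are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Session:
    session_id: int
    user_ports: Set[str] = field(default_factory=set)
    network_ports: Set[str] = field(default_factory=set)
    unidirectional: bool = False     # default mode is bidirectional
    enabled: bool = False            # sessions are created disabled


def shared_network_port_conflicts(sessions: List[Session]) -> List[Tuple[int, int, List[str]]]:
    """Network ports shared between a unidirectional and a bidirectional
    session; sharing is allowed only among unidirectional sessions."""
    conflicts = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            shared = a.network_ports & b.network_ports
            if shared and a.unidirectional != b.unidirectional:
                conflicts.append((a.session_id, b.session_id, sorted(shared)))
    return conflicts


class PortMapping:
    def __init__(self, sessions: List[Session]):
        # Only enabled sessions restrict traffic.
        self.sessions = [s for s in sessions if s.enabled]

    def can_communicate(self, a: str, b: str) -> bool:
        """True if frames may pass between distinct ports a and b."""
        for s in self.sessions:
            a_user, b_user = a in s.user_ports, b in s.user_ports
            a_net, b_net = a in s.network_ports, b in s.network_ports
            # User ports within a session never communicate with each other.
            if a_user and b_user:
                return False
            # With a non-empty network set, a user port reaches only that set.
            if s.network_ports and ((a_user and not b_net) or (b_user and not a_net)):
                return False
            # Bidirectional mode isolates the session's network ports from each other.
            if a_net and b_net and not s.unidirectional:
                return False
        return True


def switch_a() -> PortMapping:
    """Switch A from the sample configuration (sessions 1 and 2, both enabled)."""
    return PortMapping([
        Session(1, {"2/1", "2/2"}, {"1/1", "1/2"}, unidirectional=True, enabled=True),
        Session(2, {"3/1", "3/2", "3/3"}, {"1/3"}, enabled=True),
    ])
```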
Verifying the Port Mapping Configuration
To display information about the port mapping configuration on the switch, use the show commands listed
below:
show port mapping status   Displays the status of one or more port mapping sessions.
show port mapping          Displays the configuration of one or more port mapping sessions.
For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
9 Defining VLAN Rules
VLAN rules are used to classify mobile port traffic for dynamic VLAN port assignment. Rules are defined
by specifying a port, MAC address, protocol, network address, binding, or DHCP criteria to capture
certain types of network device traffic. It is also possible to define multiple rules for the same VLAN. A
mobile port is assigned to a VLAN if its traffic matches any one VLAN rule.
There is an additional method for dynamically assigning mobile ports to VLANs that involves enabling
VLAN mobile tagging. This method is similar to defining rules in that the feature is enabled on the VLAN
that is going to receive the mobile port tagged traffic. The difference, however, is that tagged packets
received on mobile ports are classified by their 802.1Q VLAN ID tag and not by whether or not their
source MAC, network address, or protocol type matches VLAN rule criteria.
In This Chapter
This chapter contains information and procedures for defining VLAN rules through the Command Line
Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax
of commands, see the OmniSwitch CLI Reference Guide. Refer to Chapter 5, “Configuring VLANs,” and
Chapter 7, “Assigning Ports to VLANs,” for information about the VLAN mobile tagging feature.
Configuration procedures described in this chapter include:
• Defining DHCP rules on page 9-12.
• Defining binding rules to restrict access to specific network devices on page 9-14.
• Defining MAC address rules on page 9-17.
• Defining IP and IPX network address rules on page 9-18.
• Defining protocol rules on page 9-20.
• Defining forwarding-only port rules on page 9-21.
• Verifying the VLAN rule configuration on page 9-25.
For information about creating and managing VLANs, see Chapter 5, “Configuring VLANs.”
For information about enabling port mobility and defining mobile port properties, see Chapter 7, “Assigning Ports to VLANs.”
VLAN Rules Specifications
IEEE Standards Supported                     802.1Q–Virtual Bridged Local Area Networks
                                             802.1v–VLAN Classification by Protocol and Port
                                             802.1D–Media Access Control Bridges
Maximum number of VLANs per switch           4094 (based on switch configuration and available resources)
Maximum number of rules per VLAN             Unlimited
Maximum number of rules per switch           8129 of each rule type, except for a DHCP generic rule
                                             because only one is allowed per switch.
Switch ports eligible for VLAN rule          Mobile 10/100 Ethernet and gigabit ports.
classification (dynamic VLAN assignment)
Switch ports not eligible for VLAN rule      Non-mobile (fixed) ports.
classification                               Uplink/stack ports.
                                             10 gigabit ports.
                                             802.1Q tagged fixed ports.
                                             Link aggregate ports.
CLI Command Prefix Recognition               All VLAN management commands support prefix recognition.
                                             See the “Using the CLI” chapter in the OmniSwitch
                                             6800/6850/9000 Switch Management Guide for more information.
VLAN Rules Defaults
Parameter Description                      Command     Default
IP network address rule subnet mask        vlan ip     The IP address class range; Class A, B, or C.
IPX network address rule encapsulation     vlan ipx    Ethernet-II
Sample VLAN Rule Configuration
The following steps provide a quick tutorial that will create an IP network address and DHCP MAC range
rule for VLAN 255, an IPX protocol rule for VLAN 355, and a MAC-IP-port binding rule for VLAN
1500. The remaining sections of this chapter provide further explanation of all VLAN rules and how they
are defined.
1 Create VLAN 255 with a description (e.g., Finance IP Network) using the following command:
-> vlan 255 name "Finance IP Network"
2 Define an IP network address rule for VLAN 255 that will capture mobile port traffic containing a
network 21.0.0.0 IP source address. For example:
-> vlan 255 ip 21.0.0.0
3 Define a DHCP MAC range rule for VLAN 255 that will capture mobile port DHCP traffic that
contains a source MAC address that falls within the range specified by the rule. For example:
-> vlan 255 dhcp mac 00:DA:95:00:59:10 00:DA:95:00:59:9F
4 Define an IPX protocol rule for VLAN 355 that will capture mobile port traffic containing an IPX
protocol type value. For example:
-> vlan 355 protocol ipx-e2
5 Define a MAC-IP-port binding rule that restricts assignment to VLAN 1500 to traffic received on
mobile port 3/10 containing a MAC address of 00:DA:95:00:CE:3F and an IP address of 21.0.0.43. For
example:
-> vlan 1500 binding mac-ip-port 00:da:95:00:ce:3f 21.0.0.43 3/10
Note. Optional. To verify that the rules in this tutorial were defined for VLANs 255, 355, and 1500, enter
show vlan rules. For example:
-> show vlan rules
Legend: type: * = binding rule
 type              vlan    rule
-----------------+------+------------------------------------------------------
ip-net             255     21.0.0.0, 255.0.0.0
protocol           355     ipx-e2
mac-ip-port*       1500    00:da:95:00:ce:3f, 21.0.0.43, 3/10
dhcp-mac-range     255     00:da:95:00:59:10, 00:da:95:00:59:9f
VLAN Rules Overview
The mobile port feature available on the switch allows dynamic VLAN port assignment based on VLAN
rules that are applied to mobile port traffic. When a port is defined as a mobile port, switch software
compares traffic coming in on that port with configured VLAN rules. If any of the mobile port traffic
matches any of the VLAN rules, the port and the matching traffic become a member of that VLAN.
VLANs do not have a mobile or non-mobile distinction and there is no overall switch setting to invoke the
mobile port feature. Instead, mobility is enabled on individual switch ports and rules are defined for individual VLANs to capture mobile port traffic. Refer to Chapter 7, “Assigning Ports to VLANs,” for more
information about using mobile ports and dynamic VLAN port assignments.
It is possible to define multiple rules for one VLAN and rules for multiple VLANs. However, only IP and
IPX protocol rules support the dynamic assignment of one mobile port to multiple VLANs. All other rule
types classify a mobile port into one VLAN, even if the port receives traffic that matches other rules.
VLAN Rule Types
There are several types of configurable VLAN rules available for classifying different types of network
device traffic. There is no limit to the number of rules allowed per VLAN and up to 8,129 of each rule
type is allowed per switch. See “Configuring VLAN Rule Definitions” on page 9-11 for instructions on
how to create a VLAN rule.
The type of rule defined determines the type of traffic that will trigger a dynamic port assignment to the
VLAN and the type of traffic the VLAN will forward within its domain. Refer to the following sections
(listed in the order of rule precedence) for a description of each type of VLAN rule:
Rule                               See
DHCP MAC Address                   “DHCP Rules” on page 9-5
DHCP MAC Range
DHCP Port
DHCP Generic
MAC-Port-IP Address Binding        “Binding Rules” on page 9-6
MAC-Port-Protocol Binding
MAC-Port Binding
MAC-IP Address Binding
Port-IP Address Binding
Port-Protocol Binding
MAC Address                        “MAC Address Rules” on page 9-6
MAC Address Range
Network Address                    “Network Address Rules” on page 9-6
Protocol                           “Protocol Rules” on page 9-6
Port                               “Port Rules” on page 9-7
Use the show vlan rules command to display a list of rules already configured on the switch. For more
information about this command, refer to the OmniSwitch CLI Reference Guide.
DHCP Rules
Dynamic Host Configuration Protocol (DHCP) frames are sent from client workstations to request an IP
address from a DHCP server. The server responds with the same type of frames, which contain an IP
address for the client. If clients are connected to mobile ports, DHCP rules are used to classify this type of
traffic for the purposes of transmitting and receiving DHCP frames to and from the server.
When a mobile port receives a DHCP frame that matches a DHCP rule, the port is temporarily assigned to
the VLAN long enough to forward the DHCP requests within the VLAN broadcast domain. The source
MAC address of the DHCP frame, however, is not learned for that VLAN port association. As a result, the
show mac-address-table command output will not contain an entry for the DHCP source MAC address.
The show vlan port command output, however, will contain an entry for the temporary VLAN port association that occurs during this process.
Once a device connected to a mobile port receives an IP address from the DHCP server, the VLAN port
assignment triggered by the device’s DHCP frames matching a VLAN DHCP rule is dropped unless regular port traffic matches another rule on that same VLAN. If this match occurs, or the traffic matches a rule
on another VLAN, then the source MAC address of the mobile port’s frames is learned for that VLAN
port association.
DHCP rules are most often used in combination with IP network address rules. A DHCP client has an IP
address of all zeros (0.0.0.0) until it receives an IP address from a DHCP server, so initially it would not
match any IP network address rules.
Binding rules, MAC address rules, and protocol rules also capture DHCP client traffic. The exception to
this is binding rules that specify an IP address as part of the rule, similar to IP network address rule definitions.
The following DHCP rule types are available:
• DHCP MAC Address
• DHCP MAC Range
• DHCP Port
• DHCP Generic
Binding Rules
Binding rules restrict VLAN assignment to specific devices by requiring that device traffic match all criteria specified in the rule. As a result, a separate binding rule is required for each device. An unlimited
number of such rules, however, is allowed per VLAN and up to 8129 of each rule type is allowed per
switch. Although DHCP traffic is examined and processed first by switch software, binding rules take
precedence over all other rules.
The following binding rule types are available. The rule type name indicates the criteria the rule uses to
determine if device traffic qualifies for VLAN assignment. For example, the MAC-Port-IP address binding rule requires a matching source MAC and IP address in frames received from a device connected to
the port specified in the rule.
• MAC-port-IP Address
• MAC-port-protocol
• MAC-port
• MAC-IP Address
• port-IP address
• port-protocol
Note that MAC-port-IP and MAC-port binding rules are also supported on Authenticated VLANs
(AVLANs). See “Configuring VLAN Rule Definitions” on page 9-11 and Chapter 22, “Configuring
Authenticated VLANs,” for more information.
MAC Address Rules
MAC address rules determine VLAN assignment based on a device’s source MAC address. This is the
simplest type of rule and provides the maximum degree of control and security. Members of the VLAN
will consist of devices with specific MAC addresses. In addition, once a device joins a MAC address rule
VLAN, it is not eligible to join multiple VLANs even if device traffic matches other VLAN rules.
MAC address rules also capture DHCP traffic, if no other DHCP rule exists that would classify the DHCP
traffic into another VLAN. Therefore, it is not necessary to combine DHCP rules with MAC address rules
for the same VLAN.
Network Address Rules
There are two types of network address rules: IP and IPX. An IP network address rule determines VLAN
mobile port assignment based on a device’s source IP address. An IPX network address rule determines
VLAN mobile port assignment based on a device’s IPX network and encapsulation.
Protocol Rules
Protocol rules determine VLAN assignment based on the protocol a device uses to communicate. When
defining this type of rule, there are several generic protocol values to select from: IP, IPX, AppleTalk, or
DECNet. If none of these are sufficient, it is possible to specify an Ethernet type, Destination and Source
Service Access Protocol (DSAP/SSAP) header values, or a Sub-network Access Protocol (SNAP) type.
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
IP protocol rules also capture DHCP traffic, if no other DHCP rule exists that would classify the DHCP
traffic into another VLAN. Therefore, it is not necessary to combine DHCP rules with IP protocol rules
for the same VLAN.
Port Rules
Port rules are fundamentally different from all other supported rule types, in that traffic is not required to
trigger dynamic assignment of the mobile port to a VLAN. As soon as this type of rule is created, the
specified port is assigned to the VLAN only for the purpose of forwarding broadcast types of VLAN traffic to a device connected to that same port.
Port rules are mostly used for silent devices, such as printers, that require VLAN membership to receive
traffic forwarded from the VLAN. These devices usually don’t send traffic, so they do not trigger dynamic
assignment of their mobile ports to a VLAN.
It is also possible to specify the same port in more than one port rule defined for different VLANs. The
advantage to this is that traffic from multiple VLANs is forwarded out the one mobile port to the silent
device. For example, if port 3 on slot 2 is specified in a port rule defined for VLANs 255, 355, and 755,
then outgoing traffic from all three of these VLANs is forwarded on port 2/3.
Port rules only apply to outgoing mobile port traffic and do not classify incoming traffic. If a mobile port
is specified in a port rule, its incoming traffic is still classified for VLAN assignment in the same manner
as all other mobile port traffic.
VLAN assignments that are defined using port rules are exempt from the port’s default VLAN restore
status. See Chapter 7, “Assigning Ports to VLANs,” for more information regarding a port’s default
VLAN restore status and other mobile port properties.
Understanding VLAN Rule Precedence
In addition to configurable VLAN rule types, there are two internal rule types for processing mobile port
frames. One is referred to as frame type and is used to identify Dynamic Host Configuration Protocol
(DHCP) frames. The second internal rule is referred to as default and identifies frames that do not match
any VLAN rules.
Note. Another type of mobile traffic classification, referred to as VLAN mobile tagging, takes precedence
over all VLAN rules. If a mobile port receives an 802.1Q packet that contains a VLAN ID tag that
matches a VLAN that has mobile tagging enabled, the port and its traffic are assigned to this VLAN, even
if the traffic matches a rule defined on any other VLAN. See Chapter 7, “Assigning Ports to VLANs,” for
more information about VLAN mobile tag classification.
The VLAN rule precedence table on page 9-9 provides a list of all VLAN rules, including the two internal
rules mentioned above, in the order of precedence that switch software applies to classify mobile port
frames. The first column lists the rule type names, the second and third columns describe how the switch
handles frames that match or don’t match rule criteria. The higher the rule is in the list, the higher its level
of precedence.
When a frame is received on a mobile port, switch software starts with rule one in the rule precedence
table and progresses down the list until there is a successful match between rule criteria and frame
contents. The exception to this is if there is a binding rule violation. In this case, the frame is blocked and
its source port is not assigned to the rule’s VLAN.
Each binding rule type contains multiple parameters that are used to determine if a mobile port frame qualifies for assignment to the binding rule VLAN, violates one of the binding rule parameter values, or is
simply allowed on the port but not assigned to the binding rule VLAN. For example, as indicated in the
rule precedence table, a mobile port frame is compared to binding MAC-port rule criteria and processed as
follows:
• If the frame’s source MAC address matches the rule’s MAC address, then the frame’s port must also
match the rule’s port to qualify for assignment to the rule’s VLAN.
• If the frame’s source MAC matches but the frame’s port does not match, then a violation occurs and
the frame is blocked and the port is not assigned to the rule’s VLAN. There is no further attempt to
match this frame to rules of lower precedence.
• If the frame’s source MAC does not match but the frame’s port does match, the frame is allowed but
the port is not assigned to the rule’s VLAN. The frame is then compared to other rules of lower precedence in the table or carried on the mobile port’s default VLAN if the frame does not match any other
VLAN rules and the mobile port’s default VLAN is enabled.
In the above example, the MAC address parameter defines a critical match value for the binding rule. The
port parameter defines a non-critical match value for the binding rule. When a critical match occurs, the
contents of a frame must also match all other parameter values or the frame is dropped. If a non-critical
match occurs, the frame is still processed even if it does not match all other parameters.
Precedence Step/Rule Type       Condition                                 Result
1. Frame Type                   Frame is a DHCP frame.                    Go to Step 2.
                                Frame is not a DHCP frame.                Skip Steps 2, 3, 4, and 5.
2. DHCP MAC                     DHCP frame contains a matching            Frame source is assigned to the
                                source MAC address.                       rule’s VLAN, but not learned.
3. DHCP MAC Range               DHCP frame contains a source MAC          Frame source is assigned to the
                                address that falls within a               rule’s VLAN, but not learned.
                                specified range of MAC addresses.
4. DHCP Port                    DHCP frame matches the port               Frame source is assigned to the
                                specified in the rule.                    rule’s VLAN, but not learned.
5. DHCP Generic                 DHCP frame.                               Frame source is assigned to the
                                                                          rule’s VLAN, but not learned.
6. MAC-Port-IP Address          Frame contains a matching source          Frame source is assigned to the
   Binding                      MAC address, source port, and             rule’s VLAN.
                                source IP subnet address.
                                Frame only contains a matching            Frame is blocked; its source is
                                source MAC address; port and IP           not assigned to the rule’s VLAN.
                                address do not match.
                                Frame only contains a matching IP         Frame is blocked; its source is
                                address; source MAC and port do           not assigned to the rule’s VLAN.
                                not match.
                                Frame only contains a matching            Frame is allowed; its source is
                                port; source MAC and IP address           not assigned to the rule’s VLAN.
                                do not match.
7. MAC-Port-Protocol            Frame contains a matching source          Frame source is assigned to the
   Binding                      MAC address, source port, and             rule’s VLAN.
                                protocol.
                                Frame only contains a matching            Frame is blocked; its source is
                                source MAC address; port and              not assigned to the rule’s VLAN.
                                protocol do not match.
                                Frame only contains a matching            Frame is allowed; its source is
                                port and/or protocol; source MAC          not assigned to the rule’s VLAN.
                                address does not match.
8. MAC-Port Binding             Frame contains a matching source          Frame source is assigned to the
                                MAC address and source port.              rule’s VLAN.
                                Frame only contains a matching            Frame is blocked; its source is
                                source MAC address; port does not         not assigned to the rule’s VLAN.
                                match.
                                Frame only contains a matching            Frame is allowed; its source is
                                port; source MAC address does not         not assigned to the rule’s VLAN.
                                match.
9. MAC-IP Address Binding       Frame contains a matching source          Frame source is assigned to the
                                MAC address and source IP subnet          rule’s VLAN.
                                address.
                                Frame only contains a matching            Frame is blocked; its source is
                                source MAC address; IP address            not assigned to the rule’s VLAN.
                                does not match.
                                Frame only contains a matching IP         Frame is blocked; its source is
                                address; source MAC does not              not assigned to the rule’s VLAN.
                                match.
10. Port-IP Address Binding     Frame contains a matching source          Frame source is assigned to the
                                port and source IP subnet address.        rule’s VLAN.
                                Frame only contains a matching            Frame is blocked; its source is
                                source IP address; port does not          not assigned to the rule’s VLAN.
                                match.
                                Frame only contains a matching            Frame is allowed; its source is
                                port; source IP address does not          not assigned to the rule’s VLAN.
                                match.
11. Port-Protocol Binding       Frame contains a matching source          Frame source is assigned to the
    (See note below regarding   port and protocol.                        rule’s VLAN.
    IP Network Address and      Frame only contains a matching            Frame is blocked; its source is
    Port-Protocol Binding       source port; protocol does not            not assigned to the rule’s VLAN.
    rule precedence.)           match.
                                Frame only contains a matching            Frame is allowed; its source is
                                protocol; port does not match.            not assigned to the rule’s VLAN.
12. MAC Address                 Frame contains a matching source          Frame source is assigned to the
                                MAC address.                              rule’s VLAN.
13. MAC Range                   Frame contains a source MAC               Frame source is assigned to the
                                address that falls within a               rule’s VLAN.
                                specified range of MAC addresses.
14. Network Address             Frame contains a matching IP              Frame source is assigned to the
    (See note below regarding   subnet address, or                        rule’s VLAN.
    IP Network Address and      Frame contains a matching IPX             Frame source is assigned to the
    Port-Protocol Binding       network address.                          rule’s VLAN.
    rule precedence.)
15. Protocol                    Frame contains a matching protocol        Frame source is assigned to the
                                type.                                     rule’s VLAN.
16. Default                     Frame does not match any rules.           Frame source is assigned to the
                                                                          mobile port’s default VLAN.
Note. If the contents of a mobile port frame matches the values specified in both an IP network address
rule and a port-protocol binding rule, the IP network address rule takes precedence. However, if the
contents of such frame violates the port-protocol binding rule, the frame is dropped.
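The following Python model is added here as an illustration of the precedence walk described above and in the “Understanding VLAN Rule Precedence” discussion; it is not OmniSwitch software and not code from this guide. The Rule and Frame structures, the rule-type strings, the CRITICAL table and the classify function are names chosen for the model. The sample rules are those of the chapter’s tutorial (VLANs 255, 355, and 1500) plus one constructed port-protocol binding rule for VLAN 455, which exercises the note on IP network address versus port-protocol precedence.

```python
"""Model of mobile port frame classification in VLAN rule precedence order.
Added example; Rule/Frame/classify are names assumed for the model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Configurable rule types in the order of the precedence table, highest
# first. The two internal rules (frame type, default) live in classify().
PRECEDENCE = [
    "dhcp-mac", "dhcp-mac-range", "dhcp-port", "dhcp-generic",
    "mac-ip-port", "mac-port-protocol", "mac-port", "mac-ip",
    "port-ip", "port-protocol", "mac", "mac-range", "ip-net", "protocol",
]

# Critical parameters of each binding rule type, read off the table: a hit
# on a critical parameter means every other parameter must also match or the
# frame is blocked. A hit on a non-critical parameter only (e.g. the port of
# a MAC-port rule) lets the frame fall through to lower-precedence rules.
CRITICAL = {
    "mac-ip-port": ("mac", "ip"), "mac-port-protocol": ("mac",),
    "mac-port": ("mac",), "mac-ip": ("mac", "ip"),
    "port-ip": ("ip",), "port-protocol": ("port",),
}

@dataclass
class Rule:
    vlan: int
    kind: str                       # one of PRECEDENCE
    mac: Optional[str] = None       # exact MAC, or low end of a range
    mac_high: Optional[str] = None  # high end of a MAC range
    port: Optional[str] = None      # "slot/port"
    net: Optional[str] = None       # subnet "21.0.0.0/8" or host "21.0.0.43"
    protocol: Optional[str] = None  # e.g. "ip-e2", "ipx-e2"

@dataclass
class Frame:
    port: str
    src_mac: str
    src_ip: Optional[str] = None
    protocol: Optional[str] = None
    is_dhcp: bool = False

def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def classful_network(ip: str) -> str:
    """Default subnet of 'vlan <id> ip <addr>': the address class range (A, B, or C)."""
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def _matches(rule: Rule, frame: Frame) -> dict:
    """Per-parameter match results for the parameters the rule carries."""
    hit = {}
    if rule.mac is not None:
        if rule.mac_high is not None:
            hit["mac"] = mac_int(rule.mac) <= mac_int(frame.src_mac) <= mac_int(rule.mac_high)
        else:
            hit["mac"] = frame.src_mac.lower() == rule.mac.lower()
    if rule.port is not None:
        hit["port"] = frame.port == rule.port
    if rule.net is not None:
        hit["ip"] = frame.src_ip is not None and ip_address(frame.src_ip) in ip_network(rule.net)
    if rule.protocol is not None:
        hit["protocol"] = frame.protocol == rule.protocol
    return hit

def classify(frame: Frame, rules: List[Rule],
             default_vlan: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the rules in precedence order; return (outcome, vlan)."""
    ordered = sorted(rules, key=lambda r: PRECEDENCE.index(r.kind))
    for rule in ordered:
        if rule.kind.startswith("dhcp") and not frame.is_dhcp:
            continue  # step 1 (frame type): non-DHCP frames skip steps 2-5
        hit = _matches(rule, frame)
        if all(hit.values()):
            if rule.kind.startswith("dhcp"):
                return "assigned-not-learned", rule.vlan  # temporary association
            if rule.kind == "port-protocol":  # the chapter's note: ip-net wins
                for other in ordered:
                    if other.kind == "ip-net" and all(_matches(other, frame).values()):
                        return "assigned", other.vlan
            return "assigned", rule.vlan
        if any(hit.get(p, False) for p in CRITICAL.get(rule.kind, ())):
            return "blocked", rule.vlan  # binding violation: no lower rules tried
    return "default", default_vlan  # internal default rule

# Tutorial rules of this chapter plus one constructed port-protocol rule.
SAMPLE_RULES = [
    Rule(255, "ip-net", net=classful_network("21.0.0.0")),
    Rule(255, "dhcp-mac-range", mac="00:DA:95:00:59:10", mac_high="00:DA:95:00:59:9F"),
    Rule(355, "protocol", protocol="ipx-e2"),
    Rule(1500, "mac-ip-port", mac="00:da:95:00:ce:3f", net="21.0.0.43", port="3/10"),
    Rule(455, "port-protocol", port="3/10", protocol="ip-e2"),  # constructed
]

if __name__ == "__main__":
    print(classify(Frame("3/11", "00:da:95:00:ce:3f", "21.0.0.43", "ip-e2"), SAMPLE_RULES))
```

Running the last line shows the binding violation case: the frame carries the VLAN 1500 rule’s MAC and IP but arrives on port 3/11, so it is blocked rather than falling through to the VLAN 255 IP network address rule that its source address would otherwise match.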
Configuring VLAN Rule Definitions
Note the following when configuring rules for a VLAN:
• The VLAN must already exist. Use the vlan command to create a new VLAN or the show vlan
command to verify a VLAN is already configured. Refer to Chapter 5, “Configuring VLANs,” for
more information.
• Which type of rule is needed: DHCP, binding, MAC address, protocol, network address, or port. Refer
to “VLAN Rule Types” on page 9-4 for a summary of rule type definitions.
• IP network address rules are applied to traffic received on both mobile and fixed ports. If traffic
contains a source IP address that is included in the subnet specified by the rule, the traffic is dropped.
This does not occur, however, if the IP network address rule is configured on the default VLAN for the
fixed port.
• If mobile port traffic matches rules defined for more than one VLAN, the mobile port is dynamically
assigned to the VLAN with the higher precedence rule. Refer to “Understanding VLAN Rule Precedence” on page 9-8 for more information.
• It is possible to define multiple rules for the same VLAN, as long as each rule is different. If mobile
port traffic matches only one of the rules, the port and traffic are dynamically assigned to that VLAN.
• There is no limit to the number of rules defined for a single VLAN and up to 8129 rules are allowed
per switch.
• It is possible to create a protocol rule based on Ether type, SNAP type, or DSAP/SSAP values.
However, using predefined rules (such as MAC address, network address, and generic protocol rules)
is recommended to ensure accurate results when capturing mobile port traffic.
• When an active device is disconnected from a mobile port and connected to a fixed port, the source
MAC address of that device is not learned on the fixed port until the MAC address has aged out and no
longer appears on the mobile port.
• When a VLAN is administratively disabled, static port and dynamic mobile port assignments are
retained but traffic on these ports is not forwarded. However, VLAN rules remain active and continue
to classify mobile port traffic for VLAN membership.
• When a VLAN is deleted from the switch configuration, all rules defined for that VLAN are automatically
removed and any static or dynamic port assignments are dropped.
• It is possible to define MAC-port-IP and MAC-port binding rules for Authenticated VLANs
(AVLANs). However, these rules are not active until the avlan port-bound command is issued for the
AVLAN. Note that these rules only apply to traffic received on authenticated ports. See Chapter 22,
“Configuring Authenticated VLANs,” for more information.
Refer to the following sections (listed in the order of rule precedence) for instructions on how to define
each type of VLAN rule:
Rule                             See
DHCP MAC Address                 “Defining DHCP MAC Address Rules” on page 9-12
DHCP MAC Range                   “Defining DHCP MAC Range Rules” on page 9-13
DHCP Port                        “Defining DHCP Port Rules” on page 9-13
DHCP Generic                     “Defining DHCP Generic Rules” on page 9-14
MAC-Port-IP Address Binding      “Defining Binding Rules” on page 9-14
MAC-Port Binding
Port-Protocol Binding
MAC Address                      “Defining MAC Address Rules” on page 9-17
MAC Address Range                “Defining MAC Range Rules” on page 9-18
Network Address                  “Defining IP Network Address Rules” on page 9-18 and
                                 “Defining IPX Network Address Rules” on page 9-19
Protocol                         “Defining Protocol Rules” on page 9-20
Port                             “Defining Port Rules” on page 9-21
To display a list of VLAN rules already configured on the switch, use the show vlan rules command. For
more information about this command, refer to the OmniSwitch CLI Reference Guide.
Defining DHCP MAC Address Rules
DHCP MAC address rules capture DHCP frames that contain a source MAC address that matches the
MAC address specified in the rule. See “Application Example: DHCP Rules” on page 9-22 for an example of how DHCP port rules are used in a typical network configuration.
To define a DHCP MAC address rule, enter vlan followed by an existing VLAN ID then dhcp mac
followed by a valid MAC address. For example, the following command defines a DHCP MAC address
rule for VLAN 255:
-> vlan 255 dhcp mac 00:00:da:59:0c:11
Only one MAC address is specified when using the vlan dhcp mac command to create a DHCP MAC
rule. Therefore, to specify multiple MAC addresses for the same VLAN, create a DHCP MAC rule for
each address. If dealing with a large number of MAC addresses in sequential order, consider using a
DHCP MAC range rule described in the next section.
Use the no form of the vlan dhcp mac command to remove a DHCP MAC address rule.
-> vlan 255 no dhcp mac 00:00:da:59:0c:11
Defining DHCP MAC Range Rules
A DHCP MAC range rule is similar to a DHCP MAC address rule, but allows the user to specify a range
of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential
MAC addresses. One DHCP MAC range rule could serve the same purpose as 10 or 20 DHCP MAC
address rules, requiring less work to configure.
DHCP frames that contain a source MAC address that matches the low or high end MAC or that falls
within the range specified by the low and high end MAC trigger dynamic port assignment to the rule’s
VLAN. To define a DHCP MAC range rule, enter vlan followed by an existing VLAN ID then
dhcp mac range followed by valid low and high end MAC addresses. For example, the following
command creates a DHCP MAC range rule for VLAN 1100:
-> vlan 1100 dhcp mac range 00:00:da:00:00:01 00:00:da:00:00:09
Only valid source MAC addresses are allowed for the low and high end boundary MACs. For example,
multicast addresses (e.g., 01:00:00:c5:09:1a) are ignored even if they fall within a specified MAC range
and are not allowed as the low or high end boundary MAC. If an attempt is made to use a multicast
address for one of the boundary MACs, an error message is displayed and the rule is not created.
Use the no form of the vlan dhcp mac range command to remove a DHCP MAC range rule. Note that it
is only necessary to enter the low end MAC address to identify which rule to remove.
-> vlan 1000 no dhcp mac range 00:00:da:00:00:01
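The checks the switch applies to a DHCP MAC range rule, as an added Python example (not OmniSwitch code and not from this guide): both boundary MACs must be well-formed unicast addresses, multicast addresses are rejected as boundaries and ignored inside a range, and a source MAC matching either end or lying between them matches the rule. The function names are assumed, and the requirement that the low end not exceed the high end is an assumption of the example rather than a statement of the guide.

```python
"""Boundary validation and matching for a DHCP MAC range rule.
Added example; function names are assumed."""
import re
from typing import Tuple

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

def parse_mac(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff to an integer; reject malformed input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac}")
    return int(mac.replace(":", ""), 16)

def is_multicast(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks a group
    address, e.g. 01:00:00:c5:09:1a; such addresses are not valid sources."""
    return bool((parse_mac(mac) >> 40) & 1)

def validate_mac_range(low: str, high: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the low/high boundary MACs of a range rule."""
    for name, mac in (("low", low), ("high", high)):
        if not _MAC_RE.match(mac):
            return False, f"{name} end is not a valid MAC address"
        if is_multicast(mac):
            return False, f"{name} end is a multicast address"
    # Ordering check: an assumption of this example, not stated by the guide.
    if parse_mac(low) > parse_mac(high):
        return False, "low end is greater than high end"
    return True, "ok"

def mac_in_range(mac: str, low: str, high: str) -> bool:
    """True when a DHCP frame's source MAC matches either end or falls between
    them; multicast sources are ignored even when numerically inside the range."""
    if is_multicast(mac):
        return False
    return parse_mac(low) <= parse_mac(mac) <= parse_mac(high)

if __name__ == "__main__":
    # The range rule from this section: 00:00:da:00:00:01 to 00:00:da:00:00:09.
    print(validate_mac_range("00:00:da:00:00:01", "00:00:da:00:00:09"))
    print(mac_in_range("00:00:da:00:00:05", "00:00:da:00:00:01", "00:00:da:00:00:09"))
```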
Defining DHCP Port Rules
DHCP port rules capture DHCP frames that are received on a mobile port that matches the port specified
in the rule. See “Application Example: DHCP Rules” on page 9-22 for an example of how DHCP port
rules are used in a typical network configuration.
To define a DHCP port rule, enter vlan followed by an existing VLAN ID then dhcp port followed by a
slot/port designation. For example, the following command defines a DHCP port rule for VLAN 255:
-> vlan 255 dhcp port 2/3
To specify multiple ports and/or slots, use a hyphen to specify a range of ports and a space to specify
multiple slots. For example,
-> vlan 255 dhcp port 4/1-5 5/12-20 6/10-15
Use the no form of the vlan dhcp port command to remove a DHCP port rule.
-> vlan 255 no dhcp port 2/10-12 3/1-5 6/1-9
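A parser for the slot/port designation used by these commands (a hyphen for a range of ports, a space between slots), added here as a Python example that is not OmniSwitch code or part of this guide. It expands a designation such as 4/1-5 5/12-20 6/10-15 into individual ports and answers which VLANs’ DHCP port rules cover a given port, which is useful when auditing a configuration. The function names and the sample rule list are constructed for the example.

```python
"""Expand the slot/port designation of 'vlan <id> dhcp port' and audit
which VLANs' DHCP port rules cover a port. Added example; names assumed."""
import re
from typing import List, Tuple

_SPEC = re.compile(r"^(\d+)/(\d+)(?:-(\d+))?$")

def expand_ports(spec: str) -> List[str]:
    """'4/1-5 5/12-20 6/10-15' -> ['4/1', ..., '4/5', '5/12', ..., '6/15']."""
    ports = []
    for token in spec.split():
        m = _SPEC.match(token)
        if not m:
            raise ValueError(f"bad slot/port designation: {token}")
        slot, first = m.group(1), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"descending port range: {token}")
        ports.extend(f"{slot}/{p}" for p in range(first, last + 1))
    return ports

def vlans_covering_port(rules: List[Tuple[int, str]], port: str) -> List[int]:
    """VLAN IDs whose DHCP port rule includes the given slot/port."""
    return sorted({vlan for vlan, spec in rules if port in expand_ports(spec)})

# Constructed sample: (VLAN, port designation) pairs as entered on the CLI.
SAMPLE_PORT_RULES = [(255, "4/1-5 5/12-20 6/10-15"), (355, "5/15-18")]

if __name__ == "__main__":
    print(expand_ports("4/1-5 5/12-20 6/10-15"))
    print(vlans_covering_port(SAMPLE_PORT_RULES, "5/15"))
```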
Defining DHCP Generic Rules
DHCP generic rules capture all DHCP traffic that does not match an existing DHCP MAC or DHCP port
rule. If none of these other rules exist, then all DHCP frames are captured regardless of the port they came
in on or the frame’s source MAC address. Only one rule of this type is allowed per switch.
To define a DHCP generic rule, enter vlan followed by an existing VLAN ID then dhcp generic. For
example,
-> vlan 255 dhcp generic
Use the no form of the vlan dhcp generic command to remove a DHCP generic rule.
-> vlan 255 no dhcp generic
Defining Binding Rules
Binding rules require mobile port traffic to match all rule criteria. The criteria consists of one of three
combinations, each of which is a specific binding rule type:
1 The device must attach to a specific switch port and use a specific MAC address and use a specific IP
network address (MAC-port-IP address binding rule).
2 The device must attach to a specific switch port and use a specific source MAC address and use a
specific protocol (MAC-port-Protocol binding rule).
3 The device must use a specific port and a specific source MAC address (MAC-port binding rule).
4 The device must use a specific IP address and use a specific MAC address (MAC-IP address binding
rule).
5 The device must use a specific port and a specific IP address (port-IP address binding rule).
6 The device must attach to a specific switch port and use a specific protocol (port-protocol binding
rule).
If frames do not contain matching criteria, they are compared against other existing VLAN rules of lower
precedence. However, if a frame violates criteria of any one binding rule, it is discarded. Refer to “Understanding VLAN Rule Precedence” on page 9-8 for more information.
Note that MAC-port-IP and MAC-port binding rules are also supported on Authenticated VLANs
(AVLANs). See Chapter 22, “Configuring Authenticated VLANs,” for more information.
The following subsections provide information about how to define each of the binding rule types.
How to Define a MAC-Port-IP Address Binding Rule
To define a MAC-port-IP address binding rule, enter vlan followed by an existing VLAN ID then
binding mac-ip-port followed by a valid MAC address, IP address, and a slot/port designation. For
example, the following command defines a MAC-port-IP binding rule for VLAN 255:
-> vlan 255 binding mac-ip-port 00:00:da:59:0c:12 21.0.0.10 2/3
In this example, frames received on mobile port 2/3 must contain a source MAC address of
00:00:da:59:0c:12 and a source IP address of 21.0.0.10 to qualify for dynamic assignment to VLAN 255.
Use the no form of the vlan binding mac-ip-port command to remove a MAC-port-IP binding rule. Note
that it is only necessary to enter the rule’s MAC address parameter value to identify which rule to remove.
-> vlan 255 no binding mac-ip-port 00:00:da:59:0c:12
Note that this binding rule type is also supported on AVLANs. See Chapter 22, “Configuring Authenticated VLANs,” for more information.
How to Define a MAC-Port-Protocol Binding Rule
To define a MAC-port-protocol binding rule, enter vlan followed by an existing VLAN ID then
binding mac-port-protocol followed by a valid MAC address, a slot/port designation and a protocol type.
For example, the following commands define a MAC-port-protocol binding rule for VLAN 355 and
VLAN 455:
-> vlan 355 binding mac-port-protocol 00:00:da:59:0c:12 3/1 ip-e2
-> vlan 455 binding mac-port-protocol 00:00:20:11:4a:29 4/1 dsapssap 04/04
The first example command specifies that frames received on mobile port 3/1 must contain a source MAC
address of 00:00:da:59:0c:12 and an IP protocol type to qualify for dynamic assignment to VLAN 355.
The second command specifies that frames received on mobile port 4/1 must contain a source MAC
address of 00:00:20:11:4a:29 and a DSAP/SSAP protocol value of 04/04 to qualify for dynamic assignment to VLAN 455.
The following table lists command keywords for specifying a protocol type:
protocol type keywords: ip-e2, ip-snap, ipx-e2, ipx-novell, ipx-llc, ipx-snap, decnet, appletalk, ethertype, dsapssap, snap
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
Use the no form of the vlan binding mac-port-protocol command to remove a MAC-port-protocol binding rule. Note that it is only necessary to enter the rule’s MAC address and protocol parameter values to
identify which rule to remove.
-> vlan 455 no binding mac-port-protocol 00:00:20:11:4a:29 dsapssap 04/04
Note that this binding rule type is also supported on AVLANs. See Chapter 22, “Configuring Authenticated VLANs,” for more information.
How to Define a MAC-Port Binding Rule
To define a MAC-port binding rule, enter vlan followed by an existing VLAN ID then binding mac-port
followed by a valid MAC address and a slot/port designation. For example, the following command
defines a MAC-port binding rule for VLAN 1500:
-> vlan 1500 binding mac-port 00:02:9a:3e:f1:06 6/10
In this example, frames received on mobile port 6/10 must contain a source MAC address of
00:02:9a:3e:f1:06 to qualify for dynamic assignment to VLAN 1500.
Use the no form of the vlan binding mac-port command to remove a MAC-port binding rule. Note that it
is only necessary to enter the rule’s MAC address parameter value to identify which rule to remove.
-> vlan 1500 no binding mac-port 00:02:9a:3e:f1:06
Note that this binding rule type is also supported on AVLANs. See Chapter 22, “Configuring Authenticated VLANs,” for more information.
How to Define a MAC-IP Address Binding Rule
To define a MAC-IP address binding rule, enter vlan followed by an existing VLAN ID then
binding mac-ip followed by a valid MAC address and an IP subnet address. For example, the following
command defines a MAC-IP binding rule for VLAN 1501:
-> vlan 1501 binding mac-ip 00:02:9a:3e:f1:07 172.16.6.3
In this example, frames received on any mobile port must contain a source MAC address of
00:02:9a:3e:f1:07 and a source IP subnet address of 172.16.6.3 to qualify for dynamic assignment to
VLAN 1501.
Use the no form of the vlan binding mac-ip command to remove a MAC-IP binding rule. Note that it is
only necessary to enter the rule’s MAC address parameter value to identify which rule to remove.
-> vlan 1501 no binding mac-ip 00:02:9a:3e:f1:07
How to Define an IP-Port Binding Rule
To define an IP-port binding rule, enter vlan followed by an existing VLAN ID then binding ip-port
followed by a valid IP subnet address and a slot/port designation. For example, the following command
defines an IP-port binding rule for VLAN 1502:
-> vlan 1502 binding ip-port 172.16.6.4 5/12
In this example, frames received on mobile port 5/12 must contain a source IP subnet address of
172.16.6.4 to qualify for dynamic assignment to VLAN 1502.
Use the no form of the vlan binding ip-port command to remove an IP-port binding rule. Note that it is
only necessary to enter the rule’s IP subnet address parameter value to identify which rule to remove.
-> vlan 1502 no binding ip-port 172.16.6.4
Note that this binding rule type is also supported on AVLANs. See Chapter 22, “Configuring Authenticated VLANs,” for more information.
How to Define a Port-Protocol Binding Rule
To define a port-protocol binding rule, enter vlan followed by an existing VLAN ID then
binding port-protocol followed by a slot/port designation and a protocol type. For example, the
following commands define a port-protocol binding rule for VLAN 1503 and VLAN 1504:
-> vlan 1503 binding port-protocol 3/1 ip-snap
-> vlan 1504 binding port-protocol 4/1 dsapssap F0/F0
The first example command specifies that frames received on mobile port 3/1 must contain an IP SNAP
protocol type to qualify for dynamic assignment to VLAN 1503. The second command specifies that
frames received on mobile port 4/1 must contain a DSAP/SSAP protocol value of F0/F0 to qualify for
dynamic assignment to VLAN 1504.
The following table lists command keywords for specifying a protocol type:
protocol type keywords: ip-e2, ip-snap, ipx-e2, ipx-novell, ipx-llc, ipx-snap, decnet, appletalk, ethertype, dsapssap, snap
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
Use the no form of the vlan binding port-protocol command to remove a port-protocol binding rule.
-> vlan 255 no binding port-protocol 8/12 ethertype 0600
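The six binding rule types above share one evaluation model: a frame is assigned to the rule's VLAN only when every bound field matches, and, as the precedence note at the start of this section says, a frame that violates a binding rule is discarded rather than being classified by some other rule. This is what makes a MAC-port-IP or MAC-port binding useful against address spoofing on a mobile port: a known MAC showing up on a different port, or with a different IP address, is dropped. The Python model below is an added example for readers of this section; it is not Alcatel code and does not reproduce the switch's implementation. It parses rules written with the same keyword and argument order as the commands above. Its reading of "violates" is an assumption: a frame that carries a rule's first argument (the MAC, IP address or port the rule is keyed on, which is also what the CLI uses to identify the rule on removal) but fails another of the rule's fields is treated as the violating case. The Frame fields and the sample frames are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed view of the frame fields the binding rules examine.
@dataclass(frozen=True)
class Frame:
    port: str                 # ingress mobile port as "slot/port"
    src_mac: str
    src_ip: Optional[str]     # None for frames without an IP header
    protocol: str             # keyword plus optional value, e.g. "dsapssap 04/04"


@dataclass(frozen=True)
class BindingRule:
    vlan: int
    kind: str
    fields: Dict[str, str]    # field name -> required value, in CLI argument order


# Argument order of "vlan <id> binding <kind> ..." for each rule type, taken from
# the command examples in this section. The first field is the assumed key field.
_ARGS = {
    "mac-ip-port":       ("src_mac", "src_ip", "port"),
    "mac-port-protocol": ("src_mac", "port", "protocol"),
    "mac-port":          ("src_mac", "port"),
    "mac-ip":            ("src_mac", "src_ip"),
    "ip-port":           ("src_ip", "port"),
    "port-protocol":     ("port", "protocol"),
}


def parse_binding_rule(cmd: str) -> BindingRule:
    """Parse one 'vlan <id> binding <kind> <args...>' line (a leading '->' is allowed)."""
    m = re.fullmatch(r"(?:->\s*)?vlan\s+(\d+)\s+binding\s+(\S+)\s+(.+)", cmd.strip())
    if not m or m.group(2) not in _ARGS:
        raise ValueError(f"not a binding rule: {cmd!r}")
    vlan, kind, args = int(m.group(1)), m.group(2), m.group(3).split()
    names = _ARGS[kind]
    if names[-1] == "protocol":
        # The protocol argument may be a keyword plus a value ("dsapssap 04/04").
        args = args[: len(names) - 1] + [" ".join(args[len(names) - 1 :])]
    if len(args) != len(names) or args[-1] == "":
        raise ValueError(f"{kind} expects {len(names)} arguments: {cmd!r}")
    return BindingRule(vlan, kind, dict(zip(names, (a.lower() for a in args))))


def _matches(frame: Frame, name: str, value: str) -> bool:
    actual = getattr(frame, name)
    return actual is not None and actual.lower() == value


def classify(frame: Frame, rules: List[BindingRule]) -> Tuple[str, Optional[int]]:
    """Return ("assign", vlan), ("discard", vlan of the violated rule) or ("none", None).

    Assumed semantics: a frame satisfying every field of a rule is assigned to that
    rule's VLAN; a frame carrying a rule's key field but failing another field violates
    the binding and is discarded regardless of other rules it would match (binding
    rules take precedence), so violations are decided before assignments."""
    assigned: Optional[int] = None
    for rule in rules:
        hits = [_matches(frame, n, v) for n, v in rule.fields.items()]
        if all(hits):
            if assigned is None:
                assigned = rule.vlan
        elif hits[0]:                  # key field present but the binding is broken
            return ("discard", rule.vlan)
    return ("assign", assigned) if assigned is not None else ("none", None)


# Rule set built from the command examples in this section.
RULES = [parse_binding_rule(c) for c in (
    "-> vlan 255 binding mac-ip-port 00:00:da:59:0c:12 21.0.0.10 2/3",
    "-> vlan 455 binding mac-port-protocol 00:00:20:11:4a:29 4/1 dsapssap 04/04",
    "-> vlan 1500 binding mac-port 00:02:9a:3e:f1:06 6/10",
    "-> vlan 1502 binding ip-port 172.16.6.4 5/12",
    "-> vlan 1503 binding port-protocol 3/1 ip-snap",
)]

# Constructed sample frames.
FRAMES = {
    "good_mac_ip_port": Frame("2/3", "00:00:DA:59:0C:12", "21.0.0.10", "ip-e2"),
    "spoofed_ip":       Frame("2/3", "00:00:da:59:0c:12", "21.0.0.99", "ip-e2"),
    "moved_mac":        Frame("1/1", "00:02:9a:3e:f1:06", "10.0.0.5", "ip-e2"),
    "llc_on_4_1":       Frame("4/1", "00:00:20:11:4a:29", None, "dsapssap 04/04"),
    "wrong_proto_3_1":  Frame("3/1", "00:aa:bb:cc:dd:ee", "10.0.0.7", "ip-e2"),
    "unrelated":        Frame("9/9", "00:11:22:33:44:55", "10.0.0.1", "ip-e2"),
}


def run_all() -> Dict[str, Tuple[str, Optional[int]]]:
    """Classify every sample frame against the rule set."""
    return {name: classify(f, RULES) for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:18s} -> {verdict}")
```

The "spoofed_ip" and "moved_mac" frames show the property a defender relies on: the bound MAC seen with another IP address, or on another port, is discarded instead of being re-classified.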
Defining MAC Address Rules
MAC address rules capture frames that contain a source MAC address that matches the MAC address
specified in the rule. The mobile port that receives the matching traffic is dynamically assigned to the
rule’s VLAN. Using MAC address rules, however, limits dynamic port assignment to a single VLAN. A
mobile port can only belong to one MAC address rule VLAN, even if it sends traffic that matches rules
defined for other VLANs.
For example, if VLAN 10 has a MAC address rule defined for 00:00:2a:59:0c:f1 and VLAN 20 has an IP
protocol rule defined, mobile port 4/2 sending IP traffic with a source MAC address of 00:00:2a:59:0c:f1
is only assigned to VLAN 10. All mobile port 4/2 traffic is forwarded on VLAN 10, even though its traffic also matches the VLAN 20 IP protocol rule.
To define a MAC address rule, enter vlan followed by an existing VLAN ID then mac followed by a valid
MAC address. For example, the following command defines a MAC address rule for VLAN 255:
-> vlan 255 mac 00:00:da:59:0c:11
Only one MAC address is specified when using the vlan mac command to create a MAC address rule.
Therefore, to specify multiple MAC addresses for the same VLAN, create a separate rule for each address.
If dealing with a large number of MAC addresses, consider using MAC address range rules described in
the next section.
Use the no form of the vlan mac command to remove a MAC address rule.
-> vlan 255 no mac 00:00:da:59:0c:11
Defining MAC Range Rules
A MAC range rule is similar to a MAC address rule, but allows the user to specify a range of MAC
addresses. This is useful when it is necessary to define rules for a large number of sequential MAC
addresses. One MAC range rule could serve the same purpose as 10 or 20 MAC address rules, requiring
less work to configure.
Frames that contain a source MAC address that matches the low or high end MAC or that falls within the
range specified by the low and high end MAC trigger dynamic port assignment to the rule’s VLAN. As is
the case with MAC address rules, dynamic port assignment is limited to a single VLAN. A mobile port
can only belong to one MAC range rule VLAN, even if it sends traffic that matches rules defined for other
VLANs.
To define a MAC range rule, enter vlan followed by an existing VLAN ID then mac range followed by
valid low and high end MAC addresses. For example, the following command creates a MAC range rule
for VLAN 1000:
-> vlan 1000 mac range 00:00:da:00:00:01 00:00:da:00:00:09
Only valid source MAC addresses are allowed for the low and high end boundary MACs. For example,
multicast addresses (e.g., 01:00:00:c5:09:1a) are ignored even if they fall within a specified MAC range
and are not allowed as the low or high end boundary MAC. If an attempt is made to use a multicast
address for one of the boundary MACs, an error message is displayed and the rule is not created.
Use the no form of the vlan mac range command to remove a MAC range rule. Note that it is only necessary to enter the low end MAC address to identify which rule to remove.
-> vlan 1000 no mac range 00:00:da:00:00:01
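The boundary check described above is a group-address check: the IEEE 802 individual/group bit is the least significant bit of the first octet, so 01:00:00:c5:09:1a is a multicast address and cannot be a range boundary, and a multicast source inside a range does not trigger assignment. The following Python model is an added example, not Alcatel code; the rejection of a reversed range and first-match ordering between overlapping rules are assumptions, as are the sample addresses.

```python
import re
from typing import Iterable, Optional, Tuple

_MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff to an integer so ranges can be compared numerically."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def is_multicast(mac: str) -> bool:
    """IEEE 802 I/G bit: least significant bit of the first octet is 1 for group addresses."""
    return bool((mac_to_int(mac) >> 40) & 0x01)


class MacRangeRule:
    """Model of 'vlan <id> mac range <low> <high>' (a model of the text, not Alcatel code)."""

    def __init__(self, vlan: int, low: str, high: str):
        for bound in (low, high):
            if is_multicast(bound):   # the CLI refuses the rule in this case
                raise ValueError(f"{bound} is a multicast address and cannot be a boundary MAC")
        self.vlan, self.low, self.high = vlan, mac_to_int(low), mac_to_int(high)
        if self.low > self.high:      # assumption: a reversed range is rejected as well
            raise ValueError("low end MAC must not be greater than high end MAC")

    def matches(self, src_mac: str) -> bool:
        """True for unicast sources equal to a boundary or between the boundaries."""
        if is_multicast(src_mac):
            return False              # multicast sources are ignored even inside the range
        return self.low <= mac_to_int(src_mac) <= self.high


def try_create(vlan: int, low: str, high: str) -> Tuple[Optional[MacRangeRule], str]:
    """Mimic the CLI outcome: (rule, '') on success, (None, error message) on refusal."""
    try:
        return MacRangeRule(vlan, low, high), ""
    except ValueError as exc:
        return None, f"ERROR: {exc}"


def classify(rules: Iterable[MacRangeRule], src_mac: str) -> Optional[int]:
    """VLAN of the first matching rule, or None. A port belongs to only one MAC range
    rule VLAN; which rule wins when ranges overlap is an assumption of this model."""
    for rule in rules:
        if rule.matches(src_mac):
            return rule.vlan
    return None


if __name__ == "__main__":
    rule, err = try_create(1000, "00:00:da:00:00:01", "00:00:da:00:00:09")
    print(classify([rule], "00:00:da:00:00:05"), try_create(1000, "01:00:00:c5:09:1a", "00:00:da:00:00:09"))
```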
Defining IP Network Address Rules
IP network address rules capture frames that contain a source IP subnet address that matches the IP subnet
address specified in the rule. If DHCP is used to provide client workstations with an IP address, consider
using one of the DHCP rules in combination with an IP network address rule. See “Application Example:
DHCP Rules” on page 9-22 for an example of how IP network address and DHCP rules are used in a typical network configuration.
Note. IP network address rules are applied to traffic received on both mobile and fixed (non-mobile) ports.
As a result, fixed port traffic that contains an IP address that is included in the IP subnet specified by the
rule is dropped. However, if the IP network address rule VLAN is also the default VLAN for the fixed
port, then the fixed port traffic is forwarded and not dropped.
To define an IP network address rule, enter vlan followed by an existing VLAN ID then ip followed by a
valid IP network address and an optional subnet mask. For example, the following command creates an IP
network address rule for VLAN 1200:
-> vlan 1200 ip 31.0.0.0 255.0.0.0
In this example, frames received on any mobile port must contain a network 31.0.0.0 source IP address
(e.g., 31.0.0.10, 31.0.0.4) to qualify for dynamic assignment to VLAN 1200.
If a subnet mask is not specified, the default class for the IP address is used (Class A, B, or C). For example, either one of the following commands will create an IP network address rule for network 134.10.0.0:
-> vlan 1200 ip 134.10.0.0 255.255.0.0
-> vlan 1200 ip 134.10.0.0
The pool of available internet IP addresses is divided up into three classes, as shown in the following
table. Each class includes a range of IP addresses. The range an IP network address belongs to determines
the default class for the IP network when a subnet mask is not specified.
Network Range               Class
1.0.0.0 - 126.0.0.0         A
128.1.0.0 - 191.254.0.0     B
192.0.1.0 - 223.255.254.0   C
Use the no form of the vlan ip command to remove an IP network address rule.
-> vlan 1200 no ip 134.10.0.0
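Two points in this section deserve checking with concrete addresses: the default mask applied when none is given, and the note that the rule also inspects fixed ports, where matching traffic is dropped unless the rule VLAN is the port's default VLAN. The Python below is an added example, not Alcatel code; it encodes the class table above as written, and the acceptance of host bits in the network argument is an assumption about the CLI.

```python
import ipaddress
from typing import Optional, Tuple

# Default class table from this section: (class, low, high, default mask).
_CLASSES = (
    ("A", "1.0.0.0", "126.0.0.0", "255.0.0.0"),
    ("B", "128.1.0.0", "191.254.0.0", "255.255.0.0"),
    ("C", "192.0.1.0", "223.255.254.0", "255.255.255.0"),
)


def default_class(network: str) -> Tuple[str, str]:
    """Return (class letter, default mask) for a network address, per the table above."""
    addr = ipaddress.IPv4Address(network)
    for name, low, high, mask in _CLASSES:
        if ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high):
            return name, mask
    raise ValueError(f"{network} is outside the class A/B/C ranges; give a subnet mask")


class IpNetworkRule:
    """Model of 'vlan <id> ip <network> [mask]' (a model of the text, not Alcatel code)."""

    def __init__(self, vlan: int, network: str, mask: Optional[str] = None):
        self.vlan = vlan
        self.mask = mask if mask is not None else default_class(network)[1]
        # strict=False tolerates host bits in the network argument (assumption about the CLI).
        self.network = ipaddress.IPv4Network(f"{network}/{self.mask}", strict=False)

    def matches(self, src_ip: str) -> bool:
        """True when the source IP address lies in the rule's subnet."""
        return ipaddress.IPv4Address(src_ip) in self.network


def mobile_port_vlan(rule: IpNetworkRule, src_ip: str) -> Optional[int]:
    """Dynamic assignment on a mobile port: the rule's VLAN on a match, else no assignment."""
    return rule.vlan if rule.matches(src_ip) else None


def fixed_port_verdict(rule: IpNetworkRule, src_ip: str, port_default_vlan: int) -> str:
    """Per the note above, the rule also inspects fixed (non-mobile) ports: matching
    traffic is dropped unless the rule's VLAN is the fixed port's default VLAN."""
    if not rule.matches(src_ip):
        return "forward"
    return "forward" if port_default_vlan == rule.vlan else "drop"


# The rule from the example above: vlan 1200 ip 31.0.0.0 255.0.0.0
EXAMPLE_RULE = IpNetworkRule(1200, "31.0.0.0", "255.0.0.0")

if __name__ == "__main__":
    print(default_class("134.10.0.0"), IpNetworkRule(1200, "134.10.0.0").network)
    print(mobile_port_vlan(EXAMPLE_RULE, "31.0.0.10"), fixed_port_verdict(EXAMPLE_RULE, "31.0.0.10", 1))
```

The fixed-port behaviour is the one to remember when an IP network address rule is added to a switch that already carries that subnet on non-mobile ports: the rule silently drops that traffic unless the rule VLAN is those ports' default VLAN.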
Defining IPX Network Address Rules
IPX network address rules capture frames that contain an IPX network address and encapsulation that
matches the IPX network and encapsulation specified in the rule. This rule only applies to devices that
already have an IPX network address assigned.
To define an IPX network address rule, enter vlan followed by an existing VLAN ID then ipx followed by
a valid IPX network number and an optional encapsulation parameter value. For example, the following
command creates an IPX network address rule for VLAN 1200:
-> vlan 1200 ipx a010590c novell
In this example, frames received on any mobile port must contain an IPX network a010590c address with
a Novell Raw (802.3) encapsulation to qualify for dynamic assignment to VLAN 1200.
IPX network addresses consist of eight hex digits. If an address less than eight digits is entered, the entry
is prefixed with zeros to equal eight characters. For example, the following command results in an IPX
network address rule for network 0000250b:
-> vlan 1210 ipx 250b snap
If an encapsulation parameter value is not specified, this value defaults to Ethernet-II encapsulation. For
example, either one of the following commands creates the same IPX network address rule:
-> vlan 1220 ipx 250c e2
-> vlan 1220 ipx 250c
If the IPX network address rule VLAN is going to route IPX traffic, it is important to specify a rule encapsulation that matches the IPX router port encapsulation. If there is a mismatch, connectivity with other
IPX devices may not occur. See Chapter 5, “Configuring VLANs,” for information about defining VLAN
IPX router ports.
The following table lists keywords for specifying an encapsulation value:
IPX encapsulation keywords: e2 or ethernet2, llc, snap, novell
Use the no form of the vlan ipx command to remove an IPX network address rule. Note that it is only
necessary to specify the IPX network address to identify which rule to remove:
-> vlan 1220 no ipx 250c
Defining Protocol Rules
Protocol rules capture frames that contain a protocol type that matches the protocol value specified in the
rule. There are several generic protocol parameter values to select from: IP Ethernet-II, IP SNAP, IPX
Ethernet II, IPX Novell (802.3), IPX LLC (802.2), IPX SNAP, DECNet, and Appletalk. If none of these
are sufficient to capture the desired type of traffic, use the Ethertype, DSAP/SSAP, or SNAP parameters to
define a more specific protocol type value.
To define a protocol rule, enter vlan followed by an existing VLAN ID then protocol followed by a valid
protocol parameter value. For example, the following commands define a protocol rule for VLAN 1503
and VLAN 1504:
-> vlan 1503 protocol ip-snap
-> vlan 1504 protocol dsapssap f0/f0
The first example command specifies that frames received on any mobile port must contain an IP SNAP
protocol type to qualify for dynamic assignment to VLAN 1503. The second command specifies that
frames received on any mobile port must contain a DSAP/SSAP protocol value of f0/f0 to qualify for
dynamic assignment to VLAN 1504.
If an attempt is made to define an Ethertype rule with a protocol type value that is equal to the value
already captured by one of the generic IP or IPX protocol rules, a message displays recommending the use
of the IP or IPX generic rule. The following example shows what happens when an attempt is made to
create a protocol rule with an Ethertype value of 0800 (IP Ethertype):
-> vlan 200 protocol ethertype 0800
ERROR: Part of ip ethernet protocol class - use <vlan # protocol ip-e2> instead
The following table lists keywords for specifying a protocol type:
protocol type keywords: ip-e2, ip-snap, ipx-e2, ipx-novell, ipx-llc, ipx-snap, decnet, appletalk, ethertype, dsapssap, snap
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
Use the no form of the vlan protocol command to remove a protocol rule.
-> vlan 1504 no protocol dsapssap f0/f0
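The generic keywords, the specific Ethertype/DSAP-SSAP/SNAP parameters, the rejection of an Ethertype value already covered by a generic rule, and the note that a SNAP rule only looks at the ethertype inside the SNAP LLC header can all be exercised with a small model of how a frame identifies its protocol. The Python below is an added example, not Alcatel code. Only the 0800/ip-e2 pairing is confirmed by the error message above; the other generic mappings use the standard assignments (IPX ethertype 8137, IPX LLC SAP e0, DECnet 6003, AppleTalk 809b) and are assumptions about how the switch classifies them, as is the first-match ordering.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# How a received frame identifies its protocol: (encapsulation, value).
#   "e2"     Ethernet II, value = ethertype (4 hex digits)
#   "snap"   802.2 SNAP LLC, value = ethertype carried in the SNAP header
#   "llc"    802.2 LLC, value = "dsap/ssap"
#   "novell" Novell raw 802.3, no value
Encap = Tuple[str, str]

# Generic keywords mapped to what they capture. 0800/ip-e2 is confirmed by the page;
# the rest are standard assignments and an assumption about the switch's classes.
GENERIC: Dict[str, Encap] = {
    "ip-e2": ("e2", "0800"), "ip-snap": ("snap", "0800"),
    "ipx-e2": ("e2", "8137"), "ipx-snap": ("snap", "8137"),
    "ipx-llc": ("llc", "e0/e0"), "ipx-novell": ("novell", ""),
    "decnet": ("e2", "6003"), "appletalk": ("e2", "809b"),
}
# Specific keywords and the encapsulation each one inspects.
SPECIFIC: Dict[str, str] = {"ethertype": "e2", "dsapssap": "llc", "snap": "snap"}


@dataclass(frozen=True)
class ProtocolRule:
    vlan: int
    encap: str
    value: str

    def matches(self, frame: Encap) -> bool:
        # A SNAP rule only sees the ethertype inside the SNAP LLC header, so an
        # Ethernet II frame with the same ethertype does not match it, and vice versa.
        return frame[0] == self.encap and frame[1].lower() == self.value


def define_protocol_rule(vlan: int, keyword: str, value: Optional[str] = None) -> ProtocolRule:
    """Model 'vlan <id> protocol <keyword> [value]', including the generic-class check."""
    keyword = keyword.lower()
    if keyword in GENERIC:
        encap, val = GENERIC[keyword]
        return ProtocolRule(vlan, encap, val)
    if keyword not in SPECIFIC or value is None:
        raise ValueError(f"unknown protocol keyword or missing value: {keyword!r}")
    encap, val = SPECIFIC[keyword], value.lower()
    for generic, captured in GENERIC.items():
        if captured == (encap, val):
            # The switch prints e.g. "Part of ip ethernet protocol class" for 0800.
            raise ValueError(f"Part of {generic} protocol class - "
                             f"use <vlan # protocol {generic}> instead")
    return ProtocolRule(vlan, encap, val)


def try_define(vlan: int, keyword: str, value: Optional[str] = None) -> Tuple[Optional[ProtocolRule], str]:
    """Mimic the CLI outcome: (rule, '') on success, (None, error message) on refusal."""
    try:
        return define_protocol_rule(vlan, keyword, value), ""
    except ValueError as exc:
        return None, f"ERROR: {exc}"


def classify(rules: Iterable[ProtocolRule], frame: Encap) -> Optional[int]:
    """VLAN of the first protocol rule the frame satisfies, or None."""
    for rule in rules:
        if rule.matches(frame):
            return rule.vlan
    return None


if __name__ == "__main__":
    print(try_define(200, "ethertype", "0800"))
    rules = [define_protocol_rule(1503, "ip-snap"), define_protocol_rule(1504, "dsapssap", "f0/f0")]
    print(classify(rules, ("snap", "0800")), classify(rules, ("e2", "0800")), classify(rules, ("llc", "F0/F0")))
```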
Defining Port Rules
Port rules do not require mobile port traffic to trigger dynamic assignment. When this type of rule is
defined, the specified mobile port is immediately assigned to the specified VLAN. As a result, port rules
are often used for silent network devices, which do not trigger dynamic assignment because they do not
send traffic.
Port rules only apply to outgoing mobile port broadcast types of traffic and do not classify incoming traffic. In addition, multiple VLANs can have the same port rule defined. The advantage to this is that broadcast traffic from multiple VLANs is forwarded out one physical mobile port. When a mobile port is
specified in a port rule, however, its incoming traffic is still classified for VLAN assignment in the same
manner as all other mobile port traffic.
To define a port rule, enter vlan followed by an existing VLAN ID then port followed by a mobile
slot/port designation. For example, the following command creates a port rule for VLAN 755:
-> vlan 755 port 2/3
In this example, all traffic on VLAN 755 is flooded out mobile port 2/3.
Note that it is possible to define a port rule for a non-mobile (fixed, untagged) port; however, the rule is
not active until mobility is enabled on the port.
Use the no form of the vlan port command to remove a port rule.
-> vlan 755 no port 2/3
Application Example: DHCP Rules
This application example shows how Dynamic Host Configuration Protocol (DHCP) port and MAC
address rules are used in a DHCP-based network. DHCP is built on a client-server model in which a designated DHCP server allocates network addresses and delivers configuration parameters to dynamically
configured clients.
Since DHCP clients initially have no IP address, assignment of these clients to a VLAN presents a problem. The switch determines VLAN membership by looking at traffic from source devices. Since the first
traffic transmitted from a source DHCP client does not contain the actual address for the client (because
the server has not allocated the address yet), the client may not have the same VLAN assignment as its
server.
Before the introduction of DHCP port and MAC address rules, various strategies were deployed to use
DHCP with VLANs. Typically these strategies involved IP protocol and network address rules along with
DHCP Relay functionality. These solutions required the grouping of all DHCP clients in a particular
VLAN through a common IP policy.
DHCP port and MAC address rules simplify the configuration of DHCP networks. Instead of relying on
IP-based rules to group all DHCP clients in the same network as a DHCP server, you can manually place
each individual DHCP client in the VLAN or mobile group of your choice.
The VLANs
This application example contains three (3) VLANs. These VLANs are called Test, Production, and
Branch. The Test VLAN connects to the main network, the Production VLAN, through an external router.
The configuration of this VLAN is self-contained, making it easy to duplicate for testing purposes. The
Test VLAN contains its own DHCP server and DHCP clients. The clients gain membership to the VLAN
through DHCP port rules.
The Production VLAN carries most of the traffic in this network. It does not contain a DHCP server, but
does contain DHCP clients that gain membership through DHCP port rules. Two external routers connect
this VLAN to the Test VLAN and a Branch VLAN. One of the external routers—the one connected to the
Branch VLAN—has DHCP Relay functionality enabled. It is through this router that the DHCP clients in
the Production VLAN access the DHCP server in the Branch VLAN.
The Branch VLAN contains a number of DHCP client stations and its own DHCP server. The DHCP
clients gain membership to the VLAN through both DHCP port and MAC address rules. The DHCP server
allocates IP addresses to all Branch and Production VLAN clients.
DHCP Servers and Clients
DHCP clients must communicate with a DHCP server at initialization. The most reliable way to ensure
this communication is for the server and its associated clients to share the same VLAN. However, if the
network configuration does not lend itself to this solution (as the Production VLAN does not in this application example), then the server and clients can communicate through a router with DHCP Relay enabled.
The DHCP servers and clients in this example are either in the same VLAN or are connected through a
router with DHCP Relay. All clients in the Test VLAN receive IP addresses from the server in their
VLAN (Server 1). Likewise, all clients in the Branch VLAN receive IP addresses from their local server
(Server 2). The DHCP clients in the Production VLAN do not have a local DHCP server, so they must rely
on the DHCP Relay functionality in external Router 2 to obtain their IP addresses from the DHCP server
in the Branch VLAN.
Both DHCP servers are assigned to their VLANs through IP network address rules.
The following table summarizes the VLAN architecture and rules for all devices in this network configuration. The diagram on the following page illustrates this network configuration.
Device             VLAN Membership                Rule Used/Router Role
DHCP Server 1      Test VLAN                      IP network address rule=10.15.0.0
DHCP Server 2      Branch VLAN                    IP network address rule=10.13.0.0
External Router 1  Test VLAN, Production VLAN     Connects Test VLAN to Production VLAN
External Router 2  Production VLAN, Branch VLAN   DHCP Relay provides access to DHCP server in Branch VLAN for clients in Production VLAN.
DHCP Client 1      Test VLAN                      DHCP Port Rule
DHCP Client 2      Test VLAN                      DHCP Port Rule
DHCP Client 3      Production VLAN                DHCP Port Rule
DHCP Client 4      Production VLAN                DHCP Port Rule
DHCP Client 5      Branch VLAN                    DHCP Port Rule
DHCP Client 6      Branch VLAN                    DHCP Port Rule
DHCP Client 7      Branch VLAN                    DHCP MAC Address Rule
DHCP Client 8      Branch VLAN                    DHCP MAC Address Rule
[Figure: DHCP Port and MAC Rule Application Example. An OmniSwitch 9700 carries three VLANs: the Test VLAN (IP subnet 10.15.X.X) with Server 1 at 10.15.14.16 and Clients 1 and 2 (DHCP port rules); the Production VLAN (IP subnet 10.15.128.X) with Clients 3 and 4 (DHCP port rules); and the Branch VLAN (IP subnet 10.13.X.X) with Server 2 at 10.13.15.17, Clients 5 and 6 (DHCP port rules) and Clients 7 and 8 (DHCP MAC rules). Router 1 (no DHCP Relay) connects the Test and Production VLANs; Router 2 (DHCP Relay on) connects the Production and Branch VLANs.]
DHCP Servers. Both DHCP servers become members in their respective VLANs via IP subnet rules.
Routers. Router 1 provides connectivity between the Test VLAN and the Production VLAN. It does not have Bootp functionality enabled so it cannot connect DHCP servers and clients from different VLANs. Router 2 connects the Production VLAN and the Branch VLAN. With DHCP Relay enabled, this router can provide connectivity between the DHCP server in the Branch VLAN and the DHCP clients in the Production VLAN.
DHCP Clients. Clients 1 to 6 are assigned to their respective VLANs through DHCP port rules. Clients 3 and 4 are not in a VLAN with a DHCP server so they must rely on the server in the Branch VLAN for initial addressing information. Clients 7 and 8 share a port with other devices, so they are assigned to the Branch VLAN via DHCP MAC address rules.
DHCP Port and MAC Rule Application Example
Verifying VLAN Rule Configuration
To display information about VLAN rules configured on the switch, use the show commands listed below:
show vlan rules    Displays a list of rules for one or all VLANs configured on the switch.
For more information about the resulting display from this command, see the OmniSwitch CLI Reference
Guide. An example of the output for the show vlan rules command is also given in “Sample VLAN Rule
Configuration” on page 9-3.
10 Using Interswitch Protocols
Alcatel Interswitch Protocol (AIP) is used to discover adjacent switches in the network. The following
protocol is supported:
• Alcatel Mapping Adjacency Protocol (AMAP), which is used to discover the topology of
OmniSwitches and Omni Switch/Router (Omni S/R). See “AMAP Overview” on page 10-3.
This protocol is described in detail in this chapter.
In This Chapter
This chapter describes the AMAP protocol and how to configure it through the Command Line Interface
(CLI). CLI commands are used in the configuration examples; for more details about the syntax of
commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Activating AMAP on page 10-5.
• Configuring the AMAP discovery time-out interval on page 10-5.
• Configuring the AMAP common time-out interval on page 10-6.
For information about statically and dynamically assigning switch ports to VLANs, see Chapter 7,
“Assigning Ports to VLANs.”
For information about defining VLAN rules that allow dynamic assignment of mobile ports to a VLAN,
see Chapter 9, “Defining VLAN Rules.”
AIP Specifications
Standards                                            Not applicable at this time. AMAP is an Alcatel proprietary protocol.
Maximum number of IP addresses propagated by AMAP    255
AMAP Defaults
Parameter Description      Command               Default
AMAP status                amap                  Enabled
Discovery time interval    amap discovery time   30 seconds
Common time interval       amap common time      300 seconds
AMAP Overview
The Alcatel Mapping Adjacency Protocol (AMAP) is used to discover the topology of OmniSwitches in a
particular installation. Using this protocol, each switch determines which OmniSwitches are adjacent to it
by sending and responding to Hello update packets. For the purposes of AMAP, adjacent switches are
those that:
• have a Spanning Tree path between them
• do not have any switch between them on the Spanning Tree path that has AMAP enabled
In the illustration here, all switches are on the Spanning Tree path. OmniSwitch A and OmniSwitch C
have AMAP enabled. OmniSwitch B does not. OmniSwitch A is adjacent to OmniSwitch C and vice
versa. If OmniSwitch B enables AMAP, the adjacency changes. OmniSwitch A would be next to
OmniSwitch B, B would be adjacent to both A and C, and C would be adjacent to B.
[Figure: Switch A, Switch B and Switch C (OmniSwitch 9700) connected in a row along the Spanning Tree path.]
AMAP Transmission States
AMAP switch ports are either in the discovery transmission state, common transmission state, or passive
reception state. Ports transition to these states depending on whether or not they receive Hello responses
from adjacent switches.
Note. All Hello packet transmissions are sent to a well-known MAC address (0020da:007004).
The transmission states are illustrated here.
[Figure: AMAP transmission states. Discovery Transmission State: send out Hello packets every discovery time-out interval (default: 30 seconds); if no Hello packets are received after 3 discovery time-out intervals, go to the Passive Reception State; if Hello packets are received before 3 discovery time-out intervals, go to the Common Transmission State. Common Transmission State: send out Hello packets every common time-out interval (default: 300 seconds); if a Hello packet is received before the discovery time-out interval expires, stay in the Common Transmission State, otherwise return to the Discovery Transmission State. Passive Reception State: when any Hello packet is received, go to the Common Transmission State.]
Discovery Transmission State
When AMAP is active, at startup all active switch ports are in the discovery transmission state. In this
state, ports send out Hello packets and wait for Hello responses. Ports send out Hello packets at a configurable interval called the discovery time-out interval. This interval is 30 seconds by default. The ports send
out Hello packets up to three time-outs of this interval trying to discover adjacent switches.
Any switch ports that receive Hello packets send a Hello response and transition to the common transmission state. Any switch ports that do not receive a Hello response before three discovery time-out intervals
have expired are placed in the passive reception state.
Common Transmission State
In the common transmission state, ports detect adjacent switch failures or disconnects by sending Hello
packets and waiting for Hello responses. Ports send out Hello packets at a configurable interval called the
common time-out interval. This interval is 300 seconds by default. To avoid synchronization with adjacent
switches, the common time-out interval is jittered randomly by plus or minus ten percent.
Ports wait for a Hello response using the discovery time-out interval. If a Hello response is detected within
one discovery time-out interval, the port remains in the common transmission state. If a Hello response is
not detected within one discovery time-out interval, the port reverts to the discovery transmission state.
Passive Reception State
In the passive reception state, switch ports are in receive-only mode. Hello packets are not sent out from
ports in this state and there is no timer on waiting for Hello responses. If the port receives a Hello packet at
any time, it enters the common transmission state and transmits a Hello packet in reply.
If a port transitions to the passive reception state, any remote switch entries for that port are deleted.
Common Transmission and Remote Switches
If an AMAP switch is connected to multiple AMAP switches via a hub, the switch sends and receives
Hello traffic to and from the remote switches through the same port. If one of the remote switches stops
sending Hello packets and other remote switches continue to send Hello packets, the ports in the common
transmission state will remain in the common transmission state.
The inactive switch will eventually be aged out of the switch’s AMAP database because each remote
switch entry has a “last seen” field that is updated when Hello packets are received. The switch checks the
“last seen” field at least once every common time-out interval. Switch ports that are no longer “seen” may
still retain an entry for up to three common time-out intervals. The slow aging out prevents the port from
sending Hello packets right away to the inactive switch and creating additional unnecessary traffic.
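The three transmission states, the two timers, the jitter on the common time-out interval and the "last seen" aging of remote entries described in the preceding sections fit in one small state machine, which is worth simulating to see the timing: three unanswered Hellos at 30-second intervals put a port into passive reception, a missed reply within one discovery interval in the common state sends it back to discovery, and a silent neighbour behind a hub lingers in the table for three common intervals while the port itself stays in the common state. The Python below is an added example, a model of the text and not Alcatel's implementation; the simulated neighbour MAC and the scenario timings are constructed.

```python
import random
from typing import Dict, List, Optional, Tuple

DISCOVERY, COMMON, PASSIVE = "discovery", "common", "passive"


class AmapPort:
    """One port's AMAP transmission state, driven by tick(now) and receive_hello(now, mac).
    Times are integer seconds. A model of the text above, not Alcatel's implementation."""

    def __init__(self, discovery_timeout: int = 30, common_timeout: int = 300,
                 jitter: bool = True, seed: int = 0):
        self.discovery_timeout, self.common_timeout = discovery_timeout, common_timeout
        self.jitter, self.rng = jitter, random.Random(seed)
        self.state = DISCOVERY
        self.remotes: Dict[str, int] = {}          # remote base MAC -> "last seen" time
        self.sent: List[Tuple[int, str]] = []      # (time, reason) for every Hello sent
        self.next_hello: Optional[int] = 0         # next scheduled Hello; None when passive
        self.reply_deadline: Optional[int] = None  # common state: latest time for a reply
        self.unanswered = 0                        # discovery Hellos sent without any reply

    def common_interval(self) -> int:
        """Common time-out jittered by plus or minus 10% so neighbours do not synchronise."""
        if not self.jitter:
            return self.common_timeout
        return round(self.common_timeout * self.rng.uniform(0.9, 1.1))

    def _enter_discovery(self, now: int) -> None:
        self.state, self.unanswered, self.reply_deadline, self.next_hello = DISCOVERY, 0, None, now

    def _enter_passive(self) -> None:
        self.state, self.next_hello, self.reply_deadline = PASSIVE, None, None
        self.remotes.clear()                       # remote entries for a passive port are deleted

    def receive_hello(self, now: int, remote_mac: str) -> None:
        """A Hello arrived: record the neighbour, reply, and (re)start the common timer."""
        self.remotes[remote_mac] = now
        self.sent.append((now, "reply"))
        self.state, self.reply_deadline = COMMON, None
        self.next_hello = now + self.common_interval()

    def tick(self, now: int) -> None:
        """Advance the port's timers to `now` (call with non-decreasing times)."""
        for mac, seen in list(self.remotes.items()):   # age out silent neighbours
            if now - seen >= 3 * self.common_timeout:
                del self.remotes[mac]
        if self.state == COMMON:
            if self.reply_deadline is not None and now >= self.reply_deadline:
                self._enter_discovery(now)             # no reply within one discovery interval
            elif now >= self.next_hello:
                self.sent.append((self.next_hello, "common"))
                self.reply_deadline = self.next_hello + self.discovery_timeout
                self.next_hello += self.common_interval()
        if self.state == DISCOVERY:
            while now >= self.next_hello:
                if self.unanswered >= 3:               # three discovery intervals, nothing heard
                    self._enter_passive()
                    break
                self.sent.append((self.next_hello, "discovery"))
                self.unanswered += 1
                self.next_hello += self.discovery_timeout


def simulate_isolated_port() -> Dict[str, object]:
    """A port with no neighbour, then one neighbour that later falls silent."""
    p = AmapPort(jitter=False)
    for t in range(0, 91, 30):
        p.tick(t)
    after_discovery = p.state                     # passive: three Hellos went unanswered
    p.receive_hello(100, "00:20:da:03:2c:40")     # constructed neighbour MAC
    after_hello = p.state                         # common
    p.tick(400)                                   # common Hello due at 100 + 300
    p.receive_hello(410, "00:20:da:03:2c:40")     # neighbour answers, common timer restarts
    p.tick(710)                                   # next common Hello at 410 + 300
    p.tick(740)                                   # no reply within 30 s: back to discovery
    return {"after_discovery": after_discovery, "after_hello": after_hello,
            "final": p.state, "hellos": [reason for _, reason in p.sent]}


def simulate_hub_port() -> Dict[str, object]:
    """Two neighbours behind a hub: A goes silent at t=0, B keeps answering every Hello."""
    p = AmapPort(jitter=False)
    p.receive_hello(0, "A")
    p.receive_hello(0, "B")
    a_aged_at = None
    for t in range(0, 1001, 5):
        before = len(p.sent)
        p.tick(t)
        if len(p.sent) > before and p.sent[-1][1] == "common":
            p.receive_hello(t + 1, "B")           # B replies within the discovery window
        if a_aged_at is None and "A" not in p.remotes:
            a_aged_at = t                         # A is aged out after 3 x 300 s
    return {"state": p.state, "a_aged_at": a_aged_at, "b_present": "B" in p.remotes}


if __name__ == "__main__":
    print(simulate_isolated_port())
    print(simulate_hub_port())
```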
Configuring AMAP
AMAP is active by default. In addition to disabling or enabling AMAP, you can view a list of adjacent
switches or configure the time-out intervals for Hello packet transmission and reception.
Enabling or Disabling AMAP
To display whether or not AMAP is active or inactive, enter the following command:
-> show amap
To activate AMAP on the switch, enter the following command:
-> amap enable
To deactivate AMAP on the switch, enter the following command:
-> amap disable
Configuring the AMAP Discovery Time-out Interval
The discovery time-out interval is used in both the discovery transmission state and the common transmission state to determine how long the port will wait for Hello packets. For ports in the discovery transmission state, this timer is also used as the interval between sending out Hello packets.
Note. Ports in the common transmission state send out Hello packets based on the common time-out interval described later.
The discovery time-out interval is set to 30 seconds by default. To display the current discovery time-out
interval, enter the following command:
-> show amap
To change the discovery time-out interval, use either of these forms of the command with the desired
value (any value between 1 and 65535). Note that the use of the time command keyword is optional. For
example:
-> amap discovery 60
-> amap discovery time 60
Configuring the AMAP Common Time-out Interval
The common time-out interval is used only in the common transmission state to determine the time interval between sending Hello update packets. A switch sends an update for a port just before or after the
common time-out interval expires.
Note. Switches avoid synchronization by jittering the common time-out interval plus or minus 10 percent
of the configured value. For example, if the default common time-out interval is used (300 seconds), the
jitter is plus or minus 30 seconds.
When a Hello packet is received from an adjacent switch before the common time-out interval expires, the
switch sends a Hello reply and restarts the common transmission timer.
The common time-out interval is set to 300 seconds by default. To display the current common time-out
interval, enter the following command:
-> show amap
To change the common time-out interval, use either of these forms of the command with the desired value
(any value between 1 and 65535). Note that the use of the time command keyword is optional. For example:
-> amap common 600
-> amap common time 600
Displaying AMAP Information
Use the show amap command to view a list of adjacent switches and their associated MAC addresses,
interfaces, VLANs, and IP addresses. For remote switches that stop sending Hello packets and that are
connected via a hub, entries may take up to three times the common time-out intervals to age out of this
table.
The following example shows three interfaces on a local AMAP switch (4/1, 5/1, 7/1) connected to interfaces on two remote switches. Interface 5/1 is connected to a remote switch through a hub.
-> show amap
AMAP:
  Operational Status = enabled,
  Common Phase Timeout Interval (seconds) = 300,
  Discovery Phase Timeout Interval (seconds) = 30
Remote Host 'Switch B' On Port 4/1 Vlan 1:
  Remote Device = OS6800,
  Remote Base MAC = 00:20:da:03:2c:40,
  Remote Interface = 2/1,
  Remote VLAN = 1,
  Number of Remote IP Address(es) Configured = 4,
  Remote IP(s) =
    18.1.1.1
    27.0.0.2
    192.168.10.1
    192.206.184.40
Remote Host 'Switch C' On Port 5/1 Vlan 7:
  Remote Device = OS6800,
  Remote Base MAC = 00:20:da:99:96:60,
  Remote Interface = 1/8,
  Remote Vlan = 7,
  Number of Remote IP Address(es) Configured = 1,
  Remote IP(s) =
    192.206.184.20
Remote Host 'Switch C' On Port 5/1 Vlan 7:
  Remote Device = OS6800,
  Remote Base MAC = 00:20:da:99:96:60,
  Remote Interface = 2/8,
  Remote Vlan = 255,
  Number of Remote IP Address(es) Configured = 1,
  Remote IP(s) =
    192.206.185.30
Remote Host 'Switch C' On Port 7/1 Vlan 455:
  Remote Device = OS6800,
  Remote Base MAC = 00:20:da:99:96:60,
  Remote Interface = 4/8,
  Remote Vlan = 455,
  Number of Remote IP Address(es) Configured = 3,
  Remote IP(s) =
    192.206.183.10
    192.206.184.20
    192.206.185.30
A visual illustration of these connections is shown here:
[Figure: Switch A (local, OmniSwitch 9700). Local interface 4/1 connects to remote Switch B (0020da:032c40), remote interface 2/1. Local interface 5/1 connects through a hub to remote Switch C (0020da:999660), remote interfaces 1/8 and 2/8. Local interface 7/1 connects to remote Switch C, remote interface 4/8.]
See the OmniSwitch CLI Reference Guide for information about the show amap command.
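The adjacency table above is what an operator would parse to build an inventory of what is physically attached to each port. The following Python is an added example, not code from the guide: it parses the show amap layout into records, applies the guide's timer rules (the ±10 percent jitter and the three-interval age-out) and flags local ports that see more than one remote interface, which is what the hub on 5/1 looks like; SAMPLE_SHOW_AMAP is constructed to match the guide's layout.

```python
"""Parse the 'show amap' adjacency table into structured neighbor records.

Added example, not code from the guide.  SAMPLE_SHOW_AMAP is constructed to
match the layout the guide prints (field names are the guide's; a live
switch's whitespace may differ).  The helpers apply the guide's timer rules
and flag local ports that see more than one remote interface, which is
what a hub (or an unexpected extra device) on that port looks like.
"""
import re
from collections import defaultdict

SAMPLE_SHOW_AMAP = """\
AMAP:
  Operational Status = enabled,
  Common Phase Timeout Interval (seconds) = 300,
  Discovery Phase Timeout Interval (seconds) = 30
Remote Host 'Switch B' On Port 4/1 Vlan 1:
  Remote Device = OS6800,
  Remote Base MAC = 00:20:da:03:2c:40,
  Remote Interface = 2/1,
  Remote VLAN = 1,
  Number of Remote IP Address(es) Configured = 2,
  Remote IP(s) =
    18.1.1.1
    192.168.10.1
Remote Host 'Switch C' On Port 5/1 Vlan 7:
  Remote Device = OS6800,
  Remote Base MAC = 00:20:da:99:96:60,
  Remote Interface = 1/8,
  Remote Vlan = 7,
  Number of Remote IP Address(es) Configured = 1,
  Remote IP(s) =
    192.206.184.20
Remote Host 'Switch C' On Port 5/1 Vlan 7:
  Remote Device = OS6800,
  Remote Base MAC = 00:20:da:99:96:60,
  Remote Interface = 2/8,
  Remote Vlan = 255,
  Number of Remote IP Address(es) Configured = 1,
  Remote IP(s) =
    192.206.185.30
"""

HOST_RE = re.compile(r"^Remote Host '(?P<host>[^']*)' On Port (?P<port>\S+) Vlan (?P<vlan>\d+):$")
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.*?),?$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

COMMON_KEY = "Common Phase Timeout Interval (seconds)"


def parse_show_amap(text):
    """Return (settings, neighbors): global AMAP values and one dict per 'Remote Host' block."""
    settings, neighbors, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "AMAP:":
            continue
        m = HOST_RE.match(line)
        if m:                                    # start of a neighbor block
            current = {"host": m["host"], "local_port": m["port"],
                       "local_vlan": int(m["vlan"]), "remote_ips": []}
            neighbors.append(current)
            continue
        if current is not None and IP_RE.match(line):
            current["remote_ips"].append(line)   # indented address list
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if current is None:                      # still in the AMAP: header
            settings[key] = int(val) if val.isdigit() else val
        elif key == "Remote Device":
            current["remote_device"] = val
        elif key == "Remote Base MAC":
            current["remote_mac"] = val.lower()
        elif key == "Remote Interface":
            current["remote_port"] = val
        elif key.lower() == "remote vlan":       # the switch prints both VLAN and Vlan
            current["remote_vlan"] = int(val)
    return settings, neighbors


def common_jitter_window(settings):
    """Interval actually used for Hello updates: the common time-out +/- 10 percent."""
    t = settings[COMMON_KEY]
    return (t - t / 10, t + t / 10)


def age_out_seconds(settings):
    """Worst case before a silent, hub-connected neighbor leaves the table: 3 common intervals."""
    return 3 * settings[COMMON_KEY]


def ports_with_multiple_neighbors(neighbors):
    """Local ports on which AMAP sees more than one (remote MAC, remote interface) pair."""
    seen = defaultdict(set)
    for n in neighbors:
        seen[n["local_port"]].add((n["remote_mac"], n["remote_port"]))
    return {port: sorted(ifaces) for port, ifaces in seen.items() if len(ifaces) > 1}
```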
11 Configuring 802.1Q
802.1Q is the IEEE standard for segmenting networks into VLANs. 802.1Q segmentation is done by
adding a specific tag to a packet.
In this Chapter
This chapter describes the basic components of 802.1Q VLANs and how to configure them through the
Command Line Interface (CLI). The CLI commands are used in the configuration examples; for more
details about the syntax of commands, see “802.1Q Commands” in the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Setting up an 802.1Q VLAN for a specific port. See “Enabling Tagging on a Port” on page 11-5.
• Setting up an 802.1Q VLAN for a link aggregation group. See “Enabling Tagging with Link Aggregation” on page 11-5.
• Configuring 802.1Q VLAN parameters. See “Configuring the Frame Type” on page 11-6.
For information on creating and managing VLANs, see Chapter 5, “Configuring VLANs.”
For information on creating and managing link aggregation groups, see Chapter 13, “Configuring Static
Link Aggregation” and Chapter 14, “Configuring Dynamic Link Aggregation.”
802.1Q Specifications
IEEE Specification                           Draft Standard P802.1Q/D11 IEEE Standards for Local And Metropolitan Area Network: Virtual Bridged Local Area Networks, July 30, 1998
Maximum Number of Tagged VLANs per Port      4093
Maximum Number of Untagged VLANs per Port    One untagged VLAN per port.
Maximum Number of VLAN Port Associations     32768
Note. Up to 4093 VLANs can be assigned to a tagged port or link aggregation group. However, each
assignment counts as a single VLAN port association. Once the maximum number of VLAN port associations is reached, no more VLANs can be assigned to ports. For more information, see Chapter 7, “Assigning Ports to VLANs.”
802.1Q Defaults Table
The following table shows the default settings of the configurable 802.1Q parameters.
802.1Q Defaults
Parameter Description          Command                  Default Value/Comments
What type of frames accepted   vlan 802.1q frame type   Both tagged and untagged frames are accepted
802.1Q Overview
Alcatel’s 802.1Q is an IEEE standard for sending frames through the network tagged with VLAN identification. This chapter details procedures for configuring and monitoring 802.1Q tagging on a single port in a
switch or a link aggregation group in a switch.
802.1Q tagging is the IEEE version of VLANs. It is a method for segregating areas of a network into
distinct VLANs. By attaching a label or tag to a packet, the packet can be identified as being from a
specific area or identified as being destined for a specific area.
When enabling a tagged port, you will also need to specify whether only 802.1Q tagged traffic is allowed
on the port, or whether the port accepts both tagged and untagged traffic.
“Tagged” refers to four bytes of reserved space in the header of the packet. The four bytes of “tagging” are
broken down as follows: the first two bytes indicate whether the packet is an 802.1Q packet, and the next
two bytes carry the VLAN identification (VID) and priority.
On the ingress side, packets are classified in a VLAN. After classifying a packet, the switch adds an
802.1Q header to the packet. Egress processing of packets is done by the switch hardware. Packets have
an 802.1Q tag, which may be stripped off based on 802.1Q tagging/stripping rules.
If a port is configured to be a tagged port, then all the untagged traffic (including priority tagged or VLAN
0 traffic) received on the port will be dropped. You do not need to reboot the switch after changing the
configuration parameters.
Note. Priority tagged traffic or traffic from VLAN 0 is used for Quality of Service (QoS) functionality.
802.1Q views priority tagged traffic as untagged traffic.
In OmniSwitch 9000 switches only, mobile ports can be configured to accept 802.1Q traffic by enabling
the VLAN mobile tagging feature as described in Chapter 5, “Configuring VLANs.”
The following diagram illustrates a simple network using tagged and untagged traffic:
[Figure: Tagged and Untagged Traffic Network. Stack 1 and Stack 2 each carry VLAN 1 (untagged), VLAN 2 (tagged) and VLAN 3 (tagged). The connecting ports are port 4/3 (tagged) and port 2/1 (tagged/untagged).]
Stack 1 and 2 have three VLANs, one for untagged traffic and two for tagged traffic. The ports connecting Stack 1 and 2 are configured in such a manner that Port 4/3 will only accept tagged traffic, while Port
2/1 will accept both tagged and untagged traffic.
The port can only be assigned to one untagged VLAN (in every case, this will be the default VLAN). In
the example above the default VLAN is VLAN 1. The port can be assigned to as many 802.1Q VLANs as
necessary, up to 4093 per port or 32768 VLAN port associations.
For the purposes of Quality of Service (QoS), 802.1Q ports are always considered to be trusted ports. For
more information on QoS and trusted ports, see Chapter 26, “Configuring QoS.”
Alcatel’s 802.1Q tagging is done at wire speed, providing high-performance throughput of tagged
frames. The procedures below use CLI commands that are thoroughly described in “802.1Q Commands” of
the OmniSwitch CLI Reference Guide.
Note. 802.1Q on the OmniSwitch 6800/6850/9000 does not have the “force tag internal” feature, available on other OmniSwitch products.
Configuring an 802.1Q VLAN
The following sections detail procedures for creating 802.1Q VLANs and assigning ports to 802.1Q
VLANs.
Enabling Tagging on a Port
To set a port to be a tagged port, you must specify a VLAN identification (VID) number and a port
number. You may also optionally assign a text identification.
For example, to configure port 4 on slot 3 to be a tagged port, enter the following command at the CLI
prompt:
-> vlan 5 802.1q 3/4
Tagging would now be enabled on port 3/4, with a VID of 5.
To add tagging to a port and label it with a text name, you would enter the text identification following the
slot and port number. For example, to enable tagging on port 4 of slot 3 with a text name of port tag, enter
the command in the following manner:
-> vlan 5 802.1q 3/4 "port tag"
The tagged port would now also be labeled port tag. Note that you must use quotes around the text
description.
The VLAN used to handle traffic on the tagged port must be created prior to using the vlan 802.1q
command. Creating a VLAN is described in Chapter 5, “Configuring VLANs.”
For more specific information, see the vlan 802.1q command section in the OmniSwitch CLI Reference
Guide.
Enabling Tagging with Link Aggregation
To enable tagging on link aggregation groups, enter the link aggregation group identification number in
place of the slot and port number, as shown:
-> vlan 5 802.1q 8
(For further information on creating link aggregation groups, see Chapter 13, “Configuring Static Link
Aggregation,” or Chapter 14, “Configuring Dynamic Link Aggregation.”)
To add tagging to a port or link aggregation group and label it with a text name enter the text identification following the slot and port number or link aggregation group identification number. For example, to
enable tagging on link aggregation group 8 with a text name of agg port tag, enter the command in the
following manner:
-> vlan 5 802.1q 8 "agg port tag"
The tagged port would now also be labeled agg port tag. Note that you must use quotes around the text
description.
To remove 802.1Q tagging from a selected port, use the same command as above with a no keyword
added, as shown:
-> vlan 5 no 802.1q 8
Note. The link aggregation group must be created before it can be set to use 802.1Q tagging.
For more specific information, see the vlan 802.1q command section in the OmniSwitch CLI Reference
Guide.
Configuring the Frame Type
Once a port has been set to receive and send tagged frames, it will be able to receive or send tagged or
untagged traffic. Tagged traffic will be subject to 802.1Q rules, while untagged traffic will behave as
directed by normal switch operation. (Setting up rules for non-802.1Q traffic is defined in Chapter 5,
“Configuring VLANs.”) A port can also be configured to accept only tagged frames.
To configure a port to only accept tagged frames, enter the frame type command at the CLI prompt:
-> vlan 802.1q 3/4 frame type tagged
To configure a port back to accepting both tagged and untagged traffic, use the same command with the all
keyword, as shown:
-> vlan 802.1q 3/4 frame type all
Note. If you configure a port to accept only VLAN-tagged frames, then any frames received on this port
that do not carry a VLAN identification (i.e., untagged frames or priority-tagged frames) will be discarded
by the ingress rules for this port. Frames that are not discarded by this ingress rule are classified and
processed according to the ingress rules for this port.
When a port is set to support both tagged and untagged traffic, multiple VLANs for 802.1Q traffic can be
added to the port, but only one VLAN can be used to support untagged traffic. The untagged traffic VLAN
will always be the port’s default VLAN.
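The tag layout described in the 802.1Q Overview and the ingress rules of the frame type setting are small enough to model end to end. The following Python is an added example, not code from the guide: it parses the four-byte tag (TPID 0x8100, then priority and VID) and classifies frames for a port the way the text describes, treating priority-tagged (VID 0) traffic as untagged and discarding it when the frame type is tagged; the port model is a simplification of the switch's real ingress rules, and dropping a tag for a VLAN not assigned to the port is an assumption.

```python
"""Ingress classification of frames on an 802.1Q port, as the guide describes it.

Added example, not code from the guide.  The tag layout (TPID 0x8100 in the
two bytes after the MAC addresses, then priority and VID in the next two) is
the IEEE 802.1Q one; the port model is a simplification of the switch's
real ingress rules, and dropping a tag for a VLAN that is not assigned to
the port is an assumption.
"""
import struct

TPID_8021Q = 0x8100

# Constructed sample MAC addresses for the frames built below.
DST = bytes.fromhex("0020da032c40")
SRC = bytes.fromhex("0020da999660")


def build_frame(vid=None, priority=0, ethertype=0x0800, dst=DST, src=SRC):
    """Minimal Ethernet frame: vid=None gives an untagged frame, vid=0 a
    priority-tagged frame, any other vid a VLAN-tagged frame."""
    header = dst + src
    if vid is None:
        return header + struct.pack("!H", ethertype) + bytes(46)
    tci = (priority & 0x7) << 13 | (vid & 0x0FFF)    # PCP(3) CFI(1) VID(12)
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + bytes(46)


def parse_tag(frame):
    """Return (tagged, priority, vid, ethertype) for a frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:                        # first two bytes: is it 802.1Q?
        return False, None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])    # next two bytes: priority + VID
    return True, tci >> 13, tci & 0x0FFF, inner


class TaggedPort:
    """A port with one default (untagged) VLAN, a set of 802.1Q VLANs and an
    acceptable frame type of 'all' (the default) or 'tagged'."""

    def __init__(self, default_vlan, tagged_vlans, frame_type="all"):
        if frame_type not in ("all", "tagged"):
            raise ValueError("frame type must be 'all' or 'tagged'")
        self.default_vlan = default_vlan
        self.tagged_vlans = set(tagged_vlans)
        self.frame_type = frame_type

    def classify(self, frame):
        """VLAN the frame is classified into, or None if the ingress rules drop it."""
        tagged, _priority, vid, _ = parse_tag(frame)
        # Guide: priority-tagged (VID 0) traffic is treated as untagged by 802.1Q.
        if not tagged or vid == 0:
            if self.frame_type == "tagged":
                return None               # 'frame type tagged': untagged frames are discarded
            return self.default_vlan      # untagged traffic always goes to the default VLAN
        if vid in self.tagged_vlans:
            return vid
        return None  # assumption: a tag for a VLAN not assigned to this port is dropped


def demo():
    """The guide's figure: port 2/1 accepts tagged and untagged traffic, port 4/3
    only tagged; both carry VLAN 1 untagged and VLANs 2 and 3 tagged."""
    port_2_1 = TaggedPort(default_vlan=1, tagged_vlans={2, 3}, frame_type="all")
    port_4_3 = TaggedPort(default_vlan=1, tagged_vlans={2, 3}, frame_type="tagged")
    frames = {
        "untagged": build_frame(),
        "priority_tagged": build_frame(vid=0, priority=5),
        "vlan2": build_frame(vid=2),
        "vlan9": build_frame(vid=9),
    }
    return {name: (port_2_1.classify(f), port_4_3.classify(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (on_2_1, on_4_3) in demo().items():
        print(f"{name:16} port 2/1 -> {on_2_1}   port 4/3 -> {on_4_3}")
```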
Note. You cannot configure a link aggregation group to accept only tagged frames.
For more specific information, see the vlan 802.1q frame type command section in the OmniSwitch CLI
Reference Guide.
Show 802.1Q Information
After configuring a port or link aggregation group to be a tagged port, you can view the settings by using
the show 802.1q command, as demonstrated:
-> show 802.1q 3/4
 Acceptable Frame Type   : Any Frame Type
 Force Tag Internal      : NA
 Tagged VLANS  Internal Description
 -------------+-------------------------------------------------+
 2             TAG PORT 3/4 VLAN 2
-> show 802.1q 2
 Tagged VLANS  Internal Description
 -------------+-------------------------------------------------+
 3             TAG AGGREGATE 2 VLAN 3
To display all VLANs, enter the following command:
-> show vlan port
Application Example
In this section the steps to create 802.1Q connections between switches are shown.
The following diagram shows a simple network employing 802.1Q on both regular ports and link aggregation groups.
[Figure: Stack 1 port 1/1 (untagged/tagged) connects to Switch 2 (OmniSwitch 9700) port 2/1 (tagged), carrying VLAN 1 (untagged) and VLAN 2 (tagged). Switch 2 ports 3/1 and 3/2 form aggregate link 5 to Stack 3 ports 4/1 and 4/2, carrying VLAN 1 (untagged) and VLAN 3 (tagged).]
The following sections show how to create the network illustrated above.
Connecting Stack 1 and Switch 2 Using 802.1Q
The following steps apply to Stack 1. They will attach port 1/1 to VLAN 2 and set the port to accept
802.1Q tagged traffic and untagged traffic.
1 Create VLAN 2 by entering vlan 2 as shown below (VLAN 1 is the default VLAN for the switch):
-> vlan 2
2 Set port 1/1 as a tagged port and assign it to VLAN 2 by entering the following:
-> vlan 2 802.1q 1/1
3 Check the configuration by using the show 802.1q command as follows:
-> show 802.1q 1/1
 Acceptable Frame Type   : Any Frame Type
 Force Tag Internal      : NA
 Tagged VLANS  Internal Description
 -------------+-------------------------------------------------+
 2             TAG PORT 1/1 VLAN 2
The following steps apply to Switch 2. They will attach port 2/1 to VLAN 2 and set the port to accept
802.1Q tagged traffic only:
1 Create VLAN 2 by entering vlan 2 as shown below (VLAN 1 is the default VLAN for the switch):
-> vlan 2
2 Set port 2/1 as a tagged port and assign it to VLAN 2 by entering the following:
-> vlan 2 802.1q 2/1
3 Set port 2/1 to accept only tagged traffic by entering the following:
-> vlan 802.1q 2/1 frame type tagged
4 Check the configuration by using the show 802.1q command, as follows:
-> show 802.1q 2/1
 Acceptable Frame Type   : tagged only
 Force Tag Internal      : NA
 Tagged VLANS  Internal Description
 -------------+-------------------------------------------------+
 2             TAG PORT 2/1 VLAN 2
Connecting Switch 2 and Stack 3 Using 802.1Q
The following steps apply to Switch 2. They will attach ports 3/1 and 3/2 as link aggregation group 5 to
VLAN 3.
1 Configure static link aggregation group 5 by entering the following:
-> static linkagg 5 size 2
2 Assign ports 3/1 and 3/2 to static link aggregation group 5 by entering the following two commands:
-> static agg 3/1 agg num 5
-> static agg 3/2 agg num 5
3 Create VLAN 3 by entering the following:
-> vlan 3
4 Configure 802.1Q tagging with a tagging ID of 3 on link aggregation group 5 (on VLAN 3) by entering vlan 3 802.1q 5 as shown below:
-> vlan 3 802.1q 5
5 Check the configuration by using the show 802.1q command as follows:
-> show 802.1q 5
 Tagged VLANS  Internal Description
 -------------+-------------------------------------------------+
 3             TAG AGGREGATE 5 VLAN 3
The following steps apply to Stack 3. They will attach ports 4/1 and 4/2 as link aggregation group 5 to
VLAN 3.
1 Configure static link aggregation group 5 by entering the following:
-> static linkagg 5 size 2
2 Assign ports 4/1 and 4/2 to static link aggregation group 5 by entering the following two commands:
-> static agg 4/1 agg num 5
-> static agg 4/2 agg num 5
3 Create VLAN 3 by entering the following:
-> vlan 3
4 Configure 802.1Q tagging with a tagging ID of 3 on static link aggregation group 5 (on VLAN 3) by
entering the following:
-> vlan 3 802.1q 5
5 Check the configuration by using the show 802.1q command, as follows:
-> show 802.1q 5
 Tagged VLANS  Internal Description
 -------------+-------------------------------------------------+
 3             TAG AGGREGATE 5 VLAN 3
Verifying 802.1Q Configuration
To display information about the ports configured to handle tagging, use the following show command:
show 802.1q
Displays 802.1Q tagging information for a single port or a link aggregation group.
For more information about the resulting display, see Chapter 14, “802.1Q Commands,” in the
OmniSwitch CLI Reference Guide.
12 Configuring IP
Internet Protocol (IP) is primarily a network-layer (Layer 3) protocol that contains addressing and control
information that enables packets to be forwarded. Along with Transmission Control Protocol (TCP), IP
represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork, and providing fragmentation and reassembly of datagrams to support data links with different Maximum Transmission Unit (MTU) sizes.
Note. IP routing (Layer 3) can be accomplished using static routes or by using one of the IP routing protocols, Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). For more information on
these protocols see Chapter 16, “Configuring RIP,” in this manual; or “Configuring OSPF” in the
OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide.
There are two versions of Internet Protocol supported, IPv4 and IPv6. For more information about using
IPv6, see Chapter 15, “Configuring IPv6.”
In This Chapter
This chapter describes IP and how to configure it through the Command Line Interface (CLI). It includes
instructions for enabling IP forwarding, as well as basic IP configuration commands (e.g., ip default-ttl).
CLI commands are used in the configuration examples; for more details about the syntax of commands,
see the OmniSwitch CLI Reference Guide. This chapter provides an overview of IP and includes information about the following procedures:
• IP Forwarding
  – Configuring an IP Router Interface (see page 12-7)
  – Creating a Static Route (see page 12-10)
  – Creating a Default Route (see page 12-10)
  – Configuring Address Resolution Protocol (ARP) (see page 12-11)
• IP Configuration
  – Configuring the Router Primary Address (see page 12-14)
  – Configuring the Router ID (see page 12-14)
  – Configuring the Time-to-Live (TTL) Value (see page 12-14)
  – IP-Directed Broadcasts (see page 12-14)
  – Protecting the Switch from Denial of Service (DoS) attacks (see page 12-15)
• Managing IP
  – Internet Control Message Protocol (ICMP) (see page 12-20)
  – Using the Ping Command (see page 12-23)
  – Tracing an IP Route (see page 12-24)
  – Displaying TCP Information (see page 12-24)
  – Displaying User Datagram Protocol (UDP) Information (see page 12-24)
IP Specifications
RFCs Supported                               RFC 791–Internet Protocol
                                             RFC 792–Internet Control Message Protocol
                                             RFC 826–An Ethernet Address Resolution Protocol
Maximum VLANs per switch                     4094 (based on switch configuration and available resources)
Maximum router interface VLANs per switch    4094 IP and 64 IPX (based on switch configuration and available resources)
Maximum IP interfaces per VLAN               8
Maximum ARP filters per switch               200
IP Defaults
The following table lists the defaults for IP configuration through the ip command.
Description              Command                  Default
IP-Directed Broadcasts   ip directed-broadcast    off
Time-to-Live Value       ip default-ttl           64 (hops)
IP interfaces            ip interface             VLAN 1 interface.
ARP filters              arp filter               0
Quick Steps for Configuring IP Forwarding
Using only IP, which is always enabled on the switch, devices connected to ports on the same VLAN are
able to communicate at Layer 2. The initial configuration for all Alcatel switches consists of a default
VLAN 1. All switch ports are initially assigned to this VLAN. In addition, when an OmniSwitch 6800/
6850 switch is added to a stack of switches or a switching module is added to an OmniSwitch 9000
switch, all ports belonging to the new switch and/or module are also assigned to VLAN 1. If additional
VLANs are not configured on the switch, the entire switch is treated as one large broadcast domain, and
all ports receive all traffic from all other ports.
Note. The operational status of a VLAN remains inactive until at least one active switch port is assigned
to the VLAN. Ports are considered active if they are connected to an active network device. Non-active
port assignments are allowed, but do not change the operational state of the VLAN.
To forward packets to a different VLAN on a switch, you must create a router interface on each VLAN.
The following steps show you how to enable IP forwarding between VLANs “from scratch”. If active
VLANs have already been created on the switch, you only need to create router interfaces on each VLAN
(Steps 5 and 6).
1 Create VLAN 1 with a description (e.g., VLAN 1) by using the vlan command. For example:
-> vlan 1 name "VLAN 1"
2 Create VLAN 2 with a description (e.g., VLAN 2) by using the vlan command. For example:
-> vlan 2 name "VLAN 2"
3 Assign an active port to VLAN 1 by using the vlan port default command. For example, the following command assigns port 1 on slot 1 to VLAN 1:
-> vlan 1 port default 1/1
4 Assign an active port to VLAN 2 by using the vlan port default command. For example, the following command assigns port 2 on slot 1 to VLAN 2:
-> vlan 2 port default 1/2
5 Create an IP router interface on VLAN 1 using the ip interface command. For example:
-> ip interface vlan-1 address 171.10.1.1 vlan 1
6 Create an IP router interface on VLAN 2 using the ip interface command. For example:
-> ip interface vlan-2 address 171.11.1.1 vlan 2
Note. See Chapter 5, “Configuring VLANs,” for more information about how to create VLANs and
VLAN router interfaces.
IP Overview
IP is a network-layer (Layer 3) protocol that contains addressing and control information that enables
packets to be forwarded on a network. IP is the primary network-layer protocol in the Internet protocol
suite. Along with TCP, IP represents the heart of the Internet protocols.
IP Protocols
IP is associated with several Layer 3 and Layer 4 protocols. These protocols are built into the base code
loaded on the switch. A brief overview of supported IP protocols is included below.
Transport Protocols
IP is both connectionless (it forwards each datagram separately) and unreliable (it does not guarantee
delivery of datagrams). This means that a datagram may be damaged in transit, thrown away by a busy
switch, or simply never make it to its destination. The resolution of these transit problems is to use a Layer
4 transport protocol, such as:
• TCP—A major data transport mechanism that provides reliable, connection-oriented, full-duplex data
streams. While the role of TCP is to add reliability to IP, TCP relies upon IP to do the actual delivering
of datagrams.
• UDP—A secondary transport-layer protocol that uses IP for delivery. UDP is not connection-oriented
and does not provide reliable end-to-end delivery of datagrams. But some applications can safely use
UDP to send datagrams that do not require the extra overhead added by TCP. For more information on
UDP, see Chapter 18, “Configuring DHCP Relay.”
Application-Layer Protocols
Application-layer protocols are used for switch configuration and management:
• Bootstrap Protocol (BOOTP)/Dynamic Host Configuration Protocol (DHCP)—May be used by an end
station to obtain an IP address. The switch provides a DHCP Relay that allows BOOTP requests/replies
to cross different networks.
• Simple Network Management Protocol (SNMP)—Allows communication between SNMP managers
and SNMP agents on an IP network. Network administrators use SNMP to monitor network performance and manage network resources. For more information, see the “Using SNMP” chapter in the
OmniSwitch 6800/6850/9000 Switch Management Guide.
• Telnet—Used for remote connections to a device. You can telnet to a switch and configure the switch
and the network by using the CLI.
• File Transfer Protocol (FTP)—Enables the transfer of files between hosts. This protocol is used to load
new images onto the switch.
Additional IP Protocols
There are several additional IP-related protocols that may be used with IP forwarding. These protocols are
included as part of the base code.
• Address Resolution Protocol (ARP)—Used to match the IP address of a device with its physical
(MAC) address. For more information, see “Configuring Address Resolution Protocol (ARP)” on
page 12-11.
• Virtual Router Redundancy Protocol (VRRP)—Used to back up routers. For more information, see
Chapter 19, “Configuring VRRP.”
• Internet Control Message Protocol (ICMP)—Specifies the generation of error messages, test packets,
and informational messages related to IP. ICMP supports the ping command used to determine if hosts
are online. For more information, see “Internet Control Message Protocol (ICMP)” on page 12-20.
• Router Discovery Protocol (RDP)—Used to advertise and discover routers on the LAN. For more
information, see Chapter 17, “Configuring RDP.”
• Multicast Services—Includes IP multicast switching (IPMS). For more information, see Chapter 28,
“Configuring IP Multicast Switching.”
IP Forwarding
Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the
same VLAN. However, if a device needs to communicate with another device that belongs to a different
VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs. Bridging makes the decision on where to forward packets based on the packet’s destination MAC address; routing makes the decision on where to forward packets based on the packet’s IP network address (e.g., IP - 21.0.0.10).
Alcatel switches support routing of IP traffic. A VLAN is available for routing when at least one router
interface is defined for that VLAN and at least one active port is associated with the VLAN. If a VLAN
does not have a router interface, the ports associated with that VLAN are in essence firewalled from other
VLANs.
IP multinetting is also supported. A network is said to be multinetted when multiple IP subnets are brought
together within a single broadcast domain. It is now possible to configure up to eight IP interfaces per
VLAN. Each interface is configured with a different subnet. As a result, traffic from each configured
subnet can coexist on the same VLAN.
In the illustration below, an IP router interface has been configured on each VLAN. Therefore, workstations connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations
connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both
switches have been assigned to VLAN 2, and a physical connection has been made between the switches.
Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected
to VLAN 3 on Switch 2.
[Figure: IP Forwarding. Switch 1 and Switch 2 (both OmniSwitch 9700) each have an IP router interface on every VLAN: Switch 1 on VLAN 1 (110.0.0.0, router interface 110.0.0.1) and VLAN 2 (120.0.0.0); Switch 2 on VLAN 2 (120.0.0.0) and VLAN 3 (130.0.0.0, router interface 130.0.0.1). A physical connection joins the two switches on VLAN 2; the addresses 110.0.0.2 and 130.0.0.2 are also shown, on VLAN 1 and VLAN 3 respectively.]
If the switch is running in single MAC router mode, a maximum of 4094 VLANs can have IP interfaces
defined and a maximum of 64 VLANs can have IPX interfaces defined. In this mode, each router VLAN
is assigned the same MAC address, which is the base chassis MAC address for the switch.
See Chapter 5, “Configuring VLANs,” for more information about configuring the IPX router interfaces.
Configuring an IP Router Interface
IP is enabled by default. Using IP, devices connected to ports on the same VLAN are able to communicate. However, to forward packets to a different VLAN, you must create at least one router interface on
each VLAN.
Use the ip interface command to define up to eight IP interfaces for an existing VLAN. The following
parameter values are configured with this command:
• A unique interface name (text string up to 20 characters) is used to identify the IP interface. Specifying this parameter is required to create or modify an IP interface.
• The VLAN ID of an existing VLAN.
• An IP address to assign to the router interface (e.g., 193.204.173.21). Note that router interface IP
addresses must be unique. You cannot have two router interfaces with the same IP address.
• A subnet mask (defaults to the IP address class).
• The forwarding status for the interface (defaults to forwarding). A forwarding router interface sends IP
frames to other subnets. A router interface that is not forwarding can receive frames from other hosts
on the same subnet.
• An Ethernet-II or SNAP encapsulation for the interface (defaults to Ethernet-II). The encapsulation
determines the framing type the interface uses when generating frames that are forwarded out of
VLAN ports. Select an encapsulation that matches the encapsulation of the majority of VLAN traffic.
• The Local Proxy ARP status for the VLAN. If enabled, traffic within the VLAN is routed instead of
bridged. ARP requests return the MAC address of the IP router interface defined for the VLAN. For
more information about Local Proxy ARP, see “Local Proxy ARP” on page 12-12.
• The primary interface status. Designates the specified IP interface as the primary interface for the
VLAN. By default, the first interface bound to a VLAN becomes the primary interface for that VLAN.
The following ip interface command example creates an IP interface named Marketing with an IP
network address of 21.0.0.1 and binds the interface to VLAN 455:
-> ip interface Marketing address 21.0.0.1 vlan 455
Note. The ip interface command is not supported in Release 5.3.1. For this release use the vlan router ip
command instead. See the OmniSwitch CLI Reference Guide for more information.
The name parameter is the only parameter required with this command. Specifying additional parameters
is only necessary to configure a value other than the default value for that parameter. For example, both of
the following commands will create an IP router interface for VLAN 955 with a class A subnet mask, an
enabled forwarding status, Ethernet-II encapsulation, and a disabled Local Proxy ARP and primary interface status:
-> ip interface Accounting address 71.0.0.1 mask 255.0.0.0 vlan 955 forward e2 no local-proxy-arp no primary
-> ip interface Accounting address 71.0.0.1 vlan 955
Modifying an IP Router Interface
The ip interface command is also used to modify existing IP interface parameter values. It is not necessary to first remove the IP interface and then create it again with the new values. The changes specified
will overwrite existing parameter values. For example, the following command changes the subnet mask
to 255.255.255.0, the forwarding status to no forwarding and the encapsulation to snap by overwriting
existing parameter values defined for the interface. The interface name, Accounting, is specified as part of
the command syntax to identify which interface to change.
-> ip interface Accounting mask 255.255.255.0 no forward snap
Note that when changing the IP address for the interface, the subnet mask will revert back to the default
mask value if it was previously set to a non-default value and it is not specified when changing the IP
address. For example, the following command changes the IP address for the Accounting interface:
-> ip interface Accounting address 40.0.0.1
The subnet mask for the Accounting interface was previously set to 255.255.255.0. The above example
resets the mask to the default value of 255.0.0.0 because 40.0.0.1 is a Class A address and no other mask
was specified with the command. This only occurs when the IP address is modified; all other parameter
values remain unchanged unless otherwise specified.
To avoid the problem in the above example, simply enter the non-default mask value whenever the IP
address is changed for the interface. For example:
-> ip interface Accounting address 40.0.0.1 mask 255.255.255.0
Use the show ip interface command to verify IP router interface changes. For more information about
these commands, see the OmniSwitch CLI Reference Guide.
Removing an IP Router Interface
To remove an IP router interface, use the no form of the ip interface command. Note that it is only necessary to specify the name of the IP interface, as shown in the following example:
-> no ip interface Marketing
To view a list of IP interfaces configured on the switch, use the show ip interface command. For more
information about this command, see the OmniSwitch CLI Reference Guide.
Configuring a Loopback0 Interface
Loopback0 is the name assigned to an IP interface that provides a consistent address for network management purposes. The Loopback0 interface is not bound to any VLAN, so it always remains operationally active. This differs from other IP interfaces: if there are no active ports in a VLAN, all IP interfaces associated with that VLAN become inactive. In addition, the Loopback0 interface provides a unique IP address for the switch that is easily identifiable to network management applications.
This type of interface is created in the same manner as all other IP interfaces, using the ip interface
command. To identify a Loopback0 interface, enter Loopback0 for the interface name. For example, the
following command creates the Loopback0 interface with an IP address of 10.11.4.1:
-> ip interface Loopback0 address 10.11.4.1
Note the following when configuring the Loopback0 interface:
• The interface name, “Loopback0”, is case sensitive.
• The admin parameter is the only configurable parameter supported with this type of interface.
• The Loopback0 interface is always active and available.
• Only one Loopback0 interface per switch is allowed.
• Creating this interface does not deduct from the total number of IP interfaces allowed per VLAN or
switch.
Loopback0 Address Advertisement
The Loopback0 IP interface address is automatically advertised by the IGP protocols RIP and OSPF when
the interface is created. There is no additional configuration necessary to trigger advertisement with these
protocols.
Note the following regarding Loopback0 advertisement:
• RIP advertises the host route to the Loopback0 IP interface as a redistributed (directhost) route.
• OSPF advertises the host route to the Loopback0 IP interface in its Router-LSAs (as a Stub link) as an
internal route into all its configured areas.
Configuring a BGP Peer Session with Loopback0
It is possible to create BGP peers using the Loopback0 IP interface address of the peering router and to bind the source (the outgoing IP interface for the TCP connection) to the switch's own Loopback0 interface. The Loopback0 IP interface address can be used for both Internal and External BGP peer sessions. For EBGP sessions, if the external peer router is multiple hops away, the ebgp-multihop parameter may need to be used.
The following example command configures a BGP peering session using a Loopback0 IP interface
address:
-> ip bgp neighbor 2.2.2.2 update-source Loopback0
See the OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide for more information.
Creating a Static Route
Static routes are user-defined and carry a higher priority than routes created by dynamic routing protocols.
That is, if two routes have the same metric value, the static route has the higher priority. Static routes
allow you to define, or customize, an explicit path to an IP network segment, which is then added to the IP
Forwarding table. Static routes can be created between VLANs to enable devices on these VLANs to
communicate.
Use the ip static-route command to create a static route. You must specify the destination IP address of
the route as well as the IP address of the first hop (gateway) used to reach the destination. For example, to
create a static route to IP address 171.11.0.0 through gateway 171.11.2.1 you would enter:
-> ip static-route 171.11.0.0 gateway 171.11.2.1
The subnet mask is not required if you want to use the natural subnet mask. By default, the switch imposes
a natural mask on the IP address. In the above example, the Class B mask of 255.255.0.0 is implied. If you
do not want to use the natural mask, you must enter a subnet mask. For example, to create a static route to
IP address 10.255.11.0, you would have to enter the Class C mask of 255.255.255.0:
-> ip static-route 10.255.11.0 mask 255.255.255.0 gateway 171.11.2.1
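The natural-mask rule applies both to ip static-route (above) and to the ip interface mask reset described under "Modifying an IP Router Interface". The following added example (not Alcatel code; IpInterface, static_route and page_walkthrough are illustrative models, not OmniSwitch APIs) replays both: re-addressing the Accounting interface without restating its /24 mask silently returns it to 255.0.0.0, and a static route to 10.255.11.0 entered without a mask covers all of 10.0.0.0/8, far more than intended.

```python
"""Classful "natural" mask behaviour of ip interface and ip static-route.

Added example (not Alcatel code). It models the two rules the page
describes: an address given without a mask gets its classful mask, and
re-addressing an interface without restating a non-default mask resets
that mask. IpInterface and static_route are illustrative models only.
"""
import ipaddress
from typing import Optional


def natural_mask(addr: str) -> str:
    """Classful mask implied by the first octet (class A/B/C only)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{addr} is not a class A/B/C unicast address")


class IpInterface:
    """Minimal model of an IP router interface's address/mask state."""

    def __init__(self, name: str, address: str, vlan: int, mask: Optional[str] = None):
        self.name, self.vlan = name, vlan
        self.address: Optional[str] = None
        self.mask: Optional[str] = None
        self.configure(address=address, mask=mask)

    def configure(self, address: Optional[str] = None, mask: Optional[str] = None) -> None:
        """Mirror 'ip interface <name> [address A] [mask M]' overwrite semantics."""
        if address is not None:
            self.address = address
            # The gotcha from the page: a new address with no mask keyword
            # reverts the mask to the natural mask, discarding any earlier value.
            self.mask = mask or natural_mask(address)
        elif mask is not None:
            self.mask = mask

    def network(self) -> str:
        return str(ipaddress.ip_network(f"{self.address}/{self.mask}", strict=False))


def static_route(dest: str, gateway: str, mask: Optional[str] = None, metric: int = 1) -> dict:
    """Model 'ip static-route <dest> [mask M] gateway G [metric N]'."""
    if not 1 <= metric <= 15:
        raise ValueError("metric range is 1 to 15")
    net = ipaddress.ip_network(f"{dest}/{mask or natural_mask(dest)}", strict=False)
    return {"network": str(net), "gateway": gateway, "metric": metric}


def page_walkthrough() -> dict:
    """Replay the Accounting interface and the 10.255.11.0 static route from the page."""
    acct = IpInterface("Accounting", "71.0.0.1", vlan=955)
    mask_at_creation = acct.mask                       # natural class A mask
    acct.configure(mask="255.255.255.0")               # ip interface Accounting mask 255.255.255.0
    acct.configure(address="40.0.0.1")                 # ip interface Accounting address 40.0.0.1
    mask_after_readdress = acct.mask                   # silently back to 255.0.0.0
    acct.configure(address="40.0.0.1", mask="255.255.255.0")
    mask_when_restated = acct.mask
    return {
        "mask_at_creation": mask_at_creation,
        "mask_after_readdress": mask_after_readdress,
        "mask_when_restated": mask_when_restated,
        # Without the mask keyword the route covers all of 10/8, not just 10.255.11.0/24.
        "route_without_mask": static_route("10.255.11.0", "171.11.2.1")["network"],
        "route_with_mask": static_route("10.255.11.0", "171.11.2.1", "255.255.255.0")["network"],
        "class_b_route": static_route("171.11.0.0", "171.11.2.1")["network"],
    }
```

The wider-than-intended route is the point worth checking after any static-route change: show ip route should list 10.255.11.0/24, not 10.0.0.0/8, otherwise traffic for every other 10.x network is being sent to that gateway.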
When you create a static route, the default metric value of 1 is used. However, you can change the priority
of the route by increasing its metric value. The lower the metric value, the higher the priority. This metric
is added to the metric cost of the route. The metric range is 1 to 15.
For example:
-> ip static-route 10.255.11.0 mask 255.255.255.0 gateway 171.11.2.1 metric 5
Static routes do not age out of the IP Forwarding table; you must delete them from the table. Use the no ip
static-route command to delete a static route. You must specify the destination IP address of the route as
well as the IP address of the first hop (gateway). For example, to delete a static route to IP address
171.11.0.0 through gateway 171.11.2.1 you would enter:
-> no ip static-route 171.11.0.0 gateway 171.11.2.1
The IP Forwarding table includes routes learned through one of the routing protocols (RIP, OSPF, BGP)
as well as any static routes that are configured. Use the show ip route command to display the IP
Forwarding table.
Note. A static route is not active unless the gateway it is using is active.
Creating a Default Route
A default route can be configured for packets destined for networks that are unknown to the switch. Use
the ip static-route command to create a default route. You must specify a default route of 0.0.0.0 with a
subnet mask of 0.0.0.0 and the IP address of the next hop (gateway). For example, to create a default route
through gateway 171.11.2.1 you would enter:
-> ip static-route 0.0.0.0 mask 0.0.0.0 gateway 171.11.2.1
Note. You cannot create a default route by using the EMP port as a gateway.
Configuring Address Resolution Protocol (ARP)
To send packets on a locally connected network, the switch uses ARP to match the IP address of a device
with its physical (MAC) address. To send a data packet to a device with which it has not previously
communicated, the switch first broadcasts an ARP request packet. The ARP request packet requests the
Ethernet hardware address corresponding to an Internet address. All hosts on the receiving Ethernet
receive the ARP request, but only the host with the specified IP address responds. If present and functioning, the host with the specified IP address responds with an ARP reply packet containing its hardware
address. The switch receives the ARP reply packet, stores the hardware address in its ARP cache for
future use, and begins exchanging packets with the receiving device.
The switch stores the hardware address in its ARP cache (ARP table). The table contains a listing of IP
addresses and their corresponding translations to MAC addresses. Entries in the table are used to translate
32-bit IP addresses into 48-bit Ethernet or IEEE 802.3 hardware addresses. Dynamic addresses remain in
the table until they time out. You can set this time-out value and you can also manually add or delete
permanent addresses to/from the table.
Adding a Permanent Entry to the ARP Table
As described above, dynamic entries remain in the ARP table for a specified time period before they are
automatically removed. However, you can create a permanent entry in the table.
Use the arp command to add a permanent entry to the ARP table. You must enter the IP address of the
entry followed by its physical (MAC) address. For example, to create an entry for IP address 171.11.1.1
with a corresponding physical address of 00:05:02:c0:7f:11, you would enter:
-> arp 171.11.1.1 00:05:02:c0:7f:11
When you add an entry to the ARP table, the IP address and hardware address (MAC address) are
required. Optionally, you may also specify:
• Alias. Use the alias keyword to specify that the switch will act as an alias (proxy) for this IP address.
When the alias option is used, the switch responds to all ARP requests for the specified IP address with
its own MAC address. Note that this option is not related to Proxy ARP as defined in RFC 925.
For example:
-> arp 171.11.1.1 00:05:02:c0:7f:11 alias
Use the show arp command to display the ARP table.
Note. Because most hosts support the use of address resolution protocols to determine and cache address
information (called dynamic address resolution), you generally do not need to specify permanent ARP
entries.
Deleting a Permanent Entry from the ARP Table
Permanent entries do not age out of the ARP table. Use the no arp command to delete a permanent entry
from the ARP table. When deleting an ARP entry, you only need to enter the IP address. For example, to
delete an entry for IP address 171.11.1.1, you would enter:
-> no arp 171.11.1.1
Use the show arp command to display the ARP table and verify that the entry was deleted.
Note. You can also use the no arp command to delete a dynamic entry from the table.
Clearing a Dynamic Entry from the ARP Table
Dynamic entries can be cleared using the clear arp-cache command. This command clears all dynamic
entries. Permanent entries must be cleared using the no arp command.
Use the show arp command to display the table and verify that the table was cleared.
Note. Dynamic entries remain in the ARP table until they time out. If the switch does not receive data
from a host for this user-specified time, the entry is removed from the table. If another packet is received
from this host, the switch goes through the discovery process again to add the entry to the table. The
switch uses the MAC Address table time-out value as the ARP time-out value. Use the mac-address-table
aging-time command to set the time-out value.
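The ARP table behaviour described in the preceding sections (dynamic entries that age out on the MAC table aging timer, permanent entries added with arp, the alias option, no arp and clear arp-cache) is modelled in the following added example. It is not Alcatel code; ArpTable is an illustrative model, and two points are assumptions rather than statements from the page: that a dynamic reply never overwrites a permanent entry (which is what makes a permanent entry useful against ARP poisoning of a critical binding), and that replies for the switch's own interface addresses are handled elsewhere and are not modelled here.

```python
"""Model of the switch ARP cache: dynamic entries age out, permanent
entries do not, and an alias entry makes the switch answer for the IP.

Added example (not Alcatel code). Assumptions: the aging clock is the
MAC address table aging time (as the page states), dynamic learning does
not overwrite a permanent entry, and replies for the switch's own
interface addresses are handled elsewhere and not modelled here.
"""
from typing import Dict, List, Optional


class ArpTable:
    def __init__(self, switch_mac: str, aging_time: int = 300):
        self.switch_mac = switch_mac
        self.aging_time = aging_time       # mac-address-table aging-time (seconds)
        self.entries: Dict[str, dict] = {}

    # --- learning and ageing of dynamic entries ------------------------
    def learn(self, ip: str, mac: str, now: int) -> bool:
        """Record (or refresh) a dynamic binding seen in an ARP reply."""
        current = self.entries.get(ip)
        if current and current["permanent"]:
            return False    # a pinned binding is not replaced by what the wire says
        self.entries[ip] = {"mac": mac, "permanent": False, "alias": False, "last_seen": now}
        return True

    def age(self, now: int) -> List[str]:
        """Drop dynamic entries idle for aging_time seconds; return what was dropped."""
        expired = [ip for ip, e in self.entries.items()
                   if not e["permanent"] and now - e["last_seen"] >= self.aging_time]
        for ip in expired:
            del self.entries[ip]
        return expired

    # --- operator commands ---------------------------------------------
    def arp(self, ip: str, mac: str, alias: bool = False) -> None:
        """-> arp <ip> <mac> [alias]"""
        self.entries[ip] = {"mac": mac, "permanent": True, "alias": alias, "last_seen": None}

    def no_arp(self, ip: str) -> bool:
        """-> no arp <ip>  (removes a permanent or a dynamic entry)"""
        return self.entries.pop(ip, None) is not None

    def clear_arp_cache(self) -> int:
        """-> clear arp-cache  (dynamic entries only); returns how many were removed"""
        before = len(self.entries)
        self.entries = {ip: e for ip, e in self.entries.items() if e["permanent"]}
        return before - len(self.entries)

    # --- lookups -------------------------------------------------------
    def lookup(self, ip: str) -> Optional[str]:
        e = self.entries.get(ip)
        return e["mac"] if e else None

    def reply_for_request(self, target_ip: str) -> Optional[str]:
        """MAC the switch puts in an ARP reply for target_ip, or None if it stays silent."""
        e = self.entries.get(target_ip)
        return self.switch_mac if e and e["alias"] else None
```

Note the asymmetry the page describes: clear arp-cache leaves permanent entries in place, while no arp removes either kind, so an operator clearing a suspected poisoned cache still has to check show arp for stale permanent entries.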
Local Proxy ARP
The Local Proxy ARP feature is an extension of the Proxy ARP feature, but is enabled on an IP interface
and applies to the VLAN bound to that interface. When Local Proxy ARP is enabled, all ARP requests
received on VLAN member ports are answered with the MAC address of the IP interface that has Local
Proxy ARP enabled. In essence, all VLAN traffic is now routed within the VLAN instead of bridged and
all ARP requests are blocked between ports in the same VLAN.
This feature is intended for use with port mapping applications where VLANs are one-port connections.
This allows hosts on the port mapping device to communicate via the router. ARP packets are still bridged
across multiple ports.
Note that Local Proxy ARP takes precedence over any switch-wide Proxy ARP or ARP function. In addition, it is not necessary to configure Proxy ARP in order to use Local Proxy ARP. The two features are
independent of each other.
By default, Local Proxy ARP is disabled when an IP interface is created. To enable this feature, use the
ip interface command. For example:
-> ip interface Accounting local-proxy-arp
Note. The ip interface command is not supported in Release 5.3.1. For this release use the vlan router ip
command instead. See the OmniSwitch CLI Reference Guide for more information.
Note that when Local Proxy ARP is enabled for any one IP router interface associated with a VLAN, the
feature is applied to the entire VLAN. It is not necessary to enable it for each interface. However, if the IP
interface that has this feature enabled is moved to another VLAN, Local Proxy ARP is enabled for the
new VLAN and must be enabled on another interface for the old VLAN.
ARP Filtering
ARP filtering is used to determine whether or not the switch responds to ARP requests that contain a
specific IP address. This feature is generally used in conjunction with the Local Proxy ARP application;
however, ARP filtering is available for use on its own and/or with other applications.
By default, no ARP filters exist in the switch configuration. When there are no filters present, all ARP
packets are processed, unless they are blocked or redirected by some other feature.
Use the arp filter command to specify the following parameter values required to create an ARP filter:
• An IP address (e.g., 193.204.173.21) used to determine whether or not an ARP packet is filtered.
• An IP mask (e.g. 255.0.0.0) used to identify which part of the ARP packet IP address is compared to
the filter IP address.
• An optional VLAN ID to specify that the filter is only applied to ARP packets from that VLAN.
• Which ARP packet IP address to use for filtering (sender or target). If the target IP address in the ARP
packet matches a target IP specified in a filter, then the disposition for that filter applies to the ARP
packet. If the sender IP address in the ARP packet matches a sender IP specified in a filter, then the
disposition for that filter applies to the ARP packet.
• The filter disposition (block or allow). If an ARP packet meets filter criteria, the switch is either
blocked from responding to the packet or allowed to respond to the packet depending on the filter
disposition. Packets that do not meet any filter criteria are responded to by the switch.
The following arp filter command example creates an ARP filter, which will block the switch from
responding to ARP packets that contain a sender IP address that starts with 198:
-> arp filter 198.0.0.0 mask 255.0.0.0 sender block
Up to 200 ARP filters can be defined on a single switch. To remove an individual filter, use the no form of
the arp filter command. For example:
-> no arp filter 198.0.0.0
To clear all ARP filters from the switch configuration, use the clear arp filter command. For example:
-> clear arp filter
Use the show arp filter command to verify the ARP filter configuration. For more information about this
and other ARP filter commands, see the OmniSwitch CLI Reference Guide.
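The filter parameters listed above (IP address, mask, optional VLAN, sender or target, block or allow, a 200-filter limit, and "respond when nothing matches") are enough to write down the decision the switch makes. The following added example (not Alcatel code; ArpFilter and ArpFilterTable are illustrative models) does so and replays the 198.0.0.0/255.0.0.0 sender block filter against constructed requests. Two details are assumptions: that a host mask (255.255.255.255), target and block are the defaults, and that the first matching filter in configuration order decides.

```python
"""ARP filter evaluation as described above: a filter is an IP, a mask,
an optional VLAN, the packet field it inspects (sender or target) and a
disposition (block or allow); requests that match no filter are answered.

Added example (not Alcatel code). Assumptions: 255.255.255.255, target
and block are the defaults, and the first matching filter decides.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_FILTERS = 200          # per-switch limit stated on the page


@dataclass(frozen=True)
class ArpFilter:
    ip: str
    mask: str = "255.255.255.255"
    vlan: Optional[int] = None
    field: str = "target"       # "sender" or "target"
    disposition: str = "block"  # "block" or "allow"

    def matches(self, pkt: dict) -> bool:
        if self.vlan is not None and pkt["vlan"] != self.vlan:
            return False
        addr = pkt["sender_ip"] if self.field == "sender" else pkt["target_ip"]
        m = int(ipaddress.IPv4Address(self.mask))
        return int(ipaddress.IPv4Address(addr)) & m == int(ipaddress.IPv4Address(self.ip)) & m


class ArpFilterTable:
    def __init__(self) -> None:
        self.filters: List[ArpFilter] = []

    def add(self, f: ArpFilter) -> None:             # -> arp filter ...
        if len(self.filters) >= MAX_FILTERS:
            raise ValueError(f"at most {MAX_FILTERS} ARP filters per switch")
        self.filters.append(f)

    def remove(self, ip: str) -> None:               # -> no arp filter <ip>
        self.filters = [f for f in self.filters if f.ip != ip]

    def clear(self) -> None:                         # -> clear arp filter
        self.filters.clear()

    def should_respond(self, pkt: dict) -> bool:
        """True if the switch may answer this ARP request."""
        for f in self.filters:
            if f.matches(pkt):
                return f.disposition == "allow"
        return True                                  # no filter matched: respond


def page_example() -> dict:
    table = ArpFilterTable()
    # -> arp filter 198.0.0.0 mask 255.0.0.0 sender block   (from the page)
    table.add(ArpFilter("198.0.0.0", mask="255.0.0.0", field="sender", disposition="block"))
    # A second, constructed filter scoped to VLAN 20 on the target address.
    table.add(ArpFilter("198.51.100.1", vlan=20, field="target", disposition="block"))
    # Constructed sample requests using RFC 5737 documentation addresses.
    from_198 = {"vlan": 10, "sender_ip": "198.51.100.7", "target_ip": "198.51.100.1"}
    from_203 = {"vlan": 10, "sender_ip": "203.0.113.9", "target_ip": "198.51.100.1"}
    on_vlan20 = {"vlan": 20, "sender_ip": "203.0.113.9", "target_ip": "198.51.100.1"}
    return {
        "blocked_198": table.should_respond(from_198),         # sender 198.x matches filter 1
        "allowed_203": table.should_respond(from_203),         # nothing matches on VLAN 10
        "vlan20_target_blocked": table.should_respond(on_vlan20),
    }
```

Because the default is to respond, a block filter only restricts whom the switch answers; it does not stop the request from being bridged to other ports in the VLAN, which is why the page pairs ARP filtering with Local Proxy ARP.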
IP Configuration
IP is enabled on the switch by default and there are few options that can, or need to be, configured. This
section provides instructions for some basic IP configuration options.
Configuring the Router Primary Address
The router primary address is used by advanced routing protocols (e.g., OSPF) to identify the switch on
the network. It is also the address that is used to access the switch for management purposes.
Use the ip router primary-address command to configure the router primary address. Enter the
command, followed by the IP address. For example, to configure a router primary address of 172.22.2.115,
you would enter:
-> ip router primary-address 172.22.2.115
Configuring the Router ID
The router ID is used by OSPF to identify the switch on the network. By default, the router primary address
is used as the router ID. If a primary address has not been configured, or a different identifier is wanted,
configure the router ID explicitly. The router ID can be any 32-bit number.
Use the ip router router-id command to configure the router ID. Enter the command, followed by the IP
address. For example, to configure a router ID of 172.22.2.115, you would enter:
-> ip router router-id 172.22.2.115
Configuring the Time-to-Live (TTL) Value
The TTL value is the default value inserted into the TTL field of the IP header of datagrams originating
from the switch whenever a TTL value is not supplied by the transport layer protocol. The value is
measured in hops.
Use the ip default-ttl command to set the TTL value. Enter the command, followed by the TTL value. For
example, to set a TTL value of 75, you would enter:
-> ip default-ttl 75
The default hop count is 64. The valid range is 1 to 255. Use the show ip config command to display the
default TTL value.
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram whose destination address has all ones (or all zeros) in the host
portion, that is, the broadcast address of a subnet to which the sender is not directly attached. Directed
broadcasts are used in denial-of-service "smurf" attacks: a continuous stream of ICMP echo requests is sent
from a falsified (spoofed) source address to a directed broadcast address, every host on that subnet replies,
and the resulting stream of replies can overload the host whose address was spoofed. By default, the switch
drops directed broadcasts. Typically, directed broadcasts should not be enabled.
Use the ip directed-broadcast command to enable or disable IP-directed broadcasts. For example:
-> ip directed-broadcast off
Use the show ip config command to display the IP-directed broadcast state.
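The following added example (not Alcatel code; forwarding_decision and smurf_reply_potential are illustrative functions, and the subnet lists are constructed) encodes the rule above: a packet to the broadcast or network address of a connected subnet other than the one it arrived on is a directed broadcast and is dropped unless ip directed-broadcast is on, while a broadcast on the ingress subnet itself and the limited broadcast 255.255.255.255 are handled as usual. It also shows the amplification factor a reflector subnet offers a smurf attacker.

```python
"""Directed-broadcast handling as described above.

Added example (not Alcatel code): classify a destination against the
subnets the switch has interfaces on and decide whether the default
'ip directed-broadcast off' drops it; estimate smurf amplification.
Subnet lists used here are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from typing import Iterable

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def forwarding_decision(dst: str, ingress_subnet: str, connected: Iterable[str],
                        directed_broadcast_on: bool = False) -> str:
    """What the router does with a packet to dst that arrived from ingress_subnet."""
    d = ipaddress.IPv4Address(dst)
    ingress = ipaddress.IPv4Network(ingress_subnet)
    if d == LIMITED_BROADCAST:
        return "limited-broadcast: never forwarded"
    for s in connected:
        net = ipaddress.IPv4Network(s)
        # The page defines a directed broadcast by an all-ones or all-zeros host part.
        if d in (net.broadcast_address, net.network_address):
            if net == ingress:
                return "local-broadcast: delivered on the ingress subnet"
            return ("directed-broadcast: forwarded" if directed_broadcast_on
                    else "directed-broadcast: dropped")
    return "unicast: routed"


def smurf_reply_potential(subnet: str) -> int:
    """Hosts that could answer one spoofed echo request sent to this subnet's broadcast."""
    return ipaddress.IPv4Network(subnet).num_addresses - 2
```

With the default left in place, the switch is neither a smurf reflector nor a relay for one; the amplification figure is the reason to leave it that way.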
Denial of Service (DoS) Filtering
By default, the switch filters denial of service (DoS) attacks, which are attacks aimed at devices that are
reachable on a private network or the Internet. Some of these attacks target system bugs or vulnerabilities
(for example, teardrop attacks), while others generate large volumes of traffic so that network service is
denied to legitimate network users (for example, pepsi attacks). The attacks detected include the following:
• ICMP Ping of Death—Ping packets whose reassembled size exceeds the largest IP datagram size (65535
bytes) are sent to a host and hang or crash the system.
• SYN Attack—Floods a system with a series of TCP SYN packets, resulting in the host issuing SYN-ACK
responses. The half-open TCP connections can exhaust TCP resources, such that no other TCP
connections are accepted.
• Land Attack—Spoofed TCP SYN packets whose source address and port equal the destination address
and port are sent to an open, listening port on the host. The machine may hang or reboot in an attempt
to respond to itself.
• Teardrop/Bonk/Boink attacks—These attacks generate overlapping IP fragments to exploit IP stack
reassembly vulnerabilities. If fragments overlap the way these attacks generate them, an attack is
recorded. Since teardrop, bonk, and boink all use the same IP fragmentation mechanism, there is no
distinction between detection of these attacks. Old IP fragments in the fragmentation queue are also
reaped once the reassembly queue grows above a certain size.
• Pepsi Attack—The most common form of UDP flooding directed at harming networks. A pepsi attack
consists of a large number of spoofed UDP packets aimed at diagnostic ports (such as echo and chargen)
on network devices. This can cause network devices to use up a large amount of CPU time responding
to these packets.
The switch can be set to detect various types of port scans by monitoring for TCP or UDP packets sent to
open or closed ports. Monitoring is done in the following manner:
• Packet penalty values set. TCP and UDP packets destined for open or closed ports are assigned a
penalty value. Each time a packet of this type is received, its assigned penalty value is added to a
running total. This total is cumulative and includes all TCP and UDP packets destined for open or
closed ports.
• Port scan penalty value threshold. The switch is given a port scan penalty value threshold. This
number is the maximum value the running penalty total can reach before an SNMP trap is triggered.
• Decay value. A decay value is set. The running penalty total is divided by the decay value every
minute.
• Trap generation. If the total penalty value exceeds the set port scan penalty value threshold, a trap is
generated to alert the administrator that a port scan may be in progress.
For example, imagine that a switch is set so that TCP and UDP packets destined for closed ports are given
a penalty of 10, TCP packets destined for open ports are given a penalty of 5, and UDP packets destined
for open ports are given a penalty of 20. The decay is set to 2, and the switch port scan penalty value
threshold is set to 2000:
[Figure: OmniSwitch 9700 with DoS settings UDP/TCP closed = 10, UDP open = 20, TCP open = 5, Threshold = 2000, Decay = 2; starting Penalty Total = 0]
In one minute, 10 TCP closed port packets and 10 UDP closed port packets are received. This would bring
the total penalty value to 200, as shown using the following equation:
(10 TCP X 10 penalty) + (10 UDP X 10 penalty) = 200
This value would be divided by 2 (due to the decay) and decreased to 100. The switch would not record a
port scan:
[Figure: same DoS settings; 10 TCP closed port packets and 10 UDP closed port packets received; no DoS attack warning trap generated; Minute 1 Penalty Total = 100]
In the next minute, 10 more TCP and UDP closed port packets are received, along with 200 UDP open
port packets. This would bring the total penalty value to 4300, as shown using the following equation:
(100 previous minute value) + (10 TCP X 10 penalty) + (10 UDP X 10 penalty) +
(200 UDP X 20 penalty) = 4300
This value would be divided by 2 (due to decay) and decreased to 2150. The switch would record a port
scan and generate a trap to warn the administrator:
[Figure: same DoS settings; 10 TCP closed port packets, 10 UDP closed port packets and 200 UDP open port packets received; DoS attack warning trap generated; Minute 2 Penalty Total = 2150]
The above functions and how to set their values are covered in the sections that follow.
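The two-minute scenario above, and the penalty, threshold, decay and trap settings described in the sections that follow, are replayed in the following added example. It is not Alcatel code; ScanMonitor and DosSettings are illustrative models rather than OmniSwitch APIs, and the per-minute ordering (add the minute's penalties, divide by the decay value, then compare with the threshold) together with integer division are assumptions chosen because they reproduce the page's numbers. A second function shows why the decay matters: constant legitimate traffic settles at a level well below a sensibly chosen threshold instead of accumulating forever.

```python
"""Port-scan penalty accounting described above, replayed as code.

Added example (not Alcatel code). The per-minute ordering (add the
minute's penalties, divide by the decay value, then compare with the
threshold) and the use of integer division are assumptions that
reproduce the numbers on the page.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DosSettings:
    closed_port_penalty: int = 10   # ip dos scan close-port-penalty
    tcp_open_penalty: int = 5       # ip dos scan tcp open-port-penalty
    udp_open_penalty: int = 20      # ip dos scan udp open-port-penalty
    threshold: int = 2000           # ip dos scan threshold
    decay: int = 2                  # ip dos scan decay
    traps_enabled: bool = True      # ip dos trap enable


@dataclass
class ScanMonitor:
    settings: DosSettings
    total: int = 0
    traps: List[Tuple[int, int]] = field(default_factory=list)   # (minute, total)

    def penalty_for(self, proto: str, port_open: bool) -> int:
        s = self.settings
        if not port_open:
            return s.closed_port_penalty          # same value for TCP and UDP
        return s.tcp_open_penalty if proto == "tcp" else s.udp_open_penalty

    def observe(self, proto: str, port_open: bool, count: int = 1) -> None:
        """Account for `count` packets of one kind arriving in the current minute."""
        self.total += count * self.penalty_for(proto, port_open)

    def end_of_minute(self, minute: int) -> int:
        """Apply decay, then raise a trap if the total is still above threshold."""
        self.total //= self.settings.decay
        if self.settings.traps_enabled and self.total > self.settings.threshold:
            self.traps.append((minute, self.total))
        return self.total


def page_example() -> Tuple[int, int, List[Tuple[int, int]]]:
    """The two-minute scenario from the page: 100, then 2150 and a trap."""
    m = ScanMonitor(DosSettings())
    m.observe("tcp", port_open=False, count=10)      # minute 1
    m.observe("udp", port_open=False, count=10)
    minute1 = m.end_of_minute(1)                     # (100 + 100) // 2 = 100
    m.observe("tcp", port_open=False, count=10)      # minute 2
    m.observe("udp", port_open=False, count=10)
    m.observe("udp", port_open=True, count=200)
    minute2 = m.end_of_minute(2)                     # (100 + 200 + 4000) // 2 = 2150
    return minute1, minute2, m.traps


def steady_background(settings: DosSettings, tcp_open_per_minute: int, minutes: int) -> List[int]:
    """Penalty totals under constant legitimate TCP traffic to open ports.

    With decay 2 the total converges to about one minute's worth of
    penalty, so the threshold should sit well above that level.
    """
    m = ScanMonitor(settings)
    history = []
    for minute in range(1, minutes + 1):
        m.observe("tcp", port_open=True, count=tcp_open_per_minute)
        history.append(m.end_of_minute(minute))
    return history
```

Running steady_background with the page's settings and 50 TCP packets to open ports per minute settles at a total of 249, an order of magnitude below the 2000 threshold; the closed-port and UDP-open penalties are deliberately higher because those are what a scan produces and normal traffic does not.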
Setting Penalty Values
There are three types of traffic you can set a penalty value for:
• TCP/UDP packets bound for closed ports.
• TCP traffic bound for open ports.
• UDP traffic bound for open ports.
Each type has its own command to assign a penalty value. Penalty values can be any non-negative integer. Each time a packet is received that matches an assigned penalty, the total penalty value for the switch
is increased by the penalty value of the packet in question.
To assign a penalty value to TCP/UDP packets bound for a closed port, use the ip dos scan close-port-penalty
command with a penalty value. For example, to assign a penalty value of 10 to TCP/UDP packets
destined for closed ports, enter the following:
-> ip dos scan close-port-penalty 10
To assign a penalty value to TCP packets bound for an open port, use the ip dos scan tcp open-port-penalty
command with a penalty value. For example, to assign a penalty value of 10 to TCP packets
destined for open ports, enter the following:
-> ip dos scan tcp open-port-penalty 10
To assign a penalty value to UDP packets bound for an open port, use the ip dos scan udp open-port-penalty
command with a penalty value. For example, to assign a penalty value of 10 to UDP packets
destined for open ports, enter the following:
-> ip dos scan udp open-port-penalty 10
Setting the Port Scan Penalty Value Threshold
The port scan penalty value threshold is the highest point the total penalty value for the switch can reach
before a trap is generated informing the administrator that a port scan is in progress.
To set the port scan penalty value threshold, enter the threshold value with the ip dos scan threshold
command. For example, to set the port scan penalty value threshold to 2000, enter the following:
-> ip dos scan threshold 2000
Setting the Decay Value
The decay value is the amount by which the total penalty value is divided every minute. As the switch records
incoming UDP and TCP packets, it adds their assigned penalty values together to create the total penalty
value for the switch. To prevent the switch from registering a port scan from normal traffic, the decay
value lowers the total penalty value every minute to compensate for normal traffic flow.
To set the decay value, enter the decay value with the ip dos scan decay command. For example, to set the
decay value to 2, enter the following:
-> ip dos scan decay 2
Enabling DoS Traps
DoS traps must be enabled in order for the switch to warn the administrator that a port scan may be in
progress when the switch’s total penalty value crosses the port scan penalty value threshold.
To enable SNMP trap generation, enter the ip dos trap command, as shown:
-> ip dos trap enable
To disable DoS traps, enter the same ip dos trap command, as shown:
-> ip dos trap disable
Enabling/Disabling IP Services
When a switch initially boots up, all supported TCP/UDP well-known service ports are enabled (open).
Although these ports provide access for essential switch management services, such as telnet, ftp, snmp,
etc., they also expose the switch to DoS attacks: an attacker can scan for open service ports and launch such
attacks based on well-known port information. Closing services that are not needed (for example, telnet
and ftp where ssh is used instead) reduces that exposure.
The ip service command allows you to selectively disable (close) TCP/UDP well-known service ports and
enable them when necessary. This command only operates on TCP/UDP ports that are opened by default.
It has no effect on ports that are opened by loading applications, such as RIP and BGP.
In addition, the ip service command allows you to designate which port to enable or disable by specifying
the name of a service or the well-known port number associated with that service. For example, both of the
following commands disable the telnet service:
-> no ip service telnet
-> no ip service port 23
Note that specifying a port number requires the use of the optional port keyword.
To enable or disable more than one service in a single command line, enter each service name separated by
a space. For example, the following command enables the telnet, ftp, and snmp service ports:
-> ip service telnet ftp snmp
The following table lists ip service command options for specifying TCP/UDP services and also includes
the well-known port number associated with each service:
service             port
ftp                 21
ssh                 22
telnet              23
http                80
secure-http         443
avlan-http          260
avlan-secure-http   261
avlan-telnet        259
udp-relay           67
network-time        123
snmp                161
proprietary         1024
proprietary         1025
Managing IP
The following sections describe IP commands that can be used to monitor and troubleshoot IP forwarding
on the switch.
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP) is a network layer protocol within the IP protocol suite that
provides message packets to report errors and other IP packet processing information back to the source.
ICMP generates several kinds of useful messages, including Destination Unreachable, Echo Request and
Reply, Redirect, Time Exceeded, and Router Advertisement and Solicitation. If an ICMP message cannot
be delivered, a second one is not generated. This prevents an endless flood of ICMP messages.
When an ICMP destination-unreachable message is sent by a switch, it means that the switch is unable to
send the packet to its final destination. The switch then discards the original packet. There are two
reasons why a destination might be unreachable. Most commonly, the source host has specified a nonexistent address. Less frequently, the switch does not have a route to the destination. The destination-unreachable messages include four basic types:
• Network-Unreachable Message—Usually means that a failure has occurred in the route lookup of the
destination IP in the packet.
• Host-Unreachable Message—Usually indicates delivery failure, such as an unresolved client's hardware
address or an incorrect subnet mask.
• Protocol-Unreachable Message—Usually means that the destination does not support the upper-layer
protocol specified in the packet.
• Port-Unreachable Message—Implies that the TCP/UDP socket or port is not available.
Additional ICMP messages include:
• Echo-Request Message—Generated by the ping command, the message is sent by any host to test node
reachability across an internetwork. The ICMP echo-reply message indicates that the node can be
successfully reached.
• Redirect Message—Sent by the switch to the source host to stimulate more efficient routing. The
switch still forwards the original packet to the destination. ICMP redirect messages allow host routing
tables to remain small because it is necessary to know the address of only one switch, even if that
switch does not provide the best path. Even after receiving an ICMP redirect message, some devices
might continue using the less-efficient route.
• Time-Exceeded Message—Sent by the switch if an IP packet’s TTL field reaches zero. The TTL field
prevents packets from continuously circulating the internetwork if the internetwork contains a routing
loop. Once a packet’s TTL field reaches 0, the switch discards the packet.
Activating ICMP Control Messages
ICMP messages are identified by a type and a code. This number pair specifies an ICMP message. For
example, ICMP type 4, code 0, specifies the source quench ICMP message.
To enable or disable an ICMP message, use the icmp type command with the type and code. For example, to enable the source quench ICMP message (type 4, code 0) enter the following:
-> icmp type 4 code 0 enable
The following table identifies the various ICMP messages and their type and code:
ICMP Message                        Type  Code
echo reply                          0     0
network unreachable                 3     0
host unreachable                    3     1
protocol unreachable                3     2
port unreachable                    3     3
frag needed but DF bit set          3     4
source route failed                 3     5
destination network unknown         3     6
destination host unknown            3     7
source host isolated                3     8
dest network admin prohibited       3     9
host admin prohibited by filter     3     10
network unreachable for TOS         3     11
host unreachable for TOS            3     12
source quench                       4     0
redirect for network                5     0
redirect for host                   5     1
redirect for TOS and network        5     2
redirect for TOS and host           5     3
echo request                        8     0
router advertisement                9     0
router solicitation                 10    0
time exceeded during transmit       11    0
time exceeded during reassembly     11    1
ip header bad                       12    0
required option missing             12    1
timestamp request                   13    0
timestamp reply                     14    0
information request (obsolete)      15    0
information reply (obsolete)        16    0
address mask request                17    0
address mask reply                  18    0
In addition to the icmp type command, several commonly used ICMP messages have separate CLI
commands for convenience. These commands are listed below with the ICMP message name, type, and
code:
ICMP Message                            Command
Network unreachable (type 0, code 3)    icmp unreachable
Host unreachable (type 3, code 1)       icmp unreachable
Protocol unreachable (type 3, code 2)   icmp unreachable
Port unreachable (type 3, code 3)       icmp unreachable
Echo reply (type 0, code 0)             icmp echo
Echo request (type 8, code 0)           icmp echo
Timestamp request (type 13, code 0)     icmp timestamp
Timestamp reply (type 14, code 0)       icmp timestamp
Address Mask request (type 17, code 0)  icmp addr-mask
Address Mask reply (type 18, code 0)    icmp addr-mask
These commands are entered as the icmp type command, only without specifying a type or code. The
echo, timestamp, and address mask commands have options for distinguishing between a request or a
reply, and the unreachable command has options distinguishing between a network, host, protocol, or port.
For example, to enable an echo request message, enter the following:
-> icmp echo request enable
To enable a network unreachable message, enter the following:
-> icmp unreachable net-unreachable enable
See Chapter 22, “IP Commands,” for specifics on the ICMP message commands.
Enabling All ICMP Types
To enable all ICMP message types, use the icmp messages command with the enable keyword. For example:
-> icmp messages enable
To disable all ICMP messages, enter the same command with the disable keyword. For example:
-> icmp messages disable
Setting the Minimum Packet Gap
The minimum packet gap is the time required between sending messages of a like type. For instance, if the
minimum packet gap for Address Mask request messages is 40 microseconds, and an Address Mask
message is sent, at least 40 microseconds must pass before another one could be sent.
To set the minimum packet gap, use the min-pkt-gap keyword with any of the ICMP control commands.
For example, to set the Source Quench minimum packet gap to 100 microseconds, enter the following:
-> icmp type 4 code 0 min-pkt-gap 100
Likewise, to set the Timestamp Reply minimum packet gap to 100 microseconds, enter the following:
-> icmp timestamp reply min-pkt-gap 100
The default minimum packet gap for ICMP messages is 0.
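The following Python program is an added example; it is not part of this guide or of the OmniSwitch software. It builds and parses ICMP messages using type and code pairs from the table above, and models the control table that the icmp type and min-pkt-gap commands configure: for each (type, code) an enable flag and a minimum gap, in microseconds, between messages of that type. The names ICMP_MESSAGES, IcmpControl and may_send are the example's own, and the rule that a type with no explicit entry is treated as enabled with a gap of 0 is an assumption of the example, not a statement about the switch's defaults.

```python
import struct

# (type, code) -> message name, a subset of the rows in the ICMP table above.
ICMP_MESSAGES = {
    (0, 0): "echo reply",
    (3, 1): "host unreachable",
    (3, 2): "protocol unreachable",
    (3, 3): "port unreachable",
    (4, 0): "source quench",
    (5, 0): "redirect for network",
    (5, 1): "redirect for host",
    (8, 0): "echo request",
    (11, 0): "time exceeded during transmit",
    (13, 0): "timestamp request",
    (14, 0): "timestamp reply",
    (17, 0): "address mask request",
    (18, 0): "address mask reply",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build the ICMP echo request (type 8, code 0) that the ping command sends."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, name, checksum_ok) for a raw ICMP message."""
    if len(packet) < 8:
        raise ValueError("ICMP message is shorter than the 8-byte header")
    icmp_type, code = packet[0], packet[1]
    # A message with a valid checksum sums to zero when the field is included.
    checksum_ok = icmp_checksum(packet) == 0
    return icmp_type, code, ICMP_MESSAGES.get((icmp_type, code), "unknown"), checksum_ok


class IcmpControl:
    """Model of the switch's ICMP control table: per (type, code) an enable flag
    and a minimum packet gap in microseconds between messages of that type."""

    def __init__(self):
        self.entries = {}        # (type, code) -> (enabled, min_pkt_gap_us)
        self.last_sent_us = {}   # (type, code) -> time the last message went out

    def configure(self, icmp_type, code, enabled=True, min_pkt_gap=0):
        """Equivalent of: icmp type <t> code <c> enable|disable / min-pkt-gap <us>."""
        self.entries[(icmp_type, code)] = (enabled, min_pkt_gap)

    def may_send(self, icmp_type, code, now_us):
        """Decide whether a message of this type may leave the switch at now_us.
        Assumption of this example: a type with no entry is enabled with gap 0."""
        key = (icmp_type, code)
        enabled, gap = self.entries.get(key, (True, 0))
        if not enabled:
            return False
        last = self.last_sent_us.get(key)
        if last is not None and now_us - last < gap:
            return False          # suppressed by the minimum packet gap
        self.last_sent_us[key] = now_us
        return True
```

Entering icmp type 4 code 0 disable on the switch corresponds to ctl.configure(4, 0, enabled=False); icmp timestamp reply min-pkt-gap 100 corresponds to ctl.configure(14, 0, min_pkt_gap=100), after which may_send(14, 0, t) refuses a second timestamp reply within 100 microseconds of the previous one.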
ICMP Control Table
The ICMP Control Table displays the ICMP control messages, whether they are enabled or disabled, and
the minimum packet gap times. Use the show icmp control command to display the table.
ICMP Statistics Table
The ICMP Statistics Table displays the ICMP statistics and errors. This data can be used to monitor and
troubleshoot IP on the switch. Use the show icmp statistics command to display the table.
Using the Ping Command
The ping command is used to test whether an IP destination can be reached from the local switch. This
command sends an ICMP echo request to a destination and then waits for a reply. To ping a destination,
enter the ping command and enter either the destination’s IP address or host name. The switch will ping
the destination by using the default frame count, packet size, interval, and time-out parameters (6 frames,
64 bytes, 1 second, and 5 seconds, respectively). For example:
-> ping 172.22.2.115
When you ping a device, the device IP address or host name is required. Optionally, you may also specify:
• Count. Use the count keyword to set the number of frames to be transmitted.
• Size. Use the size keyword to set the size, in bytes, of the data portion of the packet sent for this ping.
You can specify a size or a range of sizes up to 60000.
• Interval. Use the interval keyword to set the frequency, in seconds, that the switch will poll the host.
• Time-out. Use the time-out keyword to set the number of seconds the program will wait for a response
before timing out.
For example, to send a ping with a count of 2, a size of 32 bytes, an interval of 2 seconds, and a time-out
of 10 seconds you would enter:
-> ping 172.22.2.115 count 2 size 32 interval 2 timeout 10
Note. If you change the default values, they will only apply to the current ping. The next time you use the
ping command, the default values will be used unless you enter different values again.
Tracing an IP Route
The traceroute command is used to find the path taken by an IP packet from the local switch to a specified destination. This command displays the individual hops to the destination as well as some timing
information. When using this command, you must enter the name of the destination as part of the
command line (either the IP address or host name). Use the optional max-hop parameter to set a maximum hop count to the destination. If the trace reaches this maximum hop count without reaching the destination, the trace stops.
For example, to perform a traceroute to a device with an IP address of 172.22.2.115 with a maximum hop
count of 10 you would enter:
-> traceroute 172.22.2.115 max-hop 10
Displaying TCP Information
Use the show tcp statistics command to display TCP statistics. Use the show tcp ports command to
display TCP port information.
Displaying UDP Information
UDP is a secondary transport-layer protocol that uses IP for delivery. UDP is not connection-oriented and
does not provide reliable end-to-end delivery of datagrams. But some applications can safely use UDP to
send datagrams that do not require the extra overhead added by TCP. Use the show udp statistics
command to display UDP statistics. Use the show udp ports command to display UDP port information.
Verifying the IP Configuration
A summary of the show commands used for verifying the IP configuration is given here:
show ip interface       Displays the usability status of interfaces configured for IP.
show ip route           Displays the IP Forwarding table.
show ip config          Displays IP configuration parameters.
show ip protocols       Displays switch routing protocol information and status.
show ip service         Displays the current status of TCP/UDP service ports. Includes service
                        name and well-known port number.
show arp                Displays the ARP table.
show arp filter         Displays the ARP filter configuration for the switch (OmniSwitch
                        9000 only).
show icmp control       Displays the ICMP control settings.
show ip dos config      Displays the configuration parameters of the DoS scan for the switch.
show ip dos statistics  Displays the statistics on detected port scans for the switch.
For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
13 Configuring Static Link Aggregation
Alcatel’s static link aggregation software allows you to combine several physical links into one large
virtual link known as a link aggregation group. Using link aggregation provides the following benefits:
• Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8
10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
• Reliability. If one of the physical links in a link aggregate group goes down (unless it is the last one)
the link aggregate group can still operate.
• Ease of Migration. Link aggregation can ease the transition from 100-Mbps Ethernet backbones to
Gigabit Ethernet backbones.
In This Chapter
This chapter describes the basic components of static link aggregation and how to configure them through
the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more
details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Configuring static link aggregation groups on page 13-7.
• Adding and deleting ports from a static aggregate group on page 13-9.
• Modifying static link aggregation default values on page 13-10.
Note. You can also configure and monitor static link aggregation with WebView, Alcatel’s embedded
web-based device management application. WebView is an interactive and easy-to-use GUI that can be
launched from OmniVista or a web browser. Please refer to WebView’s online documentation for more
information on configuring and monitoring static link aggregation with WebView.
Static Link Aggregation Specifications
The table below lists specifications for static groups.
Maximum number of link aggregation groups   32 (per switch or a stack of switches)
Number of links per group supported         2, 4, or 8 (per switch or a stack of switches)
Range for optional group name               1 to 255 characters
CLI Command Prefix Recognition              All static link aggregation configuration commands
                                            support prefix recognition. (Static link aggregation
                                            show commands do not support prefix recognition.)
                                            See the “Using the CLI” chapter in the OmniSwitch
                                            6800/6850/9000 Switch Management Guide for more
                                            information.
Static Link Aggregation Default Values
The table below lists default values and the commands to modify them for static aggregate groups.
Parameter Description     Command                       Default Value/Comments
Administrative State      static linkagg admin state    enabled
Group Name                static linkagg name           No name configured
Quick Steps for Configuring Static Link Aggregation
Follow the steps below for a quick tutorial on configuring a static aggregate link between two switches.
Additional information on how to configure each command is given in the subsections that follow.
1 Create the static aggregate link on the local switch with the static linkagg size command. For example:
-> static linkagg 1 size 4
2 Assign all the necessary ports with the static agg agg num command. For example:
-> static agg 1/1 agg num 1
-> static agg 1/2 agg num 1
-> static agg 1/3 agg num 1
-> static agg 1/4 agg num 1
3 Create a VLAN for this static link aggregate group with the vlan command. For example:
-> vlan 10 port default 1
4 Create the equivalent static aggregate link on the remote switch with the static linkagg size command.
For example:
-> static linkagg 1 size 4
5 Assign all the necessary ports with the static agg agg num command. For example:
-> static agg 1/9 agg num 1
-> static agg 1/10 agg num 1
-> static agg 1/11 agg num 1
-> static agg 1/12 agg num 1
6 Create a VLAN for this static link aggregate group with the vlan command. For example:
-> vlan 10 port default 1
Note. Optional. You can verify your static link aggregation settings with the show linkagg command. For
example:
-> show linkagg 1
Static Aggregate
  SNMP Id                  : 40000001,
  Aggregate Number         : 1,
  SNMP Descriptor          : Omnichannel Aggregate Number 1 ref 40000001 size 4,
  Name                     : ,
  Admin State              : ENABLED,
  Operational State        : UP,
  Aggregate Size           : 4,
  Number of Selected Ports : 4,
  Number of Reserved Ports : 4,
  Number of Attached Ports : 4,
  Primary Port             : 1/1
You can also use the show linkagg port port command to display information on specific ports. See
“Displaying Static Link Aggregation Configuration and Statistics” on page 13-12 for more information on
the show commands.
An example of what these commands look like entered sequentially on the command line on the local
switch:
-> static linkagg 1 size 4
-> static agg 1/1 agg num 1
-> static agg 1/2 agg num 1
-> static agg 1/3 agg num 1
-> static agg 1/4 agg num 1
-> vlan 10 port default 1
And an example of what these commands look like entered sequentially on the command line on the
remote switch:
-> static linkagg 1 size 4
-> static agg 1/9 agg num 1
-> static agg 1/10 agg num 1
-> static agg 1/11 agg num 1
-> static agg 1/12 agg num 1
-> vlan 10 port default 1
Static Link Aggregation Overview
Link aggregation allows you to combine 2, 4, or 8 physical connections into large virtual connections
known as link aggregation groups. You can configure up to 32 link aggregation groups per a standalone
switch or a stack of switches. Each group can consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
You can create Virtual LANs (VLANs), 802.1Q framing, configure Quality of Service (QoS) conditions,
and other networking features on link aggregation groups because the switch’s software treats these virtual
links just like physical links. (See “Relationship to Other Features” on page 13-6 for more information on
how link aggregation interacts with other software features.)
Load balancing for Layer 2 non-IP packets is on a MAC address basis and for IP packets the balancing
algorithm uses IP address as well. Ports must be of the same speed within the same link aggregate group.
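As an added example (not the guide's or the switch's own code), the Python class below models the load-balancing rule just described: a frame is pinned to one member link of the aggregate by hashing its source and destination MAC addresses, and for IP packets the IP addresses as well, and the group keeps forwarding over the surviving links when a member goes down, until the last one is gone. The member list, the sample flows, and the use of sha256 as the hash are the example's own constructions; the switch's actual hashing function is not documented on this page.

```python
import hashlib
from collections import Counter


class LinkAggregate:
    """A static link aggregate: a fixed member list, some of which may be down."""

    def __init__(self, agg_num, member_ports):
        if len(member_ports) not in (2, 4, 8):
            raise ValueError("a group consists of 2, 4, or 8 links")
        self.agg_num = agg_num
        self.members = list(member_ports)   # e.g. ["1/1", "1/2", "1/3", "1/4"]
        self.down = set()

    def link_down(self, port):
        self.down.add(port)

    def link_up(self, port):
        self.down.discard(port)

    def operational_members(self):
        return [p for p in self.members if p not in self.down]

    def select_port(self, src_mac, dst_mac, src_ip=None, dst_ip=None):
        """Pick the member link for one frame. Non-IP frames hash on the MAC pair;
        IP packets hash on the MAC pair and the IP pair, as the text describes.
        Returns None when the last link is down (the aggregate is then down)."""
        active = self.operational_members()
        if not active:
            return None
        key = f"{src_mac}|{dst_mac}"
        if src_ip is not None and dst_ip is not None:
            key += f"|{src_ip}|{dst_ip}"
        # sha256 is used only as a deterministic hash; Python's hash() is salted per process.
        digest = hashlib.sha256(key.encode()).digest()
        return active[int.from_bytes(digest[:4], "big") % len(active)]


def distribution(agg, flows):
    """Count how many flows land on each member link."""
    return Counter(agg.select_port(*flow) for flow in flows)


# Constructed sample flows: (src_mac, dst_mac, src_ip, dst_ip); IPs are None for non-IP frames.
SAMPLE_FLOWS = [
    ("00:d0:95:00:00:01", "00:d0:95:00:00:02", "10.0.0.1", "10.0.1.1"),
    ("00:d0:95:00:00:01", "00:d0:95:00:00:02", "10.0.0.1", "10.0.1.2"),
    ("00:d0:95:00:00:01", "00:d0:95:00:00:02", "10.0.0.3", "10.0.1.1"),
    ("00:d0:95:00:00:01", "00:d0:95:00:00:02", None, None),
    ("00:d0:95:00:00:05", "00:d0:95:00:00:02", None, None),
]
```

One consequence worth noting for capacity planning: because every frame of a flow hashes to the same link, a single flow never gets more than one member link's bandwidth; the aggregate's extra capacity is only seen across many flows.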
Alcatel’s link aggregation software allows you to configure the following two different types of link
aggregation groups:
• Static link aggregate groups
• Dynamic link aggregate groups
This chapter describes static link aggregation. For information on dynamic link aggregation, please refer
to Chapter 14, “Configuring Dynamic Link Aggregation.”
Static Link Aggregation Operation
Static link aggregate groups are virtual links between two nodes consisting of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps fixed physical links. You can configure up to 32 link aggregation groups per a
standalone switch or a stack of switches.
Static aggregate groups can be created between:
• two OmniSwitch 6800 switches.
• two OmniSwitch 6850 switches.
• two OmniSwitch 9000 switches.
• an OmniSwitch 6800 switch and an OmniSwitch 6850, OmniSwitch 9000, OmniSwitch 7700/7800,
OmniSwitch 8800, or OmniSwitch 6600 Series switch.
• an OmniSwitch 6850 switch and an OmniSwitch 6800, OmniSwitch 9000, OmniSwitch 7700/7800,
OmniSwitch 8800, or OmniSwitch 6600 Series switch.
• an OmniSwitch 9000 switch and an OmniSwitch 6800, OmniSwitch 6850, OmniSwitch 7700/7800,
OmniSwitch 8800, or OmniSwitch 6600 Series switch.
• an OmniSwitch 6800, 6850, or 9000 switch and an early-generation Alcatel switch, such as an Omni
Switch/Router.
However, static aggregate groups cannot be created between OmniSwitch 6800, 6850, or 9000 switches
and some switches from other vendors.
The figure below shows a static aggregate group that has been configured between Switch A and Switch
B. The static aggregate group links four ports on a single OS9-GNI-C24 on Switch A to two ports on one
OS9-GNI-C24 and two ports on another OS9-GNI-C24 on Switch B. The network administrator has
created a separate VLAN for this group so users can use this high speed link.
[Figure: Example of a Static Link Aggregate Group Network. Switch A (OmniSwitch 9700) and Switch B (OmniSwitch 9700) are connected by a Static Group; switch software treats the static aggregate group as one large virtual link.]
See “Configuring Static Link Aggregation Groups” on page 13-7 for information on using Command Line
Interface (CLI) commands to configure static aggregate groups and see “Displaying Static Link Aggregation Configuration and Statistics” on page 13-12 for information on using CLI to monitor static aggregate
groups.
Relationship to Other Features
Link aggregation groups are supported by other switch software features. The following features have CLI
commands or command parameters that support link aggregation:
• VLANs. For more information on VLANs see Chapter 5, “Configuring VLANs.”
• 802.1Q. For more information on configuring and monitoring 802.1Q see Chapter 11, “Configuring
802.1Q.”
• Spanning Tree. For more information on Spanning Tree see Chapter 6, “Configuring Spanning Tree
Parameters.”
Note. See “Application Example” on page 13-11 for tutorials on using link aggregation with other
features.
Configuring Static Link Aggregation Groups
This section describes how to use Alcatel’s Command Line Interface (CLI) commands to configure static
link aggregate groups. See “Configuring Mandatory Static Link Aggregate Parameters” on page 13-7 for
more information.
Note. See “Quick Steps for Configuring Static Link Aggregation” on page 13-3 for a brief tutorial on
configuring these mandatory parameters.
Alcatel’s link aggregation software is preconfigured with the default values for static aggregate groups as
shown in the table in “Static Link Aggregation Default Values” on page 13-2. If you need to modify any
of these parameters, please see “Modifying Static Aggregation Group Parameters” on page 13-10 for more
information.
Note. See the “Link Aggregation Commands” chapter in the OmniSwitch CLI Reference Guide for
complete documentation of CLI commands for link aggregation.
Configuring Mandatory Static Link Aggregate Parameters
When configuring static link aggregates on a switch you must perform the following steps:
1 Create the Static Aggregate Group on the Local and Remote Switches. To create a static aggregate
group use the static linkagg size command, which is described in “Creating and Deleting a Static Link
Aggregate Group” on page 13-8.
2 Assign Ports on the Local and Remote Switches to the Static Aggregate Group. To assign ports to
the static aggregate group you use the static agg agg num command, which is described in “Adding and
Deleting Ports in a Static Aggregate Group” on page 13-9.
Note. Depending on the needs of your network you may need to configure additional parameters.
Commands to configure optional static aggregate parameters are described in “Modifying Static Aggregation Group Parameters” on page 13-10.
Creating and Deleting a Static Link Aggregate Group
The following subsections describe how to create and delete static link aggregate groups with the static
linkagg size command.
Creating a Static Aggregate Group
You can create up to 32 static and/or dynamic link aggregation groups per a standalone switch or a stack
of switches. To create a static aggregate group on a switch, enter static linkagg followed by the user-specified aggregate number (which can be 0 through 31), size, and the number of links in the static aggregate
group, which can be 2, 4, or 8.
For example, to create static aggregate group 5 that consists of eight links, on a switch, you would enter:
-> static linkagg 5 size 8
Note. The number of links assigned to a static aggregate group should always be close to the number of
physical links that you plan to use. For example, if you are planning to use 2 physical links you should
create a group with a size of 2 and not 4 or 8.
As an option you can also specify a name and/or the administrative status of the group by entering static
linkagg followed by the user-specified aggregate number, size, the number of links in the static aggregate
group, name, the optional name (which can be up to 255 characters long), admin state, and either enable
or disable (the default is enable).
For example, to create static aggregate group 5 called “static1” consisting of eight links that is administratively disabled enter:
-> static linkagg 5 size 8 name static1 admin state disable
Note. If you want to specify spaces within a name for a static aggregate group the name must be specified
within quotes (e.g., “Static Aggregate Group 5”).
Deleting a Static Aggregate Group
To delete a static aggregation group from a switch use the no form of the static linkagg size command by
entering no static linkagg followed by the number that identifies the group. For example, to remove static
aggregate group 5 from a switch’s configuration you would enter:
-> no static linkagg 5
Note. You must delete any attached ports with the static agg agg num command before you can delete a
static link aggregate group.
Adding and Deleting Ports in a Static Aggregate Group
The following subsections describe how to add and delete ports in a static aggregate group with the static
agg agg num command.
Adding Ports to a Static Aggregate Group
The number of ports assigned in a static aggregate group can be less than or equal to the maximum size
you specified in the static linkagg size command. To assign a port to a static aggregate group you use the
static agg agg num command by entering static agg followed by the slot number, a slash (/), the port
number, agg num, and the number of the static aggregate group. Ports must be of the same speed (i.e., all
10 Mbps, all 100 Mbps, or all 1 Gbps).
For example, to assign ports 1, 2, and 3 in slot 1 to static aggregate group 10 (which has a size of 4) you
would enter:
-> static agg 1/1 agg num 10
-> static agg 1/2 agg num 10
-> static agg 1/3 agg num 10
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, “Assigning Ports to VLANs,” for more information on mobile ports.
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to assign port 1 in slot 1 to static aggregate group 10 and document that port
1 in slot 5 is a Giga Ethernet port you would enter:
-> static gigaethernet agg 1/1 agg num 10
Note. The ethernet, fastethernet, and gigaethernet keywords do not modify a port’s configuration. See
Chapter 1, “Configuring Ethernet Ports,” for information on configuring Ethernet ports.
Removing Ports from a Static Aggregate Group
To remove a port from a static aggregate group you use the no form of the static agg agg num command
by entering static agg no followed by the slot number, a slash (/), and the port number. For example, to
remove port 4 in slot 1 from a static aggregate group you would enter:
-> static agg no 1/4
Ports must be deleted in the reverse order in which they were assigned. For example, if port 9 through 16
were assigned to static aggregate group 2 you must first delete port 16, then port 15, and so forth. The
following is an example of how to delete ports in the proper sequence from the console:
-> static agg no 1/24
-> static agg no 1/23
-> static agg no 1/22
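The following Python class is an added example, not code from this guide or from the switch. It enforces the rules stated in the sections above (group numbers 0 through 31, a size of 2, 4, or 8, a port in only one aggregate group, equal port speeds within a group, no more ports than the group's size, deletion of ports in reverse order of assignment, and no group deletion while ports are attached) and records the CLI commands that would be entered, in order, so a generated configuration can be checked before it is pasted into a console. The port inventory, the class and method names, and the rejected() helper are the example's own.

```python
class StaticLinkAggConfigError(ValueError):
    """Raised when an operation violates a rule stated in this chapter."""


class StaticLinkAggConfig:
    """Tracks static aggregate groups on one switch, enforces the chapter's rules
    and records the CLI commands that would be entered, in order."""

    MAX_GROUPS = 32
    VALID_SIZES = (2, 4, 8)

    def __init__(self, port_speeds):
        # Constructed port inventory {"slot/port": speed}; an assumption of this example.
        self.port_speeds = dict(port_speeds)
        self.groups = {}      # agg num -> {"size": int, "ports": [str]}
        self.commands = []

    def _group_of(self, port):
        for num, grp in self.groups.items():
            if port in grp["ports"]:
                return num
        return None

    def create_group(self, num, size, name=None, admin_state="enable"):
        if not 0 <= num <= 31 or num in self.groups or len(self.groups) >= self.MAX_GROUPS:
            raise StaticLinkAggConfigError(f"cannot create group {num}")
        if size not in self.VALID_SIZES:
            raise StaticLinkAggConfigError("size must be 2, 4, or 8")
        if name is not None and not 1 <= len(name) <= 255:
            raise StaticLinkAggConfigError("name must be 1 to 255 characters")
        cmd = f"static linkagg {num} size {size}"
        if name is not None:
            cmd += f' name "{name}"' if " " in name else f" name {name}"   # spaces need quotes
        if admin_state != "enable":
            cmd += f" admin state {admin_state}"
        self.groups[num] = {"size": size, "ports": []}
        self.commands.append(cmd)

    def add_port(self, port, num):
        grp = self.groups.get(num)
        if grp is None or port not in self.port_speeds:
            raise StaticLinkAggConfigError(f"unknown group {num} or port {port}")
        if self._group_of(port) is not None:
            raise StaticLinkAggConfigError(f"port {port} already belongs to an aggregate group")
        if len(grp["ports"]) >= grp["size"]:
            raise StaticLinkAggConfigError(f"group {num} already has {grp['size']} ports")
        if grp["ports"] and self.port_speeds[port] != self.port_speeds[grp["ports"][0]]:
            raise StaticLinkAggConfigError("all ports in a group must be the same speed")
        grp["ports"].append(port)
        self.commands.append(f"static agg {port} agg num {num}")

    def remove_port(self, port):
        num = self._group_of(port)
        if num is None:
            raise StaticLinkAggConfigError(f"port {port} is not in any group")
        ports = self.groups[num]["ports"]
        if ports[-1] != port:
            raise StaticLinkAggConfigError("ports must be deleted in reverse order of assignment")
        ports.pop()
        self.commands.append(f"static agg no {port}")

    def delete_group(self, num):
        if num not in self.groups:
            raise StaticLinkAggConfigError(f"group {num} does not exist")
        if self.groups[num]["ports"]:
            raise StaticLinkAggConfigError("delete the attached ports first")
        del self.groups[num]
        self.commands.append(f"no static linkagg {num}")


def rejected(fn, *args, **kwargs):
    """True if the operation is refused by the rule checks."""
    try:
        fn(*args, **kwargs)
    except StaticLinkAggConfigError:
        return True
    return False
```

After building the configuration, the commands list holds exactly the sequence shown in the quick steps (static linkagg, one static agg line per port, and the no forms in reverse order), which can be printed and compared against the running switch.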
Modifying Static Aggregation Group Parameters
This section describes how to modify the following static aggregate group parameters:
• Static aggregate group name (see “Modifying the Static Aggregate Group Name” on page 13-10)
• Static aggregate group administrative state (see “Modifying the Static Aggregate Group Administrative State” on page 13-10)
Modifying the Static Aggregate Group Name
The following subsections describe how to modify the name of the static aggregate group with the static
linkagg name command.
Creating a Static Aggregate Group Name
To create a name for a static aggregate group, enter static linkagg followed by the number of the
static aggregate group, name, and the user-specified name of the group, which can be up to 255 characters
long. For example, to configure static aggregate group 4 with the name “Finance” you would enter:
-> static linkagg 4 name Finance
Note. If you want to specify spaces within a name for a static aggregate group the name must be specified
within quotes (e.g., “Static Aggregate Group 4”).
Deleting a Static Aggregate Group Name
To remove a name from a static aggregate group you use the no form of the static linkagg name
command by entering static linkagg followed by the number of the static aggregate group and no name.
For example, to remove any user-specified name from static aggregate group 4 you would enter:
-> static linkagg 4 no name
Modifying the Static Aggregate Group Administrative State
By default, the administrative state for a static aggregate group is enabled. The following subsections
describe how to enable and disable the administrative state with the static linkagg admin state command.
Enabling the Static Aggregate Group Administrative State
To enable a static aggregate group, enter static linkagg followed by the number of the group and
admin state enable. For example, to enable static aggregate group 1 you would enter:
-> static linkagg 1 admin state enable
Disabling the Static Aggregate Group Administrative State
To disable a static aggregate group, enter static linkagg followed by the number of the group and
admin state disable. For example, to disable static aggregate group 1 you would enter:
-> static linkagg 1 admin state disable
Application Example
Static link aggregation groups are treated by the switch’s software the same way it treats individual physical ports. This section demonstrates this by providing a sample network configuration that uses static link
aggregation along with other software features. In addition, a tutorial is provided that shows how to
configure this sample network using Command Line Interface (CLI) commands.
The figure below shows VLAN 8, which has been configured on static aggregate 1 and uses 802.1Q
tagging. The actual physical links connect ports 4/1, 4/2, 4/3, and 4/4 on Switch A to port 2/41, 2/42, 2/43,
and 2/44 on Switch B.
[Figure: Sample Network Using Static Link Aggregation. Switch A and Switch B are connected by Static Aggregate Group 1; VLAN 8 with 802.1Q tagging has been configured to use this group.]
Follow the steps below to configure this network:
Note. Only the steps to configure the local (i.e., Switch A) switch are provided here since the steps to
configure the remote (i.e., Switch B) switch would not be significantly different.
1 Configure static aggregate group 1 by entering static linkagg 1 size 4 as shown below:
-> static linkagg 1 size 4
2 Assign ports 4/1, 4/2, 4/3, and 4/4 to static aggregate group 1 by entering:
-> static agg 4/1 agg num 1
-> static agg 4/2 agg num 1
-> static agg 4/3 agg num 1
-> static agg 4/4 agg num 1
3 Create VLAN 8 by entering:
-> vlan 8
4 Configure 802.1Q tagging with a tagging ID of 8 on static aggregate group 1 (on VLAN 8) by entering:
-> vlan 8 802.1q 1
5 Repeat steps 1 through 4 on Switch B. All the commands would be the same except you would substitute the appropriate port numbers.
Note. Optional. Use the show 802.1q command to display 802.1Q configurations.
Displaying Static Link Aggregation Configuration and Statistics
You can use Command Line Interface (CLI) show commands to display the current configuration and
statistics of link aggregation. These commands include the following:
show linkagg         Displays information on link aggregation groups.
show linkagg port    Displays information on link aggregation ports.
When you use the show linkagg command without specifying the link aggregation group number and
when you use the show linkagg port command without specifying the slot and port number these
commands provide a “global” view of switch-wide link aggregate group and link aggregate port information, respectively.
For example, to display global statistics on all link aggregate groups (both static and dynamic) you would
enter:
-> show linkagg
A screen similar to the following would be displayed:
Number Aggregate SNMP Id  Size Admin State Oper State Att/Sel Ports
-------+----------+--------+----+-------------+-------------+------------
1      Static    40000001 8    ENABLED     UP         2 2
2      Dynamic   40000002 4    ENABLED     DOWN       0 0
3      Dynamic   40000003 8    ENABLED     DOWN       0 2
4      Static    40000005 2    DISABLED    DOWN       0 0
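The Python functions below are an added example, not part of this guide or of the switch software. They parse a global show linkagg display such as the one above (the sample text is a constructed copy of it) and flag the groups an operator would want to look at: administratively enabled but operationally down, selected ports that are not attached, or up with fewer attached links than the configured size. Column meanings follow the display's header; the wording of the findings and the function names are the example's own.

```python
import re

# Constructed sample, copied from the show linkagg display above.
SAMPLE_SHOW_LINKAGG = """\
Number Aggregate SNMP Id  Size Admin State Oper State Att/Sel Ports
-------+----------+--------+----+-------------+-------------+------------
1      Static    40000001 8    ENABLED     UP         2 2
2      Dynamic   40000002 4    ENABLED     DOWN       0 0
3      Dynamic   40000003 8    ENABLED     DOWN       0 2
4      Static    40000005 2    DISABLED    DOWN       0 0
"""

# One data row: number, type, SNMP id, size, admin state, oper state, attached, selected.
ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<kind>Static|Dynamic)\s+(?P<snmp_id>\d+)\s+(?P<size>\d+)\s+"
    r"(?P<admin>ENABLED|DISABLED)\s+(?P<oper>UP|DOWN)\s+(?P<att>\d+)\s+(?P<sel>\d+)\s*$"
)


def parse_show_linkagg(text):
    """Parse the global show linkagg table into a list of dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "num": int(m["num"]), "kind": m["kind"], "snmp_id": int(m["snmp_id"]),
            "size": int(m["size"]), "admin": m["admin"], "oper": m["oper"],
            "attached": int(m["att"]), "selected": int(m["sel"]),
        })
    return rows


def audit_linkagg(rows):
    """Return (group number, finding) pairs for groups that deserve a look."""
    findings = []
    for r in rows:
        if r["oper"] == "UP" and r["attached"] < r["size"]:
            findings.append((r["num"], f"up but degraded: {r['attached']} of {r['size']} links attached"))
        if r["admin"] == "ENABLED" and r["oper"] == "DOWN":
            findings.append((r["num"], "administratively enabled but operationally down"))
        if r["attached"] < r["selected"]:
            findings.append((r["num"], f"{r['selected']} ports selected, only {r['attached']} attached"))
    return findings
```

Run against the sample, group 1 is reported as degraded (2 of 8 links), groups 2 and 3 as enabled but down, and group 3 additionally for ports that are selected but not attached; group 4 produces nothing because it is administratively disabled.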
When you use the show linkagg command with the link aggregation group number and when you use the
show linkagg port command with the slot and port number these commands provide detailed views of
link aggregate group and link aggregate port information, respectively. These detailed views provide
excellent tools for diagnosing and troubleshooting problems.
For example, to display detailed statistics for port 1 in slot 4 that is attached to static link aggregate group
1 you would enter:
-> show linkagg port 4/1
A screen similar to the following would be displayed:
Static Aggregable Port
  SNMP Id                        : 4001,
  Slot/Port                      : 4/1,
  Administrative State           : ENABLED,
  Operational State              : DOWN,
  Port State                     : CONFIGURED,
  Link State                     : DOWN,
  Selected Agg Number            : 2,
  Port position in the aggregate : 0,
  Primary port                   : NONE
Note. See the “Link Aggregation Commands” chapter in the OmniSwitch CLI Reference Guide for
complete documentation of show commands for link aggregation.
14 Configuring Dynamic Link Aggregation
Alcatel’s dynamic link aggregation software allows you to combine several physical links into one large
virtual link known as a link aggregation group. Using link aggregation provides the following benefits:
• Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8
10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
• Reliability. If one of the physical links in a link aggregate group goes down (unless it is the last one)
the link aggregate group can still operate.
• Ease of Migration. Link aggregation can ease the transition from 100-Mbps Ethernet backbones to
Gigabit Ethernet backbones.
In This Chapter
This chapter describes the basic components of dynamic link aggregation and how to configure them
through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for
more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Configuring dynamic link aggregation groups on page 14-10.
• Configuring ports so they can be aggregated in dynamic link aggregation groups on page 14-12.
• Modifying dynamic link aggregation parameters on page 14-14.
Note. You can also configure and monitor dynamic link aggregation with WebView, Alcatel’s embedded
Web-based device management application. WebView is an interactive and easy-to-use GUI that can be
launched from OmniVista or a Web browser. Please refer to WebView’s online documentation for more
information on configuring and monitoring dynamic link aggregation with WebView.
Dynamic Link Aggregation Specifications
The table below lists specifications for dynamic aggregation groups and ports:
IEEE Specifications Supported               802.3ad — Aggregation of Multiple Link Segments
Maximum number of link aggregation groups   32 (per standalone switch or a stack of switches)
Range for optional group name               1 to 255 characters
Number of links per group supported         2, 4, or 8
Group actor admin key                       0 to 65535
Group actor system priority                 0 to 65535
Group partner system priority               0 to 65535
Group partner admin key                     0 to 65535
Port actor admin key                        0 to 65535
Port actor system priority                  0 to 255
Port partner admin key                      0 to 65535
Port partner admin system priority          0 to 255
Port actor port                             0 to 65535
Port actor port priority                    0 to 255
Port partner admin port                     0 to 65535
Port partner admin port priority            0 to 255
CLI Command Prefix Recognition
All dynamic link aggregation configuration commands support prefix recognition. See the “Using the
CLI” chapter in the OmniSwitch 6800/6850/9000
Switch Management Guide for more information.
Dynamic Link Aggregation Default Values
The table below lists default values for dynamic aggregate groups.
Parameter Description                     Command                                  Default Value/Comments
Group Administrative State                lacp linkagg admin state                 enabled
Group Name                                lacp linkagg name                        No name configured
Group Actor Administrative Key            lacp linkagg actor admin key             0
Group Actor System Priority               lacp linkagg actor system priority       0
Group Actor System ID                     lacp linkagg actor system id             00:00:00:00:00:00
Group Partner System ID                   lacp linkagg partner system id           00:00:00:00:00:00
Group Partner System Priority             lacp linkagg partner system priority     0
Group Partner Administrative Key          lacp linkagg partner admin key           0
Actor Port Administrative State           lacp agg actor admin state               active timeout aggregate
Actor Port System ID                      lacp agg actor system id                 00:00:00:00:00:00
Partner Port System Administrative State  lacp agg partner admin state             active timeout aggregate
Partner Port Admin System ID              lacp agg partner admin system id         00:00:00:00:00:00
Partner Port Administrative Key           lacp agg partner admin key               0
Partner Port Admin System Priority        lacp agg partner admin system priority   0
Actor Port Priority                       lacp agg actor port priority             0
Partner Port Administrative Port          lacp agg partner admin port              0
Partner Port Priority                     lacp agg partner admin port priority     0
Quick Steps for Configuring Dynamic Link Aggregation
Follow the steps below for a quick tutorial on configuring a dynamic aggregate link between two switches.
Additional information on how to configure each command is given in the subsections that follow.
1 Create the dynamic aggregate group on the local (actor) switch with the lacp linkagg size command as
shown below:
-> lacp linkagg 2 size 8 actor admin key 5
2 Configure ports (the number of ports should be less than or equal to the size value set in step 1) with
the same actor administrative key (which allows them to be aggregated) with the lacp agg actor admin
key command. For example:
-> lacp agg 1/1 actor admin key 5
-> lacp agg 1/4 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 5/4 actor admin key 5
-> lacp agg 6/1 actor admin key 5
-> lacp agg 6/2 actor admin key 5
-> lacp agg 7/3 actor admin key 5
-> lacp agg 8/1 actor admin key 5
3 Create a VLAN for this dynamic link aggregate group with the vlan command. For example:
-> vlan 2 port default 2
4 Create the equivalent dynamic aggregate group on the remote (partner) switch with the lacp linkagg
size command as shown below:
-> lacp linkagg 2 size 8 actor admin key 5
5 Configure ports (the number of ports should be less than or equal to the size value set in step 4) with
the same actor administrative key (which allows them to be aggregated) with the lacp agg actor admin
key command. For example:
-> lacp agg 2/1 actor admin key 5
-> lacp agg 3/1 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 3/6 actor admin key 5
-> lacp agg 5/1 actor admin key 5
-> lacp agg 5/6 actor admin key 5
-> lacp agg 8/1 actor admin key 5
-> lacp agg 8/3 actor admin key 5
6 Create a VLAN for this dynamic link aggregate group with the vlan command. For example:
-> vlan 2 port default 2
Note. As an option, you can verify your dynamic aggregation group settings with the show linkagg
command on either the actor or the partner switch. For example:
-> show linkagg 2
Dynamic Aggregate
  SNMP Id                  : 40000002,
  Aggregate Number         : 2,
  SNMP Descriptor          : Dynamic Aggregate Number 2 ref 40000002 size 8,
  Name                     : ,
  Admin State              : ENABLED,
  Operational State        : UP,
  Aggregate Size           : 8,
  Number of Selected Ports : 8,
  Number of Reserved Ports : 8,
  Number of Attached Ports : 8,
  Primary Port             : 1/1,
LACP
  MACAddress               : [00:1f:cc:00:00:00],
  Actor System Id          : [00:20:da:81:d5:b0],
  Actor System Priority    : 0,
  Actor Admin Key          : 5,
  Actor Oper Key           : 0,
  Partner System Id        : [00:20:da:81:d5:b1],
  Partner System Priority  : 0,
  Partner Admin Key        : 5,
  Partner Oper Key         : 0
You can also use the show linkagg port port command to display information on specific ports. See
“Displaying Dynamic Link Aggregation Configuration and Statistics” on page 14-33 for more information on show commands.
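The verification step above can be made repeatable by parsing the show linkagg output and comparing the negotiated state with the configured one. The following is an added example, not OmniSwitch software and not taken from the guide: it reads the output reproduced above (the sample text is constructed from the show linkagg 2 output in the quick steps), and reports a group that is disabled or down, that has fewer selected or attached ports than its configured size, or whose partner system ID is still the default 00:00:00:00:00:00 from the defaults table, meaning no LACP partner has been learned.

```python
"""Parse 'show linkagg <number>' output and flag an aggregate whose negotiated
state does not match its configuration.

Added example, not OmniSwitch software. SAMPLE_SHOW_LINKAGG is constructed
from the 'show linkagg 2' output reproduced in the quick steps; the field
names are the ones that output uses."""

import re
from typing import Dict, List

# Constructed from the guide's 'show linkagg 2' output.
SAMPLE_SHOW_LINKAGG = """\
Dynamic Aggregate
  SNMP Id                  : 40000002,
  Aggregate Number         : 2,
  SNMP Descriptor          : Dynamic Aggregate Number 2 ref 40000002 size 8,
  Name                     : ,
  Admin State              : ENABLED,
  Operational State        : UP,
  Aggregate Size           : 8,
  Number of Selected Ports : 8,
  Number of Reserved Ports : 8,
  Number of Attached Ports : 8,
  Primary Port             : 1/1,
LACP
  MACAddress               : [00:1f:cc:00:00:00],
  Actor System Id          : [00:20:da:81:d5:b0],
  Actor System Priority    : 0,
  Actor Admin Key          : 5,
  Actor Oper Key           : 0,
  Partner System Id        : [00:20:da:81:d5:b1],
  Partner System Priority  : 0,
  Partner Admin Key        : 5,
  Partner Oper Key         : 0
"""

# Constructed: the same group after two of its eight links stopped being selected.
DEGRADED_SHOW_LINKAGG = re.sub(
    r"(Number of (?:Selected|Attached) Ports\s*:\s*)8,", r"\g<1>6,", SAMPLE_SHOW_LINKAGG)

# 'Label : value,' lines; section headers such as 'LACP' carry no colon and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*?),?\s*$")

DEFAULT_SYSTEM_ID = "00:00:00:00:00:00"   # default partner system ID from the defaults table


def parse_show_linkagg(text: str) -> Dict[str, str]:
    """Return field name -> value; brackets around MAC addresses and trailing
    commas are stripped, an empty Name becomes ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip().strip("[]")
    return fields


def check_aggregate(fields: Dict[str, str]) -> List[str]:
    """Return the findings for one aggregate; an empty list means it is healthy."""
    findings: List[str] = []
    if fields.get("Admin State") != "ENABLED":
        findings.append("aggregate is administratively disabled")
    if fields.get("Operational State") != "UP":
        findings.append("aggregate is operationally down")
    size = int(fields.get("Aggregate Size", "0"))
    # every configured link should be selected and attached; fewer means links are down
    for name in ("Number of Selected Ports", "Number of Attached Ports"):
        count = int(fields.get(name, "0"))
        if count < size:
            findings.append(f"{name} is {count}, below the configured size {size}")
    if fields.get("Partner System Id", DEFAULT_SYSTEM_ID) == DEFAULT_SYSTEM_ID:
        findings.append("no LACP partner learned (partner system ID is the default)")
    return findings


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_SHOW_LINKAGG), ("degraded", DEGRADED_SHOW_LINKAGG)):
        print(label, check_aggregate(parse_show_linkagg(text)) or "OK")
```

The same parser works on the show linkagg output of the partner switch, which lets you confirm that both sides report the same size and that each side's Partner System Id is the other's Actor System Id.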
An example of what these commands look like entered sequentially on the command line on the actor
switch:
-> lacp linkagg 2 size 8 actor admin key 5
-> lacp agg 1/1 actor admin key 5
-> lacp agg 1/4 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 5/4 actor admin key 5
-> lacp agg 6/1 actor admin key 5
-> lacp agg 6/2 actor admin key 5
-> lacp agg 7/3 actor admin key 5
-> lacp agg 8/1 actor admin key 5
-> vlan 2 port default 2
An example of what these commands look like entered sequentially on the command line on the partner
switch:
-> lacp linkagg 2 size 8 actor admin key 5
-> lacp agg 2/1 actor admin key 5
-> lacp agg 3/1 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 3/6 actor admin key 5
-> lacp agg 5/1 actor admin key 5
-> lacp agg 5/6 actor admin key 5
-> lacp agg 8/1 actor admin key 5
-> lacp agg 8/3 actor admin key 5
-> vlan 2 port default 2
Dynamic Link Aggregation Overview
Link aggregation allows you to combine 2, 4, or 8 physical connections into large virtual connections
known as link aggregation groups. You can configure up to 32 link aggregation groups per standalone
switch or stack of switches. Each group can consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
You can create Virtual LANs (VLANs), 802.1Q framing, configure Quality of Service (QoS) conditions,
and other networking features on link aggregation groups because switch software treats these virtual links
just like physical links. (See “Relationship to Other Features” on page 14-9 for more information on how
link aggregation interacts with other software features.)
Link aggregation groups are identified by unique MAC addresses, which are created by the switch but can
be modified by the user at any time. Load balancing for Layer 2 non-IP packets is on a MAC address basis
and for IP packets the balancing algorithm uses the IP address as well. Ports must be of the same speed
within the same aggregate group.
Alcatel’s link aggregation software allows you to configure the following two different types of link
aggregation groups:
• Static link aggregate groups
• Dynamic link aggregate groups
This chapter describes dynamic link aggregation. For information on static link aggregation, please refer
to Chapter 13, “Configuring Static Link Aggregation.”
Dynamic Link Aggregation Operation
Dynamic aggregate groups are virtual links between two nodes consisting of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps fixed physical links. Dynamic aggregate groups use the standard IEEE 802.3ad
Link Aggregation Control Protocol (LACP) to dynamically establish the best possible configuration for
the group. This task is accomplished by special Link Aggregation Control Protocol Data Unit (LACPDU)
frames that are sent and received by switches on both sides of the link to monitor and maintain the
dynamic aggregate group.
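The parameters configured in this chapter (system priority, system ID, admin key, port priority, port number, and the actor and partner state keywords) are exactly the fields carried in each LACPDU. The following is an added example, not OmniSwitch software and not from the guide: it builds one IEEE 802.3ad version 1 LACPDU as the partner switch of the quick steps would send it, decodes it, and compares the peer's advertised system ID and key with the partner system id and partner admin key values configured for the group, which is what a monitoring tool does to notice a link that is cabled to the wrong switch or keyed for the wrong group. The MAC addresses and keys are those of the show linkagg output in the quick steps; the port number 1 and the frame's source MAC are assumptions.

```python
"""Build, decode and check IEEE 802.3ad LACPDU frames.

Added example, not OmniSwitch software. The sample frame is constructed; the
system IDs and keys come from the guide's 'show linkagg 2' output, the port
number and the frame source MAC are assumed."""

import struct
from dataclasses import dataclass
from typing import List, Tuple

SLOW_PROTOCOLS_DST = bytes.fromhex("0180c2000002")  # Slow Protocols group MAC
SLOW_PROTOCOLS_ETHERTYPE = 0x8809
LACP_SUBTYPE, LACP_VERSION = 1, 1

# Actor/Partner state octet, bit 0 first. The OmniSwitch keywords active,
# timeout and aggregate in the defaults table name the first three bits.
STATE_BITS = ["lacp_activity", "lacp_timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired"]


@dataclass
class LacpInfo:
    system_priority: int
    system_id: str        # xx:xx:xx:xx:xx:xx
    key: int
    port_priority: int
    port: int
    state: int

    def flags(self) -> List[str]:
        return [name for i, name in enumerate(STATE_BITS) if (self.state >> i) & 1]


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_to_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _pack_info(tlv_type: int, info: LacpInfo) -> bytes:
    # type, length 20, system priority, system ID, key, port priority, port, state, 3 reserved
    return struct.pack("!BBH6sHHHB3x", tlv_type, 20, info.system_priority,
                       _mac_to_bytes(info.system_id), info.key,
                       info.port_priority, info.port, info.state)


def _unpack_info(body: bytes, off: int, tlv_type: int) -> Tuple[LacpInfo, int]:
    if body[off] != tlv_type or body[off + 1] != 20:
        raise ValueError(f"expected information TLV type {tlv_type} at offset {off}")
    prio, sysid, key, pprio, port, state = struct.unpack_from("!H6sHHHB", body, off + 2)
    return LacpInfo(prio, _mac_to_str(sysid), key, pprio, port, state), off + 20


def build_lacpdu(src_mac: str, actor: LacpInfo, partner: LacpInfo, max_delay: int = 0) -> bytes:
    """Ethernet frame (no FCS): 14-byte header + 110-byte LACPDU (subtype, version,
    actor TLV, partner TLV, collector TLV, terminator TLV, 50 reserved bytes)."""
    body = (bytes([LACP_SUBTYPE, LACP_VERSION])
            + _pack_info(1, actor)
            + _pack_info(2, partner)
            + struct.pack("!BBH12x", 3, 16, max_delay)  # collector information TLV
            + bytes(2)                                  # terminator TLV: type 0, length 0
            + bytes(50))                                # reserved
    return (SLOW_PROTOCOLS_DST + _mac_to_bytes(src_mac)
            + struct.pack("!H", SLOW_PROTOCOLS_ETHERTYPE) + body)


def parse_lacpdu(frame: bytes) -> Tuple[LacpInfo, LacpInfo, int]:
    """Decode a frame into (actor info, partner info, collector max delay)."""
    if len(frame) < 14 + 110:
        raise ValueError("frame too short for an LACPDU")
    if frame[:6] != SLOW_PROTOCOLS_DST or struct.unpack_from("!H", frame, 12)[0] != SLOW_PROTOCOLS_ETHERTYPE:
        raise ValueError("not a Slow Protocols frame")
    body = frame[14:]
    if body[0] != LACP_SUBTYPE or body[1] != LACP_VERSION:
        raise ValueError("not a version 1 LACPDU")
    actor, off = _unpack_info(body, 2, 1)
    partner, off = _unpack_info(body, off, 2)
    if body[off] != 3 or body[off + 1] != 16:
        raise ValueError("missing collector information TLV")
    return actor, partner, struct.unpack_from("!H", body, off + 2)[0]


def check_peer(advertised: LacpInfo, expected_system_id: str, expected_key: int) -> List[str]:
    """Compare the actor information a peer sends with the partner system id and
    partner admin key configured for the group; an empty list means they match."""
    findings = []
    if advertised.system_id != expected_system_id:
        findings.append(f"peer system id {advertised.system_id} != configured {expected_system_id}")
    if advertised.key != expected_key:
        findings.append(f"peer key {advertised.key} != configured partner admin key {expected_key}")
    if "aggregation" not in advertised.flags():
        findings.append("peer marks the link as individual, it will not aggregate")
    for bad in ("defaulted", "expired"):
        if bad in advertised.flags():
            findings.append(f"peer state is {bad}")
    return findings


# Constructed: what the partner switch of the quick steps sends on one link.
PEER_ACTOR = LacpInfo(0, "00:20:da:81:d5:b1", 5, 0, 1, 0x07)        # active, timeout, aggregate
PEER_VIEW_OF_US = LacpInfo(0, "00:20:da:81:d5:b0", 5, 0, 1, 0x07)
SAMPLE_FRAME = build_lacpdu("00:20:da:81:d5:b1", PEER_ACTOR, PEER_VIEW_OF_US)

if __name__ == "__main__":
    actor, partner, _ = parse_lacpdu(SAMPLE_FRAME)
    print(actor, actor.flags(), check_peer(actor, "00:20:da:81:d5:b1", 5) or "OK")
```

The partner information block in a received LACPDU is the peer's view of the local switch; comparing it with the local actor values is the same check in the other direction and tells you whether the peer has received your LACPDUs at all.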
The figure on the following page shows a dynamic aggregate group that has been configured between
Switch A and Switch B. The dynamic aggregate group links four ports on Switch A to four ports on
Switch B.
Local (Actor) Switch <---- Dynamic Group ----> Remote (Partner) Switch
1. Local (actor) switch sends requests to establish a dynamic aggregate group link to the remote (partner) switch.
2. Partner switch acknowledges that it can accept this dynamic group.
3. Actor and partner switches negotiate parameters for the dynamic group, producing optimal settings.
4. Actor and partner switches establish the dynamic aggregate group. LACPDU messages are sent back and forth to monitor and maintain the group.
Example of a Dynamic Aggregate Group Network
Dynamic aggregate groups can be created between:
• two OmniSwitch 6800 switches.
• two OmniSwitch 6850 switches.
• two OmniSwitch 9000 switches.
• an OmniSwitch 6800 switch and an OmniSwitch 6850, OmniSwitch 9000, OmniSwitch 7700/7800, or
OmniSwitch 8800 switch or OmniSwitch 6600 Family switch.
• an OmniSwitch 6850 switch and an OmniSwitch 6800, OmniSwitch 9000, OmniSwitch 7700/7800, or
OmniSwitch 8800 switch or OmniSwitch 6600 Family switch.
• an OmniSwitch 9000 switch and an OmniSwitch 6800, OmniSwitch 6850, OmniSwitch 7700/7800,
OmniSwitch 8800, OmniSwitch 6600 Family switch.
• an OmniSwitch 6800, 6850, or 9000 switch and another vendor’s switch if that vendor supports IEEE
802.3ad LACP.
See “Configuring Dynamic Link Aggregate Groups” on page 14-10 for information on using Command
Line Interface (CLI) commands to configure dynamic aggregate groups and see “Displaying Dynamic
Link Aggregation Configuration and Statistics” on page 14-33 for information on using the CLI to monitor dynamic aggregate groups.
Relationship to Other Features
Link aggregation groups are supported by other switch software features. For example, you can configure
802.1Q tagging on link aggregation groups in addition to configuring it on individual ports. The following
features have CLI commands or command parameters that support link aggregation:
• VLANs. For more information on VLANs, see Chapter 5, “Configuring VLANs.”
• 802.1Q. For more information on configuring and monitoring 802.1Q, see Chapter 11, “Configuring
802.1Q.”
• Spanning Tree. For more information on Spanning Tree, see Chapter 6, “Configuring Spanning Tree
Parameters.”
Note. See “Application Examples” on page 14-29 for tutorials on using link aggregation with other
features.
Configuring Dynamic Link Aggregate Groups
This section describes how to use Alcatel’s Command Line Interface (CLI) commands to create, modify,
and delete dynamic aggregate groups. See “Configuring Mandatory Dynamic Link Aggregate Parameters” on page 14-10 for more information.
Note. See “Quick Steps for Configuring Dynamic Link Aggregation” on page 14-4 for a brief tutorial on
configuring these mandatory parameters.
Alcatel’s link aggregation software is preconfigured with the default values for dynamic aggregate groups
and ports shown in the table in “Dynamic Link Aggregation Default Values” on page 14-3. For most
configurations, using only the steps described in “Creating and Deleting a Dynamic Aggregate Group” on
page 14-11 will be necessary to configure a dynamic link aggregate group. However, if you need to
modify any of the parameters listed in the table on page 14-3, please see “Modifying Dynamic Link
Aggregate Group Parameters” on page 14-14 for more information.
Note. See the “Link Aggregation Commands” chapter in the OmniSwitch CLI Reference Guide for
complete documentation of show commands for link aggregation.
Configuring Mandatory Dynamic Link Aggregate Parameters
When configuring LACP link aggregates on a switch you must perform the following steps:
1 Create the Dynamic Aggregate Groups on the Local (Actor) and Remote (Partner) Switches. To
create a dynamic aggregate group use the lacp linkagg size command, which is described in “Creating and
Deleting a Dynamic Aggregate Group” on page 14-11.
2 Configure the Same Administrative Key on the Ports You Want to Join the Dynamic Aggregate
Group. To configure ports with the same administrative key (which allows them to be aggregated), use
the lacp agg actor admin key command, which is described in “Configuring Ports to Join and Removing
Ports in a Dynamic Aggregate Group” on page 14-12.
Note. Depending on the needs of your network you may need to configure additional parameters.
Commands to configure optional dynamic link aggregate parameters are described in “Modifying
Dynamic Link Aggregate Group Parameters” on page 14-14. These commands must be executed after you
create a dynamic aggregate group.
Creating and Deleting a Dynamic Aggregate Group
The following subsections describe how to create and delete dynamic aggregate groups with the lacp
linkagg size command.
Creating a Dynamic Aggregate Group
To configure a dynamic aggregate group, enter lacp linkagg followed by the user-configured dynamic
aggregate number (which can be from 0 to 31), size, and the maximum number of links that will belong to
this dynamic aggregate group, which can be 2, 4, or 8. For example, to configure the dynamic aggregate
group 2 consisting of eight links enter:
-> lacp linkagg 2 size 8
You can create up to 32 link aggregation (both static and dynamic) groups per a standalone switch or a
stack of switches. In addition, you can also specify optional parameters shown in the table below. These
parameters must be entered after size and the user-specified number of links.
lacp linkagg size keywords
name
actor system priority
partner system priority
admin state enable
admin state disable
actor system id
partner admin key
actor admin key
partner system id
For example, Alcatel recommends assigning the actor admin key when you create the dynamic aggregate
group to help ensure that ports are assigned to the correct group. To create a dynamic aggregate group
with aggregate number 3 consisting of two ports with an admin actor key of 10, for example, enter:
-> lacp linkagg 3 size 2 actor admin key 10
Note. The optional keywords for this command may be entered in any order as long as they are entered
after size and the user-specified number of links.
Deleting a Dynamic Aggregate Group
To remove a dynamic aggregation group configuration from a switch use the no form of the lacp linkagg
size command by entering no lacp linkagg followed by its dynamic aggregate group number.
For example, to delete dynamic aggregate group 2 from a switch’s configuration you would enter:
-> no lacp linkagg 2
Note. You cannot delete a dynamic aggregate group if it has any attached ports. To remove attached ports
you must disable the dynamic aggregate group with the lacp linkagg admin state command, which is
described in “Disabling a Dynamic Aggregate Group” on page 14-15.
Configuring Ports to Join and Removing Ports in a Dynamic Aggregate Group
The following subsections describe how to configure ports with the same administrative key (which allows
them to be aggregated) or to remove them from a dynamic aggregate group with the lacp agg actor admin
key command.
Configuring Ports To Join a Dynamic Aggregate Group
To configure ports with the same administrative key (which allows them to be aggregated) enter lacp agg
followed by the slot number, a slash (/), the port number, actor admin key, and the user-specified actor
administrative key (which can range from 0 to 65535). Ports must be of the same speed (i.e., all 10 Mbps,
all 100 Mbps, or all 1 Gbps).
For example, to configure ports 1, 2, and 3 in slot 4 with an administrative key of 10 you would enter:
-> lacp agg 4/1 actor admin key 10
-> lacp agg 4/2 actor admin key 10
-> lacp agg 4/3 actor admin key 10
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, “Assigning Ports to VLANs,” for more information on mobile ports.
You must execute the lacp agg actor admin key command on all ports in a dynamic aggregate group. If
not, the ports will be unable to join the group.
In addition, you can also specify optional parameters shown in the table below. These keywords must be
entered after the actor admin key and the user-specified actor administrative key value.
lacp agg actor admin key keywords
actor admin state
actor system priority
partner admin system priority
partner admin port priority
partner admin state
partner admin system id
actor port priority
actor system id
partner admin key
partner admin port
Note. The actor admin state and partner admin state keywords have additional parameters, which are
described in “Modifying the Actor Port System Administrative State” on page 14-19 and “Modifying the
Partner Port System Administrative State” on page 14-23, respectively.
All of the optional keywords listed above for this command may be entered in any order as long as they
appear after the actor admin key keywords and their user-specified value.
For example, to configure actor administrative key of 10, a local system ID (MAC address) of
00:20:da:06:ba:d3, and a local priority of 65535 to slot 4 port 1, enter:
-> lacp agg 4/1 actor admin key 10 actor system id 00:20:da:06:ba:d3 actor system priority 65535
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to configure an actor administrative key of 10 and to document that the port
is a 10-Mbps Ethernet port to slot 4 port 1, enter:
-> lacp agg ethernet 4/1 actor admin key 10
Note. The ethernet, fastethernet, and gigaethernet keywords do not modify a port’s configuration. See
Chapter 1, “Configuring Ethernet Ports,” for information on configuring Ethernet ports.
Removing Ports from a Dynamic Aggregate Group
To remove a port from a dynamic aggregate group, use the no form of the lacp agg actor admin key
command by entering lacp agg no followed by the slot number, a slash (/), and the port number.
For example, to remove port 4 in slot 4 from any dynamic aggregate group you would enter:
-> lacp agg no 4/4
Ports must be deleted in the reverse order in which they were configured. For example, if ports 9 through
16 were configured to join dynamic aggregate group 2 you must first delete port 16, then port 15, and so
forth. The following is an example of how to delete ports in the proper sequence from the console:
-> lacp agg no 4/24
-> lacp agg no 4/23
-> lacp agg no 4/22
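The rules spread over the quick steps, “Creating a Dynamic Aggregate Group” and “Configuring Ports To Join a Dynamic Aggregate Group” can be checked before the commands are typed. The following is an added example, not OmniSwitch software and not from the guide: it reads the command lines of the quick steps and checks them against the rules the chapter states, that is, aggregate numbers from 0 to 31 with at most 32 groups, a size of 2, 4, or 8, admin keys from 0 to 65535, no more ports sharing a key than the group's size, a matching key on the group and on every port, no mobile ports, and the same speed on every member port. Because ports join the group whose actor admin key they carry, it also flags two groups configured with the same key, which is an inference from that rule rather than a rule stated on the page. The per-port speed table and the mobile-port set are constructed inputs the switch would know but an offline checker must be told.

```python
"""Offline check of 'lacp linkagg' / 'lacp agg ... actor admin key' commands
against the rules stated in this chapter.

Added example, not OmniSwitch software. ACTOR_COMMANDS are the actor-switch
commands from the quick steps; port speeds and mobile ports are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

INTERFACE_KEYWORDS = ("ethernet", "fastethernet", "gigaethernet")  # documentary only


@dataclass
class LinkAgg:
    number: int           # lacp linkagg <number>
    size: int             # size 2|4|8
    actor_admin_key: int  # actor admin key <0-65535>; 0 (the default) when not given


@dataclass
class PortCfg:
    slot_port: str        # lacp agg <slot>/<port>
    actor_admin_key: int  # actor admin key <0-65535>
    speed_mbps: int       # constructed input
    mobile: bool          # constructed input


def _value_after(toks: Sequence[str], *words: str) -> Optional[str]:
    """Return the token that follows the keyword sequence `words`, or None."""
    n = len(words)
    for i in range(len(toks) - n):
        if tuple(toks[i:i + n]) == words:
            return toks[i + n]
    return None


def parse_lacp_commands(lines, port_speeds: Dict[str, int],
                        mobile_ports=frozenset()) -> Tuple[Dict[int, LinkAgg], List[PortCfg]]:
    """Parse command lines as typed at the '->' prompt; other commands are ignored."""
    aggs: Dict[int, LinkAgg] = {}
    ports: List[PortCfg] = []
    for raw in lines:
        toks = raw.strip().lstrip("->").split()
        if toks[:2] == ["lacp", "linkagg"]:
            key = _value_after(toks, "actor", "admin", "key")
            aggs[int(toks[2])] = LinkAgg(int(toks[2]), int(_value_after(toks, "size")),
                                         int(key) if key is not None else 0)
        elif toks[:2] == ["lacp", "agg"]:
            sp = toks[3] if toks[2] in INTERFACE_KEYWORDS else toks[2]
            ports.append(PortCfg(sp, int(_value_after(toks, "actor", "admin", "key")),
                                 port_speeds[sp], sp in mobile_ports))
    return aggs, ports


def validate(aggs: Dict[int, LinkAgg], ports: List[PortCfg]) -> List[str]:
    """Return the rule violations found; an empty list means the configuration is consistent."""
    problems: List[str] = []
    if len(aggs) > 32:
        problems.append("more than 32 link aggregation groups")
    for agg in aggs.values():
        if not 0 <= agg.number <= 31:
            problems.append(f"linkagg {agg.number}: aggregate number must be 0 to 31")
        if agg.size not in (2, 4, 8):
            problems.append(f"linkagg {agg.number}: size must be 2, 4, or 8")
        if not 0 <= agg.actor_admin_key <= 65535:
            problems.append(f"linkagg {agg.number}: actor admin key out of range")
    keys = [a.actor_admin_key for a in aggs.values()]
    for k in sorted(set(keys)):   # inference: ports join by key, so a shared key is ambiguous
        if keys.count(k) > 1:
            problems.append(f"actor admin key {k} is used by more than one group")
    for p in ports:
        if p.mobile:
            problems.append(f"port {p.slot_port}: mobile ports cannot be aggregated")
        if not 0 <= p.actor_admin_key <= 65535:
            problems.append(f"port {p.slot_port}: actor admin key out of range")
        if p.actor_admin_key not in keys:
            problems.append(f"port {p.slot_port}: key {p.actor_admin_key} matches no group")
    for agg in aggs.values():
        members = [p for p in ports if p.actor_admin_key == agg.actor_admin_key]
        if len(members) > agg.size:
            problems.append(f"linkagg {agg.number}: {len(members)} ports share key "
                            f"{agg.actor_admin_key} but the size is {agg.size}")
        if len({p.speed_mbps for p in members}) > 1:
            problems.append(f"linkagg {agg.number}: member ports are not all the same speed")
    return problems


# The actor-switch commands from the quick steps.
ACTOR_COMMANDS = [
    "-> lacp linkagg 2 size 8 actor admin key 5",
    "-> lacp agg 1/1 actor admin key 5", "-> lacp agg 1/4 actor admin key 5",
    "-> lacp agg 3/3 actor admin key 5", "-> lacp agg 5/4 actor admin key 5",
    "-> lacp agg 6/1 actor admin key 5", "-> lacp agg 6/2 actor admin key 5",
    "-> lacp agg 7/3 actor admin key 5", "-> lacp agg 8/1 actor admin key 5",
    "-> vlan 2 port default 2",
]
# Constructed: every member is a Gigabit port.
ACTOR_PORT_SPEEDS = {p: 1000 for p in ("1/1", "1/4", "3/3", "5/4", "6/1", "6/2", "7/3", "8/1")}

# Constructed misconfiguration: a ninth port with the group's key at a different
# speed, and a mobile port among the members.
BAD_COMMANDS = ACTOR_COMMANDS + ["-> lacp agg 8/2 actor admin key 5"]
BAD_PORT_SPEEDS = {**ACTOR_PORT_SPEEDS, "8/2": 100}
BAD_MOBILE_PORTS = frozenset({"5/4"})

if __name__ == "__main__":
    print(validate(*parse_lacp_commands(ACTOR_COMMANDS, ACTOR_PORT_SPEEDS)) or "OK")
    print(validate(*parse_lacp_commands(BAD_COMMANDS, BAD_PORT_SPEEDS, BAD_MOBILE_PORTS)))
```

Run it once per switch: the partner switch's commands from the quick steps pass the same checks with their own port list, and the two runs together confirm that both sides use the same size.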
Modifying Dynamic Link Aggregate Group Parameters
The table on page 14-3 lists default group and port settings for Alcatel’s dynamic link aggregation software. These parameters ensure compliance with the IEEE 802.3ad specification. For most networks, these
default values do not need to be modified or will be modified automatically by switch software. However,
if you need to modify any of these default settings see the following sections to modify parameters for:
• Dynamic aggregate groups beginning on page 14-14
• Dynamic aggregate actor ports beginning on page 14-18
• Dynamic aggregate partner ports beginning on page 14-23.
Note. You must create a dynamic aggregate group before you can modify group or port parameters. See
“Configuring Dynamic Link Aggregate Groups” on page 14-10 for more information.
Modifying Dynamic Aggregate Group Parameters
This section describes how to modify the following dynamic aggregate group parameters:
• Group name (see “Modifying the Dynamic Aggregate Group Name” on page 14-14)
• Group administrative state (see “Modifying the Dynamic Aggregate Group Administrative State” on
page 14-15)
• Group local (actor) switch actor administrative key (see “Configuring and Deleting the Dynamic
Aggregate Group Actor Administrative Key” on page 14-15)
• Group local (actor) switch system priority (see “Modifying the Dynamic Aggregate Group Actor
System Priority” on page 14-16)
• Group local (actor) switch system ID (see “Modifying the Dynamic Aggregate Group Actor System
ID” on page 14-16)
• Group remote (partner) administrative key (see “Modifying the Dynamic Aggregate Group Partner
Administrative Key” on page 14-17)
• Group remote (partner) system priority (see “Modifying the Dynamic Aggregate Group Partner System
Priority” on page 14-17)
• Group remote (partner) switch system ID (see “Modifying the Dynamic Aggregate Group Partner
System ID” on page 14-18)
Modifying the Dynamic Aggregate Group Name
The following subsections describe how to configure and remove a dynamic aggregate group name with
the lacp linkagg name command.
Configuring a Dynamic Aggregate Group Name
To configure a dynamic aggregate group name, enter lacp linkagg followed by the dynamic aggregate
group number, name, and the user-specified name, which can be from 1 to 255 characters long.
For example, to name dynamic aggregate group 4 “Engineering” you would enter:
-> lacp linkagg 4 name Engineering
Note. If you want to specify spaces within a name, the name must be enclosed in quotes. For example:
-> lacp linkagg 4 name "Engineering Lab"
Deleting a Dynamic Aggregate Group Name
To remove a dynamic aggregate group name from a switch’s configuration use the no form of the lacp
linkagg name command by entering lacp linkagg followed by the dynamic aggregate group number and
no name.
For example, to remove any user-configured name from dynamic aggregate group 4 you would enter:
-> lacp linkagg 4 no name
Modifying the Dynamic Aggregate Group Administrative State
By default, the dynamic aggregate group administrative state is enabled. The following subsections
describe how to enable and disable a dynamic aggregate group’s administrative state with the
lacp linkagg admin state command.
Enabling a Dynamic Aggregate Group
To enable the dynamic aggregate group administrative state, enter lacp linkagg followed by the dynamic
aggregate group number and admin state enable. For example, to enable dynamic aggregate group 4 you
would enter:
-> lacp linkagg 4 admin state enable
Disabling a Dynamic Aggregate Group
To disable a dynamic aggregate group’s administrative state, use the lacp linkagg admin state command
by entering lacp linkagg followed by the dynamic aggregate group number and admin state disable.
For example, to disable dynamic aggregate group 4 you would enter:
-> lacp linkagg 4 admin state disable
Configuring and Deleting the Dynamic Aggregate Group Actor Administrative Key
The following subsections describe how to configure and delete a dynamic aggregate group actor administrative key with the lacp linkagg actor admin key command.
Configuring a Dynamic Aggregate Actor Administrative Key
To configure the dynamic aggregate group actor switch administrative key enter lacp linkagg followed by
the dynamic aggregate group number, actor admin key, and the value for the administrative key, which
can be 0 through 65535.
For example, to configure dynamic aggregate group 4 with an administrative key of 10 you would enter:
-> lacp linkagg 4 actor admin key 10
Deleting a Dynamic Aggregate Actor Administrative Key
To remove an actor switch administrative key from a dynamic aggregate group’s configuration use the no
form of the lacp linkagg actor admin key command by entering lacp linkagg followed by the dynamic
aggregate group number and no actor admin key.
For example, to remove an administrative key from dynamic aggregate group 4 you would enter:
-> lacp linkagg 4 no actor admin key
Modifying the Dynamic Aggregate Group Actor System Priority
By default, the dynamic aggregate group actor system priority is 0. The following subsections describe
how to configure a user-specified value and how to restore the value to its default value with the
lacp linkagg actor system priority command.
Configuring a Dynamic Aggregate Group Actor System Priority
You can configure a user-specified dynamic aggregate group actor system priority value to a value ranging from 0 to 65535 by entering lacp linkagg followed by the dynamic aggregate group number, actor
system priority, and the new priority value.
For example, to change the actor system priority of dynamic aggregate group 4 to 2000 you would enter:
-> lacp linkagg 4 actor system priority 2000
Restoring the Dynamic Aggregate Group Actor System Priority
To restore the dynamic aggregate group actor system priority to its default (i.e., 0) value use the no form
of the lacp linkagg actor system priority command by entering lacp linkagg followed by the dynamic
aggregate group number and no actor system priority.
For example, to restore the actor system priority to its default value on dynamic aggregate group 4 you
would enter:
-> lacp linkagg 4 no actor system priority
Modifying the Dynamic Aggregate Group Actor System ID
By default, the dynamic aggregate group actor system ID (MAC address) is 00:00:00:00:00:00. The
following subsections describe how to configure a user-specified value and how to restore the value to its
default value with the lacp linkagg actor system id command.
Configuring a Dynamic Aggregate Group Actor System ID
You can configure a user-specified dynamic aggregate group actor system ID by entering lacp linkagg
followed by the dynamic aggregate group number, actor system id, and the user-specified MAC address
(in the hexadecimal format of xx:xx:xx:xx:xx:xx), which is used as the system ID.
For example, to configure the system ID on dynamic aggregate group 4 as 00:20:da:81:d5:b0 you would
enter:
-> lacp linkagg 4 actor system id 00:20:da:81:d5:b0
Restoring the Dynamic Aggregate Group Actor System ID
To remove the user-configured actor switch system ID from a dynamic aggregate group’s configuration
use the no form of the lacp linkagg actor system id command by entering lacp linkagg followed by the
dynamic aggregate group number and no actor system id.
For example, to remove the user-configured system ID from dynamic aggregate group 4 you would enter:
-> lacp linkagg 4 no actor system id
Modifying the Dynamic Aggregate Group Partner Administrative Key
By default, the dynamic aggregate group partner administrative key (i.e., the administrative key of the
partner switch) is 0. The following subsections describe how to configure a user-specified value and how
to restore the value to its default value with the lacp linkagg partner admin key command.
Configuring a Dynamic Aggregate Group Partner Administrative Key
You can modify the dynamic aggregate group partner administrative key to a value ranging from 0 to
65535 by entering lacp linkagg followed by the dynamic aggregate group number, partner admin key,
and the value for the administrative key, which can be 0 through 65535.
For example, to set the partner administrative key to 4 on dynamic aggregate group 4 you would enter:
-> lacp linkagg 4 partner admin key 10
Restoring the Dynamic Aggregate Group Partner Administrative Key
To remove a partner administrative key from a dynamic aggregate group’s configuration use the no form
of the lacp linkagg partner admin key command by entering lacp linkagg followed by the dynamic
aggregate group number and no partner admin key.
For example, to remove the user-configured partner administrative key from dynamic aggregate group 4
you would enter:
-> lacp linkagg 4 no partner admin key
Modifying the Dynamic Aggregate Group Partner System Priority
By default, the dynamic aggregate group partner system priority is 0. The following subsections describe
how to configure a user-specified value and how to restore the value to its default value with the
lacp linkagg partner system priority command.
Configuring a Dynamic Aggregate Group Partner System Priority
You can modify the dynamic aggregate group partner system priority to a value ranging from 0 to 65535
by entering lacp linkagg followed by the dynamic aggregate group number, partner system priority, and
the new priority value.
For example, to set the partner system priority on dynamic aggregate group 4 to 2000 you would enter:
-> lacp linkagg 4 partner system priority 2000
Restoring the Dynamic Aggregate Group Partner System Priority
To restore the dynamic aggregate group partner system priority to its default (i.e., 0) value use the no form
of the lacp linkagg partner system priority command by entering lacp linkagg followed by the dynamic
aggregate group number and no partner system priority.
For example, to reset the partner system priority of dynamic aggregate group 4 to its default value you
would enter:
-> lacp linkagg 4 no partner system priority
Modifying the Dynamic Aggregate Group Partner System ID
By default, the dynamic aggregate group partner system ID is 00:00:00:00:00:00. The following subsections describe how to configure a user-specified value and how to restore it to its default value with the
lacp linkagg partner system id command.
Configuring a Dynamic Aggregate Group Partner System ID
You can configure the dynamic aggregate group partner system ID by entering lacp linkagg followed by
the dynamic aggregate group number, partner system id, and the user-specified MAC address (in the
hexadecimal format of xx:xx:xx:xx:xx:xx), which is used as the system ID.
For example, to configure the partner system ID as 00:20:da:81:d5:b0 on dynamic aggregate group 4 you
would enter:
-> lacp linkagg 4 partner system id 00:20:da:81:d5:b0
Restoring the Dynamic Aggregate Group Partner System ID
To remove the user-configured partner switch system ID from the dynamic aggregate group’s configuration, use the no form of the lacp linkagg partner system id command by entering lacp linkagg followed
by the dynamic aggregate group number and no partner system id.
For example, to remove the user-configured partner system ID from dynamic aggregate group 4 you
would enter:
-> lacp linkagg 4 no partner system id
Modifying Dynamic Link Aggregate Actor Port Parameters
This section describes how to modify the following dynamic aggregate actor port parameters:
• Actor port administrative state (see “Modifying the Actor Port System Administrative State” on
page 14-19)
• Actor port system ID (see “Modifying the Actor Port System ID” on page 14-20)
• Actor port system priority (see “Modifying the Actor Port System Priority” on page 14-21)
• Actor port priority (see “Modifying the Actor Port Priority” on page 14-22)
Note. See “Configuring Ports to Join and Removing Ports in a Dynamic Aggregate Group” on page 14-12
for information on modifying a dynamic aggregate group administrative key.
All of the commands to modify actor port parameters allow you to add the ethernet, fastethernet, and
gigaethernet keywords before the slot and port number to document the interface type or make the
command look consistent with early-generation Alcatel CLI syntax. However, these keywords do not
modify a port’s configuration. See Chapter 1, “Configuring Ethernet Ports,” for information on configuring Ethernet ports.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, “Assigning Ports to VLANs,” for more information on mobile ports.
Modifying the Actor Port System Administrative State
The system administrative state of a dynamic aggregate group actor port is indicated by bit settings in
Link Aggregation Control Protocol Data Unit (LACPDU) frames sent by the port. By default, bits 0 (indicating that the port is active), 1 (indicating that short timeouts are used for LACPDU frames), and 2 (indicating that this port is available for aggregation) are set in LACPDU frames.
The following subsections describe how to configure user-specified values and how to restore them to
their default values with the lacp agg actor admin state command.
Configuring Actor Port Administrative State Values
To configure an LACP actor port’s system administrative state values, enter lacp agg, the slot
number, a slash (/), the port number, actor admin state, and one or more of the keywords shown in the
table below, or none:
lacp agg actor admin state keywords:

active        Specifies that bit 0 in LACPDU frames is set, which indicates that the
              link is able to exchange LACPDU frames. By default, this bit is set.

timeout       Specifies that bit 1 in LACPDU frames is set, which indicates that a
              short time-out is used for LACPDU frames. When this bit is not set, a
              long time-out is used for LACPDU frames. By default, this bit is set.

aggregate     Specifies that bit 2 in LACPDU frames is set, which indicates that the
              system considers this link to be a potential candidate for aggregation. If
              this bit is not set, the system considers the link to be individual (it can
              only operate as a single link). By default, this bit is set.

synchronize   Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 3) is set by the system, the port is
              allocated to the correct dynamic aggregation group. If this bit is not set
              by the system, the port is not allocated to the correct dynamic aggregation
              group.

collect       Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 4) is set by the system, incoming frames on
              the port are collected for the dynamic aggregate group.

distribute    Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 5) is set by the system, distributing
              outgoing frames on the port is enabled.

default       Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 6) is set by the system, it indicates that
              the actor is using defaulted partner information administratively
              configured for the partner.

expire        Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 7) is set by the system, the actor has not
              received LACPDU frames from the partner within the time-out period
              (receive state expired).
Note. Specifying none removes all administrative states from the LACPDU configuration. For example:
-> lacp agg 5/49 actor admin state none
For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate actor port 49 in slot 5 you
would enter:
-> lacp agg 5/49 actor admin state active aggregate
As an option you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate actor port 49 in
slot 5 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 5/49 actor admin state active aggregate
Restoring Actor Port Administrative State Values
To restore LACPDU bit settings to their default values, use the lacp agg actor admin state command by
entering no before the active, timeout, and aggregate keywords.
For example, to restore bits 0 (active) and 2 (aggregate) to their default settings on dynamic aggregate
actor port 2 in slot 5 you would enter:
-> lacp agg 5/2 actor admin state no active no aggregate
Note. Since individual bits within the LACPDU frame are set with the lacp agg actor admin state
command, you can set some bits and restore other bits within the same command. For example, if you
wanted to restore bit 2 (aggregate) to its default settings and set bit 0 (active) on dynamic aggregate actor
port 49 in slot 5 you would enter:
-> lacp agg 5/49 actor admin state active no aggregate
Modifying the Actor Port System ID
By default, the actor port system ID (i.e., the MAC address used as the system ID on dynamic aggregate
actor ports) is 00:00:00:00:00:00. The following subsections describe how to configure a user-specified
value and how to restore the value to its default value with the lacp agg actor system id command.
Configuring an Actor Port System ID
You can configure the actor port system ID by entering lacp agg, the slot number, a slash (/), the port
number, actor system id, and the user specified actor port system ID (i.e., MAC address) in the hexadecimal format of xx:xx:xx:xx:xx:xx.
For example, to modify the system ID of the dynamic aggregate actor port 3 in slot 7 to
00:20:da:06:ba:d3 you would enter:
-> lacp agg 7/3 actor system id 00:20:da:06:ba:d3
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the system ID of the dynamic aggregate actor port 3 in slot 7 to
00:20:da:06:ba:d3 and document that the port is 10 Mbps Ethernet you would enter:
-> lacp agg ethernet 7/3 actor system id 00:20:da:06:ba:d3
Restoring the Actor Port System ID
To remove a user-configured system ID from a dynamic aggregate group actor port’s configuration use
the no form of the lacp agg actor system id command by entering lacp agg, the slot number, a slash
(/), the port number, and no actor system id.
For example, to remove a user-configured system ID from dynamic aggregate actor port 3 in slot 7 you
would enter:
-> lacp agg 7/3 no actor system id
Modifying the Actor Port System Priority
By default, the actor system priority is 0. The following subsections describe how to configure a
user-specified value and how to restore the value to its default value with the lacp agg actor system
priority command.
Configuring an Actor Port System Priority
You can configure the actor system priority to a value ranging from 0 to 255 by entering lacp agg, the slot
number, a slash (/), the port number, actor system priority, and the user-specified actor port system
priority.
For example, to modify the system priority of dynamic aggregate actor port 5 in slot 2 to 200 you would
enter:
-> lacp agg 2/5 actor system priority 200
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the system priority of dynamic aggregate actor port 5 in slot 2 to
200 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 2/5 actor system priority 200
Restoring the Actor Port System Priority
To remove a user-configured actor port system priority from a dynamic aggregate group actor port’s
configuration use the no form of the lacp agg actor system priority command by entering lacp agg, the
slot number, a slash (/), the port number, and no actor system priority.
For example, to remove a user-configured system priority from dynamic aggregate actor port 5 in slot 2
you would enter:
-> lacp agg 2/5 no actor system priority
Modifying the Actor Port Priority
By default, the actor port priority (used to converge dynamic key changes) is 0. The following subsections
describe how to configure a user-specified value and how to restore the value to its default value with the
lacp agg actor port priority command.
Configuring the Actor Port Priority
You can configure the actor port priority to a value ranging from 0 to 255 by entering lacp agg, the slot
number, a slash (/), the port number, actor port priority, and the user-specified actor port priority.
For example, to modify the actor port priority of dynamic aggregate actor port 1 in slot 2 to 100 you would
enter:
-> lacp agg 2/1 actor port priority 100
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the actor port priority of dynamic aggregate actor port 1 in slot 2 to
100 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 2/1 actor port priority 100
Restoring the Actor Port Priority
To remove a user-configured actor port priority from a dynamic aggregate group actor port’s configuration use the no form of the lacp agg actor port priority command by entering lacp agg, the slot number,
a slash (/), the port number, and no actor port priority.
For example, to remove a user-configured actor priority from dynamic aggregate actor port 1 in slot 2 you
would enter:
-> lacp agg 2/1 no actor port priority
Modifying Dynamic Aggregate Partner Port Parameters
This section describes how to modify the following dynamic aggregate partner port parameters:
• Partner port system administrative state (see “Modifying the Partner Port System Administrative State”
on page 14-23)
• Partner port administrative key (see “Modifying the Partner Port Administrative Key” on page 14-25)
• Partner port system ID (see “Modifying the Partner Port System ID” on page 14-25)
• Partner port system priority (see “Modifying the Partner Port System Priority” on page 14-26)
• Partner port administrative state (see “Modifying the Partner Port Administrative Status” on
page 14-27)
• Partner port priority (see “Modifying the Partner Port Priority” on page 14-27)
All of the commands to modify partner port parameters allow you to add the ethernet, fastethernet, and
gigaethernet keywords before the slot and port number to document the interface type or make the
command look consistent with early-generation Alcatel CLI syntax. However, these keywords do not
modify a port’s configuration. See Chapter 1, “Configuring Ethernet Ports,” for information on configuring Ethernet ports.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, “Assigning Ports to VLANs,” for more information on mobile ports.
Modifying the Partner Port System Administrative State
The system administrative state of a dynamic aggregate group partner (i.e., remote switch) port is the
state value the local switch administratively assumes for that remote port. It is carried in the partner
information of the LACPDU frames the local port sends and is used until LACPDU frames from the remote
port itself are received. By default, bits 0 (indicating that the port is active), 1 (indicating that
short timeouts are used for LACPDU frames), and 2 (indicating that this port is available for
aggregation) are set.
The following subsections describe how to configure user-specified values and how to restore them to
their default values with the lacp agg partner admin state command.
Configuring Partner Port System Administrative State Values
To configure the dynamic aggregate partner port’s system administrative state values, enter lacp
agg, the slot number, a slash (/), the port number, partner admin state, and one or more of the keywords
shown in the table below, or none:
lacp agg partner admin state keywords:

active        Specifies that bit 0 in LACPDU frames is set, which indicates that the
              link is able to exchange LACPDU frames. By default, this bit is set.

timeout       Specifies that bit 1 in LACPDU frames is set, which indicates that a
              short time-out is used for LACPDU frames. When this bit is not set, a
              long time-out is used for LACPDU frames. By default, this bit is set.

aggregate     Specifies that bit 2 in LACPDU frames is set, which indicates that the
              system considers this link to be a potential candidate for aggregation. If
              this bit is not set, the system considers the link to be individual (it can
              only operate as a single link). By default, this bit is set.

synchronize   Specifies that bit 3 in the partner state octet is set. When this bit is
              set, the port is allocated to the correct dynamic aggregation group. If
              this bit is not set, the port is not allocated to the correct aggregation
              group. By default, this bit is not set.

collect       Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 4) is set by the system, incoming frames on
              the port are collected for the dynamic aggregate group.

distribute    Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 5) is set by the system, distributing
              outgoing frames on the port is enabled.

default       Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 6) is set by the system, it indicates that
              the partner is using defaulted actor information administratively
              configured for the partner.

expire        Specifying this keyword has no effect because the system always determines
              its value. When this bit (bit 7) is set by the system, the actor has not
              received LACPDU frames from the partner within the time-out period
              (receive state expired).
Note. Specifying none removes all administrative states from the LACPDU configuration. For example:
-> lacp agg 7/49 partner admin state none
For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate partner port 49 in slot 7 you
would enter:
-> lacp agg 7/49 partner admin state active aggregate
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate partner port 49
in slot 7 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 7/49 partner admin state active aggregate
Restoring Partner Port System Administrative State Values
To restore LACPDU bit settings to their default values use the no form of the lacp agg partner admin
state command by entering no before the active, timeout, aggregate, or synchronize keywords.
For example, to restore bits 0 (active) and 2 (aggregate) to their default settings on dynamic aggregate
partner port 1 in slot 7 you would enter:
-> lacp agg 7/1 partner admin state no active no aggregate
Note. Since individual bits within the LACPDU frame are set with the lacp agg partner admin state
command, you can set some bits and restore other bits to default values within the same command. For
example, if you wanted to restore bit 2 (aggregate) to its default settings and set bit 0 (active) on dynamic
aggregate partner port 1 in slot 7 you would enter:
-> lacp agg 7/1 partner admin state active no aggregate
Modifying the Partner Port Administrative Key
By default, the dynamic aggregate partner port’s administrative key is 0. The following subsections
describe how to configure a user-specified value and how to restore the value to its default value with the
lacp agg partner admin key command.
Configuring the Partner Port Administrative Key
You can configure the dynamic aggregate partner port’s administrative key to a value ranging from 0 to
65535 by entering lacp agg, the slot number, a slash (/), the port number, partner admin key, and the
user-specified partner port administrative key.
For example, to modify the administrative key of a dynamic aggregate group partner port 1 in slot 6 to
1000 enter:
-> lacp agg 6/1 partner admin key 1000
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the administrative key of a dynamic aggregate group partner port 1
in slot 6 to 1000 and document that the port is a 10 Mbps Ethernet port you would enter:
-> lacp agg ethernet 6/1 partner admin key 1000
Restoring the Partner Port Administrative Key
To remove a user-configured administrative key from a dynamic aggregate group partner port’s configuration use the no form of the lacp agg partner admin key command by entering lacp agg, the slot number,
a slash (/), the port number, and no partner admin key.
For example, to remove the user-configured administrative key from dynamic aggregate partner port 1 in
slot 6, enter:
-> lacp agg 6/1 no partner admin key
Modifying the Partner Port System ID
By default, the partner port system ID (i.e., the MAC address used as the system ID on dynamic aggregate partner ports) is 00:00:00:00:00:00. The following subsections describe how to configure a user-specified value and how to restore the value to its default value with the lacp agg partner admin system id
command.
Configuring the Partner Port System ID
You can configure the partner port system ID by entering lacp agg, the slot number, a slash (/), the port
number, partner admin system id, and the user-specified partner administrative system ID (i.e., the MAC
address in hexadecimal format).
For example, to modify the system ID of dynamic aggregate partner port 49 in slot 6 to
00:20:da:06:ba:d3 you would enter:
-> lacp agg 6/49 partner admin system id 00:20:da:06:ba:d3
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the system ID of dynamic aggregate partner port 49 in slot 6 to
00:20:da:06:ba:d3 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 6/49 partner admin system id 00:20:da:06:ba:d3
Restoring the Partner Port System ID
To remove a user-configured system ID from a dynamic aggregate group partner port’s configuration use
the no form of the lacp agg partner admin system id command by entering lacp agg, the slot number, a
slash (/), the port number, and no partner admin system id.
For example, to remove a user-configured system ID from dynamic aggregate partner port 2 in slot 6 you
would enter:
-> lacp agg 6/2 no partner admin system id
Modifying the Partner Port System Priority
By default, the administrative priority of a dynamic aggregate group partner port is 0. The following
subsections describe how to configure a user-specified value and how to restore the value to its default
value with the lacp agg partner admin system priority command.
Configuring the Partner Port System Priority
You can configure the administrative priority of a dynamic aggregate group partner port to a value ranging from 0 to 255 by entering lacp agg, the slot number, a slash (/), the port number, partner admin
system priority, and the user-specified administrative system priority.
For example, to modify the administrative priority of a dynamic aggregate partner port 49 in slot 4 to 100
you would enter:
-> lacp agg 4/49 partner admin system priority 100
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the administrative priority of dynamic aggregate partner port 49 in
slot 4 to 100 and specify that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 4/49 partner admin system priority 100
Restoring the Partner Port System Priority
To remove a user-configured system priority from a dynamic aggregate group partner port’s configuration
use the no form of the lacp agg partner admin system priority command by entering lacp agg, the slot
number, a slash (/), the port number, and no partner admin system priority.
For example, to remove a user-configured system priority from dynamic aggregate partner port 3 in slot 4 you
would enter:
-> lacp agg 4/3 no partner admin system priority
Modifying the Partner Port Administrative Status
By default, the administrative status of a dynamic aggregate group partner port is 0. The following subsections describe how to configure a user-specified value and how to restore the value to its default value
with the lacp agg partner admin port command.
Configuring the Partner Port Administrative Status
You can configure the administrative status of a dynamic aggregate group partner port to a value ranging
from 0 to 65535 by entering lacp agg, the slot number, a slash (/), the port number, partner admin port,
and the user-specified partner port administrative status.
For example, to modify the administrative status of dynamic aggregate partner port 1 in slot 7 to 200 you
would enter:
-> lacp agg 7/1 partner admin port 200
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the administrative status of dynamic aggregate partner port 1 in
slot 7 to 200 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 7/1 partner admin port 200
Restoring the Partner Port Administrative Status
To remove a user-configured administrative status from a dynamic aggregate group partner port’s configuration use the no form of the lacp agg partner admin port command by entering lacp agg, the slot
number, a slash (/), the port number, and no partner admin port.
For example, to remove a user-configured administrative status from dynamic aggregate partner port 1 in
slot 7 you would enter:
-> lacp agg 7/1 no partner admin port
Modifying the Partner Port Priority
The default partner port priority is 0. The following subsections describe how to configure a user-specified
value and how to restore the value to its default value with the lacp agg partner admin port priority
command.
Configuring the Partner Port Priority
To configure the partner port priority to a value ranging from 0 to 255, enter lacp agg, the slot
number, a slash (/), the port number, partner admin port priority, and the user-specified partner port
priority.
For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to 100 you would
enter:
-> lacp agg 4/3 partner admin port priority 100
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to
100 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 4/3 partner admin port priority 100
Restoring the Partner Port Priority
To remove a user-configured partner port priority from a dynamic aggregate group partner port’s configuration use the no form of the lacp agg partner admin port priority command by entering lacp agg, the
slot number, a slash (/), the port number, and no partner admin port priority.
For example, to remove a user-configured partner port priority from dynamic aggregate partner port 3 in
slot 4 you would enter:
-> lacp agg 4/3 no partner admin port priority
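The state octet described in the two admin state tables above, and the system priority, system ID, admin key, port and port priority values configured in the actor and partner subsections, are exactly the fields carried in every LACPDU. The following Python example is added here and is not part of this guide or of the OmniSwitch software: it maps the lacp agg ... admin state keywords to their bit positions, builds and parses the IEEE 802.3ad LACPDU actor and partner information TLVs, and checks a received LACPDU against the values an administrator configured locally with lacp agg ... partner admin system id and partner admin key. The LacpInfo, build_lacpdu, parse_lacpdu and check_remote names and the sample PDU are constructed for illustration, not captured from a switch.

```python
import struct
from dataclasses import dataclass

# Keywords of the OmniSwitch "lacp agg <slot/port> actor|partner admin state" command,
# listed in LACPDU state-octet bit order: bit 0 = active ... bit 7 = expire.
STATE_KEYWORDS = ("active", "timeout", "aggregate", "synchronize",
                  "collect", "distribute", "default", "expire")

# The switch's default administrative state: bits 0, 1 and 2 set.
DEFAULT_ADMIN_STATE = 0x07


def encode_state(*keywords):
    """Return the state octet with the bit for each keyword set; unknown keywords raise ValueError."""
    octet = 0
    for keyword in keywords:
        octet |= 1 << STATE_KEYWORDS.index(keyword)
    return octet


def decode_state(octet):
    """Return the set of keywords whose bit is set in a state octet."""
    return {kw for bit, kw in enumerate(STATE_KEYWORDS) if octet & (1 << bit)}


@dataclass
class LacpInfo:
    """Body of an LACPDU actor or partner information TLV (hypothetical helper type)."""
    system_priority: int
    system_id: str        # MAC address in xx:xx:xx:xx:xx:xx form
    key: int
    port_priority: int
    port: int
    state: int            # state octet, see STATE_KEYWORDS


# priority(2) system(6) key(2) port priority(2) port(2) state(1) reserved(3), network byte order
INFO_LAYOUT = struct.Struct("!H6sHHHB3x")


def pack_info(tlv_type, info):
    system_id = bytes(int(octet, 16) for octet in info.system_id.split(":"))
    body = INFO_LAYOUT.pack(info.system_priority, system_id, info.key,
                            info.port_priority, info.port, info.state)
    return bytes([tlv_type, 2 + INFO_LAYOUT.size]) + body   # TLV length counts type and length bytes


def build_lacpdu(actor, partner, collector_max_delay=0):
    """Build the 110-byte LACPDU that follows the Ethernet header (slow-protocol subtype 1)."""
    collector = bytes([0x03, 0x10]) + struct.pack("!H", collector_max_delay) + bytes(12)
    terminator = bytes([0x00, 0x00])
    return (bytes([0x01, 0x01]) + pack_info(0x01, actor) + pack_info(0x02, partner)
            + collector + terminator + bytes(50))


def parse_lacpdu(data):
    """Walk the TLVs of an LACPDU and return its actor and partner information."""
    if len(data) < 2 or data[0] != 0x01:
        raise ValueError("not an LACP PDU (slow-protocol subtype must be 1)")
    tlvs, offset = {}, 2
    while offset + 2 <= len(data):
        tlv_type, tlv_len = data[offset], data[offset + 1]
        if tlv_type == 0x00:
            break                                   # terminator TLV
        if tlv_len < 2 or offset + tlv_len > len(data):
            raise ValueError(f"bad TLV length {tlv_len} at offset {offset}")
        tlvs[tlv_type] = data[offset + 2:offset + tlv_len]
        offset += tlv_len
    if 0x01 not in tlvs or 0x02 not in tlvs:
        raise ValueError("actor or partner information TLV missing")

    def unpack(body):
        if len(body) != INFO_LAYOUT.size:
            raise ValueError("information TLV has wrong length")
        sys_pri, sys_id, key, port_pri, port, state = INFO_LAYOUT.unpack(body)
        return LacpInfo(sys_pri, ":".join(f"{b:02x}" for b in sys_id), key, port_pri, port, state)

    return {"actor": unpack(tlvs[0x01]), "partner": unpack(tlvs[0x02])}


def check_remote(pdu, expected_system_id, expected_key):
    """Compare what the remote switch advertises about itself (its actor TLV) with the values
    configured locally by 'lacp agg ... partner admin system id' and 'partner admin key'."""
    remote = pdu["actor"]
    problems = []
    if remote.system_id != expected_system_id.lower():
        problems.append(f"system id {remote.system_id}, expected {expected_system_id.lower()}")
    if remote.key != expected_key:
        problems.append(f"admin key {remote.key}, expected {expected_key}")
    if "aggregate" not in decode_state(remote.state):
        problems.append("remote port is individual (aggregate bit clear); it will not join the group")
    return problems


# Constructed sample, not a capture: the LACPDU a remote switch with system ID
# 00:20:da:06:ba:d3, key 7, port 49 sends once it has learned our port 1 as its partner.
SAMPLE_PDU = build_lacpdu(
    LacpInfo(0, "00:20:da:06:ba:d3", 7, 0, 49, DEFAULT_ADMIN_STATE),
    LacpInfo(0, "00:20:da:81:d5:b0", 7, 0, 1, encode_state("active", "aggregate")))

if __name__ == "__main__":
    parsed = parse_lacpdu(SAMPLE_PDU)
    print(parsed["actor"], sorted(decode_state(parsed["actor"].state)))
    print(check_remote(parsed, "00:20:da:06:ba:d3", 7))
```

The check reads the sender's actor TLV, because a switch describes itself in the actor field and echoes what it has learned about you in the partner field; a mismatch between the advertised system ID or key and the locally configured partner values is the usual reason a dynamic aggregate never comes up, and a clear aggregate bit means the remote port was set individual.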
Application Examples
Dynamic link aggregation groups are treated by the switch’s software the same way it treats individual
physical ports. This section demonstrates this by providing sample network configurations that use
dynamic aggregation along with other software features. In addition, tutorials are provided that show how
to configure these sample networks with Command Line Interface (CLI) commands.
Sample Network Overview
The figure below shows two VLANs on Switch A that use two different link aggregation groups. VLAN
10 has been configured on dynamic aggregate group 5 with the Spanning Tree Protocol (STP) at the highest
priority possible (15), and VLAN 12 has been configured on dynamic aggregate group 7 with 802.1Q
tagging and 802.1p priority bit settings.
[Figure: Sample Network Using Dynamic Link Aggregation. Switch A (OmniSwitch 9700) connects to
Switch B (OmniSwitch 9700) over Dynamic Aggregate Group 5, which VLAN 10 has been configured to use
with Spanning Tree at a priority of 15, and to Switch C (OmniSwitch 9700) over Dynamic Aggregate
Group 7, which VLAN 12 with 802.1Q tagging using 802.1p priority has been configured to use.]
The steps to configure VLAN 10 (Spanning Tree example) are described in “Link Aggregation and Spanning Tree Example” on page 14-30. The steps to configure VLAN 12 (802.1Q and 802.1p example) are
described in “Link Aggregation and QoS Example” on page 14-31.
Note. Although you would need to configure both the local (i.e., Switch A) and remote (i.e., Switches B
and C) switches, only the steps to configure the local switch are provided since the steps to configure the
remote switches are not significantly different.
Link Aggregation and Spanning Tree Example
As shown in the figure on page 14-29, VLAN 10, which uses the Spanning Tree Protocol (STP) with a
priority of 15, has been configured to use dynamic aggregate group 5. The actual physical links connect
ports 3/9 and 3/10 on Switch A to ports 1/1 and 1/2 on Switch B. Follow the steps below to configure this
network:
Note. Only the steps to configure the local (i.e., Switch A) are provided here since the steps to configure
the remote (i.e., Switch B) would not be significantly different.
1 Configure dynamic aggregate group 5 by entering:
-> lacp linkagg 5 size 2
2 Configure ports 3/9 and 3/10 with the same actor administrative key (5) by entering:
-> lacp agg 3/9 actor admin key 5
-> lacp agg 3/10 actor admin key 5
3 Create VLAN 10 by entering:
-> vlan 10
4 If the Spanning Tree Protocol (STP) has been disabled on this VLAN (STP is enabled by default),
enable it on VLAN 10 by entering:
-> vlan 10 stp enable
Note. Optional. Use the show spantree ports command to determine if the STP is enabled or disabled and
to display other STP parameters. For example:
-> show spantree 10 ports
Spanning Tree Port Summary for Vlan 10
       Adm  Oper Man.  Path  Desig       Fw  Prim. Adm  Op
 Port  Pri  St   St    mode  Cost  Cost  Role Tx  Port  Cnx  Cnx  Desig Bridge ID
-----+---+---+----+----+-----+-----+----+---+-----+---+---+--------------------
 3/13   7  ENA FORW   No    100     0   DESG  1  3/13  EDG  NPT  000A-00:d0:95:6b:0a:c0
 2/10   7  ENA FORW   No     19     0   DESG  1  2/10  PTP  PTP  000A-00:d0:95:6b:0a:c0
 5/2    7  ENA DIS    No      0     0   DIS   0  5/2   EDG  NPT  0000-00:00:00:00:00:00
 0/5    7  ENA FORW   No      4     0   DESG  1  0/10  PTP  PTP  000A-00:d0:95:6b:0a:c0
In the example above the link aggregation group is indicated by the “0” for the slot number.
5 Configure VLAN 10 (which uses dynamic aggregate group 5) to the highest (15) priority possible by
entering:
-> bridge 10 5 mode priority 15
6 Repeat steps 1 through 5 on Switch B. All the commands would be the same except you would substitute
the appropriate port numbers.
Link Aggregation and QoS Example
As shown in the figure on page 14-29, VLAN 12, which uses 802.1Q frame tagging and 802.1p prioritization, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 4/1,
4/2, 4/3, and 4/4 on Switch A to ports 1/1, 1/2, 1/3, and 1/4 on Switch C (a stack of four OmniSwitch 6800
Series switches). Follow the steps below to configure this network:
Note. Only the steps to configure the local (i.e., Switch A) switch are provided here since the steps to
configure the remote (i.e., Switch C) switch would not be significantly different.
1 Configure dynamic aggregate group 7 by entering:
-> lacp linkagg 7 size 4
2 Configure ports 4/1, 4/2, 4/3, and 4/4 with the same actor administrative key (7) by entering:
-> lacp agg 4/1 actor admin key 7
-> lacp agg 4/2 actor admin key 7
-> lacp agg 4/3 actor admin key 7
-> lacp agg 4/4 actor admin key 7
3 Create VLAN 12 by entering:
-> vlan 12
4 Configure 802.1Q tagging with a tagging ID (i.e., VLAN ID) of 12 on dynamic aggregate group 7 by
entering:
-> vlan 12 802.1q 7
5 If the QoS Manager has been disabled (it is enabled by default) enable it by entering:
-> qos enable
Note. Optional. Use the show qos config command to determine if the QoS Manager is enabled or
disabled.
6 Configure a policy condition for VLAN 12 called “vlan12_condition” by entering:
-> policy condition vlan12_condition destination vlan 12
7 Configure an 802.1p policy action with the highest priority possible (i.e., 7) for VLAN 12 called
“vlan12_action” by entering:
-> policy action vlan12_action 802.1P 7
8 Configure a QoS rule called “vlan12_rule” that uses the policy condition and policy action you configured
in steps 6 and 7 above by entering:
-> policy rule vlan12_rule enable condition vlan12_condition action vlan12_action
9 Enable your 802.1p QoS settings by entering qos apply as shown below:
-> qos apply
10 Repeat steps 1 through 9 on Switch C. All the commands would be the same except you would substi-
tute the appropriate port numbers.
Note. If you do not use the qos apply command any QoS policies you configured will be lost on the next
switch reboot.
Displaying Dynamic Link Aggregation Configuration and Statistics
You can use Command Line Interface (CLI) show commands to display the current configuration and
statistics of link aggregation. These commands include the following:
show linkagg
Displays information on link aggregation groups.
show linkagg port
Displays information on link aggregation ports.
When you use the show linkagg command without specifying the link aggregation group number and
when you use the show linkagg port command without specifying the slot and port number, these
commands provide a “global” view of switch-wide link aggregate group and link aggregate port information, respectively.
For example, to display global statistics on all link aggregate groups (both dynamic and static) you would
enter:
-> show linkagg
A screen similar to the following would be displayed:
Number Aggregate SNMP Id  Size Admin State   Oper State    Att/Sel Ports
-------+----------+--------+----+-------------+-------------+-------------
     1 Static    40000001    8 ENABLED       UP            2 2
     2 Dynamic   40000002    4 ENABLED       DOWN          0 0
     3 Dynamic   40000003    8 ENABLED       DOWN          0 2
     4 Static    40000005    2 DISABLED      DOWN          0 0
When you use the show linkagg command with the link aggregation group number and when you use the
show linkagg port command with the slot and port number, these commands provide detailed views of
the link aggregate group and port information, respectively. These detailed views provide excellent tools
for diagnosing and troubleshooting problems.
For example, to display detailed statistics for port 1 in slot 2 that is attached to dynamic link aggregate
group 1 you would enter:
-> show linkagg port 2/1
A screen similar to the following would be displayed:
Dynamic Aggregable Port
  SNMP Id                       : 2001,
  Slot/Port                     : 2/1,
  Administrative State          : ENABLED,
  Operational State             : DOWN,
  Port State                    : CONFIGURED,
  Link State                    : DOWN,
  Selected Agg Number           : NONE,
  Primary port                  : UNKNOWN,
LACP
  Actor System Priority         : 10,
  Actor System Id               : [00:d0:95:6a:78:3a],
  Actor Admin Key               : 8,
  Actor Oper Key                : 8,
  Partner Admin System Priority : 20,
  Partner Oper System Priority  : 20,
  Partner Admin System Id       : [00:00:00:00:00:00],
  Partner Oper System Id        : [00:00:00:00:00:00],
  Partner Admin Key             : 8,
  Partner Oper Key              : 0,
  Attached Agg Id               : 0,
  Actor Port                    : 7,
  Actor Port Priority           : 15,
  Partner Admin Port            : 0,
  Partner Oper Port             : 0,
  Partner Admin Port Priority   : 0,
  Partner Oper Port Priority    : 0,
  Actor Admin State             : act1.tim1.agg1.syn0.col0.dis0.def1.exp0,
  Actor Oper State              : act1.tim1.agg1.syn0.col0.dis0.def1.exp0,
  Partner Admin State           : act0.tim0.agg1.syn1.col1.dis1.def1.exp0,
  Partner Oper State            : act0.tim0.agg1.syn0.col1.dis1.def1.exp0
Note. See the “Link Aggregation Commands” chapter in the OmniSwitch CLI Reference Guide for
complete documentation of show commands for link aggregation.
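The Actor/Partner State strings in the listing above are the eight IEEE 802.3ad LACP state bits, and they are the first thing to read when a port is not being attached to its aggregate: in the sample the link is down, the partner values are still the administrative defaults (def1, meaning no LACPDU has been heard from the far end), and the actor is neither in sync nor collecting or distributing. The following decoder is an added example and not code from the OmniSwitch guide; the function names and the reason codes are this example's own, and SAMPLE_OUTPUT is constructed from the listing on the page.

```python
"""Decode "show linkagg port" LACP state strings and explain a non-forwarding port.

Added example, not from the OmniSwitch guide. The flag order act.tim.agg.syn.col.dis.def.exp
is the switch's rendering of the 802.3ad Actor_State/Partner_State bits.
"""

# Meaning of each 802.3ad state bit as the switch abbreviates it.
LACP_FLAGS = {
    "act": "LACP_Activity: 1 = active (sends LACPDUs unprompted), 0 = passive",
    "tim": "LACP_Timeout: 1 = short (1 s) timeout, 0 = long (30 s) timeout",
    "agg": "Aggregation: 1 = link may be aggregated, 0 = individual link only",
    "syn": "Synchronization: 1 = link is in sync with the chosen aggregator",
    "col": "Collecting: 1 = incoming frames on this link are accepted",
    "dis": "Distributing: 1 = outgoing frames are sent on this link",
    "def": "Defaulted: 1 = partner values are admin defaults (no LACPDUs heard)",
    "exp": "Expired: 1 = partner information has timed out",
}


def parse_lacp_state(text):
    """'act1.tim1.agg1.syn0.col0.dis0.def1.exp0' -> {'act': True, 'tim': True, ...}."""
    flags = {}
    for part in text.strip().rstrip(",").split("."):
        name, bit = part[:-1], part[-1:]
        if name not in LACP_FLAGS or bit not in ("0", "1") or name in flags:
            raise ValueError(f"malformed LACP state field {part!r} in {text!r}")
        flags[name] = bit == "1"
    if len(flags) != len(LACP_FLAGS):
        raise ValueError(f"expected {len(LACP_FLAGS)} flags, got {len(flags)}: {text!r}")
    return flags


def parse_show_linkagg_port(output):
    """Turn the 'Field : value,' listing into a dict; section titles without ':' are skipped."""
    fields = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")   # first ':' only, so MAC values survive
        if sep:
            fields[name.strip()] = value.strip().rstrip(",")
    return fields


def diagnose(fields):
    """Return reason codes, in check order, for a port that is not carrying aggregate traffic."""
    actor = parse_lacp_state(fields["Actor Oper State"])
    partner = parse_lacp_state(fields["Partner Oper State"])
    problems = []
    if fields.get("Link State", "").upper() != "UP":
        problems.append("LINK_DOWN")           # nothing can be negotiated without a link
    if not actor["act"] and not partner["act"]:
        problems.append("BOTH_PASSIVE")        # neither side ever sends an LACPDU
    if partner["def"]:
        problems.append("PARTNER_DEFAULTED")   # far end not speaking LACP, or mis-cabled
    if actor["exp"] or partner["exp"]:
        problems.append("EXPIRED")
    if not (actor["agg"] and partner["agg"]):
        problems.append("INDIVIDUAL_LINK")
    if not actor["syn"]:
        problems.append("NOT_IN_SYNC")
    if not (actor["col"] and actor["dis"]):
        problems.append("NOT_FORWARDING")
    return problems


# Constructed excerpt of the "show linkagg port 2/1" listing shown on the page.
SAMPLE_OUTPUT = """\
Dynamic Aggregable Port
  SNMP Id                       : 2001,
  Slot/Port                     : 2/1,
  Administrative State          : ENABLED,
  Operational State             : DOWN,
  Port State                    : CONFIGURED,
  Link State                    : DOWN,
  Selected Agg Number           : NONE,
  Primary port                  : UNKNOWN,
LACP
  Actor System Id               : [00:d0:95:6a:78:3a],
  Attached Agg Id               : 0,
  Actor Admin State             : act1.tim1.agg1.syn0.col0.dis0.def1.exp0,
  Actor Oper State              : act1.tim1.agg1.syn0.col0.dis0.def1.exp0,
  Partner Admin State           : act0.tim0.agg1.syn1.col1.dis1.def1.exp0,
  Partner Oper State            : act0.tim0.agg1.syn0.col1.dis1.def1.exp0
"""

if __name__ == "__main__":
    info = parse_show_linkagg_port(SAMPLE_OUTPUT)
    print(info["Slot/Port"], diagnose(info))
    for name, on in parse_lacp_state(info["Partner Oper State"]).items():
        print(f"  partner {name}={int(on)}  {LACP_FLAGS[name]}")
```

A PARTNER_DEFAULTED result on a link that is up usually means the far end is not configured for LACP at all (a static aggregate or a plain access port), and BOTH_PASSIVE means two passive ends that will never negotiate; both are worth alerting on, because a port that silently falls out of an aggregate changes where traffic is forwarded without any configuration change on the switch.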
15 Configuring IPv6
Internet Protocol version 6 (IPv6) is the next generation of Internet Protocol version 4 (IPv4). Both
versions are supported along with the ability to tunnel IPv6 traffic over IPv4. Implementing IPv6 solves
the limited address problem currently facing IPv4, which provides a 32-bit address space. IPv6 increases
the address space available to 128 bits.
Note. IPv6 is only supported on the OmniSwitch 6850 and OmniSwitch 9000 switches for this release.
In This Chapter
This chapter describes IPv6 and how to configure it through Command Line Interface (CLI). The CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
This chapter provides an overview of IPv6 and includes information about the following procedures:
• “Configuring an IPv6 Interface” on page 15-10.
• “Assigning IPv6 Addresses” on page 15-12.
• “Configuring IPv6 Tunnel Interfaces” on page 15-14.
IPv6 Specifications
RFCs Supported                        2460–Internet Protocol, Version 6 (IPv6) Specification
                                      2461–Neighbor Discovery for IP Version 6 (IPv6)
                                      2462–IPv6 Stateless Address Autoconfiguration
                                      2463–Internet Control Message Protocol (ICMPv6) for the
                                      Internet Protocol Version 6 (IPv6) Specification
                                      2464–Transmission of IPv6 Packets Over Ethernet Networks
                                      2893–Transition Mechanisms for IPv6 Hosts and Routers
                                      3513–Internet Protocol Version 6 (IPv6) Addressing Architecture
                                      3056–Connection of IPv6 Domains via IPv4 Clouds
Maximum IPv6 interfaces               100
Maximum IPv6 global unicast addresses 100
Maximum IPv6 routes when there are no 6000
IPv4 routes present (which includes
neighbor entries, RIPng routes, and
static routes)
Maximum IPv6 interfaces per VLAN      1
Maximum IPv6 interfaces per tunnel    1
Maximum IPv6 6to4 tunnels per switch  1
Maximum IPv6 configured tunnels per   255
switch
IPv6 Defaults
The following table lists the defaults for IPv6 configuration through the ipv6 commands.
Description                          Command          Default
Global status of IPv6 on the switch  N/A              Enabled
IPv6 interfaces                      ipv6 interface   None
Quick Steps for Configuring IPv6 Routing
The following tutorial assumes that VLAN 200 and VLAN 300 already exist in the switch configuration.
For information about how to configure VLANs, see Chapter 5, “Configuring VLANs.”
1 Configure an IPv6 interface for VLAN 200 by using the ipv6 interface command. For example:
-> ipv6 interface v6if-v200 vlan 200
Note that when the IPv6 interface is configured, the switch automatically generates a link-local address
for the interface. This allows for communication with other interfaces and/or devices on the same link,
but does not provide routing between interfaces.
2 Assign a unicast address to the v6if-v200 interface by using the ipv6 address command. For example:
-> ipv6 address 4100:1::/64 eui-64 v6if-v200
3 Configure an IPv6 interface for VLAN 300 by using the ipv6 interface command. For example:
-> ipv6 interface v6if-v300 vlan 300
4 Assign a unicast address to the v6if-v300 interface by using the ipv6 address command. For example:
-> ipv6 address 4100:2::/64 eui-64 v6if-v300
Note. Optional. To verify the IPv6 interface configuration, enter show ipv6 interface. For example:
-> show ipv6 interface
Name                 IPv6 Address/Prefix Length                 Status  Device
--------------------+------------------------------------------+-------+----------
v6if-v200            fe80::2d0:95ff:fe12:fab5/64                Down    VLAN 200
                     4100:1::2d0:95ff:fe12:fab5/64
                     4100:1::/64
v6if-v300            fe80::2d0:95ff:fe12:fab6/64                Down    VLAN 300
                     4100:2::2d0:95ff:fe12:fab6/64
                     4100:2::/64
loopback             ::1/128                                    Active  Loopback
                     fe80::1/64
Note that the link-local addresses for the two new interfaces and the loopback interface were automatically created and included in the show ipv6 interface display output. In addition, the subnet router anycast
address that corresponds to the unicast address is also automatically generated for the interface.
5 Enable RIPng for the switch by using the ipv6 load rip command. For example:
-> ipv6 load rip
6 Create a RIPng interface for each of the IPv6 VLAN interfaces by using the ipv6 rip interface
command. For example:
-> ipv6 rip interface v6if-v200
-> ipv6 rip interface v6if-v300
IPv6 routing is now configured for VLAN 200 and VLAN 300 interfaces, but it is not active until at least
one port in each VLAN goes active.
IPv6 Overview
IPv6 provides the basic functionality that is offered with IPv4 but includes the following enhancements
and features not available with IPv4:
• Increased IP address size—IPv6 uses a 128-bit address, a substantial increase over the 32-bit IPv4
address size. Providing a larger address size also significantly increases the address space available,
thus eliminating the concern over running out of IP addresses. See “IPv6 Addressing” on page 15-5 for
more information.
• Autoconfiguration of addresses—When an IPv6 interface is created or a device is connected to the
switch, an IPv6 link-local address is automatically assigned for the interface and/or device. See “Autoconfiguration of IPv6 Addresses” on page 15-6 for more information.
• Anycast addresses—A new type of address. Packets sent to an anycast address are delivered to one
member of the anycast group.
• Simplified header format—A simpler IPv6 header format is used to keep the processing and band-
width cost of IPv6 packets as low as possible. As a result, the IPv6 header is only twice the size of the
IPv4 header despite the significant increase in address size.
• Improved support for header options—Improved header option encoding allows more efficient
forwarding, fewer restrictions on the length of options, and greater flexibility to introduce new options.
• Security improvements—IPsec extension headers (the Authentication Header and the Encapsulating
Security Payload) provide support for authentication, data integrity, and confidentiality.
• Neighbor Discovery protocol—A protocol defined for IPv6 that detects neighboring devices on the
same link and the availability of those devices. Additional information that is useful for facilitating the
interaction between devices on the same link is also detected (e.g., neighboring address prefixes,
address resolution, duplicate address detection, link MTU, and hop limit values, etc.).
This implementation of IPv6 also provides the following mechanisms to maintain compatibility between
IPv4 and IPv6:
• Dual-stack support for both IPv4 and IPv6 on the same switch.
• Configuration of IPv6 and IPv4 interfaces on the same VLAN.
• Tunneling of IPv6 traffic over an IPv4 network infrastructure.
• Embedded IPv4 addresses in the 32 lower-order bits of the IPv6 address.
The remainder of this section provides a brief overview of the new IPv6 address notation, autoconfiguration of addresses, and tunneling of IPv6 over IPv4.
IPv6 Addressing
One of the main differences between IPv6 and IPv4 is that the address size has increased from 32 bits to
128 bits. Going to a 128-bit address also increases the size of the address space to the point where running
out of IPv6 addresses is not a concern.
The following types of IPv6 addresses are supported:
Unicast—Standard unicast addresses, similar to IPv4.
Multicast—Addresses that represent a group of devices. Traffic sent to a multicast address is delivered to
all members of the multicast group.
Anycast—Traffic that is sent to this type of address is delivered to one member of the anycast group. The
device that receives the traffic is usually the one that is easiest to reach as determined by the active routing protocol.
Note. IPv6 does not support the use of broadcast addresses. This functionality is replaced using improved
multicast addressing capabilities.
IPv6 address types are identified by the high-order bits of the address, as shown in the following table:
Address Type         Binary Prefix       IPv6 Notation
Unspecified          00...0 (128 bits)   ::/128
Loopback             00...1 (128 bits)   ::1/128
Multicast            11111111            FF00::/8
Link-local unicast   1111111010          FE80::/10
Site-local unicast   1111111011          FEC0::/10
Global unicast       everything else
Note. Site-local unicast addresses (FEC0::/10) were deprecated by RFC 3879 and should not be used in
new deployments.
Note that anycast addresses are unicast addresses that are not identifiable by a known prefix.
IPv6 Address Notation
IPv4 addresses are expressed using dotted decimal notation and consist of four eight-bit octets. If this
same method was used for IPv6 addresses, the address would contain 16 such octets, thus making it difficult to manage. IPv6 addresses are expressed using colon hexadecimal notation and consist of eight 16-bit
words, as shown in the following example:
1234:000F:531F:4567:0000:0000:BCD2:F34A
Note that any field may contain all zeros or all ones. In addition, it is possible to shorten IPv6 addresses by
suppressing leading zeros. For example:
1234:F:531F:4567:0:0:BCD2:F34A
Another method for shortening IPv6 addresses is known as zero compression. When an address contains
contiguous words that consist of all zeros, a double colon (::) is used to identify these words. For example, using zero compression the address 0:0:0:0:1234:531F:BCD2:F34A is expressed as follows:
::1234:531F:BCD2:F34A
Because the last four words of the above address are uncompressed values, the double colon indicates that
the first four words of the address all contain zeros. Note that using the double colon is only allowed once
within a single address. So if the address was 1234:531F:0:0:BCD2:F34A:0:0, a double colon could not
replace both sets of zeros. For example, the first two versions of this address shown below are valid, but
the last version is not valid:
1 1234:531F::BCD2:F34A:0:0
2 1234:531F:0:0:BCD2:F34A::
3 1234:531F::BCD2:F34A:: (not valid)
With IPv6 addresses that have long strings of zeros, the benefit of zero compression is more dramatic. For
example, address FF00:0:0:0:0:0:4501:32 becomes FF00::4501:32.
Note that the hexadecimal notation used for IPv6 addresses resembles the notation which is used for MAC
addresses. However, it is important to remember that IPv6 addresses still identify a device at the Layer 3
level and MAC addresses identify a device at the Layer 2 level.
Another supported IPv6 address notation embeds an IPv4 address in the 32 lower-order bits of the IPv6
address (the last two 16-bit words, written in dotted decimal). This is especially useful when dealing with a
mixed IPv4/IPv6 network. For example:
0:0:0:0:0:0:212.100.13.6
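The three notations above (full colon-hexadecimal, leading-zero suppression, and a single "::" zero compression, plus a trailing embedded dotted-quad IPv4 address) are implemented in the following parser and canonicalizer. It is an added example, not code from the OmniSwitch guide; the rules are written out by hand rather than delegated to Python's ipaddress module so that each rule is visible, the function names are this example's own, and the sample addresses are the ones shown on the page. The practical point is that the same address has many spellings, so any string comparison of IPv6 addresses (in an ACL, a log search, an allow list) must be done on the canonical form, never on the text as typed.

```python
"""Expand, validate and compress IPv6 textual addresses.

Added example, not from the OmniSwitch guide. Implements the notation rules
described on the page: 16-bit hex fields with optional leading zeros, at most
one '::' standing for one or more zero fields, and an embedded dotted-quad IPv4
address allowed only as the final 32 bits.
"""

HEX = set("0123456789abcdefABCDEF")


def _parse_words(chunk, ipv4_allowed):
    """Parse 'a:b:c[:w.x.y.z]' into 16-bit ints. A dotted quad is accepted only as the last
    field of the whole address, and only without leading zeros (no octal ambiguity)."""
    if chunk == "":
        return []
    parts = chunk.split(":")
    words = []
    for i, part in enumerate(parts):
        if "." in part:
            octets = part.split(".")
            ok = (ipv4_allowed and i == len(parts) - 1 and len(octets) == 4 and all(
                o.isascii() and o.isdigit() and int(o) <= 255 and (len(o) == 1 or o[0] != "0")
                for o in octets))
            if not ok:
                raise ValueError(f"bad embedded IPv4 address {part!r}")
            a, b, c, d = (int(o) for o in octets)
            words += [(a << 8) | b, (c << 8) | d]   # 32 bits -> the two low-order words
        elif 1 <= len(part) <= 4 and set(part) <= HEX:
            words.append(int(part, 16))            # leading zeros may be omitted
        else:
            raise ValueError(f"bad 16-bit field {part!r}")
    return words


def expand(text):
    """Return the eight 16-bit words of an address, or raise ValueError if it is malformed."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        hw = _parse_words(head, ipv4_allowed=False)
        tw = _parse_words(tail, ipv4_allowed=True)
        missing = 8 - len(hw) - len(tw)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        return hw + [0] * missing + tw
    words = _parse_words(text, ipv4_allowed=True)
    if len(words) != 8:
        raise ValueError(f"expected 8 fields, got {len(words)}")
    return words


def compress(words):
    """Canonical text form: lowercase, no leading zeros, and the longest run of two or more
    zero words (the first such run on a tie) replaced by '::'."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        j = i
        while j < 8 and words[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexw = [format(w, "x") for w in words]
    if best_len >= 2:
        return ":".join(hexw[:best_start]) + "::" + ":".join(hexw[best_start + best_len:])
    return ":".join(hexw)


def canonical(text):
    """Parse then re-emit, so that textually different spellings of one address compare equal."""
    return compress(expand(text))


def is_valid(text):
    try:
        expand(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("1234:000F:531F:4567:0000:0000:BCD2:F34A", "FF00:0:0:0:0:0:4501:32",
                   "1234:531F:0:0:BCD2:F34A::", "1234:531F::BCD2:F34A::", "::212.100.13.6"):
        print(f"{sample:42} -> {canonical(sample) if is_valid(sample) else 'INVALID'}")
```

The tie-breaking rule in compress (first run wins when two zero runs are the same length) reproduces the page's first valid spelling, 1234:531F::BCD2:F34A:0:0, and the canonical form rejects the third spelling, which uses "::" twice.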
IPv6 Address Prefix Notation
The Classless Inter-Domain Routing (CIDR) notation is used to express IPv6 address prefixes. This notation consists of the 128-bit IPv6 address followed by a slash (/) and a number representing the prefix
length (IPv6-address/prefix-length). For example, the following IPv6 address has a prefix length of 64
bits:
FE80::2D0:95FF:FE12:FAB2/64
Autoconfiguration of IPv6 Addresses
This implementation of IPv6 supports the stateless autoconfiguration of link-local addresses for IPv6
VLAN and tunnel interfaces and for devices when they are connected to the switch. Stateless refers to the
fact that little or no configuration is required to generate such addresses and there is no dependency on an
address configuration server, such as a DHCP server, to provide the addresses.
A link-local address is a private unicast address that identifies an interface or device on the local network.
This type of address allows communication with devices and/or neighboring nodes that are attached to the
same physical link. Routing between link-local addresses is not available, and link-local addresses are not
known or advertised to the general network.
When an IPv6 VLAN or a tunnel interface is created or a device is connected to the switch, a link-local
address is automatically generated for the interface or device. This type of address consists of the well-known IPv6 prefix FE80::/64 combined with an interface ID. The interface ID is derived from the router
MAC address associated with the IPv6 interface or the source MAC address if the address is for a device.
The resulting link-local address resembles the following example:
FE80::2d0:95ff:fe6b:5ccd/64
Note that when this example address was created, the MAC address (00:d0:95:6b:5c:cd) was modified by
inverting the universal/local bit of its first octet (bit value 0x02, which turns 00 into 02) and by inserting
the hex values 0xFF and 0xFE between the third and fourth octets of the address. These modifications are
made because IPv6 requires an interface ID in Modified EUI-64 format.
Stateless autoconfiguration is not available for assigning a global unicast or anycast address to an IPv6
interface. In other words, manual configuration is required to assign a non-link-local address to an interface. See “Assigning IPv6 Addresses” on page 15-12 for more information.
Both stateless and stateful autoconfiguration are supported for devices, such as a workstation, when they are
connected to the switch. When the stateless method is used in this instance, the device listens for router
advertisements in order to obtain a subnet prefix. The unicast address for the device is then formed by
combining the subnet prefix with the interface ID for that device.
Stateful autoconfiguration refers to the use of an independent server, such as a DHCP server, to obtain an
IPv6 unicast address and other related information. Of course, manual configuration of an IPv6 address is
always available for devices as well.
Regardless of how an IPv6 address is obtained, duplicate address detection (DAD) is performed before the
address is assigned to an interface or device. If a duplicate is found, the address is not assigned. Note that
DAD is not performed for anycast addresses.
Please refer to RFCs 2462, 2464, and 3513 for more technical information about autoconfiguration and
IPv6 address notation.
Tunneling IPv6 over IPv4
It is likely that IPv6 and IPv4 network infrastructures will coexist for some time, if not indefinitely.
Tunneling provides a mechanism for transitioning an IPv4 network to IPv6 and/or maintaining interoperability between IPv4 and IPv6 networks. This implementation of IPv6 supports tunneling of IPv6 traffic
over IPv4. There are two types of tunnels supported, 6to4 and configured.
Note. RIPng is not supported over 6to4 tunnels. However, it is possible to create a RIPng interface for a
configured tunnel. See “Configuring IPv6 Tunnel Interfaces” on page 15-14 for more information.
6to4 Tunnels
6to4 tunneling provides a mechanism for transporting IPv6 host traffic over an IPv4 network infrastructure to other IPv6 hosts and/or domains without having to configure explicit tunnel endpoints. Instead, an
IPv6 6to4 tunnel interface is created at points in the network where IPv6 packets are encapsulated (IPv4
header added) prior to transmission over the IPv4 network or decapsulated (IPv4 header stripped) for
transmission to an IPv6 destination.
An IPv6 6to4 tunnel interface is identified by its assigned address, which is derived by combining a 6to4
well-known prefix (2002) with a globally unique IPv4 address and embedded as the first 48 bits of an IPv6
address. For example, 2002:d467:8a89::137/64, where D467:8A89 is the hex equivalent of the IPv4
address 212.103.138.137.
6to4 tunnel interfaces are configured on routers and identify a 6to4 site. Because 6to4 tunnels are point-to-multipoint in nature, any one 6to4 router can communicate with one or more other 6to4 routers across the
IPv4 cloud. Two common scenarios for using 6to4 tunnels are described below.
6to4 Site to 6to4 Site over IPv4 Domain
In this scenario, isolated IPv6 sites have connectivity over an IPv4 network through 6to4 border routers.
An IPv6 6to4 tunnel interface is configured on each border router and assigned an IPv6 address with the
6to4 well-known prefix, as described above. IPv6 hosts serviced by the 6to4 border router have at least
one IPv6 router interface configured with a 6to4 address. Note that additional IPv6 interfaces or external
IPv6 routing protocols are not required on the 6to4 border router.
The following diagram illustrates the basic traffic flow between IPv6 hosts communicating over an IPv4
domain:
[Figure: two 6to4 sites, each consisting of a 6to4 host behind an IPv6 6to4 border router, connected to each
other across an IPv4 domain]
In the above diagram:
1 The 6to4 hosts receive the 6to4 prefix from a Router Advertisement.
2 The 6to4 host sends IPv6 packets to 6to4 border router.
3 The 6to4 border router encapsulates IPv6 packets with IPv4 headers and sends to the destination 6to4
border router over the IPv4 domain.
4 The destination 6to4 border router strips IPv4 header and forwards to 6to4 destination host.
6to4 Site to IPv6 Site over IPv4/IPv6 Domains
In this scenario, 6to4 sites have connectivity to native IPv6 domains through a relay router, which is
connected to both the IPv4 and IPv6 domains. The 6to4 border routers are still used by 6to4 sites for
encapsulating/decapsulating host traffic and providing connectivity across the IPv4 domain. In addition,
each border router has a default IPv6 route pointing to the relay router.
In essence, a relay router is a 6to4 border router on which a 6to4 tunnel interface is configured. However,
a native IPv6 router interface is also required on the relay router to transmit 6to4 traffic to/from IPv6 hosts
connected to an IPv6 domain. Therefore, the relay router participates in both the IPv4 and IPv6 routing
domains.
The following diagram illustrates the basic traffic flow between native IPv6 hosts and 6to4 sites:
[Figure: a 6to4 site (6to4 host and IPv6 6to4 border router) connected across an IPv4 domain to an
IPv6/IPv4 6to4 relay router, which connects through an IPv6 domain and an IPv6 router to an IPv6 site
containing an IPv6 host]
In the above diagram:
1 The 6to4 relay router advertises a route to 2002::/16 on its IPv6 router interface.
2 IPv6 host traffic received by the relay router whose destination address matches 2002::/16 is routed
to the 6to4 tunnel interface configured on the relay router.
3 The traffic routed to the 6to4 tunnel interface is then encapsulated into IPv4 headers and sent to the
destination 6to4 router over the IPv4 domain.
4 The destination 6to4 router strips the IPv4 header and forwards it to the IPv6 destination host.
For more information about configuring an IPv6 6to4 tunnel interface, see “Configuring an IPv6 Interface” on page 15-10 and “Configuring IPv6 Tunnel Interfaces” on page 15-14. For more detailed information and scenarios for using 6to4 tunnels, refer to RFC 3056.
Configured Tunnels
A configured tunnel is where the endpoint addresses are manually configured to create a point-to-point
tunnel. This type of tunnel is similar to the 6to4 tunnel on which IPv6 packets are encapsulated in IPv4
headers to facilitate communication over an IPv4 network. The difference between the two types of
tunnels is that configured tunnel endpoints require manual configuration, whereas 6to4 tunneling relies on
an embedded IPv4 destination address to identify tunnel endpoints.
For more information about IPv6 configured tunnels, see “Configuring IPv6 Tunnel Interfaces” on
page 15-14. For more detailed information about configured tunnels, refer to RFC 2893. Note that RFC
2893 also discusses automatic tunnels, which are not supported with this implementation of IPv6.
Configuring an IPv6 Interface
The ipv6 interface command is used to create an IPv6 interface for a VLAN or a tunnel. Note the following when configuring an IPv6 interface:
• A unique interface name is required for both a VLAN and tunnel interface.
• If creating a VLAN interface, the VLAN must already exist. See Chapter 5, “Configuring VLANs,” for
more information.
• If creating a tunnel interface, a tunnel ID or 6to4 is specified. Only one 6to4 tunnel is allowed per
switch, so it is not necessary to specify an ID when creating this type of tunnel.
• If a tunnel ID is specified, then a configured tunnel interface is created. This type of tunnel requires
additional configuration by using the ipv6 interface tunnel source destination command. See
“Configuring IPv6 Tunnel Interfaces” on page 15-14 for more information.
• The following configurable interface parameters are set to their default values unless otherwise specified when the ipv6 interface command is used:
IPv6 interface parameters: mtu, ra-send, ra-max-interval, ra-managed-config-flag, ra-other-config-flag,
ra-reachable-time, ra-retrans-timer, ra-default-lifetime, ra-send-mtu, base-reachable-time
Refer to the ipv6 interface command page in the OmniSwitch CLI Reference Guide for more details
regarding these parameters.
• Each VLAN can have one IPv6 interface. Configuring both an IPv4 and IPv6 interface on the same
VLAN is allowed. Note that the VLAN interfaces of both types are not active until at least one port
associated with the VLAN goes active.
• A link-local address is automatically configured for an IPv6 interface, except for 6to4 tunnels, when
the interface is configured. For more information regarding how this address is formed, see “Autoconfiguration of IPv6 Addresses” on page 15-6.
• Assigning more than one IPv6 address to a single IPv6 interface is allowed.
• Assigning the same link-local address to multiple interfaces is allowed. Each global unicast prefix,
however, can only exist on one interface. For example, if an interface for a VLAN 100 is configured
with an address 4100:1000::1/64, an interface for VLAN 200 cannot have an address 4100:1000::2/64.
• Each IPv6 interface anycast address must also have a unique prefix. However, multiple devices may
share the same anycast address prefix to identify themselves as members of the anycast group.
To create an IPv6 interface for a VLAN or configured tunnel, enter ipv6 interface followed by an interface name, then vlan (or tunnel) followed by a VLAN ID (or tunnel ID). For example, the following two
commands create an IPv6 interface for VLAN 200 and an interface for tunnel 35:
-> ipv6 interface v6if-v200 vlan 200
-> ipv6 interface v6if-tunnel-35 tunnel 35
To create an IPv6 interface for a 6to4 tunnel, use the following command:
-> ipv6 interface v6if-6to4 tunnel 6to4
Use the show ipv6 interface command to verify the interface configuration for the switch. For more information about this command, see the OmniSwitch CLI Reference Guide.
Modifying an IPv6 Interface
The ipv6 interface command is also used to modify existing IPv6 interface parameter values. It is not
necessary to first remove the interface and then create it again with the new values. The changes specified
will overwrite existing parameter values. For example, the following command changes the router advertisement (RA) reachable time and the RA retransmit timer values for interface v6if-v200:
-> ipv6 interface v6if-v200 ra-reachable-time 60000 ra-retrans-timer 2000
When an existing interface name is specified with the ipv6 interface command, the command modifies
specified parameters for that interface. If an unknown interface name is entered along with an existing
VLAN or tunnel parameter, a new interface is created with the name specified.
Removing an IPv6 Interface
To remove an IPv6 interface from the switch configuration, use the no form of the ipv6 interface
command. Note that it is only necessary to specify the name of the interface, as shown in the following
example:
-> no ipv6 interface v6if-v200
Assigning IPv6 Addresses
As was previously mentioned, when an IPv6 interface is created for a VLAN or a configured tunnel, an
IPv6 link-local address is automatically created for that interface. This is also true when a device, such as a
workstation, is connected to the switch.
Link-local addresses, although private and non-routable, enable interfaces and workstations to communicate with other interfaces and workstations that are connected to the same link. This simplifies getting
devices up and running on the local network. If this level of communication is sufficient, assigning additional addresses is not required.
If it is necessary to identify an interface or device to the entire network, or as a member of a particular
group, or enable an interface to perform routing functions, then configuring additional addresses (e.g.,
global unicast or anycast) is required.
Use the ipv6 address command to manually assign addresses to an existing interface (VLAN or tunnel) or
device. For example, the following command assigns a global unicast address to the VLAN interface
v6if-v200:
-> ipv6 address 4100:1000::20/64 v6if-v200
In the above example, 4100:1000:: is specified as the subnet prefix and 20 is the interface identifier. Note
that the IPv6 address is expressed using CIDR notation to specify the prefix length. In the above example,
/64 indicates a subnet prefix length of 64 bits.
To use the MAC address of an interface or device as the interface ID, specify the eui-64 option with this
command. For example:
-> ipv6 address 4100:1000::/64 eui-64 v6if-v200
The above command example creates address 4100:1000::2d0:95ff:fe12:fab2/64 for interface v6if-v200.
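The derivation used here for the eui-64 option is the same Modified EUI-64 transformation described under “Autoconfiguration of IPv6 Addresses” for link-local addresses: flip the universal/local bit of the first MAC octet and insert FF:FE in the middle. The following is an added example that reproduces it, along with the subnet router anycast address the switch creates beside each global unicast address; it is not the switch's code, the function names are this example's own, and the MAC addresses are the ones implied by the addresses shown on the page. The mac_from_eui64 function makes the practitioner's caveat concrete: an EUI-64 interface ID embeds the NIC's MAC address, so it reveals the hardware vendor, stays constant under every prefix the host ever uses, and lets a single host be tracked across networks. That is why hosts typically use temporary, randomized interface IDs (privacy extensions, RFC 3041, later RFC 4941) for outbound connections, and why EUI-64 is best reserved for router interfaces and servers that need a stable, predictable address.

```python
"""Modified EUI-64 interface IDs, as used for link-local and 'ipv6 address ... eui-64'.

Added example, not from the OmniSwitch guide. The 48-bit MAC is split into its
OUI and NIC halves, FF:FE is inserted between them, and the universal/local bit
(0x02 of the first octet) is inverted, giving a 64-bit interface ID.
"""
import ipaddress


def modified_eui64(mac):
    """48-bit MAC 'xx:xx:xx:xx:xx:xx' -> 8-byte Modified EUI-64 interface ID."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])   # insert FF:FE after the OUI
    iid[0] ^= 0x02                                            # invert the universal/local bit
    return bytes(iid)


def eui64_address(prefix, mac):
    """Combine a prefix of at most /64 with the interface ID derived from mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        # Same rule the switch enforces: prefix plus 64-bit interface ID must fit in 128 bits.
        raise ValueError(f"prefix {prefix} is longer than /64; an EUI-64 ID does not fit")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local(mac):
    """The address the switch generates automatically for an interface or neighbor."""
    return eui64_address("fe80::/64", mac)


def subnet_router_anycast(prefix):
    """The prefix with an all-zero interface ID, created with every global unicast address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address))


def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 address, or None if the ID is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    print("link-local        :", link_local("00:d0:95:6b:5c:cd"))
    print("global (eui-64)   :", eui64_address("4100:1000::/64", "00:d0:95:12:fa:b2"))
    print("subnet anycast    :", subnet_router_anycast("4100:1000::20/64"))
    print("MAC recovered     :", mac_from_eui64("fe80::2d0:95ff:fe6b:5ccd"))
```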
Note the following when configuring IPv6 addresses:
• It is possible to assign more than one address to a single interface.
• Any field of an address may contain all zeros or all ones. The exception is that the interface
identifier portion of the address cannot be all zeros, because that form is the subnet router anycast
address. If the eui-64 option is specified with the ipv6 address command, this is not an issue.
• The EUI-64 interface identifier takes up the last 64 bits of the 128-bit IPv6 address. If the subnet prefix
combined with the EUI-64 interface ID is longer than 128 bits, an error occurs and the address is not
created.
• A subnet router anycast address is automatically created when a global unicast address is assigned to an
interface. The anycast address is derived from the global address by adding an interface ID of all zeros
to the prefix of the global address. For example, the global address 4100:1000::20/64 generates the
anycast address 4100:1000::/64.
• Devices, such as a PC, are eligible for stateless autoconfiguration of unicast addresses in addition to the
link-local address. If this type of configuration is in use on the network, manual configuration of
addresses is not required.
• IPv6 VLAN or tunnel interfaces are only eligible for stateless autoconfiguration of their link-local
addresses. Manual configuration of addresses is required for all additional addresses.
See “IPv6 Addressing” on page 15-5 for an overview of IPv6 address notation. Refer to RFC 3513 for
more technical address information.
Removing an IPv6 Address
To remove an IPv6 address from an interface, use the no form of the ipv6 address command.
-> no ipv6 address 4100:1000::20/64 v6if-v200
Note that the subnet router anycast address is automatically deleted when the last unicast address of the
same subnet is removed from the interface.
Configuring IPv6 Tunnel Interfaces
There are two types of tunnels supported, 6to4 and configured. Both types facilitate the interaction of IPv6
networks with IPv4 networks by providing a mechanism for carrying IPv6 traffic over an IPv4 network
infrastructure. This is an important function since it is more than likely that both protocols will need to
coexist within the same network for some time.
A 6to4 tunnel is configured by creating an IPv6 6to4 tunnel interface on a router. This interface is then
assigned an IPv6 address with an embedded well-known 6to4 prefix (e.g., 2002) combined with an IPv4
destination address. This is all done using the ipv6 interface and ipv6 address commands. For example,
the following commands create a 6to4 tunnel interface:
-> ipv6 interface v6if-6to4-192 tunnel 6to4
-> ipv6 address 2002:d467:8a89::/48 v6if-6to4-192
In the above example, 2002 is the well-known prefix that identifies a 6to4 tunnel. The d467:8a89 part of
the address that follows 2002 is the hexadecimal equivalent of the IPv4 address 212.103.138.137
(212 = d4, 103 = 67, 138 = 8a, 137 = 89). Note that an IPv4 interface configured with the embedded IPv4
address is required on the switch, and that address must be a public unicast address: do not configure a
private (e.g., 192.168.10.1), broadcast, or unspecified address as the embedded IPv4 address, since remote
6to4 routers send their encapsulated traffic to exactly that address.
One of the main benefits of 6to4 tunneling is that no other configuration is required to identify tunnel
endpoints. The router that the 6to4 tunnel interface is configured on will encapsulate IPv6 packets in IPv4
headers and send them to the IPv4 destination address where they will be processed. This is particularly
useful in situations where the IPv6 host is isolated.
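The EUI-64 derivation and subnet router anycast rule from "Assigning IPv6 Addresses", together with the 6to4 prefix construction above, can be checked offline. The following Python script is an added example; it is not code from this guide or from Alcatel. It reproduces the guide's 4100:1000::2d0:95ff:fe12:fab2/64 and 2002:d467:8a89::/48 results. The MAC address 00:d0:95:12:fa:b2 is an assumption (it is the MAC that yields the guide's EUI-64 example), and the check on the embedded IPv4 address implements the guide's caveat against private, broadcast and unspecified addresses.

```python
import ipaddress

# Constructed sample inputs. The prefix and IPv4 address come from the guide's
# command examples; the MAC is an assumption chosen so that it yields the
# guide's example EUI-64 address 4100:1000::2d0:95ff:fe12:fab2.
EXAMPLE_PREFIX = "4100:1000::/64"
EXAMPLE_MAC = "00:d0:95:12:fa:b2"
EXAMPLE_6TO4_IPV4 = "212.103.138.137"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A).

    The MAC is split in half, ff:fe is inserted between the halves, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Prefix plus EUI-64 interface ID, as `ipv6 address <prefix> eui-64` does.

    A prefix longer than /64 leaves no room for the 64-bit ID; the switch
    reports an error in that case, so this function raises instead.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{prefix} combined with a 64-bit EUI-64 ID exceeds 128 bits")
    addr = ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))
    return ipaddress.IPv6Interface(f"{addr}/{net.prefixlen}")


def subnet_router_anycast(address: str) -> ipaddress.IPv6Address:
    """Subnet-router anycast address: the prefix with an all-zero interface ID."""
    return ipaddress.IPv6Interface(address).network.network_address


def can_embed_in_6to4(ipv4: str) -> bool:
    """Only a globally reachable unicast IPv4 address may be embedded in a 6to4 prefix.

    Remote 6to4 routers extract this address from the prefix and send their
    encapsulated IPv4 packets to it, so private, loopback, link-local,
    multicast, unspecified and broadcast addresses can never work.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    return not (v4.is_private or v4.is_loopback or v4.is_link_local or v4.is_multicast
                or v4.is_unspecified or v4 == ipaddress.IPv4Address("255.255.255.255"))


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Build the 2002:V4ADDR::/48 prefix for a 6to4 tunnel interface (RFC 3056)."""
    if not can_embed_in_6to4(ipv4):
        raise ValueError(f"{ipv4} cannot be embedded in a 6to4 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 2002 occupies bits 127..112 and the IPv4 address bits 111..80 of the 128-bit address.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


if __name__ == "__main__":
    print(eui64_address(EXAMPLE_PREFIX, EXAMPLE_MAC))   # 4100:1000::2d0:95ff:fe12:fab2/64
    print(subnet_router_anycast("4100:1000::20/64"))    # 4100:1000::
    print(sixto4_prefix(EXAMPLE_6TO4_IPV4))             # 2002:d467:8a89::/48
    print(can_embed_in_6to4("192.168.10.1"))            # False
```

Run the script before pasting a 6to4 address into the switch: if can_embed_in_6to4 returns False for the IPv4 interface address you intend to use, no remote 6to4 router will be able to return traffic to the tunnel.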
The second type of tunnel supported is referred to as a configured tunnel. With this type of tunnel it is
necessary to specify an IPv4 address for the source and destination tunnel endpoints. Note that if bidirectional communication is desired, then it is also necessary to create the tunnel interface at each end of the
tunnel.
Creating an IPv6 configured tunnel involves the following general steps:
• Create an IPv6 tunnel interface using the ipv6 interface command.
• Associate an IPv4 source and destination address with the tunnel interface by using the ipv6 interface
tunnel source destination command. These addresses identify the tunnel endpoints.
• Associate an IPv6 address with the tunnel interface by using the ipv6 address command.
• Configure a tunnel interface and associated addresses at the other end of tunnel.
The following example commands create the v6if-tunnel-137 configured tunnel:
-> ipv6 interface v6if-tunnel-137 tunnel 1
-> ipv6 interface v6if-tunnel-137 tunnel source 212.103.138.137 destination
212.109.138.195
-> ipv6 address 4132:4000::/64 eui-64 v6if-tunnel-137
Note that RIPng is not supported over 6to4 tunnels, but is allowed over configured tunnels. To use this
protocol on a configured tunnel, a RIPng interface is created for the tunnel interface. For example, the
following command creates a RIPng interface for tunnel v6if-tunnel-137:
-> ipv6 rip interface v6if-tunnel-137
Verifying the IPv6 Configuration
A summary of the show commands used for verifying the IPv6 configuration is given here:
show ipv6 interface
Displays the status and configuration of IPv6 interfaces.
show ipv6 tunnel
Displays IPv6 configured tunnel information and whether the 6to4
tunnel is enabled or not.
show ipv6 routes
Displays the IPv6 Forwarding Table.
show ipv6 prefixes
Displays IPv6 subnet prefixes used in router advertisements.
show ipv6 hosts
Displays the IPv6 Local Host Table.
show ipv6 neighbors
Displays the IPv6 Neighbor Table.
show ipv6 traffic
Displays statistics for IPv6 traffic.
show ipv6 icmp statistics
Displays ICMP6 statistics.
show ipv6 pmtu table
Displays the IPv6 Path MTU Table.
show ipv6 tcp ports
Displays TCP Over IPv6 Connection Table. Contains information
about existing TCP connections between IPv6 endpoints.
show ipv6 udp ports
Displays the UDP Over IPv6 Listener Table. Contains information
about UDP/IPv6 endpoints.
For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
16 Configuring RIP
Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop count
as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of their own
routing table. The RIP routing table uses the most efficient route to a destination, that is, the route with the
fewest hops and longest matching prefix.
The switch supports RIP version 1 (RIPv1), RIP version 2 (RIPv2), and RIPv2 that is compatible with
RIPv1. It also supports text key and MD5 authentication, on an interface basis, for RIPv2.
In This Chapter
This chapter describes RIP and how to configure it through the Command Line Interface (CLI). It includes
instructions for configuring basic RIP routing and fine-tuning RIP by using optional RIP configuration
parameters (e.g., RIP send/receive option and RIP interface metric). It also details RIP redistribution,
which allows a RIP network to exchange routing information with networks running different protocols
(e.g., OSPF and BGP). CLI commands are used in the configuration examples; for more details about the
syntax of commands, see the OmniSwitch CLI Reference Guide.
This chapter provides an overview of RIP and includes information about the following procedures:
• RIP Routing
– Loading RIP (see page 16-6)
– Enabling RIP (see page 16-6)
– Creating a RIP Interface (see page 16-7)
– Enabling a RIP Interface (see page 16-7)
• RIP Options
– Configuring the RIP Forced Hold-down Interval (see page 16-9)
– Enabling a RIP Host Route (see page 16-9)
• RIP Redistribution
– Enabling RIP Redistribution (see page 16-10)
– Configuring RIP Redistribution Policies (see page 16-10)
– Configuring RIP Redistribution Filters (see page 16-11)
• RIP Security
– Configuring Authentication Type (see page 16-14)
– Configuring Passwords (see page 16-14)
RIP Specifications
RFCs Supported                  RFC 1058, RIP v1
                                RFC 2453, RIP v2
                                RFC 1722, RIP v2 Protocol Applicability Statement
                                RFC 1724, RIP v2 MIB Extension
Maximum Number of RIP Routes    2048
RIP Defaults
The following table lists the defaults for RIP configuration through the ip rip command.
Description                        Command                                Default
RIP Status                         ip rip status                          disable
RIP Forced Hold-down Interval      ip rip force-holddowntimer             0
RIP Interface Metric               ip rip interface metric                1
RIP Interface Send Version         ip rip interface send-version          v2
RIP Interface Receive Version      ip rip interface recv-version          both
RIP Host Route                     ip rip host-route                      enable
RIP Route Tag                      ip rip route-tag                       0
Redistribution Status              ip rip redist status                   disable
Redistribution Metric              ip rip redist metric                   0
Redistribution Filter Effect       ip rip redist-filter effect            permit
Redistribution Filter Metric       ip rip redist-filter metric            0
Redistribution Filter Control      ip rip redist-filter redist-control    all-subnets
Redistribution Filter Route Tag    ip rip redist-filter route-tag         0
RIP Interface Authentication       ip rip interface auth-type             none
Quick Steps for Configuring RIP Routing
To forward packets to a device on a different VLAN, you must create a router port on each VLAN. To
route packets by using RIP, you must enable RIP and create a RIP interface on the router port. The following steps show you how to enable RIP routing between VLANs “from scratch”. If active VLANs and
router ports have already been created on the switch, go to Step 7.
1 Create VLAN 1 with a description (e.g., VLAN 1) by using the vlan command. For example:
-> vlan 1 name "VLAN 1"
2 Create VLAN 2 with a description (e.g., VLAN 2) by using the vlan command. For example:
-> vlan 2 name "VLAN 2"
3 Assign an active port to VLAN 1 by using the vlan port default command. For example, the following
command assigns port 1 on slot 1 to VLAN 1:
-> vlan 1 port default 1/1
4 Assign an active port to VLAN 2 by using the vlan port default command. For example, the following
command assigns port 2 on slot 1 to VLAN 2:
-> vlan 2 port default 1/2
5 Configure an IP interface to enable IP routing on a VLAN by using ip interface. For example:
-> ip interface vlan-1 address 171.10.1.1 vlan 1
6 Configure an IP interface to enable IP routing on a VLAN by using ip interface. For example:
-> ip interface vlan-2 address 171.11.1.1 vlan 2
7 Load RIP into the switch memory by using the ip load rip command. For example:
-> ip load rip
8 Enable RIP on the switch by using the ip rip status command. For example:
-> ip rip status enable
9 Create a RIP interface on VLAN 1 by using the ip rip interface command. For example:
-> ip rip interface 171.10.1.1
10 Enable the RIP interface by using the ip rip interface status command. For example:
-> ip rip interface 171.10.1.1 status enable
11 Create a RIP interface on VLAN 2 by using the ip rip interface command. For example:
-> ip rip interface 171.11.1.1
12 Enable the RIP interface by using the ip rip interface status command. For example:
-> ip rip interface 171.11.1.1 status enable
13 Enable redistribution of local routes on the switch by using the ip rip redist command. For example:
-> ip rip redist local
14 Use the ip rip redist-filter command to redistribute all local routes. For example:
-> ip rip redist-filter local 0.0.0.0 0.0.0.0
15 Enable RIP redistribution by using the ip rip redist status command. For example:
-> ip rip redist status enable
Note. For more information on VLANs and router ports, see Chapter 5, “Configuring VLANs.”
RIP Overview
In switching, traffic may be transmitted from one media type to another within the same VLAN. Switching
happens at Layer 2, the link layer; routing happens at Layer 3, the network layer. In IP routing, traffic
can be transmitted across VLANs. When IP routing is enabled, the switch uses routing protocols to build
routing tables that keep track of the networks reachable from the switch and decide the best path for
forwarding data. When the switch receives a packet to be routed, it strips off the MAC header and examines
the IP header. It looks up the destination address in the routing table, and then adds the MAC header for
the appropriate next hop to the packet. Calculating routing tables and stripping/adding MAC headers is
performed by switch software.
IP is associated with several Layer 3 routing protocols. RIP is built into the base code loaded onto the
switch. Others are part of Alcatel’s optional Advanced Routing Software. IP supports the following IP
routing protocols:
• RIP—An IGP that defines how routers exchange information. RIP makes routing decisions by using a
“least-cost path” method. RIPv1 and RIPv2 services allow the switch to learn routing information from
neighboring RIP routers. For more information and instructions for configuring RIP, see “RIP Routing” on page 16-5.
• Open Shortest Path First (OSPF)—An IGP that provides a routing function similar to RIP but uses
different techniques to determine the best route for a datagram. OSPF is part of Alcatel’s optional
Advanced Routing Software. For more information see the “Configuring OSPF” chapter in the
OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide.
When RIP is initially enabled on a switch, it issues a request for routing information, and listens for
responses to the request. If a switch configured to supply RIP hears the request, it responds with a
response packet based on information in its routing database. The response packet contains destination
network addresses and the routing metric for each destination. When a RIP response packet is received,
RIP takes the information and rebuilds the switch’s routing database, adding new routes and “better”
(lower metric) routes to destinations already listed in the database.
RIP uses a hop count metric to measure the distance to a destination. In the RIP metric, a switch advertises directly connected networks at a metric of 1. Networks that are reachable through one other gateway
are 2 hops, networks that are reachable through two gateways are 3 hops, etc. Thus, the number of hops (or
hop count) along a path from a given source to a given destination refers to the number of networks that
are traversed by a datagram along that path. When a switch receives a routing update that contains a new
or changed destination network entry, the switch adds one to the metric value indicated in the update and
enters the network in the routing table. After updating its routing table, the switch immediately begins
transmitting routing updates to inform other network switches of the change. These updates are sent independently of the regularly scheduled updates. By default, RIP packets are broadcast every 30 seconds,
even if no change has occurred anywhere in a route or service.
RIP deletes routes from the database if the next switch to that destination says the route contains more
than 15 hops. In addition, all routes through a gateway are deleted by RIP if no updates are received from
that gateway for a specified time period. If a gateway is not heard from for 180 seconds, all routes from
that gateway are placed in a hold-down state. If the hold-down timer value is exceeded, the routes are
deleted from the routing database. These intervals also apply to deletion of specific routes.
RIP Version 2
RIP version 2 (RIPv2) adds capabilities to RIP. Not all RIPv2 enhancements are compatible with RIPv1. To
avoid supplying information to RIPv1 routers that could be misinterpreted, RIPv2 uses the non-compatible
features only when its packets are multicast. Multicast is not supported by RIPv1. On interfaces that are
not compatible with IP multicast, the RIPv1-compatible (broadcast) packets used do not contain potentially
confusing information. RIPv2 enhancements are listed below.
• Next Hop—RIPv2 can advertise a next hop other than the switch supplying the routing update. This
capability is useful when advertising a static route to a silent switch not using RIP, since packets passing through the silent switch do not have to cross the network twice.
• Network Mask—RIPv1 assumes that all subnetworks of a given network have the same network mask.
It uses this assumption to calculate the network masks for all routes received. This assumption prevents
subnets with different netmasks from being included in RIP packets. RIPv2 adds the ability to specify
the network mask with each network in a packet. Because RIPv1 switches ignore the network mask in
RIPv2 packets, their calculation of the network mask could possibly be wrong. For this reason, RIPv1-
compatible RIPv2 packets cannot contain networks that would be misinterpreted by RIPv1. These
networks must only be provided in native RIPv2 packets that are multicast.
• Authentication—RIPv2 packets can contain an authentication entry that is used to verify the validity
of the supplied routing data. Authentication may be used in RIPv1-compatible RIPv2 packets, but
RIPv1 switches will ignore the authentication information. With the simple-password type, an
authentication key of up to 16 characters is carried in cleartext in the packet; if this key does not match
the configured authentication key, the packet is discarded. Because the key can be read by anyone able
to capture RIP traffic on the segment, simple-password authentication only guards against misconfigured
neighbors; use the MD5 authentication type, which the switch also supports, where forged updates are a
concern. For more information on RIP authentication, see “RIP Security” on page 16-14.
• IP Multicast—IP Multicast Switching (IPMS) is a one-to-many communication technique employed by
emerging applications such as video distribution, news feeds, netcasting, and resource discovery.
Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any
subnetwork that has at least one device requesting the multicast traffic. For more information on IPMS,
see Chapter 28, “Configuring IP Multicast Switching.”
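The RIPv2 packet layout, the simple-password authentication entry and the hop-count handling described in this overview, as an added example. This is not the switch's code and is not from the guide; it follows the RFC 2453 wire format. The sender encodes a RIPv2 Response and prepends a simple-password entry when a key is configured; the receiver discards mismatching or unexpectedly authenticated packets, adds one hop to each received route and treats a metric of 16 as unreachable. The prefixes, metrics and the password s3cret are constructed sample data. The last helper shows why the simple-password type is weak: the key is visible to anyone who captures the broadcast or multicast update, which is the reason to prefer the MD5 type the switch also supports.

```python
from __future__ import annotations

import hmac
import ipaddress
import struct

# RIPv2 wire format (RFC 2453): a 4-byte header followed by 20-byte entries.
RIP_RESPONSE = 2
RIP_VERSION_2 = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF            # address family that marks an authentication entry
AUTH_SIMPLE_PASSWORD = 2     # cleartext key; type 3 would be keyed MD5 (RFC 2082)
RIP_INFINITY = 16            # 15 hops is the largest usable metric
ENTRY_LEN = 20

HEADER = struct.Struct("!BBH")              # command, version, must be zero
AUTH_ENTRY = struct.Struct("!HH16s")        # AFI 0xFFFF, auth type, 16-byte key
ROUTE_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, prefix, mask, next hop, metric


def build_response(routes: list[tuple[str, int]], password: str | None = None,
                   route_tag: int = 0) -> bytes:
    """Encode a RIPv2 Response for the given (prefix, metric) routes.

    With `password`, a simple-password authentication entry is prepended as
    the first entry. The key is at most 16 characters and is sent in cleartext.
    """
    pkt = HEADER.pack(RIP_RESPONSE, RIP_VERSION_2, 0)
    if password is not None:
        key = password.encode("ascii")
        if not 1 <= len(key) <= 16:
            raise ValueError("simple-password key must be 1 to 16 characters")
        pkt += AUTH_ENTRY.pack(AFI_AUTH, AUTH_SIMPLE_PASSWORD, key.ljust(16, b"\x00"))
    for prefix, metric in routes:
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric {metric} out of range")
        net = ipaddress.IPv4Network(prefix)
        pkt += ROUTE_ENTRY.pack(AFI_IP, route_tag, net.network_address.packed,
                                net.netmask.packed, b"\x00" * 4, metric)
    return pkt


def process_response(pkt: bytes, configured_password: str | None = None
                     ) -> list[tuple[str, int]] | None:
    """Validate a received RIPv2 Response and return the routes to consider.

    Returns None when the packet is discarded. Each returned metric already
    includes the hop for the link the update arrived on; RIP_INFINITY (16)
    means the route is unreachable and must be removed rather than installed.
    """
    if len(pkt) < HEADER.size or (len(pkt) - HEADER.size) % ENTRY_LEN:
        return None
    command, version, _ = HEADER.unpack_from(pkt)
    if command != RIP_RESPONSE or version != RIP_VERSION_2:
        return None
    entries = [pkt[i:i + ENTRY_LEN] for i in range(HEADER.size, len(pkt), ENTRY_LEN)]

    # RFC 2453 section 5.2: a receiver with a configured key discards
    # unauthenticated and mismatching packets; a receiver without a key
    # discards packets that carry an authentication entry.
    has_auth = bool(entries) and entries[0][:2] == b"\xff\xff"
    if configured_password is None:
        if has_auth:
            return None
    else:
        if not has_auth:
            return None
        _, auth_type, key = AUTH_ENTRY.unpack(entries[0])
        expected = configured_password.encode("ascii").ljust(16, b"\x00")
        # compare_digest keeps the comparison time independent of where the keys differ
        if auth_type != AUTH_SIMPLE_PASSWORD or not hmac.compare_digest(key, expected):
            return None
        entries = entries[1:]

    routes: list[tuple[str, int]] = []
    for entry in entries:
        afi, _tag, prefix, mask, _next_hop, metric = ROUTE_ENTRY.unpack(entry)
        if afi != AFI_IP or not 1 <= metric <= RIP_INFINITY:
            continue  # RFC 2453: ignore an invalid entry, not the whole packet
        try:
            net = ipaddress.IPv4Network(
                f"{ipaddress.IPv4Address(prefix)}/{ipaddress.IPv4Address(mask)}")
        except ValueError:
            continue  # non-contiguous mask or host bits set
        # Add one hop for the link the update arrived on, saturating at infinity.
        routes.append((str(net), min(metric + 1, RIP_INFINITY)))
    return routes


def key_is_visible(pkt: bytes, password: str) -> bool:
    """True when the configured key can be read straight out of the packet bytes."""
    return password.encode("ascii") in pkt


if __name__ == "__main__":
    # Constructed sample update: two routes and a simple password.
    update = build_response([("10.1.0.0/16", 1), ("10.2.0.0/16", 15)], password="s3cret")
    print(process_response(update, "s3cret"))   # [('10.1.0.0/16', 2), ('10.2.0.0/16', 16)]
    print(process_response(update, "wrong"))    # None: key mismatch, packet discarded
    print(key_is_visible(update, "s3cret"))     # True: the key is in cleartext on the wire
```

The second route illustrates the 15-hop limit from the overview: advertised at 15, it arrives as 16 after the receiving hop is added and is treated as unreachable rather than installed.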
RIP Routing
IP routing requires IP router ports to be configured on VLANs and a routing protocol to be enabled and
configured on the switch. RIP also requires a RIP interface to be created and enabled on the routing port.
In the illustration below, a router port and RIP interface have been configured on each VLAN. Therefore,
workstations connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both
switches have been assigned to VLAN 2, and a physical connection has been made between the switches.
Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected
to VLAN 3 on Switch 2.
[Figure: RIP Routing. Switch 1 and Switch 2 each hold a RIP routing table, and a router port with a RIP interface is configured on each VLAN. Switch 1 carries VLAN 1 (network 110.0.0.0) and VLAN 2 (network 120.0.0.0); Switch 2 carries VLAN 2 (network 120.0.0.0) and VLAN 3 (network 130.0.0.0). A physical connection on VLAN 2 joins the two switches. Addresses shown: 110.0.0.1, 110.0.0.2, 130.0.0.1, 130.0.0.2.]
Loading RIP
When the switch is initially configured, RIP must be loaded into the switch memory. Use the ip load rip
command to load RIP.
To remove RIP from the switch memory, you must manually edit the boot.cfg file. The boot.cfg file is an
ASCII text-based file that controls many of the switch parameters. Open the file and delete all references
to RIP. You must reboot the switch when this is complete.
Note. In simple networks where only IP forwarding is required, you may not want to use RIP. If you are
not using RIP, it is best not to load it to save switch resources.
Enabling RIP
RIP is disabled by default. Use the ip rip status command to enable RIP routing on the switch. For example:
-> ip rip status enable
Use the ip rip status disable command to disable RIP routing on the switch. Use the show ip rip
command to display the current RIP status.
Creating a RIP Interface
You must create a RIP interface on a VLAN’s IP router port to enable RIP routing. Enter the ip rip interface command followed by the IP address of the VLAN router port. For example, to create a RIP interface on a router port with an IP address of 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1
Use the no ip rip interface command to delete a RIP interface. Use the show ip rip interface command
to display configuration and error information for a RIP interface.
Note. You can create a RIP interface even if an IP router port has not been configured. However, RIP will
not function unless a RIP interface is created and enabled on an IP router port. For more information on
VLANs and router ports, see Chapter 5, “Configuring VLANs.”
Enabling a RIP Interface
Once you have created a RIP interface, you must enable it to enable RIP routing. Use the ip rip interface
status command followed by the interface IP address to enable a RIP interface. For example, to enable
RIP routing on a RIP interface 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1 status enable
To disable an RIP interface, use the disable keyword with the ip rip interface status command. For
example to disable RIP routing on a RIP interface 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1 status disable
Configuring the RIP Interface Send Option
The RIP Send option defines the type(s) of RIP packets that the interface will send. Using this command
will override RIP default behavior. Other devices must be able to interpret the information provided by
this command or routing information will not be properly exchanged between the switch and other devices
on the network.
Use the ip rip interface send-version command to configure an individual RIP interface Send option.
Enter the IP address of the RIP interface, and then enter a Send option. For example, to configure a RIP
interface 172.22.2.115 to send only RIPv1 packets you would enter:
-> ip rip interface 172.22.2.115 send-version v1
The Send options are:
• v1. Only RIPv1 packets will be sent by the switch.
• v2. Only RIPv2 packets will be sent by the switch.
• v1compatible. Only RIPv2 broadcast packets (not multicast) will be sent by the switch.
• none. Interface will not forward RIP packets.
The default RIP send option is v2.
Use the show ip rip interface command to display the current interface send option.
Configuring the RIP Interface Receive Option
The RIP Receive option defines the type(s) of RIP packets that the interface will accept. Using this
command will override RIP default behavior. Other devices must be able to interpret the information
provided by this command or routing information will not be properly exchanged between the switch and
other devices on the network.
Use the ip rip interface recv-version command to configure an individual RIP interface Receive option.
Enter the IP address of the RIP interface, and then enter a Receive option. For example, to configure RIP
interface 172.22.2.115 to receive only RIPv1 packets you would enter:
-> ip rip interface 172.22.2.115 recv-version v1
The Receive options are:
• v1. Only RIPv1 packets will be received by the switch.
• v2. Only RIPv2 packets will be received by the switch.
• both. Both RIPv1 and RIPv2 packets will be received by the switch.
• none. Interface ignores any RIP packets received.
The default RIP receive option is both.
Configuring the RIP Interface Metric
You can influence which routes the switch prefers by assigning a metric value to a RIP interface. For
example, routes learned from a neighboring switch may arrive with a hop count of 1. Increasing the metric
of the RIP interface on which they are received makes those routes less preferred than the same
destinations learned through other interfaces.
Note. When you configure a metric for a RIP interface, this metric cost is added to the metric of the
incoming route.
Use the ip rip interface metric command to configure the RIP metric or cost for routes generated by a
RIP interface. Enter the IP address of the RIP interface as well as a metric value. For example, to set a
metric value of 2 for the RIP interface 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1 metric 2
The valid metric range is 1 to 15. The default is 1.
Use the show ip rip interface command to display the current interface metric.
Configuring the RIP Interface Route Tag
Use the ip rip route-tag command to configure a route tag value for routes generated by the RIP interface. This value is used to set priorities for RIP routing. Enter the command and the route tag value. For
example, to set a route tag value of 1 you would enter:
-> ip rip route-tag 1
The valid route tag value range is 1 to 2147483647. The default is 0.
Use the show ip rip command to display the current route tag value.
RIP Options
The following sections detail procedures for configuring RIP options. RIP must be loaded and enabled on
the switch before you can configure any of the RIP configuration options.
Configuring the RIP Forced Hold-Down Interval
The RIP forced hold-down timer value defines an amount of time, in seconds, during which routing
information regarding better paths is suppressed. A route enters a forced hold-down state when an update
packet is received that indicates the route is unreachable and this timer is set to a non-zero value.
After this timer has expired, if its value is less than 120 seconds, the route remains in the normal
hold-down state until the remainder of the 120 seconds has also expired. During this remaining time the
switch will accept any advertisements for better paths that are received.
Note that the forced hold-down timer is not the same as the RIP hold-down timer. The RIP hold-down
timer is fixed at 120 seconds and is not configurable. The forced hold-down timer defines a separate interval that overlaps the hold-down state. During the forced hold-down timer interval, the switch will not
accept better routes from other gateways.
Use the ip rip force-holddowntimer command to configure the interval during which a RIP route
remains in a forced hold-down state. Enter the command and the forced hold-down interval value, in
seconds. For example, to set a forced hold-down interval value of 10 seconds you would enter:
-> ip rip force-holddowntimer 10
The valid forced hold-down timer range is 0 to 120. The default is 0.
Use the show ip rip command to display the current forced hold-down timer value.
Enabling a RIP Host Route
A host route is a route to a single host rather than to a network. Enabling it allows the switch to reach a
directly attached host without a lookup in the RIP table. If a switch is directly attached to a host on a
network, use the ip rip host-route command to enable the host route. For example:
-> ip rip host-route
Host routes are enabled by default.
Use the no ip rip host-route command to disable the host route. Use the show ip rip command to display
the current host route status.
RIP Redistribution
Redistribution provides a way to exchange routing information between RIP networks and OSPF and BGP
networks. It also redistributes local and static routes into RIP. Basically, redistribution makes a non-RIP
route look like a RIP route. Configuring RIP redistribution consists of the following tasks:
1 Enabling RIP Redistribution
2 Configuring a RIP Redistribution Policy
3 Configuring a RIP Redistribution Filter
– Creating a Filter
– Configuring a Redistribution Filter Action (optional)
– Configuring a Redistribution Metric (optional).
Enabling RIP Redistribution
RIP redistribution is disabled by default. Use the ip rip redist status command to enable redistribution.
For example:
-> ip rip redist status enable
Use the ip rip redist status disable command to disable redistribution. Use the show ip rip command to
display the RIP redistribution status.
Configuring a RIP Redistribution Policy
After enabling RIP redistribution, configure a policy that defines the route types that will be redistributed
into RIP. Only the route types you configure will be redistributed into RIP. When you configure a redistribution policy, RIP is automatically enabled.
Use the ip rip redist command to define the route types that will be redistributed. Enter the command, and
then enter the route type. For example, to redistribute OSPF routes into the RIP you would enter:
-> ip rip redist ospf
The redistribution route types are:
• local. Redistribute local routes into RIP.
• static. Redistribute static routes into RIP.
• ospf. Redistribute routes learned through OSPF into RIP.
Use the no ip rip redist command to delete a redistribution policy. For example, to “turn off” redistribution of OSPF routes you would enter:
-> no ip rip redist ospf
Note. If you are configuring more than one route type, you must repeat the command for each one.
Use the show ip rip redist command to display the status of RIP policies.
Configuring a Redistribution Metric
When redistributing routes into RIP, the metric for the redistributed route is calculated as a summation of
the route’s metric and the corresponding metric in the redistribution policy. This is the case when the
matching filter metric is 0 (the default). However, if the matching redistribution filter metric is set to a
non-zero value, the redistributed route’s metric is set to the filter metric. This gives better control of the
metric when redistributing non-RIP routes into RIP.
Note that if the metric calculated for the redistributed route, as described above, is greater than 15
(RIP_UNREACHABLE) or greater than the metric of an existing pure RIP route, the new route is not
redistributed.
Use the ip rip redist metric command to configure the RIP metric or cost for a route type. Enter the
command, specify the route type to be redistributed, and then enter a metric value. For example:
-> ip rip redist ospf metric 2
The valid metric range is 0 to 15 (default is 0).
Note. You must configure a redistribution policy before configuring a redistribution metric for that type.
See “Configuring a RIP Redistribution Policy” on page 16-10 for information on configuring redistribution policies. If you are configuring a metric value for more than one route type, you must repeat the
command for each one.
Configuring a RIP Redistribution Filter
After configuring a redistribution policy (e.g., OSPF), you must specify what routes will be redistributed
by configuring a redistribution filter. Only routes matching the policy and destination specified in the filter
will be redistributed into RIP. Creating a RIP redistribution filter consists of the following steps:
• Creating a Redistribution Filter
• Configuring the Redistribution Filter Action (optional)
• Configuring the Redistribution Filter Metric (optional)
• Configuring the Redistribution Filter Route Control Action (optional)
• Configuring a Redistribution Filter Route Tag (optional).
Note. You must first configure a redistribution policy before configuring a filter for a route type. See
“Configuring a RIP Redistribution Policy” on page 16-10 for information on configuring redistribution
policies.
Creating a Redistribution Filter
Use the ip rip redist-filter command to create a RIP redistribution filter. Enter the command, the route
type, and the destination IP address and mask of the traffic you want to redistribute. Only routes matching
the policy and destination specified in the filter will be redistributed into the RIP and passed to the destination. For example, to redistribute OSPF routes destined for the 10.0.0.0 network you would enter:
-> ip rip redist-filter ospf 10.0.0.0 255.0.0.0
Note. A network/subnetwork of 0.0.0.0 0.0.0.0 will redistribute all routes for the configured route type.
Use the no ip rip redist-filter command to delete a filter. For example, to “turn off” redistribution for
OSPF routes to the 10.0.0.0 network you would enter:
-> no ip rip redist-filter ospf 10.0.0.0 255.0.0.0
Use the show ip rip redist-filter command to display the currently configured redistribution filters.
Note. Local interfaces will not be added to the RIP routing table unless RIP redistribution is enabled and a
filter is added for the local protocol.
Configuring a Redistribution Filter Action
By default, redistribution filters allow (permit) routes that match the criteria specified in the filter to be
redistributed. However, you can use the redistribution filter action feature to “fine-tune” a filter. You may
want to redistribute all routes to a network except routes destined for a particular subnet. In this case, you
would “permit” all traffic to the network but “deny” traffic to a particular subnet.
Use the ip rip redist-filter effect command to configure the redistribution filter action. Enter the
command, specify the route type to be redistributed, enter the destination IP address/mask, and then enter
whether to permit redistribution (permit) or deny redistribution (deny).
For example, if you wanted to redistribute all OSPF routes to the 172.22.0.0 network except routes to
subnetwork 3 you would use the following commands:
-> ip rip redist-filter ospf 172.22.0.0 255.255.0.0 effect permit
-> ip rip redist-filter ospf 172.22.3.0 255.255.255.0 effect deny
Configuring a Redistribution Filter Metric
You can prioritize redistribution of route types to a network by assigning a metric value to a route type(s).
The default redistribution filter metric is 1. However, you can lower the priority of a route type by increasing its metric value. For example, if you want to give priority to OSPF routes to a particular network, you
would set the metric value for the other route types to 2.
Use the ip rip redist-filter metric command to configure a metric value. Enter the command, specify the
route type to be redistributed, enter the destination IP address/mask, and then enter the metric value. For
example, if you wanted to lower the priority of OSPF routes to a network and all other route types were
set to the default metric of 1, you would need to set a metric value of 2 for OSPF routes destined for that
network.
-> ip rip redist-filter ospf 172.22.0.0 255.255.0.0 metric 2
Note. If you are configuring a metric value for more than one route type, you must repeat the command
for each one.
The redistribution filter metric range is 0 to 15. The default is 0.
Configuring the Redistribution Filter Route Control Action
In certain cases, the specified route to be filtered will be either an aggregate route or a subnet. In these
cases, the route may comprise several routes. It is possible to redistribute these routes separately or not
using the ip rip redist-filter redist-control command. Enter the command, specify the route type to be
redistributed, enter the destination IP address/mask, and then enter a route control action:
• all-subnets. Redistributes all subnet routes that match this filter, if permitted (default).
• aggregate. Redistributes an aggregate route if there are one or more routes that match this filter.
• no-subnets. Redistributes only those routes that exactly match the redistribution filter.
For example, if the route being filtered is an aggregate or subnet route and the routes that comprise the
aggregate or subnet route should not be redistributed, enter the ip rip redist-filter redist-control
command, and the no-subnets keyword.
-> ip rip redist-filter ospf 172.22.0.0 255.255.0.0 redist-control no-subnets
Note. By default, filters are set to allow subnet routes to be advertised. If this is the filter action required, it
is not necessary to use the redist-control keyword.
Configuring a Redistribution Filter Route Tag
The redistribution route tag specifies the route tag with which routes matching a filter are redistributed
into the RIP. The default value is zero (0), which means that the route tag used will be the one in the route,
if specified.
Use the ip rip redist-filter route-tag command to configure a redistribution route tag. Enter the
command, specify the route type to be redistributed, enter the destination IP address/mask, and then enter
the route tag value. For example, if you wanted to configure a route tag value of 1 for OSPF routes to the
172.22.0.0 network you would enter:
-> ip rip redist-filter ospf 172.22.0.0 255.255.0.0 route-tag 1
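The filter behaviour described in the preceding subsections (permit/deny action, metric, redist-control and route tag) modelled in Python, as an added example that is not the switch's own code. It assumes that the most specific matching filter wins, which is what the 172.22.0.0 permit / 172.22.3.0 deny example implies, and it runs over constructed OSPF and static routes.

```python
"""Model of OmniSwitch RIP redistribution filter evaluation (added example).

Assumptions (not stated by the guide): the most specific matching filter
wins, so a deny for 172.22.3.0/24 overrides a permit for 172.22.0.0/16, and
a route "matches" a filter when its prefix lies inside the filter's network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass
class RedistFilter:
    """One 'ip rip redist-filter <type> <ip> <mask> ...' entry."""
    route_type: str                      # e.g. "ospf", "local", "static"
    network: IPv4Network                 # destination IP address + mask
    effect: str = "permit"               # 'effect permit' (default) or 'effect deny'
    metric: int = 1                      # 'metric N' (guide text gives 1 as default)
    redist_control: str = "all-subnets"  # all-subnets | aggregate | no-subnets
    route_tag: int = 0                   # 'route-tag N'; 0 = keep the route's own tag


@dataclass
class Route:
    route_type: str
    network: IPv4Network
    tag: int = 0


@dataclass
class RipRoute:
    network: IPv4Network
    metric: int
    tag: int


def most_specific_filter(route: Route, filters: List[RedistFilter]) -> Optional[RedistFilter]:
    """Return the matching filter with the longest mask, or None.

    A 0.0.0.0 0.0.0.0 filter matches every route of its type (guide note).
    """
    candidates = [f for f in filters
                  if f.route_type == route.route_type
                  and route.network.subnet_of(f.network)]
    if not candidates:
        return None
    return max(candidates, key=lambda f: f.network.prefixlen)


def redistribute(routes: List[Route], filters: List[RedistFilter]) -> List[RipRoute]:
    """Apply the filters to candidate routes and return what enters RIP."""
    out: Dict[IPv4Network, RipRoute] = {}
    for route in routes:
        flt = most_specific_filter(route, filters)
        if flt is None or flt.effect == "deny":
            continue                          # unmatched or denied: not redistributed
        tag = flt.route_tag if flt.route_tag != 0 else route.tag
        if flt.redist_control == "aggregate":
            advertised = flt.network          # one aggregate if at least one route matched
        elif flt.redist_control == "no-subnets":
            if route.network != flt.network:
                continue                      # only exact matches pass
            advertised = route.network
        else:                                 # all-subnets (default)
            advertised = route.network
        out.setdefault(advertised, RipRoute(advertised, flt.metric, tag))
    return sorted(out.values(),
                  key=lambda r: (int(r.network.network_address), r.network.prefixlen))


def demo() -> List[RipRoute]:
    """Reproduce the guide's 172.22.0.0 example with constructed OSPF routes."""
    filters = [
        RedistFilter("ospf", ip_network("172.22.0.0/16"), effect="permit", metric=2, route_tag=1),
        RedistFilter("ospf", ip_network("172.22.3.0/24"), effect="deny"),
        RedistFilter("ospf", ip_network("10.0.0.0/8"), redist_control="aggregate"),
    ]
    routes = [                                # constructed sample routing table
        Route("ospf", ip_network("172.22.1.0/24")),
        Route("ospf", ip_network("172.22.3.0/24")),       # denied by the /24 filter
        Route("ospf", ip_network("172.22.3.128/25")),     # also inside the denied /24
        Route("ospf", ip_network("10.1.0.0/16"), tag=7),
        Route("ospf", ip_network("10.2.0.0/16"), tag=7),
        Route("static", ip_network("192.168.5.0/24")),    # no static filter: dropped
    ]
    return redistribute(routes, filters)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.network}  metric={r.metric}  tag={r.tag}")
```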
RIP Security
By default, no authentication is used for RIP. However, you can configure a password for a RIP
interface. To configure a password, you must first select the authentication type (simple or MD5), and then
configure a password.
Configuring Authentication Type
If simple or MD5 password authentication is used, both switches on either end of a link must share the
same password. Use the ip rip interface auth-type command to configure the authentication type. Enter
the IP address of the RIP interface, and then enter an authentication type:
• none. No authentication will be used.
• simple. Simple password authentication will be used.
• md5. MD5 authentication will be used.
For example, to configure the RIP interface 172.22.2.115 for simple authentication you would enter:
-> ip rip interface 172.22.2.115 auth-type simple
To configure the RIP interface 172.22.2.115 for MD5 authentication you would enter:
-> ip rip interface 172.22.2.115 auth-type md5
Configuring Passwords
If you configure simple or MD5 authentication you must configure a text string that will be used as the
password for the RIP interface. If a password is used, all switches that are intended to communicate with
each other must share the same password.
After configuring the interface for simple authentication as described above, configure the password for
the interface by using the ip rip interface auth-key command. Enter the IP address of the RIP interface,
and then enter a 16-byte text string. For example, to configure a password “nms” you would enter:
-> ip rip interface 172.22.2.115 auth-key nms
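What the two authentication types put on the wire, as an added Python example that is not the switch's code: with simple authentication the 16-byte password itself travels in the packet, while with MD5 only a digest bound to the packet contents does, and a receiver with the shared key can reject a wrong key or an altered route. The guide names only the two modes; the entry layouts used here are assumed from RFC 1723 (simple) and RFC 2082 (keyed MD5), and all packets are constructed in memory.

```python
"""RIP-2 authentication entries: simple password vs. keyed MD5 (added example).

Layouts follow RFC 1723 (type 2, simple) and RFC 2082 (type 3, keyed MD5);
the guide only names the two modes, so the on-wire detail here is assumed,
not taken from the switch. Constructed data only; nothing is sent.
"""
import hashlib
import hmac
import struct
from ipaddress import ip_address

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_SIMPLE, AUTH_MD5 = 2, 3


def pad_key(key: str) -> bytes:
    """RIP keys are 16 bytes (the guide's '16-byte text string'); shorter keys are zero-padded."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("RIP authentication key longer than 16 bytes")
    return raw.ljust(16, b"\x00")


def route_entry(prefix: str, mask: str, next_hop: str, metric: int, tag: int = 0) -> bytes:
    """One 20-byte RIP-2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag,
                       ip_address(prefix).packed, ip_address(mask).packed,
                       ip_address(next_hop).packed, metric)


def rip_simple(routes: list, password: str) -> bytes:
    """Response with a type-2 entry: the password travels in clear text."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH", 0xFFFF, AUTH_SIMPLE) + pad_key(password)
    return header + auth + b"".join(routes)


def rip_md5(routes: list, key: str, key_id: int = 1, seq: int = 1) -> bytes:
    """Response with a type-3 entry and a keyed-MD5 trailer (RFC 2082 style).

    Digest = MD5(packet through the 4-byte trailer header || 16-byte key);
    the digest, not the key, is what goes on the wire.
    """
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    pkt_len = 4 + 20 + len(body)            # excludes the 20-byte authentication trailer
    auth = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq, b"\x00" * 8)
    trailer_hdr = struct.pack("!HH", 0xFFFF, 0x0001)
    unsigned = header + auth + body + trailer_hdr
    digest = hashlib.md5(unsigned + pad_key(key)).digest()
    return unsigned + digest


def verify_md5(packet: bytes, key: str) -> bool:
    """Receiver side: recompute the digest with the shared key and compare."""
    if len(packet) < 24 + 20:
        return False
    afi, atype, pkt_len, _key_id, dlen = struct.unpack("!HHHBB", packet[4:12])
    if afi != 0xFFFF or atype != AUTH_MD5 or dlen != 16:
        return False
    if len(packet) != pkt_len + 20:
        return False                        # trailer must start exactly at pkt_len
    unsigned, got = packet[:pkt_len + 4], packet[pkt_len + 4:]
    expect = hashlib.md5(unsigned + pad_key(key)).digest()
    return hmac.compare_digest(expect, got)  # constant-time comparison


def password_visible(packet: bytes, password: str) -> bool:
    """True when the padded password appears verbatim in the packet."""
    return pad_key(password) in packet


def tamper_metric(packet: bytes, new_metric: int) -> bytes:
    """Alter the metric of the first route entry (header 4 + auth entry 20 + metric offset 16)."""
    off = 4 + 20 + 16
    return packet[:off] + struct.pack("!I", new_metric) + packet[off + 4:]
```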
Verifying the RIP Configuration
A summary of the show commands used for verifying the RIP configuration is given here:
show ip rip | Displays the RIP status and general configuration parameters (e.g., forced hold-down timer).
show ip rip routes | Displays the RIP routing database. The routing database contains all the routes learned through RIP.
show ip rip interface | Displays the RIP interface status and configuration.
show ip rip peer | Displays active RIP neighbors (peers).
show ip rip redist | Displays general RIP redistribution parameters.
show ip rip redist-filter | Displays currently configured RIP redistribution filters.
For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
17
Configuring RDP
Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on
their networks. This implementation of RDP supports the router requirements as defined in RFC 1256.
In This Chapter
This chapter describes the RDP feature and how to configure RDP parameters through the Command Line
Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax
of commands, see the OmniSwitch CLI Reference Guide.
The following procedures are described:
• “Enabling/Disabling RDP” on page 17-8.
• “Creating an RDP Interface” on page 17-8.
• “Specifying an Advertisement Destination Address” on page 17-9.
• “Defining the Advertisement Interval” on page 17-9.
• “Setting the Advertisement Lifetime” on page 17-10.
• “Setting the Preference Levels for Router IP Addresses” on page 17-10.
• “Verifying the RDP Configuration” on page 17-11.
RDP Specifications
RFCs Supported | RFC 1256–ICMP Router Discovery Messages
Router advertisements | Supported
Host solicitations | Only responses to solicitations supported in this release.
Maximum number of RDP interfaces per switch | One for each available IP interface configured on the switch.
Advertisement destination addresses | 224.0.0.1 (all systems multicast); 255.255.255.255 (broadcast)
RDP Defaults
Parameter Description | CLI Command | Default Value/Comments
RDP status for the switch | ip router-discovery | Disabled
RDP status for switch interfaces (router VLAN IP addresses) | ip router-discovery interface | Disabled
Advertisement destination address for an active RDP interface | ip router-discovery interface advertisement-address | All systems multicast (224.0.0.1)
Maximum time between advertisements sent from an active RDP interface | ip router-discovery interface max-advertisement-interval | 600 seconds
Minimum time between advertisements sent from an active RDP interface | ip router-discovery interface min-advertisement-interval | 450 seconds (0.75 * maximum advertisement interval)
Maximum time IP addresses contained in an advertisement packet are considered valid | ip router-discovery interface advertisement-lifetime | 1800 seconds (3 * maximum advertisement interval)
Preference level for IP addresses contained in an advertisement packet | ip router-discovery interface preference-level | 0
Quick Steps for Configuring RDP
Configuring RDP involves enabling RDP operation on the switch and creating RDP interfaces to advertise VLAN router IP addresses on the LAN. There is no order of configuration involved. For example, it is
possible to create RDP interfaces even if RDP is not enabled on the switch.
The following steps provide a quick tutorial on how to configure RDP. Each step describes a specific
operation and provides the CLI command syntax for performing that operation.
1 Enable RDP operation on the switch.
-> ip router-discovery enable
Note. Optional. To verify the global RDP configuration for the switch, enter the show ip router-discovery command. The display is similar to the one shown below:
-> show ip router-discovery
Status        = Enabled,
RDP uptime    = 161636 secs
#Packets Tx   = 4,
#Packets Rx   = 0,
#Send Errors  = 0,
#Recv Errors  = 0,
For more information about this command, refer to the “RDP Commands” chapter in the OmniSwitch CLI
Reference Guide.
2 Use the following command to create an RDP interface for an IP router interface. In this example, an
RDP interface is created for the IP router interface named Marketing (note that the IP interface is referenced by its name).
-> ip router-discovery interface Marketing enable
3 When an RDP interface is created, default values are set for the interface advertisement destination
address, transmission interval, lifetime, and preference level parameters. If you want to change the
default values for these parameters, see “Creating an RDP Interface” on page 17-8.
Note. Optional. To verify the RDP configuration for all RDP interfaces, enter the show ip router-discovery interface command. The display is similar to the one shown below:
-> show ip router-discovery interface
                      IP i/f   RDP i/f  VRRP i/f       Next  #Pkts
Name                  status   status   status(#mast)  Advt  sent recvd
---------------------+--------+--------+--------------+----+----------
Marketing             Disabled Enabled  Disabled(0)    9     0    0
Finance IP Network    Disabled Enabled  Disabled(0)    3     0    0
To verify the configuration for a specific RDP interface, specify the interface name when using the show
ip router-discovery interface command. The display is similar to the one shown below.
-> show ip router-discovery interface Marketing
Name                       = Marketing,
IP Address                 = 11.255.4.1,
IP Mask                    = 255.0.0.0,
IP Interface status        = Enabled,
RDP Interface status       = Enabled,
VRRP Interface status      = Disabled,
Advertisement address      = 224.0.0.1,
Max Advertisement interval = 600 secs,
Min Advertisement interval = 450 secs,
Advertisement lifetime     = 1800 secs,
Preference Level           = 0x0,
#Packets sent              = 3,
#Packets received          = 0
For more information about this command, refer to the “RDP Commands” chapter in the OmniSwitch CLI
Reference Guide.
RDP Overview
End hosts (clients) sending traffic to other networks need to forward their traffic to a router. In order to do
this, hosts need to find out if one or more routers exist on their LAN, then learn their IP addresses. One
way to discover neighboring routers is to manually configure a list of router IP addresses that the host
reads at startup. Another method available involves listening to routing protocol traffic to gather a list of
router IP addresses.
RDP provides an alternative method for hosts to discover routers on their network that involves the use of
ICMP advertisement and solicitation messages. Using RDP, hosts attached to multicast or broadcast
networks send solicitation messages when they start up. Routers respond to solicitation messages with an
advertisement message that contains the router IP addresses. In addition, routers first send advertisement
messages when their RDP interface becomes active, and then subsequently at random intervals.
When a host receives a router advertisement message, it adds the IP addresses contained in the message to
its list of default router gateways in the order of preference. As a result, the list of router IP addresses is
dynamically created and maintained, eliminating the need for manual configuration of such a list. In addition, hosts do not have to recognize many different routing protocols to discover router IP addresses.
The following diagram illustrates an example of using RDP in a typical network configuration:
[Figure: RDP routers RS-1 (RDP interface 1/1) and RS-2 (RDP interface 1/2), OmniSwitch 9700, and hosts H-1 (interface 2/3) and H-2 (interface 2/4), all attached to Network 17.0.0.0]
When interfaces 2/3 and 2/4 on hosts H-1 and H-2, respectively, become active, they transmit router solicitation ICMP messages on Network 17.0.0.0. The RDP enabled routers RS-1 and RS-2 pick up these packets on their RDP interfaces 1/1 and 1/2 and respond with router advertisement ICMP messages. RS-1 and
RS-2 also periodically send out router advertisements on their RDP interfaces.
RDP Interfaces
An RDP interface is created by enabling RDP on a VLAN router IP address. Once enabled, the RDP interface becomes active and joins the all-routers IP multicast group (224.0.0.2). The interface then transmits
three initial router advertisement messages at random intervals that are no greater than 16 seconds apart.
This process occurs upon activation to increase the likelihood that end hosts will quickly discover this
router.
After an RDP interface becomes active and transmits its initial advertisements, subsequent advertisements
are transmitted at random intervals that fall between a configurable range of time. This range of time is
defined by specifying a maximum and minimum advertisement interval value. See “Defining the Advertisement Interval” on page 17-9 for more information. Because advertisements are transmitted at random
intervals, the risk of system overload is reduced as advertisements from other routers on the same link are
not likely to transmit at the same time.
It is important to note that advertisements are only transmitted on RDP interfaces if the following conditions are met:
• The RDP global status is enabled on the switch.
• An IP interface exists and is in the enabled state.
• An RDP interface exists and is in the enabled state.
• Whether VRRP is disabled or enabled, there are one or more Master IP addresses for the VLAN. If
VRRP is enabled and there are no Master IP addresses, router advertisements are not sent on the
VLAN. (See Chapter 19, “Configuring VRRP,” for more information.)
The router advertisement is a multicast packet sent to the all-systems IP multicast group (224.0.0.1) or the
broadcast address. If VRRP is enabled, the message should be filled with IP addresses obtained from the
VRRP Master IP address list; otherwise the IP address of the IP router interface is used.
Note that RDP is not recommended for detecting neighboring router failures, referred to as black holes, in
the network. However, it is possible to use RDP as a supplement for black hole detection by setting RDP
interface advertisement interval and lifetime values to values lower than the default values for these
parameters. See “Defining the Advertisement Interval” on page 17-9 and “Setting the Advertisement Lifetime” on page 17-10 for more information.
Security Concerns
ICMP RDP packets are not authenticated, which makes them vulnerable to the following attacks:
• Passive monitoring—Attackers can use RDP to re-route traffic from vulnerable systems through the
attacker’s system. This allows the attacker to monitor or record one side of the conversation. However,
the attacker must reside on the same network as the victim for this scenario to work.
• Man in the middle—Attacker modifies any of the outgoing traffic or plays man in the middle, acting
as a proxy between the router and the end host. In this case, the victim thinks that it is communicating
with an end host, not an attacker system. The end host thinks that it is communicating with a router
because the attacker system is passing information through to the host from the router. If the victim is a
secure Web server that uses SSL, the attacker sitting in between the server and an end host could intercept unencrypted traffic. As is the case with passive monitoring, the attacker must reside on the same
network as the victim for this scenario to work.
• Denial of service (DoS)—Remote attackers can spoof these ICMP packets and remotely add bad
default-route entries into a victim’s routing table. This would cause the victim to forward frames to the
wrong address, thus making it impossible for the victim’s traffic to reach other networks. Because of
the large number of vulnerable systems and the fact that this attack will penetrate firewalls that do not
stop incoming ICMP packets, this DoS attack can become quite severe. (See Chapter 12, “Configuring
IP,” and Chapter 26, “Configuring QoS,” for more information about DoS attacks.)
Note. Security concerns associated with using RDP are generic to the feature as defined in RFC 1256 and
not specific to this implementation.
Enabling/Disabling RDP
RDP is included in the base software and is available when the switch starts up. However, by default this
feature is not operational until it is enabled on the switch.
To enable RDP operation on the switch, use the following command:
-> ip router-discovery enable
Once enabled, any existing RDP interfaces on the switch that are also enabled will activate and start to
send initial advertisements. See “RDP Interfaces” on page 17-6 for more information.
To disable RDP operation on the switch, use the following command:
-> ip router-discovery disable
Use the show ip router-discovery command to determine the current operational status of RDP on the
switch.
Creating an RDP Interface
An RDP interface is created by enabling RDP for an existing IP router interface, which is then advertised
by RDP as an active router on the local network. Note that an RDP interface is not active unless RDP is
also enabled for the switch.
To create an RDP interface, enter ip router-discovery interface followed by the name of the IP router
interface, and then enable. For example, the following command creates an RDP interface for the IP router
interface named Marketing:
-> ip router-discovery interface Marketing enable
The IP router interface name is the name assigned to the interface when it was first created. For more
information about creating IP router interfaces, see Chapter 12, “Configuring IP.”
The first time an RDP interface is enabled, it is not necessary to enter enable as part of the command.
However, if the interface is subsequently disabled, then entering enable is required the next time this
command is used. For example, the following sequence of commands initially enables an RDP interface
for the Marketing IP router interface, then disables and again enables the same interface:
-> ip router-discovery interface Marketing
-> ip router-discovery interface Marketing disable
-> ip router-discovery interface Marketing enable
When the above RDP interface becomes active, advertisement packets are transmitted on all active ports
that belong to the VLAN associated with the Marketing interface. These packets contain the IP address
associated with the Marketing interface for the purposes of advertising this interface on the network.
When an RDP interface is created, it is automatically configured with the following default parameter
values:
RDP Interface Parameter | Default
Advertisement destination address | All systems multicast (224.0.0.1)
Advertisement time interval defined by maximum and minimum values | Maximum = 600 seconds; Minimum = 450 seconds (0.75 * maximum value)
Advertisement lifetime | 1800 seconds (3 * maximum value)
Router IP address preference level | 0
It is only necessary to change the above parameter values if the default value is not sufficient. The following subsections provide information about how to configure RDP interface parameters if it is necessary to
use a different value.
Specifying an Advertisement Destination Address
Active RDP interfaces transmit advertisement packets at random intervals and in response to ICMP solicitation messages received from network hosts. These packets are sent to one of two supported destination
addresses, all systems multicast (224.0.0.1) or broadcast (255.255.255.255).
By default, RDP interfaces are configured to use the 224.0.0.1 as the destination address. To change the
RDP destination address, use the ip router-discovery interface advertisement-address command.
For example, the following command changes the destination address to the broadcast address:
-> ip router-discovery interface Marketing advertisement-address broadcast
Enter all-systems-multicast when using this command to change the destination address to 224.0.0.1. For
example:
-> ip router-discovery interface Marketing advertisement-address all-systems-multicast
Defining the Advertisement Interval
The advertisement interval represents a range of time, in seconds, in which the RDP will transmit advertisement packets at random intervals. This range is defined by configuring a maximum amount of time
that the RDP will not exceed before the next transmission and configuring a minimum amount of time that
the RDP will observe before sending the next transmission. Both of these values are referred to as the
maximum advertisement interval and the minimum advertisement interval.
Note that when an RDP interface becomes active, it transmits 3 advertisement packets at intervals no
greater than 16 seconds. This facilitates a quick discovery of this router on the network. After these initial
transmissions, advertisements occur at random times within the advertisement interval value or in
response to solicitation messages received from network hosts.
Setting the Maximum Advertisement Interval
To set the maximum amount of time, in seconds, that the RDP will allow between advertisements, use the
ip router-discovery interface max-advertisement-interval command. For example, the following
command sets this value to 1500 seconds for the Marketing IP router interface:
-> ip router-discovery interface Marketing max-advertisement-interval 1500
Make sure that the value specified with this command is greater than the current minimum advertisement
interval value. By default, this value is set to 600 seconds.
Setting the Minimum Advertisement Interval
To set the minimum amount of time, in seconds, that the RDP will allow between advertisements, use the
ip router-discovery interface min-advertisement-interval command. For example, the following
command sets this value to 500 seconds for the Marketing IP router interface:
-> ip router-discovery interface Marketing min-advertisement-interval 500
Make sure that the value specified with this command is less than the current maximum advertisement
interval value. By default, this value is set to 0.75 * the default maximum interval value (450 seconds if
the maximum interval is set to its default value of 600 seconds).
Setting the Advertisement Lifetime
The advertisement lifetime value indicates how long, in seconds, the router IP address contained in an
advertisement packet is considered valid by a host. This value is entered into the lifetime field of an advertisement packet so that it is available to hosts that receive these types of packets.
If a host does not receive another packet from the same router before the lifetime value expires, it assumes
the router is no longer available and will drop the router IP address from its table. As a result, it is important that the lifetime value is always greater than the current maximum advertisement interval to ensure
router transmissions occur before the lifetime value expires.
To set the advertisement lifetime value for packets transmitted from a specific RDP interface, use the
ip router-discovery interface advertisement-lifetime command. For example, the following command
sets this value to 3000 seconds for RDP packets sent from the Marketing IP router interface:
-> ip router-discovery interface Marketing advertisement-lifetime 3000
By default, the lifetime value is set to 3 * the current maximum interval value (1800 seconds if the maximum interval is set to its default value of 600 seconds).
Setting the Preference Levels for Router IP Addresses
A preference level is assigned to each router IP address contained within an advertisement packet. Hosts
will select the IP address with this highest preference level to use as the default router gateway address. By
default, this value is set to zero.
To specify a preference level for IP addresses advertised from a specific RDP interface, use the
ip router-discovery interface preference-level command. For example, the following command sets this
value to 10 for the IP address associated with the Marketing IP router interface:
-> ip router-discovery interface Marketing preference-level 10
Note that router IP address preference levels are only compared with the preference levels of other routers
that exist on the same subnet. Set low preference levels to discourage selection of a specific router.
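The host side of what this section and “Security Concerns” describe, as an added Python example that is not part of this guide: it parses an RFC 1256 router advertisement, applies the highest-preference selection rule, and, because the message carries no authentication, compares the advertised routers and lifetime against what the administrator configured. The message layout and the 0x80000000 “do not use” preference are taken from RFC 1256; the allow-list policy and the sample packets are constructed for the example.

```python
"""ICMP Router Advertisement (RFC 1256) parsing and host-side checks (added example).

Covers the preference-level selection described above and the 'Security
Concerns' point that advertisements are unauthenticated: a host can at least
validate the message and compare it with an allow-list of expected routers.
Constructed packets only; nothing is read from the network.
"""
import struct
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Tuple

ICMP_ROUTER_ADVERTISEMENT = 9
DO_NOT_USE = -0x80000000        # RFC 1256: preference 0x80000000 means "do not use"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(lifetime: int, entries: List[Tuple[str, int]]) -> bytes:
    """Type 9 message: lifetime plus (router address, signed preference) pairs."""
    body = b"".join(struct.pack("!4si", ip_address(a).packed, p) for a, p in entries)
    hdr = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, len(entries), 2, lifetime)
    csum = icmp_checksum(hdr + body)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + body


def parse_advertisement(pkt: bytes) -> Tuple[int, Dict[IPv4Address, int]]:
    """Validate per RFC 1256 and return (lifetime, {router: preference}).

    Raises ValueError for anything a host should silently discard.
    """
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _csum, num, size, lifetime = struct.unpack("!BBHBBH", pkt[:8])
    if typ != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    if num < 1 or size < 2 or len(pkt) < 8 + num * size * 4:
        raise ValueError("inconsistent address count or entry size")
    routers: Dict[IPv4Address, int] = {}
    for i in range(num):
        off = 8 + i * size * 4            # entry size is given in 32-bit words
        addr, pref = struct.unpack("!4si", pkt[off:off + 8])
        routers[IPv4Address(addr)] = pref
    return lifetime, routers


def choose_default_router(routers: Dict[IPv4Address, int]) -> IPv4Address:
    """Hosts pick the highest preference; 0x80000000 entries are never used."""
    usable = {a: p for a, p in routers.items() if p != DO_NOT_USE}
    if not usable:
        raise ValueError("no usable router in advertisement")
    return max(usable, key=usable.get)


def audit_advertisement(pkt: bytes, expected: Dict[str, int],
                        max_lifetime: int = 1800) -> List[str]:
    """Flag routers and lifetimes that differ from the configured values.

    expected = {router IP: configured preference-level}; the allow-list and
    the lifetime ceiling are this example's own policy, not part of RDP.
    """
    findings: List[str] = []
    lifetime, routers = parse_advertisement(pkt)
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime}s exceeds policy maximum {max_lifetime}s")
    for addr, pref in routers.items():
        if str(addr) not in expected:
            findings.append(f"unexpected router {addr} advertised with preference {pref}")
        elif expected[str(addr)] != pref:
            findings.append(f"{addr} preference {pref} differs from configured {expected[str(addr)]}")
    return findings
```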
Verifying the RDP Configuration
To display information about the RDP configuration on the switch, use the show commands listed below:
show ip router-discovery | Displays the current operational status of RDP on the switch. Also includes the number of advertisement packets transmitted and the number of solicitation packets received by all RDP interfaces on the switch.
show ip router-discovery interface | Displays the current RDP status, related parameter values, and RDP traffic statistics for one or more switch router RDP interfaces.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show ip router-discovery and show ip router-discovery
interface commands is also given in “Quick Steps for Configuring RDP” on page 17-3.
18
Configuring DHCP Relay
The User Datagram Protocol (UDP) is a connectionless transport protocol that runs on top of IP networks.
The DHCP Relay allows you to use nonroutable protocols (such as UDP) in a routing environment. UDP
is used for applications that do not require the establishment of a session and end-to-end error checking.
Email and file transfer are two applications that could use UDP. UDP offers a direct way to send and
receive datagrams over an IP network and is primarily used for broadcasting messages. This chapter
describes the DHCP Relay feature. This feature allows UDP broadcast packets to be forwarded across
VLANs that have IP routing enabled.
In This Chapter
This chapter describes the basic components of DHCP Relay and how to configure them. CLI commands
are used in the configuration examples. For more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
• Quick steps for configuring DHCP Relay on page 18-4.
• Setting the IP address for Global DHCP on page 18-9.
• Identifying the VLAN for Per-VLAN DHCP on page 18-9.
• Enabling BOOTP/DHCP Relay on page 18-10.
• Setting the Forward Delay time on page 18-10.
• Setting the Maximum Hops value on page 18-11.
• Setting the Relay Forwarding Option to Standard, Per-VLAN, or AVLAN on page 18-11.
• Using automatic IP configuration to obtain an IP address for the switch on page 18-12.
• Using the Relay Agent Information Option (Option-82) on page 18-13.
• Using DHCP Snooping on page 18-15.
For information about the IP protocol, see Chapter 12, “Configuring IP.”
DHCP Relay Specifications
Note. The DHCP Relay functionality described in this chapter is supported on the OmniSwitch 6800,
6850, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted
within any section of this chapter.
RFCs Supported | 0951–Bootstrap Protocol
               | 1534–Interoperation Between DHCP and BOOTP
               | 1541–Dynamic Host Configuration Protocol
               | 1542–Clarifications and Extensions for the Bootstrap Protocol
               | 2132–DHCP Options and BOOTP Vendor Extensions
               | 3046–DHCP Relay Agent Information Option, 2001
DHCP Relay Implementation | Global DHCP; Per-VLAN DHCP; AVLAN DHCP
DHCP Relay Service | BOOTP/DHCP (Bootstrap Protocol/Dynamic Host Configuration Protocol)
UDP Port Numbers | 67 for Request; 68 for Response
IP address allocation mechanisms | Automatic–DHCP assigns a permanent IP address to a host.
               | Dynamic–DHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address).
               | Manual–The network administrator assigns a host’s IP address and DHCP conveys the address assigned to the host.
IP addresses supported for each Relay Service | Maximum of 256 IP addresses for each Relay Service.
IP addresses supported for the Per-VLAN service | Maximum of 8 IP addresses for each VLAN relay service. Maximum of 256 VLAN relay services.
DHCP Relay Agent Information Option (Option-82) | Supported on OmniSwitch 6800 and 6850; not supported on OmniSwitch 9000.
DHCP Relay Agent Information Option Policy | Supported on OmniSwitch 6800 and 6850; not supported on OmniSwitch 9000.
DHCP Snooping | Supported on OmniSwitch 6800 and 6850; not supported on OmniSwitch 9000.
Maximum number of DHCP Snooping VLANs | 64 (applies only to OmniSwitch 6800 and 6850)
DHCP Relay Defaults
The following table describes the default values of the DHCP Relay parameters.
Parameter Description | Command | Default Value/Comments
Forward delay time value for DHCP Relay | ip helper forward delay | 3 seconds
Maximum number of hops | ip helper maximum hops | 4 hops
Packet forwarding option | ip helper standard; ip helper avlan only; ip helper per-vlan only | Standard
Automatic switch IP configuration for default VLAN 1 | ip helper boot-up | Disabled
Automatic switch IP configuration packet type (BootP or DHCP) | ip helper boot-up enable | BootP
Relay Agent Information Option | ip helper agent-information | Disabled
Switch-level DHCP Snooping | ip helper dhcp-snooping | Disabled
VLAN-level DHCP Snooping | ip helper dhcp-snooping vlan | Disabled
Quick Steps for Setting Up DHCP Relay
You should configure DHCP Relay on switches where packets are routed between IP networks.
There is no separate command for enabling or disabling the relay service. DHCP Relay is automatically
enabled on the switch whenever a DHCP server IP address is defined. To set up DHCP Relay, proceed as
follows:
1 Identify the IP address of the DHCP server. Where the DHCP server has IP address 128.100.16.1, use
the following command:
-> ip helper address 128.100.16.1
2 Set the forward delay timer for the BOOTP/DHCP relay. To set the timer for a 15 second delay, use the
following command:
-> ip helper forward delay 15
3 Set the maximum hop count value. To set a hop count of 3, use the following command:
-> ip helper maximum hops 3
Note. Optional. To verify the DHCP Relay configuration, enter the show ip helper command. The display
shown for the DHCP Relay configured in the above Quick Steps is shown here:
-> show ip helper
Forward Delay (seconds) = 15
Max number of hops      = 3
Forward option          = standard
Forwarding Address:
128.100.16.1
For more information about this display, see the “DHCP Relay” chapter in the OmniSwitch CLI Reference
Guide.
DHCP Relay Overview
The DHCP Relay service, its corresponding port numbers, and configurable options are as follows:
• DHCP Relay Service: BOOTP/DHCP
• UDP Port Numbers 67/68 for Request/Response
• Configurable options: DHCP server IP address, Forward Delay, Maximum Hops, Forwarding Option,
automatic switch IP configuration
The port numbers are the destination port numbers in the UDP header. Before relaying a packet, DHCP
Relay verifies that the forward delay time (specified by the user) has elapsed, then hands the packet
down to UDP with the destination IP address replaced by the DHCP server address (also specified by the
user). If the relay is configured with multiple IP addresses, the packet is sent to every configured
destination. DHCP Relay also verifies that the maximum hop count has not been exceeded. If the forward
delay time is not met or the maximum hop count is exceeded, the BOOTP/DHCP packet is discarded by
DHCP Relay.
The forwarding option lets you specify whether the relay operates in standard, per-VLAN only, or
AVLAN-only mode. Standard mode forwards all DHCP packets on a global relay service. Per-VLAN only
mode forwards DHCP packets according to the VLAN they originate from. AVLAN-only mode forwards only
packets received on authenticated ports from non-authenticated clients. See "Setting the Relay
Forwarding Option" on page 18-11 for more information.
An additional function provided by the DHCP Relay service enables automatic IP address configuration
for default VLAN 1 when an unconfigured switch boots up. If this function is enabled, the switch broadcasts a BootP or a DHCP request packet at boot time. When the switch receives an IP address from a
BootP/DHCP server, the address is assigned to default VLAN 1. See “Enabling Automatic IP Configuration” on page 18-12 for more information.
Alternately the relay function may be provided by an external router connected to the switch; in this case,
the relay would be configured on the external router.
DHCP
DHCP (Dynamic Host Configuration Protocol) provides a framework for passing configuration information to Internet hosts on a TCP/IP network. It is based on the Bootstrap Protocol (BOOTP), adding the
ability to automatically allocate reusable network addresses and additional configuration options. DHCP
consists of the following two components:
• A protocol for delivering host-specific configuration parameters from a DHCP server to a host.
• A mechanism for allocating network addresses to hosts.
DHCP is built on a client-server model in which a designated DHCP server allocates network addresses
and delivers configuration parameters to dynamically configured hosts. It supports the following three
mechanisms for IP address allocation.
Automatic—DHCP assigns a permanent IP address to a host.
Dynamic—DHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address).
Manual—The network administrator assigns a host’s IP address and DHCP simply conveys the
assigned address to the host.
DHCP and the OmniSwitch
The unique characteristics of the DHCP protocol require a good plan before setting up the switch in a
DHCP environment. Since DHCP clients initially have no IP address, placement of these clients in a
VLAN is hard to determine. In simple networks (e.g., one VLAN) rules do not need to be deployed to
support the BOOTP/DHCP relay functionality.
In multiple VLAN network configurations, VLAN rules can be deployed to strategically support the
processing and relay of DHCP packets. The most commonly used rules for this function are IP protocol
rules, IP network address rules, and DHCP rules. All of these classify packets received on mobile ports
based on the packet protocol type, source IP address, or if the packet is a DHCP request. See Chapter 9,
“Defining VLAN Rules,” for more information.
DHCP Relay and Authentication
Authentication clients may use DHCP to get an IP address. For Telnet authentication clients, an IP address
is required for authentication. The DHCP server may be located in the default VLAN, an authenticated
VLAN, or both. If authentication clients will be getting an IP address from a DHCP server located in an
authenticated VLAN, DHCP relay can handle DHCP requests/responses for these clients as well.
There are three relay forwarding options: standard, AVLAN only, and per-VLAN. All three support
DHCP traffic to/from authenticated clients. However, the AVLAN only option specifies that only DHCP
packets received on authenticated ports are processed. See “Setting the Relay Forwarding Option” on
page 18-11 for more information.
Using DHCP Relay with authenticated VLANs and clients also requires relay configuration of the router
port address of the authenticated VLAN. See Chapter 22, “Configuring Authenticated VLANs,” for more
information about this procedure.
External DHCP Relay Application
The DHCP Relay may be configured on a router that is external to the switch. In this application example
the switched network has a single VLAN configured with multiple segments. All of the network hosts are
DHCP-ready, meaning they obtain their network address from the DHCP server. The DHCP server resides
behind an external network router, which supports the DHCP Relay functionality.
The router must support DHCP Relay in order to forward DHCP frames across the routed boundary. In this
example, the external router's DHCP Relay forwards request frames from the incoming router port to the
outgoing router port attached to the OmniSwitch.
[Figure: External DHCP Relay Application. DHCP clients 130.0.0.11 through 130.0.0.15, all in VLAN 1 on an
OmniSwitch 9700, reach the DHCP server through an external router with DHCP Relay (router addresses
125.0.0.1 and 125.0.0.2 shown on its IN and OUT ports). Caption: DHCP Clients are Members of the Same VLAN]
The external router inserts the subnet address of the first hop segment into the DHCP request frames from
the DHCP clients. This subnet address allows the DHCP server to locate the segment on which the
requesting client resides. In this example, all clients attached to the OmniSwitch are DHCP-ready and will
have the same subnet address (130.0.0.0) inserted into each of the requests by the router’s DHCP Relay
function. The DHCP server will assign a different IP address to each of the clients. The switch does not
need an IP address assigned and all DHCP clients will be members of either a default VLAN or an IP
protocol VLAN.
Internal DHCP Relay
The internal DHCP Relay is configured using the UDP forwarding feature in the switch, available through
the ip helper address command. For more information, see “DHCP Relay Implementation” on page 18-9.
This application example shows a network with two VLANs, each with multiple segments. All network
clients are DHCP-ready and the DHCP server resides on just one of the VLANs. This example is much
like the first application example, except that the DHCP Relay function is configured inside the switch.
[Figure: Internal DHCP Relay. The OmniSwitch runs DHCP Relay with router port IP addresses 125.0.0.21
(VLAN 2) and 130.0.0.21 (VLAN 3). The DHCP server and one client (addresses 125.0.0.1 and 125.0.0.2) are in
VLAN 2; DHCP clients 130.0.0.13 through 130.0.0.15 are in VLAN 3. Caption: DHCP Clients in Two VLANs]
During initialization, each network client forwards a DHCP request frame to the DHCP server using the
local broadcast address. For those locally attached stations, the frame will simply be switched.
In this case, the DHCP server and clients must be members of the same VLAN (they could also all be
members of the default VLAN). One way to accomplish this is to use DHCP rules in combination with IP
protocol rules to place all IP frames in the same VLAN. See Chapter 9, “Defining VLAN Rules,” for more
information.
Because the clients in the application example are not members of the same VLAN as the DHCP server,
they must request an IP address via the DHCP Relay routing entity in the switch. When a DHCP request
frame is received by the DHCP Relay entity, it will be forwarded from VLAN 3 to VLAN 2. All the
DHCP-ready clients in VLAN 3 must be members of the same VLAN, and the switch must have the
DHCP Relay function configured.
DHCP Relay Implementation
The OmniSwitch allows you to configure the DHCP Relay feature in one of two ways: a global relay service
that handles every DHCP request, or a per-VLAN relay service selected by the VLAN on which the DHCP
request arrives. Both choices provide the same configuration options and capabilities; however, they are
mutually exclusive. The following matrix summarizes the options.

Per-VLAN DHCP Relay   Global DHCP Relay   Effect
Disabled              Disabled            DHCP Request is flooded within its VLAN
Disabled              Enabled             DHCP Request is relayed to the Global Relay
Enabled               Disabled            DHCP Request is relayed to the Per-VLAN Relay
Enabled               Enabled             N/A (not a supported combination)
Global DHCP
For the global DHCP service, you must identify an IP address for the DHCP server.
Setting the IP Address
The DHCP Relay is automatically enabled on a switch whenever a DHCP server IP address is defined by
using the ip helper address command. There is no separate command for enabling or disabling the relay
service. You should configure DHCP Relay on switches where packets are routed between IP networks.
The following command defines a DHCP server address:
-> ip helper address 125.255.17.11
The DHCP Relay forwards BOOTP/DHCP broadcasts to and from the specified address. If multiple
DHCP servers are used, one IP address must be configured for each server. You can configure up to 256
addresses for each relay service.
To delete an IP address, use the no form of the ip helper address command. The IP address specified
with this syntax will be deleted. If an IP address is not specified with this syntax, then all IP helper
addresses are deleted. The following command deletes an IP helper address:
-> ip helper no address 125.255.17.11
Per-VLAN DHCP
For the Per-VLAN DHCP service, you must identify the number of the VLAN that makes the relay
request.
Identifying the VLAN
You may enter one or more server IP addresses to which packets will be sent from a specified VLAN. Do
this by using the ip helper address vlan command. The following syntax will identify the IP address
125.255.17.11 as the DHCP server for VLAN 3.
-> ip helper address 125.255.17.11 vlan 3
The following syntax identifies two DHCP servers for VLAN 4 at two different IP addresses.
-> ip helper address 125.255.17.11 125.255.18.11 vlan 4
To delete an IP address, use the no form of the ip helper address command. The IP address specified with
this syntax will be deleted. If an IP address is not specified with this syntax, then all IP helper addresses
are deleted. The following command deletes the helper address for IP address 125.255.17.11:
-> ip helper no address 125.255.17.11
The following command deletes all IP helper addresses:
-> ip helper no address
Configuring BOOTP/DHCP Relay Parameters
Once the IP address of the DHCP server(s) is defined and the DHCP Relay is configured for either Global
DHCP request or Per-VLAN DHCP request, you can set the following optional parameter values to
configure BOOTP relay.
• The forward delay time.
• The hop count.
• The relay forwarding option.
The only parameter that is required for BOOTP relay is the IP address of the DHCP server or of the next
hop toward the DHCP server. The default values can be accepted for forward delay, hop count, and relay
forwarding option.
Alternately the relay function may be provided by an external router connected to the switch; in this case,
the relay would be configured on the external router.
Setting the Forward Delay
Forward Delay is a time period that gives the local server a chance to respond to a client before the relay
forwards it further out in the network.
The UDP packet that the client sends contains the elapsed boot time. This is the amount of time, measured
in seconds, since the client last booted. DHCP Relay will not process the packet unless the client’s elapsed
boot time value is equal to or greater than the configured value of the forward delay time. If a packet
contains an elapsed boot time value that is less than the specified forward delay time value, DHCP Relay
discards the packet.
The forward delay time value applies to all defined IP helper addresses. The following command sets the
forward delay value of 10 seconds.
-> ip helper forward delay 10
The range for the forward delay time value is 0 to 65535 seconds.
Setting Maximum Hops
This value specifies the maximum number of relays the BOOTP/DHCP packet can go through until it
reaches its server destination. This limit keeps packets from “looping” through the network. If a UDP
packet contains a hop count equal to the hops value, DHCP Relay discards the packet. The following
syntax is used to set a maximum of four hops.
-> ip helper maximum hops 4
The hops value represents the maximum number of relays. The range is from one to 16 hops. The default
maximum hops value is set to four. This maximum hops value only applies to DHCP Relay. All other
switch services will ignore this value.
Setting the Relay Forwarding Option
This value specifies if DHCP Relay should operate in a Standard, AVLAN, or Per-VLAN only forwarding mode. If the AVLAN only option is selected, only DHCP packets received on authenticated ports are
processed. By default, the forwarding option is set to standard. To change the forwarding option value,
enter ip helper followed by standard, avlan only, or per-vlan only. For example,
-> ip helper avlan only
-> ip helper standard
-> ip helper per-vlan only
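The admission checks described in the Overview and in "Setting the Forward Delay", "Setting Maximum Hops" and "Setting the Relay Forwarding Option", together with the Per-VLAN/Global matrix, as an added Python example that is not OmniSwitch code: it builds a constructed DHCPDISCOVER, applies the forward delay and maximum hops tests to the BOOTP secs and hops fields, and chooses the global or per-VLAN helper list. Incrementing hops and stamping giaddr with the router port address are standard relay behaviour from RFC 1542, assumed here rather than taken from this page; the AVLAN-only option depends on port authentication state and is not modelled. Addresses and the client MAC are constructed.

```python
import struct
from ipaddress import IPv4Address

# Fixed BOOTP header (RFC 2131, figure 1): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file. Options follow.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO = IPv4Address("0.0.0.0")


def build_discover(secs, hops=0, giaddr="0.0.0.0"):
    """Constructed DHCPDISCOVER (sample input, not a capture)."""
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\0")
    hdr = BOOTP_HDR.pack(1, 1, 6, hops, 0x3903F326, secs, 0x8000,
                         ZERO.packed, ZERO.packed, ZERO.packed,
                         IPv4Address(giaddr).packed, chaddr, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01\xff"  # option 53 = DISCOVER, then end


class DhcpRelay:
    """Relay admission and helper selection, mirroring the page's knobs:
    ip helper address [vlan], forward delay, maximum hops and the
    standard / per-vlan only forwarding option (AVLAN only is not modelled)."""

    def __init__(self, router_ip, forward_delay=3, maximum_hops=4, option="standard"):
        self.router_ip = IPv4Address(router_ip)
        self.forward_delay = forward_delay   # seconds, 0..65535 (default 3)
        self.maximum_hops = maximum_hops     # relays, 1..16 (default 4)
        self.option = option                 # "standard" or "per-vlan only"
        self.global_helpers = []             # ip helper address A.B.C.D
        self.vlan_helpers = {}               # ip helper address A.B.C.D vlan N

    def relay(self, packet, ingress_vlan):
        """Return ("drop", reason), ("flood", None) or ("forward", [(server, pkt), ...])."""
        fields = BOOTP_HDR.unpack_from(packet)
        hops, secs, giaddr = fields[3], fields[5], IPv4Address(fields[10])

        # Forward delay: the client's elapsed boot time must have reached the
        # configured value, giving a server on the local segment a chance first.
        if secs < self.forward_delay:
            return "drop", f"secs {secs} < forward delay {self.forward_delay}"
        # Maximum hops: a packet whose hop count already equals the limit is dropped.
        if hops >= self.maximum_hops:
            return "drop", f"hops {hops} reached maximum {self.maximum_hops}"

        if self.option == "per-vlan only":
            helpers = self.vlan_helpers.get(ingress_vlan, [])
        else:
            helpers = self.global_helpers
        if not helpers:
            return "flood", None  # no relay service for this request: stays in its VLAN

        # Standard relay behaviour (RFC 1542, assumed; the page only describes the
        # checks above): bump hops and, if giaddr is still zero, stamp our own
        # router port address so the server learns the client's subnet.
        out = bytearray(packet)
        out[3] = hops + 1
        if giaddr == ZERO:
            out[24:28] = self.router_ip.packed
        # Multiple helpers: the packet goes to every configured server address.
        return "forward", [(server, bytes(out)) for server in helpers]
```

With the defaults (forward delay 3, maximum hops 4) a DISCOVER whose secs field is still 0, 1 or 2 is dropped on purpose: that is the window in which a server on the client's own segment is expected to answer.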
Using Automatic IP Configuration
An additional function of the DHCP Relay feature enables a switch to broadcast a BootP or DHCP request
packet at boot time to obtain an IP address for default VLAN 1. This function is separate from the previously described functions (such as Global DHCP, per-VLAN DHCP and related configurable options) in
that enabling or disabling automatic IP configuration does not exclude or prevent other DHCP Relay functionality.
Note. Automatic IP address configuration only supports the assignment of a permanent IP address to the
switch. Make sure that the DHCP server is configured with such an address before using this feature.
Using automatic IP configuration also allows the switch to specify the type of request packet to send;
BootP (the default) or DHCP. When the BootP/DHCP server receives the request packet from the switch,
it processes the request and sends an appropriate reply packet. When the switch receives a reply packet
from the BootP/DHCP server, one or more of the following occurs:
• The router port for VLAN 1 is assigned the IP address provided by the server.
• If the reply packet contains a subnet mask for the IP address, the mask is applied to the VLAN 1 router
port address. Otherwise, a default mask is determined based upon the class of the IP address. For example, if the IP address is a Class A, B, or C address, then 255.0.0.0, 255.255.0.0, or 255.255.255.0 is
used for the subnet mask.
• If the reply packet from the server contains a gateway IP address, then a static route entry of 0.0.0.0 is
created on the switch with the gateway address provided by the server.
Note. If the VLAN 1 router port is already configured with an IP address, the switch does not broadcast a
request packet at boot time even if automatic IP configuration is enabled.
To verify IP router port configuration for VLAN 1, use the show ip interface and show ip route
commands. For more information about these commands, refer to the OmniSwitch CLI Reference Guide.
Enabling Automatic IP Configuration
By default, this function is disabled on the switch. To enable automatic IP configuration and specify the
type of request packet, use the ip helper boot-up command. For example:
-> ip helper boot-up enable DHCP
-> ip helper boot-up enable BOOTP
Once enabled, the next time the switch boots up, DHCP Relay will broadcast a BootP (the default) or
DHCP request packet to obtain an IP address for default VLAN 1.
To disable automatic IP configuration for the switch, use the ip helper boot-up command with the disable
option, as shown below:
-> ip helper boot-up disable
Configuring DHCP Security Features
There are two DHCP security features available: DHCP relay agent information option (Option-82) and
DHCP Snooping. The DHCP Option-82 feature enables the relay agent to insert identifying information
into client-originated DHCP packets before the packets are forwarded to the DHCP server. The DHCP
Snooping feature filters DHCP packets between untrusted sources and a trusted DHCP server and builds a
binding database to log DHCP client information.
Although DHCP Option-82 is a subcomponent of DHCP Snooping, these two features are mutually exclusive. If the DHCP Option-82 feature is enabled for the switch, then DHCP Snooping is not available. The
reverse is also true; if DHCP Snooping is enabled, then DHCP Option-82 is not available. In addition, the
following differences exist between these two features:
• DHCP Snooping does require and use the Option-82 data insertion capability, but does not implement
any other behaviors defined in RFC 3046.
• DHCP Snooping will automatically drop client DHCP packets that already have Option-82 information
present. The DHCP Option-82 feature provides configurable options for dealing with such packets.
• DHCP Snooping is configurable at the switch level and on a per-VLAN basis, but DHCP Option-82 is
only configurable at the switch level.
The following sections provide additional information about each DHCP security feature and how to
configure feature parameters using the Command Line Interface (CLI).
Using the Relay Agent Information Option (Option-82)
This implementation of the DHCP relay agent information option (Option-82) feature is based on the
functionality defined in RFC 3046. By default DHCP Option-82 functionality is disabled. The ip helper
agent-information command is used to enable this feature at the switch level.
When this feature is enabled, the relay agent tags the exchange between a DHCP client and a DHCP server
with data that identifies where the client is attached. This is identification, not cryptographic
authentication, so a server can only trust it where the relay-to-server path is itself trusted. To
accomplish this task, the agent adds Option-82 data to the end of the options field in DHCP packets sent
from a client to a DHCP server. Option-82 consists of two suboptions: Circuit ID and Remote ID. The agent
fills in the following information for each of these suboptions:
• Circuit ID—the VLAN ID and slot/port from where the DHCP packet originated.
• Remote ID—the MAC address of the router interface associated with the VLAN ID specified in the
Circuit ID suboption.
The DHCP Option-82 feature is only applicable when DHCP relay is used to forward DHCP packets
between clients and servers associated with different VLANs. In addition, a secure IP network must exist
between the relay agent and the DHCP server.
How the Relay Agent Processes DHCP Packets from the Client
The following table describes how the relay agent processes DHCP packets received from clients when
the Option-82 feature is enabled for the switch:
If the DHCP packet from the client ...          The relay agent ...

Contains a zero gateway IP address (0.0.0.0)    Inserts Option-82 with unique information to identify
and no Option-82 data.                          the client source.

Contains a zero gateway IP address (0.0.0.0)    Drops the packet, keeps the Option-82 data and forwards
and Option-82 data.                             the packet, or replaces the Option-82 data with its own
                                                Option-82 data and forwards the packet. The action taken
                                                in this case is determined by the agent information
                                                policy configured with the ip helper agent-information
                                                policy command. By default, this type of DHCP packet is
                                                dropped by the agent.

Contains a non-zero gateway IP address and      Drops the packet without any further processing.
no Option-82 data.

Contains a non-zero gateway IP address and      Drops the packet if the gateway IP address matches a
Option-82 data.                                 local subnet; otherwise the packet is forwarded without
                                                inserting Option-82 data.
How the Relay Agent Processes DHCP Packets from the Server
Note that if a DHCP server does not support Option-82, the server strips the option from the packet. If the
server does support this option, the server will retain the Option-82 data received and send it back in a
reply packet.
When the relay agent receives a DHCP packet from the DHCP server and the Option-82 feature is
enabled, the agent will:
1 Extract the VLAN ID from the Circuit ID suboption field in the packet and compare the MAC address
of the IP router interface for that VLAN to the MAC address contained in the Remote ID suboption field
in the same packet.
2 If the IP router interface MAC address and the Remote ID MAC address are not the same, then the
agent will drop the packet.
3 If the two MAC addresses match, then a check is made to see if the slot/port value in the Circuit ID
suboption field in the packet matches a port that is associated with the VLAN also identified in the Circuit
ID suboption field.
4 If the slot/port information does not identify an actual port associated with the Circuit ID VLAN, then
the agent will drop the packet.
5 If the slot/port information does identify an actual port associated with the Circuit ID VLAN, then the
agent strips the Option-82 data from the packet and unicasts the packet to the port identified in the Circuit
ID suboption.
Enabling the Relay Agent Information Option-82
Use the ip helper agent-information command to enable the DHCP Option-82 feature for the switch. For
example:
-> ip helper agent-information enable
This same command is also used to disable this feature. For example:
-> ip helper agent-information disable
Note that because this feature is not available on a per-VLAN basis, DHCP Option-82 functionality is not
restricted to ports associated with a specific VLAN. Instead, DHCP traffic received on all ports is eligible
for Option-82 data insertion when it is relayed by the agent.
Configuring a Relay Agent Information Option-82 Policy
As previously mentioned, when the relay agent receives a DHCP packet from a client that already contains
Option-82 data, the packet is dropped by default. However, it is possible to configure a DHCP Option-82
policy that directs the relay agent to drop, keep, or replace the existing Option-82 data and then forward
the packet to the server.
To configure a DHCP Option-82 policy, use the ip helper agent-information policy command. The
following parameters are available with this command to specify the policy action:
• drop—The DHCP packet is dropped (the default).
• keep—The existing Option-82 data in the DHCP packet is retained and the packet is forwarded to the
server.
• replace—The existing Option-82 data in the DHCP packet is replaced with local relay agent data and
then forwarded to the server.
For example, the following commands configure DHCP Option-82 policies:
-> ip helper agent-information policy drop
-> ip helper agent-information policy keep
-> ip helper agent-information policy replace
Note that this type of policy applies to all DHCP packets received on all switch ports. In addition, if a
packet that contains existing Option-82 data also contains a gateway IP address that matches a local subnet
address, the relay agent will drop the packet and not apply any existing Option-82 policy.
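The client-side table, the server-side steps 1 to 5, and the drop/keep/replace policy above, as one added Python example that is not OmniSwitch code. The page names what the suboptions contain but not their wire format, so the Circuit ID layout (VLAN, slot, port) and Remote ID layout (router interface MAC) are assumed encodings; what the agent does with a server reply that no longer carries Option-82 is not stated either, and the example drops it, marked as an assumption. The interface MAC, VLAN membership and subnet are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

OPT_RELAY_AGENT, OPT_END = 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
ZERO = IPv4Address("0.0.0.0")


def iter_options(opts):
    """Walk a DHCP options field (after the magic cookie) yielding (code, payload)."""
    i = 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == 0:           # pad byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        yield code, opts[i + 2:i + 2 + length]
        i += 2 + length


def without_option(opts, code):
    """Options field rebuilt with every instance of `code` stripped."""
    kept = b"".join(bytes([c, len(p)]) + p for c, p in iter_options(opts) if c != code)
    return kept + bytes([OPT_END])


def with_option82(opts, opt82):
    """Drop any existing Option-82 and append ours at the end of the options field."""
    return without_option(opts, OPT_RELAY_AGENT)[:-1] + opt82 + bytes([OPT_END])


def encode_option82(vlan, slot, port, remote_mac):
    # Assumed suboption layout: Circuit ID = VLAN(2) slot(1) port(1); Remote ID = MAC(6).
    circuit = struct.pack("!HBB", vlan, slot, port)
    body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote_mac)]) + remote_mac)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def decode_option82(payload):
    subs = dict(iter_options(payload))
    vlan, slot, port = struct.unpack("!HBB", subs[SUB_CIRCUIT_ID])
    return vlan, slot, port, subs[SUB_REMOTE_ID]


def find_option82(opts):
    return next((p for c, p in iter_options(opts) if c == OPT_RELAY_AGENT), None)


class RelayAgent:
    def __init__(self, policy="drop"):
        self.policy = policy        # ip helper agent-information policy drop|keep|replace
        self.interfaces = {}        # vlan -> (router interface MAC, {(slot, port), ...})
        self.local_subnets = []     # IPv4Network of each local router interface

    def process_client(self, giaddr, opts, vlan, slot, port):
        """Client-to-server direction: the four cases of the page's table."""
        giaddr = IPv4Address(giaddr)
        existing = find_option82(opts)
        if giaddr == ZERO:
            if existing is None or self.policy == "replace":
                own = encode_option82(vlan, slot, port, self.interfaces[vlan][0])
                return "forward", with_option82(opts, own)
            if self.policy == "keep":
                return "forward", opts
            return "drop", "client packet already carries Option-82 (policy drop)"
        # Non-zero giaddr: some other relay already handled this packet.
        if existing is None:
            return "drop", "non-zero giaddr without Option-82"
        if any(giaddr in net for net in self.local_subnets):
            return "drop", "giaddr matches a local subnet"
        return "forward", opts      # passed on untouched, nothing inserted

    def process_server(self, opts):
        """Server-to-client direction: steps 1 to 5 of the page, then strip and unicast."""
        payload = find_option82(opts)
        if payload is None:         # server stripped the option; assumed: cannot map, drop
            return "drop", "server reply without Option-82"
        vlan, slot, port, remote_mac = decode_option82(payload)
        iface = self.interfaces.get(vlan)
        if iface is None or iface[0] != remote_mac:
            return "drop", "Remote ID does not match the VLAN's router interface MAC"
        if (slot, port) not in iface[1]:
            return "drop", f"port {slot}/{port} is not a member of VLAN {vlan}"
        return "unicast", ((slot, port), without_option(opts, OPT_RELAY_AGENT))
```

The two server-side checks are what make the option worth having: a reply whose Remote ID or Circuit ID does not name a real interface and port on this switch is discarded rather than flooded, which is also why the relay-to-server path has to be trusted, since anything able to rewrite Option-82 in transit can steer replies.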
Using DHCP Snooping
Using DHCP Snooping improves network security by filtering DHCP messages received from devices
outside the network and building and maintaining a binding table (database) to track access information
for such devices.
In order to identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes
ports as either trusted or untrusted. A port is trusted if it is connected to a device inside the network, such
as a DHCP server. A port is untrusted if it is connected to a device outside the network, such as a customer
switch or workstation.
Additional DHCP Snooping functionality provided includes the following:
• Traffic Suppression—Prevents the flooding of DHCP packets on the default VLAN for a DHCP
Snooping port. Note that enabling traffic suppression on a port will prevent DHCP traffic between a
DHCP server and client that belong to the same VLAN domain. See “Configuring the Port Traffic
Suppression Status” on page 18-19 for more information.
• IP Source Filtering—Restricts DHCP Snooping port traffic to only packets that contain the client
source MAC address and IP address. The DHCP Snooping binding table is used to verify the client
information for the port that is enabled for IP source filtering. See “Configuring Port IP Source Filtering” on page 18-19 for more information.
• Rate Limiting—Limits the rate of DHCP packets on the port. This functionality is achieved using the
QoS application to configure ACLs for the port. See “Configuring Rate Limiting” on page 18-19 for
more information.
When DHCP Snooping is first enabled, all ports are considered untrusted. It is important to then configure
ports connected to a DHCP server inside the network as a trusted port. See “Configuring the Port Trust
Mode” on page 18-18 for more information.
If a DHCP packet is received on an untrusted port, then it is considered an untrusted packet. If a DHCP
packet is received on a trusted port, then it is considered a trusted packet. DHCP Snooping only filters
untrusted packets and will drop such packets if one or more of the following conditions are true:
• The packet received is a DHCP server packet, such as a DHCPOFFER, DHCPACK, or DHCPNAK
packet. When a server packet is received on an untrusted port, DHCP Snooping knows that it is not
from a trusted server and discards the packet.
• The source MAC address of the packet and the DHCP client hardware address contained in the packet
are not the same address.
• The packet is a DHCPRELEASE or DHCPDECLINE broadcast message that contains a source MAC
address found in the DHCP Snooping binding table, but the interface information in the binding table
does not match the interface on which the message was received.
• The packet includes a relay agent IP address that is a non-zero value.
• The packet already contains Option-82 data in the options field.
If none of the above are true, then the relay agent accepts and forwards the packet. When the relay agent
receives a DHCPACK packet from a server, the agent extracts the following information to create an entry
in the DHCP Snooping binding table:
• MAC address of the DHCP client.
• IP address for the client that was assigned by the DHCP server.
• The port from where the DHCP packet originated.
• The VLAN associated with the port from where the DHCP packet originated.
• The lease time for the assigned IP address.
• The binding entry type; dynamic or static (user-configured).
After extracting the above information and populating the binding table, the agent then forwards the
packet to the port from where the packet originated. In effect, the DHCP Snooping feature prevents the
normal flooding of DHCP traffic. Instead, packets are delivered only to the appropriate client and server
ports.
Note that DHCP Snooping only applies to traffic that is relayed between VLANs. If a DHCP server and
client reside within the same VLAN domain, then DHCP Snooping is not applied to communications
between these devices.
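The five drop conditions for untrusted packets, the binding table learned from a DHCPACK, and the IP Source Filtering check listed under the additional DHCP Snooping functionality, as an added Python example that is not OmniSwitch code. Messages are a constructed dataclass rather than parsed bytes; the client port and VLAN passed to the learning step stand in for the Option-82 data the switch inserted on the outbound request; MAC addresses, IP addresses and port names such as 2/3 are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class DhcpMessage:
    """Constructed view of one DHCP packet, already parsed (no byte parsing here)."""
    msg_type: str            # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPRELEASE, ...
    src_mac: str             # Ethernet source address of the frame
    chaddr: str              # client hardware address carried inside the DHCP payload
    giaddr: str = "0.0.0.0"  # relay agent IP address field
    has_option82: bool = False
    broadcast: bool = False  # destination MAC ff:ff:ff:ff:ff:ff
    yiaddr: str = "0.0.0.0"  # address assigned by the server (DHCPACK)
    lease_time: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int
    lease_time: int
    entry_type: str = "dynamic"   # or "static" for user-configured entries


class DhcpSnooping:
    def __init__(self):
        self.trusted_ports: Set[str] = set()        # ports that face DHCP servers
        self.bindings: Dict[str, Binding] = {}      # keyed by client MAC
        self.ip_source_filtering: Set[str] = set()  # ports with IP source filtering on

    def filter_packet(self, msg: DhcpMessage, port: str) -> Optional[str]:
        """Return None to accept, or the reason the untrusted packet is dropped."""
        if port in self.trusted_ports:
            return None                              # trusted packets are not filtered
        if msg.msg_type in SERVER_MESSAGES:
            return "server message on an untrusted port"
        if msg.src_mac.lower() != msg.chaddr.lower():
            return "source MAC does not match the client hardware address"
        if msg.msg_type in {"DHCPRELEASE", "DHCPDECLINE"} and msg.broadcast:
            bound = self.bindings.get(msg.src_mac.lower())
            if bound is not None and bound.port != port:
                return "release/decline from a port other than the bound one"
        if msg.giaddr != "0.0.0.0":
            return "non-zero relay agent address in a client packet"
        if msg.has_option82:
            return "client packet already carries Option-82"
        return None

    def learn_from_ack(self, ack: DhcpMessage, client_port: str, vlan: int) -> Binding:
        """Populate the binding table from a DHCPACK. On the switch the client port
        and VLAN come from the Option-82 data the agent inserted on the way out."""
        entry = Binding(ack.chaddr.lower(), ack.yiaddr, client_port, vlan, ack.lease_time)
        self.bindings[entry.mac] = entry
        return entry

    def permit_ip(self, port: str, src_mac: str, src_ip: str) -> bool:
        """IP source filtering: only traffic matching a binding for this port passes."""
        if port not in self.ip_source_filtering:
            return True
        bound = self.bindings.get(src_mac.lower())
        return bound is not None and bound.port == port and bound.ip == src_ip
```

The ordering matters operationally: until the port facing the real server is added to trusted_ports, its DHCPOFFER and DHCPACK are dropped as rogue-server traffic, which is the symptom the note under "Enabling DHCP Snooping" warns about.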
DHCP Snooping Configuration Guidelines
Consider the following when configuring the DHCP Snooping feature:
• DHCP Snooping requires the use of the relay agent to process DHCP packets. As a result, DHCP
clients and servers must reside in different VLANs so that the relay agent is engaged to forward packets between the VLAN domains. See “Configuring BOOTP/DHCP Relay Parameters” on page 18-10
for information about how to configure the relay agent on the switch.
• Configure ports connected to DHCP servers within the network as trusted ports. See “Configuring the
Port Trust Mode” on page 18-18 for more information.
• Make sure that Option-82 data insertion is always enabled at the switch or VLAN level. See “Enabling
DHCP Snooping” on page 18-17 for more information.
• The DHCP server must support the Option-82 feature or, at a minimum, retain and echo back the
Option-82 data field.
Enabling DHCP Snooping
There are two levels of operation available for the DHCP Snooping feature: switch level or VLAN level.
These two levels are mutually exclusive; they cannot both operate on the switch at the same time. In
addition, if the global DHCP relay agent information option (Option-82) is enabled for the switch, then
DHCP Snooping at either level is not available. See "Using the Relay Agent Information Option
(Option-82)" on page 18-13 for more information.
Note. DHCP Snooping drops server packets received on untrusted ports (ports that connect to devices
outside the network or firewall). It is important to configure ports connected to DHCP servers as trusted
ports so that traffic to/from the server is not dropped.
Switch-level DHCP Snooping
By default, DHCP Snooping is disabled for the switch. To enable this feature at the switch level, use the
ip helper dhcp-snooping command. For example:
-> ip helper dhcp-snooping enable
When DHCP Snooping is enabled at the switch level, all DHCP packets received on all switch ports are
screened/filtered by DHCP Snooping. By default, only client DHCP traffic is allowed on the ports, unless
the trust mode for a port is configured to block or allow all DHCP traffic. See “Configuring the Port Trust
Mode” on page 18-18 for more information.
In addition, the following functionality is also activated by default when DHCP Snooping is enabled:
• The DHCP Snooping binding table is created and maintained.
• MAC address verification is performed to compare the source MAC address of the DHCP packet with
the client hardware address contained in the packet.
• Option-82 data is inserted into the packet and then DHCP reply packets are only sent to the port from
where the DHCP request originated, instead of flooding these packets to all ports.
To enable or disable any of the above functionality at the switch level, use the following commands:
ip helper dhcp-snooping binding
ip helper dhcp-snooping mac-address verification
ip helper dhcp-snooping option-82 data-insertion
Note the following when disabling DHCP Snooping functionality:
• Disabling Option-82 is not allowed if the binding table is enabled.
• Enabling the binding table is not allowed if Option-82 data insertion is not enabled at either the switch
or VLAN level.
VLAN-Level DHCP Snooping
To enable DHCP Snooping at the VLAN level, use the ip helper dhcp-snooping vlan command. For
example, the following command enables DHCP Snooping for VLAN 200:
-> ip helper dhcp-snooping vlan 200
When this feature is enabled at the VLAN level, DHCP Snooping functionality is only applied to ports that
are associated with a VLAN that has this feature enabled. Up to 64 VLANs can have DHCP Snooping
enabled. Note that enabling DHCP Snooping at the switch level is not allowed if it is enabled for one or
more VLANs.
By default, when DHCP Snooping is enabled for a specific VLAN, MAC address verification and Option-82 data insertion are also enabled for the VLAN. To disable or enable either of these two
features, use the ip helper dhcp-snooping vlan command with either the mac-address verification or
option-82 data-insertion parameters. For example:
-> ip helper dhcp-snooping vlan 200 mac-address verification disable
-> ip helper dhcp-snooping vlan 200 option-82 data-insertion disable
Note that if the binding table functionality is enabled, disabling Option-82 data insertion for the VLAN is
not allowed. See “Configuring the DHCP Snooping Binding Table” on page 18-20 for more information.
Note. If DHCP Snooping is not enabled for a VLAN, then all ports associated with the VLAN are considered trusted ports. VLAN-level DHCP Snooping does not filter DHCP traffic on ports associated with a
VLAN that does not have this feature enabled.
Configuring the Port Trust Mode
The DHCP Snooping trust mode for a port determines whether or not the port accepts all DHCP traffic,
client-only DHCP traffic, or blocks all DHCP traffic. The following trust modes for a port are configurable using the ip helper dhcp-snooping port command:
• client-only—The default mode applied to ports when DHCP Snooping is enabled. This mode restricts
DHCP traffic on the port to only DHCP client-related traffic. When this mode is active for the port, the
port is considered an untrusted interface.
• trust—This mode does not restrict DHCP traffic on the port. When this mode is active on a port, the
port is considered a trusted interface. In this mode the port behaves as if DHCP Snooping is not
enabled.
• block—This mode blocks all DHCP traffic on the port. When this mode is active for the port, the port
is considered an untrusted interface.
To configure the trust mode for one or more ports, use the ip helper dhcp-snooping port command. For
example, the following command changes the trust mode for port 1/12 to blocked:
-> ip helper dhcp-snooping port 1/12 block
It is also possible to specify a range of ports. For example, the following command changes the trust mode
for ports 2/1 through 2/10 to trusted:
-> ip helper dhcp-snooping port 2/1-10 trust
Note that it is necessary to configure ports connected to DHCP servers within the network and/or firewall
as trusted ports so that necessary DHCP traffic to/from the server is not blocked. Configuring the port
mode as trusted also identifies the device connected to that port as a trusted device within the network.
Configuring the Port Traffic Suppression Status
Traffic suppression prevents the flooding of DHCP packets on the default VLAN for a DHCP Snooping
port. By default, traffic suppression is enabled for a port. Use the ip helper dhcp-snooping port traffic-suppression command to enable or disable this function for a specific port or range of ports. For example:
-> ip helper dhcp-snooping port 1/10 traffic-suppression enable
-> ip helper dhcp-snooping port 2/1-5 traffic-suppression disable
Note that enabling traffic suppression on a port will prevent DHCP traffic between a DHCP server and
client that belong to the same VLAN domain.
Configuring Port IP Source Filtering
IP source filtering applies to DHCP Snooping ports and restricts port traffic to only packets that contain
the client source MAC address and IP address. The DHCP Snooping binding table is used to verify the
client information for the port that is enabled for IP source filtering.
By default IP source filtering is disabled for a DHCP Snooping port. Use the ip helper dhcp-snooping
port ip-source-filtering command to enable or disable this function for a specific port or range of ports.
For example:
-> ip helper dhcp-snooping port 1/10 ip-source-filtering enable
-> ip helper dhcp-snooping port 2/1-5 ip-source-filtering enable
Configuring Rate Limiting
To set up DHCP rate limiting from the client, configure a QoS policy rule similar to the one shown in the
following example:
-> policy condition client-dhcp destination udp port 67
-> policy action client-limit maximum bandwidth <rate>
-> policy rule client-limit action client-limit condition client-dhcp
Where <rate> is (packets per second * average packet size) or a specific overall data rate to use for limiting the number of DHCP packets.
In the above rule example, however, DHCP requests are limited on all ports. To narrow the scope of the
rate limiting, add a source port condition to the rule. For example, the following condition specifies 3/2 as
a source port:
-> policy condition client-dhcp source port 3/2
In addition, you can also use the UserPorts port group to apply the rule to all ports that are members of this
group or configure a customized port group. For example:
-> policy condition client-dhcp source port group UserPorts
-> policy port group dhcp-client-ports 3/1-12 3/14
-> policy condition client-dhcp source port group dhcp-client-ports
Note that when QoS policy rules are configured, they do not apply to the switch until the qos apply
command is performed. See Chapter 26, “Configuring QoS,” in the OmniSwitch 6800/6850/9000 Network
Configuration Guide for more information.
Configuring the DHCP Snooping Binding Table
The DHCP Snooping binding table is automatically enabled when DHCP Snooping is enabled at either the
switch or VLAN level. This table is used by DHCP Snooping to filter DHCP traffic that is received on
untrusted ports.
Entries are made in this table when the relay agent receives a DHCPACK packet from a trusted DHCP
server. The agent extracts the client information, populates the binding table with the information and then
forwards the DHCPACK packet to the port where the client request originated.
To enable or disable the DHCP Snooping binding table, use the ip helper dhcp-snooping binding
command. For example:
-> ip helper dhcp-snooping binding enable
-> ip helper dhcp-snooping binding disable
Note that enabling the binding table functionality is not allowed if Option-82 data insertion is not enabled
at either the switch or VLAN level.
In addition, it is also possible to configure static binding table entries. This type of entry is created using
available ip helper dhcp-snooping binding command parameters to define the static entry. For example,
the following command creates a static DHCP client entry:
-> ip helper dhcp-snooping binding 00:2a:95:51:6c:10 port 1/15 address
17.15.3.10 lease-time 3 vlan 200
To remove a static binding table entry, use the no form of the ip helper dhcp-snooping binding
command. For example:
-> no ip helper dhcp-snooping binding 00:2a:95:51:6c:10 port 1/15 address
17.15.3.10 lease-time 3 vlan 200
To view the DHCP Snooping binding table contents, use the show ip helper dhcp-snooping binding
command. See the OmniSwitch CLI Reference Guide for example outputs of this command.
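To make the port trust modes, MAC address verification, binding-table population from a DHCPACK on a trusted port, and IP source filtering described in the preceding sections concrete, here is an added Python model of those filtering decisions. It is not OmniSwitch code; the packet fields, the port names and the sample traffic on VLAN 200 are constructed for illustration, and the remembered client port stands in for the Option-82 data the relay agent inserts.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# DHCP message types (option 53) that only a server sends.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpPacket:
    src_mac: str                  # Ethernet source address of the frame
    chaddr: str                   # client hardware address inside the DHCP payload
    msg_type: str                 # DHCP message type (option 53)
    yiaddr: Optional[str] = None  # address assigned by the server (OFFER/ACK)

@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int

@dataclass
class PortConfig:
    trust_mode: str = "client-only"    # client-only (default) | trust | block
    ip_source_filtering: bool = False  # disabled by default

class DhcpSnooping:
    def __init__(self, mac_verification: bool = True) -> None:
        self.mac_verification = mac_verification
        self.ports: Dict[str, PortConfig] = {}
        # Binding table keyed by (client MAC, VLAN), as the CLI identifies entries.
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        # Client port remembered per request; this stands in for the Option-82
        # data the relay agent inserts so the reply goes back to that port only.
        self._pending: Dict[Tuple[str, int], str] = {}

    def port(self, name: str) -> PortConfig:
        return self.ports.setdefault(name, PortConfig())

    # -> ip helper dhcp-snooping port <slot/port> {client-only | trust | block}
    def set_trust_mode(self, name: str, mode: str) -> None:
        if mode not in ("client-only", "trust", "block"):
            raise ValueError(f"unknown trust mode {mode!r}")
        self.port(name).trust_mode = mode

    def filter_dhcp(self, port: str, vlan: int, pkt: DhcpPacket) -> Tuple[bool, str]:
        """Return (forwarded?, reason) for a DHCP packet received on `port`."""
        cfg = self.port(port)
        key = (pkt.chaddr.lower(), vlan)
        if cfg.trust_mode == "block":
            return False, "port blocks all DHCP traffic"
        if cfg.trust_mode == "trust":
            # Server replies are accepted only on trusted ports; a DHCPACK from
            # the trusted server populates the binding table for the client's port.
            if pkt.msg_type == "ACK" and pkt.yiaddr:
                client_port = self._pending.pop(key, None)
                if client_port is not None:
                    self.bindings[key] = Binding(key[0], pkt.yiaddr, client_port, vlan)
            return True, "trusted port"
        # client-only: the port is untrusted, so only client messages may pass.
        if pkt.msg_type in SERVER_MSGS:
            return False, "server message on untrusted port"
        if self.mac_verification and pkt.src_mac.lower() != key[0]:
            return False, "frame source MAC does not match client hardware address"
        self._pending[key] = port
        return True, "client message on untrusted port"

    def filter_ip(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IP source filtering: pass only traffic matching a binding for this port."""
        if not self.port(port).ip_source_filtering:
            return True
        b = self.bindings.get((src_mac.lower(), vlan))
        return b is not None and b.ip == src_ip and b.port == port

def run_demo() -> Dict[str, bool]:
    """Constructed traffic on VLAN 200: server on trusted port 2/1, client on 1/10."""
    snoop = DhcpSnooping()
    snoop.set_trust_mode("2/1", "trust")
    snoop.port("1/10").ip_source_filtering = True
    client, server = "00:2a:95:51:6c:10", "00:aa:bb:cc:dd:ee"
    r: Dict[str, bool] = {}
    # Legitimate client request on an untrusted port is forwarded.
    r["request_ok"] = snoop.filter_dhcp("1/10", 200, DhcpPacket(client, client, "DISCOVER"))[0]
    # Frame source MAC differs from chaddr: dropped by MAC address verification.
    r["spoofed_chaddr_dropped"] = not snoop.filter_dhcp(
        "1/10", 200, DhcpPacket("00:2a:95:51:6c:11", client, "DISCOVER"))[0]
    # An OFFER arriving on an untrusted port (unauthorized server) is dropped.
    r["rogue_offer_dropped"] = not snoop.filter_dhcp(
        "1/11", 200, DhcpPacket("00:11:22:33:44:55", client, "OFFER", "10.0.0.9"))[0]
    # ACK from the trusted server port is forwarded and creates the binding.
    r["ack_ok"] = snoop.filter_dhcp("2/1", 200, DhcpPacket(server, client, "ACK", "17.15.3.10"))[0]
    r["binding_on_client_port"] = snoop.bindings[(client, 200)].port == "1/10"
    # IP source filtering on 1/10: the bound address passes, any other is dropped.
    r["bound_ip_ok"] = snoop.filter_ip("1/10", 200, client, "17.15.3.10")
    r["other_ip_dropped"] = not snoop.filter_ip("1/10", 200, client, "17.15.3.99")
    return r
```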
Configuring the Binding Table Timeout
The contents of the DHCP Snooping binding table reside in switch memory. To preserve table
entries across switch reboots, the table contents are automatically saved to the dhcpBinding.db file located
in the /flash/switch directory.
The amount of time, in seconds, between each automatic save is referred to as the binding table timeout
value. By default, the timeout value is 300 seconds. To configure this value, use the ip helper dhcp-snooping binding timeout command. For example, the following command sets the timeout value to
1500 seconds:
-> ip helper dhcp-snooping binding timeout 1500
Each time an automatic save is performed, the dhcpBinding.db file is time stamped.
Synchronizing the Binding Table
To synchronize the contents of the dhcpBinding.db file with the binding table contents that reside in
memory, use the ip helper dhcp-snooping binding action command. This command provides two
parameters: purge and renew. Use the purge parameter to clear binding table entries in memory and the
renew parameter to populate the binding table with the contents of the dhcpBinding.db file. For example:
-> ip helper dhcp-snooping binding action purge
-> ip helper dhcp-snooping binding action renew
Synchronizing the binding table is only done when this command is used. There is no automatic triggering of this function. In addition, it is important to note that synchronizing the binding table loads dhcpBinding.db file contents into memory. This is the reverse of saving the binding table contents in memory
to the dhcpBinding.db file, which is done at automatic time intervals as defined by the binding table
timeout value. See “Configuring the Binding Table Timeout” on page 18-20 for more information.
Verifying the DHCP Relay Configuration
To display information about the DHCP Relay and BOOTP/DHCP, use the show commands listed below.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show ip helper command is also given in “Quick Steps for
Setting Up DHCP Relay” on page 18-4.
show ip helper
    Displays the current forward delay time, the maximum number of hops, the forwarding option (standard or AVLAN only), and each of the DHCP server IP addresses configured. Also displays the current configuration status for the DHCP relay agent information option (Option-82) and DHCP Snooping features.
show ip helper stats
    Displays the number of packets the DHCP Relay service has received and transmitted, the number of packets dropped due to forward delay and maximum hops violations, and the number of packets processed since the last time these statistics were displayed.
show ip helper dhcp-snooping vlan
    Displays a list of VLANs that have DHCP Snooping enabled and whether or not MAC address verification and Option-82 data insertion is enabled for each VLAN.
show ip helper dhcp-snooping port
    Displays the DHCP Snooping trust mode for the port and the number of packets destined for the port that were dropped due to a DHCP Snooping violation.
show ip helper dhcp-snooping binding
    Displays the contents of the DHCP Snooping binding table (database).
19 Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) is a standard router redundancy protocol supported in IP
version 4. It is based on RFC 3768 and provides redundancy by eliminating the single point of failure
inherent in a default route environment.
Note. RFC 3768, which obsoletes RFC 2338, does not include support for authentication types. As a
result, configuring VRRP authentication is no longer supported in this release.
In This Chapter
This chapter describes VRRP and how to configure it through the Command Line Interface (CLI). CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
This chapter provides an overview of VRRP and includes information about the following:
• Virtual routers—see “Creating a Virtual Router” on page 19-8.
• IP addresses for virtual routers—see “Specifying an IP Address for a Virtual Router” on page 19-9.
• VRRP advertisement interval—see “Configuring the Advertisement Interval” on page 19-10.
• Virtual router priority—see “Configuring Virtual Router Priority” on page 19-10.
• Preempting virtual routers—see “Setting Preemption for Virtual Routers” on page 19-11.
• VRRP traps—see “Setting VRRP Traps” on page 19-12.
• VRRP tracking—see “Creating Tracking Policies” on page 19-13.
• Verifying the VRRP configuration—see “Verifying the VRRP Configuration” on page 19-14.
VRRP Specifications
RFCs Supported: RFC 3768, Virtual Router Redundancy Protocol; RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol
Compatible with HSRP?: No
Maximum number of virtual routers: 255
Maximum number of IP addresses: 1 for the IP address owner; more than 1 address may be configured if the router is a backup for a master router that supports multiple addresses
VRRP Defaults
The following table lists the defaults for VRRP configuration through the vrrp command and the relevant
command keywords:
Description                         Keyword                      Default
Virtual router enabled or disabled  enable | disable | on | off  Virtual routers are disabled (off).
Priority                            priority                     100
Preempt mode                        preempt | no preempt         Preempt mode is enabled.
Advertising interval                interval                     1 second
In addition, other defaults for VRRP include:
Description    Command     Default
VRRP traps     vrrp trap   Disabled
VRRP tracking  vrrp track  Enabled
VRRP delay     vrrp delay  45 seconds
Quick Steps for Creating a Virtual Router
1 Create a virtual router. Specify a virtual router ID (VRID) and a VLAN ID. For example:
-> vrrp 6 4
The VLAN must already be created on the switch. For information about creating VLANs, see
Chapter 5, “Configuring VLANs.”
2 Configure an IP address for the virtual router.
-> vrrp 6 4 ip 10.10.2.3
3 Repeat steps 1 through 2 on all of the physical switches that will participate in backing up the
address(es) associated with the virtual router.
4 Enable VRRP on each switch.
-> vrrp 6 4 enable
Note. Optional. To verify the VRRP configuration, enter the show vrrp command. The display is similar
to the one shown here:
VRRP trap generation: Enabled
VRRP startup delay: 45 (expired)
          IP            Admin                      Adv
VRID VLAN Address(es)   Status    Priority  Preempt  Interval
----+----+-------------+---------+---------+--------+--------
6    4    10.10.2.3     Enabled   100       No       1
For more information about this display, see the OmniSwitch CLI Reference Guide.
VRRP Overview
VRRP allows routers on a LAN to back up a default route. VRRP dynamically assigns responsibility for a
virtual router to a physical router (VRRP router) on the LAN. The virtual router is associated with an IP
address (or set of IP addresses) on the LAN. A virtual router master is elected to forward packets for the
virtual router’s IP address. If the master router becomes unavailable, the highest priority backup router will
transition to the master state.
Note. The IP address that is backed up may be the IP address of a physical router, or it may be a virtual IP
address.
The example provided here is intended for understanding VRRP and does not show a configuration that
would be used in an actual network.
[Figure: VRRP Redundancy Example. Two VRRP routers, OmniSwitch A (Master 1, VRID 1, IP A) and OmniSwitch B (Backup 1, VRID 1, IP A; interface address IP B), form one virtual router; the client station uses IP A as its default gateway.]
In this example, each physical router is configured with a virtual router, VRID 1, which is associated with
IP address A. OmniSwitch A is the master router because it contains the physical interface to which IP
address A is assigned. OmniSwitch B is the backup router. The client is configured with a gateway address
of IP A.
When VRRP is configured on these switches, and both switches are available, OmniSwitch A will respond
to ARP requests for IP address A using the virtual router’s MAC address (00:00:5E:00:01:01) instead of
the physical MAC address assigned to the interface. OmniSwitch A will accept packets sent to the virtual
MAC address and forward them as appropriate; it will also accept packets addressed to IP address A (such
as ICMP ping requests).
OmniSwitch B will respond to ARP requests for IP address B using the interface’s physical MAC address.
It will not respond to ARP requests for IP address A or to the virtual router MAC address.
If OmniSwitch A becomes unavailable, OmniSwitch B becomes the master router. OmniSwitch B will
then respond to ARP requests for IP address A using the virtual router’s MAC address
(00:00:5E:00:01:01). It will also forward packets for IP address B and respond to ARP requests for IP
address B using the OmniSwitch’s physical MAC address. OmniSwitch B, however, cannot accept packets addressed to IP address A (such as ICMP ping requests).
OmniSwitch B uses IP address B to access the LAN, but IP address B is not backed up. If OmniSwitch B
becomes unavailable, IP address B is unavailable.
Why Use VRRP?
An end host may use dynamic routing or router discovery protocols to determine its first hop toward a
particular IP destination. With dynamic routing, large timer values are required and may cause significant
delay in the detection of a dead neighbor.
If an end host uses a static route to its default gateway, this creates a single point of failure if the route
becomes unavailable. End hosts will not be able to detect alternate paths.
In either case, VRRP ensures that an alternate path is always available.
Definition of a Virtual Router
To back up an IP address or addresses using VRRP, a virtual router must be configured on VRRP routers
on a common LAN. A VRRP router is a physical router running VRRP. A virtual router is defined by a
virtual router identifier (VRID) and a set of associated IP addresses on the LAN. (On the OmniSwitch
only one IP address is assigned to an interface, but other VRRP routers may have multiple IP addresses
per interface. In addition, the VRID must be unique.)
Note. A limitation of the OmniSwitch is that a single VRID may only be associated with one VLAN.
Each VRRP router may back up one or more virtual routers. The VRRP router that contains the physical
interfaces to which the virtual router IP addresses are assigned is called the IP address owner. If it is available, the IP address owner will function as the master router. The master router assumes the responsibility
of forwarding packets sent to the IP addresses associated with the virtual router and answering ARP
requests for these addresses.
To minimize network traffic, only the master router sends VRRP advertisements on the LAN. The IP
address assigned to the physical interface on the current master router is used as the source address in
VRRP advertisements. The advertisements communicate to all VRRP routers the priority and state of the
master router associated with the VRID. The advertisements are IP multicast datagrams sent to the VRRP
multicast address 224.0.0.18 (as determined by the Internet Assigned Numbers Authority).
If a master router becomes unavailable, it stops sending VRRP advertisements on the LAN. The backup
routers know the master is unavailable based on the following algorithm:
Master Down Interval = (3 * Advertisement Interval) + Skew Time
where Advertisement Interval is the time interval between VRRP advertisements, and Skew Time is calculated based on the VRRP router’s priority value as follows:
Skew Time = (256 - Priority) / 256
If backup routers are configured with priority values that are close in value, there may be a timing conflict,
and the first backup to take over may not be the one with the highest priority; a backup with a higher priority will then preempt the new master. The virtual router may be configured to prohibit any preemption
attempts, except by the IP address owner. An IP address owner, if it is available, will always become
master of any virtual router associated with its IP addresses.
Note. Duplicate IP address/MAC address messages may display when a backup takes over for a master,
depending on the timing of the takeover and the configured advertisement interval. This is particularly true
if more than one backup is configured.
VRRP MAC Addresses
Each virtual router has a single well-known MAC address, which is used as the source in all periodic
VRRP advertisements sent by the master router, any other packets originating from the master router, and
as the MAC address in ARP replies (instead of a VRRP router’s physical MAC address). The address has
the following format:
00-00-5E-00-01-[virtual router ID]
This mapping provides for up to eight virtual routers on an OmniSwitch.
ARP Requests
Each virtual router has a single well-known MAC address, which is used as the MAC address in ARP
replies instead of a VRRP router's physical MAC address. When an end host sends an ARP request to the
master router’s IP address, the master router responds to the ARP request using the virtual router MAC
address. If a backup router takes over for the master, and an end host sends an ARP request, the backup
will reply to the request using the virtual router MAC address.
Gratuitous ARP requests for the virtual router IP address or MAC address are broadcast when the
OmniSwitch becomes the master router. For VRRP interfaces, gratuitous ARP requests/responses are
delayed at system boot until both the IP address and the virtual router MAC address are configured.
If an interface IP address is shared by a virtual router, the routing mechanism does not send a gratuitous
ARP for the IP address (since the virtual router will send a gratuitous ARP). This prevents traffic from
being forwarded to the router before its routing tables are stable.
ICMP Redirects
ICMP redirects are not sent out over VRRP interfaces.
VRRP Startup Delay
When a virtual router reboots and becomes master, it may become master before its routing tables are
populated. This could result in loss of connectivity to the router. To prevent the loss in connectivity, a
delay is used to prevent the router from becoming master before the routing tables are stabilized; the
default delay value is 45 seconds.
The startup delay may be modified to allow more or less time for the router to stabilize its routing tables.
In addition to the startup delay, the switch has an ARP delay (which is not configurable).
VRRP Tracking
A virtual router’s priority may be conditionally modified to prevent another router from taking over as
master. Tracking policies are used to conditionally modify the priority setting whenever a slot/port, IP
address and or IP interface associated with a virtual router goes down.
A tracking policy consists of a tracking ID, the value amount used to decrease the priority value, and the
slot/port number, IP address, or IP interface name to be monitored by the policy. The policy is then associated with one or more virtual routers.
Interaction With Other Features
• IP routing—IP routing must be enabled for the VRRP configuration to take effect.
• Router Discovery Protocol (RDP)—If RDP is enabled on the switch, and VRRP is enabled, RDP will
advertise VLAN IP addresses of virtual routers depending on whether there are virtual routers active on
the LAN, and whether those routers are backups or masters. When there are no virtual routers active on
the VLAN (either acting as master or backup), RDP will advertise all VLAN IP addresses. However, if
virtual routers are active, RDP will advertise IP addresses for any master routers; RDP will not advertise IP addresses for backup routers.
For more information about RDP, see Chapter 17, “Configuring RDP.”
Configuration Overview
VRRP is part of the base software. At startup, VRRP is loaded onto the switch and is enabled. Virtual
routers must first be configured and enabled as described in the following sections. Since VRRP is implemented on
multiple switches in the network, some VRRP parameters must be identical across switches:
• VRRP and ACLs
If QoS filtering rules (Access Control Lists) are configured for Layer 3 traffic on a VRRP router, all of
the VRRP routers on the LAN must be configured with the same filtering rules; otherwise the security
of the network will be compromised. For more information about filtering, see Chapter 27, “Configuring ACLs.”
• Conflicting VRRP Parameters Across Switches
All virtual routers with the same VRID on the LAN should be configured with the same advertisement
interval and IP addresses. If the virtual routers are configured differently, it may result in more than one
virtual router acting as the master router. This in turn would result in duplicate IP and MAC address
messages as well as multiple routers forwarding duplicate packets to the virtual router MAC address.
Use the show vrrp statistics command to check for conflicting parameters. For information about
configuring VRRP parameters, see the remaining sections of this chapter.
Basic Virtual Router Configuration
At least two virtual routers must be configured on the LAN—a master router and a backup router. The
virtual router is identified by a number called the Virtual Router ID (VRID), the VLAN on which the
virtual router is configured, and the IP address or addresses associated with the router. Multiple virtual
routers may be configured on a single physical VRRP router.
Basic commands for setting up virtual routers include:
vrrp
vrrp ip
The next sections describe how to use these commands.
Creating a Virtual Router
To create a virtual router, enter the vrrp command with the desired VRID and the relevant VLAN ID. The
VRID must be a unique number in the range from 1 to 7. The VLAN must already be created on the
switch through the vlan command. For information about creating VLANs, see Chapter 5, “Configuring
VLANs.” For example:
-> vrrp 6 4
This command creates VRID 6 on VLAN 4.
When you create a new virtual router, the VRID ID and a VLAN ID are required. Optionally, you may
also specify:
• Priority (in the range from 1 to 255); use the priority keyword with the desired value. The default is
100. Note that the IP address owner will be automatically assigned a value of 255 if you do not specify
the priority. See “Configuring Virtual Router Priority” on page 19-10 for more information about how
priority is used.
• Preempt mode. By default, preempt mode is enabled. Use no preempt to turn it off, and preempt to
turn it back on. For more information about the preempt mode, see “Setting Preemption for Virtual
Routers” on page 19-11.
• Advertising interval (in seconds). Use the interval keyword with the desired number of seconds for the
delay in sending VRRP advertisement packets. The default is 1 second. See “Configuring the Advertisement Interval” on page 19-10.
The following example creates a virtual router (with VRID 7) on VLAN 2 with a priority of 75. VRRP
messages will be sent at intervals of 2 seconds:
-> vrrp 7 2 priority 75 no preempt interval 2
Note. All virtual routers with the same VRID on the same LAN should be configured with the same
advertising interval; otherwise the network may produce duplicate IP or MAC address messages.
The vrrp command may also be used to specify whether the virtual router is enabled or disabled (it is
disabled by default). However, the virtual router must have an IP address assigned to it before it can be
enabled. Use the vrrp ip command as described in the next section to specify an IP address or addresses.
For more information about the vrrp command syntax, see the OmniSwitch CLI Reference Guide.
Specifying an IP Address for a Virtual Router
An IP address must be specified before a virtual router may be enabled. To specify an IP address for a
virtual router, use the vrrp ip command and the relevant IP address. For example:
-> vrrp 6 4 ip 10.10.2.3
-> vrrp 6 4 enable
In this example, the vrrp ip command specifies that virtual router 6 on VLAN 4 will be used to backup IP
address 10.10.2.3. The virtual router is then enabled with the vrrp command.
Currently the OmniSwitch does not support multiple IP addresses on a single virtual router. If an
OmniSwitch is the IP address owner for a virtual router, then that address must be assigned to the virtual
router. If the OmniSwitch is configured as a backup for a VRRP router that allows more than one IP
address to be assigned to a virtual router, then multiple addresses may be assigned to the virtual router.
To remove an IP address from a virtual router, use the no form of the vrrp ip command. For example:
-> vrrp 6 4 disable
-> vrrp 6 4 no ip 10.10.2.3
In this example, virtual router 6 is disabled. (A virtual router must be disabled before IP addresses may be
added/removed from the router.) IP address 10.10.2.3 is then removed from the virtual router with the no
form of the vrrp ip command.
Configuring the Advertisement Interval
The advertisement interval is configurable, but all virtual routers with the same VRID should be configured with the same value. Mismatched values will create network problems.
If you change the advertisement interval on the master router when VRRP is already running or if the
advertisement interval is set differently for a master router and a backup router, VRRP packets may be
dropped because the newly configured interval does not match the interval indicated in the packet. The
backup router will then take over and send a gratuitous ARP, which includes the virtual router IP address
and the virtual router MAC address. In addition to creating duplicate IP/MAC address messages, both
routers will begin forwarding packets sent to the virtual router MAC address. This will result in forwarding duplicate packets.
To avoid duplicate addresses and packets, make sure the advertisement interval is configured the same on
both the master and the backup router.
For more information about VRRP and ARP requests, see “ARP Requests” on page 19-6.
To configure the advertisement interval, use the vrrp command with the interval keyword. For example:
-> vrrp 6 4 disable
-> vrrp 6 4 interval 5
In this example, virtual router 6 is disabled. (If you are modifying an existing virtual router, the virtual
router must be disabled before it may be modified.) The vrrp command is then used to set the advertising
interval for virtual router 6 to 5 seconds.
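The drop described above happens on the receiving side: a VRRPv2 router validates each advertisement and discards one whose advertisement interval differs from its own configured value. The following is an added example, not code from the OmniSwitch guide, that encodes and decodes a VRRPv2 advertisement in the RFC 3768 layout and applies those receive checks, including recognition of the priority-0 shutdown advertisement and derivation of the virtual router MAC address. The function names and the sample values are constructed for the example.

```python
"""VRRPv2 advertisement encode/decode and receive-side validation.

Added example; not code from the OmniSwitch guide. Packet layout and the
receiver checks follow RFC 3768 (VRRPv2): a router discards an advertisement
whose Adver Int differs from its own configured interval, which is why a
mismatched interval leads to dropped packets and a second master.
Function names and sample values are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List


def vrrp_virtual_mac(vrid: int) -> str:
    """Virtual router MAC address 00:00:5E:00:01:<VRID> (RFC 3768, 7.3)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5E:00:01:{vrid:02X}"


def internet_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071) over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int        # 0 means "master is shutting down"
    adver_int: int       # seconds, as set by 'vrrp <vrid> <vlan> interval N'
    addresses: List[str]


def build_advertisement(adv: Advertisement) -> bytes:
    """Encode a VRRPv2 advertisement: version 2, type 1, no authentication."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, adv.vrid, adv.priority,
                         len(adv.addresses), 0, adv.adver_int, 0)
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in adv.addresses)
    msg = header + body + b"\x00" * 8           # 8 bytes of (unused) auth data
    return msg[:6] + struct.pack("!H", internet_checksum(msg)) + msg[8:]


def parse_advertisement(pkt: bytes) -> Advertisement:
    """Decode the fixed header and the list of virtual IP addresses."""
    vt, vrid, prio, count, _auth, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return Advertisement(vrid, prio, adver_int, addrs)


def check_advertisement(pkt: bytes, local_vrid: int, local_adver_int: int) -> str:
    """Receiver decision: 'accept', 'master-shutdown', or 'drop: <reason>'."""
    if len(pkt) < 16:
        return "drop: truncated"
    if internet_checksum(pkt) != 0:           # a valid message sums to all ones
        return "drop: bad checksum"
    try:
        adv = parse_advertisement(pkt)
    except ValueError as exc:
        return f"drop: {exc}"
    if adv.vrid != local_vrid:
        return "drop: VRID not configured here"
    if adv.adver_int != local_adver_int:      # the mismatch described in the text
        return f"drop: interval {adv.adver_int}s != local {local_adver_int}s"
    if adv.priority == 0:
        return "master-shutdown"
    return "accept"


if __name__ == "__main__":
    pkt = build_advertisement(Advertisement(6, 100, 5, ["10.10.2.3"]))
    print(pkt.hex(), check_advertisement(pkt, 6, 5), check_advertisement(pkt, 6, 1))
```

A real receiver also requires an IP TTL of 255 and checks the authentication type; those checks are left out here so the interval comparison stays visible.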
Configuring Virtual Router Priority
VRRP functions with one master virtual router and at least one backup virtual router. A priority value
determines how backup routers will be selected to take over for the master router if it becomes unavailable.
Priority values range from 1 to 254. A value of 255 indicates that the virtual router owns the IP address;
that is, the router contains the real physical interface to which the IP address is assigned. The default priority value is 100; however the switch sets this value to 255 if it detects that this router is the IP address
owner. The value cannot be set to 255 if the router is not the IP address owner. The IP address owner will
always be the master router if it is available.
If more than one backup router is configured, their priority values may be configured with different values,
so that the backup with the higher value will take over for the master. The priority parameter may be used
to control the order in which backup routers will take over for the master. If priority values are the same,
any backup will take over for master.
Note that the switch sets the priority value to zero in the last VRRP advertisement packet before a master
router is disabled (see “Enabling/Disabling a Virtual Router” on page 19-11).
Also, if a router is the IP address owner and the priority value is not set to 255, the switch will set its priority to 255 when the router is enabled.
To set the priority, use the vrrp command with the priority keyword and the desired value. For example:
-> vrrp 6 4 disable
-> vrrp 6 4 priority 50
In this example, virtual router 6 is disabled. (If you are modifying an existing virtual router, the virtual
router must be disabled before it may be modified.) The virtual router priority is then set to 50. The priority value is relative to the priority value configured for other virtual routers backing up the same IP
address. Since the default priority is 100, setting the value to 50 would typically provide a router with
lower priority in the VRRP network.
Setting Preemption for Virtual Routers
When a master virtual router becomes unavailable (goes down for whatever reason), a backup router will
take over. There may be more than one backup router, and if the backup routers have similar priority
values, the backup with the highest priority value may not be the one to take over for the master because
of network traffic loads. If that’s the case, the backup with the higher priority will then preempt the first
backup router.
By default virtual routers are allowed to preempt each other; that is, the virtual router with the highest
priority will take over if the master router becomes unavailable. The preempt mode may be disabled so
that any backup router that takes over when the master is unavailable will not then be preempted by a
backup with a higher priority.
Note. The virtual router that owns the IP address(es) associated with the physical router always becomes
the master router if it is available, regardless of the preempt mode setting and the priority values of the
backup routers.
To disable preemption for a virtual router, use the vrrp command with the no preempt keywords. For
example:
-> vrrp 6 4 disable
-> vrrp 6 4 no preempt
In this example, virtual router 6 is disabled. (If you are modifying an existing virtual router, the virtual
router must be disabled before it may be modified.) The virtual router is then configured to disable
preemption. If this virtual router takes over for an unavailable router, a router with a higher priority will
not be able to preempt it. For more information about priority, see “Configuring Virtual Router Priority”
on page 19-10.
Enabling/Disabling a Virtual Router
Virtual routers are disabled by default. To enable a virtual router, use the vrrp command with the enable
keyword. Note that at least one IP address must be configured for the virtual router through the vrrp ip
command. For example:
-> vrrp 7 3 priority 150
-> vrrp 7 3 ip 10.10.2.3
-> vrrp 7 3 enable
In this example, a virtual router is created on VLAN 3 with a VRID of 7. An IP address is then assigned to
the virtual router. The virtual router is then enabled on the switch.
To disable a virtual router, use the disable keyword.
-> vrrp 7 3 disable
A virtual router must be disabled before it may be modified. Use the vrrp command to disable the virtual
router first; then use the command again to modify the parameters. For example:
-> vrrp 7 3 disable
-> vrrp 7 3 priority 200
-> vrrp 7 3 enable
In this example, virtual router 7 on VLAN 3 is disabled. The virtual router is then modified to change its
priority setting. (For information about configuring the priority setting, see “Configuring Virtual Router
Priority” on page 19-10.) The virtual router is then re-enabled and will be active on the switch.
To delete a virtual router, use the no form of the vrrp command with the relevant VRID and VLAN ID.
For example:
-> no vrrp 7 3
Virtual router 7 on VLAN 3 is deleted from the configuration. (The virtual router does not have to be
disabled before you delete it.)
Setting VRRP Traps
A VRRP router has the capability to generate VRRP SNMP traps for events defined in the VRRP SNMP
MIB. By default traps are enabled.
In order for VRRP traps to be generated correctly, traps in general must be enabled on the switch through
the SNMP CLI. See the OmniSwitch 6800/6850/9000 Switch Management Guide for more information
about enabling SNMP traps globally.
To disable VRRP traps, use the no form of the vrrp trap command.
-> no vrrp trap
To re-enable traps, enter the vrrp trap command:
-> vrrp trap
Setting VRRP Startup Delay
To set a delay to prevent a router from going active before its routing tables are set up, use the vrrp delay
command.
-> vrrp delay 75
The switch will now wait 75 seconds after a switch reboot before it will be available to take over as master
for another router.
Creating Tracking Policies
To create a tracking policy, use the vrrp track command and specify the amount to decrease a virtual
router’s priority and the slot/port, IP address, or IP interface name to be tracked. For example:
-> vrrp track 3 enable priority 50 20.1.1.3
In this example, a tracking policy ID (3) is created and enabled for IP address 20.1.1.3. If this address goes
inactive, a virtual router associated with this track ID will have its priority decremented by 50. Note that
the enable keyword administratively activates the tracking policy, but the policy does not take effect until
it is associated with one or more virtual routers (see the next section).
Note the following:
• A virtual router must be administratively disabled before a tracking policy for the virtual router can be
added.
• VRRP tracking does not override IP address ownership (the IP address owner will always have priority to become master, if it is available).
Associating a Tracking Policy With a Virtual Router
To associate a tracking policy with a virtual router, use the vrrp track-association command with the
tracking policy ID number. In this example, virtual router 6 on VLAN 4 is disabled first so that tracking
policy 3 may be associated with it:
-> vrrp 6 4 disable
-> vrrp 6 4 track-association 3
When the virtual router is re-enabled, tracking policy 3 will be used for that virtual router. If VLAN 2
goes down, VRID 6 will have its priority decremented by 50.
A VLAN tracking policy should not be associated with a virtual router on the same VLAN. For example:
-> vrrp 5 2 track-association 3
This configuration is allowed but will not really have an effect. If VLAN 2 goes down, this virtual router
goes down as well and the tracking policy is not applied.
Note. A master and a backup virtual router should not be tracking the same IP address; otherwise, when
the IP address becomes unreachable, both virtual routers will have their priorities decremented, and the
backup may temporarily take over if the master discovers that the IP address is unreachable before the
backup.
Typically you should not configure the same IP address tracking policies on physical VRRP routers that
back up each other; otherwise, the priority will be decremented for both master and backup when the
entity being tracked goes down.
Verifying the VRRP Configuration
A summary of the show commands used for verifying the VRRP configuration is given here:
show vrrp                    Displays the virtual router configuration for all virtual routers or for a particular virtual router.
show vrrp statistics         Displays statistics about VRRP packets for all virtual routers configured on the switch or for a particular virtual router.
show vrrp track              Displays information about tracking policies on the switch.
show vrrp track-association  Displays the tracking policies associated with virtual routers.
For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
VRRP Application Example
In addition to providing redundancy, VRRP can assist in load balancing outgoing traffic. The figure below
shows two virtual routers with their hosts splitting traffic between them. Half of the hosts are configured
with a default route to virtual router 1’s IP address (10.10.2.250), and the other half are configured with a
default route to virtual router 2’s IP address (10.10.2.245).
[Figure: VRRP Redundancy and Load Balancing. OmniSwitch A (VRRP router) is Master 1 for VRID 1 (10.10.2.250) and Backup 2 for VRID 2; OmniSwitch B (VRRP router) is Backup 1 for VRID 1 and Master 2 for VRID 2 (10.10.2.245). Interface addresses shown: 10.10.2.250 and 10.10.2.254. All are on VLAN 5; clients 1 and 2 use default gateway 10.10.2.250, clients 3 and 4 use default gateway 10.10.2.245.]
The CLI commands used to configure this setup are as follows:
1 First, create two virtual routers for VLAN 5. (Note that VLAN 5 must already be created and available
on the switch.)
-> vrrp 1 5
-> vrrp 2 5
2 Configure the IP addresses for each virtual router.
-> vrrp 1 5 ip 10.10.2.250
-> vrrp 2 5 ip 10.10.2.245
3 Enable the virtual routers.
-> vrrp 1 5 enable
-> vrrp 2 5 enable
Note. The same VRRP configuration must be set up on each switch. The VRRP router that contains, or
owns, the IP address will automatically become the master for that virtual router. If the IP address is a
virtual address, the virtual router with the highest priority will become the master router.
In this scenario, the master of VRID 1 will respond to ARP requests for IP address A using the virtual
router MAC address for VRID 1 (00:00:5E:00:01:01). OmniSwitch A is the master for VRID 1 since it
contains the physical interface to which 10.10.2.3 is assigned. If OmniSwitch A should become unavailable, OmniSwitch B will become master for VRID 1.
In the same way, the master of VRID 2 will respond to ARP requests for IP address B using the virtual
router MAC address for VRID 2 (00:00:5E:00:01:02). OmniSwitch B is the master for VRID 2 since it
contains the physical interface to which 10.10.2.245 is assigned. If OmniSwitch B should become unavailable, OmniSwitch A will become master for 10.10.2.245. This configuration provides uninterrupted
service for the end hosts.
VRRP Tracking Example
The figure below shows two VRRP routers with two virtual routers backing up one IP address on each
VRRP router respectively. Virtual router 1 serves as the default gateway on OmniSwitch A for clients 1
and 2 through IP address 10.10.2.250. For example, if the port that provides access to the Internet on
OmniSwitch A fails, virtual router 1 will continue to be the default router for clients 1 and 2 but clients 1
and 2 will not be able to access the Internet.
[Figure: VRRP Tracking Example. OmniSwitch A (VRRP router, port 3/1) is Master 1 for VRID 1 (10.10.2.250) and Backup 2 for VRID 2; OmniSwitch B (VRRP router, port 3/1) is Backup 1 for VRID 1 and Master 2 for VRID 2 (10.10.2.245). Interface addresses shown: 10.10.2.210 and 10.10.2.215. All are on VLAN 5; clients 1 and 2 use default gateway 10.10.2.250, clients 3 and 4 use default gateway 10.10.2.245.]
In this example, the master for virtual router 1 has a priority of 100 and the backup for virtual router 1 has
a priority of 75. The virtual router configuration for VRID 1 on VRRP router A is as follows:
-> vrrp 1 5 priority 100
The virtual router configuration for VRID 1 on VRRP router B is as follows:
-> vrrp 1 5 priority 75 preempt
To ensure workstation clients 1 and 2 have connectivity to the internet, configure a tracking policy on
VRRP router A to monitor port 3/1 and associate the policy with VRID 1.
-> vrrp track 1 enable priority 50 port 3/1
-> vrrp 1 5 track-association 1
If port 3/1 on VRRP router A goes down, the master for virtual router 1 on VRRP router A is still functioning, but workstation clients 1 and 2 will not be able to get to the Internet. With this tracking policy enabled, however,
master router 1’s priority will be temporarily decremented to 50, allowing backup router 1 to take over and
provide connectivity for those workstations. When port 3/1 on VRRP router A comes back up, master 1
will take over again.
Note. The preempt option must be enabled on virtual router 1; otherwise the original master will not be
able to take over. See “Setting Preemption for Virtual Routers” on page 19-11 for more information about
enabling preemption.
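The following added example, which is not OmniSwitch code, models the election rules from “Configuring Virtual Router Priority”, “Setting Preemption for Virtual Routers”, “Creating Tracking Policies” and the tracking scenario above for a single VRID: the owner is fixed at priority 255, each enabled tracking policy whose entity is down subtracts its decrement, and a backup with a higher priority replaces a working master only if that backup's own preempt mode is on (the RFC 3768 rule). It also includes the check the Note in the tracking section asks for: the same entity tracked by two instances of one VRID. Router and entity names are constructed.

```python
"""Master election for one VRID under priority, address ownership,
preemption and tracking policies.

Added example, not OmniSwitch code. Preemption is applied as RFC 3768
defines it: a backup with a higher priority replaces a working master only
when that backup's own preempt mode is enabled; the address owner (255)
always wins. Router and entity names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TrackPolicy:
    track_id: int
    entity: str        # "port 3/1", "vlan 2" or an IP address string
    decrement: int     # 'vrrp track 1 enable priority 50 port 3/1' -> 50
    enabled: bool = True


@dataclass
class VirtualRouter:
    router: str        # physical switch hosting this instance
    vrid: int
    vlan: int
    priority: int = 100           # switch default
    owner: bool = False           # owns the virtual IP on a real interface
    preempt: bool = True          # switch default
    tracks: List[TrackPolicy] = field(default_factory=list)

    def effective_priority(self, down: Set[str]) -> int:
        """Configured priority minus every enabled policy whose entity is down."""
        if self.owner:
            return 255
        prio = self.priority
        for t in self.tracks:
            if t.enabled and t.entity in down:
                prio -= t.decrement
        return max(prio, 1)       # 0 is reserved for the shutdown advertisement


def elect(routers: List[VirtualRouter], current: Optional[str],
          down: Set[str], failed: Set[str] = frozenset()) -> Optional[str]:
    """Name of the switch that is master after this event.

    `down` holds tracked entities that are unreachable; `failed` holds
    switches that are not sending advertisements at all.
    """
    alive = [r for r in routers if r.router not in failed]
    if not alive:
        return None
    best = max(alive, key=lambda r: r.effective_priority(down))
    cur = next((r for r in alive if r.router == current), None)
    if cur is None:
        return best.router        # master gone: highest priority takes over
    if best.effective_priority(down) <= cur.effective_priority(down):
        return cur.router         # incumbent keeps equal or higher priority
    if best.owner or best.preempt:
        return best.router        # owner or preempt-enabled backup takes over
    return cur.router


def shared_tracking(routers: List[VirtualRouter]) -> List[Tuple[int, str]]:
    """Entities tracked by more than one instance of the same VRID: master
    and backup would be decremented together when the entity goes down."""
    seen: Dict[Tuple[int, str], Set[str]] = {}
    for r in routers:
        for t in r.tracks:
            seen.setdefault((r.vrid, t.entity), set()).add(r.router)
    return sorted(k for k, who in seen.items() if len(who) > 1)


def tracking_example(master_preempt: bool = True) -> Tuple[str, str, str]:
    """Replay the scenario above: port 3/1 on router A fails, then returns."""
    a = VirtualRouter("OmniSwitch A", 1, 5, priority=100, preempt=master_preempt,
                      tracks=[TrackPolicy(1, "port 3/1", 50)])
    b = VirtualRouter("OmniSwitch B", 1, 5, priority=75, preempt=True)
    vrs = [a, b]
    m0 = elect(vrs, None, set())               # startup: A (100) beats B (75)
    m1 = elect(vrs, m0, {"port 3/1"})          # A drops to 50, B preempts
    m2 = elect(vrs, m1, set())                 # A back at 100 takes over again
    return m0, m1, m2
```

Running tracking_example(master_preempt=False) shows the case the Note warns about: router B keeps the master role after port 3/1 recovers because router A is no longer allowed to preempt.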
20 Configuring IPX
The Internet Packet Exchange (IPX) protocol, developed by Novell for NetWare, is a Layer 3 protocol
used to route packets through IPX networks. (NetWare is Novell’s network server operating system.)
In This Chapter
This chapter describes IPX and how to configure it through the Command Line Interface (CLI). It includes
instructions for configuring IPX routing and fine-tuning IPX by using optional IPX configuration parameters (e.g., IPX packet extension and type-20 propagation). It also details IPX filtering, which is used to
control the operation of the IPX RIP/SAP protocols. CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
This chapter provides an overview of IPX and includes information about the following procedures:
• IPX Routing
– Enabling IPX Routing (see page 20-6)
– Creating an IPX Router Port (see page 20-6)
– Configuring an IPX Router Port (see page 20-7)
– Creating/Deleting a Default Route (see page 20-7)
– Creating/Deleting Static Routes (see page 20-8)
– Configuring Type-20 Packet Forwarding (see page 20-8)
– Configuring Extended RIP/SAP Packets (see page 20-9)
– Configuring RIP/SAP Timers (see page 20-9)
– Using the Ping Command (see page 20-10)
• IPX RIP/SAP Filtering
– Configuring Routing Information Protocol (RIP) Filters (see page 20-12)
– Configuring Service Advertising Protocol (SAP) Filters (see page 20-12)
– Configuring Get Next Server (GNS) Filters (see page 20-13)
– Flushing the IPX RIP/SAP Tables (see page 20-14)
IPX Specifications
Specifications Supported: IPX RIP and Service Advertising Protocol (SAP) router specification; version 1.30; May 23, 1996; Part No. 107000029-001
IPX Defaults
The following table lists the defaults for IPX configuration through the ipx command.
Description                  Command                    Default
IPX Status                   ipx routing                enabled
Type-20 Packet Forwarding    ipx type-20-propagation    disabled
Extended RIP/SAP Packets     ipx packet-extension       disabled
RIP/SAP Timers               ipx timers                 60 (seconds)
Quick Steps for Configuring IPX Routing
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However,
to route packets to a device on a different VLAN, you must create an IPX router port on each VLAN. The
following steps show you how to enable IPX routing between VLANs “from scratch”. If active VLANs
have already been created on the switch, go to step 5.
1 Create VLAN 1 with a description (e.g., VLAN 1) by using the vlan command. For example:
-> vlan 1 name "VLAN 1"
2 Create VLAN 2 with a description (e.g., VLAN 2) by using the vlan command. For example:
-> vlan 2 name "VLAN 2"
3 Assign an active port to VLAN 1 by using the vlan port default command. For example, the following command assigns port 1 on slot 1 to VLAN 1:
-> vlan 1 port default 1/1
4 Assign an active port to VLAN 2 by using the vlan port default command. For example, the following command assigns port 2 on slot 1 to VLAN 2:
-> vlan 2 port default 1/2
5 Create an IPX router port on VLAN 1 by using the vlan router ipx command. For example:
-> vlan 1 router ipx 00000111
6 Create an IPX router port on VLAN 2 by using the vlan router ipx command. For example:
-> vlan 2 router ipx 00000222
Note. For more information on VLANs and router ports, see Chapter 5, “Configuring VLANs.”
IPX Overview
IPX specifies a connectionless datagram similar to the IP packet of TCP/IP networks. An IPX network
address consists of two parts, a network number and a node number. The IPX network number is assigned
by the network administrator. The node number is the Media Access Control (MAC) address for a network
interface in the end node.
IPX exchanges information by using its own version of RIP, which sends updates every 60 seconds.
NetWare also supports SAP to allow network resources, including file and print servers, to advertise their
network addresses and the services they provide. The user can also define routes. These routes, called
static routes, have higher priority than routes learned through RIP.
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However,
to route packets between VLANs, you must create an IPX router port on each VLAN. In the illustration
below, a router port has been configured on each VLAN. Therefore, workstations connected to ports on
VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations connected to ports on VLAN 3 on
Switch 2 can communicate with VLAN 2. Also, ports from both switches have been assigned to VLAN 2,
and a physical connection has been made between the switches. Therefore, workstations connected to
VLAN 1 on Switch 1 can communicate with workstations connected to VLAN 3 on Switch 2.
[Figure: IPX Routing. Switch 1 (OmniSwitch 9700) has IPX router ports on VLAN 1 (network 00000111) and VLAN 2 (network 00000222); Switch 2 (OmniSwitch 9700) has IPX router ports on VLAN 2 (network 00000222) and VLAN 3 (network 00000333). Each switch keeps a RIP routing table, and a physical connection joins the two switches on VLAN 2. Workstation node addresses shown: 68:27:43:29:00:00, 53:45:72:30:00:00, 22:45:67:87:00:00, 41:57:67:36:00:00.]
In IPX routing, the switch builds routing tables to keep track of optimal destinations for traffic it receives
that is destined for remote IPX networks. The switch sends and receives routing messages or advertisements to/from other switches in the network. When the switch receives an IPX packet, it looks up the
destination network number in its routing table. If the network is directly connected to the switch, the
switch also checks the destination node address.
IPX is associated with additional protocols built into the switch software. The switch supports the following IPX protocols:
• IPX RIP—Layer 3 protocol used by NetWare routers to exchange IPX routing information. IPX RIP
functions similarly to IP RIP. IPX RIP uses two metrics to calculate the best route, hop count and ticks.
An IPX router periodically transmits packets containing the information currently in its own routing
table to neighboring IPX RIP routers to advertise the best route to an IPX destination.
• SAP—Layer 3 protocol used by NetWare routers to exchange IPX routing information. SAP is similar
in concept to IPX RIP. Just as RIP enables NetWare routers to exchange information about routes, SAP
enables NetWare devices to exchange information about available network services. NetWare workstations use SAP to obtain the network addresses of NetWare servers. IPX routers use SAP to gather
service information and then share it with other IPX routers.
• Sequenced Packet Exchange (SPX)—Transport-layer protocol that provides a reliable end-to-end
communications link by managing packet sequencing and delivery. SPX does not play a direct role in
IPX routing; it simply guarantees the delivery of routed packets.
IPX Routing
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However,
to route packets to a device on a different VLAN, you must create an IPX router port on each VLAN.
Enabling IPX Routing
IPX is enabled by default. If necessary, use the ipx routing command to enable IPX. Use the no ipx
routing command to disable IPX. Use the show ipx interface command to display IPX router status and
configuration parameters.
Creating an IPX Router Port
You must configure an IPX router port on a VLAN for devices on that VLAN to communicate with
devices on other VLANs. You can only create one IPX router port per VLAN. VLAN router ports are not
active until at least one active physical port is assigned to the VLAN.
If the switch is currently in the single mac router mode, up to 256 router ports are supported (including IP
and IPX). If the switch is in the multiple mac router mode, up to 64 router ports are supported (including
IP and IPX). You can configure an IP and IPX router port on the same VLAN. Both types of router ports
will share the same MAC address for that VLAN.
Use the vlan router ipx command to configure an IPX router port. For example, to create an IPX router
port on VLAN 1 with an IPX address of 1000590C, you would enter:
-> vlan 1 router ipx 1000590C
Note. If fewer than eight hex digits are entered for an IPX network number, the entry is automatically
prefixed with zeros to equal eight digits.
Use the no vlan router ipx command to remove an IPX router port from the VLAN. For example, to
remove an IPX router port on VLAN 1 with an IPX address of 1000590C, you would enter:
-> no vlan 1 router ipx 1000590C
Use the show ipx interface command to display current IPX interface information.
Note. Router port IPX addresses must be unique. You cannot have two router ports with the same IPX
address.
For more information on VLANs, see Chapter 5, “Configuring VLANs.”
IPX Router Port Configuration Options
When you create an IPX router port by using the vlan router ipx command, RIP routing is enabled using
the default parameters listed below. However, you can use the full command to change the default parameters. Sample configurations are shown at the end of this section.
Routing Type
By default, both RIP and SAP packets are processed (active). However, additional configurations can be
used:
• active. RIP and SAP updates are processed (default).
• rip. RIP updates are processed (SAP is disabled).
• inactive. RIP and SAP updates are not processed, but the router port remains active.
Encapsulation Type
Ethernet 2 encapsulation is the default encapsulation type. However, other types can be configured:
• e2. Ethernet 2 encapsulation (default)
• novell. Novell Raw (802.3) encapsulation
• llc. LLC (802.2) encapsulation
• snap. SNAP encapsulation
Delay
To configure the IPX delay, enter the syntax timeticks and specify the number of ticks for IPX delay time.
A tick is approximately 1/18th of a second. The valid range is 0–65535. The default is 0.
For example, to configure IPX router port 1000590C on VLAN 1 to process only RIP packets with a delay
of 10 you would enter:
-> vlan 1 router ipx 1000590C rip timeticks 10
For more information on optional command syntax see Chapter 20, “VLAN Management Commands” in
the OmniSwitch CLI Reference Guide. For more information on VLANs and configuring router ports, see
Chapter 5, “Configuring VLANs.”
Creating/Deleting a Default Route
A default IPX route can be configured for packets destined for networks unknown to the switch. If RIP is
disabled and a default IPX route is configured, packets can still be forwarded to a switch that knows where
to send them.
Use the ipx default-route command to configure a default route for the switch. Enter the command, then
enter the IPX network number of the first hop used to reach the default route. For example, to configure a
default route by using IPX network 222 for the first hop you would enter:
-> ipx default-route 222
The IPX network number is required. You can also enter the VLAN number of the first hop. For example,
to configure a default route by using VLAN 1 on the 222 network you would enter:
-> ipx default-route 1 222
The network node is only required if the default network is directly connected to the switch. For example,
to create a default route to network 222 (which is directly attached to the switch) you would enter:
-> ipx default-route 222 00:20:da:99:88:77
Use the no ipx default-route command to delete a default route. For example, to delete a default route by
using the 222 network as a first hop you would enter:
-> no ipx default-route 222
Use the show ipx default-route command to display IPX default routes.
Creating/Deleting Static Routes
A static route enables you to send traffic to a switch other than those learned through routing protocols.
Static routes are user-defined and carry a higher priority than routes created by dynamic routing protocols.
That is, if two routes have the same metric value, the static route has the higher priority. Static routes
allow you to define or customize an explicit path to an IP network segment, which is then added to the IP
forwarding table. Static routes can be created between VLANs to enable devices on these VLANs to
communicate.
Use the ipx route command to configure a static route for the switch. Enter the IPX network number of
the route’s final destination, then enter the IPX network and node numbers used to reach the first hop of
the route. You can also enter the optional parameters of hop count (number of hops to the destination
network) and delay. The delay is the time, in ticks, to reach the route’s destination. One tick is equivalent
to 1/18 of a second (approximately 55 ms).
For example, to create a static route to network 222 with a first hop network of 0000590C node
00:20:da:99:88:77, you would enter:
-> ipx route 222 590C 00:20:da:99:88:77
Static routes do not age out of the routing tables; however, they can be deleted. Use the no ipx route
command to delete a static route. To delete a static route, you only need to enter the network number of
the destination node. For example, to delete a static route to network 222 you would enter:
-> no ipx route 222
Use the show ipx route command to display IPX routes.
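The following added example, which is not OmniSwitch code, puts together three rules stated in this chapter: the zero-padding of IPX network numbers to eight hex digits from “Creating an IPX Router Port”, the 1/18-second tick from the Delay option, and the preference for a static route over a RIP route with the same metric described in this section. The route ordering (ticks first, then hops, then static before RIP) is the IPX RIP metric order; the table class, the node-number check and the sample routes are constructed for the example.

```python
"""IPX network-number normalization, tick delay conversion and static/RIP
route selection.

Added example; not OmniSwitch code. Ticks are compared first, then hops
(the IPX RIP metric order); a static route wins an exact tie. The table
class and sample routes are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_NODE_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def normalize_network(number: str) -> str:
    """Left-pad an IPX network number to eight hex digits ('590C' -> '0000590C')."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", number):
        raise ValueError(f"bad IPX network number: {number!r}")
    net = number.upper().zfill(8)
    if net in ("00000000", "FFFFFFFF"):       # local-segment and broadcast values
        raise ValueError(f"reserved IPX network number: {net}")
    return net


def normalize_node(node: str) -> str:
    """The node number is the 48-bit MAC address of the next hop."""
    if not _NODE_RE.fullmatch(node):
        raise ValueError(f"bad IPX node number: {node!r}")
    return node.lower()


def ticks_to_ms(ticks: int) -> float:
    """One IPX tick is 1/18 of a second (about 55 ms); valid range 0..65535."""
    if not 0 <= ticks <= 65535:
        raise ValueError("tick delay must be 0..65535")
    return ticks * 1000 / 18


@dataclass(frozen=True)
class IpxRoute:
    dest: str            # destination network, eight hex digits
    next_hop_net: str
    next_hop_node: str
    hops: int
    ticks: int
    static: bool         # True for 'ipx route ...', False for RIP-learned


class IpxRoutingTable:
    def __init__(self) -> None:
        self._routes: List[IpxRoute] = []

    def add(self, dest: str, next_hop_net: str, next_hop_node: str,
            hops: int = 1, ticks: int = 1, static: bool = False) -> IpxRoute:
        route = IpxRoute(normalize_network(dest), normalize_network(next_hop_net),
                         normalize_node(next_hop_node), hops, ticks, static)
        self._routes.append(route)
        return route

    def best(self, dest: str) -> Optional[IpxRoute]:
        """Lowest ticks, then fewest hops; on an exact tie the static route wins."""
        dest = normalize_network(dest)
        cands = [r for r in self._routes if r.dest == dest]
        if not cands:
            return None
        return min(cands, key=lambda r: (r.ticks, r.hops, 0 if r.static else 1))

    def delete_static(self, dest: str) -> int:
        """'no ipx route <dest>' needs only the destination; returns routes removed."""
        dest = normalize_network(dest)
        before = len(self._routes)
        self._routes = [r for r in self._routes if not (r.static and r.dest == dest)]
        return before - len(self._routes)


if __name__ == "__main__":
    table = IpxRoutingTable()
    table.add("222", "590C", "00:20:da:99:88:77", ticks=2, static=True)   # ipx route 222 590C ...
    table.add("222", "333", "68:27:43:29:00:00", ticks=2)                 # RIP-learned, same metric
    print(table.best("222"))
```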
Configuring Type-20 Packet Forwarding
Type 20 is an IPX packet type that refers to any propagated packet. Novell has defined the use of these
packets to support certain protocol implementations, such as NetBIOS. Because these packets are broadcast and propagated across networks, the addresses of those networks (up to eight) are stored in the
packet’s data area. If Type 20 packet forwarding is enabled, the switch receives and propagates Type 20
packets through all its interfaces. If Type 20 packet forwarding is disabled, the switch discards, rather than
propagates, any Type 20 packet it receives. Type 20 packet forwarding is disabled by default. This is
because these packets can cause problems in highly redundant IPX networks by creating what appears to
be a broadcast storm. This problem is aggravated whenever misconfigured PCs are added to a network.
Use the ipx type-20-propagation command to enable or disable Type 20 packet forwarding on the switch.
For example:
-> ipx type-20-propagation enable
You can also enable or disable Type 20 packet forwarding on a specific VLAN by using the optional
VLAN parameter. For example, to enable Type 20 packet forwarding only on VLAN 1 you would enter:
-> ipx type-20-propagation 1 enable
Use the show ipx type-20-propagation command to display Type 20 packet forwarding status for the
switch.
Configuring Extended RIP and SAP Packets
Larger RIP and SAP packets can be transmitted to reduce network congestion. Other switches and routers
in the network must support larger packet sizes if this feature is configured on the switch. RIP packets can
contain up to 68 network entries. SAP packets can contain up to eight network entries. Extended RIP and
SAP packets are disabled by default.
Use the ipx packet-extension command to enable or disable extended RIP/SAP packets on the switch. For
example:
-> ipx packet-extension enable
You can also enable or disable extended RIP/SAP packets on a specific VLAN by using the optional
VLAN parameter. For example, to enable extended RIP/SAP packets only on VLAN 1 you would enter:
-> ipx packet-extension 1 enable
Use the show ipx packet-extension command to display extended RIP/SAP packet status for the switch.
Configuring RIP and SAP Timers
By default, RIP and SAP packets are broadcast every 60 seconds, even if no change has occurred
anywhere in a route or service. This default may be modified to alleviate network congestion or facilitate
the discovery of network resources.
Use the ipx timers command to set the RIP/SAP broadcast time for the switch. You must set both the RIP
and SAP timer values. For example, to set a RIP timer value of 120 and a SAP timer value of 180 you
would enter:
-> ipx timers 120 180
Use the no ipx timers command to return the timer values to the default of 60.
You can set the RIP/SAP timers on a specific VLAN by using the optional VLAN parameter. For example, to set a RIP timer value of 120 and a SAP timer value of 180 on VLAN 1 you would enter:
-> ipx timers 1 120 180
Use the show ipx timers command to display the current RIP/SAP timer values.
Using the PING Command
The ping command is used to test the reachability of certain types of IPX nodes. The software supports
two different types of IPX pings:
• Novell—Used to test the reachability of NetWare servers currently running the NetWare Loadable
Module called IPXRTR.NLM. This type cannot be used to reach NetWare workstations running
IPXODI. Novell uses a unique type of ping for this purpose (implemented by their IPXPNG.EXE
program). This type of ping is not currently supported by the switch software. Other vendors’ switches
may respond to this type of ping.
• Alcatel—Used to test the reachability of Alcatel switches on which IPX routing is enabled.
Network devices that do not recognize the specific type of IPX ping request sent from the switch will not
respond at all. This lack of a response does not necessarily mean that a specific network device is inactive
or missing. Therefore, you might want to try using both types before concluding that the network device is
“unreachable.”
Use the ping ipx command to ping an IPX node. Enter the command, followed by the network and
network node number of the device you want to ping. The packet will use the default parameters for count
(5), size (64), time-out (1), and type (novell). For example, to ping an IPX device (node
00:20:da:05:16:94) on IPX network 304 you would enter:
-> ping ipx 304 00:20:da:05:16:94
When you ping a device, the device IPX address and node are required. Optionally, you may also specify:
• Count. Use the count keyword to set the number of packets to be transmitted.
• Size. Use the size keyword to set the size, in bytes, of the data portion of the packet sent for this ping.
The valid range is 1 to 8192.
• Timeout. Use the timeout keyword to set the number of seconds the program will wait for a response
before timing out.
• Type. Use the type keyword to specify the packet type you want to send (novell or alcatel). Use the
novell packet type to test the reachability of NetWare servers running the NetWare Loadable Module
(IPXRTR.NLM). This type cannot be used to reach NetWare workstations running IPXODI. You can
use the alcatel packet type to test the reachability of the Alcatel switches on which IPX routing is
enabled. However, Alcatel switches will respond to either type.
For example, to send a ping with a count of 2, a size of 32 bytes, a time-out of 10 seconds, that is an alcatel type packet you would enter:
-> ping ipx 304 00:20:da:05:16:94 count 2 size 32 timeout 10 type alcatel
Note. If you change the default values they will only apply to the current ping. The next time you use the
ping command, the default values will be used unless you enter different values again.
IPX RIP/SAP Filtering
The IPX RIP/SAP Filtering feature gives you a means of controlling the operation of the IPX RIP/SAP
protocols. By using IPX RIP/SAP filters, you can minimize the number of entries put in the IPX RIP
Routing and SAP Bindery Tables, improve overall network performance by eliminating unnecessary traffic, and control users’ access to NetWare services. For example:
• RIP Input and Output filters can be used to isolate entire network segments (and/or switches) to make
the network appear differently to the different segments.
• RIP Input and Output filters can be used to reduce the amount of traffic needed to advertise routes that
should not be used by a particular network segment.
• SAP Input and Output filters can be used to improve performance by limiting the amount of SAP traffic. For example, because printing is generally a local operation, there’s no need to advertise print servers to remote networks. A SAP filter can be used in this case to restrict “Print Server Advertisement” SAPs.
Five types of IPX RIP/SAP filters are available:
• RIP Input Filters. Control which networks are allowed into the routing table when IPX RIP updates
are received.
• RIP Output Filters. Control the list of networks included in routing updates sent by the switch. These
filters control which networks the switch advertises in its IPX RIP updates.
• SAP Input Filters. Control the SAP updates received by the switch prior to a switch accepting information about a service. The switch will filter all incoming service advertisements received before accepting information about a service.
• SAP Output Filters. Control which services are included in SAP updates sent by the switch. The
switch applies the SAP output filters prior to sending SAP packets.
• GNS Output Filters. Control which servers are included in the GNS responses sent by the switch.
All types of IPX Filters can be configured either to allow or to block traffic. The default setting for all
filters is to allow traffic. Therefore, you will typically have to define only a filter to block traffic.
However, defining a filter to allow certain traffic may be useful in situations where a more generic filter
has been defined to block the majority of the traffic. For example, you could use a filter to allow traffic
from a specific host on a network where all other traffic has been blocked. A discussion of the precedence
of “allow” filters appears later in this section. Keep in mind that precedence applies only to “allow” filters,
not to “block” filters.
Note. You can apply filters to all router interfaces by defining a “global” filter, or you can limit the filter
to specific interfaces.
Configuring RIP Filters
IPX RIP filters allow you to minimize the number of entries put in the IPX RIP routing table. RIP input
filters control which networks are allowed into the routing table when IPX RIP updates are received. RIP
output filters control which networks the switch advertises in its IPX RIP updates.
Use the ipx filter rip command to configure a RIP input or output filter. To configure a global filter that
will be applied to all traffic, enter the command, specify whether it is an input (in) or output (out) filter,
then specify whether you want the filter to allow or block traffic. For example, to create a filter that will
block all the incoming RIP packets you would enter:
-> ipx filter rip in block
You can narrow the filter by specifying a VLAN. For example, to create a filter that will block all the
incoming RIP packets from VLAN 1 you would enter:
-> ipx filter 1 rip in block
You can also narrow the filter by specifying a network. You must enter the network number and the
network mask. For example, to create a filter that will block the incoming RIP packets from network 40
and its subnets you would enter:
-> ipx filter rip in block 40 mask ffffffff
Use the no ipx filter rip command to delete a RIP filter. For example, to delete a global RIP filter that was
configured to block incoming RIP packets you would enter:
-> no ipx filter rip in block
Use the optional syntax to delete a filter for a specific VLAN or network. If you are deleting the filter for a
specific network you can also enter the network mask. To delete a filter from all VLANs/networks, use
only the basic command syntax (e.g., no ipx filter rip in allow).
Use the show ipx filter command to display all IPX filters.
Note. RIP filters work only on switches running the RIP protocol. They do not work on switches running
the NLSP protocol. Use RIP filters with care because they can partition a physical network into two or
more segments.
Configuring SAP Filters
IPX SAP filters allow you to minimize the number of entries put in the SAP Bindery Table. SAP input
filters control the SAP updates received by the switch prior to a switch accepting information about a
service. The switch will filter all incoming service advertisements received before accepting information
about a service. SAP output filters control which services are included in the SAP updates sent by the
switch.
Use the ipx filter sap command to configure a SAP input or output filter. To configure a global filter that
will be applied to all traffic, enter the command, specify the SAP packet type to be filtered (all – all SAP
packets, or a specific 4-digit hex SAP type), specify whether it is an input (in) or output (out) filter, then
specify whether you want the filter to allow or block traffic. For example, to block all SAP updates sent by
the switch you would enter:
-> ipx filter sap all out block
You can narrow the filter by specifying a VLAN and a SAP type. For example, to create a filter that will
block 0004 (NetWare File Server) SAP updates from being sent to VLAN 1 you would enter:
-> ipx filter 1 sap 0004 out block
You can also narrow the filter by specifying a network. You must enter the network number and the
network mask. For example, to create a filter that will block 0004 SAP updates from being sent to network
222 and its subnets you would enter:
-> ipx filter sap 0004 out block 222 mask ffffffff
Use the no ipx filter sap command to delete a SAP filter. For example, to delete a global SAP filter that
was configured to block incoming SAP packets you would enter:
-> no ipx filter sap in block
Use the optional syntax to delete a filter for a specific VLAN or network. If you are deleting the filter for a
specific network, you can also enter the network mask. To delete a filter from all VLANs/networks, use
only the basic command syntax (e.g., no ipx filter sap in allow).
Use the show ipx filter command to display all IPX filters.
Configuring GNS Filters
GNS output filters control which servers are included in the GNS responses sent by the switch. GNS
supports output filters only.
Use the ipx filter gns command to configure a GNS filter. To configure a global filter that will be applied
to all traffic, enter the command, specify the GNS packet type to be filtered (all – all GNS packets or a
specific 4-digit hex GNS type), specify whether it is an input (in) or output (out) filter, then specify
whether you want the filter to allow or block traffic. For example, to block all GNS updates you would
enter:
-> ipx filter gns all out block
You can narrow the filter by specifying a VLAN. For example to block all GNS updates sent to VLAN 1
you would enter:
-> ipx filter 1 gns all out block
You can also narrow the filter by specifying a network. You must enter the network number and the
network mask. For example, to create a filter that will block updates sent to network 222 and its subnets
you would enter:
-> ipx filter gns all out block 222 mask ffffffff
Use the no ipx filter gns command to delete a GNS filter. For example, to delete a global GNS filter that
was configured to block all GNS updates you would enter:
-> no ipx filter gns all out block
Use the show ipx filter command to display all IPX filters.
IPX RIP/SAP Filter Precedence
Whenever you use multiple “allow” filters you must first define a filter to block all RIPs or SAPs. Then,
all of the subsequent “allow” filters of the same type must be at least as specific in all areas for the filters
to work. Note that filtering precedence is related only to “allow” filters. Multiple “block” filters can be
defined with varying specificity in each of the areas of the filter.
For example, consider a switch that knows of multiple Type 0004 SAPs on various networks, including a
network with an address of “40.” The switch also knows of various types of SAPs on Network 40. For this
example, you want to block all SAP updates coming from Network 40, but you want to allow all Type
0004 SAPs, including the ones that come from Network 40. To meet these objectives, you would configure the following filters:
Filter 1
ipx filter sap all in block 40 mask ffffffff
This filter will block all SAP Type updates on all nodes of network 40.
Filter 2
ipx filter sap 0004 in allow 40 mask ffffffff
This filter will allow only SAP Type 0004 updates on all nodes of network 40. It is more specific than the
block filter so only SAP Type 0004 updates will be allowed.
The filters shown below will not work for our example because in Filter 2 the type of service is less
specific than the type defined in Filter 1. All Type 0004 SAPs will be blocked by the filter.
Filter 1
ipx filter sap 0004 in block 40 mask ffffffff
This filter will block only SAP Type 0004 updates on all nodes of network 40.
Filter 2
ipx filter sap all in allow 40 mask ffffffff
This filter will allow all SAP Types on all nodes of network 40. It is less specific than the block filter so all
SAP updates will be allowed.
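The precedence rule above, modelled as an added example (not Alcatel's code): a small Python evaluator that parses the ipx filter sap lines shown on this page, applies the "an allow filter overrides a block filter only when it is at least as specific in every area" rule, and checks both filter pairs. The SapUpdate inputs, VLAN 1, network 50 and the second SAP type 0007 are constructed test values, and the network numbers are read as hex as on the CLI.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SapFilter:
    """One 'ipx filter [vlan] sap <type> <in|out> <allow|block> [network mask <mask>]' entry.
    Wildcard areas: sap_type 'all', vlan None, network None."""
    sap_type: str                   # 'all' or a 4-digit hex SAP type such as '0004'
    direction: str                  # 'in' or 'out'
    action: str                     # 'allow' or 'block'
    vlan: Optional[int] = None
    network: Optional[int] = None   # IPX network number (hex on the CLI)
    mask: int = 0xFFFFFFFF


@dataclass(frozen=True)
class SapUpdate:
    """A SAP advertisement as seen by the filter engine (constructed test input)."""
    sap_type: str
    direction: str
    vlan: int
    network: int


def parse_sap_filter(line: str) -> SapFilter:
    """Parse the CLI form used on this page, e.g. 'ipx filter sap 0004 in allow 40 mask ffffffff'."""
    tok = line.split()
    if tok[:2] != ["ipx", "filter"]:
        raise ValueError("not an ipx filter command: " + line)
    i, vlan = 2, None
    if tok[i] != "sap":             # an optional VLAN number precedes the 'sap' keyword
        vlan, i = int(tok[i]), i + 1
    if tok[i] != "sap":
        raise ValueError("only SAP filters are modelled here")
    sap_type, direction, action = tok[i + 1].lower(), tok[i + 2], tok[i + 3]
    i += 4
    network, mask = None, 0xFFFFFFFF
    if i < len(tok):                # optional network number, optionally followed by its mask
        network = int(tok[i], 16)
        if i + 2 < len(tok) and tok[i + 1] == "mask":
            mask = int(tok[i + 2], 16)
    return SapFilter(sap_type, direction, action, vlan, network, mask)


def matches(f: SapFilter, u: SapUpdate) -> bool:
    """Does filter f apply to update u? A wildcard area matches anything."""
    return (f.direction == u.direction
            and (f.sap_type == "all" or f.sap_type == u.sap_type)
            and (f.vlan is None or f.vlan == u.vlan)
            and (f.network is None or (u.network & f.mask) == (f.network & f.mask)))


def at_least_as_specific(allow: SapFilter, block: SapFilter) -> bool:
    """The precedence rule: an allow filter overrides a block filter only if it is at least
    as specific in every area (SAP type, VLAN, network/mask)."""
    type_ok = block.sap_type == "all" or allow.sap_type == block.sap_type
    vlan_ok = block.vlan is None or allow.vlan == block.vlan
    net_ok = (block.network is None
              or (allow.network is not None
                  and (allow.mask & block.mask) == block.mask       # allow's mask covers block's
                  and (allow.network & block.mask) == (block.network & block.mask)))
    return type_ok and vlan_ok and net_ok


def is_allowed(filters: List[SapFilter], u: SapUpdate) -> bool:
    """Default is allow. A matching block filter wins unless some matching allow filter is
    at least as specific as every block filter that matched."""
    blocks = [f for f in filters if f.action == "block" and matches(f, u)]
    if not blocks:
        return True
    allows = [f for f in filters if f.action == "allow" and matches(f, u)]
    return any(all(at_least_as_specific(a, b) for b in blocks) for a in allows)


# The two filter pairs from the page: the one that works and the one that does not.
WORKING = [parse_sap_filter("ipx filter sap all in block 40 mask ffffffff"),
           parse_sap_filter("ipx filter sap 0004 in allow 40 mask ffffffff")]
NOT_WORKING = [parse_sap_filter("ipx filter sap 0004 in block 40 mask ffffffff"),
               parse_sap_filter("ipx filter sap all in allow 40 mask ffffffff")]

# Constructed updates: a Type 0004 SAP and some other SAP type from network 40, and a
# Type 0004 SAP from another network. VLAN 1 and network 50 are arbitrary constructed values.
TYPE4_NET40 = SapUpdate("0004", "in", 1, 0x40)
OTHER_NET40 = SapUpdate("0007", "in", 1, 0x40)
TYPE4_NET50 = SapUpdate("0004", "in", 1, 0x50)

if __name__ == "__main__":
    for label, fset in (("working", WORKING), ("not working", NOT_WORKING)):
        for u in (TYPE4_NET40, OTHER_NET40, TYPE4_NET50):
            print(label, u.sap_type, hex(u.network), "allowed" if is_allowed(fset, u) else "blocked")
```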
Flushing the IPX RIP/SAP Tables
When you flush the RIP/SAP table(s), only routes learned by RIP and SAP are deleted; static routes are
not removed. The RIP Table and SAP Bindery Tables can contain a maximum of 2,000 entries each.
Use the clear ipx route command to flush the IPX RIP and/or SAP Bindery Tables. Enter the command,
followed by the table that you want to clear (rip, sap, or all). For example to clear all dynamic entries from
both the RIP and SAP tables you would enter:
-> clear ipx route all
Use the show ipx route command to display the IPX RIP Routing Table.
Verifying the IPX Configuration
A summary of the show commands used for verifying the IPX configuration is given here:
show ipx interface             Displays current IPX interface configuration information.
show ipx route                 Displays IPX routing table information.
show ipx filter                Displays currently configured IPX RIP, SAP, and GNS filters.
show ipx type-20-propagation   Displays the current status of Type 20 packet forwarding.
show ipx packet-extension      Displays the current status of the extended RIP/SAP packet feature.
show ipx timers                Displays the current RIP and SAP timer values.
For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
21 Managing Authentication Servers
This chapter describes authentication servers and how they are used with the switch. The types of servers
described include Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access
Protocol (LDAP), and SecurID’s ACE/Server.
In This Chapter
The chapter includes some information about attributes that must be configured on the servers, but it
primarily addresses configuring the switch through the Command Line Interface (CLI) to communicate
with the servers to retrieve authentication information about users.
Configuration procedures described include:
• Configuring an ACE/Server. This procedure is described in “ACE/Server” on page 21-8.
• Configuring a RADIUS Server. This procedure is described in “RADIUS Servers” on page 21-9.
• Configuring an LDAP Server. This procedure is described in “LDAP Servers” on page 21-15.
For information about using servers for authenticating users to manage the switch, see the “Switch Security” chapter in the OmniSwitch 6800/6850/9000 Switch Management Guide.
For information about using servers to retrieve authentication information for Layer 2 Authentication users
(authenticated VLANs), see Chapter 22, “Configuring Authenticated VLANs.”
Authentication Server Specifications
RADIUS RFCs Supported
RFC 2865–Remote Authentication Dial In User Service (RADIUS)
RFC 2866–RADIUS Accounting
RFC 2867–RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868–RADIUS Attributes for Tunnel Protocol Support
RFC 2809–Implementation of L2TP Compulsory Tunneling via RADIUS
RFC 2869–RADIUS Extensions
RFC 2548–Microsoft Vendor-specific RADIUS Attributes
RFC 2882–Network Access Servers Requirements: Extended RADIUS Practices
LDAP RFCs Supported
RFC 1789–Connectionless Lightweight X.500 Directory Access Protocol
RFC 2247–Using Domains in LDAP/X.500 Distinguished Names
RFC 2251–Lightweight Directory Access Protocol (v3)
RFC 2252–Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
RFC 2253–Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
RFC 2254–The String Representation of LDAP Search Filters
RFC 2256–A Summary of the X.500(96) User Schema for Use with LDAPv3
Other RFCs
RFC 2574–User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 2924–Accounting Attributes and Record Formats
RFC 2975–Introduction to Accounting Management
RFC 2989–Criteria for Evaluating AAA Protocols for Network Access
Maximum number of authentication servers in single authority mode: 4 (not including any backup servers)
Maximum number of authentication servers in multiple authority mode: 4 per VLAN (not including any backup servers)
Maximum number of servers per Authenticated Switch Access type: 4 (not including any backup servers)
CLI Command Prefix Recognition: The aaa radius-server and aaa ldap-server commands support prefix recognition. See the “Using the CLI” chapter in the OmniSwitch 6800/6850/9000 Switch Management Guide for more information.
Server Defaults
The defaults for authentication server configuration on the switch are listed in the tables in the next
sections.
RADIUS Authentication Servers
Defaults for the aaa radius-server command are as follows:
Description                                                               | Keyword    | Default
Number of retries on the server before the switch tries a backup server   | retransmit | 3
Timeout for server replies to authentication requests                     | timeout    | 2
UDP destination port for authentication                                   | auth-port  | 1645*
UDP destination port for accounting                                       | acct-port  | 1646*
* The port defaults are based on the older RADIUS standards; some servers are set up with port numbers
based on the newer standards (ports 1812 and 1813 respectively).
LDAP Authentication Servers
Defaults for the aaa ldap-server command are as follows:
Description                                                               | Keyword      | Default
The port number for the server                                            | port         | 389 (SSL disabled), 636 (SSL enabled)
Number of retries on the server before the switch tries a backup server   | retransmit   | 3
Timeout for server replies to authentication requests                     | timeout      | 2
Whether a Secure Socket Layer is configured for the server                | ssl | no ssl | no ssl
Quick Steps For Configuring Authentication Servers
1 For RADIUS or LDAP servers, configure user attribute information on the servers. See “RADIUS
Servers” on page 21-9 and “LDAP Servers” on page 21-15.
2 Use the aaa radius-server and/or the aaa ldap-server command to configure the authentication
server(s). For example:
-> aaa radius-server rad1 host 10.10.2.1 10.10.3.5 key amadeus
-> aaa ldap-server ldap2 host 10.10.3.4 dn cn=manager password tpub base c=us
Note. (Optional) Verify the server configuration by entering the show aaa server command. For example:
-> show aaa server
Server name = rad1
   Server type         = RADIUS,
   IP Address 1        = 10.10.2.1,
   IP Address 2        = 10.10.3.5
   Retry number        = 3,
   Timeout (in sec)    = 2,
   Authentication port = 1645,
   Accounting port     = 1646
Server name = ldap2
   Server type         = LDAP,
   IP Address 1        = 10.10.3.4,
   Port                = 389,
   Domain name         = cn=manager,
   Search base         = c=us,
   Retry number        = 3,
   Timeout (in sec)    = 2,
See the CLI Reference Guide for information about the fields in this display.
3 If you are using ACE/Server, there is no required switch configuration; however, you must FTP the
sdconf.rec file from the server to the switch’s /network directory.
4 Configure authentication on the switch. This step is described in other chapters. For a quick overview
of using the configured authentication servers with Authenticated VLANs, see “AVLAN Configuration
Overview” on page 22-4. For a quick overview of using the configured authentication servers with
Authenticated Switch Access, see the OmniSwitch 6800/6850/9000 Switch Management Guide.
Server Overview
Authentication servers are sometimes referred to as AAA servers (authentication, authorization, and
accounting). These servers are used for storing information about users who want to manage the switch
(Authenticated Switch Access) and users who need access to a particular VLAN or VLANs (Authenticated VLANs).
RADIUS or LDAP servers may be used for Authenticated Switch Access and/or Authenticated VLANs.
Another type of server, SecurID’s ACE/Server, may be used for authenticated switch access only; the
ACE/Server is an authentication-only server (no authorization or accounting). Only RADIUS servers are
supported for 802.1X Port-Based Network Access Control.
The following table describes how each type of server may be used with the switch:
Server Type  | Authenticated Switch Access | Authenticated VLANs | 802.1X Port-Based Network Access Control
ACE/Server   | yes (except SNMP)           | no                  | no
RADIUS       | yes (except SNMP)           | yes                 | yes
LDAP         | yes (including SNMP)        | yes                 | no
Backup Authentication Servers
Each RADIUS and LDAP server may have one backup host (of the same type) configured through the aaa
radius-server and aaa ldap-server commands respectively. In addition, each authentication method
(Authenticated Switch Access, Authenticated VLANs, or 802.1X) may specify a list of backup authentication servers that includes servers of different types (if supported on the feature).
The switch uses the first available authentication server to attempt to authenticate users. If user information is not found on the first available server, the authentication attempt fails.
Authenticated Switch Access
When RADIUS and/or LDAP servers are set up for Authenticated Switch Access, the switch polls the
server for user login information. The switch also polls the server for privilege information (authorization) if it has been configured on the server; otherwise, the local user database is polled for the privileges.
For RADIUS and LDAP, additional servers may be configured as backups.
A RADIUS server supporting the challenge and response mechanism as defined in RADIUS RFC 2865
may access an ACE/Server for authentication purposes. The ACE/Server is then used for user authentication, and the RADIUS server is used for user authorization.
[Figure: Servers Used for Authenticated Switch Access. Left: an End Station sends a login request to the OmniSwitch; the switch polls the LDAP or RADIUS Server and receives login and privilege information about the user. Right: an End Station sends a login request to the OmniSwitch; the switch polls the ACE/Server for login information and checks the switch itself for the user’s privilege information.]
Authenticated VLANs
For authenticated VLANs, authentication servers contain a database of user names and passwords, challenges/responses, and other authentication criteria such as time-of-day access. The Authenticated VLAN
attribute is required on servers set up in multiple authority mode.
Servers may be configured using one of two different modes, single authority mode or multiple authority
mode. The mode specifies how the servers are set up for authentication: single authority mode uses a
single list (an authentication server and any backups) to poll with authentication requests. Multiple authority mode uses multiple lists, one list for each authenticated VLAN. For more information about authority
modes and Authenticated VLANs, see Chapter 22, “Configuring Authenticated VLANs.”
[Figure: Servers Used for Authenticated VLANs. Ethernet clients on Authenticated VLAN 1 and Authenticated VLAN 2 connect through the OmniSwitch; the switch polls the RADIUS or LDAP servers for login information to authenticate users through the switch.]
Port-Based Network Access Control (802.1X)
For devices authenticating on an 802.1X port on the switch, only RADIUS authentication servers are
supported. The RADIUS server contains a database of user names and passwords, and may also contain
challenges/responses and other authentication criteria.
[Figure: Basic 802.1X Components. The Supplicant (PC) sends a login request to the Authenticator PAE (OmniSwitch), which sends an authentication request to the Authentication Server (RADIUS server); on success, authorization is granted to the supplicant.]
For more information about configuring 802.1X ports on the switch, see Chapter 23, “Configuring
802.1X.”
ACE/Server
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2
authentication or for policy management. Attributes are not supported on ACE/Servers. These values must
be configured on the switch through the user commands. See the “Switch Security” chapter of the
OmniSwitch 6800/6850/9000 Switch Management Guide for more information about setting up the local
user database.
Since an ACE/Server does not store or send user privilege information to the switch, user privileges for
SecurID logins are determined by the switch. When a user attempts to log into the switch, the user ID and
password are sent to the ACE/Server. The server determines whether the login is valid. If the login is valid,
the user privileges must be determined. The switch checks its user database for the user’s privileges. If the
user is not in the database, the switch uses the default privilege, which is determined by the default user
account. For information about the default user account, see the “Switch Security” chapter of the
OmniSwitch 6800/6850/9000 Switch Management Guide.
There are no server-specific parameters that must be configured for the switch to communicate with an
attached ACE/Server; however, you must FTP the sdconf.rec file from the server to the switch’s
/network directory. This file is required so that the switch will know the IP address of the ACE/Server.
For information about loading files onto the switch, see the OmniSwitch 6800/6850/9000 Switch Management Guide.
The ACE client in the switch is version 4.1; it does not support the replicating and locking feature of ACE
5.0, but it may be used with an ACE 5.0 server if a legacy configuration file is loaded on the server. The
legacy configuration must specify authentication to two specific servers (master and slave). See the RSA
Security ACE/Server documentation for more information.
To display information about any servers configured for authentication, use the show aaa server
command. For more information about the output for this command, see the OmniSwitch CLI Reference
Guide.
Also, you may need to clear the ACE/Server secret occasionally because of misconfiguration or required
changes in configuration. Clearing the secret is described in the next section.
Clearing an ACE/Server Secret
The ACE/Server generates “secrets” that it sends to clients for authentication. While you cannot configure
the secret on the switch, you can clear it. The secret may need to be cleared because the server and the
switch get out of synch. See the RSA Security ACE/Server documentation for more information about the
server secret.
To clear the secret on the switch, enter the following command:
-> aaa ace-server clear
When you clear the secret on the switch, the secret must also be cleared on the ACE/Server as described
by the RSA Security ACE/Server documentation.
RADIUS Servers
RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A
built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific
Attributes (VSAs) is required. The Alcatel attributes may include VLAN information, time-of-day, or
slot/port restrictions.
RADIUS Server Attributes
RADIUS servers and RADIUS accounting servers are configured with particular attributes defined in RFC
2138 and RFC 2139, respectively. These attributes carry specific authentication, authorization, and configuration details about RADIUS requests to and replies from the server. This section describes the attributes
and how to configure them on the server.
Standard Attributes
The following tables list RADIUS server attributes 1–39 and 60–63, their descriptions, and whether the
Alcatel RADIUS client in the switch supports them. Attribute 26 is for vendor-specific information and is
discussed in “Vendor-Specific Attributes for RADIUS” on page 21-11. Attributes 40–59 are used for
RADIUS accounting servers and are listed in “RADIUS Accounting Server Attributes” on page 21-13.
Num.  Standard Attribute   Notes
1     User-Name            Used in access-request and account-request packets.
2     User-Password        —
3     CHAP-Password        Not supported.
4     NAS-IP-Address       Sent with every access-request. Specifies which switches a user may have access to. More than one of these attributes is allowed per user.
5     NAS-Port             Virtual port number sent with access-request and account-request packets. Slot/port information is supplied in attribute 26 (vendor-specific).
6     Service-Type
7     Framed-Protocol
8     Framed-IP-Address
9     Framed-IP-Netmask
10    Framed-Routing
11    Filter-Id
12    Framed-MTU
13    Framed-Compression
14    Login-IP-Host
15    Login-Service
16    Login-TCP-Port
      (6–16) Not supported. These attributes are used for dial-up sessions; not applicable to the RADIUS client in the switch.
17    Unassigned           —
18    Reply-Message        Multiple reply messages are supported, but the length of all the reply messages returned in one access-accept or access-reject packet cannot exceed 256 characters.
Num.  Standard Attribute   Notes
19    Callback-Number
20    Callback-Id
21    Unassigned
22    Framed-Route
23    Framed-IPX-Network
      (19–23) Not supported. These attributes are used for dial-up sessions; not applicable to the RADIUS client in the switch.
24    State                Sent in challenge/response packets.
25    Class                Used to pass information from the server to the client and passed unchanged to the accounting server as part of the accounting-request packet.
26    Vendor-Specific      See “Vendor-Specific Attributes for RADIUS” on page 21-11.
27    Session-Timeout      Not supported.
28    Idle-Timeout         Not supported.
29    Termination-Action
30    Called-Station-Id
31    Calling-Station-Id
32    NAS-Identifier
33    Proxy-State
34    Login-LAT-Service
35    Login-LAT-Node
36    Login-LAT-Group
37    Framed-AppleTalk-Link
38    Framed-AppleTalk-Network
39    Framed-AppleTalk-Zone
60    CHAP-Challenge
61    NAS-Port-Type
62    Port-Limit
63    Login-LAT-Port
      (29–39, 60–63) Not supported. These attributes are used for dial-up sessions; not applicable to the RADIUS client in the switch.
Vendor-Specific Attributes for RADIUS
The Alcatel RADIUS client supports attribute 26, which includes a vendor ID and some additional subattributes called subtypes. The vendor ID and the subtypes collectively are called Vendor Specific
Attributes (VSAs). Alcatel, through partnering arrangements, has included these VSAs in some vendors’
RADIUS server configurations.
The attribute subtypes are defined in the server’s dictionary file. If you are using single authority mode,
the first VSA subtype, Alcatel-Auth-Vlan, must be defined on the server for each authenticated VLAN.
Alcatel’s vendor ID is 800 (SMI Network Management Private Enterprise Code).
The following are VSAs for RADIUS servers:
Num.  RADIUS VSA                    Type     Description
1     Alcatel-Auth-Group            integer  The authenticated VLAN number. The only protocol
                                             associated with this attribute is Ethernet II. If other
                                             protocols are required, use the protocol attribute
                                             instead.
2     Alcatel-Slot-Port             string   Slot(s)/port(s) valid for the user.
3     Alcatel-Time-of-Day           string   The time of day valid for the user to authenticate.
4     Alcatel-Client-IP-Addr        address  The IP address used for Telnet only.
5     Alcatel-Group-Desc            string   Description of the authenticated VLAN.
6     Alcatel-Port-Desc             string   Description of the port.
8     Alcatel-Auth-Group-Protocol   string   The protocol associated with the VLAN. Must be
                                             configured for access to other protocols. Values
                                             include: IP_E2, IP_SNAP, IPX_E2, IPX_NOV, IPX_LLC,
                                             IPX_SNAP.
9     Alcatel-Asa-Access            string   Specifies that the user has access to the switch. The
                                             only valid value is all.
39    Alcatel-Acce-Priv-F-R1        hex.     Configures functional read privileges for the user.
40    Alcatel-Acce-Priv-F-R2        hex.     Configures functional read privileges for the user.
41    Alcatel-Acce-Priv-F-W1        hex.     Configures functional write privileges for the user.
42    Alcatel-Acce-Priv-F-W2        hex.     Configures functional write privileges for the user.
The Alcatel-Auth-Group attribute is used for Ethernet II only. If a different protocol, or more than one
protocol is required, use the Alcatel-Auth-Group-Protocol attribute instead. For example:
Alcatel-Auth-Group-Protocol 23: IP_E2 IP_SNAP
Alcatel-Auth-Group-Protocol 24: IPX_E2
In this example, authenticated users on VLAN 23 may use Ethernet II or SNAP encapsulation. Authenticated users on VLAN 24 may use IPX with Ethernet II.
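The following is an added example, not code from the guide or from Alcatel: it packs and unpacks one Alcatel sub-attribute inside RADIUS attribute 26 using the standard vendor-specific layout and vendor ID 800, checks every length field before trusting a received attribute, and validates an Alcatel-Auth-Group-Protocol string such as the one above against the protocol keywords listed in the table. The 32-bit wire width used for the hex privilege attributes is an assumption; the guide only gives their type as hex.

```python
import ipaddress
import struct

# Vendor ID and sub-attribute numbers as stated in the guide. The framing
# (type 26, length, vendor-id, vendor-type, vendor-length, value) is the
# standard RADIUS Vendor-Specific layout.
ALCATEL_VENDOR_ID = 800
VENDOR_SPECIFIC = 26

ALCATEL_VSA_TYPES = {
    1: ("Alcatel-Auth-Group", "integer"),
    2: ("Alcatel-Slot-Port", "string"),
    3: ("Alcatel-Time-of-Day", "string"),
    4: ("Alcatel-Client-IP-Addr", "address"),
    5: ("Alcatel-Group-Desc", "string"),
    6: ("Alcatel-Port-Desc", "string"),
    8: ("Alcatel-Auth-Group-Protocol", "string"),
    9: ("Alcatel-Asa-Access", "string"),
    39: ("Alcatel-Acce-Priv-F-R1", "hex"),
    40: ("Alcatel-Acce-Priv-F-R2", "hex"),
    41: ("Alcatel-Acce-Priv-F-W1", "hex"),
    42: ("Alcatel-Acce-Priv-F-W2", "hex"),
}

# Protocol keywords accepted in Alcatel-Auth-Group-Protocol (from the table).
ALLOWED_PROTOCOLS = {"IP_E2", "IP_SNAP", "IPX_E2", "IPX_NOV", "IPX_LLC", "IPX_SNAP"}


def _encode_value(kind, value):
    if kind == "integer":
        return struct.pack("!I", value)
    if kind == "address":
        return ipaddress.IPv4Address(value).packed
    if kind == "hex":
        # Assumption: the privilege bitmask travels as a 32-bit big-endian
        # integer; the guide says only that the attribute type is "hex".
        return struct.pack("!I", value)
    return value.encode("ascii")


def _decode_value(kind, data):
    if kind in ("integer", "hex"):
        if len(data) != 4:
            raise ValueError(f"{kind} value must be 4 bytes, got {len(data)}")
        return struct.unpack("!I", data)[0]
    if kind == "address":
        if len(data) != 4:
            raise ValueError("address value must be 4 bytes")
        return str(ipaddress.IPv4Address(data))
    return data.decode("ascii")


def encode_alcatel_vsa(subtype, value):
    """Build one attribute 26 carrying a single Alcatel sub-attribute."""
    name, kind = ALCATEL_VSA_TYPES[subtype]
    data = _encode_value(kind, value)
    vendor_data = struct.pack("!BB", subtype, 2 + len(data)) + data
    body = struct.pack("!I", ALCATEL_VENDOR_ID) + vendor_data
    if 2 + len(body) > 255:
        raise ValueError(f"{name} value too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_alcatel_vsa(attr):
    """Parse attribute 26 back to (name, value). Every length field is checked
    against the bytes actually present before any of it is used."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != ALCATEL_VENDOR_ID:
        raise ValueError(f"vendor ID {vendor_id} is not Alcatel (800)")
    subtype, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or vendor_len != len(attr) - 6:
        raise ValueError("vendor-length does not match the attribute length")
    name, kind = ALCATEL_VSA_TYPES.get(subtype, (f"Alcatel-subtype-{subtype}", "string"))
    return name, _decode_value(kind, attr[8:])


def parse_auth_group_protocol(value):
    """Split 'vlan: PROTO PROTO ...' into (vlan, [protocols]); unknown keywords
    are rejected rather than silently granting a protocol nobody configured."""
    vlan_text, sep, proto_text = value.partition(":")
    protocols = proto_text.split()
    if not sep or not vlan_text.strip().isdigit() or not protocols:
        raise ValueError(f"malformed Alcatel-Auth-Group-Protocol value: {value!r}")
    unknown = sorted(set(protocols) - ALLOWED_PROTOCOLS)
    if unknown:
        raise ValueError(f"unknown protocol keyword(s): {unknown}")
    return int(vlan_text), protocols
```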
Configuring Functional Privileges on the Server
Configuring the functional privileges attributes (Alcatel-Acce-Priv-F-x) can be cumbersome because it
requires using read and write bitmasks for command families on the switch.
1 To display the functional bitmasks of the desired command families, use the show aaa priv hexa
command.
2 On the RADIUS server, configure the functional privilege attributes with the bitmask values.
Note. For more information about configuring users on the switch, see the “Switch Security” chapter in
the OmniSwitch 6800/6850/9000 Switch Management Guide.
RADIUS Accounting Server Attributes
The following table lists the standard attributes supported for RADIUS accounting servers. The attributes
in the radius.ini file may be modified if necessary.
Num.  Standard Attribute      Description
1     User-Name               Used in access-request and account-request packets.
4     NAS-IP-Address          Sent with every access-request. Specifies which switches a
                              user may have access to. More than one of these attributes is
                              allowed per user.
5     NAS-Port                Virtual port number sent with access-request and account-request
                              packets. Slot/port information is supplied in attribute 26
                              (vendor-specific).
25    Class                   Used to pass information from the server to the client and
                              passed unchanged to the accounting server as part of the
                              accounting-request packet.
40    Acct-Status-Type        Four values should be included in the dictionary file: 1 (acct-start),
                              2 (acct-stop), 6 (failure), and 7 (acct-on). Start and stop
                              correspond to login/logout. The accounting-on message is sent
                              when the RADIUS client is started. This attribute also includes
                              an accounting-off value, which is not supported.
42    Acct-Input-Octets       (Authenticated VLANs only) Tracked per port.
43    Acct-Output-Octets      (Authenticated VLANs only) Tracked per port.
44    Acct-Session            Unique accounting ID. (For authenticated VLAN users, Alcatel uses
                              the client’s MAC address.)
45    Acct-Authentic          Indicates how the client is authenticated; standard values (1–3)
                              are not used. Vendor-specific values should be used instead:
                              AUTH-AVCLIENT (4), AUTH-TELNET (5), AUTH-HTTP (6), AUTH-NONE (0)
46    Acct-Session            The start and stop time for a user’s session can be determined
                              from the accounting log.
47    Acct-Input-Packets      (Authenticated VLANs only) Tracked per port.
48    Acct-Output-Packets     (Authenticated VLANs only) Tracked per port.
49    Acct-Terminate-Cause    Indicates how the session was terminated: NAS-ERROR, USER-ERROR,
                              LOST CARRIER, USER-REQUEST, STATUS-FAIL
The following table lists the VSAs supported for RADIUS accounting servers. The attributes in the
radius.ini file may be modified if necessary.
Num.  Accounting VSA           Type            Description
1     Alcatel-Auth-Group       integer         The authenticated VLAN number. The only protocol
                                               associated with this attribute is Ethernet II. If other
                                               protocols are required, use the protocol attribute
                                               instead.
2     Alcatel-Slot-Port        string          Slot(s)/port(s) valid for the user.
4     Alcatel-Client-IP-Addr   dotted decimal  The IP address used for Telnet only.
5     Alcatel-Group-Desc       string          Description of the authenticated VLAN.
Configuring the RADIUS Client
Use the aaa radius-server command to configure RADIUS parameters on the switch.
RADIUS server keywords: key, host, retransmit, timeout, auth-port, acct-port
When creating a new server, at least one host name or IP address (specified by the host keyword) is
required as well as the shared secret (specified by the key keyword).
In this example, the server name is rad1, the host address is 10.10.2.1, the backup address is 10.10.3.5,
and the shared secret is amadeus. Note that the shared secret must be configured exactly the same as on
the server.
-> aaa radius-server rad1 host 10.10.2.1 10.10.3.5 key amadeus
To modify a RADIUS server, enter the server name and the desired parameter to be modified.
-> aaa radius-server rad1 key mozart
If you are modifying the server and have just entered the aaa radius-server command to create or modify
the server, you can use command prefix recognition. For example:
-> aaa radius-server rad1 retransmit 5
-> timeout 5
For information about server defaults, see “Server Defaults” on page 21-3.
To remove a RADIUS server, use the no form of the command:
-> no aaa radius-server rad1
Note that only one server may be deleted at a time.
LDAP Servers
Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP client
in the switch is based on several RFCs: 1798, 2247, 2251, 2252, 2253, 2254, 2255, and 2256. The protocol was developed as a way to use directory services over TCP/IP and to simplify the directory access
protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort. Originally it was a
front-end for X.500 DAP.
The protocol synchronizes and governs the communications between the LDAP client and the LDAP
server. The protocol also dictates how its databases of information, which are normally stored in hierarchical form, are searched, from the root directory down to distinct entries.
In addition, LDAP has its own format that permits LDAP-enabled Web browsers to perform directory
searches over TCP/IP.
Setting Up the LDAP Authentication Server
1 Install the directory server software on the server.
2 Copy the relevant schema LDIF files from the Alcatel software CD to the configuration directory on
the server. (Each server type has a command line tool or a GUI tool for importing LDIF files.) Database
LDIF files may also be copied and used as templates. The schema files and the database files are specific
to the server type. The files available on the Alcatel software CD include the following:
aaa_schema.microsoft.ldif
aaa_schema.netscape.ldif
aaa_schema.novell.ldif
aaa_schema.openldap.schema
aaa_schema.sun.ldif
aaa_database.microsoft.ldif
aaa_database.netscape.ldif
aaa_database.novell.ldif
aaa_database.openldap.ldif
aaa_database.sun.ldif
3 After the server files have been imported, restart the server.
Note. Schema checking should be enabled on the server.
Information in the server files must match information configured on the switch through the
aaa ldap-server command. For example, the port number configured on the server must be the same as
the port number configured on the switch. See “Configuring the LDAP Authentication Client” on
page 21-25 for information about using this command.
LDAP Server Details
LDAP servers must be configured with the properly defined LDAP schema and correct database suffix,
including well-populated data. LDAP schema is extensible, permitting entry of user-defined schema as
needed.
LDAP servers are also able to import and export directory databases using LDIF (LDAP Data Interchange
Format).
LDIF File Structure
LDIF is used to transfer data to LDAP servers in order to build directories or modify LDAP databases.
LDIF files specify multiple directory entries or changes to multiple entries, but not both. The file is in
simple text format and can be created or modified in any text editor. In addition, LDIF files import and
export binary data encoded according to the base 64 convention used with MIME (Multipurpose Internet
Mail Extensions) to send various media file types, such as JPEG graphics, through electronic mail.
An LDIF file entry used to define an organizational unit would look like this:
dn: <distinguished name>
objectClass: top
objectClass: organizationalUnit
ou: <organizational unit name>
<list of optional attributes>
Below are definitions of some LDIF file entries:
entries                          definition
dn: <distinguished name>         Defines the DN (required).
objectClass: top                 Defines top object class (at least one is required). Object
                                 class defines the list of attributes required and allowed in
                                 directory server entries.
objectClass: organizationalUnit  Specifies that organizational unit should be part of the
                                 object class.
ou: <organizationalUnit name>    Defines the organizational unit’s name.
<list of attributes>             Defines the list of optional entry attributes.
Common Entries
The most common LDIF entries describe people in companies and organizations. The structure for such an
entry might look like the following:
dn: <distinguished name>
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: <common name>
sn: <surname>
<list of optional attributes>
This is how the entry would appear with actual data in it.
dn: uid=yname, ou=people, o=yourcompany
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: your name
sn: last name
givenname: first name
uid: yname
ou: people
description:
<list of optional attributes>
...
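As an added example (not from the guide or from the Alcatel CD), the following Python parses and writes entry records of the form shown above, unfolding continuation lines and handling the :: base64 form that LDIF uses for binary values, and checks an entry for the attributes its object classes require. The sample LDIF and the required-attribute map are constructed from the two templates above.

```python
import base64

# Attributes each object class requires, taken from the templates above.
REQUIRED_BY_CLASS = {"organizationalUnit": ["ou"], "person": ["cn", "sn"]}

# Constructed sample (not from the Alcatel CD): the two templates above with
# data filled in, one folded line and one base64 (::) binary value.
SAMPLE_LDIF = """\
# constructed sample file
dn: ou=people, o=yourcompany
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=yname, ou=people, o=yourcompany
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: your name
sn: last name
givenname: first name
uid: yname
ou: people
description: a long description that is folded onto
  a second line
jpegPhoto:: /9j/4AAQ
"""


def _unfold(text):
    """Join continuation lines (leading space) onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse entry records into [(dn, {attr: [values]})]. Base64 values come
    back as bytes. Change records are rejected: a file holds entries or
    changes, not both."""
    entries, current = [], None
    for line in _unfold(text) + [""]:        # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            value = rest.strip()
        if name.lower() == "dn":
            if current is not None:
                raise ValueError("dn without a blank line before it")
            dn = value.decode("utf-8") if isinstance(value, bytes) else value
            current = (dn, {})
        elif current is None:
            raise ValueError(f"attribute {name} before any dn")
        elif name.lower() == "changetype":
            raise ValueError("change records are not handled by this parser")
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def validate_entry(dn, attrs):
    """Return the problems found: no objectClass, or an attribute that one of
    the entry's object classes requires but the entry lacks."""
    problems = []
    classes = attrs.get("objectClass", [])
    if not classes:
        problems.append("at least one objectClass is required")
    for cls in classes:
        for needed in REQUIRED_BY_CLASS.get(cls, []):
            if not attrs.get(needed):
                problems.append(f"missing required attribute {needed} for {cls}")
    return problems


def _needs_base64(value):
    # Values LDIF cannot carry literally: non-ASCII, a leading space, colon
    # or '<', a trailing space, or an embedded line break.
    return (not value.isascii() or value[:1] in (" ", ":", "<")
            or value.endswith(" ") or "\n" in value or "\r" in value)


def format_ldif(dn, attrs):
    """Serialize one entry; bytes and unsafe strings use the '::' base64 form."""
    out = [f"dn: {dn}"]
    for name, values in attrs.items():
        for value in values:
            if isinstance(value, bytes) or _needs_base64(value):
                raw = value if isinstance(value, bytes) else value.encode("utf-8")
                out.append(f"{name}:: {base64.b64encode(raw).decode('ascii')}")
            else:
                out.append(f"{name}: {value}")
    return "\n".join(out) + "\n"
```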
Directory Entries
Directory entries are used to store data in directory servers. LDAP-enabled directory entries contain information about an object (person, place, or thing) in the form of a Distinguished Name (DN) that should be
created in compliance with the LDAP protocol naming conventions.
Distinguished names are constructed from Relative Distinguished Names (RDNs), related entries that
share no more than one attribute value with a DN. RDNs are the components of DNs, and DNs are string
representations of entry names in directory servers.
Distinguished names typically consist of descriptive information about the entries they name, and
frequently include the full names of individuals in a network, their email addresses, TCP/IP addresses,
with related attributes such as a department name, used to further distinguish the DN. Entries include one
or more object classes, and often a number of attributes that are defined by values.
Object classes define all required and optional attributes (a set of object classes is referred to as a
“schema”). As a minimum, every entry must include the DN and one defined object class, like the name of
an organization. Attributes required by a particular object class must also be defined. Some commonly
used attributes that comprise a DN include the following:
Country (c), State or Province (st), Locality (l),
Organization (o), Organization Unit (ou),
and Common Name (cn)
Although each attribute would necessarily have its own values, the attribute syntax determines what kind
of values are allowed for a particular attribute, e.g., (c=US), where country is the attribute and US is the
value. Extra consideration for attribute language codes will be necessary if entries are made in more than
one language.
Entries are usually based on physical locations and established policies in a Directory Information Tree
(DIT); the DN locates an entry in the hierarchy of the tree. Alias entries pointing to other entries can also
be used to circumvent the hierarchy during searches for entries.
Once a directory is set up, DN attributes should thereafter be specified in the same order to keep the directory paths consistent. DN attributes are separated by commas as shown in this example:
cn=your name, ou=your function, o= your company, c=US
As there are other conventions used, please refer to the appropriate RFC specification for further details.
In addition to managing attributes in directory entries, LDAP makes the descriptive information stored in
the entries accessible to other applications. The general structure of entries in a directory tree is shown in
the following illustration. It also includes example entries at various branches in the tree.
Directory Information Tree (reconstructed from the labels of the original figure):
ROOT
|-- c=Canada
`-- c=US                                  dn=c=US
    |-- st=Arizona
    |-- st=California
    `-- o=your company                    dn=o=your company,c=US
        |-- ou=department
        |-- ou=function
        |   `-- cn=your full name         cn=your full name, ou=your function, o=your company, c=US
        `-- ou=section
            `-- cn=co-worker full name
Directory Searches
DNs are always the starting point for searches unless indicated otherwise in the directory schema.
Searches involve the use of various criteria including scopes and filters which must be predefined, and
utility routines, such as Sort. Searches should be limited in scope to specific durations and areas of the
directory. Some other parameters used to control LDAP searches include the size of the search and
whether to include attributes associated with name searches.
Base objects and scopes are specified in the searches, and indicate where to search in the directory. Filters
are used to specify entries to select in a given scope. The filters are used to test the existence of object
class attributes, and enable LDAP to emulate a “read” of entry listings during the searches. All search preferences are implemented by means of a filter in the search. Filtered searches are based on some component of the DN.
Retrieving Directory Search Results
Results of directory searches are individually delivered to the LDAP client. LDAP referrals to other servers are not returned to the LDAP client, only results or errors. If referrals are issued, the server is responsible for them, although the LDAP client will retrieve results of asynchronous operations.
Directory Modifications
Modifications to directory entries contain changes to DN entry attribute values, and are submitted to the
server by an LDAP client application. The LDAP-enabled directory server uses the DNs to find the entries
to either add or modify their attribute values.
Attributes are automatically created for requests to add values if the attributes are not already contained in
the entries.
All attributes are automatically deleted when requests to delete the last value of an attribute are submitted.
Attributes can also be deleted by specifying delete value operations without attaching any values.
Modified attribute values are replaced with other given values by submitting replace requests to the server,
which then translates and performs the requests.
Directory Compare and Sort
LDAP will compare directory entries with given attribute values to find the information it needs. The
Compare function in LDAP uses a DN as the identity of an entry, and searches the directory with the type
and value of an attribute. Compare is similar to the Search function, but simpler.
LDAP will also sort entries by their types and attributes. For the Sort function, there are essentially two
methods of sorting through directory entries. One is to sort by entries where the DN (Distinguished Name)
is the sort key. The other is to sort by attributes with multiple values.
The LDAP URL
LDAP URLs are used to send search requests to directory servers over TCP/IP on the internet, using the
protocol prefix: ldap://. (Searches over SSL would use the same prefix with an “s” at the
end, i.e., ldaps://.)
LDAP URLs are entered in the command line of any web browser, just as HTTP or FTP URLs are
entered. When LDAP searches are initiated LDAP checks the validity of the LDAP URLs, parsing the
various components contained within the URLs to process the searches. LDAP URLs can specify and
implement complex or simple searches of a directory depending on what is submitted in the URLs.
Searches performed directly with LDAP URLs are affected by the LDAP session parameters described
above.
In the case of multiple directory servers, LDAP URLs are also used for referrals to other directory servers
when a particular directory server does not contain any portion of requested IP address information.
Search requests generated through LDAP URLs are not authenticated.
Searches are based on entries for attribute data pairs.
The syntax for TCP/IP LDAP URLs is as follows:
ldap://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>
An example might be:
ldap://ldap.company name.xxx/o=company name%inc./,c=US
(base search including all attributes/object classes in scope).
LDAP URLs use the percent symbol to represent commas in the DN. The following table shows the basic
components of LDAP URLs.
components     description
<ldap>         Specifies TCP/IP connection for LDAP protocol. (The <ldaps>
               prefix specifies SSL connection for LDAP protocol.)
<hostname>     Host name of directory server or computer, or its IP address (in
               dotted decimal format).
<port>         TCP/IP port number for directory server. If using TCP/IP and the
               default port number (389), port need not be specified in the URL.
               SSL port number for directory server (default is 636).
<base_dn>      DN of directory entry where search is initiated.
<attributes>   Attributes to be returned for entry search results. All attributes are
               returned if search attributes are not specified.
<scope>        Different results are retrieved depending on the scopes associated
               with entry searches.
               “base” search: retrieves information about distinguished name as
               specified in URL. This is a <base_dn> search. Base searches are
               assumed when the scope is not designated.
               “one” (one-level) search: retrieves information about entries one
               level under distinguished name (<base_dn>) as specified in the
               URL, excluding the base entry.
               “sub” (subtree) search: retrieves information about entries from all
               levels under the distinguished name (<base_dn>) as specified in
               the URL, including the base entry.
<filter>       Search filters are applied to entries within specified search scopes.
               Default filter objectClass=* is used when filters are not designated.
               (Automatic search filtering not yet available.)
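Added example, not part of the guide: a parser for the URL form described above that applies the documented defaults (port 389 or 636, base scope, objectClass=* filter) and a review helper that flags the search properties the text warns about, namely unbounded scope and an unauthenticated cleartext request. Two details go beyond the page and are assumptions: percent escapes are undone with standard URL decoding (%2C for a comma inside the DN), and the default filter is written in the parenthesised form (objectClass=*).

```python
from dataclasses import dataclass
from urllib.parse import unquote

# Defaults from the table above: 389 for ldap://, 636 for ldaps://, base scope
# and an objectClass=* filter whenever the URL leaves them out.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")
DEFAULT_FILTER = "(objectClass=*)"   # assumption: standard parenthesised form


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attributes: list    # an empty list means "return all attributes"
    scope: str
    filter: str


def parse_ldap_url(url):
    """Parse ldap://host:port/base_dn?attributes?scope?filter into its parts,
    applying the defaults and rejecting anything outside the documented form."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps: {url!r}")
    hostport, _, rest = rest.partition("/")
    host, _, port_text = hostport.partition(":")
    if not host:
        raise ValueError("host name or IP address is required")
    port = DEFAULT_PORTS[scheme]
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port: {port_text!r}")
        port = int(port_text)
    fields = rest.split("?")
    if len(fields) > 4:
        raise ValueError("too many '?'-separated fields")
    fields += [""] * (4 - len(fields))
    # Percent escapes (e.g. %2C for a comma inside the DN) are undone here.
    base_dn, attr_text, scope_text, filter_text = (unquote(f) for f in fields)
    attributes = [a.strip() for a in attr_text.split(",") if a.strip()]
    scope = scope_text.strip().lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}: {scope!r}")
    return LdapUrl(scheme, host, port, base_dn, attributes, scope,
                   filter_text.strip() or DEFAULT_FILTER)


def review_search(u):
    """List the properties an administrator should notice before allowing a
    URL-driven search: cleartext transport and subtree searches that match or
    return everything."""
    warnings = []
    if u.scheme == "ldap":
        warnings.append("cleartext ldap:// transport; ldaps:// (port 636) protects the exchange")
    if u.scope == "sub" and u.filter == DEFAULT_FILTER:
        warnings.append("subtree search with the default filter returns every entry under the base DN")
    if u.scope == "sub" and not u.attributes:
        warnings.append("subtree search returning all attributes; list only the attributes needed")
    return warnings
```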
Password Policies and Directory Servers
Password policies applied to user accounts vary slightly from one directory server to another. Normally,
only the password changing policies can be set by users through the directory server graphical user interface (GUI). Other policies accessible only to Network Administrators through the directory server GUI
may include one or more of the following operational parameters.
• Log-in Restrictions
• Change Password
• Check Password Syntax
• Password Minimum Length
• Send Expiration Warnings
• Password History
• Account Lockout
• Reset Password Failure Count
• LDAP Error Messages (e.g., Invalid Username/Password, Server Data Error, etc.)
For instructions on installing LDAP-enabled directory servers, refer to the vendor-specific instructions.
Directory Server Schema for LDAP Authentication
Object classes and attributes will need to be modified accordingly to include LDAP authentication in the
network (object classes and attributes are used specifically here to map user account information contained
in the directory servers).
• All LDAP-enabled directory servers require entry of an auxiliary objectClass:passwordObject for user
password policy information.
• Another auxiliary objectClass: password policy is used by the directory server to apply the password
policy for the entire server. There is only one entry of this object for the database server.
Note. Server schema extensions should be configured before the aaa ldap-server command is configured.
Vendor-Specific Attributes for LDAP Servers
The following are Vendor Specific Attributes (VSAs) for Authenticated Switch Access and/or Layer 2
Authentication:
attribute                      description
bop-asa-func-priv-read-1       Read privileges for the user.
bop-asa-func-priv-read-2       Read privileges for the user.
bop-asa-func-priv-write-1      Write privileges for the user.
bop-asa-func-priv-write-2      Write privileges for the user.
bop-asa-allowed-access         Whether the user has access to configure the switch.
bop-asa-snmp-level-security    Whether the user may have SNMP access, and the type of SNMP
                               protocol used.
bop-shakey                     A key computed from the user password with the alp2key tool.
bop-md5key                     A key computed from the user password with the alp2key tool.
allowedtime                    The periods of time the user is allowed to log into the switch.
switchgroups                   The VLAN ID and protocol (IP_E2, IP_SNAP, IPX_E2, IPX_NOV,
                               IPX_LLC, IPX_SNAP).
Configuring Functional Privileges on the Server
Configuring the functional privileges attributes (bop-asa-func-priv-read-1, bop-asa-func-priv-read-2,
bop-asa-func-priv-write-1, bop-asa-func-priv-write-2) requires using read and write bitmasks for
command families on the switch.
1 To display the functional bitmasks of the desired command families, use the show aaa priv hexa
command.
2 On the LDAP server, configure the functional privilege attributes with the bitmask values.
For more information about configuring users on the switch, see the Switch Security chapter of the
OmniSwitch 6800/6850/9000 Switch Management Guide.
Configuring Authentication Key Attributes
The alp2key tool is provided on the Alcatel software CD for computing SNMP authentication keys. The
alp2key application is supplied in two versions, one for Unix (Solaris 2.5.1 or higher) and one for
Windows (NT 4.0 and higher).
To configure the bop-shakey or bop-md5key attributes on the server:
1 Use the alp2key application to calculate the authentication key from the password of the user. The
switch automatically computes the authentication key, but for security reasons the key is never displayed
in the CLI.
2 Cut and paste the key to the relevant attribute on the server.
An example using the alp2key tool to compute the SHA and MD5 keys for mypassword:
ors40595{}128: alp2key mypassword
bop-shakey: 0xb1112e3472ae836ec2b4d3f453023b9853d9d07c
bop-md5key: 0xeb3ad6ba929441a0ff64083d021c07f1
ors40595{}129:
Note. The bop-shakey and bop-md5key values must be recomputed and copied to the server any time a
user’s password is changed.
LDAP Accounting Attributes
Logging and accounting features include Account Start, Stop and Fail Times, and Dynamic Log. Typically, the Login and Logout logs can be accessed from the directory server software. Additional third-party
software is required to retrieve and reset the log information to the directory servers for billing purposes.
The following sections describe accounting server attributes.
AccountStartTime
User account start times are tracked in the AccountStartTime attribute of the user’s directory entry that
keeps the time stamp and accounting information of user log-ins. The following fields (separated by
carriage returns “|”) are contained in the Login log. Some fields are only used for Layer 2 Authentication.
Fields Included For Any Type of Authentication
• User account ID or username client entered to log-in: variable length digits.
• Time Stamp: YYYYMMDDHHMMSS (YYYY:year, MM:month, DD:day, HH:hour, MM:minute,
SS:second)
• Switch serial number: Alcatel.BOP.<switch name>.<MAC address>
• Client IP address: variable length digits.
Fields Included for Layer 2 Authentication Only
• Client MAC address: xx:xx:xx:xx:xx:xx (alphanumeric).
• Switch VLAN number client joins in multiple authority mode (0=single authority; 2=multiple authority);
variable-length digits.
• Switch slot number to which client connects: nn
• Switch port number to which client connects: nn
• Switch virtual interface to which client connects: nn
AccountStopTime
User account stop times are tracked in the AccountStopTime attribute that keeps the time stamp and
accounting information of successful user log-outs. The same fields as above (separated by carriage
returns “|”) are contained in the Logout log. A different carriage return such as the # sign may be used in
some situations. Additionally, these fields are included but apply only to the Logout log:
Fields For Any Type of Authentication
• Log-out reason code, for example LOGOFF(18) or DISCONNECTED BY ADMIN(19)
• User account ID or username client entered to log-in: variable length digits.
Fields For Layer 2 Authentication Only
• Number of bytes received on the port during the client’s session from log-in to log-out: variable length
digits.
• Number of bytes sent on the port during the client’s session from log-in to log-out: variable length
digits.
• Number of frames received on the port during the client’s session from log-in to log-out: variable
length digits.
• Number of frames sent on the port during the client’s session from log-in to log-out: variable
length digits.
AccountFailTime
The AccountFailTime attribute log records the time stamp and accounting information of unsuccessful
user log-ins. The same fields in the Login Log—which are also part of the Logout log (separated by
carriage returns “|”)—are contained in the Login Fail log. A different carriage return such as the # sign
may be used in some situations. Additionally, these fields are included but apply only to the Login Fail
log.
• User account ID or username client entered to log-in: variable length digits.
• Log-in fail error code: nn. For error code descriptions refer to the vendor-specific listing for the
specific directory server in use.
• Log-out reason code, for example PASSWORD EXPIRED(7) or AUTHENTICATION FAILURE(21)
Dynamic Logging
Dynamic logging may be performed by an LDAP-enabled directory server if an LDAP server is configured first in the list of authentication servers configured through the aaa accounting vlan or aaa
accounting session command. Any other servers configured are used for accounting (storing history
records) only. For example:
-> aaa accounting session ldap2 rad1 rad2
In this example, server ldap2 will be used for dynamic logging, and servers rad1 and rad2 will be used
for accounting.
If you specify a RADIUS server first, all of the servers specified will be used for recording history records
(not logging). For example:
-> aaa accounting session rad1 ldap2
In this example, both the rad1 and ldap2 servers will be used for history only. Dynamic logging will not
take place on the LDAP server.
Dynamic entries are stored in the LDAP-enabled directory server database from the time the user successfully logs in until the user logs out. The entries are removed when the user logs out.
• Entries are associated with the switch the user is logged into.
• Each dynamic entry contains information about the user’s connection. The related attribute in the
server is bop-loggedusers.
A specific object class called alcatelBopSwitchLogging contains three attributes as follows:
Attribute
Description
bop-basemac
MAC range, which uniquely identifies the switch
bop-switchname
Host name of the switch.
bop-loggedusers
Current activity records for every user logged
onto the switch identified by bop-basemac.
Each switch that is connected to the LDAP-enabled directory server will have a DN starting with bop-basemac-xxxxx, ou=bop-logging. If the organizational unit ou=bop.logging exists somewhere in the tree
under searchbase, logging records are written on the server. See the server manufacturer’s documentation
for more information about setting up the server.
The bop-loggedusers attribute is a formatted string with the following syntax:
loggingMode : accessType ipAddress port macAddress vlanList userName
The fields are defined here:
Field         Possible Values
loggingMode   ASA x: an authenticated user session, where x is the number of the session.
              AVLAN: an Authenticated VLAN session in single authority mode.
              AVLAN y: an Authenticated VLAN session in multiple authority mode, where y is
              the relevant VLAN.
accessType    Any one of the following: CONSOLE, MODEM, TELNET, HTTP, FTP, XCAP
ipAddress     The string IP followed by the IP address of the user.
port          (For Authenticated VLAN users only.) The string PORT followed by the slot/port
              number.
macAddress    (For Authenticated VLAN users only.) The string MAC followed by the MAC address
              of the user.
vlanList      (For Authenticated VLAN users only.) The string VLAN followed by the list of
              VLANs the user is authorized (for single-mode authority).
userName      The login name of the user.
For example:
“ASA 0 : CONSOLE IP 65.97.233.108 Jones”
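Added example, not the switch's or any directory server's code: a parser for the bop-loggedusers string defined above that checks each keyworded field, rejects PORT, MAC and VLAN on ASA records (the guide restricts them to Authenticated VLAN users), and a grouping helper for reviewing who is logged on by access type. The comma-separated VLAN list and space-free user names are assumptions; the sample records are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

ACCESS_TYPES = {"CONSOLE", "MODEM", "TELNET", "HTTP", "FTP", "XCAP"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
PORT_RE = re.compile(r"^\d+/\d+$")


@dataclass
class LoggedUser:
    mode: str                    # "ASA" or "AVLAN"
    mode_number: Optional[int]   # ASA session number, or the VLAN in multiple authority mode
    access_type: str
    ip: str
    user_name: str
    port: Optional[str] = None
    mac: Optional[str] = None
    vlans: list = field(default_factory=list)


def parse_logged_user(record):
    """Parse one bop-loggedusers value. Keyworded fields (IP, PORT, MAC, VLAN)
    are matched by their leading keyword; the last token is the user name,
    which is assumed not to contain spaces."""
    head, sep, tail = record.strip().strip('"“”').partition(":")
    mode_tokens = head.split()
    if not sep or not mode_tokens or mode_tokens[0] not in ("ASA", "AVLAN"):
        raise ValueError(f"loggingMode must start with ASA or AVLAN: {record!r}")
    mode = mode_tokens[0]
    if len(mode_tokens) > 2 or (len(mode_tokens) == 2 and not mode_tokens[1].isdigit()):
        raise ValueError(f"bad loggingMode number in {record!r}")
    number = int(mode_tokens[1]) if len(mode_tokens) == 2 else None
    if mode == "ASA" and number is None:
        raise ValueError("ASA records carry a session number")
    tokens = tail.split()
    if len(tokens) < 4:
        raise ValueError(f"need accessType, IP <addr> and userName: {record!r}")
    access_type, user_name, body = tokens[0], tokens[-1], tokens[1:-1]
    if access_type not in ACCESS_TYPES:
        raise ValueError(f"unknown accessType {access_type!r}")
    if len(body) % 2:
        raise ValueError(f"keyword without a value in {record!r}")
    fields = {}
    for key, val in zip(body[0::2], body[1::2]):
        if key in fields:
            raise ValueError(f"duplicate field {key}")
        fields[key] = val
    ip = fields.pop("IP", None)
    if ip is None:
        raise ValueError("IP field is required")
    ipaddress.ip_address(ip)      # raises ValueError on a malformed address
    port, mac = fields.pop("PORT", None), fields.pop("MAC", None)
    vlan_text = fields.pop("VLAN", None)
    if fields:
        raise ValueError(f"unexpected fields {sorted(fields)}")
    if mode == "ASA" and (port or mac or vlan_text):
        raise ValueError("PORT, MAC and VLAN apply to Authenticated VLAN users only")
    if port and not PORT_RE.match(port):
        raise ValueError(f"PORT must be slot/port: {port!r}")
    if mac and not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC {mac!r}")
    # Assumption: the VLAN list is comma-separated; the guide does not show it.
    vlans = [int(v) for v in vlan_text.split(",")] if vlan_text else []
    return LoggedUser(mode, number, access_type, ip, user_name, port, mac, vlans)


def users_by_access(records):
    """Group user names by access type across a switch's bop-loggedusers
    values, the view an administrator uses to spot unexpected sessions."""
    grouped = {}
    for rec in records:
        u = parse_logged_user(rec)
        grouped.setdefault(u.access_type, set()).add(u.user_name)
    return grouped
```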
Configuring the LDAP Authentication Client
Use the aaa ldap-server command to configure LDAP authentication parameters on the switch. The
server name, host name or IP address, distinguished name, password, and the search base name are
required for setting up the server. Optionally, a backup host name or IP address may be configured, as
well as the number of retransmit tries, the timeout for authentication requests, and whether or not a Secure
Socket Layer (SSL) is enabled between the switch and the server.
Note. The server should be configured with the appropriate schema before the aaa ldap-server command
is configured.
The keywords for the aaa ldap-server command are listed here:
Required for creating:  host, dn, password, base
Optional:               type, retransmit, timeout, port, ssl
Creating an LDAP Authentication Server
An example of creating an LDAP server:
-> aaa ldap-server ldap2 host 10.10.3.4 dn cn=manager password tpub base c=us
In this example, the switch will be able to communicate with an LDAP server (called ldap2) that has an IP
address of 10.10.3.4, a distinguished name of cn=manager, a password of tpub, and a searchbase of c=us. These
parameters must match the same parameters configured on the server itself.
Note. The distinguished name must be different from the searchbase name.
Modifying an LDAP Authentication Server
To modify an LDAP authentication server, use the aaa ldap-server command with the server name; or, if
you have just entered the aaa ldap-server command to create or modify the server, you can use command
prefix recognition. For example:
-> aaa ldap-server ldap2 password my_pass
-> timeout 4
In this example, an existing LDAP server is modified with a different password, and then the timeout is
modified on a separate line. These two command lines are equivalent to:
-> aaa ldap-server ldap2 password my_pass timeout 4
Setting Up SSL for an LDAP Authentication Server
A Secure Socket Layer (SSL) may be set up on the server for additional security. When SSL is enabled,
the server’s identity will be authenticated. The authentication requires a certificate from a Certification
Authority (CA). If the CA providing the certificate is well-known, the certificate is automatically extracted
from the Kbase.img file on the switch (certs.pem). If the CA is not well-known, the CA’s certificate must
be transferred to the switch via FTP to the /flash/certified or /flash/working directory and should be named
optcerts.pem. The switch merges either or both of these files into a file called ldapcerts.pem.
To set up SSL on the server, specify ssl with the aaa ldap-server command:
-> aaa ldap-server ldap2 ssl
The switch automatically sets the port number to 636 when SSL is enabled. The 636 port number is typically used on LDAP servers for SSL. The port number on the switch must match the port number configured on the server. If the port number on the server is different from the default, use the aaa ldap-server
command with the port keyword to configure the port number. For example, if the server port number is
635, enter the following:
-> aaa ldap-server ldap2 port 635
The switch will now be able to communicate with the server on port 635.
To remove SSL from the server, use no with the ssl keyword. For example:
-> aaa ldap-server ldap2 no ssl
SSL is now disabled for the server.
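Before transferring a private CA certificate to the switch as optcerts.pem, it is worth reproducing the merge described above on a workstation and confirming that the LDAP server's certificate actually chains to that CA; if it only verifies against the merged bundle, the optcerts.pem upload is what makes the switch trust the server. This is an added shell example, not part of the guide or of the switch software: the CA, the server key and certificate, and the stand-in for the well-known bundle are constructed locally with the openssl CLI, the file names mirror the page, and the server name ldap2.example.com is assumed.

```shell
#!/bin/sh
# Added example (not from the OmniSwitch guide): rebuild the switch's LDAP trust
# store locally and check which bundle validates the LDAP server certificate.
# Everything below is constructed with openssl so the check runs offline.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed private CA that is NOT among the well-known CAs in certs.pem.
# Its certificate is what would be uploaded to the switch as optcerts.pem.
make_private_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/C=US/O=Example/CN=Example Private CA" \
        -keyout "$WORK/private-ca.key" -out "$WORK/optcerts.pem" 2>/dev/null
}

# Constructed LDAP server certificate (assumed host ldap2.example.com),
# signed by the private CA above.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example/CN=ldap2.example.com" \
        -keyout "$WORK/ldap2.key" -out "$WORK/ldap2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/ldap2.csr" \
        -CA "$WORK/optcerts.pem" -CAkey "$WORK/private-ca.key" -CAcreateserial \
        -out "$WORK/ldap2.pem" 2>/dev/null
}

# Stand-in for the well-known CA bundle the switch extracts from Kbase.img
# (certs.pem): an unrelated self-signed CA, so it must NOT validate ldap2.
make_wellknown_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/C=US/O=Example/CN=Unrelated Public CA" \
        -keyout "$WORK/public-ca.key" -out "$WORK/certs.pem" 2>/dev/null
}

# The switch merges certs.pem and optcerts.pem into ldapcerts.pem; do the same.
merge_bundle() {
    cat "$WORK/certs.pem" "$WORK/optcerts.pem" > "$WORK/ldapcerts.pem"
}

# Returns 0 when the server certificate chains to a CA in the given bundle.
# $1 = CA bundle file, $2 = server certificate file
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints "well-known" if certs.pem alone suffices, "merged" if only the
# merged ldapcerts.pem validates the server, "untrusted" otherwise.
check_ldap_trust() {
    if verify_against "$WORK/certs.pem" "$WORK/ldap2.pem"; then
        echo "well-known"
    elif verify_against "$WORK/ldapcerts.pem" "$WORK/ldap2.pem"; then
        echo "merged"
    else
        echo "untrusted"
    fi
}

make_private_ca
make_server_cert
make_wellknown_bundle
merge_bundle
echo "ldap2 certificate trust: $(check_ldap_trust)"
```

With a real deployment, replace the constructed ldap2.pem with the certificate the server presents on port 636 and optcerts.pem with the CA file you intend to upload; "untrusted" means the switch would reject the server once ssl is enabled.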
Removing an LDAP Authentication Server
To delete an LDAP server from the switch configuration, use the no form of the command with the relevant server name.
-> no aaa ldap-server topanga5
The topanga5 server is removed from the configuration.
Verifying the Authentication Server Configuration
To display information about authentication servers, use the following command:
show aaa server
Displays information about a particular AAA server or AAA servers.
An example of the output for this command is given in “Quick Steps For Configuring Authentication
Servers” on page 21-4. For more information about the output of this command, see the OmniSwitch CLI
Reference Guide.
22 Configuring Authenticated VLANs
Authenticated VLANs control user access to network resources based on VLAN assignment and a user
log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another
type of security is device authentication, which is set up through the use of port-binding VLAN policies or
static port assignment. See Chapter 9, “Defining VLAN Rules.”) In this chapter, the terms authenticated
VLANs (AVLANs) and Layer 2 Authentication are synonymous.
Layer 2 Authentication is different from another feature in the switch called Authenticated Switch Access,
which is used to grant individual users access to manage the switch. For more information about Authenticated Switch Access, see the “Switch Security” chapter in the OmniSwitch 6800/6850/9000 Switch
Management Guide.
In This Chapter
This chapter describes authenticated VLANs and how to configure them through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of
commands, see the OmniSwitch CLI Reference Guide.
The authentication components described in this chapter include:
• Authentication clients—see “Setting Up Authentication Clients” on page 22-7.
• Authenticated VLANs—see “Configuring Authenticated VLANs” on page 22-26.
• Authentication ports—see “Configuring Authenticated Ports” on page 22-28.
• DHCP server—see “Setting Up the DHCP Server” on page 22-29.
• Authentication server authority mode—see “Configuring the Server Authority Mode” on
page 22-32.
• Accounting servers—see “Specifying Accounting Servers” on page 22-35.
Authenticated Network Overview
An authenticated network involves several components as shown in this illustration.
[Figure: Authentication Network Components. The illustration shows the RADIUS or LDAP servers, a DHCP server, the authentication agent in the switch, an authentication port, two authenticated VLANs, and the authentication clients.]
This chapter describes all of these components in detail, except the external authentication servers, which
are described in Chapter 21, “Managing Authentication Servers.” A brief overview of the components is
given here:
Authentication servers—A RADIUS or LDAP server must be configured in the network. The server
contains a database of user information that the switch checks whenever a user tries to authenticate
through the switch. (Note that the local user database on the switch may not be used for Layer 2 authentication.) Backup servers may be configured for the authentication server.
• RADIUS or LDAP server. Follow the manufacturer’s instructions for your particular server. The
external server may also be used for Authenticated Switch Access. Server details, such as RADIUS
attributes and LDAP schema information, are given in Chapter 21, “Managing Authentication Servers.”
• RADIUS or LDAP client in the switch. The switch must be set up to communicate with the RADIUS
or LDAP server. This chapter briefly describes the switch configuration. See Chapter 21, “Managing
Authentication Servers,” for detailed information about setting up switch parameters for authentication
servers.
Authentication clients—Authentication clients log in through the switch to get access to authenticated
VLANs. There are three types of clients:
• AV-Client. This is an Alcatel-proprietary authentication client. The AV-Client does not require an IP
address prior to authentication. The client software must be installed on the user’s end station. This
chapter describes how to install and configure the client. See “Installing the AV-Client” on page 22-12.
• Telnet client. Any standard Telnet client may be used. An IP address is required prior to authentication.
An overview of the Telnet client is provided in “Setting Up Authentication Clients” on page 22-7.
• Web browser client. Any standard Web browser may be used (Netscape or Internet Explorer). An IP
address is required prior to authentication. See “Web Browser Authentication Client” on page 22-7 for
more information about Web browser clients.
Authenticated VLANs—At least one authenticated VLAN must be configured. See “Configuring
Authenticated VLANs” on page 22-26.
Authentication port—At least one mobile port must be configured on the switch as an authentication
port. This is the physical port through which authentication clients are attached to the switch. See “Configuring Authenticated Ports” on page 22-28.
DHCP Server—A DHCP server can provide IP addresses to clients prior to authentication. After authentication, any client can obtain an IP address in an authenticated VLAN to which the client is allowed
access. A relay to the server must be set up on the switch. See “Setting Up the DHCP Server” on
page 22-29.
Authentication agent in the switch—Authentication is enabled when the server(s) and the server authority mode are specified on the switch. See “Configuring the Server Authority Mode” on page 22-32.
These components are described in more detail in the next sections.
AVLAN Configuration Overview
Configuring authenticated VLANs requires several major steps. The steps are outlined here and described
throughout this chapter. See “Sample AVLAN Configuration” on page 22-5 for a quick overview of
implementing the commands used in these procedures.
1 Set up authentication clients. See “Setting Up Authentication Clients” on page 22-7.
2 Configure at least one authenticated VLAN. A router port must be set up in at least one authenticated
VLAN for the DHCP relay. See “Configuring Authenticated VLANs” on page 22-26.
3 Configure at least one authenticated mobile port. Required for connecting the clients to the switch.
See “Configuring Authenticated Ports” on page 22-28.
4 Set up the DHCP server. Required if you are using Telnet or Web browser clients. Required for any
clients that need to get IP addresses after authentication. See “Setting Up the DHCP Server” on
page 22-29.
5 Configure the authentication server authority mode. See “Configuring the Server Authority Mode”
on page 22-32.
6 Specify accounting servers for authentication sessions. Optional; accounting may also be done
through the switch logging feature in the switch. See “Specifying Accounting Servers” on page 22-35.
The following is a summary of commands used in these procedures.
Commands                                 Used for ...
vlan authentication                      Enabling authentication on VLAN(s)
ip interface                             Setting up a router port on the authenticated VLAN.
vlan port mobile                         Creating authenticated port(s)
vlan port authenticate
aaa avlan dns                            Configuring a DNS name; required for Web browser clients
ip helper address                        Configuring the DHCP server; required for Telnet and Web
aaa avlan default dhcp                   browser clients.
ip helper avlan only
aaa vlan no                              Removing a user from an authenticated VLAN
aaa ldap-server                          Setting up switch communication with authentication servers
aaa radius-server
aaa authentication vlan single-mode      Enabling authentication and setting the authority mode for
aaa authentication vlan multiple-mode    servers
aaa accounting vlan                      Specifying accounting for AVLAN sessions.
Sample AVLAN Configuration
1 Enable at least one authenticated VLAN:
-> vlan 2 authentication enable
Note that this command does not create a VLAN; the VLAN must already be created. For information
about creating VLANs, see Chapter 5, “Configuring VLANs.”
The VLAN must also have an IP router interface if Telnet or Web browser clients will be authenticating
into this VLAN. The following command configures an IP router interface on VLAN 2:
-> ip interface vlan-2 address 10.10.2.20 vlan 2
2 Create and enable at least one mobile authenticated port. The port must be in VLAN 1, the default
VLAN on the switch.
-> vlan port mobile 3/1
-> vlan port 3/1 authenticate enable
3 Set up a DNS path if users will be authenticating through a Web browser:
-> aaa avlan dns auth.company
4 Set up a path to a DHCP server if users will be getting IP addresses from DHCP. The IP helper address
is the IP address of the DHCP server; the AVLAN default DHCP address is the address of any router port
configured on the VLAN.
-> ip helper address 10.10.2.5
-> aaa avlan default dhcp 10.10.2.20
If the relay will be used for authentication only, enter the ip helper avlan only command:
-> ip helper avlan only
Note. To check the DNS and DHCP authentication configuration, enter the show aaa avlan config
command. For example:
-> show aaa avlan config
default DHCP relay address = 192.9.33.222
authentication DNS name    = authent.company.com
For more information about this command, see the OmniSwitch CLI Reference Guide.
5 Configure the switch to communicate with the authentication servers. Use the aaa radius-server or
aaa ldap-server command. For example:
-> aaa radius-server rad1 host 10.10.1.2 key wwwtoe timeout 3
-> aaa ldap-server ldap2 host 199.1.1.1 dn manager password foo base c=us
See Chapter 21, “Managing Authentication Servers,” for more information about setting up external servers for authentication.
6 Enable authentication by specifying the authentication mode (single mode or multiple mode) and the
server. Use the RADIUS or LDAP server name(s) configured in step 5. For example:
-> aaa authentication vlan single-mode rad1 rad2
7 Set up an accounting server (for RADIUS or LDAP) for authentication sessions.
-> aaa accounting vlan rad3 local
Note. Verify the authentication server configuration by entering the show aaa authentication vlan
command or verify the accounting server configuration by entering the show aaa accounting vlan
command. For example:
-> show aaa authentication vlan
All authenticated vlans
1rst authentication server = rad1,
2nd authentication server  = ldap2
-> show aaa accounting vlan
All authenticated vlans
1rst authentication server = rad3,
2nd authentication server  = local
For more information about these commands, see the OmniSwitch CLI Reference Guide.
Setting Up Authentication Clients
The following sections describe the Telnet authentication client, Web browser authentication client, and
Alcatel’s proprietary AV-Client. For information about removing a particular client from an authenticated
network, see “Removing a User From an Authenticated Network” on page 22-26.
An overview of authentication clients is given in the following table:
Type of Client      Secure     Single    IP Address  IP Release/  Platforms Supported
                               Sign-on   Required    Renew
AV-Client           no         yes       no          automatic    Windows only (except ME)
Telnet              no         no        yes         manual       Windows
                                                                  Linux
                                                                  Mac OS 9.x (no Telnet by default)
                                                                  Mac OS X.1
Web Browser (HTTP)  yes (SSL)  no        yes         automatic    Windows (IE version 4.72 and later;
                                                                  Netscape version 4.7 and later)
                                                                  Linux (Netscape version 4.75 and later)
                                                                  Mac OS 9.x (IE versions 5.5 and later,
                                                                  including 5.0 and 5.14)
                                                                  Mac OS X.1 (IE versions between 5.0
                                                                  and 5.5, except 5.0, 5.5, and 5.14)
Telnet Authentication Client
Telnet clients authenticate through a Telnet session.
• Make sure a Telnet client is available on the client station. No specialized authentication client
software is required on Telnet client workstations.
• Provide an IP address for the client. Telnet clients require an address prior to authentication. The
address may be statically assigned if the authentication network is set up in single authority mode with
one authenticated VLAN. The address may be assigned dynamically if a DHCP server is located in the
network. DHCP is required in networks with multiple authenticated VLANs.
• Configure a DHCP server. Telnet clients may get IP addresses via a DHCP server prior to authenti-
cating or after authentication in order to move into a different VLAN. When multiple authenticated
VLANs are configured, after the client authenticates the client must issue a DHCP release/renew
request in order to be moved into the correct VLAN. Typically Telnet clients cannot automatically do a
release/renew and must be manually configured. For information about configuring the DHCP server,
see “Setting Up the DHCP Server” on page 22-29.
Web Browser Authentication Client
Web browser clients authenticate through the switch via any standard Web browser software (Netscape
Navigator or Internet Explorer).
• Make sure a standard browser is available on the client station. No specialized client software is
required.
• Provide an IP address for the client. Web browser clients require an address prior to authentication.
The address may be statically assigned if the authentication network is set up in single authority mode
with one authenticated VLAN. The address may be assigned dynamically if a DHCP server is located
in the network. DHCP is required in networks with multiple authenticated VLANs.
• Configure a DHCP server. Web browser clients may get IP addresses via a DHCP server prior to
authenticating or after authentication in order to move into a different VLAN. When multiple authenticated VLANs are configured, after the client authenticates the client must issue a DHCP release/renew
request in order to be moved into the correct VLAN. Web browser clients automatically issue DHCP
release/renew requests after authentication. For more information, see “Setting Up the DHCP Server”
on page 22-29.
• Configure a DNS name on the switch. A DNS name must be configured so that users may enter a
URL rather than an IP address in the browser command line. For more information, see “Setting Up a
DNS Path” on page 22-29.
Configuring the Web Browser Client Language File
If you want the Web browser client to display the username and password prompts in another language,
modify the label.txt file with the desired prompts.
The label.txt file is available in the /flash/switch directory when you install the Ksecu.img file as
described in the next section.
The file may be edited with any text editor, and the format of the username and password prompts is as
follows:
Username="username_string"
Password="password_string"
Use the aaa avlan http language command to enable this file. For example:
-> aaa avlan http language
The label.txt file will be used for Web browser authentication clients.
Note. If you want to return to the default language (English) for the Web browser prompts, delete the
contents of the file.
Required Files for Web Browser Clients
Make sure the /flash/switch/avlan directory is available on the switch. The directory must be manually
installed using the install command to load Ksecu.img. The Ksecu.img file is available in the working
directory on the switch. When the Ksecu.img file is installed, the /flash/switch/avlan directory will be
available on the switch.
Important. When you install the Ksecu.img file after initial installation, any files in the /flash/switch/
avlan directory will be overwritten.
The /flash/switch/avlan directory contains authentication HTML pages for the client that may be modified
(to include a company logo, for example). The names of these files are: topA.html, topB.html,
bottomA.html, bottomB.html, and myLogo.gif.
The directory also contains files that must be installed on Mac OS Web browser clients as described in the
next sections.
Installing Files for Mac OS 9.x Clients
1 In the browser URL command line, enter the authentication DNS name (configured through the aaa
avlan dns command). The authentication page displays.
2 Click on the link to download the installation software. The javlanInstall.sit file is copied to the Mac
desktop.
3 Double-click the javlanInstall.sit file on the desktop.
4 Double-click on the javlanInstall AppleScript application inside the newly created directory. The
workstation is now set up for authentication.
Installing Files for Mac OSX.1 Clients
The installation must be done at the root. Root access is not automatic in OSX.1. A password must be set
to activate it.
Disconnect the Mac’s network connection before setting root access. Otherwise, the NetInfo Manager
application in the Mac OS will send multiple DNS requests, and the process to set root access will take
longer.
To set root access:
1 Open the NetInfo Manager from the HardDisk/Application/Utilities folder.
2 Select Domain > Security > Authenticate. Enter the administrator’s password if required.
3 Select Domain > Security > Enable Root. Enter the password.
4 Select System Preferences/Login and select the login prompt to display when opening a new session.
5 Quit the current session and log on again as the root user.
6 Make sure Ethernet-DHCP is selected in the Network Utility.
7 Reconnect the Ethernet cable.
8 If you are using a self-signed SSL certificate, or the certificate provided by Alcatel (wv-cert.pem), see
“DNS Name and Web Browser Clients” on page 22-11.
To set up the Mac OSX.1 for authentication:
1 In the browser URL command line, enter the DNS name configured on the switch (see the next section
for setting up the DNS name for Mac OSX clients). The authentication page displays.
2 Click on the link to download the installation software. The avlanInstall.tar file is copied to the Mac
desktop.
3 Double-click on the avlanInstall.tar file.
4 Make sure that Java is enabled in the browser application.
5 Make sure the SSL certificate is installed correctly (see “SSL for Web Browser Clients” on
page 22-11) and that the DNS name configured on the switch matches the DNS name in the certificate (see
“DNS Name and Web Browser Clients” on page 22-11).
SSL for Web Browser Clients
A Secure Socket Layer (SSL) is used to authenticate Web browser clients. A certificate from a Certification Authority (CA) or a self-signed (private) certificate must be installed on the switch. A self-signed
certificate is provided by Alcatel (wv-cert.pem). If you are using a well-known certificate or some other
self-signed certificate, you should replace the wv-cert.pem file with the relevant file.
Web browser clients will automatically recognize well-known SSL certificates, but if a self-signed certificate (such as the wv-cert.pem file) is used, the client will not automatically recognize the certificate.
Windows, Linux, and Mac OS 9 Clients
If you are using the wv-cert.pem file or another self-signed certificate, the client will not recognize the
certificate, and a warning message will display on the client; however, the client will be allowed to
authenticate.
Mac OSX.1 Clients
On Mac OSX.1, if you are using the wv-cert.pem file or another self-signed certificate, the certificate file
must be FTP’d to the workstation and installed with the keytool command as follows:
1 FTP the wv-cert.pem file (or the relevant certificate file) from the /flash/switch directory on the switch
to the workstation.
2 On the Mac workstation, open a Terminal application at the root (see the previous section for
information about enabling root access). Enter the following command:
keytool -import -keystore <path to JDK installation>/lib/security/cacerts -alias ALCATEL_AVLAN -file <path to certificate file>
For example:
keytool -import -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Home/lib/security/cacerts -alias ALCATEL_AVLAN -file /Users/endalat/Desktop/wv-cert.pem
Note. The keytool command requires a password. By default, the password is changeit.
DNS Name and Web Browser Clients
For Mac OSX.1 clients, the DNS name in the certificate must match the DNS name configured on the
switch through the aaa avlan dns command. If the DNS names do not match, the Java applet in the client
cannot be loaded and the client cannot authenticate. (For other clients, if the DNS names do not match, a
warning will display when the client attempts to authenticate; however, the client is still allowed to
authenticate.)
The wv-cert.pem certificate contains a default DNS name (webview). To configure the DNS name on the
switch, enter the aaa avlan dns command with the DNS name matching the one in the certificate. For
example:
-> aaa avlan dns webview
On the browser workstation, the authentication user must enter the DNS name in the browser command
line to display the authentication page.
For more information about configuring a DNS name, see “Setting Up a DNS Path” on page 22-29.
Installing the AV-Client
The AV-Client is a proprietary Windows-based application that is installed on client end stations. The
installation instructions are provided in this chapter.
The AV-Client does not require an IP address in order to authenticate; the client relies on the DLC protocol (rather than IP) to communicate with the authentication agent in the switch. After authentication, the
client may issue a DHCP release/renew request to get an IP address; a utility in the client software may be
used to configure this automatic request. For information about configuring the utility, see “Configuring
the AV-Client Utility” on page 22-18.
The AV-Client software requires three main installation steps as listed here. These steps are slightly different depending on the version of Windows you are using.
• Load the Microsoft DLC protocol stack. See “Loading the Microsoft DLC Protocol Stack” on
page 22-12.
• Load the AV-Client software. See “Loading the AV-Client Software” on page 22-13.
• Set the AV-Client as primary network login (Windows 95 and 98). See “Setting the AV-Client as
Primary Network Login” on page 22-18.
• Configure the AV-Client for DHCP (optional). See “Configuring the AV-Client Utility” on
page 22-18.
Loading the Microsoft DLC Protocol Stack
Windows 2000 and Windows NT
You must have the DLC protocol installed on your Windows PC workstation before you install the AV-Client. The installation of the DLC protocol stack may require files from the Windows distribution software. Make sure to have your Windows media available during this procedure. Follow these steps to load
the protocol on a Windows workstation.
1 From your Windows desktop, select Start > Settings > Control Panel.
2 Double-click the Network icon. When the Network window opens, select the Protocols tab.
3 Click the Add button and the Select Network Protocol window appears.
4 Select the DLC protocol from the list of Network Protocols. Click OK.
5 Follow the screen prompts requesting Windows files.
Windows 98
1 From your Windows desktop, select Start > Settings > Control Panel.
2 Double-click the Network icon. When the Network window opens, select the Configuration tab.
3 Click the Add button and the Select Network Component Type window appears.
4 Select Protocol and click the Add button.
5 When the Select Network Protocol window appears, select Microsoft from the list of manufacturers
and Microsoft 32-bit DLC from the list of Network Protocols. Click OK.
6 Follow the prompts requesting Windows files.
Windows 95
Install the 32-bit DLC protocol program and the update patch from the Microsoft FTP site
(ftp.microsoft.com). From the FTP site, download the MSDLC32.EXE and DLC32UPD.EXE files (or the
latest DLC protocol update). These files are self-extracting zip files. Follow these steps:
1 Double-click the MSDLC32.EXE file in the folder to which you want to download the file.
Note. Do not run the MSDLC32.EXE file in the Windows or Windows/System folders. If you downloaded
the file to either of these locations, copy it to a temporary folder on your hard disk or copy it to an installation diskette before double-clicking on it.
2 From your Windows desktop, select Start > Settings > Control Panel.
3 Double-click the Network icon in the Control Panel.
4 In the Network dialog box, click on the Add button.
5 In the Select Network Component Type dialog box, double-click on the Protocol network component.
6 In the Select Network Protocol dialog box, click on the Have Disk button.
7 Specify the drive and path where the MSDLC32.EXE files (you should have already extracted them)
are located. For example, if you created an installation diskette, you would enter
<drive letter>:\
If you created a temporary folder on your hard disk, then you would enter
C:\<folder name>
where folder name is the directory or path into which you copied the MSDLC32.EXE files. Click OK.
8 Click “Microsoft 32-bit DLC”, then click OK again.
9 When prompted, insert the Windows 95 disks so that other network components can be reinstalled.
10 When prompted, shut down your computer and restart Windows 95. This restart is required for the
DLC protocol stack to load on the system.
11 Next, the DLC protocol stack update must be loaded. Double click the DLC32UPD.EXE file. The
program will install itself. After installing the update, it is recommended that the system be rebooted.
Loading the AV-Client Software
Windows 2000 and Windows NT
1 Download the AV-Client from the Alcatel website onto the Windows desktop.
2 Double-click the AV-Client icon. The installation routine begins and the following window displays:
3 We recommend that you follow the instructions on the screen regarding closing all Windows programs
before proceeding with the installation. Click on the Next button. The following window displays.
4 From this window you may install the client at the default destination folder shown on the screen or
you may click the Browse button to select a different directory. Click on the Next button. The software
loads, and the following window displays.
5 This window gives you the option of restarting your PC workstation now, or later. You cannot use the
AV-Client until you restart your computer. If you decide to restart now, be sure to remove any disks from
their drives. Click the Finish button to end the installation procedure.
Windows 95 and Windows 98
1 Download the AV-Client from the Alcatel website onto the Windows desktop.
2 Double-click the AV-Client icon. The installation routine begins and the following window displays:
3 We recommend that you follow the instructions on the screen regarding closing all Windows programs
before proceeding with the installation. Click on the Next button. The following window displays:
4 From this window you may install the client at the default destination folder shown on the screen or
you may click the Browse button to select a different directory. Click on the Next button. The software
loads, and the following window displays.
5 This window recommends that you read a text file included with the client before you exit the install
shield. Click on the box next to “View the single sign-on Notes” to select this option. Click on the Finish
button to end the installation process. Remember that you must restart your computer before you can run
the AV-Client.
Setting the AV-Client as Primary Network Login
Windows 95 and Windows 98
If your operating system is Windows 95 or Windows 98, you must configure the AV-Client as the primary
network login. This is done via the Windows Control Panel. From your Windows desktop, select Start >
Settings > Control Panel. Double-click on the Network icon on the Control Panel window. From the
Configuration Tab, proceed as follows:
1 Click the Add button.
2 Select the “Client” from the list and click the Add button. The “Select Network Client Window”
displays.
3 You can click the Have Disk button, enter the correct path for your disk drive in the space provided
and click OK. You can also browse to the directory where the AV-Client is installed and click OK. Select
“Alcatel AVLAN Login Provider”.
4 Select Alcatel AVLAN Login Provider as the Primary Network Login on the Configuration tab.
5 Complete the setup as prompted by Windows.
Note. Make sure to have your Windows 95 or 98 media available during this procedure.
Configuring the AV-Client Utility
The AV-Client includes a utility for configuring client options. To run the utility, install the AV-Client and
reboot the PC workstation. From your Windows desktop, select Start > Settings > Control Panel. Double-click on the Authenticated VLANs Client icon in the Control Panel window. You can also access the utility by pointing your mouse to the AV-Client icon on the Windows system tray and executing a right click
to select Settings. The following screen displays:
Selecting a Dialog Mode
The AV-Client has two dialog modes, basic and extended. In basic dialog mode, the client prompts the
user for a username and a password only. In extended mode, which is required for multiple authority
authentication, the client login screen also prompts the user for a VLAN number and optional challenge
code. These additional authentication parameters are defined when the authentication server is configured
in multiple authority mode.
You can set the dialog mode from the AV-Client’s Control Panel Window. The basic dialog mode is
enabled by default. To enable extended mode, de-select basic mode by clicking “Basic dialog mode.” The
Apply button will activate. Click the Apply button. The next time the AV-Client is started extended mode
will be enabled.
Enabling/disabling the AV-Client at Startup
1 To enable/disable the AV-Client at startup, from your Windows desktop, select Start, Settings, Control
Panel to access the AV-Client configuration utility. Select the AV-Client tab.
2 Click on the box next to “Enable AV-Client Service at Logon.” The check mark in the box will disappear
and the Apply button will activate.
3 To apply the change, click the Apply button. When you click the OK button, the screen will close, the
change will take effect and the AV-Client will be disabled at logon. If you decide not to implement the
change, click the Cancel button and the screen will close.
Note. If you disable the AV-Client at startup, you can activate VLAN authentication by pointing your
mouse to the AV-Client icon on the Windows system tray and right-clicking to select Logon.
Automatic Client or NOS Logoff
The default configuration of the client is to log off the authentication client when the user logs off the desktop. You can configure the client so that the workstation is automatically logged off when the user logs off.
To set this option, access the AV-Client configuration utility and click the box next to the “Automatically
log client off or NOS logoff” option. When the option activates, you then have the option of setting a time
delay between the moment the user logs off the workstation and the moment the client logs out of server
operations.
Note. If the user reboots the PC workstation, the client’s session with the network server is automatically
terminated.
Viewing AV-Client Components
The configuration utility includes a screen that lists each component, version and build date for the AV-Client. To view this screen, click on the Version tab and a screen similar to the following will display.
Logging Into the Network Through an AV-Client
Once the AV-Client software has been loaded on a user’s PC workstation, an AV-Client icon will be
created on the Windows desktop in the task bar. Follow these steps to log into the authentication network:
1 Right click the AV-Client icon and select Logon. The following login screen displays:
2 Enter the user name for this device in the “Login Name?” field. This user name is configured on the
authentication server.
3 Enter the password for this user in the “Password?” field. If the client is set up for basic dialog mode
and the user enters the correct password, the user is authenticated. If the client is set up for extended mode,
the user will be prompted to enter the VLAN ID and challenge. After all required user information is
entered, the following message displays:
User xxxx authenticated by <Authentication Type> authentication
The user is now logged into the network and has access to all network resources in the VLAN with which
this user shares membership.
Note. If authentication is successful but an error was made while configuring VLANs, the user station
may not move into the VLAN the user requested.
Logging Off the AV-Client
1 To log off the AV-Client, point your mouse to the AV-Client icon in your Windows system tray and
execute a right-click to select Logoff. The following screen displays.
2 To continue the procedure, click the Logoff button. The following screen indicates that the AV-Client
is sending a logoff request to the authentication server.
The next message on the screen indicates that the AV-Client is requesting an IP address in the default
VLAN. The client is removed from the authenticated VLAN and placed in the default VLAN.
When the AV-Client is logged into the network, the AV-Client icon on the Windows desktop has a
blue background. When the logoff procedure is completed, the screen disappears and the background
is gone from the AV-Client icon.
Configuring the AV-Client for DHCP
For an AV-Client, DHCP configuration is not required. AV-Clients do not require an IP address to authenticate, but they need an IP address for IP communication in an authenticated VLAN.
Note. If the AV-Client will be used with DHCP, the DHCP server must be configured as described in
“Setting Up the DHCP Server” on page 22-29.
At startup, an AV-Client user PC workstation will issue a Windows DHCP request if the AV-Client’s
DHCP release/renew feature is enabled. This feature is disabled by default. The AV-Client is capable of
obtaining an address from the default client VLAN or whatever VLAN it authenticates into if a DHCP
server is located in the VLAN.
The DHCP tab of the configuration utility gives you several options for managing DHCP when it is
enabled. You also have the option of disabling DHCP operations.
Delay for IP Address Request
• You can specify a delay between the moment the client workstation moves into an authentication
VLAN and the moment a DHCP request is issued for an IP address.
• You can specify a delay between the moment the client workstation moves into the default VLAN and
the moment a DHCP request is issued for an IP address.
Releasing the IP Address
• You can specify a delay between the moment the client workstation logs off the network and the
DHCP releases the IP address assigned to the client.
• You can configure the utility so that DHCP releases the IP address before the client workstation leaves
the default VLAN.
Note. A delay between DHCP release and client logoff is recommended because the DHCP server’s MAC
address may be timed out in the AV-Client’s ARP table. If that is the case, the client must send an ARP
packet to discover the DHCP server’s MAC address before it can send the release packet. If the logoff
packet is sent to the switch before the release packet gets sent, then the IP address will never be released.
Increasing the value of the delay parameter can prevent this from happening.
1 To configure the DHCP parameters, access the AV-Client configuration utility and select the DHCP
tab. The following screen displays:
2 Click the box next to “Enable DHCP Operations”. Several options will activate in the utility window as
shown in the following screen. When you click on a box next to an option, the option is activated in the
configuration window.
3 When you click one of the features, an indicator is activated directly below the feature. Specify the
number of seconds for the delay for the selected feature.
4 To apply the change, click the Apply button. When you click the OK button, the screen will close and
the change will take effect. If you decide not to implement the change, click the Cancel button and the
screen will close without implementing a change.
Configuring Authenticated VLANs
At least one authenticated VLAN must be configured on the switch. For more information about VLANs
in general, see Chapter 5, “Configuring VLANs.”
To configure an authenticated VLAN, use the vlan authentication command to enable authentication on
an existing VLAN. For example:
-> vlan 2 authentication enable
Note that the specified VLAN (in this case, VLAN 2) must already exist on the switch. A router port must
also be configured for the VLAN (with the ip interface command) so that a DHCP relay may be set up.
For example (the interface name vlan-2 and the /24 mask are placeholders chosen for this example):
-> ip interface vlan-2 address 10.10.2.20 mask 255.255.255.0 vlan 2
See “Setting Up the DHCP Server” on page 22-29 for more information about setting up a DHCP server.
Removing a User From an Authenticated Network
To remove a user from authenticated VLANs, enter the aaa avlan no command with the user’s MAC
address. If the user’s MAC address is unknown, enter the show avlan user command first. Specify the
VLAN ID or slot number to get information about a particular VLAN or slot only. For example:
-> show avlan user 23
name      Mac Address          Slot   Port   Vlan
---------------------------------------------------------------
user1     00:20:da:05:f6:23    02     02     23
In this example, user1 is authenticated into VLAN 23 and is using MAC address 00:20:da:05:f6:23. To
remove user1 from authenticated VLAN 23, enter the aaa avlan no command with the MAC address. For
example:
-> aaa avlan no 00:20:da:05:f6:23
When this command is entered, user1 will be removed from VLAN 23. If the switch is set up so that
authenticated users may traffic in the default VLAN, the user will be placed into the default VLAN of the
authentication port. (See “Setting Up the Default VLAN for Authentication Clients” on page 22-27 for
information about setting up the switch so that authentication clients may traffic in the default VLAN prior
to authentication.)
For more information about the output display for the aaa avlan no and show avlan user commands, see
the OmniSwitch CLI Reference Guide.
Note. The MAC addresses of users may also be found in the log files generated by accounting servers.
Configuring Authentication IP Addresses
Authentication clients connect to an IP address on the switch for authentication. (Web browser clients may
enter a DNS name rather than the IP address; see “Setting Up a DNS Path” on page 22-29). When the
router port is set up for an authenticated VLAN (through the ip interface command), the switch automatically sets up an authentication address for that authenticated VLAN based on the router port address. The
authentication address uses the same mask as the router port address and includes .253 at the end of the
address.
For example, if the router port address for authenticated VLAN 3 is 10.10.2.20, the authentication address
will be 10.10.2.253. This address is modifiable through the avlan auth-ip command; the address,
however, must use the same mask as the router port address. For example:
-> avlan auth-ip 3 10.10.2.80
This changes the authentication address for VLAN 3 to 10.10.2.80. The authentication IP address is also
used for the DNS address (see “Setting Up a DNS Path” on page 22-29).
Note. When modifying the authentication address for a specific VLAN, make sure that the new address
does not match an IP router interface address for the same VLAN. IP address resolution problems can
occur if these two addresses are not unique.
To display authentication addresses, use the show aaa avlan auth-ip command.
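The derivation and the two constraints above (same mask as the router port, and no collision with the router interface address) are easy to get wrong by hand when a VLAN does not use a /24. The following is an added example written for this page, not code from the guide or from Alcatel: it computes the default authentication address the switch derives, validates a replacement address before it is applied with avlan auth-ip, and refuses subnets too small to hold a .253 host rather than guessing what the switch would do there (the guide documents only the .253 rule). Function names are this example's own.

```python
"""Authentication-address helper for OmniSwitch authenticated VLANs.

Added example, not code from the OmniSwitch guide or from Alcatel. It models
the two rules the guide states: the switch derives an authentication address
from the VLAN's router interface address by keeping the mask and ending the
address in .253, and an address set with 'avlan auth-ip' must keep the router
interface's mask and must not equal the router interface address.
"""
import ipaddress


def default_auth_ip(router_ip: str, mask: str) -> str:
    """Return the authentication address the switch derives by default.

    The guide only documents the '.253' rule, which assumes the host .253
    exists in the router interface's subnet. For a subnet too small to
    contain it (e.g. a /26) this helper refuses instead of guessing.
    """
    iface = ipaddress.IPv4Interface(f"{router_ip}/{mask}")
    octets = router_ip.split(".")
    octets[-1] = "253"
    candidate = ipaddress.IPv4Address(".".join(octets))
    net = iface.network
    if candidate not in net or candidate == net.broadcast_address:
        raise ValueError(
            f"{candidate} is not a usable host in {net}; set the address "
            "explicitly with 'avlan auth-ip'")
    return str(candidate)


def validate_auth_ip(router_ip: str, mask: str, new_ip: str):
    """Check an address before issuing 'avlan auth-ip <vlan> <new_ip>'.

    Returns (ok, reason). Rejects addresses outside the router interface's
    subnet (different mask/network), the network and broadcast addresses,
    and the router interface address itself, which the guide warns causes
    IP address resolution problems.
    """
    router = ipaddress.IPv4Interface(f"{router_ip}/{mask}")
    addr = ipaddress.IPv4Address(new_ip)
    net = router.network
    if addr not in net:
        return False, f"{addr} is outside {net}; it must use the same mask and network"
    if addr in (net.network_address, net.broadcast_address):
        return False, f"{addr} is the network or broadcast address of {net}"
    if addr == router.ip:
        return False, f"{addr} is the router interface address of this VLAN"
    return True, "ok"


def auth_ip_command(vlan_id: int, router_ip: str, mask: str, new_ip: str) -> str:
    """Return the CLI line to apply, or raise ValueError if the address is invalid."""
    ok, reason = validate_auth_ip(router_ip, mask, new_ip)
    if not ok:
        raise ValueError(reason)
    return f"avlan auth-ip {vlan_id} {new_ip}"


if __name__ == "__main__":
    print(default_auth_ip("10.10.2.20", "255.255.255.0"))      # 10.10.2.253
    print(auth_ip_command(3, "10.10.2.20", "255.255.255.0", "10.10.2.80"))
    print(validate_auth_ip("10.10.2.20", "255.255.255.0", "10.10.2.20"))
```

Run validate_auth_ip against the output of show aaa avlan auth-ip and the VLAN's ip interface before changing an address; the router-address collision it rejects is exactly the case the note above warns about.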
Setting Up the Default VLAN for Authentication Clients
By default, authentication users cannot traffic in the default VLAN prior to authentication; however, the
switch may be configured to enable the default VLAN so that users may traffic in the default VLAN prior
to authentication.
The default VLAN is the default VLAN for the authentication port, the physical port through which
authentication clients are connected to the switch. The authentication port is specified through the vlan
port authenticate command. See “Configuring Authenticated Ports” on page 22-28.
Use the avlan default-traffic command to enable the default VLAN for authentication traffic.
-> avlan default-traffic enable
When this command is enabled, any authentication client initially belongs to the default VLAN of the
authentication port through which the client is connected. After authentication, if a client is removed from
an authenticated VLAN through the aaa avlan no command, the client is moved to the default VLAN.
To disable any default VLAN for authentication traffic, use the disable keyword with the command:
-> avlan default-traffic disable
WARNING: Traffic on default vlan is DISABLED.
Existing users on default vlan are not flushed.
Users now do not belong to and cannot traffic in the default VLAN prior to authentication. Note that any
existing users in the default VLAN are not flushed.
Port Binding and Authenticated VLANs
By default, authenticated VLANs do not support port binding rules. These rules are used for assigning
devices to authenticated VLANs when device traffic coming in on an authenticated port matches criteria
specified in the rule.
You can globally enable the switch so that port binding rules may be enabled on any authenticated VLAN
on the switch.
The port binding rule types that are allowed on authenticated VLANs are as follows:
• MAC-Port-IP address
• MAC-Port
The MAC-port-protocol, MAC-IP address, port-IP address, and Port-Protocol binding rules are not
supported on authenticated VLANs. In addition to the above binding rule types, however, a MAC range
rule may also be applied to authenticated ports. For more information about port binding and MAC range
rules and how to configure them, see Chapter 9, “Defining VLAN Rules.”
To enable port binding and MAC range rules on authenticated VLANs, use the avlan port-bound
command with the enable keyword.
-> avlan port-bound enable
This command allows the port binding rules listed above (MAC-Port-IP address and MAC-Port) and
MAC range rules to be used on any authenticated VLAN.
To disable port binding rules on authenticated VLANs, use the disable keyword with the command:
-> avlan port-bound disable
This command disables port binding rules on all authenticated VLANs.
Configuring Authenticated Ports
At least one mobile port must be configured as the physical port through which authentication clients
connect to the switch.
To create a mobile port, use the vlan port mobile command.
-> vlan port mobile 3/1
To enable authentication on the mobile port, use the vlan port authenticate command:
-> vlan port 3/1 authenticate enable
For more information about configuring VLAN ports, see Chapter 7, “Assigning Ports to VLANs.”
By default, authentication clients cannot traffic in the default VLAN for the authentication port unless the
avlan default-traffic command is enabled. See “Setting Up the Default VLAN for Authentication
Clients” on page 22-27.
Setting Up a DNS Path
A Domain Name Server (DNS) name may be configured so that Web browser clients may enter a URL on
the browser command line instead of an authentication IP address. A Domain Name Server must be set up
in the network for resolving the name to the authentication IP address.
There may be multiple authentication IP addresses on the switch (if multiple authenticated VLANs are set
up); however, there is only one authentication DNS path or host name. When the client enters the DNS
path, the switch determines the IP authentication address based on the client’s IP address, and the browser
authentication page is displayed.
Typically the client address is provided by DHCP; DHCP also supplies DNS IP addresses to the client.
(The DHCP server must be configured with DNS addresses that correspond to the authenticated VLANs.)
See “Setting Up the DHCP Server” on page 22-29 for more information about DHCP and authentication.
For more information about authentication IP addresses, see “Configuring Authentication IP Addresses”
on page 22-27.
To configure a DNS path, use the aaa avlan dns command. For example:
-> aaa avlan dns name auth.company
When this command is configured, a Web browser client may enter auth.company in the browser
command line to initiate the authentication process.
To remove a DNS path from the configuration, use the no form of the command. For example:
-> no aaa avlan dns
The DNS path is removed from the configuration, and Web browser clients must enter the authentication
IP address to initiate the authentication process.
Setting Up the DHCP Server
DHCP is a convenient way to assign IP addresses to an authentication client. DHCP will also serve DNS
IP addresses to clients.
There may be one DHCP server that serves all authenticated VLANs or a DHCP server for each authenticated VLAN. The DHCP server may be located in the default VLAN, an authenticated VLAN, or both.
Typically a DHCP server is located in an authenticated VLAN. Each server must be configured with IP
addresses corresponding to the authenticated VLANs for which it will serve addresses.
A DHCP relay must be set up if authentication clients and the DHCP server are located in different
VLANs, or if authentication clients do not belong to any VLAN. Telnet and Web browser authentication
clients require IP addresses prior to authentication as well as after authenticating. The relay may be used to
serve IP addresses both before and after authentication.
Note. For more information about configuring DHCP relay in general, see Chapter 18, “Configuring
DHCP Relay.”
Before Authentication
Normally, authentication clients cannot traffic in the default VLAN, so authentication clients do not
belong to any VLAN when they connect to the switch. Even if DHCP relay is enabled, the DHCP discovery process cannot take place. To address this issue, a DHCP gateway address must be configured so that
the DHCP relay “knows” which router port address to use for serving initial IP addresses. (See “Configuring a DHCP Gateway for the Relay” on page 22-31 for information about configuring the gateway
address.)
Note. The switch may be set up so that authentication clients will belong to the default VLAN prior to
authentication (see “Setting Up the Default VLAN for Authentication Clients” on page 22-27). If a DHCP
server is located in the default VLAN, clients may obtain initial IP addresses from this server without
using a relay. However, the DHCP server is typically not located in a default VLAN because it is more
difficult to manage from an authenticated part of the network.
After Authentication
When the client authenticates, the client is moved into the allowed VLAN based on VLAN information
sent from an authentication server (single mode authority) or based on VLAN information configured
directly on the switch (multiple mode authority).
For information about authentication server authority modes, see “Configuring the Server Authority
Mode” on page 22-32.
After authentication a client may be moved into a VLAN in which the client’s current IP address does not
correspond. This will happen if the DHCP gateway address for assigning initial IP addresses is the router
port of an authenticated VLAN to which the client does not belong. (See “Configuring a DHCP Gateway
for the Relay” on page 22-31.)
In this case, clients will send DHCP release/renew requests to get an address in the authenticated VLAN to
which they have access; DHCP relay must be enabled so that the request can be forwarded to the appropriate VLAN.
Note. Telnet clients typically require manual configuration for IP address release/renew. Web browser
clients will initiate their release/renew process automatically.
Enabling DHCP Relay for Authentication Clients
To enable DHCP relay, specify the DHCP server with the ip helper address command.
-> ip helper address 10.10.2.3
DHCP relay is automatically enabled on the switch whenever a DHCP server address is defined. For more information about using the ip helper address command, see Chapter 18, “Configuring DHCP Relay.”
If multiple DHCP servers are used, one IP address must be configured for each server. The default VLAN
DHCP gateway must also be specified so that Telnet and Web browser clients can obtain IP addresses
prior to authentication. See the next section for more information.
If you want to specify that the relay only be used for packets coming in on an authenticated port, enter the
ip helper avlan only command.
-> ip helper avlan only
When this command is specified, the switch will act as a relay for authentication DHCP packets only; non-authentication DHCP packets will not be relayed. For more information about using the ip helper avlan
only command, see Chapter 18, “Configuring DHCP Relay.”
Configuring a DHCP Gateway for the Relay
The default authenticated VLAN DHCP gateway must also be configured through the aaa avlan default
dhcp command so that Telnet and Web browser clients can obtain IP addresses prior to authentication.
This gateway is a router port in any of the authenticated VLANs in the network. It specifies the scope into
which an authentication client receives an initial IP address. For example:
-> aaa avlan default dhcp 192.10.10.22
Telnet and Web browser clients will initially receive an IP address in this scope. (After authentication,
these clients may require a new IP address if they do not belong to the VLAN associated with this gateway address.)
To remove a gateway address from the configuration, use the no form of the aaa avlan default dhcp
command. For example:
-> no aaa avlan default dhcp
Configuring the Server Authority Mode
Authentication servers for Layer 2 authentication are configured in one of two modes: single authority or
multiple authority. Single authority mode uses a single list of servers (one primary server and up to three
backups) to poll with authentication requests. Multiple authority mode uses multiple lists of servers and
backups, one list for each authenticated VLAN.
Note. Only one mode is valid on the switch at one time.
At least one server must be configured in either mode. Up to three backup servers total may be specified.
The CLI commands required for specifying the servers are as follows:
aaa authentication vlan single-mode
aaa authentication vlan multiple-mode
Note. Each RADIUS and LDAP server may have an additional backup host of the same type configured through the aaa radius-server and aaa ldap-server commands.
In addition, the aaa accounting vlan command may be used to set up an accounting server or servers to
keep track of user session statistics. Setting up servers for accounting is described in “Specifying Accounting Servers” on page 22-35.
Configuring Single Mode
This mode should be used when all authenticated VLANs on the switch are using a single authentication
server (with optional backups) configured with VLAN information. When this mode is configured, a client
is authenticated into a particular VLAN or VLANs. (For the client to be authenticated into multiple
VLANs, each VLAN must be configured for a different protocol.)
When a client first makes a connection to the switch, the agent in the switch polls the authentication server
for a match with a client’s user name and password. If the authentication server is down, the first backup
server is polled. The switch uses the first available server to attempt to authenticate the user. (If a match is
not found on that server, the authentication attempt fails. The switch does not try the next server in the
list.)
If a match is found on the first available server, the authentication server sends a message to the agent in
the switch that includes the VLAN IDs to which the client is allowed access. The agent then moves the
MAC address of the client out of the default VLAN and into the appropriate authenticated VLAN(s).
In the illustration shown here, the Ethernet clients connect to the switch and initially belong to VLAN 1.
Additional VLANs have been configured as authenticated VLANs. LDAP and RADIUS servers are
configured with VLAN ID information for the clients.
[Figure: Authentication Network—Single Mode. Authentication clients connect to an OmniSwitch 9700 and initially belong to VLAN 1; Authenticated VLAN 2, Authenticated VLAN 3 and Authenticated VLAN 4 are configured on the switch, and the LDAP or RADIUS servers hold the VLAN ID information.]
To configure authentication in single mode, use the aaa authentication vlan command with the
single-mode keyword and the name(s) of the relevant server and any backups. At least one server must be
specified; the maximum is four servers. For example:
-> aaa authentication vlan single-mode ldap1 ldap2
In this example, authenticated VLANs are enabled on the switch in single mode. All authenticated VLANs
on the switch will use ldap1 to attempt to authenticate users. If ldap1 becomes unavailable, the switch
will use backup server ldap2. Both servers contain user information, including which VLANs users may
be authenticated through. (The servers must have been previously set up with the aaa ldap-server
command. For more information about setting up authentication servers, see Chapter 21, “Managing
Authentication Servers.”)
To disable authenticated VLANs, use the no form of the command. Note that the mode does not have to
be specified. For example:
-> no aaa authentication vlan
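The sections from “Configuring Authenticated VLANs” through “Configuring Single Mode” each show one command in isolation. The following is an added configuration fragment assembled for this page, not a configuration from the guide or from Alcatel, that puts the switch-side steps together in the order they depend on each other. It assumes VLAN 2 is the authenticated VLAN, port 3/1 is the client-facing port, 10.10.2.20/24 is VLAN 2’s router interface (the interface name vlan-2 is a placeholder), 10.10.2.3 is the DHCP server in the authenticated VLAN, auth.company is the DNS name clients will use, and ldap1 and ldap2 were created beforehand with aaa ldap-server. Lines beginning with “!” are comments.

```text
! Added example configuration for an authenticated VLAN on an OmniSwitch.
! Not from the guide; VLAN, port, addresses, names and servers are assumed.

! 1. The authenticated VLAN must exist, then authentication is enabled on it.
-> vlan 2
-> vlan 2 authentication enable

! 2. A router interface on the VLAN; the switch derives the authentication
!    address 10.10.2.253 from it (check with 'show aaa avlan auth-ip').
-> ip interface vlan-2 address 10.10.2.20 mask 255.255.255.0 vlan 2

! 3. The client-facing port must be mobile and authentication-enabled.
-> vlan port mobile 3/1
-> vlan port 3/1 authenticate enable

! 4. Keep the default: no traffic in the port's default VLAN before
!    authentication. Enable only if unauthenticated clients need the
!    default VLAN (e.g. a DHCP server that lives there).
-> avlan default-traffic disable

! 5. DHCP relay to the server in the authenticated VLAN, restricted to
!    packets arriving on authenticated ports, plus the gateway whose scope
!    hands Telnet/Web clients their pre-authentication address.
-> ip helper address 10.10.2.3
-> ip helper avlan only
-> aaa avlan default dhcp 10.10.2.20

! 6. DNS name that Web browser clients may type instead of the
!    authentication IP address (the DNS server must resolve it).
-> aaa avlan dns name auth.company

! 7. Single authority mode: ldap1 is primary, ldap2 the backup; the VLAN
!    membership for each user comes from the server.
-> aaa authentication vlan single-mode ldap1 ldap2

! Verification
-> show aaa avlan auth-ip
-> show avlan user
```

The order matters for the relay and gateway lines: the gateway given to aaa avlan default dhcp must be a router port of an existing authenticated VLAN, so steps 1 and 2 precede step 5. Because the DHCP scope used before authentication belongs to VLAN 2, a user that single mode places into a different VLAN will need to release and renew its address afterwards, as described under “After Authentication.”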
Configuring Multiple Mode
Multiple authority mode associates different servers with particular VLANs. This mode is typically used
when one party is providing the network and another is providing the server.
When this mode is configured, a client is first prompted to select a VLAN. After the VLAN is selected, the
client then enters a user name and password. The server configured for that particular authenticated VLAN
is polled for a match. (If the server is unavailable, the switch polls the first backup server, if one is configured.) If a match is not found on the first available server, the authentication attempt fails. If a match is
found, the client’s MAC address is moved into that VLAN.
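Both “Configuring Single Mode” and “Configuring Multiple Mode” describe the same polling rule: the switch asks the first server in the list that answers, and if that server has no matching user the login fails without consulting the remaining servers. The consequence is easy to miss when a backup server has users the primary lacks. The following is an added example written for this page, not switch code or code from Alcatel; it models that rule for both modes with constructed servers, users and passwords so the failure case can be seen directly.

```python
"""Model of OmniSwitch authentication-server polling in single and multiple
authority mode. Added example, not switch code. It follows the behaviour the
guide describes for both modes: the switch uses the first server in the list
that is reachable, asks only that server, and fails the login if that server
has no matching user. In single mode the server supplies the VLAN IDs; in
multiple mode the client chooses the VLAN first and each VLAN has its own
list. Server names, users and passwords below are constructed for the example.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    name: str
    up: bool = True
    # username -> (password, VLAN IDs the user may be authenticated into)
    users: dict = field(default_factory=dict)

    def lookup(self, username: str, password: str):
        """Return the user's VLAN list on a match, else None."""
        entry = self.users.get(username)
        if entry is None:
            return None
        stored_password, vlans = entry
        # Constant-time compare so a mismatch does not leak via timing.
        if not hmac.compare_digest(stored_password, password):
            return None
        return list(vlans)


def first_available(servers):
    """The switch polls the primary, then each backup, until one answers."""
    for server in servers:
        if server.up:
            return server
    return None


def authenticate_single_mode(servers, username, password):
    """One list (primary plus up to three backups) for all authenticated VLANs.

    Returns (vlans, message); vlans is None when the login fails.
    """
    if not 1 <= len(servers) <= 4:
        raise ValueError("single mode takes one primary and at most three backups")
    server = first_available(servers)
    if server is None:
        return None, "no authentication server reachable"
    vlans = server.lookup(username, password)
    if vlans is None:
        # The switch does not fall through to the next server on a miss.
        return None, f"{username} rejected by {server.name}"
    return vlans, f"User {username} authenticated by {server.name}"


def authenticate_multiple_mode(servers_by_vlan, vlan_id, username, password):
    """One server list per authenticated VLAN; the client selects the VLAN."""
    servers = servers_by_vlan.get(vlan_id)
    if not servers:
        return None, f"no servers configured for VLAN {vlan_id}"
    server = first_available(servers)
    if server is None:
        return None, f"no server for VLAN {vlan_id} reachable"
    if server.lookup(username, password) is None:
        return None, f"{username} rejected by {server.name} for VLAN {vlan_id}"
    # In multiple mode the server need not carry VLAN information; the
    # client is moved into the VLAN it selected.
    return [vlan_id], f"User {username} authenticated by {server.name}"


# Constructed sample data: ldap1 knows alice, the backup ldap2 knows bob.
LDAP1 = AuthServer("ldap1", users={"alice": ("s3cret", [2, 3])})
LDAP2 = AuthServer("ldap2", users={"bob": ("hunter2", [4])})
SINGLE = [LDAP1, LDAP2]
PER_VLAN = {2: [LDAP1], 4: [LDAP2]}

if __name__ == "__main__":
    print(authenticate_single_mode(SINGLE, "alice", "s3cret"))
    # bob exists only on the backup; while ldap1 answers, his login fails.
    print(authenticate_single_mode(SINGLE, "bob", "hunter2"))
    print(authenticate_single_mode([AuthServer("ldap1", up=False), LDAP2],
                                   "bob", "hunter2"))
    print(authenticate_multiple_mode(PER_VLAN, 4, "bob", "hunter2"))
```

The practical rule this illustrates: in single mode every server in the list must hold the same user database, otherwise which users can log in depends on which server happens to be reachable; a backup that knows different users is not a fallback, it is a source of intermittent login failures.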
A server in multiple authority mode does not have to be configured with VLAN information. If