Westermo OS Management Guide

Westermo OS Management Guide

RedFox Series

Wolverine Series

Lynx Series

Falcon Series

Viper Series

6101-3201

Westermo OS

Management Guide

WeOS

www.westermo.com

Westermo OS Management Guide

Version 4.17.1-0

Legal information

The contents of this document are provided ”as is”. Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy and reliability or contents of this document. Westermo reserves the right to revise this document or withdraw it at any time without prior notice.

Under no circumstances shall Westermo be responsible for any loss of data or income or any special, incidental, and consequential or indirect damages howsoever caused. More information about Westermo can be found at the following

Internet address: http://www.westermo.com

2

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Contents

Legal information

Table of Contents

I Introduction to WeOS and its Management Methods

1 Introduction

1.1 Westermo and its WeOS products

. . . . . . . . . . . . . . . . . . . . .

1.2 Getting Started

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1.3 Introduction to WeOS

. . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1.4 How to read this document

. . . . . . . . . . . . . . . . . . . . . . . . .

1.5 Westermo products running WeOS

. . . . . . . . . . . . . . . . . . . .

2 Quick Start

2.1 Starting the Switch for the First Time

. . . . . . . . . . . . . . . . . . .

2.2 Modifying the IP Setting

. . . . . . . . . . . . . . . . . . . . . . . . . . .

3 Overview of Management Methods

3.1 When to use the WeConfig tool

. . . . . . . . . . . . . . . . . . . . . . .

3.2 When to use the Web

. . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3.3 When to use the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4 Management via Web Interface

4.1 Document Conventions

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

4.2 Logging in

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4.3 Navigation

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4.4 System Overview

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5 Management via CLI

9

32

33

34

36

39

28

29

29

30

45

10

10

10

11

11

13

15

15

16

2

3

© 2015 Westermo Teleindustri AB

3

Westermo OS Management Guide

Version 4.17.1-0

5.1 Overview of the WeOS CLI hierarchy

. . . . . . . . . . . . . . . . . . .

5.2 Accessing the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5.3 Using the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5.4 General CLI commands

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

6 WeOS SNMP Support

6.1 Introduction and feature overview

. . . . . . . . . . . . . . . . . . . . .

6.2 Managing SNMP via the web interface

. . . . . . . . . . . . . . . . . .

6.3 Manage SNMP Settings via the CLI

. . . . . . . . . . . . . . . . . . . .

61

61

71

74

45

47

51

57

II Common Switch Services

78

7 General Switch Maintenance

79

7.1 Overview

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

79

7.2 Maintenance via the Web Interface

. . . . . . . . . . . . . . . . . . . .

115

7.3 Maintenance via the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . . .

129

8 Ethernet Port Management

163

8.1 Overview of Ethernet Port Management

. . . . . . . . . . . . . . . . .

163

8.2 Managing port settings via the web interface

. . . . . . . . . . . . .

178

8.3 Managing port settings via the CLI

. . . . . . . . . . . . . . . . . . . .

181

9 Ethernet Statistics

191

9.1 Ethernet Statistics Overview

. . . . . . . . . . . . . . . . . . . . . . . .

191

9.2 Statistics via the web interface

. . . . . . . . . . . . . . . . . . . . . . .

197

9.3 Statistics via the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

202

10 SHDSL Port Management

204

10.1 Overview of SHDSL Port Management

. . . . . . . . . . . . . . . . . .

204

10.2 Managing SHDSL ports via the web interface

. . . . . . . . . . . . .

210

10.3 Managing SHDSL ports via the CLI

. . . . . . . . . . . . . . . . . . . .

218

11 ADSL/VDSL Port Management

224

11.1 Overview of ADSL/VDSL Port Management

. . . . . . . . . . . . . . .

224

11.2 Managing ADSL/VDSL ports via the web interface

. . . . . . . . . .

238

11.3 Managing ADSL/VDSL ports via the CLI

. . . . . . . . . . . . . . . . .

250

12 Power Over Ethernet (PoE)

255

12.1 Overview of Power over Ethernet (PoE)

. . . . . . . . . . . . . . . . .

255

12.2 Managing PoE via the web interface

. . . . . . . . . . . . . . . . . . .

259

12.3 Managing PoE via the CLI interface

. . . . . . . . . . . . . . . . . . . .

263

4

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

13 Virtual LAN

268

13.1 VLAN Properties and Management Features

. . . . . . . . . . . . . .

268

13.2 Port-based network access control

. . . . . . . . . . . . . . . . . . . .

279

13.3 Managing VLAN settings via the web interface

. . . . . . . . . . . .

284

13.4 Managing VLAN settings via the CLI

. . . . . . . . . . . . . . . . . . .

294

14 FRNT

306

14.1 Overview of the FRNT protocol and its features

. . . . . . . . . . . .

306

14.2 FRNT and RSTP coexistence

. . . . . . . . . . . . . . . . . . . . . . . . .

309

14.3 Managing FRNT settings via the web interface

. . . . . . . . . . . . .

311

14.4 Managing FRNT settings via the CLI

. . . . . . . . . . . . . . . . . . . .

317

15 Ring Coupling and Dual Homing

320

15.1 Overview

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

321

15.2 Managing via the Web

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

333

15.3 Managing via CLI

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

337

15.4 Feature Parameters

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

346

16 Spanning Tree Protocol - RSTP and STP

347

16.1 Overview of RSTP/STP features

. . . . . . . . . . . . . . . . . . . . . . .

347

16.2 Managing RSTP via the web interface

. . . . . . . . . . . . . . . . . .

353

16.3 Managing RSTP via the CLI

. . . . . . . . . . . . . . . . . . . . . . . . .

357

17 Link Aggregation

362

17.1 Link Aggregation Support in WeOS

. . . . . . . . . . . . . . . . . . . .

362

17.2 Managing Link Aggregation via the Web

. . . . . . . . . . . . . . . . .

372

17.3 Managing Link Aggregation via CLI

. . . . . . . . . . . . . . . . . . . .

376

18 Multicast in Switched Networks

381

18.1 Overview

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

381

18.2 Managing IGMP in the Web Interface

. . . . . . . . . . . . . . . . . . .

387

18.3 Managing IGMP in the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . .

389

19 General Network Settings

393

19.1 Overview

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

393

19.2 Network interfaces

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

394

19.3 General IP settings

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

409

19.4 Managing network interfaces via the web

. . . . . . . . . . . . . . . .

412

19.5 Managing general IP settings via the web

. . . . . . . . . . . . . . . .

418

19.6 Managing network interfaces via the CLI

. . . . . . . . . . . . . . . .

423

19.7 Managing general IP settings via the CLI

. . . . . . . . . . . . . . . .

431

© 2015 Westermo Teleindustri AB

5

Westermo OS Management Guide

Version 4.17.1-0

20 General System Settings

445

20.1 Managing switch identity via Web

. . . . . . . . . . . . . . . . . . . . .

446

20.2 Managing switch identity information via CLI

. . . . . . . . . . . . . .

448

21 Authentication, Authorisation and Accounting

453

21.1 Overview over AAA

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

454

21.2 Managing AAA via the web

. . . . . . . . . . . . . . . . . . . . . . . . .

456

21.3 Managing AAA via the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . .

473

22 DHCP Server

487

22.1 Overview of DHCP Server Support in WeOS

. . . . . . . . . . . . . . .

488

22.2 Configuring DHCP Server Settings via the Web

. . . . . . . . . . . .

499

22.3 Configuring DHCP Server Settings via the CLI

. . . . . . . . . . . . .

503

23 DHCP Relay Agent

514

23.1 Overview of DHCP Relay Agent Support

. . . . . . . . . . . . . . . . .

515

23.2 Configuring DHCP Relay Agent via the Web

. . . . . . . . . . . . . . .

526

23.3 Configuring DHCP Relay Agent via the CLI

. . . . . . . . . . . . . . .

529

24 Alarm handling, LEDs and Digital I/O

535

24.1 Alarm handling features

. . . . . . . . . . . . . . . . . . . . . . . . . . .

535

24.2 Managing Alarms via the Web

. . . . . . . . . . . . . . . . . . . . . . .

547

24.3 Managing Alarms via the CLI

. . . . . . . . . . . . . . . . . . . . . . . .

553

24.4 Digital I/O

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

576

24.5 LEDs

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

579

25 Logging Support

582

25.1 Logging Support in the web interface

. . . . . . . . . . . . . . . . . .

583

25.2 Managing Logging Support via the CLI

. . . . . . . . . . . . . . . . . .

584

III Router/Gateway Services

586

26 IP Routing in WeOS

587

26.1 Summary of WeOS Routing and Router Features

. . . . . . . . . . .

587

26.2 Static unicast routes via Web

. . . . . . . . . . . . . . . . . . . . . . . .

595

26.3 Enabling Routing, Managing Static Routing, etc., via CLI

. . . . . .

598

27 Dynamic Routing with OSPF

600

27.1 Overview of OSPF features

. . . . . . . . . . . . . . . . . . . . . . . . .

600

27.2 OSPF Web

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

614

27.3 Managing OSPF via the CLI

. . . . . . . . . . . . . . . . . . . . . . . . .

618

6

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

28 Dynamic Routing with RIP

630

28.1 Overview of RIP Features

. . . . . . . . . . . . . . . . . . . . . . . . . . .

630

28.2 RIP Web

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

636

28.3 Managing RIP via the CLI

. . . . . . . . . . . . . . . . . . . . . . . . . . .

639

29 IP Multicast Routing

648

29.1 Summary of WeOS Multicast Routing Features

. . . . . . . . . . . . .

648

29.2 Managing Multicast Routing via Web Interface

. . . . . . . . . . . . .

652

29.3 Managing Multicast Routing via CLI

. . . . . . . . . . . . . . . . . . . .

657

30 Virtual Router Redundancy (VRRP)

661

30.1 Introduction to WeOS VRRP support

. . . . . . . . . . . . . . . . . . . .

662

30.2 Managing VRRP via the web interface

. . . . . . . . . . . . . . . . . .

669

30.3 Managing VRRP via the CLI

. . . . . . . . . . . . . . . . . . . . . . . . .

674

31 Firewall Management

682

31.1 Overview

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

683

31.2 Firewall Management via the Web Interface

. . . . . . . . . . . . . .

710

31.3 Firewall Management via the CLI

. . . . . . . . . . . . . . . . . . . . .

733

IV Virtual Private Networks and Tunnels

747

32 Overview of WeOS VPN and Tunnel support

748

32.1 WeOS support for VPNs

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

748

32.2 Tunneling using PPP

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

749

32.3 Tunneling using GRE

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

749

33 PPP Connections

750

33.1 Overview of PPP Properties and Features

. . . . . . . . . . . . . . . .

751

33.2 Managing PPP settings via the web interface

. . . . . . . . . . . . . .

761

33.3 Managing PPP settings via the CLI

. . . . . . . . . . . . . . . . . . . . .

767

34 GRE tunnels

778

34.1 Overview of GRE tunnel Properties and Management Features

. .

778

34.2 Managing GRE settings via the web interface

. . . . . . . . . . . . .

782

34.3 Managing GRE settings via the CLI

. . . . . . . . . . . . . . . . . . . .

784

35 IPsec VPNs

788

35.1 Overview of IPsec VPN Management Features

. . . . . . . . . . . . .

789

35.2 Managing VPN settings via the web interface

. . . . . . . . . . . . .

809

35.3 Managing VPN settings via the CLI

. . . . . . . . . . . . . . . . . . . .

819

© 2015 Westermo Teleindustri AB

7

Westermo OS Management Guide

Version 4.17.1-0

36 SSL VPN

835

36.1 Overview of SSL VPN Management Features

. . . . . . . . . . . . . .

835

36.2 Managing SSL VPN settings via the web interface

. . . . . . . . . .

852

36.3 Managing SSL VPN settings via the CLI

. . . . . . . . . . . . . . . . .

858

37 WeConnect

870

37.1 Installing WeConnect via the Web

. . . . . . . . . . . . . . . . . . . . .

872

37.2 Installing WeConnect via the CLI

. . . . . . . . . . . . . . . . . . . . . .

874

37.3 Troubleshooting

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

876

V Serial Port Management and Applications

880

38 Serial Port Management

881

38.1 Overview of Serial Port Management

. . . . . . . . . . . . . . . . . . .

882

38.2 Managing serial ports via the web interface

. . . . . . . . . . . . . .

885

38.3 Managing serial ports via the CLI interface

. . . . . . . . . . . . . . .

888

39 Serial Over IP

894

39.1 Overview of Serial Over IP

. . . . . . . . . . . . . . . . . . . . . . . . . .

894

39.2 Managing Serial Over IP via the web interface

. . . . . . . . . . . . .

906

39.3 Managing Serial Over IP via the CLI interface

. . . . . . . . . . . . .

913

40 Modbus Gateway

929

40.1 Managing Modbus Gateway via the web interface

. . . . . . . . . .

931

40.2 Managing Modbus Gateway via the CLI interface

. . . . . . . . . . .

935

41 MicroLok II Gateway

947

41.1 Overview of MicroLok Gateway Properties and Management Features

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

947

41.2 Managing MicroLok Gateway via the web interface

. . . . . . . . . .

952

41.3 Managing MicroLok Gateway via the CLI interface

. . . . . . . . . .

956

VI Appendixes

Acronyms and abbreviations

References

Index

963

964

967

971

8

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Part I

Introduction to WeOS and its

Management Methods

© 2015 Westermo Teleindustri AB

9

Westermo OS Management Guide

Version 4.17.1-0

Chapter 1

Introduction

1.1

Westermo and its WeOS products

Westermo provides an extensive set of network products for robust industrial data communications, managed as well as unmanaged products. Westermo’s products are found in diverse set of harsh environment applications, and where robustness and reliability are vital properties.

This guide describes the extensive functionality of managed Westermo products running the Westermo OS (WeOS).

1.2

Getting Started

Please see www.westermo.com

for the latest updated version of this document – the WeOS Management Guide. There you can also find product User Guides, and other support information for your product.

The dedicated User Guide of your product includes information on how to get started with WeOS on your specific product. That is a good place to start if you wish to do the least possible configuration of your switch (i.e., assign appropriate

IP settings) before putting it into your network infrastructure.

If the User Guide of your specific product lacks a section on how to get started with WeOS, please visit the

chapter 2

(Quick Start) of this document.

10

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

1.3

Introduction to WeOS

Westermo OS (WeOS) is a network operating system delivering an extensive set of functionality including layer-2 (basic switching, VLAN, IGMP snooping, etc.), layer-3 (routing, firewall, NAT, etc.), and higher-level services (DHCP, DNS, etc.).

Furthermore, WeOS provides easy management via a Web interface, via the associated WeConfig tool, and via a USB stick. To satisfy even more advanced customer needs, WeOS provides flexible management via a command line interface

(CLI), as well as via SNMP.

WeOS provides two levels of functionality, WeOS Standard and WeOS Extended.

Products running WeOS Standard are outstanding layer-2 switches suitable to build reliable LAN infrastructures. Products running WeOS Extended extends the

WeOS functionality by adding routing capabilities and a rich set of related higher level services (NAT, firewall, VPN, etc.).

1.4

How to read this document

This guide is structured in the following parts:

ˆ

Part I : This part gives general information on WeOS, and introduces the main

methods to manage a WeOS unit (WeConfig, Web, CLI and SNMP)

1

.

The information in

Part I

applies both to products running WeOS Standard and WeOS Extended.

Chapter 1

is this chapter.

Chapter 2

describes how to get started with your WeOS product.

Chapters 3

gives an overview of the different ways to manage a WeOS unit. If you need recommendations of which method to use, please read

chapter 3 .

Chapters 4 -

5

present the WeOS Web and CLI support. Detailed information for Web and CLI Management is provided in the later parts of the document.

Chapters 6

is the main source of information for WeOS SNMP support.

1

For information on how to configure a WeOS unit using a USB memory stick, see

Chapter 7 .

© 2015 Westermo Teleindustri AB

11

12

Westermo OS Management Guide

Version 4.17.1-0

ˆ

Part II : Each of the chapters in this part covers services and features in

common software levels Standard and Extended.

Chapter 7

handles general maintenance task (firmware upgrade, configuration file handling, factory reset, etc.) and tools such as ping, tracer-

oute, which be useful when troubleshooting your network.

Chapters 8 -

12

cover management of Ethernet, SHDSL and xDSL (ADSL/VDSL) ports.

Chapters 13 -

18

concern various layer-2 services in WeOS (VLANs, layer-

2 redundancy (FRNT, RSTP, Link Aggregation), and IGMP Snooping).

Chapter 19

covers network interface configuration including IP address, netmask, etc., as well system wide network settings such as default gateway and DNS.

Chapter 20 -

25

handles various general settings (System Identity), AAA services, DHCP (Server and Relay), and status maintenance (Alarm, Digital I/O, Front Panel LEDs, and logging).

ˆ

Part III

covers WeOS router/gateway services. These features are only applicable to WeOS Extended products.

Chapters 26 -

30

describes static and dynamic routing, and VRRP support in WeOS.

Chapter 31

concerns NAT and Firewall support.

ˆ

Part IV

covers WeOS VPN and tunneling services. These features are only provided for WeOS Extended products.

Chapters 32

gives an overview to VPN and tunneling services.

Chapter 33

covers PPP support (PPP over serial port and PPPoE).

Chapter 34

describes GRE tunneling support.

Chapters 35

and

36

presents VPN support using IPsec and SSL (Open-

VPN).

ˆ

Part V

contains information on serial port configuration ( chapter 38 ) and

applications. These features apply to WeOS products with serial ports, both for WeOS Standard and WeOS Extended.

Chapter 39

describes Serial Over IP and Modem Replacement functionality

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 40 -

41

cover Modbus Gateway and Microlok Gateway support.

1.5

Westermo products running WeOS

Below you find the list of Westermo products running WeOS, as well as references to their respective User Guide:

ˆ Falcon: User Guide [

41 ] (FDV-206-1D1S). (”Basis” platform)

ˆ Lynx: User Guides [

46

] (Lynx-L110/210) and [ 42 ] (Lynx-L106/206-F2G). (”Ba-

sis” platform)

ˆ Lynx-DSS: User Guides [

43 ] (L108/208-F2G-S2), [ 44 ] (L105/205-S1), and

[ 45 ] (L106/206-S2). (”Basis” platform)

ˆ RedFox Industrial (RFI): User Guides [

48 ] (”Corazon” platform) and [ 47 ] (”At-

las” platform)

ˆ RedFox Industrial Rack (RFIR): User Guide [

49 ] (”Corazon” platform)

ˆ RedFox Rail (RFR): User Guide [

50 ] (RFR-212-FB (”Corazon” platform), and

RFR-12-FB (”Atlas” platform)).

ˆ Wolverine: User Guides [

37 ] (DDW-142), [ 38 ] (DDW-142-485), [ 39 ] (DDW-

225) and [ 40 ] (DDW-226). (”Basis” platform)

ˆ Viper: User Guides [

51 ] (Viper-112/212 and Viper-112/212-T3G) and [ 52 ]

(Viper-112/212-P8 and Viper-112/212-T3G-P8) (”Basis” platform)

Note

Atlas, Basis and Corazon denote HW platforms used by different products.

Products utilising the same HW platform use the same kind of CPU, and have the same amount of RAM and flash memory.

1.5.1

Product hardware details affecting WeOS functionality

The WeOS functionality described in the Management Guide generally applies to all Westermo products running WeOS of the appropriate software level (Standard or Extended). However, where functionality assumes the presence of certain hardware (such as a USB port), those functions are limited to products including

© 2015 Westermo Teleindustri AB

13

Westermo OS Management Guide

Version 4.17.1-0 that hardware. The table below provides a summary of hardware differences affecting the availability of certain WeOS functions. For a more definite description of hardware specifications you are referred to the dedicated User Guide of each product (see

section 1.5

).

Falcon

FDV-206-1D1S

Lynx

L106/206-F2G

L110/210

Lynx-DSS

X

X

X

All Lynx-DSS models

RedFox Industrial &

RedFox Industrial Rack

X

All RFI and RFIR models X

RedFox Rail

All RFR models

Viper

X

X

X

All ”non-PoE’ models

All ”PoE” models

Wolverine

DDW-142

DDW-142-485

DDW-225

DDW-226

X X

2

X X

2

X X

X X

X X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X

X X

1

X

1

Failover Relay is available on RedFox Rail models ”RFR-12 FB” and ”RFR-212 FB”. See the

related User Guide[ 50 ] for more information on failover relay functionality.

2

The DDW-142 and DDW-142-485 SHDSL ports have support for PAF (SHDSL link bonding).

14

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 2

Quick Start

This section provides a guide to quickly get started with your switch. Only simple

configuration procedures will be covered

1

. The steps covered concern:

ˆ Get familiar with the factory default setting

ˆ Configuring an appropriate IP address

2.1

Starting the Switch for the First Time

When booting the switch for the first time the switch will use the factory default setting.

The factory default setting makes the switch operate as a manageable layer-2

switch, where all Ethernet ports belong to the same virtual LAN (VLAN)

2

.

ˆ Manageable: The switch is manageable via any of the Ethernet ports. To manage the switch via an Ethernet port you need to know the IP address of the switch (see

table 2.1

). For switches equipped with a console port, the

switch can as well be managed via that port without knowing the IP address of the switch.

1

For more advanced settings, we refer to the remaining chapters of this guide as well as the online help provided via the Web configuration tool and the Command Line Interface (CLI).

2

On Falcon series of switches, all Ethernet ports belong to the default VLAN (VLAN 1), while the xDSL port belongs to a separate VLAN (VLAN 1006). That is, by factory default Falcon operates as a router. See

chapter 11

for more details.

© 2015 Westermo Teleindustri AB

15

Westermo OS Management Guide

Version 4.17.1-0

ˆ Single VLAN: By default all ports on the switch will belong to the same VLAN.

Thus, devices connected to different ports of the switch should be able to communicate with each other right away. For more advanced setups, the ports of the switch can be grouped into different VLANs. In the factory default setting all ports belong to VLAN 1.

The default IP setting for the switch is as shown in

table 2.1

.

Address Netmask Gateway

Primary IP address Dynamic (DHCP) (Dynamic)

Secondary IP address 192.168.2.200

255.255.255.0

(Dynamic)

Disabled

Table 2.1: Factory Default IP settings.

Thus, when you power up your WeOS unit with the factory configuration, you can connect to it via two addresses:

ˆ The static IP address 192.168.2.200: This address is simplest to use if you are setting up a single unit.

ˆ A dynamic address assigned by a DHCP server 3

(if present): This address may be simplest to use if you want to connect and configure multiple new

WeOS units simultaneously.

Note

Before you put your switch into your production network you should change its IP setting according to your network topology. How you change your IP setting is described in the next section.

2.2

Modifying the IP Setting

The switch can be configured with a static IP setting, or it can get its IP address dynamically via DHCP. The latter case is useful if you are running a DHCP server on the same LAN as the switch will be located.

WeOS provides several management tools, which will be presented further in later chapters of this guide. In this chapter we limit the scope to describe how these tools can be used to update the IP settings of the switch.

3

In addition, the unit will autoconfigure itself with a link-local address in the 169.254.x.x range, where ’x’ is in interval 0-255. See

section 19.2.6

for more information.

16

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ WeConfig: is Westermo’s Network configuration management tool (NCM) made for commissioning and maintenance of components in a network. It replaces the former Westermo tool known as IPConfig. For further information on WeConfig’s features and how to use the tool, see the WeConfig User

Guide[ 54 ].

ˆ Web: Configuration of IP settings via the Web interface is described in

section 2.2.1

.

ˆ CLI: Configuration of IP settings via the Command Line Interface (CLI) is described in

section 2.2.2

.

Hint

If you are not sure what IP address your switch has, use the WeConfig tool,

or the CLI via console method ( section 2.2.2.1

). If neither of these methods

work, please visit

section 7.1.3

for information on how to conduct a factory reset.

© 2015 Westermo Teleindustri AB

17

Westermo OS Management Guide

Version 4.17.1-0

2.2.1

Using the Web Interface to Update the Switch IP Settings

To configure the IP settings via web your switch is required to be located on the same IP subnet as your PC.

To Internet or company Intranet

Switch with default IP setting:

IP address: 192.168.2.200

Netmask: 255.255.255.0

Default gateway: Disabled

Should get the following settings:

IP address: 192.168.55.100

Netmask: 255.255.255.0

Default gateway: 192.168.55.1

WeOS switch

Console Ethernet ports

Router

Router IP address:

192.168.55.1

PC

Host with Web browser.

PC IP address and netmask known, e.g.,

IP address 192.168.55.35 and netmask 255.255.255.0

In this example the switch shall be assigned the IP address 192.168.55.100, netmask 255.255.255.0 and default gateway 192.168.55.1. To achieve this you must

(temporarily) change the IP address of the PC in order to be able to communicate with the switch.

The steps to configure the IP settings via the web interface are as follows:

1. Connect your PC to the switch: Connect your PC to the switch as shown in the figure above.

2. Modifying IP Settings on PC: The IP settings on the PC must be updated to match the default settings on the switch, i.e., the PC should be assigned an

IP address on the 192.168.2.0/24 network, e.g.,

ˆ PC IP address: 192.168.2.1

ˆ PC Netmask: 255.255.255.0

3. Access switch via web browser: Open your web browser and enter URL

http://192.168.2.200 in the browser’s address field. You will be asked to enter a username and a password. Use the factory default account settings shown below:

ˆ Login username: admin

ˆ Password: westermo

18

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

4. Open the Network configuration page: Click on the Configuration topmenu and then on the Network sub-menu and then the Global settings menu.

5. Configure Default Gateway: Now click the edit icon ( ) in the Global Settings frame. The following page should appear.

Fill in the appropriate address in the Default Gateway field. In this example, the default gateway is 192.168.55.1. Click the Apply button. Your switch is configured with a new default gateway.

6. Open Interface Configuration Page: Click on the Configuration top-menu and then on the Network sub-menu and then the Interface sub menu. In

© 2015 Westermo Teleindustri AB

19

Westermo OS Management Guide

Version 4.17.1-0 the Interface page, click the edit icon ( ) on the row for the interface named vlan1. The Interface Configuration Page will appear:

7. Configure Interface IP Settings: Enter the appropriate IP settings for your switch. In this example we would:

(a) Set IP Address Method to static (radio button).

(b) Set Primary Address to 192.168.55.100 with 255.255.255.0 in the

Netmask field.

(c) Remove Secondary Address (192.168.2.200) using the trash icon ( ).

Click the Apply button and your switch is configured with a new IP address.

8. Reconfigure PC’s IP Settings: As the IP address is changed on the switch, you cannot reach it from your PC any longer. To access the switch from the

PC, the PC’s IP settings must be changed again. In this case, we assume it is changed back to its original settings:

ˆ PC IP address: 192.168.55.35

ˆ PC Netmask: 255.255.255.0

ˆ PC Default Gateway: 192.168.55.1

Further management of the switch can be performed via any of the available management tools - WeConfig, Web, SSH/Telnet/CLI or SNMP.

20

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

2.2.2

Using the CLI to Update the Switch IP Settings

The CLI can be accessed in three ways: via the console port (given that the switch is equipped with a console port) or via the Ethernet ports using the Secure Shell

(SSH) or the Telnet protocol.

Section 2.2.2.1

explains how to access the CLI via the console port, and how to update the IP settings.

Section 2.2.2.2

explains how to access the CLI via SSH.

Access with Telnet is also possible, but this is not enabled by default on the switch, and to use it you will first have to access it with one of the other methods and enable this protocol for management. See

Section 7.3.49

(CLI) for information on how to enable the Telnet service on the unit, and then

Section 19.4

(Web) or

Section 19.6.6

for information on how to enable Telnet configuration via interface ”vlan1”.

2.2.2.1

Accessing the CLI via the console port

For WeOS switches equipped with a console port, this port can be used to change

IP address of the switch.

1. Connect your PC to the switch: Connect your PC to the switch as shown in the figure below.

To Internet or company Intranet

Switch with default IP setting:

IP address: 192.168.2.200

Netmask: 255.255.255.0

Default gateway: Disabled

Should get the following settings:

IP address: 192.168.55.100

Netmask: 255.255.255.0

Default gateway: 192.168.55.1

WeOS switch

Console Ethernet ports

Router

Router IP address:

192.168.55.1

PC

Host with terminal emulation program.

PC IP address and netmask known, e.g.,

IP address 192.168.55.35 and netmask 255.255.255.0

Important notice for WeOS Switches equipped with a console port

See the User Guide of your specific product ( section 1.5

) for information

on what Diagnostic Cable to use when connecting to the console port of your specific product.

© 2015 Westermo Teleindustri AB

21

22

Westermo OS Management Guide

Version 4.17.1-0

2. Terminal program: To communicate with the switch via the console port, you need to use a terminal emulation program on your PC, such as Hypertermi-

nal. Ask your system administrator if you need help to install or configure your terminal emulation program.

The following settings should be used when connecting to the console port:

Console Port Parameter Setting

Data rate

Data bits

Stop bits

Parity

Flow control

115200 bits/s

8

1

Off

Off

3. Activating the console: When the switch has finished booting, you will be asked to press the Enter key on your keyboard to activate the console.

4. Logging in: Now you will be asked to enter a username and thereafter a

password. For a switch using the factory default settings, use the following login username and password:

ˆ Login username: admin

ˆ Password: westermo

Below you see a sample printout when logging in on a WeOS switch. (The password is not ”echoed” back to the screen.)

Example

example login: admin

Password:

.--.--.--.-----.-----.------.-----.-.--.--------.-----.

| | | | -__|__ --|_

_| -__| _| . . | _ | http://www.westermo.com

\__/\__/|_____._____| |__| |_____|__| |__|__|__|_____| [email protected]

Robust Industrial Data Communications -- Made Easy

\\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014

Type: ’help’ for help with commands, ’exit’ to logout or leave a context.

example:/#>

5. Listing IP address: Use the CLI command ”show iface” to list information about network interfaces.

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> show iface

Press Ctrl-C or Q(uit) to quit viewer, Space for next page, <CR> for next line.

Interface Name Oper Address/Length MTU MAC/PtP Address

-----------------------------------------------------------------lo vlan1

UP

UP

127.0.0.1/8

192.168.2.200/24

16436 N/A

1500 00:07:7c:10:de:e1

169.254.145.230/16

-----------------------------------------------------------------------------example:/#>

6. Changing IP address and netmask: To change the switch IP addressing mode

(”static” instead of ”DHCP”), set a static address and netmask, and to skip secondary addresses, use CLI commands ”configure”, ”iface vlan1”,

”inet static”, ”address <IPV4ADDRESS/LEN>”, ”no address secondary” and ”end” as shown below. This example is based on the setup in step

1 ,

and configures the switch with an address (192.168.55.100/24) on the same

IP subnet as the PC.

Example

example:/#> configure example:/config/#> iface vlan1 example:/config/iface-vlan1/#> inet static example:/config/iface-vlan1/#> address 192.168.55.100/24 example:/config/iface-vlan1/#> no address secondary

Remove all secondary IP addresses, are you sure (y/N)? y

Removing all secondary IPs!

example:/config/iface-vlan1/#> end example:/config/#> end

Stopping DHCP Clients ...................................... [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example:/#> show iface

Press Ctrl-C or Q(uit) to quit viewer, Space for next page, <CR> for next line.

Interface Name Oper Address/Length MTU MAC/PtP Address

-----------------------------------------------------------------lo vlan1

UP

UP

127.0.0.1/8

192.168.55.100/24

16436

1500

N/A

00:07:7c:10:de:e1

-----------------------------------------------------------------------------example:/#>

7. Set default gateway IP address: The figure below shows the same network setup, but with a router attached to the IP subnet.

With this setup you would like to configure a default gateway IP address to allow management of the switch from outside the local network. This

© 2015 Westermo Teleindustri AB

23

Westermo OS Management Guide

Version 4.17.1-0 can be achieved using CLI commands ”configure”, ”ip”, ”route default

192.168.55.1 <IPADDRESS>”, and ”end” as shown below.

Example

example:/#> configure example:/config/#> ip example:/config/ip/#> route default 192.168.55.1 example:/config/ip/#> end example:/config/#> end

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example:/#>

8. Save configuration: Although the configuration changes has been activated, the running configuration must be stored to the startup configuration. Otherwise the changes will be lost if the switch is rebooted.

Example

example:/#> copy running-config startup-config example:/#>

9. You are now done setting the IP address, subnet mask and default gateway of your switch. Logout from the CLI using the ”logout” command.

Further management of the switch can be performed via any of the available management tools - WeConfig, Web, SSH/Telnet/CLI or SNMP.

2.2.2.2

Accessing the CLI via SSH

Configuring the IP settings via SSH/CLI is very similar to configuring them via the console port. The major differences are:

ˆ The IP address of the PC must (temporarily) be changed in order to be able to communicate with the switch, i.e., the PC should have an address on network 192.168.2.0/24, e.g., 192.168.2.1/24.

ˆ After the IP settings have been changed on the switch, the PC is likely to loose contact with the switch. The PC must therefore change its IP address again, and login to the switch again in order to copy the running configuration to the startup configuration.

The steps to configure the IP settings via SSH/CLI are as follows:

1. Connect your PC to the switch: Connect your PC to the switch as shown in the figure below. In this example we assume the switch will get IP address

24

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

192.168.55.100, netmask 255.255.255.0 and default gateway 192.168.55.1.

Switch with default IP setting:

IP address: 192.168.2.200

Netmask: 255.255.255.0

Default gateway: Disabled

Should get the following settings:

IP address: 192.168.55.100

Netmask: 255.255.255.0

Default gateway: 192.168.55.1

WeOS switch

Console Ethernet ports

To Internet or company Intranet

Router

Router IP address:

192.168.55.1

PC

Host with SSHv2 client.

PC IP address and netmask known, e.g.,

IP address 192.168.55.35 and netmask 255.255.255.0

2. Modifying IP Settings on PC: The IP settings on the PC must be updated to match the default settings on the switch, i.e., the PC should be assigned an

IP address on the 192.168.2.0/24 network, e.g.,

ˆ PC IP address: 192.168.2.1

ˆ PC Netmask: 255.255.255.0

ˆ PC Default Gateway: Not needed

3. Connecting and Logging in: When connecting via SSH you will be asked to enter a username and thereafter a password. For a switch using the factory default settings, use the following login username and password:

ˆ Login username: admin

ˆ Password: westermo

The procedure to connect may vary slightly depending on what SSH client you are using. The example below show the connection procedure using

Unix OpenSSH

4

. (On Windows one can use Putty

5

.)

4

OpenSSH, http://www.openssh.com

5

Putty, http://www.chiark.greenend.org.uk/~sgtatham/putty/

© 2015 Westermo Teleindustri AB

25

Westermo OS Management Guide

Version 4.17.1-0

26

Example

[email protected]:~$ ssh [email protected]

The authenticity of host ’192.168.2.200 (192.168.2.200)’ can’t be established.

RSA key fingerprint is 6d:0c:f3:d3:28:d6:d8:43:bc:69:f8:d0:d6:a2:27:87.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ’192.168.2.200’ (RSA) to the list of known hosts.

[email protected]’s password:

.--.--.--.-----.-----.------.-----.-.--.--------.-----.

| | | | -__|__ --|_

_| -__| _| . . | _ | http://www.westermo.com

\__/\__/|_____._____| |__| |_____|__| |__|__|__|_____|

Robust Industrial Data Communications -- Made Easy [email protected]

\\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014

Type: ’help’ for help with commands, ’exit’ to logout or leave a context.

example:/#>

4. Changing IP settings: The switch IP settings are changed with the same

commands as described when accessing the CLI via the console port ( section 2.2.2.1

). In this example we assign IP address, netmask and default

gateway.

Example

example:/#> configure example:/config/#> iface vlan1 example:/config/iface-vlan1/#> inet static example:/config/iface-vlan1/#> address 192.168.55.100/24 example:/config/iface-vlan1/#> no address secondary

Remove all secondary IP addresses, are you sure (y/N)? y

Removing all secondary IPs!

example:/config/iface-vlan1/#> end example:/config/#> ip example:/config/ip/#> route default 192.168.55.1 example:/config/ip/#> end example:/config/#> end

The configuration is now changed, but not yet saved to the startup configuration. However, as the IP address is changed, the SSH connection will be broken.

5. Logging in again to save configuration: To login again, the PC’s IP settings must be changed again. In this case, we assume it is changed back to its original settings:

ˆ PC IP address: 192.168.55.35

ˆ PC Netmask: 255.255.255.0

ˆ PC Default Gateway: 192.168.55.1

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

We can then login again to copy the running configuration to startup configuration.

Example

[email protected]:~$ ssh [email protected]

The authenticity of host ’192.168.55.100 (192.168.55.100)’ can’t be established.

RSA key fingerprint is 6d:0c:f3:d3:28:d6:d8:43:bc:69:f8:d0:d6:a2:27:87.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ’192.168.55.100’ (RSA) to the list of known hosts.

[email protected]’s password:

.--.--.--.-----.-----.------.-----.-.--.--------.-----.

| | | | -__|__ --|_

_| -__| _| . . | _ | http://www.westermo.com

\__/\__/|_____._____| |__| |_____|__| |__|__|__|_____|

Robust Industrial Data Communications -- Made Easy [email protected]

\\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014

Type: ’help’ for help with commands, ’exit’ to logout or leave a context.

example:/#> copy running-config startup-config example:/#>

You are now done setting the IP address, subnet mask and default gateway of your switch. Logout from the CLI using the ”logout” command.

Further management of the switch can be performed via any of the available management tools - WeConfig, Web, SSH/CLI or SNMP.

© 2015 Westermo Teleindustri AB

27

Westermo OS Management Guide

Version 4.17.1-0

Chapter 3

Overview of Management

Methods

WeOS is managed and monitored using the following tools and interfaces:

ˆ WeConfig: is Westermo’s Network configuration management tool (NCM) made for commissioning and maintenance of components in a network. It replaces the former Westermo tool known as IPConfig. For further information on WeConfig’s features and how to use the tool, see the WeConfig User

Guide[ 54 ].

ˆ Web: The WeOS Web interface provides management of essential features.

The Web interface should satisfy the needs of all common use cases.

ˆ CLI: The WeOS Command Line Interface is an industry standard CLI, and provides the most complete management support. The CLI is intended for advanced users requiring fine grain control of the system.

In addition, WeOS provides device management via SNMP (v1/v2c/v3). A set of standard MIBs and the WeOS private MIB are supported, as described in

chapter 6 .

28

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Task

Discover WeOS Devices

Set Device IP Address

Upgrade firmware

Common management tasks

All management tasks

Secure management

WeConfig Web CLI SNMP

X

X

X

(X) (X)

X

X

X

X

X

X

X

X

X

X

X

X

In the following sections the properties of the WeConfig tool, the Web Interface, and the CLI are presented further. These sections give information about what management tool to use for a specific need. For more information on SNMP we refer to

chapter 6 .

3.1

When to use the WeConfig tool

The Westermo configuration management tool, WeConfig, is used for basic configuration and maintenance of WeOS products. It is an ideal tool to upgrade

firmware and manage configuration files (backup and restore) of a large set of

WeOS devices. With WeConfig you to scan, discover and draw maps of the WeOS devices in your network, and you can also conduct some basic configuration of

WeOS units, such as setting the IP address and the default gateway.

For further information on WeConfig’s features and how to use the tool, see the

WeConfig User Guide[ 54 ].

3.2

When to use the Web Interface

The Web interface would be the management interface of choice for most users.

The main advantages of the Web Interface are:

ˆ Easy to use: The Web management interface provides an easy to use method to manage the switch.

ˆ All common features: The web interface includes support for all essential management features, and should therefore meet the needs of most users.

ˆ Secure management: The web interface can be accessed via regular HTTP and secure HTTP (HTTPS). Secure management is also possible via the CLI

(SSHv2) and and SNMP (SNMPv3).

© 2015 Westermo Teleindustri AB

29

Westermo OS Management Guide

Version 4.17.1-0

ˆ Discover other Westermo Switches: The Web contains a discovery service

(IPconfig) similar to what WeConfig provides. (Note, you must still be able to login to one switch in order to make use of this service.)

To use the Web interface, you must know the IP address of your switch. To find

out the switch IP address you may need to use the WeConfig tool

1

, but once you

know it you can do the rest of the management via the Web interface.

The Web interface is introduced in

chapter 4 .

3.3

When to use the Command Line Interface (CLI)

The WeOS CLI aims to serve advanced users. Furthermore, the CLI is the only management tool which cannot be disabled.

Below we list the situations where the CLI is the most suitable management tool.

ˆ Complete set of management features: The CLI includes all the management features available on the switch. If you cannot accomplish your task with any of the other management tools, the CLI may provide the feature you need.

ˆ Discover other Westermo Switches: The CLI contains a discovery service similar to what WeConfig provides, but more rudimentary.

Note

You must still be able to login to one switch in order to make use of this service.

ˆ Secure management: To access the CLI you must either have physical access to the switch (console port), or use the Secure Shell (SSHv2) application to access the CLI remotely. Secure management is also possible via the Web interface (HTTPS) and SNMP (SNMPv3).

ˆ Configuration scripting: With a CLI it is possible to develop automatic configuration scripts, e.g., using the Expect automation and testing tool. Expect extensions exist for many common scripting languages (Ruby, Perl, Tcl).

As with the Web interface, you must know the IP address of your switch before you can access the CLI remotely via SSH (access via the console port is possible

1

For more information about finding the IP address of your switch we refer to the Getting Started guide in

chapter 2 .

30

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 without knowing the switch IP address). To find out the switch IP address you may need to use the WeConfig tool, but once you know it you can do the rest of the management via SSH/CLI.

The WeOS CLI is introduced in

chapter 5 .

© 2015 Westermo Teleindustri AB

31

Westermo OS Management Guide

Version 4.17.1-0

Chapter 4

Management via Web Interface

WeOS supports device management via web interface. Both HTTP and HTTPS

1 are supported. The design is optimised for style sheet and JavaScript

2

capable web browsers. In addition, the design allows users to access the web interface and all settings without a style sheet and JavaScript capable browser, but then with less guidance and support from the user interface.

When using the Web Management Tool you have to be aware of the following:

ˆ Only one user can be logged in at a time (see

section 4.2

for more information).

ˆ You are automatically logged out after ten (10) minutes of inactivity (see

section 4.2

for more information).

ˆ When you click Apply on a page, the settings on that page are immediately activated.

ˆ When you click Apply on a page, all settings are stored in the startup config-

uration and therefore survive a reboot (see

chapter 7

for more information).

Section 4.2

explains how to access the Web Management Tool and

section 4.3

describes the web menu hierarchy. In

section 4.3

the system overview web pages are presented. Other pages and settings are described per topic in

chapter 20

and following chapters.

1

For HTTPS server authentication, a self-signed certificate is used as of WeOS v4.17.1.

2

JavaScript is a trademark of Oracle Corporation.

32

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

4.1

Document Conventions

Specific conventions for the web part of this document.

Button Text

Buttons are indicated by use of bold type-writer style.

Menu path:

Top Item Sub Item For each page the menu path to the page is described with this syntax. It means: First click the

Top Item menu item and in the sub-menu revealed, click the Sub

Item menu item. See also

section 4.3

.

Menu path:

Top Item Sub Item ⇒ Button Text This is an extension to the Menu

path: Top Item

Sub Item version described above. It tells you to click a button with the text But-

ton Text on the page navigated to by Top Item Sub Item.

Top Item Sub Item (ctx) The button may be an icon. In this case the icon is shown. Additionally in parenthesis a sub-context

(ctx) may be described which will identify a context on the page, normally identified by its header.

© 2015 Westermo Teleindustri AB

33

Westermo OS Management Guide

Version 4.17.1-0

4.2

Logging in

To access the switch through the web interface, enter the appropriate URL (e.g., the factory default IP-address http://192.168.2.200) in the address field of your web-browser. You will then be presented to the login page where you fill in the

username and password, see figure

4.1

.

Figure 4.1: Web login window

Currently there is only a single user account defined, the administrator user account. Note that it is the same user account used for login in CLI. Factory default user account and password are as follows :

ˆ Login: admin

ˆ Password: westermo

Your web session will last for ten (10) minutes after your latest ”web action”.

Clicking a link or button at least every 10 minutes will let you keep the session

34

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 forever. The same goes for pages with an automatic refresh option, given that a refresh interval of 10 minutes or shorter is selected.

Only one user at a time can be logged into the switch Web Management Tool. If a new user tries to log in the currently logged in user will automatically be logged out.

© 2015 Westermo Teleindustri AB

35

Westermo OS Management Guide

Version 4.17.1-0

4.3

Navigation

After logging in you will be redirected to the start page, see

fig. 4.2

. In the page

header you find the menus used to navigate between different tasks. The menu consists of two rows, the top-menu row, and the sub-menu. For some items you will be presented to a third level sub-menu below the second level sub-menu. Its function is analogously to the second level sub-menu .

To navigate in the menu, click on the top-menu to reveal the associated sub-

menu. Then click on the desired sub-menu item. For example,

fig. 4.2

shows the selection of top-menu Status and sub-menu Summary (i.e., Status Summary).

Figure 4.2: Unit Summary - the first page after logging in.

The top-level menu structure is described below:

ˆ Status - This is where you find status information of the running system (port status, protocol status, etc.)

ˆ Configuration - This is where you configure the unit

ˆ Maintenance - This is where you do firmware upgrades, configuration file backups, view log files, manage port monitoring, etc.

36

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Tools - Here you find various tools for trouble-shooting and other purposes

(e.g., ”ping”).

Pages where you can change settings generally contains an Apply and a Cancel button, as shown in

fig. 4.3

. The semantics of the Apply and Cancel buttons are

provided below:

Apply

Applies the changes on the current page. Changes are applied immediately (i.e., no reboot needed), and are also stored in the startup configuration.

Cancel

Discards changes and either returns to an overview page for the context, or reloads current page and thus shows the current settings.

Figure 4.3: Sample web page containing Apply and Cancel buttons.

Pages with lists of ports may have additional information to display, e.g. if the port is included in a port aggregate or bonded with PAF. This is indicated by the background behind the port label is highlighted as shown in

fig. 4.4

. When

hovering a highlighted port the additional information is displayed in a pop-up.

Inside a drop-down menu, the ports are also highlighted, but no pop-ups are presented.

© 2015 Westermo Teleindustri AB

37

Westermo OS Management Guide

Version 4.17.1-0

38

Figure 4.4: Sample web page with port information pop-up.

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

4.4

System Overview

There are two levels of system information, summary and detailed.

4.4.1

System Overview - Summary

Menu path: Status Summary

Fig. 4.5

shows the first page you will be presented to after logging into the switch.

It provides a quick overview of the system, including a list of current alarms.

Figure 4.5: The basic system overview page.

Hostname

Location

An arbitrary name to identify this unit.

An arbitrary description to identify where the unit is located.

ADSL/VDSL Status

Current ADSL/VDSL connection status. Displays negotiation status, IP-address, up/down speed and DSL uptime.

Continued on next page

© 2015 Westermo Teleindustri AB

39

Westermo OS Management Guide

Version 4.17.1-0

Uptime

Continued from previous page

The time passed since last reboot of the unit.

Date

The current date and time. System time is configured manually or set by using a NTP-server.

Running Services

A list of services currently running on the unit.

Alarms

Currently active port and FRNT alarms.

Link alarms are only shown for ports where link

Interfaces

alarm is enabled and when the link is down. FRNT

alarms are only shown for FRNT ports with link down.

Displays the interfaces and their primary addresses.

40

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

4.4.2

System Overview - Detailed

Menu path: Status System

To get more information about the switch you go to the detailed page shown in

fig. 4.6

. This page contains more information on hardware (e.g. versions, article

number, etc.) and system status (e.g. memory usage and CPU load).

Hostname

Location

An arbitrary name to identify this unit.

An arbitrary description to identify unit location.

Contact

An arbitrary description to identify a contact person who has more information about management of the unit and the network.

Uptime

Base MAC Address

System Default

Gateway Address

The time passed since last reboot of the unit.

The base MAC address defines the starting point of the MAC address range used within the unit. This is a unique number assigned to each unit.

The operational default gateway for all VLANs on the unit. Either retrieved dynamically or set statically.

Article Number

The article number for the unit.

Main Firmware

Version

Build Details

The version number of the main firmware.

Product

Model

The build string of the currently running firmware.

Backup Firmware

Version

The version number of the backup firmware.

Main FPGA Version

The version number of the FPGA software.

Boot Loader Version

The version number of the boot loader software.

Serial Number

The units serial number.

The product name.

The product model.

Type

Article No.

Batch ID

Revision

Enabled Redundancy Protocol(s)

VLANs With IGMP

Description for the card in the specified slot.

The article number of the card in the specified slot.

The batch identification of the card in the specified slot.

The revision of the card in the specified slot.

A list of the redundancy protocols currently enabled on the unit.

A list of VLANs on which IGMP is enabled.

Continued on next page

© 2015 Westermo Teleindustri AB

41

SNMP

Alarms

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

Shows if SNMP support is enable or disabled.

Currently active port and FRNT alarms.

Link alarms are only shown for ports where link alarm is enabled and link is down.FRNT alarms are only shown for FRNT ports where link alarm is enabled and when the link is down.

42

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Figure 4.6: Detailed system overview page.

© 2015 Westermo Teleindustri AB

43

Westermo OS Management Guide

Version 4.17.1-0

4.4.3

System Environment

Menu path: Status Environment

To get more information about the system environment variables you go to the environment page.

Temperature Shows system temperature i Celsius(C).

Load

Average

The load average is a standard Linux way of measuring system load.

Memory

Usage (%)

A snapshot of RAM (Random Access Memory) usage as percentage of total RAM.

DDM/DOM

1

SFPs

Shows DDM/DOM diagnostics for each SFP.

The black bar for each graph represents the first value which was read after boot up, and the blue bar is current value. The

DDM/DOM information will be polled for each SFP every twelfth hour. Each graph will then be updated and can consist of up to

20 polled entries. By positioning the mouse over a graph, the user will be presented with startup, max and min value. Please note that each graph shows trend over time and not the absolute value, graphs for different SFP should not be compared.

1

DDM/DOM diagnostic information is only available for Westermo DDM SFPs, see the SFP

Transceiver Datasheet of your WeOS product ( www.westermo.com

).

44

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 5

Management via Command

Line Interface (CLI)

This chapter introduces the command line interface (CLI) tool. Switches running

WeOS include a CLI similar to what is provided by other major vendors of network equipment. The CLI provides a more complete set of management features than the Web interface, the WeConfig tool or SNMP. Thus, when advanced management operations are required, the CLI is the management interface of choice.

The CLI can be accessed via the console port, or remotely via secure shell (SSHv2)

and Telnet

1

.

Section 5.1

introduces the CLI hierarchy and its various contexts.

Section 5.2

explains how to access the CLI interface, and

section 5.3

provides general information on how to use the CLI.

The last section ( section 5.4

) presents CLI commands available in all CLI con-

texts as well as their syntax. Other CLI commands are described per topic in the chapters to follow.

5.1

Overview of the WeOS CLI hierarchy

The WeOS CLI is organised in a hierarchical structure. For management purposes, the use of a hierarchical structure limits the available commands to those relevant for a certain topic. This in turn simplifies switch operation.

1

Telnet server is by default disabled, see also

section 7.3.49

.

© 2015 Westermo Teleindustri AB

45

Westermo OS Management Guide

Version 4.17.1-0

Administrator Execution Context

Global Configuration Context

Specific Execution Contexts

(RMON, Debug, ...)

Specific Configuration Contexts

Figure 5.1: CLI hierarchy

Fig.

5.1

shows an overview of the CLI hierarchy. When the user logs in as ”admin” the user will enter the CLI with ”administrator” privileges in

Admin Exec

context.

(In addition to the ”admin” user, future versions of WeOS are likely to support a

”guest” account with limited privileges.)

Admin Exec

context In

Admin Exec

context the user can execute a set of general monitoring and diagnostic functions, and also manage configuration files and firmware versions. From

Admin Exec

context the user can enter a set of specific execution contexts, e.g., to view RMON statistics.

Global Configuration

context From the

Admin Exec

context the user can enter the

Global Configuration

context. In

Global Configuration

the user can configure device parameters of global significance, such as hostname and loca-

tion of the device. From

Global Configuration

the user can reach contexts specific to certain protocols or device entities such as port, vlan, interface, and FRNT contexts.

A simple example on CLI usage is given below. There you can see how the CLI prompt changes to match the current context.

Example

example:/#> configure example:/config/#> vlan 100 example:/config/vlan-100/#> untagged 1,2 example:/config/vlan-100/#> end example:/config/#> end example:/#>

46

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

5.2

Accessing the command line interface

To login via the console port you need the username and password. Currently there is only a single user account defined, the administrator user account. Factory default account and password:

ˆ Login: admin

ˆ Password: westermo

The same account is used for management via CLI and Web (see

section 4 ). To

reset the administrator password to the default setting, see

chapter 7 .

5.2.1

Accessing CLI via console port

For WeOS switches equipped with a console port, that port can be used to access the CLI. (For information on which WeOS devices that have a console port, see

section 1.5.1

).

Console cable

See the User Guide of your specific product ( section 1.5

) for information on

what Diagnostic Cable to use when connecting to the console port of your specific product.

Recommended Terminal Emulation programs:

ˆ Win32: PuTTY, http://www.chiark.greenend.org.uk/~sgtatham/putty/

ˆ UNIX: There are different terminal emulation programs for different Unix dialects. On Linux minicom is recommended.

The following console port settings are used:

Data rate

Data bits

115200 bits/s

8

Stop bits

Parity

1

None

Flow control

None

The example in below shows how to login via the console port using the PuTTY application. Once you have installed and started PuTTY, configure the appropriate

© 2015 Westermo Teleindustri AB

47

Westermo OS Management Guide

Version 4.17.1-0

Serial settings.

Hint

In this example, the switch is accessible via the logical port ”COM3”, but the USB/serial adapter may be mapped to a different COM port on your PC.

Please check ”Ports (COM and LPT)” in the Windows ”Device Manager” to get information on what COM port to specify.

When the appropriate serial settings have been configured, select the ”Session” view. Select Serial as Connection type as shown in the figure below.

To start the serial connection, press the Open button. The figure below shows the console prompt when logging in to the CLI via the console on a unit named

example.

48

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 example login: admin

Password:

.--.--.--.-----.-----.------.-----.-.--.--------.-----.

| | | | -__|__ --|_

_| -__| _| . . | _ | http://www.westermo.com

\__/\__/|_____._____| |__| |_____|__| |__|__|__|_____|

Robust Industrial Data Communications -- Made Easy [email protected]

\\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014

Type: ’help’ for help with commands, ’exit’ to logout or leave a context.

example:/#>

5.2.2

Accessing the CLI via SSH or Telnet

To gain access to the CLI via SSH you need a SSH client, the switch IP address, and the account information (username and password).

Recommended SSH Clients:

ˆ Win32: PuTTY, http://www.chiark.greenend.org.uk/~sgtatham/putty/

ˆ UNIX OpenSSH, http://www.openssh.com

The switch IP address can be found using the WeConfig tool, see the WeConfig

User Guide[ 54 ] (additional methods are listed in

section 7.1.3

).

The following example illustrates how to login to the switch using PuTTY from a Windows based host system as user admin. In this example, the switch is a

WeOS switch with IP address 192.168.2.200 (the factory default IP address). See

section 5.2

for information about user accounts and passwords.

In the PuTTY session view, select SSH as Connection type, and enter the IP address of the switch (here 192.168.2.200).

© 2015 Westermo Teleindustri AB

49

Westermo OS Management Guide

Version 4.17.1-0

Click the Open button to start the SSH session. You will be presented to a login prompt (see below), and enter login admin and the associated password.

example login: admin

Password:

.--.--.--.-----.-----.------.-----.-.--.--------.-----.

| | | | -__|__ --|_

_| -__| _| . . | _ | http://www.westermo.com

\__/\__/|_____._____| |__| |_____|__| |__|__|__|_____|

Robust Industrial Data Communications -- Made Easy [email protected]

\\/ Westermo WeOS v4.15.0 4.15.0 -- Jun 16 19:10 CEST 2014

Type: ’help’ for help with commands, ’exit’ to logout or leave a context.

example:/#>

The CLI can be accessed remotely by using a Telnet client, in the same way as using SSH. Of security reasons, use of Telnet is discouraged and therefore disabled by default. In order to manage the unit via Telnet, you must first:

ˆ Enable the Telnet server via the CLI, see

section 7.3.49

.

ˆ Enable telnet management for the desired network interface(s) via the CLI

(see

section 19.6.6

).

50

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

5.3

Using the CLI

5.3.1

Starting out with the CLI

When first entering the CLI you end up in the

Admin Exec

context. In the

Admin

Exec

you can view system status information using various ”show” commands, upgrade system firmware, etc., as well as other functions, which do not affect the system configuration.

To be able to modify the switch configuration you should enter the

Global Configuration

context, by using the ”configure” command as shown below. From the

Global Configuration

you are able to configure system parameters such as its

”hostname” or its ”date”.

Example

example:/#> configure example:/config/#>

As described in

section 5.3.2

you can reach other, specific configuration contexts from the

Global Configuration

context.

Example

example:/#> configure example:/config/#> vlan 100 example:/config/vlan-100/#> untagged 1/1,1/2 example:/config/vlan-100/#> end example:/config/#> end example:/#>

To get help on what commands are available in the current context, use the

”help” command (see example in

fig. 5.2

). First the context specific configu-

ration commands are shown, followed by the commands to show the current configuration settings. At the end, commands available in all contexts are shown

(see also

section 5.4

.).

© 2015 Westermo Teleindustri AB

51

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/vlan-100/#> help

Available Commands

============================================================================== enable Enable, or disable this VLAN name <ARG> Set name of VLAN tagged <ARG> untagged <ARG> channel <ARG> priority <ARG> igmp

Set tagged ports

Set untagged ports

Set VLAN channel interface

Set VLAN priority, overrides port priority

Enable, or disable IGMP Snooping show enable show name show tagged show untagged show channel show priority show igmp

Show if VLAN is active or not

Show name of VLAN

Show tagged ports

Show untagged ports

Show VLAN channel interface

Show VLAN priority setting

Show IGMP Snooping status no <ARG> do end leave abort show <ARG>

Prefix, used to disable services or settings.

Shortcut to EXEC mode, e.g. do ping <IP>.

Save settings and return to previous mode.

Save settings and return to EXEC mode.

Cancel all changes and leave this mode.

Show summary, or status.

repeat <ARG> help <ARG>

Repeat next command every second, until Ctrl-C

This help text.

tutorial Brief introduction to the CLI

==============================================================================

<ARG> - Command takes argument(s), see help <command> for further information.

Short forms of commands are possible, see the tutorial for more help.

example:/config/vlan-100/#>

Figure 5.2: Use of the ”help” command to list available commands (here in the

VLAN context).

The ”help” command can also be used to get information on a specific command as shown below.

Example

example:/config/vlan-100/#> help igmp

Syntax:

[no] igmp

Description:

Enable, or disable IGMP Snooping

==============================================================================

The [no] keyword is when you want to disable a service or remove a property.

example:/config/vlan-100/#>

52

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

The CLI supports basic TAB-completion, which can come in handy when you do not know the exact command name, e.g., writing ”fi[TAB]” within the IP context will expand to ”firewall”.

TAB-completion is only able to expand the full command when there is no ambiguity. Otherwise the available alternatives will be listed.

Example

example:/#> d[TAB] do debug date example:/#> d dir delete

Furthermore, when there is no ambiguity it is possible to use an abbreviation of a command instead of the full command (i.e., without using TAB-completion).

Example

example:/#> con example:/config/#>

5.3.2

Entering and leaving CLI contexts

Fig. 5.3

gives a general overview of how to enter and leave the various context in the CLI hierarchy. The commands to move between contexts are further discussed in the text below.

To enter

Global Configuration

context from

Admin Exec

context, the ”configure” command is used. From

Global Configuration

context one can reach several specific configuration contexts, and the command to enter them is context specific, e.g.,:

vlan <VID>

Manage VLAN settings for VLAN with given VID.

port <PORT>

Manage port settings for port with given PORT identifier.

interface <IFNAME>

Manage settings for the given network interface.

By entering the

Global Configuration

context the user is able to interactively change the device configuration, however, configuration changes will not take effect until the user leaves the configuration contexts and returns to the

Admin

Exec

context via the ”end” or ”leave” commands.

When the user returns to

Admin Exec

context, the running-configuration of the switch will be updated. To make the configuration changes permanent the running-

© 2015 Westermo Teleindustri AB

53

Westermo OS Management Guide

Version 4.17.1-0 logout

Login prompt (console/SSH) username & password end/logout

Administrator Execution Context leave port <...> configure end

Port Configuration

Context end

Global Configuration Context vlan <...> end

VLAN Configuration

Context rmon end monitor end ip

RMON

Context end

Port Monitoring

General IP

Config. Context

Context firewall end

Firewall/NAT

Config. Context

Figure 5.3: Moving between CLI contexts. Only a subset of the available contexts is shown. Although not shown, the leave and logout commands can be used from all contexts.

configuration should be saved to the startup-configuration using the ”copy” command, see also

chapter 7 .

It is also possible to leave the configuration contexts without updating the running-

configuration. The commands to leave a context are listed below. More information on these and other general CLI commands can be found in

section 5.4

.

end

Confirms configuration changes conducted in this context and returns to the context immediately above. If issued within the

Global Configuration

context, the user returns to the

Admin

Exec

context and the running-configuration is updated.

leave

Confirms configuration changes made and returns to

Admin

Exec

context. The running-configuration is updated.

Ctrl-Z

An alias for leave. Ends your configuration session and returns to

Admin Exec

context.

Continued on next page

54

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

abort

Discards configuration changes conducted in this context and returns to the context immediately above. If issued within the

Global Configuration

context, the user returns to the

Admin

Exec

context without updating the running-configuration. If issued in

Admin Exec

context it works the same as logout.

exit

An alias for abort.

Ctrl-D

An alias for abort. Blocked if any text is already input on the command line.

logout

Log out from the CLI. If conducted from within any of the configuration contexts, all configuration changes are discarded

(i.e., the running configuration is not updated).

5.3.3

CLI command conventions

This section describes the CLI command conventions used within this guide. The syntax for a sample set of CLI commands is shown below:

ˆ [no] default-gw <ADDRESS>

ˆ igmp-interval <12|30|70|150>

ˆ show iface [IFNAMELIST]

Convention Description

command syntax

Command syntax is generally written in typewriter style (fixed width)

”command syntax”

Commands described in running text use bold typewriter style enclosed by quotation marks.

UPPERCASE A variable parameter. Enter value according to the description that follows.

lowercase

|

A keyword parameter. Enter value according to the given syntax.

Vertical bar. Used to separate alternative (mutually exclusive) parameters.

< >

[ ]

Angle brackets. Encloses a mandatory parameter.

Squared brackets. Encloses an optional parameter.

Continued on next page

© 2015 Westermo Teleindustri AB

55

Convention

[< >]

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

Description

Angle brackets within squared brackets. Encloses a mandatory parameter within an optional choice.

56

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

5.4

General CLI commands

The majority of the CLI commands are specific to a certain context, however, there is a set of CLI commands available in all contexts. These commands are explained further here. The ”configure” command used to enter the

Global

Configuration

context from the

Admin Exec

context, is also covered.

Command Section

no <COMMAND> do end leave abort

Section 5.4.1

Section 5.4.2

Section 5.4.3

Section 5.4.4

Section 5.4.5

logout

Section 5.4.6

repeat <COMMAND>

Section 5.4.7

help [COMMAND] tutorial

Section 5.4.8

Section 5.4.9

configure [terminal]

Section 5.4.10

5.4.1

Negate/disable a setting

Syntax no <COMMAND>

Context All contexts

Usage Depending on context the ”no” command disables or resets a setting to default.

Primarily used within configuration contexts to negate or disable a configuration setting, e.g., in port context ”no flow-control” disables flow control. For some commands, ”no” is used to reset to a default value, e.g., ”no

polling-interval” (NTP client context) sets the NTP polling-interval to its default value (600 seconds).

The ”no” command can also be used to negate/disable certain commands outside the configuration context, e.g., to disable debugging or port monitoring.

Default values Not applicable

© 2015 Westermo Teleindustri AB

57

Westermo OS Management Guide

Version 4.17.1-0

5.4.2

Execute (do) command from Admin Exec context

Syntax do <COMMAND>

Context All contexts

Usage Use the ”do <COMMAND>” to execute a COMMAND available in

Admin Exec

context from any context.

For example, when located in

Global Configuration

context, the user could run ”do show running-config” to see the running configuration, or run

”do ping 192.168.1.1” to ”ping” IP address 192.168.1.1.

Default values Not applicable

5.4.3

End context

Syntax end

Context All contexts

Usage Leave this context and return to the context immediately above. If this command is issued within any of the configuration contexts, the command implies that the configuration changes conducted within that context are confirmed. If the command is issued in the

Global Configuration

context, the user returns to the

Admin Exec

context, and the running-configuration is updated.

Default values Not applicable

5.4.4

Leave context

Syntax leave

Context All contexts

Usage Leave this context and return to the

Admin Exec

context. If this command is issued within any of the configuration contexts, the command implies that the configuration changes conducted are confirmed, and the running-

configuration is updated.

Default values Not applicable

58

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

5.4.5

Abort context

Syntax abort

Context All contexts

Usage Leave this context and return to the context immediately above. If this command is issued within any of the configuration contexts, the command implies that the configuration changes conducted within that context are discarded. If the command is issued in the

Global Configuration

context, the user returns to the

Admin Exec

context without updating the running-

configuration.

Default values Not applicable

5.4.6

Logout

Syntax logout

Context All contexts

Usage Logout from system. If this command is issued within any of the configuration contexts, the command implies that the configuration changes conducted are discarded, i.e., the running-configuration is not updated.

Default values Not applicable

5.4.7

Repeat a command

Syntax repeat <COMMAND>

Context

Admin Exec

context

Usage Repeat COMMAND every second until Ctrl-C is pressed.

Default values Not applicable

5.4.8

On-line help

Syntax help <COMMAND>

Context All contexts

© 2015 Westermo Teleindustri AB

59

Westermo OS Management Guide

Version 4.17.1-0

Usage Show help information specific to a certain context, or a specific command.

Default values If no COMMAND is specified, help information related to the current context is shown.

5.4.9

CLI tutorial

Syntax tutorial

Context All contexts

Usage Show CLI tutorial text.

Default values Not applicable

5.4.10

Entering Global Configuration Context

When a user logs in to the CLI the user will enter the

Admin Exec

context. In

Admin Exec

context the user can view status information and have access to tools such as ping and traceroute, but is not able to perform any configuration.

To configure the device, the user can use the configure command to enter the

Global Configuration

context.

Syntax configure [terminal]

Context

Admin Exec

context

Usage Enter global Configuration Context.

The optional terminal argument is a compatibility keyword, for advanced users. It disables all safe guards (yes-or-no questions), making it possible to paste-in configuration files into the terminal.

Pasting in configuration files can also be done with the copy command as copy con run to copy console to running-config.

Default values Interactive mode (i.e. the ”terminal” argument does not apply by default)

60

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 6

WeOS SNMP Support

The Simple Network Management Protocol (SNMP) provides a standardised method to manage and monitor IP devices remotely. The WeOS SNMP agent supports

SNMP v1, v2c and v3.

6.1

Introduction and feature overview

Table 6.1

shows WeOS SNMP control features for the Web and CLI interfaces.

Further description of the SNMP support is presented in the

sections 6.1.1

-

6.1.6

.

If you are only interested in knowing how to manage SNMP features via the Web or CLI, please visit

sections 6.2

or

6.3

directly.

6.1.1

SNMP introduction

The Simple Network Management Protocol (SNMP) provides a standardised method to manage and monitor IP devices remotely. In SNMP a manager station can manage a set of status and configuration objects via an SNMP agent on the management unit. The WeOS SNMP agent supports SNMP v1, v2c and v3.

An SNMP manager:

ˆ can send SNMP GET messages to poll status and configuration information from an SNMP agent.

© 2015 Westermo Teleindustri AB

61

Westermo OS Management Guide

Version 4.17.1-0

Feature Web CLI General

( Sec. 6.2

)

( Sec. 6.3

)

Description

General

Enable/disable SNMP

SNMPv1/v2c

Read Community

Write Community

Trap Community

Trap Host

X

X

X

X

X

X

X

X

X

X

Sec. 6.1.2

Sec. 6.1.2

-

6.1.3

Sec. 6.1.3

SNMPv3

Read-Only SNMPv3 User

Read/Write SNMPv3 User

X

X

X

X

Sec. 6.1.4

Table 6.1: WeOS control of SNMP features.

ˆ can send SNMP SET messages to the SNMP agent to modify the device settings (or issue commands such as ’reboot’).

ˆ can get notified by an agent when specific events occur, such as link down event, via SNMP TRAP messages.

The objects manageable via SNMP are defined in a management information base

(MIB). The WeOS MIB support aims at providing SNMP management primarily via standard MIBs to enable easy integration with existing SNMP management tools.

In addition, WeOS includes an enterprise MIB (private MIB) to provide access to

MIB objects not available via the standard MIBs.

6.1.2

SNMP Communities

An SNMP community is a relationship between the manager and managed station. It can be seen as a (very) basic authentication and authorisation mechanism

for SNMP v1 and v2c

1

. Three types of communities are supported:

ˆ Read community: The SNMP read community is used by a manager to read

SNMP MIB objects from a managed station.

Default read community: public

1

See

section 6.1.4

for secure management using SNMPv3.

62

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

SNMP

Manager

Station

Managed

Device

SNMP

Agent

MIB

Internet/Intranet

SNMP

Agent

MIB

Managed

Device

Figure 6.1: Sample SNMP setup, where one manager station controls two devices by communicating with SNMP agents running on the managed devices.

ˆ Write community: The SNMP write community can be used to write (and read) SNMP MIB objects to (from) a managed station. Thus, if the agent has its write community enabled, it is possible to configure the switch via SNMP.

The write community is typically named ”private”.

Default write community: Disabled

ˆ Trap community: The SNMP trap community is used when an agent wants to send a notification to the manager (SNMP Trap). The trap community is typically named ”public”.

Default trap community: trap

Warning

Using the well-known community strings ”public” and ”private” could pose a serious security problem.

6.1.3

Trap Support

SNMP traps are only generated if there is at least one Trap Host (i.e., SNMP management station) defined. Up to three Trap Hosts can be defined. If two or more

Trap Hosts are configured, traps will be sent to all of them.

© 2015 Westermo Teleindustri AB

63

Westermo OS Management Guide

Version 4.17.1-0

The WeOS SNMP trap support is integrated with the WeOS alarm handling system (see

section 24.1

). This means that you as an operator have fine-grained

control of which traps to send. All traps in the list below, except Coldstart and

lldpRemTablesChange, can be controlled via the alarm handling system.

ˆ Link Alarm: A trap is generated on link up or link down, given that Link Alarm is enabled on that specific port (see

sections 24.1.3

and

8.1.5

).

Link Down OID: iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).

snmpMIB(1).snmpMIBObjects(1).snmpTraps(5).linkDown(3)

Link Up OID: iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).

snmpMIB(1).snmpMIBObjects(1).snmpTraps(5).linkUp(4)

Note

When a port is being reconfigured, link down and link up events are likely to occur. If link-alarm is enabled on that port, a couple of SNMP traps are likely to be generated as a side-effect of the port reconfiguration.

ˆ Cold Start: A trap is generated when a system comes up.

OID: iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).

snmpMIB(1).snmpMIBObjects(1).snmpTraps(5).coldStart(1)

ˆ LLDP Remote System Update: A trap is generated when a remote system has updated.

OID: iso(1).std(0).iso8802(8802).ieee802dot1(1).ieee802dot1mibs(1).

lldpMIB(2).lldpNotifications(0).lldpNotificationPrefix(0).lldpRemTablesChange(1)

ˆ Digital-In: A trap is generated when the voltage level on the pins of a digital-in sensor changes from high to low, or low to high.

Digital-In High OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

sensorNotifications(1).sensorNotificationPrefix(0).digitalInHigh(1)

Digital-In Low OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

sensorNotifications(1).sensorNotificationPrefix(0).digitalInLow(2)

ˆ Power Supply: A trap is generated when the voltage level on any of the power feeds changes from high to low, or low to high.

64

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Power Supply High OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

sensorNotifications(1).sensorNotificationPrefix(0).powerSupplyHigh(3)

Power Supply Low OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

sensorNotifications(1).sensorNotificationPrefix(0).powerSupplyLow(4)

ˆ Temperature: A trap is generated when the temperature measured by a built-in temperature sensor reaches the configured rising or falling thresholds.

Temperature High OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

sensorNotifications(1).sensorNotificationPrefix(0).temperatureHigh(5)

Temperature Low OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

sensorNotifications(1).sensorNotificationPrefix(0).temperatureLow(6)

ˆ FRNT Ring Status: A trap is generated when a unit detects a change of

FRNT ring status, i.e., ring up (ring mode) or ring down (bus mode).

FRNT Ring Up OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

frntNotifications(2).frntNotificationPrefix(0).frntRingUp(1)

FRNT Ring Down OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

frntNotifications(2).frntNotificationPrefix(0).frntRingDown(2)

ˆ SNR-margin: On units with a SHDSL/xDSL port traps are generated when the SNR margin falls below (or rises above) a configurable threshold.

OID: iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).transmission(10).

hdsl2ShdslMIB(48).hdsl2ShdslNotifications(0).hdsl2ShdslSNRMarginCrossing(2)

ˆ LFF Status: On units with SHDSL ports, a trap is generated when a unit detects a change in the Link Fault Forward (LFF) status on a SHDSL port, i.e., if the remote end reports that its Ethernet port is up or down.

LFF Remote Up OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

lffNotifications(3).lffNotificationPrefix(0).lffRemoteUp(1)

© 2015 Westermo Teleindustri AB

65

66

Westermo OS Management Guide

Version 4.17.1-0

LFF Remote Fail OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

lffNotifications(3).lffNotificationPrefix(0).lffRemoteFail(2)

ˆ PoE total power consumption: On units with Ethernet ports supporting

Power over Ethernet, traps are generated with the total consumed power rises above (or falls below) a configurable threshold.

Power consumption above threshold OID: iso(1).org(3).dod(6).internet(1).

mgmt(2).mib-2(1).powerEthernetMIB(105).pethNotifications(0).

pethMainPowerUsageOnNotification(2)

Power consumption below threshold OID: iso(1).org(3).dod(6).internet(1).

mgmt(2).mib-2(1).powerEthernetMIB(105).pethNotifications(0).

pethMainPowerUsageOffNotification(3)

ˆ Summary Alarm Status: The summary alarm status (summaryAlarmSta-

tus) follows the status of the ON LED:

when the ON LED turns red, the summaryAlarmStatus has value Warn-

ing (1).

when the ON LED turns green, the summaryAlarmStatus has value OK

(2).

It is possible to get SNMP traps when the summary Alarm Status changes state (see

section 24.3.16

for information of how to enable summary alarm traps). When enabled, a summaryAlarmOK trap is sent when the ON LED turns green, and a summaryAlarmWarning trap is sent when it turns red.

Summary Alarm OK OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

genericNotifications(4).genericNotificationPrefix(0).summaryAlarmOK(1)

Summary Alarm Warning OID: iso(1).org(3).dod(6).internet(1).private(4).

enterprises(1).westermo(16177).common(2).weos(1).notifications(6).

genericNotifications(4).genericNotificationPrefix(0).summaryAlarmWarning(2)

The summary alarm status can be read at the following OID:

iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).westermo(16177).

common(2).weos(1).system(5).eventSystem(2).summaryAlarmStatus(1)

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

6.1.4

Secure management using SNMPv3

To manage a unit securely via SNMP, SNMPv3 should be used. SNMPv3 provides privacy and integrity (per packet authentication) to the SNMP messages.

SNMPv3 introduces the notion of a SNMPv3 user, as opposed to the community concept used in SNMPv1/v2c. The following parameters can be configured for an

SNMPv3 user.

ˆ Read-Only or Read-Write access: Defines whether the user should have read access to the SNMP variables, or be able to read and modify them.

ˆ Security Mode: Three security modes are available:

noAuthnoPriv: No security (i.e., neither authentication, nor encryption)

authNoPriv: Authentication, but no privacy.

authPriv: Authentication and Encryption

Note

As of WeOS v4.17.1, the WeOS SNMP agent accepts SNMP requests of security level authNoPriv also for SNMPv3 users created at level auth-

Priv. This feature is likely to be removed in future WeOS releases.

ˆ Encryption protocol: WeOS offers SNMPv3 data encryption using DES and

AES-128.

ˆ Authentication protocol: WeOS offers SNMPv3 data integrity using using

MD5 and SHA1.

ˆ Scope: A user can be restrained to only access a part of the MIB tree supported by the unit.

The encryption and authentication passwords are strings of 8-16 characters.

ASCII characters 33-126 except ’#’ (ASCII 35) are allowed.

A maximum of 8 SNMPv3 users can be defined, each with their own parameter set.

6.1.4.1

SNMPv3 example

This example illustrates the configuration of an SNMPv3 user on the a WeOS switch. The user alice is grated read-only access to the full MIB tree. Security

© 2015 Westermo Teleindustri AB

67

Westermo OS Management Guide

Version 4.17.1-0 level authNoPriv is used where SHA1 is used as authentication protocol.

Example

example:/#> configure example:/config/#> snmp-server example:/config/snmp/#> rouser alice auth sha1 alicepwd example:/config/snmp/#> leave example:/#> cp running start

Section 6.1.6

lists recommended SNMP management software. Those tools have graphical user interfaces and should be straight forward to use. For a simple test you could also use the (Unix) Net-SNMP ”snmpwalk” command. (Here it is assumed that the switch is accessible on IP address 192.168.2.200 and the

”walk” is limited to the mib-2 system’s group).

Example

mypc:~$ snmpwalk -v3 -u alice -l authNoPriv -a SHA -A alicepwd 192.168.2.200 system

SNMPv2-MIB::sysDescr.0 = STRING: Westermo RedFox Industrial, primary: v4.4.0, backup: v4.

bootloader: v2.01, fpga: v20080626

SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.16177

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (94018) 0:15:40.18

SNMPv2-MIB::sysContact.0 = STRING:

SNMPv2-MIB::sysName.0 = STRING: redfox

SNMPv2-MIB::sysLocation.0 = STRING:

SNMPv2-MIB::sysServices.0 = INTEGER: 79

SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

mypc:~$

6.1.5

Supported MIBs

6.1.5.1

Standard MIBs

As of WeOS v4.17.1 the following standard MIBs are supported:

ˆ RFC1213 MIB-2: The original MIB-2 standard MIB.

ˆ RFC2863 Interface MIB: The ifXTable of the IF-MIB is supported.

ˆ RFC2819 RMON MIB: RMON Ethernet statistics (etherStatsTable) is supported.

ˆ RFC4188 Bridge MIB

ˆ RFC4318 RSTP MIB

ˆ RFC4363 Q-BRIDGE MIB: The dot1qVlan group and dot1qVlanStaticTable are supported, enabling support for static VLAN configuration.

68

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ RFC4836 MAU MIB: The dot3IfMauBasicGroup and dot3IfMauAutoNegGroup of the MAU MIB are supported.

ˆ RFC3635 Ether-like Interface MIB: The dot3StatsTable is supported, enabling monitoring of various error counters for Ethernet ports.

ˆ RFC4133 Entity MIB: The entityPhysical group of the Entity MIB is supported.

It can be used to read unit serial number, firmware version, etc.

ˆ RFC3433 Entity Sensor MIB: The Entity Sensor MIB can be used to monitor the status of unit sensors for temperature, power supply, and ”digital-in”, etc.

ˆ RFC 4319 HDSL2/SHDSL MIB: On products with SHDSL ports, the

hdsl2ShdslSpanConfTable, hdsl2ShdslSpanStatusTable,

hdsl2ShdslInventoryTable and hdsl2ShdslSpanConfProfileTable are supported

(read-only).

ˆ RFC 3621 Power Ethernet MIB: The PoE MIB is supported on products with

PoE ports.

ˆ IEEE 802.1AB LLDP MIB

ˆ RFC2787 VRRPv2 MIB: The vrrpOperations group is supported (read-only).

ˆ RFC6527 VRRPv3 MIB: The vrrpv3Operations group is supported (read-only).

6.1.5.2

Private MIB

To use the WeOS private MIB, two Westermo specific MIB files should be loaded into your SNMP management software (see

section 6.1.6

for information on recommended management software):

ˆ WESTERMO-MIB: Defines the top level objects of the Westermo Private MIB name space.

ˆ WESTERMO-WEOS-MIB: Defines the WeOS branch of the Westermo Private

MIB.

6.1.6

Recommended Management Software

The following SNMP managers are recommended:

© 2015 Westermo Teleindustri AB

69

Westermo OS Management Guide

Version 4.17.1-0

ˆ OidView from ByteSphere 2

.

ˆ MG-SOFT MIB Browser Pro. from MG-SOFT

3

.

ˆ SNMPc from Castlerock Computing 4

.

2 http://www.oidview.com/oidview.html

. OidView is a trademark of BYTESPHERE TECHNOLO-

GIES LLC.

3 http://www.mg-soft.com/mgMibBrowserPE.html

.

4 http://www.castlerock.com/

. SNMPc is a trademark of Castlerock Computing.

70

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

6.2

Managing SNMP via the web interface

Menu path: Configuration SNMP

On the SNMP configuration page you will be presented to the current settings for

SNMP on your switch, see below. You may change the settings by editing the page.

On the lower part of the page there is a list of SNMP v3 Users.

Enabled

Read Community

Check the box to enable SNMP. If you have a

JavaScript enabled browser the other settings will not be displayed unless you check this box.

A community identifier for read access. Leave blank to disable read community.

Write Community

Trap Community

A community identifier for read/write access.

Leave blank to disable write community.

A community identifier for traps. Defaults to community identifier trap.

Trap Host Address 1/2/3

IP address of SNMP trap management station.

None, one , two or three addresses may be filled in. Leave all blank to disable SNMP traps.

© 2015 Westermo Teleindustri AB

71

Westermo OS Management Guide

Version 4.17.1-0

6.2.1

Manage SNMP v3 Users

On the lower part of the SNMP configuration page you will be presented to the list of currently configured SNMP v3 users.

Figure 6.2: Listing of SNMP v3 users.

Type

Name

Auth

Auth.

Passphrase

Crypto

Crypto

Passphrase

OID Tree

Edit

Delete

New User

Access rights for the user.

rwuser

User has read and write access.

rouser

User has read access only.

A text string defining the user. Max 32 characters. Valid characters are ASCII 33-126 except ’#’ (ASCII 35).

Achieve message integrity protection by specifying MD5 or

SHA1 message authentication.

The authentication password is a string of 8-16 characters.

ASCII characters 33-126 except ’#’ (ASCII 35) are allowed.

Achieve message privacy by specifying DES or AES128 message encryption.

The encryption password is a string of 8-16 characters. ASCII characters 33-126 except ’#’ (ASCII 35) are allowed.

Limit access to a certain branch of the supported MIB. Defaults to the whole tree (’1.’)

Click this icon to edit the SNMP v3 user in that table row.

Click this icon to remove a the SNMP v3 user in that table row.

Click on this button to create a new SNMP v3 user.

When clicking the New User button, the SNMP v3 user edit page will be displayed.

72

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Figure 6.3: New SNMP v3 user.

See table above for description of fields.

© 2015 Westermo Teleindustri AB

73

Westermo OS Management Guide

Version 4.17.1-0

6.3

Manage SNMP Settings via the CLI

Command

SNMP Server Configuration

[no] snmp-server

[no] rocommunity <COMMUNITY>

[no] rwcommunity <COMMUNITY>

[no] trapcommunity <COMMUNITY>

[no] host <IPADDR>

[no] rouser <USERNAME>

[auth <md5|sha1> <PASSPHRASE>

[crypto <des|aes128> <PASSPHRASE>]]

[OIDTREE]

[no] rwuser <USERNAME>

[auth <md5|sha1> <PASSPHRASE>

[crypto <des|aes128> <PASSPHRASE>]]

[OIDTREE]

Default Section

Enabled

Section 6.3.1

public

Section 6.3.2

Disabled

Section 6.3.3

trap

Section 6.3.4

Disabled

Section 6.3.5

Disabled

Section 6.3.6

Disabled

Section 6.3.7

SNMP Server Status show snmp-server

Section 6.3.8

6.3.1

Manage SNMP Server

Syntax [no] snmp-server

Context

Global Configuration

context.

Usage Enter

SNMP Server Configuration

context. If the SNMP server is disabled, it will be enabled when issuing the ”snmp-server” command. Use ”no

snmp-server” to disable the SNMP server.

Use ”show snmp-server” to show all SNMP server settings. (Also available as ”show” command within the snmp-server context.)

Default values Enabled.

74

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

6.3.2

Manage SNMP Read Community

Syntax [no] rocommunity <COMMUNITY_STRING>

Context

SNMP Server Configuration

context.

Usage Configure the SNMP Read Community string. Use ”no rocommunity” to disable the SNMP Read Community.

Use ”show rocommunity” to show the SNMP Read Community setting.

Default values rocommunity public

6.3.3

Manage SNMP Write Community

Syntax [no] rwcommunity <COMMUNITY_STRING>

Context

SNMP Server Configuration

context.

Usage Configure the SNMP Write Community string. Use ”no rwcommunity” to disable the SNMP Read Community.

Use ”show rwcommunity” to show the SNMP Write Community setting.

Default values Disabled.

6.3.4

Manage SNMP Trap Community

Syntax [no] trapcommunity <COMMUNITY_STRING>

Context

SNMP Server Configuration

context.

Usage Configure the SNMP Trap Community string. ”no trapcommunity” will reset the trap community to the default string (”trapcommunity trap”).

Use ”show trapcommunity” to show the SNMP Trap Community setting.

Default values trap

6.3.5

Manage SNMP Trap Hosts

Syntax [no] host <IPV4ADDRESS>

© 2015 Westermo Teleindustri AB

75

Westermo OS Management Guide

Version 4.17.1-0

Context

SNMP Server Configuration

context.

Usage Configure a SNMP Trap Host. Up to three trap hosts can be configured (issue the ”trap-host” command multiple times with different IP addresses).

Use ”no host <IPV4ADDRESS>” to remove a trap-host and ”no host” to remove all trap hosts.

Without any defined trap host, SNMP traps will not be sent.

Use ”show host” to show the configured SNMP Trap Hosts.

Default values Disabled.

6.3.6

Manage SNMPv3 Read-Only User

Syntax [no] rouser <USERNAME> [auth <md5|sha1> <PASSPHRASE> [crypto

<des|aes128> <PASSPHRASE>]] [OIDTREE]

Context

SNMP Server Configuration

context.

Usage Configure a SNMP read-only user.

ˆ USERNAME: A text string defining the user. Max 32 characters. Valid characters are ASCII 33-126 except ’#’ (ASCII 35).

ˆ Authentication: Achieve message integrity protection by specifying MD5 or SHA1 message authentication. The authentication password is a string of 8-16 characters. ASCII characters 33-126 except ’#’ (ASCII 35) are allowed.

ˆ Encryption: Achieve message privacy by specifying DES or AES128 message encryption. The encryption password is a string of 8-16 characters. ASCII characters 33-126 except ’#’ (ASCII 35) are allowed.

ˆ OIDTREE: Limit access to a certain branch of the supported MIB. Defaults to the whole tree (’1.’)

Use ”no rouser <USERNAME>” to remove a specific read-only user, or ”no

rouser” to remove all read-only users.

Use ”show rouser” show settings for configured SNMPv3 read-only users.

Default values Disabled.

Examples

76

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Authentication and encryption:

”rouser alice auth sha1 alicepwd1 crypto aes128 alicepwd2”

ˆ Authentication with access to dot1dBridge subtree:

”rouser bob auth md5 bobspwd1 1.3.6.1.2.1.17”

6.3.7

Manage SNMPv3 Read-Write User

Syntax [no] rwuser <USERNAME> [auth <md5|sha1> <PASSPHRASE> [crypto

<des|aes128> <PASSPHRASE>]] [OIDTREE]

Context

SNMP Server Configuration

context.

Usage Configure a SNMP read-write user. For more information, see

section 6.3.6

.

Use ”show rwuser” show settings for configured SNMPv3 read-write users.

Default values Disabled.

Examples See

section 6.3.6

.

6.3.8

Show SNMP server status

Syntax show snmp-server

Context

Admin Exec

context.

Usage Show whether SNMP server is running or not.

Examples

SNMP server enabled

Example

example:/#> show snmp-server

SNMP server running as PID: 540 example:/#>

SNMP server disabled (see ”no snmp-server” in

section 6.3.1

).

Example

example:/#> show snmp-server

No SNMP server currently running example:/#>

© 2015 Westermo Teleindustri AB

77

Westermo OS Management Guide

Version 4.17.1-0

Part II

Common Switch Services

78

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 7

General Switch Maintenance

7.1

Overview

The table below summarises maintenance features available for the different management tools. General descriptions of these features are presented in

sections 7.1.1

-

7.1.10

. If you are only interested in knowing how to manage mainte-

nance features via the Web or CLI, please visit

sections 7.2

or

7.3

directly.

Web

CLI

General Description Feature

Firmware Upgrade

Upgrade primary firmware

Upgrade backup firmware

Upgrade bootloader

View firmware versions

X

X

X

X

Section 7.1.1

X

X

X

-”-

-”-

-”-

Bootstrap Options

Configuration File Media

BOOTP Bootstrap Settings

USB Bootstrap Settings

Login Account management

Set Admin Password

Recover from lost Admin Password

X

X

X

X

X

Section 7.1.2.2

-”-

-”-

Section 21.1.1

Section 7.1.3

Continued on next page

© 2015 Westermo Teleindustri AB

79

80

Westermo OS Management Guide

Version 4.17.1-0

Feature

Configuration Files and Reboot

Reset to Factory Default

Reboot

View Configuration Files

Alternate Configuration Files

Configuration Backup

Configuration Upload

Auto-Backup and Restore (USB)

Configuration Deployment (USB)

Virtual File System

Maintenance of Configuration

Log and USB files

Certificate and Key Management

Upload PKCS#12 Bundle

Upload PEM file

Public Certificate

Private Key

CA Certificate

Upload OpenVPN static key file

Set (non-default) Label

Controlling Management Services

Enable/disable LLDP

Enable/disable Web

Enable/disable IPConfig

Enable/disable SSH

Enable/disable Telnet

Enable/disable SNMP

Maintenance and diagnostic tools

Ping

Traceroute

X

X

(X)

X

X

Continued from previous page

Web

CLI

General Description

X

Section 7.1.3

X

Section 7.1.4

X

-”-

X

Sections 7.1.4

and

7.1.5

X

Sections 7.1.4

and

7.1.5

X

Sections 7.1.4

and

7.1.5

X

Section 7.1.6

Section 7.1.7

(X)

X

X

X

X

X

X

X

X

X

X

X

X

X

Section 7.1.5

-”-

X

Section 7.1.8

X

X

X

X

X

X

X

X

X

X

X

X

X

-”-

-”-

-”-

-”-

-”-

-”-

Section 7.1.9

(See

chapter 6

Section 7.1.10

-”-

)

Continued on next page

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Feature

IPConfig Client

Port Monitoring

Wake-On-Lan

SSH Client

Telnet Client

Tech Support

Other maintenance features

Show System Environment Sensors

Show System Uptime

Show Memory Usage

Show Running Processes

Show Flash Table

Update Flash Table

1

Continued from previous page

Web

CLI

General Description

X

X

X

X

X

X

X

X

-”-

-”-

-”-

X

X

X

X

X

X

X

X

X

X

-”-

7.1.1

WeOS Firmware

A WeOS unit holds two types of firmware:

ˆ System firmware: The system firmware holds the operating system, which is what we usually refers to when we say WeOS. For robustness purposes, a

WeOS unit typically holds two separate system firmware images.

Primary firmware image: The primary firmware image (or primary image) contains the system firmware image loaded by default by the bootloader.

Backup firmware image: The backup firmware image (also known as backup image or secondary image) contains the system firmware image loaded in case an error is encountered while loading the primary image.

1

Ability to update the flash partition table is only available on early RedFox units (Industrial and

Rail), where the flash partition table needs to be modified before upgrading to WeOS 4.3.0 or later.

See

section 7.1.11

for details.

© 2015 Westermo Teleindustri AB

81

Westermo OS Management Guide

Version 4.17.1-0

Hint

It is strongly recommended to use the same system firmware ver-

sion for the primary and backup image. Thereby you ensure that the backup firmware interprets the configuration file the same way the primary firmware does.

For information on how to keep the primary and backup firmware synchronised, see

section 7.1.1.2

.

ˆ Bootloader: The bootloader firmware (or simply ”bootloader”) is the basic firmware run to bootstrap the system. The bootloader will in turn load the system firmware (trying the primary image first).

It is possible to upgrade both the system firmware (primary and secondary image) and the bootloader firmware. As of WeOS v4.17.1, the system firmware can be upgraded via the Web or via the CLI, while the bootloader is only possible to upgrade via the CLI.

Warning

There is no general guarantee that an older system firmware can be loaded into the switch, i.e., downgrade is not generally guaranteed to work. However, if the firmware is downgraded for example from version 4.16.0 to

4.15.1, it is recommended to reboot the switch once the old firmware has been installed. When the switch comes up with the old firmware (here

4.15.1), copy the factory default configuration to the running configuration.

See

section 7.1.4

for more information on configuration files.

7.1.1.1

Upgrading firmware and bootloader

Firmware and bootloader for WeOS products can be downloaded from www.westermo.

com .

The method to upgrade firmware and bootloader differs somewhat if the unit to upgrade is running WeOS 4.13.1 (or later), as compared to units running releases before 4.13.1.

ˆ Units running WeOS 4.13.1 or later: The WeOS firmware and bootloader can be upgraded using a common ”pkg” file in WeOS 4.13.1 and later. This is explained further in

section 7.1.1.1.2

.

82

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Note

WeOS releases older than 4.13.1 (e.g., WeOS 4.13.0 or 4.11.2) are unable to handle ”pkg” files.

ˆ Units running releases earlier than WeOS 4.13.1: When upgrading WeOS units running older versions than WeOS 4.13.1 (e.g., WeOS 4.13.0 or 4.11.2), there are individual firmware and bootloader files per WeOS product. This is described in

section 7.1.1.1.1

.

Hint

If your unit is running a WeOS, e.g., WeOS4.12.0, and you wish to upgrade using a ”pkg” installation file (e.g., ”WeOS-4.14.0.pkg”) you first need to upgrade to WeOS 4.13.1 using the old method in

section 7.1.1.1.1

.

Hint

If the switch reports lack of free memory when trying to upgrade the firmware, try to disable non-essential services on the switch.

7.1.1.1.1

Upgrading when running older firmware than WeOS 4.13.1

Before WeOS 4.13.1 the firmware installation file to use differed per product family. Similarly, there were different bootloader installation files per product. A summary of name conventions is given in the table below:

Product Primary and secondary FW

Bootloader FW

RedFox rwXXXX.img

xscale-redboot-YYY.bin

(e.g., rw4112.img) (e.g., xscale-2.03.bin)

Lynx and lwXXXX.img

Viper (e.g., lw4112.img) imx27-redboot-ZZZ.bin

(e.g., imx27-redboot-4.11.bin)

Wolverine wwXXXX.img

(e.g., ww4112.img)

Falcon fwXXXX.img

(e.g., fw4112.img)

If you run a release older than 4.13.1, and wish to upgrade to 4.14.0 or later, where only ”pkg” files are supported, you must first upgrade to 4.13.1 (or some

© 2015 Westermo Teleindustri AB

83

Westermo OS Management Guide

Version 4.17.1-0

later 4.13.x release) using ”img” files

1

.

Hint

Although any 4.13.x release from 4.13.1 and later can be used as intermediate release when upgrading to pkg files, it is recommended that you use the most recent 4.13.x release. See www.westermo.com

for download of WeOS

4.13 releases.

Below there are examples showing how to upgrade the primary firmware to a

WeOS 4.13 release with support for ”pkg” files (here ”4.13.4” is used) and bootloader via a FTP server (or TFTP server) at 192.168.3.10 on a WeOS Lynx unit.

ˆ Upgrading primary firmware via CLI on a Lynx (before WeOS 4.13.1). Here we upgrade to WeOS 4.13.4 from a FTP server at 192.168.3.10.

Example

example:/#> upgrade primary 192.168.3.10 lw4134.img ...

ˆ Upgrading bootloader via CLI on a Lynx (before WeOS 4.13.1). Here we upgrade the bootloader to ”imx27-redboot-4.11.bin” from a FTP server at

192.168.3.10.

Example

example:/#> upgrade boot 192.168.3.10 imx27-redboot-4.11.bin ...

7.1.1.1.2

Upgrading when running WeOS 4.13.1 (or later)

If you have

WeOS 4.13.1 or later installed, upgrading firmware or bootloader is simplified in the sense that the same installation file (a ”pkg” file) is used for all types of upgrades (bootfile or firmware) on any type of WeOS product.The table below lists the firmware used upgrade system firmware and bootloader.

Bootloader Firmware Product Family System Firmware

(Primary/Secondary Image)

All WeOS products WeOS-X.X.X.pkg

(e.g., WeOS-4.17.1.pkg)

WeOS-X.X.X.pkg

(e.g., WeOS-4.17.1.pkg)

1

WeOS 4.13.1 and later 4.13.x releases are available both as ”img” and ”pkg” files, while only

”pkg” files are available from WeOS4.14.0 and onwards.

84

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Thus, upgrading the primary (or secondary) system firmware image, or the bootloader will be done using the same (pkg) installation file.

Note

If you use TFTP for upgrading with ”pkg” files, make sure your TFTP server

supports large files as defined in RFC2347[ 22 ].

Note

Be aware that upgrade using TFTP may be much slower compared to the FTP or HTTP methods. This is of particular concern if the link you are transfering data through has high latency. Some examples are: ADSL/VDSL/SHDSL links, 3G/4G links or accessing via VPN tunnel.

This is an effect of how the TFTP protocol works.

Every data block that is sent is ACKed by the other end, and the sender will wait for this ACK before sending the next piece of data. FTP and HTTP use TCP for transfer, and TCP has its sliding window algorithm that is much better suited for high latency scenarios.

An example calculation of approximate transfer time for a high latency link:

Let’s say the data is 50 Mbyte (PKG files are often larger than this) and the latency, or round-trip-delay, is: 50 ms.

The standard TFTP block size is 512 bytes.

50 Mbyte divided in 512 byte sized blocks means 102400 blocks.

This translates to 5120 seconds at 50 ms per block, or 1 hour and 25 minutes!

Below you find CLI examples to illustrate upgrading firmware and bootloader using ”pkg” files:

ˆ Upgrading firmware via CLI: Here we upgrade the primary firmware to ’WeOS

4.17.1 from a FTP server (or TFTP server) at 192.168.3.10.:

Example

example:/#> upgrade primary 192.168.3.10 WeOS-4.17.1.pkg

...

ˆ Upgrading bootloader via CLI: Here we upgrade to the bootloader from a FTP server (or TFTP server) at 192.168.3.10.):

© 2015 Westermo Teleindustri AB

85

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> upgrade boot 192.168.3.10 WeOS-4.17.1.pkg

...

Note

If your unit has an older version than WeOS 4.13.1 (e.g., WeOS 4.12.1), you are not able to upgrade using WeOS ”pkg” installation files directly. You first need to upgrade to WeOS 4.13.1 (or a later 4.13.x release) using the methods described in

section 7.1.1.1.1

.

7.1.1.2

Keeping Primary and Backup Firmware Synchronised

It is recommended to use the same version for primary and backup firmware.

This ensures that your unit will have same functionality if it boots on the backup firmware as on the primary firmware.

Therefore, when upgrading the primary firmware, you are recommended to upgrade the backup firmware too. This section includes a 4-step example, where it is assumed you wish to upgrade the primary firmware on a WeOS unit from WeOS

4.13.4 to WeOS 4.14.1, i.e., from image ”WeOS-4.13.4.pkg”

2

to ”WeOS-4.14.1.pkg”.

1. Prepare: (This step is not necessary if you did

steps 3

and

4

during an earlier upgrade, or if you have never upgraded your unit.)

Before upgrading the primary firmware, check that the backup firmware is of the same version as the primary (here WeOS 4.13.4), and that the startup configuration file is matching the firmware version.

(a) Startup Configuration file matching current firmware version (here WeOS

4.13.4): The simplest way to ensure that your startup configuration file is in-line with the current firmware version is to click an Apply ”button” in the Web (e.g., Apply in the IGMP configuration page, see

section 18.2

), or to run ”copy running-config startup-config” in the

CLI (see

section 7.3.22

).

Note

From WeOS 4.15.0 and onwards, this step is no longer necessary, as the startup configuration will then automatically be updated inline with the current firmware version. See also

section 7.1.4

.

2

WeOS 4.13.1 and later 4.13.x releases are available both in ”pkg” and ”img” format.

86

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

(b) Verify that version of backup image is the same as the primary firmware:

To find out what firmware version you are using, see Detailed Sys-

tem Overview page in the Web (see

section 4.4.2

) or use the ”show

system-information” in the CLI (see

section 7.3.2

). In the example

below the primary firmware version is 4.13.4 and the backup is 4.9.2.

Example

example:/#> show system-information

System Information

===============================================================================

System Name

System Contact

System Location

System Timezone

: example

:

:

: Etc/UTC

Product Family : Lynx

Architecture

Article number

: mxc

: 3643-0105-007

Boot loader ver.

: 4.11

Main firmware ver. : 4.13.4

... (More info follows) example:/#>

Model : L210

Base MAC Address

Serial Number

: 00:07:7c:10:de:80

: 16975

Active firmware : Main

Backup firmware ver: 4.9.2

If the backup image is of a different version (as in the example above), you should upgrade the backup firmware (to WeOS 4.13.4) before moving to

step 2 . To upgrade the backup firmware (to WeOS 4.13.4), ei-

ther use the Web upgrade facility, see

section 7.2.1

, or use the CLI

”upgrade” command, see

section 7.3.1

. The example below shows an

upgrade of the backup firmware from a FTP/TFTP server at 192.168.3.10.

© 2015 Westermo Teleindustri AB

87

Westermo OS Management Guide

Version 4.17.1-0

88

Example

example:/#> upgrade secondary 192.168.3.10 WeOS-4.13.4.pkg

==> Upgrade in progress, console disabled.

Please stand by ... <==

Connecting to 192.168.3.10:21 (192.168.3.10:21)

WeOS-4.13.4.pkg

100% |*******************************| 57747k 0:00:00 ETA

Checking download ...

Unpacking weos (from /upgrade/download)...

Setting up weos (4.13.4-1)...

Checking lw4134.img ...

Type: CramFS

ID: OK (Lnx2)

Size: OK

CRC: OK 0xDC73D8CD

Flashing /dev/mtd2 ...

100% - [====================================================================]

Updating RedBoot directory with new CRC ...

100% [====================================================================]

Done.

example:/#>

2. Upgrade primary: To upgrade the primary firmware to WeOS 4.14.1, either use the Web upgrade facility (see

section 7.2.1

), or use the CLI ”upgrade”

command from the CLI (see

section 7.3.1

). E.g., use ”upgrade primary

192.168.3.10 WeOS-4.14.1.pkg” to upgrade the primary firmware from a

FTP/TFTP server at 192.168.3.10. Compare with the example in

step 1b .

Note

As you are running your unit on a primary firmware, upgrading the primary firmware implies that the unit will automatically be rebooted when the upgrade finishes.

3. Login and confirm configuration: At the end of the upgrade process, the unit will reboot, using the new primary image if the upgrade procedure succeeded. After logging in again, do the following steps:

(a) Verify configuration: Verify that the unit works as expected, doing whatever tests you find necessary for your use case. If the unit does not work as excepted, you should either consider downgrading to the previous version (here WeOS 4.13.4) or to inspect the running configuration to find and correct the cause of your problems.

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Note

If you decide to downgrade, it is recommended to do that be-

fore changing or saving startup configuration for the new version

(WeOS 4.14.1), as there are no general guarantees that the older

WeOS version can interpret a later configuration file in exact the same way.

(b) Make Startup Configuration file match the new firmware version (here

WeOS 4.14.1): (This is similar to

step 1a , but now for the new firmware.)

If the unit works as expected, store the configuration in-line with the new firmware (WeOS 4.14.1). The simplest way is to click an Apply

”button” in the Web (e.g., Apply in the IGMP configuration page, see

section 18.2

), or to run ”copy running-config startup-config” in

the CLI (see

section 7.3.22

).

Note

From WeOS 4.15.0 and onwards, this step is no longer necessary, as the startup configuration will then automatically be updated inline with the current firmware version. See also

section 7.1.4

.

4. Upgrade backup firmware: The last step is to upgrade the backup firmware to the new WeOS version (here 4.14.1). For this you can use the Web upgrade facility, see

section 7.2.1

, or the CLI ”upgrade” command, e.g.,

”upgrade secondary 192.168.3.10 WeOS-4.14.1.pkg” to upgrade the secondary firmware from a FTP/TFTP server at 192.168.3.10. Compare with the example in

step 1b .

© 2015 Westermo Teleindustri AB

89

Westermo OS Management Guide

Version 4.17.1-0

7.1.2

System bootstrap

During system bootstrap, the bootloader firmware is responsible for loading the

system firmware. This is described further in

section 7.1.2.1

.

As part of the bootstrap, the WeOS unit is also capable of conducting a cable fac-

tory reset ( section 7.1.3.3

. The configuration is typically read from flash (startup-

configuration file), but it is possible to retrieve the configuration from USB ( section 7.1.6

-

7.1.7

), or via BOOTP. Options for controlling these and other bootstrap

related settings is covered in

section 7.1.2.2

.

7.1.2.1

Loading System Firmware (WeOS)

The bootloader attempts to load the primary system firmware image, with fallback to loading the secondary system firmware if fails to load the primary firmware.

As described further below, different WeOS products use different bootloaders

(Barebox, U-boot or RedBoot).

The Barebox bootloader enables you to stop the bootstrap process (from console port, press Ctrl-C at system startup), and enter an interactive boot-menu.

Example

Barebox Boot Menu

1: Primary Partition

2: Secondary Partition

3: Network (BOOTP)

4: System Recovery

5: Shell

Access to the Barebox boot-menu can be password protected ( section 7.1.2.2

).

From the boot-menu you can select which system firmware image (WeOS) to load (primary or secondary image on flash), but you can also choose to download a firmware remotely via TFTP into RAM, by entering the rescue-mode (System

Recovery).

Note

As of WeOS v4.17.1, use of BOOTP in the Barebox boot-menu (alternative

”3.”) is a technology preview. Use of TFTP (rescue mode) or BOOTP is limited to Ethernet ports with ”internal PHY”; SFP ports can for example not be used.

90

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Warning

Do not enter the bootloader shell (option ”3.”) unless you know what you are doing. Use of the bootloader shell is unsupported and can result in a broken unit.

If Barebox fails to load both the primary and secondary firmware, it will enter the rescue-mode, which you can access via the console port. As when entering rescue-mode from the regular boot-menu, you can download a new firmware into

RAM via TFTP. Once the unit has booted, you can login and conduct a regular firmware upgrade (storing the firmware to flash).

In rescue-mode, Barebox also provides a rescue console service (UDP network console), which is useful if you do not have access to a console cable, or if your

WeOS product lacks a console port. The rescue console can be accessed using any tool that can open a UDP socket, e.g., netcat on a Unix system ”nc -u -p

6000 192.168.2.200 6000” if the default IP and UDP port numbers are used; this assumes your PC has IP address 192.168.2.1.

Section 7.1.2.2

gives more information on configuration options related to the rescue console.

WeOS units run different types of bootloaders (Barebox, U-boot or RedBoot), and the boot-menu and rescue-mode features described above only apply to Barebox. The following bootloaders are used by different the different WeOS product platforms.

ˆ Atlas: Products based on the Atlas use the RedBoot bootloader

ˆ Basis: Products based on the Basis also use the RedBoot bootloader

ˆ Corazon: Products based on the Corazon use the U-boot or Barebox bootloader. Barebox is supported from WeOS 4.15.2, and is now the preferred bootloader for Corazon products.

For information about what platform your product has, see

section 4.4.2

(Web), or

section 7.3.2

) (CLI), or see the product list in

section 1.5

.

If you wish to check what type of bootloader (Barebox, U-boot or RedBoot) your unit runs, use the ”show partitions” command as described in

section 7.3.55

.

See

section 7.1.1.1

for information on how to upgrade your bootloader.

7.1.2.2

Bootstrap options

ˆ Configuration Boot Media: WeOS supports two methods to retrieve configu-

© 2015 Westermo Teleindustri AB

91

Westermo OS Management Guide

Version 4.17.1-0 ration file(s): from the on-board flash (default), from TFTP server (by use of

BOOTP), and there are also options to deploy or restore configuration from a USB stick.

Flash: By default the WeOS unit boots using configuration files (startupconfiguration, VPN certificates, etc.) from the (on-board) flash. The configuration on flash is also used as fall-back when other methods fail.

BOOTP: It is possible to bootstrap the configuration using BOOTP. For

this you need a DHCP/BOOTP Server ( section 22 ), and a TFTP Server,

holding the unit’s configuration file. As of WeOS v4.17.1, it is only possible to use BOOTP/TFTP to download the WeOS configuration file (certificates for IPsec, etc., can not be downloaded).

Note

Bootstrapping the configuration file using BOOTP is only possible over the WeOS unit’s Ethernet ports. DSL ports (SHDSL, ADSL,

VDSL) can not be used.

USB: It is possible to retrieve the configuration from a USB stick

3

by

utilising WeOS USB Auto-Backup & Restore ( section 7.1.6

) or WeOS USB

Deployment ( section 7.1.6

) functions

4

. These services have precedence

over bootstrapping from Flash and BOOTP, but can be disabled (see

USB

Bootstrap Settings

below).

ˆ BOOTP Bootstrap Settings: When using BOOTP as configuration boot media, you can specify the BOOTP timeout (default 5 minutes), i.e., the maximum time to wait for the BOOTP/TFTP configuration file download to succeed.

Fall-back is to use configuration on on-board flash.

By default, the downloaded configuration file is only stored in RAM. You can manually store it to flash (e.g., by ”cp running-config startup-config”), but you can also configure the WeOS to store the file to startup-config on flash automatically after download.

ˆ USB Bootstrap Settings: During bootstrap, a WeOS unit checks if there is a

USB stick attached in order to restore

section 7.1.6

) or deploy ( section 7.1.6

)

a configuration from the USB stick.

3

See

section 1.5.1

for WeOS products with USB interfaces, and

section 7.1.5.1

for list of USB sticks verified for use with WeOS.

4

As a technology preview feature, there is also a boot media option referred to as ”boot from

USB”. See WeOS release notes for more information on WeOS technology previews in general and for specific information on the ”boot from USB” function.

92

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Timings: There are two timings related to Bootstrap and USB services:

* Delayed USB backup/restore and USB deploy: (Non-configurable) A

USB media not plugged in (or detected) when the device boots up can still be used to backup/restore or deploy the device configuration up to 30 seconds after power on.

* USB bootstrap timeout: (Configurable) The USB bootstrap timeout halts boot for specified number of seconds, waiting for USB media to settle and be detected by the device. Before the timeout has elapsed and no media has been detected the device is unreachable with all ports remaining in blocking. Default: Disabled (i.e., zero delay)

Hint

Setting a ”USB bootstrap timeout” is useful to avoid a situation where the unit first applies the configuration from on-board flash, and afterwards detects the USB stick and applies USB restore or

deploy (”Delayed USB backup/restore and USB deploy”).

Enable/Disable: USB bootstrap services can be disabled. Disabling USB bootstrap services implies disabling USB Deployment and automatic

USB Backup & Restore features. Manual backup and restore to/from a USB stick is still possible. Default: Enabled

Warning

USB bootstrap services are enabled by default for ease of use and robustness. However, it gives users with physical access to the switch the opportunity to modify or retrieve the configuration without logging in. If unauthorised personnel have physical access to the unit it is recommended to disable USB bootstrap services for security purposes.

Below is an example of how to disable USB Bootstrap services.

© 2015 Westermo Teleindustri AB

93

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> boot example:/boot/#> usb example:/boot/usb/#> no enable example:/boot/usb/#> show

Status : Disabled

Timeout : Disabled example:/boot/usb/#> leave example:/#>

ˆ Barebox boot-menu options: Boot options related to the Barebox boot-menu

(boot-menu password, rescue console settings, etc.) are described in

sections 7.3.15

-

7.3.20

.

94

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.1.3

What to do if you cannot access your switch

Occasionally you may end up in a situation where you cannot access your switch:

ˆ Forgetting IP address: If you have forgotten what IP address you assigned to your switch, you will no longer be able to access it remotely (Web, SSH, Telnet, SNMP).

Section 7.1.3.1

presents different methods to find the IP address of your switch.

ˆ Forgetting password: If you have forgotten the admin password you assigned to your switch, you should conduct either a factory reset or a pass-

word reset. Both alternatives require that you have physical access to the switch.

Factory Reset: By resetting the switch to the factory default setting the

whole

5

switch configuration (including the ”admin” password)) will be reset to its default values. That is, the ”admin” password will be reset to ”westermo”, thus enabling you to login again.

The way to accomplish a factory reset may differ if the switch has a con-

sole port ( section 7.1.3.2

) or if it lacks a console port ( section 7.1.3.3

).

Password Reset: On switches with a console port there is a possibility to reset the ”admin” password to its default value (”westermo”) without affecting the rest of the configuration, see

section 7.1.3.2

.

ˆ Misconfiguration: You may also lose the ability to access your switch remotely (Web, SSH, Telnet, SNMP, WeConfig) due to misconfiguration, e.g., by disabling all Ethernet ports, or moving them to a VLAN where the switch has no IP address assigned. This case can be resolved by logging into the switch via the console port, and change the configuration appropriately via the CLI (see

chapter 5

on information of how to access the CLI via the console port).

However, if the switch does not have a console port, you may need to conduct a factory reset as described in

section 7.1.3.3

.

5

Only configuration files on unit flash will be affected. Files on an attached USB stick (if present) will not be affected.

© 2015 Westermo Teleindustri AB

95

Westermo OS Management Guide

Version 4.17.1-0

7.1.3.1

Discovering the IP address of your switch

The factory default IP setting enables you to access your switch via IP address

192.168.2.200, as well as via an address assigned via a DHCP server

6

(see

table 7.4

).

Address Netmask Gateway

Primary IP address Dynamic (DHCP) (Dynamic)

Secondary IP address 192.168.2.200

255.255.255.0

(Dynamic)

Disabled

Table 7.4: Factory Default IP settings.

If you have forgotten what IP address you assigned your switch there are several methods to find it out:

1. WeConfig (from PC): The WeConfig tool is designed to scan for (Westermo)

switches on the local network. See the WeConfig User Guide[ 54 ] for de-

tails on how to use the WeConfig tool. This option is probably the simplest method to find the IP address of a switch, but will not work if the IPConfig service has been disabled on your switch (see

section 7.3.46

for information on how to enable/disable IPConfig on your switch).

2. IPConfig client (from switch): The WeOS CLI and the Web contain an IPConfig client scanning facility, thus if you are logged into a switch you are to scan for neighbour switches. As in the previous step, switches can only be discovered this way if they have the IPConfig service enabled.

3. Via console port: On switches equipped with a console port, the IP address of the switch can be found using the switch Command Line Interface (CLI). See

chapter 5

for more information of how to use the CLI. (If you have forgotten the admin password, please see

section 7.1.3.2

).

4. LLDP: If LLDP is enabled ( section 7.1.9

), WeOS announces its presence (in-

cluding its IP address) in LLDP messages. Thus, an LLDP client (or simply a

network sniffer such as Wireshark

7

) can be used to discover the IP address

of the switch.

In case you are not able to discover the IP address by any of these methods, conducting a factory reset will take the switch back to its original IP configuration

6

In addition, the unit will autoconfigure itself with a link-local address in the 169.254.x.x range, where ’x’ is in interval 0-255. See

section 19.2.6

for more information.

7

Wireshark network protocol analyser, http://www.wireshark.org

.

96

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

(as shown in

table 7.4

). See

sections 7.1.3.2

and

7.1.3.3

for information on how to conduct a factory reset.

7.1.3.2

Password or Factory Reset via Console Port

For WeOS switches equipped with a console port, it is possible to conduct a fac-

tory reset or just a password reset using the special accounts (factory or pass-

word). For security reasons, these special accounts can only be used via the

console port. For security hardening purposes, these two special accounts can be disabled in the device’s boot context, in the CLI (see

sections 7.3.10

and

7.3.11

).

ˆ Admin password reset: It is possible to recover from a lost admin password by using the following login and password from the console port. The admin password will be reset to its default value (westermo), and thereby enable you to login to the switch again.

Login: password

Password: reset

ˆ Factory reset: It is possible to reset the switch to factory default settings by

using the following login and password from the console port. The whole

8

switch configuration (including the admin password) will be reset to its factory default setting.

Login: factory

Password: reset

7.1.3.3

Factory Reset without using Console Port

There is a mechanism to conduct a factory reset without using the console port or being logged into the unit – this method is referred to as ”cable factory reset”.

Note

Depending on the type of product, cable factory reset is conducted by connecting one pair of Ethernet ports (single cable) or two pairs of Ethernet ports (two cables) as shown in the table below.

8

Only configuration files on unit flash will be affected. Files on an attached USB stick (if present) will not be affected.

© 2015 Westermo Teleindustri AB

97

Westermo OS Management Guide

Version 4.17.1-0

1. Power off the switch and disconnect all Ethernet cables (including copper and fiber cables) and DSL cables.

2. Connect one pair (or two pairs) of Ethernet ports as described in the table below. The ports need to be connected directly, i.e., not via a hub or switch.

Use a straight cable - not cross-over cable - when connecting a port pair.

Product/Model

Falcon

FDV-206-1D1S

Lynx

L106/206-F2G

L110/210

Lynx-DSS

L105/205-S1

L106/206-S2

L108/208-F2G-S2

RedFox Industrial

All RFI models

RedFox Industrial Rack

All RFIR models

RedFox Rail

RFR-12-FB

Viper

All Viper-12 models

Wolverine

DDW-142

DDW-142-485

DDW-225/226

Ethernet Port Pair 1

port 1 port 4 port 3 port 6 port 3 port 10 port 1 port 4 port 1 port 4 port 3 port 6 port 1/1 port 1/2 port 1 port 2 port X1 port X6 port X1 port X6 port 1 port 2 port 1 port 2 port 2/1 port 2/4

Ethernet Port Pair 2

port 2 port 3 port 4 port 5 port 6 port 7 port 2 port 3 port 2 port 3 port 4 port 5

Not applicable

Not applicable port X2 port X5 port X2 port X5

Not applicable

Not applicable port 2/2 port 2/3

3. Power on the unit.

4. Wait for the unit to start up. Control that the ON LED is flashing red. The

ON LED flashing indicates that the unit is now ready to be reset to factory default. You now have the choice to go ahead with the factory reset, or to skip factory reset and boot as normal.

ˆ Go ahead with factory reset: Acknowledge that you wish to conduct the factory reset by unplugging (one of) the Ethernet cable(s). The ON LED will stop flashing.

98

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

This initiates the factory reset process, and the unit will restart with factory default settings.

ˆ Skip the factory reset: To skip the factory reset process, just wait for approximately 30 seconds after the ON LED starts flashing RED without unplugging (any of) the Ethernet cable(s). The switch will conduct a normal boot with the existing settings.

7.1.4

Configuration Files and Reboot

The system keeps three special configuration files:

ˆ Startup Configuration: The configuration file used by the switch after system boot or reboot. The startup configuration is stored in non-volatile memory

(flash)

9

.

Note

From WeOS 4.15.0 and onwards, the startup configuration is verified to be in-line with the syntax of the current firmware version upon system boot. If there are deviations (which may be the case after a firmware upgrade), the startup configuration is automatically updated.

ˆ Running Configuration: The configuration currently used by the switch. The running configuration is kept in volatile memory (RAM).

The running configuration is identical to the startup configuration when configuration changes are made via the Web interface, the WeConfig tool or

SNMP. That is, when using these methods to manage the switch, a change in the running configuration is immediately copied to the startup configura-

tion.

In contrast, when managing the switch via the CLI, configuration changes only affect the running configuration. Thus, to make CLI changes survive a reboot, you must explicitly copy the running configuration to the startup configuration.

ˆ Factory Default Configuration: The system keeps a factory default configuration file. The factory default file is kept in non-volatile memory (flash) and cannot be overwritten. When the switch is shipped, and after factory reset,

9

As described in

section 7.1.5

, it is possible to keep several configuration files on flash. The

startup configuration file is actually a symbolic name for one of the stored configuration files.

© 2015 Westermo Teleindustri AB

99

Westermo OS Management Guide

Version 4.17.1-0 the startup configuration file is identical to the factory default configuration file.

In addition to these configuration files, it is possible (via CLI) to keep a set of additional configuration files on the switch, which enables easy swapping between alternate configurations.

Warning

Configuring the switch via multiple management interfaces in parallel is discouraged, since it may lead to unexpected behaviour.

For example, consider the case when two users are accessing the switch at the same time, one user via the CLI and another user via the Web interface:

Assume the ”CLI user” makes changes to the running configuration, but of some reason do not wish to copy these changes to the startup configuration

(yet).

If the another user, the ”Web user”, applies a single change using the web management tool, all the changes done to the running configuration (by the

”CLI user”) will be saved to the startup configuration. (Actually clicking the

Apply button, even without changing any values has the same affect.)

7.1.4.1

Account password when loading a configuration file

Configuration files contain information on user account and (hashed) passwords, e.g., for the ”admin” account. Thus, when loading a configuration file to the switch (i.e., overwriting the startup-configuration or running-configuration), the account passwords will also be replaced according to the setting in the new configuration file.

Warning

To copy a new configuration file to the running-config or startup-config while keeping the existing user names and passwords, the lines in the new configuration file containing the ”username” command should be removed before installing the new configuration file.

If you unintentionally happen to loose the admin password because you copied a configuration file including an unknown admin password, see

section 7.1.3

for information on how to regain access to the switch.

100

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.1.5

Virtual File System

WeOS keeps various files of interest for the operator:

ˆ Configuration files: By default there is only one configuration file (named

config0.cfg stored on the switch. However, it is possible to create and keep multiple configuration files on the switch, both for backup purposes of for easy shifting between configuration setups. Configuration files are commonly named with the prefix config and will always have ’.cfg’ as extension.

As mentioned in

section 7.1.4

there are also three special configuration files:

Running Configuration: The running configuration is only stored in RAM, thus, it is not kept over a reboot.

Startup Configuration: The startup config is mapped to one of the stored configurations. By default it points to config0.cfg, but the mapping can be changed (using the CLI ”copy” command as described in

section 7.3.22

).

Factory Default Configuration: The factory default configuration file cannot be modified (except through a firmware upgrade). Its available for the purpose of conducting a factory reset.

ˆ Log files: Events are logged in various log files, e.g.:

auth.log

kern.log

messages

mgmt.log

snmpd

ppp.log

For units equipped with a USB port, the operator is also able to access files on a mounted USB stick.

The files are organised in a virtual file system, and are made available both for local and remote access.

© 2015 Westermo Teleindustri AB

101

Westermo OS Management Guide

Version 4.17.1-0

Local File Path Remote File Path

Configuration files cfg://

Log files log://

USB files usb://

/cfg/

/log/

/usb/

Section 7.1.5.1

gives general information on the use of USB memory sticks in

WeOS products.

Section 7.1.5.2

describes available methods for file maintenance when logged into the switch, while

section 7.1.5.3

covers methods available for maintaining files remotely.

7.1.5.1

General information on using USB memory sticks

In order to copy files to/from a USB memory stick attached to USB port of the

WeOS product

10

, the USB memory stick must:

ˆ be partitioned

ˆ be formatted as VFAT or FAT32 on the first partition

As of WeOS v4.17.1 the following USB stick(s) are verified for use with WeOS products:

Westermo USB stick 3641-0190 (Serial number 1195 or higher)[ 50 , 51 , 52 ]

If a factory reset is conducted on the WeOS unit, only files on unit flash (configuration, IPsec certificates, etc.) will be affected by the factory reset. Files on an attached USB stick (if present) will not be affected.

7.1.5.2

File access when logged into the switch

An operator logged in to a switch can copy, download or upload files using the

CLI ”copy” command. Services available when logged into the system include:

ˆ Making local backup copies of files, e.g.,

”copy log://messages log://messages.5”

ˆ Upload or download to/from a remote server via TFTP, FTP, and SCP. (Downloading is also available via HTTP.)

10

For information on WeOS products equipped with a USB port, see

section 1.5.1

, or the User

Guide of your WeOS product (see

section 1.5

).

102

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Upload example using TFTP:

”copy cfg://config0.cfg

tftp://server.example.com/myswitchconfig.txt”

ˆ Copying between systems: The CLI copy command can be used to copy files between remote systems via TFTP, FTP, SCP, and HTTP (HTTP can only be used as source, not destination).

Example copying from HTTP server to TFTP server:

”copy http://server1.example.com/original.txt

tftp://server2.example.com/backup.txt”

7.1.5.3

Remote file access

An operator is able to upload and download files to/from the switch remotely via

SCP. This feature is convenient and saves time, since files can be maintained without the need to log into each switch.

Example with remote file upload:

Example

unix> scp config1.cfg [email protected]:/cfg/

Password for [email protected]: unix>

Example with remote file download:

Example

unix> scp [email protected]:/log/messages .

Password for [email protected]: unix>

© 2015 Westermo Teleindustri AB

103

Westermo OS Management Guide

Version 4.17.1-0

7.1.6

Automatic Backup and Restore to/from USB

On WeOS units equipped with a USB port, a USB memory stick can be used for automatic backup and restore. The intended application for the auto-backup function is to simplify unit replacement in case of unit failure.

Once activated, it works seamlessly. If a stick is already prepared nothing else is needed. If a unit fails you simply replace it, moving the USB stick to the replacement unit. Which must be of same mark and model. At first boot, the replacement unit automatically restores all necessary files from the faulty unit.

Note

The auto-backup and restore function only handles configuration. It does

not handle backup/restore of WeOS firmware images. You must not only ensure that your replacement unit is of the same model as the original unit.

It should also have same WeOS firmware version loaded as the original unit.

Details of how to activate auto-backup, and how to perform restore are provided in

sections 7.1.6.1

-

7.1.6.2

.

Section 7.1.6.3

contains information on USB directories for auto-backup and restore.

7.1.6.1

Procedure for activating auto-backup

ˆ Basic preparations the USB stick: See

section 7.1.5.1

for formatting and partitioning requirement for USB memory sticks used with WeOS units.

ˆ Insert USB stick: Insert the USB stick into WeOS unit and power it up.

ˆ Log in to CLI: Log into the unit (CLI), either via console port or remotely via

SSH (see

section 5.2

).

ˆ Activate auto-backup: Run the CLI ”backup” command.

104

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> backup

WeOS Auto Backup & Restore for USB Media

===============================================================================

This command initializes a USB media, usually a memory stick, to be used for automatic backup and restore of configuration files (including certificates).

Intended use-case is to have one memory stick for each device in the network to ease replacement of faulty units.

The replacement WeOS unit will at boot automatically restore the backup and seamlessly pick up where the faulty unit left off.

Configuration and certificate files, including private keys (!) are backed up to /usb/westermo/backup/

Activate WeOS auto-backup & restore on this USB stick, are you sure (y/N)? y

Performing initial backup...

Backup done.

example/#>

The configuration files (including certificates and private keys) are now backed up to sub-directories under ”/usb/westermo/backup/” (see

section 7.1.6.3

).

ˆ Keep USB inserted: The USB memory stick should stay attached to the WeOS unit. Any changes to the configuration files on unit flash will be continuously backed-up to USB.

An alternative method to initialise auto-backup is to create the (empty) directory on the USB stick /westermo/backup/ (see

section 7.1.6.3

) before inserting it to the

WeOS unit. When attached, either when inserting it, or when the unit is powered up, all configuration files (including certificates and private keys) will be backed up on the USB automatically.

7.1.6.2

Restoring configuration from USB to replacement unit

When booting a WeOS unit checks if a USB stick is attached. If a USB stick is found with auto-backup activated, the WeOS unit checks if a restore operation should take place or not. This automatic restore operation only takes place at boot-up (configuration file is copied from USB to on-board flash, and used as startup configuration), or within an interval of 30 seconds after boot-up. In the latter case, which can occur if the USB stick is not ready at system boot time, the

WeOS unit starts with and runs the configuration on on-board flash for a short while; restore operation then updates both the startup-configuration and running configuration.

© 2015 Westermo Teleindustri AB

105

Westermo OS Management Guide

Version 4.17.1-0

Note

While replacing a WeOS unit using the USB auto-backup and restore support, it is recommended that the unit is disconnected from the network (see

step 5

in the procedure below), and therefore there should be no problem if the replacement unit runs with the configuration on the on-board flash for a short while. Still, if it is important that the restore operation takes place before the WeOS reads its startup configuration, an additional boot delay can be added (see

section 7.1.2.2

as well as

step 1

in the procedure below).

1. Prepare replacement unit: The replacement should be of the same model as the original unit (e.g., a Lynx L210-F2G should be replaced by another Lynx

L210-F2G), and ensure that it has the same WeOS firmware version loaded as the original unit.

Hint

If you are unsure of what firmware version your original unit was running, you can inspect the configuration file on your USB stick – at the top of the configuration file used as ”startup-configuration” you should see the WeOS version, e.g., WeOS 4.15.2.

It is recommended that the replacement unit has not had the auto-backup

feature activated already. If unsure, please do a factory reset

11

of the replacement unit before proceeding. Use either of the methods described in

section 7.1.3.2

(factory reset via console port),

section 7.1.3.3

(cable factory reset), or

section 7.2.4

(factory reset via web interface).

Optionally, you can then login to the replacement unit and set a USB delay in the boot context. For example, to extend the time to discover a USB stick at boot with up to 10 seconds, use the following commands:

Example

example:/#> boot example:/boot/#> usb example:/boot/usb/#> timeout 10

This gives the USB stick more time to settle at boot, and be ready for use when configuration is activated (see remark at the start of this section).

Suitable USB delay differs depending on what WeOS product you are using

11

Only files on unit flash (configuration file(s), IPsec certificates, etc.) will be affected by the factory reset. Files on an attached USB stick (if present) will not be affected.

106

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

(boot time differs) and what USB stick you are using (see

section 7.1.5.1

for information on USB sticks verified for WeOS).

2. Unplug power of replacement unit: Before inserting the USB memory stick holding the backup configuration you should unplug the power of the replacement unit.

3. Insert USB stick in replacement unit

4. Power up the replacement unit: When the replacement unit boots, the configuration files on USB will automatically be restored to unit flash.

5. Connect network cables: It is recommended to connect the network cables

after powering up the replacement unit. You may also connect them before powering up the unit (see comments on timings for detecting USB stick at the start of this section).

6. Keep USB attached: The USB memory stick should be stay attached to the

WeOS unit. Any changes to the configuration files on unit flash will be continuously backed up to USB.

The automatic restore operation is only done when booting the WeOS unit, or

within 30 seconds after boot-up

12

. If the USB stick (holding backup information) is

inserted into a running unit need to reboot the unit for the auto-restore operation to occur. Alternatively, you can run the CLI ”restore” command to manually trigger it.

Example

example:/#> restore

Restore backup from USB stick and activate to running-config, are you sure (y/N)? y

Stopping DHCP/DNS Server ................................... [ OK ]

Starting DHCP/DNS Server ................................... [ OK ] example:/#>

7.1.6.3

Backup files in USB directory tree

Backup files will be stored on the USB in the following directory tree.

/usb/

+-- westermo/

+-- backup/ <-- Automatic Backup & Restore directory

12

The restore operation is not conducted if ”auto-backup” is already activated on the WeOS unit

and the ”gen.id” counter on the USB and unit flash have the same value, see also

section 7.1.6.3

.

© 2015 Westermo Teleindustri AB

107

Westermo OS Management Guide

Version 4.17.1-0

+-- cfg/

+-- crt/

<-- Configuration files

<-- Certificates and keys

Additional details: The ”/usb/westermo/backup/cfg/” directory will contain some additional files: ”startup-config.lnk” specifies which config file is used as

”startup-configuration”, and ”gen.id” contains a counter. The corresponding ”gen.id” file on unit flash is incremented every time a change on unit flash is detected. For every change the unit flash is synchronised to USB.

During the boot procedure, the ”gen.id” values on USB and unit flash are compared. If equal, it is assumed that the configuration files are synchronised (no restore conducted). This is the case when rebooting a unit with auto-backup activated.

7.1.7

Configuration Deployment via USB

The USB configuration deployment function can be used for several purposes:

ˆ Easy configuration deployment of one or more WeOS units: The USB stick is only attached during unit configuration, and can then be moved to the next unit to be configured.

ˆ To ensure a WeOS unit always boots up with a pre-defined configuration:

In this case, the USB stick will always be attached to the WeOS unit. The configuration on USB is copied to unit flash on every boot.

Note

For this use case, you may consider setting a boot delay ( section 7.1.2.2

) to avoid the risk that your unit starts with and temporarily

uses the configuration on the on-board flash, see below for more explanations.

This ”USB configuration deployment” function differs from ”USB auto-backup and restore” described in

section 7.1.6

in that configuration changes applied after boot only apply to the WeOS unit’s on-board flash – the configuration files on the

USB memory stick are not affected.

ˆ The model and WeOS version of the unit to be configured should match the intended configuration file(s) on the USB memory stick.

ˆ The USB memory stick (prepared for deployment) is inserted before the unit is powered up. When the unit boots up configuration files will be copied from

108

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

USB to unit flash, and used during startup configuration.

ˆ The deployment function is also automatically activated if a USB stick (prepared for deployment) is detected up to 30 seconds after boot-up. In the latter case, which can occur if the USB stick is not ready at system boot time, the WeOS unit starts with and runs the configuration on on-board flash for a short while; deployment operation then updates both the startupconfiguration and running configuration.

Note

To prohibit that the unit first boots using configuration stored on the unit’s on-board flash, you can setting a boot-delay (e.g., ”boot wait

10” to extend the boot time with 10 seconds). By setting the delay large enough, the USB stick gets enough time to be ready when startup configuration is applied. Suitable boot delay differs depending on what

WeOS product you are using (boot time differs) and what USB stick you are using (see

section 7.1.5.1

for information on USB sticks verified for

WeOS)

ˆ The USB configuration deployment function is activated if the directory ”west-

ermo/deploy/” is detected on an attached USB during boot-up. USB configuration deployment has precedence over USB auto-backup and restore.

That is, if the USB memory stick contains both a ”westermo/deploy/” and a ”westermo/backup/” directory, the configuration deployment function will be activated.

Section 7.1.7.1

provides information on the file structure and format of the files in the ”westermo/deploy/” directory.

7.1.7.1

Deployment files in USB directory tree

Deployment configuration files should reside on the USB in the following directory tree.

/usb/

+-- westermo/

+-- deploy/

+-- cfg/

| +-- <FILE>.cfg

<-- USB Deploy

<-- Actual configuration file, e.g., config0.cfg

| +-- startup-config.lnk

<-- Windows style .lnk file

+-- crt/

+-- ...

<-- Certificates and keys

© 2015 Westermo Teleindustri AB

109

Westermo OS Management Guide

Version 4.17.1-0

The startup-config.lnk file holds the file name of the startup configuration file.

The format of this file is:

ˆ No leading directories, to avoid any / or \ confusion

ˆ No end-of-line after file name, to avoid any DOS/UNIX/Mac confusion

ˆ File name stored at first position in file, e.g., config0.cfg

As of WeOS v4.17.1 there is no CLI or Web function for setting up a USB configuration deployment memory stick for use with WeOS. Meanwhile the easiest way might be to

1. perform a USB auto-backup (see

section 7.1.6.1

), and

2. plug the USB stick into a PC and rename the backup directory to deploy.

7.1.8

Certificate and Key Management

WeOS supports upload and management of certificate and key files. As of WeOS v4.17.1, use of certificates is limited to IPsec VPNs and SSL VPNs (OpenVPN), see

chapters 35

and

36 .

It is possible to upload/import PKCS#12 bundles containing public certificate, pri-

vate key and the certificate of the issuing certificate authority (CA certificate).

The PKCS bundle can be password protected (recommended).

It is also possible to upload individual certificate files in PEM format or Open-

VPN static key files. For further information on certificate management, see

sections 7.2.6

(Web) and

7.3

(CLI).

7.1.9

Managing LLDP

The Link Layer Discovery Protocol (LLDP) is a standardised layer 2 protocol (IEEE

802.1AB[ 12 ]), which advertises information about the device itself and its ca-

pabilities to other devices within a LAN. The LLDP protocol also advertises from which port the LLDP packet was sent. This enables the unit to build up a local view of the remote ports on neighbour devices it is connected to for each local

port. This information is then stored in an SNMP MIB (LLDP MIB[ 12 ]), which can

be used by NMS-systems to draw a topology map of the network.

Examples of information advertised by LLDP:

110

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Remote port number

ˆ Port capabilities

ˆ IP address (see note below)

ˆ Hostname

ˆ MAC-address

ˆ VLAN ID

In WeOS LLDP frames are advertised every 30 second. If an interface stops receiving frames, the neighbour information is expired after 120 seconds.

Note

The advertised IP address is the address of the ports default VLAN, see

section 13.1.2

.

Note

As of WeOS v4.17.1 LLDP is enabled/disabled globally for all ports.

7.1.10

Maintenance and diagnostic tools

The switch supports a set of maintenance and diagnostic tools:

Ping and Traceroute The standard Ping and Traceroute commands are available via the CLI and the Web, and are useful as basic troubleshooting tools.

Port monitoring The switch supports port monitoring, thus the user can monitor the traffic exchanged on one or more Ethernet ports on a dedicated monitor port. Only correct Ethernet packets will be forward onto the monitor destination port. To monitor occurrence of packet drops due to bad CRC, etc., we refer to the RMON statistics counters, see

chapter 9 .

Note

To observe all traffic on the monitor source ports, the total amount of traffic on the monitor source ports should not exceed the capacity of the monitor destination port.

WeOS IPConfig Client As mentioned in

chapter 3

WeOS provides the WeConfig

PC tool for discovery and rudimentary management of Westermo switches.

© 2015 Westermo Teleindustri AB

111

Westermo OS Management Guide

Version 4.17.1-0

The CLI and the Web provides a similar mechanism (IPConfig client), i.e., once logged into the switch, it is possible to scan for other Westermo units on the same LAN.

Wake-On-Lan A Wake on Lan (WOL) client is available via the CLI and the Web.

This allows a computer to be turned on or woken up by a network message

(magic packet).

Additional features relevant for maintenance and diagnostics are described in

chapter 9

(RMON Statistics),

chapter 25

(Event and Alarm Logging),

chapter 6

(SNMP), and

chapter 24

(Alarm handling, Digital I/O and Front-panel LEDs).

7.1.11

Upgrading early RedFox Units to 4.3.0 or later

Early RedFox units (Industrial and Rail) delivered with WeOS 4.0.0, comes with a flash memory partition unsuitable for the larger firmware image size of WeOS

4.3.x

13

and later.

ˆ How to determine if your RedFox has an old partition table:

For RedFox Industrial, only products shipped with WeOS 4.0.0 came with the old partition table. You can determine if your product has the old partition table by inspecting the product’s model (or the article number) and serial

number – if the serial number is lower than the ones listed below, your product was shipped with the old partition table.

You find information on your product’s type of model, article number, and

serial number via the Web interface (Menu path: Status System, see

section 4.4.2

), or via the CLI ”show system-information” command, see

section 7.3.2

).

Model (Article number) Serial number

RFI-18-F4G-T4G 3641-3300

RFI-14P-F4G

RFI-10P

RFI-18P

3641-3200

3641-3110

3641-3100

< 1190

< 1180

< 1220

< 1111

If you are unsure whether your flash table is already updated, you can use the CLI ”show flash-table” command available on WeOS 4.2.0 and later

(see

section 7.3.54

) to list information on the flash partition table:

13

WeOS 4.3.x refers to all patch releases (4.3.0, 4.3.1, . . . ) of the WeOS 4.3 feature branch.

112

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Main and backup partitions of size 12.5 MB (hex 0x00c80000) means the new partition table is used.

Main partition of size 8.5 MB (hex 0x00880000) and backup of size 7 MB

(hex 0x00700000) means the old partition table is used.

ˆ Do you need to update your partition table?

It is possible to upgrade the primary firmware to WeOS 4.3.x even if your

RedFox has an old partition table. If your RedFox has an old partition table, you must update it in order to:

1. Upgrade your backup firmware (i.e., the firmware on the backup partition) to WeOS 4.3.x or later.

2. Upgrade your primary firmware to a WeOS image larger than 8.5 MByte.

The WeOS 4.3.x image for RedFox is below this limit, but later firmware versions (4.4.x and later) may be larger than 8.5 MB, and then the flash table needs to be updated.

ˆ How to update your flash table:

Warning

Updating the flash partition table will corrupt your system! Configuration files, certificates and backup image will be destroyed.

Although this update facility has been tested extensively by Westermo there are no guarantees it will work flawlessly for all use cases.

Therefore, we do not recommend this action on active running units in the field. Instead, replace the unit with a spare one first.

1. Backup your .cfg files, startup-config and any certificate files to a USB stick or remote (T)FTP/SCP server (see

section 7.3.22

).

2. If you are running WeOS version 4.2.0 or later proceed directly to the next step. If you are running WeOS 4.0.0, you must first upgrade your primary firmware to a later release, e.g., 4.2.0 or 4.3.0 (see

section 7.2.1

or

7.3.1

).

3. Access the CLI via the console port, run the ”flash-table-update” command (see

section 7.3.56

), and wait for it to finish. The unit reboots

when it has completed the update.

© 2015 Westermo Teleindustri AB

113

Westermo OS Management Guide

Version 4.17.1-0

Note

The ”flash-table-update” command is only available on WeOS

4.2.0 and later, and is only visible if you have a RedFox with the old partition table.

4. Restore configuration files, any necessary certificates and the system backup image.

114

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.2

Maintenance via the Web Interface

7.2.1

Managing switch firmware via the Web Interface

Menu path: Maintenance F/W Upgrade

On the firmware upgrade page you are able to upgrade firmware by downloading an image using FTP/TFTP or by direct upload via the Web browser.

7.2.1.1

Firmware Upgrade Using File Upload

Image File

Select the file to upload (browser dependent).

Upgrade

Click the Upgrade button to initiate firmware upgrade.

7.2.1.2

Firmware Upgrade Using TFTP/FTP Server

Image name

The file name of the image file on the FTP/TFTP server.

Server address

The IP address of the FTP/TFTP server.

Upgrade

Click the Upgrade button to initiate firmware upgrade.

Note

If you use TFTP for upgrading with ”pkg” files, make sure your TFTP server

supports large files as defined in RFC2347[ 22 ].

© 2015 Westermo Teleindustri AB

115

7.2.2

Port Monitoring

Menu path: Tools Port Monitoring

Westermo OS Management Guide

Version 4.17.1-0

Enabled

Check the box to enable port monitoring. If you have a JavaScript enabled browser the other settings will not be displayed unless you check this box.

Destination Port (Mirror)

Select one port to which data from source ports will be copied (mirrored).

Source Ports (Sniff Ports)

Select one or more ports to monitor by selecting the ports desired sniff mode. Available modes are:

In

Inbound (ingress) traffic.

Out

Outbound (egress) traffic.

Both

Both inbound and outbound traffic.

116

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.2.3

Backup and Restore

Menu path: Maintenance Backup&Restore

To create a backup of your switch configuration on your host, visit the backup

and restore page.

Backup

Click this button to download a copy of the running configuration on your switch. You will be asked to open or save the file. Normally chose save to save the file to your host. The behaviour is web browser specific and may also depend on your current browser settings. See

Fig. 7.1

for an example.

File Path

Click the Browse button to browse for the file. The behaviour of the file selection is browser specific.

Restore

Click this button to restore the configuration the configuration described in the file you selected in File Path.

© 2015 Westermo Teleindustri AB

117

Westermo OS Management Guide

Version 4.17.1-0

Figure 7.1: Example save dialogue (this example is from a Firefox browser)

7.2.4

Factory Reset

Menu path: Maintenance Factory reset

To conduct a factory reset, press the Reset button.

Only configuration files on unit flash will be affected by a factory reset. Files on an attached USB stick (if present) will not be affected.

118

© 2015 Westermo Teleindustri AB

7.2.5

Restart

Menu path: Maintenance Restart

To restart the switch press the Restart button.

Westermo OS Management Guide

Version 4.17.1-0

7.2.6

Managing certificates and keys

Menu path: ManagementCertificates

When entering the certificates page you will be presented to a list of all certificates and keys available on your switch. Here you can import or delete certificates/keys.

Type

Label

The type of certificate/key:

Public (regular certificate),

Private (a private key belonging to a regular certificate), CA

(a CA certificate), or OpenVPN (an OpenVPN static key).

A label identifying the certificate/key. Unique per certificate file type (Public, Private, CA and OpenVPN).

Continued on next page

© 2015 Westermo Teleindustri AB

119

Westermo OS Management Guide

Version 4.17.1-0

Common

Name (CN)

Expires

Continued from previous page

The common name (CN) part of the distinguished name (DN) found in the imported certificate’s subject.

The date of expiration for the certificate.

Delete

Click this icon to remove a certificate/key. You will be asked to acknowledge the removal before it is actually executed.

Details

Click this icon to display details regarding a certificate.

Import

Click this button to import a certificate or key.

7.2.6.1

Import Certificates

Menu path: Management Certificates ⇒ Import

When clicking the Import button you will be presented to the certificate import page where you can import PKCS#12 certificate bundles, certificates and private key files in PEM format, or an OpenVPN static key.

Type

File

Mode

Select the type of file to import (PKCS#12 bundle, PEM file or

OpenVPN static key file).

Browse your file system for the file to import by clicking the

Browse ... button.

(Only for PEM files) Declare the type of PEM file to upload:

Public (regular certificate), Private (a private key), or CA (a

CA certificate).

Continued on next page

120

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Label

Continued from previous page

Enter a label for identification of the certificate/key. The filename (base part) will be used as label if left empty. E.g. if uploaded file name is mycert.p12, the label will be mycert

Password

(Only for PKCS#12 bundles) If your certificate bundle is password protected, you have to enter the password or the import will fail.

7.2.6.2

Certificate Details

Menu path: Management Certificates

Label

A unique label identifying the certificate.

Common Name (CN)

The common name (CN) part of the distinguished name (DN) found in the imported certificate subject.

Certificate Dump

A raw dump of the certificate.

To exit the details page, select a menu option in the navigation menu.

© 2015 Westermo Teleindustri AB

121

Westermo OS Management Guide

Version 4.17.1-0

7.2.7

Enable/disable LLDP via the web interface

Menu path: Configuration LLDP

Enabled

Check this box and click Apply to enable LLDP support on the unit.

7.2.8

Show LLDP Status via the web interface

Menu path: Status LLDP

122

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.2.9

Ping tool

Ping is useful as a basic diagnostic tool. The output on the web is displayed once the ping command has completed. If the command takes too long to execute the web page may time out.

Menu path: Tools Ping

Address

The network host to send ICMP ECHO RE-

QUEST packets to

Ping Count

Defines the number of ICMP packets to send.

Packet Size

Alters the default size of the ICMP packets.

This only only increases the empty payload of the packet

© 2015 Westermo Teleindustri AB

123

Westermo OS Management Guide

Version 4.17.1-0

7.2.10

Traceroute tool

Trace the route packets take to a network host. The output on the web is displayed once the ping command has completed. If the command takes too long to execute the web page may time out.

Menu path: Tools Trace

Address

The network host

Maximum Hops

Max time-to-live (number of hops).

Maximum Wait time

Set the delay, in seconds, before timing out a probe packet

124

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.2.11

IPConfig scan tool

Scan network for IPConfig neighbours. The output on the web is displayed once the ping command has completed. If the command takes too long to execute the web page may time out.

Menu path: Tools IPConfig

Interface

The interface to scan

Flash On LED.

If enabled, this unit will flash the on LED, while scanning

© 2015 Westermo Teleindustri AB

125

Westermo OS Management Guide

Version 4.17.1-0

7.2.12

Wake on Lan

The Wake on Lan (WOL) allows computers to be turned on or woken up by a network message (magic packet).

Menu path: Tools WOL

Interface

The interface to send the magic packet on.

MAC Addresses

The MAC Addresses of the computers to wake

126

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.2.13

Tech support

The Tech support collects system information (hardware, status and configuration) and delivers it as a compressed file. Note: The configuration is included with passwords. The file format is compressed tar archive(tar.gzip).The filename has the format of

<LOCATION>_<HOSTNAME>_<YYYYMMDD>_<HHMMSS>.tar.gz, if the location field is not set, the last three octets of the mac-address will be used.

Menu path: Tools Tech Support

Clicking Create will create a Tech support file. Once the file is created you will be presented with the following dialogue.

The Tech support file consist of a number of text files. Configuration files can be found in the /cfg directory of the archive, and log files under the /var/log subdirectory.

© 2015 Westermo Teleindustri AB

127

Westermo OS Management Guide

Version 4.17.1-0

128

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.3

Maintenance via the CLI

Command

Firmware Upgrade upgrade <pri|sec|boot>

<IPADDR FILENAME | URI://. . . > show system-information

Default Section

Section 7.3.1

File handling (Configuration, Log, etc.) and Reboot dir <cfg:// | log:// | usb://> copy <FROM_FILE> <TO_FILE> erase <file> show <running-config | startup-config | factory-config | [<filesys>://]FILENAME>

Section 7.3.2

System Boot Options boot

[no] boot-order <flash|bootp>

[no] bootp

[no] timeout <0-1800>

N/A

Flash

N/A

300

offset 1

14

[no] mac <offset <num> | address <MACADDRESS>>

[no] vfs-target <flash|usb>

[no] console

[no] password-reset

Disabled

N/A

Enabled

[no] factory-reset

[no] usb

[no] enable

[no] timeout <1-60>

Enabled

N/A

Enabled

Disabled

[no] loader N/A

[no] login <password|hash> <STRING> Disabled

[no] rescue-port <UDPPORT>

[no] rescue-address <IPADDR>

[no] rescue-netmask <NETMASK>

[no] rescue-peer <IPADDR>

Section 7.3.3

Section 7.3.4

Section 7.3.5

Section 7.3.6

Section 7.3.7

Section 7.3.8

Section 7.3.9

Section 7.3.10

Section 7.3.11

Section 7.3.12

Section 7.3.13

Section 7.3.14

Section 7.3.15

Section 7.3.16

6000

Section 7.3.17

192.168.2.200

Section 7.3.18

255.255.255.0

Section 7.3.19

192.168.2.1

Section 7.3.20

Section 7.3.21

Section 7.3.22

Section 7.3.23

Section 7.3.24

Continued on next page

14

See command description for details and exceptions.

© 2015 Westermo Teleindustri AB

129

Westermo OS Management Guide

Version 4.17.1-0

Command

backup restore reboot

Continued from previous page

Default Section

Section 7.3.25

Section 7.3.26

Section 7.3.27

Certificate and Key Management cert import <pkcs|pem|ovpn> [. . . ] <URI> no cert [force] [LABEL] show cert [LABEL]

Maintenance and Diagnostic tools ping <IPADDR> traceroute <IPADDR> ssh [[email protected]]<IPADDR|DNAME>[/PORT] telnet <IPADDR|DNAME> [PORT] show ipconfig <IFNAME>

[no] monitor

[no] enable destination <PORT> source <PORTLIST>

LLDP Management

[no] lldp

[no] enable admin/22

23

Disabled

Section 7.3.28

Section 7.3.28

Section 7.3.29

Section 7.3.30

Section 7.3.31

Section 7.3.32

Section 7.3.33

Section 7.3.34

Section 7.3.35

Section 7.3.36

Section 7.3.37

Section 7.3.38

Enabled

Section 7.3.39

Section 7.3.40

Show LLDP status show lldp

Section 7.3.41

Configure/View Management Service Settings

[no] web

[no] session-timeout <TIMEOUT> port <PORT> ssl-port <PORT>

[no] ipconfig

[no] read-only

Enabled

10 Min

80

Section 7.3.42

Section 7.3.43

Section 7.3.44

443

Enabled

Section 7.3.45

Section 7.3.46

Disabled

Section 7.3.47

Continued on next page

130

© 2015 Westermo Teleindustri AB

Command

[no] ssh

[no] telnet

[no] snmp-server

Other maintenance commands date [[YYYY-MM-DD ]hh:mm[:ss]]

[no] timezone <TIMEZONE> show timezone [QUERY|SUBSTRING] show env show uptime show memory show processes show flash-table show partitions flash-table-update

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

Default Section

Enabled

Disabled

Enabled

Section 7.3.48

Section 7.3.49

Section 6.3.1

Section 20.2.7

Section 20.2.5

Section 20.2.8

Section 7.3.50

Section 7.3.51

Section 7.3.52

Section 7.3.53

Section 7.3.54

Section 7.3.55

Section 7.3.56

7.3.1

Upgrading firmware

Syntax upgrade <pri|sec|boot> <IPADDR> <FILENAME> upgrade <pri|sec|boot> URI://<ADDRESS>/PATH/<FILENAME>

Context

Admin Exec

Usage Upgrade primary, secondary, or bootloader firmware via FTP, TFTP or USB stick. In the first form, upgrade attempts to download and install FILENAME via FTP from a server at IPADDR. If no FTP server is available, the command tries to download the file using TFTP instead.

Note

If you use TFTP for upgrading with ”pkg” files, make sure your TFTP

server supports large files as defined in RFC2347[ 22 ].

The second form uses a URI based format. The same format used in the copy command, not all URIs are supported though, only ftp://, tftp:// and

© 2015 Westermo Teleindustri AB

131

Westermo OS Management Guide

Version 4.17.1-0 usb://. In the usb:// case there is of course no need to give an ADDRESS, and

PATH is optional. Also, some units may not have a USB port.

In the second form of the command it is also possible use an Internet name

(FQDN), instead of just an IP address. For this to work you need to have first setup a valid name server in the configuration.

Before the actual ”Flashing” starts, i.e. when upgrade is still downloading or checking the downloaded image CRC, it is possible to abort the upgrade using Ctrl-C (BREAK). However, once the actual flashing starts the BREAK signal, and other blockable signals, is completely disabled to prevent accidental destruction of the device partition and image contents.

After installing a primary firmware, the switch will automatically be rebooted.

(More precisely: after installing a primary firmware, the switch will automatically be rebooted given that the system booted from the primary image.

Similarly, after installing a secondary firmware, the switch will automatically be rebooted given that the system booted from the secondary image.)

Caution! Only conduct upgrades over a stable network connection. Ensure that the switch is not powered off while the downloaded firmware is being installed.

Default values N/A

Examples ”upgrade primary 192.168.1.1 WeOS-4.15.1.pkg” will download and install a new primary image named WeOS-4.15.1.pkg, from FTP/TFTP server at 192.168.1.1.

”upgrade boot 192.168.1.1 WeOS-4.15.1.pkg” will download and install a new bootloader image included in the pkg file (WeOS-4.15.1.pkg) from a

FTP/TFTP server with 192.168.1.1.

”upgrade pri usb://WeOS-4.15.1.pkg” upgrades primary firmware on a

WeOS unit using pkg file WeOS-4.15.1.pkg present on a USB stick. Check if the USB stick has been mounted first using the ”dir usb://” command.

132

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.3.2

Show System Information

Syntax show system-information

Context

Admin Exec

Usage List general system information such as serial number, firmware version, contained hardware, etc.

Default values Not applicable

Example

example:/#> show system-information

System Information

===============================================================================

System Name

System Contact

System Location

System Timezone

: example

:

:

: Etc/UTC

Product Family

Architecture

: RedFox

: mpc85xx

Platform

Article number

: Corazon

: 3641-4015

Boot loader ver.

: 2014.06.0-1

Main firmware ver. : 4.15.2

Manufacturing date : Sep 24, 2014

Model

Base MAC Address

: RFIR-219-F4G-T7G-AC

: 00:07:7c:15:5f:20

Class

Serial Number

: Extended

: 1037

Active firmware : Main

Backup firmware ver: 4.15.2

Card #1 ======================================================================

Type : CPU

Chipset

Article no

: MV88E6352 r1

: 5013-1010

Revision

Batch id

: 0

: 140915-01274960-00001

Channel interfaces : 2

Bandwidth limit : Disabled (for CPU channels)

... (More info follows) example:/#>

7.3.3

Manage Boot Options

Syntax boot

Context

Admin Exec

context

Usage Enter

System Bootstrap

context to configure device specific boot settings. These settings are stored separately, i.e., outside the regular config-

© 2015 Westermo Teleindustri AB

133

Westermo OS Management Guide

Version 4.17.1-0 uration file.

Use ”show boot” to view a summary of the boot option settings.

Default values N/A

Example

example:/#> show boot

Boot order : flash example:/#>

7.3.4

Set Boot Order

Syntax [no] boot-order <flash|bootp|usb>

Context

System Bootstrap

context

Usage Select Boot Order for configuration file

15

.

As of WeOS v4.17.1 the ”boot-order” has the following limitations:

ˆ ”boot-order” can only be used to select a single boot media, not a list.

That is, you can select either ”flash” or ”bootp”, but not both.

Note

The WeOS unit will fall-back to find its startup-configuration from on-board flash when other methods such as ”bootp” fails.

ˆ The alternative ”boot-order usb” (referred to as ”boot from USB”) is only available as technology preview. See WeOS release notes for more information on WeOS technology previews in general and for specific information on the ”boot from USB” function.

Use ”no boot-order” to reset the boot-order to the default setting.

Use ”show boot-order” to view the configured boot order. Flash will listed as second choice if ”boot-order bootp” is set.

Default values Flash

15

Future versions of WeOS may include support for boot order of software image files.

134

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> boot example:/boot/#> show boot-order flash example:/boot/#> boot-order bootp example:/boot/#> show boot-order bootp, flash example:/boot/#> end example:/#>

7.3.5

Manage BOOTP Bootstrap Settings

Syntax [no] bootp

Context

System Bootstrap

context

Usage Enter

System Bootstrap BOOTP

context to configure settings for BOOTP boot services.

”no bootp” will reset the BOOTP bootstrap settings to default.

Use ”show bootp” to list BOOTP bootstrap settings (also available as ”show” command within the

System Bootstrap BOOTP

context.

Default values N/A

7.3.6

BOOTP timeout

Syntax [no] timeout <0-1800>

Context

System Bootstrap BOOTP

context

Usage Set timeout in seconds to wait for BOOTP server response.

If no BOOTP response is received from the BOOTP/DHCP server, new BOOTP

Requests will be re-transmitted up to the given timeout interval.

To avoid congestion, the Requests are re-transmitted randomised around an exponential back-off interval; the back-off interval is doubled for each request up to 60 seconds.

The BOOTP client will wait one extra back-off interval after the last transmitted request, thus the actual timeout can be roughly 60 seconds longer than configured.

© 2015 Westermo Teleindustri AB

135

Westermo OS Management Guide

Version 4.17.1-0

Use ”no timeout” to reset the timeout to default.

Default values 300 (seconds)

7.3.7

BOOTP source MAC address

Syntax [no] mac <offset <num> | address <MACADDRESS>>

Context

System Bootstrap BOOTP

context

Usage Set MAC address for BOOTP request. The source MAC-address used in

BOOTP request can be:

ˆ offset relative to system base MAC: Typically used this if you wish your product to use a MAC match the MAC of a specific LAN interface on your unit.

ˆ a statically configure MAC: Assign a specific MAC address to use for

BOOTP for this unit.

By default the source MAC is an offset to system base MAC, which would match the MAC assigned to interface vlan1. On most WeOS products this would mean ”mac offset 1” (exceptions are products with more than one

CPU channel; the offset equals the number of CPU channels by default).

Note

See

sec. 7.3.2

and

13.4.14

for information on CPU base MAC and CPU channels. For more information on how a LAN interface is assigned its

MAC address, see

section 19.2.4

.

Use ”no mac” to reset the BOOTP MAC setting to default.

Use ”show mac” to show the BOOTP MAC setting.

Default values offset 1 (or more generally, the offset equals the number of

CPU channels of the product.)

136

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> show iface

Press Ctrl-C or Q(uit) to quit viewer, Space for next page, <CR> for next line.

Interface Name Oper Address/Length MTU MAC/PtP Address

-----------------------------------------------------------------lo vlan1

UP

UP

127.0.0.1/8

192.168.2.200/24

16436

1500

N/A

00:07:7c:84:91:65

-----------------------------------------------------------------------------example:/#> boot example:/boot/#> bootp example:/boot/bootp/#> show mac

00:07:7c:84:91:65 (offset 1) example:/boot/bootp/#>

7.3.8

Storage of BOOTP configuration file (VFS target)

Syntax [no] vfs-target <flash|usb>

Context

System Bootstrap BOOTP

context

Usage Set virtual file system (VFS) target for configuration file.

Use this setting to save the retrieved file in a non-volatile location. By default all configuration files retrieved over BOOTP are temporary, and will be lost when rebooting the system, unless an operator saves a copy with an explicit

”copy running-config cfg://mybackup.cfg” or similar (e.g., Web ’Apply’ or SNMP Set).

Set to ”vfs-target flash” to automatically save to built-in flash (startup-

config) , or ”vfs-target usb” to save to an external USB stick.

Use ”no vfs-target” to disable the setting to get the default behaviour where the file is stored in RAM only.

Use ”show vfs-target” to show the VFS target setting.

Default values Disabled (i.e., store in RAM only)

7.3.9

Manage Console Settings

Syntax [no] console

Context

System Bootstrap

context

© 2015 Westermo Teleindustri AB

137

Westermo OS Management Guide

Version 4.17.1-0

Usage Enter

System Bootstrap Console

context to configure settings related to the console, or functions only available from the console.

”no console” will reset all console settings to default.

Use ”show console” to list all console settings (also available as ”show” command within the

System Bootstrap Console

context.

Default values N/A

7.3.10

Enable/Disable Console Password Reset

Syntax [no] password-reset

Context

System Bootstrap Console

context

Usage Enable or disable the function to reset the admin user’s password from the console port.

Use ”no password-reset” to disable the password/reset login.

Use ”show password-reset” to show whether it is enabled or disabled.

Default values Enabled

Example

example:/#> boot example:/boot/#> show console

Password reset : Enabled

Factory reset : Disabled example:/boot/#> console example:/boot/console/#> no password-reset example:/boot/console/#> show

Password reset : Disabled

Factory reset : Disabled example:/boot/console/#>

7.3.11

Enable/Disable Console Factory Reset

Syntax [no] factory-reset

Context

System Bootstrap Console

context

Usage Enable or disable the function to reset the device to factory defaults from the console port.

138

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Use ”no factory-reset” to disable the factory/reset login.

Use ”show factory-reset” to show whether it is enabled or disabled.

Default values Enabled

Example

example:/#> boot example:/boot/#> show console

Password reset : Disabled

Factory reset : Enabled example:/boot/#> console example:/boot/console/#> no factory-reset example:/boot/console/#> show

Password reset : Disabled

Factory reset : Disabled example:/boot/console/#>

7.3.12

Manage USB Bootstrap Settings

Syntax [no] usb

Context

System Bootstrap

context

Usage Enter

System Bootstrap USB

context to configure settings for USB boot services.

”no usb” will reset the USB settings to default.

Use ”show usb” to list configured USB settings (also available as ”show” command within the

System Bootstrap USB

context.

Default values N/A

7.3.13

Enable/disable USB Bootstrap Services

Syntax [no] enable

Context

System Bootstrap USB

context

Usage Enable or disable USB bootstrap services.

Use ”no enable” to disable USB bootstrap services: USB automatic backup/restore

© 2015 Westermo Teleindustri AB

139

Westermo OS Management Guide

Version 4.17.1-0

and USB deployment

16

. It is still possible to perform manual ”backup” (see

section 7.3.25

) and manual ”restore” see

section 7.3.26

).

Use ”show enable” to show whether USB bootstrap functionality is enabled or disabled.

Default values Enabled

Example

example:/#> boot example:/boot/#> show usb

Status : Enabled

Timeout : Disabled example:/boot/#> usb example:/boot/usb/#> no enable example:/boot/usb/#> show

Status : Disabled

Timeout : Disabled example:/boot/usb/#>

7.3.14

USB wait timeout

Syntax [no] timeout <1-60>

Context

System Bootstrap USB

context

Usage Set timeout in seconds for USB stick to settle at boot.

Some USB sticks cannot be accessed immediately at power-up. This setting can be used to fine tune the time the system waits for a USB stick to settle.

The system bootup time will be prolonged up to the given timeout, unless the system discovers the USB stick before.

Default values Disabled (no timeout)

16

”no enable” also disables the technology preview feature ”boot from USB”, see also

section 7.3.4

140

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> boot example:/boot/#> usb example:/boot/usb/#> timeout 10 example:/boot/usb/#> show

Status : Enabled

Timeout : 10 second(s) example:/boot/usb/#> leave example:/#>

7.3.15

Manage bootloader settings (Barebox)

Syntax [no] loader

Context

System Bootstrap

context

Usage Enter

System Bootloader

context to configure settings related to the

(Barebox) bootloader boot-menu. (You enter the boot-menu by pressing

Ctrl-C on the console port when a unit boots.

Note

The

System Bootloader

context is only available for products running the Barebox bootloader.

”no loader” will reset all bootloader settings to default.

Use ”show loader” to list all bootloader settings (also available as ”show” command within the

System Bootloader

context.

Default values N/A

Example

example:/boot/#> show loader

Device Bootloader Configuration:

Login Password: Disabled

Rescue Mode Settings:

Address: 192.168.2.200

Netmask: 255.255.255.0

Peer : 192.168.2.1

Port : 6000 example:/boot/#>

© 2015 Westermo Teleindustri AB

141

Westermo OS Management Guide

Version 4.17.1-0

7.3.16

Setting boot-menu password (Barebox)

Syntax [no] login <password|hash> <STRING>

Context

System Bootloader

context

Usage Configure a boot-menu login password. Setting a boot-menu password is recommended to improve security. When a password is configured, a user must provide the correct password to enter the boot-menu at system bootstrap.

When setting the password, you can either enter it as is (”login password

<STRING>”), or provide a SHA1 hash of the password (”login hash <STRING>”).

Use ”no login” to disable the boot-menu login password.

Use ”show login” to see if a boot-menu login password is set or not.

Default values Disabled (no login)

Example

example:/boot/loader/#> login password TopSecret example:/boot/loader/#> end

Saving bootloader configuration to FLASH

100% / [====================================================================] example:/boot/#>

7.3.17

Setting rescue console UDP port (Barebox)

Syntax [no] rescue-port <UDPPORT>

Context

System Bootloader

context

Usage Configure UDP port for rescue-mode netconsole, e.g., ”rescue-port 12345”.

This is used as the local and remote port number for the UDP rescue console.

Defaults to UDP port 6000.

Use ”no rescue-port” to reset UDP port to the default (6000). Use ”show

rescue-port” to show the configured UDP port.

Default values 6000

142

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.3.18

Setting rescue console local IP address (Barebox)

Syntax [no] rescue-address <IPADDR>

Context

System Bootloader

context

Usage Configure local IP address for rescue-mode netconsole, e.g., ”rescue-address

10.0.1.1”. This is used as the local IP for rescue console. Defaults to address 192.168.2.200.

This address is also used as default local IP address when selecting TFTP boot-image download (technology preview) within the boot-menu (at startup).

Use ”no rescue-address” to reset local IP for rescue console to 192.168.2.200.

Use ”show rescue-address” to show the configured address.

Default values 192.168.2.200

7.3.19

Setting rescue console netmask (Barebox)

Syntax [no] rescue-netmask <IPADDR>

Context

System Bootloader

context

Usage Configure local IP address netmask for rescue-mode netconsole, e.g.,

”rescue-netmask 255.255.0.0”. Defaults to netmask 255.255.255.0.

Use ”no rescue-netmask” to reset netmask for rescue console interface to 255.255.255.0 Use ”show rescue-netmask” to show the configured netmask.

This netmask is also used as default rescue interface netmask when selecting TFTP boot-image download (technology preview) within the boot-menu

(at startup).

Default values 255.255.255.0

7.3.20

Setting rescue console peer IP address (Barebox)

Syntax [no] rescue-peer <IPADDR>

Context

System Bootloader

context

© 2015 Westermo Teleindustri AB

143

Westermo OS Management Guide

Version 4.17.1-0

Usage Configure peer IP address for rescue-mode netconsole, e.g., ”rescue-peer

10.0.1.2”. This is used as the peer IP for rescue console. Defaults to address 192.168.2.1.

This address is also used as default peer IP address when selecting TFTP boot-image download (technology preview) within the boot-menu (at startup).

Use ”no rescue-peer” to reset local IP for rescue console to 192.168.2.1.

Use ”show rescue-peer” to show the configured address.

Default values 192.168.2.1

7.3.21

List Configuration and Log Files

Syntax dir [<cfg:// | log:// | usb://>]

Context

Admin Exec

Usage List files in the configuration file directory, log file directory, or files on a mounted USB memory. When listing configuration files you should be able to see which of the present configuration files that is used as startup file. To map a different configuration file as startup configuration, see the ”copy”

command ( section 7.3.22

).

Default values cfg://

Example

example:/#> dir

==============================================================================

Contents of Config File System

============================================================================== config0.cfg --> startup-config config1.cfg

example:/#>

7.3.22

Copy, Store, Restore or Paste Files

Syntax copy <FROM_FILE> <TO_FILE>

Several methods are available to specify <FROM_FILE> and <TO_FILE>. Local file access methods are listed below:

ˆ Configuration files (default): ”cfg://<FILENAME>”

144

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Special configuration files: ”console”, ”running-config”, ”startup-config”, and ”factory-config”.

ˆ Log files: ”log://<FILENAME>”

ˆ USB memory: ”usb://[DIRECTORY/]<FILENAME>”

Remote file access methods:

ˆ TFTP: ”tftp://location[/directory]/filename”

ˆ FTP: ”ftp://[username[:password]@]location[:PORT]

[directory]/filename”

If no username is provided, anonymous ftp login will be used. Default password is [email protected].

ˆ SCP: ”scp://[[email protected]]location[:PORT][/directory]

/filename”

By default username ”admin” will be used.

ˆ HTTP: ”http://location[:PORT][/directory]/filename”

Context

Admin Exec

Usage Copy files, save config, transfer to/from network locations. Copy localto-local, local-to-network and network-to-network. Special files are console, running-config, startup-config and factory-config.

The variant ”copy <FROM> startup-config”, where ”FROM” is a file of the form ”configN[.cfg]” or ”cfg://file.cfg”, changes which configuration file is used as the startup-config. In effect only changing which file startupconfig points to. The contents of the previous file it pointed to remains untouched.

This also means that you can not copy a file directly to startup-config from any VFS. I.e., when copying a file from (T)FTP or USB you must first copy the file to a configN[.cfg] file in the cfg:// VFS.

Please note, the use of the special file ”console” is very similar to the old

DOS style usage. Albeit limited to the usage: ”copy console <FILE>”.

When issuing this command you are presented with a paste area where you can safely type in or paste parts of, or full, configuration files. However, when pasting in partial ”.cfg” file snippets the system will use WeOS defaults for unspecified settings.

Also, the destination file in ”copy console <FILE>” cannot be the console

© 2015 Westermo Teleindustri AB

145

Westermo OS Management Guide

Version 4.17.1-0 itself or factory-config, which is read-only. Hence we recommend using:

”copy console config<N>” or ”copy console running-config”.

Default values N/A

Examples

1. Restore factory default (to running configuration)

Example

example:/#> copy factory-config running-config

Using default factory.cfg found in firmware image.

Stopping Syslog daemon ..................................... [ OK ]

Starting Syslog daemon ..................................... [ OK ] example:/#>

2. Store running configuration to startup configuration

Example

example:/#> copy running-config startup-config example:/#>

3. Copy configuration file from USB to local configuration file config3.

Example

example:/#> copy usb://myconfig.cfg config3

Copying myconfig.cfg to config3 ...

Done.

example:/#>

4. Copy configuration file onto remote server using FTP.

Example

example:/#> copy cfg://config0.cfg ftp://mylogin:[email protected]/myconfig example:/#>

7.3.23

Delete a Configuration File

Syntax erase [filesys://]<FILENAME>

filesys can be ”cfg”, ”log”, or ”usb”, with ”cfg” as default.

Context

Admin Exec

146

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Delete a configuration file, log file or a file on a mounted USB memory.

Default values ”cfg” is the default file system.

Example

example:/#> dir

==============================================================================

Existing Configurations on System

============================================================================== config0 --> startup-config config1 example:/#> erase config1 example:/#> dir

==============================================================================

Existing Configurations on System

============================================================================== config0 --> startup-config example:/#>

7.3.24

Show Configuration File (or other files)

Syntax show <running-config|startup-config|factory-config|

[<filesys>://]<FILENAME>

filesys can be ”cfg”, ”log”, or ”usb”, with ”cfg” as default.

Context

Admin Exec

Usage Show content of a configuration file, log file, or file on a mounted USB memory. Special files are running-config, startup-config and factory-config.

Use the ”dir” command to list files ( section 7.3.21

).

Default values ”cfg” is the default file system.

7.3.25

Activate Auto-Backup

Syntax backup (applicable on units with USB port)

Context

Admin Exec

Usage This command activates WeOS automatic backup and restore for USB media. The directory ”/usb/westermo/backup” is used for this purpose.

See

section 7.1.6

for details.

© 2015 Westermo Teleindustri AB

147

Westermo OS Management Guide

Version 4.17.1-0

Default values Not applicable.

7.3.26

Manual Restore from USB

Syntax restore (applicable on units with USB port)

Context

Admin Exec

Usage Force restore from USB to running-config.

This command can be used to force an auto-restore of backup files from a

USB stick to ”cfg://” and also activate the new startup-config in the system running-config.

See

section 7.1.6

for details.

Default values Not applicable.

7.3.27

Rebooting the Device

Syntax reboot

Context

Admin Exec

Usage Reboot the device. The switch will boot up with its startup-config.

Default values Not applicable.

7.3.28

Import Certificate/Key

Syntax (for PKCS#12)

cert import pkcs [password <PASSWORD>] <URI> [label <LABEL>]

Syntax (for PEM)

cert import pem type <private|public|ca> <URI> [label <LABEL>]

Syntax (for OpenVPN key)

cert import ovpn <URI> [label <LABEL>]

Context

Admin Exec

148

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Import PKCS#12 certificate bundle, individual certificate files in PEM format, or an OpenVPN static key. An optional label name can be specified. By default the label name is set from the file name.

Examples:

ˆ ”cert import pkcs password "secret" ftp://1.2.3.4/bundle.p12”

ˆ ”cert import pem type public usb://remote.crt”

ˆ ”cert import ovpn ftp://1.2.3.4/tls-auth.key label tls”

To remove/delete a certificate by label, use ’force’ to avoid questions:

ˆ ”no cert remote” (Remove certificate file with label ”remote”. There can be different certificate files (of different types) with the same label.

If so, a separate question will be asked for each file before removal.)

ˆ ”no cert force remote”

Default values Not applicable.

7.3.29

List and show details of Certificates

Syntax show cert [LABEL]

Context

Admin Exec

Usage List all certificates, or show details of a specific certificate.

Example to show all certificates, or display/dump a given label:

ˆ ”show cert” (lists all certificates)

ˆ ”show cert remote” (list details of certificate with label ”remote”. There can be different certificate files (of different types) with the same label.

Then all are shown.

Default values Not applicable.

7.3.30

Ping

Syntax ping [-i <IFACE|IPADDR>] [-s <size>] [-c <count>] [-t <TTL>]

[-M <hint>] <HOST>

Context

Admin Exec

context

© 2015 Westermo Teleindustri AB

149

Westermo OS Management Guide

Version 4.17.1-0

Usage Ping a remote host.

Ping is useful as a basic diagnostic tool.

The -i option can be used to select the interface to send ICMP_ECHO on, which is useful in, e.g., VPN setups. The -i option can also be used with an

IP address to spoof the source IP address.

The -M option is used to control where to set the DF (don’t fragment) bit in the ICMP packet. If this bit is set, no one will be allowed to fragment this packet and an error will be generated if the packet is to big to fit in the MTU.

Valid options for hint:

ˆ do: Set the don’t fragment bit, prohibit all fragmentation.

ˆ dont: Never set the don’t fragment bit.

ˆ want: Make a MTU discovery and fragment packet if it is too large to fit in the MTU.

You can use use the domain name or IP address as the host argument, but you need a valid name server setup for domain names to work, see

section 19.7.5

.

Default values Not applicable.

Example

example:/#> ping 192.168.131.1

Ctrl-C to abort

PING 192.168.131.1 (192.168.131.1): 56 data bytes

64 bytes from 192.168.131.1: seq=0 ttl=64 time=4.832 ms

64 bytes from 192.168.131.1: seq=1 ttl=64 time=0.836 ms

64 bytes from 192.168.131.1: seq=2 ttl=64 time=0.810 ms

64 bytes from 192.168.131.1: seq=3 ttl=64 time=0.823 ms

--- 192.168.131.1 ping statistics ---

4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.810/1.825/4.832 ms example:/#>

7.3.31

Traceroute

Syntax traceroute <HOST>

Context

Admin Exec

context

Usage Trace the path the packets take to a remote host.

150

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Traceroute is useful as a basic diagnostic tool.

You can use use the domain name or IP address as the host argument, but you need a valid name server setup for domain names to work, see

section 19.7.5

.

Default values Not applicable.

Example

example:/#> traceroute 192.168.130.41 traceroute to 192.168.130.41 (192.168.130.41), 30 hops max, 40 byte packets

1 192.168.131.1

1.116 ms 0.755 ms 0.806 ms

2 192.168.130.41

0.824 ms 0.705 ms 0.742 ms example:/#>

7.3.32

Remote Login to another device (SSH Client)

Syntax ssh [[email protected]]<IPADDR|DOMAINNAME>[/PORT]

Context

Admin Exec

context.

Usage Login to remote device using SSH.

Default values Default user ”admin”, default (TCP) port number ”22”.

7.3.33

Remote Login to another device (Telnet Client)

Syntax telnet <IPADDR|DOMAINNAME>[:PORT]

Context

Admin Exec

context.

Usage Login to remote device using Telnet.

Default values Default (TCP) port number ”23”.

7.3.34

Show IPConfig Neighbours

Syntax show ipconfig [IFNAME]

Context

Admin Exec

context.

Usage The command has two purposes:

© 2015 Westermo Teleindustri AB

151

Westermo OS Management Guide

Version 4.17.1-0

ˆ Scan the network for IPConfig neighbours on the given interface, i.e., scan for other Westermo devices with the IPConfig service enabled (see

section 7.3.46

).

ˆ Show status of the IPConfig process on the own device, if enabled.

Note: There is another ”show ipconfig” command available in the

Global

Configuration

context, which shows IPConfig server configuration settings, see

section 7.3.46

.

Default values If no interface is given, a scan for IPConfig neighbours is tried on interface vlan1 (if existing).

Example

example:/#> show ipconfig

Using default interface vlan1

MAC IP Ver.

Type Status

===============================================================================

00:07:7c:87:85:23 192.168.2.100/24

00:07:7c:87:85:13 192.168.2.200/24

4.03 Lynx+

4.03 Lynx+

-------------SI

------------RSI

00:07:7c:87:57:a3 192.168.2.201/24

00:07:7c:87:85:d3 192.168.2.225/24

===============================================================================

Process ipconfigd running as PID 475 example:/#>

4.03 Lynx+

4.03 Lynx+

FOC:RING:MN:RSI

MEM:RING:MN:RSI

Explanations to the output:

ˆ MAC: The base MAC address of the discovered device.

ˆ IP: The IP address of the discovered device.

ˆ Version: Software version on the discovered unit. In the example above, all discovered devices are running some variant of 4.3.x software. The platform

generation number (4) and feature release (03) number are shown, but we cannot determine if those units are running 4.3.0, 4.3.1 or some other 4.3.x

patch revision.

ˆ Type: The type of Westermo device discovered.

ˆ Status:

If FRNT is enabled, the role is displayed as ”FOC” (focal point) or ”MEM”

(member switch), and one can also see whether the FRNT ports are up or down: ”M” - FRNT port M is up, ”m” - FRNT port M is down, and so on. Note: the ports ”M” and ”N” refers to the operational state of the

FRNT port, which can differ from their configured role if the ports are connected in the wrong order (swapped).

152

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

If RSTP/STP is enabled on the discovered device, the letter ”R” is shown.

If SNMP is enabled on the discovered device, the letter ”S” is shown.

If IGMP Snooping is enabled on the discovered device, the letter ”I” is shown.

7.3.35

Manage Port Monitoring

Syntax [no] monitor

Context

Admin Exec

context

Usage Use the ”monitor” command to enter the

Port Monitoring

context.

”no monitor” will disable port monitoring (in the same way as ”no enable” within the

Port Monitoring , see section 7.3.36

).

Use ”show monitoring” to show port monitoring settings (also available as

”show” command within the

Port Monitoring

context).

Default values Not applicable.

7.3.36

Enable/disable Port Monitoring

Syntax [no] enable

Context

Port Monitoring

context

Usage Enable port monitoring. Use ”no enable” to disable port monitoring.

Use ”show enable” to list whether port monitoring is enabled or disabled.

Default values no enable (disabled)

7.3.37

Set Mirror Port

Syntax [no] destination <PORT>

Context

Port Monitoring

context

© 2015 Westermo Teleindustri AB

153

Westermo OS Management Guide

Version 4.17.1-0

Usage Set the monitor destination port, i.e., the mirror port.

Use ”show destination” to show currently configured port monitoring destination port.

Default values By default there is no destination port.

7.3.38

Set Monitored Ports

Syntax [no] source <PORTLIST> [ingress] [egress]

Context

Port Monitoring

context

Usage Add/delete/update monitor source port(s), i.e., the ports being monitored.

Use ”show source” to show current set of ports being monitored.

Default values By default there are no source ports. Commands apply both to

”ingress” and ”egress” if neither is specified.

7.3.39

Manage LLDP settings

Syntax [no] lldp

Context

Global Configuration

context.

Usage Enter

LLDP Configuration

context. Use ”no lldp” to disable lldp.

Use ”show lldp” to view the current configuration. Alternatively, you can enter the

LLDP Configuration

context and run ”show” (see example in

section 7.3.40

).

Default values LLDP is enabled by default.

7.3.40

Enable/disable LLDP

Syntax [no] enable

Context

LLDP Configuration

context.

Usage Enable/disable LLDP. Use ”enable” to enable and ”no enable” to disable

LLDP on all LAN ports. (As of WeOS v4.17.1 ”no enable” will be stored as

”no lldp”, see

section 7.3.39

.)

154

© 2015 Westermo Teleindustri AB

Default values LLDP is enabled by default.

Example

example:/config/#> lldp example:/config/lldp/#> enable example:/config/lldp/#> show

LLDP is enabled example:/config/lldp/#>

Westermo OS Management Guide

Version 4.17.1-0

7.3.41

Show LLDP Status

Syntax show lldp

Context

Admin Exec

context.

Usage Show LLDP information about neighbouring devices.

Default values Not applicable.

Example

example:/#> show lldp

-------------------------------------------------------------------------------

LLDP neighbors:

-------------------------------------------------------------------------------

Interface:

Chassis:

ChassisID:

SysName:

SysDescr:

Eth 10, via: LLDP, RID: 1, Time: 0 day, 01:32:31 mac 00:07:7c:84:d7:44 wolverine

Wolverine WeOS v4.9.x

MgmtIP:

Capability:

Capability:

Capability:

Port:

192.168.2.2

Bridge, off

Router, on

Wlan, off

PortID:

PortDescr:

VLAN:

LLDP-MED: mac 00:07:7c:84:d7:47

10/100TX Eth 2/1

1 vlan1

Device Type: Network Connectivity Device

Capability: Capabilities

Capability:

Capability:

Capability:

Capability:

Capability:

Policy

Location

MDI/PSE

MDI/PD

Inventory

-------------------------------------------------------------------------------

© 2015 Westermo Teleindustri AB

155

Westermo OS Management Guide

Version 4.17.1-0

7.3.42

Enable/disable Web Management Interface

Syntax [no] web

Context

Global Configuration

context.

Usage Enable web management interface, and enter

Web Configuration

context. Use ”no web” to disable the web server.

Warning

Then the switch cannot be managed via the Web interface.

Use ”show web” to list current Web configuration settings (also available as

”show” command within the

Web Configuration

context).

Default values Enabled (”web”)

7.3.43

Set Web Management Session Timeout

Syntax [no] session-timeout <TIMEOUT>

Context web context.

Usage Configures the session timeout. (”no session timeout”) disables timeout.

Default values 10 min

7.3.44

Set Web Management HTTP port

Syntax [no] port <PORT>

Context web context.

Usage Configures the HTTP port.

Default values 80

7.3.45

Set Web Management HTTPS port

Syntax [no] ssl-port <PORT>

156

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Context web context.

Usage Configures the HTTPS (SSL) port.

Default values 443

7.3.46

Enable/disable IPConfig Service

Syntax [no] ipconfig

Context

Global Configuration

context.

Usage Enable IPConfig service interface (management of the unit via the Westermo IPConfig protocol), and enter

IPConfig Configuration

context. Use ”no

ipconfig” to disable the IPConfig server

Warning

After this the switch cannot be managed (or detected) via the IPConfig protocol, used by the WeConfig tool.

Use ”show ipconfig” to list whether IPConfig is enabled or disabled. Note:

There is another ”show ipconfig” command available in the

Admin Exec

context, which is used (1) to scan for neighbour Westermo units, and (2) to list status information on the IPConfig server running on this device, see

section 7.3.34

.

Default values Enabled (”ipconfig”)

Examples

1. How to check whether IPConfig service is enabled on my switch:

Example

example:/#> config example:/config/#> show ipconfig

Ipconfig is enabled

Read only mode : Disabled example:/config/#> end

2. How to enable/disable IPConfig service:

Enter Global Configuration context, check the current IPConfig configuration, and modify it if desired. Below is an example of how to disable

IPConfig.

© 2015 Westermo Teleindustri AB

157

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> config example:/config/#> show ipconfig

Ipconfig is enabled

Read only mode : Disabled example:/config/#> no ipconfig

Deactivating ipconfig service.

example:/config/#> end

7.3.47

Enable/Disable configuration and upgrade via IPConfig service

Syntax [no] read-only

Context

IPConfig Configuration

context.

Usage The IPConfig service (used by the WeConfig tool) can be used to discover and view status of a unit, but also for some simple configuration (IP address, netmask and default gateway) and firmware upgrade (primary firmware).

By setting IPConfig in ”read-only” mode, no configuration or firmware upgrade is possible via IPConfig service.

Use ”show read-only” to list whether ’read-only’ is enabled or disabled.

Use ”read-only” to activate ’read-only’ mode, and ”no read-only” to set the mode to ’read/write’.

Default values Disabled (”no read-only”, i.e., configuration and upgrading via IPconfig service is possible.)

Examples

How to limit IPConfig service to ’read-only’. That is, disabling configuration and upgrading of the unit via IPConfig, while allowing use of IPConfig to discover the unit and status information retrieval.

Example

example:/#> config example:/config/#> show ipconfig

Ipconfig is enabled

Read only mode : Disabled example:/config/ipconfig/#> read-only

Setting IPconfig read only mode Enabled example:/config/ipconfig/#> end

158

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.3.48

Enable/disable SSH Service

Syntax [no] ssh

Context

Global Configuration

context.

Usage Enable SSHv2 management service, and enter

SSH Configuration

context. Use ”no ssh” to disable the SSHv2 server.

Warning

Then the switch cannot be managed via SSHv2.

Use ”show ssh” to list current SSH configuration settings (also available as

”show” command within the

SSH Configuration

context).

Default values Enabled (”ssh”)

7.3.49

Enable/disable Telnet Service

Syntax [no] telnet

Context

Global Configuration

context.

Usage Enable Telnet management service, and enter

Telnet Configuration

context. Use ”no telnet” to disable the Telnet server.

Warning

Then the switch cannot be managed via Telnet.

Use ”show telnet” to list current Telnet configuration settings (also available as ”show” command within the

Telnet Configuration

context).

Default values Disabled (”no telnet”)

7.3.50

Show System Environment Sensors

Syntax show env

Context

Admin Exec

context.

© 2015 Westermo Teleindustri AB

159

Westermo OS Management Guide

Version 4.17.1-0

Usage List available environment sensors, their index, and their current value.

Examples of sensors are power (DC1 and DC2), Digital In, and Temperature sensors.

If the unit is equipped with DDM/DOM capable SFPs

17

, the voltage, bias cur-

rent, Tx power, Rx power and temperature parameters will be listed for each

SFP.

Default values Not applicable.

7.3.51

Show System Uptime

Syntax show uptime

Context

Admin Exec

context.

Usage Show system uptime.

Default values Not applicable.

7.3.52

Show Memory Usage

Syntax show memory

Context

Admin Exec

context.

Usage Show system memory usage.

Default values Not applicable.

7.3.53

Show Running Processes

Syntax show processes

Context

Admin Exec

context.

Usage Show a list of currently running processes.

Default values Not applicable.

17

DDM/DOM diagnostic information is only available for Westermo DDM SFPs, see the SFP

Transceiver Datasheet of your WeOS product ( www.westermo.com

).

160

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

7.3.54

Show Flash Partition Table

Syntax show flash-table

Context

Admin Exec

context.

Usage Show information on the flash partition table.

Default values Not applicable.

7.3.55

Show Partition table

Syntax show partitions

Context

Admin Exec

context.

Usage Show information on the flash partition table. The ”show partitions” is

similar to the ”show flash-table” command ( section 7.3.54

), but presents

the partition table somewhat differently.

Default values Not applicable.

Examples

ˆ Example with a WeOS unit (Basis platform) with RedBoot bootloader (see partition mtd0).

Example

example:/#> show partitions

Partition Name Size

=============================================================================== mtd0 mtd1 mtd2 mtd3 mtd4

RedBoot

Linux_main

Linux_backup

JFFS2

Branding

512.0 KiB

12.5 MiB

12.5 MiB

4.0 MiB

2.1 MiB mtd5 mtd6 example:/#>

RedBoot config

FIS directory

4.0 KiB

128.0 KiB

ˆ Example with WeOS unit (Corazon platform) with U-boot boot-loader

(see partition mtd4).

© 2015 Westermo Teleindustri AB

161

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> show partitions

Partition Name Size

=============================================================================== mtd0 mtd1

Linux_main

Linux_backup

56.0 MiB

56.0 MiB mtd2 mtd3 mtd4 example:/#>

Config

U-Boot Config

U-Boot

15.0 MiB

512.0 KiB

512.0 KiB

ˆ Example with WeOS unit (Corazon platform) with Barebox boot-loader

(see partition mtd4).

Example

example:/#> show partitions

Partition Name mtd4 example:/#>

Barebox

Size

=============================================================================== mtd0 Linux_main 56.0 MiB mtd1 mtd2 mtd3

Linux_backup

Config

BareboxEnv

56.0 MiB

15.0 MiB

512.0 KiB

512.0 KiB

7.3.56

Update Flash Partition Table

Syntax flash-table-update

Context

Admin Exec

context.

Usage This command is used to update the flash partition table on early RedFox units, in order to allow firmware upgrades to WeOS release 4.3.0 or later.

For details, see

section 7.1.11

.

Default values Not applicable.

162

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 8

Ethernet Port Management

By default all ports on the switch are enabled.

Section 8.1

provides general information about the available port settings.

Section 8.2

covers port settings via the Web interface and

section 8.3

port settings via the CLI.

8.1

Overview of Ethernet Port Management

The table below presents available port settings. The features are presented further in the following sections.

Feature

Enable/disable port

Speed-duplex mode

Flow control

Port priority (level)

Port priority mode

Link alarm

Inbound rate limit

Rate Selection

Traffic Selection

Outbound traffic shaping

MDI/MDIX

Fastlink

Web

X

X

X

X

X

X

X

X

CLI

General Description

X

X

Section 8.1.2

X

Section 8.1.3

X

Section 8.1.4

X

Section 8.1.4

X

Section 8.1.5

X

Section 8.1.6

X

X

-”-

-”-

X

X

X

Section 8.1.7

X

Section 8.1.8

(X) (X)

Section 8.1.9

Continued on next page

© 2015 Westermo Teleindustri AB

163

Westermo OS Management Guide

Version 4.17.1-0

Feature

fallback default-VID

PHY fine tuning

Shielded/Unshielded TP cable

TX power mode

Continued from previous page

Web

CLI

General Description

X

Section 8.1.10

X

X

X

View port configuration

View port status

View SFP DDM/DOM diagnostics

X

X

X

X

X

X

Section 8.1.11

8.1.1

Port naming conventions

The convention to name communication ports such as Ethernet ports, DSL ports, and Serial ports differs between WeOS products and product families.

8.1.1.1

Simple numbering

Lynx, Falcon, DDW-142 (Wolverine), RedFox Industrial Rack, RedFox Rail, and

Viper all use a simple port ID to refer to their ports.

ˆ Lynx[

46 ] and RedFox Industrial Rack[ 49

]: Ethernet ports on Lynx and RedFox

Industrial Rack are named 1, 2, 3, . . .

ˆ Falcon[

41

], Lynx-DSS[ 43

] and some Wolverine units (DDW-142[ 37

]): These

units have multiple port types; Ethernet, serial port(s) and xDSL/SHDSL (Falcon/Wolverine), which are numbered individually per port type. For example,

Falcon is equipped with:

four Ethernet ports (numbered 1, 2, 3 and 4),

one xDSL port (numbered 1), and

one serial port (numbered 1).

As Ethernet and xDSL ports can be used in overlapping contexts, e.g., they can be associated with the same VLAN, a port qualifier (”eth” or ”dsl”) is

164

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 sometimes used to distinguish Ethernet port 1 (”eth 1”) from xDSL port 1

(”dsl 1”).

ˆ RedFox Rail and Viper: Ethernet ports on RedFox Rail and Viper are named

X1, X2, X3, . . .

8.1.1.2

Slot based numbering

RedFox Industrial[ 47 , 48

] and some Wolverine products (DDW-225[ 39 ] and DDW-

226[ 40 ]) use a slotted architecture, and ports are named according to the slot ID

and the port’s position within that slot. For example, port 1/2 would denote the second port in the first slot.

This name convention is used irrespective of port type, e.g., DDW-226 (Wolverine) has two SHDSL ports (1/1-1/2), 4 Ethernet ports (2/1-2/4), and one Serial port

(1/1). Details on the name convention and the slotted architecture is described further below, using RedFox Industrial as example.

Figure 8.1: Three-slot RedFox Industrial switch equipped with a 8-port Gigabit/SFP card (middle slot), and an 8-port 10/100BaseTX card (right slot).

The RedFox Industrial switches come in a two-slot and a three-slot version.

Fig. 8.1

shows a sample three-slot RedFox Industrial equipped with a 4-port Gigabit/SFP

© 2015 Westermo Teleindustri AB

165

Westermo OS Management Guide

Version 4.17.1-0 card (middle slot) and an 8-port 10/100BaseTX card (right slot). The leftmost slot contains the Power/CPU card, which is present on all RedFox Industrial switches.

RedFox Industrial makes use of a slotted architecture with different combinations of interface modules. As mentioned above WeOS numbers the ports based on

slotID/portID, where the

ˆ the slotID denotes the slot’s position within the rack (left to right), and

ˆ the portID denotes the port’s position within the slot (left to right, up to down).

For example, the three Ethernet ports in the leftmost slot (slot 1) are named 1/1

(top), 1/2 (middle). and 1/3 (bottom). The ports in the second slot are named

2/1-2/4 (left side) and 2/5-2/8 (right side), and ports in slot 3 are named 3/1-3/4

(left side) and 3/5-3/8 (right side).

8.1.2

Port speed and duplex modes

By default ports are configured to auto-negotiate speed (10/100/1000 Mbit/s) and duplex modes (half/full) to the ”best” common mode when a link comes up. When configured for auto-negotiation, the resulting speed and duplex mode agreed is shown as part of the port status information.

It is possible to disable auto-negotiation and instead use a static speed and duplex mode setting. When using a static speed and duplex setting, the operator should ensure that the ports on both ends of the link are configured with the same static speed and duplex settings.

Depending on Ethernet port type, the available port speeds will differ:

ˆ Fast Ethernet copper ports: Fast Ethernet copper ports are capable to operate at 10 or 100 Mbit/s.

ˆ Gigabit Ethernet copper ports: Gigabit Ethernet copper ports are capable to operate at 10, 100 or 1000 Mbit/s.

ˆ Gigabit Ethernet fibre ports: Gigabit Ethernet fibre ports are capable to operate at 1000 Mbit/s.

166

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

8.1.3

Flow control

The ports can be configured to use flow control, i.e., to dynamically limit inbound traffic to avoid congestion on outbound ports.

When flow control is enabled on a full duplex port, the switch will send pause

frames (IEEE 802.3x) to limit inbound traffic on this port, if that traffic is causing congestion when sent out on another switch port.

When flow control is enabled on a half duplex port, the switch will use a technique known as back-pressure to limit inbound traffic on this port, if that traffic is causing congestion when sent out on another switch port. (The back-pressure technique enables a switch to force its neighbour to slow down by sending jam-

ming signals on that port, thus emulating a packet collision.)

8.1.4

Layer-2 priority support

Each Ethernet port has four output queues, enabling layer-2 priority support with four traffic classes. The queues are serviced according to strict priority schedul-

ing, i.e., when there are traffic in multiple queues, the packets in the queue with higher priority is serviced first.

A packet’s priority is determined when it enters on a port, and can be classified based on:

ˆ VLAN ID: The switch can be configured to give specific priority to certain

VLANs. This can be useful to, e.g., when providing IP telephony via a dedicated VLAN. Priority based on VLAN ID has precedence over all priority classifications described below.

VLAN ID priority settings are further described in

chapter 13 .

ˆ VLAN tag: For packets carrying a VLAN tag, the packet’s priority can be based on content of the priority bits inside the VLAN tag. The VLAN tag is useful to carry packet priority information on inter-switch links.

Use of VLAN tag priority can be configured per port (see

sections 8.2

and

8.3

).

ˆ IP ToS/DiffServ: For IP packets the priority can be classified based on the content of the IP ToS bits (IPv4) or the IP TC bits (IPv6). Classification based on the IP ToS/Diffserv bits can be useful to provide higher priority to delay sensitive applications, such as IP telephony and remote login, than to

© 2015 Westermo Teleindustri AB

167

Westermo OS Management Guide

Version 4.17.1-0 bulk data applications, such as file transfer, however, it requires that those applications can set the IP ToS/Diffserv bits appropriately.

Use of IP ToS/DiffServ priority can be configured per port (see

sections 8.2

and

8.3

).

ˆ Port Priority: Priority can be classified based on the inbound port.

Use of port priority can be configured per port (see

sections 8.2

and

8.3

).

Furthermore, when priority classification is configured to be based on VLAN tag (or IP ToS/DiffServ), priority will be based on the port priority for untagged (or non-IP respectively) packets.

When priority is classified based on VLAN ID, VLAN tag, or port priority, the priority assigned to a packet will take a value in range 0-7, and be represented by

3 bits (IEEE 802.1p). The mapping of 802.1p priority (8 values) to traffic class

(4 output queues) is shown in

table 8.2

. The rationale behind this mapping is

described in IEEE 802.1Q-2005 (Annex G).

IEEE 802.1p

Queue number/ priority Traffic Class

6

7

4

5

2

3

0

1

0 (lowest)

0

1

1

2

2

3

3 (highest)

Table 8.2: Mapping of IEEE 802.1p priority to Queue/Traffic Class.

When priority is classified based on IP ToS/DiffServ, the priority assigned to a packet will take a value in range 0-63, and be represented by 6 bits (DSCP -

Differentiated Services Code Point). The mapping of DSCP priority (64 values) to traffic class (4 output queues) is shown in

table 8.3

. This mapping is in line

with the use of IP Precedence fields (RFC 1349), and IP DiffServ for best effort and control traffic (RFC 2474), assured forwarding (RFC 2597) and expedited

forwarding (RFC 3246).

Packets sent out on a port with a VLAN tag will carry priority information (802.1p) within their VLAN tag.

168

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

IP Priority bits

Queue bits

5 4 3 2 1 0 1 0

Queue number/

Traffic class

0 0 0 0 0 (lowest)

0 1 0 1 1

1 0 1 0 2

1 1 1 1 3 (highest)

Table 8.3: Mapping of IP priority bits to Queue/Traffic Class.

ˆ For packets where priority was classified based on VLAN ID, VLAN tag, or port priority, the outbound priority (3 bits) will be equal to the determined inbound priority (3 bits).

ˆ When priority is classified based on IP ToS/DiffServ, determining the outbound priority (3 bits) is more complex: the two most significant bits of the outbound priority will be equal to the queue number (i.e., queue bits in

table 8.3

), while the least significant bit of the outbound priority is equal to

the least significant bit of the inbound port’s configured port priority.

E.g., if the packet is put in priority queue 2 (binary ’10’), and the port priority of the inbound port has an odd value (least significant bit is ’1’), the packet will carry priority value 5 (’101’) in its VLAN tag when sent on the outbound port.

Warning

Configuration of layer-2 priority should be handled with care. In particular, mapping user traffic to the highest priority queue is discouraged, since that may affect time critical control traffic, such as FRNT traffic, already mapped to the highest priority queue.

8.1.5

Link alarm

Each Ethernet port on the switch can be configured to indicate alarm when the link comes up or goes down. The alarm is indicated in multiple ways:

ˆ SNMP trap: An SNMP trap will be sent when a link changes state, i.e., both when the link comes up, or when it goes down. This assumes that SNMP is

© 2015 Westermo Teleindustri AB

169

Westermo OS Management Guide

Version 4.17.1-0 enabled, and that a trap host is configured. See

chapter 6

for more information.

ˆ Front panel LEDs: A link alarm may effect both the individual LED of the port, as well as the common status LED for the switch (for definite information about what functions affect the common status LED, see

chapter 24 ):

Individual LED: Each Ethernet port has a LED, which generally indicates

’green’ if the link is up. If there is no link, the LED will indicate ’yellow’ when link alarm is configured.

Common status LED: The switch has a common status LED, labelled

’ON’ on the front panel. This LED will generally indicate ’green’ if all associated functions are OK, and ’red’ if one or more of the associated alarm sources are ’NOT OK’. E.g., if one of the ports configured with link alarm indicates link down, the common status LED will be ’red’.

ˆ Web interface: Link alarms (link down) are indicated on the main Web page, and the port configuration/status page.

ˆ CLI: A link alarm (link down) is indicated by an exclamation mark (’!’) when displaying the port’s status in the CLI.

ˆ Digital I/O: A link alarm can affect the output level of the digital I/O port in the same way as it will affect the common status LED.

For more information on the functionality of the Digital I/O port, see

chapter 24 .

8.1.6

Inbound/Ingress rate limiting

The switch can be configured to limit the rate of a port’s incoming traffic - inbound

rate limiting (also referred to as ingress rate limiting). By default a port will accept packets at a rate up to the link speed, but with inbound rate limiting activated the switch will start dropping packets when data arrives above the given rate threshold.

The inbound rate limiting feature can be useful as a complement to layer-2 priority handling (see

section 8.1.4

) when congestion within the network is to be

avoided.

There are two configuration settings for inbound rate limiting:

170

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Rate: Defines the threshold data rate. The web interface provides a predefined set of rates (drop-down list). The CLI allows for more fine-grain rate settings:

in steps of 64 kbit/s in range 64-1000 kbit/s

in steps of 1 Mbit/s in range 1-100 Mbit/s

in steps of 10 Mbit/s in range 100-1000 Mbit/s (on Gigabit Ethernet ports.)

Rate limiting calculations consider the layer-2 bits, i.e., from Ethernet destination MAC address to CRC (interframe gap and preamble bits are not counted).

ˆ Traffic Type: Defines the kind of traffic subject to inbound rate limiting. By default, a configured rate limit will apply to all traffic, however, it is possible to restrain the rate limit to specific (layer-2) traffic types: broadcast, multi-

cast and/or unknown

1

unicast. As of WeOS v4.17.1 selection of traffic types can only be done via the CLI.

1

Unknown unicast traffic is traffic with a unicast destination MAC address not present in the switch forwarding database (see

section 13.4.19

). Unknown unicast traffic is flooded onto all ports

within the (V)LAN.

© 2015 Westermo Teleindustri AB

171

Westermo OS Management Guide

Version 4.17.1-0

8.1.6.1

Restrictions on inbound rate limiting

On RedFox units, some of the interface modules have hardware dependent restrictions regarding the inbound rate limit function. These restrictions are described in this section.

Which Ethernet ports on RedFox have the restrictions described here?

The restrictions apply to Ethernet ports of switchcores MV88E6095 and

MV88E6185. Please see Detailed System Overview page in the Web ( section 4.4.2

) or use the ”show system-information” in the CLI ( section 7.3.2

)

to find definite information about what switchcore(s) is used in your product.

An informative list of products/modules where the restrictions apply is given below:

ˆ RedFox Industrial (RFI) with Corazon platform[

48 ]: Only Ethernet ports

on modules ”F4G” and ”F4G-T4G” (MV88E6185) have these restrictions.

ˆ RedFox Industrial (RFI) with Atlas platform[

47 ]: Ethernet ports on all

modules except module ”F8” have these restrictions.

ˆ RedFox Industrial Rack (RFIR)[

49 ]: Only Ethernet ports in the 8-port

group/module with Gbit/s ports (4 Gbit/s SFP and 4 Gbit/s Copper ports;

MV88E6185) have these restrictions.

ˆ RedFox Rail (RFR) with Corazon platform[

50 ]: No Ethernet ports on the

RFR-212 have these restrictions.

ˆ RedFox Rail (RFR) with Atlas platform (not for sale): All Ethernet ports on the RFR-12 have these restrictions.

ˆ TCP traffic: When the data rate rises above the given threshold on these

Ethernet ports, packets will be dropped in a manner ”punishing” TCP traffic relatively hard. Thus, activating inbound rate limiting applicable to unicast traffic may have an undesired impact on your TCP traffic,.

ˆ Traffic types: When restricting the inbound rate limit to a certain traffic type (broadcast, multicast and/or unknown unicast) on these Ethernet ports, there are dependencies between the settings:

Unknown unicast: Selecting ”unknown unicast” implies that ”unknown unicast”, ”multicast” and ”broadcast” traffic will be subject to inbound rate limiting.

Multicast: Selecting ”multicast” implies that ”multicast” and ”broadcast” traffic will be subject to inbound rate limiting.

172

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Broadcast: Selecting ”broadcast” simply means that ”broadcast” traffic will be subject to inbound rate limiting.

ˆ Rate limiting on Gigabit ports: Maximum rate limit on (MV88E6185) Gigabit ports is 250 Mbit/s. Setting a higher rate limit (e.g., 300 Mbit/s) will result in a rate limit of 250 Mbit/s.

Due to these restrictions, it is recommended that inbound rate limiting is primarily used as a means of storm prevention, on the ports where these restrictions apply.

8.1.7

Outbound/Egress traffic shaping

The switch can be configured to limit the outbound data rate on a port (outbound traffic shaping). By default each port will send at the maximum speed of the link, but with outbound traffic shaping activated the switch will limit the outbound rate to a given threshold. Above that threshold the switch will buffer packets - bursty traffic will be shaped. In case the output buffer is full, additional packets destined for that port will be dropped.

When configuring the threshold rate for outbound traffic shaping, the same settings as for inbound rate limiting (see

section 8.1.6

) applies. For outbound traffic

shaping it is also possible to specify rate in frames per second. The web interface provides a predefined set of rates (drop-down list). The CLI allows for more fine-grain rate settings:

ˆ Bits per second:

in steps of 64 kbit/s in range 64-1000 kbit/s

in steps of 1 Mbit/s in range 1-100 Mbit/s

in steps of 10 Mbit/s in range 100-1000 Mbit/s (on Gigabit Ethernet ports)

ˆ Frames per second: in range 7700-1488000 frames per second

Traffic shaping calculations consider the layer-2 bits, i.e., from Ethernet destination MAC address to CRC (interframe gap and preamble bits are not counted).

© 2015 Westermo Teleindustri AB

173

Westermo OS Management Guide

Version 4.17.1-0

Note

Outbound traffic shaping in frames per second mode is available for Ethernet ports on all WeOS products, with exceptions for ports on some RedFox and

RedFox Industrial Rack models. The Ethernet ports listed to have restrictions for ingress rate limiting (see

section 8.1.6.1

) also lack support for the frames

per second mode.

Furthermore, outbound traffic shaping in frames per second mode is not available available for DSL ports (ADSL/VDSL or SHDSL) ports.

8.1.8

MDI/MDIX crossover

By default a switch is able to sense which pin to use for reception and which to use for transmission (auto MDI/MDIX crossover), thus no external crossover cable is necessary. In addition, a port can be configured statically in MDI (Media

Dependent Interface) or MDIX (crossover) mode.

8.1.9

Fastlink - Fast link-up/link-down on fixed 10/100 Ethernet copper ports

Default port settings in WeOS are aimed at being conformant and compatible with as many devices as possible. Therefore the ports are setup to auto-negotiate speed, duplex and automatically agree with the link partner on which end should cross RX and TX when a straight cable is used. Naturally this takes a bit of time, despite all current products today do this in dedicated PHY circuitry.

To speed things up considerably, a feature called ”Fastlink” can be activated on

fixed 10/100 Mbit/s Ethernet copper ports

2

. This feature basically disables any

IEEE back-offs and timeouts in place to protect against glitches and temporary link loss that otherwise prevent the port from going UP or DOWN. Westermo has put a great deal of effort into making sure that, when enabling Fastlink, glitches and link loss still do not occur.

Enable Fastlink by configuring the port(s) with the following two settings:

ˆ Fixed speed/duplex mode, preferably 100 Mbit full-duplex. That is, autonegotiation of speed/duplex mode is disabled. See

section 8.1.2

for information on port speed/duplex.

2

Fastlink does not apply to Gigabit Ethernet ports, or to any SFP ports.

174

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Fixed MDI/MDIX crossover mode, i.e., auto-MDI/MDIX is disabled. See

section 8.1.8

for information on port crossover mode.

In most use-cases auto-negotiation of speed-duplex and MDI/MDIX is still preferable, but enabling Fastlink can improve failover performance in some redundancy applications – we refer to this as the fastlink mode:

ˆ RedFox Rail [

50 ] bypass relay ports[ 50 ]: RedFox Rail routers equipped with

a bypass relay are typically used in train backbones. The four backbone ports, two in each direction, are controlled by a relay, ensuring connectivity between routers on the backbone when one or more routers experience power-loss. The fastlink mode minimises disruption when the bypass relay changes state.

ˆ Layer-2 redundancy: the fastlink mode can improve failover performance for various layer-2 redundancy mechanisms, e.g., when using static link aggre-

gation ( section 17 ).

Note

The fastlink mode requires more precise knowledge of cabling and devices used because all automatic detection is disabled.

E.g., on the RedFox

Rail[ 50 ] bypass relay ports, make sure to setup 100 Mbps Full-Duplex, with

MDI/MDIX mode set to either:

ˆ MDIX in both directions and crossover cables between switches, or

ˆ MDI in one direction, MDIX in the other, with a straight cable

The latter case does however not work when a train car is turned 180°, but may be useful in other setups since straight cables are more commonplace.

8.1.10

Fallback default VID

The fallback default VLAN ID is generally unnecessary to configure.

The purpose of the fallback default-VID is to control what should happen with ”untagged” packets entering a port only configured ”tagged” on a set of VLANs. For more information on VLAN features and the VLAN related terms used throughout this section, see

chapter 13 .

Every port needs to have a ”default VID”. The default VID specifies the VLAN ID an ”untagged” packet should be associated with as it enters that port. A port’s default VID is determined as follows:

© 2015 Westermo Teleindustri AB

175

Westermo OS Management Guide

Version 4.17.1-0

ˆ If a port is associated ”untagged” with a VLAN, that VID will be the port’s default VID. E.g., if a port is associated ”untagged” to VID 10, the port will have VID 10 as its ”default VID”.

ˆ If a port is not associated ”untagged” with any VLAN, the port’s default VID is determined as:

the port’s fallback default VID, given that a fallback default-VID is configured, or

the default VLAN (VID 1), if no fallback default-VID is configured

The fallback default VID can be used to control whether ”untagged” packets should be accepted on a port (only) associated ”tagged” with a set of VLANs.

If the port’s default VID is represented within that set of VLANs, the packet will be accepted. Otherwise it will be dropped.

8.1.11

SFP DDM/DOM Diagnostics

Digital diagnostics monitoring (DDM), also known as digital optics monitoring

(DOM), is a function enabling the user to monitor diagnostic parameters of the

SFP.

WeOS provides diagnostic information for the following DDM parameters.

ˆ Optical TX power

Measures the optic power when transmitting, which can be used for detect-

ing a deteriorating link

3

. The accuracy is better than +/-3dB and the total

range of -40 to +8.2 dBm (0–6.5535 mW).

ˆ Optical RX power

Measures the optic power when receiving, which can be used for detecting a deteriorating link. The accuracy is better than +/-3dB and the total range of -40 to +8.2 dBm (0–6.5535 mW).

ˆ Temperature

The temperature of the SFP should be very close or equal to the temperature of the unit. The temperature accuracy is better than 3 degrees Celsius (°C) and the total range of -128 °C to +128 °C.

3

By comparing the TxPower on a unit with the RxPower on the unit it is connected to, the user can find out the amount of "signal strength" that is lost over the optic link. When the gap between

TxPower and RxPower is increasing, the optic link’s capability to transfer the signal decreases.

176

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Bias current

The transmitting bias current can be used to determine how fast an SFP is aging. The accuracy is better than +/- 10% and the total range of 0 - 131 mA.

ˆ Voltage The voltage should always be 3.3V since the SFP’s power supply line is the same as the unit. The accuracy is better than +/-3% and the total range of 0–6.55 V.

DDM/DOM information will only be listed for enabled ports.

Note

DDM support in WeOS is limited to Westermo DDM SFPs, see the SFP

Transceiver Datasheet of your WeOS product ( www.westermo.com

).

© 2015 Westermo Teleindustri AB

177

Westermo OS Management Guide

Version 4.17.1-0

8.2

Managing port settings via the web interface

8.2.1

List Port Settings

Menu path: Configuration Port Port

When entering the port configuration page you will be presented to a list of all ports available on your switch, see

fig. 8.2

. Here you get an overview of the

settings for all ports, and in addition two items of dynamic information - alarms and link status.

Figure 8.2: Port configuration settings overview (this example is from a RedFox

Industrial switch)

Alarm

Port

Enabled

Link

Type

There is an active link alarm associated with the port.

Only shown if link alarm is enabled and the link is down.

The port label.

Shows if the port is enable or disabled

Link status for the port. Up or down.

The port type: Gigabit Ethernet Fibre optic, Gigabit Ethernet, Fast Ethernet Fibre optic or Fast Ethernet.

Continued on next page

178

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

Speed/Duplex

The speed duplex setting. Auto means speed and duplex will be automatically negotiated. Otherwise the current setting will be shown as speed in Megabit and duplex as

FDX for full duplex and HDX for half duplex. Note! This is not the negotiated speed, it is the configuration setting!

Link Alarm

Enabled

When link alarm is enabled an alarm will be generated if port link is down. Alarms trigger an SNMP trap message to be sent and alarms to be shown on the administration web. In the ports overview table a green check-mark means enabled, and a dash means disabled.

Edit

Click this icon to edit a port’s settings.

To change the settings for a specific port you will have to click the edit icon which will take you to the port setting edit page see

section 8.2.2

.

8.2.2

Edit Port Settings

Menu path: Configuration Port Port

On this page you can change the settings for the port.

© 2015 Westermo Teleindustri AB

179

Westermo OS Management Guide

Version 4.17.1-0

Type

Enable

The port type: Gigabit Ethernet Fibre optic, Gigabit Ethernet,

Fast Ethernet Fibre optic or Fast Ethernet.

Enable/disabled the port

Speed/Duplex

The speed duplex setting. Auto means speed and duplex will be automatically negotiated. Otherwise the current setting will be shown as speed in Megabit and duplex as FDX for full duplex and HDX for half duplex. Note! This is not the negotiated speed, it is the configuration setting!

MDIX mode

How to handle crossover cables. If you connect two units with different port settings (one with mdi and one with mdix) you need a straight-through twisted pair cabling. If you connect two units with the same setting you will need a crossover cabling.

Auto

Automatic detection

mdi

Medium dependent interface

mdix

mdi crossover

Priority Mode

Here you select on what information priority will be based:

Port Based

Based on the port’s priority. See the next item (Priority).

IP

Based on the content of the IP ToS bits (IPv4) or the IP TC bits (IPv6).

VLAN Tag

Based on the content of the (802.1p) priority field inside the received packet’s VLAN tag.

Priority

Inbound Rate

Limit

Outbound

Traffic Shape

The port’s priority level. Zero (0) is low priority and seven

(7) high priority.

Bandwidth limit for inbound traffic. Disabled means no limiting.

Bandwidth limit for outbound traffic. Disabled means no limiting.

Link Alarm

When link alarm is enabled an alarm will be generated if port link is down. Alarms trigger an SNMP trap message to be sent and alarms to be shown on the administration web.

8.2.3

List SFP DDM/DOM diagnostics

For information on how to view SFP DDM/DOM diagnostics, see

section 4.4.3

.

180

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

8.3

Managing port settings via the CLI

The port configuration context can be entered using the ”port <PORT|PORTLIST>” command from the Global Configuration context. When providing a list of ports, the scope of the configuration commands becomes all ports in the list. There is also a specific command, ”ports”, to enter the port context with the scope of all

Ethernet ports of the device.

Command Default Section

port [eth|. . . ] <PORTLIST> ports [eth|. . . ]

Ethernet

Ethernet

[no] enable Enabled

[no] speed-duplex <auto|10-half|10-full| auto

100-half|100-full|. . . >

[no] flow-control

[no] priority <0-7>

[no] priority-mode <tag|ip|port>

[no] link-alarm

Disabled

0 tag

Disabled

Disabled [no] rate-limit <64-1000000>

[match <TYPE>[,<TYPE>,...]]

[no] traffic-shaping <<64-1000000>|

<7700-1488000> fps>

[no] mdix-mode <auto|mdi|mdix>

[no] unshielded

[no] low-power

[no] default-vid <VLAN_ID>

Disabled auto

Section 8.3.1

Section 8.3.2

Section 8.3.3

Section 8.3.4

Section 8.3.5

Section 8.3.6

Section 8.3.7

Section 8.3.8

Section 8.3.9

Section 8.3.10

Section 8.3.11

Unshielded

Section 8.3.12

Low Power

Section 8.3.13

Disabled

Section 8.3.14

Show port status show ports

Show SFP DDM/DOM diagnostics show environment

Section 8.3.15

Section 7.3.50

© 2015 Westermo Teleindustri AB

181

Westermo OS Management Guide

Version 4.17.1-0

8.3.1

Managing Ports

Syntax port [eth|...] <PORT|PORTLIST>

The ”port” command is used for many port types, thus the full command syntax is

”port [eth|dsl|shdsl|xdsl|serial] <PORT|PORTLIST>”.

Context

Global Configuration

context

Usage Enter

Port Configuration

context of the given PORT (or PORTLIST) and port type.

A ”PORTLIST” is a comma separated list of ranges of ports without intermediate spaces, e.g., ”1/1,1/2” on a slotted product, or ”1-3,5” on a non-

slotted product.

The port qualifier keyword ”eth|...” is not needed if the numbers in the

”PORTLIST” are unique to a single type of port. If there are multiple port with the same number (but different types), the port qualifier is needed, e.g., ”port eth 1” and ”port dsl 1”.

For information on using the ”port” command to enter:

ˆ

xDSL Port Configuration

context, see

section 11.3.1

.

ˆ

SHDSL Port Configuration

context, see

section 10.3.1

.

ˆ Serial port context, see

section 38.3.1

.

Use ”show port [eth|...]

[PORT|PORTLIST]” to list port configuration information on one or more ports. Also available as ”show” command within

the Port Configuration .

Default values Not applicable for configuration. For listing configuration ”show

port” information on all ports are listed by default.

Entering port configuration context for Ethernet ports 1-4:

Example

example:/config/#> port 1-4 example:/config/port-eth1-4/#>

This unit has two ports with number 1 (”eth 1” and ”dsl 1”) thus the port qualifier is needed to determine which port to configure:

182

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/#> port 1

Ambiguous or bad port range or port type: 1 example:/config/#> port dsl 1 example:/config/port-dsl1/#>

8.3.2

Managing all Ports

Syntax ports [eth|dsl|shdsl|xdsl|serial]

Context Global Configuration context

Usage Enter Port Configuration context with the scope of all ports of a specific type (Ethernet, xDSL, etc.).

Default values ”Ethernet” for configuration (i.e., ”ports” will enter

Ethernet

Port Configuration

for all Ethernet ports), and ”All” for showing configuration

(i.e., ”show ports” will list information on all port types).

Listing information on all ports.

Example

example:/config/#> show ports

Ethernet ---------------------------------------- Priority ---- Limit - Default

Port Ena Aneg Speed DPX Flow MDI/X Alarm Mode Level In | Out Vid

===============================================================================

Eth 1 YES YES --NO auto NO tag 0 None None Auto

Eth 2 YES YES --NO auto NO tag 0 None None Auto

Eth 3

Eth 4

YES YES ---

YES YES ---

-

-

NO

NO auto auto

NO tag

NO tag

0

0

None None

None None

Auto

Auto

=============================================================================== xDSL -------------------------------------------- Priority ---- Limit - Default

Port Ena Mode Filter Encap PVC Annex Alarm Mode Level In | Out Vid

===============================================================================

DSL 1 YES adsl YES llc 8/35 A NO tag 0 None None Auto

===============================================================================

Serial --------------------- Data ------- Stop RTS XON ------------------------

Port Ena Type Speed bits Parity bits CTS XOFF Terminate

===============================================================================

Ser 1 YES rs232 115200 8 None 1 OFF OFF N/A

=============================================================================== example:/config/#>

Listing information on a all ports of a specific type

© 2015 Westermo Teleindustri AB

183

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/#> show ports dsl xDSL -------------------------------------------- Priority ---- Limit - Default

Port Ena Mode Filter Encap PVC Annex Alarm Mode Level In | Out Vid

===============================================================================

DSL 1 YES adsl YES llc 8/35 A NO tag 0 None None Auto

=============================================================================== example:/config/#>

8.3.3

Port enabling and disabling

Syntax [no] enable

Context

Ethernet Port Configuration

context (also available in

SHDSL Port Configuration

and

xDSL Port Configuration

for products with DSL ports)

Usage Use ”enable” to enable and ”no enable” disable a port.

Use ”show enable” to show whether the port is enabled or disabled.

Default values Ports are enabled by default.

8.3.4

Speed and duplex setting

Syntax [no] speed-duplex <auto|10-half|10-full|100-half|100-full|

1000-half|1000-full>

Context

Ethernet Port Configuration

context.

Usage Set port speed and duplex modes. ”auto” means auto-negotiate, other modes are static configurations specifying 10, 100 or 1000 Mbit/s, and half or full duplex.

”no speed-duplex” will revert to default configuration for the speed-duplex setting, i.e., ”speed-duplex auto”.

Use ”show speed-duplex” to show the port’s speed/duplex setting.

Default values auto

Error messages An attempt to set a port speed not available for this specific port type will render an error message, including information of available port speeds.

184

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

8.3.5

Flow-control setting

Syntax [no] flow-control

Context

Ethernet Port Configuration

context.

Usage Enable or disable IEEE 802.3 flow-control. For full duplex links, flow control will utilise IEEE 802.3 pause frames, and for half duplex links a technique known as back-pressure is used.

The flow control setting is only valid when the speed-duplex mode is set to

”auto”, see

section 8.1.2

.

Use ”show flow-control” to show the port’s flow-control setting.

Default values Disabled (no flow-control)

8.3.6

Port priority setting

Syntax [no] priority <0-7>

Context

Ethernet Port Configuration

context (also available in

SHDSL Port Configuration

and

xDSL Port Configuration

for products with DSL ports)

Usage Set the (IEEE 802.1p) priority associated with the port. Packets coming in on this port will receive this priority unless priority is based on VLAN ID,

VLAN tag or IP ToS/DiffServ bits.

”no priority” will revert to default configuration for the port priority setting, i.e., ”priority 0” (zero).

Use ”show priority” to show the port’s priority setting.

Default values 0 (zero)

8.3.7

Set port priority mode

Syntax [no] priority-mode <tag|ip|port>

Context

Ethernet Port Configuration

context (also available in

SHDSL Port Configuration

and

xDSL Port Configuration

for products with DSL ports)

© 2015 Westermo Teleindustri AB

185

Westermo OS Management Guide

Version 4.17.1-0

Usage Base priority classification for this port on content of VLAN tag (IEEE

802.1p priority bits), content of IP ToS/Diffserv bits, or the port priority configured for this port.

Note

VLAN priority settings (see

section 13.4

) will have precedence over port

priority mode settings.

tag (Default) The packet’s priority is based on the content of the VLAN tag

(802.1p priority bits) of the incoming packet. For packets coming in

untagged, the priority is based on the priority associated with the port, see

section 8.3.6

.

ip The packet’s priority is based on the content of the IP ToS/Diffserv bit of the incoming packet. For non-IP packets coming in on the port (e.g.,

ARP packets), the priority is based on the priority associated with the port, see

section 8.3.6

.

port The packet’s priority is based on the priority associated with the port, see

section 8.3.6

.

Use ”show priority-mode” to show the port’s ”priority mode” setting.

Default values tag

8.3.8

Link alarm

Syntax [no] link-alarm

Context

Ethernet Port Configuration

context (also available in

SHDSL Port Configuration

and

xDSL Port Configuration

for products with DSL ports)

Usage Use ”link-alarm” to enable and ”no link-alarm” disable link-alarm for this port. When enabled, an alarm indication is activated when the link is down.

”show link-alarm” to show the port’s link-alarm setting.

Default values Disabled (”no link-alarm”)

186

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

8.3.9

Inbound rate limiting

Syntax [no] rate-limit <64-1000000> [match <TYPE>[,<TYPE>,...]]

Context

Ethernet Port Configuration

context (also available in

SHDSL Port Configuration

and

xDSL Port Configuration

for products with DSL ports)

Usage Configure inbound rate limit in kbit/s. It is also possible use ISO modifiers k/M/G, e.g., 256k or 10M as specifiers for kbit/s and Mbit/s.

Note

Set values are rounded off to the nearest possible HW setting.

Optionally packet TYPE may be specified using one or more of the specifiers

”all” (all types), ”bc” (broadcast), ”mc” (multicast) or ”u-uni” (unknown unicast) in any combination. If no TYPE is specified (or if the specifier ”all” is given) all packets will be rate limited.

Note

All WeOS products except RedFox and RedFox Industrial Rack support any combination of types. As stated in

section 8.1.6.1

, the traffic type

selection on RedFox and RedFox Industrial Rack implicitly adds ”bc” if

”mc” is specified, and adds both ”bc,mc” if ”u-uni” is specified.

Use ”no rate-limit” to disable inbound rate limiting.

Use ”show rate-limit” to show the port’s inbound rate limit setting.

Default values Disabled (”no rate-limit”)

8.3.10

Outbound traffic shaping

Syntax [no] traffic-shaping <<64-1000000>|<7700-1488000> fps>

Context

Ethernet Port Configuration

context (also available in

SHDSL Port Configuration

and

xDSL Port Configuration

for products with DSL ports, albeit not fps)

Usage Configure outbound traffic shaping in kbit/s or frames per second. It is also possible use ISO modifiers k/M/G, e.g., 256k or 10M as specifiers for kbit/s and Mbit/s.

© 2015 Westermo Teleindustri AB

187

Westermo OS Management Guide

Version 4.17.1-0

Note

Set values are rounded off to the nearest possible HW setting.

Use ”no traffic-shaping” to disable outbound traffic shaping.

Use ”show traffic-shaping” to show the port’s outbound traffic shaping setting.

Default values Disabled (”no traffic-shaping”)

8.3.11

Cable crossover setting

Syntax [no] mdix-mode <auto|mdi|mdix>

Context

Ethernet Port Configuration

context.

Usage Configuration of Cable Crossover setting. ”auto” means automatic crossover mode, ”mdix” sets port to crossover mode (MDIX) and ”mdi” sets port to

MDI mode. This command is not valid for fibre ports.

”no mdix-mode” resets the MDIX mode to the default setting (”auto”).

Use ”show mdix-mode” to show the port’s cable crossover setting.

Default values auto.

8.3.12

Adapting PHY Receiver to Shielded or Unshielded Cable

Syntax [no] shielded

Context

Ethernet Port Configuration

context.

Usage Fine tune the PHY receiver to the cable characteristics of shielded or unshielded TP cables. This setting applies to 10/100 Base-TX ports, excluding

SFP/SFF ports as well as ports also capable of 1000 Mbit/s speeds.

Use ”shielded” to adapt the PHY receiver to the use of shielded TP cables.

Use ”no shielded” to adapt the PHY receiver to the use of unshielded TP cables.

188

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Note

This setting is only expected to be used by customers with special requirements - the default setting should be sufficient for most use cases.

Use ”show shielded” to show the port’s ”shielded” setting.

Default values Unshielded (no shielded).

8.3.13

Enable/disable Low Power Mode on TX Data Signalling

Syntax [no] low-power

Context

Ethernet Port Configuration

context.

Usage It possible to select between two signal power modes on the Ethernet data signalling pins for 10/100 Base-TX ports. (This setting applies to 10/100

Base-TX ports, excluding SFP/SFF ports as well as ports also capable of 1000

Mbit/s speeds.)

The low-power mode is sufficient in most use cases, but for long cables or cables with specific characteristics it may be necessary to disable low-power

mode.

Use ”low-power” and ”no low-power” respectively to enable/disable lowpower mode on this Ethernet port.

Note

This setting is only expected to be used by customers with special requirements - the default setting should be sufficient for most use cases.

Use ”show low-power” to show whether the PHY (TX Data Signalling) lowpower mode is enabled or disabled.

Default values Low-Power (low-power).

8.3.14

Fallback default VLAN

Syntax [no] default-vid <VLAN_ID>

Context

Ethernet Port Configuration

context (also available in

SHDSL Port Configuration

and

xDSL Port Configuration

for products with DSL ports)

© 2015 Westermo Teleindustri AB

189

Westermo OS Management Guide

Version 4.17.1-0

Usage Configuration of (fallback) default-VID for this port. The default-VID configuration is only valid when this port is not configured ”untagged” on any

VLAN.

Use ”no default-vid” to clear the (fallback) default VID setting (the default-

VID setting will also be cleared whenever the port is associated ”untagged” with any VLAN).

When cleared (”no default-vid”), VLAN ID 1 will be used as the port’s fallback default-VID.

For more information see

section 8.1.10

.

Use ”show default-vid” to show the port’s ”fallback default-VID” setting.

Default values Disabled/cleared (no default-vid).

8.3.15

Show port status (all ports)

Syntax show ports

Context

Admin Exec

context

Usage Show Port status information for all ports.

Default values Not applicable.

190

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 9

Ethernet Statistics

A set of per port Ethernet statistic counters are available via the Web and via the

CLI. Most of these counters correspond to standard SNMP MIB Ethernet statistics counters from the RMON MIB (RFC 2819), the Interface MIB (RFC 2863) and the

Ether-Like MIB (RFC 3635)

1

. For more information about WeOS SNMP support,

see

chapter 6 .

Section 9.1

gives a general introduction to the Ethernet statistic counters available via Web and CLI.

Sections 9.2

and

9.3

present use of Ethernet statistics via the Web and CLI respectively.

9.1

Ethernet Statistics Overview

The table below provides a summary of the available Ethernet statistics counters.

Sections 9.1.1

-

9.1.8

give more detailed information on their meaning.

Web

CLI

Description Feature

Inbound

Total Bytes

Bytes Good

Bytes Bad

Mean rate

X (X)

X

X

X

2

Section 9.1.1

-”-

-”-

-”-

Continued on next page

1

The Ether-Like MIB is currently not supported in WeOS.

© 2015 Westermo Teleindustri AB

191

192

Westermo OS Management Guide

Version 4.17.1-0

Feature

Total Good Packets

Unicast

Multicast

Broadcast

Pause frames

Size statistics

Dropped

Filtered

Discarded

Erroneous

Undersize

Oversize

Fragments

Jabber

Checksum

PHY Error

Continued from previous page

Web

CLI

Description

X

X

X

(X)

2

X

X

Section 9.1.2

-”-

-”-

X

X

X

X

X

X

X

X

X

X

X

(X)

2

X

X

-”-

-”-

-”-

X

Section 9.1.3

-”-

-”-

Section 9.1.4

-”-

X

X

-”-

-”-

-”-

X

X

-”-

-”-

Outbound

Total Bytes

Mean rate

Total Packets

Unicast

Multicast

Broadcast

Pause frames

Dropped

Filtered

Collisions and Busy Medium

Single

Multiple

Excessive

Late

Other collisions

Deferred

X

(X)

2

X

X

X

X

X X

X

X

X

X

X

Section 9.1.5

X

(X)

2

Section 9.1.6

X

X

X

X

-”-

-”-

-”-

-”-

X

(X)

X

2

Section 9.1.7

-”-

Section 9.1.8

-”-

-”-

-”-

-”-

-”-

-”-

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

9.1.1

Inbound Byte Counters

A set of byte counters (i.e., octet counters) are provided. The number of good bytes is also used to compute a rough estimation of the current inbound data rate.

Bytes Good The number of good bytes/octets received on a port, i.e., the sum of the length of all good Ethernet frames received.

Bytes Bad The number of bad bytes/octets received on a port, i.e., the sum of the length of all bad Ethernet frames received.

Total Bytes The sum of good and bad bytes received on a port (see above).

This would correspond to the RMON MIB etherStatsOctets and the Interface

MIB ifHCInOctets objects.

Mean Rate Rough estimation of the current data rate based on the number of good bytes received during a time interval (2 seconds).

9.1.2

Inbound Counters of Good Packets

The following per port counters for good inbound Ethernet packets are provided.

Unicast packets The number of good packets with a unicast MAC address received on the port.

This would correspond to the Interface MIB ifInUcastPkts object.

Multicast packets The number of good packets with a group MAC address (excluding broadcast) received on the port.

This would correspond to the RMON MIB etherStatsMulticastPkts and the

Interface MIB ifInMulticastPkts objects, except that Pause frames (see below) are not included.

Broadcast packets The number of good packets with a broadcast MAC address received on the port.

This would correspond to the RMON MIB etherStatsBroadcastPkts and the

Interface MIB ifInBroadcastPkts objects.

Pause Frames The number of good flow control packets received.

2

Counters listed within parenthesis (i.e., as ’(X)’) are provided implicitly.

© 2015 Westermo Teleindustri AB

193

Westermo OS Management Guide

Version 4.17.1-0

Packet Size Statistics Counters for good Ethernet packet of the following size intervals are provided: 64 bytes, 65-127 bytes, 128-255 bytes, 256-511 bytes, 512-1023 bytes, and 1024-MAXPKTSIZE bytes, where MAXPKTSIZE is

1632.

These size intervals match the corresponding RMON statistics counters, except for the MAXPKTSIZE (1632 instead of 1518).

9.1.3

Dropped Inbound Packets

Counters for two types of dropped inbound packets are provided. Note, these packets are good Ethernet packets, but are dropped due to the reasons given below.

Filtered Inbound packets dropped due to VLAN mismatch or because the port was in LEARNING, LISTENING or BLOCKING state.

Discarded Packets dropped due to lack of buffer space.

9.1.4

Erroneous Inbound Packets

The following counters for received erroneous packets are provided:

Undersized packet Number of packets smaller than 64 bytes, and with a valid

FCS.

This corresponds to the RMON MIB etherStatsUndersizePkts object.

Oversized packet Number of packets larger than 1632 bytes, and with a valid

FCS.

This corresponds to the RMON MIB etherStatsOversizePkts object, except for the used MAXPKTSIZE (1632 instead of 1518 bytes).

Fragmented packet Number of packets smaller than 64 bytes, with an invalid

FCS.

This corresponds to the RMON MIB etherStatsFragments object.

Jabber Number of packets larger than 1632 bytes, and with an invalid FCS.

This corresponds to the RMON MIB etherStatsJabbers object, except for the used MAXPKTSIZE (1632 instead of 1518 bytes).

Checksum/FCS Error Packets of valid length (64-1632), but with an incorrect

FCS.

194

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

This corresponds to the RMON MIB etherStatsCRCAlignErrors object, except for the used MAXPKTSIZE (1632 instead of 1518 bytes).

PHY Error Signal Number of received packets generating a receive error signal from the Ethernet PHY. (Referred to as InMacRcvErr in the CLI port statistics list)

9.1.5

Outbound Byte Counters

A single outbound byte/octet counter, Outbound Bytes, is provided. It represents the sum of the length of all Ethernet frames sent on the port. This would correspond to the Interface MIB ifHCOutOctets object.

The number of Outbound bytes is also used to calculate a rough estimation of the current sending data rate (Mean Rate, i.e., the number of bytes sent during a time interval (2 seconds).

9.1.6

Outbound Packets Counters

The following per port counters for outbound Ethernet packets are provided.

Unicast packets The number of packets with a unicast destination MAC address sent on the port.

This would correspond to the Interface MIB ifOutUcastPkts object.

Multicast packets The number of packets with a group destination MAC address (excluding broadcast) sent on the port.

This would correspond to the Interface MIB ifOutMulticastPkts objects, except that Pause frames (see below) are not included.

Broadcast packets The number of packets with a broadcast destination MAC address sent on the port.

This would correspond to the Interface MIB ifOutBroadcastPkts objects.

Pause Frames The number of flow control packets sent.

© 2015 Westermo Teleindustri AB

195

Westermo OS Management Guide

Version 4.17.1-0

9.1.7

Dropped Outbound Packets

The counter for a single type of dropped outbound packets is described here

(there is also a second kind, see excessive collisions in

section 9.1.8

).

Filtered Outbound packets dropped outbound policy rules or because the port was in LEARNING, LISTENING or BLOCKING state.

9.1.8

Outbound Collision and Busy Medium Counters

The collision and busy medium counters described here are only relevant for half-duplex links.

Single Collisions The number of packets involved in a single collision, but then sent successfully.

This would correspond to the Ether-like MIB dot3StatsSingleCollisionFrames object.

Multiple Collisions The number of packets involved in more than one collision, but finally sent successfully.

This would correspond to the Ether-like MIB dot3StatsMultipleCollisionFrames object.

Excessive Collisions The number of packets failing (i.e., dropped) due to excessive collisions (16 consecutive collisions).

This would correspond to the Ether-like MIB dot3StatsExcessiveCollisions object.

Late Collisions The number of collisions detected later than a 512-bits time into the packet transmission.

This would correspond to the Ether-like MIB dot3StatsLateCollisions object.

Other Collisions Other collisions than single, multiple, excessive or late collisions discovered on a port.

Total Collisions Computed as the sum of single, multiple, excessive, late and

other collisions.

Deferred (busy medium) The number of packets experiencing a busy medium on its first transmission attempt, and which is later sent successfully, and without experiencing any collision.

This would correspond to the Ether-like MIB dot3StatsDeferredTransmissions object.

196

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

9.2

Statistics via the web interface

Statistics shown in the web administration tool has two views. An overview with a selection of statistics for all ports, including some status information (e.g. if port is blocking or forwarding), and a detailed page with a larger set of statistics.

Note that collection of statistics is started by the first access to the statistics page, and will be halted after a short period of time (to save resources) if no one requests the statistic data. This has the effect that you may need to enter the page once again, by e.g. clicking the menu item, to ensure you are presented to updated statistics data.

9.2.1

Statistics Overview

Menu path: StatusPort

On the port statistics overview page you will be presented to a selection of static data for each port. Additional statistic numbers are presented on the detailed view page.

© 2015 Westermo Teleindustri AB

197

Westermo OS Management Guide

Version 4.17.1-0

Alarm

Port

Link

An alarm icon appears at the start of a line if there is a link alarm on a port.

The port label.

The status of the link. Up or down.

State

FORWARDING

Unit forwards packets. Normal operation.

LEARNING

The port is preparing itself for entering FORWARDING state.

BLOCKING

Unit does not forward any packets.

DISABLED

Port does not participate in operation.

Speed / Duplex

The current speed and duplex negotiated or set on the port.

Total Bytes In

Total number of bytes received on the port.

Total Bytes Out

Total number of bytes sent out on the port.

FCS Errors

Total number of inbound packets with check sum error received on the port.

Details

Auto Refresh

Refresh

Clear All

Click this icon to view more detailed statistics for the port.

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds.

Click Off to turn off auto refresh.

Click on this button to reload with updated statistics.

Clear all statistics counters for all ports.

198

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

9.2.2

Detailed Statistics

Menu path: Status Port

When clicking the details-icon in the overview page you will be presented to the detailed statistics page for the port.

© 2015 Westermo Teleindustri AB

199

Westermo OS Management Guide

Version 4.17.1-0

Link Status

Status of link (Up/Down). If a link-alarm is associated with this port, an alarm icon is displayed if the link-alarm is active.

Total Bytes

Broadcast Packets

Multicast Packets

Total number of bytes received (inbound) or transmitted (outbound) on this port.

Total number of good broadcast packets received

(inbound) or transmitted (outbound) on this port.

Total number of good multicast packets received (inbound) or transmitted (outbound) on this port.

Unicast Packets

Dropped Packets

Fragments

Oversize

Total number of good unicast packets received (inbound) or transmitted (outbound) on this port.

Total number of packets received that have been discarded.

Total number of fragmented packets received on this port.

Total number of oversized packets received on this port.

Undersize

Jabber

Frame Checksum

Total number of undersized, but otherwise well formed, packets received on this port.

Total number of packets received on this port larger than the network segment’s maximum transfer unit

(MTU).

Total number of packets received on this port with checksum error.

Traffic Size, Inbound

Number of octets received in different size categories.

Total Collisions

Total number of collisions detected on this port (sum of single, multiple, excessive, late, and other collision counters).

Single Collisions

The number of packets involved in a single collision, but then sent successfully.

Multiple Collisions

The number of packets involved in more than one collision, but finally sent successfully.

Excessive Collisions

The number of packets failing (i.e., dropped) due to excessive collisions (16 consecutive collisions).

Continued on next page

200

© 2015 Westermo Teleindustri AB

Late Collisions

Other collisions

Deferred

Filtered

Auto Refresh

«Previous

Next»

Refresh

Clear Port

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

The number of collisions detected later than a 512-

bits time into the packet transmission.

Other collisions than single, multiple, excessive or

late collisions discovered on a port.

The number of packets experiencing a busy medium on its first transmission attempt, and which is later sent successfully, and without experiencing any collision.

Outbound packets dropped outbound policy rules or because the port was in LEARNING, LISTENING or

BLOCKING state.

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh.

Goto statistics for previous port.

Goto statistics for next port.

Click on this button to reload with updated statistics.

Clear all statistics counters for the port shown.

© 2015 Westermo Teleindustri AB

201

Westermo OS Management Guide

Version 4.17.1-0

9.3

Statistics via the CLI

The table below shows statistic features available via the CLI.

Command

rmon statistics [PORT] clear-stats [PORT] show rmon [PORT]

Default Section

Section 9.3.1

Section 9.3.2

Section 9.3.3

Section 9.3.4

9.3.1

Managing Ethernet Statistics

Syntax rmon

Context

Admin Exec

context

Usage Enter Ethernet statistics context (

RMON Statistics

context). WeOS starts gathering statistics when this command is issued, thus there is a 2 seconds delay before the RMON context is entered.

Default values Not applicable.

9.3.2

List Current Ethernet Statistics

Syntax statistics [PORT]

Context

RMON Statistics

context

Usage Show Ethernet statistics. If no PORT is given (”statistics”, a summary of statistics for all Ethernet ports is presented.

If a PORT is given as argument (e.g., ”statistics 1/1”) detailed statistics for that port is presented.

For information about what the different statistics counters represent, see

section 9.1

.

Default values If no PORT argument is given, a summary of statistics for all

Ethernet ports is presented.

202

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

9.3.3

Clear Ethernet Statistics

Syntax clear-stats [PORT]

Context

RMON Statistics

context

Usage Clear Ethernet statistic counters. If no PORT is given (”clear-stats”, counters for all Ethernet ports are cleared.

If a PORT is given as argument (e.g., ”clear-stats 1/1”) the counters for that port are cleared.

Default values If no PORT argument is given, counters for all Ethernet ports are cleared.

9.3.4

Show Ethernet Statistics

Syntax show rmon [PORT]

Context

Admin Exec

context. Also available as ”show [PORT]” command within the

RMON Statistics

context.

Usage Show Ethernet statistics. This command provides the same information

as the ”statistics” command ( section 9.3.2

). The only difference is that

the ”show rmon [PORT]” command is available from the

Admin Exec

context.

If no PORT is given (”show rmon”, a summary of statistics for all Ethernet ports is presented.

If a PORT is given as argument (e.g., ”show rmon 1/1”) detailed statistics for that port is presented.

For information about what the different statistics counters represent, see

section 9.1

.

Default values If no PORT argument is given, a summary of statistics for all

Ethernet ports is presented.

© 2015 Westermo Teleindustri AB

203

Westermo OS Management Guide

Version 4.17.1-0

Chapter 10

SHDSL Port Management

Wolverine family switches (DDW225/DDW-226/DDW-142/DDW-142-485) are equipped with two SHDSL ports (Symmetric High-speed Digital Subscriber Line), enabling

LAN networks to be extended over legacy copper cabling.

10.1

Overview of SHDSL Port Management

10.1.1

SHDSL overview

With SHDSL Ethernet LANs can be extended over legacy copper cabling. Switches can be connected in a simple point-to-point setup, but also in multi-drop and ring topologies, as shown in

fig. 10.1

.

In a SHDSL connection, the port on one unit shall be configured as Central Of-

fice (CO) and the port on the other unit as Customer Premises Equipment (CPE).

SHDSL ports are named according to the name convention described in

section 8.1.1

). By default 1/1 or DSL 1 is configured as CPE while the 1/2 (or DSL 2)

is configured as CO.

SHDSL support in WeOS is based on Ethernet First Mile (EFM) technology, and

SHDSL can to a large extent be treated in the same way as Ethernet ports, e.g.,

you can add SHDSL ports to VLANs ( chapter 13 ), you can run link-layer redun-

dancy protocols such as FRNT ( chapter 14

) and RSTP ( chapter 16 ) over them,

etc. Settings specific to SHDSL ports are described in

section 10.1.2

while port settings of more general nature is covered in

section 10.1.3

.

204

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Feature

CO/CPE mode selection

DSL link rate

DSL noise margin

G.HS threshold

PAF

Low-Jitter

EMF

Web

CLI

General Description

X

X

X

X

X

X

X

X

X

X

X

X

Section 10.1.1

Section 10.1.1

Section 10.1.1

Section 10.1.2

Section 10.1.2

X

Section 10.1.2

X

Section 10.1.2

-

-

-

10.1.2

10.1.2

10.1.2

Settings in common with Ethernet ports

Enable/disable port

Port priority (level)

Port priority mode

Link alarm

Inbound rate limit

Outbound traffic shaping

Fall-back default-VID

X

X

X

X

X

X

X

Section 10.1.3

X

Section 10.1.3

X

Section 10.1.3

X

Section 10.1.3

X

Section 10.1.3

X

Section 10.1.3

X

Section 10.1.3

View DSL port configuration

View DSL port status

X

X

X

X

10.1.2

Settings specific to SHDSL ports

ˆ Port role: One unit shall be configured as Central Office (CO) and the other unit as Customer Premises Equipment (CPE). CO is the answering central unit. CPE (Customer Premises Equipment) is the unit that initiates the connection. In WeOS the SHDSL ports are named 1/1 and 1/2 in products with slot based numbering and DSL 1 and DSL 2 in products with simple port numbering: by default 1/1 (or DSL 1) is configured as CPE and 1/2 or DSL 2 configured as CO.

ˆ Data rate: For a regular SHDSL connection, data rates can be achieved in the range from 192 kbit/s up to 5696 kbit/s depending on cable characteristics and communication distance. For products supporting turbo-SHDSL, data rates from 32 kbit/s up to 15304 kbit/s are possible. When using PAF in

DDW-142 (and DDW-142-485), data rates up to 30608 kbit/s are possible.

© 2015 Westermo Teleindustri AB

205

Westermo OS Management Guide

Version 4.17.1-0

1/1 DSL 1/2

Ethernet

1/1 DSL 1/2

Ethernet

1/1 DSL 1/2

Ethernet a) point−to−point topology

DSL

Ethernet

1/2

1/1

1/1

1/2

DSL

Ethernet b) point−to−point topology, 2 bonded SHDSL channels

1/1 DSL

Ethernet

1/2 1/1 DSL 1/2

Ethernet c) multi−drop topology

1/1 DSL 1/2

Ethernet

1/1 DSL 1/2

Ethernet

1/1 DSL 1/2

Ethernet

1/2 DSL 1/1

Ethernet

1/2 DSL 1/1

Ethernet d) ring topology (redundancy)

Figure 10.1: SHDSL topologies: Point-to-point (a), point-to-point, 2 bonded SHDSL channels (b), multi-drop (c) and ring (d).

Products with Turbo-speed support

Turbo-speed is supported on all DDW-226 and DDW-142/DDW-142-485

devices, and on all but the earliest DDW-225 devices. To see if your

DDW-225 unit supports turbo-speed SHDSL, inspect its article number, either by reading its attached label, or remotely by viewing the ”Status

⇒ System” Web page or by using the ”show system-information” command in the CLI. If the article number says ”3642-0230” the product lacks turbo-speed support. If it says ”3642-0250”, the product supports turbo-speed.

Turbo-speed data rates can only be achieved if the SHDSL devices at both ends of the connection have turbo-speed support.

206

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

The operator can either specify a fixed data rate to be used, or let the CO and CPE discover the achievable data rate automatically.

Using Auto mode will optimise the data rate for the current SNR conditions.

ˆ Noise margin: The noise margin is the difference between the required SNR for a certain bit rate, and the actual SNR.

When the SHDSL connection data rate is set to auto-negotiation mode, the operator can configure an administrative noise margin (also referred to as

target noise margin or target SNR margin). A large administrative noise

margin gives robustness against SNR fluctuations. But as the required SNR increases with data rate, specifying a a large administrative noise margin may imply that a low data rate is negotiated.

Thus, when configuring the administrative noise margin the operator can optimise the connection for reliability (noise margin 10dB), high speed (noise margin 3dB) or as a tradeoff thereof (normal mode, i.e., noise margin 6dB).

To monitor the quality of the connection, WeOS enables the operator to read the current noise margin.

ˆ G.HS Threshold: The G.HS threshold setting is only needed if the units are located in a noisy environment with SHDSL line cables of good quality, and where a connection can not even be established at SHDSL rate 192kbit/s.

The setting configures a higher threshold of the G.HS idle parameter in order to detect idle. The SHDSL line length capability will be affected, since the G.HS idle threshold and the G.HS signals meet earlier when the G.HS

Threshold is raised.

When enabling GHS threshold, possible settings include ’low(750)’, ’medium

(1500)’, ’high(3000)’ and a custom configured value.

Corresponding values to the fixed value settings are [low-750; medium-

1500; high-3000]. The custom configured value could be set in the range

[0-32767] in steps of 1.

ˆ PAF - PME Aggregation Function: PAF functionality is used to aggregate the 2

SHDSL ports on DDW-142 (and DDW-142-485) to achieve higher bandwidth.

The 2 "bonded" ports can reach rates from 64 kbit/s to 30,6 Mbit/s.

ˆ Low Jitter function: Low Jitter is a SHDSL port specific function that can be used in applications where high accuracy of the Ethernet packet jitter is needed. If enabled the jitter of the latency over the SHDSL link will be minimized.

© 2015 Westermo Teleindustri AB

207

Westermo OS Management Guide

Version 4.17.1-0

This functionality is using a different SHDSL mode compared to default setting, thus the Low Jitter configuration must be set on both SHDSL ports sharing the physical cable.

ˆ EMF - Emergency Freeze function: EMF enabled makes the unit detect exception situations on the SHDSL links. The detection will freeze the SHDSL transceiver parameters temporarily to keep the link up. With this function enabled the unit might avoid a complete SHDSL retrain that could take up to a minute. The unit may lose data even with EMF enabled, but only for a short period of time.

Note

Only the data rate and noise margin settings of the CO are used in the SHDSL connection. These parameters are passed to the CPE during the connection establishment phase.

10.1.3

General port settings

The following parameters can be configured for SHDSL ports in the same way as for Ethernet ports. The SHDSL uses Ethernet First Mile (EFM) encapsulation, thus many Ethernet settings apply to the SHDSL ports. More detailed information is found in

chapter 8 .

ˆ Port enable/disable: Ports can be disabled and enabled administratively.

ˆ Port priority mode: Define whether incoming packets should be prioritised based on VLAN tag, VLAN ID, port ID, IP ToS, etc. See also

section 8.1.4

.

ˆ Port priority (level): The inbound priority associated with this port. See also

section 8.1.4

.

ˆ Link alarm: Link status can be configured as an alarm source. See also

section 8.1.5

.

ˆ Inbound rate limit: Setting the inbound rate limit is possible on DSL ports, but is likely of less interest than on Ethernet ports, since the DSL data rates are primarily limited by the rate of the DSL line. See also

sections 8.1.6

and

10.1.2

.

ˆ Outbound traffic shaping: Setting the outbound rate limit (traffic shaping) is possible on DSL ports, but is likely of less interest than on Ethernet ports, since the DSL data rates are primarily limited by the rate of the DSL line.

208

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Furthermore, outbound traffic shaping in frames per second mode is not availble on DSL ports. See also

sections 8.1.7

and

10.1.2

.

ˆ Fall-back default-VID: The fall-back default VID setting is only of interest for the special case when untagged packets are received over a link only associated with tagged VLANs.

Ethernet settings for port speed/duplex mode, and MDI/MDIX mode do not apply to SHDSL ports, thus are not configurable.

Note

As of WeOS v4.17.1, enabling/disabling flow control (as described in section

section 8.1.3

) has no effect on SHDSL ports.

© 2015 Westermo Teleindustri AB

209

Westermo OS Management Guide

Version 4.17.1-0

10.2

Managing SHDSL ports via the web interface

The Web interface provides configuration of SHDSL ports as well as listing of

SHDSL port statistics.

The SHDSL statistics is provided in two views – an overview with a selection of statistics for all SHDSL ports, including some status information, and a detailed page with a larger set of statistics.

10.2.1

List and Edit SHDSL Port Settings

Menu path: Configuration Port SHDSL

On this page you can list and change the settings for the SHDSL ports.

PAF

Port

CO/CPE

PAF aggregates the 2 SHDSL ports to achieve higher bandwidth. The functionality demands that the rate do not differ more the 4 times between port 1 and 2 to ensure good performance. Note: This functionality is only available on DDW-142 and DDW-142-485. Check to enable, un-check to disable.

Default is Disabled.

The SHDSL port label.

To establish a connection between two DSL-ports, one has to be configured as Central Office (CO) and one has to be configured as Customer Premises Equipment (CPE).

Default for port 1/1 is CPE, and default for port 1/2 is CO.

Continued on next page

210

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

DSL Rate

Continued from previous page

Speed setting is only valid if the port is configured as CO (the

CPE rate setting is not used, since the CPE speed automatically follows the CO to which it becomes connected).

See

section 10.1.2

for information on using SHDSL-turbo speed data rates.

Default is Auto.

Mode

The noise-margin mode. The noise-margin mode setting is only valid if the port is configured as CO (the CPE setting is not used, since the CPE noise-margin mode automatically follows the CO to which it becomes connected).

The CO can be configured to choose a faster less reliable speed (High Speed), a slower more reliable speed (Reliable), or a tradeoff between these two objectives (Normal).

Default is Normal.

Link Alarm

When link alarm is enabled an alarm will be generated if port link is down. Alarms trigger an SNMP trap message to be sent and alarms to be shown on the administration web.

Edit

Click this icon to edit a port’s settings.

© 2015 Westermo Teleindustri AB

211

Westermo OS Management Guide

Version 4.17.1-0

10.2.2

Edit Port Settings

Menu path: Configuration Port SHDSL PortNo

On this page you can change the settings for the port.

G.HS Threshold

The G.HS Threshold setting is only needed if the unit are located in a noisy environment with SHDSL line cables of good quality and where a connection can not even be established at SHDSL rate 192kbit/s. The setting configures a higher threshold of the G.HS idle parameter in order to detect idle. The SHDSL line length capability will be affected, since the G.HS idle threshold and the G.HS signals meet earlier when the G.HS Threshold is raised.

When enabling G.HS Threshold, possible settings include

’low’, ’medium’ and ’high’.

Corresponding values to the fixed value settings are [low-

750; medium-1500; high-3000]

If a custom value is configured in CLI, it will be displayed in the drop-down list.

Default is Disabled

Continued on next page

212

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Low Jitter

Link Fault

Forward (LFF)

Emergency

Freeze EMF

Priority Mode

Continued from previous page

The Low Jitter mode can be enabled to minimize the jitter of the latency over the SHDSL link in applications where high accuracy of the Ethernet packet jitter is needed. This functionality is using a different SHDSL mode compared to default setting, thus the Low Jitter configuration must be set on both SHDSL ports sharing the physical cable.

Check to enable, un-check to disable.

Notice: Make sure that you have both line partners configured enabled or disabled.

Default is Disabled.

On devices with SHDSL ports, alarms can be triggered when the remote SHDSL switch indicates it has link down on its Ethernet port. That is, this feature can be used in topologies where an Ethernet is extended over an SHDSL link, and where the remote SHDSL switch (e.g. a DDW-

120) is able to signal that the Ethernet link is down on its side.

Check to enable, un-check to disable.

Default is Disabled.

EMF enabled makes the unit detect exception situations on the SHDSL links. The detection will freeze the SHDSL transceiver parameters temporarily to keep the link up.

With this function enabled the unit might avoid a complete SHDSL retrain that could take up to a minute. The unit may lose data even with this functionality enabled, but only for a short period of time.

Check to enable, un-check to disable.

Default is Enabled.

Here you select on what information priority will be based:

Port Based

Based on the port’s priority. See the next item (Priority).

IP

Based on the content of the IP ToS bits

(IPv4) or the IP TC bits (IPv6).

VLAN Tag

Based on the content of the (802.1p) priority field inside the received packet’s

VLAN tag.

Continued on next page

© 2015 Westermo Teleindustri AB

213

Westermo OS Management Guide

Version 4.17.1-0

Priority

Inbound Rate

Limit

Outbound

Traffic

Shape

Continued from previous page

The port’s priority level. Zero (0) is low priority and seven

(7) high priority.

Bandwidth limit for inbound traffic. Disabled means no limiting.

Bandwidth limit for outbound traffic. Disabled means no limiting.

214

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

10.2.3

SHDSL statistics Overview

Menu path: Status Port SHDSL

On the SHDSL port statistics overview page you will be presented to a selection of static data for each port. Additional statistic numbers are presented on the detailed view page.

Alarm

An alarm icon appears at the start of a line if there is a link alarm on a port.

Port

Negotiation

State

State

The port label. If PAF is configured, the background color of the port identifier is pink

Current state of the DSL-line negotiation.

Possible values are UP_DATA_MODE, INITIALISING, DOWN_READY and DOWN_NOT_READY. Note: if no link is established the normal state for a CO-mode configured port is

DOWN_NOT_READY, for a CPE-configured port the normal state is DOWN_READY.

FORWARDING

Unit forwards packets. Normal operation.

LEARNING

The port is preparing itself for entering

BLOCKING

FORWARDING state.

Unit does not forward any packets.

DISABLED

Port does not participate in operation.

Data Rate

Total Bytes In

Negotiated DSL data rate in bit/s.

Total number of bytes received on the port.

Total Bytes Out

Total number of bytes sent out on the port.

Details

Auto Refresh

Refresh

Click this icon to view more detailed statistics for the port.

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds. Click

Off to turn off auto refresh.

Click on this button to reload with updated statistics.

© 2015 Westermo Teleindustri AB

215

Westermo OS Management Guide

Version 4.17.1-0

10.2.4

Detailed SHDSL Port Statistics

Menu path: Status Port SHDSL

When clicking the details-icon in the overview page you will be presented to the detailed statistics page for the SHDSL port.

Link Status

Link Uptime

Status of link, (Up/Down). If a link-alarm is associated with this port, an alarm icon is displayed if the link-alarm is active.

The time since link was established.

Continued on next page

216

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Negotiation State

Data Rate

Continued from previous page

Current state of the DSL-line negotiation.

Possible values are UP_DATA_MODE, INITIALISING,

DOWN_READY and DOWN_NOT_READY. Note: if no link is established the normal state for a CO-mode configured port is DOWN_NOT_READY, for a CPEconfigured port the normal state is DOWN_READY.

Negotiated DSL data rate in bit/s.

Current SNR

Signal to Noise Ratio in dB on this link.

Margin

Negotiations

Total Bytes

Broadcast Packets

Clear Port

Number of negotiations since unit startup.

Total number of bytes received (inbound) or transmitted (outbound) on this port.

Total number of good broadcast packets received

(inbound) or transmitted (outbound) on this port.

Multicast Packets

Next>>

Total number of good multicast packets received (inbound) or transmitted (outbound) on this port.

Unicast Packets

Dropped Packets

Total number of packets received that have been discarded.

Traffic Size, Inbound

Number of octets received in different size categories.

Auto Refresh

Total number of good unicast packets received (inbound) or transmitted (outbound) on this port.

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh.

<<Previous

Goto statistics for previous port.

Goto statistics for next port.

Refresh

Click on this button to reload with updated statistics.

Clear all statistics counters for the port shown.

© 2015 Westermo Teleindustri AB

217

Westermo OS Management Guide

Version 4.17.1-0

10.3

Managing SHDSL ports via the CLI

The table below shows SHDSL port management features available via the CLI.

Command Default Section

Configure SHDSL port settings port [dsl|shdsl|. . . ] <PORTLIST>

[no] co

[no] speed <auto|auto-5696k|0-15304k> Auto

[no] noise-margin

[no] ghs-threshold <low|medium|high>

Section 10.3.1

Section 10.3.2

Section 10.3.3

Normal

Section 10.3.4

Disabled

Section 10.3.5

[no] paf

[no] low-jitter

[no] emf

Disabled

Section 10.3.6

Disabled

Section 10.3.7

Enabled

Section 10.3.8

Port settings in common with Ethernet ports ( chapter 8 )

[no] enable

[no] priority <0-7>

[no] priority-mode <tag|ip|port>

[no] link-alarm

[no] rate-limit <70-2560>

[no] traffic-shaping <70-2560>

[no] default-vid <VLAN_ID>

Enabled

0 tag

Section 8.3.3

Section 8.3.6

Section 8.3.7

Disabled

Section 8.3.8

Disabled

Section 8.3.9

Disabled

Section 8.3.10

Disabled

Section 8.3.14

Show SHDSL related status and statistics show <dsl|shdsl> show ports show rmon

Section 10.3.9

Section 8.3.15

Section 9.3

10.3.1

Managing SHDSL port settings

Syntax port [dsl|shdsl|...] <PORTLIST>

Context

Global Configuration

context

218

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Enter the

SHDSL Port Configuration

context.

A ”PORTLIST” is a comma separated list of ranges of SHDSL ports without intermediate spaces, e.g., ”1/1,1/2” on a slotted product, or ”1-3,5” on a

non-slotted product.

The port qualifier keyword ”shdsl” (or ”dsl”) is not needed if the numbers in the ”PORTLIST” are unique to DSL ports.

For a more general description of the ”port” command, see

section 8.3.1

.

Use ”show port [dsl|shdsl] [<PORT|PORTLIST>]” port configuration information of the given PORT or PORTLIST. Alternatively, the command ”show” can be run within the

SHDSL Port Configuration

context, to show the configuration of a port (or list of ports).

Default values Not applicable.

10.3.2

Setting SHDSL port mode (CO/CPE)

Syntax [no] co

Context

SHDSL Port Configuration

context

Usage Set the SHDSL port to operate in central office (CO) or customer premises

equipment (CPE) mode.

When connecting switches via SHDSL it is important that one side puts its

SHDSL port in CO mode (”co”) while the other side puts its SHDSL port in

CPE mode (”no co”).

Default values Factory default for DDW-225/226 is to have port 1/1 in CPE mode

(”no co”), and port 1/2 in CO mode (”co”). Factory default for DDW-142

(and DDW-142-485) is to have port DSL 1 in CPE mode (”no co”), and port

DSL2 in CO mode (”co”).

Use ”show co” to show whether the SHDSL port is configured to operate as

Central Office or Customer Premises Equipment.

10.3.3

Setting SHDSL port rate

Syntax [no] speed <auto|auto-5696k|0-5696k|0-15304k>

Context

SHDSL Port Configuration

context

© 2015 Westermo Teleindustri AB

219

Westermo OS Management Guide

Version 4.17.1-0

Usage Set SHDSL port rate, either bye specifying that auto-negotiation should be used, or that a specific fixed rate should be used. Only the ”speed” setting on the CO has affect on the established connection.

ˆ Auto-negotiate: Use ”speed auto”, ”speed 0”, or ”no speed” to let the rate be auto-negotiated between the SHDSL nodes in the extended

SHDSL range 32-15288 kbps on Turbo HW; if not Turbo HW the range is

192-5696 kbps.

Use ”speed auto-5696k” to let the rate be auto-negotiated in the standard SHDSL range 192-5696 kbit/s.

ˆ Fixed rate: Use ”speed RATE”, where RATE is in range ”1k-15304k” on products with Turbo-HW support, and in range ”1k-5096k” on products

without Turbo-HW support, to specify a fixed data rate in kbit/s. Alternatively, specify ”speed 1-15304000” and ”speed 1-5696000” respectively, to specify a fixed data rate in bit/s.

The following fixed rates are supported on all SHDSL products: 192k,

384k, 512k, 768k, 1024k, 1280k, 2048k, 2304k, 2688k, 3072k, 3456k,

3840k, 4224k, 4608k, 4992k, 5376k, and 5696k.

Products with Turbo-HW support the following additional fixed data rates:

32k, 64k, 128k, 6200k, 6712k, 7224k, 7736k, 8248k, 8760k, 9272k,

9784k, 10296k, 10808k, 11320k, 11832k, 12344k, 13112k, 13880k,

14648k and 15304k.

If other rates are specified, WeOS will round the value upwards to the nearest supported rate.

Use ”show speed” to show the SHDSL port’s rate setting.

Default values ”speed auto”

10.3.4

Setting SHDSL port noise-margin

Syntax [no] noise-margin <reliable|normal|high-speed [nonstrict]>

Context

SHDSL Port Configuration

context

Usage Set SHDSL port noise-margin. Note: The noise-margin setting is only relevant when the data rate is set to auto-negotiate (”rate 0”), see

section 10.3.3

).

Available noise-margin modes:

220

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Reliable: Select ”noise-margin reliable” to let the rate auto-negotiation optimise for reliability (rather than high data rate).

ˆ High-Speed: Select ”noise-margin high-speed” to let the rate autonegotiation optimise for high data rate (rather than reliability).

ˆ Normal: ”noise-margin normal” is the default setting for the noisemargin, which gives a tradeoff between reliability and high-speed. Alternatively, the command ”no noise-margin” can be used.

Using the parameter nonstrict after the selected noise-margin mode will configure the unit to a less strict algorithm during the connection phase. The resulting current SNR will not necessary match the configured noise-margin mode.

Use ”show noise-margin” to show the SHDSL port’s noise-margin setting.

Default values ”noise-margin normal”

Error messages None defined yet.

10.3.5

Setting SHDSL port G.HS Threshold

Syntax [no] ghs-threshold <low|medium|high>

Context

SHDSL Port Configuration

context

Usage Set SHDSL port to operate with new G.HS Threshold value. The G.HS

Threshold setting is only needed if the unit are located in a noisy environment with SHDSL line cables of good quality and where a connection can not even be established at SHDSL rate 192kbit/s, see

section 10.1.2

. The

setting configures a higher threshold of the G.HS idle parameter in order to detect idle. The SHDSL line length capability will be affected, since the G.HS

idle threshold and the G.HS signals meet earlier when the G.HS Threshold is raised.

When enabling G.HS Threshold, possible settings include”low”, ”medium”,

”high” and a custom configured value. Corresponding values to the fixed value settings are [low-750; medium-1500; high-3000].

The custom configured value could be set in the range [0-32767] in steps of

1.

Use ”no ghs-threshold” to disable the G.HS threshold.

© 2015 Westermo Teleindustri AB

221

Westermo OS Management Guide

Version 4.17.1-0

Use ”show ghs-threshold” to show the SHDSL port’s G.HS Threshold setting.

Default values Disabled (”no ghs-threshold”)

10.3.6

Setting SHDSL PAF mode

Syntax [no] paf

Context

SHDSL Port Configuration

context

Usage Set the SHDSL unit to operate in paf mode.

PAF aggregates the 2 SHDSL ports to achieve higher bandwidth. The functionality demands that the rate do not differ more than 4 times between port 1 and 2 to ensure good performance. Port 2 must be configured to the same role (CO/CPE) as port 1 to get the functionality working.

Note

This functionality is only available on DDW-142 and DDW-142-485.

Use ”show paf” to show whether PAF is enabled or not.

Default values Disabled

10.3.7

Setting SHDSL low jitter mode

Syntax [no] low-jitter

Context

SHDSL Port Configuration

context

Usage Set the SHDSL unit to operate in low jitter mode.

Low Jitter can be enabled to minimize the jitter of the latency over the

SHDSL link in applications where high accuracy of the Ethernet packet jitter is needed. This functionality is using a different SHDSL mode compared to default setting, thus the Low Jitter configuration must be set on both SHDSL ports sharing the physical cable.

Use ”show low-jitter” to show the SHDSL port’s low-jitter setting.

Default values Disabled

222

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

10.3.8

Setting SHDSL emergency freeze mode

Syntax [no] emf

Context

SHDSL Port Configuration

context

Usage Set the SHDSL unit to operate in emf mode.

EMF enabled makes the unit detect exception situations on the SHDSL links.

The detection will freeze the SHDSL transceiver parameters temporarily to keep the link up. With this function enabled the unit might avoid a complete

SHDSL retrain that could take up to a minute. The unit may lose data even with this functionality enabled, but only for a short period of time.

Use ”show emf” to show the SHDSL port’s emergency freeze setting.

Default values Enabled

10.3.9

Show SHDSL port status

Syntax show shdsl

Context

Admin Exec

context.

Usage Show the status of all SHDSL ports.

Default values Not applicable.

© 2015 Westermo Teleindustri AB

223

Westermo OS Management Guide

Version 4.17.1-0

Chapter 11

ADSL/VDSL Port Management

The Falcon-206 is equipped with a xDSL port, i.e., a port capable of operating in either ADSL or VDSL mode. Thus, the Falcon-206 can be used as customer premises equipment (CPE), acting either as switch or router, when connecting to an ISP over an ADSL or VDSL line.

This chapter describes how to setup and manage your xDSL port, as well as the most common configuration steps to connect to your ISP.

11.1

Overview of ADSL/VDSL Port Management

Feature

xDSL mode (ADSL/VDSL) xDSL carrier (POTS/ISDN)

External splitter (filter)

ADSL/ATM specific settings

ATM VPI/VCI

ATM Encapsulation

Restart/retrain xDSL link

View xDSL port configuration

View xDSL port status/statistics xDSL settings in common with Ethernet ports

ISP and network settings

Web

CLI

General Description

X

X

X

X

X

X

Section 11.1.1

Section 11.1.1

Section 11.1.1

X

X

X

X

X

X

X

X

X

X

X

X

X

X

Section 11.1.1

Section 11.1.1

Section 11.1.3

Section 11.1.1

,

-

-

11.1.2

11.1.2

11.1.4

224

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

11.1.1

ADSL/VDSL overview

A Falcon xDSL router is typically used as a broadband router ( fig. 11.1a

, when

connecting a private company network to the Internet via xDSL. An alternative is

to use Falcon as a xDSL/Ethernet bridge ( fig. 11.1b

), to connect a single PC or an

external (non-”xDSL capable”) router to the Internet.

Internet

(via ISP DSLAM)

ADSL/VDSL vlan1006 (pppoe0)

Router,

FW, NAT

Ethernet

Falcon vlan1

Company Private

Network

Internet

(via ISP DSLAM)

ADSL/VDSL vlan1

Switch

(Bridge)

Falcon

Ethernet vlan1

Router

OR single end device

External

Router

Company Private

Network a) Using Falcon as broadband router b) Using Falcon as switch (bridge)

Figure 11.1: Common ADSL/VDSL topologies: a) Using Falcon as broadband router, or b) using Falcon as on xDSL/Ethernet switch (bridge).

When connection your Falcon xDSL unit to your ISP, you may have to configure settings related to the xDSL port as well as IP settings specific to your xDSL provider. To configure your Falcon router for the first time, it is recommended to use the Web based Basic Setup Page, see

section 11.2.1

.

More information on xDSL settings is found below and in

sections 11.1.2

-

11.1.4

.

ˆ xDSL settings:

ADSL or VDSL: As the Falcon can be used both for ADSL and VDSL connections, you may have to configure the xDSL mode.

Default: ADSL

© 2015 Westermo Teleindustri AB

225

226

Westermo OS Management Guide

Version 4.17.1-0

POTS or ISDN carrier: Depending on the kind of telecom network used to carry your xDSL connection, you should configure the Annex setting accordingly: ”Annex A, I, L, and/or M” for POTS carrier networks, or ”Annex B or J” for ISDN carrier networks.

Further details on configuration of the Annex setting:

* Annex setting for ADSL over POTS: For ADSL over POTS carrier,

”Annex A” is base annex implicitly available. Other annexes for

POTS (I, L, M, N) are extensions to Annex A. You can specify to only use Annex A, or you can specify to use additional extensions:

· ”Annex A”: The WeOS unit announces capability of Annex A (ADSL over POTS). This is the default setting of ADSL.

· ”Annex I”: The WeOS unit announces capability of Annex A and I.

Annex I allows for additional encoding techniques for ADSL over

POTS.

· ”Annex L”: The WeOS unit announces capability of Annex A and L.

Annex I allows for additional frequency bands (at lower POTS frequency), and longer reach.

· ”Annex M”: The WeOS unit announces capability of Annex A and M.

Annex I allows for additional frequency bands (at higher POTS frequency).

· ”Annex L-M”: The WeOS unit announces capability of Annex A,

L and M.

* Annex setting for ADSL over ISDN: For ADSL over ISDN carrier,

”Annex B” is base annex implicitly available. Annex J is an extension to Annex B for ADSL over ISDN. You have the following configuration options:

· ”Annex B”: The WeOS unit announces capability of Annex B (ADSL over ISDN).

· ”Annex J”: The WeOS unit announces capability of Annex B and J.

Annex I allows for additional encoding techniques for ADSL over

ISDN.

* Annex setting for VDSL: For VDSL it is possible to let the WeOS unit automatically probe what carrier network is used (by choosing

”Annex A-B”); if this does not work to bring up the VDSL line, one

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 can manually try the individual settings ”Annex A” and ”Annex B” respectively.

Default: ADSL Annex A (ADSL over POTS)

Use of external Filter (Splitter) or not: If you wish to use your xDSL connection for regular phone calls, the Falcon xDSL port should (1) be connected to a splitter which in turn connects to the (first) telephone jack, and (2) the Falcon xDSL ”filter” setting should be enabled.

Otherwise, the Falcon xDSL port should (1) be connected directly to the

(first) telephone jack, and (2) the Falcon xDSL ”filter” setting should be disabled.

Default: Filter enabled (i.e., it is assumed the Falcon xDSL port is connected via a splitter)

ˆ ADSL specific settings: When using Falcon for ADSL (as opposed to VDSL), a few settings related to ADSL/ATM encapsulation and VPI/VCI may have to be set, see

section 11.1.2

below.

ˆ Use of PPPoE, DHCP or Static IP address assignment: xDSL providers use different schemes to assign IP addresses to their customers. These methods to assign an IP address are not specific to xDSL connections, thus are explained in detail in other chapters:

chapter 33

describes use of PPPoE, and

chapter 19

covers use of DHCP as well as static IP address assignment.

To simplify configuring IP settings appropriate for your xDSL subscription, the Falcon Web interface has a Basic Setup Page, see

section 11.2.1

.

For those who wish to configure Falcon via the CLI,

section 11.1.4

below provides useful information.

Default: DHCP (i.e., acquire your IP address from your ISP via DHCP)

ˆ VLAN settings: By factory default, the xDSL port will belong to VLAN 1006

(untagged), while all Ethernet ports will be belong to VLAN 1 (untagged).

If the Falcon is configured to act as xDSL/Ethernet Bridge via the Basic Setup

Page (see

section 11.2.1

), all ports (xDSL and Ethernet) will be mapped to

VLAN 1.

© 2015 Westermo Teleindustri AB

227

Westermo OS Management Guide

Version 4.17.1-0

11.1.2

ADSL specific settings

There are two types of ADSL specific xDSL settings, and both of them concern the use of ATM as ADSL carrier.

ˆ VPI and VCI: In WeOS you need to define the identifier of your ATM permanent virtual circuit (PVC) to your ADSL provider. This identifier contains two parts, the virtual path identifier (VPI) and the virtual circuit identifier (VCI).

What values to use depends on your ISP provider.

Default: VPI 8 and VCI 35

ˆ ATM Encapsulation: Falcon units support two ATM encapsulation modes:

”bridged LLC” and ”bridged VC-MUX” ([ 9 ]). Which setting to use depends

on your ISP provider.

Default: bridged LLC

There is also an additional ADSL related setting to specify if the ADSL is carried over a POTS telecom network (Annex A, I, L, or M), or an ISDN telecom network

(Annex B or J). However, as of WeOS v4.17.1 the ”annex” setting also applies to

VDSL, see

section 11.1.1

.

Default: Annex A (POTS)

11.1.3

xDSL settings in common with Ethernet ports

The following parameters can be configured for xDSL ports in the same way as for Ethernet ports. In WeOS, VDSL uses Ethernet First Mile (EFM) encapsulation, and ADSL uses ”bridged” LLC or VC-MUX encapsulation (see

section 11.1.2

), thus

many Ethernet settings apply to xDSL ports. More detailed information is found in

chapter 8 .

ˆ Port enable/disable: Ports can be disabled and enabled administratively.

ˆ Port priority mode: Define whether incoming packets should be prioritised based on VLAN tag, VLAN ID, port ID, IP ToS, etc. See also

section 8.1.4

.

ˆ Port priority (level): The inbound priority associated with this port. See also

section 8.1.4

.

ˆ Link alarm: Link status can be configured as an alarm source. See also

section 8.1.5

.

228

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Inbound rate limit: Setting the inbound rate limit is possible on DSL ports, but is likely of less interest than on Ethernet ports, since the DSL data rates are primarily limited by the rate of the DSL line. See also

sections 8.1.6

and

11.1.1

.

ˆ Outbound traffic shaping: Setting the outbound rate limit (traffic shaping) is possible on DSL ports, but is likely of less interest than on Ethernet ports, since the DSL data rates are primarily limited by the rate of the DSL line.

Furthermore, outbound traffic shaping in frames per second mode is not available on DSL ports. See also

sections 8.1.7

and

11.1.1

.

ˆ Fall-back default-VID: The fall-back default VID setting is only of interest for the special case when untagged packets are received over a link only associated with tagged VLANs.

Ethernet settings for port speed/duplex mode, and MDI/MDIX mode do not apply to xDSL ports, thus are not configurable.

Note

As of WeOS v4.17.1, enabling/disabling flow control (as described in section

section 8.1.3

) has no effect on xDSL ports.

11.1.4

Connecting to your ISP over an xDSL line

Recommendation: Use Basic Setup in Web

The simplest way to configure your Falcon unit to connect to your ISP is to use the Basic Setup web page, see

section 11.2.1

.

This section is intended (1) for those who wish to configure the Falcon via the CLI, and (2) for those looking for more background details on how to configure Falcon as an xDSL router or bridge.

This section describes the most common steps to configure your Falcon xDSL router to connect to your ISP. Although many configuration settings are affected, setting up your ISP should be straight-forward:

ˆ The factory default configuration of xDSL are adapted to using the Falcon as an xDSL router.

ˆ On the Falcon xDSL router, the web interface includes a basic setup page, for easy configuration of the most common use cases, see

section 11.2.1

.

© 2015 Westermo Teleindustri AB

229

Westermo OS Management Guide

Version 4.17.1-0

A common setup is use Falcon as broadband router when connecting your company network towards the Internet, see

fig. 11.2a

.

An alternative is to use the Falcon as a xDSL/Ethernet bridge to connect a single end device (such as a PC), or to use a separate router to connect your local network, as shown in

fig. 11.2b

.

Internet

(via ISP DSLAM)

Internet

(via ISP DSLAM)

ADSL/VDSL vlan1006 (pppoe0)

Router,

FW, NAT

Ethernet

Falcon vlan1

Company Private

Network

ADSL/VDSL vlan1

Switch

(Bridge)

Falcon

Ethernet

Router

OR single end device

External

Router vlan1

Company Private

Network a) Using Falcon as broadband router b) Using Falcon as switch (bridge)

Figure 11.2: Common ADSL/VDSL topologies: a) Using Falcon as broadband router, or b) using Falcon as an xDSL/Ethernet switch (bridge) with an external router (or single end-device such as a PC) behind.

Section 11.1.4.1

focus on using Falcon as a router, while

section 11.1.4.1

covers on how to use Falcon as a switch (bridge). Both sections assume you have configured the xDSL port settings appropriately for your xDSL subscription (see also

sections 11.1.1

and

11.1.2

).

11.1.4.1

Using Falcon as a Router

By factory default, Falcon is configured as a router:

ˆ Port Segmentation: The xDSL and Ethernet ports are mapped to two

VLANs.

230

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

WAN port: The xDSL port is mapped to VLAN 1006. VLAN 1006 had IGMP snooping disabled, thereby avoiding sending IGMP queries towards your

ISP.

Example

vlan 1006 untagged dsl 1 no igmp

...

LAN ports: The Ethernet ports are used as LAN ports, and are all mapped to the default VLAN, i.e., VLAN 1. VLAN 1 has the same factory default settings as other WeOS products.

Example

vlan 1 untagged eth 1-4 igmp

...

ˆ Network Interface Settings:

ˆ WAN interface: There are three methods to assign the IP address of the WAN interface, and which method to use depends on your xDSL Internet Service

Provider (ISP): (1) acquire it via DHCP, (2) configure a static IP address, or

(3) acquire the IP address via PPPoE. Each method is described below.

By default, Falcon is configured to acquire the WAN interface address via

DHCP.

1. Address via DHCP: The WAN interface will by default use DHCP to get its IP address automatically from the ISP. In addition, interface vlan1006

is assigned admin distance ”1” ( section 19.2.6

), in order to dynami-

cally learn default gateway, DNS server and other global information via DHCP. Management services such as SSH, HTTP (Web), etc. are by default disabled to avoid unauthorised access from the public Internet.

Example

iface vlan1006 inet dhcp distance 1 no management end

2. Static IP address: The WAN interface can be configured to get its IP address assigned statically. If your ISP provides this option, the ISP

© 2015 Westermo Teleindustri AB

231

232

Westermo OS Management Guide

Version 4.17.1-0 will inform you what address to use for your subscription. The example below uses address 192.168.5.4 and netmask 255.255.255.192 to illustrate the method.

Example

iface vlan1006 inet static distance 1 no management address 192.168.5.4/26 end

With static IP assignment you would also need to set the IP address of the default gateway and DNS server(s) (information provided by your

ISP). In the example below the default gateway has address 192.168.5.1, and a DNS server at 192.168.5.2.

ip

Example

route default 192.168.5.1

name-server 192.168.5.2

...

end

3. Address via PPPoE: Some ISPs use PPPoE for authorisation of, and IP address assignment to, their customers. To configure a WAN interface to use PPPoE, a PPPoE instance is created and mapped to the associated

VLAN interface (here vlan1006). This will in turn create a PPPoE interface (here pppoe0), which now acts as our WAN interface. The example below shows the default setting for the PPPoE interface; the admin

distance and management settings are automatically copied from the configuration of interface vlan1006.

Example

pppoe 0 iface vlan1006 ppp-advanced identity [email protected] password sEcReT end end

...

iface pppoe0 inet dynamic mtu 1492 tcp-mss 1412 distance 1 no management end

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

As interface pppoe0 is typically used as upstreams interface, the NAT settings should be adapted, see Routing, Firewall and NAT below.

ˆ LAN interface: The LAN interface vlan1 is by default assigned IP address

192.168.2.200. All management services are enabled on the LAN interface.

Example

iface vlan1 inet static distance 16 management ssh http https ipconfig snmp address 192.168.2.200/24 end

ˆ Routing, Firewall and NAT: Falcon by default has IP forwarding (routing) and NAT enabled. Thereby Falcon can to route packets between a private network on its LAN interface (vlan1) and the public Internet on its WAN interface.

The default firewall and NAT rules will block all incoming traffic on the WAN interface, except for packets belonging to established connections. (Such connections are in turn initiated from the private network, i.e., from the LAN side.) These settings are chosen to limit the risk for security attacks when connecting the Falcon to a public network such as the Internet.

Special firewall deny rules are set up for TCP and UDP port 53 (DNS). These are to prevent the Falcon to become an open DNS relay on the WAN side.

Open DNS relay is considered to be a security problem and can be used for remote attacks of the ISP’s DNS server. DNS relay is enabled on all interfaces and should be filtered away on all interfaces facing public networks. Normal

DNS traffic originating from the inside (from the LAN) will work as expected and is not affected by these rules.

ip

Example

forwarding firewall policy input DROP policy forward DROP filter allow in vlan1 proto icmp filter deny in vlan1006 dport 53 proto udp filter deny in vlan1006 dport 53 proto tcp nat type napt out vlan1006 addfilter enable end

© 2015 Westermo Teleindustri AB

233

Westermo OS Management Guide

Version 4.17.1-0

Adapting Firewall and NAT rules when using PPPoE

When PPPoE is used for WAN IP address assignment (see above), the firewall and NAT rules must be adapted accordingly, i.e., ”vlan1006” should be replaced by ”pppoe0” as shown in the example below.

ip

Example

forwarding firewall policy input DROP policy forward DROP filter allow in vlan1 proto icmp filter deny in pppoe0 dport 53 proto udp filter deny in pppoe0 dport 53 proto tcp nat type napt out pppoe0 addfilter enable end

ˆ Other Configurations: The items above cover the most important configuration settings when connecting a Falcon to your ISP. Notes on a few more settings are given below:

RSTP: Westermo switches running WeOS typically have RSTP enabled on all Ethernet and DSL ports. However, the xDSL port on Falcon have RSTP disabled by default. For more information on RSTP, see

chapter 16 .

VPN: Its possible to use the Falcon as a VPN gateway. For more information on configuring VPNs in WeOS, see

part IV .

DHCP Server: For information on how to make your Falcon act as DHCP server on your local network (vlan1), see

chapter 22 .

11.1.4.2

Using Falcon as a Switch (Bridge)

As shown in

fig. 11.2b

, it is possible to use the Falcon as a xDSL/Ethernet bridge.

That is, the xDSL port does not have to be used as a dedicated router port; instead the Falcon could switch packets between Ethernet and xDSL ports, given that they are mapped to the same VLAN (see

chapter 13 ).

Although it is possible to make the Falcon work as a regular WeOS switch, there are some differences:

ˆ Falcon is a router by default: All WeOS devices can be configured to act as

router or switch. The difference is that Falcon is configured as router in its

234

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 factory default setting (able to route between the WAN interface vlan1006 and the LAN interface vlan1, while other WeOS devices act as switches by default (all ports on VLAN 1).

ˆ Layer-2 Redundancy (RSTP/FRNT): As the xDSL port is used to connect to a xDSL provider (ISP), the remote end is managed by an external organisation.

Thus, layer-2 redundancy protocols such as RSTP and FRNT should not be used on the xDSL port; for FRNT this is prohibited, and for RSTP it is disabled by default.

The simplest way to configure your Falcon to act as a switch is by using the Basic

Setup Page in the Web interface ( section 11.2.1

). This way, all ports (Ethernet

and xDSL) will be mapped to VLAN 1. The Falcon will then be accessible via the default IP address (IP address 192.168.2.200, netmask 255.255.255.0) unless you have changed the IP settings of interface vlan1. As an alternative to using the

Basic Setup Page, you could achieve the corresponding result by removing VLAN

1006, either via the Web interface ( section 13.3

) or via the CLI ( section 13.4

) as

shown below.

Example

falcon:/#> show vlan

VID Name Oper Untagged/Tagged

---- ---------------- ---- ---------------------------------------------------

1 vlan1 DOWN U:eth 1-4

T:

1006 vlan1006 DOWN U:dsl 1

T:

-----------------------------------------------------------------------------falcon:/#>

© 2015 Westermo Teleindustri AB

235

Westermo OS Management Guide

Version 4.17.1-0

Example

falcon:/#> configure falcon:/config/#> no vlan 1006 falcon:/config/#> end

Port dsl 1 did not belong to any VLAN, setting as untagged in VLAN 1.

vlans: Problem activating settings.

There was some problem activating your configuration changes!

This could result in a non-functional system, continue anyway (y/N)? y

OK, accepting configuration anyway -- please review the running configuration.

Stopping DHCP Clients ...................................... [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

falcon:/#> show vlan

Press Ctrl-C or Q(uit) to quit viewer, Space for next page, <CR> for next line.

VID Name Oper Untagged/Tagged

---- ---------------- ---- ---------------------------------------------------

1 vlan1 UP U:ALL

T:

-----------------------------------------------------------------------------falcon:/#> cp running-config startup-config falcon:/#>

There are additional setting you may consider changing when running the Falcon as a switch:

ˆ Limit remote management: When the xDSL port is mapped to VLAN 1, the

Falcon will be open for remote management via the xDSL port just as it is via the Ethernet ports on VLAN 1.

This is usually no problem, as the Falcon by default is assigned the default IP address (192.168.2.200) on interface vlan1, and that address is not routable via the ISP. However, if limiting remote management is still a concern, you could, e.g., remove the IP address of interface vlan1. The Falcon can then be managed only via the console port (CLI) instead.

Example

falcon:/#> configure falcon:/config/#> iface vlan1 falcon:/config/iface-vlan1/#> inet static falcon:/config/iface-vlan1/#> show address

192.168.2.200/24 falcon:/config/iface-vlan1/#> no address falcon:/config/iface-vlan1/#> leave

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

falcon:/#>

ˆ As switch there is no firewall: Acting as a switch, the Falcon no longer serves as a firewall towards the Internet. You should therefore ensure that you

236

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 protect your local network, typically by running firewall in an external router

(or in a directly attached PC), see

fig. 11.2b

.

ˆ Disable IGMP Snooping: VLAN 1 has IGMP snooping enabled by default. This should be fine even when the xDSL port is on VLAN 1, however, if you have concerns about running IGMP snooping on a port towards your ISP you can disable IGMP snooping on VLAN 1.

Example

falcon:/#> configure falcon:/config/#> vlan 1 falcon:/config/vlan-1/#> no igmp falcon:/config/vlan-1/#> leave

Stopping IGMP Snooping daemon .............................. [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

falcon:/#>

ˆ Disable IP Forwarding: As long as all ports are mapped to VLAN 1, the Falcon will act as a switch, even though the IP forwarding configuration option is enabled. However, if you have concerns about having IP forwarding enabled, you can disable it.

If you use the Basic Setup Page in the Web interface ( section 11.2.1

) to

configure the Falcon as switch (bridge), IP forwarding will be disabled automatically.

Example

falcon:/#> configure falcon:/config/#> ip falcon:/config/ip/#> no forwarding falcon:/config/ip/#> leave

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

falcon:/#>

© 2015 Westermo Teleindustri AB

237

Westermo OS Management Guide

Version 4.17.1-0

11.2

Managing ADSL/VDSL ports via the web interface

The Web interface provides configuration of xDSL ports ( sections 11.2.1

-

11.2.3

)

as well as listing of xDSL port statistics.

The xDSL statistics is provided in two views – an overview with a selection of

statistics for all xDSL ports, including some status information ( section 11.2.4

),

and a detailed page with a larger set of statistics ( section 11.2.5

).

11.2.1

Basic Setup for Falcon DSL router

Menu path: Basic Setup

This feature requires a JavaScript enabled web browser. To simplify the setup of the Falcon unit for remote access, a basic setup page is provided with the most basic settings compiled into one view. In many cases this page may be sufficient for setting up the Falcon for remote access.

Note

When you enter the basic setup page and make changes to the configuration and press the apply button, some settings will be reset. See

section 11.2.1.1

below for more information.

Figure 11.3: Basic Setup Profile and Mode

To set up the switch using the Basic Setup, two fundamental settings have to be set first. These two settings control the other options displayed on the page.

WAN Profile

Router

The unit will be set up as a router with a firewall protecting the LAN side from the WAN side.

Bridged

The unit will act as a plain switch.

Continued on next page

238

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Router Mode

DHCP

PPPoE

Static

Continued from previous page

The WAN side will expect a DHCP-server to provide the switch with an IP address.

The WAN side will set up a PPPoE connection with the ISP to provide the internet connection.

The IP address, netmask and gateway will be manually entered.

The DHCP router mode (shown above) does not need any additional settings. The

Static IP and PPPoE router modes require additional settings as described below.

Irrespective of the selected router mode, you may also need to fill out ADSL/VDSL port settings, as shown at the end of this section.

Static IP Settings

Figure 11.4: Basic Setup Static IP

If the static IP mode is selected you are asked to fill in the following entries.

Address

The IPv4 address to assign to the interface.

Netmask

The netmask for the IPv4 address.

Identifies which IP addresses are located on the same subnet.

Continued on next page

© 2015 Westermo Teleindustri AB

239

Westermo OS Management Guide

Version 4.17.1-0

Default

Gateway

Continued from previous page

Statically configured default gateway of the unit. This is the

IP address of the gateway to send packages to when no more specific route can be found in the routing table. This value overrides any value retrieved dynamically (e.g. using DHCP).

Leave empty to enable dynamically retrieved gateway address or if no default gateway should be available.

PPPoE Settings

Figure 11.5: Basic Setup PPPoE

If the PPPoE mode is selected you are asked to fill in the following entries.

Username

The username provided by the PPPoE provider.

Password

The password provided by the PPPoE provider.

240

© 2015 Westermo Teleindustri AB

DSL Settings

Westermo OS Management Guide

Version 4.17.1-0

Figure 11.6: Basic Setup DSL settings

In addition you may have to change the DSL settings if they do not satisfy the requirements from your ISP, see

fig. 11.6

.

Mode

Specify whether the xDSL port should operate ADSL port or VDSL port. Default: ADSL

ATM encapsulation. Default: LLC

ATM

Encapsulation

ATM PVC

Framing

Annex

Filter

Set the appropriate VPI and VCI for the ATM PVC. Default:

VPI 8, VCI 35

Annex A or B can be set for either ADSL or VDSL mode.

Annex L, M, L-M, I and J can only be set for ADSL. The annex I and J options are extensions of ADSL annex A and B. The annex L and M options are extensions of ADSL annex A. The annex A-B option is only available for VDSL mode. Default: Annex A (POTS)

External splitter or not. POTS/ISDN filter. Default: Enabled

© 2015 Westermo Teleindustri AB

241

Westermo OS Management Guide

Version 4.17.1-0

11.2.1.1

Basic Setup Behavior

As noted above, some settings will be reset when applying the basic setup page.

This is what will happen:

ˆ When applying bridged profile:

All but one VLAN is removed and its interface settings are reset.

Details:

All VLANS are removed and VLAN 1 re-created. As a result of this, all advanced settings on VLAN 1 and it’s associated interface will be lost.

All ports are associated untagged to VLAN 1.

The firewall is removed.

IP-forwarding (routing) is turned off.

ˆ When applying a router profile:

All settings for LAN and WAN and its associated interfaces are reset. Firewall rules are reset. All existing PPPoE configurations are removed.

Details:

All VLANS are removed and VLAN 1 (LAN) and VLAN 1006 (WAN) recreated. As a result of this, all advanced settings on VLAN 1 and VLAN

1006 and their associated interfaces will be lost.

The DSL port is associated untagged to VLAN 1006 (WAN).

All remaining ports are associated untagged to VLAN 1 (LAN).

The firewall is removed and then re-created. This will result in loss of all current NAT, Port forwarding and Access rules.

IP-forwarding (routing) is turned on.

In addition for the DHCP and Static modes:

A NAT-rule for external interface VLAN 1006 (WAN) and internal VLAN 1

(LAN) is added.

Firewall filtering rules denying inbound UDP and TCP port 53 (DNS) are added for the external interface VLAN 1006 (WAN).

In addition for the PPPoE mode:

A PPPoE configuration is added.

242

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

A NAT-rule for the PPPoE interface (WAN) and internal VLAN 1 (LAN) is added.

Firewall filtering rules denying inbound UDP and TCP port 53 (DNS) are added for the PPPoE interface (WAN).

Note

Firewall filtering of inbound UDP and TCP port 53 is added to prevent the unit to become an open DNS relay on the WAN side.

Open DNS relay is considered to be a security problem and can be used for remote attacks of the ISP’s DNS server. DNS relay is enabled on all interfaces and should be filtered away on all interfaces facing public networks. Normal

DNS traffic originating from the inside (from the LAN) will work as expected and is not affected by these rules.

© 2015 Westermo Teleindustri AB

243

Westermo OS Management Guide

Version 4.17.1-0

11.2.2

List and Edit ADSL/VDSL Port Settings

Menu path: Configuration Port DSL

When entering the DSL configuration page you will be presented to a list of all

DSL ports available on your switch, see

fig. 11.7

.

Figure 11.7: DSL Port configuration settings overview

Alarm

Port

Enabled

Type

Link Alarm

Enabled

Edit

There is an active link alarm associated with the port.

Only shown if link alarm is enabled and the link is down.

The port label.

A green check-mark means the xDSL port is enabled, and a dash means it is disabled.

ADSL or VDSL

When link alarm is enabled an alarm will be generated if port link is down. Alarms trigger an SNMP trap message to be sent and alarms to be shown on the administration web. In the ports overview table a green check-mark means enabled, and a dash means disabled.

Click this icon to edit a port’s settings.

Restart

Click this icon to retrain the DSL ports.

To change the settings for a specific xDSL port you will have to click the edit icon which will take you to the DSL port setting edit page see

section 11.2.3

.

244

© 2015 Westermo Teleindustri AB

11.2.3

Edit xDSL Port Settings

Menu path: Configuration Port DSL

Westermo OS Management Guide

Version 4.17.1-0

Figure 11.8: DSL port configuration settings edit page

On this page you can change the settings for the xDSL port.

Enabled

Mode

Enable or Disable the port

Specify whether the xDSL port should operate ADSL port or VDSL port. Default: ADSL

ATM Encapsulation

ATM encapsulation. Default: LLC

ATM PVC Framing

Set the appropriate VPI and VCI for the ATM PVC. Default:

VPI 8, VCI 35

Continued on next page

© 2015 Westermo Teleindustri AB

245

Westermo OS Management Guide

Version 4.17.1-0

Annex

Filter

Priority Mode

Port Priority

Inbound Rate

Limit

Outbound Traffic

Shape

Link Alarm

Continued from previous page

Annex A or B can be set for either ADSL or VDSL mode.

Annex L, M, L-M, I and J can only be set for ADSL. The annex I and J options are extensions of ADSL annex A and B. The annex L and M options are extensions of ADSL annex A. The annex A-B option is only available for VDSL mode. Default: Annex A (POTS)

External splitter or not. POTS/ISDN filter. Default: Enabled

Here you select on what information priority will be based:

Port Based

Based on the port’s priority. See the next item (Priority).

IP

Based on the content of the IP ToS bits

(IPv4) or the IP TC bits (IPv6).

VLAN Tag

Based on the content of the (802.1p) priority field inside the received packet’s

VLAN tag.

The port’s priority level.

Bandwidth limit for inbound traffic

Bandwidth limit for outbound traffic

When link alarm is enabled an alarm will be generated if port link is down. Alarms trigger an SNMP trap message to be sent and alarms to be shown on the administration web.

246

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

11.2.4

ADSL/VDSL statistics Overview

Menu path: Status Port DSL

On the DSL port statistics overview page you will be presented to a selection of static data for each port. Additional statistic numbers are presented on the detailed view page.

Note: If only one DSL port is present in the unit, you will be redirected to the detailed statistics and status page.

Alarm

An alarm icon appears at the start of a line if there is a link alarm on a port.

Port

The port label.

Negotiation State

Current state of the DSL-line negotiation.

State

Link state

Downstream Rate

Negotiated DSL downstream rate in bit/s.

Upstream Rate

Negotiated DSL upstream rate in bit/s.

Total Bytes In

Total Bytes Out

Total number of bytes received on the port.

Total number of bytes sent out on the port.

Details

Auto Refresh

Refresh

Click this icon to view more detailed statistics for the port.

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds.

Click Off to turn off auto refresh.

Click on this button to reload with updated statistics.

© 2015 Westermo Teleindustri AB

247

Westermo OS Management Guide

Version 4.17.1-0

11.2.5

Detailed ADSL/VDSL Port Statistics

Menu path: Status Port DSL

If only one DSL port is present in the unit, or when clicking the details-icon in the overview page you will be presented to the detailed statistics page for the DSL port.

248

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Link Status

Link Uptime

DSL mode

Negotiation State

Negotiations

Remote Vendor Name

Identifier string of DSLAM vendor.

Rate

Negotiated DSL downstream and upstream rate in bit/s.

SNR (dB)

Upstream and Downstream Signal to Noise Ratio

(SNR) in dB on this link.

Line attn (dB)

Current state of the DSL-line negotiation.

Number of negotiations since unit startup.

Signal attn (dB)

Line attenuation is the loss of signal over distance, in dB, downstream and upstream.

Signal attenuation in dB, downstream and upstream.

Output power (dBm)

Traffic Counters

Output power in dBm, downstream and upstream.

See

section 9.2.2

for details.

Traffic Size, Inbound

Status of link, (Up/Down). If a link-alarm is associated with this port, an alarm icon is displayed if the link-alarm is active.

The time since link was established.

ADSL or VDSL

Auto Refresh

<<Previous

Next>>

See

section 9.2.2

for details.

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or

60 seconds. Click Off to turn off auto refresh.

Go to statistics for previous port. Only shown if more than one DSL port available.

Go to statistics for next port. Only shown if more than one DSL port available.

Refresh

Clear Port

Click on this button to reload with updated statistics.

Clear all statistics counters for the port shown.

© 2015 Westermo Teleindustri AB

249

Westermo OS Management Guide

Version 4.17.1-0

11.3

Managing ADSL/VDSL ports via the CLI

The table below shows xDSL port management features available via the CLI.

Command Default Section

Configure ADSL and VDSL port settings port [dsl|xdsl|. . . ] <PORTLIST>

Section 11.3.1

[no] mode <adsl [annex <a|b|i|j|l|m|l-m>] | adsl annex a

Section 11.3.2

vdsl [annex <a|b|a-b>]>

[no] filter Enabled

Section 11.3.3

ADSL specific port settings mode adsl

[no] encap <llc|vcmux>

[no] pvc <VPI/VCI> llc

8/35

Port settings in common with Ethernet ports ( chapter 8 )

[no] enable

[no] priority <0-7>

[no] priority-mode <tag|ip|port>

[no] link-alarm

[no] rate-limit <70-2560>

[no] traffic-shaping <70-2560>

[no] default-vid <VLAN_ID>

Enabled

0 tag

Disabled

Disabled

Disabled

Disabled

Show ADSL/VDSL related status and statistics show dsl show ports show rmon

Section 11.3.4

Section 11.3.5

Section 8.3.3

Section 8.3.6

Section 8.3.7

Section 8.3.8

Section 8.3.9

Section 8.3.10

Section 8.3.14

Section 11.3.6

Section 8.3.15

Section 9.3

11.3.1

Managing xDSL port settings

Syntax port [dsl|xdsl|...] <PORTLIST>

Context

Global Configuration

context

Usage Enter the

xDSL Port Configuration

context.

250

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

A ”PORTLIST” is a comma separated list of ranges of xDSL ports without intermediate spaces, e.g., ”1/1,1/2” on a slotted product, or ”1-3,5” on a

non-slotted product.

The port qualifier keyword ”xdsl” (or ”dsl”) is not needed if the numbers in the ”PORTLIST” are unique to DSL ports.

For a more general description of the ”port” command, see

section 8.3.1

.

Use ”show port dsl <PORT|PORTLIST>” or ”show port xdsl <PORT|

PORTLIST>” to list port configuration information for the given xDSL port(s).

Also available as ”show” command within the

xDSL Port Configuration

context.

Default values Not applicable.

Entering the xDSL configuration context on a Falcon:

Example

falcon:/#> configure falcon:/config/#> port dsl 1 falcon:/config/port-dsl1/#>

Listing configuration information on the xDSL port on a Falcon:

Example

falcon:/config/#> show port dsl 1 xDSL -------------------------------------------- Priority ---- Limit - Default

Port Ena Mode Filter Encap PVC Annex Alarm Mode Level In | Out Vid

===============================================================================

DSL 1 YES adsl YES llc 8/35 A NO tag 0 None None Auto

=============================================================================== falcon:/config/#>

11.3.2

Setting xDSL port mode (ADSL or VDSL) and carrier type

Syntax [no] mode <adsl [annex <a|b|i|j|l|m|l-m> | vdsl [annex <a|b|a-b>>

Context

xDSL Port Configuration

context

Usage Specify whether the xDSL port should operate as ADSL port or VDSL port, and

ˆ ADSL:

© 2015 Westermo Teleindustri AB

251

Westermo OS Management Guide

Version 4.17.1-0

Use ”mode adsl annex <a|i|l|m|l-m>” to specify ADSL mode over a POTS carrier network.

Use ”mode adsl annex <b|j>” to specify ADSL mode over an ISDN carrier network.

For further information on ADSL Annex settings, see

section 11.1.1

.

When selecting ADSL mode, the ADSL specific settings ”encap” ( section 11.3.4

) and ”pvc” ( section 11.3.5

) are enabled.

ˆ VDSL:

Use ”mode vdsl annex a” to specify VDSL mode over a POTS carrier network.

Use ”mode vdsl annex b” to specify VDSL mode over an ISDN carrier network.

Use ”mode vdsl annex a-b” to auto-detect whether your VDSL connection is over a POTS or ISDN carrier. This alternative is usually preferable for VDSL connections due to its simplicity, but the autodetection mechanism may experience problems on long copper cables. If this is the case, please try ”mode vdsl annex a” or ”mode

vdsl annex b” depending on the carrier type of your VDSL connection.

Use ”no mode” to reset the mode setting to the default value.

Use ”show mode” to show whether the xDSL port is set to operate as ADSL or

VDSL port, and the type of carrier network used, Annex A, Annex I, Annex L or Annex M (POTS) or Annex B or Annex J (ISDN). Annex I and J not supported in VDSL mode.

Default values ADSL over POTS (”mode adsl annex a”)

11.3.3

Specify whether external splitter is used or not

Syntax [no] filter

Context

xDSL Port Configuration

context

Usage Specify whether a (external) splitter is used or not, i.e., is the Falcon unit connected directly to the telephone jack or via a splitter.

252

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Use command ”filter” if a splitter is used, and ”no filter” if no splitter is used.

Use ”show filter” to show the xDSL port’s filter setting.

Default values ”filter” (i.e., an external splitter is assumed by default)

11.3.4

Configure ADSL/ATM encapsulation type

Syntax [no] encap <llc|vcmux>

Context

xDSL Port Configuration

context (only available when ADSL mode is used, see

section 11.3.2

)

Usage Specify whether bridged LLC or bridged VC-MUX ATM encapsulation is used. What encapsulation option to use depends on your ADSL provider.

Use command ”llc” to use bridged LLC and ”vcmux” to use bridged VC-

MUX encapsulation.

Use ”no encap” to reset the encapsulation mode to the default setting.

Use ”show encap” to show the xDSL port’s ADSL/ATM encapsulation setting.

Default values ”llc”

11.3.5

Configure ADSL/ATM VPI and VCI

Syntax [no] pvc <VPI/VCI>

Context

xDSL Port Configuration

context (only available when ADSL mode is used, see

section 11.3.2

)

Usage Specify the VCI and VPI used for the ATM PVC by your ADSL provider.

Some examples: ”pvc 0/38” is common in U.K., ”1/32” is common in Germany, while ”pvc 8/35” is common for many other ADSL providers inside and outside Europe.

Use ”no pvc” to reset the PVC to use default VPI/VCI. (In future versions of

WeOS the use of ”no pvc”, as well as the default PVC setting, may change.)

Use ”show pvc” to show the ATM PVC setting, i.e., which VPI and VCI are configured.

© 2015 Westermo Teleindustri AB

253

Westermo OS Management Guide

Version 4.17.1-0

Default values ”pvc 8/35”

11.3.6

Show xDSL port status

Syntax show dsl

Context

Admin Exec

context.

Usage Show the status of all xDSL ports.

Default values Not applicable.

Example

falcon:/#> show dsl

Port, DSL mode

Channel, role

Link state, uptime

: DSL 1, ADSL/Anx-A

: channel 0, role CPE

: UP, 0 Days 0 Hours 7 Mins 15 Secs

Negotiation state

Remote vendor name

: Sync state, 4 changes since boot

: GSPN

Downstream ------------------------

Rate : 8000 kbps

SNR : 12.5 dB

Line attn : 8.3 dB

Signal attn : 8.2 dB

Output power: N/A

Upstream --------------------------

Rate : 832 kbps

SNR

Line attn

: 12.0 dB

: 7.0 dB

Signal attn : 7.0 dB

Output power: 12.4 dB falcon:/#>

254

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 12

Power Over Ethernet (PoE)

Some WeOS Viper products[ 52 ] have Ethernet ports with support for Power Over

Ethernet (PoE[ 16 ] and PoE+[ 17 ]).

This chapter gives an overview of PoE support in WeOS products ( section 12.1

).

Sections 12.2

and

12.3

concern PoE management support via the Web interface and CLI. PoE related SNMP support is covered in

chapter 6 , while management of

PoE alarms/events is documented in

chapter 24 .

As of WeOS v4.17.1, PoE management via LLDP[ 17 ] is not supported.

12.1

Overview of Power over Ethernet (PoE)

Feature

Per-Port PoE Configuration

Enable/Disable

Allocation Priority

Power Limit

Web

CLI

General Description

X

X

X

X

X

X

Section 12.1.2

-”-

PoE Status

Consumed power

Allocated Power

Detected PoE Units

X

X

X

X

X

X

Sections 12.1.1

Section 12.1.1

-

12.1.2

© 2015 Westermo Teleindustri AB

255

Westermo OS Management Guide

Version 4.17.1-0

12.1.1

PoE Power Classes

When plugging in a PoE unit to a PoE port on the switch, the switch will detect the class of the connected PoE unit, depending on the unit’s resistance and thereby its maximum power consumption.

Table 12.1

lists the maximum power consumption for units of the different PoE classes, as well as the (somewhat higher) power actually allocated by the switch, which considers cable losses. Thus, when admitting a class 0 unit, the switch allocates 15.4 W to ensure 12.94 W reach the PoE unit.

PoE Max Unit Power Allocated

Class Consumption (W) Power (W)

(P

css,nt

)

(P

css,oc

)

0

1

2

3

4

12.94

3.84

6.49

12.95

25.50

15.4

4.0

7.0

15.4

30.0

Table 12.1: Power allocated to and consumed by units of different PoE classes.

It is also possible to configure a maximum power limit on each individual PoE port, see

section 12.1.2

. The power allocated on the port then becomes the minimum

of the (a) configured power limit, and (b) the power allocated for attached unit’s class (as listed in

table 12.1

).

The following additional classification is made for the connected unit depending on resistance:

ˆ Good: Ok. A PoE unit is connected. (Resistance within specification of PoE class 0-4).)

ˆ Open: Ok. Port not connected. (”Infinite” resistance, i.e., open circuit).

ˆ Short: Ok, when non-PoE unit is connected. (Resistance determined as short curcuit.)

ˆ Low: The connected unit is detected as a PoE unit and served, although its the resistance is too low to meet the PoE specification (and too high to be determined as short circuit (non-PoE unit connected)).

ˆ High: The connected unit is detected as a PoE unit and served, although its

256

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 the resistance is too high to meet the PoE specification (and too low to be determined as unconnected (open curcuit)).

12.1.2

Allocation of PoE Power

There is maximum value for the amount of power a PoE switch can deliver (P

stch,m

),

see the User Guide of your PoE product[ 52 ] for more information on max output

power. When more power is requested than available, the switch will stop/refuse

1

delivering power on the port(s) with lowest priority.

12.1.2.1

Calculating available power, and per-port power limitation

As of WeOS v4.17.1, PoE power is always allocated to handle max consumption by all admitted PoE units. For each port, the max consumption (P

por t,m

) is calculated as the minimum value of:

ˆ (P

css,oc

): The power allocated to units of the attached class (see right column of

table 12.1

).

ˆ (P

por t

mt

): The power limit configured for the port (if any).

The available power is calculated as max output power of the switch

1

, minus the sum the max power for all (admitted) ports.

X

P

be

= P

stch,m

dmtted

P por t,m

If a new PoE unit is attached, its P

css,oc

will be compared to P

be

:

ˆ If there is enough power available to serve the new unit, it will be admitted.

ˆ If there is not enough power available to serve the new unit, the switch will deliver power to the ports with highest priority (see below). Thus, to admit the new unit, one (or more) of the already admitted units will be declined power.

1

To compensate for limited accuracy in measured power consumption, your WeOS PoE unit may allow the measured and allocated power to raise somewhat above the stated P

stch,m

of the product, before power delivery is stopped/refused on some port. The customer should still ensure that PoE equipment attached to the WeOS PoE switch do not use more than P

stch,m

in total.

© 2015 Westermo Teleindustri AB

257

Westermo OS Management Guide

Version 4.17.1-0

Preference Port Configured Tie-break

Order Name Priority Priority

0 (lowest)

1

2

5

6

3

4

7 (highest)

X7

X9

X10

X5

X6

X3

X2

X1 low low low high high critical critical critical

1

4

6

7

5

0

2

3

Table 12.2: Example of allocation preference order for a given PoE priority configuration on a Viper-212-PoE unit.

12.1.2.2

PoE Port Priority

There are three levels of PoE priority (low, high, critical), which can be configured per port. If there is not enough power to serve all attached PoE units, preference will be given to ports with higher priority.

As situations can occur where the switch must chose between two ports of the same level of configured priority, there is a need for a second level ”tie-break”

priority. For Viper-212-PoE[ 52 ] the ”tie-break” priority is as follows (starting with

the lowest tie-break priority): X7(0), X3(1), X9(2), X10(3), X2(4), X1(5), X5(6),

X6(7). The tie-break priority order may become configurable in future WeOS releases.

Table 12.2

illustrates the power allocation preference order in a specific configuration example on a Viper-212-PoE, where ports X1-X3 have been configured with priority critical, X5-X6 with priority high, and X7-X10 have priority low.

258

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

12.2

Managing PoE via the web interface

The Web interface provides configuration of PoE ports as well as listing of global and port specific PoE status.

12.2.1

List PoE Settings

Menu path: Configuration PoE

When entering the PoE configuration page you will be presented to a list of all

PoE ports available on your switch, and their settings.

Port

The port label. (Only PoE capable Ethernet ports are listed.)

PoE Enabled

Shows if PoE is enabled or disabled on the port.

Priority

Shows the configured PoE priority (Low, High or Critical) for the port.

Continued on next page

© 2015 Westermo Teleindustri AB

259

Westermo OS Management Guide

Version 4.17.1-0

Limit

Edit

Continued from previous page

Shows the configured Power Limit for the port (in Watts), or

Disabled if no port specific limit has been set.

Click this icon to edit a port’s PoE settings.

12.2.2

Edit PoE Port Settings

Menu path: Configuration PoE

On this page you can change the PoE settings for the port.

Enabled

Enable/disable PoE on the port

Priority

PoE power allocation priority. When more power is requested than available, power will be dropped on the ports with lowest priority. Possible values:

ˆ Low (Shut down first)

ˆ High

ˆ Critical (Shut down last)

See

section 12.1.2

for more information.

Power Limit

Set port specific power limit. Allowed values are 1-30

(Watts), or Disabled (i.e., no port specific power limit).

260

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

12.2.3

PoE Status

Menu path: Status PoE

On the PoE port status page you will be presented to global and port specific PoE status data.

© 2015 Westermo Teleindustri AB

261

Westermo OS Management Guide

Version 4.17.1-0

Global Status

Maximum Power

The maximum power (in Watts) the switch is able to deliver.

Allocated Power

Allocated power (in Watts). See

section 12.1.2

for information on allocation and classes.

Consumed Power

The total power consumed on all PoE ports.

Power Usage

Percentage of available power currently consumed

(i.e., ”Consumed Power”/”Maximum Power”).

Port Status

Port

PoE Enabled

The PoE port label.

Shows if PoE is enabled or disabled on the port.

Priority

Power Limit

Shows the configured PoE priority (Low, High or Critical) for the port.

Shows the configured power Limit for the port (in

Watts), or Disabled if no port specific limit has been set.

Class

Shows the PoE class (0-4) of the connected PoE unit, or Unknown if the class cannot be determined.

Consumed Power

Currently consumed power (in Watts) by the connected PoE unit.

Detection Details

Additional details on the unit connected to the PoE port (see also the Class column):

ˆ Unknown: Unit Resistance Unknown (e.g. PoE disabled on port)

ˆ Short: Non-PoE unit connected

ˆ Low: PoE Unit connected. Resistance OK, but low

ˆ Good: PoE unit connected. Resistance Good.

ˆ High: PoE Unit connected. Resistance OK, but high

ˆ Open: Nothing Connected

Auto Refresh

Refresh

Click on a value to make the page reload with updated status automatically every 5, 15, 30 or 60 seconds. Click Off to turn off auto refresh.

Click on this button to reload with updated status.

262

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

12.3

Managing PoE via the CLI interface

Command Default Section

Configure PoE settings poe

[no] port <PORTLIST|all>

[no] enable

Section 12.3.1

Section 12.3.2

Enabled

Section 12.3.3

[no] priority <low|high|critical> Low

[no] limit <1-30> Disabled

Section 12.3.4

Section 12.3.5

Show PoE settings show poe [port <PORTLIST|all>] poe port <PORTLIST>|all> show enable show priority show limit

Show PoE status show poe [full] [port <PORTLIST>]

Section 12.3.6

Section 12.3.7

Section 12.3.8

Section 12.3.9

Section 12.3.10

12.3.1

Manage PoE Settings

Syntax poe

Context Global Configuration context.

Usage Enter PoE configuration context.

Default values Not applicable.

Error messages None defined yet.

12.3.2

Manage per-port PoE settings

Syntax [no] port <PORTLIST|all>

Context PoE configuration context.

© 2015 Westermo Teleindustri AB

263

Westermo OS Management Guide

Version 4.17.1-0

Usage Enter PoE port configuration context.

Use ”port <PORTLIST>” to configure per-port settings for the PoE ports in the given list, e.g., ”port X2”, or ”port X1-X5,X10”. Use ”port all” to configure per-port settings for all PoE ports.

Use ”no port <PORTLIST>” to reset PoE port settings to their default values for the given port range.

Default values Not applicable

Error messages None defined yet.

12.3.3

Enable/Disable PoE on a PoE port

Syntax [no] enable

Context PoE Port configuration context.

Usage Enable/disable PoE on this port.

Default values Enabled (”enable”)

Error messages None defined yet.

12.3.4

Set PoE allocation priority

Syntax [no] priority <low|high|critical>

Context PoE Port configuration context.

Usage Configure PoE allocation priority setting (”priority low” is the lowest priority, while ”priority critical” is the highest .

”no priority” will reset priority to default (”priority low”).

See

section 12.1.2

for information on how to select between ports of the same configured priority.

Default values Low (”priority low”)

Error messages None defined yet.

264

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

12.3.5

Set PoE Power Limit

Syntax [no] limit <1-30>

Context PoE Port configuration context.

Usage Configure specific PoE Power limit (in Watts) on this port, e.g., ”limit

20” to limit the delivered power to 20 Watts. The max power delivered is the minimum value of the limit configured for this port, and the power allocated for class of PoE unit attached (see P

css,oc

in

table 12.1

).

Use ”no limit” to remove port specific power limits (max power based solely on P

css,oc

).

Default values Disabled (”no limit”)

Error messages None defined yet.

12.3.6

Show PoE Settings

Syntax show poe [port <PORTLIST|all>]

Context Global Configuration context. configuration context. Also available as

ˆ ”show [port <PORTLIST|all>]” command in PoE configuration context, and as

ˆ ”show” command in PoE Port configuration context

Usage Show global PoE settings and per-port PoE settings. If the ”port <PORTLIST|

all>” parameter is given (or if run in PoE Port configuration context), only port specific settings for the given port(s) are listed.

Default values List PoE settings for all ports.

Error messages None defined yet.

12.3.7

Show Enable/Disable PoE Setting

Syntax show enable

Context PoE Port configuration context.

Usage Show whether PoE is enabled (or disabled) on this port.

© 2015 Westermo Teleindustri AB

265

Westermo OS Management Guide

Version 4.17.1-0

Default values Not applicable

Error messages None defined yet.

12.3.8

Show PoE Allocation Priority Setting

Syntax show priority

Context PoE Port configuration context.

Usage Show PoE allocation priority setting on this port.

Default values Not applicable

Error messages None defined yet.

12.3.9

Show PoE Power Limit Setting

Syntax show limit

Context PoE Port configuration context.

Usage Show PoE power limit setting on this port.

Default values Not applicable

Error messages None defined yet.

12.3.10

Show PoE Settings

Syntax show poe [full] [port <PORTLIST>]

Context Admin Exec context.

Usage Show PoE global and per port status.

Use ”show poe” (or ”show poe port <PORTLIST>”) to list global PoE status information, and a status summary for all PoE ports (or a given subset).

Use ”show poe full” (or ”show poe full port <PORTLIST>”) to list global

PoE status information, and detailed status information for all PoE ports (or a given subset).

Default values Not applicable

266

© 2015 Westermo Teleindustri AB

Error messages None defined yet.

Westermo OS Management Guide

Version 4.17.1-0

© 2015 Westermo Teleindustri AB

267

Westermo OS Management Guide

Version 4.17.1-0

Chapter 13

Virtual LAN

WeOS supports static port based VLANs and VLAN tagging according to IEEE

802.1Q[ 14 ]. In addition, WeOS supports WeOS Adaptive VLAN Trunking (AVT)

to simplify VLAN configuration in larger WeOS networks.

Section 13.1

provides general information about the VLAN properties and VLAN management features in WeOS. This section also covers features available to manage and inspect the MAC forwarding database on WeOS devices.

Section 13.3

covers VLAN settings via the Web interface, and

section 13.4

covers

VLAN and MAC forwarding database settings via the CLI.

13.1

Overview of VLAN Properties and Management

Features

Table 13.1

summarises VLAN management features in WeOS.

Section 13.1.1

provides general VLAN information and

sections 13.1.2

-

13.1.6

contain further information on specific VLAN features.

13.1.1

Introduction to VLANs

Virtual LAN (VLAN) technology is used to create a set of separate LANs over a single physical LAN infrastructure. Each VLAN constitutes a broadcast domain, and traffic on one VLAN is (logically) isolated from traffic on another VLAN. WeOS

268

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Feature

General VLAN functionality

Enable/disable dynamic VLAN

Per VLAN functionality

Add/modify/delete VLAN

Enable/disable VLAN

VLAN name

Untagged/Tagged ports

VLAN priority

IGMP Snooping

VLAN CPU Channel

Forbid ports

Port-based access control

View VLAN settings

View VLAN status

Web

X

X

X

X

X

X

X

X

X

X

CLI

X

General Description

Sec. 13.1.7

X

X

X

Secs. 13.1.1

-

13.1.3

X

X

X

Sec. 13.1.1

X

Sec. 13.1.4

X

Sec. 13.1.5

X

Sec. 13.1.6

X

Sec. 13.1.7

X

Sec. 13.2

MAC forwarding database functionality

Set MAC aging timeout

Set static MAC filters

X

Sec. 13.1.8

X

Sec. 13.1.8

View forwarding database settings

View forwarding database status

X

X

Table 13.1: Summary of VLAN management features.

supports creation of static port based VLANs and VLAN tagging as described further in this section. We start with two examples to explain the terms untagged and tagged.

Fig. 13.1

shows a situation where three networks, the ADMIN VLAN, the OFFICE

VLAN, and the MARKETING VLAN share a single switch.

ˆ Each VLAN is assigned a VLAN identifier, a VLAN ID (VID); in this example

VIDs 1 (ADMIN), 2 (OFFICE) and 3 (MARKETING).

ˆ Each VLAN is assigned a set of ports. In this example ports 1/1-1/2 are associated with the ADMIN VLAN, Ports 2/1-2/4 with the OFFICE VLAN, and ports 2/5-2/8 with the MARKETING VLAN.

© 2015 Westermo Teleindustri AB

269

Westermo OS Management Guide

Version 4.17.1-0

Switch

1/1 1/2 2/1 2/2 2/3 2/4 2/5 2/6 2/7 2/8

VLAN 1

ADMIN

VLAN2

OFFICE

VLAN3

MARKETING

Figure 13.1: VLANs sharing a single switch.

In this example we have assumed that only regular hosts (PCs, servers, etc.; not other switches) attach to the ports of the switch. Traffic sent and received on each switch port are regular Ethernet packets (without VLAN headers), and here we refer to this by saying that the switch ports are associated with their respective VLAN untagged.

Note

A port associated untagged on a VLAN, will send and receive regular Ethernet packets (i.e., without VLAN header) on that port.

Consider the case where a PC attached to port 2/1 of the switch in

fig. 13.1

transmits a broadcast packet. That packet will be forwarded onto all other ports of VLAN 2 (OFFICE), i.e., ports 2/2-2/4, but not to any of the other ports.

Fig. 13.2

shows a situation where three networks, the ADMIN VLAN, the OFFICE

VLAN, and the MARKETING VLAN share two switches as well as the connection between them.

Switch A

1/1 1/2 2/1 2/2 2/3 2/4 2/5 2/6 2/7 2/8

Switch B

1/1 1/2 2/1 2/2 2/3 2/4 2/5 2/6 2/7 2/8

VLAN 1

ADMIN

VLAN2

OFFICE

VLAN3

MARKETING

VLAN 1

ADMIN

VLAN2

OFFICE

VLAN3

MARKETING

Figure 13.2: VLANs sharing two switches and the connection between them.

270

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ As in the previous example, each VLAN is assigned a VID; in this example

VIDs 1 (ADMIN), 2 (OFFICE) and 3 (MARKETING).

ˆ Each VLAN is assigned a set of ports. (For simplicity of this example, we have chosen to use the same port assignment on both switches.) Port 1/1 is associated (untagged) with the ADMIN VLAN, Ports 2/1-2/4 are associated (untagged) with the OFFICE VLAN, and ports 2/5-2/8 are associated

(untagged) with the MARKETING VLAN.

In addition, port 1/2, where the cable between the two switches is connected, is associated with all three VLANs. In order for the switches to distinguish which

VLAN a packet belongs to when transmitted over a shared connection, the switch will insert a VLAN header (VLAN tag) into the packet, which includes information about the VLAN ID (here 1, 2 or 3). Thus, in this example port 1/2 would be

associated with VLAN 1, 2 and 3 tagged

1

.

Note

A port associated tagged on a VLAN, will send and receive tagged Ethernet packets (i.e., Ethernet packets including a VLAN header) on that port.

Consider the case where a PC attached to port 2/1 of switch A in

fig. 13.2

transmits a broadcast packet. That packet will be forwarded onto ports 2/2-2/4 of switch A untagged, and onto port 1/2 of switch A tagged with VID 2. When the

tagged packet is received on port 1/2 on switch B, that switch can determine that the packet belongs to VLAN 2, and will forward it onto ports 2/1-2/4 untagged.

Note

A port cannot be associated with more than one VLAN untagged. A port cannot be associated both untagged and tagged with the same VLAN.

We refer to the VLAN with VID 1 as the switch default VLAN. Ports not associated with any VLAN (untagged or tagged) will automatically be associated with the default VLAN.

Section 13.1.3

provides more information on the default VLAN.

For each VLAN on a switch, an associated network interface will be created. The name of a VLAN network interface is vlan<VID>, e.g., vlan1 for VLAN 1, and

vlan100 for VLAN 100. The network interface can be assigned an IP address

(IPv4), and the switch can then be managed remotely via that VLAN. It is also

1

It is recommended that a port, which is shared between several VLANs, is associated tagged with all those VLANs, however, it is possible to configure the port untagged on one VLAN and

tagged on all other VLANs without risk for ambiguity.

© 2015 Westermo Teleindustri AB

271

Westermo OS Management Guide

Version 4.17.1-0 possible to route IP traffic between network interfaces. For more information on network interfaces and routing, see

chapter 19 .

Internally, a WeOS switch can have one or more channels to the CPU, where each channel has a capacity of 100 Mbit/s or 1000 Mbit/s.

Section 13.1.6

describes how

VLANs can be mapped to different CPU channels to achieve increased routing performance.

Layer-2 priority was described in a previous chapter, see

section 8.1.4

. In addi-

tion to different per port priority settings, it is possible to assign specific layer-2 priority per VLAN, see

section 13.1.4

.

The switch supports efficient distribution of IP multicast packets by use of IGMP

snooping. See

section 13.1.5

for more information on per VLAN IGMP snooping features.

The switch provides support for dynamic VLANs by WeOS Adaptive VLAN Trunking (AVT). AVT can be used to simplify VLAN configuration in larger WeOS LAN infrastructures. AVT is described further in

section 13.1.7

.

13.1.2

Supported number of VLANs and VLAN integrity

Every VLAN needs to be associated with a unique VLAN ID (VID).

ˆ Switches support configuration of up to 64 simultaneous VLANs

2

.

ˆ Valid VIDs for configuration are in range 1-4094.

ˆ Some VLAN IDs are reserved for specific use - currently this concerns a set of VIDs in use by the FRNT protocol, see

section 14.1.3

.

Switches only accept packets for VLANs to which the inbound port is associated.

Additional rules for accepting a packet is described below:

ˆ When an untagged packet is received on a port, that packet will be mapped to the port’s default VID. If the port is associated with that VLAN (tagged or untagged), the packet will be accepted, otherwise dropped.

ˆ The port’s default VID will be the VID of the VLAN to which the port is associated untagged. If the port is not associated untagged to any VLAN, the default VID is set to the fall-back default-VID (see also

section 8.1.10

) if con-

figured, otherwise to VID 1.

2

Special restriction on DDW-142/DDW-142-485: On these products the limit is 60 VLANs when

FRNT is configured on the unit, and 64 VLANs when FRNT is not configured.

272

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Priority tagged packets, i.e., packets with VID 0, will be associated with the port’s default VID.

ˆ Typically tagged packets (VID in range 1-4094) or priority tagged packets

(VID 0) are only accepted on ports where there is at least on VLAN associated

tagged. In addition, the packet will only be accepted if the inbound port is associated (untagged or tagged) the VLAN of the packet.

A common MAC address database is used for all VLANs (shared VLAN learning).

13.1.3

Switch default VLAN

In WeOS the VLAN with VID 1 (VLAN 1) is denoted as the switch default VLAN.

Ports not associated with any VLAN (neither untagged nor tagged) will automatically be configured untagged to the switch default VLAN. This could happen when a port is removed from a VLAN, or when a whole VLAN is removed.

Note

The main purpose of the switch default VLAN is to avoid loss of remote manageability of a switch due to a change in the VLAN configuration. Without a default VLAN, you risk to lose remote access to the switch if the ports used to connect to the switch are removed from all VLANs (unintentionally or deliberately).

With the default VLAN feature, the switch is still manageable via those ports, given that proper IP and firewall settings are configured for the network interface associated with the switch default VLAN.

The switch default VLAN cannot be removed. However, it is possible to remove all ports from the default VLAN by assigning them to other VLANs.

13.1.4

VLAN Priority

It is possible to assign an IEEE 802.1p priority to a VLAN. This feature can be useful when an operator likes to assign a higher priority to traffic on a certain

VLAN, e.g., a VLAN dedicated for IP telephony.

When a VLAN priority is configured, all packets associated with that VLAN will be treated according to the given VLAN priority, rather than basing the packet’s priority on VLAN tag priority, IP ToS/DiffServ or inbound port identifier. For more information on layer-2 priority, see

section 8.1.4

.

© 2015 Westermo Teleindustri AB

273

Westermo OS Management Guide

Version 4.17.1-0

13.1.5

IGMP Snooping and VLANs

Switches use IGMP snooping for efficient distribution of IP(v4) multicast over the

LAN. With IGMP snooping enabled on a VLAN, IP multicast packets will only be forwarded onto ports leading to a receiver of that IP multicast address, or to ports assumed to lead to an IP multicast router.

With IGMP snooping disabled on a VLAN, multicast traffic will be forwarded on all ports of that VLAN, i.e., it is treated similar to broadcast traffic.

By default IGMP snooping is enabled on each newly created VLAN. More information on IGMP Snooping and IGMP Snooping settings is found in

chapter 18 .

13.1.6

Mapping VLANs to a CPU channel

A switch can have one or more channels to the switch CPU, each with a capacity of

100 Mbit/s or 1000 Mbit/s

3

. By default every new VLAN (with a network interface)

is mapped to CPU channel ”0” (zero).

On devices with multiple CPU channels increased routing performance may be achieved by assigning different VLANs to different CPU channels. Assume VLANs

1 and 2 are mapped to the same CPU channel of 100 Mbit/s capacity. Then the maximum theoretical routing throughput between the two VLAN interfaces is 50

Mbit/s full duplex, while the maximum theoretical routing throughput would be

100 Mbit/s full duplex if these VLANs were mapped to different CPU channels.

Note

Routing performance may also be limited by CPU performance, packet size and enabled services.

A VLAN can only be mapped to a single CPU channel.

13.1.7

Dynamic VLANs

WeOS provides dynamic VLAN support via the WeOS Adaptive VLAN Trunking

(AVT) protocol. With AVT enabled, VLAN configuration on inter-switch links is

3

WeOS products with ”Corazon” platform (see

section 1.5

) have 1000 Mbit/s channels to CPU,

while others have 100 Mbit/s channels.

274

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 simplified - once a switch detects that it is connected to another switch, all VLANs defined on the local switch will automatically be added to that port, see

fig. 13.3

.

Future versions of WeOS may include dynamic VLAN support via the standard

IEEE GVRP[ 14 ] protocol in addition to AVT.

13.1.7.1

Determining Inter-Switch Ports

To determine if a port on a switch is connected to another switch, AVT will utilise information from the FRNT and RSTP protocols:

ˆ FRNT: If FRNT is enabled on the switch, any port configured as an FRNT port will be classified as an inter-switch port by AVT. If FRNT is disabled, or if the FRNT port configuration is changed, AVT will adapt its inter-switch port classification accordingly. For more information on FRNT, see

chapter 14 .

ˆ RSTP: If RSTP is enabled on a port, AVT will consider the reception of an

RSTP or STP message as a sign that it is connected to another switch on the receiving port. The port will continue to be classified as an inter-switch port until the link goes down or until RSTP is disabled on that port. For more information on RSTP, see

chapter 16 .

13.1.7.2

Dynamic addition/deletion of VLANs to Inter-Switch Ports

Once a port has been defined as an inter-switch port, that port will dynamically be associated (tagged) with all VLANs configured on the switch. The exception is when that port has been configured in association mode forbid on some VLAN(s)

- the port will not be associated with those VLANs.

Further details of the mechanism to associate VLANs dynamically to an interswitch port are given below:

ˆ Association mode of dynamically added VLANs: All VLANs configured on the switch will be associated tagged by AVT. This applies even to those VLANs configured untagged on that port.

Fig. 13.3

shows an example.

© 2015 Westermo Teleindustri AB

275

Westermo OS Management Guide

Version 4.17.1-0

Switch A

(AVT and RSTP enabled)

1/1 1/2 2/1 2/2 2/3 2/4 2/5 2/6 2/7 2/8

Switch B

(AVT and RSTP enabled)

1/1 1/2 2/1 2/2 2/3 2/4 2/5 2/6 2/7 2/8

VLAN 1

(untagged)

VLAN2

(untagged)

VLAN3

(untagged)

VLAN 1

(untagged) a) before connecting the switches

VLAN2

(untagged)

VLAN3

(untagged)

Switch A

(AVT and RSTP enabled)

1/1 1/2 2/1 2/2 2/3 2/4 2/5 2/6 2/7 2/8

Switch B

(AVT and RSTP enabled)

1/1 1/2 2/1 2/2 2/3 2/4 2/5 2/6 2/7 2/8

VLAN 1

(untagged)

VLAN2

(untagged)

VLAN3

(untagged)

VLAN 1

(untagged)

VLAN 1, 2 and 3 (all tagged) b) after connecting the switches

VLAN2

(untagged)

VLAN3

(untagged)

Figure 13.3: Using Adaptive VLAN trunking (AVT) to dynamically add VLANs to inter-switch ports.

Note

As AVT only considers the VLANs configured on the (local) switch when adding VLANs to an inter-switch port, the operator of the LAN infrastructure should ensure that all switches have the same set of VLANs defined. Otherwise the VLANs forwarded by different switches will be inconsistent, resulting in lack of full connectivity on some VLAN(s).

ˆ Removing dynamically added VLANs: When a port loses its status as interswitch port, all VLANs dynamically added to that port will be removed. The port will then only be associated with the VLANs it has been configured with, and with association mode (tagged or untagged) according to the configuration.

ˆ Prohibiting that a VLAN is added to a port: It is possible to prohibit that some VLAN(s) is dynamically added to a port even when AVT is enabled.

276

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

This feature is useful when the unit acts as a routing switch, where traffic between some ports should be routed rather than switched.

To prohibit that a VLAN is dynamically added to a port, that port should be configured with association mode forbid on that VLAN.

As of WeOS version v4.17.1 the forbid association mode only hinders a port to be added to a VLAN dynamically via AVT. Ports not configured untagged/tagged with any VLAN will still be mapped to the switch default VLAN

(VLAN 1), irrespective if that port is configured as forbid on VLAN 1. For more information about the switch default VLAN, see

section 13.1.3

.

13.1.7.3

Prohibit disabling of Inter-Switch Ports

A port determined as inter-switch port by AVT will not be possible to disable by management (Web, CLI, SNMP, etc.). This feature is added in order to avoid unintentional loss of connectivity to the switch.

13.1.8

MAC forwarding database

WeOS switches maintain a MAC forwarding database holding information about where to forward packets for each known MAC address. As of WeOS v4.17.1 a single MAC forwarding database is used for all VLANs, referred to as shared VLAN

learning in [ 14 ].

13.1.8.1

Managing Unicast MAC addresses

When the switch comes up, it will not know which stations are attached to its ports. The switch inspects the destination MAC address of each incoming packet without finding a match in the forwarding database - unknown unicast MAC addresses will be broadcasted on all ports of the associated VLAN.

The switch will automatically learn the location of stations in the LAN, by inspecting the source MAC address of each incoming packet. Once it knows on which port a certain MAC address resides, all future packets to that station will be forwarded only onto that port.

© 2015 Westermo Teleindustri AB

277

Westermo OS Management Guide

Version 4.17.1-0

Note

Switches ”learn” the location of (unicast) MAC address by inspecting the

”source” MAC address, while they ”forward” packets based on the ”destination” MAC address.

Unicast MAC addresses learnt automatically will stay in the MAC forwarding database until they are aged out – the aging timeout defaults to 300 seconds. The aging timeout is configurable, and aging can be disabled.

13.1.8.2

Managing Broadcast and Multicast MAC addresses

Packets transmitted to the broadcast MAC address (”ff:ff:ff:ff:ff:ff”) will be forwarded onto all ports in the associated VLAN. Other group MAC addresses (here referred to as multicast MAC addresses) are handled differently if IGMP Snooping is enabled or not (see

chapter 18

for detailed information on IGMP Snooping):

ˆ IGMP Snooping Disabled: With IGMP Snooping disabled on a VLAN, packets sent to multicast MAC addresses will be handled in the same way as broadcast, i.e., such packets will be forwarded onto all ports in the associated

VLAN.

ˆ IGMP Snooping Enabled: With IGMP Snooping enabled on a VLAN, packets sent to multicast MAC addresses will be blocked on all ports by default, and only forwarded onto ports (1) where the switch has learnt that there is a host interested in receiving traffic to that multicast MAC address, or (2) which the switch believes lead to a multicast router.

WeOS also allows an operator to manually specify where to forward multicast MAC addresses, i.e., the operator can add static multicast MAC filters. This feature is useful for several reasons:

ˆ IGMP snooping and non-IP multicast: With IGMP snooping enabled, all MAC multicast will be blocked, except those learnt via IGMP snooping. As IGMP snooping only learns MAC multicast based on IP multicast, all other types of

MAC multicast will be blocked.

Adding static MAC filters enables the use of non-IP multicast on VLANs where

IGMP snooping is enabled.

ˆ IGMP Snooping and IP multicast in the 224.0.0.X range: IP multicast in the

224.0.0.X range should be forwarded onto all ports in the VLAN irrespective if any host has indicated interest in that multicast address via IGMP or not.

278

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

In WeOS the operator has the flexibility to select which addresses in the

224.0.0.X range to forward on a LAN, by adding filters for the corresponding multicast MAC address. The factory default configuration includes MAC filters for some of the most common multicast addresses in the 224.0.0.X

range, which are then forwarded onto all ports even if IGMP snooping is enabled.

When specifying the destination port list in a MAC filter, one can specify both regular Ethernet (and DSL) ports, as well as the internal CPU port(s) of the switch.

The latter is used if the multicast packet should be processed by the switch itself.

13.2

Port-based network access control

WeOS supports port-based network access control (PNAC). This security feature is used to stop unauthorised PCs or other equipment to access the network. Authentication is required to gain access. WeOS provides two authentication methods: IEEE 802.1X and MAC based authentication.

Ports with access control enabled (i.e., controlled ports) will by default be ”blocked” for incoming traffic. Only when a connected device has successfully authenticated itself will it be allowed/authorised to send data through the port. Packets from unauthorised devices are still dropped, i.e., only packets with a source MAC address of devices authorised via 802.1X or MAC authentication are allowed.

Incoming broadcast and multicast packets from unauthorised devices will also be blocked. Outgoing broadcast and multicast packets will, however, not be blocked and are sent out as usual on controlled ports. IGMP joining of multicast groups will not work for unauthorised clients, as incoming IGMP join messages are dropped until the client is granted access.

In WeOS, port-based network access control is managed per VLAN. Enabling access control on a VLAN implies that all untagged ports on that VLAN are subject to access control by default. Often some or a few ports need to be excluded from access control, e.g., ports connected to a server, uplink ports (towards Internet), and VLAN trunk ports. These ports can be excluded by a special configuration option in the CLI ”except-auth” (see

section 13.4.17

) or in the web GUI (see

section 13.3.5

).

© 2015 Westermo Teleindustri AB

279

Westermo OS Management Guide

Version 4.17.1-0

Authenticated client

PC

PC

Access controlled ports

Blocked ports

3

4

1

2

Switch

5

6

7

8

Server

INTERNET

Figure 13.4: Port-based network access control

Port-based access control and VLAN trunk ports

As of WeOS v4.17.1, port-based access control is only working as expected for access ports, i.e., ports only associated with a single VLAN (untagged).

VLAN trunk ports (ports associated tagged to one or more VLANs) should be excluded from access control. Although it is possible to have access control enabled on such ports, the behaviour is neither defined nor supported, and may change in future WeOS releases.

In order to acquire access, the connected device needs to authenticate itself to the switch. See

fig. 13.4

for a scenario. The PC on port 1 has authenticated itself, whereas the one on port 2 has not. The first PC is able to access the server or the Internet connection on ports 6 and 8. The second PC or anything connected to ports 3 or 4 will be blocked by the switch until they have authenticated themselves.

The two authentication mechanisms available in WeOS for port-based network access control are described further below: IEEE 802.1X in

section 13.2.1

and

MAC based authentication in

section 13.2.2

.

280

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

13.2.1

Authentication using IEEE 802.1X

WeOS units are able to act as IEEE 802.1X [ 15 ] authenticators. WeOS uses

the RADIUS[ 34 ] protocol with extensions for Extensible Authentication Protocol

(EAP[ 33 ]) to communicate to a backend authentication server.

WeOS neither includes a RADIUS server nor a local authentication server mechanism for 802.1X. Instead the 802.1X authentication server must be provided externally.

As of WeOS v4.17.1, WeOS does not support Authenticator initiation as defined

by §8.4.2.1 in the IEEE 802.1X standard[ 15 ]. The 802.1X client (supplicant) must

initiate the authentication procedure to gain access

4

.

Fig. 13.5

illustrates the principles of a successful authentication with IEEE 802.1X.

In reality the protocol exchanges several messages between the supplicant, the authenticator and the RADIUS backend server (see the standard documents for details). The WeOS unit acts as an IEEE 802.1X authenticator, relaying the EAP messages to the RADIUS server.

When configuring the 802.1X authenticator in WeOS, the RADIUS server (or group of RADIUS servers) must be specified. The procedure is as follows:

1. RADIUS server settings (AAA): Enter the appropriate settings for your RA-

DIUS server(s): IP address, password, etc. See

chapter 21

on Authentication,

Authorisation and Accounting (AAA) for more information.

2. Define RADIUS server group (AAA): (Optional) The RADIUS servers can be grouped together, simplifying configuration in some cases. See

chapter 21

on AAA for more information.

3. Define AAA instance(s) for 802.1X (AAA): To allow individual RADIUS servers or server groups to be used as 802.1X authentication backends, they need to be listed in an 802.1X AAA instance. See

chapter 21

on AAA for more information.

4. Enable 802.1X per VLAN: When 802.1X is enabled on a VLAN, the relevant

AAA instance is defined, thereby defining which RADIUS server(s) to relay

802.1X messages to from this VLAN. See sections

13.3.4

(Web) and

13.4.15

(CLI) for further details.

4

The 802.1X supplicants included with Microsoft Windows, Ubuntu Linux and most other equipment supports supplicant initiation.

© 2015 Westermo Teleindustri AB

281

Westermo OS Management Guide

Version 4.17.1-0

Authentication request with IEEE 802.1X

802.1X capable client

EAPOL Request

PC

1

Switch

5

RADIUS

EAP−Request

2 6

Access controlled ports

3 7

4 8

RADIUS

INTERNET

Successful authentication reply with IEEE 802.1X

Switch

EAPOL Reply

RADIUS

EAP−Success

PC

Unblocked by WeOS

3

4

1

2

5

6

7

8

RADIUS

INTERNET

Figure 13.5: Principles of authentication with IEEE 802.1X and RADIUS

13.2.2

Authentication based on MAC addresses

Authentication can be based on the client’s MAC address. This is often combined with IEEE 802.1X authentication to grant access to 802.1X capable devices and legacy equipment lacking 802.1X support. When combined, MAC authentication will have precedence over 802.1X authentication.

MAC based authentication is not as secure as IEEE 802.1X. Devices are granted

282

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 access based on the MAC address without any cryptographic authentication exchange, and it is fairly easy to modify the MAC address on a PC and most other equipment.

MAC authentication is set up using lists of one or more MAC address patterns.

MAC patterns may contain a wild-card at the end to match a whole range of addresses. Examples: The pattern 00:11:22:33:44:55 matches exactly one address, while the pattern 00:AA:BB:* matches all addresses beginning with 00:AA:BB.

When enabling MAC authentication on a VLAN in WeOS, the associated MAC list

(white-list) must be specified. The procedure is as follows:

1. Create MAC Authentication List (AAA): Create a MAC list, and add MAC patterns to that list. A MAC pattern by default applies to all ports on the VLAN the MAC list will be mapped to, however, the MAC pattern may apply to a specific port. See

chapter 21

on Authentication, Authorisation and Accounting (AAA) for more information, in particular

sections 21.3.20

-

21.3.23

(CLI), and

21.2.16

(Web).

2. Enable MAC authentication per VLAN: When MAC authentication is enabled on a VLAN, the relevant MAC list is specified, thereby defining which MAC addresses to grant access. Access is granted on all ports, except for MAC patterns limited to a specific port. See sections

13.3.4

(Web) and

13.4.15

(CLI) for further details.

The switch will listen on the controlled ports for Ethernet packets originating from currently unknown MAC addresses. When such a packet arrives, it will use the packet’s source MAC and search through the specified MAC list for a matching entry. If one is found, the port will be opened for the specific MAC address.

Packets that do not match will be discarded (alternatively, such packets can be authentication via 802.1X).

A port will remain open for an authorised MAC as long as traffic flows. If no pack-

ets is received through the port from an authorised MAC address for 5 minutes

5

,

the port will be closed again for this address, and the authentication procedure will be re-done when new packets arrive.

As of WeOS v4.17.1 does not support MAC based authentication with a backend authentication server (e.g, RADIUS).

5

MAC aging time is by default 5 minutes, see

sections 13.1.8.1

and

13.4.2

for more information.

© 2015 Westermo Teleindustri AB

283

Westermo OS Management Guide

Version 4.17.1-0

13.3

Managing VLAN settings via the web interface

Menu path: Configuration VLAN VLANs

When entering the VLAN configuration page you will be presented to a list of all

VLANs configured on your switch, see below. Here you get an overview of the settings for all VLANs and you can create or delete VLANs. The default VLAN

(VID 1) cannot be removed (see

section 13.4.6

). To change the settings for a

specific VLAN, click the edit icon which will take you to the VLAN settings edit page.

VID

Name

The VLAN’s unique identifier.

The name of the VLAN. Automatically generated from VLAN identifier when the VLAN is created using the web tool.

Enabled

Status

Used to enable or disable a VLAN. Ports on a disabled VLAN are temporarily moved to the system default VLAN. A green check-mark means the VLAN is enabled, and a dash means it is disabled.

Current operational status of the VLAN, Up or Down.

Prio

IGMP

VLAN priority setting. Values between 0-7 or disabled. See also

section 13.1.4

. Disabled is shown using a dash.

In the VLAN overview table a green check-mark means that

IGMP snooping is enabled, and a dash means it is disabled, on a specific VLAN. See

section 13.1.5

for more information.

Interface

A list of associated interfaces.

Continued on next page

284

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Port(s)

Continued from previous page

List of ports assigned to each VLAN. Grouped as tagged and

untagged for ports configured statically to this VLAN, or as

dynamic for ports dynamically added to this VLAN by WeOS

Adaptive VLAN Trunking (AVT). (See

section 13.1.7

for more information on AVT).

1/1-1/3 means port 1/1, 1/2 and 1/3, the first and last port, and all ports in-between.

New VLAN

Click this button to create a new VLAN. You will be presented to a form where you can configure the new VLAN.

Edit

Click this icon to edit a VLAN.

Delete

Click this icon to remove a VLAN. You will be asked to acknowledge the removal before it is actually executed.

© 2015 Westermo Teleindustri AB

285

Westermo OS Management Guide

Version 4.17.1-0

13.3.1

Edit VLAN settings using the web interface

Menu path: Configuration VLAN VLANs

When clicking the Edit icon for a VLAN you will be presented to the VLAN edit page.

On VLAN Edit page you can change the settings for the VLAN as described below:

VID

The VLAN’s unique identifier. You cannot change the VID of an already created VLAN.

Enabled

Used to enable or disable a VLAN. Ports on a disabled VLAN are temporarily moved to the system default VLAN. To enable the VLAN - check the box, to disable un-check the box.

Name

The name of the VLAN. You cannot change the VLAN name using the web tool.

Continued on next page

286

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Prio

IGMP

Port

Continued from previous page

VLAN priority setting. Values between 0-7 or disabled. See also

section 13.1.4

. Select the desired VLAN priority in the drop

down list, or select disable to disable VLAN priority.

To enable IGMP snooping on this VLAN - check the box, to disable IGMP un-check the box. See

section 13.1.5

for more information.

The ports on your switch is grouped as on the actual hardware, in slots. To assign a port to the VLAN, check the Tagged or

Untagged check-box located underneath the port label. In the picture above you see all ports but 2/3 associated untagged to

VLAN 1.

A port may not be associated tagged and untagged to the same VLAN at the same time. It may not be associated untagged to more than one VLAN at a time. If you associate a port untagged to a VLAN any existing untagged association to another VLAN on that port will automatically be removed. You will be notified if this happens. For more information on the

tagged and untagged association modes, see

section 13.1.1

.

The Forbidden check-box is used to specify that this port can not be dynamically assigned to this VLAN (see

section 13.1.7

for more information on dynamic VLANs).

© 2015 Westermo Teleindustri AB

287

Westermo OS Management Guide

Version 4.17.1-0

13.3.2

Create a new VLAN using the web interface

Menu path: Configuration VLAN VLANs ⇒ New VLAN

When clicking the New VLAN button you will be presented to the new VLAN page.

The New VLAN and the Edit VLAN pages differ only by the possibility to change the VID (VLAN ID). See

section 13.3.1

for additional attribute descriptions.

VID

The VLAN’s unique identifier.

Name

The VLAN name will be automatically generated when using the web management tool. The name is shown directly when you change and leave the VID field if your browser is JavaScript enabled, otherwise it will be generated when you click the

Apply button.

288

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

13.3.3

Managing Dynamic VLAN using the web interface

This enables WeOS Adaptive Dynamic Trunking (AVT) on the switch. For more information on AVT in

section 13.1.7

.

Menu path: Configuration VLAN Dynamic

© 2015 Westermo Teleindustri AB

289

Westermo OS Management Guide

Version 4.17.1-0

13.3.4

Managing port-based access control using the web interface

Menu path: Configuration VLAN Port Access

The VLAN Port Access page shows an overview of the currently configured VLANs with the port-based access control settings.

VID

Name

The VLAN’s unique identifier.

The name of the VLAN.

802.1X

The description of the referenced 802.1X configuration, a dash means it is disabled.

See

section 21.2.13

for configuration of 802.1X.

MAC auth

The description of the referenced MAC authentication configuration, a dash means it is disabled. See

section 21.2.16

for configuration of MAC authentication

Excluded Ports

List of ports on this VLAN that are excluded from port access control.

Edit

Click this icon to edit the port access configuration for this VLAN.

290

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

13.3.5

Edit port-based access control settings

Menu path: Configuration VLAN Port Access

When clicking the Edit icon for a VLAN you will be presented to the VLAN Port

Access edit page.

VID

Name

802.1X settings

The VLAN’s unique identifier.

The name of the VLAN.

Enable IEEE 802.1X authentication for ports on this

VLAN by selecting a 802.1X configuration. See

section 21.2.13

for how to create and edit the 802.1X

configurations.

Continued on next page

© 2015 Westermo Teleindustri AB

291

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

MAC Auth settings

Enable MAC based authentication by selecting a configuration.

See

section 21.2.16

for managing

MAC authentication configurations.

Excluded Ports

The ports on your switch is grouped as on the actual hardware, in slots. Check the box underneath the port label to exclude that port from access control.

An excluded port will be open and does not require authentication. This is suited for uplink ports, trunk ports and for connecting servers. The default for ports is unchecked, thus enabling port access control/authentication. Check-boxes can be shown as disabled, like port 1 and 2 in the above picture. This means that the current VLAN does not have this port as a member and is therefore not relevant for exclusion. See

section 13.3.1

for managing the relations between ports and VLANs.

292

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

13.3.6

Port-based access control statistics

Menu path: Status Port Access

Here you can see an overview over port access status on a per-port basis. The

802.1X column shows if IEEE 802.1X is enabled for a port or not. The MAC auth column shows if MAC based authentication is enabled.

You can also see the current number of authenticated hosts. This value is only showing hosts that have authenticated recently. There may be more hosts on the network that can be authenticated via MAC based authentication but are inactive on the network for the moment. See

section 13.2.2

for information about inactivity and MAC based authentication.

A detailed view of the authenticated hosts is shown if you click on the magnifier icon for a port. This view shows all authenticated host by their MAC address. This list shows hosts that are authenticated with both IEEE 802.1X and MAC based authenticated together.

© 2015 Westermo Teleindustri AB

293

Westermo OS Management Guide

Version 4.17.1-0

13.4

Managing VLAN settings via the CLI

Command

MAC Forwarding Database Configuration fdb

[no] aging-timeout <0|1-3825>

[no] mac <MACADDR> port <PORTLIST>

Default

300

General VLAN Configuration

[no] vlans

[no] dynamic <adaptive> Disabled

Section

Section 13.4.1

Section 13.4.2

Section 13.4.3

Section 13.4.4

Section 13.4.5

Per VLAN Configuration

[no] vlan <VID>

[no] enable name <VLANNAME>

[no] untagged <PORTLIST>

[no] tagged <PORTLIST>

[no] forbid <PORTLIST>

[no] priority <0-7>

[no] igmp channel <CHANNELID>

[no] dot1x-auth <ID>

[no] mac-auth <ID>

[no] except-auth <PORTLIST>

Show Port-Based Access Control Status show dot1x-auth show mac-auth

Enabled

Section 13.4.6

Section 13.4.7

vlan<VID>

Section 13.4.8

Section 13.4.9

Section 13.4.10

Disabled

Enabled

0

Disabled

Disabled

Disabled

Section 13.4.11

Section 13.4.12

Section 13.4.13

Section 13.4.14

Section 13.4.15

Section 13.4.16

Section 13.4.17

Show VLAN Status and MAC Forwarding Database Status show vlans show fdb

Section 13.4.18

Section 13.4.19

Section 13.4.20

Section 13.4.21

294

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

13.4.1

Managing MAC Forwarding Database Settings

Syntax fdb

Context

Global Configuration

context

Usage Use the ”fdb” command to enter the

MAC Forwarding Databas

context

(fdb).

Use ”show fdb” to show current FDB settings (list of configured MAC address filters, and the configured aging timeout). Also available as ”show” command within the

MAC Forwarding Databas .

Default values Not applicable.

13.4.2

Configure MAC Address Aging Timeout

Syntax [no] aging-timeout <0|1-3825>

Context

MAC Forwarding Databas

context (fdb)

Usage Set the aging timeout (in seconds) for unicast MAC addresses learnt dynamically. The configured aging timeout will only be an approximation of the actual aging timeout. The value is first rounded upwards in steps of

15 seconds. The MAC entries will be purged from the forwarding database within 1/7th of the resulting aging timeout.

Use ”no aging-timeout” or ”aging-timeout 0” to disable aging entirely.

Use ”show aging-timeout” to view the current setting.

Default values 300 (seconds)

13.4.3

Configure Static MAC Filter Entries

Syntax [no] mac <MACADDRESS> port <[PORTS] [ALL] [CPU] | [NONE]>

Context

MAC Forwarding Databas

context (fdb)

Usage Add or delete a static MAC address filter. The ”MACADDRESS” is written as a colon separated hexadecimal value, e.g., ”01:23:45:56:89:AB”.

The ”PORTLIST” states the port(s) where packets with the given (destination) MAC address are to be forwarded. As of WeOS v4.17.1, the static MAC

© 2015 Westermo Teleindustri AB

295

Westermo OS Management Guide

Version 4.17.1-0 filters are only intended to be used for multicast MAC addresses (not unicast

MAC or the broadcast MAC addresses).

The ”PORTLIST” can include both visual ports (e.g., ”eth 2/1-2/4” on a slotted WeOS unit) as well as the internal CPU port(s):

ˆ PORT(S): Port, set of or range of ports, e.g. eth 1,3-5

ˆ ALL: All visible ports, excluding internal CPU port(s)

ˆ NONE: No ports, filter this MAC address

ˆ CPU: The internal CPU port(s)

Use ”no MAC <MACADDRESS>” to remove a specific static MAC filter, or ”no

MAC” to remove all static MAC filters.

Use ”show mac” to list configured MAC address entries.

Default values (The factory default configuration includes a set of static MAC filters.)

13.4.4

Managing general VLAN settings

Syntax [no] vlans

Context

Global Configuration

context

Usage Enter the

General VLAN Configuration

context (vlans). The

General VLAN

Configuration

context can be used to configure VLAN settings applicable to all VLANs.

Use ”no vlans” to remove all VLANs except the switch default VLAN (VLAN 1).

All ports will be configured untagged on VLAN 1.

Use ”show vlans” to list all configured VLANs and general VLAN settings.

Default values Not applicable.

13.4.5

Enable dynamic VLAN

Syntax [no] dynamic <adaptive>

Context

General VLAN Configuration

context (vlans)

296

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Use the ”dynamic adaptive” command to enable WeOS Adaptive Dynamic Trunking (AVT) on the switch. For more information on AVT in

section 13.1.7

.

Future versions of WeOS may include support for dynamic VLAN via GVRP in addition to AVT, but currently only AVT is supported.

Use ”no dynamic” to disable dynamic VLAN support.

Use ”show dynamic” to see the dynamic VLAN setting.

Default values Disabled

13.4.6

Managing individual VLANs

Syntax [no] vlan <VID>

Context

Global Configuration

context

Usage Enter

VLAN Configuration

context of the given VID. If this is a new VLAN, the VLAN will be created first upon leaving the VLAN context with end or

leave.

Use ”no vlan <VID>” to remove an existing VLAN. The default VLAN (VLAN 1) cannot be removed. Removal of a VLAN may imply that some ports will no longer be associated with any VLAN - such ports will be configured to the default VLAN (VLAN 1) untagged.

Use ”show vlan” (or ”show vlans”) to list all configured VLANs and general

VLAN settings. Use ”show vlan VID” to list detailed configuration information for a specific VLAN (also available as ”show” command within the

VLAN

Configuration

context of the given VID.

Default values Not applicable.

© 2015 Westermo Teleindustri AB

297

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/#> show vlan 1

VLAN ID : 1

Status

Name

Channel

: Enabled

: vlan1

: 0

Priority

Untagged

Tagged

Forbid

IGMP

: Disabled

: U:eth 1-4

: T:

: F:

: Enabled

Learning

802.1Q VLAN

802.1X Auth

MAC Auth

: Enabled

: Enabled

: Disabled

: Disabled

Except Port Auth : example:/config/#>

13.4.7

Enable/disable a VLAN

Syntax [no] enable

Context

VLAN Configuration

context

Usage Enable or disable a VLAN. A disabled VLAN is similar to a deleted VLAN, except that its configuration is stored, and will be activated when the VLAN is enabled. That is, when a VLAN is disabled, its ports may be moved onto the default VLAN (unless they are associated with another VLAN), and any network interface associated with the VLAN will be disabled.

Use ”show enable” to view the current configuration.

Default values enable

13.4.8

VLAN name

Syntax name <ID>

Context

VLAN Configuration

context

Usage Specify VLAN name, i.e., VLAN description. Max 15 characters, only alpha-numerical characters ([a-z,A-Z,0-9]) allowed.

Use ”show name” to view the VLAN name setting.

298

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Default values If no VLAN ”name” command is given, the VLAN name defaults to vlanVID, e.g., vlan100 for VID 100.

13.4.9

Manage untagged ports

Syntax [no] untagged <PORT|PORTLIST>

Context

VLAN Configuration

context

Usage Associate port(s) with this VLAN VID in untagged mode. Only a single

VLAN VID can be associated untagged with each port. Ports associated with a VLAN VID untagged will have that VID as default VID - this will have precedence over any (fall-back) default VID configuration set in port context.

Use ”no untagged <PORTLIST>” to remove untagged ports from a VLAN. If removal of an untagged port implies that the port is no longer associated with any VLAN, that port will be configured to VLAN 1 untagged.

Use ”show untagged” to view ports associated untagged with this VLAN.

Default values Factory default lets all ports be associated with the default VLAN

(VLAN 1) untagged. For new VLANs, ports must explicitly be added.

Error messages

ˆ A notification message is given in case the addition of port as untagged on one VLAN implies that the same port will be removed as untagged on another VLAN.

ˆ A notification message is given in case the addition of port as untagged on one VLAN implies that the same port will be removed as tagged on the same VLAN (a port cannot be associated both tagged and untagged with the same VLAN).

A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.

13.4.10

Manage tagged ports

Syntax [no] tagged <PORT|PORTLIST>

Context

VLAN Configuration

context

Usage Associate port(s) with this VLAN VID in tagged mode.

© 2015 Westermo Teleindustri AB

299

Westermo OS Management Guide

Version 4.17.1-0

Use ”no tagged <PORTLIST>” to remove tagged ports from a VLAN. If removal of a tagged port implies that the port is no longer associated with any

VLAN, that port will be configured to VLAN 1 untagged.

Use ”show tagged” to view ports associated tagged with this VLAN.

Default values Not applicable.

Error messages A notification message is given in case the addition of port as tagged on one VLAN implies that the same port will be removed as untagged on the same VLAN (a port cannot be associated both tagged and untagged with the same VLAN).

A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.

13.4.11

Manage forbidden ports

Syntax [no] forbid <PORT|PORTLIST>

Context

VLAN Configuration

context

Usage Prohibit that ports are dynamically added (AVT) to this VLAN ID, see also

sections 13.1.7

and

13.4.5

.

Use ”no forbid <PORTLIST>” to remove ports from the list of ports forbidden to be associated with this VLAN.

Use ”show forbidden” to view ports associated forbidden with this VLAN.

Default values Not applicable.

A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.

13.4.12

VLAN priority setting

Syntax [no] priority <0-7>

Context

VLAN Configuration

context.

Usage Set the (IEEE 802.1p) priority associated with this VLAN. Incoming packets associated with this VLAN will receive this priority.

300

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

”no priority” will disable VLAN priority for this VLAN. Priority for packets associated with this VLAN will then be based on port priority settings.

Use ”show priority” to view the priority setting for this VLAN.

Default values Disabled (”no priority”).

13.4.13

VLAN IGMP Snooping

Syntax [no] igmp

Context

VLAN Configuration

context.

Usage Enable, or disable IGMP Snooping for this VLAN.

Use ”show igmp” to view the IGMP snooping setting for this VLAN.

Default values IGMP snooping enabled.

13.4.14

CPU channel mapping

Syntax channel <CHANNELID>

Context

VLAN Configuration

context.

Usage Specify CPU channel to use for this VLAN. The channel identifier can take values in the range <0-CHANNELIDMAX>. The purpose of this command is to improve routing performance by mapping VLANs to different CPU channels, see

section 13.1.6

.

Hint

Use the ”show system-information” command (see

section 7.3.2

) to

find out the number of channels.

ˆ Look for the line ”Channel interfaces” in the information of the CPU card to see the number of channels.

ˆ CHANNELIDMAX equals ”number of channels”-1.

Use ”show channel” to view the CPU channel setting for this VLAN.

Default values 0 (zero), i.e., by default all VLANs will use channel 0.

© 2015 Westermo Teleindustri AB

301

Westermo OS Management Guide

Version 4.17.1-0

13.4.15

IEEE 802.1X authentication

Syntax [no] dot1x-auth <ID>

Context

VLAN Configuration

context.

Usage Specify the IEEE 802.1X configuration to be used for this VLAN. Setting this enables port-based access control for all ports untagged in this VLAN, except for the ports defined with ”except-auth” (see

section 13.4.17

). The

ID value references the 802.1X configuration. This configuration is managed in the AAA subsystem, see

chapter 21 . Use ”no dot1x-auth” to disable

IEEE 802.1X authentication for this VLAN.

Use ”show dot1x-auth” to view the IEEE 802.1X authentication setting for this VLAN.

Default values Disabled, i.e. IEEE 802.1X is not used.

13.4.16

MAC based authentication

Syntax [no] mac-auth <ID>

Context

VLAN Configuration

context.

Usage Specify the MAC authentication configuration to be used for this VLAN.

Setting this enables port-based access control for all ports untagged in this

VLAN, except for the ports defined with ”except-auth” (see

section 13.4.17

).

The ID value references the MAC authentication configuration. This configuration is managed in the AAA subsystem, see

chapter 21 . Use ”no

mac-auth” to disable MAC based authentication for this VLAN.

Use ”show mac-auth” to view the MAC based authentication setting for this

VLAN.

Default values Disabled, i.e. MAC based authentication is not used.

13.4.17

Except ports from authentication

Syntax [no] except-auth <PORT|PORTLIST>

Context

VLAN Configuration

context.

302

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Disables port-based access controls for specific ports. This is used together with ”dot1x-auth” and ”mac-auth” to exclude specific ports from needing authentication. This is suitable for uplinks, trunks and ports with servers connected. Use ”no except-auth” to remove all port exceptions, thus enabling access control on all untagged ports in this VLAN.

Use ”show mac-auth” to view ports configured to be excluded from portbased access control for this VLAN.

Default values Disabled, no ports excluded.

13.4.18

Show VLAN status (all VLANs)

Syntax show vlans

Context

Admin Exec

context

Usage Show VLAN status information for all VLANs.

Default values Not applicable.

13.4.19

Show Current MAC Forwarding Database

Syntax show fdb

Context

Admin Exec

context

Usage Show the current state of the MAC forwarding database. This includes the list of MAC addresses known to the switch, and the port(s) to forward packets to each MAC address. The ageing timeout for automatically learnt unicast MAC addresses is also shown.

Default values Not applicable.

© 2015 Westermo Teleindustri AB

303

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> show fdb

MAC VLAN State Portvec Port(s)

===============================================================================

00:07:7c:81:de:1a

00:07:7c:81:de:1d

ANY

ANY

0x0f

0x01

0x0

0x0

CPU

CPU

00:0d:88:cd:3a:9c

01:00:5e:00:00:01

01:00:5e:00:00:02

01:00:5e:00:00:04

01:00:5e:00:00:05

ANY

ANY

ANY

ANY

ANY

0x01

0x07

0x07

0x07

0x07

0x1

0x3fff

0x3fff

0x3fff

0x3fff

ETH 1/1

ALL

ALL

ALL

ALL

01:00:5e:00:00:06

01:00:5e:00:00:09

01:00:5e:00:00:0a

01:00:5e:00:00:0d

01:00:5e:00:00:0e

01:00:5e:00:00:12

01:00:5e:00:00:18

01:00:5e:00:00:66

01:00:5e:00:00:6b

01:00:5e:00:00:fb

ANY

ANY

ANY

ANY

ANY

ANY

ANY

ANY

ANY

ANY

01:80:c2:00:00:0e ANY

FDB Aging time: 300 sec.

example:/#>

0x07 0x3fff

0x07 0x3fff

0x07 0x3fff

0x07 0x3fff

0x07

0x07 0x3fff

0x07 0x3fff

0x07 0x3fff

0x07 0x3fff

0x07

0x07

0x3fff

0x3fff

0x3f

ALL

ALL

ALL

ALL

ALL

ALL

ALL

ALL

ALL

ALL

ETH 1/1-ETH 2/4

13.4.20

Show IEEE 802.1X authentication status

Syntax show dot1x-auth

Context

Admin Exec

context

Usage Show hosts that are currently authenticated with IEEE 802.1X.

Default values Not applicable.

13.4.21

Show MAC based authentication status

Syntax show mac-auth

Context

Admin Exec

context

Usage Show hosts that are currently authenticated with MAC based access control.

304

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Note

There may be hosts on the network that matches the MAC authentication filters, but are inactive for the moment. Inactive hosts are flushed out of this list and will be re-authenticated again on resumed activity.

See

section 13.2.2

for details.

Default values Not applicable.

© 2015 Westermo Teleindustri AB

305

Westermo OS Management Guide

Version 4.17.1-0

Chapter 14

FRNT

The Fast Reconfiguration of Network Topology (FRNT) protocol handles fast reconfiguration in switched ring topologies. When rapid convergence in case of link or switch failure is required, FRNT becomes the protocol of choice when it comes to layer-2 resilience and robustness.

In addition to FRNT, WeOS supports the standard RSTP protocol. Management of

RSTP is described in

chapter 16 .

14.1

Overview of the FRNT protocol and its features

The table below summarises FRNT features available via the Web and CLI interfaces. A general description of the FRNT protocol and its features are presented in

sections 14.1.1

and

14.2

. If you are only interested in knowing how to manage

the FRNT features via the Web or CLI, please visit

sections 14.3

or

14.4

directly.

Feature

Enable FRNT

Set FRNT mode (focal-point or member switch)

Set FRNT ring ports

View FRNT Status

Web

CLI

General Description

X

X

X

X

Section 14.1.1

-”-

X

X

X

X

-”-

-”-

306

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

14.1.1

FRNT introduction

The FRNT protocol handles fast reconfiguration in switched ring topologies. One of the switches has the role of FRNT focal point while the other switches are referred to as FRNT members. When the switches are connected in a ring, it is the responsibility of the focal point to break the loop by putting one of its ports

(port ”M”) in blocking mode, see

fig. 14.1

.

Note

In an FRNT ring, only one of the switches can be configured as focal point.

The other switches should be configured as member switches (i.e., non-

”focal-point”).

Member

M N M

Focal

Point

N

Member

M N

Member

M

N

Figure 14.1: FRNT network operating in ring mode. Port ”M” on the Focal Point is in BLOCKING state.

Once a link failure is detected somewhere along the ring, the focal point will put its blocked port (port ”M”) in forwarding mode to establish full connectivity between the switches (see

fig. 14.2

). FRNT is event based: switches detecting

a link down event will immediately send a link down FRNT message towards the focal point. Intermediate switches will forward the FRNT messages with highest priority, and the focal point will open its BLOCKED port (port ”M”) upon receiving the link down message.

Member

M N

Focal point opens redundant path

Focal

Point

M N

Member

M N

Link break

Member

M N

Figure 14.2: FRNT network operating in bus mode due to broken link.

Similarly, when a broken link comes back up again and the ring is fully connected,

© 2015 Westermo Teleindustri AB

307

Westermo OS Management Guide

Version 4.17.1-0 the focal point will react and put its port ”M” back to blocking state.

14.1.2

Guidelines when selecting FRNT ports

When enabling FRNT on a switch, you need to select two ports to use as FRNT

ports – FRNT port ”M” and FRNT port ”N”

1

. Below are some recommendations

and rules when selecting and configuring the FRNT ports.

ˆ Fixed speed, full duplex: When using Ethernet ports as FRNT ports, fixed speed (and full duplex) is recommended over auto-negotiation of speed and duplex mode on the FRNT ports. Avoid using 10 Mbit/s speed.

ˆ Avoid using copper SFPs as FRNT ports: When using Ethernet ports as FRNT ports, choose fixed Ethernet ports or fiber SFPs. Copper SFPs may be used as

FRNT ports, but will generally imply non-negligible degradation of fail-over performance.

ˆ SHDSL ports as FRNT ports: It is possible to use SHDSL ports as FRNT ports, but failover performance is degraded as compared to (fixed) Ethernet ports.

FRNT will not work correctly on SHDSL links with speed below 64 kbit/s.

14.1.3

VLANs used by FRNT

FRNT uses VLAN IDs 4020-4022 and 4032-4033 for its signalling. Thus, when

FRNT is enabled on a switch, these VLANs are implicitly reserved and cannot be configured by the user.

Warning

Note on using intermediate active equipment For FRNT to operate properly, there should not be any ”non-FRNT- enabled” switches (or other active equipment) in the FRNT ring. However, if two FRNT nodes are interconnected via a non-FRNT switch for testing purposes, that intermediate switch must be configured to let VLANs 4020-4022 and 4032-4033 through.

1

In earlier WeOS versions, port ”M” and ”N” have been denoted port ”1” and ”2” respectively.

308

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

14.2

FRNT and RSTP coexistence

With WeOS it is possible to run FRNT and RSTP on the same switch, be it with some topology restrictions. Fig.

14.3

shows an example of such a configuration, where two of the switches in the FRNT ring (thick lines) are running RSTP on the

”non-FRNT” ports.

RSTP

Switch

FRNT

Switch

FRNT/

RSTP

Switch

FRNT

Switch

Loop handled by FRNT

FRNT/

RSTP

Switch

RSTP

Switch

Loop handled by RSTP

Loop handled by RSTP

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

Figure 14.3: Example of coexistence of FRNT and RSTP.

As both RSTP and FRNT want to control a port’s state (FORWARDING/BLOCKING), only one of the protocols may be activated on each port to avoid protocol conflicts. Therefore, if both FRNT and RSTP are configured to operate on a certain port, FRNT will have precedence to control the port’s state.

Warning

FRNT and RSTP are each able to handle loops within their respective domains, however, if a physical loop is created including some links controlled by RSTP and others by FRNT, a broadcast storm is likely to occur, since neither RSTP nor FRNT is able to discover the loop, see fig.

14.4

. Thus, if RSTP

and FRNT is mixed in the same layer-2 network, the operator must ensure that loops across RSTP and FRNT links never occur.

© 2015 Westermo Teleindustri AB

309

Westermo OS Management Guide

Version 4.17.1-0

RSTP

Switch

RSTP

Switch

Loop handled by RSTP

FRNT

Switch

FRNT/

RSTP

Switch

FRNT

Switch

Loop handled by FRNT

FRNT/

RSTP

Switch

Loop

Causing

Storm!

Loop handled by RSTP

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

Figure 14.4: Example of loop spanning FRNT and RSTP links - a broadcast storm is likely to occur.

310

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

14.3

Managing FRNT settings via the web interface

14.3.1

Managing FRNT settings

Menu path: Configuration L2 Redundancy FRNT

On the FRNT configuration page you will be presented to the current settings for

FRNT on your switch, see below.

Ring ID

A unique identifier for the FRNT-ring. Currently only one ring is available.

Focal Point

The focal point is the unit in the ring which is responsible for making decisions on topology change. A green checkmark indicates this unit will take the role as focal point in the FRNT ring. A dash indicates the unit will act as a

member unit.

Port M/Port N

FRNT requires two ports to be assigned FRNT-ports.

These are connected to peer units participating in the

FRNT ring. The two ports connected to other units in the

FRNT ring.

Note: Ports with copper SFPs should not be used as FRNT ports, due to slow link down indication on copper SFPs.

See

section 14.1.2

for further guidelines on FRNT port selection.

Couplings

Lists the currently configured FRNT Ring-Couplings associated with this FRNT-ring, and the coupling uplink ports.

Edit

Click this icon to edit an FRNT instance.

Delete

Click this icon to remove an FRNT instance.

If no FRNT instance is configured you may create one by clicking the New button.

© 2015 Westermo Teleindustri AB

311

Westermo OS Management Guide

Version 4.17.1-0

When editing a new or existing instance the page below is displayed.

312

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

The FRNT settings are described in the table above. The lower part contains a section, Couplings, where the FRNT Ring-Couplings, associated with this FRNT instance, is listed. This section will appear after clicking the Apply when a new

FRNT instance is created.

To create a new Coupling instance, click the New Coupling button (visible until

MAX_RING_COUPLING_INSTANCES ( section 15.4

) has been reached). New and

existing Ring-Couplings are edited on the page below:

© 2015 Westermo Teleindustri AB

Continued on next page

313

Westermo OS Management Guide

Version 4.17.1-0

Enabled

Continued from previous page

A green checkbox if the coupling instance is enabled, a minus sign if not. On edit page, check/uncheck box to enable/disable coupling instance.

The interval between two hello messages in mili-seconds.

Hello Time

Uplinks

Port

The uplink port.

Priority

The uplinks priority. Used for calculating active uplink.

Adjustment

Priority adjustment delta for this uplink. Makes the uplink sticky by adjusting the effective priority with this value when uplink becomes active.

Path Cost

The uplinks path cost. Used for calculating active uplink.

Auto (check-box checked) indicates path-cost is automatically calculated (based on link speed).

Delete

Add

Click this icon to remove a coupling instance.

Click this icon to add a new coupling instance.

314

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

14.3.2

FRNT Status and Statistics

Menu path: Status L2 Redundancy FRNT

On this page FRNT status and statistics are presented.

Figure 14.5: FRNT status and statistics in web

FRNT Status and Statistics

Ring

Enabled

Mode

Status

Port M

Port N

Topology

Change Count

Instance ID for the FRNT ring.

Indication if the ring is enabled or not.

Focal point or member.

Ring status, OK or BROKEN.

Status of port operating

1 as FRNT port M.

Status of port operating

1 as FRNT port N.

Number of FRNT topology changes.

Time Since

Last Change

Time since last FRNT topology change.

Continued on next page

© 2015 Westermo Teleindustri AB

315

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

Ring Coupling

Local/Global

Port

Active

MAC

Effective Priority

Path-Cost

Speed/Duplex

Hello Time

Synchronized

Link Changes

Local - uplinks located on this switch.

Global - uplinks reported from other switches in the FRNT ring.

The uplink port name, if any available on the distributing unit. Otherwise an information message stating that no uplinks are available.

A green check-mark indicates this is the active uplink for the ring coupling instance.

The MAC address of the unit distributing this piece of uplink information.

The actual priority value used in uplink selection. When configuring an adjustment delta this may differ from the configured priority for an active uplink. Used to minimize uplink changes when an active uplink goes down and up again.

The current path-cost. If auto configuration selected, this value is calculated based on port speed.

Speed duplex on the uplink port. Only applicable for local uplinks.

The configured and effective (negotiated) hello-time on each unit.

A green check-box indicates this uplink has been synchronized with its neighbor. Only applicable for local uplinks.

Number of link changes. Only applicable for local uplinks.

Auto Refresh

Refresh

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds.

Click Off to turn off auto refresh.

Click on this button to reload with updated statistics.

1

If the port referred to as FRNT port ”M” and FRNT port ”N” in the FRNT statistics page (operational FRNT ”M” and ”N”) does not match the administratively configured FRNT ”M” and ”N” ports

(see the FRNT configuration page in

section 14.3.1

), the ports are logically swapped/aligned with

the ”M” and ”N” ports of the focal-point.

316

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

14.4

Managing FRNT settings via the CLI

Command

Configure FRNT settings

[no] frnt [ID]

[no] focal-point ring-ports <PORT-M, PORT-N>

Default Section

Section 14.4.1

focal-point

Section 14.4.2

Section 14.4.3

Show FRNT status show rings show ipconfig

Section 14.4.4

Section 7.3.34

14.4.1

Managing FRNT

Syntax [no] frnt [<ID>]

Context

Global Configuration

context

Usage Enter FRNT context of the given FRNT instance ID. Currently only a single

FRNT instance is supported, thus the value of the FRNT ID is ignored.

The FRNT instance is only activated upon the selection of valid FRNT ring ports, see

section 14.4.3

.

Use ”no frnt [ID]” to remove an existing FRNT instance.

Use ”show frnt” to list configured FRNT settings (also available as ”show” command within the

FRNT Configuration

context).

Default values Default ID is 1

14.4.2

FRNT focal point and member switch

Syntax [no] focal-point

Context

FRNT Configuration

context

Usage Configure device to act as FRNT focal point for this FRNT instance. Use

”focal-point” to configure the device to act as an FRNT focal-point, and

”[no] focal-point” to configure the device as an FRNT member switch.

© 2015 Westermo Teleindustri AB

317

Westermo OS Management Guide

Version 4.17.1-0

Use ”show focal-point” to show whether the unit is configured as focalpoint or member switch

Default values focal-point

14.4.3

FRNT Ring Ports

Syntax ring-ports <PORT-M,PORT-N>

Context

FRNT Configuration

context

Usage Set the physical ports (Ethernet ports or SHDSL ports) to use as FRNT ports ”M” and ”N”.

For each FRNT instance, there are two FRNT ports named Port ”M” and Port

”N”. On a member switch Port ”M” and ”N” have similar roles, however, on a focal point their roles differ - when the ring is fully connected the focal point will put its Port ”M” in BLOCKING state.

Note

For restrictions on how to select FRNT ports, see

section 14.1.2

.

Use ”show ring-ports” to show configured FRNT ring ports.

Default values Not applicable

14.4.4

Show FRNT ring status

Syntax show rings

Context

Admin Exec

context.

Usage Show status of configured FRNT rings. This will provide information

ˆ whether the ring is up (ring mode) or if the ring is broken (bus mode).

Note: A focal point switch will detect ring failures located anywhere in the ring, while a member switch can only detect local failures (local

FRNT port is down, or if a neighbour is down).

ˆ If the FRNT ports on this switch are connected in-line with the M/N ports of the focal-point, or if they are logically swapped (i.e., if the FRNT ports’

318

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

administrative M/N state equals the operational M/N state, or if ports are swapped).

ˆ The status of the local FRNT ports (UP/DOWN, FORWARDING/BLOCKING).

Default values Not applicable.

© 2015 Westermo Teleindustri AB

319

Westermo OS Management Guide

Version 4.17.1-0

Chapter 15

FRNT Ring Coupling and

Multi-Link Dual Homing

This chapter describes WeOS FRNT Ring Coupling and Multi-Link Dual Homing, two similar layer-2 (switching) fail-over functions.

FRNT Ring Coupling enables bridging of two or more FRNT rings via multiple layer-2 uplinks. Only one uplink is active at a time, while others are hot stand-by

backups, providing redundancy and loop-free connectivity.

Multi-Link Dual-Homing (or simply ”Dual-Homing”) lets you connect a WeOS switch to a layer-2 topology via multiple uplinks. Optimal fail-over performance is achieved when connecting the dual-homing switch uplinks to a single FRNT ring, or to two adjacent FRNT rings (connected with Ring Coupling), but Dual-Homing can also be used in other layer-2 topologies.

Both FRNT Ring Coupling and Multi-Link Dual-Homing provide fine-grained control of which uplink is to be preferred as active. By default, the link with highest speed/duplex mode is elected. To avoid shifting between active uplinks when a new uplink becomes available, a feature referred to as sticky uplink is provided.

Enabling sticky uplink gives ”zero” fail-over time on link-up and mitigates possible problems with flapping links.

Section 15.1

presents further information on FRNT Ring Coupling and the Multi-

Link Dual-Homing functionality. Web and CLI support for these features are covered in

sections 15.2

and

15.3

respectively.

320

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

15.1

Overview

Feature

FRNT Ring Coupling

Enable

Hello Interval

Define Uplink(s)

Uplink Path-Cost

Uplink Priority

Ring Coupling Status

Web

CLI

General Description

X

X

X

X

X

X

X

X

X

X

X

X

X

X

Section 15.1.1

Section 15.1.1.2

Sections 15.1.1

Section 15.1.3

-”-

and

15.1.3

Multi-Link Dual-Homing

Enable

Synchronized

Multiple Instances

Define Uplink(s)

Uplink Path-Cost

Uplink Priority

Dual-Homing Status

X

X

X

X

X

X

X

Section 15.1.2

X

X

Section 15.1.2.1

X

Section 15.1.2.2

X

Sections 15.1.2

and

15.1.3

X

Section 15.1.3

X

-”-

X

15.1.1

FRNT Ring Coupling

FRNT Ring Coupling (RiCo) enables redundant bridging between two or more

FRNT rings.

Fig. 15.1a

shows a simple example where two RiCo nodes in an FRNT

sub-ring are connected with one uplink each to the FRNT super-ring. A super-ring is a ring without RiCo nodes. It is possible to use more than two RiCo nodes in the sub-ring, and each RiCo node can have more than one uplink, as shown in

fig. 15.1b

.

Only one of the uplinks is forwarding data – the active uplink, ”solid” in

fig. 15.1

,

while the other uplink(s) are hot-standby backups, ”dashed” in

fig. 15.1

. To pre-

vent traffic to flow over backup uplinks the RiCo nodes put all backup uplinks in

BLOCKING state.

In the CLI example below the leftmost Ring Coupling node in

fig. 15.1a

is a WeOS unit configured as an FRNT member switch (see

chapter 14 ) with ring-ports ’1’

© 2015 Westermo Teleindustri AB

321

Westermo OS Management Guide

Version 4.17.1-0

Super−ring

FRNT

Super−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

RiCo a) b)

Figure 15.1: Ring Coupling with two FRNT rings: (a) single uplinks, and (b) multiple uplinks per Ring Coupling node.

and ’2’, and port ’3’ as uplink.

Example

example:/#> configure example:/config/#> frnt

Activating FRNT0 with default settings, remember to change the ring ports!

Invalid settings: No ring ports defined example:/config/frnt-1/#> ring-ports 1,2 example:/config/frnt-1/#> no focal-point example:/config/frnt-1/#> coupling

Creating new instance 1 example:/config/frnt-1/coupling-1/#> uplink 3 example:/config/frnt-1/coupling-1/uplink-eth3/#> priority 100 example:/config/frnt-1/coupling-1/uplink-eth3/#> leave

Starting Fast Redundant Network Topology v0 daemon ......... [ OK ]

Starting Ring bridging/dual-homing daemon .................. [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example:/#>

Here, the uplink priority was given the value ”100” to make it the preferred active uplink, the default is 128, for further details see

section 15.1.3

.

It is of course possible to connect multiple sub-rings to one super-ring. The uplinks from the sub-rings can be connected to individual nodes in the super-ring

322

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

(see

fig. 15.2a

) or the nodes in the super-ring can be shared, see fig. 15.2b

.

Sub−ring

FRNT

RiCo RiCo

Super−ring

FRNT

Super−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

RiCo RiCo

Sub−ring

FRNT a) b)

Figure 15.2: Two sub-rings connecting to (a) individual nodes in the super-ring, or

(b) shared nodes in the super-ring.

The topology can be extended even further by connecting sub-rings to sub-rings in a tree structure with a super-ring as root.

Fig. 15.3

shows two examples, a ladder topology (a) and a tree topology (b).

15.1.1.1

Ring Coupling and Routing

FRNT Ring Coupling is a function to connect FRNT rings at layer-2 (switching).

This improves capacity and failover performance compared to layer-3 (routing)

mechanisms such as OSPF ( chapter 27 ). Nevertheless, routing techniques have

© 2015 Westermo Teleindustri AB

323

Westermo OS Management Guide

Version 4.17.1-0

Super−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

Sub−ring

FRNT

RiCo

RiCo

Super−ring

FRNT

Sub−ring

FRNT

RiCo

RiCo

RiCo RiCo

Sub−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

RiCo RiCo

Sub−ring

FRNT

RiCo RiCo

Sub−ring

FRNT a) b)

Figure 15.3: Examples of tree topologies: (a) shows a ”ladder” (a tree without branches), and (b) a more generic tree of FRNT rings.

324

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 good scalability characteristics as the network is segmented into different broadcast domains.

Although technically feasible, it is strongly recommend to separate ring coupling and routing, localizing the distinct functions in dedicated WeOS units, i.e., do not use RiCo nodes also as routers.

Note

In some cases using RiCo nodes as routers makes sense. To ensure correct operation of the RiCo node, the CPU bandwidth is reduced by default, i.e.,

when ”cpu-bandwidth-limit” is set to ”auto” ( section 20.2.6

) on a WeOS

unit configured for FRNT Ring Coupling or Multi-link Dual-Homing. This in turn reduces routing performance.

This automatic reduction of CPU bandwidth can be overridden by changing

the CPU bandwidth limit setting ( section 20.2.6

).

15.1.1.2

Ring Coupling Hello Interval

RiCo nodes in the same FRNT ring exchange Hello messages as part of the active uplink election process, see also

section 15.1.3

. These Hello messages are trans-

mitted every 100 ms by default. The hello interval can be fine tuned – a lower value gives faster failover, but may have an adverse effect on the CPU usage.

When the CPU usage increases RiCo nodes may not be able to send Hello messages and will time out. This can lead to unpredictable performance and loss of connectivity.

It is recommended that all RiCo nodes within an FRNT ring are configured with the same Hello interval. If there are RiCo nodes with different Hello interval in an

FRNT ring, the protocol will default to the highest interval announced by any RiCo node, i.e., a RiCo node’s effective hello interval may differ from its configured

hello interval. E.g., if you wish to transition from using ”hello-time 100” to

”hello-time 80”, all RiCo nodes will use interval 100 ms until all RiCo node’s in the FRNT ring has been configured with interval 80 ms.

© 2015 Westermo Teleindustri AB

325

Westermo OS Management Guide

Version 4.17.1-0

15.1.2

Multi-Link Dual-Homing

Multi-Link Dual-Homing makes is possible for a WeOS dual-homing node to have redundant connections to an FRNT ring.

Fig. 15.4

shows an example where two dual-homing nodes are connected to the FRNT ring with two connections each.

Dual

Hom.

FRNT

Dual

Hom.

FRNT

Dual

Hom.

Dual

Hom.

a) b)

Figure 15.4: Dual-Homing with single FRNT ring (super-ring). (a) and (b) show the same topology in different ways.

Consider one of the dual-homing nodes in

fig. 15.4a

, assuming it is a WeOS switch

with Ethernet ports ’1’ and ’2’ as uplinks, and where port ’1’ is to be active by default. A possible configuration is given below:

Example

example:/#> configure example:/config/#> dual-homing

Creating new instance 1 example:/config/dual-homing-1/#> uplink 1 example:/config/dual-homing-1/uplink-eth1/#> priority 100 example:/config/dual-homing-1/uplink-eth1/#> end example:/config/dual-homing-1/#> uplink 2 example:/config/dual-homing-1/uplink-eth2/#> leave

Starting Ring bridging/dual-homing daemon .................. [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example:/#>

326

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Note

It is possible to connect uplinks of a WeOS dual-homing switch to any layer-2 topology, but failover performance is optimised for FRNT rings.

When connecting uplinks to LAN topologies other than FRNT the synchro-

nised option in dual-homing must be disabled, see

section 15.1.2.1

, other-

wise the uplinks will not come up.

Section 15.1.2.1

describes the synchronised dual-homing function, illustrates how you can combine Multi-Link Dual-Homing and FRNT Ring Coupling, supporting topologies where you can connect the dual-homing uplinks to two adjacent

FRNT rings.

Section 15.1.2.2

presents the possibility of using multiple instances of dual-homing.

15.1.2.1

Synchronized Dual-Homing

WeOS Multi-Link Dual-Homing provides a mechanism referred to as synchronised

dual-homing. Synchronised dual-homing has two purposes:

ˆ Integrity of the uplink: A dual-homing switch monitors uplink connectivity by exchanging specific echo packets with the remote switch. This ensures that a link break is detected even in cases where intermediate transceivers do not propagate link down.

ˆ Define preferred uplink when connecting two adjacent FRNT rings: It is possible to connect the uplinks of a dual-homing node to two adjacent FRNT rings, which in turn are connected by ring coupling. The synchronised dualhoming feature will give preference to the uplink connected to a ring coupling sub-ring, i.e., the ring containing the RiCo nodes. More details later in this section.

If you wish to connect a dual-homing switch to topologies other than FRNT you need to disable the synchronised dual-homing feature in the dual-homing node.

An example is given below where ports 1 and 2 are configured as uplinks to non-

FRNT nodes.

© 2015 Westermo Teleindustri AB

327

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> configure example:/config/#> dual-homing

Creating new instance 1 example:/config/dual-homing-1/#> uplink 1 example:/config/dual-homing-1/uplink-eth1/#> priority 100 example:/config/dual-homing-1/uplink-eth1/#> end example:/config/dual-homing-1/#> uplink 2 example:/config/dual-homing-1/uplink-eth2/#> end example:/config/dual-homing-1/#> no synchronized example:/config/dual-homing-1/#> leave

Starting Ring Coupling/Dual-Homing daemon .................. [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example:/#>

Additional remarks if you intend to use dual-homing to connect the uplinks to other than FRNT nodes.

ˆ Fail-over performance: Fail-over performance is optimised when connecting the dual-homing node to a single FRNT ring, or to two FRNT rings. (Which in turn may be connected by FRNT ring coupling). In other topologies the switches may temporarily have stale MAC entries in their learning caches for a short period of time (unicast traffic). Furthermore, if IGMP snooping is used multicast traffic will also be disrupted until switches receive new IGMP

Reports via the new uplink.

ˆ Integrity of the uplink: With synchronised dual-homing disabled, the uplink status is determined based on its physical status (up/down). If you wish additional control in this case, you could consider running LACP on the uplink, i.e., you could create a link-aggregate with the uplink as the only member link. See

chapter 17

for further information on LACP and link aggregation.

It is possible to combine the use of Multi-Link Dual-Homing and FRNT Ring Coupling.

Fig. 15.5

shows how a dual-homing node can be connected to two adjacent

FRNT rings, and

fig. 15.6

illustrates an example with several dual homing nodes.

The synchronised dual-homing feature will give preference to the uplink leading to the FRNT ring containing RiCo nodes (the ring coupling ”sub-ring”). This means that the ’left’ dual-homing uplink (port ’1’) in

fig. 15.5

will be active as long as a

RiCo node in that ring is reachable, and in turn has an active uplink.

To ensure that the dual-homing node fail-over to the other uplink (the ’right’ uplink (port ’2’) in

fig. 15.5

) if no RiCo node is reachable via the sub-ring, port

’2’ should be configured with better uplink priority, see also

section 15.1.3

. A

configuration example is given below.

328

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Sub−ring

FRNT

RiCo

RiCo

Super−ring

FRNT

1

Dual

Hom.

2

Figure 15.5: Dual-Homing used in an FRNT Ring Coupling Topology.

Sub−ring Super−ring

Dual

Hom.

FRNT

Dual

Hom.

Dual

Hom.

FRNT

RiCo

RiCo

Figure 15.6: Multiple Dual-Homing nodes in an FRNT Ring Coupling Topology.

Example

example:/#> configure example:/config/#> dual-homing

Creating new instance 1 example:/config/dual-homing-1/#> uplink 1 example:/config/dual-homing-1/uplink-eth1/#> end example:/config/dual-homing-1/#> uplink 2 example:/config/dual-homing-1/uplink-eth2/#> priority 100 example:/config/dual-homing-1/uplink-eth2/#> leave

Starting Ring Coupling/Dual-Homing daemon .................. [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example:/#>

© 2015 Westermo Teleindustri AB

329

Westermo OS Management Guide

Version 4.17.1-0

15.1.2.2

Multiple instances of Dual-Homing

It is possible to create multiple dual-homing instances on a WeOS switch. Each instance has its own set of uplinks, referred to as an uplink domain – one of the uplinks in the domain will be active, while the others are backups. A sample topology is shown in

fig. 15.7

.

Sub−ring

RiCo

FRNT

RiCo

Super−ring

FRNT

330

Uplink

Domain A

(Instance 1)

(Instance 2)

Uplink

Domain B

Dual

Hom.

Sub−ring

FRNT

RiCo

RiCo

Super−ring

FRNT

Figure 15.7: Possibility to setup multiple uplink domains for dual-homing.

Warning

The upper and lower LANs in

fig. 15.7

must not have additional interconnections. Otherwise a layer-2 loop would be created via the dual-homing node, unless the dual-homing node has VLAN barriers between uplinks of the different instances.

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

15.1.3

Active uplink election

Both FRNT Ring Coupling and Multi-Link Dual Homing makes use of an uplink election mechanism to determine which of the available uplink that should become

active and which should be backups. For Dual-Homing, the election is handled within the dual-homing node itself, but for FRNT ring coupling the election process the RiCo nodes in the FRNT ring negotiate which uplink should be active.

To determine which uplink is preferred, an cost vector is formed for every uplink

and compared. The uplink with the lowest cost vector is elected as active uplink

1

.

The cost vector consists of the following fields.

ˆ Link speed/duplex Cost: The most significant component of the cost vector depends on the link’s speed and duplex setting. This link speed/duplex component is calculated as shown in

table 15.2

, similar to link cost calcu-

lation in RSTP (see

section 16.1.3

). It is also possible to configure the link

speed/duplex cost manually. Default: Auto (see

table 15.2

)

ˆ Priority: The next component of the cost vector is the uplink priority, which is used when two or more uplinks have the same link speed/duplex cost.

Then the uplink with the lowest priority value is elected as active uplink.

Default: 128

ˆ Base MAC address: (Only for Ring Coupling) If link speed/duplex cost and

uplink priority are equal for two RiCo nodes, the node with the lowest base-

MAC address will win.

ˆ Link/port identity: Finally, if all other components are equal, the port with the lowest port number is elected as active.

Bandwidth Full Duplex Half Duplex Two Aggregated Links

10 Mbps

100 Mbps

1 Gbps

2,000,000

200,000

20,000

4,000,000

400,000

40,000

1,000,000

100,000

10,000

Table 15.2: Link speed & duplex to link cost component translation table. For aggregated links (see

chapter 17 ) the link speed/duplex cost is half the cost of

a single link for the given link speed and duplex mode. This is shown in the right-most column.

1

The exception is dual-homing with synchronised dual-homing enabled. Then uplinks to FRNT rings with reachable Ring Coupling nodes have precedence over other uplinks, see also

section 15.1.2.1

.

© 2015 Westermo Teleindustri AB

331

Westermo OS Management Guide

Version 4.17.1-0

To mitigate issues with flapping uplinks, e.g., caused by bad cables, dual-homing nodes and ring coupling nodes can be configured to use a sticky uplink, as opposed to the deterministic uplink election described above. With sticky uplink enabled, the priority component of an uplink’s cost vector is reduced with a given value (the adjustment value) once that link is elected as active. That is, with sticky uplink configured, the effective priority of an uplink can differ from the

configured priority.

Example

Consider three uplinks with same speed and duplex. Link A has ”priority

100”, link B has ”priority 110” with ”adjustment 20”, and link C has

”priority 120” with ”adjustment 40”. All nodes keep information about each-others announced link cost (100, 110 and 120).

If Link A goes down, link B will take over as it has lower (i.e., better) priority than link

C (110<120), and link B will decrease its effective priority to 90 in its announcements.

If link A comes up again, link B will continue to be active as ”90<100”. The mechanism works in the same way for dual-homing, even though priority is never ”announced” to any other node.

15.1.4

Handling Multicast

To provide fast fail-over of multicast traffic, FRNT Ring Coupling and Multi-Link

Dual-Homing uplinks are added to the list of multicast router ports, see

section 18.1.1

. This is both done at the Ring Coupling nodes and Dual-Homing

nodes, as well as on switches on the remote side of the uplink

2

. This means that

all layer-2 multicast traffic is always sent over the uplinks, even if IGMP snooping is enabled.

2

An exception is when connecting a Dual-Homing uplink to a non-FRNT switch, the fail-over of multicast traffic will instead occur on the next reception of an IGMP Report (if IGMP snooping is enabled). See also

section 15.1.2.1

.

332

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

15.2

Managing via the Web

15.2.1

Managing FRNT Ring Coupling Settings

FRNT ring couplings are set up in the FRNT context, see

section 14.3.1

for further information.

15.2.2

Managing Dual-Homing Settings

Menu path: Configuration L2 Redundancy Dual-Homing

Here the list of currently configured Dual-Homing instances is found.

ID

Enabled

A unique identifier for the dual-homing instance.

A green checkbox if the dual-homing instance is enabled, a minus sign if not.

Uplinks

A list of the uplinks configured for this dual-homing instance.

Synchronized

A green check-box indicates this uplink has been synchronized with its neighbor.

Edit

Click this icon to edit a dual-homing instance.

Delete

Click this icon to remove a dual-homing instance.

Use the New button to create a new Dual-Homing instance.

Up to MAX_DUAL_HOMING_INSTANCES ( section 15.4

) can be created.

© 2015 Westermo Teleindustri AB

333

Westermo OS Management Guide

Version 4.17.1-0

Enabled

Check/uncheck box to enable/disable dual-homing instance.

Synchronized

Check/uncheck box to enable/disable Synchronized mode which requires synchronization with its neighbour.

Uplinks

Port

Priority

Adjustment

Path Cost

The uplink port.

The uplinks priority. Used for calculating active uplink.

Priority adjustment delta for this uplink. Makes the uplink sticky by adjusting the effective priority with this value when uplink becomes active.

The uplinks path cost. Used for calculating active uplink.

Auto (check-box checked) indicates path-cost is automatically calculated (based on link speed).

Delete

Add

Click this icon to remove a dual-homing instance.

Click this icon to add a new dual-homing instance.

334

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

15.2.3

Dual-Homing Status and Statistics

Menu path: Status L2 Redundancy Dual-Homing

On this page dual-homing status and statistics is presented.

Figure 15.8: Dual-homing status and statistics in web

Port

Active

Effective Priority

Path-Cost

Speed/Duplex

Synchronized

Preferred

The uplink port name.

A green check-mark indicates this is the active uplink for the dual-homing instance.

The actual priority value used in uplink selection. When configuring an adjustment delta this may differ from the configured priority for an active uplink. Used to minimize uplink changes when an active uplink goes down and up again.

The current path-cost. If auto configuration selected, this value is calculated based on port speed.

Speed duplex on the uplink port.

A green check-box indicates this uplink has been synchronized with its neighbor. Only applicable for local uplinks.

A green check-box indicates this uplink is preferred.

Continued on next page

© 2015 Westermo Teleindustri AB

335

Westermo OS Management Guide

Version 4.17.1-0

Auto Refresh

Refresh

Continued from previous page

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds.

Click Off to turn off auto refresh.

Click on this button to reload with updated statistics.

336

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

15.3

Managing via CLI

Command Default Section

Configure Ring Coupling Settings frnt

[no] coupling [ID]

[no] enable

[no] hello-interval <50..10000>

1

Enabled

Sec. 14.4.1

Sec. 15.3.1

Sec. 15.3.2

100 (msec)

Sec. 15.3.3

[no] uplink <PORT>

[no] path-cost <auto|<COST>> Auto

[no] priority <1..65535> [adjust <DELTA>] 128

Sec. 15.3.4

Sec. 15.3.5

Sec. 15.3.6

Configure Multi-Link Dual-Homing Settings

[no] dual-homing [ID]

[no] enable

[no] synchronized

[no] uplink <PORT>

[no] path-cost <auto|<COST>>

[no] priority <1..65535> [adjust <DELTA>]

1

Enabled

Enabled

FRNT Ring Coupling and Multi-Link Dual-Homing Status show coupling show dual-homing [ID]

Auto

128

Sec. 15.3.7

Sec. 15.3.8

Sec. 15.3.9

Sec. 15.3.10

Sec. 15.3.11

Sec. 15.3.12

Sec. 15.3.13

Sec. 15.3.14

15.3.1

Managing FRNT Ring Coupling

Syntax [no] coupling [ID]

Context

FRNT Configuration

context

Usage Use ”coupling ID” to enter FRNT Ring Coupling Configuration context of the given Ring Coupling instance ID. Currently only a single Ring Coupling instance is supported, thus the value of the coupling ID is ignored. ”coupling

ID” creates an FRNT Ring Coupling instance unless it already exists.

© 2015 Westermo Teleindustri AB

337

Westermo OS Management Guide

Version 4.17.1-0

Use ”no coupling” to remove the ring coupling instance.

Use ”show coupling” to show configuration information for the ring coupling instance. (Also available as ”show” command within the

FRNT Ring

Coupling Configuration

context.)

Default values Default ID is 1

15.3.2

Enable/Disable FRNT Ring Coupling

Syntax [no] enable

Context

FRNT Ring Coupling Configuration

context

Usage Enable or disable an FRNT Ring Coupling instance. Use ”enable” to enable the coupling instance, and ”no enable” to disable the coupling instance (without losing configuration settings for this instance).

Use ”show enable” to show whether the coupling instance is enabled or disabled.

Default values Enabled

15.3.3

Set FRNT Ring Coupling Hello Interval

Syntax [no] hello-interval <50..10000>

Context

FRNT Ring Coupling Configuration

context

Usage Use ”hello-interval VALUE” to set the hello interval (in milliseconds) to be announced by his ring coupling node.

Note

The effective hello-interval used will be the highest interval announced by any ring coupling node in the FRNT ring.

”no hello-interval” resets the configured hello interval to the default setting (100 milliseconds).

Use ”show hello-interval” to show the configured hello interval.

Default values 100 (msec)

338

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

15.3.4

Managing FRNT Ring Coupling Uplink Ports

Syntax [no] uplink [PORT]

Context

FRNT Ring Coupling Configuration

context

Usage Use ”uplink PORT” to define the given port as uplink for this ring coupling node, and enter the Ring Coupling Uplink Configuration context for the

port. A port can be an Ethernet port ( chapter 8

), a DSL port ( chapter 10

and

chapter 11

), or a link aggregate ( chapter 17 ).

Up to MAX_RING_COUPLING_UPLINKS ( section 15.4

) can be created.

Use ”no uplink PORT” to remove the give port as uplink for this ring coupling node, or use ”no uplink” to remove all uplinks for the node.

Use ”show uplink” to list configuration information for all uplinks, and ”show

uplink PORT” to list uplink configuration settings for the given port (also available as ”show” command within the Ring Coupling Uplink Configura-

tion context for the port.)

Default values Not applicable

15.3.5

Set Ring Coupling Uplink Path-Cost

Syntax [no] path-cost <auto|COST>

Context

Ring Coupling Uplink Configuration

context

Usage Configure uplink path-cost. By default, the path-cost depends on the link speed and duplex mode (higher speed gives lower cost). It is also possible to set a cost manually in range 1..2

32

-1 (1..4294967295).

The path-cost is used when electing the active uplink – the link with the lowest cost will be the active uplink. If the costs of two uplinks are equal,

their uplink priority ( section 15.3.6

) is considered. For more details, see

section 15.1.3

.

Use ”path-cost auto” to have the uplink’s path-cost depend on its link speed and duplex mode. Use ”path-cost COST” to set a static path-cost for the uplink. ”no path-cost” will reset the path cost to the default setting

(auto).

”show path-cost” will show the configured uplink path-cost.

© 2015 Westermo Teleindustri AB

339

Westermo OS Management Guide

Version 4.17.1-0

Default values Auto

15.3.6

Set Ring Coupling Uplink Priority

Syntax [no] priority <1..65535> [adjust <DELTA>]

Context

Ring Coupling Uplink Configuration

context

Usage Configure uplink priority, and optionally enable sticky uplink election by setting adjust value.

ˆ Use ”priority VALUE” to set priority value. A lower value increases the chance for this uplink to be elected as active uplink (lower is better).

With equal path-cost ( section 15.3.5

), an uplink with ”priority 100”

is preferred as uplink over an uplink with ”priority 110”.

ˆ Use the optional ”adjust DELTA” setting to improve its priority (i.e.,

lower its priority with the specified ”DELTA”) once the uplink is elected as active uplink. This gives a sticky uplink behaviour where shifting active uplink will be less common.

Consider the following example with uplink A (”priority 100”), uplink

B (”priority 110 adjust 20”), and uplink C (”priority 120 adjust

40”), and where uplink A came up first and is the active uplink. If uplink

A goes down, uplink B takes over as it has lower priority than uplink

C (110 < 120). Uplink B will then apply its adjustment and announce priority to 90 (110 20) in its hello messages. Uplink B will stay as active uplink even if uplink A comes up again (90 < 100).

”show priority” will show the configured uplink priority.

Default values priority 128 (no adjustment)

15.3.7

Managing Multi-Link Dual-Homing

Syntax [no] dual-homing [ID]

Context

Global Configuration

context

Usage Use ”dual-homing ID” to enter Dual-Homing Configuration context of the given Dual-Homing instance ID. Default instance ID is ”1”, thus command ”dual-homing” will enter the context of dual-homing instance 1.

340

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

”dual-homing ID” creates a dual-homing instance with given ID, unless it already exists.

Up to MAX_DUAL_HOMING_INSTANCES ( section 15.4

) can be created.

Use ”no dual-homing ID” to remove a specific dual-homing instance, or

”no dual-homing” to remove all dual-homing instances.

Use ”show dual-homing” to list configuration information on all dual-homing instances, and ”show dual-homing ID” for configuration information on a specific dual-homing instance (also available as ”show” command within the

Dual-Homing Configuration

context).

Default values Default ID is 1

15.3.8

Enable/Disable Multi-Link Dual-Homing

Syntax [no] enable

Context

Dual-Homing Configuration

context

Usage Enable or disable a dual-homing instance. Use ”enable” to enable the dual-homing instance, and ”no enable” to disable the dual-homing instance

(without losing configuration settings for this instance).

Use ”show enable” to show whether the dual-homing instance is enabled or disabled.

Default values Enabled

15.3.9

Synchronized Multi-Link Dual-Homing

Syntax [no] synchronized

Context

Dual-Homing Configuration

context

Usage Enable or disable the dual-homing synchronization feature. When enabled, preference when selecting active uplink will be given to uplinks where the uplink peer announces that it has connectivity to ring-coupling node with active uplink. See

section 15.1.2.1

for more information.

Use ”synchronized” to enable and ”no synchronized” to disable synchronized dual-homing.

© 2015 Westermo Teleindustri AB

341

Westermo OS Management Guide

Version 4.17.1-0

Use ”show synchronized” to show whether synchronized dual-homing is enabled or disabled.

Default values Enabled

15.3.10

Managing Multi-Link Dual-Homing Uplink Ports

Syntax [no] uplink [PORT]

Context

Dual-Homing Configuration

context

Usage Use ”uplink PORT” to define the given port as uplink for this dual-homing node, and enter the Dual-Homing Uplink Configuration context for the port.

A port can be an Ethernet port ( chapter 8

), a DSL port ( chapter 10

and

chapter 11

), or a link aggregate ( chapter 17 ).

Up to MAX_DUAL_HOMING_UPLINKS ( section 15.4

) can be created.

Use ”no uplink PORT” to remove the give port as uplink for this dualhoming node, or use ”no uplink” to remove all uplinks for the node.

Use ”show uplink” to list configuration information for all uplinks, and ”show

uplink PORT” to list uplink configuration settings for the given port (also available as ”show” command within the Dual-Homing Uplink Configuration context for the port.)

Default values Not applicable

15.3.11

Set Multi-Link Dual-Homing Uplink Path-Cost

Syntax [no] path-cost <auto|COST>

Context

Dual-Homing Uplink Configuration

context

Usage Configure uplink path-cost. By default, the path-cost depends on the link speed and duplex mode (higher speed gives lower cost). It is also possible to set a cost manually in range 1..2

32

-1 (1..4294967295).

The path-cost is used when electing the active uplink – the link with the lowest cost will be the active uplink. If the costs of two uplinks are equal,

their uplink priority ( section 15.3.12

) is considered. For more details, see

section 15.1.3

.

342

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Use ”path-cost auto” to have the uplink’s path-cost depend on its link speed and duplex mode. Use ”path-cost COST” to set a static path-cost for the uplink. ”no path-cost” will reset the path cost to the default setting

(auto).

”show path-cost” will show the configured uplink path-cost.

Default values Auto

15.3.12

Set Multi-Link Dual-Homing Uplink Priority

Syntax [no] priority <1..65535> [adjust <DELTA>]

Context

Dual-Homing Uplink Configuration

context

Usage Configure uplink priority, and optionally enable sticky uplink election by setting adjust value.

ˆ Use ”priority VALUE” to set priority value. A lower value increases the chance for this uplink to be elected as active uplink (lower is better).

With equal path-cost ( section 15.3.11

), an uplink with ”priority 100”

is preferred as uplink over an uplink with ”priority 110”.

ˆ Use the optional ”adjust DELTA” setting to improve its priority (i.e.,

lower its priority with the specified ”DELTA”) once the uplink is elected as active uplink. This gives a sticky uplink behaviour where shifting active uplink will be less common.

Consider the following example with uplink A (”priority 100”), uplink

B (”priority 110 adjust 20”), and uplink C (”priority 120 adjust

40”), and where uplink A came up first and is the active uplink. If uplink

A goes down, uplink B takes over as it has lower priority than uplink

C (110 < 120). Uplink B will then apply its adjustment and announce priority to 90 (110 20) in its hello messages. Uplink B will stay as active uplink even if uplink A comes up again (90 < 100).

”show priority” will show the configured uplink priority.

Default values priority 128 (no adjustment)

15.3.13

Show FRNT Ring Coupling Status

Syntax show coupling

© 2015 Westermo Teleindustri AB

343

Westermo OS Management Guide

Version 4.17.1-0

Context

Admin Exec

context

Usage Use ”show coupling” to show status of FRNT Ring Coupling.

Default values Not applicable

Example

example:/#> show coupling

==================================================================== ID 0x0101

Local uplink(s) --------------------------------------------------------------

ID MAC Uplink Prio/Delta Cost Speed Hello

------------------------------------------------------------------------------

>> 7 00:07:7c:84:90:44 eth 7 128/0 200000 100-Full 100(100)ms

Global uplink(s) -------------------------------------------------------------

MAC Uplink Prio Cost Hello

------------------------------------------------------------------------------

00:07:7c:87:85:62 eth 7 128 200000 100(100)ms example:/#>

The active uplink is marked with >>. In this case, lowest MAC address was used as tie-breaker to elect active uplink.

15.3.14

Show Multi-Link Dual-Homing Status

Syntax show dual-homing

Context

Admin Exec

context

Usage Use ”show dual-homing” to show status of Multi-Link Dual-Homing instances.

Default values Not applicable

344

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> show dual-homing

==============================================================================

Instance ID: 0x0001

Synchronized mode : Enabled

Local uplink(s) --------------------------------------------------------------

ID MAC Uplink Prio/Delta Cost Speed Sync Pref

------------------------------------------------------------------------------

4 00:07:7c:10:df:00 eth 4

>> 3 00:07:7c:10:df:00 eth 3

100/0

128/0

-------

200000

--------

100-Full

No

No

No

No

==============================================================================

Instance ID: 0x0002

Synchronized mode : Enabled

Local uplink(s) --------------------------------------------------------------

ID MAC Uplink Prio/Delta Cost Speed Sync Pref

------------------------------------------------------------------------------

6 00:07:7c:10:df:00 eth 6 128/0 -------------No No

>> 5 00:07:7c:10:df:00 eth 5 128/0 200000 100-Full No No example:/#>

The active uplink is marked with >>. In this case, only one uplink was up in each of the dual-homing instances.

© 2015 Westermo Teleindustri AB

345

15.4

Feature Parameters

MAX_RING_COUPLING_INSTANCES 1

MAX_RING_COUPLING_UPLINKS 4

MAX_DUAL_HOMING_INSTANCES 8

MAX_DUAL_HOMING_UPLINKS 4

Westermo OS Management Guide

Version 4.17.1-0

346

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 16

Spanning Tree Protocol - RSTP and STP

The spanning tree protocol (STP) and its successor rapid spanning tree protocol

(RSTP) are the standard protocols to support redundancy while avoiding broadcast storms in switched networks. WeOS supports RSTP with fall-back to STP when connecting the switch to another device only capable of STP.

STP/RSTP does not provide the same convergence performance as FRNT, however, STP/RSTP can handle arbitrary switched topologies, while FRNT operates in a ring structure. For information on FRNT, and coexistence between FRNT and

RSTP, see

chapter 14

.

RSTP is disabled at factory default.

16.1

Overview of RSTP/STP features

Table 16.1

provides a summary of available RSTP/STP features in WeOS. Further descriptions of the spanning tree protocol and the available features are provided in

sections 16.1.1

-

16.1.3

.

16.1.1

Spanning Tree Introduction

Loops in switched networks are dangerous, since packets can loop around forever and jam the network - as opposed to IP and routed networks, Ethernet frames do

© 2015 Westermo Teleindustri AB

347

Westermo OS Management Guide

Version 4.17.1-0

Feature

Enable STP

Bridge priority

Max age

Hello time

Forward delay

View general RSTP/STP settings

Web

CLI

General Description

X

X

X

X

X

X

X

X

X

X

X

X

Section 16.1.2

Section 16.1.1

Section 16.1.1

Section 16.1.1

Per Port settings

Enable STP

Admin Edge

Path Cost

View per port RSTP/STP settings

X

X

X

X

X

Section 16.1.1

X

Section 16.1.3

X

View RSTP/STP status X X

Table 16.1: Summary of RSTP/STP features.

not include a hop count by which the switches could decide to drop a packet circulating around. Since a switched network may contain multiple loops, broadcast packets (or other packets flooded by the switches), leads to packet proliferation; this situation is generally referred to as a broadcast storm. On the other hand, loops in switched networks are desirable from a redundancy perspective.

Note

The purpose of the spanning tree protocol is to ensure that an arbitrary

physical LAN topology is turned into a logical tree topology (i.e., loop free) in such a way that all links in the network are still connected (i.e., a spanning

tree). This is accomplished by having the switches put some of their ports in blocking state.

Since loops in switched networks are so dangerous, layer-2 redundancy protocols such as STP and RSTP are very restrictive before putting a link in forwarding state. The main difference between STP and RSTP is that RSTP is able to react quicker to topology changes, thus can open an alternative path if a link in the active tree is broken, i.e., RSTP has shorter convergence time than STP. (FRNT has even faster convergence, see

chapter 14 .)

In RSTP/STP terminology, a switch is referred to as a bridge. Spanning tree is a

348

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

RSTP

Switch

Host Host Host Host Host Host

Figure 16.1: Example of RSTP creating a spanning tree. Dashed links have logically been ”cut off” from the active topology by RSTP, eliminating the loops.

plug-and-play protocol - bridges can use RSTP/STP to form a tree without need for any configuration. However, the protocol provides a set of parameters which the operator can use to fine-tune the network setup. Below is a list of those parameters of specific interest for the WeOS RSTP/STP implementation:

ˆ Bridge priority: Used for root bridge and designated bridge election. See

section 16.1.2

.

ˆ Port/Path cost: Each port is assigned a ”cost”. This is used by each bridge to find the least cost path to the root bridge as part of the tree establishment.

See

section 16.1.3

.

ˆ Max age/Hello time: Used to detect that a STP/RSTP neighbour is down. The

max age also puts a protocol limit to the size of the network

1

.

ˆ Forward Delay: Used when operating in STP mode (i.e., not RSTP). Defines the time period by which the protocol can be sure that STP information on a topology change has propagated from one side of the network to the other.

The STP convergence time is limited by twice the forwarding delay (plus the time it takes to detect the topology change).

ˆ Admin Edge: Ports where only end nodes connect are referred to as edge

ports. If a port is only used for connecting hosts (i.e., no risk for loops), it

1

In RSTP the Message Age field in the Hello Messages effectively acts as a hop count, counting the distance from the Root. If the Message Age exceeds the Max Age the packet is dropped. Thus, the setting of the Max Age parameter restricts the size of the RSTP LAN.

© 2015 Westermo Teleindustri AB

349

Westermo OS Management Guide

Version 4.17.1-0 can be configured as an admin edge port.

Access ports and inter-switch ports

It is recommended that all ”inter-switch ports” (ports connecting switches) are configured as ”non-edge ports” (admin edge disabled), and that all ”access ports” (ports where hosts connect) are configured as ”edge ports” (admin edge enabled).

For robustness purposes, all ports are set to ”no admin-edge” when

spanning tree is enabled. To improve performance on ”access ports”

(leading to hosts), these ports should be configured as ”admin-edge”.

When configured as admin edge the port will:

be put in FORWARDING state quickly after system boot, and

be kept in FORWARDING state during periods when the spanning tree topology is changing.

An admin edge assumes the port leads to a host or a router (i.e., not another bridge), and the port is therefore put in FORWARDING state without first verifying that the LAN is still loop free. The bridge will still send Hello Messages on admin edge ports, and will react on any incoming Hello Messages as it would on regular (non-”admin edge”) ports. Thus, even if loops may occur via an admin edge port, the bridge will generally be able to receive the highpriority RSTP messages, and cut the loop by putting the appropriate port in

BLOCKING.

The IEEE std 802.1D-2004 specifies restrictions on the Max age parameter with respect to the Hello time and the Forward delay as shown below. This affects how these parameters can be configured.

ˆ M ge 2 ∗ (Heo tme + 1)

ˆ M ge 2 ∗ (Forrd Dey 1)

Note

Some of the RSTP/STP parameters (Max age, Hello time, and Forward Delay) need to be set consistently throughout all bridges with the LAN infrastructure. Therefore, bridges inherit these parameter values from the current root

bridge, irrespective of the corresponding parameter setting in the bridge itself.

350

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

16.1.2

Bridge Identity

Each bridge is assigned an 8 byte bridge identifier (bridge ID) as shown in

fig. 16.2

.

4 bits

System ID

Extension

12 bits

Unique Bridge Address (MAC)

6 bytes

Priority System ID

Figure 16.2: Structure of bridge ID.

The bridge ID is divided into a priority part (4 bits) and a system ID (60 bits). The bridge with the lowest bridge ID within the LAN will become the root bridge, i.e., lower priority means greater chance to become root bridge. The bridge ID is also used to select a designated bridge on a link, when multiple bridges on the link have the same ”least cost path” to the root bridge.

The format of the bridge ID follows IEEE std. 802.1D-2004 (RSTP). It differs from the structure specified in IEEE std. 802.1D-1998 (STP), where the priority field was 2 bytes and the system ID field was 6 bytes. The change in structure was made with respect to the multiple spanning tree protocol (MSTP) defined in IEEE std. 802.1Q-2005 (WeOS currently does not support MSTP).

ˆ Priority (4 bits): Can take values in range 0-15, where 8 is default. 0 (zero) means highest priority and 15 lowest priority. Compared to the ”old” 2 byte priority field of STP, this is rather a priority factor field, which can be multiplied by 4096 to get the ”old” STP priority.

ˆ System ID Extension (12 bits): Set to all zeros in WeOS.

ˆ Unique Bridge Address: Tie-breaker ensuring the bridge ID will be unique.

WeOS uses the base MAC address assigned to the switch for this field.

16.1.3

Path Cost

Each port is associated with a cost referred to as a path cost. Low-speed links are generally given a high cost, which increases the probability of the port ending up in blocking state (and vice versa), in case spanning tree discovers a loop.

© 2015 Westermo Teleindustri AB

351

Westermo OS Management Guide

Version 4.17.1-0

By default, the path cost of a port is assigned dynamically with values related to the port speed (in-line with the recommendations of IEEE std 802.1D-2004).

The same path costs are used irrespective if the port is operating in RSTP or STP mode.

Port Speed (Mbit/s) RSTP path cost

10

100

1000

2000000

200000

20000

It is also possible to configure the path cost manually. That may be useful to get more fine grain control of which port in the LAN should be put in blocking state.

Setting path costs manually may be desirable when operating a LAN including a mix of RSTP and STP capable, since STP uses a different set of default path costs.

16.1.4

RSTP and STP coexistence

WeOS supports both RSTP and STP, but WeOS always attempts to run RSTP on every spanning-tree enabled port. WeOS automatically shifts to STP mode on a port, if it detects a bridge running STP on that port. Other ports continue operating in RSTP mode. When operating a network including a mix of RSTP and

STP bridges, it may be necessary to configure path costs manually to get the intended spanning tree behaviour, see also

section 16.1.3

.

352

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

16.2

Managing RSTP via the web interface

16.2.1

Managing RSTP Settings

Menu path: Configuration L2 Redundancy RSTP

On the RSTP configuration page you will be presented to the current settings for

RSTP on your switch, see below. You may change the settings by editing the page.

Enabled

Bridge Priority

Check the box to enable RSTP. If you have a

JavaScript enabled browser the other settings will not be displayed unless you check this box.

A priority level used in root bridge selection.

A lower value increases the probability for this switch to be elected as root bridge.

Maximum Age Timeout

The time the unit will wait before considering a neighbour designated bridge is down after the last Hello message was heard from the neighbour.

Continued on next page

© 2015 Westermo Teleindustri AB

353

Westermo OS Management Guide

Version 4.17.1-0

Hello Time Interval

Continued from previous page

The time between two consecutive transmissions of hello messages.

Forward Delay Timeout

The time an interface takes to change from blocking to forwarding state. Only used when operating in STP mode.

Edge Port

Ports connected to end hosts and routers (i.e., not to another switch) can be set as adminedge ports. This avoids unnecessary BLOCK-

ING of such ports at system startup or when a topology change occurs.

It is recommended that this box is checked for every port where it is certain that only end hosts and routers connect. Ports which (may) connect to another switch should un-check this box.

354

© 2015 Westermo Teleindustri AB

16.2.2

RSTP Status and Statistics

Menu path: Status L2 Redundancy RSTP

Westermo OS Management Guide

Version 4.17.1-0

Version

Topology Change

Count

Time Since Last

Topology Change

ID

Always RSTP, with fallback to STP.

Number of RSTP topology changes since switch startup.

Time since last topology change.

The local and elected root bridge ID, used for root bridge and designated bridge election; consists of two parts:

MAC Address

The local MAC-address that is used for bridge ID. If local and root values

Priority

are equal, this switch is root.

Priority value configured on the unit.

Continued on next page

© 2015 Westermo Teleindustri AB

355

Westermo OS Management Guide

Version 4.17.1-0

Root Port

Root Path Cost

Max Age

Hello Time

Forward Delay

Auto Refresh

Refresh

Continued from previous page

The port with the open path to the root switch. If this switch is root, the text Unit is root will be displayed.

Calculated cost to designated root switch.

Used to detect that a STP/RSTP neighbor is down. Current value learnt from BPDUs.

The time between two consecutive transmissions of hello messages. Current value learnt from BPDUs.

Used when operating in STP mode (i.e., not RSTP). Defines the time period by which the protocol can be sure that STP information on a topology change has propagated from one side of the network to the other. Current value learnt from BPDUs.

Click on a value to make the page reload with updated statistics automatically every 5, 15, 30 or 60 seconds.

Click Off to turn off auto refresh.

Click on this button to reload with updated statistics.

Port Status

Label

Port label, identifying the port.

Type

Path Cost

State

Type of port, e.g. Eth for ethernet.

Path cost associated with the port.

FORWARDING

Unit forwards packets. Normal operation.

LEARNING

The port is preparing itself for entering

FORWARDING state.

BLOCKING

Unit does not forward any packets.

DISABLED

Port does not participate in operation.

Edge

If TRUE the port is in admin edge mode and assumes the port leads to a host or a router (i.e., not another bridge), and the port is therefore put in FORWARDING state without first verifying that the LAN is loop free. If FRNT, the port is controlled by FRNT protocol.

Designated Bridge

The designated bridge MAC-address.

356

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

16.3

Managing RSTP via the CLI

Command

Spanning Tree Configuration

[no] spanning-tree priority <0-15|0-65536> max-age-time <6-40> hello-time <1-10> forward-delay <4-30>

Default Section

Disabled

Section 16.3.1

8 (32768)

Section 16.3.2

20

2

15

Section 16.3.3

Section 16.3.4

Section 16.3.5

stp-port <PORTLIST|all>

[no] enable

[no] admin-edge

Enabled

Disabled

[no] path-cost <0-20000000> 0 (Auto)

Section 16.3.6

Section 16.3.7

Section 16.3.8

Section 16.3.9

Spanning Tree Status show spanning-tree

Section 16.3.10

16.3.1

Manage RSTP

Syntax [no] spanning-tree

Context

Global Configuration

context

Usage Enter

Spanning Tree Configuration

context, and activate spanning-tree (if not already activated). Use ”no spanning-tree” to disable spanning-tree and to remove spanning-tree configurations.

Use ”show spanning-tree” to view general spanning-tree settings, given that spanning-tree is enabled (also available as ”show” command within the

Spanning Tree Configuration

context.

Default values Disabled

16.3.2

Bridge Priority Setting

Syntax priority <0-15|0-65535>

Context

Spanning Tree Configuration

context

© 2015 Westermo Teleindustri AB

357

Westermo OS Management Guide

Version 4.17.1-0

Usage Set bridge priority, where a low value means high priority, which increase the probability of being elected as root bridge. Values can be entered in two ways, either in range 0-15, which corresponds to the 4-bit priority field specified in IEEE std 802.1D-2004, or in range 16-65535 which corresponds to the traditional 2 byte priority field defined in IEEE 802.1D-1998. In the latter case, the value is divided by 4096, and stored as a value 0-15. See

section 16.1.2

for more information.

”no priority” resets the bridge priority to the default setting.

Use ”show priority” to view the current bridge priority setting.

Default values 8 (32768)

16.3.3

Max Age Setting

Syntax max-age-time <6-40>

Context

Spanning Tree Configuration

context

Usage Set spanning-tree max age timeout. Since bridges use the max age configured at the root bridge, this parameter setting only matters if this bridge becomes the root bridge.

”no max-age-time” resets the max age timeout to the default setting.

Use ”show max-age-timeout” to view the current max age timeout setting.

Default values 20

Error messages An error message is given if the ”max-age-time” is not given a valid value with respect to ”hello-time” or ”forward-delay”, see

section 16.1.1

.

16.3.4

Hello Interval

Syntax hello-time <1-10>

Context

Spanning Tree Configuration

context

Usage Set spanning-tree hello time interval. Since bridges use the hello time configured at the root bridge, this parameter setting only matters if this bridge becomes the root bridge.

358

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

”no hello-time” resets the hello time to the default setting.

Use ”show hello-time” to view the current hello time setting.

Default values 2 (seconds)

Error messages An error message is given if the ”hello-time” is not given a valid value with respect to ”max-age-time”, see

section 16.1.1

.

16.3.5

Forward Delay

Syntax forward-delay <4-30>

Context

Spanning Tree Configuration

context

Usage Set spanning-tree forward delay. Since bridges use the forward delay configured at the root bridge, this parameter setting only matters if this bridge becomes the root bridge.

”no forward-delay” resets the forward delay to the default setting.

Use ”show forward-delay” to view the current forward delay setting.

Default values 15 (seconds)

Error messages An error message is given if the ”forward-delay” is not given a valid value with respect to ”max-age-time”, see

section 16.1.1

.

16.3.6

Manage RSTP Ports

Syntax [no] stp-port <PORTLIST|all>

Context

Spanning Tree Configuration

context

Usage Enter

Spanning Tree Port Configuration

context to manage per port spanningtree settings for one or more ports.

”no stp-port <PORTLIST|all>” (e.g., ”no stp-port all”) will disable spanning tree for the specified ports.

Use ”show stp-port <PORTLIST|all>” to view the spanning tree settings for the specified port(s).

Default values Not applicable.

© 2015 Westermo Teleindustri AB

359

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/spanning-tree/#> show stp-port all

Port Enabled Admin-Edge Path-cost

==============================================================================

Eth 1 YES NO AUTO

Eth 2 YES NO AUTO

Eth 3

Eth 4

YES

YES

YES

YES example:/config/spanning-tree/#>

AUTO

AUTO

16.3.7

Enable Spanning Tree on a Port

Syntax [no] enable

Context

Spanning Tree Port Configuration

context

Usage Enable the spanning tree protocol on a port. Use ”no enable” to disable spanning tree protocol on a port.

Default values Enabled

16.3.8

Admin Edge Setting

Syntax [no] admin-edge

Context

Spanning Tree Port Configuration

context

Usage Configure the port as an access port (”no admin-edge”), or as an inter-

switch port (”admin-edge”).

Note

It is recommended that every port where it is certain that only end hosts and routers connect (but not switches/bridges) are configured as

”admin-edge”. Port which (may) connect to another switch/bridge should be configured as ”no admin-edge”.

Use ”show admin-edge” to view the admin edge setting for this port.

Default values Disabled (”no admin-edge”)

360

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

16.3.9

Path Cost Setting

Syntax [no] path-cost <0-20000000>

Context

Spanning Tree Port Configuration

context

Usage Configure the spanning tree path cost for a port. A low speed link should get a higher cost, a high speed link a lower cost. Use ”path-cost 0” (or

”no path-cost”) to have the path-cost assigned automatically depending on the port speed (see

section 16.1.3

).

Values in range 1-20000000 means a statically configured path cost of the given value.

Use ”show path-cost” to view the path cost setting for this port.

Default values Automatic (”path-cost 0”)

16.3.10

Show RSTP Status

Syntax show spanning-tree

Context

Admin Exec

context.

Usage Show spanning-tree status information, including current port states, root bridge ID, etc..

Default values Not applicable.

© 2015 Westermo Teleindustri AB

361

Westermo OS Management Guide

Version 4.17.1-0

Chapter 17

Link Aggregation

This chapter describes WeOS support for link aggregation (IEEE 802.3ad/802.1AX[ 13 ]).

With link aggregation, two or more Ethernet links can be bundled and treated as a single MAC entity by the upper layer protocols. The primary use is to achieve

redundancy in layer-2 bus topologies. A coarse form of load balancing is also provided, but only if different traffic flows are mapped to different aggregate member links.

WeOS supports the standard Link Aggregation Control Protocol (LACP[ 13 ]) for

aggregation control, but also static aggregation control, where the active set of member links is solely determined based on their link up/down state.

17.1

Link Aggregation Support in WeOS

Feature

Enable/Disable Aggregate

Define Member Ports

Static Aggregation Control

LACP Aggregation Control

Timeout (Short/Long)

Active/Passive

Show Link Aggregate Status

Web

CLI

General Description

X

X

X

X

X

X

X

Section 17.1.1

X

X

X

-”-

X

Section 17.1.2

X

Section 17.1.3

-”-

-”-

362

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

17.1.1

Introduction to Link Aggregation

Link aggregation enables physical links to be bundled together to form a single logical link, an aggregated link, see

fig. 17.1

. Upper layer protocols will treat the

aggregate as a single MAC entity, i.e., as one Ethernet port with its own label, a

MAC address assigned, and so on. In WeOS, aggregates are named ”a0”, ”a1”, etc., and inherit their MAC address from one of their member ports.

Physical view

Switch Switch

Member link Aggregated link

Logical view

Switch Switch

Aggregated link

Figure 17.1: Example of link aggregation with four member links

All member ports in an aggregate are able to forward data. However, the IEEE802.1AX

standard[ 13 ] mandates the aggregate to deliver packets in order per data flow

to avoid problems for upper layer protocols. This means the switch will send all traffic of an individual data flow through the same member link. Other flows may be sent through other member links. The effectiveness of this load balancing depends on several factors:

ˆ The granularity by which the switch can distinguish between different traffic flows: WeOS units determine packet flow based on the combination of the

© 2015 Westermo Teleindustri AB

363

Westermo OS Management Guide

Version 4.17.1-0

source and destination MAC address of the packet

1

(done in hardware).

ˆ The distribution of traffic flows:. If there are many flows (and if they are of

equal load) the ability to load balance improves. This depends on the traffic patterns in your network. Avoiding patterns where all traffic end up with the same source and destination MAC over the aggregate improves the ability

to load balance

2

.

ˆ The mapping of traffic flows to different member links: WeOS units map traffic flows to different (active) member links in a static way. This mapping aims to equalise the number of flows mapped to each member link, but its effectiveness is limited when the number of flows are low.

Note

To summarise, link aggregation should generally be used as a means to achieve redundancy in bus topologies. It may be used to increase data capacity, however, the ability to load balance between the member links is limited and depends on the use case.

When an aggregate is configured in WeOS, the following restrictions apply:

ˆ Ethernet as member ports: Only aggregation of Ethernet ports is supported.

ˆ Member ports explicitly associated with aggregate: For a port to be part of an aggregate, it must explicitly be associated with that aggregate.

ˆ Maximum 8 aggregates: At most 8 aggregates can be configured on a WeOS unit.

ˆ Maximum 8 member ports per aggregate: Each aggregate can have at most

8 member ports.

ˆ Member ports in same slot: In slot based WeOS products (see

section 8.1.1

)

all member ports must reside in the same slot as of WeOS v4.17.1. Similar restrictions apply to WeOS Viper, RedFox Rail (RFR) and RedFox Industrial

Rack (RFIR) products.

A aggregate has state Down when all its member ports have state Down, and the aggregate is Up when at least one of its member ports has state Up.

1

The algorithm to determine flow uses a hash function applied to the packet’s source and destination MAC address.

2

Switching traffic over the link aggregate may improve load balancing as opposed to routing

(routers typically use the same source and destination MAC for all unicast traffic). Multicast flows commonly utilise different destination MACs irrespective if the WeOS units are switching or routing, thus has good load balancing properties.

364

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

The next subsections provide additional information on WeOS support for link aggregates:

sections 17.1.2

(static) and

17.1.3

(LACP) contain information on the methods to control link aggregates in WeOS, while

section 17.1.4

include more details on using link aggregates in various low-layer features in WeOS.

17.1.2

Static Link Aggregates

For static link aggregates the including member ports are the only settings that have to be specified in the configuration. The members in an aggregate do not need to have the same speed settings, although that is the preferred setting

(otherwise the capacity of the aggregate will be unbalanced).

Ports that are included in an aggregate and have link up will be qualified as active ports, and the network traffic will be sent on those links. If a link goes down or up in the aggregate the network traffic will be distributed over the new set of active links. Because an active link in an aggregate is qualified on the link status no

media converters are allowed between statically aggregated ports. Below is a

CLI configuration example where the static link aggregate a1 is configured with member ports 3 and 7 on a WeOS switch.

Example

example:/#> configure example:/config/#> aggregate a1 example:/config/aggregate-a1/#> ports 3,7 example:/config/aggregate-a1/#> type static example:/config/aggregate-a1/#> show

Name : a1

Status

Type

Ports : 3,7 example:/config/aggregate-a1/#> end example:/config/#>

: Enabled

: static

17.1.3

LACP Controlled Link Aggregates

The Link Aggregation Control Protocol (IEEE 802.3ad/802.1AX [ 13 ]) is a standard

method for aggregating member links that have the same speed and duplex mode. The primary advantage over static link aggregation is the ability to confirm that the remote partner can handle aggregation. It is also possible to handle failover when media converters are present.

© 2015 Westermo Teleindustri AB

365

Westermo OS Management Guide

Version 4.17.1-0

LACP relies upon periodic transmission of information and state between the switches. The protocol messages (LACP-PDUs) are sent by the first party (the

Actor) to the second party (the Actor’s protocol Partner) with information about what the Actor knows, both about its own state and that of the Partner.

Switches can be configured to active or passive participation in LACP. Passive

LACP indicates the preference for not transmitting LACP-PDUs unless its Partner is Active LACP, i.e. it does not generate any LACP traffic by its own. Active LACP indicates the preference to participate in the protocol regardless of the Partner setting, i.e. it always generates LACP traffic.

LACP-PDUs are transmitted periodically when either the Actor or the Partner is configured with Active LACP. These transmissions will occur at either a fast or slow transmission rate depending upon the timeout setting (short or long timeout) of the Partner system.

The LACP state is determined by the contents of the LACP-PDUs and can be in any of the following states:

Detached The port is being detached from the aggregator.

Waiting The port is being attached to the aggregator.

Attached The port is attached to the selected aggregator.

Collecting Indicates that the receive function of this link is enabled.

Distributing Indicates that the transmit function of this link is enabled.

The switch will set a member port in forwarding state when LACP state is Dis-

tributing. For all other LACP states the port state will be blocking

3

. The aggregate

is in forwarding state as long as at least one member port is in forwarding state.

Also, the aggregate will be up as long as at least one member port is up.

WeOS assumes that the configured aggregate connects two switches. If the aggregate member ports on one switch is connected to several other switches LACP will only include member ports to one of the neighbours in the active port set:

ˆ Ports to the neighbour with the highest total bandwidth will be selected.

ˆ If several aggregates share the same bandwidth, then the aggregate is selected based on LACP system priority, system identifier, port priority, and

operational key.

3

If RSTP or FRNT are run over the aggregate, those protocols may also decide to set the ports in blocking state.

366

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

In WeOS v4.17.1, the LACP system priority is set to 0x8000 (hex), system identifier is set to the MAC address of the first member port of the aggregate, the port priority is set to 0x8000 (hex), and the operational key is set to the configured aggregate identifier (see

sections 17.2

and

17.3

). More information about

aggregate selection can be found in IEEE 802.3ad/802.1AX [ 13 ].

17.1.4

Link Aggregates and Low layer protocols

17.1.4.1

Link Aggregation and VLAN

Ethernet and DSL ports on WeOS units are associated (untagged or tagged) with one or more VLANs as described in

chapter 13 . Link aggregates can not be

mapped directly to VLANs. Instead the user must add each of the aggregate member ports to the intended VLAN(s).

For the setup in

fig. 17.2

, the physical ports 1-4 are mapped tagged (”tagged

1-4”) to VLANs 1&2 rather than the aggregates (i.e., ”tagged a1,a2” is not possible as of WeOS v4.17.1). An extract of the configuration file is shown below.

Example

vlan 1 name vlan1 untagged 5-7 tagged 1-4 end vlan 2 name vlan2 untagged 8-10 tagged 1-4 end

17.1.4.2

Link Aggregation and Link Alarms

As described in

section 24.1

the operational state (Up/Down) of Ethernet and DSL ports can be used as alarm triggers, i.e., link alarms. When a port is a member of a link aggregate, it is still possible to define link alarms for the individual member ports. It is also possible to create link alarms for the aggregates.

Below is a CLI configuration example where a link alarm is configured for aggregate a1. The aggregate has state Down when all its member ports has state

© 2015 Westermo Teleindustri AB

367

Westermo OS Management Guide

Version 4.17.1-0

Aggregate "a1"

VLAN 1&2

(tagged)

1

2

5 6 7 8 9 10

3

4

Aggregate "a2"

VLAN 1&2

(tagged)

VLAN 1 VLAN 2

(untagged) (untagged)

Figure 17.2: The physical ports 1-4 rather than the logical aggregates (a1 and

a2) are associated with the VLANs (VLAN 1 and 2).

Down, and the aggregate is Up when at least one of its member ports has state

Up.

Example

example:/#> configure example:/config/#> alarm example:/config/alarm/#> trigger link-alarm example:/config/alarm/trigger-2/#> port a1 example:/config/alarm/trigger-2/#> end example:/config/alarm/#>

17.1.4.3

Link Aggregation and unicast/multicast MAC learning

The MAC forwarding database (FDB, see

section 13.1.8

) holds information on

where to forward known MAC addresses. Unicast addresses are learnt dynamically by looking at the source MAC of incoming packets, while multicast addresses

are typically learnt dynamically via IGMP snooping ( chapter 18 ), or entered man-

ually

4

by the operator.

When a (unicast/multicast) MAC address is learnt dynamically on a member port of a link aggregate, all ports of the aggregate are added to the MAC address’ FDB entry, since the link aggregation flow distribution mechanism can map traffic to the MAC address on any member port.

In the example below, aggregate a1 consists of member ports 5 and 6, and IGMP snooping is enabled on the VLAN the ports are associated with. An IGMP report

4

See

section 13.4.3

for CLI command to enter MAC forwarding database entries manually.

368

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 has been received for IP multicast address 225.1.2.3 (MAC 01:00:5e:01:02:03) on one of the member ports and both ports are added to the forwarding database for that MAC address.

Example

example:/#> sh ip igmp

VID Querier IP Querier MAC Port Interval Timeout

-------------------------------------------------------------------------------

1 192.168.2.200

LOCAL

VID Multicast Group Filtered MAC Addr Active ports

-------------------------------------------------------------------------------

1 225.1.2.3

01:00:5E:01:02:03 a1

-------------------------------------------------------------------------------

Total: 1 filters, max 1200, in 1 VLAN.

example:/#> sh fdb

MAC VLAN State Port(s)

===============================================================================

...

01:00:5e:01:02:03

...

ANY IGMP 5-6

===============================================================================

FDB Aging time: 300 sec.

example:/#>

Similarly, traffic from unicast address 00:07:7c:00:02:61 has come in on one member port, thus both member ports are automatically added to the MAC’s

FDB entry.

Example

example:/#> sh fdb

MAC VLAN State Port(s)

===============================================================================

...

00:07:7c:00:02:61 ANY 294 s 5-6

...

===============================================================================

FDB Aging time: 300 sec.

example:/#>

When adding (multicast) MAC addresses statically to the MAC FDB, each of the individual member ports needs to be specified. Thus, in the example below, with ports 5 and 6 belonging to aggregate a1, the command ”mac 01:00:5e:00:11:22

port 5,6” is used (while ”mac 01:00:5e:00:11:22 port a1” would not work as of WeOS v4.17.1).

© 2015 Westermo Teleindustri AB

369

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/#> example:/#> configure example:/config/#> fdb example:/config/fdb/#> mac 01:00:5e:00:11:22 port 5,6 example:/config/fdb/#> end

17.1.4.4

Running FRNT or RSTP over Link Aggregates

It is possible to run FRNT ( chapter 14

) or RSTP ( chapter 16 ) over a link aggregate.

Fig. 17.3

shows an example of using FRNT together with link aggregation.

Link Aggregates

1

2

Member

3

4

1

2

Member

3

4

M

1

2

Focal

Point

3

4

N

FRNT Ring

1

2

Member

3

4

Figure 17.3: FRNT can run over aggregated links

Additional information on running RSTP over a link aggregate:

ˆ Failover performance: RSTP failover performance may be degraded when running RSTP over a link aggregate as opposed to using regular links.

ˆ Forwarding/Blocking state: An aggregate is forwarding data packets only if both RSTP and the link aggregate itself determine that it should be in forwarding state.

ˆ RSTP link cost: The RSTP link cost can be configured manually. If ”auto” is used for cost calculation, WeOS determines the aggregate link cost based the aggregated bandwidth of the member ports (higher aggregated capacity gives lower RSTP cost).

ˆ Link Up/Down: An aggregate is up if at least one of its member ports are considered up. An aggregate is down if all its member ports are down.

Additional information on running FRNT over a link aggregate:

370

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Failover performance: FRNT failover performance may be degraded when running FRNT over a link aggregate as opposed to using regular links.

ˆ Forwarding/Blocking state: An aggregate is forwarding data packets only if both FRNT and the link aggregate itself determine that it should be in forwarding state.

ˆ Link Up/Down: An aggregate is up if at least one of its member ports are considered up. An aggregate is down if all its member ports are down.

ˆ Mixing aggregated and regular links: The topology in

fig. 17.3

uses link aggregation throughout the whole FRNT ring. It is possible to run link aggregation on a subset of the links in the FRNT ring.

17.1.4.5

Link Aggregation and other Low-level WeOS features

Use of link aggregation with other low-level features, e.g., port monitoring ( section 7.1.10

), port access control ( section 13.2

and

chapter 21 ), etc. is not sup-

ported as of WeOS v4.17.1. To use those features together with link aggregation it may be possible to specify the individual member ports in the configuration, however, the behaviour is undefined and its use is unsupported.

© 2015 Westermo Teleindustri AB

371

Westermo OS Management Guide

Version 4.17.1-0

17.2

Link Aggregation Settings and Status via the Web

Interface

17.2.1

Configuring Link Aggregation Settings via the Web Interface

Menu path: Configuration Port Aggregate

On the Link Aggregate overview page all configured link aggregates will be presented in a list, see below.

When first accessing this page link aggregates can be created by pressing the

New button.

Name

Ports

Type

The link aggregate name.

The set of ports defined for this aggregate.

The type of the aggregate, Static or LACP.

Edit

Click this icon to edit an existing aggregate.

New

Delete

Click this icon to remove an aggregate. You will be asked to acknowledge the removal before it is actually executed.

Click the New button to create a new link aggregate.

372

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

17.2.2

Create new link aggregate using the web interface

Menu path: Configuration Port Aggregate ⇒ New

When clicking the New button, you will be presented to the aggregate new page.

Name

The link aggregate name.

Valid values are A{n} or a{n}, where n is an integer.

Ports

Type

The set of ports to be included in this aggregate. Only ports in the same slot may be aggregated together.

The type of the aggregate, Static or LACP.

LACP Mode

Only available for type LACP. Modes:

Active

Always send frames (LACP-PDUs) along the configured links.

Passive

Only send frames (LACP-PDUs) along the configured links if any LACP-PDU frames have been received.

LACP Timeout

Only available for type LACP. The type of the aggregate:

Short

3 seconds

Long

90 seconds

For more information, see

section 17.1

.

© 2015 Westermo Teleindustri AB

373

Westermo OS Management Guide

Version 4.17.1-0

17.2.3

Edit link aggregate settings using the web interface

Menu path: Configuration Port Aggregate

When clicking the Edit icon for an aggregate you will be presented to the aggregate edit page, which is identical to the new page. See

section 17.2.2

for description of fields.

17.2.4

Link Aggregation Status via the Web Interface

Menu path: Status Port Aggregate

This page display status information for the currently configured link aggregates.

Name

Link

The link aggregate name.

The aggregate link status. Up/Down.

MAC

Type

The aggregate MAC address.

The type of the aggregate, Static or LACP.

Port Label

The port label for the ports included in the aggregate.

Port Link

Up/Down.

Continued on next page

374

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

Port Active

Indicates if this port is an active member of this aggregate.

Port

Link State

The port state for this port.

FORWARDING

Unit forwards packets. Normal operation.

LEARNING

The port is preparing itself for entering

FORWARDING state. (Only applicable if

RSTP/STP is used on the aggregate.)

BLOCKING

DISABLED

Unit does not forward any packets. The port is put in blocking state by LACP, or by STP/RSTP or FRNT if used on the aggregate.

Port does not participate in operation.

Port

LACP State

The LACP negotiation state for this port: DETACHED, WAIT-

ING, ATTACHED, COLLECTING, or DISTRIBUTING. In the

DISTRIBUTING state, the port is ready to send and receive data as part of the aggregate. See

section 17.1.3

or [ 13 ] for

more information.

© 2015 Westermo Teleindustri AB

375

Westermo OS Management Guide

Version 4.17.1-0

17.3

Managing Link Aggregation via CLI

Command Default Section

Configure Link Aggregate

[no] aggregate <AGGREGATE_ID> N/A

[no] enable Enabled

Section 17.3.1

Section 17.3.2

[no] ports <PORTLIST>

[no] type <static|flhp|lacp>

N/A lacp

Section 17.3.3

Section 17.3.4

LACP Specific Settings

[no] active

[no] timeout <short|long>

Aggregate Status show aggregate active short

Section 17.3.5

Section 17.3.6

Section 17.3.7

17.3.1

Manage a Link Aggregate

Syntax [no] aggregate <AGGREGATE_ID>

Context

Global Configuration

context

Usage Create, modify or remove a link aggregate.

Enter the Link Aggregate Configuration context of the given aggregate identifier (a0-aN), where N is a number (up to 8 aggregates can be created). If this is a new link aggregate, the aggregate is created.

Use ”no aggregate <AGGREGATE_ID>” to remove an existing link aggregate, or ”no aggregate” to remove all link aggregates.

Use ”show aggregate” to list configured aggregates. To list details of a configured aggregate, enter its configuration context and run ”show” from there.

Default values When using the ”no aggregate” form (without providing a specific aggregate ID), all link aggregates are removed.

Example Listing configured aggregates, and listing details for a LACP aggregate.

376

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/#> show aggregate a1 static 1-2 a2 lacp 5-6 example:/config/#> aggregate a2 example:/config/aggregate-a2/#> show

Name

Status

Type

Ports

LACP mode

: a2

: Enabled

: lacp

: 5-6

: active

LACP timeout : short example:/config/aggregate-a2/#>

17.3.2

Enable/disable a Link Aggregate

Syntax [no] enable

Context

Link Aggregate Configuration

context

Usage Enable/disable this aggregate instance. Use ”enable” to enable and ”no

enable” to disable this aggregate. When disabled, the configured member ports will not be part of this aggregate, i.e., they will operate as regular

(non-aggregate) ports.

Use ”show enable” to view the currently configured setting.

Default values Enabled (”enable”)

17.3.3

Configure Link Aggregation Member Ports

Syntax [no] ports <PORTLIST>

Context

Link Aggregate Configuration

context

Usage Add/remove a list of ports to/from the port member set of this link aggregate. Use ”no ports” (without providing a port list) to remove all ports from the member set.

Use ”show ports” to view the currently configured list of ports.

Default values When using the ”no ports” form (without providing a specific

PORTLIST), all ports are removed.

© 2015 Westermo Teleindustri AB

377

Westermo OS Management Guide

Version 4.17.1-0

”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”X1-X2,X4”.

17.3.4

Configure Link Aggregate Control Mode

Syntax [no] type <static|flhp|lacp>

Context

Link Aggregate Configuration

context

Usage Set mode/operation for this aggregate. Use ”no type” (without providing a mode) to reset to default value.

Warning

As of WeOS version v4.17.1, the use of FLHP for link aggregation control is provided as a technology preview feature. All use of the FLHP link aggregation control feature except for testing is discouraged.

Use ”show type” to view the currently configured mode.

Default values lacp (”no type”)

17.3.5

Configure LACP Active/Passive Mode

Syntax [no] active

Context

Link Aggregate Configuration

context (only available when aggregate control mode is lacp)

Usage Select LACP mode, i.e. active or passive participation in LACP (see

section 17.1.3

). Use ”active” to select active mode and ”no active” to select

passive mode.

Use ”show active” to view the currently configured setting.

Default values Active (”active”)

17.3.6

Configure LACP Timeout

Syntax [no] timeout <short|long>

378

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Context

Link Aggregate Configuration

context (only available when aggregate control mode is lacp)

Usage Select LACP timeout, i.e. the number of seconds before invalidating received LACP information (see

section 17.1.3

). Use ”timeout short” to set

the timeout to 3 seconds and ”timeout long” to set the timeout to 90 seconds.

Use ”show timeout” to view the currently configured setting.

Default values Short, i.e. 3 seconds (”no timeout”)

17.3.7

Show Status of Link Aggregates

Syntax show aggregates

Context

Admin Exec

context

Usage Display status information for all configured aggregates. The header line displays the aggregate information including the name, its MAC address, and the aggregate control mode.

Each member link is listed with link status, whether or not the link is currently an active member of the aggregate, and the link state.

Aggregates using LACP also displays the LACP state (see

section 17.1.3

)

and partner information. Partner ID is the system id of the peer, port is the remote port, and key is the operational key. In WeOS, the operational key is equal to the aggregate id.

Default values Not applicable

Example In this example an aggregate (a1) is configured. Both member ports are up, but port ’Eth 5’ is unused, since no LACP partner has been discovered on that link.

Example

example:/#> show aggregates

Aggregate a1 MAC: 00:07:7c:00:30:b5 Type: lacp

-------------------------------------------------------------------------------

Port Link Active Link State LACP State Partner ID Port Key

-------------------------------------------------------------------------------

Eth 5 UP No Blocking ATTACHED 00:00:00:00:00:00 0 0

Eth 6 example:/#>

UP Yes Forwarding DISTRIBUTING 00:07:7c:00:02:61 2 1

© 2015 Westermo Teleindustri AB

379

Westermo OS Management Guide

Version 4.17.1-0

Example In this example a static aggregate (a2) is configured. Two member ports are up and ’Eth 9’ is down.

Example

example:/#> show aggregates

Aggregate a2 MAC: 00:07:7c:84:91:6b Type: static

-------------------------------------------------------------------------------

Port Link Active Link State

-------------------------------------------------------------------------------

Eth 7 UP Yes Forwarding

Eth 8

Eth 9 DOWN example:/#>

UP Yes

No

Forwarding

N/A

380

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 18

Multicast in Switched Networks

This chapter gives a brief overview of multicast, with a focus on IP multicast, and how it can be controlled in a WeOS device using IGMP snooping. The chapter also covers non-IGMP capable devices and how they can be integrated into a network with IGMP enabled.

18.1

Overview

Feature

IGMP Querier Mode

IGMP Query Interval

IGMP Fast Leave

Low Bandwidth Networks

Multicast Router Ports

Multicast Router Timeout

View IGMP Snooping Settings

Web

CLI

General Description

X

X

X

X

X

X

X

X

Section 18.1.1

-”-

X

Section 18.1.3

X

Section 18.1.4

X

Section 18.1.2

X

Section 18.1.1

X

Multicast, as opposed to unicast, is a very efficient means of communicating information to more than one receiver. The main difference between multicast and broadcast is that multicast can be controlled. When disabling its control mechanisms, like IGMP, multicast behaves like broadcast.

Thus, when distributing IP multicast data in a switched network, switches within the LAN can:

© 2015 Westermo Teleindustri AB

381

Westermo OS Management Guide

Version 4.17.1-0

ˆ treat multicast traffic as broadcast, i.e., forward it on all ports (in the same

VLAN), or

ˆ limit forwarding of multicast only to subscribers

The latter method requires switches to inspect Internet Group Management Protocol (IGMP) control messages exchanged by hosts and routers to learn which

ports lead to subscribers – this mechanism is referred to as IGMP snooping[ 4 ].

With IGMP Snooping enabled, WeOS switches dynamically keep track of up to

2048 multicast addresses

1

.

As part of the IGMP snooping support, WeOS also enables a switch to act as IGMP

querier – a role which is usually handled by a multicast router. Having switches with IGMP querier capabilities enables efficient distribution of IP multicast in networks without multicast routers.

Warning

WeOS devices can only limit the broadcast effects of multicast on a Layer-

2 basis, it is therefore important to design IPv4 multicast networks so that groups do not overlap. For example, 225.1.2.3 and 226.1.2.3 map to the same multicast MAC address and will effectively be treated as the same group. This means that both groups will be forwarded by the device and potentially overloading the intended receiver.

See RFC 1112, http://tools.ietf.org/html/rfc1112

, for details on how IP multicast groups map to MAC multicast addresses.

18.1.1

IGMP Snooping

The switch is capable of efficiently distributing IP(v4) multicast traffic on LAN interfaces by means of IGMP snooping. IGMP Snooping is enabled by default per

VLAN, see

section 13.1.5

.

ˆ With IGMP snooping enabled on a VLAN, IP multicast packets are only forwarded to ports leading to a subscriber of that IP multicast group, and to ports leading to an IP multicast router

ˆ With IGMP snooping disabled on a VLAN, multicast traffic is forwarded on all ports in that VLAN, i.e., like broadcast traffic

1

Special restriction for DDW-142 and DDW-142-485: On these products the MAC address database can hold at most 1000 addresses in total (unicast and multicast MAC). Thus, the upper limit for multicast addresses possible to keep track of is roughly 1000.

382

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Ports shared between multiple VLANs may have different IGMP snooping settings on different VLANs, i.e., one VLAN may have IGMP snooping enabled and another may have it disabled. The disabled mode takes precedence on such ports, i.e., multicast will be flooded on ports where at least one VLAN has IGMP Snooping disabled

As part of the IGMP snooping functionality, the switch can also act as an IGMP

Querier, and settings for querier mode, and query interval are provided.

Querier mode: By default the switch has auto mode enabled. It relies on the

standard IGMP protocol to elect a designated IGMP querier on each LAN

2

.

With auto mode unknown multicast is flooded to the elected querier, which acts as a distribution point to the rest of the network. Keep this in mind when designing your network, for many use-cases it is valuable information.

The forced querier mode is a non-standard setting specific to WeOS that in some cases can be more fault tolerant. When all switches on a LAN are set to this mode they will all discard the election mechanism of the protocol and always send queries. This not only incurs a notable penalty on the network due to the overhead of IGMP messages flooding the LAN, but it also causes all unknown multicast to be flooded to all switches. This makes the network less vulnerable to the loss of one querier and all multicast is always available to end devices. It is however not recommended due to the broadcast like effects it causes.

In proxy mode, the switch normally only acts as a silent forwarder of IGMP queries (and reports) between the IGMP querier and end devices. However, to prevent loss of multicast traffic in the case when there exist no elected

IGMP querier on a LAN, the switch will initiate queries with the source IP

address 0.0.0.0

3

. This feature of proxy mode can be used to optimise low-

bandwidth setups, see

section 18.1.4

for more information.

On VLANs where the network interface is not assigned an IP address, the switch will automatically fall back to proxy mode, regardless of the querier mode setting.

Query interval: The switch can be configured to send out queries on intervals

12, 30, 70 and 150 seconds, default 12 sec. This interval is also used when timing out multicast to end devices that for some reason stop answering the

2

The querier with the lowest IP address on each LAN is elected. Usually the gateway or multicast router.

3

Address 0.0.0.0 is a special case and is never part of the IGMP querier election process, as clearly stated in the standard.

© 2015 Westermo Teleindustri AB

383

Westermo OS Management Guide

Version 4.17.1-0 queries.

Multicast router timeout: When a multicast router, or a switch acting as IGMP querier, goes down, the lack of IGMP Query messages will cause a reelection to establish a new IGMP querier. This timeout can be configured via the CLI

”multicast-router-timeout” setting. Default: 300 sec.

When a multicast receiver attached to a switch port leaves a multicast group (i.e., stops subscribing to an IP multicast address or is simply disconnected from the port), the IGMP snooping leave latency (the time until the switch stops forwarding the associated multicast data) is within 2-3 times the configured Query Interval.

18.1.2

Multicast Router Ports

When IGMP snooping is enabled, the switch will learn on which ports there are interested receivers of a certain multicast group. It accomplishes this by listening to IGMP Report messages sent by all subscribers. Thus, the switch only forwards multicast on ports leading to members of each specific multicast group.

The switch also forwards all multicast traffic, both subscribed (known) and un-

known, on ports leading to multicast routers. The following ports are considered as multicast router ports:

ˆ Ports configured as multicast router ports

ˆ Ports where IGMP Queries are received, usually queries are sent by multicast routers, but also by IGMP snooping aware switches like WeOS

ˆ FRNT Ring Coupling ports and Multi-link Dual-Homing ports: To provide fast fail-over of multicast traffic, FRNT Ring Coupling and Multi-link Dual-Homing uplinks (see

chapter 15 ) are added to the list of multicast router ports. This

is both done at the Ring Coupling nodes and Dual-Homing nodes, as well as

on switches on the remote side of the uplink

4

.

FRNT ring ports are no longer considered multicast router ports. The Fast Re-

connect feature of FRNT is instead handled per multicast group: if a multicast receiver is located on a ring port, the other ring port is automatically added to

the ATU MAC filter

5

. In case of ring breakage this practice ensures an extremely

low reconfiguration time for multicast over FRNT.

4

An exception is when connecting a Dual-Homing uplink to a non-FRNT switch, the fail-over of multicast traffic will instead occur on the next reception of an IGMP Report (if IGMP snooping is enabled). See also

section 15.1.2.1

.

5

This can be seen using the CLI command ”show fdb”

384

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

18.1.3

IGMP Fast Leave

WeOS IGMP snooping supports IGMP Leave by default and Fast Leave can be enabled on a per-port basis. The CLI ”igmp-fast-leave-ports” setting allows using the keyword ”all”, but Fast Leave is recommended only for access ports.

Example

example:/#> configure example:/config/#> ip example:/config/ip/#> no igmp-fast-leave-ports example:/config/ip/#> igmp-fast-leave-ports eth 3,6 example:/config/ip/#> leave

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example:/#> copy run start example:/#> show ip igmp

Static Multicast ports

-------------------------------------------------------------------------------

Static router ports : ---

Dual homing/Coupling ports : ---

FRNT ports : ---

VID Querier IP Querier MAC Port Interval Timeout

-------------------------------------------------------------------------------

1 0.0.0.0

LOCAL

VID Multicast Group Filtered MAC Addr Active ports

-------------------------------------------------------------------------------

1 239.255.255.250

01:00:5E:7F:FF:FA 6

1 224.0.0.251

1 225.1.2.3

01:00:5E:00:00:FB 3, 6

01:00:5E:01:02:03 6

-------------------------------------------------------------------------------

Total: 3 filters, max 2048, in 1 VLAN.

example:/#>

When an IGMP Leave is received on a port configured with Fast Leave it will issue a group specific query for the group being left and then immediately cut the multicast stream for that (multicast MAC) group. With Fast Leave disabled WeOS honors a grace period of, at most, two query intervals for the benefit of multicast receivers attached on downstream port splitters (hubs or unmanaged switches).

When no membership report/reply is received the multicast group will time-out within three query intervals.

© 2015 Westermo Teleindustri AB

385

Westermo OS Management Guide

Version 4.17.1-0

18.1.4

Low Bandwidth Networks

In low-bandwidth topologies, like FRNT over an SHDSL ring, you typically cannot afford wasting bandwidth on unwanted traffic. With the IGMP Proxy Mode and

Fast Leave settings for IGMP snooping this can be avoided.

In the standard auto mode of IGMP all unknown multicast must be forwarded to the elected querier. But if there is no elected querier, or if all switches instead have proxy mode enabled, unknown multicast will be stopped before entering the low-bandwidth ring.

Only when a subscriber appears will the traffic be classified as known and forwarded on the ring to the receiver. By also enabling Fast Leave, on the access port towards the receiver, the multicast overhead can be kept to a near minimum.

386

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

18.2

Managing IGMP in the Web Interface

Global Configuration

Menu path: Configuration IGMP

When entering the IGMP configuration page you will be presented with the global settings for IGMP snooping. Enabling or disabling IGMP is done per VLAN, see

Section 13 .

Querier Mode

Query Interval

The IGMP querier mode should have the same setting across all devices in the same LAN:

Automatic: Automatic querier election. Recommended default

Querier: Forced Querier mode, the device always sends IGMP queries, every Query Interval seconds

Proxy: Fallback mode in which the switch normally does not initiate queries by itself, only forwards queries and reports.

For more information on the modes, see

Section 18.1.1

Number of seconds between each query.

© 2015 Westermo Teleindustri AB

387

Westermo OS Management Guide

Version 4.17.1-0

Fast Leave Ports

Ports where multicast should not linger when receiving IGMP Leave.

Multicast Router Ports

Ports on which to forward all multicast. Useful if the switch fails to automatically detect a multicast router, or when you have a non-IGMP aware end devices.

Click Apply to save and apply the changes.

IGMP Status

Menu path: Configuration IGMP Status

388

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

18.3

Managing IGMP in the CLI

The available general IP settings and monitoring commands are shown below.

Command Default Section

Configure General IGMP Snooping settings ip

[no] igmp-mode <auto|querier|proxy>

[no] igmp-interval <12|30|70|150> auto

12 sec

Section 19.7.1

Section 18.3.1

Section 18.3.2

Disabled

Section 18.3.3

[no] igmp-fast-leave-ports <PORTLIST>

[no] multicast-router-ports <PORTLIST> Disabled

Section 18.3.4

[no] multicast-router-timeout <1-2147483647> 300

Section 18.3.5

Per VLAN IGMP Snooping settings vlan <VID>

[no] igmp

Show IGMP Snooping Status show ip igmp

Enabled

Section 13.4.6

Section 13.4.13

Section 18.3.6

18.3.1

IGMP Querier Mode

Syntax [no] igmp-mode <auto|querier|proxy>

Context

IP Configuration

context

Usage Set IGMP Querier mode. In auto mode the device will participate in the querier election process (querier with lowest IP becomes querier). In forced

querier mode the device will send IGMP queries even if there are other querier present with lower IP address. In proxy mode the device will act as an IGMP proxy, only initiating queries when no other eligible querier is available.

Note: if there is no IP address configured for an interface, the device will fall back to proxy mode regardless of the mode setting.

”no igmp-mode” resets the IGMP Querier mode to the default setting (”auto”).

Use ”show igmp-mode” to view configured IGMP Querier mode (”auto”,

”querier” or ”proxy”).

© 2015 Westermo Teleindustri AB

389

Westermo OS Management Guide

Version 4.17.1-0

Default auto

18.3.2

IGMP Querier Interval

Syntax [no] igmp-interval <12|30|70|150>

Context

IP Configuration

context

Usage Set IGMP Querier interval (seconds). The same interval is used for all interfaces.

”no igmp-interval” resets the IGMP Querier interval to the default setting,

”12” sec.

Use ”show igmp-interval” to view configured IGMP Querier interval.

Default 12 (sec)

18.3.3

IGMP Fast Leave

Syntax [no] igmp-fast-leave-ports <PORTLIST>

Context

IP Configuration

context

Usage Add or remove IGMP Fast Leave ports. For details, see

section 18.1.3

”no igmp-fast-leave-ports <PORTLIST>” removes the specified port(s) and ”no igmp-fast-leave-ports” all ports from the list of IGMP Fast Leave ports.

Use ”show igmp-fast-leave-ports” to view configured multicast router ports.

Default Disabled

A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.

18.3.4

Static Multicast Router Port Settings

Syntax [no] multicast-router-ports <PORTLIST>

Context

IP Configuration

context

390

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Add or remove multicast router ports. All (layer-2) multicast traffic will be forwarded on multicast router ports, see

section 18.1.1

.

”no multicast-router-port <PORTLIST>” removes the specified port(s) and ”no multicast-router-port” all ports from the list of multicast router ports.

Use ”show multicast-router-port” to view configured multicast router ports.

Default Disabled

A ”PORTLIST” is a comma separated list of port ranges without intermediate spaces, e.g., ”1/1-1/3,2/3”.

18.3.5

Multicast Router Timeout

Syntax [no] multicast-router-timeout <1-2147483647>

Context

IP Configuration

context

Usage Set the ”other IGMP Querier present” timeout (sec). The same interval is used for all interfaces.

Timeout for learned multicast router ports. With IGMP, and IGMP Snooping for switches, the elected querier is a critical component for successful operation. If it is lost, or suddenly gets a new IP address, another device must take over. This timeout adjusts the timeout before this device can take over.

”no multicast-router-timeout” resets the ”other IGMP Querier present” timeout to the default setting (”300”).

Use ”show multicast-router-timeout” to view configured ”other IGMP

Querier present” timeout.

The timeout should never be set lower than the IGMP Query Interval!

Default 300 (sec)

18.3.6

Show IGMP Snooping Status Information

Syntax show ip igmp

Context

Admin Exec

context

© 2015 Westermo Teleindustri AB

391

Westermo OS Management Guide

Version 4.17.1-0

Usage Show IGMP snooping status information.

Default N/A

392

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 19

General Interface and Network

Settings

This chapter presents WeOS network interface settings, such as the interface IP address and common IP network settings, e.g., default gateway, DNS server and

NTP server. Topics specific to various routing protocols and services, e.g., RIP,

OSPF, VRRP, etc. are left to

chapters 26 -

31 .

Section 19.1

presents the general concepts of network interfaces in WeOS. It also covers the notion of interface admin distance and management interface, as well as IP related settings for DNS, NTP, etc.

Section 19.4

and

section 19.5

cover management of interfaces and general network settings via the Web interface.

The corresponding CLI settings are divided into

section 19.6

, interface settings,

and

section 19.7

, general network settings.

19.1

Overview

The table below summarises general interface and network features.

Sections 19.2

-

19.3

contain further information on specific interface and network features.

Web CLI Description Feature

Interface settings

Enable/disable interface

MAC address

X X

Section 19.2.1

X

Section 19.2.4

Continued on next page

© 2015 Westermo Teleindustri AB

393

Westermo OS Management Guide

Version 4.17.1-0

Feature

Primary IP address

Secondary IP addresses

Netmask (Prefix Length)

MTU

Interface admin distance

Management interface

ICMP Redirect (sending)

View interface configuration

View interface status

Continued from previous page

Web CLI Description

X

X

X

X

X

X

X

X

X

X

Section 19.2.5

X

Section 19.2.5

X

X

Section 19.2.5

X

X

Section 19.2.6

X

Section 19.2.7

X

Section 19.2.8

General network settings

Default gateway

Enable/disable unicast routing

DNS client support

Set DNS server

Dynamic DNS

DNS search path

DNS proxy server support

NTP (NTP client)

View general network config.

View general network status

X

X

X

X

X

X

X

X

X

Section 19.3.1

X

Section 19.3.3

X ”

X ”

X

Section 19.3.4

X

Section 19.3.2

X

X

19.2

Network interfaces

WeOS supports several kinds of network interfaces:

ˆ LAN/VLAN network interfaces: A network interface is created for every VLAN

configured on the switch ( chapter 13 ).

ˆ PPP network interfaces: (only for WeOS Extended) A network interface is

created for every PPP instance configured on the switch ( chapter 33 ). As of

WeOS v4.17.1, PPP support is available over Ethernet/DSL ports using PPP over Ethernet (PPPoE), and over serial ports with or without external modem.

394

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Serial

Port(1) modem0

1

WeOS Layer 2/3 Switch

Routing vlan1 vlan2 vlan3 pppoe0

(vlan4)

Network

Interfaces

(Routing)

VLAN 1 VLAN 2 VLAN 3 VLAN 4

1 2 3 4 5 6 7 8 9 10

VLANs

(Switching)

Ethernet/DSL

Ports (1−10)

Serial a)

Router modem0 pppoe0 vlan1 vlan2 vlan3 (vlan4)

Network

Interfaces

Switch

VLAN 1

1 2 3 4

Switch

VLAN 2

5 6

Ethernet/DSL b)

6

Switch

VLAN 3

7 8 9

Switch

VLAN 4

10

Figure 19.1: A network interface is associated with each VLAN, and VLANs are in turn associated with Ethernet (or DSL) ports as shown in figure a). Furthermore, when using PPPoE, a PPP network interface will be created and mapped on top of an associated VLAN interface, see pppoe0 and vlan4. The routing switch can conceptually be seen as a router connecting a set of switches, as shown in figure b). In this sample setup, port 6 is shared by VLANs 2 and 3 (by use of VLAN tagging).

ˆ Loopback network interface: The loopback interface lo is a logical network interface, which is always present. Its primary IP address cannot be changed, but it is possible to add secondary IP addresses, which can be useful in some

situations,e.g., for OSPF ( chapter 27 ).

ˆ GRE interfaces: (only for WeOS Extended) For every configured GRE tunnel

( chapter 34 ), an associated GRE network interface is created.

ˆ SSL interfaces: (only for WeOS Extended) For every configured SSL VPN

tunnel ( chapter 36 ), an associated SSL network interface is created.

ˆ Blackhole interface:

WeOS has a hidden blackhole interface (”null0”), which can be used to avoid routing loops in case of incomplete subnetting, or to avoid that VPN traffic is forwarded towards the default gateway when the VPN tunnel is down. See

section 26.1.4.3

.

Fig. 19.1

shows how VLAN interfaces (vlan1-vlan4) are mapped to VLANs and ports, i.e., Ethernet and DSL ports. When using PPPoE, a PPP interface is created on top of a VLAN interface (see pppoe0 and vlan4 in

fig. 19.1

). modem0

represents the network interface when running PPP over a serial port. The GRE and loopback interfaces are logical interfaces not directly associated with any physical port.

© 2015 Westermo Teleindustri AB

395

Westermo OS Management Guide

Version 4.17.1-0

Every network interface can be assigned an IP(v4) address and netmask. By assigning an IP address to an interface, the operator is able to remotely manage the switch via that interface. Furthermore, if routing (IP forwarding) is enabled, the switch is able to forward packets between network interfaces.

Section 19.3

gives a brief overview of WeOS routing features.

chapter 26

gives a more detailed introduction to WeOS routing support, while

chapters 27

and

28

covers dynamic routing with OSPF and RIP.

Note

IP forwarding is not available for products running software level WeOS Standard. However, it is possible to configure static (unicast) routes in WeOS

Standard products as described in

sections 26.2.1

(Web) and

19.7.3

(CLI).

19.2.1

Interface Operational Status (up/down)

For a network interface to get operational status up, it must be enabled in the configuration. But for some types of interfaces there may be additional critera to reach interface (operational) status up, as shown in the list below:

ˆ Loopback network interface: The loopback interface lo is always up.

ˆ LAN/VLAN network interfaces: For a VLAN interface to get status up, the interface must be enabled and its associated VLAN must also be up. In turn, the associated VLAN is up when that VLAN is enabled, and any of its associated ports have link up status. See

chapter 13

for more information on VLANs.

Note

It is possible to circumvent the link status propagation property by configuring a LAN/VLAN network interface as always up (”enable

always”, see

section 19.6.2

). Disabling link status propagation may

significally impact layer-3 protocols such as RIP, OSPF, VRRP, and more

-– the protocols will have to fall-back to other methods to detect linkdown, e.g. hello message timeout and similar. Do not use the ”enable

always” setting unless you really know what you are doing.

ˆ PPP network interfaces: (only for WeOS Extended) For a PPP interface to get status up, the PPP interface (and the associated PPP instance) must be enabled and successfully have carried out the PPP handshaking, including

PPP authentication and IP address negotiation. For PPPoE, this implies that

396

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 the underlying VLAN interface must also be up. See

chapter 33

for more information on PPP.

ˆ GRE interfaces: (only for WeOS Extended) For a GRE interface to get status

up, the GRE interface (and the associated GRE tunnel instance) must be enabled.

19.2.2

Interface Settings at Factory Default

WeOS products typically have all Ethernet and DSL ports mapped to VLAN 1 by factory default, and the network interface associated with VLAN 1 is named vlan1.

The exception is Falcon, as described later in this section.hus by factory default, a WeOS unit has network interfaces vlan1 and lo (logical ”loopback” interface).

The factory default settings for interfaces vlan1 and lo are presented below. Most of the loopback settings are permanent (non-configurable).

Interface parameters

Factory Default Setting (General) vlan1 lo

Administrative Mode

IP address

Enabled

Dynamic

(DHCP)

Enabled

Static

127.0.0.1

Netmask

(Dynamic) 255.0.0.0

Secondary IP addresses

192.168.2.200

Disabled

Secondary Netmask

255.255.255.0

N/A

MAC address

Auto N/A

16436

MTU

TCP-MSS

Auto (1500)

Disabled

Admin Distance

1

Management Interface

Enabled

1

Disabled

16

Disabled

The interface administrative distance and management interface concepts are described in

sections 19.2.6

and

19.2.7

.

As stated earlier, Falcon has a different factory default settings than other WeOS products. The Ethernet ports are all mapped to VLAN 1 and interface vlan1 as usual, but the Falcon xDSL port resides on a separate VLAN (VLAN 1006) and interface (vlan1006). The factory default settings for the associated interfaces are shown below. Most of the loopback interface (lo) settings are permanent

(non-configurable).

© 2015 Westermo Teleindustri AB

397

Westermo OS Management Guide

Version 4.17.1-0

Interface parameters

Factory Default Setting (Falcon) vlan1 vlan1006 lo

Administrative Mode

IP address

Enabled Enabled

Static Dynamic

192.168.2.200

(DHCP)

Enabled

Static

127.0.0.1

Netmask

255.255.255.0

Secondary IP addresses

Disabled

N/A

Disabled

MAC address

Auto Auto

255.0.0.0

Disabled

N/A

Auto (1500) 16436

MTU

TCP-MSS

Auto (1500)

Disabled

Admin Distance

16

Management Interface

Enabled

1

Disabled

1

Disabled

Disabled

16

Disabled

Note

On Falcon, the xDSL port associated with VLAN 1006 is intended to be used as the upstream ”WAN” port for Internet access. Interface vlan1006 inherits its admin distance from the base interface, which by default is 1. For security reasons, management services are filtered out on vlan1006 by default.

19.2.3

Creating Additional Network Interfaces

As shown in

fig. 19.1

the switch will have one network interface for every VLAN defined on the switch. Thus, additional VLAN network interfaces can be created by creating new VLANs (see

chapter 13 ). Similarly, a PPP network interface is

created for every configured PPP instance, a GRE network interface is created for every configured GRE instance, etc.

The default settings for new VLAN and PPP (PPPoE and PPP over serial/modem) interfaces are shown in the table below, followed by a table presenting default settings for GRE and SSL VPN interfaces (PPP, GRE and SSL VPN interfaces are available for products running software level WeOS Extended).

It is not possible to create additional loopback interfaces. To have additional loopback IP addresses you can instead configure secondary IP addresses on the

lo interface.

1

At factory default, all management services except Telnet are allowed on interface vlan1.

398

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Interface

Parameters

Default Setting vlan<VID> pppoe<ID> modem<ID>

2

Administrative Mode

IP address

Enabled

Static

1

Disabled

Enabled

Dynamic

(IPCP)

3

Enabled

Dynamic

(IPCP)

3

Netmask

Disabled N/A N/A

MAC address

MTU

Auto

Auto (1500)

Admin Distance

16

TCP-MSS

Disabled

Management Interface

Enabled

5

N/A

1492

”Inherited”

1412

4

N/A

Auto (1500)

16

Disabled

”Inherited” Enabled

4

Interface

Parameters

Default Setting gre<ID> ssl<ID>

Administrative Mode

IP address

Enabled Enabled

Static Static

Disabled Disabled

Netmask

MAC address

MTU

Disabled

N/A

1476

Disabled

Auto

6

Auto (1500)

Admin Distance

16 16

TCP-MSS

Disabled

Management Interface

Enabled

5

Disabled

Enabled

5

The interface admin distance and management interface concepts are described in

sections 19.2.6

and

19.2.7

.

VLAN network interfaces will be named according to the associated VLAN ID, e.g., the interface of VLAN 100 will be named vlan100. PPP, GRE and SSL interfaces will

1

The exception is interface vlan1 (VID 1). If vlan1 does not exist, or if it is created without an address method defined, vlan1 will default to acquire its address dynamically via DHCP.

2

Interfaces for PPP over serial port (modem<ID>) are only available for products equipped a serial port.

3

For PPP interfaces, the IP address assignment is handled by the PPP configuration, see

section 33.1.7

.

4

When using PPPoE the default PPP interface MTU is 8 bytes less than the associated VLAN interface MTU, which is typically 1500 bytes.

5

On new interfaces, all management services except Telnet are allowed by default.

6

Only layer-2 SSL interfaces have MAC addresses. As of WeOS v4.17.1 the auto mode picks a random MAC address, however, this may change in the future WeOS releases.

© 2015 Westermo Teleindustri AB

399

Westermo OS Management Guide

Version 4.17.1-0 be named according to their associated instance ID, e.g., pppoe0 is the interface of PPPoE instance ”0”, modem0 is the interface of serial/modem instance ”0”, and so on.

To communicate with the switch via a newly created interface, an IP address must be assigned to the interface, see

section 19.2.5

.

When creating a PPP instance of type PPPoE, the admin distance and management interface properties of the associated VLAN network interface are inherited by the PPP interface. This inheritance does not work in the reverse direction though, i.e., if the PPP instance is removed, the management and admin distance properties of the PPP interface are not passed back to the associated VLAN interface.

Note

With PPPoE, one must specify which VLAN interface to run PPPoE over, e.g., see interface vlan4 in

fig. 19.1

. The resulting PPP interface will be said to

”own” the associated VLAN interface. As of WeOS v4.17.1, it is not possible to access a switch via ”owned” VLAN interfaces — access is only possible via the PPP interface.

19.2.4

VLAN Interface MAC address

Each VLAN network interface will be assigned a MAC address (also known as the Ethernet address, the link address, the hardware address, or the IEEE EUI-48 address).

In WeOS products, each Ethernet port (or DSL port) is assigned a MAC address, and a VLAN interface will by default inherit its MAC address from one of its member ports. It is also possible to manually configure a MAC address for a VLAN interface.

The algorithm to assign VLAN interface MAC address uses the following preference order:

1. If the interface has been configured with a custom MAC address, use that address as the interface MAC address.

2. If the VLAN has one or more ports assigned untagged, use the MAC address of the ”lowest” untagged port as the interface MAC address.

3. If the port has one or more ports assigned tagged, use the MAC address of the ”lowest” tagged port as the interface MAC address.

400

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

4. Use the MAC address of the channel ( section 13.1.6

) associated with the

VLAN.

Consider the sample configuration in

fig. 19.1

. When all interfaces get their MAC

address automatically, interface vlan1 inherits the MAC address of port 1, vlan2 inherits its MAC from port 4, vlan3 from port 7 (assuming port 6 is tagged on

VLAN 3), and interface vlan4 from port 10.

Note

For the automatic MAC assignment methods (steps

2 -

4

above), the MAC address may change when the set of ports associated with the VLAN changes.

When this happens, the WeOS device will submit a gratuitous ARP to update stale ARP caches in neighbour nodes.

For VLANs created dynamically ( section 13.1.7

), no associated network interface

is created. Thus, for such VLANs no interface MAC address is needed.

19.2.5

IP address settings

Each network interface can be assigned a primary IP address and up to 8 sec-

ondary IP addresses, this is sometimes referred to as multinetting, but can also be another address on the same subnet as the primary address. The primary IP address can either be statically or dynamically assigned, depending on the address method configured for the interface (”inet static” or ”inet dynamic”).

The secondary IP addresses can only be statically configured, but can be used with both static and dynamic primary address.

Options for configuring the primary address for different interface types:

ˆ VLAN interfaces: The primary IP address of a VLAN interface can be configured statically, or configured to acquire its address dynamically (DHCP). It is also possible to have a VLAN interface without any IP address.

ˆ PPP interfaces: For PPP interfaces the address setting is set to dynamic, but the actual IP address assignment is handled by the PPP configuration (IPCP), see

section 33.1.7

.

ˆ GRE interfaces: For GRE interfaces, the primary IP address can only be configured statically.

ˆ Loopback interface (lo): The primary IP address of the loopback interface

(lo) is permanently set to 127.0.0.1.

© 2015 Westermo Teleindustri AB

401

Westermo OS Management Guide

Version 4.17.1-0

In the example below, interface vlan2 is assigned a static primary IP address

(”192.168.11.1”) and an additional secondary IP address (”192.168.12.1”), i.e., multinetting is used. Here the IP address netmask (255.255.255.0) for both addresses has been written in prefix length format (’/24’).

Example

example:/config/#> interface vlan2 example:/config/iface-vlan2/#> inet static example:/config/iface-vlan2/#> address 192.168.11.1/24 example:/config/iface-vlan2/#> address 192.168.12.1/24 secondary example:/config/iface-vlan2/#> end example:/config/#>

Interfaces with dynamic address assignment use DHCP to acquire their IP address from a DHCP server, or IPCP for PPP interfaces. If no DHCP server is present, the interface will generally end up without any IP address. The exception is the interface with best admin distance, which will always acquire a link-local IP address. The interface admin distance and link-local address concepts are further described in

section 19.2.6

.

19.2.6

Dynamic Address Assignment and Admin Distance

An interface can be configured to retrieve its IP settings dynamically via DHCP

(VLAN interfaces) or IPCP (PPP interfaces). In addition to interface settings such as IP address and netmask, the switch can also acquire general network settings such as default gateway and DNS server(s) from the DHCP server, or via PPP.

More information on general network settings is given in

section 19.3

.

Multiple network interfaces can acquire their IP settings dynamically, but only one default route, one set of DNS servers, one domain search path and one set of NTP servers can be active at one time in the system. WeOS handles this using a set of precedence rules. When setting up a device with automatic fail-over between multiple upstream connections these rules are important to be aware of.

Prior to WeOS 4.14.0 the precedence was handled by something called the pri-

mary interface. However, this has been replaced with the concept of administra-

tive distance for both static routes and interfaces. Administrative distance is also available to dynamic routing protocols such as OSPF and RIP, see

chapters 27

and

28 , respectively.

The admin distance is a priority value ranging from 1–255, where 255 is treated

402

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 as infinite distance. E.g., a static route installed with distance 255 is guaranteed to never be activated. WeOS makes use of this in fail-over scenarios with multiple upstream interfaces and ping triggers.

The following list summarises the rules for dynamically retrieved settings and how they are applied to the system.

ˆ Dynamic IP address and netmask are always set on the interface, without affecting any secondary IP address configured statically.

ˆ Default route, domain search path, and DNS servers are always saved, but not necessarily installed.

ˆ Default routes are installed with the configured interface admin distance and the ’best’ route is set as the active default route in the system.

ˆ The interface with the best (lowest) distance wins. If that interface goes down, the default route of the next best interface distance is activated.

ˆ If there are multiple interfaces with lowest distance, the system will select one of those interface as ’best’. A user wishing to have full control of what interface is ’best’ should assign a unique admin distance per interface.

Hint

Assign unique admin distance values to your interfaces.

ˆ A ping trigger can be associated with the interface distance setting. When it signals loss of connectivity, the distance of the associated default route is raised to infinity (255).

ˆ When the best upstream interface has been established, domain search

path, domain name servers (DNS) and network time protocol servers (NTP) are set from that source, unless there exist statically configured settings.

ˆ Statically configured DNS, domain and NTP always win, regardless of any distance.

ˆ NTP server may be acquired from a DHCP server when no NTP server has been configured statically (see

section 19.3.2

).

ˆ The ’primary’ setting in WeOS prior to 4.14.0 is converted to a distance value: the primary interface gets distance 1 and all other interfaces get the default distance, 16.

© 2015 Westermo Teleindustri AB

403

Westermo OS Management Guide

Version 4.17.1-0

ˆ Static configuration of routes, including the default route, competes with routes learned on DHCP client interfaces as well as routes from dynamic routing protocols. An obvious benefit of this is to have a statically configured fallback default route that is activated automatically when no better route is available. This is often referred to as a floating static route.

ˆ The default gateway setting ”ip default-gateway <IPADDR>” is deprecated. Setting up a default gateway in the CLI will install a static default route with distance 1. Use the route command instead (see

section 19.7.3

,

notice the new keyword ’default’ for ’0.0.0.0/0’

Example

example:/config/#> ip route default 192.168.11.1 10

In the example below interface vlan3 is configured to acquire its IP address via

DHCP with distance 1. The system default interface, vlan1 is moved to distance

200 and a floating static route to a gateway reachable via vlan1 is setup with a distance of 200 as well. The default route acquired by DHCP on vlan3 will be installed with distance 1 and will be made the active route.

Example

example:/config/#> interface vlan1 example:/config/iface-vlan1/#> address 192.168.11.2/24 example:/config/iface-vlan1/#> distance 200 example:/config/iface-vlan1/#> end example:/config/#> interface vlan3 example:/config/iface-vlan3/#> inet dhcp example:/config/iface-vlan3/#> distance 1 example:/config/iface-vlan3/#> end example:/config/#> ip default 192.168.11.1 200 example:/config/#>

If no DHCP server is present, an interface configured to use DHCP client for address assignment will end up without any IP address. The exception is the DHCP client interface with the best distance, which will always acquire a link-local IP address in the range 169.254.0.0/16 in addition to any address assigned via DHCP.

The link-local address is taken from the 169.254.0.0/16 range such that address collisions are avoided and that an interface is likely to get the same address every time it comes up.

404

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

19.2.7

Management Interface

The operator can manage the switch remotely in several ways: Web (HTTP/HTTPS),

SSH, Telnet, SNMP and WeConfig (using the IPConfig service). As described in

chapter 7

it is possible to completely disable individual management services, however, there are situations when an operator may wish to limit management access to a certain network interface or VLAN. WeOS provides a powerful mechanism for controlling access to management services on a per interface basis. An interface where one or more management services are enabled is referred to as a management interface.

Interface vlan1: management ssh http https ipconfig snmp

Interface vlan2: no management

Interface vlan3: management ssh

WeOS Switch/Router

1 2 3 4 5 6 7 8

VLAN 3

Internet

VLAN 1 VLAN 2

Figure 19.2: Management service filtering per interface.

Fig. 19.2

gives an example on the flexibility by the management interface feature in WeOS. The switch has three network interfaces – one for each VLAN. VLAN

1 is the administrator’s local LAN with full management capabilities. VLAN 2 is another local LAN for regular in-house users, from which no management is allowed. VLAN 3 is used as the upstream connection; in this example SSH is allowed on this network interface, while other services are disabled.

© 2015 Westermo Teleindustri AB

405

Westermo OS Management Guide

Version 4.17.1-0

Note

WeOS use the term ”management interface” rather than ”management

VLAN”. This is because management is not be limited only to VLAN network interfaces. For example, the operator may wish to manage a switch remotely through a modem connection (i.e., a PPP interface on a switch equipped with a serial port).

The equivalent of a management VLAN can be setup by filtering out management services on all interfaces but the network interfaces associated with that VLAN.

The default behaviour aims to avoid unintentional loss of management access to the switch.

Sections 19.2.2

and

19.2.3

describe the default settings for network interfaces, settings at factory default as well as settings for newly created

interfaces

1

.

Warning

Access to management services on all interfaces is convenient, but may pose a security risk if connected to an untrusted network. By default the device is (typically) manageable via all network interfaces, it is therefore strongly recommended that the operator use the interface management filter to only allow a select set of services, or none, on untrusted networks.

E.g., for an interface connected to the public Internet one should consider disallowing all management services, or perhaps only allow management via secure protocols such as SSH and HTTPS.

Also crucial to cyber security is the password policy and setting up adequately secure passwords when providing management access via an interface connected to an untrusted/public network.

A word of caution is in order, it is entirely possible to get locked out of a device when setting up the management service filter. For devices with a console port this may not be a problem, for others this is the time to be reminded about the

”crossed–cables factory reset” ( section 7.1.3.3

).

However, WeOS actually does implement some safeguards to prevent against locking yourself out. If all management is disabled on all interfaces, the system falls back to enabling secure shell, SSH, access on interface vlan1. Furthermore, if Web (for instance) is the only management service allowed on any interface,

1

As mentioned in

section 19.2.2

factory default on Falcon switches include a separate VLAN for the xDSL port, and the associated interface (vlan1006) has management services disallowed for security purposes.

406

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 but the Web server has been disabled, the same fall-back solution is triggered.

Hint

From security standpoint it is recommended to separate the management interface from the upstream WAN interfaces, but also from interface vlan1 since it is also the fallback interface in WeOS.

E.g., use interface vlan1 as a LAN interface, with high interface distance, and interface vlan2 as the upstream WAN interface, with distance 1.

If you, e.g., remove the unrelated VLAN 3 without assigning its ports to any other VLAN, then WeOS will automatically place them as untagged in VLAN

1, the default/fallback VLAN. In most cases you do not want those ports ending up on the upstream side . . .

19.2.8

Control Sending of ICMP Redirect

A WeOS router is able to send ICMP Redirect messages when it receives IP packets which could have been routed more optimal. The topology shown in

fig. 19.3

can be used to illustrate a situation where ICMP Redirect is useful.

Internet/Intranet

H1

R1

192.168.1.0/24 optimal path

R2

192.168.2.0/24

H2

Figure 19.3: Example where ICMP Redirect is useful.

Assume that Host 1 (H1) wishes to communicate with Host 2, and that H1 (only) knows about its local subnet (192.168.1.0/24) and its default route pointing to

© 2015 Westermo Teleindustri AB

407

Westermo OS Management Guide

Version 4.17.1-0

Router 1 (R1). In this case all packets from H1 to H2 will go to R1, which in turn sends them back on the same LAN to R2. The packets will be sent twice over the LAN, resulting in waste of network capacity and increased delay. By enabling sending of ICMP Redirect on R1, the router will send ICMP Redirect messages to

H1, informing the host that it can route packets directly to R2. If the host accepts ICMP Redirect messages, it will update its routing table and forward future packets to H2 directly via R2.

In WeOS, the sending of ICMP Redirect messages can be enabled/disabled per network interface. By default sending ICMP Redirect messages is enabled.

Note

A WeOS unit does not accept incoming ICMP redirect messages.

408

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

19.3

General IP settings

The general IP settings provided fall into three categories:

ˆ Routing: Configuration of default gateway, static IP routes, and ability to enable/disable IP forwarding (IP forwarding is available for products running software level WeOS Extended).

ˆ IGMP: Configuration of IGMP snooping parameters such as querier mode,

query interval and static multicast router ports. (IGMP snooping is covered in

chapter 18 .)

ˆ Services: Examples of include settings for DNS and DDNS servers, domain search path, and NTP client settings.

19.3.1

Routing

To manage the WeOS unit remotely, it should generally be configured with a default gateway. It is also possible to configure additional, static IP routes.

WeOS units running software level WeOS Extended are capable of IP forwarding, i.e., it can route incoming IP packets to other interfaces and IP subnets. For unicast, both static routing and dynamic routing (RIP and OSPF) are supported.

Units running WeOS Extended act as routers by default, i.e., IP forwarding is

enabled in the factory default setting.

WeOS units are also able to route IP multicast (static multicast routing). In addition, WeOS devices can efficiently distribute IP multicast packets in a switched

LAN by use of IGMP snooping.

This chapter only covers rudimentary routing features, such as enabling/disabling

IP forwarding and configuring a default gateway. WeOS routing support is described further in

chapters 26 -

30 . IGMP snooping support is covered in

chapter 18 .

19.3.2

Time synchronisation via NTP Server

The switch can synchronise its clock with an external time server via the NTP protocol. Up to 8 NTP servers can be configured, but it is also possible to acquire NTP server(s) via DHCP when no static NTP server is configured (see

section 19.2.6

).

© 2015 Westermo Teleindustri AB

409

Westermo OS Management Guide

Version 4.17.1-0

19.3.3

DNS client - setting DNS server and dynamic DNS

Most users find it is easier to refer to Internet hosts using domain names, e.g., http://www.example.com

, than using IP addresses, e.g., http://93.184.216.

119 . To facilitate the use of the Domain Name System (DNS), WeOS supports configuration of up to two DNS server entries. It is also possible to configure a

domain search path. These settings can also be acquired dynamically via DHCP or PPP (see

section 19.2.6

).

Use of domain names on a switch can be convenient, e.g., when setting up ping triggers, VPN peers or when troubleshooting with tools such as ping or traceroute, see

section 7.1.10

.

It is also convenient to communicate with the switch using domain names. When the switch acquires its IP address dynamically (via DHCP or PPP), maintaining the DNS server entry is cumbersome. To manage this situation, WeOS includes support for dynamic DNS (DDNS). With DDNS enabled, the switch will update its

DNS server entry automatically when acquiring a new IP address.

Examples of supported DDNS providers are:

ˆ dyndns: http://www.dyndns.org

,

ˆ freedns: http://freedns.afraid.org

ˆ no-ip: http://www.no-ip.com

See the CLI or Web online help for a more up-to-date list.

19.3.4

Proxy DNS server

WeOS units are able to act as DNS proxy servers (enabled by default). When enabled, the unit will act as a DNS server and respond to DNS queries for known

hosts:

ˆ either statically added by the ”host” ( section 19.7.8

), see also the ”show

ip host” ( section 19.7.28

) command, or

ˆ hosts for which this unit acts as DHCP server ( chapter 22 ), see also the

”show dhcp-clients” ( section 22.3.20

) command .

As DNS proxy, the WeOS the unit will also act as a caching DNS forwarder; DNS queries of unknown hosts are forwarded to the unit’s own DNS server (see the

410

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

”show ip name-server” command described in

section 19.7.26

), and the an-

swer is cached for fast response of subsequent requests for the same host.

When proxy DNS server is enabled on a WeOS unit, it will accept incoming DNS packets on all its interfaces.

Hint

For security purposes you may wish to avoid accepting DNS packets on some interfaces, e.g., your upstream interface towards the Internet. To block such request you are recommended to configure appropriate deny filter rules, e.g., ”filter deny in vlan1 dport 53 proto udp” and ”filter

deny in vlan1 dport 53 proto tcp” to block incoming DNS request on interface vlan1. For more details on the WeOS firewall, see

chapter 31 .

Alternatively, disable the DNS proxy service.

For WeOS products running software level WeOS Standard attached directly to the Internet, it is recommended to disable the DNS proxy service.

© 2015 Westermo Teleindustri AB

411

Westermo OS Management Guide

Version 4.17.1-0

19.4

Managing network interfaces via the web interface

This section covers network interface settings of the unit.

Settings related to

IGMP snooping is described in

section 18.2

.

Menu path: Configuration Network (IP) Interface

Name

A unique identifier for the interface. Automatically generated from VLAN/PPP/GRE/SSH identifier when the VLAN/PPP/GRE/SSH/ instance is created. lo is the loopback interface. (PPP, GRE and SSH interfaces are available for WeOS Extended.)

Enabled

Shows whether the interface is enabled or disabled. A green checkmark means the interface is enabled, and a dash means it is disabled.

Status

The status of the interface, Up or Down.

Distance

The administrative distance value used for routes acquired on this interface. Route selection is based on this number. A lower value indicates a more preferred route.

Continued on next page

412

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Address method

Address/

Netmask

Edit

Sort by

Continued from previous page

The IPv4 address assignment method used for the interface: Static means the IPv4 address is configured manually, Dynamic means the address is acquired automatically via DHCP (for VLAN interfaces) or is part of the PPP configuration (for PPP interfaces), and Disabled means IPv4 address assignment is disabled on the interface.

The IPv4 address, and its associated netmask, assigned to the interface. The netmask identifies what IP addresses are located on the same subnet. Displays configured IP address, when address method

Static is used. Displays the dynamically assigned address, or Pend-

ing if Dynamic address method is set. Text Disabled is shown if IP address assignment is disabled. Text Owned is shown when there is a PPPoE interface associated with that VLAN interface. Secondary addresses assigned to the interface are also listed.

Click this icon to edit the interface.

The list of interfaces may be sorted either in a default sort order, or by the distance value. Select desired sort order and press apply button.

When clicking the Edit icon for an interface you will be presented to its associated edit page.

© 2015 Westermo Teleindustri AB

413

Westermo OS Management Guide

Version 4.17.1-0

Note: The user support to only display relevant input fields is only available when using a JavaScript enabled browser.

MAC Address

Enabled

Distance

(Only applicable for VLAN interfaces.) The media access control (MAC) address is used for controlling the communication on OSI layer 2. Shows the MAC-address associated to this interface.

The interface may be activated or deactivated by the Enabled setting. Click the check-box to activate/deactivate the interface.

The administrative distance value used for routes acquired on this interface. Route selection is based on this number. A lower value indicates a more preferred route.

IP Address

Enabled

IP Address

Mode

(Only applicable for VLAN interfaces.) When disabling the

IP address, traffic may not be sent to the switch from units connected to the VLAN associated with this interface. The address may be disabled to e.g. prevent administration access from specific VLANs. The IP address mode field, and for static address mode the IP address and netmask fields, will not be visible unless this box has been checked.

Choose Static to manually configure IP address and netmask or Dynamic to let the unit query a DHCP server for address information.(PPP interfaces can only be specified for dynamic IP address, but the actual IP address assignment is handled by the PPP configuration, see

section 33.2

.)

Primary Address

The IPv4 address, and its associated netmask, assigned to the interface. The netmask identifies what IP addresses are located on the same subnet. Not applicable for PPP and loopback interfaces. These fields will only be visible if static IP Address Mode has been selected.

Secondary

Addresses

Address and netmask for the secondary IPv4-addresses associated to this interface. These fields will only be visible if IP Address Enable has been checked. Up to eight secondary IPv4-addresses may be associated to the interface. Click the plus sign to add new lines. Click the to delete a row.

Continued on next page

414

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

MTU

TCP MSS

Management

Services

Continued from previous page

This option is not available for all interface types.

Override

Set a non-default MTU size by entering an override value.

Auto

The interface will let its MTU be the default MTU of the associated link type.

This option is not available for all interface types.

Override

Limit TCP-MSS to the given number of

Auto

bytes.

Lets the TCP-MSS depend on the MTU of the interface This will work fine for typical TCP connections, but is not likely to work over IPsec tunnels or when additional IP header options are in use.

Disabled

Disables TCP-MSS clamping.

Check the boxes for the services that should be accessible from this interface.

Click the Apply button to save and apply the changes.

© 2015 Westermo Teleindustri AB

415

19.4.1

Interface Status

Menu path: Status Interface

Westermo OS Management Guide

Version 4.17.1-0

Name

A unique identifier for the interface. Automatically generated from

VLAN/PPP/GRE/SSH identifier when the VLAN/PPP/GRE/SSH/ instance is created. lo is the loopback interface. (PPP, GRE and SSH interfaces are available for WeOS Extended.)

Enabled

Shows whether the interface is enabled or disabled. A green checkmark means the interface is enabled, and a dash means it is disabled.

Status

The status of the interface, Up or Down.Text Owned is shown when there is a PPPoE interface associated with the VLAN interface. The

owner is also displayed within parenthesis.

Distance

The administrative distance value used for routes acquired on this interface. Route selection is based on this number. A lower value indicates a more preferred route.

Address method

The IPv4 address assignment method used for the interface: Static means the IPv4 address is configured manually, Dynamic means the address is acquired automatically via DHCP (for VLAN interfaces) or is part of the PPP configuration (for PPP interfaces), and Disabled means

IPv4 address assignment is disabled on the interface.

Continued on next page

416

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Address/

Netmask

Sort by

Continued from previous page

The IPv4 address, and its associated netmask, assigned to the interface. The netmask identifies what IP addresses are located on the same subnet. Displays configured IP address, when address method

Static is used. Displays the dynamically assigned address, or Pending if Dynamic address method is set. Text Disabled is shown if IP address assignment is disabled. Secondary addresses assigned to the interface are also listed.

The list of interfaces may be sorted either in a default sort order, or by the distance value. Select desired sort order and press apply button.

© 2015 Westermo Teleindustri AB

417

Westermo OS Management Guide

Version 4.17.1-0

19.5

Managing general IP settings via the web interface

This section covers general IP related settings of the unit.

Settings related to

IGMP snooping are described in

section 18.2

.

19.5.1

Global Network Settings Overview

Menu path: Configuration Network(IP) Global settings

When entering the Network(IP) configuration page you will be presented to a list of common network settings.

Global Settings (Default Gateway, Routing and DNS servers)

Configured

Default

Gateway

Active

Default

Gateway

Statically configured default gateway of the unit. This is the

IP address of the gateway to send packages to when no more specific route can be found in the routing table. Empty field indicates that no default gateway address has been statically configured.

The currently active default gateway in use. N/A indicates that no default gateway is in active use. A default gateway cannot be active if no route to the default gateway is available.

Continued on next page

418

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Routing

Domain Name

Server(s)

Edit

Continued from previous page

(only for WeOS Extended) Routing, also known as IPforwarding, allows traffic to flow between VLANs. Use the firewall to protect VLANs from unwanted traffic. Texts Enabled and

Disabled shows routing status.

List manually configured DNS servers. An empty field indicates that no DNS server has been manually configured.

Click this icon to edit ”this part” of the global settings.

These settings are described further in

section 19.5.2

.

To change the settings for a specific Interface click the associated edit icon which will take you to the interface settings edit page. Interface settings are described further in

section 19.4

.

© 2015 Westermo Teleindustri AB

419

Westermo OS Management Guide

Version 4.17.1-0

19.5.2

Edit Common Network Settings

Menu path: Configuration Network (IP) Global settings

Default Gateway

Statically configured default gateway of the unit.

This is the IP address of the gateway to send packages to when no more specific route can be found in the routing table. Leave empty if no default gateway is desired.

Routing

(only for WeOS Extended) Routing, also known as

IP-forwarding, allows traffic to flow between VLANs.

Use the firewall to protect VLANs from unwanted traffic. Check this box to enable routing, uncheck to disable.

Name server 1

Name server 2

IP address of (primary) DNS server.

IP address of (secondary) DNS server.

Click the Apply button to save and apply the changes.

420

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

19.5.3

NTP client

Menu path: Configuration System Date & Time

Figure 19.4: Switch date and time settings, NTP client

Current Date/Time

Shows current date and time. Click the manually set date/time .

icon to

Remote NTP Server

The IP address of a time server to be used to keep the units calendar time synchronised. Leave empty if you do not want to use a time server, or if NTP server should be acquired via DHCP or PPP.

Timezone

Select a timezone region to get adjusted local time.

© 2015 Westermo Teleindustri AB

421

Westermo OS Management Guide

Version 4.17.1-0

19.5.4

DDNS settings

Menu path: Configuration Network (IP) DDNS

Dynamic DNS (DDNS) provider settings

Enabled

Provider

Check this box to enable Dynamic DNS, uncheck to disable.

Select DDNS provider. Example of supported providers:

dyndns

http://www.dyndns.org

,

freedns

http://freedns.afraid.org

, and

no-ip

http://www.no-ip.com

See the online help for more.

SSL

Check this box if your DDNS provider supports HTTPS updates.

Login

Set login username for the account at your DDNS provider

Password

Set login password for the account at your DDNS provider

Hostname

Set the DNS hostname, i.e., registered domain name which should map to the IP address of this your switch. When selecting freedns, the domain name must be followed by a hash value (”HOSTNAME,HASH”); the hash is provided by

FreeDNS).

Interval

Set the interval by which DDNS verifies that the IP address mapping at your DDNS provider matches the IP address of your switch. Maximum 10 days (864000 seconds).

Click the Apply button to save and apply the changes.

422

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

19.6

Managing network interfaces via the CLI

The available interface settings and monitoring commands are shown in the table below:

Command Default Section

iface <IFNAME> inet <static|dynamic>

[no] enable [always]

[no] address <ADDRESS/LEN|

ADDRESS NETMASK> [secondary]

Differs

1

Enabled

Disabled

Sec. 19.6.1

Sec. 19.6.2

Sec. 19.6.3

[no] primary

[no] distance <1-255>

DEPRECATED

Sec. 19.6.4

16

[no] management <[ssh] [telnet] [http] Enabled

2

Sec. 19.6.5

Sec. 19.6.6

[https] [ipconfig] [snmp] | all>

[no] mtu <68-1500>

[no] tcp-mss <40-1460|auto>

[no] redirect

Differs

Differs

1

1

Enabled

Sec. 19.6.8

Sec. 19.6.9

Sec. 19.6.10

Only for VLAN interfaces

[no] mac <X:X:X:X:X:X>

Show interface status show iface [IFNAME]

Auto

Sec. 19.6.7

Sec. 19.6.11

19.6.1

Manage Network Interfaces

Syntax iface <IFNAME> inet <static|dynamic>

Context

Global Configuration

context

Usage Enter

Interface Configuration

context, and specify IP address assignment method.

ˆ ”static” means static IP address assignment. The IP address is configured via the ”[no] address <ADDRESS/LEN|ADDRESS NETMASK>” com-

1

Some interface ”native” default settings depend on the interface type, see

section 19.2.3

.

Section 19.2.2

provides information on ”factory” default settings.

2

By default, all management services except Telnet are allowed on newly created VLAN and

PPP interfaces.

© 2015 Westermo Teleindustri AB

423

Westermo OS Management Guide

Version 4.17.1-0 mand, see

section 19.6.3

.

ˆ If ”dynamic” is selected, the switch attempts to acquire its address via

DHCP (VLAN interfaces) or IPCP (PPP interfaces). If no DHCP server is available, the interface will generally end up without an IP address. The exception is the interface with best admin distance, which will get a

link-local IPv4 address if it fails to get an address via DHCP.

Use ”show iface” to show network interface configuration information of all interfaces. Use ”show iface [IFNAME]” to show configuration information for a specific interface (also available as ”show” command within the

Interface Configuration

of that specific interface).

Default values ”static” for VLAN and GRE interfaces, and ”dynamic” for PPP interfaces. For VLAN interfaces there is one exception – If vlan1 does not exist, or if it is created without an address method defined, vlan1 will default to acquire its address dynamically via DHCP.

19.6.2

Interface Administrative Mode (Enabled or Not Enabled)

Syntax [no] enable [always]

Context

Interface Configuration

context

Usage Bring interface up/down. Note, even if an interface is configured administratively up, its operational status may still be down if the associated VLAN

(or PPP instance) is not up.

Use command ”enable” to configure an interface as up, and ”no enable” to configure the interface as down.

On LAN/VLAN interfaces, it is possible to circumvent the link status propagation property by configuring an interface as always up (”enable always”).

However, disabling link status propagation may significally impact layer-3 protocols such as RIP, OSPF, VRRP, and more -– the protocols will have to fall-back to other methods to detect link-down, e.g. hello message timeout and similar. Do not use the ”enable always” setting unless you really know what you are doing.

Note

An interface configured as always up will in SNMP report ifOperStatus

”testing(3)”.

424

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Use ”show enable” to show whether this interface is configured as administratively enabled (up) or disabled (down).

Default values Enabled (”enable”)

19.6.3

IP Addresses (primary and secondary)

Syntax [no] address <ADDRESS/LEN|ADDRESS NETMASK> [secondary]

Context

Interface Configuration

context

Usage Set static IP address and netmask for an interface.

When static address assignment is chosen (”inet static”, see

section 19.6.1

),

the ”address” command can be used to the primary IP address of the interface, as well as secondary IP addresses of the interface (using the

”secondary”) keyword.

When dynamic address assignment is chosen (”inet dynamic”, see

section 19.6.1

), the ”address” command is limited to assign secondary IP ad-

dresses.

Up to 8 secondary addresses can be configured for an interface.

It is possible to specify the boundary between the network part and the

host specific part of the IP address either as a prefix length (e.g. ”address

192.168.0.1/24”) or as a regular netmask (e.g., ”address 192.168.0.1

255.255.255.0”).

Use ”show address” to show the IP address setting for this interface.

Default values Disabled (no address). That is, newly created interfaces have no IP address configured, see also

section 19.2.3

.

19.6.4

Primary Interface

Syntax [no] primary

Context

Interface Configuration

context

Usage This command is deprecated and only kept for backwards compatibility when upgrading. It is recommend to instead use the interface admin dis-

tance setting ( section 19.6.5

).

© 2015 Westermo Teleindustri AB

425

Westermo OS Management Guide

Version 4.17.1-0

An old configuration file with this setting is converted to set the selected interface as distance 1 and keep other interfaces at their default distance of

16.

For more information, see

section 19.2.6

.

19.6.5

Interface Administrative Distance

Syntax [no] distance <1-255> [trigger ID]

Context

Interface Configuration

context

Usage Administrative distance for routes learned on this interface.

Static routes learned dynamically, e.g. via DHCP, will be installed in the routing table with this administrative distance.

Possible values are 1-255, where 1 is the best and 255 is infinity, it will be visible in the routing table but will never be activated.

Use the form no distance to reset the value to its default value, 16. Use

distance 255 to prevent routes from ever being activated.

A trigger ID may be set, e.g., for monitoring an upstream network with a ping trigger, and dynamically adjusting the default route to infinite distance.

Effectively switching to another upstream interface not only on link loss.

For more information, see

section 19.2.6

.

Default values 16 (no distance)

Notes:

ˆ A PPP interface created via PPPoE will ”inherit” the admin distance setting from its associated VLAN interface.

ˆ The old primary setting on an interface is converted to distance 1 and all other interfaces are shifted downwards in priority.

ˆ This setting does not apply to protocols such as RIP and OSPF.

19.6.6

Management Service Filtering

Syntax [no] management <[ssh][telnet][http][https][ipconfig][snmp]|all>

426

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Context

Interface Configuration

context

Usage Filter management services on this interface.

The setting controls what services are allowed to use on this network interface. E.g., ”management ssh https” adds SSH and HTTPS to the set of services accessible for traffic entering via this interface, and ”no management

http” disallows management via unencrypted HTTP on this interface.

Use ”no management” to filter out access to all management services on this interface.

Use ”management all” to allow all management services on this interface.

Use ”show management” to show the list of currently allowed services via this interface.

Default values All services except ”telnet” are allowed.

Note: PPP interfaces created via PPPoE will inherit the management settings from its associated VLAN interface.

19.6.7

VLAN Interface MAC address

Syntax [no] mac <X:X:X:X:X:X>

Context

Interface Configuration

context

Usage Configure a specific MAC address for this (VLAN) interface. The address is given as a colon-separated hexadecimal string of numbers, e.g., ”mac

00:1a:4b:7b:77:24”. Leading zeros can be ignored. Uppercase or lowercase letters can be used.

Use ”no mac” specify that the interface should get its MAC address automatically.

Use ”show mac” to show the interface MAC setting for this (VLAN) interface.

For more information, see

section 19.2.4

.

Default values Auto (no mac)

19.6.8

Interface MTU Size

Syntax [no] mtu <68-1500>

© 2015 Westermo Teleindustri AB

427

Westermo OS Management Guide

Version 4.17.1-0

Context

Interface Configuration

context

Usage Configure a non-default maximum transmission unit (MTU) size (in bytes) for this interface. The MTU size is the packet size a network interface will pass to the link layer for transmission, i.e., the maximum payload of the link layer protocol.

The default is to let the MTU depend on the type of link layer (auto mode).

For interfaces associated with Ethernet and DSL links this implies a default

MTU of 1500 bytes.

For PPP interfaces (PPPoE), the MTU is set to 8 bytes less than the MTU of the associated VLAN interface, which typically implies a PPP interface MTU of 1492 bytes (1500 8). This value is set at the time of PPP interface creation; if the VLAN interface MTU is changed afterwards, the PPP interface

MTU is not updated automatically. Note: The operational MTU can change based on the PPP connection negotiation, see

section 33.3.19

.

The MTU of GRE interfaces defaults to 1476 bytes.

Use ”mtu <68-1500>” to set a non-default MTU size. Use ”no mtu” to specify that the interface should let its MTU be the default MTU of the associated link type.

Use ”show mtu” to how the interface maximum transfer unit (MTU) size setting.

Default values

ˆ VLAN interfaces: Auto (”no mtu”) For Ethernet and DSL links, this implies MTU 1500 bytes.

ˆ GRE interfaces: 1476 bytes (”mtu 1476”)

ˆ PPP interfaces (PPPoE): Typically 1492 bytes (”mtu 1492”, i.e., 8 bytes less than the associated VLAN interface)

19.6.9

Interface TCP MSS Size

Syntax [no] tcp-mss <40-1460|auto>

Context

Interface Configuration

context

Usage Enable/disable TCP-MSS clamping on this interface.

428

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

TCP-MSS clamping is used to limit the packet size (or more precisely, limit the ”maximum TCP segment size”) of TCP connections over the given interface, and is useful in situations where path MTU discovery of some reason does not work.

Enabling TCP-MSS clamping implies additional packet processing, thus it degrades routing performance somewhat. It is disabled by default on most interface types (exception is PPP interface of type PPPoE).

Use ”tcp-mss <BYTES>” to limit TCP-MSS to the given number of bytes.

Use ”tcp-mss auto” to let the TCP-MSS depend on the MTU of the interface

(”MTU-40”, i.e., interface MTU minus typical size of IP and TCP headers).

This will work fine for typical TCP connections, but is not likely to work over

IPsec tunnels or when additional IP header options are in use.

Use ”no tcp-mss” to disable TCP-MSS clamping.

Use ”show tcp-mss” to show the interface maximum TCP segment size

(MSS).

Default values Disabled (no tcp-mss) (Exception: ”tcp-mss 1412” for PPPoE

PPP interfaces.)

19.6.10

Sending ICMP Redirect messages

Syntax [no] redirect

Context

Interface Configuration

context

Usage Enable/disable sending of ICMP Redirect messages. When enabled on a

WeOS router, the router will send ICMP Redirect messages when detecting that packets coming in on this interface have a more optimal route towards the destination.

Use ”redirect” to enable sending of ICMP Redirect, and ”no redirect” to disable it.

Use ”show redirect” to show if sending of ICMP Redirect is enabled or disabled.

Default values Enabled

© 2015 Westermo Teleindustri AB

429

Westermo OS Management Guide

Version 4.17.1-0

19.6.11

Show Network Interface Status

Syntax show iface [IFNAME]

Context

Admin Exec

context.

Usage Show status information for this interface (or all interfaces). If dynamic address assignment is configured on an interface, this command will display the IP address acquired.

Default values Unless a specific interface is specified, status for all interfaces will be shown.

430

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

19.7

Managing general IP settings via the CLI

The available general IP settings and monitoring commands are shown below.

Command Default Section

Configure general IP settings ip

[no] default-gateway <IPADDR>

[no] route <NETWORK/LEN>

<GATEWAY|IFNAME> [DISTANCE]

[no] forwarding

[no] name-server <IPADDR>

[no] domain <DOMAIN>

[no] domain-proxy

[no] host <FQDN | HOSTNAME> <IPADDR>

Section 19.7.1

(DEPRECATED)

Section 19.7.2

Section 19.7.3

Distance 1

Enabled

Disabled

Disabled

Section 19.7.4

Section 19.7.5

Enabled

Section 19.7.6

Section 19.7.7

Section 19.7.8

[no] ddns

[no] provider <dyndns|freedns|no-ip>

Disabled dyndns

[no] ssl Disabled

[no] login <USERNAME> <PASSWORD> Disabled

[no] hostname <HOSTNAME>[,HASH]

[no] interval <SECONDS>

Disabled

600

Section 19.7.9

Section 19.7.10

Section 19.7.11

Section 19.7.12

Section 19.7.13

Section 19.7.14

icmp

[no] broadcast-ping

[no] ntp

[no] enable

[no] server <FQDN|IPADDR>

[no] enable

[no] poll-interval <SECONDS>

[no] sntp

[no] server <FQDN|IPADDR>

[no] poll-interval <SECONDS>

Enabled

Disabled

Enabled

N/A

Section 19.7.15

Section 19.7.16

Section 19.7.17

Section 19.7.18

Section 19.7.19

Enabled

600 sec

Section 19.7.20

Section 19.7.21

(DEPRECATED)

Section 19.7.22

Disabled

Section 19.7.23

600 sec

Section 19.7.24

Show general IP status show ip route show ip name-server show ip domain show ip host show ntp

Section 19.7.25

Section 19.7.26

Section 19.7.27

Section 19.7.28

Section 19.7.29

© 2015 Westermo Teleindustri AB

431

Westermo OS Management Guide

Version 4.17.1-0

19.7.1

Manage Global IP Settings

Syntax ip

Context

Global Configuration

context

Usage Enter

IP Configuration

context

Use ”show ip” to show general IP configuration settings.

Default values Not applicable.

19.7.2

Configure IP Default Gateway

Syntax [no] default-gateway <ADDRESS>

Context

IP Configuration

context

Usage This command is deprecated and only kept for backwards compatibility when upgrading. It is recommend to instead use the route command since it also has the distance attribute.

A default route configured using this command will always get a distance of 1. With multiple upstream WAN connections using PPPoE or DHCP it is recommended to use the route command instead.

Use ”show gateway” to show configured default gateway.

Default values Disabled (”no default-gateway”)

19.7.3

Configure Static IP Routes

Syntax [no] route <NET MASK | NET/LEN> <GATEWAY | IFNAME> [DISTANCE]

Context

IP Configuration

context

Usage Add or remove a static IP route, including default routes.

The network boundary of the destination subnet can be given as a netmask

(e.g., ”route 192.168.3.0 255.255.255.0 192.168.0.1”) or as a prefix length (e.g., ”route 192.168.3.0/24 192.168.0.1”).

System default routes are setup using the subnet 0.0.0.0 with prefix length

0, but the key keyword ’default’ is much easier to use ”route default

432

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

192.168.0.1”. The optional distance is useful when setting up backup routes in multiple upstream scenarios where interfaces acquire default routes using PPPoE or DHCP.

The destination network is however typically located remotely (specify the next hop gateway, e.g., ”route 192.168.3.0/24 192.168.0.1”), but it is also possible to use the static route command to specify additional directly

connected subnets (specify the local interface, e.g., ”route 192.168.3.0/24

vlan1”).

Use the ”no”-form to remove a static route, e.g., ”no route 192.168.3.0/24

192.168.0.1”.

Use ”show route” to list configured static routes.

Default values Using ”no route” (without a subnet address, etc.) removes all configured static routes.

19.7.4

Manage IP Forwarding

Syntax [no] forwarding

Context

IP Configuration

context

Usage (only for WeOS Extended) Enable/disable IPv4 routing.

Use ”show forwarding” to show whether IP forwarding (routing) is enabled or disabled.

Default values Enabled (”forwarding”)

19.7.5

Name Server (DNS)

Syntax [no] name-server <ADDRESS>

Context

IP Configuration

context

Usage Add/remove name-server (DNS). Two name-servers can be configured call the same ”name-server” command twice.

Run ”no name-server <ADDRESS>” to remove a specific name server, or

”no name-server” to remove all configured name servers.

© 2015 Westermo Teleindustri AB

433

Westermo OS Management Guide

Version 4.17.1-0

If a name server is not configured using the ”name-server” command, name server(s) (and domain search path) can be acquired dynamically from an interface with DHCP address assignment.

Use ”show name-server” to show configured name servers.

Default values Disabled (”no name-server”) Running ”no name-server” (without specifying any name removes all configured name servers.

19.7.6

Domain Search Path

Syntax [no] domain <DOMAIN>

Context

IP Configuration

context

Usage Add/remove domain search path. A single search path can be added.

Run ”no domain” to remove the domain search path.

If a name server is not configured using the ”name-server” command, domain(s) can be acquired dynamically from an interface with DHCP address assignment.

Use ”show domain” to show configured domain search path.

Default values Disabled (”no domain”)

19.7.7

Enable/Disable DNS proxy service

Syntax [no] domain-proxy

Context

IP Configuration

context

Usage Enable or disable DNS proxy support. When enabled, the unit will act as a DNS server and respond to DNS queries for known hosts:

ˆ either statically added by the ”host” ( section 19.7.8

), see also the

”show ip host” ( section 19.7.28

) command, or

ˆ hosts for which this unit acts as DHCP server ( chapter 22 ), see also the

”show dhcp-clients” ( section 22.3.20

) command .

Furthermore, the unit will act as a caching DNS forwarder; DNS queries of unknown hosts are forwarded to the unit’s own DNS server (see the ”show

434

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ip name-server” command described in

section 19.7.26

), and the answer

is cached for fast response of subsequent requests for the same host.

Use command ”domain-proxy” to enable the DNS proxy service, and ”no

domain-proxy” to disable it.

Use ”show domain-proxy” to view the current setting.

Default values Enabled (”domain-proxy”)

Example

example:/#> show ip host

127.0.0.1 localhost

127.0.1.1 example.local example

192.168.3.11

mypc example:/#> ping mypc

Press Ctrl-C to abort PING mypc (192.168.3.11): 56 data bytes

64 bytes from 192.168.3.11: seq=0 ttl=64 time=1.049 ms

64 bytes from 192.168.3.11: seq=1 ttl=64 time=0.627 ms

ˆC

--- mypc ping statistics ---

2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.627/0.838/1.049 ms example:/#> show dhcp-clients

Lease Time MAC Address IP Address Hostname Client ID

===============================================================================

120 00:07:7c:03:ec:02 192.168.5.106

alice 01:00:07:7c:03:ec:02 example:/#> ping alice

Press Ctrl-C to abort PING alice (192.168.5.106): 56 data bytes

64 bytes from 192.168.5.106: seq=0 ttl=64 time=1.182 ms

64 bytes from 192.168.5.106: seq=1 ttl=64 time=0.754 ms

ˆC

--- alice ping statistics ---

2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.754/0.968/1.182 ms example:/#>

19.7.8

Add static hostname lookup entry

Syntax [no] host <FQDN | HOSTNAME> <IPADDR>

Context

IP Configuration

context

Usage Add or delete entries in the static hostname resolution table (host table).

The table is both used when resolving hostnames of DNS requests originating from the unit itself (e.g., when running ”ping www.example.com” from the CLI command line), and when responding to DNS queries from hosts

(assuming this unit is configured as DNS proxy, see

section 19.7.7

).

© 2015 Westermo Teleindustri AB

435

Westermo OS Management Guide

Version 4.17.1-0

ˆ Hostnames containing a dot (”.”) are interpreted as fully qualified domain names (FQDN).

ˆ Hostnames without a dot are interpreted as simple hostnames. The system will both be able to resolve DNS queries for the hostname, as well as

hostname concatenated with the unit’s domain search path. Use ”show

ip domain” ( section 19.7.27

) to view the unit’s search path domain.

Example

example:/#> configure example:/config/#> ip example:/config/ip/#> domain example.org example:/config/ip/#> host mypc 192.168.10.1 example:/config/ip/#> host www.anotherexample.org 10.0.0.1 example:/config/ip/#> leave example:/#> show ip hosts

127.0.0.1 localhost

127.0.1.1 example.local example

192.168.10.1

10.0.0.1

mypc mypc.example.org

www.anotherexample.org

example:/#> ping mypc

Press Ctrl-C to abort PING mypc (192.168.10.1): 56 data bytes

64 bytes from 192.168.10.1: seq=0 ttl=64 time=8.291 ms

64 bytes from 192.168.10.1: seq=1 ttl=64 time=0.650 ms

ˆC

--- mypc ping statistics ---

2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.650/4.470/8.291 ms example:/#>

Use ”no host <HOSTNAME>” to remove a specific entry in the host table, and ”no host” to remove all configured entries in the host table.

Use ”show host” to view the currently configured static host entries.

Default values Not applicable (no static host entries configured)

19.7.9

Manage DDNS Settings

Syntax [no] ddns

Context

IP Configuration

context

Usage Enter

DDNS Configuration

context. Upon entering the context, the DDNS service will be enabled. However, it will not be activated until valid DDNS parameters (login, etc.) are configured. Use ”no ddns” to disable the DDNS service.

436

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Use ”show ddns” to show configured DDNS settings (also available as ”show” command within the

DDNS Configuration

context).

Default values Disabled (”no ddns”)

19.7.10

Set DDNS Provider

Syntax [no] provider <dyndns|freedns|no-ip>

Context

DDNS Configuration

context

Usage Set DDNS provider. Example of supported providers:

dyndns

http://www.dyndns.org

,

freedns

http://freedns.afraid.org

, and

no-ip

http://www.no-ip.com

For a complete list of supported DDNS providers, type ”help provider”.

Use ”no provider” to return to the default provider setting.

Default values dyndns

19.7.11

Enable HTTPS Updates

Syntax [no] ssl

Context

DDNS Configuration

context

Usage Enable/disable HTTPS updates, if the provider supports it.

Use ”show ssl” to show whether HTTPS updates is enabled or disabled.

Default values Disabled (HTTP)

19.7.12

Set DDNS Login and Password

Syntax [no] login <USERNAME> <PASSWORD>

Context

DDNS Configuration

context

© 2015 Westermo Teleindustri AB

437

Westermo OS Management Guide

Version 4.17.1-0

Usage Set login username and password for your account at your DDNS provider

(see

section 19.7.10

). Use ”no login” to remove a configured DDNS login

setting.

Default values Disabled

19.7.13

Set DDNS Hostname

Syntax [no] hostname <HOSTNAME>[,HASH]

Context

DDNS Configuration

context

Usage Set the DNS hostname, i.e., registered domain name which should map to the IP address of this your switch.

When selecting ”provider freedns”, the domain name must be followed by a hash value (”hostname HOSTNAME,HASH”); the hash is provided by

FreeDNS).

Default values Disabled

19.7.14

Set DDNS interval

Syntax [no] interval <SECONDS>

Context

DDNS Configuration

context

Usage Set the interval by which DDNS verifies that the IP address mapping at your DDNS provider matches the IP address of your switch. Maximum 10 days (864000 seconds).

Use ”no interval” to return to the default provider setting.

Default values 600 (seconds)

19.7.15

Manage ICMP Settings

Syntax icmp

Context

IP Configuration

context

438

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Enter

ICMP Configuration

context.

Use ”show icmp” to show ICMP settings (also available as ”show” command within the

ICMP Configuration

context).

Default values Not applicable.

19.7.16

Enable/disable Broadcast Ping

Syntax [no] broadcast-ping

Context

ICMP Configuration

context

Usage Define whether the switch should respond to broadcast ”ping” (ICMP Echo

Request) messages or not. Responding to broadcast ping is convenient when troubleshooting the network, but can in some situations be considered a security risk.

Use ”no broadcast-ping” to disable responding to broadcast ping messages.

Use ”show broadcast-ping” to show whether the switch is configured to respond to broadcast ping messages or not.

Default values Enabled (”broadcast-ping”)

19.7.17

Manage NTP Settings

Syntax [no] ntp

Context

Global Configuration

context

Usage Enter

NTP Configuration

context by using the ”ntp” command.

Use ”no ntp” to remove all configured NTP settings.

Use ”show ntp” to show NTP settings (also available as ”show” command within the

NTP Configuration

context).

Default values Not applicable.

© 2015 Westermo Teleindustri AB

439

Westermo OS Management Guide

Version 4.17.1-0

19.7.18

Enable/Disable NTP Settings

Syntax [no] enable

Context

NTP Configuration

context

Usage Enable or disable configured NTP settings.

Use ”enable” to enable/activate configured NTP settings. Use ”no enable” to disable/deactivate configured NTP settings (the settings are not removed, only deactivated).

Use ”show enable” to show whether NTP settings are enabled or disabled.

Default values Enabled

19.7.19

Manage (remote) NTP Server(s)

Syntax [no] server <FQDN|IPADDR>

Context

NTP Configuration

context

Usage Add, delete, or manage a remote NTP server with specified IP Address or domain name, to set the time on this unit. Up to 8 NTP servers can be configured. With the ”server <FQDN|IPADDR>” you enter the

NTP Remote

Server Configuration

context for that specific NTP server.

If no (remote) NTP server is configured, the unit can acquire NTP server(s) dynamically from an interface with DHCP address assignment.

Use ”no server <FQDN|IPADDR>” to remove a specific NTP server, or ”no

server” to remove all configured NTP servers.

Use ”show server” to show settings for all configured NTP servers, or ”show

server <FQDN|IPADDR>” to show NTP settings for a specific NTP server (also available as ”show” command within the

NTP Remote Server Configuration

context).

Default values Not applicable

19.7.20

Enable/Disable (remote) NTP Server

Syntax [no] enable

440

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Context

NTP Remote Server Configuration

context

Usage Enable or disable configured settings for this NTP server.

Use ”enable” to enable/activate configured NTP server settings. Use ”no

enable” to disable/deactivate configured NTP server settings (the settings are not removed, only deactivated).

Use ”show enable” to show whether NTP server settings are enabled or disabled.

Default values Enabled

19.7.21

Set NTP Server Poll Interval

Syntax [no] poll-interval <30-720>

Context

NTP Remote Server Configuration

context

Usage Set NTP server poll interval (in seconds) for this NTP server. ”no poll-interval” will reset the poll interval to its default (600 seconds).

Use ”show poll-interval” to show configured poll interval.

Default values 600 (seconds)

19.7.22

Manage NTP Client Settings (Deprecated)

Syntax [no] sntp

Context

Global Configuration

context

Usage Enable NTP client and enter

NTP Client Configuration

context by using the ”sntp” command.

Use ”no sntp” to disable the NTP client service.

Use ”show sntp” to show NTP client settings (also available as ”show” command within the

NTP Client Configuration

context).

Note

The

NTP Client Configuration

context is deprecated and kept for backwards compatibility. NTP client settings is instead handled as part of other NTP settings in the

NTP Configuration , see section 19.7.17

.

© 2015 Westermo Teleindustri AB

441

Westermo OS Management Guide

Version 4.17.1-0

Default values Not applicable.

19.7.23

Set NTP Client (Remote) Server Address (deprecated)

Syntax [no] server <FQDN|IPADDR>

Context

NTP Client Configuration

context

Usage Set IP Address, or domain name, of NTP Server used by this client.

A single NTP server IP address, or a fully qualified domain name, FQDN, can be configured. If disabled, NTP server can be acquired dynamically from an interface with DHCP address assignment.

”no server” to remove a configured NTP server address.

Use ”show server” to show NTP client (remote) server setting.

Note

The ”server” command within

NTP Client Configuration

context is deprecated and kept for backwards compatibility. NTP client settings for remote server is instead handled as part of other NTP settings in the

NTP Remote Server Configuration , see section 19.7.19

.

Default values Disabled

19.7.24

Set NTP Poll Interval (deprecated)

Syntax [no] poll-interval <30-720>

Context

NTP Client Configuration

context

Usage Set NTP server poll interval (in seconds). ”no poll-interval” will reset the poll interval to its default (600 seconds).

Use ”show poll-interval” to show configured poll interval.

Note

The ”poll-interval” command within

NTP Client Configuration

context is deprecated and kept for backwards compatibility. NTP client settings for remote server is instead handled as part of other NTP settings in the

NTP Remote Server Configuration , see

section 19.7.21

.

442

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Default values 600 (seconds)

19.7.25

Show IP Forwarding Table

Syntax show ip route

Context

Admin Exec

context

Usage Show IP Forwarding table (summary of configured routes and routes acquired dynamically).

Default values Not applicable.

19.7.26

Show Name Server and Domain Search Path Status Information

Syntax show ip name-server

Context

Admin Exec

context

Usage Show name-server and domain search path status information (statically configured or acquired dynamically)

19.7.27

Show Domain Search Path Status Information

Syntax show ip domain

Context

Admin Exec

context

Usage Show domain search path status information (statically configured or acquired dynamically)

Example

example:/#> show ip domain example.org

example:/#>

© 2015 Westermo Teleindustri AB

443

Westermo OS Management Guide

Version 4.17.1-0

19.7.28

Show local host table

Syntax show ip hosts

Context

Admin Exec

context

Usage Show the local hostname resolution table. Static hostname resolution

entries configured with the ”host” command ( section 19.7.8

) are listed, as

well as entries for the unit itself (localhost and entries for the unit’s own hostname, see

section 20.2.2

).

Example

example:/#> show ip hosts

127.0.0.1 localhost

127.0.1.1 example.local example

192.168.10.1

10.0.0.1

example:/#> mypc mypc.example.org

www.anotherexample.org

19.7.29

Show NTP Status Information

Syntax show ntp [verbose]

Context

Admin Exec

context

Usage Show NTP status information. An asterisk ’*’ shows which NTP server is used to synchronize the time.

For more information, use ”show ntp

verbose”.

Example

example:/#> show ntp

NTP Client/Server running as PID: 805

210 Number of sources = 2

MS Name/IP address Stratum Poll Reach LastRx Last sample

===============================================================================

^* ntp-anycast.kth.se

^- cecar.ddg.lth.se

2

2

9

9

37

37

370

370

+222us[ -916ms] +/-

-8317us[-8317us] +/-

22ms

81ms

444

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 20

General System Settings

WeOS provides management of a set of features related to system identity and other general system settings. The table below gives a summary of the features available via the web and CLI management interfaces.

System hostname, location and contact correspond to the associated system objects of the original MIB-2 standard MIB (RFC 1213). For more information on

WeOS SNMP support, see

chapter 6 .

Feature

System Hostname

System Location

System Contact

System Time Zone

System Date/Time

CPU bandwidth limitation

Web

CLI

X

X

X

X

1

X

X

X

X

X

X

X

Section 20.1

covers management of general system settings via the Web interface, and

section 20.2

describes the corresponding features in the CLI.

1

Web configuration of System Time Zone is done as part of the Network settings, see

section 19.5

.

© 2015 Westermo Teleindustri AB

445

Westermo OS Management Guide

Version 4.17.1-0

20.1

Managing switch identity information via the web interface

20.1.1

Manage System Identity Information

Menu path: Configuration System Identity

Fig

20.1

shows the page where you can set hostname, location and contact information for your switch.

Figure 20.1: Switch identity settings example

Hostname

A name to identify this unit. Max 64 characters. Valid characters are A-Z, a-z, 0-9, and hyphen (-). The first character should be alphabetic (A-Z, a-z). Hyphen is not valid as first or last character.

Location

A description to identify where the unit is located. Max 64 characters. Valid characters are ASCII 32-126 except ’#’ (ASCII

35). ”Space” (ASCII 32) is not valid as first or last character.

Contact

A description identifying whom to contact regarding management of the unit. Max 64 characters. Valid characters are ASCII

32-126 except ’#’ (ASCII 35). ”Space” (ASCII 32) is not valid as first or last character.

Change the values to appropriate values for your switch and click the Apply button.

446

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

20.1.2

Set System Date and Time

Menu path: Configuration System Date & Time

Figure 20.2: Switch date and time settings, NTP server

Current Date/Time

Shows current date and time. Click the maually set date/time .

Timezone

icon to

Remote NTP Server

The IP address of a time server to be used to keep the units calendar time synchronised. Leave empty if you do not want to use a time server.

Select a timezone region to get adjusted local time.

© 2015 Westermo Teleindustri AB

447

Westermo OS Management Guide

Version 4.17.1-0

20.2

Managing switch identity information via CLI

Command Default Section

Configure General System Settings system

[no] hostname <ID>

[no] location <ID>

[no] contact <ID>

”family”

1

Section 20.2.1

Section 20.2.2

(empty)

Section 20.2.3

(empty)

Section 20.2.4

[no] timezone <TIMEZONE> Etc/UTC

Section 20.2.5

[no] cpu-bandwidth-limit <auto|<64-100000>| Auto

Section 20.2.6

<7700-1488000> fps>

Set date and time date

View available time zones system show timezone [QUERY|SUBSTRING]

Section 20.2.7

Section 20.2.8

20.2.1

Manage System Identity Information

Syntax system

Context

Global Configuration

context

Usage Enter

General System Configuration

configuration context.

Use ”show system” to show all general system configuration settings (also available as ”show” command within the

General System Configuration ).

Default values Not applicable

20.2.2

System Hostname

Syntax hostname <STRING>

1

The default hostname depends on the product family, e.g., Lynx products have default hostname lynx.

448

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Context

General System Configuration

context

Usage Set system hostname string.

Max 64 characters. Valid characters are A-Z, a-z, 0-9, and hyphen (-). The first character should be alphabetic (A-Z, a-z). Hyphen is not valid as first or last character.

”no hostname” resets the hostname to its default value.

Use ”show hostname” to view the configured hostname setting.

Default values ”family” (The default hostname depends on the product family, e.g., Lynx products have default hostname lynx.)

20.2.3

System Location

Syntax location <STRING>

Context

General System Configuration

context

Usage Set system location string.

Max 64 characters. Valid characters are ASCII 32-126 except ’#’ (ASCII 35).

”Space” (ASCII 32) is not valid as first or last character.

”no location” resets the location string to its default value (empty).

Use ”show location” to view the configured location setting.

Default values (empty)

20.2.4

System Contact

Syntax contact <STRING>

Context

General System Configuration

context

Usage Set system contact string.

Max 64 characters. Valid characters are ASCII 32-126 except ’#’ (ASCII 35).

”Space” (ASCII 32) is not valid as first or last character.

”no contact” resets the contact string to its default value (empty).

Use ”show contact” to view the configured contact setting.

© 2015 Westermo Teleindustri AB

449

Westermo OS Management Guide

Version 4.17.1-0

Default values (empty)

20.2.5

Set System Time Zone

Syntax [no] timezone <TIMEZONE>

Context

General System Configuration

context.

Usage Set system time zone string.

Note

For information of available time zone settings, see

section 20.2.8

.

”no timezone” resets the timezone to its default value (Etc/UTC).

Use ”show timezone” to view the configured timezone setting.

Default values Etc/UTC

20.2.6

CPU bandwidth limitation

Syntax [no] cpu-bandwidth-limit <auto|<64-1000000>|<7700-1488000> fps>

Context

General System Configuration

context

Usage Limit the traffic sent to the CPU in kbit/s or frames per second (traffic

from the CPU is not affected). It is also possible use ISO modifiers k/M/G, e.g., 256k or 10M as specifiers for kbps and Mbps.

Note

CPU bandwidth limit in frames per second mode is available on all

WeOS products, with exceptions for some RedFox models. On Red-

Fox, the frames per second mode is available for products based on the ”Corazon” platform, including RedFox Industrial Rack, newer Red-

Fox Rail (RFR-212-FB)[ 50 ] and newer RedFox Industrial[ 48 ]. But the

frames per second mode is not available on RedFox products based on

the (older) ”Atlas” platform, i.e, RedFox Industrial listed in [ 47 ] or older

RedFox Rail (RFR-12-FB).

Set values are rounded off to the nearest possible HW setting.

450

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Note

Default is ”auto”, which means that system will automatically reduce

CPU bandwidth when critical services are enabled. As of WeOS v4.17.1,

FRNT Ring Bridging or Multi-link Dual-Homing (see

chapter 15 ) are con-

sidered critical, but the set of critical services may change in future

WeOS releases.

A user can override the default with ”no cpu-bandwidth-limit” or any more specific setting (e.g., ”cpu-bandwidth 4M”). However, for critical services it is recommended leave the default ”auto”.

On units with multiple CPU channels (see

section 13.1.6

), the setting will

apply for each of the channels..

Use ”no cpu-bandwidth-limit” to disable CPU bandwidth limitation.

Use ”show cpu-bandwidth-limit” to view the configured CPU bandwidth limit setting.

Default values Auto (”cpu-bandwidth-limit auto”)

20.2.7

Set or show System Date and Time

Syntax date [[YYYY-MM-DD ]hh:mm[:ss]]

Context

Admin Exec

context.

Usage Set system date and time, or only time.

Use ”show date” to view the current date and time.

Default values If no date or time is given, the current date and time will be displayed.

Example

example:/#> date 2013-05-31 10:18

Fri May 31 10:18:00 UTC 2013 example:/#> show date

Fri May 31 10:18:09 UTC 2013 example:/#>

© 2015 Westermo Teleindustri AB

451

Westermo OS Management Guide

Version 4.17.1-0

20.2.8

Show System Time Zone

Syntax show timezone [QUERY|SUBSTRING]

Context

General System Configuration

context.

Usage Show system time zone setting/list available time zones.

When given without any argument (”show timezone”), the configured time zone setting is presented.

When providing an argument, the available time zone settings matching that argument is listed, e.g., issuing the command ”show timezone asia” will list all possible time zone configuration settings for Asia (or more precisely, all available time zones containing the substring ’asia’.) See

section 20.2.5

for information of how to set the system time zone.

Default values Not applicable.

452

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 21

AAA - Authentication,

Authorisation and Accounting

This chapter describes WeOS AAA support - Authentication, Authorisation and

Accounting. The AAA configuration gathers authentication methods and policies in one place and is referenced from other subsystems in WeOS. Three uses of

AAA are currently supported:

ˆ WeOS unit login: The login password to the unit is part of AAA.

ˆ Port Based Access Control (PNAC): WeOS supports port access control with

IEEE 802.1X and MAC based authentication. This is configured in two different places, in AAA and as settings related to VLAN. The configuration in AAA specifies RADIUS backends and MAC filtering lists, and the configuration in

VLAN which ports are enabled for port access control. See

section 13.2

for an introduction and guidance to configure port based access control with

WeOS.

ˆ PPP Peer Authentication: You can create and use local user database lists to authenticate and authorise your PPP peers. This is typically used for PPP connections in dial-in/server mode (see

section 33 ), but you can also use

this to authenticate and authorise your peer in other PPP modes.

© 2015 Westermo Teleindustri AB

453

Westermo OS Management Guide

Version 4.17.1-0

21.1

Overview over AAA

Feature

Login account management

Local user DB

RADIUS

RADIUS servers

RADIUS server groups

Port Based Access Control

IEEE 802.1X Access

Control Instances

MAC authentication lists

Web

CLI

General Description

X

X

X

X

Section 21.1.1

Section 21.1.2

X

X

X

X

X

X

X

X

21.1.1

Login Account Management

Currently WeOS only supports a single login user account, the admin user account. The same account is used when managing the switch via the Web or via the CLI. Factory default settings for the user account is:

ˆ Login: admin

ˆ Password: westermo

The admin password can be changed, both via the Web and the CLI interfaces.

Account passwords can be at most 64 characters long (longer passwords are trun-

cated). Printable ASCII

1

characters except ”space” (ASCII 33-126) are allowed in the password.

Section 7.1.3

provides information on how to proceed in case you forget the ad-

min password.

21.1.2

User Authentication Lists - Local Databases

Local user databases are useful for storing authentication credentials with no need for any external infrastructure. The lists consist of user name and password pairs which are stored in plain text. In the future it will also be possible to store hashed passwords.

1

American Standard Code for Information Interchange (ASCII), see e.g.

http://en.wikipedia.

org/wiki/ASCII

(accessed May 2009).

454

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Currently local databases can only be used to authenticate PPP peers. A PPP peer can be a user connecting via an external modem or over PPPoE (and in future releases of WeOS, via an L2TP or PPTP VPN tunnel). The most common configuration is to require the peer to authenticate itself when the WeOS device has a server role, but it is also possible to require authentication in a client configuration.

When a local database is created, a numeric ID is associated with it. This ID will be used to reference the database from other contexts within WeOS. Additionally, a description string may also be associated with the instance to make it easier to remember their purpose, i.e. “maintainers”.

© 2015 Westermo Teleindustri AB

455

Westermo OS Management Guide

Version 4.17.1-0

21.2

Managing AAA via the web interface

21.2.1

Login Account Management via the Web Interface

Menu path: Maintenance Password

The only account management feature in the web management tool at the moment is change of the admin password.

New Password

Enter the new password for the admin account.

Repeat New Password

To minimise risk of typing error, enter the new password for the admin account once again.

456

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.2

Local User Databases

Menu path: Configuration AAA Local User DB

The main page for local user databases shows an overview of created databases.

ID

A unique identifier for the local user database.

Description

The users description of this database.

Edit

Click this icon to edit the user database. See

section 21.2.4

for details.

Delete

New

Click this icon to remove the user database. You will be asked to acknowledge the removal before it is actually executed.

Click this button to add a new user database. See

section 21.2.3

for details. You can create at maximum 4 databases.

© 2015 Westermo Teleindustri AB

457

Westermo OS Management Guide

Version 4.17.1-0

21.2.3

New Local User Database

Menu path: Configuration AAA Local Users DB ⇒ New

ID

The local user database identifier. This is generated automatically in the web interface and can not be changed.

Description

Optional.

A user defined description for this database that will be visible in listings.

After pressing the Apply button, users can be added to the database. See

section 21.2.5

.

21.2.4

Edit a local user database

Menu path: Configuration AAA Local Users DB

See

section 21.2.3

for descriptions of the fields on this page.

458

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.5

Users

Menu path: Configuration AAA Local Users DB

The users list is displayed on the edit page for the local user database.

Username

A username unique in this database.

New User

Press this button to create a new user in this database. See

section 21.2.6

© 2015 Westermo Teleindustri AB

459

Westermo OS Management Guide

Version 4.17.1-0

21.2.6

New User

Menu path: Configuration AAA Local Users DB

⇒ New User

Username

A username unique in this database.

Password

The password for this user.

21.2.7

Edit User

Menu path: Configuration AAA Local Users DB

(Users table)

See

section 21.2.6

for descriptions of the fields on this page.

460

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.8

RADIUS overview

Menu path: Configuration AAA RADIUS

The main page for RADIUS shows an overview of configured RADIUS groups and the remote RADIUS server configurations.

21.2.8.1

RADIUS groups in the overview

ID

The RADIUS group identifier

Description

The user defined name of this group

Servers

List of RADIUS servers included in this group. Each server is presented by its description name and the server identifier inside parentheses

Edit

Click this icon to edit the RADIUS group. See

section 21.2.9

for details.

Continued on next page

© 2015 Westermo Teleindustri AB

461

Westermo OS Management Guide

Version 4.17.1-0

Continued from previous page

Delete

Click this icon to remove the RADIUS group. You will be asked to acknowledge the removal before it is actually executed. Removing a group will not remove the config of the included servers.

New Group

Click this button to add a new RADIUS group. See

section 21.2.10

for details. You can create at maximum 2 RADIUS groups.

21.2.8.2

RADIUS servers in the overview

ID

The remote RADIUS server identifier

Description

The user defined name on this server

Address

IP or FQDN of the RADIUS server

Auth Port

The UDP port used for authentication

Edit

Click this icon to edit the remote RADIUS server setting. See

section 21.2.11

for details.

Delete

Click this icon to remove the remote RADIUS server setting. You will be asked to acknowledge the removal before it is actually executed.

New Server

Click this button to add a new remote RADIUS server configuration. See

section 21.2.12

for details. You can define at maximum 6 remote RADIUS configurations.

462

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.9

Edit a RADIUS group

Menu path: Configuration AAA RADIUS (RADIUS group)

ID

The RADIUS group identifier. This is generated automatically in the web interface and can not be changed.

Description

Optional. A user defined name for this group that will be visible in listings.

Servers

Remote RADIUS servers that are included in this group. The order of this list is important as it defines the order that servers are queried. Select a server in the drop-down list and add it by clicking the plus icon. Use the icon to remove a server from the group. You are limited to max 3 servers per group.

© 2015 Westermo Teleindustri AB

463

Westermo OS Management Guide

Version 4.17.1-0

21.2.10

Add a RADIUS group

Menu path: Configuration AAA RADIUS New Group

See

section 21.2.9

for descriptions of the fields on this page. You can have at maximum 2 RADIUS server groups.

464

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.11

Edit a remote RADIUS server

Menu path: Configuration AAA RADIUS (RADIUS server)

ID

The remote RADIUS server identifier. This is generated automatically in the web interface and can not be changed.

Description

Optional. A user defined name for this server configuration that will be visible in listings.

Address

Auth Port

Mandatory. The IP number or Fully Qualified Domain

Name (FQDN) to the remote RADIUS server

Mandatory. The UDP port number for RADIUS authentication requests. The default and standardised port number for this is 1812 but can be changed here if needed.

Secret

Optional. A shared secret (password) that should be used to encrypt the communication with this RA-

DIUS server.

© 2015 Westermo Teleindustri AB

465

Westermo OS Management Guide

Version 4.17.1-0

21.2.12

Add a remote RADIUS server

Menu path: Configuration AAA RADIUS New Server

See

section 21.2.11

for descriptions of the fields on this page. You can have at maximum 6 remote RADIUS server configurations.

466

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.13

IEEE 802.1X authentication

Menu path: Configuration AAA 802.1X

Here you see a listing of currently configured 802.1X instances.

ID

The IEEE 802.1X instance identifier

Enabled

If this instance is active, A green check-mark means yes and a dash means no

Description

The user defined name on this IEEE 802.1X instance

Method

The RADIUS server or group used for this instance

Edit

Click this icon to edit the instance See

tion 21.2.14

for details.

sec-

Delete

New

Click this icon to remove the instance. You will be asked to acknowledge the removal before it is actually executed. Removing an IEEE 802.1X instance will not remove the referenced RADIUS group or server.

Click this button to add a new IEEE 802.1X instance.

See

section 21.2.15

for details. You can currently

only create one instance.

© 2015 Westermo Teleindustri AB

467

Westermo OS Management Guide

Version 4.17.1-0

21.2.14

Edit an IEEE 802.1X instance

Menu path: Configuration AAA 802.1X

ID

Enabled

Check to enable this instance.

Description

Optional. A user defined name for this instance.

Method

The IEEE 802.1X instance identifier. This is generated automatically in the web interface and can not be changed.

Mandatory. Use this drop-down menu to select a

RADIUS group or a remote RADIUS server. RADIUS groups and remote servers are created separately.

See

section 21.2.10

and

section 21.2.12

.

IMPORTANT: Creating an IEEE 802.1X instance does not in itself activate authentication. Port access is managed in the VLAN configuration. See

sections 13.2

and

13.3.4

. The instance here must be referenced from the port access configu-

ration for it to be used!

468

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.15

Add an IEEE 802.1X instance

Menu path: Configuration AAA 802.1X New

See

section 21.2.14

for descriptions of the fields on this page. You can currently

only configure one IEEE 802.1X instance.

© 2015 Westermo Teleindustri AB

469

Westermo OS Management Guide

Version 4.17.1-0

21.2.16

MAC based authentication

Menu path: Configuration AAA MAC Auth

Here you see a listing of currently configured MAC authentication lists.

ID

Enabled

The MAC authentication list identifier

If this list is active, A green check-mark means yes and a dash means no

Description

The user defined name on this MAC authentication list

Edit

Click this icon to edit the list See details.

section 21.2.17

for

Delete

New List

Click this icon to remove the list. You will be asked to acknowledge the removal before it is actually executed.

Click this button to add a new MAC authentication list. See

section 21.2.18

for details. You can create up to 8 MAC authentication lists.

470

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.2.17

Edit a MAC authentication list

Menu path: Configuration AAA MAC Auth

ID

The MAC authentication list identifier. This is generated automatically in the web interface and can not be changed.

Enabled

Check to enable this list.

Description

Optional. A user defined name for this list.

MAC

Optional.

A list of MAC addresses and MAC address patterns.

Single MAC addresses are specified in the format: HH:HH:HH:HH:HH:HH. A wildcard * can be used at the end of the pattern to match a block of addresses. Examples: 00:80:C8:*,

00:D8:AA:2C:85:01. Use the drop-down list to select a port if you want the pattern to only be valid for requests coming in through a specific port. The description field is optional. Add a pattern by clicking on the plus icon. Use the icon to remove a pattern. A list is limited to max 44 addresses/patterns.

IMPORTANT: Creating a MAC authentication list does not in itself activate filtering of addresses. Port access is managed in the VLAN configuration. See

sections 13.2

and

13.3.4

. The created MAC authentication list must be referenced

from the port access configuration for it to be used!

© 2015 Westermo Teleindustri AB

471

Westermo OS Management Guide

Version 4.17.1-0

21.2.18

Add a new MAC authentication list

Menu path: Configuration AAA MAC Auth New List

See

section 21.2.17

for descriptions of the fields on this page.

472

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.3

Managing AAA via the CLI

The table below shows AAA management features available via the CLI.

Command

Account management (Login) aaa username <USERNAME> [hash]

<PASSWORD>

Default Section

Section 21.3.1

Section 21.3.2

Local User Database Lists (PPP, . . . ) aaa local-db <ID> [plain]

[no] username <USERNAME><PASSWORD>

[no] description <STRING>

Configure Remote (RADIUS) Server Connectors aaa

[no] remote-server <ID> [type <TYPE>] type <TYPE>

[no] description <STRING>

[no] address <IP | FQDN>

[no] password <PASSWORD>

[no] auth-port <PORT> radius

1812

Configure (RADIUS) Server Groups aaa

[no] server-group <GID> [type <TYPE>] type <TYPE>

[no] description <STRING>

[no] server <ID|ID,ID|ID,ID,ID>

Configure IEEE 802.1X Authentication aaa

[no] dot1x-auth <ID>

[no] enable radius

Enabled

Section 21.3.3

Section 21.3.4

Section 21.3.5

Section 21.3.6

Section 21.3.7

Section 21.3.8

Section 21.3.9

Section 21.3.10

Section 21.3.11

Section 21.3.12

Section 21.3.13

Section 21.3.14

Section 21.3.15

Section 21.3.16

Section 21.3.17

Continued on next page

© 2015 Westermo Teleindustri AB

473

Westermo OS Management Guide

Version 4.17.1-0

Command

[no] description <STRING>

[no] method <group <GID>|server <ID>>

Continued from previous page

Default Section

Section 21.3.18

Section 21.3.19

Configure MAC Authentication Lists aaa

[no] mac-auth <ID>

[no] enable

[no] description <STRING>

[no] mac match <MAC-PATTERN>

[limit <PORT>] [description <STRING>]

Enabled

Section 21.3.20

Section 21.3.21

Section 21.3.22

Section 21.3.23

21.3.1

Manage AAA Settings

Syntax aaa

Context

Global Configuration

Usage Enter

AAA Configuration

context (Authentication, Authorisation and Accounting). The AAA context is used for managing user account settings, etc.

Use ”show aaa” to show all configured AAA settings: list the local users and any configured remote servers, server groups, IEEE 802.1X authentications and MAC authentications.

Default values Not applicable.

21.3.2

Changing Account Password

Syntax username <USERNAME> [hash] <PASSWORD>

Context AAA context

Usage Change password of a certain user account, e.g., the ”admin” account.

By default, the password is entered as clear-text, and saved as a hash.

474

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

The ”hash” keyword is not intended to be used by regular users - instead it is used by the switch itself when reading a configuration file including a hashed password. By adding the ”hash” keyword, the system expects that a hashed password is entered (as opposed to a clear-text password).

Use ”show username <USERNAME>” to show the hashed password for the specified user.

Default values Password is entered in clear-text.

Example Setting the ”admin” password to ”foobar”.

Example

example:/config/aaa/#> username admin foobar example:/config/aaa/#>

21.3.3

Manage Local User Database Lists

Syntax [no] local-db <ID> [<TYPE>]

Context AAA context

Usage Enter

Local User Database Configuration

context to create, modify or remove a local user database.

Use ”local-db <ID>” to create a local database, or to enter the configuration context of an existing database. ”ID” must be a number greater or equal to 0 and is referenced from other commands. As of WeOS v4.17.1, you can specify up to 4 local databases.

An optional ”TYPE” parameter is used to specify how passwords within the database are stored. The only supported type in the current version of WeOS is ”plain”, which means that all passwords are stored as plain text.

Use ”no local-db <ID>” to remove a specific database, or

”no local-db” to remove all configured databases.

To list all configured databases, use ”show local-db”.

Default values The ”TYPE” parameter is ”plain” by default.

© 2015 Westermo Teleindustri AB

475

Westermo OS Management Guide

Version 4.17.1-0

21.3.4

Add/Delete User in Local Database List

Syntax [no] username <USERNAME> <SECRET>

Context

Local User Database Configuration

context

Usage Add or remove users to or from the database.

Use ”username <USERNAME> <SECRET>” to add a new user called ”USERNAME”, whose password is ”SECRET”.

Use ”no username <USERNAME>” to remove a specific user from the database.

To list all the users in the database, use ”show username”. To show the credentials of a particular user, use ”show username <USERNAME>”.

Default values Not Applicable.

Examples

Example

example:/config/aaa/local-db-0/#> username alpha foobar example:/config/aaa/local-db-0/#>

21.3.5

Local Database List Description Setting

Syntax [no] description <STRING>

Context

Local User Database Configuration

context

Usage Set or remove the local user database description string.

Use ”description <STRING>” to set a description for this database.

Use ”no description” to remove the current description.

Use citation marks around the string if you want to have a description containing space characters.

To view the current description, use ”show description”.

Default values Empty.

Examples

476

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/aaa/local-db-0/#> description PPPUsers

or ...

example:/config/aaa/local-db-0/#> description ’’PPP Users’’

21.3.6

Manage Remote (RADIUS) Server Connectors

Syntax [no] remote-server <ID> [type <TYPE>]

Context

AAA Configuration

context

Usage Enter

Remote Server Configuration

context to create, modify or remove a RADIUS server connector.

Use ”remote-server <ID>” to create a new connector, or to enter the configuration context of an existing connector. ”ID” must be a number greater or equal to 0 and is referenced from other commands. As of WeOS v4.17.1, you can specify up to 6 server connectors.

An optional ”type” parameter is used to specify the type of server. The only supported type in the current version of WeOS is ”radius”.

Use ”no remote-server <ID>” to remove a specific server, or

”no remote-server” to remove all configured servers.

Use ”show remote-server” to list all configured connectors, or

”show remote-server <ID>” to show information on a specific connector.

Default values The ”type” parameter is ”radius” by default.

21.3.7

Set Remote Server Type

Syntax type <TYPE>

Context

Remote Server Configuration

context

Usage Set the remote server type.

Use this command to specify the type of a remote server connector. As of

WeOS v4.17.1, the only supported type is ”radius”.

Use ”show type” to show the configured remote server type.

Default values ”radius”

© 2015 Westermo Teleindustri AB

477

Westermo OS Management Guide

Version 4.17.1-0

21.3.8

Configure Remote Server Description

Syntax [no] description <STRING>

Context

Remote Server Configuration

context

Usage Set or remove the remote server description string.

Use ”description <STRING>” to set a description for this server or

”no description” to remove the current description.

Use citation marks around the string if you want to have a description containing space characters.

Use ”show description” to show the configured remote server description.

Default values Empty.

Examples

Example

example:/config/aaa/remote-server-0/#> description MyRadius

or ...

example:/config/aaa/remote-server-0/#> description ’’Backup server’’

21.3.9

Configure Remote Server Address

Syntax [no] address <IP | FQDN>

Context

Remote Server Configuration

context

Usage Set or remove the remote server address.

Use this command to point out the (RADIUS) server address. You can use an

IP address or a name. Names will be looked up via DNS.

Use ”show address” to show the configured remote server address.

Default values Empty. This will reject authentication for the services using this server.

Examples

478

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

example:/config/aaa/remote-server-0/#> address 1.2.3.4

or ...

example:/config/aaa/remote-server-0/#> address myserver.mydomain.se

21.3.10

Configure Remote Server Password

Syntax [no] password <PASSWORD>

Context

Remote Server Configuration

context

Usage Set or remove the remote server password.

Use this command to set the shared secret password to use with this server.

This is used in RADIUS to hash passwords that are sent in the protocol exchange. The hashing is using the MD5 algorithm and that is no longer considered to be secure to attacks.

It is also only used for exchanged passwords and not for other data. Consider setting up a VPN tunnel if you need a secure way to communicate to the remote server.

Use ”show password” to show the configured remote server password setting.

Default values Empty. No hashing will be used for passwords.

21.3.11

Configure Remote Server Authentication Port

Syntax [no] auth-port <PORT>

Context

Remote Server Configuration

context

Usage Set the UDP port number used when communicating with the remote server.

The default value for RADIUS authentication requests is to use the UDP port

1812, but you can override it here. ”no port” will reset the value to the standard port number 1812.

Use ”show auth-port” to show the configured UDP port used for authentication requests to the server.

© 2015 Westermo Teleindustri AB

479

Westermo OS Management Guide

Version 4.17.1-0

Default values 1812

21.3.12

Manage (RADIUS) Server Groups

Syntax [no] server-group <GID> [type <TYPE>]

Context

AAA Configuration

context

Usage Enter

Server Group Configuration

context to create, modify or remove a

RADIUS server group.

Use ”server-group <GID>” to create a new group, or to enter the configuration context of an existing group. ”GID” must be a number greater or equal to 0 and is referenced from other commands.

An optional ”type” parameter is used to specify the type of server. The only supported type in the current version of WeOS is ”radius”. You can specify up to 2 server groups in this version of WeOS.

Use ”no server-group <GID>” to remove a specific group, or

”no server-group” to remove all configured groups.

Use ”show server-group” to list all configured server groups, or ”show

server-group <GID>” to show information on a specific server group (also available as ”show” command within the

Server Group Configuration

context).

Default values The ”type” parameter is ”radius” by default.

21.3.13

Set Server Group Type

Syntax type <TYPE>

Context

Server Group Configuration

context

Usage Set the server group type.

Use this command to specify the type of the servers included in the group.

The only supported type in the current version of WeOS is ”radius”.

Use ”show type” to show the configured server group type.

Default values ”radius”

480

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.3.14

Configure Server Group Description

Syntax [no] description <STRING>

Context

Server Group Configuration

context

Usage Set or remove the server group description string.

Use ”description <STRING>” to set a description for this group or

”no description” to remove the current description. Use citation marks around the string if you want to have a description containing space characters.

Use ”show description” to show the configured server group description.

Default values Empty.

Examples

Example

example:/config/aaa/server-group-0/#> description MyGroup

or ...

example:/config/aaa/server-group-0/#> description ’’Backup servers’’

21.3.15

Configure Server Group Members

Syntax [no] server <ID|ID,ID|ID,ID,ID>

Context

Server Group Configuration

context

Usage Set the server(s) that are included in the server group.

Use this command to specify which servers belong to this server group. You can specify up to three servers comma separated by their remote server ID.

Each server must be configured separately before the group is set up. See

section 21.3.6

.

Note

The order of the servers IS important and is used as fall-back order. The first (leftmost) defined server in the group is queried first. If the first server returns an error or does not reply the second is queried and so on.

© 2015 Westermo Teleindustri AB

481

Westermo OS Management Guide

Version 4.17.1-0

Use ”show server” to show the configured members of the server group

(listed order is fall-back order).

Default values Empty. This will reject authentication for the services using this group.

21.3.16

Manage IEEE 802.1X authentication instances

Syntax [no] dot1x-auth <ID>

Context

AAA Configuration

context

Usage Enter

802.1X Configuration

context to create, modify or remove an IEEE

802.1X authentication instance.

Use ”dot1x-auth <ID>” to create a new 802.1X authentication instance, or to enter the configuration context of an existing instance. (As of WeOS v4.17.1 you can only create one 802.1X authentication instance.) ”ID” must be a number greater or equal to 0 and is referenced from other commands.

Important

Creating an IEEE 802.1X authentication instance does not in itself activate authentication. Port access is managed in the VLAN configuration.

See

section 13.2

. The created 802.1X instance must be referenced

from the port access configuration for it to be used!

Use ”no dot1x-auth <ID>” to remove a specific instance, or ”no dot1x-auth” to remove all 802.1X instances.

Use ”show dot1x-auth” to list all 802.1X authentication instances, or ”show

dot1x-auth <ID>” to show information on a specific instance (also available as ”show” command within the

802.1X Configuration

context).

Default values Not applicable.

21.3.17

Enable/Disable an IEEE 802.1X authentication instance

Syntax [no] enable

Context

802.1X Configuration

context

482

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Enable or disable an 802.1X authentication instance.

Use ”no enable” to disable.

Use ”show enable” to show whether this instance is enabled or disabled.

Default values Enabled.

21.3.18

Set IEEE 802.1X authentication instance description

Syntax [no] description <STRING>

Context

802.1X Configuration

context

Usage Set or remove the description string for this 802.1X authentication instance.

Use ”description <STRING>” to set a description or ”no description” to remove the current description. Use citation marks around the string if you want to have a description containing space characters.

Use ”show description” to show the configured instance description setting.

Default values Empty.

Examples

Example

example:/config/aaa/dot1x-auth-0/#> description My_1X_net

or ...

example:/config/aaa/dot1x-auth-0/#> description ’’Employees only’’

21.3.19

Configure IEEE 802.1X authentication back-end servers

Syntax [no] method <group <GID>|server <ID>>

Context

802.1X Configuration

context

Usage Set or remove the back-end method for the 802.1X authentication instance.

© 2015 Westermo Teleindustri AB

483

Westermo OS Management Guide

Version 4.17.1-0

IEEE 802.1X commonly use the RADIUS protocol as back-end. A RADIUS server connection or a server group must be configured separately before you can use the method command. See sections

21.3.6

and

21.3.12

.

Use the syntax ”method group <GID>” to select a specific RADIUS server group as back-end.

Use the syntax ”method server <ID>” to select a specific RADIUS server as back-end.

Use ”no method” to remove the back-end selection setting.

Use ”show method” to show the ID/GID of the configured back-end server or back-end server group.

Default values No backend. 802.1X authentication attempts will fail.

21.3.20

Manage MAC authentication lists

Syntax [no] mac-auth <ID>

Context

AAA Configuration

context

Usage Create, modify or remove a MAC authentication list.

Use ”mac-auth <ID>” to create a new list, or to enter the configuration context of an existing list. ”ID” must be a number greater or equal to 0 and is referenced from other commands. As of WeOS v4.17.1, you can create up to 8 MAC authentication lists.

Important

Creating a MAC authentication list does not in itself activate filtering of addresses. Port access is managed in the VLAN configuration. See

section 13.2

. The created MAC authentication list must be referenced

from the port access configuration for it to be used!

Use ”no mac-auth <ID>” to remove a specific list, or ”no mac-auth” to remove all configured MAC authentication lists.

Use ”show mac-auth” to list all MAC authentication lists, or ”show mac-auth

<ID>” to show information on a specific instance (also available as ”show” command within the

MAC Authentication List Configuration

context).

Default values Not applicable.

484

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

21.3.21

Enable/Disable a MAC authentication list

Syntax [no] enable

Context

MAC Authentication List Configuration

context

Usage Enable or disable a MAC authentication list.

Use ”no enable” to disable.

Use ”show enable” to show whether this list is enabled or disabled.

Default values Enabled.

21.3.22

Set MAC authentication list description

Syntax [no] description <STRING>

Context

MAC Authentication List Configuration

context

Usage Set or remove the description string for this list.

Use ”description <STRING>” to set a description or ”no description” to remove the current description. Use citation marks around the string if you want to have a description containing space characters.

Use ”show description” to show the configured list description setting.

Default values Empty.

Examples

Example

example:/config/aaa/mac-auth-0/#> description MyMACList

or ...

example:/config/aaa/mac-auth-0/#> description ’’Trusted MAC addresses’’

21.3.23

Configure MAC authentication list filters

Syntax [no] mac match <MAC-PATTERN> [limit <PORT>]

[description <STRING>]

Context

MAC Authentication List Configuration

context

© 2015 Westermo Teleindustri AB

485

Westermo OS Management Guide

Version 4.17.1-0

Usage Add or remove MAC filter patterns.

A MAC Authentication List is built up by MAC filter patterns. Use the syntax ”mac match <MAC-PATTERN>” to create a new filter pattern. To match a single MAC address specify the hardware Ethernet MAC in the format

HH:HH:HH:HH:HH:HH as <MAC-PATTERN>. You can also specify whole blocks of addresses by using a wild-card * at the end of the pattern. You can also optionally filter on the port by using the ”limit” argument to this command.

A comment may also be added with the optional ”description” argument.

Use ”no mac match <MAC-PATTERN>” to remove a specific filter, or ”no mac” to remove all filters in this list.

As of WeOS v4.17.1, you can create up to 44 MAC filter patterns per MAC authentication list.

Use ”show mac” to show the defined MAC filter rules for this authentication list.

Default values Empty, no filters.

Examples

Example

mac-auth-0/#> mac match 00:D8:AA:2C:85:01

or with wildcard...

mac-auth-0/#> mac match 00:80:C8:*

or with wildcard, limit filter, and description ...

mac-auth-0/#> mac match 00:D8:BB:C5:* limit 1/2 description ’’Laser printers on 1/2’’

486

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 22

DHCP Server

The WeOS DHCP server is capable of handing out IP settings to hosts (DHCP clients) on local and remote IP subnets. For each defined IP subnet, the DHCP server can assign IP addresses dynamically from a pool of addresses, but also statically based on

ˆ the port the (DHCP) client is connected to (”one IP per port”, DHCP option 82),

ˆ the DHCP client identifier provided by the connecting client, or

ˆ the MAC address of the connecting client

To serve clients on remote IP subnets, DHCP relay agents would be used to forward the DHCP messages between the clients and the DHCP server. In WeOS you can even configure a DHCP relay agent on the same unit as the DHCP server – this is useful if you wish to hand out addresses per port (DHCP option 82) on the

DHCP server unit itself. For more information on configuring DHCP relay agents, see

chapter 23 .

The WeOS DHCP server is also able to act as a (proxy) DNS server for the DHCP clients it serves (see

section 19.3.4

).

Being part of an embedded system, the WeOS DHCP server does not store the current set of leases in persistent storage. In most use cases this is fine, however if it necessary that the current lease table survives a reboot you are recommended to use a dedicated DHCP server instead.

© 2015 Westermo Teleindustri AB

487

Westermo OS Management Guide

Version 4.17.1-0

22.1

Overview of DHCP Server Support in WeOS

Table 22.1

presents a summary of DHCP server functionality in WeOS.

Feature

Web

CLI

General Description

General DHCP Server Functionality

Enable/disable DHCP Server

Define subnets to serve

Caching DNS server

Enable/Disable Ping check

Server Listening UDP Port

Server Source UDP Port

X

X

X

X

X

X

X

X

Sections 22.1.1

Section 22.1.1

X

Section 22.1.3

-”-

-”-

-

22.1.2

Per Subnet Functionality

Client IP settings

Address pool

Per port (Option 82)

Per client-ID

X

X

X

X

X

X

Per MAC X X

Additional client configuration parameters

Section 22.1.2

-”-

-”-

-”-

Default Gateway

DNS Server

Domain search path

NTP Server

Other features

Define lease time

Deny client (per MAC)

X

X

X

X

X

X

X

X

X

X

X

X

-”-

-”-

-”-

-”-

-”-

-”-

DHCP Server Status

List current clients X

Table 22.1: DHCP server features

22.1.1

Introduction to WeOS DHCP server support

DHCP servers are typically used to dynamically assign IP settings (IP address, netmask, default gateway, etc.) to hosts on the local subnet, see

fig. 22.1a

. The

488

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Intranet/Internet

DHCP pools:

A: 192.168.1.100−150/24 gw 192.168.1.1

B: 192.168.2.100−150/24 gw 192.168.2.1

192.168.1.0/24

.1

DHCP

Server

.1

192.168.2.0/24

PC1 PC2

Intranet/Internet

DHCP pools:

A: 192.168.1.100−150/24 gw 192.168.1.1

B: 192.168.2.100−150/24 gw 192.168.2.1

C: 192.168.3.100−150/24 gw 192.168.3.1

192.168.1.0/24

10.0.1.1

.1

DHCP

Server

.1

192.168.2.0/24

Relay

Agent

.1

192.168.3.0/24

PC1 PC2 PC3 a) b)

Figure 22.1: Sample DHCP use cases: (a) DHCP server serving local subnets, and

(b) serving local and remote subnets.

server maintains an address pool for each served subnet, from which it assigns addresses to DHCP clients currently present on that LAN. Addresses in the pool are maintained dynamically - they are assigned to clients for a configurable time

(DHCP lease time), and if a client goes away, that address can be reused and assigned to another client.

The DHCP server also hands out configuration settings for default gateway and

DNS server(s). For local clients as in

fig. 22.1a

, the DHCP server unit will commonly act as default gateway and DNS server

1

too.

To provide DHCP service on multiple subnets throughout your infrastructure, you could either deploy a DHCP server on each subnet, or you could use DHCP relay

agents to forward DHCP packets between the remote subnet and a central DHCP server, as shown in

fig. 22.1b

.

When configuring the server, there is no major difference if the subnet is local or remote – you will simply define which subnets to serve. When the server receives a DHCP message, it will automatically detect which subnet the request originated from and thereby be able to hand out an address from the pool it has defined for that subnet.

In addition to handing out addresses dynamically from a pool, it is also possible to assign addresses more specifically based on the client’s MAC address, the

client identifier (client-ID) included in the DHCP messages from the client, or the

1

A WeOS unit acts as (proxy) DNS server by default, see

section 19.3.4

© 2015 Westermo Teleindustri AB

489

Westermo OS Management Guide

Version 4.17.1-0 physical port where the client is connected. More information on this is given in

sections 22.1.2

and

22.1.4

.

The DHCP server unit will by default accept incoming DHCP packets on any of its interfaces, including the loopback interface ”lo”. (The exception is those interface where a DHCP relay agent has been configured on the local unit (see

section 22.1.4

) – there DHCP packets will be handled by the relay agent.)

Hint

For security purposes you may wish to avoid accepting DHCP packets on some interfaces, e.g., your upstream interface towards the Internet. To block such request you are recommended to configure appropriate deny filter rules, e.g., ”filter deny in vlan1 dport 67 proto udp” to block incoming DHCP request on interface vlan1. For more details on the WeOS firewall, see

chapter 31 .

By default the DHCP server will check that an address is not in use before offering it to a client. In some rare cases it may be useful to disable this.

22.1.2

Per-subnet DHCP Server Settings

Most DHCP server settings are configured per subnet, where the IP subnet is defined by an IP address (e.g., 10.10.2.0) and subnet mask, which defaults to

255.255.255.0 (/24). For each subnet you can define what IP address to assign to clients, as well as other relevant IP settings.

22.1.2.1

Defining IP Address assignment

The addresses can either be assigned dynamically from an address pool, or be assigned statically depending on the client’s MAC, its DHCP client identifier, or the port to which it is connected.

ˆ Address pool: For each subnet served it is possible to define a pool of addresses for dynamic assignment. The default range is ”100-199”, e.g.,

10.10.2.100-10.10.2.199 on the 10.10.2.0/24 subnet.

It is possible to disable dynamic address allocation using the ”no pool” syntax in the CLI. This is mostly useful in combination with fixed assignment.

490

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Fixed assignments: Instead of handing out addresses from a dynamic pool, the WeOS DHCP server enables you to assign addresses with more fine grain control:

Client MAC: You can reserve a specific address to a client with a certain

MAC address.

Client identifier (option 61): You can reserve a specific address to a client including a certain client-identifier in its DHCP messages (DHCP

option 61[ 1 ]). In the DHCP server, you can specify the client-id as a hex-

adecimal sequence (e.g., ”01485b392f34bc”) or as a text string such as

”foobar”.

Note

If the client-id is specified as a text string, it would match a DHCP option 61 holding a hexadecimal sequence of the corresponding

ASCII numbers

a

, e.g., ”foobar” would match an option 61 holding

value ”666f6f626172” (hex).

a

American Standard Code for Information Interchange (ASCII), see e.g.

http:

//en.wikipedia.org/wiki/ASCII (accessed May 2009).

Connected Port (option 82): The server can be configured to assign a specific address to the client connected to a certain switch port (”one IP per port”). This is useful when you wish to replace a client unit, such as a CCTV camera, and ensure that the new unit gets the same IP as the replaced unit.

As described in

chapter 23 , DHCP relay agents can add information

to identify the client’s port in a relay information option (DHCP op-

tion 82[ 28 ]). The DHCP server can then extract relevant information

(circuit-id and remote-id) and use that when assigning the IP address.

WeOS DHCP server allows for flexible specification of circuit-id and remote-

id (both as hexadecimal sequences and text strings), enabling it to work with relay agents of various vendors. E.g., to make the DHCP server hand out a specific IP address to a client unit attached to WeOS Relay Agent with default settings, the DHCP server can be configured as follows:

* Circuit-id: If the client is supposed to connect to Ethernet port 2, then specify ”Eth2” (string) for the circuit-id. If a slotted WeOS product is used, then specify e.g., ”Eth3/5” for Ethernet port 5 on slot 3.

© 2015 Westermo Teleindustri AB

491

Westermo OS Management Guide

Version 4.17.1-0

* Remote-id: The remote-id is optional, but needed to distinguish between relay agents on the same subnet. A WeOS relay agent de-

faults to using its base MAC

2

address as remote-id.. E.g., specify ”00077c8209d0” (hex) for a WeOS relay agent with base MAC

00:07:7c:82:09:d0.

Note: to assign IP addresses per (local) ports on the DHCP server itself in WeOS v4.17.1, you will need to setup a Relay Agent on the same unit (see

section 22.1.4

).

Deny statements: The fixed assignment methods (MAC, Client-id, Option 82) can also be used to deny clients an IP address. To specify this feature, use the keyword ”deny” instead of an IP address in the assignment command.

A note on preference order

A client request associated with a subnet served by the DHCP server will be checked for matching IP assignment entries in the following pref-

erence order

a

: Client-Id (first), MAC address, DHCP Option 82, and fi-

nally Address pool (last).

a

This preference order is used as of WeOS v4.17.1, but may be changed in future releases.

22.1.2.2

Configuration Options other than IP address

In addition to IP address, the WeOS DHCP server allows you configure the following configuration options:

ˆ Lease time: The lease time can be configured in range 120-5256000 seconds. It defaults to 864000 seconds (10 days).

ˆ Netmask: The IP netmask is only configured implicitly, i.e., it is taken from the subnet definition. IP netmask is passed to the client in DHCP option 1.

By default, the netmask is set to 255.255.255.0.

ˆ Router IP address: The DHCP server will pass information about what router

(default gateway) the DHCP client should use. If you leave this blank, the will automatically fill out a value likely to work for the client.

2

To find the base MAC of your WeOS unit, see

sections 4.4.2

(Web) or

7.3.2

(CLI).

492

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Local clients: For DHCP requests originating on the local subnets, the

DHCP server will put its own IP address on that subnet as gateway IP address.

Remote clients: For DHCP requests originating on remote subnets, the

DHCP server will put the IP address of the relay agent as gateway IP address.

The router/gateway IP is passed in DHCP option 3. By default, the gateway setting is empty, i.e., the ”auto” behaviour described above is used.

As of WeOS v4.17.1 there is no way to hinder the DHCP server to send the router/gateway IP address (option 3). This may change in future WeOS releases.

ˆ DNS Server(s): It is possible to specify up to two DNS servers to be passed to the DHCP client (option 6). If no DNS server is specified, the DHCP server will fill in its own IP address as DNS server (the DHCP server unit will act as

DNS forwarder and forward any (non-cached) incoming DNS requests to the name-server(s) configured on the unit, see

chapter 19 ).

As of WeOS v4.17.1 there is no way to hinder the DHCP server to send the

Domain Name Server option (option 6) to the client. This may change in future WeOS releases.

ˆ Domain search path: The DHCP server can be configured to pass a domain

search path to the DHCP client (option 15). (Leaving the setting empty implies that no domain search path is sent to the client.)

ˆ NTP Server(s): The DHCP server can be configured to pass up to two NTP

Servers to the DHCP client (option 42). (Leaving the setting empty implies that no NTP server is sent to the client.)

22.1.3

General DHCP Server settings

WeOS allows you to configure a set of general DHCP server settings. These are advanced settings, and are primarily of interest to users with special demands.

The default values are sufficient in almost all use cases.

ˆ DHCP Server Listening UDP port: The DHCP server listens to UDP port 67 by

default (in-line with RFC2131[ 7 ]). It is possible to set the server port to a

different value. That may be of interest in some specific DHCP relay setups,

© 2015 Westermo Teleindustri AB

493

Westermo OS Management Guide

Version 4.17.1-0 to avoid that the server receives packets directly from clients (in addition to

relayed packets).

Note

It is possible to configure the WeOS relay agent to forward DHCP messages to non-standard UDP ports on the server, see

chapter 23 .

ˆ DHCP Server Source UDP port (client port): The DHCP server will send packets with source UDP port 68 by default. It is possible to set the source UDP port to a non-default value.

ˆ Enable/disable Duplicate Address Detection (ICMP Ping Check): Before a

DHCP server offers a client an address it will check that no-one is already using that address. The server conducts this duplicate address detection mechanism by attempting to ”ping” the IP address a couple of time to verify that it gets no response. Disabling ”ping check” can speed up address assignment.

The ”ping check” mechanism is recommended for robustness and is enabled by default. Only consider disabling ”ping-check” if you are using static leases.

Warning

The WeOS DHCP server does not store the lease table in persistent storage. Disabling ”ping check” can therefore lead to situations where a server reboot causes a host to be assigned an address, which was already assigned to (and in use by) another host.

22.1.4

Running a DHCP server and relay agent on the same unit

There are situations when you wish to run a DHCP relay agent ( chapter 23 ) on

the same WeOS unit as your DHCP server.

ˆ IP per port on DHCP server unit:

Section 22.1.4.1

describes how to use a

DHCP server and a relay agent to assign IP addresses per port on the DHCP server unit itself.

ˆ Non-”DHCP snooping” relay agents in switched topologies:

Section 22.1.4.2

explains how to handle non-”DHCP snooping” relay agents in

switched (as opposed to routed) topologies. (An alternative approach is to let the DHCP server listen to a non-default UDP port, see

section 22.1.3

.)

494

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

22.1.4.1

IP per port on local DHCP server ports

With DHCP option 82, a relay agent can inform the DHCP server which port

(circuit-id) the client is connected to, thereby enabling the server to assign IP addresses per port. In WeOS, the same approach is used when you wish to hand out IP addresses per port on the DHCP server’s local ports.

WeOS Router

DHCP Server

VLAN 1

192.168.2.0/24

1 2 3

Relay Agent

4 5 6

.100

PC

.49

CCTV

VLAN 2

192.168.5.0/24

Figure 22.2: Running both a DHCP Server and a DHCP Relay Agent on the same unit enables you to assign IP address per port on the DHCP server unit.

Fig. 22.2

illustrates an example where the WeOS unit is configured to hand out addresses on interface ”vlan2” (subnet 192.168.5.0/24). Regular hosts, such as the PC, will be assigned their IP addresses from an address pool, but the unit attached to port 6 should always be assigned IP address 192.168.5.49. This can be achieved by configuring a DHCP relay agent on interface ”vlan2”, and to instruct the relay agent to forward DHCP request to the local DHCP server

(address ”127.0.0.1”). Relevant parts of the WeOS configuration is listed in

fig. 22.3

.

The WeOS DHCP relay will by default pass its base-MAC address

3

as remote-id

(”00:07:7c:00:30:b0” in the configuration example in

fig. 22.3

.). As the base-

MAC is unit specific, this setting will not work if you wish to replace the unit, but keep the same configuration file. In such situations, using ”system-name” or

”ip” as remote-id is recommended, see

sections 23.2.1

(Web) and

23.3.9

(CLI) for more information. An example using the system name as remote-id is given in

fig. 22.4

.

3

To find the base MAC of your WeOS unit, see

sections 4.4.2

(Web) or

7.3.2

(CLI).

© 2015 Westermo Teleindustri AB

495

Westermo OS Management Guide

Version 4.17.1-0

Example

dhcp-server subnet 192.168.5.0/24 pool 192.168.5.100 192.168.5.199

lease-time 864000 netmask 255.255.255.0

no gateway no domain end host 1 match option82 circuit-id string "Eth6" remote-id hex 00:07:7c:00:30:b0 address 192.168.5.49

end end dhcp-relay iface vlan2 server 127.0.0.1

option82 discard end

Figure 22.3: Configuration example with DHCP relay and server on same unit, here with base-MAC address as Option82 circuit-ID.

Example

system hostname foobar end dhcp-server subnet 192.168.5.0/24 pool 192.168.5.100 192.168.5.199

lease-time 864000 netmask 255.255.255.0

no gateway no domain end host 1 match option82 circuit-id string "Eth6" remote-id string "foobar" address 192.168.2.49

end end dhcp-relay iface vlan2 server 127.0.0.1

option82 discard remoteid-type system-name end

Figure 22.4: Configuration example with DHCP relay and server on same unit, here with system hostname as Option82 circuit-ID.

496

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

22.1.4.2

Handling non-snooping relay agents in switched topologies

As described in

section 23.1.4

, use of relay agents to add option 82 information

in switched topologies is challenging if the relay agents do not support DHCP snooping. A (broadcast) DHCP message from a client will then result in two messages being forwarded towards the DHCP server - one relayed message including option 82 information, and one regular message being switched and lacking option 82.

10.1.1.1/24

Drop DHCP packets lacking option 82 coming in on port 6

WeOS Router/Switch

DHCP Server

Relay Agent

With

Option 82

10.1.1.2/24

Non−’’DHCP snooping’’

Switch (e.g., "Gbit−") module in RedFox)

Relay Agent

5 6 5 6

1 2 3 4 1 2 3 4

Without

Option 82

DHCP Msg .44

CCTV

Figure 22.5: A non-”DHCP snooping” relay agent (right unit) will likely result in multiple ”copies” of the DHCP messages. This can be handled by running a DHCP

Relay Agent also the DHCP server unit (left unit).

Fig. 22.5

illustrates the situation. All ports are assumed to be on the same VLAN

(e.g., VLAN 1)

1. A broadcast DHCP message is sent by the PC on port 1 of the non-snooping switch. That packet is forwarded onto all ports on the same VLAN including port 5 towards the DHCP server.

2. The packet is also processed by the relay agent process, which adds option

82 information and relays the message (unicast) towards the DHCP server.

3. If both DHCP requests would reach the DHCP server, it is likely that the PC will be handed an address from the pool rather than an address dedicated for that specific port. Or possibly the PC will get multiple responses to its request.

In WeOS you can handle this by running a DHCP relay agent on the DHCP server unit. The relay agent can be configured to drop DHCP packets not including option 82, thus only the relayed packet will be forwarded to the

© 2015 Westermo Teleindustri AB

497

Westermo OS Management Guide

Version 4.17.1-0

DHCP server process.

Below ( page 498 ) sample configurations for the DHCP server and DHCP relay agent units are shown. The CCTV connected to port 1

4

of the (non-snooping) relay agent should be assigned IP address 10.1.1.44/24.

Hint

An alternative approach is to let the DHCP server listen to a non-default UDP port, see

section 22.1.3

. Then the DHCP relay agent must be configured to

send to this UDP port when relaying packets to the server.

Example

-- DHCP Server Unit (IP 10.1.1.1/24) dhcp-server subnet 10.1.1.0/24 pool 10.1.1.100 10.1.1.199

lease-time 864000 netmask 255.255.255.0

gateway 10.1.1.1

no domain end host 1 match option82 circuit-id string "Eth1" remote-id string "10.1.1.2" address 10.1.1.44

end end dhcp-relay iface vlan1 server 127.0.0.1

option82 discard remoteid-type ip port 6 option82 require end end

-- DHCP Relay Agent Unit (IP 10.1.1.2/24) dhcp-relay iface vlan1 server 10.1.1.1

option82 discard remoteid-type ip end

4

If the relay agent unit is a RedFox Industrial, the port labels would be written in slot/id form (1/1,

1/2, etc.). The server configuration would then reflect this, e.g., ”match option82 circuit-id

string "Eth1/2" remote-id string "10.1.1.2"” if the CCTV is connected to port 1/2.

498

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

22.2

Configuring DHCP Server Settings via the Web

The Web interface provides management of DHCP Server.

22.2.1

DHCP Server settings

Menu path: Configuration Network (IP) DHCP-Server

© 2015 Westermo Teleindustri AB

Continued on next page

499

Westermo OS Management Guide

Version 4.17.1-0

Enabled

Continued from previous page

Check the box to enable the DHCP server.

If you have a

JavaScript enabled browser the other settings will not be displayed unless you check this box.

Static DHCP

The static leases for this subnet. To add a lease select type

(MAC, Client-id or Option82) and fill in the values.

To add additional static leases, click on the Add icon ( ).

Subnets

Click on the Edit icon ( )to edit the lease.

The boot server-address/server-name and boot file options may be set on a static lease, overriding any common setting in the advanced server settings section.

Lists the configured DHCP subnets To add a Subnet click on the

"New subnet" button bellow the table. Click on the Edit icon

( )to edit the settings for a specific Subnet.

500

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

22.2.1.1

Advanced DHCP Server settings

Menu path: Configuration Network (IP) DHCP-Server Advanced Settings

Ping Check

Enables/disables the ICMP ping check. By default the DHCP server will check that an address is not in use before offering it to a client. In some rare cases it may be useful to disable this.

Default enabled

Boot Server

Address

Boot Server

Name

Boot File

IP address for server from which the client should retrieve the boot file.

DNS name for server from which the client should retrieve the boot file.

Name of the boot file to retrieve from boot server.

© 2015 Westermo Teleindustri AB

501

Westermo OS Management Guide

Version 4.17.1-0

22.2.2

Edit DHCP Subnet Settings

Menu path: Configuration Network (IP) DHCP-Server

On this page you can change the settings for the Subnet.

Address Pool

Lease Time

IP address pool from which the DHCP server will hand out leases

DHCP address lease time (seconds) for addresses handed out to DHCP clients

Netmask

The netmask option handed to DHCP clients.

Default Gateway

The IP default gateway (default router) option handed to

DHCP clients.

Name Servers

The (DNS) name server option handed to DHCP clients.

NTP Servers

Domain

The time server (NTP) option handed to DHCP clients.

Domain name search path option handed to DHCP clients

502

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

22.3

Configuring DHCP Server Settings via the CLI

Command Default Section

Configure DHCP Server

[no] dhcp-server

[no] enable

[no] ping-check

[no] server-port <UDPPORT>

[no] client-port <UDPPORT>

[no] server-address <IPADDR>

[no] server-name <DOMAINNAME>

[no] file <FILENAME>

[no] host [INDEX]

[no] match <mac <MACADDR> | clientid <hex|string> <CLIENTID> | option82 [remote-id <hex|string>

<REMOTEID>] <circuit-id

<hex|string> <CIRCUITID>>

Disabled

Section 22.3.1

Enabled

Section 22.3.2

Enabled

Section 22.3.3

67

68

Section 22.3.4

Section 22.3.5

Disabled

Section 22.3.6

Disabled

Section 22.3.7

Disabled

Section 22.3.8

1

Section 22.3.9

Section 22.3.10

[no] address <IPADDR|deny>

[no] server-address <IPADDR>

[no] server-name <DOMAINNAME>

[no] file <FILENAME>

Disabled

Disabled

Disabled

Disabled

[no] subnet <IPADDR[/LEN] | IPADDR [MASK]> /24

[no] netmask <NETMASK>

[no] pool <IPADDR_START> Auto

1

Section 22.3.11

Section 22.3.6

Section 22.3.7

Section 22.3.8

Section 22.3.12

Section 22.3.13

Section 22.3.14

<NUM|IPADDR_END>

[no] lease-time <120-5256000>

[no] gateway <IPADDR>

864000

Section 22.3.15

Empty

2

[no] name-server <IPADDR>[,<IPADDR>] Empty

2

Section 22.3.16

Section 22.3.17

[no] domain <DOMAINNAME>

[no] ntp-server <IPADDR>

Disabled

Section 22.3.18

Disabled

Section 22.3.19

View DHCP Server Status show dhcp-clients

Section 22.3.20

1

A pool may be created automatically. See

Section 22.3.14

.

2

Empty values have special meaning here. See

Section 22.3.16

and

Section 22.3.17

.

© 2015 Westermo Teleindustri AB

503

Westermo OS Management Guide

Version 4.17.1-0

22.3.1

Manage DHCP Server

Syntax [no] dhcp-server

Context

Global Configuration

context

Usage Create, modify or remove a DHCP Server.

Enter DHCP server context. If this is a new DHCP server, the DHCP server is created. As a side-effect, a caching (DNS) name server is started, which forwards incoming DNS requests to the DNS server configured for the switch

(see

chapter 19 ).

Use ”no dhcp-server” to remove an existing DHCP server.

Use ”show dhcp-server” to list all settings of a DHCP server. Alternatively, you can run the ”show” command from within the DHCP server context.

Default values Disabled (No DHCP server configured)

22.3.2

Disable DHCP Server

Syntax [no] enable

Context

DHCP Server Configuration

context

Usage Enable/disable the DHCP server. Useful to disable a fully setup DHCP server before deployment, the configuration will remain dormant while disabled.

Use ”no enable” to disable the DHCP server (without losing the DHCP server configuration) and ”enable” to enable the DHCP server.

Use ”show enable” to show whether the DHCP server is configured enabled or disabled.

Default values Enabled

22.3.3

Disable ICMP ”ping” Check

Syntax [no] ping-check

Context

DHCP Server Configuration

context

504

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Enable/disable the ICMP ping check. By default the DHCP server will check that an address is not in use before offering it to a client. In some rare cases it may be useful to disable this.

Use ”no ping-check” to disable the ping-check mechanism, and ”ping-check” to enable it.

Run ”show ping-check” to show whether the ping-check mechanism is configured enabled or disabled.

Default values Enabled

22.3.4

DHCP Server Listening UDP port

Syntax [no] server-port <UDPPORT>

Context

DHCP Server Configuration

context

Usage Set DHCP Server listening (UDP) port in range 1..65535. By default the server listens to UDP port 67. Use ”server-port UDPPORT” to set a nondefault UDP port to listen on. See also

section 23.3.5

for the corresponding

DHCP relay agent setting.

Use ”no server-port” to reset to default value (port 67).

Use ”show server-port” to show current server-port settings.

Default values 67

22.3.5

DHCP Server Source/Client UDP port

Syntax [no] client-port <UDPPORT>

Context

DHCP Server Configuration

context

Usage Set DHCP Server source (UDP) port in range 1..65535. By default the server sends DHCP messages with source UDP port 68. Use ”client-port

UDPPORT” to set a non-default UDP port to send from.

Use ”no client-port” to reset to default value (port 68).

Use ”show client-port” to show current client-port settings.

Default values 68

© 2015 Westermo Teleindustri AB

505

Westermo OS Management Guide

Version 4.17.1-0

22.3.6

Next Server Address – BOOTP ”siaddr”

Syntax [no] tftp-server <IPADDR>

Context

DHCP Server Configuration

or

DHCP Server Host Configuration

context

Usage Set the next-server address siaddr in DHCP and BOOTP messages from the DHCP server, i.e., the IP address of a TFTP server (or other type of file transfer server) used by a BOOTP/DHCP client to retrieve a boot file.

Note

Using the ”tftp-server” command in

DHCP Server Configuration

will apply to all DHCP messages from the server. Using the ”tftp-server” command in

DHCP Server Host Configuration

will apply to a specific host entry.

Use ”no tftp-server” to remove a configured next-server address.

Use ”show tftp-server” to show the next-server setting.

Default values Disabled

22.3.7

Next Server Name – BOOTP ”sname”, DHCP Option 66

Syntax [no] tftp-server-name <DOMAINNAME>

Context

DHCP Server Configuration

or

DHCP Server Host Configuration

context

Usage Set the next-server domain name. It can be used to inform BOOTP/DHCP clients about their next-server to download a boot file, as an alternative to the next-server address (see

section 22.3.6

).

The server name is typically passed within the sname field of a BOOTP/DHCP message, but is instead sent as DHCP option 66 if option overloading applies or if the client has requested DHCP option 66.

Note

Using the ”tftp-server-name” command in

DHCP Server Configuration

will apply to all DHCP messages from the server. Using the

”tftp-server-name” command in

DHCP Server Host Configuration

will apply to a specific host entry.

Use ”no tftp-server-name” to remove a configured next-server name.

506

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Use ”show tftp-server-name” to show the next-server name setting.

Default values Disabled

22.3.8

Bootfile Name – BOOTP ”file”, DHCP Option 67

Syntax [no] bootfile <FILENAME>

Context

DHCP Server Configuration

or

DHCP Server Host Configuration

context

Usage Set the boot filename (as stored at the TFTP server).

The bootfile name is typically passed within the file field of a BOOTP/DHCP message, but is instead sent as DHCP option 67 if option overloading applies or if the client has requested DHCP option 67.

Note

Using the ”bootfile” command in

DHCP Server Configuration

will apply to all DHCP messages from the server. Using the ”bootfile” command in

DHCP Server Host Configuration

will apply to a specific host entry.

Use ”no bootfile” to remove a configured bootfile name.

Use ”show bootfile” to show the next-server name setting.

Default values Disabled

22.3.9

Configure Host Entry

Syntax [no] host [INDEX]

Context

DHCP Server Host Configuration

context

Usage Enter the

DHCP Server Host Configuration

to specify host specific DHCP

Server settings. This is typically used to configure a static lease based on

MAC, Client-ID or port ID (i.e., DHCP Option 82). Up to 64 can be configured.

Each entry is given an index (default 1), e.g., ”host 3” will enter the

DHCP

Server Host Configuration

for entry number 3; the entry will be created if it does not yet exist.

Use ”no host” to remove all configured host entries, and use ”no host

<INDEX>” to remove a specific host entry (e.g. ”no host 3”).

© 2015 Westermo Teleindustri AB

507

Westermo OS Management Guide

Version 4.17.1-0

Use ”show host” to show a list configured host entries, and use ”show host

<INDEX>” to show information on a specific host entry. Alternatively, you can run the ”show” command within the

DHCP Server Host Configuration

context of that specific subnet.

Default values Default index is 1.

22.3.10

Configure Host Entry Match Setting

Syntax [no] match <mac <MACADDR> | clientid <hex|string> CLIENTID> | option82 [remote-id <hex|string> <REMOTEID>] <hex|string> circuit-id <CIRCUITID>>

Context

DHCP Server Host Configuration

context

Usage Specify the match type (mac, clientid or option82) to identify the host for this entry, e.g., ”match mac 12:34:56:78:9a:bc:de”.

Use ”no match” to remove all match settings, and

”no match <mac|clientid|option82>” to remove a match setting of a specific type.

Use ”show match” to show the current match setting for this host entry.

Default values Not applicable.

section 22.3.12

.

22.3.11

Configure Host IP Address or Deny Service

Syntax [no] address <IPADDRESS|deny>

Context

DHCP Server Host Configuration

context

Usage Specify the IP address to assign to this host, e.g., ”address 192.168.1.51”.

Note

To hand out the specified address (e.g., ”192.168.1.51”) the DHCP server must also be configured to serve the associated IP subnet, see

section 22.3.12

for information on the ”subnet” command. Other IP settings (netmask, default gateway, etc.) will be inherited from settings of the associated subnet.

508

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Use ”address deny” to prohibit the host to be served by this DHCP server.

A host must either be assigned an IP address or explicitly be denied an address. ”no address” is not a valid setting, i.e., then the host entry will not be activated.

Use ”show address” to show the current address setting.

Default values None

22.3.12

Configure DHCP Server Subnet

Syntax [no] subnet <IPADDR[/LEN] | IPADDR [NETMASK]>

Context

DHCP Server Configuration

context

Usage Specify a subnet for which the DHCP server will hand out IP addresses, and enter the

DHCP Server Subnet Configuration

for that subnet. Optionally, the subnet netmask can be specified as a prefix length or as a netmask, with ”/24” (”255.255.255.0”) as default. It can later be changed with the

”netmask” command, see

section 22.3.14

.

Use ”no subnet” to remove all configured subnets, and use ”no subnet

IPADDR” to remove a specific subnet.

Use ”show subnet” to show a list configured subnets for the DHCP server, and use ”show subnet IPADDR” to show information on a specific subnet

(alternatively, you can run the ”show” command within the

DHCP Server

Configuration

context of that specific subnet).

The DHCP server can handle up to 1024 subnets.

Default values Default prefix length is 24 (i.e., netmask 255.255.255.0).

22.3.13

Configure DHCP Subnet Netmask

Syntax [no] netmask <NETMASK>

Context

DHCP Server Subnet Configuration

context

Usage Specify/modify the netmask for the subnet to serve, e.g.,

”netmask 255.255.128.0”.

Use ”no netmask” to reset the netmask to its default value.

© 2015 Westermo Teleindustri AB

509

Westermo OS Management Guide

Version 4.17.1-0

Use ”show netmask” to show the current netmask setting.

Default values The netmask defaults to ”255.255.255.0”, however, a different netmask can be specified in the ”subnet” command, see

section 22.3.12

.

22.3.14

Configure DHCP Server Address Pool

Syntax [no] pool <IPADDRESS_START> <NUM|IPADDRESS_END>

Context

DHCP Server Subnet Configuration

context

Usage Specify the IP address pool from which the DHCP server will hand out leases. The end of the address range can be specified as an IP address

(”IPADDRESS_END”), or as a number (”NUM”). ”NUM” specifies the number of addresses in the pool, thus ”IPADDRESS_END” is computed as

PADDRESS_START + NUM 1”.

Use ”no pool” to disable dynamic address assignment. When disabled, only static host entries are allowed in the range defined by the subnet itself and the netmask option.

Use ”show pool” to see the IP addresses in the pool.

Default values A pool based on the configured subnet is automatically setup when creating a new DHCP subnet.

22.3.15

Configure DHCP Server Lease Time

Syntax [no] lease-time <120-5256000>

Context

DHCP Server Subnet Configuration

context

Usage Specify the DHCP address lease time (seconds) for addresses handed out to DHCP clients.

Use ”no lease-time” to reset the lease time setting to its default value.

Use ”show lease-time” to show the current lease-time setting.

Default values 864000 seconds (i.e., 10 days)

510

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

22.3.16

Configure DHCP Server Default Gateway Option

Syntax [no] gateway <IPADDRESS>

Context

DHCP Server Subnet Configuration

context

Usage Specify the IP default gateway (default router) option for leases handed to DHCP clients. A single default gateway can be specified. If no default gateway is specified, the switch IP address on this interface will be provided in the default gateway option for local DHCP clients (that is, the switch will act as default gateway for hosts on local subnets), or the DHCP relay agent

IP address for DHCP requests on remote subnets.

Note

When acting as router for local DHCP clients, please remember to en-

able routing on this unit ( chapter 19 ) and enable appropriate NAT and

firewall rules if necessary ( chapter 31 ).

Use ”no gateway” to remove any statically configured default gateway option.

Use ”show gateway” to list the gateway option settings.

Default values Empty, this means that the switch IP address on this interface will be provided in the default gateway option.

22.3.17

Configure DHCP Server Name Server Option

Syntax [no] name-server <IPADDRESS>[,<IPADDRESS>]

Context

DHCP Server Subnet Configuration

context

Usage Specify name server (DNS) options for leases handed to DHCP clients.

Up to two DNS name servers can be specified, either as comma separated

IP addresses on the command line, or by repeating the command for each address.

Use ”no name-server” to remove all configured name server DHCP options.

If no name server is specified, the switch IP address on this interface will be provided in the name server option (that is, the switch will act as DNS name server for hosts on this interface. In this case, the switch will act as

© 2015 Westermo Teleindustri AB

511

Westermo OS Management Guide

Version 4.17.1-0 a caching name server and forward any (non-cached) incoming requests to the name-server(s) configured on the switch, see

chapter 19 ).

Use ”show name-server” to list DNS name server option settings.

Default values Empty, this means that the switch IP address on this interface will be provided in the name server option.

22.3.18

Configure Domain Name Option

Syntax [no] domain <DOMAIN>

Context

DHCP Server Subnet Configuration

context

Usage Specify the domain name search path option for leases handed to DHCP clients. A single domain name option can be specified.

Use ”no domain” to disable this option.

Use ”show domain” to list domain name option settings.

Default values Disabled, the domain name option will not be used.

22.3.19

Configure NTP Server Option (DHCP Option 42)

Syntax [no] ntp-server <IPADDR>

Context

DHCP Server Subnet Configuration

context

Usage Specify the NTP-server option (DHCP option 42) for leases handed to

DHCP clients, e.g., ”ntp-server 192.168.1.3”. Up to two NTP servers can be specified.

Use ”no ntp-server <IPADDR>” to remove a specific NTP server, or ”no

ntp-server” to disable all NTP server options.

Use ”show ntp-server” to list NTP-server option settings.

Default values Disabled, the NTP-server option will not be used.

22.3.20

Show list of current DHCP clients

Syntax show dhcp-clients

512

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Context

Admin Exec

context

Usage Show list of current DHCP clients.

Default values Not applicable

Example

example:/#> show dhcp-clients

Lease Time MAC Address IP Address Hostname Client ID

===============================================================================

864000 example:/#>

00:07:7c:8a:e2:41 192.168.2.109

*

01:00:07:7c:8a:e2:41

© 2015 Westermo Teleindustri AB

513

Westermo OS Management Guide

Version 4.17.1-0

Chapter 23

DHCP Relay Agent

This chapter describes WeOS DHCP Relay Agent support. For information on

WeOS DHCP Server support, see

chapter 22 .

DHCP Relay Agents relay DHCP messages between DHCP clients on a local LAN to a central DHCP Server, usually located on a remote network. The two most common reasons for using DHCP relay agents are:

ˆ Centralised management: Deploying and managing a DHCP server on every

LAN in your network is cumbersome. By use of relay agents, a central DHCP server can be used, and the management effort is substantially reduced.

Furthermore, if the relay agent is located in a router or switch on the local

LAN, there is no additional equipment cost.

ˆ Assigning IP address per port (DHCP Option 82): In some topologies, you may wish to assign IP addresses based on the switch port a DHCP client connects to. By running a DHCP Relay Agent in the local switch/router, it can include port information when forwarding the DHCP messages (DHCP

Option 82).

For redundancy purposes, the WeOS DHCP Relay Agent enables you to specify up to two DHCP servers, to which the Relay Agent forwards incoming DHCP requests.

In case you wish to hand out addresses per port on the DHCP server unit (as opposed to the DHCP relay agent), WeOS allows you to achieve this by running

a relay agent on the DHCP server unit, see the chapter on DHCP server ( section 22.1.4

).

514

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

23.1

Overview of DHCP Relay Agent Support

The table below lists the features available in the WeOS DHCP Relay Agent.

Feature

General DHCP Relay settings

Enable/disable Relay Agent

Define interfaces to serve

DHCP server IP address

DHCP server UDP port

DHCP Option 82

Enable/Disable DHCP Option 82

Default Policy

Default Circuit-ID type

Remote-ID

DHCP Proxy Mode

Force DHCP Option 54

Web

CLI

General Description

X

X

X

X

X

X

X

X

X

X

X

X

X

X

Section 23.1.1

X

-”-

-”-

-”-

X

Section 23.1.2

-”-

-”-

-”-

-”-

Section 23.1.3

-”-

Per-Port DHCP Relay settings

Enable/Disable DHCP Relay

DHCP Option 82

Policy

Circuit-ID type

X

X

X

X

Section 23.1.4

X

Section 23.1.2

X

-”-

23.1.1

Introduction to DHCP Relay Agents

One of the main reasons for using DHCP relay agents is to simplify DHCP management in larger infrastructures. Instead of deploying and managing a DHCP server on every LAN, a DHCP relay agent present on the LAN can forward DHCP messages between local DHCP clients, and a central DHCP server.

Fig. 23.1

can be used to illustrate the use of DHCP relays and a central DHCP server.

ˆ (V)LAN interfaces: The DHCP relay agents (here RA1-RA3) serve DHCP clients

(here PC1-PC6) on the local LANs. A DHCP relay can serve a single LAN (Relay Agent 1 & 3) or multiple LANs (Relay Agent 2). In WeOS the LANs to serve is selected by configuring which (VLAN) network interfaces the relay agent should listen on.

© 2015 Westermo Teleindustri AB

515

Westermo OS Management Guide

Version 4.17.1-0

DHCP

Server

192.168.100.1

DHCP pools:

A: 192.168.0.100−150/24, gw 192.168.0.1

B: 192.168.1.100−150/24, gw 192.168.1.1

C: 192.168.2.100−150/24, gw 192.168.2.1

D: 192.168.3.100−150/24, gw 192.168.3.1

Intranet/Internet

192.168.0.0/24

DHCP

Relay

Agent

(RA1)

.1

192.168.1.0/24

.1

DHCP

Relay

Agent

(RA2)

.1

192.168.2.0/24

Router

.1

192.168.3.0/24

DHCP

Relay

Agent

(RA3)

.2

PC1 PC2 PC3 PC4 PC5 PC6

Figure 23.1: Sample topology where DHCP relay agents serve local DHCP clients, and forwards DHCP requests to/from a central DHCP server.

ˆ DHCP Servers: The relay agent must also know where to forward the DHCP requests from the local PCs, i.e., the relay agent must be configured with IP address of the DHCP server (here 192.168.100.1). As of WeOS v4.17.1, the relay agent can be configured with up to two DHCP servers. When configuring two DHCP servers, the DHCP relay will forward the DHCP requests to both servers, thereby providing redundancy.

DHCP servers listen to UDP port 67 by default. It is possible configure the

WeOS relay agent to forward packets to a different port on the server, see also

sections 23.1.5

and

22.1.3

.

ˆ Address pools: The DHCP server will in turn be configured with appropriate address pools (here denoted A-D), from which it can hand out addresses to the local PCs.

When a DHCP relay agent receives a DHCP request from a PC, it will add its local IP address into the giaddr field of the DHCP message when forwarding it to the server (e.g., RA1 will set giaddr to 192.168.0.1) when forwarding requests from PC1 to the DHCP server). Based on the giaddr, the DHCP server can distinguish which pool to hand out address from (here ”A”).

516

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

The DHCP server should also be configured with other relevant settings, e.g., default gateway, lease times, etc. (see

chapter 22 ).

ˆ Running relay agents on routers or switches: Relay agents can be run as dedicated servers (RA3), but are typically located inside the local routers

(RA1 and RA2). By running the relay agents inside the routers, deployment and management costs are reduced, since no additional equipment is needed.

Although not shown in

fig. 23.1

, it is also possible to run relay agents on

(layer-2) switches. This is useful when you wish to assign IP addresses based on the physical port the PC connects to (see

section 23.1.2

for information on DHCP Option 82). In such use cases, you may also wish to run several relay agents within the same LAN –

section 23.1.4

provides more information on running relay agents in switched networks.

As of WeOS v4.17.1, it is only possible to run a single relay agent instance per

WeOS unit. This is no major limitation, but implies, e.g., that a relay agent serving multiple LANs (RA2 in

fig. 23.1

) can not be configured to forward the DHCP

requests from different LANs to different sets of DHCP servers.

23.1.2

DHCP Option 82

The relay agent information option (DHCP option 82, see RFC3046[ 28 ]) enables

a relay agent to pass information to the DHCP server regarding which port the

DHCP request came in on. Thus, an option 82 aware DHCP server would be able to assign IP settings (IP address, etc.) to a PC based on the port the PC connects to.

The DHCP option 82 contains two sub-options, Circuit ID and Remote ID:

ˆ Circuit ID: The circuit ID identifies the port on the relay agent, where the

DHCP request was received. Since the circuit ID can only be considered unique within the reporting relay agent, the DHCP server generally needs to consider both the circuit ID and an identifier of the specific relay agent

(e.g.,giaddr or option-82 remote ID, see below) when processing the DHCP request.

In WeOS the circuit ID can be set according to the following methods:

Disabled: When circuit ID is disabled, no circuit ID sub-option is passed as part of the Relay Agent Information option (DHCP option 82).

© 2015 Westermo Teleindustri AB

517

Westermo OS Management Guide

Version 4.17.1-0

Port Name: Selecting the port name method implies that the circuit ID will be represented as Type appended by the port identifier, e.g., Eth1 and DSL1 on a single slot product, or Eth1/1 and DSL1/1 on a multi-slot product (see

section 8.1.1

for more information on WeOS port naming conventions).

Port Description: By selecting the port description method, the circuit

ID will be represented by the port description setting of the associated

port. However, as of WeOS v4.17.1 the port description ( chapter 8 )

can not yet be configured. Until configuration of port description is supported, the circuit ID will fall-back to using the port name, see above.

Manual: You can configure the Circuit-ID manually per port. The Circuit

ID will be sent as a byte sequence (max 9 bytes), and you can choose to enter your manual circuit ID setting either as an ASCII string (max 9 characters) or as hexadecimal number (max 18 hex characters).

ˆ Remote ID: According to RFC3046[

28 ], the purpose of the remote ID should

is to enable the DHCP relay agent to supply a trusted unique identifier of the DHCP client. In practice, it is commonly used as an identifier of the relay agent itself – the option 82 aware DHCP server can then base the IP address assignment on the combination of circuit ID and remote ID. In WeOS the remote ID can be set according to the following methods:

Disabled: When remote ID is disabled, no remote ID sub-option is passed as part of the Relay Agent Information option (DHCP option 82).

MAC: By selecting the MAC method, the unit’s base MAC address (6 bytes, hexadecimal) will be used as remote ID. See

sections 4.4.2

(Web) and

7.3.2

(CLI) for information on how to read the unit’s base MAC address.

IP: By selecting the IP method, the relay agent will use the IP address of the interface where the DHCP request came in as remote ID (i.e., the

giaddr). E.g., if RA2 in

fig. 23.1

receives a DHCP request from PC4, it would use 192.168.2.1 as remote ID.

System Name: By selecting the System Name method, the unit’s configured hostname/system name will be used as remote ID. See

sections 20.1.1

(Web) and

20.2.2

(CLI) for information on how to configure the unit’s hostname/system name.

When configuring a DHCP relay agent in WeOS, use of the relay agent information option is by default disabled. When enabling DHCP option 82, the relay agent will

518

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 add its relay information option to incoming DHCP requests, unless the request already contains a relay agent information option (added by some ”downstream”

relay agent)

1

.

Below the possible policy settings are listed how the relay agent should handle incoming DHCP requests already containing a relay agent information option. The policy can both be specified globally (i.e., per relay agent), as well as on per port basis.

ˆ Discard: Drop requests already containing a relay agent information option.

ˆ Forward: If the request already contains a relay agent information option, keep that entry when forwarding the request towards your DHCP server(s).

ˆ Replace: If the request already contains a relay agent information option, replace that with your own DHCP option 82 field when forwarding the request towards your DHCP server(s).

ˆ Append: If the request already contains a relay agent information option, append your own relay agent information option field when forwarding the request towards your DHCP server(s).

ˆ Require: Discard requests lacking a relay agent information option. If the request already contains a relay agent information option, keep that entry when forwarding the request towards your DHCP server(s). This option may be useful in topologies including a mix of relay agents supporting and not supporting DHCP snooping (see

sections 23.1.4

, and

22.1.4.2

).

When handling DHCP requests already containing a relay agent information option, the following mechanisms apply to all policies:

ˆ Dropping requests lacking a giaddr: As of WeOS v4.17.1, incoming requests containing a relay agent information option, but lacking a giaddr, will be discarded.

ˆ Keeping existing giaddr: When forward a request which already contains a relay agent information option, the giaddr field will be unchanged.

As of WeOS v4.17.1 no validation is performed by the relay agent on relay agent information option field(s) included in DHCP messages returned from the DHCP

Server. The relay agent information is always removed

2

before passing it back to the DHCP client (PC), or to a relay agent closer to the PC. This behaviour may give

1

The exception is when policy ”Require” is configured - then the packet will be discarded if it does not contain a relay agent information option.

2

If more than one relay information option is included, the last option is removed.

© 2015 Westermo Teleindustri AB

519

Westermo OS Management Guide

Version 4.17.1-0 problems at downstream relay agents when using the Forward, Append, Replace, and Require policies. WeOS handling of packets on the return path from the DHCP server may be modified in upcoming WeOS releases.

23.1.3

DHCP Proxy Mode

According to the RFC2131[ 7 ] a DHCP relay agent would only be involved in the

initial DHCP message, while subsequent DHCP lease renew messages would be sent directly between client and server, as shown in

fig. 23.2

.

For many use-cases however, this behaviour is not desirable. In particular with

Option 82 (see

section 23.1.2

) all DHCP messages from the client to the server

need to have this extra piece of information appended so that the server can properly identify the client. This is called DHCP Proxy Mode, or DHCP Server

Identifier Override, defined in RFC5107[ 18 ].

DHCP

Client

DHCP

Relay

DHCP

Server

DHCP Discover

DHCP Discover

DHCP Offer

DHCP Offer

DHCP Request

DHCP Ack

DHCP Request

DHCP Ack

DHCP Renew Request

DHCP Ack

Figure 23.2: Typically only the initial DHCP exchange is done via the relay agent, while lease renew messages are sent directly (unicast) between client and server.

Most modern DHCP servers support RFC5107[ 18 ], which is a sub-option to Option

82. But some older DHCP servers do not and for this particular case the WeOS

520

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 relay agent can be configured to forcibly override Option 54, the Server Identity field. In effect, making sure that the client will send all DHCP messages via the relay agent, see

fig. 23.3

.

DHCP

Client

DHCP

Relay

DHCP

Server

DHCP Discover

DHCP Discover

DHCP Offer

DHCP Offer

DHCP Request

DHCP Request

DHCP Ack

DHCP Ack

DHCP Renew Request

DHCP Ack

DHCP Renew Request

DHCP Ack

Figure 23.3: DHCP Proxy Mode, all messages goes via the relay agent.

Hence, there are two levels of DHCP Proxy Mode support in WeOS.

ˆ Hint to server: The WeOS relay agent adds sub-option 11 to option 82 in all DHCP messages forwarded to the server, to hint the server to fill in the

IP address of the relay agent in the DHCP server identity field in the server

responses. If the server supports RFC5107[ 18 ], the relay agent will act as a

server proxy towards the client ( fig. 23.3

).

Note

The WeOS DHCP server ( chapter 22

) supports RFC5107[ 18 ].

ˆ Force identity override: The WeOS relay agent can force server identity override by updating the packets sent towards the DHCP client. This feature can be useful in situations where the DHCP server does not support

RFC5107[ 18 ]. Forcing DHCP server identity override is disabled by default.

© 2015 Westermo Teleindustri AB

521

Westermo OS Management Guide

Version 4.17.1-0

23.1.4

Relay Agents in Switched Networks

The DHCP protocol uses layer-2 broadcast (Destination MAC: ff:ff:ff:ff:ff) for some of its protocol messages. Therefore, a (broadcast) DHCP packet coming in to a switch, will typically be flooded on all ports of the same LAN. This is illustrated in

fig. 23.4

a):

ˆ A broadcast DHCP message comes in on port ”A” of the switch (step ”1a”).

ˆ The message is broadcasted unmodified on all other ports within the LAN

(here ports ”B”-”F”), see step ”1b”.

ˆ In this case, the switch is also running a DHCP relay service on the LAN.

The relay agent will process the incoming DHCP packet, and forwards it to the configured DHCP server, which here happens to reside in the direction of port ”E” (step ”2”). The packet in step ”2” is modified as compared to the initial broadcast packet: It is sent as unicast to the DHCP server, and it contains the relay agents IP address as giaddr. If the relay agent has DHCP option 82 enabled, such information is also added.

Towards

DHCP

Server

2

E

A

Relay

Agent

1b

B C D

F

1b

1b

Towards

DHCP

Server

2

E

A

Relay

Agent

1b

B C D

F

1a

Broadcast

DHCP packet

1b 1b 1b a) No DHCP snooping support

1a

Broadcast

DHCP packet b) DHCP snooping supported

Figure 23.4: Propagation of DHCP broadcast packets in switches running DHCP relay agents. All ports are on the same (V)LAN. The switch in figure a) does not support DHCP snooping, while the switch in figure b) supports DHCP snooping.

As seen in

fig. 23.4

a), using (layer-2) switches as DHCP Relay Agents can result

in multiple versions of a DHCP message to be sent towards the DHCP server: the original request being switched/broadcasted, and the one being relayed by the relay agent process. This will not cause any problems if the DHCP server is located on some remote network; then only the relayed packet will reach the server. However, if the DHCP server is located within the same LAN, adequate support is needed at the DHCP server to know which request to serve and which

522

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 to ignore (see

section 22.1.4.2

in the DHCP server chapter for more information).

The number of ”copies/versions” of a DHCP request can increase further if a

LAN consists of several switches with DHCP relay agents (discussed later on, see

fig. 23.5

).

To mitigate multiplication of broadcast DHCP messages, some switches support

DHCP snooping (see also

section 23.1.5

for an alternative approach). With DHCP snooping enabled on an Ethernet/DSL port, all DHCP packets will pass through the DHCP relay agent – this includes broadcast and unicast DHCP packets, both

DHCP requests (to server) or DHCP responses (from server) coming in on that port.

Fig. 23.4

b) shows the result when a broadcast DHCP packet comes in on a

port with DHCP snooping enabled.

When configuring a WeOS relay agent on a VLAN interface, all ports on that VLAN will have DHCP snooping enabled

- the exception is products lacking hardware support for DHCP snooping

3

. More

fine-grain control to enable/disable DHCP snooping per port may be supported in later WeOS versions.

DHCP relay service can be disabled on a per port basis. If DHCP relaying is disabled on an Ethernet/DSL port, incoming DHCP packets will be switched as other layer-2 packets (no DHCP snooping), and the DHCP relay agent on the switch will ignore DHCP requests entering the switch on that port.

Fig. 23.5

presents an example where multiple relays are located within the same

VLAN – port 1-6 on all RA units are in the same VLAN, while port 7 on RA1 and

RA2 are associated with another VLAN used and used as upstreams interface. The topology in

fig. 23.5

utilise several WeOS features to achieve a robust network:

FRNT ( chapter 14 ) is used to handle single link failures within the local network.

VRRP ( chapter 30 ) is used to handle router redundancy (RA1 and RA2). A second

DHCP server to protect against DHCP server failure

4

.

The relay agents (RA1-RA5) server DHCP clients connecting to the local access ports (ports 1-4), and will relay each request (unicast) to the configured DHCP server(s). Below a sample DHCP relay configuration is shown, which would be suitable for all relay agents in

fig. 23.5

.

3

In WeOS products, DHCP Snooping is supported on all Ethernet/DSL ports, except for ports of switchcore(s): MV88E6095, MV88E6185 and MV88E6046. Please see Detailed System Overview

page in the Web ( section 4.4.2

) or use the ”show system-information” in the CLI ( section 7.3.2

)

to find information about what switchcore(s) is used in your product.

4

As of WeOS v4.17.1, the WeOS DHCP server ( chapter 22 ) does not provide dedicated DHCP

server failover support, but you can achieve redundancy using ”static” address assignment (no address pools) with the same configuration at both DHCP servers.

© 2015 Westermo Teleindustri AB

523

Westermo OS Management Guide

Version 4.17.1-0

DHCP

Server

IP:10.1.2.3

DHCP

Server

Internet/Intranet

7

6

RA1

5

1 2 3 4

Routers (possibly running VRRP) 7

6

RA2

5

1 2 3 4

5

RA3

6

1 2 3 4

FRNT

Focal Point

5

RA4

6

1 2 3 4

5

RA5

6

1 2 3 4

Figure 23.5: Example with multiple DHCP Relay Agents within the same VLAN

(port 1-6 on all RAs are assumed to be on the same VLAN, e.g., VLAN 1).

Example

dhcp-relay iface vlan1 server 10.1.2.3

option82 discard port 5-6 no enable end end

ˆ DHCP relay has been enabled on interface vlan1 (this assumes that ports

1-6 are all associated with VLAN 1).

ˆ A single DHCP server has been configured (here 10.1.2.3). As of WeOS v4.17.1, up to two DHCP servers can be configured.

ˆ Option 82 is enabled, with policy discard. Option 82 information will be added to all incoming requests. Packets which already include option 82 information will be discarded. Default settings for circuit-id (port name) and

remote-id (base-MAC) will be used.

ˆ DHCP requests coming in on port 5 or 6 will be ignored by the relay agent.

No DHCP snooping will be done on those ports, thus a DHCP request being

524

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 relayed by RA4 to the DHCP server, will be forwarded through RA5 like any other packet.

23.1.5

Mitigating duplication of DHCP messages by using a different server port

An alternative to address the issue with multiple DHCP requests in switched topologies with non-snooping relay agents is to let the DHCP server listen on a

non-standard UDP port ( section 22.1.3

). The DHCP relay agent can be configured

to forward its packets to this server port ( section 23.1.1

), thus all relayed packets

will reach the server. Packets coming directly from the client will be dropped by server, since they are sent to the regular DHCP server UDP port (67).

Example

-- DHCP Server configuration of non-standard listen port

example-server:/#> configure example-server:/config/#> example-server:/config/#> dhcp-server example-server:/config/dhcp-server/#> server-port 6767 example-server:/config/dhcp-server/#> leave

Stopping DHCP/DNS Server ................................... [ OK ]

Starting DHCP/DNS Server ................................... [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

example-server:/#>

-- DHCP Relay Agent configuration of non-standard server port

example-relay:/#> configure example-relay:/config/#> dhcp-relay example-relay:/config/dhcp-relay/#> server-port 6767 example-relay:/config/dhcp-relay/#> leave

Stopping DHCP/DNS Server ................................... [ OK ]

Starting DHCP/DNS Server ................................... [ OK ]

Configuration activated.

Remember "copy run start" to save to flash (NVRAM).

Starting DHCP Relay Agent .................................. [ OK ] example-relay:/#>

© 2015 Westermo Teleindustri AB

525

Westermo OS Management Guide

Version 4.17.1-0

23.2

Configuring DHCP Relay Agent via the Web

The Web interface provides management of the DHCP Relay Agent.

23.2.1

DHCP Relay Agent settings

Menu path: Configuration Network (IP) DHCP-Relay

526

Figure 23.6: DHCP Relay Agent settings

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Listening

Interfaces

DHCP

Servers

Global

Option 82

Settings

The Listening Interface specifies on which interface(s) the relay agent will listen for client requests. DHCP server responses may come in through any interface.

The DHCP Servers settings determine to which DHCP servers each DHCP client request will be sent. At most two servers may be configured.

The Global Option 82 Settings determine how the DHCP

Relay Agent Information option, also known as Option 82, will be handled. The policy specify how to treat incoming client requests that already contain an Agent Information option.

ˆ Disable: Do not add option 82 field. Any existing option

82 will be retained.

ˆ Forward: Adds a new option 82 or forwards any existing option 82.

ˆ Append: Appends a new option 82 in addition to any existing option 82.

ˆ Discard: Drops the whole packet if it contains an option

82.

ˆ Replace: Removes any existing option 82 and adds a new option 82.

ˆ Require: Requires that the incoming packet contains an option 82 otherwise it will be dropped.

The Circuit ID setting determines how the Circuit-Id field of option 82 will be filled. It can be one of None, Port Name and Port Description. None will leave this field with zero length, Port Name will fill this field with the port type and name of the port as seen on front foil, stripped of any whitespace. E.g. Eth6 for Ethernet port 6. Lastly Port Description will use the description given to the port in the port settings.

In a similar fashion the Remote ID tells how the remote id field of option 82 will be set. None set its length to zero, IP sets it to the IP address of the inbound interface. MAC uses the base MAC address of the unit. Lastly, System Name uses the hostname of the system.

© 2015 Westermo Teleindustri AB

527

Westermo OS Management Guide

Version 4.17.1-0

23.2.2

DHCP Relay Agent Per-Port Settings

Menu path: Configuration Network (IP) DHCP-Relay Agent Port Specific

Settings Show

Figure 23.7: DHCP-Relay Agent Per-Port Settings page

Enabled

Option 82

Policy

Option 82

Circuit ID

The Enabled checkbox tells whether to enable the relay agent on this port, i.e. whether to listen for client requests on this port or not. If enabled, you can override the global settings.

See

section 23.2.1

for an explanation of the different policy options. In the port specific section, the Policy setting has an additional option Global, indicates that the global policy setting (see

fig. 23.6

) will be used for this port.

See

section 23.2.1

for an explanation of the different circuit ID types. In the port specific section, the Circuit ID setting has additional options for the Circuit ID type.

ˆ Global: Indicates that the global circuit ID setting (see

fig. 23.6

) will be used for this port.

ˆ Manual (hex) and Manual (string): A user specified

hex or string value will be used as circuit ID. Value is entered in the Manual Circuit ID field.

528

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

23.3

Configuring DHCP Relay Agent via the CLI

Command Default Section

Configure DHCP Relay Agent

[no] dhcp-relay

[no] enable

[no] iface <IFACE>

[no] server <IPADDR>

[no] server-port <PORT>

Enabled

Disabled

Disabled

Disabled

[no] force-server-identity Disabled

[no] option82 <forward|discard|append| Disabled replace|require>

[no] circuitid-type <portname| portdescription>

[no] remoteid-type <mac|ip| system-name>

”portname”

”mac”

Section 23.3.1

Section 23.3.2

Section 23.3.3

Section 23.3.4

Section 23.3.5

Section 23.3.6

Section 23.3.7

Section 23.3.8

Section 23.3.9

port <PORTLIST|all>

[no] enable Enabled

[no] option82 <auto|forward|discard| ”auto” append|replace|require>

[no] circuitid-type <auto|portname| portdescription| manual <hex|string> <ID>>

”auto”

View DHCP Relay Agent Settings show dhcp-relay dhcp-relay show port [PORTLIST] ”all”

Section 23.3.10

Section 23.3.11

Section 23.3.12

Section 23.3.13

Section 23.3.14

Section 23.3.15

23.3.1

Manage DHCP Relay Agent

Syntax [no] dhcp-relay

Context

Global Configuration

context

Usage Create, modify or remove the DHCP Relay Agent.

© 2015 Westermo Teleindustri AB

529

Westermo OS Management Guide

Version 4.17.1-0

Enter DHCP relay agent context.

Use ”no dhcp-relay” to remove an existing DHCP relay configuration.

Default values Not applicable.

23.3.2

Enable DHCP Relay Agent

Syntax [no] enable

Context

DHCP Relay Configuration

context

Usage Enable the DHCP Relay Agent.

Default values Enabled.

23.3.3

Listening Interfaces

Syntax [no] iface <IFACE>

Context

DHCP Relay Configuration

context

Usage Specify the interfaces that the relay agent will listen to.

Default values Not applicable.

23.3.4

DHCP Servers (IP addresses)

Syntax [no] server <ADDRESS>

Context

DHCP Relay Configuration

context

Usage Specify the DHCP server that the relay agent will forward requests to.

Default values Not applicable.

23.3.5

DHCP Server UDP port

Syntax [no] server-port <UDPPORT>

Context

DHCP Relay Configuration

context

530

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Usage Specify the DHCP server UDP port that the relay agent will forward requests to. See also

section 22.3.4

for the corresponding DHCP relay agent setting.

Use ”no server-port” to reset to default value (port 67).

Use ”show server-port” to show current server-port settings.

Default values 67

23.3.6

Force DHCP Server Identity Override

Syntax [no] force-server-identity

Context

DHCP Relay Configuration

context

Usage By enabling the force DHCP server override setting, the DHCP relay agent

can work-around older DHCP servers that do not support RFC5107[ 18 ] (a

hint/extension to Option 82) by overriding Option 54 in the server response to the client with the relay agents IP address.

It is recommended to leave this setting disabled and instead either use the

WeOS DHCP server, or upgrade to another RFC compliant DHCP server.

Use ”force-server-identity” to enable force DHCP server override and use ”no force-server-identity” to disable it.

Use ”show force-server-identity” to show the current setting.

Default values Disabled

23.3.7

Option 82

Syntax [no] option82 <forward|discard|append|replace|require>

Context

DHCP Relay Configuration

context

Usage Enable or disable the addition of option 82, a.k.a. relay agent information, to DHCP requests. The policy for how to handle any existing option 82 can optionally be specified as follows.

Forward

Adds a new option 82 or forwards any existing option 82.

© 2015 Westermo Teleindustri AB

531

Westermo OS Management Guide

Version 4.17.1-0

Append

Appends a new option 82 in addition to any existing option 82.

Discard

Drops the whole packet if it contains an option 82.

Replace

Removes any existing option 82 and adds a new option 82.

Require

Requires that the incoming packet contains an option 82 otherwise it will be dropped.

Default values Option 82 is disabled by default, if enabled and policy is omitted it defaults to forward.

23.3.8

Circuit ID Type

Syntax [no] circuitid-type <portname | portdescription>

Context

DHCP Relay Configuration

context

Usage Specify how the circuit id in option 82 will be set. portname will use the name of the port as it is printed on the front foil plus the port type.

For Ethernet ports it will be Eth, so e.g. requests coming in on port 6 will have the Circuit ID set to “Eth6”. portdescription is currently the same as

portname but will use the port description set in the port configuration, as soon as that feature is released.

Default values portname.

23.3.9

Remote ID Type

Syntax [no] remoteid-type <mac | ip | system-name>

Context

DHCP Relay Configuration

context

Usage Specify how the remote id in option 82 will be set. mac will use the base

MAC address of the unit. ip will use the IP address of the inbound interface.

system-name will use the hostname.

Default values mac

532

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

23.3.10

Manage DHCP Relay Agent Per-Port Settings

Syntax port <PORT|PORTS>

Context

DHCP Relay Configuration

context

Usage Modify DHCP Relay Agent configuration for one or several ports.

Default values Not applicable.

23.3.11

Enable/disable DHCP Relay Agent per port

Syntax [no] enable

Context

DHCP Relay Configuration

context

Usage Enable or disable the DHCP Relay Agent on a port.

Default values Enabled.

23.3.12

Option 82 policy per port

Syntax [no] option82 <auto|forward|discard|append|replace|require>

Context

DHCP Relay Port Configuration

context

Usage Enable or disable the addition of option 82 on one ore more ports. The

auto policy uses the same a policy as specified in the DHCP Relay context.

Default values auto.

23.3.13

Option 82 Circuit ID per port

Syntax [no] circuitid-type <auto|portname|portdescription>

Context

DHCP Relay Port Configuration

context

Usage Specify how the circuit id in option 82 will be set for this port. In addition to the keywords defined in

section 23.3.8

auto can be used, meaning the configured circuit ID type in DHCP relay context.

Default values auto.

© 2015 Westermo Teleindustri AB

533

Westermo OS Management Guide

Version 4.17.1-0

23.3.14

Show DHCP Relay Agent Settings

Syntax show dhcp-relay Also available as ”show” command within the

DHCP

Relay Configuration

context context.

Context

Global Configuration

context

Usage Show DHCP relay agent settings.

Default values

23.3.15

Show DHCP Relay Agent Per-port Settings

Syntax show port [PORTLIST] Also available as ”show” command within the

DHCP Relay Port Configuration

context.

Context

DHCP Relay Configuration

context

Usage Show DHCP relay agent per port settings. Furthermore, not only the circuit ID type settings are listed, but also the resulting circuit ID.

Default values If no PORTLIST is given, settings are listed for all ports associated with the given (VLAN) interfaces (see also

section 23.3.3

).

Example

example:/config/dhcp-relay/#> show port

Port Enabled Policy Circuit-ID type

Eth 5

Eth 6

YES

YES auto auto auto auto example:/config/dhcp-relay/#>

(Circuit ID)

==============================================================================

Eth 1 NO auto auto (Eth1)

Eth 2

Eth 3

Eth 4

NO

YES

YES auto auto auto auto auto auto

(Eth2)

(Eth3)

(Eth4)

(Eth5)

(Eth6)

534

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Chapter 24

Alarm handling, Front panel

LEDs and Digital I/O

This chapter describes WeOS features for alarm and event handling ( sections 24.1

-

24.3

). The chapter also covers general information on functionality related to

Digital I/O and front panel LEDs ( sections 24.4

and

24.5

).

24.1

Alarm handling features

The table below summarises the WeOS alarm handling features.

Feature

Configure alarm triggers

Configure alarm actions

Configure alarm targets

View alarm status

1

Web

X

X

X

X

CLI

X

X

X

X

General Description

Sections 24.1.1

Sections 24.1.1

Sections 24.1.1

Section 24.1.5

-

24.1.3

and and

24.1.4

24.1.5

24.1.1

Introduction to the WeOS alarm handling support

The WeOS alarm handling support makes use of the following terminology:

1

In addition to monitoring alarm status via Web and CLI, there are other ways in which an operator can get notified when an alarm is triggered.

© 2015 Westermo Teleindustri AB

535

Alarm triggers

Alarm targets specify:

Alarm type and source(s), e.g., "temperature sensor 1"

Alarm thresholds and condition (e.g., ’alarm’ for temperatures above 50 degrees.)

Alarm severity, e.g., DEBUG, INFO, etc.

Alarm action "index", i.e., point out the action to invoke when the trigger becomes "active" and "inactive".

Westermo OS Management Guide

Version 4.17.1-0

Alarm actions

Alarm actions specify:

Alarm targets

Alarm sources

Examples:

Temperature sensors

Digital In sensors

Link−alarm (ports/interfaces)

RMON counters (ports/interfaces)

FRNT Ring Status

Alarm targets

Examples:

ON LED

Digital Out

SNMP Trap

Logging

Figure 24.1: Overview of WeOS alarm entities: Alarm triggers monitor the state of alarm source, and define conditions and thresholds when to invoke an associated alarm action. The invoked alarm action specifies what alarm target(s) to use to notify the operator.

ˆ Alarm sources: An alarm source is an object being monitored by an alarm

trigger, e.g., the link status (up/down) of an Ethernet port, the input byte counter of a network interface, or the temperature value of a temperature sensor. Alarm sources are described further in

section 24.1.2

.

ˆ Alarm trigger: An alarm trigger monitors alarm sources, and defines the conditions when alarm events occur, i.e., when the trigger becomes active

(alarm situation) or inactive (normal situation).

In addition, the alarm trigger specifies the alarm action to be invoked once an alarm event occurs. Alarm triggers are described further in

section 24.1.3

.

ˆ Alarm actions and alarm targets: When an alarm event occurs, the operator can be notified via SNMP traps, logging, digital-out, and front panel status

LED. These notification mechanisms are referred to as alarm targets.

Instead of mapping triggers directly to targets, a trigger is mapped to an

alarm action (profile). The alarm action defines what specific targets to use when an alarm event occurs. For example, a link alarm trigger for ports 1-3 can be mapped to a specific alarm action, which in turn specifies logging and SNMP traps as targets. Alarm actions and targets are described further

536

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0 in

sections 24.1.4

and

24.1.5

respectively.

24.1.2

Alarm sources

As of WeOS v4.17.1 the following alarm sources are supported:

ˆ Power failure: If the unit is equipped with redundant power feed (or redundant power supply), an alarm can be triggered if one of the feeds lack input power.

Note: if all power is lacking on all feeds, the unit is powerless and cannot trigger alarms via SNMP traps or remote logging. To detect such a situation remotely, the operator could poll the unit (e.g., by pinging the unit on a regular interval). The drawback is that it is difficult to distinguish problems in the intermediate network from problems in the monitored device.

An alternative is to use out-of-band signalling, e.g., via GPRS equipment connected to digital-out to get an alarm notification instantly if a device goes down.

ˆ Link alarm: It is possible to configure link alarm triggers to react when a link goes down (and up).

ˆ Digital-In: Alarms can be triggered depending on the presence of input voltage/current on the Digital-In pins of the Digital I/O connector.

ˆ Temperature sensor alarms: Temperature alarm triggers can be configured to react when the temperature rises above (or falls below) some defined threshold.

ˆ FRNT status: The FRNT ring status trigger will react when an FRNT ring is

broken (bus mode) or healed (ring mode)

1

.

ˆ Hardware failure: Hardware alarms triggers notifies that the unit has detected a hardware failure (typically if an unsupported SFP is inserted).

ˆ SHDSL/xDSL SNR Margin: On devices with SHDSL/xDSL ports, alarms can be triggered when the SNR margin falls below some configured threshold.

ˆ Link Fault Forward (LFF): On devices with SHDSL ports, alarms can be triggered when the remote SHDSL switch indicates it has link down on its Ethernet port. That is, this feature can be used in topologies where an Ethernet

1

Only an FRNT focal point can determine the ring status with certainty.

© 2015 Westermo Teleindustri AB

537

Westermo OS Management Guide

Version 4.17.1-0 is extended over an SHDSL link, and where the remote SHDSL switch (e.g., a DDW-120) is able to signal that the Ethernet link is down on its side.

ˆ Network Connectivity (Ping):

It is possible to have a trigger to monitor network connectivity by using the ping command to a specific host. The remote node is considered unreachable if a configurable number of pings are lost, and considered reachable if the same number of pings are successfully received.

Note

Make sure the remote host responds to ICMP ping. A typical behaviour of many hosts is that ICMP ping is blocked in the host’s firewall.

ˆ PoE Power Usage: On units supporting Power Over Ethernet (PoE), alarms can be triggered when the total power usage raises above (or falls below) some configured threshold.

ˆ Microlok Session Status On units running a Microlok Gateway ( chapter 41 ,

an alarm can be triggered if any of the established sessions go down.

24.1.3

Alarm triggers

An alarm trigger defines the rules for when alarm events should be generated for a monitored alarm source. Alarm triggers also define which alarm action to invoke when an alarm event occurs.

Currently supported alarm trigger types:

ˆ Power failure

ˆ Link alarm

ˆ Digital-In

ˆ Temperature

ˆ FRNT ring status

ˆ Hardware failure (The hardware failure alarm trigger is implicit, and cannot be removed or modified.)

ˆ SNR margin (SHDSL and xDSL ports)

ˆ LFF (SHDSL ports)

538

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Timer

ˆ Ping

ˆ PoE power usage

ˆ Microlok Session Status

As the WeOS alarm handling support is designed to include triggers for additional alarm sources, the following description is of more general nature, thus contains more options than needed for the trigger types currently supported.

Note

As of WeOS v4.17.1 there is no support for making an alarm trigger per-

sistent. When an alarm condition is no longer fulfilled, the trigger status will become inactive. As alarms are not persistent, it is not possible for an operator to clear (i.e., acknowledge) an alarm.

24.1.3.1

Specifying what alarm source(s) a trigger should monitor

Different types of alarm triggers operate on different types of alarm sources:

ˆ Power failure: A power failure trigger can monitor one or more power feed sensors. Most WeOS products have two power feeds (single power supply), with a sensor for each power feed. Typically a single power failure trigger is used to monitor both power feed sensors.

ˆ Digital-In: A digital-in trigger can monitor one or more digital-in sensors.

WeOS products typically have a single digital-in sensor.

ˆ Link alarm: Link alarm triggers monitor the operational status (up/down) of

Ethernet or DSL ports. Thus when configuring a link alarm trigger the port

(or ports) to monitor should be specified.

Note

It is possible to define multiple link alarm triggers, where each trigger can monitor different ports and be mapped to different alarm actions.

In the future, link alarm triggers can be extended to monitor the operational status of network interfaces and VLANs in addition to physical ports (Ethernet, SHDSL, etc.).

© 2015 Westermo Teleindustri AB

539

Westermo OS Management Guide

Version 4.17.1-0

ˆ RMON statistics (not yet supported): The alarm source for an RMON trigger is specified by two parameters: (1) the name of the statistics counter

(e.g., etherStatsPkts), and (2) the port (or list of ports) for which this counter should be monitored.

Note

In WeOS the term RMON is used to refer to data traffic statistics in general; not only to the Ethernet statistics defined in the RMON MIB.

Thus, if a counter from the IF-MIB (such as ifHCInUcastPkts is specified, the alarm source could refer to network interfaces or VLANs as well as a physical ports (Ethernet, SHDSL, etc.).

ˆ Temperature: Temperature triggers can apply to one or more temperature sensors.

ˆ FRNT: FRNT triggers can apply to one or more FRNT rings (as of WeOS v4.17.1 only a single FRNT ring is supported).

ˆ Timer: Timer triggers are configured to go off at given time interval. As of WeOS v4.17.1, only daily timers are supported, e.g., ”timeout daily

02:30”, and only apply to ”log” and ”reboot” action targets.

ˆ SNR Margin: An SNR Margin trigger applies to one or more SHDSL/xDSL ports.

ˆ LFF (Link Fault Forward): An LFF trigger applies to one or more SHDSL ports.

ˆ Ping: A connectivity checker, sends an ICMP ping in a configurable interval.

ˆ PoE Power Usage: The WeOS PoE enabled units have a single PoE power module, and its current usage level is used as trigger source (i.e., no need to select a trigger source).

Typically there would be no more than one trigger monitoring the status of a specific alarm source. However, in some cases it would make sense to have multiple triggers monitoring a single alarm source. For example, one could define two temperature triggers for a single temperature sensor, where one trigger reacts if the temperature rises above a warning threshold (say 60

C), and the other if the temperature gets critically high (say 75

C).

540

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

24.1.3.2

Alarm thresholds and trigger output

For the trigger to know when an alarm event has occurred, threshold values for the monitored alarm sources must be configured. Alarm sources which are ’binary’ to their nature (link up/down, power up/down, digital-in high/low, etc.) have thresholds defined implicitly.

For sources which can take values in a wider range (temperature, SNR Margin, received packets within a given time interval, etc.) the alarm thresholds should be configured.

Fig. 24.2

a) illustrates use of alarm thresholds for a temperature

trigger.

Temperature

Alarm event

(rising/high)

Rising threshold

Falling threshold

Alarm event

(falling/low) time a) Temperature status and alarm events.

Alarm trigger "active"

Alarm trigger "inactive" time b) Trigger status with alarm condition "high".

Alarm trigger "active"

Alarm trigger "inactive" time c) Trigger status with alarm condition "low".

Figure 24.2: Example use of rising and falling thresholds for a temperature alarm trigger (a), and alarm condition setting to affect active and inactive trigger status

(b and c).

As can be seen in

fig. 24.2

a), two thresholds are used – a rising threshold and a

falling threshold. Alarm events will be generated when reaching the rising thresh-

© 2015 Westermo Teleindustri AB

541

Westermo OS Management Guide

Version 4.17.1-0 old on the way up, and the falling threshold on the way down. However, once a rising alarm event has occurred, a new rising alarm event cannot be generated

(for that alarm source) before the value has fallen down to the falling threshold

(and vice versa). Thus, the use of separate rising and falling thresholds creates a hysteresis mechanism, which avoids generating multiple alarm events when a monitored value fluctuates around the alarm threshold.

Alarm targets such as Digital-Out and the ON LED provide a summary alarm function (see

section 24.1.5.1

), and these targets assume that every alarm trigger

define the condition when the alarm is active (”alarm” situation) and inactive

(”normal” situation). To define this the alarm condition configuration option is used. To warn the operator for high temperatures, the alarm condition should be set to ”high”, see

fig. 24.2

b). If we instead wish to warn the operator for

low temperatures, the alarm condition should be set to ”low”, see

fig. 24.2

c). A

corresponding example for a Digital-In trigger is shown in

fig. 24.3

.

High (Voltage present)

Low (Voltage non−present) time a) Digital In Sensor state

Alarm trigger "active"

Alarm trigger "inactive" time b) Digital In Trigger State (Alarm condition set to "high")

Alarm trigger "active"

Alarm trigger "inactive" time c) Digital In Trigger State (Alarm condition set to "low")

Figure 24.3: Alarm condition example: The alarm trigger for digital-in can be configured to become active when the signal is high (b) or when it is low (c).

Additional details on threshold settings and properties:

ˆ The rising threshold cannot be set lower than the falling threshold.

ˆ It is possible to use the same value for the rising and falling thresholds.

ˆ Rising alarm events occur if the current sample value is equal or above the rising threshold, and the previously sampled value was below the rising threshold. A rising alarm event will also occur if the first sampled value is equal or above this threshold, and the condition variable is configured as

rising (or any of its equivalents: high or up).

542

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Falling alarm events occur if the current sample value is equal or below the falling threshold, and the previously sampled value was above the falling threshold. A falling alarm event will also occur if the first sampled value is equal or below this threshold, and the condition variable is configured as

falling (or any of its equivalents: low or down).

24.1.3.3

Sample types and interval

Two sample types are possible: absolute and delta sampling. With absolute sampling, the value is compared directly to the alarm thresholds. With delta sampling it is the difference between the current sample and the previous sample which is compared to the alarm thresholds.

Alarm sources of counter type, such as RMON data traffic statistics, are well suited for delta sampling. As the delta is computed over a given time interval

(sample interval), the alarm thresholds should be configured with respect to the configured sample interval.

Note

As of WeOS v4.17.1 only absolute sampling is supported, and the sampling interval is not configurable for any trigger type.

24.1.3.4

Alarm severity

For each trigger it is possible to define the severity level of the associated alarm events. The levels defined by Unix Syslog are used:

ˆ EMERG: System is unusable

ˆ ALERT: Action must be taken immediately

ˆ CRIT: Critical conditions

ˆ ERR: Error conditions

ˆ WARNING: Warning conditions

ˆ NOTICE: Normal, but significant, condition

ˆ INFO: Informational message

ˆ DEBUG: Debug-level message

© 2015 Westermo Teleindustri AB

543

Westermo OS Management Guide

Version 4.17.1-0

It is also possible to configure severity level ”NONE”. Alarm events with severity

NONE will not cause SNMP traps to be sent or events to be logged, however, such events can still affect digital-out and ON LED targets.

Note

Severity levels can be configured independently for the events when an alarm trigger becomes ”active” and ”inactive”. Default severity level are

WARNING for ”active” alarm events and NOTICE for ”inactive” alarm events.

24.1.3.5

Mapping triggers to actions

Triggers can be mapped to alarm actions (profiles) that are invoked when an alarm event occurs, for more information see

section 24.1.4

. However, it is also

possible to leave a trigger unmapped, e.g., when defining a ping trigger to adjust

VRRP priority dynamically (see

section 30.1.1

).

24.1.4

Alarm actions - mapping triggers to targets

Instead of mapping triggers directly to alarm targets, each trigger is mapped to an alarm action (alarm action profile). The alarm action specifies which targets to use (SNMP traps, Logging, ON LED, and Digital-Out) when an alarm event occurs.

It is possible to configure several actions (action profiles). Each trigger can be mapped to an individual action, but it is also possible for multiple triggers to share the same action. This can be particularly useful when managing several triggers of similar type, such as different types of RMON triggers.

By default a trigger is mapped to the default alarm action (index 1). The default alarm action cannot be removed.

24.1.5

Alarm presentation (alarm targets)

When an alarm situation occurs, such as an FRNT ring failure, WeOS enables the operator to be notified in numerous ways:

ˆ SNMP trap: Alarms can be configured to generate SNMP traps

2

. See

chapter 6

for general information on SNMP.

2

As of WeOS v4.17.1 there is no support for SNMP traps for timer or hardware alarms.

544

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

ˆ Log files and remote logging: Alarms can be logged locally or passed to a remote logging server. See

chapter 25

for general information on event and alarm logging.

ˆ Digital-Out: On units equipped with a Digital I/O contact, the Digital-Out pins can be used as an alarm target. Similar to the ’ON’ LED, digital-out provides a summary alarm function, where the ’gate’ is closed when the switch is operating ’OK’, and open when any of the associated alarm triggers becomes active (or when the unit has no power).

See

section 24.4

for general information on Digital I/O.

ˆ ’ON’ LED: There are front panel LEDs which can indicate status of specific ports or protocols. There is also a general status LED, which shows a green light when the unit is operating ’OK’, but shows a red light as soon as any of the associated alarm triggers becomes active. Thus, the ’ON’ LED provides a summary alarm function.

See

section 24.5

for general information on front panel LEDs.

ˆ Reboot: (USE WITH CARE) The reboot target is used to make the unit to reboot upon a specified alarm event. The purpose is to provide a way to reboot the unit on a regular basis (i.e., by mapping a timer trigger to an action profile with target reboot, see

section 24.3.2.8

).

In addition, an operator can view the alarm status via the Web and CLI interfaces.

24.1.5.1

Summary alarm

The summary alarm in use by the digital-out and ON LED targets assumes that every alarm trigger define the condition when the alarm is active (”alarm” situation) and inactive (”normal” situation).

ˆ For many triggers this definition is implicit, e.g., a link alarm is active when the port (or interface) is down and inactive it is up.

ˆ Other triggers, such as temperature or digital-in sensor triggers allow for the operator to define if the alarm is active: high or low temperature, voltage signal present or not present, etc. See

section 24.1.3.2

, and in particular figs. 24.2

and

24.3

, for further information on the active and inactive trigger

states.

Working as a summary alarm, digital-out as well as the ON LED will indicate

’alarm’ as soon as any of the associated alarm triggers become active. For the

© 2015 Westermo Teleindustri AB

545

Westermo OS Management Guide

Version 4.17.1-0

ON LED alarm is indicated with a ’red’ light, as shown in

fig. 24.4

. For Digital-Out,

alarm is indicated by having the gate in ’open’ state. See

sections 24.4

and

24.5

for general information on Digital I/O and front panel LEDs.

Trigger 1

Trigger 2

Trigger 3

"active"

"inactive"

"active"

"inactive"

"active"

"inactive" time time time

Target

ON LED

"red"

"green" time

Figure 24.4: Summary alarm example with three alarm triggers mapped to the ON

LED alarm target. The ON LED indicates ’alarm’ (red) when any of the associated triggers are active.

24.1.5.2

Target Severity thresholds

As of WeOS v4.17.1 setting target severity thresholds is not yet supported.

For logging and SNMP trap targets it is possible to filter alarm events depending on severity. E.g., if the SNMP trap target configures its severity threshold to

WARNING, only events of severity level WARNING or higher will cause SNMP traps to be sent.

By default, both logging and SNMP trap targets have severity threshold set to level INFO. See

section 24.1.3.4

for information on how to classify the severity for alarm triggers.

546

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

24.2

Managing Alarms via the Web

24.2.1

Show alarm status

Alarm status is presented in the System Overview and the Detailed System Overview web pages, which are described in

sections 4.4

and

4.4.2

.

Fig. 24.5

shows the System Overview page when a Link Alarm is activated.

Figure 24.5: The basic system overview page with a link alarm activated.

© 2015 Westermo Teleindustri AB

547

Westermo OS Management Guide

Version 4.17.1-0

24.2.2

Trigger configuration overview page

Menu path: Configuration Alarm Triggers

When entering the Alarm configuration page you will be presented to a list of all alarm triggers configured on your unit, see below.

Figure 24.6: The alarm trigger configuration overview page.

Trigger

Type

Enabled

Action

Source

The index number of this trigger.

The trigger type.

A green check-mark means the trigger is enabled, and a dash means it is disabled.

The index of the action profile associated with this trigger.

The action profile controls what targets

(LED, Digital Out, SNMP traps and/or Logging) to invoke for this alarm trigger.

A list of alarm sources associated with this trigger.

For link alarms, this is a list of port numbers, for a power alarm it is the identifiers for the associated power sensors, etc.

Edit

Click this icon to edit a trigger.

Delete

Click this icon to remove a trigger.

New Trigger

Click this button to create a new alarm trigger. You will be presented to a form where you can configure the new trigger.

548

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

24.2.3

Create a new alarm trigger using the web interface

Menu path: Configuration Alarm Triggers ⇒ New Trigger

When clicking the New Trigger button you will be presented to list of trigger types. Select the trigger type and click next to continue.

Figure 24.7: The trigger type selection page.

When clicking the Next button you will be presented to the New trigger page.

Type

Figure 24.8: The alarm trigger creation page.

The type of alarm trigger.

Continued on next page

© 2015 Westermo Teleindustri AB

549

Westermo OS Management Guide

Version 4.17.1-0

Enabled

Severity Active

Continued from previous page

To enable the trigger - check the box, to disable uncheck the box.

Severity level when active

Severity Inactive

Severity level when inactive

Condition

Controls the condition for triggering (High/low)

Sensors

The sensor source for this trigger

Threshold Rising

The Rising threshold is the higher threshold value for the sensor. When the current sample value is higher than this value, and the last sample was lower than this value, an action is triggered. Valid for none binary sensors such as temperature and SNR.

Threshold Falling

The falling threshold is the lower threshold value for the sensor. When the current sample value is less than this value, and the last sample was greater than this value, an action is triggered. Valid for none binary sensors such as temperature and SNR.

Action

Selects the action for the trigger

Port

The ports on your switch is grouped as on the actual hardware, in slots. To get alarms for a a specific port, check the check-box located underneath the port label.

In the picture above you see ports 1/1, 1/2 and 2/1 are marked as alarm sources for this link alarm trigger.

550

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

24.2.4

Create a new alarm trigger with sensor value

Triggers controlled by an analogue sensor, must be configure with threshold value. E.g. if you want to create a trigger that alarms if the temperature gets above a given temperature, you must set the rising threshold value to the alarm temperature. The falling thresholds may be set to the same value, but by using different thresholds (rising higher than falling) one can avoid receiving multiple events when the temperature fluctuates around the alarm threshold.

Figure 24.9: Example of a temperature trigger.

© 2015 Westermo Teleindustri AB

551

Westermo OS Management Guide

Version 4.17.1-0

24.2.5

Action configuration overview page

Menu path: Configuration Alarm Actions

When entering the Alarm action configuration page you will be presented to a list of all alarm actions configured on your unit, see below.

Figure 24.10: The alarm action configuration overview page.

Action

Targets

The index number of this action.

The targets for this action.

Edit

Click this icon to edit an action.

Delete

Click this icon to remove an action.

New action

Click this button to add a new alarm action. You will be presented to a form where you can configure the new action.

552

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

24.3

Managing Alarms via the CLI

The table below shows alarm management features available via the CLI.

Command Default Section

Configure Alarm Configuration Settings alarm

[no] trigger <<INDEX> | <TYPE>>

[no] enable

[no] <port <PORTLIST> | sensor <SENSORIDLIST> | ring <FRNTINSTANCE> timeout <TIMESPEC>

Enabled

Section 24.3.1

Section 24.3.2

Section 24.3.3

Section 24.3.4

peer <FQDN|IPADDR>

[no] severity <<LEVEL> |

[active <LEVEL>] |

Section 24.3.5

[inactive <LEVEL>]> condition <high|low>

Section 24.3.6

threshold <NUM | [rising <NUM>] | rising 0

Section 24.3.7

[falling <NUM>]>

[no] interval <SECONDS>

[no] number <NUM>

[no] outbound <IFNAME>

[no] action <INDEX> falling 0

3

3

Section 24.3.8

Section 24.3.9

Disabled

Section 24.3.10

1

Section 24.3.11

show types

[no] action <INDEX>

[no] target <[log] [snmp] [led] >

[digout] [reboot] [custom]>

[no] custom <COMMAND>

[no] summary-trap log

Disabled

Section 24.3.12

Section 24.3.13

Section 24.3.14

Section 24.3.15

Section 24.3.16

Alarm Status alarm show

Section 24.3.17

Section 24.3.18

© 2015 Westermo Teleindustri AB

553

Westermo OS Management Guide

Version 4.17.1-0

24.3.1

Managing Alarm Settings

Syntax alarm

Context

Global Configuration

context

Usage Enter the

Alarm Configuration

context.

Use command ”show alarm” to list an overview global alarm settings as well as configured alarm triggers and actions.

Default values Not applicable.

24.3.2

Manage Alarm Triggers

Syntax [no] trigger <<INDEX> | <TYPE>>

Context

Alarm Configuration

context

Usage Enter the

Alarm Trigger Configuration

to create, remove or update an alarm trigger.

ˆ Use ”trigger <TYPE>” to create a new trigger and enter the Trigger context, e.g., ”trigger link-alarm” to create a new link-alarm trigger.

Use ”show types” ( section 24.3.12

) to list supported trigger types.

An index will be assigned to each created index. This index can be used to update or remove the trigger, see items below.

ˆ Use ”trigger <INDEX>” to manage an existing trigger.

ˆ Use ”no trigger <INDEX>” to remove an existing trigger.

Use command ”show trigger” to list configured alarm triggers. This is useful to find the index of a trigger, which is needed to edit or remove an existing trigger, see above.

Default values Not applicable.

Some examples of alarm trigger configurations are given in

sections 24.3.2.1

-

24.3.2.11

. Details of individual alarm trigger configuration settings are given in sections 24.3.3

-

24.3.11

.

554

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

24.3.2.1

Link Alarm Trigger Configuration Example

Syntax trigger link-alarm

Context

Alarm Configuration

context

Usage Create a link-alarm trigger, and enter the

Alarm Trigger Configuration

context for this trigger.

Additional settings for link-alarm triggers are listed below. The only mandatory setting is the list of ports - no link-alarm alarm events will occur until ports are defined.

ˆ Port(s) (mandatory): Define the port or ports this link-alarm trigger is associated with.

ˆ Enable/Disable: By default, the trigger is enabled.

ˆ Severity: By default, active severity is WARNING and inactive severity is NOTIFY.

ˆ Action: By default, the trigger is mapped to the default action profile

(action 1).

Example

example:/#> configure example:/config/#> alarm example:/config/alarm/#> trigger link-alarm

Created trigger 2 example:/config/alarm/trigger-2/#> port 1-2 example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show

Trigger Type Enabled Action Source

==============================================

1 power YES 1 1 2

2 link-alarm YES 1 1 2

Action Targets

===============================================================================

1 snmp log led digout

===============================================================================

Summary alarm traps: Disabled example:/config/alarm/#>

© 2015 Westermo Teleindustri AB

555

Westermo OS Management Guide

Version 4.17.1-0

24.3.2.2

Digital-In Trigger Configuration Example

Syntax trigger digin

Context

Alarm Configuration

context

Usage Create a digital-in trigger, and enter the

Alarm Trigger Configuration

context for this trigger.

Additional settings for digital-in triggers are listed below.

ˆ Sensor: By default, digital-in sensor with ID 1 is used. Use ”show env”

(in Admin Exec context) to list available sensors, see

section 7.3.50

.

ˆ Condition: By default, the alarm condition is set to low. That is, high is considered normal and low is considered an alarm situation.

ˆ Enable/Disable: By default, the trigger is enabled.

ˆ Severity: By default, active severity is WARNING and inactive severity is NOTIFY.

ˆ Action: By default, the trigger is mapped to the default action profile

(action 1).

Example

example:/#> configure example:/config/#> alarm example:/config/alarm/#> trigger digin

Created trigger 2 example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show

Trigger Type Enabled Action Source

==============================================

1 power YES 1 1 2

2 digin YES 1 1

Action Targets

===============================================================================

1 snmp log led digout

===============================================================================

Summary alarm traps: Disabled example:/config/alarm/#>

556

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

24.3.2.3

Power Trigger Configuration Example

Syntax trigger power

Context

Alarm Configuration

context

Usage Create a power trigger, and enter the

Alarm Trigger Configuration context

for this trigger.

Additional settings for power triggers are listed below. The only mandatory setting is the list of power sensors - no power alarm events will occur until power sensors are defined.

ˆ Sensor: WeOS units typically have two power sensors; sensor 1 for DC1 and sensor 2 for DC2. Use ”show env” (in Admin Exec context) to list available sensors, see

section 7.3.50

.

ˆ Enable/Disable: By default, the trigger is enabled.

ˆ Severity: By default, active severity is WARNING and inactive severity is NOTIFY.

ˆ Action: By default, the trigger is mapped to the default action profile

(action 1).

Example

example:/#> configure example:/config/#> alarm example:/config/alarm/#> trigger power

Created trigger 1 example:/config/alarm/trigger-1/#> sensor 1,2 example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show

Trigger Type Enabled Action Source

==============================================

1 power YES 1 1 2

Action Targets

===============================================================================

1 snmp log led digout

===============================================================================

Summary alarm traps: Disabled example:/config/alarm/#>

© 2015 Westermo Teleindustri AB

557

Westermo OS Management Guide

Version 4.17.1-0

24.3.2.4

SNR-Margin Trigger Configuration Example

Note, this setting only applies to units equipped with DSL ports.

Syntax trigger snr-margin

Context

Alarm Configuration

context

Usage Create a SNR-margin trigger, and enter the

Alarm Trigger Configuration

context for this trigger.

Additional settings for SNR-margin triggers are listed below. The only mandatory setting is the list of (DSL) ports - no snr-margin alarm events will occur until (DSL) ports are defined.

ˆ Port(s) (mandatory): Define the port or ports this SNR-margin trigger is associated with.

Note: SNR-margin alarms can only be generated for ports where a connection has been established.

ˆ Alarm threshold: As of WeOS v4.17.1 the SNR-margin falling threshold is set to 3 (dB) by default, and the rising threshold to 6 (dB) by default.

ˆ Enable/Disable: By default, the trigger is enabled.

ˆ Condition: By default, the alarm condition is set to low. That is, high is considered normal and low is considered an alarm situation.

ˆ Severity: By default, active severity is WARNING and inactive severity is NOTIFY.

ˆ Action: By default, the trigger is mapped to the default action profile

(action 1).

In this example an SNR-margin trigger is created for DSL ports 1/1 and 1/2, with falling threshold 4 dB and rising threshold 6 dB.

558

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Example

wolverine:/#> configure wolverine:/config/#> alarm wolverine:/config/alarm/#> trigger snr-margin

Created trigger 2 wolverine:/config/alarm/trigger-2/#> port 1/1-1/2 wolverine:/config/alarm/trigger-2/#> threshold falling 4 rising 6 wolverine:/config/alarm/trigger-2/#> end wolverine:/config/alarm/#> show

Trigger Type Enabled Action Source

==============================================

1 power YES

2 snr-margin YES

1 1 2

1 1/1 1/2

Action Targets

===============================================================================

1 snmp log led digout

===============================================================================

Summary alarm traps: Disabled wolverine:/config/alarm/#>

24.3.2.5

Temperature Trigger Configuration Example

Syntax trigger temperature

Context

Alarm Configuration

context

Usage Create a temperature trigger, and enter the

Alarm Trigger Configuration

context for this trigger.

Additional settings for temperature triggers are listed below. The only mandatory setting is the temperature sensor (or list of sensors) - no temperature alarm events will occur until a sensor is defined.

ˆ Sensor(s): Define the temperature sensor(s) this temperature trigger is associated with (default is temperature sensor is ”1”). Use ”show env”

(in Admin Exec context) to list available sensors, see

section 7.3.50

.

ˆ Alarm threshold: As of WeOS v4.17.1 the temperature falling threshold and rising threshold are both set to 0

C by default.

ˆ Enable/Disable: By default, the trigger is enabled.

ˆ Condition: By default, the alarm condition is set to high. That is, temperatures below the falling threshold are considered normal, and temperatures above the rising threshold is considered an alarm situation.

© 2015 Westermo Teleindustri AB

559

Westermo OS Management Guide

Version 4.17.1-0

ˆ Severity: By default, active severity is WARNING and inactive severity is NOTIFY.

ˆ Action: By default, the trigger is mapped to the default action profile

(action 1).

In this example two temperature triggers are created, one to give alarm if the temperature drops below 10

if the temperature rises above 60

C, and a second trigger to create an alarm

C.

Example

example:/config/alarm/#> trigger temperature example:/config/alarm/trigger-2/#> sensor 1 example:/config/alarm/trigger-2/#> threshold falling -10 rising -5 example:/config/alarm/trigger-2/#> condition low example:/config/alarm/trigger-2/#> end example:/config/alarm/#> trigger temperature example:/config/alarm/trigger-3/#> sensor 1 example:/config/alarm/trigger-3/#> threshold falling 55 rising 60 example:/config/alarm/trigger-3/#> condition high example:/config/alarm/trigger-3/#> end example:/config/alarm/#> show

Trigger Type Enabled Action Source

===============================================================================

1 frnt YES

2 temperature YES

3 temperature YES

1

1

1

1

1

1

Action Targets

===============================================================================

1 snmp log led digout

===============================================================================

Summary alarm traps: Disabled example:/config/alarm/#>

24.3.2.6

FRNT Trigger Configuration Example

An FRNT trigger exists in the factory default configuration.

Thus, when FRNT is enabled, FRNT alarms will be presented on the default alarm targets without requiring the user to create a trigger.

Syntax trigger frnt

Context

Alarm Configuration

context

Usage Create an FRNT trigger, and enter the

Alarm Trigger Configuration

context for this trigger.

560

© 2015 Westermo Teleindustri AB

Westermo OS Management Guide

Version 4.17.1-0

Additional settings for digital-in triggers are listed below.

ˆ Ring: By default, FRNT ring ID 1 is used (as of WeOS v4.17.1 only a single FRNT ring is supported, thus other values are invalid.) Use

”show env” (in Admin Exec context) to list available sensors, see

section 7.3.50

.

ˆ Condition: By default, the alarm condition is set to down (or low). That is, ring status up (high) is considered normal and ring down (low) is considered an alarm situation.

ˆ Enable/Disable: By default, the trigger is enabled.

ˆ Severity: By default, active severity is WARNING and inactive severity is NOTIFY.

ˆ Action: By default, the trigger is mapped to the default action profile

(action 1).

Example

example:/#> configure example:/config/#> alarm example:/config/alarm/#> trigger frnt example:/config/alarm/trigger-2/#> end example:/config/alarm/#> show

Trigger Type Enabled Action Source

===============================================================================

1 power

2 frnt

YES

YES

1

1

1 2

Instance 1

Action Targets

===============================================================================

1 snmp log led digout

===============================================================================

Summary alarm traps: Disabled example:/config/alarm/#>

24.3.2.7

LFF Trigger Configuration Example

Note, this setting only applies to units equipped with SHDSL ports.

Syntax trigger lff

Context

Alarm Configuration

context

Usage Create a Link Fault Forward (LFF) trigger, and enter the

Alarm Trigger

Configuration

context for this trigger.

© 2015 Westermo Teleindustri AB

561

Westermo OS Management Guide

Version 4.17.1-0

Additional settings for LFF triggers are listed below. The only mandatory setting is the list of (SHDSL) ports - no LFF alarm events will occur until

(SHDSL) ports are defined.

ˆ Port(s) (mandatory): Define the port or ports this LFF trigger is associated with.

Note: LFF alarms are generated both when detecting that the remote

SHDSL switch indicated LFF, or when the SHDSL link is down.

ˆ Enable/Disable: By default, the trigger is enabled.

ˆ Condition: By default, the alarm condition is set to low. That is, high

(remote link ”up”) is considered normal and low (remote link ”down”) is considered an alarm situation.

ˆ Severity: By default, active severity is WARNING and inactive severity is NOTIFY.

ˆ Action: By default, the trigger is mapped to the default action profile