Ciena SAOS 6.5.0 software System Software Configuration Guide

Ciena SAOS 6.5.0 software System Software Configuration Guide
Add to My manuals

SAOS is a Service Aware Operating System that provides a consistent foundation for configuring system software on supported Service Delivery Switches. This system software is designed to deliver consistent benefits across all Ethernet deliver, aggregation, and distribution configurations.

advertisement

Assistant Bot

Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.

Ciena SAOS 6.5.0 System Software Configuration Guide | Manualzz

Service Aware Operating System

®

SAOS

System Software Configuration Guide

Software Release 6.5.0

MAN-0157-001 - Revision A

June 2009

Copyright Ciena

®

Corporation

Ciena

®

Confidential and Proprietary

LEGAL NOTICES

THIS DOCUMENT CONTAINS CONFIDENTIAL AND TRADE SECRET INFORMATION OF CIENA CORPORATION

AND ITS RECEIPT OR POSSESSION DOES NOT CONVEY ANY RIGHTS TO REPRODUCE OR DISCLOSE ITS

CONTENTS, OR TO MANUFACTURE, USE, OR SELL ANYTHING THAT IT MAY DESCRIBE. REPRODUCTION,

DISCLOSURE, OR USE IN WHOLE OR IN PART WITHOUT THE SPECIFIC WRITTEN AUTHORIZATION OF CIENA

CORPORATION IS STRICTLY FORBIDDEN.

EVERY EFFORT HAS BEEN MADE TO ENSURE THAT THE INFORMATION IN THIS DOCUMENT IS COMPLETE

AND ACCURATE AT THE TIME OF PRINTING; HOWEVER, THE INFORMATION CONTAINED IN THIS DOCUMENT

IS SUBJECT TO CHANGE.

Copyright 2009 Ciena Corporation

Unpublished All Rights Reserved

The material contained in this document is also protected by copyright laws of the United States of America and other countries. It may not be reproduced or distributed in any form by any means, altered in any fashion, or stored in a data base or retrieval system, without express written permission of the Ciena Corporation.

Security

Ciena

®

cannot be responsible for unauthorized use of equipment and will not make allowance or credit for unauthorized use or access.

Contacting Ciena

Corporate Headquarters 410-694-5700 or 800-921-1144 www.ciena.com

Customer Technical Support/Warranty

In North America

1-800-CIENA24 (243-6224)

410-865-4961

In Europe, Middle East, and Africa

800-CIENA-24-7 (800-243-6224-7)

+44-207-012-5508

In Asia-Pacific

800-CIENA-24-7 (800-243-6224-7)

+81-3-3248-4743

Sales and General Information 410-694-5700

In North America

In Europe

In Asia

In Latin America

Training and Documentation

E-mail: [email protected]

E-mail: [email protected]

E-mail: [email protected]

410-694-5700 or 800-207-3714

+44-207-012-5500 (UK)

E-mail: [email protected]

E-mail: [email protected]

E-mail: [email protected]

+81-3-3248-4680 (Japan) E-mail: [email protected]

011-5255-1719-0220 (Mexico City) E-mail: [email protected]

Training

Documentation

877-CIENA-TD (243-6283) or

410-865-8996

877-CIENA-TD (243-6283) or 410-694-8125

E-mail: [email protected]

E-mail: [email protected]

For additional office locations and phone numbers, please visit the Ciena web site at www.ciena.com.

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

IMPORTANT: PLEASE READ THIS LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE

INSTALLING OR USING CIENA COMMUNICATIONS, INC. ("Ciena") SOFTWARE, HARDWARE OR

DOCUMENTATION (COLLECTIVELY, THE "EQUIPMENT").

BY INSTALLING OR USING THE EQUIPMENT, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS

AGREEMENT AND AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS.

1. Right to Use License; Restrictions. Subject to these terms, and the payment of all applicable license fees, Ciena grants to you, as end user, a non-exclusive license to use the Ciena software excluding open source components (the

"Software") in object code form solely in connection with, and as embedded within, the Equipment,. You shall have the right to use the Software solely for your own internal use and benefit. You may make one copy of the Software and documentation solely for backup and archival purpose, however you must reproduce and affix all copyright and other proprietary rights notices that appear in or on the original. You may not, without Ciena's prior written consent, (i) sublicense, assign, sell, rent, lend, lease, transfer or otherwise distribute the Software; (ii) grant any rights in the

Software or documentation not expressly authorized herein; (iii) modify the Software nor provide any third person the means to do the same; (iv) create derivative works, translate, disassemble, recompile, reverse engineer or attempt to obtain the source code of the Software in any way; or (v) alter, destroy, or otherwise remove any proprietary notices or labels on or embedded within the Software or documentation. You acknowledge that this license is subject to Section

365 of the U.S. Bankruptcy Code and requires Ciena's consent to any assignment related to a bankruptcy proceeding.

Sole title to the Software and documentation, to any derivative works, and to any associated patents and copyrights, remains with Ciena or its licensors. Ciena reserves to itself and its licensors all rights in the Software and documentation not expressly granted to you. You shall preserve intact any notice of copyright, trademark, logo, legend or other notice of ownership from any original or copies of the Software or documentation. Ciena does not place any restrictions on the open source components that may be distributed along with the Software. Any applicable open source licenses will be distributed to recipient separately.

2. Audit: Upon Ciena's reasonable request, but not more frequently than annually without reasonable cause, you shall permit Ciena to audit the use of the Software at such times as may be mutually agreed upon to ensure compliance with this Agreement.

3. Confidentiality. You agree that you will receive confidential or proprietary information ("Confidential Information") in connection with the purchase, deployment and use of the Equipment. You will not disclose Confidential Information to any third party without prior written consent of Ciena, will use it only for purposes for which it was disclosed, use your best efforts to prevent and protect the contents of the Software from unauthorized disclosure or use, and must treat it with the same degree of care as you do your own similar information, but with no less than reasonable care. You acknowledge that the design and structure of the Software constitute trade secrets and/or copyrighted materials of

Ciena and agree that the Equipment is Confidential Information for purposes of this Agreement.

4. U.S. Government Use. The Software is provided to the Government only with restricted rights and limited rights.

Use, duplication, or disclosure by the Government is subject to restrictions set forth in FAR Sections 52-227-14 and

52-227-19 or DFARS Section 52.227-7013(C)(1)(ii), as applicable.The Equipment and any accompanying technical data (collectively "Materials") are commercial within the meaning of applicable Federal acquisition regulations. These

Materials were developed fully at private expense. U.S. Government use of the Materials is restricted by this

Agreement, and all other U.S. Government use is prohibited. In accordance with FAR 12.212 and DFAR Supplement

227.7202, software delivered to you is commercial computer software and the use of that software is further restricted by this Agreement.

5. Term of License. This license is effective until terminated. Customer may terminate this license at any time by giving written notice to Ciena and destroying or erasing all copies of Software including any documentation. Ciena may terminate this Agreement and your license to the Software immediately by giving you written notice of termination in the event that either (i) you breach any term or condition of this Agreement or (ii) you are wound up other than voluntarily for the purposes of amalgamation or reorganization, have a receiver appointed or enter into liquidation or bankruptcy or analogous process in your home country. Termination shall be without prejudice to any other rights or remedies Ciena may have. In the event of any termination Customer will have no right to keep or use the Software or any copy of the Software for any purpose and Customer shall destroy and erase all copies of such Software in its possession or control, and forward written certification to Ciena that all such copies of Software have been destroyed or erased.

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

6. Compliance with laws. You agree to comply with all applicable laws, including all import regulations, and to obtain all required licenses and permits related to installation and use of Equipment. Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import Software.

7. Limitation of Liability. ANY LIABILITY OF Ciena SHALL BE LIMITED IN THE AGGREGATE TO THE AMOUNTS

PAID BY YOU FOR THE SOFTWARE. THIS LIMITATION APPLIES TO ALL CAUSES OF ACTION, INCLUDING

WITHOUT LIMITATION BREACH OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, STRICT LIABILITY,

MISREPRESENTATION AND OTHER TORTS. THE LIMITATIONS OF LIABILITY DESCRIBED IN THIS SECTION

ALSO APPLY TO ANY THIRD-PARTY SUPPLIER OF Ciena. NEITHER Ciena NOR ANY OF ITS THIRD-PARTY

SUPPLIERS SHALL BE LIABLE FOR ANY INJURY, LOSS OR DAMAGE, WHETHER INDIRECT, SPECIAL,

INCIDENTAL OR CONSEQUENTIAL INCLUDING WITHOUT LIMITATION ANY LOST PROFITS, CONTRACTS,

DATA OR PROGRAMS, AND THE COST OF RECOVERING SUCH DATA OR PROGRAMS, EVEN IF INFORMED

OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

8. General. Ciena may assign this Agreement to any Ciena affiliate or to a purchaser of the intellectual property rights in the Software, but otherwise neither this Agreement nor any rights hereunder may be assigned nor duties delegated by either party, and any attempt to do so will be void.This Agreement shall be governed by the laws of the State of

Maryland (without regard to the conflict of laws provisions) and shall be enforceable in the courts of Maryland. The

U.N. Convention on Contracts for the International Sale of Goods shall not apply hereto. This Agreement constitutes the complete and exclusive statement of agreement between the parties relating to the license for the Software and supersedes all proposals, communications, purchase orders, and prior agreements, verbal or written, between the parties. If any portion hereof is found to be void or unenforceable, the remaining provisions shall remain in full force and effect. The source code for open source components distributed to an end user is available upon request.

Rev. May 14, 2009

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

In accordance with our policy to continually enhance the Ciena Corporation family of products, the specifications and information contained in this guide are subject to change at anytime without notice. All statements, information, and recommendations in this guide are believed to be accurate but are presented without warranty of any kind, expressed or implied. Ciena Corporation will not be liable for any damages of any kind arising from the use of this guide, including but not limited to direct, indirect, incidental punitive, and consequential damages. Users must take full responsibility for the application of the products.

This guide contains information protected by copyright. No part of this publication may be photocopied or reproduced in any form without prior written consent from Ciena

Corporation.

The software provided with Ciena Corporation hardware and described in this guide is furnished under and is subject to a license and nondisclosure agreement.

Ethernet to the Subscriber, Fiber to the Subscriber, True Carrier Ethernet, and Ciena are all trademarks of Ciena Corporation.

Other specific product names mentioned herein are trademarks of their respective companies.

System Software Configuration Guide 6.5.0

Document Number: MAN-0157-001

Publication Date: June 2009

© 2009 Ciena Corporation

All Rights Reserved

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

Copyright and Trademark Guidelines

These copyright and trademark guidelines provide information concerning the proper usage and protection of Ciena Corporation trademarks, registered trademarks, service marks, registered service marks, tradenames, and/or registered tradenames.

Copyright

All content in this guide, including words, names, text, graphics, symbols, logos, icons, images, devices, and/or software, is the property of Ciena Corporation or its content suppliers and is protected by U.S. and international copyright laws. The compilation

(meaning the collection, arrangement, and assembly) of all content in this guide is the exclusive property of Ciena Corporation and is protected by U.S. and international copyright laws. All software mentioned in this guide is the property Ciena Corporation or its software suppliers and protected by U.S. and international copyright laws. The content in this guide may be used as a resource. Any other use, including the reproduction, modification, distribution, transmission, republication, display, or performance, of the content in this guide is strictly prohibited.

Trademarks

Ciena Corporation trademarks may not be used in connection with any product or service that does not belong to Ciena Corporation. Furthermore, Ciena Corporation trademarks may not be used in any manner that is likely to cause confusion among customers or in such a way that it disparages or discredits Ciena Corporation.

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

Definitions

A trademark is often categorized as a word, name, text, graphic, symbol, logo, icon, image, device, and/or software or any combination used by a corporation to identify their products and distinguish those products from other corporations.

A service mark is typically used to identify a corporation’s services rather than tangible products.

A tradename is commonly used as the name of a corporation or an abbreviation of that name under which normal business activity is conducted. Some tradenames might be used in more than one category; therefore, it is important that the reader be aware of the context for which the tradename is used.

Categories

Trademarks, service marks, and tradenames generally fall into two categories:

1.

Those that are registered with the United States Patent and Trademark

Office

1

(USPTO).

2.

Those that are being used, but have not yet completed the registration process.

Both categories are protected, although those that are registered provide visible notice of the corporation’s rights and stronger enforcement provisions.

The registration process may take a long period of time before it is finalized, thus pending trademarks, service marks, and tradenames may be in use by the corporation.

Trademarks, service marks, and tradenames must be used with the first mention or most prominent appearance in a publication, but need not be used with each subsequent appearance. If there are multiple uses of trademarks, service marks, and tradenames throughout the publication, an explanatory note on the cover sheet is sufficient.

1. Full information regarding the United States Patent and Trademark Office (USPTO) may be found online at http://www.uspto.gov

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

ISO Compliance

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

Important Safety Information

WARNING: This equipment is to be installed and maintained by qualified service personnel only. Refer to the Regulatory Compliance and Safety appendix of the User Guide for additional safety information.

AVERTISSEMENT: Cet équipement doit être installé et entretenu uniquement par un personnel de service qualifié.

WARNUNG: Dieses Gerät darf nur von qualifiziertem Wartungspersonal installiert und gewartet werden.

UPOZORNENIE: Toto zariadenie môže inštalova″ a vykonáva″ na òom údržbu len kvalifikovaný servisný personál.

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

Service Aware Operating System SAOS

Copyright Ciena® Corporation

MAN-0157-001 - Revision A

June 2009

Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 2: Chassis Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Enabling the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Configuring the Serial Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Configuring the Remote Management Interface . . . . . . . . . . . . . . . . . . . . .10

Configuring the Local Management Interface . . . . . . . . . . . . . . . . . . . . . .11

Chapter 3: Managing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Accessing the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Managing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Configuring Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Managing Software License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Configuring DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

Configuring NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

SSHv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

SFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

Customizing the System Shell. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

Retrieving System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

Chapter 4: VLAN Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

VLANs and Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

Behavior Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

VLAN/Port Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

Port Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

Port Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

Chapter 5: Configuring CPU Rate Limiting. . . . . . . . . . . . . . . . . . . . . . . . . 63

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68

Chapter 6: Configuring IEEE 802.1x Security. . . . . . . . . . . . . . . . . . . . . . . 71

802.1x Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71

Deployment Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73

Using 802.1x with LACP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74

Configuring 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74

Using 802.1x to Authenticate a PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

Troubleshooting 802.1x Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Chapter 7: Link Aggregation and LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

Link Aggregation Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

Manual Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

LACP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

System Software Configuration Guide 6.5.0

i

ii

Configuring Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Chapter 8: Monitoring System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Environmental Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

Monitoring Temperature and Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

Monitoring Power Supply Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90

Monitoring Power On Self Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91

Managing Device Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92

Displaying Device Identification Attributes . . . . . . . . . . . . . . . . . . . . . . . .93

Displaying Platform Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93

Displaying the Chassis MAC address . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

Chapter 9: OAM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95

Principles of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95

Feature Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Configuring OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Chapter 10: Configuring and Identifying Transceivers . . . . . . . . . . . . . . . 103

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Displaying Transceiver Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Determining Transceiver Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Disabling and Enabling Transceivers . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Setting the Port Connector Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Chapter 11: Port State Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Principles of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Feature Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Bi-directional Port State Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Configuring Port State Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Chapter 12: Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Service Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

IP Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Chapter 13: Configuring Broadcast Containment . . . . . . . . . . . . . . . . . . . 133

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Configuring Broadcast Containment. . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Chapter 14: Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Ingress Resolved COS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Traffic Profiling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Ingress R-CoS to Egress CoS Queue Mapping . . . . . . . . . . . . . . . . . . . . . . 151

Congestion Avoidance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Egress Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

System Software Configuration Guide 6.5.0

Egress Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Configuring Frame Bandwidth Calculation . . . . . . . . . . . . . . . . . . . . . . . 160

Chapter 15: Configuring Multicast Services . . . . . . . . . . . . . . . . . . . . . . . 161

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

IGMP Snooping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Unknown Multicast Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Configuring Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Chapter 16: Layer 2 VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Principles of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Q-in-Q Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Ethernet Virtual Private Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Ethernet Private Line/LAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

EVPL Bundling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Chapter 17: Configuring Connectivity Fault Management . . . . . . . . . . . . . 189

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Maintenance Association Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Configuring CFM Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Configuring CFM Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Configuring MEPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Configuring Remote MEPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Configuring MIPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Configuring CFM Services for a VLAN Service . . . . . . . . . . . . . . . . . . . . . . 221

Configuring CFM Services for a Virtual Switch . . . . . . . . . . . . . . . . . . . . . 222

CFM Over Q-in-Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Chapter 18: Configuring L2 Control Frame Tunneling. . . . . . . . . . . . . . . . 235

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Chapter 19: Configuring TWAMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Configuring TWAMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Chapter 20: Configuring MSTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Chapter 21: Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Principles of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Flash Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

RAM Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

System Software Configuration Guide 6.5.0

iii

iv

Command Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

Chapter 22: Configuring SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Configuring Global Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Configuring SNMPv1/v2c Community Based Security . . . . . . . . . . . . . . . . . 321

Configuring Port Traps and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Configuring SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Configuring RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Chapter 23: Provider Backbone Transport . . . . . . . . . . . . . . . . . . . . . . . 341

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Connectivity Fault Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Chapter 24: Link Layer Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . 359

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Principles of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Feature Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Configuring Link Layer Discovery Protocol . . . . . . . . . . . . . . . . . . . . . . . 363

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Chapter 25: System Software Management . . . . . . . . . . . . . . . . . . . . . . . 367

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Network connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Release Compatibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Preparing Files for Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368

Upgrading from a Previous Version of SAOS. . . . . . . . . . . . . . . . . . . . . . . 372

Backup Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Appendix A: Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Accessing the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Navigating the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

Deprecated Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Protocol/Manager Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Internet Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

E-mail Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

Telephone and Fax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

Mailing Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

Glossary

System Software Configuration Guide 6.5.0

Chapter

Introduction

• • • • • •

1

At a Glance:

Intended Audience

Overview

Structure

Document Conventions

This manual describes how to configure system software on the supported Service

Delivery Switches. This system software is based on a common Service Aware Operating

System (SAOS) code base designed to deliver consistent benefits across all Ethernet deliver, aggregation, and distribution configurations. This system software cannot be installed on other Service Delivery Switches, Service Concentration Switches or Service

Aggregation Switches.

Intended Audience

This publication is intended for users, such as network technicians and system administrators, who will configure system software. It assumes that the intended user(s) possess basic knowledge of, but not limited to:

Proper Hardware Installation

• Proper Hardware Diagnostics

Ethernet Concepts

• IEEE 802 Standards

Open Systems Interconnection (OSI) Seven Layer Model

• Optical Fiber Distribution and Monitoring

Local Area Networks (LAN)

• Virtual Local Area Networks (VLAN)

Overview

This manual provides information and examples for use in configuring system software on any platform that it is installed. It includes an explanation of the key features supported by the devices and provides example configurations for these features. Although these examples are useful in configuration, they are not meant to be used as a configuration template.

System Software Configuration Guide 6.5.0

1

I

NTRODUCTION

Structure

Structure

In addition to this Introduction, this manual includes the following chapters:

Chapter 2 Chassis Setup

Provides details for enabling the Service Delivery Switch and setting up interfaces.

Chapter 3 Managing Configuration

• Describes various tools for accessing the system and managing its configuration.

Chapter 4 VLAN Management

Instructs how to configure VLANs and the ports associated with them.

Chapter 5 Configuring CPU Rate Limiting

• Explains the purpose and configuration of Central Processing Unit (CPU) rate limiting.

Chapter 6 Configuring IEEE 802.1x Security

Discusses IEEE 802.1x security.

Chapter 7 Link Aggregation and LACP

• Discusses the differences between Link Aggregation and LACP. It also explains how to configure them.

Chapter 8 Monitoring System Status

• Explains how to monitor system components, including temperature, power, and device archive information.

Chapter 9 OAM

• Explains how to configure Operations, Administrations, and Maintenance (OAM).

Chapter 10 Configuring and Identifying Transceivers

Explains the compliance, identification, and diagnostics requirements for transceivers.

Instructs how to display vendor, diagnostic, and speed information.

Chapter 11 Port State Mirroring

Explains Port State Mirroring groups and how to configure them.

Chapter 12 Security

• Describes methods for preventing unauthorized access to network resources and services.

Chapter 13 Configuring Broadcast Containment

• Describes how to prevent disruption of services from broadcast storms using broadcast containment.

Chapter 14 Quality of Service

• Describes the features for managing network resources.

Chapter 15 Configuring Multicast Services

Describes the operation and configuration of multicast services.

2 System Software Configuration Guide 6.5.0

I

NTRODUCTION

Structure

Chapter 16 Layer 2 VPNs

Details the operation and configuration of Virtual Private Networks (VPNs).

Chapter 17 Configuring Connectivity Fault Management

• Describes the configuration of Connectivity Fault Management (CFM) the operation and configuration of Virtual Private Networks (VPNs).

Chapter 18 Configuring L2 Control Frame Tunneling

• Describes configure the treatment of Layer 2 (L2) control frames.

Chapter 19 Configuring TWAMP

Describes the implementation and configuration of Two-Way Active Measurement

Protocol (TWAMP) for bi-directional IP performance testing.

Chapter 20 Configuring MSTP

Explains the implementation of the Multiple Spanning Tree Protocol (MSTP).

Chapter 21 Event Logging

• Explains how to configure filters for managing system event logs and display log files.

Chapter 22 Configuring SNMP

Describes the operation and configuration of Simple Network Management Protocol

(SNMP) and remote monitoring (RMON) tools.

Chapter 23 Provider Backbone Transport

Details the implementation of Provider Backbone Transport (PBT) in the core of a Ciena network.

Chapter 24 Link Layer Discovery Protocol

Provides an overview of the Link Layer Discovery Protocol (LLDP) and describes how to configure 802.1AB LLDP on devices running SAOS.

Chapter 25 System Software Management

Instructs how to upgrade and downgrade software.

Command Line Interface

• Describes how to access and navigate the CLI and provides an alphabetical lists of global (industry standard) commands and protocol/manager commands.

Service and Support

• Provides contact information for product support.

Glossary

Defines various networking terms.

System Software Configuration Guide 6.5.0

3

I

NTRODUCTION

Document Conventions

Document Conventions

This section describes content, style, and usage conventions that outline specific categories of information throughout this manual.

Symbols

Symbols denote text that requires special attention. The information contained alongside a symbol corresponds to one of three levels:

WARNING: This symbol is used to highlight information so the user can avoid personal injury.

CAUTION: This symbol is used to highlight information so the user can avoid equipment damage or data loss.

NOTE: This symbol is used to highlight additional information.

4 System Software Configuration Guide 6.5.0

I

NTRODUCTION

Document Conventions

Understanding Command Syntax

A variety of symbols are used to indicate CLI command syntax. These symbols describe how to enter a command. They are not entered as part of the command itself.

Table 1-1, in this chapter summarizes command syntax symbols.

Table 1-1: SAOS Command Syntax Symbols

Symbol

< >

Description

Encloses a variable or literal value that must be specified. Some examples include:

{ }

|

[ ]

{[], [], []}

...

* server <IpHost> priority <NUMBER: 1-7> dns <on|off> description <String[31]>

For server <IpHost>

, the attribute could be entered as server

10.10.11.100

or server www.ciena.com

. With priority

<NUMBER: 1-7>

the text within <> indicates that 1 - 7 are valid values. In the example of dns <on|off>, either the literal value of on or off is valid, such as dns on

. For description <String[31]>

, any string of up to 31 characters is entered.

Encloses a required value or list of required arguments. One or more values or arguments can be specified. For example, in the syntax: module create {slot <SlotListAll>} {model <3000-

2P10L1|3000-24PLM1>} [description <String [1-32]>]

The slot and module are required. The description is optional.

Separates mutually exclusive items in a list, only one of which can be entered.

For example, in the syntax: dhcp client options set subnet <on|off> either on or off must be specified, for example: dhcp client options set subnet on

Encloses an optional value or a list of optional arguments. One or more values or arguments can be specified. For example, in the syntax: arp show [interface <Interface>] you can enter a value for interface <Interface>

or not for example: arp show

Specifies a list of optional items where at least one must be specified.

Indicates the example has been abbreviated and that the actual display contains more information.

Indicates zero or more occurrences of what is preceding.

System Software Configuration Guide 6.5.0

5

I

NTRODUCTION

Document Conventions

6 System Software Configuration Guide 6.5.0

Chapter

Chassis Setup

• • • • • •

2

At a Glance:

Enabling the Switch

Configuring the Serial Console Port

Configuring the Remote

Management Interface

Configuring the Local Management

Interface

This chapter provides information on setting up switches so that they can be enabled for configuration over an IP connection.

Enabling the Switch

Switches can be enabled for configuration using either of the following methods:

Enabling the switch manually

Enabling the switch using Dynamic Host Configuration Protocol (DHCP)

Enabling the Switch Manually

Follow these steps to enable the switch manually:

1. Ensure that the chassis is properly mounted, grounded, and installed.

2. Power on the switch.

3. Connect a terminal or PC running terminal emulation software to the serial console port using an RJ-45 cable.

4. Configure the connected terminal with the following settings:

Character size = 8

Parity = None

Stop Bit = 1

Baud Rate = 9600 bps

Control = None

5. Enter the default user name and password:

username = su

password = wwp

6. The switch is now ready for manual configuration.

System Software Configuration Guide 6.5.0

7

C

HASSIS

S

ETUP

Enabling the Switch

Enabling the Switch using DHCP

DHCP is enabled on the remote interface for all devices by default. Devices with a local interface also support DHCP on the local interface. Follow these steps to enable the switch using DHCP:

1. Ensure that the chassis is properly mounted, grounded, and installed.

2. Power on the switch.

3. Connect a terminal or PC running terminal emulation software to the serial console port using an RJ-45 cable.

4. Configure the connected terminal with the following settings:

Character size = 8

• Parity = None

Stop Bit = 1

• Baud Rate = 9600 bps

Control = None

5. Enter the default user name and password:

username = su password = wwp

6. Enable DHCP using the dhcp client enable command.

7. Enter config save to complete the process. The switch is now ready for DHCP configuration.

8 System Software Configuration Guide 6.5.0

C

HASSIS

S

ETUP

Configuring the Serial Console Port

Configuring the Serial Console Port

By default, the serial console port is enabled with the following configuration:

Parity = None

• Stop Bit = 1

Baud Rate = 9600 bps

• Flow Control = None

Currently, this configuration cannot be changed, but you can disable, enable, and display the status of the serial console port.

To disable the serial console port:

> interface serial-console disable

To enable the serial console port:

> interface serial-console enable

To display the status of the serial console port:

> interface serial-console show

+----------------serial console---------------+

| Parameter | Value |

+----------------------+----------------------+

| serial login | enabled |

+----------------------+----------------------+

System Software Configuration Guide 6.5.0

9

C

HASSIS

S

ETUP

Configuring the Remote Management Interface

Configuring the Remote Management Interface

The factory default IP address is 0.0.0.0 with subnet 0.0.0.0 for the remote interface.

These values will be entered if the system is reset to factory defaults. You can modify the remote management interface, including:

• IP address.

Subnet mask.

• Management VLAN.

Gateway.

NOTE: The default priority for the remote management interface defaults to 7, and it is not configurable.

NOTE: The local and remote management interfaces cannot be configured to the same IP subnet.

To modify the remote management interface configuration:

interface remote set {[ip <IpAddress>], [subnet <SubnetMask>], [vlan <Vlan>], [gateway

<IpAddress>}

To disable the remote management interface:

> interface remote disable

To enable the remote management interface:

> interface remote enable

To display the remote management interface configuration:

> interface remote show

+----------------------------------- remote -----------------------------------+

| Parameter | Operational | User | DHCP |

+----------------------+-------------------+-----------------+-----------------+

| IP Address | 172.26.0.26 | 0.0.0.0 | 172.26.0.26 |

| Subnet Mask | 255.255.0.0 | 0.0.0.0 | 0.0.0.0 |

+----------------------+-------------------+-----------------+-----------------+

| Index | 2 | | |

| Admin State | Enabled | | |

| Oper State | Enabled | | |

| Broadcast Address | 172.26.255.255 | | |

| MAC Address | 00:02:a1:07:a4:a0 | | |

| VLAN | 127 | | |

| Priority | 7 | | |

| MTU | 1500 | | |

+----------------------+-------------------+-----------------+-----------------+

10 System Software Configuration Guide 6.5.0

C

HASSIS

S

ETUP

Configuring the Local Management Interface

Configuring the Local Management Interface

The local management interface accepts untagged packets only; all tagged packets are dropped. The factory default IP address is 172.16.233.214 with subnet 255.255.255.0 for the local interface. You can configure the local management interface settings via

DHCP or directly, including:

• IP address.

Subnet mask.

NOTE: The CN 3911 does not support the local management interface.

NOTE: The local and remote management interfaces cannot be configured to the same IP subnet.

To modify the local management interface configuration:

interface local set {[ip <IpAddress>], [subnet <SubnetMask>]}

To disable the local management interface:

> interface local disable

To enable the local management interface:

> interface local enable

To display the local management interface configuration:

> interface local show

+----------------------------------- local -----------------------------------+

| Parameter | Operational | User | DHCP |

+----------------------+-------------------+-----------------+-----------------+

| IP Address | 10.10.120.165 | 172.16.233.214 | 10.10.120.165 |

| Subnet Mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |

+----------------------+-------------------+-----------------+-----------------+

| Index | 3 | | |

| Admin State | Enabled | | |

| Oper State | Enabled | | |

| Broadcast Address | 10.10.120.255 | | |

| MAC Address | 00:02:a1:07:ef:1e | | |

| VLAN | 0 | | |

| Priority | 0 | | |

| MTU | 1500 | | |

+----------------------+-------------------+-----------------+-----------------+

System Software Configuration Guide 6.5.0

11

C

HASSIS

S

ETUP

Configuring the Local Management Interface

12 System Software Configuration Guide 6.5.0

Chapter

Managing Configuration

• • • • • •

3

At a Glance:

Overview

Access Levels

Accessing the CLI

Managing Configuration Files

Managing Software License Keys

Configuring DHCP

Configuring NTP

DNS

SSHv2

SFTP

Customizing the System Shell

Retrieving System Information

This chapter provides explanations for implementing the basic switch set up and describes the various options available to configure it.

Overview

The purpose of this chapter is to present the different tools for managing a Ciena switch.

Following these guidelines will help to streamline network operations by installing and managing the device in the network and help to simplify the troubleshooting process.

Access Levels

When a user account is created, it is assigned an access level. The CLI provides three access levels, including:

Limited User (lu) - able to execute commands that do not change the state of the system in a significant way or change the configuration of the device.

Super User (su) - includes all the privileges of the limited user and can make significant system state changes, modify the device configuration, and perform execute commands including creating user accounts.

The CLI provides two default user names/passwords:

User Name Access Level Password Access Rights

user Limited User <empty> Read-Only

System Software Configuration Guide 6.5.0

13

M

ANAGING

C

ONFIGURATION

Accessing the CLI

Accessing the CLI

To access CLI commands, a session must first be established with the device by establishing a Telnet session or through direct connection to the serial console port.

NOTE: A maximum of 6 Telnet sessions can be connected at the same time.

Accessing the CLI Using Telnet

To access the device through Telnet, the device must have an IP address, the Telnet client must have a route set up to allow access to the device, and the user must have a valid user name and password to log into the system.

To access the CLI using Telnet:

1. Determine the IP address for the device.

2. Obtain a valid user name and logon password.

3. Configure default gateway setup to access the device.

4. Use a Telnet client to connect to the device.

5. At the logon prompt, enter a user name and then a password to access the prompt, for example:

CN 3920 00:02:A1:07:B0:80

SAOS is True Carrier Ethernet TM software.

CN 3920 login: su

Password:

SAOS is True Carrier Ethernet TM software.

Welcome to the shell.

Accessing the CLI Using the Serial Console Port

By default, the serial console port is enabled.

1. Connect a terminal or PC running terminal emulation software to the serial console port using an RJ-45 cable.

2. Configure the connected terminal with the following settings:

• Character size = 8

Parity = None

• Stop Bit = 1

Baud Rate = 9600 bps

• Control = None

3. At the logon prompt, enter a user name and then a password to access the prompt.

14 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Managing Configuration Files

Managing Configuration Files

A device can store multiple device configuration files at one time. However, only one configuration file can be active at a time. By default, configuration information is saved to a file called startup-config. the startup-config file is also the default load file. The parameters defined in startup-config are applied when the device reboots

(unless an alternate file is specified). The current configurations on a device are not saved to a configuration file unless specifically saved. This includes configuration changes made using the CLI. If a device is rebooted without saving the configuration, all changes will be lost.

In order to permanently save configuration changes, you must save the current device configurations to a configuration file. To save the current configuration, use the configuration save

command. If you do not specify a file name, the current configuration is written to the default configuration file, startup-config. To save configuration to the default configuration file:

> configuration save

You can use the configuration save command to save the current configuration to an alternate file. To save configuration to an alternate file:

> configuration save filename <FileName>

By saving alternate versions of command files, you can store multiple configuration files for running different configurations of the system. For example, you can save configuration to an alternate file as a backup to restore to a previous configuration or you can store a configuration file for configuring another device of the same family. To activate an alternate command file, use the configuration reset-to-user-config command:

> configuration reset-to-user-config filename <FileName>

You can set alternate configuration files as the default save file so that when a configuration save is performed, the changes will be saved to the alternate configuration file. For example:

> configuration set default-save-filename <FileName>

When the device is rebooted, it will load the default-load file, which may or may not be the same file. However, when the device is rebooted it will load the startup-config file.

To set the alternate command file as the default load file:

> configuration set default-load-filename <FileName>

To display the default save and load files, use the configuration list command:

> configuration list

+-----------------------------------------------------------------------------+

| Configuration Files |

+-----------------------------------------------------------------------------+

| startup-config |

| test |

+-----------------------------------------------------------------------------+

| Default Save File: test |

| Default Load File: test |

+-----------------------------------------------------------------------------+

Configuration files are stored in the /mnt/sysfs/config/ directory. You can delete configuration files from that directory using the rm command.

> rm /mnt/sysfs/config/<FileName>

System Software Configuration Guide 6.5.0

15

M

ANAGING

C

ONFIGURATION

Managing Configuration Files

Configuration File Format

When you save the configuration, each configuration command you have run during the session is written to the configuration file. The commands are saved in different sections based upon the feature and software manager process. You can display the entire configuration file or filter based on the software manager process. Alternately, you can search for a keyword and only display the lines in the configuration containing those keywords.

To display the entire configuration file:

> configuration show

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! NETWORK CONFIG: vlans

!

vlan create vlan 100,200

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! CHASSIS CONFIG:

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! SYSTEM CONFIG:

!

system set host-name MyHostName

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! INTERFACE CONFIG:

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! PORT CONFIG: ports

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! NETWORK CONFIG: vlan members and attributes

!

vlan remove vlan 127 port 1 vlan remove vlan 127 port 2 vlan remove vlan 127 port 3 vlan remove vlan 127 port 4 vlan remove vlan 127 port 5 vlan remove vlan 127 port 6 vlan remove vlan 127 port 7 vlan remove vlan 127 port 8

!

!

port set port 1 acceptable-frame-type all port set port 2 acceptable-frame-type all port set port 3 acceptable-frame-type all port set port 4 acceptable-frame-type all port set port 5 acceptable-frame-type all port set port 6 acceptable-frame-type all port set port 7 acceptable-frame-type all port set port 8 acceptable-frame-type all port set port 10 acceptable-frame-type all

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! PORT STATE GROUP CONFIG:

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! AGING and LEARNING CONFIG:

!

!

16 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Managing Configuration Files

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! SERVICE ACCESS CONTROL CONFIG:

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! STATIC MAC CONFIG:

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! LLDP CONFIG:

!

!

To display sections of the configuration file for a specific keyword:

configuration search [file <FileName>] [lines <NUMBER: 0-40>] {string <String [255]>}

Example:

> configuration search string aging lines 5

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! AGING and LEARNING CONFIG:

!

flow aging set time 1800

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! STATIC MAC CONFIG:

!

!

To manually edit a configuration file:

You can transfer a configuration file to a TFTP server, edit it manually, and then transfer it back to the device. When manually editing files, it is recommended that you follow these guidelines:

Start with a system created configuration file. Creating a configuration file from scratch can cause unexpected results.

Always use a plain text editor rather than a word processing program.

• Preface lines with an exclamation point (!) to add user comments.

Do not modify any system generated lines, as it may cause syntax errors. This rule applies even to system generated comments, such as the header information and section delimiters, such as:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! EXAMPLE MANAGER CONFIG:

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

...

These headers are synchronization points for the merge process that occurs upon reboot. If they are modified, the merge process may fail. Usually, this failure results in a loss of user comments.

While the system software attempts to preserve all user comments, it is possible for them to be removed during the merge process.

System Software Configuration Guide 6.5.0

17

M

ANAGING

C

ONFIGURATION

Configuring Telnet

Configuring Telnet

By default, Telnet server is enabled and supports a maximum of 10 simultaneous sessions.

You can configure Telnet to allow up to 9 limited users, 9 admin users, and 10 super users to log on simultaneously. By default, the maximum number of simultaneous sessions for limited users is 4, admin users is 4, and super users is 5. You can adjust the number of allowed connections per user to ensure proper management and utilization of the device.

To set the maximum number of simultaneous sessions per user access level:

telnet-server set {[max-limited-users <NUMBER:0-9>], [max-super-users <NUMBER:0-10>]}

Example:

> telnet-server set max-limited-users 3 max-super-users 6

To display the configuration and status of active users:

> telnet-server show

+----TELNET GLOBAL CONFIGURATION--+

| Parameter | Value |

+-------------------+--------------+

| Server | enable |

| Max Limited User | 5 |

| Max Super User | 5 |

| Max System Logins | 10 |

+-------------------+--------------+

+--------TELNET GLOBAL STATUS--------+

| Attribute | Value |

+----------------------+-------------+

| Active Limited Users | 0 |

| Active Super Users | 1 |

+----------------------+-------------+

To disable Telnet:

> telnet-server disable

To enable Telnet:

> telnet-server enable

In addition to the Telnet server, devices support a Telnet client for establishing Telnet connections to other Telnet servers specified by a host name or IP address. Optionally, you can log in with the specified user. If left unspecified, the remote system prompts for the user name. Also, you can specify a TCP port other than the default, 23.

To run the Telnet client:

telnet [-l <UserName>] {<IpAddress>} [<port>]

18 System Software Configuration Guide 6.5.0

Example:

> telnet 10.10.121.19

Entering character mode

Escape character is '^]'.

3940 00:02:A1:24:0E:30

SAOS is True Carrier Ethernet TM software.

3940 login: su

Password:

SAOS is True Carrier Ethernet TM software.

Welcome to the shell.

> exit

Goodbye.

>

M

ANAGING

C

ONFIGURATION

Configuring Telnet

System Software Configuration Guide 6.5.0

19

M

ANAGING

C

ONFIGURATION

Managing Software License Keys

Managing Software License Keys

A license is a permit to use a premium feature. A license is considered installed or uninstalled based on the presence of one or more license keys. SAOS comes with the base features with no licensing and premium features that require advanced feature licensing.

SAOS software supports premium features that require an installed license. A premium feature may consist of a portion of an existing feature, or it may consist of multiple features. Contact your Ciena Sales Rep to obtain advanced feature licensing.

The following software license keys are available:

• PBB-TE (not available on the CN 3911 and CN 3920 platforms)

Advanced Security

• Advanced Ethernet (AE)

Advanced OAM (AOAM)

Base features are available with no additional license required, as shown in Table 3-2.

A license key is a data object generated by the Ciena license administrator and installed by an operator. A license key is intended to be used in a single module within a specific chassis. License keys are encrypted and contain no human readable information.

When displaying the status of licenses, a premium feature license shows one of the following statuses:

• Not Installed. Also referred to as an invalid license. This means that none of the operationally enabled modules has a key installed for this license.

• Installed. Also referred to as a valid license. This means that all of the operationally enabled modules have a key installed for this license and all conditional requirements

(described in separate requirements) for such license installation have been satisfied.

Partial License. This means that one or more, but not all, operationally enabled modules have a key installed for this license.

20 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Managing Software License Keys

Table 3-2 provides a list of features and software license requirements.

Table 3-1: Software License Details

Premium Feature Description

802.1ad Provider Backbone Bridging (not available on the CN 3911 and CN 3920 platforms)

Software License Required

PBB-TE

Broadcast Containment

Configurable per-port RED Egress Queuing

Configurable Metering Burst Size

Configurable L2 Frame Bandwidth Calculation

EPL Ethernet Private Line and LAN

EVPL Ethernet Virtual Private Line

IGMP Groups - max 128 without a license

Layer-2 Control Frame Tunneling (L2CFT)

802.1x LACP

MAC table size - max 4,000 without a license, 16,000 with a license

(32000 on the CN 3960)

Multicast

Traffic Profiling

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

• Per port QoS with CIR/EIR per Port

Per-port-per-vlan QoS with CIR/EIR per VLAN

• Ingress CoS Classification 802.1p/.1D

Ingress CoS Classification IPP, DSCP, Ingress Port ID

L2 Priority mapping from IP DSCP/TOS

IP DSCP/TOS mapping from L2 Priority

• Traffic Profile on Port/CVID/CPRI

Named Traffic Profiles

Non-conforming ARP Discard Mode

Port State Mirror Groups

MSTP

Statistics

VLAN create/delete (max 500 VLANs without an AE license max 4094 with a license)

802.3ah EFM (EOAM)

CFM

NTP Hardware Timestamping

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced Ethernet

Advanced OAM

Advanced OAM

Advanced OAM

System Software Configuration Guide 6.5.0

21

M

ANAGING

C

ONFIGURATION

Managing Software License Keys

Hardware-assisted TWAMP

Full TWAMP Responder

TWAMP Sender

Y.1731

SFTP

SNMPv3

SSHv2

TACACS+

Base Feature Description

DHCP

DNS

Dying Gasp

Eight CoS Queues with Default CoS Mapping

Full VLAN Range per Port

Line Rate Switching

MAC Learning and Aging

NTP

RADIUS

RMON

Strict Priority Scheduling

Advanced OAM

Advanced OAM

Advanced OAM

Advanced OAM

Advanced Security

Advanced Security

Advanced Security

Advanced Security

No license required

No license required

No license required

No license required

No license required

No license required

No license required

No license required

No license required

No license required

No license required

To install a license key:

software license install

Example:

> software license install license-key W1SSH2D3E4FGH5

One or more license keys can be stored in a single license file. There is no restriction on the number of keys stored in a license file.

To install license keys from a file:

software license install

Example:

> software license install file license.txt server 172.16.172.100

WORKING: downloading file remote license.txt local /tmp/temp2

22 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Configuring DHCP

To install a license key with the device’s XML boot files:

The device will look for the license file tag in the XML file and it will download and process all licenses specified in the license file. A sample XML file is shown below.

<XmlWwpCommandFile>

<XmlCmdPlatformClass name="CN3911"

version="saos-%VERSION%"

operation="upgrade"

serviceAffecting="yes">

</XmlCmdPlatformClass>

<XmlCmdPlatformClass name="brego"

configFilePath="myFolder/my-config-file.txt"

configFileRule="activate"

welcomeBanner="myBannerFile.txt"

licenseFile="myLicenseFile.txt"

<SshKeyFile name="user1.pk2"></SshKeyFile>

<SshKeyFile name="user2.pk2"></SshKeyFile>

<SshKeyFile name="user3.pk2"></SshKeyFile>

version="saos-%VERSION%"

packagePath="folder1/folder2/folder3"

operation="install"

serviceAffecting="no" >

</XmlCmdPlatformClass>

</XmlWwpCommandFile>

To uninstall a license key:

software license uninstall feature-name <String[32]>

Example:

> software license uninstall security

To display the status of licenses:

> software license show

Configuring DHCP

SAOS supports IETF RFC 2131 Dynamic Host Configuration Protocol (DHCP) client on the active and direct control module interfaces for IP address assignment and other IP configuration through DHCP options. By default, DHCP is enabled on the remote management interface.

NOTE: DHCP can only be enabled on one interface at a given time.

DHCP interfaces to the following protocols and managers

• Software Management

NTP

• Interface Config

SYSLOG

• DNS

ARP

System Software Configuration Guide 6.5.0

23

M

ANAGING

C

ONFIGURATION

Configuring DHCP

When you enable DHCP on an interface, it creates a query and sends it to the DHCP server to receive IP configuration. If the interface has an assigned IP address, it creates a request query to renew the current IP address and obtain the configured DHCP options.

Otherwise, it creates a discover query to obtain an IP address and the configured DHCP options. The server replies with the IP address and any configured DHCP options.

24 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Configuring DHCP

The DHCP client checks to see if the IP address is already in use by sending a gratuitous

ARP. If it is in use, it sends a decline and re-starts the discover process. When DHCP is disabled, any configuration set through DHCP options are deleted. The configuration and options applied as a result of DHCP are not saved in the configuration file. A reboot requires a new DHCP transaction with the server.

The DHCP client supports the DHCP options as summarized in Table 3-2. A complete list

of DHCP options is defined in RFC 1533.

1

2

Table 3-2: Supported DHCP Options

Option # Name Description

subnet time-offset

Specifies the subnet mask for the interface. Default is on.

Specifies the offset of the client's subnet in seconds from

Coordinated Universal Time (UTC). Default is on.

3 router

6

7

12 dns log-server host-name

Specifies a list of IP addresses for routers on the client's subnet (gateways). Routers should be listed in order of preference. Default is on.

Specifies a list of five Domain Name System (STD 13, RFC

1035 [8]) name servers available to the client. Servers should be listed in order of preference. Default is on.

Specifies a list of MIT-LCS UDP log servers available to the client. Servers should be listed in order of preference. Used by Syslog. Note that this DHCP option provides no mechanism to configure the UDP port for a syslog server. Any syslog servers configured by DHCP will use the default UDP port for syslog. Default is on.

Specifies the name of the client. The name may or may not be qualified with the local domain name. Default is on.

15

42

51

66 domain-name ntp lease-time tftp-server

Specifies the domain name that the client should use when resolving host names via the Domain Name System (DNS).

Default is on.

Specifies a list of IP addresses indicating Network Time

Protocol (NTP) [18] servers available to the client. Servers should be listed in order of preference. Default is on.

Request the lease time for the IP address. The default client lease-time is 1 hour and the default for this option is off.

Used to identify a TFTP server when the 'sname' field in the

DHCP header has been used for DHCP options. The TFTP address is only used to retrieve the command file and then is discarded. Default is on.

-1 boot-file

If Option 66 is received in the DHCP reply and the option is

On, then that IP address is used for the TFTP server, otherwise the value in 'siaddr' is used.

Specifies to use the boot image specified by the DHCP server.

System Software Configuration Guide 6.5.0

25

M

ANAGING

C

ONFIGURATION

Configuring DHCP

To set DHCP options:

dhcp client options set [subnet <on|off>] [time-offset <on|off>] [router <on|off>]

[dns <on|off>] [log-server <on|off>] [host-name <on|off>] [domain-name <on|off>] [ntp

<on|off>] [lease-time <on|off>] [tftp-server <on|off>] [boot-file <on|off>]

To enable or disable the DHCP client:

dhcp client [enable | disable]

To renew the leased IP address:

dhcp client lease renew

To set the interface and discovery interval (1 to 60 seconds):

dhcp client set interface {[<remote>], [discovery-interval <NUMBER: 1-60>]}

To display the current DHCP configuration:

> dhcp client show

+------------------- DHCP CLIENT STATE --------------------+

| Parameter | Value |

+------------------------------------+---------------------+

| Interface Name | tap1 |

| Admin State | Enabled |

| Oper State | Enabled |

| DHCP State | Disabled |

| Discovery Interval | 30 |

| Lease Time (days hh:mm:ss) | 0:00:00:00 |

| Lease Remaining (seconds) | 0 |

| Renewal (T1) Time (seconds) | 0 |

| Rebinding (T2) Time (seconds) | 0 |

| DHCP Server | 0.0.0.0 |

+------------------------------------+---------------------+

+---------------- DHCP/BOOTP OPTIONS STATE ----------------+

| Option | Description | State |

+--------+-----------------------------------------+-------+

| 1 | Subnet Mask Option | On |

| 2 | Time Offset Option | On |

| 3 | Router Option | On |

| 6 | Domain Name Server Option | On |

| 7 | Log Server Option | On |

| 12 | Host Name Option | On |

| 15 | Domain Name Option | On |

| 42 | Network Time Protocol Servers Option | On |

| 51 | Lease Time Option | Off |

| 66 | Tftp Server Name Option | On |

| -1 | Bootfile Name Option | On |

+--------+-----------------------------------------+-------+

26 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Configuring NTP

Configuring NTP

With the Network Time Protocol (NTP) client, you can configure a device to automatically synchronize its time and date to a remote NTP server running Coordinated Universal Time

(UTC). By default, the NTP client is disabled, and you can manually configure the date and time. When you enable the NTP client, date and time configuration received from an

NTP server will override any values manually set on the device. MD5 authentication support allows the NTP client to verify that the server is in fact known and trusted.

In broadcast mode, you do not need to configure the NTP client to use a specific server.

Instead, the NTP client waits for broadcast servers on the same subnet to broadcast their current time. When the NTP client receives the first message, it will interact with that server to retrieve reliable time. When additional broadcast messages are received from that server, the NTP client will calculate the time difference and adjust the clock accordingly. If broadcast messages are received from several broadcast servers, the client will select the most accurate server to use.

With polling mode (default), you need to specify the host names or IP addresses of NTP servers along with a time interval to request for date and time information. SAOS supports up to 10 NTP servers and a range between 16 - 4096 seconds for the polling interval with

16 seconds as the default.

As the NTP client communicates with the server, the server status is updated. Table 3-3

shows the status values you will see when displaying NTP configuration while the NTP client communicates with NTP servers.

Table 3-3: Server Status

Status Displayed

Reject

Insane

Correct

Standby

Candidate

Selected

SysPeer

PPSPeer

Reaching

ERROR*

Description

Rejected or initial state.

Failed sanity check. Client has yet to be synchronized with the server.

Passed correctness check. Culled from the end of the candidate list.

Discarded by the clustering algorithm.

Included in the final selection test.

Selected for synchronization; but distance exceeds maximum.

Selected for synchronization

Selected for synchronization, PPS signal in use.

Communicating with a potential candidate.

Error occurred with communication.

System Software Configuration Guide 6.5.0

27

M

ANAGING

C

ONFIGURATION

Configuring NTP

To set the mode to broadcast:

> ntp-client set mode broadcast

NOTE: When the device is set in broadcast mode, setting a polling-interval will be ignored by the device.

To set the mode to polling and specify a polling interval:

ntp-client set mode polling polling-interval <NUMBER: 16,32,64,128,256,512,1024,2048,4096>

NOTE: Any number can be entered for the interval value, but the system will round the number down to the nearest allowed value, as shown in the following example.

Example:

> ntp-client set polling-interval 1000

Polling time has been adjusted to 512 seconds

To enable the NTP client:

> ntp-client enable

To disable the NTP client:

> ntp-client disable

To add an NTP server:

You can add a list of NTP servers directly or with a DHCP server using option 42 as shown

in the Configuring DHCP section. To add directly:

ntp-client add server <IpHost>

To remove an NTP server:

ntp-client remove server <IpHost>

28 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Configuring NTP

To display NTP state and configured servers:

> ntp-client show

+------------------ NTP CLIENT STATE ------------------+

| Parameter | Value |

+------------------------+-----------------------------+

| Admin State | Enabled |

| Mode | Polling |

| Polling Interval (sec) | 512 |

| Config State | user |

| DHCP NTP Option State | Enabled |

+------------------------+-----------------------------+

+-------------------- NTP CLIENT SERVER CONFIGURATION ------------------+

| | | Config| Admin | Oper | Server |

| IP Address | HostName | State | State | State | Status |

+----------------+-------------------+-------+-------+-------+----------+

| 132.236.56.250 | | user |Enabled|Enabled| SysPeer |

| 192.83.249.31 | | user |Enabled|Enabled| Candidate|

+----------------+-------------------+-------+-------+-------+----------+

To display operational servers:

> ntp-client show oper

+-- OPER NTP SERVERS -------+

| IP Address | Status |

+----------------+----------+

| 132.236.56.250 | SysPeer |

| 192.83.249.31 | Candidate|

+----------------+----------+

To display NTP state only:

> ntp-client show state

+---------------------- NTP STATE ---------------------+

| Parameter | Value |

+------------------------+-----------------------------+

| Admin State | Enabled |

| Mode | Polling |

| Polling Interval (sec) | 16 |

| Config State | user |

| DHCP NTP Option State | Enabled |

+------------------------+-----------------------------+

To display a specific server configuration:

> ntp-client show server 132.236.56.250

+---------------------- NTP CLIENT SERVER CONFIGURATION -----------------------+

| Parameter | Value |

+---------------+--------------------------------------------------------------+

| Host Name | |

| IP Address | 172.25.0.2 |

| Admin State | Enabled |

| Oper State | Enabled |

| Config State | both |

| Server Status | SysPeer |

+---------------+--------------------------------------------------------------+

Configuring MD5 Authentication

To prevent an unwanted network intruder from masquerading as an NTP server, you can configure authentication for the NTP client. Authentication provides a way for the NTP client to verify that a server is a known and trusted NTP source. The authentication

System Software Configuration Guide 6.5.0

29

M

ANAGING

C

ONFIGURATION

Configuring NTP

method supported for the NTP client is RSA Message Digest 5 (MD5) with a private key called keyed-MD5. NTP authentication keys are codes that are encrypted on both the server and client that are used to identify the NTP time server. Each authentication key consists of a key ID and the key itself. MD5 authentication works with both polling and broadcast modes.

NOTE: MD5 authentication is not supported for NTP servers configured with DHCP option 42. When the NTP servers are configured with DHCP, any user configured NTP settings are overridden.

The authentication key number acts as a reference to the specified authentication key.

The actual keys must be identical on both the NTP client and the NTP server. The client may use a subset of the authentication keys specified on the NTP server, and the keys are case sensitive.

In polling mode, the NTP client configuration must specify the association of the key number to a server. When configured, the NTP client sends a request for time to the NTP

Server with corresponding Key and Authentication code. The NTP server, after validating the client's authentication, replies with an encrypted response along with timestamp information. Upon receipt of the timestamp, the NTP client validates the Server's authentication, if valid, time configuration is updated. Otherwise, the time configuration is rejected.

In broadcast mode, since the server is auto-detected by the client, association of the key number to a server cannot be configured at the client. However, the corresponding key number and key values must be configured at the client. The NTP Server will broadcast timestamp information along with the key number and Authentication code encoded in the packet. Upon receipt of the timestamp, the NTP Client decrypts the key and verifies it against a list of trusted keys. If the key matches one of the list of trusted keys, the NTP

Client starts synchronizing with that NTP Server using the same key number and

Authentication code as the Server.

Enabling and Disabling MD5 Authentication

By default, MD5 authentication is disabled for the NTP client.

To enable MD5 authentication:

ntp-client md5-auth enable

Example:

> ntp-client md5-auth enable

To disable MD5 authentication:

ntp-client md5-auth disable

Example:

> ntp-client md5-auth disable

30 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Configuring NTP

Adding MD5 Keys

You can add up to 32 MD5 keys. The key ID is a U32 value between 1 and 4294967295. If a key ID is entered or displayed as 0, this value implies there is no key. The MD5 key is a

1 to 31 ASCII character string, and cannot be any of the following characters:

Space ( )

• Double quote (“)

Number sign (#)

• TAB (\t)

Return (\n)

• \0

There are three ways to add a key:

Plain text - Entered directly.

Encrypted key - Enter a key from an MD5 encrypted key generator.

Import from a key file - Transfer a simple tag readable format file to the system and then import keys from it.

When importing from a file, the importing key-file should be in the following format:

<key-id> <type> <encrypted-key-value>

An example key-file that is ready to import is shown below:

1 MD5 !ZS,@S~(\D&1k0V' # MD5 key

2 MD5 yz3O$2*>oS(>o2Mf # MD5 key

3 MD5 T/oI/Hqa!,|NQYgq # MD5 key

Keys imported from a file will be subsequently saved in the config file, when a

“configuration save” is executed.

To add an MD5 key in plain text:

ntp-client md5-auth add key-id <NUMBER:0-4294967295> md5 <MD5AuthKey>

Example:

> ntp-client md5-auth add key-id 1 md5 Key1

To add an MD5 key in encrypted form:

ntp-client md5-auth secret key-id <NUMBER:0-4294967295> md5 <MD5AuthKeyEncrypt>

Example:

ntp-client md5-auth add key-id 1 md5 3bf313a5

To import an MD5 key from a file:

ntp-client md5-auth import filename <FileName>

Example:

> tget 10.25.41.68 ntp_simple_tag.key ntp_simple_tag.key

Received 46 bytes in 0.0 seconds.

Received 2000 bytes/second.

> ntp-client md5-auth import filename ntp_simple_tag.key

System Software Configuration Guide 6.5.0

31

M

ANAGING

C

ONFIGURATION

DNS

Removing an MD5 Key

To remove an MD5 key:

ntp-client md5-auth remove key-id <NUMBER:1-4294967295>

Example:

ntp-client md5-auth remove key-id 1

Displaying MD5 authentication configuration

To display MD5 configuration:

ntp-client md5 show

Example:

> ntp-client md5-auth show

+------------------ NTP CLIENT STATE ------------------+

| Parameter | Value |

+------------------------+-----------------------------+

| Admin State | Enabled |

| MD5 Auth Admin State | Disabled |

| Mode | Polling |

| Polling Interval (sec) | 16 |

| Config State | user |

| DHCP NTP Option State | Enabled |

+------------------------+-----------------------------+

+------------------------------- NTP MD5 AUTH KEYS ----------------------------+

| Key ID | MD5 (Encrypted Value) |

+------------+-----------------------------------------------------------------+

| 11 | 1def01f15eef65 |

| 12 | 1def01f15eef66 |

| 266 | 1def01f15eec6214 |

| 267 | 1def01f15eec6215 |

+------------+-----------------------------------------------------------------+

+---------------------------- NTP SERVER CONFIGURATION ------------------------+

| | MD5 |Config|Admin |Oper |Server |

| IP Address/HostName | Key ID |State |State |State |Status |

+-----------------------------------+-----------+------+------+------+---------+

| 192.83.249.31 | | 0 |user |Ena |Ena | Reject |

| 132.236.56.250 | | 0 |user |Ena |Ena | SysPeer |

+-----------------------------------+-----------+------+------+------+---------+

DNS

The system supports up to three domain name servers that can be prioritized by the administrator. This functionality resolves Hostnames to IP addresses. By default the DNS client is enabled, although no servers are configured.

DNS servers can be configured via DHCP. When both DHCP and the user configure a set of

DNS servers, the servers configured by DHCP will be active (operationally enabled), and the other servers will be inactive.

The following IP addresses cannot be specified as DNS servers:

32 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

SSHv2

• 0.0.0.0

224.0.0.0 -> 255.255.255.255

• 127.0.0.0 -> 127.255.255.255

An error is returned if an IP address is not resolved.

To add a DNS server to the DNS list:

> dns-client add server <server ip address>

To resolve an IP address or hostname:

> dns-client resolve ip ciena.com

Hostname: ciena.com

IP Address: 192.168.75.20

To define the default domain name that is appended to unqualified host names:

> dns-client set domain-name ciena.com

SSHv2

Secure Shell (SSH) provides remote login and SFTP file transfers. Intended as a more secure replacement of Telnet, SSH verifies and grants access to log in requests by encrypting user ID and passwords. It also supports public key based authentication. In public key based authentication, a password is not required, instead a key pair consisting of a private key and a public key is generated, then encrypted and stored on the server.

The public key must be distributed to the client machine.

NOTE: To enable SSHv2 commands, the Advanced Security feature license must be installed with the software license install command.

Setting Up SSH Server

To set up SSH with the default configuration:

1. Generate the public/private key pair.

>ssh-server key generate

This command generates, encrypts, and then stores the public/private key pair as follows:

> cd /mnt/sysfs/ssh

> ls ssh_host_rsa_key ssh_host_rsa_key.pub

System Software Configuration Guide 6.5.0

33

M

ANAGING

C

ONFIGURATION

SSHv2

SSH user keys can be provisioned using the device’s XML file:

<XmlWwpCommandFile>

<XmlCmdPlatformClass name="CN3911"

version="saos-%VERSION%"

operation="upgrade"

serviceAffecting="yes">

</XmlCmdPlatformClass>

<XmlCmdPlatformClass name="brego"

configFilePath="myFolder/my-config-file.txt"

configFileRule="activate"

welcomeBanner="myBannerFile.txt"

licenseFile="myLicenseFile.txt"

<SshKeyFile name="user1.pk2"></SshKeyFile>

<SshKeyFile name="user2.pk2"></SshKeyFile>

<SshKeyFile name="user3.pk2"></SshKeyFile>

version="saos-%VERSION%"

packagePath="folder1/folder2/folder3"

operation="install"

serviceAffecting="no" >

</XmlCmdPlatformClass>

</XmlWwpCommandFile>

2. Display the current configuration to verify it is correct.

>ssh-server-server show

3. Enable SSH server.

>ssh enable

4. Save the configuration.

>configuration save

Modifying SSH Server

To modify the SSH server settings:

• Add an IP address for each client.

>ssh-server add [ client <IpAddress> ]

The default configuration allows any IP address to connect. Adding clients restricts access to the IP addresses in the client list.

• Change the maximum number of authentication retries and which port listens for SSH requests.

> ssh-server set {[authentication-retries <NUMBER: 1-3>] [listener-port] <NUMBER: 22 -

65535>]

}

The authentication-retries setting determines how many times the SSH server will prompt for a username and password validation if public key encryption fails. The authentication retry counter is incremented when an authentication method fails, even within the same login cycle. For example, with authentication-retries set to 3, when the SSH client fails to authenticate using an RSA public key, and then a DSA public key, each attempt increments the authentication-retries counter and only one prompt for a username and password occurs for that login cycle.

• Remove any clients from which you do not want to accept a connection.

>ssh-server remove [client <IpAddress>]

Disable SSH server.

>ssh-server disable

34 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

SSHv2

Accessing SSH Server

To access SSH Server, you need to install an SSH version 2 client. Table 3-4 shows a list

of tested SSH clients. Other SSH clients may also be compatible but have not been explicitly tested with SAOS.

Table 3-4: Tested SSH Clients

Client

Bitvise Tunnelier

Esh Client

JellyfiSSH

OpenSSH

OpenSSH

OpenSSH

Putty SSH

SecureCRT

SSH Tectia

Version

Version 4.19

Operating System

Windows

Version 3.2 for Windows

Version 4.4

4.5

Version 5.1.4 (build 285) - Official

Release - September 14, 2006

Version 5.0.1.79

Windows

MAC OS X

Windows

OpenSSH_3.9p1, OpenSSL 0.9.7a Feb. 19

2003

RedHat Enterprise Linux

OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May

2006

Fedora Core 6

Release .58

Windows

Windows

Windows

Public Key Authentication

Public key authentication relies on copying the public keys (RSA or DSA) of a user on a remote host to the right location on the device (in this case, the CN 3911). The command.xml file is used to simplify the process of copying the key files, and the file name can contain a path relative to the TFTP directory of the server.

The 'SshKeyFile' tag in the command.xml file can be used to specify the SSH key file for a user. Multiple files can be specified in the command.xml file (one for each user), and all of the public keys for a single user need to be in one file. The format for the key file name should be username.pk2; for example, the key file name for user gss should be gss.pk2.

The key file does not have to be present when SSH is enabled, but it should be in place before the user logs in or the system will resort to password based authentication.

The following is a sample command file:

<XmlWwpCommandFile>

...

...

...

...

...

...

<SshKeyFile name="gss.pk2"/>

<SshKeyFile name="su.pk2"/>

...

System Software Configuration Guide 6.5.0

35

M

ANAGING

C

ONFIGURATION

SFTP

</XmlWwpCommandFile>

The format of the key files should be as specified in http://www.openbsd.org/cgibin/man.cgi?query=sshd&sektion=8 under the section AUTHORIZED_KEYS FILE FORMAT.

The keyfile is stored as /mnt/sysfs/ssh/users/<username/keyfile.

SFTP

Table 3-5: Tested SFTP Clients

Client

Bitvise Tunnelier

Esh Client

JellyfiSSH

OpenSSH

Putty SSH

SecureCRT

SSH Tectia

After setting up the SSH server, you can transfer files with an SFTP client. SFTP uses standard file transfer commands, such as get and put for transferring files. SFTP encrypts the user ID, password, and the file and then transfers the information over the

SSH server port number.

Table 3-5 shows a list of tested SFTP clients. Other SFTP clients may also be compatible

but have not been explicitly tested with SAOS.

Version

Version 4.19

Version 3.2 for Windows

Version 4.4

Version 4.5

Release .58

Version 5.1.4 (build 285) - Official

Release - September 14, 2006

Version 5.0.1.79

Operating System

Windows

Windows

MAC OS X

Windows

Windows

Windows

Windows

Customizing the System Shell

Configuring the Host Name

?

!

The default host name is the model number of the device, such as CN 3940. The host name is displayed in the command prompt. You can set a custom host name to identify the device. The host name length is 2-63 characters without any spaces. At least one character must be alpha (a-z) or a dash (-). IP addresses are not allowed. The host name

%

* is not case sensitive. The following special characters are not allowed:

To set the host name:

system set [host-name <String>]

36 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Customizing the System Shell

Example:

>system set host-name myHostName

To reset the host name to default:

> system unset host-name

Setting the Date and Time

If desired, you can manually set the date and time. However, if NTP is enabled, all manual time and date settings will be overridden by the NTP settings. Date and time settings include:

Date - Accepted formats are yyyy-mm-dd, yy-mm-dd, or mm-dd. If the yy-mm-dd format is used the two digits will be added to a base of 2000. For example, 03-01-07 will become 2007-01-01. If you enter a date prior to 01-01-2004, the system will automatically set the date to 01-01-2004 on startup.

Time - Accepted formats are hh:mm:ss or hh:mm.

Time offset - Value range is -2147483648 to 2147483648> seconds from UTC. Positive numbers are east of the UTC; negative numbers are west of the UTC.

Timestamp - Sets the timestamp for system logging entries. When set to ‘local,’ any system timestamps will use the configured time-offset. When set to ‘UTC,’ system timestamps will be based on UTC.

To set the date and time:

system set [date <yyyy-mm-dd>|<yy-mm-dd>|<mm-dd>] [time <hh:mm:ss>|<hh:mm>] [time-offset

<NUMBER: -2147483648...2147483648>] [timestamp <local|UTC>

Example of setting the date and time:

> system set date 2007-06-18 time 09:33

Example of setting the time for Pacific Daylight Time (PDT):

> system set time 09:33 time-offset -25200

Example of setting the time for Pacific Standard Time (PST):

> system set time 09:33 time-offset -28800

Example of setting the time for Eastern Daylight Time (EDT) USA:

> system set time 09:33 time-offset -14400

Example of setting the time for Eastern Standard Time (EST) USA:

> system set time 09:33 time-offset -18000

Ending Inactive Connections

To free up inactive Telnet or SSH connections, you can configure the device to automatically end inactive connections by setting a global inactivity time-out and timer.

By default, the time-out is 10 minutes, and the timer is turned off.

System Software Configuration Guide 6.5.0

37

M

ANAGING

C

ONFIGURATION

Customizing the System Shell

To automatically end inactive connections after a period of inactivity:

>system shell set [global-inactivity-timeout <NUMBER: 1-1500>] [global-inactivity-timer

<on|off>]

To reset the global inactivity time-out and timer to defaults:

>system shell set global-inactivity-timeout global-inactivity-timer

Configuring Lines to Display

By default, when you run a command, all lines are displayed and you are returned to a prompt. When the command displays several lines of information, the first lines can scroll beyond the viewable window. You can configure how many lines to display at a time before the system pauses and prompts for an action to display more lines. For example, setting “more” to on and the number of lines to 5 results in:

> system shell set more on more-lines 5

> system ?

ps information about system processes set set system attributes shell shell configuration show show system attributes

[more 36%] (q,g,space,enter)

To configure more lines for all sessions:

system shell set global-more <on|off> global-more-lines <NUMBER: 0-999>

To reset more lines for all sessions to the defaults:

system shell unset global-more global-more-lines

To configure more lines for your current session:

system shell set more <on|off> more-lines <NUMBER: 0-999>

To reset more lines for your current session to the defaults:

system shell unset more more-lines

Configuring the Welcome Banner

You can create a customized welcome banner in a text file, and set your devices to use the file when Telnet or SSH client sessions are established.

To set the welcome banner:

1. Create a text file with the banner text. For example, the file named myBannerFile.txt has the following text:

*************************************

* Welcome *

*************************************

NOTE: Be sure each line ends with a carriage return. If a line does not end with a carriage return, it will not display.

38 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Retrieving System Information

2. Transfer the file to the device to the /flash0 directory.

> tget xxx.xxx.xx.xx myBannerFile.txt /flash0/myBannerFile.txt

Received 23 bytes in 0.0 seconds.

Received 958 bytes/second.

3. Verify the file is stored.

> ls

Directory '/flash0/' config/ archive/ myBannerFile.txt

4. To set the device to use your welcome banner:

> system shell set welcome-banner-file /flash0/myBannerFile.txt

To reset the welcome banner to the defaults:

system shell unset welcome-banner-file

Retrieving System Information

Displaying System Settings

You can display time and CPU load by default or individual system settings, including

• Date

Host name

• Load query

Time

• Time offset

Up time from last re-boot

To display all system settings:

system show [date] [host-name] [load-query] [time-offset] [uptime]

Example:

> system show date host-name load-query time time-offset uptime

Friday December 31, 1999

+------------------------------ HOST NAME -------------------------------+

| Oper | CN 3940 |

| User | CN 3940 |

| DHCP | |

+------+-----------------------------------------------------------------+

+--------- CPU LOAD QUERY -------+

| Interval | Load (%) |

+-----------------+--------------+

| Last 15 minutes | 9 |

| Last 5 minutes | 5 |

| Last 1 minute | 8 |

+-----------------+--------------+

MemTotal: 60664 kB

MemFree: 3420 kB

System Software Configuration Guide 6.5.0

39

M

ANAGING

C

ONFIGURATION

Retrieving System Information

+--------- Global Service Mode ---------+

| Service Mode | None |

+-----------------+---------------------+

+---------------------- TIME Settings ----------------------+

| Parameter | Value |

+---------------------------+-------------------------------+

| Local date and time | Fri Dec 31 17:38:42 1999 |

| Greenwich Mean Time (GMT) | Sat Jan 01 00:38:42 2000 |

| Time Offset (seconds east)| -25200 |

+---------------------------+-------------------------------+

+----------- TIME OFFSET (sec) -----------+

| Operational | User | DHCP |

+-------------+-------------+-------------+

| -25200 | -25200 | 0 |

+-------------+-------------+-------------+

System uptime: 0d 5h 37m 59s

Displaying the System Shell Attributes

To display the system shell attributes:

system shell show

Example:

> system shell show

+--------- Shell Settings -----------------+

| Parameter | Value |

+-----------------------------+------------+

| Global more | on |

| Global more lines | 0 |

| Global inactivity timer | off |

| Global inactivity timeout | 10 min |

| Global login timer | on |

| Global login timeout | 60 sec |

| Session more | on |

| Session more lines | 0 |

| Welcome banner file | (none) |

+-----------------------------+------------+

Displaying System Processes

To display system process information:

system ps show [blockId <String>] [format <wide>]

40 System Software Configuration Guide 6.5.0

M

ANAGING

C

ONFIGURATION

Retrieving System Information

Example of all processes:

> system ps show

PID USER VSZ STAT COMMAND

1 root 3808 S init

2 root 0 SWN [ksoftirqd/0]

3 root 0 SW< [events/0]

4 root 0 SW< [khelper]

5 root 0 SW< [kthread]

6 root 0 SW< [kblockd/0]

27 root 0 SW [pdflush]

28 root 0 SW [pdflush]

30 root 0 SW< [aio/0]

29 root 0 SW [kswapd0]

546 root 0 SW< [kseriod]

553 root 0 SW [mtdblockd]

583 root 0 SWN [jffs2_gcd_mtd5]

664 root 1900 S /sbin/monitor -t /tmp/fifo/mon/saos /sbin/start-saos

669 root 1900 S /sbin/monitor -p -t /tmp/fifo/mon/saos.loader /mnt/ap

670 root 4112 S /usr/sbin/inetd -f

671 su 20428 S -saos

672 root 3872 S /bin/sh /sbin/corewatch.sh

892 root 36968 S /mnt/apps/bin/saos -s

1223 root 3876 S telnetd -i

1224 su 20428 S -saos

1436 root 3876 S telnetd -i

1437 su 20428 S -saos

1810 root 3676 S sleep 15

1811 su 3808 S /bin/sh -l -c ps

1830 su 4176 R ps

Generating a System State Dump File

For troubleshooting purposes, you can generate a system state dump file to a TFTP server. The state dump file contains configuration and status information for major device components all in one file, including:

System configuration

• Interface configuration

Chassis device identification, device archives, and power supplies

• Module configuration, temperature, CPU load, and POST

Port configuration and status

• System process information

Configuration file

• Log files

To generate a system state dump file:

system state-dump tftp-server <IpAddress> file-name <FileName>

System Software Configuration Guide 6.5.0

41

M

ANAGING

C

ONFIGURATION

Retrieving System Information

Example:

> system state-dump tftp-server 192.168.75.100 file-name StateDump.txt

Writing system info

Writing interface info

Writing chassis info

Writing module info

Writing port info

Writing device ID info

Writing fan info

Writing power info

Writing archive info

Writing alarm info

Writing system config

Writing log files

File StateDump.txt transferred to tftp server 192.168.75.100

42 System Software Configuration Guide 6.5.0

Chapter

VLAN Management

• • • • • •

4

At a Glance:

Overview

VLANs and Traffic Flow

Behavior Summary

VLAN/Port Configuration

Port Mirroring

Port Loopback

Port Statistics

This chapter details the function of VLANs. It also details how to configure port settings to switch traffic properly through the network.

Overview

Virtual Local Area Networks (VLANs) are a key element within the system software. A

VLAN is used to group resources that have a common set of requirements, regardless of where they are located physically. They also allow ports on a device to be grouped in order to limit the distribution of unicast, multicast, and broadcast traffic. For example, flooded traffic originating from a particular VLAN can be limited to only other ports belonging to that VLAN. VLANs allow traffic on the same physical connection to be divided into separate services. These services can then be further divided into groups within each service.

VLANs and Traffic Flow

VLANs determine how traffic is forwarded within a device. The ingress and egress behavior of each port must be taken into account. Five basic rules govern traffic forwarded through the device:

Port VLAN Membership

• Acceptable Frame Types (ingress rule)

Port VLAN ID (PVID) (ingress rule)

• Ingress Filtering (ingress rule)

Ingress Untagged Frames (ingress rule)

• Egress Untagged VLAN (egress rule)

System Software Configuration Guide 6.5.0

43

VLAN M

ANAGEMENT

VLANs and Traffic Flow

Acceptable Frame Types

When a frame arrives at a port on a device with SAOS operating system, it is first examined to determine whether it is a tagged (contains a VLAN ID) or untagged frame.

This is referred to as the frame type. Each port of the device has an associated

Acceptable Frame Types (AFT) parameter that controls whether or not the port will accept untagged frames. A port can be configured to admit ONLY tagged frames or to admit ALL Frames.

The default value of the Acceptable Frame Types parameter is set to “VLAN tagged-only” on ports 9 and 10. In other words, by default, tagged frames are allowed to ingress while untagged or priority-tagged frames (i.e., a frame with no tag header, or a frame with a tag header that carries the null VLAN ID) received on the port are discarded. Tagged frames are then further processed according to the additional ingress rules set on the port. In contrast, if the Acceptable Frame Types parameter is set to “all”, which is the default for ports 1-8, all frames are allowed to ingress, regardless of their tag status.

Port VLAN ID

The full VLAN address range from 1 to 4094 can be supported per port. For untagged or priority-tagged frames, the next ingress rule applied is the Port VLAN ID (PVID). Each port on the device has an associated PVID. By default, the PVID value is the default VLAN ID

(VLAN 1). When an untagged frame arrives at an ingress port (assuming that the port is set to accept all frame types) it may be forwarded to all ports that are members of the configured PVID (depending on additional ingress parameters set on the device). If an ingress frame is not tagged with the VLAN specified by the port’s PVID, then the setting on the port's Ingress Filter will apply.

Similarly, if a port is removed from a VLAN that is also its PVID, the PVID value remains

the same and the port's Ingress Filter setting is therefore applied (refer to the VLAN

Ingress Filter section).

The PVID assignment for aggregated ports is slightly different. When a physical port is added to an aggregation, it inherits the PVID setting of the aggregation group. However, when the port is removed from the aggregation, its own PVID setting becomes valid again.

NOTE: PVIDs can only be set to the VLAN ID of configured VLANs, therefore the VLAN must exist before the corresponding PVID can be assigned. The port does not however, have to be a member of the VLAN in order to assign the PVID.

44 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

VLANs and Traffic Flow

VLAN Ingress Filter

The last parameter applied to ingressing frames is the VLAN Ingress Filter. The VLAN

Ingress Filter forwards or discards a frame based on the VLAN tag. When VLAN Ingress

Filtering is enabled on a port (VLAN Ingress Filtering is enabled by default), an ingressing frame that is tagged with a VLAN to which the ingress port does not belong, will be discarded. For example, assuming that VLAN 200 is configured on the device, if the ingressing frame is tagged with VLAN 200, but the port is not a member of VLAN 200, the frame is discarded.

If VLAN Ingress Filtering is disabled, ports do not consider the VLAN membership of ingressing frames. In the above example, with VLAN Ingress Filtering disabled, the frame tagged with VLAN 200 may be forwarded to all port members of VLAN 200, regardless of whether the ingress port belongs to VLAN 200. However, if VLAN 200 has not been configured on the device, the frame is then dropped.

Ingress Untagged Frames

When you have a port set to accept all frame types, untagged data frames and untagged control frames are allowed to ingress.

You can configure a port’s untagged-data-vid attribute to add (push) a tag containing a

Customer VLAN ID (CVID) on untagged data frames on ingress. In addition to the CVID, the tag will include the port’s ingress fixed .1d priority (ingress-fixed-dot1dpri) setting.

Egress Untagged VLAN

Once a frame reaches its egress port on the device, one final VLAN operation is performed. The Egress Untagged VLAN (EUV) parameter determines whether the egressing frame will be forwarded tagged or untagged. As a frame egresses the device, its VLAN ID is compared to the EUV. If the VLAN ID is the same as the EUV, then the VLAN tag is stripped from the egressing frame and it is sent untagged. If the VLAN ID is not the same as the port’s EUV, then the frame is sent out with its tag intact. By default, the EUV is VLAN 1, as is the PVID. When the PVID is changed, the EUV value automatically updates to match the PVID, until it is explicitly set.

For example, the default PVID and EUV are set to 1. If you set port’s PVID to VLAN 200, and the EUV is automatically set to VLAN 200. A frame that is tagged with VLAN 200 would have its tag stripped as it egresses. In contrast a frame with a VLAN tag of 300 will egress with its tag intact.

However, if you set the EUV to 300, the PVID remains at 200. Now, the frame tagged with

VLAN 200 retains its tag on egress, and the frame with a VLAN tag of 300 has its tag removed.

System Software Configuration Guide 6.5.0

45

VLAN M

ANAGEMENT

Behavior Summary

Behavior Summary

The following tables summarize packet behavior.

Table 4-1: Ingress Behavior

Ingress

Frame

Tagged

AFT

Tagged-only

PVID

N/A

Ingress

Filter

Disabled

Tagged

Tagged

Tagged

Untagged

Untagged

Untagged

Tagged-only

All

All

Tagged-only

All

All

N/A

N/A

N/A

N/A

Any

Any

Behavior

Enabled

Disabled

Enabled

N/A

Disabled

Enabled

The frame is forwarded if the VLAN exists on the device.

The frame is forwarded if the ingress port is a member of the ingressing frame’s VLAN.

The frame is forwarded if the VLAN exists on the device.

The frame is forwarded if the ingress port is a member of the ingressing frame’s VLAN.

The frame is dropped.

The frame is forwarded to all ports that are members of the ingressing port’s PVID.

The frame is forwarded to PVID members only if the ingress port is a member of the PVID.

Table 4-2: Egress Behavior

Frame State EUV State

Tagged VLAN ID = EUV

Tagged VLAN ID ≠ EUV

Egress Behavior

Frame sent untagged.

Frame sent tagged.

46 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

VLAN/Port Configuration

VLAN/Port Configuration

All of the frame forwarding behaviors discussed in this chapter are port-based features, but require VLANs to tie them together. The VLAN can be thought of as an imaginary wire that connects the ingress port to the egress port(s). VLANs must be created using the CLI,

MIB, or the Device Manager, prior to configuring other features on the device. A VLAN is identified by 2 basic parameters:

VLAN ID: value used to identify the VLAN

VLAN Name: (optional) defined by the network operator. VLAN names may not begin with a number

NOTE: A maximum of 500 VLANs are supported without an Advanced Ethernet (AE) license, and up to 4094 VLANs with an AE license.

All commands in the following sections (except “show” commands) require the user to

have super user or admin access level. Refer to the Access Levels section in Appendix 26, on page 377 for information on CLI access privileges.

To create a VLAN and add port members to it:

Step # Description

Step 1 Create the VLAN. The VLAN ID (VID) must be specified, but the name is optional.

Command

vlan create vlan

<VlanIdList> [name

<String[31]>]

If a VLAN name is not specified, a default name will be assigned in the format of

VLAN#<VLAN-id>

. For example if the VID entered is 1000 the VLAN name will be

VLAN#1000

. VLAN names may not begin with a number.

Step 2 Add ports to the VLAN. Ports can be added to the VLAN either by specifying the VLAN name or VID and a port name.

vlan add vlan <VlanList> port <PortNameList>

Step 3 (Optional) Verify the creation of the VLAN.

vlan show

lists all configured VLANs. vlan show port <PortNameList> displays the VLANs to which the specified ports belong. vlan show vlan

<VlanList>

displays information for a specific VLAN.

vlan

show [port

<PortNameList> | vlan

<VlanList>]

Example:

1. > vlan create vlan 300

2. > vlan add vlan 300 port 5

System Software Configuration Guide 6.5.0

47

VLAN M

ANAGEMENT

VLAN/Port Configuration

3. > vlan show vlan 300

+---------------------- VLAN INFO -----------------------+

| Parameter | Value |

+----------------------+---------------------------------+

| VLAN ID | 300 |

| Name | VLAN#300 |

| Features | |

|--------------------------------------------------------+

| VLAN Members |

| Port | VTag | VS-Sub |

|----------+-----------+---------------------------------+

| 5 | 300 | False |

|----------+-----------+---------------------------------+

Port Configuration

The following examples show how to configure a VLAN/port pair to receive traffic in one state and egress it in a particular state (e.g., receive untagged traffic and egress tagged traffic).

Ingress Tagged Traffic, Egressing Tagged

This scenario is basically the default behavior for the device. The only requirement is to add the ingress and egress ports to the same VLAN. Since the EUV and the PVID are set to

VLAN 1 by default, tagged frames will enter the switch and egress the switch with their original tag intact for the VLAN configured.

NOTE: By default, all ports are members of VLAN 1. Frames tagged with VLAN 1 will also be forwarded since the PVID is set to VLAN 1 by default and is not changed in this example.

To configure a port pair that will receive frames tagged with VLAN 300 and egress them with the original tag intact, the following steps are used:

Step # Description

Step 1 Create the VLAN.

Step 2 Add the ingress and egress ports to the VLAN.

Step 3 (Optional) Verify the creation of the VLAN.

Command

vlan create vlan

<VlanList> [name

<VlanList>] vlan add vlan <VlanList> port <PortNameList>} [tag

{<value> | none}] vlan

show [port

<PortNameList> | vlan

<VlanList>]

Example:

1. > vlan create vlan 300

2. > vlan add vlan 300 port 1,5

48 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

VLAN/Port Configuration

3. > vlan show vlan 300

+---------------------- VLAN INFO -----------------------+

| Parameter | Value |

+----------------------+---------------------------------+

| VLAN ID | 300 |

| Name | VLAN#300 |

| Features | |

|--------------------------------------------------------+

| VLAN Members |

| Port | VTag | VS-Sub |

|----------+-----------+---------------------------------+

| 1 | 300 | False |

| 5 | 300 | False |

|----------+-----------+---------------------------------+

Ingress Untagged Traffic, Egressing Untagged

This scenario configures a port pair on VLAN 300 that will receive untagged frames and egress them untagged:

Step # Description Command

Step 1 Create the VLAN.

vlan create vlan

<VlanList> [name

<VlanList>]

Step 2 Add the ingress and egress ports to the VLAN.

vlan add vlan <VlanList> port <PortNameList> [tag

{<value> | none}]

Step 3 Set the AFT on all ports to All. On ports 1-8, this value is the default setting.

port set port

<PortNameList>

[acceptable-frame-type

<'all' | 'tagged-only'>]

Step 4 Set the PVID on all ports to the VLAN used in Step 2.

port set port

<PortNameList> [pvid

<VlanList>]

Step 5 (Optional) Verify the ingress port settings. Note that the egress untagged VLAN automatically changes to the same value as the PVID.

port show port

<PortNameList>

Step 6 (Optional) Verify the egress port settings. Note that the egress untagged VLAN automatically changes to the same value as the PVID.

port show port

<PortNameList>

Example:

1. > vlan create vlan 300

2. > vlan add vlan 300 port 1,5

3. > port set port 1,5 acceptable-frame-type all

4. > port set port 1,5 pvid 300

System Software Configuration Guide 6.5.0

49

VLAN M

ANAGEMENT

VLAN/Port Configuration

5. > port show port 1

+---------------------------- PORT INFO ------------------------------+

| Field | Admin | Oper |

+-------------------------+---------------------+---------------------+

| Type | 10/100/G |

| Description | |

| Spanning Tree State | Forwarding |

| MAC Address | 00:02:a1:07:86:e2 |

| Phy Loopback | Off |

| Link State | Enabled | Enabled |

| State Group Link State | | |

| Mode | rj45 | unknown |

| Speed | 1 Gbps | 100 Mbps |

| Duplex | full | full |

| Flow Control | off | |

| Auto Negotiation | Enabled | |

| Flow Control Advertised | off | |

| PVID | 300 | 300 |

| Untag Ingress Vtag | 1 | 1 |

| Untag Ingress Data Vid | 0 | 0 |

| Fixed Resolved CoS | 0 | 0 |

| Ingress VLAN Filter | Enabled | Enabled |

| Ingress VS Filter | Off | Off |

| Acceptable Frame Type | all | all |

| Egress Untag VLAN | 300 | 300 |

| Max Frame Size | 1526 | 1526 |

| Untagged Data VS | | |

| Untagged Ctrl VS | | |

| Resolved CoS Policy | dot1d-tag1-cos | dot1d-tag1-cos |

| Service Port Type | Subscriber | Subscriber |

| Eth VC EtherType | 8100 | 8100 |

| Eth VC EtherType Policy | all | all |

| Mirror-port | Off | Off |

| Ingress-mirror | | |

| Egress-mirror | | |

| Ingress to Egress QMap | Default-RCOS | Default-RCOS |

| XCVR caps mismatch | <NONE> |

+-------------------------+---------------------+---------------------+

| VLAN Membership | 300 |

+-------------------------+-------------------------------------------+

6. > port show port 5

Changing Tag Status

In this port pair scenario, traffic for the specified VLAN enters one port untagged and egresses its partner port tagged with a specified VLAN ID. When traffic flows in the opposite direction, frames tagged with the specified VLAN will egress untagged.

In our example, untagged frames ingressing on port 1 will egress port 5 tagged with a

VLAN ID of 300. Frames that ingress on port 5 with a VLAN tag of 300 will egress port 1 untagged.

50 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

VLAN/Port Configuration

Assume now that port 1 is connected to the subscriber while port 5 connects to the provider network, the frame will pass between the subscriber and the provider networks, but the VLAN tag of 300, which may only have meaning in the provider network, will never be seen in the customer’s network.

Step # Description Command

Step 1 Create a VLAN.

vlan create vlan

<VlanList> [name

<VlanList>]

Step 2 Add the ingress and egress ports to the VLAN.

vlan add vlan <VlanList> port <PortNameList>

Step 3 Set the PVID on the ingress ports to the VLAN used in Step

2.

port set port

<PortNameList> [pvid

<VlanList>]

Step 4 Set the AFT on all ports to All. On ports 1-8, this value is the default setting.

port set port

<PortNameList>

[acceptable-frame-type

<'all' | 'tagged-only'>]

Step 5 (Optional) Verify the ingress port settings.

port show port

<PortNameList>

Step 6 Set the EUV on the egress port (provider port) to a VLAN that is different than the VLAN used in Step 2. Note that the value used does not have to correspond to an existing

VLAN.

port set port

<PortNameList> [egressuntag-vlan <VlanList>]

Step 7 (Optional) Verify the egress port settings.

port show port

<PortNameList>

Example:

1. > vlan create vlan 300

2. > vlan add vlan 300 port 1,5

3. > port set port 1,5 acceptable-frame-type all

4. > port set port 1 pvid 300

5. > port show port 1

6. > port set port 5 egress-untag-vlan 4094

System Software Configuration Guide 6.5.0

51

VLAN M

ANAGEMENT

VLAN/Port Configuration

7. > port show port 5

+---------------------------- PORT INFO ------------------------------+

| Field | Admin | Oper |

+-------------------------+---------------------+---------------------+

| Type | 10/100/G |

| Description | |

| Spanning Tree State | Forwarding |

| MAC Address | 00:02:a1:07:86:e2 |

| Phy Loopback | Off |

| Link State | Enabled | Enabled |

| State Group Link State | | |

| Mode | rj45 | unknown |

| Speed | 1 Gbps | 100 Mbps |

| Duplex | full | full |

| Flow Control | off | |

| Auto Negotiation | Enabled | |

| Flow Control Advertised | off | |

| PVID | 300 | 300 |

| Untag Ingress Vtag | 1 | 1 |

| Untag Ingress Data Vid | 0 | 0 |

| Fixed Resolved CoS | 0 | 0 |

| Ingress VLAN Filter | Enabled | Enabled |

| Ingress VS Filter | Off | Off |

| Acceptable Frame Type | all | all |

| Egress Untag VLAN | 4094 | 4094 |

| Max Frame Size | 1526 | 1526 |

| Untagged Data VS | | |

| Untagged Ctrl VS | | |

| Resolved CoS Policy | dot1d-tag1-cos | dot1d-tag1-cos |

| Service Port Type | Subscriber | Subscriber |

| Eth VC EtherType | 8100 | 8100 |

| Eth VC EtherType Policy | all | all |

| Mirror-port | Off | Off |

| Ingress-mirror | | |

| Egress-mirror | | |

| Ingress to Egress QMap | Default-RCOS | Default-RCOS |

| XCVR caps mismatch | <NONE> |

+-------------------------+---------------------+---------------------+

| VLAN Membership | 300 |

+-------------------------+-------------------------------------------+

Pushing a VID Tag on Untagged Data Frames

When you have the port set to accept all frame types, untagged data frames are allowed to ingress. You can configure the ingress port to add (push) a tag on the frame containing the specified Customer VLAN ID (CVID) and the ingress fixed .1d priority for untagged data frames on ingress. After processing, the header is removed leaving the CVID intact. The

CVID tag is automatically removed (popped) on egress.

Step # Description

Step 1 Create a VLAN.

Step 2 Add the ingress and egress ports to the VLAN.

Command

vlan create vlan

<VlanList> [name

<VlanList>] vlan add vlan <VlanList> port <PortNameList> [tag

{<value> | none}]

52 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

VLAN/Port Configuration

Step # Description Command

Step 3 Set the ingress untagged data VID on the ingress port.

Note that the value used does not have to correspond to an existing VLAN.

port set port

<PortNameList> untaggeddata-vid <VlanId>

Step 4 Set the AFT on all ports to All. On ports 1-8, this value is the default setting.

port set port

<PortNameList>

[acceptable-frame-type

<'all' | 'tagged-only'>]

Step 5 (Optional) Set the ingress fixed .1d priority on the ingress port. port set port

<PortNameList> ingressfixed-dot1dpri <NUMBER: 0-

7>

Step 6 (Optional) Verify the port settings.

port show port

<PortNameList>

Example:

1. > vlan create vlan 4000

2. > vlan add vlan 4000 port 1,5

3. > port set port 1 untagged-data-vid 100

4. > port set port 1,5 acceptable-frame-type all

5. > port set port 1 ingress-fixed-dot1dpri 4

6. > port show port 1

Hybrid Traffic

This scenario configures a port pair that will receive either tagged or untagged frames.

Tagged frames will egress with their original tag intact and untagged frames will egress untagged.

In this example, any traffic tagged with VLAN 300 will enter the switch tagged and leave the switch still tagged with VLAN 300, while untagged traffic will enter untagged and leave untagged. The follow commands are used for this scenario:

Step # Description Command

Step 1 Create a VLAN.

vlan create vlan

<VlanList> [name

<VlanList>]

Step 2 Add the ingress and egress ports to the VLAN.

vlan add vlan <VlanList> port <PortNameList> [tag

{<value> | none}]

Step 3 Set the AFT on the ingress ports to All. On ports 1-8, this value is the default.

port set port

<PortNameList>

[acceptable-frame-type

<'all' | 'tagged-only'>]

Step 4 Set the PVID on the ingress ports to VLAN 1 (this is the default setting).

port set port

<PortNameList> [pvid

<VlanList>]

System Software Configuration Guide 6.5.0

53

VLAN M

ANAGEMENT

VLAN/Port Configuration

Step # Description

Step 5 Set the EUV on the egress ports to VLAN 1 (this is the default setting).

Step 6 (Optional) Verify the ingress port settings.

Step 7 (Optional) Verify the egress port settings.

Command

port set port

<PortNameList> [egressuntag-vlan <VlanList>] port show port

<PortNameList> port show port

<PortNameList>

Example:

1. > vlan create vlan 300

2. > vlan add vlan 300 port 1,5

3. > port set port 1,5 acceptable-frame-type all

4. > port set port 1 pvid 1

5. > port set port 5 egress-untag-vlan 1

6. > port show port 1

7. > port show port 5

Tagged Ethernet Port Emulation

In this example, the standard behavior of a tagged Ethernet port is emulated. Standard tagged Ethernet ports will accept tagged frames and drop all untagged frames.

In the following example, VLAN filtering is disabled, allowing all tagged frames to ingress if the VLAN they are tagged with has been configured on the device. Frames that are tagged with a VLAN ID of 300 will egress untagged. To drop frames that are tagged with a VLAN to which the ingress port does not belong, do not disable VLAN Ingress Filtering.

Step # Description Command

Step 1 Create a VLAN.

vlan create vlan

<VlanList> [name

<VlanList>]

Step 2 Add the ingress and egress ports to the VLAN.

vlan add vlan <VlanList> port <PortNameList> [tag

{<value> | none}]

Step 3 Set the AFT on the ports to Tagged-Only (Tagged-Only is the default setting for ports 9 and 10).

port set port

<PortNameList>

[acceptable-frame-type

<'all' | 'tagged-only'>]

Step 4 Disable Ingress VLAN Filtering on the ports. VLAN Ingress

Filtering should only be disabled if the ingress port is not a member of the tagged frame’s VLAN.

port set <PortNameList>

[vlan-ingress-filter

<'on' | 'off'>]

Step 5 Set the EUV on the ports to the VLAN used in Step 2.

port set port

<PortNameList> [egressuntag-vlan <VlanList>]

Step 6 (Optional) Verify the ingress port settings.

port show port

<PortNameList>

54 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

Port Mirroring

Step # Description

Step 7 (Optional) Verify the egress port settings.

Command

port show port

<PortNameList>

CLI Example:

1. > vlan create vlan 300

2. > vlan add vlan 300 port 1,5

3. > port set port 1,5 acceptable-frame-type tagged-only

4. > port set port 1,5 vlan-ingress-filter off

5. > port set port 1,5 egress-untag-vlan 300

6. > port show port 1

7. > port show port 5

Port Mirroring

To monitor ingress and egress traffic, you can configure another port to “mirror” the traffic of a specified port, or define up to 5 port state mirror groups (PSMGs). By attaching a protocol analyzer to the port, you can monitor and analyze traffic. Port mirroring actions can only be configured on physical ports.

Monitoring traffic on a port is a two-step process. First, port mirroring must be enabled on the port that is to be the mirror port. Next, direct the input traffic, output traffic, or both to the mirror port (the port to which the analyzer is attached).

Any port can be designated as a mirror port, but only one mirror port can be assigned at a time. However, the ingress/egress traffic from multiple ports can be mapped to a single mirror port. Port mirroring configuration persists after a reboot if the device configuration has been saved.

Each PSMG has a source port group and a list of destination ports. A port can be added to a PSMG in either the source group or destination port list. A port can only be a member of one PSMG at a time.

It should be noted that a port defined as a mirror port will continue to transmit/receive normally based on its configuration, such as its VLAN membership. It may be beneficial to manually remove all configuration on the mirror port and place it in a designated mirror VLAN to isolate the desired traffic.

The following example configures a mirror port to analyze the ingress and egress traffic from port 6 using port 3 as the mirror port.

To configure port mirroring, the following steps are used:

Step # Description Command

Step 1 Enable port mirroring on port 3.

port set port

<PortNameList> mirrorport on

Step 2 Configure port 6 to mirror its Ingress and Egress traffic to port 3.

port set port

<PortNameList> ingressmirror <PortName> egressmirror <PortName>

System Software Configuration Guide 6.5.0

55

VLAN M

ANAGEMENT

Port Loopback

Step # Description

Step 3 Display the configuration for port 3 (optional).

Step 4 Display the configuration for port 6 (optional).

Command

port show port

<PortNameList>

[capabilities]

[statistics] port show port

<PortNameList>

CLI Example:

1. > port set port 3 mirror-port on

2. > port set port 6 ingress-mirror 3 egress-mirror 3

3. > port show port 3

4. > port show port 6

Port Loopback

External loopback is supported where data that is received on a port in loopback mode will egress the same port, and the loopback occurs in the PHY.

Loopback can be enabled on any physical port independently, regardless of VLAN membership. Setting the loopback attribute automatically sets the port’s learn limit to 0, with an action of 'forward'. When the loopback setting is 'off', the configured learn limit is then re-applied.

NOTE: If more than two ports within the same VLAN are configured to participate in a loopback test, there is a danger of creating a broadcast storm.

CLI Example:

The following example starts a loopback on port 5.

1. Enable loopback on port 5.

port set port 5 loopback on

2. Stop the loopback test.

port set port 5 loopback off

Port Statistics

The system software tracks statistics per port including:

RxBytes - Number of bytes received in good and bad packets including Frame Check

Sequence (FCS) bytes and excluding framing bits.

RxPkts - Number of packets received, including good and bad.

RxCrcErrorPkts - Number of packets received with CRC errors.

RxMcastPkts - Number of good multicast packets received.

RxBcastPkts - Number of good broadcast packets received.

56 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

Port Statistics

UndersizePkts - Number of packets received that were less than 64 bytes long

(excluding framing bits, but including Frame Check Sequence (FCS) bytes) and were otherwise well formed.

OversizePkts - Number of packets received that were longer than 1518 bytes

(excluding framing bits, but including FCS bytes) and were otherwise well formed.

FragmentsPkts - Number of packets received that were less than 64 bytes in length

(excluding framing bits but including FCS bytes) and had either a bad FCS with an integral number of bytes (FCS Error) or a bad FCS with a non-integral number of bytes

(Alignment Error).

JabbersPkts - Number of packets received that were longer than 1518 bytes (excluding framing bits, but including FCS bytes), and had either a bad FCS with an integral number of bytes (FCS Error) or a bad FCS with a non-integral number of bytes

(Alignment Error).

RxPausePkts - Number of received pause packets.

64OctsPkts - Number of packets (including bad packets) received that were 64 bytes in length (excluding framing bits but including FCS bytes).

65To127OctsPkts -Number of packets (including bad packets) received that were between 65 and 127 bytes in length inclusive (excluding framing bits but including FCS bytes).

128To255OctsPkts -Number of packets (including bad packets) received that were between 128 and 255 bytes in length inclusive (excluding framing bits but including FCS bytes).

256To511OctsPkts - Number of packets (including bad packets) received that were between 256 and 511 bytes in length inclusive (excluding framing bits but including FCS bytes).

512To1023OctsPkts - Number of packets (including bad packets) received that were between 512 and 1023 bytes in length inclusive (excluding framing bits but including

FCS bytes).

1024To1518OctsPkts - Number of packets (including bad packets) received that were between 1024 and 1518 bytes in length inclusive (excluding framing bits but including

FCS bytes)

TxBytes - Number of transmitted bytes in good and bad packets including FCS bytes and excluding frame bits.

TxPkts - Number of packets transmitted including good and bad.

TxExDeferPkts - Number of transmitted excessive defer packets.

TxGiantPkts - Number of well formed packets longer than 1518 bytes including FCS bytes and excluding framing bits.

TxUnderRunPkts - Number of transmitted underrun packets.

TxCrcErrorPkts -Number of transmitted packets with CRC errors.

TxLCheckErrorPkts - Number of transmitted length check packets.

TxLOutRangePkts - Number of transmitted length out of range packets.

TxLateCollPkts - Number of transmitted late collision packets.

TxExCollPkts - Number of transmitted excessive collision packets.

TxSingleCollPkts -Number of transmitted single collision packets.

TxCollPkts - Number of transmitted collision packets.

TxPausePkts - Number of transmitted pause packets.

TxMcastPkts - Number of good multicast packets transmitted.

TxBcastPkts - Number of good broadcast packets transmitted.

System Software Configuration Guide 6.5.0

57

VLAN M

ANAGEMENT

Port Statistics

Displaying Port Statistics

Two sets of statistics are stored: the Total statistics, the values since the last boot up, and the Current statistics, the values since the last statistics clear. The system also calculates throughput values to show current statistics in terms of rate.

You can display a summary of current, total, and current throughput statistics for all or specific ports. Optionally, you can control the output to display:

Active - only non-zero values.

Delay - to specify a length of time in seconds to display the statistics.

Count - number of times to repeat the display.

Scale - specifies the units (Giga, Mega, Kilo, or None) in which to display the values.

For throughput statistics, the default scale is Mega.

Type - Filters type of statistics: basic (only received and transmitted packets and bytes), tx-only (transmitted only), rx-only (received only), errors or all.

To display a summary of port statistics for all ports:

port show statistics|total-statistics|throughput [active] [delay <NUMBER: 1-86400>] [count

<NUMBER: 0-4294967295>] [scale <tera|giga|mega|kilo|none>]

Examples of all active port statistics summary:

> port show statistics active

+------------------------------ PORT STATISTICS SUMMARY ----------------------+

| Port | Byte | Pkt |

| | Tx | Rx | Tx | Rx |

+---------+----------------+----------------+----------------+----------------+

| 1 | 8326248088 | 0 | 67147162 | 0 |

| 2 | 8326247964 | 0 | 67147161 | 0 |

| 12 | 0 | 28879569152 | 0 | 225621634 |

+---------+----------------+----------------+----------------+----------------+

Example of all active port total statistics summary:

> port show total-statistics active

+---------------------- PORT TOTAL STATISTICS SUMMARY -------------------------

| Port | Byte | Pkt |

| | Tx | Rx | Tx | Rx |

+---------+----------------+----------------+----------------+----------------+

| 1 | 169713065596 | 1053155263708 | 325536280 | 1372943892 |

| 2 | 21452132866 | 19878912 | 77950273 | 310608 |

| 12 | 885114437038 | 193572376072 | 1147664620 | 490131140 |

+---------+----------------+----------------+----------------+----------------+

Example of all active port throughput statistics:

CN3920-07> port show throughput active

+--------------- PORT THROUGHPUT SUMMARY 5 SECOND SAMPLE ------------------+

| Port | Bit Rate (Mbps) | Pkt Rate (Mpps) |

| | Tx | Rx | Tx | Rx |

+---------+----------------+----------------+----------------+----------------+

| 1 | 0.867 | | 0.001 | |

| 2 | 0.867 | | 0.001 | |

| 12 | | 2.008 | | 0.003 |

+---------+----------------+----------------+----------------+----------------+

58 System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

Port Statistics

To display statistics for specific ports:

port show port <PortList> statistics|total-statistics|throughput [active] [delay <NUMBER: 1-

86400>] [count <NUMBER: 0-4294967295>] [scale <tera|giga|mega|kilo|none>][type

<all|basic|errors|tx|rx>]

Example of port 1 statistics:

> port show port 1 statistics active

+--------------- PORT 1 STATISTICS -----+

| Statistic | Value |

+--------------------+------------------+

| TxBytes | 8383361868 |

| TxPkts | 67607757 |

| TxBcastPkts | 67607757 |

+--------------------+------------------+

Example of port 1 total statistics:

> port show port 1 total-statistics active

+-------------------- PORT 1 STATISTICS -------------------+

| Statistic | Total Value | Value |

+--------------------+------------------+------------------+

| RxBytes | 1053155263708 | 0 |

| RxPkts | 1372943892 | 0 |

| RxMcastPkts | 8678509 | 0 |

| RxBcastPkts | 8678545 | 0 |

| 128To255OctsPkts | 8678525 | 0 |

| 512To1023OctsPkts | 1355586868 | 0 |

| 1024To1518OctsPkts | 8678499 | 0 |

| TxBytes | 169749142776 | 8393012044 |

| TxPkts | 325827225 | 67685581 |

| TxLOutRangePkts | 939 | 0 |

| TxMcastPkts | 11277954 | 0 |

| TxBcastPkts | 136721539 | 67685581 |

+--------------------+------------------+------------------+

Example of port 1 throughput statistics:

> port show port 1 throughput active

+---------------------- PORT 1 THROUGHPUT ------------------------------------+

| Statistic | Current Value | Delta Value | Rate Mpps & Mbps |

+--------------------+------------------+------------------+------------------+

| Time | 0:21:45:20 | 0:00:03:43.4 | |

| TxBytes | 8,399.264 | 23.951 | 0.107 |

| TxPkts | 67.736 | 0.193 | 0.001 |

| TxBcastPkts | 67.736 | 0.193 | 0.001 |

+--------------------+------------------+------------------+------------------+

Monitoring Port Statistics

In addition, you can continuously monitor port statistics. The system will display the statistics and automatically clear the screen before displaying the updated values. To stop monitoring, press Ctrl+C.

To monitor statistics for all ports:

port monitor statistics|total-statistics|throughput [active] [delay <NUMBER: 1-86400>] [count

<NUMBER: 0-4294967295>] [scale <tera|giga|mega|kilo|none>]

System Software Configuration Guide 6.5.0

59

VLAN M

ANAGEMENT

Port Statistics

Example of monitoring total statistics for all active ports:

> port monitor total-statistics active delay 10

<Screen clears>

+---------------------- PORT TOTAL STATISTICS SUMMARY -------------------------+

| Port | Byte | Pkt |

| | Tx | Rx | Tx | Rx |

+---------+----------------+----------------+----------------+----------------+

| 1 | 170475797780 | 1053155263708 | 331687346 | 1372943892 |

| 2 | 22214864802 | 19878912 | 84101337 | 310608 |

| 12 | 885114437038 | 196217923208 | 1147664620 | 510799477 |

+---------+----------------+----------------+----------------+----------------+

Example of monitoring statistics for a specific port:

> port monitor port 1 statistics active delay 10

<Screen clears>

+------------------------------ PORT STATISTICS SUMMARY ----------------------+

| Port | Byte | Pkt |

| | Tx | Rx | Tx | Rx |

+---------+----------------+----------------+----------------+----------------+

| 1 | 9124523384 | 0 | 73584866 | 0 |

| 2 | 9124523756 | 0 | 73584869 | 0 |

| 12 | 0 | 31648384384 | 0 | 247253003 |

+---------+----------------+----------------+----------------+----------------+

Example of monitoring throughput statistics for a specific port:

> port monitor port 1 throughput active

<Screen clears>

Info: This CLI output may take a while to display press CTRL-C to abort

<Screen clears>

+--------------- PORT THROUGHPUT SUMMARY 20 SECOND SAMPLE ------------------+

| Port | Bit Rate (Mbps) | Pkt Rate (Mpps) |

| | Tx | Rx | Tx | Rx |

+---------+----------------+----------------+----------------+----------------+

| 1 | 0.860 | | 0.001 | |

| 2 | 0.860 | | 0.001 | |

| 12 | | 2.984 | | 0.003 |

+---------+----------------+----------------+----------------+----------------+

To monitor the statistics for specific ports:

port monitor port <PortList> statistics statistics|total-statistics|throughput [active]

[delay <NUMBER: 1-86400>] [count <NUMBER: 0-4294967295>] [scale <tera|giga|mega|kilo|none>]

[type <all|basic|errors|tx|rx>]

60 System Software Configuration Guide 6.5.0

Example of monitoring total statistics for a specific port:

> port monitor port 1 total-statistics active delay 10

<Screen clears>

INFO: Waiting 10 seconds for display. Abort with CTRL-c

+-------------------- PORT 1 STATISTICS -------------------+

| Statistic | Total Value | Value |

+--------------------+------------------+------------------+

| RxBytes | 1053155263708 | 0 |

| RxPkts | 1372943892 | 0 |

| RxMcastPkts | 8678509 | 0 |

| RxBcastPkts | 8678545 | 0 |

| 128To255OctsPkts | 8678525 | 0 |

| 512To1023OctsPkts | 1355586868 | 0 |

| 1024To1518OctsPkts | 8678499 | 0 |

| TxBytes | 170169369228 | 8813238496 |

| TxPkts | 329216148 | 71074504 |

| TxLOutRangePkts | 939 | 0 |

| TxMcastPkts | 11277954 | 0 |

| TxBcastPkts | 140110462 | 71074504 |

+--------------------+------------------+------------------+

Example of monitoring statistics for a specific port:

> port monitor port 1 statistics active delay 10

<Screen clears>

INFO: Waiting 10 seconds for display. Abort with CTRL-c

+--------------- PORT 1 STATISTICS -----+

| Statistic | Value |

+--------------------+------------------+

| TxBytes | 8800415160 |

| TxPkts | 70971090 |

| TxBcastPkts | 70971090 |

+--------------------+------------------+

Example of monitoring throughput statistics for a specific port:

> port monitor port 1 throughput active

<Screen clears>

INFO: Waiting 5 seconds for display. Abort with CTRL-c

+---------------------- PORT 1 THROUGHPUT ------------------------------------+

| Statistic | Current Value | Delta Value | Rate Mpps & Mbps |

+--------------------+------------------+------------------+------------------+

| Time | 0:21:52:05 | 0:00:00:05.2 | |

| TxBytes | 8,442.673 | 0.549 | 0.110 |

| TxPkts | 68.086 | 0.004 | 0.001 |

| TxBcastPkts | 68.086 | 0.004 | 0.001 |

+--------------------+------------------+------------------+------------------+

Clearing Port Statistics

To clear current statistics for all ports:

port clear statistics

To clear current statistics for specific ports:

port clear port <PortList> statistics

System Software Configuration Guide 6.5.0

VLAN M

ANAGEMENT

Port Statistics

61

VLAN M

ANAGEMENT

Port Statistics

62 System Software Configuration Guide 6.5.0

Chapter

Configuring CPU Rate Limiting

• • • • • •

5

At a Glance:

Overview

Benefits

Configuration

Troubleshooting

This chapter explains the purpose and configuration of Central Processing Unit (CPU) rate limiting.

Overview

Network protocol control frames require examination and processing from the CPU. When the CPU must process a large volume of control frames per second, all CPU resources are consumed. This overload causes the CLI and SNMP to become unresponsive.

Benefits

With CPU rate limiting, you can control the number of frames that the CPU must process to help protect the CPU from resource overload, system lockup, and port link loss.

Configuration

By default, CPU rate limiting is globally disabled for the device, and enabled for all individual ports. Before any CPU rate limiting is enforced for the individual ports, you must enable CPU rate limiting globally.

You can configure CPU rate limits in Packets Per Second (PPS) per physical port for the following packet classes:

Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP) control frames. The default rate limit is 5 PPS.

Connectivity Fault Management (CFM) control frames. The default rate limit is 50 PPS.

Tunneled control frames. The default rate limit is 250 PPS.

802.1x port-based network access control frames. The default rate limit is 5 PPS.

Operation, Administration, and Maintenance (EOAM) control frames. The default rate limit is 5 PPS.

Egress Port Restriction (EPR) Address Resolution Protocol (ARP) control frames. The default rate limit is 5 PPS.

System Software Configuration Guide 6.5.0

63

C

ONFIGURING

CPU R

ATE

L

IMITING

Configuration

Internet Group Management Protocol (IGMP) control frames. The default rate limit is

5 PPS.

Generic Internet Protocol control frames. The default rate limit is 700 PPS.

Link Aggregation Control Protocol (LACP) control frames. The default rate limit is 5

PPS.

Link Layer Discovery Protocol (LLDP) control frames. The default rate limit is 5 PPS.

Multi-Protocol Label Switching (MPLS) control frames. The default rate limit is 5 PPS.

Provider Edge (PE) ARP control frames. The default rate limit is 5 PPS.

Per VLAN Spanning Tree (PVST) control frames. The default rate limit is 5 PPS.

Rapid Spanning Tree Protocol (RSTP) control frames. The default rate limit is 5 PPS.

Loopback (used for debug). The default rate limit is 5 PPS.

Remote loopback (used for debug). The default rate limit is 5 PPS.

Two-Way Active Measurement Protocol (TWAMP) test frames. The default rate limit is

100 PPS.

Two-Way Active Measurement Protocol (TWAMP) response frames. The default rate limit is 250 PPS.

Unknown control frames (do not match other packet classes). The default rate limit is

500 PPS.

Setting CPU Rate Limits

When you set CPU rate limits, it can affect services that use control frames within the specified packet class. In a one second interval, the CPU will pass the specified number of packets and drop all following packets of that packet class on the specified port for the remainder of the second.

To set CPU rate limits:

flow cpu-rate-limit set

Example:

> flow cpu-rate-limit set port 15 twamp 300

Resetting CPU Rate Limits to Default

You can easily reset the CPU rate limits to default values for specified ports and packet classes. If you do not specify the packet class, then all packet class rate limits will be set to the default values for the specified ports.

To reset CPU rate limits to default:

flow cpu-rate-limit unset

Example:

> flow cpu-rate-limit unset port 15 twamp

64 System Software Configuration Guide 6.5.0

C

ONFIGURING

CPU R

ATE

L

IMITING

Configuration

Enabling CPU Rate Limiting

You can enable CPU rate limiting at the global (system) level and per port. By default,

CPU rate limiting is disabled at the global level and administratively enabled per port.

When CPU rate limiting is disabled globally, then it is disabled for all ports regardless of the per port state. When you enable CPU rate limiting at the global level, all ports that are administratively enabled per port become operationally enabled and enforce their configured CPU rate limits.

To enable globally:

flow cpu-rate-limit enable

Example:

> flow cpu-rate-limit enable

To enable per port:

flow cpu-rate-limit enable [port <PhyPortNameList]

Example:

> flow cpu-rate-limit enable port 15

System Software Configuration Guide 6.5.0

65

C

ONFIGURING

CPU R

ATE

L

IMITING

Configuration

Disabling CPU Rate Limiting

You can disable CPU rate limiting at the global (system) system level or per port.

To disable globally:

flow cpu-rate-limit disable

Example:

> flow cpu-rate-limit disable

To disable per port:

flow cpu-rate-limit disable[port <PhyPortNameList]

Example:

> flow cpu-rate-limit disable port 15

Configuring CPU Rate Limiting

This section provides a typical example of CPU rate limiting for UNI (subscriber) ports and

NNI (provider) ports. For the UNI ports, rate limits are increased for DHCP packet classes, and decreased for CFT, CFM, generic IP, and unknown control frames. For the NNI ports,

CPU rate limits are set to protect against RSTP, LACP, and LLDP packet storms and minimized for CFT. All other packet classes are left at default.

To configure CPU Rate Limits:

Step # Description

Step 1 Set the BOOTP/DHCP rate limit for UNI ports.

Step 2 Set the CFT rate limit for UNI ports.

Step 3 Set the RSTP, LACP, and LLDP rate limit for NNI ports.

Step 4 Set the CFT rate limit for NNI ports.

Step 5 Enable CPU rate limiting globally.

Command

flow cpu-rate-limit set

{port <PhyPortNameList} flow cpu-rate-limit set

{port <PhyPortNameList} flow cpu-rate-limit set

{port <PhyPortNameList} flow cpu-rate-limit set

{port <PhyPortNameList} flow cpu-rate-limit enable

66 System Software Configuration Guide 6.5.0

C

ONFIGURING

CPU R

ATE

L

IMITING

Configuration

Example:

1. > flow cpu-rate-limit set port 1-5 bootp 50

2. > flow cpu-rate-limit set port 1-5 cft 50 cfm 0 inet 5 dflt 10

3. > flow cpu-rate-limit set port 25-28 rstp 50 lacp 10 lldp 25

4. > flow cpu-rate-limit set port 25-28 cft 10

5. > flow cpu-rate-limit enable

System Software Configuration Guide 6.5.0

67

C

ONFIGURING

CPU R

ATE

L

IMITING

Troubleshooting

Troubleshooting

Displaying CPU Rate Limiting Status

You can display the global status of CPU rate limiting, including an indication of frames dropped. When the CPU is dropping frames from a given port to enforce configured rate limits, the “Drops” column will show “Yes”, otherwise, it will be empty. If “Yes” is displayed in the “Drops” column, it is recommended that you display the port’s statistics

(as shown in the Displaying CPU Rate Limiting Statistics for a Specific Port

section on page 69) to determine what type of control frames are being dropped.

To display the global status of CPU rate limiting:

flow cpu-rate-limit show

Example:

> flow cpu show

+------------- CPU RATE LIMITING ------------+

| Parameter | Value |

+-----------------------+----------------------+

| Device Admin State | Disabled |

+-----------------------+----------------------+

+----------------------------------------------+

| Per Port CPU Rate Limiting |

+--------+-----------+---------------+---------+

| Port | Admin | Operational | Drops |

+--------+-----------+---------------+---------+

| 1 | Enabled | Disabled | |

| 2 | Enabled | Disabled | |

| 3 | Enabled | Disabled | |

| 4 | Enabled | Disabled | |

| 5 | Enabled | Disabled | |

| 6 | Enabled | Disabled | |

| 7 | Enabled | Disabled | |

| 8 | Enabled | Disabled | |

| 9 | Enabled | Disabled | |

| 10 | Enabled | Disabled | |

+--------+-----------+---------------+---------+

68 System Software Configuration Guide 6.5.0

Displaying CPU Rate Limits for a Specific Port

To display CPU rate limits for a specific port:

flow cpu-rate-limit show port <PortName>

Example:

> flow cpu-rate-limit show port 15

+------------------------------------+

| Packets Per Second Rate Limits |

| Port | Packet Class | PPS Rate |

+------+-----------------+-----------+

| 15 | Bootp/DHCP | 5 |

| 15 | CFM | 50 |

| 15 | CFT | 250 |

| 15 | Dot 1X | 5 |

| 15 | EOAM | 5 |

| 15 | EPR ARP | 5 |

| 15 | IGMP | 5 |

| 15 | INET/IP | 700 |

| 15 | LACP | 5 |

| 15 | LLDP | 5 |

| 15 | MPLS | 5 |

| 15 | PE ARP | 5 |

| 15 | PVST | 5 |

| 15 | RSTP | 5 |

| 15 | Loopback | 5 |

| 15 | Remote Loopback | 5 |

| 15 | TWAMP TST | 100 |

| 15 | TWAMP RSP | 250 |

| 15 | Default | 500 |

+------+-----------------+-----------+

Displaying CPU Rate Limiting Statistics for a Specific Port

To display CPU rate limiting statistics for a specific port:

flow cpu-rate-limit show port <PortName> statistics

C

ONFIGURING

CPU R

ATE

L

IMITING

Troubleshooting

System Software Configuration Guide 6.5.0

69

C

ONFIGURING

CPU R

ATE

L

IMITING

Troubleshooting

Example:

> flow cpu-rate-limit show port 15 statistics

+----------- Rate Limit Packet Statistics -----------+

| Port | Packet Class | Dropped | Passed |

+------+-----------------+-------------+-------------+

| 15 | Bootp/DHCP | 0 | 13900 |

| 15 | CFM | 0 | 0 |

| 15 | CFT | 0 | 0 |

| 15 | Dot 1X | 0 | 0 |

| 15 | EOAM | 0 | 0 |

| 15 | EPR ARP | 0 | 0 |

| 15 | IGMP | 0 | 0 |

| 15 | INET/IP | 0 | 8511 |

| 15 | LACP | 0 | 4671 |

| 15 | LLDP | 0 | 4590 |

| 15 | MPLS | 0 | 0 |

| 15 | PE ARP | 0 | 0 |

| 15 | PVST | 0 | 0 |

| 15 | RSTP | 8 | 68853 |

| 15 | Loopback | 0 | 0 |

| 15 | Remote Loopback | 0 | 0 |

| 15 | TWAMP TST | 0 | 0 |

| 15 | TWAMP RSP | 0 | 0 |

| 15 | Default | 0 | 0 |

| 15 | Default | 0 | 0 |

| 15 | Drop | 0 | 0 |

+------+-----------------+-------------+-------------+

Clearing CPU Rate Limiting Statistics for a Specific Port

To clear CPU rate limiting statistics for a specific port:

flow cpu-rate-limit clear port <PortName> statistics

Example:

> flow cpu-rate-limit clear port 15 statistics

Displaying CPU Rate Limiting Configuration in the Configuration File

CPU Rate Limiting configuration is saved to the configuration file in the FLOW/QOS

CONFIG: section.

To display CPU rate limiting configuration in the configuration file:

> configuration show

! Device Configuration File

! Chassis MAC: 00:02:a1:30:7d:60

! Created: Sat Feb 23 12:17:02 2008

! Created by: su

! SW Package: Slot 1 - xxxx-xx-xx-xx-xxx

! Build Number: 2323

! MIB Number: 02-05-00-9924

!

!...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! FLOW/QOS CONFIG:

!

flow cpu-rate-limit enable

!

!

!...

70 System Software Configuration Guide 6.5.0

Chapter

Configuring IEEE 802.1x Security

• • • • • •

6

At a glance:

802.1x Overview

Deployment Example

Using 802.1x with LACP

Configuring 802.1x

This chapter discusses IEEE 802.1x security.

Using 802.1x to Authenticate a PC

Troubleshooting 802.1x Operation

NOTE: This version of system software supports the IEEE 802.1X-2001 Standard.

802.1x Overview

The IEEE 802.1x standard defines an authentication protocol that uses a centralized authentication server (typically a RADIUS server) to provide port-based and user-based network access control. This provides a method for authenticating customer premise equipment (CPE) and the Portals, Service Delivery Switches, and/or Service

Concentration Switches used to provide the CPE network connection.

When a device configured for 802.1x authentication is connected to the network, it passes an authentication request to the device providing its uplink. That device then passes the request through the network to the authentication server, which compares the device’s user name and password to a pre-entered subscriber database entry and decides whether to allow the device full access to the network.

NOTE: If you upgrade from a software release prior to 4.7.2 without first installing the

Advanced-Security feature license, will be disabled and its configuration will not be supported.

System Software Configuration Guide 6.5.0

71

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

802.1x Overview

The use of 802.1x with RADIUS authentication differs from standard RADIUS management authentication. 802.1x uses port-based authentication, whereas RADIUS by itself is used to authenticate users who are attempting to access a device in order to change or monitor its configuration. However, the same RADIUS server could be used for

authentication in both instances. Figure 6-1 shows an example of 802.1x authentication.

Authenticator

Device B

802.1x EAPOL

Messages

Port 6

RADIUS

Messages

72

Supplicant

Device A

Authentication

Server

Port 4

Figure 6-1: IEEE 802.1x Authentication Example

The 802.1x standard specifies the following roles in the authentication process:

Supplicant - is the device requesting access to the network. This could be a subscriber device, such as a PC, or a port on a Portal, Service Delivery Switch, or Service

Concentration Switch that is connected to another device providing its uplink. In the case of a PC, the PC’s network interface card (NIC) is configured for 802.1x authentication using EAP-MD5. When the NIC is enabled, it issues an 802.1x authentication request to a port on the device providing its uplink that is configured as an 802.1x Authenticator. Until the Supplicant is successfully authenticated, only extensible application protocol over LAN (EAPOL) messages from the Supplicant are accepted by the Authenticator port on the uplink device, while other data packets are dropped.

NOTE: If the Supplicant is configured to use DHCP to obtain an IP address, the DHCP request is not passed to the DHCP server until after the Supplicant has successfully authenticated. If the Supplicant does not authenticate, it does not receive an IP address

- preventing it from being reached via an uplink or a subscriber connection. A direct serial port connection to the Supplicant device is then required to correct the problem.

Authenticator - acts as an intermediary between the 802.1x Supplicant and the

RADIUS Authentication Server. It receives the EAPOL formatted authentication request from the Supplicant, encapsulates the authentication request into a RADIUS message, and passes the authentication request to the Authentication (RADIUS) Server. The response from the Authentication Server is sent back to the Authenticator, which forwards the response to the Supplicant. The Authenticator also uses the RADIUS response to determine whether to begin passing regular data traffic to/from the

Supplicant.

The port acting as the Authenticator can be configured to respond to 802.1x frames in one of the following three ways:

System Software Configuration Guide 6.5.0

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Deployment Example

Auto - provides 802.1x operation on a port, allowing only EAPOL frames to be sent and received until the client successfully authenticates. Once authenticated, regular traffic is allowed.

Force Authorized - In this mode, 802.1X is disabled and the port is in an authorized state. The port transmits and receives normal traffic without 802.1Xbased authentication of the client.

Force Unauthorized - causes all communications from an 802.1x client to be blocked, preventing the client from authenticating through this port.

Authentication Server - receives the RADIUS authentication requests sent from the

Authenticator, looks to see if the Supplicant’s user name and password (and additional information if configured) are in its subscriber data base, and responds with a message to allow or deny network access to the Supplicant. For the authentication to succeed, the Authentication Server must be configured to use the same encryption type as the

Supplicant (currently only EAP-MD5 is supported).

Deployment Example

Figure 6-2 illustrates a possible network topology where 802.1x is used. Device A has a

connection to an Authentication server that is configured with a list of user names and passwords. Device A port 16 is configured as an Authenticator, and is connected to

Device B port 25, which is configured as a Supplicant. When Device B is connected to

Device A and is powered on, it sends out EAPOL messages to Device A to begin the authentication process. Device A forms the EAPOL messages into a RADIUS message and forwards the request to the Authentication Server. Once authenticated, Device A port 16 allows regular traffic to ingress from Device B port 25. If Device B port 25 fails to authenticate, regular traffic from that port is blocked, preventing traffic from any devices downstream from reaching the network.

Device A

Port 1

Port 16

Authenticator

Authentication

Server

Portal

Device B

Port 25

Supplicant

PC

Authenticator

Figure 6-2: I802.1x Deployment Example

After Device B port 25 has successfully authenticated, it can pass data from downstream devices that receive their uplink from that port, such as the Portal connected to port 24.

When the Portal connected to Device B is powered on, it sends EAPOL messages out port

5 to Device B port 24, which in turn forms the message into a RADIUS message and

System Software Configuration Guide 6.5.0

73

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Using 802.1x with LACP

forwards it upstream to the Authentication Server. Once the Portal has successfully authenticated, Device B port 24 will allow regular traffic from the Portal to ingress that port.

If a PC is connected to a subscriber port on the Portal, the same 802.1x process can be used to authenticate the PC and unblock the port on the Portal to provide network access.

Using 802.1x with LACP

802.1X operation controls the state of physical ports, allowing or denying a port access based on its authentication state. Ports that are configured as 802.1x Supplicants that are members of a link aggregation group must be authenticated in order to pass traffic as part of that LACP group.

If a port that is a member of an LACP group becomes unauthenticated during operation, it is removed from the distribution list.

Configuring 802.1x

For all of the following examples refer to Figure 6-2. However, these examples configure

only

Device

A and

Device

B in Figure 6-2. Port 16 on

Device

A is configured as an

Authenticator and port 25 on

Device

B as a Supplicant. These examples also assume that the proper entries have already been entered on the Authentication (RADIUS) server.

As previously described, 802.1x operation consists of three entities: Supplicant,

Authenticator, and Authentication Server. The Supplicant and Authenticator are configured on individual physical ports on the devices.

The Authentication Server is a third party device that is separately controlled by the network administrator, but must be accessible by the Authenticator in order to authenticate the Supplicant. The user name(s) and password(s) used by Supplicants must be configured on the server. The server must also be configured to use MD5 encryption.

Most Authentication servers can be configured to allow multiple Supplicants to use the same user name and password to authenticate, but may also require each Supplicant to have a unique user name and/or password.

NOTE: The following Authenticator and Supplicant configuration examples assume that all 802.1x controls are in their default state. Only the required controls are changed in order to successfully authenticate the Supplicant device. Additional configuration changes may be required, depending on the actual network topology.

74 System Software Configuration Guide 6.5.0

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Configuring 802.1x

Configuring the Supplicant

CAUTION: Enabling 802.1x operation blocks further access to the Supplicant port until it has been authenticated. Make sure to configure all Supplicant-specific settings before enabling 802.1x operation on the device, otherwise, the remaining configuration must be performed using a console port connection or through another port on the device that is also part of the device’s management VLAN but is not configured as a Supplicant.

Step # Description Command

Step 1 Establish a connection with the Supplicant device

(Device B).

Telnet

Step 2 On the Supplicant device (Device B), enter the port number of the Supplicant (Port 25 in this example), the username, and the password for the Supplicant.

dot1x supp set port

<PhyPortNameList>

Be sure to enter the username and password exactly as they are configured on the remote authentication server.

Text strings are case sensitive.

Step 3 Enable Supplicant operation on port 25 of Device B.

dot1x supp enable port

<PhyPortNameList>

Step 4 Enable 802.1x operation on Device B.

dot1x enable

CLI Example:

1. dot1x supp set port 25 username Joan password nomoresecrets

2. dot1x supp enable port 25

3. dot1x enable

The Supplicant is now sending EAPOL Start messages, and is looking for an Authenticator.

Configuring the Authenticator

Step # Description Command

Step 1 Establish a connection with the Authenticator device

(Device A).

Telnet

Step 2 Specifying the RADIUS server that will be used as the

Authentication Server. Specify the IP address, UDP port if needed (default 1812), and specify whether the server will be used as a dedicated 802.1x authenticating server

(dot1x) or if it will be used for both user authentication

AND 802.1x authentication (All).

radius add server <IpHost>

Step 3 Set the RADIUS server key.

radius set

Step 4 Enable the RADIUS server for the Authenticator device.

radius enable [server

<IpHostRadius>]

System Software Configuration Guide 6.5.0

75

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Configuring 802.1x

76

Step # Description

Step 5 Globally enable RADIUS on the Authenticator device.

Command

radius enable [server

<IpHostRadius>]

Step 6 Configure Authenticator settings on port 16 of Device A, setting the PAE mode to auto (default).

dot1x auth set port

<PhyPortNameList>

In auto mode, the port state depends on the result of the authentication process.

Step 7 Enable Authenticator operation on port 16 of Device A.

dot1x auth set port

<PhyPortNameList>

Step 8 Enable 802.1x operation on the Authenticator device.

dot1x enable

CLI Example:

1. > radius add server 10.10.10.10 use-for dot1x

2. > radius set key radiuskey

3. > radius enable server 10.10.10.10

4. > radius enable

5. > dot1x auth set port 16 mode auto

6. > dot1x auth enable port 16

7. > dot1x enable

802.1x operation has now been enabled on the device and port 16 has been configured as an Authenticator.

Verifying Authentication

The Port Access Entity (PAE) state for the Supplicant and the Authenticator monitor the current state of authentication. When the Supplicant has authenticated, both devices should indicate that state.

> dot1x show

+--Global Dot1x Status--+

| Enable +

+-----------------------+

+---------------- Dot1x Configuration ----------------+

| Port | Admin | Operational | Port Role |

| | State | State | (Auth/Supp) |

+--------+----------+------------------+--------------+

|1 |Disabled |Unknown |None |

|2 |Disabled |Unknown |None |

|3 |Disabled |Unknown |None |

|4 |Disabled |Unknown |None |

|5 |Disabled |Unknown |None |

|6 |Disabled |Unknown |None |

|7 |Disabled |Unknown |None |

|8 |Disabled |Unknown |None |

|9 |Disabled |Unknown |None |

|10 |Disabled |Unknown |None |

|11 |Disabled |Unknown |None |

|12 |Disabled |Unknown |None |

|13 |Disabled |Unknown |None |

|14 |Disabled |Unknown |None |

|15 |Disabled |Unknown |None |

|16 |Enabled |Authorized |Authenticator |

|17 |Disabled |Unknown |None |

System Software Configuration Guide 6.5.0

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Using 802.1x to Authenticate a PC

|18 |Disabled |Unknown |None |

|19 |Disabled |Unknown |None |

|20 |Disabled |Unknown |None |

|21 |Disabled |Unknown |None |

|22 |Disabled |Unknown |None |

|23 |Disabled |Unknown |None |

|24 |Disabled |Unknown |None |

|25 |Disabled |Unknown |None |

|26 |Disabled |Unknown |None |

|27 |Disabled |Unknown |None |

|28 |Disabled |Unknown |None |

+--------+----------+------------------+--------------+

> dot1x auth show port 16

+--- Dot1x Authenticator Pae State ----+

+ Authenticated |

+--------------------------------------+

+------------------------ Dot1x Authenticator Port Configuration ---------+

|Port| Eap | Auth |Quiet | Tx |Supp|Server|Max|Reauth| Reauth |

| |Result| Mode |Period|Period|Tmo | Tmo |Req|State | Period |

|----+------+-------------+------+------+----+------+---+------+----------|

|16 |Succ |Auto |60 |30 |30 |30 |2 |Ena |3600 |

+----+------+-------------+------+------+----+------+---+------+----------+

+------------------ Dot1x Authenticator Port Statistics -----------------------+

| Port | Eapol | Eapol | Id Req | Id Resp | Request |Response |

| | Frames Tx | Frames Rx | Frames Tx | Frames Rx |Frames Tx |Frames Rx |

+--------+-----------+-----------+-----------+-----------+----------+----------+

|16 |32183 |70 |21421 |34 |34 |34 |

+--------+-----------+-----------+-----------+-----------+----------+----------+

+------------------ Dot1x Authenticator Session Statistics --------------------+

|Parameter | Value |

+---------------------------+--------------------------------------------------+

|Frames Tx |2794 |

|Frames Rx |1866 |

|Sess Id |2-1 |

|Session Time (seconds) |214 |

|Session Auth Method |Remote Authentication Server |

|Session Terminate Cause |Not Terminated Yet |

|Session Username |joan |

+---------------------------+--------------------------------------------------+

Using 802.1x to Authenticate a PC

A personal computer (PC) with an 802.1x-capable network interface card (NIC) can be configured as a Supplicant. Using an Access Portal or other device configured as an

Authenticator, the PC can be authenticated in order to access the network.

Both the NIC and the PC’s operating system must support 802.1x operation. For example,

Windows™ 2000 requires Service Pack 4 to enable 802.1x operation. Some NICs provide

802.1x operation while others do not. If an “Authentication” tab is not displayed in the

NIC’s configuration settings, 802.1x is probably not supported. Consult the NIC’s documentation for its capabilities and operating system requirements.

System Software Configuration Guide 6.5.0

77

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Using 802.1x to Authenticate a PC

Configuring the NIC

The following steps outline the general procedure to configure the PC’s settings. Note that the NIC must be enabled to perform these steps.

1. Access the NIC’s properties. In Windows™, select Start > Settings >

Network Connections (or access the Network Connections on the Control

Panel). Right-click on the entry for the NIC being used and select

Properties.

2. Select the Authentication tab.

Must use MD5!

Leave these un-checked.

78

Figure 6-3: Local Area Connection Properties

3. Check the box next to “Enable IEEE 802.1x authentication for this network.”

4. Select MD5-Challenge for the EAP Type.

5. Un-check any other boxes that may be checked.

6. Select OK.

7. Close the NIC properties window.

Logging Into the Network

1. Connect the PC to the port configured as the Authenticator on the Portal or other device connected to the network.

2. After several seconds, the PC displays an alert regarding entering user credentials. Click on the alert to display the entry window.

System Software Configuration Guide 6.5.0

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Troubleshooting 802.1x Operation

3. Enter the user name and password exactly as it is entered on the authentication server and select OK.

Figure 6-4: Authenticating the PC

NOTE: Even after the PC has successfully authenticated, it will not have network connectivity unless the NIC has either been configured with a static IP address that is within the network’s subnet or it has been configured to use DHCP to obtain an IP address and a DHCP server is reachable on the network.

Troubleshooting 802.1x Operation

If a Supplicant fails to authenticate when put into service, or the Supplicant cannot be contacted after it successfully authenticates, verify that the following conditions are met:

• The physical ports on the devices that are configured as the Supplicant and the

Authenticator have a direct physical connection to each other. The only exception to this is if control frame tunneling is configured to tunnel 802.1x EAPOL frames through any intermediate device(s) connecting the Supplicant to the Authenticator.

• If the Supplicant is configured to obtain its IP address from a DHCP server, that server must be accessible once the Supplicant has been authenticated.

• Make sure that global 802.1x operation is enabled on the Supplicant and on the

Authenticator.

• Verify that MD5 encryption is being used by the authentication server. Other types of encryption, such as Protected EAP (PEAP), are not supported.

• The Supplicant, Authenticator, and Authentication Server must all be on the same

VLAN in order to communicate (unless a router exists between the switch and the server). The EAPOL messages sent by the Supplicant are not 802.1q tagged, therefore the Supplicant can successfully authenticate without being on the same VLAN as the

Authenticator or the Authentication Server. However, once authentication is successful, the Supplicant will not be able to communicate with the Authenticator if it is on a different VLAN.

Use the Ping command to verify that the Authenticator can communicate with the

Authentication Server.

System Software Configuration Guide 6.5.0

79

C

ONFIGURING

IEEE 802.1

X

S

ECURITY

Troubleshooting 802.1x Operation

Verify that the Authentication Server’s authentication port number is the same number specified in the Supplicant’s settings.

Verify that the RADIUS key specified matches the key configured on the Authentication

Server.

Verify that the user name and password specified for the Supplicant are exactly the same as they are entered in the Authentication Server’s user list (including the use of lower and upper case characters)

80 System Software Configuration Guide 6.5.0

Chapter

Link Aggregation and LACP

• • • • • •

7

At a Glance:

Overview

Link Aggregation Group

Manual Link Aggregation

LACP

Configuring Link Aggregation

This chapter discusses the differences between Link Aggregation and LACP. It also explains how to configure them.

Overview

Link Aggregation is defined in IEEE 802.3ad. This standard defines how two or more fullduplex Ethernet ports of the same speed can be combined into a single logical port to carry traffic between two devices connected in parallel. This logical grouping of ports enables load sharing and load balancing among these ports and thus an aggregation of bandwidth as well. Traffic destined to egress on an aggregated port is distributed among all the links in the group.

Link Aggregation also provides inherent, automatic redundancy for high-traffic network connections. This is achieved by dynamically redirecting traffic from a failed port to the remaining good port in the aggregation group. Link Aggregation can therefore be used to expand bandwidth and add link redundancy.

NOTE: The IEEE 802.3ad standard does not support aggregation of bandwidth between links taking different paths and connecting to different upstream units. Only ports connected in parallel between two units can be aggregated.

Link Aggregation Group

Link Aggregation is configured using the concept of physical ports vs. logical ports.

Physical ports are actual ports on the switch, while logical ports or Link Aggregation

Groups (LAG) are the collective group the physical ports belong to. Grouped physical ports appear to the system as one logical port. For example, with spanning tree, a physical port assigned to a LAG appears to be operationally down. This excludes the physical port from being considered in the spanning tree topology.

Instead, within the LAG group there is always a ‘lead port’, which is responsible for sending control frames for protocols such as RSTP. The lowest port number in the LAG is always elected as the lead port. If the lead port should go down, the port with the next lowest port number will assume the role of lead port. If a link failure should occur, it is

System Software Configuration Guide 6.5.0

81

L

INK

A

GGREGATION AND

LACP

Manual Link Aggregation

almost transparent. The only traffic losses will be the frames either in the egress queue or those already on the wire at the time of failure. Up to 8 LAGs are supported with up to 8 physical ports per unit.

In addition, aggregated ports operate as if they were a single entity with respect to L2 address learning, regardless of which port of the LAG traffic ingresses.

Two types of Link Aggregation are supported, manual Link Aggregation and Link

Aggregation Control Protocol (LACP). However, regardless of the type of Link Aggregation, the user is only required to create a LAG, add ports to it, and then specify the mode of aggregation (manual or LACP). The unit will take care of the rest of the configuration itself.

NOTE: EOAM loopback set on the LEAD port of an aggregation will cause the RECEIVE-side aggregation (if it is the lead port in loopback) to NOT forward traffic. EOAM loopback done on ANY other physical port in the aggregation should pass traffic correctly.

Manual Link Aggregation

LACP allows the unit to negotiate link aggregation by sending LACP PDUs to its peer.

Manually configured Link Aggregation ports are considered “blind” as they are set up completely by the administrator and never send LACP PDUs. A manual Link Aggregation forms only when a LAG has been specifically configured on two devices following which, their ports are physically connected.

Although Link Aggregation has been a standard since 1998 every vendor has a slightly different implementation (e.g., Cisco Ether Channel, Sun Trunking, etc.). Manual Link

Aggregation is most useful when connecting a Ciena device to another vendor’s device that supports manual Link Aggregation.

LACP

IEEE 802.3ad LACP allows for standards-based link aggregation between devices over full duplex, same-speed links. LACP utilizes control packets in order to establish aggregation of links, maintain that aggregation, and distribute or redistribute bandwidth for load balancing and link failure. The LACP protocol is very intricate and prone to configuration errors. Ciena has therefore simplified the configuration of Link Aggregation.

Traditionally, network administrators had to worry about configuring such parameters as

Actor Admin Keys, Operational keys, collector max delay, and other such complications.

In the Ciena implementation, all of these parameters are handled behind the scenes.

After a LAG has been created on one device and ports are added, it will look for eligible ports on its peer to aggregate with. It doesn’t matter if the two LAGs have the same configurations as their peer, as long as the groups are valid they will find each other and negotiate an aggregation.

82 System Software Configuration Guide 6.5.0

L

INK

A

GGREGATION AND

LACP

LACP

LAG 8

Ports 9, 12, 14, 16

Aggregation

LAG 2

Ports 5, 8, 10, 12

Figure 7-1: Link Aggregation

NOTE: Advanced users may still directly configure parameters and keys for both LAGs and physical ports.

LACP uses two types of control frames; LACP PDUs and Marker Frames. Both messages use a globally unique destination address of 01-80-C2-00-00-02 and a corresponding Ethernet type. LACP PDUs are used for negotiation between links. Marker frames are used to maintain frame sequence order.

As bandwidth is distributed across aggregated ports and a port is made ready to forward frames on the LAG, Marker Frames and Marker Response Frames are exchanged. When an event that requires flow redistribution occurs, the flows that need to be redistributed are first blocked. Once blocked, a Marker Frame that has a response timer tied to it, is sent out each port in the aggregation group to the link partner (i.e. another Service Delivery

System Software Configuration Guide 6.5.0

83

L

INK

A

GGREGATION AND

LACP

LACP

Switch/Service Concentration Switch) for each flow. When the Marker Response Frames are received or the response timers expire, the flow is moved in the forwarding database of the newly selected port and forwarding is once again enabled.

Protection Link Aggregation

Additional ports can be added (up to 16 per Aggregation Group, with up to 8 ports active at any given time) to a Link Aggregation Group (LAG) as either Protection (backup) ports, or as regular Distribution ports. By default, all ports are distribution ports. Protection ports collect the same traffic as the Distribution ports, but do not transmit data (if LACP is enabled) until an active port in the LAG becomes disabled, either administratively or operationally.

Designating ports as Protection ports enables port redundancy in the event of a

Distribution port failure, and thus smooths out potential traffic bottlenecks.

For example, suppose that 3 ports are designated as Distribution ports, and 2 ports are designated as Protection ports. All 5 ports are grouped together in the same LAG. The

Distribution ports handle all the traffic, and the Protection ports are essentially on standby. If a Distribution ports fails, then the Protection port with the lowest port number immediately takes its place.

By default, when a failed Distribution port returns to operational status, it becomes a

Protection (backup) port. However, this behavior can be overridden by enabling the revert-protection

parameter. In this case, the original Distribution port becomes active again (and one of the Protection ports then reverts back to being a backup port) only after the revert-delay timer expires, or an additional Distribution port fails. The timer delay protects the LAG from a port that may be rapidly flapping between enabled and disabled.

When using the aggregation show agg member command, the state of each port in the aggregation group is displayed in the Type field. This field can help determine if a port is participating in the aggregation group or in the case of a Protection port, whether a port is distributing traffic or just collecting traffic. Protection ports are indicated by a

“P” next to the port number. The following states are listed:

• Added– the physical port has been administratively added to the logical aggregation port (for example, aggregation add agg port command)

• Selec- the physical port has been selected for this aggregation port by the protocol.

Agged – the physical port has been aggregated to this aggregation port by the protocol.

This physical port now belongs the logical aggregation port.

Dist- The port is forwarding traffic over the logical aggregation port.

84 System Software Configuration Guide 6.5.0

L

INK

A

GGREGATION AND

LACP

Configuring Link Aggregation

Configuring Link Aggregation

The example configures LACP between two devices. When configuring LACP all links in the Aggregation should either be up or down.

For manual Link Aggregation, it is recommended that both devices be configured first, before the physical connections are made. Ciena does not recommend manual configuration of LACP parameters and keys unless the user has a firm understanding of the LACP standard.

NOTE: When naming Link Aggregation Groups, do not use a dash (-) symbol. The CLI will misinterpret the dash as denoting a port range.

CAUTION: When changing the mode of a link aggregation from manual to LACP or from

LACP to manual for a single link, a service disruption will occur on the LACP side until the modes match again. If connecting to the device using the management interface, the desired aggregation state must be modified on the “far end” device first or connectivity will be lost unless a backup link exists.

For example, remote connections between Juniper devices are lost after disabling link aggregation. Juniper devices should be set to manual mode with the interfaces <agg group> aggregated-ether-options lacp

command.

To minimize service disruption, Ciena recommends provisioning backup links before modifying the link aggregation mode.

To configure Link Aggregation:

Step # Description Command

Step 1 Create a Link Aggregation Group (virtual port) on Service

Delivery Switch/Service Concentration Switch 1.

aggregation create agg

<LagPortName[7]>

Step 2 Add ports to the Aggregation Group.

aggregation add agg

<LagPortName[7]> {[port

<PhyPortNameList>]

[protection-port

<PhyPortNameList>]}

Step 3 (optional) Verify the configuration of the LAG.

aggregation show agg

<LagPortName[7]> [info]

[mode]

Step 4 Create a VLAN for the LAG

vlan create vlan

<VlanIdList> [name

<String[31]>]

Step 5 Add the aggregation to the VLAN

vlan add vlan <VlanList> port <PortNameList>

System Software Configuration Guide 6.5.0

85

L

INK

A

GGREGATION AND

LACP

Configuring Link Aggregation

Step # Description

Step 6 (optional) Verify VLAN creation and membership.

Command

vlan show [port

<PortNameList>|vlan

<VlanList>] statistics

Step 7 Repeat the configuration for Service Delivery

Switch/Service Concentration Switch 2.

Since the steps in configuration of both Service Delivery Switches/Service Concentration

Switches is the same for both link partners, only device 1 is shown in the following example:

CLI Example:

The following example creates an aggregation group with ports 5,8,11, and 15 named group_1 in VLAN 10.

1. > aggregation create agg group_1

2. > aggregation add agg group_1 port 5,8,11,15

3. > aggregation show agg group_1 info

+--------------------- Agg Port 2049 Info --------------------+

| Parameter | Value |

+---------------------------+---------------------------------+

| LAG Port Name & ID | group_1 0x0801(2049) |

| Added Total Ports | 5 8 11 15 |

| Primary Ports | 5 8 11 15 |

| Protection Ports | 0 - |

| Selected Ports | 5 8 11 15 |

| Admin & Oper State | Up Up |

| Lacp Mode | LACP |

| Marker Delay | 0 |

| Marker Resp_All_Rcvd Count| 0 |

| Time_Out Count | 0 |

| Ready Waiting | None |

| Port Entry | |

| Aggregator Index | 0x0801 |

| ACTOR Port MAC | 00:02:A1:07:18:A0 |

| Sys Prio & ID | 0x8000 00:02:A1:07:18:A0 |

| Admin & Oper Key | 0x0801 0x2801 |

| Agg/Individual | Aggregate |

| Coll Max. Delay | 0 |

| PARTNER Sys Prio & ID | 0x8000 00:02:A1:15:57:40 |

| Oper Key | 0x2801 |

| Coll Max Delay | 0 |

| Revert Time out | 5000 (ms) |

| Revert Protection | Off |

+---------------------------+---------------------------------+

4. > vlan create vlan 10

5. > vlan add vlan 10 port group_1

6. > vlan show vlan 10

86 System Software Configuration Guide 6.5.0

L

INK

A

GGREGATION AND

LACP

Configuring Link Aggregation

Configuring Protection Ports

To configure Link Aggregation Protection:

Step # Description Command

Step 1 Create a Link Aggregation Group (virtual port) on the

Service Delivery Switch/Service Concentration Switch 1.

aggregation create agg

<LagPortName[7]>

Step 2 Add ports to the Aggregation Group as regular

Distribution ports.

aggregation add agg

<LagPortName[7]> {[port

<PhyPortNameList>]

[protection-port

<PhyPortNameList>]}

Step 3 Add additional ports to the Aggregation Group as

Protection ports.

aggregation add agg

<LagPortName[7]> {[port

<PhyPortNameList>]

[protection-port

<PhyPortNameList>]}

Step 4 Enable/disable revert protection (default = off)

aggregation set agg

<LagPortName[7]> revertprotection <on|off>

Step 5 Set revert delay timer from 0—60,000 ms

(default = 5000 ms)

aggregation set agg

<LagPortName[7]> revertdelay <NUMBER: 0-60000>

Since the steps in configuration of both Service Delivery Switches/Service Concentration

Switches is the same for both link partners, only device 1 is shown in the following example:

CLI Example:

1. > aggregation create agg 111

2. > aggregation add agg 111 port 1,2,3

3. > aggregation add agg 111 protection-port 4,5,6

4. > aggregation set agg 111 revert-protection on

5. > aggregation set agg 111 revert-delay 10000

System Software Configuration Guide 6.5.0

87

L

INK

A

GGREGATION AND

LACP

Configuring Link Aggregation

88 System Software Configuration Guide 6.5.0

At a Glance:

Environmental Overview

Monitoring Temperature and Status

Monitoring Power Supply Status

Monitoring Power On Self Tests

Managing Device Archives

Chapter

Monitoring System Status

• • • • • •

8

Displaying Device Identification

Attributes

Displaying Platform Capabilities

Displaying the Chassis MAC address

This chapter discusses how to monitor the chassis environment, including temperature, power supplies, Power On Self Test (POST), device archive, and device identification information. System resources are also monitored and available for display. System resource items include CPU and memory usage, as well as aggregations, meter profiles,

PBT entries, virtual switches, and MAC tables.

Environmental Overview

Environmental monitoring of chassis components can provide early warning indications of possible component failure. Monitoring these components via the CLI ensures safe and reliable system operation and avoids network interruptions.

Monitoring Temperature and Status

Temperature sensors report the device’s current operating temperature. Two fixed temperature thresholds are set on each device, a low temperature threshold and a high temperature threshold. The fixed low temperature threshold is set at 0°C and the high temperature threshold at 40°C. Exceeding these temperature thresholds can cause damage to the device and may void the warranty.

The device stores the highest and lowest temperatures. Also, when a high/low temperature violation is detected (e.g., device temperature exceeds 40°C), a counter is incremented. Separate counters are kept for high and low temperature violations.

Setting Temperature Thresholds

You can change the high and low temperature thresholds.

To set the temperature thresholds:

chassis set {[high-temp-threshold <NUMBER: 0-60>],[low-temp-threshold <NUMBER: 0-60>]}

System Software Configuration Guide 6.5.0

89

M

ONITORING

S

YSTEM

S

TATUS

Monitoring Power Supply Status

Example:

chassis fan-tray set sensor-id 1 high-temp-threshold 40 low-temp-threshold 5

Checking Chassis Temperature

To check chassis temperature:

> chassis show temperature

+- TEMPERATURE THRESHOLD -+

| Low | High |

+------------+------------+

| 0 C | 60 C |

+------------+------------+

+--- TEMPERATURE STATUS --+

| Current | Low | High |

+---------+-------+-------+

| 41 C | 41 C | 41 C |

+---------+-------+-------+

The temperature threshold and status displays the following:

Field Description

Low Threshold The lowest temperature at which the device can be safely operated.

High Threshold

Current

Low

High

The highest temperature at which the device can be safely operated.

Current device temperature.

Lowest device temperature recorded.

Highest device temperature recorded.

Monitoring Power Supply Status

The chassis supports a variety of power configurations with or without UPS, including meter based and power conversion. You can display the status of the power supply.

Checking Power Supply Status

To check the power supply status:

>chassis show power

+------ Power Supply Status -----+

| Id | Type | State |

+---------+------------+---------+

| 1 | AC | Online |

+---------+------------+---------+

90 System Software Configuration Guide 6.5.0

M

ONITORING

S

YSTEM

S

TATUS

Monitoring Power On Self Tests

The power supply status displays the following:

Field Description

ID

Type

• ID 1— Main power supply

• ID 2— backup battery

Indicates whether the power supply is AC or

DC, or not installed (Unequipped).

State

Online— Power supply is operational.

• Offline— Power supply is installed but not turned on.

Faulted— Power supply is not functioning.

Monitoring Power On Self Tests

Power-on Self-tests (POST) run automatically when the chassis is powered up. These tests provide troubleshooting information about the switch, showing failures, portconnectivity problems, or other information. If no problems are found with the device, the POST results will indicate that no errors were detected.

Errors are reported using a 32 bit hex value called a POST Code. The CLI also displays a brief text message with the POST Code that describes the error. If POST errors are found, note the POST Code(s) and any associated messages, then contact Customer Support.

NOTE: On the CN 3940 platform with 2 installed power supplies, if one is not powered up,

POST will fail as if the power supply is faulted. Software does not distinguish between a power supply without power and a power supply that is faulted.

Checking POST State and Results

To check POST state and results for all or specific modules:

chassis post show

Examples of possible POST results using the CLI:

>chassis post show

POST is enabled.

POST Results: No errors detected.

>chassis post show

POST is disabled.

>chassis post show

POST is enabled.

POST Results:

SWITCH: 14818B180 CXE data line test failed: Wrote 0x01000000 Read 0x00000000

SWITCH: 00103918 CXE address line test failed (address 0x40000000)

CORE: 01020304 Can’t write to temp sensor #1

System Software Configuration Guide 6.5.0

91

M

ONITORING

S

YSTEM

S

TATUS

Managing Device Archives

Managing Device Archives

Device archives store information related to the environmental status of the device. You can save this information to a file on the flash or export it to a TFTP server.

Displaying Device Archives

You can display all device archives or specify only to show fan, platform, or slot device archives.

To display device archives:

device-archive show

Example:

> device-archive show

+------------------------ DEVICE ARCHIVE -----------------------+

| Parameter | Value |

+---------------------------------------------+-----------------+

| Cumulative system uptime (seconds) | 1779 |

| Cumulative system uptime (days:hh:mm:ss) | 000:00:29:39 |

| Highest Temperature (degrees Celsius) | 0 (60 MAX)|

| Number of High Temperature Violations | 0 |

| Lowest Temperature (degrees Celsius) | 50 ( 0 MIN)|

| Number of Low Temperature Violations | 0 |

| Number of Soft Resets | 0 |

| Total Number of Resets | 0 |

| Last Reset Reason | Unknown |

+---------------------------------------------------------------+

Saving Device Archives to Flash

You can save all device archives to /mnt/sysfs/archive.

To save device archives to flash:

device-archive save

Example:

> device-archive save

> file cd /mnt/sysfs/archive

> file ls

-rw-r--r-- 1 root root 167 Jan 1 00:10 default.arc

92 System Software Configuration Guide 6.5.0

M

ONITORING

S

YSTEM

S

TATUS

Displaying Device Identification Attributes

Displaying Device Identification Attributes

Device identification attributes includes:

Device Type

• Hardware Version

Serial Number

• MAC Address

Manufactured Date

• E-PROM (Param) Version

To display device identification attributes:

chassis show attributes

Example:

> chassis show attributes

+---------------- CHASSIS DEVICE ID ----------------+

| Parameter | |

+---------------------------+-----------------------+

| Chassis Device Type | 007 |

| Chassis Hardware Version | 0 |

| Chassis Serial Number | 0 |

| Chassis MAC Address | 00:02:a1:07:a4:a0 |

| Manufactured Date | 25-10-2007 |

| Param Version | 005 |

+---------------------------+-----------------------+

Displaying Platform Capabilities

Platform capabilities describe a variety of physical and software resources supported by the chassis.

To display platform capabilities:

chassis show capabilities

System Software Configuration Guide 6.5.0

93

M

ONITORING

S

YSTEM

S

TATUS

Displaying the Chassis MAC address

Example:

> chassis show capabilities

+-------------------------- PLATFORM CAPABILITIES -------------------------+

| Parameter | Value |

+------------------------+-------------------------------------------------+

| Capabilities Class | 0 |

| Platform Type | 007 |

| Platform Name | CN 3911 |

| Platform Description | CN 3911 Service Delivery Switch |

| No. Slots | 1 |

| Primary Ctrl Blade | 1 |

| DC Power | No |

| Redundant Power | No |

| Max Physical Ports | 10 |

| Max LAG Ports | 0 |

| Max VLANs | 256 |

| VLAN Translation | Not Supported |

| Max IGMP Snoop VLANs | 0 |

| Max Mcast Groups | 0 |

| Max RSTP Domains | 0 |

| Protocol Filters | Not Supported |

| Max Tunnels | 0 |

| Max Ingress Tunnels | 0 |

| Max Egress Tunnels | 0 |

| Max VCs | 0 |

| Max VSs | 0 |

| Max VS Subs | 0 |

| Multi Subs Per Port | False |

| VPLS FPGA Support | False |

| PBT FPGA Support | False |

| Max Learned Entries | 4000 |

| Max FSMT Entries | 0 |

| Max FSMT COS Entries | 0 |

| Max L4 Prot/P Entries | 0 |

| Max SLT Entries | 0 |

| Max SACT Entries | 0 |

| Max SMT Entries | 1024 |

| Max EPR Snids | 0 |

| Max SLT Wildcards | 0 |

+------------------------+-------------------------------------------------+

Displaying the Chassis MAC address

The chassis MAC address is assigned at manufacturing.

To display the chassis MAC address:

chassis show mac

Example:

> chassis show mac

Chassis MAC 00:02:a1:07:a4:a0

94 System Software Configuration Guide 6.5.0

Chapter

OAM

• • • • • •

9

At a Glance:

Overview

Principles of Operation

Feature Benefits

Configuring OAM

This chapter provides an overview of the IEEE 802.3ah Operations, Administration, and

Maintenance (OAM) and how to configure OAM on devices running this version of SAOS.

Overview

IEEE 802.3ah OAM defines a standard for data link layer Operations, Administration and Maintenance (OAM) sublayer within Layer 2 of the OSI model. It provides mechanisms for monitoring link operation such as remote fault indication and remote loopback control. It is important to note that this OAM functionality only applies to point-to-point Ethernet links. It is the responsibility of higher layer protocols to implement end-to-end OAM functions (over multiple links) in a network.

One of the key functions that can be implemented using OAM is remote loopback mode which is a mechanism by which a Data Terminating Equipment (DTE) requests a remote

DTE to go into loopback mode. In this mode all frames sent to the remote DTE are simply looped back unchanged. The return frames can then be analyzed by the sender to determine link quality. Note that in addition to EOAM loopback, a loopback test can also be performed using two physical ports within the same VLAN or broadcast domain using the port set port loopback command.

Principles of Operation

OAM remote loopback is the ability to test link quality/performance and isolate link faults by sending frames from one DTE and looping them back at the other DTE. As such, loopback is an intrusive procedure and all normal port operations such as forwarding and learning are disrupted. Any services supported by the ports involved also cease to function. SAOS therefore provides the ability to configure a port to ignore loopback requests.

System Software Configuration Guide 6.5.0

95

OAM

Principles of Operation

OAM loopback can only be initiated by DTEs that are configured for OAM Active mode.

Active mode DTEs can be switched to loopback mode. In rare cases when two Active mode

DTEs simultaneously issue loopback commands for the other DTE, one of the DTEs drops its request and accepts the remote DTE’s command.

OAM Client

MAC Client

OAM

MAC Control

MAC

Physical

Local DTE

X

OAM Client

MAC Client

OAM

MAC Control

MAC

Physical

Remote DTE

Medium

Figure 9-1: Operation of OAM Remote Loopback

Link Events

802.3ah OAM uses 2 types of link events, critical link events and non-critical link events.

Critical link events (link fault, dying gasp, etc.) are signaled to the remote DTE by setting the appropriate flag in the OAMPDU frame header. Non-critical events are conveyed using

Event Notification PDUs. The data field in an event OAMPDU consists of event TLVs.

Critical Events

Critical events are generated for the following events:

Dying Gasp- generated when a reboot command is issued administratively, when power is lost, or there is a fatal software error.

Critical Link Event- generated when the unit temperature crosses above the configured threshold (default = 40°C), unit temperature crosses below the configured threshold

(default = 0°C), or fan speed drops below 800 RPM.

Non-Critical Events

Non-critical event notifications are sent under the following conditions:

Errored Frame Event- generated if the errored frame count is equal to or greater than the specified threshold for that period. Jabber, oversize, undersize, fragment and CRC errors are all monitored.

Errored Frame Period Event- generated if the errored frame count is greater than or equal to the specified threshold for a period (number of received frames). Jabber, oversize, undersize, fragment and CRC errors are all monitored.

Errored Frame Seconds Summary Event- generated if the number of errored frame seconds is equal to or greater than the specified threshold for that period. An errored frame second is a 1 second interval wherein at least one frame error is detected.

Jabber, oversize, undersize, fragment and CRC errors are all monitored.

96 System Software Configuration Guide 6.5.0

OAM

Feature Benefits

Feature Benefits

The primary benefit of 802.3ah OAM is to provide the ability to monitor a link for critical events and then put the remote device into loopback mode to test on the link. OAM functions can be implemented once two directly connected DTEs become aware of each others’ OAM capabilities. This is made possible through an OAM discovery process.

OAM information is conveyed in Slow Protocol frames called OAMPDUs. OAMPDUs must be standard length frames (64-1518 octets) and must be untagged. As per the standard, a maximum of 10 OAMPDUs may be sent per second.

Discovery is the process by which the OAM capabilities of peer OAM-enabled entities are discovered. Information OAM Protocols Data Units (OAMPDUs) are used to exchange OAM capability information. In addition, the flags field in the OAMPDU header is used to indicate the current state of OAM discovery. Once discovery is successful other OAM messages/commands can be exchanged between peer OAM entities. The discovery process re-starts automatically if an OAM entity does not receive an Information OAMPDU from the peer OAM entity within 5 seconds.

Support of Standard Tools

OAM is a standards-based protocol. Using OAM rather than a proprietary topology discovery protocol allows the network provider to interoperate with non-devices that support OAM. SNMP MIBs (Management information Database) are supported.

Through the Command Line Interface (CLI), a user can access the SAOS device and manage OAM information. General information, such as loopback configuration for all ports can be displayed and users with proper privileges can configure OAM options. The

SAOS software can then detect and manipulate OAM information transmitted.

Configuring OAM

OAM is disabled by default on all ports, but can be enabled or disabled on a per-port basis.

NOTE: To enable EOAM commands, the Advanced OAM feature license must be installed with the software license install command.

Enabling OAM

In the following configuration example, the user displays the state of port 5 on a device, then enables OAM on this port. The same configuration is applied to another device on port 11.

NOTE: In this example, configuration settings are verified by using show commands.

Although these steps are listed as optional, it is good practice to verify command settings using these commands.

System Software Configuration Guide 6.5.0

97

OAM

Configuring OAM

Configuration steps:

Step # Description

Step 1 Enable Global EOAM on both devices.

Location/Command

eoam enable [port

<PhyPortNameList>]

Step 2 Display the current state of port 5 on device A.

Step 3 Set port 5 to enable mode active on device A and port 11 to enable mode passive on device B.

eoam enable [port

<PhyPortNameList>]

Step 4 (Optional) Verify the configuration of the port.

eoam show [port

<PhyPortNameList>] [linkevents] [errd-eventsstatistics] [event-log] eoam show [port

<PhyPortNameList>] [linkevents] [errd-eventsstatistics] [event-log]

CLI Example:

1. > eoam show port 5

+--Global Oam Status --+

| Disable |

+----------------------+

+----------------------------- Oam Port Statistics -------------------------+

|Port|Admin| Oper State |Mode|OAM Func Support| Info | Info | Unkn |

| |State| | |UniD|Lb |Ev |Var| PduTx | PduRx |CodeRx|

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

|5 |Dis |Disable |Act |0 |0 |0 |0 |0 |0 |0 |

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

+---------------------- Oam Peer Port Info --------------------------------+

| Oper State |Mode|OAM Func Support|Max OamPdu | Peer Mac Address |

| | |UniD|Lb |Ev |Var| size | |

+------------+----+----+---+---+---+-----------+------------------------------+

|In-Active |Un |0 |0 |0 |0 |0 |00:00:00:00:00:00 |

+------------+----+----+---+---+---+-----------+------------------------------+

2. > eoam enable

3. > eoam enable port 5

98 System Software Configuration Guide 6.5.0

OAM

Configuring OAM

4. > eoam show port 5

+--Global Oam Status --+

| Enable |

+----------------------+

+----------------------------- Oam Port Statistics -------------------------+

|Port|Admin| Oper State |Mode|OAM Func Support| Info | Info | Unkn |

| |State| | |UniD|Lb |Ev |Var| PduTx | PduRx |CodeRx|

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

|5 |En |Disable |Act |0 |1 |1 |0 |0 |0 |0 |

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

+---------------------- Oam Peer Port Info --------------------------------+

| Oper State |Mode|OAM Func Support|Max OamPdu | Peer Mac Address |

| | |UniD|Lb |Ev |Var| size | |

+------------+----+----+---+---+---+-----------+------------------------------+

|In-Active |Un |0 |0 |0 |0 |0 |00:00:00:00:00:00 |

+------------+----+----+---+---+---+-----------+------------------------------+

Enabling Loopback

In the following configuration example, the user displays the state of port 5, then enables the loopback on this port. This example assumes that the peer device/port has been enabled to participate in OAM loopback.

NOTE: In this example, configuration settings are verified by using show commands.

Although these steps are listed as optional, it is good practice to verify command settings using these commands.

Configuration steps:

Step # Description

Step 1 Display the current state of port 5 on device A.

Step 2 Start loopback on designated port.

Step 3 (Optional) Verify the configuration of the port.

Step 4 View loopback statistics.

Step 5 Once troubleshooting has been accomplished, OAM loopback is stopped.

Location/Command

eoam show [port

<PhyPortNameList>] [linkevents] [errd-eventsstatistics] [event-log] eoam loopback start port

<PhyPortNameList> eoam show [port

<PhyPortNameList>] [linkevents] [errd-eventsstatistics] [event-log] eoam loopback show eoam loopback stop port

<PhyPortNameList>

System Software Configuration Guide 6.5.0

99

OAM

Configuring OAM

CLI Example:

1. > eoam show port 5

+--Global Oam Status --+

| Enable |

+----------------------+

+----------------------------- Oam Port Statistics -------------------------+

|Port|Admin| Oper State |Mode|OAM Func Support| Info | Info | Unkn |

| |State| | |UniD|Lb |Ev |Var| PduTx | PduRx |CodeRx|

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

|5 |En |SendAny |Act |0 |1 |1 |0 |192 |38 |0 |

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

+---------------------- Oam Peer Port Info --------------------------------+

| Oper State |Mode|OAM Func Support|Max OamPdu | Peer Mac Address |

| | |UniD|Lb |Ev |Var| size | |

+------------+----+----+---+---+---+-----------+------------------------------+

|Active |Act |0 |1 |1 |0 |1518 |00:02:a1:a1:d1:f0 |

+------------+----+----+---+---+---+-----------+------------------------------+

2. > eoam loopback start port 5

3. > eoam show port 5

+--Global Oam Status --+

| Enable |

+----------------------+

+----------------------------- Oam Port Statistics -------------------------+

|Port|Admin| Oper State |Mode|OAM Func Support| Info | Info | Unkn |

| |State| | |UniD|Lb |Ev |Var| PduTx | PduRx |CodeRx|

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

|5 |En |SendAny |Act |0 |1 |1 |0 |257 |102 |0 |

+----+-----+------------+----+----+---+---+---+------------+-----------+------+

+---------------------- Oam Peer Port Info --------------------------------+

| Oper State |Mode|OAM Func Support|Max OamPdu | Peer Mac Address |

| | |UniD|Lb |Ev |Var| size | |

+------------+----+----+---+---+---+-----------+------------------------------+

|Active |Act |0 |1 |1 |0 |1518 |00:02:a1:a1:d1:f0 |

+------------+----+----+---+---+---+-----------+------------------------------+

100 System Software Configuration Guide 6.5.0

OAM

Configuring OAM

4. > eoam loopback show port 5

+-----------------------Oam Loopback Port Statistics --------------------------+

| Port | Lb |Lb Ignore|PeerLb | LbPduTx | LbPduRx | Lb Ctrl | Lb Ctrl |

| | Status | State |Support| | | Tx | Rx |

+------+--------+---------+-------+-----------+-----------+----------+---------+

|5 | Dis |Ignore | Yes | 0 | 0 | 1 | 0 |

+------+--------+---------+-------+-----------+-----------+----------+---------+

5. > eoam loopback stop port 5

System Software Configuration Guide 6.5.0

101

OAM

Configuring OAM

102 System Software Configuration Guide 6.5.0

Chapter

Configuring and Identifying Transceivers

• • • • • •

10

At a Glance:

Overview

Compliance

Identification

Diagnostics

Displaying Transceiver Information

Determining Transceiver Speed

Disabling and Enabling Transceivers

Setting the Port Connector Mode

This chapter explains transceiver technology and describes the various management options available.

Overview

The Small Form-factor Pluggable (SFP) device used with a device is a hot-swappable compact optical transceiver and is supported by most fiber optic component vendors.

SFPs offer high speed (5 Gbps and higher) and physical compactness. Port transceiver information, including status and type, is available via CLI or SNMP.

Compliance

The system software supports SFP transceivers that are compliant with the following documents:

• Small Form Factor Pluggable (SFP) Transceiver Multi Source Agreement, September 14,

2000

• Digital Diagnostic Monitoring Interface for Optical transceivers SFF-8473, Draft

Revision 9.0, April 4, 2002.

For a list of supported optics refer to the Hardware Installation and User’s Guide for the platform you are working with.

Identification

Ciena devices support transceivers that contain a standard serial erasable programmable read-only memory (EPROM) that provides information on the type of SFP used. The following information is read from the EPROM:

• Identifier Type (GBIC, SFP...)

• Extended Identifier Type

System Software Configuration Guide 6.5.0

103

C

ONFIGURING AND

I

DENTIFYING

T

RANSCEIVERS

Diagnostics

Connector Type (SC, LC, MU, SG...)

Vendor Name

Vendor Organizational Unique Identifier (OUI)

Vendor Part Number

Vendor Serial Number

Vendor Revision Number

Encoding Algorithm (NRZ, Manchester...)

Manufacturing Date Code

Transceiver Code

Transceiver SFF-8472 Compliance Version

Diagnostics

Ciena devices support advanced transceivers that have an additional diagnostic serial

EPROM. The system software determines if the transceiver has the diagnostic EPROM and will provide the following information to the user:

Wavelength

Temperature

Rx Power

Tx Power

Tx Disable State

Tx Fault State

Rx Rate Select State

The information is stored in a table on a per port basis. The standard EPROM information is updated during initialization or when a new transceiver has been inserted. The diagnostic information is updated at a rate of 1 port per 5 seconds. However, this process has a low priority, and in times of a heavy CPU load, the information may be refreshed slowly or not at all.

Transceivers that support diagnostics can trigger events and SNMP traps, including:

SFPs: BiasHigh, BiasLow, RxPowerHigh, RxPowerLow, TempHigh, TempLow,

TxPowerHigh, TxPowerLow, VccHigh, VccLow

XFPs: BiasHigh, BiasLow, RxPowerHigh, RxPowerLow, TempHigh, TempLow,

TxPowerHigh, TxPowerLow

Each of these events and traps include a warning and alarm version of each, for example,

BiasHighAlarm and BiasHighWarning). Thresholds are set by the SFP vendors, and are not programmable. Both event classes (alarm, warning) are logged under the xcvr-mgr. The warnings are logged using category of debug and the severity of warning. The alarms are logged using category of debug and the severity of minor.

These alarms and warnings are based on flags that are set or cleared inside the SFP. These flags are polled at a low priority and slow rate, so flags may be set and then cleared without generating a trap or event. For example, if the TempHigh alarm threshold is

104 System Software Configuration Guide 6.5.0

C

ONFIGURING AND

I

DENTIFYING

T

RANSCEIVERS

Displaying Transceiver Information

exceeded for a few seconds, and then cleared before the flag is polled, it will not trigger a TempHigh alarm. You can forcibly clear alarms and warnings by removing and then reinserting the transceiver or disabling g and then enabling the port.

Displaying Transceiver Information

To display diagnostic information for a specified port:

NOTE: The option “diagnostics” is supported for SFPs that actually support diagnostics.

If the SFP does not have internal diagnostics capabilities then an error will be returned.

port show port <PhyPortNameList> diagnostics

Example of SFP that does not support diagnostics:

> port xcvr show port 12 diagnostics

No diagnostic data present for port 12

Example of SFP that supports diagnostics:

> port xcvr show port 1 diagnostics

+-------------------- XCVR DIAGNOSTICS - Port 1 -----------------+

| | | Alarm | Warning |

| Output | Value | Threshold | Flag | Threshold | Flag |

+--------------+----------+---------------+------+---------------+------+

| Temp (degC)| 31.124 | HIGH 90.000 | 0 | HIGH 80.000 | 0 |

| | | LOW -5.000 | 0 | LOW 0.000 | 0 |

+--------------+----------+---------------+------+---------------+------+

| Vcc (volts)| 3.295 | HIGH 3.630 | 0 | HIGH 3.500 | 0 |

| | | LOW 2.970 | 0 | LOW 3.100 | 0 |

+--------------+----------+---------------+------+---------------+------+

| Bias (mA)| 21.520 | HIGH 60.000 | 0 | HIGH 50.000 | 0 |

| | | LOW 3.000 | 0 | LOW 4.000 | 0 |

+--------------+----------+---------------+------+---------------+------+

| Tx Power (mW)| 1.488 | HIGH 3.162 | 0 | HIGH 2.511 | 0 |

| | | LOW 0.794 | 0 | LOW 1.000 | 0 |

+--------------+----------+---------------+------+---------------+------+

| Rx Power (mW)| 0.0000 | HIGH 0.1590 | 0 | HIGH 0.1262 | 0 |

| | | LOW 0.0005 | 0 | LOW 0.0010 | 0 |

+--------------+----------+---------------+------+---------------+------+

To display a summary of transceiver status:

> port xcvr show

+----+-----+-----+---------Transceiver-Status------------+----------------+----+

| |Admin| Oper| |Ether Medium & |Diag|

|Port|State|State| Vendor Name & Part Number |Connector Type |Data|

+----+-----+-----+---------------------------------------+----------------+----+

|9 |Empty| | | | |

|10 |Empty| | | | |

|11 |Empty| | | | |

|12 |Ena |Ena |WORLDWIDEPACKETS XCVR-010Y31 Rev10 |1000BASE-LX/LC | |

+----+-----+-----+---------------------------------------+----------------+----+

System Software Configuration Guide 6.5.0

105

C

ONFIGURING AND

I

DENTIFYING

T

RANSCEIVERS

Displaying Transceiver Information

To display a summary of transceiver status for a specific port:

port xcvr show port <PhyPortNameList> state

Example:

> port xcvr show port 12

+----+-----+-----+---------Transceiver-Status------------+----------------+----+

| |Admin| Oper| |Ether Medium & |Diag|

|Port|State|State| Vendor Name & Part Number |Connector Type |Data|

+----+-----+-----+---------------------------------------+----------------+----+

|12 |Ena |Ena |WORLDWIDEPACKETS XCVR-010Y31 Rev10 |1000BASE-LX/LC | |

+----+-----+-----+---------------------------------------+----------------+----+

To display vendor EPROM data for a specific port:

port show port <PhyPortNameList> vendor

Example:

> port xcvr show port 9 vendor

+------------------------ XCVR VENDOR DATA - Port 9 ------------------------+

| Parameter | Value | Decoded String Equivalent |

+--------------------------+--------------------+------------------------------+

| Identifier | 0x0 | unknown |

| Ext. Identifier | 0x0 | unknown |

| Connector | 0x0 | unknown |

+--------------------------+--------------------+------------------------------+

| Transceiver Codes | 0x0000000000000000 | |

| - SONET Compliance | 0x0000 | |

| - Ethernet Compliance | 0x00 | unknown |

| - Link Length | 0x00 | unknown |

| - Transmitter Technology| 0x0000 | unknown |

| - Transmission Media | 0x00 | unknown |

| - Channel speed | 0x00 | unknown |

| Encoding | 0x00 | unknown |

| BR, Nominal | 0 | |

|--------------------------+--------------------+------------------------------|

| Length(9um fiber) 1km | 0 | 0km |

| Length(9um fiber) 100m | 0 | 0m |

| Length(50um) 10m | 0 | 0m |

| Length(62.5um) 10m | 0 | 0m |

| Length(copper) 1m | 0 | 0m |

|--------------------------+--------------------+------------------------------|

| Vendor Name | | |

| Vendor OUI | 0x000000 | |

| Vendor PN | | |

| Vendor Revision | | |

| Wavelength | 0 | |

|--------------------------+--------------------+------------------------------|

| Options | 0x0 | |

| - RATE_SELECT | Bit 5 | No |

| - TX_DISABLE | Bit 4 | No |

| - TX_FAULT | Bit 3 | No |

| - Loss of Signal Invert | Bit 2 | No |

| - Loss of Signal | Bit 1 | No |

|--------------------------+--------------------+------------------------------|

106 System Software Configuration Guide 6.5.0

C

ONFIGURING AND

I

DENTIFYING

T

RANSCEIVERS

Determining Transceiver Speed

| BR, max | 0 | |

| BR, min | 0 | |

| Vender Serial Number | | |

| Date (mm/dd/yy) | | |

|--------------------------+--------------------+------------------------------|

| Diag Monitor Type | 0x0 | |

| - Legacy diagnostics | Bit 7 | No |

| - Diagnostics monitoring| Bit 6 | No |

| - Internally calibrated | Bit 5 | No |

| - Externally calibrated | Bit 4 | No |

| - Rx power measurement | Bit 3 | OAM |

|--------------------------+--------------------+------------------------------|

| Enhanced Options | 0x0 | |

| - Alarm/Warning Flags | Bit 7 | No |

| - Soft TX_DISABLE | Bit 6 | No |

| - Soft TX_FAULT | Bit 5 | No |

| - Soft RX_LOS | Bit 4 | No |

| - Soft RATE_SELECT | Bit 3 | No |

|--------------------------+--------------------+------------------------------|

| SFF-8472 Compliance | 0x0 | None |

+--------------------------+--------------------+------------------------------+

Determining Transceiver Speed

When a transceiver is plugged in, the port speed is blank until a link is established, and then it is set to match the transceiver speed.

To display the optic speed:

> port show

+-----------------------------------------------------------------------------+

| Port Table | Operational Status | Admin Config |

|--------+--------+----+--------------+----+---+-------+----+----+-------+----|

| Port | Port | | Link State | | | |Auto| | |Auto|

| Name | Type |Link| Duration |XCVR|STP| Mode |Neg |Link| Mode |Neg |

|--------+--------+----+--------------+----+---+-------+----+----+-------+----|

| 1 |10/100/G| Up | 0d 5h 4m27s| |FWD| 100/FD| On |Ena |1000/FD| On |

| 2 |10/100/G| Up | 0d 5h 4m27s| |FWD| 100/FD| On |Ena |1000/FD| On |

| 3 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |1000/FD| On |

| 4 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |1000/FD| On |

| 5 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |1000/FD| On |

| 6 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |1000/FD| On |

| 7 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |1000/FD| On |

| 8 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |1000/FD| On |

| 9 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |Auto/FD| On |

| 10 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |Auto/FD| On |

| 11 |10/100/G|Down| 0d 0h 0m 0s| |Dis| | On |Ena |Auto/FD| On |

| 12 | Gig | Up | 4d 2h48m52s|Ena |FWD|1000/FD| On |Ena |Auto/FD| On |

+--------+--------+----+--------------+----+---+-------+----+----+-------+----+

The optic speed can also be determined using the port xcvr show port

<PortNameList> vendor command. The Encoding “Value” column displays the actual value read from the optic, while the “Decoded String Equivalent” column indicates the port speed supported.

System Software Configuration Guide 6.5.0

107

C

ONFIGURING AND

I

DENTIFYING

T

RANSCEIVERS

Disabling and Enabling Transceivers

Example:

> port xcvr show port 1 vendor

+------------------------ XCVR VENDOR DATA - Port 1 ------------------------+

| Parameter | Value | Decoded String Equivalent |

+--------------------------+--------------------+------------------------------+

| Identifier | 0x3 | SFP transciever |

| Ext. Identifier | 0x4 | SFP/GBIC |

| Connector | 0x7 | LC |

+--------------------------+--------------------+------------------------------+

| Transceiver Codes | 0x0000000002000000 | |

| - SONET Compliance | 0x0000 | |

| - Ethernet Compliance | 0x02 | 1000BASE-LX |

| - Link Length | 0x00 | unknown |

| - Transmitter Technology| 0x0000 | unknown |

| - Transmission Media | 0x00 | unknown |

| - Channel speed | 0x00 | unknown |

+--------------------------+--------------------+------------------------------+

| Encoding | 0x01 | 8B10B |

| BR, Nominal | 13 | Gigabit |

|--------------------------+--------------------+------------------------------|

...

+--------------------------+--------------------+------------------------------+

Disabling and Enabling Transceivers

When you disable or enable a port directly, the transceiver is disabled or enabled.

To disable transceiver status for a specific port:

port disable port <PhyPortNameList>

Example:

> port disable port 9

To enable transceiver status for a specific port:

port enable port <PhyPortNameList>

Example:

> port enable port 9

Setting the Port Connector Mode

Some ports support both RJ45 and SFP connectors. Only one of these connectors can be active at a given time. Connectors are enabled by setting the mode for the port. Default modes for ports vary depending on the platform:

• CN 3911 and CN 3920, the default mode is SFP for all dual-mode ports.

CN 3940, the default mode is RJ45 for ports 1-20, and SFP for ports 21-24.

• CN 5140, the default mode is SFP for all ports.

CN 3960, the default mode is RJ45 on all of the dual-mode ports.

108 System Software Configuration Guide 6.5.0

C

ONFIGURING AND

I

DENTIFYING

T

RANSCEIVERS

Setting the Port Connector Mode

In addition, speed is set to “Auto” with auto-negotiation enabled. So, you can install 1G or 100M transceivers, and the system will automatically set the speed accordingly. If these settings or other port attributes are set explicitly and do not match the capabilities of the active connector, a mismatch warning will be generated. The warning will be cleared when the attributes match the capabilities of the active connector.

NOTE: If you upgrade a CN 3911 device using an RJ-45 connector from 6.1.0.92 to

6.2.0.91, IP connectivity to the device will be lost. After the upgrade, the remote interface port (9 or 10) defaults to "SFP mode" after the upgrade. At that point, you need to access the device's serial console port to set the port back to RJ-45 mode.

NOTE: If you attempt to set the mode to a connector that is not supported for the specified port, the system generates a “Capability not supported” error message.

To set the mode for a specific port:

port set port <PortName> mode <default|rj45|sfp>

Example:

> port set port 9 mode rj45

System Software Configuration Guide 6.5.0

109

C

ONFIGURING AND

I

DENTIFYING

T

RANSCEIVERS

Setting the Port Connector Mode

110 System Software Configuration Guide 6.5.0

Chapter

Port State Mirroring

• • • • • •

11

At a Glance:

Overview

Principles of Operation

Feature Benefits

Bi-directional Port State Mirroring

Configuring Port State Mirroring

This chapter provides an overview of Port State Mirroring and how to configure it on Ciena devices running SAOS software.

Overview

Port State Mirroring (sometimes referred to as link loss forwarding or link state tracking) provides link redundancy by associating the link state of one or more source (uplink) ports with one or more downstream (destination) ports on the switch. If the link is lost on a source port, all of the other destination ports associated with it are automatically placed in a disabled state as well. When used in conjunction with OSPF or RSTP, port state mirroring can be leveraged to force the use of a secondary link.

If port state mirroring is not configured and a link is lost (a cable is disconnected, the connected switch or router goes down, etc.) the link state of the associated interfaces is not affected and a failover to a secondary interface is not initiated.

Principles of Operation

Port state mirroring allows ports to be bundled together in a related group referred to as a port state mirror group (PSMG). Within the group, the link state of the destination ports is dependent upon the link state of the source port(s) in the PSMG. With a single source port, if the source port becomes disabled, all of the destination ports in the group will be forced into a disabled state as well. Likewise, when the source port becomes available again, the destination ports transition back to an enabled state (dependant upon their own availability).

In a PSMG that has more than one source port, all source ports must be disabled in order for the destination ports to be forced into a disabled state. For example, if a PSMG has ports 1 and 2 configured as source ports, both ports must be down to force the destination ports into a disabled state. This also means that only one source port is required to be up in order to transition all destination ports back to the enabled state.

System Software Configuration Guide 6.5.0

111

P

ORT

S

TATE

M

IRRORING

Feature Benefits

Feature Benefits

Allowing the port state of source ports to directly control the port state of destination ports provides an easy way to shape traffic patterns. Port state mirroring also provides another way to detect link health that otherwise might not be detected.

Bi-directional Port State Mirroring

With bi-directional port state mirroring, ports can mirror their state in both the upstream and downstream directions. This allows the service provider’s router port to be automatically disabled if the customer’s router port becomes unavailable. Likewise, the converse is true, the customer’s router port can be disabled if the service provider’s router port should become unavailable.

Provider

Router

Device 1

Provider

Router

Port

4

Port

15

Figure 11-1: Bi-directional Port State Mirroring

In Figure 11-1, assume that port 4 and port 15 have been configured in a bi-directional

PSMG. If port 15 cannot establish link with the customer router, then port 4 will become disabled as well.

CAUTION: This feature should be configured with care in the event that other customers are serviced by the router connected to Device 1, as they will lose connection to the service provider router as well.

Bi-directional PSMGs are configured the same as a standard PSMG, however, the type must be specified as bi-directional instead of uni-directional.

Configuring Port State Mirroring

In the following configuration example, represented in Figure 11-2, a PSMG is configured

on Device 1 and another PSMG on Device 2. On Device 1, the downstream (destination) ports 1, 2, 5, and 6 are defined in PSMG 1 with uplink ports 3 and 4 acting as the source ports. For Device 2, downstream ports 7, 8, 11, and 12 are defined in PSMG 2 with uplink ports 9 and 10 acting as the source ports.

Ports 1 and 2 on Device 1 serve as the primary connections for Server 1 and Server 2, whereas port 7 and 8 on Device 2 are the secondary links for Server 1 and Server 2.

Likewise, the primary links for Server 3 and Server 4 are through port 11 and 12 on Device

2 with secondary links to Device 1 through ports 5 and 6.

112 System Software Configuration Guide 6.5.0

P

ORT

S

TATE

M

IRRORING

Configuring Port State Mirroring

This example forces the servers to switch over to their secondary links when the uplinks become unavailable. In addition, it disables the secondary links when the uplinks are unavailable. Primary links are represented as solid lines, whereas secondary links are represented as dashed lines.

Device 1

Port

1

Port

2

Port

3

Port

5

Port

4

Port

6

Network

Port

9

Port

10

Port

7

Port

8

Device 2

Port

11

Port

12

Server 1 Server 2 Server 3

Figure 11-2: Configuring Port State Mirroring

Server 4

Configuration steps:

This configuration example assumes the proper VLAN/port assignments have already been configured.

Step # Description

Step 1 Create Port State Mirror Group PSMG1 on Device 1.

Location/Command

port state-mirror-group create <psmg-object (15)>

Step 2 Add source ports 3 and 4 and destination ports 1, 2, 5, and 6 to PSMG1.

port state-mirror-group add {[<psmg-src-groupattr>] [<psmg-dst-listattr>]}

System Software Configuration Guide 6.5.0

113

P

ORT

S

TATE

M

IRRORING

Configuring Port State Mirroring

Step # Description Location/Command

Step 3 (optional) Verify that the ports have been assigned to the

PSMG and that their operational status displays as Link

Up.

port state-mirror-group show [<psmg-object>]

Step 4 Create Port State Mirror Group PSMG2 on Device 2.

port state-mirror-group create <psmg-object (15)>

Step 5 Add source ports 9 and 10 and destination ports 7, 8, 11, and 12 to PSMG2.

port state-mirror-group add {[<psmg-src-groupattr>] [<psmg-dst-listattr>]}

Step 6 (optional) Verify that the ports have been assigned to the

PSMG and that their operational status deploys as Link

Up.

port state-mirror-group show [<psmg-object>]

CLI Example:

Device 1

1. > port state-mirror-group create group PSMG1

2. > port state-mirror-group add group PSMG1 src-port 3,4 dst-port 1,2,5,6

3. > port state-mirror-group show

+---------------- PORT STATE MIRROR GROUPS --------------+

| | Collective | Member Counts |

| Name | Oper State | Source | Destination |

+-----------------+------------+-----------+-------------+

| PSMG1 | Enabled | 2 | 4 |

+-----------------+------------+-----------+-------------+

+----------- PORT STATE MIRROR GROUPS MEMBERS -----------+

| | Member |

| Port State Mirror Group | Port | Type | Oper State |

+-------------------------+----------+------+------------+

| PSMG1 | 1 | Dst | Link up |

| PSMG1 | 2 | Dst | Link up |

| PSMG1 | 3 | Src | Link up |

| PSMG1 | 4 | Src | Link up |

| PSMG1 | 5 | Dst | Link up |

| PSMG1 | 6 | Dst | Link up |

+-------------------------+----------+------+------------+

Device 2

1. > port state-mirror-group create group PSMG2

2. > port state-mirror-group add group PSMG2 src-port 9,10 dst-port

7,8,11,12

114 System Software Configuration Guide 6.5.0

P

ORT

S

TATE

M

IRRORING

Configuring Port State Mirroring

3. > port state-mirror-group show

+---------------- PORT STATE MIRROR GROUPS --------------+

| | Collective | Member Counts |

| Name | Oper State | Source | Destination |

+-----------------+------------+-----------+-------------+

| PSMG2 | Enabled | 2 | 4 |

+-----------------+------------+-----------+-------------+

+----------- PORT STATE MIRROR GROUPS MEMBERS -----------+

| | Member |

| Port State Mirror Group | Port | Type | Oper State |

+-------------------------+----------+------+------------+

| PSMG1 | 7 | Dst | Link up |

| PSMG1 | 8 | Dst | Link up |

| PSMG1 | 9 | Src | Link up |

| PSMG1 | 10 | Src | Link up |

| PSMG1 | 11 | Dst | Link up |

| PSMG1 | 12 | Dst | Link up |

+-------------------------+----------+------+------------+

System Software Configuration Guide 6.5.0

115

P

ORT

S

TATE

M

IRRORING

Configuring Port State Mirroring

116 System Software Configuration Guide 6.5.0

Chapter

Security

• • • • • •

12

At a Glance:

Overview

Service Access Control

User Management

Service Access Control

RADIUS

TACACS+

IP Access Control Lists

This chapter explains how to configure various security features of devices running SAOS.

Security features are employed to prevent unauthorized access to network resources and to deployed services.

Overview

SAOS employs several methods to prevent unauthorized access to devices and to control the way that services are distributed through the network. Some features restrict certain types of protocols or packets, while others restrict port access. The following security features can be combined to provide an increased security level:

• Service Access Control- controls device access to the network.

• RADIUS- grants conditional access to configured users using Remote Authentication Dial

In User Service (RADIUS).

• TACACS- performs authentication, authorization and accounting (AAA) functions using

Terminal Access Controller Access Control System (TACACS).

Service Access Control

Service Access Control (SAC) provides a way to control packet forwarding based on MAC addresses. If a service provider knew the MAC address of every device connected to the network, packet forwarding could be strictly controlled. However, subscribers can connect a myriad of devices to the network. Keeping track of the changing list of these

MAC addresses would be extremely difficult. Therefore, SAOS devices employ SAC to:

• Allow static MAC addresses.

Control the number of dynamically learned MAC addresses on a per-port basis.

By configuring static MAC entries, security is provided to allow only those frames to be forwarded that have a source MAC address that is recognized by the device.

System Software Configuration Guide 6.5.0

117

S

ECURITY

Service Access Control

When an SAC entry is created, a maximum number of dynamic MAC addresses is entered for a specific port. Setting this limit specifies the number of dynamic MAC addressees without having to know their actual value. Once the limit is reached, additional MAC addresses will not be learned and frames from subsequent devices can be configured to either be forwarded or dropped. The learn limit does not apply to static MAC addresses.

For example, if the learn limit is set to four, the device will learn the MAC addresses of the first four subscriber devices connected to the network and allow them to send frames, and can drop frames that come from a fifth device (assuming that all devices are connected to the network at the same time). Frames containing source addresses that match static addresses in the device will be forwarded, and are unaffected by the MAC limit set on the port.

A MAC aging timer can also be set for dynamically learned MACs, which clears entries from the MAC table when they have been inactive for the period of time specified. Static MAC addresses are never aged out. In the previous example, although only four devices may be connected to the network at one time, devices may be unplugged from the network and new devices (i.e., new MAC addresses) will be allowed once the old MAC address ages out.

It should be noted that limiting MAC addresses does not provide absolute security as a

MAC address can still be spoofed (made to look like an authorized MAC address).

Benefits

SAC protects the Provider network from unauthorized access and can help prevent denial of service attacks. In addition, Service providers could use SAC to offer different subscriber access packages without having to know any specifics about the subscriber devices. For example, a SAC could be created for “Gold” level subscribers that allows them to connect up to 5 devices (i.e. 5 MAC addresses) to the network, while “Bronze” level subscribers are only allowed to connect 1 device to the network at a time.

Configuration

This section provides configuration examples for configuring SAC.

NOTE: The device is capable of learning a maximum of 16,000 dynamic MACs (32,000 on the CN 3960), which requires installation of the Advanced Ethernet (AE) license key.

Without the AE license, the device is restricted to learning a maximum of 4,000 dynamic

MACs. License keys can be purchased by contacting Ciena customer support.

Configuring Service Access Control with MAC Aging

In this first configuration example, an SAC entry is created on port 5 that limits the number of learned MAC addresses to 4. The MAC address of a set top box is also entered as a static MAC, and will not interfere with the maximum number of dynamic MACs set for the port. In addition, MAC address aging is enabled in order to allow dynamic MACs to age out. MAC address aging is an optional step.

NOTE: The MAC aging timer is configured for the entire device, it cannot be set on a VLAN or port basis. Depending on the location of this device in the network, changing the MAC aging timer may cause connectivity issues with critical devices. When changing the MAC aging timer, be certain that desirable devices will not be inadvertently aged out.

118 System Software Configuration Guide 6.5.0

S

ECURITY

Service Access Control

NOTE: In the following example, configuration settings are verified by using show commands. Although these steps are listed as optional, it is good practice to verify command settings using these commands.

Configuration steps:

Step # Description Location/Command

Step 1 Create the SAC entry for the port.

flow access-control create port <PortNo> {maxdynamic-macs <max-macsvalue>} [forwardunlearned <on|off>]

Step 2 Enable MAC aging.

MAC aging is enabled by default.

Step 3 Set MAC aging to 120 seconds.

The default MAC aging timer is 300 seconds.

flow aging {disable | enable} flow aging set time <10 -

1000000>}

Step 4 Enter the static MAC address. Note that in order to add a static MAC on port 5, the VLAN used must already be created and port 5 must be a member of the VLAN flow static-mac add vlan

<VlanID> mac

<xx:xx:xx:xx:xx:xx> port

<PortNo>}

Step 5 (Optional) Verify the SAC entry.

Step 6 (Optional) Verify the MAC aging settings.

Step 7 (Optional) Verify the static MAC entry.

flow access-control show flow aging show flow show static-mac

CLI Example:

1. > flow access-control create port 5 max-dynamic-macs 4

2. > flow aging enable

3. > flow aging set time 120

4. > flow static-mac add vlan 300 port 5 mac aa:bb:cc:dd:ee:ff

5. > flow access-control show

+------------------------- FLOW ACCESS-CONTROL TABLE -----------------------+

| Instance | Dynamic Addresses | | Oper |

| Type | Value | Maximum | Learned | Threshold | Status |

+---------+-----------------+----------+----------+-------------+-----------+

| Port | 5 | 4 | 0 | Not Reached | Enabled |

+---------+-----------------+----------+----------+-------------+-----------+

6. > flow aging show

+------- FLOW AGING-INFO -------+

| Parameter | Value |

+-----------------+-------------+

| Status | Enabled |

| Time (Seconds) | 120 |

+-----------------+-------------+

System Software Configuration Guide 6.5.0

119

S

ECURITY

Service Access Control

7. > flow show static-mac

+--------------- FLOW MAC-LEARN TABLE -----------+

| VLAN | Address (SA) | Port | Type |

+--------+-------------------+-----------+-------+

| 1 | 00:BB:CC:DD:EE:FF | 1 | Dyna |

| 127 | 00:AA:CC:DD:EE:FF | 1 | Dyna |

| 300 | AA:BB:CC:DD:EE:FF | 5 | Stat |

+--------+-------------------+-----------+-------+

Configuring Static MACs and SAC on the Same Device

By using static or dynamic MAC entries, access to a service can be restricted. For instance, on port 5, to limit access to video services for a specific set top box, a static

MAC address could be created for the STB, along with disabling MAC learning on the port by creating a SAC entry with a learn limit of 0. In this scenario, only the set top box would have access to the video services, and no other MACs would be serviced on the port.

On a different port, for example port 6, a SAC entry with a learn limit of 1 could be created for the port so that only one device, with a dynamic address, can be learned and serviced by the port

Note that disabling MAC aging will keep the learned MAC address in the MAC table until it is flushed by one of the following events:

Using the flow mac-addr flush CLI command

• Spanning Tree topology change

Link state change

• Reboot of device

In the following example, access to a port is limited to one device, such as a set top box, for ports 5 and 6.

On port 5, the device’s MAC address is entered manually, no dynamic learning will take place on that port and no other devices will be accepted on this port. On port 6, the MAC address is learned dynamically, but MAC address aging is disabled for the device.

On port 6, if the Ethernet device is removed, its source MAC address will remain in the

MAC Learning table until the MAC table is flushed. Until such time, the SAOS device will not forward packets from a different device on if it is attached to port 6.

NOTE: In the following example, configuration settings are verified by using show commands. Although these steps are listed as optional, it is good practice to verify command settings using these commands.

Configuration steps:

Step # Description Command

Step 1 Create the SAC entry. Set the maximum number of allowed MAC addresses to 0.

flow access-control create port <PortNo> {maxdynamic-macs <max-macsvalue>}

Step 2 Enter the static MAC address.

In order to add a static MAC on port 5, the VLAN used must already be created and port 5 must be a member of the VLAN flow static-mac add vlan

<VlanID> mac

<xx:xx:xx:xx:xx:xx> port

<PortNo>}

120 System Software Configuration Guide 6.5.0

S

ECURITY

Service Access Control

Step # Description

Step 3 (Optional) Verify the SAC entry.

Step 4 (Optional) Verify the static MAC entry.

Step 5 Create a SAC entry and set the maximum number of allowed MAC addresses to 1.

Command

flow access-control show flow show static-mac flow access-control create port <PortNo> {maxdynamic-macs <max-macsvalue>} flow aging disable

Step 6 Disable MAC aging.

MAC aging is disabled by default.

Step 7 (Optional) Verify the SAC entry.

flow access-control show

CLI Example:

1. > flow access-control create port 5 max-dynamic-macs 0

2. > flow static-mac add vlan 300 mac aa:bb:cc:dd:ee:ff port 5

3. > flow access-control show

+------------------------- FLOW ACCESS-CONTROL TABLE -----------------------+

| Instance | Dynamic Addresses | | Oper |

| Type | Value | Maximum | Learned | Threshold | Status |

+---------+-----------------+----------+----------+-------------+-----------+

| Port | 5 | 0 | 0 | Reached | Enabled |

+---------+-----------------+----------+----------+-------------+-----------+

4. > flow mac-addr show

+--------------- FLOW MAC-LEARN TABLE -----------+

| VLAN | Address (SA) | Port | Type |

+--------+-------------------+-----------+-------+

| 1 | 00:BB:CC:DD:EE:FF | 1 | Dyna |

| 127 | 00:AA:CC:DD:EE:FF | 1 | Dyna |

| 300 | AA:BB:CC:DD:EE:FF | 5 | Stat |

+--------+-------------------+-----------+-------+

5. > flow access-control create port 6 max-dynamic-macs 1

6. > flow aging disable

7. > flow access-control show

+------------------------- FLOW ACCESS-CONTROL TABLE -------------------------+

| Instance | Dynamic Addresses | | Oper |

| Type | Value | Maximum | Learned | Threshold | Status |

+---------+-----------------+----------+----------+-------------+-------------+

| Port | 6 | 1 | 0 | Not Reached | Enabled |

+---------+-----------------+----------+----------+-------------+-------------+

Configuring the Device to Forward or Drop Unknown Addresses

The Forward-Unlearned option allows for the Forwarding or Dropping of Unknown DA

MACs, when the SAC limit has been reached on a port.

When the Forward-Unlearned option is turned on, and the maximum number of dynamic

MACs have been learned on the port, additional MACs sent to the port, that are unknown to the device, will be flooded to all ports in the same broadcast domain (VLAN or Virtual

Switch). When the Forward-Unlearned option is turned off, unknown DA MACs will be dropped instead of flooded.

System Software Configuration Guide 6.5.0

121

S

ECURITY

User Management

The following CLI commands are used to turn the Forward-Unlearned option on or off:

> flow access-control create port 1 max-dynamic-macs 25 forward-unlearned on

> flow access-control create port 1 max-dynamic-macs 25 forward-unlearned off

Note that packets will be forwarded if an SA is unlearned and the table is full. Because the device learns at line rate, the flow show mac-addr command will lag behind the hardware when learning at a high rate.

User Management

Telnet access to the CLI through user accounts can be limited. When logging in, users are asked to supply a user name and a password. If they do not supply the correct password, or the user account does not exist, they will be denied access. The user account password can be specified as a secret (encrypted) or as clear text in order to ensure that the password cannot be easily viewed.

When a user account is created, it is assigned a privilege level. The privilege level determines the access rights for that user. The CLI provides the following user privilege levels:

Limited User - can only execute commands that show system configuration information but cannot change the configuration of the device.

Super User - includes all the privileges of the limited user, can make system configuration changes, and perform execute commands.

At least one of each type of user must be configured on the device. To delete a default user, the network operator must first create a user of the same type and then delete the default account. This ensures that the network operator controls access rights to the device.

Two user names/passwords are provided by default:

User Name Privilege Level Password Access Rights

user Limited User <empty> Read-Only

If a user password is forgotten, it cannot be retrieved. However, a super user can assign the user a new password or the user can be deleted and added again with a different password.

NOTE: When you create users and save the configuration, the user create user command is saved in the SECURITY CONFIG: section of the configuration file. The plain text password is encrypted and saved with the attribute of secret. For example: user create user superuser1 access-level super secret abcd1234467890e

You can copy this line from the configuration file of one device to the configuration file of another device to ensure the user is configured the same on both devices. The user will be able to log on to both devices with the same plain text password.

122 System Software Configuration Guide 6.5.0

S

ECURITY

User Management

Feature Benefit

Controlling device access through user accounts enables the network operator to expressly define those users that can view configuration information and those that can view and modify configuration information.

Configuring Users

If your user ID has super access level, you can create users with limited (read-only) or super (read/write) access level. User names and passwords are case sensitive and are limited to a length of 16 characters. Also, you can delete users. Before deleting a default user, create a user of the same type and then delete the default account. If a user forgets their password, it cannot be retrieved. However, you can assign the user a new password or delete the user and create it again with a different password. When you create users and save the configuration, the user create user command is saved in the SECURITY

CONFIG: section of the configuration file. The plain text password is encrypted and saved with the attribute of secret. For example: user create user superuser1 access-level super secret abcd1234467890e

You can copy this line from the configuration file of one device to the configuration file of another device to ensure the user is configured the same on both devices. The user will be able to log on to both devices with the same plain text password. Optionally, you can create or update users to use the secret attribute to use a pre-encrypted password.

To configure a user account:

Step # Description Command

Step 1 Create the user account, specifying a name, access level, and password.

user create user

<String[16]>

Step 2 (Optional) Verify the account creation.

user show

The following example creates 2 users, one with super user privilege and the other with limited user access level.

CLI Example:

> user create user MIS access-level super password 2manysecrets

> user create user data access-level limited password blue32

> user show

+--------- USER ACCOUNT TABLE -----+-------+

| Username | Privilege | Flags |

+------------------+---------------+-------+

| MIS | super | P |

| data | limited | P |

| su | super | DP |

| user | limited | D |

+------------------+---------------+-------+

NOTE: The DP and D shown in the Flags column above indicates that an account is a default account. These accounts may be deleted if desired, however one active user account of each privilege level must always exist.

System Software Configuration Guide 6.5.0

123

S

ECURITY

User Management

Displaying Users

If your user ID has super or limited user access, you can display created users, users who are currently logged on, and your own user name and access level.

To display all created users:

> user show

+--------- USER ACCOUNT TABLE --------+---------+

| Username | Privilege | Default |

+------------------+------------------+---------+

| su | super | * |

| user | limited | * |

+------------------+------------------+---------|

To display all users currently logged on to the device:

> user who

+------------------+---------+----------+-----------------------------+

| Username |Idle Time| Pid | Terminal |

+------------------+---------+----------+-----------------------------+

| su | 0m | 131204 | /telnet_192.168.3.153:1287 |

| su | 0m | 196735 | /telnet_192.168.3.153:1116 |

+------------------+---------+----------+-----------------------------+

To display your user name and access level:

> user whoami username: su access-level: super

Configuring Authorization Providers

Three methods of user authorization are supported: local, RADIUS, and TACACS+, and separate authorization methods can be set for the serial port and remote access (Telnet).

By default, the local user database only is used for authorization.

You can configure the device to use a backup authorization method and priority. The backup authentication method will only be used if the primary authentication method does not complete because a server is not available (not configured, not enabled, or failed to contact as in a communication error). If the server is contacted and the authentication is denied (not allowed), the secondary method will not be called.

For a given authentication method, the scope defines the method called dependent upon the source of the login attempt. For a scope policy equal to "remote", the authentication method will only be called for login attempts originating from either the local or remote management interfaces. For a scope policy equal to "serial", the authentication method will only be called for login attempts originating from the serial port. For a scope policy of "all", the authentication method will be called for all management interfaces, remote, local and serial. In all cases, the priority backup authentication rules described above apply.

CLI Example:

To set the authorization scope, priority, and method:

user auth set [scope <all|serial|remote>] [priority <NUMBER: 1...3> ]

[method <none|local|radius|tacacs>]

124 System Software Configuration Guide 6.5.0

S

ECURITY

RADIUS

To display authorization providers and statistics:

> user auth show

+----------------------- Authorization Providers ----------------------+

| Priority | Method | Called | Success | Failure | Skipped | Scope |

+----------+----------+---------+---------+---------+---------+--------+

| 1 | local | 6 | 5 | 1 | 0 | all |

+----------+----------+---------+---------+---------+---------+--------+

To specify separate TACACS and serial authentication methods. There will be no backup for TACACS, and the TACACS server will only be used for local and remote login attempts.

The local DB will be used only for serial port login attempts:

> user auth set priority 1 method tacacs scope remote

> user auth set priority 2 method local scope serial

To specify TACACS server used only for local and remote interface login attempts and use the local DB for serial port and primary backup login attempts:

> user auth set priority 1 method tacacs scope remote

> user auth set priority 2 method local scope serial

To clear authorization statistics:

> user auth clear [priority <NUMBER 1-3>]

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server system used to secure networks against unauthorized remote access such as with Telnet. When authenticating a telnet user, the device sends authentication requests to a RADIUS server or servers. The RADIUS servers keep track of all user authentication and service access information. The RADIUS server returns authentication results to the device and the user is either allowed or denied access based on this information.

RADIUS servers are also used as the preferred server for 802.1x authentication. The

802.1x framework uses RADIUS messages for communication between the authenticator and the authentication server. For this purpose, RADIUS configuration includes a parameter that allows the RADIUS sever to be designated strictly as a user authentication server, an 802.1x authentication server, or both.

Feature Benefit

RADIUS servers allow the network operator to configure and control user accounts in one central location instead of having to configure accounts on every device on the network.

RADIUS enables access and authentication control to be very flexible in the way it regulates access.

Configuring RADIUS

RADIUS can be enabled/disabled either on a global basis or on a server by server basis.

By default RADIUS is globally enabled. When a RADIUS server is configured on the device, that server is enabled by default. The destination UDP port number for the server can also be specified. If it is not specified, the default port number of 1812 will be used. A specific priority that controls the order in which servers are contacted can be set for each server, if desired. The server priority continues sequentially and increases or decreases automatically so there are no gaps in server priority. If a new server is added without specifying a priority, it is assigned a priority based on the last server present in the list.

System Software Configuration Guide 6.5.0

125

S

ECURITY

RADIUS

In addition, the servers can be searched by their priority or cached value (last accessed).

Also, the authentication key can be specified in MD5 encrypted format rather than clear text.

Various attributes can be set that determine how the device interacts with configured

RADIUS servers:

Field

Timeout

Retries

Key

Description

Length of time, in seconds, that the device will wait for a response from the RADIUS server.

Number of times the client should attempt to contact the RADIUS server before declaring it unreachable.

The authentication string used to verify that the device is authorized to access the RADIUS server. The key must be between 8 and 128 characters in length and must be the same for all RADIUS servers specified.

The following example enters a RADIUS server, and then sets the global parameters for using RADIUS authentication.

NOTE: In the following example, configuration settings are verified by using show commands. Although these steps are listed as optional, it is good practice to verify command settings using these commands.

To configure a RADIUS server and client:

Step # Description

Step 1 Enable RADIUS globally.

Step 2 Add a RADIUS server.

Step 3 (Optional) set the RADIUS server’s attributes.

Step 4 (Optional) Verify RADIUS configurations.

Step 5 (Optional) Check the RADIUS server statistics.

Command

radius enable [server

<IpHostRadius>] radius add server <IpHost>

radius set

radius show [stats] radius show [stats]

126 System Software Configuration Guide 6.5.0

S

ECURITY

RADIUS

CLI Example:

> radius enable

> radius add server 10.10.10.100

> radius set server 10.10.10.100 use-for user-login

> radius set key 2manysecrets retries 2 timeout 2

> radius set search-method cached

> radius show

+-- RADIUS ATTRIBUTES --+

| Parameter | Value |

+-------------+---------+

| Admin State | Enabled |

| Oper State | Enabled |

| Retries | 3 |

| Timeout | 1 |

| Key | ******* |

| Search type | Cached |

+-------------+---------+

+------------------------------ RADIUS SERVER TABLE ---------------------------+

| IP Address | HostName |Pri |UDP |State| App |

| | | |Port | | |

+---------------+---------------------------------+----+-----+-----------------+

| 10.10.10.100 | | 1 |1812 | Ena | User-login|

+---------------+---------------------------------+----+-----+-----+-----------+

> radius show stats

+----------- Radius Server Statistics --------------+

+---------------------------------------------------+

| IP Address : 10.10.10.100 |

| Access Requests : 971 |

| Access Rejects : 0 |

| Access Accepts : 971 |

| Access Challenges : 0 |

| Access Retransmission : 0 |

| Bad Autheticators : 0 |

| Pending Requests : 0 |

| Packets Dropped : 0 |

| Malformed Responses : 0 |

+---------------------------------------------------+

NOTE: If the RADIUS server does not respond to requests or is not accessible, the only way to access the device is through SNMP/EMS unless you have configured the authorization provider to use the local database as a second priority authorization method.

System Software Configuration Guide 6.5.0

127

S

ECURITY

TACACS+

TACACS+

TACACS+ is a security protocol that performs the following AAA functions between a

Network Access Server (NAS) and an authentication server:

Authentication—Grants users access when they first log in to a device or request a service.

Authorization—Determines which actions users are allowed to perform when they do have access to a device. Authorization will be performed only if authentication was done by TACACS+.

• Accounting—Records user actions in order to perform security audits or for billing purposes. Accounting will be performed only if authentication was done by TACACS+.

The TACACS+ protocol client is supported where the device operates as a NAS. The

TACACS+ client can be configured to support up to 8 authentication, authorization and accounting servers via the CLI or SNMP. If a TACACS+ server is not configured, a locally configured password file is used for authentication. Local authentication is used only if the user authentication provider order is configured properly to allow for it.

NOTE: TACACS+ is not compatible with previous TACACS and XTACACS protocols.

Feature Benefit

TACACS+ provides an industry standard means of controlling AAA functions. It also provides security by using a shared key to encrypt information between the NAS and the authentication server.

Configuring TACACS+

TACACS+ can be enabled/disabled on a global basis, and can also be enabled on specific

Authentication, Authorization or Accounting servers. (Note that authentication must be enabled for Authorization or Accounting to be operational.)

NOTE: To configure TACACS+, you need to install the Advanced Security license key. To obtain the Advanced Ethernet license key, contact Ciena Sales.

By default TACACS+ is globally enabled, only Authentication is enabled, and no default

TACACS+ servers are configured. Up to 8 servers can be configured for each of the individual AAA functions and the global lists. If the authentication, authorization, or accounting server list cannot be used or has no specified servers, the global list will be used by default. The global list will also be used if no TACACS+ authentication, authorization or accounting servers are specified. In addition, the servers can be searched by their priority or cached value (last accessed).

Each TACACS+ server has a unique priority number within the specific AAA/or global list between 1 and 8, where 1 is the highest priority. The server priority continues sequentially and increases or decreases automatically so there are no gaps in server priority. If a new server is added without specifying a priority, it is assigned a priority based on the last server present in the list. In addition to priority, the TCP port number can be specified for each server. If it is not specified, the default port number of 49 is used.

128 System Software Configuration Guide 6.5.0

S

ECURITY

TACACS+

When performing authentication, the login password allows all ASCII values from 32 to 126 except ASCII 34 ("). This is because passwords that contain a space (ASCII 32) must be enclosed in quotes, and the quotes are removed prior to encryption. Also, spaces at the beginning or end of the password are discarded, and should not be used. In addition, the password can be specified as a secret (encrypted) as well as clear text.

Authentication will fail under the following circumstances:

• The TACACS server operational state is DISABLED

The number of authentication retries has been met

If all servers have been tried without success, or if a server rejects the user credentials, then the authentication is considered to have failed. The user login/authentication attempt is denied.

Authenticated users can execute commands and their associated arguments, and these are passed as fully expanded CLI commands to the TACACS+ server. Attribute-Value types other than "cmd" and "cmd-arg" are not supported.

When session and command accounting are enabled, start and stop messages are sent for each login session and command that is executed. TACACS+ statistics can be viewed and cleared.

The following example creates 3 TACACS+ servers to be used for authentication, sets the global parameters for using TACACS+ authentication, and then enables AAA.

NOTE: In the following example, configuration settings are verified by using show commands. Although these steps are listed as optional, it is good practice to verify command settings using these commands.

To configure TACACS+:

Step # Description

Step 1 Configure the list of TACACS+ servers.

Step 2 Enable TACACS+ globally.

Step 3 Set the global TACACS+ attributes.

Step 4 Enable authentication.

Step 5 Enable authorization.

Step 6 Enable accounting.

Step 7 Enable or disable Syslog.

Step 8 (Optional) Verify TACACS+ configurations.

Command

tacacs add server <IP address or host name>

tacacs enable [server <IP address or host name>] tacacs set

tacacs authentication

<disable|enable> tacacs authorization

<disable|enable>

tacacs accounting

<disable|enable>

tacacs syslog

<disable|enable>

tacacs show [statistics]

System Software Configuration Guide 6.5.0

129

S

ECURITY

IP Access Control Lists

CLI Example:

> tacacs add server 10.10.10.100

> tacacs add server 10.10.10.200

> tacacs enable

> tacacs set key 543432

> tacacs set retries 2

> tacacs set timeout 24

> tacacs set privilegelvlrw 3

> tacacs set server 10.10.10.200 priority 1

> tacacs authentication enable

> tacacs authorization enable

> tacacs accounting enable

IP Access Control Lists

An IP Access Control List (IP-ACL) provides basic security for IP Protocols that terminate within the device. When IP-ACLs are enabled, the IP source address and (optionally) the ingress physical port number of incoming IP frames are compared to an ACL that defines combinations that are allowed to communicate with the device. Frames containing items that do not match a configured ACL entry are discarded.

NOTE: Be careful to not enable the IP-ACL feature without ensuring that the IP addresses/subnets are configured correctly or you have local or serial access to the device, as you might not be able to reach the device once IP-ACLs are enabled. This can affect all communications to the remote management interface which includes TWAMP,

SNMP, MPLS signalling, etc.

Feature Benefit

IP-ACLs control inbound access to the device, preventing unauthorized IP addresses from communicating with the device.

Configuring IP-ACL

The IP-ACL feature is controlled via a global enable setting. When the feature is disabled, incoming frames are not examined. When enabled, a default drop entry is enabled, with individual IP-ACL entries specifying exceptions to the drop entry. Incoming frames are then tested against a table of configured IP-ACL entries to determine their eligibility for further processing.

IP-ACL entries can be added to the table and must contain, at a minimum, an IP source address (IP-SA) and IP mask (IP-MASK). A list of allowed ingress ports can optionally be specified when an IP-ACL entry is added. This list defines which specific hardware ports of the device the frame can be accepted from. A port list can be specified as a single port number, a comma separated list of port numbers, a port range, or some combination of these. If not specified, frames can ingress from any valid port.

The IP address and IP mask information for interfaces that are configured on the device can be imported into the IP-ACL access list table. This way, the IP-ACL table can be preloaded to avoid being locked out of the device when the IP-ACL feature is enabled.

Existing IP-ACL entries can be modified to alter their optional parameters, but not their

IP-SA or IP-MASK. Existing IP-ACL entries can be removed by specifying their IP-SA and IP-

MASK.

130 System Software Configuration Guide 6.5.0

S

ECURITY

IP Access Control Lists

To configure IP-ACL:

Step # Description

Step 1 Configure an ACL.

Step 2 Enable IP-ACL globally.

Step 3 (Optional) View the IP-ACL configuration.

Step 4 (Optional) Import the IP addresses and IP mask of configured interfaces.

Step 5 (Optional) Clear IP-ACL statistics.

Command

interface ip-acl add

interface ip-acl enable interface ip-acl show interface ip-acl import interface ip-acl clear statistics

CLI Example:

In this example, there is only 1 host IP address that can match this ACL:

> interface ip-acl add ip 10.10.10.100 netmask 255.255.255.255

> interface ip-acl enable

> interface ip-acl show

> interface ip-acl clear statistics

In this example, the valid hosts range from 10.10.10.1 through 10.10.10.255 and source from either port 27 or port 28:

> interface ip-acl add ip 10.10.10.0 netmask 255.255.255.0 port 27,28

> interface ip-acl enable

In this example, the IP addresses and IP mask of configured interfaces are imported into the IP ACL list:

> interface ip-acl import

> interface ip-acl enable

System Software Configuration Guide 6.5.0

131

S

ECURITY

IP Access Control Lists

132 System Software Configuration Guide 6.5.0

Chapter

Configuring Broadcast Containment

• • • • • •

13

At a Glance:

Overview

Benefits

Configuring Broadcast Containment

Troubleshooting

This chapter how to configure broadcast containment.

Overview

Broadcast containment prevents services from being disrupted by broadcast storms on specified ports. A broadcast storm occurs when broadcast packets flood the network, creating excessive traffic and degrading performance. When a broadcast filter is created and one or more ports are added to it, the device monitors incoming broadcast packets for a specified period of time. Broadcast packets exceeding the configured threshold are dropped. SNMP traps are sent when the configured broadcast threshold is exceeded and when broadcast traffic goes below the configured threshold.

The system software supports containment rates for the following flood traffic types:

Unknown unicast traffic

• Layer 2 Broadcast traffic

Layer 2 Unknown Multicast traffic

Benefits

Broadcast containment prevents services from being disrupted by Layer 2 broadcast storms and Denial of Service (DoS) attack.

System Software Configuration Guide 6.5.0

133

C

ONFIGURING

B

ROADCAST

C

ONTAINMENT

Configuring Broadcast Containment

Configuring Broadcast Containment

The system software supports one broadcast containment filter for each port.

NOTE: To enable broadcast containment commands, the Advanced Ethernet feature license must be installed with the software license install command.

Enabling and Disabling Broadcast Containment

By default, broadcast containment is disabled.

To enable broadcast containment:

broadcast-containment enable

Example:

> broadcast-containment enable

To disable broadcast containment:

broadcast-containment disable

Example:

> broadcast-containment disable

Creating a Broadcast Containment Filter

When creating a broadcast containment filter, you specify a filter name and set the containment rate. These attributes are as follows:

filter - Unique name for the broadcast containment filter.

kbps- Rate from 0-10000000 in kilobits per second.

port - List of ports to apply the filter to.

containment-classification - Specifies one or more flood traffic types to filter,

Unknown unicast traffic (unknown-ucast), Layer 2 Broadcast traffic (bcast), or Layer 2

Unknown Multicast traffic (l2-mcast). By default, the filtered traffic types are Layer 2

Broadcast traffic (bcast) and Layer 2 Unknown Multicast traffic (l2-mcast).

NOTE: If you downgrade to a software release prior to 6.5, any containment classification settings you configure will be lost, and filtered traffic types will revert to Layer 2

Broadcast traffic (bcast) and Layer 2 Unknown Multicast traffic (l2-mcast).

The maximum number of filters that can be created per platform is as follows:

CN 3911 - 15

• CN 3920 - 18

CN 3940 and CN 5140 - 36

• CN 3960 - 18

134 System Software Configuration Guide 6.5.0

C

ONFIGURING

B

ROADCAST

C

ONTAINMENT

Configuring Broadcast Containment

To create a broadcast containment filter:

broadcast-containment create {filter <String [15]>} [kbps <NUMBER: 0-10000000>]

[port <PortNameList>] [containment-classification <[bcast],[l2-mcast],[unknownucast]>]

Example:

> broadcast-containment create filter denial kbps 2000 port 1

Setting Broadcast Containment Filter Attributes

After creating a filter, you can update the containment rate and rename it.

To set broadcast containment profile attributes:

broadcast-containment set {filter <FilterName>} kbps <NUMBER: 0-10000000> name

<String [15]> <[bcast],[l2-mcast],[unknown-ucast]>]

Example:

> broadcast-containment set filter denial kbps 1000 containment-classification bcast,l2-mcast,unknown-ucast

Deleting a Broadcast Containment Filter

You can delete a broadcast containment filter.

To delete a broadcast containment filter:

broadcast-containment delete {filter <String>}

Example:

> broadcast-containment delete filter denial

Adding Ports to a Broadcast Containment Filter

After creating a broadcast containment filter, you can add additional ports to it.

NOTE: Multiple ports can be added to a filter, but only one filter may be applied to a specific port at a time. Also, when multiple ports are added to a filter, the bandwidth for the filter is shared among the ports.

To add a port to a broadcast containment filter:

broadcast-containment add filter <String> port <PortNameList>

Example:

> broadcast-containment add filter denial port 5

Removing Ports from a Broadcast Containment Filter

You can remove ports from a broadcast containment filter.

System Software Configuration Guide 6.5.0

135

C

ONFIGURING

B

ROADCAST

C

ONTAINMENT

Configuring Broadcast Containment

To add a port to a broadcast containment filter:

broadcast-containment remove filter <String> port <PortNameList>

Example:

> broadcast-containment add filter denial port 5

Sample Configuration

The following example creates a Broadcast Containment filter that limits the number of broadcast packets received on port 10 to 2000 kbps.

To configure broadcast containment:

Step # Description

Step 1 Enable broadcast containment.

Command

broadcast-containment enable

Step 2 Create the broadcast containment filter.

broadcast-containment create

Step 2, 3, and 4 may be combined into a single step.

Step 3 Set the containment rate and classification for the filter.

broadcast-containment set

Step 4 Add port 10 to the filter.

broadcast-containment add

CLI Example:

1. > broadcast-containment enable

2. > broadcast-containment create filter denial

3. > broadcast-containment set filter denial kbps 2000 containment-classification l2mcast

4. > broadcast-containment add filter denial port 10

136 System Software Configuration Guide 6.5.0

C

ONFIGURING

B

ROADCAST

C

ONTAINMENT

Troubleshooting

Troubleshooting

Displaying Broadcast Containment Filters

To display broadcast containment status and a summary of broadcast containment filters:

broadcast-containment show

Example:

> broadcast-containment show

+--------- Broadcast Containment Globals --------+

| Parameter | Value |

+-------------------------+----------------------+

| Admin Status | Enabled |

+-------------------------+----------------------+

+--------- Broadcast Containment Filters --------+

| Filter | | |

| Name | ID | Kbps | Dropping |

+-----------------+-------+-----------+----------+

| Denial | 1 | 2000 | No |

+-----------------+-------+-----------+----------+

To display details about a specific broadcast containment filter:

broadcast-containment show [filter <FilterName>]

Example:

> broadcast-containment show filter denial

+------------ Broadcast Containment Filter -----------+

| Parameter | Value |

+----------------------------------+------------------+

| Filter Name | denial |

| Index | 1 |

| Kilobits Per Second (Kbps) | 2000 |

| Broadcast | Off |

| L2 Multicast | On |

| Unknown Unicast | Off |

+----------------------------------+------------------+

+--------------- Associated Members ------------------+

| |

| Port 10 |

+----------------------------------+------------------+

To display filter membership for specified ports:

broadcast-containment show [port <PortNameList>]

System Software Configuration Guide 6.5.0

137

C

ONFIGURING

B

ROADCAST

C

ONTAINMENT

Troubleshooting

Example:

> broadcast-containment show port 1

+--------------------------- Port Filters ---------------------------+

| Port | Filter |

| Name | Description | Name | ID |

+-----------------+-----------------------+-----------------+--------+

| 1 | test | denial | 1 |

+-----------------+-----------------------+-----------------+--------+

Displaying Broadcast Containment Configuration in the Configuration File

Broadcast containment configuration is saved to the configuration file in the BCAST

FILTER CONFIG: section.

To display broadcast containment configuration in the configuration file:

> configuration show

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! NETWORK CONFIG: vlans!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! BCAST FILTER CONFIG:

!

broadcast-containment create filter denial kbps 2000

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

138 System Software Configuration Guide 6.5.0

Chapter

Quality of Service

• • • • • •

14

At a Glance:

Overview

Ingress Resolved COS Mapping

Traffic Profiling

Ingress R-CoS to Egress CoS Queue

Mapping

Congestion Avoidance

Egress Scheduling

Egress Shaping

Configuring Frame Bandwidth

Calculation

This chapter details Quality of Service (QoS) features of the system software. QoS refers to the management of bandwidth to ensure that network traffic is allocated the desired amount of network resources.

Overview

This chapter describes the mechanisms for managing bandwidth, including:

Ingress Resolved Class of Service Mapping - applies a Resolved CoS Policy.

Traffic Profiling - provide ingress traffic classification and metering.

NOTE: To configure traffic profiling, you need to install the Advanced Ethernet license key. To obtain the Advanced Ethernet license key, contact Ciena Sales.

• Ingress R-CoS to Egress CoS queue mapping — assigns traffic to CoS queues based upon

R-CoS values.

• Congestion avoidance processing — method for managing CoS queue traffic when congestion occurs on egress.

NOTE: To enable configurable congestion avoidance, you need to install the Advanced

Ethernet license key. To obtain the Advanced Ethernet license key, contact Ciena Sales.

• Egress Scheduling — determines the order in which the physical queues are processed.

Egress Shaping - controls bandwidth for taking frames out of queues at egress.

• Configurable frame bandwidth calculation — configure whether to use the inter-framegap (IFG) in the calculations for ingress metering and egress shaping.

System Software Configuration Guide 6.5.0

139

Q

UALITY OF

S

ERVICE

Ingress Resolved COS Mapping

Ingress Resolved COS Mapping

The system software associates an internal Resolved CoS (R-CoS) value and Resolved Color

(R-COLOR) with every ingress frame that classifies to a port. The R-CoS and R-COLOR values provide the baseline for CoS treatment of a frame as it switches through the device. The R-CoS value ranges from 0-7, where 7 has the highest priority and 0 has the lowest priority. R-COLOR values are green, yellow or red. The initial R-CoS and R-Color values depend upon the configuration of the Resolved CoS Policy.

NOTE: The Resolved CoS policy on a port is ignored when it is involved in one or more virtual switch (subscriber) memberships. With that configuration, the R-CoS is determined by the encap CoS policy (and priority) that is configured at the virtual switch.

However, when the encap CoS policy configured on a Virtual Switch Member is portinherit, the Resolved Cos Policy is not ignored.

140

Configuring Resolved CoS Policies

The Resolved CoS Policy defines how the internal R-CoS value is determined and is applied per port as follows:

Fixed (fixed-cos)- CoS values in the frame are ignored and fixed R-CoS and R-COLOR are applied to the frame from the Fixed Resolved CoS value for the port. When this policy is applied, CoS mapping is in untrusted mode. The default Fixed Resolved CoS value is 0.

Outer .1D mapped (dot1d-tag1-cos)- The PCP/L2 CoS value from the outer-tag is mapped to an R-CoS value derived from the Resolved CoS Mapping table. When this policy is applied, CoS mapping is in trusted mode.

Layer 3 DSCP CoS (l3-dscp-cos) - The Differentiated Services Code Point CoS value from the Layer 3 Type Of Service (TOS) byte is mapped to an R-CoS value from the Resolved

CoS Mapping table. When this policy is applied, CoS mapping is in trusted mode.

The default Resolved CoS Policy for all ports is Outer .1D mapped. The default Resolved

CoS Map is shown in Table 14-1, in this chapter.

Table 14-1: Default Resolved Cos Map

PCP/L2 CoS Type Frame CoS

2

3

0

1

6

7

4

5

Untagged

2

3

0

1

6

7

4

5

Untagged

R-CoS R-Color

2

3

0

1

Green

Green

Green

Green

6

7

4

5

Green

Green

Green

Green

Ingress port fixed .1D value

Green

System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Ingress Resolved COS Mapping

To set the Resolved CoS Policy:

port set port <PortNameList> [resolved-cos-policy <dot1d-tag1-cos|fixed-cos|l3-dscp-cos>]

Example:

> port set port 1 resolved-cos-policy dot1d-tag1-cos

To set the Fixed Resolved CoS:

port set port <PortNameList> [fixed-rcos <NUMBER: 0-7]

Example:

> port set port 1 resolved-cos-policy dot1d-tag1-cos

To display the Resolved CoS Policy and Fixed Resolved CoS settings of a port:

port show port <PortName>

Example:

> port show port 1

+---------------------------- PORT INFO ------------------------------+

| Field | Admin | Oper |

+-------------------------+---------------------+---------------------+

| Type | 10/100/G |

| Description | |

| Spanning Tree State | Disabled |

| MAC Address | 00:03:18:43:de:b2 |

| Phy Loopback | Off |

| Link State | Enabled | Disabled |

| State Group Link State | | |

| Mode | rj45 | unknown |

| Speed | 1 Gbps | 0 Gbps |

| Duplex | full | |

| Flow Control | off | |

| Auto Negotiation | Enabled | |

| Flow Control Advertised | off | |

| PVID | 1 | 1 |

| Untag Ingress Vtag | 1 | 1 |

| Untag Ingress Data Vid | 0 | 0 |

| Fixed Resolved CoS | 0 | 0 |

| Ingress VLAN Filter | Enabled | Enabled |

| Ingress VS Filter | Off | Off |

| Acceptable Frame Type | all | all |

| Egress Untag VLAN | 1 | 1 |

| Max Frame Size | 1526 | 1526 |

| Untagged Data VS | | |

| Untagged Ctrl VS | | |

| Resolved CoS Policy | dot1d-tag1-cos | dot1d-tag1-cos |

| Service Port Type | Subscriber | Subscriber |

| Eth VC EtherType | 8100 | 8100 |

| Eth VC EtherType Policy | all | all |

| Mirror-port | Off | Off |

| Ingress-mirror | | |

| Egress-mirror | | |

| Ingress to Egress QMap | Default-RCOS | Default-RCOS |

| XCVR caps mismatch | <NONE> |

+-------------------------+---------------------+---------------------+

System Software Configuration Guide 6.5.0

141

Q

UALITY OF

S

ERVICE

Traffic Profiling

Traffic Profiling

Traffic profiling classifies ingress traffic based upon each frame’s CoS value and compares the traffic flow to a configured Committed Information Rate (CIR) and Peak Information

Rate (PIR) defined in kilobits per second (kbps). Depending upon how the traffic flow compares to these rates, the R-COLOR of each frame is set to a specific value upon ingress. Traffic ingressing at a rate:

Up to CIR will be marked Green and allowed through.

Above CIR and less than PIR will be marked Yellow and allowed through.

Above PIR will be marked Red and dropped.

NOTE: On a 100 Mbps port the CIR cannot be set to the full amount of physical bandwidth of the port (100 Mbps). This is because 1 Mb of bandwidth is reserved for the ingress and egress of BPDUs and other high priority traffic. To commit all of the physical bandwidth to a CIR could create a serious condition in which the device does not receive critical frames. To avoid this issue, the CIR should only be configured to a maximum of 99 Mbps.

Enabling and Disabling Traffic Profiling

Traffic profiling can be enabled per port and globally. By default, traffic profiling is disabled both globally and per port.

To enable traffic profiling:

traffic-profiling enable [port <PortNameList>]

To display the global and per port status of traffic profiling:

traffic-profiling show

Example:

> traffic-profiling show

+------------ TRAFFIC PROFILING GLOBAL TABLE -----------+

| Profiling Status | Disabled |

+-------------------------------------------------------+

+-------------- PORT TRAFFIC PROFILE TABLE -------------+

| Port | Status | Mode |

| | Admin | Oper | |

+----------+----------+----------+----------------------+

| 1 | Disabled | Disabled | standard-dot1dpri |

| 2 | Disabled | Disabled | standard-dot1dpri |

| 3 | Disabled | Disabled | standard-dot1dpri |

| 4 | Disabled | Disabled | standard-dot1dpri |

| 5 | Disabled | Disabled | standard-dot1dpri |

| 6 | Disabled | Disabled | standard-dot1dpri |

| 7 | Disabled | Disabled | standard-dot1dpri |

| 8 | Disabled | Disabled | standard-dot1dpri |

| 9 | Disabled | Disabled | standard-dot1dpri |

| 10 | Disabled | Disabled | standard-dot1dpri |

+----------+----------+----------+----------------------+

142 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Traffic Profiling

Configuring Per Port Attributes

Traffic profiling can be configured per port with the following attributes:

arp-standard-profile - Sets whether non-conforming ARP frames are associated with an existing standard profile or bypass traffic profiling. ARP frames are treated specially because they are required for IP networks to function. Dropping ARP frames would result in breaking an IP network.The default setting is bypass.

meter-pool - A meter pool provides the meter resources for traffic profiles. The system provides 8 meter pools with each containing 64 meters. A single traffic profile consumes 1 meter. You can change the meter pool for a given port as long as there are enough resources in the newly assigned meter pool. A given port can only be assigned to one meter pool.

mode - The mode sets the inspection point for the remarking:

standard-dot1dpri - Finds a matching traffic profile using 802.1D priority. This mode is the default.

standard-ip-prec - Finds a matching profiling using the upper 3 bits of the TOS byte that make up the IP precedence.

standard-dscp- Finds a matching profiling using the DSCP value.

standard-vlan - Finds a matching profiling based upon the VLAN ID.

standard-vlan-dot1dpri - Finds a matching profiling based upon the VLAN ID and outer .1D priority value in the frame.

standard-vlan-ipp - Finds a matching profiling based upon the VLAN ID and ipprecedence value in the frame.

standard-vlan-dscp - Finds a matching profiling based upon the VLAN ID and the

DSCP value in the frame.

nonconform-standard-profile - Sets whether non-conforming frames (that are not

ARP) are associated with a standard profile or dropped. Non-conforming frames are those ingressing frames that do not match one of the configured per-port traffic profiles. For example, non-conforming 802.1D priority frames are those frames that do not have a matching 802.1D priority configured in one of the traffic profiles. The same applies to DSCP (no matching 6 bit code point), and IP-Precedence (no matching 3 bit

IP Precedence value). Note that certain frames, such as ARPs and non-IP frames, will always be non-conforming because these frames do not contain the DSCP field. The default setting is drop.

To set the per port attributes:

traffic-profiling set port <PortName> {[arp-standard-profile <bypass|<Traffic

ProfilingStandardName>], [meter-pool <TrafficProfilingMeterPoolName>], [mode <standarddot1dpri|standard-ip-prec|standard-dscp|standard-vlan|standard-vlan-dot1dpri|standard-vlanipp|standard-vlan-dscp], [nonconform-standard-profile

<drop|<TrafficProfilingStandardName>>]}

Example:

> traffic-profiling set port 1 arp-standard-profile bypass meter-pool TP-POOL1 mode standardvlan nonconform-standard-profile drop

To display per port attributes:

traffic-profiling show

System Software Configuration Guide 6.5.0

143

Q

UALITY OF

S

ERVICE

Traffic Profiling

Example:

> traffic-profiling show port 1

+---------------- TRAFFIC PROFILING TABLE -------------------+

| Port | 1 |

| Profiling Admin State | Disabled |

| Profiling Oper State | Disabled |

| Profiling Mode | standard-dot1dpri |

| Meter Pool | TP-POOL3 |

| Non-Conform Standard Profile | drop |

| ARP Standard Profile | bypass |

+------------------------------------------------------------+

To display meter pool assignments for all ports:

traffic-profiling show meter-pool

Example on CN 3920:

> traffic-profiling show meter-pool

+----------- TRAFFIC-PROFILING METER-POOL MAP ----------+

| Meter-Pool | Ports |Total | Used |

+------------------+----------------------+------+------+

| TP-POOL1 | | 64 | 0 |

+------------------+----------------------+------+------+

| TP-POOL2 | | 64 | 0 |

+------------------+----------------------+------+------+

| TP-POOL3 | 1 2 | 64 | 0 |

+------------------+----------------------+------+------+

| TP-POOL4 | 3 4 | 64 | 0 |

+------------------+----------------------+------+------+

| TP-POOL5 | 5 6 | 64 | 0 |

+------------------+----------------------+------+------+

| TP-POOL6 | 7 8 | 64 | 0 |

+------------------+----------------------+------+------+

| TP-POOL7 | 9 10 | 64 | 0 |

+------------------+----------------------+------+------+

| TP-POOL8 | 11 12 | 64 | 0 |

+------------------+----------------------+------+------+

Configuring Standard Profiles

Standard profiles define the CoS values for classification and metering rates. You can configure up to 64 standard profiles per port with a maximum of 512 standard profiles per system and a maximum of 64 profiles per metering pool:

profile - If a name is specified and Profile ID is not, a Profile ID will be automatically picked for the traffic profile.

dot1dpri - Classifies to the traffic profile based on 802.1d priority value ranging 0-7.

Up to 8 classifiers are supported per port. (Optional)

ip-prec - Classifies to the traffic profile based on IP precedence value ranging 0-7. Up to 8 classifiers are supported per port.(Optional)

dscp - Classifies to the traffic profile based on DSCP. Up to 60 classifiers are supported per port.(Optional)

dscp-remark-policy - IPv4 frames that classify to the traffic profile will have the DSCP value marked with a fixed value, or leave as is.

fixed-dscp - Fixed DSCP value to use when remarking an IPv4 frame for a traffic profile with a dscp-remark-policy of fixed.

cir - Committed information rate. (Mandatory, if PIR is not specified)

pir - Peak information rate. (Mandatory, if CIR is not specified)

144 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Traffic Profiling

cbr - Committed burst size.

ebs - Excess burst size.

name - Traffic profile name with up to 15 characters. If you do not specify a name, one is automatically created for the profile number (STD#1 through STD#64).

vlan - Classifies to the traffic profile based on VLAN ID. One VLAN classifier is supported per port per profile. (Optional)

NOTE: The configured CIR and PIR will always normalize to the rate equal to or greater than the configured value in 64 kilobit increments in order to be processed by the hardware.

To create a standard profile:

traffic-profiling standard-profile create {port <PortNameList>} [profile <ProfileNumber>]

[dot1dpri <NUMBER LIST: 0-7>] [ip-prec <NUMBER LIST: 0-7>] [dscp <NUMBER LIST: 0-63>] [fixeddscp <0-63>] {[cir <kbps>], [pir <kbps>], [cbs <kbytes>], [ebs <kbytes>]} [name

<TrafficProfilingStandardName[15]>] [vlan <VLAN>]

Example:

> traffic-profiling standard-profile create port 1 profile 1 cir 128 pir 128 ip-prec 1 dscp 1

To delete a standard profile:

traffic-profiling standard-profile delete {port <PortNameList>} {profile <NUMBER: 1-8>}

To set attributes for a standard profile:

traffic-profiling standard-profile set {port <PortName>} {profile <ProfileNumber>} {[dot1dpri

<NUMBER LIST: 0-7>] [ip-prec <NUMBER LIST: 0-7>] [dscp <NUMBER LIST: 0-63>] [dscp-remarkpolicy <leave | fixed'>] [fixed-dscp <0-63>] {[cir <NUMBER>], [pir <NUMBER>]} [cbs <kbytes>],

[ebs <kbytes>]} [name <TrafficProfilingStandardName[15]>] [vlan <VLAN>] [vlan <VLAN>]

Example:

> traffic-profiling standard-profile set port 1 profile 1 dot1dpri 1

To remove classification attributes for a standard profile:

traffic-profiling standard-profile unset {port <PortNameList>} {profile

<TrafficProfilingStandardName[15]>} [dot1dpri <NUMBER LIST: 0-7>] [ip-prec <NUMBER LIST: 0-

7>] [dscp <NUMBER LIST: 0-63>] [vlan]

Example:

> traffic-profiling standard-profile unset port 1 profile 1 dot1dpri 1

To display a summary of standard traffic profiles:

traffic-profiling standard-profile show

System Software Configuration Guide 6.5.0

145

Q

UALITY OF

S

ERVICE

Traffic Profiling

Example:

> traffic-profiling standard-profile show

+--------------------------- STANDARD PROFILE TABLE ---------------------------+

| Port | Profile | BW (Kbps) | CLASSIFIERS |

| |ID| Name | CIR | PIR | |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |1 |STD#1 |128 |128 | IPP| 1 |

| | DSC| 1 |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |2 |STD#2 |0 |256 | |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 2 |3 |STD#3 |1024 |1024 | IPP| 1 |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 2 |4 |STD#4 |0 |256 | |

+--------+--+---------------+-------+-------+----+-----------------------------+

To display standard profiles associated with a specified port:

traffic-profiling standard-profile show [port <PortName>]>

Example:

> traffic-profiling standard-profile show port 1

+--------------------------- STANDARD PROFILE TABLE ---------------------------+

| Port | Profile | BW (Kbps) | CLASSIFIERS |

| |ID| Name | CIR | PIR | |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |1 |STD#1 |128 |128 | IPP| 1 |

| | DSC| 1 |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |2 |STD#2 |0 |256 | |

+--------+--+---------------+-------+-------+----+-----------------------------+

To clear statistics for all standard profiles:

traffic-profiling standard-profile clear statistics

Example:

> traffic-profiling standard-profile clear statistics

To display statistics for all standard profiles:

traffic-profiling standard-profile show [statistics]

Example:

> traffic-profiling standard-profile show statistics

+------------------- STANDARD PROFILE TABLE ------------------+

| Port | Profile | Statistics |

| |ID| Name | Type Bytes |

+--------+--+---------------+---------------------------------+

| 1 |1 |STD#1 | Accepted 0 |

| | | | Dropped 0 |

+--------+--+---------------+---------------------------------+

| 1 |2 |STD#2 | Accepted 0 |

| | | | Dropped 0 |

+--------+--+---------------+---------------------------------+

146 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Traffic Profiling

Configuring Per-Port Traffic Profiling

The configuration example in this section shows how to configure per-port traffic profiling to meter ingress traffic based upon 802.1D priority.

Configuration steps:

Step # Description

Step 1

Step 2

Enable traffic profiling globally.

Enable traffic profiling on port 1.

Command

traffic-profiling enable traffic-profiling enable port <PortName>

Step 3 Confirm the global configuration (optional).

Step 4

Set traffic profiling mode on port 1 to standarddot1dpri (default)

.

Step 5 Confirm the per port configuration for port 1.

traffic-profiling show traffic-profiling set port

<PortName> traffic-profiling show port <PortName>

Step 6 Create Traffic profile 1 on port 1 with CIR 3,000Kbps and

PIR 3,200Kbps, dot1dpri 0,1,2.

traffic-profiling standard-profile create

Step 7 Create Traffic profile 2 on port 1 with CIR 3,000Kbps and

PIR 3,200Kbps, dot1dpri 3,4,5.

traffic-profiling standard-profile create

Step 8 Create Traffic profile 3 on port 1 with CIR 2,000Kbps and

PIR 2,432Kbps, dot1dpri 6,7.

traffic-profiling standard-profile create

Step 9 Display the traffic profiles associated with port 1

(Optional). traffic-profiling standard-profile show port

<PortName>

Example:

1. > traffic-profiling enable

2. > traffic-profiling enable port 1

3. > traffic-profiling show

+------------ TRAFFIC PROFILING GLOBAL TABLE -----------+

| Profiling Status | Enabled |

+-------------------------------------------------------+

+-------------- PORT TRAFFIC PROFILE TABLE -------------+

| Port | Status | Mode |

| | Admin | Oper | |

+----------+----------+----------+----------------------+

| 1 | Enabled | Enabled | standard-dot1dpri |

| 2 | Disabled | Disabled | standard-dot1dpri |

| 3 | Disabled | Disabled | standard-dot1dpri |

| 4 | Disabled | Disabled | standard-dot1dpri |

| 5 | Disabled | Disabled | standard-dot1dpri |

| 6 | Disabled | Disabled | standard-dot1dpri |

| 7 | Disabled | Disabled | standard-dot1dpri |

| 8 | Disabled | Disabled | standard-dot1dpri |

| 9 | Disabled | Disabled | standard-dot1dpri |

| 10 | Disabled | Disabled | standard-dot1dpri |

+----------+----------+----------+----------------------+

System Software Configuration Guide 6.5.0

147

Q

UALITY OF

S

ERVICE

Traffic Profiling

4. > traffic-profiling set port 1 mode standard-dot1dpri

5. > traffic-profiling show port 1

+---------------- TRAFFIC PROFILING TABLE -------------------+

| Port | 1 |

| Profiling Admin State | Enabled |

| Profiling Oper State | Enabled |

| Profiling Mode | standard-dot1dpri |

| Non-Conform Standard Profile | drop |

| ARP Standard Profile | bypass |

| Meter Pool | TP-POOL1 |

+------------------------------------------------------------+

6. > traffic-profiling standard-profile create port 1 profile 1 cir

3000 pir 3200 dot1dpri 0,1,2

7. > traffic-profiling standard-profile create port 1 profile 2 cir

3000 pir 3200 dot1dpri 3,4,5

8. > traffic-profiling standard-profile create port 1 profile 3 cir

2000 pir 2432 dot1dpri 6,7

9. > traffic-profiling standard-profile show port 1

+--------------------------- STANDARD PROFILE TABLE ---------------------------+

| Port | Profile | BW (Kbps) | CLASSIFIERS |

| |ID| Name | CIR | PIR | |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |1 |STD#1 |3008 |3200 | .1D| 0 1 2 |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |2 |STD#2 |3008 |3200 | .1D| 3 4 5 |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |3 |STD#3 |2048 |2432 | .1D| 6 7 |

+--------+--+---------------+-------+-------+----+-----------------------------+

148 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Traffic Profiling

Configuring Per-Port and Per-VLAN Traffic Profiling

The configuration example in this section shows how to configure per-port and per-VLAN traffic profiling to meter ingress traffic based upon VLAN tag. Port 1 is the UNI port and port 9 is the NNI port.

Configuration steps:

Step # Description

Step 1 Enable traffic profiling globally.

Command

traffic-profiling enable

Step 2 Enable traffic profiling on UNI port 1.

traffic-profiling enable port <PortName>

Step 3

Set traffic profiling mode on port 1 to standardvlan

.

Step 4 Confirm the global configuration (optional).

traffic-profiling set port

<PortName> traffic-profiling show

Step 5 Confirm the per port configuration for port 1.

traffic-profiling show port <PortName>

Step 6 Create VLAN 1001, 1002, 1003.

Step 7 Add port 1 and 9 to VLAN1001, 1002, 1003.

vlan create vlan add vlan <VlanList> port <PortNameList>

Step 8 Confirm the VLAN configuration (optional).

Step 9 Create Traffic profile 1 on port 1 with CIR 100 kbps and

PIR 1024 Kbps, and classifier VLAN 1001.

vlan show traffic-profiling standard-profile create

Step 10 Create Traffic profile 2 on port 1 with CIR 100 kbps and

PIR 1024 Kbps, and classifier VLAN 1002.

traffic-profiling standard-profile create

Step 11 Create Traffic profile 3 on port 1 with CIR 100 kbps and

PIR 1024 Kbps, and classifier VLAN 1003.

Step 12 Display the traffic profiles associated with port 1

(Optional). traffic-profiling standard-profile create traffic-profiling standard-profile show port

<PortName>

1. > traffic-profiling enable

2. > traffic-profiling enable port 1

System Software Configuration Guide 6.5.0

149

Q

UALITY OF

S

ERVICE

Traffic Profiling

150

3. > traffic-profiling show

+------------ TRAFFIC PROFILING GLOBAL TABLE -----------+

| Profiling Status | Enabled |

+-------------------------------------------------------+

+-------------- PORT TRAFFIC PROFILE TABLE -------------+

| Port | Status | Mode |

| | Admin | Oper | |

+----------+----------+----------+----------------------+

| 1 | Enabled | Enabled | standard-dot1dpri |

| 2 | Disabled | Disabled | standard-dot1dpri |

| 3 | Disabled | Disabled | standard-dot1dpri |

| 4 | Disabled | Disabled | standard-dot1dpri |

| 5 | Disabled | Disabled | standard-dot1dpri |

| 6 | Disabled | Disabled | standard-dot1dpri |

| 7 | Disabled | Disabled | standard-dot1dpri |

| 8 | Disabled | Disabled | standard-dot1dpri |

| 9 | Disabled | Disabled | standard-dot1dpri |

| 10 | Disabled | Disabled | standard-dot1dpri |

+----------+----------+----------+----------------------+

4. > traffic-profiling set port 1 mode standard-vlan

5. > traffic-profiling show port 1

+---------------- TRAFFIC PROFILING TABLE -------------------+

| Port | 1 |

| Profiling Admin State | Enabled |

| Profiling Oper State | Enabled |

| Profiling Mode | standard-vlan |

| Non-Conform Standard Profile | drop |

| ARP Standard Profile | bypass |

| Meter Pool | TP-POOL1 |

+------------------------------------------------------------+

6. > vlan create vlan 1001-1003

...This may take a while depending upon the VLAN range...

7. > vlan add vlan 1001-1003 port 1,9

...This may take a while depending upon the VLAN range...

8. > vlan show

+-----------------------------------------------------------------------------+

|VLAN| | Ports 1 |

| ID | VLAN Name |1234567890 |

+----+--------------------------------+---------------------------------------+

| 1|Default |xxxxxxxxxx |

| 127|VLAN#127 | xx |

| 270|Mgmt | x |

|1001|VLAN#1001 |x x |

|1002|VLAN#1002 |x x |

|1003|VLAN#1003 |x x |

+----+--------------------------------+---------------------------------------+

9. > traffic-profiling standard-profile create port 1 profile 1 cir

100 pir 1024 vlan 1001

10.> traffic-profiling standard-profile create port 1 profile 2 cir

100 pir 1024 vlan 1002

System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Ingress R-CoS to Egress CoS Queue Mapping

11.> traffic-profiling standard-profile create port 1 profile 3 cir

100 pir 1024 vlan 1003

12.> traffic-profiling standard-profile show port 1

+--------------------------- STANDARD PROFILE TABLE ---------------------------+

| Port | Profile | BW (Kbps) | CLASSIFIERS |

| |ID| Name | CIR | PIR | |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |1 |STD#1 |128 |1024 | VLN| 1001 |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |2 |STD#2 |128 |1024 | VLN| 1002 |

+--------+--+---------------+-------+-------+----+-----------------------------+

| 1 |3 |STD#3 |128 |1024 | VLN| 1003 |

+--------+--+---------------+-------+-------+----+-----------------------------+

Ingress R-CoS to Egress CoS Queue Mapping

Each physical port supports 8 CoS queues. Depending upon the policies applied to the port, the R-CoS and R-COLOR values may change during processing. The final internal R-

CoS value is used to map the frame to one of the 8 physical port CoS queues as shown in

Table 14-2, in this chapter.

Table 14-2: Default Internal R-CoS Mapping

R-CoS Physical Port CoS

Queue

2

3

0

1

6

7

4

5

Reserved for outbound

CPU frames

5

6

3

4

7

1

2

0

0

In addition to the default queue mapping, up to 7 custom Queue Map Profiles can be created to configure R-CoS to CoS queue mapping. The mapping-mode of custom queue map profiles is always R-CoS mapped. Any port can use a custom queue map profile by configuring the ingress-to-egress-qmap attribute on the port. R-CoS values (0 - 7) can be mapped to CoS Queues (0 - 7), or any combination thereof (for example, all 7 R-CoS values mapped to the same CoS queue, etc.).

System Software Configuration Guide 6.5.0

151

Q

UALITY OF

S

ERVICE

Congestion Avoidance

To create/modify a custom R-CoS to CoSQ table and assign it to an egress port:

> traffic-services queuing queue-map create rcos-map custom-map-1

> traffic-services queuing queue-map set rcos-map custom-map-1 rcos 0 queue 3

> traffic-services queuing queue-map show rcos-map custom-map-1

> port set port 9 ingress-to-egress-qmap custom-map-1

To delete a custom R-CoS map from the system:

NOTE: A custom R-CoS queue map profile cannot be deleted if it is assigned to a port, as it must first be removed from the port before it can be deleted.

> port set port 9 egress-queue-map Default-RCOS

NOTE: You cannot unset a port's egress-queue-map profile, as this is a required parameter. To remove a custom R-CoS profile from a port you must replace it with another

R-CoS profile (for example, the Default-RCOS profile).

> traffic-services queuing queue-map delete rcos-map custom-map-1

> traffic-services queuing queue-map show

Example of the default R-CoS map:

+---------------------------RCOS TO QUEUE MAPPING ----------------------------+

| |

+-------------------------------+---------------------------------------------+

| Name | Default-RCOS |

| Id | 1 |

| Type | RCOS To Queue Mapping |

+-----------------------------------------------------------------------------+

| RCOS: | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | |

| +---+---+---+---+---+---+---+---+ |

| Queue: | 0 | 0 | 1 | 2 | 3 | 4 | 5 | 6 | |

+---------+---+---+---+---+---+---+---+---+-----------------------------------+

Congestion Avoidance

Congestion avoidance processing determines whether a frame should be enqueued or dropped. Congestion avoidance is configured per queue based on a congestion avoidance profile associated with each CoS queue. This profile contains the drop parameters for traffic. Drop parameters are defined by the following general attributes:

Drop Threshold—defines the percentage of the queue capacity that is reached before packets are eligible to be dropped.

Drop Probability—define the percentage of packets that are dropped once the threshold is exceeded.

By dropping packets before the queue fills up, congestion avoidance controls the average buffer queue size by indicating to the end hosts when they should temporarily slow down transmission of TCP packets. Randomly dropping packets prior to periods of high congestion tells the packet source to decrease its transmission rate. Assuming the packet source is using TCP, it will decrease its transmission rate until all the packets reach their destination, indicating that the congestion is cleared. TCP not only pauses, but it also restarts quickly and adapts its transmission rate to the rate that the network can support.

152 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Congestion Avoidance

Depending upon the hardware platform, the system software supports Simple Random

Early Detection (sRED) profiles or simple Weighted Random Early Discard (sWRED) profiles for congestion avoidance that are enabled by default. You can configure custom congestion avoidance profiles for your platform and configure the egress port queues to use them.

Creating and modifying sRED profiles

The CN 3911, CN 3920, CN 3940, and CN 5140 platforms support sRED profiles. By default there is one congestion avoidance profile (Default-SRED) in the system that all queues reference, and each port supports two default sRED curves per queue, one for TCP yellow traffic and one for TCP green traffic. Each sRED curve supports a lower drop threshold and drop probability. The upper threshold is not configurable, and supports 128 packets per port.

When the number of packets are below the lower threshold, no packets are dropped.

When they exceed the lower threshold, and are below the upper threshold, they are dropped according to the drop probability value. When the number of packets reaches the upper threshold, all packets are dropped (100 percent drop probability) until the number of packets is below the upper threshold.

For yellow packets, the default drop threshold is 50 percent. For green packets, the default drop threshold is 75 percent. This means that the queue capacity can be filled with 75 percent green packets, and 50 percent yellow packets before the packets are eligible to be dropped. Additionally, both sRED curves assign a drop probability percentage for green (0.09765625 percent or 1/1024) and yellow (6.25 percent or 1/16) packets per CoS queue that is applied via a congestion avoidance profile.You can create up to 7 custom congestion avoidance profiles and modify their configuration.

Lower drop threshold values for green or yellow traffic range from 1-100 percent. Drop probability values for green or yellow traffic include:

• 100pct - 100 percent

6.25pct - 6.25 percent or 1/16.

• 3.125pct - 3.125 percent or 1/32.

1.5625pct - 1.5625 percent or 1/64.

• 0.78125pct - 0.78125 percent or 1/128.

0.390625pct - 0.390625 percent or 1/256.

• 0.1953125pct - 0.1953125 percent or 1/512.

0.09765625pct - 0.09765625 percent or 1/1024.

If you create a custom sRED profile without specifying the thresholds or drop probability values, the profile will be the same as the Default-SRED profile.

To create an sRED profile:

traffic-services queuing congestion-avoidance-profile create profile <String[15]>

[green-threshold <NUMBER: 1-100>] [green-drop-probability <100pct|6.25pct|3.125pct|

1.5625pct|0.78125pct|0.390625pct|0.1953125pct|0.09765625pct>]

[yellow-threshold <NUMBER: 1-100>][yellow-drop-probability <100pct|6.25pct|3.125pct|

1.5625pct|0.78125pct|0.390625pct|0.1953125pct|0.09765625pct>]]

Example:

traffic-services queuing congestion-avoidance-profile create profile green-yellow-1 greenthreshold 100 yellow-threshold 1 yellow-drop-probability 100pct

System Software Configuration Guide 6.5.0

153

Q

UALITY OF

S

ERVICE

Congestion Avoidance

To modify an sRED profile:

traffic-services queuing congestion-avoidance-profile set profile

<CongestionAvoidanceProfile> {[green-threshold <NUMBER: 1-100>], [green-drop-probability

<100pct|6.25pct|3.125pct|1.5625pct|0.78125pct|0.390625pct|0.1953125pct|0.09765625pct>],

[yellow-threshold <NUMBER: 1-100>], [yellow-drop-probability <100pct|6.25pct|3.125pct|

1.5625pct|0.78125pct|0.390625pct|0.1953125pct|0.09765625pct>]}

Example:

traffic-services queuing congestion-avoidance-profile set profile green-yellow-1 greenthreshold 90 green-drop-probability 0.1953125pct yellow-threshold 25

Creating and modifying sWRED profiles

The CN 3960 platform supports simple Weighted Random Early Discard (sWRED) profiles to handle three types of traffic:

TCP green traffic

• TCP yellow traffic (has been metered to yellow from traffic profiling)

Non-TCP traffic

For each traffic type, an sWRED profile supports an sWRED curve with a configurable start threshold (1-100 percent), upper threshold (1-100 percent), and a maximum drop probability. Maximum drop probability values include:

• 100pct - 100 percent

75pct - 75 percent

• 50pct -50 percent

25pct -25 percent

• 10pct - 10 percent

9pct - 9 percent

• 8pct - 8 percent

7pct - 7 percent

• 6pct - 6 percent

5pct - 5 percent

• 4pct - 4 percent

3pct - 3 percent

• 2pct - 2 percent

1pct - 1percent

• 0pct - 0 percent

When the number of packets are below the start threshold, no packets are dropped.

When they exceed the start threshold, and are below the upper threshold, they are dropped according to the maximum drop probability value. When the number of packets reaches the upper threshold, all packets are dropped according to the maximum drop probability until the number of packets is below the upper threshold.

The default sWRED profile (Default-S-WRED) is configured as follows:

• TCP green start threshold - 75 percent

TCP green maximum upper threshold - 100 percent

• TCP green maximum drop probability - 0 percent

TCP yellow start threshold - 50 percent

• TCP yellow maximum upper threshold - 100 percent

154 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Congestion Avoidance

• TCP yellow maximum drop probability - 100 percent

Non-TCP start threshold - 50 percent

• Non-TCP maximum upper threshold - 100 percent

Non-TCP maximum drop probability - 100 percent

If you create a custom sWRED profile without specifying the thresholds or drop probability values, the profile will be the same as the Default-S-WRED profile.

To create an sWRED profile:

traffic-services queuing congestion-avoidance-profile create profile <String[15]>

[tcp-green-threshold <NUMBER: 1-100>] [tcp-green-upper-threshold <NUMBER: 1-100>]

[tcp-green-drop-probability <100pct|75pct|50pct|25pct|10pct|9pct|8pct|7pct|6pct|5pct|4pct

|3pct|2pct|1pct|0pct>] [tcp-yellow-threshold <NUMBER: 1-100>] [tcp-yellow-upper-threshold

<NUMBER: 1-100>] [tcp-yellow-drop-probability <100pct|75pct|50pct|25pct|10pct|9pct|

8pct|7pct|6pct|5pct|4pct|3pct|2pct|1pct|0pct>] [non-tcp-threshold <NUMBER: 1-100>] [non-tcpupper-threshold <NUMBER: 1-100>] [non-tcp-drop-probability <100pct|75pct|50pct|25pct|10pct|

9pct|8pct|7pct|6pct|5pct|4pct|3pct|2pct|1pct|0pct>]

Example:

traffic-services queuing congestion-avoidance-profile create profile green-yellow-1 tcpgreen-upper-threshold 100 tcp-yellow-upper-threshold 1 tcp-yellow-drop-probability 100pct

To modify an sWRED profile:

traffic-services queuing congestion-avoidance-profile set profile

<CongestionAvoidanceProfile> [tcp-green-threshold <NUMBER: 1-100>] [tcp-green-upperthreshold <NUMBER: 1-100>] [tcp-green-drop-probability <100pct|75pct|50pct|25pct|10pct|

9pct|8pct|7pct|6pct|5pct|4pct|3pct|2pct|1pct|0pct>] [tcp-yellow-threshold <NUMBER: 1-100>]

[tcp-yellow-upper-threshold <NUMBER: 1-100>] [tcp-yellow-drop-probability <100pct|

75pct|50pct|25pct|10pct|9pct|8pct|7pct|6pct|5pct|4pct|3pct|2pct|1pct|0pct>] [non-tcpthreshold <NUMBER: 1-100>] [non-tcp-upper-threshold <NUMBER: 1-100>] [non-tcp-dropprobability <100pct|75pct|50pct|25pct|10pct|9pct|8pct|7pct|6pct|5pct|4pct|3pct|2pct|

1pct|0pct>]

Example:

traffic-services queuing congestion-avoidance-profile set profile green-yellow-1 non-tcpupper-threshold 1 non-tcp-drop-probability 100pct

Displaying custom congestion avoidance profiles

You can display configuration of all or specific congestion avoidance profiles, including: name, ID, type, thresholds, and drop probability.

To display all congestion avoidance profiles:

traffic-services queuing congestion-avoidance-profile show

To display a specific congestion avoidance profile:

traffic-services queuing congestion-avoidance-profile show profile

<CongestionAvoidanceProfile>

System Software Configuration Guide 6.5.0

155

Q

UALITY OF

S

ERVICE

Congestion Avoidance

Example of the default sRED congestion avoidance profile:

traffic-services queuing congestion-avoidance-profile show profile Default-SRED

+-------------------- CONGESTION AVOIDANCE PROFILE DATA -----------------------+

| |

+--------------------------------+---------------------------------------------+

| Name | Default-SRED |

| Id | 1 |

| Type | SRED |

+------------------------------------------------------------------------------+

| Green || Yellow |

| Threshold | Drop Probability || Threshold | Drop Probability |

+-----------+------------------------++-----------+----------------------------+

| 75 % | 0.09765625pct.(1/1024) || 50 % | 6.25pct.......(1/16) |

+-----------+------------------------++-----------+----------------------------+

Example of the default sWRED congestion avoidance profile:

traffic-services queuing congestion-avoidance-profile show profile Default-S-WRED

+-------------------------------- CONGESTION AVOIDANCE PROFILE DATA ---------------------------------+

| |

+--------------------------------+-------------------------------------------------------------------+

| Name | Default-S-WRED |

| Id | 1 |

| Type | WRED-Simple |

+----------------------------------------------------------------------------------------------------+

| Tcp-Green || Tcp-Yellow || Non-Tcp |

| Lower | Upper | Drop || Lower | Upper | Drop || Lower | Upper | Drop |

| Threshold | Threshold | Prob || Threshold | Threshold | Prob || Threshold | Threshold | Prob |

+-----------+-----------+--------++-----------+--------------------++-----------+-----------+--------+

| 75 | 100 | 0pct || 50 | 100 | 100pct || 75 | 100 | 0pct |

+-----------+-----------+--------++-----------+--------------------++-----------+-----------+--------+

Configuring the congestion avoidance profile for egress port queues

The default congestion avoidance profile for egress port queues is to use Default-SRED or

Default-S-WRED, depending upon the platform. After creating custom congestion avoidance profiles, you can set the egress port queues to use them. The queue is identified by queue number and egress port queue group (PortQueueGroup), which is the egress port name.

To update the congestion avoidance profile for an egress port queue:

traffic-services queuing egress-port-queue-group set queue <NUMBER: 0-7> port

<PortQueueGroup> congestion-avoidance-profile <CongestionAvoidanceProfileName>

Example:

traffic-services queuing egress-port-queue-group set queue 2 port 1 congestion-avoidanceprofile green-yellow-1

To clear the congestion avoidance profile to the default for an egress port queue:

traffic-services queuing egress-port-queue-group unset queue <NUMBER: 0-7> port

<PortQueueGroup> congestion-avoidance-profile

Example:

traffic-services queuing egress-port-queue-group unset queue 2 port 1 congestion-avoidanceprofile

156 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Congestion Avoidance

To display the congestion avoidance profile for an egress port queue:

traffic-services queuing egress-port-queue-group show queue <NUMBER: 0-7> port

<PortQueueGroup>

Example of sRED:

> traffic-services queuing egress-port-queue-group show queue 0 port 1

+---------------------------------- QUEUE DATA --------------------------------+

| |

+--------------------------------+---------------------------------------------+

| Queue Id | 0 |

| Queue Group Name [Port] | 1 |

| Congestion Avoidance Profile | Default-SRED |

+------------------------------------------------------------------------------+

| Scheduler | Size | CIR | CBS | EIR | EBS |

| Pri Idx | Weight | (Pckts) | (Kbps) | (Kbytes) | (Kbps) | (Kbytes) |

+---------+----------+---------+------------+----------+------------+----------+

| 10000 | 20 | 100 | 0 | 0 | 1000000 | 256 |

+---------+----------+---------+------------+----------+------------+----------+

Example of sWRED:

> traffic-services queuing egress-port-queue-group show queue 0 port 1

+---------------------------------- QUEUE DATA --------------------------------+

| |

+--------------------------------+---------------------------------------------+

| Queue Id | 0 |

| Queue Group Name [Port] | 1 |

| Congestion Avoidance Profile | Default-S-WRED |

+------------------------------------------------------------------------------+

| Scheduler | Size | CIR | CBS | EIR | EBS |

| Pri Idx | Weight | (Pckts) | (Kbps) | (Kbytes) | (Kbps) | (Kbytes) |

+---------+----------+---------+------------+----------+------------+----------+

| 10000 | 20 | 100 | 0 | 0 | 1000000 | 256 |

+---------+----------+---------+------------+----------+------------+----------+

Deleting a custom congestion avoidance profile

You can delete custom congestion avoidance profiles that are not in use.

To delete a congestion avoidance profile:

traffic-services queuing congestion-avoidance-profile delete profile

<CongestionAvoidanceProfile>

Renaming custom congestion avoidance profile

You can change the name of a custom congestion avoidance profile.

To rename a congestion avoidance profile:

traffic-services queuing congestion-avoidance-profile rename profile

<CongestionAvoidanceProfile> name <String[15]>

System Software Configuration Guide 6.5.0

157

Q

UALITY OF

S

ERVICE

Egress Scheduling

Egress Scheduling

Scheduling determines the order in which the physical queues are processed. Currently, the system software follows strict priority scheduling by default. CoS queue 7 has the highest priority while CoS queue 0 has the lowest priority. When contention (or congestion) for bandwidth occurs in the system, the higher priority CoS queues will be serviced before the lower priority CoS queues. By default, the 802.1p priority (VLAN priority in the frame) is used to map to an internal priority (resolved CoS) which is then mapped to a physical CoS queue. The result is that frames with a higher priority will transmit before those with a lower priority. Strict priority queuing reduces resources for low priority packets, but ensures low-latency servicing of high-priority packets.

In addition to strict priority, three other scheduling methods can be configured. When configured for any of these scheduler modes, if the scheduling weight of a queue in the egress port queue group is set to 0, the scheduler will treat that queue as if it is in strict priority mode.

• Weighted Round Robin (WRR)—queues in the queuing group are scheduled in a weighted fashion according to the per-queue scheduler-weight.

• Round-Robin (RR)—queues in the queuing group are scheduled as if all queues in the queuing group have equal weighting.

• Weighted Deficit Round Robin (WDRR)—queues in the queuing group are scheduled in a weighted fashion according to the per-queue scheduler-weight and frame size.

To change an egress port's scheduler algorithm for the egress queue group:

traffic-services queuing egress-port-queue-group set port <PortQueueGroup> scheduleralgorithm <strict|round-robin|weighted-deficit-round-robin|weighted-round-robin>

Example:

> traffic-services queuing egress-port-queue-group set port 9 scheduler-algorithm weightedround-robin

To change a queue's weight for use with the port’s scheduler algorithm:

traffic-services queuing egress-port-queue-group set queue <NUMBER: 0-7> port

<PortQueueGroup> scheduler-weight <NUMBER: 0-1000>

NOTE: The default weight for CoS Queue 7 is 0, which is serviced in a strict-priority fashion being the highest priority over all other CoS queues in the Egress Queue group.

Queue 7 is typically reserved for CPU-Sourced traffic and should not be changed.

Example:

traffic-services queuing egress-port-queue-group set queue 0 port 9 scheduler-weight 100

To display queue weight and scheduler algorithms for all or a specific egress port:

traffic-services queuing egress-port-queue-group show [port <PortQueueGroup>]

158 System Software Configuration Guide 6.5.0

Q

UALITY OF

S

ERVICE

Egress Shaping

Example:

> traffic-services queuing egress-port-queue-group show port 9

+------------------------------ QUEUE GROUP DATA ------------------------------+

| |

+--------------------------------+---------------------------------------------+

| Name [Port] | 9 |

| Id | 9 |

| Queue Count | 8 |

| Scheduling Algorithm | weighted-round-robin |

| Shaper Bandwidth (Kbps) | 1000000 |

+------------------------------------------------------------------------------+

| | Scheduler | Size | CIR | CBS | EIR | EBS |

| Q | Pri Idx | Weight | (Pckts) | (Kbps) | (Kbytes) | (Kbps) | (Kbytes) |

+---+---------+--------+---------+-----------+----------+-----------+----------+

| 0 | 10000 | 100 | 100 | 0 | 0 | 1000000 | 256 |

| 1 | 20000 | 30 | 100 | 0 | 0 | 1000000 | 256 |

| 2 | 30000 | 40 | 100 | 0 | 0 | 1000000 | 256 |

| 3 | 40000 | 50 | 100 | 0 | 0 | 1000000 | 256 |

| 4 | 50000 | 60 | 100 | 0 | 0 | 1000000 | 256 |

| 5 | 60000 | 70 | 100 | 0 | 0 | 1000000 | 256 |

| 6 | 70000 | 80 | 100 | 0 | 0 | 1000000 | 256 |

| 7 | 80000 | 0 | 100 | 1024 | 256 | 1000000 | 256 |

+---+---------+--------+---------+-----------+----------+-----------+----------+

Egress Shaping

A shaper-rate and burst size can be configured on the egress port queue group that limits the amount of egress bandwidth a port uses and controls the amount of traffic that can burst. Each queue can also be individually shaped according to the following parameters:

CIR in Kbps—this is rate of traffic that can egress from a queue and be considered guaranteed traffic.

CBS in Kbytes—this is the amount of CIR traffic that can burst from a queue (the CIR bucket size).

EIR in Kbps—this is the rate of traffic that can egress from a queue above CIR and is considered non-guaranteed traffic.

EBS in Kbytes—this is the amount of EIR traffic that can egress from a queue (the EIR bucket size).

In order to guarantee CIR, the individually set CIR on queues must not be oversubscribed for the egress port that the frames are egressing. That is, the sum of all CIRs for the physical queues and the virtual queues in a queue group on a port should not exceed the administrative (and operational) speed of the port. When the shaper rate of the egress port queue group is set, it sets a single Information Rate (IR) regardless of the CIR and EIR of the individual queues. To guarantee CIR, the sum of the CIRs on each queue cannot exceed the IR of the egress port queue group.

When a queue or an attribute of the egress queue group of an aggregated port is modified, that value is updated at each queue or physical port of the aggregation, with the exception of the shaper rate bandwidth. The shaper rate bandwidth is divided equally amongst the number of distributing ports. This means that the shaper rate can be used to control the total bandwidth that the ports share, otherwise the ports would each have an amount of bandwidth that would add up to a cumulative amount of bandwidth for the aggregation member ports.

When you set the burst size, the value is rounded to the nearest larger 4Kbyte block. The burst size is not divided among ports in an aggregation group.

System Software Configuration Guide 6.5.0

159

Q

UALITY OF

S

ERVICE

Configuring Frame Bandwidth Calculation

To set the egress port shaper-rate bandwidth:

traffic-services queuing egress-port-queue-group set port <PortQueueGroup> shaper-rate

<NUMBER: 0-10000000>

Example:

> traffic-services queuing egress-port-queue-group set port 3 shaper-rate 1200

To set the egress port shaper-rate burst-size:

traffic-services queuing egress-port-queue-group set port <PortQueueGroup> burst-size

<NUMBER: 4-10240>

Example:

> traffic-services queuing egress-port-queue-group set port 3 burst-size 1024

To set the egress shaping parameters per queue:

traffic-services queuing egress-port-queue-group set queue <NUMBER: 0-7> port

<PortQueueGroup> cir <NUMBER: 0-10000000> cbs <NUMBER: 0-256> eir <NUMBER: 0-10000000> ebs

<NUMBER: 0-256>

Example:

> traffic-services queuing egress-port-queue-group set queue 0 port 9 cir 5000 cbs 5000 eir

4000 ebs 3000

Configuring Frame Bandwidth Calculation

The system supports 20 bytes of IFG that can be considered when calculating bandwidth for traffic profiling according to CIR and PIR settings in a traffic profile for ingress metering and egress shaping.

To set the Bandwidth calculation mode:

> flow bw-calculation-mode set mode <payload | transport>

To NOT use IFG in bandwidth calculations:

> flow bw-calculation set mode payload

To use IFG in bandwidth calculations:

> flow bw-calculation set mode transport

Note that when the system is in payload calculation mode, the 20-byte IFG is not considered in the bandwidth equations. However, the physical port must still operate according to Ethernet standards and take into account the IFG when transmitting packets.

Therefore, the operator could possibly configure a CIR sum at a port that would exceed the physical bandwidth of the port due to the required IFG on the wire. The software does not attempt to adjust bandwidth or issue user-events when in payload mode. The software assumes bandwidth to be configured and consumed according to transport mode.

160 System Software Configuration Guide 6.5.0

Chapter

Configuring Multicast Services

• • • • • •

15

At a Glance:

Overview

IGMP Snooping

Unknown Multicast Filtering

Configuring Multicast

This chapter details how to configure multicast services in some typical situations.

Overview

Typical Internet Group Management Protocol (IGMP) was designed for environments that have a low volume of multicast packets and no real-time traffic requirements for processing IGMP messages. IGMP was designed for networks where multicast services are critical, such as networks delivering IP broadcast video. Devices employ enhanced IGMP snooping and various filters to limit multicast streams and assure their timely delivery.

IGMP Snooping

While traditional IGMP snooping works well in most enterprise networks, service providers delivering converged services need to deliver high-bandwidth multicast services to many subscribers without disruptions. These types of networks must handle near-real-time join/leave processing for all subscribers.

In order to support these requirements, several enhancements to traditional IGMP are provided, including Proxy Query Delay, IGMP message shaping, an IGMP query engine,

IGMP message filtering, configurable IGMP leave modes, rapid topology response, and fast join/leave processing. It should be noted that multicast services (IGMP) is globally enabled for the entire device by default, however, it can be enabled or disabled for each multicast VLAN individually.

IGMP Message Shaping

Traditional IGMP snooping sends a proxy query to all devices at once. In response all ports in a device tend to reply a nearly the same time. This causes bursts or spikes of IGMP join messages that all reach the router at the same time. To alleviate this problem, a type of proxy reporting called IGMP message shaping is used. When an IGMP query is received,

IGMP membership reports are sent at a constant rate to the router, based on the list of active multicast groups. This eases the burden on the multicast querier.

System Software Configuration Guide 6.5.0

161

C

ONFIGURING

M

ULTICAST

S

ERVICES

IGMP Snooping

Proxy Query Delay

Another problem with traditional IGMP snooping occurs on the downstream devices. When a general query is received, it is forwarded to all ports on the device at the same time.

This request requires it to update its multicast tables, which prompts the hosts on all ports in the VLAN to reply almost simultaneously, which demands a great amount of CPU processing. It is far more desirable, from a CPU load perspective, to spread query responses out over time.

This normalization of query responses is accomplished by internally forwarding query messages to just one port at a time. This delay smooths out the load on the CPU and helps to reduce channel-change latency. This delay between ports is configured as the query delay. In addition, since the device employs IGMP Message Shaping, the router is unaware

of any delay in the report (refer to the IGMP Message Shaping section).

Proxy Query also helps to detect the path between the device and the router. If a link failure occurs that affects the path between the router and the service delivery switch, it is able to find the new path to the router even if the router does not send a query message. Instead of waiting for a query from the router, which could take minutes or even hours. The maximum time required to locate the new router path is only as long as the

Proxy Query delay interval.

IGMP Query Engine

In a traditional multicast environment, all requests and queries are processed through a multicast router. Typically, these routers are overburdened with processing requirements and thus cannot respond as quickly as is needed in converged service network. To eliminate the need for a separate IGMP router and speed up multicast response times, you can configure service delivery switches to use a built-in IGMP query engine.

The query engine can be configured to generate query packets at regular intervals performing the function of a multicast router. However, only one device on the network can act as an IGMP query agent at a time and all multicast servers must interface directly with this device. Queriers negotiate with each other to determine which device should be the active querier. However, if multiple queriers are seen by the service delivery switch, it acts only on the queries from the device with the lowest IP address and ignores any other active queriers. Therefore a unique, non-zero source IP address must be set for the query engine when it is enabled.

162 System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

IGMP Snooping

Figure 15-1 is an example of an active Query Engine in a network. The multicast server

interfaces directly with the “top-level” device (device 1), which is also acting as the IGMP querier for the network. The other devices forward IGMP messages to the “top-level” device only. Multicast streams flow from device 1 to device 2 and from device 1 to device

3.

Multicast

Server

Device 2

Device 1

Query Engine

Enabled

Device 3

Figure 15-1: Query Engine Deployment

If the query engine was enabled on device 2 instead of device 1, no membership reports would forward from device 2 to device 1, and no multicast streams would flow from device 1 to device 2.

When using the Query Engine, the device must not have a learned or configured router port for the VLAN. Additionally, you need to set the Source IP address to a value other than the default value of 0.0.0.0.

NOTE: Do not enable this feature if using a traditional IGMP router on the network.

IGMP Message Filtering

Traditional IGMP join message processing involves forwarding each IGMP join message received from a host to the server ports. Forwarding each IGMP join message to the server ports is a scaling issue for those devices higher in the network and ultimately the IGMP router. Enabling IGMP Message Filtering is a scaling feature that causes the system

System Software Configuration Guide 6.5.0

163

C

ONFIGURING

M

ULTICAST

S

ERVICES

IGMP Snooping

software to intelligently forward IGMP join messages to server ports only if that IGMP join message is required to cause a multicast stream to flow to the host. IGMP join messages that are redundant are filtered.

NOTE: If two IGMP join messages are received on two ports, and the last 3 octets of the destination IP address are the same, the second port cannot be part of the multicast group. For example, Port 1 receives a JOIN with destination IP 224.1.2.3, and it becomes part of the multicast group. If Port 2 receives a JOIN message with destination

IP 225.1.2.3, then Port 2 cannot become part of the multicast group.

Multicast

Server

ESPN

Multicast

Stream

MSNBC

Multicast

Stream

Router

Set Top Box A

MSNBC join

Message

MSNBC join

Message

Device 1

Device 4

Device 2

Device 3

164

ESPN join

Message

Set Top Box B Set Top Box C

Figure 15-2: IGMP Message Filtering

For example, if a subscriber on Set Top Box A is watching a video channel such as ESPN, when the subscriber on Set Top Box B changes the channel to ESPN (subscribes to the ESPN multicast group) Set Top Box B sends an IGMP join message to device number 3. However, device 3 does not forward the join message upstream since the multicast stream is already present. In contrast, if Set Top Box A joins the MSNBC multicast group, a join message would be sent all the way upstream back to the multicast router since the router does not have any active members in the MSNBC group.

System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

IGMP Snooping

StreamCast

Typical multicast video deployments support a centralized server topology where a single video source provides all multicast content for a VLAN. While backup servers may exist, only one server delivers content.

A distributed solution allows a number of multicast servers to deliver content on a VLAN.

Figure 15-3 shows such an architecture where two multicast routers each actively

provide video content on the same VLAN. StreamCast is the solution that supports distributed video architecture, which allows service offerings that provide customers the ability to set up video conferences between many remote offices or other multicast streaming applications.

Multicast

Server A

Multicast

Server B

Device 2

Device 1

Query Engine

Enabled

Device 3

Set Top Box B

Set Top Box B

Figure 15-3: StreamCast

IGMP Leave Modes

Two methods for handling IGMP leaves are supported, Fast Leave and Inquisitive Leave.

In Fast Leave mode, a port is removed from the multicast group immediately after a leave report is received for the port. The multicast stream no longer flows to the port.

In Inquisitive Leave mode, a timer is used to determine when ports are removed from a multicast group. Instead of immediately removing a port, when the device receives the leave report, it starts a timer and also sends out a group-specific membership query. If a

System Software Configuration Guide 6.5.0

165

C

ONFIGURING

M

ULTICAST

S

ERVICES

IGMP Snooping

membership report is received for the group on that port before the timer expires, the timer is cancelled. However, if the port does not receive a membership report, the port will be removed as soon as the timer expires.

This delay, reduces channel-change latency, which can be especially useful in situations such a last channel recall. It also resolves problems introduced when a subscriber connects a hub or non-IGMP switch to their customer premises equipment (CPE).

Inquisitive leave should only be enabled on devices that have a CPE (e.g., a set top box) attached to them.

IGMP Parameters

The following table is a summary of IGMP parameters. In cases where these parameters have different names between the Device Manager and the CLI, the Device Manager name is listed in parentheses.

Field

IGMP Snooping

(Active State)

Default Router Port

Description

Displays whether IGMP is active for the entry selected.

IGMP Leave Mode

(Inq. Leave State)

Last Member Query Interval

(Last Mem. Query Int.)

L2 Packet Priority

(Priority)

Snooping State

Robustness

The port on the device used to communicate with the router.

This port sends and receives the IGMP query and join/leave messages. If a router port is not assigned, the value will be 0.

Used if the actual router port is not known.

Enables inquisitive leave. When enabled, the Active Linger

Timeout is used to remove ports from the multicast group membership table. When a leave report is received by the device, the Last Member Query Interval timer is started and a group-specific query will egress the port. The timer is canceled if a membership report is received on the port. The port is removed from the group when the timer expires.

Max response time inserted into group-specific queries sent in response to leave messages. Also determines the amount of time between group-specific queries. Ignored when inquisitive-leave is disabled.

802.1p priority value assigned to IGMP packets for this VLAN.

Default priority is 7.

Linger Timeout

Active Linger Timeout

Enables or disables IGMP snooping for the VLAN.

Number of IGMP join or IGMP leave messages to send for each multicast group.

The time, in seconds, that a filter will remain in the IGMP table after all hosts have left the group. This is done to give sufficient time for the upstream IGMP router to receive and process the leave message. The filter is removed when the

Linger Timeout expires.

Used for inquisitive leaves. If no join message are received before the timer expires, the port is removed from the group.

166 System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

Unknown Multicast Filtering

Field

Router Query Interval

(Router Query Int.)

Minimum Query Response Time

Group Address Range (Start)

(Rtr. Range Start IP)

Group Address Range (End)

(Rtr. Range End IP)

Proxy Query Source Address

(Source IP Address)

IGMP Query Engine

(Query Engine State)

Proxy Query Interval

(Query Interval)

Proxy Query Response Interval

Proxy Query Delay

Description

Determines the time (in seconds) to wait for the router to send a General Query message.

Time, in deciseconds (1/10 of a second), that hosts have to respond to an IGMP query.

Configures the starting IP address in the multicast range for the IGMP router that corresponds to this multicast entry. Each router should be configured to use a separate range of multicast addresses to avoid conflict.

Configures the ending IP address in the multicast range for the IGMP router that corresponds to this multicast entry.

When the query engine is enabled, this address is used as the source for all query packets. This IP address must be unique for the VLAN.

Enables/Disables the IGMP query engine.

Determines the interval, in seconds when the query engine will send IGMP general queries.

Determines the rate at which devices respond to IGMP queries from the router.

Q uery messages are sent to one port at a time. This setting determines the delay between forwarding messages to each port.

Unknown Multicast Filtering

Various filters are used to limit multicast traffic. Normally when a Layer-2 switch receives a multicast packet with an unknown destination address, it floods the packet to all ports in the VLAN. Unknown multicast filtering (UMF) is used to filter (drop) these unknown packets. A destination address is considered unknown if it is not found in the list of active multicast groups.

UMF is useful when a multicast server is connected directly to the Layer-2 network, bypassing the Layer-3 router. In this case, the multicast server continuously floods the device with multicast traffic. With UMF enabled, the switch will simply drop all multicast streams that have not been joined until a a join message is received. UMF is enabled by setting this feature to Filter (drop). UMF should be enabled before reaching host devices otherwise, they will be flooded with multiple multicast streams.

Configuring Multicast

The following examples show various IGMP configurations in ring topologies.The default settings for the IGMP timers should work well for most applications.

System Software Configuration Guide 6.5.0

167

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

In addition, there are two important configuration settings on the multicast router that can affect IGMP performance.

Query-Response-Interval -determines how fast the device must respond to a general query. A short interval results in a burst of responses within a very short time, causing the CPU load to spike. A larger value helps avoid this peak thereby easing CPU load.

Where possible, this value should be set as close to (but not exceeding) the queryinterval.

Query-Interval -on the router, this value determines how often the router sends a general-query message. Each time the device receives a general query, it must use system resources to respond to the router. If the interval is too short it could cause the device to become sluggish. The minimum value should be about one minute for every

100 multicast groups on the network. The value chosen for query-interval on the router should be less than or equal to the value chosen for router-query-interval on the device.

NOTE: To configure Multicast, you need to install the Advanced Ethernet license key. To obtain the Advanced Ethernet license key, contact Ciena Sales.

Multicast Router Topology

This example demonstrates how to configure devices in a network where a multicast server is delivering services over the network via a multicast router. This router is also the querier and controls the delivery of multicast streams.

168 System Software Configuration Guide 6.5.0

In this example, multicast services are delivered on VLAN 300.

Multicast

Server Router

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

Set Top Box

Device 1

Device 2

Device 4

Device 3

Set Top Box Set Top Box

Figure 15-4: Multicast Services with a Multicast Router

System Software Configuration Guide 6.5.0

169

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

To configure multicast services:

Step # Description Command

Step 1 Create a multicast entry for the VLAN on all four devices.

multicast-services create vlan <VlanList>

This enables multicast services for the specified VLAN.

Step 2 Set the query timers to the same values as on the multicast router.

multicast-services igmpsnooping set

The default value for the query-ip-source-address is

0.0.0.0. This value is used as the source address for all query messages as well as for proxy-reply messages sent to the router. The default value should work in most cases. However, if this address must be changed because of a router on the network, make sure to use the correct address for the router interface you are using, otherwise, the router may discard all proxy-reply messages from the device.

Step 3 Enable IGMP snooping on all four devices.

multicast-services igmpsnooping enable

Step 4 (Optional) Enable UMF on the specified VLAN for the devices that have subscriber equipment connected to them (in our example, device 2 and 3).

multicast-services umf drop

In this scenario, UMF blocks multicast streams originating from subscriber equipment or other locations in the network. It also ensures the subscriber devices receive only the multicast streams they have joined.

Step 5 (Optional) Verify the IGMP settings.

multicast-services show configuration

Since the configuration of each box is very similar, the following example will configure

device 2 from Figure 15-4.

CLI Example:

1. > multicast-services create vlan 300

2. > multicast-services igmp-snooping set query-response-interval

100

3. > multicast-services igmp-snooping enable

4. > multicast-services umf drop vlan 300

170 System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

5. > multicast-services show configuration vlan 300

+----------------------------------------------------+------------------------+

| MULTICAST CONFIGURATION VLAN 300 VLAN#300 |

+----------------------------------------------------+------------------------+

| Global Multicast Services | enable |

| Multicast Services | enable |

| UMF | drop |

| WKM Forwarding | disabled |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURATION (general) |

+----------------------------------------------------+------------------------+

| IGMP Snooping | enable |

| IGMP Server Topology | centralized |

| IGMP Query Engine | off |

| IGMP Leave Mode | fast |

| L2 Packet Priority | 7 |

| Robustness | 1 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURATION (proxy query) |

+----------------------------------------------------+------------------------+

| Proxy Query Interval (s) | 125 |

| Proxy Query Response Interval (ds) | 100 |

| Proxy Query Delay (ds) | 10 |

| Proxy Query Source Address | 0.0.0.0 |

| Last Member Query Interval (ds) | 10 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURATION (router) |

+----------------------------------------------------+------------------------+

| Router Query Interval (s) | 250 |

| Linger Timeout (s) | 120 |

| Active Linger Timeout (s) | 30 |

| Minimum Query Response Interval (ds) | 50 |

| Group Address Range (start) | 0.0.0.0 |

| Group Address Range (end) | 0.0.0.0 |

| Default Router Port | 0 |

+----------------------------------------------------+------------------------+

Multicast Server Topology

This example shows how to configure devices in a network that does not employ a multicast router. The multicast server floods a set of multicast streams on the network.

The device connected to the multicast server is configured to contain the multicast streams and to act as the querier (Query Engine enabled) for downstream devices.

System Software Configuration Guide 6.5.0

171

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

For this example, multicast services are delivered on VLAN 300. In the topology

represented in Figure 15-5, UMF is required on device 1 to contain the streams being

flooded by the multicast server. On all other devices, UMF is optional.

Multicast

Server

Set Top Box

Device 1

172

Device 2

Device 4

Device 3

Set Top Box Set Top Box

Figure 15-5: Delivering Multicast Services using the Query Engine

To configure multicast services:

Step # Description Command

Step 1 Create a multicast entry for the VLAN on all four devices.

multicast-services create vlan <VlanList>

This enables multicast services for the specified VLAN.

Step 2 Configure the Query Engine on the same device.

When using this command, the source IP address must be set before the Query Engine is enabled. In addition, the router port must be set to 0 (unlearned).

multicast-services igmpsnooping set

System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

Step # Description Command

Step 3 Enable IGMP snooping on all four devices.

multicast-services igmpsnooping enable

Step 4 Enable UMF on device 1. (Optional) Enable UMF on the specified VLAN for the devices that have subscriber equipment connected to them (in our example, device 2 and 3).

multicast-services umf drop

Step 5 (Optional) Verify the IGMP settings.

multicast-services show configuration

The following examples configure device 1 from Figure 15-5.

CLI Example:

1. > multicast-services create vlan 300

2. > multicast-services igmp-snooping set query-ip-sourceaddr

10.10.10.10 query-engine on

3. > multicast-services igmp-snooping enable

4. > multicast-services umf drop vlan 300

5. > multicast-services show configuration vlan 300

+----------------------------------------------------+------------------------+

| MULTICAST CONFIGURAITON VLAN 300 VLAN#300 |

+----------------------------------------------------+------------------------+

| Global Multicast Services | enable |

| Multicast Services | enable |

| UMF | drop |

| WKM Forwarding | disabled |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURAITON (general) |

+----------------------------------------------------+------------------------+

| IGMP Snooping | enable |

| IGMP Query Engine | on |

| IGMP Leave Mode | fast |

| L2 Packet Priority | 7 |

| Robustness | 1 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURAITON (proxy query) |

+----------------------------------------------------+------------------------+

| Proxy Query Interval (s) | 125 |

| Proxy Query Response Interval (ds) | 100 |

| Proxy Query Delay (ds) | 10 |

| Proxy Query Source Address | 10.10.10.10 |

| Last Member Query Interval (ds) | 10 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURAITON (router) |

+----------------------------------------------------+------------------------+

| Router Query Interval (s) | 250 |

| Linger Timeout (s) | 120 |

| Active Linger Timeout (s) | 30 |

| Minimum Query Response Interval (ds) | 50 |

| Group Address Range (start) | 0.0.0.0 |

| Group Address Range (end) | 0.0.0.0 |

| Default Router Port | 0 |

+----------------------------------------------------+------------------------+

System Software Configuration Guide 6.5.0

173

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

Multicast with Redundant Routers

This example demonstrates how to configure devices in a network that has two (or more) redundant multicast servers. Both multicast servers are connected to the network via a multicast router.

In this scenario, only one router with its associated multicast server, is active at a time.

The second router and server in a standby mode. The active server is determined by identifying the router that has the lowest IP address. This router will handle general queries and “authorize” the delivery of various streams through the network.

Multicast

Server 1

Router 1

Multicast

Server 2

Set Top Box

Router 2

Device 1

Device 2

Device 4

Device 3

174

Set Top Box Set Top Box

Figure 15-6: Delivering Multicast Services Using Redundant Multicast Routers

In response to a topology change, for example, if the link that has the router port for the device goes down, device will advertise a router address of 0.0.0.0 to indicate that it has lost the router. For example, assuming that router 1 has a lower IP address than Router

2, if the link between device 1 and Router 1 goes down, devices 1, 2, 3 and 4 will send out general queries advertising a router address of 0.0.0.0. Device 4 will become the interface for multicast services and all joins/leaves will then be sent to it. However, when

Router 1 is restored, it will again become the primary router and Router 2 will again go into standby mode.

System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

This allows the network to continue delivery of multicast services while ensuring the least delay in service possible. This also allows order to be maintained between the two multicast routers, so that there is no competition or confusion.

In this example, multicast services are assumed to be delivered on VLAN 300. For the

network represented in Figure 15-6, UMF is required on device 1, and device 2. On all

other devices, it is optional.

To configure multicast services:

Step # Description Command

Step 1 Create a multicast entry for the VLAN on all four devices.

multicast-services create vlan <VlanList>

This enables multicast services for the specified VLAN.

Step 2 Enable UMF on device 1 and device 4. (Optional) Enable

UMF on the specified VLAN for the devices that have subscriber equipment connected to them (in our example, device 2 and 3).

multicast-services umf drop

Step 3 Set the query timers to the same values as on the multicast router.

multicast-services igmpsnooping set

The default value for the query-ip-source-address is

0.0.0.0. This value is used as the source address for all query messages as well as for proxy-reply messages sent to the router. The default value should work in most cases. However, if this address must be changed because of a router on the network, make sure to use the correct address for the router interface you are using, otherwise, the router may discard all proxy-reply messages from the device.

Step 4 Enable IGMP snooping on all four devices.

multicast-services igmpsnooping enable

Step 5 (Optional) Verify the IGMP settings.

multicast-services show configuration

Since the configuration of each box is very similar, the following example will configure

device 1 from Figure 15-6. Note that device 1 and device 4 should be configured exactly

the same.

CLI Example:

1. > multicast-services create vlan 300

2. > multicast-services umf drop vlan 300

3. > multicast-services igmp-snooping set query-response-interval

100

4. > multicast-services igmp-snooping enable

System Software Configuration Guide 6.5.0

175

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

5. > multicast-services show configuration vlan 300

+----------------------------------------------------+------------------------+

| MULTICAST CONFIGURATION VLAN 300 VLAN#300 |

+----------------------------------------------------+------------------------+

| Global Multicast Services | enable |

| Multicast Services | enable |

| UMF | drop |

| WKM Forwarding | disabled |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURATION (general) |

+----------------------------------------------------+------------------------+

| IGMP Snooping | enable |

| IGMP Server Topology | centralized |

| IGMP Query Engine | off |

| IGMP Leave Mode | fast |

| L2 Packet Priority | 7 |

| Robustness | 1 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURATION (proxy query) |

+----------------------------------------------------+------------------------+

| Proxy Query Interval (s) | 125 |

| Proxy Query Response Interval (ds) | 100 |

| Proxy Query Delay (ds) | 10 |

| Proxy Query Source Address | 0.0.0.0 |

| Last Member Query Interval (ds) | 10 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURATION (router) |

+----------------------------------------------------+------------------------+

| Router Query Interval (s) | 250 |

| Linger Timeout (s) | 120 |

| Active Linger Timeout (s) | 30 |

| Minimum Query Response Interval (ds) | 50 |

| Group Address Range (start) | 0.0.0.0 |

| Group Address Range (end) | 0.0.0.0 |

| Default Router Port | 0 |

+----------------------------------------------------+------------------------+

176 System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

Redundant Query Engines

This example demonstrates how to configure devices in a network that has redundant links between the multicast server and the rest of the network.

Set Top Box

Multicast

Server

Device 3

Device 1

Device 2

Set Top Box Set Top Box

Figure 15-7: IGMP Snooping

In this scenario, the Query Engine must be enabled on device 1 and device 3, but only one

Query Engine will be active at a time. The second Query Engine will effectively be in standby mode. The active Query Engine is determined by identifying the engine with the lowest source IP address. This Query Engine then handles general queries and

“authorizes” the delivery of various streams through the network.

In response to a topology change, for example, if the link that has the router port for a device goes down, the device will advertise a router address of 0.0.0.0 to indicate that it has lost the router.

For example, assuming that device 1 has a lower source IP address than device 3, if the link between device 1 and the Multicast Server goes down, devices 1, 2, and 3 will send out general queries advertising a router address of 0.0.0.0. Device 3 will then become the interface for multicast services and all joins/leaves will then be sent to it. However, when the link between device 1 and the Multicast Server is restored, it will again become the primary Query Engine, and device 3 will return to standby mode.

This allows the network to continue delivery of multicast services while ensuring the least delay in service possible. This also allows order to be maintained between the two Query

Engines, so that there is no competition or confusion.

System Software Configuration Guide 6.5.0

177

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

In this example, multicast services are assumed to be delivered on VLAN 300. The network

should also be using RSTP. For the network represented in Figure 15-7, UMF is required

on device 1, and device 3. On all other devices, it is optional.

To configure multicast services:

Step # Description

Step 1 Create a multicast entry for the VLAN on devices 1, 2, and 3.

Command

multicast-services create vlan <VlanList>

This enables multicast services for the specified VLAN.

Step 2 Configure the Query Engine on devices 1 and 3.

When using this command, the source IP address must come before the Query Engine is enabled, in order to function properly. In addition, the router port must be set to 0 (unlearned).

multicast-services igmpsnooping set [query-ip-

source-addr <IpAddress>]

[query-engine <on|off>]

Make sure that the source IP address for the two devices is different and that the device that should become the primary Query Engine has a lower IP address.

Step 3 Enable IGMP snooping on devices 1, 2, and 3.

multicast-services igmpsnooping set

Step 4 Enable UMF on devices 1 and 3. (Optional) Enable UMF on devices that have subscriber equipment connected to them (in our example, device 2).

multicast-services umf drop

Step 5 (Optional) Verify the IGMP settings.

multicast-services show configuration

Since the configuration of each box is very similar, the following example will configure

device 1 from Figure 15-5. Note that with the exception of the Query Engine source IP

address, the configuration for device 1 and device 3 should be exactly the same.

CLI Example:

1. > multicast-services create vlan 300

2. > multicast-services igmp-snooping set query-ip-source-addr

10.10.10.10 query-engine on

3. > multicast-services igmp-snooping enable

4. > multicast-services umf drop vlan 300

178 System Software Configuration Guide 6.5.0

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

5. > multicast-services show configuration vlan 300

+----------------------------------------------------+------------------------+

| MULTICAST CONFIGURAITON VLAN 300 VLAN#300 |

+----------------------------------------------------+------------------------+

| Global Multicast Services | enable |

| Multicast Services | enable |

| UMF | drop |

| WKM Forwarding | disabled |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURAITON (general) |

+----------------------------------------------------+------------------------+

| IGMP Snooping | enable |

| IGMP Query Engine | on |

| IGMP Leave Mode | fast |

| L2 Packet Priority | 7 |

| Robustness | 1 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURAITON (proxy query) |

+----------------------------------------------------+------------------------+

| Proxy Query Interval (s) | 125 |

| Proxy Query Response Interval (ds) | 100 |

| Proxy Query Delay (ds) | 10 |

| Proxy Query Source Address | 10.10.10.10 |

| Last Member Query Interval (ds) | 10 |

+----------------------------------------------------+------------------------+

| IGMP CONFIGURAITON (router) |

+----------------------------------------------------+------------------------+

| Router Query Interval (s) | 250 |

| Linger Timeout (s) | 120 |

| Active Linger Timeout (s) | 30 |

| Minimum Query Response Interval (ds) | 50 |

| Group Address Range (start) | 0.0.0.0 |

| Group Address Range (end) | 0.0.0.0 |

| Default Router Port | 0 |

+----------------------------------------------------+------------------------+

System Software Configuration Guide 6.5.0

179

C

ONFIGURING

M

ULTICAST

S

ERVICES

Configuring Multicast

180 System Software Configuration Guide 6.5.0

Chapter

Layer 2 VPNs

• • • • • •

16

At a Glance:

Overview

Principles of Operation

Q-in-Q Encapsulation

Ethernet Virtual Private Line

Ethernet Private Line/LAN

EVPL Bundling

This chapter details the configuration of Layer 2 VPNs on devices running SAOS software, providing support for 802.1ad Provider Bridging.

Overview

Virtual Private Networks (VPNs), generally based on traditional Frame Relay and ATM services, have been broadly used with carriers and customers, providing point to point and WAN solutions. These technologies were historically expensive to install and complicated to operate. However, new end-user services have been implemented using

Ethernet LAN services as a broadcast technology.

This solution supports the deployment of L2 VPNs or Transparent LAN Services that enable a service provider to provide Ethernet Private Line/LAN (EPL) or Ethernet Virtual Private

Line (EVPL) to their encap customers. The customer perspective is that their connection to the service provider is a direct connection to a private line or LAN between their sites.

Up to 64 provider bridges can be supported.

L2 VPNs transport Ethernet/802.3 and VLAN tagged traffic between multiple sites that belong to the same L2 broadcast domain or VPLS service. These services are deployed over Ethernet using an extension of 802.1Q, called Q-in-Q.

Principles of Operation

Q-in-Q is implemented via the attachment of a Virtual Circuit (defining the Provider

VLAN) to a Virtual Switch (defining the Subscriber VLANs), as shown in Figure 16-3. The

customer perspective is that their connection to the service provider is a direct connection using a private LAN between geographically separated sites.

System Software Configuration Guide 6.5.0

181

L

AYER

2 VPN

S

Principles of Operation

UNI

Provider VLAN

VS

VC

NNI

NNI

UNI

Figure 16-1: Provider VLAN Overview Using Q-in-Q

NOTE: In order to use the 802.1ad provider bridging feature, you need to install the

Advanced Ethernet (AE) license key. License keys can be purchased by contacting Ciena customer support.

Virtual Switch

A virtual switch (VS) is a Layer 2 forwarding domain between a customer bundle (multiple per-port per-VLAN entries) or per-port entries and the network transport interfaces

(VCs). Ethernet switches have long been governed by the use of VLANs. Traffic tagged with a specific VLAN is forwarded to other VLAN member ports. However, in geographically separated networks, the same VLAN ID may be used by more than one subscriber group, but for security and administrative purposes, the VLAN must remain separated.

A virtual switch essentially separates the forwarding plane from the data plane, thus the virtual switch is customer-centric, while the virtual circuit is service-centric.

A virtual switch should be configured whenever there is a need for a Point-to-Point,

Ethernet Virtual Private LAN solution.

Reserved VLAN

A reserved VLAN is used internally to link a virtual switch with an internal switching domain, and acts to connect both subscriber and provider facing interfaces. A reserved

VLAN must be created for each virtual switch before the virtual switch is configured. The reserved VLAN pool is part of the same 1-4094 range as the system VLAN pool. The system assigns the reserved VLAN from this pool when the VS is created.

Subscriber/UNI traffic can also be switched without connecting to the provider/transport network.

182 System Software Configuration Guide 6.5.0

L

AYER

2 VPN

S

Q-in-Q Encapsulation

UNI

Reserved VLAN

VS

NNI

NNI

UNI

Figure 16-2: Reserved VLAN

Reserved VLANs are configured using the virtual-switch add reserved-vlan CLI command. Reserved VLANs cannot be deleted using the vlan delete CLI command, instead they must be removed using the virtual-switch remove reserved-vlan command. In addition, the default name for a reserved cannot be changed, so reserved

VLANs will always appear in the format of VLAN#XXX.

The virtual-switch show command can be used to see which reserved VLAN is associated with a virtual switch:

> virtual-switch show

Virtual Circuits

A virtual circuit (VC) defines a secure logical connection between one or more customer endpoints. It is a service trunk, where transport services start and end (encap and decap).This association is based on an extension to IEEE 802.1ad VLAN standard referred to as double tagging (Q-in-Q). Virtual circuits encapsulate and decapsulate L2 tags over the service provider’s network to allow data to be easily switched without the need for in-depth individual packet analysis or routing decisions at each network device. They can be thought of as the provider VLAN.

Provider VLAN

The provider VLAN is defined by the VLAN assigned to the virtual circuit when it is created. When a VC with a provider VLAN is attached to a VS, the provider VLAN itself becomes the double-tagged (encapsulated) VLAN. The virtual circuit references the provider VLAN, and the VC VLAN has a service port associated with it.

Q-in-Q Encapsulation

Encapsulating an 802.1Q VLAN tagged frame within another 802.1Q tag enables the service provider to encapsulate the customer VLAN tagging information while using VLANs within the provider network. SAOS allows Ethernet virtual circuits to be statically created. An Ethernet-VC uses an additional 802.1Q VLAN tag and includes the following:

Service Etype (default 0x8100)

Service VLAN ID (range)

Service .1d (range)

System Software Configuration Guide 6.5.0

183

L

AYER

2 VPN

S

Q-in-Q Encapsulation

An Ethernet-VC has the following properties which can be configured statically:

• Name

Provider VLAN ID and port

• Encapsulation (encap) Priority Policy (802.1D)

The following configurations are supported:

Per-port (PP) Q-in-Q

• Per-port-per-VLAN (PPV) Q-in-Q

184 System Software Configuration Guide 6.5.0

L

AYER

2 VPN

S

Q-in-Q Encapsulation

Q-in-Q Ethertype

The Ethertype of the outer VLAN tag can be customized. This allows compatibility with standard 802.1Q encapsulation methods like Extreme's vMAN that uses the 9100, and

802.1ad for Provider Bridging. Using the virtual-circuit ethernet set port

command, the Ethertype value to use can be configured as described in Table 16-1, in this chapter.

Table 16-1: Ethertype Setting (Per-Port)

Name Description

8100

9100

88a8

This indicates to use normal 802.1Q Ethertype for all frames egressing the port.

This indicates to use the 0x9100 Ethertype on frames using

the user configured policy described in Table 16-2, in this chapter.

This indicates to use the 802.1ad Ethertype on frames using

the user configured policy described in Table 16-2, in this chapter.

The virtual-circuit ethernet set port command includes a setting that allows the operator to specify the policy or rules for applying that configured Ethertype

on a per-port basis as described in Table 16-2, in this chapter.

Table 16-2: Ethertype Policy (Per-Port)

Name Description

all encap-only

When this policy is set then only Q-in-Q encapsulated frames going out the port will use the configured Ethertype (see

Table 16-1, in this chapter).

When this policy is set then only encapsulated frames going

out a port will use the configured Ethertype (see Table 16-1, in this chapter). This will affect both single and double tagged

frames that have had a provider VLAN tag added to them.

NOTE: The only policy available on current platforms is All. This means that all VLAN tagged frames that egress the port will be affected by the configured Ethertype as the outer tag e-type.

CVLAN to S-PRI COS Policy Override

You can override the encap-cos-policy of the VS by setting the encap-cos-policy of the VS member to fixed. The fixed COS value is then obtained from the encap-fixed-dot1dpri parameter of the VS member.

System Software Configuration Guide 6.5.0

185

L

AYER

2 VPN

S

Ethernet Virtual Private Line

CLI Example:

> virtual-switch ethernet add vs vsName port 1 vlan 300 encap-cos-policy fixed encap-fixed-dot1dpri 5

Ethernet Virtual Private Line

Figure 16-3 illustrates a point to point Ethernet Virtual Private Line (EVPL) that supports

multiple Ethernet-VCs per UNI. Frames from port-VLAN-based classified UNI ingress are forwarded to the NNI egress by adding a specified SVID.

CVID (100)

CVID (200)

CVID (300)

UNI

VS 1

VC

SVID (1000)

VS 2

VC

SVID (2000)

(svid)

VS 3

VC

SVID (3000)

1000/100

NNI

2000/200

3000/300

Figure 16-3: EVPL Provider Bridging

To create an EVPL provider bridge:

1. Create a provider VLAN and add the NNI port to the VLAN.

2. Create an Ethernet virtual circuit for the provider VLAN.

3. Create a virtual switch and add UNI port(s) to the subscriber VLAN.

4. Attach the Ethernet VC to the VS.

CLI Example:

> vlan create vlan 100

> vlan create vlan 200

> vlan create vlan 300

> vlan add vlan 100,200,300 port 7,8

> virtual-circuit ethernet create vc vc0 vlan 100

> virtual-circuit ethernet create vc vc1 vlan 200

> virtual-circuit ethernet create vc vc3 vlan 300

> virtual-switch add reserved-vlan 1000-1002

> virtual-switch ethernet create vs vs1 vc vc0 encap-fixed-dot1dpri 0

> virtual-switch ethernet create vs vs2 vc vc1 encap-fixed-dot1dpri 1

> virtual-switch ethernet create vs vs3 vc vc2 encap-fixed-dot1dpri 2

> virtual-switch ethernet add vs vs1 port 1 vlan 100

> virtual-switch ethernet add vs vs2 port 1 vlan 200

> virtual-switch ethernet add vs vs3 port 1 vlan 300

186 System Software Configuration Guide 6.5.0

L

AYER

2 VPN

S

Ethernet Private Line/LAN

Ethernet Private Line/LAN

SAOS supports point to point Ethernet Private Line (EPL) with one EVC per UNI. Frames from port-based and port-vlan-based classified UNI ingress are forwarded to an NNI egress by adding a specified SVID, and are forwarded to a UNI egress by removing the SVID. The

UNI port will only accept an untagged-data-vs configuration that matches the VS of the

Per Port (EPL) member. This can be used in conjunction with the ingress-vs-filter.

As an example, Figure 16-4 shows an example of an EPL provider bridge.

All customer

VLANs (CVID)

UNI

VS

VC

1001

(SVID)

NNI

1001/CVID

Figure 16-4: Ethernet Private Line

CLI Example:

> vlan create vlan 101

> vlan add vlan 101 port 10

> virtual-switch add reserved-vlan 1001

> virtual-circuit ethernet create vc EVC101 vlan 101

> virtual-switch ethernet create vs EVS100 vc EVC101 encap-fixed-dot1dpri 3

> virtual-switch ethernet add vs EVS100 port 1 vlan 100

SAOS also supports point to multipoint Ethernet Virtual Private LAN (EVP-LAN) with multiple EVCs per UNI and fixed policy priority bit re-marking on ingress.

System Software Configuration Guide 6.5.0

187

L

AYER

2 VPN

S

EVPL Bundling

EVPL Bundling

SAOS supports Ethernet Virtual Private Line (EVPL) bundling. EVPL bundling allows multiple customer VLAN IDs (C-VIDs) to be mapped to one or more virtual switches. Up to

4094 unique VLANs can be configured on one port. It should be noted that EVPL bundling will only function where traffic is being encapsulated.

As an example, Figure 16-5 shows multiple C-VIDS ingressing on port 28. VLANs 10-20

have been mapped to virtual switch 2, and VLANs 100-110 and 250 are mapped to

Ethernet-VS 1. This allows multiple C-VIDs to be mapped to two separate virtual switches.

Virtual Switch 2

Virtual Switch 1

Port 28

VID 10-20

VID 100-110, 250

Figure 16-5: Multiple C-VIDS to Multiple VS

CLI Example:

> virtual-switch ethernet add vs vs1 port 28 vlan 100-110,250

> virtual-switch ethernet add vs vs2 port 28 vlan 10-20

NOTE: If the port vlan-ingress-filter parameter is set to on, only frames that match a configured VLAN tag will be forwarded.

188 System Software Configuration Guide 6.5.0

Chapter

Configuring Connectivity Fault Management

• • • • • •

17

At a glance:

Overview

Benefits

Configuring CFM Globally

Configuring CFM Services

Configuring MEPs

Configuring Remote MEPs

Configuring MIPs

Configuring CFM Services for a VLAN

Service

Configuring CFM Services for a

Virtual Switch

CFM Over Q-in-Q

Troubleshooting

This chapter discusses the Ciena implementation of the IEEE P802.1ag/D8 Connectivity

Fault Management (CFM) protocol that is used to detect and isolate network service connectivity problems.

Overview

Connectivity Fault Management (CFM) provides a method to continuously monitor the end-to-end network connectivity of a network service, such as a Virtual Switch (VS) or a

VLAN. Services can be monitored over a single hop, a point-to-point link, or over multiple hops, using equipment managed by one or more service providers and operations entities.

Services are identified by a collection of Service Access Points (SAPs) called a Service

Instance. There are two types of SAPs:

• Maintenance End Points - Maintenance End Points (MEPs) are created at the edge

(entry/exit) points of the service being monitored.

Maintenance Intermediate Points - Maintenance Intermediate Points (MIPs) are created between MEPs to track faults at intermediate points.

MEPs send periodic multicast messages (called Continuity Check Messages or CCMs) to each other through the VS or VLAN service to determine the status of the service connection. These can be thought of as heartbeat messages. Devices not configured for

CFM forward CCMs as they would any other multicast message. If an expected CCM is not received by a MEP on a participating network device within the specified period, a fault alarm regarding the service is issued in the form of an SNMP trap and system log message.

System Software Configuration Guide 6.5.0

189

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Overview

In Figure 17-1, the service being monitored is VLAN 5. The MA consists of three MEPs (one

on each edge of the service) and several MIPs. One of the MEPs monitors VLAN 5 at its source, which is the connection to the service provider. The other two MEPs monitor VLAN

5 at the devices that connect directly to the customer premise equipment (CPE). The MIPs represent one or more CFM-configured network devices (switches/Service Delivery

Switches/Service Concentration Switches) used to connect VLAN 5 to multiple subscribers.

CPE

VLAN 5

MEP

CPE

VLAN 5

MEP

MIP

MIP

MIP

MIP

MIP

MEP

VLAN 5

Service

Provider

Figure 17-1: Example Maintenance Association (MA)

Maintenance Domains

Unless a dedicated end-to-end physical connection is used (such as a fiber optic cable), delivering Ethernet services between remote sites typically requires connections through equipment installed and controlled by a separate administrative entity. Each of these entities needs to monitor the status of the services that they are providing in order to be aware of any loss of service and at what point the service has been disrupted.

In order to monitor the same service through the equipment used by various carrier entities, portions of the network under the control of a common administrative entity are identified by a Maintenance Domain (MD). CFM provides up to eight MDs each numbered from 0-7 to identify its position relative to adjacent CFM domains. The values assigned must be carefully chosen, with the lowest numeric value used for the “inner most” domain levels and higher numbered domain levels assigned in sequence as they are configured outward toward the ends of the service. CFM domains must be fully nested, that is, an inner domain must be fully contained within a surrounding domain.

The default MD level is 3. The MD level does not necessarily have to be changed to configure CFM. The level would only have to be changed when the Operator’s CFM needs are different from what a level 3 MD can provide.

NOTE: If a Maintenance Domain name is changed, it must be changed on all other units.

The name must be the same on each end point.

The three general types of domains are: Customer, Provider, and Operator. These names are guidelines to indicate the type of entity typically associated with a particular maintenance domain.

Customer domains contain the devices connected to the customer and to the source of the service being monitored. For example, if two physically separate business entities are connecting to each other, customer equipment is configured for CFM operation at both ends to monitor the connection, specifying the same domain at both ends. The Customer domain is assigned a level in the range of 5 to 7.

190 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Overview

Provider domains represent the connection used to join each end of the Customer domain. For example, this could be the Internet service provider used by the business.

The Provider domain is assigned a level in the range of 3 to 4.

Operator domains are the central physical infrastructure provider. This could be the owner of a fiber optic network that spans the distance between the cities where the two business units are located. The Operator domain is assigned a level in the range of 0 to 2.

Figure 17-2 shows three Maintenance Domains associated with a Service Instance used to

monitor connectivity across a Provider network between two CE devices. Devices CE1 and

CE2 reside in the outer-most MD at MD Level 5. The CE devices may be administered by either the Customer or the Provider. The Provider administers devices MTU1 and MTU2 in a second MD at MD Level 4, which is surrounded by the Customer MD. The CE devices connect to the service at Domain Service Access Points (DSAPs) on the boundary between the Customer and Provider MDs. DSAPs are members of the MD that offer the ability to connect to external systems and lie on the edge of the MD. These DSAPs correspond to

the same physical ports as those associated with the SAPs in Figure 17-2. The example

includes a third MD at MD Level 2, contained within the Provider MD. This illustrates that the Provider has contracted with an Operator to transport the service between its MTU devices. The Provider connects its devices to the Operator's network at a second set of

DSAPs, which lie on the boundary between the Provider and Operator Maintenance

Domains. The Provider has no knowledge of the internal topology or configuration of the network contained within the Operator MD.

Figure 17-2: Nested Maintenance Domains

MEPs pass CCMs of higher relative domain levels without acting on them. For example, when one of the MEPs in the Customer domain sends a CCM, the MEPs in the Provider and

Operator domain pass the CCMs on to the MEP at the other end of the Customer domain.

This is what allows Connection Fault Management to work across multiple domains.

However, CCMs with equal or lower relative domain levels are not passed on by MEPs in order to contain those messages within their respective domains.

Maintenance Associations

A Maintenance Association (MA) relates a Service Instance with a Maintenance domain and includes the group of SAPs belonging to the Service Instance. CFM frames carry a

Maintenance Association Identifier (MAID) that identifies the connection between SAPs.

The MAID includes the Maintenance Domain name along with a Short MA Name.

System Software Configuration Guide 6.5.0

191

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Overview

MEPs

As previously mentioned, MEPs send and receive continuity check messages (CCMs) over the service on a periodic basis to determine if that service is still available. Each MEP is assigned a unique numeric identifier (MEPID) and maintains a table of other MEPs

(referred to as remote MEPs) that belong to its MA. This table, called the MEP-CCM-

Database, is used to determine if one or more remote MEPs are no longer sending CCMs.

MEPS are directional: Up or Down. A Down MEP sends CCMs towards and receives them from the physical medium. Down MEPs monitor service connectivity from one device to another carrying the same service. This could be a direct connection or a connection through several other devices and MIPs. An Up MEP sends CCMs towards and receives them from the MAC Relay Entity.

MIPs

Like MEPs, MIPs respond to and forward link-trace messages that are used to identify the point in an MA where the service is lost. MEPs and MIPs also respond to loopback messages that are also used to isolate faults at intermediate service nodes. Unlike MEPs, MIPs do not exchange CCMs, but they do act on CCMs and forward them.A MIP is not affiliated with a single MA, and processes CFM protocol frames for all MAs traversing an SI at or above its specified MD Level. Another function of a MIP is to record all CCMs received by a logical interface that are at or above its MD Level, in order to construct the MIP-CCM Database.

This database serves as a record of the CFM monitored services that are using a service instance, and provides a learn table of the MAC addresses used by MEPs. In the event that entries have aged-out of the normal MAC learn table due to a service failure, the MIP-CCM database can be alternatively queried to resolve forwarding information for Linktrace requests during the troubleshooting process.

Continuity Check Messages

CCMs have the following characteristics:

Transmitted at a configurable interval (see Table 17-2, in this chapter); the same value

is used for all MEPs in the MA.

Catalogued by MIPs at the same MD level.

• Terminated by remote MEPs at the same MD level.

Carry information that drives several internal state machines, but do not solicit a response.

Loopback Messages

Loopback messages are unicast frames that a MEP transmits, at the request of an administrator, to verify connectivity to a particular MEP or MIP. Upon reception, the MEP or MIP transmits a Loopback Reply (LBR) to the initiator. A loopback message can also be configured to contain arbitrary data, which can be used to diagnose faults that are sensitive to frame size, or a specific data pattern.

192 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Overview

Linktrace Messages

Linktrace messages are multicast frames that a MEP transmits, at the request of an administrator, to either isolate a service fault to a specific MEP, or to trace the path through the network to a particular MEP or Target MAC address. When the fdb-only parameter is specified, only the normal forwarding database is used to look up the target

MAC, and not the MEP CCM and MIP CCM databases that would also be used otherwise.

When processing a received linktrace message, the UseFDBonly flag in the message is honored when looking up the target MAC.

For each visible MIP, linktrace messages indicate ingress action, relay action, and egress action. Linktrace messages also contain a TTL value (configurable), which is decremented each time the Linktrace messages are forwarded by the MEP or MIP. Linktrace messages are multicast, reply messages are unicast.

ITU-T Y.1731 Performance Measurements

Y.1731, introduced by the International Telecommunication Union Telecommunication

Standardization Sector (ITU-T) complements the IEEE 802.1ag standard, adding the following:

• Frame delay- the Delay Measurement Message (DMM) and the Delay Measurement Reply

(DMR) include time stamps that are used to calculate two-way frame delay. These measurements are configured per CFM service. Each MEP can be enabled to perform frame delay and frame delay variation measurements to peer MEPs in the same ME.

• Jitter- frame delay variation is calculated by tracking the round-trip DMMs. Note that all DMMs expected must be returned in order to make the jitter calculation.

• Frame loss- frame loss is calculated by sending counters within Loss Measurement

Messages (LMMs) and Loss Measurement Replies (LMRs). The far-end counters are then compared with the local counters to calculate frame loss for two-way delay measure, port-to-port measurements as a ratio. A bidirectional service is determined unavailable if either of the two directions is declared unavailable, therefore, each MEP must be able to perform near-end and far-end frame loss measurements.

Carrier Ethernet Network

Figure 17-3: Y.1731 Messages Are Initiated Between Two MEPs

Y.1731 tests are initiated by the network administrator and are sent between specific

MEPs in the same ME. This then triggers the unicast DMMs or LMMs to be sent to the desired remote MEP with a specified packet count at a configurable interval (default is

100 ms). MIPs do not participate in delay/jitter or frame loss measurements.

System Software Configuration Guide 6.5.0

193

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Benefits

As an example, in Figure 17-4, MEP 12 could initiate a delay/jitter or frame loss

measurement test to MEP 10 or 11. When the test is completed, the delay and jitter measurements from the test will be available and will remain in the system until it is rebooted or another test is run for the same service.

MEP 12

MIP

MEP 10

MIP

X

RSTP

BLOCK

MIP

MEP 11

Figure 17-4: Illustration of Path Taken by Y.1731 Messages

Figure 17-4 displays the path that DMMs and LMMs would take (green lines) and the return

path for DMRs and LMRs (red lines) for a test of delay/jitter or frame loss initiated on MEP

10 to MEP 11.

Benefits

CFM provides utilities to maintain network connectivity including:

Path discovery - Linktrace messages are used to determine the path taken to a target

MAC address.

Fault detection - CCMs are used to detect both connectivity failures and unintended connectivity between Service Instances.

Fault verification and isolation - Loopback messages are used to perform fault verification, or to confirm successful initiation or restoration of connectivity.

Linktrace messages and loopback messages are used to isolate faults.

Fault notification - Fault notification is provided by the MEP that detected a connectivity fault either because expected CCMs were not received, unexpected or invalid CCM were received, or the CCM carried a notification of the failure of its associated MEP.

Fault recovery - Fault notifications help network operators correct configuration errors or replace failed components.

194 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Maintenance Association Examples

Maintenance Association Examples

Provider Example

In this example, a Provider has created a Maintenance Association (MA) to monitor a

Service Instance on VLAN 10, associated with a data service sold to the Subscriber. This

MA allows the Provider to determine whether or not the fault lies within its own network if a Subscriber reports that the service is down.

For simplicity, this example depicts only the relationship between two MEPs on two

Service Delivery Switches in Multi-tenant Units (MTU1 and MTU2). Figure 17-5 depicts the

MEP on MTU1, port 2, and MTU2 port 9. The Provider creates Maintenance Association

PROVIDER1 at Maintenance Domain Level 4 on each MTU device. MEPs 1 and 2 on port 2 and port 9 respectively are then added to this Maintenance Association.

Figure 17-5: Provider Maintenance Association

In order for the Provider to monitor and troubleshoot service connectivity to the edge of the Operator network, the Operator must expose MIPs at the ports where the service connects to its network. Although the Provider is unable to administratively manage these

MIPs, they allow the Provider to use CFM Loopback and Linktrace mechanisms to determine whether or not a service fault lies within the Operator network.

The Operator creates MIPs for VLAN 10 at MD Level 4 in ports 4 and 7. These MIPs are not associated with a specific Maintenance association, and are accessible by any

Maintenance Association associated with its VLAN and MD Level. Thus, the Operator is able to provide MIPs to the Provider without specific knowledge of the Provider's

Maintenance Association configuration.

Operator Example

In this example, the Operator (OPERATOR1) and the Provider wish to use CFM to simultaneously monitor the service on VLAN 10. To this end, the Operator creates its own

Maintenance Association for the service at Maintenance Domain Level 2. This MA allows the Operator to monitor and troubleshoot connectivity for the service within its own network without interfering with the operation of the Provider's Maintenance Association on the same VLAN, but at a higher MD Level.

As shown in Figure 17-6, configuration of this MA requires the creation of the OPERATOR1

Maintenance Association on devices OP1 and OP2, and MEPs on ports 4 and 7. Although not depicted in the diagram, the Operator could also create MIPs on any intermediate devices that transport the service.

System Software Configuration Guide 6.5.0

195

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Maintenance Association Examples

Figure 17-6: Operator Maintenance Association

Customer Example

CFM can also monitor the VLAN 10 service between Subscriber devices in the Customer

Maintenance Domain, independent of the Maintenance Associations in the Provider and

Operator Maintenance Domains. Although a Customer MA will verify end-to-end service connectivity, the Customer is only able to isolate a fault to a specific link if the fault lies within the Customer Maintenance Domain. A fault can be isolated to the interior of the

Provider network, but the Provider must be contacted to further troubleshoot the service disruption.

Figure 17-7 shows a Customer configured MA between the two CE devices. This

configuration coexists with the previously defined PROVIDER1 and OPERATOR1

Maintenance Associations. The CUSTOMER1 MA is created on devices CE1 and CE2. MEPs are configured on CE1, port 1 and CE2, port 10. The MIPs shown on the Provider devices

MTU1 and MTU2 must be created by the Provider.

196

Figure 17-7: Customer Maintenance Association

System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Maintenance Association Examples

Physical Link Example

The Maintenance Domain Level 0 is typically reserved for Maintenance Associations that directly monitor physical links. A physical link MA may be associated with a link contained within a single Maintenance Domain, or a link that spans two MDs. Physical Link

Maintenance Associations include a MEP on each port at both ends of the link.

In Figure 17-8, two physical link Maintenance Associations have been added to the

configuration, OPPHY1 and P1. MA OPPHY1 monitors the link between OP1 port 5 and OP2 port 6. The Operator creates this MA at MD Level 0, so that it will not interfere with the operation of the higher-level Maintenance Associations. MEPs are then added to OPHY1 for the ports at each end of the link.

DOWN

MEP

UP MEP

MIP

MIP MIP

MIP

DOWN

MEP

UP MEP

UP MEP

DOWN

MEP

UP MEP

DOWN

MEP

P1

DOWN MEPs

Figure 17-8: Physical Link Maintenance Association

Maintenance Association P1 is configured for the physical link connecting the Provider and

Operator networks. Therefore, this requires that the Operator and Provider agree on a

Maintenance Domain Level and a Maintenance Association name. The Operator and

Provider must each create MA P1 on their respective devices. The Operator creates the

MEP for OP2 port 7, while the Provider creates the MEP for MTU2 port 8. Once configured,

MA P1 can be used by both Operator and Provider to monitor VLAN 10 connectivity across the link connecting their networks.

System Software Configuration Guide 6.5.0

197

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Globally

Configuring CFM Globally

Global CFM configuration includes:

• Enabling and disabling CFM

Setting CFM attributes

• Setting and displaying Maintenance Domains

NOTE: In order to configure CFM, you need to install the Advanced OAM (AOAM) license key. License keys can be purchased by contacting Ciena customer support.

Enabling and Disabling CFM

By default CFM is globally disabled. cfm enable

To enable CFM:

cfm disable

To disable CFM:

Setting CFM Attributes

CFM global attributes include:

Strict Compliance for 802.1ad (dot1ad-strict) -When enabled, only CFM frames that contain a single VLAN tag or are untagged are recognized as CFM frames. A doubletagged CFM frame will be forwarded as a normal data frame on interfaces containing

MEPs and/or MIPs, and CFM processing is bypassed.

Ethertype (ethertype) - The Ethertype value sent in CFM frames entered in decimal or hexadecimal format. The default is 35074 (0x8902 hexidecimal).

MIP Level Enforcement (mip-level-enforcement) - the level configured on the MIP is ignored when mip-level-enforcement is off.

Remote MEP Hold Time (rmep-hold-time) -When a remote MEP is first detected, it is not declared active and the RMEP fault is not cleared for the time period equal to the remote MEP hold time.

Y1731 Ethertype (y1731ethertype) - The Y1731 Ethertype value sent in CFM frames entered in decimal or hexadecimal format. The default is 35074 (0x8902 hexidecimal).

To set CFM global attributes:

cfm set {[dot1ad-strict <enable|disable>], [ethertype <NUMBER: 1-65535>], [mip-level-

enforcement <on|off>], [rmep-hold-time <NUMBER: 10-300000>], [y1731ethertype <NUMBER:

2048...65535>]}

Example:

> cfm set ethertype 35272 mep-hold-time 300000 dot1ad-strict enable mip-level-enforment on

198 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Globally

Displaying Global CFM Configuration

To display global CFM configuration:

cfm show [statistics]

Example:

> cfm show

+------------ CFM GLOBAL CONFIGURATION -------------+

| Parameter | Value |

+-------------------------------+-------------------+

| Admin State | Enabled |

| Ethertype | 0x8902 |

| Y1731 Ethertype | 0x8902 |

| Remote MEP Hold Time (ms) | 10000 |

| 802.1ad Strict Mode | Off |

| MIP Level Enforcement | Off |

| MIP CCM Database Learning | Enabled |

| Frames/sec Avail | 1998 |

| Source MAC For PBT CFM Frames | 00:02:A1:31:23:C0 |

| Total Rx Frames | 360999 |

| Total Tx Frames | 585314 |

+-------------------------------+-------------------+

Setting and Displaying Maintenance Domains

SAOS provides eight pre-configured Maintenance Domains. The name for each maintenance domain defaults to “md” followed by the level: md0, md1, md2, and so on.

If desired, you can change the name of the maintenance domain.

NOTE: If a Maintenance Domain name is changed, it must be changed on all other units.

The name must be the same on each end point.

To change the name of a maintenance domain:

cfm md set level <NUMBER: 0-7> name <String[31]>

Example:

> cfm md set level 7 CustomerMD7 cfm md show

To display a list of maintenance domains:

System Software Configuration Guide 6.5.0

199

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

Example:

> cfm md show

+---- CFM MAINTENANCE DOMAINS ---+

|Level |Name |Services|

+------+----------------+--------+

|0 |md0 |0 |

|1 |md1 |0 |

|2 |md2 |0 |

|3 |md3 |2 |

|4 |md4 |0 |

|5 |md5 |0 |

|6 |md6 |0 |

|7 |md7 |0 |

+------+----------------+--------+

To display details about a specific maintenance domain:

cfm md show level <NUMBER: 0-7>

Example:

> cfm md show level 3

+------------- CFM MAINTENANCE DOMAIN INFO ---------------+

| Parameter | Value |

+----------------------+----------------------------------+

| Level | 3 |

| Name | md3 |

| Index | 4 |

| Number of Services | 2 |

| MD Name | md3 |

| MD Name Length | 3 |

| MD Name Format | String |

+----------------------+----------------------------------+

To display services for a specific maintenance domain:

cfm md show level <NUMBER: 0-7> services

Example:

> cfm md show level 3 services

+---------------------------- CFM SERVICES: MD LEVEL 3 -----------------------+

| | | | | | | MEPs | Service Faults |

|Name |Type|Service Network |Vid |Lvl|Adm|Loc|Rem|XC|CC|RM|PS|RD|IS|

+----------------+----+----------------|----+---|---+---+---+--+--+--+--+--+--+

|VLAN#1001 |VLAN|VLAN#1001 |1001|3 |dis|0 |0 | | | | | | |

+----------------+----+----------------|----+---|---+---+---+--+--+--+--+--+--+

Configuring CFM Services

You can configure CFM services for static primary and backup PBT tunnels, virtual switches, and VLANs. Multiple CFM services can be created at the same MD level in a common VS or VLAN. Only a single MEP or MIP is allowed per interface MD level, but MEPs at the same MD level can belong to different CFM services.

NOTE: For examples of configuring CFM services for PBT tunnels, refer to the Configuring

PBT section in Chapter 23, on page 351.

200 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

Creating a CFM Service

When creating a service, the following attributes apply:

Level—Maintenance Domain Level for the service. The default is 3.

Name—Name for the service. By default, the name matches the virtual switch or VLAN associated with the service. This identifier will be used as the Short MA Name of its associated MA. The link partner associated with the same service on the far end must be configured with the same identifier for CFM to function correctly.

Next MEPID—CFM has a configurable nextMepid value, with the range 1-8191, which is used to determine default MEPIDs. When a MEP is created without a specified MEPID, the current value of nextMepid will be used as the MEPID of the new MEP, and then incremented by one. If the resulting value of nextMepid is already used by an existing

MEP, nextMepid will be continually incremented until a unique value is found. The purpose of nextMepid is to provide a mechanism for generating MEPIDs that are unique in the MA across all devices in the Service network. Be sure to assign each device a nextMepid value that will guarantee MEPID uniqueness across all MEPs.

NOTE: A total of up to 256 combined CFM services are supported on the CN 3911 and

CN 3920, and up to 530 on the CN 3940, CN 3960, and CN 5140. This includes VS, VLAN, and PBT tunnel services (on platforms that support the service).

To create a CFM service for a virtual switch:

cfm service create vs <VirtualSwitchName> [level <NUMBER: 0-7>] [name <String[31]>] [nextmepid <NUMBER:1 - 8191>]

Example:

> cfm service create vs VS-1 name CFM-SRV-VS-1 next-mepid 300

To create a CFM service for a VLAN:

cfm service create vlan <VlanID>

[level <NUMBER: 0-7>] [name <String[31]>] [next-mepid

<NUMBER:1 - 8191>]

Example:

> cfm service create vlan 1001

Setting Service Attributes

CFM services have the following configurable attributes:

Alarm Priority—Determines what priority level will be used to trigger an alarm. For each fault event, CFM reports a defect type that corresponds to a priority level. If a detected fault’s priority level is lower than the alarm priority setting, it will not be reported. The range is 1-5, and the default is 3. Priority levels and corresponding defect types are shown in

Table 17-1

, in this chapter.

Table 17-1: Alarm Priority

Priority Level Defect Type Service Fault

System Software Configuration Guide 6.5.0

201

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

Table 17-1: Alarm Priority

1 RDI – Remote Defect Indicator shows that the remote MEP is not receiving CCMs from some other MEP in the service.

In CFM-PBT services, an RDI fault indicates that only one of the tunnels in the pair has faulted, and that traffic is only flowing in one direction.

2

3

4

5

6

MAC Status Defect indicates the remote MEP transmitted

CCM for a non-forwarding interface (Not applicable for PBT

CFM services).

Remote MEP CCM Defect indicates that the local MEP is not receiving CCMs from Remote MEP(s).

Error CCM Defect indicates misconfiguration of MEPID or ccm-interval.

CCM Cross Connect Defect indicates misconfiguration of

MAID or MD Level. When a CCM has an incorrectly configured MAID or MD level, it triggers a Cross Connect

Defect (XC) fault. However, this CCM is still counted as a valid CCM, and will increment the valid received (Rx) statistics counter.

A new service initially has the Instability (IN) service fault until a stable remote MEP is detected. The service should not have any faults after the remote MEP is detected and determined to be stable. This fault cannot be suppressed by the alarm priority setting, and will always be reported.

RD

MS

RM

CC

XC

IN

Alarm Time—Time (in milliseconds) that defects must be present before issuing a Fault

Alarm. The Alarm Time starts whenever a fault greater than the Alarm Priority is detected. The range is 0 – 36000 milliseconds. Default = 1000 ms (1 second). The lower the value, the faster a fault alarm is issued.

202 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

CCM Interval—The CCM Interval refers to the frequency at which CCM messages are transmitted. The default value is 1 second. Valid CCM intervals are defined in

Table 17-2, in this chapter.

Table 17-2: CCM Intervals

Interval Period

0 or off

1 or 4ms

2 or 10ms

3 or 100ms

1 or 4ms

2 or 10ms

3 or 100ms

4 or 1sec

5 or 10sec

6 or 1min

7 or 10min

Disables CCM transmission from all MEPs in a given Maintenance Association.

4 milliseconds

10 milliseconds

100 milliseconds

4 milliseconds

10 milliseconds

100 milliseconds

1 second (Default)

10 seconds

60 seconds

10 minutes

NOTE: Setting the CCM Interval to 4 milliseconds is not recommended for a production environment, although it can be used for testing. Also, note that faster CCM rates are more CPU intensive.

System Software Configuration Guide 6.5.0

203

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

DMM Interval—The DMM Interval refers to the frequency at which DMM messages are transmitted. The default value is 1 second. Valid DMM intervals are defined in

Table 17-3, in this chapter.

Table 17-3: DMM Intervals

Interval

0 or off

1 or 4ms

Period

Disables DMM transmission from all MEPs in a given Maintenance Association.

4 milliseconds

2 or 10ms

3 or 100ms

4 or 1sec

5 or 10sec

6 or 1min

7 or 10min

10 milliseconds

100 milliseconds

1 second (Default)

10 seconds

60 seconds

10 minutes

NOTE: Setting the DMM Interval to 4 milliseconds is not recommended for a production environment, although it can be used for testing.

LMM Interval—The LMM Interval refers to the frequency at which LMM messages are transmitted. The default value is 1 second. Valid LMM intervals are defined in

Table 17-4, in this chapter.

Table 17-4: LMM Intervals

Interval Period

0 or off

1 or 4ms

2 or 10ms

3 or 100ms

4 or 1sec

5 or 10sec

6 or 1min

7 or 10min

Disables DMM transmission from all MEPs in a given Maintenance Association.

4 milliseconds

10 milliseconds

100 milliseconds

1 second (Default)

10 seconds

60 seconds

10 minutes

NOTE: Setting the LMM Interval to 4 milliseconds is not recommended for a production environment, although it can be used for testing.

CCM Loss Bucket Size—CCM loss bucket size for CCM loss statistics ranging from 1-60 minutes. The default bucket duration is 15 minutes, which provides a default history of 24 hours.

CCM Loss Num—CCM loss number ranging from 1-255.

204 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

CCM Loss Stats—Enables or disables CCM loss statistics collection. When enabled, the history of CCM frame sequence errors for a remote MEP are saved. Each sequence error is used to compute the number of CCM frames that have been lost. This number is then added to the current history bucket. SAOS has a total of 96 history buckets. Changes to the enable/disable state or bucket duration flush the history.

Level—Maintenance Domain Level for the service. The default is 3.

Name—Name for the service. By default, the name matches the virtual switch or VLAN associated with the service.This identifier will be used as the Short MA Name of its associated MA. The link partner associated with the same service on the far end must be configured with the same identifier for CFM to function correctly.

Next MEPID—CFM has a configurable nextMepid value, with the range 1-8191, which is used to determine default MEPIDs. When a MEP is created without a specified MEPID, the current value of nextMepid will be used as the MEPID of the new MEP, and then incremented by one. If the resulting value of nextMepid is already used by an existing

MEP, nextMepid will be continually incremented until a unique value is found. The purpose of nextMepid is to provide a mechanism for generating MEPIDs that are unique in the MA across all devices in the Service network. Be sure to assign each device a nextMepid value that will guarantee MEPID uniqueness across all MEPs.

Remote MEP aging time—Time period in milliseconds that a Remote MEP in the service can stay in an RMEP fault state before it is deleted. For example, if it is set to 60000, a Remote MEP will be deleted one minute after CCMs are no longer received from it.

The default value is 0, which disables remote MEP aging.

Remote Mep Discovery - Enables or disables Remote MEP Discovery for the service.

When disabled, Remote MEPs must be explicitly configured and will not be discovered through CCM reception.

Reset Time—Time period for which there should be no fault identified before clearing previous faults.

Sender ID Type (sender-id-type) -Sender ID TLV type.

To set CFM service attributes:

cfm service set service <CFMServiceName> {[alarm-priority <NUMBER: 0-7>], [alarm-time <NUMBER:

0-36000>],[ccm-interval <NUMBER: 0-7|off|4ms|10ms|100ms|1sec|

10sec|1min|10min>], [ccm-loss-bucket-size <NUMBER: 1-60>], [ccm-loss-num <NUMBER: 1-255>],

[ccm-loss-stats <enable|disable>], [encapsulation <dot1q|dot1ad>], [level <NUMBER: 0-7>],

[name <String[31]>], [next-mepid <NUMBER: 1 - 8191>], [remote-mep-aging-time <NUMBER:

0...3600000>], [reset-time <NUMBER: 10-36000>], [sender-id-type <none|chassis|manage|chassismanage>]}

Example:

> cfm service set service CFM-SRV-VS-1 name VS-CFM-1

Deleting a CFM Service

Deleting CFM on a tunnel will result in the deletion of its dedicated MA and associated

MEPs. Also, if any fault states exist on the associated Virtual Switch or VLAN, they will be cleared.

To delete a CFM service:

cfm service delete service <CFMServiceName>

Example:

> cfm service delete service VS-CFM-1

System Software Configuration Guide 6.5.0

205

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

Enabling a CFM Service

When you create a CFM service, it is disabled by default.

To enable a CFM service:

cfm service enable service <CFMServiceName>

Example:

> cfm service enable service VS-CFM-1

Disabling a CFM Service

After a CFM service is disabled, any fault states will be cleared.

To disable a CFM service:

cfm service disable service <CFMServiceName>

Example:

> cfm service disable service VS-CFM-1

Displaying CFM Services

You can display a list of all CFM service along with the status, or detailed information for:

A specific CFM service.

• MEPs for a specific CFM service.

Remote MEP for the specified CFM service.

The list of all CFM services indicates existence of a fault with an "X" for the following service faults:

XC (Cross-connect) - Indicates that a CCM was received with an incorrect MAID

(MEGID), or was for an MD Level different than the service MD Level.

CC (Error CCM)- Indicates that a CCM was received with an incorrect ccm-interval, or that the Remote MEP's MEPID equals the MEPID of a local MEP in the service.

RM (RMEP Error) - Indicates that a CCM not been received from a Remote MEP within

3.5 * ccm-interval.

PS (Port Status) - Indicates that one or more Remote MEPs reside in a ports that are not forwarding.

RDI (RDI) - Indicates that one or more Remote MEPs have detected service faults.

IS (Instability) - Indicates that the service is yet to discover a stable Remote MEP.

Faults indicated here may not have been reported through a service fault event, as that requires a fault to have a priority greater than the service alarm-priority and be present for a period of time longer than the service alarm-time. A CFM service that is completely healthy will not have any Service Fault indicators. Some service fault conditions may be expected. For example, if a service has a Remote MEP in a port that is disabled, then the

PS fault will always be present.

To display all CFM services:

cfm service show

206 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

Example:

> cfm service show

+--------------------------------- CFM SERVICES ------------------------------+

| | | | | | | MEPs | Service Faults |

|Name |Type|Service Network |Vid |Lvl|Adm|Loc|Rem|XC|CC|RM|PS|RD|IS|

+----------------+----+----------------|----+---|---+---+---+--+--+--+--+--+--+

|VLAN#1001 |VLAN|VLAN#1001 |1001|3 |dis|0 |0 | | | | | | |

+----------------+----+----------------|----+---|---+---+---+--+--+--+--+--+--+

To display a specific CFM service:

cfm service show service <CFMServiceName>

Example of a service without faults:

> cfm service show service VLAN#1001

+-------------------- CFM SERVICE INFO -------------------+

| Parameter | Value |

+----------------------+----------------------------------+

| CFM Service Name | VLAN#1001 |

| Index | 1 |

| Service Type | VLAN |

| Vs or VLAN Name | VLAN#1001 |

| Service Network | 1001 |

| Encapsulation | IEEE 802.1Q |

| Maint. Domain Level | 3 |

| Maint. Domain Name | md3 |

| Short MA Name | VLAN#1001 |

| MAID | md3VLAN#1001 |

| Admin State | disabled |

| Oper State | disabled |

| CCM Interval | 4 or 1sec |

| CCM Loss Number | 3 |

| Alarm Priority | 3 |

| Alarm Time | 3000 |

| Reset Time | 3000 |

| Remote MEP Aging Time| 0 |

| Next MEPID | 1 |

| Total MEPs | 0 |

| Active Meps | 0 |

| Total Remote MEPs | 0 |

| Service Faults | |

| Last Fault CCM | <none> |

| CCM Loss Statistics | Disabled |

| CCM Loss Bucket Size | 15 |

| DMM Interval | 3 or 100ms |

| LMM Interval | 3 or 100ms |

|---------------------------------------------------------|

System Software Configuration Guide 6.5.0

207

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services

Example of a service with a fault:

If an "XC" or "CC" fault condition is present, a raw hex dump of the last CCM frame that triggered the fault is shown in the detailed display for the CFM service.

> cfm service show service vl100l2

+-------------------- CFM SERVICE INFO -------------------+

| Parameter | Value |

+----------------------+----------------------------------+

| CFM Service Name | vl100l2 |

| Index | 1 |

| Service Type | VLAN |

| PBT,Vs or VLAN Name | VLAN#100 |

| Service Network | 100 |

| Encapsulation | IEEE 802.1Q |

| Maint. Domain Level | 2 |

| Maint. Domain Name | md2 |

| Short MA Name | vl100l2 |

| MAID | md2vl100l2 |

| Admin State | enabled |

| Oper State | enabled |

| CCM Interval | 3 or 100ms |

| CCM Loss Number | 3 |

| Alarm Priority | 3 |

| Alarm Time | 3000 |

| Reset Time | 3000 |

| Next MEPID | 601 |

| Total MEPs | 1 |

| Active Meps | 1 |

| Total Remote MEPs | 1 |

| Service Faults | XCON |

| Last Fault CCM | Frame Length: 112 |

| | 01 80 C2 00 00 31 00 02 |

| | A1 31 23 C7 81 00 E0 64 |

| | 89 02 20 01 03 46 00 00 |

| | 02 62 00 3A 04 03 6D 64 |

| | 31 02 07 76 6C 31 30 30 |

| | 6C 31 00 00 00 00 00 00 |

| | 00 00 00 00 00 00 00 00 |

| | 00 00 00 00 00 00 00 00 |

| | 00 00 00 00 00 00 00 00 |

| | 00 00 00 00 00 00 00 00 |

| | 00 00 00 00 00 00 00 00 |

| | 00 00 00 00 01 00 08 06 |

| | 04 00 02 A1 31 23 C7 02 |

| | 00 01 02 04 00 01 01 00 |

| CCM Loss Statistics | Disabled |

| CCM Loss Bucket Size | 15 |

| DMM Interval | 3 or 100ms |

| LMM Interval | 3 or 100ms |

|---------------------------------------------------------|

To display MEPs for a specific CFM service:

cfm service show service <CFMServiceName> mep

Example:

> cfm service show service VLAN#1001

+-------------------------------- CFM MEPs ----------------------------+

| | | | | |Admin|CCM |CCM|

|Service |Port |Mepid|Type| Mac Address |State|State|Pri|

+----------------+--------+-----+----+-----------------+-----+-----+---+

|VLAN#1001 |1 |1 |down|00:02:A1:24:0E:32|en |on |7 |

+----------------+--------+-----+----+-----------------+-----+-----+---+

208 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring MEPs

To display remote MEPs for a specific CFM service:

cfm service show service <CFMServiceName> remote-mep

Example:

> cfm service show service CFM_VLAN_777 remote-mep

++------------------------------ CFM REMOTE MEPS -------------------------------+

| | | |State|Total |Seq |Last |Fault|

|Service |Mepid|Mac Address |Ad|Op|Rx CCM |Error|Seq Num |F|M|R|

+----------------+-----+-----------------+--+--+---------+-----+---------+-+-+-+

|CFM_VLAN_777 |101 |00:02:A1:07:94:00|en|en|1249 |0 |1249 | | | |

+----------------+-----+-----------------+--+--+---------+-----+---------+-+-+-+

Configuring MEPs

In order for CCM messages to be generated and processed, MEPs must be configured for the CFM service.

Creating a MEP

Attributes for a MEP include:

vlan - Customer VLAN ID specified for MEPs on ports that are members of a virtual switch. The default is 0.

type - The type determines whether CFM Messages processed by a MEP ingress and egress through its associated logical interfaces (down), or are logically forwarded to and from its logical interface from other logical interfaces in the service instance (up).

The default type is up.

mepid - Numeric identifier unique for every MEP in the Maintenance Association. The default MEPID is the next MEP ID available.

NOTE: A total of up to 256 MEPs are supported on the CN 3911 and CN 3920, and up to

530 MEPs are supported on the CN 3940, CN 3960, and CN 5140.

When you create a CFM service for virtual switches, an up MEP is automatically created for each subscriber port. A separate MEP is created for each customer VLAN (C-VID) on every subscriber port. You can also create MEPs manually. For example, you can create a down MEP on a subscriber port for monitoring within the customer network or a down

MEP on a provider port to monitor the provider network. Note that once a VLAN parameter is specified when creating a MEP on a subscriber port, it is not configurable once the MEP is created.

To create a MEP:

cfm mep create service <CFMServiceName> port <PortName> [vlan <VlanId] [type <up|down>] [mepid

<NUMBER: 1-8191>]

Example:

> cfm mep create service CFM_VLAN_777 port 10 type down mepid 2

System Software Configuration Guide 6.5.0

209

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring MEPs

To create a MEP on a subscriber port C-VID:

> cfm mep create service CFM_VLAN_777 port 3 vlan 10 mepid 3

Specifying MEPs in CLI Commands

MEPs can be specified at the CLI in one of three ways:

By MEPID using the local-mepid parameter. This form is applicable to both subscriber and provider ports, and is the recommended form:

> cfm mep set service CFM_VLAN_777 local-mepid 2 ccm-priority 4

By port only. This is applicable to both subscriber and provider ports, but on a provider port, it is the equivalent of specifying the port with vlan 0:

> cfm mep set service CFM_VLAN_777 port 10 ccm-priority 4

• By port and VLAN. This form is applicable to subscriber ports only: cfm mep set service CFM_VLAN_777 port 3 vlan 10 ccm-priority 4

A MEP is specified using one of these three forms for all commands that pertain to MEPs

(for example, enable, disable, delete, show, linktrace, loopback, delay, and frame-loss). In most commands (except set) the MEPID parameter is called mepid

instead of local-mepid.

Setting MEP Attributes

You can set the attributes for MEPs, including:

ccm-priority - CCM message priority value 0-7. Default is 3 .

ccm-state - Default is on. For troubleshooting purposes, you can set the state to off, and the MEP will process the CCMs that it receives, but will not transmit any.

ltm-priority - Linktrace Message priority value 0-7. Default is 3.

mepid - MEP Identifier. Default is the next MEP ID available in the Maintenance

Association.

tag-vid - The VLAN ID of the additional tag for 802.1ad CFM traffic.

tag-priority - The dot1p priority encoded in the additional tag.

tag-mode - Enables CVID support for VLAN CFM services.

type - MEP type. Default is down.

To set MEP attributes:

cfm mep set {local-mepid <NUMBER: 1-8191> | port <PortName> [vlan <Vlan>]} [ccm-priority <NUMBER:

1-5>][ccm-state <on|off>][ltm-priority <NUMBER: 1-5>][mepid <NUMBER: 1-8191>][tag-vid <0-

4095>][tag-priority <0-7>][tag-mode <on|off>][type <up|down>]

Example:

> cfm mep set service CFM_VLAN_777 port 10 mepid 201

Deleting a MEP

If needed, you can delete MEPs no longer in use for a CFM service.

To delete a MEP:

cfm mep delete service <CFMServiceName> {local-mepid <NUMBER: 1-8191> | port <PortName> [vlan

<Vlan>]}

210 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring MEPs

Example:

> cfm mep delete service CFM_VLAN_777 port 10

Disabling a MEP

For troubleshooting, you can disable a MEP to prevent processing of CFM messages.

To disable a MEP:

cfm mep disable service <CFMServiceName> {local-mepid <NUMBER: 1-8191> | port <PortName> [vlan

<Vlan>]}

Example:

> cfm mep disable service CFM_VLAN_777 port 10

Enabling a MEP

Newly created MEPs are automatically enabled. If you disabled a MEP, you can enable it.

To enable a MEP:

cfm mep enable service <CFMServiceName> {local-mepid <NUMBER: 1-8191> | port <PortName> [vlan

<Vlan>]}

Example:

> cfm mep enable service CFM_VLAN_777 port 10

Displaying MEPs

You can display a summary of all CFM MEPS including the associated CFM services, logical interfaces, MEP ID, type, MAC address, administrative state, CCM state, CCM priority, and

Loopback Message priority. Also, you can display additional detailed configuration and statistics for specified MEPs, such as transmitted and received CCMs, loopback messages, and linktrace messages.

To display all MEPs:

cfm mep show

System Software Configuration Guide 6.5.0

211

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring MEPs

Example:

> cfm mep show

+---------------------------------- CFM MEPs -------------------------------+

| | | | | | |Admin|CCM |CCM|

|Service |Port |Vid |Mepid|Type| Mac Address |State|State|Pri|

+----------------+--------+----|-----+----+-----------------+-----+-----+---+

|vl100l4 |1 |0 |58 |up |00:02:A1:31:23:C2|en |on |4 |

|vl100l4 |1 |10 |59 |up |00:02:A1:31:23:C2|en |on |7 |

|vl100l4 |1 |20 |66 |up |00:02:A1:31:23:C2|en |on |7 |

|vl100l5 |1 |10 |59 |up |00:02:A1:31:23:C2|en |on |7 |

|vl100l5 |1 |4094|60 |up |00:02:A1:31:23:C2|en |on |7 |

|vl100l5 |2 |0 |67 |up |00:02:A1:31:23:C3|en |on |7 |

|vl100l5 |2 |20 |61 |up |00:02:A1:31:23:C3|en |on |7 |

|vl100l5 |7 |10 |63 |up |00:02:A1:31:23:C8|en |on |7 |

|vl100l5 |7 |20 |64 |up |00:02:A1:31:23:C8|en |on |7 |

|vl100 |6 |100 |58 |down|00:02:A1:31:23:C7|en |on |7 |

|vl32l7 |5 |32 |59 |up |00:02:A1:31:23:C6|en |on |7 |

+----------------+--------+----|-----+----+-----------------+-----+-----+---+

To display detailed MEP information for a specific CFM service:

cfm mep show [service <CFMServiceName> {mepid <NUMBER: 1-8191> | port <PortName> [vlan

<Vlan>]} [order-by-mepid][exclude-evpl]

212 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring MEPs

Example:

> cfm mep show service vsl02 mepid 2002

+-------------------------------- CFM MEP INFO --------------------------------+

| Parameter | Value |

+-------------------------------------+----------------------------------------+

| Service | vs102 |

| Service Type | VLAN |

| VLAN Name | VLAN#102 |

| Service Network | 102 |

| Port | 1 |

| VLAN | 1002 |

| MEPID | 2002 |

| Mac Address | 00:02:A1:31:23:C2 |

| Type | Up |

| Admin State | enabled |

| CCM State | on |

| CCM Priority | 7 |

| Tag Mode | off |

| Tag VID | 0 |

| Tag Priority | 7 |

| Next Loopback Sequence Number | 1 |

| Next Linktrace Sequence Number | 1 |

| Rx Total Valid Frames | 0 |

| Rx Total Invalid Frames | 0 |

| Rx Invalid Message Overflow | 0 |

| Rx Invalid Port Status TLV | 0 |

| Rx Invalid Interface Status TLV | 0 |

| Rx Invalid Sender ID TLV | 0 |

| Tx CCM | 0 |

| Rx Valid CCM | 0 |

| Rx CCM In Sequence | 0 |

| Rx CCM Sequence Errors | 0 |

| Rx MD Level Xcon CCM | 0 |

| Rx MAID Xcon CCM | 0 |

| Rx MEPID Error CCM | 0 |

| Rx CCM-Interval Error CCM | 0 |

| Rx Invalid CCM | 0 |

| Tx Loopback Message | 0 |

| Tx Loopback Reply | 0 |

| Rx In-order Loopback Reply | 0 |

| Rx Out-of-order Loopback Reply | 0 |

| Rx Content Mismatch Loopback Reply | 0 |

| Rx Unexpected Loopback Reply | 0 |

| Rx Invalid Loopback Reply | 0 |

| Rx Valid Loopback Message | 0 |

| Rx Invalid Loopback Message | 0 |

| Tx Linktrace Message | 0 |

| Rx Valid Linktrace Message | 0 |

| Rx Total Invalid Linktrace Message | 0 |

| Rx Invalid Linktrace Relay Action | 0 |

| Tx Linktrace Reply | 0 |

| Delay Measurement Repeats | Disabled |

| Delay Measurement Delay (min) | 0 |

| Tx Delay Measurement Message | 0 |

| Rx Delay Measurement Message | 0 |

| Tx Delay Measurement Reply | 0 |

| Rx Delay Measurement Reply | 0 |

| Rx Delay Measurement Reply Timeout | 0 |

| Frame Loss Measurement Repeats | Disabled |

| Frame Loss Measurement Delay (min) | 0 |

| Tx Frame Loss Measurement Message | 0 |

| Rx Frame Loss Measurement Message | 0 |

| Tx Frame Loss Measurement Reply | 0 |

| Rx Frame Loss Measurement Reply | 0 |

| Rx Frame Loss Measure Reply Timeout | 0 |

+-------------------------- Last Loopback Message -----------------------------+

| Target Remote MEPID | 0 |

| Target Mac Address | 00:00:00:00:00:00 |

| Priority: | 7 |

System Software Configuration Guide 6.5.0

213

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring Remote MEPs

| Count: | 0 |

| First Sequence Number | 0 |

| LBMs Sent | 1 |

| LBMs To Send | 0 |

| Rx In-order Loopback Reply | 0 |

| Rx Out-of-order Loopback Reply | 0 |

| Rx Content Mismatch | 0 |

+--------------------- Last Delay Measurement Message -------------------------+

| Target Remote MEPID | 0 |

| Target Mac Address | 00:00:00:00:00:00 |

| Priority | 0 |

| Frame Count Tx | 0 |

| Frame Count Rx | 0 |

| Delay in us | 0 |

| Jitter in us | 0 |

+------------------- Last Frame Loss Measurement Message ----------------------+

| Target Remote MEPID | 0 |

| Target Mac Address | 00:00:00:00:00:00 |

| Priority | 0 |

| Frame Count Tx | 0 |

| Frame Count Rx | 0 |

| Frame Loss Near | 0 |

| Frame Loss Far | 0 |

+-------------------------- Last Linktrace Message ----------------------------+

| Target Remote MEPID | 0 |

| Target Mac Address | 00:00:00:00:00:00 |

| Priority | 7 |

| Sequence Number | 0 |

| Initial TTL | 0 |

| Use FDB Only | No |

|---------------------------- Linktrace Responses -----------------------------|

| |Ttl| |Remote MEP |Relay| Ingress | Egress |Flags|

|Ttl|Idx|Trans Id |Mac Address |Actn |Port |Actn |Port |Actn |FY|TM|

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

Configuring Remote MEPs

A Remote MEP monitors connectivity with a service endpoint on another device in the network. Every valid CCM received from a MEP on a remote device that belongs to the same MA as a local service is associated with a Remote MEP in the service.

A Remote MEP can either be manually created or added to a service upon discovery through CCM reception. Once CCMs are consistently received from a Remote MEP for a configurable hold-time, it is automatically activated. Failure to receive a configurable number of consecutive CCMs from an active Remote MEP constitutes loss of connectivity with the remote endpoint, and triggers a service fault. Remote MEP discovery can be enabled or disabled per CFM service.

A Remote MEP also serves as the target for Loopback and Linktrace operations used for monitoring service health and troubleshooting service faults.

NOTE: A total of up to 4609 Remote MEPs are supported on the CN 3911 and CN 3920, and up to 8192 Remote MEPs are supported on the CN 3940, CN 3960, and CN 5140.

Creating a remote MEP

A manually created MEP must be assigned a MEPID that is not equal to the MEPID of any local or remote MEP already associated with the service. Manually created Remote MEPs are administratively disabled by default, and will persist in the system. The MAC address

214 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring Remote MEPs

associated with a Remote MEP can be configured to a fixed value, an the MAC address is uninitialized until it is either explicitly configured or a CCM containing the MEPID associated with that Remote MEP is processed.

To create a remote MEP:

cfm remote-mep create [service <CFMServiceName> mepid <NUMBER:1-8191>]

Example:

> cfm remote-mep create service VLAN#1001 mepid 100 hold-state lock

To set remote MEP attributes:

cfm remote-mep set [service <CFMServiceName> mepid <NUMBER:1-8191>][hold-state

<enabled|disabled|lock>][mac <MacAddress>]

Example:

> cfm remote-mep set service CFM-1 hold-state disabled

Deleting a remote MEP

You can delete a remote MEP.

To delete a remote MEP:

cfm remote-mep delete [service <CFMServiceName> mepid <NUMBER:1-8191>]

Example:

> cfm remote-mep delete service CFM-1 mepid 100

Remote MEP States

The enable/disable operation and hold-state settings are factors in determining Remote

MEP operational state. The following rules apply to Remote MEP states:

A discovered Remote MEP is initially administratively enabled, while a manually created Remote MEP is initially administratively disabled.

A Remote MEP can only cause a service fault when it is operationally enabled.

A Remote MEP that is administratively disabled is always operationally disabled.

Remote MEP hold-state has three settings: enable, disable, and lock.

When a Remote MEP is administratively enabled and its hold-state is "disable", it immediately becomes operationally enabled.

When a Remote MEP is administratively enabled and its hold-state is "enable" it will transition to an operational "hold" state, and remains there until it is free of RMEP faults for a period of time equal to the global rmep-hold-time setting. Once this occurs, the Remote MEP transitions to an operationally enabled state.

If the hold-state is set to "lock", then the behavior in the previous bullet applies, except the Remote MEP will remain in an operational "hold" state indefinitely. The

"lock" hold-state is used to hold the Remote MEP in a diagnostic state that is fully operational other than it cannot trigger a service fault.

System Software Configuration Guide 6.5.0

215

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring Remote MEPs

Disabling a remote MEP

When you disable a remote MEP, it cannot trigger a service fault.You can disable remote

MEPs that have not been discovered by CFM.

To disable a remote MEP:

cfm remote-mep disable service <CFMServiceName> mepid <NUMBER:1-8191>

Example:

> cfm remote-mep disable service VS-CFM-1 mepid 2

Enabling a remote MEP

When a new remote MEP is discovered, it is added to MEP CCM Database in a hold state.

If valid CCMs are continuously received from the remote MEP for the time specified in the rmep-hold-time and the MEP is administratively enabled, the remote MEP automatically transitions to the enabled operational state. If the MEP has been administratively disabled, it will remain in the hold state indefinitely. You can enable remote MEPs that have not been discovered by CFM.

To enable a remote MEP:

cfm remote-mep enable service <CFMServiceName> mepid <NUMBER:1-8191>

Example:

> cfm remote-mep enable service VS-CFM-1 mepid 2

Disabling Remote MEP discovery

When Remote MEP discovery is disabled at the CFM service level, a Remote MEP will not be automatically added to the service if CCMs that are received by one of its MEPs contain an unknown MEPID, and in this case an Error CCM service fault is triggered.

To disable remote MEP discovery:

cfm service set remote-mep-discovery

Example:

> cfm service set service vl100l5 remote-mep-discovery disable

Displaying remote MEPs

You can display the remote MEP summary table to verify CCM reception and to display faults as shown in the following fields:

Seq Error - Number of CCM sequence errors. A sequence error occurs when the sequence number of a CCM is not one greater than the sequence number of the last

CCM received from the Remote MEP, and indicates that a CCM is lost or received out of order.

Fault - Remote MEP fault indicators. All defects currently in effect for a Remote MEP are designated with an "X":

216 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring Remote MEPs

F - Remote MEP Fault. A CCM has not been received from the Remote MEP within ccm-interval*3.5.

P - Port Status. The last CCM received from the Remote MEP indicated a Port Status fault.

R - RDI - The last CCM received from the Remote MEP indicated an RDI fault.

In a healthy service, Remote MEPs will typically not have any fault indicators. A non-zero value for "Seq Error" indicates that one or more CCMs from the Remote MEP were lost in transit. CCMs that are delayed for a period of time > ccm-interval*3.5 are not reflected in the "Seq Error" field, although such a condition may trigger and RMEP Fault (F).

Also, you can display details for a specific remote MEP.

To display a summary of all remote MEPs:

cfm remote-mep show

Example:

> cfm remote-mep show

+------------------------------ CFM REMOTE MEPS -------------------------------+

| | | |State|Total |Seq |Last |Fault|

|Service |Mepid|Mac Address |Ad|Op|Rx CCM |Error|Seq Num |F|M|R|

+----------------+-----+-----------------+--+--+---------+-----+---------+-+-+-+

|VS-CFM-1 |2 |00:00:00:00:00:00|en|hd|0 |0 |0 |X| | |

+----------------+-----+-----------------+--+--+---------+-----+---------+-+-+-+

To display details about a specific remote MEPs:

cfm remote-mep show [service <CFMServiceName>] [mepid <NUMBER: 1-8191>]

System Software Configuration Guide 6.5.0

217

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring Remote MEPs

Example:

> cfm remote-mep show service vl100l5 mepid 3

+---------------------------- CFM REMOTE MEP INFO -----------------------------+

| Parameter | Value |

+-------------------------------------+----------------------------------------+

| Service | vl100l5 |

| MEPID | 3 |

| Mac Address | 00:00:00:00:00:00 |

| Service Network | 100 |

| MD Level | 5 |

| Admin State | enabled |

| Operational State | hold (locked) |

| Hold State | lock |

| Time since last state change (ms) | 8326968 |

| CCM Sequence Errors | 0 |

| Total CCM Lost | 0 |

| Total Rx CCM | 0 |

| CCM Failure Defect | No |

| Port Status Defect | None |

| RDI Error Defect | No |

| DMM Tx Count | 0 |

| DMR Rx Count | 0 |

| DMM Ave Delay (us) | 0 |

| DMM Ave Jitter (us) | 0 |

| LMM Tx Count | 0 |

| LMR Rx Count | 0 |

| LMM Frame Loss Near | 0 |

| LMM Frame Loss Far | 0 |

| CCM Loss Statistics | Disabled |

| CCM Loss Statistics Wrapped | No |

| CCM Current Loss Statistics Index | 0 |

| CCM Loss Bucket Size (minutes) | 15 |

+-------------------------------------+----------------------------------------+

218 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring MIPs

Configuring MIPs

A MIP is able to forward and respond to Linktrace messages, and it provides an intermediate target for Loopback messages, making fault isolation possible. Note that you can disable the MIP CCM Database. When the database is disabled, MIPs will not process CCMs to create new entries and any entries currently in the database are removed. In addition, the global mip-level-enforcement setting can be turned off to ignore the level configured on the MIP.

Creating MIPs

When you have intermediate devices (between the devices containing service MEPs) in a

VLAN service, you need to create a MIP. Similar to MEPs, MIPs can be created on individual

C-VIDs of a VS subscriber port.

To create MIPs:

cfm mip create {vlan <VlanId>} {port <PortName>} [level <NUMBER: 0-7>]

Example:

> cfm mip create vlan 1001 port 1

Setting MIP Attributes

To set the MIP maintenance domain level:

cfm mip set {vlan <VlanId>} {port <PortName>} {level <NUMBER: 0-7>}

Example:

> cfm mip set vlan 1001 port 1 level 0

Deleting MIPs

To delete a MIP:

cfm mip delete {vlan <VlanId>} {port <PortName>}

Example:

> cfm mip delete vlan 1001 port 1

Disabling the MIP Database

To disable the MIP database:

cfm mip database {enable|disable}

Example:

> cfm mip database disable

System Software Configuration Guide 6.5.0

219

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring MIPs

Displaying MIP configuration

To display MIP configuration:

cfm mip show [vlan <VlanId> port <PortName>]

Example:

> cfm mip show

+------------------------- CFM MIPs ---------------------------+

| Service Instance |Vlan Id |Port |Level |Mac Address |

|------------------+--------+--------+------+------------------|

|VLAN#1001 |1001 |1 |3 |00:02:A1:24:0E:32 |

|------------------+--------+--------+------+------------------|

Displaying the MIP Database

To display the MIP database:

cfm mip-ccm-db show

Example:

> cfm mip-ccm-db show

+------------------------------ MIP CCM Database ------------------------------+

+----+-----------------+--------+---------+---------+--------+--+-----+----+---|

+----+-----------------+--------+---------+---------+--------+--+-----+----+---|

220 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services for a VLAN Service

Configuring CFM Services for a VLAN Service

This configuration example shows how to configure CFM to monitor connectivity between the two CE devices by configuring a VLAN CFM service.

To configure CFM on CE1:

Step # Description

Step 1 Create the VLAN.

Step 2 Add the ports to the VLAN.

Step 3 Re-name MD level 5 to Customer.

Step 4 Create the CFM service.

Step 5 Create a down MEP for the network facing port.

Step 6 Enable CFM globally.

Step 7 Enable the CFM service.

Command

vlan create vlan add cfm md set cfm service create cfm mep create cfm enable cfm service enable

Example:

1. > vlan create vlan 10

2. > vlan add vlan 10 port 1

3. > cfm service create vlan 10 name CFM_VLAN_10 level 5

4. > cfm md set level 5 name Customer

5. > cfm mep create service CFM_VLAN_10 port 1 type down mepid 1

6. > cfm enable

7. > cfm service enable service CFM_VLAN_10

To configure CFM on CE2:

Step # Description

Step 1 Create the VLAN.

Step 2 Add the ports to the VLAN.

Step 3 Re-name MD level 5 to Customer.

Step 4 Create the CFM service.

Step 5 Create a down MEP for the network facing port.

Step 6 Enable CFM globally.

Step 7 Enable the CFM service.

Command

vlan create vlan add cfm md set cfm service create cfm mep create cfm enable cfm service enable

System Software Configuration Guide 6.5.0

221

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Configuring CFM Services for a Virtual Switch

Example:

1. > vlan create vlan 10

2. > vlan add vlan 10 port 10

3. > cfm service create vlan 10 name CFM_VLAN_10 level 5

4. > cfm md set level 5 name Customer

5. > cfm mep create service CFM_VLAN_10 port 10 type down mepid 2

6. > cfm enable

7. > cfm service enable service CFM_VLAN_10

Configuring CFM Services for a Virtual Switch

CFM is supported for Ethernet type Virtual Switches (VS) to provide:

Service fault monitoring of a provider VLAN associated with an attached virtual circuit.

• Transmission and receipt of Q-in-Q encapsulated CFM frames over a virtual circuit for monitoring of subscriber VLANs.

• Ability to process and forward EVPL bundled CFM frames.

CFM on VS automatically creates an Up MEP on every C-VID on all subscriber ports. This allows connectivity between all service endpoints in the network to be monitored by creating CFM Services for corresponding virtual-switches on other devices in the service.

Each device will automatically detect a Remote MEP for all non-local service endpoints.

A VS-based CFM service is also dynamic, so if a new subscriber port is added to its associated VS, then a MEP is automatically added to the service for that port. The primary benefit of using a VS-based CFM services is to facilitate connectivity monitoring between all endpoints in a service network. You can also manually create down MEPs on provider ports to monitor provider VLANs.

VS-based CFM services monitor the active VLAN for service faults. If the virtual switch has an attached virtual circuit, the active VLAN is the provider VLAN associated with the virtual circuit. Otherwise, the active VLAN is the VS reserved VLAN. You can configure a

CFM service to monitor the active VLAN directly along with a CFM service to monitor the

VS as long as the services are at different MD levels.

To configure CFM for a virtual switch:

Step # Description

Step 1 Create the CFM service.

Step 2 Enable CFM globally.

Step 3 Enable the CFM service.

Command

cfm service create vs

<VirtualSwitchName> [level <NUMBER: 0-

7>] [name <String[31]>] [next-mepid

<NUMBER:1 - 8191>] cfm enable cfm service <CfmServiceName> enable

Example:

1. > cfm service create vs VS-1 name CFM_VS_1

2. > cfm enable

3. > cfm service enable service CFM_VS_1

222 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

CFM Over Q-in-Q

CFM Over Q-in-Q

The partitioning of a VS into CFM interface groups allows CFM to operate over individual

Subscriber VLANs by mimicking the frame transformations applied to data frames forwarded by the VS. Specifically, a CFM frame originating from a MEP in a Subscriber interface, is transmitted out Provider interfaces using Q-in-Q encapsulation, with a C-VID equal to the Subscriber interface VID, and the S-VID equal to the Provider interface VID.

Similarly when a Q-in-Q encapsulated CFM frame is received on a Provider interface, it is forwarded to the interfaces in the interface group corresponding to the frame’s C-VID tag, after removing the frame’s outer S-VID tag.

CFM Frame Origination

A MEP’s interface type and VID determines how the frames that it originates are initially encapsulated:

Down MEP on any interface: Frame is single-tagged with interface VID

Up MEP on Subscriber interface: Frame is single-tagged with interface VID

Up Mep on Provider interface: Frame is untagged.

A frame transformation is then potentially applied at each egress interface, depending upon the interface type:

Subscriber egress interface: No transform

Provider egress interface: Push interface VID

Table 17-5, in this chapter summarizes these Up MEP frame transformations and the

resulting frame encapsulation for each possible combination of MEP and egress interface types.

Table 17-5: Encapsulation of Originated CFM Frames

Up MEP Ifc

Type

Up MEP Ifc VID MEP Frame

Encap

Egress Ifc

Type

Subscriber 10 802.1Q

Provider

Subscriber

Subscriber

Subscriber

20

0

0

VID=10

802.1Q

VID=20

Untagged

Untagged

Subscriber

Subscriber

Provider

Provider

Provider

N/A

N/A

Untagged

Untagged

Provider

Subscriber

Egress Ifc VID Egress Ifc

Transform

300 Push Egress Ifc

VID

20 None

Egress Frame

Encap

802.1ad

S-VID=300

C-VID=10

802.1Q

VID=20

0

200

None

Push Egress Ifc

VID

100 Push Egress Ifc

VID

40 None

Untagged

802.1Q

VID=200

802.1Q

VID=100

802.1Q

VID=40

System Software Configuration Guide 6.5.0

223

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

CFM Over Q-in-Q

Handling CFM Frames Received on a VS

When a CFM frame is received on a VS interface, it may be consumed by a MEP on that interface. If not, it is forwarded to other VS interfaces, each of which may either consume or forward the frame. A frame that is not consumed by the ingress interface is normalized by applying an frame transformation based on the ingress interface type, before it is forwarded. The result of this normalization determines the interface group used for forwarding the frame.

A CFM frame received on a Subscriber interface is not transformed, while the S-VID

(outer) tag is popped off a frame that ingresses a Provider interface. If the transformed frame is tagged, then its VID determines the interface group for forwarding. If the frame

is untagged, the interface group for VID=0 is used. Table 17-6, in this chapter summarizes

this behavior.

Table 17-6: Transformation and Forwarding of CFM Frames Received on a VS

Ingress Ifc

Type

Ingress Ifc VID Ingress Frame

Encap

Ingress

Transform

Transformed

Frame Encap

Action

Subscriber 10 802.1Q

VID=10

None 802.1Q

Subscriber

Provider

Provider

0 Untagged

100

200

802.1ad

S-VID=100

C-VID=20

802.1Q

VID=200

None

Pop S-VID

Pop S-VID

VID=10

Untagged

802.1Q

VID=20

Untagged

Forward to all other Subscriber interfaces with

VID = 10 and all

Provider interfaces.

Forward to all other Subscriber interfaces with

VID = 0 and all

Provider interfaces.

Forward to all other Provider interfaces and all Subscriber interfaces with

VID=20.

Forward to all other Provider interfaces and all Subscriber interfaces with

VID=0.

224 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

Troubleshooting

Sending and Displaying Loopback Messages

Loopback is a unicast CFM frame sent from a MEP to specific MEPs or MIPs. Multiple messages may be sent to the same destination and loopback catalogs the responses by how many were received in order and how many were out of order. You can display the loopback replies, including the following information:

Tx — Number of LBMs transmitted

ToTx — Number of LBMs for transmission remaining

Io — Number of In Order LBRs received

Ooo — Number of Out of Order LBRs received

Con — Number of LBRs received having a Content Mismatch with the corresponding

LBM.

Normally, the Tx LBM value is equal to the LBR in Order value to indicate that an LBR was received for each LBM, and that all LBRs were received in the expected order. If LBR Out of Order is greater than 0, then some LBRs were not received in the same order as their associated LBMs were transmitted. If Tx LBM is greater than the LBR In Order value plus the LBR Out of Order value, then an LBR was not received for every LBM transmitted.

To send a loopback message to a MEP:

cfm loopback send service <CFMServiceName> {local-mepid <NUMBER: 1-8191> | port <PortName>

[vlan <Vlan>]} {mepid <NUMBER: 1-8191>}

To send a loopback message to a MAC address:

cfm loopback send service <CFMServiceName> {local-mepid <NUMBER: 1-8191> | port <PortName>

[vlan <Vlan>]} {mac <MacAddress>}

To display loopback replies:

cfm loopback show [service <CFMServiceName>]

Example of sending a loopback message to a MEP specified by MEP ID:

> cfm loopback send service vl100l5 local-mepid 59 mepid 1 count 100

> cfm loopback show

+----------------------- MEP LOOPBACK MESSAGE INFORMATION ---------------------+

| |Local|Remote |Rem |Next | LBM | Rx LBR |

|Service |Mepid|Mac Address |Mepid|Seq Number|Tx |ToTx|Io |Ooo|Con|

+----------------+-----+-----------------+-----+----------+---+----+---+---+---|

|vl100l5 |59 |00:02:A1:30:B1:04|1 |51 |50 |50 |50 |0 |0 |

+----------------+-----+-----------------+-----+----------+---+----+---+---+---|

Example of sending multiple messages to obtain an order count:

> cfm loopback send service cfmvlan port 1 mepid 100 count 10

> cfm loopback show

Example of sending messages to a specific MAC address:

> cfm loopback send-mac service cfmvlan port 1 mac 00:02:A1:15:56:E0

> cfm loopback show

System Software Configuration Guide 6.5.0

225

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

Sending and Displaying Linktrace Messages

Linktrace is a multicast CFM frame originated from a MEP. When received by a MIP, the

MIP checks its forwarding table and responds that the request was received on port X and forwarded out of port Y. In the case of a MEP to MEP message, all intermediate MIPs on the path will respond on a per box basis. All linktrace responses are unicast back to the originator.

NOTE: Linktrace requests may also be sent to any arbitrary MAC address, not necessarily a MEP/MIP. This feature can be used to trace paths, even those outside of a given

Maintenance Association.

You can display the linktrace replies, including the following information:

Ttl -Time to Live. An LTR is received from each CFM aware node that handles and propagates the LTM. Each node decrements the LTM Ttl by one and encodes the resulting value in the LTR. Normally, the Ttl values in the LTR list start at the initial

LTM Ttl - 1, and decrease by one for each row in the table. Non-sequential Ttl values indicate that not all LTRs send by intermediate nodes were received, or that the LTM

Ttl was incorrectly decremented at some point.

Ttl Idx - Time to Live Index. A locally assigned value used to differentiate multiple

LTRs received with the same Ttl value. Normally, one LTR is received for each Ttl, and its Ttl index is 1. Multiple LTR entries for the same Ttl indicate an error condition, as it is the result of the LTM being handled on multiple forwarding paths through the network to the target DA.

|---------------------------- Linktrace Responses -----------------------------|

| |Ttl| |Remote MEP |Relay| Ingress | Egress |Flags|

|Ttl|Idx|Trans Id |Mac Address |Actn |Port |Actn |Port |Actn |FY|TM|

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

|63 |1 |1 |00:02:A1:31:23:C7|Hit |6 |Ok |5 |Ok | | |

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

|63 |2 |1 |00:02:A1:12:34:56|Hit |9 |Ok |5 |Ok | | |

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

Relay Action - Indicates how the LTM was handled by the MEP or MIP as follows:

Hit - The LTM reached the target MEP or MIP.

FDB - The egress port for forwarding to the LTM target MAC was resolved using the

MAC learn table.

MFDB - The egress port for forwarding to the LTM target MAC was resolved using the MEP or MIP CCM Database.

-nodef- - Undefined. This value should never be present in an LTR Relay Action.

Ingress Port - Name of the port on which the LTM was received. The name is either a port number or aggregation name.

Ingress Action - Reports how a data frame to the LTM target MAC would be handled at the ingress port as follows:

Ok - The frame would be accepted for forwarding

Down - The ingress port is not operational.

Blocked - The ingress port is blocked by topology enforcement.

VID - The ingress port is not a member of the LTM's VID, and ingress filtering is enabled.

-nodef- - Undefined. This value should never be returned as an Ingress Action.

226 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

Egress Port - Name of the port that is the target of the LTM, or the port that a data frame to the LTM target MAC would be transmitted out when forwarded. The name is either a port number or aggregation name.

Egress Action - Reports how a frame to the LTM target MAC would be handled as it passes through the egress port as follows:

Ok - The frame would be forwarded.

Down - The frame would be discarded because the egress port is not operational.

Blocked - The frame would be discarded because the egress port is blocked by topology enforcement.

VID - The frame would be discarded because the egress port is not a member of the

LTM VID and egress filtering is enabled.

-nodef- - Undefined. This indicates that the frame would not reach the egress port.

For example, in the case where the LTM is targeted at a MEP in the ingress port, the output would look like this:

|---------------------------- Linktrace Responses -----------------------------|

| |Ttl| |Remote MEP |Relay| Ingress | Egress |Flags|

|Ttl|Idx|Trans Id |Mac Address |Actn |Port |Actn |Port |Actn |FY|TM|

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

|63 |1 |1 |00:02:A1:31:23:C7|Hit |6 |Ok |5 |nodef| | |

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

Flags - Reports two flags in the linktrace responses:

FY - FwdYes.

TM - TerminalMEP.

A normal linktrace result is to receive one LTR for each intermediate MIP (if any) along the forwarding path to the target MAC, and a LTR from the target MEP or MIP, or the

Remote MEP that handles an LTM targeted at an arbitrary DA. Failure to receive any LTRs indicates one or more of the following conditions:

• The LTM was not handled by any MEP or MIP that could resolve how to forward to the target MAC.

• The LTM did not traverse any MEPs or MIPs as it was multicast through the network.

All LTRs were lost in transit.

• The LTR Ttl values should be consecutive. A Ttl value that is more than one less than

Ttl value of the LTR immediately above it in the output typically indicates that one or more LTRs were lost in transit.

To send a linktrace to another MEP:

cfm linktrace send service <CFMServiceName> {local-mepid <NUMBER:1-8191> | port <PortName>

[vlan <Vlan>]} {mepid <NUMBER: 1-8191>}

To send a linktrace to a MAC address:

cfm linktrace send-mac service <CFMServiceName> {local-mepid <NUMBER:1-8191> | port <PortName>

[vlan <Vlan>]} {mac <MacAddress>}

To display linktrace replies:

cfm linktrace show [service <CFMServiceName>]

System Software Configuration Guide 6.5.0

227

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

Example of sending a linktrace to a Remote MEP with one LTR received:

> cfm linktrace send service vl100 port 5 mepid 600

> cfm linktrace show

+----------------------------- Linktrace Message ------------------------------+

| | | | | Target | | | |

|Service |Port |Vlan|Mep |Mac Address |Mepid|Trans Id |Ttl|FDB|

|----------------+--------+----+----+-----------------+-----+----------+---|---+

|vl100 |5 | |61 |00:02:A1:30:B1:02|600 |1 |64 |No |

|---------------------------- Linktrace Responses -----------------------------|

| |Ttl| |Remote MEP |Relay| Ingress | Egress |Flags|

|Ttl|Idx|Trans Id |Mac Address |Actn |Port |Actn |Port |Actn |FY|TM|

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

|63 |1 |1 |00:02:A1:30:B1:02|Hit |1 |Ok |1 |Ok | | |

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

Example of sending a linktrace to a MAC address with no LTRs received:

> cfm link-trace send-mac service vl100 port 5 mac 00:11:22:33:44:55

> cfm link-trace show

+----------------------------- Linktrace Message ------------------------------+

| | | | | Target | | | |

|Service |Port |Vlan|Mep |Mac Address |Mepid|Trans Id |Ttl|FDB|

|----------------+--------+----+----+-----------------+-----+----------+---|---+

|vl100 |5 | |61 |00:11:22:33:44:55| |2 |64 |No |

|---------------------------- Linktrace Responses -----------------------------|

| |Ttl| |Remote MEP |Relay| Ingress | Egress |Flags|

|Ttl|Idx|Trans Id |Mac Address |Actn |Port |Actn |Port |Actn |FY|TM|

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

| | | | | | | | | | | |

+---+---+----------+-----------------+-----+--------+-----+--------+-----+--+--|

Sending and Displaying Y.1731 Delay Measurement Messages

When sending DMM transmissions from a CFM Service, you need to specify the following:

• CFM service name (service).

Local MEP ID (local-mepid).

• Remote MEP ID (remote-mepid) or unicast Mac address of target Remote MEP (mac).

Priority and drop eligible values to be used in the VLAN tag of the transmitted frame

(priority). Default is 7. (Optional)

Number of DMM frames to transmit per delay measurement test (count). Valid range is

2 - 600 and the default value is 2. (Optional)

Auto-Repeat Interval (repeat), if the test should be repeated. Valid range 0 - 1440 minutes. By default a test will not be auto-repeated. A value of 0 indicates that the test should run continuously. (Optional)

• Delay threshold to generate an event and trap when test results continuously exceed the value. (Optional)

• Jitter threshold to generate an event and trap when test results continuously exceed the value. (Optional)

To send DMMs to a remote MEP:

cfm delay send {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {remote-mepid

<NUMBER: 1-8191>} [count <NUMBER: 2-600>][priority <NUMBER: 1-7>] [repeat <NUMBER: 1-

7>][delay-threshold <NUMBER>] [jitter-threshold <NUMBER>]

Example:

cfm delay send service CFM_VLAN_10 local-mepid 2 remote-mepid 1

228 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

To send DMMs to a MAC address:

cfm delay send-mac {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {mac

<MacAddress>} [count <NUMBER: 2-600>] [priority <NUMBER: 1-7>] [repeat <NUMBER: 1-7>] [delaythreshold <NUMBER>] [jitter-threshold <NUMBER>]

Example:

> cfm delay send-mac ervice CFM_VLAN_10 local-mepid 2 mac 01:02:03:04:05:06

To display DMM test results:

cfm delay show [service <CFMServiceName>]

Example:

> cfm delay show

+-------------------- MEP DELAY MEASUREMENT MESSAGE INFORMATION ----------------------+

| | Local |Remote |Remote| | | Delay | Jitter |Rep |

|Service | Mepid |Mac Address |Mepid |DMM's|DMR's| in us | in us |Time|

+----------------+--------+-----------------+------+-----+-----+--------+--------+----+

|CFM_VLAN_10 |2 |00:02:A1:30:7D:70| 1 |10 |10 |891 |31 | |

+----------------+--------+-----------------+------+-----+-----+--------+--------+----+

To cancel remote MEP DMM transmission:

cfm delay cancel {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {remote-mepid

<NUMBER: 1-8191>}

Example:

> cfm delay cancel service CFM_VLAN_10 local-mepid 2 remote-mepid 1

To cancel MAC address DMMs transmission:

cfm delay cancel-mac {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {mac

<MacAddress>}

Example:

> cfm delay cancel-mac service CFM_VLAN_10 local-mepid 1 mac 01:02:03:04:05:06

To clear delay measurement statistics for all or a specific service local MEP ID:

cfm delay clear [service <CFMServiceName>] [local-mepid <NUMBER: 1-8191>]

Example:

> cfm delay clear

System Software Configuration Guide 6.5.0

229

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

Sending and Displaying Y.1731 Frame Loss Measurement Messages

When sending LMM transmissions from a CFM Service, you need to specify the following:

CFM service name (service).

• Local MEP ID (local-mepid).

Remote MEP ID (remote-mepid) or unicast Mac address of target Remote MEP (mac).

• Priority and drop eligible values to be used in the VLAN tag of the transmitted frame

(priority). Default is 7. (Optional)

• Number of LMM frames to transmit per loss measurement test (count). Valid range is 2

- 600 and the default value is 2. (Optional)

• Auto-Repeat Interval (repeat), if the test should be repeated. Valid range 0 - 1440 minutes. By default a test will not be auto-repeated. A value of 0 indicates that the test should run continuously. (Optional)

Near loss threshold to generate an event and trap when test results continuously exceed the value. (Optional)

Far loss threshold to generate an event and trap when test results continuously exceed the value. (Optional)

To send LMMs to a remote MEP:

cfm frame-loss send {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {remote-mepid

<NUMBER: 1-8191>} [count <NUMBER: 2-600>][priority <NUMBER: 1-7>][repeat <NUMBER: 1-7>][nearloss-threshold <NUMBER: 0-600>] [far-loss-threshold <0-600>]

Example:

cfm frame-loss send service CFM_VLAN_10 local-mepid 2 remote-mepid 1

To send LMMs to a MAC address:

cfm frame-loss send-mac {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {mac

<MacAddress>} [count <NUMBER: 2-600>] [priority <NUMBER: 1-7>] [repeat <NUMBER: 1-7>] [nearloss-threshold <NUMBER: 0-600>] [far-loss-threshold <0-600>]

Example:

> cfm frame-loss send-mac service CFM-VLAN_10 local-mepid 2 mac 01:02:03:04:05:06 repeat 1 count 250 delay-threshold 2000 jitter-threshold 4000

To display LMM test results:

cfm frame-loss show [service <CFMServiceName>]

Example:

> cfm frame-loss show

+--------------- MEP FRAME LOSS MEASUREMENT MESSAGE INFORMATION ----------------+

| | Local |Remote |Remote| | |Frame|Frame|Rep

|

|Service | Mepid |Mac Address |Mepid |LMM's|LMR's|LossN|LossF|Time

|

+----------------+--------+-----------------+------+-----+-----+-----+-----+----+

|CFM_VLAN_10 |2 |00:02:A1:30:7D:70| 1 |71 |71 |0 |0 | |

+----------------+--------+-----------------+------+-----+-----+-----+-----+----+

230 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

To cancel remote MEP LMM transmission:

cfm frame-loss cancel {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {remote-mepid

<NUMBER: 1-8191>}

Example:

> cfm frame-loss cancel service CFM_VLAN_10 local-mepid 2remote-mepid 1

To cancel MAC address LMMs transmission:

cfm frame-loss cancel-mac {service <CFMServiceName>} {local-mepid <NUMBER: 1-8191>} {mac

<MacAddress>}

Example:

> cfm frame-loss send-mac service CFM_VLAN_10 local-mepid 2 mac 01:02:03:04:05:06

Displaying and Clearing CFM Statistics

You can display and clear statistics for all CFM services or for specific CFM services.

To display global CFM statistics:

cfm show statistics

Example:

> cfm show statistics

+------------------- CFM GLOBAL STATISTICS -------------------+

| Tx Total Frames | 0 |

| Tx Flooded frames | 0 |

| Tx Flood ignored - Invalid Level | 0 |

| Tx Flood ignored - High Level Mep Exist | 0 |

| Tx Flood ignored - STP State | 0 |

| Rx Total Frames | 0 |

| Rx Drop - Invalid Etype | 0 |

| Rx Drop - Invalid Op-Code | 0 |

+------------------------------------------+------------------+

| CCM: |

| Tx Total CCM | 0 |

| Tx Total CCM Flooded | 0 |

| Rx Total CCM | 0 |

| Rx Total CCM Sequence Errors | 0 |

| Rx Invalid MAID | 0 |

| Rx Invalid CCM Interval | 0 |

| Rx Invalid First Tlv Offset | 0 |

| Rx Invalid Port Status Tlv | 0 |

| Rx Invalid Interface Status Tlv | 0 |

| Rx Invalid Logical Interface | 0 |

| Rx Invalid Service Instance | 0 |

| Rx Invalid PBT Encap Tunnel | 0 |

| Rx Drop - Admin Disable | 0 |

| Rx Drop - STP state not Forwarding | 0 |

| Rx Drop - CCM Blocked by Opp. Mep | 0 |

| Rx Drop - CCM Leakage | 0 |

| Rx Drop - CCM Too Long | 0 |

| Rx Drop - CCM Service Disabled | 0 |

System Software Configuration Guide 6.5.0

231

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

+------------------------------------------+------------------+

| Loopback: |

| Tx Total LBM | 0 |

| Tx Total LBR | 0 |

| Rx Total LBM | 0 |

| Rx Total LBR | 0 |

| Rx LBM Invalid First TLV Offset | 0 |

| Rx LBR Invalid First TLV Offset | 0 |

| Rx Unresolved LBM | 0 |

| Rx Unresolved LBR | 0 |

+------------------------------------------+------------------+

| LinkTrace: |

| Tx Total LTM | 0 |

| Tx Total LTR | 0 |

| Rx Total LTM | 0 |

| Rx Total LTR | 0 |

| Rx LTM Invalid First TLV Offset | 0 |

| Rx LTR Invalid First TLV Offset | 0 |

| Rx LTR Invalid Relay Action | 0 |

| Rx Unresolved LTM | 0 |

| Rx Unresolved LTR | 0 |

+------------------------------------------+------------------+

To display CFM statistics for a specific service:

cfm services show service <CFMServiceName> statistics

Example:

> cfm service show service vl100 statistics

+-------------------- CFM SERVICE STATS ------------------+

| Parameter | Value |

+----------------------+----------------------------------+

| CFM Service Name | vl100 |

| Service Index | 2 |

| Service Type | VLAN |

+----------------------+----------------------------------+

| CCM Stats | |

| Total Tx | 178 |

| Total Rx | 180 |

+----------------------+----------------------------------+

| Linktrace Stats | |

| Total Tx LTM | 0 |

| Total Tx LTR | 0 |

| Total Rx LTM | 0 |

| Total Rx LTR | 0 |

| Total Rx Spoof LTR| 0 |

+----------------------+----------------------------------+

| Loopback Stats | |

| Total Tx LBM | 0 |

| Total Tx LBR | 0 |

| Total Rx LBM | 0 |

| Total Rx LBR | 0 |

| Total Rx OOO LBR | 0 |

+----------------------+----------------------------------+

| Delay Stats | |

| Total Tx DMM | 0 |

| Total Tx DMR | 0 |

| Total Rx DMM | 0 |

| Total Rx DMR | 0 |

232 System Software Configuration Guide 6.5.0

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

+----------------------+----------------------------------+

| Loss Stats | |

| Total Tx LMM | 0 |

| Total Tx LMR | 0 |

| Total Rx LMM | 0 |

| Total Rx LMR | 0 |

+----------------------+----------------------------------+

To clear global CFM statistics:

cfm clear statistics

Example:

> cfm clear statistics

To clear CFM statistics for all services:

cfm services clear statistics

Example:

> cfm service clear statistics

To clear CFM statistics for a specific service:

cfm service clear service <CFMServiceName> statistics

Example:

> cfm service clear service v1100 statistics

To clear CFM statistics for all MEPs:

cfm mep clear statistics

Example:

> cfm mep clear statistics

To clear CFM statistics for a specific MEP:

cfm mep clear service <CFMServiceName> port <PortName> statistics

Example:

> cfm mep clear serivce v1100 port 5 statistics

To clear CFM statistics for all remote MEPs:

cfm remote-mep clear statistics

Example:

> cfm remote-mep clear statistics

System Software Configuration Guide 6.5.0

233

C

ONFIGURING

C

ONNECTIVITY

F

AULT

M

ANAGEMENT

Troubleshooting

To clear CFM statistics for a specific remote MEP:

cfm remote-mep clear service <CFMServiceName> mep-id <NUMBER: 1-8191> statistics

Example:

> cfm remote-mep clear serivce v1100 mep-id 600 statistics

To clear delay measurement statistics for all or a specific service local MEP ID:

cfm delay clear [service <CFMServiceName>] [local-mepid <NUMBER: 1-8191>]

Example:

> cfm delay clear

To clear loss measurement statistics for all or a specific service local MEP ID:

cfm frame-loss clear [service <CFMServiceName>] [local-mepid <NUMBER: 1-8191>]

Example:

> cfm frame-loss clear

Displaying CFM Port Stack information

CFM port stack information includes the MEPs and MIPs present in each interface, along with the service associated with each MEP.

To display CFM port stack information:

cfm stack show [vlan <VlanId>]

Example:

> cfm stack show

+-------------------------- CFM Interface Stacks -----------------------------+

|Service Inst|Vlan|Port |Type|L|Mep |Adm|Service |MAC Address |

+------------+----+--------+----+-+----+---+----------------+-----------------+

|VLAN#1001 1001 1 |Down|3|1 |en |VLAN#1001 |00:02:A1:24:0E:32|

+------------+----+--------+----+-+----+---+----------------+-----------------+

234 System Software Configuration Guide 6.5.0

Chapter

Configuring L2 Control Frame Tunneling

• • • • • •

18

At a Glance:

Overview

Benefits

Configuration

Troubleshooting

This chapter explains how to configure the treatment of Layer 2 (L2) control frames with

L2 control frame tunneling.

NOTE: To configure L2 control frame tunneling, you need to install the Advanced Ethernet license key. To obtain the Advanced Ethernet license key, contact Ciena Sales.

Overview

A device identifies the associated protocol of L2 control frame based upon the Media

Access Control Destination Address (MAC DA) and other information within the frame.

Depending upon the state of processing, L2 control frames can be in three forms:

Untagged - standards based definition of the protocol’s control frame. In this form, the frame does not have a VLAN tag, but does have the protocol specific MAC DA.

Depending upon the protocol, it may have a specific EtherType value and other information. Typically, control frames in this format are received from the subscriber facing interface.

Transparent (tagged)- one or more 802.1 VLAN tags have been added to transform the frame, and the protocol specific MAC DA is left intact. This form occurs when a control frame is received from a subscriber facing interface, encapsulated as a data frame, and then forwarded from a network facing interface for transport through the provider network.

L2 Protocol Tunneling (L2PT) - standard MAC DA has been transformed to the L2PT special MAC DA.

In conformance with IEEE standards, the default configuration does not propagate untagged L2 control frames through the network. If the default disposition is “discard”, the frames are dropped without further processing. If the disposition is “peer”, the

frames are forwarded to the software process that handles the specific protocol. Table

18-1, in this chapter shows the frame format for the three forms for each protocol along

with the default disposition for each.

System Software Configuration Guide 6.5.0

235

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Overview

236

Table 18-1: Control Frame Formats and Disposition

Control Frame Name

(with CLI attribute)

Rapid Spanning Tree

Protocol (rstp)

Link Aggregation

Control Protocol (lacp)

Untagged

Tagged

LACP Marker (lacpmarker)

802.3ah Operation,

Administration, and

Maintenance (oam)

Form

Untagged

Tagged

L2PT

L2PT

Untagged

Tagged

L2PT

Untagged

Default

Disposition

Peer

DA MAC

Address

01-80-C2-00-00-

00

Same as data frame

01-80-C2-00-00-

00

Same as data frame

01-00-0C-CD-CD-

D0

Peer 01-80-C2-00-00-

02

Same as data frame

01-80-C2-00-00-

02

Same as data frame

01-00-0C-CD-CD-

D0

Peer 01-80-C2-00-00-

02

Same as data frame

01-80-C2-00-00-

02

Same as data frame

01-00-0C-CD-CD-

D0

Discard 01-80-C2-00-00-

02

Type/Length

Encapsulation

LLC or

EtherType

DSAP/SSAP=0x

42 Ctrl=0x03

Subtype

DSAP/SSAP=0x

42 Ctrl=0x03

DSAP/SSAP=0x

42 Ctrl=0x03

88-09 01

88-09

88-09

88-09

88-09

88-09

88-09

01

01

02

02

02

03

IEEE Std.

802.1X/EAPOL(802.1x)

Untagged

Tagged

LLDP 802.1ab(lldp)

Tagged

L2PT

L2PT

Untagged

Tagged

L2PT

Same as data frame

01-80-C2-00-00-

02

Same as data frame

01-00-0C-CD-CD-

D0

Discard 01-80-C2-00-00-

03

Same as data frame

01-80-C2-00-00-

03

Same as data frame

01-00-0C-CD-CD-

D0

Peer 01-80-C2-00-00-

0E

Same as data frame

01-80-C2-00-00-

0E

Same as data frame

01-00-0C-CD-CD-

D0

88-09

88-09

88-8E

88-8E

88-8E

88-CC

88-CC

88-CC

03

03

System Software Configuration Guide 6.5.0

Table 18-1: Control Frame Formats and Disposition

Generic Attribute

Registration Protocol

(GARP) Block (garpblock)

Untagged Discard 01-80-C2-00-00-

2X

GARP Mulicast

Registration Protocol

(gmrp)

Tagged

L2PT

Untagged

Same as data frame

01-80-C2-00-00-

2X

Not supported Not Supported

Discard 01-80-C2-00-00-

20

GARP VLAN

Registration Protocol

(gvrp)

Tagged

L2PT

Untagged

Same as data frame

01-80-C2-00-00-

20

Not supported Not Supported

Discard 01-80-C2-00-00-

21

L2PT

Cisco-Port Aggregation

Protocol (cisco-pagp)

Untagged

Tagged

Cisco-Unidirectional

Link Detection (ciscoudld)

Tagged

L2PT

Untagged

Same as data frame

01-80-C2-00-00-

21

Not supported Not Supported

Discard 01-00-0C-CC-CC-

CC

SNAP

Same as data frame

01-00-0C-CC-CC-

CC

SNAP

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-00-0C-CC-CC-

CC

SNAP

Cisco Discovery

Protocol (cisco-cdp)

Cisco-Dynamic

Trunking Protocol

(cisco-dtp)

Tagged

L2PT

Untagged

Tagged

L2PT

Untagged

Same as data frame

01-00-0C-CC-CC-

CC

SNAP

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-00-0C-CC-CC-

CC

SNAP

Same as data frame

01-00-0C-CC-CC-

CC

SNAP

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-00-0C-CC-CC-

CC

SNAP

System Software Configuration Guide 6.5.0

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Overview

237

00-01

00-01

00-01

00-01

01-11

01-11

20-00

20-00

20-00

20-04

01-04

01-04

01-04

01-11

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Overview

Table 18-1: Control Frame Formats and Disposition

Tagged Same as data frame

01-00-0C-CC-CC-

CC

SNAP

L2PT

Cisco-VLAN Trunking

Protocol (cisco-vtp)

Cisco-Per VLAN

Spanning Tree (ciscopvst)

Untagged

Tagged

L2PT

Untagged

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-00-0C-CC-CC-

CC

SNAP

Same as data frame

01-00-0C-CC-CC-

CC

SNAP

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-00-0C-CC-CC-

CD

SNAP

Cisco-VLAN Bridge

(vlan-bridge)

Cisco STP Fast Uplink

(cisco-stp-uplink-fast)

Bridge Block (bridgeblock)

All Bridges Block (allbridges-block)

Tagged

L2PT

Untagged

Tagged

L2PT

Untagged

Tagged

L2PT

Untagged

Tagged

L2PT

Untagged

Tagged

L2PT

Same as data frame

01-00-0C-CC-CC-

CD

SNAP

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-00-0C-CD-CD-

CE

SNAP

Same as data frame

01-00-0C-CD-CD-

CE

SNAP

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-00-0C-CD-CD-

CD

SNAP

Same as data frame

01-00-0C-CD-CD-

CD

SNAP

Same as data frame

01-00-0C-CD-CD-

D0

SNAP

Discard 01-80-C2-00-00-

0X

Same as data frame

01-80-C2-00-00-

0X

Not supported Not Supported

Discard 01-80-C2-00-00-

1X

Same as data frame

01-80-C2-00-00-

1X

Not supported Not Supported

01-0B

01-0B

01-0C

01-0C

01-0C

20-0A

20-0A

20-0A

20-04

20-04

20-03

20-03

20-03

01-0B

238 System Software Configuration Guide 6.5.0

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Benefits

Benefits

With L2 Control Frames Tunneling, you can change the handling of untagged L2 control frames to be processed and forwarded as if they were data frames instead of being discarded or locally processed. Also, you can change the handling of transparent L2 control frames to be transformed to L2PT frame format.

Configuration

L2 control frame tunneling directs untagged L2 control frames into a forwarding domain of a virtual switch. Every virtual switch is associated with an L2 control frame tunneling configuration container. The container storing the configuration information is called an

L2 control frame tunneling instance, which includes:

Administrative Status - whether or not L2 control frame tunneling is enabled or disabled for the virtual switch.

Fixed .1D priority- sets the .1D priority value applied to untagged L2 control frames to provide the baseline for Class of Service (CoS) treatment of the frame as it switches through the device. The priority value ranges from 0-7, where 7 has the highest priority and 0 has the lowest priority.

Protocol Disposition List - sets a user-defined list of protocols to be processed by L2 control frame tunneling along with a disposition action of forward or discard.

Adding Untagged L2 Control Frame Classification to a Port

In order for untagged L2 control frames to be directed from a port to a forwarding domain, you need to add the untagged L2 control frame traffic classification (untaggedctrl-vs) to the port and the port must have some membership in the designated virtual switch (virtual-switch ethernet add vs <VirtualSwitchName> port

<PortName> vlan <VlanId>

). When the untagged-ctrl-vs attribute has been designated, then the L2 control frame tunneling instance of the specified virtual switch will be used to handle the untagged L2 control frames that ingress the logical-port.

To add L2 control frame traffic classification for port:

port set port <PortName> untagged-ctrl-vs <VirtualSwitchName>

Removing Untagged L2 Control Frame Classification from a Port

When the untagged-ctrl-vs attribute is removed, an untagged L2 control frame is processed at the port according the default disposition for its protocol.

To remove L2 control frame traffic classification for a port:

port unset port <PortName> untagged-ctrl-vs <VirtualSwitchName>

Enabling L2 Control Frame Tunneling

You can enable an L2 control frame tunnel on each port of each device simultaneously.

To enable L2 control frame tunneling:

virtual-switch l2-cft enable vs <VirtualSwitchName>

System Software Configuration Guide 6.5.0

239

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Configuration

Disabling L2 Control Frame Tunneling

When you disable L2 control frame tunneling for a specified virtual switch, any configured

L2PT transforms will not occur, and untagged L2 control frames will be handled according to their default disposition.

To disable L2 control frame tunneling:

virtual-switch l2-cft disable vs <VirtualSwitchName>

Adding Control Protocols

When adding a control protocol, you can optionally specify the disposition. If you do not specify the disposition, the default disposition for the control protocol is used.

Possible disposition values are:

Discard - Frame is discarded without further processing.

Forward - frame is directed to the forwarding domain associated with the L2 control frame tunneling instance. Frames with this disposition are subject to all ingress and egress transformations configured on the interface. In addition, these frames are flooded to all logical interfaces attached to the virtual switch associated with the L2 control frame tunneling instance.

To add a control protocol to an L2 control frame tunneling instance:

virtual-switch l2-cft protocol add vs <VirtualSwitchName> {ctrl-protocol <802.1x|all-bridgesblock|bridge-block|cisco-cdp|cisco-dtp|cisco-pagp|cisco-pvst|cisco-stp-uplink-fast|ciscoudld|cisco-vtp|garp-block|gmrp|gvrp|lacp|lacp-marker|lldp|oam|rstp|vlan-bridge>}

[disposition <discard|forward>]

Removing Control Protocols

When you remove a control protocol from a L2 control frame tunneling instance, untagged L2 control frames will be processed according to the default disposition for the control protocol.

To remove a control protocol from an L2 control frame tunneling instance:

virtual-switch l2-cft protocol remove vs <VirtualSwitchName> {ctrl-protocol <802.1x|allbridges-block|bridge-block|cisco-cdp|cisco-dtp|cisco-pagp|cisco-pvst|cisco-stp-uplinkfast|cisco-udld|cisco-vtp|garp-block|gmrp|gvrp|lacp|lacp-marker|lldp|oam|rstp|vlan-bridge>}

Setting the Disposition of Control Protocols

After you add a control protocol to an L2 control frame tunneling instance, you can modify its disposition.

To set the disposition of a control protocol in an L2 control frame tunneling instance:

virtual-switch l2-cft set vs <VirtualSwitchName> {ctrl-protocol <802.1x|all-bridgesblock|bridge-block|cisco-cdp|cisco-dtp|cisco-pagp|cisco-pvst|cisco-stp-uplink-fast|ciscoudld|cisco-vtp|garp-block|gmrp|gvrp|lacp|lacp-marker|lldp|oam|rstp|vlan-bridge>}

{disposition <discard|forward>}

240 System Software Configuration Guide 6.5.0

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Configuration

Setting the Fixed .1D Priority Value

When an untagged frame is forwarded (encapsulated) by the L2 control frame tunneling instance, it is given a Fixed .1D priority value. The default Fixed .1D priority value is 6.

You can modify it to a value between 0 and 7.

To set the Fixed .1D Priority value for frames forwarded by an L2 control frame tunneling instance:

virtual-switch l2-cft set vs <VirtualSwitchName> priority <NUMBER: 0-7>

Setting the Tunnel Method

The tunnel method controls the classification and processing of untagged L2 control frames. You can set the tunnel method for a virtual switch to one of two modes, transparent or L2PT. The default mode is L2PT.

To set the tunnel mode:

virtual-switch l2-cft set vs <VirtualSwitchName> tunnel-method <l2pt|transparent>

Transparent Mode

When the tunnel method is in transparent mode, the switching chip hardware handles dispositions without sending frames to the CPU for processing, and is referred to as "fast path" operation. With "fast path" operation, untagged L2 control frame dispositions are maintained when the control frame ingresses a customer-facing interface with the untagged-ctrl-vs specified. Protocol dispositions are not maintained when the equivalent tagged L2 control frame ingresses a network-facing interface(s).

In transparent mode, the

L2 control frame is encapsulated accordingly, and the IEEE or Cisco MAC DA is left intact.

L2PT Mode

When the virtual switch is configured for L2PT mode, L2 control frames are classified and either dropped or forwarded, according to each protocol's disposition and the untaggedctrl-vs designation at each customer-facing interface. In L2PT mode the L2 control frame is fully decoded based on the proper IEEE or Cisco MAC DA and any relevant Op-Codes in the frame. If there is a specific protocol match on a protocol that supports L2PT stamping, the frame is eligible for conversion to and from L2PT and proper IEEE or Cisco

MAC DA. Certain protocols do not support L2PT transformation, since their classification data does not contain enough information to uniquely identify the protocol once the protocol-specific MAC DA has been replaced. Such protocols do not have an L2PT form.

In general, when the virtual switch is in L2PT mode, the switching chip hardware sends

L2 control frames to the CPU for "slow-path" processing. The frame agent will egress that frame out the customer-facing interfaces as a "proper" IEEE or Cisco L2 control frame, and egress the frame out network-facing interfaces as the same L2PT frame.

L2 control frames that ingress a network-facing interface are processed as follows:

• If the L2 control frame is in the L2PT-equivalent form and is fully decodable, it is converted back to the proper IEEE or Cisco MAC DA.

Egressing Customer-Facing Interface(s): The proper IEEE or Cisco MAC DA form of the frame will egress out all customer-facing interfaces of the virtual switch.

System Software Configuration Guide 6.5.0

241

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Configuration

Egressing Network-Facing Interface(s): The L2PT form of the frame will egress out all network-facing interfaces, except for the interface on which the frame ingressed.

• If the L2 control frame has an L2PT MAC DA, but is not decodable, that frame will be switched out all customer-facing and network-facing interfaces with no conversion of

MAC DA.

If the L2 control frame is already in the proper IEEE or Cisco MAC DA form, that frame will be switched out all customer-facing and network-facing interfaces with no conversion of MAC DA to L2PT. This means that if an IEEE L2 control frame enters a network-facing interface, that same frame will egress interfaces regardless of the

L2PT mode enabled on the virtual switch.

L2 control frames that ingress a customer-facing Interface are processed as follows:

• If the L2 control frame is in the L2PT-equivalent form, it will be treated as a data frame and switched out all customer-facing and network-facing interfaces with no conversion of MAC DA.

If the L2 control frame is in the proper IEEE or Cisco MAC DA untagged form, that frame will subject to the disposition set for the protocol at the virtual switch L2 control frame tunneling instance. This untagged L2 control frame has classified to the customer facing port based upon the untagged-ctrl-vs attribute of that port.

Egressing Customer-Facing Interface(s): The proper IEEE or Cisco MAC DA form of the frame will egress out all customer-facing interfaces of the virtual switch. From customer-to-customer, the L2PT form will not propagate.

Egressing Network-Facing Interface(s): The L2PT form of the frame will egress out all network-facing interfaces, except for the interface on which the frame ingressed.

If the L2 control frame has an IEEE or Cisco MAC DA, but is not decodable, that frame will be switched out all customer-facing and network-facing interfaces with no conversion of MAC DA.

Configuring L2 Control Frame Tunneling

In general, L2 control frame tunneling includes the following steps:

1. Add a disposition of forward or discard for each protocol to be handled by

L2CFT to the L2CFT Instance associated with the virtual switch to be used as a L2CF forwarding-domain.

2. Enable the L2CFT Instance.

3. Specify the untagged-ctrl-vs for each customer-facing virtual switch interface member. Those interface members will handle untagged L2CFs.

4. Enable L2PT mode at the virtual switch if L2PT transforms are to occur for tunneled L2CFs.

5. Configure the L2 control frame fixed .1D priority value - this is the frame

PCP that will go onto the frame when encapsulated.

The configuration example in this section shows how you can configure virtual switches and ports to classify untagged L2 control frames and then transform them into the L2PT form. The ingress port classification allows untagged L2 control frames and frames with

VLAN tag 100. The L2 control frame tunneling instance is enabled for the virtual switch.

Also, RSTP and LACP are added to the protocol disposition list with the disposition of forwarding.

242 System Software Configuration Guide 6.5.0

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Configuration

To configure L2 control frame tunneling:

Step # Description Command

Step 1 Create the VLAN 100.

Step 2 Add the ingress and egress ports to VLAN 100.

vlan create vlan <VlanId> vlan add vlan <VlanId> port <PortName>

Step 3 Confirm the creation of VLAN 100 (Optional).

Step 4 Confirm the ports are members of VLAN 100.

Step 5 Create a virtual circuit and assign it to VLAN 100.

vlan show vlan show vlan <VlanId> virtual-circuit ethernet create vc

<VirtualCircuitName> vlan

<VlanId>

Step 6 Confirm the creation of the virtual circuit (Optional).

Step 7 Confirm the VLAN 100 is associated with the virtual circuit (Optional).

Step 8 Add reserved VLAN 1000.

virtual-circuit show virtual-circuit show vc

<VirtualCircuitName> virtual-switch add reserved-vlan <VlanId>

Step 9 Create the virtual switch. virtual-switch ethernet create vs

<VirtualSwitchName> vc

<VirtualCircuitName>

Step 10 Add the ingress port to the virtual switch.

virtual-switch ethernet add vs <VirtualSwitchName> port <PortName>

Step 11 Enable L2 control frame tunneling for the virtual switch.

virtual-switch l2-cft enable vs

<VirtualSwitchName>

Step 12 Add the control protocols to the protocol disposition list with the desired disposition for the L2 control frame tunneling instance.

virtual-switch l2-cft protocol add vs

<VirtualSwitchName>

Step 13 Add the L2 control frame classification to the port for ingress traffic.

port set port <portName> untagged-ctrl-vs

<VirtualSwitchName>

Step 14 Confirm the L2 control frame tunnel configuration of the virtual switch (Optional).

virtual-switch l2-cft show vs <VirtualSwitchName>

Example:

1. > vlan create vlan 100

2. > vlan add vlan 100 port 1

3. > vlan show

4. > vlan show vlan 100

5. > virtual-circuit ethernet create vc cft-vc vlan 100

System Software Configuration Guide 6.5.0

243

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Configuration

6. > virtual-circuit show

+------ ETHERNET VIRTUAL CIRCUIT TABLE -----+

| Name | VLAN |

+-----------------+-------------------------+

| cft-vc | 100 |

+-----------------+-------------------------+

7. > virtual-circuit show vc cft-vc

+------------- ETHERNET VIRTUAL CIRCUIT INFO -------------+

| Parameter | Value |

+----------------------+----------------------------------+

| Name | cft-vc |

| ID | 1 |

| Provider VLAN | (100) VLAN#100 |

| Psuedo-Wire Type | untagged |

| VS Using | |

+---------------------------------------------------------+

8. > virtual-switch add reserved-vlan 1000

9. > virtual-switch ethernet create vs cft-vs vc cft-vc

10.> virtual-switch ethernet add vs cft-vs port 1

11.> virtual-switch l2-cft enable vs cft-vs

12.> virtual-switch l2-cft protocol add vs cft-vs ctrl-protocol rstp disposition forward

> virtual-switch l2-cft protocol add vs cft-vs ctrl-protocol lacp disposition forward

13.> port set port <portName> untagged-ctrl-vs <VirtualSwitchName>

14.> virtual-switch l2-cft show vs cft-vs

+--------- L2 Ctrl Protocol Tunneling - cft-vs -+

| Parameter | Value |

+-----------------------+--------------------------------+

| Admin State | Enabled |

| Tunnel Method | l2pt |

| Priority | 6 |

+-----------------------+--------------------------------+

| Protocol Name | Disposition |

+-----------------------+--------------------------------+

| rstp | forward |

| lacp | forward |

+-----------------------+--------------------------------+

244 System Software Configuration Guide 6.5.0

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Troubleshooting

Troubleshooting

Displaying Enabled L2 Control Frame Tunneling Instances

You can display a summary of all currently enabled L2 control frame tunneling instances or details about a single L2 control frame tunneling instance specified by virtual switch.

To display a summary of enabled L2 control frame tunneling instances:

virtual-switch l2-cft show

Example:

> virtual-switch l2-cft show

+------------------------- L2 Ctrl Protocol Tunneling -----------------------+

| Virtual Switch | Admin State | Tunnel Method | Priority |

+------------------+-------------+--------------------------------+----------+

| cft_0 | Disabled | l2pt | 6 |

| cft_1 | Disabled | l2pt | 6 |

| cft_2 | Disabled | l2pt | 6 |

| cft_3 | Disabled | l2pt | 6 |

| cft_4 | Disabled | l2pt | 6 |

| cft_5 | Disabled | l2pt | 6 |

| cft_6 | Disabled | l2pt | 6 |

| cft_7 | Disabled | l2pt | 6 |

| cft_8 | Disabled | l2pt | 6 |

| cft-vs | Disabled | l2pt | 6 |

+------------------+-------------+--------------------------------+----------+

To display details about a specific enabled L2 control frame tunneling instance:

virtual-switch l2-cft show [vs <VirtualSwitchName>]

Example:

> virtual-switch l2-cft show vs cft-vs

+--------- L2 Ctrl Protocol Tunneling - cft-vs -+

| Parameter | Value |

+-----------------------+--------------------------------+

| Admin State | Enabled |

| Tunnel Method | l2pt |

| Priority | 6 |

+-----------------------+--------------------------------+

| Protocol Name | Disposition |

+-----------------------+--------------------------------+

| rstp | forward |

| lacp | forward |

+-----------------------+--------------------------------+

System Software Configuration Guide 6.5.0

245

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Troubleshooting

Displaying the L2 control frame classification for a port

You can display the status of L2 control frame classification for a specific port.

To display the status of L2 control frame classification for a port:

port show

Example:

> port show port 9

+---------------------------- PORT INFO ------------------------------+

| Field | Admin | Oper |

+-------------------------+---------------------+---------------------+

| Type | 10/100/G |

| Description | |

| Spanning Tree State | Forwarding |

| MAC Address | 00:02:a1:07:86:e2 |

| Phy Loopback | Off |

| Link State | Enabled | Enabled |

| State Group Link State | | |

| Mode | rj45 | unknown |

| Speed | 1 Gbps | 1 Gbps |

| Duplex | full | full

| Flow Control | off | off

|

|

| Auto Negotiation | Enabled | Enabled

| Flow Control Advertised | off | Enabled

|

|

| PVID | 300 | 300 |

| Untag Ingress Vtag | 1 | 1 |

| Untag Ingress Data Vid | 0 | 0 |

| Fixed Resolved CoS | 0 | 0 |

| Ingress VLAN Filter | Enabled | Enabled |

| Ingress VS Filter | Off | Off |

| Acceptable Frame Type | all | all |

| Egress Untag VLAN | 300 | 300 |

| Max Frame Size | 1526 | 1526 |

| Untagged Data VS | | |

| Untagged Ctrl VS | | |

| Resolved CoS Policy | dot1d-tag1-cos | dot1d-tag1-cos |

| Service Port Type | Subscriber | Subscriber |

| Eth VC EtherType | 8100 | 8100 |

| Eth VC EtherType Policy | all | all |

| Mirror-port | Off | Off |

| Ingress-mirror | | |

| Egress-mirror | | |

| Ingress to Egress QMap | Default-RCOS | Default-RCOS |

| XCVR caps mismatch | <NONE> |

+-------------------------+---------------------+---------------------+

246 System Software Configuration Guide 6.5.0

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Troubleshooting

Displaying L2 Control Frame Tunneling Configuration in the Configuration File

L2 control frame tunneling related configuration is saved to the configuration file in various sections, including:

VIRTUAL-CIRCUIT CONFIG:

• VIRTUAL-SWITCH CONFIG:

L2 CFT PROTOCOL CONFIG:

Example:

> configuration show

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! VIRTUAL-CIRCUIT CONFIG: virtual circuits

! virtual-circuit ethernet create vc cft-vc0 vlan 100

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! VIRTUAL-SWITCH CONFIG:

! virtual-switch add reserved-vlan 1000

! virtual-switch ethernet create vs cft-vs vc cft-vc0

! virtual-switch ethernet add vs cft-vs port 9

! port set port 9 untagged-ctrl-vs cft-vs

!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! L2 CFT CONFIG:

! virtual-switch l2-cft enable vs cft-vs

! virtual-switch l2-cft protocol add vs cft-vs ctrl-protocol rstp disposition forward virtual-switch l2-cft protocol add vs cft-vs ctrl-protocol lacp disposition forward

!

!

...

System Software Configuration Guide 6.5.0

247

C

ONFIGURING

L2 C

ONTROL

F

RAME

T

UNNELING

Troubleshooting

248 System Software Configuration Guide 6.5.0

Chapter

Configuring TWAMP

• • • • • •

19

At a Glance:

Overview

Benefits

Configuring TWAMP

Troubleshooting

This chapter explains the implementation and configuration of Two-Way Active

Measurement Protocol (TWAMP).

NOTE: To configure TWAMP functionality, you need to install the Advanced OAM license key. To obtain the Advanced OAM license key, contact Ciena Sales.

Overview

As defined in RFC4656, One-Way Active Measurement Protocol (OWAMP) measures unidirectional IP performance between two devices. Based upon OWAMP, TWAMP provides bidirectional measurements of IP performance between two devices through an exchange of test messages. The system software supports the following TWAMP modes:

TWAMP Light Responder

• TWAMP Complete Server

TWAMP Client

In order to ensure accurate time-stamping of response frames, it is recommended that you configure the NTP client to set the system date and time with a minimum of three configured NTP servers.

NOTE: For additional information regarding NTP, see the Configuring NTP section in

Chapter 3, on page 27.

To maintain system performance, this implementation of TWAMP does not authenticate with the method described in the standard.

System Software Configuration Guide 6.5.0

249

C

ONFIGURING

TWAMP

Overview

Protocols

In compliance with the Internet Engineering Task Force (IETF) draft document, draft-ietfippm-twamp-06.txt, TWAMP Light Responder and Complete TWAMP use the TWAMP-Test protocol to exchange TWAMP test packets between the devices. Complete TWAMP uses a second protocol, TWAMP-Control to initiate, start, and stop a TWAMP test session.

Operational Roles

In a TWAMP-Test session, devices operate in the following roles:

Session-Sender - Endpoint device that sends TWAMP measurement packets.

Session-Reflector - Endpoint device that receives TWAMP measurement packets with the ability to create and send TWAMP measurement packets in response.

Server - Endpoint device that manages one or more TWAMP-Test sessions, including the state of the session endpoint devices.

Control-Client - Endpoint device that initiates requests, triggers the start and stop of a test session.

Relationship Between Protocols and Operational Roles

Figure 19-1 illustrates the relationship between the TWAMP protocols and the

operational roles and shows a potential implementation where four separate devices operate in each role.

250

Figure 19-1: TWAMP relationships

System Software Configuration Guide 6.5.0

C

ONFIGURING

TWAMP

Overview

TWAMP Light Responder

With TWAMP Light Responder mode, devices operate as Session-Reflectors only, and a performance management system operates in the Session-Sender, Control-Client, and

Server roles. Figure 19-2 shows the relationship between the TWAMP-Test protocol and

operational roles in TWAMP Light Responder.

Figure 19-2: TWAMP Light Responder

While the TWAMP-Test session runs, the Session-Sender sends TWAMP-Test packets to the device. When incoming frames contain a UDP packet and the UDP destination port matches the device’s configured active TWAMP port, the Session-Reflector processes the packets and returns response packets to the Session-Sender. After the exchange of test packets is complete, the Control-Client ends the session.

System Software Configuration Guide 6.5.0

251

C

ONFIGURING

TWAMP

Overview

TWAMP Complete Server

With TWAMP Complete Server mode, devices operate as Session-Reflectors and Servers for up to 10 sessions, and a performance management system operates in the Session-

Sender and Control-Client roles. Figure 19-3 illustrates the relationship between the

TWAMP protocols and the operational roles in TWAMP Complete Server.

Figure 19-3: TWAMP Complete relationships

During a TWAMP session, the Server component recognizes an incoming TCP-based test session request, and configures itself for this test session. Operating in this mode, only one test session is supported at a time and test responses are returned only to the control device that established the session. Any other incoming UDP test messages are dropped.

Formal requests to establish a test session while one exists will be refused.

TWAMP Client

With TWAMP Client mode, devices operate as a Control-Client and a Session-Sender enabling the device to establish test sessions and generate test initiation messages.

Devices may be used as test originators and manage multiple test sessions with multiple

remote devices. Figure 19-4 illustrates the relationship between the TWAMP protocols

and the operational roles where one device is operating in TWAMP Client mode and the other in TWAMP Complete mode.

252

Figure 19-4: TWAMP Client relationships

System Software Configuration Guide 6.5.0

C

ONFIGURING

TWAMP

Overview

TWAMP-Test Packets

TWAMP supports variable sizes of TWAMP-Test packets, and can process at a minimum of

1200 packets per minute. Currently, the Session-Sender packet follows the format shown

in Figure 19-5.

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Sequence Number

Timestamp

Error Estimate

Packet Padding

Figure 19-5: TWAMP-Test packet format from Session-Sender

The response packet format is shown in Figure 19-6.

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Sequence Number

Timestamp

Error Estimate

Receive Timestamp

Sender Sequence Number

Sender Timestamp

Sender Error Estimate

Sender TTL

Must Be Zero

Must Be Zero

Packet Padding

Figure 19-6: TWAMP-Test Response Packet from Session-Reflector

System Software Configuration Guide 6.5.0

253

C

ONFIGURING

TWAMP

Benefits

Benefits

TWAMP provides a way for network administrators to quickly measure latency and jitter between two devices with real-time processing.

Configuring TWAMP

TWAMP configuration includes the following:

Enabling and disabling the TWAMP state globally and per port.

• Configuring the global TWAMP attributes.

Enabling and disabling the TWAMP Light Responder.

• Enabling and disabling TWAMP Complete Server.

Configuring TWAMP Client.

Enabling and Disabling TWAMP

By default, TWAMP is disabled at the global level. When you enable TWAMP at the global level, then it is automatically enabled for all ports.

To enable globally:

twamp enable

Example:

> twamp enable

To enable per port:

twamp enable [port <PhyPortNameList>]

Example:

> twamp enable port 15

To disable globally:

twamp disable

Example:

> twamp disable

To disable per port:

twamp disable [port <PhyPortNameList>]

Example:

> twamp disable port 15

254 System Software Configuration Guide 6.5.0

C

ONFIGURING

TWAMP

Configuring TWAMP

Configuring Global TWAMP Attributes

The global TWAMP client DSCP and server DSCP entries set the respective DSCP values in

TCP messages used for control session communications. By default, the global DSCP values for TWAMP Client and Complete Server are set to 0. You can individually set the

DSCP values between 0-63. The default setting for the active TWAMP port is 861. When setting the port, be sure to select the port setting defined in the performance management system for testing devices. In addition, you can set a time out value for abandoned session recovery. By default, the time out value is 90 seconds.

To set the global TWAMP attributes:

twamp set {[client-dscp <NUMBER: 0-63>], [server-dscp <NUMBER: 0-63>],[port <NUMBER: 256-

65535>], [timeout <NUMBER: 60-86400>]}

Example:

> twamp set port 5678

To reset the port and timeout attributes to their default values:

twamp unset {[port],[timeout]}

Example:

> twamp unset port timeout

System Software Configuration Guide 6.5.0

255

C

ONFIGURING

TWAMP

Configuring TWAMP

Enabling and Disabling TWAMP Light Responder

You can disable or enable the TWAMP Light Responder state globally. By default TWAMP

Light Responder is disabled.

To disable globally:

twamp light disable

Example:

> twamp light disable

To enable globally:

twamp light enable

Example:

> twamp light enable

Enabling and Disabling TWAMP Complete Server

You can disable or enable the TWAMP Complete Server state globally. By default, TWAMP

Complete Server is disabled. When TWAMP Complete Server is enabled, the device can operate as Session-Reflectors and Servers for up to 10 sessions.

To disable globally:

twamp server disable

Example:

> twamp server disable

To enable globally:

twamp server enable

Example:

> twamp server enable

256 System Software Configuration Guide 6.5.0

C

ONFIGURING

TWAMP

Configuring TWAMP

Configuring TWAMP Client

Enabling and Disabling TWAMP Client

You can disable or enable the TWAMP Client state globally. By default, TWAMP Client is disabled. Before you can create any sessions, you must enable the TWAMP Client. In order for the session to start with a target, the target must be configured to support TWAMP

Complete Server. On devices running this system software, you need to enable TWAMP

Complete Server.

NOTE: TWAMP Client cannot be disabled with existing TWAMP sessions, as each session has memory allocated to it for statistics gathering. Before the disable command will be accepted, delete all sessions. To stop a test, run the twamp client test stop command.

To disable globally:

twamp client disable

Example:

> twamp client disable

To enable globally:

twamp client enable

Example:

> twamp client enable

System Software Configuration Guide 6.5.0

257

C

ONFIGURING

TWAMP

Configuring TWAMP

Creating a TWAMP Client Session

You can create up to 20 TWAMP Client sessions choosing a fixed interval test packet stream or a Poisson distribution packet stream. You can specify that the packets are marked with a CoS policy and priority value, IP Precedence (0-7) or Differentiated

Services Code Point (DSCP) values (0-63), to measure "Real Time" and "Best Effort" paths

across the network. Table 19-1, in this chapter shows the attributes of the supported

packet streams.

Table 19-1: Packet Stream Attributes

Packet Stream Type Inter-packet

Frequency

Fixed Interval 100ms

Poisson Distribution Average 3.3s,

300ms to 12s

Packet Size CoS Marking

Variable - 64-1500 byte test messages.

2 shared among test sessions and denoted by IP precedence (0-7)or

DSCP (0-63) values.

Fixed - 238 bytes 4 shared among test sessions and denoted by IP precedence (0-7)or

DSCP (0-63) values.

Cycle Time

15

15

To create a TWAMP Client session:

twamp client session create name <String [15]> host <IpAddress> [commport <TCP/UDP port to use if different from global>] [cos-policy <dscp|ip-prec>] [dot1dpri <NUMBER:1-7>] [dscp

<NUMBER: 0-63>] [ip-prec <NUMBER: 0-7>] [pkt-size <NUMBER: 64-1500>] [repeat <on|off>] [type

<fixed|poisson>]

Example:

> twamp client session create name myTest host 192.168.12.34 cos-policy ip-prec ip-prec 7 repeat off type fixed

Displaying TWAMP Client Sessions

You can display a list of configured TWAMP Client sessions.

To display TWAMP Client sessions:

twamp client show

Example:

+------------------------------------------------------------------------------+

| TWAMP Client Sessions |

+-----------------+-----------------+-----+----+---+----+---+----+---+----+----+

| Name | IP Addr |State|Port|CoS|DSCP|IPP|Size|RPT|Type|Seq#|

+-----------------+-----------------+-----+----+---+----+---+----+---+----+----+

| myTest | 192.168.12.34 | Idle| 861| I | 0 | 7 | 142| N | Fix| 0|

+-----------------+-----------------+-----+----+---+----+---+----+---+----+----+

258 System Software Configuration Guide 6.5.0

C

ONFIGURING

TWAMP

Configuring TWAMP

Updating a TWAMP Client Session

You can update the attributes of an existing session.

To update a TWAMP Client session:

twamp client session set name <SessionName> {[host <IpAddress>], [commport <TCP/UDP port to use if different from global>], [cos-policy <dscp|ip-prec>], [dscp <NUMBER: 0-63>], [ip-prec

<NUMBER: 0-7>], [pkt-size <NUMBER: 64-1500>], [repeat <on|off>], [type <fixed|poisson>]}

Example:

> twamp client session set name myTest type poisson

Deleting a TWAMP Client Session

To delete a TWAMP Client session:

twamp client session delete name <SessionName>

Example:

> twamp client delete name myTest

Establishing and Stopping a Test Session

While TWAMP Client tests are in session, the device still responds to incoming TWAMP test sessions.

To establish or stop a TWAMP Client session:

twamp client test name <SessionName> [host <IpAddress>] [stop]

Example of establishing a session:

> twamp client test name myTest

Example of stopping a session:

> twamp client test name myTest stop

System Software Configuration Guide 6.5.0

259

C

ONFIGURING

TWAMP

Configuring TWAMP

Displaying and Clearing TWAMP Client Statistics

TWAMP Client test statistics are collected and stored daily. Statistics are collected in 15 minute intervals. After a TWAMP Client session is started, statistics are available about

15 minutes later. For a TWAMP session that is set to "repeat," statistics will be stored in

15 minute increments for up to 24 hours. The statistics storage area works in a First In,

First Out fashion. Statistics are stored in RAM and are lost upon reboot.

To display TWAMP Client statistics:

twamp client show [statistics [name <SessionName>] [mode <long|short>] [period <last|8-hour|

24-hour>]]

Example:

> twamp client show statistics name myTest

+-----------------+---------+-----------+----+----+----+----+---------------+

| Name | RT 95th | RT 99.9th | Tx | Rx | RL | OL |Completion Time|

+-----------------+---------+-----------+----+----+----+----+---------------+

| myTest | 0.312 | 0.410 | 272| 272| 0| 0| 08/ 5/08 21:29|

+-----------------+---------+-----------+----+----+----+----+---------------+

To clear TWAMP Client statistics:

twamp client clear statistics {name <SessionName>|all}

Example:

> twamp client clear statistics name myTest

260 System Software Configuration Guide 6.5.0

C

ONFIGURING

TWAMP

Configuring TWAMP

Displaying Active TWAMP Sessions on the Target Device

You can display active test sessions on target devices running this system software.

To display the test session on the target:

twamp server show

Example:

> twamp server show

+--------------------------------------------------------------+

| TWAMP Server Test Sessions |

+----+----------+----------+-----------------+------+----------+

| ID | State | Src Port | Host IP | Pkts | SeqNum |

+----+----------+----------+-----------------+------+----------+

| 1 | Test | 49154 | 192.168.12.342 | 9000 | 0 |

| 2 | Listen | 0 | 0.0.0.0 | 0 | 0 |

| 3 | Listen | 0 | 0.0.0.0 | 0 | 0 |

| 4 | Listen | 0 | 0.0.0.0 | 0 | 0 |

+----+----------+----------+-----------------+------+----------+

Clearing a TWAMP Session on the Target Device

You can force a TWAMP session down from the target devices running this system software.

To clear a session:

twamp server clear session <Session ID: 1-4>

Example:

> twamp server clear session 1

System Software Configuration Guide 6.5.0

261

C

ONFIGURING

TWAMP

Troubleshooting

Sample Configuration

This configuration example shows the steps for configuring TWAMP components, including the steps for configuring NTP.

To configure TWAMP:

Step # Description

Step 1 Set the active TWAMP port. The default is 861.

Step 2 Enable TWAMP globally.

Command

twamp set twamp enable

Step 3 Enable TWAMP Light Responder.

Step 4 Enable TWAMP Complete. twamp light enable twamp server enable

Step 5 Enable Mini-WIPM.

Step 6 Create a TWAMP Client test session. twamp client enable twamp client create session

Step 7 (Recommended) Add a minimum of three NTP servers to the NTP Client server list.

ntp-client add server

<IpHost>

Example:

1. > twamp set port 5678

2. > twamp enable

3. > twamp light enable

4. > twamp server enable

5. > twamp client enable

6. > twamp client session create name myTest host 192.168.12.34 cospolicy ipprec ipprec 7 type fixed

7. > ntp-client add server 192.2.3.4

> ntp-client add server 192.6.7.8

> ntp-client add server 192.9.10.11

Troubleshooting

Displaying TWAMP information

You can display the global state, per port state, and active TWAMP port. Optionally, you can display the setting for the active TWAMP port only.

To display TWAMP configuration:

twamp show [port]

262 System Software Configuration Guide 6.5.0

C

ONFIGURING

TWAMP

Troubleshooting

Example:

> twamp show

+--------- TWAMP State Info -------+

| Parameter | Value |

+-----------------------+------------+

| Device Admin State | Disabled |

| Client | Disabled |

| Server | Disabled |

| Light Reflector | Disabled |

| Client HW Assist | On |

| Server HW Assist | On |

+-----------------------+------------+

+--------- Active TWAMP Port --------+

| TCP/UDP Port | 861 |

+-----------------+------------------+

+----TWAMP Server Session Timeout----+

| Timeout | 90 seconds |

+-----------------+------------------+

+-------- TWAMP DSCP Settings -------+

| Client TCP DSCP | 0 |

| Server TCP DSCP | 0 |

+-----------------+------------------+

+------------------------------------+

| Per Port TWAMP State Info |

+--------+-----------+---------------+

| Port | Admin | Operational |

+--------+-----------+---------------+

| 1 | Enabled | Disabled |

| 2 | Enabled | Disabled |

| 3 | Enabled | Disabled |

| 4 | Enabled | Disabled |

| 5 | Enabled | Disabled |

| 6 | Enabled | Disabled |

| 7 | Enabled | Disabled |

| 8 | Enabled | Disabled |

| 9 | Enabled | Disabled |

| 10 | Enabled | Disabled |

| 11 | Enabled | Disabled |

| 12 | Enabled | Disabled |

+--------+-----------+---------------+

Displaying TWAMP Configuration in the Configuration File

TWAMP configuration is saved to the configuration file in the TWAMP CONFIG: section.

System Software Configuration Guide 6.5.0

263

C

ONFIGURING

TWAMP

Troubleshooting

To display TWAMP configuration in the configuration file:

> configuration show

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! NETWORK CONFIG: vlans!

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! TWAMP CONFIG:

!

twamp set port 5678 twamp enable

!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

264 System Software Configuration Guide 6.5.0

Chapter

Configuring MSTP

• • • • • •

20

At a Glance:

Overview

Benefits

Configuration

Troubleshooting

This chapter explains the implementation of the Multiple Spanning Tree Protocol (MSTP).

Overview

Multiple Spanning Tree Protocol (MSTP - IEEE 802.1Q-2005) is a standards based version of creating multiple spanning trees where each VLAN has its own Multiple Spanning Tree

Instance (MSTI). Each instance has an independent spanning tree topology to provide multiple forwarding paths for data traffic, enable load balancing and reduce the number of spanning tree instances required to support a large number of VLANs. MSTP was developed to replace Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol

(RSTP).

Like STP, defined in IEEE 802.1D, MSTP provides a loop-free topology in bridged networks and delivers efficient reconfiguration (convergence) of the loop-free topology in the event that a link fails. MSTP inherits its rapid transition mechanism from RSTP, defined in

IEEE 802.1W, to achieve fast convergence times.

MST Regions and Spanning Trees

An MST Region is a set of physically connected LANs and MST bridges that support the same MSTP configuration. A region can have one bridge or multiple bridges. Each bridge must be capable of processing RSTP BPDUs. There is no limit to the number of MST regions in a network, and each region supports up to 8 MSTIs. One of these MSTIs is called an

Internal Spanning Tree (IST), which connects all MSTP bridges in an MST Region. An IST is a sub tree in the Common Spanning Tree (CST) that spans the network and interconnects

MST Regions. The collection of ISTs and the CST make up the Common and Internal

Spanning Tree (CIST).

NOTE: This implementation does not yet support MSTI configuration. By default, all

VLANs are mapped to the CIST.

System Software Configuration Guide 6.5.0

265

C

ONFIGURING

MSTP

Overview

Bridges

The bridge with the best priority among all STP, RSTP, and MSTP enabled network bridges is called the CIST Root. The boundary bridge between regions becomes the CIST Regional

Root. If there are multiple boundary bridges, the one with the best cost to the CIST Root becomes the CIST Regional Root. If all the bridges within a network are in one MST region, the CIST Root is also the CIST Regional Root.

BPDUs

Like its predecessors, STP and RSTP, MSTP-enabled devices send out bridge protocol data units (BPDUs) to detect topology changes in the network. BPDUs are sent when a device is powered up, when a topology change is detected, and at regular intervals (every few seconds). Thus, if a device fails, its neighbors realize that they have not received BPDUs and initiate a spanning tree recalculation. When a device receives these BPDUs, it does not forward them, but uses them to create its own BPDUs.

MSTP BPDUs carry the following information:

Protocol Identifier - STP, RSTP, or MSTP.

Protocol Version Identifier - STP (0), RSTP (2), or MSTP (3).

BPDU Type - Configuration or topology change MSTP/RSTP BPDU.

CIST Flags - Identifies the message as a topology change, proposal, port role, learning, forwarding, agreement, or topology change acknowledgement.

CIST Root Identifier- the bridge priority and base MAC address of the device that the transmitting device considers to be the CIST Root.

CIST External Root Path Cost - an additive cost of all the links between the transmitting bridge and the CIST Root bridge. A root path cost of 0 indicates this BPDU came from the same region as the CIST Root, each device then adds its link cost towards root to 0 and uses that cost when generating the new BPDU.

CIST Regional Root Identifier- the bridge priority and base MAC address of the device that the transmitting device considers to be the CIST Regional Root.

CIST Port Identifier - The port priority and base MAC address of the port transmitting the BPDU.

Forward Delay (forward-delay) - Forward delay is the time taken before a root or designated port starts forwarding after being selected and determined not to satisfy the rapid transition condition. The operational value is set to the value distributed by the root bridge via BPDU and the configured value is not set until this bridge becomes the elected root bridge. The default value is 15.

Message Age - The current age of the BPDU.

Max Age- The BPDU life span.

Hello Time - The time between two consecutive periodic BPDUs.

Forward Delay - The time taken before a root or designated port starts forwarding after being selected and determined not to satisfy the rapid transition condition.

Version 1 Length - Indicates whether or not Version 1 (IEEE Standard 802.1G) information is present. For MSTP, the value is 0 to indicate that no Version 1 information is present.

Version 3 Length - The number of bytes that are to follow in the packet.

MST Configuration Identifier - The “finger print” of the MSTP configuration for the bridge, including the following:

Configuration Id Format Selector- The format of the MST Configuration Identifier, which is 0, the value defined for MSTP in the 802.1Q-2005 standard.

Configuration Name- Configurable character string that uniquely identifies the region. The default value is the device’s MAC address.

266 System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Overview

Revision Level- Configurable numeric value that provides an additional parameter to further differentiate MST regions.

Configuration Digest- A 16-octet signature that is calculated with the HMAC_MD5 algorithm from the configured VLAN ID and MSTID mapping table as specified in the standard.

CIST Internal Root Path Cost - specifies how close the device is to the CIST Root bridge.

CIST Bridge Identifier - base MAC and bridge priority of the CIST Bridge.

CIST Remaining Hops - Number of hops remaining before reaching the maximum hop value.

MSTI Configuration Messages - Information used by MSTP to calculate vectors for the specified multiple spanning tree instances (MSTIs), including:

MSTI Flags - Identifies the message as a topology change, proposal, port role, learning, forwarding, agreement, or master.

MSTI Regional Root Identifier - base MAC and bridge priority of the MSTI Regional

Root.

MSTI Internal Root Path Cost - an additive cost of all the links between the transmitting bridge and the MSTI Regional Root bridge. An MSTI Regional Root path cost of 0 indicates this BPDU came directly from the MSTI Regional Root, each device then adds its link cost towards MSTI Regional Root to 0 and uses that cost when generating the new BPDU.

MSTI Bridge Priority - bridge priority value.

MSTI Port Priority - port priority value.

MSTI Remaining Hops - hops remaining before the number exceeds the maximum hop count.

Port Roles

Based on the MSTP calculation for load balancing, ports in the CIST are assigned port roles. The port roles are similar to the port roles in STP and RSTP.

Table 20-1: MSTP Port Role and State Summary

MSTP Port Role Port State Description

CIST Root Port

Alternate Port

Designated Port

Forwarding Represents the best path (lowest cost) to the Root bridge of the CIST of the bridge.

Discarding (Blocking) Secondary port (Root Port being primary) that provides an alternate path to the root bridge of he CIST should the root port fail.

Forwarding Port that provides the best path to the root bridge of the

CIST for the link.

Backup Port

Discarding (Blocking) Port that provides a backup path to a LAN segment if the

Designated Port of the CIST fails.

CIST Regional Root Port Forwarding For MSTI only, this port provides connectivity from the

Region to a CIST Root that lies outside the Region.

System Software Configuration Guide 6.5.0

267

C

ONFIGURING

MSTP

Overview

NOTE: This implementation does not support the learning state as defined by the IEEE.

When a port is behaving as defined by the IEEE learning state, it will be in the blocking state in this implementation.

Boundary Port

A boundary port connects an MST region to:

A different MST region

A single STP box

A single RSTP box

At the boundary port of the region, MSTP configuration changes so that the control of the

STP state is per port. For this reason, MSTP calculated roles do not apply to its boundary ports. Instead, the boundary port state is forced to be the same as the IST port state.

Network Convergence

When a MSTP bridge initializes, it claims itself as both the CIST Root and CIST Regional

Root via BPDU. When superior CIST Root information is received, it relinquishes its claim as the CIST Root. When superior IST information is received, it then relinquishes its claim as the CIST Regional Root. Finally, the MST region is converged when all bridges agree on the same CIST Regional Root and all port roles are synchronized.

MSTP limits the scope of topology change. If any MSTI topology change is detected by the non-boundary ports, it only triggers a MAC flush to the MSTI within the region. A topology change detected by the boundary port, however, will trigger MAC flushes more widely.

When the network is converged, each MST region independently allocates any frames to any given VLAN in a stable network. The CIST Root, Designated, and CIST Regional Root ports forward data frames, and Alternate, Backup and Disabled ports do not.

Backward Compatibility

As designed by IEEE, MSTP is fully backward compatible with RSTP and STP. MSTP operates with switches that support STP, RSTP, and traditional 802.1q through the selection of a designated MSTP bridge to function as the representative of that entire region to the CST.

This enables MSTP regions composed of many switches and bridges to appear as a single switch to other Ethernet switches and bridges in a network. BPDUs for the STP instances are exchanged only between switches within an MSTP region. Since this information is not propagated outside the MSTP region, switch CPU cycles are reduced. Also, keeping this information within the region prevents network flapping and frequent network reconvergence caused by link and port outages.

The MSTP uses version 3 BPDU which attaches the CIST and MSTI information at the end of legacy STP and RSTP BPDUs. The CST takes care of the connectivity for all MST regions and all the RSTP and STP bridges in the network. The MST region appears as a virtual bridge cluster to adjacent STP or RSTP bridges (as well as to other MST regions.)

When an MST enabled bridge port receives an STP BPDU (version 0 BPDU) or an RSTP BPDU

(version 2 BPDU), it knows that it is at the boundary of the region. Based on the version of the BPDU received, an MST enabled bridge will send the corresponding version of BPDU

268 System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Benefits

to communicate with its counterpart. However, when its neighbor bridge switches its force-version to MSTP, it will not force this link to MSTP automatically. A per port protocol migration check will force the port to MSTP for a short period of time.

NOTE: MSTP backward compatibility supports RSTP mode and STP mode. However, it does not support Ciena proprietary RSTP port based domain functionality.

Benefits

The main benefits of MSTP are:

Scalability on large networks. Both STP and RSTP 802.1W allow the total BPDU traversing of maximum 24 bridges from the root bridge. RSTP 802.1D/D4 (2003) allows the BPDU traversing of maximum 40 bridges. Within an MST region, MSTP limits BPDU traversing of maximum of 30 bridges, with no limit on the number of regions.

In case of ring topology, the number of bridges a BPDU can traverse is limited to the maximum number of bridges configured on the ring, taking the worst case of link failure into consideration. In a meshed topology, however, the maximum number of bridges can be included in the topology is much more than the limit.

Limited Topology changes. MSTP limits the topology change events as within the region as possible. This makes a lot of sense, especially for large networks.

Redundant links and load balancing. MSTP supports the assignment of a number of

VLANs to a single spanning tree instance, and multiple instances are supported within each spanning tree region. These multiple Spanning Tree instances enable L2 networks to have redundant physical links because VLANs can be assigned to different Virtual bridges (spanning tree instances); this also enables load balancing.

System Software Configuration Guide 6.5.0

269

C

ONFIGURING

MSTP

Configuration

Configuration

Assume a network with two regions, each with three bridges, separated by an RSTP bridge.

270

Figure 20-1: Sample Network Segment

The general steps for configuring MSTP in a network are as follows:

1. Configure one bridge in the network as the CIST root bridge.

2. Configure the CIST port settings.

3. For each region, configure the unique MST Identifiers.

4. For each MSTP bridge, configure the mode to MSTP.

5. Configure the bridge settings.

6. Configure port settings.

7. Enable MSTP on all bridges.

System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Configuration

Configuring the CIST Root Bridge

For all bridges in the network, pick a bridge as the root bridge of the CIST. Assign the lowest number of priority to the root bridge.The bridge-priority assigned to the CIST for the bridge is used in the priority component of the CIST Bridge Identifier of BPDUs transmitted from this bridge. The supported range is 0-15. The value entered is multiplied by 4096 to conform with the standard as shown in

Table 20-2

, in this chapter.

Table 20-2: CIST Root Bridge Priority Mapping

Bridge Priority

Entered Value

Maps to Standard Value

0

1

2

0

4096

8192

12

13

14

15

9

10

11

6

7

8

3

4

5

36864

40960

45056

49152

53248

57344

61440

12288

16384

20480

24576

28672

32768

To set the CIST root bridge priority:

mstp set cist bridge-priority <NUMBER: 0-15>

Example:

Assume for the network segment shown in Figure 20-1 that Bridge A is the CIST Root

bridge.

1. For Bridge A, set the CIST bridge priority as follows:

> mstp set cist bridge-priority 1

System Software Configuration Guide 6.5.0

271

C

ONFIGURING

MSTP

Configuration

2. To verify the priority:

> mstp show cist

+--- MSTP CIST Info -----------------------------------------------------------+

| Parameter | Value |

+-----------------------------------+------------------------------------------+

| CIST Bridge Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| | |

| CIST Bridge Priority Vector | |

| Root Port Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| External Path Cost | 0 |

| Regional Root Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Internal Path Cost | 0 |

| Designated Bridge Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Designated Root Id | (0x0000) |

| Priority | 0 |

| Port | 0 |

| | |

| CIST Bridge Times | |

| Message Age | 0 |

| Max Age | 20 |

| Forward Delay | 15 |

| Max Hops | 20 |

| | |

| CIST Root Priority Vector | |

| Root Port Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| External Path Cost | 0 |

| Regional Root Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Internal Path Cost | 0 |

| Designated Bridge Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Designated Root Id | (0x0000) |

| Priority | 0 |

| Port | 0 |

| | |

| CIST Root Port ID | (0x0000) |

| Priority | 0 |

| Port | 0 |

| | |

| CIST Root Times | |

| Message Age | 0 |

| Max Age | 20 |

| Forward Delay | 15 |

| Remaining Hops | 20 |

+-----------------------------------+------------------------------------------+

272 System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Configuration

Configuring CIST ports

If desired, you can individually configure priority and path cost settings for CIST ports manually. These configurable settings are:

Port Priority (port-priority) - Port priority is the priority component of the CIST Port

Identifier field of BPDUs transmitted from the specified port(s). The supported range is 0-15. The value entered is multiplied by 16 to conform with the standard as shown

in

Table 20-3

, in this chapter.

Table 20-3: CIST Port Priority Mapping

Port Priority Entered

Value

Maps to Standard Value

14

15

12

13

10

11

8

9

6

7

4

5

2

3

0

1

192

208

224

240

128

144

160

176

96

112

64

80

32

48

0

16

Internal Path Cost (int-path-cost) - Sets the CIST internal root path cost for the specified port(s). Allowable path cost values are 1-200000000. This sets the CIST

Internal Root Path Cost field in BPDUs transmitted from the specified port(s). This value will not be used in the BPDU if dynamic internal path cost is enabled for the CIST on the specified port(s). The default is 20000.

Dynamic Internal Path Cost (dynamic-int-path-cost) - Enables or disables dynamic internal port path cost calculations for the CIST for the specified port(s). When enabled, the CIST Internal Root Path Cost field of BPDUs from the specified port(s) will use a value internally calculated based on link rate (and possibly other factors). When disabled, the configured int-path-cost value for the CIST for the specified port(s) will be used.

To configure the CIST ports:

mstp set cist-port {[port-priority <NUMBER: 0-15>],[int-path-cost <NUMBER: 1-

200000000>],[dynamic-int-path-cost <on|off>]}{port <PortNameList>}

System Software Configuration Guide 6.5.0

273

C

ONFIGURING

MSTP

Configuration

Configuring the MST Identifier

To more easily identify BPDUs sent from an MST Region, you can configure the following:

Configuration Name (mst-cfg-id-name) - The configuration name is used for calculating the MST Configuration Identifier for the bridge.

Revision Level (mst-cfg-id-rev-level) - The revision level for calculating the MST

Configuration Identifier for the bridge. The numeric value is transmitted in MST BPDUs in the Revision Level of the MST Configuration Identifier field. Since this is limited to

2 octets, the range of this value is 0-65535. The default value is '0'.

To configure the MST Identifier:

mstp set [mst-cfg-id-name <String[32]>] [mst-cfg-id-rev-level <NUMBER: 0-65535>]

To display the MST Identifier:

mstp show mst-cfg-id

Example:

For the network segment shown in Figure 20-1:

1. Set the MST Identifier for Bridges A, B, and C as follows:

> mstp set mst-cfg-id-name "MST Region 1" mst-cfg-id-rev-level 1

2. Verify the MST Identifier.

> mstp show mst-cfg-id

+--- MSTP MST Configuration Id Info -----------------------------------+

| Parameter | Value |

+-----------------------------------+----------------------------------+

| Configuration Name | MST Region 1 |

| Revision Level | 1 |

| Configuration Digest | 6EDEDB2C31B7A50DCEBFB6FFE47D5766 |

+-----------------------------------+----------------------------------+

3. Set the MST Identifier for Bridges D, E, and F as follows:

> mstp set mst-cfg-id-name "MST Region 2" mst-cfg-id-rev-level 2

4. Verify the MST Identifier.

> mstp show mst-cfg-id

+--- MSTP MST Configuration Id Info -----------------------------------+

| Parameter | Value |

+-----------------------------------+----------------------------------+

| Configuration Name | MST Region 2 |

| Revision Level | 2 |

| Configuration Digest | 6F696C6D9DD9032F8FEDA4DD25AC021B |

+-----------------------------------+----------------------------------+

Configuring Bridge Global Settings

You can manually configure global settings for all network bridges, including:

Forward Delay (forward-delay) - Forward delay is the time taken before a root or designated port starts forwarding after being selected and determined not to satisfy the rapid transition condition. The operational value is set to the value distributed by the root bridge via BPDU and the configured value is not set until this bridge becomes the elected root bridge. The default value is '15'.

274 System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Configuration

Hello Time (hello-time) - Hello time is the time between two consecutive periodic

BPDUs.The operational value is set to the value distributed by the root bridge via BPDU and the configured value is not set until this bridge becomes the elected root bridge.

The minimum value of '1' is not recommended because the periodic BPDU sending takes up the 1 per second transmit hold count allowance. When rapid convergence takes place, only one BPDU is allowed to send within a second for a port delaying the explicit handshake and rapid topology change. The default value is '2'.

Loopback Blocking (loopback-blocking) - Loopback port blocking prevents data loops by detecting their own BPDUs being looped back to them on the same port. The default value is 'off', which is shown as 'disabled' with the mstp show bridge command.

Maximum Age (max-age) - Maximum age limits the BPDU life span to limit the size of the spanning tree. The default value is '20'.

Maximum Hops (max-hops) - Maximum hops limits the number of hops for BPDUs. The default is '20'.

Path Cost Default (path-cost-def) - Path cost default controls the type of internal and external path costs for the bridge. MSTP supports default path costs defined in

IEEE802.1D-1998 and IEEE802.1t-2001. The default value is 'stp8021t2001'.

Transmit Hold Count (tx-hold-count) - Transmit hold count limits the number of BPDUs a bridge can send per second. The default value is '6'.

To configure bridge global settings:

mstp set {[forward-delay <NUMBER: 4-30>], [hello-time <NUMBER: 1-10>], [loopbackblocking <on|off>], [max-age <NUMBER: 6-40>],[max-hops <NUMBER: 6-40>],[path-costdef <stp8021d1998|stp8021t2001>],[tx-hold-count <NUMBER: 1-10>]}

To verify bridge global settings:

mstp show [bridge]

Configuring Ports

You can manually adjust individual port settings, such as:

Dynamic External Path Cost (dynamic-ext-path-cost) - Turns on or off dynamic calculation of the external path cost. When set to 'on', the external port path cost is calculated dynamically based on the port speed. When set to 'off', the external port path cost is the value configured in the 'ext-path-cost' parameter.

Edge Port (edge-port) - Setting the specified port to be consider an edge port allows for rapid port state transition to the forwarding state. For 10/100 ports, the default value for edge-port is 'on'. For other ports, the default is 'off'. Always configure GIG link edge ports explicitly as edge ports. Rapid transition will fail otherwise. Another alternative is to disable MSTP on the GIG link edge ports, though this is not the preferred method.

Migration Check (migration-check) - Triggers a migration check by the MSTP Port

Protocol Migration State Machine. This is a momentary configuration parameter, setting it to 'on' will initiate the migration check and setting it to 'off' will have no effect.

External Path Cost (ext-path-cost) - Sets the external port path cost for the specified port, which takes effect only if 'dynamic-ext-path-cost' is set to 'off'. The default value is '20000'. Rather than configure the port path cost, it is recommended that you turn on dynamic path cost to have MSTP select the best link(s) for forwarding.

Point to Point MAC (point-point-mac) - Sets how to determine the link for the specified port: auto (automatic mechanisms determine the link), force-true

(connected to a point-to-point link) or force-false (not connected to a point-to-point link).

Automatic Edge (auto-edge) - Sets MSTP to automatically identify the edge ports.

System Software Configuration Guide 6.5.0

275

C

ONFIGURING

MSTP

Troubleshooting

Restricted Role (restricted-role) - When set to on, this attribute restricts the port from becoming a root port, even if it has the best priority. The default is 'off'.

Restricted Topology Change Notice (restricted-tcn) - When set to on, this attribute restricts the port from forwarding topology change notices.

To configure ports:

mstp set port <PortNameList> [dynamic-ext-path-cost <on|off>][edge-port

<on|off>][migration-check][ext-path-cost <NUMBER: 1-200000000>][point-point-mac

<auto|force-false|force-true>][auto-edge <on|off>][restricted-role

<on|off>][restricted-tcn <on|off>]

To disable MSTP on specified ports:

mstp disable port <PortNameList>

To enable MSTP on specified ports:

mstp enable port <PortNameList>

To verify port settings:

mstp show port <PortNameList>

Enabling MSTP and Saving Configuration

After completing the MSTP configuration, enable MSTP on all bridges and save the configuration.

To globally enable MSTP and save the configuration:

mstp enable configuration save

Troubleshooting

Disabling and Enabling MSTP on a bridge

In general, it is best never to disable Spanning Tree on any bridge in the network as data loops might exist, rendering part or whole of the network useless. However, there may be occasions during troubleshooting that require you to globally disable MSTP on a bridge.

To disable MSTP:

mstp disable

To enable MSTP:

mstp enable

Clearing and Viewing MSTP Statistics

MSTP statistics track the number of received and transmitted topology change notification (TCN), configuration (CFG), RSTP, and MSTP BPDUs.

276 System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Troubleshooting

To view statistics for all ports:

mstp show statistics

Example:

> mstp show statistics

+--- MSTP Statistics -------------------------------+

| Port | Port Receive Statistics |

| Name | rxTcnBpdu| rxCfgBpdu| rxRstBpdu| rxMstBpdu|

+-------+----------+----------+----------+----------+

|1 | 0| 0| 0| 0|

|2 | 0| 0| 0| 0|

|3 | 0| 0| 0| 0|

|4 | 0| 0| 0| 0|

|5 | 0| 0| 0| 0|

|6 | 0| 0| 0| 0|

|7 | 0| 0| 0| 0|

|8 | 0| 0| 0| 0|

|9 | 0| 0| 0| 0|

|10 | 0| 0| 0| 0|

|11 | 0| 0| 0| 0|

|12 | 0| 0| 0| 0|

+-------+----------+----------+----------+----------+

| Port | Port Transmit Statistics |

| Name | txTcnBpdu| txCfgBpdu| txRstBpdu| txMstBpdu|

+-------+----------+----------+----------+----------+

|1 | 0| 0| 0| 120889|

|2 | 0| 0| 0| 0|

|3 | 0| 0| 0| 0|

|4 | 0| 0| 0| 0|

|5 | 0| 0| 0| 0|

|6 | 0| 0| 0| 0|

|7 | 0| 0| 0| 0|

|8 | 0| 0| 0| 0|

|9 | 0| 0| 0| 0|

|10 | 0| 0| 0| 0|

|11 | 0| 0| 0| 0|

|12 | 0| 0| 0| 120891|

+-------+----------+----------+----------+----------+

To view statistics for specific ports:

mstp show port <PortNameList> statistics

Example:

> mstp show port 1 statistics

+--- MSTP Port 1 Statistics ---------------------------------------------------+

| Statistic | Value |

+-----------------------------------+------------------------------------------+

| Received TCN BPDUs | 0 |

| Received CFG BPDUs | 0 |

| Received RST BPDUs | 3 |

| Received MST BPDUs | 3 |

| | |

| Transmitted TCN BPDUs | 0 |

| Transmitted CFG BPDUs | 0 |

| Transmitted RST BPDUs | 0 |

| Transmitted MST BPDUs | 36627 |

+-----------------------------------+------------------------------------------+

To clear statistics for all or specified ports:

mstp clear [port <PortNameList>] statistics

System Software Configuration Guide 6.5.0

277

C

ONFIGURING

MSTP

Troubleshooting

Viewing Port State Machine Information

MSTP port and CIST state machine information includes variables, timers, and states.

To view state machine information:

mstp show port <PortNameList> state-machine

278 System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Troubleshooting

Example:

> mstp show port 1 state-machine

+--- MSTP Port 1 Info ---------------------------------------------------------+

| Parameter | Value |

+-----------------------------------+------------------------------------------+

| Name | 1 |

| Port Status | up |

| Port Uptime | 0000D19:52:40 |

| | |

| MSTP Enable | enabled |

| External Path Cost | |

| Admin Value | 20000 |

| Oper Value | 200000 |

| Dynamic Ext Path Cost | on |

| Edge Port | |

| Auto Edge | true |

| Admin Value | true |

| Oper Value | false |

| Point-to-Point MAC | |

| Admin Value | auto |

| Oper Value | true |

| Restricted Role | false |

| Restricted Tcn | false |

| | |

| Port State Machine Info | |

| Port State Machine Variables | |

| txCount | 1 |

| operEdge | false |

| portEnabled | true |

| infoInternal | false |

| newInfo | false |

| newInfoMsti | false |

| rcvdInternal | false |

| rcvdBpdu | false |

| rcvdRSTP | false |

| rcvdSTP | false |

| rcvdTcAck | false |

| rcvdTcn | false |

| sendRSTP | true |

| tcAck | false |

| mcheck | false |

| autoEdge | true |

| Port State Machine Timers | |

| mdelayWhile | 0 |

| helloWhen | 2 |

| edgeDelayWhile | 0 |

| Port State Machine States | |

| Port Protocol Migration State | SENSING |

| Port Receive State | RECEIVE |

| Port Transmit State | IDLE |

| Bridge Detection State | NOT_EDGE |

+-----------------------------------+------------------------------------------+

+--- MSTP Port 1 CIST Info ---------+------------------------------------------+

| MSTP State | forwarding |

| Role | designated |

| Port Priority | 8 |

| Internal Path Cost | |

| Admin Value | 20000 |

| Oper Value | 200000 |

| Dynamic Int Path Cost | on |

| | |

| CIST Designated Times | |

| Message Age | 0 |

| Max Age | 20 |

| Forward Delay | 15 |

| Remaining Hops | 20 |

| | |

| CIST Designated Priority Vector | |

| Root Port Id | |

System Software Configuration Guide 6.5.0

279

C

ONFIGURING

MSTP

Troubleshooting

280

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| External Path Cost | 0 |

| Regional Root Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Internal Path Cost | 0 |

| Designated Bridge Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Designated Root Id | (0x8001) |

| Priority | 8 |

| Port | 1 |

| | |

| CIST Message Times | |

| Message Age | 1 |

| Max Age | 20 |

| Forward Delay | 15 |

| Hello Time | 2 |

| Remaining Hops | 20 |

| | |

| CIST Message Priority Vector | |

| Root Port Id | |

| Priority | 15 (0xFFFF) |

| Mac Address | FF-FF-FF-FF-FF-FF |

| External Path Cost | 4294967295 |

| Regional Root Id | |

| Priority | 15 (0xFFFF) |

| Mac Address | FF-FF-FF-FF-FF-FF |

| Internal Path Cost | 4294967295 |

| Designated Bridge Id | |

| Priority | 15 (0xFFFF) |

| Mac Address | FF-FF-FF-FF-FF-FF |

| Designated Root Id | (0xFFFF) |

| Priority | 15 |

| Port | 4095 |

| | |

| CIST Port Times | |

| Message Age | 0 |

| Max Age | 20 |

| Forward Delay | 15 |

| Hello Time | 2 |

| Remaining Hops | 20 |

| | |

| CIST Port Priority Vector | |

| Root Port Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| External Path Cost | 0 |

| Regional Root Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Internal Path Cost | 0 |

| Designated Bridge Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Designated Root Id | (0x8001) |

| Priority | 8 |

| Port | 1 |

| | |

| CIST Root Path Priority Vector | |

| Root Port Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| External Path Cost | 0 |

| Regional Root Id | |

| Priority | 1 (0x1000) |

| Mac Address | 00-02-A1-30-7C-40 |

| Internal Path Cost | 0 |

| Designated Bridge Id | |

| Priority | 1 (0x1000) |

System Software Configuration Guide 6.5.0

C

ONFIGURING

MSTP

Troubleshooting

| Mac Address | 00-02-A1-30-7C-40 |

| Designated Root Id | (0x8001) |

| Priority | 8 |

| Port | 1 |

| | |

| CIST State Machine Info | |

| CIST State Machine Variables | |

| forward | true |

| forwarding | true |

| infoIs | Mine |

| learn | true |

| learning | true |

| proposed | false |

| proposing | false |

| rcvdTc | false |

| reRoot | false |

| reselect | false |

| selected | true |

| tcProp | false |

| updtInfo | false |

| agreed | true |

| portId | 0x8001-->priority 8, portnum 1 |

| rcvdInfo | InferiorRootAlternateInfo |

| role | designated |

| selectedRole | designated |

| sync | false |

| synced | true |

| agree | true |

| disputed | false |

| fdbFlush | false |

| rcvdMsg | false |

| CIST State Machine Timers | |

| fdWhile | 0 |

| rrWhile | 0 |

| rbWhile | 0 |

| tcWhile | 0 |

| rcvdInfoWhile | 0 |

| CIST State Machine States | |

| Port Information State | CURRENT |

| Port Role Transitions State | DESIGNATED_PORT |

| Port State Transition State | FORWARDING |

| Topology Change State | ACTIVE |

+-----------------------------------+------------------------------------------+

System Software Configuration Guide 6.5.0

281

C

ONFIGURING

MSTP

Troubleshooting

282 System Software Configuration Guide 6.5.0

Chapter

Event Logging

• • • • • •

21

At a Glance:

Overview

Principles of Operation

Syslog

Flash Log

RAM Log

Command Log

Troubleshooting

This chapter provides explanations for how events generate messages to different types of logs on a Ciena device and describes the various options available to view and/or configure these event logging messages.

Overview

The system software supports the following types of logs SAOS:

Syslog: Messages sent to collectors which are added (configured) via the SAOS CLI.

• Flash log: Text messages written to flash files.

RAM log: Text messages written to RAM files.

• Command log: Entries of commands issued from the CLI.

Messages are written to the logs with timestamps based upon the system time settings, of local or UTC. A variety of log filters can be created to specify which events need to be logged and where they should be logged to.

Principles of Operation

In SAOS, every event can be logged to the logs listed above. An event manager converts events to messages and traps.

Events are generated by any component of the software that is programmed to generate logging information.

To display a list of system events, run any of the following CLI commands:

> syslog show system-events

• > log flash show system-events

System Software Configuration Guide 6.5.0

283

E

VENT

L

OGGING

Principles of Operation

> log ram show system events

NOTE: The log flash show system-events, log ram show system events, and the syslog show system-events commands list system events that apply to multiple platforms, including events that are not supported by devices running this system software.

Example:

> syslog show system-events

+ EVENTS ---------------------------------------------------------------------+

| Mgr: bcastContainment |

| Event Sev | Syslog Sev| Event # | Event |

+-----------+-----------+-----------------------------------------------------+

| warning | warning | 0x10001 | Broadcast containment filter %d(%s) is dro|

| warning | warning | 0x10002 | Broadcast containment filter %d(%s) has st|

+-----------------------------------------------------------------------------+

| Mgr: blade |

| Event Sev | Syslog Sev| Event # | Event |

+-----------+-----------+-----------------------------------------------------+

| info | info | 0x20001 | Blade Operational State changed |

| major | alert | 0x20003 | Line Blade Faulted |

| info | info | 0x20004 | Blade Admin State Changed on Slot %d |

| info | info | 0x20005 | Blade package version incorrect |

| minor | error | 0x20006 | POST Error code 0x%08x : %s |

| config | notice | 0x20007 | Blade manager config entry add slot: %d ca|

| config | notice | 0x20008 | Blade manager config entry remove slot: %d|

| config | notice | 0x20009 | Blade manager set slot: %d, admin state to|

| config | notice | 0x2000B | Blade manager set installed image slot: %d|

| config | notice | 0x2000C | Blade manager set installed slot: %d, pac|

+-----------------------------------------------------------------------------+

...

+-----------------------------------------------------------------------------+

To display the event severity to Syslog severity mapping, run any of the following CLI commands:

• > syslog show severity-mapping

> log flash show severity-mapping

• > log ram show severity-mapping

Example:

> syslog show severity-mapping

+--- SEVERITY MAPPING ----+

| Event | Syslog |

+------------+------------+

| critical | emergency |

| major | alert |

| minor | error |

| warning | warning |

| config | notice |

| info | info |

| debug | debug |

+------------+------------+

284 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

Principles of Operation

Comparing Log Types

Some differences between the log types can be found. These differences will guide the configuration of the event logging process. Users are encouraged to review the next paragraphs to identify the most appropriate log or combination of logs that will best meet their needs.

For example, flash logs may contain up to 4000 messages and messages are persistent across reboots up to a maximum of 4 reboots.

Syslog collectors and trap servers have configuration options external to SAOS that may include how many messages are retained and for how long.

Flash and RAM logs have a great deal of configuration flexibility because multiple filters may be created specifying the severity range, source manager and port, and the information specified by all of the filters is logged.

Because of the more permanent properties of flash logs, users can review the flash logs to identify or review older events.

Syslog has a more limited configuration capability. Multiple collectors can be configured but only one min-max severity range per collector. A syslog message facility number and prefix string can be specified per CLI-configured collector.

Command logs are persistent across reboots and can contain up to 2500 entries.

System Failure Notification

The purpose of the “System Failure Notification” is to notify the network operator that a device is going off-line. There are two major means of notification:

• if the system is able to detect failure and transmit a notification, a “dying gasp” will be transmitted.

• on power-up, the system will provide notification regarding the reason for the failure.

The “dying gasp” behavior is highly desirable. The capability to differentiate at the

Network Operations Center between a power failure and a device failure is important for the operator.

If a system failure occurs, devices will do the following:

Generate an event on any administrative reboot, either forced reboot or reset to factory defaults and indicate the reason.

Attempt to generate an event on any system crash or unexpected reboot. There will be some conditions where transmitting a notification is not possible.

Attempt to generate an event when a power failure occurs.

The “dying gasp” event will have critical severity. The event can be saved to the internal flash. The event will also generate a syslog message that will be delivered based on the users syslog configuration. In addition, the system will generate an associated SNMP trap

(wwpLeosChassisDyingGaspNotification).

On system start-up a Cold Start trap is generated that includes the reason for the previous shutdown. An event is generated at start-up to indicate that the system has started up.

System Software Configuration Guide 6.5.0

285

E

VENT

L

OGGING

Syslog

Syslog

Syslog messages can be sent to the Syslog Server or a standard UNIX or NT-type Syslog daemon. Configuring Syslog enables configuration events, system error messages, interface status, security alerts, and environmental conditions to be centrally logged and analyzed.

The Syslog server, if operationally enabled will transmit Syslog messages to the specified

IP address(es) and port numbers. It will only transmit messages greater than or equal to the minimum severity and less than or equal to the maximum severity. The user can also specify which Syslog facility they wish system events to be generated for. This is typically used on the server side to separate events arriving at the server from multiple sources.

Since Syslog servers can be configured via DHCP, the user can also configure the default collector attributes for minimum severity, maximum severity, UDP port, and facility.

These defaults are applied to the user and DHCP configured collectors.

Each event generated by the SAOS software has a severity and a manager, and possibly a port associated with it. Next is the type of information selected and/or filtered sent to the syslog:

• Multiple collectors (external systems with IP address) may be configured (added) via the SAOS CLI and/or via DHCP.

• Each collector added via the CLI has a configurable min-max severity range.

Each collector added via the CLI has a configurable facility number.

• All events in the min-max range are sent to the collector.

Each CLI configured collector may have a different min-max range.

• Collectors added via DHCP have a default min-max range which cannot be configured.

Each collector can have only one min-max range.

The device allows configuration of the Syslog collector and global parameters shown in the tables that follow.

286 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

Syslog

Table 21-1 defines event severities.

Table 21-1: Event Severity Mapping

Syslog Severity Definition

Critical

Major

Minor

Warning

Informational

Debug

Cleared

Config

This indicates a condition in the device that is service affecting and requires immediate corrective action. It may indicate a catastrophic condition that affects multiple subscribers/customers.

This indicates a condition in the device that is service affecting and requires urgent corrective action. It may indicate a condition that affects a very small number of customers.

This indicates the existence of a non-service affecting fault condition and that corrective action should be taken in order to prevent a more serious

(for example, service affecting) fault. Such a severity can be reported, for example, when the detected alarm condition is not currently degrading the capacity of the managed object.

The Warning severity level indicates the detection of a potential or impending service affecting fault, before any significant effects have occurred. Action should be taken to further diagnose (if necessary) and correct the problem in order to prevent it from becoming a more serious service affecting fault.

The informational severity level indicates an occurrence on the device which is in no way associated with a performance degradation. No action is required by the operator. One example of this may be an event indicating that the configuration was saved to the flash file system.

The debug severity level indicates a class of events that are not intended for normal operation of the device and are merely used for troubleshooting. In general it is expected that these would be filtered.

The Cleared severity level indicates the clearing of one or more previously reported alarms. An alarm with severity level “Cleared” can clear the corresponding Critical, Major or Minor alarm.

The Config event indicates a configuration change. It is primarily used for communicating configuration changes through the system and to external entities.

System Software Configuration Guide 6.5.0

287

E

VENT

L

OGGING

Syslog

Table 21-2 summarizes the mapping of SAOS event severities to standard Syslog

severities.

5

6

7

2

3

4

8

9

10

Table 21-2: Event Severity Mapping

Syslog Severity

(numerical Value)

0

1

Event Severity Syslog Severity Syslog

none cleared debug debug

Severity Value

7

7 indeterminate critical major minor warming config info debug local debug emergency alert error warning notice informational debug debug

3

4

5

7

0

1

6

7

7

Table 21-3 provides a description of Syslog attributes.

Table 21-3: Syslog Attributes

Field Default

Admin State

Oper State

Enable

Collector

Custom Prefix

Facility

Min. Severity

Max. Severity

UDP Port

None

Empty

3

Alert

Emergency

514

Range (min. max.)

Enable, Disable

Enable, Disable, Unresolved x.x.x.x or valid hostname

String [15]

Integer (0-23)

Description

The administrative state of this collector

The operational state is Enabled if both the global

Admin State for Syslog is Enabled, and the Admin state of this collector is Enabled

This identifies the IP Address of the Syslog collector where the syslog messages will be sent.

This value is included as a prefix in the syslog message

Defines the facility code that will be sent on each message for this collector

Defines the minimum severity that a message must be to be sent to this collector

Other, Debug, Informational,

Notice, Warning, Error, Alert,

Emergency

Other, Debug, Informational,

Notice, Warning, Error, Alert,

Emergency

Integer (0-65535)

Defines the maximum severity that a message can be to be sent to this collector

The UDP port that the syslog message will be transmitted to on the collector IP Address

288 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

Syslog

A mnemonic field has been added to syslog messages to help quantify events. This field consists of three parts separated by dashes:

1. Source of the event

2. Event severity

3. Abbreviation of the event

For example, the mnemonic XCVR-3-OPTIC_REMOVED identifies that the source is the

Transceiver manager (XCVR) with an event severity of Error (3) and the event is that a pluggable transceiver has been removed (OPTIC_REMOVED).

To enable and configure Syslog

Step # Description

Step 1 Enables syslog globally.

Step 2 Adds a syslog server.

Step 3 Enables syslog on the specified server.

Command

syslog enable syslog add collector

<IpAddress> <'emergency' |

'alert' | 'critical' |

'error' | 'warning' |

'notice' | 'info'| 'debug'

| 'other'> syslog enable collector

<IpAddress>

Example:

1. > syslog enable

2. > syslog add collector 12.14.16.12 min-severity error max-severity info udp-port 560 facility 1

3. > syslog enable collector 12.14.16.12

System Software Configuration Guide 6.5.0

289

E

VENT

L

OGGING

Flash Log

Flash Log

The system software logs various events (critical, reboot, power failure) to local flash files.

The default severities for flash filtering are as follows:

- minimum: major

- maximum: critical

Each event generated by the system has a severity and a manager, and possibly a port associated with it. You can configure flash log filters to select the type of events to be sent to the flash log:

Only one flash log exists.

• Multiple filters may be created for the flash log.

Each filter specifies the min-max range, the source software manager and the source port.

All events in the min-max range that match the manager and port are sent to the collector.

Table 21-4 provides a description of event filter attributes.

Table 21-4: Event Filter Attributes

Field

Admin State

Default

Enable

Range (min. max.)

Enable, Disable

Operational State

Min. Severity

Max. Severity

Port List

Category List

Major

Critical

Empty

Empty

Enable, Disable

Debug, Info, Config,

Warning, Minor, Major,

Critical

Debug, Info, Config,

Warning, Minor, Major,

Critical

List of Port IDs

List of Categories

Description

The administrative state of this collector

The operational state is

Enabled if both the global

Admin State for Syslog is

Enabled, and the Admin state of this collector is Enabled

Defines the minimum severity that a message must be to be included in the log.

Defines the maximum severity that a message must be to be included in the log

This is a list of ports. For events generated on ports, only events on the ports in this list will be included in the log

This is a list of categories. All events in the listed categories will be included in the log as long as the port and severity criteria also match.

290 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

Flash Log

Configuring flash log filters

A default flash filter is automatically created and is named “default”. You can update the default filter or create new filters to limit or increase the events you want to log. The

1,000 most recent events are logged into flash memory, and will survive a system reboot.

To create a flash log filter:

log flash create filter <LogFlashFilterName[15]> {[all-mgrs], [arp-mgr <all|info>],[blade-mgr

<all|config|info>], [bcast-containment-mgr <all|info>], [cfm-mgr <all|info>], [chassis-mgr

<all|info>], [config-mgr <all|info>], [dnld-mgr <all|info>], [dnsc-mgr all|info], [dhcp-mgr

<all|debug|error|info|options|pkt|sm|timers>], [dot1x <all|info>], [event-mgr <all|info>],

[interface-mgr <all|debug|info>], [lacp-mgr <all|error|info|notif|mux-sm|ptx-ss-pkt>],

[lldp-mgr <all|error|info|notif|other|pdu|sm>], [max-severity

<critical|major|minor|warning|config|info|debug>], [min-severity

<critical|major|minor|warning|config|info|debug>], [ntpc-mgr <all|config|debug|info>], [port

<PortNameList>], [port-mgr <all|config|info|state-change>], [snmp-mgr <all|info>], [softwaremgr <all|info>], [tacacs-mgr <all|info>], [xcvr-mgr <all|debug|info>]}

To add events to an existing flash log filter:

log flash add filter <LogFlashFilterName[15]> {[all-mgrs], [arp-mgr <all|info>],[blade-mgr

<all|config|info>], [bcast-containment-mgr <all|info>], [cfm-mgr <all|info>], [chassis-mgr

<all|info>], [config-mgr <all|info>], [dnld-mgr <all|info>], [dnsc-mgr all|info], [dhcp-mgr

<all|debug|error|info|options|pkt|sm|timers>], [dot1x <all|info>], [event-mgr <all|info>],

[interface-mgr <all|debug|info>], [lacp-mgr <all|error|info|notif|mux-sm|ptx-ss-pkt>],

[lldp-mgr <all|error|info|notif|other|pdu|sm>], [ntpc-mgr <all|config|debug|info>], [port

<PortNameList>], [port-mgr <all|config|info|state-change>], [snmp-mgr <all|info>], [softwaremgr <all|info>], [tacacs-mgr <all|info>], [xcvr-mgr <all|debug|info>]}

To remove events from an existing flash log filter:

log flash remove filter <LogFlashFilterName[15]> {[all-mgrs], [arp-mgr <all|info>],[blade-mgr

<all|config|info>], [bcast-containment-mgr <all|info>], [cfm-mgr <all|info>], [chassis-mgr

<all|info>], [config-mgr <all|info>], [dnld-mgr <all|info>], [dnsc-mgr all|info], [dhcp-mgr

<all|debug|error|info|options|pkt|sm|timers>], [dot1x <all|info>], [event-mgr <all|info>],

[interface-mgr <all|debug|info>], [lacp-mgr <all|error|info|notif|mux-sm|ptx-ss-pkt>],

[lldp-mgr <all|error|info|notif|other|pdu|sm>], [ntpc-mgr <all|config|debug|info>], [port

<PortNameList>], [port-mgr <all|config|info|state-change>], [snmp-mgr <all|info>], [softwaremgr <all|info>], [tacacs-mgr <all|info>], [xcvr-mgr <all|debug|info>]}

To set the severities for a flash log filter:

log flash set filter <LogFlashFilterName[15]> {[max-severity

<critical|major|minor|warning|config|info|debug>], [min-severity

<critical|major|minor|warning|config|info|debug>]}

To delete a custom flash log filter:

log flash delete filter <LogFlashFilterName[15]>

To enable flash logging globally or for a specific flash log filter:

log flash enable [filter <LogFlashFilterName[15]>]

To disable flash logging globally or for a specific flash log filter:

log flash disable [filter <LogFlashFilterName[15]>]

System Software Configuration Guide 6.5.0

291

E

VENT

L

OGGING

Flash Log

Configuration Example:

This example shows how to create and enable a flash log filter for DHCP options:

> log flash create filter dhcpOptions

> log flash add filter dhcpOptions dhcp-mgr options

> log flash set filter dhcpOptions min-severity debug

> log flash enable filter dhcpOptions

> log flash enable

Configuring flash log packet filters

In addition to the flash log filters for events based on specific managers and severities, you can create flash log packet filters to enable logging based on specific packet types or ports. For each flash log packet filters, you can enable or disable packet decoding. When packet decoding is enabled, only the decoded packet is logged.

NOTE: Creating a packet filter for all, ingress, or egress ip-pkt types can use 100% of the

CPU resulting in lockup and reboot.

Table 21-5 provides a description of packet filter attributes.

Table 21-5: Packet Filter Attributes

Field Default

Enable Admin State

Operational State

Packet Decode

Packet Groups

Port List

Off

Empty

Range (min. max.)/Value

Description

Enable, Disable

Enable, Disable

The administrative state of this collector

The operational state is Enabled if both the global Admin State for Syslog is Enabled, and the Admin state of this collector is Enabled

On, Off When this attribute is On the packets will be included in the log in decoded format. This is less space efficient, but much easier to read

IGMP, IP, LACP, LLDP, RSTP Defines the maximum severity of messages to be included in the log

List of Port IDs This is a list of ports. For events generated on ports, only events on the ports in this list will be included in the log

292 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

Flash Log

To create a packet filter:

log flash create pkt-filter <LogFlashPacketFilterName[15]> {[cfm-pkt <all|egress|ingress>],

[igmp-pkt <all|egress|ingress>], [ip-pkt <all|egress|ingress>],[lacp-pkt

<all|egress|ingress>], [lldp-pkt <all|egress|ingress>], [mstp-pkt <all|egress|ingress>],

[pkt-decode <on|off>], [port <PortNameList>], [rstp-pkt <all|egress|ingress>]}

To add a packet type or port to a packet filter:

log flash add pkt-filter <LogFlashPacketFilterName[15]> {[cfm-pkt <all|egress|ingress>],

[igmp-pkt <all|egress|ingress>], [ip-pkt <all|egress|ingress>],[lacp-pkt

<all|egress|ingress>], [lldp-pkt <all|egress|ingress>], [mstp-pkt <all|egress|ingress>],

[port <PortNameList>], [rstp-pkt <all|egress|ingress>]}

To remove a packet type from a packet filter:

log flash remove pkt-filter <LogFlashPacketFilterName[15]> {[cfm-pkt <all|egress|ingress>],

[igmp-pkt <all|egress|ingress>], [ip-pkt <all|egress|ingress>],[lacp-pkt

<all|egress|ingress>], [lldp-pkt <all|egress|ingress>], [mstp-pkt <all|egress|ingress>],

[port <PortNameList>], [rstp-pkt <all|egress|ingress>]}

To set the packet decoding attribute for a packet filter:

log flash set pkt-filter <LogFlashPacketFilterName[15]> {pkt-decode <on|off>}

To delete a packet filter:

log flash delete pkt-filter <LogFlashPacketFilterName[15]>

To enable a packet filter:

log flash enable pkt-filter <LogFlashPacketFilterName[15]>

To disable a packet filter:

log flash disable pkt-filter <LogFlashPacketFilterName[15]>

Configuration Example:

This example shows how to configure a flash log packet filter for LLDP.

> log flash create pkt-filter myLLDPPktFilter

> log flash add pkt-filter myLLDPPktFilter lldp-pkt all

> log flash set pkt-filter myLLDPPktFilter pkt-decode on

> log flash enable pkt-filter myLLDPPktFilter

System Software Configuration Guide 6.5.0

293

E

VENT

L

OGGING

Flash Log

Displaying flash log and flash log packet filter configuration

You can display the global state configuration with a summarized list of flash log and flash log packet filters, a summary of flash log filters only, or a summary of packet filters only or details for a specific flash log or flash log packet filters.

To display flash log filter configuration:

log flash show [filter <LogFlashFilterName>] | [pkt-filter <LogFlashPktFilter>] | [logsummary] | [pkt-summary]

Example of a summarized list of both flash log and flash log packet filters:

> log flash show

+------------------------ FLASH LOG STATE CONFIGURATION ----------------------+

| Admin State | enabled |

+------------------+----------------------------------------------------------+

+----------------------- FLASH LOG FILTER CONFIGURATION ----------------------+

| | Admin | Oper | Severity | |

| Filter Name | State | State | Maximum | Minimum | No. Ports |

+------------------+----------+----------+-----------+-----------+------------+

| default | enabled | enabled | critical | critical | 28 |

| dhcpOptions | enabled | enabled | critical | debug | 0 |

+------------------+----------+----------+-----------+-----------+------------+

+----------------------- FLASH PKT FILTER CONFIGURATION ----------------------+

| | Admin | Oper | Pkt | No. Frame | |

| Filter Name | State | State | Decode | Types | No. Ports |

+------------------+----------+----------+-----------+-----------+------------+

| No Pkt Filters | | | | | |

+------------------+----------+----------+-----------+-----------+------------+

294 System Software Configuration Guide 6.5.0

Example of the default flash log filter configuration:

> log flash show filter default

+---------- LOG FLASH FILTER CONFIGURATION -----------+

| Name | default |

| Index | 1 |

| Admin State | enabled |

| Oper State | enabled |

| Maximum Severity | critical |

| Minimum Severity | major |

|------------------|----------------------------------|

| Categories | |

| | blade-mgr - config |

| | - info |

| | chassis-mgr - info |

| | config-mgr - info |

| | dnld-mgr - info |

| | dhcp-mgr - debug |

| | - error |

| | - info |

| | - options |

| | - pkt |

| | - sm |

| | - timers |

| | dnsc-mgr - resolve |

| | - monitor |

| | - info |

| | event-mgr - info |

| | igmp-mgr - events |

| | - egress-pkt |

| | - ingress-pkt |

| | - info |

| | interface-mgr - debug |

| | - info |

| | unknown - info |

| | lldp-mgr - error |

| | - notif |

| | - other |

| | - pdu |

| | - sm |

| | - info |

| | ntpc-mgr - config |

| | - debug |

| | - info |

| | port-mgr - config |

| | - info |

| | - state-change |

| | snmp-mgr - info |

| | software-mgr - info |

| | xcvr-mgr - info |

| | - debug |

|------------------|----------------------------------|

| Port List | 1 2 3 |

| | 12345678901234567890123456789012 |

| | XXXXXXXXXX---------------------- |

| | |

+------------------+----------------------------------+

E

VENT

L

OGGING

Flash Log

System Software Configuration Guide 6.5.0

295

E

VENT

L

OGGING

Flash Log

Displaying the flash log

You can display the entries made to flash based upon the configured flash log and flash log packet filters. Specifying the 'tail' attribute will display the last number of lines specified and the keyword string will search for the keyword in entries and display the corresponding lines.

To display the flash log:

log flash view [tail <NUMBER: 1-100>]|[keyword <String[16]>]

Example:

> log flash view tail 5

January 2, 2000 17:02:09.000 ntwrk: :Vlan add port vlan 200 added port 3

January 2, 2000 17:02:09.000 ntwrk: :Vlan add port vlan 200 added port 4

January 2, 2000 17:02:16.000 chassis: DHCP IP 172.25.0.2 User dhcp:DHCP System

Time Offset Set, tJanuary 2, 2000 17:02:16.000 chassis: DHCP IP 172.25.0.2 User

dhcp:DHCP System Time Offset Set, tJanuary 2, 2000 17:02:28.000 snmp: :Cannot ping gateway, cannot send cold trap but making an attempt

In addition, you can display the log files located in the /mnt/sysfs/log directory. These default system event logs are accessible using the following CLI commands. In this example, we can see at what time and for which reason the unit was reset.

Example:

> file

(file)> cd /mnt/sysfs/log

(file)> ls

Directory '/mnt/sysfs/log' pdtrc.lo0

ipstrc.lo0

eventLog.6

eventLog.5

(file)> cat eventLog.5

------------ > BOOTING < ------------

21:55:50.252 chassis: Cli requested device REBOOT, Rebooting now

To clear the log flash file:

log flash clear

296 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

RAM Log

RAM Log

The system software logs events to local RAM files in addition to the local flash. The default severities for RAM filter are as follows:

- minimum: major

- maximum: critical

The configuration and attributes of RAM log filters are similar to flash log filters:

Only one RAM log exists.

• Multiple filters may be created for the RAM log.

Each filter specifies the min-max range, the source software manager and the source port.

All events in the min-max range that match the manager and port are sent to the collector.

NOTE: The RAM log is a temporary storage log file that will be erased when the unit is rebooted.

You can configure event and packet filters for the RAM log with the same attributes described for the flash log. With RAM logs, you can set a global notification attribute to broadcast new entries to all active CLI sessions.

To configure the global notification:

log ram set global-notify <on|off>

Creating a RAM log filter

A default RAM log filter is automatically created and is named “default”. You can update the default filter or create new filters to limit or increase the events you want to log.

To create a RAM log filter:

log ram create filter <LogFlashFilterName[15]> {[all-mgrs], [arp-mgr <all|info>],[blade-mgr

<all|config|info>], [bcast-containment-mgr <all|info>], [cfm-mgr <all|info>], [chassis-mgr

<all|info>], [config-mgr <all|info>], [dnld-mgr <all|info>], [dnsc-mgr all|info], [dhcp-mgr

<all|debug|error|info|options|pkt|sm|timers>], [dot1x <all|info>], [event-mgr <all|info>],

[interface-mgr <all|debug|info>], [lacp-mgr <all|error|info|notif|mux-sm|ptx-ss-pkt>],

[lldp-mgr <all|error|info|notif|other|pdu|sm>], [max-severity

<critical|major|minor|warning|config|info|debug>], [min-severity

<critical|major|minor|warning|config|info|debug>], [ntpc-mgr <all|config|debug|info>], [port

<PortNameList>], [port-mgr <all|config|info|state-change>], [snmp-mgr <all|info>], [softwaremgr <all|info>], [tacacs-mgr <all|info>], [xcvr-mgr <all|debug|info>]}

To add events to an existing RAM log filter:

log ram add filter <LogFlashFilterName[15]> {[all-mgrs], [arp-mgr <all|info>],[blade-mgr

<all|config|info>], [bcast-containment-mgr <all|info>], [cfm-mgr <all|info>], [chassis-mgr

<all|info>], [config-mgr <all|info>], [dnld-mgr <all|info>], [dnsc-mgr all|info], [dhcp-mgr

<all|debug|error|info|options|pkt|sm|timers>], [dot1x <all|info>], [event-mgr <all|info>],

[interface-mgr <all|debug|info>], [lacp-mgr <all|error|info|notif|mux-sm|ptx-ss-pkt>],

[lldp-mgr <all|error|info|notif|other|pdu|sm>], [ntpc-mgr <all|config|debug|info>], [port

<PortNameList>], [port-mgr <all|config|info|state-change>], [snmp-mgr <all|info>], [softwaremgr <all|info>], [tacacs-mgr <all|info>], [xcvr-mgr <all|debug|info>]}

System Software Configuration Guide 6.5.0

297

E

VENT

L

OGGING

RAM Log

To remove events from an existing RAM log filter:

log ram remove filter <LogFlashFilterName[15]> {[all-mgrs], [arp-mgr <all|info>],[blade-mgr

<all|config|info>], [bcast-containment-mgr <all|info>], [cfm-mgr <all|info>], [chassis-mgr

<all|info>], [config-mgr <all|info>], [dnld-mgr <all|info>], [dnsc-mgr all|info], [dhcp-mgr

<all|debug|error|info|options|pkt|sm|timers>], [dot1x <all|info>], [event-mgr <all|info>],

[interface-mgr <all|debug|info>], [lacp-mgr <all|error|info|notif|mux-sm|ptx-ss-pkt>],

[lldp-mgr <all|error|info|notif|other|pdu|sm>], [ntpc-mgr <all|config|debug|info>], [port

<PortNameList>], [port-mgr <all|config|info|state-change>], [snmp-mgr <all|info>], [softwaremgr <all|info>], [tacacs-mgr <all|info>], [xcvr-mgr <all|debug|info>]}

To set the severities for a RAM log filter:

log ram set filter <LogFlashFilterName[15]> {[max-severity

<critical|major|minor|warning|config|info|debug>], [min-severity

<critical|major|minor|warning|config|info|debug>]}

To delete a custom RAM log filter:

log ram delete filter <LogFlashFilterName[15]>

To enable flash logging globally or for a specific ram log filter:

log ram enable [filter <LogFlashFilterName[15]>]

To disable flash logging globally or for a specific ram log filter:

log ram disable [filter <LogFlashFilterName[15]>]

Configuration Example:

This example shows how to create and enable a RAM log filter for DHCP options:

> log ram create filter dhcpOptions

> log ram add filter dhcpOptions dhcp-mgr options

> log ram set filter dhcpOptions min-severity debug

> log ram enable filter dhcpOptions

> log ram enable

Configuring RAM log packet filters

In addition to the RAM log filters for events based on specific managers and severities, you can create RAM log packet filters to enable logging based on specific packet types or ports. For each RAM log packet filters, you can enable or disable packet decoding. When packet decoding is enabled, only the decoded packet is logged.

NOTE: Creating a packet filter for all, ingress, or egress ip-pkt types can use 100% of the

CPU resulting in lockup and reboot.

To create a packet filter:

log ram create pkt-filter <LogramPacketFilterName[15]> {[cfm-pkt <all|egress|ingress>],

[igmp-pkt <all|egress|ingress>], [ip-pkt <all|egress|ingress>],[lacp-pkt

<all|egress|ingress>], [lldp-pkt <all|egress|ingress>], [mstp-pkt <all|egress|ingress>],

[pkt-decode <on|off>], [port <PortNameList>], [rstp-pkt <all|egress|ingress>]}

298 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

RAM Log

To add a packet type or port to a packet filter:

log ram add pkt-filter <LogramPacketFilterName[15]> {[cfm-pkt <all|egress|ingress>], [igmppkt <all|egress|ingress>], [ip-pkt <all|egress|ingress>],[lacp-pkt <all|egress|ingress>],

[lldp-pkt <all|egress|ingress>], [mstp-pkt <all|egress|ingress>], [port <PortNameList>],

[rstp-pkt <all|egress|ingress>]}

To remove a packet type from a packet filter:

log ram remove pkt-filter <LogramPacketFilterName[15]> {[cfm-pkt <all|egress|ingress>],

[igmp-pkt <all|egress|ingress>], [ip-pkt <all|egress|ingress>],[lacp-pkt

<all|egress|ingress>], [lldp-pkt <all|egress|ingress>], [mstp-pkt <all|egress|ingress>],

[port <PortNameList>], [rstp-pkt <all|egress|ingress>]}

To set the packet decoding attribute for a packet filter:

log ram set pkt-filter <LogramPacketFilterName[15]> {pkt-decode <on|off>}

To delete a packet filter:

log ram delete pkt-filter <LogramPacketFilterName[15]>

To enable a packet filter:

log ram enable pkt-filter <LogramPacketFilterName[15]>

To disable a packet filter:

log ram disable pkt-filter <LogramPacketFilterName[15]>

Configuration Example:

This example shows how to configure a ram log packet filter for LLDP.

> log ram create pkt-filter myLLDPPktFilter

> log ram add pkt-filter myLLDPPktFilter lldp-pkt all

> log ram set pkt-filter myLLDPPktFilter pkt-decode on

> log ram enable pkt-filter myLLDPPktFilter

Displaying RAM log and RAM log packet filter configuration

You can display the global configuration with a summarized list of RAM log and RAM log packet filters, a summary of flash log filters only, or a summary of packet filters only or details for a specific flash log or flash log packet filters.

To display flash log filter configuration:

log flash show [filter <LogFlashFilterName>] | [pkt-filter <LogFlashPktFilter>] | [logsummary] | [pkt-summary]

System Software Configuration Guide 6.5.0

299

E

VENT

L

OGGING

RAM Log

Example of a summarized list of both flash log and flash log packet filters:

> log ram show

+------------------------ RAM LOG STATE CONFIGURATION ------------------------+

| Admin State | enabled |

| Global-notify | disabled |

+------------------+----------------------------------------------------------+

+----------------------- RAM LOG FILTER CONFIGURATION ------------------------+

| | Admin | Oper | Severity | |

| Filter Name | State | State | Maximum | Minimum | No. Ports |

+------------------+----------+----------+-----------+-----------+------------+

| default | enabled | enabled | critical | info | 12 |

+------------------+----------+----------+-----------+-----------+------------+

+----------------------- RAM PKT FILTER CONFIGURATION ------------------------+

| | Admin | Oper | Pkt | No. Frame | |

| Filter Name | State | State | Decode | Types | No. Ports |

+------------------+----------+----------+-----------+-----------+------------+

| No Filters | | | | | |

+------------------+----------+----------+-----------+-----------+------------+

300 System Software Configuration Guide 6.5.0

Example of the default flash log filter configuration:

> log ram show filter default

+----------- LOG RAM FILTER CONFIGURATION ------------+

| Name | default |

| Index | 1 |

| Admin State | enabled |

| Oper State | enabled |

| Maximum Severity | critical |

| Minimum Severity | major |

|------------------|----------------------------------|

| Categories | |

| | blade-mgr - config |

| | - info |

| | chassis-mgr - info |

| | config-mgr - info |

| | dnld-mgr - info |

| | dhcp-mgr - debug |

| | - error |

| | - info |

| | - options |

| | - pkt |

| | - sm |

| | - timers |

| | dnsc-mgr - resolve |

| | - monitor |

| | - info |

| | event-mgr - info |

| | igmp-mgr - events |

| | - egress-pkt |

| | - ingress-pkt |

| | - info |

| | interface-mgr - debug |

| | - info |

| | unknown - info |

| | lldp-mgr - error |

| | - notif |

| | - other |

| | - pdu |

| | - sm |

| | - info |

| | ntpc-mgr - config |

| | - debug |

| | - info |

| | port-mgr - config |

| | - info |

| | - state-change |

| | snmp-mgr - info |

| | software-mgr - info |

| | xcvr-mgr - info |

| | - debug |

|------------------|----------------------------------|

| Port List | 1 2 3 |

| | 12345678901234567890123456789012 |

| | XXXXXXXXXX---------------------- |

| | |

+------------------+----------------------------------+

E

VENT

L

OGGING

RAM Log

System Software Configuration Guide 6.5.0

301

E

VENT

L

OGGING

Command Log

Displaying the RAM log

You can display all RAM log entries or monitor entries as they occur. To stop monitoring the RAM log, press Ctrl+C.

To display RAM log entries:

log ram trace [all]

Example of monitoring entries:

> log ram trace

(trace activated)

May 6, 2009 14:14:26.604 chassis: Telnet IP 1.90.90.24 User su:System Session More Enable

<Ctrl+C>

--break--

Example of all:

> log ram trace all

January 1, 2000 00:00:50.488 interface: :local interface is operationally enabl ed

January 1, 2000 00:00:51.038 interface: :local interface is operationally enabl ed

January 1, 2000 00:00:51.081 chassis: :AC power supply 1 failure

January 1, 2000 00:00:51.097 interface: :remote interface is operationally enab led

January 1, 2000 00:00:56.952 lacpOptCheck() Total 0 signal sent

January 1, 2000 00:01:15.151 LLDP: lldpBAdmStateSET() to state 0

January 1, 2000 00:01:15.759 interface: :remote interface is operationally enab led

January 1, 2000 00:01:15.798 interface: :remote interface is operationally enab led

January 1, 2000 00:01:22.410 Software: saos-06-05-00-0027 Build 27

May 10, 2009 07:05:05.890 [UTC] config: Local RS-232 User gss:Config Save

May 10, 2009 07:05:46.971 [UTC] config: Local RS-232 User gss:Config Save

May 10, 2009 07:05:55.112 [UTC] chassis: Telnet IP 10.25.42.9 User su:System Se ssion More Disable

May 10, 2009 07:05:55.316 [UTC] chassis: Telnet IP 10.25.42.9 User su:System Gl obal Inactivity Timer Disable

May 11, 2009 16:55:55.139 [UTC] chassis: Telnet IP 10.25.42.9 User su:System Se ssion More Disable

May 11, 2009 16:55:55.343 [UTC] chassis: Telnet IP 10.25.42.9 User su:System Gl obal Inactivity Timer Disable

-----------------------------------

To clear the log ram file:

log ram clear

Command Log

The system logs user command history for monitoring system configuration performed from the CLI. Each time a system goes into service, a header is written to the log containing the system identifier and a timestamp. All subsequent commands (with some exceptions) issued from the CLI are entered in chronological order up to 2500 entries, and then the entries wrap to the beginning of the command log file. When commands contain a password, the password will be masked to maintain security. This command log is stored in the local flash file system, and each entry includes:

Log ID - sequence identifier of the entry.

302 System Software Configuration Guide 6.5.0

E

VENT

L

OGGING

Command Log

User - Session, IP address of the user session, or user ID to indicate who issued the command.

User privilege level - access level of the user who issued the command.

Timestamp - Timestamp of when the command was issued. This timestamp is stored in UTC format, but the display format is determined by the system timestamp as set with the system set timestamp command.

Currently, the system does not write entries to the command log for the following:

• Log on attempts, successful or failed.

Commands run from the configuration file during startup.

• Commands contained within a file used in configuration augment commands.

You can display the command log, rerun commands entered into the log file, specify to repeat a specific command, and disable or enable command logging.

NOTE: Limited users cannot display or repeat commands requiring super user access.

Displaying the command log

You can display all entries in the command log in the default format with sequence ID and command. Also, you can apply multiple options to display specific information and to change the format, such as:

[destination] - Location of the command log file.

[recent] - Recent entries.

[last <DurationString>] - Entries from the specified time interval in the format

N[yMwdhms]. If you specify a number only, the interval will be shown in seconds.

[today] - Entries from today.

[yesterday] - Entries from yesterday.

[from-date <DateString>] - Entries from specified date (yyyy-mm-dd or yy-mm-dd or mm-dd).

[to-date <DateString>] - Entries to specified date (yyyy-mm-dd or yy-mm-dd or mmdd).

[from-time <TimeString>] - Entries from specified time (hh:mm or hh:mm:ss)

[to-time <TimeString>] - Entries to specified time (hh:mm or hh:mm:ss)

[tail <NUMBER: 1-4290261631>] - Latest number of entries

[containing <String>] - Entries containing a specific string.

[mine] - Displays entries for current user.

[since-activated] - Entries since system startup.

[user <String[16]>] - Displays entries for the specified user.

[privilege <lmited|super>] - Limits to users with the specified privilege.

[on-terminal <TerminalString>] - Entries of commands run from a specific terminal

ID.

[sequence-id <NUMBERList>] - Entries with the specified sequence identifier(s).

[verbose] - Displays the command log in a table format with headings, timestamp, and user information. Without the verbose option, the command log is displayed with sequence ID and command only.

System Software Configuration Guide 6.5.0

303

E

VENT

L

OGGING

Command Log

To display the command log:

command-log show [destination] [recent] [last <String>] [today] [yesterday] [from-date

<String>] [to-date <String>] [from-time <String>] [to-time <String>] [tail <#>] [containing

<String>] [mine] [since-activated] [user <String>] [privilege <limited|super|diag>] [onterminal <String>] [sequence-id <#List>][verbose]

Examples:

> command-log show destination

Command Log Destination: flash

> command-log show recent

8180: command-log show last 6h

8181: command-log show last 6h verbose

8182: command-log show last 30m verbose

8183: command-log show destination

8184: command-log show today

8185: command-log show yesterday

8189: command-log show from-date 2009-05-04 to-date 2009-05-06

8190: command-log show on-terminal /telnet_10.25.42.9:4682

8194: command-log show tail 10 verbose

> command-log show recent verbose

+------------------------------ COMMAND LOG -----------------------------------+

| ID | Date & Time (UTC) | User(privilege) on Terminal |

+-------+--------------------------+-------------------------------------------+

+-------+--------------------------+-------------------------------------------+

| 8274 | Wed May 6 19:37:22 2009 | su(super) /telnet_1.90.90.24:3935 |

| command-log show today from-time 13:34:00 to-time 19:34:00 verbose

| | Wed May 6 19:37:28 2009 | |

+-------+--------------------------+-------------------------------------------+

Repeating commands

If you need to rerun a command listed in the command log, you can repeat it by specifying a sequence ID or repeat your last command. Also, you can repeat a specific command without having to look up a sequence Identifier. When repeating commands, you can specify a time interval (in the format N[yMwdhms]) and number of times to run the command.

NOTE: The system does not support rerunning the command-log repeat command.

If you run command-log repeat my-last-command and the last command run was command-log repeat

, the system will rerun the command you ran prior to it. Also, if you run command-log repeat and specify a sequence ID for the command-log repeat command, it will fail with the error message “Cannot repeat command: command-log repeat

.”

To repeat a command

command-log repeat {sequence-id <numbers>|my-last-command|command <String>} [every

<DurationString>] [times <NUMBER: 1-4290261631>]

304 System Software Configuration Guide 6.5.0

Example of my-last-command:

> command-log repeat my-last-command times 2 command-log show last 1m

8281: command-log show last 1m

8282: command-log show last 1m command-log show last 1m

8281: command-log show last 1m

8282: command-log show last 1m

Example of sequence-id list:

> command-log repeat sequence-id 8360,8196,8042 cli show object command-log full

command-log disable

command-log enable

command-log show

command-log show destination

command-log show recent

command-log show last <String>

command-log show today

command-log show yesterday

command-log show from-date <String>

command-log show to-date <String>

command-log show from-time <String>

command-log show to-time <String>

command-log show tail <#>

command-log show containing <String>

command-log show mine

command-log show since-activated

command-log show user <String>

command-log show privilege <limited|super|diag>

command-log show on-terminal <String>

command-log show sequence-id <#List>

command-log show verbose

command-log repeat my-last-command

command-log repeat command <String>

command-log repeat every <String>

command-log repeat times <#> command-log show tail 7

8448: broadcast-containment show port 1

8479: cli show object broadcast-containment full

8939: command-log show

8943: command-log repeat sequence-id 8409,8205,8210

8944: command-log show

8945: command-log repeat sequence-id 8210

8946: broadcast-containment show system shell set more on

E

VENT

L

OGGING

Command Log

System Software Configuration Guide 6.5.0

305

E

VENT

L

OGGING

Troubleshooting

Example of a specific command:

> command-log repeat command "port show port 1 statistics active" every 10s times 2 port show port 1 statistics active

+--------------- PORT 1 STATISTICS -----+

| Statistic | Value |

+--------------------+------------------+

| TxBytes | 14790225612 |

| TxPkts | 119276013 |

| TxBcastPkts | 119276013 |

+--------------------+------------------+ port show port 1 statistics active

+--------------- PORT 1 STATISTICS -----+

| Statistic | Value |

+--------------------+------------------+

| TxBytes | 14791312968 |

| TxPkts | 119284782 |

| TxBcastPkts | 119284782 |

+--------------------+------------------+

Disabling and enabling command logging

Command logging is enabled by default. You can disable it to conserve space on the local flash file system. The commands to disable and enable are logged.

To disable command logging:

command-log disable

To enable command logging:

command-log enable

Troubleshooting

Sending log test messages

You can test the configuration of log flash and RAM filters by sending a test message.

To send a test message:

log send msg <String[127]> severity <critical|major|minor|warning|config|info|debug>

Example:

> log send msg “This is a test message.” severity critical

Resetting log file configuration to defaults

You can reset the configuration of flash and RAM log filters to the default settings and clear the flash and RAM log files.

To reset the configuration and clear the log files:

log reset-to-factory-defaults

306 System Software Configuration Guide 6.5.0

Chapter

Configuring SNMP

• • • • • •

22

At a Glance:

Overview

Benefits

Configuring Global Attributes

Configuring SNMPv1/v2c Community

Based Security

Configuring Port Traps and Servers

Configuring SNMPv3

Configuring RMON

Troubleshooting

This chapter describes Simple Network Management Protocol (SNMP) and how to configure it.

Overview

Simple Network Management Protocol (SNMP) governs the functions and management of network devices and components called managed objects. SNMP provides the ability to administer managed objects using a Network Management System (NMS) interface, instead of the CLI. Examples of NMS interfaces are a Management Information Base (MIB) browser or Ethernet Services Manager (ESM). The NMS interface acts as an SNMP manager and sends messages to the device in the form of an SNMP Protocol Description Unit (PDU).

These messages are processed by the SNMP agent on the device.

NOTE: To optimize performance when retrieving large table views while browsing MIBs, use SNMP v2 Get Bulk instead of SNMP Get.

SNMP Architecture

The system software supports SNMP versions v1, v2c, and v3. The SNMP architecture includes the following components:

Message dispatcher - The message dispatcher is responsible for sending and receiving

SNMP messages. When an SNMP request message is received, the Dispatcher determines the SNMP version and then passes the message to the appropriate Message

Processing Model (SNMPv1, SNMPv2c, or SNMPv3). The Dispatcher is also responsible for dispatching SNMP response messages to the NMS interface application.

Community authentication - SNMPv1 and SNMPv2c support a community-based security model. This model provides limited security based upon the configured community name. No encryption or user authentication is provided. All SNMP messages between Agent and manager contain “Community Name” in the plain text.

User-based authentication - SNMPv3 supports a user-based security model. This model requires users to provide a secret key for authentication and privacy. The supported authentication protocols are Keyed Hashing for Message Authentication

System Software Configuration Guide 6.5.0

307

C

ONFIGURING

SNMP

Overview

308

Message Digest 5 (HMAC-MD5) and HMAC Secure Hash Algorithm 1 (SHA-1) algorithms.

Privacy is accomplished by encrypting and decrypting SNMPv3 packets with the Cipher

Block Chaining mode to the Data Encryption Standard (CBC-DES) algorithm.

View-based access control- SNMPv3 provides additional security by limiting access to specific managed objects.

Protocol PDU operations - The Message Processing Subsystem handles the Protocol

PDU operations of preparing messages for sending and extracting data from received messages. This system software version supports the SNMPv1 Message Processing Model for SNMPv1 and SNMPv2 protocol operations.

MIBs - The system software supports both standard and proprietary MIBS that store configuration, operational state, and statistics information in the form of managed objects. Each managed object is identified by an Object Identifier (OID) and exchanges information between the MIB and the system software modules through an Application

Programming Interface (API). MIB files supported in this release include:

BRIDGE-MIB.my

ETHERLIKE-MIB.my

IANA-ADDRESS-FAMILY-NUMBERS-MIB.my

IANAifType-MIB.my

IEEE8021-PAE-MIB.my

IF-MIB.my

LLDP_DOT1-MIB.my

LLDP_DOT3-MIB.my

RFC1213-MIB.my

rfc1215.mib

RFC-1215.my

RMON2-MIB.my

RMON-MIB.my

SNMP-NOTIFICATION-MIB.my

SNMPv2-MIB.my

WWP-LEOS-8021X-MIB.my

WWP-LEOS-BLADE-MIB.my

WWP-LEOS-BROADCAST-CONTAINMENT-MIB.my

WWP-LEOS-CFM-MIB.my

WWP-LEOS-CHASSIS-MIB.my

WWP-LEOS-COMMUNITY-MIB.my

WWP-LEOS-DATAPLANE-MIB.my

WWP-LEOS-DHCP-CLIENT-MIB.my

WWP-LEOS-DNS-CLIENT-MIB.my

WWP-LEOS-EXT-LAG-MIB.my

WWP-LEOS-FEATURE-LICENSE-MIB.my

WWP-LEOS-FILE-TRANSFER-MIB.my

WWP-LEOS-FLOW-MIB.my

WWP-LEOS-IGMP-MIB.my

WWP-LEOS-IP-INTERFACE-MIB.my

WWP-LEOS-L2CFT-MIB.my

WWP-LEOS-LLDP-MIB.my

WWP-LEOS-MSTP-MIB.my

System Software Configuration Guide 6.5.0

WWP-LEOS-MULTICAST-FILTER-MIB.my

WWP-LEOS-NTP-CLIENT-MIB.my

WWP-LEOS-OAM-MIB.my

WWP-LEOS-PBT-MIB.my

WWP-LEOS-OAM-MIB-MODULE.my

WWP-LEOS-PING-MIB.my

WWP-LEOS-PORT-MIB.my

WWP-LEOS-PORT-STATS-MIB.my

WWP-LEOS-PORT-XCVR-MIB.my

WWP-LEOS-RADIUS-CLIENT.my

WWP-LEOS-SSH-MIB.my

WWP-LEOS-SW-XGRADE-MIB.my

WWP-LEOS-SYSLOG-COLLECTOR-MIB.my

WWP-LEOS-SYSTEM-CONFIG-MIB.my

WWP-LEOS-SYSTEM-CONTROL-MIB.my

WWP-LEOS-TACACS-CLIENT-MIB.my

WWP-LEOS-TRAFFIC-PROFILE-MIB.my

WWP-LEOS-TWAMP-MIB.my

WWP-LEOS-USER-MIB.my

WWP-LEOS-VLAN-TAG-MIB.my

WWP-LEOS-VPLS-MIB.my

WWP-PRODUCTS-MIB.my

C

ONFIGURING

SNMP

Overview

System Software Configuration Guide 6.5.0

309

C

ONFIGURING

SNMP

Overview

EMS/NMS

Interface

Message

Dispatcher

Figure 22-1 illustrates the SNMPv1 & SNMPv2c agent and the SNMPv3 Engine

Architecture.

OLD SNMPv1/v2c Agent

Community

Authentication

Protocol PDU

Operations

Standard /

Proprietary

MIBs

MIB Compiler

New SNMPv3 Engine

EMS/NMS

Interface

Message

Dispatcher

VACM

Access Control

Subsystem

Protocol PDU

Operations

OID to Method

Routines

V Methods

K Methods

Message

Processing v1/v2c/v3

Authentication

Module (MD5/SHA)

Privacy Services

(DES)

MIB

Instrumentation

API to System

Software Modules

Figure 22-1: SNMPv1 & SNMPv2c Agents / SNMPv3 Engine Architecture

310 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Overview

SNMPv1

SNMPv1 is defined by RFC1157 (SNMPv1), RFC1155 Structure of Management Information

Version 1 (SMIv1), RFC1212 and RFC1215. This version supports primitive data types based on SMIv1 with the following operations:

Get Request - manager requests the current value of a specified managed object from the agent.

Get Next Request - manager requests the current value of the next managed object in the MIB from the agent.

Set Request - manager requests the agent to set the value of the specified managed object.

Get Response - agent responds to a Get-Request, Get-Next-Request, or Set-Request with the value of the managed object.

Trap - agent notifies manager of system event.

The SNMPv1 message and Protocol Description Unit (PDU) format is shown in Figure 22-2:

Figure 22-2: SNMPv1 Message and PDU Format

System Software Configuration Guide 6.5.0

311

C

ONFIGURING

SNMP

Overview

SNMPv2c

SNMPv2c is defined by RFC1901, RFC3416 (SNMPv2), RFC2578 (SMIv2) and RFC2579. It supports the same operations as SNMPv1 with additional support for the Get Bulk

(RFC3616) operation for efficient retrieval of large amounts of data. This version defines a newer SNMPv2 Trap PDU format and supports data types based on SMIv2 including 64 bit counters.

The SNMPv2c message and PDU format is shown in Figure 22-3:

Figure 22-3: SNMPv2c Message and PDU Format

312 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Overview

SNMPv3

SNMPv3 uses the same PDU format and supports all operations that are defined in

SNMPv2c, but it is not considered a stand-alone protocol. Instead, it employs an extensible framework that uses SNMPv2c information that is encapsulated in the SNMPv3 packet format.

Packet Format

The SNMPv3 packet format includes a message header, security parameters, and PDU

information as shown in Figure 22-4:

Figure 22-4: SNMPv3 Packet Format

System Software Configuration Guide 6.5.0

313

C

ONFIGURING

SNMP

Overview

Following is a list of the supported SNMPv3 fields:

Table 22-1: SNMPv3 Packets

Packet Name msgVersion msgID msgMaxSize msgFlags msgSecurityModel msgSecurityParameters scopedPDU

Description

Displays the SNMP version of the packet

(e.g. 1, 2, or 3).

Used to coordinate request and response messages between manager and agent. A msgID in a response must be the same as the

msgID received in the request.

Indicates the maximum message size that the sender can support.

Indicates how the message is to be processed and contains the following flags:

• reportableFlag

• authFlag

• privFlag

Contains the security model that was used for security processing upon message reception.

Contains the security model specific data. This data is defined and used only by the security model specified by msgSecurityModel.

Contains the normal PDU and information for identifying the administratively unique context for processing the PDU.

Security License Key

A valid security license key is required to allow SNMPv3 packets with an authentication only security level setting (authNoPriv) or an authentication with privacy security level setting (authPriv).

CAUTION: SNMP will not respond to requests and will drop packets if a valid security license key is not installed.

Once a valid security license key is installed, SNMP will enable encryption and authentication. It will then accept SNMPv3 packets and allow the user to access the device.

NOTE: A valid security license key is not required to allow SNMPv1, SNMPv2c, or SNMPv3 packets with a no authentication and privacy (noAuthNoPriv) security level setting.

For information on SNMP security levels, see the snmpSecurityLevel section on page 315.

Supported Concepts

Following is a list of the supported SNMPv3 concepts:

Table 22-2: SNMPv3 Concepts

Concept Description

314 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Overview

Table 22-2: SNMPv3 Concepts snmpEngineID snmpEngineBoots snmpEngineTime snmpSecurityLevel

Authoritative SNMP Engine

Agent Discovery

A unique identifier for an SNMP engine within an administrative domain. The snmpEngineID is computed using the chassis MAC address and an administratively assigned string.

Counts the number of times an SNMP engine has re-booted or reinitialized since the snmpEngineID was last set. This counter is initially set to zero.

Specifies the number of seconds since the snmpEngineBoots counter was last incremented. This counter is initially set to zero. If the snmpEngineTime reaches its maximum (2147483647), then the snmpEngineBoots is incremented by one and the

snmpEngineTime starts counting again from zero.

Contains three security levels that rank from highest to lowest respectively:

• authPriv

• authNoPriv

• noAuthNoPriv

Protects against message replay, message delay, and message redirection.

Used to first determine the snmpEngineID of the agent, and then determines the snmpEngineBoots and snmpEngineTime.

Supported Table Entries

Following is a list of the supported SNMPv3 table entries:

Table 22-3: SNMPv3 Table Entries

Table Name Description usmUserTable

Specifies the creation of new users who are allowed to access

SNMP supported devices. This table is only used when an ingress SNMP packet utilizes SNMPv3. usmUserTable includes the following information:

vacmSecurityToGroupTable

• usmUserEngineID

• usmUserName

• usmUserAuthProtocol

• usmUserPrivProtocol

Attaches a security model to a group that is defined in

usmUserTable. This table does not, however, validate whether or not a user ID specified in the table exists in usmUserTable.

vacmSecurityToGroupTable includes the following information:

• vacmSecurityModel

• vacmSecurityName

• vacmGroupName

System Software Configuration Guide 6.5.0

315

C

ONFIGURING

SNMP

Overview

316

Table 22-3: SNMPv3 Table Entries vacmAccessTable

Specifies either a read view, write view, or notify view access policy for the group specified in vacmSecurityToGroupTable.

vacmAccessTable includes the following information:

vacmViewTreeFamilyTable snmpTargetAddrTable snmpTargetParamTable snmpCommunityTable

• vacmGroupName

• vacmAccessSecurityModel

• vacmAccessSecurityLevel

• vacmAccessReadViewName

• vacmAccessWriteViewName

• vacmAccessNotifyViewName

vacmAccessSecurityLevel contains three security levels that rank from highest to lowest respectively:

• authPriv

• authNoPriv

• noAuthNoPriv

Specifies the following three views that are used in

vacmAccessTable:

• vacmViewTreeFamilyViewName

• vacmViewTreeFamilySubtree

• vacmViewTreeFamilyType

Specifies the transport addresses that can either be used when generating SNMP traps or allow SNMP requests that come from specified IP addresses. snmpTargetAddrTable includes the following information:

• snmpTargetAddrName

• snmpTargetAddrTAddress

• snmpTargetAddrTagList

• snmpTargetAddrParams

Specifies additional information about the

snmpTargetAddrTable. This additional information includes what security model, security level, and trap type is to be used when generating SNMP traps. snmpTargetParamTable includes the following information:

• snmpTargetParamsName

• snmpTargetParamsSecurityModel

• snmpTargetParamsSecurityName

• snmpTargetParamsSecurityLevel

Used to map earlier SNMPv1 and SNMPv2c communities, notifications, and configurations into the SNMPv3 framework.

snmpCommunityTable includes the following information:

• snmpCommunityIndex

• snmpCommunityName

• snmpCommunitySecurityName

• snmpCommunityTransportTag

System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Overview

Following is a list of the maximum number of SNMPv3 table entries that are supported

Table 22-4: SNMPv3 Maximum Number Of Table Entries

Table Name Maximum Entries Supported usmUserTable vacmSecurityToGroupTable vacmAccessTable vacmViewTreeFamilyTable snmpTargetAddrTable snmpTargetParamTable snmpCommunityTable

17

15

18

15

20

20

15

System Software Configuration Guide 6.5.0

317

C

ONFIGURING

SNMP

Overview

Supported SNMP Traps

Following is a list of supported SNMP traps:

Table 22-5: SNMP Traps

SNMP Trap Name

authenticationFailure coldStart fallingAlarm linkDown linkUp lldpRemTablesChange risingAlarm wwpFTransferCompletion wwpLeosBcastThresholdExceed wwpLeosBladeStateChange wwpLeosCfmFaultTrap wwpLeosCfmPbtFaultTrap wwpLeosChassisDoorStatusChangeNotification wwpLeosChassisDyingGaspNotification wwpLeosChassisPowerSupplyStatusNotification wwpLeosChassisRebootNotification wwpLeosChassisTempNotification wwpLeosChassisSnmpStateNotification wwpLeosDhcpClientOptionDisabledNotification wwpLeosEthLinkUp wwpLeosEthLinkDown wwpLeosFlowL2SacHighThreshold wwpLeosFlowL2SacNormalThreshold wwpLeosImproperCmdInConfigFile wwpLeosIpInterfaceAddrChgNotification wwpLeosMstpBridgeRootPortLostNotification wwpLeosMstpNewRootNotification wwpLeosMstpPortBackupNotification

Associated MIB File

SNMPv2-MIB.my

SNMPv2-MIB.my

RMON-MIB.my

IF-MIB.my

IF-MIB.my

LLDP-MIB.my

RMON-MIB.my

WWP-LEOS-FILE-TRANSFER-MIB.my

WWP-LEOS-BROADCAST-CONTAINMENT-MIB.my

WWP-LEOS-BLADE-MIB.my

WWP-LEOS-CFM-MIB.my

WWP-LEOS-CFM-MIB.my

WWP-LEOS-CHASSIS-MIB.my

WWP-LEOS-CHASSIS-MIB.my

WWP-LEOS-CHASSIS-MIB.my

WWP-LEOS-CHASSIS-MIB.my

WWP-LEOS-CHASSIS-MIB.my

WWP-LEOS-CHASSIS-MIB.my

WWP-LEOS-DHCP-CLIENT-MIB.my

WWP-LEOS-PORT-MIB.my

WWP-LEOS-PORT-MIB.my

WWP-LEOS-FLOW-MIB.my

WWP-LEOS-FLOW-MIB.my

WWP-LEOS-SYSTEM-CONFIG-MIB.my

WWP-LEOS-IP-INTERFACE-MIB.my

WWP-LEOS-MSTP-MIB.my

WWP-LEOS-MSTP-MIB.my

WWP-LEOS-MSTP-MIB.my

318 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Benefits

Table 22-5: SNMP Traps

wwpLeosMstpPortFlapNotification wwpLeosMstpPortOperEdgeNotification wwpLeosMstpPvstBpduReceivedNotification wwpLeosMstpSelfLoopNotification wwpLeosMstpTopologyChangeNotification wwpLeosOamLinkEventTrap wwpLeosPbtTunnelReversionNotification wwpLeosCfmFaultTrapSet wwpLeosCfmFaultTrapClear wwpLeosSwXgradeBladePkgIncorrect wwpLeosSwXgradeOpCompletion wwpLeosSystemServiceModeChange

RMON

WWP-LEOS-MSTP-MIB.my

WWP-LEOS-MSTP-MIB.my

WWP-LEOS-MSTP-MIB.my

WWP-LEOS-MSTP-MIB.my

WWP-LEOS-MSTP-MIB.my

WWP-LEOS-OAM-MIB.my

WWP-LEOS-PBT-MIB.my

WWP-LEOS-CFM-MIB.my

WWP-LEOS-CFM-MIB.my

WWP-LEOS-SW-XGRADE-MIB.my

WWP-LEOS-SW-XGRADE-MIB.my

WWP-LEOS-SYSTEM-CONFIG-MIB.my

With remote monitoring (RMON), you can enable a device to gather information related to groups defined in the IEEE RFC 1757 and RFC 2021. Using a network monitoring device, you can probe the network to retrieve this information by sampling SNMP MIB objects.

RMON supports four of the groups defined in IEEE RFC 1757:

Alarm - The alarm group monitors system variables periodically, taking samples and comparing them to the configured thresholds (rising and/or falling). A user defined event is generated when a threshold has been crossed.

Event - With the event group you can create an event and define an action to take when an alarm occurs. RMON on all devices supports the configuration of up to 28 entries for statistics, alarms, events, and history.

History - The history group is a set of periodical statistical samples saved during a defined period of time for a port. Data provided can subsequently be reviewed.

Statistics - Ethernet statistics are retrieved and measured by the probes for each of the configured Ethernet ports on the device.

RMON supports one of the groups defined in IEEE RFC 2021:

User History - Periodic samples of user specified history.

Benefits

SNMP provides the basis to manage network devices through interfaces other than the

CLI, including configuration, notification of system events, and RMON.

Configuring Global Attributes

You can set and display global SNMP attributes including:

Operational status

• System contact information

System Software Configuration Guide 6.5.0

319

C

ONFIGURING

SNMP

Configuring Global Attributes

System location

• Link up and down traps status

CFM fault traps status

Setting Operational Status

The operational status is either enabled or disabled. When the operational status is disabled, attempts to connect to the SNMP agent will timeout. By default, the status is enabled. snmp enable

To enable SNMP status:

To disable SNMP status:

snmp disable

Setting Contact, Location, Link Up and Down Traps, and CFM Fault Traps

In addition to the operational status, you can set the following attributes:

Contact - The contact field is a 1-63 character string, such as a department name and phone number. If the string includes spaces, enclose it with quotes. By default, the contact is “Customer Support, World Wide Packets”.

Location - The location field is a 1-63 character string, such as an address. If the string includes spaces, enclose it with quotes. By default, the location is “Not Specified”.

Enhanced link up and link down trap - When enabled, proprietary link up and down traps are sent by the device. By default, the proprietary link up and link down traps are disabled.

Standard link up and link down trap - When enabled, standard link up and down traps are sent by the device. By default, standard link up and link down traps are enabled.

CFM fault trap - When enabled, CFM faults are sent by the device. By default, the CFM fault traps are disabled.

To set SNMP contact, location, and trap attributes:

snmp set {[contact <String[255]>], [enhancement-link-up-down-trap <disable|enable>]}

[location <String[255]>], [std-link-up-down-trap <disable|enable>], [cfm-fault-trap

<disable|enable>]}

Example:

> snmp set contact "Customer Support, World Wide Packets" enhancement-link-up-down-trap disable location "Spokane Valley, USA" std-link-up-down-trap enable

Displaying SNMP Global Attributes

snmp show

To display SNMP global attributes:

320 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring SNMPv1/v2c Community Based Security

> snmp show

Example:

+----------------------SNMP GLOBAL CONFIGURATION-------------------------+

| Parameter | Value |

+-----------------------------+------------------------------------------+

| Operational status | Enable |

| System Contact | Customer Support, World Wide Packets |

| System Location | Not Specified |

| Standard link-up-down trap | Enable |

| Enhanced link-up-down trap | Disable |

+-----------------------------+------------------------------------------+

Configuring SNMPv1/v2c Community Based Security

SNMP communities provide limited security for SNMP access to the device. The default

community configuration shown in Table 22-6, in this chapter allows any IP address

within the network to access the device via SNMP.

Table 22-6: Default SNMP Communities

IP Address Community

0.0.0.0

0.0.0.0

public private

Permissions

read-only read-write

NOTE: SNMPv1/v2c community based security are deprecated. Deprecated commands are still supported by the CLI and work for configuration. However, in a future release, deprecated commands will no longer be supported.

Creating a Community and Adding Members

Whether you want to add a member to an existing community or create a new one, the command is the same. If the community does not exist, it is created. If it already exists, the IP address and permission is added to the community. You can add up to 18 entries to the community table.

To create a community or add members to an existing community:

snmp add community <String[64]> ip <IpAddress> permission <read-only|read-write>

Example:

> snmp add community MyCommunity ip 1.1.1.1 permission read-write

Removing a Community and Removing Members

Whether you want to remove a member from a community or remove a community, the command is the same. If the community has more than one member, you must run the command to remove all IP addresses from the community.

System Software Configuration Guide 6.5.0

321

C

ONFIGURING

SNMP

Configuring SNMPv1/v2c Community Based Security

To remove a community or remove members from a community:

snmp remove community <CommunityName> ip <IpAddress>

Example:

> snmp remove community MyCommunity ip 1.1.1.1

Updating Community Permissions

To update the permissions for a community entry:

snmp set community <CommunityName> ip <IpAddress> permission <read-only|read-write>

Example:

> snmp set community MyCommunity ip 1.1.1.1 permission read-only

Displaying SNMP Communities

To display all SNMP communities:

snmp show communities

Example:

> snmp show communities

+--------------------+--------------------+--------------------------------+

| IP Address | Host Name | Community Name | Permissions |

+--------------------+--------------------+-----------------+--------------+

| 0.0.0.0 | | public | read-only |

| 0.0.0.0 | | private | read-write |

| 1.1.1.1 | | MyCommunity | read-only |

+--------------------+--------------------+-----------------+--------------+

Configuring Trap Servers

You can configure the device to transmit any SNMP traps to a designated trap server.

Adding a Trap Server

To add a trap server:

snmp add trap-server <IpAddress> community <CommunityName>

Example:

> snmp add trap-server 1.1.1.4 community MyCommunity

322 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring Port Traps and Servers

Removing a Trap Server

To remove a trap server:

snmp remove trap-server <IpAddress> community <CommunityName>

Example:

> snmp remove trap-server 1.1.1.4 community MyCommunity

Displaying Trap Servers

To display all trap servers:

snmp show trap-server

Example:

> snmp show trap-server

+---------------------------- TRAP SERVER TABLE -------------------------------+

| IP Address | Host Name | Community Name |

+-----------------+---------------------------------+--------------------------+

| 1.1.1.4 | | MyCommunity |

+-----------------+---------------------------------+--------------------------+

Configuring Port Traps and Servers

When the port trap is disabled, any traps generated by the port will not be transmitted to a configured trap server. By default, port traps are enabled for all ports.

To disable port traps:

snmp port-traps disable port <PortNameList>

Example:

> snmp port-traps disable port 10

To enable port traps:

snmp port-traps enable port <PortNameList>

Example:

> snmp port-traps enable port 10

To display all port traps:

snmp show port-traps

System Software Configuration Guide 6.5.0

323

C

ONFIGURING

SNMP

Configuring SNMPv3

Example:

> snmp show port-traps

+------PORT TRAP TABLE------+

| PortName | State |

+----------------+----------+

| 1 | Enable |

| 2 | Enable |

| 3 | Enable |

| 4 | Enable |

| 5 | Enable |

| 6 | Enable |

| 7 | Enable |

| 8 | Enable |

| 9 | Enable |

| 10 | Enable |

+----------------+----------+

Configuring SNMPv3

This section identifies default table entries and sample configurations that are supported.

NOTE: To configure SNMPv3 encryption and authentication, the Advanced Security feature license must be installed with the software license install command.

SNMPv3 Default Table Entries

Following is a list of the SNMPv3 default table entries that are supported

:

Table 22-7: Default SNMP User Table Entries

User Name AuthProtocol

Public

Private noAuth noAuth

PrivProtocol

noPriv noPriv

324

Table 22-8: Default SNMP Security Map Table Entries

User Name SecModel

Public

Private

Public

Private

V1

V1

V2

V2

GroupName

Public

Private

Public

Private

Table 22-9: Default SNMP VACM Access Table Entries

GroupName SecModel SecLevel ReadView

Public V1 noAuth V12cView

WriteView NotifView

V12cView

System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring SNMPv3

Table 22-9: Default SNMP VACM Access Table Entries

Public

Private

Private

V2c

V1

V2 noAuth noAuth noAuth

V12cView

V12cView

V12cView

V12cView

V12cView

V12cView

V12cView

V12cView

Table 22-10: Default SNMP VACM View Tree Table Entries

ViewTreeName

V12cView

V12cView

SubTree

iso snmpResearch

Type

include exclude

Table 22-11: Default SNMP Target Table Entries

Target Name

Anywhere

IP Address

0.0.0.0

Param Name

None

Tags

AnywhereTag

UDP Port

0

Table 22-12: Default SNMP Community Map Table Entries

Community Index

T0000000

Community Name

Public

SecName

Public

T0000001 Private Private

Transport Tag

AnywhereTag

AnywhereTag

Table 22-13: Default SNMP Notification Table Entries

Notification Name Notification Tag

Traps TrapTag

Notification Type

1

Creating SNMP Users

You can create users with an authentication protocol, privacy protocol, authentication password, privacy password, authentication secret key, and privacy secret key.

To create a user:

snmp create user <String[32]> {auth-protocol <noauth|md5|sha>} [priv-protocol

<nopriv|des>] [priv-password <String[64>] [auth-password <String[64]>] [authsecret <String[40]>] [priv-secret <String[40]>]

System Software Configuration Guide 6.5.0

325

C

ONFIGURING

SNMP

Configuring SNMPv3

Example:

> snmp create user user1 auth-protocol md5 priv-protocol noPriv auth-password mypassword

To display users:

snmp show user

Example:

> snmp show user

+-----------------------+--------------+--------------+

| UserName | AuthProt | PrivProt |

+-----------------------+--------------+--------------|

| user1 | md5 | noPriv |

| public | noAuth | noPriv |

| private | noAuth | noPriv |

+-----------------------+--------------+--------------+

To delete a user:

snmp delete user <String[32]>

Example:

> snmp show user

Configuring SNMP Community Mapping

1. Create an entry in the snmpCommunityTable.

snmp create community-index <String[32]> {community <String[64]>} {sec-name

<String[32]>}

Example:

> snmp create community-index comm1 community mycommunity sec-name user1

2. Validate that the new entry was created.

> snmp show community-map

+----------------+----------------+----------------+----------------+

| CommunityIndex | CommunityName | SecName | TransportTag |

+----------------+----------------+----------------|----------------+

| comm1 | mycommunity | user1 | |

| t0000000 | public | public | anywhereTag |

| t0000001 | private | private | anywhereTag |

+----------------+----------------+----------------|----------------+

3. Create an entry in the vacmSecurityToGroupTable.

snmp security-to-group attach user <String[32]> {sec-model <v1|v2c|v3>} {group

<String[32]>}

326 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring SNMPv3

Example:

> snmp security-to-group attach user user1 sec-model v1 group group1

4. Validate that the new entry was created.

> snmp show security-to-group

+-----------------------+----------+------------------+

| UserName | SecModel | GroupName |

+-----------------------+----------+------------------+

| user1 | v1 | group1 |

| public | v1 | public |

| private | v1 | private |

| public | v2c | public |

| private | v2c | private |

+-----------------------+----------+------------------+

5. Create an entry in the vacmAccessTable.

snmp create access-entry <String[32]> {sec-model <v1|v2c|v3>}{sec-level

<noAuth|authNoPriv|authWithPriv>}[read-view <String[64]>][write-view

<String[64]>][notify-view <String[64]>]

Example:

> snmp create access-entry group1 sec-model v1 sec-level noAuth read-view viewtree1

6. Validate that the new entry was created.

> snmp show access-entry

+------------+----------+----------+----------+-----------+-----------+

| GroupName | SecModel | SecLevel | ReadView | WriteView | NotifView |

+------------+----------+----------+----------+-----------+-----------+

| group1 | v1 | noAu | viewtree1| | |

| public | v1 | noAu | V12cView | | V12cView |

| public | v2c | noAu | V12cView | | V12cView |

| private | v1 | noAu | V12cView | V12cView | V12cView |

| private | v2c | noAu | V12cView | V12cView | V12cView |

+------------+----------+----------+----------+-----------+-----------+

7. Create an entry in the vacmViewTreeFamilyTable.

snmp create viewtree <String[32]> {sub-tree <String[64]>} {type <include|exclude>}

Example:

> snmp create viewtree viewtree1 sub-tree mgmt type include

System Software Configuration Guide 6.5.0

327

C

ONFIGURING

SNMP

Configuring SNMPv3

8. Validate that the new entry was created.

> snmp show viewtree

+---------------------------+-----------------------+----------+

| ViewTreeName | SubTree | Type |

+---------------------------+-----------------------+----------+

| V12cView | iso | include |

| V12cView | snmpResearch | exclude |

| viewtree1 | mgmt | include |

+---------------------------+-----------------------+----------+

Configuring a

Trap Server

1. Create an SNMP trap server entry using the default SNMPv1 / SNMPv2c configuration.

snmp create target <String[32]>{addr <IpAddress>}{param-name <String[32]>}[tag

<String[32]>][udp-port <NUMBER: 1-65535>]

Example:

> snmp create target TRAPS addr 10.10.10.10 param-name TRAPS

2. Validate that the new entry was created.

> snmp show target

+--------------+---------------+---------------+----------------+---------+

| TargetName | IPAddress | ParamName | Tags | Udp Port|

+--------------+---------------+---------------+----------------+---------+

| TRAPS | 10.10.10.10 | TRAPS | TrapTag | 162 |

| anywhere | 0.0.0.0 | none | anywhereTag | 0 |

+--------------+---------------+---------------+----------------+---------+

3. Create a target parameter and security name.

snmp create target-param <String[32]> {sec-name <String[32]>}

Example:

> snmp create target-param TRAPS sec-name public

4. Validate that the new entry was created.

> snmp show targetParams

+---------------------------+--------------------------+--------+--------+

| TargetParamName | SecurityName | Sec | MP |

| | | Model | Model |

+---------------------------+--------------------------+--------+--------+

| TRAPS | public | v1 | 0 |

+---------------------------+--------------------------+--------+--------+

328 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring SNMPv3

Configuring

Traps

1. Create an entry in the snmpTargetAddrTable.

snmp create target <String[32]>{addr <IpAddress>}{param-name <String[32]>}[tag

<String[32]>][udp-port <NUMBER: 1-65535>]

Example:

> snmp create target target1 addr 192.168.15.30 param-name param1 tag TrapTag

2. Validate that the new entry was created.

> snmp show target

+----------------+---------------+----------------+-------------+----------+

| TargetName | IPAddress | ParamName | Tags | Udp Port |

+----------------+---------------+----------------+-------------+----------+

| anywhere | 0.0.0.0 | none | anywhereTag | 0 |

| target1 | 192.168.15.30 | param1 | TrapTag | 162 |

+----------------+---------------+----------------+-------------+----------+

3. Create an entry in the snmpTargetParamTable.

snmp create target-param <String[32]> {sec-name <String[32]>}

Example:

> snmp create target-param param1 sec-name user1

4. Validate that the new entry was created.

> snmp show targetparams

+------------------+-----------------+-----------+----------+

| TargetParamName | SecurityName | Sec Model | MP Model |

+------------------+-----------------+-----------+----------+

| param1 | user1 | v1 | 0 |

+------------------+-----------------+-----------+----------+

5. Create an entry in the vacmSecurityToGroupTable.

snmp security-to-group attach user <String[32]> {sec-model <v1|v2c|v3>} {group

<String[32]>}

Example:

> snmp security-to-group attach user user1 sec-model v1 group group1

System Software Configuration Guide 6.5.0

329

C

ONFIGURING

SNMP

Configuring SNMPv3

6. Validate that the new entry was created.

> snmp show security-to-group

+-----------------------+----------+------------------+

| UserName | SecModel | GroupName |

+-----------------------+----------+------------------+

| user1 | v1 | group1 |

| public | v1 | public |

| private | v1 | private |

| public | v2c | public |

| private | v2c | private |

+-----------------------+----------+------------------+

7. Create an entry in the vacmViewTreeFamilyTable.

snmp create viewtree <String[32]> {sub-tree <String[64]>} {type <include|exclude>}

Example:

> snmp create viewtree trap sub-tree mgmt type include

8. Validate that the new entry was created.

> snmp show viewtree

+---------------------------+-----------------------+----------+

| ViewTreeName | SubTree | Type |

+---------------------------+-----------------------+----------+

| trap | mgmt | include |

| V12cView | iso | include |

| V12cView | snmpResearch | exclude |

+---------------------------+-----------------------+----------+

9. Create an entry in the vacmAccessTable.

snmp create access-entry <String[32]> {sec-model <v1|v2c|v3>}{sec-level

<noAuth|authNoPriv|authWithPriv>}[read-view <String[64]>][write-view

<String[64]>][notify-view <String[64]>]

Example:

> snmp create access-entry group1 sec-model v1 sec-level noAuth read-view trap notify-view trap

10.Validate that the new entry was created.

> snmp show access-entry

+-------------+-----------+----------+----------+-----------+-----------+

| GroupName | SecModel | SecLevel | ReadView | WriteView | NotifView |

+-------------+-----------+----------+----------+-----------+-----------+

| group1 | v1 | noAuth | trap | | trap |

| public | v1 | noAuth | V12cView | | V12cView |

| public | v2c | noAuth | V12cView | | V12cView |

| private | v1 | noAuth | V12cView | V12cView | V12cView |

| private | v2c | noAuth | V12cView | V12cView | V12cView |

+-------------+-----------+----------+----------+-----------+-----------+

330 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring SNMPv3

11.Create an entry in the snmpCommunityTable.

snmp create community-index <String[32]> {community <String[64]>} {sec-name

<String[32]>}

Example:

> snmp create community-index target1 community comm1 sec-name user1 transport-tag

TrapTag

12.Validate that the new entry was created.

> snmp show community-map

+----------------+----------------+-------------+---------------+

| CommunityIndex | CommunityName | SecName | TransportTag |

+----------------+----------------+-------------|---------------+

| t0000000 | public | public | anywhereTag |

| t0000001 | private | private | anywhereTag |

| target1 | comm1 | user1 | TrapTag |

+----------------+----------------+-------------+---------------+

Modifying Community Map Attributes

You can modify the attributes of a community map, including the community name, security name, and transport tag.

To modify community map attributes:

snmp set community-index <String[32]> {community <String[64]>} {sec-name

<String[32]>} [transport-tag <String[32]>

Example:

> snmp set community-index target1 community comm1 sec-name user1 transport-tag anywhereTag

System Software Configuration Guide 6.5.0

331

C

ONFIGURING

SNMP

Configuring SNMPv3

Creating and Attaching an SNMPv3 User to an SNMPv3 Access Entry Group

1. Create an SNMPv3 user with an authentication protocol, privacy protocol, authentication password, and privacy password.

snmp create user <String[32]> {auth-protocol <noauth|md5|sha>} [priv-protocol

<nopriv|des>] [priv-password <String[64>] [auth-password <String[64]>] [authsecret <String[40]>] [priv-secret <String[40]>]

Example:

> snmp create user SNMPv3_User auth-protocol md5 priv-protocol des auth-password

SNMPv3_password1 priv-password SNMPv3_password2

2. Validate that the new entry was created.

> snmp show user

+---------------------------------+--------------+--------------+

| UserName | AuthProt | PrivProt |

+---------------------------------+--------------+--------------|

| public | noAuth | noPriv |

| private | noAuth | noPriv |

| SNMPv3_User | md5 | des |

+---------------------------------+--------------+--------------|

3. Create a view tree entry in the vacmViewTreeFamilyTable with a sub-tree that can be viewed.

snmp create viewtree <String[32]> {sub-tree <String[64]>} {type <include|exclude>}

Example:

> snmp create viewtree SNMPv3_view sub-tree mgmt type include

4. Validate that the new entry was created.

> snmp show viewtree

+---------------------------+-----------------------+----------+

| ViewTreeName | SubTree | Type |

+---------------------------+-----------------------+----------+

| V12cView | iso | include |

| V12cView | snmpResearch | exclude |

| SNMPv3_view | mgmt | include |

+---------------------------+-----------------------+----------+

5. Create an access policy in the vacmAccessTable with a v3 security model.

Include a security level with authorization and privileges. Also include a read view, write view, and notify view.

snmp create access-entry <String[32]> {sec-model <v1|v2c|v3>}{sec-level

<noAuth|authNoPriv|authWithPriv>}[read-view <String[64]>][write-view

<String[64]>][notify-view <String[64]>]

332 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring SNMPv3

Example:

> snmp create access-entry SNMPv3_Group sec-model v3 sec-level authWithPriv readview V3View write-view V3View notify-view V3View

6. Validate that the new entry was created.

> snmp show access-entry

+--------------+-----------+----------+----------+-----------+-----------+

| GroupName | SecModel | SecLevel | ReadView | WriteView | NotifView |

+--------------+-----------+----------+----------+-----------+-----------+

| public | v1 | noAuth | V12cView | | V12cView |

| public | v2c | noAuth | V12cView | | V12cView |

| private | v1 | noAuth | V12cView | V12cView | V12cView |

| private | v2c | noAuth | V12cView | V12cView | V12cView |

| SNMPv3_Group | usm | AuthWtPv | V3View | V3View | V3View |

+--------------+-----------+----------+----------+-----------+-----------+

7. Attach the SNMPv3 user to an SNMPv3 access group using the

vacmSecurityToGroupTable.

snmp security-to-group attach user <String[32]> {sec-model <v1|v2c|v3>} {group

<String[32]>}

Example:

> snmp security-to-group attach user SNMPv3_User sec-model v3 group SNMPv3_Group

8. Validate that the new entry was created.

> snmp show security-to-group

+-----------------------+----------+------------------+

| UserName | SecModel | GroupName |

+-----------------------+----------+------------------+

| public | v1 | public |

| private | v1 | private |

| public | v2c | public |

| private | v2c | private |

| SNMPv3_User | v3 | SNMPv3_Group |

+-----------------------+----------+------------------+

Modifying User Attributes

You can modify the attributes of an existing SNMPv3 user, including: authentication protocol, privacy protocol, authentication password, and privacy password.

To modify user attributes:

snmp set user <SnmpUser> {[auth-protocol <noauth|md5|sha>], [auth-password

<String>], [priv-protocol <nopriv|des>], [priv-password <String>]}

Example:

> snmp set user SNMPv3_User auth-protocol md5 priv-protocol des auth-password

SNMPv3_password1 priv-password SNMPv3_password2

System Software Configuration Guide 6.5.0

333

C

ONFIGURING

SNMP

Configuring RMON

Configuring Notification Entries

You can create, modify, delete, and display entries in the snmpNotifTable specified in

SNMP-NOTIFICATION-MIB.my. The snmpNotifTable contains a default entry tag called the

Trap Tag that is used to qualify entries in the snmpTargetTable for SNMPv1 traps.

To create notification entries:

snmp create notify <String[32]> {notify-tag <String[32]>} [notify-type

<trap|notification>]

Example:

> snmp create notify myNotifyName notify-tag myNotifyTag notify-type trap

To modify notification entries:

snmp set notify <String[32]> {[notify-tag <String[32]>], [notify-type

<trap|notification>]}

Example:

> snmp set notify notify myNotifyName notify-tag myNotifyTag notify-type notification

To delete notification entries:

snmp delete notify <String[32]>

Example:

> snmp delete notify myNotification

To display a list of notification entries:

snmp show notify

Example:

> snmp show notify

+----------------+------------------+-------------------+

|NotificationName| Notification Tag | Notification Type |

+----------------+------------------+-------------------+

|Traps |TrapTag |1 |

|myNotifyName |myNotifyTag |2 |

+----------------+------------------+-------------------+

Configuring RMON

Configuring Alarms

When you configure alarms, you define a set of parameters that will be compared to object values and network activities. When the alarm threshold is crossed, an event is generated and the samples will be written to a log.

334 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring RMON

Two types of sampling can be configured: absolute sampling which compares the data to the set threshold; delta sampling which compares two consecutive samplings and compares the difference against the threshold.

Rising and falling thresholds allow the administrator to define boundaries (high and low) and create a warning if these boundaries are crossed. For example, an alarm will be triggered if the amount of packets going trough a port is higher than expected (rising threshold) or below normal (falling threshold).

A number of attributes need to be defined in order to describe an alarm:

data source - indicate the interface OID (example:

1.3.6.1.2.1.16.1.1.1.5).

index - the index in the alarm table.

owner - name of the owner (optional).

sample-type - absolute or delta.

interval - time interval in seconds used to compare samples and send alarm.

startup-alarm - defines the condition required to trigger alarm (rising, falling or both).

falling-event-index - set index for falling event.

rising-event-index - set index for rising event.

falling-threshold - minimum value (related the particular interface MIB object being monitored) against which samplings are compared.

rising-threshold - maximum value (related to the particular interface MIB object being monitored) against which samplings are compared.

To add an alarm entry:

rmon alarm add {data-source <String[127]>} {falling-event-index <NUMBER:1-65535>} {fallingthreshold <NUMBER:0-999999999>} {index <NUMBER:1-65535>} {interval <NUMBER:1-3600>} [owner

<String[127]>] {rising-event-index <NUMBER:1-65535>}{rising-threshold <NUMBER:0-999999999>}

{sample-type <absolute|delta >} {startup-alarm <rising|falling|both>}

Example:

This example adds an alarm entry to monitor the amount of traffic entering a port and create an event when the throughput is under 100 Mbps or above 900 Mbps:

> rmon alarm add data-source 1.3.6.1.2.1.16.1.1.1.5 index 1 interval 30 owner Admin sample-type absolute startup-alarm both falling-event-index 1 falling-threshold 100 rising-event-index 1 rising-threshold 900

To display an alarm entry:

rmon show alarm-index <NUMBER:1-65535>

Example:

> rmon show alarm-index 1

+-------------RMON ALARM STATISTICS-----------------------+

| Index | Parameter | Value |

+--------+---------------+--------------------------------+

| 1 | OID | etherStatsPkts |

| | Type | Absolute |

| | Interval (sec)| 30 |

| | Rising Limit | 900 |

| | Falling Limit | 100 |

| | Rising Index | 1 |

| | Falling Index | 1 |

| | Owner | Admin |

+--------+---------------+--------------------------------+

System Software Configuration Guide 6.5.0

335

C

ONFIGURING

SNMP

Configuring RMON

To delete an alarm entry:

rmon alarm remove index <NUMBER:1-65535>

Example:

> rmon alarm remove alarm-index 1

Configuring Events

An event notifies you when an alarm is triggered. When you create an a event, the following attributes apply:

index - creates an index for the event in the event table

description - describe the event

type - indicate the type of event created and where the information is sent: none, log snmp-trap, log-and-snmptrap.

community - create a community or refer to an existing community (optional)

owner - indicate event’s owner (optional)

To add an event entry:

rmon event add [community <String[127]>] [owner <String[127]>] {description <String[127]>}

{index <NUMBER:1-65535>} {type <none|log|snmp-trap|log-and-snmptrap>}

Example:

> rmon event add index 1 description Test type log community Network1 owner Admin

To display event entries:

rmon show event-table

Example:

> rmon show event-table

+----------------------RMON EVENT STATISTICS--------------------------+

| Index | Description | Event Type | Community | Owner |

+-------+-----------------------+--------------+------------+---------+

| 1 | Test | log | Network1 | Admin |

+-------+-----------------------+--------------+------------+---------+

To delete an event entry:

rmon event remove index <NUMBER:1-65535>

Example:

> rmon event remove index 1

Configuring History

With the history group, you can monitor and store port Ethernet statistics. A bucket is one sample of data collection during a distinct time interval. A number of attributes need to be defined to configure the history group:

data source - indicate the interface OID (example:

1.3.6.1.2.1.16.1.1.1.5).

index - the index in the history table.

336 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring RMON

interval - indicates in seconds the sampling interval.

num-buckets - number of buckets to use.

owner - indicate history entry’s owner (optional)

file-logging - enables or disables saving the history to a file.

To add an history entry:

rmon history add {data-source <String[127]>} {index <NUMBER:1-65535>} [interval <NUMBER:1-

3600>] [num-buckets <NUMBER:1-65535>] [owner <String[127]>] [file-logging <on | off>]

Example:

> rmon history add data-source 1.3.6.1.2.1.16.1.1.1.5 index 1 interval 12 num-buckets 78 owner

Admin

To display event entries:

rmon show history

Example:

> rmon show history

+---------------------RMON HISTORY STATISTICS----------------------+

| Index | OID | Req-buckets | Interval | Owner |

+-------+--------------------+-------------+----------+------------+

| 1 | etherStatsPkts | 78 | 12 | Admin |

+-------+--------------------+-------------+----------+------------+

To delete a history entry:

rmon history remove index <NUMBER:1-65535>

Example:

> rmon history remove index 1

Configuring Statistics

The statistics group (defined in RFC1757) provides information about data received over a device ports. This information is a list of raw statistics. These statistic counters are either based on frames or bytes passing through the port.

Statistics attributes include:

data source - indicate the interface OID in the format ifIndex.100xx where xx is the port number (example: ifindex.10001).

index - the index is a unique number corresponding to a row in the table.

owner - indicate history entry’s owner (optional).

To add a statistics entry:

rmon statistics add {data-source <String[127]>} {index <NUMBER:1-65535>} [owner

<String[127]>]

Example:

> rmon statistics add index 1 data-source ifIndex.10001 owner Admin

System Software Configuration Guide 6.5.0

337

C

ONFIGURING

SNMP

Configuring RMON

To display a statistics entry:

rmon show statistics

Example:

> rmon show statistics

+----------RMON STATISTICS-------------+

| Index | OID | Owner |

+-------+-----------------+------------+

| 1 | ifIndex.10001 | Admin |

+-------+-----------------+------------+

To delete a statistics entry:

rmon statistics remove index <NUMBER 1-65535>

Example:

> rmon statistics remove index 1

Configuring User History

The user history provides a way to specify the MIB information to be collected. When configuring user history, you need to define an SNMP object along with a control entry.

The object attributes include:

sample-type - sample type, absolute or delta.

object - OID name.

index - the index is a unique number corresponding to a row in the table.

control-index - maps to the associated control entry.

The control entry includes:

file-logging - Enables or disables file-logging which makes the history persistent

(optional).

index - Index in the history table (optional).

interval - Interval used for monitoring (optional).

num-buckets - Number of buckets to use (optional).

owner - Name of the owner (optional).

To add a user history object entry:

rmon usr-history add-object {sample-type absolute|delta} {object <String[127]>} {index

<NUMBER: 1-1200>} control-index <NUMBER: 1-1200>}

Example:

> rmon usr-history add-object index 1 control-index 1 sample-type absolute object snmpInPkts.0

To add a user history control entry:

rmon usr-history add-control [file-logging <on|off>] {index <NUMBER:1-1200>} [interval

<NUMBER:1-65535>] [num-buckets <NUMBER:1-65535>] [owner <String[127]>]

338 System Software Configuration Guide 6.5.0

C

ONFIGURING

SNMP

Configuring RMON

Example:

> rmon history add data-source 1.3.6.1.2.1.16.1.1.1.5 index 1 interval 12 num-buckets 78 owner

Admin

To display user history object and control entries:

rmon show user-history

Example:

> rmon show user-history

+----------RMON USER HISTORY CONTROL TABLE----------------------------------+

| index | object |requested | granted | interval | owner | File |

| | | buckets | buckets | | | Logging|

+-------+--------+----------+---------+----------+-----------------+--------+

| 1 | 1 | 50| 50 | 1800 | | no |

+-------+--------+----------+---------+----------+-----------------+--------+

+---------RMON USER HISTORY OBJECT TABLE-------------------+

| object | control | data source | sample-type |

| index | index | | |

+--------+---------+-------------------------+-------------+

| 1 | 1 | snmpInPkts.0 | Absolute |

+--------+---------+-------------------------+-------------+

To delete a user history object entry:

rmon usr-history remove-object {index <NUMBER 1-65535>} {control-index <NUMBER: 1-1200>}

Example:

> rmon usr-history remove-object index 1 control-index 1

To delete a user history control entry:

rmon usr-history remove-control index <NUMBER 1-65535>

Example:

> rmon usr-history remove-control index 1

System Software Configuration Guide 6.5.0

339

C

ONFIGURING

SNMP

Troubleshooting

Troubleshooting

Displaying SNMP Configuration in the Configuration File

SNMP and RMON configuration is saved to the configuration file in the SNMP CONFIG: section.

Example:

> configuration show

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! SNMP CONFIG:

!

snmp port-traps disable port 1 snmp port-traps disable port 2 snmp port-traps disable port 3 snmp port-traps disable port 4 snmp port-traps disable port 5 snmp port-traps disable port 6 snmp port-traps disable port 7 snmp port-traps disable port 8 snmp port-traps disable port 9 snmp port-traps disable port 10 snmp set contact "Customer Support, Ciena +1 (509) 242-9000" snmp set location "Spokane Valley, USA" snmp set enhancement-link-up-down-trap enable rmon usr-history add-control index 1 rmon usr-history add-object index 1 object snmpInPkts.0 control-index 1 sample-type absolute

!

340 System Software Configuration Guide 6.5.0

Chapter

Provider Backbone Transport

• • • • • •

23

At a Glance:

Overview

Connectivity Fault Management

Benefits

Configuration

This chapter details the implementation of Provider Backbone Transport (PBT) in the core of a Ciena network. A basic understanding of the IEEE 802.1Q, 802.1ad, and 802.1ah standards is assumed. In addition, it is highly recommended that CFM (IEEE 802.1ag) be used to monitor the PBT service to warn if any faults occur in the service.

A software license key is required to activate PBT. Contact Ciena Sales to obtain a license key.

NOTE: PBT is not supported on the CN 3911 and CN 3920.

Overview

Provider Backbone Transport (PBT) can be considered as an extension to what is known as

Provider Backbone Bridging (PBB) or Carrier Ethernet. PBT allows providers to create point-to-point, primary and backup Ethernet tunnels and specify the path that traffic will take across their Ethernet metro networks. These paths reserve appropriate bandwidth and support the provisioned QoS metrics. However, PBT is unique in that it actually disables some Ethernet features in order to accomplish its goal of delivering traffic.

VLAN Tagging

The IEEE 802.1Q standard specifies a mechanism for adding tags to Ethernet frames. This tagging allows an Ethernet network to be divided into virtual networks or VLANs.

Generally, individual customers in a provider’s network are identified by unique VLAN IDs.

Additionally, each customer typically uses VLAN IDs in their own network to differentiate between service types (for example, data or VoIP) and possibly to distinguish between departments. This three-tier hierarchy allows separate domains for the service provider, customer and individual enterprise departments.

Given the 12-bit size of the VLAN field in an Ethernet frame, the number of available

VLAN IDs is limited to 4,096. In a large provider network, the number of customers could easily exceed 4,000, exhausting the available VLAN IDs very quickly. To help improve network scalability, two standards have been introduced to support this hierarchical approach, IEEE 802.1ad and IEEE 802.1ah.

System Software Configuration Guide 6.5.0

341

P

ROVIDER

B

ACKBONE

T

RANSPORT

Overview

Q-in-Q

The IEEE 802.1ad (also known as Q-in-Q, stacked VLANs, or Provider Bridges), extends the original concept of VLAN tags by specifying a new provider-administered 802.1Q tag (Qtag) that wraps or encapsulates the original customer packet in an additional header. This allows the service provider to administer their own tags to identify individual customer networks, while the first (original) Q-tag is unique within the customer’s own network.

This then allows for overlap between the customer and provider VLAN IDs since the customer Q-tag is hidden while it is transported through the provider network. However, while this Q-in-Q approach supports a three-tiered hierarchy and frees up additional VLAN

IDs, the service provider can still only create 4,094 customer VLANs. Scalability is still an issue as 4,000 tags is simply insufficient for large metropolitan networks. This shortcoming is addressed by the second standard, IEEE 802.1ah.

MAC Header Encapsulation

The IEEE 802.1ah standard, also known as MAC header encapsulation (MAC-in-MAC) or

Provider Backbone Bridging, encapsulates the customer MAC header with a MAC header for the service provider. A 24-bit service tag that identifies individual subscribers, is also used in the service provider MAC header. This enables a maximum of 16 million service instances to be supported, thus alleviating the scalability issue entirely.

With IEEE 802.1ah, the overall network is treated as separate service provider and end customer domains. In the service provider domain, the network switches on the service provider MAC header and the customer MAC is not even visible. This introduces strict demarcation between the customer and service provider, enabling a truly hierarchical approach to the network. MAC-in-MAC greatly improves the scalability of Layer 2 networks.

This approach also alleviates another limitation to traditional Ethernet; learning.

Traditional Ethernet switch-based networks have two defining characteristics that limit their topological size, namely learning and loop avoidance. When a switch receives a packet destined for an end station it does not yet know about, it floods the packet down every link on which it is connected. This is referred to as Flood for Unknown. As the switch inspects every packet it receives, it remembers or learns the association of sending stations and ingress links. Each switch in the layer 2 domain learns the address and associated link for every other device in the network.

While many metro and core devices may be able to support hundreds of thousands of addresses, requiring each device in a provider’s network to handle this number of addresses is cost prohibitive and impacts protection switching schemes. MAC-in-MAC encapsulation solves this Layer 2 scalability problem since there are now fewer MAC addresses to learn at the core.

The IEEE 802.1ah MAC header, specifies that a backbone VLAN tag (B-tag), and an instance service VLAN tag (I-tag) be added to packets traversing the provider backbone bridge.

This extended service VLAN tag is mapped from the Service VLAN ID tag and is longer than a normal VLAN tag. The additional B-tag is then added to ensure that the switches in the middle of the 802.1ah core do not need to know about the 802.1ah functions, thus ensuring backward compatibility. The backbone MAC header is then removed at the other end of the provider’s 802.1ah backbone bridge. A big advantage of 802.1ah is that it works in conjunction with the 802.1ad Provider Bridges VLAN stacking standard to allow both techniques to be used simultaneously.

342 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Overview

Provider Backbone Transport

NOTE: When using PBT, MSTP should not be enabled as all PBT ports need to be in the forwarding state. For example, if MSTP is enabled it could block one of the PBT ports and thus remove the backup tunnel.

PBT has emerged to further address limitations related to scalability and reliability. PBT may be deployed in place of PBB or may run in parallel with PBB. In both cases, PBT eliminates the need for backbone core devices to perform learning and flooding. Instead, point-to-point tunnels to transport L2VPNs are provisioned. Rather than using MSTP to prevent loops, the tunnels are used to traffic engineer the provider backbone network.

A PBT tunnel is unidirectional and is set up to ingress on a local node at one edge of the provider backbone and to terminate on a remote device at the other end of the backbone.

This tunnel transports encapsulated subscriber frames from the local node to the remote node. A second tunnel is then configured in the opposite direction to ingress the remote node and terminate on the local node. This serves as the transport for the reverse traffic.

A tunnel pair together make a bidirectional pipe referred to as a PBT trunk.

PBT tunnels are set up to transport Ethernet Virtual Circuits (IEEE 802.1ad), with the subscriber frames encapsulated using 802.1ah MAC-in-MAC encapsulation. Tunnels are then identified by the Backbone Destination Address (B-DA) and the Backbone Tag (B-Tag).

In Figure 23-1, the highlighted fields are added to the frame to identify tunnels and to

identify flood domains and interconnects.

Tunnel Identifier

Tunnel Identifier

Figure 23-1: PBT Frame Format

Since the tunnels are point-to-point, PBT can also achieve recovery times approaching 50 ms. Providers can set up primary and protection PBT paths and then leverage Carrier

Ethernet OAM standard CFM (IEEE 802.1ag) to monitor the tunnels. This provides fault notifications in milliseconds and thus carrier-grade failover times can be achieved.

System Software Configuration Guide 6.5.0

343

P

ROVIDER

B

ACKBONE

T

RANSPORT

Overview

Figure 23-2 shows an example PBT network with the core provider network in the center

and 3 access networks attached to the core. In the core, primary tunnels are configured

(solid lines) as well as backup tunnels (dotted lines) in order to provide resiliency and greater utilization of the backbone network. Again, in the core, there is no loop detection and no learning.

Figure 23-2: Example of a PBT Network

The system software supports configuration of a maximum of 64 PBT trunks. This allows for 32 ingress tunnels and 32 egress tunnels. However, one PBT tunnel may be used to transport multiple subscriber services. In addition, one virtual circuit must be created for each service instance. A maximum of 127 virtual circuits are supported by one PBT tunnel. PBT tunnels may also be configured across link aggregation ports.

344 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Overview

Figure 23-3 depicts two Provider Bridged networks interconnected by a PBT network.

Two customer Layer 2 Virtual Private networks are shown traversing primary and backup

PBT tunnels through the core network.

Figure 23-3: A PBT Network with Primary and Backup Tunnels

Traffic from Customer A originates at its Site 1. The Provider Bridge encapsulates the customer traffic by adding a Subscriber S-Tag containing the configured S-VID value of 100 reserved for Customer A within its domain. This traffic is then sent to the Provider

Backbone Edge Bridge A (PBEB-A).

PBEB-A has been configured to assign Customer A traffic (S-VID=100) to a 24-bit Instance

Service Identifier (I-SID) value of 10,000. This I-SID value is associated with a primary and a backup PBT tunnel. Each primary and backup tunnel is identified using the combination of a PBEB Destination MAC address and a Backbone-VID (B-VID). This is a significant difference between PBT and PBB. In PBB, B-VIDs represent flood domains that interconnect multiple Provider Bridged networks. In PBT, B-VIDs together with B-DAs identify which tunnel the frame will use.

In our example, the PBEB-A encapsulates S-VID 100 traffic by adding the B-DA value for

PBEB-D, a B-SA value for PBEB-A, a B-VID value of 4001 (primary tunnel), and the I-SID value of 10,000. This MAC header encapsulated traffic is forwarded to Provider Backbone

Core Bridge-C (PBCB-C). PBCB-C has been configured to not learn or flood traffic on B-VID

4001, which has been reserved for PBT use. The fact that PBT does not learn or flood is an important point. Each PBCB device must be provisioned with forwarding database entries in order to properly forward traffic within the tunnels.

The PBCB-C forwarding table learns an entry for the combination of PBEB-D, B-VID 4001 and the traffic is forwarded on the particular port in the direction of PBEB-D. PBEB-D receives the traffic and removes the MAC header encapsulation. Since the S-VID values are only locally significant to the Provider Bridged network, a provider has the flexibility to translate the S-VID value. In our example, PBEB-D has been configured to associate I-

SID 10,000 with S-VID 110.

System Software Configuration Guide 6.5.0

345

P

ROVIDER

B

ACKBONE

T

RANSPORT

Connectivity Fault Management

In this illustration, traffic from the tunnel is de-encapsulated and the S-VID is remapped to the value of 110. The traffic is forwarded to the provider bridge attached to Customer

A’s Site 2. The S-Tag encapsulation is removed by the PB device and the original customer frame from Site 1 is delivered to Site 2.

NOTE: It should also be noted that the PBT service tag is 22 Bytes in length and this needs to be taken into account when calculating available bandwidth. For example, when sending a 64-Byte packet at 100% of line rate through a PBT tunnel, each 64-Byte frame is actually 86 Bytes long (64 + 22).

Connectivity Fault Management

PBT virtual switches and tunnels are monitored through the use of IEEE 802.1ag

Connectivity Fault Management (CFM) Continuity Check Messages (CCM). When CFM services are configured for PBT virtual switches, CCM control frames are sent and received within the PBT tunnels and monitor faults based on the associated PBT virtual circuit events. For CFM services that monitor PBT tunnels, CCM control frames are sent and received regularly along the PBT tunnels. If the primary tunnel should experience a fault, the tunnel endpoints automatically begin using the backup tunnel. The forwarding database entries are pre-configured along the backup path to minimize the failover and restoration times. Only one backup tunnel can be created.

Bac kup

Tunn el

Ingress PBT

Edge Bridge

MEP A

MEP C

Primary Tunnel

MEP B

MEP D

Egress PBT

Edge Bridge

Figure 23-4: PBT with CFM

It should be noted that once a failover occurs (switching the path from the primary to the backup tunnel), the default behavior is for the provisioned primary tunnel to become the backup tunnel unless tunnel reversion is configured using the pbt set tunnelreversion

command. The tunnel-reversion command will automatically revert traffic back to the provisioned primary tunnel once it is up and the reversion hold timer is completed (pbt set reversion-hold-time).

Example:

> pbt set tunnel-reversion off

> pbt set reversion-hold-time 3000

346 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Connectivity Fault Management

Manual reversion allows the network operator to control when or if the reversion will take place (such as late at night or on a weekend) so that the impact to the service is minimum. Manual reversion also prevents flapping between the two tunnels if the primary is not entirely stable. Automatic tunnel reversion is useful if the backup tunnel is inferior to the primary tunnel. Thus, failback occurs automatically.

NOTE: Please note that when configuring PBT reversion, tunnel reversion must be enabled on all remote bridges and the reversion hold time must be set to the same value.

If reversion settings are not symmetrical, it can cause issues with indicating the primary/backup tunnel and can cause delays in reversions.

Ciena supports the draft IEEE 802.1ag CFM including MAC ping, MAC traceroute, and CCM.

Using these powerful CFM tools, both service connectivity and PBT tunnel resiliency is enhanced. In addition, CCM thresholds can be configured to fine-tune protection switching.

PBT Dual Homing

The system software also supports the dual homing of primary and backup tunnels. This enables PBT tunnels to terminate on entirely separate devices. This offers device redundancy and path diversity for upstream connections.

In Figure 23-5, device A is dual homed to device B and device C. This offers link

resiliency, such that if device B fails, traffic is then diverted to the backup tunnel terminating at device C.

B

Ingress PBT

Edge Bridge

Pri ma ry

Tun nel

Backup Tunnel

C

A

Figure 23-5: PBT Dual Homing

Dual homing is configured by specifying a unique MAC address and bridge name when using the pbt remote-bridge create bridge-name command. This second remote bridge is then specified when creating the backup tunnel.

Tunnel Pairing and Synchronization

Although PBT tunnels are set up as trunks, and both an encapsulation and a decapsulation tunnel are required for traffic transport, the tunnel states are not automatically linked together. This makes it possible for the encap and decap tunnels to have different operational states.

System Software Configuration Guide 6.5.0

347

P

ROVIDER

B

ACKBONE

T

RANSPORT

Benefits

For example, if the encap tunnel was down due to misconfiguration, the decap tunnel could still be up and running. This would allow incoming traffic to be decapsulated, thus providing only unidirectional traffic on the circuit. This creates a problem with devices on the terminating end of the tunnels. They would accept all frames regardless of their

B-VID value.

To avoid this behavior, encap and decap tunnels should be tied together using the tunnel pair create

command. By pairing encap and decap tunnels, traffic on an interface is dropped unless the B-VID is specifically configured. In addition, it synchronizes the operational state of the two tunnels. When one tunnel goes down, encap or decap, CCMs are sent over the interface to ensure that the device on the other end takes both tunnels down. The tunnel state will remain down until the MEPs on the other devices have verified connectivity.

In Figure 23-6, the encap tunnel on device B goes down. Device B then sends a CCM error

code to device A. Device A then takes down both the primary encap and decap tunnels and a failover occurs to the backup tunnel.

Tunnel

Pair

Encap

Tunnel

Decap

Tunnel

Pri ma ry

Tun nel

Backup Tunnel

B

C

A

Figure 23-6: Tunnel Pairing Example

To ensure synchronization between primary and backup tunnels, you can enable tunnel synchronization. When tunnel synchronization is turned on for the primary tunnel, a deactivation of either the primary or backup tunnel causes CCMs to be transmitted to the inactive tunnel. This feature enables interoperability with devices running system software 5.x. By default, tunnel synchronization is disabled.

To enable or disable tunnel synchronization when creating a tunnel:

tunnel encap create static-pbt <String> tunnel-sync <on|off>

To enable or disable tunnel synchronization for an existing tunnel:

tunnel encap set static-pbt <TunnelPbtPriTunnel> tunnel-sync <on|off>

Benefits

The main benefits of PBT include:

Removing the 4,000 tag limitation, enabling 16 million distinct services to be configured.

No learning or flooding in the core of the network for a reduction in complexity and cost.

348 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

• Customer MAC address and other information is tunneled through the provider’s network, enhancing security and scalability.

• Using specifically engineered paths or tunnels allows the provider to target maximum utilization of the core network devices.

• The customer and Provider control domains are separated, allowing layer 2 control frames to be transported through the provider’s network.

• 802.1ag CFM can be used to monitor tunnels and provide carrier-grade failover detection.

Configuration

The following steps are used to configure PBT:

1. Prepare the device for PBT

2. PBT general configuration

3. Tunnel configuration

4. Tunnel protection (optional)

5. VC configuration

6. VS configuration

7. VS subscribers

8. CFM configuration (optional)

9. QoS (optional)

NOTE: On the CN 3960, only ports 11 and 12 can be used to configure tunnels for PBT.

Preparing the device for PBT

To use PBT, a license key is required in order to enable PBT features. PBT license keys can be purchased by contacting Ciena customer support.

System Software Configuration Guide 6.5.0

349

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

To prepare the device for PBT:

1. > software license show

+-----------------------------------------------------------------------------+

| | | License | | Sequence | Days |

| Feature Name |Status | Domain | Admin | Number | Remain|

+------------------------------+-------+---------+-------+------------+-------+

| Base-Features |enable | | 00000 | 0000000000 | 00000 |

| Advanced-Security |enable |CN 3140 | 00001 | 0000000020 | 00000 |

| Advanced-Ethernet |enable |CN 3140 | 00001 | 0000000175 | 00000 |

| Advanced-OAM |enable |CN 3140 | 00001 | 0000000190 | 00000 |

| PBB-TE |disable| | 00000 | 0000000000 | 00000 |

+------------------------------+-------+---------+-------+------------+-------+

| Feature Name | License Key |

+-----------------------------------------------------------------------------+

| Base-Features | |

| Advanced-Security | W6F6H8C7N3ZPLQ |

| Advanced-Ethernet | W9F6H8C7N330Q4 |

| Advanced-OAM | WAF6H8C7N34FQK |

| PBB-TE | |

+-----------------------------------------------------------------------------+

2. > software license install file myLicenseFile.txt license-key A1BCD2E3F4GHIZ

3. >software license show

+-----------------------------------------------------------------------------+

| | | License | | Sequence | Days |

| Feature Name |Status | Domain | Admin | Number | Remain|

+------------------------------+-------+---------+-------+------------+-------+

| Base-Features |enable | | 00000 | 0000000000 | 00000 |

| Advanced-Security |enable |CN 3140 | 00001 | 0000000020 | 00000 |

| Advanced-Ethernet |enable |CN 3140 | 00001 | 0000000175 | 00000 |

| Advanced-OAM |enable |CN 3140 | 00001 | 0000000190 | 00000 |

| PBB-TE |enable |CN 3140 | 00001 | 0000000200 | 00000 |

+------------------------------+-------+---------+-------+------------+-------+

| Feature Name | License Key |

+-----------------------------------------------------------------------------+

| Base-Features | |

| Advanced-Security | W6F6H8C7N3ZPLQ |

| Advanced-Ethernet | W9F6H8C7N330Q4 |

| Advanced-OAM | WAF6H8C7N34FQK |

| PBB-TE | A1BCD2E3F4GHIZ |

+-----------------------------------------------------------------------------+

NOTE: Please note that the license key used here is only an example. Contact Ciena Sales to obtain a proper license key.

350 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

4. Make sure that MSTP is disabled either globally or on the individual encap and decap tunnel ports.

> mstp disable

> mstp show

======== Bridge MSTP is DISABLED !!! ========

Configuring PBT

The following configurations are set on a single device as an example of configuring PBT general parameters.

Configuring general PBT parameters:

1. Display the current PBT settings

> pbt show

+------------------ PBT Attributes --------------------+

| PBT Bridge MAC | 00:02:a1:30:7d:60 |

| PBT Service E-type | 0x88c8 |

| PBT Tunnel E-type | 0x88a8 |

| PBT Tunnel Reversion | Off |

| PBT Reversion Hold Time | 3000 milli secs |

+----------------------------+-------------------------+

+--------------- PBT Reserved B-VIDs ------------------+

| B-VID | In Use |

+----------------------------+-------------------------+

| No entries found |

+----------------------------+-------------------------+

+--------------- PBT Remote Bridges -------------------+

| Bridge Name | Index | Bridge MAC | In use |

+-----------------+-------+-------------------+--------+

| No entries found |

+-----------------+-------+-------------------+--------+

2. Configure the PBT bridge MAC that will be used as the B-SA in the frames.

> pbt set bridge-mac

00:02:a1:30:7c:80

NOTE: It is recommended that you manually set the B-SA PBT bridge MAC address. If you do not set the B-SA PBT bridge MAC address, the system software will send the chassis base MAC address as the B-SA. In the event of a hardware failure, the chassis base MAC would change, requiring configuration changes on other devices configured to use this device as a remote bridge. This setting needs to be unique from the B-SA for all devices.

System Software Configuration Guide 6.5.0

351

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

3. Set the Ethertypes if needed. Ethertypes for services and PBT tunnels are configurable for interoperability. The default is 0x88a8 for PBT tunnels and 0x88c8 for services.

> pbt set tunnel-tag-ethertype

0x88a8

> pbt set service-tag-ethertype

0x88c8

NOTE: Please note that in order for PBT frames to be transmitted through a device, the PBT ethertype must be set to 0x8100 (33024 decimal).

4. Reserve Bridge VLAN IDs (B-VIDs). Each incoming tunnel requires a unique B-VID.

> pbt reserve bvid

112-115

NOTE: The maximum number of B-VIDs that can be reserved is equal to the maximum number of PBT tunnels, which is 32. If trying to reserve more than 32, the system software generates the following error message: ERROR: reserving B-Vid, No more resources available.

5. Configure remote bridge names for use in tunnels and virtual circuits. For operator convenience, tunnel endpoints can be identified with names by associating a MAC address with name. The subsequent Tunnel and VC configurations refer to the nodes by these names.

> pbt remote-bridge create bridge-name

sw1 bridge-mac 00:02:a1:37:bc:60

Configuring PBT tunnels:

Both an encapsulation (egressing) and a decapsulation (ingressing) tunnel are required for connectivity.

1. Configure the encap tunnel, providing the tunnel destination node, the B-VID to be used, and the NNI port that the tunnel will egress traffic on.

> tunnel encap create static-pbt to_sw1 b-vid 115 dest-bridge-name sw1 port 21 tunnel-sync on

NOTE: Optionally a CoS policy and a Primary Code Point (PCP) value for the encapsulated frames can also be configured using the tunnel encap set encapcos-policy

and tunnel encap set encap-fixed-pcp commands.

2. Configure the decapsulation tunnel, providing the tunnel source node, the B-VID to be used, and the NNI port on which the tunnel will ingress.

> tunnel decap create static-pbt frm-sw1 b-vid 115 src-bridge-name sw1 port 21

3. Pair the primary encapsulation and decapsulation tunnels together.

> tunnel pair create tnl-pair myPair encap-pbt to_sw1 decap-pbt frm-sw1

Configuring the PBT backup tunnels:

Note that configuration of the backup tunnel is optional, but recommended. The tunnel name must also be the same as the primary tunnel.

352 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

1. Configure the backup encap tunnel.

> tunnel encap create static-backup-pbt

to_sw1 b-vid 116 dest-bridge-name sw1 port

23

2. Configure the backup decap tunnel.

> tunnel decap create static-pbt

bkp_sw1 b-vid 116 src-bridge-name sw1 port 23

3. Pair the backup encapsulation and decapsulation tunnels together.

> tunnel pair create tnl-pair

backup_pair encap-backup-pbt to_sw1 decap-pbt

bkp_sw1

4. Display the tunnels to verify the configuration.

> tunnel encap show

+------------------------ ENCAP TUNNEL TABLE ------------------------------+

|Name |Type |Oper|Admin|Destination |B-VID|Role|Active |

+----------------+------------+----------+--------------+-----+----+-------+

+----------------+------------+----------+--------------+-----+----+-------+

Configuring the virtual circuit:

Configuring a virtual circuit for PBT involves setting the ingress I-SID for service identification, the egress I-SID, the destination node, and the PBT tunnels to be used.

1. Configure the VC.

> virtual-circuit pbt create static-vc

vc1 dest-bridge-name sw1 egress-isid 1001 ingress-isid

1002 tunnel tunnel1

Configuring the virtual switch:

Configuring a virtual switch for PBT involves creating reserved VLANs, designating the PBT

VC to be used with the VS, and adding subscriber ports/VLANs. Optionally, Encap CoS policies may also be set for CoS mapping between the customer frames and the encapsulation PBT tunnel header.

1. Reserve VLANs for the virtual switch.

> virtual-switch add reserved-vlan

3100-3105

2. Create the virtual switch naming it and associating it with the PBT virtual circuit.

> virtual-switch ethernet create vs

vs1 vc vc1

3. Add the subscriber port and VLAN to the virtual switch.

> virtual-switch ethernet add vs

vs1 port 1 vlan 10

System Software Configuration Guide 6.5.0

353

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

Configuring CFM on a PBT tunnel (optional):

Configuring CFM for the PBT tunnels requires enabling CFM globally, creating a CFM service using the PBT tunnel, and then enabling the service.

1. Enable CFM globally.

> cfm enable

2. Create the CFM service for the PBT tunnel.

> cfm service create static-pbt

pbt1 name pbt1 next-mepid 2

3. If desired, the CCM interval can be configured, but the interval must be the same on both sides of the tunnel endpoints. The default is 1 second.

NOTE: Setting the CCM Interval to 4 milliseconds is not recommended for a production environment, although it can be used for testing.

> cfm service set service

pbt1 ccm-interval 4 or

> cfm service set service

pbt1 ccm-interval 1sec

4. Enable the CFM PBT service.

> cfm service enable service

pbt1

5. Verify that the MEP IDs at both ends of the tunnel are different. If they are the same, change one of the MEP IDs.

> cfm mep show

> cfm remote-mep show

> cfm mep set service

pbt1 port 21 mepid 2

Configuring QoS on a PBT tunnel (optional):

Configuring QoS for PBT involves setting any traffic metering required at the ingress

(UNI), configuring a flow service level, then configuring a flow service mapping using the configured VS and the service level.

1. Set up ingress metering.

> traffic-profiling standard-profile create port

1 profile 1 cir 15040 pir 15040

> traffic-profiling set port

1 mode standard-diffserv

2. Configure Egress traffic shaping.

> flow service-level create port 21 slid

9 cir 15040 pir 15040

> flow service-mapping create vs

pbt1 dst-port 21 slid 9

3. Set CoS marking.

> tunnel encap set static-pbt

pbt1 encap-cos-policy fixed encap-fixed-pcp 3

> virtual-switch ethernet set vs

pbt1 encap-cos-policy fixed encap-fixed-dot1dpri

4

354 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

Sample Configuration

The following configuration example displays the steps to configure a primary and a

backup PBT tunnel over the devices shown in Figure 23-7. It also employs CFM to monitor

the connection.

The following configuration assumes PBT mode has been enabled on the device and that a valid PBT license key has been entered.

1

23

24

21 23 23

24

2

22

24

Figure 23-7: PBT Configuration Example

Configuration for device 1 SJC:

1. SJC> mstp disable

2. SJC> pbt set bridge-mac 00:02:a1:30:7c:80

3. SJC> pbt reserve bvid 2000,3000

4. SJC> pbt remote-bridge create bridge-name SFO bridge-mac

00:02:a1:30:7c:c0

5. SJC> tunnel encap create static-pbt to_SFO b-vid 2000 destbridge-name SFO port 23 tunnel-sync on

6. SJC> tunnel decap create static-pbt frm_SFO b-vid 2000 srcbridge-name SFO port 23

7. SJC> tunnel pair create tnl-pair SJC encap-pbt to_SFO decap-pbt frm_SFO

8. SJC> tunnel encap create static-backup-pbt to_SFO b-vid 3000 dest-bridge-name SFO port 24

9. SJC> tunnel decap create static-pbt bkp_SFO b-vid 3000 srcbridge-name SFO port 24

10. SJC> tunnel pair create tnl-pair SJC-Backup encap-backup-pbt to_SFO decap-pbt bkp_sfo

System Software Configuration Guide 6.5.0

355

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

11. SJC> virtual-circuit pbt create static-vc pbt dest-bridge-name

SFO egress-isid 1 ingress-isid 2 tunnel to_SFO

12. SJC> virtual-switch add reserved-vlan 1000

13. SJC> virtual-switch ethernet create vs pbt vc pbt

14. SJC> virtual-switch ethernet add vs pbt port 1 vlan 10

15. SJC> cfm service create static-pbt to_SFO name PBT level 7 nextmepid 100

16. SJC> cfm service set service PBT alarm-time 0

17. SJC> cfm service enable service PBT

18. SJC> cfm service create static-backup-pbt to_SFO name PBT_BKP level 7 next-mepid 101

Configuration for device 2 SFO:

1. SFO> mstp disable

2. SFO> pbt set bridge-mac 00:02:a1:30:7c:c0

3. SFO> pbt reserve bvid 2000,3000

4. SFO> pbt remote-bridge create bridge-name SJC bridge-mac

00:02:a1:30:7c:80

5. SFO> tunnel encap create static-pbt to_SJC b-vid 2000 destbridge-name SJC port 23 tunnel-sync on

6. SFO> tunnel decap create static-pbt to_SJC b-vid 2000 srcbridge-name SJC port 23

7. SFO> tunnel pair create tnl-pair SFO encap-pbt to_SJC decap-pbt to_SJC

8. SFO> tunnel encap create static-backup-pbt to_SJC b-vid 3000 dest-bridge-name SJC port 24

9. SFO> tunnel decap create static-pbt to_SJC b-vid 3000 srcbridge-name SJC port 24

10. SFO> tunnel pair create tnl-pair SFO-Backup encap-backup-pbt to_SJC decap-pbt to_SJC

11. SFO> virtual-circuit pbt create static-vc pbt dest-bridge-name

SJC egress-isid 2 ingress 1 tunnel to_SJC

12. SFO> virtual-switch add reserved-vlan 1000

13. SFO> virtual-switch ethernet create vs pbt vc pbt

14. SFO> virtual-switch ethernet add vs pbt port 1 vlan 10

15. SFO> cfm service create static-pbt to_SJC name PBT level 7 nextmepid 200

16. SFO> cfm service set service PBT alarm-time 0

17. SFO> cfm service enable service PBT

18. SFO> cfm service create static-backup-pbt to_SJC name PBT_BKP level 7 next-mepid 201

19. SFO> cfm service enable service PBT_BKP

356 System Software Configuration Guide 6.5.0

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

Configuration for device 3 MTV:

1. MTV> mstp disable

2. MTV> vlan create vlan 2000,3000

3. MTV> vlan add vlan 2000,3000 port 21,23

4. MTV> cfm mip create vlan 2000 port 21 level 6

5. MTV> cfm mip create vlan 2000 port 23 level 6

6. MTV> cfm mip create vlan 3000 port 21 level 6

7. MTV> cfm mip create vlan 3000 port 23 level 6

Configuration for device 4 Sunny:

1. Sunny> mstp disable

2. Sunny> vlan create vlan 2000,3000

3. Sunny> vlan add vlan 2000,3000 port 22,26

4. Sunny> cfm mip create vlan 2000 port 22 level 6

5. Sunny> cfm mip create vlan 2000 port 24 level 6

6. Sunny> cfm mip create vlan 3000 port 22 level 6

7. Sunny> cfm mip create vlan 3000 port 24 level 6

System Software Configuration Guide 6.5.0

357

P

ROVIDER

B

ACKBONE

T

RANSPORT

Configuration

358 System Software Configuration Guide 6.5.0

Chapter

Link Layer Discovery Protocol

• • • • • •

24

At a Glance:

Overview

Principles of Operation

Feature Benefits

Configuring Link Layer Discovery

Protocol

Troubleshooting

This chapter provides an overview of the Link Layer Discovery Protocol (LLDP) and describes how to configure 802.1AB LLDP.

Overview

The Link Layer Discovery Protocol allows network equipment (i.e., stations, switches, bridges, routers, etc.) to advertise their parameters for network topology discovery and management. Traditional network management protocols, such as SNMP, running at key locations, use layer 3 protocols to identify the devices connected to the network. The

Link Layer Discovery Protocol is a layer 2 protocol, allowing precise discovery of the physical-link topology of the network. Devices act as LLDP agents, which drastically increases the network discovery performance of SNMP applications, as well as any system capable of accessing standard LLDP MIBs.

Principles of Operation

The system software supports LLDP as specified in the IEEE 802.1AB-2005 standard. Like

Rapid Spanning Tree Protocol (RSTP), LLDP is a link-constrained, layer 2 protocol. This means that the exchange of LLDP messages only takes place between adjacent LLDP agents (devices) on the network, unless control frame tunneling is used to tunnel the

LLDP PDUs through another device. LLDP agents communicate basic management information with each other by exchanging Link Layer Discovery Protocol Data Units

(LLDPDUs). The information about a device, and its immediate neighbors is then retrievable through the standard LLDP MIBs using SNMP. It is important to note that LLDP operates only on physical ports.

System Software Configuration Guide 6.5.0

359

L

INK

L

AYER

D

ISCOVERY

P

ROTOCOL

Principles of Operation

As illustrated in Figure 24-1, LLDP Agent A exchanges LLDPDUs with LLDP Agent B and

Agent C, but not with Agent D since it is not directly connected to Agent A.

LLDP Agent B

LLDP Agent A

LLDP Agent C

360

LLDP Agent D

Figure 24-1: Example of Architectural Relationship Between LLDP Agents

NOTE: Link Layer Discovery Protocol does not configure or control any traffic or devices on the network. Its primary role is to report discovered information to higher-layer management tools. It is not intended to act as a configuration protocol for remote systems nor as a mechanism to signal control information between ports.

LLDP TLVs

The LLDPDU is a layer 2 packet that consists of an L2 source, destination, and an

Ethertype field, and 4 or more Type Length and Value fields (TLVs). The LLDP standard specifies 9 common TLV fields, 4 of which are mandatory TLVs and the remaining 5 are optional TLVs to carry information for broadcasting sender information.

Layer 2 DA, 01-80-C2-00-00-0E

Layer 2 SA, Port-MAC of the transmitting device

Layer 2 etherType field, 88-CC

Chassis ID TLV

Port ID TLV

TTL TLV

Optional TLVs

End of LLDPDU TLV

Figure 24-2: LLDPDU Packet

System Software Configuration Guide 6.5.0

L

INK

L

AYER

D

ISCOVERY

P

ROTOCOL

Principles of Operation

Periodic LLDPDUs are sent out at a user defined interval, however, LLDPDUs are also sent whenever LLDP TLV data has changed. An SNMP notification is then generated after changed data is received from a neighboring device. Upon receipt of this notification the

SNMP management application polls the LLDP MIB objects to determine what information has changed.

Common TLVs

The system software supports all of the 9 common TLVs specified by the standard:

Chassis ID TLV- The first TLV in an LLDPDU is mandatory and identifies the chassis. It contains the 802 LAN station associated with the transmitting LLDP agent and supports the “MAC Address” chassis ID subtype.

Port ID TLV- The second TLV in an LLDPDU is mandatory and identifies the port component that transmits the TLV. It supports the “Interface Alias” port ID subtype.

Time To Live (TTL) TLV- The third TLV in an LLDPDU is mandatory and indicates the number of seconds that the recipient LLDP agent is to regard the information associated with this LLDPDU to be valid.

Port Description TLV- This optional TLV is an alpha-numeric string that indicates the port's description.

System Name TLV- This optional TLV is an alpha-numeric string that indicates the assigned name.

System Description TLV- This optional TLV is an alpha-numeric string that indicates the system description.

System Capabilities TLV- This optional TLV identifies the primary functions of the system and whether or not these primary functions are enabled. It supports the bridge capability.

Management Address TLV(s)- This optional TLV identifies the address associated with the local LLDP agent that may be used to reach higher layer entities to assist discovery by network management.

End of LLDPDU TLV- This mandatory 2 octet TLV defines the end of LLDPDU with all 0 values.

802.1 Organizationally Specific TLVs

Port VLAN ID TLV- allows a port to advertise its VLAN ID (PVID) that will be associated with untagged or priority tagged frames.

Port and Protocol VLAN ID TLV- The system software stores values received from the remote partner for this TLV but does not transmit this TLV.

VLAN Name TLV- The system software stores values received from the remote partner for this TLV but does not transmit this TLV.

Protocol ID TLV- allows an 802 LAN station to advertise particular protocols that are accessible through the port. Currently, the system software advertises the following protocols: RSTP and 802.3ah OAM.

802.3 Organizationally Specific TLVs

MAC/PHY Configuration/Status TLV- advertises Auto-negotiation support and status,

PMD auto-negotiation capability, and Operational MAU type.

Power via MDI TLV- The system software stores values received from the remote partner for this TLV but does not transmit this TLV.

System Software Configuration Guide 6.5.0

361

L

INK

L

AYER

D

ISCOVERY

P

ROTOCOL

Feature Benefits

Link Aggregation TLV- advertises whether the link is capable of being aggregated, whether the link is currently in an aggregation, and the port ID of the aggregation if it is in an aggregation. LLDP advertises Link Agg TLV in the PDU but Link Aggregation is not currently supported and is disabled.

Maximum Frame Size TLV- advertises the maximum frame size capability.

Ciena Organizationally Specific TLVs

Unknown TLVs- the LLDP standard specifies that unknown TLVs need to be stored locally if memory can be allocated. The system software stores all unknown TLVs for all valid LLDP PDUs for retrieval.

LLDP Graceful Shut Down- When an LLDP agent is administratively disabled, it executes a graceful shut down handshake. It sends out the last LLDP PDU that specifies the TTL as zero in TTL TLV. When its counterpart receives this LLDPDU, it cleans up all the LLDP information received.

Feature Benefits

Using LLDP for network topology discovery offers the following benefits to the network provider:

Accurate network topology discovery and management

• Support of standard tools using SNMP

Multi-vendor interoperability.

Accurate Network Topology Discovery and Management

Many network management tools use layer 3 protocols to automate the discovery process and track topology configurations and changes. The use of layer 2 LLDP allows network management tools to quickly and accurately discover current network topologies and to track both intentional and unintentional topology changes. Network administrators and technicians can use the accurate and up to date topology information to more quickly diagnose network problems in the field.

Support of Standard Tools

Each LLDP agent maintains its own per-port table of information in a standard SNMP MIB.

Updates are sent as needed to the closest connected device on the network. Through the

Command Line Interface (CLI), a user can access the device and manage LLDP information. General information, such as Chassis ID and port configuration can be displayed. Users with su security privileges can configure LLDP options and manipulate

TLVs. For example, a specific port could be configured to only transmit or receive

LLDPDUs.

LLDPDUs are used to update standard LLDP Management information Databases (MIBs) allowing any standard SNMP application to monitor the information as it changes.

Multi-vendor Interoperability.

LLDP is a standards-based protocol. Using LLDP rather than a proprietary topology discovery protocol allows the network provider to interoperate with non-Ciena devices that also support LLDP.

362 System Software Configuration Guide 6.5.0

L

INK

L

AYER

D

ISCOVERY

P

ROTOCOL

Configuring Link Layer Discovery Protocol

Configuring Link Layer Discovery Protocol

LLDP is enabled by default on all ports, but can be enabled or disabled on a per-port basis.

In addition, some optional TLVs can be excluded from transmission in the LLDP PDU on a per-port basis.

For a complete list of the available LLDP commands refer to the lldp section on page 441

in Appendix , “”.

CAUTION: The default settings for LLDP should be sufficient to ensure proper topology discovery in most networks. Since LE-NS ESM topology discovery relies on LLDP for higher performance topology discovery, care should be taken when modifying the LLDP configuration. In certain topologies, LLDP does not need to be forwarded (e.g., when using non-LLDP devices such as hubs).

In the following configuration example, the user displays the state of port 10, then disables LLDP on this port.

It should be noted as well that by using the lldp show port command, information about the remote port (neighbor) can be seen in the LLDP Remote Port TLV section of the output. This displays the MAC address, port number, and other information of the connected remote port.

Configuration steps:

Step # Description

Step 1 Display the current state of port 10.

Step 2 Set port 10 to disable.

Step 3 (Optional) Verify the configuration of the port.

Location/Command

lldp show [configuration]

|[statistics][port

<PhyPortNameList>

[configuration|statistics

]]

lldp set port

<PhyPortNameList> {[mode rx-only|tx-only|txrx|disable],[notification

<on|off>]}

lldp show [configuration]

|[statistics][port

<PhyPortNameList>

[configuration|statistics

]]

System Software Configuration Guide 6.5.0

363

L

INK

L

AYER

D

ISCOVERY

P

ROTOCOL

Configuring Link Layer Discovery Protocol

CLI Example:

1. > lldp show port 10

>lldp show port 10

+----------- LLDP Port Configuration -----------+

| | | Basic | Org Specific | |

| | Admin |TLV Type| Dot1 |Dot3| | |

| Port | State |123456789|1234567|1234| |Notif|

+------+-------+---------+-------+----+---+-----+

|10 | Tx-Rx |111111111|1 1111|1111| | Off |

+------+-------+---------+-------+----+---+-----+

Where: ||||||||| ||||||| ||||

Dot3 Type ||||||||| ||||||| |||+-- 4 Maximum Frame Size TlvTx

Dot3 Type ||||||||| ||||||| ||+-- 3 Link Aggregation TlvTx

Dot3 Type ||||||||| ||||||| |+-- 2 Power via MDI TlvTx

Dot3 Type ||||||||| ||||||| +-- 1 MacPhy Config TlvTx

Dot1 Type ||||||||| ||||||+-- 7 Protocol ID OAM TlvTx

Dot1 Type ||||||||| |||||+-- 6 Protocol ID Dot1X TlvTx

Dot1 Type ||||||||| ||||+-- 5 Protocol ID STP TlvTx

Dot1 Type ||||||||| |||+-- 4 Protocol ID LACP TlvTx

Dot1 Type ||||||||| ||+-- 3 VLAN Name TlvTx

Dot1 Type ||||||||| |+-- 2 Port&Protocol VLAN ID TlvTx

Dot1 Type ||||||||| +-- 1 Port VLAN ID TlvTx

Basic Type ||||||||+-- 9 Local Mgmt Address TlvTx

Basic Type |||||||+-- 8 Remote Mgmt Address TlvTx

Basic Type ||||||+-- 7 System Capabilities TlvTx

Basic Type |||||+-- 6 System Description TlvTx

Basic Type ||||+-- 5 System Name TlvTx

Basic Type |||+-- 4 Port Description TlvTx

Basic Type ||+-- 3 Time-to-Live TlvTx

Basic Type |+-- 2 Port ID TlvTx

Basic Type +-- 1 Chassis ID TlvTx

+-------------------------- LLDP Port Statistics --------------------------+

| Port | Out | In | InErrPkt| InError | Tlv | Unknown | AgedOut |

| | TotalPkt| TotalPkt|Discarded| Tlv |Discarded| Tlv | Total |

+------+---------+---------+---------+---------+---------+---------+---------+

|10 | 7| 8| 0| 0| 0| 0| 0|

+------+---------+---------+---------+---------+---------+---------+---------+

+----------------------- LLDP Local Bridge TLV ----------------------+

| TLV | Type | Value |

+------------+--------------+----------------------------------------+

| Chassis ID |MacAddr %| 0x0002A107A4A0 |

| TimeToLive | | 120 (second) |

| System Name| | CN 3911 |

| System Desc| | CN 3911 Service Delivery Switch |

| System Cap |Capabilities | Bridge |

| |Enabled Cap | Bridge |

| Mgmt Addr | | No Data |

+------------+--------------+----------------------------------------+

+ Port 10 ------------- LLDP Local Port TLV ----------------------+

| TLV | Type | Value |

+------------|--------------|----------------------------------------+

| Port ID |IfAlias 1| 10 |

| Port Desc | | 10/100/G Port |

| 802.1 |PortVlanId | 1 |

| 802.1 |PortProtVlanId| NotSupt Disable ProtVId:0 |

| 802.1 |ProtocolId | LACP (operationally disabled) |

| | | STP |

| | | Dot1X (operationally disabled) |

| | | OAM (operationally disabled) |

| 802.3 |MacPhyConfig | AutoNeg:Support Enable |

| | | PmdAutoNegAdCap:Unknown |

| | | OperMauType:Unknown |

| 802.3 |PowerViaMDI | PortClass:PD MDI:NotSupt |

| | | MDI:Disable PairCtrl:Can't |

| | | PwrPair:NotSupt PwrClass:NotSupt |

| 802.3 |LinkAgg | Capable Disable |

| 802.3 |MaxFrameSize | 1526 |

+------------|--------------|----------------------------------------+

364 System Software Configuration Guide 6.5.0

L

INK

L

AYER

D

ISCOVERY

P

ROTOCOL

Configuring Link Layer Discovery Protocol

+ Port 10 ------------- LLDP Remote Port TLV ----------------------+

| TLV | Type | Value |

+------------|--------------|----------------------------------------+

| Chassis ID |MacAddr | 0x0002A1307D60 |

| Port ID |IfAlias | 10 |

| TimeToLive | | 120 (second) |

| Port Desc | | Fast Ethernet Port |

| System Name| | 311v-Src |

| System Desc| | LE-311v Access Concentrator |

| System Cap |Capabilities | Bridge |

| |Enabled Cap | Bridge |

| Mgmt Addr |IPv4 | 192.168.054.242 |

| AddrIf|ifIndex/if#2 | 1.3.6.1.2.1.2.2.1.1.2 |

| 802.1 |PortVlanId | 1 |

| 802.1 |ProtocolId | LACP |

| | | OAM |

| 802.3 |MacPhyConfig | AutoNeg:Support Enable |

| | | PmdAutoNegAdCap:Unknown |

| | | OperMauType:Unknown |

| 802.3 |PowerViaMDI | PortClass:PD MDI:NotSupt |

| | | MDI:Disable PairCtrl:Can't |

| | | PwrPair:NotSupt PwrClass:NotSupt |

| 802.3 |LinkAgg | Capable Disable |

| 802.3 |MaxFrameSize | 1526 |

+------------|--------------|----------------------------------------+

2. > lldp set port 10 mode disable

>lldp set port 10 disable

3. > lldp show port 10 configuration

>lldp show port 10 configuration

+----------- LLDP Port Configuration -----------+

| | | Basic | Org Specific | |

| | Admin |TLV Type| Dot1 |Dot3| | |

| Port | State |123456789|1234567|1234| |Notif|

+------+-------+---------+-------+----+---+-----+

|10 |Disable|111111111|1 1111|1111| | Off |

+------+-------+---------+-------+----+---+-----+

Where: ||||||||| ||||||| ||||

Dot3 Type ||||||||| ||||||| |||+-- 4 Maximum Frame Size TlvTx

Dot3 Type ||||||||| ||||||| ||+-- 3 Link Aggregation TlvTx

Dot3 Type ||||||||| ||||||| |+-- 2 Power via MDI TlvTx

Dot3 Type ||||||||| ||||||| +-- 1 MacPhy Config TlvTx

Dot1 Type ||||||||| ||||||+-- 7 Protocol ID OAM TlvTx

Dot1 Type ||||||||| |||||+-- 6 Protocol ID Dot1X TlvTx

Dot1 Type ||||||||| ||||+-- 5 Protocol ID STP TlvTx

Dot1 Type ||||||||| |||+-- 4 Protocol ID LACP TlvTx

Dot1 Type ||||||||| ||+-- 3 VLAN Name TlvTx

Dot1 Type ||||||||| |+-- 2 Port&Protocol VLAN ID TlvTx

Dot1 Type ||||||||| +-- 1 Port VLAN ID TlvTx

Basic Type ||||||||+-- 9 Local Mgmt Address TlvTx

Basic Type |||||||+-- 8 Remote Mgmt Address TlvTx

Basic Type ||||||+-- 7 System Capabilities TlvTx

Basic Type |||||+-- 6 System Description TlvTx

Basic Type ||||+-- 5 System Name TlvTx

Basic Type |||+-- 4 Port Description TlvTx

Basic Type ||+-- 3 Time-to-Live TlvTx

Basic Type |+-- 2 Port ID TlvTx

Basic Type +-- 1 Chassis ID TlvTx

System Software Configuration Guide 6.5.0

365

L

INK

L

AYER

D

ISCOVERY

P

ROTOCOL

Troubleshooting

Troubleshooting

Displaying LLDP neighbors

To display neighboring devices including the local port, remote port, remote management address, chassis identification, and system name:

>lldp show neighbors

+------------------------------------------------------------------------------+

| LLDP Neighbors |

+------------------------------------------------------------------------------+

| Remote Addr: 10.26.193.79 |

| System Name: 3911-Center-Ematar |

| System Desc: CN 3911 Service Delivery Switch |

+-------+----------------------------------------------------------------------+

| Local | Remote |

+-------+------+---------------------------------------------------------------+

| Port | Port | Info |

+-------+------+---------------------------------------------------------------+

| 5 | 27 | Chassis Id: 0002A1306B40 |

| | | Mgmt Addr: 172.16.233.214 |

| | | System Name: LE311-Center-Ematar |

| | | System Desc: LightningEdge (tm) LE-311v Access Concentrator |

+-------+------+---------------------------------------------------------------+

| 6 | 8 | Chassis Id: 0002A107B010 |

| | | Mgmt Addr: 10.26.193.56, 10.26.193.56 |

| | | System Name: 3920-Right-Ematar |

| | | System Desc: CN 3920 Service Delivery Switch |

+-------+------+---------------------------------------------------------------+

| 8 | 8 | Chassis Id: 0002A107AFC0 |

| | | Mgmt Addr: 10.26.193.55 |

| | | System Name: 3920-Left-Ematar |

| | | System Desc: CN 3920 Service Delivery Switch |

+-------+------+---------------------------------------------------------------+

366 System Software Configuration Guide 6.5.0

Chapter

System Software Management

• • • • • •

25

At A Glance:

Overview

Network connectivity

Release Compatibility

Preparing Files for Upgrade

Upgrading from a Previous Version of SAOS

Backup Software Images

This chapter describes the procedure for upgrading and downgrading system software.

Overview

The upgrade of system software is driven by the use of software configuration files created by the network administrator. The actual upgrade process takes about 10 minutes for the device to execute. Device upgrades should take place in an organized manner, for example, starting from the edge of the network and working toward the core, or starting from the core and working toward to the edge.

Network connectivity

The system software upgrade process requires the device to have network connectivity in order to download files and send notifications. You can use the serial console or the remote interface for the upgrade. The remote interface must be configured properly before the upgrade is started. The device must be able to communicate with the TFTP server.

Release Compatibility

The following rules apply to software upgrade and downgrade:

Release 6.1 can upgrade to 6.2.x but not to any other releases.

• Release 6.2.x can upgrade to 6.3.x but not to any other releases.

Release 6.3.x will not downgrade to any other release.

• Release 6.4.x can downgrade to 6.3.1 but cannot downgrade to any other release.

Release 6.3.1 can upgrade to any other software version.

• The device will not install unsupported software.

Attempting to install unsupported software will cause an error message

System Software Configuration Guide 6.5.0

367

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Preparing Files for Upgrade

Preparing Files for Upgrade

Installing the Software Package

SAOS system software is released in the form of a software package. All files needed for the upgrade are contained in the package. Compatibility information is found in the software package readme file. The software package must be decompressed to the TFTP root directory. The ZIP file is created so that all files will be contained in a subfolder named <tftproot>/ciena/packages/saos-<build> directory on the TFTP server (where

<build> is the actual build number of the system software, for example, saos-06-05-00-

0043).

root

ciena packages

saos-06-05-00-0043 le-06-05-00-0043.afs

le-06-05-00-0043.ker

le-06-05-00-0043.rfs

le-06-05-00-0043.tar.gz

le-132.cfe

le-lnx.xml

mainShellMenu.xml

mainShellMenu.xsl

pmf-saos-06-05-00-0043.xml

readme.txt

cmd

artamir.xml

brego.xml

le-xx.cmd

le-2xx.cmd

le-4xx.cmd

le-4xx.xml

le-lnx.cml

0002a1xxyyzz.xml

Figure 25-1: Sample TFTP Directory Structure

config

default.cmd

startupCfg.cfg

chassisCfg.cfg

testCfg.cfg

368 System Software Configuration Guide 6.5.0

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Preparing Files for Upgrade

In Figure 25-1, the root directory refers to the directory that was chosen as the root

directory for the TFTP server. Operators are free to define the root directory however they wish. All files and folders will be stored in one sub-directory off the root directory named “ciena”. This directory has three sub-directories:

• packages

: This directory has one sub-directory for each software package. Each directory contains all the image files for all device types supported by the software package. This folder also contains platform or board capability files. File names may be changed, but the extensions may not be changed (i.e., .xml).

• cmd

: Device command files. This directory contains command files and package meta files for each platform class. Command files for specific devices may also exist in this directory, such as <MACaddress>.xml.

• config

: This directory contains configuration files such as startup-config, chassisconfig, etc.

Several files are required for the upgrade, which are summarized in the following table.

Also note that all file locations in this table are specified relative to the TFTP root folder.

Table 25-1: Table 1 Upgrade Files

Filename

ciena/packages/saos-<build>.rfs

ciena/packages/saos-<build>.afs

ciena/packages/le-lnx.xml

ciena/packages/pmf-saos-<build>.xml

ciena/packages/readme.txt

ciena/cmd/<MACAddress>.xml

Description

Root file.

Application file.

Device class command file.

Package command file.

Package readme file.

Device specific command file.

Command File

The software package contains a generic platform class command file named le-lnx.xml.

This is a fully functional command file that does not require any modifications in order to install the software package on the device. Command files can also be used to upgrade or configure one or more devices.

System Software Configuration Guide 6.5.0

369

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Preparing Files for Upgrade

The following is an example of a SAOS Command file:

<!--

README: SAOS Command File

This is a sample command file.

This file will activate package saos-06-05-00-0043 on your device(s).

You can modify this file, rename it, and copy it as you wish.

Command files are used to install new software and/or load new configuration files to one or many devices. Definitions in the command file are organized by platform-class. You may define as many platform classes as you like in a single command file.

The following example defines two platform classes and uses all possible attributes:

<XmlWwpCommandFile>

<XmlCmdPlatformClass name="CN3911"

version="saos-06-05-00-0043"

operation="upgrade"

serviceAffecting="yes">

</XmlCmdPlatformClass>

<XmlCmdPlatformClass name="brego"

configFilePath="myFolder/my-config-file.txt"

configFileRule="activate"

welcomeBanner="myBannerFile.txt"

licenseFile="myLicenseFile.txt"

<SshKeyFile name="user1.pk2"></SshKeyFile>

<SshKeyFile name="user2.pk2"></SshKeyFile>

<SshKeyFile name="user3.pk2"></SshKeyFile>

version="saos-06-05-00-0043"

packagePath="folder1/folder2/folder3"

operation="install"

serviceAffecting="no" >

</XmlCmdPlatformClass>

</XmlWwpCommandFile>

The following attributes are MANDATORY:

platformClass in order of preference, the most specific match (eg, CN3911), then the class match (eg, artamir for CN3911 and CN3920, brego for CN3940 and 5140 etc)

The class "le-lnx" must be there if upgrade from 6.3.1 or earlier (for

CN3911 and CN3920 only)

Possible values for platformClass:

le-lnx, CN3911, CN3920, CN3940, CN5140, CN3960, artamir, brego.

The following attributes are OPTIONAL:

configFilePath (path and filename, path is relative to tftproot)

configFileRule (see note #1 below)

welcomeBanner (path and filename, path is relative to tftproot)

licenseFile (path and filename, path is relative to tftproot)

SshKeyFile (path and filename, path is relative to tftproot)

version (leos-xx-yy-zz-abcd)

packagePath (complete path to the package directory relative to the tftp-root directory)

operation (upgrade or xgradei or install)

serviceAffecting (yes or no)

Possible values for the attribute: configFileRule

install

- Download the config file from the server.

- Store the file in the directory '/flash0/config'

- Store the new filename as 'default-load-file'

- Store the new filename as 'last-config-file'

- This file will be loaded when the device is rebooted.

activate

- Same behavior as install.

- In addition, the file is activated (loaded) immediately.

370 System Software Configuration Guide 6.5.0

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Preparing Files for Upgrade

- This may require a reboot.

- Reboot will not occur unless "serviceAffecting" is specified.

augment

- Download the config file.

- Augment the current system configuration with the commands in this file.

augmentAndSave

- Download the config file.

- Augment the current system configuration with the commands in this file.

- Save the resulting configuration to the file default-save-filename.

Possible values for the attribute: operation

upgrade

- Download & install image files if necessary.

- Activate the new image files.

- This operation may require a reboot.

- Reboot will not occur unless serviceAffecting="yes"

install

- Download & install image files if necessary

- Do not activate the new image files

- This option is not available for CN3911 and CN3920

x-grade

- Exact same behavior as 'upgrade'

- It is supported for backwards compatibility with previous release.

Possible values for the attribute: serviceAffecting

yes (The device is allowed to reboot if necessary)

no (The device is NOT allowed to reboot)

NOTE #1

DHCP can be used to run a command file. If a command file request

comes in from DHCP, the device will only run the command file once.

If another request comes in with the same command file name, the

device will ignore the request from DHCP. The name of the command

file is saved (last-command-file) and it may be reset by the user

via the shell or SNMP. The same is true for the configuration file.

NOTE #2

The License file format is shown here. Lines may appear in any order.

Any text following ! will be considered a comment.

Whitespace is ignored.

! This is my example license file

install <license key>

uninstall <feature name>

install <license key>

-->

<XmlWwpCommandFile>

<XmlCmdPlatformClass name="le-lnx"

version="saos-06-05-00-0043"

packagePath="ciena/packages/saos-06-05-00-0043"

operation="upgrade"

serviceAffecting="yes"

></XmlCmdPlatformClass>

<XmlCmdPlatformClass name="artamir"

version="saos-06-05-00-0043"

packagePath="ciena/packages/saos-06-05-00-0043"

operation="upgrade"

serviceAffecting="yes"

></XmlCmdPlatformClass>

<XmlCmdPlatformClass name="brego"

version="saos-06-05-00-0043"

packagePath="ciena/packages/saos-06-05-00-0043"

operation="upgrade"

serviceAffecting="yes"

></XmlCmdPlatformClass>

</XmlWwpCommandFile>

System Software Configuration Guide 6.5.0

371

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Upgrading from a Previous Version of SAOS

Command file types

You can create additional command files for specific devices or platform classes. Device specific command files are named with the device MAC address, such as:

• 0002a1010203.xml

Platform class command files are named as follows:

• artamir.xml - for CN 3911 and CN 3920 platforms.

• brego.xml - for CN 3940, CN 3960, and CN 5140 platforms.

You can run command files from the CLI or with a DHCP server. To run the command file from the command line:

> software run command-file <FileName> server <IpAddress>

Configure the DHCP server settings as follows:

• Next Server (option -14): Specifies the IP address of the TFTP server.

Boot File (option -1): Specifies the path to the command file directory or the full path to the command file itself.

CORRECT:

ciena/cmd/ ciena/packages/saos-<build>/ ciena/cmd/0002a1010203.xml

INCORRECT:

ciena/cmd (missing the slash “/” at the end of the path

If you specify only the path of the command file, the device will search the directory for the most specific command file in the following order.

1. Device specific file named with its MAC address.

2. Platform class file for its platform, artimir.xml or brego.xml

3. Generic platform class file, le-lnx.xml

Once the most specific command file has been selected, the device runs the section of the command file with the most specific platform class. So, if the command file has an artimir section and an le-lnx section, the device will process the artimir section, and skip the le-lnx section.

NOTE: For CN 3911 or CN 3920 devices running system software 6.3.1 or earlier, only the device specific and generic platform files are supported. Also, the le-lnx platform class must exist within the command file.

Upgrading from a Previous Version of SAOS

There are several methods to upgrade the system software. The upgrade process can triggered by a DHCP server or from the CLI. In addition, the upgrade process can be accomplished without the use of a command file.

372 System Software Configuration Guide 6.5.0

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Upgrading from a Previous Version of SAOS

CAUTION: The instructions in this section assume you are upgrading from 6.3.1 or higher.

NOTE: After upgrading SAOS, configuration changes that are saved to the configuration file may not be backwards compatible. If a downgrade occurs, such changes can cause configuration errors after a re-boot.

NOTE: Packages must be located in the <tftproot>/ciena/packages/saos-<build> directory on the TFTP server or the upgrade will fail.

The following is an example of a SAOS Command File for upgrading:

<XmlWwpCommandFile>

<XmlCmdPlatformClass name="le-lnx"

version="saos-06-05-00-0043"

packagePath="ciena/packages/saos-06-05-00-0043"

operation="upgrade"

serviceAffecting="yes"

></XmlCmdPlatformClass>

<XmlCmdPlatformClass name="artamir"

version="saos-06-05-00-0043"

packagePath="ciena/packages/saos-06-05-00-0043"

operation="upgrade"

serviceAffecting="yes"

></XmlCmdPlatformClass>

<XmlCmdPlatformClass name="brego"

version="saos-06-05-00-0043"

packagePath="ciena/packages/saos-06-05-00-0043"

operation="upgrade"

serviceAffecting="yes"

></XmlCmdPlatformClass>

</XmlWwpCommandFile>

The following is a list of the Command File Syntax.

Possible values for the configFileRule attribute:

install

- Download the config file from the server.

- Store the file in the directory '/flash0/config'

- Store the new filename as 'default-load-file'

- Store the old file as 'last-config-file'

- This file will be loaded when the device is rebooted.

activate

- Same behavior as install.

- In addition, the file is activated (loaded) immediately.

- This may require a reboot.

- Reboot will not occur unless “serviceAffecting” is specified.

• augment

- Download the config file.

- Augment the current system configuration with the commands in this file.

System Software Configuration Guide 6.5.0

373

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Upgrading from a Previous Version of SAOS

- Configuration is NOT saved.

• augmentAndSave

- Download the config file.

- Augment the current system configuration with the commands in this file.

- Save the resulting configuration to the file ‘default-save-filename’.

- No backup configuration is saved, the configuration that is updated.

Possible values for the operation attribute:

• upgrade

- Download and install image files if necessary.

- Activate the new image files.

- This operation may require a reboot.

- Reboot will not occur unless serviceAffecting=“yes”

• x-grade

- Download package PMF file from TFTP server.

- Download all images files specified in the PMF file.

These files are stored in the RAM disk.

- No further action is taken until the reboot command is given.

- Erase flash and burn new image files into flash.

- Supported for backwards compatibility with previous release.

NOTE: If you intend to upgrade software AND system configuration with the same command file, do NOT use 'activate' for the configFileRule.

Instead of using activate for the configFileRule when upgrading software AND system configuration with the same command file, use one of the following combinations:

1. configFileRule=“install” operation=“install”

This combination installs a new configuration file in flash, installs new software, then stops. The user must then activate the new software by rebooting device.

2. configFileRule=“install” operation=“activate”

Installs a new configuration file, installs the new software, then reboots the device.

3. configFileRule=“augmentAndSave” operation= “activate”

Augments the configuration, saves it, upgrades the software, then reboots the device.

Upgrading Using the CLI and a Command File

The following commands can be run using any user account with a privilege level of superuser.

1. Ensure that the device has access to the TFTP server.

2. Using the CLI, perform a configuration save using the configuration save command.

3. Enter the following command to run the command file, specifying the desired directory, command file, and TFTP server IP address:

> software run command-file ciena/packages/saos-##-##-##-####/xx.xml server <TFTP Server IP>

The upgrade process begins immediately and may take up to 10 minutes to complete.

374 System Software Configuration Guide 6.5.0

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Upgrading from a Previous Version of SAOS

Upgrading Using the CLI without a Command File

The following commands can be run using any user account with a privilege level of superuser.

CAUTION: The upgrade process described in this section will cause the system to reboot automatically.

1. Ensure that the device has access to the TFTP server.

2. Using the CLI, perform a configuration save using the configuration save command.

3. Enter the following command:

• To cause the device to upgrade the system software and to reboot automatically, enter the following command, specifying the desired software package and TFTP server IP address:

> software upgrade package saos-##-##-##-#### server 1.2.3.4 service-disruption allow

NOTE: The upgrade process may take up to 10 minutes to complete.

Upgrading Using a DHCP server

This method of upgrade uses a DHCP server to trigger the upgrade process through the use of a command file.

1. Configure the DHCP server according to the instructions found in the Configuring

DHCP section on page 23.

2. Enable the DHCP client on the SAOS device using the CLI command dhcp client enable

.

3. Perform a configuration save (e.g., from the CLI use the configuration save command).

4. The upgrade process will begin as soon as a DHCP renew occurs and may take up to

10 minutes to complete.

Use the DHCP option 'bootfile' to run a command file. A fully qualified filename

(path1/path2/file.xml) can be used or a directory name such as “Path1/path2/” can be specified. Path names MUST end with a slash to distinguish them from a file name. Some examples:

• bootfile = “ciena/packages/saos-06-04-00-0032/”

• bootfile = “ciena/packages/saos-06-04-00-0032/command-06-03-00-0032.xml”

• bootfile = “cmd/my-command-file.xml”

System Software Configuration Guide 6.5.0

375

S

YSTEM

S

OFTWARE

M

ANAGEMENT

Backup Software Images

If you specify a directory as the bootfile, the device will try to download the file MAC.xml where MAC is the Ethernet MAC address of the device (i.e. 0002a1010203.xml). If that fails, the device will try to download the file le-lnx.xml file.

NOTE: When a configuration file is processed due to a request from DHCP, the device will save the filename (last-config-file) and it will not process the same file name twice. You need to reset this file name in order to process the same configuration file a second time.

The same is true for the command file name as well.

Backup Software Images

The CN 3940, CN 3960, and CN 5140 have two flash image banks instead of a single flash image bank. The second image bank holds a backup copy of the system software. If the primary image bank becomes corrupted, the system will automatically switch to the backup bank.

When the software upgrade command is used, the new software is installed in one image bank only. The old software remains in the other image bank. Once the new software is installed and running, the user can backup the new software as follows:

> software protect

It is highly recommended (but not required) to run the protect command after each upgrade.

The software show command displays information for both flash image banks:

> software show

+------------------------------------------------------------------------------+

| Installed Package : saos-06-05-00-0040 |

| Running Package : saos-06-05-00-0040 |

| Application Build : 3507 |

| Package Build Info : Wed Feb 11 02:50:42 2009 shdbuilder tango.ciena.com |

| Running Kernel : 2.6.26.6-3507 |

| Running MIB version : 02-03-07-0005 |

+------------------------------------------------------------------------------+

| Running bank : B |

| Bank package version: saos-06-05-00-0040 |

| Bootloader version : 3454 |

| Bootloader status : valid |

| Standby bank : A |

| Bank package version: saos-06-05-00-0040 |

| Bootloader version : 3516 |

| Bootloader status : valid |

+------------------------------------------------------------------------------+

| Last command file: unknown |

| Last configuration file: unknown |

+------------------------------------------------------------------------------+

The following command will download and install software into flash but will not reboot the device. The system will load the new software when the device is later rebooted or power cycled:

> software install package saos-06-04-00-0134 server 1.2.3.4

376 System Software Configuration Guide 6.5.0

Appendix

Command Line Interface

• • • • • •

26

This appendix describes the operating system commands and syntax.

Overview

The Command Line Interface (CLI) is a text-based command interface used to configure the device and to view system information.

NOTE: The CLI hides commands depending on user access level, installed licenses, and platform.

This appendix includes the following topics:

Access Levels

Accessing the CLI

Navigating the CLI

Deprecated Commands

Global Commands

Protocol/Manager Commands

CAUTION: Commands not documented in this appendix should not be used. If you choose to use them, you do so at your own risk as they can cause severe interruption of delivered services and access to the device.

Access Levels

When a user account is created, it is assigned an access level. The CLI provides two access levels, including:

Limited User (lu) - able to execute commands that do not change the state of the system in a significant way or change the configuration of the device.

Super User (su) - includes all the privileges of the limited user and can make significant system state changes, modify the device configuration, and perform execute commands including creating user accounts.

System Software Configuration Guide 6.5.0

377

Accessing the CLI

The CLI provides two default user names/passwords:

User Name Access Level Password Access Rights

su Super Read/Write user Limited User (lu) <empty> Read-Only

Accessing the CLI

To access CLI commands, a session must first be established with the device by establishing a Telnet session or through direct connection to the serial console port.

NOTE: A maximum of 6 Telnet sessions can be connected at the same time.

Accessing the CLI Using Telnet

To access the device through Telnet, the device must have an IP address, the Telnet client must have a route set up to allow access to the device, and the user must have a valid user name and password to log into the system.

All devices coming out of manufacturing have a hard coded IP address, 172.16.233.214.

This IP address should be used when connecting to a device that has not gone through a

DHCP process.

If the device has gone through the DHCP process, the DHCP server assigns an IP address based on the device’s MAC address. The MAC address is the same as the device’s serial number.

To access the CLI using Telnet:

1. Determine the IP address for the device.

2. Obtain a valid user name and logon password.

3. Configure default gateway setup to access the device.

4. Use a Telnet client to connect to the device.

5. At the logon prompt, enter a user name and then a password to access the prompt, for example: username: su password:

>

378 System Software Configuration Guide 6.5.0

Navigating the CLI

Accessing the CLI Using the Serial Console Port

By default, the serial console port is enabled.

1. Connect a terminal or PC running terminal emulation software to the serial console port using an RJ-45 cable.

2. Configure the connected terminal with the following settings:

• Character size = 8

Parity = None

• Stop Bit = 1

Baud Rate = 9600 bps

• Control = None

3. At the logon prompt, enter a user name and then a password to access the prompt, for example: username: su password:

>

Navigating the CLI

When entering a command at the prompt, ensure that you have the appropriate access level. Most configuration commands require the super-user access level. At any prompt, press the Tab key for a list of commands in alphabetical order available from the current prompt. For example, pressing tab on the main level menu lists the following:

>

arp - arp

blade - blade management

chassis - chassis management

cli - cli shell special functions

configuration - configuration

device-archive - device archive

dhcp - dhcp commands

file - file submenu

flow - flow management

interface - ip interface management

lldp - Link Layer Discovery Protocol

log - log

logout - Log off this system

ntp-client - ntp-client

ping - ping

port - port

reboot - reboot system

snmp - SNMP

software - software version management

syslog - syslog

system - system management

traceroute - traceroute a packet

user - user management

vlan - vlan

Command Schema

In order to provide consistency across all the commands, all CLI commands follow a basic underlying schema or syntax:

<object> [<subobject>] <action> [instance] [<attributes>]

System Software Configuration Guide 6.5.0

379

Navigating the CLI

An <object> can identify a feature (e.g. multicast, epr, radius etc.) or a basic object (e.g. module, VLAN, port, etc.). On the surface, these seem like completely mismatched entities, however, if a device is considered to have an instance of each of these entities, then both features and the basic system objects can be considered as objects.

A <subobject> subdivides a feature. For example, multicast has many sub-features in it such as umf, epf, channel-stream, etc.

An <action> is a verb that describes the type of action that will occur on the object/instance that is specified. Examples of actions are:

• create

• delete

• add

• remove

• set

• unset

• enable

• disable

• attach

• detach

An <instance> defines an recurrence of an object. For example, ports have multiple instances. A feature like radius is an object but there is only a single instance of it. An instance is identified by a keyword and a value, such as “port 3/1.”

<attributes> are always a pairing of a keyword and a value. For example, the keyword

“port” is followed by a value such as 3/1. A command may take multiple attributes and the attributes can be specified in any order relative to one another.

As an example, breaking down the command grammar of a command such as

“ aggregation add agg Lag1 port 7/2

” yields the following:

• object = aggregation

• subobject = none

• action = add

• instance = agg Lag1

• attribute = port 7/2

Sub-menus

Objects and sub-objects have sub-menus. For example, from the top-level prompt, if you enter system, the prompt changes to the system sub-menu and displays, (system)>.

The same is true for sub-features, such as system shell. At the (system)> prompt, entering shell the prompt changes to the shell sub-menu under system and displays

(system/shell)>

. To return to the top-level prompt from any sub-menu, type exit, and press Enter.

Command Completion

The CLI supports partial command recognition. This means that you can enter the first few characters that uniquely identify a command for the system to recognize it. For example, for the sub-port commands, you can enter:

> vl

380 System Software Configuration Guide 6.5.0

Navigating the CLI

CLI(vlan)> and the prompt will then change to:

If you do not enter enough characters to uniquely identify the command, a shell parser error will occur. For example:

> s

SHELL PARSER FAILURE: 's' - ambiguous input

This error occurs, because multiple commands begin with “s”. Pressing the Tab key partially completes the command and displays the available commands. For example,:

>s snmp software system

In addition, pressing space and then Tab twice at the end of the command string displays available actions, objects, or sub-objects, for example:

>arp <Tab> arp

>arp <Tab>

delete - delete arp entry

flush - flush arp cache for all interfaces

for - check if the ip address is in use

in-use - check if the ip address is in use

show - show arp information

After specifying the object, action, instance, and even attributes, you can press space and then Tab to display additional parameters. For example,

>arp for

ip - IP address

Getting Help

To get more detail about available commands, enter ? or help at any prompt. A command can also be followed by a space and a ? or help to get a list of valid parameters for that command. For example, the following command lists all the valid parameters for the arp command:

>arp

delete - delete arp entry

flush - flush arp cache for all interfaces

for - check if the ip address is in use

in-use - check if the ip address is in use

show - show arp information

In addition, you can display specific objects or search on specific keywords with the cli

search and show commands described in the cli command section of this chapter.

Command Response

In general, errors are generated for a configuration command only when the command is unsuccessful. For example, if you run a delete command, the CLI responds without any message and returns to the CLI prompt. Even if the object does not exist, the command does not end in error, because the end result is that the specified object does not exist in the system. Similarly, if you attempt set an attribute that is already set, the CLI responds by returning you to the CLI prompt. If you attempt to create an object that already exists, the CLI responds with an error to show the duplication.

System Software Configuration Guide 6.5.0

381

Navigating the CLI

Understanding Command Syntax

A variety of symbols are used to indicate CLI command syntax. These symbols describe how to enter a command. They are not entered as part of the command itself. Table 1 summarizes command syntax symbols.

Table 26-1: Command Syntax Symbols

Symbol Description

< > Encloses a variable or literal value that must be specified.

Some examples include:

{ } server <IpAddress> priority <NUMBER: 1-7> dns <on|off> description <String[31]>

For server <IpAddress>

, the attribute could be entered as server 10.10.11.100

or server www.ciena.com

. With priority <NUMBER: 1-7> the text within <> indicates that 1 - 7 are valid values. In the example of dns <on|off>, either the literal value of on or off is valid, such as dns on

. For description

<String[31]>

, any string of up to 31 characters is entered.

Encloses a required value or list of required arguments.

One or more values or arguments can be specified. For example, in the syntax: flow access-control create

{port <PortName>}

{max-dynamic-macs <NUMBER>}

[forward-unlearned <on|off>]

|

[ ]

{ [], [], [] }

The port and max-dynamic-max arguments are required.

The forward-unlearned argument is optional.

Separates mutually exclusive items in a list, only one of which can be entered. For example, in the syntax: dhcp client options set subnet

<on|off> either on or off must be specified, for example: dhcp client options set subnet on

Encloses an optional value or a list of optional arguments.

One or more values or arguments can be specified. For example, in the syntax: arp show [interface <Interface>] you can enter a value for interface

<Interface>

or not. For example: arp show

Specifies a list of optional items where at least one must be specified.

382 System Software Configuration Guide 6.5.0

Navigating the CLI

Table 26-1: Command Syntax Symbols

*

Indicates the example has been abbreviated and that the actual display contains more information.

Indicates zero or more occurrences of what is preceding.

Specifying Multiple Objects with Lists and Ranges

To simplify configuration of multiple objects, some CLI commands allow actions to be specified on multiple ports or slots at once. This is done using object lists and ranges.

Each command specifies the CLI variables it accepts.

A list of objects can be specified using a comma-delimited list (for example, x, y, z). A range of objects can be specified using a dash (-). For example, “x-z” would properly specify a range.

On a multi-module device, a command can apply to multiple modules by specifying a slot list or range. For example, “1,2,3” or “1-3”. Ports on the module are then specified relative to the module. For example, port 1/1 identifies the first port on module in slot

1. Port ranges are generally specified as: <port a>-<port b>. This range specifies all the ports between and including ports 'a' and 'b'. So the range “1/1 - 4/3” would include all the ports present on modules in slots 1, 2, 3 as well as the first 3 ports on the module in slot 4. Lists of ports can be specified as being comma delimited, e.g. “1/1, 1/3, 1/5”.

Port lists and ranges can also be combined so that the following is valid, “1/1-1/5,1/7”.

For a single module device, ports are enumerated with a single ID, e.g. 1, 2, and 3. Lists of ports can be specified as being comma delimited, e.g. “1, 3, 5." Port lists and ranges can also be combined so that the following is valid, “1-4, 7."

For example, the vlan command could be used as follows:

> vlan add vlan 400 port 2,4

Or each command could be entered individually:

> vlan add vlan 400 port 2

> vlan add vlan 400 port 4

Specifying IP Addresses

The format for the IpAddress is:

<IpAddress>=<NUMBER STRING: xxx.xxx.xxx.xxx, 0<=xxx<=255>

The syntax description from RFC 1035 is as follows:

<domain>::= <subdomain>|“”

<subdomain>::= <label>|<subdomain> “.” <label>

<label>::= <letter> [ [ <ldh-str> ] <let-dig>]

<ldh-st> ::= <let-dig-hyp>|<let-dig-hyp> <ldh-str>

<let-dig-hyp> ::= <let-dig>|“-”

<let-dig> ::= <letter>|<digit>

<letter> ::= any one of the 52 alphabetic characters A through Z in upper case and a through z in lower case

<digit> ::= any one of the ten digits 0 through 9

System Software Configuration Guide 6.5.0

383

Navigating the CLI

RFC 3696 (Application Techniques for Checking and Transformation of Names) describes the above situation as follows:

“The LDH rule, as updated, provides that the labels (words or strings separated by periods) that make up a domain name must consist of only the ASCII [ASCII] alphabetic and numeric characters, plus the hyphen. No other symbols or punctuation characters are permitted, nor is blank space. If the hyphen is used, it is not permitted to appear at either the beginning or end of a label. There is an additional rule that essentially requires that top-level domain names not be all- numeric.”

Additionally a fully qualified domain name may contain up to 255 characters including '.' and must not be all digits.

Entering Names

When entering names or description the following rules apply:

• String length > 0

First character may not be a space

• Last character may not be a space

All characters are in the ASCII range 32…126

• The following characters are not allowed:

"

%

*

?

!

• Names are case-sensitive

384 System Software Configuration Guide 6.5.0

Deprecated Commands

Specifying Common Objects and Attributes

<FileName>= <String> for example, /flash0/file.txt

<DirName> = <String[127]>

<MacAddress>= <xx:xx:xx:xx:xx:xx>

Deprecated Commands

Some commands are designated as deprecated (obsolete). Deprecated commands are still supported by the CLI and work for configuration. However, in a future release, deprecated commands will no longer be supported. These commands can be identified in the command list with the text “(DEPRECATED)”. In addition to commands, parameters for some commands are designated as deprecated.

NOTE: All commands deprecated in past releases have been removed from this release and are no longer supported.

Global Commands

Various global commands are supported that are common to the computing industry.

These commands do not follow the defined schema and use a standard UNIX-type implementation. You can run these commands from any menu shell. Some global commands related to file management are listed under the “file” command menu, however, you do not have to type “file” preceding the commands.

Command Description Access Level

Clears the terminal screen.

su/lu

Release

Introduced

6.0

clear

Example:

> clear exit

Example:

> exit

Goodbye.

Connection to host lost.

ping [ip] <IpAddress>

Log off and end the Telnet session.

su/lu su/lu

6.2

6.0

[count <NUMBER: 1-100000>]

[interval <NUMBER: 1-100000>]

[packet-size <NUMBER: 1-1464>]

[timeout <NUMBER: 1-100000>]

Ping the specified IP address. Attributes are expressed as integers in the following units:

• number of packets to send

• interval (in milliseconds)

• packet-size (in kilobytes)

• timeout (in milliseconds).

6.0

6.0

6.0

6.0

System Software Configuration Guide 6.5.0

385

Global Commands

Command Description

Example:

>ping ip 192.168.76.100

PING 192.168.76.100 (192.168.76.100): 56 data bytes ping: sendto: Network is unreachable reboot Performs a soft reset of the system including the kernel.

telnet

[-l <UserName>]

Establishes Telnet client session to the specified IP address.

Logs in with the specified user. If left unspecified, the remote system prompts for the user name.

{<IpAddress>}

[<port>]

IP address to Telnet to.

TCP port. By default, the port is 23.

Example:

> telnet 10.10.121.19

Entering character mode

Escape character is '^]'.

Access Level Release

Introduced

su su/lu

6.0

6.3

6.3

6.3

6.3

3911 00:02:A1:24:0E:30

SAOS is True Carrier Ethernet TM software.

3911 login: su

Password:

SAOS is True Carrier Ethernet TM software.

Welcome to the shell.

> exit

Goodbye.

> traceroute [ip] <IpAddress>

[-F]

[-I]

[-l]

[-d]

[-n]

[-r]

Performs a standard traceroute for the specified ip address.

• Set the don't fragment bit.

Use ICMP ECHO instead of UDP datagrams.

Display the ttl value of the returned packet.

Set SO_DEBUG options to socket.

Print hop addresses numerically rather than symbolically.

Bypass the normal routing tables and send directly to a host.

su/lu 6.0

6.0

6.0

6.0

6.0

6.0

6.0

386 System Software Configuration Guide 6.5.0

Protocol/Manager Commands

Command

[-v]

[-m max_ttl ]

[-p port#]

[-q nqueries]

[ -s src_addr]

[-t tos]

[-w wait]

[-g]

Description

Verbose.

Max time-to-live (max number of hops).

Base UDP port number used in probes (default is 33434).

Number of probes per 'ttl' (default is 3).

IP address to use as the source address.

Type-of-service in probe packets

(default 0).

Time in seconds to wait for a response (default is 3 seconds).

Loose source route gateway

(8 max).

Access Level Release

Introduced

6.0

6.0

Example:

> traceroute ip 192.168.54.241

traceroute to 192.168.54.241 (192.168.54.241), 30 hops max, 40 byte packets

1: 192.168.54.241 4087 us 1811 us 1811 us

6.0

6.0

6.0

6.0

6.0

6.0

Protocol/Manager Commands

Protocol/Manager commands are those commands that configure system operation.

Table 26-2: Summary of Protocol/Manager Commands

Command Description

aggregation

arp

blade broadcast-containment

cfm

chassis

cli command-log

configuration

device-archive

dhcp

Enter the link aggregation menu

Enter the ARP menu

Enter the blade menu

Enter the broadcast containment menu

Enter the Connectivity Fault Management (CFM) menu

Enter the chassis menu

Search or display CLI shell commands

Enter the command logging menu

Applies, saves, resets, and displays configuration

Enters the device-archive menu

Enter the DHCP menu

Release

Introduced

6.4

6.0

6.0

6.0

6.5

6.0

6.2

6.2

6.0

6.0

6.0

System Software Configuration Guide 6.5.0

387

Protocol/Manager Commands

Table 26-2: Summary of Protocol/Manager Commands

dns client

Enter the DNS menu

radius

rmon

snmp

software

ssh

system

tacacs

telnet-server

traffic-profiling

twamp

user

virtual-circuit

virtual-switch

vlan

dot1x

eoam

file

flow

interface

lldp

log

mstp

multicast-services

ntp-client

PBT

port

Enter the 802.1x menu

Enter the OAM menu

Enter the file menu

Enter flow menu

Enter the interface menu

Enter the LLDP menu

Enter the logging menu

Enter the MSTP menu

Enter the Multicast Services menu

Enter the NTP menu

Enter the PBT menu

Enter the port menu

Enter the RADIUS menu

Enter the RMON menu

Enter the SNMP menu

Enter the software management menu

Enter the Secure Shell (SSH) menu

Enter the system menu

Enter the TACACS+ menu

Enter the Telnet server menu

Enter the traffic profiling menu

Enter the TWAMP menu

Enter the user menu

Enter the virtual circuit menu

Enter the virtual switch menu

Enter the VLAN menu

6.0

6.2

6.0

6.3

6.3

6.3

6.2

6.0

6.0

6.4

6.0

6.0

6.0

6.0

6.2

6.2

6.0

6.0

6.3

6.0

6.0

6.0

6.0

6.2

6.4

6.2

6.0

388 System Software Configuration Guide 6.5.0

Protocol/Manager Commands

aggregation

Command Description

aggregation add agg <LagPortName[7]>

{[port <PhyPortNameList>]

[protection-port <PhyPortNameList>]}

Example:

Adds a port and protection port to an aggregation.

> aggregation add agg lag21 port 1-4 aggregation create agg <LagPortName[7]>

Example:

Creates an aggregation group.

> aggregation create agg lag22 aggregation delete agg <LagPortName[7]>

Example:

> aggregation delete agg lag22 aggregation disable

Deletes an aggregation.

Disables aggregation globally. Note that remote connections between Juniper devices are lost after disabling link aggregation. Juniper devices should be set to manual mode with the interfaces <agg group> aggregated-ether-options lacp

command.

Example:

> aggregation disable aggregation enable Enables aggregation globally.

Aggregation is enabled by default.

Example:

> aggregation enable aggregation lacpmib set agg <LagPortName[7]>

{[admin-key <NUMBER: 0 - 4095>],

[system-priority <NUMBER: 0 - 65535>]}

Example:

Sets the LACP MIB attributes for the specified aggregator port, including:

Administrator key

• System priority.

> aggregation lacpmib set agg ManLag1 admin-key 2050 aggregation lacpmib set port <PhyPortName>

{[actor-admin-key <NUMBER: 0-4095>]

Sets LACP MIB group attributes for the specified physical ports, including:

Actor Administrator key.

Security

Level

su

Release

Introduced

6.4

su su su su su su

6.4

6.4

6.4

6.4

6.4

6.4

6.4

6.4

6.4

System Software Configuration Guide 6.5.0

389

Protocol/Manager Commands

[actor-admin-state <NUMBER: 0-255>]

[actor-port-priority <NUMBER: 0-65535>]

[actor-system-priority <NUMBER: 0-65535>]

[partner-admin-key <NUMBER: 0-4095>]

[partner-admin-state <NUMBER: 0-255>]

[partner-port-priority <NUMBER: 0-65535>]

[partner-system-id <MacAddress>]

Actor Administrator state.

Actor port priority.

Actor system priority.

Partner administrator key.

Partner administrator state.

Partner port priority.

Partner system identification,

MAC address.

Partner system priority.

partner-system-priority <NUMBER: 0-65535>

Example:

>