PLANET SGS-6340-24P4S User's manual
advertisement
Assistant Bot
Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.
▼
Scroll to page 2
of
539
1 Trademarks Copyright © PLANET Technology Corp. 2016. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners. Disclaimer PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User's Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User's Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User's Manual. PLANET makes no commitment to update or keep current the information in this User's Manual, and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions. FCC Warning This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the Instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense. CE Mark Warning This is a Class A product. In a domestic environment, this product may cause radio interference, in which case the user may be required to take adequate measures. Energy Saving Note of the Device This power required device does not support Standby mode operation. For energy saving, please remove the power cable to disconnect the device from the power circuit. In view of saving the energy and reducing the unnecessary power consumption, it is strongly suggested to remove the power connection for the device if this device is not intended to be active. WEEE Warning To avoid the potential effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment, end users of electrical and electronic equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste and have to collect such WEEE separately. Revision PLANET Layer 3 Multi-Port Full Gigabit Stackable Managed Switch User's Manual FOR MODEL: SGS-6340-24T4S/48T4S/24P4S/20S4C4X/16XR REVISION: 1.1 (August, 2016) Part No: EM-SGS-6340-series 2 Contents CHAPTER 1 INTRODUCTION ........................................................................................ 1-1 1.1 PACKET CONTENTS ............................................................................................................................. 1-1 1.2 PRODUCT DESCRIPTION ....................................................................................................................... 1-2 1.3 PRODUCT FEATURES ........................................................................................................................... 1-6 1.4 PRODUCT SPECIFICATIONS ................................................................................................................... 1-9 CHAPTER 2 INSTALLATION............................................................................................17 2.1 HARDWARE DESCRIPTION ..................................................................................................................... 17 2.1.1 Switch Front Panel ................................................................................................................... 17 2.1.2 LED Indications ........................................................................................................................ 19 2.1.3 Switch Rear Panel.................................................................................................................... 24 2.2 INSTALLING THE MANAGED SWITCH ....................................................................................................... 26 2.2.1 Desktop Installation.................................................................................................................. 26 2.2.2 Rack Mounting ......................................................................................................................... 27 2.2.3 Installing the SFP/SFP+ Transceiver ....................................................................................... 28 CHAPTER 3 SWITCH MANAGEMENT .......................................................................... 3-1 3.1 MANAGEMENT OPTIONS ....................................................................................................................... 3-1 3.1.1 Out-of-Band Management....................................................................................................... 3-1 3.1.2 In-band Management .............................................................................................................. 3-5 3.2 CLI INTERFACE .................................................................................................................................... 3-9 3.2.1 Configuration Modes ............................................................................................................. 3-11 3.2.2 Configuration Syntax............................................................................................................. 3-13 3.2.3 Shortcut Key Support ............................................................................................................ 3-14 3.2.4 Help Function ........................................................................................................................ 3-14 3.2.5 Input Verification.................................................................................................................... 3-15 3.2.6 Fuzzy Match Support ............................................................................................................ 3-15 CHAPTER 4 BASIC SWITCH CONFIGURATION .......................................................... 4-1 4.1 BASIC CONFIGURATION ........................................................................................................................ 4-1 4.2 TELNET MANAGEMENT ......................................................................................................................... 4-2 4.2.1 Telnet....................................................................................................................................... 4-2 4.2.2 SSH ......................................................................................................................................... 4-4 4.3 CONFIGURING SWITCH IP ADDRESSES.................................................................................................. 4-6 4.3.1 Switch IP Addresses Configuration Task List.......................................................................... 4-6 4.4 SNMP CONFIGURATION ....................................................................................................................... 4-7 4.4.1 Introduction to SNMP .............................................................................................................. 4-7 4.4.2 Introduction to MIB .................................................................................................................. 4-9 4.4.3 Introduction to RMON ........................................................................................................... 4-10 4.4.4 SNMP Configuration ............................................................................................................. 4-10 1 4.4.5 Typical SNMP Configuration Examples ................................................................................ 4-13 4.4.6 SNMP Troubleshooting ......................................................................................................... 4-15 4.5 SWITCH UPGRADE ............................................................................................................................. 4-15 4.5.1 Switch System Files .............................................................................................................. 4-15 4.5.2 BootROM Upgrade................................................................................................................ 4-16 4.5.3 FTP/TFTP Upgrade............................................................................................................... 4-18 CHAPTER 5 FILE SYSTEM OPERATIONS...................................................................5-28 5.1 INTRODUCTION TO FILE STORAGE DEVICES......................................................................................... 5-28 5.2 FILE SYSTEM OPERATION CONFIGURATION TASK LIST......................................................................... 5-28 5.3 TYPICAL APPLICATIONS...................................................................................................................... 5-30 5.4 TROUBLESHOOTING ........................................................................................................................... 5-30 CHAPTER 6 CLUSTER CONFIGURATION.................................................................... 6-1 6.1 INTRODUCTION TO CLUSTER NETWORK MANAGEMENT............................................................................ 6-1 6.2 CLUSTER NETWORK MANAGEMENT CONFIGURATION SEQUENCE ........................................................... 6-1 6.3 EXAMPLES OF CLUSTER ADMINISTRATION ............................................................................................ 6-5 6.4 CLUSTER ADMINISTRATION TROUBLESHOOTING .................................................................................... 6-6 CHAPTER 7 PORT CONFIGURATION........................................................................... 7-7 7.1 INTRODUCTION TO PORT ...................................................................................................................... 7-7 7.2 NETWORK PORT CONFIGURATION TASK LIST ........................................................................................ 7-7 7.3 PORT CONFIGURATION EXAMPLE ....................................................................................................... 7-10 7.4 PORT TROUBLESHOOTING .................................................................................................................. 7-11 CHAPTER 8 PORT ISOLATION FUNCTION CONFIGURATION ..................................8-12 8.1 INTRODUCTION TO PORT ISOLATION FUNCTION.................................................................................... 8-12 8.2 TASK SEQUENCE OF PORT ISOLATION................................................................................................. 8-12 8.3 PORT ISOLATION FUNCTION TYPICAL EXAMPLES ................................................................................. 8-13 CHAPTER 9 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION ...........9-14 9.1 INTRODUCTION TO PORT LOOPBACK DETECTION FUNCTION ................................................................ 9-14 9.2 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION TASK LIST .................................................. 9-14 9.3 PORT LOOPBACK DETECTION FUNCTION EXAMPLE ............................................................................. 9-16 9.4 PORT LOOPBACK DETECTION TROUBLESHOOTING .............................................................................. 9-17 CHAPTER 10 ULDP FUNCTION CONFIGURATION ..................................................10-18 10.1 INTRODUCTION TO ULDP FUNCTION ............................................................................................... 10-18 10.2 ULDP CONFIGURATION TASK SEQUENCE ....................................................................................... 10-19 2 10.3 ULDP FUNCTION TYPICAL EXAMPLES ............................................................................................ 10-22 10.4 ULDP TROUBLESHOOTING ............................................................................................................ 10-23 CHAPTER 11 LLDP FUNCTION OPERATION CONFIGURATION .............................11-25 11.1 INTRODUCTION TO LLDP FUNCTION ............................................................................................... 11-25 11.2 LLDP FUNCTION CONFIGURATION TASK SEQUENCE ....................................................................... 11-26 11.3 LLDP FUNCTION TYPICAL EXAMPLE............................................................................................... 11-29 11.4 LLDP FUNCTION TROUBLESHOOTING ............................................................................................. 11-30 CHAPTER 12 PORT CHANNEL CONFIGURATION ...................................................12-31 12.1 INTRODUCTION TO PORT CHANNEL ................................................................................................. 12-31 12.2 BRIEF INTRODUCTION TO LACP ..................................................................................................... 12-32 12.2.1 Static LACP Aggregation................................................................................................... 12-33 12.2.2 Dynamic LACP Aggregation.............................................................................................. 12-33 12.2.3 Port Channel Configuration Task List................................................................................ 12-34 12.3 PORT CHANNEL EXAMPLES ............................................................................................................ 12-35 12.4 PORT CHANNEL TROUBLESHOOTING .............................................................................................. 12-38 CHAPTER 13 MTU CONFIGURATION........................................................................13-39 13.1 INTRODUCTION TO MTU ................................................................................................................. 13-39 13.2 MTU CONFIGURATION TASK SEQUENCE ......................................................................................... 13-39 CHAPTER 14 EFM OAM CONFIGURATION...............................................................14-40 14.1 INTRODUCTION TO EFM OAM ........................................................................................................ 14-40 14.2 EFM OAM CONFIGURATION .......................................................................................................... 14-43 14.3 EFM OAM EXAMPLE ..................................................................................................................... 14-45 14.4 EFM OAM TROUBLESHOOTING ..................................................................................................... 14-46 CHAPTER 15 PORT SECURITY .................................................................................15-48 15.1 INTRODUCTION TO PORT SECURITY............................................................................................ 15-48 15.2 PORT SECURITY CONFIGURATION TASK LIST .............................................................................. 15-48 15.3 EXAMPLE OF PORT SECURITY.................................................................................................... 15-49 15.4 PORT SECURITY TROUBLESHOOTING ......................................................................................... 15-50 CHAPTER 16 DDM CONFIGURATION .......................................................................16-51 16.1 INTRODUCTION TO DDM................................................................................................................. 16-51 16.1.1 Brief Introduction to DDM.................................................................................................. 16-51 16.1.2 DDM Function ................................................................................................................... 16-52 16.2 DDM CONFIGURATION TASK LIST ................................................................................................... 16-53 16.3 EXAMPLES OF DDM....................................................................................................................... 16-55 3 16.4 DDM TROUBLESHOOTING .............................................................................................................. 16-59 CHAPTER 17 LLDP-MED ............................................................................................17-60 17.1 INTRODUCTION TO LLDP-MED ...................................................................................................... 17-60 17.2 LLDP-MED CONFIGURATION TASK SEQUENCE .............................................................................. 17-60 17.3 LLDP-MED EXAMPLE ................................................................................................................... 17-62 17.4 LLDP-MED TROUBLESHOOTING ................................................................................................... 17-65 CHAPTER 18 BPDU-TUNNEL CONFIGURATION......................................................18-65 18.1 INTRODUCTION TO BPDU-TUNNEL .................................................................................................... 18-65 18.1.1 bpdu-tunnel function.......................................................................................................... 18-66 18.1.2 Background of bpdu-tunnel............................................................................................... 18-66 18.2 BPDU-TUNNEL CONFIGURATION TASK LIST ...................................................................................... 18-66 18.3 EXAMPLES OF BPDU-TUNNEL .......................................................................................................... 18-67 18.4 BPDU-TUNNEL TROUBLESHOOTING ................................................................................................. 18-68 CHAPTER 19 EEE ENERGY-SAVING CONFIGURATION ..........................................19-69 19.1 INTRODUCTION TO EEE ENERGY-SAVING ........................................................................................ 19-69 19.2 EEE ENERGY-SAVING CONFIGURATION LIST.................................................................................... 19-69 19.3 EEE ENERGY-SAVING TYPICAL EXAMPLES ..................................................................................... 19-69 CHAPTER 20 VLAN CONFIGURATION......................................................................20-70 20.1 VLAN CONFIGURATION ................................................................................................................. 20-70 20.1.1 Introduction to VLAN ......................................................................................................... 20-70 20.1.2 VLAN Configuration Task List ........................................................................................... 20-71 20.1.3 Typical VLAN Application .................................................................................................. 20-75 20.1.4 Typical Application of Hybrid Port ..................................................................................... 20-77 20.2 DOT1Q-TUNNEL CONFIGURATION ................................................................................................... 20-78 20.2.1 Introduction to Dot1q-tunnel.............................................................................................. 20-78 20.2.2 Dot1q-tunnel Configuration ............................................................................................... 20-80 20.2.3 Typical Applications of the Dot1q-tunnel ........................................................................... 20-80 20.2.4 Dot1q-tunnel Troubleshooting........................................................................................... 20-81 20.3 SELECTIVE Q-IN-Q CONFIGURATION ............................................................................................... 20-82 20.3.1 Introduction to Selective Q-in-Q........................................................................................ 20-82 20.3.2 Selective Q-in-Q Configuration ......................................................................................... 20-82 20.3.3 Typical Applications of Selective Q-in-Q ........................................................................... 20-83 20.3.4 Selective Q-in-Q Troubleshooting ..................................................................................... 20-85 20.4 VLAN TRANSLATION CONFIGURATION ............................................................................................ 20-85 20.4.1 Introduction to VLAN Translation ...................................................................................... 20-85 20.4.2 VLAN Translation Configuration........................................................................................ 20-85 20.4.3 Typical Application of VLAN Translation ........................................................................... 20-87 20.4.4 VLAN Translation Troubleshooting ................................................................................... 20-88 4 20.5 MULTI-TO-ONE VLAN TRANSLATION CONFIGURATION .................................................................... 20-88 20.5.1 Introduction to Multi-to-One VLAN Translation ................................................................. 20-88 20.5.2 Multi-to-One VLAN Translation Configuration................................................................... 20-88 20.5.3 Typical Application of Multi-to-One VLAN Translation ...................................................... 20-89 20.5.4 Multi-to-One VLAN Translation Troubleshooting .............................................................. 20-90 20.6 DYNAMIC VLAN CONFIGURATION................................................................................................... 20-90 20.6.1 Introduction to Dynamic VLAN.......................................................................................... 20-90 20.6.2 Dynamic VLAN Configuration ........................................................................................... 20-91 20.6.3 Typical Application of the Dynamic VLAN ......................................................................... 20-93 20.6.4 Dynamic VLAN Troubleshooting ....................................................................................... 20-95 20.7 GVRP CONFIGURATION ................................................................................................................. 20-95 20.7.1 Introduction to GVRP ........................................................................................................ 20-95 20.7.2 GVRP Configuration Task List........................................................................................... 20-96 20.7.3 Example of GVRP ............................................................................................................. 20-97 20.7.4 GVRP Troubleshooting ................................................................................................... 20-100 20.8 VOICE VLAN CONFIGURATION ..................................................................................................... 20-100 20.8.1 Introduction to Voice VLAN ............................................................................................. 20-100 20.8.2 Voice VLAN Configuration .............................................................................................. 20-101 20.8.3 Typical Applications of the Voice VLAN .......................................................................... 20-102 20.8.4 Voice VLAN Troubleshooting .......................................................................................... 20-103 CHAPTER 21 MAC TABLE CONFIGURATION.........................................................21-104 21.1 INTRODUCTION TO MAC TABLE .................................................................................................... 21-104 21.1.1 Obtaining MAC Table ...................................................................................................... 21-104 21.1.2 Forward or Filter.............................................................................................................. 21-105 21.2 MAC ADDRESS TABLE CONFIGURATION TASK LIST ........................................................................ 21-106 21.3 TYPICAL CONFIGURATION EXAMPLES ........................................................................................... 21-108 21.4 MAC TABLE TROUBLESHOOTING ................................................................................................. 21-109 21.5 MAC ADDRESS FUNCTION EXTENSION ......................................................................................... 21-109 21.5.1 MAC Address Binding ..................................................................................................... 21-109 21.6 MAC NOTIFICATION CONFIGURATION ............................................................................................21-111 21.6.1 Introduction to MAC Notification ......................................................................................21-111 21.6.2 MAC Notification Configuration........................................................................................21-111 21.6.3 MAC Notification Example .............................................................................................. 21-113 21.6.4 MAC Notification Troubleshooting................................................................................... 21-113 CHAPTER 22 MSTP CONFIGURATION....................................................................22-114 22.1 INTRODUCTION TO MSTP............................................................................................................. 22-114 22.2 MSTP REGION ............................................................................................................................ 22-114 22.2.1 Operations within an MSTP Region ................................................................................ 22-115 22.2.2 Port Roles ....................................................................................................................... 22-116 22.2.3 MSTP Load Balance ....................................................................................................... 22-116 5 22.3 MSTP CONFIGURATION TASK LIST ............................................................................................... 22-116 22.4 MSTP EXAMPLE.......................................................................................................................... 22-121 22.5 MSTP TROUBLESHOOTING .......................................................................................................... 22-125 CHAPTER 23 QOS CONFIGURATION......................................................................23-126 23.1 INTRODUCTION TO QOS ............................................................................................................... 23-126 23.1.1 QoS Terms ...................................................................................................................... 23-126 23.1.2 QoS Implementation ....................................................................................................... 23-127 23.1.3 Basic QoS Model ............................................................................................................ 23-128 23.2 QOS CONFIGURATION TASK LIST ................................................................................................. 23-131 23.3 QOS EXAMPLE ............................................................................................................................ 23-136 23.4 QOS TROUBLESHOOTING ............................................................................................................. 23-138 CHAPTER 24 FLOW-BASED REDIRECTION...............................................................24-1 24.1 INTRODUCTION TO FLOW-BASED REDIRECTION ................................................................................. 24-1 24.2 FLOW-BASED REDIRECTION CONFIGURATION TASK SEQUENCE ......................................................... 24-1 24.3 FLOW-BASED REDIRECTION EXAMPLES ............................................................................................ 24-2 24.4 FLOW-BASED REDIRECTION TROUBLESHOOTING HELP...................................................................... 24-2 CHAPTER 25 FLEXIBLE Q-IN-Q CONFIGURATION....................................................25-3 25.1 INTRODUCTION TO FLEXIBLE QINQ ................................................................................................... 25-3 25.1.1 Q-in-Q Technique ................................................................................................................ 25-3 25.1.2 Basic Q-in-Q........................................................................................................................ 25-3 25.1.3 Flexible Q-in-Q .................................................................................................................... 25-3 25.1.4 Flexible Q-in-Q Configuration Task List .............................................................................. 25-3 25.2 FLEXIBLE Q-IN-Q EXAMPLE ............................................................................................................. 25-5 25.3 FLEXIBLE Q-IN-Q TROUBLESHOOTING .............................................................................................. 25-7 CHAPTER 26 LAYER 3 MANAGEMENT CONFIGURATION........................................26-7 26.1 LAYER 3 MANAGEMENT INTERFACE .................................................................................................. 26-7 26.1.1 Introduction to Layer 3 Management Interface ................................................................... 26-7 26.1.2 Layer 3 Interface Configuration Task List............................................................................ 26-7 26.2 IP CONFIGURATION .......................................................................................................................... 26-8 26.2.1 Introduction to IPv4, IPv6 .................................................................................................... 26-8 26.2.2 IP Configuration ................................................................................................................ 26-10 26.2.3 IPv6 Troubleshooting ........................................................................................................ 26-12 26.3 STATIC ROUTE ............................................................................................................................... 26-12 26.3.1 Introduction to Static Route ............................................................................................... 26-12 26.3.2 Introduction to Default Route ............................................................................................ 26-13 26.3.3 Static Route Configuration Task List ................................................................................. 26-13 26.3.4 Static Route Configuration Examples ............................................................................... 26-14 6 26.4 RIP............................................................................................................................................... 26-15 26.4.1 Introduction to RIP ............................................................................................................ 26-15 26.4.2 RIP Configuration Task List............................................................................................... 26-17 26.4.3 RIP Examples – Typical RIP ............................................................................................. 26-23 26.4.4 RIP Examples – RIP aggregation function........................................................................ 26-25 26.4.5 RIP Troubleshooting.......................................................................................................... 26-25 26.5 OSPF ........................................................................................................................................... 26-26 26.5.1 Introduction to OSPF......................................................................................................... 26-26 26.5.2 OSPF Configuration Task List ........................................................................................... 26-29 26.5.3 OSPF Examples................................................................................................................ 26-34 26.5.4 Configuration Example of OSPF....................................................................................... 26-34 26.5.5 Configuration Examples of OSPF VPN............................................................................. 26-43 26.5.6 OSPF Troubleshooting...................................................................................................... 26-44 26.6 ARP ............................................................................................................................................. 26-45 26.6.1 Introduction to ARP ........................................................................................................... 26-45 26.6.2 ARP Configuration Task List.............................................................................................. 26-45 26.6.3 ARP Troubleshooting ........................................................................................................ 26-45 CHAPTER 27 ARP SCANNING PREVENTION FUNCTION CONFIGURATION.........27-46 27.1 INTRODUCTION TO ARP SCANNING PREVENTION FUNCTION ............................................................ 27-46 27.2 ARP SCANNING PREVENTION CONFIGURATION TASK SEQUENCE .................................................... 27-47 27.3 ARP SCANNING PREVENTION TYPICAL EXAMPLES .......................................................................... 27-49 27.4 ARP SCANNING PREVENTION TROUBLESHOOTING HELP ................................................................. 27-50 CHAPTER 28 PREVENT ARP SPOOFING CONFIGURATION ..................................28-51 28.1 OVERVIEW ..................................................................................................................................... 28-51 28.1.1 ARP (Address Resolution Protocol) .................................................................................. 28-51 28.1.2 ARP Spoofing .................................................................................................................... 28-51 28.1.3 How to prevent void ARP Spoofing ................................................................................... 28-51 28.2 PREVENT ARP SPOOFING CONFIGURATION ..................................................................................... 28-52 28.3 PREVENT ARP SPOOFING EXAMPLE............................................................................................... 28-53 CHAPTER 29 ARP GUARD CONFIGURATION ..........................................................29-55 29.1 INTRODUCTION TO ARP GUARD ................................................................................................... 29-55 29.2 ARP GUARD CONFIGURATION TASK LIST ..................................................................................... 29-56 CHAPTER 30 GRATUITOUS ARP CONFIGURATION ................................................30-57 30.1 INTRODUCTION TO GRATUITOUS ARP ............................................................................................. 30-57 30.2 GRATUITOUS ARP CONFIGURATION TASK LIST ............................................................................... 30-57 30.3 GRATUITOUS ARP CONFIGURATION EXAMPLE ................................................................................ 30-58 30.4 GRATUITOUS ARP TROUBLESHOOTING .......................................................................................... 30-59 7 CHAPTER 31 DHCP CONFIGURATION .....................................................................31-60 31.1 INTRODUCTION TO DHCP............................................................................................................... 31-60 31.2 DHCP SERVER CONFIGURATION .................................................................................................... 31-61 31.3 DHCP RELAY CONFIGURATION ...................................................................................................... 31-64 31.4 DHCP CONFIGURATION EXAMPLES ................................................................................................ 31-65 31.5 DHCP TROUBLESHOOTING ............................................................................................................ 31-69 CHAPTER 32 DHCPV6 CONFIGURATION .................................................................32-70 32.1 INTRODUCTION TO DHCPV6........................................................................................................... 32-70 32.2 DHCPV6 SERVER CONFIGURATION ................................................................................................ 32-71 32.3 DHCPV6 RELAY DELEGATION CONFIGURATION .............................................................................. 32-73 32.4 DHCPV6 PREFIX DELEGATION SERVER CONFIGURATION ................................................................ 32-73 32.5 DHCPV6 PREFIX DELEGATION CLIENT CONFIGURATION ................................................................. 32-75 32.6 DHCPV6 CONFIGURATION EXAMPLES ............................................................................................ 32-76 32.7 DHCPV6 TROUBLESHOOTING ........................................................................................................ 32-78 CHAPTER 33 DHCP OPTION 82 CONFIGURATION..................................................33-80 33.1 INTRODUCTION TO DHCP OPTION 82 ............................................................................................. 33-80 33.1.1 DHCP Option 82 Message Structure ................................................................................ 33-80 33.1.2 Option 82 Working Mechanism ......................................................................................... 33-81 33.2 DHCP OPTION 82 CONFIGURATION TASK LIST ............................................................................... 33-82 33.3 DHCP OPTION 82 APPLICATION EXAMPLES ................................................................................... 33-85 33.4 DHCP OPTION 82 TROUBLESHOOTING ........................................................................................... 33-87 CHAPTER 34 DHCP OPTION 60 AND OPTION 43 ....................................................34-89 34.1 INTRODUCTION TO DHCP OPTION 60 AND OPTION 43 ..................................................................... 34-89 34.2 DHCP OPTION 60 AND OPTION 43 CONFIGURATION TASK LIST ....................................................... 34-89 34.3 DHCPV6 OPTION 60 AND OPTION 43 EXAMPLE .............................................................................. 34-90 34.4 DHCP OPTION 60 AND OPTION 43 TROUBLESHOOTING .................................................................. 34-90 CHAPTER 35 DHCPV6 OPTIONS 37, 38 ......................................................................35-1 35.1 INTRODUCTION TO DHCPV6 OPTIONS 37, 38.................................................................................... 35-1 35.2 DHCPV6 OPTIONS 37, 38 CONFIGURATION TASK LIST...................................................................... 35-2 35.3 DHCPV6 OPTIONS 37, 38 EXAMPLES .............................................................................................. 35-8 35.3.1 DHCPv6 Snooping options 37, 38 Example ....................................................................... 35-8 35.3.2 DHCPv6 Relay option37, 38 Example .............................................................................. 35-10 35.4 DHCPV6 OPTIONS 37, 38 TROUBLESHOOTING ............................................................................... 35-11 CHAPTER 36 DHCP SNOOPING CONFIGURATION .................................................36-12 8 36.1 INTRODUCTION TO DHCP SNOOPING .............................................................................................. 36-12 36.2 DHCP SNOOPING CONFIGURATION TASK SEQUENCE ...................................................................... 36-13 36.3 DHCP SNOOPING TYPICAL APPLICATION........................................................................................ 36-18 36.4 DHCP SNOOPING TROUBLESHOOTING HELP .................................................................................. 36-19 36.4.1 Monitor and Debug Information ........................................................................................ 36-19 36.4.2 DHCP Snooping Troubleshooting Help............................................................................. 36-19 CHAPTER 37 DHCP SNOOPING OPTION 82 CONFIGURATION..............................37-20 37.1 INTRODUCTION TO DHCP SNOOPING OPTION 82 ............................................................................ 37-20 37.1.1 DHCP Option 82 Message Structure ................................................................................ 37-20 37.1.2 DHCP Snooping Option 82 Working Mechanism ............................................................. 37-21 37.2 DHCP SNOOPING OPTION 82 CONFIGURATION TASK LIST .............................................................. 37-22 37.3 DHCP SNOOPING OPTION 82 APPLICATION EXAMPLES................................................................... 37-23 37.4 DHCP SNOOPING OPTION 82 TROUBLESHOOTING .......................................................................... 37-24 CHAPTER 38 IPV4 MULTICAST PROTOCOL ............................................................38-25 38.1 IPV4 MULTICAST PROTOCOL OVERVIEW ......................................................................................... 38-25 38.1.1 Introduction to Multicast .................................................................................................... 38-25 38.1.2 Multicast Address .............................................................................................................. 38-26 38.1.3 IP Multicast Packet Transmission ..................................................................................... 38-27 38.1.4 IP Multicast Application ..................................................................................................... 38-27 38.2 DCSCM........................................................................................................................................ 38-28 38.2.1 Introduction to DCSCM ..................................................................................................... 38-28 38.2.2 DCSCM Configuration Task List........................................................................................ 38-29 38.2.3 DCSCM Configuration Examples...................................................................................... 38-32 38.2.4 DCSCM Troubleshooting .................................................................................................. 38-33 38.3 IGMP SNOOPING ........................................................................................................................... 38-33 38.3.1 Introduction to IGMP Snooping ......................................................................................... 38-33 38.3.2 IGMP Snooping Configuration Task List ........................................................................... 38-33 38.3.3 IGMP Snooping Examples ................................................................................................ 38-36 38.3.4 IGMP Snooping Troubleshooting ...................................................................................... 38-38 CHAPTER 39 IPV6 MULTICAST PROTOCOL ............................................................39-39 39.1 MLD SNOOPING ............................................................................................................................ 39-39 39.1.1 Introduction to MLD Snooping .......................................................................................... 39-39 39.1.2 MLD Snooping Configuration Task ................................................................................... 39-39 39.1.3 MLD Snooping Examples ................................................................................................. 39-41 39.1.4 MLD Snooping Troubleshooting........................................................................................ 39-44 CHAPTER 40 MULTICAST VLAN ...............................................................................40-45 40.1 INTRODUCTIONS TO MULTICAST VLAN ........................................................................................... 40-45 40.2 MULTICAST VLAN CONFIGURATION TASK LIST ............................................................................... 40-45 9 40.3 MULTICAST VLAN EXAMPLES ........................................................................................................ 40-46 CHAPTER 41 ACL CONFIGURATION ........................................................................41-49 41.1 INTRODUCTION TO ACL.................................................................................................................. 41-49 41.1.1 Access-list ......................................................................................................................... 41-49 41.1.2 Access-group .................................................................................................................... 41-49 41.1.3 Access-list Action and Global Default Action..................................................................... 41-49 41.2 ACL CONFIGURATION TASK LIST .................................................................................................... 41-50 41.3 ACL EXAMPLE .............................................................................................................................. 41-64 41.4 ACL TROUBLESHOOTING ............................................................................................................... 41-69 CHAPTER 42 802.1X CONFIGURATION ....................................................................42-71 42.1 INTRODUCTION TO 802.1X .............................................................................................................. 42-71 42.1.1 The Authentication Structure of 802.1x ............................................................................. 42-71 42.1.2 The Work Mechanism of 802.1x ....................................................................................... 42-73 42.1.3 The Encapsulation of EAPOL Messages .......................................................................... 42-74 42.1.4 The Encapsulation of EAP Attributes ................................................................................ 42-75 42.1.5 The Authentication Methods of 802.1x.............................................................................. 42-77 42.1.6 The Extension and Optimization of 802.1x ....................................................................... 42-81 42.1.7 The Features of VLAN Allocation ...................................................................................... 42-82 42.2 802.1X CONFIGURATION TASK LIST ................................................................................................ 42-83 42.3 802.1X APPLICATION EXAMPLE ...................................................................................................... 42-87 42.3.1 Examples of Guest VLAN Applications ............................................................................. 42-87 42.3.2 Examples of IPv4 RADIUS Applications ........................................................................... 42-90 42.3.3 Examples of IPv6 RADIUS Application ............................................................................. 42-91 42.4 802.1X TROUBLESHOOTING ........................................................................................................... 42-92 CHAPTER 43 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT, VLAN CONFIGURATION........................................................................................................43-93 43.1 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT, VLAN CONFIGURATION TASK SEQUENCE ............................................................................................................................................................. 43-94 43.2 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT, VLAN TYPICAL EXAMPLES ............... 43-97 43.3 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT, VLAN TROUBLESHOOTING HELP ...... 43-98 CHAPTER 44 OPERATIONAL CONFIGURATION OF AM FUNCTION ......................44-99 44.1 INTRODUCTION TO AM FUNCTION ................................................................................................... 44-99 44.2 AM FUNCTION CONFIGURATION TASK LIST ..................................................................................... 44-99 44.3 AM FUNCTION EXAMPLE .............................................................................................................. 44-101 44.4 AM FUNCTION TROUBLESHOOTING .............................................................................................. 44-102 CHAPTER 45 SECURITY FEATURE CONFIGURATION ..........................................45-103 45.1 INTRODUCTION TO SECURITY FEATURE ......................................................................................... 45-103 10 45.2 SECURITY FEATURE CONFIGURATION ........................................................................................... 45-103 45.2.1 Prevent IP Spoofing Function Configuration Task Sequence ......................................... 45-103 45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence ......... 45-103 45.2.3 Anti Port Cheat Function Configuration Task Sequence................................................. 45-104 45.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence ......................... 45-104 45.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence ....................... 45-104 45.3 SECURITY FEATURE EXAMPLE ...................................................................................................... 45-105 CHAPTER 46 TACACS+ CONFIGURATION.............................................................46-106 46.1 INTRODUCTION TO TACACS+ ...................................................................................................... 46-106 46.2 TACACS+ CONFIGURATION TASK LIST ........................................................................................ 46-106 46.3 TACACS+ SCENARIOS TYPICAL EXAMPLES................................................................................. 46-107 46.4 TACACS+ TROUBLESHOOTING ................................................................................................... 46-108 CHAPTER 47 RADIUS CONFIGURATION................................................................47-109 47.1 INTRODUCTION TO RADIUS ......................................................................................................... 47-109 47.1.1 AAA and RADIUS Introduction........................................................................................ 47-109 47.1.2 Message Structure for RADIUS ...................................................................................... 47-109 47.2 RADIUS CONFIGURATION TASK LIST ............................................................................................47-111 47.3 RADIUS TYPICAL EXAMPLES ...................................................................................................... 47-113 47.3.1 IPv4 RADIUS Example ................................................................................................... 47-113 47.3.2 IPv6 RADIUS Example ................................................................................................... 47-114 47.4 RADIUS TROUBLESHOOTING ...................................................................................................... 47-114 CHAPTER 48 SSL CONFIGURATION.......................................................................48-116 48.1 INTRODUCTION TO SSL................................................................................................................ 48-116 48.1.1 Basic Element of SSL ..................................................................................................... 48-117 48.2 SSL CONFIGURATION TASK LIST .................................................................................................. 48-118 48.3 SSL TYPICAL EXAMPLE ............................................................................................................... 48-119 48.4 SSL TROUBLESHOOTING ............................................................................................................. 48-119 CHAPTER 49 IPV6 SECURITY RA CONFIGURATION.............................................49-121 49.1 INTRODUCTION TO IPV6 SECURITY RA.......................................................................................... 49-121 49.2 IPV6 SECURITY RA CONFIGURATION TASK SEQUENCE .................................................................. 49-121 49.3 IPV6 SECURITY RA TYPICAL EXAMPLES ....................................................................................... 49-122 49.4 IPV6 SECURITY RA TROUBLESHOOTING HELP .............................................................................. 49-123 CHAPTER 50 MAB CONFIGURATION .....................................................................50-124 50.1 INTRODUCTION TO MAB............................................................................................................... 50-124 50.2 MAB CONFIGURATION TASK LIST ................................................................................................. 50-124 11 50.3 MAB EXAMPLE ........................................................................................................................... 50-126 50.4 MAB TROUBLESHOOTING ............................................................................................................ 50-128 CHAPTER 51 PPPOE INTERMEDIATE AGENT CONFIGURATION ........................51-129 51.1 INTRODUCTION TO PPPOE INTERMEDIATE AGENT ......................................................................... 51-129 51.1.1 Brief Introduction to PPPoE ............................................................................................ 51-129 51.1.2 Introduction to PPPoE IA ................................................................................................ 51-129 51.2 PPPOE INTERMEDIATE AGENT CONFIGURATION TASK LIST ........................................................... 51-134 51.3 PPPOE INTERMEDIATE AGENT TYPICAL APPLICATION ................................................................... 51-135 51.4 PPPOE INTERMEDIATE AGENT TROUBLESHOOTING ...................................................................... 51-137 CHAPTER 52 WEB PORTAL CONFIGURATION......................................................52-138 52.1 INTRODUCTION TO WEB PORTAL AUTHENTICATION ........................................................................ 52-138 52.2 WEB PORTAL AUTHENTICATION CONFIGURATION TASK LIST .......................................................... 52-138 52.3 WEB PORTAL AUTHENTICATION TYPICAL EXAMPLE ....................................................................... 52-140 52.4 WEB PORTAL AUTHENTICATION TROUBLESHOOTING ..................................................................... 52-141 CHAPTER 53 VLAN-ACL CONFIGURATION ...............................................................53-1 53.1 INTRODUCTION TO VLAN-ACL ........................................................................................................ 53-1 53.2 VLAN-ACL CONFIGURATION TASK LIST .......................................................................................... 53-1 53.3 VLAN-ACL CONFIGURATION EXAMPLE............................................................................................ 53-3 53.4 VLAN-ACL TROUBLESHOOTING ...................................................................................................... 53-4 CHAPTER 54 SAVI CONFIGURATION .........................................................................54-5 54.1 INTRODUCTION TO SAVI................................................................................................................... 54-5 54.2 SAVI CONFIGURATION ..................................................................................................................... 54-5 54.3 SAVI TYPICAL APPLICATION .......................................................................................................... 54-10 54.4 SAVI TROUBLESHOOTING .............................................................................................................. 54-11 CHAPTER 55 MRPP CONFIGURATION .....................................................................55-12 55.1 INTRODUCTION TO MRPP .............................................................................................................. 55-12 55.1.1 Conception Introduction .................................................................................................... 55-12 55.1.2 MRPP Protocol Packet Types ........................................................................................... 55-13 55.1.3 MRPP Protocol Operation System.................................................................................... 55-14 55.2 MRPP CONFIGURATION TASK LIST ................................................................................................ 55-14 55.3 MRPP TYPICAL SCENARIO ............................................................................................................ 55-16 55.4 MRPP TROUBLESHOOTING ............................................................................................................ 55-18 CHAPTER 56 ULPP CONFIGURATION ......................................................................56-20 56.1 INTRODUCTION TO ULPP ............................................................................................................... 56-20 12 56.2 ULPP CONFIGURATION TASK LIST ................................................................................................. 56-21 56.3 ULPP TYPICAL EXAMPLES ............................................................................................................ 56-24 56.3.1 ULPP Typical Example1.................................................................................................... 56-24 56.3.2 ULPP Typical Example2.................................................................................................... 56-26 56.4 ULPP TROUBLESHOOTING............................................................................................................. 56-27 CHAPTER 57 ULSM CONFIGURATION .....................................................................57-28 57.1 INTRODUCTION TO ULSM............................................................................................................... 57-28 57.2 ULSM CONFIGURATION TASK LIST ................................................................................................. 57-29 57.3 ULSM TYPICAL EXAMPLE .............................................................................................................. 57-30 57.4 ULSM TROUBLESHOOTING ............................................................................................................ 57-31 CHAPTER 58 MIRROR CONFIGURATION .................................................................58-32 58.1 INTRODUCTION TO MIRROR............................................................................................................. 58-32 58.2 MIRROR CONFIGURATION TASK LIST............................................................................................... 58-32 58.3 MIRROR EXAMPLES ....................................................................................................................... 58-33 58.4 DEVICE MIRROR TROUBLESHOOTING .............................................................................................. 58-34 CHAPTER 59 SFLOW CONFIGURATION...................................................................59-35 59.1 INTRODUCTION TO SFLOW .............................................................................................................. 59-35 59.2 SFLOW CONFIGURATION TASK LIST ................................................................................................ 59-35 59.3 SFLOW EXAMPLES ......................................................................................................................... 59-37 59.4 SFLOW TROUBLESHOOTING ........................................................................................................... 59-38 CHAPTER 60 RSPAN CONFIGURATION ...................................................................60-39 60.1 INTRODUCTION TO RSPAN ............................................................................................................ 60-39 60.2 RSPAN CONFIGURATION TASK LIST .............................................................................................. 60-41 60.3 TYPICAL EXAMPLES OF RSPAN..................................................................................................... 60-42 60.4 RSPAN TROUBLESHOOTING .......................................................................................................... 60-45 CHAPTER 61 ERSPAN................................................................................................61-46 61.1 INTRODUCTION TO ERSPAN .......................................................................................................... 61-46 61.2 ERSPAN CONFIGURATION TASK LIST ............................................................................................ 61-46 61.3 TYPICAL EXAMPLES OF ERSPAN .................................................................................................. 61-47 61.4 ERSPAN TROUBLESHOOTING ....................................................................................................... 61-49 CHAPTER 62 SNTP CONFIGURATION ......................................................................62-50 62.1 INTRODUCTION TO SNTP ............................................................................................................... 62-50 62.2 TYPICAL EXAMPLES OF SNTP CONFIGURATION .............................................................................. 62-51 13 CHAPTER 63 NTP FUNCTION CONFIGURATION .....................................................63-52 63.1 INTRODUCTION TO NTP FUNCTION ................................................................................................. 63-52 63.2 NTP FUNCTION CONFIGURATION TASK LIST.................................................................................... 63-52 63.3 TYPICAL EXAMPLES OF NTP FUNCTION .......................................................................................... 63-55 63.4 NTP FUNCTION TROUBLESHOOTING ............................................................................................... 63-55 CHAPTER 64 SUMMER TIME CONFIGURATION ......................................................64-56 64.1 INTRODUCTION TO SUMMER TIME ................................................................................................... 64-56 64.2 SUMMER TIME CONFIGURATION TASK SEQUENCE ........................................................................... 64-56 64.3 EXAMPLES OF SUMMER TIME ......................................................................................................... 64-57 64.4 SUMMER TIME TROUBLESHOOTING ................................................................................................. 64-57 CHAPTER 65 DNSV4/V6 CONFIGURATION ..............................................................65-58 65.1 INTRODUCTION TO DNS ................................................................................................................. 65-58 65.2 DNSV4/V6 CONFIGURATION TASK LIST .......................................................................................... 65-59 65.3 TYPICAL EXAMPLES OF DNS.......................................................................................................... 65-61 65.4 DNS TROUBLESHOOTING............................................................................................................... 65-63 CHAPTER 66 MONITOR AND DEBUG .......................................................................66-64 66.1 PING ............................................................................................................................................. 66-64 66.2 PING6 ........................................................................................................................................... 66-64 66.3 TRACEROUTE ................................................................................................................................ 66-64 66.4 TRACEROUTE6 .............................................................................................................................. 66-65 66.5 SHOW ........................................................................................................................................... 66-65 66.6 DEBUG .......................................................................................................................................... 66-66 66.7 SYSTEM LOG ................................................................................................................................. 66-66 66.7.1 System Log Introduction ................................................................................................... 66-66 66.7.2 System Log Configuration................................................................................................. 66-69 66.7.3 System Log Configuration Example.................................................................................. 66-70 CHAPTER 67 RELOAD SWITCH AFTER SPECIFIED TIME ......................................67-71 67.1 INTRODUCTION TO RELOAD SWITCH AFTER SPECIFIED TIME ............................................................ 67-71 67.2 RELOAD SWITCH AFTER SPECIFIED TIME TASK LIST ........................................................................ 67-71 CHAPTER 68 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU ........................................................................................................................68-72 68.1 INTRODUCTION TO DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU........... 68-72 68.2 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU TASK LIST ...................... 68-72 14 CHAPTER 69 DYING GASP CONFIGURATION .........................................................69-73 69.1 INTRODUCTION TO DYING GASP...................................................................................................... 69-73 69.2 DYING GASP TYPICAL EXAMPLES ................................................................................................... 69-73 69.3 DYING GASP TROUBLESHOOTING ................................................................................................... 69-73 CHAPTER 70 POE CONFIGURATION ........................................................................70-74 70.1 INTRODUCTION TO POE.................................................................................................................. 70-74 70.2 POE CONFIGURATION .................................................................................................................... 70-74 70.3 TYPICAL APPLICATION OF POE....................................................................................................... 70-76 70.4 POE TROUBLESHOOTING HELP ...................................................................................................... 70-77 15 User’s Manual of SGS-6340 seriesT Chapter 1 INTRODUCTION Thank you for purchasing PLANET L3 Multi-Port Full Gigabit Stackable Managed Switch, SGS-6340-24T4S/SGS-6340-24P4S/SGS-6340-20S4C4X/SGS-6340-48T4S/SGS-6340-16XR. The descriptions of these models are as follows: SGS-6340-24T4S Layer 3 24-Port 10/100/1000T + 4-Port 1000X SFP Stackable Managed Switch SGS-6340-24P4S Layer 3 24-Port 10/100/1000T 802.3at PoE + 4-Port 1000X SFP Stackable Managed Switch (370W) SGS-6340-20S4C4X Layer 3 20-Port 100/1000X SFP + 4-Port Gigabit TP/SFP + 4-Port 10G SFP+ Stackable Managed Switch SGS-6340-48T4S Layer 3 48-Port 10/100/1000T + 4-Port 1000X SFP Stackable Managed Switch SGS-6340-16XR Layer 3 16-Port 10GBASE-SR/LR SFP+ Stackable Managed Switch (100~240V AC, -48~-60V DC) The term “Managed Switch” means the Switches mentioned in this user’s manual. 1.1 Packet Contents Open the box of the Managed Switch and carefully unpack it. The box should contain the following items: The Managed Switch x1 Quick Installation Guide x1 Power Cord x1 RJ45-to-DB9 Console Cable x1 Rubber Feet x4 Two Rack-mounting Brackets with Attachment x1 Screws SFP Dust Caps (Please refer to table below) SFP Dust Cap Model Name 4 SGS-6340-24T4S/24P4S/48T4S 16 SGS-6340-16XR 28 SGS-6340-20S4C4X If any of these are missing or damaged, please contact your dealer immediately; if possible, retain the carton including the original packing material, and use them again to repack the product in case there is a need to return it to us for repair. 1-1 User’s Manual of SGS-6340 seriesT 1.2 Product Description Cost-effective Layer 3 Routing Solution for Enterprise Intranet Networking Designed for enterprises and small- and medium-sized businesses where an intranet routing network is built, PLANET SGS-6340 Series, a Layer 3 Stackable Gigabit Managed Switch, provides hardware-based Layer 3 routing capability with IPv4/IPv6 static routing, RIP (Routing Information Protocol) and OSPF (Open Shortest Path First) routing features which allow to crossover different VLANs and different IP addresses, and performs effective data traffic control for security, VoIP and video streaming applications. Efficient IP Stacking Management The SGS-6340 Series supports IP stacking function that helps network managers to easily configure up to 24 switches in the same series via one single IP address instead of connecting and setting each unit one by one. It enables centralized management regardless of the series of switches being distributed in various locations. New switches can be flexibly added to the IP stacking group when network expands. Layer 3 Routing Support The SGS-6340 Series enables the administrator to conveniently boost network efficiency by configuring Layer 3 static routing manually, the RIP (Routing Information Protocol) or OSPF (Open Shortest Path First) settings automatically. The RIP can employ the hop count as a routing metric and prevent routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for the RIP is 15. The OSPF is an interior dynamic routing protocol for autonomous system based on link-state. The protocol creates a link-state database by exchanging link-states among Layer 3 switches, and then uses the Shortest Path First algorithm to generate a route table based on that database. 1-2 User’s Manual of SGS-6340 seriesT Abundant IPv6 Support The SGS-6340 Series provides IPv6 management and enterprise-level secure features such as SSH, ACL, WRR and RADIUS authentication. The SGS-6340 Series thus helps the enterprises to step in the IPv6 era with the lowest investment. In addition, you don’t need to replace the network facilities when the IPv6 FTTx edge network is built. High Performance The SGS-6340 Series boasts a high-performance switch architecture that is capable of providing non-blocking switch fabric and wire-speed throughput as high as 56~128Gbps, which greatly simplifies the tasks of upgrading the LAN for catering to increasing bandwidth demands. Robust Layer 2 Features The SGS-6340 Series can be programmed for basic switch management functions such as port speed configuration, port aggregation, VLAN, Spanning Tree Protocol, WRR, bandwidth control and IGMP snooping. The SGS-6340 Series provides 802.1Q tagged VLAN, Q-in-Q, voice VLAN and GVRP Protocol. The VLAN groups allowed to be on the SGS-6340 Series will be maximally up to 256. By supporting port aggregation, the SGS-6340 Series allows the operation of a high-speed trunk combined with multiple ports. It enables up to 128 groups for trunking with a maximum of 8 ports for each group. Excellent Traffic Control The SGS-6340 Series is loaded with powerful traffic management and WRR features to enhance services offered by telecoms. The WRR functionalities include wire-speed Layer 4 traffic classifiers and bandwidth limitation which are particularly useful for multi-tenant unit, multi-business unit, Telco, or network service applications. It also empowers the enterprises to take full advantage of the limited network resources and guarantees the best in VoIP and video conferencing transmission. Powerful Security The SGS-6340 Series supports ACL policies comprehensively. The traffic can be classified by source/destination IP addresses, source/destination MAC addresses, IP protocols, TCP/UDP, IP precedence, time ranges and ToS. Moreover, various policies can be conducted to forward the traffic. The SGS-6340 Series also provides IEEE 802.1x port based access authentication, which can be deployed with RADIUS, to ensure the port level security and block illegal users. Efficient Management For efficient management, the SGS-6340 Series Managed Gigabit Switch is equipped with console, Web and SNMP management interfaces. With its built-in Web-based management interface, the SGS-6340 Series offers an easy-to-use, platform-independent management and configuration facility. The SGS-6340 Series supports standard Simple Network Management Protocol (SNMP) and can be managed via any 1-3 User’s Manual of SGS-6340 seriesT standard-based management software. For text-based management, the SGS-6340 Series can be accessed via Telnet and the console port. Moreover, the SGS-6340 Series offers secure remote management by supporting SSH connection which encrypts the packet content at each session. Flexibility and Extension Solution The SGS-6340-20S4C4X provides twenty-four 100/1000Mbps dual speed SFP Fiber ports, four 1/10Gbps SFP+ Fiber ports, and four 10/100/1000Mbps TP/SFP combo ports. Each of the SFP+ slots supports Dual-Speed, 10GBASE-SR/LR or 1000BASE-SX/LX. Therefore, the administrator can flexibly choose the suitable SFP transceiver according to not only the transmission distance, but also the transmission speed required. The four mini-GBIC slots built in the SGS-6340-24T4S/48T4S/24P4S are compatible with 1000BASE-X and WDM SFP (Small Form-factor Pluggable) fiber-optic modules. The distance can be extended from 550 meters (multi-mode fiber) to 10/50/70/120 kilometers (single-mode fiber or WDM fiber). They are well suited for applications within the enterprise data centers and distributions. AC and DC Redundant Power to Ensure Continuous Operation (SGS-6340-20S4C4X only) The SGS-6340-20S4C4X is equipped with one 100~240V AC power supply unit and one additional -48 ~ -60V DC power supply unit for redundant power supply installation. A redundant power system is also provided to enhance the reliability with either AC or DC power supply unit. The redundant power system is specifically designed to handle the demands of high-tech facilities requiring the highest power integrity. Furthermore, with the -48 ~ -60V DC power supply implemented, the SGS-6340-20S4C4X can be applied as the telecom level device. Centralized Power Management for Gigabit Ethernet PoE Networking (SGS-6340-24P4S only) To fulfill the needs of higher power required PoE network applications with Gigabit speed transmission, the SGS-6340-24P4S features high-performance Gigabit IEEE 802.3af PoE (up to 15.4 watts) and IEEE 802.3at PoE+ (up to 30 watts) on all ports. It perfectly meets the power requirement of PoE VoIP phone and all kinds of PoE IP cameras such as IR, PTZ, speed dome cameras or even box type IP cameras with built-in fan and heater. 1-4 User’s Manual of SGS-6340 seriesT The SGS-6340-24P4S’s PoE capabilities also help to reduce deployment costs for network devices as a result of freeing from restrictions of power outlet locations. Power and data switching are integrated into one unit, delivered over a single cable and managed centrally. It thus eliminates cost for additional AC wiring and reduces installation time. PoE Schedule for Energy Saving (SGS-6340-24P4S only) Besides being used for IP surveillance, the SGS-6340-24P4S is certainly applicable to building any PoE network including VoIP and wireless LAN. Under the trend of energy saving worldwide and contributing to the environmental protection on the Earth, the SGS-6340-24P4S can effectively control the power supply besides its capability of giving high watts power. The “PoE schedule” function helps you to enable or disable PoE power feeding for each PoE port during specified time intervals and it is a powerful function to help SMBs or enterprises save energy and budget 1-5 User’s Manual of SGS-6340 seriesT 1.3 Product Features Physical Ports 4/24/48-Port 10/100/1000BASE-T Gigabit Ethernet RJ45 4/24 1000BASE-X mini-GBIC/SFP slots, SFP type auto detection (only SGS-6340-20S4C4X supports 100BASE-FX SFP) 4 10GBASE-SR/LR SFP+ slots, compatible with 1000BASE-SX/LX/BX SFP (SGS-6340-20S4C4X only) 16 10GBASE-SR/LR SFP+ slots, compatible with 1000BASE-SX/LX/BX SFP (SGS-6340-16XR only) RJ45 to DB9 console interface for switch basic management and setup Power over Ethernet (SGS-6340-24P4S only) Complies with IEEE 802.3at Power over Ethernet Plus, end-span PSE Backward compatible with IEEE 802.3af Power over Ethernet Up to 24 ports of IEEE 802.3af/802.3at devices powered Supports PoE power up to 30 watts for each PoE port Auto detects powered device (PD) Circuit protection prevents power interference between ports Remote power feeding up to 100 meters PoE management - Total PoE power budget control - Per port PoE function enable/disable - PoE port power feeding priority - Per PoE port power limitation - PD classification detection - PoE schedule IP Stacking Connects with stack member via both Gigabit TP and SFP interfaces Single IP address management, supporting up to 24 units stacked together IP Routing Features Supports maximum 128 static routes and route summarization Supports dynamic routing protocol: RIP and OSPF Layer 2 Features Complies with the IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3z Gigabit Ethernet standard Supports auto-negotiation and half-duplex/full-duplex modes for all 10BASE-T, 100BASE-TX and 1000BASE-T ports Auto-MDI/MDI-X detection on each RJ45 port Prevents packet loss flow control - IEEE 802.3x pause frame flow control in full-duplex mode - Back-pressure flow control in half-duplex mode High performance Store-and-Forward architecture, broadcast storm control, port loopback detect 1-6 User’s Manual of SGS-6340 seriesT 16K MAC address table, automatic source address learning and aging Supports VLAN - IEEE 802.1Q tag-based VLAN - GVRP for dynamic VLAN management - Up to 256 VLANs groups, out of 4041 VLAN IDs - Provider Bridging (VLAN Q-in-Q, IEEE 802.1ad) supported - Private VLAN Edge (PVE) supported - GVRP protocol for Management VLAN - Protocol-based VLAN - MAC-based VLAN - IP subnet VLAN Supports Link Aggregation - Maximum 128 trunk groups, up to 8 ports per trunk group - IEEE 802.3ad LACP (Link Aggregation Control Protocol) - Cisco ether-channel (static trunk) Supports Spanning Tree Protocol - STP, IEEE 802.1D (Classic Spanning Tree Protocol) - RSTP, IEEE 802.1w (Rapid Spanning Tree Protocol) - MSTP, IEEE 802.1s (Multiple Spanning Tree Protocol, spanning tree by VLAN) - Supports BPDU & root guard Port mirroring to monitor the incoming or outgoing traffic on a particular port (many to many) Provides port mirror (many-to-1) Quality of Service 8 priority queues on all switch ports Support for strict priority and WRR (Weighted Round Robin) CoS policies Traffic classification - IEEE 802.1p CoS/ToS - IPv4/IPv6 DSCP - Port-based WRR Strict priority and WRR CoS policies Multicast Supports IPv4 IGMP snooping v1, v2 and v3, IPv6 MLD v1 and v2 snooping Querier mode support Supports Multicast VLAN Register (MVR) Security IEEE 802.1x port-based network access authentication MAC-based network access authentication Built-in RADIUS client to co-operate with the RADIUS servers for IPv4 and IPv6 TACACS+ login users access authentication IP-based Access Control List (ACL) MAC-based Access Control List Supports DHCP snooping 1-7 User’s Manual of SGS-6340 seriesT Supports ARP inspection IP Source Guard prevents IP spoofing attacks Dynamic ARP Inspection discards ARP packets with invalid MAC address to IP address binding Management Management IP for IPv4 and IPv6 Switch Management Interface - Console/Telnet Command Line Interface - Web switch management - SNMP v1, v2c, and v3 switch management - SSH/SSL secure access BOOTP and DHCP for IP address assignment Firmware upload/download via TFTP or HTTP Protocol for IPv4 and IPv6 SNTP (Simple Network Time Protocol) for IPv4 and IPv6 User privilege levels control Syslog server for IPv4 and IPv6 Four RMON groups 1, 2, 3, 9 (history, statistics, alarms and events) Supports ping, trace route function for IPv4 and IPv6 1-8 User’s Manual of SGS-6340 seriesT 1.4 Product Specifications Product SGS-6340-24T4S SGS-6340-24P4S SGS-6340-48T4S Hardware Specifications Copper Ports 24 10/100/1000BASE-T 24 10/100/1000BASE-T 48 10/100/1000BASE-T RJ45 auto-MDI/MDI-X RJ45 auto-MDI/MDI-X RJ45 auto-MDI/MDI-X ports ports ports 24 ports with 802.3at/af - PoE Injector Port - PoE injector function SFP/mini-GBIC Slots 4 1000BASE-X SFP interfaces Console 1 x RJ45-to-RS232 serial port (9600, 8, N, 1) Switch Architecture Store-and-forward Switch Fabric 56Gbps/non-blocking 56Gbps/non-blocking 104Gbps/non-blocking Switch Throughput 41.66Mpps 41.66Mpps 77.38Mpps Address Table 16K MAC address table with auto learning function Shared Data Buffer 1.5MB Flow Control Jumbo Frame Dimensions (W x D x H) Weight Power Consumption Power Requirements Back pressure for half-duplex IEEE 802.3x pause frame for full-duplex 9KB 442 x 220 x 44 mm, 1U 442 x 330 x 44 mm, 1U 442 x 280 x 44 mm, 1U height height height 2340g 4503g 3702g 19.2 watts/65.51 BTU 449 watts/1532.05 BTU 38 watts/129 BTU (maximum) (maximum) (maximum) AC 100~240V, 50/60Hz Power over Ethernet PoE Standard -- IEEE 802.3at PoE+ PSE -- PoE Power Supply Type -- End-span -- -- Per port 54V DC, 33 -- PoE Power Output watts (max.) Power Pin Assignment -- 1/2(+), 3/6(-) -- PoE Power Budget -- 370 watts (max.) -- PoE Ability PD @ 9 watts -- 24 units -- PoE Ability PD @ 15 watts -- 24 units -- PoE Ability PD @ 30 watts -- 12 units -- 1-9 User’s Manual of SGS-6340 seriesT Management Functions System Configuration Console, Telnet, SSH, Web browser, SNMP v1, v2c and v3 Supports both IPv4 and IPv6 addressing Supports the user IP security inspection for IPv4/IPv6 SNMP Supports MIB and TRAP Supports IPv4/IPv6 FTP/TFTP Supports IPv4/IPv6 NTP Supports RMON 1, 2, 3, 9 four groups Supports the RADIUS authentication for IPv4/IPv6 Telnet user name and Management password Supports IPv4/IPv6 SSH The right configuration for users to adopt RADIUS server’s shell management Supports CLI, console, Telnet Supports SNMP v1, v2c and v3 Supports Security IP safety net management function: avoid unlawful landing at nonrestrictive area Supports Syslog server for IPv4 and IPv6 Supports TACACS+ Layer 3 Functions IP Interface Per VLAN, up to 128 IPv4/IPv6 Static routing Routing Protocol RIPv1/v2 OSPFv1/v2 Routing Table 128 Layer 2 Functions Port disable/enable Auto-negotiation 10/100/1000Mbps full and half duplex mode selection Port Configuration Flow control disable/enable Bandwidth control on each port Port loopback detect Port Status Display each port’s speed duplex mode, link status, flow control status and auto negotiation status 802.1Q tagged based VLAN, up to 256 VLAN groups 802.1ad Q-in-Q (VLAN stacking) VLAN GVRP for VLAN management Private VLAN Edge (PVE) supported Protocol-based VLAN MAC-based VLAN 1-10 User’s Manual of SGS-6340 seriesT IP subnet VLAN Bandwidth Control Link Aggregation TX/RX/both IEEE 802.3ad LACP/static trunk Supports 128 groups with 8 ports per trunk group 8 priority queues on all switch ports Supports strict priority and Weighted Round Robin (WRR) CoS policies QoS Traffic classification: - IEEE 802.1p CoS/ToS - IPv4/IPv6 DSCP - Port-based WRR IGMP v1/v2/v3 snooping Multicast Querier mode support MLD v1/v2 snooping Multicast VLAN Register (MVR) Supports Standard and Expanded ACL Access Control List IP-based ACL/MAC-based ACL Time-based ACL Up to 512 entries Bandwidth Control At least 64Kbps step Supports MAC + port binding IPv4/IPv6 + MAC + port binding Security IPv4/IPv6 + port binding Supports MAC filter ARP scanning prevention Authentication IEEE 802.1x port-based network access control AAA authentication: TACACS+ and IPv4/IPv6 over RADIUS RFC 1213 MIB-II RFC 1215 Internet Engineering Task Force RFC 1271 RMON RFC 1354 IP-Forwarding MIB RFC 1493 Bridge MIB RFC 1643 Ether-like MIB SNMP MIBs RFC 1907 SNMP v2 RFC 2011 IP/ICMP MIB RFC 2012 TCP MIB RFC 2013 UDP MIB RFC 2096 IP forward MIB RFC 2233 if MIB RFC 2452 TCP6 MIB 1-11 User’s Manual of SGS-6340 seriesT RFC 2454 UDP6 MIB RFC 2465 IPv6 MIB RFC 2466 ICMP6 MIB RFC 2573 SNMP v3 notify RFC 2574 SNMP v3 vacm RFC 2674 Bridge MIB Extensions (IEEE 802.1Q MIB) RFC 2674 Bridge MIB Extensions (IEEE 802.1P MIB) Standard Conformance Regulatory Compliance FCC Part 15 Class A, CE Standards Compliance IEEE 802.3 10BASE-T IEEE 802.3u 100BASE-TX IEEE 802.3z Gigabit 1000BASE-SX/LX IEEE 802.3ab Gigabit 1000BASE-T IEEE 802.3x flow control and back pressure IEEE 802.3ad port trunk with LACP IEEE 802.1D Spanning Tree Protocol IEEE 802.1w Rapid Spanning Tree Protocol IEEE 802.1s Multiple Spanning Tree Protocol IEEE 802.1p Class of Service IEEE 802.1Q VLAN tagging IEEE 802.1X port authentication network control IEEE 802.1ab LLDP IEEE 802.3af Power over Ethernet (SGS-6340-24P4S) IEEE 802.3at Power over Ethernet PLUS (SGS-6340-24P4S) RFC 768 UDP RFC 793 TFTP RFC 791 IP RFC 792 ICMP RFC 2068 HTTP RFC 1112 IGMP v1 RFC 2236 IGMP v2 RFC 3376 IGMP v3 RFC 2710 MLD v1 FRC 3810 MLD v2 RFC 2328 OSPF v2 RFC 1058 RIP v1 RFC 2453 RIP v2 Environment Operating Temperature: Relative Humidity: 0 ~ 50 degrees C 5 ~ 90% (non-condensing) Storage Temperature: Relative Humidity: -10 ~ 70 degrees C 5 ~ 90% (non-condensing) 1-12 User’s Manual of SGS-6340 seriesT Product SGS-6340-20S4C4X SGS-6340-16XR Hardware Specifications 4 10/100/1000BASE-T RJ45 Copper Ports auto-MDI/MDI-X ports, shared with -- port-21 to port-24 24 100/1000BASE-X SFP interfaces SFP/mini-GBIC Slots Compatible with 100BASE-FX SFP -- transceiver 4 10GBASE-SR/LR SFP+ interface SFP+ Slots (port-25 to port-28) Compatible with 1000BASE-SX/LX/BX SFP transceiver 16 10GBASE-SR/LR SFP+ interface Compatible with 1000BASE-SX/LX/BX SFP transceiver Console 1 x RJ45-to-RS232 serial port (9600, 8, N, 1) Switch Architecture Store-and-forward Switch Fabric 128Gbps/non-blocking 320Gbps/non-blocking Switch Throughput 95.24Mpps 238Mpps 16K MAC address table with auto 16K MAC address table with auto learning function learning function 1.5MB 2MB Address Table Shared Data Buffer Flow Control Back pressure for half-duplex IEEE 802.3x pause frame for full-duplex Jumbo Frame 9KB Dimensions (W x D x H) 442 x 220 x 44 mm, 1U height 440 x 240 x 44 mm, 1U height Weight 2821g 3100g Power Consumption 54.5 watts/185.96 BTU (maximum) 27 watts/93 BTU (maximum) AC 100~240V, 50/60Hz AC 100~240V, 50/60Hz DC -48 ~ -60V DC -48 ~ -60V 2 1 Power Requirements Fan Management Function System Configuration Console, Telnet, SSH, Web browser, SNMP v1, v2c and v3 Supports both IPv4 and IPv6 addressing Supports the user IP security inspection for IPv4/IPv6 SNMP Management Supports MIB and TRAP Supports IPv4/IPv6 FTP/TFTP Supports IPv4/IPv6 NTP Supports RMON 1, 2, 3, 9 four groups 1-13 User’s Manual of SGS-6340 seriesT Supports the RADIUS authentication for IPv4/IPv6 Telnet user name and password Supports IPv4/IPv6 SSH The right configuration for users to adopt RADIUS server’s shell management Supports CLI, console, Telnet Supports SNMPv1, v2c and v3 Supports Security IP safety net management function: avoid unlawful landing at non-restrictive area Supports Syslog server for IPv4 and IPv6 Supports TACACS+ Layer 3 Function IP Interface Routing Protocol Routing Table Per VLAN, up to 128 Per VLAN, up to 64 IPv4/IPv6 static routing IPv4/IPv6 static routing RIPv1/v2 RIPv1/v2 OSPFv1/v2 OSPFv1/v2 128 64 Layer 2 Function Port disable/enable Auto-negotiation 10/100/1000Mbps full and half duplex mode selection Port Configuration Flow control disable/enable Bandwidth control on each port Port loopback detect Port Status Display each port’s speed duplex mode, link status, flow control status and auto negotiation status 802.1Q tagged based VLAN, up to 256 VLAN groups 802.1ad Q-in-Q (VLAN stacking) GVRP for VLAN management VLAN Private VLAN Edge (PVE) supported Protocol-based VLAN MAC-based VLAN IP subnet VLAN Bandwidth Control Link Aggregation TX/RX/both IEEE 802.3ad LACP/static trunk Supports 128 groups with 8 ports per trunk group 8 priority queues on all switch ports Supports strict priority and Weighted Round Robin (WRR) CoS policies QoS Traffic classification: - IEEE 802.1p CoS/ToS - IPv4/IPv6 DSCP 1-14 User’s Manual of SGS-6340 seriesT - Port-based WRR IGMP v1/v2/v3 snooping Querier mode support Multicast MLD v1/v2 snooping Querier mode support Multicast VLAN Register (MVR) Supports Standard and Expanded ACL Access Control List IP-based ACL/MAC-based ACL Time-based ACL Up to 512 entries Bandwidth Control At least 64Kbps stream Supports MAC + port binding IPv4/IPv6 + MAC + port binding Security IPv4/IPv6 + port binding Supports MAC filter ARP scanning prevention Authentication SNMP MIBs IEEE 802.1x port-based network access control AAA authentication: TACACS+ and IPv4/IPv6 over RADIUS RFC 1213 MIB-II RFC 1215 Internet Engineering Task Force RFC 1271 RMON RFC 1354 IP-Forwarding MIB RFC 1493 Bridge MIB RFC 1643 Ether-like MIB RFC 1907 SNMPv2 RFC 2011 IP/ICMP MIB RFC 2012 TCP MIB RFC 2013 UDP MIB RFC 2096 IP forward MIB RFC 2233 if MIB RFC 2452 TCP6 MIB RFC 2454 UDP6 MIB RFC 2465 IPv6 MIB RFC 2466 ICMP6 MIB RFC 2573 SNMPv3 notification RFC 2574 SNMPv3 VACM RFC 2674 Bridge MIB Extensions Standard Conformance Regulatory Compliance FCC Part 15 Class A, CE Standards Compliance IEEE 802.3 10BASE-T IEEE 802.3u 100BASE-TX IEEE 802.3z Gigabit 1000BASE-SX/LX IEEE 802.3ab Gigabit 1000BASE-T IEEE 802.3ae 10Gb/s Ethernet IEEE 802.3x flow control and back pressure 1-15 User’s Manual of SGS-6340 seriesT IEEE 802.3ad port trunk with LACP IEEE 802.1D Spanning Tree Protocol IEEE 802.1w Rapid Spanning Tree Protocol IEEE 802.1s Multiple Spanning Tree Protocol IEEE 802.1p Class of Service IEEE 802.1Q VLAN tagging IEEE 802.1X port authentication network control IEEE 802.1ab LLDP RFC 768 UDP RFC 793 TFTP RFC 791 IP RFC 792 ICMP RFC 2068 HTTP RFC 1112 IGMP v1 RFC 2236 IGMP v2 RFC 3376 IGMP v3 RFC 2710 MLD v1 FRC 3810 MLD v2 RFC 2328 OSPF v2 RFC 1058 RIP v1 RFC 2453 RIP v2 Environment Operating Temperature: Relative Humidity: 0 ~ 50 degrees C 5 ~ 90% (non-condensing) Storage Temperature: Relative Humidity: -10 ~ 70 degrees C 5 ~ 90% (non-condensing) 1-16 User’s Manual of SGS-6340 seriesT Chapter 2 INSTALLATION This section describes how to install your Managed Switch and make connections to the Managed Switch. Please read the following topics and perform the procedures in the order being presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps. In this paragraph, we will describe how to install the Managed Switch and the installation points attended to it. 2.1 Hardware Description 2.1.1 Switch Front Panel The unit front panel provides a simple interface monitoring the switch. Figure 2-1~ Figure 2-4 shows the front panel of the Managed Switch. SGS-6340-24T4S Front Panel Figure 2-1 SGS-6340-24T4S front panel SGS-6340-48T4S Front Panel Figure 2-2 SGS-6340-48T4S front panel SGS-6340-24P4S Front Panel Figure 2-3 SGS-6340-24P4S front panel SGS-6340-20S4C4X Front Panel Figure 2-4 SGS-6340-20S4C4X Front Panel 17 User’s Manual of SGS-6340 seriesT SGS-6340-16XR Front Panel Figure 2-4 SGS-6340-16XR Front Panel ■ Gigabit TP interface 10/100/1000BASE-T Copper, RJ45 Twisted-pair: Up to 100 meters. ■ Gigabit SFP slots 100/1000BASE-X mini-GBIC slot, SFP (Small Factor Pluggable) transceiver module: From 550 meters to 2km (multi-mode fiber), up to above 10/20/30/40/50/70/120 kilometers (single-mode fiber). Only SGS-6340-20S4C4X supports 100BASE-FX. ■ 10 Gigabit SFP slot 10GBASE-SR/LR mini-GBIC slot, SFP (Small Factor Pluggable) Transceiver Module supports from 300 meters (Multi-mode Fiber), up to 10 kilometers (Single Mode Fiber) ■ Console Port The console port is a RJ45 port connector. It is an interface for connecting a terminal directly. Through the console port, it provides rich diagnostic information including IP Address setting, factory reset, port management, link status and system setting. Users can use the attached DB9 to RJ45 console cable in the package and connect to the console port on the device. After the connection, users can run any terminal emulation program (Hyper Terminal, ProComm Plus, Telix, Winterm and so on) to enter the startup screen of the device. ■ Reset button On the front panel, the reset button is designed for rebooting the Managed Switch without turning off and on the power. ■ DC Power Connector (SGS-6340-20S4C4X only) The front panel of the Managed Switch contains a power switch and a DC power connector, which accepts DC power input voltage from -48V to -60V DC. Connect the power cable to the Managed Switch at the input terminal block. The wire gauge for the terminal block should be in the range of 12 ~ 24 AWG. 18 User’s Manual of SGS-6340 seriesT 2.1.2 LED Indications The front panel LEDs indicate instant status of port links, data activity, system operation, stack status and system power. SGS-6340-24T4S LED Indication Figure 2-5 SGS-6340-24T4S LED Panel ■ System LED PWR SYS Color Green Off Green Function Lights to indicate that the Switch has power. Power is off. Lights to indicate the system diagnosis is completed. Blinks to indicate boot is enable. ■ 10/100/1000BASE-T Interfaces LED Color Function Lights to indicate the link through that port is successfully established LNK/ACT Green Blinks to indicate that the switch is actively sending or receiving data over that port. Off No flow goes through the port. ■ SFP Interfaces LED LNK/ACT Color Green Off Function Lights to indicate the link through that port is successfully established No flow goes through the port. 19 User’s Manual of SGS-6340 seriesT SGS-6340-48T4S LED Indication Figure 2-6 SGS-6340-48P4S LED Panel ■ System LED PWR SYS Color Green Off Green Function Lights to indicate that the Switch has power. Power is off. Lights to indicate the system diagnosis is completed. Blinks to indicate boot is enable. ■ 10/100/1000BASE-T Interfaces LED Color Function Lights to indicate the link through that port is successfully established LNK/ACT Green Blinks to indicate that the switch is actively sending or receiving data over that port. Off No flow goes through the port. ■ SFP Interfaces LED LNK/ACT Color Green Off Function Lights to indicate the link through that port is successfully established No flow goes through the port. 20 User’s Manual of SGS-6340 seriesT SGS-6340-24P4S LED Indication Figure 2-7 SGS-6340-24P4S LED Panel ■ System LED PWR SYS Color Green Off Green Function Lights to indicate that the Switch has power. Power is off. Lights to indicate the system diagnosis is completed. Blinks to indicate boot is enable. ■ 10/100/1000BASE-T Interfaces LED Color Function Lights to indicate the link through that port is successfully established LNK/ACT Green port. Off PoE In-Use Blinks to indicate that the switch is actively sending or receiving data over that Green No flow goes through the port. Lights to indicate the port is providing 54V DC in-line power. ■ SFP Interfaces LED LNK/ACT Color Green Off Function Lights to indicate the link through that port is successfully established No flow goes through the port. 21 User’s Manual of SGS-6340 seriesT SGS-6340-20S4C4X LED Indication Figure 2-8 SGS-6340-20S4C4X LED Panel ■ System LED PWR SYS Color Green Off Green Function Lights to indicate that the Switch has power. Power is off. Lights to indicate the system diagnosis is completed. Blinks to indicate boot is enable. ■ 10/100/1000BASE-T Interfaces LED Color Function Lights to indicate the link through that port is successfully established LNK/ACT Green Blinks to indicate that the switch is actively sending or receiving data over that port. Off No flow goes through the port. ■ 100/1000X SFP Interfaces LED LNK/ACT Color Green Off Function Lights to indicate the link through that port is successfully established No flow goes through the port. ■ 1/10G SFP+ Interfaces LED LNK/ACT Color Green Off Function Lights to indicate the link through that port is successfully established No flow goes through the port. 22 User’s Manual of SGS-6340 seriesT SGS-6340-16XR LED Indication Figure 2-8 SGS-6340-16XR LED Panel ■ System/Alarm LED PWR SYS FAN Color Green Off Green Function Lights to indicate that the Switch has power. Power is off. Blinks to indicate the system diagnosis is completed. Off System is booting. Red Lights to indicate that the Switch has fan fault. 23 User’s Manual of SGS-6340 seriesT 2.1.3 Switch Rear Panel The rear panel of the Managed Switch indicates an AC inlet power socket, which accepts input power from 100 to 240V AC, 50-60Hz. Figure 2-9 ~ Figure 2-12 shows the rear panel of this Managed Switch. SGS-6340-24T4S Rear Panel Figure 2-9 Rear Panel of SGS-6340-24T4S SGS-6340-48T4S Rear Panel Figure 2-10 Rear Panel of SGS-6340-48T4S SGS-6340-24P4S Rear Panel Figure 2-11 Rear Panel of SGS-6340-24P4S SGS-6340-20S4C4X Rear Panel Figure 2-12 Rear Panel of SGS-6340-20S4C4X SGS-6340-16XR Rear Panel Figure 2-12 Rear Panel of SGS-6340-16XR 24 User’s Manual of SGS-6340 seriesT ■ AC Power Receptacle For compatibility with electric service in most areas of the world, the Managed Switch’s power supply automatically adjusts to line power in the range of 100-240VAC and 50/60 Hz. Plug the female end of the power cord firmly into the receptacle on the rear panel of the Managed Switch. Plug the other end of the power cord into an electric service outlet then the power will be ready. ■ DC Power Connector (SGS-6340-16XR only) The front panel of the Managed Switch contains a power switch and a DC power connector, which accepts DC power input voltage from -48V to -60V DC. Connect the power cable to the Managed Switch at the input terminal block. The device is a power-required device, meaning it will not work till it is powered. If your networks should be active all the time, please consider using UPS (Uninterruptible Power Supply) for your device. It will prevent you from network data loss or network downtime. Power Notice: In some areas, installing a surge suppression device may also help to protect your Managed Switch from being damaged by unregulated surge or current to the Switch or the power adapter. 25 User’s Manual of SGS-6340 seriesT 2.2 Installing the Managed Switch This section describes how to install your Managed Switch and make connections to the Managed Switch. Please read the following topics and perform the procedures in the order being presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps. In this paragraph, we will describe how to install the Managed Switch and the installation points attended to it. 2.2.1 Desktop Installation To install the Managed Switch on desktop or shelf, please follows these steps: Step 1: Attach the rubber feet to the recessed areas on the bottom of the Managed Switch. Step 2: Place the Managed Switch on the desktop or the shelf near an AC power source, as shown in Figure 2-13. Figure 2-13 Place the Managed Switch on the desk Step 3: Keep enough ventilation space between the Managed Switch and the surrounding objects. Step 4: Connect the Managed Switch to network devices. Connect one end of a standard network cable to the 10/100/1000 RJ45 ports on the front of the Managed Switch. Connect the other end of the cable to the network devices such as printer servers, workstations, routers or others. Connection to the Managed Switch requires UTP Category 5 network cabling with RJ45 tips. For more information, please see the Cabling Specification in Appendix A. 26 User’s Manual of SGS-6340 seriesT Step 5: Supply power to the Managed Switch. Connect one end of the power cable to the Managed Switch. Connect the power plug of the power cable into a standard wall outlet. When the Managed Switch receives power, the Power LED should remain solid Green. 2.2.2 Rack Mounting To install the Managed Switch in a 19-inch standard rack, please follow the instructions described below. Step 1: Place the Managed Switch on a hard flat surface, with the front panel positioned towards the front side. Step 2: Attach the rack-mount bracket to each side of the Managed Switch with supplied screws attached to the package. Figure 2-14 shows how to attach brackets to one side of the Managed Switch. Figure 2-14 Attach brackets to the Managed Switch. You must use the screws supplied with the mounting brackets. Damage caused to the parts by using incorrect screws would invalidate the warranty. Step 3: Secure the brackets tightly. Step 4: Follow the same steps to attach the second bracket to the opposite side. Step 5: After the brackets are attached to the Managed Switch, use suitable screws to securely attach the brackets to the rack, as shown in Figure 2-15. 27 User’s Manual of SGS-6340 seriesT Figure 2-15 Mounting SGS-6340 Series in a Rack Step 6: Proceeds with steps 4 and 5 of session 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch. 2.2.3 Installing the SFP/SFP+ Transceiver The sections describe how to insert an SFP/SFP+ transceiver into an SFP/SFP+ slot. The SFP/SFP+ transceivers are hot-pluggable and hot-swappable. You can plug in and out the transceiver to/from any SFP/SFP+ port without having to power down the Managed Switch, as the Figure 2-16 shows. Figure 2-16 Plug in the SFP transceiver 28 User’s Manual of SGS-6340 seriesT Approved PLANET SFP/SFP+ Transceivers PLANET Managed Switch supports both single mode and multi-mode SFP/SFP+ transceivers. The following list of approved PLANET SFP/SFP+ transceivers is correct at the time of publication: Fast Ethernet Transceiver (100BASE-X SFP) Connector Interface Model Speed (Mbps) Fiber Mode Distance Wavelength (nm) Operating Temp. MFB-FX 100 LC Multi Mode 2km 1310nm 0 ~ 60 degrees C MFB-F20 100 LC Single Mode 20km 1310nm 0 ~ 60 degrees C MFB-F40 100 LC Single Mode 40km 1310nm 0 ~ 60 degrees C MFB-F60 100 LC Single Mode 60km 1310nm 0 ~ 60 degrees C MFB-F120 100 LC Single Mode 120km 1550nm 0 ~ 60 degrees C MFB-TFX 100 LC Multi Mode 2km 1310nm -40 ~ 75 degrees C MFB-TF20 100 LC Single Mode 20km 1550nm -40 ~ 75 degrees C Fast Ethernet Transceiver (100BASE-BX, Single Fiber Bi-directional SFP) Model Speed (Mbps) MFB-FA20 100 MFB-FB20 Connector Interface Fiber Mode Distance Wavelength (TX/RX) Operating Temp. WDM(LC) Single Mode 20km 1310nm/1550nm 0 ~ 60 degrees C 100 WDM(LC) Single Mode 20km 1550nm/1310nm 0 ~ 60 degrees C MFB-TFA20 100 WDM(LC) Single Mode 20km 1310nm/1550nm -40 ~ 75 degrees C MFB-TFB20 100 WDM(LC) Single Mode 20km 1550nm/1310nm -40 ~ 75 degrees C MFB-TFA40 100 WDM(LC) Single Mode 40km 1310nm/1550nm -40 ~ 75 degrees C MFB-TFB40 100 WDM(LC) Single Mode 40km 1550nm/1310nm -40 ~ 75 degrees C Gigabit Ethernet Transceiver (1000BASE-X SFP) Connector Interface Model Speed (Mbps) Fiber Mode Distance Wavelength (nm) Operating Temp. MGB-GT 1000 Copper -- 100m -- 0 ~ 60 degrees C MGB-SX 1000 LC Multi Mode 550m 850nm 0 ~ 60 degrees C MGB-SX2 1000 LC Multi Mode 2km 1310nm 0 ~ 60 degrees C MGB-LX 1000 LC Single Mode 10km 1310nm 0 ~ 60 degrees C MGB-L30 1000 LC Single Mode 30km 1310nm 0 ~ 60 degrees C MGB-L50 1000 LC Single Mode 50km 1550nm 0 ~ 60 degrees C MGB-L70 1000 LC Single Mode 70km 1550nm 0 ~ 60 degrees C MGB-L120 1000 LC Single Mode 120km 1550nm 0 ~ 60 degrees C MGB-TSX 1000 LC Multi Mode 550m 850nm -40 ~ 75 degrees C MGB-TLX 1000 LC Single Mode 10km 1310nm -40 ~ 75 degrees C MGB-TL30 1000 LC Single Mode 30km 1310nm -40 ~ 75 degrees C MGB-TL70 1000 LC Single Mode 70km 1550nm -40 ~ 75 degrees C 29 User’s Manual of SGS-6340 seriesT Gigabit Ethernet Transceiver (1000BASE-BX, Single Fiber Bi-directional SFP) Connector Interface Model Speed (Mbps) Fiber Mode Distance Wavelength (TX/RX) Operating Temp. MGB-LA10 1000 WDM(LC) Single Mode 10km 1310nm/1550nm 0 ~ 60 degrees C MGB-LB10 1000 WDM(LC) Single Mode 10km 1550nm/1310nm 0 ~ 60 degrees C MGB-LA20 1000 WDM(LC) Single Mode 20km 1310nm/1550nm 0 ~ 60 degrees C MGB-LB20 1000 WDM(LC) Single Mode 20km 1550nm/1310nm 0 ~ 60 degrees C MGB-LA40 1000 WDM(LC) Single Mode 40km 1310nm/1550nm 0 ~ 60 degrees C MGB-LB40 1000 WDM(LC) Single Mode 40km 1550nm/1310nm 0 ~ 60 degrees C MGB-LA60 1000 WDM(LC) Single Mode 60km 1310nm/1550nm 0 ~ 60 degrees C MGB-LB60 1000 WDM(LC) Single Mode 60km 1550nm/1310nm 0 ~ 60 degrees C MGB-TLA10 1000 WDM(LC) Single Mode 10km 1310nm/1550nm -40 ~ 75 degrees C MGB-TLB10 1000 WDM(LC) Single Mode 10km 1550nm/1310nm -40 ~ 75 degrees C MGB-TLA20 1000 WDM(LC) Single Mode 20km 1310nm/1550nm -40 ~ 75 degrees C MGB-TLB20 1000 WDM(LC) Single Mode 20km 1550nm/1310nm -40 ~ 75 degrees C MGB-TLA40 1000 WDM(LC) Single Mode 40km 1310nm/1550nm -40 ~ 75 degrees C MGB-TLB40 1000 WDM(LC) Single Mode 40km 1550nm/1310nm -40 ~ 75 degrees C MGB-TLA60 1000 WDM(LC) Single Mode 60km 1310nm/1550nm -40 ~ 75 degrees C MGB-TLB60 1000 WDM(LC) Single Mode 60km 1550nm/1310nm -40 ~ 75 degrees C 10Gbps SFP+ (10G Ethernet/10GBASE) Model Speed (Mbps) Connector Interface Fiber Mode Distance MTB-SR 10G LC Multi Mode Up to 300m 850nm 0 ~ 60 degrees C MTB-LR 10G LC Single Mode 10km 1310nm 0 ~ 60 degrees C Wavelength (nm) Operating Temp. 10Gbps SFP+ (10GBASE-BX, Single Fiber Bi-directional SFP) Model Speed (Mbps) Connector Interface Fiber Mode Distance MTB-LA20 10G WDM(LC) Single Mode 20km MTB-LB20 10G WDM(LC) Single Mode MTB-LA40 10G WDM(LC) MTB-LB40 10G MTB-LA60 MTB-LB60 Wavelength Wavelength (RX) Operating Temp. 1270nm 1330nm 0 ~ 60 degrees C 20km 1330nm 1270nm 0 ~ 60 degrees C Single Mode 40km 1270nm 1330nm 0 ~ 60 degrees C WDM(LC) Single Mode 40km 1330nm 1270nm 0 ~ 60 degrees C 10G WDM(LC) Single Mode 60km 1270nm 1330nm 0 ~ 60 degrees C 10G WDM(LC) Single Mode 60km 1330nm 1270nm 0 ~ 60 degrees C (TX) It is recommended to use PLANET SFP/SFP+ on the Managed Switch. If you insert an SFP/SFP+ transceiver that is not supported, the Managed Switch will not recognize it. 30 User’s Manual of SGS-6340 seriesT 1. Before we connect the SGS-6340 Series to the other network device, we have to make sure both sides of the SFP transceivers are with the same media type, for example: 1000BASE-SX to 1000BASE-SX, 1000Bas-LX to 1000BASE-LX. 2. Check whether the fiber-optic cable type matches with the SFP transceiver requirement. To connect to 1000BASE-SX SFP transceiver, please use the multi-mode fiber cable with one side being the male duplex LC connector type. To connect to 1000BASE-LX SFP transceiver, please use the single-mode fiber cable with one side being the male duplex LC connector type. Connect the Fiber Cable 1. Insert the duplex LC connector into the SFP/SFP+ transceiver. 2. Connect the other end of the cable to a device with SFP/SFP+ transceiver installed. 3. Check the LNK/ACT LED of the SFP/SFP+ slot on the front of the Managed Switch. Ensure that the SFP/SFP+ transceiver is operating correctly. 4. Check the Link mode of the SFP/SFP+ port if the link fails. To function with some fiber-NICs or Media Converters, user has to set the port Link mode to “10G Force”, “1000M Force” or “100M Force”. Remove the Transceiver Module 1. Make sure there is no network activity anymore. 2. Remove the Fiber-Optic Cable gently. 3. Lift up the lever of the MGB module and turn it to a horizontal position. 4. Pull out the module gently through the lever. Figure 2-17: How to Pull Out the SFP/SFP+ Transceiver Never pull out the module without lifting up the lever of the module and turning it to a horizontal position. Directly pulling out the module could damage the module and the SFP/SFP+ module slot of the Managed Switch. 31 Chapter 3 Switch Management 3.1 Management Options After purchasing the switch, the user needs to configure the switch for network management. Switch provides two management options: in-band management and out-of-band management. 3.1.1 Out-Of-Band Management Out-of-band management is the management through Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available. For instance, the SGS-6340 Series default IP address is 192.168.0.254 or the user can try to assign a new IP address to the switch via the Console interface to be able to access the switch through Telnet. The procedures for managing the switch via Console interface are listed below: Step 1: Setting up the environment: Figure 3-1 Out-of-band Management Configuration Environment As shown in the above, the serial port (RS232) is connected to the switch with the serial cable provided. The table below lists all the devices used in the connection. Device Name Description PC machine Has functional keyboard and RS232, with terminal emulator installed, such as Tera Term and hyper terminal. Serial port cable One end is connected to the RS232 serial port; the other end to the console port. Switch Functional console port required. 3-1 Step 2: Entering the HyperTerminal Open the HyperTerminal included in Windows after the connection established. The example below is based on the HyperTerminal included in Windows XP. 1) Click Start menu - All Programs -Accessories -Communication - HyperTerminal. Figure 3-2 Opening Hyper Terminal 2) Type a name for opening HyperTerminal, such as “Switch”. Figure 3-3 Opening HyperTerminal 3-2 3) In the “Connect using” drop-list, select the RS-232 serial port used by the PC, e.g., COM1, and click “OK”. Figure 3-4 Opening HyperTerminal 4) COM1 property appears and select “9600” for “Baud rate”, “8” for “Data bits”, “none” for “Parity checksum”, “1” for stop bit and “none” for traffic control; or you can also click “Restore default” and click “OK”. Figure 3-5 Opening HyperTerminal Step 3: Entering switch CLI interface Power on the switch and the following appears in the HyperTerminal windows, that is the CLI configuration mode for Switch. 3-3 System is booting, please wait... Bootrom version: 7.1.37 Creation date: Aug 15 2014 - 16:59:42 Testing RAM... 0x10000000 RAM OK. Loading flash:/nos.img ... ## Booting kernel from Legacy Image at 62000100 ... Image Name: Image Type: Data Size: Linux-3.6.5+ ARM Linux Kernel Image (gzip compressed) 11772899 Bytes = 11.2 MiB Load Address: 60008000 Entry Point: 60008000 Verifying Checksum ... OK Uncompressing Kernel Image ... OK Starting kernel ... Current time is Sun Jan 01 00:00:00 2006 SGS-6340 Series Switch Operating System Software Version 7.0.3.5(R0102.0087) Compiled Aug 22 12:20:28 2014 52 Ethernet/IEEE 802.3 interface(s) Mac Addr 00-30-4f-23-45-67 Recover config from file flash:/startup.cfg Loading startup-config ... …… Switch> The user can now enter commands to manage the switch. For a detailed description of the commands, please refer to the following chapters. 3-4 3.1.2 In-band Management In-band management refers to the management by login to the switch using Telnet, or using HTTP, or using SNMP management software to configure the switch. In-band management enables management of the switch for some devices attached to the switch. In the case when in-band management fails due to switch configuration changes, out-of-band management can be used for configuring and managing the switch. 3.1.2.1 Management via Telnet To manage the switch with Telnet, the following conditions should be met: 1) Switch has an IPv4/IPv6 address configured; 2) The host IP address (Telnet client) and the switch’s VLAN interface IPv4/IPv6 address is in the same network segment; 3) If 2) is not met, Telnet client can connect to an IPv4/IPv6 address of the switch via other devices, such as a router. The switch is Layer 3 switch that can be configured with several IPv4/IPv6 addresses. The following example assumes the shipment status of the switch where only VLAN1 exists in the system. The following describes the steps for a Telnet client to connect to the switch’s VLAN1 interface by Telnet (with IPv4 address as an example): Figure 3-6 Manage the Switch by Telnet Step 1: Configure the IP addresses for the switch and start the Telnet Server function on the switch. First is the configuration of host IP address. This should be within the same network segment as the switch VLAN1 interface IP address. Suppose the switch VLAN1 interface IP address is 10.1.128.251/24. Then, a possible host IP address is 10.1.128.252/24. Run “ping 10.1.128.251” from the host and verify the result. Check for reasons if ping fails. The IP address configuration commands for VLAN1 interface are listed below. Before in-band management is used, the switch must be configured with an IP address by out-of-band management (i.e. Console mode). The configuration commands are as follows (All switch configuration prompts are assumed to be “Switch” hereafter if not otherwise specified.): Switch# Switch#config Switch (config)#interface vlan 1 Switch (Config-if-Vlan1)#ip address 10.1.128.251 255.255.255.0 Switch (Config-if-Vlan1)#no shutdown 3-5 Step 2: Run Telnet Client program. Run Telnet client program included in Windows with the specified Telnet target. Figure 3-7 Run telnet client program included in Windows Step 3: Login to the switch. Login to the Telnet configuration interface. Valid login name and password are required, otherwise, the switch will reject Telnet access. This is the method to protect the switch from unauthorized access. As a result, when Telnet is enabled for configuring and managing the switch, username and password for authorized Telnet users must be configured with the following command: username <username> privilege <privilege> [password (0|7) <password>] To open the local authentication style with the following command: authentication line vty login local. Privilege option must exist and just is 15. Assume an authorized user in the switch has a username of “test”, and password of “test”, the configuration procedure should like the following: Switch# Switch#config Switch (config)#username test privilege 15 password 0 test Switch (config)#authentication line vty login local Enter valid login name and password in the Telnet configuration interface, Telnet user will be able to enter the switch’s CLI configuration interface. The commands used in the Telnet CLI interface after login is the same as that in the Console interface. Figure 3-8 Telnet Configuration Interface 3-6 3.1.2.2 Management via HTTP To manage the switch via HTTP, the following conditions should be met: 1) Switch has an IPv4/IPv6 address configured; 2) The host IPv4/IPv6 address (HTTP client) and the switch’s VLAN interface IPv4/IPv6 address are in the same network segment; 3) If 2) is not met, HTTP client should connect to an IPv4/IPv6 address of the switch via other devices, such as a router. Similar to management the switch via Telnet, as soon as the host succeeds to ping/ping6 an IPv4/IPv6 address of the switch and to type the right login password, it can access the switch via HTTP. The configuration list is shown below: Step 1: Configure the IP addresses for the switch and start the HTTP server function on the switch. For configuring the IP address on the switch through out-of-band management, see the Telnet management chapter. To enable the Web configuration, users should type the CLI command IP http server in the global mode as shown below: Switch# Switch#config Switch (config)#ip http server Step 2: Run HTTP protocol on the host. Open the Web browser on the host and type the IP address of the switch, or run directly the HTTP protocol on the Windows. For example, the IP address of the switch is “10.1.128.251”; Figure 3-9 Run HTTP Protocol When accessing a switch with IPv6 address, it is recommended to use the Firefox browser with 1.5 or later version. For example, if the IPv6 address of the switch is 3ffe:506:1:2::3, the IPv6 address of the switch should be http://[3ffe:506:1:2::3]. Please note the address should be in the square brackets. 3-7 Step 3: Login to the switch. Login to the Web configuration interface. Valid login name and password are required, otherwise, the switch will reject HTTP access. This is the method to protect the switch from unauthorized access. As a result, when Telnet is enabled for configuring and managing the switch, username and password for authorized Telnet users must be configured with the following command: username <username> privilege <privilege> [password (0|7) <password>] To open the local authentication style with the following command: authentication line web login local. Privilege option must exist and is just 15. Assume an authorized user in the switch has a username “admin”, and password “admin”, the configuration procedure should be as follows: Switch# Switch#config Switch (config)#username admin privilege 15 password 0 admin Switch (config)#authentication line web login local The Web login interface of SGS-6340 Series is shown below: Figure 3-10 Web Login Interface 3-8 Input the right username and password and then the main Web configuration interface is shown below. Figure 3-11 Main Web Configuration Interface When configuring the switch, the name of the switch is composed of English letters. 3.1.2.3 Manage the Switch via SNMP Network Management Software The followings are required by SNMP network management software to manage switches: 1) IP addresses are configured on the switch; 2) The IP address of the client host and that of the VLAN interface on the switch it subordinates to should be in the same segment; 3) If 2) is not met, the client should be able to reach an IP address of the switch through devices like routers; 4) SNMP should be enabled. The host with SNMP network management software should be able to ping the IP address of the switch, so that when running, SNMP network management software will be able to find it and implement read/write operation on it. Details about how to manage switches via SNMP network management software will not be covered in this manual; please refer to “Simple Network Management software user manual”. 3.2 CLI Interface The switch provides three management interfaces for users: CLI (Command Line Interface) interface, Web interface and Simple Network Management software. We will introduce the CLI interface and Web configuration interface in details. Web interface is familiar with CLI interface function and will not be covered. Please refer to “Simple Network Management software user manual”. 3-9 CLI interface is familiar to most users. As aforementioned, out-of-band management and Telnet login are all performed through CLI interface to manage the switch. CLI Interface is supported by Shell program, which consists of a set of configuration commands. Those commands are categorized according to their functions in switch configuration and management. Each category represents a different configuration mode. The Shell for the switch is described below: Configuration Modes Configuration Syntax Shortcut keys Help function Input verification Fuzzy match support 3-10 3.2.1 Configuration Modes Figure 3-12 Shell Configuration Modes 3.2.1.1 User Mode On entering the CLI interface, entering user entry system first. If as common user, it is defaulted to User Mode. The prompt shown is “Switch>“, the symbol “>“ is the prompt for User Mode. When exit command is run under Admin Mode, it will also return to the User Mode. Under User Mode, no configuration to the switch is allowed; only clock time and version information of the switch can be queried. 3.2.1.2 Admin Mode Admin Mode sees the following: In user entry system, if as Admin user, it is defaulted to Admin Mode. Admin Mode prompt “Switch#” can be entered under the User Mode by running the enable command and entering corresponding access levels admin user password, if a password has been set. Or, when exit command is run under Global Mode, it will also return to the Admin Mode. Switch also provides a shortcut key sequence "Ctrl+z”, this allows an easy way to exit to Admin Mode from any configuration mode (except User Mode). Under Admin Mode, the user can query the switch configuration information, connection status and traffic statistics of all ports; the user can further enter the Global Mode from Admin Mode to modify all configurations of the switch. For this reason, a password must be set for entering Admin mode to prevent unauthorized access and malicious modification to the switch. 3-11 3.2.1.3 Global Mode Type the config command under Admin Mode to enter the Global Mode prompt “Switch(config)#”. Use the exit command under other configuration modes such as Port Mode, VLAN mode to return to Global Mode. The user can perform global configuration settings under Global Mode, such as MAC Table, Port Mirroring, VLAN creation, IGMP Snooping start and STP, etc. And the user can go further to Port Mode for configuration of all the interfaces. Interface Mode Use the interface command under Global Mode to enter the interface mode specified. Switch provides three interface types: 1. VLAN interface; 2. Ethernet port; 3. port-channel, according to the three interface configuration modes. Interface Type Entry Operates VLAN Interface Type interface vlan <Vlan-id> Configure switch IPs, etc command under Global Mode. Exit Use the exit command to return to Global Mode. Ethernet Port port-channel Type interface Ethernet Configure supported Use the exit command <interface-list> command duplex mode, speed, etc. to return to Global under Global Mode. of Ethernet Port. Mode. Type interface port-channel Configure port-channel Use the exit command <port-channel-number> related settings such as to return to Global command under Global Mode. duplex mode, speed, etc. Mode. VLAN Mode Using the vlan <vlan-id> command under Global Mode to enter the corresponding VLAN Mode. Under VLAN Mode the user can configure all member ports of the corresponding VLAN. Run the exit command to exit the VLAN Mode to Global Mode. DHCP Address Pool Mode Type the ip dhcp pool <name> command under Global Mode to enter the DHCP Address Pool Mode prompt “Switch(Config-<name>-dhcp)#”. DHCP address pool properties can be configured under DHCP Address Pool Mode. Run the exit command to exit the DHCP Address Pool Mode to Global Mode. ACL Mode ACL type Entry Operates Exit Standard IP ACL Type ip access-list Configure parameters Use the exit Mode standard command under for Standard IP ACL command to return Global Mode. Mode. to Global Mode. Extended IP ACL Type ip access-list Configure parameters Use the exit Mode extended command under for Extended IP ACL command to return Global Mode. Mode. to Global Mode. 3-12 3.2.2 Configuration Syntax Switch provides various configuration commands. Although all the commands are different, they all abide by the syntax for Switch configuration commands. The general commands format of Switch is shown below: cmdtxt <variable> {enum1 | … | enumN } [option1 | … | optionN] Conventions: cmdtxt in bold font indicates a command keyword; <variable> indicates a variable parameter; {enum1 | … | enumN } indicates a mandatory parameter that should be selected from the parameter set enum1~enumN; and the square bracket ([ ]) in [option1 | … | optionN] indicate an optional parameter. There may be combinations of “< >“, “{ }” and “[ ]” in the command line, such as [<variable>], {enum1 <variable>| enum2}, [option1 [option2]], etc. Here are examples for some actual configuration commands: show version, no parameters required. This is a command with only a keyword and no parameter, just type in the command to run. vlan <vlan-id>, parameter values are required after the keyword. firewall {enable | disable}, user can enter firewall enable or firewall disable for this command. snmp-server community {ro | rw} <string>, the followings are possible: snmp-server community ro <string> snmp-server community rw <string> 3-13 3.2.3 Shortcut Key Support Switch provides several shortcut keys to facilitate user configuration, such as up, down, left, right and blank space. If the terminal does not recognize Up and Down keys, ctrl +p and ctrl +n can be used instead. Key(s) Function Back Space Delete a character before the cursor, and the cursor moves back. Up “↑” Show previous command entered. Up to ten recently entered commands can be shown. Down “↓” Show next command entered. When use the Up key to get previously entered commands, you can use the Down key to return to the next command Left “←” Right “→” The cursor moves one character to You can use the Left and the left. Right key to modify an The cursor moves one character to entered command. the right. Ctrl +p The same as Up key “↑”. Ctrl +n The same as Down key “↓”. Ctrl +b The same as Left key “←”. Ctrl +f The same as Right key “→”. Ctrl +z Return to the Admin Mode directly from the other configuration modes (except User Mode). Ctrl +c Break the ongoing command process, such as ping or other command execution. Tab When a string for a command or keyword is entered, the Tab can be used to complete the command or keyword if there is no conflict. 3.2.4 Help Function There are two ways in Switch for the user to access help information: the “help” command and the “?”. Access to Help Usage and function Help Under any command line prompt, type in “help” and press Enter will get a brief description of the associated help system. “?” 1. Under any command line prompt, enter “?” to get a command list of the current mode and related brief description. 2. Enter a “?” after the command keyword with an embedded space. If the position should be a parameter, a description of that parameter type, scope, etc, will be returned; if the position should be a keyword, then a set of keywords with brief description will be returned; if the output is “<cr>“, then the command is complete, press Enter to run the command. 3. A “?” immediately following a string. This will display all the commands that begin with that string. 3-14 3.2.5 Input Verification 3.2.5.1 Returned Information: Successful All commands entered through keyboards undergo syntax check by the Shell. Nothing will be returned if the user enters a correct command under corresponding modes and the execution is successful. Returned Information: error Output error message Explanation Unrecognized command or illegal The entered command does not exist, or there is parameter! error in parameter scope, type or format. Ambiguous command At least two interpretations are possible based on the current input. Invalid command or parameter The command is recognized, but no valid parameter record is found. This command does not exist in The command is recognized, but this command current mode cannot be used under current mode. Please configure precursor The command is recognized, but the prerequisite command "*" first! command has not been configured. syntax error : missing '"' before the Quotation marks are not used in pairs. end of command line! 3.2.6 Fuzzy Match Support Switch shell supports fuzzy match in searching command and keyword. Shell will recognize commands or keywords correctly if the entered string causes no conflict. For example: 1) For command “show interfaces status ethernet1/1”, typing “sh in status ethernet1/1” will work. 2) However, for command “show running-config”, the system will report a “> Ambiguous command!” error if only “show r” is entered, as Shell is unable to tell whether it is “show run” or “show running-config”. Therefore, Shell will only recognize the command if “sh ru” is entered. 3-15 Chapter 4 Basic Switch Configuration 4.1 Basic Configuration Basic switch configuration includes commands for entering and exiting the admin mode, for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc. Command Explanation Normal User Mode/ Admin Mode The User uses enable command to step into enable [<1-15>] admin mode from normal user mode or modify disable the privilege level of the users. The disable command is for exiting admin mode. Admin Mode Enter global mode from admin mode. config [terminal] Various Modes Exit current mode and enter previous mode, such as using this command in global mode to exit go back to admin mode, and back to normal user mode from admin mode. Show privilege of the current users. show privilege Except User Mode/ Admin Mode Quit current mode and return to Admin mode end when not in User Mode/ Admin Mode. Admin Mode clock set [YYYY.MM.DD] <HH:MM:SS> Set system date and time. show version Display version information of the switch. set default Restore to the factory default. write Save current configuration parameters to Flash Memory. reload Reset the switch. show cpu usage Show CPU usage rate. show cpu utilization Show current CPU utilization rate. show memory usage Show memory usage rate. Global Mode 4-1 banner motd <LINE> no banner motd Configure the information displayed when the login authentication of a Telnet or console user is successful. 4.2 Telnet Management 4.2.1 Telnet 4.2.1.1 Introduction to Telnet Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can login to a remote host with its IP address of hostname from his own workstation. Telnet can send the user’s keystrokes to the remote host and send the remote host output to the user’s screen through TCP connection. This is a transparent service, as to the user, the keyboard and monitor seems to be connected to the remote host directly. Telnet employs the Client-Server mode; the local system is the Telnet client and the remote host is the Telnet server. Switch can be either the Telnet Server or the Telnet client. When switch is used as the Telnet server, the user can use the Telnet client program included in Windows or other operating systems to login to switch, as described earlier in the In-band Management section. As a Telnet server, switch allows up to 5 Telnet client TCP connections. And as Telnet client, using telnet command under Admin Mode allows the user to login to the other remote hosts. Switch can only establish TCP connection to one remote host. If a connection to another remote host is desired, the current TCP connection must be dropped. 4.2.1.2 Telnet Configuration Task List 2. Configure Telnet Server 2. Telnet to a remote host from the switch. 1. Configure Telnet Server Command Explanation Global Mode Enable the Telnet server function in the telnet-server enable switch: the no command disables the no telnet-server enable Telnet function. username <user-name> [privilege Configure user name and password of <privilege>] [password [0 | 7] <password>] the Telnet. The no form command no username <username> deletes the Telnet user authorization. 4-2 Enable command authorization function for the login user with VTY (login with Telnet and SSH). The no command aaa authorization config-commands disables this function. When enabling no aaa authorization config-commands this command and configuring command authorization manner, it will request to authorize when executing some commands. Configure the secure IP address to login authentication securityip <ip-addr> to the switch through Telnet: the no no authentication securityip <ip-addr> command deletes the authorized Telnet secure address. Configure IPv6 security address to login authentication securityipv6 <ipv6-addr> to the switch through Telnet; the no no authentication securityipv6 command deletes the authorized Telnet <ipv6-addr> security address. authentication ip access-class Binding standard IP ACL protocol to login {<num-std>|<name>} with Telnet/SSH/Web; the no form no authentication ip access-class command will cancel the binding ACL. authentication ipv6 access-class Binding standard IPv6 ACL protocol to {<num-std>|<name>} login with Telnet/SSH/Web; the no form no authentication ipv6 access-class command will cancel the binding ACL. authentication line {console | vty | web} login method1 [method2 …] Configure authentication method list with no authentication line {console | vty | web} Telnet. login authentication enable method1 Configure the enable authentication [method2 …] method list. no authentication enable authorization line {console | vty | web} exec method1 [method2 …] Configure the authorization method list no authorization line {console | vty | web} with Telnet. exec Configure command authorization authorization line vty command <1-15> manner and authorization selection {local | radius | tacacs} (none|) priority of login user with VTY (login with no authorization line vty command <1-15> Telnet and SSH). The no command recovers to be default manner. accounting line {console | vty} command 4-3 Configure the accounting method list. <1-15> {start-stop | stop-only | none} method1 [method2…] no accounting line {console | vty} command <1-15> Admin Mode Display debug information for Telnet terminal monitor client login to the switch; the no terminal no monitor command disables the debug information. Show the user information who logs in through Telnet or SSH. It includes line show users number, user name and user IP. Delete the logged user information on the appointed line; force user to get down the clear line vty <0-31> line who logs in through Telnet or SSH. 2. Telnet to a remote host from the switch Command Explanation Admin Mode telnet [vrf <vrf-name>] {<ip-addr> | Login to a remote host with the Telnet <ipv6-addr> | host <hostname>} [<port>] client included in the switch. 4.2.2 SSH 4.2.2.1 Introduction to SSH SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices. It is based on the reliable TCP/IP protocol. By conducting the mechanism such as key distribution, authentication and encryption between SSH server and SSH client, a secure connection is established. The information transferred on this connection is protected from being intercepted and decrypted. The switch meets the requirements of SSH2.0. It supports SSH2.0 client software such as SSH Secure Client and putty. Users can run the above software to manage the switch remotely. The switch presently supports RSA authentication, 3DES Cryptography Protocol, SSH user password authentication, etc. 4-4 4.2.2.2 SSH Server Configuration Task List Command Explanation Global Mode ssh-server enable Enable SSH function on the switch; the no no ssh-server enable command disables SSH function. username <username> [privilege Configure the username and password of <privilege>] [password [0 | 7] SSH client software for logging on the <password>] switch; the no command deletes the no username <username> username. Configure timeout value for SSH ssh-server timeout <timeout> authentication; the no command restores no ssh-server timeout the default timeout value for SSH authentication. ssh-server authentication-retires <authentication-retires> no ssh-server authentication-retries Configure the number of times for retrying SSH authentication; the no command restores the default number of times for retrying SSH authentication. ssh-server host-key create rsa modulus Generate the new RSA host key on the <moduls> SSH server. Admin Mode Display SSH debug information on the SSH terminal monitor client side; the no command stops terminal no monitor displaying SSH debug information on the SSH client side. show crypto key Show the secret key of SSH. rypto key clear rsa Clear the secret key of SSH. 4.2.2.3 Example of SSH Server Configuration Example 1: Requirement: Enable SSH server on the switch, and run SSH2.0 client software such as Secure shell client or putty on the terminal. Log on the switch by using the username and password from the client. Configure the IP address, add SSH user and enable SSH service on the switch. SSH2.0 client can log on the switch by using the username and password to configure the switch. 4-5 Switch(config)#ssh-server enable Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 100.100.100.200 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#username test privilege 15 password 0 test In IPv6 network, the terminal should run SSH client software which supports IPv6, such as putty6. Users should not modify the configuration of the switch except allocating an IPv6 address for the local host. 4.3 Configure Switch IP Addresses All Ethernet ports of switch are defaulted to Data Link layer ports and perform layer 2 forwarding. VLAN interface represents a Layer 3 interface function which can be assigned an IP address, which is also the IP address of the switch. All VLAN interface related configuration commands can be configured under VLAN Mode. Switch provides three IP address configuration methods: Manual BOOTP DHCP Manual configuration of IP address is assigned to an IP address manually for the switch. In BOOTP/DHCP mode, the switch operates as a BOOTP/DHCP client, send broadcast packets of BOOTPRequest to the BOOTP/DHCP servers, and the BOOTP/DHCP servers assign the address on receiving the request. In addition, switch can act as a DHCP server, and dynamically assign network parameters such as IP addresses, gateway addresses and DNS server addresses to DHCP clients DHCP Server configuration is detailed in later chapters. 4.3.1 Switch IP Addresses Configuration Task List 1. Enable VLAN port mode 2. Manual configuration 3. BOOTP configuration 4. DHCP configuration 1. Enable VLAN port mode Command Explanation Global Mode interface vlan <vlan-id> Create VLAN interface (layer 3 interface); the no interface vlan <vlan-id> no command deletes the VLAN interface. 4-6 2. Manual configuration Command Explanation VLAN Interface Mode ip address <ip_address> <mask> Configure IP address of VLAN interface; the [secondary] no command deletes IP address of VLAN no ip address <ip_address> <mask> interface. [secondary] ipv6 address <ipv6-address / Configure IPv6 address, including prefix-length> [eui-64] aggregation global unicast address, local site no ipv6 address <ipv6-address / address and local link address. The no prefix-length> command deletes IPv6 address. 3. BOOTP configuration Command Explanation VLAN Interface Mode Enable the switch to be a BootP client and ip bootp-client enable obtain IP address and gateway address no ip bootp-client enable through BootP negotiation; the no command disables the BootP client function. 4. DHCP configuration Command Explanation VLAN Interface Mode Enable the switch to be a DHCP client and ip dhcp-client enable obtain IP address and gateway address no ip dhcp-client enable through DHCP negotiation; the no command disables the DHCP client function. 4.4 SNMP Configuration 4.4.1 Introduction to SNMP SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of SNMP which is adapted by vast numbers of manufacturers for 4-7 its simplicity and easy implementation; SNMP v2c is an enhanced version of SNMP v1, which supports layered network management; SNMP v3 strengthens the security by adding USM (User-based Security Mode) and VACM (View-based Access Control Model). SNMP protocol provides a simple way of exchange network management information between two points in the network. SNMP employs a polling mechanism of message query, and transmits messages through UDP (a connectionless transport layer protocol). Therefore it is well supported by the existing computer networks. SNMP protocol employs a station-agent mode. There are two parts in this structure: NMS (Network Management Station) and Agent. NMS is the workstation on which SNMP client program is running. It is the core on the SNMP network management. Agent is the server software runs on the devices which need to be managed. NMS manages all the managed objects through Agents. The switch supports Agent function. The communication between NMS and Agent functions in Client/Server mode by exchanging standard messages. NMS sends request and the Agent responds. There are seven types of SNMP message: Get-Request Get-Response Get-Next-Request Get-Bulk-Request Set-Request Trap Inform-Request NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages; and the Agent, upon receiving the requests, replies with Get-Response message. On some special situations, like network device ports are on Up/Down status or the network topology changes, Agents can send Trap messages to NMS to inform the abnormal events. Besides, NMS can also be set to alert to some abnormal events by enabling RMON function. When alert events are triggered, Agents will send Trap messages or log the event according to the settings. Inform-Request is mainly used for inter-NMS communication in the layered network management. USM ensures the transfer security by well-designed encryption and authentication. USM encrypts the messages according to the user typed password. This mechanism ensures that the messages can’t be viewed on transmission. And USM authentication ensures that the messages can’t be changed on transmission. USM employs DES-CBC cryptography. And HMAC-MD5 and HMAC-SHA are used for authentication. VACM is used to classify the users’ access permission. It puts the users with the same access permission in the same group. Users can’t conduct the operation which is not authorized. 4-8 4.4.2 Introduction to MIB The network management information accessed by NMS is well defined and organized in a Management Information Base (MIB). MIB is pre-defined information which can be accessed by network management protocols. It is in layered and structured form. The pre-defined management information can be obtained from monitored network devices. ISO ASN.1 defines a tree structure for MID. Each MIB organizes all the available information with this tree structure. And each node on this tree contains an OID (Object Identifier) and a brief description about the node. OID is a set of integers divided by periods. It identifies the node and can be used to locate the node in an MID tree structure, shown in the figure below: Figure 4-1 ASN.1 Tree Instance In this figure, the OID of the object A is 1.2.1.1. NMS can locate this object through this unique OID and gets the standard variables of the object. MIB defines a set of standard variables for monitored network devices by following this structure. If the variable information of Agent MIB needs to be browsed, the MIB browse software will need to be run on the NMS. MIB in the Agent usually consists of public MIB and private MIB. The public MIB contains public network management information that can be accessed by all NMS; private MIB contains specific information which can be viewed and controlled by the support of the manufacturers. MIB-I [RFC1156] is the first implemented public MIB of SNMP, and is replaced by MIB-II [RFC1213]. MIB-II expands MIB-I and keeps the OID of MIB tree in MIB-I. MIB-II contains sub-trees which are called groups. Objects in those groups cover all the functional domains in network management. NMS obtains the network management information by visiting the MIB of SNMP Agent. The switch can operate as an SNMP Agent, and supports both SNMP v1/v2c and SNMP v3. The switch supports basic MIB-II, RMON public MIB and other public MIDs such as BRIDGE MIB. Besides, the switch supports self-defined private MIB. 4-9 4.4.3 Introduction to RMON RMON is the most important expansion of the standard SNMP. RMON is a set of MIB definitions, used to define standard network monitor functions and interfaces, enabling the communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method to monitor actions inside the subnets. MID of RMON consists of 10 groups. The switch supports the most frequently used group 1, 2, 3 and 9: Statistics: Maintain basic usage and error statistics for each subnet monitored by the Agent. History: Record periodical statistic samples available from Statistics. Alarm: Allow management console users to set any count or integer for sample intervals and alert thresholds for RMON Agent records. Event: A list of all events generated by RMON Agent. Alarm depends on the implementation of Event. Statistics and History display some current or history subnet statistics. Alarm and Event provide a method to monitor any integer data change in the network, and provide some alerts upon abnormal events (sending Trap or record in logs). 4.4.4 SNMP Configuration 4.4.4.1 SNMP Configuration Task List 1. Enable or disable SNMP Agent server function 2. Configure SNMP community string 3. Configure IP address of SNMP management base 4. Configure engine ID 5. Configure user 6. Configure group 7. Configure view 8. Configuring TRAP 9. Enable/Disable RMON 1. Enable or disable SNMP Agent server function Command Explanation Global Mode snmp-server enabled no snmp-server enabled Enable the SNMP Agent function on the switch; the no command disables the SNMP Agent function on the switch. 4-10 2. Configure SNMP community string Command Explanation Global Mode snmp-server community {ro | rw} {0 | 7} <string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}] [read <read-view-name>] [write <write-view-name>] Configure the community string for the switch; the no command deletes the configured community string. no snmp-server community <string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}] 3. Configure IP address of SNMP management station Command Explanation Global Mode snmp-server securityip { <ipv4-address> | Configure IPv4/IPv6 security address which is <ipv6-address> } allowed to access the switch on the NMS; the no snmp-server securityip no command deletes the configured security { <ipv4-address> | <ipv6-address> } address. snmp-server securityip enable Enable or disable secure IP address check snmp-server securityip disable function on the NMS. 4. Configure engine ID Command Explanation Global Mode snmp-server engineid <engine-string> Configure the local engine ID on the switch. no snmp-server engineid This command is used for SNMP v3. 5. Configure user Command Explanation Global Mode snmp-server user <use-string> <group-string> [{authPriv | authNoPriv} Add a user to an SNMP group. This command auth {md5 | sha} <word>] [access is used to configure USM for SNMP v3. {<num-std>|<name>}] [ipv6-access 4-11 {<ipv6-num-std>|<ipv6-name>}] no snmp-server user <user-string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}] 6. Configure group Command Explanation Global Mode snmp-server group <group-string> {noauthnopriv|authnopriv|authpriv} [[read <read-string>] [write <write-string>] [notify <notify-string>]] [access {<num-std>|<name>}] [ipv6-access Set the group information on the switch. This {<ipv6-num-std>|<ipv6-name>}] command is used to configure VACM for no snmp-server group <group-string> SNMP v3. {noauthnopriv|authnopriv|authpriv} [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}] 7. Configure view Command Explanation Global Mode snmp-server view <view-string> <oid-string> {include|exclude} Configure view on the switch. This command no snmp-server view <view-string> is used for SNMP v3. [<oid-string>] 8. Configuring TRAP Command Explanation Global Mode snmp-server enable traps Enable the switch to send Trap message. no snmp-server enable traps This command is used for SNMP v1/v2/v3. snmp-server host { <host-ipv4-address> | Set the host IPv4/IPv6 address which is used <host-ipv6-address> } {v1 | v2c | {v3 to receive SNMP Trap information. For SNMP 4-12 {noauthnopriv | authnopriv | authpriv}}} v1/v2, this command also configures Trap <user-string> community string; for SNMP v3, this no snmp-server host command also configures Trap user name { <host-ipv4-address> | and security level. The “no” form of this <host-ipv6-address> } {v1 | v2c | {v3 command cancels this IPv4 or IPv6 address. {noauthnopriv | authnopriv | authpriv}}} <user-string> snmp-server trap-source {<ipv4-address> | <ipv6-address>} Set the source IPv4 or IPv6 address which is no snmp-server trap-source used to send trap packet, the no command {<ipv4-address> | <ipv6-address>} deletes the configuration. 9. Enable/Disable RMON Command Explanation Global Mode rmon enable Enable/disable RMON. no rmon enable 4.4.5 Typical SNMP Configuration Examples The IP address of the NMS is 1.1.1.5; the IP address of the switch (Agent) is 1.1.1.9. Scenario 1: The NMS network administrative software uses SNMP protocol to obtain data from the switch. The configuration on the switch is listed below: Switch(config)#snmp-server enable Switch(config)#snmp-server community rw private Switch(config)#snmp-server community ro public Switch(config)#snmp-server securityip 1.1.1.5 The NMS can use private as the community string to access the switch with read-write permission, or use public as the community string to access the switch with read-only permission. Scenario 2: NMS will receive Trap messages from the switch (Note: NMS may have community string verification for the Trap messages. In this scenario, the NMS uses a Trap verification community string of usertrap). 4-13 The configuration on the switch is listed below: Switch(config)#snmp-server enable Switch(config)#snmp-server host 1.1.1.5 v1 usertrap Switch(config)#snmp-server enable traps Scenario 3: NMS uses SNMP v3 to obtain information from the switch. The configuration on the switch is listed below: Switch(config)#snmp-server Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max Switch(config)#snmp-server view max 1 include Scenario 4: NMS wants to receive the v3Trap messages sent by the switch. The configuration on the switch is listed below: Switch(config)#snmp-server enable Switch(config)#snmp-server host 10.1.1.2 v3 authpriv tester Switch(config)#snmp-server enable traps Scenario 5: The IPv6 address of the NMS is 2004:1:2:3::2; the IPv6 address of the switch (Agent) is 2004:1:2:3::1. The NMS network administrative software uses SNMP protocol to obtain data from the switch. The configuration on the switch is listed below: Switch(config)#snmp-server enable Switch(config)#snmp-server community rw private Switch(config)#snmp-server community ro public Switch(config)#snmp-server securityip 2004:1:2:3::2 The NMS can use private as the community string to access the switch with read-write permission, or use public as the community string to access the switch with read-only permission. Scenario 6: NMS will receive Trap messages from the switch (Note: NMS may have community string verification for the Trap messages. In this scenario, the NMS uses a Trap verification community string of usertrap). 4-14 The configuration on the switch is listed below: Switch(config)#snmp-server host 2004:1:2:3::2 v1 usertrap Switch(config)#snmp-server enable traps 4.4.6 SNMP Troubleshooting When users configure the SNMP, the SNMP server may fail to run properly due to physical connection failure and wrong configuration, etc. Users can troubleshoot the problems by following the guide below: Good condition of the physical connection. Interface and datalink layer protocol is Up (use the “show interface” command), and the connection between the switch and host can be verified by ping (use “ping” command). The switch enabled SNMP Agent server function (use “snmp-server” command) Secure IP for NMS (use “snmp-server securityip” command) and community string (use “snmp-server community” command) are correctly configured, as any of them fails, SNMP will not be able to communicate with NMS properly. If Trap function is required, remember to enable Trap (use “snmp-server enable traps” command). And remember to properly configure the target host IP address and community string for Trap (use “snmp-server host” command) to ensure Trap message can be sent to the specified host. If RMON function is required, RMON must be enabled first (use “rmon enable” command). Use “show snmp” command to verify sent and received SNMP messages; Use “show snmp status” command to verify SNMP configuration information; Use “debug snmp packet” to enable SNMP debugging function and verify debug information. If users still can’t solve the SNMP problems, Please contact our technical and service center. 4.5 Switch Upgrade Switch provides two ways for switch upgrade: BootROM upgrade and the TFTP/FTP upgrade under Shell. 4.5.1 Switch System Files The system files include system image file and boot file. The updating of the switch is to update the two files by overwriting the old files with the new ones. The system image files refer to the compressed files of the switch hardware drivers, and software support program, etc, namely what we usually called the IMG update file. The IMG file can only be saved in the FLASH with a defined name of nos.img The boot file is for initiating the switch, namely what we usually called the ROM update file (It can be compressed into IMG file if it is of large size.). In the switch, the boot file is allowed to 4-15 save in ROM only. Switch mandates the name of the boot file to be boot.rom. The update method of the system image file and the boot file is the same. The switch supplies the user with two modes of updating: 1. BootROM mode; 2. TFTP and FTP update in Shell mode. This two update method will be explained in details in the following two sections. 4.5.2 BootROM Upgrade There are two methods for BootROM upgrade: TFTP and FTP, which can be selected at BootROM command settings. Cable connection Console cable connection Figure 4-2 Typical topology for switch upgrade in BootROM mode The upgrade procedures are listed below: Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect PC to the management(MGMT) port on the switch. The PC should have FTP/TFTP server software installed and has the image file required for the upgrade. Step 2: Press “ctrl+b” on switch boot up until the switch enters BootROM monitor mode. The operation result is shown below: [Boot]: Step 3: Under BootROM mode, run “setconfig” to set the IP address and mask of the switch under BootROM mode, server IP address and mask, and select TFTP or FTP upgrade. Suppose the switch address is 192.168.1.2, and PC address is 192.168.1.66, and select TFTP upgrade, the configuration should like: [Boot]: setconfig 4-16 Host IP Address: [10.1.1.1] 192.168.1.2 Server IP Address: [10.1.1.2] 192.168.1.66 FTP(1) or TFTP(2): [1] 2 Network interface configure OK. [Boot] Step 4: Enable FTP/TFTP server in the PC. For TFTP, run TFTP server program; for FTP, run FTP server program. Before start downloading upgrade file to the switch, verify the connectivity between the server and the switch by ping from the server. If ping succeeds, run “load” command in the BootROM mode from the switch; if it fails, perform troubleshooting to find out the cause. The following is the configuration for the system update image file. [Boot]: load nos.img Loading... Loading file ok! Step 5: Execute write nos.img in BootROM mode. The following saves the system update image file. [Boot]: write nos.img File nos.img exists, overwrite? (Y/N)?[N] y Writing nos.img..................................................... Write nos.img OK. [Boot]: Step 6: The following update file boot.rom, the basic environment is the same as Step 4. [Boot]: load boot.rom Loading… Loading file ok! Step 7: Execute write boot.rom in BootROM mode. The following saves the update file. [Boot]: write boot.rom File boot.rom exists, overwrite? (Y/N)?[N] y Writing boot.rom……………………………………… 4-17 Write boot.rom OK. [Boot]: Step 8: After successful upgrade, execute run or reboot command in BootROM mode to return to CLI configuration interface. [Boot]: run(or reboot) Other commands in BootROM mode 1. DIR command Used to list existing files in the FLASH. [Boot]: dir boot.rom 327,440 1900-01-01 00:00:00 --SH boot.conf 83 1900-01-01 00:00:00 --SH nos.img 2,431,631 1980-01-01 00:21:34 ---- startup-config temp.img 2,922 1980-01-01 00:09:14 ---2,431,631 1980-01-01 00:00:32 ---- 2. CONFIG RUN command Used to set the IMAGE file to run upon system start-up, and the configuration file to run upon configuration recovery. [Boot]: config run Boot File: [nos.img] nos.img Config File: [boot.conf] 4.5.3 FTP/TFTP Upgrade 4.5.3.1 Introduction to FTP/TFTP FTP (File Transfer Protocol)/TFTP (Trivial File Transfer Protocol) are both file transfer protocols that belong to the fourth layer (application layer) of the TCP/IP protocol stack, used for transferring files between hosts, hosts and switches. Both of them transfer files in a client-server model. Their differences are listed below. FTP builds upon TCP to provide reliable connection-oriented data stream transfer service. However, it does not provide file access authorization and uses simple authentication mechanism (transfers username and password in plain text for authentication). When using FTP to transfer files, two connections need to be established between the client and the server: a management connection and a data connection. A transfer request should be sent by the 4-18 FTP client to establish management connection on port 21 in the server, and negotiate a data connection through the management connection. There are two types of data connections: active connection and passive connection. In active connection, the client transmits its address and port number for data transmission to the server, the management connection maintains until data transfer is complete. Then, using the address and port number provided by the client, the server establishes data connection on port 20 (if not engaged) to transfer data; if port 20 is engaged, the server automatically generates some other port numbers to establish data connection. In passive connection, the client, through management connection, notify the server to establish a passive connection. The server then creates its own data listening port and informs the client about the port, and the client establishes data connection to the specified port. As data connection is established through the specified address and port, there is a third party to provide data connection service. TFTP builds upon UDP, providing unreliable data stream transfer service with no user authentication or permission-based file access authorization. It ensures correct data transmission by sending and acknowledging mechanism and retransmission of time-out packets. The advantage of TFTP over FTP is that it is a simple and low overhead file transfer service. Switch can operate as either FTP/TFTP client or server. When switch operates as an FTP/TFTP client, configuration files or system files can be downloaded from the remote FTP/TFTP servers (can be hosts or other switches) without affecting its normal operation. And file list can also be retrieved from the server in FTP client mode. Of course, switch can also upload current configuration files or system files to the remote FTP/TFTP servers (can be hosts or other switches). When switch operates as an FTP/TFTP server, it can provide file upload and download service for authorized FTP/TFTP clients, as file list service as FTP server. Here are some terms frequently used in FTP/TFTP. ROM: Short for EPROM is erasable read-only memory. EPROM is repalced by FLASH memory in switch. SDRAM: RAM memory in the switch is used for system software operation and configuration sequence storage. 4-19 FLASH: Flash memory is used to save system file and configuration file. System file: including system image file and boot file. System image file: Refers to the compressed file for switch hardware driver and software support program, usually refer to as IMAGE upgrade file. In switch, the system image file is allowed to save in FLASH only. Switch mandates the name of system image file to be uploaded via FTP in Global Mode to be nos.img, other IMAGE system files will be rejected. Boot file: Refers to the file initializes the switch, also referred to as the ROM upgrade file (Large size file can be compressed as IMAGE file). In switch, the boot file is allowed to save in ROM only. Switch mandates the name of the boot file to be boot.rom. Configuration file: Including start up configuration file and running configuration file. The distinction between startup configuration file and running configuration file can facilitate the backup and update of the configurations. Startup configuration file: Refers to the configuration sequence used in switch startup. Startup configuration file is stored in nonvolatile storage, corresponding to the so-called configuration save. If the device does not support CF, the configuration file will be stored in FLASH only. If the device supports CF, the configuration file will be stored in FLASH or CF. If the device supports multi-config file, the name of the configuration file will be .cfg file (The default is startup.cfg.). If the device does not support multi-config file, the name of the startup configuration file will be startup-config. Running configuration file: Refers to the running configuration sequence used in the switch. In the switch, the running configuration file stores in the RAM. In the current version, the running configuration sequence running-config can be saved from the RAM to FLASH by write command or copy running-config startup-config command, so that the running configuration sequence becomes the startup configuration file, which is called configuration save. To prevent illicit file upload and easier configuration, switch mandates the name of running configuration file to be running-config. Factory configuration file: The configuration file shipped with switch named factory-config. Run set default and write and restart the switch, and factory configuration file will be loaded to overwrite current startup configuration file. 4-20 4.5.3.2 FTP/TFTP Configuration The configurations of switch as FTP and TFTP clients are almost the same, so the configuration procedures for FTP and TFTP are described together in this manual. 4.5.3.2.1 FTP/TFTP Configuration Task List 1. FTP/TFTP client configuration (1) Upload/download the configuration file or system file. (2) For FTP client, server file list can be checked. 2. FTP server configuration (1) Start FTP server (2) Configure FTP login username and password (3) Modify FTP server connection idle time (4) Shut down FTP server 3. TFTP server configuration (1) Start TFTP server (2) Configure TFTP server connection idle time (3) Configure retransmission times before timeout for packets without acknowledgement (4) Shut down TFTP server 1. FTP/TFTP client configuration (1)FTP/TFTP client upload/download file Command Explanation Admin Mode copy <source-url> <destination-url> [ascii | binary] FTP/TFTP client upload/download file. (2)For FTP client, server file list can be checked. Admin Mode For FTP client, server file list can be ftp-dir <ftpServerUrl> checked. FtpServerUrl format looks like: ftp: //user: password@IPv4|IPv6 Address. 2. FTP server configuration (1)Start FTP server 4-21 Command Explanation Global Mode ftp-server enable no ftp-server enable Start FTP server, the no command shuts down FTP server and prevents FTP user from logging in. (2)Configure FTP login username and password Command Explanation Global Mode ip ftp username <username> Configure FTP login username and password; password [0 | 7] <password> this no command will delete the username and no ip ftp username<username> password. (3)Modify FTP server connection idle time Command Explanation Global Mode ftp-server timeout <seconds> Set connection idle time. 3. TFTP server configuration (1)Start TFTP server Command Explanation Global Mode tftp-server enable no tftp-server enable Start TFTP server, the no command shuts down TFTP server and prevents TFTP user from logging in. (2)Modify TFTP server connection idle time Command Explanation Global Mode tftp-server retransmission-timeout Set maximum retransmission time within timeout <seconds> interval. 4-22 (3)Modify TFTP server connection retransmission time Command Explanation Global Mode tftp-server retransmission-number <number> Set the retransmission time for TFTP server. 4.5.3.3 FTP/TFTP Configuration Examples The configuration is the same as IPv4 address or IPv6 address. The example is only for IPv4 address. 10.1.1.2 10.1.1.1 Figure 4-2 Download nos.img file as FTP/TFTP client Scenario 1: The switch is used as FTP/TFTP client. The switch connects from one of its ports to a computer, which is a FTP/TFTP server with an IP address of 10.1.1.1; the switch acts as a FTP/TFTP client, the IP address of the switch management VLAN is 10.1.1.2. Download “nos.img” file in the computer to the switch. FTP Configuration Computer side configuration: Start the FTP server software on the computer and set the username “Switch”, and the password “superuser”. Place the “12_30_nos.img” file to the appropriate FTP server directory on the computer. The configuration procedures of the switch are listed below: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit 4-23 Switch(config)#exit Switch#copy ftp: //Switch:[email protected]/12_30_nos.img nos.img With the above commands, the switch will have the “nos.img” file in the computer downloaded to the FLASH. TFTP Configuration Computer side configuration: Start TFTP server software on the computer and place the “12_30_nos.img” file to the appropriate TFTP server directory on the computer. The configuration procedures of the switch are listed below: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit Switch(config)#exit Switch#copy tftp: //10.1.1.1/12_30_nos.img nos.img Scenario 2: The switch is used as FTP server. The switch operates as the FTP server and connects from one of its ports to a computer, which is a FTP client. Transfer the “nos.img” file in the switch to the computer and save as 12_25_nos.img. The configuration procedures of the switch are listed below: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit Switch(config)#ftp-server enable Switch(config)# username Admin password 0 superuser Computer side configuration: Login to the switch with any FTP client software, with the username “Switch” and password “superuser”, use the command “get nos.img 12_25_nos.img” to download “nos.img” file from the switch to the computer. Scenario 3: The switch is used as TFTP server. The switch operates as the TFTP server and connects from one of its ports to a computer, which is a TFTP client. Transfer the “nos.img” file in the switch to the computer. The configuration procedures of the switch are listed below: 4-24 Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit Switch(config)#tftp-server enable Computer side configuration: Login to the switch with any TFTP client software, use the “tftp” command to download “nos.img” file from the switch to the computer. Scenario 4: Switch acts as FTP client to view file list on the FTP server. Synchronization conditions: The switch connects to a computer by an Ethernet port, the computer is a FTP server with an IP address of 10.1.1.1; the switch acts as a FTP client, and the IP address of the switch management VLAN1 interface is 10.1.1.2. FTP Configuration: PC side: Start the FTP server software on the PC and set the username “Switch”, and the password “superuser”. Switch: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit Switch#copy ftp: //Switch: [email protected] 220 Serv-U FTP-Server v2.5 build 6 for WinSock ready... 331 User name okay, need password. 230 User logged in, proceed. 200 PORT Command successful. 150 Opening ASCII mode data connection for /bin/ls. recv total = 480 nos.img nos.rom parsecommandline.cpp position.doc qmdict.zip …(some display omitted here) 4-25 show.txt snmp.TXT 226 Transfer complete. 4.5.3.4 FTP/TFTP Troubleshooting 4.5.3.4.1 FTP Troubleshooting When upload/download system file with FTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the FTP client and server before running the FTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity. The following is what the message displays when files are successfully transferred. Otherwise, please verify link connectivity and retry “copy” command again. 220 Serv-U FTP-Server v2.5 build 6 for WinSock ready... 331 User name okay, need password. 230 User logged in, proceed. 200 PORT Command successful. nos.img file length = 1526021 read file ok send file 150 Opening ASCII mode data connection for nos.img. 226 Transfer complete. close ftp client. The following is the message displays when files are successfully received. Otherwise, please verify link connectivity and retry “copy” command again. 220 Serv-U FTP-Server v2.5 build 6 for WinSock ready... 331 User name okay, need password. 230 User logged in, proceed. 200 PORT Command successful. recv total = 1526037 ************************ write ok 150 Opening ASCII mode data connection for nos.img (1526037 bytes). 226 Transfer complete. If the switch is an upgraded system file or system startup file through FTP, the switch must not be restarted until “close ftp client” or “226 Transfer complete.” is displayed, indicating upgrade is successful, otherwise, the switch may be rendered unable to start. 4-26 If the system file and system startup file upgrade through FTP fails, please try to upgrade again or use the BootROM mode to upgrade. 4.5.3.4.2 TFTP Troubleshooting When uploading/downloading system file with TFTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity. The following is the message displayed when files are successfully transferred. Otherwise, please verify link connectivity and retry “copy” command again. nos.img file length = 1526021 read file ok begin to send file, wait... file transfers complete. Close tftp client. The following is the message displayed when files are successfully received. Otherwise, please verify link connectivity and retry “copy” command again. begin to receive file, wait... recv 1526037 ************************ write ok transfer complete close tftp client. If the switch is an upgraded system file or system startup file through TFTP, the switch must not be restarted until “close tftp client” is displayed, indicating upgrade is successful, otherwise, the switch may be rendered unable to start. If the system file and system startup file upgrade through TFTP fails, please try upgrading again or use the BootROM mode to upgrade. 4-27 Chapter 5 File System Operations 5.1 Introduction to File Storage Devices File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Flash can copy, delete, or rename files under Shell or BootROM mode. 5.2 File System Operation Configuration Task List 1. The formatting operation of storage devices 2. The creation of sub-directories 3. The deletion of sub-directory 4. Changing the current working directory of the storage device 5. The display operation of the current working directory 6. The display operation of information about a designated file or directory 7. The deletion of a designated file in the file system 8. The renaming operation of files 9. The copying operation of files 1. The formatting operation of storage devices Command Explanation Admin Mode format <device> Format the storage device. 2. The creation of sub-directories Command Explanation Admin Mode mkdir <directory> Create a sub-directory in a designated directory on a certain device. 3. The deletion of sub-directory Command Explanation Admin Mode rmdir <directory> Delete a sub-directory in a designated directory on a certain device. 5-28 4. Changing the current working directory of the storage device Command Explanation Admin Mode cd <directory> Change the current working directory of the storage device. 5. The display operation of the current working directory Command Explanation Admin Mode pwd Display the current working directory. 6. The display operation of information about a designated file or directory Command Explanation Admin Mode dir [WORD] Display information about a designated file or directory on the storage device. 7. The deletion of a designated file in the file system Command Explanation Admin Mode delete <file-url> Delete the designated file in the file system. 8. The renaming operation of files Command Explanation Admin Mode rename <source-file-url> <dest-file> Change the name of a designated file on the switch to a new one. 9. The copy operation of files Command Explanation Admin Mode copy <source-file-url > <dest-file-url> Copy a designated file one the switch and store it as a new one. 5-29 5.3 Typical Applications Copy an IMG file flash:/nos.img stored in the FLASH on the boardcard, to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows: Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img. 5.4 Troubleshooting If errors occur when users try to implement file system operations, please check whether they are caused by the following reasons Whether file names or paths are entered correctly. When renaming a file, whether it is in use or the new file name is already used by an existing file or directory 5-30 Chapter 6 Cluster Configuration 6.1 Introduction to cluster network management Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch). A commander switch can manage multiple member switches. As soon as a Public IP address is configured in the commander switch, all the member switches which are configured with private IP addresses can be managed remotely. This feature economizes public IP addresses which are short of supply. Cluster network management can dynamically discover cluster feature enabled switches (candidate switches). Network administrators can statically or dynamically add the candidate switches to the cluster which is already established. Accordingly, they can configure and manage the member switches through the commander switch. When the member switches are distributed in various physical locations (such as on the different floors of the same building), cluster network management has obvious advantages. Moreover, cluster network management is an in-band management. The commander switch can communicate with member switches in existing network. There is no need to build a specific network for network management. Cluster network management has the following features: Save IP addresses Simplify configuration tasks Indifference to network topology and distance limitation Auto detecting and auto establishing With factory default settings, multiple switches can be managed through cluster network management The commander switch can upgrade and configure any member switches in the cluster 6.2 Cluster Network Management Configuration Sequence Cluster Network Management Configuration Sequence: 1. Enable or disable cluster function 2. Create cluster 1) Configure private IP address pool for member switches of the cluster 2) Create or delete cluster 6-1 3) Add or remove a member switch 3. Configure attributes of the cluster in the commander switch 1) Enable or disable automatically adding cluster members 2) Set automatically added members to manually added ones 3) Set or modify the time interval of keep-alive messages on switches in the cluster. 4) Set or modify the max. number of lost keep-alive messages that can be tolerated 5) Clear the list of candidate switches maintained by the switch 4. Configure attributes of the cluster in the candidate switch 1) Set the time interval of keep-alive messages of the cluster 2) Set the max. number of lost keep-alive messages that can be tolerated in the cluster 5. Remote cluster network management 1) Remote configuration management 2) Remotely upgrade member switch 3) Reboot member switch 6. Manage cluster network with web 1) Enable http 7. Manage cluster network with snmp 1) Enable snmp server 1. Enable or disable cluster Command Explanation Global Mode cluster run [key <WORD>] [vid <VID>] Enable or disable cluster function in no cluster run the switch. 6-2 2. Create a cluster Command Explanation Global Mode cluster ip-pool <commander-ip> Configure the private IP address pool no cluster ip-pool for cluster member devices. cluster commander [<cluster_name>] Create or delete a cluster. no cluster commander cluster member {nodes-sn <nodes-sn> | mac-address <mac-addr> [id <member-id> ] | Add or remove a member switch. auto-to-user} no cluster member {id <member-id> | mac-address <mac-addr>} 3. Configure attributes of the cluster in the commander switch Command Explanation Global Mode Enable or disable adding newly cluster auto-add discovered candidate switch to the no cluster auto-add cluster. Change automatically added cluster member auto-to-user members into manually added ones. cluster keepalive interval <second> Set the keep-alive interval of the no cluster keepalive interval cluster. Set the max. number of lost cluster keepalive loss-count <int> keep-alive messages that can be no cluster keepalive loss-count tolerated in the cluster. Admin Mode clear cluster nodes [nodes-sn Clear nodes in the list of candidate <candidate-sn-list> | mac-address switches maintained by the switch. <mac-addr>] 4. Configure attributes of the cluster in the candidate switch Command Explanation Global Mode 6-3 cluster keepalive interval <second> Set the keep-alive interval of the no cluster keepalive interval cluster. Set the max. number of lost cluster keepalive loss-count <int> keep-alive messages that can be no cluster keepalive loss-count tolerated in the clusters. 5. Remote cluster network management Command Explanation Admin Mode In the commander switch, this command is used to configure and rcommand member <member-id> manage member switches. In the member switch, this command is used to configure the commander rcommand commander switch. In the commander switch, this cluster reset member [id <member-id> | command is used to reset the mac-address <mac-addr>] member switch. In the commander switch, this cluster update member <member-id> command is used to remotely <src-url> <dst-filename>[ascii | binary] upgrade the member switch. It can only upgrade nos.img file. 6. Manage cluster network with web Command Explanation Global Mode Enable http function in commander switch and member switch. Note: Ensure the http function is enabled in member switch when commander switch visiting member ip http server switch by web. The commander switch visits member switch via beat member node in member cluster topology. 6-4 7. Manage cluster network with snmp Command Explanation Global Mode Enable snmp server function in commander switch and member switch. Note: Ensure the SNMP server function is enabled in member switch when commander switch visiting snmp-server enable member switch by sn. The commander switch visit member switch via configure character string <commander-community>@sw<me mber id>. 6.3 Examples of Cluster Administration Scenario: Among the four switches -- SW1, SW2, SW3 and SW4 -- SW1 is the command switch and the other switches are member switch. The SW2 and SW4 are directly connected with the command switch while SW3 connects to the command switch through SW2. E1 E2 SW1 E1 E2 E1 SW2 SW3 Figure 6-1: Examples of Cluster Configuration Procedure 1. Configure the command switch Configuration of SW1: Switch(config)#cluster run Switch(config)#cluster ip-pool 10.2.3.4 Switch(config)#cluster commander 5526 Switch(config)#cluster auto-add 6-5 E1 SW4 2. Configure the member switch Configuration of SW2-SW4 Switch(config)#cluster run 6.4 Cluster Administration Troubleshooting When encountering problems in applying the cluster admin, please check the following possible causes: The command switch should be correctly configured and the automatically added function (cluster auto-add) is enabled. The ports are connected to the command switch and member switch belongs to the cluster vlan. After cluster commander is enabled in VLAN1 of the command switch, please don’t enable a routing protocol (RIP, OSPF, BGP) in this VLAN in order to prevent the routing protocol from broadcasting the private cluster addresses in this VLAN to other switches and cause routing loops. Whether the connection between the command switch and the member switch is correct. We can use the debug cluster packets to check if the command and the member switches can receive and process related cluster admin packets correctly. 6-6 Chapter 7 Port Configuration 7.1 Introduction to Port Switch contains Cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface Ethernet <interface-list> command to enter the appropriate Ethernet port configuration mode, where <interface-list> stands for one or more ports. If <interface-list> contains multiple ports, special characters such as ';' or '-' can be used to separate ports, ';' is used for discrete port numbers and '-' is used for consecutive port numbers. Suppose an operation should be performed on ports 2,3,4,5 the command would look like: interface Ethernet 1/2-5. Port speed, duplex mode and traffic control can be configured under Ethernet Port Mode causing the performance of the corresponding network ports to change accordingly. 7.2 Network Port Configuration Task List 1. Enter the network port configuration mode 2. Configure the properties for the network ports (1) Configure combo mode for combo ports (2) Enable/Disable ports (3) Configure port names (4) Configure port cable types (5) Configure port speed and duplex mode (6) Configure bandwidth control (7) Configure traffic control (8) Enable/Disable port loopback function (9) Configure broadcast storm control function for the switch (10) Configure scan port mode (11) Configure rate-violation control of the port (12) Configure interval of port-rate-statistics 3. Virtual cable test 7-7 1. Enter the Ethernet port configuration mode Command Explanation Global Mode interface ethernet <interface-list> Enters the network port configuration mode. 2. Configure the properties for the Ethernet ports Command Explanation Port mode media-type {copper | copper-preferred-auto | fiber | sfp-preferred-auto} shutdown no shutdown Sets the combo port mode (combo ports only). Enables/Disables specified ports. description <string> Specifies or cancels the name of specified no description ports. mdi {auto | across | normal} no mdi Sets the cable type for the specified port; this command is not supported by combo port and fiber port of switch. speed-duplex {auto [10 [100 [1000]] [auto | full | half |]] | force10-half | force10-full | force100-half | force100-full | force100-fx [module-type {auto-detected | no-phy-integrated | phy-integrated}] | {{force1g-half | force1g-full} [nonegotiate [master | slave]]}| Sets port speed and duplex mode of 100/1000BASE-TX or 1000BASE-X ports. The no format of this command restores the default setting, i.e., negotiates speed and duplex mode automatically. force10g-full} no speed-duplex negotiation {on|off} bandwidth control <bandwidth> [both | receive | transmit] no bandwidth control Enables/Disables the auto-negotiation function of 1000BASE-X ports. Sets or cancels the bandwidth used for incoming/outgoing traffic for specified ports. flow control Enables/Disables traffic control function for no flow control specified ports. loopback Enables/Disables loopback test function for no loopback specified ports. 7-8 Enables the storm control function for broadcasts, multicasts and unicasts with storm control {unicast | broadcast | unknown destinations (short for broadcast), multicast} {kbps <Kbits> | pps <PPS>} and sets the allowed broadcast packet no strom control {unicast | broadcast | number or the bit number passing per multicast}> second; the no format of this command disables the broadcast storm control function. Configure that switch does not transmit switchport flood-control broadcast, unknown multicast or unknown { bcast|mcast|ucast } unicast packets any more to the specified no switchport flood-control port; no command restores the default { bcast|mcast|ucast } configuration. Note: This switch does not support this command. Configure port-scan-mode as interrupt or poll port-scan-mode {interrupt | poll} mode, the no command restores the default no port-scan-mode port-scan-mode. Set the max. packet reception rate of a port. rate-violation <200-2000000> [recovery <0-86400>] no rate-violation If the rate of the received packet violates the packet reception rate, shut down this port and configure the recovery time, the default is 300s. The no command will disable the rate-violation function of a port. Command Explanation Port Mode switchport discard packet { all | Configure the port not to receive any packet untag } or untag; the no command cancel the no switchport discard packet { all | restriction of discard, it means the port is untag } allowed to receive any packet or untag. Command Explanation Global Mode port-rate-statistics interval <interval Configure the interval of port-rate-statistics. -value> 7-9 3. Virtual cable test Command Explanation Admin Mode virtual-cable-test interface ethernet Test virtual cables of the port. <interface-list> 7.3 Port Configuration Example Switch 1 1/7 1/9 1/10 1/12 1/8 Switch 2 Switch 3 Figure 7-1: Port Configuration Example No VLAN has been configured in the switches; default VLAN1 is used. Switch Port Property Switch1 1/7 Ingress bandwidth limit: 50 M Switch2 1/8 Mirror source port 1/9 100Mbps full, mirror source port 1/10 1000Mbps full, mirror destination port 1/12 100Mbps full Switch3 The configurations are listed below: Switch 1: Switch1(config)#interface ethernet 1/7 Switch1(Config-If-Ethernet1/7)#bandwidth control 50000 receive 7-10 Switch 2: Switch2(config)#interface ethernet 1/9 Switch2(Config-If-Ethernet1/9)#speed-duplex force100-full Switch2(Config-If-Ethernet1/9)#exit Switch2(config)#interface ethernet 1/10 Switch2(Config-If-Ethernet1/10)#speed-duplex force1g-full Switch2(Config-If-Ethernet1/10)#exit Switch2(config)#monitor session 1 source interface ethernet 1/8;1/9 Switch2(config)#monitor session 1 destination interface ethernet 1/10 Switch 3: Switch3(config)#interface ethernet 1/12 Switch3(Config-If-Ethernet1/12)#speed-duplex force100-full Switch3(Config-If-Ethernet1/12)#exit 7.4 Port Troubleshooting Here are some situations that frequently occurs in port configuration and the following solutions are advised: Two connected fiber interfaces won’t link up if one interface is set to auto-negotiation but the other to forced speed/duplex. This is determined by IEEE 802.3. The following combinations are not recommended: enabling traffic control as well as setting multicast limiting for the same port; setting broadcast, multicast and unknown destination unicast control as well as port bandwidth limiting for the same port. If such combinations are set, the port throughput may fall below the expected performance. 7-11 Chapter 8 Port Isolation Function Configuration 8.1 Introduction to Port Isolation Function Port isolation is an independent port-based function working in an inter-port way, which isolates flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security. After this function is configured, the ports in a port isolation group will be isolated from each other, while ports belonging to different isolation groups or no such group can forward data to one another normally. No more than 16 port isolation groups can a switch has. 8.2 Task Sequence of Port Isolation 1. Create an isolate port group 2. Add Ethernet ports into the group 3. Display the configuration of port isolation 1. Create an isolate port group Command Explanation Global Mode Set a port isolation group; the no operation of isolate-port group <WORD> this command will delete the port isolation no isolate-port group <WORD> group. 2. Add Ethernet ports into the group Command Explanation Global Mode isolate-port group <WORD> switchport Add one port or a group of ports into a port interface [ethernet] <IFNAME> isolation group to isolate, which will become no isolate-port group <WORD> isolated from the other ports in the group; the switchport interface [ethernet] <IFNAME> no operation of this command will remove one port or a group of ports out of a port isolation group. 3. Display the configuration of port isolation Command Explanation Admin and Global Mode Display the configuration of port isolation, show isolate-port group [ <WORD> ] including all configured port isolation groups and Ethernet ports in each group. 8-12 8.3 Port Isolation Function Typical Examples e1/15 Vlan e1/1 S1 S2 e1/10 S3 Figure 8-1: Typical example of port isolation function The topology and configuration of switches are showed in the figure above, with e1/1, e1/10 and e1/15 all belonging to VLAN 100. The requirement is that, after port isolation is enabled on switch S1, e1/1 and e1/10 on switch S1 cannot communicate with each other, while both of them can communicate with the uplink port e1/15. That is, the communication between any pair of downlink ports is disabled while that between any downlink port and a specified uplink port is normal. The uplink port can communicate with any port normally. The configuration of S1: Switch(config)#isolate-port group test Switch(config)#isolate-port group test switchport interface ethernet 1/1;1/10 8-13 Chapter 9 Port Loopback Detection Function Configuration 9.1 Introduction to Port Loopback Detection Function With the development of switches, more and more users begin to access the network through Ethernet switches. In enterprise network, users access the network through Layer 2 switches, which means urgent demands for both internet and the internal Layer 2 interwork. When Layer 2 interwork is required, the messages will be forwarded through MAC addressing the accuracy of which key is the correct one interworking between users. In Layer 2 switching, the messages are forwarded through MAC addressing. Layer 2 devices learn MAC addresses via learned MAC address, that is, when the port receives a message from an unknown source -MAC address, it will add this MAC to the receive port, so that the following messages with a destination of this MAC can be forwarded directly, which also means learned MAC address once and for all can forward messages. When a new source MAC is already learnt by the Layer 2 device, only with a different source port, the original source port will be modified to the new one, which means to correspond the original MAC address with the new port. As a result, if there is any loopback existing in the link, all MAC addresses within the whole Layer 2 network will be corresponded with the port where the loopback appears (usually the MAC address will be frequently shifted from one port to another), causing the Layer 2 network to collapse. That is why it is a necessity to check port loopbacks in the network. When a loopback is detected, the detected device should send alarms to the network management system, ensuring the network manager is able to discover, locate and solve the problem in the network and protect users from a long-lasting disconnected network. Since detecting loopbacks can make dynamic judgment of the existence of loopbacks in the link and tell whether it has gone, the devices supporting port control (such as port isolation and port MAC address learning control) can maintain that automatically, which will not only reduce the burden of network managers but also response time, minimizing the effect causing loopbacks to the network. 9.2 Port Loopback Detection Function Configuration Task List 1. Configure the time interval of loopback detection 2. Enable the function of port loopback detection 3. Configure the control method of port loopback detection 9-14 4. Display and debug the relevant information of port loopback detection 5. Configure the loopback-detection control mode (automatic recovery enabled or not) 1.Configure the time interval of loopback detection Command Explanation Global Mode loopback-detection interval-time <loopback> <no-loopback> no loopback-detection interval-time Configure the time interval of loopback detection. 2.Enable the function of port loopback detection Command Explanation Port Mode loopback-detection specified-vlan <vlan-list> Enable and disable the function of port no loopback-detection specified-vlan loopback detection. <vlan-list> 3.Configure the control method of port loopback detection Command Explanation Port Mode loopback-detection control {shutdown |block| learning} no loopback-detection control Enable and disable the function of port loopback detection control. 4.Display and debug the relevant information of port loopback detection Command Explanation Admin Mode Enable the debug information of the debug loopback-detection function module of port loopback detection. no debug loopback-detection The no operation of this command will disable the debug information. 9-15 Display the state and result of the loopback show loopback-detection [interface detection of all ports, if no parameter is <interface-list>] provided; otherwise, display the state and result of the corresponding ports. 5. Configure the loopback-detection control mode (automatic recovery enabled or not) Command Explanation Global Mode Configure the loopback-detection control loopback-detection control-recovery mode (automatic recovery enabled or not) timeout <0-3600> or recovery time. 9.3 Port Loopback Detection Function Example SWITCH Network Topology Figure 9-1: Typical example of port loopback detection As shown in the above configuration, the switch will detect the existence of loopbacks in the network topology. After enabling the function of loopback detection on the port connecting the switch with the outside network, the switch will notify the connected network about the existence of a loopback, and control the port on the switch to guarantee the normal operation of the whole network. The configuration task sequence of SWITCH: Switch(config)#loopback-detection interval-time 35 15 Switch(config)#interface ethernet 1/1 9-16 Switch(Config-If-Ethernet1/1)#loopback-detection special-vlan 1-3 Switch(Config-If-Ethernet1/1)#loopback-detection control block If adopting the control method of block, MSTP should be globally enabled. And the corresponding relation between the spanning tree instance and the VLAN should be configured. Switch(config)#spanning-tree Switch(config)#spanning-tree mst configuration Switch(Config-Mstp-Region)#instance 1 vlan 1 Switch(Config-Mstp-Region)#instance 2 vlan 2 Switch(Config-Mstp-Region)# 9.4 Port Loopback Detection Troubleshooting The function of port loopback detection is disabled by default and should only be enabled if required. 9-17 Chapter 10 ULDP Function Configuration 10.1 Introduction to ULDP Function Unidirectional link is a common error state of link in networks, especially in fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter one can not receive messages from the former one. Since the physical layer of the link is connected and works normal, via the checking mechanism of the physical layer, communication problems between the devices can not be found. As shown in Graph, the problem in fiber connection can not be found through mechanisms in physical layer like automatic negotiation. Switch A g1/1 g1/2 g1/3 g1/4 Switch B Figure 10-1: Fiber Cross Connection Switch A g1/2 g1/1 Switch B Switch C g1/3 Figure 10-2: One End of Each Fiber Not Connected 10-18 This kind of problem often appears in the following situations: GBIC (Giga Bitrate Interface Converter) or interfaces have problems, software problems, hardware becomes unavailable or operates abnormally. Unidirectional link will cause a series of problems, such as spinning tree topological loop, broadcast black hole. ULDP (Unidirectional Link Detection Protocol) can help avoid disasters that could happen in the situations mentioned above. In a switch connected via fibers or copper Ethernet line (like ultra five-kind twisted pair), ULDP can monitor the link state of physical links. Whenever a unidirectional link is discovered, it will send warnings to users and can disable the port automatically or manually according to users’ configuration. The ULDP of switches recognizes remote devices and check the correctness of link connections via interacting ULDP messages. When ULDP is enabled on a port, protocol state machine will be started, which means different types of messages will be sent at different states of the state machine to check the connection state of the link by exchanging information with remote devices. ULDP can dynamically study the interval at which the remote device sends notification messages and adjust the local TTL (time to live) according to that interval. Besides, ULDP provides the reset mechanism, when the port is disabled by ULDP, it can check again through reset mechanism. The time intervals of notification messages and reset in ULDP can be configured by users, so that ULDP can respond faster to connection errors in different network environments. The premise of ULDP working normally is that link works in duplex mode, which means ULDP is enabled on both ends of the link, using the same method of authentication and password. 10.2 ULDP Configuration Task Sequence 1. Enable ULDP function globally 2. Enable ULDP function on a port 3. Configure aggressive mode globally 4. Configure aggressive mode on a port 5. Configure the method to shut down unidirectional link 6. Configure the interval of Hello messages 7. Configure the interval of Recovery 8. Reset the port shut down by ULDP 9. Display and debug the relative information of ULDP 10-19 1. Enable ULDP function globally Command Explanation Global Mode uldp enable uldp disable Globally enable or disable ULDP function. 2. Enable ULDP function on a port Command Explanation Port Mode uldp enable uldp disable Enable or disable ULDP function on a port. 3. Configure aggressive mode globally Command Explanation Global Mode uldp aggressive-mode no uldp aggressive-mode Set the global working mode. 4. Configure aggressive mode on a port Command Explanation Port Mode uldp aggressive-mode no uldp aggressive-mode Set the working mode of the port. 5. Configure the method to shut down unidirectional link Command Explanation Global Mode uldp manual-shutdown Configure the method to shut down no uldp manual-shutdown unidirectional link. 10-20 6. Configure the interval of Hello messages Command Explanation Global Mode uldp hello-interval <integer> no uldp hello-interval Configure the interval of Hello messages, ranging from 5 to 100 seconds. The value is 10 seconds by default. 7. Configure the interval of Recovery Command Explanation Global Mode uldp recovery-time <integer> no uldp recovery-time <integer> Configure the interval of Recovery reset, ranging from 30 to 86400 seconds. The value is 0 second by default. 8. Reset the port shut down by ULDP Command Explanation Global or Port Mode Reset all ports in global configuration uldp reset mode; Reset the specified port in port configuration mode. 9. Display and debug the related information of ULDP Command Explanation Admin Mode Display ULDP information. No parameter means to display global ULDP information. show uldp [interface ethernet IFNAME] The parameter specifying a port will display global information and the neighbor information of the port. debug uldp fsm interface ethernet <IFname> no debug uldp fsm interface ethernet <IFname> Enable or disable the debug switch of the state machine transition information on the specified port. debug uldp error Enable or disable the debug switch of error no debug uldp error information. 10-21 debug uldp event Enable or disable the debug switch of no debug uldp event event information. debug uldp packet {receive|send} Enable or disable the type of messages no debug uldp packet {receive|send} can be received and sent on all ports. debug uldp {hello|probe|echo| unidir|all} [receive|send] interface ethernet Enable or disable the content detail of a <IFname> particular type of messages can be no debug uldp {hello|probe|echo| received and sent on the specified port. unidir|all} [receive|send] interface ethernet <IFname> 10.3 ULDP Function Typical Examples Switch A g1/1 g1/2 g1/3 g1/4 Switch B PC2 PC1 Figure 10-3 Fiber Cross Connection In the network topology in Graph, port g1/1 and port g1/2 of SWITCH A as well as port g1/3 and port g1/4 of SWITCH B are all fiber ports. And the connection is cross connection. The physical layer is connected and works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of error state of link. The final result is that port g1/1, g1/2 of SWITCH A and port g1/3, g1/4 of SWITCH B are all shut down by ULDP. Only when the connection is correct, can the ports work normally (won’t be shut down). Switch A configuration sequence: SwitchA(config)#uldp enable SwitchA(config)#interface ethernet 1/1 SwitchA(Config-If-Ethernet1/1)#uldp enable SwitchA(Config-If-Ethernet1/1)#exit SwitchA(config)#interface ethernet 1/2 SwitchA(Config-If-Ethernet1/2)#uldp enable 10-22 Switch B configuration sequence: SwitchB(config)#uldp enable SwitchB(config)#interface ethernet1/3 SwitchB(Config-If-Ethernet1/3)#uldp enable SwitchB(Config-If-Ethernet1/3)#exit SwitchB(config)#interface ethernet 1/4 SwitchB(Config-If-Ethernet1/4)#uldp enable As a result, port g1/1, g1/2 of SWITCH A are all shut down by ULDP, and there is notification information on the CRT terminal of PC1. %Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/1 need to be shut down! %Oct 29 11:09:50 2007 Unidirectional port Ethernet1/1 is shut down! %Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/2 need to be shut down! %Oct 29 11:09:50 2007 Unidirectional port Ethernet1/2 is shut down! Port g1/3, and port g1/4 of SWITCH B are all shut down by ULDP, and there is notification information on the CRT terminal of PC2. %Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/3 need to be shut down! %Oct 29 11:09:50 2007 Unidirectional port Ethernet1/3 is shut down! %Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/4 need to be shut down! %Oct 29 11:09:50 2007 Unidirectional port Ethernet1/4 is shut down! 10.4 ULDP Troubleshooting Configuration Notice: In order to ensure that ULDP can discover that the one of fiber ports has not connected or the ports are incorrectly cross connected, the ports have to work in duplex mode and have the same rate. If the automatic negotiation mechanism of the fiber ports with one port misconnected decides the working mode and rate of the ports, ULDP won’t take effect whether it is enabled or not. In such situation, the port is considered as “Down”. In order to make sure that neighbors can be correctly created and unidirectional links can be correctly discovered, it is required that both end of the link should enable ULDP, using the same authentication method and password. At present, no password is needed on both ends. 10-23 The hello interval of sending hello messages can be changed (it is10 seconds by default and ranges from 5 to 100 seconds) so that ULDP can respond faster to connection errors of links in different network environments. But this interval should be less than 1/3 of the STP convergence time. If the interval is too long, a STP loop will be generated before ULDP discovers and shuts down the unidirectional connection port. If the interval is too short, the network burden on the port will be increased, which means a reduced bandwidth. ULDP does not handle any LACP event. It treats every link of TRUNK group (like Port-channel, TRUNK ports) as independent, and handles each of them respectively. ULDP does not compact with similar protocols of other vendors, which means users can not use ULDP on one end and use other similar protocols on the other end. ULDP function is disabled by default. After globally enabling ULDP function, the debug switch can be enabled simultaneously to check the debug information. There are several DEBUG commands provided to print debug information, such as information of events, state machine, errors and messages. Different types of message information can also be printed according to different parameters. The Recovery timer is disabled by default and will only be enabled when the users have configured recovery time (30-86400 seconds). Reset command and reset mechanism can only reset the ports automatically shut down by ULDP. The ports shut down manually by users or by other modules won’t be reset by ULDP. 10-24 Chapter 11 LLDP Function Operation Configuration 11.1 Introduction to LLDP Function Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them. If necessary, the ports can also send update information to the neighbor devices directly connected to them, and those neighbor devices will store the information in standard SNMP MIBs. The network management system can check the layer-two connection state from MIB. LLDP won’t configure or control network elements or flows, but only report the configuration of layer-two. Another content of 802.1ab is to utilizing the information provided by LLDP to find the conflicts in layer-two. IEEE now uses the existing physical topology, interfaces and Entity MIBs of IETF. To simplify, LLDP is a neighbor discovery protocol. It defines a standard method for Ethernet devices, such as switches, routers and WLAN access points, to enable them to notify their existence to other nodes in the network and store the discovery information of all neighbor devices. For example, the detail information of the device configuration and discovery can both use this protocol to advertise. In specific, LLDP defines a general advertisement information set, a transportation advertisement protocol and a method to store the received advertisement information. The device to advertise its own information can put multiple pieces of advertisement information in one LAN data packet to transport. The type of transportation is the type length value (TLV) field. All devices supporting LLDP have to support device ID and port ID advertisement, but it is assumed that, most devices should also support system name, system description and system performance advertisement. System name and system description advertisement can also provide useful information for collecting network flow data. System description advertisement can include data such as the full name of the advertising device, hardware type of system, the version information of software operation system and so on. 802.1AB Link Layer Discovery Protocol will make searching the problems in an enterprise network an easier process and can strengthen the ability of network management tools to discover and maintain accurate network topology structure. Many kinds of network management software use “Automated Discovery” function to trace the change and condition of topology, but most of them can reach layer-three and classify the devices into all IP subnets at best. This kind of data are very primitive, only referring to basic 11-25 events like the adding and removing of relative devices instead of details about where and how these devices operate with the network. Layer 2 discovery covers information like which devices have which ports, which switches connect to other devices and so on, it can also display the routs between clients, switches, routers, application servers and network servers. Such details will be very meaningful for schedule and investigate the source of network failure. LLDP will be a very useful management tool, providing accurate information about network mirroring, flow data and searching network problems. 11.2 LLDP Function Configuration Task Sequence 1. Globally enable LLDP function 2. Configure the port-based LLDP function switch 3. Configure the operating state of port LLDP 4. Configure the intervals of LLDP updating messages 5. Configure the aging time multiplier of LLDP messages 6. Configure the sending delay of updating messages 7. Configure the intervals of sending Trap messages 8. Configure to enable the Trap function of the port 9. Configure the optional information-sending attribute of the port 10. Configure the size of space to store Remote Table of the port 11. Configure the type of operation when the Remote Table of the port is full 12. Display and debug the relative information of LLDP 1. Globally enable LLDP function Command Explanation Global Mode lldp enable lldp disable Globally enable or disable LLDP function. 11-26 2. Configure the port-based LLDP function switch Command Explanation Port Mode lldp enable Configure the port-based LLDP function lldp disable switch. 3. Configure the operating state of port LLDP Command Explanation Port Mode Configure the operating state of port lldp mode (send|receive|both|disable) LLDP. 4. Configure the intervals of LLDP updating messages Command Explanation Global Mode Configure the intervals of LLDP updating lldp tx-interval <integer> messages as the specified value or no lldp tx-interval default value. 5. Configure the aging time multiplier of LLDP messages Command Explanation Global Mode Configure the aging time multiplier of lldp msgTxHold <value> LLDP messages as the specified value or no lldp msgTxHold default value. 6. Configure the sending delay of updating messages Command Explanation Global Mode Configure the sending delay of updating lldp transmit delay <seconds> messages as the specified value or no lldp transmit delay default value. 11-27 7. Configure the intervals of sending Trap messages Command Explanation Global Mode Configure the intervals of sending lldp notification interval <seconds> Trap messages as the specified value or no lldp notification interval default value. 8. Configure to enable the Trap function of the port Command Explanation Port Mode Enable or disable the Trap function of lldp trap <enable|disable> the port. 9. Configure the optional information-sending attribute of the port Command Explanation Port Mode lldp transmit optional tlv [portDesc] Configure the optional [sysName] [sysDesc] [sysCap] information-sending attribute of the port no lldp transmit optional tlv as the option value of default values. 10. Configure the size of space to store Remote Table of the port Command Explanation Port Mode Configure the size of space to store lldp neighbors max-num < value > Remote Table of the port as the no lldp neighbors max-num specified value or default value. 11. Configure the type of operation when the Remote Table of the port is full Command Explanation Port Mode lldp tooManyNeighbors {discard | Configure the type of operation when the delete} Remote Table of the port is full. 11-28 12. Display and debug the relative information of LLDP Command Explanation Admin and Global Mode Display the current LLDP configuration show lldp information. show lldp interface ethernet <IFNAME> Display the LLDP configuration information of the current port. Display the information of all kinds of show lldp traffic counters. show lldp neighbors interface Display the information of LLDP ethernet < IFNAME > neighbors of the current port. Display all ports with LLDP debug show debugging lldp enabled. Admin Mode debug lldp Enable or disable the DEBUG switch. no debug lldp debug lldp packets interface ethernet Enable or disable the DEBUG <IFNAME> no debug lldp packets interface ethernet <IFNAME> packet-receiving and sending function in port or global mode. Port Mode Clear Remote-table of the port. clear lldp remote-table 11.3 LLDP Function Typical Example Figure 11-1: LLDP Function Typical Configuration Example 11-29 In the network topology graph above, the port 1,3 of SWITCH B are connected to port 2,4 of SWITCH A. Port 1 of SWITCH B is configured to message-receiving-only mode, Option TLV of port 4 of SWITCH A is configured as portDes and SysCap. SWITCH A configuration task sequence: SwitchA(config)# lldp enable SwitchA(config)#interface ethernet 1/4 SwitchA(Config-If-Ethernet1/4)#lldp transmit optional tlv portDesc sysCap SwitchA(Config-If-Ethernet1/4)exit SWITCH B configuration task sequence: SwitchB(config)#lldp enable SwitchB(config)#interface ethernet1/1 SwitchB(Config-If-Ethernet1/1)#lldp mode receive SwitchB(Config-If-Ethernet1/1)#exit 11.4 LLDP Function Troubleshooting LLDP function is disabled by default. After enabling the global switch of LLDP, users can enable the debug switch “debug lldp” simultaneously to check debug information. Using “show” function of LLDP function can display the configuration information in global or port configuration mode. 11-30 Chapter 12 Port Channel Configuration 12.1 Introduction to Port Channel To understand Port Channel, Port Group should be introduced first. Port Group is a group of physical ports in the configuration level; only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel. Logically, Port Group is not a port but a port sequence. Under certain conditions, physical ports in a Port Group perform port aggregation to form a Port Channel that has all the properties of a logical port, therefore it becomes an independent logical port. Port aggregation is a process of logical abstraction to abstract a set of ports (port sequence) with the same properties to a logical port. Port Channel is a collection of physical ports and used logically as one physical port. Port Channel can be used as a normal port by the user, and can not only add network’s bandwidth, but also provide link backup. Port aggregation is usually used when the switch is connected to routers, PCs or other switches. S1 S2 Figure 12-1: Port aggregation As shown in the above, S1 is aggregated to a Port Channel, the bandwidth of this Port Channel is the total of all the four ports. If traffic from S1 needs to be transferred to S2 through the Port Channel, traffic allocation calculation will be performed based on the source MAC address and the lowest bit of target MAC address. The calculation result will decide which port to convey the traffic. If a port in Port Channel fails, the other ports will undertake traffic of that port through a traffic allocation algorithm. This algorithm is carried out by the hardware. Switch offers two methods for configuring port aggregation: manual Port Channel creation and LACP (Link Aggregation Control Protocol) dynamic Port Channel creation. Port aggregation can only be performed on ports in full-duplex mode. For Port Channel to work properly, member ports of the Port Channel must have the same properties as follows: 12-31 All ports are in full-duplex mode. All Ports are of the same speed. All ports are Access ports and belong to the same VLAN or are all TRUNK ports, or are all Hybrid ports. If the ports are all TRUNK ports or Hybrid ports, then their “Allowed VLAN” and “Native VLAN” property should also be the same. If Port Channel is configured manually or dynamically on switch, the system will automatically set the port with the smallest number to be Master Port of the Port Channel. If the spanning tree function is enabled in the switch, the spanning tree protocol will regard Port Channel as a logical port and send BPDU frames via the master port. Port aggregation is closely related with switch hardware. Switch allow physical port aggregation of any two switches, maximum 14 groups and 8 ports in each port group are supported. Once ports are aggregated, they can be used as a normal port. Switch have a built-in aggregation interface configuration mode, the user can perform related configuration in this mode just like in the VLAN and physical interface configuration mode. 12.2 Brief Introduction to LACP LACP (Link Aggregation Control Protocol) is a kind of protocol based on IEEE802.3ad standard to implement the link dynamic aggregation. LACP protocol uses LACPDU (Link Aggregation Control Protocol Data Unit) to exchange the information with the other end. After LACP protocol of the port is enabled, this port will send LACPDU to the other end to notify the system priority, the MAC address of the system, the priority of the port, the port ID and the operation Key. After the other end receives the information, the information is compared with the saving information of other ports to select the port which can be aggregated, accordingly, both sides can reach an agreement about the ports join or exit the dynamic aggregation group. The operation Key is created by LACP protocol according to the combination of configuration (speed, duplex, basic configuration, management Key) of the ports to be aggregated. After the dynamic aggregation port enables LACP protocol, the management Key is 0 by default. After the static aggregation port enables LACP, the management Key of the port is the same with the ID of the aggregation group. 12-32 For the dynamic aggregation group, the members of the same group have the same operation Key, for the static aggregation group, the ports of Active have the same operation Key. The port aggregation is that multi-ports are aggregated to form an aggregation group, so as to implement the out/in load balance in each member port of the aggregation group and provides the better reliability. 12.2.1 Static LACP Aggregation Static LACP aggregation is enforced by users configuration, and do not enable LACP protocol. When configuring static LACP aggregation, use “on” mode to force the port to enter the aggregation group. 12.2.2 Dynamic LACP Aggregation 1. The summary of the dynamic LACP aggregation Dynamic LACP aggregation is an aggregation created/deleted by the system automatically; it does not allow the user to add or delete the member ports of the dynamic LACP aggregation. The ports, which have the same attribute of speed and duplex, are connected to the same device, have the same basic configuration, and can be dynamically aggregated together. Only one port can create the dynamic aggregation and that is the single port aggregation. In the dynamic aggregation, LACP protocol of the port is in the enable state. 2. The port state of the dynamic aggregation group In dynamic aggregation group, the ports have two states: selected or standby. Both selected ports and standby ports can receive and send LACP protocol, but standby ports cannot forward the data packets. The limitation of the max. port number is in the aggregation group. If the current number of the member ports exceeds the limitation of the max. port number, then the system of this end will negotiate with the other end to decide the port state according to the port ID. The negotiation steps are as follows: Compare ID of the devices (the priority of the system + the MAC address of the system). First, compare the priority of the systems, if they are the same, then compare the MAC address of the systems. The end with a small device ID has the high priority. Compare the ID of the ports (the priority of the port + the ID of the port). For each port in the side of the device which has the high device priority, first, compare the priority of the ports, if the priorities are same, then compare the ID of the ports. The port with a small port ID is selected, and the others become the standby ports. 12-33 In an aggregation group, the port which has the smallest port ID and is in the selected state will be the master port while the other ports in the selected state will be the member port. 12.2.3 Port Channel Configuration Task List 1. Create a port group in Global Mode 2. Add ports to the specified group from the Port Mode of respective ports 3. Enter port-channel configuration mode 4. Set load-balance method for port-group 5. Set the system priority of LACP protocol 6. Set the port priority of the current port in LACP protocol 7. Set the timeout mode of the current port in LACP protocol 1. Creating a port group Command Explanation Global Mode port-group <port-group-number> Create or delete a port group. no port-group <port-group-number> 2. Add physical ports to the port group Command Explanation Port Mode port-group <port-group-number> mode Add the ports to the port group and set their {active | passive | on} mode. no port-group 3. Enter port-channel configuration mode. Command Explanation Global Mode interface port-channel <port-channel-number> Enter port-channel configuration mode. 12-34 4. Set load-balance method for port-group Command Explanation Aggregation Port Mode load-balance {src-mac | dst-mac | dst-src-mac | src-ip | dst-ip | dst-src-ip} Set load-balance for port-group. 5. Set the system priority of LACP protocol Command Explanation Global Mode Set the system priority of LACP lacp system-priority <system-priority> protocol, the no command restores no lacp system-priority the default value. 6. Set the port priority of the current port in LACP protocol Command Explanation Port Mode Set the port priority in LACP protocol. lacp port-priority <port-priority> The no command restores the default no lacp port-priority value. 7. Set the timeout mode of the current port in LACP protocol Command Explanation Port Mode Set the timeout mode in LACP lacp timeout {short | long} protocol. The no command restores no lacp timeout the default value. 12.3 Port Channel Examples Scenario 1: Configuring Port Channel in LACP. 12-35 S1 S2 Figure 12-2: Configure Port Channel in LACP The switches in the description below are all switches and as shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and add them to group1 with active mode. Ports 6, 8, 9, 10 of S2 are access ports and add them to group2 with passive mode. All the ports should be connected with cables. The configuration steps are listed below: Switch1#config Switch1(config)#interface ethernet 1/1-4 Switch1(Config-If-Port-Range)#port-group 1 mode active Switch1(Config-If-Port-Range)#exit Switch1(config)#interface port-channel 1 Switch1(Config-If-Port-Channel1)# Switch2#config Switch2(config)#port-group 2 Switch2(config)#interface ethernet 1/6 Switch2(Config-If-Ethernet1/6)#port-group 2 mode passive Switch2(Config-If-Ethernet1/6)#exit Switch2(config)#interface ethernet 1/8-10 Switch2(Config-If-Port-Range)#port-group 2 mode passive Switch2(Config-If-Port-Range)#exit Switch2(config)#interface port-channel 2 Switch2(Config-If-Port-Channel2)# 12-36 Configuration result: Shell prompts ports aggregated successfully after a while, now ports 1, 2, 3, 4 of S1 form an aggregated port named “Port-Channel1”, ports 6, 8, 9, 10 of S2 form an aggregated port named “Port-Channel2”; can be configured in their respective aggregated port modes. Scenario 2: Configuring Port Channel in ON mode. S1 S2 Figure 12-3: Configure Port Channel in ON mode As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and add them to group1 with “on” mode. Ports 6, 8, 9, 10 of S2 are access ports and add them to group2 with “on” mode. The configuration steps are listed below: Switch1#config Switch1(config)#interface ethernet 1/1 Switch1(Config-If-Ethernet1/1)#port-group 1 mode on Switch1(Config-If-Ethernet1/1)#exit Switch1(config)#interface ethernet 1/2 Switch1 (Config-If-Ethernet1/2)#port-group 1 mode on Switch1 (Config-If-Ethernet1/2)#exit Switch1 (config)#interface ethernet 1/3 Switch1 (Config-If-Ethernet1/3)#port-group 1 mode on Switch1 (Config-If-Ethernet1/3)#exit Switch1 (config)#interface ethernet 1/4 Switch1 (Config-If-Ethernet1/4)#port-group 1 mode on Switch1 (Config-If-Ethernet1/4)#exit Switch2#config Switch2(config)#port-group 2 Switch2(config)#interface ethernet 1/6 12-37 Switch2 (Config-If-Ethernet1/6)#port-group 2 mode on Switch2 (Config-If-Ethernet1/6)#exit Switch2 (config)#interface ethernet 1/8-10 Switch2(Config-If-Port-Range)#port-group 2 mode on Switch2(Config-If-Port-Range)#exit Configuration result: Add ports 1, 2, 3, 4 of S1 to port-group1 in order, and we can see a group in “on” mode is completely joined forcedly, switch in other ends won’t exchange LACP PDU to complete aggregation. Aggregation finishes immediately when the command to add port 1/2 to port-group 1 is entered, port 1 and port 2 aggregate to be port-channel 1, when port 1/3 joins port-group 1, port-channel 1 of port 1 and 2 are ungrouped and re-aggregate with port 3 to form port-channel 1, when port 1/4 joins port-group 1, port-channel 1 of port 1, 2 and 3 are ungrouped and re-aggregate with port 4 to form port-channel 1. (It should be noted that whenever a new port joins in an aggregated port group, the group will be ungrouped first and re-aggregated to form a new group.) Now all four ports in both S1 and S2 are aggregated in “on” mode and become an aggregated port respectively. 12.4 Port Channel Troubleshooting If problems occur when configuring port aggregation, please first check the following for causes. Ensure all ports in a port group have the same properties, i.e., whether they are in full-duplex mode, forced to the same speed, and have the same VLAN properties, etc. If inconsistency occurs, make corrections. Some commands cannot be used on a port in port-channel, such as arp, bandwidth, ip, ip-forward, etc. 12-38 Chapter 13 MTU Configuration 13.1 Introduction to MTU So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 should be considered jumbo frame. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%. Technically the Jumbo is just a lengthened frame sent and received by the switch. However considering the length of Jumbo frames, they will not be sent to CPU. We discard the Jumbo frames sent to CPU in the packet receiving process. 13.2 MTU Configuration Task Sequence 1. Configure enable MTU function 1. Configure enable MTU function Command Explanation Global Mode Configure the MTU size of JUMBO frame, mtu [<mtu-value>] no mtu enable enable the receiving/sending function of JUMBO frame. The no command disables sending and receiving function of MTU frames. 13-39 Chapter 14 EFM OAM Configuration 14.1 Introduction to EFM OAM Ethernet is designed for Local Area Network at the beginning, but link length and network scope is extended rapidly while Ethernet is also applied to Metropolitan Area Network and Wide Area Network along with development. Due to lack the effectively management mechanism, it affects Ethernet application to Metropolitan Area Network and Wide Area Network, implementing OAM on Ethernet becomes a necessary development trend. There are four protocol standards about Ethernet OAM, they are 802.3ah (EFM OAM), 802.3ag (CFM), E-LMI and Y.1731. EFM OAM and CFM are set for IEEE organization. EFM OAM works in data link layer to validly discover and manage the data link status of rock-bottom. Using EFM OAM can effectively advance management and maintenance for Ethernet to ensure the stable network operation. CFM is used for monitoring the whole network connectivity and locating the fault in access aggregation network layer. Compare with CFM, Y.1731 standard set by ITU (International Telecommunications Union) is more powerful. E-LMI standard set by MEF is only applied to UNI. So above protocols can be used to different network topology and management, between them exist the complementary relation. EFM OAM (Ethernet in the First Mile Operation, Administration and Maintenance) works in data link layer of OSI model to implement the relative functions through OAM sublayer, figure is shown below: Figure 14-1: OAM location in OSI model 14-40 OAM protocol data units (OAMPDU) use destination MAC address 01-80-c2-00-00-02 of protocol, the max. transmission rate is 10Pkt/s. EFM OAM is established on the basis of OAM connection, it provides a link operation management mechanism such as link monitoring, remote fault detection and remote loopback testing, the simple introduction for EFM OAM in the following: 1. Ethernet OAM connection establishment Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs. EFM OAM can operate in two modes: active mode and passive mode. One session can only be established by the OAM entity working in the active mode and ones working in the passive mode need to wait until it receives the connection request. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs continuously to keep the valid Ethernet OAM connection. If an Ethernet OAM entity receives no Information OAMPDU for five seconds, the Ethernet OAM connection is disconnected. 2. Link Monitoring Fault detection in an Ethernet is difficult, especially when the physical connection in the network is not disconnected but network performance is degrading gradually. Link monitoring is used to detect and discover link faults in various environments. EFM OAM implements link monitoring through the exchange of Event Notification OAMPDUs. When detecting a link error event, the local OAM entity sends an Event Notification OAMPDU to notify the remote OAM entity. At the same time it will log information and send SNMP Trap to the network management system. While OAM entity on the other side receives the notification, it will also log and report it. With the log information, network administrators can keep track of network status in time. The link event monitored by EFM OAM means that the link happens the error event, including Errored symbol period event, Errored frame event, Errored frame period event, Errored frame seconds event. Errored symbol period event: The errored symbol number can not be less than the low threshold. (Symbol: the min data transmission unit of physical medium. It is unique for coding system, the symbols may be different for different physical mediums, symbol rate means the changed time of electron status per second. ) Errored frame period event: Specifying N is frame period, the errored frame number within the period of receiving N frames can not be less than the low threshold. (Errored frame: Receiving the errored frame detected by CRC.) Errored frame event: The number of detected error frames over M seconds can not be less than the low threshold. 14-41 Errored frame seconds event: The number of error frame seconds detected over M seconds can not be less than the low threshold. (Errored frame second: Receiving an errored frame at least in a second.) 3. Remote Fault Detection In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer. As Information OAMPDUs are exchanged continuously across established OAM connections, an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs. Therefore, the network administrator can keep track of link status in time through the log information and troubleshoot in time. There are three kinds of link faults for Information OAMPDU, they are Critical Event, Dying Gasp and Link Fault, and their definitions are different for each manufacturer, here the definitions are as below: Critical Event: EFM OAM function of port is disabled. Link Fault: The number of unidirectional operation or fault can not be less than the high threshold in local. Unidirectional Operation means unidirectional link can not work normally on full-duplex link without auto-negotiation. EFM OAM can detect the fault and inform the remote OAM peers through sending Information OAMPDU. Dying Gasp: There is no definition present. Although device does not generate Dying Gasp OAMPDU, it still receives and processes such OAMPDU sent by its peer. 4. Remote loopback testing Remote loopback testing is available only after an Ethernet OAM connection is established. With remote loopback enabled, operating Ethernet OAM entity in active mode issues remote loopback requests and the peer responds to them. If the peer operates in loopback mode, it returns all packets except Ethernet OAMPDUs to the senders along the original paths. Performing remote loopback testing periodically helps to detect network faults in time. Furthermore, performing remote loopback testing by network segments helps to locate network faults. Note: The communication will not be processed normally in remote loopback mode. 14-42 Shown below is the typical EFM OAM application topology. It is used for point-to-point link and emulational IEEE 802.3 point-to-point link. Device enables EFM OAM through point-to-point connection to monitor the link fault in the First Mile with Ethernet access. For user, the connection between user to telecommunication is “the First Mile”, for service provider, it is “the Last Mile”. Customer Service Provider Customer 802.3ah Ethernet in the First Mile CE 802.1ah OAMPDU PE Figure 14-2: Typical OAM application topology 14.2 EFM OAM Configuration EFM OAM configuration task list 1. Enable EFM OAM function of port 2. Configure link monitor 3. Configure remote failure Note: it needs to enable OAM first when configuring OAM parameters. 1. Enable EFM OAM function of port Command Explanation Port Mode Configure work mode of EFM OAM, ethernet-oam mode {active | passive} default is active mode. Enable EFM OAM of port, no ethernet-oam command disables EFM OAM of no ethernet-oam port. ethernet-oam period <seconds> Configure transmission period of no ethernet-oam period OAMPDU (optional), no command 14-43 restores the default value. Configure timeout of EFM OAM ethernet-oam timeout <seconds> connection, no command restores no ethernet-oam timeout the default value. 2. Configure link monitor Command Explanation Port Mode ethernet-oam link-monitor Enable link monitor of EFM OAM, no no ethernet-oam link-monitor command disables link monitor. ethernet-oam errored-symbol-period {threshold low <low-symbols> | window <seconds>} no ethernet-oam errored-symbol-period {threshold low | window } Configure the low threshold and window period of errored symbol period event, no command restores the default value. (optional) ethernet-oam errored-frame-period {threshold Configure the low threshold and low <low-frames> | window <seconds>} window period of errored frame no ethernet-oam errored-frame-period period event, no command restores {threshold low | window } the default value. ethernet-oam errored-frame {threshold low Configure the low threshold and <low-frames> | window <seconds>} window period of errored frame no ethernet-oam errored-frame {threshold low event, no command restores the | window } default value. (optional) ethernet-oam errored-frame-seconds {threshold low <low-frame-seconds> | window <seconds>} no ethernet-oam errored-frame-seconds {threshold low | window } 14-44 Configure the low threshold and window period of errored frame seconds event, no command restores the default value. (optional) 3. Configure remote failure Command Explanation Port Mode Enable remote failure detection of EFM OAM (failure means ethernet-oam remote-failure critical-event or link-fault event of the no ethernet-oam remote-failure local), no command disables the function. (optional) ethernet-oam errored-symbol-period Configure the high threshold of threshold high {high-symbols | none} errored symbol period event, no no ethernet-oam errored-symbol-period command restores the default value. threshold high (optional) ethernet-oam errored-frame-period threshold Configure the high threshold of high {high-frames | none} errored frame period event, no no ethernet-oam errored-frame-period command restores the default value. threshold high (optional) ethernet-oam errored-frame threshold high Configure the high threshold of {high-frames | none} errored frame event, no command no ethernet-oam errored-frame threshold high restores the default value. (optional) ethernet-oam errored-frame-seconds Configure the high threshold of threshold high {high-frame-seconds | none} errored frame seconds event, no no ethernet-oam errored-frame-seconds command restores the default value. threshold high (optional) 14.3 EFM OAM Example Example: CE and PE devices with point-to-point link enable EFM OAM to monitor “the First Mile” link performance. It will report the log information to network management system when occurring fault event and use remote loopback function to detect the link in necessary instance Figure 14-3: Typical OAM application topology 14-45 Configuration procedure: (Omitting SNMP and Log configuration in the following) Configuration on CE: CE(config)#interface ethernet1/1 CE (config-if-ethernet1/1)#ethernet-oam mode passive CE (config-if-ethernet1/1)#ethernet-oam CE (config-if-ethernet1/1)#ethernet-oam remote-loopback supported Other parameters use the default configuration. Configuration on PE: PE(config)#interface ethernet 1/1 PE (config-if-ethernet1/1)#ethernet-oam Other parameters use the default configuration. Execute the following command when using remote loopback. PE(config-if-ethernet1/1)#ethernet-oam remote-loopback Execute the following command to make one of OAM peers exiting OAM loopback after complete detection. PE(config-if-ethernet1/1)# no ethernet-oam remote-loopback Execute the following command without supporting remote loopback. CE(config-if-ethernet1/1)#no ethernet-oam remote-loopback supported 14.4 EFM OAM Troubleshooting When using EFM OAM, it occurs the problem, please check whether the problem is resulted by the following reasons: Check whether OAM entities of two peers of link in passive mode. If so, EFM OAM connection can not be established between two OAM entities. Ensuring SNMP configuration is correct, or else errored event can not be reported to network management system. Link does not normally communicate in OAM loopback mode, it should cancel remote loopback in time after detect the link performance. 14-46 Ensuring the used board supports remote loopback function. Port should not configure STP, MRPP, ULPP, Flow Control, loopback detection functions after it enables OAM loopback function, because OAM remote loopback function and these functions are mutually exclusive. 14-47 Chapter 15 PORT SECURITY 15.1 Introduction to PORT SECURITY Port security is a MAC address-based security mechanism for network access controlling. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of the received frame and the access to unauthorized devices by checking the destination MAC address of the sent frame. With port security, you can define various port security modes to make that a device learns only legal source MAC addresses, so as to implement corresponding network security management. After port security is enabled, the device detects an illegal frame, it triggers the corresponding port security feature and takes a pre-defined action automatically. This reduces user’s maintenance workload and greatly enhances system security. 15.2 PORT SECURITY Configuration Task List 1. Basic configuration for PORT SECURITY Command Explanation Port Mode switchport port-security Configure port-security of the no switchport port-security interface. switchport port-security mac-address <mac-address> [vlan <vlan-id>] Configure the static security no switchport port-security mac-address MAC of the interface. <mac-address> [vlan <vlan-id>] switchport port-security maximum <value> [vlan Configure the maximum <vlan-list>] number of the security MAC no switchport port-security maximum <value> [vlan address allowed by the <vlan-list>] interface. When exceeding the maximum number of the configured MAC switchport port-security violation {protect | restrict | shutdown} addresses, MAC address accessing the interface does not belongs to this interface in no switchport port-security violation MAC address table or a MAC address is configured to several interfaces in same 15-48 VLAN, both of them will violate the security of the MAC address. switchport port-security aging {static | time <value> | type {absolute | inactivity}} no switchport port-security violation aging {static | time | type} Enable port-security aging entry of the interface, specify aging time or aging type. Admin Mode clear port-security {all | configured | dynamic | sticky} [[address <mac-addr> | interface <interface-id>] [vlan <vlan-id> ]] Clear the secure MAC entry of the interface. show port-security [interface <interface-id>] Show port-security [address | vlan] configuration. 15.3 Example of PORT SECURITY Internet Figure 15-1: Typical topology chart for port security When the interface enables Port security function, configure the maximum number of the secure MAC addresses allowed by an interface to be 10, the interface allows 10 users to access the internet at most. If it exceeds the maximum number, the new user cannot access the internet, so that it not only limits the user’s number but also accesses the internet safely. If configuring the maximum number of the secure MAC addresses as 1, only HOST A or HOST B is able to access the internet. Configuration process: #Configure the switch. Switch(config)#interface Ethernet 1/1 Switch(config-if-ethernet1/1)#switchport port-security Switch(config-if- ethernet1/1)#switchport port-security maximum 10 Switch(config-if- ethernet1/1)#exit Switch(config)# 15-49 15.4 PORT SECURITY Troubleshooting If problems occur when configuring PORT SECURITY, please check whether the problem is caused by the following reasons: Check whether PORT SECURITY is enabled normally Check whether the valid maximum number of MAC addresses is configured 15-50 Chapter 16 DDM Configuration 16.1 Introduction to DDM 16.1.1 Brief Introduction to DDM DDM (Digital Diagnostic Monitor) makes the detailed digital diagnostic function standard in SFF-8472 MSA. It sets that the parameter signal is monitored and makes it to digitize on the circuit board of the inner module. After that, providing the demarcated result or the digitize measure result and the demarcated parameter which are saved in the standard memory framework, so as to expediently read by serial interface with double cables. Normally, intelligent fiber modules support Digital Diagnostic function. Network management unit is able to monitor the parameters (temperature, voltage, bias current, tx power and rx power) of the fiber module to obtain their thresholds and the real-time state of the current fiber module by the inner MCU of the fiber module. That is able to help the network management units to locate the fault in the fiber link, reduce the maintenance workload and enhance the system reliability. DDM applications are shown in the following: 1. Module lifetime forecast Monitoring the bias current is able to forecast the laser lifetime. Administrator is able to find some potential problems by monitoring voltage and temperature of the module. (1)High Vcc voltage will result in the breakdown CMOS, low Vcc voltage will result in the abnormity work. (2)High rx power will damage the receiving module, low rx power will result that the receiving module cannot work normally. (3)High temperature will result in the fast aging of the hardware. (4)Monitoring the received fiber power to monitor the capability of the link and the remote switch. 2. Fault location In fiber link, locating the fault is important to the fast overload of the service, fault isolation is able to help administrator to fast locate the location of the link fault within the module (local module or remote module) or on the link, it also reduce the time for restoring the fault of the system. Analyzing warning and alarm status of real-time parameters (temperature, voltage, bias current, tx power and rx power) can fast locate the fault through Digital Diagnostic function. Besides, the state of Tx Fault and Rx LOS is important for analyzing the fault. 16-51 3. Compatibility verification Compatibility verification is used to analyze whether the environment of the module accords the data manual or it is compatible with the corresponding standard, because the module capability is able to be ensured only in the compatible environment. Sometimes, environment parameters exceed the data manual or the corresponding standard, it will make the falling of the module capability that result in the transmission error. Environment is not compatible with the module are as below: (1)Voltage exceeds the set range (2)Rx power is overload or is under the sensitivity of the transceiver (3)Temperature exceeds the range of the running temperature SGS-6340-20S4C4X doesn’t support DDM function. 16.1.2 DDM Function DDM descriptions are shown in the following: 1. Show the monitoring information of the transceiver Administrator is able to know the current working state of the transceiver and find some potential problems through checking the real-time parameters (including TX power, RX power, Temperature, Voltage, Bias current) and querying the monitoring information (such as warning, alarm, real-time state and threshold, and so on). Besides, checking the fault information of the fiber module helps administrator to fast locate the link fault and saves the restored time. 2. Threshold defined by the user For real-time parameters (TX power, RX power, Temperature, Voltage, Bias current), there are fixed thresholds. Because the user’s environments are difference, the users is able to define the threshold (including high alarm, low alarm, high warn, low warn) to flexibly monitor the working state of the transceiver and find the fault directly. The thresholds configured by the user and the manufacturer can be shown at the same time. When the threshold defined by the user is irrational, it will prompt the user and automatically process alarm or warning according to the default threshold. (the user is able to restore all thresholds to the default thresholds or restore a threshold to the default threshold) Threshold rationality: high/low warn should be between high alarm and low alarm and high threshold should be higher than low threshold, namely, high alarm>= high warn>= low warn>= low alarm. 16-52 For fiber module, verification mode of the receiving power includes inner verification and outer verification which are decided by the manufacturer. Besides the verification mode of the real-time parameters and the default thresholds are same. 3. Transceiver monitoring Besides checking the real-time working state of the transceiver, the user needs to monitor the detailed status, such as the former abnormity time and the abnormity type. Transceiver monitoring helps the user to find the former abnormity status through checking the log and query the last abnormity status through executing the commands. When the user finds the abnormity information of the fiber module, the fiber module information may be remonitored after processing the abnormity information, here, the user is able to know the abnormity information and renew the monitoring. 16.2 DDM Configuration Task List DDM configuration task list: 1. Show the real-time monitoring information of the transceiver 2. Configure the alarm or warning thresholds of each parameter for the transceiver 3. Configure the state of the transceiver monitoring (1) Configure the interval of the transceiver monitoring (2) Configure the enable state of the transceiver monitoring (3) Show the information of the transceiver monitoring (4) Clear the information of the transceiver monitoring 1. Show the real-time monitoring information of the transceiver Command Explanation Admin and Global Mode show transceiver [interface ethernet Show the monitoring of the <interface-list>][detail] transceiver. 2. Configure the alarm or warning thresholds of each parameter for the transceiver Command Explanation Port Mode transceiver threshold {default | {temperature | voltage | bias | rx-power | tx-power} Set the threshold defined by the {high-alarm | low-alarm | high-warn | user. low-warn} {<value> | default}} 16-53 3. Configure the state of the transceiver monitoring (1) Configure the interval of the transceiver monitoring Command Explanation Global Mode Set the interval of the transceiver transceiver-monitoring interval <minutes> monitor. The no command sets the no transceiver-monitoring interval interval to be the default interval of 15 minutes. (2)Configure the enable state of the transceiver monitoring Command Explanation Port Mode Set whether the transceiver monitoring is enabled. Only the port enables the transceiver monitoring, transceiver-monitoring {enable | disable} the system records the abnormity state. After the port disables the function, the abnormity information will be clear. (3)Show the information of the transceiver monitoring Command Explanation Admin and Global Mode Show the information of the transceiver monitoring, including the show transceiver threshold-violation last threshold-violation information, [interface ethernet <interface-list>] the interval of the current transceiver monitoring and whether the port enables the transceiver monitoring. 16-54 (4)Clear the information of the transceiver monitoring Command Explanation Admin Mode clear transceiver threshold-violation [interface Clear the threshold violation of the ethernet <interface-list>] transceiver monitor. 16.3 Examples of DDM Example1: Ethernet 21 and Ethernet 23 are inserted the fiber module with DDM, Ethernet 24 is inserted the fiber module without DDM, Ethernet 22 does not insert any fiber module, show the DDM information of the fiber module. a、Show the information of all interfaces which can read the real-time parameters normally,(No fiber module is inserted or the fiber module is not supported, the information will not be shown), for example: Switch#show transceiver Interface Temp(℃) Voltage(V) Bias(mA) RX Power(dBM) TX Power (dBM) 1/21 33 3.31 6.11 -30.54(A-) -6.01 1/23 33 5.00(W+) 6.11 -20.54(W-) -6.02 b、Show the information of the specified interface. (N/A means no fiber module is inserted or does not support the fiber module), for example: Switch#show transceiver interface ethernet 1/21-22;23 Interface Temp(℃) Voltage(V) Bias(mA) RX Power(dBM) 1/21 33 3.31 6.11 1/22 N/A N/A N/A 1/23 33 5.00(W+) 6.11 -30.54(A-) TX Power(dBM) -6.01 N/A N/A -20.54(W-) -6.02 c、Show the detailed information, including base information, parameter value of the real-time monitoring, warning, alarm, abnormity state and threshold information, for example: Switch#show transceiver interface ethernet 1/21-22;24 detail Ethernet 1/21 transceiver detail information: Base information: 16-55 SFP found in this port, manufactured by company, on Sep 29 2010. Type is 1000BASE-SX, Link length is 550 m for 50um Multi-Mode Fiber. Link length is 270 m for 62.5um Multi-Mode Fiber. Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm. Brief alarm information: RX loss of signal Voltage high RX power low Detail diagnostic and threshold information: Diagnostic Realtime Value -------------- Threshold High Alarm Low Alarm ----------- ----------- High Warn ------------ Low Warn --------- Temperature(℃) 33 70 0 70 0 Voltage(V) 7.31(A+) 5.00 0.00 5.00 0.00 Bias current(mA) 6.11(W+) 10.30 0.00 5.00 0.00 RX Power(dBM) -30.54(A-) 9.00 -25.00 9.00 -25.00 TX Power(dBM) -6.01 9.00 -25.00 9.00 -25.00 Ethernet 1/22 transceiver detail information: N/A Ethernet 1/24 transceiver detail information: Base information: SFP found in this port, manufactured by company, on Sep 29 2010. Type is 1000BASE-SX, Link length is 550 m for 50um Multi-Mode Fiber. Link length is 270 m for 62.5um Multi-Mode Fiber. Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm. Brief alarm information: N/A Detail diagnostic and threshold information: N/A Example 2: Ethernet 21 is inserted the fiber module with DDM. Configure the threshold of the fiber module after showing the DDM information. Step 1: Show the detailed DDM information. Switch#show transceiver interface ethernet 1/21 detail Ethernet 1/21 transceiver detail information: Base information: …… Brief alarm information: 16-56 RX loss of signal Voltage high RX power low Detail diagnostic and threshold information: Diagnostic Realtime Value Threshold High Alarm Low Alarm -------------- ----------- High Warn ----------- Low Warn ------------ --------- Temperature(℃) 33 70 0 70 0 Voltage(V) 7.31(A+) 5.00 0.00 5.00 0.00 Bias current(mA) 6.11(W+) 10.30 0.00 5.00 0.00 RX Power(dBM) -30.54(A-) 9.00 -25.00 9.00 -25.00 TX Power(dBM) -13.01 9.00 -25.00 9.00 -25.00 Step 2: Configure the tx-power threshold of the fiber module, the low-warning threshold is -12, the low-alarm threshold is -10.00. Switch#config Switch(config)#interface ethernet 1/21 Switch(config-if-ethernet1/21)#transceiver threshold tx-power low-warning -12 Switch(config-if-ethernet1/21)#transceiver threshold tx-power low-alarm -10.00 Step 3: Show the detailed DDM information of the fiber module. The alarm uses the threshold configured by the user, the threshold configured by the manufacturer is labeled with the bracket. There is the alarm with ‘A-’ due to -13.01 is less than -12.00. Switch#show transceiver interface ethernet 1/21 detail Ethernet 1/21 transceiver detail information: Base information: …… Brief alarm information: RX loss of signal Voltage high RX power low TX power low Detail diagnostic and threshold information: Diagnostic Realtime Value -------------Temperature(℃) 33 Threshold High Alarm Low Alarm ----------70 16-57 ----------0 High Warn ---------70 Low Warn --------0 Voltage(V) 7.31(A+) 5.00 Bias current(mA) 6.11(W+) 10.30 RX Power(dBM) -30.54(A-) 9.00 TX Power(dBM) -13.01(A-) 9.00 0.00 5.00 0.00 0.00 5.00 0.00 -25.00 9.00 -25.00 -12.00(-25.00) 9.00 -10.00(-25.00) Example 3: Ethernet 21 is inserted the fiber module with DDM. Enable the transceiver monitoring of the port after showing the transceiver monitoring of the fiber module. Step 1: Show the transceiver monitoring of the fiber module. Both ethernet 21 and ethernet 22 do not enable the transceiver monitoring, its interval is set to 30 minutes. Switch(config)#show transceiver threshold-violation interface ethernet 1/21-22 Ethernet 1/21 transceiver threshold-violation information: Transceiver monitor is disabled. Monitor interval is set to 30 minutes. The last threshold-violation doesn’t exist. Ethernet 1/22 transceiver threshold-violation information: Transceiver monitor is disabled. Monitor interval is set to 30 minutes. The last threshold-violation doesn’t exist. Step 2: Enable the transceiver monitoring of ethernet 21. Switch(config)#interface ethernet 1/21 Switch(config-if-ethernet1/21)#transceiver-monitoring enable Step 3: Show the transceiver monitoring of the fiber module. In the following configuration, ethernet 21 enabled the transceiver monitoring, the last threshold-violation time is Jan 02 11:00:50 2011, the detailed DDM information exceeding the threshold is also shown. Switch(config-if-ethernet1/21)#quit Switch(config)#show transceiver threshold-violation interface ethernet 1/21-22 Ethernet 1/21 transceiver threshold-violation information: Transceiver monitor is enabled. Monitor interval is set to 30 minutes. The current time is Jan 02 12:30:50 2011. The last threshold-violation time is Jan 02 11:00:50 2011. Brief alarm information: RX loss of signal RX power low Detail diagnostic and threshold information: 16-58 Diagnostic Threshold Realtime Value High Alarm ------------ Low Alarm ----------- ----------- High Warn ------------ Low Warn --------- Temperature(℃) 33 70 0 70 0 Voltage(V) 7.31 10.00 0.00 5.00 0.00 Bias current(mA) 3.11 10.30 0.00 5.00 0.00 RX Power(dBM) -30.54(A-) 9.00 -25.00(-34) 9.00 -25.00 TX Power(dBM) -1.01 -12.05 9.00 -10.00 9.00 Ethernet 1/22 transceiver threshold-violation information: Transceiver monitor is disabled. Monitor interval is set to 30 minutes. The last threshold-violation doesn’t exist. 16.4 DDM Troubleshooting If problems occur when configuring DDM, please check whether the problem is caused by the following reasons: Ensure that the transceiver of the fiber module has been inserted fast on the port, or else DDM configuration will not be shown. Ensure that SNMP configuration is valid, or else the warning event cannot inform the network management system. Because only some boards and box switches support SFP with DDM or XFP with DDM, ensure the used board and switch support the corresponding function. When using show transceiver command or show transceiver detail command, it cost much time due to the switch will check all ports, so it is recommended to query the monitoring information of the transceiver on the specified port. Ensure the threshold defined by the user is valid. When any threshold is error, the transceiver will give an alarm according to the default setting automatically. 16-59 Chapter 17 LLDP-MED 17.1 Introduction to LLDP-MED LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) based on 802.1AB LLDP (Link Layer Discovery Protocol) of IEEE. LLDP provides a standard link layer discovery mode, it sends local device information (including its major capability, management IP address, device ID and port ID) as TLV (type/length/value) triplets in LLDPDU (Link Layer Discovery Protocol Data Unit) to the direct connection neighbors. The device information received by the neighbors will be stored with a standard management information base (MIB). This allows a network management system to quickly detect and identify the communication status of the link. In 802.1AB LLDP, there is no transmission and management about the voice device information. To deploy and manage voice device expediently, LLDP-MED TLVs provide multiple information, such as PoE (Power over Ethernet), network policy, and the location information of the emergent telephone service. 17.2 LLDP-MED Configuration Task Sequence 1. Basic LLDP-MED configuration Command Explanation Port Mode Configure the specified port to lldp transmit med tlv all send all LLDP-MED TLVs. The no lldp transmit med tlv all no command disables the function. Configure the specified port to lldp transmit med tlv capability send LLDP-MED Capability no lldp transmit med tlv capability TLV. The no command disables the capability. Configure the specified port to lldp transmit med tlv networkPolicy send LLDP-MED Network no lldp transmit med tlv networkPolicy Policy TLV. The no command disables the capability. Configure the specified port to lldp transmit med tlv extendPoe send LLDP-MED Extended no lldp transmit med tlv extendPoe Power-Via-MDI TLV. The no 17-60 command disables the capability. Configure the port to send LLDP-MED Inventory lldp transmit med tlv inventory Management TLVs. The no no lldp transmit med tlv inventory command disables the capability. network policy {voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | Configure network policy of the video-signaling} [status {enable | disable}] [tag port, including VLAN ID, the {tagged | untagged}] [vid {<vlan-id> | dot1p}] [cos supported application (such as <cos-value>] [dscp <dscp-value> ] voice and video), the no network policy {voice | voice-signaling | application priority and the guest-voice | guest-voice-signaling | used policy, and so on. softphone-voice | video-conferencing | streamingvideo | video-signaling} Configure device type and country code of the location civic location {dhcp server | switch | endpointDev} <country-code> with Civic Address LCI format and enter Civic Address LCI address mode. The no no civic location command cancels all configurations of the location with Civic Address LCI format. Configure the location with ecs location <tel-number> ECS ELIN format on the port, no ecs location the no command cancels the configured location. Enable or disable LLDP-MED lldp med trap {enable | disable} trap for the specified port. Civic Address LCI address Mode {description-language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo} <address> no {description-language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo} Global Mode 17-61 Configure the detailed address after enter Civic Address LCI address mode of the port. When the fast LLDP-MED startup mechanism is enabled, it needs to fast send the LLDP lldp med fast count <value> packets with LLDP-MED TLV, no lldp med fast count this command is used to set the value of the fast sending packets, the no command restores the default value. Admin Mode Show the configuration of the show lldp global LLDP and LLDP-MED. Show the configuration of show lldp [interface ethernet <IFNAME>] LLDP and LLDP-MED on the current port. show lldp neighbors [interface ethernet <IFNAME>] Show LLDP and LLDP-MED configuration of the neighbors. 17.3 LLDP-MED Example Figure 17-1: Basic LLDP-MED configuration topology 1) Configure Switch A SwitchA(config)#interface ethernet1/1 SwitchA (Config-If-Ethernet1/1)# lldp enable SwitchA (Config-If-Ethernet1/1)# lldp mode both(this configuration can be omitted, the default mode is RxTx) 17-62 SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv capability SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv network policy SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv inventory SwitchB (Config-If-Ethernet1/1)# network policy voice tag tagged vid 10 cos 5 dscp 15 SwitchA (Config-If-Ethernet1/1)# exit SwitchA (config)#interface ethernet1/2 SwitchA (Config-If-Ethernet1/2)# lldp enable SwitchA (Config-If-Ethernet1/2)# lldp mode both 2) Configure Switch B SwitchB (config)#interface ethernet1/1 SwitchB(Config-If-Ethernet1/1)# lldp enable SwitchB (Config-If-Ethernet1/1)# lldp mode both SwitchB (Config-If-Ethernet1/1)# lldp transmit med tlv capability SwitchB (Config-If-Ethernet1/1)# lldp transmit med tlv network policy SwitchB (Config-If-Ethernet1/1)# lldp transmit med tlv inventory SwitchB (Config-If-Ethernet1/1)# network policy voice tag tagged vid 10 cos 4 3) Verify the configuration # Show the global status and interface status on Switch A. SwitchA# show lldp neighbors interface ethernet 1/1 Port name : Ethernet1/1 Port Remote Counter : 1 TimeMark :20 ChassisIdSubtype :4 ChassisId :00-30-4f-00-00-02 PortIdSubtype :Local PortId :1 PortDesc :**** SysName :**** SysDesc :***** SysCapSupported :4 SysCapEnabled :4 LLDP MED Information : 17-63 MED Codes: (CAP)Capabilities, (NP) Network Policy (LI) Location Identification, (PSE)Power Source Entity (PD) Power Device, (IN) Inventory MED Capabilities:CAP,NP,PD,IN MED Device Type: Endpoint Class III Media Policy Type :Voice Media Policy :Tagged Media Policy Vlan id :10 Media Policy Priority :3 Media Policy Dscp :5 Power Type : PD Power Source :Primary power source Power Priority :low Power Value :15.4 (Watts) Hardware Revision: Firmware Revision:4.0.1 Software Revision:6.2.30.0 Serial Number: Manufacturer Name:**** Model Name:Unknown Assert ID:Unknown IEEE 802.3 Information : auto-negotiation support: Supported auto-negotiation support: Not Enabled PMD auto-negotiation advertised capability: 1 operational MAU type: 1 SwitchA# show lldp neighbors interface ethernet 1/2 Port name : interface ethernet 1/2 Port Remote Counter:1 Neighbor Index: 1 Port name : Ethernet1/2 Port Remote Counter : 1 TimeMark :20 ChassisIdSubtype :4 ChassisId :00-30-4f-00-00-02 PortIdSubtype :Local PortId :1 17-64 PortDesc :Ethernet1/1 SysName :**** SysDesc :***** SysCapSupported :4 SysCapEnabled :4 Explanation: 1) Both Ethernet2 of switch A and Ethernet1 of switch B are the ports of network connection device, they will not send LLDP packets with MED TLV information forwardly. Although configure Ethernet1 of switch B to send MED TLV information, it will not send the related MED information, that results the corresponding Remote table without the related MDE information on Ethernet2 of switch A. 2) LLDP-MED device is able to send LLDP packets with MED TLV forwardly, so the corresponding Remote table with LLDP MED information on Ethernet1 of switch A. 17.4 LLDP-MED Troubleshooting If problems occur when configuring LLDP-MED, please check whether the problem is caused by the following reasons: Check whether the global LLDP is enabled. Only network connection device received LLDP packets with LLDP-MED TLV from the near MED device, it sends LLDP-MED TLV. If network connection device configured the command for sending LLDP-MED TLV, the packets also without LLDP-MED TLV sent by the port, that means no MED information is received and the port does not enable the function for sending LLDP-MED information. If neighbor device has sent LLDP-MED information to network connection device, but there is no LLDP-MED information by checking show lldp neighbors command, that means LLDP-MED information sent by neighbor is error. Chapter 18 bpdu-tunnel Configuration 18.1 Introduction to bpdu-tunnel BPDU Tunnel is a Layer 2 tunnel technology. It allows Layer 2 protocol packets of geographically dispersed private network users to be transparently transmitted over specific tunnels across a service provider network. 18-65 18.1.1 bpdu-tunnel function In MAN application, multi-branches of a corporation may connect with each other by the service provider network. VPN provided by the service provider enables the geographically dispersed networks to form a local LAN, so the service provider needs to provide the tunnel function, namely, data information generated by user’s network is able to arrive at other networks of the same corporation through the service provider network. To maintain a local concept, it not only needs to transmit the data within the user’s private network across the tunnel, but also transmit layer 2 protocol packets within the user’s private network. 18.1.2 Background of bpdu-tunnel Special lines are used in a service provider network to build user-specific Layer 2 networks. As a result, a user network is broken down into parts located at different sides of the service provider network. As shown in Figure, User A has two devices (CE 1 and CE 2) and both devices belong to the same VLAN. User’s network is divided into network 1 and network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot implement the passthrough across the service provider network, the user’s network cannot process independent Layer 2 protocol calculation (for example, spanning tree calculation), so they affect each other. Figure 18-1: BPDU Tunnel application 18.2 bpdu-tunnel Configuration Task List bpdu-tunnel configuration task list: 1. Configure tunnel MAC address globally 2. Configure the port to support the tunnel 18-66 1. Configure tunnel MAC address globally Command Explanation Global Mode bpdu-tunnel {stp|gvrp|dot1x} Enable to support the tunnel, the no no bpdu-tunnel {stp|gvrp|dot1x} command disables the function. 2. Configure the port to support the tunnel Command Explanation Port Mode Enable the port to support the tunnel, bpdu-tunnel {stp|gvrp|dot1x} the no command disables the no bpdu-tunnel {stp|gvrp|dot1x} function. 18.3 Examples of bpdu-tunnel Special lines are used in a service provider network to build user-specific Layer 2 networks. As a result, a user network is broken down into parts located at different sides of the service provider network. As shown in Figure, User A has two devices (CE 1 and CE 2) and both devices belong to the same VLAN. User’s network is divided into network 1 and network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot implement the passthrough across the service provider network, the user’s network cannot process independent Layer 2 protocol calculation (for example, spanning tree calculation), so they affect each other. Figure 18-2: BPDU Tunnel application environment 18-67 With BPDU Tunnel, Layer 2 protocol packets from user’s networks can be passed through over the service provider network in the following work flow: 1. After receiving a Layer 2 protocol packet from network 1 of user A, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network. 2. The encapsulated Layer 2 protocol packet (called BPDU Tunnel packet) is forwarded to PE 2 at the other end of the service provider network, which de-encapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to network 2 of user A. bpdu-tunnel configuration of edge switches PE1 and PE2 in the following: PE1 configuration: PE1(config)# bpdu-tunnel dmac 01-02-03-04-05-06 PE1(config-if-ethernet1/1)# bpdu-tunnel stp PE1(config-if-etherne1/1)# bpdu-tunnel lacp PE1(config-if-ethernet1/1)# bpdu-tunnel uldp PE1(config-if-ethernet1/1)# bpdu-tunnel gvrp PE1(config-if-ethernet1/1)# bpdu-tunnel dot1x PE2 configuration: PE2(config)# bpdu-tunnel dmac 01-02-03-04-05-06 PE2(config-if-ethernet1/1)# bpdu-tunnel stp PE2(config-if-ethernet1/1)# bpdu-tunnel lacp PE2(config-if-ethernet1/1)# bpdu-tunnel uldp PE2(config-if-ethernet1/1)# bpdu-tunnel gvrp PE2(config-if-ethernet1/1)# bpdu-tunnel dot1x 18.4 bpdu-tunnel Troubleshooting After port disables stp, gvrp, uldp, lacp and dot1x functions, it is able to configure bpdu-tunnel function. 18-68 Chapter 19 EEE Energy-saving Configuration 19.1 Introduction to EEE Energy-saving eee is Energy Efficient Ethernet. After the port is enabled this function, switch will detect the port state automatically. If the port is free and there is no data transmission, this port will change to the power saving mode and it will cut down the power of the port to save the energy. 19.2 EEE Energy-saving configuration List 1. Enable EEE energy-saving function Command Explanation Port Mode Enable the energy-saving function of the port; the no eee enable command disables the no eee enable energy-saving function of the port. 19.3 EEE Energy-saving Typical Examples Case:Configure the port 1 of switch as saving mode. Below is the configuration steps: Switch(config-if-ethernet1/1)# eee enable 19-69 Chapter 20 VLAN Configuration 20.1 VLAN Configuration 20.1.1 Introduction to VLAN VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network to separate network segments based on functions, applications or management requirements. By this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.1Q protocol to direct the standardized VLAN implementation, and the VLAN function of switch is implemented following IEEE 802.1Q. The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands. Switch Switch Switch VLAN1 Server VLAN2 Server PC VLAN3 Server PC PC PC Laser Printer PC Figure 20-1: A VLAN network defined logically Each broadcast domain is a VLAN. VLANs have the same properties as the physical LANs, except VLAN is a logical partition rather than physical one. Therefore, the partition of VLANs can be performed regardless of physical locations, and the broadcast, multicast and unicast traffic within a VLAN is separated from the other VLANs. With the aforementioned features, VLAN technology provides us with the following conveniences: Improving network performance 20-70 Saving network resources Simplifying network management Lowering network cost Enhancing network security Switch Ethernet Ports can work in three kinds of modes: Access, Hybrid and Trunk with each mode having a different processing method in forwarding the packets with tagged or untagged. The ports of Access type only belong to one VLAN, usually they are used to connect the ports of the computer. The ports of Trunk type allow multi-VLANs to pass, receive and send the packets of multi-VLANs. Usually they are used to connect between the switches. The ports of Hybrid type allow multi-VLANs to pass, receive and send the packets of multi-VLANs. They can be used to connect between the switches, or to a computer of the user. Hybrid ports and Trunk ports receive the data with the same process method, but send the data with a different method: Hybrid ports can send the packets of multi-VLANs without the VLAN tag, while Trunk ports send the packets of multi-VLANs with the VLAN tag except the port native VLAN. The switch implements VLAN and GVRP (GARP VLAN Registration Protocol) which are defined by 802.1Q. The chapter will explain the use and the configuration of VLAN and GVRP in details. 20.1.2 VLAN Configuration Task List 1. Create or delete VLAN 2. Set or delete VLAN name 3. Assign Switch ports for VLAN 4. Set the switch port type 5. Set Trunk port 6. Set Access port 7. Set Hybrid port 8. Enable/Disable VLAN ingress rules globally 9. Configure Private VLAN 10. Set Private VLAN association 11. Specify internal VLAN ID 20-71 1. Create or delete VLAN Command Explanation Global Mode vlan WORD Create/delete VLAN or enter VLAN Mode no vlan WORD 2. Set or delete VLAN name Command Explanation VLAN Interface Mode name <vlan-name> Set or delete VLAN name. no name 3. Assigning Switch ports for VLAN Command Explanation VLAN Interface Mode switchport interface etherent Assign Switch ports to VLAN. <interface-list> no switchport interface <interface-list> 4. Set the Switch Port Type Command Explanation Port Mode switchport mode {trunk | access | hybrid} Set the current port as Trunk, Access or Hybrid port. 5. Set Trunk port Command Explanation Port Mode switchport trunk allowed vlan {WORD | all | add WORD | except WORD | remove Set/delete VLAN allowed to be crossed by Trunk. The “no” command restores WORD} the default setting. no switchport trunk allowed vlan 20-72 switchport trunk native vlan <vlan-id> Set/delete PVID for Trunk port. no switchport trunk native vlan 6. Set Access port Command Explanation Port Mode Add the current port to the specified switchport access vlan <vlan-id> VLAN. The “no” command restores the no switchport access vlan default setting. 7. Set Hybrid port Command Explanation Port Mode switchport hybrid allowed vlan {WORD | all | add WORD | except WORD | remove Set/delete the VLAN which is allowed by WORD} {tag | untag} Hybrid port with tag or untag mode. no switchport hybrid allowed vlan switchport hybrid native vlan <vlan-id> no switchport hybrid native vlan Set/delete PVID of the port. 8. Disable/Enable VLAN Ingress Rules Command Explanation Port Mode vlan ingress enable Enable/Disable VLAN ingress rules. no vlan ingress enable 9. Configure Private VLAN Command Explanation VLAN Interface Mode private-vlan {primary | isolated | Configure current VLAN to Private VLAN. community} The no command deletes private VLAN. no private-vlan 20-73 10. Set Private VLAN association Command Explanation VLAN Interface Mode private-vlan association Set/delete Private VLAN association. <secondary-vlan-list> no private-vlan association 11. Specify internal VLAN ID Command Explanation Global Mode Specify internal VLAN ID. vlan <2-4094> internal 20-74 20.1.3 Typical VLAN Application Scenario: VLAN100 VLAN2 VLAN200 PC Workstation Workstation PC PC PC Switch A Trunk Link Switch B PC PC VLAN2 PC Workstation VLAN100 Workstation PC VLAN200 Figure 20-2: Typical VLAN Application Topology The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. Those three VLANs cross two different locations A and B. One switch is placed in each site, and cross-location requirement can be met if VLAN traffic can be transferred between the two switches. Configuration Item Configuration description VLAN2 Site A and site B switch port 2-4. VLAN100 Site A and site B switch port 5-7. VLAN200 Site A and site B switch port 8-10. Trunk port Site A and site B switch port 11. Connect the Trunk ports of both switches for a Trunk link to convey the cross-switch VLAN traffic; connect all network devices to the other ports of corresponding VLANs. In this example, port 1 and port 12 are spared and can be used for management port or for other purposes. The configuration steps are listed below: 20-75 Switch A: Switch(config)#vlan 2 Switch(Config-Vlan2)#switchport interface ethernet 1/2-4 Switch (Config-Vlan2)#exit Switch (config)#vlan 100 Switch (Config-Vlan100)#switchport interface ethernet 1/5-7 Switch (Config-Vlan100)#exit Switch (config)#vlan 200 Switch (Config-Vlan200)#switchport interface ethernet 1/8-10 Switch (Config-Vlan200)#exit Switch (config)#interface ethernet 1/11 Switch (Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)#exit Switch(config)# Switch B: Switch(config)#vlan 2 Switch(Config-Vlan2)#switchport interface ethernet 1/2-4 Switch (Config-Vlan2)#exit Switch (config)#vlan 100 Switch (Config-Vlan100)#switchport interface ethernet 1/5-7 Switch (Config-Vlan100)#exit Switch (config)#vlan 200 Switch (Config-Vlan200)#switchport interface ethernet 1/8-10 Switch (Config-Vlan200)#exit Switch (config)#interface ethernet 1/11 Switch (Config-If-Ethernet1/11)#switchport mode trunk Switch (Config-If-Ethernet1/11)#exit 20-76 20.1.4 Typical Application of Hybrid Port Scenario: internet Switch A Switch B PC1 PC2 Figure 20-3: Typical Application of Hybrid Port PC1 connects to the interface Ethernet 1/7 of Switch B; PC2 connects to the interface Ethernet 1/9 of Switch B; Ethernet 1/10 of Switch A connects to Ethernet 1/10 of Switch B. It is required that PC1 and PC2 cannot mutually access due to reason of the security, but PC1 and PC2 can access other network resources through the gateway Switch A. We can implement this status through Hybrid port. Configuration items are as follows: Port Port 1/10 of Switch A Type Access PVID 10 the VLANs are allowed to pass Allow the packets of VLAN 10 to pass with untag method. Port 1/10 of Switch B Hybrid 10 Allow the packets of VLAN 7, 9, 10 to pass with untag method. Port 1/7 of Switch B Hybrid 7 Allow the packets of VLAN 7, 10 to pass with untag method. Port 1/9 of Switch B Hybrid 9 Allow the packets of VLAN 9, 10 to pass with untag method. 20-77 The configuration steps are listed below: Switch A: Switch(config)#vlan 10 Switch(Config-Vlan10)#switchport interface ethernet 1/10 Switch B: Switch(config)#vlan 7;9;10 Switch(config)#interface ethernet 1/7 Switch(Config-If-Ethernet1/7)#switchport mode hybrid Switch(Config-If-Ethernet1/7)#switchport hybrid native vlan 7 Switch(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag Switch(Config-If-Ethernet1/7)#exit Switch(Config)#interface Ethernet 1/9 Switch(Config-If-Ethernet1/9)#switchport mode hybrid Switch(Config-If-Ethernet1/9)#switchport hybrid native vlan 9 Switch(Config-If-Ethernet1/9)#switchport hybrid allowed vlan 9;10 untag Switch(Config-If-Ethernet1/9)#exit Switch(Config)#interface Ethernet 1/10 Switch(Config-If-Ethernet1/10)#switchport mode hybrid Switch(Config-If-Ethernet1/10)#switchport hybrid native vlan 10 Switch(Config-If-Ethernet1/10)#switchport hybrid allowed vlan 7;9;10 untag Switch(Config-If-Ethernet1/10)#exit 20.2 Dot1q-tunnel Configuration 20.2.1 Introduction to Dot1q-tunnel Dot1q-tunnel is also called Q-in-Q (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) to the service provider VLAN tag (SPVLAN tag). Carrying the two VLAN tags the packet is transmitted through the backbone network of the ISP internet, so as to provide a simple Layer 2 tunnel for the users. It is simple and easy to manage, applicable only by static configuration, and especially adaptive to small office network or small scale metropolitan area network using Layer 3 switch as backbone equipment. 20-78 On the customer port Trunk VLAN 200-300 Unsymmetrical CE1 connection PE1 Customer network 1 This port on PE1 is enabled Q-in-Q and belong to VLAN3 SP network Trunk connection P Trunk connection PE2 This port on PE1 is enabled Q-in-Q and belong to VLAN3 CE2 Unsymmetrical Customer connection network 2 On the customer port Trunk VLAN 200-300 Figure 20-4: Dot1q-tunnel based Internetworking mode As shown in above, after being enabled on the user port, dot1q-tunnel assigns each user an SPVLAN identification (SPVID). Here the identification of user is 3. The same SPVID should be assigned to the same network user on different PEs. When packet reaches PE1 from CE1, it carries the VLAN tag 200-300 of the user internal network. Since the dot1q-tunnel function is enabled, the user port on PE1 will add on the packet another VLAN tag, of which the ID is the SPVID assigned to the user. Afterwards, the packet will only be transmitted in VLAN3 when traveling in the ISP internet network while carrying two VLAN tags (the inner tag is added when entering PE1, and the outer is SPVID), whereas the VLAN information of the user network is open to the provider network. When the packet reaches PE2 and before being forwarded to CE2 from the client port on PE2, the outer VLAN tag is removed, then the packet CE2 received is absolutely identical to the one sent by CE1. For the user, the role the operator network plays between PE1 and PE2, is to provide a reliable Layer 2 link. The technology of Dot1q-tuunel provides the ISP internet the ability of supporting many client VLANs by only one VLAN of themselves. Both the ISP internet and the clients can configure their own VLAN independently. It is obvious that the dot1q-tunnel function has got the following characteristics: Applicable through simple static configuration, no complex configuration or maintenance is needed. Operators will only have to assign one SPVID for each user, which increases the number of concurrent supportable users while the users has got the ultimate freedom in selecting and managing the VLAN IDs (select within 1~4094 at users’ will). The user network is considerably independent. When the ISP internet is upgrading 20-79 their network, the user networks do not have to change their original configuration. Detailed description on the application and configuration of dot1q-tunnel will be provided in this section. 20.2.2 Dot1q-tunnel Configuration Configuration Task Sequence of Dot1q-Tunnel: 1. Configure the dot1q-tunnel function on port 2. Configure the global protocol type (TPID) 1. Configure the dot1q-tunnel function on port Command Explanation Port Mode dot1q-tunnel enable Enter/exit the dot1q-tunnel mode on the no dot1q-tunnel enable port. 2. Configure the global protocol type (TPID) Command Explanation Global Mode dot1q-tunnel tpid Configure the global protocol type. {0x8100|0x9100|0x9200|<1-65535>} 20.2.3 Typical Applications of the Dot1q-tunnel Scenario: Edge switches PE1 and PE2 of the ISP internet forward the VLAN200~300 data between CE1 and CE2 of the client network with VLAN3. The port1 of PE1 is connected to CE1, port10 is connected to public network and the TPID of the connected equipment is 9100; port1 of PE2 is connected to CE2 and port10 is connected to public network. Configuration Configuration Explanation Item VLAN3 Port1 of PE1 and PE2. dot1q-tunnel Port1 of PE1 and PE2. tpid 9100 20-80 Configuration procedure is as follows: PE1: Switch(config)#vlan 3 Switch(Config-Vlan3)#switchport interface ethernet 1/1 Switch(Config-Vlan3)#exit Switch(Config)#interface ethernet 1/1 Switch(Config-Ethernet1/1)# dot1q-tunnel enable Switch(Config-Ethernet1/1)# exit Switch(Config)#interface ethernet 1/10 Switch(Config-Ethernet1/10)#switchport mode trunk Switch(Config-Ethernet1/10)#exit Switch(config)#dot1q-tunnel tpid 0x9100 Switch(Config)# PE2: Switch(config)#vlan 3 Switch(Config-Vlan3)#switchport interface ethernet 1/1 Switch(Config-Vlan3)#exit Switch(Config)#interface ethernet 1/1 Switch(Config-Ethernet1/1)# dot1q-tunnel enable Switch(Config-Ethernet1/1)# exit Switch(Config)#interface ethernet 1/10 Switch(Config-Ethernet1/10)#switchport mode trunk Switch(Config-Ethernet1/10)#exit Switch(config)#dot1q-tunnel tpid 0x9100 Switch(Config)# 20.2.4 Dot1q-tunnel Troubleshooting Enabling dot1q-tunnel on Trunk port will make the tag of the data packet unpredictable which is not required in the application. So it is not recommended to enable dot1q-tunnel on Trunk port. Enabled with STP/MSTP is not supported. 20-81 20.3 Selective Q-in-Q Configuration 20.3.1 Introduction to Selective Q-in-Q Selective Q-in-Q is an enhanced application for dot1q tunnel function. It is able to tag packets (they are received by the same port) with different outer VLAN tags based on different inner VLAN tags according to user’s requirement, so it is able to implement packets of different types assigned to different VLANs by selecting different transmission paths. 20.3.2 Selective Q-in-Q Configuration Selective Q-in-Q Configuration Task List: 1. Configure the port mapping relation between the inner tag and the outer tag 2. Configure selective Q-in-Q of port 1. Configure the port mapping relation between the inner tag and the outer tag Command Explanation Port Mode dot1q-tunnel selective s-vlan <s-vid> Configure/delete the port mapping c-vlan <c-vid-list> no dot1q-tunnel selective s-vlan <s-vid> c-vlan <c-vid-list> relation of the inner tag and the outer tag for selective Q-in-Q. 2. Configure selective Q-in-Q of port Command Explanation Port Mode dot1q-tunnel selective enable Enable/disable selective Q-in-Q of the no dot1q-tunnel selective enable port. 20-82 20.3.3 Typical Applications of Selective Q-in-Q Figure 20-5: Selective Q-in-Q application 1. Ethernet1/1 of Switch A provides public network access for PC users and Ethernet 1/2 of Switch A provides public network access for IP phone users. PC users belong to VLAN 100 through VLAN 200, and IP phone users belong to VLAN 201 through VLAN 300. Ethernet 1/9 of Switch A is connected to the public network. 2. Ethernet1/1 and Ethernet1/2 of Switch B provide network access for PC users belonging to VLAN 100 through VLAN 200 and IP phone users belonging to VLAN 201 through VLAN 300 respectively. Ethernet 1/9 is connected to the public network. 3. The public network permits packets of VLAN 1000 and VLAN 2000 to pass. 4. Enable the selective Q-in-Q on Ethernet1/1 and Ethernet1/2 ports of Switch A and Switch B respectively. Packets of VLAN 100 through VLAN 200 are tagged with the tag of VLAN 1000 as the outer VLAN tag on Ethernet1/1, and packets of VLAN 201 through VLAN 300 are tagged with the tag of VLAN 2000 as the outer VLAN tag on Ethernet1/2. Steps of configuration: # Create VLAN 1000 and VLAN 2000 on SwitchA. switch(config)#vlan 1000;2000 # Configure Ethernet1/1 as a hybrid port and configure it to remove VLAN tags when forwarding packets of VLAN 1000. 20-83 switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag # Configure the mapping rules for selective Q-in-Q on Ehernet1/1 to insert VLAN 1000 tag as the outer VLAN tag in packets with the tags of VLAN 100 through VLAN 200. switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200 # Enable selective Q-in-Q on Ethernet1/1. switch(config-if-ethernet1/1)#dot1q-tunnel selective enable # Configure Ethernet 1/2 as a hybrid port and configure it to remove VLAN tags when forwarding packets of VLAN 2000. switch(config-if-ethernet1/2)#switchport mode hybrid switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 2000 untag # Configure mapping rules for selective Q-in-Q on Ehernet1/2 to insert VLAN 2000 tag as the outer VLAN tag in packets with the tags of VLAN 201 through VLAN 300. switch(config-if-ethernet1/2)#dot1q-tunnel selective s-vlan 2000 c-vlan 201-300 # Enable selective Q-in-Q on Ethernet 1/2. switch(config-if-ethernet1/2)#dot1q-tunnel selective enable # Configure uplink port Ethernet 1/9 as a hybrid port and configure it to save VLAN tags when forwarding packets of VLAN 1000 and VLAN 2000. switch(config-if-ethernet1/2)#interface ethernet 1/9 switch(config-if-ethernet1/9)#switchport mode hybrid switch(config-if-ethernet1/9)#switchport hybrid allowed vlan 1000;2000 tag After the above configuration, packets of VLAN 100 through VLAN 200 from Ethernet1/1 are automatically tagged with the tag of VLAN 1000 as the outer VLAN tag, and packets of VLAN 201 through VLAN 300 from Ethernet1/2 are automatically tagged with the tag of VLAN 2000 as the outer VLAN tag on SwitchA. 20-84 The configuration on Switch B is similar to that on Switch A and the configuration is as follows: switch(config)#vlan 1000;2000 switch(config)#interface ethernet 1/1 switch(config-if-ethernet1/1)#switchport mode hybrid switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200 switch(config-if-ethernet1/1)#dot1q-tunnel selective enable switch(config-if-ethernet1/1)#interface ethernet 1/2 switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 2000 untag switch(config-if-ethernet1/2)#dot1q-tunnel selective s-vlan 2000 c-vlan 201-300 switch(config-if-ethernet1/2)#dot1q-tunnel selective enable switch(config-if-ethernet1/9)#switchport mode hybrid switch(config-if-ethernet1/9)#switchport hybrid allowed vlan 1000;2000 tag 20.3.4 Selective Q-in-Q Troubleshooting Selective Q-in-Q and dot1q-tunnel functions should not be configured synchronously for a port. 20.4 VLAN Translation Configuration 20.4.1 Introduction to VLAN Translation VLAN translation, as one can tell from the name, which translates the original VLAN ID to new VLAN ID according to the user requirements so to exchange data across different VLANs. VLAN translation supports ingress translation, and switch over the VLAN ID at the ingress. Application and configuration of VLAN translation will be explained in details in this section. 20.4.2 VLAN Translation Configuration Configuration task sequence of VLAN translation: 1. Configure the VLAN translation function on the port 2. Configure the VLAN translation relations on the port 3. Configure whether the packet is dropped when VLAN translation fails 4. Show the related configuration of VLAN translation 20-85 1. Configure the VLAN Translation of the port Command Explanation Port Mode vlan-translation enable Enter/exit the port VLAN translation no vlan-translation enable mode. 2. Configure the VLAN-translation relation of the port Command Explanation Global/Port Mode vlan-translation <old-vlan-id> to Add/delete a VLAN translation relation. <new-vlan-id> in no vlan-translation old-vlan-id in 3. Configure whether the packet is dropped when VLAN translation fails Command Explanation Port Mode vlan-translation miss drop {in | out | both} no vlan-translation miss drop {in | out | Configure the VLAN translation packet dropped on port if there is any failure. both} 4. Show the related configuration of VLAN translation Command Explanation Admin Mode Show the related configuration of VLAN show vlan-translation translation. 20-86 20.4.3 Typical Application of VLAN Translation Scenario: Edge switches PE1 and PE2 of the ISP internet support the VLAN20 data task between CE1 and CE2 of the client network with VLAN3. The port1/1 of PE1 is connected to CE1; port1/10 is connected to public network; port1/1 of PE2 is connected to CE2; port1/10 is connected to public network. On the customer port Trunk VLAN 200-300 CE1 Trunk connection PE1 SP networks Trunk connection Customer networks1 The ingress of the port translates VLAN20 to VLAN3, the egress translates VLAN3 to VLAN20 on PE P Trunk connection PE2 The ingress of the port translates VLAN20 to VLAN3, the egress translates VLAN3 to VLAN20 on PE Trunk connection On the customer port Trunk VLAN 20 Figure 20-6: VLAN translation topology mode Configuration Configuration Explanation Item VLAN translation Port1/1 of PE1 and PE2. Trunk port Port1/1 and Port1/10 of PE1 and PE2. Configuration procedure is as follows: PE1、PE2: switch(Config)#interface ethernet 1/1 switch(Config-Ethernet1/1)#switchport mode trunk switch(Config-Ethernet1/1)# vlan-translation enable switch(Config-Ethernet1/1)# vlan-translation 20 to 3 in switch(Config-Ethernet1/1)# vlan-translation 3 to 20 out switch(Config-Ethernet1/1)# exit switch(Config)#interface ethernet 1/10 switch(Config-Ethernet1/10)#switchport mode trunk switch(Config-Ethernet1/10)#exit switch(Config)# Note: This switch only supports the in direction. 20-87 CE2 Customer networks2 20.4.4 VLAN Translation Troubleshooting Normally the VLAN Translation is applied on trunk ports. Normally before using the VLAN Translation, the dot1q-tunnel function needs to be enabled first to adapt double tag data packet processes VLAN-translation. When configuring VLAN translation of the egress, make sure native VLAN of the port is not identical with vid of the packet. Otherwise, the tag of the packet will be stripped in advance and the transform of vid cannot be completed. QoS only matches VLAN-id that the packet is translated when VLAN translation and QoS are configured at the same time. 20.5 Multi-to-One VLAN Translation Configuration 20.5.1 Introduction to Multi-to-One VLAN Translation Multi-to-One VLAN translation translates the original VLAN ID into the new VLAN ID according to user’s requirement on uplink traffic, and restores the original VLAN ID on downlink traffic. Application and configuration of Multi-to-One VLAN translation will be explained in details in this section. 20.5.2 Multi-to-One VLAN Translation Configuration Multi-to-One VLAN translation configuration task list: 1. Configure Multi-to-One VLAN translation on the port 2. Show the related configuration of Multi-to-One VLAN translation 1. Configure Multi-to-One VLAN translation on the port Command Explanation Port Mode vlan-translation n-to-1 <WORD> to Configure/delete Multi-to-One VLAN <new-vlan-id> translation. no vlan-translation n-to-1 <WORD> 20-88 2. Show the related configuration of Multi-to-One VLAN translation Command Explanation Admin Mode Show the related configuration of show vlan-translation n-to-1 Multi-to-One VLAN translation. 20.5.3 Typical Application of Multi-to-One VLAN Translation Scenario: UserA, userB and userC belong to VLAN1, VLAN2, VLAN3, respectively. Before entering the network layer, data traffic of userA, userB and userC is translated into VLAN 100 by Ethernet1/1 of edge switch1. Contrarily, data traffic of userA, userB and userC will be translated into VLAN1, VLAN2, VLAN3 by Ethernet1/1 of edge switch1 from network layer respectively. In the same way, it implements multi-to-one translation for userD, userE and userF on Ethernet1/1 of edge switch2. Figure 20-7: VLAN translation typical application 20-89 Configuration Item Configuration Explanation VLAN Switch1、Switch2 Trunk Port Downlink port 1/1 and uplink port 1/5 of Switch1 and Switch 2 Multi-to-One Downlink port 1/1 of Switch1 and Switch2 VLAN-translation Configuration procedure is as follows: Switch1、Switch2: switch(Config)# vlan 1-3;100 switch(Config-Ethernet1/1)#switchport mode trunk switch(Config-Ethernet1/1)# vlan-translation n-to-1 1-3 to 100 switch(Config)#interface ethernet 1/5 switch(Config-Ethernet1/5)#switchport mode trunk switch(Config-Ethernet1/5)#exit 20.5.4 Multi-to-One VLAN Translation Troubleshooting Do not be used with Dot1q-tunnel at the same time. Do not be used with VLAN translation at the same time. The same MAC address should not exist in the original and the translated VLAN. Check whether the hardware resource of the chip is able to ensure all clients to work normally. Limiting learning of MAC address may affect Multi-to-One VLAN Translation. Multi-to-One VLAN Translation should be enabled after MAC learning. 20.6 Dynamic VLAN Configuration 20.6.1 Introduction to Dynamic VLAN The dynamic VLAN is named corresponding to the static VLAN (namely the port based VLAN). Dynamic VLAN supported by the switch includes MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN. Detailed description is as follows: The MAC-based VLAN division is based on the MAC address of each host, namely every host with a MAC address will be assigned to certain VLAN. By the means, the network user will maintain his membership in his belonging VLAN when moving from a physical location to another. We can see the greatest advantage of this VLAN division is that the VLAN does not have to be re-configured when the user physical location changes, meaning shifting from one switch to another, which is because it is user based, not switch port based. 20-90 The IP subnet based VLAN is divided according to the source IP address and its subnet mask of every host. It assigns corresponding VLAN ID to the data packet according to the subnet segment, leading the data packet to specified VLAN. Its advantage is the same as that of the MAC-based VLAN; the user does not have to change configuration when relocated. The VLAN is divided by the network layer protocol, assigning a different protocol to different VLANs. This is very attractive to the network administrators who wish to organize the user by applications and services. Moreover the user can move freely within the network while maintaining his membership. Advantage of this method enables user to change physical position without changing their VLAN residing configuration, while the VLAN can be divided by types of protocols which is important to the network administrators. Further, this method has no need of added frame label to identify the VLAN, which reduces the network traffic. Note: Dynamic VLAN needs to associate with Hybrid attribute of the ports to work, so the ports that may be added to a dynamic VLAN must be configured as Hybrid port. 20.6.2 Dynamic VLAN Configuration Dynamic VLAN Configuration Task Sequence: 1. Configure the MAC-based VLAN function on the port 2. Set the VLAN to MAC VLAN 3. Configure the correspondence between the MAC address and the VLAN 4. Configure the IP-subnet-based VLAN function on the port 5. Configure the correspondence between the IP subnet and the VLAN 6. Configure the correspondence between the Protocols and the VLAN 7. Adjust the priority of the dynamic VLAN 1. Configure the MAC-based VLAN function on the port Command Explanation Port Mode switchport mac-vlan enable Enable/disable the MAC-based VLAN no switchport mac-vlan enable function on the port. 20-91 2. Set the VLAN to MAC VLAN Command Explanation Global Mode Configure the specified VLAN to MAC mac-vlan vlan <vlan-id> VLAN; the “no mac-vlan” command no mac-vlan cancels the MAC VLAN configuration of this VLAN. 3. Configure the correspondence between the MAC address and the VLAN Command Explanation Global Mode Add/delete the correspondence between mac-vlan mac <mac-addrss> vlan the MAC address and the VLAN, namely <vlan-id> priority <priority-id> specified MAC address join/leave no mac-vlan {mac <mac-addrss>|all} specified VLAN. 4. Configure the IP-subnet-based VLAN function on the port Command Explanation Port Mode switchport subnet-vlan enable Enable/disable the port IP-subnet-base no switchport subnet-vlan enable VLAN function on the port. 5. Configure the correspondence between the IP subnet and the VLAN Command Explanation Global Mode subnet-vlan ip-address <ipv4-addrss> Add/delete the correspondence between mask <subnet-mask> vlan <vlan-id> the IP subnet and the VLAN, namely priority <priority-id> no subnet-vlan {ip-address <ipv4-addrss> mask <subnet-mask>|all} 20-92 specified IP subnet joins/leaves specified VLAN. 6. Configure the correspondence between the Protocols and the VLAN Command Explanation Global Mode protocol-vlan mode {ethernetii etype <etype-id>|llc {dsap <dsap-id> ssap <ssap-id>}|snap etype <etype-id>} vlan <vlan-id> priority <priority-id> no protocol-vlan {mode {ethernetii etype <etype-id>|llc {dsap <dsap-id> ssap Add/delete the correspondence between the Protocols and the VLAN, namely specified protocol joins/leaves specified VLAN. <ssap-id>}|snap etype <etype-id>}|all} 7. Adjust the priority of the dynamic VLAN Command Explanation Global Mode dynamic-vlan mac-vlan prefer Configure the priority of the dynamic dynamic-vlan subnet-vlan prefer VLAN. 20.6.3 Typical Application of the Dynamic VLAN Scenario: In the office network Department A belongs to VLAN100. Several members of this department often have the need to move within the whole office network. It is also required to ensure the resource for other members of the department to access VLAN 100. Assume one of the members is M, the MAC address of his PC is 00-30-4f-11-22-33, when M moves to VLAN200 or VLAN300, the port connecting M is configured as Hybrid mode and belongs to VLAN100 with untag mode. In this way, the data of VLAN100 will be forwarded to the port connecting M, and implement the communication requirement in VLAN100. 20-93 Switch A Switch B Switch C VLAN100 VLAN200 VLAN300 M Figure 20-8: Typical topology application of dynamic VLAN Configuration Configuration Explanation Items MAC-based VLAN Global configuration on Switch A, Switch B, Switch C. For example, M at E1/1 of Switch A, then the configuration procedures are as follows: Switch A, Switch B, Switch C: SwitchA (Config)#mac-vlan mac 00-03 -0f-11-22-33 vlan 100 priority 0 SwitchA (Config)#interface ethernet 1/1 SwitchA (Config-Ethernet1/1)# swportport mode hybrid SwitchA (Config-Ethernet1/1)# swportport hybrid allowed vlan 100 untagged SwitchB (Config)#mac-vlan mac 00-30-4f-11-22-33 vlan 100 priority 0 SwitchB (Config)#exit SwitchB# SwitchC (Config)#mac-vlan mac 00-30-4f-11-22-33 vlan 100 priority 0 SwitchC (Config)#exit SwitchC# 20-94 20.6.4 Dynamic VLAN Troubleshooting On the switch configured with dynamic VLAN, if the two connected equipment (e.g. PC) both belongs to the same dynamic VLAN, first communication between the two equipment may not go through. The solution will be letting the two equipment positively send data packet to the switch (such as ping), to let the switch learn their source MAC, then the two equipment will be able to communicate freely within the dynamic VLAN. Ping 192.168.1.100 Ping 192.168.1.200 Dynamic VLAN 192.168.1.100/24 192.168.1.200/24 Figure 20-9: Dynamic VLAN Troubleshooting 20.7 GVRP Configuration 20.7.1 Introduction to GVRP GVRP, i.e. GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP is mainly used to establish an attribute transmission mechanism to transmit attributes, so as to ensure protocol entities registering and deregistering the attribute. According to different transmission attributes, GARP can be divided into many application protocols, such as GMRP and GVRP. Therefore, GVRP is a protocol which transmits VLAN attributes to the whole Layer 2 network through GARP Protocol. 20-95 Figure 20-10: a typical application scene A and G switches are not directly connected in Layer 2 network; BCDEF are intermediate switches connecting A and G. Switch A and G configure VLAN100-1000 manually while BCDEF switches do not. When GVRP is not enabled, A and G cannot communicate with each other, because intermediate switches without relevant VLANs. However, after GVRP is enabled on all switches, its VLAN attribute transmission mechanism enables the intermediate switches registering the VLANs dynamically, and the VLAN in VLAN100-1000 of A and G can communicate with each other. The VLANs dynamically registered by intermediate switches will be deregistered when deregistering VLAN100-1000 of A and G switches manually. So the same VLAN of two unadjacent switches can communicate mutually through GVRP protocol instead of configuring each intermediate switch manually for achieving the purpose of simplifying VLAN configuration. 20.7.2 GVRP Configuration Task List GVRP configuration task list: 1. Configure GVRP timer 2. Configure port type 3. Enable GVRP function 1. Configure GVRP timer Command Explanation Global Mode Configure leaveall, join and leave garp timer join <200-500> 20-96 timer for GVRP. garp timer leave <500-1200> garp timer leaveall <5000-60000> no garp timer (join | leave | leaveAll) 2. Configure port type Command Explanation Port Mode gvrp Enable/ disable GVRP function of no gvrp port. 3. Enable GVRP function Command Explanation Global Mode gvrp Enable/ disable the global GVRP no gvrp function of port. 20.7.3 Example of GVRP GVRP application: PC Switch A Switch B Switch C PC Figure 20-11: Typical GVRP Application Topology 20-97 To enable dynamic VLAN information register and update among switches, GVRP protocol is to be configured in the switch. Configure GVRP in Switch A, B and C, enable Switch B to learn VLAN100 dynamically so that two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries. Configuration Configuration description Item VLAN100 Port 2-6 of Switch A and C. Trunk port Port 11 of Switch A and C, Port 10, 11 of Switch B. Global GVRP Switch A, B, C. Port GVRP Port 11 of Switch A and C, Port 10, 11 of Switch B. Connect two workstations to the VLAN100 ports in switch A and B, connect port 11 of Switch A to port 10 of Switch B, and port 11 of Switch B to port 11 of Switch C. The configuration steps are listed below: Switch A: Switch(config)# gvrp Switch(config)#vlan 100 Switch(Config-Vlan100)#switchport interface ethernet 1/2-6 Switch(Config-Vlan100)#exit Switch(config)#interface ethernet 1/11 Switch(Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)# gvrp Switch(Config-If-Ethernet1/11)#exit Switch B: Switch(config)#gvrp Switch(config)#interface ethernet 1/10 Switch(Config-If-Ethernet1/10)#switchport mode trunk Switch(Config-If-Ethernet1/10)# gvrp Switch(Config-If-Ethernet1/10)#exit Switch(config)#interface ethernet 1/11 Switch(Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)# gvrp Switch(Config-If-Ethernet1/11)#exit 20-98 Switch C: Switch(config)# gvrp Switch(config)#vlan 100 Switch(Config-Vlan100)#switchport interface ethernet 1/2-6 Switch(Config-Vlan100)#exit Switch(config)#interface ethernet 1/11 Switch(Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)# gvrp Switch(Config-If-Ethernet1/11)#exit 20-99 20.7.4 GVRP Troubleshooting The GARP counter setting for Trunk ports in both ends of Trunk link must be the same, otherwise, GVRP will not work normally. It is recommended to avoid enabling GVRP and RSTP at the same time in switch. If GVRP needs to be enabled, RSTP function for the ports must be disabled first. 20.8 Voice VLAN Configuration 20.8.1 Introduction to Voice VLAN Voice VLAN is specially configured for the user voice data traffic. By setting a Voice VLAN and adding the ports of the connected voice equipment to the Voice VLAN, the user will be able to configure QoS (Quality of service) service for voice data, and improve the voice data traffic transmission priority to ensure the calling quality. The switch can judge if the data traffic is the voice data traffic from specified equipment according to the source MAC address field of the data packet entering the port. The packet with the source MAC address complying with the system defined voice equipment OUI (Organizationally Unique Identifier) will be considered the voice data traffic and transmitted to the Voice VLAN. The configuration is based on MAC address, acquiring a mechanism in which every voice equipment transmitting information through the network has got its unique MAC address. VLAN will trace the address that belongs to specified MAC. By this means, VLAN allows the voice equipment to always belong to Voice VLAN when relocated physically. The greatest advantage of the VLAN is the equipment that can be automatically placed into Voice VLAN according to its voice traffic which will be transmitted at specified priority. Meanwhile, when voice equipment is physically relocated, it still belongs to the Voice VLAN without any further configuration modification, which is because it is based on voice equipment other than switch port. Note: Voice VLAN needs to associate with Hybrid attribute of the ports to work, so the ports that may be added to Voice VLAN must be configured as Hybrid port. 20-100 20.8.2 Voice VLAN Configuration Voice VLAN Configuration Task Sequence: 1. Set the VLAN to Voice VLAN 2. Add a voice equipment to Voice VLAN 3. Enable the Voice VLAN on the port 1. Configure the VLAN to Voice VLAN Command Explanation Global Mode voice-vlan vlan <vlan-id> Set/cancel the VLAN as a Voice VLAN no voice-vlan 2. Add a Voice equipment to a Voice VLAN Command Explanation Global Mode voice-vlan mac <mac-address> mask <mac-mask> priority <priority-id> [name <voice-name>] no voice-vlan {mac <mac-address> mask Specify certain voice equipment join/leave the Voice VLAN <mac-mask>|name <voice-name> |all} 3. Enable the Voice VLAN of the port Command Explanation Port Mode switchport voice-vlan enable Enable/disable the Voice VLAN function no switchport voice-vlan enable on the port 20-101 20.8.3 Typical Applications of the Voice VLAN Scenario: A company realizes voice communication through configuring Voice VLAN. IP-phone1 and IP-phone2 can be connected to any port of the switch, namely normal communication and interconnected with other switches through the uplink port. IP-phone1 MAC address is 00-30-4f-11-22-33, connect port 1/1 of the switch, IP-phone2 MAC address 00-30-4f-11-22-55, connect port 1/2 of the switch. Switch IP-phone1 IP-phone2 Figure 20-12: VLAN typical apply topology Figure Configuration Configuration Explanation items Voice VLAN Global configuration on the Switch. Configuration procedure: Switch 1: Switch(config)#vlan 100 Switch(Config-Vlan100)#exit Switch(config)#voice-vlan vlan 100 Switch(config)#voice-vlan mac 00-30-4f-11-22-33 mask 255 priority 5 name company Switch(config)#voice-vlan mac 00-30-4f-11-22-55 mask 255 priority 5 name company Switch(config)#interface ethernet 1/10 Switch(Config-If-Ethernet1/10)#switchport mode trunk Switch(Config-If-Ethernet1/10)#exit switch(Config)#interface ethernet 1/1 switch(Config-If-Ethernet1/1)#switchport mode hybrid switch(Config-If-Ethernet1/1)#switchport hybrid allowed vlan 100 untag 20-102 is switch(Config-If-Ethernet1/1)#exit switch(Config)#interface ethernet 1/2 switch(Config-If-Ethernet1/2)#switchport mode hybrid switch(Config-If-Ethernet1/2)#switchport hybrid allowed vlan 100 untag switch(Config-If-Ethernet1/2)#exit 20.8.4 Voice VLAN Troubleshooting Voice VLAN cannot be applied concurrently with MAC-base VLAN. The Voice VLAN supports maximum 1024 sets of voice equipment; the exceeded number of equipment will not be supported. The Voice VLAN on the port is enabled by default. If the configured data can no longer enter the Voice VLAN during operation, please check if the Voice VLAN function has been disabled on the port. 20-103 Chapter 21 MAC Table Configuration 21.1 Introduction to MAC Table MAC table is a table identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are manually configured by the user, have the highest priority and are permanently effective (will not be overwritten by dynamic MAC addresses); dynamic MAC addresses are entries learnt by the switch in data frame forwarding, and is effective for a limited period. When the switch receives a data frame to be forwarded, it stores the source MAC address of the data frame and creates a mapping to the destination port. Then the MAC table is queried for the destination MAC address, if hit, the data frame is forwarded in the associated port; otherwise, the switch forwards the data frame to its broadcast domain. If a dynamic MAC address is not learnt from the data frames to be forwarded for a long time, the entry will be deleted from the switch MAC table. There are two MAC table operations: 1. Obtain a MAC address. 2. Forward or filter data frame according to the MAC table. 21.1.1 Obtaining MAC Table The MAC table can be built up statically and dynamically. Static configuration is to set up a mapping between the MAC addresses and the ports; dynamic learning is the process in which the switch learns the mapping between MAC addresses and ports, and updates the MAC table regularly. In this section, we will focus on the dynamic learning process of MAC table. Figure 21-1: MAC Table dynamic learning 21-104 The topology of the figure above: 4 PCs connected to switch, where PC1 and PC2 belongs to the same physical segment (same collision domain), the physical segment connects to port 1/5 of switch; PC3 and PC4 belongs to the same physical segment that connects to port 1/12 of switch. The initial MAC table contains no address mapping entries. Take the communication of PC1 and PC3 for an example. The MAC address learning process is as follows: 1. When PC1 sends message to PC3, the switch receives the source MAC address 00-01-11-11-11-11 from this message. The mapping entry of 00-01-11-11-11-11 and port 1/5 are added to the switch MAC table. 2. At the same time, the switch learns the message which is destined to 00-01-33-33-33-33, as the MAC table contains only a mapping entry of MAC address 00-01-11-11-11-11 and port1/5, and no port mapping for 00-01-33-33-33-33 is present. The switch broadcasts this message to all the ports in the switch (assuming all ports belong to the default VLAN1). 3. PC3 and PC4 on port 1/12 receive the message sent by PC1, but PC4 will not reply, as the destination MAC address is 00-01-33-33-33-33, only PC3 will reply to PC1. When port 1/12 receives the message sent by PC3, a mapping entry for MAC address 00-01-33-33-33-33 and port 1/12 is added to the MAC table. 4. Now the MAC table has two dynamic entries, MAC address 00-01-11-11-11-11 - port 1/5 and 00-01-33-33-33-33 -port1/12. 5. After the communication between PC1 and PC3, the switch does not receive any message sent from PC1 and PC3. And the MAC address mapping entries in the MAC table are deleted in 300 to 2*300 seconds (ie, in single to double aging time). The 300 seconds here is the default aging time for MAC address entry in switch. Aging time can be modified in switch. 21.1.2 Forward or Filter The switch will forward or filter received data frames according to the MAC table. Take the above figure for an example. Assuming switch has learned the MAC address of PC1 and PC3, and the user manually configures the mapping relationship for PC2 and PC4 to ports. The MAC table of switch will be: MAC Address Port number Entry added by 00-01-11-11-11-11 1/5 Dynamic learning 00-01-22-22-22-22 1/5 Static configuration 00-01-33-33-33-33 1/12 Dynamic learning 00-01-44-44-44-44 1/12 Static configuration 21-105 1. Forward data according to the MAC table If PC1 sends a message to PC3, the switch will forward the data received on port 1/5 from port1/12. 2. Filter data according to the MAC table If PC1 sends a message to PC2, the switch, on checking the MAC table, will find PC2 and PC1, which are in the same physical segment and filter the message (i.e. drop this message). Three types of frames can be forwarded by the switch: Broadcast frame Multicast frame Unicast frame The following describes how the switch deals with all the three types of frames: 1. Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the switch are in the same broadcast domain. When the switch receives a broadcast frame, it forwards the frame in all ports. When VLANs are configured in the switch, the MAC table will be adapted accordingly to add VLAN information. In this case, the switch will not forward the received broadcast frames in all ports, but forward the frames in all ports in the same VLAN. 2. Multicast frame: For the unknown multicast, the switch will broadcast it in the same VLAN, but the switch only forwards the multicast frames to the multicast group’s port if IGMP Snooping function or the static multicast group has been configured. 3. Unicast frame: When no VLAN is configured, if the destination MAC addresses are in the switch MAC table, the switch will directly forward the frames to the associated ports; when the destination MAC address in a unicast frame is not found in the MAC table, the switch will broadcast the unicast frame. When VLANs are configured, the switch will forward unicast frame within the same VLAN. If the destination MAC address is found in the MAC table but belonging to different VLANs, the switch can only broadcast the unicast frame in the VLAN it belongs to. 21.2 Mac Address Table Configuration Task List 1. Configure the MAC address aging-time 2. Configure static MAC forwarding or filter entry 3. Clear dynamic address table 4. Configure MAC learning through CPU control 21-106 1. Configure the MAC aging-time Command Explanation Global Mode Configure the MAC address aging-time. mac-address-table aging-time <0|aging-time> no mac-address-table aging-time 2. Configure static MAC forwarding or filter entry Command Explanation Global Mode mac-address-table {static | static-multicast | blackhole} address <mac-addr> vlan <vlan-id > [interface ethernet <interface-name>] | Configure static MAC entries, static [source|destination|both] multicast MAC entries, filter address no mac-address-table {static | entries. static-multicast | blackhole } [address <mac-addr>] [vlan <vlan-id>] [interface ethernet <interface-name>] 3. Clear dynamic address table Command Explanation Admin Mode clear mac-address-table dynamic [address Clear the dynamic address table. <mac-addr>] [vlan <vlan-id>] [interface [ethernet | portchannel] <interface-name>] 4. Configure MAC learning through CPU control Command Explanation Global Mode mac-address-learning cpu-control Enable MAC learning through CPU no mac-address-learning cpu-control control, the no command restores that the chip automatically learn MAC address. 21-107 Show the hash collision mac table. show collision-mac-address-table Admin Mode Clear the hash collision mac table. clear collision-mac-address-table 21.3 Typical Configuration Examples Figure 22-3: MAC Table typical configuration example Scenario: Four PCs as shown in the above figure connect to port 1/5, 1/7, 1/9, 1/11 of switch; all the four PCs belong to the default VLAN1. As required by the network environment, dynamic learning is enabled. PC1 holds sensitive data and cannot be accessed by any other PC that is in another physical segment; PC2 and PC3 have static mapping set to port 1/7 and port 1/9, respectively. The configuration steps are listed below: 1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address. Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1. 2.Set the static mapping relationship for PC2 and PC3 to port 1/7 and port 1/9, respectively. Switch(config)#mac-address-table static address 00-01-22-22-22-22 vlan 1 interface ethernet 1/7 Switch(config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 1/9 21-108 21.4 MAC Table Troubleshooting Using the show mac-address-table command, a port is found to be failed to learn the MAC of a device connected to it. Possible reasons: The connected cable is broken. Spanning Tree is enabled and the port is in “discarding” status; or the device is just connected to the port and Spanning Tree is still under calculation, wait until the Spanning Tree calculation finishes, and the port will learn the MAC address. If not the problems mentioned above, please check the switch port and contact technical support for solution. 21.5 MAC Address Function Extension 21.5.1 MAC Address Binding 21.5.1.1 Introduction to MAC Address Binding Most switches support MAC address learning; each port can dynamically learn several MAC addresses, so that forwarding data streams between known MAC addresses within the ports can be achieved. If an MAC address is aged, the packet destined for that entry will be broadcasted. In other words, an MAC address learned in a port will be used for forwarding in that port, if the connection is changed to another port, the switch will learn the MAC address again to forward data in the new port. However, in some cases, security or management policy may require MAC addresses to be bound with the ports, only data stream from the binding MAC are allowed to be forwarded in the ports. That is to say, after a MAC address is bound to a port, only the data stream destined for that MAC address can flow in from the binding port, data stream destined for the other MAC addresses that not bound to the port will not be allowed to pass through the port. 21.5.1.2 MAC Address Binding Configuration Task List 1. Enable MAC address binding function for the ports 2. Lock the MAC addresses for a port 3. MAC address binding property configuration 1. Enable MAC address binding function for the ports Command Explanation Port Mode 21-109 Enable MAC address binding function for the port and lock the port. When a port is locked, the MAC address learning function switchport port-security for the port will be disabled: the “no no switchport port-security switchport port-security” command disables the MAC address binding function for the port, and restores the MAC address learning function for the port. 2. Lock the MAC addresses for a port Command Explanation Port Mode switchport port-security aging {static | time <value> | type {absolute | Enable the aging entries of port-security, inactivity}} and specify the aging time and type on the no switchport port-security violation interface. aging {static | time | type} switchport port-security mac-address <mac-address> [vlan <vlan-id>] Configure the static secure MAC on the no switchport port-security interface, the no command cancels the mac-address <mac-address> [vlan configuration. <vlan-id>] Admin Mode clear port-security dynamic [address Clear dynamic MAC addresses learned by <mac-addr> | interface <interface-id>] the specified port. 3. MAC address binding property configuration Command Explanation Port Mode Configure the maximum number of the switchport port-security maximum <value> [vlan <vlan-list>] no switchport port-security maximum <value> [vlan <vlan-list>] secure MAC allowed by the interface, if specifying VLAN parameter, it means the maximum number in the configured VLANs. The no command cancels the maximum number of the secure MAC configured by the interface. 21-110 When exceeding the maximum number of the configured MAC addresses, MAC address accessing the interface does not switchport port-security violation {protect | recovery | restrict | shutdown} no switchport port-security violation belongs to this interface in MAC address table or a MAC address is configured to several interfaces in same VLAN, both of them will violate the security of the MAC address. 21.5.1.3 Binding MAC Address Binding Troubleshooting Enabling MAC address binding for ports may fail in some occasions. Here are some possible causes and solutions: If MAC address binding cannot be enabled for a port, make sure the port is not enabling port aggregation and is not configured as a Trunk port. MAC address binding is exclusive to such configurations. If MAC address binding is to be enabled, the functions mentioned above must be disabled first. If a secure address is set as static address and deleted, that secure address will be unusable even though it exists. For this reason, it is recommended to avoid static address for ports enabling MAC address. 21.6 MAC Notification Configuration 21.6.1 Introduction to MAC Notification MAC Notification function depends on the notification. Add or remove the MAC address, namely, when the device is added or removed, it will notify administrator about the change by the trap function of SNMP. 21.6.2 MAC Notification Configuration Mac notification configuration task list: 1. Configure the global SNMP MAC notification 2. Configure the global MAC notification 3. Configure the interval for sending MAC notification 4. Configure the size of history table 5. Configure the trap type of MAC notification supported by the port 6. Show the configuration and the data of MAC notification 7. Clear the statistics of MAC notification trap 21-111 1. Configure the global SNMP MAC notification Command Explanation Global Mode snmp-server enable traps mac-notification Configure or cancel the global SNMP no snmp-server enable traps mac-notification MAC notification. 2. Configure the global MAC notification Command Explanation Global Mode mac-address-table notification Configure or cancel the global MAC no mac-address-table notification notification. 3. Configure the interval for sending MAC notification Command Explanation Global Mode mac-address-table notification interval <0-86400> no mac-address-table notification interval Configure the interval for sending the MAC address notification, the no command restores the default interval. 4. Configure the size of history table Command Explanation Global Mode mac-address-table notification history-size Configure the history table size, the <0-500> no command restores the default no mac-address-table notification history-size value. 5. Configure the trap type of MAC notification supported by the port Command Explanation Port Mode Configure or cancel the trap type of mac-notification {added | all | moved} MAC notification supported by the no mac-notification port. 21-112 6. Show the configuration and the data of MAC notification Command Explanation Admin Mode Show the configuration and the data show mac-notification summary of MAC notification. 7. Clear the statistics of MAC notification trap Command Explanation Admin Mode Clear the statistics of MAC clear mac-notification statistics notification trap. 21.6.3 MAC Notification Example IP address of network management station (NMS) is 1.1.1.5, IP address of Agent is 1.1.1.9. NMS will receive Trap message from Agent. (Note: NMS may set the authentication to the community character string of trap, suppose the community character string as usertrap) Configuration procedure in the following: Switch(config)#snmp-server enable Switch(config)#snmp-server enable traps mac-notification Switch(config)# mac-address-table notification Switch(config)# mac-address-table notification interval 5 Switch(config)# mac-address-table notification history-size 100 Switch(Config-If-Ethernet1/4)# mac-notification both 21.6.4 MAC Notification Troubleshooting Check whether trap message is sent successfully by show command and debug command of SNMP. 21-113 Chapter 22 MSTP Configuration 22.1 Introduction to MSTP The MSTP (Multiple STP) is a new Spanning Tree Protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged-LAN. It calculates a common and internal spanning tree (CIST) for the bridge-LAN which consists of the bridges running the MSTP, the RSTP and the STP. It also calculates the independent multiple spanning-tree instances (MSTI) for each MST domain (MSTP domain). The MSTP, which adopts the RSTP for its rapid convergence of the spanning tree, enables multiple VLANs to be mapped to the same spanning-tree instance which is independent to other spanning-tree instances. The MSTP provides multiple forwarding paths for data traffic and enables load balancing. Moreover, because multiple VLANs share a same MSTI, the MSTP can reduce the number of spanning-tree instances, which consumes less CPU resources and reduces the bandwidth consumption. 22.2 MSTP Region Because multiple VLANs can be mapped to a single spanning tree instance, IEEE 802.1s committee raises the MST concept. The MST is used to make the association of a certain VLAN to a certain spanning tree instance. A MSTP region is composed of one or multiple bridges with the same MCID (MST Configuration Identification) and the bridged-LAN (a certain bridge in the MSTP region is the designated bridge of the LAN, and the bridges attaching to the LAN are not running STP). All the bridges in the same MSTP region have the same MSID. MSID consists of 3 attributes: Configuration Name: Composed by digits and letters Revision Level Configuration Digest: VLANs mapping to spanning tree instances The bridges with the above same 3 attributes are considered as in the same MST region. When the MSTP calculates CIST in a bridged-LAN, an MSTP region is considered as a bridge. See the figure below: 22-114 Root A Root A B M E MST D F D REGION C Figure 22-1: Example of CIST and MST Region In the above network, if the bridges are running the STP or the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a bridge. Therefore, one port between Bridge B and Root is blocked and one port on Bridge D is blocked. 22.2.1 Operations within an MSTP Region The IST connects all the MSTP bridges in a region. When the IST converges, the root of the IST becomes the IST master, which is the switch within the region with the lowest bridge ID and path cost to the CST root. The IST master is also the CST root if there is only one region within the network. If the CST root is outside the region, one of the MSTP bridges at the boundary of the region is selected as the IST master. When an MSTP bridge initializes, it sends BPDUs claiming itself as the root of the CST and the IST master, with both of the path costs to the CST root and to the IST master set to zero. The bridge also initializes all of its MST instances and claims to be the root for all of them. If the bridge receives superior MST root information (lower bridge ID, lower path cost, and so forth) than currently stored for the port, it relinquishes its claim as the IST master. Within a MST region, the IST is the only spanning-tree instance that sends and receives BPDUs. Because the MST BPDU carries information for all instances, the number of BPDUs that need to be processed by a switch to support multiple spanning-tree instances is significantly reduced. All MST instances within the same region share the same protocol timers, but each MST instance has its own topology parameters, such as root switch ID, root path cost, and so forth. 22-115 22.2.1.1 Operations between MST Regions If there are multiple regions or legacy 802.1D bridges within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP bridges in the network. The MST instances combine with the IST at the boundary of the region to become the CST. The MSTI is only valid within its MST region. An MSTI has nothing to do with MSTIs in other MST regions. The bridges in a MST region receive the MST BPDU of other regions through Boundary Ports. They only process CIST related information and abandon MSTI information. 22.2.2 Port Roles The MSTP bridge assigns a port role to each port which runs MSTP. CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port On top of those roles, each MSTI port has one new role: Master Port. The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same ways as those in the RSTP. 22.2.3 MSTP Load Balance In an MSTP region, VLANs can by mapped to various instances. That can form various topologies. Each instance is independent from the others and each distance can have its own attributes such as bridge priority, port cost, etc. Consequently, the VLANs in different instances have their own paths. The traffic of the VLANs are load-balanced. 22.3 MSTP Configuration Task List MSTP configuration task list: 1. Enable the MSTP and set the running mode 2. Configure instance parameters 3. Configure MSTP region parameters 4. Configure MSTP time parameters 5. Configure the fast migrate feature for MSTP 6. Configure the format of port packet 7. Configure the spanning-tree attribute of port 8. Configure the snooping attribute of authentication key 9. Configure the FLUSH mode once topology changes 22-116 1. Enable MSTP and set the running mode Command Explanation Global and Port Mode spanning-tree no spanning-tree Enable/Disable MSTP. Global Mode spanning-tree mode {mstp|stp|rstp} no spanning-tree mode Set MSTP running mode. Port Mode spanning-tree mcheck Force port migrate to run under MSTP. 2. Configure instance parameters Command Explanation Global Mode spanning-tree mst <instance-id> priority <bridge-priority> Set bridge priority for specified instance. no spanning-tree mst <instance-id> priority spanning-tree priority <bridge-priority> Configure the spanning-tree priority of the no spanning-tree priority switch. Port Mode spanning-tree mst <instance-id> cost Set port path cost for specified instance. <cost> no spanning-tree mst <instance-id> cost spanning-tree mst <instance-id> port-priority <port-priority> no spanning-tree mst <instance-id> Set port priority for specified instance. port-priority spanning-tree mst <instance-id> rootguard no spanning-tree mst <instance-id> rootguard spanning-tree rootguard no spanning-tree rootguard Configure currently port whether running rootguard in specified instance, configure the rootguard port can’t turn to root port. Configure currently port whether running rootguard in instance 0, configure the rootguard port can’t turn to root port. spanning-tree [mst <instance-id>] Enable loopguard function on specified loopguard instance, the no command disables this 22-117 function. no spanning-tree [mst <instance-id>] loopguard 3. Configure MSTP region parameters Command Explanation Global Mode spanning-tree mst configuration Enter MSTP region mode. The no no spanning-tree mst configuration command restores the default setting. MSTP Region Mode instance <instance-id> vlan <vlan-list> Create Instance and set mapping no instance <instance-id> [vlan <vlan-list> ] between VLAN and Instance. name <name> Set MSTP region name. no name revision-level <level> Set MSTP region revision level. no revision-level Quit MSTP region mode and return to Global mode without saving MSTP abort region configuration. Quit MSTP region mode and return to Global mode with saving MSTP region exit configuration. Cancel one command or set initial no value. 4. Configure MSTP time parameters Command Explanation Global Mode spanning-tree forward-time <time> Set the value for switch forward delay no spanning-tree forward-time time. spanning-tree hello-time <time> Set the Hello time for sending BPDU no spanning-tree hello-time messages. spanning-tree maxage <time> Set Aging time for BPDU messages. no spanning-tree maxage spanning-tree max-hop <hop-count> Set Maximum number of hops of no spanning-tree max-hop BPDU messages in the MSTP region. 22-118 5. Configure the fast migrate feature for MSTP Command Explanation Port Mode spanning-tree link-type p2p Set the port link type. {auto|force-true|force-false} no spanning-tree link-type Set and cancel the port to be an spanning-tree portfast [bpdufilter| bpduguard] [recovery <30-3600>] boundary port. bpdufilter receives the BPDU discarding; bpduguard receives the BPDU will disable port; no parameter no spanning-tree portfast receives the BPDU, the port becomes a non-boundary port. 6. Configure the format of MSTP Command Explanation Port Mode Configure the format of port spanning-tree format standard spanning-tree packet, standard format spanning-tree format privacy is provided by IEEE, privacy is spanning-tree format auto compatible with CISCO and auto no spanning-tree format means the format is determined by checking the received packet. 7. Configure the spanning-tree attribute of port Command Explanation Port Mode spanning-tree cost Set the port path cost. no spanning-tree cost spanning-tree port-priority Set the port priority. no spanning-tree port-priority spanning-tree rootguard Set the port is root port. no spanning-tree rootguard Global Mode 22-119 spanning-tree transmit-hold-count Set the max. transmit-hold-count of <tx-hold-count-value> port. no spanning-tree transmit-hold-count spanning-tree cost-format {dot1d | dot1t} Set port cost format with dot1d or dot1t. 8. Configure the snooping attribute of authentication key Command Explanation Port Mode Set the port to use the authentication spanning-tree digest-snooping string of partner port. The no no spanning-tree digest-snooping command restores to use the generated string. 9. Configure the FLUSH mode once topology changes Command Explanation Global Mode Enable: the spanning-tree flush once the topology changes. Disable: the spanning tree don’t flush spanning-tree tcflush {enable| disable| when the topology changes. protect} Protect: the spanning-tree flush not no spanning-tree tcflush more than one time every ten seconds. The no command restores to default setting, enable flush once the topology changes. Port Mode spanning-tree tcflush {enable| disable| Configure the port flush mode. protect} The no command restores to use the no spanning-tree tcflush global configured flush mode. 22-120 22.4 MSTP Example The following is a typical MSTP application example: SW1 1 1 SW2 2 2 4 5 1 2X 3 3X 4 6 7 SW3 6X 7X 5X SW4 Figure 22-2: Typical MSTP Application Scenario The connections among the switches are shown in the above figure. All the switches run in the MSTP mode by default, their bridge priority, port priority and port route cost are all in the default values (equal). The default configuration for switches is listed below: Bridge Name SW1 SW2 SW3 SW4 Bridge MAC …00-00-01 …00-00-02 …00-00-03 …00-00-04 32768 32768 32768 32768 port 1 128 128 128 port 2 128 128 128 port 3 128 128 port 4 128 128 port 5 128 128 Address Route Cost Port Priority Bridge Priority port 6 128 128 port 7 128 128 port 1 200000 200000 200000 port 2 200000 200000 200000 port 3 200000 200000 port 4 200000 200000 port 5 200000 200000 port 6 200000 200000 port 7 200000 200000 22-121 By default, the MSTP establishes a tree topology (in blue lines) rooted with Switch A. The ports marked with “x” are in the discarding status, and the other ports are in the forwarding status. Configurations Steps: Step 1: Configure port to VLAN mapping: Create VLAN 20, 30, 40, 50 in Switch 2, Switch 3 and Switch 4. Set ports 1-7 as trunk ports in Switch 2 Switch 3 and Switch 4. Step 2: Set Switch 2, Switch 3 and Switch 4 in the same MSTP: Set Switch 2, Switch 3 and Switch 4 to have the same region name as mstp. Map VLAN 20 and VLAN 30 in Switch 2, Switch 3 and Switch 4 to Instance 3; Map VLAN 40 and VLAN 50 in Switch 2, Switch 3 and Switch 4 to Instance 4. Step 3: Set Switch 3 as the root bridge of Instance 3; Set Switch 4 as the root bridge of Instance 4 Set the bridge priority of Instance 3 in Switch 3 as 0. Set the bridge priority of Instance 4 in Switch 4 as 0. The detailed configuration is listed below: Switch 2: Switch2(config)#vlan 20 Switch2(Config-Vlan20)#exit Switch2(config)#vlan 30 Switch2(Config-Vlan30)#exit Switch2(config)#vlan 40 Switch2(Config-Vlan40)#exit Switch2(config)#vlan 50 Switch2(Config-Vlan50)#exit Switch2(config)#spanning-tree mst configuration Switch2(Config-Mstp-Region)#name mstp Switch2(Config-Mstp-Region)#instance 3 vlan 20;30 Switch2(Config-Mstp-Region)#instance 4 vlan 40;50 Switch2(Config-Mstp-Region)#exit Switch2(config)#interface e1/1-7 Switch2(Config-Port-Range)#switchport mode trunk Switch2(Config-Port-Range)#exit Switch2(config)#spanning-tree 22-122 Switch 3: Switch3(config)#vlan 20 Switch3(Config-Vlan20)#exit Switch3(config)#vlan 30 Switch3(Config-Vlan30)#exit Switch3(config)#vlan 40 Switch3(Config-Vlan40)#exit Switch3(config)#vlan 50 Switch3(Config-Vlan50)#exit Switch3(config)#spanning-tree mst configuration Switch3(Config-Mstp-Region)#name mstp Switch3(Config-Mstp-Region)#instance 3 vlan 20;30 Switch3(Config-Mstp-Region)#instance 4 vlan 40;50 Switch3(Config-Mstp-Region)#exit Switch3(config)#interface e1/1-7 Switch3(Config-Port-Range)#switchport mode trunk Switch3(Config-Port-Range)#exit Switch3(config)#spanning-tree Switch3(config)#spanning-tree mst 3 priority 0 Switch 4: Switch4(config)#vlan 20 Switch4(Config-Vlan20)#exit Switch4(config)#vlan 30 Switch4(Config-Vlan30)#exit Switch4(config)#vlan 40 Switch4(Config-Vlan40)#exit Switch4(config)#vlan 50 Switch4(Config-Vlan50)#exit Switch4(config)#spanning-tree mst configuration Switch4(Config-Mstp-Region)#name mstp Switch4(Config-Mstp-Region)#instance 3 vlan 20;30 Switch4(Config-Mstp-Region)#instance 4 vlan 40;50 Switch4(Config-Mstp-Region)#exit Switch4(config)#interface e1/1-7 Switch4(Config-Port-Range)#switchport mode trunk Switch4(Config-Port-Range)#exit 22-123 Switch4(config)#spanning-tree Switch4(config)#spanning-tree mst 4 priority 0 After the above configuration, Switch1 is the root bridge of the instance 0 of the entire network. In the MSTP region which Switch 2, Switch 3 and Switch 4 belong to, Switch2 is the region root of the instance 0, Switch3 is the region root of the instance 3 and Switch 4 is the region root of the instance 4. The traffic of VLAN 20 and VLAN 30 is sent through the topology of the instance 3. The traffic of VLAN 40 and VLAN 50 is sent through the topology of the instance 4. And the traffic of other VLANs is sent through the topology of the instance 0. The port 1 in Switch 2 is the master port of the instance 3 and the instance 4. The MSTP calculation generates 3 topologies: the instance 0, the instance 3 and the instance 4 (marked with blue lines). The ports with the mark “x” are in the status of discarding. The other ports are the status of forwarding. Because the instance 3 and the instance 4 are only valid in the MSTP region; the following figure only shows the topology of the MSTP region. SW1 1 1 SW2 5 4 2 2 2 3 3X 4 1X 6 7 SW3 6X 7X 5X SW4 Figure 22-3: The Topology Of the Instance 0 after the MSTP Calculation 2 SW2 5 4 2 3X 3 4X 6 7 SW3 6 5X 7X SW4 Figure 22-4: The Topology Of the Instance 3 after the MSTP Calculation 22-124 2 SW2 5X 4 2X 3 3X 4 6 7X SW3 6 7 5 SW4 Figure 22-5: The Topology Of the Instance 4 after the MSTP Calculation 22.5 MSTP Troubleshooting In order to run the MSTP on the switch port, the MSTP has to be enabled globally. If the MSTP is not enabled globally, it can’t be enabled on the port. The MSTP parameters co-work with each other, so the parameters should meet the following conditions. Otherwise, the MSTP may work incorrectly. 2×(Bridge_Forward_Delay -1.0 seconds) >= Bridge_Max._Age Bridge_Max._Age >= 2 ×(Bridge_Hello_Time + 1.0 seconds) When users modify the MSTP parameters, they have to be sure about the changes of the topologies. The global configuration is based on the bridge. Other configurations are based on the individual instances. 22-125 Chapter 23 QoS Configuration 23.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements. QoS cannot generate extra bandwidth but provides more effective bandwidth management according to the application requirement and network management policy. 23.1.1 QoS Terms QoS: Quality of Service provides a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements. QoS cannot generate new bandwidth but provides more effective bandwidth management according to the application requirement and network management. QoS Domain: QoS Domain supports QoS devices to form a net-topology that provides Quality of Service, so this topology is defined as QoS Domain. CoS: Class of Service, the classification information carried by Layer 2 802.1Q frames, taking 3 bits of the Tag field in frame header, is called user priority level in the range of 0 to 7. Figure 23-1: CoS priority ToS: Type of Service, a one-byte field carried in Layer 3 IPv4 packet header to symbolize the service type of IP packets. Among ToS field can be IP Precedence value or DSCP value. Figure 23-2: ToS priority IP Precedence: IP priority. Classification information carried in Layer 3 IP packet header, occupying 3 bits, in the range of 0 to 7. 23-126 DSCP: Differentiated Services Code Point, classification information carried in Layer 3 IP packet header, occupying 6 bits, in the range of 0 to 63, and is downward compatible with IP Precedence. MPLS TC(EXP): A field of the MPLS packets means the service class, there are 3 bits, the ranging from 0 to 7. Internal Priority: The internal priority setting of the switch chip; its valid range relates with the chip; short for Int-Prio or IntP. Drop Precedence: When processing the packets, firstly drop the packets with the bigger drop precedence, the ranging is 0-2 in three color algorithm, the ranging is 0-1 in dual color algorithm. Short for Drop-Prec or DP. Classification: The entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs. Policing: Ingress action of QoS that lays down the policing policy and manages the classified packets. Remark: Ingress action of QoS, perform allowing, degrading or discarding operations to packets according to the policing policies. Scheduling: QoS egress action. Configure the weight for eight egress queues WRR (Weighted Round Robin). In-Profile: Traffic within the QoS policing policy range (bandwidth or burst value) is called In-Profile. Out-of-Profile: Traffic out the QoS policing policy range (bandwidth or burst value) is called Out-of-Profile. 23.1.2 QoS Implementation To implement the switch software QoS, a general, mature reference model should be given. QoS cannot create new bandwidth, but can maximize the adjustment and configuration for the current bandwidth resource. Fully implemented QoS can achieve complete management over the network traffic. The following is as accurate as possible a description of QoS. 23-127 The data transfer specifications of IP cover only addresses and services of source and destination, and ensure correct packet transmission using OSI layer 4 or above protocols such as TCP. However, rather than provide a mechanism for providing and protecting packet transmission bandwidth, IP provide bandwidth service by the best effort. This is acceptable for services like Mail and FTP, but for increasing multimedia business data and e-business data transmission, this best effort method cannot satisfy the bandwidth and low-lag requirement. Based on differentiated service, QoS specifies a priority for each packet at the ingress. The classification information is carried in Layer 3 IP packet header or Layer 2 802.1Q frame header. QoS provides same service to packets of the same priority, while offers different operations for packets of different priority. QoS-enabled switch or router can provide different bandwidth according to the packet classification information, and can remark on the classification information according to the policing policies configured, and may discard some low priority packets in case of bandwidth shortage. If devices of each hop in a network support differentiated service, an end-to-end QoS solution can be created. QoS configuration is flexible, the complexity or simplicity depends on the network topology and devices and analysis to incoming/outgoing traffic. 23.1.3 Basic QoS Model The basic QoS consists of four parts: Classification, Policing, Remark and Scheduling, where classification, policing and remark are sequential ingress actions, and Queuing and Scheduling are QoS egress actions. Figure 23-3: Basic QoS Model 23-128 Classification: Classify traffic according to packet classification information and generate internal priority and drop precedence based the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail. Figure 23-4: Classification process 23-129 Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked. Policing can be performed based on the flow to configure different policies that allocate bandwidth to classified traffic, the assigned bandwidth policy may be dual bucket dual color or dual bucket three color. The traffic, will be assigned with different color, can be discarded or passed, for the passed packets, add the remarking action. Remarking uses a new DSCP value of lower priority to replace the original higher level DSCP value in the packet. The following flowchart describes the operations. Figure 23-5: Policing and Remarking process Queuing and scheduling: There are the internal priority and the drop precedence for the egress packets; the queuing operation assigns the packets to different priority queues according to the internal priority, while the scheduling operation perform the packet forwarding according to the priority queue weight and the drop precedence. The following flowchart describes the operations during queuing and scheduling. 23-130 Figure 23-6: Queuing and Scheduling process 23.2 QoS Configuration Task List Configure class map Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedent, DSCP, IPV6 FL to classify the data stream. Different classes of data streams will be processed with different policies. Configure a policy map After data steam classification, a policy map can be created to associate with the class map created earlier and enter class mode. Then different policies (such as bandwidth limit, priority 23-131 degrading assigning new DSCP value) can be applied to different data streams. You can also define a policy set that can be use in a policy map by several classes. Apply QoS to the ports or the VLAN interfaces Configure the trust mode for ports or bind policies to ports. A policy will only take effect on a port when it is bound to that port. The policy may be bound to the specific VLAN. It is not recommended to synchronously use policy map on VLAN and its port. Configure queue management algorithms, such as sp,wrr, wdrr,sp+wrr,sp+wdrr, and so on. 1. Configure class map. Command Explanation Global Mode Create a class map and enter class map class-map <class-map-name> mode; the “no class-map no class-map <class-map-name> <class-map-name>” command deletes the specified class map. Class Map Mode match {access-group <acl-index-or-name> | ip dscp <dscp-list>| ip precedence <ip-precedence-list>| ipv6 access-group <acl-index-or-name> | ipv6 dscp <dscp-list>| ipv6 flowlabel <flowlabel-list>|vlan Set matching criterion (classify data stream by ACL, CoS, VLAN ID, IPv4 Precedent, IPv6 FL or DSCP, etc) for the <vlan-list> | cos <cos-list> | c-vlan class map; the no command deletes <vlan-list>} specified matching criterion. no match {access-group | ip dscp | ip precedence | ipv6 access-group | ipv6 dscp | ipv6 flowlabel | vlan | cos | c-vlan} 2. Configure a policy map Command Explanation Global Mode Create a policy map and enter policy policy-map <policy-map-name> map mode; the no command deletes the no policy-map <policy-map-name> specified policy map. class-map <class-map-name> [insert-before 23-132 After a policy map is created, it can be <class-map-name>] associated to a class. Different policy or no class <class-map-name> new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class. Policy Class-map Mode set {ip dscp <new-dscp> | ip precedence Assign a new internal priority for the <new-precedence> | internal priority classified traffic; the no command <new-inp> | drop precedence <new-dp> | cos cancels the new assigned value. <new-cos>} no set {ip dscp | ip precedence | internal priority | drop precedence |cos } Configure a policy for the classified flow. Single Bucket Mode: policy <bits_per_second> The non-aggregation policy command <normal_burst_bytes> ({conform-action supporting three colors. Determine ACTION | exceed-action ACTION} ) whether the working mode of token bucket is singe rage single bucket, Dual Bucket Mode: single rate dual bucket or dual rate dual policy <bits_per_second> bucket, set the corresponding action to <normal_burst_bytes> [pir <peak_rate_bps>] the different color packets. The no | <maximum_burst_bytes> [{conform-action command will delete the mode ACTION | exceed-action ACTION | configuration. violate-action ACTION }] ACTION definition: drop | transmit | set-dscp-transmit <dscp_value> | set-prec-transmit <ip_precedence_value> | set-cos-transmit <cos_value> | set-internal-priority <inp_value> | set-Drop-Precedence <dp_value> no policy Set statistic function for the classified traffic. After enable this function under the policy class map mode, add statistic accounting function to the traffic of the policy class no accounting map. In single bucket mode, the messages can be only red or green when passing policy. When printing the information, in-profile means green and 23-133 out-profile means red; In dual bucket mode, there are three colors(green, yellow, red) of messages. in-profile means green, out-profile means red and yellow. drop Drop or transmit the traffic that match no drop the class, the no command cancels the assigned action. transmit no transmit 3. Apply QoS to port or VLAN interface Command Explanation Port Mode mls qos trust dscp Configure port trust; the no command no mls qos trust dscp disables the current trust status of the port. Configure the default CoS value of the mls qos cos {<default-cos>} port; the no command restores the no mls qos cos default setting. Apply a policy map to the specified port; the no command deletes the specified service-policy input <policy-map-name> policy map applied to the port or deletes no service-policy input {<policy-map-name>} all the policy maps applied on the ingress direction of the port . Egress policy map is not supported yet. Global Mode Apply a policy map to the specified service-policy input <policy-map-name> vlan VLAN interface; the no command <vlan-list> deletes the specified policy map applied no service-policy input {<policy-map-name>} to the VLAN interface or deletes all the vlan <vlan-list> policy maps applied in the ingress direction of the vlan interface . 23-134 4. Configure queue management algorithm and weight Command Explanation Port Mode mls qos queue algorithm {sp | wrr | wdrr} Set queue management algorithm, the no mls qos queue algorithm default queue management algorithm is wrr. mls qos queue wrr weight Set queue weight based a port, the <weight0..weight7> default queue weight is 1 2 3 4 5 6 7 8. no mls qos queue wrr weight mls qos queue wdrr weight Configure the queue weight according to <weight0..weight7> the port. The queue weight is 10 20 40 no mls qos queue wdrr weight 80 160 320 640 1280 as default. mls qos queue <queue-id> bandwidth Configure the bandwidth pledge <minimum-bandwidth> according to the port. The range is kbit/s <maximum-bandwidth> and the granularity is 64kbit. no mls qos queue <queue-id> bandwidth 5. Configure QoS mapping Command Explanation Global Mode mls qos map {cos-intp <intp1…intp8> | Set the priority mapping for QoS, the no cos-dp<dp1…dp8> | dscp-intp <in-dscp list> command restores the default mapping to <intp> | dscp-dp <in-dscp list> to <dp> | value. dscp-dscp <in-dscp list> to <out-dscp>} no mls qos map {cos-intp | cos-dp | dscp-intp | dscp-dp | dscp-dscp} 6. Clear accounting data of the specific ports or VLANs Command Explanation Admin Mode clear mls qos statistics [in Clear accounting data of the specified <vlan-id>/<interface> | interface ports or VLAN Policy Map. If there are <interface-name> | vlan <vlan-id>] no parameters, clear accounting data of all policy map. 23-135 7. Show configuration of QoS Command Explanation Admin Mode show mls qos maps [cos-intp | dscp-intp] Display the configuration of QoS mapping. show class-map [<class-map-name>] Display the classified map information of QoS. Display the policy map information of show policy-map [<policy-map-name>] QoS. show mls qos {interface [<interface-id>] Display QoS configuration information on [policy | queuing] | vlan <vlan-id>} a port. 23.3 QoS Example Example 1: Enable QoS function to change the queue out weight of port to 1:1:2:2:4:4:8:8; set it in trust CoS mode and set the default CoS value of the port to 5. The configuration steps are listed below: Switch#config Switch(config)#mls qos queue weight 1 1 2 2 Switch(Config-If-Ethernet1/1)# mls qos queue wrr weight 1 1 2 2 4 4 8 8 Switch(Config-If-Ethernet1/1)#mls qos cos 5 Configuration result: When QoS is enabled in Global Mode, the egress queue bandwidth proportion of all ports is 1:1:2:2:4:4:8:8. When packets with CoS value coming in through port, it will be mapped to the queue out according to the CoS value; CoS value 0 to 7 corresponds to queue out 0, 0, 1, 1, 2, 2, 3, 3 respectively. If the incoming packet without CoS value, it is defaulted to 5 and will be put in queue 2. Example 2: In port ethernet1/2, set the bandwidth for packets from segment 192.168.1.0 to 10 Mb/s, with a burst value of 4 MB; all packets exceed this bandwidth setting will be dropped. 23-136 The configuration steps are listed below: Switch#config Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255 Switch(config)#class-map c1 Switch(Config-ClassMap-c1)#match access-group 1 Switch(Config-ClassMap-c1)#exit Switch(config)#policy-map p1 Switch(Config-PolicyMap-p1)#class c1 Switch(Config-PolicyMap-p1-Class-c1)#policy 10000 4000 exceed-action drop Switch(Config-PolicyMap-p1-Class-c1)#exit Switch(Config-PolicyMap-p1)#exit Switch(config)#interface ethernet 1/2 Switch(Config-If-Ethernet1/2)#service-policy input p1 Configuration result: An ACL name 1 is set to matching segment 192.168.1.0. Enable QoS globally, create a class map named c1, matching ACL1 in class map; create another policy map named p1 and refer to c1 in p1, set appropriate policies to limit bandwidth and burst value. Apply this policy map on port ethernet1/2. After the above settings done, bandwidth for packets from segment 192.168.1.0 through port ethernet 1/2 is set to 10 Mb/s, with a burst value of 4 MB, all packets exceed this bandwidth setting in that segment will be dropped. Example 3: Server QoS area Switch 3 Switch 2 Trunk Switch 1 Figure 23-7: Typical QoS topology 23-137 As shown in the figure, inside the block is a QoS domain, Switch 1 classifies different traffics and assigns different IP precedences. For example, set CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/1. The port connecting to switch 2 is a trunk port. In Switch 2, set port ethernet 1/1 that connecting to swtich1 to trust cos. Thus inside the QoS domain, packets of different priorities will go to different queues and get a different bandwidth. The configuration steps are listed below: QoS configuration in Switch1: Switch#config Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255 Switch(config)#class-map c1 Switch(Config-ClassMap-c1)#match access-group 1 Switch(Config-ClassMap-c1)#exit Switch(config)#policy-map p1 Switch(Config-PolicyMap-p1)#class c1 Switch(Config-PolicyMap-p1-Class-c1)#set ip precedence 5 Switch(Config-PolicyMap-p1-Class-c1)#exit Switch(Config-PolicyMap-p1)#exit Switch(config)#interface ethernet 1/1 Switch(Config-If-Ethernet1/1)#service-policy input p1 QoS configuration in Switch2: Switch#config Switch(config)#interface ethernet 1/1 Switch(Config-If-Ethernet1/1)#mls qos trust cos 23.4 QoS Troubleshooting trust cos can be used with other trust or Policy Map. trust dscp can be used with other trust or Policy Map. This configuration takes effect to IPv4 and IPv6 packets. trust dscp and trust cos may be configured at the same time, the priority is: DSCP>COS. If the dynamic VLAN (mac vlan/voice vlan/ip subnet vlan/protocol vlan) is configured, then the packet COS value equals COS value of the dynamic VLAN. Policy map can only be bound to ingress direction, egress is not supported yet. At present, it is not recommended to synchronously use policy map on VLAN and VLAN’s port. 23-138 Chapter 24 Flow-based Redirection 24.1 Introduction to Flow-based Redirection Flow-based redirection function enables the switch to transmit the data frames meeting some special condition (specified by ACL) to another specified port. The fames meeting a same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection. Usually there are two kinds of application of flow-based redirection: 1. Connecting a protocol analyzer (for example, Sniffer) or a RMON monitor to the destination port of redirection, to monitor and manage the network, and diagnose the problems in the network; 2. Special transmission policy for a special type of data frames. The switch can only designate a single destination port of redirection for a same class of flow within a source port of redirection, while it can designate different destination ports of redirection for different classes of flows within a source port of redirection. The same class of flow can be applied to different source ports. 24.2 Flow-based Redirection Configuration Task Sequence 1. Flow-based redirection configuration 2. Check the current flow-based redirection configuration 1. Flow-based redirection configuration Command Explanation Port Mode Specify flow-based redirection access-group <aclname> redirect to interface for the port; the “no [ethernet <IFNAME>|<IFNAME>] access-group <aclname> no access-group <aclname> redirect redirect” command is used to delete flow-based redirection. 24-1 2. Check the current flow-based redirection configuration Command Explanation Admin / Global Mode show flow-based-redirect {interface [ethernet <IFNAME> |<IFNAME>]} Display the information of current flow-based redirection in the system/port. 24.3 Flow-based Redirection Examples Example: User’s request of configuration is listed as follows: redirecting the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is sending the frames whose source IP is 192.168.1.111 received from port 1 through port6. Modification of configuration: 1: Set an ACL, the condition to be matched is: source IP is 192.168.1.111; 2: Apply the redirection based on this flow to port 1. The following is the configuration procedure: Switch(config)#access-list 1 permit host 192.168.1.111 Switch(config)#interface ethernet 1/1 Switch(Config-If-Ethernet1/1)# access-group 1 redirect to interface ethernet 1/6 24.4 Flow-based Redirection Troubleshooting Help When the configuration of flow-based redirection fails, please check whether it is the following reasons causing the problem: The type of flow (ACL) can only be digital standard IP ACL, digital extensive IP ACL, nomenclature standard IP ACL, nomenclature extensive IP ACL, digital standard MAC ACL, digital extensive MAC ACL, nomenclatural standard MAC ACL, nomenclatural extensive MAC ACL, digital standard IPv6 ACL, and nomenclature standard IPv6 ACL; Parameters of Timerange and Portrange cannot be set in ACL; the type of ACL should be permitted. The redirection port must be 1000Mb port in the flow-based redirection function. 24-2 Chapter 25 Flexible Q-in-Q Configuration 25.1 Introduction to Flexible Q-in-Q 25.1.1 Q-in-Q Technique Dot1q-tunnel is also called Q-in-Q (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) to the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone network of the ISP internet to provide a simple Layer 2 tunnel for the users. It is simple and easy to manage, applicable only by static configuration, and especially adaptive to small office network or small metropolitan area network using Layer 3 switch as backbone equipment. There are two kinds of Q-in-Q: basic Q-in-Q and flexible Q-in-Q, the priority of flexible Q-in-Q is higher than basic Q-in-Q. 25.1.2 Basic Q-in-Q Basic Q-in-Q based port. After a port configures Q-in-Q, whether the received packet with tag or not, the device still packs the default VLAN tag for the packet. Using basic Q-in-Q is simple, but the setting method of VLAN tag is inflexible. 25.1.3 Flexible Q-in-Q Flexible Q-in-Q based data flow. It selects whether pack the external tag and packs what kind of the external tag by matching the material flow. For example, implement the property of flexible Q-in-Q according to the user’s VLAN tag, MAC address, IPv4/IPv6 address, IPv4/IPv6 protocol and the port ID of the application, etc. So, it can encapsulate the external tag for the packet and implements different scheme by different users or methods. 25.1.4 Flexible Q-in-Q Configuration Task List The match of flexible Q-in-Q data flow uses policy-map rule of QoS to be sent; the configuration task list is as follows: 1. Create class-map to classify different data flows 2. Create flexible Q-in-Q policy-map to relate with the class-map and set the corresponding operation 3. Bind flexible Q-in-Q policy-map to port 25-3 1. Configure class map Command Explanation Global Mode class-map <class-map-name> Create a class-map and enter no class-map <class-map-name> class-map mode, the no command deletes the specified class-map. Class-map Mode match {access-group <acl-index-or-name> | Set the match standard of class-map, ip dscp <dscp-list>| ip precedence (classify data flow by ACL, IPv4 <ip-precedence-list>| ipv6 access-group Precedent or DSCP, etc for the class <acl-index-or-name>| ipv6 dscp <dscp-list> | map); the no command deletes the ipv6 flowlabel <flowlabel-list> | vlan specified match standard. <vlan-list> | cos <cos-list> | c-vlan <vlan-list>} no match {access-group | ip dscp | ip precedence|ipv6 access-group| ipv6 dscp | ipv6 flowlabel | vlan | cos | c-vlan} 2. Configure policy-map of flexible Q-in-Q Command Explanation Global Mode policy-map <policy-map-name> Create a policy-map and enter no policy-map <policy-map-name> policy-map mode, the no command deletes the specified policy-map. class <class-map-name> [insert-before After a policy-map is created, it can be <class-map-name>] associated to a class. Different policy no class <class-map-name> or new DSCP value can be applied to different data flows in class mode; the no command deletes the specified class-map. Policy Class-map Mode set {s-vid <new-vid>} Assign the new cos and vid value to the no set {s-vid } packets which match the class map, no command cancels the operation. 25-4 3. Bind flexible Q-in-Q policy-map to port Command Explanation Port Mode service-policy input <policy-map-name> Apply a policy-map to a port, the no no service-policy input <policy-map-name> command deletes the specified policy-map applied to the port. 4. Show flexible Q-in-Q policy-map bound to port Command Explanation Admin Mode show mls qos {interface ethernet Show flexible Q-in-Q configuration on the [<interface-id>] port. 25.2 Flexible Q-in-Q Example Metropolitan Area Core Network SR BRAS DSCP 10 TAG 1001 DSCP 20 TAG 2001 DSCP 30 TAG 3001 DSCP Insert Metropolitan Area Network Platform 10 DSLAM1 DSCP 20 DSCP 30 DSLAM2 DSCP 10 TAG 1001 DSCP 20 TAG 2001 DSCP 30 TAG 3001 DSCP 10 DSCP 20 DSCP 30 Broad Band Video order programme VOIP Figure 25-1: Flexible Q-in-Q application topology As shown in the figure, the first user is assigned three DSCPs that the values are 10, 20, 30 respectively in DSLAM1. DSCP10 corresponds to Broad Band Network, DSCP20 corresponds to VOIP, DSCP30 corresponds to VOD. After the downlink port enables flexible QinQ function, the packets will be packed with different external tags according to DSCP of users. DSCP10 25-5 will be packed an external tag 1001 (This tag is unique in public network), enter Broad Band Network-DSCP10 and classfied to BRAS device. DSCP20 (or DSCP30) will be packed an external VLAN tag 2001(or 3001) and classfied to SR device according to the flow rules. The second user can be assigned different DSCPs in DSLAM2. Notice: The assigned DSCP of the second user may be same with the first user and the DSCP value will be also packed an external tag. In the above figure, the external tag of the second user is different to the first user for distinguishing DSLAM location and locating the user finally. The configuration in the following: If the data flow of DSLAM1 enters the switch’s downlink port1, the configuration is as follows: Switch(config)#class-map c1 Switch(config-classmap-c1)#match ip dscp 10 Switch(config-classmap-c1)#exit Switch(config)#class-map c2 Switch(config-classmap-c2)#match ip dscp 20 Switch(config-classmap-c2)#exit Switch(config)#class-map c3 Switch(config-classmap-c3)#match ip dscp 30 Switch(config-classmap-c3)#exit Switch(config)#policy-map p1 Switch(config-policymap-p1)#class c1 Switch(config-policymap-p1-class-c1)# set s-vid 1001 Switch(config-policymap-p1)#class c2 Switch(config-policymap-p1-class-c2)# set s-vid 2001 Switch(config-policymap-p1)#class c3 Switch(config-policymap-p1-class-c3)# set s-vid 3001 Switch(config-policymap-p1-class-c3)#exit Switch(config-policymap-p1)#exit Switch(config)#interface ethernet 1/1 Switch(config-if-ethernet1/1)#dot1q-tunnel enable Switch(config-if-ethernet1/1)#service-policy p1 in 25-6 25.3 Flexible Q-in-Q Troubleshooting If flexible Q-in-Q policy cannot be bound to the port, please check whether the problem is caused by the following reasons: Make sure flexible Q-in-Q whether supports the configured class-map and policy-map Make sure ACL includes permit rule if the class-map matches ACL rule Make sure the switch exists enough TCAM resource to send the binding Chapter 26 Layer 3 Management Configuration Switch only support Layer 2 forwarding, but can configure a Layer 3 management port for the communication of all kinds of management protocols based on IP Protocol. 26.1 Layer 3 Management Interface 26.1.1 Introduction to Layer 3 Management Interface Only one Layer 3 management interface can be created on switch. The Layer 3 interface is not a physical interface but a virtual interface. Layer 3 interface is built on VLANs. The Layer 3 interface can contain one or more Layer 2 ports which belong to the same VLAN, or contain no Layer 2 ports. At least one of the Layer 2 ports contained in Layer 3 interface should be in UP state for Layer 3 interface in UP state, otherwise, Layer 3 interface will be in DOWN state. The switch can use the IP addresses set in the Layer 3 management interface to communicate with the other devices via IP. 26.1.2 Layer 3 Interface Configuration Task List Layer 3 Interface Configuration Task List: 1. Create Layer 3 management interface 2. Configure VLAN interface description 1. Create Layer 3 Management Interface Command Explanation Global Mode interface vlan <vlan-id> Creates a management VLAN interface; the no command no interface vlan <vlan-id> deletes the VLAN interface created in the switch. 26-7 2. Configure VLAN interface description Command Explanation VLAN Interface Mode description <text> no description Configure the description information of VLAN interface. The no command will cancel the description information of VLAN interface. 26.2 IP Configuration 26.2.1 Introduction to IPv4, IPv6 IPv4 is the current version of global universal Internet protocol. The practice has proved that IPv4 is simple, flexible, open, stable, strong and easy to implement while collaborating well with various protocols of upper and lower layers. Although IPv4 almost has not been changed since it was established in 1980’s, it has kept growing to the current global scale with the promotion of Internet. However, as Internet infrastructure and Internet application services continue boosting, IPv4 has shown its deficiency when facing the present scale and complexity of Internet. IPv6 refers to the sixth version of Internet protocol which is the next generation Internet protocol designed by IETF to replace the current Internet protocol version 4 (IPv4). IPv6 was specially developed to make up the shortages of IPv4 addresses so that Internet can develop further. The most important problem IPv6 has solved is to add the amount of IP addresses. IPv4 addresses have nearly run out, whereas the amount of Internet users has been increasing in geometric series. With the greatly and continuously boosting of Internet services and application devices (Home and Small Office Network, IP phone and Wireless Service Information Terminal which make use of Internet,) which require IP addresses, the supply of IP addresses turns out to be more and more tense. People have been working on the problem of shortage of IPv4 addresses for a long time by introducing various technologies to prolong the lifespan of existing IPv4 infrastructure, including Network Address Translation(NAT for short), and Classless Inter-Domain Routing(CIDR for short), etc. Although the combination of CIDR, NAT and private addressing has temporarily mitigated the problem of IPv4 address space shortage, NAT technology has disrupted the end-to-end model which is the original intention of IP design by making it necessary for router devices that serve as network intermediate nodes to maintain every connection status which increases network delay greatly and decreases network performance. Moreover, the translation of network data 26-8 packet addresses baffles the end-to-end network security check, IPSec authentication header is such an example. Therefore, in order to solve all kinds of problems existing in IPv4 comprehensively, the next generation Internet Protocol IPv6 designed by IETF has become the only feasible solution at present. First of all, the 128 bits addressing scheme of IPv6 Protocol can guarantee to provide enough globally unique IP addresses for global IP network nodes in the range of time and space. Moreover, besides increasing address space, IPv6 also enhanced many other essential designs of IPv4. Hierarchical addressing scheme facilitates Route Aggregation, effectively reduces route table entries and enhances the efficiency and expansibility of routing and data packet processing. The header design of IPv6 is more efficient compared with IPv4. It has less data fields and takes out header checksum, thus expedites the processing speed of basic IPv6 header. In IPv6 header, fragment field can be shown as an optional extended field, so that data packets fragmentation process won’t be done in router forwarding process, and Path MTU Discovery Mechanism collaborates with data packet source which enhances the processing efficiency of router. Address automatic configuration and plug-and-play is supported. Large amounts of hosts can find network routers easily by address automatic configuration function of IPv6 while obtaining a globally unique IPv6 address automatically as well which makes the devices using IPv6 Internet plug-and-play. Automatic address configuration function also makes the readdressing of existing network easier and more convenient, and it is more convenient for network operators to manage the transformation from one provider to another. Support IPSec. IPSec is optional in IPv4, but required in IPv6 Protocol. IPv6 provides security extended header, which provides end-to-end security services such as access control, confidentiality and data integrity, consequently making the implement of encryption, validation and Virtual Private Network easier. Enhance the support for Mobile IP and mobile calculating devices. The Mobile IP Protocol defined in IETF standard makes mobile devices movable without cutting the existing connection, which is a network function getting more and more important. Unlike IPv4, the mobility of IPv6 is from embedded automatic configuration to get transmission address (Care-Of-Address); therefore it doesn’t need Foreign Agent. Furthermore, this kind of binding process enables Correspondent Node communicate with Mobile Node directly, thereby avoids the extra system cost caused by triangle routing choice required in IPv4. 26-9 Avoid the use of Network Address Translation. The purpose of the introduction of NAT mechanism is to share and reuse same address space among different network segments. This mechanism mitigates the problem of the shortage of IPv4 address temporally; meanwhile it adds the burden of address translation process for network device and application. Since the address space of IPv6 has increased greatly, address translation becomes unnecessary, thus the problems and system cost caused by NAT deployment are solved naturally. Support extensively deployed Routing Protocol. IPv6 has kept and extended the supports for existing Internal Gateway Protocols (IGP for short), and Exterior Gateway Protocols (EGP for short). For example, IPv6 Routing Protocol such as RIPng, OSPFv3, IS-ISv6 and MBGP4+, etc. Multicast addresses increased and the support for multicast has enhanced. By dealing with IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in the sense of function. Multicast not only saves network bandwidth, but enhances network efficiency as well. 26.2.2 IP Configuration Layer 3 interface can be configured as IPv4 interface and IPv6 interface. 26.2.2.1 IPv4 Address Configuration IPv4 address configuration task list: 1. Configure the IPv4 address of three-layer interface 2. Configure the default gateway 1. Configure the IPv4 address of three-layer interface Command Explanation VLAN Interface Mode Configure IP address of VLAN ip address <ip-address> <mask> [secondary] no ip address [<ip-address> <mask>] interface; the no ip address [<ip-address> <mask>] command cancels IP address of VLAN interface. 26.2.2.2 IPv6 Address Configuration 26-10 The configuration Task List of IPv6 is as follows: 1. IPv6 basic configuration (1) Configure interface IPv6 address (2) Configure default gateway 2. IPv6 Neighbor Discovery Configuration (1) Configure DAD neighbor solicitation message number (2) Configure send neighbor solicitation message interval (3) Configure static IPv6 neighbor entries (4) Delete all entries in IPv6 neighbor table 1. IPv6 Basic Configuration (1) Configure interface IPv6 address Command Explanation VLAN Interface Mode ipv6 address Configure IPv6 address, including aggregately <ipv6-address/prefix-length> global unicast addresses, site-local addresses [eui-64] and link-local addresses. The no ipv6 address no ipv6 address <ipv6-address/prefix-length> command <ipv6-address/prefix-length> cancels IPv6 address. 2. IPv6 Neighbor Discovery Configuration (1) Configure DAD Neighbor solicitation Message number Command Explanation VLAN Interface Mode Set the neighbor query message number sent in ipv6 nd dad attempts <value> sequence when the interface makes duplicate no ipv6 nd dad attempts address detection. The no command resumes default value (1). (2) Configure Send Neighbor solicitation Message Interval Command Explanation VLAN Interface Mode ipv6 nd ns-interval <seconds> no ipv6 nd ns-interval Set the interval of the interface to send neighbor query message. The NO command resumes default value (1 second). 26-11 (3) Configure static IPv6 neighbor Entries Command Explanation VLAN Interface Mode ipv6 neighbor <ipv6-address> Set static neighbor table entries, including <hardware-address> interface neighbor IPv6 address, MAC address and <interface-type interface-name> two-layer port. no ipv6 neighbor <ipv6-address> Delete neighbor table entries. 26.2.3 IPv6 Troubleshooting If the connected PC has not obtained IPv6 address, you should check the RA announcement switch (the default is turned off) 26.3 Static Route 26.3.1 Introduction to Static Route As mentioned earlier, the static route is the manually specified path to a network or a host. Static route is simple and consistent, and can prevent illegal route modification, and is convenient for load balance and route backup. However, it also has its own defects. Static route, as its name indicates, is static, it won’t modify the route automatically on network failure, and manual configuration is required on such occasions, therefore it is not suitable for mid and large-scale networks. Static route is mainly used in the following two conditions: 1) in stable networks to reduce load of route selection and routing data streams. For example, static route can be used in route to STUB network. 2) For route backup, configure static route in the backup line, with a lower priority than the main line. Static route and dynamic route can coexist; Layer 3 switch will choose the route with the highest priority according to the priority of routing protocols. At the same time, static route can be introduced (redistribute) in dynamic route, and change the priority of the static route introduced as required. 26-12 26.3.2 Introduction to Default Route Default route is a kind of static route, which is used only when no matching route is found. In the route table, default route in is indicated by a destination address of 0.0.0.0 and a network mask of 0.0.0.0, too. If the route table does not have the destination of a packet and has no default route configured, the packet will be discarded, and an ICMP packet will be sent to the source address indicate the destination address or network is unreachable. 26.3.3 Static Route Configuration Task List 1. Static route configuration 1. Static route configuration Command Explanation Global Mode Set static routing; the no ip ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | <gateway-interface>} [<distance>] route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | no ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>] <gateway-interface>] [<distance>] command deletes a static route entry 26-13 26.3.4 Static Route Configuration Examples The figure shown below is a simple network consisting of three Layer 3 switches, the network mask for all switches and PC is 255.255.255.0. PC-A and PC-C are connected via the static route set in SwtichA and SwitchC; PC3 and PC-B are connected via the static route set in SwitchC to SwitchB; PC-B and PC-C is connected via the default route set in SwitchB. PC-C:10.1.5.2 PC-A:10.1.1.2 PC-B:10.1.4.2 Switch C vlan2:10.1.2.2 vlan3:10.1.5.1 vlan1:10.1.3.2 vlan1:10.1.1.1 Switch A vlan2:10.1..2.1 vlan2:10.1.4.1 vlan1:10.1.3.1 Switch B Figure 26-1: Static Route Configurations Configuration steps: Configuration of Layer 3 SwitchA Switch#config Switch (config) #ip route 10.1.5.0 255.255.255.0 10.1.2.2 Configuration of Layer 3 SwitchC Switch#config Next hop use the partner IP address Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1 Next hop use the partner IP address Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1 Configuration of Layer 3 SwitchB Switch#config 26-14 Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2 In this way, ping connectivity can be established between PC-A and PC-C, and PC-B and PC-C. 26.4 RIP 26.4.1 Introduction to RIP RIP is first introduced in ARPANET, this is a protocol dedicated to small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running vector routing protocol send two kind of information to the neighboring devices regularly: • Number of hops to reach the destination network, or metrics to use or number of networks to pass. • What is the next hop, or the director (vector) to use to reach the destination network. The distance vector Layer 3 switch send all their route selecting tables to the neighbor Layer 3 switches at regular interval. A Layer 3 switch will build their own route selecting information table based on the information received from the neighbor Layer 3 switches. Then, it will send this information to its own neighbor Layer 3 switches. As a result, the route selection table is built on second hand information, route beyond 15 hops will be deemed as unreachable. RIP protocol is an optional routing protocol based on UDP. Hosts using RIP send and receive packets on UDP port 520. All Layer 3 switches running RIP send their route table to all neighbor Layer 3 switches every 30 seconds for update. If no information from the partner is received in 180 seconds, then the device is deemed to have failed and the network connected to that device is considered to be unreachable. However, the route of that Layer 3 switch will be kept in the route table for another 120 seconds before deletion. As Layer 3 switches running RIP built route table with second hand information, infinite count may occur. For a network running RIP routing protocol, when an RIP route becomes unreachable, the neighboring RIP Layer 3 switch will not send route update packets at once, instead, it waits until the update interval timeout (every 30 seconds) and sends the update packets containing that route. If before it receives the updated packet, its neighbors send packets containing the information about the failed neighbor, “infinite count” will be resulted. In other words, the route of unreachable Layer 3 switch will be selected with the metrics increasing progressively. This greatly affects the route selection and route aggregation time. To prevent “infinite count”, RIP provides mechanism such as “split horizon” and “triggered update” to solve route loop. “Split horizon” is done by avoiding sending to a gateway routes leaned from that gateway. There are two split horizon methods: “simple split horizon” and “poison reverse split horizon”. Simple split horizon deletes from the route to be sent to the neighbor gateways the routes learnt from the neighbor gateways; poison reverse split horizon not only deletes the abovementioned routes, but set the costs of those routes to infinite. 26-15 “Triggering update” mechanism defines whenever route metric changed by the gateway, the gateway advertise the update packets immediately, regardless of the 30 second update timer status. There two versions of RIP, version 1 and version 2. RFC1058 introduces RIP-I protocol, RFC2453 introduces RIP-II, which is compatible with RFC1723 and RFC1388. RIP-I updates packets by packets broadcast, subnet mask and authentication is not supported. Some fields in the RIP-I packets are not used and are required to be all 0’s; for this reason, such all 0's fields should be checked when using RIP-I, the RIP-I packets should be discarded if such fields are non-zero. RIP-II is a more improved version than RIP-I. RIP-II sends route update packets by multicast packets (multicast address is 224.0.0.9). Subnet mask field and RIP authentication filed (simple plaintext password and MD5 password authentication are supported), and support variable length subnet mask. RIP-II used some of the zero field of RIP-I and require no zero field verification. Switch sends RIP-II packets in multicast by default, both RIP-I and RIP-II packets will be accepted. Each Layer 3 switch running RIP has a route database, which contains all route entries for reachable destination, and route table is built based on this database. When a RIP Layer 3 switch sent route update packets to its neighbor devices, the complete route table is included in the packets. Therefore, in a large network, routing data to be transferred and processed for each Layer 3 switch is quite large, causing degraded network performance. Besides the above mentioned, RIP protocol allows route information discovered by the other routing protocols to be introduced to the route table. The operation of RIP protocol is shown below: 1. Enable RIP. The switch sends request packets to the neighbor Layer 3 switches by broadcasting; on receiving the request, the neighbor devices reply with the packets containing their local routing information. 2. The Layer 3 switch modifies its local route table on receiving the reply packets and sends triggered update packets to the neighbor devices to advertise route update information. On receiving the triggered update packet, the neighbor lay3 switches send triggered update packets to their neighbor lay3 switches. After a sequence of triggered update packet broadcast, all Layer 3 switches get and maintain the latest route information. In addition, RIP Layer 3 switches will advertise its local route table to their neighbor devices every 30 seconds. On receiving the packets, neighbor devices maintain their local route table, select the best route and advertise the updated information to their own neighbor devices, so that the updated routes are globally valid. Moreover, RIP uses a timeout mechanism for outdated route, that is, if a switch does not receive regular update packets from a neighbor within a certain interval (invalid timer interval), it considers the route from that neighbor invalid, after holding the route fro a certain interval (holddown timer interval), it will delete that route. 26-16 26.4.2 RIP Configuration Task List 1. Enable RIP (required) (1) Enable/disable RIP module. (2) Enable interface to send/receive RIP packets 2. Configure RIP protocol parameters (optional) (1) Configure RIP sending mechanism 1) Configure specified RIP packets transmission address 2) Configure RIP interface broadcast (2) Configure the RIP routing parameters 1) Configure route introduction (default route metric, configure routes of the other protocols to be introduced in RIP) 2) Configure interface authentication mode and password 3) Configure the route deviation 4) Configure and apply route filter 5) Configure Split Horizon (3) Configure other RIP protocol parameters 1) Configure the managing distance of RIP route 2) Configure the RIP route capacity limit in route table 3) Configure the RIP update, timeout, holddown and other timer. 4) Configure the receiving buffer size of RIP UDP 3. Configure RIP-I/RIP-II switch (1) Configure the RIP version to be used in all interfaces (2) Configure the RIP version to send/receive in all interfaces (3) Configure whether to enable RIP packets sending/receiving for interfaces 4. Delete the specified route in RIP route table 5. Configure the RIP routing aggregation (1) Configure aggregation route of IPv4 route mode (2) Configure aggregation route of IPv4 interface configuration mode (3) Display IPv4 aggregation route information 6. Configure redistribution of OSPF routing to RIP (1) Enable Redistribution of OSPF routing to RIP (2) Display and debug the information about configuration of redistribution of OSPF routing to RIP 7. Configure VRF address family mode for RIP (1) Enable/disable RIP module (2) Configure VRF address family 1. Enable RIP protocol Applying RIP route protocol with basic configuration in switch is simple. Normally you only have to open the RIP switch and configure the segments running RIP, namely send and receive the RIP data packet by default RIP configuration. The version of data packet sending and receiving is variable when needed, allow/deny sending, receiving RIP data packet. Refer to 3. 26-17 Command Explanation Global Mode router rip Enables RIP; the “no router rip” command no router rip disables RIP. Router and Address Family Mode network <A.B.C.D/M | ifname|vlan> no network <A.B.C.D/M | ifname|vlan> Enables the segment running RIP protocol; the no network <A.B.C.D/M | ifname|vlan> command deletes the segment. 2. Configure RIP protocol parameters (1)Configure RIP packet transmitting mechanism 1)Configure the RIP data packet point-transmitting 2)Configure the RIP broadcast Command Explanation Router Mode Specify the IP address of the neighbor router neighbor <A.B.C.D> needs point-transmitting; the no neighbor no neighbor <A.B.C.D> <A.B.C.D> command cancels the appointed router. Block the RIP broadcast on specified pot and the passive-interface<ifname|vlan> no passive-interface<ifname|vlan > RIP data packet is only transmittable among Layer 3 switch configured with neighbor. The no passive-interface<ifname|vlan > command cancels the function. (2)Configure RIP route parameters 1)Configure route introduction (default route metric, configure routes of the other protocols to be introduced in RIP) Command Explanation Router Mode default-metric <value> no default-metric Sets the default route metric for route to be introduced; the “no default-metric” command restores the default setting. redistribute {kernel |connected| static| Redistribute the routes distributed in other ospf | isis| bgp} [metric<value>] routing protocols into the RIP data packet; the [route-map<word>] no redistribute {kernel |connected| static| no redistribute {kernel |connected| ospf static| ospf | isis| bgp} [metric<value>] [route-map<word>] [route-map<word>] distributed route of corresponding protocols. default-information originate no default-information originate | isis| bgp} [metric<value>] command cancels the Generate a default route to the RIP protocol; the no default-information originate command cancels the feature. 26-18 2)Configure interface authentication mode and password Command Explanation VLAN Interface Mode ip rip authentication mode { text| md5} Sets the authentication method; the no ip rip no ip rip authentication mode [text| authentication mode [text| md5] command md5] cancels the authentication action. ip rip authentication string <text> no ip rip authentication string Sets the authentication key; the no ip rip authentication string command means no key is needed. ip rip authentication key-chain Sets the key chain used in authentication, the no <name-of-chain> ip no ip rip authentication key-chain [<name-of-chain>] command means the key [<name-of-chain>] chain is not used. ip rip authentication cisco-compatible no ip rip authentication cisco-compatible rip authentication key-chain After configure this command, configure MD5 authentication, then can receive RIP packet of cisco, the no command restores the default configuration. Global Mode key chain <name-of-chain> no key chain < name-of-chain > Enter keychain mode, and configure a key chain, the no key chain < name-of-chain > command deletes the key chain. Keychain Mode key <keyid> no key <keyid> Enter the keychain-key mode and configure a key of the keychain; the no key <keyid> command deletes one key. Keychain-key Mode key-string <text> no key-string <text> accept-lifetime <start-time> {<end-time>| duration<seconds>| infinite} no accept-lifetime Configure the password used by the key, the no key-string <text> command deletes the password. Configure a key on the key chain and accept it as an authorized time; the no accept-lifetime command deletes it. send-lifetime <start-time> {<end-time>| Configure the transmitting period of a key on the duration<seconds>| infinite} key chain; the no send-lifetime command no send-lifetime deletes the send-lifetime. 26-19 3)Configure the route deviation Command Explanation Router Mode offset-list <access-list-number | Configure that provide a deviation value to the access-list-name> {in | out } <number> route metric value when the port sends or [<ifname>] receives RIP data packet; the no offset-list no offset-list <access-list-number <access-list-number |access-list-name> {in|out }<number {in|out } <number >[<ifname>] command >[<ifname>] removes the deviation table. |access-list-name> 4)Configure and apply the route filtering Command Explanation Router Mode distribute-list {< access-list-number |access-list-name Configure and apply the access table and prefix >|prefix<prefix-list-name>}{in|out} table to filter the routes. The no distribute-list [<ifname>] {< no distribute-list {< access-list-number |access-list-name>|prefix<prefix-list-name>}{ |access-list-name in|out} [<ifname>]command means do not use >|prefix<prefix-list-name>}{in|out} the access table and prefix table. access-list-number [<ifname>] 5)Configure the split horizon Command Explanation VLAN Interface Mode Configure that take the split horizon when the ip rip split-horizon [poisoned] port sends data packets; poisoned for poison no ip rip split-horizon reverse the no ip rip split-horizon command cancels the split horizon. (3)Configure other RIP protocol parameters 1)Configure RIP routing priority 2)Configure the RIP route capacity limit in route table 3)Configure timer for RIP update, timeout and hold-down 4)Configure RIP UDP receiving buffer size Command Explanation Router Mode 26-20 distance <number> [<A.B.C.D/M> ] [<access-list-name|access-list-number >] no distance [<A.B.C.D/M> ] Specify the route administratively distance of RIP protocol; the no distance [<A.B.C.D/M> ] command restore the default value 120. maximum-prefix Configure the maximum of RIP route; the no <maximum-prefix>[<threshold>] maximum-prefix <maximum-prefix > no maximum-prefix <maximum-prefix > no maximum-prefix command cancels the no maximum-prefix limit. timers basic <update> <invalid> Adjust <garbage> collection time, the no timers basic command no timers basic restores the default configuration. recv-buffer-size <size> no recv-buffer-size the update, timeout and garbage The command configures the UDP receiving buffer size of the RIP; the no recv-buffer-size command restores the system default values. 3. Configure RIP-I/RIP-II toggling (1)Configure the RIP version to be used in all ports Command Explanation RIP Mode Configure the versions of all the RIP data version { 1 | 2 } no version packets transmitted/received by the Layer 3 switch port sending/receiving the no version command restores the default configuration, version 2. (2)Configure the RIP version to send/receive in all ports. (3)Configure whether to enable RIP packets sending/receiving for ports Command Explanation VLAN Interface Mode ip rip send version { 1 | 1-compatible | 2} no ip rip send version Sets the version of RIP packets to send on all ports; the no ip rip send version command set the version to the one configured by the version command. Sets the version of RIP packets to receive on all ip rip receive version {1 | 2 | } ports; the no action of this command set the no ip rip receive version version to the one configured by the version command. ip rip receive-packet no ip rip receive-packet Enables receiving RIP packets on the interface; the no ip rip receive-packet command close data receiving on this port. 26-21 Enables sending RIP packets on the interface; ip rip send-packet the “no ip rip send-packet” command disables no ip rip send-packet sending RIP packets on the interface. 4. Delete the specified route in RIP route table Command Explanation Admin Mode clear ip rip route The command deletes a specified route from the {<A.B.C.D/M>|kernel|static|connected|r RIP route table. ip|ospf|isis|bgp|all} 5. Configure the RIP routing aggregation (1) Configure IPv4 aggregation route globally Command Explanation Router Mode ip rip aggregate-address A.B.C.D/M To configure or delete IPv4 aggregation route no ip rip aggregate-address A.B.C.D/M globally. (2) Configure IPv4 aggregation route on interface Command Explanation VLAN Interface Mode ip rip aggregate-address A.B.C.D/M To configure or delete IPv4 aggregation route no ip rip aggregate-address on interface. A.B.C.D/M (3) Display IPv4 aggregation route information Command Explanation Admin Mode To display aggregation route information. show ip rip aggregate 6. Configure redistribution of OSPF routing to RIP (1) Enable Redistribution of OSPF routing to RIP Command Explanation Router RIP Mode redistribute ospf [ <process-id> ] [metric <value> ] [route-map <word> ] no redistribute ospf [ <process-id> ] To enable or disable the redistribution OSPF routing to RIP. 26-22 of (2) Display and debug the information about configuration of redistribution of OSPF routing to RIP Command Explanation Admin Mode debug rip redistribute message send To enable or disable debugging messages no debug rip redistribute message send sent by RIP for redistribution of OSPF routing. debug rip redistribute route receive To enable or disable debugging messages no debug rip redistribute route receive received from NSM. 7. Configure VRF address family mode for RIP Command Explanation Router RIP Mode address-family ipv4 vrf <vrf-name> no address-family ipv4 vrf <vrf-name> The command configures a RIP address family on the VRF of the PE router; the no command deletes the configured address family. Address Family Mode exit-address-family This command exits the address family mode. 26.4.3 RIP Examples – Typical RIP Interface Interface vlan1:10.1.1.1/24 vlan1:10.1.1.2/24 SWITCHB SWITCHC SWITCHA Interface Interface vlan2:20.1.1.1/24 vlan1:20.1.1.2/24 Figure 26-2 RIP example In the figure shown above, a network consists of three Layer 3 switches, in which SwitchA connected with SwitchB and SwitchC, and RIP routing protocol is running in all of the three switches. SwitchA (interface vlan1:10.1.1.1,interface vlan2:20.1.1.1)exchanges Layer 3 switch update messages only with SwitchB(interface vlan1:10.1.1.2), but not with SwitchC (interface vlan 2: 20.1.1.2). SwitchA, SwitchB, SwitchC configurations are as follows: 26-23 a) Layer 3 SwitchA: Configure the IP address of interface vlan 1 SwitchA#config SwitchA(config)# interface vlan 1 SwitchA(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0 SwitchA(config-if-Vlan1)# Configure the IP address of interface vlan 2 SwitchA(config)# vlan 2 SwitchA(Config-Vlan2)# switchport interface ethernet 1/0/2 Set the port Ethernet1/0/1 access vlan 2 successfully SwitchA(Config-Vlan2)# exit SwitchA(config)# interface vlan 2 SwitchA(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.0 Initiate RIP protocol and configure the RIP segments SwitchA(config)#router rip SwitchA(config-router)#network vlan 1 SwitchA(config-router)#network vlan 2 SwitchA(config-router)#exit Configure that the interface vlan 2 do not transmit RIP messages to SwitchC SwitchA(config)#router rip SwitchA(config-router)#passive-interface vlan 2 SwitchA(config-router)#exit SwitchA(config) # b) Layer 3 SwitchB Configure the IP address of interface vlan 1 SwitchB#config SwitchB(config)# interface vlan 1 SwitchB(Config-if-Vlan1)# ip address 10.1.1.2 255.255.255.0 SwitchB(Config-if-Vlan1)exit Initiate RIP protocol and configure the RIP segments SwitchB(config)#router rip SwitchB(config-router)#network vlan 1 SwitchB(config-router)#exit c) Layer 3 SwitchC Configure the IP address of interface vlan 1 SwitchC#config SwitchC(config)# interface vlan 1 Configure the IP address of interface vlan 1 SwitchC(Config-if-Vlan1)# ip address 20.1.1.2 255.255.255.0 SwitchC(Config-if-Vlan1)#exit Initiate RIP protocol and configure the RIP segments 26-24 SwitchC(config)#router rip SwitchC(config-router)#network vlan 1 SwitchC(config-router)#exit 26.4.4 RIP Examples – RIP aggregation function The application topology as follows: S1 vlan1:192.168.10.1 192.168.20.0/22 192.168.21.0/24 vlan1:192.168.10.2 192.168.22.0/24 S2 192.168.23.0/24 192.168.24.0/24 Figure 26-3 Typical application of RIP aggregation As the above network topology, S2 is connected to S1 through interface vlan1, there are other 4 subnet routers of S2, which are 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24, 192.168.24.0/24. S2 supports route aggregation, and to configure aggregation route 192.168.20.0/22 in interface vlan1 of S2, after that, sending router messages to S1 through vlan1, and put the four subnet routers aggregated to one router as 192.168.20.0/22, and send to S1, and not send subnet to neighbor. It can reduce the router table of S1, save the memory. S1 configuration list: S1(config)#router rip S1(config-router) #network vlan 1 S2 configuration list: S2(config)#router rip S2(config-router) #network vlan 1 S2(config-router) #exit S2(config)#in vlan 1 S2(Config-if-Vlan1)# ip rip agg 192.168.20.0/22 26.4.5 RIP Troubleshooting The RIP protocol may not be working properly due to errors such as physical connection, configuration error when configuring and using the RIP protocol. So users should pay attention 26-25 to following: First ensure the physic connection is correct Second, ensure the interface and chain protocol are UP (use show interface command) Then initiate the RIP protocol (use router rip command) and configure the segment (use network command) and set RIP protocol parameter on corresponding interfaces, such as the option between RIP-I and RIP-II After that, one feature of RIP protocol should be noticed ---the Layer 3 switch running RIP protocol sending route updating messages to all neighboring Layer 3 switches every 30 seconds. A Layer 3 switch is considered inaccessible if no route updating messages from the switch is received within 180 seconds, then the route to the switch will remains in the route table for 120 seconds before it is deleted. Therefore, if to delete a RIP route, this route item is assured to be deleted from route table after 300 seconds. When exchanging routing messages with CE using RIP protocol on the PE router, we should first create corresponding VPN routing/transmitting examples to associate with corresponding interfaces. Then enter the RIP address family mode configuring corresponding parameters. If the RIP routing problem remains unresolved, please use debug rip command to record the debug message in three minutes, and send them to our technical service center. 26.5 OSPF 26.5.1 Introduction to OSPF OSPF is abbreviation for Open Shortest Path First. It is an interior dynamic routing protocol for autonomous system based on link-state. The protocol creates a link-state database by exchanging link-states among Layer 3 switches, and then uses the Shortest Path First algorithm to generate a route table basing on that database. Autonomous system (AS) is a self-managed interconnected network. In large networks, such as the Internet, a giant interconnected network is broken down to autonomous systems. Big enterprise networks connecting to the Internet are independent AS, since the other hosts on the Internet are not managed by those AS and they don’t share interior routing information with the Layer 3 switches on the Internet. Each link-state Layer 3 switch can provide information about the topology with its neighboring Layer 3 switches. • The network segment (link) connecting to the Layer 3 switch • State of the connecting link Link-state information is flooded throughout the network so that all Layer 3 switches can get firsthand information. Link-state Layer 3 switches will not broadcast all information contained in their route tables; instead, they only send changed link-state information. Link-state Layer 3 switches establish neighborhood by sending “HELLO” to their neighbors, then link-state 26-26 advertisements (LSA) will be sent among neighboring Layer 3 switches. Neighboring Layer 3 switch copy the LSA to their routing table and transfer the information to the rest part of the network. This process is referred to as “flooding”. In this way, firsthand information is sent throughout the network to provide accurate map for creating and updating routes in the network. Link-state routing protocols use cost instead of hops to decide the route. Cost is assigned automatically or manually. According to the algorithm in link-state protocol, cost can be used to calculate the hop number for packets to pass, link bandwidth, and current load of the link. The administrator can even add weight for better assessment of the link-state. 1) When a link-state Layer 3 switch enters a link-state interconnected network, it sends a HELLO packet to get to know its neighbors and establish neighborhood. 2) The neighbors respond with information about the links they are connecting and the related costs. 3) The originate Layer 3 switch uses this information to build its own routing table 4) Then, as part of the regular update, Layer 3 switch send link-state advertisement (LSA) packets to its neighboring Layer 3 switches. The LSA include links and related costs of that Layer 3 switch. 5) Each neighboring Layer 3 switch copies the LSA packet and passes it to the next neighbor (i.e. flooding). 6) Since routing database is not recalculated before Layer 3 switch forwards LSA flooding, the converging time is greatly reduced. One major advantage of link-state routing protocols is the fact that infinite counting is impossible, this is because of the way link-state routing protocols build up their routing table. The second advantage is that converging in a link-state interconnected network is very fast, once the routing topology changes, updates will be flooded throughout the network very soon. Those advantages release some Layer 3 switch resources, as the process ability and bandwidth used by bad route information are minor. The features of OSPF protocol include the following: OSPF supports networks of various scales, several hundreds of Layer 3 switches can be supported in an OSPF network. Routing topology changes can be quickly found and updating LSAs can be sent immediately, so that routes converge quickly. Link-state information is used in shortest path algorithm for route calculation, eliminating loop route. OSPF divides the autonomous system into areas, reducing database size, bandwidth occupation and calculation load. (According to the position of Layer 3 switches in the autonomous system, they can be grouped as internal area switches, area border switches, AS border switches and backbone switches). OSPF supports load balance and multiple routes to the same destination of equal costs. OSPF supports 4 level routing mechanisms (process routing according to the order of intra-area path, inter-area path, type 1 external path and type 2 external path). OSPF supports IP subnet and redistribution of routes from the other routing protocols, and interface-based packet verification. OSPF supports sending packets in multicast. 26-27 Each OSPF Layer 3 switch maintains a database describing the topology of the whole autonomous system. Each Layer 3 switch gathers the local status information, such as available interface, reachable neighbors, and sends link-state advertisement (sending out link-state information) to exchange link-state information with other OSPF Layer 3 switches to form a link-state database describing the whole autonomous system. Each Layer 3 switch builds a shortest path tree rooted by itself according to the link-state database, this tree provides the routes to all nodes in an autonomous system. If two or more Layer 3 switches exist (i.e. multi-access network), "designated Layer 3 switch” and “backup designated Layer 3 switch” will be selected. Designated Layer 3 switch is responsible for spreading link-state of the network. This concept helps reducing the traffic among the Layer 3 switches in multi-access network. OSPF protocol requires the autonomous system to be divided into areas. That is to divide the autonomous system into 0 area (backbone area) and non-0 areas. Routing information between areas are further abstracted and summarized to reduce the bandwidth required in the network. OSPF uses four different kinds of routes; they are intra-area route, inter-area route, type 1 external route and type 2 external route, in the order of highest priority to lowest. The route inside an area and between areas describes the internal network structure of an autonomous system, while external routes describe how to select the routing information to destination outside the autonomous system. The first type of exterior route corresponds to the information introduced by OSPF from the other interior routing protocols, the costs of those routes are comparable with the costs of OSPF routes; the second type of exterior route corresponds to the information introduced by OSPF from the other exterior routing protocols, but the costs of those routes are far greater than that of OSPF routes, so OSPF route cost is ignored when calculating route costs. OSPF areas are centered with the Backbone area, identified as Area 0, all the other areas must be connected to Area 0 logically, and Area 0 must be continuous. For this reason, the concept of virtual link is introduced to the backbone area, so that physically separated areas still have logical connectivity to the backbone area. The configurations of all the Layer 3 switches in the same area must be the same. In conclusion, LSA can only be transferred between neighboring Layer 3 switches, OSPF protocol includes 5 types of LSA: router LSA, network LSA, network summary LSA to the other areas, ASBR summary LSA and AS external LSA. They can also be called type1 LSA, type2 LSA, type3 LSA, type4 LSA, and type5 LSA. Router LSA is generated by each Layer 3 switch inside an OSPF area, and is sent to all the other neighboring Layer 3 switches in the same area; network LSA is generated by the designated Layer 3 switch in the OSPF area of multi-access network, and is sent to all other neighboring Layer 3 switches in this area. (In order to reduce traffic on Layer 3 switches in the multi-access network, “designated Layer 3 switch” and “backup designated Layer 3 switch” should be selected in the multi-access network, and the network link-state is broadcasted by the designated Layer 3 switch); network summary LSA is generated by border switches in an OSPF area , and is transferred among area border Layer 3 switches; AS external LSA is generated by Layer 3 switches on external border of AS, and is transferred throughout the AS. 26-28 As to autonomous systems mainly advertises exterior link-state, OSPF allow some areas to be configured as STUB areas to reduce the size of the topology database. Type4 LSA (ASBR summary LSA) and type5 LSA (AS external LSA) are not allowed to flood into/through STUB areas. STUB areas must use the default routes, the Layer 3 switches on STUB area edge advertise the default routes to STUB areas by type 3 summary LSA, those default routes only floods inside STUB area and will not get out of STUB area. Each STUB area has a corresponding default route, the route from a STUB area to AS exterior destination must rely on the default route of that area. The following simply outlines the route calculation process of OSPF protocol: 1) Each OSPF-enabled Layer 3 switch maintains a database (LS database) describing the link-state of the topology structure of the whole autonomous system. Each Layer 3 switch generates a link-state advertisement according to its surrounding network topology structure (router LSA), and sends the LSA to other Layer 3 switches through link-state update (LSU) packets. Thus each Layer 3 switches receives LSAs from other Layer 3 switches, and all LSAs are combined to the link-state database. 2) Since a LSA is the description of the network topology structure around a Layer 3 switch, the LS database is the description of the network topology structure of the whole network. The Layer 3 switches can easily create a weighted vector map according to the LS database. Obviously, all Layer 3 switches in the same autonomous system will have the same network topology map. 3) Each Layer 3 switch uses the shortest path first (SPF) algorithm to calculate a tree of shortest path rooted by itself. The tree provides the route to all the nodes in the autonomous system, leaf nodes consist of the exterior route information. The exterior route can be marked by the Layer 3 switch broadcast it, so that additional information about the autonomous system can be recorded. As a result, the route table of each Layer 3 switch is different. OSPF protocol is developed by the IETF, the OSPF v2 widely used now is fulfilled according to the content described in RFC2328. 26.5.2 OSPF Configuration Task List The OSPF configuration for SGS-6340 Series switches may be different from the configuration procedure to switches of the other manufacturers. It is a two-step process: Enable OSPF in the Global Mode;2, Configure OSPF area for the interfaces. The configuration task list is as follows: 1. Enable OSPF protocol (required) (1) Enable/disable OSPF protocol (required) (2) Configure the ID number of the Layer 3 switch running OSPF (optional) (3) Configure the network scope for running OSPF (optional) (4) Configure the area for the interface (required) 26-29 2. Configure OSPF protocol parameters (optional) (1) Configure OSPF packet sending mechanism parameters 1) Configure OSPF packet verification 2) Set the OSPF interface to receive only 3) Configure the cost for sending packets from the interface 4) Configure OSPF packet sending timer parameter (timer of broadcast interface sending HELLO packet to poll, timer of neighboring Layer 3 switch invalid timeout, timer of LSA transmission delay and timer of LSA retransmission. (2) Configure OSPF route introduction parameters 1) Configure default parameters (default type, default tag value, default cost) 2) Configure the routes of the other protocols to introduce to OSPF. (3) Configure OSPF importing the routes of other OSPF processes 1) Enable the function of OSPF importing the routes of other OSPF processes 2) Display relative information 3) Debug (4) Configure other OSPF protocol parameters 1) Configure OSPF routing protocol priority 2) Configure cost for OSPF STUB area and default route 3) Configure OSPF virtual link 4) Configure the priority of the interface when electing designated Layer 3 switch (DR). 5) 3. Configure to keep a log for OSPF adjacency changes or not Disable OSPF protocol 1. Enable OSPF protocol Basic configuration of OSPF routing protocol on switch is quite simple, usually only enabling OSPF and configuration of the OSPF area for the interface are required. The OSPF protocol parameters can use the default settings. If OSPF protocol parameters need to be modified, please refer to “2. Configure OSPF protocol parameters”. Command Explanation Global Mode Enables OSPF protocol; the “no router [no] router ospf [process <id>] ospf” command disables OSPF protocol. (required) OSPF Protocol Configuration Mode Configures the ID number for the Layer 3 router-id <router_id> no router-id switch running OSPF; the “no router id” command cancels the ID number. The IP address of an interface is selected to be the Layer 3 switch ID. (optional) 26-30 Configure certain segment to certain area, [no] network {<network> <mask> | <network>/<prefix>} area <area_id> the no [no] network {<network> <mask> | area <network>/<prefix>} command cancels this <area_id> configuration. (required) 2. Configure OSPF protocol parameters (1)Configure OSPF packet sending mechanism parameters 1)Configure OSPF packet verification 2)Set the OSPF interface to receive only 3)Configure the cost for sending packets from the interface Command Explanation Interface Configuration Mode ip ospf authentication { message-digest | null} no ip ospf authentication Configures the authentication method by the interface to accept OSPF packets; the no ip ospf authentication command restores the default settings. Configure the key of the authentication process ip ospf authentication-key LINE of OSPF data packets receiving for the no ip ospf authentication-key interfaces; the no action of this command restores the default settings. ip ospf cost <cost > no ip ospf cost Sets the cost for running OSPF on the interface; the no ip ospf cost command restores the default setting. 4)Configure OSPF packet sending timer parameter (timer of broadcast interface sending HELLO packet to poll, timer of neighboring Layer 3 switch invalid timeout, timer of LSA transmission delay and timer of LSA retransmission. Command Explanation Interface Configuration Mode ip ospf hello-interval <time> no ip ospf hello-interval Sets interval for sending HELLO packets; the “no ip ospf hello-interval” command restores the default setting. Sets the interval before regarding a neighbor ip ospf dead-interval <time > Layer 3 switch invalid; the “no ip ospf no ip ospf dead-interval dead-interval” command restores the default setting. ip ospf transit-delay <time> no ip ospf transit-delay Sets the delay time before sending link-state broadcast; the “no ip ospf transmit-delay” command restores the default setting. 26-31 Sets the interval for retransmission of link-state ip ospf retransmit-interval <time> advertisement among neighbor Layer 3 no ip ospf retransmit-interval switches; the “no ip ospf retransmit-interval” command restores the default setting. (2)Configure OSPF route introduction parameters Configure the routes of the other protocols to introduce to OSPF. Command Explanation OSPF Protocol Configuration Mode redistribute { bgp | connected | static | Distribute other protocols to find routing and rip | kernel} [ metric-type { 1 | 2 } ] [ tag static routings as external routing messages <tag> ] [ metric <cost_value> ] the no redistribute {bgp | connected | [router-map <WORD>] static | rip | kernel} command cancels the no redistribute { bgp | connected | distributed external messages. static | rip | kernel } (3)Configure OSPF importing the routes of other OSPF processes 1)Enable the function of OSPF importing the routes of other OSPF processes Command Explanation Router OSPF Mode redistribute ospf [<process-id>] [metric<value>] [metric-type {1|2}][route-map<word>] no redistribute ospf [<process-id>] [metric<value>] [metric-type Enable or disable the function of OSPF importing the routes of other OSPF processes. {1|2}][route-map<word>] 2)Display relative information Command Explanation Admin Mode or Configure Mode show ip ospf [<process-id>] redistribute Display the configuration information of the OSPF process importing other outside routes. 3)Debug Command Explanation Admin Mode 26-32 debug ospf redistribute message send Enable or disable debugging of sending no debug ospf redistribute message command from OSPF process redistributed send to other OSPF process routing. debug ospf redistribute route receive Enable or disable debugging of received no debug ospf redistribute route routing message from NSM for OSPF receive process. (4)Configure other OSPF protocol parameters 1)Configure how to calculate OSPF SPF algorithm time 2)Configure the LSA limit in the OSPF link state database 3)Configure various OSPF parameters Command Explanation OSPF Protocol Configuration Mode Configure the SPF timer of OSPF; the timers spf <interval> no timers spf command restores the no timers spf default settings. overflow database {<max-LSA> [hard | soft] Configure the LSA limit in current OSPF | external <max-LSA> <recover time>} process database; the no overflow no overflow database [external <max-LSA database [external < max-LSA > < > < recover time >] recover time >] command restores the default settings. area <id> {authentication [message-digest] | default-cost <cost> | filter-list {access | Configure the parameters in OSPF area prefix} <WORD> {in | out} | nssa (STUB area, NSSA area and virtual [default-information-originate | links); the no area <id> {authentication no-redistribution | no-summary | | default-cost | filter-list {access | translator-role] | range <range> | stub prefix} <WORD> {in | out} | nssa [no-summary] | virtual-link <neighbor>} [default-information-originate | no area <id> {authentication | default-cost | no-redistribution | filter-list {access | prefix} <WORD> {in | translator-role] | range <range> | stub out} | nssa [default-information-originate | [no-summary] no-redistribution | no-summary | <neighbor>} command restores the translator-role] | range <range> | stub default settings. | no-summary | virtual-link [no-summary] | virtual-link <neighbor>} 4)Configure the priority of the interface when electing designated Layer 3 switch (DR). Command Explanation Interface Configuration Mode ip ospf priority <priority> no ip ospf priority Sets the priority of the interface in “designated Layer 3 switch” election; the no ip ospf priority command restores the default setting. 26-33 5)Configure to keep a log for OSPF adjacency changes or not Command Explanation OSPF Protocol Configuration Mode log-adjacency-changes detail Configure to keep a log for OSPF adjacency no log-adjacency-changes detail changes or not. 5)Filter the route obtained by OSPF Command Explanation OSPF Protocol Configuration Mode Use access list to filter the route obtained by filter-policy <access-list-name> OSPF, the no command cancels the route no filter-policy filtering. 3. Disable OSPF protocol Command Explanation Global Mode Disables OSPF routing protocol. no router ospf [process <id>] 26.5.3 OSPF Examples 26.5.4 Configuration Example of OSPF Scenario 1: OSPF autonomous system. This scenario takes an OSPF autonomous system consists of five switch for example. Switch A E1/1:100.1.1.1 vlan2 E1/2:10.1.1.1 vlan1 Switch E E1/2:30.1.1.1 vlan3 E1/1:100.1.1.2 vlan2 Switch D E1/1:30.1.1.2 vlan3 Area 0 E1/1:10.1.1.2 vlan1 E1/1:20.1.1.2 vlan3 Switch B E1/2:20.1.1.1 vlan3 Switch C Area 1 Figure 26-4 Network topology of OSPF autonomous system 26-34 The configuration for Layer 3 Switch1 and Switch5 is shown below: Layer 3 Switch1 Configuration of the IP address for interface vlan1 Switch1#config Switch1(config)# interface vlan 1 Switch1(config-if-vlan1)# ip address 10.1.1.1 255.255.255.0 Switch1(config-if-vlan1)#exit Configuration of the IP address for interface vlan2 Configure the IP address of interface vlan2 Switch1(config)# interface vlan 2 Switch1(config-if-vlan2)# ip address 100.1.1.1 255.255.255.0 Switch1 (config-if-vlan2)#exit Enable OSPF protocol, configure the area number for interface vlan1 and vlan2. Switch1(config)#router ospf Switch1(config-router)#network 10.1.1.0/24 area 0 Switch1(config-router)#network 100.1.1.0/24 area 0 Switch1(config-router)#exit Switch1(config)#exit Switch1# Layer 3 Switch2: Configure the IP address for interface vlan1 and vlan2. Switch2#config Switch2(config)# interface vlan 1 Switch2(config-if-vlan1)# ip address 10.1.1.2 255.255.255.0 Switch2(config-if-vlan1)#no shutdown Switch2(config-if-vlan1)#exit Switch2(config)# interface vlan 3 Switch2(config-if-vlan3)# ip address 20.1.1.1 255.255.255.0 Switch2(config-if-vlan3)#no shutdown Switch2(config-if-vlan3)#exit Enable OSPF protocol, configure the OSPF area interfaces vlan1 and vlan3 in Switch2(config)#router ospf Switch2(config-router)# network 10.1.1.0/24 area 0 Switch2(config-router)# network 20.1.1.0/24 area 1 Switch2(config-router)#exit Switch2(config)#exit Switch2# 26-35 Layer 3 Switch3: Configuration of the IP address for interface vlan3. Switch3#config Switch3(config)# interface vlan 3 Switch3(config-if-vlan1)# ip address 20.1.1.2 255.255.255.0 Switch3(config-if-vlan3)#no shutdown Switch3(config-if-vlan3)#exit Initiate the OSPF protocol, configure the OSPF area to which interface vlan3 belongs Switch3(config)#router ospf Switch3(config-router)# network 20.1.1.0/24 area 1 Switch3(config-router)#exit Switch3(config)#exit Switch3# Layer 3 Switch4: Configuration of the IP address for interface vlan3 Switch4#config Switch4(config)# interface vlan 3 Switch4(config-if-vlan3)# ip address30.1.1.2 255.255.255.0 Switch4(config-if-vlan3)#no shutdown Switch4(config-if-vlan3)#exit Enable OSPF protocol, configure the OSPF area Switch4(config)#router ospf Switch4(config-router)# network 30.1.1.0/24 area 0 Switch4(config-router)#exit Switch4(config)#exit Switch4# Layer 3 Switch5: Configuration of the IP address for interface vlan2 Switch5#config Switch5(config)# interface vlan 2 Switch5(config-if-vlan2)# ip address 100.1.1.2 255.255.255.0 Switch5(config-if-vlan2)#no shutdown Switch5(config-if-vlan2)#exit 26-36 interfaces vlan3 resides in. Configuration of the IP address for interface vlan3 Switch5(config)# interface vlan 3 Switch5(config-if-vlan3)# ip address 30.1.1.1 255.255.255.0 Switch5(config-if-vlan3)#no shutdown Switch5(config-if-vlan3)#exit Enable OSPF protocol, configure the number of the area in which interface vlan2 and vlan3 reside in. Switch5(config)#router ospf Switch5(config-router)# network 30.1.1.0/24 area 0 Switch5(config-router)# network 100.1.1.0/24 area 0 Switch5(config-router)#exit Switch5(config)#exit Switch5# Scenario 2: Typical OSPF protocol complex topology. N11 N1 N3 Area 1 N13 Switch D Switch A N2 N12 Switch B Switch E Switch F Switch C N4 Area 0 N10 N14 Switch K Switch I N8 Switch J N7 Area 2 N9 N15 Switch L Area 3 Switch G N5 Switch H N6 Figure 26-5 Typical complex OSPF autonomous system This scenario is a typical complex OSPF autonomous system network topology. Area1 include network N1-N4 and Layer 3 SwitchA-SwitchD, area2 include network N8-N10, host H1 and Layer 3 SwitchH, area3 include N5-N7 and Layer 3 SwitchF, SwitchG SwitchA0 and Switch11, and network N8-N10 share a summary route with host H1(i.e. area3 is defined as a STUB area). Layer 3 SwitchA, SwitchB, SwitchD, SwitchE, SwitchG, SwitchH, Switch12 are in-area Layer 3 switches, SwitchC, SwitchD, SwitchF, Switch10 and Switch11 are edge Layer 3 switches of the area, SwitchD and SwitchF are edge Layer 3 switches of the autonomous system. 26-37 To area1, Layer 3 switches SwitchA and SwitchB are both in-area switches, area edge switches SwitchC and SwitchD are responsible for reporting distance cost to all destination outside the area, while they are also responsible for reporting the position of the AS edge Layer 3 switches SwitchD and SwitchF, AS exterior link-state advertisement from SwitchD and SwitchF are flooded throughout the whole autonomous system. When ASE LSA floods in area 1, those LSAs are included in the area 1 database to get the routes to network N11 and N15. In addition, Layer 3 SwitchC and SwitchD must summary the topology of area 1 to the backbone area (area 0, all non-0 areas must be connected via area 0, direct connections are not allowed), and advertise the networks in area 1 (N1-N4) and the costs from SwitchC and SwitchD to those networks. As the backbone area is required to keep connected, there must be a virtual link between backbone Layer 3 Switch10 and Switch11. The area edge Layer 3 switches exchange summary information via the backbone Layer 3 switch, each area edge Layer 3 switch listens to the summary information from the other edge Layer 3 switches. Virtual link can not only maintain the connectivity of the backbone area, but also strengthen the backbone area. For example, if the connection between backbone Layer 3 SwitchG and Switch10 is cut down, the backbone area will become incontinuous. The backbone area can become more robust by establishing a virtual link between backbone Layer 3 switches SwitchF and Switch10. In addition, the virtual link between SwitchF and Switch10 provide a short path from area 3 to Layer 3 Switch F. Take area 1 as an example. Assume the IP address of Layer 3 SwitchA is 10.1.1.1, IP address of Layer 3 Switch B interface VLAN2 is 10.1.1.2, IP address of Layer 3 SwitchC interface VLAN2 is 10.1.1.3, IP address of Layer 3 SwitchD interface VLAN2 is 10.1.1.4. SwitchA is connecting to network N1 through Ethernet interface VLAN1 (IP address 20.1.1.1); SwitchB is connecting to network N2 through Ethernet interface VLAN1 (IP address 20.1.2.1); SwitchC is connecting to network N4 through Ethernet interface VLAN3 (IP address 20.1.3.1). All the three addresses belong to area 1. SwitchC is connecting to Layer 3 SwitchE through Ethernet interface VLAN1 (IP address 10.1.5.1); SwitchD is connecting to Layer 3 SwitchD through Ethernet interface VLAN1 (IP address 10.1.6.1); both two addresses belong to area 1. Simple authentication is implemented among Layer 3 switches in area1, edge Layer 3 switches of area 1 authenticate with the area 0 backbone Layer 3 switches by MD5 authentication. The followings are just configurations for all Layer 3 switches in area 1, configurations for Layer 3 switches of the other areas are omitted. The following are the configurations of SwitchA, SwitchB, SwitchC and SwitchD: 1)Switch A: Configure IP address for interface vlan2 SwitchA#config SwitchA(config)# interface vlan 2 SwitchA(config-If-Vlan2)# ip address 10.1.1.1 255.255.255.0 SwitchA(config-If-Vlan2)#exit 26-38 Enable OSPF protocol, configure the area number for interface vlan2. SwitchA(config)#router ospf SwitchA(config-router)#network 10.1.1.0/24 area 1 SwitchA(config-router)#exit Configure simple key authentication. SwitchA(config)#interface vlan 2 SwitchA(config-If-Vlan2)#ip ospf authentication SwitchA(config-If-Vlan2)#ip ospf authentication-key DCS SwitchA(config-If-Vlan2)exit Configure IP address and area number for interface vlan1. SwitchA(config)# interface vlan 1 SwitchA(config-If-Vlan1)#ip address 20.1.1.1 255.255.255.0 SwitchA(config-If-Vlan1)#exit SwitchA(config)#router ospf SwitchA(config-router)#network 20.1.1.0/24 area 1 SwitchA(config-router)#exit 2)Switch B: Configure IP address for interface vlan2 SwitchB#config SwitchB(config)# interface vlan 2 SwitchB(config-If-Vlan2)# ip address 10.1.1.2 255.255.255.0 SwitchB(config-If-Vlan2)#exit Enable OSPF protocol, configure the area number for interface vlan2. SwitchB(config)#router ospf SwitchB(config-router)#network 10.1.1.0/24 area 1 SwitchB(config-router)#exit SwitchB(config)#interface vlan 2 Configure simple key authentication. SwitchB(config)#interface vlan 2 SwitchB(config-If-Vlan2)#ip ospf authentication SwitchB(config-If-Vlan2)#ip ospf authentication-key DCS SwitchB(config-If-Vlan2)#exit 26-39 Configure IP address and area number for interface vlan1. SwitchB(config)# interface vlan 1 SwitchB(config-If-Vlan1)#ip address 20.1.2.1 255.255.255.0 SwitchB(config-If-Vlan1)#exit SwitchB(config)#router ospf SwitchB(config-router)#network 20.1.2.0/24 area 1 SwitchB(config-router)#exit SwitchB(config)#exit 3)Switch C: Configure IP address for interface vlan2 SwitchC#config SwitchC(config)# interface vlan 2 SwitchC(config-If-Vlan2)# ip address 10.1.1.3 255.255.255.0 SwitchC(config-If-Vlan2)#exit Enable OSPF protocol, configure the area number for interface vlan2 SwitchC(config)#router ospf SwitchC(config-router)#network 10.1.1.0/24 area 1 SwitchC(config-router)#exit Configure simple key authentication SwitchC(config)#interface vlan 2 SwitchC(config-If-Vlan2)#ip ospf authentication SwitchC(config-If-Vlan2)#ip ospf authentication-key DCS SwitchC(config-If-Vlan2)#exit Configure IP address and area number for interface vlan3 SwitchC(config)# interface vlan 3 SwitchC(config-If-Vlan3)#ip address 20.1.3.1 255.255.255.0 SwitchC(config-If-Vlan3)#exit SwitchC(config)#router ospf SwitchC(config-router)#network 20.1.3.0/24 area 1 SwitchC(config-router)#exit Configure IP address and area number for interface VLAN 1 SwitchC(config)# interface vlan 1 SwitchC(config-If-Vlan1)#ip address 10.1.5.1 255.255.255.0 SwitchC(config-If-Vlan1)#exit SwitchC(config)#router ospf SwitchC(config-router)#network 10.1.5.0/24 area 0 SwitchC(config-router)#exit 26-40 Configure MD5 key authentication. SwitchC(config)#interface vlan 1 SwitchC (config-If-Vlan1)#ip ospf authentication message-digest SwitchC (config-If-Vlan1)#ip ospf authentication-key DCS SwitchC (config-If-Vlan1)#exit SwitchC(config)#exit SwitchC# 4)Switch D: Configure IP address for interface VLAN2 SwitchD#config SwitchD(config)# interface vlan 2 SwitchD(config-If-Vlan2)# ip address 10.1.1.4 255.255.255.0 SwitchD(config-If-Vlan2)#exit Enable OSPF protocol, configure the area number for interface VLAN2. SwitchD(config)#router ospf SwitchD(config-router)#network 10.1.1.0/24 area 1 SwitchD(config-router)#exit Configure simple key authentication. SwitchD(config)#interface vlan 2 SwitchD(config-If-Vlan2)#ip ospf authentication SwitchD(config-If-Vlan2)#ip ospf authentication-key DCS SwitchD(config-If-Vlan2)#exit Configure the IP address and the area number for the interface VLAN 1 SwitchD(config)# interface vlan 1 SwitchD(config-If-Vlan1)# ip address 10.1.6.1 255.255.255.0 SwitchD(config-If-Vlan1)exit SwitchD(config)#router ospf SwitchD(config-router)#network 10.1.6.0/24 area 0 SwitchD(config-router)#exit Configure MD5 key authentication SwitchD(config)#interface vlan 1 SwitchD(config-If-Vlan1)#ip ospf authentication message-digest SwitchD(config-If-Vlan1)#ip ospf authentication-key DCS SwitchD(config-If-Vlan1)exit SwitchD(config)#exit SwitchD# 26-41 Scenario 3: The function of OSPF importing the routers of other OSPF processes As shown in the following graph, a switch running the OSPF routing protocol connects two networks: network A and network B. Because of some reason, it is required that network A should be able to learn the routers of network B, but network B should not be able to learn the routers of network A. According to that, two OSPF processes can be started respectively on interface VLAN 1 and interface VLAN 2. the OSPF process which interface VLAN 1 belongs to is configured to import the routers of the OSPF process which interface VLAN 2 belongs to, while the OSPF process which interface VLAN 2 belongs to should not be configured to import the routers of the OSPF process which interface VLAN 1 belongs to. Network A Vlan1 1.1.1.1 Vlan2 2.2.2.2 Network B Figure 26-6 Function of OSPF importing the routers of other OSPF processes example We can configure as follows: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 1.1.1.1 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)#ip address 2.2.2.2 255.255.255.0 Switch(Config-if-Vlan2)#exit Switch(config)#router ospf 10 Switch(config-router)#network 2.2.2.0/24 area 1 Switch(config-router)#exit Switch(config)#router ospf 20 Switch(config-router)#network 1.1.1.0/24 area 1 Switch(config-router)#redistribute ospf 10 Switch(config-router)#exit 26-42 26.5.5 Configuration Examples of OSPF VPN Interface Interface vlan1:10.1.1.1/24 vlan1:10.1.1.2/24 SWITCHB SWITCHC SWITCHA Interface Interface vlan2:20.1.1.1/24 vlan1:20.1.1.2/24 Figure 26-7 OSPF VPN Example The above figure shows that a network consists of three Layer 3 switches in which the switchA as PE, SwitchB and SwitchC as CE1 and CE2. The PE is connected to CE1 and CE2 through VLAN1 and VLAN2. The routing messages are exchanged between PE and CE through OSPF protocol. a) SwitchA, the Layer 3 switch as PE Configure VPN route/transmitting examples vpnb and vpnc SwitchA#config SwitchA(config)#ip vrf vpnb SwitchA(config-vrf)# SwitchA(config-vrf)#exit SwitchA#(config) SwitchA(config)#ip vrf vpnc SwitchA(config-vrf)# SwitchA(config-vrf)#exit Associate the VLAN 1 and VLAN 2 respectively with vpnb and vpnc while configuring IP address SwitchA(config)#in vlan1 SwitchA(config-if-Vlan1)#ip vrf forwarding vpnb SwitchA(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0 SwitchA(config-if-Vlan1)#exit SwitchA(config)#in vlan2 SwitchA(config-if-Vlan2)#ip vrf forwarding vpnc SwitchA(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0 SwitchA(config-if-Vlan2)#exit Configure OSPF examples associated with vpnb and vpnc respectively SwitchA(config)# SwitchA(config)#router ospf 100 vpnb 26-43 SwitchA(config-router)#network 10.1.1.0/24 area 0 SwitchA(config-router)#redistribute bgp SwitchA(config-router)#exit SwitchA(config)#router ospf 200 vpnc SwitchA(config-router)#network 20.1.1.0/24 area 0 SwitchA(config-router)#redistribute bgp b) The Layer 3 SwitchB of CE1: Configure the IP address of Ethernet E 1/0/2 SwitchB#config SwitchB(config)# interface Vlan1 SwitchB(config-if-vlan1)# ip address 10.1.1.2 255.255.255.0 SwitchB (config-if-vlan1)exit Enable OSPF protocol and configuring OSPF segments SwitchB(config)#router ospf SwitchB(config-router-rip)#network 10.1.1.0/24 area 0 SwitchB(config-router-rip)#exit c) The Layer 3 SwitchC of CE2 Configure the IP address of Ethernet E 1/0/2 SwitchC#config SwitchC(config)# interface Vlan1 SwitchC(config-if-vlan1)# ip address 20.1.1.2 255.255.255.0 SwitchC(config-if-vlan1)#exit Initiate OSPF protocol and configuring OSPF segments SwitchC(config)#router ospf SwitchC(config-router)#network 20.1.1.0/24 area 0 SwitchC(config-router)#exit 26.5.6 OSPF Troubleshooting The OSPF protocol may not be working properly due to errors such as physic connection, configuration error when configuring and using the OSPF protocol. So users should pay attention to following: First ensure the physic connection is correct Second, ensure the interface and link protocol are UP (use show interface command) Configure different IP address from different segment on each interface Then initiate OSPF protocol (use router-ospf command) and configure the OSPF area on corresponding interface 26-44 After that, a OSPF protocol feature should be checked---the OSPF backbone area should be continuous and apply virtual link to ensure it is continuous. if not; all non 0 areas should only be connected to other non 0 area through 0 area; a border Layer 3 switch means that one part of the interfaces of this switch belongs to 0 area, the other part belongs to non 0 area; Layer 3 switch DR should be specified for multi-access network such as broadcast network. 26.6 ARP 26.6.1 Introduction to ARP ARP (Address Resolution Protocol) is mainly used to resolve IP address to Ethernet MAC address. Switch supports static ARP configuration. 26.6.2 ARP Configuration Task List ARP Configuration Task List: 1. Configure static ARP 1. Configure static ARP Command Explanation VLAN Interface Mode arp <ip_address> <mac_address> Configures a static ARP entry; the no no arp <ip_address> command deletes a static ARP entry. 26.6.3 ARP Troubleshooting If ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and create a solution. Check whether the corresponding ARP has been learned by the switch. If ARP has not been learned, then enabled ARP debugging information and view the sending/receiving condition of ARP packets. Defective cable is a common cause of ARP problems and may disable ARP learning. 26-45 Chapter 27 ARP Scanning Prevention Function Configuration 27.1 Introduction to ARP Scanning Prevention Function ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source will broadcast lots of ARP messages in the segment, which will take up a large part of the bandwidth of the network. It might even do large-traffic-attack in the network via fake ARP messages to collapse of the network by exhausting the bandwidth. Usually ARP scanning is just a preface of other more dangerous attack methods, such as automatic virus infection or the ensuing port scanning, vulnerability scanning aiming at stealing information, distorted message attack, and DOS attack, etc. Since ARP scanning threatens the security and stability of the network with great danger, so it is very significant to prevent it. Switch provides a complete resolution to prevent ARP scanning: if there is any host or port with ARP scanning features is found in the segment, the switch will cut off the attack source to ensure the security of the network. There are two methods to prevent ARP scanning: port-based and IP-based. The port-based ARP scanning will count the number to ARP messages received from a port in a certain time range, if the number is larger than a preset threshold, this port will be “down”. The IP-based ARP scanning will count the number to ARP messages received from an IP in the segment in a certain time range, if the number is larger than a preset threshold, any traffic from this IP will be blocked, while the port related with this IP will not be “down”. These two methods can be enabled simultaneously. After a port or an IP is disabled, users can recover its state via automatic recovery function. To improve the effect of the switch, users can configure trusted ports and IP, the ARP messages from which will not be checked by the switch. Thus the load of the switch can be effectively decreased. 27-46 27.2 ARP Scanning Prevention Configuration Task Sequence 1. Enable the ARP Scanning Prevention function. 2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention 3. Configure trusted ports 4. Configure trusted IP 5. Configure automatic recovery time 6. Display relative information of debug information and ARP scanning 1. Enable the ARP Scanning Prevention function. Command Explanation Global Mode anti-arpscan enable Enable or disable the ARP Scanning no anti-arpscan enable Prevention function globally. 2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention Command Explanation Global Mode anti-arpscan port-based threshold <threshold-value> Set the threshold of the port-based no anti-arpscan port-based ARP Scanning Prevention. threshold anti-arpscan ip-based threshold <threshold-value> no anti-arpscan ip-based threshold Set the threshold of the IP-based ARP Scanning Prevention. 3. Configure trusted ports Command Explanation Port Mode anti-arpscan trust <port | supertrust-port> no anti-arpscan trust <port | Set the trust attributes of the ports. supertrust-port> 27-47 4. Configure trusted IP Command Explanation Global Mode anti-arpscan trust ip <ip-address> [<netmask>] Set the trust attributes of IP. no anti-arpscan trust ip <ip-address> [<netmask>] 5. Configure automatic recovery time Command Explanation Global Mode anti-arpscan recovery enable Enable or disable the automatic no anti-arpscan recovery enable recovery function. anti-arpscan recovery time <seconds> Set automatic recovery time. no anti-arpscan recovery time 6. Display relative information of debug information and ARP scanning Command Explanation Global Mode anti-arpscan log enable Enable or disable the log function of ARP no anti-arpscan log enable scanning prevention. anti-arpscan trap enable Enable or disable the SNMP Trap function no anti-arpscan trap enable of ARP scanning prevention. show anti-arpscan [trust <ip | port | Display the state of operation and supertrust-port> | prohibited <ip | port>] configuration of ARP scanning prevention. Admin Mode debug anti-arpscan <port | ip> Enable or disable the debug switch of ARP no debug anti-arpscan <port | ip> scanning prevention. 27-48 27.3 ARP Scanning Prevention Typical Examples SWITCH B E1/1 E1/19 SWITCH A E1/2 E1/2 Server 192.168.1.100/24 PC PC Figure 27-1: ARP scanning prevention typical configuration example In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A, the port E1/2 of SWITCH A is connected to file server (IP address is 192.168.1.100/24), and all the other ports of SWITCH A are connected to common PC. The following configuration can prevent ARP scanning effectively without affecting the normal operation of the system. SWITCH A configuration task sequence: SwitchA(config)#anti-arpscan enable SwitchA(config)#anti-arpscan recovery time 3600 SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.0 SwitchA(config)#interface ethernet1/2 SwitchA (Config-If-Ethernet1/2)#anti-arpscan trusted port SwitchA (Config-If-Ethernet1/2)#exit SwitchA(config)#interface ethernet1/19 SwitchA (Config-If-Ethernet1/19)#anti-arpscan supertrusted port Switch A(Config-If-Ethernet1/19)#exit SWITCHB configuration task sequence: Switch B(config)# anti-arpscan enable SwitchB(config)#interface ethernet1/1 SwitchB(Config-If-Ethernet1/1)#anti-arpscan trusted port SwitchB(Config-If-Ethernet1/1)exit 27-49 27.4 ARP Scanning Prevention Troubleshooting Help ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, “debug anti-arpscan”, to view debug information. 27-50 Chapter 28 Prevent ARP Spoofing Configuration 28.1 Overview 28.1.1 ARP (Address Resolution Protocol) Generally speaking, ARP (RFC-826) protocol is mainly responsible of mapping IP address to relevant 48-bit physical address, that is MAC address, for instance, IP address is 192.168.0.1, network card Mac address is 00-30-4F-FD-1D-2B. What the whole mapping process is that a host computer send broadcast data packet involving IP address information of destination host computer, ARP request, and then the destination host computer send a data packet involving its IP address and Mac address to the host, so two host computers can exchange data by MAC address. 28.1.2 ARP Spoofing In terms of ARP Protocol design, to reduce redundant ARP data communication on networks, even though a host computer receives an ARP reply which is not requested by itself, it will also insert an entry to its ARP cache table, so it creates a possibility of “ARP spoofing”. If the hacker wants to snoop the communication between two host computers in the same network (even if are connected by the switches), it sends an ARP reply packet to two hosts separately, and make them misunderstand MAC address of the other side as the hacker host MAC address. In this way, the direct communication is actually communicated indirectly among the hacker host computer. The hackers not only obtain communication information they need, but also only need to modify some information in data packet and forward successfully. In this sniff way, the hacker host computer doesn’t need to configure intermix mode of network card, that is because the data packet between two communication sides are sent to hacker host computer on physical layer, which works as a relay. 28.1.3 How to prevent void ARP Spoofing There are many sniff, monitor and attack behaviors based on ARP protocol in networks, and most of attack behaviors are based on ARP spoofing, so it is very important to prevent ARP spoofing. ARP spoofing accesses normal network environment by counterfeiting legal IP address firstly, and sends a great deal of counterfeited ARP application packets to switches, after switches learn these packets, they will cover previously corrected IP, mapping of MAC address, and then some corrected IP, MAC address mapping are modified to correspondence 28-51 relationship configured by attack packets so that the switch makes mistake on transfer packets, and takes an effect on the whole network. Or the switches are made used of by vicious attackers, and they intercept and capture packets transferred by switches or attack other switches, host computers or network equipment. What the essential method on preventing attack and spoofing switches based on ARP in networks is to disable switch automatic update function; the cheater can’t modify corrected MAC address in order to avoid wrong packets transfer and can’t obtain other information. At one time, it doesn’t interrupt the automatic learning function of ARP. Thus it prevents ARP spoofing and attack to a great extent. 28.2 Prevent ARP Spoofing configuration The steps of preventing ARP spoofing configuration as below: 1. Disable ARP automatic update function 2. Disable ARP automatic learning function 3. Changing dynamic ARP to static ARP 1. Disable ARP automatic update function Command Explanation Global Mode ip arp-security updateprotect Disable and enable ARP automatic update no ip arp-security updateprotect function. 2. Disable ARP automatic learning function Command Explanation Global and VLAN Interface Mode ip arp-security learnprotect Disable and enable ARP automatic learning no ip arp-security learnprotect function. 3. Function on changing dynamic ARP to static ARP Command Explanation Global and VLAN Interface Mode ip arp-security convert Change dynamic ARP to static ARP. 28-52 28.3 Prevent ARP Spoofing Example Switch A B C Equipment Explanation Equipment Configuration switch IP:192.168.2.4; mac: 00-00-00-00-00-04 1 A IP:192.168.2.1; mac: 00-00-00-00-00-01 1 B IP:192.168.1.2; mac: 00-00-00-00-00-02 1 C IP:192.168.2.3; mac: 00-00-00-00-00-03 some Quality There is a normal communication between B and C on above diagram. A wants switch to forward packets sent by B to itself, so need switch sends the packets transfer from B to A. firstly A sends ARP reply packet to switch, format is: 192.168.2.3, 00-00-00-00-00-01, mapping its MAC address to C’s IP, so the switch changes IP address when it updates ARP list., then data packet of 192.168.2.3 is transferred to 00-00-00-00-00-01 address (A MAC address). In further, a transfers its received packets to C by modifying source address and destination address, the mutual communicated data between B and C are received by A unconsciously. Because the ARP list is update timely, another task for A is to continuously send ARP reply packet, and refreshes switch ARP list. So it is very important to protect ARP list, configure to forbid ARP learning command in stable environment, and then change all dynamic ARP to static ARP, the learned ARP will not be refreshed, and protect for users. Switch#config Switch(config)#interface vlan 1 Switch(config-if-vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface ethernet 1/1 Switch(config-if-vlan1)#arp 192.168.2.2 00-00-00-00-00-02 interface ethernet 1/2 Switch(config-if-vlan1)#arp 192.168.2.3 00-00-00-00-00-03 interface ethernet 1/3 Switch(Config-If-Vlan3)#exit 28-53 Switch(Config)#ip arp-security learnprotect Switch(Config)# Switch(config)#ip arp-security convert If the environment changing, it enable to forbid ARP refresh, once it learns ARP property, it wont be refreshed by new ARP reply packet, and protect use data from sniffing. Switch#config Switch(config)#ip arp-security updateprotect 28-54 Chapter 29 ARP GUARD Configuration 29.1 Introduction to ARP GUARD There is serious security vulnerability in the design of ARP protocol, which is any network device, can send ARP messages to advertise the mapping relationship between IP address and MAC address. This provides a chance for ARP cheating. Attackers can send ARP REQUEST messages or ARP REPLY messages to advertise a wrong mapping relationship between IP address and MAC address, causing problems in network communication. The danger of ARP cheating has two forms: 1. PC4 sends an ARP message to advertise that the IP address of PC2 is mapped to the MAC address of PC4, which will cause all the IP messages to PC2 will be sent to PC4, thus PC4 will be able to monitor and capture the messages to PC2; 2. PC4 sends ARP messages to advertise that the IP address of PC2 is mapped to an illegal MAC address, which will prevent PC2 from receiving the messages to it. Particularly, if the attacker pretends to be the gateway and do ARP cheating, the whole network will be collapsed. PC1 Switch HUB A B C D PC2 PC3 PC4 PC5 PC6 Figure 29-1: ARP GUARD schematic diagram We utilize the filtering entries of the switch to protect the ARP entries of important network devices from being imitated by other devices. The basic theory of doing this is that utilizing the filtering entries of the switch to check all the ARP messages entering through the port, if the source address of the ARP message is protected, the messages will be directly dropped and will not be forwarded. ARP GUARD function is usually used to protect the gateway from being attacked. If all the accessed PCs in the network should be protected from ARP cheating, then a large number of ARP GUARD address should be configured on the port, which will take up a big part of FFP entries in the chip, and as a result, might affect other applications. So this will be improper. It is recommended that adopting FREE RESOURCE related accessing scheme. Please refer to relative documents for details. 29-55 29.2 ARP GUARD Configuration Task List 1. Configure the protected IP address Command Explanation Port Mode arp-guard ip <addr> no arp-guard ip <addr> Configure/delete ARP GUARD address 29-56 Chapter 30 Gratuitous ARP Configuration 30.1 Introduction to Gratuitous ARP Gratuitous ARP is a kind of ARP request that is sent by the host with its IP address as the destination of the ARP request. The basic working mode for the switch is as below: The Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets period or the switch can be configured to enable to send gratuitous ARP packets in all the interfaces globally. The purpose of gratuitous ARP is as below: 1. To reduce the frequency that the host sends ARP request to the switch. The hosts in the network will periodically send ARP requests to the gateway to update the MAC address of the gateway. If the switch advertises gratuitous ARP requests, the host will not have to send these requests. This will reduce the frequency the hosts’ sending ARP requests for the gateway’s MAC address. 2. Gratuitous ARP is a method to prevent ARP cheating. The switch’s advertising gratuitous ARP request will force the hosts to update its ARP table cache. Thus, forged ARP of gateway cannot function. 30.2 Gratuitous ARP Configuration Task List 1. Enable gratuitous ARP and configure the interval to send gratuitous ARP request 2. Display configurations about gratuitous ARP 1. Enable gratuitous ARP and configure the interval to send gratuitous ARP request. Command Explanation Global and VLAN Interface Mode. ip gratuitous-arp <5-1200> no ip gratuitous-arp To enable gratuitous ARP and configure the interval to send gratuitous ARP request. The no command cancels the gratuitous ARP. 30-57 2. Display configurations about gratuitous ARP Command Explanation Admin, Global and VLAN Interface Mode show ip gratuitous-arp [interface VLAN To display configurations about gratuitous <1-4094>] ARP. 30.3 Gratuitous ARP Configuration Example Switch Interface vlan10 192.168.15.254 255.255.255.0 PC1 PC2 PC3 PC4 PC5 Figure 30-1: Gratuitous ARP Configuration Example For the network topology shown in the figure above, interface VLAN10 whose IP address is 192.168.15.254 and network address mask is 255.255.255.0 in the switch system. Five PCs – PC1, PC2, PC3, PC4, PC5 are connected to the interface. Gratuitous ARP can be enabled through the following configuration: 1. Configure global gratuitous ARP Switch(config)#ip gratuitous-arp 300 Switch(config)#exit 2. Configure interface gratuitous ARP Switch(config)#interface vlan 10 Switch(Config-if-Vlan10)#ip gratuitous-arp 300 Switch(Config-if-Vlan10)#exit Switch(config) #exit 30-58 30.4 Gratuitous ARP Troubleshooting Gratuitous ARP is disabled by default. And when gratuitous ARP is enabled, the debugging information about ARP packets can be retrieved through the command debug ARP send. If gratuitous ARP is enabled in global configuration mode, it can be disabled only in global configuration mode. If gratuitous ARP is configured in interface configuration mode, the configuration can only be disabled in interface configuration mode. If gratuitous ARP is enabled in both global and interface configuration mode, and the sending interval of gratuitous ARP is configured in both configuration modes, the switch takes the value which is configured in interface configuration mode. 30-59 Chapter 31 DHCP Configuration 31.1 Introduction to DHCP DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP address dynamically from the address pool as well as other network configuration parameters such as default gateway, DNS server, and default route and host image file position within the network. DHCP is the enhanced version of BOOTP. It is a mainstream technology that can not only provide boot information for diskless workstations, but can also release the administrators from manual recording of IP allocation and reduce user effort and cost on configuration. Another benefit of DHCP is it can partially ease the pressure on IP demands, when the user of an IP leaves the network that IP can be assigned to another user. DHCP is a client-server protocol, the DHCP client requests the network address and configuration parameters from the DHCP server; the server provides the network address and configuration parameters for the clients; if DHCP server and clients are located in different subnets, DHCP relay is required for DHCP packets to be transferred between the DHCP client and DHCP server. The implementation of DHCP is shown below: Discover Offer Request Ack DHCP SERVER DHCP CLIENT Figure 31-1: DHCP protocol interaction Explanation: 1. DHCP client broadcasts DHCPDISCOVER packets in the local subnet. 2. On receiving the DHCPDISCOVER packet, DHCP server sends a DHCPOFFER packet along with IP address and other network parameters to the DHCP client. 3. DHCP client broadcast DHCPREQUEST packet with the information for the DHCP server it selected after selecting from the DHCPOFFER packets. 4. The DHCP server selected by the client sends a DHCPACK packet and the client gets an IP address and other network configuration parameters. The above four steps finish a Dynamic host configuration assignment process. However, if the DHCP server and the DHCP client are not in the same network, the server will not receive the DHCP broadcast packets sent by the client, therefore no DHCP packets will be sent to the client by the server. In this case, a DHCP relay is required to forward such DHCP packets so 31-60 that the DHCP packets exchange can be completed between the DHCP client and server. Switch can act as both a DHCP server and a DHCP relay. DHCP server supports not only dynamic IP address assignment, but also manual IP address binding (i.e. specify a specific IP address to a specified MAC address or specified device ID over a long period. The differences and relations between dynamic IP address allocation and manual IP address binding are: 1) IP address obtained dynamically can be different every time; manually bound IP address will be the same all the time. 2) The lease period of IP address obtained dynamically is the same as the lease period of the address pool, and is limited; the lease of manually bound IP address is theoretically endless. 3) Dynamically allocated address cannot be bound manually. 4) Dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the related segment. 31.2 DHCP Server Configuration DHCP Sever Configuration Task List: 1. Enable/Disable DHCP service 2. Configure DHCP Address pool (1) Create/Delete DHCP Address pool (2) Configure DHCP address pool parameters (3) Configure manual DHCP address pool parameters 3. Enable logging for address conflicts 1. Enable/Disable DHCP service Command Explanation Global Mode service dhcp Enable DHCP server. The no command no service dhcp disables DHCP server. Port Mode ip dhcp disbale The port disables DHCP services, the no no ip dhcp disable command enables DHCP services. 2. Configure DHCP Address pool (1) Create/Delete DHCP Address pool Command Explanation Global Mode 31-61 ip dhcp pool <name> Configure DHCP Address pool. The no no ip dhcp pool <name> operation cancels the DHCP Address pool. (2) Configure DHCP address pool parameters Command Explanation DHCP Address Pool Mode Configure the address scope that can be network-address <network-number> allocated to the address pool. The no [mask | prefix-length] operation of this command cancels the no network-address allocation address pool. default-router [<address1>[<address2>[…<address8> ]]] Configure default gateway for DHCP clients. The no operation cancels the default gateway. no default-router dns-server [<address1>[<address2>[…<address8> ]]] Configure DNS server for DHCP clients. The no command deletes DNS server configuration. no dns-server Configure Domain name for DHCP clients; domain-name <domain> the “no domain-name” command deletes no domain-name the domain name. netbios-name-server [<address1>[<address2>[…<address8> Configure the address for WINS server. The ]]] no operation cancels the address for server. no netbios-name-server netbios-node-type {b-node|h-node|m-node|p-node|<type-n umber>} Configure node type for DHCP clients. The no operation cancels the node type for DHCP clients. no netbios-node-type Configure the file to be imported for DHCP bootfile <filename> clients on boot up. The no command no bootfile cancels this operation. next-server [<address1>[<address2>[…<address8> Configure the address of the server hosting ]]] file for importing. The no command deletes no next-server the address of the server hosting file for [<address1>[<address2>[…<address8> importing. ]]] 31-62 Configure the network parameter specified option <code> {ascii <string> | hex by the option code. The no command <hex> | ipaddress <ipaddress>} deletes the network parameter specified by no option <code> the option code. Configure the lease period allocated to lease { days [hours][minutes] | infinite } addresses in the address pool. The no no lease command deletes the lease period allocated to addresses in the address pool. max-lease-time {[<days>] [<hours>] Set the maximum lease time for the [<minutes>] | infinite} addresses in the address pool; the no no max-lease-time command restores the default setting. Global Mode ip dhcp excluded-address <low-address> [<high-address>] Exclude the addresses in the address pool no ip dhcp excluded-address that are not for dynamic allocation. <low-address> [<high-address>] (3) Configure manual DHCP address pool parameters Command Explanation DHCP Address Pool Mode hardware-address <hardware-address> [{Ethernet | IEEE802|<type-number>}] no hardware-address Specify/delete the hardware address when assigning address manually. host <address> [<mask> | Specify/delete the IP address to be <prefix-length> ] assigned to the specified client when no host binding address manually. client-identifier <unique-identifier> Specify/delete the unique ID of the user no client-identifier when binding address manually. 3. Enable logging for address conflicts Command Explanation Global Mode ip dhcp conflict logging Enable/disable logging for DHCP address to no ip dhcp conflict logging detect address conflicts. Admin Mode clear ip dhcp conflict <address | all > Delete a single address conflict record or all conflict records. 31-63 31.3 DHCP Relay Configuration When the DHCP client and server are in different segments, DHCP relay is required to transfer DHCP packets. Adding a DHCP relay makes it unnecessary to configure a DHCP server for each segment, one DHCP server can provide the network configuration parameter for clients from multiple segments, which is not only cost-effective but also management-effective. DHCPDi scover DHCPDi scover ( Br oadcast ) DHCPOFFER( Uni cast ) DHCPOFFER DHCPREQUEST DHCPREQUEST( Br oadcast ) DHCP Cl i ent DHCPACK( Uni cast ) DHCP Rel ay DHCPACK DHCP Ser ver Figure 31-2: DHCP relay As shown in the above figure, the DHCP client and the DHCP server are in different networks, the DHCP client performs the four DHCP steps as usual yet DHCP relay is added to the process. 1. The client broadcasts a DHCPDISCOVER packet, and DHCP relay inserts its own IP address to the relay agent field in the DHCPDISCOVER packet on receiving the packet, and forwards the packet to the specified DHCP server (for DHCP frame format, please refer to RFC2131). 2. On the receiving the DHCPDISCOVER packets forwarded by DHCP relay, the DHCP server sends the DHCPOFFER packet via DHCP relay to the DHCP client. 3. DHCP client chooses a DHCP server and broadcasts a DHCPREQUEST packet, DHCP relay forwards the packet to the DHCP server after processing. 4. On receiving DHCPREQUEST, the DHCP server responds with a DHCPACK packet via DHCP relay to the DHCP client. DHCP Relay Configuration Task List: 1. Enable DHCP relay. 2. Configure DHCP relay to forward DHCP broadcast packet. 3. Configure share-vlan 31-64 1. Enable DHCP relay. Command Explanation Global Mode service dhcp DHCP server and DHCP relay is enabled as the no service dhcp DHCP service is enabled. 2. Configure DHCP relay to forward DHCP broadcast packet. Command Explanation Global Mode ip forward-protocol udp bootps The UDP port 67 is used for DHCP broadcast no ip forward-protocol udp bootps packet forwarding. VLAN Interface Mode ip helper-address <ipaddress> no ip helper-address <ipaddress> Set the destination IP address for DHCP relay forwarding; the “no ip helper-address <ipaddress>“command cancels the setting. 3. Configure share-VLAN When the user want to use layer 2 device as DHCP relay, there is the number limitation that create layer 3 interface on layer 2 device, but using the layer 3 interface of share-VLAN (it may include many sub-VLAN, however a sub-VLAN only correspond to a share-VLAN) can implement DHCP relay forwarding, and the relay device needs to enable option82 function at the same time. Command Explanation Global Mode ip dhcp relay share-vlan <vlanid> sub-vlan <vlanlist> Create or delete share-VLAN and it's sub-VLAN. no dhcp relay share-vlan 31.4 DHCP Configuration Examples Scenario 1: Too save configuration efforts of network administrators and users, a company is using switch as a DHCP server. The Admin VLAN IP address is 10.16.1.2/16. The local area network for the company is divided into network A and B according to the office locations. The network 31-65 configurations for location A and B are shown below. PoolA(network 10.16.1.0) PoolB(network 10.16.2.0) Device IP address Device IP address Default gateway 10.16.1.200 Default gateway 10.16.1.200 10.16.1.201 10.16.1.201 DNS server 10.16.1.202 DNS server 10.16.1.202 WINS server 10.16.1.209 WWW server 10.16.1.209 WINS node type H-node Lease 3 days Lease 1day In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned with a fixed IP address of 10.16.1.210 and named as “management”. Switch(config)#service dhcp Switch(config)#interface vlan 1 Switch(Config-Vlan-1)#ip address 10.16.1.2 255.255.0.0 Switch(Config-Vlan-1)#exit Switch(config)#ip dhcp pool A Switch(dhcp-A-config)#network 10.16.1.0 24 Switch(dhcp-A-config)#lease 3 Switch(dhcp-A-config)#default-route 10.16.1.200 10.16.1.201 Switch(dhcp-A-config)#dns-server 10.16.1.202 Switch(dhcp-A-config)#netbios-name-server 10.16.1.209 Switch(dhcp-A-config)#netbios-node-type H-node Switch(dhcp-A-config)#exit Switch(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201 Switch(config)#ip dhcp pool B Switch(dhcp-B-config)#network 10.16.2.0 24 Switch(dhcp-B-config)#lease 1 Switch(dhcp-B-config)#default-route 10.16.2.200 10.16.2.201 Switch(dhcp-B-config)#dns-server 10.16.2.202 Switch(dhcp-B-config)#option 72 ip 10.16.2.209 Switch(dhcp-config)#exit Switch(config)#ip dhcp excluded-address 10.16.2.200 10.16.2.201 Switch(config)#ip dhcp pool A1 Switch(dhcp-A1-config)#host 10.16.1.210 Switch(dhcp-A1-config)#hardware-address 00-03-22-23-dc-ab Switch(dhcp-A1-config)#exit 31-66 Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch, the client can only get its address from 10.16.1.0/24 instead of 10.16.2.0/24. This is because the broadcast packet from the client will be requesting the IP address in the same segment of the VLAN interface after VLAN interface forwarding, and the VLAN interface IP address is 10.16.1.2/24, therefore the IP address assigned to the client will belong to 10.16.1.0/24. If the DHCP/BOOTP client wants to have an address in 10.16.2.0/24, the gateway forwarding broadcast packets of the client must belong to 10.16.2.0/24. The connectivity between the client gateway and the switch must be ensured for the client to get an IP address from the 10.16.2.0/24 address pool. Scenario 2: E1/1 DHCP Client 192.168.1.1 E1/2 10.1.1.1 DHCP Relay DHCP Client DHCP Server 10.1.1.10 DHCP Client Figure 31-3: DHCP Relay Configuration As shown in the above figure, route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10, the configuration steps is as follows: Switch(config)#service dhcp Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#vlan 2 Switch(Config-Vlan-2)#exit Switch(config)#interface Ethernet 1/2 Switch(Config-Erthernet1/2)#switchport access vlan 2 Switch(Config-Erthernet1/2)#exit Switch(config)#interface vlan 2 31-67 Switch(Config-if-Vlan2)#ip address 10.1.1.1 255.255.255.0 Switch(Config-if-Vlan2)#exit Switch(config)#ip forward-protocol udp bootps Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip help-address 10.1.1.10 Switch(Config-if-Vlan1)#exit Note: It is recommended to use the combination of command ip forward-protocol udp <port> and ip helper-address <ipaddress>. ip help-address can only be configured for ports on layer 3 and cannot be configured on layer 2 ports directly. Scenario 3: Figure 31-4: DHCP configuration example As shown in the above figure, PC1 is DHCP client, obtain the address through DHCP. Switch1 is a layer 2 access device, it enables DHCP Relay and option82 functions, Ethernet1/2 is a access port, belongs to VLAN3, Ethernet1/3 is a trunk port, connects to DHCP Server, DHCP Server address is 192.168.40.199. Switch1 creates VLAN1 and interface VLAN1, configure IP address of interface VLAN1 as 192.168.40.50, configure the address of DHCP Relay forwarding as 192.168.40.199, configure VLAN3 as a sub-VLAN of VLAN1. The configuration is as follows: switch(config)#vlan 1 switch(config)#vlan 3 switch(config)#interface ethernet 1/2 Switch(Config-If-Ethernet1/2)#switchport access vlan 3 switch(config)#interface ethernet 1/3 Switch(Config-If-Ethernet1/2)#switchport mode trunk switch(config)#service dhcp switch(config)#ip forward-protocol udp bootps 31-68 switch(config)#ip dhcp relay information option switch(config)#ip dhcp relay share-vlan 1 sub-vlan 3 switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0 switch(config-if-vlan1)#ip helper-address 192.168.40.199 31.5 DHCP Troubleshooting If the DHCP clients cannot obtain IP addresses and other network parameters, the following procedures can be followed when DHCP client hardware and cables have been verified ok. Verify the DHCP server is running, start the related DHCP server if not running. In such case, DHCP server should be examined for an address pool that is in the same segment of the switch VLAN, such a pool should be added if not present, and (This does not indicate switch cannot assign IP address for different segments, see solution 2 for details.) In DHCP service, pools for dynamic IP allocation and manual binding are conflicting, i.e., if command “network-address” and “host” are run for a pool, only one of them will take effect; furthermore, in manual binding, only one IP-MAC binding can be configured in one pool. If multiple bindings are required, multiple manual pools can be created and IP-MAC bindings set for each pool. New configuration in the same pool overwrites the previous configuration. 31-69 Chapter 32 DHCPv6 Configuration 32.1 Introduction to DHCPv6 DHCPv6 [RFC3315] is the IPv6 version for Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 address as well as other network configuration parameters such as DNS address, and domain name to DHCPv6 client, DHCPv6 is a conditional auto address configuration protocol relative to IPv6. In the conditional address configuration process, DHCPv6 server assigns a complete IPv6 address to client, and provides DNS address, domain name and other configuration information, maybe the DHCPv6 packet can transmit through relay delegation, at last the binding of IPv6 address and client can be recorded by DHCPv6 server, all that can enhance the management of network; DHCPv6 server can also provide non state DHCPv6 service, that is only assigns DNS address and domain name and other configuration information but not assigns IPv6 address, it can solve the bug of IPv6 auto address configuration in non state; DHCPv6 can provide extend function of DHCPv6 prefix delegation, upstream route can assign address prefix to downstream route automatically, that achieve the IPv6 address auto assignment in levels of network environment, and resolved the problem of ISP and IPv6 network dispose. There are three entities in the DHCPv6 protocol – the client, the relay and the server. The DHCPv6 protocol is based on the UDP protocol. The DHCPv6 client sends request messages to the DHCP server or DHCP relay with the destination port as 547, and the DHCPv6 server and relay send replying messages with the destination port as 546. The DHCPv6 client sends solicit or request messages with the multicast address – ff02::1:2 for DHCP relay and server. Solicit (Multicast) Advertise (Unicast) Request (Multicast) Reply (Unicast) DHCPv6 CLIENT DHCPv6 SERVER Figure 32-1: DHCPv6 negotiation When a DHCPv6 client tries to request an IPv6 address and other configurations from the DHCPv6 server, the client has to find the location of the DHCP server, and then request configurations from the DHCP server. 1. In the time of located server, the DHCP client tries to find a DHCPv6 server by broadcasting a SOLICIT packet to all the DHCP delay delegation and server with broadcast address as FF02::1:2. 32-70 2. Any DHCP server which receives the request, will reply the client with an ADVERTISE message, which includes the identity of the server –DUID, and its priority. 3. It is possible that the client receives multiple ADVERTISE messages. The client should select one and reply it with a REQUEST message to request the address which is advertised in the ADVERTISE message. 4. The selected DHCPv6 server then confirms the client about the IPv6 address and any other configuration with the REPLY message. The above four steps finish a Dynamic host configuration assignment process. However, if the DHCPv6 server and the DHCPv6 client are not in the same network, the server will not receive the DHCPv6 broadcast packets sent by the client, therefore no DHCPv6 packets will be sent to the client by the server. In this case, a DHCPv6 relay is required to forward such DHCPv6 packets so that the DHCPv6 packets exchange can be completed between the DHCPv6 client and server. At the time this manual is written, DHCPv6 server, relay and prefix delegation client have been implemented on the switch. When the DHCPv6 relay receives any messages from the DHCPv6 client, it will encapsulate the request in a Relay-forward packet and deliver it to the next DHCPv6 relay or the DHCPv6 server. The DHCPv6 messages coming from the server will be encapsulated as relay reply packets to the DHCPv6 relay. The relay then removes the encapsulation and delivers it the DHCPv6 client or the next DHCPv6 relay in the network. For DHCPv6 prefix delegation where DHCPv6 server is configured on the PE router and DHCPv6 client it configured on the CPE router, the CPE router is able to send address prefix allocation request to the PE router and get a pre-configured address prefix, but not set the address prefix manually. The protocol negotiation between the client and the prefix delegation client is quite similar to that when getting a DHCPv6 address. Then the CPE router divides the allocated prefix – whose length should be less than 64 characters, into 64 subnets. The divided address prefix will be advertised through routing advertisement messages (RA) to the host directly connected to the client. 32.2 DHCPv6 Server Configuration DHCPv6 server configuration task list as below: 1. To enable/disable DHCPv6 service 2. To configure DHCPv6 address pool (1) To achieve/delete DHCPv6 address pool (2) To configure parameter of DHCPv6 address pool 3. To enable DHCPv6 server function on port 32-71 1. To enable/disable DHCPv6 service Command Explanation Global Mode service dhcpv6 To enable DHCPv6 service. no service dhcpv6 2. To configure DHCPv6 address pool (1)To achieve/delete DHCPv6 address pool Command Explanation Global Mode ipv6 dhcp pool <poolname> no ipv6 dhcp pool <poolname> To configure DHCPv6 address pool. (2)To configure parameter of DHCPv6 address pool Command Explanation DHCPv6 Address Pool Mode network-address <ipv6-pool-start-address> {<ipv6-pool-end-address> | <prefix-length>} [eui-64] To configure the range of IPv6 address assignable of address pool. no network-address dns-server <ipv6-address> To configure DNS server address for no dns-server <ipv6-address> DHCPv6 client. domain-name <domain-name> no domain-name <domain-name> To configure DHCPv6 client domain name. excluded-address <ipv6-address> To exclude IPv6 address which isn’t used for no excluded-address <ipv6-address> dynamic assignment in address pool. lifetime {<valid-time> | infinity} {<preferred-time> | infinity} no lifetime To configure valid time or preferred time of DHCPv6 address pool. 32-72 3. To enable DHCPv6 server function on port. Command Explanation VLAN Interface Mode ipv6 dhcp server <poolname> [preference <value>] [rapid-commit] [allow-hint] no ipv6 dhcp server <poolname> To enable DHCPv6 server function on specified port, and binding the used DHCPv6 address pool. 32.3 DHCPv6 Relay Delegation Configuration DHCPv6 relay delegation configuration task list as below: 1. To enable/disable DHCPv6 service 2. To configure DHCPv6 relay delegation on port 1. To enable DHCPv6 service Command Explanation Global Mode service dhcpv6 no service dhcpv6 To enableDHCPv6 service. 2. To configure DHCPv6 relay delegation on port Command Explanation VLAN Interface Mode ipv6 dhcp relay destination {[<ipv6-address>] [interface { <interface-name> | vlan <1-4096>}]} no ipv6 dhcp relay destination {[<ipv6-address>] [interface To specify the destination address of DHCPv6 relay transmit; The no form of this command delete the configuration. { <interface-name> | vlan <1-4096>}]} 32.4 DHCPv6 Prefix Delegation Server Configuration DHCPv6 prefix delegation server configuration task list as below: 1. To enable/delete DHCPv6 service 2. To configure prefix delegation pool 32-73 3. To configure DHCPv6 address pool (1) To achieve/delete DHCPv6 address pool (2) To configure prefix delegation pool used by DHCPv6 address pool (3) To configure static prefix delegation binding (4) To configure other parameters of DHCPv6 address pool 4. To enable DHCPv6 prefix delegation server function on port 1. To enable/delete DHCPv6 service Command Explanation Global Mode service dhcpv6 To enable DHCPv6 service. no service dhcpv6 2. To configure prefix delegation pool Command Explanation Global Mode ipv6 local pool <poolname> <prefix|prefix-length> To configure prefix delegation pool. <assigned-length> no ipv6 local pool <poolname> 3. To configure DHCPv6 address pool (1)To achieve/delete DHCPv6 address pool Command Explanation Global Mode ipv6 dhcp pool <poolname> To configure DHCPv6 address pool. no ipv6 dhcp pool <poolname> (2)To configure prefix delegation pool used by DHCPv6 address pool Command Explanation DHCPv6 Address Pool Mode prefix-delegation pool <poolname> To specify prefix delegation pool used by [lifetime <valid-time> <preferred-time>] DHCPv6 address pool, and assign usable no prefix-delegation pool <poolname> prefix to client. 32-74 (3) To configure static prefix delegation binding Command Explanation DHCPv6 Address Pool Mode prefix-delegation <ipv6-prefix/prefix-length> <client-DUID> [iaid <iaid>] [lifetime <valid-time> <preferred-time>] no prefix-delegation To specify IPv6 prefix and any prefix required static binding by client. <ipv6-prefix/prefix-length> <client-DUID> [iaid <iaid>] (4) To configure other parameter of DHCPv6 address pool Command Explanation DHCPv6 Address Pool Mode dns-server <ipv6-address> To configure DNS server address for no dns-server <ipv6-address> DHCPv6 client. domain-name <domain-name> To configure domain name for DHCPv6 no domain-name <domain-name> client. 4. To enable DHCPv6 prefix delegation server function on port Command Explanation VLAN Interface Mode ipv6 dhcp server <poolname> [preference <value>] [rapid-commit] [allow-hint] no ipv6 dhcp server <poolname> To enable DHCPv6 server function on specified port, and binding used DHCPv6 address pool. 32.5 DHCPv6 Prefix Delegation Client Configuration DHCPv6 prefix delegation client configuration task list as below: 1. To enable/disable DHCPv6 service 2. To enable DHCPv6 prefix delegation client function on port 32-75 1. To enable/disable DHCPv6 service Command Explanation Global Mode service dhcpv6 no service dhcpv6 To enable DHCPv6 service. 2. To enable DHCPv6 prefix delegation client function on port Command Explanation VLAN Interface Mode ipv6 dhcp client pd <prefix-name> [rapid-commit] no ipv6 dhcp client pd To enable client prefix delegation request function on specified port, and the prefix obtained associate with universal prefix configured. 32.6 DHCPv6 Configuration Examples Example1: When deploying IPv6 networking, the switch can be configured as DHCPv6 server in order to manage the allocation of IPv6 addresses. Both the state and the stateless DHCPv6 are supported. Topology: The access layer use Switch1 switch to connect users of dormitory buildings and it is configured as DHCPv6 relay delegation; Switch3 is configured as DHCPv6 server in secondary aggregation layer, and connected with backbone network or higher aggregation layers; The Windows Vista which be provided with DHCPv6 client must load on PC. 32-76 Usage guide: Switch3 configuration: Switch3>enable Switch3#config Switch3(config)#service dhcpv6 Switch3(config)#ipv6 dhcp pool EastDormPool Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100 Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1 Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20 Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21 Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.com Switch3(dhcpv6-EastDormPool-config)#lifetime 1000 600 Switch3(dhcpv6-EastDormPool-config)#exit Switch3(config)#interface vlan 1 Switch3(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::1/64 Switch3(Config-if-Vlan1)#exit Switch3(config)#interface vlan 10 Switch3(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::1/64 Switch3(Config-if-Vlan10)#ipv6 dhcp server EastDormPool preference 80 Switch3(Config-if-Vlan10)#exit Switch3(config)# 32-77 Switch2 configuration: Switch2>enable Switch2#config Switch2(config)#service dhcpv6 Switch2(config)#interface vlan 1 Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64 Switch2(Config-if-Vlan1)#exit Switch2(config)#interface vlan 10 Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64 Switch2(Config-if-Vlan10)#exit Switch2(config)#interface vlan 100 Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64 Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag Switch2(Config-if-Vlan100)#exit Switch2(config)# Switch1 configuration: Switch1(config)#service dhcpv6 Switch2(config)#interface vlan 1 Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:100:1::2/64 Switch2(Config-if-Vlan1)#ipv6 dhcp relay destination 2001:da8:10:1::1 32.7 DHCPv6 Troubleshooting If the DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, the following procedures can be followed when DHCPv6 client hardware and cables have been verified ok: Verify the DHCPv6 server is running, start the related DHCP v6 server function if not running; If the DHCPv6 clients and servers are not in the same physical network, verify the router responsible for DHCPv6 packet forwarding has DHCPv6 relay function. If DHCPv6 relay is not available for the intermediate router, it is recommended to replace the router or upgrade its software to one that has a DHCPv6 relay function; Sometimes hosts are connected to the DHCPv6 enabled switches, but can not get IPv6 addresses. In this situation, it should be checked first whether the ports which 32-78 the hosts are connected to, are connected with the port which the DHCPv6 server is connected to. If connected directly, it should be checked then whether the IPv6 address pool of the VLAN which the port belongs to, is in the same subnet with the address pool configure in the DHCPv6 server; If not connected directly, and any layer three DHCPv6 relay is configured between the hosts and the DHCPv6 server, it should be checked first whether an valid IPv6 address has been configured for the switch interface which the hosts are connected to. If not configured, configure an valid IPv6 address. If configured, it should be checked whether the configured IPv6 address is in the same subnet with the DHCPv6 server. If not, please add it to the address pool. 32-79 Chapter 33 DHCP Option 82 Configuration 33.1 Introduction to DHCP Option 82 DHCP option 82 is the Relay Agent Information Option, its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The Relay Agent adds option 82 (including the client’s physical access port, the access device ID and other information), to the DHCP request message from the client then forwards the message to DHCP server. When the DHCP server which supports the option 82 function receives the message, it will allocate an IP address and other configuration information for the client according to preconfigured policies and the option 82 information in the message. At the same time, DHCP server can identify all the possible DHCP attack messages according to the information in option 82 and defend against them. DHCP Relay Agent will peel the option 82 from the reply messages it receives, and forward the reply message to the specified port of the network access device, according to the physical port information in the option. The application of DHCP option 82 is transparent for the client. 33.1.1 DHCP Option 82 Message Structure A DHCP message can have several option segments; option 82 is one of them. It has to be placed after other options but before option 255. The following is its format: Code: represents the sequence number of the relay agent information option, the option 82 is called so because RFC3046 is defined as 82. Len: the number of bytes in Agent Information Field, not including the two bytes in Code segment and Len segment. Option 82 can have several sub-options, and need at least one sub-option. RFC3046 defines the following two sub-options, whose formats are showed as follows: 33-80 SubOpt: the sequence number of sub-option, the sequence number of Circuit ID sub-option is 1, the sequence number of Remote ID sub-option is 2. Len: the number of bytes in Sub-option Value, not including the two bytes in SubOpt segment and Len segment. 33.1.2 Option 82 Working Mechanism DHCP RelayAgent DHCP Request DHCP Request Option82 DHCP Reply DHCP Reply Option82 DHCP Client DHCP Server DHCP option 82 flow chart If the DHCP Relay Agent supports option 82, the DHCP client should go through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The DHCP protocol follows the procedure below: 1)DHCP client sends a request broadcast message while initializing. This request message does not have option 82. 2)DHCP Relay Agent will add the option 82 to the end of the request message it receives, then relay and forward the message to the DHCP server. By default, the sub-option 1 of option 82 (Circuit ID) is the interface information of the switch connected to the DHCP client (VLAN name and physical port name), but the users can configure the Circuit ID as they wish. The sub-option 2 of option 82(Remote ID) is the MAC address of the DHCP relay device. 3)After receiving the DHCP request message, the DHCP server will allocate IP address and other information for the client according to the information and preconfigured policy in the option segment of the message. Then it will forward the reply message with DHCP configuration information and option 82 information to DHCP Relay Agent. 4)DHCP Relay Agent will peel the option 82 information from the replay message sent by DHCP server, and then forward the message with DHCP configuration information to the DHCP client. 33-81 33.2 DHCP Option 82 Configuration Task List 1. Enabling the DHCP option 82 of the Relay Agent 2. Configure the DHCP option 82 attributes of the interface 3. Enable the DHCP option 82 of server 4. Configure DHCP option 82 default format of Relay Agent 5. Configure delimiter 6. Configure creation method of option82 7. Diagnose and maintain DHCP option 82 1. Enabling the DHCP option 82 of the Relay Agent. Command Explanation Global Mode Set this command to enable the option 82 ip dhcp relay information option no ip dhcp relay information option function of the switch Relay Agent. The “no ip dhcp relay information option” is used to disable the option 82 function of the switch Relay Agent. 2. Configure the DHCP option 82 attributes of the interface Command Explanation VLAN Interface Mode 33-82 This command is used to set the retransmitting policy of the system for the received DHCP request message which contains option 82. The drop mode means that if the message has option82, then the system will drop it without processing; keep ip dhcp relay information policy {drop | keep | replace} no ip dhcp relay information policy mode means that the system will keep the original option 82 segment in the message, and forward it to the server to process; replace mode means that the system will replace the option 82 segment in the existing message with its own option 82, and forward the message to the server to process. The “no ip dhcp relay information policy” will set the retransmitting policy of the option 82 DCHP message as “replace”. This command is used to set the format of option 82 sub-option1(Circuit ID option) added to the DHCP request messages from interface, standard means the standard VLAN name and physical port ip dhcp relay information option name format, subscriber-id {standard | <circuit-id>} like”VLAN2+Ethernet1/12”,<circuit-id> is no ip dhcp relay information option the circuit-id contents of option 82 specified subscriber-id by users, which is a string no longer than 64characters. The” no ip dhcp relay information option subscriber-id” command will set the format of added option 82 sub-option1 (Circuit ID option) as standard format. Global Mode Set the suboption2 (remote ID option) ip dhcp relay information option content of option 82 added by DHCP remote-id {standard | <remote-id>} request packets (They are received by the no ip dhcp relay information option interface). The no command sets the remote-id additive suboption2 (remote ID option) format of option 82 as standard. 33-83 3. Enable the DHCP option 82 of server. Command Explanation Global Mode This command is used to enable the switch ip dhcp server relay information enable DHCP server to identify option82. The “no no ip dhcp server relay information ip dhcp server relay information enable” enable command will make the server ignore the option 82. 4. Configure DHCP option 82 default format of Relay Agent Command Explanation Global Mode ip dhcp relay information option Set subscriber-id format of Relay Agent subscriber-id format {hex | acsii | vs-hp} option82. ip dhcp relay information option Set remote-id format of Relay Agent remote-id format {default | vs-hp} option82. 5. Configure delimiter Command Explanation Global Mode ip dhcp relay information option Set the delimiter of each parameter for delimiter [colon | dot | slash | space] suboption of option82 in global mode, no no ip dhcp relay information option command restores the delimiter as slash. delimiter 6. Configure creation method of option82 Command Explanation Global Mode ip dhcp relay information option self-defined remote-id {hostname | mac | Set creation method for option82, users string WORD} can define the parameters of remote-id no ip dhcp relay information option suboption by themselves self-defined remote-id 33-84 ip dhcp relay information option Set self-defined format of remote-id for self-defined remote-id format [ascii | relay option82. hex] ip dhcp relay information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname)| Set creation method for option82, users can define the parameters of circuit-id remote-mac)| string WORD } suboption by themselves no ip dhcp relay information option self-defined subscriber-id ip dhcp relay information option self-defined subscriber-id format [ascii | hex] Set self-defined format of circuit-id for relay option82. 7. Diagnose and maintain DHCP option 82 Command Explanation Admin Mode This command will display the state information of the DHCP option 82 in the show ip dhcp relay information option system, including option82 enabling switch, the interface retransmitting policy, the circuit ID mode and the DHCP server option82 enabling switch. This command is used to display the information of data packets processing in debug ip dhcp relay packet DHCP Relay Agent, including the “add” and “peel” action of option 82. 33.3 DHCP Option 82 Application Examples Vlan2:ethernet1/3 DHCP Client PC1 DHCP Relay Agent Switch3 Switch1 Vlan3 Vlan2:ethernet1/2 DHCP Server Switch2 DHCP Client PC2 Figure 33-1: A DHCP option 82 typical application example 33-85 In the above example, layer 2 switches Switch1 and Switch2 are both connected to layer 3 switch Switch3, Switch 3 will transmit the request message from DHCP client to DHCP serer as DHCP Relay Agent. It will also transmit the reply message from the server to DHCP client to finish the DHCP protocol procedure. If the DHCP option 82 is disabled, DHCP server cannot distinguish that whether the DHCP client is from the network connected to Switch1 or Switch2. So, all the PC terminals connected to Switch1 and Switch2 will get addresses from the public address pool of the DHCP server. After the DHCP option 82 function is enabled, since the Switch3 appends the port information of accessing Switch3 to the request message from the client, the server can tell that whether the client is from the network of Swich1 or Swich2, and thus can allocate separate address spaces for the two networks, to simplify the management of networks. The following is the configuration of Switch3(MAC address is 00:30:4f:02:33:01): Switch3(Config)#service dhcp Switch3(Config)#ip dhcp relay information option Switch3(Config)#ip forward-protocol udp bootps Switch3(Config)#interface vlan 3 Switch3(Config-if-vlan3)#ip address 192.168.10.222 255.255.255.0 Switch3(Config-if-vlan2)#ip address 192.168.102.2 255.255.255.0 Switch3(Config-if-vlan2)#ip helper 192.168.10.88 Linux ISC DHCP Server supports option 82, its configuration file /etc/dhcpd.con is ddns-update-style interim; ignore client-updates; class "Switch3Vlan2Class1" { match if option agent.circuit-id = "Vlan2+Ethernet1/2" and option = "Vlan2+Ethernet1/3" and option agent.remote-id=00:30:4f:02:33:01; } class "Switch3Vlan2Class2" { match if option agent.circuit-id agent.remote-id=00:30:4f:02:33:01; } subnet 192.168.102.0 netmask 255.255.255.0 { option routers 192.168.102.2; 33-86 option subnet-mask 255.255.255.0; option domain-name "example.com.cn"; option domain-name-servers 192.168.10.3; authoritative; pool { range 192.168.102.21 192.168.102.50; default-lease-time 86400; #24 Hours max-lease-time 172800; #48 Hours allow members of "Switch3Vlan2Class1"; } pool { range 192.168.102.51 192.168.102.80; default-lease-time 43200; #12 Hours max-lease-time 86400; #24 Hours allow members of "Switch3Vlan2Class2"; } } Now, the DHCP server will allocate addresses for the network nodes from Switch1 which are relayed by Switch3 within the range of 192.168.102.21 ~ 192.168.102.50, and allocate addresses for the network nodes from Switch1 within the range of 192.168.102.51~ 192.168.102.80. 33.4 DHCP Option 82 Troubleshooting DHCP option 82 is implemented as a sub-function module of DHCP Relay Agent. Before using it, users should make sure that the DHCP Relay Agent is configured correctly. DHCP option 82 needs the DHCP Relay Agent and the DHCP server cooperate to finish the task of allocating IP addresses. The DHCP server should set allocating policy correctly depending on the network topology of the DHCP Relay Agent, or, even the Relay Agent can operate normally, the allocation of addresses will fail. When there is more than one kind of Relay Agent, please pay attention to the retransmitting policy of the interface DHCP request messages. To implement the option 82 function of DHCP Relay Agent, the “debug dhcp relay packet” command can be used during the operating procedure, including adding the contents of option 82, the retransmitting policy adopted, the option 82 contents of the server peeled by the Relay Agent and etc., such information can help users to do troubleshooting. 33-87 To implement the option 82 function of DHCP server, the “debug ip dhcp server packet” command can be used during the operating procedure to display the procedure of data packets processing of the server, including displaying the identified option 82 information of the request message and the option 82 information returned by the reply message. 33-88 Chapter 34 DHCP Option 60 and option 43 34.1 Introduction to DHCP Option 60 and Option 43 DHCP server analyzes DHCP packets from DHCP client. If packets with option 60, it will decide whether option 43 is returned to DHCP client according to option 60 of packets and configuration of option 60 and option 43 in DHCP server address pool. Configure the corresponding option 60 and option 43 in DHCP server address pool: 1. Address pool configured option 60 and option 43 at the same time. The received DHCP packet with option 60 from DHCP client, if it matches with option 60 of DHCP server address pool, DHCP client will receive the option 43 configured in the address pool, or else do not return option 43 to DHCP client. 2. Address pool only configured option 43, it will match with any option 60. If the received DHCP packet with option 60 from DHCP client, DHCP client will receive the option 43 configured in the address pool. 3. Address pool only configured option 60, it will not return option 43 to DHCP client. 34.2 DHCP Option 60 and Option 43 Configuration Task List 1. Basic DHCP option 60 and option 43 configuration Command Explanation Address Pool Mode Configure option 60 character option 60 ascii LINE string with ascii format in ip dhcp pool mode. Configure option 43 character option 43 ascii LINE string with ascii format in ip dhcp pool mode. Configure option 60 character option 60 hex WORD string with hex format in ip dhcp pool mode. Configure option 43 character option 43 hex WORD string with hex format in ip 34-89 dhcp pool mode. Configure option 60 character option 60 ip A.B.C.D string with IP format in ip dhcp pool mode. Configure option 43 character option 43 ip A.B.C.D string with IP format in ip dhcp pool mode. Delete the configured option no option 60 60 in the address pool mode. Delete the configured option no option 43 43 in the address pool mode. 34.3 DHCPv6 Option 60 and Option 43 Example Figure 34-1: Typical DHCP option 60 and option 43 topology Fit AP obtains IP address and option 43 attribute by DHCP server to send unicast discovery request for wireless controller. DHCP server configures option 60 matched with the option 60 of fit ap to return option 43 attribute to FTP AP. The wireless controller addresses of DHCP option 43 are 192.168.10.5 and 192.168.10.6. Configuration procedure: # Configure DHCP server switch (config)#ip dhcp pool a switch (dhcp-a-config)#option 60 ascii AP1000 switch (dhcp-a-config)#option 43 hex 0104C0A80A050104C0A80A06 34.4 DHCP Option 60 and Option 43 Troubleshooting If problems occur when configuring DHCP option 60 and option 43, please check whether the problem is caused by the following reasons: Check whether service dhcp function is enabled If the address pool configured option 60, check whether it matches with the option 60 of the packets 34-90 Chapter 35 DHCPv6 Options 37, 38 35.1 Introduction to DHCPv6 Options 37, 38 DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When DHCPv6 client wants to request address and configure parameter of DHCPv6 server from different link, it needs to communicate with server through DHCPv6 relay agent. DHCPv6 message received by relay agent node is reencapsulated to be relay-forward packets and they are forwarded to the server which sends the relay-reply packets to DHCPv6 relay agent node in different link, after that, relay agent node restores DHCPv6 message to DHCPv6 client to finish communication between client and server. There are some problems when using DHCPv6 relay agent, for example: How to assign IP address in the fixed range to the specified users? How to avoid illegal DHCPv6 client to forge IP address exhaust attack triggered by MAC address fields of DHCPv6 packets? How to avoid illegal DHCPv6 client to trigger deny service attack through using MAC address of other legal clients? Therefore, IETF set rfc4649 and rfc4580, i.e. DHCPv6 option 37 and option 38 to solve these problems. DHCPv6 option 37 and option 38 is similar to DHCP option 82. When DHCPv6 client sends request packets to DHCPv6 server though DHCPv6 relay agent, if DHCPv6 relay agent supports option 37 and option 38, they will be added to request packets. For the respond packets of server, option 37 and option 38 are meaningless and are peeled from the respond packets. Therefore, the application of option 37 and option 38 is transparent for client. DHCPv6 server can authenticate identity of DHCPv6 client and DHCPv6 relay device by option 37 and option 38, assign and manage client address neatly through configuring the assign policy, prevent DHCPv6 attack availably according to the inclusive client information, such as forging MAC address fields of DHCPv6 packets to trigger IP address exhaust attack. Since server can identify multiple request packets from the same access port, it can assign the address number through policy limit to avoid address exhaust. However, rfc4649 and rfc4580 do not set how to use option 37 and option 38 for DHCPv6 server, users can use it neatly according to their own demand. 35-1 35.2 DHCPv6 Options 37, 38 Configuration Task List 1. Dhcpv6 snooping option basic functions configuration 2. Dhcpv6 relay option basic functions configuration 3. Dhcpv6 server option basic functions configuration 1.DHCPv6 snooping option basic functions configuration Command Description Global Mode This command enables ipv6 dhcp snooping remote-id option DHCPv6 SNOOPING to no ipv6 dhcp snooping remote-id option support option 37 option, no command disables it. This command enables ipv6 dhcp snooping subscriber-id option DHCPv6 SNOOPING to no ipv6 dhcp snooping subscriber-id option support option 38 option, no command disables it. This command is used to configure the reforwarded policy of the system when receiving DHCPv6 packets with option 37, which can be: drop, the system simply discards it with option 37; ipv6 dhcp snooping remote-id policy {drop | keep | keep, the system keeps option replace} 37 unchanged and forwards no ipv6 dhcp snooping remote-id policy the packet to the server; replace, the system replaces option 37 of current packet with its own before forwarding it to the server. no command configures the reforwarded policy of DHCPv6 packets with option 37 as replace. This command is used to ipv6 dhcp snooping subscriber-id policy {drop | configure the reforwarded keep | replace} policy of the system when no ipv6 dhcp snooping subscriber-id policy receiving DHCPv6 packets with option 38, which can be: 35-2 drop, the system simply discards it with option 38; keep, the system keeps option 38 unchanged and forwards the packet to the server; replace, the system replaces option 38 of current packet with its own before forwarding it to the server. no command configures the reforwarded policy of DHCPv6 packets with option 38 as replace. Configures user configuration ipv6 dhcp snooping subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |) no ipv6 dhcp snooping subscriber-id select delimiter options to generate subscriber-id, no command restores to its original default configuration, i.e. enterprise number together with vlan MAC. Configures user configuration ipv6 dhcp snooping subscriber-id select options to generate (sp|sv|pv|spv) delimiter WORD (delimiter WORD |) subscriber-id. The no no ipv6 dhcp snooping subscriber-id select command restores to its original default configuration, delimiter i.e. vlan name together with port name. Port Mode This command is used to set the form of adding option 37 in received DHCPv6 request packets, of which <remote-id> ipv6 dhcp snooping remote-id <remote-id> no ipv6 dhcp snooping remote-id is the content of remote-id in user-defined option 37 and it is a string with a length of less than 128. The no operation restores remote-id in option 37 to enterprise-number together with vlan MAC address. ipv6 dhcp snooping subscriber-id <subscriber-id> 35-3 This command is used to set the form of adding option 38 in no ipv6 dhcp snooping subscriber-id received DHCPv6 request packets, of which <subscriber-id> is the content of subscriber-id in user-defined option 38 and it is a string with a length of less than 128. The no operation restores subscriber-id in option 38 to vlan name together with port name such as "Vlan2+Ethernet1/2". 2. DHCPv6 relay option basic functions configuration Command Description Global Mode This command enables the ipv6 dhcp relay remote-id option switch relay to support option no ipv6 dhcp relay remote-id option 37 and the no form of this command disables it. This command enables the ipv6 dhcp relay subscriber-id option switch relay to support the no ipv6 dhcp relay subscriber-id option option 38, the no form of this command disables it. Configures user configuration options to generate remote-id. ipv6 dhcp relay remote-id delimiter WORD no ipv6 dhcp relay remote-id delimiter The no command restores to its original default configuration, i.e. enterprise number together with vlan MAC. Configures user configuration options to generate ipv6 dhcp relay subscriber-id select (sp | sv | pv | subscriber-id. The no spv) delimiter WORD (delimiter WORD |) command restores to its no ipv6 dhcp relay subscriber-id select delimiter original default configuration, i.e. vlan name together with port name. 35-4 Layer 3 Interface Mode This command is used to set the form of adding option 37 in received DHCPv6 request packets, of which <remote-id> is the content of remote-id in ipv6 dhcp relay remote-id <remote-id> user-defined option 37 and it is no ipv6 dhcp relay remote-id a string with a length of less than 128. The no operation restores remote-id in option 37 to enterprise-number together with vlan MAC address. This command is used to set the form of adding option 38 in received DHCPv6 request packets, of which <subscriber-id> is the content ipv6 dhcp relay subscriber-id <subscriber-id> no ipv6 dhcp relay subscriber-id of subscriber-id in user-defined option 38 and it is a string with a length of less than 128. The no operation restores subscriber-id in option 38 to vlan name together with port name such as "Vlan2+Ethernet1/2". 3. Dhcpv6 server option basic functions configuration Command Description Global Mode This command enables DHCPv6 server to support the ipv6 dhcp server remote-id option identification of option 37, the no ipv6 dhcp server remote-id option no form of this command disables it. This command enables ipv6 dhcp server subscriber-id option DHCPv6 server to support the no ipv6 dhcp server subscriber-id option identification of option 38, the no form of this command 35-5 disables it. This command enables DHCPv6 server to support the using of DHCPv6 class during ipv6 dhcp use class address assignment, the no no ipv6 dhcp use class form of this command disables it without removing the relative DHCPv6 class information that has been configured. This command defines a DHCPv6 class and enters ipv6 dhcp class <class-name> DHCPv6 class mode, the no no ipv6 dhcp class <class-name> form of this command removes this DHCPv6 class. VLAN Interface Mode This command enables the DHCPv6 server to support selections when multiple option 37 or option 38 options exist and the option 37 and ipv6 dhcp server select relay-forw option 38 of relay-forw in the no ipv6 dhcp server select relay-forw innermost layer are selected. The no operation of it restores the default configuration, i.e. selecting option 37 and option 38 of the original packets. IPv6 DHCP Class Mode {remote-id [*] <remote-id> [*] | subscriber-id [*] This command configures <subscriber-id> [*]} option 37 and option 38 that no {remote-id [*] <remote-id> [*] | subscriber-id [*] match the class in ipv6 dhcp <subscriber-id> [*]} class configuration mode. DHCPv6 Address Pool Mode This command associates class to address pool in DHCPv6 address pool class <class-name> configuration mode and enters no class <class-name> class configuration mode in address pool. Use no command to remove the link. 35-6 This command is used to set address range for a DHCPv6 class in DHCPv6 address pool address range <start-ip> <end-ip> configuration mode, the no no address range <start-ip> <end-ip> command is used to remove the address range. The prefix/plen form is not supported. 35-7 35.3 DHCPv6 Options 37, 38 Examples 35.3.1 DHCPv6 Snooping options 37, 38 Example Switch B Interface E1/1 SwitchA Interface E1/2 Interface E1/3 MAC-AA MAC-BB Interface E1/4 MAC-CC Figure 35-1: DHCPv6 Snooping option schematic As shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users, connected to untrusted interface 1/2, 1/3 and 1/4 respectively, and they get IP 2010:2, 2010:3 and 2010:4 through DHCPv6 Client; DHCPv6 Server is connected to the trusted interface 1/1. Configure three address assignment policies (CLASS), of which CLASS1 matches option 38, CLASS2 matches option 37 and CLASS3 matches option 37 and option 38. In the address pool EastDormPool, the requests matched with CLASS1, CLASS2 and CLASS3 will be assigned an address ranging from 2001:da8:100:1::2 to 2001:da8:100:1::30, from 2001:da8:100:1::31 to 2001:da8:100:1::60 and from 2001:da8:100:1::61 to2001:da8:100:1::100 respectively; DHCPv6 snooping function is enabled and option 37 and option 38 are configured in Switch A. Switch A configuration: SwitchA(config)#ipv6 dhcp snooping remote-id option SwitchA(config)#ipv6 dhcp snooping subscriber-id option SwitchA(config)#int e 1/1 SwitchA(config-if-ethernet1/1)#ipv6 dhcp snooping trust SwitchA(config-if-ethernet1/1)#exit SwitchA(config)#interface vlan 1 35-8 SwitchA(config-if-vlan1)#ipv6 address 2001:da8:100:1::1 SwitchA(config-if-vlan1)#exit SwitchA(config)#interface ethernet 1/1-4 SwitchA(config-if-port-range)#switchport access vlan 1 SwitchA(config-if-port-range)#exit SwitchA(config)# Switch B configuration: SwitchB(config)#service dhcpv6 SwitchB(config)#ipv6 dhcp server remote-id option SwitchB(config)#ipv6 dhcp server subscriber-id option SwitchB(config)#ipv6 dhcp pool EastDormPool SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000 SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1 SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.com SwitchB(dhcpv6-eastdormpool-config)# excluded-address 2001:da8:100:1::2 SwitchB(dhcpv6-eastdormpool-config)#exit SwitchB(config)# SwitchB(config)#ipv6 dhcp class CLASS1 SwitchB(dhcpv6-class-class1-config)#remote-id 00-30-4f-00-00-01 subscriber-id vlan1+Ethernet1/1 SwitchB(dhcpv6-class-class1-config)#exit SwitchB(config)#ipv6 dhcp class CLASS2 SwitchB(dhcpv6-class-class2-config)#remote-id 00-30-4f-00-00-01 subscriber-id vlan1+Ethernet1/2 SwitchB(dhcpv6-class-class2-config)#exit SwitchB(config)#ipv6 dhcp class CLASS3 SwitchB(dhcpv6-class-class3-config)#remote-id 00-30-4f-00-00-01 subscriber-id vlan1+Ethernet1/3 SwitchB(dhcpv6-class-class3-config)#exit SwitchB(config)#ipv6 dhcp pool EastDormPool SwitchB(dhcpv6-eastdormpool-config)#class CLASS1 SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#address range 2001:da8:100:1::3 2001:da8:100:1::30 SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#exit SwitchB(dhcpv6-eastdormpool-config)#class CLASS2 SwitchB(dhcpv6-pool-eastdormpool-class-class2-config)#address range 35-9 2001:da8:100:1::31 2001:da8:100:1::60 SwitchB(dhcpv6-eastdormpool-config)#class CLASS3 SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#address range 2001:da8:100:1::61 2001:da8:100:1::100 SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit SwitchB(dhcpv6-eastdormpool-config)#exit SwitchB(config)#interface vlan 1 SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64 SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool SwitchB(config-if-vlan1)#exit SwitchB(config)# 35.3.2 DHCPv6 Relay option37, 38 Example Example 1: When deploying IPv6 campus network, DHCPv6 server function of routing device can be used for IPv6 address allocation if special server is used for uniform allocation and management for IPv6 address. DHCPv6 server supports both stateful and stateless DHCPv6. Network topology: In access layer, layer2 access device Switch1 connects users in dormitory; in first-level aggregation layer, aggregation device Switch2 is used as DHCPv6 relay agent; in second-level aggregation layer, aggregation device Switch3 is used as DHCPv6 server and connects with backbone network or devices in higher aggregation layer; in user side, PCs are generally loaded with Windows Vista system, thus having DHCPv6 client. Figure 35-2: DHCPv6 relay option schematic 35-10 Switch 2 configuration: S2(config)#service dhcpv6 S2(config)#ipv6 dhcp relay remote-id option S2(config)#ipv6 dhcp relay subscriber-id option S2(config)#vlan 10 S2(config-vlan10)#int vlan 10 S2(config-if-vlan10)#ipv6 address 2001:da8:1:::2/64 S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1 S2(config-if-vlan10)#exit S2(config)# 35.4 DHCPv6 Options 37, 38 Troubleshooting Request packets sent by DHCPv6 client are multicast packets received by the device within its VLAN, if DHCPv6 server wants to receive the packets from client, DHCPv6 client and DHCPv6 server must be in the same VLAN, otherwise it needs to use DHCPv6 relay. Snooping option37,38 can process one of the following operations for DHCPv6 request packets with option37,38: replace the original option37,38 with its own; discard the packets with option37,38; do not execute adding, discarding or forwarding operation. Therefore, please check policy configuration of snooping option37,38 on second device when obtaining the false address or no address is obtained according to option37,38. DHCPv6 server obtains option37,38 of the packets from client by default, if no, it will obtain option37,38 of the packet sent by relay. DHCPv6 server only checks whether the first DHCPv6 relay adds option37,38 that means only option37,38 of the innermost relay-forw is valid in relay packets. 35-11 Chapter 36 DHCP Snooping Configuration 36.1 Introduction to DHCP Snooping DHCP Snooping means that the switch monitors the IP-getting process of DHCP CLIENT via DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVER by setting trusted ports and untrusted ports. And the DHCP messages from trusted ports can be forwarded without being verified. In typical settings, trusted ports are used to connect DHCP SERVER or DHCP RELAY Proxy, and untrusted ports are used to connect DHCP CLINET. The switch will forward the DCHP request messages from untrusted ports, but not DHCP reply ones. If any DHCP reply messages is received from a untrusted port, besides giving an alarm, the switch will also implement designated actions on the port according to settings, such as “shutdown”, or distributing a “blackhole”. If DHCP Snooping binding is enabled, the switch will save binding information (including its MAC address, IP address, IP lease, VLAN number and port number) of each DHCP CLINET on untrusted ports in DHCP snooping binding table With such information, DHCP Snooping can combine modules like dot1x and ARP, or implement user-access-control independently. Defense against Fake DHCP Server: once the switch intercepts the DHCP Server reply packets(including DHCPOFFER, DHCPACK, and DHCPNAK), it will alarm and respond according to the situation(shutdown the port or send Black hole)。 Defense against DHCP over load attacks: To avoid too many DHCP messages attacking CPU, users should limit the DHCP speed of receiving packets on trusted and non-trusted ports. Record the binding data of DHCP: DHCP SNOOPING will record the binding data allocated by DHCP SERVER while forwarding DHCP messages, it can also upload the binding data to the specified server to backup it. The binding data is mainly used to configure the dynamic users of dot1x user based ports. Please refer to the chapter called“dot1x configuration” to find more about the usage of dot1x use-based mode. Add binding ARP: DHCP SNOOPING can add static binding ARP according to the binding data after capturing binding data, thus to avoid ARP cheating. Add trusted users: DHCP SNOOPING can add trusted user list entries according to the parameters in binding data after capturing binding data; thus these users can access all resources without DOT1X authentication. Automatic Recovery: A while after the switch shut down the port or send blockhole, it should automatically recover the communication of the port or source MAC and send information to Log Server via syslog. 36-12 LOG Function: When the switch discovers abnormal received packets or automatically recovers, it should send syslog information to Log Server. The Encryption of Private Messages: The communication between the switch and the inner network security management system TrustView uses private messages. And the users can encrypt those messages of version 2. Add authentication option82 Function: It is used with dot1x dhcpoption82 authentication mode. Different option 82 will be added in DHCP messages according to user’s authentication status. 36.2 DHCP Snooping Configuration Task Sequence 1. Enable DHCP Snooping 2. Enable DHCP Snooping binding function 3. Enable DHCP Snooping option82 function 4. Set the private packet version 5. Set DES encrypted key for private packets 6. Set helper server address 7. Set trusted ports 8. Enable DHCP Snooping binding DOT1X function 9. Enable DHCP Snooping binding USER function 10. Adding static list entries function 11. Set defense actions 12. Set rate limitation of DHCP messages 13. Enable the debug switch 14. Configure DHCP Snooping option 82 attributes 1. Enable DHCP Snooping Command Explanation Globe Mode ip dhcp snooping enable no ip dhcp snooping enable Enable or disable the DHCP snooping function. 2. Enable DHCP Snooping binding Command Explanation Globe Mode 36-13 ip dhcp snooping binding enable no ip dhcp snooping binding enable Enable or disable the DHCP snooping binding function. 3. Enable DHCP Snooping binding ARP function Command Explanation Globe Mode ip dhcp snooping binding arp no ip dhcp snooping binding arp This command is not supported by the switch. 4. Enable DHCP Snooping option82 function Command Explanation Globe Mode ip dhcp snooping information enable no ip dhcp snooping information enable Enable/disable DHCP Snooping option 82 function. 5. Set the private packet version Command Explanation Globe Mode ip user private packet version two no ip user private packet version two To configure/delete the private packet version. 6. Set DES encrypted key for private packets Command Explanation Globe Mode enable trustview key 0/7 <password> To configure/delete DES encrypted key for no enable trustview key private packets. 7. Set helper server address Command Explanation Globe Mode 36-14 ip user helper-address A.B.C.D [port <udpport>] source <ipAddr> (secondary|) Set or delete helper server address. no ip user helper-address (secondary|) 8. Set trusted ports Command Explanation Port Mode ip dhcp snooping trust Set or delete the DHCP snooping trust attributes no ip dhcp snooping trust of ports. 9. Enable DHCP SNOOPING binding DOT1X function Command Explanation Port Mode ip dhcp snooping binding dot1x Enable or disable the DHCP snooping binding no ip dhcp snooping binding dot1x dot1x function. 10. Enable or disable the DHCP SNOOPING binding USER function Command Explanation Port Mode ip dhcp snooping binding user-control Enable or disable the DHCP snooping binding no ip dhcp snooping binding user function. user-control 36-15 11. Add static binding information Command Explanation Globe Mode ip dhcp snooping binding user <mac> address <ipAddr> interface (ethernet|) <ifname> Add/delete DHCP snooping static binding list no ip dhcp snooping binding user entries. <mac> interface (ethernet|) <ifname> 12. Set defense actions Command Explanation Port Mode ip dhcp snooping action {shutdown|blackhole} [recovery Set or delete the DHCP snooping automatic <second>] defense actions of ports. no ip dhcp snooping action 13. Set rate limitation of data transmission Command Explanation Globe Mode ip dhcp snooping limit-rate <pps> Set rate limitation of the transmission of DHCP no ip dhcp snooping limit-rate snooping messages. 14. Enable the debug switch Command Explanation Admin Mode debug ip dhcp snooping packet debug ip dhcp snooping event Please refer to the chapter on system debug ip dhcp snooping update troubleshooting. debug ip dhcp snooping binding 15. Configure DHCP Snooping option 82 attributes 36-16 Command Explanation Globe Mode ip dhcp snooping information option subscriber-id format {hex | acsii | vs-hp} This command is used to set subscriber-id format of DHCP snooping option82. ip dhcp snooping information Set the suboption2 (remote ID option) content of option remote-id {standard | option 82 added by DHCP request packets (they <remote-id>} are received by the port). The no command sets no ip dhcp snooping information the additive suboption2 (remote ID option) option remote-id format of option 82 as standard. ip dhcp snooping information option delimiter [colon | dot | slash Set the delimiter of each parameter for | space] suboption of option82 in global mode, no no ip dhcp snooping information command restores the delimiter as slash. option delimiter ip dhcp snooping information option self-defined remote-id Set creation method for option82, users can {hostname | mac | string WORD} define the parameters of remote-id suboption by no ip dhcp snooping information themselves. option self-defined remote-id ip dhcp snooping information option self-defined remote-id format [ascii | hex] Set self-defined format of remote-id for snooping option82. ip dhcp snooping information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname)| remote-mac) | string WORD} no ip dhcp snooping information Set creation method for option82, users can define the parameters of circute-id suboption by themselves. option type self-defined subscriber-id ip dhcp snooping information option self-defined subscriber-id format [ascii | hex] Set self-defined format of circuit-id for snooping option82. Port mode 36-17 ip dhcp snooping information Set the suboption1 (circuit ID option) content of option subscriber-id {standard | option 82 added by DHCP request packets (they <circuit-id>} are received by the port). The no command sets no ip dhcp snooping information the additive suboption1 (circuit ID option) format option subscriber-id of option 82 as standard. Command Explanation Globe Mode This command is used to set that allow ip dhcp snooping information option allow-untrusted (replace|) no ip dhcp snooping information option allow-untrusted (replace|) untrusted ports of DHCP snooping to receive DHCP packets with option82 option. When the "replace" is setting, the potion82 option is allowed to replace. When disabling this command, all untrusted ports will drop DHCP packets with option82 option. 36.3 DHCP Snooping Typical Application Figure 36-1: Sketch Map of TRUNK As showed in the above chart, Mac-AA device is the normal user, connected to the non-trusted port 1/1 of the switch. It operates via DHCP Client, IP 1.1.1.5; DHCP Server and GateWay are connected to the trusted ports 1/11 and 1/12 of the switch; the malicious user Mac-BB is connected to the non-trusted port 1/10, trying to fake a DHCP Server(by sending DHCPACK). Setting DHCP Snooping on the switch will effectively detect and block this kind of network attack. 36-18 Configuration sequence is: switch# switch#config switch(config)#ip dhcp snooping enable switch(config)#interface ethernet 1/11 switch(Config-Ethernet1/11)#ip dhcp snooping trust switch(Config-Ethernet1/11)#exit switch(config)#interface ethernet 1/12 switch(Config-Ethernet1/12)#ip dhcp snooping trust switch(Config-Ethernet1/12)#exit switch(config)#interface ethernet 1/1-10 switch(Config-Port-Range)#ip dhcp snooping action shutdown switch(Config-Port-Range)# 36.4 DHCP Snooping Troubleshooting Help 36.4.1 Monitor and Debug Information The “debug ip dhcp snooping” command can be used to monitor the debug information. 36.4.2 DHCP Snooping Troubleshooting Help If there is any problem happens when using DHCP Snooping function, please check if the problem is caused by the following reasons: Check that whether the global DHCP Snooping is enabled; If the port does not react to invalid DHCP Server packets, please check that whether the port is set as a non-trusted port of DHCP Snooping. 36-19 Chapter 37 DHCP Snooping Option 82 Configuration 37.1 Introduction to DHCP Snooping Option 82 DHCP option 82 is the Relay Agent Information Option, its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. Switch obtain DHCP request packets(include DHCPDISCOVER, DHCPREQUEST, DHCPINFORM and DHCPRELEASE), DHCP SNOOPING is added to option 82 by request packets (including the client’s physical access port, the access device ID and other information), to the DHCP request message from the client then forwards the message to DHCP server. When the DHCP server which supports the option 82 function receives the message, it will allocate an IP address and other configuration information for the client according to preconfigured policies and the option 82 information in the message. At the same time, DHCP server can identify all the possible DHCP attack messages according to the information in option 82 and defend against them. DHCP SNOOPING will peel the option 82 from the reply messages it receives, and forward the reply message to the specified port of the network access device. The application of DHCP option 82 is transparent for the client. 37.1.1 DHCP Option 82 Message Structure A DHCP message can have several option segments; option 82 is one of them. It has to be placed after other options but before option 255. The following is its format: Code: represents the sequence number of the relay agent information option, the option 82 is called so because RFC3046 is defined as 82. Len: the number of bytes in Agent Information Field, not including the two bytes in Code segment and Len segment. Option 82 can have several sub-options, and need at least one sub-option. RFC3046 defines the following two sub-options, whose formats are showed as follows: 37-20 SubOpt: the sequence number of sub-option, the sequence number of Circuit ID sub-option is 1, the sequence number of Remote ID sub-option is 2. Len: the number of bytes in Sub-option Value, not including the two bytes in SubOpt segment and Len segment. 37.1.2 DHCP Snooping Option 82 Working Mechanism DHCP SNOOPING DHCP Request DHCP Request Option82 DHCP Reply DHCP Reply Option82 DHCP Client DHCP Server DHCP option 82 flow chart If the DHCP SNOOPING supports option 82, the DHCP client should go through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The DHCP protocol follows the procedure below: 1)DHCP client sends a request broadcast message while initializing. This request message does not have option 82. 2)DHCP SNOOPING will add the option 82 to the end of the request message it receives, and perform layer 2 forwarding. By default, the sub-option 1 of option 82 (Circuit ID) is the interface information of the switch connected to the DHCP client (VLAN name and physical port name). The sub-option 2 of option 82(Remote ID) is the CPU MAC address of the switch. 3)After receiving the DHCP request message, the DHCP server will allocate IP address and other information for the client according to the information and preconfigured policy in the option segment of the message. Then it will forward the reply message with DHCP configuration information and option 82 information to DHCP SNOOPING. 4)DHCP SNOOPING will peel the option 82 information from the replay message sent by DHCP server, then the message with DHCP configuration information to perform layer 2 forwarding. 37-21 37.2 DHCP Snooping Option 82 Configuration Task List 1. Enable DHCP SNOOPING 2. Enable DHCP Snooping binding function 3. Enable DHCP Snooping option 82 binding function 4. Configure trusted ports 1. Enable DHCP SNOOPING Command Explanation Global Mode ip dhcp snooping enable Enable or disable DHCP SNOOPING no ip dhcp snooping enable function. 2. Enable DHCP Snooping binding function Command Explanation Global Mode ip dhcp snooping binding enable Enable or disable DHCP SNOOPING no ip dhcp snooping binding enable binding function. 3. Enable DHCP Snooping option 82 function Command Explanation Global Mode ip dhcp snooping information enable Enable or disable DHCP SNOOPING no ip dhcp snooping information enable option 82 function. 4. Configure trusted ports Command Explanation Port Mode ip dhcp snooping trust Set or delete DHCP SNOOPING trust no ip dhcp snooping trust attribute of ports. 37-22 37.3 DHCP Snooping Option 82 Application Examples DHCP Client PC1 Switch1 Vlan1:eth1/3 DHCP Server Figure 37-1: DHCP option 82 typical application example In the above example, layer 2 Switch1 will transmit the request message from DHCP client to DHCP serer through enable DHCP Snooping. It will also transmit the reply message from the server to DHCP client to finish the DHCP protocol procedure. After the DHCP SNOOPING option 82 function is enabled, the Switch1 appends the port information of accessing Switch1 to the request message from the client by option 82. The following is the configuration of Switch1(MAC address is 00-30-4f-02-33-01): Switch1(config)#ip dhcp snooping enable Switch1(config)#ip dhcp snooping binding enable Switch1(config)# ip dhcp snooping information enable Switch1(Config-If-Ethernet1/12)#ip dhcp snooping trust Linux ISC DHCP Server supports option 82, its configuration file /etc/dhcpd.conf is ddns-update-style interim; ignore client-updates; class "Switch1Vlan1Class1" { match if option agent.circuit-id = agent.remote-id=00:30:4f:02:33:01; } subnet 192.168.102.0 netmask 255.255.255.0 { option routers 192.168.102.2; option subnet-mask 255.255.255.0; option domain-name "example.com.cn"; option domain-name-servers 192.168.10.3; authoritative; pool { range 192.168.102.51 192.168.102.80; 37-23 "Vlan1+Ethernet1/3" and option default-lease-time 43200; #12 Hours max-lease-time 86400; #24 Hours allow members of "Switch1Vlan1Class1"; } } Now, the DHCP server will allocate addresses for the network nodes from Switch1 within the range of 192.168.102.51 ~ 192.168.102.80. 37.4 DHCP Snooping Option 82 Troubleshooting To implement the option 82 function of DHCP SNOOPING, the “debug ip dhcp snooping packet” command can be used during the operating procedure, including adding the option 82 information of the request message, the option 82 information peeled by the reply message. 37-24 Chapter 38 IPv4 Multicast Protocol 38.1 IPv4 Multicast Protocol Overview This chapter will give an introduction to the configuration of IPv4 Multicast Protocol. 38.1.1 Introduction to Multicast Various transmission modes can be adopted when the destination of packet (including data, sound and video) transmission is the minority users in the network. One way is to use Unicast mode, i.e. to set up a separate data transmission path for each user; or, to use Broadcast mode, which is to send messages to all users in the network, and they will receive the Broadcast messages no matter they need or not. For example, if there are 200 users in a network who want to receive the same packet, then the traditional solution is to send this packet for 200 times separately via Unicast to guarantee the users who need the data can get all data wanted, or send the data in the entire domain via Broadcast. Transferring the data in the whole range of network .The users who need these data can get directly from the network. Both modes waste a great deal of valuable bandwidth resource, and furthermore, Broadcast mode goes against the security and secrecy. The emergence of IP Multicast technology solved this problem in time. The Multicast source only sends out the message once, Multicast Routing Protocol sets up tree-routing for Multicast data packet, and then the transferred packet just starts to be duplicated and distributed in the bifurcate crossing as far as possible. Thus the packet can be sent to every user who needs it accurately and effectively. It should be noticed that it is not necessary for Multicast source to join in Multicast group. It sends data to some Multicast groups, but it is not necessarily a receiver of the group itself. There can be more than one source sending packets to a Multicast group simultaneously. There may exist routers in the network which do not support Multicast, but a Multicast router can encapsulate the Multicast packets into Unicast IP packets with tunnel mode to send them to the Multicast router next to it, which will take off the Unicast IP header and continue the Multicast transmission process, thus a big alteration of network structure is avoided. The primary advantages of Multicast are: 1. Enhance efficiency: reduce network traffic, lighten the load of server and CPU 2. Optimize performance: reduce redundant traffic 3. Distributed application: Enable Multipoint Application 38-25 38.1.2 Multicast Address The destination address of Multicast message uses class D IP address with range from 224.0.0.0 to 239.255.255.255. D class address can not appear in the source IP address field of an IP message. In the process of Unicast data transmission, the transmission path of a data packet is from source address routing to destination address, and the transmission is performed with hop-by-hop principle. However, in IP Multicast environment, the destination addresses is a group instead of a single one, they form a group address. All message receivers will join in a group, and once they do, the data flowing to the group address will be sent to the receivers immediately and all members in the group will receive the data packets. The members in a Multicast group are dynamic, the hosts can join and leave the Multicast group at any time. Multicast group can be permanent or temporary. Some of the Multicast group addresses are assigned officially; they are called Permanent Multicast Group. Permanent Multicast Group keeps its IP address fixed but its member structure can vary within. The member amount of Permanent Multicast Group can be arbitrary, even zero. The IP Multicast addresses which are not kept for use by Permanent Multicast Group can be utilized by temporary Multicast groups. 224.0.0.0 ~ 224.0.0.255 are reserved Multicast addresses (Permanent Group Address), address 224.0.0.0 is reserved but not assigned, and other addresses are used by Routing Protocol; 224.0.1.0~238.255.255.255 are Multicast addresses available to users(Temporary Group Address ) and are valid in the entire domain of the network; 239.0.0.0 ~ 239.255.255.255 are local management Multicast addresses, which are valid only in specific local domain. Frequently used reserved multicast address list is as follows: Benchmark address (reserved) 224.0.0.1 Address of all hosts 224.0.0.2 Address of all Multicast Routers 224.0.0.3 Unassigned 224.0.0.4 DVMRP Router 224.0.0.5 OSPF Router 224.0.0.6 OSPF DR 224.0.0.7 ST Router 224.0.0.8 ST host 224.0.0.9 RIP-2 Router 224.0.0.10 IGRP Router 224.0.0.11 Active Agent 224.0.0.12 DHCP Server/Relay Agent 224.0.0.13 All PIM Routers 224.0.0.14 RSVP Encapsulation 224.0.0.15 All CBT Routers 38-26 224.0.0.16 Specified SBM 224.0.0.17 All SBMS 224.0.0.18 VRRP 224.0.0.22 IGMP When Ethernet transmits Unicast IP messages, the destination MAC address it uses is the receiver’s MAC address. But in transmitting Multicast packets, the transmission destination is not a specific receiver any more, but a group with uncertain members, thus Multicast MAC address is used. Multicast MAC address is corresponding to Multicast IP address. It is prescribed in IANA (Internet Assigned Number Authority) that the higher 25 bits in Multicast MAC address is 0x01005e, and the lower 23bits in MAC address is the lower 23bits in Multicast IP address. Since only 23bits out of the lower 28bits in IP Multicast address are mapped into MAC address, therefore there are 32 IP Multicast addresses which are mapped into the same MAC address. 38.1.3 IP Multicast Packet Transmission In Multicast mode, the source host sends packets to the host group indicated by the Multicast group address in the destination address field of IP data packet. Unlike Unicast mode, Multicast data packet must be forwarded to a number of external interfaces to be sent to all receiver sites in Multicast mode, thus Multicast transmission procedure is more complicated than Unicast transmission procedure. In order to guarantee that all Multicast packets get to the router via the shortest path, the receipt interface of the Multicast packet must be checked in some certain way based on Unicast router table; this checking mechanism is the basis for most Multicast Routing Protocol to forward in Multicast mode --- RPF (Reverse Path Forwarding) check. Multicast router makes use of the impressed packet source address to query Unicast Router Table or independent Multicast Router Table to determine if the packet ingress interface is on the shortest path from receipt site to source address. If shortest path Tree is used, then the source address is the address of source host which sends Multicast Data Packets; if Shared Tree is used, then the source address is the address of the root of the Shared-Tree. When Multicast data packet gets to the router, if RPF check passes, then the data packet is forwarded according to Multicast forward item, and the data packet will be discarded else wise. 38.1.4 IP Multicast Application IP Multicast technology has effectively solved the problem of sending in single point and receiving in multipoint. It has achieved the effective data transmission from a point to multiple points, saved a great deal of network bandwidth and reduced network load. Making use of the Multicast property of network, some new value-added operations can be supplied conveniently. 38-27 In Information Service areas such as online living broadcast, network TV, remote education, remote medicine, real time video/audio meeting, the following applications may be supplied: 1) Application of Multimedia and Streaming Media 2) Data repository, finance application (stock) etc 3) Any data distribution application of “one point to multiple points” In the situation of more and more multimedia operations in IP network, Multicast has tremendous market potential and Multicast operation will be generalized and popularized. 38.2 DCSCM 38.2.1 Introduction to DCSCM DCSCM (Destination control and source control multicast) technology mainly includes three aspects, i.e. Multicast Packet Source Controllable, Multicast User Controllable and Service-Oriented Priority Strategy Multicast. The Multicast Packet Source Controllable technology of Security Controllable Multicast technology is mainly processed in the following manners: 1. On the edge switch, if source under-control multicast is configured, then only multicast data from specified group of specified source can pass. 2. For RP switch in the core of PIM-SM, for REGISTER information out of specified source and specified group, REGISTER_STOP is transmitted directly and table entry is not allowed to set up. (This task is implemented in PIM-SM model). The implement of Multicast User Controllable technology of Security Controllable Multicast technology is based on the control over IGMP report message sent out by the user, thus the model being controlled is IGMP snooping and IGMPmodel, of which the control logic includes the following three, i.e. to take control based on VLAN+MAC address transmitting packets, to take control based on IP address of transmitting packets and to take control based on the port where messages enter, in which IGMP snooping can use the above three methods to take control simultaneously, while since IGMP model is located at layer 3, it only takes control over the IP address transmitting packets. The Service-Oriented Priority Strategy Multicast of Security Controllable technology adopts the following mode: for multicast data in limit range, set the priority specified by the user at the join-in end so that data can be sent in a higher priority on TRUNK port, consequently guarantee the transmission is processed in user-specified priority in the entire network. 38-28 38.2.2 DCSCM Configuration Task List 1. Source Control Configuration 2. Destination Control Configuration 3. Multicast Strategy Configuration 1. Source Control Configuration Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows: Command Explanation Global Mode Enable source control globally, the “no ip multicast source-control” command disables source control globally. It is noticeable that, after [no] ip multicast source-control (Required) enabling source control globally, all multicast packets are discarded by default. All source control configuration can not be processed until that it is enabled globally, while source control can not be disabled until all configured rules are disabled. The next is to configure the rule of source control. It is configured in the same manner as for ACL, and uses ACL number of 5000-5099, every rule number can be used to configure 10 rules. It is noticeable that these rules are ordered, the front one is the one which is configured the earliest. Once the configured rules are matched, the following rules won’t take effect, so rules of globally allow must be put at the end. The commands are as follows: Command Explanation Global Mode [no] access-list <5000-5099> {deny|permit} ip {{<source> <source-wildcard>}|{host-source <source-host-ip>}|any-source} {{<destination> <destination-wildcard>}|{host-desti nation The rule used to configure source control. This rule does not take effect until it is applied to specified port. Using the NO form of it can delete specified rule. <destination-host-ip>}|any-destinat ion} 38-29 The last is to configure the configured rule to specified port. Note: If the rules being configured will occupy the table entries of hardware, configuring too many rules will result in configuration failure caused by bottom table entries being full, so we suggest user to use the simplest rules if possible. The configuration rules are as follows: Command Explanation Port Mode [no] ip multicast source-control Used to configure the rules source control uses access-group <5000-5099> to port, the NO form cancels the configuration. 2. Destination Control Configuration Like source control configuration, destination control configuration also has three steps. First, enable destination control globally. Since destination control need to prevent unauthorized user from receiving multicast data, the switch won’t broadcast the multicast data it received after configuring global destination control. Therefore, It should be avoided to connect two or more other Layer 3 switches in the same VLAN on a switch on which destination control is enabled. The configuration commands are as follows: Command Explanation Global Mode Globally enable destination control. The no operation of this command will globally disable destination control. All [no] multicast destination-control of the other configuration can only (required) take effect after globally enabled. The next is configuring destination control rules, which are similar. Next is to configure destination control rule. It is similar to source control, except to use ACL No. of 6000-7999. Command Explanation Global Mode 38-30 [no] access-list <6000-7999> {deny|permit} ip {{<source> <source-wildcard>}|{host-source The rule used to configure destination <source-host-ip>{range<2-65535>|}}|any-sou control. This rule does not take effect rce} {{<destination> until it is applied to source IP or <destination-wildcard>}|{host-destination VLAN-MAC and port. Using the NO <destination-host-ip>{range<2-255>|}}|any-d form of it can delete specified rule. estination} The last is to configure the rule to specified source IP, source VLAN MAC or specified port. It is noticeable that, due to the above situations, these rules can only be used globally in enabling IGMP-SNOOPING. And if IGMP-SNOOPING is not enabled, then only source IP rule can be used under IGMP Protocol. The configuration commands are as follows: Command Explanation Port Mode Used to configure the rules destination [no] ip multicast destination-control control uses to port, the NO form access-group <6000-7999> cancels the configuration. Global Mode [no] ip multicast destination-control Used to configure the rules destination <1-4094> <macaddr> access-group control uses to specify VLAN-MAC, the <6000-7999> NO form cancels the configuration. Used to configure the rules destination [no] ip multicast destination-control control uses to specified IP address/net <IPADDRESS/M> access-group mask, the NO form cancels the <6000-7999> configuration. 3. Multicast Strategy Configuration Multicast Strategy uses the manner of specifying priority for specified multicast data to achieve and guarantee the effects the specific user requires. It is noticeable that multicast data can not get a special care all along unless the data are transmitted at TRUNK port. The configuration is very simple, it has only one command, i.e. to set priority for the specified multicast. The commands are as follows: Command Explanation Global Mode [no] ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority> Configure multicast strategy, specify priority for sources and groups in specific range, and the range is <0-7>. 38-31 38.2.3 DCSCM Configuration Examples 1. Source Control In order to prevent an Edge Switch from putting out multicast data ad asbitsium, we configure Edge Switch so that only the switch at port Ethernet1/5 is allowed to transmit multicast, and the data group must be 225.1.2.3. Also, switch connected up to port Ethernet1/10 can transmit multicast data without any limit, and we can make the following configuration. EC(config)#access-list 5000 permit ip any host 225.1.2.3 EC(config)#access-list 5001 permit ip any EC(config)#ip multicast source-control EC(config)#interface ethernet1/5 EC(Config-If-Ethernet1/5)#ip multicast source-control access-group 5000 EC(config)#interface ethernet1/10 EC(Config-If-Ethernet1/10)#ip multicast source-control access-group 5001 2. Destination Control We want to limit users with address in 10.0.0.0/8 network segment from entering the group of 238.0.0.0/8, so we can make the following configuration: Firstly enable IGMP snooping in the VLAN it is located (Here it is assumed to be in VLAN2) EC(config)#ip igmp snooping EC(config)#ip igmp snooping vlan 2 After that, configure relative destination control access-list, and configure specified IP address to use that access-list. Switch(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255 Switch(config)#access-list 6000 permit ip any Switch(config)#multicast destination-control Switch(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000 In this way, users of this network segment can only join groups other than 238.0.0.0/8. 3. Multicast strategy Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3, we can configure on its join-in switch as follows: Switch(config)#ip multicast policy 210.1.1.1/32 239.1.2.3/32 cos 4 38-32 In this way, the multicast stream will have a priority of value 4 (Usually this is pretty higher, the higher possible one is protocol data; if higher priority is set, when there is too many multicast data, it might cause abnormal behavior of the switch protocol) when it gets to other switches through this switch. 38.2.4 DCSCM Troubleshooting The effect of DCSCM module itself is similar to ACL, and the problems occurred are usually related to improper configuration. Please read the descriptions above carefully. If you still can not determine the cause of the problem, please send your configurations and the effects you expect to the after-sale service staff of our company. 38.3 IGMP Snooping 38.3.1 Introduction to IGMP Snooping IGMP (Internet Group Management Protocol) is a protocol used in IP multicast. IGMP is used by multicast enabled network device (such as a router) for host membership query, and by hosts that are joining a multicast group to inform the router to accept packets of a certain multicast address. All those operations are done through IGMP message exchange. The router will use a multicast address (224.0.0.1) that can address to all hosts to send an IGMP host membership query message. If a host wants to join a multicast group, it will reply to the multicast address of that a multicast group with an IGMP host membership reports a message. IGMP Snooping is also referred to as IGMP listening. The switch prevents multicast traffic from flooding through IGMP Snooping, multicast traffic is forwarded to ports associated to multicast devices only. The switch listens to the IGMP messages between the multicast router and hosts, and maintains multicast group forwarding table based on the listening result, and can then decide to forward multicast packets according to the forwarding table. Switch provides IGMP Snooping and is able to send a query from the switch so that the user can use switch in IP multicast. 38.3.2 IGMP Snooping Configuration Task List 1. Enable IGMP Snooping 2. Configure IGMP Snooping 38-33 1. Enable IGMP Snooping Command Explanation Global Mode ip igmp snooping Enables IGMP Snooping. The no operation no ip igmp snooping disables IGMP Snooping function. 2. Configure IGMP Snooping Command Explanation Global Mode Enables IGMP Snooping for specified VLAN. ip igmp snooping vlan <vlan-id> The no operation disables IGMP Snooping for no ip igmp snooping vlan <vlan-id> specified VLAN. ip igmp snooping proxy Enable IGMP Snooping proxy function, the no no ip igmp snooping proxy command disables the function. ip igmp snooping vlan < vlan-id > limit Configure the max. group count of vlan and {group <g_limit> | source <s_limit>} the max. source count of every group. The “no no ip igmp snooping vlan < vlan-id > limit ip igmp snooping vlan <vlan-id> limit” command cancels this configuration. ip igmp snooping vlan <1-4094> interface Configure the number of groups which are (ethernet | port-channel|) IFNAME limit allowed joining and the maximum of the {group <1-65535>| source <1-65535>} source in each group under the IGMP strategy (replace | drop) Snooping port. Configure the strategy when it no ip igmp snooping vlan <1-4094> is up to the upper limit, including “replace” and interface (ethernet | port-channel|) “drop”. No command configures as “no IFNAME limit group source strategy limitation”. Set this vlan to layer 2 general querier. It is ip igmp snooping vlan <vlan-id> recommended to configure a layer 2 general l2-general-querier querier on a segment. The “no ip igmp no ip igmp snooping vlan <vlan-id> snooping vlan <vlan-id> l2-general-querier l2-general-querier”command cancels this configuration. ip igmp snooping vlan <vlan-id> Configure the version number of a general l2-general-querier-version <version> query from a layer 2 general querier. ip igmp snooping vlan <vlan-id> Configure the source address of a general l2-general-querier-source <source> query from a layer 2 general querier. 38-34 ip igmp snooping vlan <vlan-id> mrouter-port interface <interface –name> no ip igmp snooping vlan <vlan-id> mrouter-port interface <interface –name> Configure static mrouter port of vlan. The no form of the command cancels this configuration. ip igmp snooping vlan <vlan-id> Enable the function that the specified VLAN mrouter-port learnpim learns mrouter-port (according to pim no ip igmp snooping vlan <vlan-id> packets), the no command will disable the mrouter-port learnpim function. ip igmp snooping vlan <vlan-id> mrpt Configure this survive time of mrouter port. <value > The “no ip igmp snooping vlan <vlan-id> no ip igmp snooping vlan <vlan-id> mrpt mrpt” command restores the default value. ip igmp snooping vlan <vlan-id> Configure this query interval. The “no ip igmp query-interval <value> snooping vlan <vlan-id> query-interval” no ip igmp snooping vlan <vlan-id> command restores the default value. query-interval ip igmp snooping vlan <vlan-id> Enable the IGMP fast leave function for the immediately-leave specified VLAN: the “no ip igmp snooping no ip igmp snooping vlan <vlan-id> vlan <vlan-id> immediate-leave” command immediately-leave disables the IGMP fast leave function. ip igmp snooping vlan <vlan-id> Configure the maximum query response query-mrsp <value> period. The “no ip igmp snooping vlan no ip igmp snooping vlan <vlan-id> <vlan-id> query-mrsp” command restores to query-mrsp the default value. ip igmp snooping vlan <vlan-id> Configure the query robustness. The “no ip query-robustness <value> igmp snooping vlan <vlan-id> no ip igmp snooping vlan <vlan-id> query-robustness” command restores to the query-robustness default value. ip igmp snooping vlan <vlan-id> Configure the suppression query time. The suppression-query-time <value> “no ip igmp snooping vlan <vlan-id> no ip igmp snooping vlan <vlan-id> suppression-query-time” command suppression-query-time restores to the default value. 38-35 ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | Configure static-group on specified port of the port-channel] <IFNAME> VLAN. The no form of the command cancels no ip igmp snooping vlan <vlan-id> this configuration. static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME> ip igmp snooping vlan <vlan-id> report source-address <A.B.C.D> no ip igmp snooping vlan <vlan-id> report source-address ip igmp snooping vlan <vlan-id> Configure forwarding IGMP packet source address, The no operation cancels the packet source address. Configure the maximum query response time specific-query-mrsp <value> no ip igmp snooping vlan <vlan-id> specific-query-mrspt of the specific group or source, the no command restores the default value. 38.3.3 IGMP Snooping Examples Scenario 1: IGMP Snooping function Multicast router Multicast Server 1 Multicast Server 2 Multicast port IGMP Snooping Group 1 Group 1 Group 1 Group 2 Figure 38-1: Enabling IGMP Snooping function 38-36 Example: As shown in the above figure, a VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to port 2, 6, 10 and 12 respectively and the multicast router is connected to port 1. As IGMP Snooping is disabled by default either in the switch or in the VLANs, If IGMP Snooping should be enabled in VLAN 100, the IGMP Snooping should be first enabled for the switch in Global Mode and in VLAN 100 and set port 1 of VLAN 100 to be the mrouter port. The configuration steps are listed below: Switch(config)#ip igmp snooping Switch(config)#ip igmp snooping vlan 100 Switch(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/1 Multicast Configuration Suppose two programs are provided in the Multicast Server using multicast address Group1 and Group2, three of four hosts running multicast applications are connected to port 2, 6, 10 plays program1, while the host is connected to port 12 plays program 2. IGMP Snooping listening result: The multicast table built by IGMP Snooping in VLAN 100 indicates ports 1, 2, 6, 10 in Group1 and ports 1, 12 in Group2. All the four hosts can receive the program of their choice: ports 2, 6, 10 will not receive the traffic of program 2 and port 12 will not receive the traffic of program 1. Scenario 2: L2-general-querier Multicast Server Group 1 Group 2 Switch A IGMP Snooping L2 general querier Multicast port Group 1 Group 1 Switch B IGMP Snooping Group 1 Group 2 Figure 38-2: The switches as IGMP Queries 38-37 The configuration of Switch2 is the same as the switch in scenario 1, SwitchA takes the place of Multicast Router in scenario 1. Let’s assume VLAN 60 is configured in SwitchA, including ports 1, 2, 10 and 12. Port 1 connects to the multicast server, and port 2 connects to Switch2. In order to send Query at regular interval, IGMP query must be enabled in Global mode and in VLAN60. The configuration steps are listed below: SwitchA#config SwitchA(config)#ip igmp snooping SwitchA(config)#ip igmp snooping vlan 60 SwitchA(config)#ip igmp snooping vlan 60 L2-general-querier SwitchB#config SwitchB(config)#ip igmp snooping SwitchB(config)#ip igmp snooping vlan 100 SwitchB(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/1 Multicast Configuration The same as scenario 1 IGMP Snooping listening result: Similar to scenario 1 38.3.4 IGMP Snooping Troubleshooting On IGMP Snooping function configuration and usage, IGMP Snooping might not run properly because of physical connection or configuration mistakes. So the users should note that: Make sure correct physical connection Activate IGMP Snooping on whole configuration mode (use ip igmp snooping) Configure IGMP Snooping at VLAN on whole configuration mode ( use ip igmp snooping vlan <vlan-id>) Make sure one VLAN is configured as L2 common checker in same mask, or make sure configured static mrouter Use show ip igmp snooping vlan <vid> command check IGMP Snooping information 38-38 Chapter 39 IPv6 Multicast Protocol 39.1 MLD Snooping 39.1.1 Introduction to MLD Snooping MLD, the Multicast Listener Discovery Protocol, is used to realize multicasting in the IPv6. MLD is used by the network equipments such as routers which supports multicast for multicast listener discovery, also used by listeners looking forward to join certain multicast group informing the router to receive data packets from certain multicast address, all of which are done through MLD message exchange. First the router send an MLD Multicast listener Query message through a multicast address which can address all the listeners (namely ff02::1). Once there is a listener who wishes to join the multicast address, it will send a MLD Multicast listener Report back through the multicast address. MLD Snooping is namely the MLD listening. The switch restricts the multicast traffic from flooding through MLD Snooping, and forward the multicast traffic to ports associated to multicast devices only. The switch listens to the MLD messages between multicast routers and listeners, and maintains the multicast group forwarding list based on the listening result. The switches forwards multicast packets according to the multicast forwarding list The switch realizes the MLD Snooping function while supporting MLD v2. This way, the user can acquire IPv6 multicast with the switch. 39.1.2 MLD Snooping Configuration Task 1. Enable the MLD Snooping function 2. Configure the MLD Snooping 1. Enable the MLD Snooping function Command Explanation Global Mode Enable global MLD Snooping, the “no ipv6 ipv6 mld snooping mld snooping” command disables the no ipv6 mld snooping global MLD snooping. 39-39 2. Configure MLD Snooping Command Explanation Global Mode Enable MLD Snooping on specific VLAN. The ipv6 mld snooping vlan <vlan-id> “no” form of this command disables MLD no ipv6 mld snooping vlan <vlan-id> Snooping on specific VLAN. Configure the number of the groups in which ipv6 mld snooping vlan <vlan-id> limit the MLD Snooping can join, and the {group <g_limit> | source <s_limit>} maximum number of sources in each group. no ipv6 mld snooping vlan <vlan-id> limit The “no” form of this command restores to the default. ipv6 mld snooping vlan <vlan-id> Set the VLAN level 2 general querier, which l2-general-querier is recommended on each segment. The “no” no ipv6 mld snooping vlan <vlan-id> form of this command cancels the level 2 l2-general-querier general querier configuration. ipv6 mld snooping vlan <vlan-id> mrouter-port interface <interface –name> no ipv6 mld snooping vlan <vlan-id> mrouter-port interface <interface –name> Configure the static mrouter port in specific vlan. The “no” form of this command cancels the mrouter port configuration. ipv6 mld snooping vlan <vlan-id> Enable the function that the specified VLAN mrouter-port learnpim6 learns mrouter-port (according to pimv6 no ipv6 mld snooping vlan <vlan-id> packets), the no command will disable the mrouter-port learnpim6 function. ipv6 mld snooping vlan <vlan-id> mrpt Configure the keep-alive time of the mrouter <value> port. The “no” form of this command restores no ipv6 mld snooping vlan <vlan-id> mrpt to the default. ipv6 mld snooping vlan <vlan-id> query-interval <value> Configure the query interval. The “no” form of no ipv6 mld snooping vlan <vlan-id> this command restores to the default. query-interval ipv6 mld snooping vlan <vlan-id> Configure immediate leave multicast group immediate-leave function for the MLD Snooping of specific no ipv6 mld snooping vlan <vlan-id> VLAN. The “no” form of this command immediate-leave cancels the immediate leave configuration. ipv6 mld snooping vlan <vlan-id> query-mrsp <value> no ipv6 mld snooping vlan <vlan-id> query-mrsp Configure the query maximum response period. The “no” form of this command restores to the default. 39-40 ipv6 mld snooping vlan <vlan-id> query-robustness <value> Configure the query robustness, the “no” no ipv6 mld snooping vlan <vlan-id> form of this command restores to the default. query-robustness ipv6 mld snooping vlan <vlan-id> Configure the suppression query time. The suppression-query-time <value> “no” form of this command restores to the no ipv6 mld snooping vlan <vlan-id> default suppression-query-time Ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | Configure static-group on specified port of port-channel] <IFNAME> the VLAN. The no form of the command no ipv6 mld snooping vlan <vlan-id> cancels this configuration. static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME> 39.1.3 MLD Snooping Examples Scenario 1: MLD Snooping Function Multicast Router Mrouter Port MLD Snooping Switch Group1 Group1 Group1 Group2 Figure 39-1: Open the switch MLD Snooping Function figure As shown above, the vlan 100 configured on the switch consists of ports 1, 2, 6, 10 and 12. Four hosts are respectively connected to 2, 6, 10 and 12 while the multicast router on port 1. Suppose we need MLD Snooping on VLAN 100, however by default, the global MLD Snooping as well as the MLD Snooping on each VLAN are, therefore first we have to enable the global MLD Snooping at the same time enable the MLD Snooping on VLAN 100, furthermore we need to set the port 1 of VLAN 100 as a mrouter port. 39-41 Configuration procedure is as follows. Switch#config Switch(config)#ipv6 mld snooping Switch(config)#ipv6 mld snooping vlan 100 Switch(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1 Multicast configuration: Assume there are two multicast servers: the Multicast Server 1 and the Multicast Server 2, amongst program 1 and 2 are supplied on the Multicast Server 1 while program 3 on the Multicast server 2, using group addresses respectively the Group 1, Group 2 and Group 3. Concurrently multicast application is operating on the four hosts. Two hosts connected to port 2, 6 are playing program 1 while the host connected to port 10 playing program 2, and the one to port 12 playing program 3. MLD Snooping interception results: The multicast table on vlan 100 shows: port 1, 2, 6 are in (Multicasting Server 1, Group1), port1, 10 are in (Multicasting Server 1,Group2), and port1, 121, 12 are in (Multicasting Server 2, Group3) All the four hosts successfully receive programs they are interested in. port2, 6 receives no traffic from program2 and 3; port10 receives no traffic from program 1 and 3, and port12 receives no traffic from program1 and 2. 39-42 Scenario 2: MLD L2-general-querier Switch A Switch B Figure 39-2: Switch as MLD Querier Function figure Configuration of switch B is the same as the switches in case 1, and here the switch 1 replaces the Multicast Router in case 1. Assume the vlan 60 configured on it contains port 1, 2, 10 and 12, amongst port 1 is connected to multicast server, port 2 to switch2. To send Query periodically, global MLD Snooping has to be enabled while executing the mld snooping vlan 60 l2-general-querier, setting the vlan 60 to a Level 2 General Querier. Configuration procedure is as follows: SwitchA#config SwitchA(config)#ipv6 mld snooping SwitchA(config)#ipv6 mld snooping vlan 60 SwitchA(config)#ipv6 mld snooping vlan 60 l2-general-querier 39-43 SwitchB#config SwitchB(config)#ipv6 mld snooping SwitchB(config)#ipv6 mld snooping vlan 100 SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/1 Multicast configuration: Same as scenario 1 MLD Snooping interception results: Same as scenario 1 39.1.4 MLD Snooping Troubleshooting In configuring and using MLD Snooping, the MLD Snooping server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following: Ensure the physical connection is correct Ensure the MLD Snooping is enabled under global mode (using ipv6 mld snooping) Ensure the MLD Snooping is configured on the vlan under global mode (using ipv6 mld snooping vlan <vlan-id>) Ensure there is a vlan configured as a L2 general querier, or there is a static mrouter configured in a segment, Use command to check if the MLD snooping information is correct 39-44 Chapter 40 Multicast VLAN 40.1 Introductions to Multicast VLAN Based on current multicast order method, when orders from users in different VLAN, each VLAN will copy a multicast traffic in this VLAN, which is a great waste of the bandwidth. By configuration of the multicast VLAN, we add the switch port to the multicast VLAN, with the IGMP Snooping/MLD Snooping functions enabled, users from different VLAN will share the same multicast VLAN. The multicast traffic only exists within a multicast VLAN, so the bandwidth is saved. As the multicast VLAN is absolutely separated from the user VLAN, security and bandwidth concerns can be met at the same time, after the multicast VLAN is configured, the multicast traffic will be continuously sent to the users. 40.2 Multicast VLAN Configuration Task List 1. Enable the multicast VLAN function 2. Configure the IGMP Snooping 3. Configure the MLD Snooping 1. Enable the multicast VLAN function Command Explanation VLAN Mode Configure a VLAN and enable the multicast multicast-vlan VLAN on it. The “no multicast-vlan” no multicast-vlan command disables the multicast function on the VLAN. Associate a multicast VLAN with several multicast-vlan association <vlan-list> VLANs. The no form of this command deletes no multicast-vlan association <vlan-list> the related VLANs associated with the multicast VLAN. multicast-vlan association interface (ethernet | port-channel|) IFNAME no multicast-vlan association interface (ethernet | port-channel|) IFNAME Associate the specified port with the multicast VLAN, so the associated ports are able to receive the multicast flow. The no command cancels the association between the ports and the multicast VLAN. 40-45 2. Configure the IGMP Snooping Command Explanation Global Mode ip igmp snooping vlan <vlan-id> Enable the IGMP Snooping function on the no ip igmp snooping vlan <vlan-id> multicast VLAN. The no form of this command disables the IGMP Snooping on the multicast VLAN. ip igmp snooping no ip igmp snooping Enable the IGMP Snooping function. The no form of this command disables the IGMP snooping function. 3. Configure the MLD Snooping ipv6 mld snooping vlan <vlan-id> no ipv6 mld snooping vlan <vlan-id> ipv6 mld snooping no ipv6 mld snooping Enable MLD Snooping on multicast VLAN; the no form of this command disables MLD Snooping on multicast VLAN. Enable the MLD Snooping function. The no form of this command disables the MLD snooping function. 40.3 Multicast VLAN Examples Figure 40-1: Function configuration of the Multicast VLAN As shown in the figure, the multicast server is connected to the layer 3 switch switchA through port 1/1 which belongs to the VLAN10 of the switch. The layer 3 switch switchA is connected with layer 2 switches through the port1/10, which configured as trunk port. On the switchB the VLAN100 is configured set to contain port1/15, and VLAN101 to contain port1/20. PC1 and 40-46 PC2 are respectively connected to port 1/15 and1/20. The switchB is connected with the switchA through port1/10, which configured as trunk port. VLAN 20 is a multicast VLAN. By configuring multicast vlan, the PC1 and PC2 will receives the multicast data from the multicast VLAN. The following configuration based on the IP address of the switch has been configured and all the equipment are connected correctly. Configuration procedure SwitchA#config SwitchA(config)#vlan 10 SwitchA(config-vlan10)#switchport access ethernet 1/1 SwitchA(config-vlan10)exit SwitchA(config)#interface vlan 10 Switch(Config-if-Vlan10)#ip pim dense-mode Switch(Config-if-Vlan10)#exit SwitchA(config)#vlan 20 SwitchA(config-vlan20)#exit SwitchA(config)#interface vlan 20 SwitchA(Config-if-Vlan20)#ip pim dense-mode SwitchA(Config-if-Vlan20)#exit SwitchA(config)#ip pim multicast SwitchA(config)# interface ethernet1/10 SwitchA(Config-If-Ethernet1/10)switchport mode trunk SwitchB#config SwitchB(config)#vlan 100 SwitchB(config-vlan100)#Switchport access ethernet 1/15 SwitchB(config-vlan100)exit SwitchB(config)#vlan 101 SwitchB(config-vlan101)#Switchport access ethernet 1/20 SwitchB(config-vlan101)exit SwitchB(config)# interface ethernet 1/10 SwitchB(Config-If-Ethernet1/10)#switchport mode trunk SwitchB(Config-If-Ethernet1/10)#exit SwitchB(config)#vlan 20 SwitchB(config-vlan20)#multicast-vlan SwitchB(config-vlan20)#multicast-vlan association 100,101 SwitchB(config-vlan20)#exit 40-47 SwitchB(config)#ip igmp snooping SwitchB(config)#ip igmp snooping vlan 20 When multicast VLAN supports IPv6 multicast, usage is the same as IPv4, but the difference is using with MLD Snooping, so an example is not given. 40-48 Chapter 41 ACL Configuration 41.1 Introduction to ACL ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access the switches, effectively safeguarding the security of networks. The user can lay down a set of rules according to some information specific to packets, each rule describes the action for a packet with certain information matched: “permit” or “deny”. The user can apply such rules to the incoming direction of switch ports, so that data streams of specified ports must comply with the ACL rules assigned. 41.1.1 Access-list Access-list is a sequential collection of conditions that corresponds to a specific rule. Each rule consist of filter information and the action when the rule is matched. Information included in a rule is the effective combination of conditions such as source IP, destination IP, IP protocol number and TCP port, UDP port. Access-lists can be categorized by the following criteria: Filter information based criterion: IP access-list (layer 3 or higher information), MAC access-list (layer 2 information), and MAC-IP access-list (layer 2 or layer 3 or higher). Configuration complexity based criterion: standard and extended, the extended mode allows more specific filtering of information. Nomenclature based criterion: numbered and named. Description of an ACL should cover the above three aspects. 41.1.2 Access-group When a set of access-lists are created, they can be applied to traffic of incoming direction on all ports. Access-group is the description to the binding of an access-list to the incoming direction on a specific port. When an access-group is created, all packets from in the incoming direction through the port will be compared to the access-list rule to decide whether to permit or deny access. The current firmware only supports ingress ACL configuration. 41.1.3 Access-list Action and Global Default Action There are two access-list actions and default actions: “permit” or “deny”. The following rules apply: 41-49 An access-list can consist of several rules. Filtering of packets compares packet conditions to the rules, from the first rule to the first matched rule; the rest of the rules will not be processed. Global default action applies only to IP packets in the incoming direction on the ports. Global default action applies only when packet flirter is enabled on a port and no ACL is bound to that port, or no binding ACL matches. 41.2 ACL Configuration Task List ACL Configuration Task Sequence: 1. Configuring access-list (1) Configuring a numbered standard IP access-list (2) Configuring a numbered extended IP access-list (3) Configuring a standard IP access-list based on nomenclature a) Create a standard IP access-list based on nomenclature b) Specify multiple “permit” or “deny” rule entries c) Exit ACL Configuration Mode (4) Configuring an extended IP access-list based on nomenclature a) Create an extensive IP access-list based on nomenclature b) Specify multiple “permit” or “deny” rule entries c) Exit ACL Configuration Mode (5) Configuring a numbered standard MAC access-list (6) Configuring a numbered extended MAC access-list (7) Configuring a extended MAC access-list based on nomenclature a) Create a extensive MAC access-list based on nomenclature b) Specify multiple “permit” or “deny” rule entries c) Exit ACL Configuration Mode (8) Configuring a numbered extended MAC-IP access-list (9) Configuring a extended MAC-IP access-list based on nomenclature a) Create a extensive MAC-IP access-list based on nomenclature b) Specify multiple “permit” or “deny” rule entries c) Exit MAC-IP Configuration Mode (10) Configuring a numbered standard IPv6 access-list (11) Configuring a standard IPv6 access-list based on nomenclature a) Create a standard IPv6 access-list based on nomenclature b) Specify multiple permit or deny rule entries c) Exit ACL Configuration Mode 2. Configuring the packet filtering function (1) Enable global packet filtering function 41-50 (2) Configure default action 3. Configuring time range function (1) Create the name of the time range (2) Configure periodic time range (3) Configure absolute time range 4. Bind access-list to an incoming direction of the specified port 5. Clear the filtering information of the specified port 1. Configuring access-list (1) Configuring a numbered standard IP access-list Command Explanation Global Mode Creates a numbered standard IP access-list, if the access-list access-list <num> {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} no access-list <num> already exists, then a rule will add to the current access-list; the “no access-list <num>“ command deletes a numbered standard IP access-list. (2) Configuring a numbered extensive IP access-list Command Explanation Global Mode access-list <num> {deny | permit} icmp {{<sIpAddr> Creates a numbered ICMP <sMask>} | any-source | {host-source <sIpAddr>}} extended IP access rule; if the {{<dIpAddr> <dMask>} | any-destination | numbered extended access-list {host-destination <dIpAddr>}} [<icmp-type> of specified number does not [<icmp-code>]] [precedence <prec>] [tos exist, then an access-list will be <tos>][time-range<time-range-name>] created using this number. access-list <num> {deny | permit} igmp {{<sIpAddr> Creates a numbered IGMP <sMask>} | any-source | {host-source <sIpAddr>}} extended IP access rule; if the {{<dIpAddr> <dMask>} | any-destination | numbered extended access-list {host-destination <dIpAddr>}} [<igmp-type>] of specified number does not [precedence <prec>] [tos exist, then an access-list will be <tos>][time-range<time-range-name>] created using this number. 41-51 access-list <num> {deny | permit} tcp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} Creates a numbered TCP [s-port {<sPort> | range <sPortMin> <sPortMax>}] extended IP access rule; if the {{<dIpAddr> <dMask>} | any-destination | numbered extended access-list {host-destination <dIpAddr>}} [d-port {<dPort> | of specified number does not range <dPortMin> <dPortMax>}] exist, then an access-list will be [ack+fin+psh+rst+urg+syn] [precedence <prec>] [tos created using this number. <tos>][time-range<time-range-name>] access-list <num> {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [precedence <prec>] [tos <tos>][time-range<time-range-name>] Creates a numbered UDP extended IP access rule; if the numbered extended access-list of specified number does not exist, then an access-list will be created using this number. Creates a numbered IP access-list <num> {deny | permit} {eigrp | gre | igrp | extended IP access rule for ipinip | ip | ospf | <protocol-num>} {{<sIpAddr> other specific IP protocol or all IP <sMask>} | any-source | {host-source <sIpAddr>}} protocols; if the numbered {{<dIpAddr> <dMask>} | any-destination | extended access-list of specified {host-destination <dIpAddr>}} [precedence <prec>] number does not exist, then an [tos <tos>][time-range<time-range-name>] access-list will be created using this number. Deletes a numbered extensive no access-list <num> IP access-list. (3) Configuring a standard IP access-list basing on nomenclature a. Create a name-based standard IP access-list Command Explanation Global Mode Creates a standard IP access-list based on nomenclature; the “no ip ip access-list standard <name> access-list standard no ip access-list standard <name> <name>“ command deletes the name-based standard IP access-list. 41-52 b. Specify multiple “permit” or “deny” rules Command Explanation Standard IP ACL Mode Creates a standard [no] {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} name-based IP access rule; the “no” form command deletes the name-based standard IP access rule. c. Exit name-based standard IP ACL configuration mode Command Explanation Standard IP ACL Mode Exits name-based standard IP exit ACL configuration mode. (4) Configuring an name-based extended IP access-list a. Create an extended IP access-list basing on nomenclature Command Explanation Global Mode Creates an extended IP access-list basing on nomenclature; the “no ip ip access-list extended <name> access-list extended no ip access-list extended <name> <name> “ command deletes the name-based extended IP access-list. b. Specify multiple “permit” or “deny” rules Command Explanation Extended IP ACL Mode 41-53 [no] {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos Creates an extended name-based ICMP IP access rule; the no form command deletes this name-based extended IP access rule. <tos>][time-range<time-range-name>] [no] {deny | permit} igmp {{<sIpAddr> <sMask>} | Creates an extended any-source | {host-source <sIpAddr>}} {{<dIpAddr> name-based IGMP IP access <dMask>} | any-destination | {host-destination rule; the no form command <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos deletes this name-based <tos>][time-range<time-range-name>] extended IP access rule. [no] {deny | permit} tcp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <prec>] [tos Creates an extended name-based TCP IP access rule; the no form command deletes this name-based extended IP access rule. <tos>][time-range<time-range-name>] [no] {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port Creates an extended {<sPort> | range <sPortMin> <sPortMax>}] name-based UDP IP access {{<dIpAddr> <dMask>} | any-destination | rule; the no form command {host-destination <dIpAddr>}} [d-port {<dPort> | deletes this name-based range <dPortMin> <dPortMax>}] [precedence extended IP access rule. <prec>] [tos <tos>][time-range<time-range-name>] [no] {deny | permit} {eigrp | gre | igrp | ipinip | ip | Creates an extended ospf | <protocol-num>} {{<sIpAddr> <sMask>} | name-based IP access rule any-source | {host-source <sIpAddr>}} {{<dIpAddr> for other IP protocols; the no <dMask>} | any-destination | {host-destination form command deletes this <dIpAddr>}} [precedence <prec>] [tos name-based extended IP <tos>][time-range<time-range-name>] access rule. c. Exit extended IP ACL configuration mode Command Explanation Extended IP ACL Mode Exits extended name-based exit IP ACL configuration mode. 41-54 (5) Configuring a numbered standard MAC access-list Command Explanation Global Mode Creates a numbered standard MAC access-list, if the access-list<num>{deny|permit}{any-source-mac|{ho st-source-mac<host_smac>}|{<smac><smac-mask>} } access-list already exists, then a rule will add to the current access-list; the “no access-list no access-list <num> <num>“ command deletes a numbered standard MAC access-list. (6) Creates a numbered MAC extended access-list Command Explanation Global Mode Creates a numbered MAC access-list<num> {deny|permit} {any-source-mac| {host-source-mac<host_smac>}|{<smac><smac-ma sk>}}{any-destination-mac|{host-destination-mac<h ost_dmac>}|{<dmac><dmac-mask>}}[untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3] no access-list <num> extended access-list, if the access-list already exists, then a rule will add to the current access-list; the “no access-list <num>“ command deletes a numbered MAC extended access-list. 41-55 (7) Configuring a extended MAC access-list based on nomenclature a. Create an extensive MAC access-list based on nomenclature Command Explanation Global Mode Creates an extended name-based MAC access rule mac-access-list extended <name> for other IP protocols; the no no mac-access-list extended <name> form command deletes this name-based extended MAC access rule. b. Specify multiple “permit” or “deny” rule entries Command Explanation Extended name-based MAC access rule Mode [no]{deny|permit}{any-source-mac|{host-source-ma c<host_smac>}|{<smac><smac-mask>}} Creates an extended {any-destination-mac|{host-destination-mac name-based MAC access rule <host_dmac>} |{<dmac> <dmac-mask>}} [cos matching MAC frame; the no <cos-val> [<cos-bitmask>] [vlanId <vid-value> form command deletes this [<vid-mask>][ethertype<protocol>[<protocol-mask>] name-based extended MAC ]]] access rule. [no]{deny|permit}{any-source-mac|{host-source-ma c<host_smac>}|{<smac><smac-mask>}}{any-destin ation-mac|{host-destination-mac<host_dmac>}|{<d mac><dmac-mask>}}[untagged-eth2 [ethertype <protocol> [protocol-mask]]] Creates an extended name-based MAC access rule matching untagged ethernet 2 frame; the no form command deletes this name-based extended MAC access rule. [no]{deny|permit}{any-source-mac|{host-source-ma c<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}} [untagged-802-3] Creates an name-based extended MAC access rule matching 802.3 frame; the no form command deletes this name-based extended MAC access rule. 41-56 [no]{deny|permit}{any-source-mac|{host-source-ma Creates an name-based c<host_smac>}|{<smac><smac-mask>}}{any-destin extended MAC access rule ation-mac|{host-destination-mac<host_dmac>}|{<d matching tagged ethernet 2 mac><dmac-mask>}}[tagged-eth2 [cos <cos-val> frame; the no form command [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] deletes this name-based [ethertype<protocol> [<protocol-mask>]]] extended MAC access rule. [no]{deny|permit}{any-source-mac|{host-source-ma Creates an name-based c <host_smac>}|{<smac><smac-mask>}} extended MAC access rule {any-destination-mac|{host-destination-mac<host_d matching tagged 802.3 frame; mac>}|{<dmac><dmac-mask>}} [tagged-802-3 [cos the no form command deletes <cos-val> [<cos-bitmask>]] [vlanId <vid-value> this name-based extended [<vid-mask>]]] MAC access rule. c. Exit ACL Configuration Mode Command Explanation Extended name-based MAC access configure Mode Quit the extended name-based MAC access exit configure mode. (8) Configuring a numbered extended MAC-IP access-list Command Explanation Global Mode access-list<num>{deny|permit} {any-source-mac| {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | Creates a numbered {host-destination-mac <host_dmac>} | {<dmac><dmac-mask>}} icmp {{<source> <source-wildcard>} |any-source| {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence mac-icmp extended mac-ip access rule; if the numbered extended access-list of specified number does not exist, then an access-list will be created using this number. <precedence>] [tos <tos>] [time-range <time-range-name>] access-list<num>{deny|permit}{any-source-mac| Creates a numbered {host-source-mac<host_smac>}|{<smac><smac-ma mac-igmp extended mac-ip 41-57 sk>}} {any-destination-mac|{host-destination-mac access rule; if the numbered <host_dmac>}|{<dmac><dmac-mask>}}igmp extended access-list of {{<source><source-wildcard>}|any-source| specified number does not {host-source<source-host-ip>}} exist, then an access-list will {{<destination><destination-wildcard>}|any-destinati be created using this number. on| {host-destination<destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] access-list<num>{deny|permit}{any-source-mac| {host-source-mac<host_smac>}|{<smac><smac-ma sk>}}{any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}}tcp Creates a numbered mac-ip {{<source><source-wildcard>}|any-source| extended mac-tcp access {host-source<source-host-ip>}} [s-port {<port1> | rule; if the numbered range <sPortMin> <sPortMax>}] extended access-list of {{<destination><destination-wildcard>}|any-destinati specified number does not on| {host-destination <destination-host-ip>}} [d-port exist, then an access-list will {<port3> | range <dPortMin> <dPortMax>}] be created using this number. [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] access-list<num>{deny|permit}{any-source-mac| {host-source-mac<host_smac>}|{<smac><smac-ma sk>}}{any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}}udp {{<source><source-wildcard>}|any-source| {host-source<source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination><destination-wildcard>}|any-destinati on| {host-destination<destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] Creates a numbered mac-udp extended mac-ip access rule; if the numbered extended access-list of specified number does not exist, then an access-list will be created using this number. [precedence <precedence>] [tos <tos>][time-range<time-range-name>] access-list<num>{deny|permit}{any-source-mac| Creates a numbered {host-source-mac<host_smac>}|{<smac><smac-ma extended mac-ip access rule sk>}} {any-destination-mac|{host-destination-mac for other specific mac-ip <host_dmac>}|{<dmac><dmac-mask>}} protocols or all mac-ip {eigrp|gre|igrp|ip|ipinip|ospf|{<protocol-num>}} protocols; if the numbered {{<source><source-wildcard>}|any-source| extended access-list of 41-58 {host-source<source-host-ip>}} specified number does not {{<destination><destination-wildcard>}|any-destinati exist, then an access-list will on| {host-destination<destination-host-ip>}} be created using this number. [precedence <precedence>] [tos <tos>][time-range<time-range-name>] Deletes this numbered extended MAC-IP access no access-list <num> rule. (9) Configuring a extended MAC-IP access-list based on nomenclature a. Create an extensive MAC-IP access-list based on nomenclature Command Explanation Global Mode Creates an extended name-based MAC-IP access mac-ip-access-list extended <name> rule; the no form command no mac-ip-access-list extended <name> deletes this name-based extended MAC-IP access rule. b. Specify multiple “permit” or “deny” rule entries Command Explanation Extended name-based MAC-IP access Mode [no]{deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac Creates an extended <host_dmac>}|{<dmac><dmac-mask>}}icmp name-based MAC-ICMP {{<source><source-wildcard>}|any-source| access rule; the no form {host-source<source-host-ip>}} command deletes this {{<destination><destination-wildcard>}|any-destinati name-based extended on| {host-destination <destination-host-ip>}} MAC-ICMP access rule. [<icmp-type> [<icmp-code>]] [precedence <precedence>][tos<tos>][time-range<time-range-na me>] [no]{deny|permit}{any-source-mac|{host-source-ma Creates an extended c <host_smac>}|{<smac><smac-mask>}} name-based MAC-IGMP 41-59 {any-destination-mac|{host-destination-mac access rule; the no form <host_dmac>}|{<dmac><dmac-mask>}}igmp command deletes this {{<source><source-wildcard>}|any-source| name-based extended {host-source<source-host-ip>}} MAC-IGMP access rule. {{<destination><destination-wildcard>}|any-destinati on| {host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit}{any-source-mac|{host-source-ma c<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}}tcp {{<source><source-wildcard>}|any-source| {host-source<source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination><destination-wildcard>}|any-destinati on| {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] Creates an extended name-based MAC-TCP access rule; the no form command deletes this name-based extended MAC-TCP access rule. [ack+fin+psh+rst+urg+syn] [precedence<precedence>][tos<tos>][time-range<ti me-range-name>] [no]{deny|permit}{any-source-mac|{host-source-ma c<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}}udp Creates an extended {{<source><source-wildcard>}|any-source| name-based MAC-UDP {host-source<source-host-ip>}} [s-port {<port1> | access rule; the no form range <sPortMin> <sPortMax>}] command deletes this {{<destination><destination-wildcard>}|any-destinati name-based extended on| {host-destination <destination-host-ip>}} MAC-UDP access rule. [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>][time-range<time-range-name>] [no]{deny|permit}{any-source-mac|{host-source-ma Creates an extended c<host_smac>}|{<smac><smac-mask>}} name-based access rule for {any-destination-mac|{host-destination-mac the other IP protocol; the no <host_dmac>}|{<dmac><dmac-mask>}} form command deletes this {eigrp|gre|igrp|ip|ipinip|ospf|{<protocol-num>}} name-based extended access {{<source><source-wildcard>}|any-source| rule. 41-60 {host-source<source-host-ip>}} {{<destination><destination-wildcard>}|any-destinati on| {host-destination<destination-host-ip>}} [precedence<precedence>][tos<tos>][time-range<ti me-range-name>] c. Exit MAC-IP Configuration Mode Command Explanation Extended name-based MAC-IP access Mode Quit extended name-based exit MAC-IP access mode. (10) Configuring a numbered standard IPv6 access-list Command Explanation Global Mode Creates a numbered standard IPv6 access-list, if the ipv6 access-list <num> {deny | permit} {{<sIPv6Addr> <sPrefixlen>} | any-source | {host-source <sIpv6Addr>}} access-list already exists, then a rule will add to the current access-list; the “no access-list no ipv6 access-list <num> <num>“ command deletes a numbered standard IPv6 access-list. (11)Configuring a standard IPv6 access-list based on nomenclature a. Create a standard IPv6 access-list based on nomenclature Command Explanation Global Mode ipv6 access-list standard <name> Creates a standard IP no ipv6 access-list standard <name> access-list based on nomenclature; the no command delete the name-based standard IPv6 access-list. 41-61 b. Specify multiple permit or deny rules Command Explanation Standard IPv6 ACL Mode [no] {deny | permit} {{<sIPv6Prefix/sPrefixlen>} | Creates a standard any-source | {host-source <sIPv6Addr> }} name-based IPv6 access rule; the no form command deletes the name-based standard IPv6 access rule. c. Exit name-based standard IP ACL configuration mode Command Explanation Standard IPv6 ACL Mode Exits name-based standard exit IPv6 ACL configuration mode. 2. Configuring packet filtering function (1) Enable global packet filtering function Command Explanation Global Mode firewall enable Enables global packet filtering function. firewall disable Disables global packet filtering function. 3. Configuring time range function (1)Create the name of the time range Command Explanation Global Mode Create a time range named time-range <time_range_name> time_range_name. Stop the time range function named no time-range <time_range_name> time_range_name. 41-62 (2)Configure periodic time range Command Explanation Time range Mode absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Configure the time range for Friday | Saturday | Sunday} <end_time> the request of the week, and periodic every week will run by the {{Monday+Tuesday+Wednesday+Thursday+ time range. Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time> [no] absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <end_time> Stop the function of the time [no] periodic range in the week. {{Monday+Tuesday+Wednesday+Thursday+ Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time> (3)Configure absolute time range Command Explanation Global Mode absolute start <start_time> <start_data> [end Configure absolute time <end_time> <end_data>] range. [no] absolute start <start_time> <start_data> [end Stop the function of the time <end_time> <end_data>] range. 41-63 4. Bind access-list to a specific direction of the specified port. Command Explanation Physical Port Mode / VLAN Interface Mode Physical interface mode: Applies an access-list to the specified direction on the port; the no command deletes the access-list bound to the port. {ip|ipv6|mac|mac-ip} access-group VLAN interface mode: Applies an <acl-name> {in} [traffic-statistic] access-list to the specified direction on no {ip|ipv6|mac|mac-ip} access-group the port of VLAN; the no command <acl-name> {in} deletes the access-list bound to the port of VLAN.When the acl of ipv6 is applied by this switch, it only supports the standard acl of ipv6. 5. Clear the filtering information of the specified port Command Explanation Admin Mode clear access-group statistic Clear the filtering information of the specified [ethernet <interface-name> ] port. 41.3 ACL Example Scenario 1: The user has the following configuration requirements: port 10 of the switch connects to 10.0.0.0/24 segment; ftp is not desired for the user. Configuration description: 1. Create a proper ACL 2. Configuring packet filtering function 3. Bind the ACL to the port The configuration steps are listed below: Switch(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21 Switch(config)#firewall enable Switch(config)#interface ethernet 1/10 41-64 Switch(Config-If-Ethernet1/10)#ip access-group 110 in Switch(Config-If-Ethernet1/10)#exit Switch(config)#exit Configuration result: Switch#show firewall Firewall status: enable. Switch#show access-lists access-list 110(used 1 time(s)) 1 rule(s) access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21 Switch#show access-group interface ethernet 1/10 interface name:Ethernet1/10 the ingress acl use in firewall is 110, traffic-statistics Disable. Scenario 2: The configuration requirements are stated below: The switch should drop all the 802.3 datagrams with 00-12-11-23-xx-xx as the source MAC address coming from interface 10. Configuration description: 1. Create the corresponding MAC ACL. 2. Configure datagram filtering. 3. Bind the ACL to the related interface. The configuration steps are listed below. Switch(config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3 Switch(config)#access-list 1100 deny 00-12-11-23-00-00 tagged-802 Switch(config)#firewall enable Switch(config)#interface ethernet1/10 Switch(Config-If-Ethernet1/10)#mac access-group 1100 in Switch(Config-If-Ethernet1/10)#exit Switch(config)#exit 41-65 00-00-00-00-ff-ff any Configuration result: Switch#show firewall Firewall Status: Enable. Switch #show access-lists access-list 1100(used 1 time(s)) access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3 access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac Switch #show access-group interface ethernet 1/10 interface name:Ethernet1/10 MAC Ingress access-list used is 1100,traffic-statistics Disable. Scenario 3: The configuration requirements are stated below: The MAC address range of the network is connected to the interface 10 of the switch which is 00-12-11-23-xx-xx, and IP network is 10.0.0.0/24. FTP should be disabled and ping requests from outside network should be disabled. Configuration description: 1. Create the corresponding access list. 2. Configure datagram filtering. 3. Bind the ACL to the related interface. The configuration steps are listed below: Switch(config)#access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21 Switch(config)#access-list 3110 deny any-source-mac 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255 Switch(config)#firewall enable Switch(config)#interface ethernet 1/10 Switch(Config-If-Ethernet1/10)#mac-ip access-group 3110 in Switch(Config-Ethernet1/10)#exit Switch(config)#exit 41-66 00-12-11-23-00-00 Configuration result: Switch#show firewall Firewall Status: Enable. Switch#show access-lists access-list 3110(used 1 time(s)) access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21 access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255 Switch #show access-group interface ethernet 1/10 interface name:Ethernet1/10 MAC-IP Ingress access-list used is 3110, traffic-statistics Disable. Scenario 4: The configuration requirements are stated below: IPv6 protocol runs on the interface 600 of the switch. And the IPv6 network address is 2003:1:1:1::0/64. Users in the 2003:1:1:1:66::0/80 subnet should be disabled from accessing the outside network. Configuration description: 1. Create the corresponding access list. 2. Configure datagram filtering. 3. Bind the ACL to the related interface. The configuration steps are listed below. Switch(config)#ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-destination Switch(config)#ipv6 access-list 600 deny 2003:1:1:1::0/64 any-destination Switch(config)#firewall enable Switch(config)#interface ethernet 1/10 Switch(Config-If-Ethernet1/10)#ipv6 access-group 600 in Switch(Config-If-Ethernet1/10)#exit Switch(config)#exit 41-67 Configuration result: Switch#show firewall Firewall Status: Enable. Switch#show ipv6 access-lists Ipv6 access-list 600(used 1 time(s)) ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source Switch #show access-group interface ethernet 1/10 interface name:Ethernet1/10 IPv6 Ingress access-list used is 600, traffic-statistics Disable. Scenario 5: The configuration requirements are stated below: The interface 1, 2, 5, 7 belongs to vlan100, Hosts with 192.168.0.1 as its IP address should be disabled from accessing the listed interfaces. Configuration description: 1. Create the corresponding access list. 2. Configure datagram filtering. 3. Bind the ACL to the related interface. The configuration steps are listed below. Switch (config)#firewall enable Switch (config)#vlan 100 Switch (Config-Vlan100)#switchport interface ethernet 1/1;2;5;7 Switch (Config-Vlan100)#exit Switch (config)#access-list 1 deny host-source 192.168.0.1 Switch (config)#interface ethernet1/1;2;5;7 Switch (config-if-port-range)#ip access-group 1 in Switch (Config-if-Vlan100)#exit Configuration result: Switch (config)#show access-group interface vlan 100 Interface VLAN 100: Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics Disable. 41-68 Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable. Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable. Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics Disable. 41.4 ACL Troubleshooting Checking for entries in the ACL is done in a top-down order and ends whenever an entry is matched. Default rule will be used only if no ACL is bound to the incoming direction of the port, or no ACL entry is matched.Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL, one IPv6 ACL (via the physical interface mode or Vlan interface mode). When binding four ACL and packet matching several ACL at the same time, the priority relations are as follows in a top-down order. If the priority is same, then the priority of configuration at first is higher. Ingress IPv6 ACL Ingress MAC-IP ACL Ingress IP ACL Ingress MAC ACL The number of ACLs that can be successfully bound depends on the content of the ACL bound and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to hardware resource limitation. If an access-list contains same filtering information but conflicting action rules, binding to the port will fail with an error message. For instance, configuring “permit tcp any any-destination” and “deny tcp any any-destination” at the same time is not permitted. Viruses such as “worm.blaster” can be blocked by configuring ACL to block specific ICMP packets or specific TCP or UDP port packet. If the physical mode of an interface is TRUNK, ACL can only be configured through physical interface mode. ACL configured in the physical mode can only be disabled in the physical mode. Those configured in the VLAN interface configuration mode can only be disabled in the VLAN interface mode. When a physical interface is added into or removed from a VLAN (with the trunk interfaces as exceptions), ACL configured in the corresponding VLAN will be bound or unbound respectively. If ACL configured in the target VLAN, which is configured in VLAN interface mode, conflicts with existing ACL configuration on the interface, which is configured in physical interface mode, the configuration will fail to effect. When no physical interfaces are configured in the VLAN, the ACL configuration of the VLAN will be removed. And it can not recover if new interfaces are added to the VLAN. When the interface mode is changed from access mode to trunk mode, the ACL configured in VLAN interface mode which is bound to physical interface will be removed. 41-69 And when the interface mode is changed from trunk mode to access mode, ACL configured in VLAN1 interface mode will be bound to the physical interface. If binding fails, the changing will fail either. When removing a VLAN configuration, if there are any ACLs bound to the VLAN, the ACL will be removed from all the physical interfaces belonging to the VLAN, and it will be bound to VLAN 1 ACL(if ACL is configured in VLAN1). If VLAN 1 ACL binding fails, the VLAN removal operation will fail. 41-70 Chapter 42 802.1x Configuration 42.1 Introduction to 802.1x The 802.1x protocol originates from 802.11 protocol, the wireless LAN protocol of IEEE, which is designed to provide a solution to doing authentication when users access a wireless LAN. The LAN defined in IEEE 802 LAN protocol does not provide access authentication, which means as long as the users can access a LAN controlling device (such as a LAN Switch), they will be able to get all the devices or resources in the LAN. There was no looming danger in the environment of LAN in those primary enterprise networks. However, along with the boom of applications like mobile office and service operating networks, the service providers should control and configure the access from user. The prevailing application of WLAN and LAN access in telecommunication networks, in particular, make it necessary to control ports in order to implement the user-level access control. And as a result, IEEE LAN/WAN committee defined a standard, which is 802.1x, to do Port-Based Network Access Control. This standard has been widely used in wireless LAN and ethernet. “Port-Based Network Access Control” means to authenticate and control the user devices on the level of ports of LAN access devices. Only when the user devices connected to the ports pass the authentication, can they access the resources in the LAN, otherwise, the resources in the LAN won’t be available. 42.1.1 The Authentication Structure of 802.1x The system using 802.1x has a typical Client/Server structure, which contains three entities (as illustrated in the next figure): Supplicant system, Authenticator system, and Authentication server system. Figure 42-1: The Authentication Structure of 802.1x 42-71 The supplicant system is an entity on one end of the LAN segment, should be authenticated by the access controlling unit on the other end of the link. A Supplicant system usually is a user terminal device. Users start 802.1x authentication by starting supplicant system software. A supplicant system should support EAPOL (Extensible Authentication Protocol over LAN). The authenticator system is another entity on one end of the LAN segment to authenticate the supplicant systems connected. An authenticator system usually is a network device supporting 802,1x protocol, providing ports to access the LAN for supplicant systems. The ports provided can either be physical or logical. The authentication server system is an entity to provide authentication service for authenticator systems. The authentication server system is used to authenticate and authorize users, as well as does fee-counting, and usually is a RADIUS (Remote Authentication Dial-In User Service) server, which can store the relative user information, including username, password and other parameters such as the VLAN and ports which the user belongs to. The three entities above concerns the following basic concepts: PAE of the port, the controlled ports and the controlled direction. 1. PAE PAE (Port Access Entity) is the entity to implement the operation of algorithms and protocols. The PAE of the supplicant system is supposed to respond the authentication request from the authenticator systems and submit user’s authentication information to the authenticator system. It can also send authentication request and off-line request to authenticator. The PAE of the authenticator system authenticates the supplicant systems needing to access the LAN via the authentication server system, and deal with the authenticated/unauthenticated state of the controlled port according to the result of the authentication. The authenticated state means the user is allowed to access the network resources, the unauthenticated state means only the EAPOL messages are allowed to be received and sent while the user is forbidden to access network resources. 2. controlled/uncontrolled ports The authenticator system provides ports to access the LAN for the supplicant systems. These ports can be divided into two kinds of logical ports: controlled ports and uncontrolled ports. The uncontrolled port is always in bi-directionally connected status, and mainly used to transmit EAPOL protocol frames, to guarantee that the supplicant systems can always send or receive authentication messages. The controlled port is in connected status authenticated to transmit service messages. When unauthenticated, no message from supplicant systems is allowed to be received. 42-72 The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports. 3. Controlled direction In unauthenticated status, controlled ports can be set as unidirectional controlled or bi-directionally controlled. When the port is bi-directionally controlled, the sending and receiving of all frames is forbidden. When the port is unidirectional controlled, no frames can be received from the supplicant systems while sending frames to the supplicant systems is allowed. Notes: At present, this kind of switch only supports unidirectional control. 42.1.2 The Work Mechanism of 802.1x IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to implement exchange of authentication information between the supplicant system, authenticator system and authentication server system. Figure 42-2: the Work Mechanism of 802.1x EAP messages adopt EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system in the environment of LAN. Between the PAE of the authenticator system and the RADIUS server, there are two methods to exchange information: one method is that EAP messages adopt EAPOR (EAP over RADIUS) encapsulation format in RADIUS protocol; the other is that EAP messages terminate with the PAE of the authenticator system, and adopt the messages containing RAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) attributes to do the authentication interaction with the RADIUS server. When the user pass the authentication, the authentication server system will send the relative information of the user to authenticator system, the PAE of the authenticator system will decide the authenticated/unauthenticated status of the controlled port according to the authentication result of the RADIUS server. 42-73 42.1.3 The Encapsulation of EAPOL Messages 1. The Format of EAPOL Data Packets EAPOL is a kind of message encapsulation format defined in 802.1x protocol, and is mainly used to transmit EAP messages between the supplicant system and the authenticator system in order to allow the transmission of EAP messages through the LAN. In IEEE 802/Ethernet LAN environment, the format of EAPOL packet is illustrated in the next figure. The beginning of the EAPOL packet is the Type/Length domain in MAC frames. Figure 42-3: the Format of EAPOL Data Packet PAE Ethernet Type: Represents the type of the protocol whose value is 0x888E. Protocol Version: Represents the version of the protocol supported by the sender of EAPOL data packets. Type: represents the type of the EAPOL data packets, including: EAP-Packet (whose value is 0x00): the authentication information frame, used to carry EAP messages. This kind of frame can pass through the authenticator system to transmit EAP messages between the supplicant system and the authentication server system. EAPOL-Start (whose value is 0x01): the frame to start authentication. EAPOL-Logoff (whose value is 0x02): the frame requesting to quit. EAPOL-Key (whose value is 0x03): the key information frame. EAPOL-Encapsulated-ASF-Alert (whose value is 0x04): used to support the Alerting messages of ASF (Alert Standard Forum). This kind of frame is used to encapsulate the relative information of network management such as all kinds of alerting information, terminated by terminal devices. Length: represents the length of the data, that is, the length of the “Packet Body”, in byte. There will be no following data domain when its value is 0. Packet Body: represents the content of the data, which will be in different formats according to different types. 2. The Format of EAP Data Packets When the value of Type domain in EAPOL packet is EAP-Packet, the Packet Body is in EAP format (illustrated in the next figure). 42-74 Figure 42-4: the Format of EAP Data Packets Code: specifies the type of the EAP packet. There are four of them in total: Request (1),Response(2),Success(3),Failure(4). There is no Data domain in the packets of which the type is Success or Failure, and the value of the Length domains in such packets is 4. The format of Data domains in the packets of which the type is Request and Response is illustrated in the next figure. Type is the authentication type of EAP, the content of Type data depends on the type. For example, when the value of the type is 1, it means Identity, and is used to query the identity of the other side. When the type is 4, it means MD5-Challenge, like PPP CHAP protocol, contains query messages. Figure 42-5: the Format of Data Domain in Request and Response Packets Identifier: to assist matching the Request and Response messages. Length: the length of the EAP packet, covering the domains of Code, Identifier, Length and Data, in byte. Data: the content of the EAP packet, depending on the Code type. 42.1.4 The Encapsulation of EAP Attributes RADIUS adds two Message-Authenticator. attribute Please to support refer to EAP the authentication: Introduction of EAP-Message RADIUS protocol and in “AAA-RADIUS-HWTACACS operation” to check the format of RADIUS messages. 1. EAP-Message As illustrated in the next figure, this attribute is used to encapsulate EAP packet, the type code is 79, String domain should be no longer than 253 bytes. If the data length in an EAP packet is larger than 253 bytes, the packet can be divided into fragments, which then will be encapsulated in several EAP-Messages attributes in their original order. 42-75 Figure 42-6: the Encapsulation of EAP-Message Attribute 2. Message-Authenticator As illustrated in the next figure, this attribute is used in the process of using authentication methods like EAP and CHAP to prevent the access request packets from being eavesdropped. Message-Authenticator should be included in the packets containing the EAP-Message attribute, or the packet will be dropped as an invalid one. Figure 42-7: Message-Authenticator Attribute 42-76 42.1.5 The Authentication Methods of 802.1x The authentication can either be started by supplicant system initiatively or by devices. When the device detects unauthenticated users to access the network, it will send supplicant system EAP-Request/Identity messages to start authentication. On the other hand, the supplicant system can send EAPOL-Start message to the device via supplicant software. 802.1 x systems supports EAP relay method and EAP termination method to implement authentication with the remote RADIUS server. The following is the description of the process of these two authentication methods, both started by the supplicant system. 42.1.5.1 EAP Relay Mode EAP relay is specified in IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, making sure that extended authentication protocol messages can reach the authentication server through complicated networks. In general, EAP relay requires the RADIUS server to support EAP attributes: EAP-Message and Message-Authenticator. EAP is a widely-used authentication frame to transmit the actual authentication protocol rather than a special authentication mechanism. EAP provides some common function and allows the authentication mechanisms expected in the negotiation, which are called EAP Method. The advantage of EAP lies in that EAP mechanism working as a base needs no adjustment when a new authentication protocol appears. The following figure illustrates the protocol stack of EAP authentication method. Figure 42-8: the Protocol Stack of EAP Authentication Method By now, there are more than 50 EAP authentication methods that have been developed. The differences among which are those in the authentication mechanism and the management of keys. The 4 most common EAP authentication methods are listed as follows: EAP-MD5 EAP-TLS(Transport Layer Security) EAP-TTLS(Tunneled Transport Layer Security) PEAP(Protected Extensible Authentication Protocol) 42-77 They will be described in details in the following part. Attention: The switch, as the access controlling unit of Pass-through, will not check the content of a particular EAP method, so can support all the EAP methods above and all the EAP authentication methods that may be extended in the future. In EAP relay, if any authentication method in EAP-MD5, EAP-TLS, EAP-TTLS and PEAP is adopted, the authentication methods of the supplicant system and the RADIUS server should be the same. 1. EAP-MD5 Authentication Method EAP-MD5 is an IETF open standard which providing the least security, since MD5 Hash function is vulnerable to dictionary attacks. The following figure illustrated the basic operation flow of the EAP-MD5 authentication method. Figure 42-9: the Authentication Flow of 802.1x EAP-MD5 42-78 2. EAP-TLS Authentication Method EAP-TLS is brought up by Microsoft based on EAP and TLS protocols. It uses PKI to protect the id authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the Radius authentication server to possess digital certificate to implement bidirectional authentication. It is the earliest EAP authentication method used in wireless LAN. Since every user should have a digital certificate, this method is rarely used practically considering the difficult maintenance. However it is still one of the safest EAP standards, and enjoys prevailing supports from the vendors of wireless LAN hardware and software. The following figure illustrates the basic operation flow of the EAP-TLS authentication method. Figure 42-10: the Authentication Flow of 802.1x EAP-TLS 42-79 3. EAP-TTLS Authentication Method EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide an authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate. The only request is that the Radius server should have a digital certificate. The authentication of users’ identity is implemented with passwords transmitted in a safely encrypted tunnel established via the certificate of the authentication server. Any kind of authentication request including EAP, PAP and MS-CHAPV2 can be transmitted within TTLS tunnels. 4. PEAP Authentication Method EAP-PEAP is brought up by Cisco, Microsoft and RAS Security as a recommended open standard. It has long been utilized in products and provides very good security. Its design of protocol and security is similar to that of EAP-TTLS, using a server’s PKI certificate to establish a safe TLS tunnel in order to protect user authentication. The following figure illustrates the basic operation flow of PEAP authentication method. Figure 42-11: the Authentication Flow of 802.1x PEAP 42-80 42.1.5.2 EAP Termination Mode In this mode, EAP messages will be terminated in the access control unit and mapped into RADIUS messages, which is used to implement the authentication, authorization and fee-counting. The basic operation flow is illustrated in the next figure. In EAP termination mode, the access control unit and the RADIUS server can use PAP or CHAP authentication method. The following figure will demonstrate the basic operation flow using CHAP authentication method. Figure 42-12: the Authentication Flow of 802.1x EAP Termination Mode 42.1.6 The Extension and Optimization of 802.1x Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x. Supports some applications in the case of which one physical port can have more than one users 42-81 There are three access control methods (the methods to authenticate users): port-based, MAC-based and user-based (IP address+ MAC address+ port). When the port-based method is used, as long as the first user of this port passes the authentication, all the other users can access the network resources without being authenticated. However, once the first user is offline, the network won’t be available to all the other users. When the MAC-based method is used, all the users accessing a port should be authenticated separately, only those pass the authentication can access the network, while the others can not. When one user becomes offline, the other users will not be affected. When the user-based (IP address+ MAC address+ port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced control. The user-based standard control will not restrict the access to limited resources, which means all users of this port can access limited resources before being authenticated. The user-based advanced control will restrict the access to limited resources, only some particular users of the port can access limited resources before being authenticated. Once those users pass the authentication, they can access all resources. Attention: When using private supplicant systems, user-based advanced control is recommended to effectively prevent ARP cheat. The maximum number of the authenticated users can be 4000, but less than 2000 will be preferred. 42.1.7 The Features of VLAN Allocation 1. Auto VLAN Auto VLAN feature enables RADIUS server to change the VLAN to which the access port belongs, based on the user information and the user access device information. When an 802.1x user passes authentication on the server, the RADIUS server will send the authorization information to the device, if the RADIUS server has enabled the VLAN-assigning function, then the following attributes should be included in the Access-Accept messages: Tunnel-Type = VLAN (13) Tunnel-Medium-Type = 802 (6) Tunnel-Private-Group-ID = VLANID The VLANID here means the VID of VLAN, ranging from 1 to 4094. For example, Tunnel-Private-Group-ID = 30 means VLAN 30. When the switch receives the assigned Auto VLAN information, the current Access port will leave the VLAN set by the user and join Auto VLAN. Auto VLAN won’t change or affect the 42-82 port’s configuration. But the priority of Auto VLAN is higher than that of the user-set VLAN, that is Auto VLAN is the one takes effect when the authentication is finished, while the user-set VLAN do not work until the user become offline. Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on the ports whose link type is Access. 2. Guest VLAN Guest VLAN feature is used to allow the unauthenticated user to access some specified resources. The user authentication port belongs to a default VLAN (Guest VLAN) before passing the 802.1x authentication, with the right to access the resources within this VLAN without authentication. But the resources in other networks are beyond reach. Once authenticated, the port will leave Guest VLAN, and the user can access the resources of other networks. In Guest VLAN, users can get 802.1x supplicant system software, update supplicant system or update some other applications (such as anti-virus software, the patches of operating system). The access device will add the port into Guest VLAN if there is no supplicant getting authenticated successfully in a certain stretch of time because of lacking exclusive authentication supplicant system or the version of the supplicant system being too low. Once the 802.1x feature is enabled and the Guest VLAN is configured properly, a port will be added into Guest VLAN, just like Auto VLAN, if there is no response message from the supplicant system after the device sends more authentication-triggering messages than the upper limit (EAP-Request/Identity) from the port. The authentication server assigns an Auto VLAN, and then the port leaves Guest VLAN and joins the assigned Auto VLAN. When the user becomes offline, the port will be allocated to the specified Guest VLAN again. The authentication server assigns an Auto VLAN, and then the port leaves Guest VLAN and joins the specified VLAN. When the user becomes offline, the port will be allocated to the specified Guest VLAN again. 42.2 802.1x Configuration Task List 802.1x Configuration Task List: 1. Enable IEEE 802.1x function 2. Access management unit property configuration 1) Configure port authentication status 42-83 2) Configure access management method for the port: MAC-based or port-based 3) Configure expanded 802.1x function 4) Configure IPv6 passthrough function of the port 3. User access devices related property configuration (optional) 1. Enable 802.1x function Command Explanation Global Mode dot1x enable Enables the 802.1x function in the switch and ports; the no no dot1x enable command disables the 802.1x function. dot1x privateclient enable no dot1x privateclient enable dot1x user free-resource <prefix> <mask> no dot1x user free-resource Enables the switch force client software using private 802.1x authentication packet format. The no command will disable this function. Sets free access network resource for unauthorized dot1x user. The no command close the resource. dot1x unicast enable Enable the 802.1x unicast passthrough function of switch; no dot1x unicast enable the no operation of this command will disable this function. 2. Access management unit property configuration 1) Configure port authentication status Command Explanation Port Mode dot1x port-control {auto|force-authorized|force- Sets the 802.1x authentication mode; the no command unauthorized } restores the default setting. no dot1x port-control 42-84 2) Configure port access management method Command Explanation Port Mode dot1x port-method {macbased | Sets the port access management method; portbased | userbased {standard | the no command restores MAC-based advanced}} access management. no dot1x port-method Sets the maximum number of access users dot1x max-user macbased <number> for the specified port; the no command no dot1x max-user macbased restores the default setting of allowing 1 user. Set the upper limit of the number of users allowed accessing the specified port, only dot1x max-user userbased <number> used when the access control mode of the no dot1x max-user userbased port is userbased; the no command is used to reset the limit to 10 by default. dot1x guest-vlan <vlanID> Set the guest vlan of the specified port; the no dot1x guest-vlan no command is used to delete the guest vlan. dot1x portbased mode single-mode Set the single-mode based on portbase no dot1x portbased mode single-mode authentication mode; the no command disables this function. 3) Configure expanded 802.1x function Command Explanation Global Mode dot1x macfilter enable Enables the 802.1x address filter function in the switch; the no dot1x macfilter enable no command disables the 802.1x address filter function. dot1x macbased port-down-flush Enables this command, when the dot1x certification no dot1x macbased port-down-flush according to mac is down, delete the user who passed the certification of the port; The no command does not make the down operation. 42-85 dot1x accept-mac <mac-address> [interface <interface-name> ] Adds 802.1x address filter table entry, the no command no dot1x accept-mac deletes 802.1x filter address table entries. <mac-address> [interface <interface-name> ] dot1x eapor enable no dot1x eapor enable Enables the EAP relay authentication function in the switch; the no command sets EAP local end authentication. 4) Configure IPv6 passthrough function of the port Command Explanation Port Mode Enables IPv6 passthrough function of global mode on a dot1x ipv6 passthrough switch, only applicable when access control mode is no dot1x ipv6 passthrough userbased; the no operation of this command will disable the function. 3. Supplicant related property configuration Command Explanation Global Mode dot1x max-req <count> no dot1x max-req Sets the number of EAP request/MD5 frame to be sent before the switch re-initials authentication on no supplicant response, the no command restores the default setting. dot1x re-authentication Enables periodical supplicant authentication; the no no dot1x re-authentication command disables this function. dot1x timeout quiet-period <seconds> Sets time to keep silent on port authentication failure; the no dot1x timeout no command restores the default value. quiet-period dot1x timeout re-authperiod <seconds> Sets the supplicant re-authentication interval; the no no dot1x timeout command restores the default setting. re-authperiod dot1x timeout tx-period Sets the interval for the supplicant to re-transmit EAP <seconds> request/identity frame; the no command restores the no dot1x timeout tx-period default setting. 42-86 dot1x re-authenticate Enables IEEE 802.1x re-authentication (no wait timeout [interface <interface-name> ] requires) for all ports or a specified port. 42.3 802.1x Application Example 42.3.1 Examples of Guest VLAN Applications Update server Authenticator server Ethernet1/3 VLAN10 Ethernet1/2 VLAN100 VLAN2 SWITCH Ethernet1/6 VLAN5 Internet User Figure 42-13: The Network Topology of Guest VLAN Notes: In the figures in this session, E2 means Ethernet 1/2, E3 means Ethernet 1/3 and E6 means Ethernet 1/6. As shown in the next figure, a switch accesses the network using 802.1x authentication, with a RADIUS server as its authentication server. Ethernet1/2, the port through which the user accesses the switch belongs to VLAN100; the authentication server is in VLAN2; Update Server, being in VLAN10, is for the user to download and update supplicant system software; Ethernet1/6, the port used by the switch to access the Internet is in VLAN5. 42-87 Update server Authenticator server Ethernet1/3 VLAN2 VLAN10 SWITCH Ethernet1/ Ethernet1/6 2 VLAN5 Internet User Figure 42-14: User Joining Guest VLAN As illustrated in the above figure, on the switch port Ethernet1/2, the 802.1x feature is enabled, and the VLAN10 is set as the port’s Guest VLAN. Before the user gets authenticated or when the user fails to do so, port Ethernet1/2 is added to VLAN10, allowing the user to access the Update Server. Update server Authenticator server Ethernet1/3 VLAN10 Ethernet1/ 2 VLAN2 SWITCH Ethernet1/6 VLAN5 Internet User Figure 42-15: User Being Online, VLAN Being Offline As illustrated in the above figure, when the users are online after a successful authentication, the authentication server will assign VLAN5, which makes both the user and Ethernet1/6 in VLAN5, allowing the user to access the Internet. The following are configuration steps: # Configure RADIUS server. 42-88 Switch(config)#radius-server authentication host 10.1.1.3 Switch(config)#radius-server accounting host 10.1.1.3 Switch(config)#radius-server key test Switch(config)#aaa enable Switch(config)#aaa-accounting enable # Create VLAN100. Switch(config)#vlan 100 # Enable the global 802.1x function Switch(config)#dot1x enable # Enable the 802.1x function on port Ethernet1/2 Switch(config)#interface ethernet1/2 Switch(Config-If-Ethernet1/2)#dot1x enable # Set the link type of the port as access mode. Switch(Config-If-Ethernet1/2)#switch-port mode access # Set the access control mode on the port as portbased. Switch(Config-If-Ethernet1/2)#dot1x port-method portbased # Set the access control mode on the port as auto. Switch(Config-If-Ethernet1/2)#dot1x port-control auto # Set the port’s Guest VLAN as 100. Switch(Config-If-Ethernet1/2)#dot1x guest-vlan 100 Switch(Config-If-Ethernet1/2)#exit 42-89 Using the command of show running-config or show interface ethernet1/2, users can check the configuration of Guest VLAN. When there is no online user, no failed user authentication or no user gets offline successfully, and more authentication-triggering messages (EAP-Request/Identity) are sent than the upper limit defined, users can check whether the Guest VLAN configured on the port takes effect with the command show vlan id 100. 42.3.2 Examples of IPv4 RADIUS Applications 10.1.1.2 10.1.1.1 RADIUS Server 10.1.1.3 Figure 42-16: IEEE 802.1x Configuration Example Topology The PC is connecting to port 1/2 of the switch; IEEE 802.1x authentication is enabled on port1/2; the access mode is the default MAC-based authentication. The switch IP address is 10.1.1.2. Any port other than port 1/2 is used to connect to RADIUS authentication server, which has an IP address of 10.1.1.3, and use the default port 1812 for authentication and port 1813 for accounting. IEEE 802.1x authentication client software is installed on the PC and is used in IEEE 802.1x authentication. The configuration procedures are listed below: Switch(config)#interface vlan 1 Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-vlan1)#exit Switch(config)#radius-server authentication host 10.1.1.3 Switch(config)#radius-server accounting host 10.1.1.3 Switch(config)#radius-server key test Switch(config)#aaa enable Switch(config)#aaa-accounting enable 42-90 Switch(config)#dot1x enable Switch(config)#interface ethernet 1/2 Switch(Config-Ethernet1/2)#dot1x enable Switch(Config-Ethernet1/2)#dot1x port-control auto Switch(Config-Ethernet1/2)#exit 42.3.3 Examples of IPv6 RADIUS Application 2004:1:2:3::2 2004:1:2:3::1 RADIUS Server 2004:1:2:3::3 Figure 42-17: IPv6 RADIUS Connect the computer to the interface 1/2 of the switch, and enable IEEE802.1x on interface1/2. Use MAC based authentication. Configure the IP address of the switch as 2004:1:2:3::2, and connect the switch with any interface except interface 1/2 to the RADIUS authentication server. Configure the IP address of the RADIUS server to be 2004:1:2:3::3. Use the default ports 1812 and 1813 for authentication and accounting respectively. Install the IEEE802.1x authentication client software on the computer, and use the client for IEEE802.1x authentication. The detailed configurations are listed below: Switch(config)#interface vlan 1 Switch(Config-if-vlan1)#ipv6 address 2004:1:2:3::2/64 Switch(Config-if-vlan1)#exit Switch(config)#radius-server authentication host 2004:1:2:3::3 Switch(config)#radius-server accounting host 2004:1:2:3::3 Switch(config)#radius-server key test Switch(config)#aaa enable Switch(config)#aaa-accounting enable 42-91 Switch(config)#dot1x enable Switch(config)#interface ethernet 1/2 Switch(Config-If-Ethernet1/2)#dot1x enable Switch(Config-If-Ethernet1/2)#dot1x port-control auto Switch(Config-If-Ethernet1/2)#exit 42.4 802.1x Troubleshooting It is possible that 802.1x be configured on ports and 802.1x authentication be set to auto, t switch can’t be to authenticated state after the user runs 802.1x supplicant software. Here are some possible causes and solutions: If 802.1x cannot be enabled for a port, make sure the port is not executing MAC binding, or configured as a port aggregation. To enable the 802.1x authentication, the above functions must be disabled. If the switch is configured properly but still cannot pass through authentication, connectivity between the switch and RADIUS server, the switch and 802.1x client should be verified, and the port and VLAN configuration for the switch should be checked, too. Check the event log in the RADIUS server for possible causes. In the event log, not only unsuccessful logins are recorded, but prompts for the causes of unsuccessful login. If the event log indicates wrong authenticator password, radius-server key parameter shall be modified; if the event log indicates no such authenticator, the authenticator needs to be added to the RADIUS server; if the event log indicates no such login user, the user login ID and password may be wrong and should be verified and input again. 42-92 Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration MAC address list is used to identify the mapping relationship between the destination MAC addresses and the ports of switch. There are two kinds of MAC addresses in the list: static MAC address and dynamic MAC address. The static MAC address is set by users, having the highest priority (will not be overwritten by dynamic MAC address), and will always be effective; dynamic MAC address is learnt by the switch through transmitting data frames, and will only be effective in a specific time range. When the switch receives a data framed waiting to be transmitted, it will study the source MAC address of the data frame, build a mapping relationship with the receiving port, and then look up the MAC address list for the destination MAC address. If any matching list entry is found, the switch will transmit the data frame via the corresponding port, or, the switch will broadcast the data frame over the VLAN it belongs to. If the dynamically learnt MAC address matches no transmitted data in a long time, the switch will delete it from the MAC address list. Usually the switch supports both the static configuration and dynamic study of MAC address, which means each port can have more than one static set MAC addresses and dynamically learnt MAC addresses, and thus can implement the transmission of data traffic between port and known MAC addresses. When a MAC address becomes out of date, it will be dealt with broadcast. No number limitation is put on MAC address of the ports of our current switches; every port can have several MAC addressed either by configuration or study, until the hardware list entries are exhausted. To avoid too many MAC addresses of a port, we should limit the number of MAC addresses a port can have. For each INTERFACE VLAN, there is no number limitation of IP; the upper limit of the number of IP is the upper limit of the number of user on an interface, which is, at the same time, the upper limit of ARP and ND list entry. There is no relative configuration command can be used to control the sent number of these list entries. To enhance the security and the controllability of our products, we need to control the number of MAC address on each port and the number of ARP, ND on each INTERFACE VLAN. The number of static or dynamic MAC address on a port should not exceed the configuration. The number of user on each VLAN should not exceed the configuration, either. 43-93 Limiting the number of MAC and ARP list entry can avoid DOS attack to a certain extent. When malicious users frequently do MAC or ARP cheating, it will be easy for them to fill the MAC and ARP list entries of the switch, causing successful DOS attacks. To sum up, it is very meaningful to develop the number limitation function of MAC and IP in port, VLAN. Switch can control the number of MAC addresses of ports and the number ARP, ND list entry of ports and VLAN through configuration commands. Limiting the number of dynamic MAC and IP of ports: 1. Limiting the number of dynamic MAC. If the number of dynamically learnt MAC address by the switch is already larger than or equal with the max number of dynamic MAC address, then shutdown the MAC study function on this port, otherwise, the port can continue its study. 2. Limiting the number of dynamic IP. If the number of dynamically learnt ARP and ND by the switch is already larger than or equal with the max. number of dynamic ARP and ND, then shutdown the ARP and ND study function of this port, otherwise, the port can continue its study. Limiting the number of MAC, ARP and ND of interfaces: 1. Limiting the number of dynamic MAC. If the number of dynamically learnt MAC address by the VLAN of the switch is already larger than or equal with the max. number of dynamic MAC address, then shutdown the MAC study function of all the ports in this VLAN, otherwise, all the ports in this VLAN can continue their study (except special ports). 2. Limiting the number of dynamic IP. If the number of dynamically learnt ARP and ND by the switch is already larger than or equal with the max. number of dynamic ARP and ND, then the VLAN will not study any new ARP or ND, otherwise, the study can be continued. 43.1 The Number Limitation Function of MAC and IP in Port, VLAN Configuration Task Sequence 1. Enable the number limitation function of MAC and IP on ports 2. Enable the number limitation function of MAC and IP in VLAN 3. Configure the timeout value of querying dynamic MAC 4. Configure the violation mode of ports 5. Display and debug the relative information of number limitation of MAC and IP on ports 43-94 1. Enable the number limitation function of MAC and IP on ports Command Explanation Port Mode switchport mac-address dynamic maximum <value> Enable and disable the number limitation no switchport mac-address dynamic function of MAC on the ports. maximum switchport arp dynamic maximum <value> Enable and disable the number limitation no switchport arp dynamic maximum function of ARP on the ports. switchport nd dynamic maximum <value> Enable and disable the number limitation no switchport nd dynamic maximum function of ND on the ports. 2. Enable the number limitation function of MAC and IP in VLAN Command Explanation VLAN Mode vlan mac-address dynamic maximum Enable and disable the number limitation <value> no vlan mac-address dynamic maximum function of MAC in the VLAN. VLAN Interface Mode ip arp dynamic maximum <value> Enable and disable the number limitation no ip arp dynamic maximum function of ARP in the VLAN. ipv6 nd dynamic maximum <value> Enable and disable the number limitation no ipv6 nd dynamic maximum function of NEIGHBOR in the VLAN. 3. Configure the timeout value of querying dynamic MAC Command Explanation Global Mode mac-address query timeout <seconds> Configure the timeout value of querying dynamic MAC. 4. Configure the violation mode of ports Command Explanation Port Mode 43-95 switchport mac-address violation {protect Set the violation mode of the port, the no | shutdown} [recovery <5-3600>] command restores the violation mode to no switchport mac-address violation protect. 5. Display and debug the related information of number limitation of MAC and IP on ports Command Explanation Admin Mode show mac-address dynamic count {vlan <vlan-id> | interface ethernet Display the number of dynamic MAC in corresponding ports and VLAN. <portName> } show arp-dynamic count {vlan Display the number of dynamic ARP in <vlan-id> | interface ethernet corresponding ports and VLAN. <portName> } show nd-dynamic count {vlan Display the number of dynamic <vlan-id> | interface ethernet NEIGHBOUR in corresponding ports and <portName> } VLAN. debug switchport mac count All kinds of debug information when no debug switchport mac count limiting the number of MAC on ports. debug switchport arp count All kinds of debug information when no debug switchport arp count limiting the number of ARP on ports. All kinds of debug information when debug switchport nd count limiting the number of NEIGHBOUR on no debug switchport nd count ports. debug vlan mac count All kinds of debug information when no debug vlan mac count limiting the number of MAC in VLAN. debug ip arp count All kinds of debug information when no debug ip arp count limiting the number of ARP in VLAN. debug ipv6 nd count All kinds of debug information when no debug ipv6 nd count limiting the number of MAC in VLAN. 43-96 43.2 The Number Limitation Function of MAC and IP in Port, VLAN Typical Examples SWITCH A SWITCH B ……… PC PC PC PC PC Figure 43-1: The Number Limitation of MAC and IP in Port, VLAN Typical Configuration Example In the network topology above, SWITCH B connects to many PC users, before enabling the number limitation function of MAC and IP in Port, VLAN, if the system hardware has no other limitation, SWTICH A and SWTICH B can get the MAC, ARP, ND list entries of all the PC, so limiting the MAC, ARP list entry can avoid DOS attack to a certain extent. When malicious users frequently do MAC, ARP cheating, it will be easy for them to fill the MAC, ARP list entries of the switch, causing successful DOS attacks. Limiting the MAC, ARP, ND list entry can prevent DOS attack. On port 1/1 of SWITCH A, set the max. number can be learnt of dynamic MAC address as 20, dynamic ARP address as 20, NEIGHBOR list entry as 10. In VLAN 1, set the max. number of dynamic MAC address as 30, of dynamic ARP address as 30, NEIGHBOR list entry as 20. SWITCH A configuration task sequence: Switch (config)#interface ethernet 1/1 Switch (Config-If-Ethernet1/1)#switchport mac-address dynamic maximum 20 Switch (Config-If-Ethernet1/1)#switchport arp dynamic maximum 20 Switch (Config-If-Ethernet1/1)#switchport nd dynamic maximum 10 Switch (Config-if-Vlan1)#vlan mac-address dynamic maximum 30 43-97 43.3 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help The number limitation function of MAC and IP in Port, VLAN is disabled by default, if users need to limit the number of user accessing the network, they can enable it. If the number limitation function of MAC address can not be configured, please check whether Spanning-tree, dot1x, TRUNK is running on the switch and whether the port is configured as a MAC-binding port. The number limitation function of MAC address is mutually exclusive to these configurations, so if the users need to enable the number limitation function of MAC address on the port, they should check these functions mentioned above on this port are disabled. If all the configurations are normal, after enabling the number limitation function of MAC and IP in Port, VLAN, users can use debug commands to debug every limitation, check the details of number limitations and judge whether the number limitation function is correct. If there is any problem, please sent result to technical service center. 43-98 Chapter 44 Operational Configuration of AM Function 44.1 Introduction to AM Function AM (Access Management) means that when a switch receives an IP or ARP message, it will compare the information extracted from the message (such as source IP address or source MAC-IP address) with the configured hardware address pool. If there is an entry in the address pool matching the information (source IP address or source MAC-IP address), the message will be forwarded, otherwise, dumped. The reason why source-IP-based AM should be supplemented by source-MAC-IP-based AM is that IP address of a host might change. Only with a bound IP, can users change the IP of the host into forwarding IP, and hence enable the messages from the host to be forwarded by the switch. Given the fact that MAC-IP can be exclusively bound with a host, it is necessary to make MAC-IP bound with a host for the purpose of preventing users from maliciously modifying host IP to forward the messages from their hosts via the switch. With the interface-bound attribute of AM, network mangers can bind the IP (MAC-IP) address of a legal user to a specified interface. After that, only the messages sending by users with specified IP (MAC-IP) addresses can be forwarded via the interface, and thus strengthen the monitoring of the network security. 44.2 AM Function Configuration Task List 1. Enable AM function 2. Enable AM function on an interface 3. Configure the forwarding IP 4. Configure the forwarding MAC-IP 5. Delete all of the configured IP or MAC-IP or both 6. Display relative configuration information of AM 1. Enable AM function Command Explanation Global Mode am enable Globally enable or disable AM function. no am enable 44-99 2. Enable AM function on an interface Command Explanation Port Mode Enable/disable AM function on the port. am port When the AM function is enabled on the no am port port, no IP or ARP message will be forwarded by default. 3. Configure the forwarding IP Command Explanation Port Mode am ip-pool <ip-address> <num> no am ip-pool <ip-address> <num> Configure the forwarding IP of the port. 4. Configure the forwarding MAC-IP Command Explanation Port Mode am mac-ip-pool <mac-address> <ip-address> Configure the forwarding MAC-IP of the no am mac-ip-pool <mac-address> port. <ip-address> 5. Delete all of the configured IPs or MAC-IPs or both Command Explanation Global Mode Delete MAC-IP address pool or IP no am all [ip-pool|mac-ip-pool] address pool or both pools configured by all users. 44-100 6. Display related configuration information of AM Command Explanation Global Mode Display the AM configuration information show am [interface <interface-name>] of one port or all ports. 44.3 AM Function Example Internet SWITCH Port1 Port2 HUB1 HUB2 ……… PC1 PC2 PC30 Figure 44-1: a typical configuration example of AM function In the topology above, 30 PCs, after converged by HUB1, connect with interface1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. Considering security, the system manager will only take user with an IP address within that range as legal ones. And the switch will only forward data packets from legal users while dumping packets from other users. According to the requirements mentioned above, the switch can be configured as follows: Switch(config)#am enable Switch(config)#interface ethernet1/1 Switch(Config-If-Ethernet 1/1)#am port Switch(Config-If-Ethernet 1/1)#am ip-pool 10.10.10.1 10 44-101 44.4 AM Function Troubleshooting AM function is disabled by default, and after it is enabled, related configuration of AM can be made. Users can view the current AM configuration with “show am” command, such as whether the AM is enabled or not, and AM information on each interface, they can also use “show am [interface <interface-name>]” command to check the AM configuration information on a specific interface. If any operational error happens, the system will display detailed corresponding prompt. 44-102 Chapter 45 Security Feature Configuration 45.1 Introduction to Security Feature Before introducing the security features, we here first introduce the DoS. The DoS is short for Denial of Service, which is a simple but effective destructive attack on the internet. The server under DoS attack will drop normal user data packet due to non-stop processing the attacker’s data packet, leading to the denial of the service and worse can lead to leak of sensitive data of the server.' Security feature refers to applications such as protocol check which is for protecting the server from attacks such as DoS. The protocol check allows the user to drop matched packets based on specified conditions. The security features provide several simple and effective protections against Dos attacks while acting no influence on the linear forwarding performance of the switch. 45.2 Security Feature Configuration 45.2.1 Prevent IP Spoofing Function Configuration Task Sequence 1.Enable the IP spoofing function. Command Explanation Global Mode [no] dosattack-check srcip-equal-dstip enable Enable/disable the function of checking if the IP source address is the same as the destination address. 45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence 1.Enable the anti TCP unauthorized label attack function Command Explanation Global Mode [no] dosattack-check tcp-flags enable Enable/disable checking TCP label function. 45-103 45.2.3 Anti Port Cheat Function Configuration Task Sequence 1. Enable the anti port cheat function Command Explanation Global Mode [no] dosattack-check srcport-equal-dstport enable Enable/disable the prevent-port-cheat function. 45.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence 1.Enable the prevent TCP fragment attack function 2.Configure the minimum permitted TCP head length of the packet Command Explanation Global Mode [no] dosattack-check tcp-fragment Enable/disable the prevent TCP fragment enable attack function. Configure the minimum permitted TCP head length of the packet. This command has no dosattack-check tcp-header <size> effect when used separately, the user should enable the dosattack-check tcp-fragment enable. Note: This function is not supported by switch. 45.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence 1. Enable the prevent ICMP fragment attack function 2. Configure the max. permitted ICMPv4 net load length Command Explanation Global Mode [no] dosattack-check icmp-attacking Enable/disable the prevent ICMP fragment enable attack function. 45-104 Configure the max. permitted ICMPv4 net load dosattack-check icmpv4-size <size> length. This command has not effect when used separately, the user have to enable the dosattack-check icmp-attacking enable. 45.3 Security Feature Example Scenario: The User has the following configuration requirements: the switch do not forward data packet whose source IP address is equal to the destination address, and those whose source port is equal to the destination port. Only the ping command with defaulted options is allowed within the IPv4 network, namely the ICMP request packet can not be fragmented and its net length is normally smaller than 100. Configuration procedure: Switch(config)# dosattack-check srcip-equal-dstip enable Switch(config)# dosattack-check srcport-equal-dstport enable Switch(config)# dosattack-check icmp-attacking enable Switch(config)# dosattack-check icmpV4-size 100 45-105 Chapter 46 TACACS+ Configuration 46.1 Introduction to TACACS+ TACACS+ terminal access controller access control protocol is a protocol similar to the radius protocol for control the terminal access to the network. Three independent functions of Authentication, Authorization, Accounting are also available in this protocol. Compared with RADIUS, the transmission layer of TACACS+ protocol is adopted with TCP protocol, further with the packet head ( except for standard packet head) encryption, this protocol is of a more reliable transmission and encryption characteristics, and is more adapted to security control. According to the characteristics of the TACACS+ (Version 1.78), we provide TACACS+ authentication function on the switch, when the user logs, such as telnet, the authentication of user name and password can be carried out with TACACS+. 46.2 TACACS+ Configuration Task List 1. Configure the TACACS+ authentication key 2. Configure the TACACS+ server 3. Configure the TACACS+ authentication timeout time 4. Configure the IP address of the RADIUS NAS 1. Configure the TACACS+ authentication key Command Explanation Global Mode tacacs-server key {0 | 7}<string> no tacacs-server key Configure the TACACS+ server key; the “no tacacs-server key” command deletes the key. 2. Configure TACACS+ server Command Explanation Global Mode 46-106 tacacs-server authentication host Configure the IP address, listening port <ip-address> [port <port-number>] number, the value of timeout timer and the [timeout <seconds>] [key {0 | 7} key string of the TACACS+ server; the no <string>] [primary] no tacacs-server authentication host <ip-address> form of this command deletes the TACACS+ authentication server. 3. Configure the TACACS+ authentication timeout time Command Explanation Global Mode Configure the authentication timeout for the tacacs-server timeout <seconds> TACACS+ server, the “no tacacs-server no tacacs-server timeout timeout” command restores the default configuration. 4. Configure the IP address of the TACACS+ NAS Command Explanation Global Mode tacacs-server nas-ipv4 <ip-address> To configure the source IP address for the no tacacs-server nas-ipv4 TACACS+ packets for the switch. 46.3 TACACS+ Scenarios Typical Examples 10.1.1.2 10.1.1.1 TACACS Server 10.1.1.3 Figure 46-1: TACACS Configuration A computer connects to a switch, of which the IP address is 10.1.1.2 and connected with a TACACS+ authentication server; IP address of the server is 10.1.1.3 and the authentication port is defaulted at 49, set telnet log on authentication of the switch as tacacs local, via using 46-107 TACACS+ authentication server to achieve telnet user authentication. Switch(config)#interface vlan 1 Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-vlan1)#exit Switch(config)#tacacs-server authentication host 10.1.1.3 Switch(config)#tacacs-server key test Switch(config)#authentication line vty login tacacs 46.4 TACACS+ Troubleshooting In configuring and using TACACS+, the TACACS+ may fail to authentication due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: First good condition of the TACACS+ server physical connection. Second all interface and link protocols are in the UP state (use “show interface” command). Then ensure the TACACS+ key configured on the switch is in accordance with the one configured on TACACS+ server. Finally ensure to connect to the correct TACACS+ server. 46-108 Chapter 47 RADIUS Configuration 47.1 Introduction to RADIUS 47.1.1 AAA and RADIUS Introduction AAA is short for Authentication, Authorization and Accounting. it provides a consistent framework for the network management safely. According to the three functions of Authentication, Authorization, Accounting, the framework can meet the access control for the security network in which one can visit the network device and the access-level the user can have and the accounting for the network resource. RADIUS (Remote Authentication Dial in User Service), is a kind of distributed and client/server protocol for information exchange. The RADIUS client is usually used on network appliance to implement AAA in cooperation with 802.1x protocol. The RADIUS server maintains the database for AAA, and communicates with the RADIUS client through RADIUS protocol. The RADIUS protocol is the most common used protocol in the AAA framework. 47.1.2 Message Structure for RADIUS The RADIUS protocol uses UDP to deliver protocol packets. The packet format is shown below. Figure 47-1: Message structure for RADIUS 47-109 Code field (1octets) is the type of the RADIUS packet. Available value for the Code field is shown below: 1 Access-Request 2 Access-Accept 3 Access-Reject 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge Identifier field (1 octet): Identifier for the request and answer packets. Length field (2 octets): The length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes Authenticator field (16 octets): used for validation of the packets received from the RADIUS server. Or it can be used to carry encrypted passwords. This field falls into two kinds: the Request Authenticator and the Response Authenticator. Attribute field: used to carry detailed information about AAA. An Attribute value is formed by Type, Length, and Value fields. Type field (1 octet), the type of the attribute value, which is shown as below: Property Type of property Property Type of property 1 User-Name 23 Framed-IPX-Network 2 User-Password 24 State 3 CHAP-Password 25 Class 4 NAS-IP-Address 26 Vendor-Specific 5 NAS-Port 27 Session-Timeout 6 Service-Type 28 Idle-Timeout 7 Framed-Protocol 29 Termination-Action 8 Framed-IP-Address 30 Called-Station-Id 9 Framed-IP-Netmask 31 Calling-Station-Id 10 Framed-Routing 32 NAS-Identifier 11 Filter-Id 33 Proxy-State 12 Framed-MTU 34 Login-LAT-Service 13 Framed-Compression 35 Login-LAT-Node 14 Login-IP-Host 36 Login-LAT-Group 15 Login-Service 37 Framed-AppleTalk-Link 16 Login-TCP-Port 38 Framed-AppleTalk-Network 17 (unassigned) 39 Framed-AppleTalk-Zone 47-110 18 Reply-Message 40-59 (reserved for accounting) 19 Callback-Number 60 CHAP-Challenge 20 Callback-Id 61 NAS-Port-Type 21 (unassigned) 62 Port-Limit 22 Framed-Route 63 Login-LAT-Port Length field (1 octet), the length in octets of the attribute including Type, Length and Value fields. Value field, value of the attribute whose content and format is determined by the type and length of the attribute. 47.2 RADIUS Configuration Task List 1. Enable the authentication and accounting function 2. Configure the RADIUS authentication key 3. Configure the RADIUS server 4. Configure the parameter of the RADIUS service 5. Configure the IP address of the RADIUS NAS 1. Enable the authentication and accounting function Command Explanation Global Mode To enable the AAA authentication function. aaa enable The no form of this command will disable no aaa enable the AAA authentication function. aaa-accounting enable To enable AAA accounting. The no form of no aaa-accounting enable this command will disable AAA accounting. aaa-accounting update {enable|disable} Enable or disable the update accounting function. 2. Configure the RADIUS authentication key Command Explanation Global Mode radius-server key {0 | 7} <string> no radius-server key To configure the encryption key for the RADIUS server. The no form of this command will remove the configured key. 47-111 3. Configure the RADIUS server Command Explanation Global Mode radius-server authentication host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key {0 | 7} <string>] [primary] [access-mode {dot1x | telnet}] no radius-server authentication host Specifies the IPv4/IPv6 address and the port number, whether be primary server for RADIUS accounting server; the no command deletes the RADIUS accounting server. {<ipv4-address> | <ipv6-address> radius-server accounting host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key {0 | 7} <string>] Specifies the IPv4/IPv6 address and the port number, whether be primary server for RADIUS accounting server; the no [primary] command deletes the RADIUS accounting no radius-server accounting host server. {<ipv4-address> | <ipv6-address>} 4. Configure the parameter of the RADIUS service Command Explanation Global Mode To configure the interval that the RADIUS radius-server dead-time <minutes> becomes available after it is down. The no no radius-server dead-time form of this command will restore the default configuration. To configure retry times for the RADIUS radius-server retransmit <retries> packets. The no form of this command no radius-server retransmit restores the default configuration. To configure the timeout value for the radius-server timeout <seconds> RADIUS server. The no form of this no radius-server timeout command will restore the default configuration. radius-server accounting-interim-update timeout <seconds> no radius-server accounting-interim-update timeout To configure the update interval for accounting. The no form of this command will restore the default configuration. 47-112 5. Configure the IP address of the RADIUS NAS Command Explanation Global Mode radius nas-ipv4 <ip-address> To configure the source IP address for the no radius nas-ipv4 RADIUS packets for the switch. radius nas-ipv6 <ipv6-address> To configure the source IPv6 address for no radius nas-ipv6 the RADIUS packets for the switch. 47.3 RADIUS Typical Examples 47.3.1 IPv4 RADIUS Example 10.1.1.2 10.1.1.1 RADIUS Server 10.1.1.3 Figure 47-2: The Topology of IEEE802.1x configuration A computer connects to a switch, of which the IP address is 10.1.1.2 and connected with a RADIUS authentication server without Ethernet1/2; IP address of the server is 10.1.1.3 and the authentication port is defaulted at 1812, accounting port is defaulted at 1813. Configure steps as below: Switch(config)#interface vlan 1 Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-vlan1)#exit Switch(config)#radius-server authentication host 10.1.1.3 Switch(config)#radius-server accounting host 10.1.1.3 Switch(config)#radius-server key test Switch(config)#aaa enable Switch(config)#aaa-accounting enable 47-113 47.3.2 IPv6 RADIUS Example 2004:1:2:3::2 2004:1:2:3::1 RADIUS Server 2004:1:2:3::3 Figure 47-3: The Topology of IPv6 RADIUS configuration A computer connects to a switch, of which the IP address is 2004:1:2:3::2 and connected with a RADIUS authentication server without Ethernet1/2; IP address of the server is 2004:1:2:3::3 and the authentication port is defaulted at 1812, accounting port is defaulted at 1813. Configure steps as shown below: Switch(config)#interface vlan 1 Switch(Config-if-vlan1)#ipv6 address 2004:1:2:3::2/64 Switch(Config-if-vlan1)#exit Switch(config)#radius-server authentication host 2004:1:2:3::3 Switch(config)#radius-server accounting host 2004:1:2:3::3 Switch(config)#radius-server key test Switch(config)#aaa enable Switch(config)#aaa-accounting enable 47.4 RADIUS Troubleshooting In configuring and using RADIUS, the RADIUS may fail to authentication due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: First make sure good condition of the RADIUS server physical connection Second all interface and link protocols are in the UP state (use “show interface” command) Then ensure the RADIUS key configured on the switch is in accordance with the one configured on RADIUS server Finally ensure to connect to the correct RADIUS server 47-114 If the RADIUS authentication problem remains unsolved, please use debug aaa and other debugging command and copy the DEBUG message within 3 minutes, send the recorded message to the technical server center of our company. 47-115 Chapter 48 SSL Configuration 48.1 Introduction to SSL As the computer networking technology spreads, the security of the network has been taking more and more important impact on the availability and the usability of the networking application. The network security has become one of the greatest barriers of modern networking applications. To protect sensitive data transferred through Web, Netscape introduced the Secure Socket Layer – SSL protocol, for its Web browser. Up till now, SSL 2.0 and 3.0 has been released. SSL 2.0 is obsolete because of security problems, and it is not supported on the switches of Network. The SSL protocol uses the public-key encryption, and has become the industry standard for secure communication on internet for Web browsing. The Web browser integrates HTTP and SSL to realize secure communication. SSL is a safety protocol to protect private data transmission on the Internet. SSL protocols are designed for secure transmission between the client and the server, and authentication both at the server sides and optional client. SSL protocols must build on reliable transport layer (such as TCP). SSL protocols are independent for application layer. Some protocols such as HTTP, FTP, TELNET and so on, can build on SSL protocols transparently. The SSL protocol negotiates for the encryption algorithm, the encryption key and the server authentication before data is transmitted. Ever since the negotiation is done, all the data being transferred will be encrypted. Via above introduction, the security channel is provided by SSL protocols have below three characteristics: Privacy. First they encrypt the suite through negotiation, then all the messages be encrypted. Affirmation. Though the client authentication of the conversational is optional, but the server is always authenticated. Reliability. The message integrality inspect is included in the sending message (use MAC). 48-116 48.1.1 Basic Element of SSL The basic strategy of SSL provides a safety channel for random application data forwarding between two communication programs. In theory, SSL connect is similar with encrypt TCP connect. The position of SSL protocol is under application layer and on the TCP. If the mechanism of the data forwarding in the lower layer is reliable, the data read-in the network will be forwarded to the other program in sequence, lose packet and re-forwarding will not appear. A lot of transmission protocols can provide such kind of service in theory, but in actual application, SSL is almost running on TCP, and not running on UDP and IP directly. When web function is running on the switch and client visit our web site through the internet browser, we can use SSL function. The communication between client and switch through SSL connect can improve the security. Firstly, SSL should be enabled on the switch. When the client tries to access the switch through https method, a SSL session will be set up between the switch and the client. When the SSL session has been set up, all the data transmission in the application layer will be encrypted. SSL handshake is done when the SSL session is being set up. The switch should be able to provide certification keys. Currently the keys provided by the switch are not the formal certification keys issued by official authentic, but the private certification keys generated by SSL software under Linux which may not be recognized by the web browser. With regard to the switch application, it is not necessary to apply for a formal SSL certification key. A private certification key is enough to make the communication safe between the users and the switch. Currently it is not required that the client is able to check the validation of the certification key. The encryption key and the encryption method should be negotiated during the handshake period of the session which will be then used for data encryption. SSL session handshake process: 48-117 48.2 SSL Configuration Task List 1. Enable/disable SSL function 2. Configure/delete port number by SSL used 3. Configure/delete secure cipher suite by SSL used 4. Maintenance and diagnose for the SSL function 1. Enable/disable SSL function Command Explanation Global Mode ip http secure-server no ip http secure-server Enable/disable SSL function. 2. Configure/delete port number by SSL used Command Explanation Global Mode ip http secure-port <port-number> no ip http secure-port Configure port number by SSL used, the” no ip http secure-port” command deletes the port number. 3. Configure/delete secure cipher suite by SSL used Command Explanation Global Mode ip http secure-ciphersuite {des-cbc3-sha|rc4-128-sha| Configure/delete secure cipher suite by SSL des-cbc-sha} used. no ip http secure-ciphersuite 4. Maintenance and diagnose for the SSL function Command Explanation Admin Mode show ip http secure-server status debug ssl no debug ssl Show the configured SSL information. Open/close the DEBUG for SSL function. 48-118 48.3 SSL Typical Example When the Web function is enabled on the switch, SSL can be configured for users to access the web interface on the switch. If the SSL has been configured, communication between the client and the switch will be encrypted through SSL for safety. Firstly, SSL should be enabled on the switch. When the client tries to access the switch through https method, a SSL session will be set up between the switch and the client. When the SSL session has been set up, all the data transmission in the application layer will be encrypted. Web Server Date Acquisition Fails Malicious Users Web Browser https SSLSession Connected PC Users Configuration on the switch: Switch(config)# ip http secure-server Switch(config)# ip http secure-port 1025 Switch(config)# ip http secure-ciphersuite rc4-128-sha 48.4 SSL Troubleshooting In configuring and using SSL, the SSL function may fail due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: First good condition of the physical connection; Second all interface and link protocols are in the UP state (use “show interface” command); Then, make sure SSL function is enabled (use ip http secure-server command ); Don’t use the default port number if configured port number, pay attention to the port number when input the web wide; 48-119 If SSL is enabled, SSL should be restarted after changes on the port configuration and encryption configuration; IE 7.0 or above should be used for use of des-cbc-sha; If the SSL problems remain unsolved after above try, please use debug SSL and other debugging command and copy the DEBUG message within 3 minutes, send the recorded message to technical server center of our company. 48-120 Chapter 49 IPv6 Security RA Configuration 49.1 Introduction to IPv6 Security RA In IPv6 networks, the network topology is generally compromised of routers, layer-two switches and IPv6 hosts. Routers usually advertise RA, including link prefix, link MTU and other information, when the IPv6 hosts receive RA, they will create link address, and set the default router as the one sending RA in order to implement IPv6 network communication. If a vicious IPv6 host sends RA to cause that normal IPv6 users set the default router as the vicious IPv6 host user, the vicious user will be able to capture the information of other users, which will threat the network security. Simultaneously, the normal users get incorrect address and will not be able to connect to the network. So, in order to implement the security RA function, configuring on the switch ports to reject vicious RA messages is necessary, thus to prevent forwarding vicious RA to a certain extent and to avoid affecting the normal operation of the network. 49.2 IPv6 Security RA Configuration Task Sequence 1. Globally enable IPv6 security RA 2. Enable IPv6 security RA on a port 3. Display and debug the relative information of IPv6 security RA 1. Globally enable IPv6 security RA Command Explanation Global Mode ipv6 security-ra enable Globally enable and disable IPv6 security no ipv6 security-ra enable RA. 2. Enable IPv6 security RA on a port Command Explanation Port Mode ipv6 security-ra enable Enable and disable IPv6 security RA in port no ipv6 security-ra enable configuration mode. 49-121 3. Display and debug the related information of IPv6 security RA Command Explanation Admin Mode Enable the debug information of IPv6 debug ipv6 security-ra security RA module, the no operation of no debug ipv6 security-ra this command will disable the output of debug information of IPv6 security RA. show ipv6 security-ra [interface Display the untrusted port and whether <interface-list>] globally security RA is enabled. 49.3 IPv6 Security RA Typical Examples Other IPv6 network RA X Ethernet1/3 Ethernet1/1 Ethernet1/2 RA PC User Illegal User Figure 49-1: IPv6 Security RA sketch map Instructions: if the illegal user in the graph advertises RA, the normal user will receive the RA, set the default router as the vicious IPv6 host user and change its own address. This will cause the normal user to not be able to connect the network. We want to set security RA on the 1/2 port of the switch, so that the RA from the illegal user will not affect the normal user. Switch configuration task sequence: Switch#config Switch(config)#ipv6 security-ra enable Switch(Config-If-Ethernet1/2)# ipv6 security-ra enable 49-122 49.4 IPv6 Security RA Troubleshooting Help The function of IPv6 security RA is quite simple, if the function does not meet the expectation after configuring IPv6 security RA: Check if the switch is correctly configured. Check if there are rules conflicting with security RA function configured on the switch, this kind of rules will cause RA messages to be forwarded. 49-123 Chapter 50 MAB Configuration 50.1 Introduction to MAB In actual network, the existing device cannot install the authentication client, such as printer, and PDA devices, and cannot process 802.1x authentication. However, to access the network resources, they need to use MAB authentication to replace 802.1x authentication. MAB authentication is a network accessing authentication method based on the accessing port and the MAC address of MAB user. The user needn’t install any authentication client, after the authentication device receives ARP packets sent by MAB user, it will authenticate the MAC address of the MAB user and there is the corresponding authentication information in the authentication server, the matched packets of the port and the source MAC are allowed to pass when the authentication is successful. MAB user didn’t need to input the username and password manually in the process of authentication. At present, MAB authentication device only supports RADIUS authentication method. There is the selection method for the authentication username and password: use the MAC address of the MAB user as the username and password, or the fixed username and password (all users use the configured username and password to authenticate). 50.2 MAB Configuration Task List MAB Configuration Task List: 1. Enable MAB function 1) Enable global MAB function 2) Enable port MAB function 2. Configure MAB authentication username and password 3. Configure MAB parameters 1) Configure guest-vlan 2) Configure the binding-limit of the port 3) Configure the reauthentication time 4) Configure the offline detection time 5) Configure other parameters 50-124 1. Enable MAB function Command Explanation Global Mode mac-authentication-bypass enable Enable the global MAB authentication no mac-authentication-bypass enable function. Port Mode mac-authentication-bypass enable Enable the port MAB authentication no mac-authentication-bypass enable function. 2. Configure MAB authentication username and password Command Explanation Global Mode mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}} Set the authentication mode of MAB authentication function. 3. Configure MAB parameters Command Explanation Port Mode mac-authentication-bypass binding-limit <1-100> Set the max. MAB binding-limit of the port. no mac-authentication-bypass binding-limit Global Mode mac-authentication-bypass timeout offline-detect (0|<60-7200>) no mac-authentication-bypass timeout Set offline detection interval. offline-detect mac-authentication-bypass timeout quiet-period <1-60> no mac-authentication-bypass timeout Set quiet-period of MAB authentication. quiet-period mac-authentication-bypass timeout stale-period <0-60> Set the time that delete the binding after the no mac-authentication-bypass timeout port is down. stale-period 50-125 mac-authentication-bypass Enable the spoofing-garp-check function, spoofing-garp-check enable MAB function will not deal with no mac-authentication-bypass spoofing-garp any more; the no command spoofing-garp-check enable disables the function. Configure the authentication mode and authentication mab {radius | none} priority of MAC address, the no command no authentication mab restores the default authentication mode. 50.3 MAB Example Example: The typical example of MAB authentication function: Update Server Eth1/1 Radius Server Eth1/2 Internet Eth1/3 Switch 2 Ethernet1/4 Ethernet1/4 Switch 1 Eth1/1 PC1 Eth1/2 PC2 Eth1/3 Printer Figure 50-1: MAB application Switch 1 is a layer 2 accessing switch, Switch 2 is a layer 3 aggregation switch. Ethernet 1/1 is an access port of Switch1, connects to PC1, it enables 802.1x port-based function and configures guest vlan as vlan8. 50-126 Ethernet 1/2 is a hybrid port, connects to PC2, native vlan of the port is vlan1, and configures guest vlan as vlan8, it joins in vlan1, vlan8 and vlan10 with untag method and enables MAB function. Ethernet 1/3 is an access port, connects to the printer and enables MAB function. Ethernet 1/4 is a trunk port, connects to Switch 2. Ethernet 1/4 is a trunk port of Switch 2, connects to Switch 1. Ethernet 1/1 is an access port, belongs to vlan8, connects to update server to download and upgrade the client software. Ethernet 1/2 is an access port, belongs to vlan9, connects to radius server which configure auto vlan as vlan10. Ethernet 1/3 is an access port, belongs to vlan10, connects to external internet resources. To implement this application, the configuration is as follows: Switch 1 configuration: (1) Enable 802.1x and MAB authentication function globally, configure username and password of MAB authentication and radius-server address Switch(config)# dot1x enable Switch(config)# mac-authentication-bypass enable Switch(config)#mac-authentication-bypass username-format fixed username mabuser password mabpwd Switch(config)#vlan 8-10 Switch(config)#interface vlan 9 Switch(config-if-vlan9)ip address 192.168.61.9 255.255.255.0 Switch(config-if-vlan9)exit Switch(config)#radius-server authentication host 192.168.61.10 Switch(config)#radius-server accounting host 192.168.61.10 Switch(config)#radius-server key test Switch(config)#aaa enable Switch(config)#aaa-accounting enable (2) Enable the authentication function of each port Switch(config)#interface ethernet 1/1 Switch(config-if-ethernet1/1)#dot1x enable Switch(config-if-ethernet1/1)#dot1x port-method portbased Switch(config-if-ethernet1/1)#dot1x guest-vlan 8 Switch(config-if-ethernet1/1)#exit 50-127 Switch(config)#interface ethernet 1/2 Switch(config-if-ethernet1/2)#switchport mode hybrid Switch(config-if-ethernet1/2)#switchport hybrid native vlan 1 Switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 1;8;10 untag Switch(config-if-ethernet1/2)#mac-authentication-bypass enable Switch(config-if-ethernet1/2)#mac-authentication-bypass enable guest-vlan 8 Switch(config-if-ethernet1/2)#exit Switch(config)#interface ethernet 1/3 Switch(config-if-ethernet1/3)#switchport mode access Switch(config-if-ethernet1/3)#mac-authentication-bypass enable Switch(config-if-ethernet1/3)#exit Switch(config)#interface ethernet 1/4 Switch(config-if-ethernet1/4)# switchport mode trunk 50.4 MAB Troubleshooting If a problem happens when using MAB function, please check whether the problem is caused by the following reasons: Make sure global and port MAB function are enabled; Make sure the correct username and password of MAB authentication are used; Make sure the radius-server configuration is correct. 50-128 Chapter 51 PPPoE Intermediate Agent Configuration 51.1 Introduction to PPPoE Intermediate Agent 51.1.1 Brief Introduction to PPPoE PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies PPP protocol to Ethernet. PPP protocol is a link layer protocol that utilizes the communication method of point-to-point. It is usually selected by host dial-up link, for example, the link is line dial-up. PPP protocol is applied to Ethernet that means PPPoE protocol makes many hosts of Ethernet to connect a remote access collector through one or multiple bridge devices. If the remote access collector is broadband access server (BAS), it can supply broadband access and accounting functions for these hosts, so PPPoE protocol is used for the broadband access authentication of Ethernet usually. 51.1.2 Introduction to PPPoE IA Broadband access technique is rapidly developed. Broadband access network is also developing from strength to strength, but security problem gradually becomes the focus, so the clients or the access device and the network are faced with security problem (especially from the client) in the current access network. Traditional Ethernet user cannot be identified, traced and located exactly; however, in exoteric and controllable network, identification and location are the basic character and requirement for user, for example, when supplying the application that uses user accounts to login, this method supplied by PPPoE Intermediate Agent can avoid the embezzlement of user accounts. There are two stages for PPPoE protocol to work: discovery stage and session stage. Discovery stage is used to obtain MAC address of the remote server to establish a point-to-point link and a session ID with the server, and session stage uses this session ID to communicate. PPPoE Intermediate Agent only relates to discovery stage, so we simply introduce discovery stage. There are four steps for discovery stage: 1. Client sends PADI packet: For the first step, client uses broadcast address as destination address and broadcast PADI (PPPoE Active Discovery Initiation) packet to discover access collector in layer 2 network. Note: This message may be sent to many access collectors of the network. 2. Broadband Access Server responds to PADO packet: For the second step, server 51-129 responds to PADO (PPPoE Active Discovery Offer) packet to client according to the received source MAC address of PADI packet; the packet will take server name and service name. 3. Client sends PADR packet: For the third step, client selects a server to process the session according to the received PADO packet. It may receive many PADO packets for PADI. Message of the first step may be sent to many servers (select the server according to whether the service information of PADO packet matches with the service information needed by client). MAC address of the other end used for session will be known after server is selected, and send PADR (PPPoE Active Discovery Request) packet to it to announce the session requirements of server. 4. Server responds to PADS packet: For the fourth step, server establishes a session ID according to the received PADR packet. This session ID will be sent to client through PADS (PPPoE Active Discovery Session-confirmation) packet, hereto PPPoE discovery stage is completed to enter session stage. PADT (PPPoE Active Discovery Terminate) packet is a special packet of PPPoE. Its Ethernet protocol number (0x8863) is the same as the above four packets, so it can be considered a packet of discovery stage. To stop a PPPoE session, PADT may be sent at the discretional time of the session. (It can be sent by client or server) PPPoE Intermediate Agent supplies a function that identifies and locates the user. When passing network access device, PADI and PADR messages will be sent by client with the access link tag of this device at PPPoE discovery stage so as to exactly identify and locate the user on server. If the direct-link access device is LAN switch, the added information includes: MAC, Slot ID, Port Index, Vlan ID and so on. This function is implemented according to Migration to Ethernet-based DSL aggregation. 51.1.2.1 PPPoE Intermediate Agent Exchange Process PPPoE Intermediate Agent exchange process is similar to PPPoE exchange process, for the first exchange process, the access link tag is added to PADI and PADR packets. The exchange process is as follows: 51-130 Figure 51-1: PPPoE IA protocol exchange process 51.1.2.2 PPPoE Packet Format PPPoE packet format is as follows: Ethernet II frame Destination MAC Source MAC Type Field PPPoE Data CRC Check Sum PPPoE data Version Type Code Session ID Length Field TLV1 …… TLV N TLV frame Type Length Data The meaning of each field is as follows: Type field (2 bytes) of Ethernet II frame: The protocol sets type field value of PPPoE protocol packet as 0x8863 (including 5 kinds of packets in PPPoE discovery stage only), type field value of session stage as 0x8864. PPPoE version field (4 bits): Specify the current PPPoE protocol version; the current version must be set as 0x1. PPPoE type field (4 bits): Specify the protocol type; the current version must be set as 0x1. PPPoE code field (1 byte): Specify the packet type; 0x09 means PADI packet, 0x07 means PADO packet, 0x19 means PADR packet, 0x65 means PADS packet and 0xa7 means PADT packet. PPPoE session ID field (2 bytes): Specify the session ID. PPPoE length field (2 bytes): Specify the sum of all TLV lengths. TLV type field (2 bytes): A TLV frame means a TAG and type field means TAG type. The table is as follows: 51-131 TLV length field (2 bytes): Specify the length of TAG data field. TLV data field (the length is not specified): Specify the transmitted data of TAG. Tag Type Tag Explanation 0x0000 The end of a series tag in PPPoE data field, it is saved for ensuring the version compatibility and is applied by some packets. 0x0101 Service name. Indicate the supplied services by network. 0x0102 Server name. When user receives the PADO response packet of AC, it can obtain the server name from the tag and select the corresponding server. 0x0103 Exclusive tag of the host. It is similar to tag field of PPPoE data packets and is used to match the sending and receiving end (Because broadcast network may exist many PPPoE data packets synchronously). 0x0104 AC-Cookies. It is used to avoid the vicious DOS attack. 0x0105 The identifier of vendor. 0x0110 Relay session ID. PPPoE data packet can be interrupted to other AC, this field is used to keep other connection. 0x0201 The error of service name. When the requested service name is not accepted by other end, the response packet will take this tag. 0x0202 The error of server name. 0x0203 Common error. Table 51-1: TAG value type of PPPoE 51.1.2.3 PPPoE Intermediate Agent vendor tag Frame The following is the format of tag added by PPPoE IA; adding tag is the Uppermost function of PPPoE IA. Figure 51-2: PPPoE IA - vendor tag (4 bytes in each row) 51-132 Add TLV tag as 0x0105 for PPPoE IA, TAG_LENGTH is length field of vendor tag; 0x00000DE9 is “ADSL Forum” IANA entry of the fixed 4 bytes; 0x01 is type field of Agent Circuit ID, length is length field and Agent Circuit ID value field; 0x02 is type field of Agent Remote ID, length is length field and Agent Remote ID value field. PPPoE IA supplies a default circuit ID value, the default circuit ID (The figure in the following) includes 5 fields, ANI (Access Node Identifier) can be configured by user, its length is less than 47 bytes. If there is no ANI configured, MAC is accessed by default, occupy 6 bytes and use space symbol to compart, “eth” occupies 3 bytes and uses space symbol to compart, “Slot ID” occupies 2 bytes, use “/” to compart and occupy 1 byte, “Port Index” occupies 3 bytes, use “:” to compart and occupy 1 byte, “Vlan ID” occupies 4 bytes, all fields use ASCII, user can configure circuit ID for each port according to requirement. ANI (n byte) Space ( 1byte) eth (3 byte) Space Slot ID (1 byte) (2 byte) / (1byte) Port Index (3 byte) : Vlan ID (1 byte) (4 byte) Figure 51-3: Agent Circuit ID value MAC of the access switch is the default remote ID value of PPPoE IA. remote ID value can be configured by user flexibly, the length is less than 63 bytes. 51.1.2.4 Trusted Port of PPPoE Intermediate Agent Discovery stage sends five kinds of packets, PADI and PADR packets sent by client to server, PADO and PADS packets sent by server to client, and PADT packet can be sent by server or client. In PPPoE IA, for security and reduced traffic, set a port connected server as trusted port, set ports connected client as untrusted port, trusted port can receive all packets, untrusted port can receive only PADI, PADR and PADT packets which are sent to server. To ensure client operation is correct, it must set the port connecting to server as trusted port. Each access to device has a trusted port at least. PPPoE IA vendor tag can not exist in PPPoE packets sent by server to client, so we can strip and forward these vendor tags if they exist in PPPoE packets. Strip function must be configured on trusted port, enabling strip function not to take effect on untrusted port. 51-133 51.2 PPPoE Intermediate Agent Configuration Task List 1. Enable global PPPoE Intermediate Agent 2. Enable port PPPoE Intermediate Agent Command Explanation Global Mode pppoe intermediate-agent Enable global PPPoE Intermediate Agent no pppoe intermediate-agent function. pppoe intermediate-agent type tr-101 circuit-id access-node-id <string> Configure access node ID field value of no pppoe intermediate-agent type tr-101 circuit ID in added vendor tag. circuit-id access-node-id pppoe intermediate-agent type tr-101 circuit-id identifier-string <string> option {sp | sv | pv | spv} delimiter <WORD> Configure circuit-id in added vendor tag. [delimiter <WORD> ] no pppoe intermediate-agent type tr-101 circuit-id identifier-string option delimiter pppoe intermediate-agent type self-defined circuit-id {vlan| port|id (switch-id (mac | hostname)| remote-mac) | string WORD} Configure the self-defined circuit-id. no pppoe intermediate-agent type self-defined circuit-id pppoe intermediate-agent type self-defined remote-id {mac | hostname| Configure the self-defined remote-id. string WORD} no pppoe intermediate-agent type self-defined remote-id pppoe intermediate-agent delimiter Configure the delimiter among the fields <WORD> no pppoe intermediate-agent delimiter in circuit-id and remote-id pppoe intermediate-agent format (circuit-id | remote-id) (hex | ascii) Configure the format with hex or ASCII no pppoe intermediate-agent format for circuit-id and remote-id. (circuit-id | remote-id) Port Mode 51-134 pppoe intermediate-agent Enable PPPoE Intermediate Agent no pppoe intermediate-agent function of port. pppoe intermediate-agent vendor-tag strip no pppoe intermediate-agent vendor-tag Set vendor tag strip function of port. strip pppoe intermediate-agent trust Set a port as trusted port. no pppoe intermediate-agent trust pppoe intermediate-agent circuit-id Set circuit-id of port. <string> no pppoe intermediate-agent circuit-id pppoe intermediate-agent remote-id Set remote-id of port. <string> no pppoe intermediate-agent remote-id 51.3 PPPoE Intermediate Agent Typical Application PPPoE Intermediate Agent typical application is as follows: Figure 51-4: PPPoE IA typical application Both host and BAS server run PPPoE protocol and are connected with Layer 2 Ethernet switch that enables PPPoE Intermediate Agent function. Typical configuration (1) in the following: Step 1: Switch enables global PPPoE IA function, MAC as 0a0b0c0d0e0f. Switch(config)# pppoe intermediate-agent Step 2: Configure port ethernet1/1 which connect server as trusted port, and configure vendor tag strip function. Switch(config-if-ethernet1/1)#pppoe intermediate-agent trust Switch(config-if-ethernet1/1)#pppoe intermediate-agent vendor-tag strip 51-135 Step 3: Port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234 enable PPPoE IA function of port. Switch(config-if-ethernet1/2)#pppoe intermediate-agent Switch(config-if-ethernet1/3)#pppoe intermediate-agent Step 4: Configure pppoe intermediate-agent access-node-id as abcd. Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd Step 5: Configure circuit ID as aaaa, remote ID as xyz for port ethernet1/3. Switch(config-if-ethernet1/3)#pppoe intermediate-agent circuit-id aaaa Switch (config-if-ethernet1/3)#pppoe intermediate-agent remote-id xyz circuit-id value is ”abcd eth 01/002:0001”, remote-id value is ”0a0b0c0d0e0f” for the added vendor tag of port ethernet1/2. circuit-id value is ”aaaa”, remote-id value is ”xyz” for the added vendor tag of port ethernet1/3. Typical configuration (2) in the following: Step 1: Switch enables global PPPoE IA function, MAC as 0a0b0c0d0e0f. Switch(config)#pppoe intermediate-agent Step 2: Configure port ethernet1/1 which connect server as trusted port, and configure vendor tag strip function. Switch(config-if-ethernet1/1)#pppoe intermediate-agent trust Switch(config-if-ethernet1/1)#pppoe intermediate-agent vendor-tag strip Step 3: Port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234 enable PPPoE IA function of port. Switch(config-if-ethernet1/2)#pppoe intermediate-agent Switch(config-if-ethernet1/3)#pppoe intermediate-agent Step 4: Configure pppoe intermediate-agent access-node-id as abcd. Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd 51-136 Step 5: Configure pppoe intermediate-agent identifier-string as “efgh”, combo mode as spv, delimiter of Slot ID and Port ID as “#”, delimiter of Port ID and Vlan ID as “/”. Switch(config)#pppoe intermediate-agent type tr-101 circuit-id identifier-string efgh option spv delimiter # delimiter / Step 6: Configure circuit-id value as bbbb on port ethernet1/2. Switch(config-if-ethernet1/2)#pppoe intermediate-agent circuit-id bbbb Step 7: Configure remote-id as xyz on ethernet1/3. Switch(config-if-ethernet1/3)#pppoe intermediate-agent remote-id xyz circuit-id value is ”bbbb”, remote-id value is ”0a0b0c0d0e0f” for the added vendor tag of port ethernet1/2. circuit-id value is ”efgh eth 01#003/1234”, remote-id value is ”xyz” for the added vendor tag of port ethernet1/3. 51.4 PPPoE Intermediate Agent Troubleshooting Only switch enables global PPPoE intermediate agent firstly, this function can be run on port. Configure a trusted port at least, and this port can connect to server. Vendor tag strip function must be configured by trusted port. Circuit-id override priority is: pppoe intermediate-agent circuit-id < pppoe intermediate-agent identifier-string option delimiter < pppoe intermediate-agent access-node-id. 51-137 Chapter 52 Web Portal Configuration 52.1 Introduction to Web Portal Authentication 802.1x authentication uses the special client to authenticate. The device uses the special layer 2 switch; the authentication server uses RADIUS server; and the format of authentication message uses EAP protocol. Use EAPOL encapsulation technique (encapsulate EAP packets within Ethernet frame) to process the communication between client and authentication proxy switch, but authentication proxy switch and authentication server use EAPOR encapsulation format (run EAP packets on Radius protocol) to process the communication. The device and RADIUS server use RADIUS protocol to transmit PAP packets or CHAP packets when the device processes to relay. For implementing identity authentication and network accessing, user should install the special authentication client software, and spring the authentication flow to communicate with Radius server through logging in authentication client. After 802.1x authentication is added in web-based authentication mode, the user can download a special Java Applet program by browser or other plug-in to replace 802.1x client. For the environment which uses 802.1x authentication, installing client or downloading the special Java Applet program become a mortal problem. To satisfy user’s actual requirement, the manual describes an application scene based on web portal authentication. Web portal authentication not only implements the basic device authentication without the client but also implement the security detection to the terminal. 52.2 Web Portal Authentication Configuration Task List 1. Enable/disable web portal authentication globally (required) 2. Enable/disable web portal authentication of the port (required) 3. Configure the max. web portal binding number allowed by the port (optional) 4. Configure HTTP redirection address of web portal authentication (required) 5. Configure IP source address for communicating between accessing device and portal server (required) 6. Enable dhcp snooping binding web portal function (optional) 7. Delete the binding information of web portal authentication 52-138 1. Enable/disable web portal authentication globally Command Explanation Global Mode webportal enable Enable/disable web portal authentication no webportal enable globally. 2. Enable/disable web portal authentication of the port Command Explanation Port Mode webportal enable Enable/disable web portal authentication of no webportal enable the port. 3. Configure the max. web portal binding number allowed by the port Command Explanation Port Mode webportal binding-limit <1-256> Configure the max. web portal binding no webportal binding-limit number allowed by the port 4. Configure HTTP redirection address of web portal authentication Command Explanation Global Mode webportal redirect <ip> Configure HTTP redirection address of web no webportal redirect portal authentication. 5. Configure IP source address for communicating between accessing device and portal server Command Explanation Global Mode webportal nas-ip <ip-address> no webportal nas-ip Configure IP source address for communicating between accessing device and portal server. 52-139 6. Enable dhcp snooping binding web portal function Command Explanation Port Mode ip dhcp snooping binding webportal Enable dhcp snooping binding web portal no ip dhcp snooping binding webportal function. 7. Delete the binding information of web portal authentication Command Explanation Admin Mode clear webportal binding {mac WORD | interface <ethernet IFNAME | IFNAME> |} Delete the binding information of web portal authentication. 52.3 Web Portal Authentication Typical Example Figure 52-1: Web portal typical application scene 52-140 In the above figure, pc1 is end-user, there is http browser in it, but no 802.1x authentication client, pc1 wants to access the network through web portal authentication. Switch1 is the accessing device, it configures accounting server’s address and port as RADIUS server’s IP and port, and enable the accounting function. Ethernet 1/2 connects to pc1, the port enables web portal authentication, and configure the redirection address and port as portal server’s IP and port, so ethernet 1/2 forbids all flows except dhcp/dns/arp packets. Switch2 is the aggregation switch. Ethernet1/2 connects to radius server while ethernet1/3 connects to portal server. The address of radius server is 192.168.40.100 while the address of portal server is 192.168.40.99. Ethernet1/4 connects to DHCP server while ethernet1/5 connects to DNS server. Ethernet1/6 is trunk port and connects to ethernet1/4 of switch1. The configuration of the common web portal authentication is as follows: Switch(config)#interface vlan 1 Switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0 Switch(config)#webportal enable Switch(config)#webportal nas-ip 192.168.40.50 Switch(config)#webportal redirect 192.168.40.99 Switch(config)#interface ethernet 1/3 Switch(config-if-ethernet1/3)#webportal enable Web portal authentication associates with DHCP snooping binding to use, the configuration is as follows: Switch(config)#ip dhcp snooping enable Switch(config)#ip dhcp snooping binding enable Switch(config)#interface ethernet 1/2 Switch(config-if-ethernet1/2)#webportal enable Switch(config-if-ethernet1/2)#ip dhcp snooping binding webportal 52.4 Web Portal Authentication Troubleshooting When using web portal authentication, the system will show the detailed prompt information if the operation is wrong. Web portal authentication is disabled by default. After ensure the configuration is correct, use debug command and show command to check the relative information, if you can not determine the cause of the problem, please send the recorded message to technical server center of our company. 52-141 Chapter 53 VLAN-ACL Configuration 53.1 Introduction to VLAN-ACL The user can configure ACL policy to VLAN to implement the accessing control of all ports in VLAN, and VLAN-ACL enables the user to expediently manage the network. The user only needs to configure ACL policy in VLAN, the corresponding ACL action can takes effect on all member ports of VLAN, but it does not need to solely configure on each member port. When VLAN ACL and Port ACL are configured at the same time, it will first match Port ACL due to Port ACL priority is higher than VLAN-ACL. VLAN-ACL ingress direction can implement the filtering of the packets, the packets match the specific rules can be allowed or denied. ACL can support IP ACL, MAC ACL, MAC-IP ACL, IPv6 ACL. Ingress direction of VLAN can bind four kinds of ACL at the same time. 53.2 VLAN-ACL Configuration Task List 1. Configure VLAN-ACL of IP type 2. Configure VLAN-ACL of MAC type 3. Configure VLAN-ACL of MAC-IP 4. Configure VLAN-ACL of IPv6 type 5. Show configuration and statistic information of VLAN-ACL 6. Clear statistic information of VLAN-ACL 1. Configure VLAN-ACL of IP type Command Explanation Global Mode vacl ip access-group {<1-299> | WORD} {in | out} [traffic-statistic] vlan WORD Configure or delete IP VLAN-ACL. (Egress filtering is not supported by no vacl ip access-group {<1-299> | switch.) WORD} {in | out} vlan WORD 53-1 2. Configure VLAN-ACL of MAC type Command Explanation Global Mode vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan Configure or delete MAC VLAN-ACL. WORD (Egress filtering is not supported by no vacl mac access-group {<700-1199> | switch.) WORD} {in | out} vlan WORD 3. Configure VLAN-ACL of MAC-IP Command Explanation Global Mode vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan Configure or delete MAC-IP VLAN-ACL. WORD (Egress filtering is not supported by no vacl mac-ip access-group switch.) {<3100-3299> | WORD} {in | out} vlan WORD 4. Configure VLAN-ACL of IPv6 type Command Explanation Global Mode vacl ipv6 access-group (<500-699> | Configure or delete IPv6 VLAN-ACL. WORD) {in | out} (traffic-statistic|) vlan (Egress filtering is not supported by WORD no ipv6 access-group {<500-699> | WORD} {in | out} vlan WORD switch).This switch only supports the ipv6 standard acl. 5. Show configuration and statistic information of VLAN-ACL Command Explanation Admin Mode Show the configuration and the statistic information of VACL. (Egress filtering is show vacl [in | out] vlan [<vlan-id>] not supported by switch.) 53-2 6. Clear statistic information of VLAN-ACL Command Explanation Admin Mode Clear the statistic information of VACL. clear vacl [in | out] statistic vlan (Egress filtering is not supported by [<vlan-id>] switch.) 53.3 VLAN-ACL Configuration Example A company’s network configuration is shown below. All departments are divided by different VLANs. Technique department is Vlan1 and finance department is Vlan2. It is required that technique department can access the outside network at timeout, but finance department is not allowed to access the outside network at any time for the sake of security. Then the following policies are configured: Set the policy VACL_A for technique department. At timeout they can access the outside network, the rule as permit, but other times the rule as deny, and the policy is applied to Vlan1. Set the policy VACL_B of ACL for finance department. At any time they can not access the outside network, but can access the inside network with no limitation, and apply the policy to Vlan2. Network environment is shown as below: Figure 53-1: VLAN-ACL configuration example Configuration example: 1) First, configure a time range, the valid time is the working hours of working day: 53-3 Switch(config)#time-range t1 Switch(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00 Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00 2) Configure the extended acl_a of IP, at working hours; it only allows to access the resource within the internal network (such as 192.168.0.255). Switch(config)# ip access-list extended vacl_a Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t1 Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1 3) Configure the extended acl_b of IP; at any time it only allows to access resource within the internal network (such as 192.168.1.255). Switch(config)#ip access-list extended vacl_b Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.1.0 0.0.0.255 Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination 4) Apply the configuration to VLAN Switch(config)#firewall enable Switch(config)#vacl ip access-group vacl_a in vlan 1 Switch(config)#vacl ip access-group vacl_b in vlan 2 53.4 VLAN-ACL Troubleshooting When VLAN ACL and Port ACL are configured at the same time, the priority is port>VLAN if the two acl are the same kind of ac, such as that they are all ip acl or they are all mac acl. So only the rules on port is effective if the packets match the rule on port and vlan at the same time. Now, it will not meet the principle of deny priority. If the two acl are not the same kine of acl, it can meet the principle of deny priority. Each ACL of different types can only apply one on a VLAN, such as the basic IP ACL, each VLAN can applies one only. 53-4 Chapter 54 SAVI Configuration 54.1 Introduction to SAVI SAVI (Source Address Validation Improvement) is a security authentication method that provides the granularity level of the node source address. It gets the trusted node information (such as port, MAC address information), namely, anchor information by monitoring the interaction process of the relative protocol packets (such as ND protocol, DHCPv6 protocol) and using CPS (Control Packet Snooping) mechanism. After that, it binds the anchor information with the node source address and sends the corresponding filter rules, allow the packets which match the filter rules to pass only, so as to reach the aim that check the validity of node source address. SAVI function includes ND Snooping function, DHCPv6 Snooping function and RA Snooping according to the protocol packet type. ND Snooping function is used to detect ND protocol packet, it sets IPv6 address binding obtained by nodes with the stateless address configuration. DHCPv6 Snooping function is used to detect DHCPv6 protocol packet, it sets IPv6 address binding obtained by nodes with the stateful address configuration. RA Snooping function is used to avoid the lawless node sending the spurious RA packet. 54.2 SAVI Configuration SAVI configuration task list: 1. Enable or disable SAVI function 2. Enable or disable application scene function for SAVI 3. Configure SAVI binding function 4. Configure the global max-dad-delay for SAVI 5. Configure the global max-dad-prepare-delay for SAVI 6. Configure the global max-slaac-life for SAVI 7. Configure the lifetime period for SAVI bind-protect 8. Enable or disable SAVI prefix check function 9. Configure IPv6 address prefix for a link 10. Configure the filter entry number of IPv6 address 11. Configure the check mode for SAVI conflict binding 12. Enable or disable user authentication 13. Enable or disable DHCPv6 trust of port 14. Enable or disable ND trust of port 15. Configure the binding number 54-5 1. Enable or disable SAVI function Command Explanation Global Mode 2. savi enable Enable the global SAVI function, no no savi enable command disables the function. Enable or disable application scene function for SAVI Command Explanation Global Mode savi ipv6 {dhcp-only | slaac-only | Enable the application scene function for dhcp-slaac} enable SAVI, no command disables the function. no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable 3. Configure SAVI binding function Command Explanation Global Mode 4. savi ipv6 check source binding ip Configure a static or dynamic binding <ip-address> mac <mac-address> manually, no command deletes the interface <if-name> {type [slaac | dhcp] configured binding. This command may lifetime <lifetime> | type static} be configured in a global function of savi no savi ipv6 check source binding ip enable, slaac-only enable, dhcp-only <ip-address> interface <if-name> enable or dhcp-slaac enable. Configure the global max-dad-delay for SAVI Command Explanation Global Mode savi max-dad-delay <max-dad-delay> Configure the max. lifetime period of no savi max-dad-delay SAVI binding at DETECTION state, no command restores the default value. 54-6 5. Configure the global max-dad-prepare-delay for SAVI Command Explanation Global Mode 6. savi max-dad-prepare-delay Configure the max. redetection lifetime <max-dad-prepare-delay> period for SAVI binding, no command no savi max-dad-prepare-delay restores the default value. Configure the global max-slaac-life for SAVI Command Explanation Global Mode savi max-slaac-life <max-slaac-life> Configure the lifetime period of the no savi max-slaac-life dynamic slaac binding at BOUND state, no command restores the default value. 7. Configure the lifetime period for SAVI bind-protect Command Explanation Global Mode 8. savi timeout bind-protect Configure the bind-protect lifetime period <protect-time> to a port after its state from up to down, no savi timeout bind-protect no command restores the default value. Enable or disable SAVI prefix check function Command Explanation Global Mode 9. ipv6 cps prefix check enable Enable the address prefix check for SAVI, no ipv6 cps prefix check enable no command disables the function. Configure IPv6 address prefix for a link Command Explanation Global Mode ipv6 cps prefix <ip-address> vlan <vid> Configure IPv6 address prefix for a link no ipv6 cps prefix <ip-address> manually, no command deletes the configured address prefix. 54-7 10. Configure the filter entry number of IPv6 address Command Explanation Global Mode savi ipv6 mac-binding-limit Configure the corresponding dynamic <limit-num> binding number for the same MAC no savi ipv6 mac-binding-limit address, no command restores the default value. Note: The binding number only limits the dynamic binding, but does not limit the static binding number. 11. Configure the check mode for SAVI conflict binding Command Explanation Global Mode savi check binding <simple | probe> Configure the check mode for the mode conflict binding, no command deletes no savi check binding mode the check mode. 12. Enable or disable user authentication Command Explanation Port Mode savi ipv6 check source [ip-address Enable the control authentication mac-address | ip-address | function for user, no command disables mac-address] the function. no savi ipv6 check source 13. Enable or disable DHCPv6 trust of port Command Explanation Port Mode ipv6 dhcp snooping trust Enable DHCPv6 trusted port, no no ipv6 dhcp snooping trust command disables the trusted function. (port is translated from trusted port into untrusted port) 54-8 14. Enable or disable ND trust of port Command Explanation Port Mode ipv6 nd snooping trust Configure a port as slaac trust and RA no ipv6 nd snooping trust trust, no command deletes the port’s trust function. 15. Configure the binding number Command Explanation Port Mode savi ipv6 binding num <limit-num> Configure the binding number of a port, no savi ipv6 binding num no command restores the default value. Note: The binding number only limits the dynamic binding, but does not limit the static binding number. 54-9 54.3 SAVI Typical Application In actual application, SAVI function is usually applied in access layer switch to check the validity of node source address on direct-link. There are four typical application scenes for SAVI function: DHCP-Only, Slaac-Only, DHCP-Slaac and Static binding. In network environment, users can select the corresponding scene according to the actual requirement; in double stacks network, while SAVI function associates with IPv4 DHCP snooping to use, IPv4 and IPv6 source address authentication is implemented. Typical network topology application for SAVI function: Client_1 and Client_2 means two different user’s PC installed IPv6 protocol, respectively connect with port Ethernet1/12 of Switch1 and port Ethernet1/13 of Switch2, and enable the source address check function of SAVI. Ethernet1/1 and Ethernet1/2 are uplink ports of Switch1 and Switch2 respectively, enable DHCP trust and ND trusted functions. Aggregation Switch3 enables DHCPv6 server function and route advertisement function. Configuration steps of SAVI DHCP-SLAAC scene: 54-10 Switch1>enable Switch1#config Switch1(config)#savi enable Switch1(config)#savi ipv6 dhcp-slaac enable Switch1(config)#savi check binding probe mode Switch1(config)#interface ethernet1/1 Switch1(config-if-ethernet1/1)#ipv6 dhcp snooping trust Switch1(config-if-ethernet1/1)#ipv6 nd snooping trust Switch1(config-if-ethernet1/1)#exit Switch1(config)#interface ethernet1/12-20 Switch1(config-if-port-range)#savi ipv6 check source ip-address mac-address Switch1(config-if-port-range)#savi ipv6 binding num 4 Switch1(config-if-port-range)#exit Switch1(config)#exit Switch1#write 54.4 SAVI Troubleshooting After ensure no problem about SAVI client hardware and cable, please check the status which may exist and the propositional solutions in the following: If IPv6 packets are filtered incorrectly after enable SAVI function, please ensure the global SAVI function enabled. After that, enable the global function of the corresponding SAVI scene according to the actual application scene and enable the port authentication function. If client can not correctly obtain IPv6 address assigned by DHCPv6 server after enable SAVI function, please ensure DHCP port trust is configured by uplink port with DHCPv6 server. If node binding can not be set for the new user after enable SAVI function, please check whether the direct-link port configures the max. binding number, and whether the binding number reaches to the max. number. If the binding number exceeds the max. binding limit, it is recommended to configure the bigger binding limit. If node binding can not be set for new user after configure the bigger binding limit, please check whether the direct-link port configures the corresponding binding number, and whether the corresponding binding number reaches to the max. number in the same MAC address. If the binding number exceeds the max. binding limit, it is recommended to configure the bigger binding limit. 54-11 Chapter 55 MRPP Configuration 55.1 Introduction to MRPP MRPP (Multi-layer Ring Protection Protocol), is a link layer protocol applied on Ethernet loop protection. It can avoid broadcast storm caused by data loop on Ethernet ring, and restore communication among every node on ring network when the Ethernet ring has a break link. MRPP is the expansion of EAPS (Ethernet link automatic protection protocol). MRPP protocol is similar to STP protocol on function, MRPP has below characters, compare to STP protocol: <1> MRPP specifically uses to Ethernet ring topology <2> fast convergence, less than 1 s. ideally it can reach 100-50 ms. 55.1.1 Conception Introduction SWITCH A SWITCH B SWITCH F E1 Master Node E2 SWITCH E SWITCH G Ring 1 Ring 2 Master Node E1 SWITCH C SWITCH D E2 SWITCH H Figure 55-1: MRPP Sketch Map 1. Control VLAN Control VLAN is a virtual VLAN, only used to identify MRPP protocol packet transferred in the link. To avoid confusion with other configured VLAN, avoids configuring control VLAN ID to be the same with other configured VLAN ID. The different MRPP ring should configure the different control VLAN ID. 2. Ethernet Ring (MRPP Ring) Ring linked Ethernet network topology. Each MRPP ring has two states. Health state: The whole ring net work physical link is connected. Break state: one or a few physical link break in ring network 55-12 3. nodes Each switch is named after a node on Ethernet. The node has some types: Primary node: each ring has a primary node, it is main node to detect and defend. Transfer node: except for primary node, other nodes are transfer nodes on each ring. The node role is determined by user configuration. As shown Figure 55-1, Switch A is primary node of Ring 1, Switch B. Switch C; Switch D and Switch E are transfer nodes of Ring 1. 4. Primary port and secondary port The primary node and transfer node have two ports connecting to Ethernet separately, one is primary port, and another is secondary port. The role of port is determined by user configuration. Primary port and secondary port of primary node. The primary port of primary node is used to send ring health examine packet (hello), the secondary port is used to receive Hello packet sending from primary node. When the Ethernet is in health state, the secondary port of primary node blocks other data in logical and only MRPP packet can pass. When the Ethernet is in break state, the secondary port of primary node releases block state, and forwards data packets. There are no difference on function between Primary port and secondary port of transfer node. The role of port is determined by user configuration. As shown in Figure 55-1, Switch A E1 is a primary port while E2 is a secondary port. 5. Timer The two timers are used when the primary node sends and receives MRPP protocol packet: Hello timer and Fail Timer. Hello timer: define timer of time interval of health examine packet sending by primary node primary port. Fail timer: define timer of overtime interval of health examine packet receiving by primary node primary port. The value of Fail timer must be more than or equal to the 3 times of value of Hello timer. 55.1.2 MRPP Protocol Packet Types Packet Type Explanation Hello packet (Health examine packet) Hello The primary port of primary node evokes to detect ring, if the secondary port of primary node can receive Hello packet in configured overtime, so the ring is normal. LINK-DOWN (link Down event packet) After transfer node detects Down event on port, immediately sends LINK-DOWN packet to primary node, and inform primary node ring to fail. LINK-DOWN-FLUSH_FDB packet After primary node detects ring failure or receives LINK-DOWN packet, open blocked secondary port, and then uses two ports to send the packet, to inform each transfer node to refresh own 55-13 MAC address. LINK-UP-FLUSH_FDB packet After primary detects ring failure to restore normal, and uses packet from primary port, and informs each transfer node to refresh own MAC address. 55.1.3 MRPP Protocol Operation System 1. Link Down Alarm System When transfer node finds themselves belonging to MRPP ring port Down, it sends link Down packet to primary node immediately. The primary node receives link down packet and immediately releases block state of secondary port, and sends LINK-DOWN-FLUSH-FDB packet to inform all of transfer nodes, refreshing own MAC address forward list. 2. Poll System The primary port of primary node sends Hello packet to its neighbors timely according to configured Hello-timer. If the ring is health, the secondary port of primary node receives health detect packet, and the primary node keeps secondary port. If the ring is break, the secondary port of primary node can’t receive health detect packet when timer is over time. The primary releases the secondary port block state, and sends LINK-DOWN-FLUSH_FDB packet to inform all of transfer nodes, to refresh own MAC address forward list. 3. Ring Restore After the primary node occur ring fail, if the secondary port receives Hello packet sending from primary node, the ring has been restored, at the same time the primary node block its secondary port, and sends its neighbor LINK-UP-Flush-FDB packet. After MRPP ring port refresh UP on transfer node, the primary node maybe find ring restore after a while. For the normal data VLAN, the network maybe forms a temporary ring and creates broadcast storm. To avoid temporary ring, transfer node finds it to connect to ring network port to refresh UP, immediately block temporarily (only permit control VLAN packet pass), after only receiving LINK-UP-FLUSH-FDB packet from primary node, and releases the port block state. 55.2 MRPP Configuration Task List 1) Globally enable MRPP 2) Configure MRPP ring 3) Configure the query time of MRPP 4) Configure the compatible mode 5) Display and debug MRPP relevant information 55-14 1) Globally enable MRPP Command Explanation Global Mode mrpp enable no mrpp enable Globally enable and disable MRPP. 2) Configure MRPP ring Command Explanation Global Mode mrpp ring <ring-id> Create MRPP ring. The “no” command no mrpp ring <ring-id> deletes MRPP ring and its configuration. MRPP Ring Mode control-vlan <vid> Configure control VLAN ID, format “no” no control-vlan deletes configured control VLAN ID. node-mode {master | transit} hello-timer < timer> no hello-timer fail-timer <timer> no fail-timer Configure node type of MRPP ring (primary node or secondary node). Configure Hello packet timer sending from primary node of MRPP ring, format “no” restores default timer value. Configure Hello packet overtime timer sending from primary node of MRPP ring, format “no” restores default timer value. enable Enable MRPP ring, format “no” disables no enable enabled MRPP ring. Port Mode mrpp ring <ring-id> primary-port no mrpp ring <ring-id> primary-port mrpp ring <ring-id> secondary-port no mrpp ring <ring-id> secondary-port Specify primary port of MRPP ring. Specify secondary port of MRPP ring. 3) Configure the query time of MRPP Command Explanation Global Mode mrpp poll-time <20-2000> Configure the query interval of MRPP. 55-15 4) Configure the compatible mode Command Explanation Global Mode Enable the compatible mode for ERRP, the mrpp errp compatible no command disables the compatible no mrpp errp compatible mode. Enable the compatible mode for EAPS, the mrpp eaps compatible no command disables the compatible no mrpp eaps compatible mode. errp domain <domain-id> Create ERRP domain, the no command no errp domain <domain-id> deletes the configured ERRP domain. 5) Display and debug MRPP relevant information Command Explanation Admin Mode Disable MRPP module debug information, debug mrpp format “no” disable MRPP debug no debug mrpp information output. Display MRPP ring configuration show mrpp {<ring-id>} information. show mrpp statistics {<ring-id>} clear mrpp statistics {<ring-id>} Display receiving data packet statistic information of MRPP ring. Clear receiving data packet statistic information of MRPP ring. 55.3 MRPP Typical Scenario SWITCH A SWITCH B E1 Master Node E2 E2 E1 MRPP Ring 4000 E1 E2 E1 SWITCH C E2 SWITCH D Figure 55-2: MRPP typical configuration scenario 55-16 The above topology often occurs on using MRPP protocol. The multi switch constitutes a single MRPP ring, all of the switches only are configured an MRPP ring 4000, thereby constitutes a single MRPP ring. In the above configuration, SWITCH A configuration is primary node of MRPP ring 4000, and configures E1/1 to primary port and E1/2 to secondary port. Other switches are secondary nodes of MRPP ring, configures primary port and secondary port separately. To avoid ring, it should temporarily disable one of the ports of primary node, when it enables each MRPP ring in the whole MRPP ring; and after all of the nodes are configured, open the port. When disable MRPP ring, it needs to insure the MRPP ring doesn’t have ring. SWITCH A configuration Task Sequence: Switch(Config)#mrpp enable Switch(Config)#mrpp ring 4000 Switch(mrpp-ring-4000)#control-vlan 4000 Switch(mrpp-ring-4000)#fail-timer 18 Switch(mrpp-ring-4000)#hello-timer 5 Switch(mrpp-ring-4000)#node-mode master Switch(mrpp-ring-4000)#enable Switch(mrpp-ring-4000)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port Switch(config-If-Ethernet1/1)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port Switch(config-If-Ethernet1/2)#exit Switch(Config)# SWITCH B configuration Task Sequence: Switch(Config)#mrpp enable Switch(Config)#mrpp ring 4000 Switch(mrpp-ring-4000)#control-vlan 4000 Switch(mrpp-ring-4000)#enable Switch(mrpp-ring-4000)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port Switch(config-If-Ethernet1/1)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port Switch(config-If-Ethernet1/2)#exit Switch(Config)# 55-17 SWITCH C configuration Task Sequence: Switch(Config)#mrpp enable Switch(Config)#mrpp ring 4000 Switch(mrpp-ring-4000)#control-vlan 4000 Switch(mrpp-ring-4000)#enable Switch(mrpp-ring-4000)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port Switch(config-If-Ethernet1/1)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port Switch(config-If-Ethernet1/2)#exit Switch(Config)# SWITCH D configuration Task Sequence: Switch(Config)#mrpp enable Switch(Config)#mrpp ring 4000 Switch(mrpp-ring-4000)#control-vlan 4000 Switch(mrpp-ring-4000)#enable Switch(mrpp-ring-4000)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port Switch(config-If-Ethernet1/1)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port Switch(config-If-Ethernet1/2)#exit Switch(Config)# 55.4 MRPP Troubleshooting The normal operation of MRPP protocol depends on normal configuration of each switch on MRPP ring, otherwise it is very possible to form ring and broadcast storm: Configuring MRPP ring, you’d better disconnected the ring, and wait for each switch configuration, then open the ring. When the MRPP ring of enabled switch is disabled on MRPP ring, it ensures the ring of the MRPP ring has been disconnected. When there is broadcast storm on MRPP ring, it disconnects the ring firstly, and ensures if each switch MRPP ring configuration on the ring is correct or not; if correct, restores the ring, and then observes the ring is normal or not. 55-18 The convergence time of MRPP ring net is relative to the response mode of up/down. If use poll mode, the convergence time as hundreds of milliseconds in simple ring net, if use interrupt mode, the convergence time within 50 milliseconds. Generally, the port is configured as poll mode, interrupt mode is only applied to better performance environment, but the security of poll mode is better than interrupt mode, port-scan-mode {interrupt | poll} command can be consulted. In normal configuration, it still forms ring broadcast storm or ring block, please open debug function of primary node MRPP, and used show MRPP statistics command to observe states of primary node and transfer node and statistics information is normal or not, and then sends results to our Technology Service Center. 55-19 Chapter 56 ULPP Configuration 56.1 Introduction to ULPP Each ULPP group has two uplink ports, they are master port and slave port. The port may be a physical port or a port channel. The member ports of ULPP group have three states: Forwarding, Standby, Down. Normally, only one port at the forwarding state, the other port is blocked at the Standby state. When the master port has the link problem, the master port becomes down state, and the slave port is switched to forwarding state. Figure 56-1: the using scene of ULPP The above figure uses the double-uplink network, this is the typical application scene of ULPP. SwitchA goes up to SwitchD through SwitchB and SwitchC, port A1 and port A2 are the uplink ports. SwitchA configures ULPP and port A1 is set as the master port and port A2 is set as the slave port. When port A1 in the forwarding state has the problem, switch the uplink at once and port A2 turns into the forwarding state. After this, when recovering the master port, if the preemption mode is not configured, port A2 keeps the Forwarding state, port A1 turns into the Standby state. After the preemption mode is enabled, so as to the master port preempts the slave port when it recovered from the problem. For avoiding the frequent uplink switch caused by the abnormity problem, the preemption delay mechanism is imported, and it needs to wait for some times before the master port preempt the slave port. For keeping the continuance of the flows, the master port does not process to preempt by default, but turns into the Standby state. When configuring ULPP, it needs to specify the VLAN which is protected by this ULPP group through the method of MSTP instances, and ULPP does not provide the protection to other VLANs. 56-20 When the uplink switch is happening, the primary forwarding entries of the device will not be applied to new topology in the network. In the figure, SwitchA configures ULPP, the portA1 as the master port at forwarding state, here the MAC address of PC is learned by Switch D from portD3. After this, portA1 has the problem, the traffic is switched to portA2 to be forwarded. If there is the data sent to PC by SwitchD, still the data will be forwarded from portD3, and will be lost. Therefore, when switching the uplink, the device of configuring ULPP needs to send the flush packets through the port which is switched to Forwarding state, and update MAC address tables and ARP tables of other devices in the network. ULPP respectively uses two kinds of flush packets to update the entries: the updated packets of MAC address and the deleted packets of ARP. For making use of the bandwidth resource enough, ULPP can implement VLAN load balance through the configuration. As the picture illustrated, SwitchA configures two ULPP groups: portA1 is the master port and portA2 is the slave port in group1, portA2 is the master port and portA1 is the slave port in group2, the VLANs are protected by group1 and group2, they are 1-100 and 101-200. Here both portA1 and portA2 are in the forwarding state; the master port and the slave port mutually back up, and respectively forward the packets of the different VLAN ranges. When portA1 has the problem, the traffic of VLAN 1-200 are forwarded by portA2. After this, when portA1 is recovering the normal state, portA2 forwards the data of VLAN 101-200 sequentially, but the data of VLAN 1-100 is switched to portA1 to forward. Figure 56-2: VLAN load balance 56.2 ULPP Configuration Task List 1. Create ULPP group globally 2. Configure ULPP group 3. Show and debug the relating information of ULPP 56-21 1. Create ULPP group globally Command Explanation Global Mode 2. ulpp group <integer> Configure and delete ULPP group no ulpp group <integer> globally. Configure ULPP group Command Explanation ULPP Group Mode Configure the preemption mode of preemption mode ULPP group. The no operation no preemption mode deletes the preemption mode. Configure the preemption delay, the preemption delay <integer> no operation restores the default no preemption delay value 30s. Configure the sending control VLAN, control vlan <integer> no operation restores the default no control vlan value 1. protect vlan-reference-instance Configure the protection VLANs, the <instance-list> no operation deletes the protection no protect vlan-reference-instance VLANs. <instance-list> flush enable mac Enable or disable sending the flush flush disable mac packets which update MAC address. flush enable arp Enable or disable sending the flush flush disable arp packets which delete ARP. Enable or disable sending the flush flush enable mac-vlan packets of deleting the dynamic flush disable mac-vlan unicast mac according to vlan. description <string> Configure or delete ULPP group no description description. Port Mode Configure the receiving control ulpp control vlan <vlan-list> VLANs, no operation restores the no ulpp control vlan <vlan-list> default value 1. 56-22 Enable or disable receiving the flush ulpp flush enable mac packets which update the MAC ulpp flush disable mac 3. address. ulpp flush enable arp Enable or disable receiving the flush ulpp flush disable arp packets which delete ARP. ulpp flush enable mac-vlan Enable or disable receiving the flush ulpp flush disable mac-vlan packets of mac-vlan type. ulpp group <integer> master Configure or delete the master port no ulpp group <integer> master of ULPP group. ulpp group <integer> slave Configure or delete the slave port of no ulpp group <integer> slave ULPP group. Show and debug the relating information of ULPP Command Explanation Admin Mode show ulpp group [group-id] Show the configuration information of the configured ULPP group. show ulpp flush counter interface Show the statistic information of the flush {ethernet <IFNAME> | <IFNAME>} packets. show ulpp flush-receive-port Show flush type and control VLAN received by the port. clear ulpp flush counter interface Clear the statistic information of the flush <name> packets. debug ulpp flush {send | receive} interface <name> no debug ulpp flush {send | receive} interface <name> debug ulpp flush content interface <name> no debug ulpp flush content interface <name> Show the information of the receiving and sending flush packets, the no operation disables the shown information. Show the contents of the received flush packets, the no operation disables the showing. debug ulpp error Show the error information of ULPP, the no no debug ulpp error operation disables the showing. debug ulpp event Show the event information of ULPP, the no debug ulpp event no operation disables the showing. 56-23 56.3 ULPP Typical Examples 56.3.1 ULPP Typical Example1 Switch D E1/2 Switch C Switch B E1/1 E1/1 E1/2 Switch A Figure 56-3: ULPP typical example1 The above topology is the typical application environment of ULPP protocol. SwitchA has two uplinks, they are SwitchB and SwitchC. When any protocols are not enabled, this topology forms a ring. For avoiding the loopback, SwitchA can configure ULPP protocol, the master port and the slave port of ULPP group. When both master port and slave port are up, the slave port will be set as standby state and will not forward the data packets. When the master port is down, the slave port will be set as forwarding state and switch to the uplink. SwitchB and SwitchC can enable the command that receives the flush packets, it is used to associate with ULPP protocol running of SwitchA to switch the uplink immediately and reduce the switch delay. When configuring ULPP protocol of SwitchA, first, create a ULPP group and configure the protection VLAN of this group as vlan10, then configure interface Ethernet 1/1 as the master port, interface Ethernet 1/2 as the slave port, the control VLAN as 10. SwitchB and SwitchC configure the flush packets that receive ULPP. SwitchA configuration task list: Switch(Config)#vlan 10 Switch(Config-vlan10)#switchport interface ethernet 1/1; 1/2 Switch(Config-vlan10)#exit Switch(Config)#spanning-tree mst configuration Switch(Config-Mstp-Region)#instance 1 vlan 10 Switch(Config-Mstp-Region)#exit Switch(Config)#ulpp group 1 Switch(ulpp-group-1)#protect vlan-reference-instance 1 56-24 Switch(ulpp-group-1)#control vlan 10 Switch(ulpp-group-1)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)# ulpp group 1 master Switch(config-If-Ethernet1/1)#exit Switch(Config)#interface Ethernet 1/2 Switch(config-If-Ethernet1/2)# ulpp group 1 slave Switch(config-If-Ethernet1/2)#exit SwitchB configuration task list: Switch(Config)#vlan 10 Switch(Config-vlan10)#switchport interface ethernet 1/1 Switch(Config-vlan10)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)# ulpp flush enable mac Switch(config-If-Ethernet1/1)# ulpp flush enable arp Switch(config-If-Ethernet1/1)# ulpp control vlan 10 SwitchC configuration task list: Switch(Config)#vlan 10 Switch(Config-vlan10)#switchport interface ethernet 1/2 Switch(Config-vlan10)#exit Switch(Config)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)# ulpp flush enable mac Switch(config-If-Ethernet1/2)# ulpp flush enable arp Switch(config-If-Ethernet1/2)# ulpp control vlan 10 56-25 56.3.2 ULPP Typical Example2 Switch D E1/2 Switch C Switch B E1/1 Vlan 1-100 E1/1 E1/2 Vlan 101-200 Switch A Figure 56-4: ULPP typical example2 ULPP can implement the VLAN-based load balance. As the picture illustrated, SwitchA configures two ULPP groups: port E1/1 is the master port and port 1/2 is the slave port in group1, port 1/2 is the master port and port 1/1 is the slave port in group2. The VLANs protected by group1 are 1-100 and by group2 are 101-200. Here both port E1/1 and port E1/2 at the forwarding state, the master port and the slave port mutually backup, respectively forward the packets of different VLAN ranges. When port E1/1 has the problem, the traffic of VLAN 1-200 are forwarded by port E1/2. When port E1/1 is recovering the normal state, still port E1/2 forwards the data of VLAN 101-200, the data of VLAN 1-100 are switched to port E1/1 to forward. SwitchA configuration task list: Switch(Config)#spanning-tree mst configuration Switch(Config-Mstp-Region)#instance 1 vlan 1-100 Switch(Config-Mstp-Region)#instance 2 vlan 101-200 Switch(Config-Mstp-Region)#exit Switch(Config)#ulpp group 1 Switch(ulpp-group-1)#protect vlan-reference-instance 1 Switch(ulpp-group-1)#preemption mode Switch(ulpp-group-1)#exit Switch(Config)#ulpp group 2 Switch(ulpp-group-2)#protect vlan-reference-instance 2 Switch(ulpp-group-1)#preemption mode Switch(ulpp-group-2)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#switchport mode trunk 56-26 Switch(config-If-Ethernet1/1)#ulpp group 1 master Switch(config-If-Ethernet1/1)#ulpp group 2 slave Switch(config-If-Ethernet1/1)#exit Switch(Config)#interface Ethernet 1/2 Switch(config-If-Ethernet1/2)#switchport mode trunk Switch(config-If-Ethernet1/2)# ulpp group 1 slave Switch(config-If-Ethernet1/2)# ulpp group 2 master Switch(config-If-Ethernet1/2)#exit SwitchB configuration task list: Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#switchport mode trunk Switch(config-If-Ethernet1/1)# ulpp flush enable mac Switch(config-If-Ethernet1/1)# ulpp flush enable arp SwitchC configuration task list: Switch(Config)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)# switchport mode trunk Switch(config-If-Ethernet1/2)# ulpp flush enable mac Switch(config-If-Ethernet1/2)# ulpp flush enable arp 56.4 ULPP Troubleshooting At present, configuration of more than 2 multi-uplinks is allowed, but it may cause loopback, so is not recommended. With the normal configuration, if the broadcast storm happen or the communication along the ring is broken, please enable the debug of ULPP, copy the debug information of 3 minutes and the configuration information, send them to our technical service center. 56-27 Chapter 57 ULSM Configuration 57.1 Introduction to ULSM ULSM (Uplink State Monitor) is used to process the port state synchronization. Each ULSM group is made up of the uplink port and the downlink port, both the uplink port and the downlink port may be multiple. The port may be a physical port or a port channel, but it can not be a member port of a port channel, and each port only belongs to one ULSM group. The uplink port is the monitored port of ULSM group. When all uplink ports are down or there is no uplink port in ULSM group, ULSM group state is down. ULSM group state is up as long as one uplink port is up. The downlink port is the controlled port, its state changes along with Up/Down of ULSM group and is always the same with ULSM group state. ULSM associates with ULPP to enable the downstream device to apperceive the link problem of the upstream device and process correctly. As the picture illustrated, SwitchA configures ULPP, here the traffic is forwarded by port A1. If the link between SwitchB and Switch D has the problem, SwitchA can not apperceive the problem of the upstream link and sequentially forward the traffic from port A1, cause traffic losing. Configuring ULSM on SwitchB can solve the above problems. The steps are: set port B5 as the uplink port of ULSM group, port B6 as the downlink port. When the link between SwitchB and SwitchD has the problem, both the downlink port B6 and the state of ULSM group are down. It causes Switch A on which ULPP is configured to process uplink switchover and avoid the data dropped. Figure 57-1: ULSM using scene 57-28 57.2 ULSM Configuration Task List 1. Create ULSM group globally 2. Configure ULSM group 3. Show and debug the relating information of ULSM 1. Create ULSM group globally Command explanation Global Mode ulsm group <group-id> no ulsm group <group-id> Configure and delete ULSM group globally. 2. Configure ULSM group Command explanation Port Mode ulsm group <group-id> {uplink | downlink} no ulsm group <group-id> {uplink | downlink} Configure the uplink/downlink port of ULSM group, the no command deletes the uplink/downlink port. 3. Show and debug the relating information of ULSM Command Explanation Admin Mode show ulsm group [group-id] debug ulsm event no debug ulsm event Show the configuration information of ULSM group. Show the event information of ULSM, the no operation disables the shown information. 57-29 57.3 ULSM Typical Example Switch D E1/4 E1/3 Switch B E1/1 E1/2 E1/1 Switch C E1/2 Switch A Figure 57-2: ULSM typical example The above topology is the typical application environment which is used by ULSM and ULPP protocol. ULSM is used to process the port state synchronization, its independent running is useless, so it usually associates with ULPP protocol to use. In the topology, SwitchA enables ULPP protocol, it is used to switch the uplink. SwitchB and SwitchC enable ULSM protocol to monitor whether the uplink is down. If it is down, then ULSM will execute the down operation for the downlink port to shutdown it, so ULPP protocol of SwitchA executes the relative operation of the uplink switchover. SwitchA configuration task list: Switch(Config)#spanning-tree mst configuration Switch(Config-Mstp-Region)#instance 1 vlan 1 Switch(Config-Mstp-Region)#exit Switch(Config)#ulpp group 1 Switch(ulpp-group-1)#protect vlan-reference-instance 1 Switch(ulpp-group-1)#exit Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)# ulpp group 1 master Switch(config-If-Ethernet1/1)#exit Switch(Config)#interface Ethernet 1/2 Switch(config-If-Ethernet1/2)# ulpp group 1 slave Switch(config-If-Ethernet1/2)#exit 57-30 SwitchB configuration task list: Switch(Config)#ulsm group 1 Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#ulsm group 1 downlink Switch(config-If-Ethernet1/1)#exit Switch(Config)#interface ethernet 1/3 Switch(config-If-Ethernet1/3)#ulsm group 1 uplink Switch(config-If-Ethernet1/3)#exit SwitchC configuration task list: Switch(Config)#ulsm group 1 Switch(Config)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)#ulsm group 1 downlink Switch(config-If-Ethernet1/2)#exit Switch(Config)#interface ethernet 1/4 Switch(config-If-Ethernet1/4)#ulsm group 1 uplink Switch(config-If-Ethernet1/4)#exit 57.4 ULSM Troubleshooting With the normal configuration, if the downlink port does not respond the down event of the uplink port, please enable the debug function of ULSM, copy the debug information and the configuration information, and send them to our technical service center. 57-31 Chapter 58 Mirror Configuration 58.1 Introduction to Mirror Mirror functions include port mirror function, CPU mirror function, flow mirror function. Port mirror refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as mirror source port and the duplicating port is referred to as mirror destination port. A protocol analyzer (such as Sniffer) or a RMON monitor will be connected at mirror destination port to monitor and manage the network, and diagnose the problems in the network. CPU mirror function means that the switch exactly copies the data frames received or sent by the CPU to a port. Flow mirror function means that the switch exactly copies the data frames received by the specified rule of a port to another port. The flow mirror will take effect only the specified rule is permit. Switch supports one mirror destination port only. There is no limitation on mirror source ports, one port or several ports is allowed. When there are more than one source ports, they can be in the same VLAN or in different VLAN. The source port and destination port can be in different VLAN. 58.2 Mirror Configuration Task List 1. Specify mirror destination port 2. Specify mirror source port (CPU) 3. Specify flow mirror source 1. Specify mirror destination port Command Explanation Global Mode monitor session <session> destination Specifies mirror destination port; the no interface <interface-number> no monitor session <session> destination interface <interface-number> command deletes mirror destination source port. 2. Specify mirror source port(CPU) Command Explanation Global Mode monitor session <session> source Specifies mirror source port; the no command 58-32 {interface <interface-list> | cpu} {rx| tx| deletes mirror source port. both} no monitor session <session> source {interface <interface-list> | cpu} 3. Specify flow mirror source Command Explanation Global Mode monitor session <session> source {interface Specifies flow mirror source <interface-list>} access-group <num> {rx|tx|both} port and apply rule; the no no monitor session <session> source {interface command deletes flow mirror <interface-list>} access-group <num> source port. 58.3 Mirror Examples 1. Example: The requirement of the configurations is shown below: To monitor at interface 1 the data frames sent out by interface 9 and received from interface 7, sent and received by CPU, and the data frames received by interface 15 and matched by rule 120 (The source IP address is 1.2.3.4 and the destination IP address is 5.6.7.8). Configuration guidelines: 1. Configure interface 1 to be a mirror destination interface. 2. Configure the interface 7 ingress and interface 9 egress to be mirrored source. 3. Configure the CPU as one of the source. 4. Configure access list 120. 5. Configure access 120 to binding interface 15 ingress. Configuration procedure is as follows: Switch(config)#monitor session 1 destination interface ethernet 1/1 Switch(config)#monitor session 1 source interface ethernet 1/7 rx Switch(config)#monitor session 1 source interface ethernet 1/9 tx Switch(config)#monitor session 1 source cpu Switch(config)#access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255 Switch(config)#monitor session 1 source interface ethernet 1/15 access-list 120 rx 58-33 58.4 Device Mirror Troubleshooting If problems occur on configuring port mirroring, please check the following first for causes: Whether the mirror destination port is a member of a TRUNK group or not; if yes, modify the TRUNK group. If the throughput of mirror destination port is smaller than the total throughput of mirror source port(s), the destination port will not be able to duplicate all source port traffic; please decrease the number of source ports, duplicate traffic for one direction only or choose a port with greater throughput as the destination port. Mirror destination port cannot be pulled into Isolate vlan, or else it will affect the mirror between VLANs. 58-34 Chapter 59 sFlow Configuration 59.1 Introduction to sFlow The sFlow (RFC 3176) is a protocol based on standard network export and used on monitoring the network traffic information developed by InMon Company. The monitored switch or router sends date to the client analyzer through its main operations such as sampling and statistic, then the analyzer will analyze according to the user requirements so as to monitor the network. A sFlow monitor system includes: sFlow proxy, central data collector and sFlow analyzer. The sFlow proxy collects data from the switch using sampling technology. The sFlow collector is for formatting the sample data statistic which is to be forwarded to the sFlow analyzer which will analyze the sample data and perform corresponding measure according to the result. Our switch here acts as the proxy and central data collector in the sFlow system. We have achieved data sampling and statistic targeting physical port. Our data sample includes the IPv4 and IPv6 packets. Extensions of other types are not supported so far. As for non IPv4 and IPv6 packet, the unify HEADER mode will be adopted following the requirements in RFC3176, copying the head information of the packet based on analyzing the type of its protocol. The latest sFlow protocol presented by InMon Company is version 5. Since it is version 4 which is realized in the RFC3176, version conflict might exist in some case such as the structure and the packet format. This is because version 5 has not become the official protocol, so, in order to be compatible with current applications, we will continue to follow the RFC3176. 59.2 sFlow Configuration Task List 1. Configure sFlow Collector address Command Explanation Global and Port Mode sflow destination <collector-address> Configure the IP address and port number of [<collector-port>] the host in which the sFlow analysis software no sflow destination is installed. As for the ports, if IP address is configured on the port, the port configuration will be applied, or else will be applied the global configuration. The “no sflow destination” command restores to the default port value and deletes the IP address. 59-35 2. Configure the sFlow proxy address Command Explanation Global Mode sflow agent-address <collector-address> Configure the source IP address applied by no sflow agent-address the sFlow proxy; the “no” form of the command deletes this address. 3. Configure the sFlow proxy priority Command Explanation Global Mode sflow priority <priority-value> Configure the priority when sFlow receives no sflow priority packet from the hardware; the “no sflow priority” command restores to the default 4. Configure the packet head length copied by sFlow Command Explanation Port Mode sflow header-len <length-value> Configure the length of the packet data head no sflow header-len copied in the sFlow data sampling; the “no” form of this command restores to the default value. 5. Configure the max. data head length of the sFlow packet Command Explanation Port Mode sflow data-len <length-value> Configure the max. length of the data packet no sflow data-len in sFlow; the “no” form of this command restores to the default. 6. Configure the sampling rate value Command Explanation Port Mode sflow rate {input <input-rate> | output Configure the sampling rate when sFlow <output-rate >} performing hardware sampling. The “no” no sflow rate [input | output] command deletes the rate value. 59-36 7. Configure the sFlow statistic sampling interval Command Explanation Port Mode sflow counter-interval <interval-value> Configure the max. interval when sFlow no sflow counter-interval performing statistic sampling. The “no” form of this command deletes 8. Configure the analyzer used by sFlow Command Explanation Global Mode sflow analyzer sflowtrend Configure the analyzer used by sFlow, the no no sflow analyzer sflowtrend command deletes the analyzer. 59.3 sFlow Examples SWITCH PC Figure 59-1: sFlow configuration topology As shown in the figure, sFlow sampling is enabled on the port 1/1 and 1/2 of the switch. Assume the sFlow analysis software is installed on the PC with the address of 192.168.1.200. The address of the layer 3 interface on the SwitchA connected with PC is 192.168.1.100. A loopback interface with the address of 10.1.144.2 is configured on the SwitchA. sFlow configuration is as follows: Configuration procedure is as follows: Switch#config Switch (config)#sflow aging-address 10.1.144.2 Switch (config)#sflow destination 192.168.1.200 Switch (config)#sflow priority 1 Switch (config)# interface ethernet1/1 Switch (Config-If-Ethernet1/1)#sflow rate input 10000 Switch (Config-If-Ethernet1/1)#sflow rate output 10000 Switch (Config-If-Ethernet1/1)#sflow counter-interval 20 Switch (Config-If-Ethernet1/1)#exit Switch (config)# interface ethernet1/2 59-37 Switch (Config-If-Ethernet1/2)#sflow rate input 20000 Switch (Config-If-Ethernet1/2)#sflow rate output 20000 Switch (Config-If-Ethernet1/2)#sflow counter-interval 40 59.4 sFlow Troubleshooting In configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following: Ensure the physical connection is correct Guarantee the address of the sFlow analyzer configured under global or port mode is accessible. If traffic sampling is required, the sampling rate of the interface must be configured If statistic sampling is required, the statistic sampling interval of the interface must be configured If the examination remains unsolved, please contact with the technical service center of our company. 59-38 Chapter 60 RSPAN Configuration 60.1 Introduction to RSPAN Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as mirror source port and the duplicating port is referred to as mirror destination port. It is more convenience for network administrator to monitor and manage the network and diagnostic after the mirroring function achieved. But it only used for such instance that the mirror source port and the mirror destination ports are located in the same switch. RSPAN (remote switched port analyzer) refers to remote port mirroring. It eliminates the limitation that the source port and the destination port must be located on the same switch. This feature makes it possible for the source port and the destination port to be located on different devices in the network, and facilitates the network administrator to manage remote switches. It can’t forward traffic flows on remote mirror VLAN. There are three types of switches with the RSPAN enabled: 1. Source switch: The switch to which the monitored port belongs. The source switch copies the mirrored traffic flows to the Remote VLAN, and then through Layer 2 forwarding, the mirrored flows are sent to an intermediate switch or destination switch. 2. Intermediate switch: Switches between the source switch and destination switch on the network. Intermediate switch forwards mirrored flows to the next intermediate switch or the destination switch. Circumstances can occur where no intermediate switch is present, if a direct connection exists between the source and destination switches. 3. Destination switch: The switch to which the destination port for remote mirroring belongs. It forwards mirrored flows it received from the Remote VLAN to the monitoring device through the destination port. When configuring the RSPAN mirroring of the source switch, reflector port mode or destination mirror port mode can be selected. The destination switch will redirect all the data frames in the RSPAN VLAN to the RSPAN destination port. For RSPAN mirroring, normal mode and advanced mode can be chosen, normal is introduced by default and fit the normal user. The advanced mode fit the advanced user. 1. Advanced mode: To redirect data frames in RSPAN VLAN to the RSPAN destination port, the intermediary and destination devices should support the redirection of flow. 2. Normal mode: To configure the RSPAN destination port in the RSPAN VLAN. Thus, datagrams in the RSPAN VLAN will be broadcasted to the destination port. In this mode, the destination port should be in RSPAN VLAN, and the source port should not be configured for broadcasting storm control. TRUNK ports should be configured carefully in order not to forward RSPAN datagrams to external networks. The normal mode has the benefit of easy configuration, and reduced system resources. 60-39 To be noticed: Normal mode is introduced by default. When using the normal mode, datagrams with reserved MAC addresses cannot be broadcasted. For chassis switches, at most 4 mirror destination ports are supported, and source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of the source mirror ports is not limited, and can be one or more. Multiple source ports are not restricted to be in the same VLAN. The destination port and the source ports can be in different VLAN. For configuration of RSPAN, a dedicated RSPAN VLAN should be configured first for carrying the RSPAN datagrams. The default VLAN, dynamic VLAN, private VLAN, multicast VLAN, and the layer 3 interface enabled VLAN cannot be configured as the RSPAN VLAN. The reflector port must belong to the RSPAN VLAN. The destination port should be connected to the Monitor and the configured as access port or the TRUNK port. The RSPAN reflector port will be working dedicatedly for mirroring, when a port is configured as a reflector port, it will discards all the existing connections to the remote peer, disable configurations related to loopback interfaces, and stop forwarding datagram. Connectivity between the source and destination switch for Remote VLAN, should be made sure by configuration. To be noticed: 1. Layer 3 interfaces related to RSPAN VLAN should not be configured on the source, intermediate, and the destination switches, or the mirrored datagrams may be discarded. 2. For the source and intermediate switches in the RSPAN connections, the native VLAN of TRUNK port cannot be configured as the RSPAN VLAN, Otherwise the RSPAN tag will be disposed before reaching the destination switches. 3. The source port, in access or trunk mode, should not be added to RSPAN VLAN if advanced RSPAN mode is chosen. When the reflector port is used for a inter-card mirroring of CPU TX data, it must be configured as TRUNK port and allows the RSPAN VLAN data passing, the Native VLAN should not be configured as RSPAN VLAN. 4. When configuring the remote mirroring function, the network bandwidth should be considered in order to carry the network flow and the mirrored flow. Keywords: RSPAN: Remote Switched Port Analyzer. RSPAN VLAN: Dedicated VLAN for RSPAN. RSPAN Tag: The VLAN tag which is attached to MTP of the RSPAN datagrams. Reflector Port: The local mirroring port between the RSPAN source and destination ports, which is not directly connected to the intermediate switches. 60-40 60.2 RSPAN Configuration Task List 1. Configure RSPAN VLAN 2. Configure mirror source port(cpu) 3. Configure mirror destination port 4. Configure reflector port 5. Configure remote VLAN of mirror group 1. Configure RSPAN VLAN Command Explanation VLAN Mode To configure the specified VLAN as RSPAN remote-span VLAN. The no command will remove the no remote-span configuration of RSPAN VLAN. 2. Configure mirror source port(CPU) Command Explanation Global Mode monitor session <session> source {interface <interface-list> | cpu [slot <slotnum>]} {rx| tx| both} To configure mirror source port; The no no monitor session <session> source command deletes the mirror source port. {interface <interface-list> | cpu [slot <slotnum>]} 3. Configure mirror destination port Command Explanation Global Mode monitor session <session> destination To configure mirror destination interface; The interface <interface-number> no command deletes the mirror destination no monitor session <session> destination interface <interface-number> port. 60-41 4. Configure reflector port Command Explanation Global Mode monitor session <session> reflector-port <interface-number> To configure the interface to reflector port; The no command deletes the reflector no monitor session <session> port. reflector-port 5. Configure remote VLAN of mirror group Command Explanation Global Mode monitor session <session> To configure remote VLAN of mirror remote vlan <vid> no monitor session <session> remote vlan group, the no command deletes the remote VLAN of mirror group. 60.3 Typical Examples of RSPAN Before RSPAN is invented, network administrators had to connect their PCs directly to the switches, in order to check the statistics of the network. However, with the help of RSPAN, the network administrators can configure and supervise the switches remotely, which brings more efficiency. The figure below shows a sample application of RSPAN. Source Switch E1 Destination Switch Intermediate Switch E2 E9 E7 E6 PC1 E10 Monitor Figure 60-1: RSPAN Application Sample 60-42 Two configuration solutions can be chosen for RSPAN: the first is without reflector port, and the other is with reflector port. For the first one, only one fixed port can be connected to the intermediate switch. However, no reflector port has to be configured. This maximizes the usage of witch ports. For the latter one, the port connected to the intermediate switch is not fixed. Datagrams can be broadcasted in the RSPAN VLAN through the loopback, which is much more flexible. The normal mode configuration is show as below: Solution 1: Source switch: Interface ethernet 1/1 is the source port for mirroring. Interface ethernet 1/2 is the destination port which is connected to the intermediate switch. RSPAN VLAN is 5. Switch(config)#vlan 5 Switch(Config-Vlan5)#remote-span Switch(Config-Vlan5)#exit Switch(config)#interface ethernet 1/2 Switch(Config-If-Ethernet1/2)#switchport mode trunk Switch(Config-If-Ethernet1/2)#exit Switch(config)#monitor session 1 source interface ethernet1/1 rx Switch(config)#monitor session 1 destination interface ethernet1/2 Switch(config)#monitor session 1 remote vlan 5 Intermediate switch: Interface ethernet1/6 is the source port which is connected to the source switch. Interface ethernet1/7 is the destination port which is connected to the intermediate switch. The native VLAN of this port cannot be configured as RSPAN VLAN, or the mirrored data may not be carried by the destination switch. RSPAN VLAN is 5. Switch(config)#vlan 5 Switch(Config-Vlan5)#remote-span Switch(Config-Vlan5)#exit Switch(config)#interface ethernet 1/6-7 Switch(Config-If-Port-Range)#switchport mode trunk Switch(Config-If-Port-Range)#exit Destination switch: Interface ethernet1/9 is the source port, which is connected to the source switch. Interface ethernet1/10 is the destination port which is connected to the monitor. This port is required to be configured as an access port, and belong to the RSPAN VLAN. RSPAN VLAN is 5. 60-43 Switch(config)#vlan 5 Switch(Config-Vlan5)#remote-span Switch(Config-Vlan5)#exit Switch(config)#interface ethernet 1/9 Switch(Config-If-Ethernet1/9)#switchport mode trunk Switch(Config-If-Ethernet1/9)#exit Switch(config)#interface ethernet 1/10 Switch(Config-If-Ethernet1/10)#switchport access vlan 5 Switch(Config-If-Ethernet1/10)#exit Solution 2: Source switch: Interface ethernet 1/1 is the source port. Interface ethernet 1/2 is the TRUNK port, which is connected to the intermediate switch. The native VLAN should not be a RSPAN VLAN. Interface Ethernet 1/3 is a reflector port. The reflector port belongs to the RSPAN VLAN; it is access port or TRUNK port of the RSPAN VLAN. RSPAN VLAN is 5. Switch(config)#vlan 5 Switch(Config-Vlan5)#remote-span Switch(Config-Vlan5)#exit Switch(config)#interface ethernet1/2 Switch(Config-If-Ethernet1/2)#switchport mode trunk Switch(Config-If-Ethernet1/2)#exit Switch(config)#interface ethernet 1/3 Switch(Config-If-Ethernet1/3)#switchport mode trunk Switch(Config-If-Ethernet1/3)#exit Switch(config)#monitor session 1 source interface ethernet1/1 rx Switch(config)#monitor session 1 reflector-port ethernet1/3 Switch(config)#monitor session 1 remote vlan 5 Intermediate switch: Interface ethernet1/6 is the source port which is connected to the source switch. Interface ethernet1/7 is the destination port which is connected to the destination switch. The native VLAN of the port should not be configured as RSPAN VLAN, or the mirrored data may not be carried by the destination switch. RSPAN VLAN is 5. 60-44 Switch(config)#vlan 5 Switch(Config-Vlan5)#remote-span Switch(Config-Vlan5)#exit Switch(config)#interface ethernet 1/6-7 Switch(Config-If-Port-Range)#switchport mode trunk Switch(Config-If-Port-Range)#exit Destination switch: Interface ethernet1/9 is the source port which is connected to the source switch. Interface ethernet1/10 is the destination port which is connected to the monitor. This port is required to be configured as an access port, and belong to the RSPAN VLAN. RSPAN VLAN is 5. Switch(config)#vlan 5 Switch(Config-Vlan5)#remote-span Switch(Config-Vlan5)#exit Switch(config)#interface ethernet 1/9 Switch(Config-If-Ethernet1/9)#switchport mode trunk Switch(Config-If-Ethernet1/9)#exit Switch(config)#interface ethernet 1/10 Switch(Config-If-Ethernet1/10)#switchport access vlan 5 Switch(Config-If-Ethernet1/10)#exit 60.4 RSPAN Troubleshooting Due to the following reasons, RSPAN may not function: Whether the destination mirror port is a member of the Port-channel group. If so, please change the Port-channel group configuration; The throughput the destination port is less than the total throughput of the source mirror ports. If so, the destination cannot catch all the datagrams from every source ports. To solve the problem, please reduce the number of the source ports, or mirror only single direction data flow, or choose some other port with higher capacity as the destination port. Between the source switch and the intermediate switch, whether the native VLAN of the TRUNK ports is configured as RSPAN VLAN. If so, please change the native VLAN for the TRUNK ports. 60-45 Chapter 61 ERSPAN 61.1 Introduction to ERSPAN ERSPAN(Encapsulated Remote Switched Port Analyzer)eliminates the limitation that the source port and the destination port must be located on the same switch. This feature makes it possible for the source port and the destination port to be located on different devices in the network, and facilitates the network administrator to manage remote switches. Compared with the traditional RSPAN, ERSPAN configuration is simpler and it makes the monitored traffic to be transmitted in the specified tunnel. To be noticed 1. Monitor source of ERSPAN monitor only supports port monitor, it does not support CPU monitor and flow monitor presently. 2. For the source and destination switches in the ERSPAN connections, a tunnel must be existed. 3. When configuring the remote mirror function, the network bandwidth should be considered in order to carry the network flow and the mirrored flow. Keywords: ERSPAN: Encapsulated Remote Switched Port Analyzer. 61.2 ERSPAN Configuration Task List 1. Specify mirror source port Command Explanation Global Mode monitor session <session> source {interface <interface-list>} {rx| tx| both} Specify the mirror source port; the no no monitor session <session> source command deletes the mirror source port. {interface <interface-list>} 2. Specify mirror destination tunnel Command Explanation Global Mode monitor session <session> destination tunnel <tunnel-number> no monitor session <session> destination tunnel <tunnel-number> Specify the mirror destination tunnel; the no command deletes the mirror destination tunnel. 61-46 3. Appoint the mirror destination, and the destination can be the physical port or the tunnel Command Explanation Global Mode monitor session <session> destination tunnel interface <interface-number> desmac < MAC Appoint the mirror destination address > desIP < Dest IP address > scrIP < Source to be the physical port or the IP address tunnel; the no command no monitor session <session> destination tunnel deletes the mirror destination. interface <interface-number> 61.3 Typical Examples of ERSPAN Before ERSPAN is invented, network administrators had to connect their PCs directly to the switches, in order to check the status of the network. However, with the help of ERSPAN, network administrators can configure and supervise the switches remotely, which brings more efficiency. In Layer 3 network, Device A connects to the marketing department through Ethernet 1/1, and connects to Ethernet1/2 of Device B through Ethernet 1/2; Device C connects to the server through Ethernet 1/2, and connects to Ethernet 1/1 of Device B through Ethernet 1/1. Server is able to monitor the bidirectional traffic of the marketing department across a GRE tunnel by configuring remote port mirroring. The figure below shows a sample application of ERSPAN. Figure 61-1: ERSPAN application diagram 61-47 Before configuring layer-3 remote port mirroring, make sure that you have created a GRE tunnel that connects the source and destination device, and ensure the normal transmitting for GRE tunnel. The configuration of Layer 3 remote port mirror needs to be processed on the source and destination devices, respectively. Both the source and destination ports are configured on the source and destination devices and their differences are as follows: 1) On Device A, configure the port which you want to monitor as the source port and configure the tunnel interface as the destination port. 2) On Device C, configure the physical port corresponding to the tunnel interface as the source port and configure the port that connects the data monitor device as the destination port. (1) Configure IP addresses Configure IP address and subnet mask for the interfaces, configuration procedures is omitted. (2) Configure Device A (the source device) # Create interface Tunnel1, and configure an IP address and mask for it. SwitchA(config)#interface tunnel 1 SwitchA(config-if-tunnel1)# tunnel mode gre ip SwitchA (config-if-tunnel1)#ip address 50.1.1.1 255.255.255.0 # Configure Tunnel1 to operate in GRE tunnel mode, and configure source and destination IP addresses for it. SwitchA(config-if-tunnel1)# tunnel source 10.1.1.1 SwitchA(config-if-tunnel1)# tunnel destination 40.1.1.1 SwitchA(config-if-tunnel1)# exit # Configure OSPF protocol. SwitchA (config)#router ospf SwitchA (config-router)#network 0.0.0.0/0 area 0 SwitchA (config-router)#exit # Configure Ethernet 1/1 as a source port and Tunnel1 as the destination port of local mirroring group 1. SwitchA(config)#monitor session 4 destination tunnel 1 SwitchA(config)#monitor session 4 source interface ethernet 1/1 both (3) Configure Device B (the intermediate device) # Configure OSPF protocol. SwitchB (config)#router ospf 61-48 SwitchB (config-router)#network 0.0.0.0/0 area 0 SwitchB (config-router)#exit (4) Configure Device C (the destination device) # Create interface Tunne1, and configure an IP address and mask for it. SwitchC(config)#interface tunnel 1 SwitchC (config-if-tunnel1)# tunnel mode gre ip SwitchC (config-if-tunnel1)#ip address 50.1.1.2 255.255.255.0 # Configure Tunnel1 to operate in GRE tunnel mode, and configure source and destination IP addresses for it. SwitchC (config-if-tunnel1)# tunnel source 40.1.1.1 SwitchC (config-if-tunnel1)# tunnel destination 10.1.1.1 SwitchC (config-if-tunnel1)# exit # Configure OSPF protocol. SwitchC (config)#router ospf SwitchC (config-router)#network 0.0.0.0/0 area 0 SwitchC (config-router)#exit # Configure Ethernet 1/1 as a source port and Ethernet 1/2 as the destination port of local mirroring group 1. SwitchC (config)#monitor session 1 destination interface ethernet 1/2 SwitchC (config)#monitor session 1 source interface ethernet 1/1 rx 61.4 ERSPAN Troubleshooting If problems occur when configuring ERSPAN, please check whether the problem is caused by the following reasons: Make sure GRE tunnel configuration to ensure the normal transmission for the traffic. If the throughput of mirror destination port is smaller than the total throughput of mirror source port(s), the destination port will not be able to duplicate the traffic of all source port; please decrease the number of source ports, duplicate traffic for one direction only or choose a port with greater throughput as the destination port. 61-49 Chapter 62 SNTP Configuration 62.1 Introduction to SNTP The Network Time Protocol (NTP) is widely used for clock synchronization for global computers connected to the Internet. NTP can assess packet sending/receiving delay in the network, and estimate the computer’s clock deviation independently, so as to achieve high accuracy in network computer clocking. In most positions, NTP can provide accuracy from 1 to 50ms according to the characteristics of the synchronization source and network route. Simple Network Time Protocol (SNTP) is the simplified version of NTP, removing the complex algorithm of NTP. SNTP is used for hosts who do not require full NTP functions; it is a subset of NTP. It is common practice to synchronize the clocks of several hosts in local area network with other NTP hosts through the Internet, and use those hosts to provide time synchronization service for other clients in LAN. The figure below depicts a NTP/SNTP application network topology, where SNTP mainly works between second level servers and various terminals since such scenarios do not require very high time accuracy, and the accuracy of SNTP (1 to 50 ms) is usually sufficient for those services. Figure 62-1: Working Scenario Switch implements SNTPv4 and supports SNTP client unicast as described in RFC2030; SNTP client multicast and unicast are not supported, nor is the SNTP server function. 62-50 62.2 Typical Examples of SNTP Configuration SNTP/NTP SERVER SNTP/NTP SERVER … … SWITCH SWITCH SWITCH Figure 62-2: Typical SNTP Configuration All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured. There should be reachable route between any switch and the two SNTP/NTP servers. For example, assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.1, respectively, and SNTP/NTP server function (such as NTP master) is enabled, then configurations for any switch should like the following: Switch#config Switch(config)#sntp server 10.1.1.1 62-51 Chapter 63 NTP Function Configuration 63.1 Introduction to NTP Function The NTP (Network Time Protocol) synchronizes timekeeping spans WAN and LAN among distributed time servers and clients, it can get millisecond precision. The introduction of event, state, transmit function and action are defined in RFC-1305. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network so that the devices can provide diverse applications based on the consistent time. For a local system running NTP, its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks, also can synchronize each other by transmit NTP packets. 63.2 NTP Function Configuration Task List 1. To enable NTP function 2. To configure NTP server function 3. To configure the max. number of broadcast or multicast servers supported by the NTP client 4. To configure time zone 5. To configure NTP access control list 6. To configure NTP authentication 7. To specified some interface as NTP broadcast/multicast client interface 8. To configure some interface can’t receive NTP packets 9. Display information 10. Debug 1. To enable NTP function Command Explication Global Mode ntp enable ntp disable To enable or disable NTP function. 2. To configure NTP server function Command Explication Global Mode 63-52 ntp server {<ip-address> | <ipv6-address>} [version <version_no>] [key <key-id>] no ntp server {<ip-address> | To enable the specified time server of time source. <ipv6-address>} 3. To configure the max. number of broadcast or multicast servers supported by the NTP client Command Explication Global Mode Set the max. number of broadcast or ntp broadcast server count <number> multicast servers supported by the NTP no ntp broadcast server count client. The no operation will cancel the configuration and restore the default value. 4. To configure time zone Command Explication Global Mode clock timezone WORD {add | subtract} This command configures timezone in <0-23> [<0-59>] global mode, the no command deletes the no clock timezone WORD configured timezone. 5. To configure NTP access control list Command Explication Global Mode ntp access-group server <acl> no ntp access-group server < acl> To configure NTP server access control list. 6. To configure NTP authentication Command Explication Global Mode ntp authenticate no ntp authenticate ntp authentication-key <key-id> md5 <value> no ntp authentication-key <key-id> To enable NTP authentication function. To configure authentication key for NTP authentication. 63-53 ntp trusted-key <key-id> no ntp trusted-key <key-id> To configure trusted key. 7. To specified some interface as NTP multicast client interface Command Explication Vlan Mode ntp multicast client To configure specified interface to receive no ntp multicast client NTP multicast packets. ntp ipv6 multicast client To configure specified interface to receive no ntp ipv6 multicast client IPv6 NTP multicast packets. 8. To configure some interface can’t receive NTP packets Command Explication Vlan Mode ntp disable no ntp disable To disable the NTP function. 9. Display information Command Explication Admin Mode show ntp status show ntp session [ <ip-address> | <ipv6-address> ] To display the state of time synchronize. To display the information of NTP session. 10. Debug Command Explication Admin Mode debug ntp authentication To enable debug switch of NTP no debug ntp authentication authentication. debug ntp packets [send | receive] To enable debug switch of NTP packet no debug ntp packets [send | receive] information. debug ntp adjust To enable debug switch of time update no debug ntp adjust information. 63-54 debug ntp sync To enable debug switch of time no debug ntp sync synchronize information. debug ntp events To enable debug switch of NTP event no debug ntp events information. 63.3 Typical Examples of NTP Function A client switch wanted to synchronize time with time server in network, there is two time server in network, the one is used as host, the other is used as standby, the connection and configuration as follows (Switch A and Switch B are the switch or route which support NTP server ): The configuration of Switch C is as follows: (Switch A and Switch B may have the different command because of different companies, we not explain there, our switches are not support NTP server at present) Switch C: Switch(config)#ntp enable Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 192.168.1.12 255.255.255.0 Switch(config)#interface vlan 2 Switch(Config-if-Vlan1)#ip address 192.168.2.12 255.255.255.0 Switch(config)#ntp server 192.168.1.11 Switch(config)#ntp server 192.168.2.11 63.4 NTP Function Troubleshooting In configuration procedures, if there is error occurred, the system can give out the debug information. The NTP function disables by default, the show command can be used to display current configuration. If the configuration is right please use debug every relative debugging command and display specific information in procedure, and the function is configured right or not, you can also use show command to display the NTP running information, any questions please send the recorded message to the technical service center. 63-55 Chapter 64 Summer Time Configuration 64.1 Introduction to Summer Time Summer time is also called daylight saving time, it is a time system for saving energy sources. In summer the time is advanced 1 hour to keep early hours, reduce the lighting, so as to save electrolighting. The rule that adopt summer time is different in each country. At present, almost 110 countries implement summer time. Compare with the standard time, usually set summer time 1 hour late, for example, when summer time is implementing, 10:00 am of the standard time is considered 11:00 am of summer time. 64.2 Summer Time Configuration Task Sequence 1. Configure absolute or recurrent time range of summer time Command Explanation Global Mode clock summer-time <word> absolute Set absolute time range of summer time, start <HH:MM> <YYYY.MM.DD> <HH:MM> and end summer time is configured with <YYYY.MM.DD> [<offset>] specified year. no clock summer-time clock summer-time <word> recurring Set recurrent time range of summer time, <HH:MM> <MM.DD> <HH:MM> <MM.DD> every year the summer time begins from the [<offset>] start time and end at the end time. no clock summer-time clock summer-time <word> recurring Set recurrent time range of summer time, <HH:MM> <week> <day> <month> every year the summer time begins from the <HH:MM> <week> <day> <month> start time and end at the end time. [<offset>] no clock summer-time 64-56 64.3 Examples of Summer Time Example1: The configuration requirement in the following: The summer time from 23:00 on April 1st, 2012 to 00:00 on October 1st, 2012, clock offset as 1 hour, and summer time is named as 2012. Configuration procedure is as follows: Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1 Example2: The configuration requirement in the following: The summer time from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October year after year, clock offset as 2 hours, and summer time is named as time_travel. Configuration procedure is as follows: Switch(config)#clock summer-time time_travel recurring at 23:00 the first Sat. of Apr. and at 00:00 the last Sun. of Oct. 64.4 Summer Time Troubleshooting If there is any problem happens when using summer time, please check whether the problem is caused by the following reasons: Check whether command mode in global mode Check whether system clock is correct 64-57 Chapter 65 DNSv4/v6 Configuration 65.1 Introduction to DNS DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember and signification domain names in some applications and let the DNS server translate them into correct IPv4/IPv6 addresses. There are two types of DNS services, static and dynamic, which supplement each other in application. Each time the DNS server receives a name query it checks its static DNS database first before looking up the dynamic DNS database. Some frequently used addresses can be put in the static DNS database, the reduction the searching time in the dynamic DNS database would increase efficiency. The static domain name resolution means setting up mappings between domain names and IPv4/IPv6 addresses. IPv4/IPv6 addresses of the corresponding domain names can be found in the static DNS database when you use some applications. Dynamic domain name resolution is implemented by querying the DNS server. A user program sends a name query to the resolver in the DNS client when users want to use some applications with domain name, the DNS resolver looks up the local domain name cache for a match. If a match is found, it sends the corresponding IPv4/IPv6 address back to the switch. If no match is found, it sends a query to a higher DNS server. This process continues until a result, whether success or failure, is returned. The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. It associates various information with domain names assigned to such participants. Most importantly, it translates humanly meaningful domain names to the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices world-wide. An often used analogy to explain the Domain Name System is that it serves as the "phone book" for the Internet by translating human-friendly computer hostnames into IP addresses. The Domain Name System makes it possible to assign domain names to groups of Internet users in a meaningful way, independent of each user's physical location. Because of this, World-Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166(IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). People take advantage of this when they recite meaningful URLs and e-mail addresses without having to know how the machine will actually locate them. The Domain Name System distributes the responsibility for assigning domain names and mapping them to Internet Protocol (IP) networks by designating authoritative name servers for each domain to keep track of their own changes, avoiding the need for a central register to be continually consulted and updated. In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a world-wide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet. 65-58 65.2 DNSv4/v6 Configuration Task List 1. To enable/disable DNS function 2. To configure/delete DNS server 3. To configure/delete domain name suffix 4. To delete the domain entry of specified address in dynamic cache 5. To enable DNS dynamic domain name resolution 6. Enable/disable DNS SERVER function 7. Configure the max. number of client information in the switch queue 8. Configure the timeout value of caching the client information on the switch 9. Monitor and diagnosis of DNS function 1. To enable/disable DNS function Command Explanation Global Mode ip domain-lookup To enable/disable DNS dynamic lookup no ip domain-lookup function. 2. To configure/delete DNS server Command Explanation Global Mode dns-server {<ip-address> | <ipv6-address>} [priority <value>] To configure DNS server, the no form of this no dns-server {<ip-address> | command deletes DNS server. <ipv6-address>} 3. To configure/delete domain name suffix Command Explanation Global Mode ip domain-list <WORD> no ip domain-list <WORD> To configure/delete domain name suffix. 4. To delete the domain entry of specified address in dynamic cache Command Explanation Admin Mode 65-59 clear dynamic-host {<ip-address> | To delete the domain entry of specified <ipv6-address> | all} address in dynamic cache. 5. To enable DNS dynamic domain name resolution Command Explanation Global Mode dns lookup {ipv4 | ipv6} <hostname> To enable DNS dynamic domain name resolution. 6. Enable/disable DNS SERVER function Command Explanation Global Mode ip dns server no ip dns server Enable/disable DNS SERVER function. 7. Configure the max. number of client information in the switch queue Command Explanation Global Mode ip dns server queue maximum <1-5000> no ip dns server queue maximum Configure the max. number of client information in the switch queue. 8. Configure the timeout value of caching the client information on the switch Command Explanation Global Mode ip dns server queue timeout <1-100> Configure the timeout value of caching the no ip dns server queue timeout client information on the switch. 65-60 9. Monitor and diagnosis of DNS function Command Explanation Admin Mode To show the configured DNS server show dns name-server information. To show the configured DNS domain name show dns domain-list suffix information. To show the dynamic domain name show dns hosts information of resolved by switch. Display the configured global DNS show dns config information on the switch. Display the DNS Client information show dns client maintained by the switch. debug dns {all | packet [send | recv] | events | relay} no debug dns {all | packet [send | recv] To enable/disable DEBUG of DNS function. | events | relay} 65.3 Typical Examples of DNS DNS SERVER IP: 219.240.250.101 IPv6: 2001::1 ip domain-lookup dns-server 219.240.250.101 dns-server 2001::1 INTERNET SWITCH Figure 65-1: DNS CLIENT typical environment As shown in fig, the switch connected to DNS server through network, if the switch want to visit Sina Website, it needn’t to know the IPv4/IPv6 address of Sina Website, only need is to record the domain name of Sina Website is www.sina.com.cn. The DNS server can resolute out the IPv4/IPv6 address of this domain name and send to switch, then the switch can visit Sina Website correctly. The switch is configured as DNS client, basic configurations are as below: first to enable DNS dynamic domain name resolution function on switch, and configure DNS server address, then with some kinds of tools such as PING, the switch can get corresponding IPv4/IPv6 address with dynamic domain name resolution function. 65-61 DNS SERVER IP:219.240.250.101 IPv6:2001::1 client SWITCH INTERNET Figure 65-2: DNS SERVER typical environment The figure above is an application of DNS SERVER. Under some circumstances, the client PC doesn’t know the real DNS SERVER, and points to the switch instead. The switch plays the role of a DNS SERVER in two steps: Enable the global DNS SERVER function, configure the IP address of the real DNS server. After the DNS SERVER function is globally enabled, the switch will look up its local cache when receiving a DNS request from a client PC. If there is a domain needed by the local client, it will directly answer the client’s request; otherwise, the switch will relay the request to the real DNS server, pass the reply from the DNS Server to the client and record the domain and its IP address for a faster lookup in the future. Switch configuration for DNS CLIENT: Switch(config)# ip domain-lookup Switch(config)# dns-server 219.240.250.101 Switch(config)# dns-server 2001::1 Switch#ping host www.sina.com.cn Switch#traceroute host www.sina.com.cn Switch#telnet host www.sina.com.cn Switch configuration for DNS SERVER: Switch(config)# ip domain-lookup Switch(config)# dns-server 219.240.250.101 Switch(config)# dns-server 2001::1 Switch(config)# ip dns server 65-62 65.4 DNS Troubleshooting In configuring and using DNS, the DNS may fail due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: First make sure good condition of the TACACS+ server physical connection; Second all interface and link protocols are in the UP state (use “show interface” command); Then please make sure that the DNS dynamic lookup function is enabled (use the “ip domain-lookup” command) before enabling the DNS CLIENT function. To use DNS SERVER function, please enable it (use the “ip dns server” command); Finally ensure configured DNS server address (use “dns-server” command), and the switch can ping DNS server; If the DNS problems remain unsolved, please use debug DNS all and other debugging command and copy the DEBUG message within 3 minutes, send the recorded message to the technical service center of our company. 65-63 Chapter 66 Monitor and Debug When the users configures the switch, they will need to verify whether the configurations are correct and the switch is operating as expected, and in network failure, the users will also need to diagnostic the problem. Switch provides various debug commands including ping, telnet, show and debug, etc. to help the users to check system configuration, operating status and locate problem causes. 66.1 Ping Ping command is mainly used for sending ICMP query packet from the switches to remote devices, also for check the accessibility between the switch and the remote device. Refer to the Ping command chapter in the Command Manual for explanations of various parameters and options of the Ping command. 66.2 Ping6 Ping6 command is mainly used by the switch to send ICMPv6 query packet to the remote equipment, verifying the accessibility between the switch and the remote equipment. Options and explanations of the parameters of the Ping6 command please refer to Ping6 command chapter in the command manual. 66.3 Traceroute Traceroute command is for testing the gateways through which the data packets travel from the source device to the destination device, so to check the network accessibility and locate the network failure. Execution procedure of the Traceroute command consists of: first a data packet with TTL at 1 is sent to the destination address, if the first hop returns an ICMP error message to inform this packet can not be sent (due to TTL timeout), a data packet with TTL at 2 will be sent. Also the send hop may be a TTL timeout return, but the procedure will carries on till the data packet is sent to its destination. These procedures is for recording every source address which returned ICMP TTL timeout message, so to describe a path the IP data packets traveled to reach the destination. Traceroute Options and explanations of the parameters of the Traceroute command please refer to traceroute command chapter in the command manual. 66-64 66.4 Traceroute6 The Traceroute6 function is used on testing the gateways passed through by the data packets from the source equipment to the destination equipment, to verify the accessibility and locate the network failure. The principle of the Traceroute6 under IPv6 is the same as that under IPv4, which adopts the hop limit field of the ICMPv6 and IPv6 header. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and packet sent time) whose HOPLIMIT is set to 1. When first route on the path receives this datagram, it minus the HOPLIMIT by 1 and the HOPLIMIT is now 0. So the router will discard this datagram and returns with a 「ICMPv6 time exceeded」 message (including the source address of the IPv6 packet, all content in the IPv6 packet and the IPv6 address of the router). Upon receiving this message, the Traceroute6 sends another datagram of which the HOPLIMIT is increased to 2 so to discover the second router. Plus 1 to the HOPLIMIT every time to discover another router, the Traceroute6 repeat this action till certain datagram reaches the destination. Traceroute6 Options and explanations of the parameters of the Traceroute6 command please refer to traceroute6 command chapter in the command manual. 66.5 Show show command is used to display information about the system, port and protocol operation. This part introduces the show command that displays system information, other show commands will be discussed in other chapters. Command Explanation Admin Mode show debugging show flash show history Display the debugging state. Display the files and the sizes saved in the flash. Display the recent user input history command. Show the recent command history of all users. Use clear history all-users show history all-users [detail] command to clear the command history of all users saved by the system, the max. history number can be set by history all-users max-length command. show memory show running-config show running-config current-mode Display content in specified memory area. Display the switch parameter configuration validating at current operation state. Show the configuration under the current mode. 66-65 Display the switch parameter configuration written in the Flash Memory at current operation state, which is normally the show startup-config configuration file applied in next time the switch starts up. Display the VLAN port mode and the show switchport interface [ethernet belonging VLAN number of the switch as <IFNAME>] well as the Trunk port information. show tcp Display the TCP connection status show tcp ipv6 established currently on the switch. show udp Display the UDP connection status show udp ipv6 established currently on the switch. Display the information of the Telnet client which currently establishes a Telnet show telnet login connection with the switch. Display the operation information and the state of each task running on the switch. It is show tech-support used by the technicians to diagnose whether the switch operates properly. show version Display the version of the switch. show temperature This command is not supported by switch. show fan This command is not supported by switch. 66.6 Debug All the protocols switch supports have their corresponding debug commands. The users can use the information from debug commands for troubleshooting. Debug commands for their corresponding protocols will be introduced in the later chapters. 66.7 System log 66.7.1 System Log Introduction The system log takes all information output under it control, while making detailed catalogue, so to select the information effectively. Combining with Debug programs, it will provide a powerful support to the network administrator and developer in monitoring the network operation state and locating the network failures. The switch system log has following characteristics Log output from four directions (or log channels) of the Console, Telnet terminal and monitor, log buffer zone, and log host. 66-66 The log information is classified to four level of severities by which the information will be filtered According to the severity level the log information can be auto outputted to corresponding log channel. 66.7.1.1 Log Output Channel So far the system log can be outputted the log information through four channels: Through Console port to the local console Output the log information to remote Telnet terminal or monitor, this function is good for remote maintenance Assign a proper log buffer zone inside the switch, for record the log information permanently or temporarily Configure the log host, the log system will directly send the log information to the log host, and save it in files to be viewed at any time Among above log channels, users rarely use the console monitor, but will commonly choose the Telnet terminal to monitor the system operation status. However information outputted from these channels are of low traffic capacity and can not be recorded for later view. The other two channels---the log buffer zone and log host channel are two important channels SDRAM (Synchronous Dynamic Random Access Memory) and NVRAM (Non Vulnerable Random Access Memory) is provided inside the switch as two part of the log buffer zone, The two buffer zone record the log information in a circuit working pattern, namely when log information need to be recorded exceeds the buffer size, the oldest log information will be erased and replaced by the new log information, information saved in NVRAM will stay permanently while those in SDRAM will lost when the system restarts or encounter an power failure. Information in the log buffer zone is critical for monitoring the system operation and detecting abnormal states. Note: the NVRAM log buffer may not exist on some switches, which only have the SDRAM log buffer zone. It is recommended to use the system log server. By configuring the log host on the switch, the log can be sent to the log server for future examination. 66.7.1.2 Format and Severity of the Log Information The log information format is compatible with the BSD syslog protocol, so we can record and analyze the log by the systlog (system log protect session) on the UNIX/LINUX, as well as syslog similar applications on PC. The log information is classified into eight classes by severity or emergency procedure. One level per value and the higher the emergency level the log information has, the smaller its value will be. For example, the level of critical is 2, and warning is 4, debugging is leveled at 7, so the critical is higher than warnings which no doubt is high than debugging. The rule applied in filtering the log information by severity level is that: only the log information with level equal to or higher than the threshold will be outputted. So when the severity 66-67 threshold is set to debugging, all information will be outputted and if set to critical, only critical, alerts and emergencies will be outputted. The following table summarizes the log information severity level and brief description. Note: these severity levels are in accordance with the standard UNIX/LINUX syslog. Table 66-1 Severity of the logٛ information Severity Value Description emergencies 0 System is unusable alerts 1 Action must be taken immediately critical 2 Critical conditions errors 3 Error conditions warnings 4 Warning conditions notifications 5 Normal but significant condition informational 6 Informational messages debugging 7 Debug-level messages Right now the switch can generate information of the following four levels Restart the switch, mission abnormal are classified critical Up/down interface, topology change, aggregate port state change of the interface are notifications warnings Outputted information from the CLI command is classified informational Information from the debugging of CLI command is classified debugging Log information can be automatically sent to corresponding channels with regard to respective severity levels. Amongst the debugging information can only be sent to the monitor. Those with the Informational level can only be sent to current monitor terminal, such as the information from the Telnet terminal configuration command can only be transmitted to the Telnet terminal. Warnings information can be sent to all terminal with also saved in the SDRAM log buffer zone. And the critical information can be save both in SDRAM and the NVRAM (if exists) besides sent to all terminals. To check the log save in SDRAM and the NVRAM, we can use the show logging buffered command. To clear the log save in NVRAM and SDRAM log buffer zone, we can use the clear logging command. 66-68 66.7.2 System Log Configuration System Log Configuration Task Sequence: 1. Display and clear log buffer zone 2. Configure the log host output channel 3. Enable/disable the log executed-commands 4. Display the log source 5. Display executed-commands state 1. Display and clear log buffer zone Command Description Admin Mode show logging buffered [ level {critical | Show detailed log information in the log warnings} | range <begin-index> buffer channel. <end-index>] Clear log buffer zone information. clear logging sdram 2. Configure the log host output channel Command Description Global Mode logging {<ipv4-addr> | <ipv6-addr>} Enable the output channel of the log host. [ facility <local-number> ] [level The “no” form of this command will disable <severity>] the output at the output channel of the log no logging {<ipv4-addr> | <ipv6-addr>} host. [ facility <local-number>] Add the loghost sequence-number for the logging loghost sequence-number log, the no command does not include the no logging loghost sequence-number 3. loghost sequence-number. Enable/disable the log executed-commands Command Description Global Mode logging executed-commands {enable | Enable or disable the logging disable} executed-commands 66-69 4. Display the log source Command Description Admin Mode show logging source mstp 5. Show the log information source of MSTP module. Display executed-commands state Command Description Admin Mode show logging executed-commands Show the state of logging state executed-commands 66.7.3 System Log Configuration Example Example 1: When managing VLAN the IPv4 address of the switch is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5. It is required to send the log information with a severity equal to or higher than warnings to this log server and save in the log record equipment local1. Configuration procedure: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)# ip address 100.100.100.1 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#logging 100.100.100.5 facility local1 level warnings Example 2: When managing VLAN the IPv6 address of the switch is 3ffe:506::1, and the IPv4 address of the remote log server is 3ffe:506::4. It is required to send the log information with a severity equal to or higher than critical to this log server and save the log in the record equipment local7. Configuration procedure Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ipv6 address 3ffe:506::1/64 Switch(Config-if-Vlan1)#exit Switch(config)#logging 3ffe:506::4 facility local7 level critical 66-70 Chapter 67 Reload Switch after Specified Time 67.1 Introduction to Reload Switch after Specified Time Reload switch after specified time is to reboot the switch without shutdown its power after a specified period of time, usually when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version being updated successfully. 67.2 Reload Switch after Specified Time Task List 1. Reload switch after specified time Command Explanation Admin Mode reload after {[<HH:MM:SS>] [days Reload the switch after a specified time <days>]} period. reload cancel Cancel the specified time period to reload the switch. 67-71 Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU 68.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU The following commands are used to debug and diagnose the packets received and sent by CPU, and are supposed to be used with the help of the technical support. 68.2 Debugging and Diagnosis for Packets Received and Sent by CPU Task List Command Explanation Global Mode cpu-rx-ratelimit protocol Set the max. rate of the CPU receiving packets of the <protocol-type> <packets> protocol type, the no command set the max. rate to default. no cpu-rx-ratelimit protocol [ <protocol- type> ] clear cpu-rx-stat protocol Clear the statistics of the CPU received packets of the [ <protocol-type> ] protocol type. Admin Mode show cpu-rx protocol Show the information of the CPU received packets of the [ <protocol-type> ] protocol type. debug driver {receive|send} Turn on the showing of the CPU receiving or sending packet [interface {<interface-name> informations. |all}] [protocol {<protocol-type> |discard |all}][detail] no debug driver {receive |send} Turn off the showing of the CPU receiving or sending packet informations. 68-72 Chapter 69 Dying Gasp Configuration 69.1 Introduction to Dying Gasp Dying gasp is power failure alarm function. It means that at the case of power failure, the switch can also send information through the ethernet ports to notice the other switch that it is power failure. Dying gasp is enabled as default, but it could run normally with the snmp management function. So the layer 3 interface should be configured on switch and make it connect to snmp management server. snmp trap should be configured orderly. 69.2 Dying Gasp Typical Examples The dying gasp function of the switch is enabled as default, but it could run normally with the snmp management function. Below are the configuration steps: Switch(config)#snmp-server enable Switch(config)#snmp-server securityip X.X.X.X Switch(config)#snmp-server host X.X.X.X v2c switch Switch(config)#snmp-server enable traps Switch(config)#interface vlan N Switch(config-if-vlanN)ip address Y.Y.Y.Y 255.255.255.0 69.3 Dying Gasp Troubleshooting If there is something wrong when configuring dying gasp function, please check out if it is because of the following reasons: Make sure the layer 3 interface has been configured and connected to snmp server. Make sure the address of snmp server. More than one snmp server address can be configured on switch, but dying gasp trap packets will be sent to the last configured server when it is power failure. 69-73 Chapter 70 PoE Configuration 70.1 Introduction to PoE PoE (Power over Ethernet) is a technology to provide direct currents for some IP-based terminals (such as IP phones, APs of wireless LANs and network cameras) while transmitting data to them. Such DC-receiving devices are called PD (Powered Device). The max. distance of reliable power supply provided by PoE is 100 meters. IEEE 802.3af standard is a new PoE standard, and an extension to the current Ethernet standard by adding new items on power supply via network cables to IEEE 802.3 standard. It is also the first international standard on power distribution. The application of PoE used to be in two areas: IP phone and 802.11 wireless network, however, along with the development of this technology, many applications with more practical meanings have emerged and benefited from PoE, such as video monitoring, integrated building management solution, and remote video service booth. All these existing and predictably more of such applications arouse needs for switches supporting PoE. 70.2 PoE Configuration The PoE Configuration Task List: 1. Globally enable or disable PoE 2. Globally Set the Max. Output Power 3. Globally set power management mode 4. Globally set non-standard PD detection mode 5. Globally enable or disable the allowed high-inrush current when nonstandard PD is powered instantaneously 6. Enable or disable PoE on specified ports 7. Set the max. output power on specified ports 8. Set the power priority on specified ports 1. Globally Enable or Disable PoE Command Explanation Global Mode power inline enable no power inline enable Enable/disable PoE globally. 2. Globally set the max.. output power Command Explanation Global Mode 70-74 power inline max <max-wattage> Globally set the max. output power of PoE. no power inline max 3. Globally set the power management mode Command Explanation Global Mode power inline police enable no power inline police enable Enable/disable the power priority management policy mode. 4. Globally set non-standard PD detection mode Command Explanation Global Mode power inline legacy enable Set whether or not to provide power for non-standard IEEE no power inline legacy enable PD. 5. Globally enable or disable the allowed high-inrush current when nonstandard PD is powered instantaneously Command Explanation Global Mode power inline high-inrush enable no power inline high-inrush enable Enable/disable the allowed high-inrush current when nonstandard PD is powered instantaneously. 6. Enable or disable PoE on specified ports Command Explanation Port Mode power inline enable no power inline enable Enable/ disable PoE. 7. Set the max. output power on specified ports Command Explanation Port Mode power inline max <max-wattage> Set the max. output power on specified ports. no power inline max 70-75 8. Set the power priority on specified ports Command Explanation Port Mode power inline priority {critical | high | low} Set the power priority on specified ports. 70.3 Typical Application of PoE Requirements of Network Deployment Set the max. output power of SGS-6340-24P4S to 370W, assuming that the default max. power can satisfy the requirements. Ethernet interface 1/0/2 is connected to an IP phone. Ethernet interface 1/0/4 is connected to a wireless AP. Ethernet interface 1/0/6 is connected to a Bluetooth AP. Ethernet interface 1/0/8 is connected to a network camera. The IP phone connected to Ethernet interface has the highest-level power supply priority: critical, which requires the power supply to the newly connected PD being cut off if it causes PSE power-overload (i.e. adopting the priority policy of PD power management). Power of subordinate AP devices connected to Ethernet interface 1/0/6 should not exceeds 9000mW. Topology of Network Configuration Steps: Globally enable PoE: 70-76 Switch(Config)# power inline enable Globally set the max. power to 370W: Switch(Config)# power inline max. 370 Globally enable the priority policy of power management: Switch(Config)# power inline police enable Set the priority of Port 1/0/2 to critical: Switch(Config-Ethernet1/0/2)# power inline priority critical Set the max. output power of Port 1/0/6 to 9000mW: Switch(Config-Ethernet1/0/6)#power inline max. 9000 70.4 PoE Troubleshooting Help If problems occur on using PoE, please check: When the global value of Power Remaining is less than 15W, due to the power source protection mechanism, the power supply to new PDs will be cut off in first-come-first-serve mode, while the existing low-priority devices will also be disconnected in priority policy mode. If the Power Remaining is over 15W, say 16W, any newly connected device with a power no more than 15W can get its power supply normally, without affecting other devices. Such a power supply buffer of 15W is designed for power source protection, and calls for special attention. The displayed value of power might over the value of max. This involves the relationship between the displayed power and the actual power, for instance: The power set on the port: A, represents the actual output PoE power The displayed power: B, represents the total power of the port (total current × total voltage) The power loss set on the port: C, represents power loss of the internal Sensor ohmic resistance, MosFet etc. Then: B=A+C If the power is set as A=500mW, according to the following table, the compensating current will be I=2.44mA (500mW/50V=10mA assuming the current working voltage is 50V), plus the compensating power C=50V× 2.44mA=122mA B=A+C=500+122=622mW. So, only when the displayed power reaches 622mW, the PD will be disconnected Table: Max. Working Current (mA) Compensating Current (mA) 50 2.44 100 4.88 150 9.76 200 17.08 250 24.41 350 31.73 70-77
advertisement