Release Notes for Patch 86241-10


Patch Release Note

Patch 86241-10

For Rapier Switches

Introduction

This patch release note lists the issues addressed and enhancements made in patch 86241-10 for Software Release 2.4.1 on existing models of Rapier L3 managed switches. Patch file details are listed in Table 1.

Table 1: Patch file details for Patch 86241-10.

Base Software Release File: 86s-241.rez
Patch Release Date: 20-June-2003
Compressed Patch File Name: 86241-10.paz
Compressed Patch File Size: 1171504 bytes

This release note should be read in conjunction with the following documents:

Release Note: Software Release 2.4.1 for Rapier Switches (Document Number C613-10338-00 Rev A), available from www.alliedtelesyn.co.nz/documentation/documentation.html.

Rapier Switch Documentation Set for Software Release 2.4.1, available on the Documentation and Tools CD-ROM packaged with your switch, or from www.alliedtelesyn.co.nz/documentation/documentation.html.

WARNING: Using a patch for a different model or software release may cause unpredictable results, including disruption to the network. Information in this release note is subject to change without notice and does not represent a commitment on the part of Allied Telesyn International. While every effort has been made to ensure that the information contained within this document and the features and changes described are accurate, Allied Telesyn International can not accept any type of liability for errors in, or omissions arising from the use of this information.


Some of the issues addressed in this Release Note include a level number. This number reflects the importance of the issue that has been resolved. The levels are:

Level 1: This issue will cause significant interruption to network services, and there is no work-around.

Level 2: This issue will cause interruption to network service, however there is a work-around.

Level 3: This issue will seldom appear, and will cause minor inconvenience.

Level 4: This issue represents a cosmetic change and does not affect network operation.

Features in 86241-10

Patch 86241-10 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 03616 Module: IPG Level: 4

Three new commands have been added to enable and disable transmission of the following ICMP messages: Network Unreachable, Host Unreachable, and all Redirect messages.

The commands are:

DISABLE IP ICMPREPLY[={ALL|NETUNREACH|HOSTUNREACH|REDIRECT}]

ENABLE IP ICMPREPLY[={ALL|NETUNREACH|HOSTUNREACH|REDIRECT}]

SHOW IP ICMPREPLY

For details, see “Enable and Disable ICMP Messages” on page 41.

PCR: 02466 Module: USER Level: 4

Users authenticated by RADIUS can now be assigned USER, MANAGER, or SECOFF (Security Officer) privilege levels. Previously, users could only be assigned USER.

The serviceType Attribute-Value pair is used to determine the privilege level assigned to the user after successful authentication (Table 2).

Table 2: RADIUS serviceType and privilege levels

RADIUS serviceType Value                                   Assigned Privilege Level
NAS-Prompt (7)                                             MANAGER
Administrative (6)                                         SECOFF
Any other value, or no serviceType attribute-value pair    USER
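The mapping in Table 2 applied to a RADIUS Access-Accept, as an added example that is not Allied Telesyn code: it walks the attribute list, checks the Response Authenticator defined in RFC 2865 so that an altered reply cannot carry Administrative (6), and returns the privilege level. Treating a duplicated or wrongly sized Service-Type as USER is an assumption, as are the function names and the constructed sample packets.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
ATTR_SERVICE_TYPE = 6    # Service-Type attribute type (RFC 2865)

# Table 2 of this release note: Service-Type value -> privilege level.
PRIVILEGE_BY_SERVICE_TYPE = {7: "MANAGER", 6: "SECOFF"}
DEFAULT_PRIVILEGE = "USER"


def iter_attributes(packet: bytes):
    """Yield (type, value) pairs, rejecting lengths that do not add up."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    (length,) = struct.unpack_from("!H", packet, 2)
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # The attribute length includes the type and length bytes.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    (length,) = struct.unpack_from("!H", packet, 2)
    return hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()


def privilege_from_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """Return USER, MANAGER or SECOFF for a verified Access-Accept."""
    attrs = list(iter_attributes(packet))      # validates every length first
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    expected = response_authenticator(packet, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    values = [v for t, v in attrs if t == ATTR_SERVICE_TYPE]
    # Assumption: a duplicated or wrongly sized Service-Type is handled like
    # "no serviceType attribute-value pair", i.e. the lowest privilege.
    if len(values) != 1 or len(values[0]) != 4:
        return DEFAULT_PRIVILEGE
    (service_type,) = struct.unpack("!I", values[0])
    return PRIVILEGE_BY_SERVICE_TYPE.get(service_type, DEFAULT_PRIVILEGE)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Build a constructed Access-Accept (sample data for the demo)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    packet = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body
    return packet[:4] + response_authenticator(packet, request_auth, secret) + body


if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))   # constructed values
    for st in (7, 6, 1):
        pkt = build_access_accept(
            1, req_auth, secret,
            [(1, b"alice"), (ATTR_SERVICE_TYPE, struct.pack("!I", st))])
        print(st, privilege_from_access_accept(pkt, req_auth, secret))
```

Because Service-Type can now grant SECOFF, the RADIUS server's reply policy for this switch decides who becomes a Security Officer and is worth reviewing alongside the patch.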

Patch 86241-10 for Software Release 2.4.1

C613-10340-00 REV K


PCR: 02510 Module: SWI Level: 4

Support has been added for enabling flow control on half duplex links. The ENABLE SWITCH PORT command configures the switch chip to send a jamming signal over a half duplex link in response to congestion. The following commands configure flow control:

DISABLE SWITCH PORT={port-list|ALL}

DISABLE SWITCH PORT=port-list FLOW=PAUSE

DISABLE SWITCH PORT=ALL FLOW={JAMMING|PAUSE}[,...]

ENABLE SWITCH PORT={port-list|ALL}

ENABLE SWITCH PORT=port-list FLOW=PAUSE

ENABLE SWITCH PORT=ALL FLOW={JAMMING|PAUSE}[,...]

SHOW SWITCH PORT[={port-list|ALL}]

PCR: 03096 Module: VLAN, SWI Level: 2

OSPF and RIP Hello packets were being sent out all trunked ports. Now these Hello packets are only sent out the master port of the trunked group.

PCR: 03109 Module: LOG Level: 3

A log was only partially created if there was insufficient NVS memory for log creation on the router. A change has been made so that a log is not created if there is insufficient memory, and a warning message is displayed.

PCR: 03198 Module: PRI Level: 3

The PRI interface would occasionally take a long time for the ifOperStatus of the interface to become UP. This issue has been resolved.

PCR: 03310 Module: SWI Level: 3

When the VLAN mirror port was configured as a tagged port, the port did not transmit tagged packets. This issue has been resolved.

PCR: 03425 Module: PRI Level: 3

On the AT-AR020 PRI E1/T1 Port Interface Card (PIC), E bits were not transmitted in response to received CRC-4 errors. Also, after a period of Alarm Indication Signal (AIS) reception, Remote Alarm Indication (RAI) transmission was not terminated. These issues have been resolved.

PCR: 03447 Module: PPP Level: 2

A remotely assigned IP address on a PPP interface was not always released when the connection timed out. This issue has been resolved.

PCR: 03501 Module: IPG Level: 1

A fatal error occurred when DNS relay received a query if the transaction ID was zero. This issue has been resolved.

PCR: 03572 Module: STP Level: 4

The dot1dStpPortForwardTransitions value in the dot1dBridge MIB was not correctly incremented when STP transitioned a port to the forwarding state. This issue has been resolved.


PCR: 03574 Module: STP Level: 4

The dot1dStpInfoTopChanges value in the dot1dBridge MIB was not correctly incremented when a topology change was detected by the bridge. This issue has been resolved.

PCR: 03576 Module: IPG Level: 2

When the device received a route from two separate sources to the same destination network, RIP only used the metric value when selecting the best route. RIP now selects the route by lowest preference value, or if they are the same, by the metric.

PCR: 03579 Module: IPG Level: 1

When IGMP memberships were created at Layer 3 from multicast data, an IGMP Membership Leave message removed all ports from the specified group. This issue has been resolved.

PCR: 03582 Module: FIREWALL, IPG Level: 4

Previously, when the ADD FIREWALL POLICY INTERFACE command activated software routing, the static IP ARP entries were removed automatically. Static IP ARP entries now remain and the following message is displayed:

WARNING: Static ARPs associated with a particular VLAN are recommended to be deleted when Firewall is enabled on the VLAN.

PCR: 03584 Module: MLD Level: 3

MLD had no mechanism for dealing with an IPv6 interface changing its local link address. This issue has been resolved.

PCR: 03601 Module: VLAN Level: 4

VLAN MIB multicast and broadcast counters were incremented incorrectly. This issue has been resolved.

PCR: 03609 Module: OSPF Level: 1

The IP route filter did not always work correctly for OSPF. This issue has been resolved.

PCR: 03615 Module: LOAD Level: 3

Zmodem uploads to some terminal emulators did not succeed because the 16-bit checksum was incorrect. This issue has been resolved.

PCR: 03620 Module: IPv6 Level: 3

The 16-bit reserved field after the maximum response code field was not set to zero, as specified by the Internet Draft “Multicast Listener Discovery Version 2 (MLDv2) for IPv6”. This issue has been resolved.

PCR: 03625 Module: STP, SWI Level: 4

The MIB object dot1dStpTimeSinceTopologyChange has been implemented to record when a topology change is detected by the bridge.


PCR: 03631 Module: SWI Level: 4

When a Finisar 8521 GBIC was used in an AT-A42/GBIC uplink module the link LED did not correctly show the link status. This issue has been resolved.

PCR: 03634 Module: SWI Level: 1

When the port speed changed the CPU utilisation increased to 99%. This issue has been resolved.

PCR: 03637 Module: IPv6 Level: 1

IPv6 static tunnels remained in the Tentative state and did not change to the Preferred state. This issue has been resolved.

PCR: 03646 Module: IPv6 Level: 1

A fatal error occurred when the SHOW IPV6 MLD INTERFACE command was executed after the interface had been destroyed. This issue has been resolved.

PCR: 03652 Module: SWI Level: 2

Packet forwarding between switch chips on Rapier 48 switches sometimes failed if ingress rate limiting was set below 1 Mb/s. This was caused by packets receiving a bad hop count between switch chips via the CPU, causing packets to be discarded. This issue has been resolved.

PCR: 03655 Module: SWI Level: 3

A port was deleted when it was removed from a VLAN. This issue has been resolved.

PCR: 03662 Module: IPG Level: 1

Equal Cost Multi-Path (ECMP) routing selected a route with an infinite metric, so that forwarded packets using that route were discarded. This issue has been resolved.

Features in 86241-09

Patch file details are listed in Table 3:

Table 3: Patch file details for Patch 86241-09.

Base Software Release File: 86s-241.rez
Patch Release Date: 28-May-2003
Compressed Patch File Name: 86241-09.paz
Compressed Patch File Size: 1144643 bytes

Patch 86241-09 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:


PCR: 03083 Module: SWI, BRG, PRI, VLAN

Rapier Series switches can now bridge traffic from a single VLAN to a remote device via a WAN connection. For details, see “Overview of Remote Bridging” on page 43.

PCR: 03130 Module: VLAN, SWI

A new feature, protected ports, has been added to the Rapier 24i. Protected ports provide complete layer 2 isolation between ports. For details, see “Protected Ports” on page 77.

PCR: 03355 Module: IPV6 Level: 2

IPv6 tunnelling over IPv4 failed if an IPv4 interface was not configured, even though an IPv4 interface is not needed for IPv6 tunnelling. This issue has been resolved.

PCR: 03380 Module: IPG Level: 2

Some memory loss was occurring in the Ping module, and with DNS relay. This issue has been resolved.

PCR: 03499 Module: IPG Level: 2

The SET TIME command caused an error on Refresh timers for IGMP groups. This issue has been resolved.

PCR: 03514 Module: IPSEC Level: 2

An incorrect IPSec Security Association (SA) was used to transmit packets when the SA’s IP address was assigned dynamically on another VPN gateway. This issue has been resolved.

PCR: 03532 Module: FIREWALL Level: 3

Occasionally the TCP connection was terminated early during an IDENT proxy TCP session. This issue has been resolved.

PCR: 03537 Module: BGP Level: 3

BGP was returning incorrect and/or incomplete bgp4AttrPath MIB entry information. This issue has been resolved.

PCR: 03541 Module: MLD Level: 3

MLD Snooping flooded VLANs with packets already switched by hardware. This issue has been resolved. Also, MLD Done messages were flooded on all ports. These messages are now only forwarded to the subset of ports required by MLD Snooping.

PCR: 03544 Module: HTTP, FIREWALL Level: 3

HTTP proxy was not denying an IP address if its corresponding domain name was specified in a filter, or if a domain name was requested and its corresponding IP address was in the filter. This issue has been resolved.

PCR: 03547 Module: DHCP Level: 3

The range of values for the IPMTU parameter in the ADD DHCP POLICY command was set incorrectly in PCR 03465. The correct range is 576-65535, not 579-65535. This issue has been resolved.


PCR: 03540 Module: MLD Level: 2

MLD snooping denied Report packets if their Time to Live was greater than 1. This should not happen with IPv6 MLD. This issue has been resolved.

PCR: 03548 Module: SWI Level: 2

Trunked ports operated incorrectly when a link became the backup link in the trunk group. This issue has been resolved.

PCR: 03549 Module: IPV6 Level: 3

IPv6 filters were not working correctly when the last entry of a filter was altered using the SET IPV6 FILTER command. This issue has been resolved.

PCR: 03554 Module: FIREWALL Level: 3

When a dynamic public firewall interface was UP it was not possible to delete any (non-dynamic) public interface rules. Also, under the same circumstances it was possible to create duplicates of public interface rules (with the same rule ID number). These issues have been resolved.

PCR: 03562 Module: IPV6 Level: 3

Disabling and then enabling IPv6 made the CREATE IPV6 INTERFACE=VLAN command appear twice in the configuration script. This issue has been resolved.

PCR: 03565 Module: BGP Level: 2

A fatal error occurred after executing the SET BGP PEER command when a BGP session was established with more than 15 communities defined. This issue has been resolved.

PCR: 03568 Module: IPV6 Level: 3

IPv6 filters were not handling ICMPv6 packets correctly. This issue has been resolved.

PCR: 03571 Module: IPG Level: 3

The Proxy Arp default setting should be OFF for VLAN interfaces. This issue has been resolved.

PCR: 03586 Module: SWI Level: 2

During remote bridging, Rapier Series switches sometimes suffered a fatal error when updating the hardware ARL table. This issue has been resolved.


Features in 86241-08

Patch file details are listed in Table 4:

Table 4: Patch file details for Patch 86241-08.

Base Software Release File: 86s-241.rez
Patch Release Date: 13-May-2003
Compressed Patch File Name: 86241-08.paz
Compressed Patch File Size: 470288 bytes


Patch 86241-08 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 02465 Module: TTY Network affecting: No

Under some circumstances a fatal error occurred if a large amount of data was pasted onto the command line. This issue has been resolved.

PCR: 02583 Module: FIREWALL Level: 2

UDP packets passed through the firewall by a reverse enhanced NAT rule were getting an incorrect IP checksum. This caused IP to discard the packets. This issue has been resolved.

PCR: 03059 Module: FIREWALL Level: 2

SMTP proxy was falsely detecting third party relay under some circumstances. This issue has been resolved.

PCR: 03199 Module: IPV6 Level: 3

RIPng was receiving invalid routes and packets. This issue has been resolved.

PCR: 03241 Module: FIREWALL Level: 2

When deleting a list associated with a policy, all rules were being deleted. Now only the rules associated with the policy and list are deleted.

PCR: 03299 Module: IKMP Level: 2

Under some circumstances, ISAKMP suffered a fatal error if more than 8 SA proposals were presented. This issue has been resolved.

PCR: 03328 Module: PORT Level: 2

In the start up configuration file, executing the SET MANAGER ASYN=0 command logged in a user without authentication via TACACS+ when TACACS+ had been enabled. This issue has been resolved.

PCR: 03333 Module: IPG Level: 3

After VRRP was enabled, the link status of the switch ports was shown as UP, even if there was no connection to the ports. This issue has been resolved.

PCR: 03365 Module: PPP Level: 3

During PPPoE TCP MSS clamping, a fatal error occurred if a TCP packet with an invalid zero-length option was encountered. This issue has been resolved.
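A defensive way to walk TCP options while clamping the MSS of a SYN, as an added example that is not the switch firmware's code and makes no claim about the cause of the fault fixed in PCR 03365: every option length is validated before it is used, so a zero-length option is rejected rather than followed. The function names, the 1412-byte clamp value and the constructed SYN headers are assumptions.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02


class MalformedTcpOptions(ValueError):
    """The option list cannot be walked safely; the caller should drop the segment."""


def find_mss_option(options: bytes):
    """Return the offset of the 2-byte MSS value inside `options`, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:      # end of option list
            return None
        if kind == TCP_OPT_NOP:      # one-byte padding, has no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise MalformedTcpOptions("option %d has no length byte" % kind)
        length = options[i + 1]
        # The length counts the kind and length bytes themselves, so values
        # below 2 are invalid; advancing by 0 would also never terminate.
        if length < 2 or i + length > len(options):
            raise MalformedTcpOptions("option %d has bad length %d" % (kind, length))
        if kind == TCP_OPT_MSS:
            if length != 4:
                raise MalformedTcpOptions("MSS option has length %d" % length)
            return i + 2
        i += length
    return None


def checksum_replace16(checksum: int, old: int, new: int) -> int:
    """Incrementally update an Internet checksum (RFC 1624, equation 3)."""
    total = (~checksum & 0xFFFF) + (~old & 0xFFFF) + new
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def clamp_syn_mss(segment: bytes, max_mss: int) -> bytes:
    """Lower the MSS advertised in a TCP SYN to max_mss; other segments pass unchanged."""
    if len(segment) < 20:
        raise MalformedTcpOptions("shorter than a TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise MalformedTcpOptions("bad data offset")
    if not segment[13] & TCP_FLAG_SYN:
        return segment
    rel = find_mss_option(segment[20:header_len])
    if rel is None:
        return segment
    pos = 20 + rel
    (mss,) = struct.unpack_from("!H", segment, pos)
    if mss <= max_mss:
        return segment
    out = bytearray(segment)
    struct.pack_into("!H", out, pos, max_mss)
    # The MSS value can straddle two aligned 16-bit words, so adjust the
    # checksum for every aligned header word that changed.
    (checksum,) = struct.unpack_from("!H", segment, 16)
    for off in range(20, header_len, 2):
        (old,) = struct.unpack_from("!H", segment, off)
        (new,) = struct.unpack_from("!H", out, off)
        if old != new:
            checksum = checksum_replace16(checksum, old, new)
    struct.pack_into("!H", out, 16, checksum)
    return bytes(out)


def build_syn(options: bytes) -> bytes:
    """Constructed sample SYN header. Its checksum covers the header only; the
    pseudo-header is left out because clamping never changes it."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, TCP_FLAG_SYN, 65535, 0, 0)
    seg = bytearray(hdr + options)
    total = sum(struct.unpack("!%dH" % (len(seg) // 2), seg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    struct.pack_into("!H", seg, 16, ~total & 0xFFFF)
    return bytes(seg)


if __name__ == "__main__":
    good = build_syn(bytes([2, 4, 0x05, 0xB4, 1, 1, 1, 0]))   # MSS 1460
    print(struct.unpack_from("!H", clamp_syn_mss(good, 1412), 22)[0])
    try:
        clamp_syn_mss(build_syn(bytes([8, 0, 0, 0, 2, 4, 0x05, 0xB4])), 1412)
    except MalformedTcpOptions as exc:
        print("rejected:", exc)
```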

PCR: 03377 Module: CORE, LOG Level: 3

Syslog messages were not being sent at startup. This issue has been resolved.

PCR: 03380 Module: PING Level: 3

Some memory loss was occurring in the Ping module. This issue has been resolved.

PCR: 03390 Module: HTTP Level: 2

Occasionally a fatal error occurred when the GUI browser started or a page was refreshed. This issue has been resolved.


PCR: 03392 Module: IPSEC, IKMP Level: 3

IPV4 is the default for the IPVERSION parameter in the CREATE IPSEC POLICY and CREATE ISAKMP POLICY commands. This default was unnecessarily displayed in the SHOW CONFIGURATION DYNAMIC command output. This issue has been resolved.

PCR: 03396 Module: ETH Level: 3

Some memory was lost on the AT-AR022 ETH PIC when hotswapping. This issue has been resolved.

PCR: 03405 Module: STREAM Level: 2

The reconnection to the stream printing TCP port failed after a single successful connection was made. This issue has been resolved.

PCR: 03407 Module: IPG Level: 3

The default for the PROXYARP parameter in the SET IP INTERFACE command for a VLAN interface was OFF. The default is now ON.

PCR: 03409 Module: SWI Level: 2

The switch filter was not operating correctly after a boot cycle. This issue has been resolved.

PCR: 03416 Module: SWI Level: 3

Previously, the ADD SWITCH L3FILTER MATCH command was accepted if the TYPE parameter was not specified. This command now requires the TYPE parameter, and an error message will be returned if the TYPE parameter is not specified.

PCR: 03420 Module: IPG, SWI Level: 3

It is now possible to prevent specified ports from acting as IGMP all-group ports, and specify which ports are allowed to behave as all-group entry ports. This is enabled with the ENABLE IP IGMP ALLGROUP command, and disabled with the DISABLE IP IGMP ALLGROUP command.

For details, see “IGMP Snooping All-Group Entry” on page 82.

PCR: 03422 Module: PIM Level: 3

When forwarding a multicast packet to a downstream neighbour, the device sometimes forwarded two copies of the packet instead of one. This issue has been resolved.

PCR: 03432 Module: STP Level: 2

STP settings were not retained when a port was deleted from the VLAN that the STP belongs to. This issue has been resolved.

PCR: 03436 Module: IP, DHCP Level: 2

When the device was acting as a DHCP client and the DHCP server provided a gateway address, a statically configured default route was deleted and replaced with a default route with the provided gateway address. The correct behaviour is to only delete a dynamic default route in this situation. This issue has been resolved; the correct behaviour is now applied.


PCR: 03438 Module: DHCP Level: 3

A warning message will now appear if the DESTROY DHCP POLICY command is executed for a DHCP policy that has been used by one or more policies as the source of their configuration information. A parent policy can be destroyed with no effect on its child policies.

The new message is:

The destroyed policy <policy-name> has been used by another policy as a source of configuration information.

PCR: 03439 Module: IPX Level: 3

The IPX traffic filter match counter was not incremented if a route was cached. This issue has been resolved.

PCR: 03440 Module: CORE Level: 3

Support has been added for the new 8724-80 and 8748-80 switches.

PCR: 03441 Module: L2TP Level: 2

PPP configured on an L2TP access concentrator (LAC) should be dynamic. If PPP was incorrectly configured to be static, the static PPP was destroyed when the L2TP tunnel was formed so that only the first connection succeeded. This issue has been resolved so that an L2TP tunnel is not created if the PPP is static.

PCR: 03442 Module: FIREWALL Level: 2

FTP data transfers did not succeed for some types of NAT. Also, the presence of flow control TCP flags led to some TCP control packets not being recognised. Both issues have been resolved.

PCR: 03444 Module: FR Level: 3

The CIR and CIRLIMITED parameters in the SET FRAMERELAY DLC command now regulate the behaviour of the transmission rate. Previously, the transmission rate did not reflect changes to the CIR setting if the new CIR was higher than the old CIR (provided that the new CIR is within the physical maximum of the network and the hardware), or changes to the CIRLIMITED setting if CIRLIMITED was turned ON then OFF. This issue has been resolved.

PCR: 03457 Module: OSPF Level: 2

Disabling OSPF caused a fatal error if there was a large routing table. This issue has been resolved.

PCR: 03461 Module: IPG Level: 3

The ENABLE IP MVR DEBUG=ALL command was erroneously shown in the output of the SHOW CONFIG DYNAMIC=IP command. This SHOW output no longer includes the ENABLE IP MVR DEBUG=ALL entry.

PCR: 03465 Module: DHCP Level: 3

The IPMTU parameter in the ADD DHCP POLICY command was accepting values in the range 0-4294967295. This parameter now accepts values in the correct range of 579-65535.


PCR: 03467 Module: IPG Level: 3

An invalid message appeared when the PORT parameter was specified for the ADD IP ROUTE command. This issue has been resolved.

PCR: 03473 Module: PIM, PIM6 Level: 3

The SET LAPD MODE=NONAUTOMATIC command did not change the LAPD mode from automatic to non-automatic. This issue has been resolved.

PCR: 03475 Module: NTP Level: 3

The PURGE NTP command did not change the UTC offset to the initialised value. This issue has been resolved.

PCR: 03477 Module: MLD Level: 2

When MLD snooping timed out, entries were not being fully deleted. This issue has been resolved.

PCR: 03484 Module: FIREWALL Level: 3

The firewall was not denying an ICMP packet, even if ICMP Forwarding was disabled when using Standard NAT. This issue has been resolved.

PCR: 03486 Module: SWI Level: 2

Occasionally the switch did not forward packets between two VLANs. This issue has been resolved.

PCR: 03492 Module: HTTP, LOAD Level: 2

Some memory loss occurred when loading a file via HTTP. This issue has been resolved.

PCR: 03496 Module: IPG Level: 2

Sometimes CPU utilisation reached its maximum limit when an IGMP Membership Report was received. This issue has been resolved.

PCR: 03505 Module: SWI Level: 3

The layer 3 filter did not operate on SNMP packets with both source and destination ports specified. This issue has been resolved.

PCR: 03508 Module: DHCP Level: 2

When the DHCP server received multiple Decline packets for a single entry, that entry got stuck in the Reclaim state, and repeated Reclaim attempts caused a broadcast storm. This issue has been resolved.

PCR: 03512 Module: SNMP Level: 3

SNMP was not counting OutPkts. This issue has been resolved.

PCR: 03525 Module: IPG Level: 2

When switching IGMP packets, a packet’s source MAC address was sometimes overwritten. This issue has been resolved.


Features in 86241-07

Patch file details are listed in Table 5:

Table 5: Patch file details for Patch 86241-07.

Base Software Release File: 86s-241.rez
Patch Release Date: 23-Apr-2003
Compressed Patch File Name: 86241-07.paz
Compressed Patch File Size: 966631 bytes

Patch 86241-07 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 02219 Module: SWI Level: 2

The layer 3 filter sometimes did not compare entries correctly. This may have meant that layer 3 filters did not work as expected all of the time. This issue has been resolved.

PCR: 02404 Module: IPG Network affecting: No

DVMRP multicast forwarding failed to send tagged packets to a tagged port. Packets were erroneously sent untagged to tagged ports. This issue has been resolved.

PCR: 02569 Module: IPV6 Level: 2

IPv6 was not sending some packets (such as Router Advertisements) at startup, which meant that IPv6 did not function correctly. This issue has been resolved.

PCR: 02571 Module: IP Level: 3

A fatal error occurred if the IP module was reset after the ADD IP EGP command was executed. This issue has been resolved.

PCR: 03015 Module: SWI Network affecting: No

When ports were added to a trunk group on a Rapier 16, the ports operated in the wrong duplex mode. This issue has been resolved.

PCR: 03026 Module: IPG Network affecting: No

After setting the IGMP query timer with the SET IP IGMP command, and saving the configuration, the IGMP Other Querier timeout was not set to the correct value after a restart. This issue has been resolved.

PCR: 03029 Module: SWI Network affecting: No

Layer 3 filtering was not correctly modifying a packet's IPDSCP field. This issue has been resolved.

PCR: 03031 Module: FIREWALL Network affecting: No

The ADD FIREWALL POLICY RULE command included an erroneous check on port ranges for non-NAT rules. This check is now restricted to NAT rules.


PCR: 03037 Module: QOS Network affecting: No

A new value is now shown in the output of the SHOW QOS POLICY command. This is the value of the port bandwidth used when the default traffic class percentage bandwidth is set on a QoS Policy.

PCR: 03040 Module: IPG Network affecting: No

Sometimes IP flows were not deleted correctly when both directions of the flow were in use. This issue has been resolved.

PCR: 03050 Module: ETH Level: 3

When an Ethernet port received a MAC Control PAUSE frame it did not stop transmitting packets for a short period of time, as specified in the IEEE 802.3 Ethernet standard. This issue has been resolved.

PCR: 03061 Module: LOAD Network affecting: No

When starting a load that failed, a flash compaction could not be started manually. This issue has been resolved.

PCR: 03067 Module: DHCP Level: 1

When replying to a DHCP REQUEST that had passed through a DHCP relay, the broadcast bit of DHCP NAK messages was not being set. This issue has been resolved in accordance with RFC2131.

PCR: 03068 Module: SWI, QOS Level: 2

The SET QOS HWPRIORITY and SET QOS HWQUEUE commands were not accepting all parameters correctly. This meant that the HWPRIORITY and HWQUEUE commands could not be modified with the associated SET command, but had to be made in the configuration script. This issue has been resolved.

PCR: 03069 Module: SWI Level: 1

An issue with Secure Shell clients not being able to connect to a Secure Shell server unless 3DES was installed on both the client and the server has been resolved.

PCR: 03089 Module: CORE Level: 4

The SET SYSTEM NAME command was accepting character strings greater than the limit of 80 characters. This issue has been resolved.

PCR: 03094 Module: STP, VLAN Level: 3

The VLAN membership count for STP ports was incorrect in the default configuration. This issue has been resolved.

PCR: 03111 Module: FIREWALL Level: 1

TCP sessions could fail if the public side of the firewall was using Kerberos and the private side had a very slow connection to the firewall. This issue has been resolved.

PCR: 03116 Module: FIREWALL Level: 2

An error sometimes occurred in the firewall module under heavy FTP or RTSP traffic loads. This issue has been resolved.


PCR: 03119 Module: CLASSIFIER Level: 4

TCP source and TCP destination ports were swapped when viewed in the GUI. This issue has been resolved.

PCR: 03120 Module: ETH, IPG Level: 4

The SHOW IP INTERFACE command was showing ETH interfaces as up at startup, when SHOW INTERFACE and SHOW ETH STATE had them as down. This issue has been resolved.

PCR: 03132 Module: SWITCH Level: 2

Classifiers that were added to hardware filters were not applied to the hardware. This issue has been resolved.

PCR: 03134 Module: TCP Level: 2

When using the SET TELNET LISTENPORT command, a fatal error sometimes occurred. This issue has been resolved.

PCR: 03139 Module: IPV6 Level: 3

The SHOW IPV6 INTERFACE command was not displaying the link layer address and EUI when the interface was down. This issue has been resolved.

PCR: 03144 Module: CURE Level: 4

Users with either USER or MANAGER level privilege can now execute the STOP PING and STOP TRACE commands. Previously, MANAGER privilege was needed to execute these commands.

PCR: 03145 Module: IPG Level: 4

The SET IP ROUTE FILTER command was not processing some parameters. This issue has been resolved.

PCR: 03146 Module: PORT Level: 4

The PAGE parameter in the SET ASYN command now only accepts numeric values between 0 and 99, ON or OFF, and TRUE or FALSE.

PCR: 03147 Module: BGP Level: 4

When the DISABLE BGP DEBUG command was used, debugging messages were still being displayed by the BGP module. This issue has been resolved.

PCR: 03148 Module: IPG Level: 3

If the Gratuitous ARP feature was enabled on an IP interface, and an ARP packet (either an ARP request or a reply) arrived that had a Target IP address equal to the Sender IP address, then the ARP cache was not updated with the ARP packet’s source data. This issue has been resolved.

PCR: 03150 Module: FIREWALL Level: 3

The CREATE FIREWALL POLICY command was not checking for valid name entries, so invalid printing characters could be used for policy names. This issue has been resolved.


PCR: 03152 Module: IPG Level: 3

An additional check has been added to validate the MASK specified in an ADD IP ROUTE command. The check tests that the mask is contiguous.

PCR: 03154 Module: PCI Level:

The SHOW IP MVR command output was showing dynamic members in the incorrect column. This issue has been resolved.

PCR: 03157 Module: IPV6 Level: 3

When changing the ACTION parameter between INCLUDE and EXCLUDE on IPV6 filters the interface information was not preserved between changes. The interface information is now preserved.

PCR: 03159 Module: SWI Level: 2

Switch trunk speed checks only checked for gigabit settings, not speed capabilities. It is now possible for uplink modules which support 10, 000 and gigabit speed to attach to trunks where speeds are 10Mb/s or 100Mb/s.

PCR: 03169 Module: IPV6 Level: 2

Duplicate Address Detection (DAD) was not sent on VLAN interfaces. This issue has been resolved.

PCR: 03171 Module: DVMRP, IPG Level: 3

DVMRP was erroneously forwarding packets to a VLAN with a downstream neighbour. This issue has been resolved.

PCR: 03177 Module: IPG Level: 3

Deleting an IP MVR group range would only delete the last IP address of the range from the multicast table, not the entire range. This issue has been resolved.

PCR: 03180 Module: IPG Level: 3

If all 32 VLAN interfaces had IP addresses attached, only 31 VLANs could be multihomed. Now all 32 VLAN interfaces with IP addresses can be multihomed.

PCR: 03184 Module: USER Level: 4

An extra character was erroneously displayed in the output of the SHOW LOG command when Remote Security Officer was enabled from a configuration script. This issue has been resolved.

PCR: 03186 Module: CORE, FFS, TTY Level: 3

When the QUIT option was chosen after the SHOW DEBUG command was executed, the output did not immediately stop. This issue has been resolved, but there may be a short delay before the command prompt reappears.

PCR: 03196 Module: IPV6 Level: 3

The system became unstable if the ADD IPV6 TUNNEL command failed. This instability was caused by the partially created tunnel entry not being properly removed from the tunnel database. The tunnel entry is now completely removed.


PCR: 03202 Module: CORE Level: 3

There are two sources of time kept in the device: the real time clock, and the milliseconds since midnight (msSinceMidnight). The msSinceMidnight can reach midnight slightly before the real time clock, which means that the value of msSinceMidnight becomes larger than the number of milliseconds in a day. This meant that at midnight, the elapsed time since the time-to-live value for the Firewall and IP-NAT TCP sessions appeared very large, and Firewall and IP-NAT sessions were prematurely aged out. This issue has been resolved by pausing the msSinceMidnight variable at midnight to wait for the real time clock to catch up.
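A minimal model of the failure described in PCR 03202, added here as an illustration and not taken from the switch software. The 32-bit unsigned arithmetic, the 300 ms lead of the counter over the real time clock, the one-hour TTL and all function names are assumptions.

```python
MS_PER_DAY = 24 * 60 * 60 * 1000   # 86,400,000 ms
U32_MASK = 0xFFFFFFFF              # assumption: timers are 32-bit unsigned values


def ms_counter(rtc_ms_of_day: int, lead_ms: int, pause_at_midnight: bool) -> int:
    """Value of msSinceMidnight while the real time clock still shows the old day.

    The counter runs lead_ms ahead of the RTC. Without the pause it can
    exceed MS_PER_DAY; with the pause it waits just below midnight.
    """
    raw = rtc_ms_of_day + lead_ms
    if pause_at_midnight:
        return min(raw, MS_PER_DAY - 1)
    return raw


def elapsed_ms(now: int, stamp: int) -> int:
    """Elapsed time between a session's last-activity stamp and now.

    A stamp later than 'now' is treated as taken on the previous day.
    If the stamp itself is above MS_PER_DAY the subtraction underflows,
    which in unsigned arithmetic yields a value close to 2**32.
    """
    if now >= stamp:
        return now - stamp
    return (now + MS_PER_DAY - stamp) & U32_MASK


def aged_out(now: int, stamp: int, ttl_ms: int) -> bool:
    """True when the session has been idle for longer than its TTL."""
    return elapsed_ms(now, stamp) > ttl_ms


def session_survives_midnight(pause_at_midnight: bool,
                              lead_ms: int = 300,
                              ttl_ms: int = 3_600_000) -> bool:
    """Refresh a session 100 ms before RTC midnight, check it 100 ms after."""
    stamp = ms_counter(MS_PER_DAY - 100, lead_ms, pause_at_midnight)
    now = 100  # counter restarted from zero when the RTC rolled over
    return not aged_out(now, stamp, ttl_ms)


if __name__ == "__main__":
    for pause in (False, True):
        print("pause at midnight:", pause,
              "-> session kept:", session_survives_midnight(pause))
```

In this model a session that was idle for 200 ms is reported as idle for roughly 49.7 days when the counter is allowed to overshoot, and for 101 ms when it is paused.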

PCR: 03203 Module: IPV6 Level: 3

RIPng was not sending a response back to a RIP request message. This issue has been resolved.

PCR: 03208 Module: FIREWALL Level: 2

When the configuration script was created using the CREATE CONFIG command, the GBLIP parameter in the ADD FIREWALL POLICY command was listed twice. This caused the command to fail when the device was restarted. This issue has been resolved.

PCR: 03211 Module: SWI Level: 2

When the MARL table had been fully populated, the addition of another multicast group caused an entry to be deleted, and the new entry was not added. This issue has been resolved so that no more groups can be added when the table is full.

PCR: 03212 Module: IPV6 Level: 3

The TRACE command was not working when using an IPv6 link-local address. This issue has been resolved.

PCR: 03213 Module: IPSEC Level: 3

A memory leak occurred when some IPSEC processes failed. This issue has been resolved.

PCR: 03217 Module: DVMRP Level: 2

If a DVMRP interface was deleted and then added again, DVMRP routes associated with this interface were not reactivated. This issue has been resolved.

PCR: 03219 Module: IPG Level: 2

The IGMP group entry timer was not decreasing when UDP data kept arriving for the group. This issue has been resolved.

PCR: 03236 Module: IPG Level: 3

IGMP queries were being sent after IGMP was disabled. This issue has been resolved.

PCR: 03237 Module: IPG Level: 2

RIP Request packets for IPv4 were not being transmitted when the link came up or when the switch restarted. This issue has been resolved.

Patch 86241-10 for Software Release 2.4.1

C613-10340-00 REV K

PCR: 03240 Module: OSPF Level: 2

A fatal error occurred when OSPF was under high load. This issue has been resolved.

PCR: 03247 Module: MVR Level: 4

The Joins and Leaves counters in the SHOW IP MVR COUNTER command output did not count subsequent join or leave requests after the first join or leave. This issue has been resolved.

PCR: 03256 Module: MLD Level: 3

MLD did not respond correctly when it was in exclude mode and it received a request block. This issue has been resolved.

PCR: 03268 Module: SWI Level:

When using MVR on a Rapier 48 or Rapier 48i, multicast packets were not forwarded correctly between ports 1-24 and 25-48. This issue has been resolved.

PCR: 03269 Module: IPG Level: 4

IGMP reports sometimes contained errors because of MVR. This issue has been resolved.

PCR: 03282 Module: FIREWALL Level: 3

The DISABLE FIREWALL POLICY PING command was stopping private ping flow through the device when ICMP Forwarding and NAT were enabled. This issue has been resolved.

PCR: 03283 Module: SWI Level: 3

The RESET SWITCH PORT COUNTER command was clearing all learned MAC addresses for the specified port. This command should only reset the switch port’s counters. This issue has been resolved.

PCR: 03285 Module: IPG Level: 4

RIP packets can now contain up to 25 routes per packet instead of 24.

PCR: 03287 Module: Firewall Level: 2

When the firewall was set to ACTION=NAT, it was allowing inbound traffic (for example, FTP) even though a port was specified for a particular application (for example, Telnet). This issue has been resolved.

PCR: 03292 Module: IP Level: 3

When adding static routes with the ADD IP ROUTE command, the order of the route in the route table was the reverse of the order entered. This issue has been resolved.

PCR: 03293 Module: PPP Level: 3

The MAXSESSION parameter of the SET PPP ACSERVICE command could not be changed when the service was defined over a VLAN. This issue has been resolved.

PCR: 03296 Module: IPG Level: 2

Broadcast TCP packets were being processed by the device, causing fatal errors when firewall SMTP Proxy was configured. Non-unicast TCP packets are now dropped by IP.

PCR: 03297 Module: PIM Level: 2

The Designated Router (DR) of the PIM interface was not resetting when the RESET PIM INTERFACE command was executed. This issue has been resolved.

PCR: 03298 Module: FIREWALL Level: 3

The SHOW FIREWALL POLICY command was not showing the correct debugging items, as set with the ENABLE FIREWALL POLICY DEBUG command. This issue has been resolved.

PCR: 03300 Module: FIREWALL Level: 3

Firewall rules were not being applied to broadcast packets received on a public interface. This issue has been resolved.

PCR: 03301 Module: IPG Level: 3

Packets processed by the firewall were not having their TTL decremented. This issue has been resolved.

PCR: 03302 Module: SWI Level: 3

Following a period of high traffic load, the CPU utilisation would occasionally fail to drop below 40%. This issue has been resolved.

PCR: 03303 Module: PIM Level: 3

The PIM Designated Router (DR) is now elected over an entire VLAN interface, rather than on a per-port basis.

PCR: 03306 Module: IPG Level: 3

IGMP Proxy was setting a delay timer of 1-100 seconds when replying to an IGMP query with a requested maximum delay of 10 seconds. This issue has been resolved.

PCR: 03307 Module: IPG Level: 3

IGMP Proxy did not disable the DR status of an existing IGMP interface when that interface became the IGMP Proxy Upstream. IGMP Proxy also did not enable the DR status of an interface when it became anything other than the IGMP Proxy Upstream. These issues have been resolved.

PCR: 03312 Module: IPG Level: 2

RIP packets were discarded when MD5 authentication was used. This issue has been resolved.

PCR: 03314 Module: SWI Level: 2

Layer 3 filters that matched TCP or UDP port numbers were being applied to the second and subsequent fragments of large fragmented packets. This issue has been resolved.
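Only the first fragment of an IP datagram carries the TCP or UDP header, so in later fragments the bytes at the port offset are application payload. The following added example is not Allied Telesyn code; the PortRule type, the function names and the sample packets are constructed for illustration. It compares a matcher that reads ports from every fragment with one that skips fragments whose offset is non-zero.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
MF_FLAG = 0x2000       # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF   # fragment offset, in units of 8 bytes


@dataclass(frozen=True)
class PortRule:        # hypothetical filter entry
    protocol: int
    dst_port: int
    action: str


@dataclass(frozen=True)
class IPv4Info:
    protocol: int
    frag_offset: int
    more_fragments: bool
    payload: bytes


def parse_ipv4(packet: bytes) -> IPv4Info:
    """Parse the IPv4 header fields a port filter needs; reject malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    (total_length,) = struct.unpack_from("!H", packet, 2)
    (frag_field,) = struct.unpack_from("!H", packet, 6)
    if version != 4 or ihl < 20 or not (ihl <= total_length <= len(packet)):
        raise ValueError("malformed IPv4 header")
    return IPv4Info(packet[9], frag_field & OFFSET_MASK,
                    bool(frag_field & MF_FLAG), packet[ihl:total_length])


def _match_ports(info: IPv4Info, rule: PortRule) -> Optional[str]:
    """Compare the first four payload bytes (source and destination port) to the rule."""
    if info.protocol != rule.protocol or len(info.payload) < 4:
        return None
    _src, dst = struct.unpack_from("!HH", info.payload, 0)
    return rule.action if dst == rule.dst_port else None


def naive_match(packet: bytes, rule: PortRule) -> Optional[str]:
    """Reads 'ports' from every fragment, including those with no L4 header."""
    return _match_ports(parse_ipv4(packet), rule)


def fragment_aware_match(packet: bytes, rule: PortRule) -> Optional[str]:
    """Applies the port rule only where a TCP/UDP header is actually present."""
    info = parse_ipv4(packet)
    if info.frag_offset != 0:
        return None  # second or later fragment: no port fields to match
    return _match_ports(info, rule)


def build_ipv4(protocol: int, frag_field: int, payload: bytes) -> bytes:
    """Constructed test packet; header checksum left at zero (not checked here)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         frag_field, 64, protocol, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload


# Constructed sample: one UDP datagram to port 5000, split into two fragments.
# The second fragment's data happens to start with bytes that decode as port 53.
UDP_HEADER = struct.pack("!HHHH", 40000, 5000, 8 + 32, 0)
FRAG1 = build_ipv4(IPPROTO_UDP, MF_FLAG | 0, UDP_HEADER + b"A" * 16)
FRAG2 = build_ipv4(IPPROTO_UDP, 3, struct.pack("!HH", 0x1234, 53) + b"B" * 12)
# Constructed sample: an unfragmented UDP datagram that really is sent to port 53.
TO_PORT_53 = build_ipv4(IPPROTO_UDP, 0, struct.pack("!HHHH", 40000, 53, 12, 0) + b"CCCC")
DENY_DNS = PortRule(IPPROTO_UDP, 53, "deny")

if __name__ == "__main__":
    for name, pkt in (("frag1", FRAG1), ("frag2", FRAG2), ("to-53", TO_PORT_53)):
        print(name, naive_match(pkt, DENY_DNS), fragment_aware_match(pkt, DENY_DNS))
```

The naive matcher reports a match on the second fragment of a datagram that was never addressed to port 53, which is the kind of misapplied rule the PCR describes.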

PCR: 03317 Module: OSPF Level: 2

Enabling OSPF via the GUI sometimes caused a fatal error. This issue has been resolved.

PCR: 03321 Module: DHCP, Q931, TELNET Level: 4

Debugging for DHCP and Q931 was not being disabled when a Telnet session finished. This issue has been resolved.

PCR: 03332 Module: TTY Level: 2

A log message is now created when a user is forced to logout from an asynchronous port when another user (i.e. someone connected via Telnet) resets the asynchronous connection with the RESET ASYN command.

PCR: 03334 Module: MVR Level: 3

The SET IP MVR command now has extra error checking. This is to ensure that if the IMTLEAVE parameter is not specified, the original range of ports set by the CREATE IP MVR command is still contained within the newly specified port range.

PCR: 03336 Module: CORE Level: 4

“AT-A42” was being incorrectly displayed as “AT-A42X-00” in the output of the SHOW SYSTEM command. This issue has been resolved.

PCR: 03345 Module: IPG Level: 4

The RESET IP COUNTER=ALL command was not working correctly when issued from the command line. This issue has been resolved.

PCR: 03346 Module: SNMP Level: 4

Sometimes the Agent Address field in SNMP traps was not the same as the IP source address. This meant that sometimes the NMS did not send an alarm to the network manager when traps were received from switches. This issue has been resolved.

PCR: 03348 Module: SWI Level: 3

The Uplink card sometimes unnecessarily changed its status from UP to DOWN. This issue has been resolved.

PCR: 03350 Module: IP, SWI Level: 3

A fatal error occurred if an IP ARP route entry was deleted after an IP route filter was added while the IP route was equal to zero. This issue has been resolved.

PCR: 03352 Module: PPP Level: 3

The MRU parameter in the SET PPP command was incorrectly handled as an interface parameter when the configuration script was generated. This meant that the OVER parameter was omitted. The MRU parameter is now correctly handled as a link parameter.

PCR: 03353 Module: PPP Level: 3

Dynamic interface details were added through the SET INTERFACE command when the CREATE CONFIGURATION command was executed. This caused errors on startup. This issue has been resolved.

PCR: 03360 Module: STP Level: 4

Typing “?” after SET STP=stp-name at the CLI to request context-sensitive Help only returned the PORT and DEFAULT options. This issue has been resolved so that all options are shown.

PCR: 03363 Module: SWI Level: 2

The MAC address table entry was not removed when a port shifted between VLANs. This issue has been resolved.

PCR: 03370 Module: MVR Level: 4

The output of the SHOW IP MVR COUNTER command has been corrected.

Also, the output of the SHOW IP MVR command has been modified. The new output is shown in Figure 1:

Figure 1: Example output from the modified SHOW IP MVR command

Multicast VLAN
--------------------------------------------------------------------------------
VLAN   Mode         Imtleave   Source Ports   Receiver Ports
       Current Members         Group Address
--------------------------------------------------------------------------------
22     compatible   3          9,10           1-3, 6-7
       1,6                     235.1.1.1
       2,7                     234.1.1.1
3      compatible   8          12,13          4,5,8,9
       4,8                     255.1.1.1
--------------------------------------------------------------------------------

PCR: 03385 Module: FILE, INSTALL, SCR Level:

Critical files (prefer.ins, config.ins and enabled.sec) are now copied from NVS to FLASH at boot time if they do not exist in FLASH, or if the NVS version of the file is different from the FLASH version.

PCR: 03387 Module: PIM, PIM6 Level: 2

A memory leak occurred in IP or IPV6 if PIM-SM received IGMP or MLD reports, and there was no Rendezvous Point for the reported group.

PCR: 03388 Module: DHCP Level: 3

The DHCP lease Expiry time showed incorrectly in the SHOW DHCP CLIENT command when the lease straddled across multiple months and years. This issue has been resolved.

PCR: 03402 Module: IPG Level:

IP routes deleted from the route cache occasionally caused a fatal error. This issue has been resolved.

PCR: 03404 Module: MLD Level: 2

When a MLD Done report was received, the entire MLD snooping entry was deleted, rather than just the port the MLD Done was received on. This issue has been resolved.

PCR: 03408 Module: PIM Level: 2

A Prune message was sent in reply to every multicast data packet when there was no output forwarding list for the data. This issue has been resolved.

Features in 86241-06

Patch file details are listed in Table 6:

Table 6: Patch file details for Patch 86241-06.

Base Software Release File: 86s-241.rez
Patch Release Date: 28-Feb-2003
Compressed Patch File Name: 86241-06.paz
Compressed Patch File Size: 369480 bytes

Patch 86241-06 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 02429 Module: IPG Level: 2

When more than two firewall policies were configured, an unexpected switch restart sometimes occurred. This issue has been resolved.

PCR: 02562 Module: SWI

Dynamic Port Security allows for dynamic MAC address learning on a switch port. If a MAC address is unused for a period of time, it will be aged from the database of currently accepted MAC addresses. This allows the learning of new MAC addresses. Dynamic Port Security is useful because port security allows the number of devices that are connected to a particular switch port to be limited.

For more information on Dynamic Port Security, see “Dynamic Port Security” on page 92 of this patch release note.

PCR: 03042 Module: PIM Level: 3

PIM join messages were being sent by a switch connected to an upstream and a downstream switch or router in the same VLAN when a multicast group had no members. This issue has been resolved.

PCR: 03044 Module: BGP Level: 2

The switch did not always advertise its preferred routes to destinations that were affected by flapping routes. In these conditions, a BGP network does not run efficiently. This issue has been resolved.

PCR: 03048 Module: STP Level: 2

A switch port belonging to an enabled STP instance would not respond to ARP requests if the port had been disabled from STP operation. This prevented the flow of some types of traffic into affected switch ports. This issue has been resolved.

PCR: 03054 Module: TTY, TACPLUS

When a connection is made by Telnet, or directly through the ASYN port, a TTY session is created with:

• an idle timeout time. The default idle time is zero, which means the TTY session will not time out if there is a lack of activity. If a TACACS+ server is configured on the switch, and the idle time attribute value pair (AVP) is configured on the TACACS+ server and is received by the switch, the value of the idle time from the TACACS+ server is used to set the TTY session.

• a timeout of zero, which means that the TTY session will not time out. If a TACACS+ server is configured on the switch, and the timeout attribute value pair (AVP) is configured on the TACACS+ server and received by the switch, the value of the timeout from the TACACS+ server is used to set the TTY session timeout. After the timeout period has elapsed, the user will either be disconnected by termination of their TTY connection (the default setting), or have their privilege level reduced to USER (the lowest privilege level). If the user’s privilege level is already at the lowest level, then the user will be disconnected by termination of their TTY connection. If the user’s privilege level is reduced, the TTY session timeout count is reset to its initial value.

PCR: 03056 Module: SSH Level: 3

During an SSH session between the switch and the Secure CRT client, the client did not receive a reply to its MAX-packet-size CMSG. The switch does not support this message, but will now send a negative response to satisfy the Secure CRT client’s requirements.

PCR: 03064 Module: SNMP Level: 4

The MIB objects ifTestTable and ifRcvAddressTable were incorrectly included in the switch’s SNMP implementation. These have been removed.

PCR: 03065 Module: SWI Level: 2

When the TX cable was unplugged from a fibre port the operating status was incorrectly reported as UP. This issue has been resolved.

PCR: 03070 Module: BGP Level: 2

When BGP imported other route types, it would advertise routes that had nexthops of the BGP peers themselves. The BGP peers would reject these routes and close the peering session, thus preventing the exchange of routing information between BGP peers. This issue has been resolved.

PCR: 03072 Module: BGP Level: 4

The Import parameter of the ADD, SET, DELETE and SHOW BGP commands now has an INTERFACE type. INTERFACE routes were previously grouped with STATIC routes.

PCR: 03073 Module: UTILITY Level: 2

If the CREATE QOS POLICY command was executed with a range that had a number more than four characters long, for example, CREATE QOS POLICY=123-12345, then a switch restart occurred. An error message is now displayed if more than four numbers are entered for a range.

PCR: 03074 Module: USER Level:

The SET USER command now requires the PASSWORD option if a PRIVILEGE is specified. This enables privilege levels to be lowered from a higher level (MANAGER, or SECURITY OFFICER), to USER.

PCR: 03081 Module: SWI Level:

An untagged packet would occasionally be sent on a tagged port. This issue has been resolved.

PCR: 03082 Module: SWI Level:

When PIM was enabled, IGMP snooping would occasionally work incorrectly. This issue has been resolved.

PCR: 03087 Module: IPG Level:

When interfaces with IGMP proxies were deleted, a software restart could sometimes occur. This issue has been resolved.

PCR: 03100 Module: DHCP Level:

DHCP was assigning incorrect IP addresses to clients when they moved from a relayed to a non-relayed range. Gateway checks have been added to remove this issue.

PCR: 03101 Module: IPG Level: 2

Deriving the originating VLAN from incoming packets could, in some circumstances, cause a software restart. This issue has been resolved.

PCR: 03102 Module: IPG Level: 3

The PING command when executed with the LENGTH and PATTERN parameters could produce an ICMP echo packet with an incorrect ICMP checksum. This issue has been resolved.

PCR: 03104 Module: IPG Level: 3

When an IP packet with an invalid TOTAL LENGTH field was received by the CPU routing process, subsequent valid packets were dropped. This issue has been resolved.

PCR: 03107 Module: FR, PPP Level: 2

The mechanism for freeing discarded packets in Frame Relay and PPP could, in some circumstances, cause a software restart. This issue has been resolved.

PCR: 03108 Module: MLDS Level: 4

The DISABLE MLDS command appeared twice in configuration files. This issue has been resolved.

PCR: 03110 Module: IPG Level: 2

The ADD IP MVR command could cause a software restart. This issue has been resolved.

The ADD IP MVR command parameter GROUP now only accepts multicast addresses.

PCR: 03113 Module: DVMRP Level: 2

With DVMRP configured, the switch did not forward multicast data to downstream interfaces on the same VLAN. This issue has been resolved.

PCR: 03114 Module: DHCP Level: 3

DHCP clients that shifted between relayed ranges were not always recognised, and were occasionally allocated incorrect addresses. This issue has been resolved.

PCR: 03121 Module: DVMRP Level: 2

Invalid DVMRP prune messages could cause a software restart. This issue has been resolved.

PCR: 03122 Module: SWI Level: 2

Adding a static ARP entry to a trunk group could cause a software restart. This issue has been resolved.

PCR: 03123 Module: DHCP Level: 3

After sending a DHCP NAK in response to a client’s DHCP REQUEST with a bad lease time, the switch would fail to age out its corresponding DHCP OFFER entry. This issue has been resolved.

PCR: 03125 Module: DS3 Level: 3

The switch would disassert the AIS, IDLE, LOF and LOS alarms if the defect conditions that had caused the alarm were disasserted, then reasserted before the alarms had been disasserted. This issue has been resolved.

PCR: 03127 Module: IPV6 Level: 2

When a static link local address was configured using the ADD IPV6 INT=xxx IP=yyy command, it was not reflected in the switch’s dynamic configuration. Consequently, the command would be absent from the switch’s configuration after CREATE CONFIG and switch RESTART commands were executed. This issue has been resolved.

PCR: 03136 Module: BGP Level: 2

The ADD BGP PEER command MAXPREFIX parameter now has a default of 24000, instead of OFF. Previously, with no maximum prefix checking by default, if the switch received a very large number of prefixes from a BGP peer, buffer exhaustion could result in a software restart.

PCR: 03011 Module: OSPF Level: 3

The SHOW OSPF NEIGHBOUR command did not reflect a change made to the router priority on a dynamic OSPF interface of a neighbouring router. This issue has been resolved.

PCR: 03035 Module: OSPF

Link state advertisements could incorrectly show an area as a stub area. This happened during the time when a Direct Route (DR) was removed from a configuration and before a Direct Backup Route (BDR), or an Other Direct Route (Other DR) was elected. This issue has been resolved.

PCR: 03045 Module: IPG, SWI Level: 3

The switch would flood DVMRP unicast messages to all ports in the VLAN. This issue has been resolved.

PCR: 03046 Module: IPG Level: 3

ICMP packets originating from the switch used the wrong Equal Cost Multiple Path route. This issue has been resolved. Also, improvements have been made to ensure that the ICMP packet will be transmitted over the best available route. If the best route becomes unavailable, a new route will be found, if available, so that the ICMP packet continues to reach the destination address.

PCR: 03051 Module: PCI Level: 2

The ECPAC card was not working correctly. This issue has been resolved.

Features in 86241-05

Patch file details are listed in Table 7:

Table 7: Patch file details for Patch 86241-05.

Base Software Release File: 86s-241.rez
Patch Release Date: 17-Jan-2003
Compressed Patch File Name: 86241-05.paz
Compressed Patch File Size: 332388 bytes

Patch 86241-05 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 02315 Module: SNMP Network affecting: No

Support has been added for SNMPv2c.

SNMP responses will be sent in the same version format as the request message. Minimal configuration is required to specify a SNMP format, because this is decided on a message by message basis. The only thing you need to specify is the version of SNMP received by trap hosts.

To create an SNMP community, use the command:

CREATE SNMP COMMUNITY=name [ACCESS={READ|WRITE}]
    [TRAPHOST=ipadd] [MANAGER=ipadd]
    [OPEN={ON|OFF|YES|NO|TRUE|FALSE}] [V1TRAPHOST=ipadd]
    [V2CTRAPHOST=ipadd]

To add a trap host or management station to the previously created SNMP community, use the command:

ADD SNMP COMMUNITY=name [TRAPHOST=ipadd] [MANAGER=ipadd]
    [V1TRAPHOST=ipadd] [V2CTRAPHOST=ipadd]

PCR: 02389 Module: DS3 Network affecting: No

DS3 interface and board type support has been added. DS3 is now supported over PPP and Frame Relay. DS3 MIB support has been added.

For more information on DS3, see “DS3 Interfaces” on page 86 of this release note.

PCR: 02414 Module: IPv6, SWI, IPG, VLAN Network affecting: No

This patch resolves issues that arose after previous modifications made under this PCR number.

Sometimes IPv6 features did not enable correctly. Also, there were some errors in the output from configuration commands. These issues have been resolved.

PCR: 02560 Module: IPG, SWI, VLAN Network affecting: No

IP packet throughput has been improved.

PCR: 03002 Module: USER Network affecting: No

Debugging commands are now available for the RADIUS and TACACS control protocols. Raw packets, decoded packets, and errors can now be displayed.

Access control packet debugging allows the contents of the packets to be viewed. The debugging commands allow both raw (hexadecimal dumps) and/or decoded (human-readable) packet displays. Information on any errors occurring in the transactions can be displayed once the appropriate debugging command is issued.

Only users with SECURITY OFFICER privileges in system secure mode are able to enable RADIUS and TACACS debugging.

The debugging commands are:

ENABLE RADIUS DEBUG={ALL|PKT|DECODE|ERROR} [,...]

ENABLE TACACS DEBUG={ALL|PKT|DECODE|ERROR} [,...]

DISABLE RADIUS DEBUG={ALL|PKT|DECODE|ERROR} [,...]

DISABLE TACACS DEBUG={ALL|PKT|DECODE|ERROR} [,...]

SHOW RADIUS DEBUG

SHOW TACACS DEBUG

PCR: 03013 Module: INSTALL Network affecting: No

The SET INSTALL command was generating an unwanted warning message on Rapier i series switches. This issue has been resolved.

Features in 86241-04

Patch file details are listed in Table 8:

Table 8: Patch file details for Patch 86241-04.

Base Software Release File: 86s-241.rez
Patch Release Date: 15-Jan-2003
Compressed Patch File Name: 86241-04.paz
Compressed Patch File Size: 208232 bytes

Patch 86241-04 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 02244 Module: UTILITY Network affecting: No

Virtual interfaces were displayed incorrectly when VLANs were multihomed. This issue has been resolved.

PCR: 02300 Module: Firewall Network affecting: No

If the command ADD FIREWALL POLICY RULE SOURCEPORT=ALL was executed, a value of “65535” was incorrectly displayed for the SOURCEPORT parameter for that rule in the SHOW FIREWALL POLICY command. This issue has been resolved.

PCR: 02340 Module: IPG Network affecting: No

PIM was disabled permanently if the RESET IP command, or the DISABLE IP command followed by the ENABLE IP command, was executed. PIM is now automatically restarted if these commands are used.

PCR: 02356 Module: FIREWALL Network affecting: No

Previously the SET FIREWALL POLICY RULE command permitted the use of the GBLIP and GBLPORT parameters in ways that were not permitted by the ADD FIREWALL POLICY RULE command. This caused problems when a configuration file was generated because some of the illegal parameters from the SET command were put into the ADD command. This resulted in a configuration that contained illegal parameter combinations.

The restrictions placed on the GBLIP and GBLPORT parameters in the ADD command have now been implemented in the SET command so that these problems do not occur.

PCR: 02358 Module: IPG Network affecting: No

IP ARP packets that had invalid header values were erroneously accepted by the router. Also, IP packets with a Class E source IP address were erroneously forwarded. These issues have been resolved.

PCR: 02371 Module: FIREWALL Network affecting: No

When the system time was set to a time that was before or significantly after the current time, Firewall sessions were prematurely deleted. This issue has been resolved.

PCR: 02400 Module: CORE, FFS, FILE, INSTALL, SCR Network affecting: No

If a problem occurred with NVS, some critical files were lost. As a result, the equipment was forced to load only boot ROM software at boot time. This patch combined with the new version of the boot ROM software (pr1-1.2.0 for the AR700 series) resolves this issue.

PCR: 02491 Module: IPG Network affecting: No

The ARP cache is now updated when a gratuitous ARP request or reply packet is received.

PCR: 02506 Module: OSPF IPG Network affecting: No

The optional INTERFACE parameter of the ADD IP ROUTE FILTER command caused the filter to not work on the flooding of OSPF external LSAs. The SHOW IP ROUTE FILTER interface name output was truncated to 6 characters. These issues have been resolved.

PCR: 02511 Module: Ping Network affecting: No

Executing the PING command sometimes caused a memory leak. This issue has been resolved.

PCR: 02514 Module: IPG Network affecting: No

The CREATE CONFIGURATION command inserted the IMTLEAVE parameter into the configuration script when the IMTLEAVE parameter was undefined. This caused an error in the configuration script. This issue has been resolved.

PCR: 02519 Module: IPv6 Network affecting: No

The DELETE IPV6 6TO4 command sometimes caused an error. This issue has been resolved.

PCR: 02521 Module: IPv6 Network affecting: No

The DECREMENT parameter of the ADD IPV6 INTERFACE command was not recognised in the command line. This issue has been resolved.

PCR: 02523 Module: QOS, UTILITY Network affecting: No

The SET QOS TRAFFICCLASS command now requires 7 characters to be entered for the optional EXCEEDACTION and EXCEEDREMARKVALUE parameters.

PCR: 02525 Module: TELNET, PING, IPV6, TCP Network affecting: No

The ADD IPV6 HOST command was not accepting the INTERFACE parameter when adding a host with a link-local address. This issue has been resolved.

PCR: 02526 Module: DVMRP Network affecting: No

Under some circumstances, multiple default routes were created for DVMRP. This issue has been resolved.

PCR: 02527 Module: TCP Network affecting: No

TCP did not send a TCP Reset message under some circumstances, for example when the Telnet server was disabled. This issue has been resolved.

PCR: 02529 Module: FIREWALL Network affecting: No

The source IP address is now checked correctly when subnet NAT is used with standard, double, or reverse NAT. Previously, it was sometimes possible to specify an IP address outside the allowable range.

PCR: 02532 Module: FIREWALL Network affecting: No

The Firewall showed the wrong counters on Total Received Packets and Dropped Packets and displayed twice the number of received packets when discarding packets from the public side. Also, when a Deny rule was applied to the private side, the Number of Dropped Packets was always zero. These issues have been resolved.

PCR: 02534 Module: TEST Network affecting: No

The SYN test did not operate successfully when patch 52241-03 was installed. This issue has been resolved.

PCR: 02535 Module: IPV6 Network affecting: No

A fatal error occurred when an IPv6 packet with an invalid payload length was received. This issue has been resolved.

PCR: 02537 Module: L2TP Network affecting: No

When PPP was used over an L2TP tunnel, a speed of zero was shown for the PPP interface on the LNS side, while the LAC side showed a non-zero PPP interface speed. This issue has been resolved so that the LNS side of the PPP interface shows the correct speed.

PCR: 02538 Module: DVMRP Network affecting: No

The source mask is now always 0xffffffff in the DVMRP forwarding table.

The temporary route in the DVMRP route table was not displaying correctly. This issue has been resolved.

An IGMP entry was erroneously added for the reserved IP address. This issue has been resolved.

PCR: 02539 Module: CLASSIFIER Network affecting: No

The TCP and UDP source and destination port parameters would accept values of more than 65535. 65535 is now the maximum value for source and destination ports. This complies with RFC768 for UDP and RFC793 for TCP.

PCR: 02542 Module: IPV6 Network affecting: No

The SHOW IPV6 commands were incorrectly including RIPng down routes, and routes on the sending interface. The IPv6 routing table now recognises down routes.

PCR: 02543 Module: SWI Network affecting: No

BPDU messages are now sent to all active ports as soon as STP is enabled.

PCR: 02547 Module: IPG Network affecting: No

The ARP transmit counter total was not being incremented. This issue has been resolved.

PCR: 02550 Module: FIREWALL Network affecting: No

The standard subnet NAT rules on a private interface were not matching a packet unless its source IP address was exactly the same as the IPADDRESS value set for the rule; that is, the NAT mask value was not being used. This issue has been resolved.

PCR: 02551 Module: IPG Network affecting: No

Reserved multicast data was being duplicated. This issue has been resolved.

PCR: 02552 Module: SWI Network affecting: No

If ingress filtering was supported within trunk groups, ports with ingress filtering enabled were erroneously added to the trunk group. This issue has been resolved.

PCR: 02564 Module: FIREWALL Network affecting: No

Large RTSP continuation packets could cause a fatal error. This issue has been resolved.

PCR: 02565 Module: CLASSIFIER Network affecting: No

The SET CLASSIFIER and CREATE CLASSIFIER commands now display the tagged and untagged parameters correctly when the PROTOCOL parameter is set to IPX or 802.2.

PCR: 02572 Module: IPG Network affecting: No

An issue introduced in a previous patch, in which the SET IP ROUTE command failed, has been resolved.

PCR: 02574 Module: DVMRP Network affecting: No

Some change actions and the resending of prune messages were not operating correctly. This issue has been resolved.

PCR: 02579 Module: FIREWALL Network affecting: No

The ADD FIREWALL POLICY and SET FIREWALL POLICY commands did not generate a valid port list when the optional PORT parameter was set to ALL. This issue has been resolved.

PCR: 02587 Module: OSPF Network affecting: No

When OSPF was enabled on startup, an OSPF interface would sometimes stay in the DOWN state. This issue has been resolved.

Features in 86241-03

Patch file details are listed in Table 9.

Table 9: Patch file details for Patch 86241-03.

Base Software Release File: 86s-241.rez
Patch Release Date: 26-Nov-2002
Compressed Patch File Name: 86241-03.paz
Compressed Patch File Size: 379165 bytes

Patch 86241-03 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 02314 Module: IPG Network affecting: No

Incorrect ICMP checksums on incoming packets were not being recognised, and packets with an odd byte size were erroneously being processed. These issues have been resolved.

PCR: 02414 Module: IPv6, SWI, IPG, VLAN Network affecting: No

MLD snooping is now supported on AT-9800 Series Switches and Rapier i Series Switches.

PCR: 02426 Module: IPv6 Network affecting: No

The ENABLE IPV6 MTUDISCOVERY and SET IPV6 MTU INTERFACE commands were not displayed in the SHOW CONFIGURATION DYNAMIC command. This issue has been resolved.

PCR: 02428 Module: IPv6 Network affecting: No

Link-local address behaviour was incorrect. Also, the PUBLISH parameter was not updated by the SET IPV6 INTERFACE command, or displayed in the SHOW IPV6 INTERFACE command. These issues have been resolved.

PCR: 02467 Module: CORE Network affecting: No

The board descriptions have changed for some instances of AT-9800 Series Switches.

PCR: 02469 Module: TM Network affecting: No

After an ASYN port test, the port is now reset to its pre-test state if the test was started by a user connected to the same ASYN port.

PCR: 02477 Module: IPG, PIM, SWI Network affecting: No

The following issues have been resolved:

• When equal paths exist to a source, a PIM DM downstream switch/router could not correctly collect information from AssertSelection between the upstream devices.

• If the Assert winner was another vendor’s device, the Allied Telesyn device did not respond to the Prune message.

• Sometimes a receiver could not get a multicast data stream.

• If unicast routes were changed, multicast data streams sometimes failed to reach receivers or flowed incorrectly.

PCR: 02481 Module: IPv6 Network affecting: No

A fatal error occurred with IPv6 ping when an interface was plugged in and unplugged repeatedly. This issue has been resolved. Also, the TrueMTU value on a VLAN interface was incorrect. This value has been corrected to 1500.

PCR: 02482 Module: IPG Network affecting: No

When pinging an unreachable host via a switch, there was a delay before the switch sent a DestinationUnreachable message. This issue has been resolved.

PCR: 02489 Module: SWI Network affecting: No

When the switch was under heavy learning load, some MAC addresses were lost. This issue has been resolved.

PCR: 02494 Module: IPv6 Network affecting: No

It was possible to add the same IPv6 prefix to different IPv6 interfaces. This issue has been resolved.

PCR: 02495 Module: VLAN Network affecting: No

The ADD VLANRELAY and DELETE VLANRELAY commands returned the wrong message if the command could not be processed. This issue has been resolved.

PCR: 02498 Module: VLAN Network affecting: No

The correct protocol number is now returned by VLAN Relay.

PCR: 02499 Module: IPG Network affecting: No

Some parameters in the SET IP IGMP command had incorrect ranges. This issue has been resolved. The correct ranges are:

SET IP IGMP [LMQI=1..255] [LMQC=1..5] [QUERYINTERVAL=1..65535]
    [QUERYRESPONSEINTERVAL=1..255] [ROBUSTNESS=1..5] [TIMEOUT=1..65535]

PCR: 02502 Module: Ping, IPv6 Network affecting: No

If multiple IPv6 interfaces shared the same link-local address, pings to the link-local address sometimes failed. This issue has been resolved.

PCR: 02509 Module: DVMRP Network affecting: No

The source net mask has been removed from DVMRP prune, graft and graft-ack messages.

Features in 86241-02

Patch file details are listed in Table 10:

Table 10: Patch file details for Patch 86241-02.

Base Software Release File: 86s-241.rez
Patch Release Date: 25-Oct-2002
Compressed Patch File Name: 86241-02.paz
Compressed Patch File Size: 132368 bytes

Patch 86241-02 includes all issues resolved and enhancements released in previous patches for Software Release 2.4.1, and the following enhancements:

PCR: 02103 Module: SWI Network affecting: No

IPX traffic passing between two switch instances using VLAN for Rapier48 now operates correctly.

PCR: 02210 Module: DNS Relay Network affecting: No

Buffer leaks occurred when DNS relay was enabled. This issue has been resolved.

PCR: 02214 Module: IPG Network affecting: No

A buffer leak occurred when a large number of flows (over 4000) were in use and needed to be recycled. This issue has been resolved.

PCR: 02220 Module: SWI Network affecting: No

The EPORT parameter in the ADD SWITCH L3FILTER ENTRY and SET SWITCH L3FILTER ENTRY commands was matching multicast and broadcast packets with software filtering. This issue has been resolved.

PCR: 02236 Module: FIREWALL Network affecting: No

Sometimes the retransmission of an FTP packet was not permitted through the Firewall. This issue has been resolved.

PCR: 02245 Module: VRRP Network affecting: No

VRRP returned an incorrect MAC address for an ARP request. This issue has been resolved.

PCR: 02263 Module: VRRP Network affecting: No

The virtual MAC address was used as the source MAC for all packets forwarded on an interface associated with a Virtual Router (VR). This was confusing when multiple VRs were defined over the same interface because only one virtual MAC address was ever used. The other virtual MAC addresses (for the other VRs) were only used if the source IP address matched the VR’s IP address. To avoid this confusion, the system MAC address is now always used unless the source IP address of the packet is the same as the VR’s IP address.

PCR: 02267 Module: BGP Network affecting: No

When route aggregation was enabled, the atomic aggregate was not being set. This issue has been resolved.

PCR: 02268 Module: FIREWALL Network affecting: No

HTTP requests from a fixed IP address were erroneously reported as a host scan attack in the Firewall deny queue. This issue has been resolved.

PCR: 02272 Module: IPG, PIM, SWI Network affecting: No

The following issues have been resolved:

• The RESET PIM INTERFACE=VLAN command was not working correctly.

• Packets with Time to Live (TTL) set to less than 4 were not being forwarded.

• VLAN tags were not being inserted into IP multicast packets on multitagged ports.

• A fatal error occurred when PIM and RIP were both running.

PCR: 02274 Module: TPAD Network affecting: No

ARL message interrupts have been re-enabled after a software table rebuild to fix synchronisation of the software forwarding database with the hardware table.

PCR: 02276 Module: FIREWALL Network affecting: No

The CREATE CONFIG command did not save the SOURCEPORT parameter to the configuration file when the low value of the source port range was set to zero. This issue has been resolved.

PCR: 02277 Module: DVMRP Network affecting: No

Report sending and default routes were not working correctly. Also, the SHOW CONFIGURATION DYNAMIC and SHOW CONFIGURATION=DVMRP commands were not working correctly. These issues have been resolved.

PCR: 02280 Module: TELNET, TTY Network affecting: No

TELNET sessions are now closed with “^D” only when the session is in the login state.

PCR: 02291 Module: DHCP Network affecting: No

DHCP now processes Discover messages smaller than 300 bytes.

PCR: 02292 Module: IPSEC Network affecting: No

IPSec no longer logs packets that match an ACTION=ALLOW policy. The overhead of this logging was affecting non-IPSec traffic.

PCR: 02294 Module: IKMP Network affecting: No

The LOCALRSAKEY parameter in the CREATE ISAKMP POLICY and SET ISAKMP POLICY commands was not accepting the value zero. This issue has been resolved.

PCR: 02298 Module: IPSEC Network affecting: No

The PURGE IPSEC command caused a fatal error. This issue has been resolved.

PCR: 02299 Module: VRRP Network affecting: No

If a packet with a destination IP address equal to a VRRP IP address was received when the router didn’t own the IP address (because it didn’t have an interface with that IP address), the router incorrectly tried to forward the packet and send an ICMP “redirect” message to the source. Now, if such a packet is received, it will be discarded and an ICMP “host unreachable” message will be sent to the source.

PCR: 02301 Module: IPG Network affecting: No

If a DNS relay agent was configured with overlapping subnets, sometimes the DNS server response was returned to the client with a source IP address of an interface on the relay agent that was different from the interface the request was received on. This issue has been resolved.

PCR: 02302 Module: IPv6 Network affecting: No

The default router lifetime value has been corrected. Also, the SET IPV6 INTERFACE command now updates valid and preferred lifetimes correctly.

PCR: 02303 Module: INSTALL Network affecting: No

When enabling or disabling feature licences, a message will now be generated with a warning that changes to feature licences may not take effect until after a reboot.

PCR: 02304 Module: VRRP Network affecting: No

VRRP used the wrong source IP address in ICMP redirects. RFC 2338 states that the source IP address of ICMP redirects should be the IP address that the end host used when making its next hop routing decision. In the case of a packet sent to a VRRP virtual MAC address, this is the primary VRRP IP address associated with the MAC address, provided such a VR exists and is in the master state. This issue has been resolved.

PCR: 02309 Module: STP Network affecting: No

On models except Rapier i Series Switches, the ENABLE STP DEBUG PORT command did not work correctly. This issue has been resolved.

PCR: 02311 Module: SWI Network affecting: No

It was possible to set the trunk speed to 10/100M, even if the port within the trunk was not capable of this speed. This issue has been resolved.

PCR: 02313 Module: IPV6 Network affecting: No

The SHOW IPV6 INTERFACE command now shows the address lifetime aging status that is determined by the DECREMENT parameter in the ADD IPV6 INTERFACE command. The default valid and preferred address lifetimes have been changed to 30 days and 7 days respectively.

PCR: 02320 Module: IPV6 Network affecting: No

The interface address preferred lifetime was not operating correctly. This issue has been resolved.

PCR: 02321 Module: FR Network affecting: No

A fatal error occurred when the command SET FR=0 LMI= was executed if the LMI was already set to ANNEXA, ANNEXB or ANNEXD. This issue has been resolved.

PCR: 02326 Module: IPv6 Network affecting: No

A fatal error occurred when a PING was executed over an IPV6 tunnel that had previously been deleted. Also, packet forwarding with link-local addresses was not working correctly. These issues have been resolved.

PCR: 02327 Module: IPG/FIREWALL Network affecting: No

In some situations, multihomed interfaces caused the Firewall to apply NAT and rules incorrectly when packets were received from a subnet that was not attached to the receiving interface. This issue has been resolved.

PCR: 02328 Module: BGP Network affecting: No

BGP was not sending a withdraw message to a peer for a withdrawn or replaced route when the new best route came from that peer. This issue has been resolved.

PCR: 02330 Module: IPv6 Network affecting: No

A buffer leak was occurring in IPv6 fragmentation. This issue has been resolved.

PCR: 02331 Module: IPG, ETH Network affecting: No

IP is now informed when an Ethernet interface goes up or down, after a 2.5 second delay.

PCR: 02332 Module: IPSEC Network affecting: No

The sequence number extracted from the AH and ESP header was in the wrong endian mode, which caused an FTP error with IPSEC anti-replay. This issue has been resolved.
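The failure mode named in PCR 02332, as an added illustration that is not the switch's own code: ESP carries its 32-bit sequence number in network byte order after the SPI, and a receiver that reads the field byte-swapped hands the anti-replay window a value for the 256th packet that is far below the one before it. The window size of 32, the SPI value and all function names are assumptions.

```python
import struct

SPI = 0x1000          # assumed SPI, any value works
WINDOW_SIZE = 32      # assumed window size


class ReplayWindow:
    """Sliding-window anti-replay check over received sequence numbers."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means (highest - i) was already seen

    def accept(self, seq):
        if seq == 0:
            return False                      # 0 is never a valid number
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # window moved past all history
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window
        if (self.bitmap >> offset) & 1:
            return False                      # duplicate, i.e. a replay
        self.bitmap |= 1 << offset
        return True


def esp_header(spi, seq):
    """First 8 bytes of an ESP packet: SPI then sequence number, big-endian."""
    return struct.pack("!II", spi, seq)


def read_seq(header, fmt):
    """Read the sequence number at offset 4.

    fmt "!I" is the correct network-order read; "<I" models the
    byte-swapped read described in the PCR.
    """
    return struct.unpack_from(fmt, header, 4)[0]


def first_rejected(fmt, count):
    """Send packets 1..count in order; return the first sender sequence
    number the receiver drops, or None if every packet is accepted."""
    window = ReplayWindow()
    for seq in range(1, count + 1):
        if not window.accept(read_seq(esp_header(SPI, seq), fmt)):
            return seq
    return None


def accepted_count(fmt, count):
    """Number of in-order packets 1..count that pass the replay check."""
    window = ReplayWindow()
    return sum(
        window.accept(read_seq(esp_header(SPI, seq), fmt))
        for seq in range(1, count + 1)
    )


if __name__ == "__main__":
    for label, fmt in (("network order", "!I"), ("byte-swapped", "<I")):
        print(label, "first drop:", first_rejected(fmt, 1000),
              "accepted:", accepted_count(fmt, 1000))
```

A short exchange stays under 256 packets and passes either way, while a bulk transfer crosses that boundary and has legitimate packets dropped as replays.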

PCR: 02334 Module: FIREWALL Network affecting: No

It is now possible to set the domain name of the SMTP server to none (0.0.0.0) with the SET FIREWALL POLICY SMTPDOMAIN command, even if a server name has not previously been specified.

PCR: 02335 Module: CLASSIFIER Network affecting: No

The SHOW CLASSIFIER command was not displaying Layer 3 information if the classifier had been created with the parameters ETHFORMAT=SNAP and PROTOCOL={IP|0000000800}. This issue has been resolved.

PCR: 02343 Module: PPP Network affecting: No

When acting as a PPPoE Access Concentrator (AC), if a PPPoE client sent discovery packets without the "host-unique" tag, the discovery packets sent by the AC were corrupted. This issue has been resolved.

PCR: 02346 Module: BGP, IPG Network affecting: No

It is now possible to set a preference value for dynamically learned routes based on their protocol using the command:

SET IP ROUTE PREFERENCE={DEFAULT|1..65535}
    PROTOCOL={BGP-EXT|BGP-INT|OSPF-EXT1|OSPF-EXT2|OSPF-INTER|OSPF-INTRA|OSPF-OTHER|RIP}

PCR: 02347 Module: SWI Network affecting: No

The CREATE CONFIGURATION command was not correctly generating the DISABLE SWITCH HWFILTER and DISABLE SWITCH L3FILTER commands. This issue has been resolved.

PCR: 02348 Module: ENCO Network affecting: No

When the PAC card was under severe load, the related driver occasionally did not fully transfer all result data from the chip. This caused an actCmdFail error. This issue has been resolved.

PCR: 02354 Module: SCC, SYN, PPP Network affecting: No

In a previous patch, a fatal error occurred after a RESTART ROUTER command was executed when using PPP over SYN. Also, on AR745 models, PPP was using an 8 MB boundary instead of a 16 MB boundary. These issues have been resolved.

PCR: 02357 Module: FR Network affecting: No

The following issues have been resolved:

• PIM was not sending Hello messages over a Frame Relay (FR) interface.

• A fatal error occurred if 64 was entered as the interface value in the DESTROY FRAMERELAY command. The command now only accepts 0-63 for this parameter.

• The ADD FRAMERELAY DLC command incorrectly accepted a TYPE parameter. Also, this command was not accepting the ENCAPSULATION parameter.

• The CREATE CONFIGURATION command incorrectly generated the CIR and CIRLIMITED parameters for the ADD FRAMERELAY DLC command.

• FR interfaces with static DLCs were always shown as DOWN. The status of the interface was not being updated when a circuit was added to the interface.

PCR: 02359 Module: IPG Network affecting: No

When an IP Multihomed interface was used as an OSPF interface, neighbour relationships were only established if the IP interface for OSPF was added first in the configuration. Now, OSPF establishes neighbour relationships regardless of the IP Multihomed interface configuration order.

PCR: 02363 Module: FFS, FILE, TTY Network affecting: No

The FLASH compaction process is now transparent to the file edition process. The FLASH system is now more stable.

PCR: 02365 Module: SWI Network affecting: No

Address learning on the mirror port is now correctly re-enabled when it is no longer the mirror port.

PCR: 02367 Module: SWI Network affecting: No

New commands have been added to enable the addition and deletion of static multicast addresses to and from the multicast forwarding table. The new commands are:

ADD SWITCH MULTICASTADDRESS IP=ipadd VLAN=vlan-id

PORT=port-list

DELETE SWITCH MULTICASTADDRESS IP=ipadd VLAN=vlan-id

PCR: 02369 Module: IPG Network affecting: No

When the SET IP ROUTE command was executed to change any parameter other than METRIC1, which is the RIP metric, the RIP metric was reset to 1. This metric is now only updated if a value for the parameter is specified.

PCR: 02371 Module: FIREWALL Network affecting: No

When the system time was set to a time that was before or significantly after the current time, Firewall sessions were prematurely deleted. This issue has been resolved.

PCR: 02376 Module: PPP Network affecting: No

When the PPP ONLINELIMIT was exceeded for PPP over TDM, the PPP link stayed open, allowing Link Quality Report (LQR) packets to be transmitted. This caused the ifOutOctets counter to increment. Now, if the ONLINELIMIT is exceeded, the link will close.

PCR: 02378 Module: SWI Network affecting: No

Entering 63 for the EPORT parameter in the ADD SWITCH L3FILTER command caused a fatal error. This parameter now accepts the values 63 and 64.

PCR: 02395 Module: VRRP, TRG Network affecting: No

The SHOW VRRP command now shows the number of trigger activations for the Upmaster and Downmaster triggers.

PCR: 02397 Module: DVMRP Network affecting: No

After a prune lifetime had expired, the interface was not joined back to the DVMRP multicast delivery tree. This issue has been resolved.

PCR: 02398 Module: IPV6 Network affecting: No

The following issues have been resolved:

• It was possible to assign the same network on different IPV6 interfaces

• The loopback address was being added to other interfaces

• The tunnel configuration was not showing correctly in IPV6 configuration commands

RIPv6 now sets the metric of routes for interfaces that are DOWN to 16, and immediately sends responses when the link status of VLAN interfaces changes.

PCR: 02399 Module: TRACE Network affecting: No

The Trace utility has been modified. Previously, Trace sent a group of packets at once and waited for multiple responses in order to assess the minimum, maximum and average time to cover a certain "hop distance" towards the target host. Now Trace sends each packet in each group individually, and waits either for a response or a time-out before sending the next packet in the group.

PCR: 02401 Module: IPV6 Network affecting: No

Neighbour discovery and PIM6 caused a fatal error when IPv6 was not enabled, or when the IPv6 feature license was not present. This issue has been resolved.

PCR: 02402 Module: SNMP, CORE, SHOW, FILE Network affecting: No

SNMP MIB support has been enhanced for CPU utilisation and file statistics. MIB support has been added for Allied Telesyn contact details and fast buffers.

PCR: 02403 Module: STP Network affecting: No

A watchdog timeout occurred when the command ENABLE STP PORT was executed. This issue has been resolved.

PCR: 02406 Module: IPV6 Network affecting: No

A Router-Alert option has been added. Also, the SHOW IPV6 MLD INTERFACE command now works correctly.

PCR: 02409 Module: IPG Network affecting: No

A warning now appears when the DELETE IP INTERFACE command is executed before the DELETE DVMRP INTERFACE command.

PCR: 02410 Module: VRRP Network affecting: No

VRRP pre-empt mode was not working with advertisement updates of 1 second or more because this did not allow for interface start time on startup. Now a check is made to verify that interfaces are UP before timers are started.

PCR: 02411 Module: IPV6 Network affecting: No

The SHOW TCP command was not showing the listening status for IPv6.

PCR: 02412 Module: IPV6 Network affecting: No

An ISDN call was activated by IPv6 Router Advertisements over IPv6 tunnel interfaces. This issue has been resolved.

PCR: 02415 Module: IPG Network affecting: No

Packets with a RIP source address and next hop address that are not on the same subnet as the interface will now be processed. If the received next hop is not on the same subnet, it is treated as 0.0.0.0.

PCR: 02418 Module: IPV6 Network affecting: No

ICMPv6 was returning an error for non-zero fragment offsets. This issue has been resolved.

PCR: 02421 Module: PIM Network affecting: No

The GUI was incorrectly accepting multiple entries for VLANs. This issue has been resolved.

PCR: 02422 Module: GARP Network affecting: No

The GUI was returning incorrect GARP counters. This issue has been resolved.

PCR: 02428 Module: IPV6 Network affecting: No

Link-local address behaviour was incorrect. Also, the PUBLISH parameter was not updated by the SET IPV6 INTERFACE command, or displayed in the SHOW IPV6 INTERFACE command. These issues have been resolved.

PCR: 02450 Module: IPV6 Network affecting: No

Large local packets were not being fragmented. Also, the More Fragment flag in the IPv6 fragment header was not being set correctly. These issues have been resolved.

PCR: 02452 Module: IPv6 Network affecting: No

Received Router Advertisements (RAs) were discarded when the interface was enabled to send RAs. This issue has been resolved.

PCR: 02457 Module: IPV6 Network affecting: No

The IPv6 priority filter was not matching correctly when TCP was specified as the protocol type. This issue has been resolved.

PCR: 02463 Module: DVMRP, IPG Network affecting: No

Multicast multi-homing was not working correctly. This issue has been resolved.

Features in 86241-01

Patch file details are listed in Table 11:

Table 11: Patch file details for Patch 86241-01.

Base Software Release File: 86s-241.rez
Patch Release Date: 26-July-2002
Compressed Patch File Name: 86241-01.paz
Compressed Patch File Size: 27732 bytes

Patch 86241-01 includes the following enhancements:

PCR: 02036 Module: SWITCH Network affecting: No

A new command allows the Layer 3 aging timer to be changed:

SET SWITCH L3AGEINGTIMER=<seconds>

where seconds can be 30 - 43200. After each cycle of the ageing timer, all existing Layer 3 entries with the hit bit set will have the hit bit reset to zero, and all existing Layer 3 entries with the hit bit set to zero will be deleted.

The SHOW SWITCH command output now displays the Layer 3 ageing timer value.

PCR: 02138 Module: SWI Network affecting: No

The built-in Self Test Code for all Rapiers, except G6, has been improved to enhance the detection of faults in switch chip external packet memory.

PCR: 02158 Module: FIREWALL Network affecting: No

When a TCP RST/ACK was received by a firewall interface, the packet that was passed to the other side of the firewall lost the ACK flag, and had an incorrect ACK number. This issue has been resolved.

PCR: 02185 Module: VRRP Network affecting: No

The SHOW CONFIG DYNAMIC=VRRP command was not showing port monitoring and step values correctly. This issue has been resolved.

PCR: 02229 Module: IPG Network affecting: No

The PURGE IP command now resets the IP route cache counters to zero.

PCR: 02240 Module: SWI Network affecting: No

The SENDCOS filter action did not operate correctly across switch instances. This was because the stacklink port on the Rapier 48 did not correctly compensate for the stack tag on frames received via the filter. This issue has been resolved.

PCR: 02241 Module: FIREWALL Network affecting: No

Firewall subnet NAT rules were not working correctly from the private to the public side of the firewall. Traffic from the public to private side (destined for subnet NAT) was discarded. These issues have been resolved.

ICMP traffic no longer causes a RADIUS lookup for access authentication, but is now checked by ICMP handlers for attacks and eligibility. If the ICMP traffic matches a NAT rule, NAT will occur on inbound and outbound traffic. HTTP 1.0 requests sometimes caused the firewall HTTP proxy to close prematurely. Cached TCP sessions were sometimes not hit correctly. These issues have been resolved.

PCR: 02242 Module: IPG Network affecting: No

On a Rapier 24, adding an IP interface over a FR interface caused an ASSERT debug fatal error. This issue has been resolved.

PCR: 02250 Module: FIREWALL Network affecting: No

Sometimes the Firewall erroneously used NAT. This issue has been resolved.

PCR: 02259 Module: DHCP, IPG Network affecting: No

A dual Ethernet router was incorrectly accepting an IP address from a DHCP server when the offered address was on the same network as the other Ethernet interface. An error is now recorded when DHCP offers an address that is in the same subnet as another interface.

Enable and Disable ICMP Messages

The Internet Control Message Protocol (ICMP) allows routers to send error and control messages to other routers or hosts. It provides the communication between IP software on one system and IP software on another.

This enhancement allows the switch to enable or disable some ICMP messages when directed by the network manager.

The ICMP messages that are able to be enabled or disabled are:

Network unreachable (RFC792 Type 3 Code 0)

Host unreachable (RFC792 Type 3 Code 1)

ICMP redirect messages (RFC792 Type 5 Code 0, 1, 2, 3)

Network Unreachable

This message indicates that the switch does not know how to reach the destination network.

Host Unreachable

This message indicates that the switch does not know how to reach the host.

ICMP Redirect

This message is sent to a local host to tell it that its target is located on the same LAN (no routing is required), or, when the switch detects a host using a non-optimal route (usually because a link has failed or changed its status) on a directly connected router, to advise of a better route to a particular destination.

For more information on ICMP, see the IP Chapter in your switch’s Software Reference manual.

Commands

This enhancement introduces three new commands:

DISABLE IP ICMPREPLY

ENABLE IP ICMPREPLY

SHOW IP ICMPREPLY

DISABLE IP ICMPREPLY

Syntax

DISABLE IP ICMPREPLY[={ALL|NETUNREACH|HOSTUNREACH|REDIRECT}]

Description

This command disables ICMP reply messages.

If ALL is specified, all configurable ICMP message replies are disabled. If NETUNREACH is specified, all network unreachable message replies are disabled (RFC792 Type 3 Code 0). If HOSTUNREACH is specified, all host unreachable message replies are disabled (RFC792 Type 3 Code 1). If REDIRECT is specified, all ICMP redirect message replies are disabled (RFC792 Type 5 Code 0, 1, 2, 3).

Example

To disable all configurable ICMP messages, use the command:

DISABLE IP ICMPREPLY=ALL

See Also

ENABLE IP ICMPREPLY

DISABLE IP ECHOREPLY

SHOW IP ICMPREPLY

ENABLE IP ICMPREPLY

Syntax

ENABLE IP ICMPREPLY[={ALL|NETUNREACH|HOSTUNREACH|REDIRECT}]

Description

This command enables ICMP reply messages.

If ALL is specified, all configurable ICMP message replies are enabled. If NETUNREACH is specified, all network unreachable message replies are enabled (RFC792 Type 3 Code 0). If HOSTUNREACH is specified, all host unreachable message replies are enabled (RFC792 Type 3 Code 1). If REDIRECT is specified, all ICMP redirect message replies are enabled (RFC792 Type 5 Code 0, 1, 2, 3).

Example

To enable all configurable ICMP messages, use the command:

ENABLE IP ICMPREPLY=ALL

See Also

ENABLE IP ECHOREPLY

DISABLE IP ICMPREPLY

SHOW IP ICMPREPLY

SHOW IP ICMPREPLY

Syntax

SHOW IP ICMPREPLY

Description

This command displays the status of configurable ICMP messages (Figure 2).

Figure 2: Example output from the SHOW IP ICMPREPLY command:

SHOW IP ICMP REPLY MESSAGES

--------------------------------------------------------------------------------

ICMP REPLY MESSAGES:

Network Unreachable ................ disabled

Host Unreachable ................... disabled

Redirect ........................... enabled

--------------------------------------------------------------------------------

Table 12: Parameters in the output of the SHOW IP ICMPREPLY command.

Parameter              Meaning
ICMP Reply Messages    A list of ICMP configurable reply messages and whether they are enabled or disabled.
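A configuration check built on the output format in Figure 2, as an added example that is not part of the release note or the switch software: it parses captured SHOW IP ICMPREPLY output, reports which reply types are still enabled with their RFC 792 type and code, and lists the DISABLE IP ICMPREPLY commands needed to reach a target state. The function names and the policy passed to remediation are assumptions.

```python
import re

# Display name in the SHOW IP ICMPREPLY output -> (ICMPREPLY keyword,
# RFC 792 type, codes), as given in the command descriptions above.
MESSAGES = {
    "Network Unreachable": ("NETUNREACH", 3, (0,)),
    "Host Unreachable": ("HOSTUNREACH", 3, (1,)),
    "Redirect": ("REDIRECT", 5, (0, 1, 2, 3)),
}

# A status row is a name, a run of leader dots, then enabled/disabled.
ROW = re.compile(
    r"^\s*(?P<name>[A-Za-z ]+?)\s*\.{3,}\s*(?P<state>enabled|disabled)\s*$",
    re.IGNORECASE,
)

# Output as shown in Figure 2 of this release note.
FIGURE_2 = "\n".join([
    "SHOW IP ICMP REPLY MESSAGES",
    "-" * 80,
    "ICMP REPLY MESSAGES:",
    "Network Unreachable ................ disabled",
    "Host Unreachable ................... disabled",
    "Redirect ........................... enabled",
    "-" * 80,
])

# Constructed sample: the same output with every reply type enabled.
ALL_ENABLED = FIGURE_2.replace("disabled", "enabled")


def parse_icmpreply(text):
    """Return {keyword: True if enabled} from SHOW IP ICMPREPLY output.

    A row with an unknown name, or a capture missing one of the three
    rows, raises ValueError so a truncated capture cannot pass the audit.
    """
    status = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # banner, rule or heading line
        name = " ".join(match.group("name").split())
        if name not in MESSAGES:
            raise ValueError(f"unrecognised ICMP reply row: {name!r}")
        status[MESSAGES[name][0]] = match.group("state").lower() == "enabled"
    missing = [kw for kw, _, _ in MESSAGES.values() if kw not in status]
    if missing:
        raise ValueError(f"rows missing from output: {missing}")
    return status


def findings(status):
    """Describe each reply type that is enabled, with RFC 792 type and code."""
    out = []
    for name, (keyword, icmp_type, codes) in MESSAGES.items():
        if status[keyword]:
            code_list = ", ".join(str(code) for code in codes)
            out.append(f"{name} enabled (Type {icmp_type} Code {code_list})")
    return out


def remediation(status, must_be_disabled):
    """Return the DISABLE IP ICMPREPLY commands needed to meet the policy.

    must_be_disabled is a set of ICMPREPLY keywords (hypothetical policy).
    """
    known = [kw for kw, _, _ in MESSAGES.values()]
    unknown = sorted(set(must_be_disabled) - set(known))
    if unknown:
        raise ValueError(f"not an ICMPREPLY keyword: {unknown}")
    pending = [kw for kw in known if kw in must_be_disabled and status[kw]]
    if len(pending) == len(known):
        return ["DISABLE IP ICMPREPLY=ALL"]
    return [f"DISABLE IP ICMPREPLY={kw}" for kw in pending]


if __name__ == "__main__":
    current = parse_icmpreply(FIGURE_2)
    for finding in findings(current):
        print("finding:", finding)
    # Hypothetical policy: no redirects and no unreachable replies.
    policy = {"NETUNREACH", "HOSTUNREACH", "REDIRECT"}
    for command in remediation(current, policy):
        print("apply:", command)
```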

Overview of Remote Bridging

This enhancement adds a bridge module to the software supported on the Rapier in order to provide Remote Bridging. In addition to providing the existing switching functionality, the Rapier provides a single bridge entity to enable either, but not both, of the following functions:

VLAN-WAN bridging. This function provides a single WAN connection over either a frame relay or PPP link. This effectively enables a VLAN to be shared over a remote link; or

WAN-WAN bridging. This function provides up to 32 WAN virtual bridge ports.

Although the switch can support multiple VLANs locally, only one VLAN can be assigned to the bridge.

This section describes the syntax of the two new commands required to add or delete a bridge from a VLAN.

There is detailed information about remote bridging, including a configuration example, in the section “Amended Bridging Chapter” on page 45.

Overview of VLAN-WAN Bridging

The boundary of a single Ethernet based LAN is often defined in terms of the devices that are contained within a single broadcast domain, this domain being the area of the local network reachable by a broadcast packet. VLAN-WAN bridging enables devices attached to a local VLAN to be connected via a wide area link to devices located on a remote LAN such that they appear to the network as a single bridged LAN.

New Commands for Configuring a VLAN-WAN Bridge

The following new commands are used to configure VLAN-WAN bridging.

For the complete set of bridge commands, see “Command Reference” on page 55.

ADD VLAN BRIDGE

Syntax

ADD VLAN={vlan-name|1..4094} BRIDGE

where:

vlan-name is a unique name for the VLAN, 1 to 15 characters in length. Valid characters are uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), the underscore character (“_”), and the hyphen character (-). The vlan-name cannot be a number or ALL.

Description

This command enables bridging between switch ports that are members of the specified VLAN, and a single virtual port configured on a bridge. Bridging will only take place when the VLAN is attached to a bridge, the bridge has been configured with a single virtual port, and has been enabled. The VLAN can only attach to a single bridge. Note that a VLAN bridge cannot be created if the device is already configured as a WAN to WAN bridge.

Examples

To attach the training VLAN to the bridge use the command:

ADD VLAN=Training BRIDGE

DELETE VLAN BRIDGE

Syntax

DELETE VLAN={vlan-name|1..4094} BRIDGE

where:

vlan-name is a unique name for the VLAN, 1 to 15 characters in length. Valid characters are uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), the underscore character (“_”), and the hyphen character (-). The vlan-name cannot be a number or ALL.

Description

This command deletes a bridge attachment from the specified VLAN.

Examples

To delete a bridge from the training VLAN use the command:

DELETE VLAN=Training BRIDGE

Amended Bridging Chapter

The following is an amended version of the complete Bridging chapter from the Rapier Switch Software Reference. This chapter contains detailed information about the bridging commands related to the Remote Bridging enhancement.

Introduction

This chapter provides an overview of the bridging function on the Rapier switch. It describes the support for bridging, and explains how to configure and operate the Rapier to act as a bridge in the following modes:

VLAN-WAN bridge

This configuration enables traffic from a single VLAN to be shared across either a PPP link, or frame relay wide area network. For more information, see “Overview of VLAN-WAN Bridging” on page 51.

WAN-WAN bridge

This configuration bridges traffic between two or more virtual ports to link remote WAN connected LANs so as to forward layer two traffic between them. For more information, see “Overview of WAN-WAN Bridging” on page 54.

The WAN-WAN bridging functions and the VLAN-VLAN remote bridging modes cannot operate simultaneously.

To configure layer 2 frame forwarding between switch ports on a local network, use the VLAN configuration described in the Software Reference, Switching chapter.

A bridge that has one or more interfaces connected to a wide area network, is called a remote bridge. These bridges can be used to form extended LANs across a wide area network. A particular adaptation of this device, called a VLAN-WAN bridge, enables terminals attached to a single VLAN to connect to remote terminals across a PPP or Frame Relay wide area network. Note however, that WAN-WAN bridging and VLAN-WAN bridging cannot simultaneously operate within the same device.

For more information, see the sections: “Internal Representation of the WAN-WAN Bridge” on page 51, and “Overview of WAN-WAN Bridging” on page 54.

References

Within this chapter, references are made to the following documents:

Patch Release Note. Release Note: Patch Release 86241-09 for Rapier Series Switches.

Software Reference Switching. Rapier Software Reference, Release 241, RevA, Switching Chapter. http://www.alliedtelesyn.co.nz/documentation/rapier/241/pdf/switch.pdf

Software Reference Preface. Rapier Software Reference, Release 241, RevA, Preface. http://www.alliedtelesyn.co.nz/documentation/rapier/241/pdf/preface.pdf

Software Reference Appendix A, Messages. Rapier Software Reference, Release 241, RevA, Appendix A Messages. http://www.alliedtelesyn.co.nz/documentation/rapier/241/pdf/msg.pdf

Software Reference Operation. http://www.alliedtelesyn.co.nz/documentation/rapier/241/pdf/opr.pdf

IEEE Standard 802.1D-1990, Media Access Control (MAC) Bridges.

IEEE Standard 802.1G Remote MAC Bridging.

The Bridging Process

Bridging comprises two separate but related processes - Learning and Forwarding. Both processes assume that each station on the extended LAN has a unique data link layer address, and that all data link layer frames have a header that includes the source (sender’s) address and destination (recipient’s) address.

In the Rapier, both the learning and forwarding functions are handled in two areas. For virtual ports these functions are handled using the device’s bridge station map; and for switch ports they are handled using the device’s switch forwarding database.

This chapter describes only the learning and forwarding applied to the virtual ports, i.e. those functions that use the bridge station map. For details of learning and forwarding applied to switch ports, refer to these sections within the Software Reference, Switching chapter.

The Learning Process

The learning process uses an adaptive learning algorithm, sometimes called backward learning, to discover the location of each station on the extended LAN.

Learning on a VLAN-WAN Bridge

Since the VLAN-WAN bridge only has one virtual port, and all traffic is passed between this port and the switch module, there is no requirement for the bridge station map to learn addresses. Note, however, that there is a station learning process within this configuration, but this function is handled by the switch forwarding database. For more information, see the Software Reference, Switching chapter.

Learning on a WAN-WAN Bridge

The bridge module receives frames from its virtual ports and compares each frame’s source address against entries listed in its bridge station map. This map contains one entry for every unique station known to the bridge. It also relates each station’s (source) address to a virtual port on the bridge. Using this information, the bridge determines on which virtual port (if any) to transmit frames whose destination address matches the entry in its bridge station map.

If the frame’s source address is not already listed in the bridge station map, the address is added, and an aging timer for that entry is started. If the frame’s source address is listed, the aging timer for that entry is restarted.

If the aging timer for an entry in the bridge station map expires before another frame with the same source address is received, the entry is removed from the map. This prevents it from filling up with information about stations that are inactive, or have been disconnected from the network, while ensuring that entries for active stations are kept alive.

The Bridge Forwarding Process

The bridge forwards received frames that are to be relayed to other ports, filtering out frames on the basis of information contained in the bridge station map.

The destination address of each frame is looked up in the bridge station map. If this address is not found, the bridge floods the frame on all ports except the port on which the frame was received.

This whole process can further be modified by the action of bridge filters. These are configurable filters that enable bridged frames to be checked against a number of entries. If a match is made to a filter entry, the port forwarding permissions of the filter will be applied in addition to those declared in the bridge station map. Note that in the event of a conflict, the permissions of the filter will override those defined in the station map.

Bridge Forwarding on a VLAN-WAN Bridge

Since the VLAN-WAN bridge only has one virtual port, and all traffic passes between this port and the switch module, there are no forwarding decisions to be made. Note however, that the switch module will still make forwarding decisions for VLAN-WAN data received from the bridge module and destined to its local switch ports. Also note that this forwarding process operates only within the VLAN that is declared to the virtual port.

Data frames cross the wide area link untagged and are retagged by the VLAN-WAN bridge. Frames entering the bridge from the wide area network are assigned the VLAN tag that the bridge associates with the link. However, the forwarding process itself is handled by the switch forwarding database. For more information, refer to the Software Reference, Switching.

Bridge Forwarding on a WAN-WAN Bridge

The bridge forwarding process forwards frames that are to be relayed to other virtual ports, filtering out frames on the basis of information contained in the bridge station map.

The bridge first looks at the source address of each frame it receives and adds each new address into its station map; it then looks up each frame’s destination address. If a match is found, the frame will be forwarded to the appropriate virtual port. If a match is not found, then the bridge will flood the virtual ports to locate the device whose address matches that contained within the received frame. Once the source address is located, its forwarding details will be recorded. Subsequent frames bearing this address can then be forwarded directly to the appropriate virtual port.
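The learning, aging and flooding behaviour described above for a WAN-WAN bridge can be modelled in a few lines. This is an added example, not Rapier code: the class and function names, the MAC addresses and the aging value are constructed, and dropping a frame whose destination lies on its arrival port is standard 802.1D behaviour assumed here.

```python
from dataclasses import dataclass

AGING_SECONDS = 300.0  # assumed value; the page does not give the timer length


@dataclass
class Entry:
    port: int             # virtual port the station was seen on
    last_seen: float      # time the aging timer was last (re)started
    static: bool = False  # True for entries added with ADD BRIDGE STATION


class StationMap:
    """Hypothetical model of the bridge station map on a WAN-WAN bridge."""

    def __init__(self, ports, aging=AGING_SECONDS):
        self.ports = set(ports)
        self.aging = aging
        self.learning = True   # False models DISABLE BRIDGE LEARNING
        self.entries = {}      # MAC string -> Entry

    def add_static(self, mac, port):
        """Static entry: never aged out, never overwritten by learning."""
        if port not in self.ports:
            raise ValueError("the specified virtual port must exist")
        self.entries[mac.lower()] = Entry(port, 0.0, static=True)

    def expire(self, now):
        """Drop dynamic entries whose aging timer has run out."""
        stale = [m for m, e in self.entries.items()
                 if not e.static and now - e.last_seen >= self.aging]
        for mac in stale:
            del self.entries[mac]

    def receive(self, src, dst, in_port, now):
        """Learn from the source address, then return the egress port set."""
        src, dst = src.lower(), dst.lower()
        self.expire(now)
        known = self.entries.get(src)
        if self.learning and not (known and known.static):
            # Unknown source: add it and start its timer.
            # Known source: restart the timer (and follow a port change).
            self.entries[src] = Entry(in_port, now)
        hit = self.entries.get(dst)
        if hit is None:
            return self.ports - {in_port}   # unknown destination: flood
        if hit.port == in_port:
            return set()                    # destination is behind the arrival port
        return {hit.port}


def demo():
    """Constructed frames: (source, destination, arrival port, seconds)."""
    a, b, c = "00-00-cd-00-00-0a", "00-00-cd-00-00-0b", "00-00-cd-00-00-0c"
    m = StationMap(ports=[1, 2, 3], aging=10.0)
    out = []
    out.append(m.receive(a, b, 1, 0.0))    # b unknown: flood to ports 2 and 3
    out.append(m.receive(b, a, 2, 1.0))    # a was learned on port 1
    out.append(m.receive(a, b, 1, 2.0))    # b was learned on port 2
    out.append(m.receive(a, b, 1, 12.0))   # b has aged out: flood again
    m.add_static(c, 3)
    m.learning = False
    out.append(m.receive(b, c, 2, 50.0))   # static entry survives aging
    out.append(m.receive(c, a, 3, 50.0))   # a aged out, nothing relearned: flood
    return out, sorted(m.entries)


if __name__ == "__main__":
    print(demo())
```

With learning disabled, every dynamic entry eventually ages out and traffic to those stations is flooded on all other virtual ports, which matters on bandwidth-limited WAN links.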

Ports

Traffic from two distinct types of ports is bridged by the Rapier: switch ports and virtual ports. A switch port presents a MAC and physical level interface to a LAN connected device, and always forms part of a VLAN. The PORT parameter is used in BRIDGE and VLAN commands to specify the virtual ports.

A virtual port can be thought of as being a named connection point for a specific inter-bridge communications path over a wide area network. An important concept is that, as virtual entities, these ports do not represent physical connections, and that a single physical interface may have multiple virtual ports assigned to it. The Rapier supports virtual port connectivity via either point-to-point (PPP) or frame relay network interfaces. When using frame relay, each virtual port is mapped to a frame relay virtual circuit.

The PORT parameter used in BRIDGE commands refers to virtual ports. An individual virtual port number is associated with each link, or frame relay virtual circuit.

Note that spanning tree protocol (STP) is supported over switch ports (see the Software Reference, Switching chapter), but is not supported over the bridge’s virtual ports.

Telnet to a Switch Bridging IP

A device that is bridging a protocol may not also route that protocol. For a switch bridging IP this would mean that an IP interface could not be added and therefore the device could not be managed across a LAN using Telnet. A special case is, therefore, supported for devices bridging IP. A single IP interface can be added to a VLAN interface that is bridging IP, to enable the switch to be accessed via Telnet. To do this, the IP module should be enabled and a single IP interface created on a VLAN.

The configuration must be specifically set to bridge IP and ARP. It is not sufficient to bridge all Ethernet type II packets without specifically bridging IP and ARP packets as well.

Note that Telnet is not supported over WAN links.

Support for Bridging

The implementation of the bridge module in the switch follows the IEEE 802.1D-1990 Standard, “Media Access Control (MAC) Bridges”.

The IEEE Standard 802.1G “Remote MAC Bridging” does not specify any mechanisms (protocols, procedures, communication technologies, etc.) for transporting frames between remote bridges over virtual ports. The implementation of the bridge module in the switch follows the IEEE 802.1D-1990 Standard, “Media Access Control (MAC) Bridges”. WAN ports will be either Frame Relay interfaces, as specified in RFC 1490; or PPP interfaces, as specified in RFC 2878.

The bridge module provides the following functionality:

Dynamic configuration, via management commands or SNMP requests.

Configuration changes within the bridge module take effect immediately without requiring either the bridge module or the switch to be reset.

Management of the bridge station map.

Learning of MAC addresses.

Filtering and forwarding of packets. The bridge module accepts all packets on its interfaces and forwards them with no distinction between protocols.

Support for virtual ports over point-to-point (PPP) interfaces and frame relay interfaces.

Support for on-demand ports over PPP interfaces.

Operation of configurable bridge filters which further modify the filtering and forwarding processes as defined above.

Attachment to a VLAN to provide Remote Bridging

Remote Bridging

Network bridging originally developed as a means of extending the boundaries of local area network connections. However, the increasing need to interconnect remotely located LANs has resulted in two different technology directions.

1. To extend layer two connectivity, enabling it to interface to wide area networks (WANs) - Remote Bridging/Layer Two Switching.

2. To connect remote LANs at layer three utilising the internet protocol (IP) or similar - Network Routing/Layer Three Switching.

Two remote bridge configurations are supported by the Rapier, VLAN-WAN bridging, and WAN-WAN bridging. The following sections describe the function of each configuration.

Internal Representation

The Rapier contains both a layer two switch and a bridge module. Therefore certain layer two functions are configured using the switch and VLAN commands, while others use the bridge commands. The internal structures of the two configuration modes, VLAN-WAN and WAN-WAN, are slightly different; the function of each is as follows.

Internal Representation of a VLAN-WAN Bridge

Figure 3 shows an internal representation of the VLAN-WAN bridge configuration.

Figure 3: Internal representation of a VLAN-WAN bridge

[Diagram labels: Switch Module, Switch Forwarding Database, Switch Ports, VLAN A, Internal Connection, Bridge Module, Single Virtual Port.]

Local ports connect to the switch module as VLAN members and provide layer two connectivity for their attached terminals. An internal data path (shown by the horizontal grey arrow) provides connectivity between the two modules. All station address learning is achieved using the switch’s forwarding database.

From the diagram it can be seen that configurations relating to the LAN switch ports are made using the switch and VLAN commands and configurations relating to the WAN virtual ports are made using the bridge commands.

The bridge and switch symbols shown in this diagram are only internal functional representations, and are not stand alone devices.

Internal Representation of the WAN-WAN Bridge

Figure 4 shows an internal representation of the WAN-WAN bridge configuration.

Figure 4: Internal representation of WAN-WAN bridge

[Diagram labels: Switch Module, Switch Forwarding Database, Switch Ports, VLAN A, VLAN B, No Internal Connection, Bridge Module, Bridge Station Map, Multiple Virtual Ports.]

Local ports connect to the switch module as VLAN members and provide layer two connectivity for their attached terminals. WAN connected virtual ports connect to a bridge module to provide WAN to WAN bridging. Accordingly, station learning occurs in two separate locations: the Bridge Station Map for the virtual (WAN) ports, and the Switch Forwarding Database for the local ports. Unlike the VLAN-WAN configuration, there is no communication path between the switch and bridge modules. The LAN switch ports are configured using the switch commands and the WAN virtual ports are configured using the bridge commands.

It is important to remember that the bridge and switch symbols shown in this diagram are only internal functional representations, and do not represent stand alone devices.

Overview of VLAN-WAN Bridging

It is generally better to route a protocol than to bridge it. Sometimes however, bridging can provide a more appropriate solution, particularly where unroutable upper layer protocols are used. These protocols sometimes produce high levels of broadcast messages that can overload a network, an effect that gets progressively worse as the number of devices increases. Although this situation may not pose a problem to the high bandwidths available on local area networks, it could heavily congest the more limited bandwidths available on wide area links. This effect can be reduced by adding a VLAN to a bridge and then limiting the VLAN to only those devices requiring wide area connections.

VLAN-WAN Bridge Configuration

Figure 5 shows a simple remote VLAN connection. A company has its head office at location A and its training centre at location B. In location B, a training server provides computer based training programs that are accessible from selected user PCs located at both sites. Unfortunately, the training application operates over an unroutable protocol.

To solve this problem, a single VLAN is created for the training PCs and a remote VLAN connection enables only the training PCs to access the wide area link.

Figure 5: Example configuration for a remotely bridged VLAN.

[Diagram labels: Bridge A with Switch Port 11, Switch Port 12 and (Virtual) Port 1; Frame Relay or PPP Link; Bridge B with (Virtual) Port 1, Switch Port 21 and Switch Port 22; Training VLAN VID=2 at each bridge; Training Server.]

Table 13: VLAN membership of example of a network using tagged ports.

| VLAN | Member ports |
|------|--------------|
| Training | 11, 12 on Bridge A; 21, 22 on Bridge B |

To configure VLAN-WAN bridge A

1. Create the VLAN to be used for the training devices.

Because the default VLAN with VID 1 may already exist, VLAN with VID 2 is assigned for the training devices:

CREATE VLAN=Training VID=2

2. Add switch ports to the VLAN.

Add switch ports to the Training VLAN using the following command:

ADD VLAN=Training PORT=11,12

3. Add the VLAN to the bridge.

Add the VLAN to the bridge using the following command:

ADD VLAN=2 BRIDGE

4. Create a WAN interface.

Create a PPP interface over a synchronous port or other interface:

CREATE PPP=0 OVER=syn0

5. Configure the bridge ports.

Enable the bridge module and add the PPP interface as a virtual port by using the following commands:

ENABLE BRIDGE

ADD BRIDGE PORT=1 INT=PPP0

To configure VLAN-WAN bridge B

1. Create the Training VLAN.

Create the Training VLAN with VID 2 that will be used for VLAN-WAN bridging:

CREATE VLAN=Training VID=2

2. Add switch ports to the VLAN.

Add switch ports to the Training VLAN using the following command:

ADD VLAN=Training PORT=21,22

3. Add the VLAN to the bridge.

Add the VLAN to the bridge using the following command:

ADD VLAN=2 BRIDGE

4. Create a WAN interface.

Create a PPP interface over a synchronous port or other interface:

CREATE PPP=0 OVER=syn0

5. Configure the bridge ports.

Enable the bridge module and add the PPP interface as a virtual port by using the following commands:

ENABLE BRIDGE

ADD BRIDGE PORT=1 INT=PPP0

For more information about configuring frame relay and PPP, see the Software Reference, Frame Relay and PPP chapters.
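A configuration script for one device can be checked offline against the VLAN-WAN rules this note states: the vlan-name syntax, a single virtual port, an enabled bridge, and no attachment on a device that is already a WAN-WAN bridge. The following is an added example, not a tool from Allied Telesyn; the function names, finding labels and the second script are constructed, only the unabbreviated keywords used on this page are recognised, and naming the VID 1 VLAN "default" is an assumption.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")


def valid_vlan_name(name):
    """vlan-name rule: 1 to 15 characters from A-Z a-z 0-9 _ -,
    and neither a number nor ALL."""
    return (bool(NAME_RE.fullmatch(name)) and not name.isdigit()
            and name.upper() != "ALL")


def parse(line):
    """'ADD VLAN=2 BRIDGE' -> (['ADD', 'VLAN', 'BRIDGE'], {'VLAN': '2'})"""
    words, params = [], {}
    for token in line.split():
        key, sep, value = token.partition("=")
        words.append(key.upper())
        if sep:
            params[key.upper()] = value
    return words, params


def audit(script):
    """Return [(line_no, finding)]; line 0 marks an end-of-script finding."""
    vlans = {"default": "1"}    # name -> VID (assumed name for the VID 1 VLAN)
    attached, vports, enabled = set(), set(), False
    findings = []

    def vid_of(ref):
        return ref if ref.isdigit() else vlans.get(ref.lower())

    for no, line in enumerate(script.splitlines(), 1):
        words, p = parse(line)
        if words[:2] == ["CREATE", "VLAN"]:
            if not valid_vlan_name(p["VLAN"]):
                findings.append((no, "invalid-vlan-name"))
            vlans[p["VLAN"].lower()] = p.get("VID")
        elif words == ["ADD", "VLAN", "BRIDGE"]:
            vid = vid_of(p["VLAN"])
            if vid is None or vid not in vlans.values():
                findings.append((no, "unknown-vlan"))
            if len(vports) >= 2:
                # Two or more virtual ports: the device is a WAN-WAN bridge.
                findings.append((no, "already-wan-wan-bridge"))
            attached.add(vid or p["VLAN"].lower())
        elif words == ["DELETE", "VLAN", "BRIDGE"]:
            attached.discard(vid_of(p["VLAN"]) or p["VLAN"].lower())
        elif words[:3] == ["ADD", "BRIDGE", "PORT"]:
            vports.add(int(p["PORT"]))
            if attached and len(vports) > 1:
                findings.append((no, "second-virtual-port-in-vlan-wan-mode"))
        elif words[:3] == ["DELETE", "BRIDGE", "PORT"]:
            vports.discard(int(p["PORT"]))
        elif words in (["ENABLE", "BRIDGE"], ["DISABLE", "BRIDGE"]):
            enabled = words[0] == "ENABLE"
    if attached and not enabled:
        findings.append((0, "bridge-not-enabled"))
    if attached and not vports:
        findings.append((0, "no-virtual-port"))
    return findings


# Bridge A exactly as configured in the steps above.
BRIDGE_A = """
CREATE VLAN=Training VID=2
ADD VLAN=Training PORT=11,12
ADD VLAN=2 BRIDGE
CREATE PPP=0 OVER=syn0
ENABLE BRIDGE
ADD BRIDGE PORT=1 INT=PPP0
""".strip()

# Constructed script that breaks several of the stated rules.
DRIFTED = """
CREATE VLAN=ALL VID=3
ADD BRIDGE PORT=1 INT=PPP0
ADD BRIDGE PORT=2 INT=FR1 CIRCUIT=23
ADD VLAN=Training BRIDGE
""".strip()

if __name__ == "__main__":
    print(audit(BRIDGE_A))
    print(audit(DRIFTED))
```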

Overview of WAN-WAN Bridging

This configuration is used to forward frames between two or more LANs connected via a wide area network and using either frame relay or PPP. In this configuration the bridge acts simply as a layer two forwarding device and is unable to forward traffic from the wide area network to its own LAN ports.

WAN-WAN Bridge Configuration

The diagram below shows a possible WAN-WAN bridge configuration.

Figure 6: Example configuration of a WAN to WAN bridge

[Diagram labels: Bridge A, Bridge C, (Virtual) Port 1 and (Virtual) Port 2, each on a Frame Relay or PPP Link.]

Command Reference

This section describes the commands available on the Rapier to enable, configure, control and monitor the bridge module.

See Conventions on page ci of Preface in the Software Reference, for details of the conventions used to describe command syntax. See the Software Reference, Appendix A, Messages, for a complete list of messages and their meanings.

ADD BRIDGE FILTER

Syntax

ADD BRIDGE FILTER=1..99 [ENTRY=entry]
[SADDRESS<sep1>macadd [SMASK=macadd]]
[DADDRESS<sep1>macadd [DMASK=macadd]]
[ENCAPSULATION<sep1>{802|ETHII|SNAP|NOVELL}
[DISCRIMINATOR<sep1>protocoltype]] [SIZE<sep2>1..65535]
[OFFSET=1..1500 DATA<sep1>datastring]
[TYPE<sep1>{UNICAST|MULTICAST|BROADCAST|ANY}]
PORT={ALL|NONE|1..32[,1..32]...}

where:

datastring is a hex number, up to 32 hex digits long, that represents a sequence of bytes to match packet data. The number of hex digits must be even.

entry is a filter entry number in the range 1 to n+1, where n is the number of filter entries currently defined in the filter.

macadd is an Ethernet six-octet MAC address, expressed as six pairs of hexadecimal digits delimited by hyphens.

protocoltype is either a valid protocol number or a recognised protocol name. A protocol number can be either 1 byte for SAP, 2 bytes for ETHII or 5 bytes for an 802.2 SNAP type packet, and is specified in hexadecimal.

sep1 is a separator, one of “=” (is equal to) or “!=” (is not equal to).

sep2 is a separator, one of “>=” (is greater than or equal to) or “<=” (is less than or equal to).

Description

This command adds a single filter entry to the bridge access filters. This entry is a condition that will be imposed on all frames passing through the filter.

Filter entries are applied in the order determined by the ENTRY list and operate such that frames matching the selection criteria are passed only to the ports defined by the PORT parameter. Filtering may be based on the following frame components: source and destination MAC addresses, frame encapsulation, protocol and discriminator size, broadcast type, and data content.

Note that these filters operate only on the virtual ports, on ingress, and determine which ports each frame can be forwarded to. Filtering on switch ports is an entirely separate, and simultaneously operating, process. See the Software Reference, Switching chapter for more details of filtering on switch ports.

The DADDRESS parameter specifies the value that is matched against the destination MAC address of frames being filtered. If the DMASK parameter is supplied, the destination MAC addresses are masked with the specified value prior to comparison with DADDRESS. The default is to match any destination MAC address.

The DATA parameter specifies the data to match, starting at the offset given by the OFFSET parameter. Up to 16 bytes of data can be matched, to either check that the data is present (=) or is not present (!=). If the DATA parameter is specified, the OFFSET parameter must also be specified.

The DISCRIMINATOR parameter specifies a value to match in the protocol field of the frame. For Ethernet-II frames, an 8-bit value (two hexadecimal digits) is required. For 802.2 frames, a 16-bit value (four hexadecimal digits) is required. For SNAP frames a 5-byte value (ten hexadecimal digits) is required.

Optionally, a keyword like the keywords used in the ADD BRIDGE STATION command on page -58 may be entered, except that the keywords “ALL802”, “ALLETHII”, “ALLSNAP” and “NOVELL” are not allowed. If DISCRIMINATOR is specified, the ENCAPSULATION parameter must also be present and specify an encapsulation other than NOVELL, and the separator used with the ENCAPSULATION parameter must be “=”.

The DMASK parameter specifies a (bitwise) mask to apply to destination MAC addresses from frames prior to comparison with the DADDRESS value. If DMASK is specified, DADDRESS must also be specified. The default is FF-FF-FF-FF-FF-FF.

The ENCAPSULATION parameter specifies the format of the frames that will match this filter entry. The four possible settings correspond to the frame types supported by the bridge module—Ethernet-II, IEEE 802.2, SNAP and Novell’s 802.3 format. The default is to match any type of frame. This parameter must be specified if the DISCRIMINATOR parameter is used.

The ENTRY parameter specifies where in a filter list the new entry will be added. If ENTRY is not specified the new entry will be appended to the end of the filter list. If specified, its value can not be greater than one more than the number of entries in the list.

The FILTER parameter specifies the filter to which the entry will be added. If the filter does not exist, it will be created. In this case, ENTRY must either be unspecified or be set to 1.

The OFFSET parameter indicates an offset in the Ethernet packet being checked for filtering, starting at the first octet in the user data part of the packet. Source and destination address, layer 2 fields and protocol type fields are not part of the user data. The first octet in the user data is at offset 1 for the purposes of data filtering. The OFFSET parameter must be specified if the DATA parameter is specified, and is invalid otherwise.

The PORT parameter specifies the virtual ports that a frame matching this filter entry may be forwarded over. If ALL is specified, the frame is eligible for forwarding over all bridge virtual ports. Note that only a single virtual port may be configured to a switch operating in the remote VLAN mode. If NONE is specified, the frame may not be forwarded, and should be discarded. If a comma-separated list of virtual ports is specified, the frame forwarding procedure decides which of the specified ports should receive the frame based upon its analysis of the bridged traffic. Switch ports are unaffected by this command.

The SADDRESS parameter specifies the value to match against the source MAC address in a frame. If the SMASK parameter is supplied, it is used to bitwise-AND the source MAC address from the frame prior to comparison with SADDRESS. The default is to match any source MAC address.

The SIZE parameter specifies the size of frames matching this filter entry. The size of the frame is taken by excluding the address, type/length field and protocol discriminator. Any value from 1 to 65535 may be entered, but only a subset of this range is sensible in most networks. For example, the size of an Ethernet frame is between 64 and 1518 bytes (extended to 1522 if VLAN tagging is employed). The separator for this parameter must be one of “<=” or “>=”, which means that the filter entry always matches a range of frame sizes. The default is to match any frame size.

The SMASK parameter specifies a (bitwise) mask to apply to source MAC addresses from frames prior to comparison with the SADDRESS value. If SMASK is specified, SADDRESS must also be specified. The default is FF-FF-FF-FF-FF-FF.

The TYPE parameter specifies the broadcast/multicast type to match. If BROADCAST is specified, the filter matches broadcast frames with destination MAC address FF-FF-FF-FF-FF-FF. If MULTICAST is specified, the filter matches all non-unicast frames with the multicast bit set in the first octet of the MAC address (including broadcast frames). If UNICAST is specified, the filter matches frames directed to a particular station. The default is to match any type.

Examples

To add a filter entry to bridge filter number 1 that rejects any 802.2-framed IP ARP frames from station 00-00-cd-12-34-56, use the command:

ADD BRIDGE FILTER=1 SADDRESS=00-00-CD-12-34-56
ENCAPSULATION=802 DISCRIMINATOR=0806 PORT=NONE

To add an entry to filter 1 that rejects frames which have a destination address of ff-ff-ff-ff-ff-ff, Novell encapsulation, and in which the byte at offset 47 in the data field is not 41, use the command:

ADD BRIDGE FILTER=1 DADDR=ff-ff-ff-ff-ff-ff ENCAP=novell
OFFSET=47 DATA!=41 PORT=NONE

Where a filter is applied, frames not meeting the criteria in at least one filter entry are discarded. A general filter entry can be added to the end of a new filter to ensure that frames not explicitly filtered out are passed on by the filter, if this is required. The command ADD BRIDGE FILTER=1 PORT=ALL will achieve this.
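The matching rules above (address masks, TYPE, OFFSET/DATA, SIZE, and the discard of frames that match no entry) can be traced with a small evaluator. This is an added example, not the switch's implementation: names and sample frames are constructed, ENCAPSULATION and DISCRIMINATOR are left out, addresses support only the “=” separator, SIZE is taken as the length of the user data, and stopping at the first matching entry is an assumption drawn from "applied in the order determined by the ENTRY list".

```python
from dataclasses import dataclass


def mac(text):
    """'00-00-cd-12-34-56' -> 48-bit integer."""
    octets = text.split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("expected six hyphen-delimited hex pairs: " + text)
    return int("".join(octets), 16)


ALL_ONES = mac("ff-ff-ff-ff-ff-ff")   # broadcast address and default mask


@dataclass
class Frame:
    src: int
    dst: int
    data: bytes    # user data only; data[0] is OFFSET=1


@dataclass
class FilterEntry:
    ports: object                # "ALL", or a set of virtual ports (empty = NONE)
    saddress: int = None
    smask: int = ALL_ONES
    daddress: int = None
    dmask: int = ALL_ONES
    ftype: str = "ANY"
    offset: int = None
    data: bytes = None
    data_present: bool = True    # True for DATA=, False for DATA!=
    size: tuple = None           # ("<=", n) or (">=", n)

    def matches(self, f):
        # The mask is applied to the frame's address only, so an SADDRESS or
        # DADDRESS with bits set outside its mask can never match.
        if self.saddress is not None and (f.src & self.smask) != self.saddress:
            return False
        if self.daddress is not None and (f.dst & self.dmask) != self.daddress:
            return False
        multicast = bool((f.dst >> 40) & 1)     # low bit of the first octet
        if self.ftype == "BROADCAST" and f.dst != ALL_ONES:
            return False
        if self.ftype == "MULTICAST" and not multicast:
            return False
        if self.ftype == "UNICAST" and multicast:
            return False
        if self.data is not None:
            start = self.offset - 1
            found = f.data[start:start + len(self.data)] == self.data
            if found != self.data_present:
                return False
        if self.size is not None:
            op, n = self.size
            if not (len(f.data) <= n if op == "<=" else len(f.data) >= n):
                return False
        return True


def permitted_ports(entries, frame, all_ports):
    """Virtual ports the frame may be forwarded over; empty set = discard."""
    for entry in entries:            # ENTRY order, first match decides (assumed)
        if entry.matches(frame):
            return set(all_ports) if entry.ports == "ALL" else set(entry.ports)
    return set()                     # matched no entry: discarded


STATION = mac("00-00-cd-12-34-56")
FILTER_1 = [
    # The page's second example without ENCAP=novell:
    # DADDR=ff-ff-ff-ff-ff-ff OFFSET=47 DATA!=41 PORT=NONE
    FilterEntry(ports=set(), daddress=ALL_ONES, offset=47,
                data=bytes.fromhex("41"), data_present=False),
    # Constructed: SADDRESS=00-00-cd-00-00-00 SMASK=ff-ff-ff-00-00-00 PORT=1
    FilterEntry(ports={1}, saddress=mac("00-00-cd-00-00-00"),
                smask=mac("ff-ff-ff-00-00-00")),
    # The page's catch-all: ADD BRIDGE FILTER=1 PORT=ALL
    FilterEntry(ports="ALL"),
]


def demo():
    """Constructed frames run through FILTER_1 on a bridge with ports 1, 2."""
    ok = Frame(STATION, ALL_ONES, bytes(46) + b"\x41")
    bad = Frame(STATION, ALL_ONES, bytes(46) + b"\x42")
    short = Frame(STATION, ALL_ONES, b"\x41" * 10)   # no byte at offset 47
    other = Frame(mac("00-a0-d2-00-00-01"), STATION, bytes(60))
    return [permitted_ports(FILTER_1, f, {1, 2}) for f in (ok, bad, short, other)]
```

A frame too short to contain the offset satisfies a DATA!= entry, so the first entry also discards undersized broadcasts.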

See Also

DELETE BRIDGE FILTER

SET BRIDGE FILTER

SHOW BRIDGE FILTER

ADD BRIDGE PORT

Syntax

ADD BRIDGE PORT=1..32 INTERFACE=interface [CIRCUIT=circuit]

where:

interface is a valid interface name formed by concatenating an interface type and an interface instance, e.g. PPP0.

circuit is a circuit number within an interface that supports multiple logical connections per physical connection. For a Frame Relay interface, circuit maps to a DLCI. Bridging is not supported over X.25 interfaces.

Description

This command adds an interface as a virtual port on the bridge module. The command must be executed for each interface that is to be added. The bridge module will not become active until at least two ports have been added, or a single virtual port has been added and the bridge has also been added to a VLAN. See the ADD VLAN BRIDGE command on page -44 of Patch Release Note 86241-09.

The PORT parameter specifies a unique virtual port to be added to the bridge. When operating the bridge in the VLAN-WAN mode, it can only have one virtual port. If there are already two or more virtual ports on the bridge, the DELETE BRIDGE PORT command should be used to reduce the number of virtual ports to one.

The INTERFACE parameter specifies the PPP or frame relay interface to be added to a virtual port.

The CIRCUIT parameter is only used when connecting to a frame relay interface. It specifies the frame relay DLCI that is assigned to the port.

Example

To add DLCI 23 on frame relay interface 1 to the bridge as virtual port 2, use the command:

ADD BRIDGE PORT=2 INTERFACE=FR1 CIRCUIT=23

See Also

DELETE BRIDGE PORT

SHOW BRIDGE PORT

ADD VLAN BRIDGE

ADD BRIDGE STATION

Syntax

ADD BRIDGE STATION=macadd PORT=1..32

where:

macadd is an Ethernet six-octet MAC address, expressed as six pairs of hexadecimal digits delimited by hyphens.

Description

This command adds a single entry to the bridge station map. The bridge station map is a list of all Ethernet addresses known to the bridge, associated with the virtual port down which that station can be found. Normally, bridge station map entries are learned by inspecting the frames that the bridge receives, but this command exists to add static entries to the bridge station map. Note that the bridge station map is not active while the bridge is operating in the VLAN-WAN mode.

The entries added to the bridge station map by this command become part of the bridge module configuration, so can be saved with the CREATE CONFIG command. See the Software Reference, Operation chapter.

The STATION parameter specifies the MAC address of the station being added to the bridge station map.

The PORT parameter specifies the virtual port out which the station is found. The specified virtual port must exist.

Examples

To add a bridge station map entry for MAC address 00-00-cd-12-34-56, which is reached via virtual port 1, use the command:

ADD BRIDGE STATION=00-00-CD-12-34-56 PORT=1

See Also

DELETE BRIDGE STATION

SHOW BRIDGE STATION

DELETE BRIDGE FILTER

Syntax

DELETE BRIDGE FILTER=1..99 [ENTRY=entry]

where:

entry is a filter entry number, in the range 1 to n+1, where n is the number of filter entries currently defined in the filter.

Description

This command deletes a single bridge filter entry, or an entire filter.

The FILTER parameter specifies the bridge filter containing the filter entry to be deleted. The filter must exist.

The ENTRY parameter specifies the particular filter entry within the selected filter to be deleted. The filter entry must exist. If a filter entry is not specified, the entire filter is deleted.

Bridge filtering is inactive in the Remote VLAN mode.

Examples

To delete filter entry 2 within bridge filter 3, use the command:

DELETE BRIDGE FILTER=3 ENTRY=2

See Also

ADD BRIDGE FILTER

SET BRIDGE FILTER

SHOW BRIDGE FILTER

DELETE BRIDGE PORT

Syntax

DELETE BRIDGE PORT=1..32

Description

This command removes a virtual port from use by the bridge module.

Examples

To delete bridge virtual port 2, use the command:

DELETE BRIDGE PORT=2

See Also

ADD BRIDGE PORT

SET BRIDGE PORT

SHOW BRIDGE PORT

DELETE BRIDGE STATION

Syntax

DELETE BRIDGE STATION=macadd PORT=1..32

where:

macadd is an Ethernet six-octet MAC address, expressed as six pairs of hexadecimal digits delimited by hyphens.

Description

This command deletes a single entry from the bridge station map. This is a list of all Ethernet addresses known to the bridge, associated with the virtual port down which that station can be found. This command will delete one of these entries, including entries that have been learned in the filtering and forwarding process, but not addresses of type “self”.

The STATION parameter specifies the MAC address of the station being deleted from the bridge station map.

The PORT parameter specifies the virtual port over which the station is found.

This must be specified in order to locate the bridge station map entry correctly.

The bridge station map is inactive in the Remote VLAN mode.

Examples

To delete the bridge station map entry for MAC address 00-00-cd-12-34-56, which is out virtual port 1, use the command:

DELETE BRIDGE STATION=00-00-CD-12-34-56 PORT=1

See Also

ADD BRIDGE STATION

SHOW BRIDGE STATION


DISABLE BRIDGE

Syntax

DISABLE BRIDGE

Description

This command disables the bridge module. The change will take effect immediately.

Examples

To disable bridging, use the command:

DISABLE BRIDGE

See Also

ENABLE BRIDGE

PURGE BRIDGE

RESET BRIDGE


DISABLE BRIDGE LEARNING

Syntax

DISABLE BRIDGE LEARNING

Description

This command disables the dynamic learning and updating of the bridge station map.

If bridge learning is disabled and the ageing timer has aged out all dynamically learned entries, only statically entered MAC source addresses will be used to decide which packets to forward or discard. If no matching entries are found in the bridge station map during the forwarding process, then all virtual ports on the bridge will be flooded with the frame, except the port on which the frame was received.

Bridge learning is inactive in the VLAN-WAN mode.

Examples

To disable the bridge learning function, use the command:

DISABLE BRIDGE LEARNING

See Also

ENABLE BRIDGE LEARNING

SHOW BRIDGE

ENABLE BRIDGE

Syntax

ENABLE BRIDGE

Description

This command enables the bridge module. The change will take effect immediately. The bridge module must be properly configured and enabled before it will become active. If the bridge module has not previously been configured, then all (requisite) parameters will be set to their defaults.


Examples

To enable bridging, use the command:

ENABLE BRIDGE

See Also

DISABLE BRIDGE

PURGE BRIDGE

RESET BRIDGE


ENABLE BRIDGE LEARNING

Syntax

ENABLE BRIDGE LEARNING

Description

This command enables the dynamic learning and updating of the bridge station map.

Examples

To enable the bridge learning function, use the command:

ENABLE BRIDGE LEARNING

See Also

DISABLE BRIDGE LEARNING

SHOW BRIDGE

PURGE BRIDGE

Syntax

PURGE BRIDGE

Description

This command will remove all bridge configuration information and restore all defaults. The command should be used before making major changes to the configuration data.

Examples

To purge the current bridge configuration, use the command:

PURGE BRIDGE

See Also

DISABLE BRIDGE

ENABLE BRIDGE

RESET BRIDGE

RESET BRIDGE

Syntax

RESET BRIDGE

Description

This command resets the bridge module. The dynamic filtering database is cleared and initialized with entries from the permanent filtering database, and the bridge protocol entity is initialised.

Examples

To reset the bridge module, use the command:

RESET BRIDGE


See Also

DISABLE BRIDGE

ENABLE BRIDGE

PURGE BRIDGE


SET BRIDGE AGEINGTIMER

Syntax

SET BRIDGE AGEINGTIMER=10..1000000

Description

This command sets the threshold value, in seconds, of the ageing timer, after which a dynamic entry in the filtering database is automatically removed. The default value is 300 seconds.

Examples

To set the ageing timer to 180 seconds, use the command:

SET BRIDGE AGEINGTIMER=180

See Also

SHOW BRIDGE

SHOW BRIDGE FILTER

SET BRIDGE FILTER

Syntax

SET BRIDGE FILTER=1..99 ENTRY=entry [SADDRESS<sep1>macadd

[SMASK=macadd]] [DADDRESS<sep1>macadd [DMASK=macadd]]

[ENCAPSULATION<sep1>{802|ETHII|SNAP|NOVELL}

[DISCRIMINATOR<sep1>protocoltype]] [SIZE<sep2>1..65535]

[OFFSET=1..1500 DATA<sep1>datastring]

[TYPE<sep1>{UNICAST|MULTICAST|BROADCAST|ANY}]

PORTS={ALL|NONE|1..32[,1..32]...}

where:

entry is a filter entry number, in the range 1 to n, where n is the number of filter entries currently defined in the filter.

macadd is an Ethernet six-octet MAC address, expressed as six pairs of hexadecimal digits delimited by hyphens.

protocoltype is either a valid protocol number or a recognised protocol name. A protocol number can be either 1 byte for SAP, 2 bytes for ETHII or 5 bytes for an 802.2 SNAP type packet, and is specified in hexadecimal.

sep1 is a separator, one of “=” (is equal to) or “!=” (is not equal to).

sep2 is a separator, one of “>=” (is greater than or equal to) or “<=” (is less than or equal to).

Description

This command modifies the settings of a single bridge access filter entry. This entry is a condition that will be imposed on frames passing through the filter.

Filter entries are applied in the order determined by the ENTRY list and operate such that frames matching the selection criteria are passed only to the ports defined by the PORT parameter. Filtering may be based on the following frame components: source and destination MAC addresses, frame encapsulation, size, broadcast type, protocol discriminator, and contents of data.


The ENTRY parameter specifies the filter entry to be modified. The specified filter entry must exist.

The DADDRESS parameter specifies the value to match against the destination MAC address from frames being filtered. If the DMASK parameter is supplied, the destination MAC addresses are masked with the specified value prior to comparison with DADDRESS. The default is to match any destination MAC address.

The DATA parameter specifies the data to match, starting at the offset given by the OFFSET parameter. Up to 16 bytes of data can be matched, to either check that the data is present (=) or is not present (!=). If the DATA parameter is specified, the OFFSET parameter must also be specified.

The DMASK parameter specifies a (bitwise) mask to apply to destination MAC addresses from frames prior to comparison with the DADDRESS value. If DMASK is specified, DADDRESS must also be specified. The default is FF-FF-FF-FF-FF-FF.

The DISCRIMINATOR parameter specifies a value to match in the protocol field of the frame. For Ethernet-II frames, an 8-bit value (two hexadecimal digits) is required. For 802.2 frames, a 16-bit value (four hexadecimal digits) is required. For SNAP frames a 5-byte value (ten hexadecimal digits) is required.

Optionally, a keyword like the keywords used in the ADD BRIDGE STATION command on page -58 may be entered, except that the keywords “ALL802”, “ALLETHII”, “ALLSNAP” and “NOVELL” are not allowed. If DISCRIMINATOR is specified, the ENCAPSULATION parameter must also be present and specify an encapsulation other than NOVELL, and the separator used with the ENCAPSULATION parameter must be “=”.

The ENCAPSULATION parameter specifies the format of the frames that will match this filter entry. The four possible settings correspond to the frame types supported by the bridge module: Ethernet-II, IEEE 802.2, SNAP and Novell’s 802.3 format. The default is to match any type of frame. This parameter must be specified if the DISCRIMINATOR parameter is used.

The FILTER parameter identifies the filter containing the entry to be modified. The specified filter must exist.

The OFFSET parameter indicates an offset in the Ethernet packet being checked for filtering, starting at the first octet in the user data part of the packet. Source and destination address, layer 2 fields and protocol type fields are not part of the user data. The first octet in the user data is at offset 1 for the purposes of data filtering. The OFFSET parameter must be specified if the DATA parameter is specified, and is invalid otherwise.

The PORT parameter specifies the virtual ports that a frame matching this filter entry may be forwarded over. If ALL is specified, the frame is eligible for forwarding over all bridge virtual ports. If NONE is specified, the frame may not be forwarded, and should be discarded. If a comma-separated list of virtual ports is specified, the frame forwarding procedure decides which of the specified virtual ports should receive the frame based upon its analysis of the bridged traffic. The command has no effect on switch ports.

The SADDRESS parameter specifies the value to match against the source MAC address in a frame. If the SMASK parameter is supplied, it is used to bitwise-AND the source MAC address from the frame prior to comparison with SADDRESS. The default is to match any source MAC address.


The SIZE parameter specifies the size of frames matching this filter entry. The size of the frame is taken by excluding the address, type/length field and protocol discriminator. Any value from 1 to 65535 may be entered, but only a subset of this range is sensible in most networks. For example, the size of an Ethernet frame is between 64 and 1514 bytes. The separator for this parameter must be one of “<=” or “>=”, which means that the filter entry always matches a range of frame sizes. The default is to match any frame size.

The SMASK parameter specifies a (bitwise) mask to apply to source MAC addresses from frames prior to comparison with the SADDRESS value. If SMASK is specified, SADDRESS must also be specified. The default is FF-FF-FF-FF-FF-FF.

The TYPE parameter specifies the broadcast/multicast type to match. If BROADCAST is specified, the filter matches broadcast frames with destination MAC address FF-FF-FF-FF-FF-FF. If MULTICAST is specified, the filter matches all non-unicast frames with the multicast bit set in the first octet of the MAC address (including broadcast frames). If UNICAST is specified, the filter matches frames directed to a particular station. The default is to match any type.

The SET BRIDGE FILTER command does not allow options that were previously on to be turned off. For example, if a filter entry on source address was created with a command like ADD BRIDGE FILTER=1 SA=00-00-cd-00-00-00 SM=ff-ff-ff-00-00-00, it is not possible to set the filter to not filter on source address with the SET BRIDGE FILTER command. In this case the filter entry should be deleted and a new one created.

Examples

To modify filter entry 4 on filter 2 to apply to SNAP format frames, use the command:

SET BRIDGE FILTER=2 ENTRY=4 ENCAPSULATION=SNAP

Where a filter is applied, frames not meeting the criteria in at least one filter entry are discarded.

See Also

ADD BRIDGE FILTER

DELETE BRIDGE FILTER

SHOW BRIDGE FILTER
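The matching rules described above for SET BRIDGE FILTER (masked address comparison, TYPE, SIZE, and discard of frames that match no entry), modelled in Python as an added example that is not Allied Telesyn code. The class and function names are hypothetical, first-match evaluation is an assumption inferred from the counter relationships given under SHOW BRIDGE FILTER, and the frames are constructed.

```python
from dataclasses import dataclass
from typing import Optional


def mac(text: str) -> int:
    """Parse the page's macadd form (six hyphen-delimited hex pairs) into an int."""
    parts = text.split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a six-octet MAC address: {text!r}")
    return int("".join(parts), 16)


BROADCAST = mac("ff-ff-ff-ff-ff-ff")


@dataclass
class Entry:
    ports: str                       # "ALL", "NONE" or a list such as "1,2"
    saddress: Optional[int] = None   # None = match any source address
    smask: int = BROADCAST           # default mask FF-FF-FF-FF-FF-FF
    sa_negate: bool = False          # True models the "!=" separator
    daddress: Optional[int] = None
    dmask: int = BROADCAST
    da_negate: bool = False
    type: str = "ANY"                # UNICAST | MULTICAST | BROADCAST | ANY
    size: Optional[tuple] = None     # ("<=", n) or (">=", n)
    matches: int = 0

    def _addr_ok(self, frame_addr, want, mask, negate):
        if want is None:
            return True
        # The frame's address is masked, then compared with the configured value.
        return ((frame_addr & mask) == want) != negate

    def _type_ok(self, dst):
        multicast = bool((dst >> 40) & 0x01)   # multicast bit of the first octet
        return {"ANY": True, "BROADCAST": dst == BROADCAST,
                "MULTICAST": multicast, "UNICAST": not multicast}[self.type]

    def _size_ok(self, size):
        if self.size is None:
            return True
        op, limit = self.size
        return size <= limit if op == "<=" else size >= limit

    def hits(self, src, dst, size):
        """size is the frame size as the filter measures it (addresses excluded)."""
        return (self._addr_ok(src, self.saddress, self.smask, self.sa_negate)
                and self._addr_ok(dst, self.daddress, self.dmask, self.da_negate)
                and self._type_ok(dst) and self._size_ok(size))

    def unreachable(self):
        """An address with bits set outside its mask can never equal a masked value."""
        stray_s = self.saddress is not None and (self.saddress & ~self.smask) != 0
        stray_d = self.daddress is not None and (self.daddress & ~self.dmask) != 0
        return stray_s or stray_d


@dataclass
class Filter:
    entries: list
    seen: int = 0
    passed: int = 0
    dropped: int = 0
    unmatched: int = 0

    def apply(self, src, dst, size=64):
        """Return the PORTS value of the first matching entry, or "NONE" if none match."""
        self.seen += 1
        for entry in self.entries:
            if entry.hits(mac(src), mac(dst), size):
                entry.matches += 1
                if entry.ports == "NONE":
                    self.dropped += 1
                else:
                    self.passed += 1
                return entry.ports
        self.unmatched += 1          # no entry matched: the frame is discarded
        self.dropped += 1
        return "NONE"


def demo():
    flt = Filter([
        # Same match as the page's ADD BRIDGE FILTER=1 SA=00-00-cd-00-00-00 SM=ff-ff-ff-00-00-00
        Entry(ports="1,2", saddress=mac("00-00-cd-00-00-00"), smask=mac("ff-ff-ff-00-00-00")),
        Entry(ports="NONE", type="BROADCAST"),
    ])
    results = [  # constructed frames: (source, destination)
        flt.apply("00-00-cd-12-34-56", "00-00-c0-0e-26-f8"),  # first three octets match entry 1
        flt.apply("00-00-c0-c9-c6-7b", "ff-ff-ff-ff-ff-ff"),  # broadcast, entry 2 drops it
        flt.apply("00-00-c0-c9-c6-7b", "00-00-c0-0e-26-f8"),  # no entry matches: discarded
    ]
    return flt, results
```

Running `unreachable()` over entries before they are committed catches an address/mask pair such as 00-00-cd-12-00-00 with mask ff-ff-ff-00-00-00, which under the comparison described above matches no frame, so the traffic it was meant to pass falls through to the discard.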

SET BRIDGE PORT

Syntax

SET BRIDGE PORT=1..32 [FILTER={NONE|1..99}]

Description

This command sets or changes which filters are associated with an individual port.

The FILTER parameter specifies the bridge filter that is to be associated with this port. The value NONE is used to turn off bridge filtering for frames received on this port. The values 1 to 99 specify a bridge filter which will be used to filter all frames received on this port. By default, there is no bridge filter associated with a port.


Examples

To add a filter to bridge port 2, use the command:

SET BRIDGE PORT=2 FILTER=2

See Also

ADD BRIDGE PORT

DELETE BRIDGE PORT

SHOW BRIDGE PORT


SHOW BRIDGE

Syntax

SHOW BRIDGE

Description

This command displays configuration information for the bridge (Figure 8 on page 66, Table 14 on page 66).

Figure 7: Example output from the SHOW BRIDGE command with the VLAN “remote office” attached.

Remote Bridge

-------------------------------------------------------------------------------

Bridge Address : 00-00-cd-00-0d-4d

Bridge Name : Switch software version 2.4.1

Address Learning : ON

VLAN Attached : remote office

Number of virtual Ports: 1

Port Number(s) : 3

Ageingtime : 300

Uptime : 12133

-------------------------------------------------------------------------------

Figure 8: Example output from the SHOW BRIDGE command with no VLAN attached.

Remote Bridge

-------------------------------------------------------------------------------

Bridge Address : 00-00-cd-00-0d-4d

Bridge Name : Switch software version 7.4

Address Learning : ON

VLAN Attached : -

Number of virtual Ports: 1

Port Number(s) : 3

Ageingtime : 300

Uptime : 12133

-------------------------------------------------------------------------------

Table 14: Parameters displayed in the output of the SHOW BRIDGE command.

Parameter | Meaning
Bridge Address | The MAC Address of the remote bridge.
Bridge Name | The name of the bridge. This is the same as the value of the MIB object sysDescr.
Address Learning | The state of address learning; one of “ON” or “OFF”.
VLAN Attached | The name of the VLAN attached to the Bridge or “-” if none.
Number of virtual Ports | The total number of WAN ports enabled for bridging.
Virtual Port Number(s) | The number of WAN port numbers.
Ageingtime | The value in seconds of the ageing timer, after which a dynamic entry is removed from the filtering database.
Uptime | The time in seconds since the remote bridge was last reset or initialized. This is the same as the value of the MIB object sysUpTime.

Examples

To display the current configuration of the bridge module, use the command:

SHOW BRIDGE

See Also

DISABLE BRIDGE

ENABLE BRIDGE

SHOW BRIDGE COUNTER

Syntax

SHOW BRIDGE [PORT=1..32] COUNTER

Description

This command displays information regarding the forwarding counters associated with the virtual ports (Figure 9 on page 68, Figure 10 on page 69 and Table 15 on page 69). If a virtual port is specified, information is displayed for that port, otherwise information is displayed for all virtual ports. This command will not display information on the switch ports. To do this, use the SHOW SWITCH PORT COUNTER command.


Figure 9: Example output from the SHOW BRIDGE COUNTER command for a WAN-WAN bridge.

Port Counter

------------------------------------------------------------------------------

Interface ppp10 fr0 (22) fr0 (1)

Virtual Port Number 1 2 3

1:Fr. In (Data) 0000000000 0000000000 0000000000

02:Fr. for relaying 0000000000 0000000000 0000000000

03:M-Cast Frames 0000000000 0000000000 0000000000

04:Dis: Inactive 0000000000 0000000000 0000000000

05:Dis: STP Ignored 0000000000 0000000000 0000000000

06:Dis: Framing Unknown 0000000000 0000000000 0000000000

07:Dis: MAC Equal 0000000000 0000000000 0000000000

08:Dis: Filter Match 0000000000 0000000000 0000000000

09:Dis: For bridge int. 0000000000 0000000000 0000000000

10:Dis: Same port 0000000000 0000000000 0000000000

11:Dis: No Ports 0000000000 0000000000 0000000000

12:Dis: Port Closed 0000000000 0000000000 0000000000

13:Dis: MTU Exceeded 1 0000000000 0000000000 0000000000

14:Dis: MTU Exceeded 2 0000000000 0000000000 0000000000

15:Dis: MTU Exceeded 3 0000000000 0000000000 0000000000

16:Relay (non-STP) 0000000000 0000000000 0000000000

17:Relay Single 0000000000 0000000000 0000000000

18:Relay Mult. 0000000000 0000000000 0000000000

19:Port Open 0000000000 0000000000 0000000000

20:Port Closed 0000000000 0000000000 0000000000

21:Down Ignore (Demand) 0000000000 0000000000 0000000000

22:Relay Out 0000000000 0000000000 0000000000

23:Send Out 0000000000 0000000000 0000000000

24:Sanity Check 1 0000000000 0000000000 0000000000

25:Sanity Check 2 0000000000 0000000000 0000000000

------------------------------------------------------------------------------


Figure 10: Example output from the SHOW BRIDGE COUNTER command for a VLAN-WAN bridge.

Port Counter

------------------------------------------------------------------------------

Interface vlan fr0 (22)

Virtual Port Number - 1

1:Fr. In (Data) 0000000000 0000000000

02:Fr. for relaying 0000000000 0000000000

03:M-Cast Frames 0000000000 0000000000

04:Dis: Inactive 0000000000 0000000000

05:Dis: STP Ignored 0000000000 0000000000

06:Dis: Framing Unknown 0000000000 0000000000

07:Dis: MAC Equal 0000000000 0000000000

08:Dis: Filter Match 0000000000 0000000000

09:Dis: For bridge int. 0000000000 0000000000

10:Dis: Same port 0000000000 0000000000

11:Dis: No Ports 0000000000 0000000000

12:Dis: Port Closed 0000000000 0000000000

13:Dis: MTU Exceeded 1 0000000000 0000000000

14:Dis: MTU Exceeded 2 0000000000 0000000000

15:Dis: MTU Exceeded 3 0000000000 0000000000

16:Relay (non-STP) 0000000000 0000000000

17:Relay Single 0000000000 0000000000

18:Relay Mult. 0000000000 0000000000

19:Port Open 0000000000 0000000000

20:Port Closed 0000000000 0000000000

21:Down Ignore (Demand) 0000000000 0000000000

22:Relay Out 0000000000 0000000000

23:Send Out 0000000000 0000000000

24:Sanity Check 1 0000000000 0000000000

25:Sanity Check 2 0000000000 0000000000

------------------------------------------------------------------------------


Table 15: Parameters displayed in the output of the SHOW BRIDGE COUNTER command.

Parameter | Meaning
Interface Name | The name of the interface associated with the bridge port. For Frame Relay interfaces the DLC number appears in parentheses after the interface name.
Port Number | The virtual port number for the interface.
01: Fr. In (Data) | The number of data frames received.
02: Fr for relaying | The number of frames passed to the relaying process.
03: M-Cast Frames | The number of multicast (including broadcast) frames received.
04: Dis: Inactive | The number of data frames discarded because the bridge was not active.
05: Dis: STP Ignored | The number of STP protocol frames ignored because STP was not active.
06: Dis: Framing Unknown | The number of frames discarded by the bridge module because their frame type could not be determined. The bridge supports 802.2, ETH-II and SNAP frames.
07: Dis: MAC Equal | The number of frames discarded because their source and destination MAC addresses were identical.
08: Dis: Filter Match | The number of frames discarded because they matched an entry in the filtering database (STP disabled).
09: Dis: For bridge int. | The number of frames discarded because they were destined for an interface on the bridge.
10: Dis: Same port | The number of frames discarded because the destination station was known to be on the same port as the originating station, therefore the bridge need not forward those frames.
11: Dis: No Ports | The number of frames discarded because they could/should not be forwarded via any bridge port.
12: Dis: Port Closed | The number of frames discarded because the port they were to be transmitted on is closed.
13: Dis: MTU Exceeded 1 | The number of frames discarded because their size was larger than the MTU of the port/interface they were to be transmitted on (Case 1).
14: Dis: MTU Exceeded 2 | The number of frames discarded because their size was larger than the MTU of the port/interface they were to be transmitted on (Case 2).
15: Dis: MTU Exceeded 3 | The number of frames discarded because their size was larger than the MTU of the port/interface they were to be transmitted on (Case 3).
16: Relay | The number of frames relayed.
17: Relay Single | The number of frames relayed via a single port.
18: Relay Mult. | The number of frames relayed via multiple ports.
19: Port Open | The number of times the lower-layer interface has indicated that this bridge port is open and able to transmit and receive bridge data.
20: Port Closed | The number of times the lower-layer interface has indicated that this bridge port is closed.
21: Down Ignore (Demand) | The number of times a “Port Closed” indication has been ignored because this port is a demand port.
22: Relay Out | The number of frames relayed out over the port.
23: Send Out | The number of frames sent via the port that were not relayed data frames.
24: Sanity Check 1 | Internal debugging counter.
25: Sanity Check 2 | Internal debugging counter.

Examples

To display the counters for virtual port 2, use the command:

SHOW BRIDGE PORT=2 COUNTER

See Also

SHOW BRIDGE PORT

SHOW BRIDGE

SHOW SWITCH PORT COUNTER


SHOW BRIDGE FILTER

Syntax

SHOW BRIDGE FILTER[=1..99] [ENTRY=entry]

where:

entry is a filter entry number, in the range 1 to n, where n is the number of filter entries currently defined in the filter.

Description

This command displays information about one or all bridge filters or one of the entries in a bridge filter (Figure 11 on page 72, Table 16 on page 72).

The FILTER parameter specifies the bridge filter to be displayed. The specified filter must exist. If no filter is specified, all filters are displayed.

The ENTRY parameter specifies a particular entry in the filter. The specified filter entry must exist in the filter. If the ENTRY parameter is specified, the FILTER parameter must specify a valid filter number.

The counters given in the output are related in the following ways:

“Frames seen” = “Frames passed” + “Frames dropped”.

“Frames seen” = “Frames unmatched” + sum of “Matches”.

“Frames passed” = sum of “Matches” for entries for which “Output ports” is not “None”.

“Frames dropped” = “Frames unmatched” + sum of “Matches” for entries for which “Output ports” is “None”.

Whenever an entry is added to a bridge filter the above relationships will hold, so the counters are not cleared. However, when an entry is modified or deleted, the “Matches” count for the entry no longer reflects the frames matched by that filter, so the “Matches” count is cleared to 0. The “Frames seen” counter and one of the “Frames dropped” or “Frames passed” counters (based on the previous value of “Output ports” for the entry) are decremented by the value of “Matches”, so that the relationships are maintained.
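The four counter relationships above, checked against captured SHOW BRIDGE FILTER output, as an added Python example that is not part of the original release note. The function names are hypothetical; the sample text is constructed in the layout of the page's Figure 11, uses the same counter values, and includes the stray spaces that text extraction leaves in the dot leaders.

```python
import re

# Constructed sample in the layout of Figure 11, with the same counter values.
SAMPLE = """\
Bridge filters
------------------------------------------------------------------------------
Filter .............. 1
Used by virtual ports.None
Frames seen ......... 37465
Frames passed ....... 4938
Frames unmatched .... 2652
Frames dropped ...... 32527
Entry ............... 1
Source address ........ = 00-00-cd-00-00-00/ff-ff-ff-00-00-00
Output ports .......... 1,2
Matches ............... 4938
Entry ............... 2
Protocol .............. = ETHII
Data Offset ........... 27
Data Pattern .......... = 345678
Output ports ........ . None
Matches .......... .... 29875
------------------------------------------------------------------------------
"""

# "Label <dot leader> value"; the leader may contain stray spaces.
LINE = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z ]*?)\s*\.[. ]*(?P<value>\S.*?)\s*$")


def parse_filters(text):
    """Turn SHOW BRIDGE FILTER output into a list of filter dicts with their entries."""
    filters, current, entry = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # title and separator lines
        label, value = m["label"], m["value"]
        if label == "Filter":
            current = {"Filter": int(value), "entries": []}
            filters.append(current)
            entry = None
        elif current is None:
            continue
        elif label == "Entry":
            entry = {"Entry": int(value)}
            current["entries"].append(entry)
        elif entry is not None:
            entry[label] = value          # field of the current entry
        else:
            current[label] = value        # filter-level counter
    return filters


def check_counters(flt):
    """Return the names of the documented counter relationships that do not hold."""
    seen, passed = int(flt["Frames seen"]), int(flt["Frames passed"])
    unmatched, dropped = int(flt["Frames unmatched"]), int(flt["Frames dropped"])
    to_ports = sum(int(e["Matches"]) for e in flt["entries"]
                   if e["Output ports"].lower() != "none")
    to_none = sum(int(e["Matches"]) for e in flt["entries"]
                  if e["Output ports"].lower() == "none")
    rules = {
        "seen = passed + dropped": seen == passed + dropped,
        "seen = unmatched + sum(Matches)": seen == unmatched + to_ports + to_none,
        "passed = Matches of forwarding entries": passed == to_ports,
        "dropped = unmatched + Matches of None entries": dropped == unmatched + to_none,
    }
    return [name for name, ok in rules.items() if not ok]


def audit(text):
    """Map each filter number to the list of relationships it violates."""
    return {f["Filter"]: check_counters(f) for f in parse_filters(text)}


if __name__ == "__main__":
    for number, problems in audit(SAMPLE).items():
        print(f"filter {number}:", "consistent" if not problems else problems)
```

An empty list for every filter means the capture is internally consistent; a non-empty list points at a truncated capture or a transcription error before the counters are used as evidence of what the filter dropped.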


Figure 11: Example output from the SHOW BRIDGE FILTER command.

Bridge filters

------------------------------------------------------------------------------

Filter .............. 1

Used by virtual ports.None

Frames seen ......... 37465

Frames passed ....... 4938

Frames unmatched .... 2652

Frames dropped ...... 32527

Entry ............... 1

Source address ........ = 00-00-cd-00-00-00/ff-ff-ff-00-00-00

Dest address .......... Match any

Protocol .............. = ETHII, = 0800

Size .................. Match any

Multicast types ....... Match any

Output ports .......... 1,2

Matches ............... 4938

Entry ............... 2

Source address ........ Match any

Dest address .......... Match any

Protocol .............. = ETHII

Size .................. Match any

Multicast types ....... Match any

Data Offset ........... 27

Data Pattern .......... = 345678

Output ports .......... None

Matches ............... 29875

------------------------------------------------------------------------------

Table 16: Parameters displayed in the output of the SHOW BRIDGE FILTER command.

Parameter | Meaning
Filter | The filter number for this filter.
Used by virtual ports | The list of ports which are currently using this filter.
Frames seen | The number of frames to which this filter has been applied.
Frames passed | The number of frames passed by this filter.
Frames unmatched | The number of frames for which a filter entry match was not made. These frames will be dropped and are included in the Frames dropped count.
Frames dropped | The number of frames dropped by this filter.
Entry | The filter number for the filter entry.
Source address | The condition, address and mask for matching source addresses for the filter entry.
Dest address | The condition, address and mask for matching destination addresses for the filter entry.
Protocol | The condition, Ethernet encapsulation and discriminator for the filter entry.
Size | The condition and size of frame for the filter entry.
Multicast types | The condition and multicast frame types for the filter entry.
Data Offset | The offset in the data field of the DATA condition specified in the Data Pattern field.
Data Pattern | The condition for the data in the data field starting at the position specified in the Data Offset field.
Output ports | The list of output virtual ports for the filter entry.
Matches | The number of times this filter entry has matched a bridged frame. If the output ports field is “None” matches will be included in the Frames dropped count, otherwise matches will be included in the Frames passed count.

Examples

To display information about all bridge filters, use the command:

SHOW BRIDGE FILTER

See Also

ADD BRIDGE FILTER

DELETE BRIDGE FILTER

SET BRIDGE FILTER

SHOW BRIDGE PORT

Syntax

SHOW BRIDGE PORT[=1..32]

Description

This command displays general information about the virtual ports (see Figure 2 on page 73). If a port is specified, information is displayed for the specified virtual port, otherwise information is displayed for all virtual ports.

Figure 2: Example output from the SHOW BRIDGE PORT command.

Port Information

-------------------------------------------------------------------------------

Port Number : 1

Port Interface : PPP1

Port Media Type : PPP

Port filter : 2

UpTime : 0

Port Number : 2

Port Interface : fr0

Port Media Type : FRAMERELAY

UpTime : 0

-------------------------------------------------------------------------------


Table 17: Parameters displayed in the output of the SHOW BRIDGE PORT command.

Parameter | Meaning
Port Number | The number of the port.
Port Interface | The interface name for the port. This is the same as the value of the MIB object ifDescr.
Port Media Type | The MAC entity type as defined in the MIB object ifType.
Port filter | The bridge filter, if any, defined for this port.
Uptime | The count in seconds of the elapsed time since the port was last reset or initialized.
Path Cost | The contribution of the path through the port, when the Port is the Root Port, to the total cost of the path to the Root for this bridge.
Designated Root | The unique Bridge Identifier of the bridge recorded as the Root in the Root Identifier parameter of Configuration Messages transmitted by the Designated Bridge on the LAN or Subgroup to which the Port is attached.
Designated Cost | For a Designated Port, the path cost offered to the LAN or Subgroup to which the Port is attached; otherwise, the cost of the path to the Root offered by the Designated Port on the LAN or Subgroup to which this port is attached.
Designated Bridge | For a Designated Port, the unique Bridge Identifier of the bridge to which the Port belongs; otherwise, that of the bridge believed to be the Designated Bridge for the LAN or Subgroup to which this port is attached.
Designated Port | The Port Identifier of the bridge port, on the Designated Bridge, through which the Designated Bridge transmits the configuration message information stored by this port.
Topology Change Acknowledge | The value of the Topology Change Acknowledgment flag in the next configuration message to be transmitted via the port.

Examples

To display the configuration for bridge virtual port 1, use the command:

SHOW BRIDGE PORT=1

See Also

ADD BRIDGE PORT

DELETE BRIDGE PORT


SHOW BRIDGE PROTOCOL

Syntax

SHOW BRIDGE PROTOCOL

Description

This command displays information about the protocols which are currently enabled for bridging (Figure 3 on page 75, Table 18 on page 75).

Figure 3: Example output from the SHOW BRIDGE PROTOCOL command.

Index Encapsulation Protocol Name Priority

-------------------------------------------------------------------------------

1 ETHII 6004 LAT 1

2 ETHII 6003 DECnet 2

200 SNAP 080007809b 4

-------------------------------------------------------------------------------


Table 18: Parameters displayed in the output of the SHOW BRIDGE PROTOCOL command.

Parameter | Meaning
Index | A manager-defined index. If no index is given, one will be assigned.
Encapsulation | The encapsulation of the frame; one of “EthII” (IEEE 802.3), “SAP” (IEEE 802.2 standard with SAPs), “SNAP” (IEEE 802.2 using the SNAP mechanism), or “Novell” (original Novell).
Protocol | The actual protocol field.
Name | The descriptive name, if any, assigned when the protocol was added.
Priority | The forwarding priority assigned to the protocol; one of “0” (lowest), “1” (default), “2”, “3” or “4” (highest).

Examples

To display the list of protocols being bridged, use the command:

SHOW BRIDGE PROTOCOL

See Also

ADD BRIDGE STATION

DELETE BRIDGE STATION

SHOW BRIDGE STATION

Syntax

SHOW BRIDGE STATION [{ADDRESS=macadd [MASK=macadd]|PORT=1..32}]

where:

macadd is an Ethernet six-octet MAC address, expressed as six pairs of hexadecimal digits delimited by hyphens.

Description

This command displays the bridge module bridge station map (Figure 4 on page 76, Table 19 on page 77). The bridge station map records which virtual port should be used to transmit frames to all Ethernet MAC addresses the bridge module knows about.

The bridge station map and associated learning is inactive in the VLAN-WAN mode.

Running this command whilst configured for Remote VLAN operation is likely to display inaccurate configuration information.

The ADDRESS parameter specifies a particular MAC address to display, and limits the display to entries containing the address specified, after the address has been ANDed with the optional MASK. If ADDRESS is not specified, all bridge station map entries are displayed.

The MASK parameter specifies a MAC address mask to widen the range of entries to display. The address of an entry in the dynamic bridge station map is ANDed with the mask and compared to the address given with the ADDRESS parameter. If there is a match, the entry is displayed. The default is FF-FF-FF-FF-FF-FF.

The PORT parameter specifies a bridge virtual port name or number for which bridge station map entries are to be displayed.

Figure 4: Example output from the SHOW BRIDGE STATION command.

MAC address         Type      Port
---------------------------------------
00-00-c0-0e-26-f8   Learned   1
00-00-c0-c9-c6-7b   Learned   1
01-80-c2-00-00-10   self      0
01-80-c2-00-00-0f   self      0
01-80-c2-00-00-0e   self      0
01-80-c2-00-00-0d   self      0
01-80-c2-00-00-0c   self      0
01-80-c2-00-00-0b   self      0
01-80-c2-00-00-0a   self      0
01-80-c2-00-00-09   self      0
01-80-c2-00-00-08   self      0
01-80-c2-00-00-07   self      0
01-80-c2-00-00-06   self      0
01-80-c2-00-00-05   self      0
01-80-c2-00-00-04   self      0
01-80-c2-00-00-03   self      0
01-80-c2-00-00-02   self      0
01-80-c2-00-00-01   self      0
01-80-c2-00-00-00   self      0
00-00-cd-00-2c-a0   self      0
---------------------------------------


Table 19: Parameters displayed in the output of the SHOW BRIDGE STATION command.

Parameter: Meaning

MAC address: The MAC address for this entry in the bridge station map.

Type: The type of bridge station map entry; one of “self” (addresses that the bridge itself will receive frames on), “Management” (entries added with the ADD BRIDGE STATION command or by SNMP), or “Learned” (addresses learned as part of the filtering and forwarding process).

Virtual Port: The virtual port ID number.

See Also

ADD BRIDGE STATION

DELETE BRIDGE STATION
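The ADDRESS/MASK selection described for SHOW BRIDGE STATION, as an added Python example (not code from the switch or from this release note). The sample rows are a constructed subset of Figure 4, and applying the mask to both the entry and the requested address is an assumption that reconciles the two descriptions above.

```python
"""ADDRESS/MASK selection over a bridge station map (added example)."""

# Constructed sample input: a subset of the rows shown in Figure 4.
STATION_MAP = """\
MAC address        Type     Port
---------------------------------------
00-00-c0-0e-26-f8  Learned  1
00-00-c0-c9-c6-7b  Learned  1
01-80-c2-00-00-10  self     0
01-80-c2-00-00-0f  self     0
01-80-c2-00-00-01  self     0
01-80-c2-00-00-00  self     0
00-00-cd-00-2c-a0  self     0
---------------------------------------
"""

DEFAULT_MASK = "FF-FF-FF-FF-FF-FF"  # default stated in the command description


def mac_to_int(mac):
    """Convert 'xx-xx-xx-xx-xx-xx' to a 48-bit integer."""
    octets = mac.split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a six-octet MAC address: {mac!r}")
    return int("".join(octets), 16)


def parse_station_map(text):
    """Return [(mac, type, port), ...], skipping header and separator lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].count("-") == 5:
            entries.append((fields[0].lower(), fields[1], int(fields[2])))
    return entries


def show_bridge_station(entries, address=None, mask=DEFAULT_MASK, port=None):
    """Select entries the way the ADDRESS/MASK and PORT parameters are described.

    Assumption: the mask is applied to the entry and to the requested address.
    """
    if address is not None and port is not None:
        raise ValueError("ADDRESS and PORT are alternatives in the command syntax")
    if address is not None:
        mask_bits = mac_to_int(mask)
        wanted = mac_to_int(address) & mask_bits
        return [e for e in entries if (mac_to_int(e[0]) & mask_bits) == wanted]
    if port is not None:
        return [e for e in entries if e[2] == port]
    return list(entries)


if __name__ == "__main__":
    table = parse_station_map(STATION_MAP)
    # Widening the mask by one hex digit selects 01-80-c2-00-00-00 to -0f only.
    for row in show_bridge_station(table, "01-80-C2-00-00-00", "FF-FF-FF-FF-FF-F0"):
        print(*row)
```

With the default mask the selection is an exact match; clearing low-order mask bits widens it to a block of addresses, and clearing the last three octets selects everything with the same first three octets.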


Protected Ports

Port protection provides complete layer 2 isolation between configured ports.

Protected ports are assembled into groups. Groups contain one or more protected ports. There are two types of group: the standard protected port group and the uplink group. Protected ports can only communicate with members of their own group, and any port within the uplink group. The uplink group communicates with all ports (protected or not). You can create many standard protected port groups, but only one uplink group.

One VLAN can contain multiple protected port groups, but a protected port can only belong to one VLAN. A protected port cannot send or receive any traffic to or from another VLAN. If you have trunk groups, a port in a trunk group can only be protected if all ports in the trunk group are protected.

The protected ports enhancement is for Rapier 24i Switches only.

Configuration Example

Hotels sometimes offer guests Internet access from their rooms. With the protected ports feature, you can isolate hotel rooms from each other, but allow computers in each room access to the Internet via the uplink group. This is achieved without any Layer 3 configuration. To do this, you have to create an uplink group of ports, and a separate group with a protected port for each room.

Create a VLAN, an uplink group, and hotel room groups of protected ports

1. Add a new VLAN

To create a port-based VLAN called HotelOffice, with a VID of 22 that will contain protected ports, use the command:

CREATE VLAN=HotelOffice VID=22 PORTPROTECTED

2. Add a group of ports that will become the uplink group to the VLAN

Add an uplink group of ports to the HotelOffice VLAN. All groups of protected ports will send and receive frames via the uplink group. To make ports 20-22 the uplink group, use the command:

ADD VLAN=HotelOffice PORT=20-22 GROUP=UPLINK

3. Create groups of protected ports for each hotel room

Add a group for one port attached to a hotel room. Because there is only one port in the group, this port will only pass frames to the uplink group. To assign port 2 to group 1 in the HotelOffice VLAN, use the command:

ADD VLAN=HotelOffice PORT=2 GROUP=1

Add another group for another port attached to a hotel room. To assign port 3 to group 2 in the HotelOffice VLAN, use the command:

ADD VLAN=HotelOffice PORT=3 GROUP=2
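To check that a set of protected port commands gives the isolation intended, the following added Python example (not the switch's own code) models the forwarding rule stated above and reports room ports that can still reach each other. It uses the commands from this page; the room-to-port mapping and the function names are assumptions, and only ports placed in a group with numeric port lists are modelled.

```python
"""Protected-port reachability for the hotel configuration (added example)."""

# Commands copied from this page: the configuration example plus the group 3
# command from the ADD VLAN PORT examples.
HOTEL_CONFIG = """\
CREATE VLAN=HotelOffice VID=22 PORTPROTECTED
ADD VLAN=HotelOffice PORT=20-22 GROUP=UPLINK
ADD VLAN=HotelOffice PORT=2 GROUP=1
ADD VLAN=HotelOffice PORT=3 GROUP=2
ADD VLAN=HotelOffice PORT=4-5 GROUP=3
"""


def expand_ports(port_list):
    """Expand '4-5' or '1,3-5' into a set of port numbers (ALL is not handled)."""
    ports = set()
    for part in port_list.split(","):
        low, _, high = part.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def load(config):
    """Build {vlan name: {'protected': bool, 'groups': {group: ports}}}."""
    vlans = {}
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        params = {}
        for word in words[1:]:
            key, _, value = word.partition("=")
            params[key.upper()] = value
        name = params.get("VLAN", "").lower()  # VLAN names are case insensitive
        verb = words[0].upper()
        if verb == "CREATE":
            vlans[name] = {"protected": "PORTPROTECTED" in params, "groups": {}}
        elif verb == "ADD" and "GROUP" in params:
            if name not in vlans:
                raise ValueError(f"VLAN {name!r} must already exist")
            vlan = vlans[name]
            if not vlan["protected"]:
                raise ValueError(f"GROUP needs a PORTPROTECTED VLAN: {line}")
            group = params["GROUP"].upper()
            ports = expand_ports(params["PORT"])
            for other, members in vlan["groups"].items():
                if other != group and members & ports:
                    raise ValueError(f"port already in group {other}: {line}")
            vlan["groups"].setdefault(group, set()).update(ports)
    return vlans


def peers(vlan, port):
    """Ports that `port` may exchange frames with, per the rule on this page."""
    groups = vlan["groups"]
    own = next((g for g, members in groups.items() if port in members), None)
    if own is None:
        raise ValueError(f"port {port} is not in a protected port group")
    if own == "UPLINK":
        allowed = set().union(*groups.values())  # uplink reaches every port
    else:
        allowed = groups[own] | groups.get("UPLINK", set())
    return allowed - {port}


def leaks(vlan, rooms):
    """Return (port_a, port_b) pairs in different rooms that can still talk."""
    found = []
    for room_a, ports_a in rooms.items():
        for room_b, ports_b in rooms.items():
            if room_a < room_b:
                found += [(a, b) for a in sorted(ports_a) for b in sorted(ports_b)
                          if b in peers(vlan, a)]
    return found


if __name__ == "__main__":
    hotel = load(HOTEL_CONFIG)["hoteloffice"]
    rooms = {"101": {2}, "102": {3}, "103": {4, 5}}  # hypothetical room mapping
    print("room 101 peers:", sorted(peers(hotel, 2)))
    print("cross-room leaks:", leaks(hotel, rooms))
```

A room port that is mistakenly added to another room's group appears in the `leaks` result, which makes the check suitable for reviewing a configuration before it is applied.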

ADD VLAN PORT

Syntax

ADD VLAN={vlan-name|1..4094} PORT={port-list|ALL} [GROUP={UPLINK|group-number}] [FRAME={TAGGED|UNTAGGED}]

where:

vlan-name is a unique name for the VLAN, 1 to 15 characters in length. Valid characters are uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), the underscore character (“_”), and the hyphen character (-). The vlan-name cannot be a number or ALL.

port-list is a port number, a range of port numbers (specified as n-m), or a comma separated list of port numbers and/or ranges. Port numbers start at 1 and end at m, where m is the highest numbered Ethernet switch port, including uplink ports.

group-number is a group identifier for a port or a collection of ports.

Description

This command adds ports to the specified VLAN.

On the Rapier i Series switches only, a port can belong to multiple STPs if the port is a member of more than one VLAN. If the port being added to the VLAN also belongs to another STP, through concurrent membership of another VLAN, it will not be removed from that VLAN or STP.

If as a result of the port addition, ports are moved from one STP to another STP, the two affected STPs are initialised if they are currently enabled. Any previously disabled ports in the STPs are enabled.

The VLAN parameter specifies the name or numerical VLAN Identifier of the VLAN. The name is case insensitive, although the case is preserved for display purposes. The VLAN must already exist. By default, all ports belong to the default VLAN, with a numerical VLAN Identifier (VID) of 1.

The PORT parameter specifies the ports. All the ports in a trunk group must have the same VLAN configuration. If the command requires that ports be implicitly deleted from the default VLAN and those ports belong to a trunk group, then the command will fail. The ports must belong to only one STP after being added to the VLAN. If the command would succeed on a subset of the ports specified, but cause an error on the others, then the command as a whole will fail and have no effect. The mirror port cannot be added to a VLAN.

The GROUP parameter specifies the group type for the protected port or ports in this VLAN. The GROUP parameter can only be specified when the VLAN has been set to PORTPROTECTED with the CREATE VLAN command. If GROUP is set to UPLINK, then the specified port or ports are added to the broadcast domain of all ports. If GROUP is given a group-number, ports in this group will only pass frames between each other and ports in the uplink group. If there is one port in the group, it will only pass frames to, and receive frames from, the uplink group.

The FRAME parameter specifies whether a VLAN tag header is included in each frame transmitted on the specified ports. If TAGGED is specified, a VLAN tag is added to frames prior to transmission. The port is then called a tagged port for this VLAN. If UNTAGGED is specified, the frame is transmitted without a VLAN tag. The port is then called an untagged port for this VLAN.

A port can be untagged for one and only one of the VLANs to which it belongs, or for none of the VLANs to which it belongs. A port can have the FRAME parameter set to TAGGED for zero or more VLANs to which it belongs. It is not possible to add an untagged port to a VLAN if the port is already present in any other port-based VLAN except the default VLAN. If the port is an untagged member of the default VLAN, adding it untagged to another VLAN deletes it from the default VLAN. The default setting is UNTAGGED.

Examples

To add port 2 to the port-based marketing VLAN, use the command:

ADD VLAN=Marketing PORT=2

To add port 25 to the training VLAN as a tagged port, use the command:

ADD VLAN=Training PORT=25 FRAME=TAGGED

To add ports 4 and 5 to group 3 in the HotelOffice VLAN so that these ports are blocked against all other ports except each other and the uplink group, use the command:

ADD VLAN=HotelOffice PORT=4-5 GROUP=3

See Also

DELETE VLAN PORT

SHOW VLAN

CREATE VLAN

Syntax

CREATE VLAN=vlan-name VID=2..4094 [PORTPROTECTED]

where:

vlan-name is a unique name for the VLAN, 1 to 15 characters in length. Valid characters are uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), the underscore character (“_”), and the hyphen character (-). The vlan-name cannot be a number or ALL.

Description

This command creates a VLAN with a unique name and VLAN Identifier (VID), and assigns it to the default STP. To change the VID of an existing VLAN, that VLAN must be destroyed and created again with the modified VID. Optionally, this command specifies that some of the ports in the VLAN will be protected.

A maximum of 254 VLANs can be created with any VID in the range 2 to 4094.

The VLAN parameter specifies a unique name for the VLAN. This name can be more meaningful than the VID, to make administration easier. The VLAN name is only used within the switch; it is not transmitted to other VLAN-aware devices, or used in the Forwarding Process or stored in the Forwarding Database. If the VLAN name begins with “vlan” and ends with a number, for instance “vlan1” or “vlan234”, then the number must be the same as the VID specified. This avoids confusion when identifying which VLAN subsequent commands refer to.

The VID parameter specifies a unique VLAN Identifier for the VLAN. If tagged ports are added to this VLAN, the specified VID is used in the VID field of the tag in outgoing frames. If untagged ports are added to this VLAN, the specified VID only acts as an identifier for the VLAN in the Forwarding Database. The default port based VLAN has a VID of 1.

If the PORTPROTECTED parameter is specified, this VLAN can contain protected ports. A protected port inside this VLAN will pass frames to, and receive frames from only those ports that exist within its broadcast domain. This domain consists of any other ports within the port’s group, and the uplink group.

Examples

To create a VLAN named marketing with a VLAN Identifier of 2, use the command:

CREATE VLAN=marketing VID=2

To create a VLAN named vlan42, which must have a VID of 42, use the command:

CREATE VLAN=vlan42 VID=42

To create a VLAN called HotelOffice with a VID of 22 that can contain protected groups of ports, use the command:

CREATE VLAN=HotelOffice VID=22 PORTPROTECTED

See Also

DESTROY VLAN

SHOW VLAN

SHOW VLAN

Syntax

SHOW VLAN[={vlan-name|1..4094|ALL}]

where:

vlan-name is a unique name for the VLAN, 1 to 15 characters in length. Valid characters are uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), the underscore character (“_”), and the hyphen character (-). The vlan-name cannot be a number or ALL.

Description

This command displays information about the specified VLAN. If no VLAN or ALL is specified, then all VLANs are displayed (Figure 5 on page 81, Table 20 on page 81).

Figure 5: Example output from the SHOW VLAN command.

VLAN Information
---------------------------------------------------------------------------
Name ............... default
Identifier ......... 1
Status ............. static
Protected Ports .... Yes
Group (ports) ...... 1 (2)
Group (ports) ...... 2 (3)
Group (ports) ...... 3 (4-5)
Group (ports) ...... UPLINK (20-22)
Untagged ports ..... 1,3-23
Tagged ports ....... None
Spanning Tree ...... default
Trunk ports ........ None
Mirror port ........ None
Attachments:
Module     Protocol        Format     Discrim   MAC address
-------------------------------------------------------------------
GARP       Spanning tree   802.2      42        -
IP         IP              Ethernet   0800      -
IP         ARP             Ethernet   0806      -
-------------------------------------------------------------------
Name ............... v2
Identifier ......... 2
Status ............. dynamic
Protected .......... No
Untagged ports ..... 2,24
Tagged ports ....... None
Spanning Tree ...... default
Trunk ports ........ None
Mirror port ........ None
Attachments:
Module     Protocol        Format     Discrim   MAC address
-------------------------------------------------------------------
GARP       Spanning tree   802.2      42        -
-------------------------------------------------------------------

Table 20: Parameters displayed in the output of the SHOW VLAN command.

Parameter: Meaning

Name: The name of the VLAN.

Identifier: The numerical VLAN identifier of the VLAN.

Status: The status of the VLAN, either dynamic or static.

Untagged Ports: A list of untagged ports that belong to the VLAN.

Tagged Ports: A list of tagged ports that belong to the VLAN.

Protected Ports: Indicates that the protected ports feature is enabled for this VLAN.

Group (ports): If protected port groups are present, this shows the group ID, followed (in brackets) by the port or ports within the group that are protected.

Spanning Tree: The name of the Spanning Tree Protocol to which the VLAN belongs.

Trunk ports: The list of switch ports which belong to trunk groups. This field is displayed if any port in the VLAN also belongs to a trunk group.

Mirror port: The mirror port for the switch, or “None”. Displayed for the default VLAN only.

Attachments: This section contains information about attachments to the VLAN made by other modules in the switch.

Module: The name of the software module attached to the VLAN.

Protocol: The name of the protocol, which is determined from the format and identification number.

Format: The encapsulation format specified by the module.

Discrim: The discriminator specified by the module to identify which packets of the given format should be received.

MAC Address: The Media Access Control source address for which the module wishes to receive packets. This is commonly known as the Ethernet address.

Examples

To display information on the marketing VLAN, use the command:

SHOW VLAN=marketing

See Also

CREATE VLAN

DESTROY VLAN

IGMP Snooping All-Group Entry

Because IGMP is an IP-based protocol, multicast group membership for VLAN aware devices is on a per-VLAN basis. If at least one port in the VLAN is a member of a multicast group, multicast packets will be flooded onto all ports in the VLAN by default.

IGMP snooping enables the switch to forward multicast traffic intelligently on the switch. The switch listens to IGMP membership reports, queries and leave messages to identify the switch ports that are members of multicast groups. Multicast traffic will only be forwarded to ports identified as members of the specific multicast group.

This enhancement allows network managers to prevent specified ports from acting as IGMP all-group ports, and specify which ports are allowed to behave as all-group entry ports, by using the ENABLE IP IGMP ALLGROUP command.

For example, consider a video streaming service which has 15 channels. When the switch receives IGMP membership reports destined for the address 239.0.0.2 from an unauthorised user, all 15 channels of multicast data flood to that port, which may affect the service of the network. In order to avoid this, the network manager decides whether or not to allow a particular port to behave as an IGMP all-group port, e.g. port 8. Then, whenever the above IGMP membership report is sent, the switch will not automatically add port 8 as one of the egress ports for any IGMP membership report group, so video streaming will not get forwarded to disabled all-group ports selected by the network manager.

Commands

This enhancement modifies one command:

SHOW IP IGMP

and has two new commands:

ENABLE IP IGMP ALLGROUP

DISABLE IP IGMP ALLGROUP

Modified Command

SHOW IP IGMP

Syntax

SHOW IP IGMP [COUNTER] [INTERFACE=interface]

Description

This command displays information about IGMP, and multicast group membership for each IP interface.

This enhancement includes the line “Disabled All-groups ports” on the output of this command, as shown in Figure 6 on page 84. Ports that are disabled have a “#” symbol next to the port number.

Figure 6: Example output from the SHOW IP IGMP command.

IGMP Protocol
--------------------------------------------------------------------------------
Status ........................... Enabled
Default Query Interval ........... 125 secs
Default Timeout Interval ......... 270 secs
Disabled All-groups ports ........ 1,5,7
Interface Name .......... vlan2 (DR)
IGMP Proxy .............. Off
Group List ..............
  Group. 238.0.1.2     Last Adv. 172.50.2.1     Refresh time 34 secs
  Ports 3,11,23
  Group. 224.1.1.2     Last Adv. 172.50.2.1     Refresh time 130 secs
  Ports 2,11,23
  All Groups           Last Adv. 172.50.1.1     Refresh time 45 secs
  Ports 1#,11,23
Interface Name .......... vlan4 (DR)
IGMP Proxy .............. Off
Group List ..............
  No group memberships.
--------------------------------------------------------------------------------

Table 21: New parameter in the output of the SHOW IP IGMP command.

Parameter: Meaning

Disabled All-groups ports: A list of ports that are prevented from behaving as IGMP all-group ports.

Examples

To show information about IGMP, use the command:

SHOW IP IGMP

See Also

ENABLE IP IGMP ALLGROUP

DISABLE IP IGMP ALLGROUP

New Commands

This enhancement request introduces two new commands for enabling/disabling all-group entries on switch ports.

ENABLE IP IGMP ALLGROUP

Syntax

ENABLE IP IGMP ALLGROUP=[{port-list|ALL}]

where:

port-list is a port number, a range of port numbers (specified as n-m), or a comma separated list of port numbers and/or ranges. Port numbers start at 1 and end at m, where m is the highest numbered Ethernet switch port, including uplink ports.

Description

This command enables the specified port(s) to behave as multicast all-group ports.

The ALLGROUP parameter specifies the list of ports able to behave as all-group entry ports. If ALL is specified, all ports are able to behave as all-group entry ports. The default is ALL.

Examples

To enable ports 1, 5 and 7 to behave as all-group entry ports, use the command:

ENABLE IP IGMP ALLGROUP=1,5,7

See Also

DISABLE IP IGMP ALLGROUP

SHOW IP IGMP

DISABLE IP IGMP ALLGROUP

Syntax

DISABLE IP IGMP ALLGROUP=[{port-list|ALL}]

where:

port-list is a port number, a range of port numbers (specified as n-m), or a comma separated list of port numbers and/or ranges. Port numbers start at 1 and end at m, where m is the highest numbered Ethernet switch port, including uplink ports.

Description

This command disables the specified port(s) from acting as multicast all-group entry ports. Ports that are disabled have a “#” symbol next to the port number in the output of the SHOW IP IGMP command.

Examples

To prevent ports 1, 5 and 7 from behaving as all-group entry ports, use the command:

DISABLE IP IGMP ALLGROUP=1,5,7

See Also

ENABLE IP IGMP ALLGROUP

SHOW IP IGMP
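To review which ports currently receive every multicast group, the following added Python example (not part of the switch software) parses SHOW IP IGMP output and lists all-group ports that are neither marked “#” nor on an approved list, then builds the matching DISABLE command. The sample text is abridged from Figure 6; the `permitted` list and the function names are assumptions.

```python
"""Audit SHOW IP IGMP output for unexpected all-group ports (added example)."""
import re

# Constructed sample input, abridged from Figure 6.
SHOW_IP_IGMP = """\
Status ........................... Enabled
Disabled All-groups ports ........ 1,5,7
Interface Name .......... vlan2 (DR)
Group List ..............
Group. 238.0.1.2 Last Adv. 172.50.2.1 Refresh time 34 secs
Ports 3,11,23
All Groups Last Adv. 172.50.1.1 Refresh time 45 secs
Ports 1#,11,23
Interface Name .......... vlan4 (DR)
Group List ..............
No group memberships.
"""


def parse(text):
    """Return (disabled ports, {interface: {'active': set, 'marked': set}})."""
    disabled, all_group = set(), {}
    interface, in_all_groups = None, False
    for raw in text.splitlines():
        line = raw.strip()
        found = re.match(r"Disabled All-groups ports\s*\.+\s*(.*)", line)
        name = re.match(r"Interface Name\s*\.+\s*(\S+)", line)
        if found:
            disabled = {int(p) for p in found.group(1).split(",")
                        if p.strip().isdigit()}
        elif name:
            interface, in_all_groups = name.group(1), False
        elif line.startswith("All Groups"):
            in_all_groups = True          # the next Ports line is the all-group entry
        elif line.startswith("Group."):
            in_all_groups = False         # an ordinary per-group entry
        elif line.startswith("Ports") and in_all_groups:
            entry = all_group.setdefault(interface, {"active": set(), "marked": set()})
            for token in line[len("Ports"):].split(","):
                token = token.strip()
                if token:
                    kind = "marked" if token.endswith("#") else "active"
                    entry[kind].add(int(token.rstrip("#")))
            in_all_groups = False
    return disabled, all_group


def audit(text, permitted):
    """Per interface, list all-group ports that are not marked '#' and not permitted.

    `permitted` is a hypothetical allow list, e.g. the ports facing the
    multicast router.
    """
    _disabled, all_group = parse(text)
    findings = {}
    for interface, entry in all_group.items():
        unexpected = sorted(entry["active"] - set(permitted))
        if unexpected:
            findings[interface] = unexpected
    return findings


def disable_command(ports):
    """Build the DISABLE IP IGMP ALLGROUP command for the given ports."""
    return "DISABLE IP IGMP ALLGROUP=" + ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    for interface, ports in audit(SHOW_IP_IGMP, permitted={23}).items():
        print(interface, "unexpected all-group ports:", ports)
        print("  ->", disable_command(ports))
```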


DS3 Interfaces

The AT-RP24i/DS3 provides one standards-based unchannelised DS3 interface. The interface has the following features:

44.736 Mbit/s interface rate, 44.210 Mbit/s payload data rate

Separate transmit (Tx) and receive (Rx) BNC connectors

75-ohm impedance

B3ZS line encoding

Automatic compensation for lines up to 135m (450ft)

Loop or internal timing

C-bit framing

Support for PPP and Frame Relay encapsulation

The interface meets the following specifications:

ANSI T1.103, Digital Hierarchy - Synchronous DS3 Format

ANSI T1.107, Digital Hierarchy - Formats

ANSI T1.231, Digital Hierarchy - Layer 1 In-Service Digital

RFC 2496 (DS3 MIB)

Digital Signal 3 (DS3) is a classification of digital signals, and sits at Layer One of the OSI model. The purpose of Layer One is to provide a transmission link between two entities and to monitor the quality of the link. In DS3 the link monitoring is achieved by adding overhead information alongside the data payload.

The DS3 interface rate is 44.736 Mbit/s with a payload rate of 44.210 Mbit/s.

The signal is partitioned into Multi-frames (M-frames), and the M-frames are partitioned into seven M-subframes. Each M-subframe is further subdivided into 8 blocks of 85 bits with 84 bits available for payload, and one bit for framing overhead. The frame structure is shown in Figure 7 on page 86.

Figure 7: DS3 Framing Structure. The M-frame is 4760 bits: seven M-subframes that begin with the overhead bits X1, X2, P1, P2, M1, M2 and M3 respectively, each followed by 679 bits. The first M-subframe is 680 bits: the overhead bits X1, F1, C1, F2, C2, F3, C3 and F4, each followed by 84 information bits.

The switch with the DS3 interface is called the near end. The entity the switch connects to is called the far end. X1 and X2 are set to 1 if the near end is receiving an Alarm Indication Signal (AIS), a Loss Of Frame (LOF), or a Loss Of Signal (LOS). This allows the near end to indicate to the far end that it is experiencing a problem and is known as Far End Receive Failure (FERF).

P1 and P2 form the P-bit channel. They provide parity information for the preceding M-frame.

M1, M2, and M3 form a frame alignment channel used by the hardware to locate all seven M-subframes.

F1, F2, F3, and F4 form an M-subframe alignment channel which is used by the hardware to identify all frame overhead bit positions.

C1, C2, and C3 form the C-bit channel.

C-bit Parity Mode

In C-bit parity mode the C-bits are described as follows:

The first C-bit in M-subframe 1 is set to 1 to identify the format as C-bit parity. If this is zero the format is assumed to be M23.

The second C-bit in M-subframe 1 is designated Nr and is set to 1.

The third C-bit in M-subframe 1 provides the Far End Alarm and Control signal (FEAC) which is used to:

• Send alarm or status information from the far end back to the near end.

• Initiate DS3 loopbacks.

The three C-bits in M-subframe 3 are designated as CP-bits and are used to implement CP-bit parity. At the near end the CP-bits are set to the same value as the P-bits. The parity of the CP-bits of frame N are compared with the parity of the CP-bits of frame N+1. A difference in parity between N and N+1 is deemed a CP-bit parity error.

The three C-bits in M-subframe 4 are designated as FEBE bits. The FEBE bits are returned to the far end to indicate the occurrence of a framing error or CP-bit parity error. If none occur, the FEBE bits are set to all ones. One or all of the FEBE bits are set to zero if a CP-bit parity error or an error in the F or M bits is found.

The three C-bits in M-subframe 5 are assigned as a 28.2kbits/s terminal-to-terminal path-maintenance data link. This data link can be switched off at the command interface. If it is switched off, the C-bits in M-subframe 5 are set to all ones. If switched on, the maintenance channel can convey the following information:

Path Identification Signal.

A set of ASCII text strings that can be used to uniquely identify this particular DS3 path. This can be useful if the DS3 signal is, at some point in its path, multiplexed into a higher order signal such as DS4 or OC-3. It is common for lower-order signals to be switched within a cross-connect. If this happens it is possible that the wrong DS3 signal is switched through to the switch. When this happens the overhead bits are all correct, so there is no indication that the wrong signal has been applied. The Path Identification Signal can be agreed by the two parties at either end of the network and tested to ensure that it is the right DS3 signal that has been received.

Idle Signal.

A set of ASCII text strings that can be used to provide the location of the source of an idle signal.

Test Signal.

A set of ASCII text strings that can be used to provide the location of the source of a test signal.

These signals are sent once every second. All other C-bits are for future use.
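The frame layout and C-bit assignments described above, worked through in an added Python example (not code from the switch). It places the overhead bits at their offsets in the M-frame, derives the payload and maintenance data link rates from that layout, and decodes the C-bits of a constructed frame; the function names are assumptions, and the constructed frame leaves payload and alignment bits at 0.

```python
"""DS3 M-frame overhead layout and C-bit decoding (added example)."""

LINE_RATE = 44_736_000                      # bit/s, interface rate from the text
SUBFRAMES, BLOCKS, BLOCK_BITS = 7, 8, 85    # 8 blocks of 85 bits per M-subframe
SUBFRAME_BITS = BLOCKS * BLOCK_BITS         # 680
FRAME_BITS = SUBFRAMES * SUBFRAME_BITS      # 4760
FIRST_BIT = ["X1", "X2", "P1", "P2", "M1", "M2", "M3"]    # one per M-subframe
LATER_BITS = ["F1", "C1", "F2", "C2", "F3", "C3", "F4"]   # blocks 2 to 8


def overhead_map():
    """Map bit offset in the M-frame to (M-subframe number, overhead bit name)."""
    layout = {}
    for sub in range(SUBFRAMES):
        for block in range(BLOCKS):
            name = FIRST_BIT[sub] if block == 0 else LATER_BITS[block - 1]
            layout[sub * SUBFRAME_BITS + block * BLOCK_BITS] = (sub + 1, name)
    return layout


def rates():
    """Derive the payload and maintenance data link rates from the layout."""
    frames_per_second = LINE_RATE / FRAME_BITS
    return {
        "payload_bps": LINE_RATE * (BLOCK_BITS - 1) / BLOCK_BITS,  # 84 of 85 bits
        "datalink_bps": 3 * frames_per_second,   # three C-bits in M-subframe 5
    }


def c_bits(frame, subframe):
    """Return [C1, C2, C3] of the given M-subframe (numbered from 1)."""
    offsets = [off for off, (sub, name) in overhead_map().items()
               if sub == subframe and name.startswith("C")]
    return [frame[off] for off in sorted(offsets)]


def build_frame(c_by_subframe):
    """Constructed frame: all bits 0 except the C-bits given per M-subframe."""
    frame = [0] * FRAME_BITS
    for off, (sub, name) in overhead_map().items():
        if name.startswith("C") and sub in c_by_subframe:
            frame[off] = c_by_subframe[sub][int(name[1]) - 1]
    return frame


def decode(frame):
    """Interpret the C-bits as described for C-bit parity mode."""
    if len(frame) != FRAME_BITS:
        raise ValueError(f"an M-frame is {FRAME_BITS} bits, got {len(frame)}")
    first = c_bits(frame, 1)
    return {
        "format": "C-bit parity" if first[0] == 1 else "M23",
        "feac": first[2],                                   # FEAC channel bit
        "cp": c_bits(frame, 3),                             # CP-bits
        "far_end_error": c_bits(frame, 4) != [1, 1, 1],     # any FEBE bit at 0
        "datalink_all_ones": c_bits(frame, 5) == [1, 1, 1], # as sent with link off
    }


if __name__ == "__main__":
    print({k: round(v) for k, v in rates().items()})
    sample = build_frame({1: [1, 1, 0], 3: [0, 0, 0], 4: [1, 0, 1], 5: [1, 1, 1]})
    print(decode(sample))
```

The derived rates agree with the figures quoted in the text: 84 payload bits in every 85 give 44.210 Mbit/s, and three C-bits per 4760-bit M-frame give 28.2 kbit/s.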

Loopbacks

The DS3 interface provides four types of loopback: line, payload, diagnostic, and remote. These loopbacks are activated by the ENABLE DS3 TEST command.

Line loopback is shown in Figure 8 on page 88. In this loopback mode the receive signal is looped straight to the transmit signal.

Figure 8: Line Loopback. (Diagram of the TX and RX connections between the Far End and the DS3 NSM.)

Payload loopback is similar to line loopback. The difference is that only the payload is looped back from receive to transmit. The overhead is sourced from the DS3 NSM.

Diagnostic loopback is shown in Figure 9 on page 88. In this loopback mode the transmit signal is connected straight to the receive signal.

Figure 9: Diagnostic Loopback. (Diagram of the TX and RX connections between the Far End and the DS3 NSM.)

In C-bit parity mode it is also possible for the switch to request a loopback at the far end. This is shown in Figure 10 on page 89. This is achieved using the FEAC channel. The switch can also respond to remote loopback requests via the FEAC channel from the far end. This results in a near end Line Loopback (see above).

Figure 10: Remote Loopback. (Diagram of the TX and RX connections between the Far End and the DS3 NSM.)

Note that it is possible to configure near end local and remote loopbacks at the same time.

DS3 Configuration

The DS3 interface on the switch is automatically configured by the software modules when the switch sets up. Certain aspects of the DS3 signal can be altered to allow the switch to connect to another vendor’s equipment via the DS3 interface.

The configuration of the DS3 interface can be changed with the command:

SET DS3=instance [CLOCK={LOOP|INTERNAL}] [CMTCE={ON|OFF}] [DIRECTION={TRANSMIT|RECEIVE}] [EIC=equipment-id] [FAC=facility-id] [FDET={ON|OFF}] [FIC=frame-id] [GENNO=generator-id] [LIC=location-id] [PARAM15=threshold] [PARAM24=threshold] [PORT=port-id] [PRIM15=threshold] [PRIM24=threshold] [UNIT=unit-id] [TYPE={PID|ISID|TSID}]

The CLOCK parameter specifies the clock source for the DS3 interface. The default is LOOP timing where the clock is derived from the received DS3 signal. If INTERNAL is selected the DS3 transmit signal is timed using an internal clock.

The CMTCE parameter specifies whether the terminal-to-terminal path-maintenance link is switched on. When CMTCE is set to OFF the maintenance link is switched off and the C-bits in M-subframe 5 are all set to one. If CMTCE is set to ON the maintenance link is switched on. The path maintenance link allows a number of identification messages to be inserted into the path overhead of the DS3 signal. These messages are in the form of text characters and allow the users at either end of the DS3 path to ensure that the correct DS3 signal has reached their equipment.

The DIRECTION parameter is used with the EIC, FAC, FIC, LIC or UNIT parameters to specify whether the text string is the text to transmit, or the text to expect in the received signal. If TRANSMIT is specified, the user is specifying a text to be transmitted out on the path. If RECEIVE is specified, the user is specifying the ASCII characters expected on the incoming path. If the DIRECTION parameter is present the TYPE parameter must also be present.

The EIC parameter specifies the Equipment Identification Code. This is 0 to 10 characters in length and describes the equipment at the near end, e.g. “RAPIER SW”. This parameter is only meaningful with the CMTCE parameter set to ON. With CMTCE set to OFF this parameter is ignored. The default pattern is “ignore”.

The FAC parameter specifies the FACility identification code. This is 0 to 38 characters in length and describes the DS3 path.

This data element is called FI in the ANSI specification; it is named FAC in this document to avoid confusion with the FIC parameter.

The FAC parameter is only valid if the TYPE parameter is set to PID. This parameter is only meaningful with the CMTCE parameter set to ON. With CMTCE set to OFF this parameter is ignored. The default pattern is “ignore”.

The FDET parameter specifies whether fast detection of AIS is enabled. If ON is specified, the AIS detection time is 2.23ms. If OFF is specified, the AIS detection time is 13.5ms. The default is ON.

The FIC parameter specifies the Frame Identification Code. This is 0 to 10 characters in length and describes where the equipment is located within a building, e.g. “FRAME 255”. This parameter is only meaningful with the CMTCE parameter set to ON. With CMTCE set to OFF this parameter is ignored. The default pattern is “ignore”.

The GENNO parameter specifies the test signal identification message. It is 0 to 38 characters in length and describes the signal generator that initiates a test message. This parameter is only valid if the TYPE parameter is set to ISIS. This parameter is only meaningful with the CMTCE parameter set to ON. With CMTCE set to OFF this parameter is ignored. The default pattern is “ignore”.

The LIC parameter specifies the Location Identifier Code. This is 0 to 11 characters in length and describes the specific location of the equipment, e.g. “BUILDING 1”. This parameter is only meaningful with the CMTCE parameter set to ON. With CMTCE set to OFF this parameter is ignored. The default pattern is “ignore”.

The PARAM15 parameter specifies the 15-minute counter threshold for all performance monitoring parameters (PES, PSES, SEF, UAS, LES, CES, CSES) between 1 and 900 seconds inclusive. If a trigger has been created, it will assert if the 24-hour count exceeds the value specified in PARAM15. The default is 900 seconds.

The PARAM24 parameter specifies the 24-hour counter threshold for all performance monitoring parameters (PES, PSES, SEF, UAS, LES, CES, CSES) between 1 and 65535 seconds inclusive. If a trigger has been created, it will assert if the 24-hour count exceeds the value specified in PARAM24. The default is 65535 seconds.

The PORT parameter specifies from which port a test signal is generated, and is 0 to 38 characters in length. This parameter is only valid if the TYPE parameter is set to TSID. This parameter is only meaningful with the CMTCE parameter set to ON. With CMTCE set to OFF this parameter is ignored. The default pattern is “ignore”.

The PRIM15 parameter specifies the 15-minute counter threshold for all performance monitoring primitives (LCV, PCV, CCV) between 1 and 16383 seconds inclusive. If a trigger has been created, it will assert if the 15-minute count exceeds the value specified in PRIM15. The default is 16383.

The PRIM24 parameter specifies the 24-hour counter threshold for all performance monitoring primitives (LCV, PCV, CCV) between 1 and 1048575 seconds inclusive. If a trigger has been created, it will assert if the 24-hour count exceeds the value specified in PRIM24. The default is 1048575.


The PRIM24 parameter specifies the 24-hour counter threshold for all performance monitoring primitives (LCV, PCV, CCV) between 0 and 1048575 seconds. If a trigger has been created, it will assert if the 24-hour count exceeds the value specified in PRIM24. The default is 1048575.

The TYPE parameter is used with the EIC, FAC, FIC, LIC, or UNIT parameters to specify whether the text string is used to describe a path signal, an idle signal, or a test signal.

The UNIT parameter specifies where the equipment is located within a bay e.g. “SHELF6”, and is 0 to 6 characters in length. This parameter is only meaningful with the CMTCE parameter set to ON. With CMTCE set to OFF this parameter is ignored. The default pattern is “ignore”.

To see the current configuration use the command:

SHOW DS3=n STATE

The DS3 counters can be displayed by using the command:

SHOW DS3=n COUNTERS [HISTORY[=interval]] {NEAR|FAR|BOTH}

The counters can be reset by using the command:

RESET DS3[=instance] COUNTERS[={HDLC|INTERFACE|LINK|DIAGNOSTIC|STATE|ALL}]

where:

instance is the number of the DS3 interface.

A further description of DS3 can be found in the DS3 Interfaces section of Chapter 3, Interfaces in your switch’s software reference.

The commands used to set up and configure the DS3 interface are:

DISABLE DS3 DEBUG

DISABLE DS3 TEST

ENABLE DS3 DEBUG

ENABLE DS3 TEST

RESET DS3

RESET DS3 COUNTERS

SET DS3

SHOW DS3 CMTCE

SHOW DS3 CONFIGURATION

SHOW DS3 COUNTERS

SHOW DS3 DEBUG

SHOW DS3 STATE

SHOW DS3 TEST

Once the interface is set up and configured, it can be used in conjunction with Frame Relay, using the following commands:

CREATE FRAMERELAY

SHOW FRAMERELAY


See Chapter 5, Frame Relay in your switch’s Software Reference.

DS3 interfaces can be tested with the test facility, using the following commands:

DISABLE TEST INTERFACE

ENABLE TEST INTERFACE

SHOW TEST

See Chapter 10, Test Facility in your switch’s Software Reference.

Dynamic Port Security

Dynamic Port Security allows for dynamic MAC address learning on a switch port. If a MAC address is unused for a period of time, it will be aged from the database of currently accepted MAC addresses. This allows the learning of new MAC addresses, which is useful because port security allows the number of devices that are connected to a particular switch port to be limited.

MAC address learning can be set to static or dynamic by using the RELEARN parameter in the following command:

SET SWITCH PORT={port-list|ALL} [ACCEPTABLE={ALL|VLAN}]
    [BCLIMIT={NONE|limit}] [DESCRIPTION=description]
    [DLFLIMIT={NONE|limit}]
    [EGRESSLIMIT={NONE|DEFAULT|0|1000..127000|8..1016}]
    [INFILTERING={OFF|ON}]
    [INGRESSLIMIT={NONE|DEFAULT|0|64..127000|8..1016}]
    [LEARN={NONE|0|1..256}]
    [INTRUSIONACTION={DISABLE|DISCARD|TRAP}]
    [MCLIMIT={NONE|limit}] [MIRROR={BOTH|NONE|RX|TX}]
    [MODE={AUTONEGOTIATE|MASTER|SLAVE}]
    [MULTICASTMODE={A|B|C}] [RELEARN={OFF|ON}]
    [SPEED={AUTONEGOTIATE|10MHALF|10MFULL|10MHAUTO|10MFAUTO|100MHALF|100MFULL|100MHAUTO|100MFAUTO|1000MHALF|1000MFULL|1000MHAUTO|1000MFAUTO}]

The RELEARN parameter determines whether dynamic or static MAC address learning will be used on this port. This parameter has no effect if the security feature limiting the number of MAC addresses is disabled (i.e. when LEARN=0 or NONE).

If the RELEARN parameter is set to OFF, static MAC address learning is used. Once a MAC address has been learned it will remain permanently in the learning database. If the RELEARN parameter is set to ON, dynamic MAC address learning is used. If a MAC address is unused for a period of time, it will be removed from the learning database. Another (or the same) MAC address can then be learned and stored in the vacant position in the learning database. When RELEARN is enabled on a port, all existing entries in the learning database are removed. The elapsed time before a MAC address entry is removed can be set using the SET SWITCH AGEINGTIMER command (see the Switch Chapter for more information). The default is OFF.
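The difference between static and dynamic learning described above can be seen in a small model. This is an added example, not code from the switch software: the PortSecurity class, the ageing value of 300 seconds and the "intrusion" result (the point at which the configured INTRUSIONACTION would presumably apply) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    """Toy model of one port's learning database (illustrative, hypothetical)."""
    learn: int                  # LEARN limit; 0 means the limit is disabled
    relearn: bool = False       # RELEARN=ON selects dynamic learning
    ageing: int = 300           # assumed ageing time, in seconds
    db: dict = field(default_factory=dict)   # MAC -> time last seen

    def set_relearn(self, on: bool) -> None:
        # Enabling RELEARN removes all existing learning database entries.
        if on and not self.relearn:
            self.db.clear()
        self.relearn = on

    def _age(self, now: int) -> None:
        # Entries age out only with dynamic learning and a limit in force.
        if self.relearn and self.learn > 0:
            self.db = {m: t for m, t in self.db.items()
                       if now - t <= self.ageing}

    def frame(self, mac: str, now: int) -> str:
        """Return 'accept', 'learned' or 'intrusion' for a source MAC."""
        if self.learn == 0:
            return "accept"     # limit disabled, so RELEARN has no effect
        self._age(now)
        if mac in self.db:
            self.db[mac] = now
            return "accept"
        if len(self.db) < self.learn:
            self.db[mac] = now  # a vacant position is available
            return "learned"
        return "intrusion"      # database full: intrusion action applies

def replay(port, events):
    """Feed (time, mac) events to a port and collect the outcomes."""
    return [port.frame(mac, t) for t, mac in events]

# Constructed traffic: a third device appears, then returns after a quiet period.
EVENTS = [(0, "aa"), (10, "bb"), (20, "cc"), (400, "cc"), (410, "aa")]

if __name__ == "__main__":
    print("static :", replay(PortSecurity(learn=2), EVENTS))
    print("dynamic:", replay(PortSecurity(learn=2, relearn=True), EVENTS))
```

With RELEARN=OFF the third device is never admitted; with RELEARN=ON it is admitted once the first two entries have aged out, which is why the ageing time effectively bounds how long the MAC limit holds against a replaced device.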

To see whether the switch is using static or dynamic port security, use the command:


SHOW SWITCH PORT[={port-list|ALL}]

This command displays general information about the specified switch ports or all switch ports.

Figure 1-22: Example output from the SHOW SWITCH PORT command showing the RELEARN parameter.

Switch Port Information
---------------------------------------------------------------------------
Port .......................... 1
Description ................... To intranet hub, port 4
Status ........................ ENABLED
Link State .................... Up
UpTime ........................ 00:10:49
Port Media Type ............... ISO8802-3 CSMACD
Configured speed/duplex ....... Autonegotiate
Actual speed/duplex ........... 1000 Mbps, full duplex
Configured master/slave mode .. Autonegotiate
Actual master/slave mode ...... Master
Acceptable Frame Types ........ Admit All Frames
Broadcast rate limit .......... 1000/s
Multicast rate limit .......... -
DLF rate limit ................ -
Learn limit ................... -
Relearn ....................... OFF
Intrusion action .............. Discard
Current learned, lock state ... 15, not locked
Mirroring ..................... Tx, to port 22
Is this port mirror port ...... No
Enabled flow control .......... Pause
Send tagged pkts for VLAN(s) .. marketing (87)
                                sales (321)
Port-based VLAN ............... accounting (42)
Ingress Filtering ............. OFF
Trunk Group ................... -
STP ........................... company
Multicast filtering mode ...... (B) Forward all unregister groups
---------------------------------------------------------------------------

Table 1-1: New parameter in the output of the SHOW SWITCH PORT command.

Parameter    Meaning
Relearn      Whether or not MAC address learning is used, one of “ON” or “OFF”.
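When auditing many ports it helps to read the Learn limit and Relearn fields mechanically. The following added example (not part of the release note or the switch software) parses output in the layout of Figure 1-22 and classifies each port; the sample text is constructed, and treating a Learn limit of "-" as "limit disabled" is an assumption.

```python
import re

# Constructed sample in the layout of Figure 1-22 (two ports, fields trimmed).
SAMPLE = """\
Switch Port Information
---------------------------------------------------------------------------
Port .......................... 1
Description ................... To intranet hub, port 4
Learn limit ................... -
Relearn ....................... OFF
Intrusion action .............. Discard
Send tagged pkts for VLAN(s) .. marketing (87)
                                sales (321)
---------------------------------------------------------------------------
Port .......................... 2
Learn limit ................... 4
Relearn ....................... ON
Intrusion action .............. Trap
---------------------------------------------------------------------------
"""

# "Name ...... value": a field name, a run of dot leaders, then the value.
FIELD = re.compile(r"^(\S.*?) \.{2,} (.*)$")

def parse_ports(text):
    """Split SHOW SWITCH PORT output into one dict of fields per port."""
    ports, cur, key = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Port":               # a "Port" line starts a new record
                cur = {}
                ports.append(cur)
            if cur is not None:
                cur[key] = value
        elif cur is not None and key and line[:1].isspace() and line.strip():
            cur[key] += ", " + line.strip() # wrapped value, e.g. a VLAN list
    return ports

def security_mode(port):
    """Classify a port as 'unlimited', 'static' or 'dynamic' port security."""
    if port.get("Learn limit", "-").upper() in {"-", "0", "NONE"}:
        return "unlimited"                  # no MAC limit: RELEARN has no effect
    return "dynamic" if port.get("Relearn", "OFF").upper() == "ON" else "static"

def audit(text):
    """Map each port number to its port-security mode."""
    return {p["Port"]: security_mode(p) for p in parse_ports(text)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port reported as "unlimited" is one where changing RELEARN alone achieves nothing, because the MAC address limit itself is not in force.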

Availability

Patches can be downloaded from the Software Updates area of the Allied Telesyn web site at www.alliedtelesyn.co.nz/support/updates/patches.html. A licence or password is not required to use a patch.
