3Com CoreBuilder 3500 Page 233 Implementation Manual Download | Manualshive

Page: 233 / 592

background image

The Packet Filtering Language

233

Implementing

Sequential Tests in a

Packet Filter

Filter language expressions are normally evaluated to completion —
a packet is accepted if the value remaining on the top of the stack is
nonzero. Frequently, however, a single test is insufficient to filter packets
effectively. When more tests are warranted, you want to accept a packet
that satisfies one of two cases:

■

At least one criterion specified in two or more tests (that is, ORs the
results of the tests)

or

■

All criteria specified in two or more tests (that is, ANDs the results of
the tests)

The

accept

and

reject

instructions are used to implement sequential tests,

as shown in Figure 37.

In order to optimize a filter’s performance, it is best to exit a filter as early
as possible. If you wait until the last instruction to make the forward or
filter decision, more processing is needed.

The accept and reject criteria allow you to exit a filter early. When using
these instructions, construct the packet filter so that tests that apply to
the majority of the network traffic are performed first. This ensures that
the filter is exited after the first instruction for the majority of packets.
Only a small number of packets will require additional tests.

For example, assume you want to create a filter that checks for particular
IPX attributes that you want to filter, but most of the traffic on your
network is IP traffic. In this case, it would be best to first check each
packet to see if it is a IP frame. If it is, you could accept the packet
immediately. Now only the smaller number of packets that contain IPX
information would be subjected to additional tests.

«
...
231
232
233
234
235
...
»

Summary of Contents for CoreBuilder 3500

Page 1: ... http www 3com com CoreBuilder 3500 Implementation Guide Release 3 0 Part No 10013506 Published November 1999 ...

Page 2: ... s standard commercial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3...

Page 3: ...7 Procedure Summary 27 Configuration Procedure 28 2 MANAGEMENT ACCESS Management Access Overview 31 Administration Console Overview 32 SNMP Based Network Management Overview 34 Key Concepts 34 OSI Protocols 34 Protocols 35 Key Guidelines for Implementation 38 Access Methods 38 Administration Console Access 40 Password Levels 40 Terminal Port Access 41 Modem Port Access 41 Web Management Access 42 ...

Page 4: ...a 55 Viewing nvData 55 Simple Network Time Protocol SNTP 56 SNTP Overview 56 Implementing SNTP 57 Standards Protocols and Related Reading 57 4 PHYSICAL PORT NUMBERING Port Numbering Overview 59 Numbering Rules 59 Supported Module Types 60 Key Guidelines for Implementation 61 Examples of Port Numbering 62 Example 1 Fully Loaded System 62 Example 2 Empty Slot in the System 63 Example 3 Gigabit Ether...

Page 5: ...nes for Implementation 78 Link Bandwidths 78 Trunks 78 Port Enable and Disable Port State 79 Important Considerations 79 Port Labels 79 Labeling Ports 79 Autonegotiation 80 Important Considerations 80 Port Mode 82 Important Considerations 82 Flow Control 83 Important Considerations 83 PACE Interactive Access 84 Important Considerations 84 Standards Protocols and Related Reading 84 Ethernet Protoco...

Page 6: ...r 104 Enabling and Disabling Status Reporting 104 FDDI Paths 104 Setting tvxLowerBound 104 Setting tmaxLowerBound 105 Setting maxT Req 105 FDDI MACs 106 Setting the Frame Error Threshold 106 Setting the Not Copied Threshold 106 Enabling and Disabling LLC Service 107 FDDI Ports 107 Setting lerAlarm 107 Setting lerCutoff 108 Setting Port Labels 108 Station Mode DAS and SAS 109 Single Attachment Stat...

Page 7: ... Tree Port States 129 Reconfiguring the Bridged Network Topology 131 Key Guidelines for Implementation 132 STP Bridge and Port Parameters 134 Administering Bridge wide STP Parameters 134 Administering STP Parameters on Bridge Ports 136 Frame Processing 137 MAC Address Table 138 Aging Time 138 Address Threshold 138 Important Considerations 138 IP Fragmentation 139 IPX SNAP Translation 139 Broadcast...

Page 8: ...ng Trunks 153 Important Considerations 153 Standards Protocols and Related Reading 154 9 VIRTUAL LANS VLAN Overview 156 Need for VLANs 156 Benefits 157 Features 158 Key Concepts 159 Related Standards and Protocols 159 VLAN IDs 160 Terminology 161 Key Guidelines for Implementation 163 Network based VLANs vs Multiple Interfaces per VLAN 163 VLANs Created by Router Port IP Interfaces 164 Number of VL...

Page 9: ...3 Rules of VLAN Operation 195 Ingress Rules 195 Egress Rules 198 Examples of Flooding and Forwarding Decisions 200 Rules for Network based Layer 3 VLANs 202 Modifying and Removing VLANs 206 Monitoring VLAN Statistics 207 10 PACKET FILTERING Packet Filtering Overview 210 What Can You Filter 210 When Is a Filter Applied Paths 211 Path Assignment 212 Key Concepts 213 Standard Packet Filters 213 Custo...

Page 10: ...s Filter 237 Source Address Filter 237 Length Filter 237 Type Filter 238 Ethernet Type IPX and Multicast Filter 238 Multiple Destination Address Filter 238 Source Address and Type Filter 239 Accept XNS or IP Filter 239 XNS Routing Filter 240 Port Group Filter 240 Limits to Filter Size 241 Using Port Groups in Custom Packet Filters 242 Port Group Packet Filter Example 242 Port Group Filter Operatio...

Page 11: ... 274 Role of VLANs in IP Routing 275 Port based Routing 276 VLAN based Routing 280 Key Guidelines for Implementing IP Routing 282 Configure Trunks Optional 282 Configure IP VLANs VLAN based Routing 282 Establish Your IP Interfaces 283 Enable IP Routing 285 Administering IP Routing 285 Address Resolution Protocol ARP 286 Important Considerations 288 ARP Proxy 288 Important Considerations 288 Exampl...

Page 12: ... Setting Up RIP Routing Policies 306 Creating RIP Routing Policies 307 Example 308 Domain Name System DNS 310 Important Considerations 310 User Datagram Protocol UDP Helper 311 Configuring Overlapped Interfaces 312 Important Considerations 313 Standards Protocols and Related Reading 313 Requests For Comments RFCs 313 Standards Organizations 314 Related Reading 314 12 VIRTUAL ROUTER REDUNDANCY PROT...

Page 13: ...Protocol DHCP 329 Standards Protocols and Related Reading 329 13 IP MULTICAST ROUTING IP Multicast Overview 332 Unicast Model 332 Broadcast Model 332 Multicast Model 332 Benefits of IP Multicast 333 How a Network Supports IP Multicast 334 IP Multicast Routing 334 IP Multicast Tunnels 335 IP Multicast Filtering 336 Internet Support for IP Multicast 337 Key Concepts 338 Traffic Movement 338 IP Multi...

Page 14: ...rations 349 Configuring DVMRP Tunnels 350 Important Considerations 350 Configuring DVMRP Default Routes 352 How Default Routes Work 352 How to Configure A Default Route 352 Viewing the DVMRP Routing Table 353 Viewing the DVMRP Cache 353 Using IP Multicast Traceroute 354 Standards Protocols and Related Reading 355 14 OPEN SHORTEST PATH FIRST OSPF OSPF Overview 358 Features 358 Benefits 360 Key Conc...

Page 15: ...tions 385 Link State Databases 387 Router Link State Advertisements 387 Network Link State Advertisements 388 Summary Link State Advertisements 389 External Link State Advertisements 389 Important Considerations 391 Neighbors 392 Neighbor Information 392 Static Neighbors 395 Important Considerations 395 Router IDs 396 Important Considerations 396 OSPF Memory Partition 397 Default Memory Allocation...

Page 16: ...ey Guidelines for Implementation 427 Procedural Guidelines 427 General Guidelines 427 IPX Interfaces 428 Important Considerations 428 Per Interface Options 429 IPX Routes 430 Important Considerations 430 Primary and Secondary Routes 431 Static Routes 431 Dynamic Routes Using RIP 431 Routing Tables 432 Selecting the Best Route 433 IPX Servers 434 Important Considerations 434 Primary and Secondary S...

Page 17: ...mentation Guidelines 457 AppleTalk Interfaces 458 Important Considerations 459 AppleTalk Routes 460 Important Considerations 460 AppleTalk Address Resolution Protocol AARP Cache 462 AppleTalk Zones 464 Important Considerations 465 Changing Zone Names 466 Forwarding AppleTalk Traffic 468 Enabling Forwarding 468 Disabling Forwarding 468 Important Considerations 468 Checksum Error Detection 469 Impor...

Page 18: ...low Classifiers 485 Defining Nonflow Classifiers 488 QoS Controls 489 Important Considerations 489 Assigning Control Numbers 490 Specifying Rate Limits 492 Specifying Service Levels 493 Specifying TCP Drop Control 494 Setting the QoS Timer Control 495 Examples of Classifiers and Controls 497 Example 1 Traffic to and from a Specific Server 497 Example 2 Filtering Traffic to a Destination 499 Exampl...

Page 19: ...Management Platform 523 SmartAgent Embedded Software 523 Other Commonly Used Tools 523 Event Logging 524 Important Consideration 524 Displaying the Event Log Configuration 524 Configuring the Output Devices 524 Configuring the Services 524 Baselining 525 Important Considerations 525 Displaying the Current Baseline 525 Setting a Baseline 525 Enabling or Disabling Baselines 525 Roving Analysis 526 K...

Page 20: ...s 547 RMON 2 Groups 552 Management Information Base MIB 556 MIB Files 556 Compiler Support 558 MIB Objects 559 MIB Tree 560 MIB II 562 RMON 1 MIB 563 RMON 2 MIB 564 3Com Enterprise MIBs 565 A TECHNICAL SUPPORT Online Technical Services 567 World Wide Web Site 567 3Com Knowledgebase Web Services 567 3Com FTP Site 568 3Com Bulletin Board Service 568 3Com Facts Automated Fax Service 569 Support from ...

Page 21: ... overview of the configuration process This guide is intended for the system or network administrator who is responsible for configuring using and managing the CoreBuilder 3500 system It assumes a working knowledge of local area network LAN operations and familiarity with communications protocols that are used on interconnected LANs If the information in the release notes differs from the informat...

Page 22: ...ace represents information as it appears on the screen Syntax The word syntax means that you evaluate the syntax provided and then supply the appropriate values for the placeholders that appear in angle brackets Example To set the system date and time use the following syntax CCYY MM DDThh mm ss Commands The word command means that you must enter the command exactly as shown and then press Return ...

Page 23: ... Emphasize a point Denote a new term at the place where it is defined in the text Identify menu names menu commands and software button names Examples From the Help menu select Contents Click OK Table 2 Text Conventions continued Convention Description ...

Page 24: ...tory list of all the items that are shipped with your system CoreBuilder 3500 Software Installation and Release Notes Information about the software release including new features software corrections and known problems It also describes any changes to the documentation CoreBuilder 3500 Quick Installation Guide Quick reminders and information for system installation For greater detail on installat...

Page 25: ...llation Guide Installation instructions for the Gigabit Ethernet Interface Converter transceiver CoreBuilder 3500 Power Supply Assembly Removal and Replacement Guide Overview information and removal and replacement instructions for the CoreBuilder power supplies CoreBuilder 3500 Fan Tray Removal and Replacement Guide Overview information and removal and replacement instructions for the fan tray PC...

Page 26: ... system for the CoreBuilder 3500 Web Management software See the Web Management User Guide for information about Web Management and the related Help system Documentation Comments Your suggestions are very important to us They help us to make our documentation more useful to you Please send e mail comments about this guide to sdtechpubs_comments ne 3com com Please include the following information ...

Page 27: ...the following procedures the first time that you set up your system and every time that you modify its configuration Procedure Summary These steps are described in detail in the next section 1 Establish management access 2 Choose a subsequent management access method 3 Choose a subsequent management interface 4 Configure parameters related to the network infrastructure These include system bridge ...

Page 28: ...mmand Reference Guide 2 Choose a subsequent management access method You can continue to access your system through a local serial connection or you can use one of two other local access methods any in band port on a media module or the out of band 10BASE T port on the system processor module To manage the system through either access method you must first configure an IP address To configure an I...

Page 29: ... more of the following topics may apply to your system depending on your network requirements System parameters To choose the file transfer protocol administer nonvolatile data nvData perform system software updates and display your system configuration see Chapter 3 Physical port numbering To learn the port numbering rules and understand the effects of adding or removing modules see Chapter 4 Eth...

Page 30: ...lters To improve LAN performance shape traffic flows or implement security controls with standard custom predefined and port group packet filters see Chapter 10 Quality of Service QoS and the Resource Reservation Protocol RSVP To classify control and prioritize traffic where available bandwidth is low and your network is carrying time sensitive or business critical information use the QoS and RSVP...

Page 31: ...ment applications This chapter covers the following topics Management Access Overview Key Concepts Key Guidelines for Implementation Administration Console Access Web Management Access SNMP Access Management Access Overview The system provides you with the flexibility to access and manage your system using several different methods You can administer your system using The Administration Console We...

Page 32: ...mentation ipxSnapTranslation Enable Disable IP 802 3 FDDI SNAP Translation addressThreshold Set the bridge address threshold agingTime Set the bridge aging time stpState Enable Disable Spanning Tree on a bridge stpPriority Set the Spanning Tree bridge priority stpMaxAge Set the Spanning Tree bridge maximum age stpHelloTime Set the Spanning Tree bridge hello time stpForwardDelay Set the Spanning Tr...

Page 33: ...em by clicking the part of the image that you want to manage Performance features Dynamic monitoring through graphing of QoS statistics and Ethernet interfaces Help Access to the configuration form on which you set up the installable Help files as well as access to links to support information on the 3Com Web site Installable tools Install these optional tools on your workstation from the Software...

Page 34: ...erface Figure 2 shows an example of a Device View screen Figure 2 Sample Transcend Network Control Services Device View Key Concepts This section describes the relationship between the methods of management access described in the previous sections and how they fit into established networking protocols It also introduces the concepts of in band and out of band management using IP OSI Protocols Man...

Page 35: ...on Management SMT protocol Application Layer Transport Layer Network Layer Data link and Physical Layers Ethernet FDDI SMT Administration Console IP Telnet FTP Terminal emulation IP Web Management applications TCP UDP Telnet FTP SNMP SMT proxy agent SNMP agent In band Out of band Ethernet FDDI SMT In band Out of band Modem service Modem service Serial line Terminal Serial line Terminal Administrat...

Page 36: ...istration Console you configure an IP address by defining an IP interface See the Command Reference Guide for additional information about defining IP addresses for in band or out of band management Terminal emulation differs from a virtual terminal protocol in that you must connect a terminal directly to the serial port Figure 4 shows a UNIX workstation connected to the system through a virtual t...

Page 37: ...and management have advantages and disadvantages In Band Management If you manage your system and its attached LANs over the same network that carries your regular data traffic then you are managing your network in band This kind of management is often the most convenient and inexpensive way to access your system The disadvantage is that if your data network is faulty or congested you may not be a...

Page 38: ...ou change the baud rate to something other than 9600 the new setting becomes the new default even after you issue a system nvdata reset command You can use the system serialPort terminalSpeed command through the terminal serial port or through an IP interface However if you change the terminal speed while in a telnet session you must reboot the system for the change to take effect Access Method Ac...

Page 39: ...erface in one of the following ways You can use Telnet to connect up to four concurrent remote sessions to the Administration Console using a terminal program from a host computer You can run Web Management to access its management applications to manage and monitor your system You can run an SNMP based network management application to manage and monitor your system IP is a standard networking pr...

Page 40: ...band management Administration Console Access The first time that you access the Administration Console access the system at the administer level and press the Return key at the password prompt The initial password is null Subsequent access is described next Password Levels The Administration Console supports three password levels allowing the network administrator to provide different levels of a...

Page 41: ...are sent to the serial port regardless of the interface through which the associated action was initiated A Macintosh or PC attachment can use any terminal emulation program for connecting to the terminal serial port A workstation attachment under UNIX can use an emulator such as TIP Modem Port Access You can access the Administration Console from your PC or Macintosh using an external modem attac...

Page 42: ...ires either Microsoft Internet Explorer 4 01 or later or Netscape Navigator 4 03 or later Netscape Navigator If you are using Netscape Navigator 4 03 or 4 04 be sure to install the Netscape JDK 1 1 Patch You can download the patch from the following location http help netscape com filelib html smartupdate If you encounter problems accessing Help files when you use Netscape clear the browser memory...

Page 43: ...hrough an Ethernet port using an IP interface SmartAgent intelligent agents are the foundation of the Transcend architecture SmartAgent software and RMON work together to provide automatic network wide monitoring analysis and reporting For additional information about Transcend Network Control Services see the 3Com Web page at http www 3com com ...

Page 44: ...44 CHAPTER 2 MANAGEMENT ACCESS ...

Page 45: ...Key Guidelines for Implementation File Transfer Security Software Update nvData Operations Simple Network Time Protocol SNTP Standards Protocols and Related Reading You can manage system parameters in either of these ways From the system menu on the Administration Console See the Command Reference Guide From the System folder of the Web Management software See the Web Management User Guide ...

Page 46: ... s current configuration Take a snapshot of your system s current system configuration and status Create and modify passwords Create and maintain a statistics baseline See Chapter 18 for details Set and administer your system s serial port baud rates See Chapter 2 for details Modify your system s date and time See the Command Reference Guide for descriptions of the commands that you use to set and...

Page 47: ... from one system to another with this protocol TFTP Trivial File Transfer Protocol Designed to function over the User Datagram Protocol UDP this protocol reads and writes files to and from a remote server It is smaller and easier to operate than FTP but it lacks most of the FTP features Save Use this option on the nvData menu to save nvData to a file on a remote system Restore Use this option on t...

Page 48: ... or form that governs a system parameter 2 Specify a value File Transfer From the system menu or folder you can select which protocol you want the system to use to transfer data between systems Choose either File Transfer Protocol FTP or the Trivial File Transfer Protocol TFTP which is the default Implementing FTP FTP meets the following file transfer objectives Transfers data reliably and efficie...

Page 49: ...nt requests for file access You must create two files when you are using the save nvData option over TFTP See Saving nvData in this chapter For more information on TFTP see your TFTP server documentation Security You can limit IP management access to your system through the Administration Console or the Web Management software as follows On the Administration Console you can limit IP management ac...

Page 50: ...s displayed when access is denied Access Enables or disables checking for trusted IP clients By default checking for trusted IP clients is disabled The Web Management software offers these security options Display Displays the trusted IP clients and indicates whether checking for trusted IP clients is enabled or disabled Configuration Allows you to enable or disable checking for trusted IP clients...

Page 51: ...P address or subnet forces you to reestablish local access via the serial port For Telnet access the change takes effect at your next login Additional considerations If you modify a trusted IP client definition through the Web Management software the change also affects Telnet and SNMP access to the system If you modify a trusted IP client definition through Telnet access to the Administration Con...

Page 52: ...information on how to verify your system s memory see the Getting Started Guide You can load the system software into flash memory while the system is operating The system does not have to be powered off Verify that you have defined an IP address on your system To guard against failure during the software upgrade be sure to save the software to nvData before you perform the system software upgrade...

Page 53: ...IA flash memory card Important Considerations Consider the following guidelines before you perform an nvData save operation When you use TFTP before you save data to the file you have to create two files on the TFTP server The screen display appears as follows Select menu option system nvdata save Host IP Address 158 101 100 1 158 101 112 34 NV Control file full pathname tftpboot mecca Enter an op...

Page 54: ...you are restoring the image Rule 2 System ID mismatch System IDs do not match between the saved configuration and the target system In this case the system informs you of the mismatch and then prompts you to continue If neither of these rules succeeds you cannot apply the saved configuration to your system Before you restore a system with mismatched system IDs consider the following issues that mi...

Page 55: ...reset it or save the existing nvData to a file See Saving nvData earlier in this chapter for details You can reset nvData on a system only when it is directly connected through the Administration Console You cannot reset nvData through a Telnet connection Viewing nvData To verify that you have successfully saved nvData to the file that you specified view the header information for that file The he...

Page 56: ...n a dedicated server configuration with existing NTP and other SNTP clients and servers SNTP can operate in either unicast mode point to point multicast mode point to multipoint or anycast mode multipoint to point A unicast client Sends a request to a designated server at its unicast address and expects a reply within a specified time frame From the reply the unicast client can determine the time ...

Page 57: ...e systems supports one server at a time you can define up to three servers for backup Therefore when the client does not receive a response from the first server within a designated time it sends a request to the next server on the list Standards Protocols and Related Reading See the following references for more information on these protocols RFC 959 File Transfer Protocol Specification RFC 1350 ...

Page 58: ...58 CHAPTER 3 SYSTEM PARAMETERS ...

Page 59: ... the system Understanding the port numbering scheme enables you to Manage your bridge ports especially if you use trunking as described in Chapter 8 Accurately define your virtual LANs VLANs as described in Chapter 9 Numbering Rules Your system supports up to 24 ports numbered consecutively Port 1 represents the first port associated with a module in Slot 1 the top left slot on the system and cont...

Page 60: ...t have RJ 45 connectors Up to four 100BASE FX Ethernet modules each with 6 ports that have SC connectors Up to four 1000BASE SX or 1000BASE Gigabit Interface Converter GBIC Ethernet modules each with 1 port up to four Gigabit Ethernet ports per system The 1000BASE GBIC module requires CoreBuilder 3500 system software at release 1 2 0 or higher Each Gigabit Ethernet module uses a trunk resource so ...

Page 61: ...ate which physical system connectors can receive or transmit frames within a VLAN You must use the VLAN detail display to see trunk port groups FDDI DAS pairs By default FDDI ports are single attached station SAS M ports where each port is selectable as a bridge port If you configure FDDI ports as dual attach station DAS pairs you associate two FDDI ports with each DAS pair and only the lowest num...

Page 62: ...Fully Loaded System For a fully loaded system 4 occupied slots with Fast Ethernet ports the ports are numbered 1 through 24 starting top left to top right and then continuing bottom left to bottom right as shown in Figure 6 The figure shows the 10 100BASE TX module Figure 6 Port Numbering for a System with Four Fast Ethernet Modules RUN SY INS PS PS FA PWR INS ERR R N S TEMP SERVIC INS PCMCI MODEM...

Page 63: ...as shown in Figure 7 The figure shows the 10 100BASE TX module Figure 7 Port Numbering for a System with an Empty Slot RUN SYS INS PS1 PS2 FAN PWR INS ERR R N S TEMP SERVICE INS PCMCIA MODEM TERMINAL ETHERNET 10BT 1X L E T 2X L E T 3X L E T 4X L E T 5X L E T 6X L E T 1X L E T 2X L E T 3X L E T 4X L E T 5X L E T 6X L E T PWR ERROR 100 BASE TX 3C54321 100 BASE TX 3C54321 PWR INS ERR R 1X L E T 2X L ...

Page 64: ...for a System with a Gigabit Ethernet Module RUN SY INS PS PS FA PWR INS ERR R N S TEMP SERVIC INS PCMCI MODEM TERMINAL ETHERNET 10BT 1X L E T 2X L E T 3X L E T 4X L E T 5X L E T 6X L E T 1X L E T 2X L E T 3X L E T 4X L E T 5X L E T 6X L E T PWR ERROR 100 BASE TX 3C54321 100 BASE TX 3C54321 PWR INS ERR R 1X L E T 2X L E T 3X L E T 4X L E T 5X L E T 6X L E T 100 BASE TX 3C54321 PWR INS ERR Slot 1 Po...

Page 65: ...for the FDDI module shown in slot 1 the three configurable DAS pairs have ports 1 and 4 ports 2 and 5 and ports 3 and 6 When specifying bridge ports for example for VLANs you specify port 1 to represent the first DAS pair port 2 to represent the second DAS pair and port 3 to represent the third DAS pair For more information about FDDI configurations see Chapter 6 Figure 9 Port Numbering for a Syst...

Page 66: ...he renumbered ports now appear in the VLAN summary display Example If a VLAN contained ports 20 through 22 before you removed the module in slot 3 these ports show up as ports 14 through 16 in the VLAN summary after you remove the module If you have a VLAN that includes ports associated with the removed module those ports are removed from the VLAN and the VLAN summary display no longer shows those...

Page 67: ...ved the module in slot 3 the removal of that module causes the trunk to have two missing ports 17 and 18 See Figure 6 It now has renumbered ports 13 and 14 previously ports 19 and 20 If there are no remaining ports in the trunk after the module is removed the trunk summary display shows the trunk without any ports Example If you had a trunk with ports 13 through 16 before you removed the module in...

Page 68: ...empty slot the ports are added back into the VLAN Replacing Modules of Different Types More complicated changes occur when you swap six port modules and one port Gigabit Ethernet modules replace FDDI modules that have DAS port pairs because a DAS pair uses one bridge port to represent two physical ports or replace modules on which you have trunks defined because only the anchor port is used to def...

Page 69: ... module is included in the VLAN after the change Example If a VLAN is defined over a Gigabit Ethernet module in slot 1 and six ports in slot 2 that is the VLAN has ports 1 through 7 configured and you replace the Gigabit Ethernet module with an FDDI module with all SAS ports the VLAN contains ports 1 7 through 12 after the change If a VLAN has a DAS pair on an FDDI module and the stationMode for t...

Page 70: ... four trunks and you replace a module of a given type with a Gigabit Ethernet module the system cannot recognize the new Gigabit Ethernet module because this module type uses a trunk resource In this case you must remove one of your trunks before you add the Gigabit Ethernet module for example a trunk associated with the removed module If you replace a module that has a trunk spanning another modu...

Page 71: ...mentation Port Enable and Disable Port State Port Labels Autonegotiation Port Mode Flow Control PACE Interactive Access Standards Protocols and Related Reading You can manage Ethernet port features in either of these ways From the ethernet menu of the Administration Console See the Command Reference Guide From the Ethernet folder of the Web Management software See the Web Management User Guide ...

Page 72: ...alphanumeric port identifier Port mode Port speed 10 Mbps 100 Mbps or 1000 Mbps and duplex mode half duplex or full duplex Autonegotiation A feature that allows some ports to automatically identify and negotiate speed and duplex mode with a receiving device Flow control A Fast Ethernet and Gigabit Ethernet port mode that pauses and resumes transmissions PACE Interactive Access An algorithm that re...

Page 73: ...crease is accomplished using trunking technology also called link aggregation which works at Open Systems Interconnection OSI Layer 2 For more information about trunking see Chapter 8 Link Availability Ethernet technologies also allow you to design high levels of availability into your network through the use of trunking A trunk enhances network availability because its underlying TCMP technology ...

Page 74: ...allows some ports to identify and negotiate speed and duplex mode with a receiving device Flow control A Fast Ethernet and Gigabit Ethernet port mode that pauses and resumes transmissions Packet The basic unit of communications in Ethernet networks While packets can vary in size they have a consistent format Trunking A technology that combines multiple Fast Ethernet or Gigabit Ethernet ports into ...

Page 75: ...is feature avoids repetitive collisions and prevents an end station from capturing the link With conventional Ethernet a packet collision can cause the last station that transmitted successfully to monopolize Ethernet access and cause delays Network areas 3Com uses a three tiered framework to describe the functional areas in a LAN Wiring closet This area provides connections to user workstations I...

Page 76: ...s in error Figure 10 shows the order in which frame discard tests are made Figure 10 How Frame Processing Affects Ethernet Receive Frame Statistics rxFrames noRxBuffers rxInternalErrs lengthErrs alignmentErrs fcsErrs rxUcastFrames rxMcastFrames Packets received from the network Packets discarded because buffer space was exhausted Packets discarded because packet was in error Packets delivered by t...

Page 77: ...Figure 11 shows the order in which these discard tests are made Figure 11 How Frame Processing Affects Ethernet Transmit Frame Statistics txUcastFrames txMcastFrames txDiscards txQOverflows excessDeferrals excessCollision carrierSenseErr txInternalErrs txFrames Packets delivered to the port Packets discarded because port was disabled Packets discarded because transmit queue was full Packets succes...

Page 78: ...rconnect areas Downlinks from the data center to the campus interconnect area When multiple links are trunked it can be difficult to manage and troubleshoot individual port to port connections if a connectivity problem occurs This issue may not be of concern in a server farm room But if you use trunking extensively between wiring closets and data centers the large number of connections involved an...

Page 79: ... port transmits packets normally When a port is disabled the port neither sends nor receives packets The portState is off line for disabled ports and on line for enabled ports that are connected to a network cable Port Labels Port labels serve as useful reference points and as an accurate way for you to identify ports for management applications Labeling Ports Label Ethernet ports so that you can ...

Page 80: ...anually set the port speed and duplex mode Table 6 lists Ethernet port types on your system whether they support autonegotiation and which features they negotiate Table 6 Port Types and Autonegotiation Attributes Port Type Supports Autonegotiation Negotiable Attributes Default Values for Negotiable Attributes 10 100BASE TX Yes Port speed Duplex mode 10 Mbps Half duplex 100BASE FX No Not applicable...

Page 81: ...rt for handling flow control is On When you enable autonegotiation the system ignores your requested portMode information for 10 100BASE TX ports and your requested flowControl information for 1000BASE SX ports When you disable autonegotiation the system recognizes the requested portMode values for ports that have portMode options and the requested flowControl values for 1000BASE SX ports Use the ...

Page 82: ...come up If the duplex modes differ link errors occur Gigabit Ethernet ports do not support mode options The value all refers only to ports that support port mode options If you change to full duplex mode on the port a message indicates that collision detection will be disabled unless you configure the connected device to the same duplex mode Disable autonegotiation on any port on which you are set...

Page 83: ... to all of the ports The default setting for flow control is off The system does not count flow control packets in receive or transmit statistics Table 8 Flow Control Options Flow Control Option Description Available on Port Type on Port recognizes flow control packets and responds by pausing transmission The port can generate flow control packets as necessary to slow incoming traffic Gigabit Ethe...

Page 84: ...epeater is connected to a switch port Standards Protocols and Related Reading The system supports these Ethernet standards IEEE 802 3 10BASE T Ethernet over unshielded twisted pair UTP wiring IEEE 802 3u 100BASE T Fast Ethernet over UTP or fiber optic cable IEEE 802 3z 1000BASE SX Gigabit Ethernet over multimode fiber optic cable and 1000BASE LX Gigabit Ethernet over multimode or single mode fiber...

Page 85: ...Ethernet media options see the CoreBuilder 3500 Getting Started Guide Table 9 Ethernet Media Specifications Type Speed Media Connector Recommended Distance max 10 100BASE TX 10 100 Mbps Category 5 UTP RJ 45 100 m 100BASE FX 100 Mbps single mode fiber multimode fiber SC SC 20 km 412 m half duplex 2 km full duplex 1000BASE SX 1000 Mbps multimode fiber SC 220 m 62 5 micron 160 MHz km modal bandwidth ...

Page 86: ...86 CHAPTER 5 ETHERNET ...

Page 87: ...This chapter covers these topics FDDI Overview Key Concepts Key Guidelines for Implementation FDDI Stations FDDI Paths FDDI MACs FDDI Ports Station Mode DAS and SAS Sample FDDI Configurations You can manage FDDI in either of these ways From the fddi menu of the Administration Console See the Command Reference Guide From the FDDI folder of the Web Management software See the Web Management User Gui...

Page 88: ...pproach a combination of two independent counter rotating rings each running at a data rate of 100 Mbps Is the first LAN technology to provide an embedded network management capability Benefits FDDI offers numerous benefits many of which originate from the use of fiber optic cable instead of copper cable The FDDI standard specifies a data rate of 100 Mbps which allows more data to be sent over opt...

Page 89: ...ed in the network Media Access Control MAC Specifies access to the medium token passing addressing data checking frame generation and reception error detection and recovery and the bandwidth allocation among the stations Station Management SMT Specifies the FDDI station and ring configurations initialization and maintenance of station to station connections and the control required for the proper ...

Page 90: ...edetermined protocols The model divides these communication protocols into seven layers which are defined so that each layer only requires services from the layer below it Figure 12 FDDI Relationship to OSI Reference Model Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer LLC MAC PHY PMD SMT Logical Link Control IEEE 802 2 FDDI ...

Page 91: ...defined by the arrangement and interconnection of its nodes The FDDI physical topology is a ring of trees See Figure 13 Figure 13 Physical Topology Logical topology A network s logical topology is defined by the paths through which tokens and data flow in the network The FDDI logical topology is a dual ring See Figure 14 Figure 14 Logical Topology Nodes Ring of trees L3 L3 L3 L3 L3 L3 Secondary ri...

Page 92: ...s consist of branches of single attach stations SASs and DASs that are star wired off of the concentrators This kind of network is highly reliable provides a single fault tolerant ring offers fault isolation and allows centralized management See Figure 15 Figure 15 Ring of Trees FDDI trunk ring Duplex link CoreBuilder 3500 CoreBuilder 3500 CoreBuilder 3500 CoreBuilder 9000 CoreBuilder 9000 CoreBui...

Page 93: ... Each ring is a logical ring that is a separate data path with its own token Functionally the dual ring provides a high degree of reliability to a LAN When an FDDI network is in normal operation only the primary ring transmits and receives data The secondary ring may also carry data but it is typically used as a backup in case there is a connectivity problem in the primary ring or in one of the no...

Page 94: ...s refer to how a node station or concentrator is connected to an FDDI network They are classified as single attachment and dual attachment Concentrators can be classified as null attachment when the A and B ports are either not present or not used SAS Single Attachment Station A station or concentrator that has only one physical connection to an FDDI network The single attachment cannot accommodat...

Page 95: ...r abbreviations Figure 16 shows how these six node types may connect to an FDDI dual ring Table 10 Node Types and Abbreviations Node Type Abbreviation Single MAC Dual Attachment Station SM DAS Dual MAC Dual Attachment Station DM DAS Single Attachment Station SAS Dual Attachment Concentrator DAC Single Attachment Concentrator SAC Null Attachment Concentrator NAC ...

Page 96: ...NTERFACE FDDI Figure 16 Examples of FDDI Node Types SAS Duplex fiber cable FDDI dual ding M DAC A B M M A B S S SAS S DAC DAC SAC A port B port Master port Slave port A B M S SM DAS B M M A M M SAS S S SAS NAC DM DAS M M M A M B M M M B A ...

Page 97: ...tions Each FDDI station has one Station Management SMT entity to provide connection management ring management and operational management to the FDDI network SMT specifies a set of services and signaling mechanisms that are dedicated to FDDI network management It manages those services of each station on the FDDI network that are specific to the Physical Layer and the MAC portion of the Data Link ...

Page 98: ... to network management about an FDDI station The MIB uses an object oriented approach similar to that used in OSI management standards FDDI managed objects include SMT that is the SMT of the station MACs paths and ports Each of these objects has a collection of attributes such as statistics error counters configuration information event notifications and actions You can access a station s MIB loca...

Page 99: ...er ring or to both rings simultaneously Data flows downstream on the primary ring in one direction from one station to its neighboring station The secondary ring serves as a redundant path and flows in the opposite direction When a link or station failure occurs the ring wraps around the location of the failure creating a single logical ring Paths represent the segments of a logical ring that pass...

Page 100: ...stream station uses Stations that are not transmitting only repeat the incoming symbol stream When repeating the station determines whether the information was destined for it by comparing the destination address to its own address If it sees a match the MAC processes subsequent received symbols or sends them to the Logical Link Control LLC in the data link layer for translation Ports As parts of ...

Page 101: ... the outgoing fiber of the primary ring M port Used by a concentrator station to provide connections within a concentrator tree Also referred to as Master port S port Used by a single attachment station to provide attachment to an M port within a concentrator tree Also referred to as Slave port Key Guidelines for Implementation Consider the following guidelines when you configure and implement FDD...

Page 102: ...tring that represents the connection policies that are in effect on a station A connection s type is defined by the types of the two ports involved A B M or S in the connection You can set the corresponding bit for each of the connection types that you want a particular station to reject The system s FDDI ports can be of type A or type B By default all connections to the systems FDDI ports are val...

Page 103: ...trunk ring peer connection B B 5 Undesirable peer connection that creates twisted primary and secondary rings notify SMT B S 6 Undesirable peer connection that creates a wrapped ring notify SMT B M 7 Tree connection with possible redundancy The node may not go to Thru state in CFM In a single MAC node Port B has precedence with defaults for connecting to a Port M S A 8 Undesirable peer connection ...

Page 104: ...nd Disabling Status Reporting The statusReporting attribute controls whether a station generates Status Report Frames SRFs to report events and conditions to network management stations By default status reporting is enabled If you do not have an SMT management station that listens to these event reports or if you use SNMP to monitor FDDI events on all FDDI end stations you can set this attribute ...

Page 105: ...s the minimum time value of fddiMAC T Max that any MAC that is configured on this path uses This value specifies the boundary for how high T Req the requested token rotation time can be set Setting maxT Req The maxT Req attribute specifies the maximum time value of fddiMACT Req that any MAC that is configured onto this path uses T Req is the value that a MAC bids during the claim process to determ...

Page 106: ...set the percentage the more likely it is for SMT to report a problem Effects and Consequences When you set the frame error threshold consider the following A high error rate often indicates a faulty station on the FDDI ring or a dirty FDDI connector Setting the Not Copied Threshold The NotCopiedThreshold attribute determines when the system generates a MAC condition report because too many frames ...

Page 107: ...llowing port parameters lerAlarm lerCutoff port labels Setting lerAlarm The lerAlarm attribute is the link error rate LER value at which a link connection generates an alarm If the LER value is greater than the alarm setting then SMT sends a Status Report Frame SRF to the network manager software indicating a problem with a port Effects and Consequences When you set the lerAlarm attribute consider...

Page 108: ...k has an LER exponent between 1 x 10 10 and 1 x 10 15 Set the lerCutoff below these values so that a port is only removed only as a last resort The SMT Standard recommended value is 7 The lerCutoff value must be lower than the lerAlarm value so that the network manager software is alerted to a problem before the PHY port is actually removed from the network Setting Port Labels Port labels serve as...

Page 109: ...able Effect and Consequence When you set the station mode consider the following When you modify the station mode any FDDI ports that are associated with a VLAN or a trunk are removed from the VLAN or trunk Sample FDDI Configurations You can install your system into many possible FDDI configurations Figure 18 shows systems attached to an FDDI dual ring The connection to the dual ring is made by th...

Page 110: ...B A B B A A B A B B A B A B A B A SAS server SAS server FDDI link DAS server CoreBuilder 3500 system FDDI dual ring Duplex fiber cable CoreBuilder 3500 system DAS CoreBuilder 6000 or 2500 system DAS CoreBuilder 5000 system DAS CoreBuilder 3500 system CoreBuilder 3500 system NETBuilder II router ...

Page 111: ...b site http www ietf org Standards Organizations Standards organizations ensure interoperability create reports and recommend solutions for communications technology The most important standards groups are International Telecommunications Union ITU Electronic Industry Association EIA American National Standards Institute ANSI International Standards Organization ISO Institute of Electrical and Ele...

Page 112: ...112 CHAPTER 6 FIBER DISTRIBUTED DATA INTERFACE FDDI ...

Page 113: ...uidelines for Implementation STP Bridge and Port Parameters Frame Processing MAC Address Table IP Fragmentation IPX SNAP Translation Broadcast and Multicast Limit for Bridge Ports GARP VLAN Registration Protocol GVRP Standards Protocols and Related Reading You can manage most bridge wide and bridge port commands in either of these ways From the bridge menu of the Administration Console See the Com...

Page 114: ...re outlined in the IEEE 802 1D Media Access Control MAC Bridges base standard A compliant bridge must at minimum Learn source addresses from packets that stations on attached LANs transmitted Age addresses of stations on attached LANs that have not transmitted a packet for a prolonged period Store and forward packets from one LAN to another Use the Spanning Tree Protocol STP for loop detection Ben...

Page 115: ...gmentation When Fiber Distributed Data Interface FDDI stations transmit IP packets that are too large for standard Ethernet to handle IP fragmentation allows your system to reformat large packets into smaller sizes that can be bridged to Ethernet networks IPX SNAP translation IPX SNAP translation allows any 802 3_RAW IPX packets that are forwarded from Ethernet to FDDI to be translated to FDDI_SNA...

Page 116: ...figured addresses called static addresses The system can store up to 32 K addresses in its address table Aging Addresses A dynamic address remains in the bridge s address table as long as the station to which it relates regularly transmits packets through the bridge If the station does not transmit within a specified period of time the dynamic address is aged out deleted from the address table Add...

Page 117: ...cause the bridge receives the same packet from multiple ports within a short period of time a loop can cause a bridge to continually question where the source of a given packet is located As a result the bridge forwards and multiplies the same packet continually which clogs up the LAN bandwidth and eventually affects the bridge s processing capability A backup or redundant path remains a valuable ...

Page 118: ...TERS For more detailed information about Spanning Tree see How the Spanning Tree Protocol Works later in this chapter Figure 19 STP Blocks Redundant Links Transmitting station Bridge C Bridge B LAN 1 LAN 2 Bridge A BLOCKED BLOCKED L2 3 L2 3 L2 3 L2 3 ...

Page 119: ...hy or a calling order among themselves for the purposes of creating a loopless network Based on the information in the CBPDUs the bridges elect a root bridge which is at the top level of the hierarchy The bridges then choose the best path on which to transmit information to the root bridge The bridges that are chosen as the best path called designated bridges form the second level of the hierarchy...

Page 120: ...the root bridge The designated bridge forwards packets between that LAN and the path to the root bridge For this reason the root bridge is always the designated bridge for its attached LANs The port through which the designated bridge is attached to the LAN is elected the designated port Bridges choose a root port that gives the best path from themselves to the root bridge Bridges select ports to ...

Page 121: ...network with its STP elements Figure 21 STP Root and Designated Bridges and Ports R LAN 1 LAN 2 Root bridge D D R Root port D Designated port B Backup port LAN 3 Bridge LAN 4 R B Bridge D D Designated bridge for LANs 1 2 and 4 Designated bridge for LAN 3 L2 3 L2 3 L2 3 ...

Page 122: ... calculation only if the root IDs transmitting bridge IDs and costs when compared are equal In other words the port identifier is a tiebreaker in which the lowest port identifier takes priority This identifier is used primarily for selecting the preferred port when two ports of a bridge are attached to the same LAN or when two routes are available from the bridge to the root bridge Comparing CBPDU...

Page 123: ...Its own bridge ID as the root ID for example 85 Zero 0 as the cost because for the moment it is the root bridge Its own bridge ID as the transmitting ID for example 85 Thus its CBPDU looks like this 85 0 85 2 The bridge receives CBPDUs on each of its ports from all other bridges and saves the best CBPDU from each port The bridge determines the best CBPDU by comparing the information in each messag...

Page 124: ...e is better than the ones received on any of its ports then the bridge assumes that it is the designated bridge for the attached LANs If the bridge receives a better CBPDU on a port than the message it would transmit it no longer transmits CBPDUs on that LAN When the algorithm stabilizes only the designated bridge transmits CBPDUs on that LAN How Multiple Bridges Interpret CBPDUs The previous sect...

Page 125: ...2 Starting the Spanning Tree Calculation LAN 5 Bridge A Bridge B Bridge C Bridge D Bridge E Bridge F LAN 1 LAN 2 LAN 3 LAN 6 LAN 4 12 0 12 10 0 10 20 0 20 81 0 81 29 0 29 35 0 35 XX X XX CBPDU root ID cost transmitter ID L2 3 L2 3 L2 3 L2 3 L2 3 L2 3 ...

Page 126: ...AN 5 Bridge A Bridge B Bridge C Bridge D Bridge E Bridge F LAN 1 LAN 2 LAN 3 LAN 6 LAN 4 10 11 12 10 0 10 10 11 20 10 12 81 10 11 29 10 11 35 Root bridge R B D R B R D R D D D D R B CBPDU root ID cost transmitter ID XX X XX R Root port D Designated port B Backup port B L2 3 L2 3 L2 3 L2 3 L2 3 L2 3 ...

Page 127: ...he cost depends on The port path cost The root path cost of the designated bridge for the LAN to which this port is attached If the bridge has more than one port attachment the port with the lowest cost becomes the root port and the other ports become either designated or backup ports If bridges have redundant links to the same LAN then the port with the lowest port identifier becomes the root por...

Page 128: ...ost of 12 is eliminated as the designated bridge The transmitting bridge ID is compared between Bridge C and Bridge D Because Bridge C s ID 20 is smaller than Bridge D s 29 Bridge C becomes the designated bridge for LAN 3 The designated bridge for LAN 6 is either Bridge D or Bridge E Because Bridge D s transmitting bridge ID 29 is lower than Bridge E s 35 Bridge D becomes the designated bridge for...

Page 129: ...cking state Learning The learning state is similar to the listening state except that data packets are received on that port for the purpose of learning which stations are attached to that port After spending the specified time in this state without receiving information to change the port back to the blocking state the bridge changes the port to the forwarding state The time that the port spends ...

Page 130: ...tening state forward delay must expire before the port can transition to the learning state Then another forward delay period must expire listening state before the port can transition to the forwarding state If you disable a port in the listening learning or forwarding state or if port initialization fails then that port becomes disabled Disabled Blocking Listening Learning Forwarding Port enable...

Page 131: ... the root bridge The root bridge then sets the Topology Change Flag in its CBPDU so that the information is broadcast to all bridges It transmits this CBPDU for a fixed amount of time to ensure that all bridges are informed of the topology change If a port changes from the blocking state to the forwarding state as a result of the topology change STP sends the topology information to all the ports ...

Page 132: ...ut port numbering When you are prompted to select ports specify the option to see a matrix of information about your bridge ports including a Selection column a Port column and a Label column Without trunking the Selection and Port columns contain the same port numbers which indicates that you can select each port With trunking the Selection column indicates that you can select the anchor port low...

Page 133: ...as the VLAN mode and you want to administer bridge port address options you must specify the correct VLAN interface index because each VLAN in allClosed mode has a unique address table The system includes an ignore STP mode option that affects VLAN configurations See Chapter 9 for more information or see the Command Reference Guide GVRP is useful only when there are other switches or NICs in the n...

Page 134: ...value Bridge maximum age The bridge maximum age determines when the stored configuration message information is judged to be too old and is discarded from the bridge s memory If the value is too small then STP may reconfigure the topology too often causing temporary loss of connectivity in the network If the value is too large the network may take longer than necessary to adjust to a new STP confi...

Page 135: ... forward delay is only used if the system is selected as the root bridge Otherwise the system uses the value that is assigned to it by the root bridge STP group address The STP group address is a single address to which a bridge listens when it receives STP information Each bridge on the network sends STP packets to the group address Every bridge on the network receives STP packets that were sent ...

Page 136: ...hrough this port You can set this value individually on each port The range is 1 through 65535 A higher path cost value makes the LAN that is reached through the port more likely to be low in the Spanning Tree topology The lower the LAN is in the topology the less through traffic it carries For this reason assign a high path cost to a LAN that has a lower bandwidth or to one on which you want to m...

Page 137: ...nterface does not deliver frames with errors to the bridge port Thus the rxFrames fields in the Ethernet statistics display and bridge statistics display often report different values that is the latter value is lower because it does not count frames in error A user defined packet filter indicated not to receive the frame A frame that is forwarded from a physical interface to a bridge port is then...

Page 138: ... packet flooding beyond acceptable levels Address Threshold The address threshold is the value at which the system reports the total number of addresses that are known Specifically when this threshold is reached the system generates the SNMP trap addressThresholdEvent The range of values that you can enter for this parameter is between 1 and 1 plus the maximum address table size 32 K Setting the a...

Page 139: ...s than standard Ethernet FDDI stations that transmit IP packet sizes larger than approximately 1500 bytes wish cannot communicate with stations on an Ethernet LAN If the system receives such packets and they are destined for one or more Ethernet LANs it filters them except when IP fragmentation is enabled When you enable IP fragmentation the system breaks up large FDDI packets into smaller packets...

Page 140: ...e is no limit set on the port The system default is zero on all ports You specify the limit in K frames per second approximately 1000 frames per second To determine an appropriate limit measure the normal amount of broadcast or multicast traffic on your network If you have IP multicast application traffic on your network be sure that any limits that you configure do not constrain these traffic flo...

Page 141: ...ges to an STP state other than forwarding no longer participates in GVRP For more information about GVRP and VLANs see Chapter 9 Important Considerations To use GVRP consider the following GVRP updates are not sent out to any blocked STP ports GVRP operates only on ports that are in the STP forwarding state GVRP is disabled by default on the bridge and on all bridge ports Enabling GVRP determines ...

Page 142: ... saved in nonvolatile RAM GVRP s dynamic updates are not When GVRP is disabled the system deletes all VLAN interfaces that were learned through GVRP and leaves unchanged all VLANs that were configured through the Administration Console or through the Web management software Standards Protocols and Related Reading For more information about bridging STP and GVRP consult the following standards IEEE...

Page 143: ...Trunking Overview Key Concepts Key Guidelines for Implementation Defining Trunks Modifying Trunks Removing Trunks Standards Protocols and Related Reading You can manage trunking in either of these ways From the bridge trunk menu of the Administration Console See the Command Reference Guide From the Define Wizard in the Bridge Trunk folder of the Web Management software See the Web Management User ...

Page 144: ...ics associated with the trunk Modify You modify a trunk s characteristics or add or remove a port from the trunk Remove You remove a trunk definition from the system Benefits Trunking can help you meet your network capacity and availability needs With trunks you can cost effectively increase the bandwidth between switches or between servers and switches as your network requires With trunking you c...

Page 145: ... system logically groups the physical ports that you specify into a single bridge port identified by a single bridge port number in bridge statistics For example Figure 26 shows that Ethernet ports 2 3 and 4 are represented by bridge port 2 after trunking The lowest numbered port in the trunk called the anchor port represents the entire trunk After trunking you can select bridge port 2 when you sp...

Page 146: ...cify its anchor port as the bridge port The VLAN that you create then includes all of the physical ports in the trunk Trunk Control Message Protocol TCMP The Trunk Control Message Protocol TCMP performs the following functions Detects and corrects trunks that violate trunk configuration rules Ensures orderly activation and deactivation of trunk ports The system runs a separate TCMP agent for each ...

Page 147: ...s in a trunk must be parallel and must connect Correctly configured ports Identical types of ports with no two ports on a trunk connected to the same network Identical types of network nodes switches or servers You cannot mix FDDI Fast Ethernet and Gigabit Ethernet links in a trunk All links to be trunked must be homogeneous When multiple links are trunked it can be difficult to manage and trouble...

Page 148: ...mited to the speed of just one of the port to port links within the trunk For example the maximum burst rate over a 400 Mbps pipeline with four trunked Fast Ethernet links is 100 Mbps This limitation preserves frame ordering between devices usually by moving all traffic between two specific MAC addresses across only one port to port link Therefore trunking provides no direct benefit for some one w...

Page 149: ...tive strategy If you cannot upgrade to Gigabit Ethernet then trunking Fast Ethernet in switch to switch or switch to server links can help you fine tune or expand network capacity After Gigabit Ethernet is in place you can use trunking to further expand switch to switch or server to switch links Table 14 Comparing Gigabit Ethernet with Trunked Fast Ethernet Comparison Point Gigabit Ethernet Trunke...

Page 150: ...te be enabled But devices can operate without TCMP When TCMP is not in effect on a point to point link its configuration validation is simply absent If your system has more than one media type for example FDDI Fast Ethernet and Gigabit Ethernet you are prompted for a media type before you are prompted for the trunk information Trunk names become the port labels when you display information on the ...

Page 151: ...of a VLAN those ports are removed from the VLAN You must modify the VLAN and add the new bridge port to the appropriate VLAN This situation does not apply to the default VLAN all ports are part of the default VLAN including the trunk s anchor port If you upgrade from Version 1 1 and exceed four trunk channels the Gigabit Ethernet port is not initialized and an error message is posted to the system...

Page 152: ...he pair are members of a trunk If you have more than one media type on your system for example Fast Ethernet and Gigabit Ethernet you are prompted for a media type before you are prompted for the trunk information Any changes that you make to the trunk s characteristics take effect immediately and do not interrupt trunk operations If you add or remove a port however you must reboot the system to i...

Page 153: ...ant Considerations If you remove a Gigabit Ethernet module that has trunks defined NVRAM is not cleaned up but the trunk ports are available for use by a replacement module of the same type Because each Gigabit Ethernet module uses an internal trunk resource towards the system limit of four keep in mind how many trunk resources may be used when you remove a trunk For example if your system has a t...

Page 154: ...er unshielded twisted pair UTP IEEE 802 3u 100BASE T Fast Ethernet over UTP or fiber IEEE 802 3z 1000BASE SX Gigabit Ethernet over multimode fiber and 1000BASE LX Gigabit Ethernet over multimode or singlemode fiber 3Com trunking technology interoperates with similar technology from other vendors including Sun Microsystems and Cisco Systems ...

Page 155: ...Ignore STP Mode Port based VLANs The Default VLAN Static Port based VLANs Dynamic Port based VLANs Using GVRP Protocol based VLANs Network based IP VLANs Rules of VLAN Operation Modifying and Removing VLANs Monitoring VLAN Statistics You can manage VLANs in either of these ways From the bridge vlan menu of the Administration Console See the Command Reference Guide From the Bridge VLAN folder of th...

Page 156: ...bridge ports in the VLAN that is associated with the frame except the port on which it was received This process is referred to as bridge flooding As networks grow and the amount and types of traffic increase bridge flooding may create unnecessary traffic problems that can clog the LAN To help control the flow of traffic through a switch and meet the demands of growing networks vendors have respon...

Page 157: ...Ns can be used to isolate unicast traffic to a single broadcast domain thereby providing a form of network security Benefits You can use VLANs to Reduce the cost of equipment moves upgrades and other changes and simplify network administration Create virtual workgroups in which members of the same department or section appear to share the same LAN with most of the network traffic staying in the sa...

Page 158: ...Default VLAN later in this chapter for more information The system also supports both static and dynamic port based VLAN configuration if you choose to set it up that way See Static Port based VLANs and Dynamic Port based VLANs Using GVRP later in this chapter for more information Protocol based VLAN Determines VLAN membership using a group of ports that share one or more protocol types In additio...

Page 159: ...chitecture to logically partition bridged LANs and provide services to defined user groups independent of physical location Allowing interoperability among multivendor equipment IEEE 802 1Q defines the bridging rules for VLANs that is ingress and egress rules as defined in Key Concepts and described in detail in Rules of VLAN Operation later in this chapter The standard also specifies a tag format...

Page 160: ... type Be aware of these additional guidelines The default VLAN always uses the reserved VID of 1 Before you assign a VID review the information in Table 15 If you rely on dynamic configuration to create a port based VLAN based on GVRP updates the VID is the unique IEEE 802 1Q VID When you define a router port IP interface the system automatically creates a router port IP VLAN and assigns it the ne...

Page 161: ...terface you must place the system in allClosed mode This removes any allOpen VLANs and re creates the default VLAN See Chapter 11 for more information on defining router port IP interfaces VLAN mode A system wide mode that determines whether data with a unicast MAC address can be forwarded between configured VLANs allOpen In allClosed mode each VLAN has its own address table and data cannot be for...

Page 162: ...unk when you define the VLAN interface All bridge ports are initially part of the default VLAN VLAN name The name that you assign to the VLAN It can contain up to 32 ASCII characters If the name includes spaces enclose the name in quotation marks The default VLAN uses the name Default Dynamic VLAN configuration Using the GARP VLAN Registration Protocol GVRP this configuration enables dynamic VLAN ...

Page 163: ...s 2 Define an IP VLAN or a VLAN that supports IP as one of its protocols 3 Define multiple IP interfaces with different IP addresses to use that IP VLAN You can define up to 32 IP interfaces on the system including IP routing interfaces for static VLANs router port IP VLANs or any combination of static VLANs and router port IP VLANs If you define multiple interfaces for an IP VLAN you cannot subse...

Page 164: ...N and any other VLANs and enables the router port to ignore Spanning Tree states on the port Once you define the router port IP interface and change the VLAN mode to allClosed the following events occur The system deletes all other VLANs and redefines the default VLAN You must redefine any VLANs that you had configured keeping in mind that unicast traffic will no longer be forwarded between VLANs ...

Page 165: ...Number of Protocol Suites To perform the calculation first determine the total number of protocol suites used on your system Use the following guidelines IP counts as one protocol suite for IP VLANs AppleTalk counts as one protocol suite for AppleTalk VLANs Generic IPX which uses all four IPX types counts as four protocol suites Each IPX type alone counts as one DECnet counts as one protocol suite...

Page 166: ...ed AppleTalk IPX 802 2 Sub Network Access Protocol SNAP and IPX 802 3 Raw 125 5 3 22 In this configuration the system supports a minimum of 22 VLANs Per Table 19 these 5 protocol suites use 7 protocols 3 IP 1 unspecified 2 AppleTalk 1 IPX 802 2 SNAP and 0 IPX 802 3 Raw because it does not use an Ethernet protocol type If you are upgrading your system from Release 1 2 and the VLAN resource limit is...

Page 167: ... or dynamic updates of port based VLANs verify that GVRP is enabled as both a bridge wide and a bridge port parameter See Chapter 9 for information about bridging parameters See Dynamic Port based VLANs Using GVRP for information about GVRP You can configure overlapping VLANs if they have some distinguishing characteristic For example a bridge port can be shared by multiple VLANs as long as the sh...

Page 168: ...interface If you plan to use trunks define the appropriate trunks before you define your VLANs If you define a VLAN with certain ports and subsequently configure some of those ports to be part of a trunk the system removes those ports from the VLAN and places them in the default VLAN See Trunking and the Default VLAN for more information When you define a VLAN that includes trunk ports you must sp...

Page 169: ...you define a router port IP interface and the system creates the router port VLAN you cannot change the VLAN mode until you delete the router port IP interface Select the VLAN mode as follows allOpen Use this less restrictive mode if you have no security issues about the forwarding of data between VLANs The allOpen mode is the default VLAN mode for all VLANs that you create It permits data with a ...

Page 170: ...N interface index to identify the appropriate bridge address table If you select allOpen mode the default the entire system has only one address table so you can manipulate the bridge port addresses without specifying a VLAN interface index Modifying the VLAN Mode To change your VLAN mode perform these procedures 1 Delete all routing interfaces including router port IP interfaces that you have con...

Page 171: ...ocol based For nonoverlapped protocol based VLANs Either the protocol type or the member ports are unique per VLAN For overlapped protocol based VLANs multiple VLANs of the same protocol type that share ports IEEE 802 1Q tagging for shared ports That is the shared ports can employ a tagging mode of none in only one of the same protocol type VLANs shared ports in all other VLANs of the same protoco...

Page 172: ... is in allClosed mode Ignore STP mode is useful when you have redundant router connections between systems that have STP enabled In this situation if you want to create multiple VLANs and use one VLAN for routing you can configure your system to ignore the STP blocking mode for that VLAN This setting avoids disruptions to routing connectivity based on the STP state To disable STP blocking on a per...

Page 173: ...erver associated with IP VLAN D STP blocks the routed as well as bridged traffic for the one path unless you enable Ignore STP Mode for the routed IP VLANs With the blocking removed for IP routed traffic the best path is used Figure 27 Using Ignore STP Mode L2 3 L2 3 L2 3 IP VLAN E IP VLAN C IP VLAN B Ignore STP Mode Enabled for ports IP VLAN A IP VLAN D ...

Page 174: ...er all bridge ports become VLAN aware after a software update or after an NV data reset and do not have to be explicitly tagged in order to forward tagged frames This difference in resource usage and modes of tagging has the following impact After you upgrade the system from 1 2 to 3 0 the release uses VLAN resources differently than it did at Release 1 2 and may cause a change in the total number...

Page 175: ...Ns logically group together one or more bridge ports on the system and use the generic protocol type unspecified Each arbitrary collection of bridge ports is designated as a VLAN interface This VLAN interface belongs to a given VLAN Flooding of all frames that are received on bridge ports in a VLAN interface is constrained to that VLAN interface Your system supports the following types of port bas...

Page 176: ...y the system also renumbers its ports when you add the module If necessary you can modify or remove the default VLAN on the system For example you may want to modify the default VLAN to remove certain ports Such a change does not prevent the system from adding a new module s bridge ports to the default VLAN However the following changes do prevent the system from adding a new module s bridge ports...

Page 177: ...trunk for ports in one of the other VLANs the system removes those ports from that other VLAN and places them in the default VLAN The same action occurs when you remove an existing trunk from a VLAN that you created after the trunk For example If you have the default VLAN as well as other VLANs and you subsequently modify an existing trunk that has ports in one of the VLANs any port removed from t...

Page 178: ...VRP to dynamically create port based VLAN interfaces Important Considerations When you create this type of VLAN interface review these guidelines When you select the bridge ports that you want to be part of the VLAN the bridge ports that you specify as part of the VLAN are the same as your physical ports unless you have created trunks or unless you have DAS ports defined on an FDDI module If you d...

Page 179: ...2 1Q tagging for the other VLAN or IEEE 802 1Q tagging for each VLAN Port based VLANs use the protocol type unspecified To define a port based VLAN interface specify this information A VID in the range 2 through 4094 or accept the next available VID The bridge ports that are part of the VLAN If you have trunk ports specify the anchor port for the trunk For FDDI DAS ports specify the lowest numbere...

Page 180: ... address table therefore the frame is forwarded to the port that corresponds to the known destination address However if the transmit port is not a member port of unspecA the frame is transmitted untagged regardless of that port s tag status on unspecB In Figure 28 if STP is enabled STP blocks one of the paths unless you enable Ignore STP mode See Ignore STP Mode earlier in this chapter for more i...

Page 181: ...t based VLANs with Overlapped Ports Table 17 Port based VLAN Definitions Without Overlapped Ports for Device 1 unspecA unspecB VLAN Index 2 VLAN Index 3 VID 10 VID 15 Bridge ports 1 4 Bridge ports 5 8 Protocol type unspecified Protocol type unspecified Per port tagging Ports 1 4 none Per port tagging Ports 5 8 none VLAN name unspecA VLAN name unspecB L2 3 L2 3 Ports 1 4 VID 20 unspecA Device 1 Dev...

Page 182: ...elp you simplify the management of VLAN configurations in your larger networks GVRP allows the system to Dynamically create a port based VLAN unspecified protocol with a specific VID and a specific port based on updates from GVRP enabled devices Learn on a port by port basis about GVRP updates to an existing port based VLAN with that VID and IEEE 802 1Q tagging Send dynamic GVRP updates about its ...

Page 183: ...iguration enable GVRP as an entire bridge state and then as an individual bridge port state for the appropriate ports See Chapter 7 By default GVRP is disabled as both a bridge state and a bridge port state If GVRP is enabled the VLAN origin for a port based VLAN is dynamic with GVRP When GVRP is disabled the VLAN origin is either static traditional static VLAN without GVRP or router router port I...

Page 184: ...to classify and analyze packets by VLAN protocols you manually configure protocol based VLANs But if the system needs to know only how to reach a given VLAN then GVRP provides all necessary information A GVRP created VLAN is useful in situations where only Layer 2 switching needs to be performed for that VLAN Routing between a GVRP created VLAN and another VLAN can be performed with an external ro...

Page 185: ...with the VID sent from one end station is propagated throughout the network Figure 30 Sample Configuration Using GVRP LAN 1 R R D LAN 2 R D D Station sending update with VID D Declaration of Attribute R Registration of Attribute D R D R D R R R D R D L2 3 L2 3 L2 3 L2 3 ...

Page 186: ...e specify this information The VID of your choice except 1 or any VID already assigned or accept the next available VID The bridge ports that are part of the VLAN interface If you have trunk ports specify the anchor port for the trunk The protocol for the specified ports in the VLAN Tag status none or IEEEE 802 1Q IEEE 802 1Q tagging must be selected for ports that overlap on both port and protoco...

Page 187: ...types IPX type II Ethernet Version 2 IPX 802 2 LLC DSAP SSAP value 0xE0 hex IPX 802 3 Raw DSAP SSAP value 0xFF hex IPX 802 2 SNAP DSAP SSAP value 0xAA hex 4 1 1 1 1 4 1 0 0 1 This protocol does not use an Ethernet protocol type AppleTalk DDP AARP Ethernet Version 2 SNAP PID 1 2 Xerox XNS XNS IDP XNS Address Translation XNS Compatibility Ethernet Version 2 SNAP PID 1 3 DECnet DEC MOP DEC MOP Remote...

Page 188: ...protocols For example the DECnet protocol suite uses 5 of the available 15 protocols regardless of the number of VLANs that use DECnet Example Protocol based VLANs for Bridging Figure 31 is an example of a VLAN bridging configuration that contains three protocol based VLANs two IP and one IPX that overlap on an FDDI link port 1 in each VLAN You can configure the link to be part of a trunk as descr...

Page 189: ...ssociated with the VLAN You can also opt to use a routing versus bridging model by defining a router port IP interface as defined in Chapter 11 Because the system supports router port IP interfaces as well as IP router interfaces for static VLANs you must specify the interface type vlan when you define an IP interface for a static VLAN Table 20 Sample Protocol based VLAN Definitions IP 1 VLAN IP 2...

Page 190: ...guring an IP routing interface the subnet portion of both addresses must be compatible For example IP VLAN subnet 157 103 54 0 with subnet mask of 255 255 255 0 IP host interface address 157 103 54 254 with subnet mask of 255 255 255 0 Layer 2 bridging communication is still possible within an IP VLAN or router interface for the group of ports within that IP VLAN For allClosed VLANs IP data destin...

Page 191: ...1 Device 1 IP VLAN2 Devices 1 and 2 IP VLAN3 Device 2 VLAN Index 2 VLAN Index 3 VLAN Index 4 VID 7 VID 8 VID 9 Bridge port 6 Bridge port 13 on device 1 Bridge port 1 on device 2 Bridge port 8 Protocol type IP Protocol type IP Protocol type IP No Layer 3 address No Layer 3 address No Layer 3 address Per port tagging Port 6 none Per port tagging Ports 1 and 13 none Per port tagging Port 8 none VLAN ...

Page 192: ...n allClosed mode overlapped network based IP VLANs must be IEEE 802 1Q tagged which means that the system does not use the Layer 3 information Important Considerations When you create a network based VLAN interface review these guidelines You can either configure network based IP VLANs IP VLANs with unique Layer 3 IP addresses or you can define a single protocol based VLAN with the protocol type I...

Page 193: ...ging for any overlapped ports Therefore this feature has no added benefit When IEEE 802 1Q tagging is implemented implicit VLAN membership information such as the protocol or Layer 3 IP network address is not used the frame is assigned to the VLAN based solely on the tag VID and the receive port In allOpen mode you are not required to supply the IEEE 802 1Q tagging To ensure line speed throughput ...

Page 194: ...chor port for a trunk that uses ports 7 and 8 Bridge ports 6 7 7 is anchor port for a trunk that uses ports 7 and 8 Protocol type IP Protocol type IP 158 101 112 0 Layer 3 address 255 255 255 0 mask 158 101 113 0 Layer 3 address 255 255 255 0 mask Per port tagging Port 6 IEEE 802 1Q Anchor port 7 IEEE 802 1Q Per port tagging Port 6 IEEE 802 1Q Anchor port 7 IEEE 802 1Q VLAN name IPVLAN2 VLAN name ...

Page 195: ...s These rules determine the VLAN to which an incoming frame belongs The frame is assigned to the VLAN that has the most specific match The system uses this protocol match hierarchy to find the most specific match 1 IEEE 802 1Q tag VID value if the frame is tagged 2 A specific protocol match for example IP IPX or AppleTalk 3 Either the default VLAN an untagged unspecified protocol type VLAN with al...

Page 196: ...e s protocol type Receive port is in aVLAN that matches both the frame s VID and protocol type Frame tagged Yes Frame tagged with a VID No No VLAN mode is all Open Assign frame to null VLAN Assign frame to matched VLAN Assign frame to null VLAN Yes A VLAN is defined that matches both the frame s VID and protocol type Assign frame to matched VLAN Yes Yes Yes No No No To Egress rules Frame has been ...

Page 197: ...ID of the frame matches that of a VLAN and The protocol type of the frame matches that of the same VLAN The frame is assigned to the null VLAN It can still be forwarded untagged if the destination address of the frame is associated with another port in the bridge address table allClosed The tagged frame is assigned to one of the configured VLANs if The receive port is in a VLAN with a VID that mat...

Page 198: ...an unknown multicast or broadcast destination address is received then it is flooded that is forwarded to all ports on the VLAN that is associated with the frame except the port on which it was received Those frames assigned to the null VLAN are not flooded to any ports because no ports are associated with the null VLAN See Examples of Flooding and Forwarding Decisions later in this chapter If the...

Page 199: ...frame is to be transmitted If that port is tagged for the VLAN associated with the frame transmit the frame as a tagged frame If that port is not tagged for the VLAN that is associated with the frame transmit the frame as an untagged frame If the transmit port is not a member of the assigned VLAN the frame is transmitted untagged For VLANs in allOpen mode this result may occur in either of these s...

Page 200: ... this example ports and frames are untagged and the destination address is unknown multicast or broadcast Table 24 Protocol based VLANs and Flooding Decisions Index VID VLAN Name Ports 1 1 Default 1 12 2 2 IP1 1 8 3 3 IPX1 9 11 Untagged data received on this port Is flooded on this VLAN Because IP port 1 IP1 VID 2 IP data received matches IP1 on the source receive port IPX port 11 IPX1 VID 3 IPX d...

Page 201: ...m but not on the receive port This case is called VLAN exception flooding Table 25 shows how the VLAN exception flooding decision is made assuming a 12 port configuration Table 25 VLAN Exception Flooding Index VID VLAN Name Ports 1 1 Default 1 12 2 2 IP1 1 8 Untagged data received on this port Is flooded on this VLAN Because XNS port 1 Default VID 1 XNS data on port 1 matches the unspecified proto...

Page 202: ...x0800 ARP 0x0806 RARP 0x8035 The frames associated with these protocols have different ingress rules for assignment to the appropriate network based VLAN IP frames These frames are assigned to the network based IP VLAN if the IP source address is consistent with the VLAN subnetwork and the IP destination address is one of the following 0 0 0 0 255 255 255 255 A Class D multicast address Otherwise ...

Page 203: ...ooding Decisions Index VID VLAN Name Ports IP Subnet 2 2 IP_100 1 untagged 2 6 tagged 158 101 100 0 mask 255 255 255 0 Frame received on Port 1 Action IP Frame Protocol 0x0800 IP destination address DA 158 101 103 1 MAC DA is known on port 6 Frame is assigned to the IP_100 VLAN and transmitted on port 6 tagged RARP Response Frame Protocol 0x8035 IP DA 158 101 103 2 MAC DA is unknown Frame is assig...

Page 204: ...ese VLANs In the following example the system is in allOpen mode and the incoming frame is untagged Table 27 Network based VLANs and Forwarding and Flooding Decisions Index VID VLAN Name Ports IP Subnet 2 2 IP_100 1 untagged 2 5 tagged 6 untagged 158 101 100 0 mask 255 255 255 0 3 3 IP_101 1 untagged 2 6 tagged 158 101 101 0 mask 255 255 255 0 4 4 IP_102 1 untagged 2 6 tagged 158 101 102 0 mask 25...

Page 205: ...P DA 158 101 103 1 MAC DA is known on port 6 Assigned to the All IP Subnets VLAN Transmitted on port 6 untagged ARP Request Frame Protocol 0x0806 IP SA 158 101 100 2 Broadcast MAC DA Assigned to the IP_100 VLAN Flooded over that VLAN ports 2 5 tagged port 6 untagged ARP Request Frame Protocol 0x0806 IP SA 158 101 103 2 Broadcast MAC DA Assigned to the All IP Subnets VLAN Flooded over that VLAN por...

Page 206: ...gh that port If you remove ports from a specific VLAN and the default VLAN is intact those ports come under jurisdiction of the Default VLAN unspecified protocol type and no explicit or implicit tagging Verify that each bridge port is associated with at least one VLAN in order to handle traffic If you modify the default VLAN to remove certain ports verify that those ports are included in another V...

Page 207: ...onditions When the VLANs are defined for the same protocol type or the type unspecified and do not have any overlapping ports for example an IP VLAN1 with ports 1 6 and IP VLAN2 with ports 7 12 If the VLANs are explicitly defined for different protocol types but may have overlapping ports for example an IP VLAN and an IPX VLAN that both use ports 2 4 ...

Page 208: ...208 CHAPTER 9 VIRTUAL LANS ...

Page 209: ...ng Custom Packet Filters The Packet Filtering Language Common Syntax Errors Custom Packet Filter Examples Limits to Filter Size Using Port Groups in Custom Packet Filters Port Group Management and Control Functions Long Custom Filter Example You can control and manage packet filters in either of these ways From the bridge packetFilter menu of the Administration Console See the Command Reference Gu...

Page 210: ...e frame You can filter Ethernet Fast Ethernet Fiber Distributed Data Interface FDDI or Gigabit Ethernet frames by the destination address source address type length or any attribute within the first 64 bytes Keep in mind that the offsets may differ between FDDI and Ethernet so the same filter may not work on all interfaces Ethernet and FDDI packet fields are shown in Figure 35 Figure 35 Ethernet a...

Page 211: ...avel on many different paths through the switch You can control to which path a filter is applied Input Packet Filtering Receive Path Input packet filtering applies to packets immediately upon reaching the switch port before they reach the switch s internal forwarding processing receive path Because the packets never enter the switch the switch itself is protected against an external attack Output...

Page 212: ... in Table 28 Table 28 Packet Processing Paths Path Description Transmit all txA All frames that are transmitted to the segment that is connected to the port Transmit multicast txM All multicast including broadcast frames that are transmitted to the segment connected to the port Receive all rxA All frames that are received by the port from the segment that is connected to the port Receive multicast...

Page 213: ... software filters that are supplied with the Filter Builder application Filter Builder provides one standard filter that is executed by the hardware the others are custom filters that are executed in software See Table 30 later in this chapter Port Groups A collection of ports that you can reference in a packet filter You create port groups from the Administration Console You can specify different...

Page 214: ...nsequently use custom filters only on ports and paths that need them Processing too many frames in software can affect performance on the ports where custom filters are assigned If you are trying to filter a certain type of broadcast or multicast packet assign the filter to either the txM or the rxM paths allowing only unicast traffic to bypass the filter Each packet processing path on a port may ...

Page 215: ...ce Guide Listing packet filters You can list the packet filters that are defined for the system The display includes the filter identification filter name if any and filter assignments Use the bridge packetfilter list command Displaying packet filters When you display the contents of a single packet filter you select the packet filter using the filter id number that you see when you list the packe...

Page 216: ... is converted into the internal format that is used by the packet filter code in the system Use the bridge packetfilter load command Filters created with the Filter Builder Web Management application can be downloaded directly from Filter Builder See the example in Downloading Custom Packet Filters later in this chapter Assigning packet filters When you assign a packet filter to one or more ports ...

Page 217: ...dministration Console The built in text editor provides a minimal set of EMACS style editing functions that you can use to edit a packet filter definition one line at a time A single line is limited to no more than 79 characters The number of lines is limited only by available memory Because the built in editor is deliberately limited in scope this method is most suited to making small temporary c...

Page 218: ...d shifts the remainder of the line left one position Delete Current Character Ctrl d Deletes a single character under the cursor and shifts the remainder of the line left one position Delete Line Ctrl k Deletes the remainder of the line from the current cursor position If the cursor is positioned over the first character all of the characters on the line are deleted but the line is retained A seco...

Page 219: ...standard hardware or custom software filters to your switch Create your own custom filters and then download them to your switch With Filter Builder you can implement custom packet filters easily and verify that your filters are syntactically correct before you test them on the system Figure 36 shows the Filter Builder configuration form Figure 36 Filter Builder Configuration Form ...

Page 220: ...le filter use this interface Create or Edit Filter window If you are familiar with the packet filtering or to create a complex filter use this interface For more information on the Filter Builder tool see the Web Management User Guide and the Filter Builder s Help system Table 30 Predefined Filter Builder Packet Filters Filter Name Type Filtering Function Implemented fddiforwardip Custom Forwards ...

Page 221: ...ems by default Web Management is installed in 3com and Filter Builder s filter directory is 3Com Filterbuilder Filters If you store your own filters in a different directory point TFTP to it instead On the CoreBuilder 3500 you must set the file transfer protocol to TFTP with the system fileTransfer TFTP option To download the filter 1 Display the directory in which the filter is stored 2 Select th...

Page 222: ...er 3500 has permission to access TFTP and FTP use different permission mechanisms TFTP grants all outside systems permission to access files in its defined home directory See your system s TFTP documentation to find out where the TFTP home is then either copy the filter file to that directory or change home to point to the directory the file is in On most UNIX systems TFTP s home directory is tftp...

Page 223: ...ssword Example FTP Select menu option bridge packetFilter load Host IP address 160 103 8 112 File pathname userfiles thewriter rejmulticast fil User name thewriter Password Packet filter 1 stored 5 Verify that the filter has been loaded Example Select menu option bridge packetFilter list Packet Filter 1 rejMulticast No port assignments 6 At the module prompt enter bridge packetFilter assign to ass...

Page 224: ...inition Comments are stripped When assigned to a port the packet filter is converted from the stored format to a run time format to optimize the performance of the filter Each system is limited to a maximum of 16 packet filter programs How the Packet Filter Language Works A program in the packet filter language typically consists of a series of one or more instructions that results in the top of t...

Page 225: ...e expected by the instruction Any mismatch in implicit operand size results in an error operand size mismatch when you load the program into the system When you write a packet filter be sure that you use comments preceded by to describe each step in the filter This habit helps you to revise filters and enables others to understand and use the filters you create To write a packet filter follow thes...

Page 226: ...ollowing the first outside a quoted string are ignored so use the to begin your comments Comments are not stored in the system they are useful when the filter is created and saved externally Operand sizes The following operand sizes are supported 1 byte b 2 bytes w 4 bytes l 6 bytes a Included primarily for use with 48 bit IEEE globally assigned MAC addresses Maximum length The maximum length for ...

Page 227: ...et Filter Operands Operand Description Opcode packet field A field in the packet that can reside at any offset The size of the field can be 1 2 4 or 6 bytes Typically you only specify a 6 byte field when you want the filter to examine a 48 bit address pushField constant A literal value to which you are comparing a packet field As with a field a constant can be 1 2 4 or 6 bytes long pushLiteral ...

Page 228: ...es the number of bytes pushed The pushField instruction provides direct access to any 1 2 4 or 6 byte b w l or a field contained within the first 64 bytes of the target packet Specify the offset as an octal decimal or hexadecimal number Precede an octal number by a 0 Precede a hexadecimal number by either 0x or 0X Use either upper or lower case letters for the hexadecimal digits a through f pushLi...

Page 229: ...lter that is going to check the same offset more than once such as checking the Ethernet type field to filter multiple protocols use the following guidelines Assume that you want to filter DEC LAT IP and ARP traffic on a port Rather than use multiple pushField w 12 commands to look at the 12th offset where the Ethernet type field resides use multiple pushTop commands as shown here Original Filter ...

Page 230: ...e bitmap in sequence starting with port group mask 1 as the least significant bit through port group mask 32 as the most significant bit Use pushDPGM to filter by port groups See Using Port Groups in Custom Packet Filters for more information eq equal 1 byte Pops two values from the stack and compares them If they are equal a byte containing the non zero value is pushed onto the stack otherwise a ...

Page 231: ...bit wise AND 1 byte Pops two values from the stack and pushes the bit wise AND of these values back onto the stack The contents of the stack determine the size of the operands and the result This is a bit wise operator Each bit of the operands is logically compared to produce the resulting bit or bit wise OR 1 byte Pops two values from the stack and pushes the bit wise OR of these values back onto...

Page 232: ... can significantly improve the performance of certain types of filters See Implementing Sequential Tests in a Packet Filter earlier in the chapter for more information shiftl shift left 1 byte Pops two values from the stack and shifts the first operand left by the number of bits specified by the second operand Bits shifted out of the left side of the operand are discarded and zeros are shifted in ...

Page 233: ...s best to exit a filter as early as possible If you wait until the last instruction to make the forward or filter decision more processing is needed The accept and reject criteria allow you to exit a filter early When using these instructions construct the packet filter so that tests that apply to the majority of the network traffic are performed first This ensures that the filter is exited after ...

Page 234: ...ect packet and terminate test sequence First test Nonzero result Next test Yes No Name Filter AppleTalk datagrams pushField w 12 Get the type field pushTop Make a copy pushLiteral 0x809b EtherTalk Phase I type eq Test if the packet type is equal to the AppleTalk type reject reject the packet and end Otherwise pushLiteral w 0x5dc Largest 802 3 packet size lt If this value is less than the value in ...

Page 235: ...of different sizes Stack underflow The opcode requires one or more operands An insufficient number of operands are currently on the stack Stack overflow The opcode pushes an operand on the stack The stack does not have sufficient room for the operand No result found on top of stack The program must end with a byte operand on the top of the stack After the last instruction in the program is execute...

Page 236: ...size 1 2 4 or 6 Missing open quote on string The string specified does not have a starting quotation mark String is too long The string specified is too long Strings are limited to 32 characters exclusive of the opening and closing quotation marks Missing close quote on string The string specified does not have an ending quotation mark Multiple name statements in program More than one name stateme...

Page 237: ...her OUI value change the literal value loaded in the last pushLiteral l instruction The OUI must be padded with an additional 00 to fill out the literal to 4 bytes Length Filter This filter operates on the length field of a frame It allows packets to be forwarded that are less than 400 bytes in length To customize this filter to another length value change the literal value loaded in the pushLiter...

Page 238: ...ield pushLiteral w 0x0800 Load IP type value eq Check for match name Type 900 or Multicast pushField w 12 Get type field pushLiteral w 0x900 Push type value to test against gt Is type field 900 hex reject If yes reject frame done pushLiteral b 0x01 Multicast bit is low order pushField b 0 bit and Get 1 st byte of destination not Isolate multicast bit Top of stack 1 to accept 0 to reject name Forwa...

Page 239: ...Accept XNS or IP Filter This filter operates on the type field of a frame It allows packets to be forwarded that are XNS or IP frame The pushTop instruction makes a copy of the type field name XNS from 08 00 02 pushField w 12 Get type field pushLiteral w 0x0600 Load type value ne Check for mis match reject Toss any non XNS frames pushLiteral l 0xffffff00 Set up mask to isolate first 3 bytes pushFi...

Page 240: ...t Group Filter See Using Port Groups in Custom Packet Filters for a port group filter example name Drop XNS Routing pushField w 12 Get type field pushLiteral w 0x0600 Load XNS type value ne Check for non XNS packet accept Forward if non XNS packet pushLiteral b 0x01 Load XNS routing type pushField b 19 Get XNS type ne Check for non XNS routing packet ...

Page 241: ...ode and size plus additional bytes for any explicit operands System overhead is 22 bytes plus a per packet filter overhead of 13 bytes For example assume a packet filter program requires 200 bytes for storing the instructions in the program If this packet filter is the only one loaded the nonvolatile memory required is 22 bytes for system overhead plus 13 bytes for packet filter overhead plus 200 ...

Page 242: ...orts in groups 3 and 8 Port Group Filter Operation When an address is learned on a port the address and the port number the packet was received on are inserted into the bridge address table and a bit mask that is associated with the address that denotes the group membership is inserted into the port group mask table The bridge address table stores each SA DA MAC address with the port number The po...

Page 243: ...and the port mask of the destination port respectively You can use these commands to verify if the source and destination addresses of the packets are members of the same port group to implement your filtering algorithm A frame is received unicast multicast broadcast on the source port The source port group mask SPGM is found in the table of port group masks using the received port as the index Th...

Page 244: ...n port group 2 and the rxAll path filter is applied to 1 5 then the appropriate filtering restricts the flooding to the corresponding port group Table 35 and Table 36 show how each port pair filters or does not filter a broadcast frame that is received on port 1 and destined for ports 2 3 4 5 The result is that the frame is flooded to ports 2 3 and the frame is filtered from ports 4 5 Table 35 Por...

Page 245: ...able A port group is limited to the number of ports on a system Listing groups You can list the port groups currently defined on the system The group id group name if any group mask and the slots where the group is loaded are displayed Displaying groups The display of a port group shows the group id the name of the group and all the addresses or ports included in that group Deleting groups When yo...

Page 246: ... However you can load groups by creating a script on a remote host which includes your port group and then running that script on your Administration Console host The following example shows a script that builds two port groups one named Mktg and the other named Sales bridge packetFilter portGroup create 15 Mktg 1 2 3 bridge packetFilter portGroup create 32 Sales 5 6 When you run the script your g...

Page 247: ... that are forwarded to all stations on all segments attached to the system Not all of the segments attached to the system have stations that require these broadcast updates To optimize the performance of these Ethernet segments you need to filter the broadcasts Packet Filter Solution The solution described here is to create a highly sophisticated packet filter that prevents only the broadcast pack...

Page 248: ...etermine if the packet is an XNS datagram 3 Examine socket values and discard the packet if The socket value is greater than or equal to 0x76c and The socket value is less than 0x898 4 Determine if the packet is an IP datagram 5 If so then examine socket values and discard the packet if The socket value is greater than or equal to 0x76c and The socket value is less than 0x898 6 End the filter The ...

Page 249: ...bound and and together with ge and lt test to determine if the socket value is within the range If it is place a one on the stack and Compare if XNS in range IP FILTERING SECTION pushField w 12 Get the type field of the packet and place it on top of the stack pushLiteral w 0x0800 Put the type value for IP on top of the stack eq If the two values on the top of the stack are equal then return a non ...

Page 250: ...filter Name Forward only XNS packets It is important to distinguish the function of each filter when it is loaded onto a system that has more than one filter stored in memory Naming is also useful for archiving filters on a remote system so that the filters can be saved and loaded on one or more systems 2 Enter executable instruction 1 pushField a 0 Clear the stack 3 Enter executable instruction 2...

Page 251: ...er executable instruction 7 eq If the two values on the top of the stack are equal then return a non zero value This returns non zero for XNS broadcast frames Packet Filter Two This filter is designed to accept packets within the socket range of 0x76c and 0x898 When combined with Filter One above it forwards XNS packets Follow these steps to create this filter 1 Name the filter Name Socket range f...

Page 252: ... determine if the socket value is within the range If it is place a non zero value on the stack Combining a Subset of the Filters The next filter places a non zero value on the stack for IP packets with a socket range of 0x76c 1900 and 0x898 2200 The filter combines packet filters one and two modifying them for IP These steps show how to create this filter 1 Name the filter name Only IP pkts w in ...

Page 253: ... zero value pushLiteral w 0x76c Put the lowest socket value on top of the stack 1900 pushField w 24 Put the value of the socket from the packet on top of the stack ge Compare if the value of the socket is greater than or equal to the lower bound pushLiteral w 0x0898 Put the highest socket value on top of the stack 2200 pushField w 24 Put the value of the socket from the packet on top of the stack ...

Page 254: ...ement to compare the results of step 2 and the results of step 3 and compare if XNS in range 5 Perform steps 2 through 4 as described earlier in Combining a Subset of the Filters 6 Add an or statement or determine if the type field is either XNS or IP 7 Add a not statement to discard any matching packets not discard if IP in range or XNS in range The complete packet filter discards IP and XNS pack...

Page 255: ... the stack lt Compare if the value of the socket is less than the upper bound and and together with ge and lt test to determine if the socket value is within the range If it is place a one on the stack and Compare if XNS in range reject reject if XNS and in range IP FILTERING SECTION The type field of the packet was place on top of the stack by the PushTop command pushLiteral w 0x0800 Put the type...

Page 256: ...256 CHAPTER 10 PACKET FILTERING ...

Page 257: ...solution Protocol ARP ARP Proxy Internet Control Message Protocol ICMP ICMP Redirect ICMP Router Discovery Broadcast Address Directed Broadcast Routing Information Protocol RIP Routing Policies Domain Name System DNS User Datagram Protocol UDP Helper Standards Protocols and Related Reading You can configure and manage IP routing in either of these ways From the ip menu of the Administration Consol...

Page 258: ... 3 device can act as a router Routers typically Connect enterprise networks Connect subnets or client server networks to the main enterprise network Figure 38 shows where routers are typically used in a network Routing connects subnets to the enterprise network providing connectivity between devices within a workgroup department or building Figure 38 Subnet Routing Architecture Router Gigabit Ethe...

Page 259: ...uch a network the system streamlines your network architecture by routing traffic between subnets and switching within subnets See Figure 39 Figure 39 Typical Routing Architecture Layer 2 switch Layer 2 switch Layer 2 switch Layer 2 switch Router Gigabit Ethernet Router Router Layer 2 switch Sales Engineering Marketing Connecting enterprise networks Connecting enterprise networks ...

Page 260: ... to each subnet See Figure 40 Figure 40 Multiple Ethernet Ports Per Subnet Bridging switches traffic between ports that are assigned to the same subnet Traffic traveling to different subnets is routed using one of the supported routing protocols For information about implementing bridging see Chapter 7 R Subnetwork 1 Subnetwork 3 Subnetwork 2 ...

Page 261: ...the next hop the next device on the path to the destination Each hop involves three steps 1 The IP routing algorithm computes the next hop IP address and the next router interface using routing table entries 2 The Address Resolution Protocol ARP translates the next hop IP address into a physical MAC address 3 Using the physical MAC address the router sends the packet out the appropriate bridge por...

Page 262: ...nd assign new network addresses to existing hosts Optimal routing IP routing can be the most powerful tool in a complex network setup for sending devices to find the best route to receiving devices The best route here means the shortest and fastest route Flexibility Using IP routing policies and ICMP you can control the amount the importance and the type of traffic on your network Routing policies...

Page 263: ...quently modify that IP VLAN to supply Layer 3 address information If only one routing interface is defined for the IP VLAN then you can supply Layer 3 address information as long as it matches the Layer 3 information that is specified for the routing interface This action converts the IP VLAN into a network based VLAN If you use network based VLANs you are limited to defining only one IP routing i...

Page 264: ...sses A central agency assigns the network part of the IP address and you assign the host part All devices that are connected to the same network share the same network part also called the prefix Dotted Decimal Notation The actual IP address is a 32 bit number that is stored in binary format These 32 bits are segmented into 4 groups of 8 bits each group is referred to as a field or an octet Decima...

Page 265: ...network class See Table 38 Subnet Portion The IP address can also contain a subnet part at the beginning of the host part of the IP address Thus you can divide a single Class A B or C network internally allowing the network to appear as a single network to other external networks The subnet part of the IP address is visible only to hosts and gateways on the subnet When an IP address contains a sub...

Page 266: ...shorthand This notation translates four consecutive 8 bit groups octets into four integers that range from 0 through 255 The subnet mask in the example is written as 255 255 255 0 Traditionally subnet masks were applied to octets in their entirety However one octet in the subnet mask can be further subdivided so that part of the octet indicates an extension of the network number and the rest of th...

Page 267: ...ing There is an alternate method to represent the subnet mask numbers This method is based on the fact that the subnet mask numbers are based on the number of bits that signify the network portion of the mask Many Internet Service Providers ISP providers now use this notation to denote the subnet mask See Table 39 The subnet mask 255 255 255 255 is reserved as the default broadcast address Table 3...

Page 268: ...esses using VLSMs is being used increasingly more as networks grow in size and number However be aware that this method of addressing can greatly increase your network maintenance and the risk of creating erroneous addresses unless you plan the addressing scheme properly Route Aggregation Route aggregation is a numbering scheme in which you can significantly reduce the total number of IP addresses...

Page 269: ...our utilization of IP addresses and your routing tables will be easier to maintain Router ABC 78 1 0 0 16 78 2 0 0 16 78 3 0 0 16 78 254 0 0 16 78 0 0 0 8 78 1 1 0 24 78 1 2 0 24 78 1 3 0 24 78 1 254 0 24 78 254 32 0 19 78 254 64 0 19 78 254 96 0 19 78 254 192 0 19 78 1 2 32 27 78 1 2 64 27 78 1 2 96 27 78 1 192 0 27 ...

Page 270: ... address numbers so that you can take advantage of route aggregation Use RIP 2 or Open Shortest Path First OSPF to carry the extended network prefix information with each route advertisement Make sure that the routers forward routes based on what is known as the longest match For example assume that the destination IP address of a packet is 158 101 26 48 and that the following four routes are in t...

Page 271: ...Network Management Protocol SNMP set up an IP interface to manage your system either in band with your regular network traffic or out of band with a dedicated network In Band Management Set up an IP routing interface and at least one virtual LAN VLAN See Chapter 9 for information about how to define a VLAN Out of Band Management Assign an IP address and subnet mask for the out of band Ethernet por...

Page 272: ...estination network subnet or host Subnet mask The subnet mask for the destination network Metric A measure of the distance to the destination In the Routing Information Protocol RIP the metric is the number of hops through routers Gateway The IP address of the router interface through which the packet travels on its next hop Status Information that the routing protocol has about the route such as ...

Page 273: ...rvals This process helps you to keep up with network changes and allows the system to reconfigure routes quickly and reliably Interior Gateway Protocols IGPs which operate within networks provide this automated method Default Route In addition to the routes to specific destinations a routing table can contain a default route The router uses the default route to forward packets that do not match an...

Page 274: ...l MAC address the frame is further examined to determine if the frame is a routed frame Layer 3 or a request to the switch itself Layer 2 This model allows the system to give the frame first to Layer 2 to be bridged by the VLAN and then given to the router only if the frame cannot be bridged This scheme gives you the flexibility to define router interfaces on top of several bridge ports Your syste...

Page 275: ...th a VLAN ID Even though port based packets do not use VLAN software the hardware must recognize the packets as VLAN entities Therefore the system configures every router port interface as a single port nontagged protocol based VLAN VLAN based router interface You explicitly create a VLAN index then define the IP interface and associate the interface with the index In addition port based routing r...

Page 276: ...router determines that the packet belongs to a recognized routing protocol so the packet is passed to the router 3 The router examines the destination network address and forwards the packet to the interface port that is connected to the destination subnetwork Figure 49 Routing versus Bridging Port based routing is advantageous for networks or network segments whose emphasis is heavily on routing ...

Page 277: ...e very little bridging takes place within the backbone port based routing actually makes operations more efficient Figure 50 Port based Routing Backbone Operations To Internet Backbone Port based Routing L3 VLAN based Routing L3 Server Farm 2 2 2 2 3 3 3 1 2 2 2 1 1 1 1 2 L3 L3 L3 L3 Most routing performed here No PCs or Servers here 1 1 1 1 ...

Page 278: ...panning tree that is not associated with the routing topology This is especially useful if you want to configure two routers in parallel and let the routing protocol or protocols manage the routing loop while STP simultaneously manages any potential bridge loop This redundant router configuration is widely used to incorporate Network redundancy Load sharing between two routers on the same two LANs...

Page 279: ...red a port to be part of a protocol VLAN you cannot use it to create a router port interface of the same protocol and vice versa However if a port is part of an IPX VLAN then you can use that port to create an IP router port interface In order to support router port IP interfaces the system must operate in allClosed VLAN mode To prevent MAC addresses from being shared between other VLANs and the r...

Page 280: ...sses are on the same subnet the packet is bridged directly to the destination address of the host If network addresses are on different subnets the packet must be routed from one to the other In this case the host sends an ARP request for its gateway MAC address then transmits the packet using the MAC address of the gateway Figure 52 illustrates the process when the packet is routed 1 The packet e...

Page 281: ...system to act as both a bridge and a router adding both port density and bandwidth to any interface without requiring any additional hardware Limitations of VLAN based Routing With VLAN based routing the router is subservient to the bridge The bridge topology dictates the router topology Router loops rely on the bridge to resolve them not the routing protocols For large amounts of IP traffic this ...

Page 282: ...bered port to associate with the trunk For example if ports 7 through 12 are associated with a trunk specifying 7 to 12 defines the VLAN to include all of the physical ports in the trunk ports 7 through 12 For more information about trunking see Chapter 8 Configure IP VLANs VLAN based Routing If you want to use VLAN based routing you must first configure the VLAN to use IP An IP VLAN is called a p...

Page 283: ...pe of interface VLAN or port VLAN interface index for VLAN based routing The number of the IP VLAN that is associated with the IP interface When the system prompts you for this option the menu identifies the available VLAN indexes Bridge port for port based routing The number of the physical port associated with this IP interface Important Considerations Consider the following issues before you es...

Page 284: ... an IP Interface After you determine the characteristics for each IP interface you are ready to define each interface You can use the Administration Console or the Web Management Console to define an IP interface Your system can contain up to 32 IP interfaces These interfaces can be defined all on one VLAN all on one router port or on any combination of VLANs and router ports To define your IP int...

Page 285: ...t the age time to 0 Set up a default route The system uses the default route to forward packets that do not match any other routing table entry You may want to use the default route in place of routes to numerous destinations that all have the same gateway IP address If you do not use a default route ICMP is more likely to return an address not found error Before you can define static routes you m...

Page 286: ...s the packet destination the host or router translates that IP address into a MAC address before sending the packet To perform this translation the host or router first searches its ARP cache which is a table of IP addresses with their corresponding MAC addresses Each device that participates in IP routing maintains an ARP cache See Figure 53 Figure 53 Example of an ARP Cache If the IP address doe...

Page 287: ...the packet back to the source hardware address When the originating host or router receives this ARP reply it places the new MAC address in its ARP cache next to the corresponding IP address See Figure 55 Figure 55 Example of ARP Cache Updated with ARP Reply After the MAC address is known the host or router can send the packet directly to the next hop 158 101 3 1 158 101 2 1 Source hardware addres...

Page 288: ...t has no routing ability to determine the MAC address of a host on another network or subnet When ARP proxy is enabled and a workstation sends an ARP request for a remote network the system determines if it has the best route and then answers the ARP request by sending its own MAC address to the workstation The workstation then sends the frames for the remote destination to the system which uses i...

Page 289: ...dressed to the corresponding IP interface on the router and forwarded appropriately Figure 56 Proxy ARP With ARP proxy enabled on the router the MAC address of IP interface 10 10 1 1 is returned to server A when server A sends an ARP message for Server B s MAC address Server A Server B 10 10 1 2 255 255 0 0 10 10 1 1 255 255 255 0 10 10 2 1 255 255 255 0 10 10 2 2 255 255 0 0 L3 ...

Page 290: ...host or gateway sends an ICMP echo request to a specified destination If the destination receives the echo request it sends an ICMP echo reply to the sender This process tests whether the destination is reachable and responding and verifies that the network transport hardware and software are working The ping option is frequently used to invoke this process Creates more efficient routing ICMP Redi...

Page 291: ...e gateways that connect a particular subnet to outside networks By using the preference setting you can select which gateway is the preferred choice Informs sources that a packet has exceeded its allocated time to exist within the network ICMP Time Exceeded For more information about ICMP Redirect and ICMP Router Discovery see ICMP Redirect and ICMP Router Discovery later in this chapter ...

Page 292: ... is a performance cost associated with this redirect activity You have to monitor the activity to gauge its effect on the network Performance can be affected if the sending device ignores the recommendations of ICMP Redirect in which case the performance cost of ICMP Redirect is incurred while the benefits are wasted If you add or change more than one IP interface associated with the same VLAN dis...

Page 293: ... interface and enable it for the other you may not get the performance improvement that you want Example Figure 57 shows how ICMP Redirect works Figure 57 ICMP Redirect Example 150 101 117 253 255 255 255 0 150 101 119 2 150 101 117 2 255 255 255 0 System 1 ICMP redirect enabled System 2 Host A 150 101 117 254 255 255 255 0 1 Host A pings 150 101 119 2 3 ICMP redirect on System 1 returns informati...

Page 294: ...wing points in mind with ICMP Router Discovery You need not manually configure a default route Although IP traffic may initially be directed to any of the routers on the LAN ICMP Redirect messages subsequently channel IP traffic to the correct router ICMP Router Discovery is useful on large networks or if the network topology has undergone a recent change If you are on a small network that is rela...

Page 295: ...r all inbound and outbound broadcast traffic Many hosts are set up to respond to an echo request to their broadcast address with an echo reply which can breach security Directed Broadcast A directed broadcast contains 1s in the host portion of the address field You can choose to have your system on a per interface basis enable or disable the forwarding of directed broadcast frames Important Consid...

Page 296: ...e devices usually hosts listen for RIP messages and update their internal routing tables but do not send RIP messages An active router sends a broadcast RIP message every 30 seconds This message contains the IP address and a metric distance from the router to each destination in the routing table In RIP each router through which a packet must travel to reach a destination counts as one network hop...

Page 297: ... packets and compatibility mode is disabled the software uses the multicast address of 224 0 0 9 when sending periodic updates Doing so reduces the load on hosts that are not configured to listen to RIP 2 messages When the system is configured to advertise RIP 2 packets and compatibility mode is enabled the software uses the advertisement list for RIP 2 updates Cost You can use RIP to calculate th...

Page 298: ...ised You can disable Poison Reverse because it augments what Split Horizon already does and it puts additional information that you may not need into RIP updates Advertisement Address The system uses the advertisement address specified to advertise routes to other stations on the same network The system uses this address for sending updates Note that RIP 2 updates depend on the setting of RIP comp...

Page 299: ...fault a RIP 2 update sends all routing table entries RIP 1 Versus RIP 2 Like RIP 1 RIP 2 allows the system to dynamically configure its own routing table RIP 2 is much more flexible and efficient than RIP 1 however because RIP 2 advertises using the multicast method which can advertise to a subset of the network RIP 1 uses the broadcast method which advertises to the whole network RIP 2 can do thi...

Page 300: ...tes are sent from and received by the routing table in your system Both RIP and OSPF have routing policy capabilities This section describes the RIP routing policies OSPF routing policies are discussed in Chapter 14 There are two basic types of routing policies Import policies Import policies control what routes are added to the routing table That is the import policies control which routes your s...

Page 301: ... a route needs to be added to the routing table 1 The protocol OSPF or RIP that receives the route sends that route to the routing table manager 2 The routing table manager searches the Import policies 3 If the import policy allows the route to be accepted the routing table manager adds the route to the routing table otherwise the route is discarded See Figure 60 The router also needs to periodica...

Page 302: ...gn to the route The range of the metric is 0 through 16 hops If you specify 0 the system does not modify the metric if you specify 16 you are specifying that the route is unreachable 16 represents infinity Administrative weight Controls the relative weight of each policy with respect to another policy The range extends from 1 to 16 with 16 taking the greatest precedence RIP OSPF Import Export Rout...

Page 303: ...oming RIP route has a metric set to 16 which indicates that the route is invalid an existing IP RIP Import Accept Policy does not change the metric This ensures that an IP RIP Import Accept Policy does not overwrite RIP poison reverse triggered updates which could cause incorrect route information to be placed into the routing tables Implementing RIP Routing Policies RIP routing policies determine...

Page 304: ...ied interfaces with or without metric adjustments all all routers Specified route mask accept Accept specified route on specified interfaces with or without metric adjustments all all accept Accept all routes on specified interfaces with or without metric adjustments Specified router Specified route mask reject Reject specified route from specified router on specified interfaces Metrics do not app...

Page 305: ...olicy that matches the origin protocol The policy with the lowest index Table 43 RIP Export Policy Conditions Protocol Source Router Route Action Description RIP OSPF static Specified router or all routers Specified route mask accept Advertise RIP OSPF static specified route from specified source router on specified interfaces with or without metric adjustments RIP OSPF static Specified router or ...

Page 306: ...on formula that RIP uses to convert a routing table metric into one that RIP understands 4 Establish a policy to report OSPF routes so that the metrics that are reported with these routes are imported into RIP without being changed Effects and Consequences Consider these points when you use routing policies Configure the administrative weight setting carefully because this setting has the highest ...

Page 307: ...e route origin IP interface The IP interface on your system that the route is coming in on The policy takes effect on the selected interface only if the origin protocol matches the protocol enabled for the interface selected Policy action The determination whether to accept or reject the route Metric adjustment The determination to increase or decrease the route metric the number of hops for the r...

Page 308: ...0 0 RIP packets from Router 1 Router B Routes in packets 130 1 0 0 131 1 0 0 132 1 0 0 133 1 0 0 131 1 0 0 133 1 0 0 132 1 0 0 Route addresses 10 1 2 2 Source address 10 1 1 1 Selected IP interface 1 Interface 1 Routing table 130 1 0 0 133 1 0 0 Policies 130 1 0 0 from 10 1 2 2 accept 131 1 0 0 from 10 1 2 2 reject 132 1 0 0 from 10 1 2 2 reject 133 1 0 0 from 10 1 2 2 accept 1 ...

Page 309: ...routing table of Router B Table 44 Router B Routing Policies Policy Type Source Address Route Address Route Subnet Mask IP Interface Policy Action Metric Weight Import 10 1 2 2 130 1 0 0 255 255 0 0 1 accept 1 1 Import 10 1 2 2 131 1 0 0 255 255 0 0 1 reject 2 Import 10 1 2 2 132 1 0 0 255 255 0 0 1 reject 1 Import 10 1 2 2 133 1 0 0 255 255 0 0 1 accept 1 2 ...

Page 310: ...o the associated IP address You can resolve an IP address to a host name or a host name to an IP address on a name server Enter either the host name or the IP address the DNS client displays the pair Important Considerations When you set up DNS servers on your LAN remember the following Always set up more than one DNS name server a primary and secondary server so that the lookup service does not h...

Page 311: ...other configuration options DHCP captures the behavior of BOOTP relay agents and DHCP participants can interoperate with BOOTP participants RFC 2131 is the official specification for DHCP Both BOOTP and DHCP use the logical port number 67 for their servers However 3Com implements a generic UDP Helper agent in the system that can apply to any port Implementing UDP Helper Configure UDP Helper by spe...

Page 312: ...pter IP Routing in the Command Reference Guide You need to have a thorough understanding of your network configuration to use UDP Helper Review the network topology before you implement UDP Helper Configuring Overlapped Interfaces Overlapped IP interfaces are multiple logical interfaces that are defined for a single physical port You can specify how UDP Helper forwards packets from overlapped IP i...

Page 313: ...AN from which the packet was received Therefore if the configuration has overlapped VLAN interfaces on a particular port and one of those interfaces is associated with the same VLAN as an IP forwarding address then the frame is broadcast to that VLAN regardless of the interface option that you have selected Standards Protocols and Related Reading This section describes how to obtain more technical...

Page 314: ...A American National Standards Institute ANSI International Standards Organization ISO Institute of Electrical and Electronic Engineers IEEE Internet Engineering Task Force IETF National Institute of Standards and Technology NIST Related Reading For more information about the IP protocol suite refer to the following books High Speed Networks TCP IP and ATM Design Principles by William Stallings Pre...

Page 315: ... VRRP Overview Key Concepts Important Considerations Implementing VRRP VRRP and Other Networking Operations Standards Protocols and Related Reading Before you implement VRRP be sure that you have a good understanding of how IP networks function See Chapter 3 for more information about IP networks Also be sure to read this chapter thoroughly before you set up VRRP on your network You can configure ...

Page 316: ...n host address providing that the destination resides on the same subnet as the sending device If the destination address resides on a non local subnet then the sending device must use one of the following methods to learn the route to the remote network Routing protocol ICMP Router Discovery Static route Default gateway Routing Protocols Routing protocols provide dynamic updates to end stations i...

Page 317: ...e connectivity even if there are alternate paths available VRRP addresses this drawback by defining an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN The election process automatically detects a failure of the primary Master router and transfers all traffic forwarding to the backup router All of this is done without your intervent...

Page 318: ...sumes all forwarding responsibilities on behalf of Router A This transfer of forwarding responsibilities allows the workstation to have continued access across the WAN to the server Key Concepts This section contains some VRRP definitions that you should know before reading further VRRP router A router running the VRRP protocol A VRRP router can Act as a Master router with actual addresses on a in...

Page 319: ...ddress that VRRP uses in its advertisements that supply the source of the IP packet Virtual router initialize A state in which a virtual router is defined but not enabled A virtual router is also in the initialize state when its associated interface is not operational How VRRP Works When you assign Master router responsibilities to one of the virtual routers on the LAN the Master controls the IP a...

Page 320: ...ty as far as which router should have assumed responsibility upon a failure However there can be more than one virtual router on a network because there can be more than one backup router for each static gateway This is because a single backup router at the time of assuming primary router responsibilities becomes the single point of failure See Figure 63 for an example of a network topology that A...

Page 321: ...t priority takes over Master responsibilities until the original Master comes back online If two routers have the same priority VRRP resolves the conflict by selecting the virtual router with the numerically highest primary IP address In other words if Virtual Router A primary IP address of 1 1 1 2 and Virtual Router C primary IP address of 1 1 1 3 both have a priority of 100 Virtual Router C woul...

Page 322: ...P and Telnet do not function properly Sends periodic VRRP advertisement messages Set the advertising interval to be short enough to provide a timely transition to another router should the Master fail Try an advertising interval of 1 second A Backup router monitors the availability and state of the Master and Does not respond to ARP requests for the IP address or addresses associated with the virt...

Page 323: ...s a sample VRRP configuration Specifically it shows you how to configure interfaces on Router 2 and Router 1 in the topology shown in Figure 64 to back up each other Figure 64 Sample Configuration To implement this configuration you must perform the following tasks Create VLANs Configure IP Interfaces Configure the Router Protocol Enable Routing Configure VRRP Enable VRRP 150 100 0 10 1 0 0 Router...

Page 324: ... you must configure for both Router 1 and Router 2 as shown in Figure 64 Use ip interface define in the Administration Console or use the IP Interface Define form in the Web Management console to configure the IP interfaces IP interfaces for Router 1 IP interfaces for Router 2 VLAN VID Port Protocol Suite Tagging VLAN1 2 1 IP None VLAN2 3 2 IP None VLAN3 4 3 IP None VLAN4 5 4 IP None VLAN5 6 5 IP ...

Page 325: ...ndex number and the VID s IP interface established earlier in this procedure In the case of a backup router notice that you associate the IP address of the interface you want to back up VRRP parameters for Router 1 Index RIP 1 Mode RIP 2 Mode Compatibility Mode Route Aggregate Cost Poison Reverse Advertisement Addresses 1 learn enabled disabled enabled 1 enabled 255 255 255 255 2 learn enabled dis...

Page 326: ... by the virtual router then finally remove the VLAN VRRP and Other Networking Operations Read this section for information about how VRRP interacts with other networking functions including Spanning Tree Protocol STP Dynamic routing protocols Routing Information Protocol RIP Routing Information Protocol version 2 RIP 2 Open Shortest Path First OSPF IP Multicast ICMP Redirect Quality of Service QoS...

Page 327: ... RIP 2 and OSPF have their own facilities to track routes across networks You can continue to use these protocols with VRRP routers but on any given subnetwork you must configure the same routing protocols with the same parameters Figure 65 shows how in a parallel routing environment OSPF is configured on each interface in the 99 99 1 0 subnetwork and RIP 2 is configured on each interface in the 9...

Page 328: ...outer called the Querier always has the lowest IP address in the subnetwork If the Querier goes down another router can be designated to take its place The fewer routers that you have designated as possible Queriers the more efficient the handover is Be aware that if you introduce a parallel router topology to take advantage of VRRP you can introduce a topology that is not optimal for IGMP operati...

Page 329: ... well as Backups Failure to match routing policies among all virtual routers on the LAN could for example leave some routing destinations unreachable Dynamic Host Configuration Protocol DHCP Consider using VRRP if your network uses the Dynamic Host Configuration Protocol DHCP DHCP provides for a default gateway and an end host IP address and therefore is at risk to be a single point of failure Con...

Page 330: ...330 CHAPTER 12 VIRTUAL ROUTER REDUNDANCY PROTOCOL VRRP ...

Page 331: ...s How IGMP Supports IP Multicast How DVMRP Supports IP Multicast Key Guidelines for Implementation Configuring IGMP Options Configuring DVMRP Interfaces Configuring DVMRP Tunnels Configuring DVMRP Default Routes Viewing the DVMRP Routing Table Viewing the DVMRP Cache Using IP Multicast Traceroute Standards Protocols and Related Reading You can manage IP multicast routing parameters from the ip mul...

Page 332: ...e their desire to receive the communication In contrast to unicast a source that uses IP multicast generates and sends only one copy of the information that is desired by multiple receivers At point where the delivery path that reaches group members diverges network devices replicate and forward the packets This approach makes efficient use of both source processing power and network bandwidth Whe...

Page 333: ...ient delivery mechanism The business benefits of using IP multicast are that it Enables the simultaneous delivery of information to many receivers in the most efficient logical way Vastly reduces the load on the source for example a server because it does not have to produce multiple copies of the same data Makes efficient use of network bandwidth and scales as the number of participants or collab...

Page 334: ...transmissions fundamentally depend on multicast enabled Layer 3 devices traditional routers or Layer 3 switches hereafter both are called routers to direct packets on an efficient path from sources to destinations As shown in Figure 66 routers that support IP multicast must accomplish two important tasks Communicate with other routers to determine the shortest loopfree delivery path between an IP ...

Page 335: ...d multicast group members In the event that some routers in your network only transmit unicast packets you can configure a transitional technique called tunneling to extend the service area Tunnels provide a virtual point to point link between two multicast routers where the path between them includes one or more routers that do not support multicast routing unicast routers Figure 67 depicts a net...

Page 336: ...ends copies of the group traffic to all ports even if only one port of those ports leads to group members This is because the multicast routing protocol does not track exactly where group members reside on that interface The ability to filter IP multicast traffic on ports within a routing interface that do not lead to group members is highly desirable although it is not required in the IP multicas...

Page 337: ...rtual network located within portions of the physical Internet Its construction reflects several multicast zones connected together via IP multicast tunnels When it was created in 1992 the MBONE spanned four countries and 40 subnetworks today it spans over 25 countries and thousands of subnetworks You can connect to the MBONE through most Internet service providers ISPs You can use it to test mult...

Page 338: ...eam and downstream between routers and between routers and group members IP Multicast Groups Users can join or leave an IP multicast group at any time Users request and cancel membership through mechanisms built into their desktop application perhaps visible to the user as Go and Quit buttons There are no restrictions on the physical location or number of members in a group A user may belong to on...

Page 339: ...ions See Table 45 for examples of permanent reserved addresses or for a complete and current list visit the IANA Web site http www iana org Addresses 224 0 1 0 239 255 255 255 are either assigned to various multicast applications or remain unassigned From this range addresses 239 0 0 0 239 255 255 255 are reserved for site local applications not Internet wide applications Table 45 Examples of Clas...

Page 340: ...rk interface cards NICs The mapping process involves placing the low order 23 bits of the Class D address binary format into the low order 23 bits of the MAC address hexadecimal format For example the Layer 3 address 224 10 8 5 maps to the Layer 2 MAC address 01 00 5E 0A 08 05 To send a multicast packet a source station inserts the Class D address in the IP packet the network interface card maps t...

Page 341: ...ges The querier normally sends messages called IGMP Host Membership Query Messages or queries every 125 seconds All the hosts hear the query because it is addressed to 224 0 0 1 the all systems on this subnetwork Class D address A query is not forwarded beyond the subnetwork from which it originates Host Messages Hosts use IGMP to build their own types of IP multicast messages as described in this...

Page 342: ...ther that host is the last group member on the subnetwork by issuing a group specific query Leave group messages lower leave latency that is the time between when the last group member on a given subnetwork sends a report and when a router stops forwarding traffic for that group onto the subnetwork This process conserves bandwidth The alternative is for the router to wait for at least two queries ...

Page 343: ...path so that multicast storms do not occur Spanning Tree Delivery DVMRP version 3 x uses the Reverse Path Multicast RPM algorithm to construct a delivery tree that begins at the source and spans out to reach group members on a loopless path through the network Hence DVMRP seeks to form a source rooted spanning tree for each source group pair The shape of each tree changes dynamically depending on ...

Page 344: ...erent implementation of the spanning tree concept it is not used with IP multicast Managing the Spanning Tree RPM uses three main techniques to dynamically adjust the shape of an IP multicast spanning tree broadcasting pruning and grafting These techniques balance the goal of an efficient delivery path with the goal of effective service for all potential group members Figure 69 shows the broadcast...

Page 345: ...s explained next to upstream routers if their interfaces do not lead to group members IGMP reports if they want to continue receiving traffic for that source group pair Some IP multicast applications try to actively send traffic on the network even if no group members are requesting their traffic Your system can detect which ports lead to routers and send these infrequent broadcast packets only to...

Page 346: ...Interface Characteristics All DVMRP interfaces and DVMRP tunnels have two characteristics a metric that specifies the cost for the interface and a time to live TTL threshold Metric Value The DVMRP metric is a numeric value or cost for that path The higher the assigned cost the less likely it is that the multicast packets will be routed over that interface provided that other path options exist TTL...

Page 347: ...ut configuring IGMP functions on your system see Configuring IGMP Options later in this chapter 3 Enable DVMRP on each interface that is to perform IP multicast routing You can modify the default TTL threshold and DVMRP metric values that the system assigns to each interface For general information about DVMRP see How DVMRP Supports IP Multicast earlier in this chapter For information about config...

Page 348: ...ng IP multicast application traffic verify that bridge ports are not configured with a multicast limit that is too low Impact of IEEE 802 1Q on Multicasts Multicasting in 802 1Q VLAN tagging environments may have performance implications for your system Specifically if you have multiple VLANs associated with a single port the system is forced to replicate multicast packets to each VLAN that has mu...

Page 349: ...t all times They add little processing overhead to the system Configuring DVMRP Interfaces DVMRP is the protocol used to develop source rooted spanning trees between routers in the network You can enable or disable DVMRP on individual routing interfaces Important Considerations The default setting for DVMRP on each new interface is disabled If DVMRP is disabled the interface cannot participate in ...

Page 350: ... configure up to 8 tunnels per CoreBuilder 3500 system Before you can define a tunnel end point you must configure a routing interface and enable DVMRP on the interface Think of a tunnel end point as being layered on top of an existing IP multicast routing interface To define a tunnel you specify the following tunnel characteristics The index number of the local router interface that serves as the...

Page 351: ...display lists tunnels in ascending order by the tunnel index number Tunnel index numbers provide a way to identify and remove individual tunnels which is especially useful when multiple tunnel end points are configured on the same routing interface When you remove a tunnel the system does not dynamically reorder remaining tunnels in the multicast tunnel display For example if you had three tunnels...

Page 352: ...es the default route How to Configure A Default Route To configure a default route on an interface follow these steps 1 Specify the interface index number 2 Set the default route metric cost Enter a value from 1 through 32 to signify the cost of the route The value 0 indicates that no default route is configured 3 Set the default route mode There are two options all The interface advertises the de...

Page 353: ...raffic if group members exist The system may never receive process IP multicast traffic from the sources listed in the routing table Receipt of IP multicast traffic depends on whether group members exist on directly attached subnetworks or on subnetworks from downstream routers See the Command Reference Guide for definitions of the fields of information and symbols used in the DVMRP route display ...

Page 354: ...em you specify a source and group address 2 The system sends a traceroute Query packet to the last hop multicast router the upstream router for this source group pair 3 The last hop router turns the Query packet into a Request packet by adding a response data block containing its interface addresses and packet statistics It then forwards the Request packet via unicast to the router that it believe...

Page 355: ...s no route is encountered along the path All interim devices must support IP multicast traceroute for you to see a complete path on the display Standards Protocols and Related Reading DVMRP was first defined in RFC 1075 and has been modified in various Internet drafts IGMP was first defined in RFC 1112 and has been modified in various Internet drafts To learn more about DVMRP and IGMP IP multicast...

Page 356: ...356 CHAPTER 13 IP MULTICAST ROUTING ...

Page 357: ... OSPF Overview Key Concepts Key Guidelines for Implementing OSPF Autonomous System Boundary Routers Areas Default Route Metric OSPF Interfaces Link State Databases Neighbors Router IDs OSPF Memory Partition Stub Default Metrics Virtual Links OSPF Routing Policies OSPF Statistics You manage OSPF routing from the ip ospf menu of the Administration Console See the Command Reference Guide ...

Page 358: ... protocol like RIP periodically exchange all or a portion of their tables but only with their neighbors Routers using a link state protocol like OSPF send small portions of their tables throughout the network by flooding For information about how to perform IP routing see Chapter 11 Features Your system supports OSPF Version 2 as defined in RFC 1583 OSPF routing on your system includes these featu...

Page 359: ...col On nonbroadcast multiaccess networks you must statically configure neighbors Your system allows you to display all neighbors in the locality of the router as well configure them when needed For more information see Neighbors later in this chapter Router IDs A router ID identifies the router to other routers within the autonomous system In addition it serves as a tie breaker in the designated r...

Page 360: ... overview of OSPF activity on the interface For more information see OSPF Statistics later in this chapter Benefits The benefits of OSPF are what set it apart from both RIP and other Shortest Path First based algorithms before it While designing OSPF the Internet Engineering Task Force IETF proposed a number of modifications which dealt with improving the existing SPF model These modifications ran...

Page 361: ... with a single scheme configured for each area This partitioning allows some areas to use much stricter authentication than others Host specific and network specific route support OSPF supports traffic forwarding to single hosts or networks Each network the router knows has both an IP destination address and a mask The mask indicates the number of nodes on the network A mask of all ones 0xffffffff...

Page 362: ...nge of addresses that are being described by the particular route Including this mask enables the implementation of variable length subnet masks VLSMs which means that a single IP network number can be subnetworked or broken up into many subnetworks of various sizes When networks are subnetworked OSPF forwards each IP packet to the network that is the best match for the packet s destination It det...

Page 363: ...ers create their topology databases using the data in link state advertisements LSAs from other routers in the autonomous system Areas Autonomous systems can be subdivided into smaller more manageable groups of contiguous networks called areas Each OSPF router in an area must have identical topological link state databases These databases may include area links summarized links and external links ...

Page 364: ...ch area that is connected to it including the backbone area Area border routers also send configuration summaries for their attached areas to the backbone area which then distributes this information to other OSPF areas in the autonomous system In Figure 70 four area border routers link the areas in autonomous system A Autonomous system boundary routers ASBRs Autonomous system boundary routers exc...

Page 365: ...d maintain communications with their neighbors In nonmulticast networks routers find neighbors by sending unicast hello packets to other statically configured routers Database description packets Neighbor routers use database description packets to synchronize their link state summary databases Link state request packets To collect network topology data routers transmit link state request packets ...

Page 366: ...own address in another router s hello packet the two routers establish two way communications as neighbors Establishing Adjacencies If neighboring OSPF routers succeed in exchanging and synchronizing their link state databases they appear as adjacent in all router and network link advertisements Electing the Backup Designated Router OSPF selects a backup designated router for the network segment T...

Page 367: ...gnated router becomes the designated router and OSPF selects a new backup designated router OSPF selects the candidate router with the highest priority If candidate routers have the same priority OSPF selects the router that has the highest router ID The designated router then becomes adjacent to all other routers on the network segment by sending Hello packets to them Calculating Shortest Path Tr...

Page 368: ...raffic See Virtual Links later in this chapter To a stub area When a packet s destination is in a stub area an area that does not accept external route advertisements OSPF uses the area s predefined default route You configure default routing in area border routers that serve an OSPF stub area such as area border router 1 in Figure 70 For more information see Stub Default Metrics later in this cha...

Page 369: ... add additional routers as your network grows Router placement and participation When you populate an area with OSPF routers consider the following guidelines Because OSPF uses a CPU intensive algorithm keep the maximum number of routers participating in OSPF exchanges in any given area to around 50 This number decreases the likelihood of performance problems that may be associated with router rec...

Page 370: ...routers within the OSPF network Every router inside an autonomous system knows how to reach the boundary routers for its autonomous system In Figure 70 two ASBRs control traffic between two autonomous systems Configuring an ASBR A router becomes an ASBR as a by product of other settings A router becomes an ASBR if any operational in band IP interface on the router Has both OSPF and RIP disabled on...

Page 371: ...ther cases where a router can become an ASBR You create IP interfaces with the ip interface option You configure RIP on IP interfaces with the ip rip options You configure OSPF on IP interfaces with the ip ospf options You create default route metrics with the ip ospf defaultRouteMetric define option You create static routes with the ip ospf policy options ...

Page 372: ...address space is its own distinct address space Stub area An OSPF area that does not accept or distribute external address advertisements Instead the area border router generates a default external route that is advertised into the stub area for destinations outside the autonomous system Use the stub area designation to minimize topological data that is stored in the area s routers Range An addres...

Page 373: ...tead the area border router that is attached to the stub area advertises a single default external route into the area This relationship conserves significant LSA database space that would otherwise be used to store external link state advertisements flooded into the area In Figure 70 area 2 is a stub area that is reached only through area border router 1 It is possible to have a stub area with mu...

Page 374: ...us system boundary router 1 Router 5 Area 0 backbone Area 1 Autonomous system A Area border router 2 Area 2 stub Area 3 Area border router 3 Area border router 1 Autonomous system boundary router 2 Autonomous system B Area border router 4 Virtual link Segment 2 Segment 3 Segment 1 Segment 4 Segment 6 Segment 7 Segment 8 Point to point link Segment 5 ...

Page 375: ...that are connected to an area maintain identical routing databases about the area Routers that are connected to multiple areas maintain a separate routing database for each attached area For example in Figure 70 Routers 1 2 3 and 4 maintain identical routing databases about backbone area 0 Routers 5 and 6 maintain identical routing databases about area 1 Area border router 1 maintains separate rou...

Page 376: ...tes within the area fall within a specified address range This summary route or address range is defined by an IP address and mask combination OSPF supports Variable Length Subnet Masks VLSMs so you can summarize a range of addresses on any bit boundary in a network or subnetwork address For example an address range specified with an IP address of 142 194 0 0 with a mask of 255 255 0 0 describes a...

Page 377: ...tain autonomous system boundary routers ASBRs Backbone area A stable fault tolerant backbone is vital to your OSPF internetwork It ensures communication between all areas within the AS Consider the following guidelines when you design the backbone area If you have only one area in your autonomous system then you do not need to configure a backbone area 0 0 0 0 A backbone area must have the area ID...

Page 378: ... neighbor that is physically connected to the backbone the router can use that neighbor to establish a virtual link to the backbone Do not use too many virtual links to connect ABRs for the following reasons Stability of the virtual link depends on the stability of the underlying area that it spans This dependency on underlying areas can make troubleshooting difficult Virtual links cannot run acro...

Page 379: ...cific match for a packet s destination forwards the packet to the default router in the area To configure an OSPF router to advertise itself as the default router for an area you define a default route metric By default the default route metric is not defined which means that the router does not advertise itself as the area s default router When you remove the default route metric the router no lo...

Page 380: ...n one of three ways Designated router DR The router that has the highest priority value unless a designated router already exists on the network segment Backup designated router BDR The router that has a lower priority than the DR the BDR takes over DR functions if the DR fails Not a designated router Any router that is given a priority of 0 or that is not elected DR or BDR Priority 0 routers can ...

Page 381: ... 0 are not eligible for designated router and backup designated router election When a router interface within an area first comes online it determines if a designated router exists for the area If one exists the new router accepts the designated router regardless of its own router priority Therefore if you want to change the designated router for an area configure the router that you want to serv...

Page 382: ...s attached to faster media types such as Gigabit Ethernet are also assigned a default cost of 1 To ensure that a particular media interface is the preferred route leave that link with its metric cost of 1 and manually configure the other links with a higher cost metric for example 2 Delay The transmit delay is the estimated time in seconds that it takes for the system to transmit a link state upda...

Page 383: ...he hello interval value must be identical among all routers that are attached to a common network Hello packets notify other routers that the sending router is still active on the network If a router does not send Hello packets for the period of time that is specified by the dead interval that router is considered inactive by its neighbors and all participating OSPF routers within the affected are...

Page 384: ... inserts the specified password in the OSPF header of every packet that it transmits and receives only those OSPF packets that contain the same password Simple password authentication prevents routers from inadvertently joining the area and helps ensure that only trusted routers participate in the routing domain By default OSPF interfaces on your system do not have associated passwords When no pas...

Page 385: ...nated router such as when all routers have a priority of 0 routers do not form neighbor adjacencies and routing information is not exchanged Area ID Set the area ID to the same value for all routers on the network segment All routers in the same area must have the same area ID The backbone area 0 0 0 0 is configured by default The system associates all newly defined OSPF interfaces with the backbo...

Page 386: ...ip delay between any two routers on the attached network Set the value that you specify for the retransmit interval conservatively to avoid needless transmissions Set the retransmit interval higher for serial lines and virtual links Password By default an OSPF interface does not have an associated password Use the same password for all routers on the same network segment OSPF passwords are not enc...

Page 387: ...ginating router s links interfaces to the area Information contained in each link state advertisement includes LSID Link State ID The ID of the router that generated the LSA Router ID ID of the router that originated the LSA LS Seq Link State Sequence The sequence number of the advertisement Used to detect old or duplicate link state advertisements LS age The time in seconds since the LSA was gene...

Page 388: ...the IP address mask of the neighboring router Metric Cost of using this outbound router link With the exception of stub networks this value must be other than 0 Network Link State Advertisements The designated router for each area originates a network link state advertisement for each transit network a network that has more than one attached router This advertisement describes all routers that are...

Page 389: ...ry link advertisements this is the ASBR s router ID Router ID ID of the router that originated the LSA LS Seq Link State Sequence The sequence number of the advertisement Used to detect old or duplicate link state advertisements LS age The time in seconds since the LSA was generated Network Mask For Type 3 summary link state advertisements this is the destination network s IP address mask For Type...

Page 390: ...dvertises the smallest external metric is chosen regardless of the internal distance to the AS boundary router For example if an ABR is advertising Type 2 external route metrics the cost of the route from any router within the AS is equal to the cost of the external route alone The cost of reaching the advertising ABR is not considered in determining the cost of the external route The internal cos...

Page 391: ...ible values Type 1 Normal link state metric Type 2 The metric is larger than any local link state path See the discussion of Type 1 and Type 2 external metrics earlier in this section Route Tag External Not used by OSPF These 32 bits may be used to communicate other information between boundary routers Important Considerations When you view the link state database consider the following An asteris...

Page 392: ...rk Routers 1 and 2 are neighbors on a point to point link Routers 3 and 4 and area border router 2 are neighbors on segment 4 No routers are neighbors on segments 2 3 5 and 6 In area 1 Router 5 and area border router 2 are neighbors on segment 7 Routers 5 and 6 area border router 4 and autonomous system boundary router 1 are neighbors on segment 9 No routers are neighbors on segment 8 In area 3 ar...

Page 393: ... two way communication or greater Exstart The initial step in creating an adjacency between two routers Adjacencies involve a master slave relationship between two routers which is when that relationship is determined The master sends the first information describing its link state database in the form of database description packets The slave can only respond to the database description packets E...

Page 394: ...in order to synchronize the neighboring routers link state databases The router requests these LSAs by sending link state request packets to the neighbor The neighbor then responds with link state update packets containing the requested LSAs As the appropriate LSAs are received from the neighbor they are removed from the request queue Flags The type of neighbor Possible values D The neighbor was d...

Page 395: ...er that you want to associate with the specified interface The Hello protocol then dynamically retrieves the additional neighbor information as described in Neighbor Information in the previous section Important Considerations Consider the following guidelines when you configure neighbors Routers use OSPF hello packets to learn neighbor addresses dynamically on broadcast networks Define static nei...

Page 396: ... available Default A unique ID that the system generates and uses as the default router ID Interface The index of an IP interface on the router Address An ID that you define in the form of an IP address OSPF routing must be inactive before you can add or modify an OSPF router ID To deactivate OSPF routing set the OSPF mode to disabled See the Command Reference Guide for details After you add the r...

Page 397: ...mory for to perform all of its functions and enable most features Under this option OSPF always has a partition of memory available for its use Under the default OSPF memory allocation scheme two values have meaning Current partition maximum size Allocated memory size Current Partition Maximum Size The current partition maximum size is the maximum amount of memory that OSPF can allocate It is calc...

Page 398: ...An attempt to allocate memory past the OSPF current partition maximum size generates a soft restart condition that momentarily causes the router to go down This may occur for example because The routing table grew suddenly because it received a large number of external link state advertisements LSAs such as RIP routes learned from an ASBR that had to be added to the internal database The router is...

Page 399: ...usly memory reserved under the OSPF current maximum partition size is not available to other protocols even if it is not allocated If you must carefully apportion memory among competing protocols then you might want to decrease the memory available to OSPF A router located in a stub area has no external link state advertisements LSAs for example and might require less memory System Memory Allocati...

Page 400: ...e 70 earlier in this chapter you would configure area border router 1 to generate a default route into stub area 2 If you define a stub default metric of 4 area border router 1 will generate a default route with an associated cost of 4 into stub area 2 If you remove the stub default metric the ABR does not advertise a default route into the stub area A stub area can have multiple ABRs and multiple...

Page 401: ... when discontinuity occurs Connect area backbones For example you can merge two existing OSPF networks into one network sharing a common backbone A virtual link must be established between two ABRs that share a common nonbackbone area with one of those ABRs directly connected to the backbone The nonbackbone area through which the virtual link runs is called a transit area The endpoints of a virtua...

Page 402: ...th routers shown in Figure 71 Router A Transit area 0 0 0 2 Target router 3 1 1 1 Router B Transit area 0 0 0 2 Target router 2 1 1 1 Important Considerations Consider the following guidelines when you configure virtual links You must configure a virtual link for any area border router that has an interface connected to a location outside the backbone area You can define up to 32 virtual links per...

Page 403: ... uses to communicate with B Conserve routing table space The selective nature of routing policies can minimize routing table sizes and increase network stability For example you may want to limit the number of hosts and gateways from which routing information is accepted in which case you can define an import policy to selectively rule out or reject unnecessary routing table entries Isolate suspec...

Page 404: ...icies against directly connected OSPF interfaces because all routers in the area must maintain identical link state databases With the ability to wildcard policy parameters such as 0 0 0 0 to indicate all routers or all routes occasions may arise when several policies match a route In such cases routers use the following procedure to determine which policy to apply to the route If multiple policie...

Page 405: ...uter itself did not originate the route it learned it by means of an external link state advertisement You can also adjust the cost of each route that is accepted into the routing table Using RIP you can define which external routes RIP a router advertises They are self originated but must be external to OSPF Because all routers within the same OSPF area must maintain similar databases all routers...

Page 406: ...tes to which you want the policy to apply specified by a network address and subnet mask The action that you want the router to take accept or reject Accept configures the router to add the route to its routing table Reject prevents the router from adding the route to its routing table OSPF Routing Table Accept Incoming traffic non self originated IP Network Link State Database Import Policy Rejec...

Page 407: ...o the routing table with the cost metric that has been defined by the import policy In case multiple policies match the same route you can also assign an administrative weight to define an order of precedence Import Policies at a Glance Table 47 lists the possible import policy configurations Table 47 OSPF Import Policies Route Address Route Subnet Mask Policy Action Metric Adjustment Description ...

Page 408: ... cost and external metric type of each route that you allow the router to advertise Using RIP you can define which external routes RIP a router advertises External routes are self originated but must be external to OSPF See the discussion about Type 1 and Type 2 metrics in External Link State Advertisements earlier in this chapter for more information about external metric types Table 48 Import Po...

Page 409: ...ss Figure 73 Export Policy Process You define these criteria as part of an export policy The method by which the route was learned by the router Possible origins include directly connected interfaces and static routes as well as RIP routes imported by autonomous system boundary routers When you define an export policy against a directly connected interface you can specify one or all of the physica...

Page 410: ...ate advertisements and as a result is not propagated over the network For export policies that define routes to be advertised in external LSAs you can define a new cost metric value for the route or you can adjust the existing cost metric using one of these operators adds the specified number to the existing cost metric subtracts the specified number from the existing cost metric multiplies the sp...

Page 411: ... specified metric type with a cost of C RIP or Static 0 0 0 0 B Accept C Type 1 Type 2 RIP or Static Route B originating from any router is advertised as the specified metric type with a cost of C RIP or Static 0 0 0 0 0 0 0 0 Accept C Type 1 Type 2 RIP or Static routes originating from any router are advertised as the specified metric type with a cost of C RIP or Static A B Reject N A N A RIP or ...

Page 412: ... routers must maintain similar link state databases and shortest path trees you cannot define an export policy to restrict the advertisement of directly connected OSPF interfaces Table 51 OSPF Export Policies for Directly Connected Interfaces Origin Protocol Interface Policy Action Metric Adjustment External Metric Type Description Direct Specific non OSPF interface or All non OSPF interfaces Acce...

Page 413: ...IP route 138 140 9 0 originates from router 131 141 126 9 Although the router can add the 138 140 9 0 route to its routing table this policy prohibits the boundary router from migrating the route from its routing table to its link state database As a result the route is not propagated over the network Table 53 Export Policy to Reject Static Routes Policy Field Definition Policy type export Origin ...

Page 414: ...es the interface over the network as a Type 2 external metric with an associated cost of 12 overriding the external metric type and cost that are defined for the interface in the system s routing table Export Example 5 Advertisement of Static Routes The policy defined in Table 56 configures a router to advertise all static routes as Type 1 external metrics with a cost of 1 Table 55 Export Policy t...

Page 415: ... to advertise all routes that are imported from a RIP network as Type 2 external metrics with associated costs of 10 Table 57 Export Policy to Accept RIP Routes Policy Field Definition Policy type export Origin protocol rip Source address 0 0 0 0 Route address 0 0 0 0 Policy action accept Metric adjustment 10 ASE Type Type 2 Administrative weight 1 ...

Page 416: ...t path first computations made Each time that a router comes online or each time there is a change in topology the router must perform SPF computations Memory failures Number of nonfatal memory allocation failures LSAs transmitted Number of link state advertisements transmitted LSAs received Number of link state advertisements received Route update errors Number of nonfatal routing table update fa...

Page 417: ...ts RFC 1583 Moy J OSPF Version 2 March 1994 RFC 1850 Baker F and Coltrun R OSPF Version 2 Management Information Base November 1995 Other useful reading includes Moy John OSPF Anatomy of an Internet Routing Protocol Reading MA Addison Wesley Longman ISBN 0201634724 1997 RFC 1245 Moy J OSPF Protocol Analysis July 1991 RFC 1586 DeSouza O and Rodriguez M Guidelines for Running OSPF Over Frame Relay N...

Page 418: ...418 CHAPTER 14 OPEN SHORTEST PATH FIRST OSPF ...

Page 419: ...ed Reading You can manage IPX routing from the ipx top level menu of the Administration Console See the Command Reference Guide IPX Routing Overview You can route packets from your system to an external destination using the Internet Packet Exchange IPX protocol The IPX protocol is a NetWare LAN communications protocol that moves data between servers and workstation programs that are running on va...

Page 420: ...vide services for connectionless communications Reduce the cost of equipment moves upgrades and other changes and simplify network administration Create VLAN to IPX interfaces to create virtual workgroups with most of the traffic staying in the same IPX interface broadcast domain Help avoid flooding and minimize broadcast and multicast traffic Application Presentation Session Transport Network Dat...

Page 421: ...s the relationship between an IPX VLAN and the subnetworks in the IPX network Each IPX VLAN interface is associated with a VLAN that supports IPX The system has one interface defined for each subnetwork to which it directly connected A router operates at the Network layer of the OSI Reference Model The router receives instructions to route packets from one segment to another from the network layer...

Page 422: ...how many routers a packet has passed through on its way to its destination Packets are discarded when this value reaches 16 A network node sets this field to 0 before sending the IPX packet Packet type A 1 byte field that specifies the upper layer protocol that receives the packet Destination network A 4 byte field that contains the network number of the destination node When a sending node sets t...

Page 423: ...yte field that contains the source node network number If a sending node sets this field to 0 the source s local network number is unknown Source node A 6 byte field that contains the source node physical address Broadcast addresses are not allowed Source socket A 2 byte field that contains the socket address of the process that transmitted the packet Packet data A field that contains information ...

Page 424: ...n example of IPX format routing Figure 76 IPX Packet Routing Network 000000AA Node 000000000001 Socket 4003 Node Node 000000000020 000000000021 Network 000000BB Node 000000000003 Socket 0451 MAC Header Destination Node 000000000020 Source Node 000000000001 IPX Header Checksum FFFF Packet length 011E Transport control 00 Packet type 11 Dest network 000000BB Dest node 000000000003 Dest socket 0451 S...

Page 425: ...ing node is a router rather than a workstation the node s internal routing tables supply the destination s network location The destination router does not need to broadcast a RIP request Router s Responsibility A router handles a received IPX packet in one of two ways If the packet is destined for a network number to which the router is directly connected the sending router Places the destination...

Page 426: ... be crossed to reach a network segment Interface The system assigned number for an IPX interface NetBIOS Protocol Network Basic Input Output System protocol An application programming interface API that adds special functions for PC based LANs Node The node address of the router that can forward packets to each network segment when this is set to all 0s the router is directly connected RIP Routing...

Page 427: ...es 4 Define servers 5 Select RIP or SAP if you plan to use them 6 Define IPX forwarding General Guidelines Consider the following general guidelines before you configure IPX routing on your system Every IPX interface has one IPX VLAN and other associated information The IPX router has one IPX interface defined for each network to which it is directly connected Before you define an associated IPX i...

Page 428: ... up available for communication or down unavailable for communication VLAN interface index VLAN index Identifies the VLAN that is associated with a IPX interface When the system prompts you for this option it indicates the available VLAN indexes Important Considerations Consider the following guidelines when you set up an IPX interface The first line in an interface display indicates whether IPX f...

Page 429: ...IPX VLAN index If you use the OddLengthPadding feature make sure that you select only those interfaces that require odd length padding If you enable this option for every interface network performance slows To create an IPX interface see the Administering IPX Routing chapter in the Command Reference Guide Per Interface Options You set the NetBIOS and OddLengthPadding options on each interface NetB...

Page 430: ...system has extended memory the route table display includes a range for the routing table Secondary entries in the N M format where N is the minimum number of entries and M is the maximum number of secondary entries If no range is displayed the system does not have extended memory so the number of route table entries is a fixed number A Secondary route entry can replace a Primary route entry when ...

Page 431: ... Secondary routes in the routing table To set up routes in the routing table see the IPX chapter in the Command Reference Guide Static Routes You manually configure a static route Static routes are useful in environments in which no routing protocol is used or when you want to override a routing protocol s generated route Static routes do not change until you change them and they do not time out B...

Page 432: ...intranetwork segments This table allows a router to send packets toward their destinations over the best possible routes The table contains an entry for every network number that the router knows about The router uses this information when the router is not directly connected to a packet s destination network The routing information table provides the address of another router that can forward the...

Page 433: ...ute toward a destination If one route requires the lowest number of tiks the router selects it as the best route If multiple routes require the same lowest number of tiks the router selects the route that requires the lowest number of hops as the best route If multiple routes require the same lowest number of tiks and hops the router may select any of them as the best route Routing table Interface...

Page 434: ... m is the maximum number of entries Static servers remain in the table until you Remove them Remove the corresponding interface Remove the route to the corresponding network address A static server must have an IPX network address that corresponds to a configured interface or to a static route If an interface goes down any static servers on that interface are permanently removed from the server ta...

Page 435: ... servers boot up they advertise their services When servers are brought down they use SAP to broadcast that their services are no longer available Client systems do not use this server information directly Instead SAP agents within each router on the server s network segment collect this information The SAP agents store information in their server information tables Client systems then contact the...

Page 436: ... it notifies the sending source about all servers known to the agent This response includes the same information that is sent out in periodic SAP broadcasts When the request is specific the SAP agent notifies the sending source about all servers of the requested type Server Tables Server information tables contain data about all active servers on the intranetwork SAP agents use these tables to sto...

Page 437: ...ce requests Hops to server The number of intermediate networks that must be crossed to reach the server Age of server The time in seconds since the server s last table update IPX Forwarding You can control whether the system forwards or discards IPX packets with the ipx forwarding option Important Considerations Consider the following guidelines before you use the ipx forwarding option When you en...

Page 438: ...all routers on the network and age those networks that might become inaccessible if a router is disconnected abnormally from the network Important Considerations Consider the following guidelines before you use the ipx rip mode option The system has three RIP modes Off The system processes no incoming RIP packets and generates no RIP packets of its own Passive The system processes all incoming RIP...

Page 439: ...e protocol receiving the route forwards the route to the routing table manager The routing table manager compares the route to the import policy to determine whether to accept or drop the route If the routing table manager accepts the route it stores the route in the routing table The default import policy is none that is the router places all routes into the routing table RIP Import Policies At c...

Page 440: ...ed with the RIP policy Source Node Address The MAC address of the router that can forward packets to the network Action Whether this router accepts or rejects a route that matches the policy Metric Increase or decrease a route metric by a value that you specify This parameter is valid only if the Policy Action is set to Accept import policies To change the route metric of an export policy you must...

Page 441: ...he ipx sap mode option The system has three SAP modes Off The system does not process any incoming SAP packets and does not generate any SAP packets of its own Passive The system processes all incoming SAP packets and responds to SAP requests but it does not broadcast periodic or triggered SAP updates Active The system processes all incoming SAP packets responds to explicit requests for routing in...

Page 442: ...hether to advertise the service If the export policy does not prohibit the service the router sends it out The default export policy is none that is the router advertises all services SAP Policy Parameters These parameters define SAP policies Policy type Import apply the policy to received services or Export apply the policy to advertised services Route origin The origin of the service for this po...

Page 443: ...that match the same service A higher value takes precedence over a lower value IPX Statistics You can view the following IPX statistics on your system IPX summary statistics IPX RIP statistics IPX SAP statistics IPX forwarding statistics IPX interface statistics In the display the status line indicates whether IPX forwarding is enabled RIP mode is active RIP mode triggered updates are enabled SAP ...

Page 444: ...andards and protocols apply when you use IPX to route packets on your system IEEE 802 2 IEEE 802 2 LLC IEEE 802 3 IEEE 802 3 RAW IEEE 802 3 SNAP Internet Packet eXchange IPX RFC 1234 RFC 1552 Routing Information Protocol RIP RFC 1058 Service Advertisement Protocol SAP NetWare Protocol ...

Page 445: ... manage AppleTalk from the appletalk top level menu of the Administration Console See the Command Reference Guide AppleTalk Overview AppleTalk is a suite of protocols defined by Apple Computer Inc for connecting computers peripherals devices and other equipment to a network AppleTalk protocols support most of the functions offered by the Open Systems Interconnection OSI Reference Model The AppleTa...

Page 446: ...pter for more information AppleTalk routes Your system maintains a table of reachable AppleTalk networks You may want to view the contents of this table for administrative purposes See AppleTalk Routes later in this chapter for more information AppleTalk Address Resolution Protocol AARP cache The AARP cache contains a listing that maps each known AppleTalk address to a corresponding MAC address Yo...

Page 447: ...more information Benefits The benefits of AppleTalk include AppleTalk is built into all Apple devices making them automatically network capable This makes AppleTalk an extremely easy network system to install and operate The naming mechanism AppleTalk uses frees users from having to understand anything about how AppleTalk works AppleTalk supports peer to peer networking so no dedicated servers or ...

Page 448: ...d network services and data delivery Figure 79 AppleTalk Protocols and the OSI Reference Model Application Presentation Session Transport Network Data link Physical OSI Reference Model AppleTalk Data Stream Protocol ADSP Routing Table Maintenance Protocol RTMP PostScript TokenTalk Link Access Protocol EtherTalk Link Access Protocol Token ring hardware Ethernet hardware LocalTalk hardware Datagram ...

Page 449: ...ee link access protocols LAPs TokenTalk LAP TLAP Ethernet LAP ELAP LocalTalk LAP LLAP The AppleTalk Address Resolution Protocol AARP which translates hardware addresses to AppleTalk addresses also exists at the data link layer because it is closely related to the Ethernet and token ring LAPs AARP is usually included in the definition of each LAP so it does not appear in the reference model See App...

Page 450: ...Protocol NBP Routing Table Maintenance Protocol RTMP This protocol maintains information about AppleTalk addresses and connections between different networks It specifies that each router Learns new routes from other routers Deletes a route if the local router has not broadcast the route to the network for a certain period of time Each router builds a routing table for dynamic routing operations i...

Page 451: ...r an additional period of time the RTMP changes the status of an entry from bad to really bad 4 The router removes the entry of a nonresponding router with a really bad status The data in the routing table is cross referenced to the Zone Information Table ZIT This table maps networks into zones See Session Layer Protocols later in this chapter for more information about the ZIT Figure 80 illustrat...

Page 452: ...ata Stream Protocol ADSP ensures delivery of DDP packets to a destination without any losses or corruption Name Binding Protocol NBP This protocol translates alphanumeric entity names to AppleTalk addresses NBP maintains a table of node addresses and named entities within each node Because each node also maintains its own list of named entities the names directory within an AppleTalk network is no...

Page 453: ...e network number in the matching ZIT entry with the network number in the RTMP table to find the interface for routing the packet AppleTalk Session Protocol ASP The ASP passes commands between a workstation and a server after they connect to each other ASP ensures that the commands are delivered in the same order that they were sent and returns the results of these commands to the workstation Prin...

Page 454: ...ended Phase 1 and extended Phase 2 3Com routers support extended network numbers While the CoreBuilder 3500 system does not translate Phase 1 packets to Phase 2 packets it does route packets to a Phase 1 network The system anticipates that a gateway exists between the two networks to translate the packets An extended intranet can span a range of logical networks Network numbers in an extended netw...

Page 455: ...pter Seed Routers A seed router initializes the intranet with AppleTalk configuration information including network numbers and zone names The seed router broadcasts this information so that nonseed routers can learn it You designate a seed router through the Administration Console A nonseed router listens for a seed router and takes configuration information from the first one it detects A nonsee...

Page 456: ... it can also contain a single network number such as network 3 3 AppleTalk Address Resolution Protocol AARP An AppleTalk support protocol that maps the hardware address of an AppleTalk node to an AppleTalk protocol address Hop Count The number of routers a packet must cross to reach a destination network AppleTalk Echo Protocol AEP An AppleTalk support protocol used to test the accessibility of a ...

Page 457: ...igured with matching Network ranges Default zones Zone lists If a configuration mismatch occurs between routers on the same segment then unpredictable behavior may result For example zones may fail to show up in Chooser and AppleTalk services may become inaccessible If you are connecting your system s AppleTalk Phase 2 routing interface to an AppleTalk Phase 1 network follow these guidelines Speci...

Page 458: ...ts a network number from within this range Address The AppleTalk interface address which is based on the network range and a unique network node number 1 through 253 and expressed in the format network node The network number identifies the network The node number uniquely identifies the AppleTalk node on the network The router selects the network number from the range of numbers assigned to the n...

Page 459: ...f possible node numbers All seed routers on a network must have the same value for both the start and end of the network number range For example if you have a segment to which multiple routers are attached and you have assigned a network range of 4 9 then all seed router ports attached to the segment must be configured with a network range of 4 9 All seed routers on a network must be configured w...

Page 460: ... Each routing table entry contains the following information Network Range A range of 16 bit numbers that identifies a network Each device on the network selects from this range the network number it will use to identify itself on the network Distance Number of hops to the destination network Interface Interface used to reach the destination network State Status good suspect bad or really bad of e...

Page 461: ...in the deleted network number If the zone Information Table contains an entry whose network number range is not in the RTMP table it then concludes that the network is no longer on the Internet and deletes the network s ZIT entry An overburdened network with many routers can prevent some routers from sending RTMP updates every 10 seconds Because routers begin to age out routes after the loss of 2 ...

Page 462: ...network initializes it randomly selects an AppleTalk address for itself At the same time the node sends 10 AARP probe packets The probe packets determine whether any other nodes on the network are using the selected address If the address already exists the initializing node randomly selects another address and sends another set of probe packets The AARP maintains an Address Mapping Table AMT with...

Page 463: ...ddress becomes the node s address If the system receives a reply it repeats the process until it discovers an available address AARP entries include the following information AARP Address AARP address of the node in network node format MAC Address MAC layer address of the node Interface Interface through which the node can be reached Age Number of seconds before the system ages out the cache entry...

Page 464: ...alk zones Figure 81 AppleTalk Networks and Zones This example shows an AppleTalk intranet with three subnetworks 47 47 20 40 and 8 8 Three AppleTalk zones span these networks Administration Accounting and Marketing Network 20 40 includes two nodes in the Administration zone and five nodes in the Accounting zone Network 47 47 includes a node from the Accounting zone and all nodes in the Marketing z...

Page 465: ...ss then requests from the originating router the corresponding Zones associated with the newly discovered network When it receives the associated zones it then updates the ZIT entry If the Zone information table contains an entry whose network number range is not in the RTMP table it then concludes that the network is no longer on the Internet and deletes the networks ZIT entry This means whenever...

Page 466: ...or a segment and retain the existing network range you must age out the range from all routers on the network This ensures that all routers query for the new zone information This is because after a zone has been acquired routers do not query for zone information until the network has been aged out of their routing tables If you do not age out the network range some routers may not remove the netw...

Page 467: ...o the segment for which you are changing zone information This forces all routers on the segment to query for the zone information when they receive the new network range The old information is removed from the ZIT when the old network range is aged out of the RTMP tables To change the zone information for a network by assigning a new network range to the segment do the following 1 Reconfigure any...

Page 468: ...otocol DDP packets Because AppleTalk uses this network layer protocol this also disables the routing of AppleTalk packets You disable routing of AppleTalk traffic on a system wide basis This means all AppleTalk interfaces defined on the system will not forward routable AppleTalk traffic All AppleTalk traffic is dropped In addition all traffic from non routable protocols or protocols not yet config...

Page 469: ...sum generation and verification is disabled Disabled is the preferred setting Enabling the checksum generation or verification significantly impacts the router s performance You may want to disable checksum generation and verification if you have older devices that cannot receive packets with checksums AppleTalk Echo Protocol AEP The system supports the AppleTalk Echo Protocol AEP which sends a da...

Page 470: ...ices such as RTMP NBP and ZIP rely on DDP for packet delivery as illustrated in Figure 79 earlier in this chapter Your system allows you to view a variety of DDP statistics including inBcastErrors Number of dropped DDP datagrams for which the system was not their final destination and they were sent to the broadcast MAC address inCsumErrors Number of DDP datagrams that were dropped because of a ch...

Page 471: ...an the length of the expected DDP header outLocals Number of host generated DDP datagrams Routing Table Maintenance Protocol AppleTalk uses the Routing Table Maintenance Protocol RTMP to build and maintain routing tables Your system allows you to view a variety of RTMP statistics including inDatas Number of good RTMP data packets that were received inOtherErrs Number of RTMP packets received that ...

Page 472: ... performed by the Name Binding Protocol Your system allows you to view a variety of ZIP statistics including inErrors Number of ZIP packets received that were rejected for any error inExReplies Number of ZIP extended replies received inGniReplies Number of ZIP GetNetInfo reply packets received inGniRequests Number of ZIP GetNetInfo request packets received inLocalZones Number of Zip GetLocalZones ...

Page 473: ...Info reply with the zone invalid bit set in response to a GetNetInfo request with an invalid zone name outZoneLists Number of transmitted ZIP GetZoneList reply packets Name Binding Protocol AppleTalk uses the Name Binding Protocol NBP to convert user friendly entity names which are user defined and change infrequently into AppleTalk network addresses which are dynamically assigned and change frequ...

Page 474: ...ing For more information about AppleTalk technology see the following publications Gursharan S Sidhu Richard F Andrews and Alan B Oppenheimer Inside AppleTalk Second Addition Addison Wesley Publishing Company 1990 RFC 1742 AppleTalk Management Information Base II ...

Page 475: ...plementation QoS Classifiers QoS Controls Examples of Classifiers and Controls Modifying and Removing Classifiers and Controls QoS Excess Tagging Transmit Queues and QoS Bandwidth LDAP RSVP You can manage QoS and RSVP in either of these ways From the qos menu of the Administration Console See the Command Reference Guide From the Traffic Policy QoS folder of the Web Management Software See the Web ...

Page 476: ...s that exceed the control s rate limit Settable QoS Bandwidth Controls the weighting of high priority and best effort traffic Resource Reservation Protocol RSVP A building block of QoS that implements QoS characteristics in your LAN environment RSVP is an end to end signaling IP protocol that allows an end station to request the reservation of bandwidth across the network RSVP provides admission c...

Page 477: ... service To simplify your classification of traffic the system provides a set of predefined traffic classes You can also specify your own classes of traffic with applied controls to Create a to from classifier with address port patterns that isolate traffic based on source and destination Block traffic for example prevent certain traffic from one workgroup from seeing another workgroup Assign prio...

Page 478: ... also define a control that inserts a priority tag value in forwarded frames The IEEE 802 1p priority tag values are 0 to 7 decimal Table 59 shows the IEEE 802 1p user priority values and the corresponding traffic types The value 7 Network Control is considered the highest priority and 1 Background Traffic is the lowest priority Note that the value 0 the default Best Effort has a higher priority t...

Page 479: ... the IP address or socket level These classifiers are numbered in a range of from 1 to 399 You can define filtering parameters for a flow classifier by setting the source IP address source IP address mask the destination IP address destination IP address mask and the TCP or UDP port range Because these classifiers have lower class numbers they take precedence over nonflow classifiers When a packet...

Page 480: ...ed with the control and its classifier If you want to drop conforming packets for only a subset of ports specify the receivePort or aggregate rate limit set the rate limit to 0 and specify the group of ports Loss eligible status Loss eligible packets are conforming packets that are discarded instead of queued when transmit queues back up beyond a threshold You can specify whether conforming packet...

Page 481: ...width for the control queue is set via RSVP By default 75 percent of the bandwidth is used for high priority traffic and 25 percent is used for best effort packets that is three high priority packets are sent for each best effort packet Low priority packets do not have bandwidth allocated QoS excess tagging Enables you to select an IEEE 802 1p priority tag value for nonconforming excess packets pa...

Page 482: ... excess traffic that exceeds the rate limit parameters c Apply an IEEE 802 1p priority tag value to forwarded traffic General Guidelines You must define a classifier before you can assign a control to it A classifier does not affect traffic scheduling until you configure a control for that classifier Traffic that is not classified and controlled is treated with a transmit priority of best best eff...

Page 483: ...ecause the system predefines 16 nonflow classifiers you must delete one of the existing nonflow classifiers except the default classifier before you can add your own See Modifying and Removing Classifiers and Controls later in this chapter for information on changing or deleting a classifier When you configure a classifier the system prompts you for different information based on your choice of de...

Page 484: ...P or UDP socket information If you want to define a nonflow classifier for bridged or routed packets specify a value in the range of from 400 to 498 See the list of predefined nonflow classifiers in Figure 82 For nonflow classifiers you cannot classify to the IP address or socket level Flow Classifier Name Control Cast Protocol 802 1p 20 FTP none UM TCP 23 Telnet Traffic none UM TCP 401 Background...

Page 485: ...ow priority since classifier number 6 is lower than classifier 420 and has a higher precedence Table 60 shows the basic information for these classifiers Defining Flow Classifiers You can define up to 100 flow classifiers per system for routed IP traffic When you define a flow classifier using a unique classifier number you can create one or more address port patterns filters for that classifier E...

Page 486: ...ou want to define another address port pattern filter for this classifier Specifying Addresses and Address Masks You can classify traffic using source and destination IP addresses and their associated source and destination IP address masks For a classifier aimed at filtering traffic to a specific destination from a particular source you could define a single address port pattern that specifies th...

Page 487: ... A mask of 0 0 0 0 is a wildcard match Specifying Ports and Port Ranges Many common applications are associated with well known port numbers For example FTP which uses TCP uses ports 20 and 21 Telnet which also uses TCP uses port 23 and SNMP which uses UDP uses port 161 You can consult the services database file typically associated with TCP IP hosts for a list of the well known applications servi...

Page 488: ...t type enter the hexidecimal value For DSAP SSAP type enter the DSAP and SSAP hexidecimal values An IEEE 802 1p tag value in the range 0 to 7 or all You can tell the system to recognize any IEEE 802 1p tagged frames with any combination of the priority tags in the range 0 to 7 The tag value is automatically used by the associated control when forwarding frames See IEEE 802 1p earlier in this chapt...

Page 489: ...iers You can also modify one of these predefined controls There are several ways to create controls for classifiers You can Apply one control to only one classifier Apply one control to multiple classifiers Assign a rate limit of none to a control and thereby emphasize the service level and priority tag Assign a rate limit type of receivePort or aggregate to the control and define multiple rate li...

Page 490: ... Administration Console to display summary and detail information for your controls When you define a control you supply the following information A control number in the range 5 to 50 unless you remove the predefined controls from prefined classifiers A control name a unique name of up to 32 characters long The rate limit type for the control none receivePort or aggregate A service level transmit...

Page 491: ... type of rate limit and a service level other than drop any combination of IEEE 802 1p priority tag values in the range 0 to 7 or none to apply to forwarded frames By default no tags are applied unless the associated classifier defines a tag value In that case the tag value from the associated classifier is used for the forwarded frames Whether to drop packets used to establish TCP connections Thi...

Page 492: ...ort or aggregate you have many additional options After you specify a service level and loss eligibility status for conforming packets you can also specify a service level for nonconforming excess packets packets that exceed the specified rate limit whether the nonconforming excess are loss eligible how the rate limit for receive ports should be expressed the rate limit value a burst size and the ...

Page 493: ...andwidth later in this chapter Service levels also define the loss eligibility status for conforming and nonconforming excess By default conforming packets are not loss eligible nonconforming excess are loss eligible The system supports these service levels High For any type of rate limit transmits the packet first top priority Best For any type of rate limit transmits the packet on a best effort ...

Page 494: ...ion By dropping only the initial TCP packet used to establish TCP connections those packets containing a signature of SYN 1 ACK 0 you can establish one way TCP flow filtering Figure 83 3 way TCP Handshake Figure 84 shows an example with TCP drop control disabled Figure 84 QoS Control Action Drop Control Disabled With the QoS Classifier and QoS Control definition shown in Figure 84 TCP control is n...

Page 495: ...S Timer option lets you configure a QoS session to take effect during a predefined time period by setting the start and end times for the specific control Setting the start and end times is similar to using a VCR to record programs The default setting for the timer control is no no timer control QoS controlled classifiers are in effect all the time when timer control is not enabled Starting and en...

Page 496: ...hen a start and end time The control is activated between the start and end time everyday Day of the Week Select a day and then a start and end time The control is removed once the end time is reached Every Day of the Week Select a start day and then the start time and end time The control is activated between the start and end times every 7 days Every Day This Week Select start and end time The c...

Page 497: ...is kind of configuration could be called a to from classifier The control applied to this classifier gives the traffic to and from the server high priority Figure 86 Flow Classifier for Traffic to from a Specific Server To from classifier definition with two address and port patterns 168 101 160 0 168 101 161 0 168 101 163 0 168 101 162 0 168 101 162 151 Database server Clients Classifier Field Cl...

Page 498: ...tern y Source IP address 168 101 162 151 Source IP address mask 255 255 255 255 Destination IP address 168 101 0 0 Destination IP address mask 255 255 0 0 UDP source port range start 0 UDP source port range end 65535 UDP destination port range start 2020 UDP destination port range end 2020 Add another filter address port pattern y Source IP address 168 101 162 151 Source IP address mask 255 255 25...

Page 499: ... 20 30 0 subnet The associated control for this classifier sets a service level of drop to drop all traffic sent by the 168 20 30 0 subnet to the Accounting network Figure 87 Flow Classifier for Traffic to from a Subnet Control Field Definition Control Number 5 Control Name DBServer1 Rate Limit Type none Service Level high Loss Eligible Status no 802 1p tag for forwarded frames none Classifiers co...

Page 500: ...rotocol type all Source IP address 168 20 30 0 Source IP address mask 255 255 255 0 Destination IP address 192 1 0 0 Destination IP address mask 255 255 0 0 UDP source port range start 0 UDP source port range end 65535 UDP destination port range start 0 UDP destination port range end 65535 Add another address port pattern n Control Field Definition Control Number 6 Control Name IPFilter1 Rate Limi...

Page 501: ... with controls to filter IP traffic Classifier 1 permits IP traffic between two hosts 192 20 3 3 and 193 20 3 3 while classifier 3 drops IP traffic TCP and UDP not ICMP to and from one of the hosts 192 20 3 3 Figure 88 Flow Classifier for Traffic to from a Subnet 192 20 3 0 subnet 192 20 4 0 subnet 193 20 3 0 subnet 193 20 8 0 subnet 192 20 3 3 193 20 3 3 ...

Page 502: ... range start 0 UDP source port range end 65535 UDP destination port range start 0 UDP destination port range end 65535 Add another filter address port pattern y Source IP address 193 20 3 3 Source IP address mask 255 255 255 255 Destination IP address 192 20 3 3 Destination IP address mask 255 255 255 255 UDP source port range start 0 UDP source port range end 65535 UDP destination port range star...

Page 503: ...sk 0 0 0 0 UDP source port range start 0 UDP source port range end 65535 UDP destination port range start 0 UDP destination port range end 65535 Add another filter address port pattern y Source IP address 0 0 0 0 all Source IP address mask 0 0 0 0 Destination IP address 192 20 3 3 Destination IP address mask 255 255 255 255 UDP source port range start 0 UDP source port range end 65535 UDP destinat...

Page 504: ...rity to Web Traffic Classifier definition for high priority Web traffic 220 1 2 0 128 10 0 0 Web servers Web clients 128 10 0 222 220 1 2 222 198 20 30 222 176 9 0 222 176 9 0 0 198 20 30 0 subnet subnet subnet subnet Classifier Field Classifier Definition Classifier Number 17 Classifier Name httpServer1 Cast Type unicast IP protocol type TCP Source IP address 0 0 0 0 Source IP address mask 0 0 0 ...

Page 505: ...Source IP address mask 0 0 0 255 Destination IP address 0 0 0 0 Destination IP address mask 0 0 0 0 UDP source port range start 0 UDP source port range end 65535 UDP destination port range start 80 UDP destination port range end 80 Add another filter address port pattern y Source IP address 0 0 0 222 Source IP address mask 0 0 0 255 Destination IP address 0 0 0 0 Destination IP address mask 0 0 0 ...

Page 506: ...ia traffic with an IEEE 802 1p priority tag of 5 and control this traffic with a high priority transmit service level and a rate limit of 2048 Kbytes sec Figure 90 Nonflow Classifier Control for Bridged Multimedia Traffic Control Field Definition Control Number 7 Control Name httpServer1 Rate Limit Type none Service Level high 802 1p tag for forwarded frames none Classifiers controlled 17 Server C...

Page 507: ...ast Type all unicast multicast broadcast UMB Protocol type any IEEE 802 1Q tag s 5 Control Field Definition Control Number 4 Control Name Interactive_Multimedia Rate Limit Type receivePort Service Level high Loss Eligible Status no Excess Service Level drop Excess Loss Eligible Status Representation of Rate Limit Kbytes sec Rate Limit Value 2048 KB Burst Size 181 KB Bridge Ports 1 to 13 802 1p tag...

Page 508: ...unicast traffic between clients and the server on the 168 101 0 0 network The applied control handles this bridged traffic with a high priority transmit service level and a rate limit of 75 percent of the link bandwidth Figure 91 Nonflow Classifier Control for Bridged IP Unicast Traffic Server Clients 168 101 0 0 IP network 255 255 0 0 ...

Page 509: ...ast Type unicast U Protocol type IP IEEE 802 1Q tag s 0 to 7 Control Field Definition Control Number 5 Control Name IP_Unicast Rate Limit Type receivePort Service Level high Loss Eligible Status no Excess Service Level low Excess Loss Eligible Status yes Representation of Rate Limit percent Rate Limit Value 75 percent Burst Size 363 KB Bridge Ports 1 to 13 802 1p tag for forwarded frames uses tags...

Page 510: ...y the default control You can modify other predefined classifiers and the predefined controls for example if you want to redefine the handling of Business Critical traffic which is associated with predefined control 3 Once you apply a control to a classifier you must remove the control for a classifier before you can modify or remove the classifier When you remove a control the associated classifi...

Page 511: ...Tagging The following example shows how to use a classifier control and QoS excess tagging to tag conforming QoS multicast video traffic from a server as Streaming Multimedia 802 1p service and tag any excess traffic as Standard 802 1p service In this sample configuration The configured rate limit is 1 MByte so when the server sends 1 5 MBytes the upstream system knows 1 MByte is conforming and 50...

Page 512: ...e IP address mask 255 255 255 255 Destination IP address 0 0 0 0 Destination IP address mask 0 0 0 0 UDP source port range start 0 UDP source port range end 65535 UDP destination port range start 2010 UDP destination port range end 2020 Add another filter address port pattern y Source IP address 169 10 20 30 Source IP address mask 255 255 255 255 Destination IP address 0 0 0 0 Destination IP addre...

Page 513: ...idth still available after the other queues are serviced Low priority packets do not have bandwidth allocated You can configure the weighting of the high priority and best effort transmit queues by using the option to modify QoS bandwidth By default the weighting of the queues is 75 percent high priority traffic and 25 percent best effort traffic Keep in mind that the weighting does not represent ...

Page 514: ... The CoreBuilder 3500 contains the LDAP client software necessary to communicate and exchange configuration information for QoS parameters stored on the LDAP server Important Considerations Review the following before you enable LDAP on your system You must configure an LDAP server on either a workstation PC using LDAP from Netscape Navigator or on a Solaris or HP Unix workstation using University...

Page 515: ...to the LDAP server cannot be established when the CoreBuilder 3500 is powered on the settings stored in nvFlash are used to provide the fundamental QoS parameters including the default control best effort for the default nonflow classifier 499 When a successful connection is made the QoS parameters are retrieved from the LDAP server using a search filter a group name or a wildcard Once a CoreBuild...

Page 516: ... RSVP is receiver oriented that is an end system can send an RSVP request on behalf of an application to request a specific QoS from the network At each hop along the path back to the source routers such as your system register the reservation and try to provide the required QoS If a router cannot provide the required QoS its RSVP process sends an error to the end system that initiated the request...

Page 517: ...vation per sender on each transmission type Shared explicit A shared reservation flow originating from a limited number of senders for example an audio application This style identifies the flows for specific network resources A single reservation can be applied to all senders in the set Wildcard filter A shared reservation flow from all senders Total reservable bandwidth percentage Controls the a...

Page 518: ...vice that has already performed policing for that flow The system polices the flow when RSVP requests it This is the default policing option The RSVP protocol knows how to detect what is edge and what is not when policing Always The system always polices the flow Never The system never polices the flow even if RSVP requests it Example of RSVP Figure 94 shows an RSVP configuration in which an RSVP ...

Page 519: ...RSVP 519 Figure 94 Sample RSVP Configuration Source station End stations Routers ...

Page 520: ...s the default The service level for excess policed traffic best or low with low as the default This setting applies to the excess traffic with the reserved bandwidth that is in which queue it should be placed Whether nonconforming excess are loss eligible yes or no with no as the default After you enable RSVP you can use your management interface for example the Administration Console to display s...

Page 521: ...ing Analysis Ping traceRoute SNMP Remote Monitoring RMON Management Information Base MIB You can manage baselining roving analysis and SNMP in either of these ways From the menus of the Administration Console See the Command Reference Guide From the respective folders of the Web Management software See the Web Management User Guide You can manage event logging only from the menus of the Administra...

Page 522: ...the device monitoring of your system are described in this section to give you a perspective of the scope of device monitoring Administration Console The Administration Console provides you with access to all the features of your system It also provides you access to some of the device monitoring tools such as event logging baselining roving analysis ping traceRoute and snapshot You access the Adm...

Page 523: ... then make the data useful and alert the user if there are problems on the device For more information about traditional SNMP management see SNMP later in this chapter SmartAgent software which uses Remote Monitoring RMON is self monitoring collecting and analyzing its own statistical analytical and diagnostic data In this way you can conduct network management by exception that is you are only no...

Page 524: ...n display the current settings for the event log The display identifies the output device the severity levels for the log messages and the supported services Configuring the Output Devices For the Administration Console you can configure one or more of these severity levels error Logs application specific error messages to the Console warning Indicates a nonfatal problem config Indicates configura...

Page 525: ...as they relate only to the most recent power up disable the baseline Baselining affects the statistics that are displayed for Ethernet ports and bridges Displaying the Current Baseline You can get a display the current baseline to see when the baseline was last set and to determine if you need a newer baseline for viewing statistics Setting a Baseline You can reset the baseline counters to zero 0 ...

Page 526: ...r port The port that is being monitored is called the monitor port Figure 95 Connecting an Analyzer to the System The purpose of roving analysis is to Analyze traffic loads on each segment so that you can continually optimize your network loads by moving network segments Troubleshoot switched network problems for example to find out why a particular segment has so much traffic When you set up a ro...

Page 527: ...e bridge port as the port that you want to monitor For more accurate analysis attach the analyzer to a dedicated port instead of through a repeater When the analyzer port is set it cannot receive or transmit any other data Instead it receives only the data from the port s to be monitored If Spanning Tree Protocol was enabled on the analyzer port it is automatically disabled When the analyzer port ...

Page 528: ... monitor port analyzer start command affects that port s ability to collect RMON data Table 62 shows which RMON groups can continue to collect data and which cannot after the port has become a monitor port Table 62 Roving Analysis and RMON Data RMON Groups Works with Roving Analysis RMON 1 Groups Statistics Yes History Yes Alarm Yes Hosts No HostTopN No Matrix No Event Yes RMON 2 Groups protocolDi...

Page 529: ...sis or traffic sampling but not both at the same time The monitor and analyzer ports must be of the same type media For example FDDI ports cannot be monitored on Ethernet ports and Ethernet ports cannot be monitored on FDDI ports You can use a Fast Ethernet port to monitor a Gigabit Ethernet port but a warning message will be printed Because the analyzer port is slower than the monitor port the an...

Page 530: ... that are associated with the network domain name See Domain Name Servers in Chapter 11 Using Ping The system provides two ping functions ping Uses the hostname or IP address to ping a host with default options advancedPing Uses the hostname or IP address to ping a host with the advanced ping options that you specify Ping Responses This list gives the possible responses to a ping If the host is re...

Page 531: ...hod allows you to ping your network segments in an organized way rather than having to remember all the hostnames and locations Your DNS server is down and your system cannot look up host names properly You can ping with IP addresses even if you cannot access hostname information Ping by hostname when you want to identify DNS server problems To troubleshoot problems involving large packet sizes pi...

Page 532: ...ket the traceRoute feature launches UDP probe packets with a small TTL value and then listens for an ICMP Time Exceeded reply from a gateway Probes start with a small TTL of 1 and increase the value by 1 until one of the following events occurs The system receives a Port Unreachable message indicating that the packet reached the host The probe exceeds the maximum number of hops The default is 30 A...

Page 533: ...to the management station SNMP provides the language and the rules that the manager and agent use to communicate Managers can discover agents Through autodiscovery tools on Network Management Platforms such as HP OpenView Network Node Manager When you manually enter IP addresses of the devices that you want to manage For agents to discover their managers you must provide the agent with the IP addr...

Page 534: ...by the system agent See Trap Reporting later in this chapter SNMP Messages SNMP supports queries called messages that allow the protocol to transmit information between the managers and the agents Types of SNMP messages Get and Get next The management station requests an agent to report information Set The management station requests an agent to change one of its parameters Get Responses The agent...

Page 535: ...art MIB II The agent has started or been restarted 2 Link Down MIB II The status of an attached communication interface has changed from up to down 3 Link Up MIB II The status of an attached communication interface has changed from down to up 4 Authentication Failure MIB II The agent received a request from an unauthorized manager 5 New Root Bridge MIB The sending agent has become the new root of ...

Page 536: ...ess 21 MAC Path Change 3C FDDI MIB A status that the FDDI Path changes 22 Port LER Condition 3C FDDI MIB A status that the FDDI port link error rate reaches a certain threshold 23 Port Undesired Connection 3C FDDI MIB A port connection does not match the connection policy 24 Port EB Error Condition 3C FDDI MIB Elasticity Buffer has overflowed 25 Port Path Change 3C FDDI MIB Any port path change 26...

Page 537: ...Authentication type is valid but does not match the type configured Authentication type is valid and matches but has the wrong key 35 QOS Intruder QOS MIB This trap is generated when a user attempts to access a network restricted with a QoS One Way TCP Filter The trap contains the following information Source IP Address Destination IP Address Destination IP Port Number QoS Classifier Number To pre...

Page 538: ...in band Ethernet port depending on where the management station is attached See Chapter 2 for more information You can manage the system using an SNMP based external management application This application called the SNMP manager sends requests to the system where they are processed by the internal SNMP agent You can gain access to the Remote Monitoring RMON capabilities of your system through SNM...

Page 539: ...alid if the community string in the request matches the agent s read only community string or read write community string Community string length When you set a community string you can specify any value up to 48 characters long Administering SNMP Trap Reporting For network management applications you can use the Administration Console to manually administer the trap reporting address information ...

Page 540: ... Destinations When you flush the SNMP trap reporting destinations you remove all trap destination address information for the SNMP agent Set SNMP smtProxyTraps Controls SNMP s ability to alert you by means of an SNMP to SMT proxy of a significant event occurring in the FDDI station statistics Control SNMP Write Requests Allows or disallows SNMP write requests ...

Page 541: ...in Your System RMON 1 Groups RMON 2 Groups The CoreBuilder 3500 does not provide RMON support for Gigabit Ethernet ports You can gain access to the RMON capabilities of the system through SNMP applications such as Transcend Network Control Services software not through the serial interface or Telnet For more information about the details of managing 3Com devices using RMON and Transcend tools see ...

Page 542: ...eeps a summary of statistics including historical data in its local memory Management station Communicates with your system and collects the summarized data from it The station can be on a different network from the system and can manage the system s probe function through either in band or out of band connections The RMON specification consists almost entirely of the definition of the MIB The RMO...

Page 543: ...e overburdened by the amount of data it must collect Frequent console polling also generates significant network traffic that itself can create problems for the network The RMON implementation in your system offers solutions to both of these problems The system examines the network without affecting the characteristics and performance of the network The system can report by exception rather than b...

Page 544: ...ddistatistics and axFddihistory On FDDI modules these supplement the RMON 1 statistics and history groups RMON 2 support The system software offers embedded RMON support for seven RMON 2 groups RMON 2 defines ten groups RMON 2 enables the system RMON feature to see above the MAC layer and monitor traffic based on network layer protocols and addresses The embedded RMON support software cannot recei...

Page 545: ...o more than the cost of traditional network monitors Placing probe functionality inside the system has these advantages You can integrate RMON with normal device management The system can manage conditions proactively The system associates statistics with individual ports and then takes action based on these statistics For example the system can generate a log event and send an RMON trap if errors...

Page 546: ... 3 and event group 9 data on as many ports as its resources allow The system will keep RMON 2 protocolDir group 11 protocolDist group 12 and probeConfig group 19 data on as many ports as its resources allow All other RMON group data is hardware sampled The system can be configured to keep hardware sampled RMON group data on up to four ports per CoreBuilder 3500 system No RMON data is kept for Giga...

Page 547: ...segment being monitored History 2 Gathers and stores periodic statistical samples from the statistics group Alarm 3 Allows you to define thresholds for any MIB variable and trigger alarms Host 4 Discovers new hosts on the network by keeping a list of source and destination physical addresses that are seen in good packets HostTopN 5 Allows you to prepare reports that describe the hosts that top a l...

Page 548: ...mplemented in the RMON 1 statistics group to keep track of the frame sizes that are encountered History and axFDDIHistory Groups The history and axFDDIHistory groups record periodic statistical samples for Ethernet and FDDI interfaces and store them for later retrieval The information available per interface for each time interval includes Number of received octets Number of received packets Numbe...

Page 549: ...ance of this chapter illustrates RMON functions using counters Counters hold and update the number of times an event occurs on a port module or switch Alarms monitor the counters and report when counters exceed their set threshold Counters are useful when you compare their values at specific time intervals to determine rates of change The time intervals can be short or long depending on what you m...

Page 550: ...larm Thresholds Thresholds determine when an alarm reports that a counter has exceeded a certain value You can set alarm thresholds manually through the network choosing any value for them that is appropriate for your application The network management software monitors the counters and thresholds continually during normal operations to provide data for later calibration Figure 97 shows a counter ...

Page 551: ... counter is rising from below the low threshold In the second instance the counter is not rising from below the low threshold Host Group The host group records the following statistics for each host the host group detects hosts on the network by their physical MAC addresses Number of received packets Number of transmitted packets Number of received octets Number of transmitted octets Number of tra...

Page 552: ...onfiguration group Table 67 briefly describes these groups Table 67 RMON 2 Groups Supported in the System RMON 2 Group Group Number Purpose protocolDir 11 Provides a list of all protocols that the probe can interpret protocols for which the probe can decode and count packets The protocols can be different network transport and higher layer protocols This group allows the addition deletion and conf...

Page 553: ...eters information about the probe s capabilities for a specific protocol nlMatrix 15 A network layer matrix that provides statistics on the amount of traffic between source destination pairs of hosts based on network layer address It also maintains a TopN table to rank pairs of hosts based on the number of octets or number of packets sent between pairs of hosts alHost 16 Traffic statistics to and ...

Page 554: ...mber of octets transmitted to this address since it was added to the network layer host table Address Map Group The addressMap group maps each network address to a specific MAC level address and to a specific port on the network device This group provides three scalar objects to track address mapping entry insertions deletions and the maximum number of entries an address map control table and an a...

Page 555: ...ork address This group features a host data table Application Layer Matrix Group The alMatrix group gathers statistics about pairs of hosts conversing over a monitored port based on protocol The RMON 2 network layer matrix group gathers statistics based on the network address This group features one control table and three data tables The alMatrix SD and alMatrix DS tables monitor traffic flows pe...

Page 556: ...ion of a MIB allows a Simple Network Management Protocol SNMP network management package such as the Transcend Network Control Services application suite to manage a network device without having a specific description of that device 3Com ships the following MIB files with Extended System software as ASN 1 files BRIDGE MIB mib Bridge MIB RFC 1493 Unsupported groups and tables in this MIB dot1dSr g...

Page 557: ...IB2 MIB mib MIB II MIB RFC 1213 Unsupported groups and tables in this MIB egp group OSPF MIB mib OSPF MIB RFC 1850 RMON MIB mib RMON MIB RFC 1757 RMON statistics for Gigabit Ethernet are not currently supported Supported groups in this MIB statistics history alarm hosts hostTopN matrix event axonFddiRmon mib AXON RMON MIB proprietary support axFddiStatistics axFddiHistory ...

Page 558: ...n be configured for the following RMON groups at any given time addressMap alHost alMatrix hosts hostTopN matrix nlHost nlMatrix SNMPv2 MIB mib used by other MIBs RFC 1907 SOURCE ROUTING MIB mib Source Routing Bridges MIB RFC 1525 VRRP MIB mib Virtual Router Redundancy Protocol MIB Draft RFC 3Com Enterprise MIBs See 3Com Enterprise MIBs later in this chapter Compiler Support Compiler Support ASN 1...

Page 559: ...e number of the counter s column in the table In Figure 98 the counter is in column 5 of the etherStatsEntry table The name of the table where the counter resides is 3CometherStatTable although this name does not appear in the display To manage a network you do not need to know the contents of every MIB object Most network management applications including Transcend Network Control Services make t...

Page 560: ...umbers is called the object identifier OID Each object is uniquely and unambiguously identified by the path of numeric values When the system software performs an SNMP Get operation the management application sends the OID to the agent which in turn checks to see if the OID is supported If the OID is supported the agent returns information about the object For example to retrieve an object from th...

Page 561: ...rfaces 2 at 3 ip 4 icmp 5 tcp 6 udp 7 egp 8 enterprises 1 transmission 10 snmp 11 RMON 16 MIB I MIB II Statistics 1 History 2 Alarm 3 Hosts 4 HostTopN 5 Matrix 6 Filter 7 Capture 8 Event 9 TokenRing 10 RMON 1 ProtocolDir 11 Protocol Dist 12 AddressMap 13 nlHost 14 nlMatrix 15 alHost 16 alMatrix 17 userHistory 18 probeConfig 19 RMON 2 3Com 43 synernetics 114 chipcom 49 startek 260 onstream 135 reti...

Page 562: ... indicates the group s branch in the MIB subtree MIB I supports groups 1 through 8 MIB II supports groups 1 through 8 plus two additional groups Table 68 MIB II Group Descriptions MIB II Group Purpose system 1 Operates on the managed node interfaces 2 Operates on the network interface for example a port or MAC that attaches the device to the network at 3 Were used for address translation in MIB I ...

Page 563: ...lds Hosts 4 Statistics stored for each station s MAC address HostTopN 5 Stations ranked by traffic or errors Matrix 6 Map of traffic communication among devices that is who is talking to whom Filter 7 Packet selection mechanism Capture 8 Traces of packets according to predefined filters Event 9 Reporting mechanisms for alarms Token Ring 10 Ring Station Statistics and status information associated ...

Page 564: ...on Protocol Directory 11 Lists the inventory of protocols that the probe can monitor Protocol Distribution 12 Collects the number of octets and packets for protocols detected on a network segment Address Map 13 Lists MAC address to network address bindings discovered by the probe and the interface on which the bindings were last seen Network Layer Host 14 Counts the amount of traffic sent from and...

Page 565: ...43 29 4 23 3cPoll mib 3Com Remote Polling MIB 43 29 4 22 3cProd mib 3Com Transcend Product Management MIB 43 1 3cQos mib 3Com QoS MIB 43 29 4 21 3cSys mib 3Com System MIB 43 29 4 Unsupported groups in this MIB a3ComSysSlot a3ComSysControlPanel a3ComSysSnmp 3cSysBridge mib 3Com Bridging MIB 43 29 4 10 3cSysFt mib 3Com File Transfer MIB 43 29 4 14 3cSysSmt mib 3Com SMT MIB 43 29 4 9 3cTrunk mib 3Com...

Page 566: ...566 CHAPTER 18 DEVICE MONITORING ...

Page 567: ...3Com FactsSM Automated Fax Service World Wide Web Site To access the latest networking information on the 3Com Corporation World Wide Web site enter this URL into your Internet browser http www 3com com This service provides access to online support information such as technical documentation and software as well as support options that range from technical education to maintenance and professiona...

Page 568: ...roducts This service is available through analog modem or digital modem ISDN 24 hours a day 7 days a week Access by Analog Modem To reach the service by modem set your modem to 8 data bits no parity and 1 stop bit Call the telephone number nearest you Country Data Rate Telephone Number Australia Up to 14 400 bps 61 2 9955 2073 Brazil Up to 28 800 bps 55 11 5181 9666 France Up to 14 400 bps 33 1 69...

Page 569: ...e qualified to provide a variety of services including network planning installation hardware maintenance application training and support services When you contact your network supplier for assistance have the following information ready Product model name part number and serial number A list of system hardware and software including revision levels Diagnostic error messages Details about recent ...

Page 570: ...61 00137 or 021 6350 1590 800 6161 463 00798 611 2230 0 2 3455 6455 0080 611 261 001 800 611 2000 Europe From anywhere in Europe call 31 0 30 6029900 phone 31 0 30 6029999 fax Europe South Africa and Middle East From the following countries you may use the toll free numbers Austria Belgium Denmark Finland France Germany Hungary Ireland Israel Italy 0800 297468 0800 71429 800 17309 0800 113153 0800...

Page 571: ...9900 31 30 6029999 Latin America 1 408 326 2927 1 408 326 3355 From the following countries you may call the toll free numbers select option 2 and then option 2 Austria Belgium Denmark Finland France Germany Hungary Ireland Israel Italy Netherlands Norway Poland Portugal South Africa Spain Sweden Switzerland U K 0800 297468 0800 71429 800 17309 0800 113153 0800 917959 0800 1821502 00800 12813 1800...

Page 572: ...572 APPENDIX A TECHNICAL SUPPORT ...

Page 573: ...nt 138 adjacencies OSPF 366 Administration Console 46 accessing 32 40 accessing the modem port 39 managing from 32 password levels 40 sample menu output 32 top level menu 41 ADSP AppleTalk Data Stream Protocol 453 advertise RIP mode 297 advertisement address 298 advertising IEEE 802 1Q VLANs 183 AEP AppleTalk Echo Protocol 452 456 469 aggregated links Ethernet 73 alarm thresholds RMON examples of ...

Page 574: ...delines for configuring 459 AppleTalk interfaces and VLANs 458 AppleTalk protocols for VLANs 187 AppleTalk Session Protocol ASP 453 AppleTalk Transaction Protocol ATP 452 area border routers 364 375 378 387 389 area IDs OSPF 385 areas 358 361 363 372 376 backbone 373 377 backbone OSPF 385 stub 373 377 400 transit 373 ARP Address Resolution Protocol cache 285 286 defined 286 location in OSI Referen...

Page 575: ...9 VLAN ports via module replacements 69 checksum 456 configuring AppleTalk 469 Chooser Macintosh 455 classifiers QoS 482 assigning numbers 484 defining flow 485 defining nonflow 488 flow routing requirements 485 488 predefined 483 restrictions 482 sample configurations 497 499 501 504 506 508 512 specifying ports and ranges 487 types of 479 using 483 collision Ethernet 84 community strings defined...

Page 576: ...tination addresses 486 destination IP address masks 486 devices GVRP enabled 182 DeviceView 33 DHCP Dynamic Host Configuration Protocol 311 directed broadcast 295 disabled port state 129 disabled RIP mode 297 distance AppleTalk routes 460 distance vector protocols 358 DNS Domain Name Server 310 DNS server problems 531 documentation comments 26 defined 24 for the system 24 on CD ROM 26 orders 24 DP...

Page 577: ...extended network prefix 267 external link state advertisements OSPF 389 external LSAs and stub areas 400 external metrics OSPF type 1 390 type 2 390 external routes OSPF 390 F Fast Ethernet 72 ports autonegotiation 80 81 ports duplex mode 82 ports speed 82 sample port numbering 62 trunks 149 fax service 3Com Facts 569 FDDI and OSI model 90 dual homing 97 dual ring 93 MIB 98 modules and port number...

Page 578: ...hanges when adding 68 ports autonegotiation 80 81 ports flow control 83 sample port numbering 64 trunks 149 Gigabit Ethernet and RMON 546 group address Spanning Tree setting 135 gt opcode 231 guidelines configuration and port numbering 61 for accessing your system 38 key for configuring AppleTalk 457 QoS 482 GVRP GARP VLAN Registration Protocol 159 sample configuration 185 STP and 141 183 using 18...

Page 579: ...532 traceRoute functions 532 IP Internet Protocol addresses 264 283 administering DNS 310 assigning addresses to in band or out of band ports 39 broadcast address 295 defining a management interface 36 interfaces 284 management concepts 37 management interface 39 managing in band 40 managing out of band 40 networking protocol 39 overlapped interfaces 312 UDP Helper 311 IP address classes of 265 de...

Page 580: ...OSPF 388 link state acknowledge packets OSPF 365 advertisements LSAs OSPF 363 364 366 367 372 387 protocol OSPF 358 request packets OSPF 365 update packets OSPF 365 link state age OSPF 387 link state databases OSPF 359 383 387 viewing 391 link state ID OSPF 387 link state sequence OSPF 387 listening port state 129 135 LLC service description 101 107 log event 524 logical topology 91 loss eligible ...

Page 581: ...Protocol NBP 452 name opcode 228 named entities 455 names for VLANs 162 NBP Name Binding Protocol 473 ne opcode 230 neighbor notification and LLC Service 101 107 neighbors OSPF 359 363 365 366 367 369 383 384 392 guidelines for administering 395 static 395 viewing information 392 network address 264 campus interconnects 78 capacity recommendations 78 data centers 78 segmentation 262 wiring closets...

Page 582: ...ence Model 34 261 and FDDI 90 AppleTalk routing and 448 OSPF and imported RIP routes 404 OSPF Open Shortest Path First addresses addressing scheme 369 ranges 372 376 adjacencies 366 area border routers 376 378 387 389 areas 358 361 363 area IDs 381 385 backbone 373 377 385 guidelines for configuring 376 parameters 372 authentication 361 autonomous systems 363 boundary routers 362 387 benefits of 3...

Page 583: ...rts 398 statistics 360 416 stub areas 372 373 377 400 stub default metrics 359 400 summary 358 summary link state advertisements 389 transit areas 373 transmit delay 385 type 1 external metrics 390 type 2 external metrics 390 types of routers 364 variable length subnet mask 362 virtual links 360 362 364 368 375 377 378 387 392 401 402 OUI in packet filter 239 out of band management 37 40 271 overl...

Page 584: ...on guidelines 61 effects of empty slots 63 effects of module removals 66 effects of module replacements 68 70 FDDI 65 overview 59 rules 60 port ranges guidelines for specifying 482 port state learning 129 listening 129 port based VLANs allOpen mode and 171 dynamic configuration via GVRP 182 sample configurations 181 182 using 175 ports anchor in trunk 145 associating with rate limits 491 bridging ...

Page 585: ...tocol UDP 37 using with classifiers 479 virtual terminal protocols 35 36 Zone Information ZIP 465 472 pruning IP multicast 346 pushDPGM opcode 230 242 pushField size 228 pushLiteral opcode 228 pushSPGM opcode 230 242 pushTop opcode 229 Q QoS Quality of Service 475 and RSVP 479 bandwidth 481 513 burst size 480 493 classifiers 479 assigning numbers 484 defining flow 485 defining nonflow 488 predefin...

Page 586: ...ix group 555 on Gigabit Ethernet ports 546 probe 542 probeConfig group 555 protocolDir group 553 protocolDist group 554 SmartAgent software 523 statistics 547 548 Version 1 544 groups 547 Version 2 544 groups 552 RMON 2 564 groups 564 MIB definition 564 root bridge 119 root port 119 route aggregation 268 299 route flapping AppleTalk networks 461 route summarization OSPF 376 route support OSPF 361 ...

Page 587: ... 460 465 471 rules ingress and egress VLAN 162 195 port numbering 60 S S port 101 sample configurations GVRP 185 Ignore STP mode 173 multiple QoS classifiers and control 501 port numbering 62 QoS excess tagging 512 QoS filtering classifiers and controls 499 QoS high priority 504 QoS nonflow classifiers and controls 506 508 QoS to from classifiers and controls 497 RSVP 518 SAP Service Advertising P...

Page 588: ...22 root bridge 119 root port 119 spanning tree IP multicast 344 speed Ethernet ports 82 Fast Ethernet ports 82 SPGM source port group mask 242 SRF Status Report Frames and FDDI stations 104 and lerAlarm 107 stack 226 standard packet filter 213 standards IEEE 802 1p 478 related to QoS and RSVP 478 states AppleTalk interface 458 static neighbors OSPF 395 static route IP 273 285 static route IPX 435 ...

Page 589: ...ebase Web Services 567 bulletin board service 568 fax service 569 network suppliers 569 product repair 571 Telnet 36 terminal emulation 36 terminal port access 41 baud rate setting 38 establishing a connection 38 setting up 38 using an emulator 41 terms VLAN 161 text editor built in 217 timer option 481 tmaxLowerBound defined 105 setting 105 T notify defined 104 token 100 topology FDDI 91 to 93 to...

Page 590: ...tes GVRP 182 User Datagram Protocol UDP 37 V variable length subnet mask VLSM and OSPF 362 vi editor 217 VID VLAN ID 159 GVRP and 182 range 160 router port IP interfaces and 160 Viewing nvData 55 virtual links OSPF 360 362 364 368 375 377 378 387 392 401 402 virtual router Backup router 319 bridge loops 327 DHCP 329 IGMP 328 initialize state 319 Master router 319 primary IP address 319 prioritizin...

Page 591: ...anning Tree Protocol 327 using 319 virtual router 318 322 virtual router backup 319 virtual router master 319 W Web Management software 51 access 42 applications 31 45 browser requirements 42 interface window 42 using Internet Explorer 42 using Netscape Navigator 42 wildcard filter style RSVP 518 wildcards for flow classifier addresses masks 486 wiring closets 78 X XNS in packet filter 240 248 250...

Page 592: ...592 INDEX ...

Reviews:

No comments

Related manuals for CoreBuilder 3500

Brand: Sangoma Pages: 12

Brand: Pantech Pages: 101

Brand: Yealink Pages: 8

Brand: Qing Xin Electronic Pages: 45

Brand: H-TEK Pages: 142

Brand: Alcatel Pages: 67

Brand: Rath Pages: 8

Capsat TT-3060A

Brand: Thrane&Thrane Pages: 182

Brand: Ericsson Pages: 56

Brand: TECNO MOBILE LIMITED Pages: 6

Brand: M4 Pages: 19

Brand: Nordmende Pages: 40

Brand: Yezz Pages: 35

Brand: Samsung Pages: 217

Brand: GENERAL MOBILE Pages: 107

Brand: Lava Pages: 20

Brand: Zte Pages: 168

cricket Galaxy S8

Brand: Samsung Pages: 13

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands