13-8 CHAPTER 13: CONFIGURING ADDRESS AND PORT GROUPS TO USE IN PACKET FILTERS

Enter the ports in this syntax: 

< Ethernet | E | FDDI | F > [port] < port number >

As you enter each address or port, the system attempts to add it to the 
group. 

If the address or port you enter is already a member of the group, a 
message is displayed, as shown next, and the address or port is ignored. 

Warning: Selected address was already a member of the address group

OR

Error: Port grp - no error for the current software

For address groups, if the system fails to accept the additional address, 
the address is not added to the group and an error message is displayed as 
follows:

Error: No room in group for additional address.

The point at which the system runs out of room for additional addresses 
depends on:

- The number of addresses currently in the address table.

- The number of unique addresses configured across all address groups on
  the system. (Each statically configured address and each unique address
  assigned to one or more address groups consumes one address storage
  location.)

For port groups, entering an invalid port specification results in error 
messages, similar to those described on page 15-5.

Address group example

In the example, two additional addresses are added to the Development
address group.

Select address group to be modified [1-4]: 2
Adding addresses to group 2 - Development
Enter the addresses to be added - type q to return to the menu:
Address: 08-21-42-62-98-ab
Address: 08-37-21-65-78-c4
Address: q
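
An added example, not from the 3Com guide: a Python pre-check that sorts a batch of planned group entries into those the console would accept, ignore as existing members, or reject for lack of room, following the rules described above. The free_locations figure, the whitespace-separated and case-insensitive reading of the port syntax, the choice to let an address already held by another group be added without using a new location, and all sample data other than the two Development addresses are assumptions; the page gives no capacity number.

```python
import re

# Hyphen-separated MAC format, as typed in the page's console example.
MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$")

# Port syntax from the page: < Ethernet | E | FDDI | F > [port] < port number >
# Assumption: tokens are separated by whitespace and matched case-insensitively.
PORT_RE = re.compile(r"^(ethernet|e|fddi|f)\s+(?:port\s+)?(\d+)$", re.IGNORECASE)


def normalize_mac(text):
    """Return the address in lower-case hyphenated form or raise ValueError."""
    mac = text.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a hyphen-separated MAC address: {text!r}")
    return mac


def parse_port(text):
    """Return (media, port_number) for a port specification or raise ValueError."""
    match = PORT_RE.match(text.strip())
    if not match:
        raise ValueError(f"invalid port specification: {text!r}")
    media = "Ethernet" if match.group(1).lower().startswith("e") else "FDDI"
    return media, int(match.group(2))


def plan_address_additions(groups, target, entries, free_locations):
    """Classify each entry the way the page describes the console reacting.

    groups: mapping of group name -> set of member addresses (all groups).
    free_locations: remaining address storage locations (assumed input).
    Per the page, each unique address across all groups uses one location,
    so an address already held by another group is assumed to need no new one.
    """
    known = set().union(*groups.values())
    members = set(groups[target])
    result = {"added": [], "already_member": [], "no_room": [], "invalid": []}
    for raw in entries:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            result["invalid"].append(raw)
            continue
        if mac in members:
            # "Warning: Selected address was already a member of the address group"
            result["already_member"].append(mac)
            continue
        if mac not in known:
            if free_locations == 0:
                # "Error: No room in group for additional address."
                result["no_room"].append(mac)
                continue
            free_locations -= 1
            known.add(mac)
        members.add(mac)
        result["added"].append(mac)
    return result


def plan_port_additions(members, entries):
    """Classify port entries for a port group; duplicates are ignored."""
    current = set(members)
    result = {"added": [], "already_member": [], "invalid": []}
    for raw in entries:
        try:
            port = parse_port(raw)
        except ValueError:
            result["invalid"].append(raw)
            continue
        if port in current:
            result["already_member"].append(port)
        else:
            current.add(port)
            result["added"].append(port)
    return result


def demo():
    # Constructed sample state; only the two addresses being added to
    # Development in the page's example come from the guide.
    groups = {
        "Development": {"02-00-00-00-00-01"},
        "Lab": {"08-37-21-65-78-c4"},
    }
    entries = [
        "08-21-42-62-98-AB",   # new everywhere: uses the last free location
        "08-37-21-65-78-c4",   # already stored for Lab: no new location
        "02-00-00-00-00-01",   # already in Development: ignored
        "02-00-00-00-00-02",   # new, but no location left
        "0821.4262.98ab",      # wrong notation
    ]
    return plan_address_additions(groups, "Development", entries, free_locations=1)


if __name__ == "__main__":
    for outcome, items in demo().items():
        print(f"{outcome}: {items}")
```

Entries reported as no_room or invalid never reach the group, so a packet filter that references the group will not cover those stations.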

Summary of Contents for SUPERSTACK 2200

Page 1: ... SUPERSTACK II SWITCH 2200 ADMINISTRATION CONSOLE USER GUIDE Part No 801 00310 000 Published September 1996 Revision 01 ...

Page 2: ...ricted Rights Clause at 48 C F R 52 227 19 and the limitations set forth in 3Com Corporation s standard commercial agreement for the software Unpublished rights reserved under the copyright laws of the United States If there is any software on removable media described in this documentation it is furnished under a license agreement included with the product as a separate document in the hardcopy d...

Page 10: ... system using the SuperStack II Switch 2200 Getting Started guide Audience description This guide is intended for the system or network administrator who is responsible for configuring using and managing the Switch 2200 system It assumes a working knowledge of local area network LAN operations and a familiarity with communications protocols that are used on interconnected LANs If the information i...

Page 11: ... moving between menus Setting interface parameters screen height and control keys Running scripts of Console tasks Getting help II System Level Functions Setting up the system for management access through serial ports or using IP and setting up SNMP Configuring SNMP community strings Setting up trap reporting Configuring system parameters such as name date time and passwords Baselining statistics...

Page 12: ...iltering criteria V Appendixes Additional information about packet filters opcode descriptions examples and error messages Getting Technical Support Returning products for repair Table 1 Description of Guide Parts continued Part Contents Table 2 Notice Icons Icon Type Description Information Note Information notes call attention to important features or instructions Caution Cautions contain direct...

Page 13: ...ntax vs Command Syntax indicates that the general command syntax form is provided You must evaluate the syntax and supply the appropriate value for example Set the date by using the following syntax mm DD yy hh mm ss xm Command indicates that all variables in the command syntax form have been supplied and you can enter the command as shown in text for example To update the system software enter th...

Page 14: ...ormation about using the Administration Console to configure and manage your Switch 2200 system Shipped with system Part No 801 00310 000 Command Quick Reference for the SuperStack II Switch 2200 Administration Console Contains all of the Administration Console intelligent switching commands for the Switch 2200 system Folded card shipped with system Part No 801 00314 000 Documentation Comments You...

Page 15: ...I Chapter 1 Overview of SuperStack II Switch 2200 Administration Chapter 2 How to Use the Administration Console INTRODUCTION ...

Page 16: ...ant MAC port bridge and IP statistics The Switch 2200 Administra tion Console allows you to configure your system and display these impor tant statistics For more complete network management you can use an external application such as 3Com s Transcend Enterprise Manager Configuration Tasks This section uses tables to summarize the tasks and quick commands for the SuperStack II Switch 2200 Administ...

Page 17: ...tics to evaluate recent activity in your system and on your network system baseline page 5 2 Configure timeout for remote sessions Configure the system to disconnect remote sessions after a specified time interval system telnet page 2 12 Control access to the Console Set passwords for levels of access read write administer and prohibit remote access during your session by locking the Console syste...

Page 18: ...rface display ip interface define ip interface modify ip interface remove page 3 5 Define static routes Access a menu from which you can display define remove and flush static routes for transmitting traffic through the system Static routes override routes learned through RIP ip route ip route default page 3 9 Administer the ARP cache Display remove and flush the ARP cache a table of known IP addr...

Page 19: ... Enable or disable IP fragmentation Enable or disable the fragmenting of large FDDI packets to allow FDDI and Ethernet stations to communicate using IP bridge ipFragmentation page 10 5 Enable or disable IPX snap translation Enable or disable the translation of 802 3_RAW IPX packets to FDDI_SNAP packets when going from Ethernet to FDDI and vice versa when going from FDDI to Ethernet The default is ...

Page 20: ...ress multicast storms and limit the rate at which multicast packets are propagated by the system bridge port multicastLimit page 11 7 Administer bridge port addresses Administer the MAC address of stations connected to Ethernet and FDDI ports This command accesses a menu from which you can list add remove flush and freeze bridge port addresses bridge port address page 11 11 Use packet filters to r...

Page 21: ...e system ethernet label page 7 8 Set the Ethernet port state Enable or disable an Ethernet port controlling whether the port sends and receives frames ethernet portState page 7 8 Configure Ethernet ports to be monitored by a network analyzer Analyze data forwarded through Ethernet ports With roving analysis you set up one Ethernet port for a network analyzer attachment and set up another Ethernet ...

Page 22: ...for the TVX timer the minimum value for the T Max timer and the maximum value for the T Req timer fddi path tvxLowerBound fddi path tmaxLowerBound fddi path maxTreq page 8 7 page 8 8 page 8 9 Set FDDI MAC parameters Set the parameters for the frame error threshold and the not copied threshold enable or disable LLC service and set MAC paths fddi mac frameErrorThreshold fddi mac notCopiedThreshold f...

Page 23: ... null Subsequent access is described in this chapter Levels of User Access The Administration Console supports three password levels allowing the network administrator to provide different levels of access for a range of Switch 2200 users These access levels are described in Table 2 1 Table 2 1 Password Access Levels Access Level For Users Who Need to Allows Users to Administer Perform system set ...

Page 24: ...ware baseline Administer a statistics baseline consoleSpeed Set the console serial port baud rate telnet Administer telnet sessions password Set the console passwords name Set the system name time Set the date and time screenHeight Set the console screen height consoleLock Allow Disallow remote access to the console ctlKeys Enable Disable Ctl X reboot and Ctl C abort nvData Save restore or reset n...

Page 25: ...Administration Console by selecting options from this menu and from others below it Each menu option is accompanied by a brief description Here is the top level menu Menu options system Administer system level functions ethernet Administer Ethernet ports fddi Administer FDDI resources bridge Administer bridging ip Administer IP snmp Administer SNMP analyzer Administer Roving Analysis script Run a ...

Page 26: ... system See Figure 2 1 Figure 2 1 System level Functions Menu Hierarchy for Administer Access Ethernet Menu From the ethernet menu you can view information for and name Ethernet ports See Figure 2 2 For example to view all Ethernet port statistics you enter ethernet at the top level menu and then detail at the ethernet menu Figure 2 2 Ethernet Menu Hierarchy for Administer Access Top Level Menu sy...

Page 27: ...ameters including those for the Spanning Tree Protocol STP You can also configure the bridge at the port level and administer packet filters See Figure 2 4 For example to set the Spanning Tree state for a bridge port you enter bridge at the top level menu port at the bridge menu and stpState at the port menu Top Level Menu fddi menu station menu system station display ethernet path connectPolicy f...

Page 28: ...isplay summary list ethernet ipFragmentation detail add fddi ipxSnapTranslation multicastLimit remove bridge addressThreshold stpState find ip agingTime stpCost flushAll snmp stpState stpPriority flushDynamic analyzer stpPriority address freeze script stpMaxAge logout stpHelloTime packetFilter menu stpForwardDelay list addressGroup menu stpGroupAddress display list port create display packetFilter...

Page 29: ...lectively choose any Ethernet network segment attached to a Switch 2200 and monitor its activity using a network analyzer See Figure 2 7 For example to add analyzer ports you enter analyzer at the top level menu and then add at the analyzer menu Figure 2 7 Analyzer Menu Hierarchy for Administer Access Top Level Menu snmp menu trap menu system display display ethernet community addModify fddi trap ...

Page 30: ...d command until it becomes unambiguous When a new menu appears the selection prompt with its choices in parentheses changes to reflect your progression through the menus For example if you enter system at the top level menu and then baseline at the system menu the prompt changes at the next level Select a menu option system baseline Entering a command string Once you are familiar with the menu str...

Page 31: ...alid values Enabled shown in brackets is the default Enter a new value disabled enabled enabled Entering values in command strings A command string can also contain the value of a command parameter If you enter a value at the end of a command string the task is completed and you are returned to the previous menu For example to disable a baseline from the top level menu enter Select a menu option s...

Page 32: ...ut reaches the designated screen height you are prompted to press a key to display more information To receive no prompts set the screen height to infinite 0 At this setting however the screen output might scroll beyond the screen depending on your screen size To set the screen height 1 From the top level of the Administration Console enter system screenHeight You are prompted for a screen height ...

Page 33: ...ble the functionality as shown here Enter new value disabled enabled enabled 2 Enter enabled or disabled at the prompt Remote Access Parameters You can reach the Administration Console remotely through a telnet or rlogin session You can set parameters to prevent disconnections when another user remotely accesses the Administration Console to enable the Switch 2200 to end remote sessions after a sp...

Page 34: ...le or on to lock it Enabling Timeout of Remote Sessions You can configure the Switch 2200 to disconnect remote sessions after a user specified time interval of no activity By default the telnet timeout is disabled To enable or disable the telnet timeout 1 From the top level of the Administration Console enter system telnet timeOut 2 Enter the telnet timeout state off or on The default time interva...

Page 35: ...SCII based line editor such as EMACS or vi To run them from the Administration Console you must access the directory where your scripts are stored When writing scripts you can use the number symbol to identify comments in the script To run a script 1 From the top level of the Administration Console enter script You are prompted for information about where you have stored the script you want to run...

Page 36: ... The next example shows how you can script these tasks to initially configure your system Setting up the Console port baud rate Setting the system name Assigning an IP address for management Checking the IP connection by pinging the Switch 2200 Enabling Spanning Tree on the system Setting up SNMP trap reporting ...

Page 37: ... ip interface define 158 101 112 99 IP address for the system 255 255 0 0 subnet mask 158 101 255 255 broadcast address 1 cost all ports ip interface display Validate access to management workstation ip ping 158 101 112 26 management workstation address Enable the Spanning Tree Protocol bridge stpState enabled Configure my node as an SNMP trap destination snmp trap add 158 101 112 26 management wo...

Page 38: ...structions for using the Administration Console Help for specific menu options To get help for a specific menu option enter and the name of the option for which you want help The system displays instructions if available for using that option For example to get help on the ethernet option on the top level menu enter ethernet Viewing More Levels of Menu Options The outlining feature allows you to l...

Page 39: ...If you are accessing the system through the Console serial port exiting returns you to the password prompt To exit from the Administration Console 1 Return to the top level of the Administration Console if you are not already there by pressing the ESC key 2 From the top level menu enter logout Top Level Menu system ethernet fddi bridge ip snmp analyzer script logout ...

Page 40: ...er 3 Configuring Management Access to the System Chapter 4 Administering Your System Environment Chapter 5 Baselining Statistics Chapter 6 Saving Restoring and Resetting Nonvolatile Data SYSTEM LEVEL FUNCTIONS ...

Page 42: ...ement application such as 3Com s Transcend Enterprise Manager Using a Serial Connection Direct access through the console serial port is often preferred because it allows you to stay attached during system reboots See the SuperStack II Switch 2200 Getting Started Guide for console port pin outs Serial connections are often more readily available at a site than Ethernet connections A Macintosh or P...

Page 43: ...sh communication using the console serial port To set the baud rate for the Console serial port 1 From the top level of the Administration Console enter system consoleSpeed 2 Enter the baud rate for the serial port The system supports the following baud rates 19200 9600 4800 2400 1200 and 300 If you are connected to the Console serial port when you set the baud rate for that serial port the follow...

Page 44: ...ty for your system by displaying the IP statistics at any time Administering Interfaces You define interfaces to establish the relationship between the ports on your system and the subnets in your IP network You can have up to 32 addresses on a single port and you can assign up to 17 ports per interface An IP interface has the following information associated with it IP Address This address is spe...

Page 45: ...nterface share the same IP address subnet mask broadcast address and cost The Switch 2200 contains 17 ports 1 FDDI and 16 Ethernet Be sure that the port to which your management station is attached is included in an interface Displaying Interfaces You can display a table that shows all IP interfaces configured for the system including their parameter settings To display IP interface information en...

Page 46: ...mes sourced from the attached segment To avoid unintentional filtering of IP broadcasts 3Com recommends that you include all ports If you do not assign all ports to this interface be sure that you include the port to which your network management station is attached To define an IP interface 1 From the top level of the Administration Console enter ip interface define You are prompted for the inter...

Page 47: ...Ethernet Select port s 1 18 all 2 4 8 If you physically change the configuration of your system after defining IP interfaces the ports designated for those interfaces might no longer be valid You should reconfigure your interfaces Modifying an Interface To modify an IP interface that you have already defined 1 From the top level of the Administration Console enter ip interface modify You are promp...

Page 48: ...t Mask These elements define the address of the destination network subnet or host A route matches a given IP address if the bits in the IP address that corresponds to the bits set in the route subnet mask match the route destination address When it forwards a packet if the system finds more than one routing table entry matching an address for example a route to the destination network and a route...

Page 49: ...es are configured and if they are operating To display the contents of the routing table enter the following from the top level of the Administration Console ip route display In the following example routes for the Switch 2200 are displayed The configuration of RIP is indicated in the status display Destination Subnet mask Metric Gateway Status 158 101 4 0 255 255 255 0 2 158 101 2 8 Static 158 10...

Page 50: ...rn at the prompt 2 Enter the destination IP address of the route 3 Enter the subnet mask of the route 4 Enter the gateway IP address of the route A static route is defined in the following example Enter destination IP address 158 101 4 0 Enter subnet mask 255 255 0 0 255 255 255 0 Enter gateway IP address 158 101 2 8 Removing a Route To remove a route 1 From the top level of the Administration Con...

Page 51: ...s an ICMP destination unreachable message to the host that sent the packet to notify it of the problem To statically configure the default route 1 From the top level of the Administration Console enter ip route default 2 Enter the gateway IP address of the route The default route is immediately added to the routing table Removing the Default Route To remove a default route enter the following from...

Page 52: ...dress Interface 158 101 1 112 08 00 1e 31 a6 2 1 158 101 1 117 08 00 1e 65 21 07 1 Removing an ARP Cache Entry You might want to remove an entry from the ARP cache if the MAC address has changed To remove an entry from the ARP cache 1 From the top level of the Administration Console enter ip arp remove 2 Enter the IP address you want to remove The address is immediately removed from the table If n...

Page 53: ...r routing information but it does not broadcast periodic or triggered RIP updates RIP default mode By default RIP operates in passive mode To set the RIP operating mode 1 From the top level of the Administration Console enter ip rip 2 Enter the RIP mode off or passive To use the value in brackets press Return at the prompt See the following example Select RIP mode off passive passive off Pinging a...

Page 54: ...top level of the Administration Console enter ip ping 2 Enter the IP address of the station you want to ping IP Address 192 9 200 40 You could receive one of the following responses 192 9 200 40 is alive OR no answer from 192 9 200 40 For a remote IP address you can also receive the following response Network is unreachable You should receive a response that the address you pinged is Alive If you ...

Page 55: ...of IP datagrams received including those with errors forwDatagrams Number of datagrams that the IP station attempted to forward inDelivers Number of datagrams that the IP station delivered to local IP client protocols outRequests Number of datagrams that local IP client protocols passed to IP for transmission outNoRoutes Number of datagrams that the IP station discarded because there was no route ...

Page 56: ...k II Switch 2200 Operation Guide Displaying SNMP Settings You can display the current Switch 2200 SNMP configurations for the community strings To display SNMP settings enter the following from the top level of the Administration Console snmp display The community string settings are displayed as shown here Read only community is public Read write community is private Configuring Community Strings...

Page 57: ... enter the community string 3 At the read write prompt enter the community string Administering SNMP Trap Reporting For network management applications you can use the Administration Console to manually administer the trap reporting address information Displaying Trap Information Displaying the trap reporting information shows you the various SNMP traps and the current configured destinations as w...

Page 58: ...ection 21 LANplex Opt FDDI MIB Port EB Error Condition 22 LANplex Opt FDDI MIB Port Path Change Trap Destinations Configured Address Trap Numbers Enabled 158 101 112 3 1 10 12 21 Proxying of remote SMT events is disabled Configuring Trap Reporting You can add new trap reporting destination configurations or you can modify an existing configuration You can define up to ten destination addresses and...

Page 59: ... valid end station or if the agent does not have a route to the destination you receive this message Trap address invalid or unreachable If you see this message confirm the address of the end station and confirm that it is online Removing Trap Destinations When you remove a destination no SNMP traps will be reported to that destination To remove a destination 1 From the top level of the Administra...

Page 60: ... system Local SMT events are automatically reported by the SNMP agent in a Switch 2200 system If you have a single Switch 2200 on your network and you have no other way to access FDDI information then you should enable proxying of SMT events This configuration provides access to the events occurring locally on the Switch 2200 and to those reported by other stations on the FDDI ring If you have mul...

Page 61: ...agement station which will cover all your Switch 2200s but SMT events from systems other than Switch 2200s in your network will not be reported To enable or disable the proxying of remote SMT events 1 From the top level of the Administration Console enter snmp trap smtProxyTraps 2 Enter disabled or enabled at the prompt The proxying of remote SMT traps is disabled or enabled for the system Top Lev...

Page 62: ...mand from the top level of the Administration Console system display Example of a Switch 2200 system configuration display Switch 2200 rev 1 3 System ID 0f2b00 Intelligent Switching Software Version 7 1 0 Built 7 24 96 06 26 55 PM The display contains the following general system information The system type Switch 2200 System ID Software version Software build date and time Warning messages You wi...

Page 63: ... password 1 From the top level of the Administration Console enter system password 2 At the prompt requesting you to enter a password access level to change enter one of the following read write administer 3 At the prompt for your old password enter the old password 4 Enter the new password The password can have up to 32 characters and is case sensitive To enter a null password press Return 5 Rety...

Page 64: ...ory You can display and change the system s current date and time To change either the date or the time 1 From the top level of the Administration Console enter system time The system displays the current date and time along with a prompt asking you if the date and time are correct Example The current system time is 08 24 96 04 37 57 PM Is this correct y n 2 Enter y yes or n no at the prompt If yo...

Page 65: ...ou must connect your system through the Console serial port To reboot the system 1 From the top level of the Administration Console enter system reboot The following message appears Are you sure you want to reboot the system y n 2 Enter y yes or n no If you enter y the system reboots If you enter n you return to the previous menu Table 4 1 Date and Time Variables Format Description first mm month ...

Page 66: ...s they relate only to the most recent power up you must disable the baseline Baselining affects the statistics displayed for Ethernet ports FDDI resources and bridges Displaying the Current Baseline You can display the current baseline to see when the baseline was last set and to determine if you need a newer baseline for viewing statistics To display the current baseline enter the following comma...

Page 67: ...e total accumulated values since the last power up To enable the current baseline 1 From the top level of the Administration Console enter system baseline requestedState You are prompted to enter a new baseline state as shown here Enter new value disabled enabled enabled 2 Enter disabled or enabled at the prompt The new value is confirmed as shown here Baseline set at 08 07 96 10 42 52 AM has been...

Page 68: ... a backup You can also reset system data to its factory configured values if necessary During a save the contents of NV memory are written out to a disk file All configurable parameters are saved in nonvolatile memory including The file also contains the following information which is used to resolve any inconsistencies when NV data is restored Software version number System ID Date and time of cr...

Page 69: ...r your password on the host system 6 Enter a name of the file optional Example Host IP Address 158 101 100 1 158 101 112 34 NV Data file pathname usr jones systemdata User name Tom Password Enter an optional file label Labdata If the information is incorrect or a connection could not be made with the specified host a message similar to the following is displayed Login incorrect Error Could not ope...

Page 70: ...d NV file and the target system Mismatches in system IDs are allowed Before restoring the NV data to a system with a different system ID you should be aware of the following NV data that might cause problems when restored Management IP addresses defined in IP interface configurations are saved as NV data and restored Before connecting the restored system to the network you might need to change the...

Page 71: ...s denied Error Could not open ftp session If a session is successfully opened the system reads the header information compares the stored configuration to the current system configuration and proposes a method of restoration based on one of the restoration rules described on page 6 3 You are prompted to load the proposal CAUTION Restoring nonvolatile data may leave the system in an inconsistent st...

Page 72: ...ur user name on the host system 5 Enter your password on the host system If the information is incorrect or a connection could not be made with the specified host a message similar to the following is displayed User Tom access denied Error Could not open ftp session If a session is successfully opened the system displays the header information that corresponds to the file entered See the following...

Page 73: ...nal default values 1 From the top level of the Administration Console enter system nvData reset You see the following prompt Resetting nonvolatile data may leave the system in an inconsistent state and therefore a reboot is necessary after each reset Do you wish to continue n y y 2 Confirm that you want to reset NV data by entering y yes at the prompt If you enter y yes the system will reboot If y...

Page 74: ...III Chapter 7 Administering Ethernet Ports Chapter 8 Administering FDDI Resources Chapter 9 Setting Up the System for Roving Analysis ETHERNET AND FDDI PARAMETERS ...

Page 76: ...ernet port information includes the information in the summary and additional Ethernet port statistics such as collision counters If you want to display Ethernet port statistics relative to a baseline see Chapter 5 for more information To display information about the Ethernet ports 1 From the top level of the Administration Console enter ethernet summary OR ethernet detail 2 Enter the port s for ...

Page 77: ...455 300242671 port txFrameRate txByteRate txPeakFrameRate txPeakByteRate 1 3 345 208 271724 12 3 345 402 321722 port txQOverflows excessCollision excessDeferrals txInternalErrs 1 0 0 0 0 12 0 0 0 0 port carrierSenseErr txDiscards txUnicasts txMulticasts 1 0 0 528268 893836 12 0 0 322389 934076 port collisions lateCollisions requestedState portState 1 0 0 enabled on line 12 0 0 enabled on line port...

Page 78: ...cted on this port duplexMode Current duplex mode setting Possible values are full half and not applicable n a Duplex mode is not applicable on the Switch 2200 excessCollision Number of frames that could not be transmitted on this port because the maximum allowed number of collisions was exceeded excessDeferrals Number of frames that could not be transmitted on this port because the maximum allowed...

Page 79: ...pling period Sampling periods are 1 second long and are not configurable rxFrames The number of frames copied into receive buffers by this port rxInternalErrs Number of frames discarded because of an internal error during reception rxMulticasts Number of multicast frames delivered to a higher level protocol or application by this port rxPeakByteRate Peak value of ethernetPortByteReceiveRate for th...

Page 80: ...a higher level protocol or application including those not transmitted successfully txPeakByteRate Peak value of ethernetPortByteTransmitRate for this port since the station was last initialized txPeakFrameRate Peak value of ethernetPortFrameTransmitRate for this port since the station was last initialized txQOverflows The number of frames lost because transmit queue was full txUnicasts Number of ...

Page 81: ... is in error Figure 7 1 shows the order in which these discard tests are made Figure 7 1 How Frame Processing Affects Ethernet Receive Frame Statistics rxFrames noRxBuffers rxInternalErrs lengthErrs alignmentErrs fcsErrs rxUcastFrames rxMcastFrames Frames received from the network Frames discarded because buffer space was exhausted Frames discarded because frame in error Frames delivered by this E...

Page 82: ... which these discard tests are made Figure 7 2 How Frame Processing Affects Ethernet Transmit Frame Statistics txUcastFrames txMcastFrames txDiscards txQOverflows excessDeferrals excessCollision carrierSenseErr txInternalErrs txFrames Frames delivered to this port Frames discarded because port disabled Frames discarded because transmit queue full Frames successfully transmitted to the network proc...

Page 83: ...Setting the Port State You can enable place online or disable place off line Ethernet ports When an Ethernet port is enabled frames are transmitted normally over that port When an Ethernet port is disabled the port does not send or receive frames To enable or disable an Ethernet port 1 From the top level of the Administration Console enter ethernet portState 2 Enter the number s of the port s you ...

Page 84: ... For more information about FDDI in the Switch 2200 see the SuperStack II Switch 2200 Operation Guide Administering FDDI Stations An FDDI station is an addressable node on the network that can transmit repeat and receive information A station contains only one Station Management SMT entity and at least one MAC or one port Stations can be single attachment one physical connection to the network or ...

Page 85: ...onId 00 00 00 80 3e 02 95 00 Table 8 1 Description of Fields for FDDI Station Attributes Field Description configuration Attachment configuration for the station or concentrator Values can be Thru Isolated Wrap_A and Wrap_B connectPolicy Bit string representing the connection policies in effect on a station How connection policies translate into bits is described in Table 8 2 This value can be use...

Page 86: ...neration of Neighbor Information Frames NIF This value can be user defined traceMaxExp Maximum propagation time for a Trace on an FDDI topology Places a lower bound on the detection time for an unrecovering ring Table 8 1 Description of Fields for FDDI Station Attributes continued Field Description Table 8 2 Bit to Set for Rejecting a Station Connection This Connection Is Rejected Switch port Remo...

Page 87: ...mary and secondary rings notify SMT B S 6 Undesirable peer connection that creates a wrapped ring notify SMT B M 7 Tree connection with possible redundancy The node may not go to Thru state in CFM In a single MAC node Port B has precedence with defaults for connecting to a Port M M A 12 Tree connection with possible redundancy M B 13 Tree connection with possible redundancy M S 14 Normal tree conn...

Page 88: ...ation Valid values are 2 30 seconds See the following example Select station 1 Station 1 Enter new value 30 Enabling and Disabling Status Reporting The statusReporting attribute controls whether a station generates Status Report Frames SRFs to report events and conditions to network management stations By default status reporting is enabled If you do not have an SMT management station listening to...

Page 89: ...curs the ring wraps around the location of the failure creating a single logical ring You can display FDDI path information and set the time values of the following attributes tvxLowerBound tmaxLowerBound maxTreq These values are used by all MACs configured in a path Displaying Path Information FDDI path information includes the time values for tvxLowerBound tmaxLowerBound and maxTreq as well as v...

Page 90: ...u set this value the less chance of frequent reinitializations but the network will take longer to recover from errors stn path ringLatency traceStatus 1 primary 16 0x0 1 secondary 16 0x0 1 local 0 0x0 stn path tvxLowBound tMaxLowBound maxTReq 1 primary 2500 us 165000 us 165000 us 1 secondary 2500 us 165000 us 165000 us 1 local 2500 us 165000 us 165000 us Table 8 3 Description of Fields for FDDI P...

Page 91: ...to this path This value specifies the boundary for how high T Req the requested token rotation time can be set To set tmaxLowerBound 1 From the top level of the Administration Console enter fddi path tmaxLowerBound You are prompted for a station path and value The Switch 2200 has one station which appears in brackets 2 Press Return 3 Enter the path p primary s secondary 4 Enter the new minimum tim...

Page 92: ...i path maxTreq You are prompted for a station path and value The Switch 2200 has one station which appears in brackets 2 Press Return 3 Enter the path p primary s secondary 4 Enter the new minimum time value The default value is 165000 microseconds µs See the following example Select station 1 Select path s p s all p Station 1 Primary Enter new value 165000 Administering FDDI MACs An FDDI MAC uses...

Page 93: ...mmary or detailed statistics 1 From the top level of the Administration Console enter fddi mac summary OR fddi mac detail You are prompted for a MAC number The Switch 2200 has only one MAC which appears in brackets 2 Press Return The following example shows the summary display of FDDI MAC information Top Level Menu system ethernet fddi bridge ip snmp analyzer script logout station path mac port su...

Page 94: ...rxMulticasts txFrames txBytes 34621 36158 34921 10437189 txFrameRate txByteRate txPeakFrameRate txPeakByteRate 15 4511 23 6911 txInternalErrs txQOverflows txDiscards txUnicasts 0 0 0 34861 txMulticasts frameCount tokenCount ringOpCount 94 280867 1331364113 4 currentPath dupAddrTest duplicateAddr upstreamDupAddr primary passed false false llcAvailable llcService smtAddress true enabled 00 80 3e 02 ...

Page 95: ...frameErrorRatio Ratio of the number lostCount plus the frameErrorCount divided by the frameCount plus lostCount frameErrThresh Threshold for determining when a MAC condition report will be generated lateCount Number of token rotation timer expirations since this MAC last received a token llcAvailable Indicates whether LLC frames can be sent or received on this MAC llcService Allows LLC frames to b...

Page 96: ...e most recent sampling period rxFrames Number of frames received by this MAC rxInternalErrs Number of frames discarded because of an internal hardware error during reception rxMulticasts Number of multicast frames delivered by this MAC to a higher level protocol or application rxPeakByteRate Peak value of fddiMACByteReceiveRate for this MAC since the station was last initialized rxPeakFrameRate Pe...

Page 97: ...by this MAC during the most recent sampling period txFrames Number of frames transmitted by this MAC Note that this number does not include MAC frames txInternalErrs Number of frames discarded because of an internal hardware error during transmission txMulticasts Number of multicast frames queued for transmission by a higher level protocol or application including frames not transmitted successful...

Page 98: ...owever, a frame might be discarded for the following reasons: LLC Service is disabled. The FDDI ring is not operational. There is no room on the transmit queue. An error has occurred during frame transmission. rxFrames noRxBuffers errorCount rxInternalErrs rxDiscards rxUcastFrames Frames received from the Frames discarded because buffer space Frames discarded because frame Frames delivered by this FDDI...

Page 99: ...centage based on 65536 or 100 For example to set the threshold at 1 the value is 655 the system default The lower you set the percentage the more likely SMT will report a problem To set the FrameErrorThreshold 1 From the top level of the Administration Console enter fddi mac frameErrorThreshold You are prompted for a MAC number and new value The Switch 2200 has one MAC which appears in brackets 2 ...

Page 100: ...ignificant enough to report to network management The threshold value is expressed in a percentage based on 65536 or 100 For example to set the threshold at 1 the value is 655 the system default The lower you set the percentage the more likely SMT will report a problem To set the NotCopiedThreshold 1 From the top level of the Administration Console enter fddi mac NotCopiedThreshold You are prompte...

Page 101: ... for a MAC number and to enable or disable LLC service The Switch 2200 has one MAC which appears in brackets 2 Press Return 3 Enter the new MAC value enabled or disabled See the following example Select MAC 1 MAC 1 Enter new value disabled enabled enabled disabled Setting the MAC Paths The possible backplane path assignments include primary and secondary To assign MACs to paths 1 From the top leve...

Page 102: ...DI port statistics such as error counters To view FDDI port information 1 From the top level of the Administration Console enter fddi port display You are prompted for a port 2 Enter the port about which you want to view information Example Top Level Menu system ethernet fddi bridge ip snmp analyzer script logout station path mac port display lerAlarm lerCutoff label path port portLabel lemCount 1...

Page 103: ...t Number of Elasticity Buffer errors that have been detected lctFailCount Number of consecutive times the link confidence test LCT has failed during connection management lemCount Number of link errors detected by this port lemRejectCount Number of times that the link error monitor rejected the link lerAlarm The link error rate estimate at which a link connection generates an alarm lerCondition Co...

Page 104: ... enter the value without the negative symbol For example to express the value 1 x 10 8 enter 8 as the value Setting lerCutoff The lerCutoff attribute is the link error rate estimate at which a link connection is disabled Once the lerCutoff value is reached the PHY that detected a problem is disabled The lerCutoff value is expressed as an exponent such as 1 x 10 10 A healthy network has an LER expo...

Page 105: ...Port Labels Port labels serve as useful reference points and as an accurate means of identifying your ports for management You may want to label your FDDI ports for easy identification of the devices attached to them for example workstation server FDDI backbone To label an FDDI port 1 From the top level of the Administration Console enter fddi port label You are prompted for a port number and a la...

Page 106: ... Administration Console enter fddi port path You are prompted for a port 2 Enter the port s you want to configure 3 Select the DAS configuration isol or thru for peer mode at the prompt 4 Select the DAS configuration isol wrap AB or dualHome for tree mode at the prompt Top Level Menu system ethernet fddi bridge ip snmp analyzer script logout station path mac port display lerAlarm lerCutoff label p...

Page 107: ... the same Switch 2200 system or remotely when the analyzer and the port are on different systems You can monitor a port to Analyze traffic loads on each segment so that you can continually optimize your network loads by moving network segments Troubleshoot network problems for example to find out why there is so much traffic on a particular segment When you set up an Ethernet port to analyze port ...

Page 108: ... one analyzer port and from there monitor one Ethernet port at a time Displaying the Roving Analysis Configuration You can display the roving analysis configuration to see which ports are designated as analyzer ports and which ports are currently being monitored on a specific system When you display the roving analysis configurations for a system you receive A list of analyzer ports on the system ...

Page 109: ... From the top level of the Administration Console enter analyzer add 2 Press Return to select Ethernet as the port type 3 Enter the number of the Ethernet port to which the network analyzer is attached The MAC address of the analyzer port is displayed You will need this information for setting up the port you want to monitor See the following example Select Ethernet port 1 16 9 Analyzer port addre...

Page 110: ...removed or rearranged the MAC address of the analyzer port remains fixed If the module with the analyzer port is moved to another slot then the NVRAM is cleared Removing an Analyzer Port You can change the location of your analyzer port removing the current port you are using from the roving analysis configuration To remove analyzer ports 1 From the top level of the Administration Console enter an...

Page 111: ...he Switch 2200 system to which the analyzer is attached See the example below for starting port monitoring Select port type Ethernet Select port 1 16 16 Enter the target analyzer port address 00 80 3e 0a 3b 02 Port selection errors If your port selection is not valid you receive one of the following messages Error starting monitoring analyzer already configured on this port Error starting monitori...

Page 112: ...mally Stopping Port Monitoring After analyzing an Ethernet port you can remove it from the roving analysis configuration To remove a port configured for monitoring 1 From the top level of the Administration Console enter analyzer stop 2 Press Return to select Ethernet as the port type 3 Enter the number of the Ethernet port currently being monitored Port data is no longer copied and forwarded from...

Page 113: ...pter 10 Administering the Bridge Chapter 11 Administering Bridge Ports Chapter 12 Creating and Using Packet Filters Chapter 13 Configuring Address and Port Groups to Use in Packet Filters BRIDGING PARAMETERS ...

Page 114: ...isplaying Bridge Information You can display information about the bridge The display includes bridge statistics such as topology change information and configurations for the bridge and Spanning Tree To display bridge information enter the following from the top level of the Administration Console bridge display Information about the bridge is displayed Top Level Menu system ethernet fddi bridge ...

Page 115: ...topologyChangeFlag BridgeIdentifier false 8000 00803e0f2b00 designatedRoot stpGroupAddress bridgeMaxAge 0000 000000000000 01 80 c2 00 00 00 20 maxAge bridgeHelloTime helloTime 20 2 2 bridgeFwdDelay forwardDelay holdTime 15 15 1 rootCost rootPort priority 0 No port 0x8000 agingTime mode addrTableSize 300 transparent 8191 addressCount peakAddrCount addrThreshold 95 107 8000 ipFragmentation ipxTransl...

Page 116: ...neration of configuration messages by a bridge that assumes itself to be the root The default value is 2 seconds bridgeIdentifier Bridge identification It includes the bridge priority value and the MAC address of the lowest numbered port for example 8000 00803e003dc0 bridgeMaxAge Maximum age value used when this bridge is the root bridge This value determines when the stored configuration message ...

Page 117: ...d the smaller the cost rootPort Port with the best path from the bridge to the root bridge stpGroupAddress Address that bridge listens to when receiving STP information stpState Configurable parameter that provides the state of the bridge that is whether Spanning Tree is enabled or disabled for that bridge The default value is disabled timeSinceLast TopologyChange Value in hours minutes and second...

Page 118: ...nslated to FDDI_SNAP Likewise SNAP IPX packets being forwarded from FDDI to Ethernet will be translated to 802 3_RAW packets When IPX snap translation is disabled standard IEEE 802 1H bridging from 802 3_RAW packets to FDDI_RAW packets is implemented Default value The default value is enabled To enable or disable IPX snap translation for a bridge 1 From the top level of the Administration Console ...

Page 119: ...ng Time The bridge aging time is the maximum period in seconds for aging out dynamically learned forwarding information This parameter allows you to configure the system to age addresses in a timely manner without increasing packet flooding Aging time values The values can range from 10 to 32 267 seconds The default value is 300 seconds which is 5 minutes To set the bridge aging time 1 From the to...

Page 120: ...led To enable or disable Spanning Tree Protocol 1 From the top level of the Administration Console enter bridge stpState 2 Enter enabled or disabled at the prompt Setting the Bridge Priority The bridge priority influences the choice of the root bridge and the designated bridge The lower the bridge s priority number the more likely that the bridge will be chosen as the root bridge or a designated b...

Page 121: ...ger than necessary to adjust to a new Spanning Tree configuration after a topology change such as the restarting of a bridge Maximum Age recommended value A conservative value is to assume a delay variance of 2 seconds per hop The recommended value is 20 seconds To configure the bridge max age 1 From the top level of the Administration Console enter bridge stpMaxAge 2 Enter the bridge max age valu...

Page 122: ...of a bridged network This delay gives all links that need to be turned off in the new topology time to turn off before new links are turned on Setting the value too low could result in temporary loops as the Spanning Tree algorithm reconfigures the topology However setting the value too high can lead to a longer wait as the Spanning Tree Protocol reconfigures Forward delay recommended value The re...

Page 123: ...ferent group addresses If STP does not seem to be working in a mixed vendor environment other vendors products might have different group addresses In this case you need to set the STP group address To set the STP group address 1 From the top level of the Administration Console enter bridge stpGroupAddress You are prompted for the new address 2 Enter the group address For IBM Spanning Tree Protoco...

Page 124: ...ormation 1 From the top level of the Administration Console enter bridge port summary OR bridge port detail You are prompted for the port type 2 Enter Ethernet FDDI or all You are prompted for port number s 3 Enter the number s of the port s or all to view port parameters for all ports on the bridge Top Level Menu system ethernet fddi bridge ip snmp analyzer script logout display ipFragmentation i...

Page 125: ...xSecurityDiscs rxOtherDiscs Ethernet 1 0 0 0 Ethernet 12 0 0 0 port rxAllFilters rxMcastFilters rxForwardUcasts Ethernet 1 0 0 0 Ethernet 12 0 0 0 port rxFloodUcasts rxForwardMcasts txBlockedDiscs Ethernet 1 1499 79983 0 Ethernet 12 0 0 0 port txMtuExcDiscs txAllFilters txMcastFilters Ethernet 1 0 0 0 Ethernet 12 0 0 0 port txFrames portId stp Ethernet 1 1357939 0x8003 enabled Ethernet 12 1187369 ...

Page 126: ...her Ethernet or FDDI maximum count 1 FDDI and 2 17 Ethernet portId Identification of the port which includes the port priority and the port number for example 8002 priority First factor to determine if a port is to be the designated port when more than one bridge port is attached to the same LAN If all ports in a bridge have the same priority then the port number is used as the determining factor ...

Page 127: ... rxMcastLimit Configurable parameter that limits the rate of multicast frames forwarded on a bridge port rxOtherDiscs Number of frames discarded by this port because they contained either invalid group source addresses or source addresses belonging to this bridge indicates network loops rxSameSegDiscs Number of frames discarded by this port because the destination address is known on the same netw...

Page 128: ...forward them depending on address comparisons with the bridge s source address list Disabled The port has been disabled by management stp Whether the port is enabled or disabled for the Spanning Tree Protocol txAllFilters Number of frames discarded because of a user defined packet filter on the transmit all path of this bridge port txBlockedDiscs Number of frames discarded by this port because the...

Page 129: ...ceive Bridge Port Statistics A frame forwarded to a bridge port is transmitted onto a physical interface unless it is discarded A frame might be discarded for the following reasons The transmit bridge port is blocked The frame is too large for the corresponding physical interface A user defined packet filter indicated that the frame should not be forwarded rxFrames sameSegDiscs rxBlockedDiscs rxSe...

Page 130: ...tLimit You are prompted for port type 2 Enter Ethernet FDDI or all You are prompted for port number s 3 Enter the number s of the port s or all to set the threshold for all ports on the bridge You are prompted for a new value for each port you specified txBlockedDiscs txMtuExcDiscs txMcastFilters txAllFilters txFrames Frames forwarded to this bridge port Frames discarded because transmit port bloc...

Page 131: ...or participate in the Spanning Tree algorithm See page 10 7 for instructions on enabling STP for the entire bridge When STP is disabled for a port as well as for the entire bridge the port will continue to forward frames Default value By default the Spanning Tree state value on a port is the same as the Spanning Tree state value set for the bridge To enable or disable STP on a port 1 From the top ...

Page 132: ...traffic To configure the path cost 1 From the top level of the Administration Console enter bridge port stpCost You are prompted for the port type 2 Enter Ethernet FDDI or all You are prompted for the port number s 3 Enter the number s of the port s or all to configure path cost for all ports on each bridge You are prompted for the path cost for each port you specified 4 Enter the path cost for th...

Page 133: ...ure the port priority for all ports on each bridge You are prompted for the port priority for each port you specified 4 Enter the port priority for the port s The following example shows values being set for more than one port Ethernet port 3 Enter new value 0x80 1 Ethernet port 4 Enter new value 0x80 500 If your configuration was successful you return to the previous menu If the configuration was...

Page 134: ... 3 Enter the number s of the port s or all to display all MAC addresses for the ports you selected An example of an address list follows Addresses for Ethernet port 1 Ethernet address Type Age secs 08 00 20 1d 67 e2 Dynamic 219 00 80 3e 02 68 00 Dynamic 219 00 20 af 29 7b 74 Dynamic 219 08 00 02 05 91 c1 Dynamic 219 00 80 3e 02 6d 00 Dynamic 219 00 80 3e 08 5f 00 Dynamic 219 00 80 3e 00 3d 00 Dyna...

Page 135: ...ddress remove You are prompted for the port type 2 Enter Ethernet or FDDI You are prompted for the port number 3 Enter the number of the port You are prompted for one or more addresses to remove 4 Enter addresses to remove pressing Return after each entry Once you have entered all of the addresses to be removed enter q to return to the previous menu Top Level Menu system ethernet fddi bridge ip sn...

Page 136: ...ll You are prompted for the port number s 3 Enter the number s of the port s or all The addresses are flushed from the address table Freezing Dynamic Addresses You can convert all the dynamic addresses associated with the selected port s into static addresses This conversion is called freezing the addresses Freezing dynamic addresses is a way to improve your network security Top Level Menu system ...

Page 137: ...e port number s 3 Enter the number s of the port s or all The dynamic addresses become static Top Level Menu system ethernet fddi bridge ip snmp analyzer script logout display ipFragmentation ipxSnapTranslation addressThreshold agingTime stpState stpPriority stpMaxAge stpHelloTime stpForwardDelay stpGroupAddress port packetFilter summary detail multicastLimit stpState stpCost stpPriority address l...

Page 138: ...d in Table 12 1 When you create a packet filter you can assign it to the transmit or the receive path of each port or to both paths For additional detailed explanations of packet filter concepts see Chapter 7 User defined Packet Filtering in the SuperStack II Switch 2200 Operation Guide Table 12 1 Packet Processing Paths Path Description Transmit all All frames that are transmitted to the segment ...

Page 139: ... All Port 8 Receive All Packet Filter 3 Forward IP packets only No port assignments In this example there are two packet filters on the system The first packet filter has a filter id of 1 and a user defined name of Receive OUI 08 00 1E This filter is loaded onto ports 4 3 and 5 On port 3 the filter is assigned to both the transmit multicast and receive multicast paths The second filter filter id 2...

Page 140: ...yed 1 n 2 Packet filter 2 Type 900 or Multicast name Type 900 or Multicast pushLiteral w 0x900 pushField w 12 gt reject pushField b 0 pushLiteral b 0x01 and not Creating Packet Filters You create custom packet filters by writing a packet filter definition Each packet processing path on a port may have a unique packet filter definition or may share a definition with other ports Packet filter defini...

Page 141: ...e expressions typically test the values of various fields in the received packet which include MAC addresses type fields IP addresses and Service Access Points SAPs A program in the packet filter language consists of a series of one or more instructions that results in the top of the stack containing a byte value after execution of the last instruction in the program This byte value determines whe...

Page 142: ...rcase letters for the opcode and size The contents of a line following the first outside a quoted string are ignored Operand sizes The following operand sizes are supported 1 byte b 2 bytes w 4 bytes l 6 bytes a Included primarily for use with 48 bit IEEE globally assigned MAC addresses Maximum length The maximum length for a filter definition is 4096 bytes Stack The packet filter language uses a ...

Page 143: ...e address or some part of the data A packet filter operates on these fields to make filtering decisions Ethernet and FDDI packet fields are shown in Figure 12 1 Figure 12 1 Ethernet and FDDI Packet Fields Destination Address 6 octets Source Address 6 octets Type Length Ethernet Type field if 1500 802 3 Length field if 1500 0 6 12 14 25 octets Ethernet Packet Data 64 octets of data can be examined ...

Page 144: ...field can be 1 2 4 or 6 bytes Typically you only specify a 6 byte field when you want the filter to examine a 48 bit address pushField constant A literal value to which you are comparing a packet field As with a field a constant can be 1 2 4 or 6 bytes long pushLiteral Table 12 4 Packet Filter Operators Operator Result Opcode equal true if operand 1 operand 2 eq not equal true if operand 1 operand...

Page 145: ...that is ORs the results of the tests or Satisfies all criteria specified in two or more tests ANDs the results of the tests The accept and reject instructions are used to implement sequential tests as shown in Figure 12 2 When using accept or reject construct the packet filter so that the tests more likely to be satisfied are performed before tests that are less likely to be satisfied Figure 12 2 ...

Page 146: ... filter program is stored in a preprocessed format to minimize the space required by the packet filter definition When assigned to a port the packet filter is converted from the stored format to a run time format to optimize the performance of the filter Each SuperStack II Switch 2200 system is limited to a maximum of 16 packet filter programs Preprocessed packet filters Each system provides a max...

Page 147: ... following syntax opcode size operand comment The opcode descriptions are in the section Appendix A Packet Filter Opcodes Examples and Syntax Errors The description of the supported operand sizes can be found in Table 12 2 The operand value is determined by what you are testing for example an address or a length Implicit operands for an instruction must be of the size expected by the instruction A...

Page 148: ...M pushDAGM pushSPGM or pushDPGM for filtering by address or port groups See Chapter 13 for more information Examples of Creating Filters The following example shows a complex packet filter built from three simple packet filters Each of the shorter simpler packet filters can be used on its own to accomplish its own task Combined these filters create a solution for a larger filtering problem Filteri...

Page 149: ...x076c and less than 0x0898. The socket value is located 24 bytes into the packet in IP datagrams and 30 bytes into the packet in XNS datagrams. You can use this information to create pseudocode that simplifies the process of writing the actual filter. It helps to write the pseudocode in outline form, as shown here: 1. Determine if the packet has a broadcast address. Use the packet filter path assignment...

Page 150: ...with ge and lt test to determine if the socket value is within the range If it is a one will be placed on the stack and compare if XNS in range IP FILTERING SECTION pushField w 12 get the type field of the packet and place it on top of the stack pushLiteral w 0x0800 put the type value for IP on top of the stack eq if the two values on the top of the stack are equal then return a non zero value pus...

Page 151: ...tch 2200 that has more than one filter stored in memory Naming is also useful for archiving filters on an ftp server so that the filters can be saved and loaded on one or more Switch 2200 systems 2 Enter executable instruction 1 pushField w 12 get the type field of the packet and place it on top of the stack 3 Enter executable instruction 2 pushLiteral w 0x0600 put the type value for XNS on top of...

Page 152: ...Field w 30 put the value of the socket from the packet on top of the stack 4 Enter executable instruction 3 ge compare if the value of the socket is greater than or equal to the lower bound 5 Enter executable instruction 4 pushLiteral w 0x0898 put the highest socket value on top of the stack 6 Enter executable instruction 5 pushField w 30 put the value of the socket from the packet on top of the s...

Page 153: ...are if IP and in range This combination looks like this Name Only IP pkts w in socket range pushField w 12 get the type field of the packet and place it on top of the stack pushLiteral w 0x0800 put the type value for IP on top of the stack eq if the two values on the top of the stack are equal then return a non zero value pushLiteral w 0x76c put the lowest socket value on top of the stack 1900 pus...

Page 154: ...a not statement to discard any matching packets not discard if IP in range XNS in range The complete packet filter that discards IP and XNS packets that are within the specified range is shown on page 12 13 Tools for Writing a Filter You can create a new packet filter using either an ASCII based text editor such as EMACS or vi or the line editor built into the Administration Console Using an ASCII...

Page 155: ...packetFilter create The packet filter line editor appears 2 Enter the definition for the packet filter See the command in Table 12 6 3 Save the packet filter by pressing Ctrl W The syntax of the filter definition is checked If any errors are detected the errors are displayed and the editor is re entered at the line containing the first error After correcting the errors attempt to save the packet f...

Page 156: ...e character preceding the cursor and shifts the remainder of the line left one position Delete Current Character Ctrl d Deletes a single character under the cursor and shifts the remainder of the line left one position Delete Line Ctrl k Deletes the remainder of the line from the current cursor position If the cursor is positioned over the first character all of the characters on the line are dele...

Page 157: ...re prompted to confirm the deletion. 3. Enter y (yes) to delete or n (no) to return to the previous menu. Editing, Checking, and Saving Packet Filters: You can use the Switch 2200 system line editor to edit packet filters. Once you save the packet filter, it is checked for syntax errors. The Switch 2200 system software will not allow you to assign the packet filter to a port until the filter is error-free. You ...

Page 158: ...isting filter prompt and y at the Store as new filter prompt. The packet filter is assigned a number. To exit from the editor without saving changes, enter n at both prompts. Correcting errors in a packet filter: When you save a packet filter edited with the built-in text editor, the system checks the syntax of the filter definition. If any errors are detected, the errors are displayed and the editor is r...

Page 159: ...e offered the option of editing the filter definition or terminating the load. The load might fail if the system has insufficient nonvolatile RAM to store the filter. In this case, an error message tells you that the system did not accept the load. Assigning Packet Filters to Ports: To assign a packet filter to one or more ports, the packet filter must reside on the system. Each path transmit all transmi...

Page 160: ...ceive all (rxA) path on port 1: Select filter 1 n 1 Select port type s Ethernet FDDI all Ethernet FDDI FDDI Select port s 1 16 all 1 16 1 Select path s txA txM rxA rxM all txA rxA The ports are limited to those that have at least one path unassigned, while the paths are limited to those that are unassigned. Because you can specify multiple selections at each level, you can assign a wildcard that attempt...

Page 161: ... example, the unassignment is from the transmit all (txA) paths on port 1: Select filter 1 n 1 Select port type s Ethernet FDDI all Ethernet FDDI FDDI Select port s 1 16 all 1 16 1 Select path s txA txM rxA rxM all txA rxA txA Because you can specify multiple selections at each level, you can assign a wildcard that attempts to unassign the filter from the set indicated by the ports and paths taken in c...

Page 162: ...ing the group's source group mask and destination group mask. You reference these group masks using the opcodes SAGM (source address group mask), DAGM (destination address group mask), SPGM (source port group mask), and DPGM (destination port group mask). Here are some examples of using address and port groups in packet filters. Address group packet filter example: In this example, the filter only forwards packet...

Page 163: ...Add and remove addresses and ports to or from a group. Listing Groups: You can list the address and port groups currently defined for your Switch 2200 system. The group id, group name (if any), and group mask are displayed. 1. For address groups, enter the following command from the top level of the Administration Console: bridge packetFilter addressGroup OR for port groups, enter the following command: bridge...

Page 164: ...port group shows the group id, the name of the group, and all the addresses or ports included in that group. To display address or port groups: 1. For address groups, enter the following command from the top level of the Administration Console: bridge packetFilter addressGroup OR for port groups, enter the following command: bridge packetFilter portGroup 2. Enter this command: display 3. Enter the id number o...

Page 165: ...ss or port group, an unused address or port group must be available. A port group is limited to the number of ports on the system. 1. For address groups, enter the following command from the top level of the Administration Console: bridge packetFilter addressGroup OR for port groups, enter the following command: bridge packetFilter portGroup 2. Enter this command: create 3. For address groups, enter the addre...

Page 166: ...to the last address are added to the group and the group is loaded on the system. If you enter an invalid port name, the port is not added to the group and you receive one of the following error messages: Error: No port type specified for the port. Error: No port number specified for the port. The correct format is < Ethernet | E | FDDI | F > [port] < port number >. Specified port number is invalid. Valid FDDI port for th...

Page 167: ...acket filters. If you want to use a group later but want to delete it now, first save it to an ASCII file. To delete an address or port group: 1. For address groups, enter the following command from the top level of the Administration Console: bridge packetFilter addressGroup OR for port groups, enter the following command: bridge packetFilter portGroup 2. Enter this command: delete You are prompted for the ...

Page 168: ...group can contain is 17, which is the maximum number of ports on a Switch 2200. For clarity, only one menu (the address group menu) is displayed here. To add addresses or ports to an existing group: 1. For address groups, enter the following command from the top level of the Administration Console: bridge packetFilter addressGroup OR for port groups, enter the following command: bridge packetFilter portGroup ...

Page 169: ... Error: No room in group for additional address. The point at which the system runs out of room for additional addresses depends on: the number of addresses currently in the address table; the number of unique addresses configured across all address groups on the system. (Each statically configured address and each unique address assigned to one or more address groups consumes one address storage locati...

Page 170: ... Administration Console: bridge packetFilter addressGroup OR for port groups, enter the following command: bridge packetFilter portGroup 2. To remove an address from a group, enter: removeAddress OR to remove a port from a group, enter: removePort 3. Enter the number of the group to modify. 4. Enter the addresses or ports to remove from the new group. Type q after entering all the addresses or ports. Enter the...

Page 171: ...d and you are prompted for the next one to be removed. Address group example: In this example, two Ethernet addresses are removed from the Marketing address group. Select address group to be modified [1-4]: 4 Removing addresses from group 4 - Marketing Enter the addresses to be removed - type q to return to the menu: Address: 08-37-21-65-78-c4 Address: 08-42-21-84-78-f1 Address: q Port group example: In this exam...

Page 172: ...ing example shows a script that builds an address group: bridge packetFilter addressGroup create 08-37-21-65-78-c4 08-32-18-55-40-a0 08-22-12-65-78-05 08-18-23-00-82-00 08-52-12-65-5f-22 08-25-43-41-6e-09 08-00-65-23-00-ee 08-5a-42-77-8a-01 08-22-13-66-00-2a 08-8e-54-11-78-3b 08-77-12-65-78-8c q When you run the script, the address group is automatically created and stored on the system. For more inf...

Page 174: ...V Appendix A: Packet Filter Opcodes, Examples, and Syntax Errors. Appendix B: Technical Support. APPENDIXES ...

Page 175: ...ating and using packet filters, see Chapter 12. Opcodes: Opcodes are instructions used in packet filter definitions. The available opcodes are described in this section. name name. Description: Assigns a user-defined name to the packet filter. The name may be any sequence of ASCII characters other than quotation marks. The name is limited to 32 characters. Only a single name statement can be included in a p...

Page 176: ...g fields in the first 1518 bytes of the target packet. Specify the offset as either an octal, decimal, or hexadecimal number. Precede an octal number by a 0. Precede a hexadecimal number by either 0x or 0X. Use either upper or lower case letters for the hexadecimal digits a through f. Storage Needed: 3 bytes. pushLiteral size value. Description: Pushes a literal constant value onto the stack. The most signifi...

Page 177: ...ress of a packet belongs. This instruction pushes 4 bytes onto the stack. Each address group is represented by a single bit in the SAGM. Multicast addresses (including broadcast addresses) are in all groups. Storage Needed: 1 byte. pushDAGM. Description: Pushes the destination address group mask (DAGM) onto the top of the stack. The DAGM is a bitmap representing the groups to which the destination address of a...

Page 178: ...cription: Pushes the destination port group mask (DPGM) onto the top of the stack. The DPGM is a bitmap representing the groups to which the destination port of a packet belongs. This instruction pushes 4 bytes onto the stack. Each port group mask is represented by a single bit in the DPGM bitmap. Port group masks are assigned to the bitmap in sequence, starting with port group mask 1 as the least signif...

Page 179: ...omparison. If the first is less than the second, a byte containing the value non-zero is pushed onto the stack; otherwise, a byte containing 0 is pushed. The size of the operands is determined by the contents of the stack. Storage Needed: 1 byte. le (less than or equal to). Description: Pops two values from the stack and performs an unsigned comparison. If the first is less than or equal to the second, a byte c...

Page 180: ... byte. ge (greater than or equal to). Description: Pops two values from the stack and performs an unsigned comparison. If the first is greater than or equal to the second, a byte containing the value non-zero is pushed onto the stack; otherwise, a byte containing 0 is pushed. The size of the operands is determined by the contents of the stack. Storage Needed: 1 byte. and (bit-wise AND). Description: Pops two value...

Page 181: ...the stack. The size of the operands and the result are determined by the contents of the stack. Storage Needed: 1 byte. not. Description: A byte is popped from the stack; if it is non-zero, a zero byte is pushed back onto the stack. Otherwise, a non-zero byte is pushed back onto the stack. Storage Needed: 1 byte. accept. Description: Conditionally accepts the packet being examined. A byte is popped from the stack...

Page 182: ...lue is pushed back onto the stack. The size of the first operand and the size of the result are determined by the contents of the top of the stack. The second operand is always 1 byte, and only the low 5 bits of the byte are used as the shift count. Storage Needed: 1 byte. shiftr (shift right). Description: Pops two values from the stack and shifts the first operand right by the number of bits specified by ...

Page 183: ...eq: Check for match. Source Address Filter: This filter operates on the source address field of a frame. It allows packets to be forwarded that are from stations with an OUI of 08-00-02. To customize this filter to another OUI value, change the literal value loaded in the last pushLiteral l instruction. Note that the OUI must be padded with an additional 00 to fill out the literal to 4 bytes. name Forward...

Page 184: ...01: Multicast bit is low-order bit; pushField b 0: Get 1st byte of destination; and: Isolate multicast bit; not: Top of stack 1 to accept, 0 to reject. Multiple Destination Address Filter: This filter operates on the destination address field of a frame. It allows packets to be forwarded that are destined for one of four different stations. To customize this filter to other destination stations, change the lit...

Page 185: ...irst 3 bytes; pushField l 6: Get first 4 bytes of source address; and: Top of stack now has OUI; pushLiteral l 0x09000200: Load OUI value; eq: Check for match. Accept XNS or IP Filter: This filter operates on the type field of a frame. It allows packets to be forwarded that are XNS or IP frames. Note the use of the pushTop instruction to make a copy of the type field. name "Forward IP or XNS"; pushField w 12: Get t...

Page 186: ...roup result is either zero or non-zero address group masks; pushLiteral l 0: Put a zero on the stack; ne: If not equal, returns a one to stack, resulting in packet forwarded. Port Group Filter: This filter discards all frames sourced from a port in either group three or eight. name "Discard Port Groups 3 and 8"; pushSPGM: Get source port group mask; pushLiteral l 0x0084: Select bits 3 and 8; and: If port group bit...

Page 187: ...quires two operands of the same size. The top two operands currently on the stack are of different sizes. Stack underflow: The opcode requires one or more operands. An insufficient number of operands are currently on the stack. Stack overflow: The opcode pushes an operand on the stack. The stack does not have sufficient room for the operand. No result found on top of stack: The program must end with a byte...

Page 188: ... string: The string specified does not have a starting quotation mark. String is too long: The string specified is too long. Strings are limited to 32 characters, exclusive of the opening and closing quotation marks. Missing close quote on string: The string specified does not have an ending quotation mark. Multiple name statements in program: More than one name statement was found in the program. Only a si...

Page 189: ...as well as technical articles. This service is available via modem or ISDN seven days a week, 24 hours a day. Access by Modem: To reach the service by modem, set your modem to 8 data bits, no parity, and 1 stop bit. Call the telephone number nearest you. Country, Data Rate, Telephone Number: Australia, up to 14400 bps, 61 2 9955 2073; France, up to 14400 bps, 33 1 69 86 69 54; Germany, up to 9600 bps, 49 89 627 32 18...

Page 190: ...om com. This service features news and information about 3Com products, customer service and support, 3Com's latest news releases, selected articles from 3TECH journal (3Com's award-winning technical journal), and more. 3ComForum on CompuServe: 3ComForum is a CompuServe service containing patches, software, drivers, and technical articles about all 3Com products, as well as a messaging section for peer support...

Page 191: ...nning, installation, hardware maintenance, application training, and support services. When you contact your network supplier for assistance, have the following information ready: diagnostic error messages; a list of system hardware and software, including revision levels; details about recent configuration changes, if applicable. If you are unable to contact your network supplier, see the following section on...

Page 192: ...er's expense. To obtain an RMA number, call or fax: 4 17 96 Country, Telephone Number: Australia (Sydney) 61 2 9937 5000; Japan 81 3 3345 7251; (Melbourne) 61 3 9866 8022; Mexico 525 531 0591; Belgium 0800 71429; Netherlands 06 0227788; Brazil 55 11 546 0869; Norway 800 13376; Canada 905 882 9964; Singapore 65 538 9368; Denmark 800 17309; South Africa 27 11 803 7404; Finland 0800 113153; Spain ...
