manualshive.com logo in svg

FoxGate S63 series, Configuration Manual, Page: 456 / 565

Share
Download
FoxGate S63 series Configuration Manual Download Page 456

SSL Configuration 

455 

52. SSL Configuration 

52.1

 Introduction to SSL 

As  the  computer  networking  technology  spreads,  the  security  of  the  network  has 

been  taking more  and more  important  impact  on  the  availability  and  the  usability  of  the 

networking application. The network security has become one of the greatest barriers of 

modern networking applications. 

To protect sensitive data transferred through Web, Netscape introduced the Secure 

Socket Layer 

– SSL protocol, for its Web browser. Up till now, SSL 2.0 and 3.0 has been 

released. SSL 2.0 is obsolete because of security problems, and it is not supported on the 

switches of Network. The SSL protocol uses the public-key encryption, and has become 

the industry standard for secure communication on internet for Web browsing. The Web 

browser integrates HTTP and SSL to realize secure communication. 

SSL  is  a  safety  protocol  to  protect  private  data  transmission  on  the  Internet.  SSL 

protocols  are  designed  for  secure  transmission  between  the  client  and  the  server,  and 

authentication  both  at  the  server  sides  and  optional  client.  SSL  protocols  must  build  on 

reliable transport layer (such as TCP). SSL protocols are independent for application layer. 

Some  protocols  such  as  HTTP,  FTP,  TELNET  and  so  on,  can  build  on  SSL  protocols 

transparently.  The  SSL  protocol  negotiates  for  the  encryption  algorithm,  the  encryption 

key and the server authentication before data is transmitted. Ever since the negotiation is 

done, all the data being transferred will be encrypted. 

Via above introduction, the security channel is provided by SSL protocols have below 

three characteristics: 

  Privacy.  First  they  encrypt  the  suite  through  negotiation,  then  all  the  messages  be 

encrypted. 

  Affirmation. Though the client authentication of the conversational is optional, but the 

server is always authenticated.     

  Reliability. The message integrality inspect is included in the sending message (use 

MAC). 

52.1.1

 Basic Element of SSL 

The  basic  strategy  of  SSL  provides  a  safety  channel  for  random  application  data 

forwarding between two communication programs. In theory, SSL connect is similar with 

encrypt TCP connect. The position of SSL protocol is under application layer and on the 

Summary of Contents for S63 series

Page 1: ...S95xx Duak Stack Ethernet Switch Manual version 2 0 04 Firmware version 6 2 98 0 FoxGate 2012 Configuration Guide ...

Page 2: ...1 2 6 Fuzzy Match Support 34 2 BASIC SWITCH CONFIGURATION 35 2 1 BASIC CONFIGURATION 35 2 2 TELNET MANAGEMENT 36 2 2 1 Telnet 36 2 2 2 SSH 38 2 3 CONFIGURE SWITCH IP ADDRESSES 39 2 3 1 Switch IP Addresses Configuration Task List 40 2 4 SNMP CONFIGURATION 41 2 4 1 Introduction to SNMP 41 2 4 2 Introduction to MIB 42 2 4 3 Introduction to RMON 43 2 4 4 SNMP Configuration 44 2 4 5 Typical SNMP Config...

Page 3: ... 1 INTRODUCTION TO PORT 71 5 2 NETWORK PORT CONFIGURATION TASK LIST 71 5 3 PORT CONFIGURATION EXAMPLE 74 5 4 PORT TROUBLESHOOTING 75 6 PORT ISOLATION FUNCTION CONFIGURATION 76 6 1 INTRODUCTION TO PORT ISOLATION FUNCTION 76 6 2 TASK SEQUENCE OF PORT ISOLATION 76 6 3 PORT ISOLATION FUNCTION TYPICAL EXAMPLES 77 7 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION 79 7 1 INTRODUCTION TO PORT LOOPBACK DETE...

Page 4: ... 98 10 2 2 Dynamic LACP Aggregation 98 10 3 PORT CHANNEL CONFIGURATION TASK LIST 99 10 4 PORT CHANNEL EXAMPLES 100 10 5 PORT CHANNEL TROUBLESHOOTING 103 11 MTU CONFIGURATION 104 11 1 INTRODUCTION TO MTU 104 11 2 MTU CONFIGURATION TASK SEQUENCE 104 12 EFM OAM CONFIGURATION 105 12 1 INTRODUCTION TO EFM OAM 105 12 2 EFM OAM CONFIGURATION 108 12 3 EFM OAM EXAMPLE 110 12 4 EFM OAM TROUBLESHOOTING 111 1...

Page 5: ...TRODUCTION TO DDM 127 16 1 1 Brief Introduction to DDM 127 16 1 2 DDM Function 128 16 2 DDM CONFIGURATION TASK LIST 129 16 3 EXAMPLES OF DDM 131 16 4 DDM TROUBLESHOOTING 135 17 VLAN CONFIGURATION 136 17 1 VLAN CONFIGURATION 136 17 1 1 Introduction to VLAN 136 17 1 2 VLAN Configuration Task List 137 17 1 3 Typical VLAN Application 140 17 1 4 Typical Application of Hybrid Port 141 17 2 GVRP CONFIGUR...

Page 6: ...Introduction to Voice VLAN 158 17 6 2 Voice VLAN Configuration 159 17 6 3 Typical Applications of the Voice VLAN 160 17 6 4 Voice VLAN Troubleshooting 161 17 7 MULTI TO ONE VLAN TRANSLATION CONFIGURATION 161 17 7 1 Introduction to Multi to One VLAN Translation 161 17 7 2 Multi to One VLAN Translation Configuration 161 17 7 3 Typical application of Multi to One VLAN Translation 162 17 7 4 Multi to ...

Page 7: ...ion 180 19 1 2 Port Roles 182 19 1 3 MSTP Load Balance 182 19 2 MSTP CONFIGURATION TASK LIST 182 19 3 MSTP EXAMPLE 187 19 4 MSTP TROUBLESHOOTING 191 20 QOS CONFIGURATION 192 20 1 INTRODUCTION TO QOS 192 20 1 1 QoS Terms 192 20 1 2 QoS Implementation 193 20 1 3 Basic QoS Model 194 20 2 QOS CONFIGURATION TASK LIST 199 20 3 QOS EXAMPLE 203 20 4 QOS TROUBLESHOOTING 206 21 FLOW BASED REDIRECTION 207 21...

Page 8: ...1 23 4 EGRESS QOS TROUBLESHOOTING HELP 223 24 LAYER 3 FORWARD CONFIGURATION 224 24 1 LAYER 3 INTERFACE 224 24 1 1 Introduction to Layer 3 Interface 224 24 1 2 Layer 3 Interface Configuration Task List 224 24 2 LAYER 3 FUNCTION 226 24 2 1 Layer 3 function introduction 226 24 2 2 Layer 3 function configuration 226 24 3 IP CONFIGURATION 227 24 3 1 Introduction to IPv4 IPv6 227 24 3 2 IP Configuration...

Page 9: ...RP Address Resolution Protocol 246 26 1 2 ARP Spoofing 246 26 1 3 How to prevent void ARP ND Spoofing 246 26 2 PREVENT ARP ND SPOOFING CONFIGURATION 247 26 3 PREVENT ARP ND SPOOFING EXAMPLE 248 27 ARP GUARD CONFIGURATION 250 27 1 INTRODUCTION TO ARP GUARD 250 27 2 ARP GUARD CONFIGURATION TASK LIST 251 28 ARP LOCAL PROXY CONFIGURATION 252 28 1 INTRODUCTION TO ARP LOCAL PROXY FUNCTION 252 28 2 ARP L...

Page 10: ...2 DHCPV6 SERVER CONFIGURATION 271 32 3 DHCPV6 RELAY DELEGATION CONFIGURATION 273 32 4 DHCPV6 PREFIX DELEGATION SERVER CONFIGURATION 273 32 5 DHCPV6 PREFIX DELEGATION CLIENT CONFIGURATION 275 32 6 DHCPV6 CONFIGURATION EXAMPLES 276 32 7 DHCPV6 TROUBLESHOOTING 280 33 DHCP OPTION 82 CONFIGURATION 281 33 1 INTRODUCTION TO DHCP OPTION 82 281 33 1 1 DHCP option 82 Message Structure 281 33 1 2 option 82 W...

Page 11: ...AND OPTION 43 309 36 1 INTRODUCTION TO DHCP OPTION 60 AND OPTION 43 309 36 2 DHCP OPTION 60 AND OPTION 43 CONFIGURATION TASK LIST 309 36 3 DHCPV6 OPTION 60 AND OPTION 43 EXAMPLE 310 36 4 DHCP OPTION 60 AND OPTION 43 TROUBLESHOOTING 310 37 ROUTING PROTOCOL OVERVIEW 312 37 1 ROUTING TABLE 313 37 2 IP ROUTING POLICY 314 37 2 1 Introduction to Routing Policy 314 37 2 2 IP Routing Policy Configuration ...

Page 12: ... 41 1 INTRODUCTION TO BLACK HOLE ROUTING 348 41 2 IPV4 BLACK HOLE ROUTING CONFIGURATION TASK 348 41 3 IPV6 BLACK HOLE ROUTING CONFIGURATION TASK 348 41 4 BLACK HOLE ROUTING CONFIGURATION EXMAPLES 349 41 5 BLACK HOLE ROUTING TROUBLESHOOTING 350 42 BFD 352 42 1 INTRODUCTION TO BFD 352 42 2 BFD CONFIGURATION TASK LIST 352 42 3 EXAMPLES OF BFD 355 42 3 1 Example for Linkage of BFD and Static Route 355...

Page 13: ...CM 374 44 1 1 Introduction to IPv6 DCSCM 374 44 1 2 IPv6 DCSCM Configuration Task Sequence 374 44 1 3 IPv6 DCSCM Typical Examples 377 44 1 4 IPv6 DCSCM Troubleshooting 378 44 2 MLD SNOOPING 379 44 2 1 Introduction to MLD Snooping 379 44 2 2 MLD Snooping Configuration Task 379 44 2 3 MLD Snooping Examples 381 44 2 4 MLD Snooping Troubleshooting 384 45 MULTICAST VLAN 385 45 1 INTRODUCTIONS TO MULTIC...

Page 14: ...ations 429 47 3 2 Examples of IPv4 Radius Applications 431 47 3 3 Examples of IPv6 Radius Application 432 47 4 802 1X TROUBLESHOOTING 433 48 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT VLAN CONFIGURATION 435 48 1 INTRODUCTION TO THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT VLAN 435 48 2 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT VLAN CONFIGURATION TASK SEQUENCE 436 48 3 ...

Page 15: ...mple 452 51 3 2 IPv6 RadiusExample 453 51 4 RADIUS TROUBLESHOOTING 454 52 SSL CONFIGURATION 455 52 1 INTRODUCTION TO SSL 455 52 1 1 Basic Element of SSL 455 52 2 SSL CONFIGURATION TASK LIST 457 52 3 SSL TYPICAL EXAMPLE 457 52 4 SSL TROUBLESHOOTING 458 53 IPV6 SECURITY RA CONFIGURATION 459 53 1 INTRODUCTION TO IPV6 SECURITY RA 459 53 2 IPV6 SECURITY RA CONFIGURATION TASK SEQUENCE 459 53 3 IPV6 SECU...

Page 16: ...ICAL APPLICATION 478 56 4 PPPOE INTERMEDIATE AGENT TROUBLESHOOTING 480 57 SAVI CONFIGURATION 481 57 1 INTRODUCTION TO SAVI 481 57 2 SAVI CONFIGURATION 481 57 3 SAVI TYPICAL APPLICATION 485 57 4 SAVI TROUBLESHOOTING 486 58 WEB PORTAL CONFIGURATION 487 58 1 INTRODUCTION TO WEB PORTAL AUTHENTICATION 487 58 2 WEB PORTAL AUTHENTICATION CONFIGURATION TASK LIST 487 58 3 WEB PORTAL AUTHENTICATION TYPICAL ...

Page 17: ...ocol Operation System 505 61 2 MRPP CONFIGURATION TASK LIST 506 61 3 MRPP TYPICAL SCENARIO 508 61 4 MRPP TROUBLESHOOTING 510 62 ULPP CONFIGURATION 511 62 1 INTRODUCTION TO ULPP 511 62 2 ULPP CONFIGURATION TASK LIST 513 62 3 ULPP TYPICAL EXAMPLES 515 62 3 1 ULPP Typical Example1 515 62 3 2 ULPP Typical Example2 517 62 4 ULPP TROUBLESHOOTING 518 63 ULSM CONFIGURATION 520 63 1 INTRODUCTION TO ULSM 52...

Page 18: ...IGURATION 539 67 1 INTRODUCTION TO SNTP 539 67 2 TYPICAL EXAMPLES OF SNTP CONFIGURATION 540 68 NTP FUNCTION CONFIGURATION 541 68 1 INTRODUCTION TO NTP FUNCTION 541 68 2 NTP FUNCTION CONFIGURATION TASK LIST 541 68 3 TYPICAL EXAMPLES OF NTP FUNCTION 544 68 4 NTP FUNCTION TROUBLESHOOTING 545 69 DNSV4 V6 CONFIGURATION 546 69 1 INTRODUCTION TO DNS 546 69 2 DNSV4 V6 CONFIGURATION TASK LIST 547 69 3 TYPI...

Page 19: ...Configuration 559 71 7 3 System Log Configuration Example 560 72 RELOAD SWITCH AFTER SPECIFIED TIME 562 72 1 INTRODUCE TO RELOAD SWITCH AFTER SPECIFID TIME 562 72 2 RELOAD SWITCH AFTER SPECIFID TIME TASK LIST 562 73 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU 563 73 1 INTRODUCTION TO DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU 563 73 2 DEBUGGING AND DIAGNOSIS FOR ...

Page 20: ... available For instance the user must assign an IP address to the switch via the Console interface to be able to access the switch through Telnet The procedures for managing the switch via Console interface are listed below Step 1 setting up the environment Fig 1 1 Out of band Management Configuration Environment As shown in above the serial port RS 232 is connected to the switch with the serial c...

Page 21: ...ncluded in Windows after the connection established The example below is based on the HyperTerminal included in Windows XP 1 Click Start menu All Programs Accessories Communication HyperTerminal Fig 1 2 Opening Hyper Terminal 2 Type a name for opening HyperTerminal such as Switch Fig 1 3 Opening HyperTerminal 3 In the Connecting using drop list select the RS 232 serial port used by the PC e g COM1...

Page 22: ... stop bit and none for traffic control or you can also click Restore default and click OK Fig 1 5 Opening HyperTerminal Step 3 Entering switch CLI interface Power on the switch the following appears in the HyperTerminal windows that is the CLI configuration mode for Switch Testing RAM 0x077C0000 RAM OK Loading MiniBootROM Attaching to file system ...

Page 23: ...nd management enables management of the switch for some devices attached to the switch In the case when in band management fails due to switch configuration changes out of band management can be used for configuring and managing the switch 1 1 2 1 Management via Telnet To manage the switch with Telnet the following conditions should be met 1 Switch has an IPv4 IPv6 address configured 2 The host IP...

Page 24: ...2 168 200 1 24 Run ping 192 168 200 1 from the host and verify the result check for reasons if ping failed The IP address configuration commands for VLAN1 interface are listed below Before in band management the switch must be configured with an IP address by out of band management i e Console mode the configuration commands are as follows All switch configuration prompts are assumed to be Switch ...

Page 25: ... with the following command username username privilege privilege password 0 7 password To open the local authentication style with the following command authentication line vty login local Privilege option must exist and just is 15 Assume an authorized user in the switch has a username of test and password of test the configuration procedure should like the following Switch enable Switch config S...

Page 26: ... via other devices such as a router Similar to management the switch via Telnet as soon as the host succeeds to ping ping6 an IPv4 IPv6 address of the switch and to type the right login password it can access the switch via HTTP The configuration list is as below Step 1 Configure the IP addresses for the switch and start the HTTP server function on the switch For configuring the IP address on the ...

Page 27: ...face Valid login name and password are required otherwise the switch will reject HTTP access This is a method to protect the switch from unauthorized access As a result when Telnet is enabled for configuring and managing the switch username and password for authorized Telnet users must be configured with the following command username username privilege privilege password 0 7 password To open the ...

Page 28: ...Interface Input the right username and password and then the main Web configuration interface is shown as below Fig 1 11 Main Web Configuration Interface Notice When configure the switch the name of the switch is composed with English letters ...

Page 29: ...l please refer to Snmp network management software user manual 1 2 CLI Interface The switch provides thress management interface for users CLI Command Line Interface interface Web interface Snmp netword management software We will introduce the CLI interface and Web configuration interface in details Web interface is familiar with CLI interface function and will not be covered please refer to Snmp...

Page 30: ...n information of the switch can be queries 1 2 1 2 Admin Mode To Admin Mode sees the following In user entry system if as Admin user it is defaulted to Admin Mode Admin Mode prompt Switch can be entered under the User Mode by running the enable command and entering corresponding access levels admin user password if a password has been set Or when exit command is run under Global Mode it will also ...

Page 31: ...mmand under Global Mode can enter the interface mode specified Switch provides three interface type 1 VLAN interface 2 Ethernet port 3 port channel accordingly the three interface configuration modes Interface Type Entry Operates Exit VLAN Interface Type interface vlan Vlan id command under Global Mode Configure switch IPs etc Use the exit command to return to Global Mode Ethernet Port Type interf...

Page 32: ... to return to Global Mode ACL Mode ACL type Entry Operates Exit Standard IP ACL Mode Type ip access list standard command under Global Mode Configure parameters for Standard IP ACL Mode Use the exit command to return to Global Mode Extended IP ACL Mode Type ip access list extanded command under Global Mode Configure parameters for Extended IP ACL Mode Use the exit command to return to Global Mode ...

Page 33: ...n left right and Blank Space If the terminal does not recognize Up and Down keys ctrl p and ctrl n can be used instead Key s Function Back Space Delete a character before the cursor and the cursor moves back Up Show previous command entered Up to ten recently entered commands can be shown Down Show next command entered When use the Up key to get previously entered commands you can use the Down key...

Page 34: ...e returned if the position should be a keyword then a set of keywords with brief description will be returned if the output is cr then the command is complete press Enter to run the command 3 A immediately following a string This will display all the commands that begin with that string 1 2 5 Input Verification 1 2 5 1 Returned Information success All commands entered through keyboards undergo syn...

Page 35: ...t used in pairs 1 2 6 Fuzzy Match Support Switch shell support fuzzy match in searching command and keyword Shell will recognize commands or keywords correctly if the entered string causes no conflict For example 1 For command show interfaces status ethernet1 0 1 typing sh in status ethernet1 0 1 will work 2 However for command show running config the system will report a Ambiguous command error i...

Page 36: ...Mode config terminal Enter global mode from admin mode Various Modes exit Exit current mode and enter previous mode such as using this command in global mode to go back to admin mode and back to normal user mode from admin mode show privilege Show privilege of the current users Except User Mode Admin Mode end Quit current mode and return to Admin mode when not at User Mode Admin Mode Admin Mode cl...

Page 37: ...and the remote host is the Telnet server Switch can be either the Telnet Server or the Telnet client When switch is used as the Telnet server the user can use the Telnet client program included in Windows or the other operation systems to login to switch as described earlier in the In band management section As a Telnet server switch allows up to 5 telnet client TCP connections And as Telnet clien...

Page 38: ...eb the no form command will cancel the binding ACL authentication ipv6 access class num std name no authentication ipv6 access class Binding standard IPv6 ACL protocol to login with Telnet SSH Web the no form command will cancel the binding ACL authentication line console vty web login method1 method2 no authentication line console vty web login Configure authentication method list with telnet aut...

Page 39: ... client software such as SSH Secure Client and putty Users can run the above software to manage the switch remotely The switch presently supports RSA authentication 3DES cryptography protocol and SSH user password authentication etc 2 2 2 2 SSH Server Configuration Task List Command Explanation Global Mode ssh server enable no ssh server enable Enable SSH function on the switch the no command disa...

Page 40: ...Enable SSH server on the switch and run SSH2 0 client software such as Secure shell client or putty on the terminal Log on the switch by using the username and password from the client Configure the IP address add SSH user and enable SSH service on the switch SSH2 0 client can log on the switch by using the username and password to configure the switch Switch config ssh server enable Switch config...

Page 41: ...s and DNS server addresses to DHCP clients DHCP Server configuration is detailed in later chapters 2 3 1 Switch IP Addresses Configuration Task List 1 Enable VLAN port mode 2 Manual configuration 3 BOOTP configuration 4 DHCP configuration 1 Enable VLAN port mode Command Explanation Global Mode interface vlan vlan id no interface vlan vlan id Create VLAN interface layer 3 interface the no command d...

Page 42: ...le Network Management Protocol is a standard network management protocol widely used in computer network management SNMP is an evolving protocol SNMP v1 RFC1157 is the first version of SNMP which is adapted by vast numbers of manufacturers for its simplicity and easy implementation SNMP v2c is an enhanced version of SNMP v1 which supports layered network management SNMP v3 strengthens the security...

Page 43: ...events by enabling RMON function When alert events are triggered Agents will send Trap messages or log the event according to the settings Inform Request is mainly used for inter NMS communication in the layered network management USM ensures the transfer security by well designed encryption and authentication USM encrypts the messages according to the user typed password This mechanism ensures th...

Page 44: ...c MIB contains public network management information that can be accessed by all NMS private MIB contains specific information which can be viewed and controlled by the support of the manufacturers MIB I RFC1156 is the first implemented public MIB of SNMP and is replaced by MIB II RFC1213 MIB II expands MIB I and keeps the OID of MIB tree in MIB I MIB II contains sub trees which are called groups ...

Page 45: ...vent A list of all events generated by RMON Agent Alarm depends on the implementation of Event Statistics and History display some current or history subnet statistics Alarm and Event provide a method to monitor any integer data change in the network and provide some alerts upon abnormal events sending Trap or record in logs 2 4 4 SNMP Configuration 2 4 4 1 SNMP Configuration Task List 1 Enable or...

Page 46: ...n Global Mode snmp server securityip ipv4 addres s ipv6 address no snmp server securityip ipv4 address ipv6 address Configure IPv4 IPv6 security address which is allowed to access the switch on the NMS the no command deletes the configured security address snmp server securityip enable snmp server securityip disable Enable or disable secure IP address check function on the NMS 4 Configure engine I...

Page 47: ...riv authnopriv authpriv access num std name ipv6 access ipv6 num std ipv6 name Set the group information on the switch This command is used to configure VACM for SNMP v3 7 Configure view Command Explanation Global Mode snmp server view view string oid string include exclude no snmp server view view string oid string Configure view on the switch This command is used for SNMP v3 8 Configuring TRAP C...

Page 48: ...n enable Enable disable RMON 2 4 5 Typical SNMP Configuration Examples The IP address of the NMS is 1 1 1 5 the IP address of the switch Agent is 1 1 1 9 Scenario 1 The NMS network administrative software uses SNMP protocol to obtain data from the switch The configuration on the switch is listed below Switch config snmp server enable Switch config snmp server community rw private Switch config snm...

Page 49: ...S network administrative software uses SNMP protocol to obtain data from the switch The configuration on the switch is listed below Switch config snmp server enable Switch config snmp server community rw private Switch config snmp server community ro public Switch config snmp server securityip 2004 1 2 3 2 The NMS can use private as the community string to access the switch with read write permiss...

Page 50: ...ow snmp command to verify sent and received SNMP messages Use show snmp status command to verify SNMP configuration information Use debug snmp packet to enable SNMP debugging function and verify debug information If users still can t solve the SNMP problems Please contact our technical and service center 2 5 Switch Upgrade Switch provides two ways for switch upgrade BootROM upgrade and the TFTP FT...

Page 51: ... topology for switch upgrade in BootROM mode The upgrade procedures are listed below Step 1 As shown in the figure a PC is used as the console for the switch A console cable is used to connect PC to the management port on the switch The PC should have FTP TFTP server software installed and has the image file required for the upgrade Step 2 Press ctrl b on switch boot up until the switch enters Boo...

Page 52: ...e switch verify the connectivity between the server and the switch by ping from the server If ping succeeds run load command in the BootROM mode from the switch if it fails perform troubleshooting to find out the cause The following is the configuration for the system update image file Boot load nos img Loading Loading file ok Step 5 Execute write nos img in BootROM mode The following saves the sy...

Page 53: ...ep 9 Execute write flash config rom in BootROM mode The following saves the update file Boot write flash config rom Boot write flash config rom File exists overwrite Y N N y Writing flash config rom Write flash config rom OK Boot Step 10 After successful upgrade execute run or reboot command in BootROM mode to return to CLI configuration interface Boot run or reboot Other commands in BootROM mode ...

Page 54: ...d be sent by the FTP client to establish management connection on port 21 in the server and negotiate a data connection through the management connection There are two types of data connections active connection and passive connection In active connection the client transmits its address and port number for data transmission to the server the management connection maintains until data transfer is ...

Page 55: ...ile and boot file System image file refers to the compressed file for switch hardware driver and software support program usually refer to as IMAGE upgrade file In switch the system image file is allowed to save in FLASH only Switch mandates the name of system image file to be uploaded via FTP in Global Mode to be nos img other IMAGE system files will be rejected Boot file refers to the file initi...

Page 56: ...e will be loaded to overwrite current start up configuration file 2 5 3 2 FTP TFTP Configuration The configurations of switch as FTP and TFTP clients are almost the same so the configuration procedures for FTP and TFTP are described together in this manual 2 5 3 2 1 FTP TFTP Configuration Task List 1 FTP TFTP client configuration 1 Upload download the configuration file or system file 2 For FTP cl...

Page 57: ...n Global Mode ip ftp username username password 0 7 password no ip ftp username username Configure FTP login username and password this no command will delete the username and password 3 Modify FTP server connection idle time Command Explanation Global Mode ftp server timeout seconds Set connection idle time 3 TFTP server configuration 1 Start TFTP server Command Explanation Global Mode tftp serve...

Page 58: ...to a computer which is a FTP TFTP server with an IP address of 10 1 1 1 the switch acts as a FTP TFTP client the IP address of the switch management VLAN is 10 1 1 2 Download nos img file in the computer to the switch FTP Configuration Computer side configuration Start the FTP server software on the computer and set the username Switch and the password superuser Place the 12_30_nos img file to the...

Page 59: ...cts from one of its ports to a computer which is a FTP client Transfer the nos img file in the switch to the computer and save as 12_25_nos img The configuration procedures of the switch are listed below Switch config interface vlan 1 Switch Config if Vlan1 ip address 10 1 1 2 255 255 255 0 Switch Config if Vlan1 no shut Switch Config if Vlan1 exit Switch config ftp server enable Switch config use...

Page 60: ... 10 1 1 1 the switch acts as a FTP client and the IP address of the switch management VLAN1 interface is 10 1 1 2 FTP Configuration PC side Start the FTP server software on the PC and set the username Switch and the password superuser Switch Switch config interface vlan 1 Switch Config if Vlan1 ip address 10 1 1 2 255 255 255 0 Switch Config if Vlan1 no shut Switch Config if Vlan1 exit Switch copy...

Page 61: ...ful nos img file length 1526021 read file ok send file 150 Opening ASCII mode data connection for nos img 226 Transfer complete close ftp client The following is the message displays when files are successfully received Otherwise please verify link connectivity and retry copy command again 220 Serv U FTP Server v2 5 build 6 for WinSock ready 331 User name okay need password 230 User logged in proc...

Page 62: ...y copy command again nos img file length 1526021 read file ok begin to send file wait file transfers complete Close tftp client The following is the message displays when files are successfully received Otherwise please verify link connectivity and retry copy command again begin to receive file wait recv 1526037 write ok transfer complete close tftp client If the switch is upgrading system file or...

Page 63: ...es 2 The creation of sub directories 3 The deletion of sub directory 4 Changing the current working directory of the storage device 5 The display operation of the current working directory 6 The display operation of information about a designated file or directory 7 The deletion of a designated file in the file system 8 The renaming operation of files 9 The copying operation of files 1 The formatt...

Page 64: ...he display operation of information about a designated file or directory Command Explanation Admin Configuration Mode dir WORD Display information about a designated file or directory on the storage device 7 The deletion of a designated file in the file system Command Explanation Admin Configuration Mode delete file url Delete the designated file in the file system 8 The renaming operation of file...

Page 65: ...6 1 11 0 img Copy flash nos img to flash nos 6 1 11 0 img Y N y Copyed file flash nos img to flash nos 6 1 11 0 img 3 4 Troubleshooting If errors occur when users try to implement file system operations please check whether they are caused by the following reasons Whether file names or paths are entered correctly When renaming a file whether it is in use or the new file name is already used by an ...

Page 66: ...n statically or dynamically add the candidate switches to the cluster which is already established Accordingly they can configure and manage the member switches through the commander switch When the member switches are distributed in various physical locations such as on the different floors of the same building cluster network management has obvious advantages Moreover cluster network management ...

Page 67: ...e attributes of the cluster in the candidate switch 1 Set the time interval of keep alive messages of the cluster 2 Set the max number of lost keep alive messages that can be tolerated in the cluster 5 Remote cluster network management 1 Remote configuration management 2 Remotely upgrade member switch 3 Reboot member switch 6 Manage cluster network with web 1 Enable http 7 Manage cluster network w...

Page 68: ...o manually added ones cluster keepalive interval second no cluster keepalive interval Set the keep alive interval of the cluster cluster keepalive loss count int no cluster keepalive loss count Set the max number of lost keep alive messages that can be tolerated in the cluster Admin mode clear cluster nodes nodes sn candidate sn list mac address mac addr Clear nodes in the list of candidate switch...

Page 69: ...ss mac addr In the commander switch this command is used to reset the member switch cluster update member member id src url dst filename ascii binary In the commander switch this command is used to remotely upgrade the member switch It can only upgrade nos img file Command Explanation Global Mode ip http server Enable http function in commander switch and member switch Notice must insure the http ...

Page 70: ...re 1 Configure the command switch Configuration of SW1 Switch config cluster run Switch config cluster ip pool 10 2 3 4 Switch config cluster commander 5526 Switch config cluster auto add Command Explanation Global Mode snmp server enable Enable snmp server function in commander switch and member switch Notice must insure the snmp server function be enabled in member switch when commander switch v...

Page 71: ...ed the command switch and member switch belongs to the cluster vlan After cluster commander is enabled in VLAN1 of the command switch please don t enable a routing protocol RIP OSPF BGP in this VLAN in order to prevent the routing protocol from broadcasting the private cluster addresses in this VLAN to other switches and cause routing loops Whether the connection between the command switch and the...

Page 72: ...ormed on ports 2 3 4 5 the command would look like interface ethernet 1 0 2 5 Port speed duplex mode and traffic control can be configured under Ethernet Port Mode causing the performance of the corresponding network ports to change accordingly 5 2 Network Port Configuration Task List 1 Enter the network port configuration mode 2 Configure the properties for the network ports 1 Configure combo mod...

Page 73: ...r port of switch speed duplex auto 10 100 1000 auto full half force10 half force10 full force100 half force100 full force100 fx module type auto detected no phy integrated phy integrated force1g half force1g full nonegotiate master slave force10g full no speed duplex Sets port speed and duplex mode of 100 1000Base TX or 100Base FX ports The no format of this command restores the default setting i ...

Page 74: ...ure port scan mode as interrupt or poll mode the no command restores the default port scan mode rate violation 200 2000000 recovery 0 86400 no rate violation Set the max packet reception rate of a port If the rate of the received packet violates the packet reception rate shut down this port and configure the recovery time the default is 300s The no command will disable the rate violation function ...

Page 75: ...witch1 Config If Ethernet1 0 7 bandwidth control 50 both Switch2 Switch2 config interface ethernet 1 0 9 Switch2 Config If Ethernet1 0 9 speed duplex force100 full Switch2 Config If Ethernet1 0 9 exit Switch2 config interface ethernet 1 0 10 Switch2 Config If Ethernet1 0 10 speed duplex force1g full Switch2 Config If Ethernet1 0 10 exit Switch2 config monitor session 1 source interface ethernet 1 ...

Page 76: ...d duplex This is determined by IEEE 802 3 The following combinations are not recommended enabling traffic control as well as setting multicast limiting for the same port setting broadcast multicast and unknown destination unicast control as well as port bandwidth limiting for the same port If such combinations are set the port throughput may fall below the expected performance For Combo port it su...

Page 77: ...ve 6 2 Task Sequence of Port Isolation 1 Create an isolate port group 2 Add Ethernet ports into the group 3 Specify the flow to be isolated 4 Display the configuration of port isolation 1 Create an isolate port group Command Explanation Global Mode isolate port group WORD no isolate port group WORD Set a port isolation group the no operation of this command will delete the port isolation group 2 A...

Page 78: ...anation Admin Mode and global Mode show isolate port group WORD Display the configuration of port isolation including all configured port isolation groups and Ethernet ports in each group 6 3 Port Isolation Function Typical Examples Fig 6 1 Typical example of port isolation function The topology and configuration of switches are showed in the figure above with e1 0 1 e1 0 10 and e1 0 15 all belong...

Page 79: ...te with the uplink port e1 0 15 That is the communication between any pair of downlink ports is disabled while that between any downlink port and a specified uplink port is normal The uplink port can communicate with any port normally The configuration of S1 Switch config isolate port group test Switch config isolate port group test switchport interface ethernet 1 0 1 1 0 10 ...

Page 80: ...new source MAC is already learnt by the layer 2 device only with a different source port the original source port will be modified to the new one which means to correspond the original MAC address with the new port As a result if there is any loopback existing in the link all MAC addresses within the whole layer 2 network will be corresponded with the port where the loopback appears usually the MA...

Page 81: ... loopback detection interval time loopback no loopback no loopback detection interval time Configure the time interval of loopback detection 2 Enable the function of port loopback detection Command Explanation Port Mode loopback detection specified vlan vlan list no loopback detection specified vlan vlan list Enable and disable the function of port loopback detection 3 Configure the control method...

Page 82: ...isplay the state and result of the corresponding ports 5 Configure the loopback detection control mode automatic recovery enabled or not Command Explanation Global Mode loopback detection control recovery timeout 0 3600 Configure the loopback detection control mode automatic recovery enabled or not or recovery time 7 3 Port Loopback Detection Function Example Fig 7 1 Typical example of port loopba...

Page 83: ...Ethernet1 0 1 loopback detection special vlan 1 3 Switch Config If Ethernet1 0 1 loopback detection control block If adopting the control method of block MSTP should be globally enabled And the corresponding relation between the spanning tree instance and the VLAN should be configured Switch config spanning tree Switch config spanning tree mst configuration Switch Config Mstp Region instance 1 vla...

Page 84: ...ce the physical layer of the link is connected and works normal via the checking mechanism of the physical layer communication problems between the devices can not be found As shown in Graph the problem in fiber connection can not be found through mechanisms in physical layer like automatic negotiation Fig 4 1 Fiber Cross Connection Fig 8 1 One End of Each Fiber Not Connected This kind of problem ...

Page 85: ...connection state of the link by exchanging information with remote devices ULDP can dynamically study the interval at which the remote device sends notification messages and adjust the local TTL time to live according to that interval Besides ULDP provides the reset mechanism when the port is disabled by ULDP it can check again through reset mechanism The time intervals of notification messages an...

Page 86: ... Explanation Port configuration mode uldp aggressive mode no uldp aggressive mode Set the working mode of the port 5 Configure the method to shut down unidirectional link Command Explanation Global configuration mode uldp manual shutdown no uldp manual shutdown Configure the method to shut down unidirectional link 6 Configure the interval of Hello messages Command Explanation Global configuration ...

Page 87: ...lay global information and the neighbor information of the port debug uldp fsm interface ethernet IFname no debug uldp fsm interface ethernet IFname Enable or disable the debug switch of the state machine transition information on the specified port debug uldp error no debug uldp error Enable or disable the debug switch of error information debug uldp event no debug uldp event Enable or disable th...

Page 88: ...P Only when the connection is correct can the ports work normally won t be shut down Switch A configuration sequence SwitchA config uldp enable SwitchA config interface ethernet 1 0 1 SwitchA Config If Ethernet1 0 1 uldp enable SwitchA Config If Ethernet1 0 1 exit SwitchA config interface ethernet 1 0 2 SwitchA Config If Ethernet1 0 2 uldp enable Switch B configuration sequence SwitchB config uldp...

Page 89: ...nnected the ports have to work in duplex mode and have the same rate If the automatic negotiation mechanism of the fiber ports with one port misconnected decides the working mode and rate of the ports ULDP won t take effect no matter enabled or not In such situation the port is considered as Down In order to make sure that neighbors can be correctly created and unidirectional links can be correctl...

Page 90: ...rmation There are several DEBUG commands provided to print debug information such as information of events state machine errors and messages Different types of message information can also be printed according to different parameters The Recovery timer is disabled by default and will only be enabled when the users have configured recovery time 30 86400 seconds Reset command and reset mechanism can...

Page 91: ...ery information of all neighbor devices For example the detail information of the device configuration and discovery can both use this protocol to advertise In specific LLDP defines a general advertisement information set a transportation advertisement protocol and a method to store the received advertisement information The device to advertise its own information can put multiple pieces of advert...

Page 92: ... 2 LLDP Function Configuration Task Sequence 1 Globally enable LLDP function 2 Configure the port based LLDP function switch 3 Configure the operating state of port LLDP 4 Configure the intervals of LLDP updating messages 5 Configure the aging time multiplier of LLDP messages 6 Configure the sending delay of updating messages 7 Configure the intervals of sending Trap messages 8 Configure to enable...

Page 93: ... default value 6 Configure the sending delay of updating messages Command Explanation Global Mode lldp transmit delay seconds no lldp transmit delay Configure the sending delay of updating messages as the specified value or default value 7 Configure the intervals of sending Trap messages Command Explanation Global Mode lldp notification interval seconds no lldp notification interval Configure the ...

Page 94: ...ghbors discard delete Configure the type of operation when the Remote Table of the port is full 12 Display and debug the relative information of LLDP Command Explanation Admin Global Mode show lldp Display the current LLDP configuration information show lldp interface ethernet IFNAME Display the LLDP configuration information of the current port show lldp traffic Display the information of all kin...

Page 95: ...ortDes and SysCap SWITCH A configuration task sequence SwitchA config lldp enable SwitchA config interface ethernet 1 0 4 SwitchA Config If Ethernet1 0 4 lldp transmit optional tlv portDesc sysCap SwitchA Config If Ethernet1 0 4 exit SWITCH B configuration task sequence SwitchB config lldp enable SwitchB config interface ethernet1 0 1 SwitchB Config If Ethernet1 0 1 lldp mode receive SwitchB Confi...

Page 96: ...LLDP Function Operation Configuration 95 Using show function of LLDP function can display the configuration information in global or port configuration mode ...

Page 97: ...lly as one physical port Port Channel can be used as a normal port by the user and can not only add network s bandwidth but also provide link backup Port aggregation is usually used when the switch is connected to routers PCs or other switches Fig 10 1 Port aggregation As shown in the above S1 is aggregated to a Port Channel the bandwidth of this Port Channel is the total of all the four ports If ...

Page 98: ...gregation interface configuration mode the user can perform related configuration in this mode just like in the VLAN and physical interface configuration mode 10 2 Brief Introduction to LACP LACP Link Aggregation Control Protocol is a kind of protocol based on IEEE802 3ad standard to implement the link dynamic aggregation LACP protocol uses LACPDU Link Aggregation Control Protocol Data Unit to exc...

Page 99: ...t is the single port aggregation In the dynamic aggregation LACP protocol of the port is at the enable state 2 The port state of the dynamic aggregation group In dynamic aggregation group the ports have two states selected or standby Both selected ports and standby ports can receive and send LACP protocol but standby ports can not forward the data packets Because the limitation of the max port num...

Page 100: ...n LACP protocol 1 Creating a port group 2 Add physical ports to the port group 3 Enter port channel configuration mode Command Explanation Global Mode interface port channel port channel number Enter port channel configuration mode 4 Set load balance method for switch Command Explanation Global Mode port group port group number no port group port group number Create or delete a port group Command ...

Page 101: ... Command Explanation Global mode lacp system priority system priority no lacp system priority Set the system priority of LACP protocol the no command restores the default value Command Explanation Port mode lacp port priority port priority no lacp port priority Set the port priority in LACP protocol The no command restores the default value Command Explanation Port mode lacp timeout short long no ...

Page 102: ... Switch1 Config If Port Range port group 1 mode active Switch1 Config If Port Range exit Switch1 config interface port channel 1 Switch1 Config If Port Channel1 Switch2 config Switch2 config port group 2 Switch2 config interface ethernet 1 0 6 Switch2 Config If Ethernet1 0 6 port group 2 mode passive Switch2 Config If Ethernet1 0 6 exit Switch2 config interface ethernet 1 0 8 10 Switch2 Config If ...

Page 103: ...e configuration steps are listed below Switch1 config Switch1 config interface ethernet 1 0 1 Switch1 Config If Ethernet1 0 1 port group 1 mode on Switch1 Config If Ethernet1 0 1 exit Switch1 config interface ethernet 1 0 2 Switch1 Config If Ethernet1 0 2 port group 1 mode on Switch1 Config If Ethernet1 0 2 exit Switch1 config interface ethernet 1 0 3 Switch1 Config If Ethernet1 0 3 port group 1 m...

Page 104: ...ed and re aggregate with port 3 to form port channel 1 when port 1 0 4 joins port group 1 port channel 1 of port 1 2 and 3 are ungrouped and re aggregate with port 4 to form port channel 1 It should be noted that whenever a new port joins in an aggregated port group the group will be ungrouped first and re aggregated to form a new group Now all four ports in both S1 and S2 are aggregated in on mod...

Page 105: ...e network by 2 to 5 Technically the Jumbo is just a lengthened frame sent and received by the switch However considering the length of Jumbo frames they will not be sent to CPU We discard the Jumbo frames sent to CPU in the packet receiving process 11 2 MTU Configuration Task Sequence 1 Configure enable MTU function 1 Configure enable MTU function Command Explanation Global Mode mtu mtu value no m...

Page 106: ... bottom Using EFM OAM can effectively advance management and maintenance for Ethernet to ensure the stable network operation CFM is used for monitoring the whole network connectivity and locating the fault in access aggregation network layer Compare with CFM Y 1731 standard set by ITU International Telecommunications Union is more powerful E LMI standard set by MEF is only applied to UNI So above ...

Page 107: ...ents EFM OAM implements link monitoring through the exchange of Event Notification OAMPDUs When detecting a link error event the local OAM entity sends an Event Notification OAMPDU to notify the remote OAM entity At the same time it will log information and send SNMP Trap to the network management system While OAM entity on the other side receives the notification it will also log and report it Wi...

Page 108: ...n EFM OAM can detect the fault and inform the remote OAM peers through sending Information OAMPDU Dying Gasp There is no definition present Although device does not generate Dying Gasp OAMPDU it still receives and processes such OAMPDU sent by its peer 4 Remote loopback testing Remote loopback testing is available only after an Ethernet OAM connection is established With remote loopback enabled op...

Page 109: ...figuring OAM parameters 1 Enable EFM OAM function of port Customer Service Provider Customer CE PE 802 1ah OAMPDU 802 3ah Ethernet in the First Mile Command Explanation Port mode ethernet oam mode active passive Configure work mode of EFM OAM default is active mode ethernet oam no ethernet oam Enable EFM OAM of port no command disables EFM OAM of port ethernet oam period seconds no ethernet oam pe...

Page 110: ...net oam errored frame period threshold low window Configure the low threshold and window period of errored frame period event no command resotores the default value ethernet oam errored frame threshold low low frames window seconds no ethernet oam errored frame threshold low window Configure the low threshold and window period of errored frame event no command resotores the default value optional ...

Page 111: ...errored frame period event no command restores the default value optional ethernet oam errored frame threshold high high frames none no ethernet oam errored frame threshold high Configure the high threshold of errored frame event no command restores the default value optional ethernet oam errored frame seconds threshold high high frame seconds none no ethernet oam errored frame seconds threshold h...

Page 112: ...ack Execute the following command to make one of OAM peers exiting OAM loopback after complete detection PE config if ethernet1 0 1 no ethernet oam remote loopback Execute the following command without supporting remote loopback CE config if ethernet1 0 1 no ethernet oam remote loopback supported 12 4 EFM OAM Troubleshooting When using EFM OAM it occurs the problem please check whether the problem...

Page 113: ...abled automatically So the negotiation in the peer of the link must be disabled otherwise the link connection will unsuccessful When disabling OAM the negotiation of the port will be restored Therefore to ensure the link connection is normal the negotiations must be accordant in two peers of the link After enabling OAM when the link negotiations in two peers are successful the state is up After th...

Page 114: ...orporation through the service provider network To maintain a local concept it not only needs to transmit the data within the user s private network across the tunnel but also transmit layer 2 protocol packets within the user s private network 13 1 2 Background of bpdu tunnel Special lines are used in a service provider network to build user specific Layer 2 networks As a result a user network is ...

Page 115: ...ild user specific Layer 2 networks As a result a user network is broken down into parts located at different sides of the service provider network As shown in Figure User A has two devices CE 1 and CE 2 and both devices belong to the same VLAN User s network is divided into network 1 and Command Explanation Global mode bpdu tunnel dmac mac no bpdu tunnel dmac Configure or cancel the tunnel MAC add...

Page 116: ... forwards the packet in the service provider network 2 The encapsulated Layer 2 protocol packet called BPDU Tunnel packet is forwarded to PE 2 at the other end of the service provider network which de encapsulates the packet restores the original destination MAC address of the packet and then sends the packet to network 2 of user A bpdu tunnel configuration of edge switches PE1 and PE2 in the foll...

Page 117: ...tunnel Configuration 116 PE2 config if ethernet1 0 1 bpdu tunnel dot1x 13 4 bpdu tunnel Troubleshooting After port disables stp gvrp uldp lacp and dot1x functions it is able to configure bpdu tunnel function ...

Page 118: ...ission and management about the voice device information To deploy and manage voice device expediently LLDP MED TLVs provide multiple information such as PoE Power over Ethernet network policy and the location information of the emergent telephone service 14 2 LLDP MED Configuration Task Sequence 1 Basic LLDP MED configuration Command Explanation Port mode lldp transmit med tlv all no lldp transmi...

Page 119: ...ideo signaling Configure network policy of the port including VLAN ID the supported application such as voice and video the application priority and the used policy and so on civic location dhcp server switch endpointDev country code no civic location Configure device type and country code of the location with Civic Address LCI format and enter Civic Address LCI address mode The no command cancels...

Page 120: ...D startup mechanism is enabled it needs to fast send the LLDP packets with LLDP MED TLV this command is used to set the value of the fast sending packets the no command restores the default value Admin mode show lldp Show the configuration of the global LLDP and LLDP MED show lldp interface ethernet IFNAME Show the configuration of LLDP and LLDP MED on the current port show lldp neighbors interfac...

Page 121: ...twork policy voice tag tagged vid 10 cos 5 dscp 15 SwitchA Config If Ethernet1 0 1 exit SwitchA config interface ethernet1 0 2 SwitchA Config If Ethernet1 0 2 lldp enable SwitchA Config If Ethernet1 0 2 lldp mode both 2 Configure Switch B SwitchB config interface ethernet1 0 1 SwitchB Config If Ethernet1 0 1 lldp enable SwitchB Config If Ethernet1 0 1 lldp mode both SwitchB Config If Ethernet1 0 1...

Page 122: ...es NP Network Policy LI Location Identification PSE Power Source Entity PD Power Device IN Inventory MED Capabilities CAP NP PD IN MED Device Type Endpoint Class III Media Policy Type Voice Media Policy Tagged Media Policy Vlan id 10 Media Policy Priority 3 Media Policy Dscp 5 Power Type PD Power Source Primary power source Power Priority low Power Value 15 4 Watts Hardware Revision Firmware Revis...

Page 123: ... 1 Both Ethernet2 of switch A and Ethernet1 of switch B are the ports of network connection device they will not send LLDP packets with MED TLV information forwardly Although configure Ethernet1 of switch B to send MED TLV information it will not send the related MED information that results the corresponding Remote table without the related MDE information on Ethernet2 of switch A 2 LLDP MED devi...

Page 124: ...LLDP MED TLV the packets also without LLDP MED TLV sent by the port that means no MED information is received and the port does not enable the function for sending LLDP MED information If neighbor device has sent LLDP MED information to network connection device but there is no LLDP MED information by checking show lldp neighbors command that means LLDP MED information sent by neighbor is error ...

Page 125: ...re and takes a pre defined action automatically This reduces user s maintenance workload and greatly enhances system security 15 2 PORT SECURITY Configuration Task List 1 Basic configuration for PORT SECURITY Command Explanation Port mode switchport port security no switchport port security Configure port security of the interface switchport port security mac address mac address vlan vlan id no sw...

Page 126: ...nterface interface id address vlan Show port security configuration 15 3 Example of PORT SECURITY Fig 15 1 Typical topology chart for port security When the interface enabled Port security function configure the maximum number of the secure MAC addresses allowed by a interface to be 10 the interface allows 10 users to access the internet at most If it exceeds the maximum number the new user cannot...

Page 127: ... maximum 10 Switch config if ethernet1 0 1 exit Switch config 15 4 PORT SECURITY Troubleshooting If problems occur when configuring PORT SECURITY please check whether the problem is caused by the following reasons Check whether PORT SECURITY is enabled normally Check whether the valid maximum number of MAC addresses is configured ...

Page 128: ...nce workload and enhance the system reliability DDM applications are shown in the following 1 Module lifetime forecast Monitoring the bias current is able to forecast the laser lifetime Administrator is able to find some potential problems by monitoring voltage and temperature of the module 1 High Vcc voltage will result in the breakdown CMOS low Vcc voltage will result in the abnormity work 2 Hig...

Page 129: ...warning alarm real time state and threshold and so on Besides checking the fault information of the fiber module helps administrator to fast locate the link fault and saves the restored time 2 Threshold defined by the user For real time parameters TX power RX power Temperature Voltage Bias current there are fixed thresholds Because the user s environments are difference the users is able to define...

Page 130: ...hresholds of each parameter for the transceiver 3 Configure the state of the transceiver monitoring 1 Configure the interval of the transceiver monitoring 2 Configure the enable state of the transceiver monitoring 3 Show the information of the transceiver monitoring 4 Clear the information of the transceiver monitoring 1 Show the real time monitoring information of the transceiver 2 Configure the ...

Page 131: ...r monitoring is enabled Only the port enables the transceiver monitoring the system records the abnormity state After the port disables the function the abnormity information will be clear Command Explanation Admin mode and global mode show transceiver threshold violation interface ethernet interface list Show the information of the transceiver monitoring including the last threshold violation inf...

Page 132: ...or example Switch show transceiver interface ethernet 1 0 21 22 23 Interface Temp Voltage V Bias mA RX Power dBM TX Power dBM 1 0 21 33 3 31 6 11 30 54 A 6 01 1 0 22 N A N A N A N A N A 1 0 23 33 5 00 W 6 11 20 54 W 6 02 c Show the detailed information including base information parameter value of the real time monitoring warning alarm abnormity state and threshold information for example Switch s...

Page 133: ...50 nm Brief alarm information N A Detail diagnostic and threshold information N A Example2 Ethernet 21 is inserted the fiber module with DDM Configure the threshold of the fiber module after showing the DDM information Step1 Show the detailed DDM information Switch show transceiver interface ethernet 1 0 21 detail Ethernet 1 0 21 transceiver detail information Base information Brief alarm informat...

Page 134: ...information RX loss of signal Voltage high RX power low TX power low Detail diagnostic and threshold information Diagnostic Threshold Realtime Value High Alarm Low Alarm High Warn Low Warn Temperature 33 70 0 70 0 Voltage V 7 31 A 5 00 0 00 5 00 0 00 Bias current mA 6 11 W 10 30 0 00 5 00 0 00 RX Power dBM 30 54 A 9 00 25 00 9 00 25 00 TX Power dBM 13 01 A 9 00 12 00 25 00 9 00 10 00 25 00 Example...

Page 135: ...g if ethernet1 0 21 quit Switch config show transceiver threshold violation interface ethernet 1 0 21 22 Ethernet 1 0 21 transceiver threshold violation information Transceiver monitor is enabled Monitor interval is set to 30 minutes The current time is Jan 02 12 30 50 2011 The last threshold violation time is Jan 02 11 00 50 2011 Brief alarm information RX loss of signal RX power low Detail diagn...

Page 136: ...the network management system Because only some boards and box switches support SFP with DDM or XFP with DDM ensure the used board and switch support the corresponding function When using show transceiver command or show transceiver detail command it cost much time due to the switch will check all ports so it is recommended to query the monitoring information of the transceiver on the specified po...

Page 137: ...plemented following IEEE 802 1Q The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands Fig 17 1 A VLAN network defined logically Each broadcast domain is a VLAN VLANs have the same properties as the physical LANs except VLAN is a logical partition rather than physical one Therefore the partition of VLANs can be pe...

Page 138: ...of multi VLANs They can be used to connect between the switches or to a computer of the user Hybrid ports and Trunk ports receive the data with the same process method but send the data with different method Hybrid ports can send the packets of multi VLANs without the VLAN tag while Trunk ports send the packets of multi VLANs with the VLAN tag except the port native VLAN The switch implements VLAN...

Page 139: ...Assign Switch ports to VLAN Command Explanation Port Mode switchport mode trunk access hybrid Set the current port as Trunk Access or Hybrid port Command Explanation Port Mode switchport trunk allowed vlan WORD all add WORD except WORD remove WORD no switchport trunk allowed vlan Set delete VLAN allowed to be crossed by Trunk The no command restores the default setting switchport trunk native vlan...

Page 140: ... switchport hybrid native vlan vlan id no switchport hybrid native vlan Set delete PVID of the port Command Explanation Port Mode vlan ingress enable no vlan ingress enable Enable Disable VLAN ingress rules Command Explanation VLAN mode private vlan primary isolated community no private vlan Configure current VLAN to Private VLAN The no command deletes private VLAN Command Explanation VLAN mode pr...

Page 141: ...tion Item Configuration description VLAN2 Site A and site B switch port 2 4 VLAN100 Site A and site B switch port 5 7 VLAN200 Site A and site B switch port 8 10 Trunk port Site A and site B switch port 11 Connect the Trunk ports of both switches for a Trunk link to convey the cross switch VLAN traffic connect all network devices to the other ports of corresponding VLANs In this example port 1 and ...

Page 142: ...ig If Ethernet1 0 11 switchport mode trunk Switch Config If Ethernet1 0 11 exit Switch config Switch B Switch config vlan 2 Switch Config Vlan2 switchport interface ethernet 1 0 2 4 Switch Config Vlan2 exit Switch config vlan 100 Switch Config Vlan100 switchport interface ethernet 1 0 5 7 Switch Config Vlan100 exit Switch config vlan 200 Switch Config Vlan200 switchport interface ethernet 1 0 8 10...

Page 143: ...twork resources through the gateway SwitchA We can implement this status through Hybrid port Configuration items are as follows Port Type PVID the VLANs are allowed to pass Port 1 0 10 of Switch A Access 10 Allow the packets of VLAN 10 to pass with untag method Port 1 0 10 of Switch B Hybrid 10 Allow the packets of VLAN 7 9 10 to pass with untag method Port 1 0 7 of Switch B Hybrid 7 Allow the pac...

Page 144: ...0 untag Switch Config If Ethernet1 0 9 exit Switch Config interface Ethernet 1 0 10 Switch Config If Ethernet1 0 10 switchport mode hybrid Switch Config If Ethernet1 0 10 switchport hybrid native vlan 10 Switch Config If Ethernet1 0 10 switchport hybrid allowed vlan 7 9 10 untag Switch Config If Ethernet1 0 10 exit 17 2 GVRP Configuration 17 2 1 Introduction to GVRP GVRP i e GARP VLAN Registration...

Page 145: ...nsmission mechanism enables the intermediate switches registering the VLANs dynamically and the VLAN in VLAN100 1000 of A and G can communicate with each other The VLANs dynamically registered by intermediate switches will be deregistered when deregistering VLAN100 1000 of A and G switches manually So the same VLAN of two unadjacent switches can communicate mutually through GVRP protocol instead o...

Page 146: ...n Global mode garp timer join 200 500 garp timer leave 500 1200 garp timer leaveall 5000 60000 no garp timer join leave leaveAll Configure leaveall join and leave timer for GVRP Command Explanation Port mode gvrp no gvrp Enable disable GVRP function of port Command Explanation Global mode gvrp no gvrp Enable disable the global GVRP function of port ...

Page 147: ...h each other through Switch B without static VLAN100 entries Configuration Item Configuration description VLAN100 Port 2 6 of Switch A and C Trunk port Port 11 of Switch A and C Port 10 11 of Switch B Global GVRP Switch A B C Port GVRP Port 11 of Switch A and C Port 10 11 of Switch B Connect two workstations to the VLAN100 ports in switch A and B connect port 11 of Switch A to port 10 of Switch B ...

Page 148: ...witch Config If Ethernet1 0 11 switchport mode trunk Switch Config If Ethernet1 0 11 gvrp Switch Config If Ethernet1 0 11 exit Switch C Switch config gvrp Switch config vlan 100 Switch Config Vlan100 switchport interface ethernet 1 0 2 6 Switch Config Vlan100 exit Switch config interface ethernet 1 0 11 Switch Config If Ethernet1 0 11 switchport mode trunk Switch Config If Ethernet1 0 11 gvrp Swit...

Page 149: ...PE1 from CE1 it carries the VLAN tag 200 300 of the user internal network Since the dot1q tunnel function is enabled the user port on PE1 will add on the packet another VLAN tag of which the ID is the SPVID assigned to the user Afterwards the packet will only be transmitted in VLAN3 when traveling in the ISP internet network while carrying two VLAN tags the inner tag is added when entering PE1 and...

Page 150: ...e VLAN IDs select within 1 4096 at users will The user network is considerably independent When the ISP internet is upgrading their network the user networks do not have to change their original configuration Detailed description on the application and configuration of dot1q tunnel will be provided in this section 17 3 2 Dot1q tunnel Configuration Configuration Task Sequence of Dot1q Tunnel 1 Conf...

Page 151: ...ig Vlan3 switchport interface ethernet 1 0 1 Switch Config Vlan3 exit Switch Config interface ethernet 1 0 1 Switch Config Ethernet1 0 1 dot1q tunnel enable Switch Config Ethernet1 0 1 exit Switch Config interface ethernet 1 0 10 Switch Config Ethernet1 0 10 switchport mode trunk Switch Config Ethernet1 0 10 dot1q tunnel tpid 0x9100 Switch Config Ethernet1 0 10 exit Switch Config PE2 Switch config...

Page 152: ...translation is classified to ingress translation and egress translation this switch only supports switchover of ingress for VLAN ID Application and configuration of VLAN translation will be explained in detail in this section 17 4 2 VLAN translation Configuration Configuration task sequence of VLAN translation 1 Configure the VLAN translation function on the port 2 Configure the VLAN translation r...

Page 153: ...1 of PE1 is connected to CE1 port1 0 10 is connected to public network port1 0 1 of PE2 is connected to CE2 port1 0 10 is connected to public network Port mode vlan translation old vlan id to new vlan id in no vlan translation old vlan id in Add delete a VLAN translation relation Command Explanation Port mode vlan translation miss drop in no vlan translation miss drop in Configure the VLAN transla...

Page 154: ...tion 3 to 20 out switch Config Ethernet1 0 1 exit switch Config interface ethernet 1 0 10 switch Config Ethernet1 0 10 switchport mode trunk switch Config Ethernet1 0 10 exit switch Config 17 4 4 VLAN translation Troubleshooting Normally the VLAN translation is applied on trunk ports SP networks P PE1 PE2 CE1 CE2 Trunk connection Trunk connection Trunk connection Trunk connection Customer networks...

Page 155: ...s and its subnet mask of every host It assigns corresponding VLAN ID to the data packet according to the subnet segment leading the data packet to specified VLAN Its advantage is the same as that of the MAC based VLAN the user does not have to change configuration when relocated The VLAN is divided by the network layer protocol assigning different protocol to different VLANs This is very attractiv...

Page 156: ...lanation Port Mode switchport mac vlan enable no switchport mac vlan enable Enable disable the MAC based VLAN function on the port Command Explanation Global Mode mac vlan vlan vlan id no mac vlan Configure the specified VLAN to MAC VLAN the no mac vlan command cancels the MAC VLAN configuration of this VLAN Command Explanation Global Mode mac vlan mac mac addrss vlan vlan id priority priority id ...

Page 157: ...his way the data of VLAN100 will be forwarded to the port connecting M and implement the communication requirement in VLAN100 mask subnet mask vlan vlan id priority priority id no subnet vlan ip address ipv4 addrss mask subnet mask all between the IP subnet and the VLAN namely specified IP subnet joins leaves specified VLAN Command Explanation Global Mode protocol vlan mode ethernetii etype etype ...

Page 158: ...22 33 vlan 100 priority 0 SwitchA Config interface ethernet 1 0 1 SwitchA Config Ethernet1 0 1 swportport mode hybrid SwitchA Config Ethernet1 0 1 swportport hybrid allowed vlan 100 untagged SwitchB Config mac vlan mac 00 03 0f 11 22 33 vlan 100 priority 0 SwitchB Config exit SwitchB SwitchC Config mac vlan mac 00 03 0f 11 22 33 vlan 100 priority 0 SwitchC Config exit SwitchC 17 5 4 Dynamic VLAN T...

Page 159: ...service service for voice data and improve the voice data traffic transmission priority to ensure the calling quality The switch can judge if the data traffic is the voice data traffic from specified equipment according to the source MAC address field of the data packet entering the port The packet with the source MAC address complying with the system defined voice equipment OUI Organizationally U...

Page 160: ...onfiguration Task Sequence 1 Set the VLAN to Voice VLAN 2 Add a voice equipment to Voice VLAN 3 Enable the Voice VLAN on the port 1 Configure the VLAN to Voice VLAN 2 Add a Voice equipment to a Voice VLAN 3 Enable the Voice VLAN of the port Command Explanation Global Mode voice vlan vlan vlan id no voice vlan Set cancel the VLAN as a Voice VLAN Command Explanation Global Mode voice vlan mac mac ad...

Page 161: ...g 17 10 VLAN typical apply topology Figure Configuration items Configuration Explanation Voice VLAN Global configuration on the Switch Configuration procedure Switch 1 Switch config vlan 100 Switch Config Vlan100 exit Switch config voice vlan vlan 100 Switch config voice vlan mac 00 03 0f 11 22 33 mask 255 priority 5 name company Switch config voice vlan mac 00 03 0f 11 22 55 mask 255 priority 5 n...

Page 162: ...7 Multi to One VLAN Translation Configuration 17 7 1 Introduction to Multi to One VLAN Translation Multi to One VLAN translation it translates the original VLAN ID into the new VLAN ID according to user s requirement on uplink traffic and restores the original VLAN ID on downlink traffic Application and configuration of Multi to One VLAN translation will be explained in detail in this section 17 7...

Page 163: ...serB and userC will be translated into VLAN1 VLAN2 VLAN3 by Ethernet1 0 1 of edge switch1 from network layer respectively In the same way it implements multi to one translation for userD userE and userF on Ethernet1 0 1 of edge switch2 Fig 17 11 VLAN translation typical application U s e r A V I D 1 User B VID 2 U s e rC V ID 3 U s e r D V I D 1 UserE VID 2 U s e rF V ID 3 User D E F VID 101 User ...

Page 164: ...e time Do not be used with VLAN translation at the same time The same MAC address should not exist in the original and the translated VLAN Check whether the hardware resource of the chip is able to ensure all clients to work normally Limit learning of MAC address may affect Multi to One VLAN Translation Multi to One VLAN Translation should be enabled after MAC learning 17 8 Super VLAN Configuratio...

Page 165: ...s 1 1 1 0 28 However subnet 1 1 1 0 of network segment subnet broadcast address 1 1 1 15 and the default gateway address 1 1 1 1 can not become the host address address range within 1 1 1 2 to 1 1 1 14 can become the host address So the usable host addresses total is 13 232 28 3 13 however only 10 addresses can satisfy the requirement for VLAN21 The rest may be deduced by analogy the needed host a...

Page 166: ...We can see that the number of the wasting IP address such as subnet number broadcast address default gateway address is considerable and badly reduce the addressing flexility that waste many addresses Therefore Super VLAN is developed for solving the problem Super VLAN advantages are shown in the following Reduce IP address number about subnet number default gateway address and broadcast address I...

Page 167: ...erface 5 Specify or delete ip addr range of subvlan Command Explanation VLAN configuration mode supervlan no supervlan Create or delete supervlan Command Explanation VLAN configuration mode subvlan WORD no subvlan WORD all Specify or delete subvlan Command Explanation Interface configuration mode arp proxy subvlan WORD all no arp proxy subvlan WORD all Enable or disable arp proxy function of subvl...

Page 168: ...nge of VLAN4 from 1 1 1 20 to 1 1 1 30 layer 3 flows of terminals within two address ranges allows to be forwarded only To implement this requirement it needs to configure supervlan on switch Configuration items Configuration Explanation VLAN2 Supervlan VLAN3 Port1 of switchA VLAN4 Port2 of switchA Configuration procedure Switch A switch Config vlan 2 4 switch Config vlan 2 switch Config Vlan2 sup...

Page 169: ...n be forwarded to other VLAN When two devices send flows to each other at different subvlan please enable arp proxy function on two subvlans Sub vlan can not set layer 3 interface When creating deleting supervlan VLAN needs to ensure no layer 3 interface if not it will result in error If interface of supervlan specifies IP address range but do not specify address range of subvlan address range set...

Page 170: ...eates a mapping to the destination port Then the MAC table is queried for the destination MAC address if hit the data frame is forwarded in the associated port otherwise the switch forwards the data frame to its broadcast domain If a dynamic MAC address is not learnt from the data frames to be forwarded for a long time the entry will be deleted from the switch MAC table There are two MAC table ope...

Page 171: ...destined to 00 01 33 33 33 33 as the MAC table contains only a mapping entry of MAC address 00 01 11 11 11 11 and port1 0 5 and no port mapping for 00 01 33 33 33 33 present the switch broadcast this message to all the ports in the switch assuming all ports belong to the default VLAN1 3 PC3 and PC4 on port 1 0 12 receive the message sent by PC1 but PC4 will not reply as the destination MAC address...

Page 172: ...e MAC table will find PC2 and PC1 are in the same physical segment and filter the message i e drop this message Three types of frames can be forwarded by the switch Broadcast frame Multicast frame Unicast frame The following describes how the switch deals with all the three types of frames 1 Broadcast frame The switch can segregate collision domains but not broadcast domains If no VLAN is set all ...

Page 173: ...dress aging time 2 Configure static MAC forwarding or filter entry 3 Clear dynamic address table 4 Configure MAC learning through CPU control 1 Configure the MAC aging time Command Explanation Global Mode mac address table aging time 0 aging time no mac address table aging time Configure the MAC address aging time 2 Configure static MAC forwarding or filter entry Command Explanation Global Mode ma...

Page 174: ...ble MAC learning through CPU control the no command restores that the chip automatically learn MAC address 18 3 Typical Configuration Examples Fig 18 2 MAC Table typical configuration example Scenario Four PCs as shown in the above figure connect to port 1 0 5 1 0 7 1 0 9 1 0 11 of switch all the four PCs belong to the default VLAN1 As required by the network environment dynamic learning is enable...

Page 175: ...tion finishes and the port will learn the MAC address If not the problems mentioned above please check for the switch portand contact technical support for solution 18 5 MAC Address Function Extension 18 5 1 MAC Address Binding 18 5 1 1 Introduction to MAC Address Binding Most switches support MAC address learning each port can dynamically learn several MAC addresses so that forwarding data stream...

Page 176: ...mmand disables the MAC address binding function for the port and restores the MAC address learning function for the port 2 Lock the MAC addresses for a port Command Explanation Port Mode switchport port security lock no switchport port security lock Lock the port then MAC addresses learned will be disabled The no switchport port security lock command restores the function switchport port security ...

Page 177: ...ac notification trap configuration Command Explanation Global Mode mac address table periodic monitor time 5 86400 Set the MAC monitor interval to count the added and deleted MAC in time and send out them with trap message 18 5 1 3 Binding MAC Address Binding Troubleshooting Enabling MAC address binding for ports may fail in some occasions Here are some possible causes and solutions If MAC address...

Page 178: ...pported by the port 6 Show the configuration and the data of MAC notification 7 Clear the statistics of MAC notification trap 1 Configure the global snmp MAC notification 2 Configure the global MAC notification 3 Configure the interval for sending MAC notification Command Explanation Global mode snmp server enable traps mac notification no snmp server enable traps mac notification Configure or can...

Page 179: ... config snmp server enable Switch config snmp server enable traps mac notification Switch config mac address table notification Switch config mac address table notification interval 5 Command Explanation Global mode mac address table notification history size 0 500 no mac address table notification history size Configure the history table size the no command restores the default value Command Expl...

Page 180: ...config mac address table notification history size 100 Switch Config If Ethernet1 0 4 mac notification both 18 6 4 MAC Notification Troubleshooting Check whether trap message is sent successfully by show command and debug command of snmp ...

Page 181: ...reduce the number of spanning tree instances which consumes less CPU resources and reduces the bandwidth consumption 19 1 1 MSTP Region Because multiple VLANs can be mapped to a single spanning tree instance IEEE 802 1s committee raises the MST concept The MST is used to make the association of a certain VLAN to a certain spanning tree instance A MSTP region is composed of one or multiple bridges ...

Page 182: ...s at the boundary of the region is selected as the IST master When an MSTP bridge initializes it sends BPDUs claiming itself as the root of the CST and the IST master with both of the path costs to the CST root and to the IST master set to zero The bridge also initializes all of its MST instances and claims to be the root for all of them If the bridge receives superior MST root information lower b...

Page 183: ...each MSTI port has one new role Master Port The port roles in the CIST Root Port Designated Port Alternate Port and Backup Port are defined in the same ways as those in the RSTP 19 1 3 MSTP Load Balance In a MSTP region VLANs can by mapped to various instances That can form various topologies Each instance is independent from the others and each distance can have its own attributes such as bridge ...

Page 184: ...ning tree priority bridge priority no spanning tree priority Configure the spanning tree priority of the switch Port Mode spanning tree mst instance id cost cost no spanning tree mst instance id cost Set port path cost for specified instance spanning tree mst instance id port priority port priority no spanning tree mst instance id port priority Set port priority for specified instance spanning tre...

Page 185: ...The no command restores the default setting MSTP region mode show Display the information of the current running system instance instance id vlan vlan list no instance instance id vlan vlan list Create Instance and set mapping between VLAN and Instance name name no name Set MSTP region name revision level level no revision level Set MSTP region revision level abort Quit MSTP region mode and return...

Page 186: ... MSTP region Command Explanation Port Mode spanning tree link type p2p auto force true force false no spanning tree link type Set the port link type spanning tree portfast bpdufilter bpduguard recovery 30 3600 no spanning tree portfast Set and cancel the port to be an boundary port bpdufilter receives the BPDU discarding bpduguard receives the BPDU will disable port no parameter receives the BPDU ...

Page 187: ...mit hold count Set the max transmit hold count of port spanning tree cost format dot1d dot1t Set port cost format with dot1d or dot1t Command Explanation Port Mode spanning tree digest snooping no spanning tree digest snooping Set the port to use the authentication string of partner port The no command restores to use the generated string Command Explanation Global Mode spanning tree tcflush enabl...

Page 188: ...figuration for switches is listed below Bridge Name SW1 SW2 SW3 SW4 Bridge MAC Address 00 00 01 00 00 02 00 00 03 00 00 04 Bridge Priority 32768 32768 32768 32768 Port Priority port 1 128 128 128 port 2 128 128 128 port 3 128 128 port 4 128 128 port 5 128 128 port 6 128 128 port 7 128 128 Ro ute Co st port 1 200000 200000 200000 Port Mode spanning tree tcflush enable disable protect no spanning tr...

Page 189: ...Switch3 and Switch4 to have the same region name as mstp Map VLAN 20 and VLAN 30 in Switch2 Switch3 and Switch4 to Instance 3 Map VLAN 40 and VLAN 50 in Switch2 Switch3 and Switch4 to Instance 4 Step 3 Set Switch3 as the root bridge of Instance 3 Set Switch4 as the root bridge of Instance 4 Set the bridge priority of Instance 3 in Switch3 as 0 Set the bridge priority of Instance 4 in Switch4 as 0 ...

Page 190: ...ning tree mst configuration Switch3 Config Mstp Region name mstp Switch3 Config Mstp Region instance 3 vlan 20 30 Switch3 Config Mstp Region instance 4 vlan 40 50 Switch3 Config Mstp Region exit Switch3 config interface e1 0 1 7 Switch3 Config Port Range switchport mode trunk Switch3 Config Port Range exit Switch3 config spanning tree Switch3 config spanning tree mst 3 priority 0 Switch4 Switch4 c...

Page 191: ...ot of the instance 4 The traffic of VLAN 20 and VLAN 30 is sent through the topology of the instance 3 The traffic of VLAN 40 and VLAN 50 is sent through the topology of the instance 4 And the traffic of other VLANs is sent through the topology of the instance 0 The port 1 in Switch2 is the master port of the instance 3 and the instance 4 The MSTP calculation generates 3 topologies the instance 0 ...

Page 192: ... port The MSTP parameters co work with each other so the parameters should meet the following conditions Otherwise the MSTP may work incorrectly 2 Bridge_Forward_Delay 1 0 seconds Bridge_Max_Age Bridge_Max_Age 2 Bridge_Hello_Time 1 0 seconds When users modify the MSTP parameters they have to be sure about the changes of the topologies The global configuration is based on the bridge Other configura...

Page 193: ...rantee for service quality of consistent and predictable data transfer service to fulfill program requirements QoS cannot generate new bandwidth but provides more effective bandwidth management according to the application requirement and network management QoS Domain QoS Domain supports QoS devices to form a net topology that provides Quality of Service so this topology is defined as QoS Domain C...

Page 194: ...rding operations to packets according to the policing policies Scheduling QoS egress action Add the packets to the corresponding egress queue according to the internal priority And then decide sending and dropping according to Drop Precedence sending algorithm and queue weight of egress queue 20 1 2 QoS Implementation To implement the switch software QoS a general mature reference model should be ...

Page 195: ...ority packets in case of bandwidth shortage If devices of each hop in a network support differentiated service an end to end QoS solution can be created QoS configuration is flexible the complexity or simplicity depends on the network topology and devices and analysis to incoming outgoing traffic 20 1 3 Basic QoS Model The basic QoS consists of four parts Classification Policing Remark and Schedul...

Page 196: ...acket IP packet N N Y N N Y Enter the policing flow Y Set Int Prio as the default ingress Int Prio tag packet Y N 2 2 L2 COS value of the packet is its own L2 COS L2 COS value obtained by the packet as the default COS 1 Fig 20 4 Classification process Note 1 L2 CoS value is considered a property of the packets there is no relation with the internal priority obtained of the following flow ...

Page 197: ...ferent policies that allocate bandwidth to classified traffic the assigned bandwidth policy may be single bucket dual color or dual bucket three color The traffic will be assigned with different color can be discarded or passed for the passed packets add the remarking action Remarking uses a new Int Prio value of lower priority to replace the original higher level Int Prio value in the packet COS ...

Page 198: ...of the packets 1 Policied IntP Transmit Drop the internal priority of the packets 2 Whether configure the policy The specific color action Fig 20 5 Policing and Remarking process Note 1 Int Prio will be covered with the after setting Set Int Prio of the specific color action will cover Set Int Prio of the unrelated action with the color Note 2 Drop the internal priority of the packets according to...

Page 199: ...ified queue and forward the packets according to the weight priority Yes No Read the buffer value according to the queue management algorithm WDRR SP the drop precedence and the egress queue buffer is available Drop the packets Select the queue according to IntPrio to Queue mapping Obtain the packet Drop Prec according to IntPrio to Drop Prec Fig 20 6 Queuing and Scheduling process Note 1 The ingr...

Page 200: ... bound to that port The policy may be bound to the specific VLAN It is not recommended to synchronously use policy map on VLAN and its port or else the policy map priority of the port is higher Configure queue management algorithm Configure queue management algorithm such as sp wdrr and so on Configure QoS mapping Configure the mapping from CoS to IntP DSCP to IntP IntP to DSCP COS IntP DP or queu...

Page 201: ...els the new assigned value Single bucket mode policy bits_per_second normal_burst_bytes exceed action ACTION Dual bucket mode policy bits_per_second normal_burst_bytes pir peak_rate_bps maximum_burst_bytes exceed action ACTION violate action ACTION ACTION definition drop transmit set internal priority intp_value policied intp transmit no policy Configure a policy for the classified flow The non ag...

Page 202: ...st cos dscp no mls qos trust cos dscp Configure port trust the no command disables the current trust status of the port mls qos cos default cos no mls qos cos Configure the default CoS value of the port the no command restores the default setting mls qos internal priority default intp no mls qos internal priority Configure the default internal priority value of the port the no command restores the...

Page 203: ... is wdrr Global Mode mls qos queue wdrr weight weight0 weight7 no mls qos queue wdrr weight Set wdrr queue weight for all ports globally the default queue weight is 1 1 1 1 1 1 1 1 5 Configure QoS mapping Command Explanation Global Mode mls qos map cos intp intp1 intp8 dscp intp in dscp list to intp intp cos intp list to out cos intp dp intp list to out dp intp dscp intp list to out dscp intp intp...

Page 204: ...oS configuration information on a port show mls qos vlan v id Display QoS configuration on VLAN interface 20 3 QoS Example Example 1 Enable QoS function change the global queue out weight to 1 1 2 2 4 4 8 8 set port ethernet 1 0 1 in trust CoS mode without changing DSCP value and set the default CoS value of the port to 5 The configuration steps are listed below Switch config Switch config mls qos...

Page 205: ...ss group 1 Switch Config ClassMap c1 exit Switch config policy map p1 Switch Config PolicyMap p1 class c1 Switch Config PolicyMap p1 Class c1 policy 10000 4000 exceed action drop Switch Config PolicyMap p1 Class c1 exit Switch Config PolicyMap p1 exit Switch config interface ethernet 1 0 2 Switch Config If Ethernet1 0 2 service policy input p1 Configuration result An ACL name 1 is set to matching ...

Page 206: ... to trust dscp Thus inside the QoS domain packets of different priorities will go to different queues and get different bandwidth The configuration steps are listed below QoS configuration in Switch1 Switch config Switch config access list 1 permit 192 168 1 0 0 0 0 255 Switch config class map c1 Switch Config ClassMap c1 match access group 1 Switch Config ClassMap c1 exit Switch config policy map...

Page 207: ...rust dscp can be used with other trust or Policy Map This configuration takes effect to IPv4 and IPv6 packets trust exp trust dscp and trust cos may be configured at the same time the priority is EXP DSCP COS If the dynamic VLAN mac vlan voice vlan ip subnet vlan protocol vlan is configured then the packet COS value equals COS value of the dynamic VLAN At present it is not recommended to synchrono...

Page 208: ... the problems in the network 2 Special transmission policy for a special type of data frames The switch can only designate a single destination port of redirection for a same class of flow within a source port of redirection while it can designate different destination ports of redirection for different classes of flows within a source port of redirection The same class of flow can be applied to d...

Page 209: ...ased on this flow to port 1 The following is the configuration procedure Switch config access list 1 permit host 192 168 1 111 Switch config interface ethernet 1 0 1 Switch Config If Ethernet1 0 1 access group 1 redirect to interface ethernet 1 0 6 21 4 Flow based Redirection Troubleshooting Help When the configuration of flow based redirection fails please check that whether it is the following r...

Page 210: ...Q is higher than basic QinQ 22 1 2 Basic QinQ Basic QinQ based the port After a port configures QinQ whether the received packet with tag or not the device still packs the default VLAN tag for the packet Using basic QinQ is simple but the setting method of VLAN tag is inflexible 22 1 3 Flexible QinQ Flexible QinQ based data flow It selects whether pack the external tag and packs what kind of the e...

Page 211: ...s Set the match standard of class map classify data flow by ACL CoS VLAN ID IPv4 Precedent or DSCP etc for the class map the no command deletes the specified match standard 2 Configure policy map of flexible QinQ Command Explanation Global mode policy map policy map name no policy map policy map name Create a policy map and enter policy map mode the no command deletes the specified policy map clas...

Page 212: ... the no command deletes the specified policy map applied to the port Global mode service policy input policy map name vlan vid no service policy input policy map name vlan vid Apply a policy map to a VLAN the no command deletes the specified policy map applied to the VLAN 4 Show flexible QinQ policy map bound to port Command Explanation Admin mode show mls qos interface interface id Show flexible ...

Page 213: ...ied to BRAS device The packet with tag 2001 or 3001 will be packed an external tag 2001 or 3001 and classfied to SR device according to the flow rules The second user can be assigned different VLAN tags for different VLANs in DSLAM2 Notice The assigned VLAN tag of the second user may be same with the first user and the packet with tag will be also packed an external tag In the above figure the ext...

Page 214: ...ow of DSLAM2 enters the switch s downlink port1 the configuration is as follows Switch config class map c1 Switch config classmap c1 match vlan 1001 Switch config classmap c1 exit Switch config class map c2 Switch config classmap c2 match vlan 2001 Switch config classmap c2 exit Switch config class map c3 Switch config classmap c3 match vlan 3001 Switch config classmap c3 exit Switch config policy...

Page 215: ...ed by the following reasons Make sure flexible QinQ whether supports the configured class map and policy map Make sure ACL includes permit rule if the class map matches ACL rule Make sure the switch exists enough TCAM resource to send the binding Priority of flexible QinQ and vlan ingress filtering for processing packets is flexible QinQ vlan ingress filtering ...

Page 216: ... network cannot identify and distinguish various kinds of communications while this ability is the very premise of providing differentiated services for different communications Therefore the best effort service mode of traditional network cannot meet the demand of applications The emergence of QoS techniques is committed to solve this problem Egress PolicyMap is the QoS policy in egress which per...

Page 217: ...edence Policing and remark of Egress Set the color of packet traffic according to policing policy of Egress PolicyMap degrade or drop different color packets According to the characters including field values like COS and DSCP of upstream packets policing and rewriting of Egress make the last QoS change on the packet prior to the packet egress Policing configures different policing policy based on...

Page 218: ...ts modify dscp value of packets according to cos table of QoS remarking dscp cos for dscp value of packets modify cos value of packets according to dscp table of QoS remarking dscp dscp for dscp value of packets modify dscp value of packets according to dscp table of QoS remarking 23 2 Egress QoS Configuration Egress QoS Configuration Task List Configure class map Set up a classification rule acco...

Page 219: ...een packets modifying switch of green packets should be enabled and ingress needs to trust the corresponding QoS attribute qos dscp exp 1 Configure a class map Command Explanation Global Mode class map class map name no class map class map name Create a class map and enter class map mode no command deletes the specified class map match access group acl index or name ip dscp dscp list ip precedence...

Page 220: ...y bits_per_second normal_burst_bytes pir peak_rate_bps maximum_burst_bytes action ACTION violate action drop transmit ACTION definition policied cos to cos transmit policied cos to dscp transmit policied dscp exp to cos transmit policied dscp exp to dscp transmit no policy Configure a policy for the classified flow The non aggregation policy command supports three colors Analyze the working mode o...

Page 221: ... applied to the VLAN interface 4 Set Egress QoS remark mapping Command Explanation Global Mode mls qos map cos cos cos dscp green yellow red value1 value2 value8 no mls qos map cos cos cos dscp green yellow red Set Egress cos mapping no command resotores the default configuration mls qos map dscp cos dscp dscp green yellow red dscp list to value no mls qos map dscp cos dscp dscp green yellow red S...

Page 222: ...s dscp dscp cos dscp exp green yellow red Show mapping relation of Egress QoS remark 23 3 Egress QoS Examples Example1 On the egress of the port1 change cos value as 4 for the packet with dscp value of 0 Create a class map switch config class map 1 switch config classmap 1 match ip dscp 0 switch config classmap 1 exit Create a policy map switch config policy map 1 switch config policymap 1 class 1...

Page 223: ...o 1 Mb s with the normal burst value of 1 MB the max burst value of 4 MB set dscp value of 1 as 10 for green packets set dscp value of yellow packets as 9 and drop red packets Create a class map switch config class map c1 switch config classmap c1 match ip dscp 1 switch config classmap c1 exit Create a policy map switch config policy map p1 switch config policymap p1 class c1 switch config policym...

Page 224: ...sification table is supported by the current device If terminal printing suggests lack of resource please make sure there is enough resource to send the current policy If the policy with match acl configured cannot bind to the port or VLAN please make sure rules including permit exist in ACL If modifying QoS attribute is invalid by Egress QoS remark please ensure whether ingress sets the correspon...

Page 225: ...peed 24 1 Layer 3 Interface 24 1 1 Introduction to Layer 3 Interface Layer 3 interface can be created on switch The Layer 3 interface is not a physical interface but a virtual interface Layer 3 interface is built on VLANs The Layer 3 interface can contain one or more layer 2 ports which belong to the same VLAN or contain no layer 2 ports At least one of the Layer 2 ports contained in Layer 3 inter...

Page 226: ... deletes the Loopback interface created in the switch 2 Bandwidth for Layer 3 Interface configuration 3 Configure VLAN interface description 4 Open or close the vlan interface Command Explanation VLAN Interface Mode bandwidth bandwidth no bandwidth Configure the bandwidth for Layer 3 Interface The no command recovery the default value Command Explanation VLAN Interface Mode description text no des...

Page 227: ...able IPv4 layer 3 forwarding function Ipv6 hardware forwarding enable Enable IPv6 layer 3 forwarding function 2 Configure L3 list number Command Explain Global mode Ipv4 hardware forwarding l3 1 256 Ipv6 hardware forwarding l3 1 256 Configure IPv4 L3 list number Configure IPv4 L3 list number 3 Configure LPM list number Command Explain Global mode Ipv4 hardware forwarding lpm 1 128 Ipv6 hardware fo...

Page 228: ...e and Wireless Service Information Terminal which make use of Internet which require IP addresses the supply of IP addresses turns out to be more and more tense People have been working on the problem of shortage of IPv4 addresses for a long time by introducing various technologies to prolong the lifespan of existing IPv4 infrastructure including Network Address Translation NAT for short and Class...

Page 229: ...vides security extended header which provides end to end security services such as access control confidentiality and data integrity consequently making the implement of encryption validation and Virtual Private Network easier Enhance the support for Mobile IP and mobile calculating devices The Mobile IP Protocol defined in IETF standard makes mobile devices movable without cutting the existing co...

Page 230: ...the IPv4 address of three layer interface 1 Configure the IPv4 address of three layer interface Command Explanation VLAN Interface Configuration Mode ip address ip address mask secondary no ip address ip address mask Configure IP address of VLAN interface the no ip address ip address mask command cancels IP address of VLAN interface 24 3 2 2 IPv6 Address Configuration The configuration Task List o...

Page 231: ...1 Configure interface IPv6 address Command Explanation Interface Configuration Mode ipv6 address ipv6 address prefix length eui 64 no ipv6 address ipv6 address prefix length Configure IPv6 address including aggregatable global unicast addresses site local addresses and link local addresses The no ipv6 address ipv6 address prefix length command cancels IPv6 address 2 Set IPv6 Static Routing Command...

Page 232: ...ommand resumes default value 1 second 3 Enable and disable router advertisement Command Explanation Interface Configuration Mode ipv6 nd suppress ra no ipv6 nd suppress ra Forbid IPv6 Router Advertisement The NO command enables IPv6 router advertisement 4 Configure Router Lifespan Command Explanation Interface Configuration Mode ipv6 nd ra lifetime seconds no ipv6 nd ra lifetime Configure Router a...

Page 233: ...x and advertisement parameters of router The NO command cancels the address prefix of routing advertisement 8 Configure static IPv6 neighbor Entries Command Explanation Interface Configuration Mode ipv6 neighbor ipv6 address hardware address interface interface type interface name Set static neighbor table entries including neighbor IPv6 address MAC address and two layer port no ipv6 neighbor ipv6...

Page 234: ...on Interface Configuration Mode ipv6 nd retrans timer seconds Set the retrans timer of sending router advertisement 14 Set the flag representing whether information other than the address information will be obtained via DHCPv6 Command Explanation Interface Configuration Mode ipv6 nd other config flag Set the flag representing whether information other than the address information will be obtained...

Page 235: ...address 192 168 2 2 255 255 255 0 in VLAN2 of Switch2 and configure IPv4 address 192 168 3 1 255 255 255 0 in VLAN3 5 The IPv4 address of PC1 is 192 168 1 100 255 255 255 0 and the IPv4 address of PC2 is 192 168 3 100 255 255 255 0 6 Configure static routing 192 168 3 0 24 on Switch1 and configure static routing 192 168 1 0 24 on Switch2 7 Ping each other among PCs Note First make sure PC1 and Swi...

Page 236: ...ng6 function Configuration Description 1 Configure two VLANs on Switch1 namely VLAN1 and VLAN2 2 Configure IPv6 address 2001 1 64 in VLAN1 of Switch1 and configure IPv6 address 2002 1 64 in VLAN2 3 Configure 2 VLANs on Switch2 namely VLAN2 and VLAN3 4 Configure IPv6 address 2002 2 64 in VLAN2 of Switch2 and configure IPv6 address 2003 1 64 in VLAN3 5 The IPv6 address of PC1 is 2001 11 64 and the I...

Page 237: ...f Vlan2 ipv6 address 2002 2 64 Switch2 Config interface vlan 3 Switch2 Config if Vlan3 ipv6 address 2003 1 64 Switch2 Config if Vlan3 exit Switch2 Config ipv6 route 2001 33 64 2002 1 Switch1 ping6 2003 33 Configuration result Switch1 show run interface Vlan1 ipv6 address 2001 1 64 interface Vlan2 ipv6 address 2002 2 64 interface Loopback mtu 3924 ipv6 route 2003 64 2002 2 no login end Switch2 show...

Page 238: ...achieve wire speed forwarding In addition flexible management is provided to adjust and monitor forwarding Switch supports aggregation algorithm enabling disabling optimization to adjust generation of network route entry in the switch chip and view statistics for IP forwarding and hardware forwarding chip status 24 4 2 IP Route Aggregation Configuration Task IP route aggregation configuration task...

Page 239: ...ceived Enabling proxy ARP allows machines physically separated but of the same IP segment ignores the physical separation and communicate via proxy ARP interface as if in the same physical network 24 5 2 ARP Configuration Task List ARP Configuration Task List 1 Configure static ARP 2 Configure proxy ARP 3 Clear dynamic ARP 4 Clear the statistic information of ARP messages 1 Configure static ARP Co...

Page 240: ... the port in normal condition learn the port information of arp nd entry again according to arp nd packets If PC or other network nodes switch over the port non security switchover ARP packets are not sent or received does not process to learn again New l3 station movement is used to satisfy arp nd switchover in specific condition When MAC switch over the port it is considered to be security switc...

Page 241: ...Layer 3 Forward Configuration 240 Command Explanation Global Mode l3 station move no l3 station move Enable or disable l3 station move ...

Page 242: ... prevent ARP scanning if there is any host or port with ARP scanning features is found in the segment the switch will cut off the attack source to ensure the security of the network There are two methods to prevent ARP scanning port based and IP based The port based ARP scanning will count the number to ARP messages received from a port in a certain time range if the number is larger than a preset...

Page 243: ...bally 2 Configure the threshold of the port based and IP based ARP Scanning Prevention Command Explanation Global configuration mode anti arpscan port based threshold threshold value no anti arpscan port based threshold Set the threshold of the port based ARP Scanning Prevention anti arpscan ip based threshold threshold value no anti arpscan ip based threshold Set the threshold of the IP based ARP...

Page 244: ...ic recovery time 6 Display relative information of debug information and ARP scanning Command Explanation Global configuration mode anti arpscan log enable no anti arpscan log enable Enable or disable the log function of ARP scanning prevention anti arpscan trap enable no anti arpscan trap enable Enable or disable the SNMP Trap function of ARP scanning prevention show anti arpscan trust ip port su...

Page 245: ... A configuration task sequence SwitchA config anti arpscan enable SwitchA config anti arpscan recovery time 3600 SwitchA config anti arpscan trust ip 192 168 1 100 255 255 255 0 SwitchA config interface ethernet1 0 2 SwitchA Config If Ethernet1 0 2 anti arpscan trust port SwitchA Config If Ethernet1 0 2 exit SwitchA config interface ethernet1 0 19 SwitchA Config If Ethernet1 0 19 anti arpscan trus...

Page 246: ... Configuration 245 25 4 ARP Scanning Prevention Troubleshooting Help ARP scanning prevention is disabled by default After enabling ARP scanning prevention users can enable the debug switch debug anti arpscan to view debug information ...

Page 247: ...s ARP cache table so it creates a possibility of ARP spoofing If the hacker wants to snoop the communication between two host computers in the same network even if are connected by the switches it sends an ARP reply packet to two hosts separately and make them misunderstand MAC address of the other side as the hacker host MAC address In this way the direct communication is actually communicated in...

Page 248: ...tion At one time it doesn t interrupt the automatic learning function of ARP Thus it prevents ARP spoofing and attack to a great extent ND is neighbor discovering protocol in IPv6 protocol and it s similar to ARP on operation principle therefore we do in the same way as preventing ARP spoofing to prevent ND spoofing and attack 26 2 Prevent ARP ND Spoofing configuration The steps of preventing ARP ...

Page 249: ...B to itself so need switch sends the packets transfer from B to A firstly A sends ARP reply packet to switch format is 192 168 2 3 00 00 00 00 00 01 mapping its MAC address to C s IP so the switch changes IP address when it updates ARP list then data packet of 192 168 2 3 is transferred to 00 00 00 00 00 01 address A MAC address In further a transfers its received packets to C by modifying source ...

Page 250: ...0 00 00 02 interface eth 1 0 2 Switch Config If Vlan2 interface vlan 3 Switch Config If Vlan3 arp 192 168 2 3 00 00 00 00 00 03 interface eth 1 0 2 Switch Config If Vlan3 exit Switch Config ip arp security learnprotect Switch Config Switch config ip arp security convert If the environment changing it enable to forbid ARP refresh once it learns ARP property it wont be refreshed by new ARP reply pac...

Page 251: ...ss which will prevent PC2 from receiving the messages to it Particularly if the attacker pretends to be the gateway and do ARP cheating the whole network will be collapsed Fig 27 1 ARP GUARD schematic diagram We utilize the filtering entries of the switch to protect the ARP entries of important network devices from being imitated by other devices The basic theory of doing this is that utilizing th...

Page 252: ...ease refer to relative documents for details 27 2 ARP GUARD Configuration Task List 1 Configure the protected IP address Command Explanation Port configuration mode arp guard ip addr no arp guard ip addr Configure delete ARP GUARD address ...

Page 253: ...ARP message the switch hardware will send the ARP request to CPU instead of forwarding this message via hardware according to new ARP handling rules 3 With local ARP proxy enabled the switch will send ARP reply message to PC1 to fill up its mac address 4 After receiving the ARP reply PC1 will create ARP send an IP message and set the destination MAC of the Ethernet head as the MAC of the switch 5 ...

Page 254: ...Command Explanation Interface vlan mode ip local proxy arp no ip local proxy arp Enable or disable ARP local proxy function 28 3 Typical Examples of ARP Local Proxy Function As shown in the following figure S1 is a medium high level layer 3 switch supporting ARP local proxy S2 is layer 2 access switches supporting interface isolation Considering security interface isolation function is enabled on ...

Page 255: ...nfig if Vlan1 exit 28 4 ARP Local Proxy Function Troubleshooting ARP local proxy function is disabled by default Users can view the current configuration with display command With correct configuration by enabling debug of ARP users can check whether the ARP proxy is normal and send proxy ARP messages In the process of operation the system will show corresponding prompts if any operational error o...

Page 256: ...the gateway If the switch advertises gratuitous ARP requests the host will not have to send these requests This will reduce the frequency the hosts sending ARP requests for the gateway s MAC address 2 Gratuitous ARP is a method to prevent ARP cheating The switch s advertising gratuitous ARP request will force the hosts to update its ARP table cache Thus forged ARP of gateway cannot function 29 2 G...

Page 257: ...PC3 PC4 PC5 are connected to the interface The IP address of interface VLAN 1 is 192 168 14 254 its network address mask is 255 255 255 0 Two PCs PC1 and PC2 are connected to this interface Gratuitous ARP can be enabled through the following configuration 1 Configure two interfaces to use gratuitous ARP at one time Switch config ip gratuitous arp 300 Switch config exit 2 Configure gratuitous ARP s...

Page 258: ... the debugging information about ARP packets can be retrieved through the command debug ARP send If gratuitous ARP is enabled in global configuration mode it can be disabled only in global configuration mode If gratuitous ARP is configured in interface configuration mode the configuration can only be disabled in interface configuration mode ...

Page 259: ... shutdown the interface if ARP resolution is successful keep the interface up Only layer 3 switch supports keepalive gateway function 30 2 Keepalive Gateway Configuration Task List 1 Enable or disable keepalive gateway configure the interval period that ARP request packet is sent and the retry count after detection is failing 2 Show keepalive gateway and IPv4 running status of the interface 1 Enab...

Page 260: ...5 255 0 for gateway A interface address of interface vlan100 is 1 1 1 2 255 255 255 0 for gateway B gateway B supports keepalive gateway function the configuration in the following 1 Adopt the default interval that ARP packet is sent and the retry count after detection is failing the default interval is 10s the default retry count is 5 times Switch config interface vlan 100 Switch config if vlan10...

Page 261: ... following reasons Make sure the device is layer 3 switch layer 2 switch does not support keepalive gateway The detection method is used to point to point topology mode only Detect IPv4 accessibility by the method so the detection result only affects IPv4 traffic other traffic such as IPv6 is not affected Physical state of interface only controlled by physical signal Interface can t run IPv4 after...

Page 262: ...ient requests the network address and configuration parameters from the DHCP server the server provides the network address and configuration parameters for the clients if DHCP server and clients are located in different subnets DHCP relay is required for DHCP packets to be transferred between the DHCP client and DHCP server The implementation of DHCP is shown below Fig 31 1 DHCP protocol interact...

Page 263: ... be different every time manually bound IP address will be the same all the time 2 The lease period of IP address obtained dynamically is the same as the lease period of the address pool and is limited the lease of manually bound IP address is theoretically endless 3 Dynamically allocated address cannot be bound manually 4 Dynamic DHCP address pool can inherit the network configuration parameters ...

Page 264: ... clients The no command deletes DNS server configuration domain name domain no domain name Configure Domain name for DHCP clients the no domain name command deletes the domain name netbios name server address1 address2 address 8 no netbios name server Configure the address for WINS server The no operation cancels the address for server netbios node type b node h node m node p node type number no n...

Page 265: ...h address Exclude the addresses in the address pool that are not for dynamic allocation 3 Configure manual DHCP address pool parameters Command Explanation DHCP Address Pool Mode hardware address hardware address Ethernet IEEE802 type number no hardware address Specify delete the hardware address when assigning address manually host address mask prefix length no host Specify delete the IP address ...

Page 266: ...ay is added to the process 1 The client broadcasts a DHCPDISCOVER packet and DHCP relay inserts its own IP address to the relay agent field in the DHCPDISCOVER packet on receiving the packet and forwards the packet to the specified DHCP server for DHCP frame format please refer to RFC2131 2 On the receiving the DHCPDISCOVER packets forwarded by DHCP relay the DHCP server sends the DHCPOFFER packet...

Page 267: ...ng to the office locations The network configurations for location A and B are shown below PoolA network 10 16 1 0 PoolB network 10 16 2 0 Device IP address Device IP address Default gateway 10 16 1 200 10 16 1 201 Default gateway 10 16 1 200 10 16 1 201 DNS server 10 16 1 202 DNS server 10 16 1 202 WINS server 10 16 1 209 WWW server 10 16 1 209 WINS node type H node Lease 3 days Lease 1day In loc...

Page 268: ...ess 00 03 22 23 dc ab Switch dhcp A1 config exit Usage Guide When a DHCP BOOTP client is connected to a VLAN1 port of the switch the client can only get its address from 10 16 1 0 24 instead of 10 16 2 0 24 This is because the broadcast packet from the client will be requesting the IP address in the same segment of the VLAN interface after VLAN interface forwarding and the VLAN interface IP addres...

Page 269: ...0 2 switchport access vlan 2 Switch Config Erthernet1 0 2 exit Switch config interface vlan 2 Switch Config if Vlan2 ip address 10 1 1 1 255 255 255 0 Switch Config if Vlan2 exit Switch config ip forward protocol udp bootps Switch config interface vlan 1 Switch Config if Vlan1 ip help address 10 1 1 10 Switch Config if Vlan1 exit Note It is recommended to use the combination of command ip forward ...

Page 270: ...rade its software to one that has a DHCP relay function In such case DHCP server should be examined for an address pool that is in the same segment of the switch VLAN such a pool should be added if not present and This does not indicate switch cannot assign IP address for different segments see solution 2 for details In DHCP service pools for dynamic IP allocation and manual binding are conflictin...

Page 271: ...t assigns IPv6 address it can solve the bug of IPv6 auto address configuration in non state DHCPv6 can provide extend function of DHCPv6 prefix delegation upstream route can assign address prefix to downstream route automatically that achieve the IPv6 address auto assignment in levels of network environment and resolved the problem of ISP and IPv6 network dispose There are three entities in the DH...

Page 272: ...e completed between the DHCPv6 client and server At the time this manual is written DHCPv6 server relay and prefix delegation client have been implemented on the switch When the DHCPv6 relay receives any messages from the DHCPv6 client it will encapsulate the request in a Relay forward packet and deliver it to the next DHCPv6 relay or the DHCPv6 server The DHCPv6 messages coming from the server wi...

Page 273: ...parameter of DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode network address ipv6 pool start address ipv6 pool end address prefix length eui 64 no network address To configure the range of IPv6 address assignable of address pool dns server ipv6 address no dns server ipv6 address To configure DNS server address for DHCPv6 client domain name domain name no domain name ...

Page 274: ...mmand Explanation Global Mode service dhcpv6 no service dhcpv6 To enableDHCPv6 service 2 To configure DHCPv6 relay delegation on port Command Explanation Interface Configuration Mode ipv6 dhcp relay destination ipv6 address interface interface name vlan 1 4096 no ipv6 dhcp relay destination ipv6 address interface interface name vlan 1 4096 To specify the destination address of DHCPv6 relay transmi...

Page 275: ...ngth no ipv6 local pool poolname To configure prefix delegation pool 3 To configure DHCPv6 address pool 1 To achieve delete DHCPv6 address pool Command Explanation Global Mode ipv6 dhcp pool poolname no ipv6 dhcp pool poolname To configure DHCPv6 address pool 2 To configure prefix delegation pool used by DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode prefix delegati...

Page 276: ...domain name no domain name domain name To configure domain name for DHCPv6 client 4 To enable DHCPv6 prefix delegation server function on port Command Explanation Interface Configuration Mode ipv6 dhcp server poolname preference value rapid commit allow hint no ipv6 dhcp server poolname To enable DHCPv6 server function on specified port and binding used DHCPv6 address pool 32 5 DHCPv6 Prefix Deleg...

Page 277: ...xamples Example1 When deploying IPv6 networking the switch can be configured as DHCPv6 server in order to manage the allocation of IPv6 addresses Both the state and the stateless DHCPv6 are supported Topology The access layer use Switch1 switch to connect users of dormitory buildings Switch2 is configured as DHCPv6 relay delegation in primary aggregation layer Switch3 is configured as DHCPv6 serve...

Page 278: ... Vlan1 ipv6 address 2001 da8 1 1 1 64 Switch3 Config if Vlan1 exit Switch3 config interface vlan 10 Switch3 Config if Vlan10 ipv6 address 2001 da8 10 1 1 64 Switch3 Config if Vlan10 ipv6 dhcp server EastDormPool preference 80 Switch3 Config if Vlan10 exit Switch3 config Switch2 configuration Switch2 enable Switch2 config Switch2 config service dhcpv6 Switch2 config interface vlan 1 Switch2 Config ...

Page 279: ... which receive the address prefix send routing advertisement RA messages to the client hosts about the address prefix through the interface which is connected to the hosts then the hosts get an valid IPv6 address through stateless auto configuration while at the same time the stateless DHCPv6 server will be configured for the interface in order to provide the DHCPv6 client with information such as...

Page 280: ...itch2 config ipv6 dhcp pool dhcp pool Switch2 dhcpv6 dhcp pool config prefix delegation pool client prefix pool 1800 600 Switch2 dhcpv6 dhcp pool config exit Switch2 config interface vlan 2 Switch2 Config if Vlan2 ipv6 dhcp server dhcp pool Switch2 Config if Vlan2 exit Switch1 configuration Switch1 enable Switch1 config Switch1 config service dhcpv6 Switch1 config interface vlan 2 Switch1 Config i...

Page 281: ...cket forwarding has DHCPv6 relay function If DHCPv6 relay is not available for the intermediate router it is recommended to replace the router or upgrade its software to one that has a DHCPv6 relay function Sometimes hosts are connected to the DHCPv6 enabled switches but can not get IPv6 addresses In this situation it should be checked first whether the ports which the hosts are connected to are c...

Page 282: ... all the possible DHCP attack messages according to the information in option 82 and defend against them DHCP Relay Agent will peel the option 82 from the reply messages it receives and forward the reply message to the specified port of the network access device according to the physical port information in the option The application of DHCP option 82 is transparent for the client 33 1 1 DHCP opti...

Page 283: ...broadcast message while initializing This request message does not have option 82 2 DHCP Relay Agent will add the option 82 to the end of the request message it receives then relay and forward the message to the DHCP server By default the sub option 1 of option 82 Circuit ID is the interface information of the switch connected to the DHCP client VLAN name and physical port name but the users can c...

Page 284: ...e DHCP option 82 attributes of the interface 3 Enable the DHCP option 82 of server 4 Configure DHCP option 82 default format of Relay Agent 5 Configure delimiter 6 Configure creation method of option82 7 Diagnose and maintain DHCP option 82 1 Enabling the DHCP option 82 of the Relay Agent Command Explanation Global mode ip dhcp relay information option no ip dhcp relay information option Set this ...

Page 285: ...ion 82 and forward the message to the server to process The no ip dhcp relay information policy will set the retransmitting policy of the option 82 DCHP message as replace ip dhcp relay information option subscriber id standard circuit id no ip dhcp relay information option subscriber id This command is used to set the format of option 82 sub option1 Circuit ID option added to the DHCP request mes...

Page 286: ... option 82 default format of Relay Agent Command Explanation Global mode ip dhcp relay information option subscriber id format hex acsii vs hp Set subscriber id format of Relay Agent option82 ip dhcp relay information option remote id format default vs hp Set remote id format of Relay Agent option82 5 Configure delimiter Command Explanation Global mode ip dhcp relay information option delimiter co...

Page 287: ...circuit id for relay option82 7 Diagnose and maintain DHCP option 82 Command Explanation Admin mode show ip dhcp relay information option This command will display the state information of the DHCP option 82 in the system including option82 enabling switch the interface retransmitting policy the circuit ID mode and the DHCP server option82 enabling switch debug ip dhcp relay packet This command is...

Page 288: ...etwork of Swich1 or Swich2 and thus can allocate separate address spaces for the two networks to simplify the management of networks The following is the configuration of Switch3 MAC address is 00 03 0f 02 33 01 Switch3 Config service dhcp Switch3 Config ip dhcp relay information option Switch3 Config ip forward protocol udp bootps Switch3 Config interface vlan 3 Switch3 Config if vlan3 ip address...

Page 289: ... is implemented as a sub function module of DHCP Relay Agent Before using it users should make sure that the DHCP Relay Agent is configured correctly DHCP option 82 needs the DHCP Relay Agent and the DHCP server cooperate to finish the task of allocating IP addresses The DHCP server should set allocating policy correctly depending on the network topology of the DHCP Relay Agent or even the Relay A...

Page 290: ...erver the debug ip dhcp server packet command can be used during the operating procedure to display the procedure of data packets processing of the server including displaying the identified option 82 information of the request message and the option 82 information returned by the reply message ...

Page 291: ...trigger deny service attack through using MAC address of other legal clients Therefore IETF set rfc4649 and rfc4580 i e DHCPv6 option 37 and option 38 to solve these problems DHCPv6 option 37 and option 38 is similar to DHCP option 82 When DHCPv6 client sends request packets to DHCPv6 server though DHCPv6 relay agent if DHCPv6 relay agent supports option 37 and option 38 they will be added to requ...

Page 292: ...r id option This command enables DHCPv6 SNOOPING to support option 38 option no command disables it ipv6 dhcp snooping remote id policy drop keep replace no ipv6 dhcp snooping remote id policy This command is used to configure the reforward policy of the system when receiving DHCPv6 packets with option 37 which can be drop the system simply discards it with option 37 keep the system keeps option 3...

Page 293: ...6 dhcp snooping subscriber id select delimiter Configures user configuration options to generate subscriber id no command restores to its original default configuration i e enterprise number together with vlan MAC ipv6 dhcp snooping subscriber id select sp sv pv spv delimiter WORD delimiter WORD no ipv6 dhcp snooping subscriber id select delimiter Configures user configuration options to generate ...

Page 294: ...delimiter Configures user configuration options to generate remote id The no command restores to its original default configuration i e enterprise option 37 and it is a string with a length of less than 128 The no operation restores remote id in option 37 to enterprise number together with vlan MAC address ipv6 dhcp snooping subscriber id subscriber id no ipv6 dhcp snooping subscriber id This comm...

Page 295: ...ding option 37 in received DHCPv6 request packets of which remote id is the content of remote id in user defined option 37 and it is a string with a length of less than 128 The no operation restores remote id in option 37 to enterprise number together with vlan MAC address ipv6 dhcp relay subscriber id subscriber id no ipv6 dhcp relay subscriber id This command is used to set the form of adding op...

Page 296: ...ommand enables DHCPv6 server to support the using of DHCPv6 class during address assignment the no form of this command disables it without removing the relative DHCPv6 class information that has been configured ipv6 dhcp class class name no ipv6 dhcp class class name This command defines a DHCPv6 class and enters DHCPv6 class mode the no form of this command removes this DHCPv6 class Interface co...

Page 297: ...tion mode class class name no class class name This command associates class to address pool in DHCPv6 address pool configuration mode and enters class configuration mode in address pool Use no command to remove the link address range start ip end ip no address range start ip end ip This command is used to set address range for a DHCPv6 class in DHCPv6 address pool configuration mode the no comman...

Page 298: ...om 2001 da8 100 1 2 to 2001 da8 100 1 30 from 2001 da8 100 1 31 to 2001 da8 100 1 60 and from 2001 da8 100 1 61 to2001 da8 100 1 100 respectively DHCPv6 snooping function is enabled and option 37 and option 38 are configured in Switch A Switch A configuration SwitchA config ipv6 dhcp snooping remote id option SwitchA config ipv6 dhcp snooping subscriber id option SwitchA config int e 1 0 1 SwitchA...

Page 299: ... dhcpv6 class class1 config exit SwitchB config ipv6 dhcp class CLASS2 SwitchB dhcpv6 class class2 config remote id 00 03 0f 00 00 01 subscriber id vlan1 Ethernet1 0 2 SwitchB dhcpv6 class class2 config exit SwitchB config ipv6 dhcp class CLASS3 SwitchB dhcpv6 class class3 config remote id 00 03 0f 00 00 01 subscriber id vlan1 Ethernet1 0 3 SwitchB dhcpv6 class class3 config exit SwitchB config ip...

Page 300: ... used for IPv6 address allocation if special server is used for uniform allocation and management for IPv6 address DHCPv6 server supports both stateful and stateless DHCPv6 Network topology In access layer layer2 access device Switch1 connects users in dormitory in first level aggregation layer aggregation device Switch2 is used as DHCPv6 relay agent in second level aggregation layer aggregation d...

Page 301: ... server must be in the same VLAN otherwise it needs to use DHCPv6 relay Snooping option37 38 can process one of the following operations for DHCPv6 request packets with option37 38 replace the original option37 38 with its own discard the packets with option37 38 do not execute adding discarding or forwarding operation Therefore please check policy configuration of snooping option37 38 on second d...

Page 302: ...trol independently Defense against Fake DHCP Server once the switch intercepts the DHCP Server reply packets including DHCPOFFER DHCPACK and DHCPNAK it will alarm and respond according to the situation shutdown the port or send Black hole Defense against DHCP over load attacks To avoid too many DHCP messages attacking CPU users should limit the DHCP speed of receiving packets on trusted and non tr...

Page 303: ...to user s authentication status 35 2 DHCP Snooping Configuration Task Sequence 1 Enable DHCP Snooping 2 Enable DHCP Snooping binding function 3 Enable DHCP Snooping binding ARP function 4 Enable DHCP Snooping option82 function 5 Set the private packet version 6 Set DES encrypted key for private packets 7 Set helper server address 8 Set trusted ports 9 Enable DHCP Snooping binding DOT1X function 10...

Page 304: ...t version two no ip user private packet version two To configure delete the private packet version 6 Set DES encrypted key for private packets Command Explanation Globe mode enable trustview key 0 7 password no enable trustview key To configure delete DES encrypted key for private packets Command Explanation Globe mode ip dhcp snooping binding enable no ip dhcp snooping binding enable Enable or di...

Page 305: ...trust no ip dhcp snooping trust Set or delete the DHCP snooping trust attributes of ports Command Explanation Port mode ip dhcp snooping binding dot1x no ip dhcp snooping binding dot1x Enable or disable the DHCP snooping binding dot1x function Command Explanation Port mode ip dhcp snooping binding user control no ip dhcp snooping binding user control Enable or disable the DHCP snooping binding use...

Page 306: ...sages Command Explanation Admin mode debug ip dhcp snooping packet debug ip dhcp snooping event debug ip dhcp snooping update debug ip dhcp snooping binding Please refer to the chapter on system troubleshooting Command Explanation Globe mode ip dhcp snooping information option subscriber id format hex acsii vs hp This command is used to set subscriber id format of DHCP snooping option82 ip dhcp sn...

Page 307: ... define the parameters of remote id suboption by themselves ip dhcp snooping information option self defined remote id format ascii hex Set self defined format of remote id for snooping option82 ip dhcp snooping information option self defined subscriber id vlan port id switch id mac hostname remote mac string WORD no ip dhcp snooping information option type self defined subscriber id Set creation...

Page 308: ...0 10 trying to fake a DHCP Server by sending DHCPACK Setting DHCP Snooping on the switch will effectively detect and block this kind of network attack Configuration sequence is switch switch config switch config ip dhcp snooping enable switch config interface ethernet 1 0 11 switch Config Ethernet1 0 11 ip dhcp snooping trust switch Config Ethernet1 0 11 exit switch config interface ethernet 1 0 1...

Page 309: ... information 35 4 2 DHCP Snooping Troubleshooting Help If there is any problem happens when using DHCP Snooping function please check if the problem is caused by the following reasons Check that whether the global DHCP Snooping is enabled If the port does not react to invalid DHCP Server packets please check that whether the port is set as a non trusted port of DHCP Snooping ...

Page 310: ...ss pool or else do not return option 43 to DHCP client 2 Address pool only configured option 43 it will match with any option 60 If the received DHCP packet with option 60 from DHCP client DHCP client will receive the option 43 configured in the address pool 3 Address pool only configured option 60 it will not return option 43 to DHCP client 36 2 DHCP option 60 and option 43 Configuration Task Lis...

Page 311: ... 36 1 Typical DHCP option 60 and option 43 topology Fit AP obtains IP address and option 43 attribute by DHCP server to send unicast discovery request for wireless controller DHCP server configures option 60 matched with the option 60 of fit ap to return option 43 attribute to FTP AP Configuration procedure Configure DHCP server router config ip dhcp pool a router dhcp a config option 60 ascii AP1...

Page 312: ...DHCP option 60 and option 43 311 Check whether service dhcp function is enabled If the address pool configured option 60 check whether it matches with the option 60 of the packets ...

Page 313: ...r3 switch and can be obtained with no calculation Static route is the manually specified path to a network or a host static route cannot be changed freely The advantage of static route is simple and consistent and it can limit illegal route modification and is convenient for load balance and route backup However as this is set manually it is not suitable for mid or large scale networks for the rou...

Page 314: ...he layer3 switch resides For example the network address of a host or the segment the layer3 switch resides with a destination address of 200 1 1 1 and mask 255 255 255 0 is 200 1 1 0 Output interface specify the interface of layer3 switch to forward IP packets IP address of the next layer3 switch next hop specify the next layer3 switch the IP packet will pass Route entry priority There may be sev...

Page 315: ... and ip prefix for use We will introduce each filter in following sections 1 route map For matching certain properties of the specified routing information and setting some routing propertities when the conditions are fulfilled Route map is for controlling and changing the routing messages while also controlling the redistribution among routes A route map consists of a series of match and set comm...

Page 316: ...Each prefix list may contain multiple items each of which specifies a matching range of a network prefix type and identifies with a sequence number which specifies the matching check order of ip prefix In the process of matching the switch check each items identified by sequence number in ascending order and the filter will be passed once certain items is matched without checking rest items 4 Auto...

Page 317: ...de match as path list name no match as path list name Match the autonomous system as path access list the BGP route passes through the no match as path list name command deletes match condition match community community list name community list num exact match no match community community list name community list num exact match Match a community property access list The no match community communi...

Page 318: ...p incomplete no match origin egp igp incomplete Match the route origin The no match origin egp igp incomplete command deletes match condition match route type external type 1 type 2 no match route type external type 1 type 2 Match the route type The no match route type external type 1 type 2 command deletes match condition match tag tag val no match tag tag val Match the route tag The no match tag...

Page 319: ...one additive Configure BGP community list value The no command deletes the configuration set extcommunity rt soo AA NN no set extcommunity rt soo AA NN Configure BGP extended community list property The no command deletes the configuration set ip next hop ip_addr no set ip next hop ip_addr Set next hop IP address The no command deletes the configuration set local preference pre_val no set local pr...

Page 320: ...ix list The no ip prefix list list_name description command deletes the configuration ip prefix list list_name seq sequence_number deny permit any ip_addr mask_length ge min_prefix_len le max_prefix_len no ip prefix list list_name seq sequence_number deny permit any ip_addr mask_length ge min_prefix_len le max_prefix_len Set the prefix list The no ip prefix list list_name seq sequence_number deny ...

Page 321: ...onfig router neighbor 172 16 20 2 remote as 3 SwitchA config router neighbor 172 16 20 2 route map AddAsNumbers out SwitchA config router neighbor 192 68 6 1 remote as 2 SwitchA config router exit SwitchA config route map AddAsNumbers permit 10 SwitchA config route map set as path prepend 1 1 37 2 4 Troubleshooting Faq The routing protocol could not achieve the routing messages study under normal ...

Page 322: ...fix list should at least have one item set to permit mode The deny mode items can be defined first to fast remove the unmatched routing messages however if all the items are set to deny mode any route will not be able to pass the filtering of this address prefix list We can define a permit 0 0 0 0 0 le 32 item after several deny mode items are defined so to permit all other routing messages pass t...

Page 323: ...2 For route backup configure static route in the backup line with a lower priority than the main line Static route and dynamic route can coexist layer3 switch will choose the route with the highest priority according to the priority of routing protocols At the same time static route can be introduced redistribute in dynamic route and change the priority of the static route introduced as required 3...

Page 324: ...a simple network consisting of three layer3 switches the network mask for all switches and PC is 255 255 255 0 PC A and PC C are connected via the static route set in SwtichA and SwitchC PC3 and PC B are connected via the static route set in SwtichC to SwitchB PC B and PC C is connected via the default route set in SwitchB Fig 38 1 Static Route Configurations Configuration steps Configuration of l...

Page 325: ...0 255 255 255 0 10 1 2 1 Next hop use the partner IP address Switch config ip route 10 1 4 0 255 255 255 0 10 1 3 1 Configuration of layer3 SwitchB Switch config Switch config ip route 0 0 0 0 0 0 0 0 10 1 3 2 In this way ping connectivity can be established between PC A and PC C and PC B and PC C ...

Page 326: ...hes every 30 seconds for update If no information from the partner is received in 180 seconds then the device is deemed to have failed and the network connected to that device is considered to be unreachable However the route of that layer3 switch will be kept in the route table for another 120 seconds before deletion As layer3 switches running RIP built route table with second hand information in...

Page 327: ...ontains all route entries for reachable destination and route table is built based on this database When a RIP layer3 switch sent route update packets to its neighbor devices the complete route table is included in the packets Therefore in a large network routing data to be transferred and processed for each layer3 switch is quite large causing degraded network performance Besides the above mentio...

Page 328: ... configure routes of the other protocols to be introduced in RIP 2 Configure interface authentication mode and password 3 Configure the route deviation 4 Configure and apply route filter 5 Configure Split Horizon 3 Configure other RIP protocol parameters 1 Configure the managing distance of RIP route 2 Configure the RIP route capacity limit in route table 3 Configure the RIP update timeout holddow...

Page 329: ...r and address family configuration mode network A B C D M ifname vlan no network A B C D M ifname vlan Enables the segment running RIP protocol the no network A B C D M ifname vlan command deletes the segment 2 Configure RIP protocol parameters 1 Configure RIP packet transmitting mechanism 1 Configure the RIP data packet point transmitting 2 Configure the Rip broadcast Command Explanation Router C...

Page 330: ... Generate a default route to the RIP protocol the no default information originate command cancels the feature 2 Configure interface authentication mode and password Command Explanation Interface configuration mode ip rip authentication mode text md5 no ip rip authentication mode text md5 Sets the authentication method the no ip rip authentication mode text md5 command cancels the authentication a...

Page 331: ...onfigure a key on the key chain and accept it as an authorized time the no accept lifetime command deletes it send lifetime start time end time duration seconds infinite no send lifetime Configure the transmitting period of a key on the key chain the no send lifetime command deletes the send lifetime 3 Configure the route deviation Command Explanation Router configuration mode offset list access l...

Page 332: ...on reverse the no ip rip split horizon command cancels the split horizon 3 Configure other RIP protocol parameters 1 Configure RIP routing priority 2 Configure the RIP route capacity limit in route table 3 Configure timer for RIP update timeout and hold down 4 Configure RIP UDP receiving buffer size Command Explanation Router configuration mode distance number A B C D M access list name access lis...

Page 333: ...ible 2 no ip rip send version Sets the version of RIP packets to send on all ports the no ip rip send version command set the version to the one configured by the version command ip rip receive version 1 2 no ip rip receive version Sets the version of RIP packets to receive on all ports the no action of this command set the version to the one configured by the version command ip rip receive packet...

Page 334: ...onfigure redistribution of OSPF routing to RIP 1 Enable Redistribution of OSPF routing to RIP Command Explanation Router RIP Configuration Mode redistribute ospf process id metric value route map word no redistribute ospf process id To enable or disable the redistribution of OSPF routing to RIP 2 Display and debug the information about configuration of redistribution of OSPF routing to RIP Command...

Page 335: ...nterface vlan 1 SwitchA config SwitchA config interface vlan 1 SwitchA Config if Vlan1 ip address 10 1 1 1 255 255 255 0 SwitchA config if Vlan1 Configure the IP address of interface vlan 2 SwitchA config vlan 2 SwitchA Config Vlan2 switchport interface ethernet 1 0 2 Set the port Ethernet1 0 2 access vlan 2 successfully SwitchA Config Vlan2 exit SwitchA config interface vlan 2 SwitchA Config if V...

Page 336: ...if Vlan1 exit Initiate RIP protocol and configure the RIP segments SwitchB config router rip SwitchB config router network vlan 1 SwitchB config router exit c Layer 3 SwitchC SwitchC config SwitchC config interface vlan 1 Configure the IP address of interface vlan 1 SwitchC Config if Vlan1 ip address 20 1 1 2 255 255 255 0 SwitchC Config if Vlan1 exit Initiate RIP protocol and configure the RIP se...

Page 337: ...he router table of S1 save the memory S1 configuration list S1 config router rip S1 config router network vlan 1 S2 configuration list S2 config router rip S2 config router network vlan 1 S2 config router exit S2 config in vlan 1 S2 Config if Vlan1 ip rip agg 192 168 20 0 22 39 4 RIP Troubleshooting The RIP protocol may not be working properly due to errors such as physical connection configuratio...

Page 338: ...witch is received within 180 seconds then the route to the switch will remains in the route table for 120 seconds before it is deleted Therefore if to delete a RIP route this route item is assured to be deleted from route table after 300 seconds When exchanging routing messages with CE using RIP protocol on the PE router we should first create corresponding VPN routing transmitting examples to ass...

Page 339: ... every 30 seconds for update If no information from the partner is received in 180 seconds then the device is deemed to have failed and the network connected to that device is considered to be unreachable However the route of that layer3 switch will be kept in the route table for another 120 seconds before deletion As layer3 switches running RIPng build route table with second hand information inf...

Page 340: ...on receiving the request the neighbor devices reply with the packets containing their local routing information 2 The Layer3 switch modifies its local route table on receiving the reply packets and sends triggered update packets to the neighbor devices to advertise route update information On receiving the triggered update packet the neighbor lay3 switches send triggered update packets to their ne...

Page 341: ...ete the specified route in RIPng route table 5 Configure RIPng route aggregation 1 Configure aggregation route of IPv6 route mode 2 Configure aggregation route of IPv6 interface configuration mode 3 Display IPv6 aggregation route information 6 Configure redistribution of OSPFv3 routing to RIPng 1 Enable redistribution of OSPFv3 routing to RIPng 2 Display and debug the information about configurati...

Page 342: ...ighbor The no passive interface ifname command cancels the function 2 Configure RIP routing parameters 1 Configure route introduction default route metric configure routes of the other protocols to be introduced in RIP Command Explanation Router configuration mode default metric value no default metric Configure the default metric of distributed route the no default metric command restores the def...

Page 343: ...ts The no distribute list access list number access list name prefix prefix list name in out ifname command means do not set the route filter no aggregate address IPv6 address Configure route aggregation the no aggregate address IPv6 address command cancels the route aggregation 4 Configure split horizon Command Explanation Interface configuration mode IPv6 rip split horizon poisoned Configure tha...

Page 344: ...d Explanation Interface Configuration Mode ipv6 rip aggregate address X X X X M no ipv6 rip aggregate address X X X X M To configure or delete IPv6 aggregation route on interface 3 Display IPv6 aggregation route information Command Explanation Admin Mode and Configuration Mode show ipv6 rip aggregate To display IPv6 aggregation route information such as aggregation interface metric numbers of aggr...

Page 345: ...g route messages received from NSM 40 3 RIPng Configuration Examples 40 3 1 Typical RIPng Examples Fig 40 1 RIPng Example As shown in the above figure a network consists of three layer 3 switches SwitchA and SwitchB connect to SwitchC through interface vlan1 and vlan2 All the three switches are running RIPng Assume SwitchA VLAN1 2001 1 1 1 64 and VLAN2 2001 1 1 1 64 exchange update information wit...

Page 346: ...do not send RIPng messages to SwitchC SwitchA config SwitchA config router passive interface Vlan1 SwitchA config router exit Layer 3 SwitchB Enable RIPng protocol SwitchB config router IPv6 rip SwitchB config router rip exit Configure the IPv6 address and interfaces of Ethernet port vlan1 to run RIPng SwitchB config SwitchB config interface Vlan1 SwitchB config if IPv6 address 2001 1 1 2 64 Switc...

Page 347: ...1 20 0 110 in interface vlan1 of S2 after that sending router messages to S2 through vlan1 and put the four subnet routers aggregated to one router as 2001 1 20 0 110 and send to S1 and not send subnet to neighbor It can reduce the router table of S1 save the memory S1 configuration list S1 config router ipv6 rip S1 config router network vlan 1 S2 configuration list S2 config router ipv6 rip S2 co...

Page 348: ...mand and set RIPng protocol parameter on corresponding interfaces After that a RIPng protocol feature should be noticed the Layer 3 switch running RIPng transmits the route updating messages every 30 seconds A Layer 3 switch is considered inaccessible if no route updating messages from the switch are received within 180 seconds then the route to the switch will remains in the route table for 120 s...

Page 349: ...no ip route ip prefix mask ip prefix prefix length null0 To configure the static Black Hole Routing The no form of this command will remove the specified Black Hole Routing configuration 41 3 IPv6 Black Hole Routing Configuration Task 1 Enable the IPv6 function 2 Configure the IPv6 Black Hole Routing 1 Enable the IPv6 function Command Explaination Global Configuration Mode ipv6 enable To enable th...

Page 350: ...21 Commonly this configuration will work well However if one of the Layer 3 interfaces in Switch 2 goes down for example the interface belonged to 192 168 1 0 24 When datagrams arrives at VLAN1 in Switch 2 there will be no routing rules for these datagrams The switch then will forward these datagrams according to the default routing back to Switch 1 When Switch 1 receives these datagrams it will f...

Page 351: ...terface belonged to 2004 1 2 3 1 80 When datagrams arrives at VLAN1 in Switch 2 there will be no routing rules for these datagrams The switch then will forward these datagrams according to the default routing back to Switch 1 When Switch 1 receives these datagrams it will forward them back to Switch 2 Thus loopback exists To solve this problem Black Hole Routing can be introduced on Switch 2 ipv6 ...

Page 352: ...al routing configuration in order to prevent the Black Hole Routing from intervening other routing configuration When the network address mask of Black Hole Routing configuration is the same with some other configuration it is suggested that the distance of Black Hole Routing is set lower For problems that cannot be fixed through above methods please issue the command show ip route distance and sh...

Page 353: ...n between two network devices to monitor their bidirectional forwarding paths to serve for superstratum protocols However there is no discovery mechanism for BFD it is notified by superstratum protocol to establish sessions After a session is established if no BFD control packet is received from the peer within detection time it notifies the failure to superstratum protocol which will take appropr...

Page 354: ...ceive interval value no bfd min echo receive interval Configure the minimum receiving interval for BFD control packets no command restores its default value bfd echo no bfd echo Enable bfd echo no command disables the function bfd echo source ip ipv4 address no bfd echo source ip Detect link fault by configuring source address of echo packets no command deletes the configured source address of ech...

Page 355: ...Global Mode ip route vrf name ipv4 address ipv4 address mask nexthop bfd no ip route vrf name ipv4 address ipv4 address mask nexthop bfd Configure BFD for the static route no command cancels the configuration ipv6 route vrf name ipv6 address ipv6 address prefix nexthop bfd no ipv6 route vrf name ipv6 address ipv6 address prefix nexthop bfd Configure BFD for the static IPv6 route no command cancels...

Page 356: ...1 255 255 255 0 Switch config ip route 14 1 1 0 255 255 255 0 12 1 1 2 bfd Switch B Switch config Switch config interface vlan 12 Switch config if vlan12 ip address 12 1 1 2 255 255 255 0 Switch config interface vlan 14 Switch config if vlan15 ip address 14 1 1 1 255 255 255 0 Switch config ip route 15 1 1 0 255 255 255 0 12 1 1 1 bfd When the link between Switch B and layer 2 switch is failing Sw...

Page 357: ...h config interface vlan 100 Switch config if vlan100 ip address 10 1 1 2 255 255 255 0 Switch config interface vlan 300 Switch config if vlan300 ip address 30 1 1 1 255 255 255 0 Switch config router rip Switch config router network vlan 100 Switch config router network vlan 300 Switch config interface vlan 100 Switch config if vlan100 rip bfd enable When the link between Switch A and Switch B is ...

Page 358: ...erface vlan 2 Switch config ip vlan2 ip address 192 16 0 101 255 255 255 0 Switch config router vrrp 1 Switch config router virtual ip 192 168 0 10 Switch config router interface vlan 1 Switch config router enable Switch config router bfd enable Configure Switch B Switch config Switch config bfd mode passive Switch config interface vlan 2 Switch config ip vlan2 ip address 192 16 0 102 255 255 255 ...

Page 359: ...tocol neighbor is established successfully If no route protocol neighbor is established successfully here BFD can not process the detection Check whether the configured source ip is correct for linkage with static route if the connectivity of IP between two peers fails BFD can not process the detection Check whether VRRP group is established successfully for linkage with VRRP protocol If no VRRP g...

Page 360: ...aluable bandwidth resource and furthermore Broadcast mode goes against the security and secrecy The emergence of IP Multicast technology solved this problem in time The Multicast source only sends out the message once Multicast Routing Protocol sets up tree routing for Multicast data packet and then the transferred packet just starts to be duplicated and distributed in the bifurcate crossing as fa...

Page 361: ...nent or temporary Some of the Multicast group addresses are assigned officially they are called Permanent Multicast Group Permanent Multicast Group keeps its IP address fixed but its member structure can vary within The member amount of Permanent Multicast Group can be arbitrary even zero The IP Multicast addresses which are not kept for use by Permanent Multicast Group can be utilized by temporar...

Page 362: ...icast group address in the destination address field of IP data packet Unlike Unicast mode Multicast data packet must be forwarded to a number of external interfaces to be sent to all receiver sites in Multicast mode thus Multicast transmission procedure is more complicated than Unicast transmission procedure In order to guarantee that all Multicast packets get to the router via the shortest path ...

Page 363: ...st Packet Source Controllable Multicast User Controllable and Service Oriented Priority Strategy Multicast The Multicast Packet Source Controllable technology of Security Controllable Multicast technology is mainly processed in the following manners 1 On the edge switch if source under control multicast is configured then only multicast data from specified group of specified source can pass 2 For ...

Page 364: ...onfiguration Mode no ip multicast source control Required Enable source control globally the no ip multicast source control command disables source control globally It is noticeable that after enabling source control globally all multicast packets are discarded by default All source control configuration can not be processed until that it is enabled globally while source control can not be disable...

Page 365: ...p 5000 5099 Used to configure the rules source control uses to port the NO form cancels the configuration 2 Destination Control Configuration Like source control configuration destination control configuration also has three steps First enable destination control globally Since destination control need to prevent unauthorized user from receiving multicast data the switch won t broadcast the multic...

Page 366: ... commands are as follows Command Explanation Port Configuration Mode no ip multicast destination control access group 6000 7999 Used to configure the rules destination control uses to port the NO form cancels the configuration Global Configuration Mode no ip multicast destination control 1 4094 macaddr access group 6000 7999 Used to configure the rules destination control uses to specify VLAN MAC ...

Page 367: ...If Ethernet1 0 5 ip multicast source control access group 5000 EC config interface ethernet1 0 10 EC Config If Ethernet1 0 10 ip multicast source control access group 5001 2 Destination Control We want to limit users with address in 10 0 0 0 8 network segment from entering the group of 238 0 0 0 8 so we can make the following configuration Firstly enable IGMP snooping in the VLAN it is located Her...

Page 368: ...P multicast IGMP is used by multicast enabled network device such as a router for host membership query and by hosts that are joining a multicast group to inform the router to accept packets of a certain multicast address All those operations are done through IGMP message exchange The router will use a multicast address 224 0 0 1 that can address to all hosts to send an IGMP host membership query ...

Page 369: ...nooping vlan vlan id limit group g_limit source s_limit no ip igmp snooping vlan vlan id limit Configure the max group count of vlan and the max source count of every group The no ip igmp snooping vlan vlan id limit command cancels this configuration ip igmp snooping vlan vlan id l2 general querier no ip igmp snooping vlan vlan id l2 general querier Set this vlan to layer 2 general querier It is r...

Page 370: ...ip igmp snooping vlan vlan id query interval command restores the default value ip igmp snooping vlan vlan id immediately leave no ip igmp snooping vlan vlan id immediately leave Enable the IGMP fast leave function for the specified VLAN the no ip igmp snooping vlan vlan id immediate leave command disables the IGMP fast leave function ip igmp snooping vlan vlan id query mrsp value no ip igmp snoop...

Page 371: ...port source address Configure forwarding IGMP packet source address The no operation cancels the packet source address ip igmp snooping vlan vlan id specific query mrsp value no ip igmp snooping vlan vlan id specific query mrspt Configure the maximum query response time of the specific group or source the no command restores the default value 43 3 3 IGMP Snooping Examples Scenario 1 IGMP Snooping ...

Page 372: ...t 1 0 1 Multicast Configuration Suppose two programs are provided in the Multicast Server using multicast address Group1 and Group2 three of four hosts running multicast applications are connected to port 2 6 10 plays program1 while the host is connected to port 12 plays program 2 IGMP Snooping listening result The multicast table built by IGMP Snooping in VLAN 100 indicates ports 1 2 6 10 in Grou...

Page 373: ... 100 mrouter interface ethernet 1 0 1 Multicast Configuration The same as scenario 1 IGMP Snooping listening result Similar to scenario 1 Scenario 3 To run in cooperation with layer 3 multicast protocols SWITCH which is used in Scenario 1 is replaced with ROUTER with specific configurations remains the same And multicast and IGMP snooping configurations are the same with what it is in Scenario 1 T...

Page 374: ... IGMP Snooping function configuration and usage IGMP Snooping might not run properly because of physical connection or configuration mistakes So the users should note that Make sure correct physical connection Activate IGMP Snooping on whole configuration mode use ip igmp snooping Configure IGMP Snooping at VLAN on whole configuration mode use ip igmp snooping vlan vlan id Make sure one VLAN is co...

Page 375: ...y is implemented on the basis of controlling the MLD message sent from the users so the control module is MLD snooping and the MLD module the control logic of which includes the following three methods controlling according to the VLAN MAC sending the message controlling according to the IP address sending the message and controlling according to the input port of the message MLD snooping can adop...

Page 376: ...guring ACL using ACL number from 8000 to 8099 while each rule number can configure 10 rules What should be paid attention to is that these rules have orders the earliest configured rule is at the front Once a rule is matched the following ones will not take effect so the globally enabled rules should be the last to configure The following is the command Command Explanation Global Configuration Mod...

Page 377: ...rol necessary Globally enable IPV4 and IPv6 destination control the no operation of this command will globally disable destination control All of the other configuration can only take effect after globally enabled The next is configuring destination control rules which are similar to that of source control but using ACL number from 9000 to 10099 instead Command Explanation Global Configuration Mod...

Page 378: ...ts the method of specifying a priority for the specified multicast data to meet the user s particular demand what should be paid attention to is that only when multicast data is transmitted in TRUNK can it be taken special care of The configuration is quite simple for only one command is needed that is set priority for the specified multicast the following is the command Command Explanation Global...

Page 379: ...ddress to use this access list Switch config ipv6 access list 9000 deny any ff1e 1 64 Switch config ipv6 access list 9000 permit any any Switch config multicast destination control Switch config ipv6 multicast destination control fe80 203 fff fe01 228a 64 access group 9000 Thus the users of this segment can only join groups other than 2ff1e 1 64 3 Multicast policy Server 2008 1 is sending importan...

Page 380: ... multicast traffic from flooding through MLD Snooping and forward the multicast traffic to ports associated to multicast devices only The switch listens to the MLD messages between multicast routers and listeners and maintains the multicast group forwarding list based on the listening result The switches forwards multicast packets according to the multicast forwarding list The switch realizes the ...

Page 381: ...ing to pimv6 packets the no command will disable the function ipv6 mld snooping vlan vlan id mrpt value no ipv6 mld snooping vlan vlan id mrpt Configure the keep alive time of the mrouter port The no form of this command restores to the default ipv6 mld snooping vlan vlan id query interval value no ipv6 mld snooping vlan vlan id query interval Configure the query interval The no form of this comma...

Page 382: ...onfigured on the switch consists of ports 1 2 6 10 and 12 Four hosts are respectively connected to 2 6 10 and 12 while the multicast router on port 1 Suppose we need MLD Snooping on VLAN 100 however by default the global MLD Snooping as well as the MLD Snooping on each VLAN are therefore first we have to enable the global MLD Snooping at the same time enable the MLD Snooping on VLAN 100 furthermor...

Page 383: ...e host connected to port 10 playing program 2 and the one to port 12 playing program 3 MLD Snooping interception results The multicast table on vlan 100 shows port 1 2 6 are in Multicasting Server 1 Group1 port1 10 are in Multicasting Server 1 Group2 and port1 121 12 are in Multicasting Server 2 Group3 All the four hosts successfully receive programs they are interested in port2 6 receives no traf...

Page 384: ...ion results Same as scenario 1 Scenario 3 To run in cooperation with layer 3 multicast protocols SWITCH which is used in Scenario 1 is replaced with ROUTER with specific configurations remains the same And multicast and IGMP snooping configurations are the same with what it is in Scenario 1 To configure PIM SM6 on ROUTER and enable PIM SM6 on vlan 100 use the same PIM mode with the connected multi...

Page 385: ...c The user should ensure the following Ensure the physical connection is correct Ensure the MLD Snooping is enabled under global mode using ipv6 mld snooping Ensure the MLD Snooping is configured on the vlan under global mode using ipv6 mld snooping vlan vlan id Ensure there is a vlan configured as a L2 general querier or there is a static mrouter configured in a segment Use command to check if th...

Page 386: ... continuously sent to the users 45 2 Multicast VLAN Configuration Task List 1 Enable the multicast VLAN function 2 Configure the IGMP Snooping 1 Enable the multicast VLAN function Command Explanation VLAN configuration mode multicast vlan no multicast vlan Configure a VLAN and enable the multicast VLAN on it The no multicast vlan command disables the multicast function on the VLAN multicast vlan a...

Page 387: ...itch switchA through port 1 0 1 which belongs to the VLAN10 of the switch The layer 3 switch switchA is connected with layer 2 switches through the port1 0 10 which configured as trunk port On the switchB the VLAN100 is configured set to contain port1 0 15 and VLAN101 to contain port1 0 20 PC1 and PC2 are respectively connected to port 1 0 15 and1 0 20 The switchB is connected with the switchA thr...

Page 388: ...witchA Config If Ethernet1 0 10 switchport mode trunk SwitchB config SwitchB config vlan 100 SwitchB config vlan100 Switchport access ethernet 1 0 15 SwitchB config vlan100 exit SwitchB config vlan 101 SwitchB config vlan101 Switchport access ethernet 1 0 20 SwitchB config vlan101 exit SwitchB config interface ethernet 1 0 10 SwitchB Config If Ethernet1 0 10 switchport mode trunk SwitchB Config If...

Page 389: ...d Information included in a rule is the effective combination of conditions such as source IP destination IP IP protocol number and TCP port UDP port Access lists can be categorized by the following criteria Filter information based criterion IP access list layer 3 or higher information MAC access list layer 2 information and MAC IP access list layer 2 or layer 3 or higher Configuration complexity...

Page 390: ...guring a numbered extended IP access list 3 Configuring a standard IP access list based on nomenclature a Create a standard IP access list based on nomenclature b Specify multiple permit or deny rule entries c Exit ACL Configuration Mode 4 Configuring an extended IP access list based on nomenclature a Create an extensive IP access list based on nomenclature b Specify multiple permit or deny rule e...

Page 391: ... packet filtering function 1 Enable global packet filtering function 2 Configure default action 3 Configuring time range function 1 Create the name of the time range 2 Configure periodic time range 3 Configure absolute time range 4 Bind access list to an incoming direction of the specified port 5 Clear the filtering information of the specified port 1 Configuring access list 1 Configuring a number...

Page 392: ...ecified number does not exist then an access list will be created using this number access list num deny permit tcp sIpAddr sMask any source host source sIpAddr s port sPort range sPortMin sPortMax dIpAddr dMask any destination host destination dIpAddr d port dPort range dPortMin dPortMax ack fin psh rst urg syn precedence prec tos tos time range time range name Creates a numbered TCP extended IP ...

Page 393: ...ing a standard IP access list basing on nomenclature a Create a name based standard IP access list Command Explanation Global Mode ip access list standard name no ip access list standard name Creates a standard IP access list based on nomenclature the no ip access list standard name command deletes the name based standard IP access list b Specify multiple permit or deny rules Command Explanation S...

Page 394: ...range time range name Creates an extended name based ICMP IP access rule the no form command deletes this name based extended IP access rule no deny permit igmp sIpAddr sMask any source host source sIpAddr dIpAddr dMask any destination host destination dIpAddr igmp type precedence prec tos tos time range time range name Creates an extended name based IGMP IP access rule the no form command deletes...

Page 395: ...o form command deletes this name based extended IP access rule c Exit extended IP ACL configuration mode Command Explanation Extended IP ACL Mode exit Exits extended name based IP ACL configuration mode 5 Configuring a numbered standard MAC access list Command Explanation Global Mode access list num deny permit any source mac host source mac host_smac smac smac m ask no access list num Creates a n...

Page 396: ...s a numbered MAC extended access list 7 Configuring a extended MAC access list based on nomenclature a Create an extensive MAC access list based on nomenclature Command Explanation Global Mode mac access list extended name no mac access list extended name Creates an extended name based MAC access rule for other IP protocols the no form command deletes this name based extended MAC access rule b Spe...

Page 397: ...ype protocol protocol mask Creates an extended name based MAC access rule matching MAC frame the no form command deletes this name based extended MAC access rule no deny permit any source mac host source mac host_smac smac smac mask any d estination mac host destination mac host_dmac dmac dmac mask untagged eth2 ethertype protocol protocol mask Creates an extended name based MAC access rule matchi...

Page 398: ...es this name based extended MAC access rule c Exit ACL Configuration Mode Command Explanation Extended name based MAC access configure Mode exit Quit the extended name based MAC access configure mode 8 Configuring a numbered extended MAC IP access list Command Explanation Global mode access list num deny permit any source mac host source mac host_smac smac smac mask any destination mac host destin...

Page 399: ...ort3 range dPortMin dPortMax ack fin psh rst urg syn precedence precedence tos tos time range time range name Creates a numbered mac ip extended mac tcp access rule if the numbered extended access list of specified number does not exist then an access list will be created using this number access list num deny permit any source mac host source mac host_smac smac smac mask any destination mac host ...

Page 400: ...C IP access list based on nomenclature Command Explanation Global Mode mac ip access list extended name no mac ip access list extended name Creates an extended name based MAC IP access rule the no form command deletes this name based extended MAC IP access rule b Specify multiple permit or deny rule entries Command Explanation Extended name based MAC IP access Mode no deny permit any source mac ho...

Page 401: ...ion wildcard any desti nation host destination destination host ip d port port3 range dPortMin dPortMax ack fin psh rst urg syn precedence precedence tos tos time range time range name Creates an extended name based MAC TCP access rule the no form command deletes this name based extended MAC TCP access rule no deny permit any source mac host source mac host_smac smac smac mask any destination mac ...

Page 402: ...lanation Global Mode ipv6 access list num deny permit sIPv6Addr sPrefixlen any source host source sIpv6Addr no ipv6 access list num Creates a numbered standard IPv6 access list if the access list already exists then a rule will add to the current access list the no access list num command deletes a numbered standard IPv6 access list 11 Configuring a numbered extensive IPv6 access list Command Expl...

Page 403: ...st destination dIPv6Addr dPort dPort range dPortMin dPortMax dscp dscp flow label flowlabel time range time range name ipv6 access list num ext deny permit next header sIPv6Prefix sPrefixlen any source host source sIPv6Addr dIPv6Prefix dPrefixlen any destination host destination dIPv6Addr dscp dscp flow label fl time range time range name no ipv6 access list num access list 12 Configuring a standa...

Page 404: ...mmand Explanation Global Mode ipv6 access list extended name no ipv6 access list extended name Creates an extended IPv6 access list basing on nomenclature the no command deletes the name based extended IPv6 access list b Specify multiple permit or deny rules Command Explanation Extended IPv6 ACL Mode no deny permit icmp sIPv6Prefix sPrefixlen any source host source sIPv6Addr dIPv6Prefix dPrefixlen...

Page 405: ...dscp dscp flow label fl time range time range name Creates an extended name based UDP IPv6 access rule the no form command deletes this name based extended IPv6 access rule no deny permit proto sIPv6Prefix sPrefixlen any source host source sIPv6Addr dIPv6Prefix dPrefixlen any destination host destination dIPv6Addr dscp dscp flow label flowlabel time range time range name Creates an extended name b...

Page 406: ... function 3 Configuring time range function 1 Create the name of the time range Command Explanation Global Mode time range time_range_name Create a time range named time_range_name no time range time_range_name Stop the time range function named time_range_name 2 Configure periodic time range Command Explanation Time range Mode absolute periodic Monday Tuesday Wednesday Thursday Friday Saturday Su...

Page 407: ...te start start_time start_data end end_time end_data Stop the function of the time range 4 Bind access list to a specific direction of the specified port Command Explanation Physical Port Mode VLAN Interface Mode ip ipv6 mac mac ip access group acl name in out traffic statistic no ip ipv6 mac mac ip access group acl name in out Apply an access list to the ingress or egress direction on the port th...

Page 408: ...exit Configuration result Switch show firewall Firewall status enable Firewall default rule permit Switch show access lists access list 110 used 1 time s 1 rule s access list 110 deny tcp 10 0 0 0 0 0 0 255 any destination d port 21 Switch show access group interface ethernet 1 0 10 interface name Ethernet1 0 10 the ingress acl use in firewall is 110 traffic statistics Disable Scenario 2 The confi...

Page 409: ...roup interface ethernet 1 0 10 interface name Ethernet1 0 10 MAC Ingress access list used is 1100 traffic statistics Disable Scenario 3 The configuration requirement is stated as below The MAC address range of the network connected to the interface 10 of the switch is 00 12 11 23 xx xx and IP network is 10 0 0 0 24 FTP should be disabled and ping requests from outside network should be disabled Co...

Page 410: ... Ethernet1 0 10 MAC IP Ingress access list used is 3110 traffic statistics Disable Scenario 4 The configuration requirement is stated as below IPv6 protocol runs on the interface 600 of the switch And the IPv6 network address is 2003 1 1 1 0 64 Users in the 2003 1 1 1 66 0 80 subnet should be disabled from accessing the outside network Configuration description 1 Create the corresponding access li...

Page 411: ...bled from accessing the listed interfaces Configuration description 1 Create the corresponding access list 2 Configure datagram filtering 3 Bind the ACL to the related interface The configuration steps are listed as below Switch config firewall enable Switch config vlan 100 Switch Config Vlan100 switchport interface ethernet 1 0 1 2 5 7 Switch Config Vlan100 exit Switch config access list 1 deny h...

Page 412: ...wn order If the priority is same then the priority of configuration at first is higher Ingress IPv6 ACL Ingress MAC IP ACL Ingress IP ACL Ingress MAC ACL The number of ACLs that can be successfully bound depends on the content of the ACL bound and the hardware resource limit Users will be prompted if an ACL cannot be bound due to hardware resource limitation If an access list contains same filteri...

Page 413: ...igure the access from user The prevailing application of WLAN and LAN access in telecommunication networks in particular make it necessary to control ports in order to implement the user level access control And as a result IEEE LAN WAN committee defined a standard which is 802 1x to do Port Based Network Access Control This standard has been widely used in wireless LAN and ethernet Port Based Net...

Page 414: ...m is an entity to provide authentication service for authenticator systems The authentication server system is used to authenticate and authorize users as well as does fee counting and usually is a RADIUS Remote Authentication Dial In User Service server which can store the relative user information including username password and other parameters such as the VLAN and ports which the user belongs ...

Page 415: ...ed port is in connected status authenticated to transmit service messages When unauthenticated no message from supplicant systems is allowed to be received The controlled and uncontrolled ports are two parts of one port which means each frame reaching this port is visible on both the controlled and uncontrolled ports 3 Controlled direction In unauthenticated status controlled ports can be set as u...

Page 416: ...E of the authenticator system will decide the authenticated unauthenticated status of the controlled port according to the authentication result of the RADIUS server 47 1 3 The Encapsulation of EAPOL Messages 1 The Format of EAPOL Data Packets EAPOL is a kind of message encapsulation format defined in 802 1x protocol and is mainly used to transmit EAP messages between the supplicant system and the...

Page 417: ... when its value is 0 Packet Body represents the content of the data which will be in different formats according to different types 2 The Format of EAP Data Packets When the value of Type domain in EAPOL packet is EAP Packet the Packet Body is in EAP format illustrated in the next figure Fig 47 4 the Format of EAP Data Packets Code specifies the type of the EAP packet There are four of them in tot...

Page 418: ...age As illustrated in the next figure this attribute is used to encapsulate EAP packet the type code is 79 String domain should be no longer than 253 bytes If the data length in an EAP packet is larger than 253 bytes the packet can be divided into fragments which then will be encapsulated in several EAP Messages attributes in their original order Fig 47 6 the Encapsulation of EAP Message Attribute...

Page 419: ...US making sure that extended authentication protocol messages can reach the authentication server through complicated networks In general EAP relay requires the RADIUS server to support EAP attributes EAP Message and Message Authenticator EAP is a widely used authentication frame to transmit the actual authentication protocol rather than a special authentication mechanism EAP provides some common ...

Page 420: ...can support all the EAP methods above and all the EAP authentication methods that may be extended in the future In EAP relay if any authentication method in EAP MD5 EAP TLS EAP TTLS and PEAP is adopted the authentication methods of the supplicant system and the RADIUS server should be the same 1 EAP MD5 Authentication Method EAP MD5 is an IETF open standard which providing the least security since...

Page 421: ... system and the Radius authentication server to possess digital certificate to implement bidirectional authentication It is the earliest EAP authentication method used in wireless LAN Since every user should have a digital certificate this method is rarely used practically considering the difficult maintenance However it is still one of the safest EAP standards and enjoys prevailing supports from ...

Page 422: ...e their own digital certificate The only request is that the Radius server should have a digital certificate The authentication of users identity is implemented with passwords transmitted in a safely encrypted tunnel established via the certificate of the authentication server Any kind of authentication request including EAP PAP and MS CHAPV2 can be transmitted within TTLS tunnels 4 PEAP Authentic...

Page 423: ...authentication method Fig 47 11 the Authentication Flow of 802 1x PEAP 47 1 5 2 EAP Termination Mode In this mode EAP messages will be terminated in the access control unit and mapped into RADIUS messages which is used to implement the authentication authorization and fee counting The basic operation flow is illustrated in the next figure In EAP termination mode the access control unit and the RAD...

Page 424: ...l port can have more than one users There are three access control methods the methods to authenticate users port based MAC based and user based IP address MAC address port When the port based method is used as long as the first user of this port passes the authentication all the other users can access the network resources without being authenticated However once the first user is offline the net...

Page 425: ... is 800 mac based relates to ratelimit value of switch it can supports 4000 authenticated users but it is recommended that the number of the authenticated users should not exceed 2000 47 1 7 The Features of VLAN Allocation 1 Auto VLAN Auto VLAN feature enables RADIUS server to change the VLAN to which the access port belongs based on the user information and the user access device information When...

Page 426: ...ive authentication supplicant system or the version of the supplicant system being too low Once the 802 1x feature is enabled and the Guest VLAN is configured properly a port will be added into Guest VLAN just like Auto VLAN if there is no response message from the supplicant system after the device sends more authentication triggering messages than the upper limit EAP Request Identity from the po...

Page 427: ...e prefix mask no dot1x user free resource Sets free access network resource for unauthorized dot1x user The no command close the resource dot1x unicast enable no dot1x unicast enable Enable the 802 1x unicast passthrough function of switch the no operation of this command will disable this function 2 Access management unit property configuration 1 Configure port authentication status Command Expla...

Page 428: ... userbased standard advanced no dot1x port method Sets the port access management method the no command restores MAC based access management dot1x max user macbased number no dot1x max user macbased Sets the maximum number of access users for the specified port the no command restores the default setting of allowing 1 user dot1x max user userbased number no dot1x max user userbased Set the upper l...

Page 429: ...1x timeout quiet period seconds no dot1x timeout quiet period Sets time to keep silent on port authentication failure the no command restores the default value dot1x timeout re authperiod seconds no dot1x timeout re authperiod Sets the supplicant re authentication interval the no command restores the default setting dot1x timeout tx period seconds no dot1x timeout tx period Sets the interval for t...

Page 430: ...its authentication server Ethernet1 0 2 the port through which the user accesses the switch belongs to VLAN100 the authentication server is in VLAN2 Update Server being in VLAN10 is for the user to download and update supplicant system software Ethernet1 0 6 the port used by the switch to access the Internet is in VLAN5 Internet SWITCH Ethernet1 0 2 VLAN10 Ethernet1 0 3 VLAN10 VLAN2 Update server ...

Page 431: ...ntication the authentication server will assign VLAN5 which makes the user and Ethernet1 0 6 both in VLAN5 allowing the user to access the Internet The following are configuration steps Configure RADIUS server Switch config radius server authentication host 10 1 1 3 Switch config radius server accounting host 10 1 1 3 Switch config radius server key test Switch config aaa enable Switch config aaa ...

Page 432: ... Switch Config If Ethernet1 0 2 dot1x guest vlan 100 Switch Config If Ethernet1 0 2 exit Using the command of show running config or show interface ethernet1 0 2 users can check the configuration of Guest VLAN When there is no online user no failed user authentication or no user gets offline successfully and more authentication triggering messages EAP Request Identity are sent than the upper limit...

Page 433: ...rface vlan 1 Switch Config if vlan1 ip address 10 1 1 2 255 255 255 0 Switch Config if vlan1 exit Switch config radius server authentication host 10 1 1 3 Switch config radius server accounting host 10 1 1 3 Switch config radius server key test Switch config aaa enable Switch config aaa accounting enable Switch config dot1x enable Switch config interface ethernet 1 0 2 Switch Config Ethernet1 0 2 ...

Page 434: ...to Switch Config If Ethernet1 0 2 exit 47 4 802 1x Troubleshooting It is possible that 802 1x be configured on ports and 802 1x authentication be set to auto t switch can t be to authenticated state after the user runs 802 1x supplicant software Here are some possible causes and solutions If 802 1x cannot be enabled for a port make sure the port is not executing MAC binding or configured as a port...

Page 435: ...802 1x Configuration 434 such login user the user login ID and password may be wrong and should be verified and input again ...

Page 436: ...lete it from the MAC address list Usually the switch supports both the static configuration and dynamic study of MAC address which means each port can have more than one static set MAC addresses and dynamically learnt MAC addresses and thus can implement the transmission of data traffic between port and known MAC addresses When a MAC address becomes out of date it will be dealt with broadcast No n...

Page 437: ...namic ARP and ND then shutdown the ARP and ND study function of this port otherwise the port can continue its study Limiting the number of MAC ARP and ND of interfaces 1 Limiting the number of dynamic MAC If the number of dynamically learnt MAC address by the VLAN of the switch is already larger than or equal with the max number of dynamic MAC address then shutdown the MAC study function of all th...

Page 438: ...n VLAN configuration mode vlan mac address dynamic maximum value no vlan mac address dynamic maxim um Enable and disable the number limitation function of MAC in the VLAN Interface configuration mode ip arp dynamic maximum value no ip arp dynamic maximum Enable and disable the number limitation function of ARP in the VLAN ipv6 nd dynamic maximum value no ipv6 nd dynamic maximum Enable and disable ...

Page 439: ...R in corresponding ports and VLAN debug switchport mac count no debug switchport mac count All kinds of debug information when limiting the number of MAC on ports debug switchport arp count no debug switchport arp count All kinds of debug information when limiting the number of ARP on ports debug switchport nd count no debug switchport nd count All kinds of debug information when limiting the numb...

Page 440: ...tly do MAC ARP cheating it will be easy for them to fill the MAC ARP list entries of the switch causing successful DOS attacks Limiting the MAC ARP ND list entry can prevent DOS attack On port 1 0 1 of SWITCH A set the max number can be learnt of dynamic MAC address as 20 dynamic ARP address as 20 NEIGHBOR list entry as 10 In VLAN 1 set the max number of dynamic MAC address as 30 of dynamic ARP ad...

Page 441: ...he switch and whether the port is configured as a MAC binding port The number limitation function of MAC address is mutually exclusive to these configurations so if the users need to enable the number limitation function of MAC address on the port they should check these functions mentioned above on this port are disabled If all the configurations are normal after enabling the number limitation fu...

Page 442: ...o be forwarded by the switch Given the fact that MAC IP can be exclusively bound with a host it is necessary to make MAC IP bound with a host for the purpose of preventing users from maliciously modifying host IP to forward the messages from their hosts via the switch With the interface bound attribute of AM network mangers can bind the IP MAC IP address of a legal user to a specified interface Af...

Page 443: ...ding IP of the port 4 Configure the forwarding MAC IP Command Explanation Port Mode am mac ip pool mac address ip address no am mac ip pool mac address ip address Configure the forwarding MAC IP of the port 5 Delete all of the configured IP or MAC IP or both Command Explanation Global Mode no am all ip pool mac ip pool Delete MAC IP address pool or IP address pool or both pools configured by all u...

Page 444: ...above the switch can be configured as follows Switch config am enable Switch config interface ethernet1 0 1 Switch Config If Ethernet 1 0 1 am port Switch Config If Ethernet 1 0 1 am ip pool 10 10 10 1 10 49 4 AM Function Troubleshooting AM function is disabled by default and after it is enabled relative configuration of AM can be made Users can view the current AM configuration with show am comma...

Page 445: ...Operational Configuration of AM Function 444 ...

Page 446: ...ryption characteristics and is more adapted to security control According to the characteristics of the TACACS Version 1 78 we provide TACACS authentication function on the switch when the user logs such as telnet the authentication of user name and password can be carried out with TACACS 50 2 TACACS Configuration Task List 1 Configure the TACACS authentication key 2 Configure the TACACS server 3 ...

Page 447: ... the TACACS server the no tacacs server timeout command restores the default configuration 4 Configure the IP address of the TACACS NAS Command Explanation Global Mode tacacs server nas ipv4 ip address no tacacs server nas ipv4 To configure the source IP address for the TACACS packets for the switch 50 3 TACACS Scenarios Typical Examples Fig 50 1 TACACS Configuration A computer connects to a switc...

Page 448: ...S Troubleshooting In configuring and using TACACS the TACACS may fail to authentication due to reasons such as physical connection failure or wrong configurations The user should ensure the following First good condition of the TACACS server physical connection Second all interface and link protocols are in the UP state use show interface command Then ensure the TACACS key configured on the switch...

Page 449: ...work resource RADIUS Remote Authentication Dial in User Service is a kind of distributed and client server protocol for information exchange The RADIUS client is usually used on network appliance to implement AAA in cooperation with 802 1x protocol The RADIUS server maintains the database for AAA and communicates with the RADIUS client through RADIUS protocol The RADIUS protocol is the most common...

Page 450: ...sed to carry detailed information about AAA An Attribute value is formed by Type Length and Value fields Type field 1 octet the type of the attribute value which is shown as below Property Type of property Property Type of property 1 User Name 23 Framed IPX Network 2 User Password 24 State 3 CHAP Password 25 Class 4 NAS IP Address 26 Vendor Specific 5 NAS Port 27 Session Timeout 6 Service Type 28 ...

Page 451: ...ntication and accounting function 2 Configure the RADIUS authentication key 3 Configure the RADIUS server 4 Configure the parameter of the RADIUS service 5 Configure the IP address of the RADIUS NAS 1 Enable the authentication and accounting function 2 Configure the RADIUS authentication key Command Explanation Global Mode Command Explanation Global Mode aaa enable no aaa enable To enable the AAA ...

Page 452: ... key 0 7 string primary no radius server accounting host ipv4 address ipv6 address Specifies the IPv4 IPv6 address and the port number whether be primary server for RADIUS accounting server the no command deletes the RADIUS accounting server 4 Configure the parameter of the RADIUS service Command Explanation Global Mode radius server dead time minutes no radius server dead time To configure the in...

Page 453: ...source IP address for the RADIUS packets for the switch radius nas ipv6 ipv6 address no radius nas ipv6 To configure the source IPv6 address for the RADIUS packets for the switch 51 3 RADIUS Typical Examples 51 3 1 IPv4 Radius Example Fig 51 2 The Topology of IEEE802 1x configuration A computer connects to a switch of which the IP address is 10 1 1 2 and connected with a RADIUS authentication serv...

Page 454: ...ration A computer connects to a switch of which the IP address is 2004 1 2 3 2 and connected with a RADIUS authentication server without Ethernet1 0 2 IP address of the server is 2004 1 2 3 3 and the authentication port is defaulted at 1812 accounting port is defaulted at 1813 Configure steps as below Switch config interface vlan 1 Switch Config if vlan1 ipv6 address 2004 1 2 3 2 64 Switch Config ...

Page 455: ...he RADIUS server physical connection Second all interface and link protocols are in the UP state use show interface command Then ensure the RADIUS key configured on the switch is in accordance with the one configured on RADIUS server Finally ensure to connect to the correct RADIUS server If the RADIUS authentication problem remains unsolved please use debug aaa and other debugging command and copy...

Page 456: ... and the server and authentication both at the server sides and optional client SSL protocols must build on reliable transport layer such as TCP SSL protocols are independent for application layer Some protocols such as HTTP FTP TELNET and so on can build on SSL protocols transparently The SSL protocol negotiates for the encryption algorithm the encryption key and the server authentication before ...

Page 457: ...witch and the client When the SSL session has been set up all the data transmission in the application layer will be encrypted SSL handshake is done when the SSL session is being set up The switch should be able to provide certification keys Currently the keys provided by the switch are not the formal certification keys issued by official authentic but the private certification keys generated by S...

Page 458: ... command deletes the port number 3 Configure delete secure cipher suite by SSL used Command Explanation Global Mode ip http secure ciphersuite des cbc3 sha rc4 128 sha des cbc sha no ip http secure ciphersuite Configure delete secure cipher suite by SSL used 4 Maintenance and diagnose for the SSL function Command Explanation Admin Mode or Configuration Mode show ip http secure server status Show t...

Page 459: ...ld ensure the following First good condition of the physical connection Second all interface and link protocols are in the UP state use show interface command Then make sure SSL function is enabled use ip http secure server command Don t use the default port number if configured port number pay attention to the port number when input the web wide If SSL is enabled SSL should be restarted after cha...

Page 460: ...nd will not be able to connect to the network So in order to implement the security RA function configuring on the switch ports to reject vicious RA messages is necessary thus to prevent forwarding vicious RA to a certain extent and to avoid affecting the normal operation of the network 53 2 IPv6 Security RA Configuration Task Sequence 1 Globally enable IPv6 security RA 2 Enable IPv6 security RA o...

Page 461: ...aph advertises RA the normal user will receive the RA set the default router as the vicious IPv6 host user and change its own address This will cause the normal user to not be able to connect the network We want to set security RA on the 1 0 2 port of the switch so that the RA from the illegal user will not affect the normal user Switch configuration task sequence Switch config Switch config ipv6 ...

Page 462: ...expectation after configuring IPv6 security RA Check if the switch is correctly configured Check if there are rules conflicting with security RA function configured on the switch this kind of rules will cause RA messages to be forwarded ...

Page 463: ...the specific rules can be allowed or denied ACL can support IP ACL MAC ACL MAC IP ACL IPv6 ACL Ingress direction of VLAN can bind four kinds of ACL at the same time there are four resources on egress direction of VLAN IP ACL and MAC ACL engage one resource severally MAC IP ACL and IPv6 ACL engage two resources severally so egress direction of VLAN can not bind four kinds of ACL at the same time Wh...

Page 464: ...N ACL of MAC IP Command Explanation Global mode vacl mac ip access group 3100 3299 WORD in out traffic statistic vlan WORD no vacl mac ip access group 3100 3299 WORD in out vlan WORD Configure or delete MAC IP VLAN ACL 4 Configure VLAN ACL of IPv6 type Command Explanation Global mode vacl ipv6 access group 500 699 WORD in out traffic statistic vlan WORD no ipv6 access group 500 699 WORD in out vla...

Page 465: ... department can access the outside network at timeout but finance department are not allowed to access the outside network at any time for the security Then the following policies are configured Set the policy VACL_A for technique department At timeout they can access the outside network the rule as permit but other times the rule as deny and the policy is applied to Vlan1 Set the policy VACL_B of...

Page 466: ...urce any destination time range t1 3 Configure the extended acl_b of IP at any time it only allows to access resource within the internal network such as 192 168 1 255 Switch config ip access list extended vacl_b Switch config ip ext nacl vacl_a permit ip any source 192 168 1 0 0 0 0 255 Switch config ip ext nacl vacl_a deny ip any source any destination 4 Apply the configuration to VLAN Switch co...

Page 467: ... the matched packets of the port and the source MAC are allowed to pass when the authentication is successful MAB user didn t need to input the username and password manually in the process of authentication At present MAB authentication device only supports RADIUS authentication method There is the selection method for the authentication username and password use the MAC address of the MAB user a...

Page 468: ...username WORD password WORD Set the authentication mode of MAB authentication function 3 Configure MAB parameters Command Explanation Port Mode mac authentication bypass guest vlan 1 4094 no mac authentication bypass guest vlan Set guset vlan of MAB authentication only Hybrid port uses this command it is not take effect on access port mac authentication bypass binding limit 1 100 no mac authentica...

Page 469: ...authentication bypass timeout linkup period 0 30 no mac authentication bypass timeout linkup period To obtain IP again set the interval of down up when MAB binding is changing into VLAN mac authentication bypass spoofing garp check enable no mac authentication bypass spoofing garp check enable Enable the spoofing garp check function MAB function will not deal with spoofing garp any more the no com...

Page 470: ...hernet 1 0 3 is an access port connects to the printer and enables MAB function Ethernet 1 0 4 is a trunk port connects to Switch2 Ethernet 1 0 4 is a trunk port of Switch2 connects to Switch1 Ethernet 1 0 1 is an access port belongs to vlan8 connects to update server to download and upgrade the client software Ethernet 1 0 2 is an access port belongs to vlan9 connects to radius server which confi...

Page 471: ...r key test Switch config aaa enable Switch config aaa accounting enable 2 Enable the authentication function of each port Switch config interface ethernet 1 0 1 Switch config if ethernet1 0 1 dot1x enable Switch config if ethernet1 0 1 dot1x port method portbased Switch config if ethernet1 0 1 dot1x guest vlan 8 Switch config if ethernet1 0 1 exit Switch config interface ethernet 1 0 2 Switch conf...

Page 472: ...lem is caused by the following reasons Make sure global and port MAB function are enabled Make sure the correct username and password of MAB authentication are used Make sure the radius server configuration is correct Complete MAB offline detect through query whether dynamic MAC is exist Do not delete the binding if the MAC address exists in MAC address table The actual offline time without the tr...

Page 473: ...ecurity problem gradually becomes the focus soever the clients or the access device and the network are faced with security problem especially from the client in the current access network Traditional Ethernet user can not be identified traced and located exactly however in exoteric and controllable network identification and location are the basic character and requirement for user for example wh...

Page 474: ...ssion ID will be sent to client through PADS PPPoE Active Discovery Session confirmation packet hereto PPPoE discovery stage is completed enter session stage PADT PPPoE Active Discovery Terminate packet is an especial packet of PPPoE its Ethernet protocol number 0x8863 is the same as four packets above so it can be considered a packet of discovery stage To stop a PPPoE session PADT may be sent at ...

Page 475: ...I frame The protocol sets type field value of PPPoE protocol packet as 0x8863 include 5 kinds of packets in PPPoE discovery stage only type field value of session stage as 0x8864 PPPoE version field 4 bits Specify the current PPPoE protocol version the current version must be set as 0x1 PPPoE type field 4 bits Specify the protocol type the current version must be set as 0x1 PPPoE code field 1 byte...

Page 476: ...server name from the tag and select the corresponding server 0x0103 Exclusive tag of the host It is similar to tag field of PPPoE data packets and is used to match the sending and reveiving end Because broadcast network may exist many PPPoE data packets synchronously 0x0104 AC Cookies It is used to avoid the vicious DOS attack 0x0105 The identifier of vendor 0x0110 Relay session ID PPPoE data pack...

Page 477: ...e symbol to compart Slot ID occupies 2 bytes use to compart and occupy 1 byte Port Index occupies 3 bytes use to compart and occupy 1 byte Vlan ID occupies 4 bytes all fields use ASCII user can configure ciucuit ID for each port according to requirement ANI n byte Space 1byte eth 3 byte Space 1 byte Slot ID 2 byte 1byte Port Index 3 byte 1 byte Vlan ID 4 byte Fig 56 3 Agent Circuit ID value MAC of...

Page 478: ...PoE Intermediate Agent Command Explanation Global Mode pppoe intermediate agent no pppoe intermediate agent Enabel global PPPoE Intermediate Agent function pppoe intermediate agent type tr 101 circuit id access node id string no pppoe intermediate agent type tr 101 circuit id access node id Configure access node ID field value of circuit ID in added vendor tag pppoe intermediate agent type tr 101 ...

Page 479: ... format circuit id remote id hex ascii no pppoe intermediate agent format circuit id remote id Configure the format with hex or ASCII for circuit id and remote id Port Mode pppoe intermediate agent no pppoe intermediate agent Enable PPPoE Intermediate Agent function of port pppoe intermediate agent vendor tag strip no pppoe intermediate agent vendor tag strip Set vendor tag strip function of port ...

Page 480: ...nfigure circuit ID as aaaa remote ID as xyz for port ethernet1 0 3 Switch config if ethernet1 0 3 pppoe intermediate agent circuit id aaaa Switch config if ethernet1 0 3 pppoe intermediate agent remote id xyz circuit id value is abcd eth 01 002 0001 remote id value is 0a0b0c0d0e0f for the added vendor tag of port ethernet1 0 2 circuit id value is aaaa remote id value is xyz for the added vendor ta...

Page 481: ...onfig if ethernet1 0 3 pppoe intermediate agent remote id xyz circuit id value is bbbb remote id value is 0a0b0c0d0e0f for the added vendor tag of port ethernet1 0 2 circuit id value is efgh eth 01 003 1234 remote id value is xyz for the added vendor tag of port ethernet1 0 3 56 4 PPPoE Intermediate Agent Troubleshooting Only switch enables global PPPoE intermediate agent firstly this function can...

Page 482: ...nooping function is used to detect ND protocol packet it sets IPv6 address binding obtained by nodes with the stateless address configuration DHCPv6 Snooping function is used to detect DHCPv6 protocol packet it sets IPv6 address binding obtained by nodes with the stateful address configuration RA Snooping function is used to avoid the lawless node sending the spurious RA packet 57 2 SAVI Configura...

Page 483: ... interface if name type slaac dhcp lifetime lifetime type static no savi ipv6 check source binding ip ip address interface if name Configure a static or dynamic binding manually no command deletes the configured binding This command may be configured in a global function of savi enable slaac only enable dhcp only enable or dhcp slaac enable 4 Configure the global max dad delay for SAVI Command Exp...

Page 484: ...isable SAVI prefix check function Command Explanation Global mode ipv6 cps prefix check enable no ipv6 cps prefix check enable Enable the address prefix check for SAVI no command disables the function 9 Configure IPv6 address prefix for a link Command Explanation Global mode ipv6 cps prefix ip address vlan vid no ipv6 cps prefix ip address Configure IPv6 address prefix for a link manually no comma...

Page 485: ...tion 13 Enable or disable DHCPv6 trust of port Command Explanation Port mode ipv6 dhcp snooping trust no ipv6 dhcp snooping trust Enable DHCPv6 trust port no command disables the trust function port is translated from trust port into untrust port 14 Enable or disable ND trust of port Command Explanation Port mode ipv6 nd snooping trust no ipv6 nd snooping trust Configure a port as slaac trust and ...

Page 486: ...4 DHCP snooping to use IPv4 and IPv6 source address authentication is implemented Typical network topology application for SAVI function Client_1 Client_2 Ethernet1 0 13 Ethernet1 0 12 Switch2 Switch1 Ethernet1 0 1 Ethernet1 0 2 Switch3 Client_1 and Client_2 means two different user s PC installed IPv6 protocol respectively connect with port Ethernet1 0 12 of Switch1 and port Ethernet1 0 13 of Swi...

Page 487: ...nction please ensure the global SAVI function enabled After that enable the global function of the corresponding SAVI scene according to the actual application scene and enable the port authentication function If client can not correctly obtain IPv6 address assigned by DHCPv6 server after enable SAVI function please ensure DHCP port trust is configured by uplink port with DHCPv6 server If node bin...

Page 488: ... authentication client The after 802 1x authentication adds web based authentication mode the user can download a special Java Applet program by browser or other plug in to replace 802 1x client For the environment which uses 802 1x authentication installing client or downloading the special Java Applet program become a mortal problem To satisfy user s actual requirement the manual describes an ap...

Page 489: ...onfigure the max web portal binding number allowed by the port 4 Configure HTTP redirection address of web portal authentication Command Explanation Global Mode webportal redirect ip no webportal redirect Configure HTTP redirection address of web portal authentication 5 Configure IP source address for communicating between accessing device and portal server Command Explanation Global Mode webporta...

Page 490: ...et1 0 2 Ethernet1 0 3 Pc 1 Ethernet1 0 2 Ethernet1 0 4 Ethernet1 0 5 Switch 2 Internet Ethernet1 0 1 Ethernet1 0 4 Ethernet1 0 6 Portal server 192 168 40 99 RADIUS server 192 168 40 100 DHCP server DNS server Switch1 192 168 40 50 13 1 Web portal typical application scene In the above figure pc1 is end user there is http browser in it but no 802 1x authentication client pc1 wants to access the net...

Page 491: ...0 255 255 255 0 Switch config webportal enable Switch config webportal nas ip 192 168 40 50 Switch config webportal redirect 192 168 40 99 Switch config interface ethernet 1 0 3 Switch config if ethernet1 0 3 webportal enable Web portal authentication associates with DHCP snooping binding to use the configuration is as follows Switch config ip dhcp snooping enable Switch config ip dhcp snooping bi...

Page 492: ...ve router while the Backup routers serve as backups for the active router The virtual router has its own virtual IP address can be identical with the IP address of some router in the Standby cluster and routers in the Standby cluster also have their own IP address Since VRRP runs on routes or Ethernet Switches only the Standby cluster is transparent to the hosts with the segment To them there exis...

Page 493: ...r intervals 4 Configure VRRP interface monitor 1 Create Remove the Virtual Router Command Explanation Global Mode router vrrp vrid no router vrrp vrid Creates Removes the Virtual Router 2 Configure VRRP Dummy IP Address and Interface Command Explanation VRRP protocol configuration mode virtual ip ip no virtual ip Configures VRRP Dummy IP address the no virtual ip command removes the virtual IP add...

Page 494: ...RRP Timer intervals Command Explanation VRRP protocol configuration mode advertisement interval time Configures VRRP timer value in seconds 4 Configure VRRP interface monitor Command Explanation VRRP protocol configuration mode circuit failover IFNAME Vlan ID value_reduced no circuit failover Configures VRRP interface monitor the no circuit failover removes monitor to the interface 59 3 VRRP Typic...

Page 495: ...Config Router Vrrp interface vlan 1 SwitchB Config Router Vrrp enable 59 4 VRRP Troubleshooting In configuring and using VRRP protocol the VRRP protocol may fail to run properly due to reasons such as physical connection failure or wrong configurations The user should ensure the following Good condition of the physical connection All interface and link protocols are in the UP state use show interf...

Page 496: ...e same network segment of the interface s actual IP address If the examination remains unsolved please use debug vrrp and other debugging command and copy the DEBUG message within 3 minutes send the recorded message to the technical server center of our company ...

Page 497: ...s which use this gateway as their next hop host Even if there are more than one default gateways before rebooting the terminal devices they can not switch to the new gateway Adopting virtual router redundancy protocol VRPR can effectively avoid the flaws of statically specifying gateways In VRRP protocol there are two groups of import concepts VRRP routers and virtual routers master routers and ba...

Page 498: ...RRPv3 Message VRRPv3 has its own message format VRRP messages are used to communicate the priority of routers and the state of Master in the backup group they are encapsulated in IPv6 messages to send and are sent to the specified IPv6 multicast address The format of VRRPv3 message is shown in Graph 1 The source address of the IPv6 message encapsulating the VRRPv3 message is the local address of t...

Page 499: ...he time reducing the affection that the switch causes on terminal devices There is only one kind of VRRP control message VRRP advertisement It uses IP multicast data packets to encapsulate and the format of multicast addresses is FF02 0 0 0 0 0 XXXX XXXX In order to keep a consistence with the multicast address in VRRPv2 224 0 0 18 the multicast addresses used by VRRPv3 advertisement messages can ...

Page 500: ...icy is configured the backup router with higher priority will preempt the role of new master router over the current master router with lower priority In order to avoid the fault of returning a physical MAC address when Pinging virtual IP it is regulated that virtual IP can not be the real IP of the interface Thus all the interfaces participating of the backup group selection will be backup by def...

Page 501: ...preempt mode Command Explanation VRRPv3 Protocol Mode preempt mode true false Configure VRRPv3 preempt mode 2 Configure VRRPv3 priority Command Explanation VRRPv3 Protocol Mode priority priority Configure VRRPv3 priority 3 Configure the VRRPv3 advertisement interval Command Explanation VRRPv3 Protocol Mode advertisement interval time Configure the VRRPv3 advertisement interval in cent seconds 4 Co...

Page 502: ...IPv6_C and V_IPV6_D respectively and the default IPv6 gateway address are configured as V_IPv6_C and V_IPv6_D respectively in reality the IPv6 gateway address of hosts are usually learnt automatically via router advertisements thus the IPv6 next hop of the hosts will have some randomness Doing this will not only implement router backup but also the flow sharing function in the LAN The configuratio...

Page 503: ...v3 protocol it might operate abnormally because of incorrect physical connections and configuration So users should pay attention to the following points First the physical connections should be correct Next the interface and link protocol are UP use show ipv6 interface command And then make sure that IPv6 forwarding function is enabled use ipv6 enable command Besides make sure that VRRPv3 protoco...

Page 504: ...s compare to STP protocol 1 MRPP specifically uses to Ethernet ring topology 2 fast convergence less than 1 s ideally it can reach 100 50 ms 61 1 1 Conception Introduction Fig 61 1 MRPP Sketch Map 1 Control VLAN Control VLAN is a virtual VLAN only used to identify MRPP protocol packet transferred in the link To avoid confusion with other configured VLAN avoids configuring control VLAN ID to be the...

Page 505: ...ry node The primary port of primary node is used to send ring health examine packet hello the secondary port is used to receive Hello packet sending from primary node When the Ethernet is in health state the secondary port of primary node blocks other data in logical and only MRPP packet can pass When the Ethernet is in break state the secondary port of primary node releases block state and forwar...

Page 506: ...ive health detect packet when timer is over time The primary releases the secondary port block state and sends LINK DOWN FLUSH_FDB packet to inform all of transfer nodes to refresh own Packet Type Explanation Hello packet Health examine packet Hello The primary port of primary node evokes to detect ring if the secondary port of primary node can receive Hello packet in configured overtime so the ri...

Page 507: ...rarily only permit control VLAN packet pass after only receiving LINK UP FLUSH FDB packet from primary node and releases the port block state 61 2 MRPP Configuration Task List 1 Globally enable MRPP 2 Configure MRPP ring 3 Configure the query time of MRPP 4 Configure the compatible mode 5 Display and debug MRPP relevant information 1 Globally enable MRPP Command Explanation Global Mode mrpp enable...

Page 508: ...figure the query time of MRPP Command Explanation Global Mode mrpp poll time 20 2000 Configure the query interval of MRPP 4 Configure the compatible mode Command Explanation Global Mode mrpp errp compatible no mrpp errp compatible Enable the compatible mode for ERRP the no command disables the compatible mode mrpp eaps compatible no mrpp eaps compatible Enable the compatible mode for EAPS the no c...

Page 509: ... primary port E1 0 2 to secondary port Other switches are secondary nodes of MRPP ring configures primary port and secondary port separately To avoid ring it should temporarily disable one of the ports of primary node when it enables each MRPP ring in the whole MRPP ring and after all of the nodes are configured open the port When disable MRPP ring it needs to insure the MRPP ring doesn t have rin...

Page 510: ...itch config If Ethernet1 0 1 interface ethernet 1 0 2 Switch config If Ethernet1 0 2 mrpp ring 4000 secondary port Switch config If Ethernet1 0 2 exit Switch Config SWITCH C configuration Task Sequence Switch Config mrpp enable Switch Config mrpp ring 4000 Switch mrpp ring 4000 control vlan 4000 Switch mrpp ring 4000 enable Switch mrpp ring 4000 exit Switch Config interface ethernet 1 0 1 Switch c...

Page 511: ...on MRPP ring it disconnects the ring firstly and ensures if each switch MRPP ring configuration on the ring is correct or not if correct restores the ring and then observes the ring is normal or not The convergence time of MRPP ring net is relative to the response mode of up down If use poll mode the convergence time as hundreds of milliseconds in simple ring net if use interrupt mode the converge...

Page 512: ...work this is the typical application scene of ULPP SwitchA goes up to SwitchD through SwitchB and SwitchC port A1 and port A2 are the uplink ports SwitchA configures ULPP thereinto port A1 is set as the master port port A2 is set as the slave port When port A1 at forwarding state has the problem switch the uplink at once port A2 turns into forwarding state After this when recovering the master por...

Page 513: ...vice of configuring ULPP needs to send the flush packets through the port which is switched to Forwarding state and update MAC address tables and ARP tables of other devices in the network ULPP respectively uses two kinds of flush packets to update the entries the updated packets of MAC address and the deleted packets of ARP For making use of the bandwidth resource enough ULPP can implement VLAN l...

Page 514: ...ing information of ULPP 1 Create ULPP group globally 2 Configure ULPP group Command Expalnation Global mode ulpp group integer no ulpp group integer Configure and delete ULPP group globally Command Explanation ULPP group configuration mode preemption mode no preemption mode Configure the preemption mode of ULPP group The no operation deletes the preemption mode ...

Page 515: ...letes the protection VLANs flush enable mac flush disable mac Enable or disable sending the flush packets which update MAC address flush enable arp flush disable arp Enable or disable sending the flush packets which delete ARP description string no description Configure or delete ULPP group description Port mode ulpp control vlan vlan list no ulpp control vlan vlan list Configure the receiving con...

Page 516: ... debug ulpp flush content interface name Show the contents of the received flush packets the no operation disables the showing debug ulpp error no debug ulpp error Show the error information of ULPP the no operation disables the showing debug ulpp event no debug ulpp event Show the event information of ULPP the no operation disables the showing 62 3 ULPP Typical Examples 62 3 1 ULPP Typical Exampl...

Page 517: ...hB and SwitchC configure the flush packets that receive ULPP SwitchA configuration task list Switch Config vlan 10 Switch Config vlan10 switchport interface ethernet 1 0 1 1 0 2 Switch Config vlan10 exit Switch Config spanning tree mst configuration Switch Config Mstp Region instance 1 vlan 10 Switch Config Mstp Region exit Switch Config ulpp group 1 Switch ulpp group 1 protect vlan reference inst...

Page 518: ...2 is the master port and port 1 0 1 is the slave port in group2 The VLANs protected by group1 are 1 100 and by group2 are 101 200 Here both port E1 0 1 and port E1 0 2 at the forwarding state the master port and the slave port mutually backup respectively forward the packets of different VLAN ranges When port E1 0 1 has the problem the traffic of VLAN 1 200 are forwarded by port E1 0 2 When port E...

Page 519: ...If Ethernet1 0 2 ulpp group 1 slave Switch config If Ethernet1 0 2 ulpp group 2 master Switch config If Ethernet1 0 2 exit SwitchB configuration task list Switch Config interface ethernet 1 0 1 Switch config If Ethernet1 0 1 switchport mode trunk Switch config If Ethernet1 0 1 ulpp flush enable mac Switch config If Ethernet1 0 1 ulpp flush enable arp SwitchC configuration task list Switch Config i...

Page 520: ...ULPP Configuration 519 information of 3 minutes and the configuration information send them to our technical service center ...

Page 521: ...ate changes along with Up Down of ULSM group and is always the same with ULSM group state ULSM associates with ULPP to enable the downstream device to apperceive the link problem of the upstream device and process correctly As the picture illustrated SwitchA configures ULPP here the traffic is forwarded by port A1 If the link between SwitchB and Switch D has the problem SwitchA can not apperceive ...

Page 522: ... of ULSM 1 Create ULSM group globally Command explanation Global mode ulsm group group id no ulsm group group id Configure and delete ULSM group globally 2 Configure ULSM group Command explanation Port mode ulsm group group id uplink downlink no ulsm group group id uplink downlink Configure the uplink downlink port of ULSM group the no command deletes the uplink downlink port ...

Page 523: ...he port state synchronization its independent running is useless so it usually associates with ULPP protocol to use In the topology SwitchA enables ULPP protocol it is used to switch the uplink SwitchB and SwitchC enable ULSM protocol to monitor whether the uplink is down If it is down then ULSM will execute the down operation for the downlink port to shutdown it so ULPP protocol of Swtich A execu...

Page 524: ... Ethernet1 0 1 exit Switch Config interface ethernet 1 0 3 Switch config If Ethernet1 0 3 ulsm group 1 uplink Switch config If Ethernet1 0 3 exit SwitchC configuration task list Switch Config ulsm group 1 Switch Config interface ethernet 1 0 2 Switch config If Ethernet1 0 2 ulsm group 1 downlink Switch config If Ethernet1 0 2 exit Switch Config interface ethernet 1 0 4 Switch config If Ethernet1 0...

Page 525: ...will take effect only the specified rule is permit A chassis switch supports at most 4 mirror destination ports each boardcard allows a source or destination port of a mirror session At present each box switch can set many mirror sessions There is no limitation on mirror source ports one port or several ports is allowed When there are more than one source ports they can be in the same VLAN or in d...

Page 526: ...guration guidelines 1 Configure interface 1 0 1 to be a mirror destination interface 2 Configure the interface 1 0 7 ingress and interface 1 0 9 egress to be mirrored source 3 Configure access list 120 4 Configure access 120 to binding interface 15 ingress Configuration procedure is as follows Switch config monitor session 4 destination interface ethernet 1 0 1 Switch config monitor session 4 sour...

Page 527: ...ber of a TRUNK group or not if yes modify the TRUNK group If the throughput of mirror destination port is smaller than the total throughput of mirror source port s the destination port will not be able to duplicate all source port traffic please decrease the number of source ports duplicate traffic for one direction only or choose a port with greater throughput as the destination port Mirror desti...

Page 528: ...port belongs The source switch copies the mirrored traffic flows to the Remote VLAN and then through Layer 2 forwarding the mirrored flows are sent to an intermediate switch or destination switch 2 Intermediate switch Switches between the source switch and destination switch on the network Intermediate switch forwards mirrored flows to the next intermediate switch or the destination switch Circums...

Page 529: ...belong to the RSPAN VLAN The destination port should be connected to the Monitor and the configured as access port or the TRUNK port The RSPAN reflector port will be working dedicatedly for mirroring when a port is configured as a reflector port it will discards all the existing connections to the remote peer disable configurations related to loopback interfaces and stop forwarding datagram Connec...

Page 530: ...nitor session session destination interface interface number no monitor session session destination interface interface number To configure mirror destination interface The no command deletes the mirror destination port 4 Configure reflector port Command Explanation VLAN Configuration Mode remote span no remote span To configure the specified VLAN as RSPAN VLAN The no command will remove the confi...

Page 531: ...eflector port and the other is with reflector port For the first one only one fixed port can be connected to the intermediate switch However no reflector port has to be configured This maximizes the usage of witch ports For the latter one the port connected to the monitor session session reflector port interface number no monitor session session reflector port To configure the interface to reflect...

Page 532: ... destination interface ethernet1 0 2 Switch config monitor session 1 remote vlan 5 Intermediate switch Interface ethernet1 0 6 is the source port which is connected to the source switch Interface ethernet1 0 7 is the destination port which is connected to the intermediate switch The native VLAN of this port cannot be configured as RSPAN VLAN or the mirrored data may not be carried by the destinati...

Page 533: ...SPAN VLAN it is access port or TRUNK port of the RSPAN VLAN RSPAN VLAN is 5 Switch config vlan 5 Switch Config Vlan5 remote span Switch Config Vlan5 exit Switch config interface ethernet1 0 2 Switch Config If Ethernet1 0 2 switchport mode trunk Switch Config If Ethernet1 0 2 exit Switch config interface ethernet 1 0 3 Switch Config If Ethernet1 0 3 switchport mode trunk Switch Config If Ethernet1 ...

Page 534: ...net1 0 9 switchport mode trunk Switch Config If Ethernet1 0 9 exit Switch config interface ethernet 1 0 10 Switch Config If Ethernet1 0 10 switchport access vlan 5 Switch Config If Ethernet1 0 10 exit 65 4 RSPAN Troubleshooting Due to the following reasons RSPAN may not function Whether the destination mirror port is a member of the Port channel group If so please change the Port channel group con...

Page 535: ...RSPAN Configuration 534 VLAN for the TRUNK ports ...

Page 536: ...g and statistic targeting physical port Our data sample includes the IPv4 and IPv6 packets Extensions of other types are not supported so far As for non IPv4 and IPv6 packet the unify HEADER mode will be adopted following the requirements in RFC3176 copying the head information of the packet based on analyzing the type of its protocol The latest sFlow protocol presented by InMon Company is the ver...

Page 537: ... Configure the packet head length copied by sFlow Command Explanation Port Mode sflow header len length vlaue no sflow header len Configure the length of the packet data head copied in the sFlow data sampling the no form of this command restores to the default value 5 Configure the max data head length of the sFlow packet Command Explanation Port Mode sflow data len length vlaue no sflow data len ...

Page 538: ... 1 200 The address of the layer 3 interface on the SwitchA connected with PC is 192 168 1 100 A loopback interface with the address of 10 1 144 2 is configured on the SwitchA sFlow configuration is as follows Configuration procedure is as follows Switch config Switch config sflow ageng address 10 1 144 2 Switch config sflow destination 192 168 1 200 Switch config sflow priority 1 Switch config int...

Page 539: ...nsure the physical connection is correct Guarantee the address of the sFlow analyzer configured under global or port mode is accessible If traffic sampling is required the sampling rate of the interface must be configured If statistic sampling is required the statistic sampling interval of the interface must be configured If the examination remains unsolved please contact with the technical servic...

Page 540: ...s the simplified version of NTP removing the complex algorithm of NTP SNTP is used for hosts who do not require full NTP functions it is a subset of NTP It is common practice to synchronize the clocks of several hosts in local area network with other NTP hosts through the Internet and use those hosts to provide time synchronization service for other clients in LAN The figure below depicts a NTP SN...

Page 541: ...h two redundant SNTP NTP servers For time to be synchronized the network must be properly configured There should be reachable route between any switch and the two SNTP NTP servers Example Assume the IP addresses of the SNTP NTP servers are 10 1 1 1 and 20 1 1 1 respectively and SNTP NTP server function such as NTP master is enabled then configurations for any switch should like the following Swit...

Page 542: ...g NTP its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks also can synchronize each other by transmit NTP packets 68 2 NTP Function Configuration Task List 1 To enable NTP function 2 To configure NTP server function 3 To configure the max number of broadcast or multicast servers supported by the NTP client 4 To configure time zo...

Page 543: ...oadcast or multicast servers supported by the NTP client The no operation will cancel the configuration and restore the default value 4 To configure time zone Command Explication Global Mode clock timezone WORD add subtract 0 23 0 59 no clock timezone WORD This command configures timezone in global mode the no command deletes the configured timezone 5 To configure NTP access control list Command E...

Page 544: ...ulticast client To configure specified interface to receive NTP multicast packets ntp ipv6 multicast client no ntp ipv6 multicast client To configure specified interface to receive IPv6 NTP multicast packets 8 To configure some interface can t receive NTP packets Command Explication vlan Configuration Mode ntp disable no ntp disable To disable the NTP function 9 Display information Command Explica...

Page 545: ...o synchronize time with time server in network there is two time server in network the one is used as host the other is used as standby the connection and configuration as follows Switch A and Switch B are the switch or route which support NTP server The configuration of Switch C is as follows Switch A and Switch B may have the different command because of different companies we not explain there ...

Page 546: ...g information The NTP function disables by default the show command can be used to display current configuration If the configuration is right please use debug every relative debugging command and display specific information in procedure and the function is configured right or not you can also use show command to display the NTP running information any questions please send the recorded message t...

Page 547: ...cal domain name cache for a match If a match is found it sends the corresponding IPv4 IPv6 address back to the switch If no match is found it sends a query to a higher DNS server This process continues until a result whether success or failure is returned The Domain Name System DNS is a hierarchical naming system for computers services or any resource participating in the Internet It associates va...

Page 548: ...ctionality of the Internet 69 2 DNSv4 v6 Configuration Task List 1 To enable disable DNS function 2 To configure delete DNS server 3 To configure delete domain name suffix 4 To delete the domain entry of specified address in dynamic cache 5 To enable DNS dynamic domain name resolution 6 Enable disable DNS SERVER function 7 Configure the max number of client information in the switch queue 8 Config...

Page 549: ...ipv4 ipv6 hostname To enable DNS dynamic domain name resolution 6 Enable disable DNS SERVER function Command Explanation Global Mode ip dns server no ip dns server Enable disable DNS SERVER function 7 Configure the max number of client information in the switch queue Command Explanation Global Mode ip dns server queue maximum 1 5000 no ip dns server queue maximum Configure the max number of client...

Page 550: ...end recv events relay no debug dns all packet send recv events relay To enable disable DEBUG of DNS function 69 3 Typical Examples of DNS Fig 69 1 DNS CLIENT typical environment As shown in fig the switch connected to DNS server through network if the switch want to visit sina Website it needn t to know the IPv4 IPv6 address of sina Website only need is to record the domain name of sina Website is...

Page 551: ...globally enabled the switch will look up its local cache when receiving a DNS request from a client PC If there is a domain needed by the local client it will directly answer the client s request otherwise the switch will relay the request to the real DNS server pass the reply from the DNS Server to the client and record the domain and its IP address for a faster lookup in the future Switch config...

Page 552: ...show interface command Then please make sure that the DNS dynamic lookup function is enabled use the ip domain lookup command before enabling the DNS CLIENT function To use DNS SERVER function please enable it use the ip dns server command Finally ensure configured DNS server address use dns server command and the switch can ping DNS server If the DNS problems remain unsolved please use debug DNS ...

Page 553: ... am of summer time 70 2 Summer Time Configuration Task Sequence 1 Configure absolute or recurrent time range of summer time Command Explanation Global Mode clock summer time word absolute HH MM YYYY MM DD HH MM YYYY MM DD offset no clock summer time Set absolute time range of summer time start and end summer time is configured with specified year clock summer time word recurring HH MM MM DD HH MM ...

Page 554: ...ation requirement in the following The summer time from 23 00 on the first Saturday of April to 00 00 on the last Sunday of October year after year clock offset as 2 hours and summer time is named as time_travel Configuration procedure is as follows Switch config clock summer time time_travel recurring 23 00 first sat apr 00 00 last sun oct 120 70 4 Summer Time Troubleshooting If there is any prob...

Page 555: ...e accessibility between the switch and the remote equipment Options and explanations of the parameters of the Ping6 command please refer to Ping6 command chapter in the command manual 71 3 Traceroute Traceroute command is for testing the gateways through which the data packets travel from the source device to the destination device so to check the network accessibility and locate the network failu...

Page 556: ...essage including the source address of the IPv6 packet all content in the IPv6 packet and the IPv6 address of the router Upon receiving this message the Traceroute6 sends another datagram of which the HOPLIMIT is increased to 2 so to discover the second router Plus 1 to the HOPLIMIT every time to discover another router the Traceroute6 repeat this action till certain datagram reaches the destinati...

Page 557: ...witch as well as the Trunk port information show tcp show tcp ipv6 Display the TCP connection status established currently on the switch show udp show udp ipv6 Display the UDP connection status established currently on the switch show telnet login Display the information of the Telnet client which currently establishes a Telnet connection with the switch show tech support Display the operation inf...

Page 558: ... terminal or monitor this function is good for remote maintenance Assign a proper log buffer zone inside the switch for record the log information permanently or temporarily Configure the log host the log system will directly send the log information to the log host and save it in files to be viewed at any time Among above log channels users rarely use the console monitor but will commonly choose ...

Page 559: ... is 4 debugging is leveled at 7 so the critical is higher than warnings which no doubt is high than debugging The rule applied in filtering the log information by severity level is that only the log information with level equal to or higher than the threshold will be outputted So when the severity threshold is set to debugging all information will be outputted and if set to critical only critical ...

Page 560: ... be sent to all terminal with also saved in the SDRAM log buffer zone And the critical information can be save both in SDRAM and the NVRAM if exists besides sent to all terminals To check the log save in SDRAM and the NVRAM we can use the show logging buffered command To clear the log save in NVRAM and SDRAM log buffer zone we can use the clear logging command 71 7 2 System Log Configuration Syste...

Page 561: ... loghost sequence number 3 Enable disable the log executed commands 4 Display the log source 5 Display executed commands state 71 7 3 System Log Configuration Example Example 1 When managing VLAN the IPv4 address of the switch is 100 100 100 1 and the IPv4 address of the remote log server is 100 100 100 5 It is required to send the log Command Description Global mode logging executed commands enab...

Page 562: ...0 5 facility local1 level warnings Example 2 When managing VLAN the IPv6 address of the switch is 3ffe 506 1 and the IPv4 address of the remote log server is 3ffe 506 4 It is required to send the log information with a severity equal to or higher than critical to this log server and save the log in the record equipment local7 Configuration procedure Switch config interface vlan 1 Switch Config if ...

Page 563: ...riod of time usually when updating the switch version The switch can be rebooted after a period of time instead of immediately after its version being updated successfully 72 2 Reload Switch after Specifid Time Task List 1 Reload switch after specified time Command Explanation Admin mode reload after HH MM SS days days Reload the switch after a specified time period reload cancel Cancel the specif...

Page 564: ...t total Set the total rate of the CPU receiving packets the no command sets the total rate of the CPU receiving packets to default cpu rx ratelimit protocol protocol type packets no cpu rx ratelimit protocol protocol type Set the max rate of the CPU receiving packets of the protocol type the no command set the max rate to default clear cpu rx stat protocol protocol type Clear the statistics of the...

Page 565: ...Debugging and Diagnosis for Packets Received and Sent by CPU 564 no debug driver receive send Turn off the showing of the CPU receiving or sending packet informations ...

Reviews:

No comments