manualshive.com logo in svg

OmniSwitch os6900, Network Configuration Manual, Page: 430 / 942

Share
Download
OmniSwitch os6900 Network Configuration Manual Download Page 430

IPsec Overview

Configuring IPsec

page 18-8

OmniSwitch AOS Release 7 Network Configuration Guide

June 2013

Securing Traffic Using IPsec

Securing traffic using IPsec requires the following main procedures below:

Master Security Key - Used to encrypt SA keys when stored on the switch.

Policies - Determines which traffic should be processed using IPsec.

Policy Rules - Determines whether AH, ESP, or a combination of both should be used.

Security Associations (SAs) - Determines which algorithms should be used to secure the traffic.

SA Keys - Determines the keys to be used with the SA to secure the traffic.

Master Security Key

The master security key is used to encrypt and decrypt the configured SA keys that are saved to perma-
nent storage (e.g., 

boot.cfg 

file).

 If no master security key is configured, SA keys are stored unencrypted. 

Therefore, configuring a master key is 

VITALLY IMPORTANT 

and

 STRONGLY RECOMMENDED

. A 

warning message will be logged if the config is saved witout a Master Security Key being set.

IPsec Policy

IPsec Policies define which traffic requires IPsec processing. The policy requires the source and destina-
tion of the traffic to be specified as IPv6 addresses. The policy may cover all traffic from source to desti-
nation or may further restrict it by specifying an upper-layer protocol, source, and/or destination ports. 
Each policy is unidirectional, applying either to inbound or outbound traffic. Therefore, to cover all traffic 
between a source and destination, two policies would need to be defined. 

IPsec Policy Rules

Rules are created and applied to policies. Rules determine what type of encryption or authentication 
should be used for the associated policy. For example, for a security policy where an IPv6 payload should 
be protected by an ESP header, which should then be protected by an AH header, two rules would be 
applied to the policy, one for ESP and one for AH. 

Security Association (SA)

A Security Association, more commonly referred to as an SA, is a basic building block of IPsec.

 

It speci-

fies the actual IPsec algorithms to be employed. SA is a unidirectional agreement between the participants 
regarding the methods and parameters to use in securing a communication channel. A Security Associa-
tion is a management tool used to enforce a security policy in the IPsec environment. SA actually speci-
fies encryption and authentication between communicating peers. 

Manually configured SAs are unidirectional; bi-directional communication requires at least two SAs, one 
for each direction. Manually-configured SAs are specified by a combination of their SPI, source and desti-
nation addresses. However, multiple SAs can be configured for the same source and destination combina-
tion. Such SAs are distinguished by a unique Security Parameter Index (SPI). 

SA Keys

Keys are used for encrypting and authenticating the traffic. Key lengths must match what is required by 
the encryption or authentication algorithm specified in the SA. Key values may be specified either in hexa-
decimal format or as a string.

Summary of Contents for os6900

Page 1: ...Part No 060319 10 Rev G June 2013 OmniSwitch AOS Release 7 Network Configuration Guide www alcatel lucent com...

Page 2: ...Alcatel Lucent Xylan OmniSwitch OmniStack and Alcatel Lucent OmniVista are registered trademarks of Alcatel Lucent OmniAccess Omni Switch Router PolicyView RouterView SwitchManager VoiceView WebView...

Page 3: ...4 Configuring Ethernet Port Parameters 1 4 Enabling and Disabling Autonegotiation 1 4 Configuring Crossover Settings 1 4 Setting Interface Line Speed 1 5 Configuring Duplex Mode 1 5 Setting Trap Port...

Page 4: ...DLD 2 6 Enabling and Disabling UDLD 2 6 Configuring the Operational Mode 2 7 Configuring the Probe Timer 2 7 Configuring the Echo Wait Timer 2 7 Clearing UDLD Statistics 2 8 Verifying the UDLD Configu...

Page 5: ...Specifications 5 2 High Availability Default Values 5 2 Quick Steps for Creating High Availability VLANs 5 3 High Availability VLAN Overview 5 4 High Availability VLAN Operational Mode 5 4 Traffic Fl...

Page 6: ...ration Commands 6 25 Configuring STP Bridge Parameters 6 26 Selecting the Spantree Protocol 6 27 Configuring the Bridge Priority 6 27 Configuring the Bridge Hello Time 6 28 Configuring the Bridge Max...

Page 7: ...n Configuration and Statistics 7 11 Chapter 8 Configuring Dynamic Link Aggregation 8 1 In This Chapter 8 1 Dynamic Link Aggregation Specifications 8 2 Dynamic Link Aggregation Default Values 8 3 Quick...

Page 8: ...9 17 Virtual Chassis Configuration Guidelines 9 17 Configuring the Chassis Identifier 9 19 Configuring the Virtual Chassis Group Identifier 9 20 Creating the Virtual Fabric Link VFL 9 20 Configuring t...

Page 9: ...C VLAN 10 31 Configuring Aggregate Identifier Ranges 10 31 Configuring MCLAG Aggregates 10 31 Configuring the VIP VLAN 10 32 Recommended Configuration Parameters 10 33 Verifying Parameter Consistency...

Page 10: ...in Sub Ring 11 26 Verifying the ERP Configuration 11 27 Chapter 12 Configuring MVRP 12 1 In This Chapter 12 1 MVRP Specifications 12 2 MVRP Defaults 12 3 Quick Steps for Configuring MVRP 12 4 MRP Ove...

Page 11: ...etting the Reinit Delay 13 10 Setting the Notification Interval 13 10 Verifying 802 1AB Configuration 13 11 Chapter 14 Configuring Dynamic Automatic Fabric 14 1 In This Chapter 14 2 Auto Fabric Specif...

Page 12: ...ng the Router ID 15 16 Configuring the Route Preference of a Router 15 16 Configuring the Time to Live TTL Value 15 17 Configuring Route Map Redistribution 15 17 IP Directed Broadcasts 15 23 Denial of...

Page 13: ...g VRF Instances 16 14 Configuring the VRF Profile 16 16 Selecting a VRF Instance 16 17 Assigning IP Interfaces to a VRF Instance 16 17 Configuring Routing Protocols for a Specific VRF Instance 16 18 R...

Page 14: ...ing IPsec 18 9 Configuring IPsec on the OmniSwitch 18 10 Configuring an IPsec Master Key 18 10 Configuring an IPsec Policy 18 11 Configuring an IPsec SA 18 15 Additional Examples 18 19 Configuring ESP...

Page 15: ...FD Protocol Works 20 8 Operational Mode and Echo Function 20 9 BFD Packet Formats 20 9 BFD Session Establishment 20 10 Configuring BFD 20 11 Configuring BFD Session Parameters 20 11 Configuring BFD Su...

Page 16: ...VRRP Configuration Overview 22 10 Basic Virtual Router Configuration 22 10 Creating Deleting a Virtual Router 22 10 Specifying an IP Address for a Virtual Router 22 11 Configuring the Advertisement In...

Page 17: ...0 Configuring Server Load Balancing on a Switch 23 11 Enabling and Disabling Server Load Balancing 23 11 Configuring and Deleting SLB Clusters 23 12 Assigning Servers to and Removing Servers from a Cl...

Page 18: ...abling and Disabling the IGMP Zapping 24 20 Limiting IGMP Multicast Groups 24 21 IPMSv6 Overview 24 22 IPMSv6 Example 24 22 Reserved IPv6 Multicast Addresses 24 23 MLD Version 2 24 23 Configuring IPMS...

Page 19: ...Policy Bandwidth Policing 25 26 Configuring Port Bandwidth Shaping 25 28 QoS Policy Overview 25 29 How Policies Are Used 25 29 Policy Lists 25 30 Interaction With Other Features 25 30 Valid Policies...

Page 20: ...er 3 ACLs 25 65 IPv6 ACLs 25 66 Multicast Filtering ACLs 25 66 Using ACL Security Features 25 67 Applying the Configuration 25 71 Interaction With LDAP Policies 25 72 Verifying the Applied Policy Conf...

Page 21: ...7 6 Quick Steps for Configuring QoS Policy Lists 27 7 UNP Overview 27 9 Profile Types 27 9 UNP Port Types 27 12 Customer Domains 27 12 UNP VLANs 27 12 Device Authentication and Classification 27 13 Ho...

Page 22: ...ngerprinting Modes 28 7 Using the Application REGEX Signature File 28 8 Application Fingerprinting Database 28 9 Interaction With Other Features 28 10 General 28 10 QoS 28 10 sFLOW 28 10 Configuring A...

Page 23: ...ng Deleting a Port Mapping Session 30 3 Creating a Port Mapping Session 30 3 Deleting a Port Mapping Session 30 3 Enabling Disabling a Port Mapping Session 30 4 Enabling a Port Mapping Session 30 4 Di...

Page 24: ...In This Chapter 32 1 Port Mirroring Overview 32 3 Port Mirroring Specifications 32 3 Port Mirroring Defaults 32 3 Quick Steps for Configuring Port Mirroring 32 4 Port Monitoring Overview 32 5 Port Mo...

Page 25: ...nfiguring capture type 32 27 Displaying Port Monitoring Status and Data 32 28 sFlow 32 29 sFlow Manager 32 29 Receiver 32 29 Sampler 32 30 Poller 32 30 Configuring a sFlow Session 32 30 Configuring a...

Page 26: ...h Logging Specifications 34 2 Switch Logging Defaults 34 3 Quick Steps for Configuring Switch Logging 34 4 Switch Logging Overview 34 5 Switch Logging Commands Overview 34 6 Enabling Switch Logging 34...

Page 27: ...Specifications 36 2 SAA Defaults 36 2 Quick Steps for Configuring SAA 36 3 Service Assurance Agent Overview 36 4 Configuring Service Assurance Agent 36 4 Configuring an SAA ID 36 5 Configuring SAA SPB...

Page 28: ...Contents xxviii OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 29: ...r anyone wishing to gain knowledge on how fundamental software features are implemented in the OmniSwitch Series switches will benefit from the material in this configuration guide When Should I Read...

Page 30: ...mniVista includes a complete context sensitive on line help system This guide provides overview material on software features how to procedures and tutorials that will enable you to begin configuring...

Page 31: ...h Management Guide Once you have your switch up and running you will want to begin investigating basic aspects of its hardware and software Information about switch hardware is provided in the OmniSwi...

Page 32: ...nd UNP and Data Center Bridging protocols PFC ETC and DCBX Anytime The OmniSwitch CLI Reference Guide contains comprehensive information on all CLI commands supported by the switch This guide includes...

Page 33: ...mation on all the major software features and protocols included in the base software package Chapters cover Layer 2 information Ethernet and VLAN configuration Layer 3 information routing protocols s...

Page 34: ...unctionality and on site hardware replacement through our global network of highly qualified service delivery partners With 24 hour access to Alcatel Lucent s Service and Support web page you ll be ab...

Page 35: ...rative requests from SNMP or CLI In This Chapter This chapter describes the Ethernet port parameters of the switch and how to configure them through the Command Line Interface CLI CLI Commands are use...

Page 36: ...Supported 802 1Q Hardware Tagging Supported Jumbo Frame Configuration Supported on 1 10 40 Gigabit Ethernet ports Enhance Port Performance EPP Supported on OS6900 with 10 Gigabit transceivers Maximum...

Page 37: ...efaults OmniSwitch AOS Release 7 Network Configuration Guide June 2013 page 1 3 Digital Diagnostics Monitoring DDM interfaces ddm Disabled Enhanced Port Performance EPP interfaces Disabled Parameter D...

Page 38: ...terfaces 2 1 3 autoneg enable interfaces 2 autoneg enable Configuring Crossover Settings To configure crossover settings on a single port a range of ports or an entire slot use the interfaces crossove...

Page 39: ...auto interfaces 3 duplex full Setting Trap Port Link Messages The interfaces link trap command can be used to enable or disable trap port link messages on a specific port a range of ports or all ports...

Page 40: ...The interfaces max frame size command can be used to configure the maximum frame size in bytes on a specific port a range of ports or all ports on a switch For example interfaces 2 3 max frame 9216 i...

Page 41: ...mode Configuring flow control is done to specify whether or not an interface transmits honors or both transmits and honors PAUSE frames PAUSE frames are used to temporarily pause the flow of traf fic...

Page 42: ...quality of the interface 2 Diagnose any link quality issues If the Link Quality is not Good Perform a few basic trouble shooting steps to determine if the issue is with the link partner and whether en...

Page 43: ...with the defi cient receive channels For example interfaces 2 1 epp enable After enabling EPP continue to monitor the Link Quality Configuring Energy Efficient Ethernet 802 3az Energy Efficient Ethern...

Page 44: ...rate in legacy mode This allows EEE capable switches to be deployed in existing networks avoiding backward compatibility issues EEE is only applicable to 10GBase T ports The LLDP option in IEEE 802 3a...

Page 45: ...the port has exceeded the maximum value A device with a secure MAC address that is configured or learned on one of the secure ports attempts to access another secure port Consider the following regard...

Page 46: ...or frames and alignment errors When a configurable number of errors is detected within the duration of a link monitoring window the interface is shut down To configure the number of errors allowed bef...

Page 47: ...erfaces link monitoring admin status command For example interfaces 1 1 link monitoring admin status enable All the statistics link errors and link flaps for a port are reset to zero when Link Monitor...

Page 48: ...guring the Wait to Shutdown Timer The wait to shutdown WTS timer is used to implement a delay before an interface is made non opera tional for other applications such as data control and management On...

Page 49: ...ll continue to send packets to the interface The link status of the remote connected port will be down when the WTS timer is running since the port is physically down The interfaces wait to shutdown c...

Page 50: ...the source ports in the group go down LFP waits a configured amount of time then shuts down another set of interfaces configured as destination ports that are associated with the same group When any...

Page 51: ...ggregation at the time of the violation are shut down A link aggregate port remains in a violation state even if the port leaves the link aggregate If a port that is not a member of a link aggregate a...

Page 52: ...ple link fault propagation group 1 destination port 1 5 8 2 3 4 Configure the LFP wait to shutdown timer This timer specifies the amount of time that LFP will wait before shutting down all the destina...

Page 53: ...ation Example In this example When interfaces 2 1 and 3 1 on OS 1 are down the access switch will keep interface 1 1 as active and traffic will still be forwarded to OS 1 even though it has no network...

Page 54: ...Link Fault Propagation Configuring Ethernet Ports page 1 20 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 55: ...he Layer 2 communication is functioning properly All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links When UDLD detects a unidirectional l...

Page 56: ...tch 10K 6900 Maximum number of UDLD ports per system Up to maximum physical ports per system Parameter Description Command Default UDLD administrative state udld Disabled UDLD status of a port udld po...

Page 57: ...rt 6 of slot 1 as 17 seconds using the following command udld port 1 6 probe timer 17 Note Optional Verify the UDLD global configuration by entering the show udld configuration command or verify the U...

Page 58: ...l depends on explicit information instead of implicit information If the protocol is unable to retrieve any explicit information the port is not put in the shutdown state instead it is marked as Undet...

Page 59: ...r the interfaces that are affected by the configuration change UDLD sends a message to the neighbors to flush the part of their caches affected by the status change This UDLD message is intended to sy...

Page 60: ...ling UDLD By default UDLD is disabled on all switch ports To enable UDLD on a switch use the udld command For example the following command enables UDLD on a switch udld enable To disable UDLD on a sw...

Page 61: ...ange of ports For example udld port 1 8 21 probe timer 18 Use the no form of this command to reset the timer For example the following command resets the timer for port 4 of slot 6 no udld port 6 4 pr...

Page 62: ...ted below For more information about the resulting display from these commands see the OmniSwitch CLI Refer ence Guide An example of the output for the show udld configuration port and show udld stati...

Page 63: ...re on the same LAN segment If the destination address is not found in the MAC address table then the packet is forwarded to all other switches that are connected to the same LAN If the MAC address tab...

Page 64: ...raffic Classes Multicast Filtering and Virtual LAN Extensions Maximum number of learned MAC addresses when centralized MAC source learning mode is enabled OS10K 32K Module 32K Chassis OS6900 128K Maxi...

Page 65: ...ecorded in the MAC address table Assigning a MAC address to the silent device s port creates a record in the MAC address table and ensures that packets destined for the silent device are forwarded out...

Page 66: ...mac learning command For more information about this command see the OmniSwitch CLI Reference Guide Static MAC Addresses on Link Aggregate Ports Static MAC Addresses are not assigned to physical ports...

Page 67: ...ddress is enabled For example MAC addresses with a prefix of 01 03 05 13 etc are multicast MAC addresses If a multicast prefix value is not present then the address is treated as a regular MAC address...

Page 68: ...the OmniSwitch CLI Reference Guide Static Multicast MAC Addresses on Link Aggregate Ports Static multicast MAC addresses are not assigned to physical ports that belong to a link aggregate Instead the...

Page 69: ...eived For example the following sets the aging time for all VLANs to 1200 seconds 20 minutes mac learning aging time 1200 A MAC address learned on any VLAN port ages out when the time since a packet w...

Page 70: ...switch is forwarding to another switch within the ring This functionality is also useful in Transparent LAN Service configurations where the service provider device does not need to learn the MAC addr...

Page 71: ...command When distributed MAC source learning mode is disabled the switch operates in the centralized MAC source learning mode the default Enabling or disabling the distributed MAC source learning mod...

Page 72: ...w commands listed below For more information about the resulting displays from these commands see the OmniSwitch CLI Refer ence Guide show mac learning Displays a list of all MAC addresses known to th...

Page 73: ...er ports and or a link aggregate of ports In This Chapter This chapter describes how to define and manage VLAN configurations through the Command Line Interface CLI CLI commands are used in the config...

Page 74: ...a Networks 802 1D Media Access Control Bridges Maximum VLANs per switch 4094 Maximum Tagged VLANs per Port 4094 Maximum Untagged VLANs per Port One untagged VLAN default VLAN per port Maximum VLAN Por...

Page 75: ...h a description for example Finance IP Network using the following command vlan 100 name Finance IP Network 2 Define an IP interface using the following command to assign an IP host address of 21 0 0...

Page 76: ...or deleting VLANs modifying the status of VLAN properties for example administrative Spanning Tree and authentication status changing the VLAN description or configuring VLAN router interfaces VLAN po...

Page 77: ...are enabled when the VLAN is created The name parameter for VLAN is optional Note Quotation marks are required if the description contains multiple words separated by spaces If the description consist...

Page 78: ...Marketing IP Network Assigning Ports to VLANs The OmniSwitch supports static assignment of physical switch ports to a VLAN Once the assignment occurs a VLAN port association VPA is created and tracke...

Page 79: ...remove a default VPA When this is done VLAN 1 is restored as the default VLAN for the port no vlan 955 members port 2 5 Using 802 1Q Tagging Another method for assigning ports to VLANs involves confi...

Page 80: ...example to configure port 3 4 to carry traffic for VLAN 5 enter the following command at the CLI prompt vlan 5 members port 4 3 tagged Port 4 3 is now configured to carry packets tagged with VLAN 5 ev...

Page 81: ...vlan admin state command is used to enable disable a Spanning Tree instance for an existing VLAN In the following examples Spanning Tree is disabled on VLAN 255 and enabled on VLAN 755 spantree vlan 2...

Page 82: ...where to forward packets based on the destination MAC address of the packet routing makes the decision on where to forward packets based on the IP network address assigned to the packet for example 2...

Page 83: ...AN 10 The workstations can communicate with each other because the ports to which they are connected are also assigned to VLAN 10 It is important to note that connection cables do not have to connect...

Page 84: ...idged across physical switch connections within the VLAN 10 domain the workstations are basically unaware that the switches even exist Each workstation believes that the others are all part of the sam...

Page 85: ...finitions show vlan members Displays a list of VLAN port assignments show ip interface Displays VLAN IP router interface information Type Description default The port was statically assigned to the VL...

Page 86: ...provides the following information VLAN 200 is the configured default VLAN for port 3 24 which is currently not active VLAN 200 is an 802 1Q tagged VLAN for port 5 12 which is an active port but curr...

Page 87: ...r more details about the syntax of commands see the OmniSwitch CLI Reference Guide Configuration procedures described in this chapter include Creating a VLAN on page 5 6 Adding and Removing Server Clu...

Page 88: ...tch port not eligible for high availability VLAN assignment Mirroring ports CLI Command Prefix Recognition All high availability VLAN configuration commands with the high availability VLAN prefix supp...

Page 89: ...as shown below vlan 10 members port 1 3 untagged vlan 10 members port 1 4 untagged vlan 10 members port 1 5 untagged 4 Assign mac address for the new server cluster by using the command server cluste...

Page 90: ...N decides on which requests a particular node has to handle Apart from service request paths the nodes are internally connected to share information related to the service load information service req...

Page 91: ...VLAN MAC address are sent out the egress ports that are members of the same VLAN The MAC address is virtual to the server cluster individual servers may have different physical MAC address Since all...

Page 92: ...luster Ports on page 5 7 4 Assign MAC Addresses To assign MAC addresses to the HA VLAN server cluster use the server cluster mac address command which is described in Assigning and Removing MAC Addres...

Page 93: ...rver cluster ports from a high availability VLAN use the no form of server cluster port linkagg command For example no server cluster 1 port 1 21 no server cluster 3 linkagg 1 Assigning and Modifying...

Page 94: ...ddress 00 25 9a 5c 2f 10 to high availability VLAN 20 you would enter server cluster mac address vlan 20 mac 00 25 9a 5c 2f 10 To add more than one MAC address to a high availability VLAN enter each a...

Page 95: ...L2 server cluster through 3 ports 1 3 1 4 1 5 A server cluster can be configured with a unique MAC address and a VLAN with a port list The traffic which ingresses on 1 1 or 1 2 destined to the server...

Page 96: ...dress For example server cluster 1 vlan 10 port mac address 01 00 11 22 33 44 Note Optional You can display the configuration of high availability VLANs with the show server clus ter command For examp...

Page 97: ...red 1 3 1 4 1 5 The ingress ports are on a different VLAN as the server cluster IP inter face However all the egress ports need to be in the same VLAN as the IP interface of server cluster The other t...

Page 98: ...2 mac address static 01 00 5e 22 33 44 Note Optional You can display the configuration of high availability VLANs with the show server clus ter command For example show server cluster 2 Cluster Id 2 C...

Page 99: ...ough 3 ports 1 3 1 4 1 5 There is no provision for port list configuration and Ports are derived dynamically using the IGMP snooping of the reports from the server cluster IGMP v2 reports The traffic...

Page 100: ...3 12 mac address static 01 00 11 22 33 44 5 If you want to assign a dynamic mac address for the server cluster enter the command as follows server cluster 3 ip 10 135 33 12 mac address dynamic 6 Enabl...

Page 101: ...r 3 mode L3 vlan 12 vlan 12 members port 1 3 untagged vlan 12 members port 1 4 untagged vlan 12 members port 1 5 untagged server cluster 3 ip 10 135 33 12 mac address static 01 00 11 22 33 44 ip multi...

Page 102: ...35 33 203 14 L3 01 12 11 22 33 45 10 135 33 203 15 L3 01 00 5e 00 00 44 10 135 33 203 225 0 1 2 cluster igmp To display the status and configuration of a single high availability VLAN cluster enter sh...

Page 103: ...y into a single Spanning Tree to ensure that there is only one data path between any two switches Supports fault tolerance within the network topology The Spanning Tree is reconfigured in the event of...

Page 104: ...mmand Line Interface CLI CLI commands are used in the configuration examples for more details about the syntax of commands see the OmniSwitch CLI Reference Guide Configuration procedures described in...

Page 105: ...Trees 802 1w Rapid Spanning Tree Protocol Spanning Tree operating modes supported Flat mode one spanning tree instance per switch Per VLAN mode one spanning tree instance per VLAN Spanning Tree port e...

Page 106: ...nds Maximum aging time allowed for Spanning Tree information learned from the network spantree max age 20 seconds Spanning Tree port state transi tion time spantree forward delay 15 seconds Path cost...

Page 107: ...at or per VLAN or protocol is active on the switch Parameter Description Command Default The MST region name spantree mst region name blank The revision level for the MST region spantree mst region re...

Page 108: ...ddition to the CST instance Each MSTI is mapped to a set of VLANs As a result the flat mode can now support the forwarding of VLAN traffic over separate data paths This section provides a Spanning Tre...

Page 109: ...ot bridge does not have a root port Designated Port The designated bridge provides the LAN with the shortest path to the root The designated port connects the LAN to this bridge Backup Port Any operat...

Page 110: ...ding or discarding for each bridge port based on the role the port plays in the active Spanning Tree topology The following events trigger the transmitting and or processing of BPDU in order to discov...

Page 111: ...address 2 The best root path cost 3 If root path costs are equal the bridge ID of the bridge sending the BPDU 4 If the previous three values tie then the port ID lowest priority value then lowest por...

Page 112: ...A eventually receives the same packets back and the cycle starts over again This causes severe congestion on the network often referred to as a broadcast storm Physical Topology Example The Spanning...

Page 113: ...AN from Switch B to Switch A All ports on Switch D are designated ports because Switch D is the root and each port connects to a LAN Ports 2 10 3 1 and 3 8 are the root ports for Switches A B and C re...

Page 114: ...tree that uses 802 1D STP or 802 1w RSTP to provide a loop free network topology The Alcatel Lucent flat spanning tree mode applies a single CST instance on a per switch basis The per VLAN mode is an...

Page 115: ...8 and 5 2 and 4 2 and 5 1 are seen as redundant because they are both controlled by the VLAN 200 Spanning Tree instance and connect to the same switches The VLAN 200 Spanning Tree instance determines...

Page 116: ...ions are compared to each other across VLANs to determine which connection provides the best path However because VLANs 200 and 250 are associated to MSTI 2 it is possible to change the port path cost...

Page 117: ...set of VLANs a one to many association STP and RSTP in the flat mode apply one Spanning Tree instance to all VLANs a one to all association STP and RSTP in the per VLAN mode apply a single Spanning Tr...

Page 118: ...el and have the same VLANs mapped to the same MSTI The CST for the entire network sees Switches A B and C as one virtual bridge that is running a single Spanning Tree instance As a result CST blocks t...

Page 119: ...Instance The Common and Internal Spanning Tree CIST instance is the Spanning Tree calculated by the MST region IST and the network CST The CIST is represented by the single Spanning Tree flat mode ins...

Page 120: ...s not recommended The per VLAN mode is a proprietary implementation that creates a separate Spanning Tree instance for each VLAN configured on the switch The MSTP implementation is in compliance with...

Page 121: ...switch to flat mode MSTP Making a backup copy of the switch boot cfg file before changing the protocol to MSTP is highly recommended Having a backup copy makes it easier to revert to the non MSTP conf...

Page 122: ...ss VLANs Multiple connections between switches are considered redundant paths even if they are associated with different VLANs Spanning Tree parameters are configured for the single flat mode instance...

Page 123: ...ches If a port in VLAN 10 and a port in VLAN 20 both connect to the same switch within their respective VLANs they are not considered redundant data paths and STP does not block them However if two po...

Page 124: ...r VLAN Spanning Tree mode allows OmniSwitch ports to transmit and receive either the standard IEEE BPDUs or Cisco s proprietary PVST BPDUs When the PVST mode is enabled a user port operates in the def...

Page 125: ...lity command is used to enable or disable the PVST interoperability mode globally for all switch ports and link aggregates or on a per port link aggregate basis By default PVST compatibility is disabl...

Page 126: ...ror message Also the existing per vlan priority values are restored when changing from PVST mode back to per VLAN mode For more information on priority refer Configuring the Bridge Priority on page 6...

Page 127: ...e is also known as MSTI 0 vlan command applies to the specified VLAN instance These commands referred to as explicit commands allow the configuration of a particular Spanning Tree instance independent...

Page 128: ...t active unless Spanning Tree is enabled on the VLAN and at least one active port is assigned to the VLAN Use the spantree vlan admin state command to enable or disable a VLAN Spanning Tree instance I...

Page 129: ...dge Priority A bridge is identified within the Spanning Tree by its bridge ID an eight byte hex number The first two bytes of the bridge ID contain a priority value and the remaining six bytes contain...

Page 130: ...interval is the number of seconds a bridge waits between transmissions of Configuration BPDU When a bridge is attempting to become the root or if it has become the root or a designated bridge it sends...

Page 131: ...the topology more often To change the bridge max age time value for a VLAN instance regardless of which mode per VLAN or flat is active for the switch use the spantree max age command with the vlan pa...

Page 132: ...For example the following commands change the forward delay time value for the flat mode instance to 10 spantree forward delay 10 spantree cist forward delay 10 Note The forward delay time is not con...

Page 133: ...pports two default path cost modes long or short just like in OmniSwitch per vlan implementation If you have configured PVST mode in the OmniSwitch it is recommended that the same default path cost mo...

Page 134: ...way to prevent undesirable ports from becoming the root for an MSTI To change the default status of the AVC on the switch and to globally enable this feature for all MSTIs use the spantree auto vlan...

Page 135: ...summary of Spanning Tree port configuration commands For more information about these commands see the OmniSwitch CLI Reference Guide Commands Used for spantree cist Configuring the port Spanning Tree...

Page 136: ...isable To change the port Spanning Tree status for the flat mode instance use the spantree cist command Note that this command is available when the switch is running in either mode per VLAN or flat F...

Page 137: ...t represents a collection of physical ports To enable or disable the Spanning Tree status for a link aggregate use the spantree vlan or spantree cist commands described above but specify a link aggreg...

Page 138: ...n with VLAN ID 10 spantree vlan 10 port 10 1 priority 3 To change the port priority value for the flat mode instance use the spantree priority command with the cist and port parameters Note that this...

Page 139: ...and the path_cost is set to zero the following IEEE 802 1D recommended default path cost values based on link speed are used Spanning Tree is automatically enabled on a port and the path cost is set...

Page 140: ...e Ports Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm Instead the algorithm is applied to the aggregate logical link virtual port that represents a c...

Page 141: ...he linkagg parameter and a link aggregate control ID number For example the following command sets the path cost for link aggregate 10 associated with VLAN 755 to 19 spantree vlan 755 linkagg 10 path...

Page 142: ...de per VLAN or flat is active for the switch use the spantree vlan mode command For example the following command sets the mode for port 8 1 for VLAN 10 to forwarding spantree vlan 10 port 8 1 mode fo...

Page 143: ...ort is always allowed to transition to the role of root port regardless of the alternate port connection type Note Configure ports that will connect to a host PC workstation server etc as edge ports s...

Page 144: ...an aggregate of ports see Chapter 7 Configuring Static Link Aggregation and Chapter 8 Configuring Dynamic Link Aggregation Configuring the Edge Port Status There are two methods for determining the e...

Page 145: ...s to prevent bridges external to the core region of the network from influencing the Spanning Tree topology However note that enabling the restricted role status for a port may impact connectivity wit...

Page 146: ...ch was calculated based on both configured and default Spanning Tree parameter values Example Active Spanning Tree Topology In the above example topology Each switch is operating in the per VLAN Spann...

Page 147: ...work loop condition is avoided Redundant connections also exist between Switch A and Switch B Although the path cost value for both of these connections is the same ports 2 8 and 3 3 are in a discardi...

Page 148: ...ion show spantree vlan 255 Spanning Tree Parameters for Vlan 255 Spanning Tree Status ON Protocol IEEE RAPID STP mode per vlan 1 STP per Vlan Priority 32768 0x0FA0 Bridge ID 8000 00 d0 95 00 00 04 Des...

Page 149: ...the bridge is acting as the root of the MST region This section provides a tutorial for defining a sample MST region configuration as shown in the diagram below In order for switches A B and C in the...

Page 150: ...create and map MSTIs to VLANs 4 Configure 3 as the maximum number of hops for the region using the spantree mst region max hops command For example spantree mst region max hops 3 Note Optional Verify...

Page 151: ...he spantree mode command For example spantree mode flat Note that defining an MSTP configuration requires the use of explicit Spanning Tree commands which are available in both the flat and per VLAN m...

Page 152: ...ing the spantree msti path cost command For example the PPC for ports associated with the CIST instance is set to the default of 200 000 for 100 MB connections The following commands change the PPC va...

Page 153: ...as redundant for that instance In addition the CIST data path remains available for CIST VLAN traffic Another solution to this scenario is to assign all VLANs to an MSTI leaving no VLANs controlled by...

Page 154: ...ee bridge information for a VLAN instance show spantree cist ports Displays Spanning Tree port information for the flat mode Common and Internal Spanning Tree CIST instance show spantree msti ports Di...

Page 155: ...hernet backbones to Gigabit Ethernet backbones In This Chapter This chapter describes the basic components of static link aggregation and how to configure them through the Command Line Interface CLI C...

Page 156: ...ion Default Values The table below lists default values and the commands to modify them for static aggregate groups Platforms Supported OmniSwitch 10K 6900 Maximum number of link aggregation groups 12...

Page 157: ...tatic agg size command For example linkagg static agg 1 size 4 2 Assign all the necessary ports with the linkagg static port agg command For example linkagg static port 1 1 4 agg 1 3 Create a VLAN for...

Page 158: ...egate Size 4 Number of Selected Ports 4 Number of Reserved Ports 4 Number of Attached Ports 4 Primary Port 1 1 You can also use the show linkagg port port command to display information on specific po...

Page 159: ...ribes static link aggregation For information on dynamic link aggregation please refer to Chapter 8 Configuring Dynamic Link Aggregation Static Link Aggregation Operation Static link aggregate groups...

Page 160: ...6 for more information Note See Quick Steps for Configuring Static Link Aggregation on page 7 3 for a brief tutorial on configuring these mandatory parameters Alcatel Lucent s link aggregation softwar...

Page 161: ...reate static aggregate group 5 that consists of eight links on a switch enter linkagg static agg 5 size 8 Note The number of links assigned to a static aggregate group must always be close to the numb...

Page 162: ...the linkagg static port agg command by entering linkagg static port followed by the slot number a slash the port number agg and the number or ID of the static aggregate group For example to assign po...

Page 163: ...egate group the name must be specified within quotes for example Static Aggregate Group 4 Deleting a Static Aggregate Group Name To remove a name from a static aggregate group use the no form of the l...

Page 164: ...2 41 2 42 2 43 and 2 44 on Switch B Sample Network Using Static Link Aggregation Follow the steps below to configure this network Note Only the steps to configure the local i e Switch A switch are pr...

Page 165: ...ic and dynamic enter show linkagg Number Aggregate SNMP Id Size Admin State Oper State Att Sel Ports 1 Static 40000001 4 ENABLED DOWN 0 0 2 Static 40000002 8 ENABLED DOWN 0 0 10 Dynamic 40000010 8 ENA...

Page 166: ...c link aggregate group 1 enter show linkagg port 4 1 A screen similar to the following would be displayed Static Aggregable Port SNMP Id 2001 Slot Port 4 1 Administrative State ENABLED Operational Sta...

Page 167: ...of dynamic link aggregation and how to configure them through the Command Line Interface CLI CLI commands are used in the configuration examples for more details about the syntax of commands see the O...

Page 168: ...table below lists specifications for dynamic aggregation groups and ports Platforms Supported OmniSwitch 10K 6900 IEEE Specifications Supported 802 3ad Aggregation of Multiple Link Segments Maximum n...

Page 169: ...er system id 00 00 00 00 00 00 Group Partner System Priority linkagg lacp agg partner system priority 0 Group Partner Administrative Key linkagg lacp agg partner admin key 0 Actor Port Administrative...

Page 170: ...5 linkagg lacp port 5 4 actor admin key 5 linkagg lacp port 6 1 2 actor admin key 5 linkagg lacp port 7 3 actor admin key 5 linkagg lacp port 8 1 actor admin key 5 3 Create a VLAN for this dynamic li...

Page 171: ...Actor Oper Key 0 Partner System Id 00 20 da 81 d5 b1 Partner System Priority 0 Partner Admin Key 5 Partner Oper Key 0 When multi chassis link aggregation feature is activated on the switch the show li...

Page 172: ...ation interacts with other software features Link aggregation groups are identified by unique MAC addresses which are created by the switch but can be modified by the user at any time Load balancing f...

Page 173: ...for information on using Command Line Interface CLI commands to configure dynamic aggregate groups and see Displaying Dynamic Link Aggregation Configuration and Statistics on page 8 30 for informatio...

Page 174: ...roups This section describes how to use Alcatel Lucent s Command Line Interface CLI commands to create modify and delete dynamic aggregate groups See Configuring Mandatory Dynamic Link Aggregate Param...

Page 175: ...describe how to create and delete dynamic aggregate groups with the linkagg lacp agg size command Creating a Dynamic Aggregate Group To configure a dynamic aggregate group enter linkagg lacp agg follo...

Page 176: ...gate Group To configure ports with the same administrative key which allows them to be aggregated enter lacp port followed by the slot number a slash the port number actor admin key and the user speci...

Page 177: ...or administrative key of 10 to slot 4 port 1 enter linkagg lacp port 4 1 actor admin key 10 Removing Ports from a Dynamic Aggregate Group To remove a port from a dynamic aggregate group use the no for...

Page 178: ...Aggregate Groups on page 8 8 for more information Modifying Dynamic Aggregate Group Parameters This section describes how to modify the following dynamic aggregate group parameters Group name see Mod...

Page 179: ...ame command by entering linkagg lacp agg followed by the dynamic aggregate group number and no name For example to remove any user configured name from dynamic aggregate group 4 enter no linkagg lacp...

Page 180: ...er For example to remove an administrative key from dynamic aggregate group 4 enter no linkagg lacp agg 4 actor admin key Modifying the Dynamic Aggregate Group Actor System Priority By default the dyn...

Page 181: ...group number and actor system id For example to remove the user configured system ID from dynamic aggregate group 4 enter no linkagg lacp agg 4 actor system id Modifying the Dynamic Aggregate Group Pa...

Page 182: ...ple to reset the partner system priority of dynamic aggregate group 4 to its default value enter no linkagg lacp agg 4 partner system priority Modifying the Dynamic Aggregate Group Partner System ID B...

Page 183: ...LACPDU frames The following subsections describe how to configure user specified values and how to restore them to their default values with the linkagg lacp agg admin state command Configuring Actor...

Page 184: ...tore bits 0 active and 2 aggregate to their default settings on dynamic aggregate actor port 2 in slot 5 enter no linkagg lacp port 5 2 actor admin state active aggregate collect Specifying this keywo...

Page 185: ...enter linkagg lacp port 7 3 actor system id 00 20 da 06 ba d3 For example to modify the system ID of the dynamic aggregate actor port 3 in slot 7 to 00 20 da 06 ba d3 and document that the port is 10...

Page 186: ...restore the value to its default value with the linkagg lacp port actor port priority command Configuring the Actor Port Priority You can configure the actor port priority to a value by entering linka...

Page 187: ...are used for LACPDU frames and 2 indicating that this port is available for aggregation are set in LACPDU frames The following subsections describe how to configure user specified values and how to re...

Page 188: ...ggregate or synchronize keywords For example to restore bits 0 active and 2 aggregate to their default settings on dynamic aggregate partner port 1 in slot 7 enter no linkagg lacp port 7 1 partner adm...

Page 189: ...the slot number a slash the port number partner admin key and the user specified partner port administrative key For example to modify the administrative key of a dynamic aggregate group partner port...

Page 190: ...ash the port number and the partner admin system id parameters For example to remove a user configured system ID from dynamic aggregate partner port 2 in slot 6 enter no linkagg lacp port 6 2 partner...

Page 191: ...example to modify the administrative status of dynamic aggregate partner port 1 in slot 7 to 200 you would enter linkagg lacp port 7 1 partner admin port 200 For example to modify the administrative...

Page 192: ...y 100 Restoring the Partner Port Priority To remove a user configured partner port priority from a dynamic aggregate group partner port configuration use the no form of the linkagg lacp port partner a...

Page 193: ...Spanning Tree Protocol STP with the highest priority 15 possible And VLAN 12 has been configured on dynamic aggregate group 7 with 802 1Q tagging and 802 1p priority bit settings Sample Network Using...

Page 194: ...g Tree Protocol STP has been disabled on this VLAN STP is enabled by default enable it on VLAN 10 by entering vlan 10 stp enable Note Optional Use the show spantree ports command to determine if the S...

Page 195: ...onfigure 802 1Q tagging with a tagging ID VLAN ID of 12 on dynamic aggregate group 7 by entering vlan 12 members 7 5 If the QoS Manager has been disabled it is enabled by default enable it by entering...

Page 196: ...wide link aggregate group and link aggregate port information respectively For example to display global statistics on all link aggregate groups both dynamic and static enter show linkagg agg A screen...

Page 197: ...in System Priority 20 Partner Oper System Priority 20 Partner Admin System Id 00 00 00 00 00 00 Partner Oper System Id 00 00 00 00 00 00 Partner Admin Key 8 Partner Oper Key 0 Attached Agg Id 0 Actor...

Page 198: ...Displaying Dynamic Link Aggregation Configuration and Statistics Configuring Dynamic Link Aggregation page 8 32 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 199: ...chassis configuration With the introduction of the Virtual Chassis feature a switch can now operate in two modes Virtual Chassis or Standalone When a switch operates in Virtual Chassis this will caus...

Page 200: ...ut the syntax of the commands see the OmniSwitch CLI Reference Guide The following information and configuration procedures are included in this chapter Virtual Chassis Specifications on page 9 3 Virt...

Page 201: ...of physical switches in a Virtual Chassis Note Must be the same platform type 2 Valid chassis identifier 1 or 2 Valid chassis group identifier 0 255 Valid chassis priority 0 255 Maximum number of Vir...

Page 202: ...ameter Description Command Default Value Comments Chassis Identifier virtual chassis configured chassis id 0 Chassis group identifier virtual chassis chassis group 0 Chassis priority virtual chassis c...

Page 203: ...igned to it and the underlying interfaces admin istratively enabled A vcboot cfg file containing the generic virtual chassis configuration present must be present in the running directory Note Multi C...

Page 204: ...4 2 Use the show virtual chassis consistency command to check the consistency of the virtual chassis show virtual chassis consistency Legend denotes mandatory consistency which will affect chassis sta...

Page 205: ...ge with support for all protocols A Virtual Chassis can be upgraded using ISSU to minimize network impact Virtual Chassis Basic Topology Virtual Chassis Concepts and Components Virtual Chassis is an O...

Page 206: ...s and VFL links vcboot cfg A file containing information pertaining to the virtual chassis as a whole including L2 and L3 configuration management configuration user ports configuration etc Similar to...

Page 207: ...ts it will not be affected 3 The vcsetup cfg and vcboot cfg files will be automatically created within vc_dir directory 4 The images from the current running directory will be automatically copied to...

Page 208: ...s to start up error mode if either one of the following conditions occur The vcsetup cfg and vcboot cfg configuration files are present in the running directory but no valid advanced license is instal...

Page 209: ...chassis fail the chassis will reboot and the first in line Slave chassis will take over becoming the new Master chassis The first in line is derived from the same election criteria that were used to s...

Page 210: ...is scenario Using directly connected CMM EMP ports could result in a scenario where the Primary CMM on one switch is directly connected to the Secondary CMM on the other switch if a local CMM takeover...

Page 211: ...loads it comes back as a Slave chassis To restore the role of Master to the original Master chassis the current Master can be rebooted and the original Master will take over assuming the Master role P...

Page 212: ...Features on page 9 16 Basic Virtual Chassis Building Block The building block below can be used to connect to the edge or core devices in the network and is comprised of two switches connected with a...

Page 213: ...guration Guide June 2013 page 9 15 Virtual Chassis at the Core Data Center VC In the topology shown below edge switches are connected through virtual chassis and core switches are dual attached Data C...

Page 214: ...uration that does not adhere to this requirement then upon boot up only one configured VFL member port from each group of ports listed above will be enabled The configuration of the remaining ports of...

Page 215: ...tch is still operating in standalone mode For a thorough description of the configuration process while a switch is already operating in virtual chassis mode please refer to the CLI guide General Virt...

Page 216: ...ue group identifier This configuration may cause problems for the RCD Remote Chassis Detection protocol used to detect virtual chassis topology splits as well as other unpredictable issues The virtual...

Page 217: ...ges to the control VLAN will only take effect after the next reboot of the switch The control VLAN must be the same between the switches comprising the virtual chassis For more information on the Cont...

Page 218: ...he virtual chassis vf link create and virtual chassis vf link member port commands For example virtual chassis vf link 0 create virtual chassis vf link 0 member port 1 1 virtual chassis vf link 0 memb...

Page 219: ...sis and can be used for remote access to the entire Virtual Chassis The Chassis EMP IP address is assigned to each switch comprising the virtual chassis EMP CHAS1 or EMP CHAS2 This address can be used...

Page 220: ...S1 EMP CMMA CHAS2 EMP CMMB CHAS2 A direct connection to the associated CMM s console port is required before attempting to change IP address information using the modify boot parameters command as sho...

Page 221: ...al chassis vf link 0 create Chassis_2 virtual chassis vf link 0 member port 1 24 25 Chassis_1 ip interface local emp address 10 255 100 2 mask 255 255 255 0 Chassis_2 write memory Chassis_2 convert co...

Page 222: ...ort 1 1 10 actor admin key 1 VC_Core linkagg lacp port 1 1 11 actor admin key 1 VC_Core linkagg lacp port 2 1 10 actor admin key 1 VC_Core linkagg lacp port 2 1 11 actor admin key 1 VC_Core vlan 100 m...

Page 223: ...out the output details that result from these commands see the OmniSwitch CLI Reference Guide show virtual chassis topology Displays details about the configured and operational parameters related to...

Page 224: ...Displaying Virtual Chassis Configuration and Status Configuring Virtual Chassis page 9 26 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 225: ...without running Layer 2 loop detection protocols such as the Spanning Tree Protocol between the edge and aggregation switches while still detecting data loop conditions failure detection and converge...

Page 226: ...ation examples for more details about the syntax of commands see the OmniSwitch CLI Reference Guide The following information and configuration procedures are included in this chapter Quick Steps for...

Page 227: ...run the same version of the OmniSwitch AOS Release 7 software for MCLAG support Platforms Supported OmniSwitch 10K 6900 Maximum number of MCLAG aggregates on multi chassis domain 128 Maximum number o...

Page 228: ...s Parameter Description Command Default Value Comments Multi chassis chassis ID multi chassis chassis id N A Not an MCLAG peer switch Multi chassis chassis group ID multi chassis chassis group 0 Hello...

Page 229: ...ti chassis chassis group command as shown below OS10K Chassis 1 multi chassis chassis group 10 OS10K Chassis 2 multi chassis chassis group 10 3 Create a virtual fabric link between chassis peers using...

Page 230: ...al 0 127 48 95 Peer N A N A 0 47 Multi Chassis N A N A 96 127 7 Verify the virtual fabric link configuration and default VLAN settings using the show multi chassis vf link command as shown below OS10K...

Page 231: ...s Type OS10K OS10K OK Hello Interval 1 1 OK IPC VLAN 4094 4094 OK Chassis Group 10 10 OK STP Path Cost Mode Auto Auto OK STP Mode Per VLAN Per VLAN OK 10 Save the configuration and reload using the wr...

Page 232: ...l Peer Status Chassis ID 1 2 OK Hello Interval 1 1 OK IPC VLAN 4094 4094 OK STP Path Cost Mode Auto Auto OK STP Mode Per VLAN Per VLAN OK OS10K Chassis 2 show multi chassis consistency Consistency Loc...

Page 233: ...ing blocks to provide full functionality The following sections highlight the various components of MCLAG The Multi Chassis Domain is a virtual entity consisting of two peer switches the virtual fabri...

Page 234: ...ion between edge devices and the peer switches Virtual Fabric Link VFL is an aggregated group of 10G ports that connects the multi chassis peer switches As one of the basic building blocks of a MCLAG...

Page 235: ...mer investment Example of a MCLAG Group Network An important characteristic of this solution relates to the absence of a logical loop between the edge and multi chassis peer switches even though a phy...

Page 236: ...ude a set of MCLAG aggregate ports The loop detection mechanism generates multicast Loop Detect PDU at regular intervals In a MCLAG network the source MAC is reserved and the MAC is unique to each cha...

Page 237: ...ommended on page 10 15 Unsupported Topologies on page 10 15 Basic MCLAG Building Block The following diagram illustrates the basic building block that can be used to construct more flexible and comple...

Page 238: ...MCLAG at the Aggregation Layer In the topology shown below edge switches are connected through MCLAG and core switches are dual attached MCLAG at the Aggregation Layer MC LAG MC LAG MC LAG MC LAG MC L...

Page 239: ...w across the Virtual Fabric Link Still Spanning Tree is not required as there are no logical loops in this network Edge Switches Without MCLAG Unsupported Topologies In the topology shown below MCLAG...

Page 240: ...rs need to have consistent configurations for example LACP System ID in order for the edge switch to be able to negotiate the four links as part of the same aggregate Edge Switch to Multiple MCLAG Dom...

Page 241: ...7 Network Configuration Guide June 2013 page 10 17 The following topology illustrates that Switch B is required to keep separate system resources such as MAC tables ports software applications per vir...

Page 242: ...non unicast traffic switch S1 will select a different port of the aggregate MCLAG A to send the ARP request In this example assume that the request goes through one of the ports connected to M1 repre...

Page 243: ...low ARP Reply Over MCLAG The ARP reply is a unicast packet as follows Source MAC MACB Destination MAC MACA 5 Step 5 MACB Learning As the ARP reply packet traverses the system on its way back via the p...

Page 244: ...lease 7 Network Configuration Guide June 2013 A loop duplicate packet prevention mechanism is implemented so that non unicast frames received on the Virtual Fabric Link are not flooded out any local M...

Page 245: ...ecting MCLAG devices using the PVST protocol Spanning Tree can run on MCLAG chassis peers even though Spanning Tree is disabled on MC LAG ports In this case One of the MCLAG chassis peers should be th...

Page 246: ...ng so will only cause a slight increase in the amount of control traffic that is sent over the VFL on the IPC VLAN There is no benefit to enabling IPMS on an IPC VLAN Source Learning MCLAG is supporte...

Page 247: ...configuration does not match on both peers Universal Network Profiles The Universal Network Profile UNP configuration must be the same on both MCLAG peer switches Any inconsistencies in the configurat...

Page 248: ...each switch local and peer unp linkagg classification Mandatory Peer learns MAC MAC is not classified but may get assigned to a different UNP on each switch local and peer unp linkagg trust tag Manda...

Page 249: ...d The IP interfaces configured on a VIP VLAN have limited functionality Routing protocols and VRRP cannot be configured on such IP interfaces A VIP VLAN IP interface supports two types of IP address o...

Page 250: ...stency Recommendations In addition to ensuring that the MCLAG configuration is the same between peer switches configuring the same values for the following non MCLAG features is highly recommended MAC...

Page 251: ...elines to follow when configuring MCLAG on an OmniSwitch General MCLAG functionality is only active for switches on which an MCLAG chassis ID is configured The Spanning Tree protocol can run on MCLAG...

Page 252: ...main uses a unique group ID For information about configuring the chassis group ID see Configuring the Group ID on page 10 30 and Example 2 MCLAG Group ID Configuration on page 10 37 Virtual Fabric Li...

Page 253: ...address The management address is a unique IP address used by each switch within a multi chassis system to provide management services Each peer switch must have a unique management IP address The vi...

Page 254: ...group ID number for each peer switch within a group For example multi chassis chassis group 1 By default the chassis group ID is set to 0 In a network environment where more than one pair of MCLAG pee...

Page 255: ...vlan command to modify the IPC VLAN For example multi chassis ipc vlan 4093 Configuring Aggregate Identifier Ranges The aggregate identifier ranges are the valid ranges defined for standard aggregate...

Page 256: ...tual IP interface for a VIP VLAN use the ip interface command with the vip address parameter For example the following command creates a virtual IP interface for VIP VLAN 10 ip interface vip vlan 10 v...

Page 257: ...nfigured identical on both the chassis MAC Address Aging Timer MCLAG member ports port speed and duplex Static MAC Entries QoS Configuration Port Security Configuration IGMP Snooping Configuration IP...

Page 258: ...es the ability to change these parameters on a per aggregate basis As a result these parameters are always treated as per MCLAG aggregate Parameter Violation Impact Global Parameters Chassis ID must b...

Page 259: ...propriate routing protocol on VLANs 20 and 50 OS10K M2 vlan 30 OS10K M2 vlan 50 OS10K M2 ip interface vlan 30 address 30 30 30 1 24 vlan 30 OS10K M2 ip interface vlan 50 address 50 50 50 2 24 vlan 50...

Page 260: ...OS10K M2 multi chassis vf link create OS10K M2 multi chassis vf link member port 8 1 OS10K M2 multi chassis vf link member port 8 17 OS10K M2 multi chassis vip vlan 10 OS10K M2 ip interface vip vlan...

Page 261: ...ss condition within the network To ensure that a globally unique MAC address is assigned to each MCLAG virtual IP interface configure the multi chassis group ID on each switch within each MCLAG group...

Page 262: ...chassis status Displays the configured and operational parameters related to the multi chassis feature on the local chassis show multi chassis vf link Displays the configured and operational paramete...

Page 263: ...op free topology in multi ring and ladder networks that contain interconnection nodes interconnected shared links master rings and sub rings The following chapter details the different functionalities...

Page 264: ...rced Switch Manual Switch Clear for Manual Forced Switch Dual end blocking not supported ITU T Y 1731 IEEE 802 1ag ERP packet compliant with OAM PDU format for CCM Supported Platforms OmniSwitch 10K 6...

Page 265: ...status for the node erp ring rpl node Disabled The wait to restore timer value for the RPL node erp ring wait to restore 5 minutes The guard timer value for the ring node erp ring guard timer 50 centi...

Page 266: ...art of one master ring The sub rings connected to the interconnection nodes are open The sub rings cannot use shared links ERP and ERPv2 Terms Ring Protection Link RPL and RB A designated link between...

Page 267: ...er are as follows The timer is started when the RPL node receives an R APS NR message that indicates ring protection is no longer required The timer is stopped when the RPL owner receives an R APS SF...

Page 268: ...ng nodes of the failure condition At this point the ring is operating in protection mode When this mode is invoked the RPL is unblocked forming a new traffic pattern on the ring for example traffic is...

Page 269: ...wner blocks the RPL Once the WTR timer expires the RPL owner blocks the RPL and transmits an R APS NR RB message indicating that RPL is blocked RB On receiving the R APS NR RB message ring nodes flush...

Page 270: ...le ERP instances are supported per physical ring A shared link can only be part of the master ring The sub rings connected to the interconnection nodes are not closed and cannot use the shared links C...

Page 271: ...c destination mac address of 01 19 A7 00 00 00 R APS messages must be tagged in order to identify the ring ID Note The Service VLAN must be tagged no support of untagged service VLAN The sub ring and...

Page 272: ...e VLAN may carry data traffic and if enabled and configured to do so IPMS will perform regular multicast snooping on that VLAN Disabling IPMS on the ERP Service VLAN is recommended if IP multicast rou...

Page 273: ...2 tagged 2 Create ERP ring ID 1 ERP Service VLAN and MEG Level and associate two ports to the ring using the erp ring command erp ring 1 port1 1 1 port2 1 2 service vlan 1001 level 1 3 Configure the R...

Page 274: ...1001 and configure them for use with ERP using the ethernet service svlan nni command ethernet service nni port 1 1 ethernet service nni port 1 2 ethernet service svlan 1001 nni port 1 1 ethernet ser...

Page 275: ...Setting the Guard Timer on page 11 15 6 Configure the ring port to receive the loss of connectivity event for a Remote Ethernet OAM endpoint See Configuring ERP with VLAN Stacking NNIs on page 11 16 7...

Page 276: ...agg 1 port2 linkagg 2 service vlan 500 level 1 erp ring 1 enable 4 Repeat Steps 1 through 6 for each switch that participates in the ERP ring Make sure to use the same VLAN ID and MEG level for the se...

Page 277: ...estore Timer The wait to restore WTR timer determines the number of minutes the RPL owner waits before blocking the RPL port after the ERP ring has recovered from a link failure By default the WTR tim...

Page 278: ...or the service VLAN and the associated NNI ports as the ring ports For example erp ring 1 port1 1 1 port2 1 2 service vlan 1001 level 2 erp ring 1 enable Note the following when configuring an ERP rin...

Page 279: ...ce VLAN for the ring Use the show erp command to verify the configured VLAN Stacking ERP ring configuration For more information about these commands see the OmniSwitch CLI Reference Guide Clearing ER...

Page 280: ...mer values These values can be adjusted as necessary The following sub sections provide the details on prerequisites and different configurations for switches to set up an ERPv2 ring network using Alc...

Page 281: ...A sub ring on the interconnection node can be configured using the following command Switch 3 erp ring 3 sub ring port 1 3 service vlan 10 level 2 Sample Switch Configuration The following configurat...

Page 282: ...Interconnection Node of the Sub Ring When R APS virtual channel is enabled on the interconnection node of a sub ring all the R APS messages received from sub ring port are processed and flooded to maj...

Page 283: ...When the ERPv2 node is operating with ERPv1 node in the same ring it operates in different way for compatibility In this mode revertive mode is always assumed it operates in revertive mode regardless...

Page 284: ...RP ring with ERP ring ID 1 on all switches in the network 2 Define an ERP Service VLAN as VLAN 10 on all switches 3 Set the Management Entity Group MEG level to 2 for all switches 4 Switch C is the RP...

Page 285: ...1 erp ring 1 enable 3 Verify the ERP ring configuration on any switch using the following command show erp ring 1 Legend Inactive Configuration Ring Id 1 Ring Port1 2 1 Ring Port2 1 2 Ring Status enab...

Page 286: ...ology In addition a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface CLI Example ERPv2 Overview The following diagram sho...

Page 287: ...ed Step 2 Create the ERP rings 1 and 2 on Switch A Switch A erp ring 1 port1 2 1 port2 2 2 service vlan 10 level 1 Switch A erp ring 2 sub ring port 1 6 service vlan 200 level 1 Step 3 Create traffic...

Page 288: ...ing 1 port1 1 2 port2 2 1 service vlan 10 level 1 vlan 100 300 erp ring 1 enable vlan 100 300 members port 1 2 tagged vlan 100 300 members port 2 1 tagged Configuring Secondary RPL Node The following...

Page 289: ...tch CLI Reference Guide show erp Displays the ERP configuration information for all rings a specific ring or for a specific ring port show erp statistics Displays the ERP statistics for all rings a sp...

Page 290: ...Verifying the ERP Configuration Configuring ERP page 11 28 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 291: ...the other MVRP enabled switches MVRP helps to maintain VLAN configuration dynamically based on current network configurations In This Chapter This chapter describes the MVRP feature and how to config...

Page 292: ...AOS Release 7 Network Configuration Guide June 2013 MVRP Specifications IEEE Standards Supported IEEE 802 1ak 2007 Amendment 7 Multiple Registration Protocol IEEE 802 1Q 2005 Corrigendum 2008 Platfor...

Page 293: ...mvrp registration normal Applicant mode of the port mvrp applicant active Timer value for join timer mvrp timer join 600 milliseconds Timer value for leave timer mvrp timer leave 1800 milliseconds Ti...

Page 294: ...es MVRP on port 1 2 of the switch mvrp port 1 2 enable 6 Optional Restrict a port from becoming a member of the statically created VLAN by using the mvrp static vlan restrict command For example the f...

Page 295: ...f VLANs Each MVRP device that receives the declaration in the network creates or updates a dynamic VLAN registration entry in the filtering database to indicate that the VLAN is registered on the rece...

Page 296: ...member of these VLANs 4 Port 4 on Switch C receives the advertisements VLANs 10 20 and 30 are created as VLANs on Switch C and Port 4 become a member of VLANs 10 20 and 30 5 Port 5 advertises VLANs 1...

Page 297: ...ber of this VLAN 5 Port 1 on Switch A receives the advertisement creates dynamic VLAN 50 Port 1 becomes a member of VLAN 50 The resulting configuration is depicted as follows Dynamic Learning of VLAN...

Page 298: ...ures interact with MVRP Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature STP MVRP feature is supported only in STP flat mode I...

Page 299: ...wever for the port to become an active participant MVRP must be globally enabled on the switch By default MVRP is disabled on the ports To enable MVRP on a specified port use the mvrp port command For...

Page 300: ...the mvrp registration command For example to configure port 2 of slot 1 in normal mode enter the following mvrp port 1 2 registration normal To view the registration mode of the port use the show mvrp...

Page 301: ...onfigurations for all the ports including timer values registration and applicant modes enter the following show mvrp port enable Port Join Leave LeaveAll Periodic Registration Applicant Periodic Time...

Page 302: ...in MVRP Join timer The maximum time an MVRP instance waits before making declaration for VLANs Leave timer The wait time taken to remove the port from the VLAN after receiving a Leave message on that...

Page 303: ...vice By default the dynamic VLAN registrations are not restricted and the VLAN can either be created on the device or mapped to another port To restrict a VLAN from being dynamically learned on the de...

Page 304: ...nd as shown no mvrp port 1 2 static vlan restrict vlan 5 9 Restricting VLAN Advertisement VLANs learned by a switch through MVRP can either be propagated to other switches or be blocked This helps pru...

Page 305: ...gates show mvrp configuration Displays the global configuration for MVRP show mvrp linkagg Displays the MVRP configuration for a specific port or an aggregate of ports show mvrp port Displays the MVRP...

Page 306: ...Verifying the MVRP Configuration Configuring MVRP page 12 16 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 307: ...In This Chapter This chapter describes the basic components of 802 1AB and how to configure them through the Command Line Interface CLI The CLI commands are used in the configuration examples for mor...

Page 308: ...number of network policies that can be configured on the switch 32 Parameter Description Command Default Value Comments Transmit time interval for LLDPDUs lldp transmit interval 30 seconds Transmit h...

Page 309: ...LDPDUs To set the interval for a 20 second delay use the lldp transmit delay command For example lldp transmit delay 20 6 Set the LLDPDUs transmit fast start count required for LLDP Fast Restart mecha...

Page 310: ...DU the information is updated in the related MIB By exchanging information with all the neighbors each device gets to know its neighbor on each port The information contained in the LLDPDU is transmit...

Page 311: ...as an edge device for example IP phone and IP PBX among others In such a case the switch stops sending LLDPDU and starts sending MED LLDPDU on the port connected to the edge device LLDP Media Endpoint...

Page 312: ...n and Reception LLDP operates in a one way direction so that the information in the LLDPDUs flows from one device to another LLDPDUs are not exchanged as an information request by one device and a res...

Page 313: ...mand at the CLI prompt lldp 1 5 lldpdu disable Enabling and Disabling Notification The lldp notification command is used to control per port notification status about the remote device change on a spe...

Page 314: ...ansmit state To enable the 802 1 TLV LLDPDU transmission on a switch enter the lldp tlv dot1 command lldp chassis tlv dot1 port vlan enable To enable the 802 1 TLV on port 1 of slot 5 enter the follow...

Page 315: ...Disabling Application Priority TLV The lldp tlv application command is used to include the LLDP DCBx Application Priority TLV in the LLDPDUs transmitted on a specific port a slot or all ports on a swi...

Page 316: ...r the lldp transmit hold multiplier command For example to set the transmit hold multiplier value to 2 enter lldp transmit hold multiplier 2 Note The Time To Live is a multiple of the transmit interva...

Page 317: ...lays system wide statistics show lldp statistics Displays port statistics show lldp local system Displays local system information show lldp local port Displays port information show lldp local manage...

Page 318: ...Verifying 802 1AB Configuration Configuring 802 1AB page 13 12 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 319: ...s LAN environment to help reduce administrative overhead This feature is supported in both standalone or virtual chassis mode Auto discovery will not operate until after the virtual chassis setup is c...

Page 320: ...or more details about the syntax of the commands see the OmniSwitch CLI Reference Guide The following information and configuration procedures are included in this chapter Auto Fabric Specifications o...

Page 321: ...Release 7 Network Configuration Guide June 2013 page 14 3 Auto Fabric Specifications The table below lists specifications for Auto Fabric Platforms Supported OmniSwitch 10K 6900 Modes Supported Standa...

Page 322: ...ommand Default Value Comments Auto fabric administrative state auto fabric admin state enabled if no configuration file exists Auto fabric protocols state auto fabric protocols enabled Auto fabric con...

Page 323: ...d auto configuration for the default discovery window 3 After the LACP discovery window expires the switch will perform SPB auto discovery 4 After the SPB discovery the switch will perform MVRP auto d...

Page 324: ...val 1 minute Global Auto Fabric LACP Discovery Status Enabled Global Auto Fabric SPB Discovery Status Enabled Global Auto Fabric MVRP Discovery Status Enabled Auto Fabric Config Save Timer Status Disa...

Page 325: ...very it must be in it s default state If the port is in its default state the system will attempt to determine a port can be a member of an existing or new link aggregate by analyzing any received LAC...

Page 326: ...h no LACP discov ered no SPB M adjacencies formed and if MVRP is enabled no VLAN registrations Then the MVRP configuration is removed and the auto fabric discovery window is started If a LACP frame is...

Page 327: ...Multiple ports with same admin key are detected and LAG is formed and configured on both core and edge switches 4 After LACP discovery window expires SPB discovery starts SPB BVLANs and control BVLAN...

Page 328: ...rs the LACP frames since it is running auto fabric and forms LAG with ports with same admin key There could be multiple or single LAG groups based on the admin key advertised 4 After LACP discovery wi...

Page 329: ...n already formed aggregate or a new aggregate id Neighbor device is also booting up with this device Max aggregate size not exceeded If there are fewer ports than the maximum possible size of an aggre...

Page 330: ...0x8000 If there are any BVLANs manually configured that are not in the range of 4000 4015 SPB M discov ery will not run If there are any VLANs configured except BVLANs in the 4000 4015 range SPB disco...

Page 331: ...y configured There are no default MVRP VLANs MVRP does not have an auto discovery time limit Operation is continuous until the administrator makes changes Virtual Chassis and MC LAG Auto Fabric cannot...

Page 332: ...state enable auto fabric interface 1 1 admin state enable Starting the Discovery Process The discovery can be manually started To manually begin the discovery process use the auto fabric discovery st...

Page 333: ...uration file boot cfg post discovery if the write memory command is given Automatically The system will save the discovered configuration to the configuration file boot cfg at set periods automaticall...

Page 334: ...CLI show commands to display the current configuration and status of auto fabric These commands include the following For more information about the output details that result from these commands see...

Page 335: ...f Internet Protocol is supported IPv4 and IPv6 For more information about using IPv6 see Chapter 17 Configuring IPv6 In This Chapter This chapter describes IP and how to configure it through the Comma...

Page 336: ...P Information see page 15 32 Displaying User Datagram Protocol UDP Information see page 15 33 Service Assurance Agent SAA see page 15 33 Tunneling Generic Routing Encapsulation page 15 33 IP Encapsula...

Page 337: ...apsulation GRE 1702 Generic Routing Encapsulation over IPV4 Networks 2003 IP Encapsulation within IP Maximum router interfaces per system 4094 IP Maximum router interfaces per VLAN 16 Maximum HW route...

Page 338: ...ts to a different VLAN on a switch create an IP interface on each VLAN The following steps provide a quick tutorial of how to enable IP forwarding between VLANs from scratch If active VLANs have alrea...

Page 339: ...at provides reliable connection oriented full duplex data streams While the role of TCP is to add reliability to IP TCP relies upon IP to do the actual deliver ing of datagrams UDP A secondary transpo...

Page 340: ...ce with its physi cal MAC address For more information see Configuring Address Resolution Protocol ARP on page 15 12 Virtual Router Redundancy Protocol VRRP Used to back up routers For more informatio...

Page 341: ...ter interface the ports associated with that VLAN are in essence firewalled from other VLANs IP multinetting is also supported A network is said to be multinetted when multiple IP subnets are brought...

Page 342: ...sulation for the interface defaults to Ethernet II The encapsulation determines the framing type the interface uses when generating frames that are forwarded out of VLAN ports Select an encapsulation...

Page 343: ...Accounting interface ip interface Accounting address 40 0 0 1 The subnet mask for the Accounting interface was previously set to 255 255 255 0 The above example resets the mask to the default value o...

Page 344: ...otal number of IP interfaces allowed per VLAN or switch To change the address remove the interface using the no ip interface Loopback0 command and readd it with the new address Loopback0 Address Adver...

Page 345: ...1 0 24 gateway 171 11 2 1 When you create a static route the default metric value of 1 is used However you can change the priority of the route by increasing its metric value The lower the metric valu...

Page 346: ...cified IP address responds with an ARP reply packet containing its hardware address The switch receives the ARP reply packet stores the hardware address in its ARP cache for future use and begins exch...

Page 347: ...e ARP Table Permanent entries do not age out of the ARP table Use the no arp command to delete a permanent entry from the ARP table When deleting an ARP entry you only need to enter the IP address For...

Page 348: ...RP filtering is used to determine whether the switch responds to ARP requests that contain a specific IP address ARP filtering is used in conjunction with the Local Proxy ARP application however it is...

Page 349: ...l filter use the no form of the arp filter command For example no arp filter 198 0 0 0 To clear all ARP filters from the switch configuration use the clear arp filter command For example clear arp fil...

Page 350: ...172 22 2 115 Configuring the Router ID By default the router primary address of the router is used as the router ID However if a primary address has not been explicitly configured the router ID defau...

Page 351: ...eceiving network In addition a route map can also contain statements that modify route parameters before they are redistributed When a route map is created a name is given to identify the group of sta...

Page 352: ...xample ip route map ospf to bgp sequence number 10 action permit The above command creates the ospf to bgp route map assigns a sequence number of 10 to the route map and specifies a permit action To o...

Page 353: ...ap Use the no form of the ip route map command to delete an entire route map a route map sequence or a specific statement within a sequence To delete an entire route map enter no ip route map followed...

Page 354: ...Number 20 Action permit match ip4 interface to finance set metric 5 Sequence 10 and sequence 20 are both linked to route map rm_1 and are processed in ascending order according to their sequence numb...

Page 355: ...fault or denied redistribution For example ip access list ipaddr address 16 24 2 1 16 action deny redist control all subnets ipv6 access list ip6addr address 2001 1 64 action permit redist control no...

Page 356: ...ve status ip redist ospf into bgp route map ospf to bgp status enable Route Map Redistribution Example The following example configures the redistribution of OSPF routes into a BGP network using a rou...

Page 357: ...ing ICMP Ping of Death Ping packets that exceed the largest IP datagram size 65535 bytes are sent to a host and crash the system SYN Attack Floods a system with a series of TCP SYN packets resulting i...

Page 358: ...nd SNMP traps are generated The switch can be set to detect various types of port scans by monitoring for TCP or UDP packets sent to open or closed ports Monitoring is done in the following manner Pac...

Page 359: ...ackets are received along with 200 UDP open port packets This would bring the total penalty value to 4300 as shown using the following equa tion 100 previous minute value 10 TCP X 10 penalty 10 UDP X...

Page 360: ...nalty command with a penalty value For example to assign a penalty value of 10 to TCP UDP packets destined for closed ports enter the following ip dos scan close port penalty 10 To assign a penalty va...

Page 361: ...n progress when the total penalty value of the switch crosses the port scan penalty value threshold To enable SNMP trap generation enter the ip dos trap command as shown ip dos trap enable To disable...

Page 362: ...default It has no impact on ports that are opened by loading applications such as RIP and BGP In addition the ip service command allows you to designate which service to enable or disable by specifyi...

Page 363: ...Unreachable Message Usually means that a failure has occurred in the route lookup of the destination IP in the packet Host Unreachable Message Usually indicates delivery failure such as an unresolved...

Page 364: ...or distinguishing between a request or a reply and the unreachable command has options distinguishing between a network host protocol or port For example to enable an echo request message enter the fo...

Page 365: ...inimum packet gap times Use the show icmp control command to display the table ICMP Statistics Table The ICMP Statistics Table displays the ICMP statistics and errors This data can be used to monitor...

Page 366: ...packet from the local switch to a specified destination This command displays the individual hops to the destination as well as timing information When using this command enter the name of the destina...

Page 367: ...lation within IP IPIP Generic Routing Encapsulation GRE encapsulates a packet to be carried over the GRE tunnel with a GRE header The resulting packet is then encapsulated with an outer header by the...

Page 368: ...of the following are satisfied Both source and destination addresses are assigned The source address of the tunnel is one of the switch s IP interface addresses that is either a VLAN or Loopback0 int...

Page 369: ...ace command as shown ip interface gre address 24 24 24 1 mask 255 255 255 0 To configure an IPIP tunnel use the ip interface tunnel command as shown ip interface ipip tunnel source 23 23 23 1 destinat...

Page 370: ...se Displays a list of all routes static and dynamic that exist in the IP router database show ip config Displays IP configuration parameters show ip protocols Displays switch routing protocol informat...

Page 371: ...ay in another VRF Quick Steps for Configuring VRF Route Leak The following steps provide a quick tutorial on how to configure VRF Route Leak Each step describes a specific operation and provides the C...

Page 372: ...routes To export routes from the default VRF enter the ip export command at the CLI prompt as shown ip export route map R1 To export routes from a specific VRF specify the VRF globally or enter into t...

Page 373: ...hat are imported and added to the RDB from other VRFs use the ip route pref command with the import parameter For example ip route pref import 100 Leaked routes are only for forwarding If a local rout...

Page 374: ...VRF Route Leak Configuring IP page 15 40 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 375: ...ribes the Multiple VRF feature and how to configure it through the Command Line Interface CLI CLI commands are used in the configuration examples for more details about the syntax of commands see the...

Page 376: ...Switch 10K 6900 OmniSwitch License Requirements Advanced License required on OmniSwitch 6900 only Routing Protocols Supported Static IPv4 RIPv2 OSPFv2 BGP4 Maximum number of max profile VRF instances...

Page 377: ...s now the active VRF CLI context Any commands entered at this point apply to this instance unless the commands entered are not supported in multiple VRF instances 2 Create a second VRF instance IpTwo...

Page 378: ...he ip bgp neighbor ip bgp neighbor remote as and ip bgp neighbor admin state commands For example IpTwo ip bgp neighbor 102 1 1 10 IpTwo ip bgp neighbor 102 1 1 10 remote as 1000 IpTwo ip bgp neighbor...

Page 379: ...lan 100 vlan 101 vlan 102 vrf IpOne IpOne vrf IpTwo IpTwo vrf IpOne IpOne ip interface intf100 address 100 1 1 1 24 vlan 100 IpOne ip interface intf101 address 101 1 1 1 24 vlan 101 IpOne ip router ro...

Page 380: ...lementation of VRF functionality does not require a BGP MPLS configuration in the provider network Instead VRF instances can route and forward IP traffic between customer sites using point to point La...

Page 381: ...2013 page 16 7 Example Multiple VRF Configuration VRF A Customer A Site 1 PE 2 PE 1 PE 3 Service Provider VRF A VRF B VRF C IP Network VRF B Customer B Site 1 VRF C Customer C Site 1 VRF A Customer A...

Page 382: ...rivate network needs its own address space but does not need a routing protocol to share many routes may only need a default route A combination of low and max profiles is allowed on the switch Howeve...

Page 383: ...ip load rip vrf vrfOne ip rip status enable vrf vrfOne ip rip interface intf100 status enable In this example vrfOne is added to the beginning of the IP and RIP configuration command lines This indic...

Page 384: ...tion Guide June 2013 Level Description Telnet SSH SFTP SCP Radius SNMP HTTP HTTPS NTP LDAP TACACS Syslog 0 Default VRF Only Yes Yes 1 Single VRF for all services Yes Yes 2 Single VRF per service each...

Page 385: ...cross multiple VRF instances Non VRF Aware Switch applications that have no association with any VRF instance even the default instance Note that configuration of this type of application is only allo...

Page 386: ...r router ID number and primary IP address that is explicit to the associated VRF instance BGP neighbors defined for a specific VRF instance and address family IPv4 and IPv6 peer with neighbors accessi...

Page 387: ...y condition applies This parameter can also specify the default VRF and a no form of the command exists to remove a VRF condition parameter For example qos policy condition c1 vrf engr_vrf qos policy...

Page 388: ...the following command configures the forwarding of specific UDP packets to VLAN 100 within the context of the vrfTwo instance ip udp dns vlan 100 When a VRF instance is deleted all UDP DHCP Relay con...

Page 389: ...rf IpOne IpOne In this example instance IpOne is created and made the active VRF context at the same time Note that the CLI command prompt indicates the active context by displaying the name of the VR...

Page 390: ...e is created A max profile VRF supports dynamic routing protocols and other supported VRF limits To create a VRF instance with low profile capabilities use the vrf command with the profile low paramet...

Page 391: ...not display the instance name Assigning IP Interfaces to a VRF Instance When a VRF instance is created or an existing instance is selected any IP interface subsequently config ured is associated with...

Page 392: ...context then the BGP routing instance is associated with IpOne All traffic for the BGP instance is routed and forwarded on the interfaces associated with VRF IpOne For more information about the inter...

Page 393: ...e 200 1 1 1 255 255 255 0 DOWN NO vlan 200 IpOne vrf default show ip interface Total 6 interfaces Name IP Address Subnet Mask Status Forward Device EMP 192 168 10 1 255 255 255 0 DOWN NO EMP Loopback...

Page 394: ...Verifying the VRF Configuration Configuring Multiple VRF page 16 20 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 395: ...pter describes IPv6 and how to configure it through Command Line Interface CLI The CLI commands are used in the configuration examples for more details about the syntax of commands see the OmniSwitch...

Page 396: ...gram Interface API for IPv6 3587 IPv6 Global Unicast Address Format 3595 Textual Conventions for IPv6 Flow Label 3596 DNS Extensions to Support IP Version 6 4007 IPv6 Scoped Address Architecture 4022...

Page 397: ...tes OS10K OS6900 256 prefix 65 OS10K U48 C48 8K prefix 64 OS10K U32S 6K prefix 64 OS10K U32E 8K prefix 64 OS6900 8K Note Exceeding these limits or having IPv4 routes will result in some traffic being...

Page 398: ...p command Description Command Default Global status of IPv6 on the switch N A Enabled Interfaces ipv6 interface loopback 6to4 tunnels ipv6 interface tunnel_6to4 Prefixes ipv6 prefix None Hop Limit ipv...

Page 399: ...v300 interface by using the ipv6 address command For example ipv6 address 2001 db8 4100 2 64 eui 64 v6if v300 Note Optional To verify the IPv6 interface configuration enter show ipv6 interface For ex...

Page 400: ...he IPv6 header is only twice the size of the IPv4 header despite the significant increase in address size Improved support for header options Improved header option encoding allows more efficient forw...

Page 401: ...be used on multiple interfaces Unicast Standard unicast addresses similar to IPv4 Unique Local IPv6 Unicast IPv6 unicast address format that is globally unique and intended for local communications us...

Page 402: ...the double colon is only allowed once within a single address So if the address was1234 531F 0 0 BCD2 F34A 0 0 a double colon could not replace both sets of zeros For example the first two versions of...

Page 403: ...ollowing example FE80 2d0 95ff fe6b 5ccd 64 Note that when this example address was created the MAC address was modified by complementing the second bit of the leftmost byte and by inserting the hex v...

Page 404: ...ess Use the well known prefix FC00 7 to to allow for easy filtering at site boundaries Allow sites to be combined or privately interconnected without creating any address conflicts or requir ing renum...

Page 405: ...4 network or decapsulated IPv4 header stripped for transmission to an IPv6 destination An IPv6 6to4 tunnel interface is identified by its assigned address which is derived by combining a 6to4 well kno...

Page 406: ...4 IPv6 Domains In this scenario 6to4 sites have connectivity to native IPv6 domains through a relay router which is connected to both the IPv4 and IPv6 domains The 6to4 border routers are still used b...

Page 407: ...uring IPv6 Tunnel Interfaces on page 17 18 For more detailed informa tion and scenarios by using 6to4 tunnels refer to RFC 3056 Configured Tunnels A configured tunnel is where the endpoint addresses a...

Page 408: ...not active until at least one port associated with the VLAN goes active A link local address is automatically configured for an IPv6 interface except for 6to4 tunnels when the interface is configured...

Page 409: ...ipv6 address local unicast command can be used to generate a unique local address using the configured global id Modifying an IPv6 Interface The ipv6 interface command is also used to modify existing...

Page 410: ...et prefix length of 64 bits To use the MAC address of an interface or device as the interface ID specify the eui 64 option with this command For example ipv6 address 2001 db8 4100 1000 64 eui 64 v6if...

Page 411: ...otation Refer to RFC 4291 for more technical address information Removing an IPv6 Address To remove an IPv6 address from an interface use the no form of the ipv6 address command as shown no ipv6 addre...

Page 412: ...entify tunnel endpoints The router that the 6to4 tunnel interface is configured on will encapsulate IPv6 packets in IPv4 headers and send them to the IPv4 destination address where they will be proces...

Page 413: ...xample above the IPv6 interface name for the gateway was included This parameter is required only when a link local address is specified as the gateway When you create a static route the default metri...

Page 414: ...r local static OSPFv3 RIPng EBGP and IBGP highest to lowest Use the ipv6 route pref command to change the route preference value of a router For example to configure the route preference of an OSPF ro...

Page 415: ...control redistribution of routes between protocols Such criteria is defined by configuring route map statements There are three different types of statements Action An action statement configures the...

Page 416: ...s with a tag value of eight are redistrib uted into the RIP network All other routes with a different tag value are dropped Note Configuring match statements is not required However if a route map doe...

Page 417: ...ly the match tag 8 statement from route map redistipv4 sequence 10 no ip route map redistipv4 sequence number 10 match tag 8 Configuring Route Map Sequences A route map may consist of one or more sequ...

Page 418: ..._1 sequence number 10 match tag 8 ip route map rm_1 sequence number 10 match ipv6 interface to finance Configuring Access Lists An IP access list provides a convenient way to add multiple IPv4 or IPv6...

Page 419: ...the router interface are processed based on the contents of the ospf to rip route map Routes that match criteria specified in this route map are either allowed or denied redistribution into the RIPng...

Page 420: ...nce number 20 action permit ip route map ospf to rip sequence number 20 match ipv6 interface intf_ospf ip route map ospf to rip sequence number 20 set metric 255 ip route map ospf to rip sequence numb...

Page 421: ...tunnel information show ipv6 routes Displays the IPv6 Forwarding Table show ipv6 route pref Displays the configured route preference of a router show ipv6 router database Displays a list of all routes...

Page 422: ...Verifying the IPv6 Configuration Configuring IPv6 page 17 28 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 423: ...e Authentication Header AH and the Encapsulating Security Payload ESP and through the use of cryptographic key manage ment procedures and protocols Note The OmniSwitch currently supports IPsec for IPv...

Page 424: ...128 192 or 256 bits Authentication Algorithms Supported for AH HMAC SHA1 96 HMAC MD5 96 and AES XCBC MAC 96 Key lengths supported for Authentication Algorithms HMAC MD5 128 bits HMAC SHA1 160 bits AE...

Page 425: ...psec policy ALLoutMD5 rule 1 ah ipsec policy ALLinMD5 rule 1 ah 4 Enable the policies A policy cannot be enabled until the rules are defined Now that rules have been defined enable the policy using th...

Page 426: ...r keys need to be defined 1 Define the policy The commands below use similar policy information as in the previous example but the action has been changed to discard ipsec policy Discard_ALLoutMD5 sou...

Page 427: ...ntegrity Authentication Header AH to provide connectionless integrity and data origin authentication for IPv6 datagrams and to provide optional protection against replay attacks Unlike ESP AH does not...

Page 428: ...mmonly used algorithms are AES and 3DES These algorithms are used for encrypting IPv6 packets Advanced Encryption Standard Cipher Block Chaining AES CBC The AES CBC mode comprises three different key...

Page 429: ...indicates the value of the upper layer protocol being protected for example UDP or TCP in the transport mode The payload length field in the AH header indicates the length of the header The SPI in com...

Page 430: ...Therefore to cover all traffic between a source and destination two policies would need to be defined IPsec Policy Rules Rules are created and applied to policies Rules determine what type of encrypt...

Page 431: ...currently supports manually configured SAs only Discarding Traffic using IPsec In order to discard IPv6 datagrams a policy is configured in the same manner as an IPsec security policy the difference b...

Page 432: ...d Disabling a Policy on page 18 12 Configure the authentication and encryption keys required for manually configured IPsec Security associations SA This is described in Configuring IPsec SA Keys on pa...

Page 433: ...order to cover all traffic between source and destination a minimum of two policies need to be defined one policy for inbound traffic and another policy for outbound traffic To configure an IPsec poli...

Page 434: ...000 source 0 destination 0 port 23 protocol tcp in discard ipsec policy telnet_ipsec priority 200 source 3ffe 1200 32 destination 0 port 23 protocol tcp in ipsec admin state disable ipsec policy telne...

Page 435: ...source 0 destination 3ffe 200 200 4001 99 protocol udp in ipsec description IPsec on all inbound UDP admin state enable The following table lists the various protocols that can be specified refer to t...

Page 436: ...ich a rule should get applied to the payload The policy name config ured for the IPsec policy rule should be the same as the policy name configured for the IPsec security policy It s possible to first...

Page 437: ...h source 3ffe 1 1 1 1 destination 3ffe 1 1 1 99 spi 9902 authentication hmac sha1 description HMAC SHA1 on traffic from 1 to 99 The above commands configure bi directional IPsec SAs of AH type for dat...

Page 438: ...SA To display the configured IPsec SA use the show ipsec sa command For example show ipsec sa Name Type Source Destination SPI Encryption Authentication State tcp_in_ah ah 3ffe 1 1 1 99 3ffe 1 1 1 1 9...

Page 439: ...must be unique Use the no form of this command to delete the configured IPsec SA key For example no ipsec key tcp_in_ah Verifying IPsec SA Key To display the encryption key values which are configured...

Page 440: ...nitor the incoming and outgoing packets for the configured parameters by using the show ipsec ipv6 statistics command Inbound Successful 2787 Policy violation 0 No SA found 0 Unknown SPI 0 AH replay c...

Page 441: ...from 200 ipsec policy tcp_out rule 1 esp ipsec policy tcp_in rule 1 esp ipsec policy tcp_out admin state enable ipsec policy tcp_in admin state enable ipsec sa tcp_out_esp esp source 3ffe 100 destinat...

Page 442: ...cy tcp_in rule 1 esp ipsec policy tcp_out admin state enable ipsec policy tcp_in admin state enable ipsec sa tcp_out_esp esp source 3ffe 200 destination 3ffe 100 spi 1001 encryption des cbc authentica...

Page 443: ...ll RIPng packets Discarding RIPng Packets Switch A ipsec policy DISCARD_UDPout source fe80 100 destination ff02 9 protocol udp out discard ipsec policy DISCARD_UDPin source fe80 200 destination ff02 9...

Page 444: ...the resulting displays form these commands see the IPsec Commands chap ter in the OmniSwitch CLI Reference Guide Examples of the above commands and their outputs are given in the section Configuring I...

Page 445: ...g RIP send receive option and RIP interface metric It also details RIP redistribution which allows a RIP network to exchange routing information with networks running different protocols e g OSPF and...

Page 446: ...aximum Number of Peers 100 Maximum Number of Routes 10K Description Command Default RIP Status ip rip admin state disable RIP Forced Hold Down Interval ip rip force holddowntimer 0 RIP Update Interval...

Page 447: ...untagged 4 Assign an active port to VLAN 2 by using the vlan members command For example the following command assigns port 2 on slot 1 to VLAN 2 vlan 2 members port 1 2 untagged 5 Configure an IP int...

Page 448: ...routing information and listens for responses to the request If a switch configured to supply RIP hears the request it responds with a response packet based on information in its routing database The...

Page 449: ...ity to specify the network mask with each network in a packet Because RIPv1 switches ignore the network mask in RIPv2 packets their calculation of the network mask could possibly be wrong For this rea...

Page 450: ...switches Therefore workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected to VLAN 3 on Switch 2 RIP Routing Loading RIP When the switch is initially configured RIP m...

Page 451: ...15 Configuring IP for more information Enabling a RIP Interface Once you have created a RIP interface you must enable it to enable RIP routing Use the ip rip interface admin state command followed by...

Page 452: ...he Receive options are v1 Only RIPv1 packets is received by the switch v2 Only RIPv2 packets is received by the switch both Both RIPv1 and RIPv2 packets is received by the switch none Interface ignore...

Page 453: ...so expired During this time the switch accepts any advertisements for better paths that are received Note that the RIP forced hold down timer is not the same as the RIP hold down timer The forced hold...

Page 454: ...ter which an expired route is removed from the RIB Enter the command and the garbage timer value in seconds For example to set a garbage timer value of 180 seconds you would enter ip rip garbage timer...

Page 455: ...s command allows a direct connection to the host without using the RIP table If a switch is directly attached to a host on a network use the ip rip host route command to enable a default route to the...

Page 456: ...used to control redistribution of routes between protocols Such criteria is defined by configuring route map statements There are three different types of statements Action An action statement config...

Page 457: ...th a tag value of eight are redistrib uted into the RIP network All other routes with a different tag value are dropped Note Configuring match statements is not required However if a route map does no...

Page 458: ...he match tag 8 statement from route map redistipv4 sequence 10 no ip route map redistipv4 sequence number 10 match tag 8 Configuring Route Map Sequences A route map consists of one or more sequences o...

Page 459: ...umber 10 match tag 8 ip route map rm_1 sequence number 10 match ipv4 interface to finance Configuring Access Lists An IP access list provides a convenient way to add multiple IPv4 or IPv6 addresses to...

Page 460: ...Routes that match criteria specified in this route map are either allowed or denied redistribution into the RIP network The route map can also specify the modification of route information before the...

Page 461: ...umber 20 action permit ip route map ospf to rip sequence number 20 match ipv4 interface intf_ospf ip route map ospf to rip sequence number 20 set metric 255 ip route map ospf to rip sequence number 30...

Page 462: ...hentication is used md5 MD5 authentication is used For example to configure the RIP interface rip 1 for simple authentication you would enter ip rip interface rip 1 auth type simple To configure the R...

Page 463: ...esult from these commands see the OmniSwitch CLI Refer ence Guide show ip rip Displays the RIP status and general configuration parameters e g forced hold down timer show ip rip routes Displays the RI...

Page 464: ...Verifying the RIP Configuration Configuring RIP page 19 20 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 465: ...t faults in the bidirectional paths between adjacent forwarding engines including data link s and forwarding engines BFD is not intended to directly control liveliness information instead the applicat...

Page 466: ...led Global transmit time interval for BFD control packets ip bfd transmit 300 milliseconds Global receive time interval for BFD control packets ip bfd receive 300 milliseconds Global BFD detection tim...

Page 467: ...f non default BFD session parameters are required for BFD sessions that must be run separate from the IP interface ip bfd interface bfd_int_1 2 Optional Configure a global transmit time interval for a...

Page 468: ...emand mode is not supported The default operational mode is Asynchronous with the echo func tion enabled However Static Routing and VRRP protocol support BFD in the echo only operational mode 8 Option...

Page 469: ...stered STATIC ROUTING OSPF See the BFD Commands chapter in the OmniSwitch CLI Reference Guide for information about the fields in this display Quick Steps for Configuring BFD Support for Layer 3 Proto...

Page 470: ...protocol using the vrrp bfd state command For example vrrp bfd state enable 2 Enable BFD for a specific track policy using the vrrp track address bfd state command For exam ple vrrp track 2 address 1...

Page 471: ...Detecting communication failures as soon as possible is the first step in any network recovery process until a failure is detected network convergence can t begin By rapidly detecting failures BFD ena...

Page 472: ...ms sharing a BFD interface begin sending BFD control packets to each other over the bidirectional forwarding path The packets are transmitted periodically at the negotiated rate The BFD control packet...

Page 473: ...l packets are sent because Echo packets are then used to detect session liveliness In addi tion transmitting Echo packets is only allowed over a single hop transmitting BFD control packets is allowed...

Page 474: ...e system has not yet acknowledged it The session stays at Init until the local system receives a control packet with Init or Up in its state field in which case the session state moves to Up or until...

Page 475: ...and RX interval fields This means that the system with the slower rate deter mines the BFD control packet transmission speed Configuring BFD Configuring BFD for your network requires the following ap...

Page 476: ...waits between each successive transmission of control packets BFD allows you to change the default value and set the transmit time interval from the valid range To change the global transmit time inte...

Page 477: ...the echo interval to 500 milliseconds globally on all BFD sessions To change the BFD echo time interval for a particular BFD session use the ip bfd interface echo inter val command For example ip bfd...

Page 478: ...rs can be changed To disable a BFD session use the ip bfd interface status command with the disable keyword For example ip bfd interface bfd vlan 101 admin state disable To verify the BFD status and c...

Page 479: ...guring BFD Support for VRRP Tracking on page 20 19 Configuring BFD Support for Static Routes on page 20 21 Configuring BFD Support for OSPF The steps below show how to configure and verify BFD support...

Page 480: ...BFD on the interface named vlan 10 To enable BFD on all configured OSPF interfaces use the ip ospf bfd state all interfaces command For example ip ospf bfd state all interfaces enable To disable BFD f...

Page 481: ...ith them Use the show ip bfd sessions command to view BFD sessions with all BFD neighbors as shown below show ip bfd sessions Legends Neg Negotiated Discr Discriminator Intvl Interval in milliseconds...

Page 482: ...bgp Admin Status disabled Operational Status down Autonomous System Number 1 BGP Router Id 0 0 0 0 Confederation Identifier 0 IGP Synchronization Status disabled Minimum AS Origin Interval seconds 15...

Page 483: ...Discr Intvl Intvl Intvl 1 v1001 101 1 1 11 UP 1 300 300 300 2 v2000 200 1 1 1 UP 0 0 0 300 show ip bfd sessions 1 Local discriminator 1 Neighbor IP Address 100 1 1 10 Requested Session Type ASYNC Int...

Page 484: ...ol level enable BFD for a particular VRRP track policy using the vrrp track address bfd state command Ensure that the track policy is associated with at least one of the virtual routers For example vr...

Page 485: ...static routing To change the default BFD status for a particular static route and to enable BFD support use the ip static route bfd state command For example ip static route 10 1 1 1 mask 255 0 0 0 g...

Page 486: ...use b indicates BFD enabled static route r indicates recursive static route with following address in brackets Total IPRM IPv4 routes 7 Destination Gateway Interface Protocol Metric Tag Misc Info b 1...

Page 487: ...ree routers On all three routers OSPF is associated with BFD for faster failure detection of any router on the network Example OSPF Network using the BFD Protocol The following steps are used to confi...

Page 488: ...12 ip interface vlan 12 vlan 12 address 12 0 0 1 mask 255 0 0 0 vlan 12 members port 2 2 vlan 10 ip interface vlan 10 vlan 10 address 10 0 0 1 mask 255 0 0 0 vlan 10 members port 2 3 5 ip router rout...

Page 489: ...vlan 30 ip interface vlan 30 vlan 30 address 30 0 0 3 mask 255 0 0 0 vlan 30 members port 2 3 5 ip router router id 3 3 3 3 These commands created VLANs 23 31 and 30 VLAN 23 handles the backbone conne...

Page 490: ...ospf interface vlan 12 admin state enable ip ospf interface vlan 23 ip ospf interface vlan 23 area 0 0 0 0 ip ospf interface vlan 23 admin state enable ip ospf interface vlan 20 ip ospf interface vla...

Page 491: ...so applied as the default parameter values for the interface The following steps change the default global BFD parameter values for the example network the commands used are the same on each router Se...

Page 492: ...guration To display information such as the BFD status for different session parameters and Layer 3 protocols use the show commands listed in the following table For more information about the resulti...

Page 493: ...LANs that have IP routing enabled In This Chapter This chapter describes the basic components of DHCP Relay and how to configure them CLI commands are used in the configuration examples For more detai...

Page 494: ...ions and BOOTP Vendor Extensions 3046 DHCP Relay Agent Information Option 2001 DHCP Relay Implementation Global DHCP Per VLAN DHCP DHCP Relay Service BOOTP DHCP Bootstrap Protocol Dynamic Host Configu...

Page 495: ...rvice ip udp relay service BOOTP DHCP Forward delay time value for DHCP Relay ip helper forward delay 3 seconds Maximum number of hops ip helper maximum hops 4 hops Packet forwarding option ip helper...

Page 496: ...ip helper address 128 100 16 1 2 Set the forward delay timer for the DHCP relay To set the timer for a 15 second delay use the follow ing command ip helper forward delay 15 3 Set the maximum hop coun...

Page 497: ...t has not been exceeded If the forward delay time is not met or the maximum hop count is exceeded the BOOTP DHCP packet is discarded by the DHCP Relay The forwarding option allows you to specify if th...

Page 498: ...an IP address to a host for a limited period of time or until the host explicitly relinquishes the address Manual The network administrator assigns a host IP address and DHCP simply conveys the assign...

Page 499: ...g router port to the outgoing router port attached to the OmniSwitch DHCP Clients are Members of the Same VLAN The external router inserts the subnet address of the first hop segment into the DHCP req...

Page 500: ...a DHCP request frame to the DHCP server using the local broadcast address For these locally attached stations the frame is simply switched from one station to another In this case the DHCP server and...

Page 501: ...to and from the specified address If multiple DHCP servers are used one IP address must be configured for each server To delete an IP address use the no form of the ip helper address command The IP ad...

Page 502: ...the IP address to the DHCP server or to the next hop to the DHCP server The default values can be accepted for forward delay hop count and relay forwarding option Alternately the relay function can be...

Page 503: ...acket The following syntax is used to set a maximum of four hops ip helper maximum hops 4 The hops value represents the maximum number of relays The default maximum hops value is set to four This maxi...

Page 504: ...subnet mask for the IP address the mask is applied to the VLAN 1 router port address Otherwise a default mask is determined based upon the class of the IP address For example if the IP address is a C...

Page 505: ...relay service command can also be used to enable or disable relay for DHCP well known ports 67 and 68 If the BOOTP DHCP relay service is disabled the ip helper configuration is not retained and all de...

Page 506: ...y service and ip udp relay port command see the OmniSwitch CLI Reference Guide Specifying a Forwarding VLAN To specify which VLAN s UDP Port Relay forwards traffic destined for a generic UDP service p...

Page 507: ...the slot port information does not identify an actual port associated with the Circuit ID VLAN then the agent tries to deliever the packet back to the port where the device is located 5 If the slot po...

Page 508: ...ing parameters are available with this command to specify the policy action drop The DHCP Option 82 data is dropped the default keep The existing Option 82 field information in the DHCP packet is reta...

Page 509: ...how ip helper Displays the current forward delay time the maximum number of hops the forwarding option standard and each of the DHCP server IP addresses configured show ip helper statistics Displays t...

Page 510: ...Verifying the DHCP Relay Configuration Configuring DHCP Relay page 21 18 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 511: ...is no longer supported in this release In This Chapter This chapter describes VRRPv2 VRRPv3 and how to configure it through the Command Line Interface CLI CLI commands are used in the configuration e...

Page 512: ...terval on page 22 21 VRRPv3 Virtual router priority see Configuring the VRRPv3 Virtual Router Priority on page 22 21 Preempting VRRPv3 virtual routers see Setting Preemption for VRRPv3 Virtual Routers...

Page 513: ...m number of IP addresses per instance 16 Description Keyword Default Virtual router enabled or dis abled enable disable Virtual routers are disabled Priority priority 100 Preempt mode preempt no preem...

Page 514: ...lts for VRRP include Default preempt mode for all the virtual routers in the group vrrp group preempt Parameter value that is to be set and or override with the new default value in all the virtual ro...

Page 515: ...10 2 3 Note IP can be used as an optional parameter instead of Address in the above example 3 Repeat steps 1 through 2 on all of the physical switches that will participate in backing up the address...

Page 516: ...onfigured with a virtual router VRID 1 which is associated with IP address A OmniSwitch A is the master router because it contains the physical interface to which IP address A is assigned OmniSwitch B...

Page 517: ...a VLAN Each VRRP router may backup one or more virtual routers The VRRP router containing the physical interfaces to which the virtual router IP addresses are assigned is called the IP address owner...

Page 518: ...be used to modify this behavior resulting in the VRRP virtual MAC being used as the source This command has no effect on VRRP advertisements which will always be sent using the VRRP virtual MAC as the...

Page 519: ...rtual routers Configuring Collective Management Functionality This feature provides user with the flexibility to manage the virtual routers on the switch collectively and also the capability to group...

Page 520: ...or information about configuring VRRP parameters see the remaining sections of this chapter Basic Virtual Router Configuration At least two virtual routers must be configured on the LAN a master route...

Page 521: ...vrrp address command as described in the next section to specify an IP address or addresses To delete a virtual router use the no form of the vrrp command with the relevant VRID and VLAN ID For examp...

Page 522: ...before interval Configuring Virtual Router Priority VRRP functions with one master virtual router and at least one backup virtual router A priority value determines the role each router plays It also...

Page 523: ...es associated with the physical router always becomes the master router if it is available regardless of the preempt mode setting and the priority values of the backup routers In the above example th...

Page 524: ...routers remain in the initialize state They will remain in this state until the timer expires at which point they will negotiate to determine whether to become the master or a backup To set a delay t...

Page 525: ...r individually or via group This is because the configured values take priority over the default values For the modified default values to effect the virtual routers which are configured with a value...

Page 526: ...onds priority as 150 and preempting mode as no preempt These parameters can be modified at any time but will not have any effect on the virtual routers in the group until you disable then apply the gr...

Page 527: ...enables all the virtual routers in the group except the virtual routers that are disabled individually To enable all the virtual routers in the group including those which are disabled individually yo...

Page 528: ...figuration for all virtual routers or for a particular virtual router show vrrp statistics Displays statistics about VRRP packets for all virtual routers configured on the switch or for a particular v...

Page 529: ...Pv3 parameters see the remaining sections of this chapter Basic VRRPv3 Virtual Router Configuration At least two VRRPv3 virtual routers must be configured on the LAN a master router and a backup route...

Page 530: ...with a priority of 75 and no preempt VRRPv3 advertisements will be sent at intervals of 200 centiseconds vrrp3 7 2 priority 75 no preempt interval 200 Note All VRRPv3 virtual routers with the same VRI...

Page 531: ...dress and the virtual router MAC address In addition to creating duplicate IP MAC address messages both routers will begin forwarding packets sent to the virtual router MAC address This will result in...

Page 532: ...there is more than one backup router and if the backup routers have priority values that are very nearly equal the skew time may not be sufficient to overcome delays caused by network traffic loads an...

Page 533: ...again to modify the parameters For example vrrp3 7 3 admin state disable vrrp3 7 3 priority 200 vrrp3 7 3 admin state enable In this example VRRPv3 virtual router 7 on VLAN 3 is disabled The VRRPv3 vi...

Page 534: ...ion about the displays that result from these commands see the OmniSwitch CLI Refer ence Guide show vrrp3 Displays the VRRPv3 virtual router configuration for all virtual routers or for a particular v...

Page 535: ...ore a tracking policy for the virtual router can be added VRRP tracking does not override IP address ownership the IP address owner will always have prior ity to become master if it is available Assoc...

Page 536: ...st in load balancing outgoing traffic The figure below shows two virtual routers with their hosts splitting traffic between them Half of the hosts are configured with a default route to virtual router...

Page 537: ...he IP address is a virtual address the virtual router with the highest priority will become the master router In this scenario the master of VRID 1 will respond to ARP requests for IP address A using...

Page 538: ...e master for virtual router 1 has a priority of 100 and the backup for virtual router 1 has a priority of 75 The virtual router configuration for VRID 1 and 2 on VRRP router A is as follows vrrp 1 5 p...

Page 539: ...ented to 50 allowing backup router 1 to take over and provide connectivity for those workstations When port 3 1 on VRRP router A comes backup master 1 will take over again Note Preempt must be set on...

Page 540: ...1 57 The CLI commands used to configure this setup are as follows 1 First create two VRRPv3 virtual routers for VLAN 5 Note that VLAN 5 must already be created and available on the switch vrrp3 1 5 vr...

Page 541: ...uter MAC address for VRID 2 00 00 5E 00 02 02 OmniSwitch B is the master for VRID 2 since it contains the physical interface to which 213 100 1 57 is assigned If OmniSwitch B should become unavailable...

Page 542: ...dmin state enable priority 50 port 3 1 vrrp3 1 5 track association 1 If port 3 1 on VRR3 router A goes down the master for virtual router A is still functioning but worksta tion clients 1 and 2 will n...

Page 543: ...ning workload and flexibility you can tailor workload requirements individually to servers within a cluster In This Chapter This chapter describes the basic components of Server Load Balancing and how...

Page 544: ...orms Supported OmniSwitch 10K 6900 Maximum number of clusters 16 Maximum number of physical servers per cluster 16 Layer 3 classification Destination IP address QoS policy condition Layer 2 classifica...

Page 545: ...admin status Enabled Administrative status of physical servers in an SLB cluster ip slb server ip cluster Enabled Relative weight of a physical server in an SLB cluster ip slb server ip cluster 1 SLB...

Page 546: ...h the ip slb server ip cluster command For example ip slb server ip 128 241 130 127 cluster WorldWideWeb ip slb server ip 128 241 130 109 cluster WorldWideWeb weight 4 ip slb server ip 128 241 130 115...

Page 547: ...re the SLB cluster using the ip slb cluster command with the condition parameter For example ip slb cluster Intranet condition c1 3 Assign physical servers to the SLB condition cluster and specify a r...

Page 548: ...4 255 255 255 255 2500 IP Dst TCP Port 80 An example of what the configuration commands look like entered sequentially on the command line policy network group SOURCE 100 0 0 1 100 0 0 2 100 0 0 3 10...

Page 549: ...ervers with a loopback interface Condition A QoS policy condition name is assigned to the cluster virtual server Client requests that meet the criteria of the policy condition are bridged Layer 2 mode...

Page 550: ...30 204 and sends to the appropriate physical server depending on configuration and the operational states of the physical servers The switch then transmits the requested data from the physical server...

Page 551: ...nistrator a relative weight of 30 which is the largest weight in the SLB cluster called WorldWideWeb Server A handles twice as much traffic as Server C which has a weight of 15 three times the traffic...

Page 552: ...ay link and ping status of physical servers These health checks performed by the switch are used by the SLB software to determine the operational states of servers The possible operational states are...

Page 553: ...servers to a logical SLB cluster use the ip slb server ip cluster command which is described in Assigning Servers to and Removing Servers from a Cluster on page 23 14 Note Routing which is enabled by...

Page 554: ...that uses VIP classification to bridge or route client requests to the cluster servers use the ip slb cluster command with the vip parameter For example to configure an SLB cluster called Web_Server w...

Page 555: ...ould be created Note that the user configured policy condition associated with an SLB cluster is the condition used for the automatically configured SLB policy rule For example if you configured an SL...

Page 556: ...an existing logical SLB cluster with the ip slb server ip cluster command by entering ip slb server ip the IP address of the server in dotted decimal format cluster and the name of the SLB cluster For...

Page 557: ...page 23 16 Modifying the Ping Period You can modify this value with the ip slb cluster ping period command by entering ip slb cluster the name of the SLB cluster ping period and the user specified nu...

Page 558: ...121 cluster Web_Server weight 5 Server weights are relative For example if Servers A and B have respective weights of 5 and 10 within a cluster Server A would get half the traffic of server B Since we...

Page 559: ...led WorldWideWeb on line you would enter ip slb cluster WorldWideWeb admin state enable Taking an SLB Cluster Off Line You can take a Server Load Balancing SLB cluster off line with the ip slb cluster...

Page 560: ...ck the health of logical clusters and physical servers Supported features include Support for server health monitoring using Ethernet link state detection Support for server health monitoring using IP...

Page 561: ...0 255 11 127 that belongs to a cluster called WorldWideWeb enter ip slb server ip 10 255 11 127 cluster WorldWideWeb probe server_probe1 Modifying SLB Probes The following subsections describe how to...

Page 562: ...erver_probe1 http retries 10 Configuring a Probe User Name To configure a user name sent to a server as credentials for an HTTP GET operation to verify the health of the server use the ip slb probe us...

Page 563: ...onfigure an ASCII string sent to a server to invoke a response from it and to verify its health use the ip slb probe send command by entering ip slb probe followed by the user configured probe name th...

Page 564: ...show ip slb cluster command provides detailed configuration information and statistics for individual SLB clusters To use the show ip slb cluster command enter the command followed by the name of the...

Page 565: ...een similar to the following is displayed Cluster Web_Server VIP 10 123 11 14 Server 10 123 11 4 Admin weight 3 Admin status Enabled Oper status In Service Availability time 95 Ping failures 0 Last pi...

Page 566: ...on a single probe enter show ip slb probes followed by the probe name as shown in the example below show ip slb probes phttp Probe phttp Type HTTP Period seconds 60 Timeout milliseconds 3000 Retries...

Page 567: ...ng The switch then learns on which ports multicast group subscribers are attached and can intelligently deliver traffic only to the respective ports Alcatel Lucent s implementation of IGMP snooping is...

Page 568: ...RFC 2710 Multicast Listener Discovery MLD for IPv6 RFC 2933 Internet Group Management Protocol MIB RFC 3019 IP Version 6 Management Information Base for The Multicast Listener Discovery Protocol RFC 3...

Page 569: ...ement Protocol Version 3 IGMPv3 and Multicast Listener Discovery Protocol Version 2 MLDv2 for Source Specific Multicas Platforms Supported OmniSwitch 10K 6900 MLD Versions Supported MLDv1 MLDv2 MLD Qu...

Page 570: ...Query Response Interval ip multicast query response interval 100 tenths of seconds IGMP Router Timeout ip multicast router timeout 90 seconds Source Timeout ip multicast source timeout 30 seconds IGM...

Page 571: ...ing disabled MLD Version ipv6 multicast version version 1 MLD Query Interval ipv6 multicast query interval 125 seconds MLD Last Member Query Interval ipv6 multicast last member query interval 1000 mil...

Page 572: ...ternet Group Management Protocol IGMP requests are received The network interfaces verify that a multicast packet is received by the switch on the source or expected port IPMS Example The figure on th...

Page 573: ...Multicast Sparse Mode PIM SM and Dense Mode PIM DM which is described in PIM on page 24 8 Distance Vector Multicast Routing Protocol DVMRP which is described in DVMRP on page 24 8 The multicast routin...

Page 574: ...DVMRP is a distributed multicast routing protocol that dynamically generates per source delivery trees based upon routing exchanges When a multicast source begins to transmit the multicast data is flo...

Page 575: ...LI commands Enabling and Disabling IP Multicast Status IP Multicast Switching and Routing is disabled by default on a switch The following subsections describe how to enable and disable IP Multicast S...

Page 576: ...ble Disabling the IGMP Querier forwarding You can disable the IGMP querier forwarding by entering ip multicast querier forwarding followed by the disable keyword For example to disable the IGMP querie...

Page 577: ...iguring and Removing an IGMP Static Neighbor IGMP static neighbor ports receive all multicast streams on the designated VLAN and also receive IGMP reports for the VLAN The following subsections descri...

Page 578: ...space the slot number of the port a slash and the port number For example to configure port 10 in slot 4 with designated VLAN 2 as an IGMP static querier you would enter ip multicast static querier vl...

Page 579: ...group as an IPMS static group by entering ip multicast static group followed by vlan a space VLAN number which must be between 0 and 4095 a space followed by port a space and the link aggregation gro...

Page 580: ...ery interval 60 You can also modify the IGMP query interval on the specified VLAN by entering ip multicast vlan 2 query interval 60 Restoring the IGMP Query Interval To restore the IGMP query interval...

Page 581: ...member query interval To restore the IGMP last member query interval to its default value You can also restore the IGMP last member query interval on the specified VLAN by entering ip multicast vlan...

Page 582: ...ter Timeout The default IGMP router timeout i e expiry time of IP multicast routers is 90 seconds The following subsections describe how to configure a user specified router timeout value and how to r...

Page 583: ...ource timeout from 1 to 65535 seconds by entering ip multicast source timeout followed by the new value For example to set the source timeout to 360 seconds on the system if no VLAN is specified you w...

Page 584: ...p multicast querying disable Or as an alternative enter ip multicast querying To restore the IGMP querying to its default setting You can also disable the IGMP querying on the specified VLAN by enteri...

Page 585: ...cast robustness followed by the value 0 as shown below ip multicast vlan 2 robustness 0 Or as an alternative enter ip multicast vlan 2 robustness To restore the IGMP robustness to its default value En...

Page 586: ...litates IP TV applications looking for quick changes between IP multicast groups is disabled on a switch The following subsections describe how to enable and disable IGMP zapping by using the ip multi...

Page 587: ...er port Port settings override VLAN settings which override global settings If the maximum number of groups is reached an action can be configured to either drop the new member ship request or replace...

Page 588: ...MLD requests are received The network interfaces verify that a multicast packet is received by the switch on the source or expected port IPMSv6 Example The figure on the following page shows an IPMSv...

Page 589: ...resses Both MLDv1 and MLDv2 are supported Note See Configuring the MLD Version 2 on page 24 25 for information on configuring the IGMP version MLDv2 uses source filtering and reports multicast members...

Page 590: ...ubsections describe how to enable and disable IPv6 Multicast by using the ip multicast helper address command Note If IPv6 Multicast switching and routing is enabled on the system the VLAN configurati...

Page 591: ...keyword For example to disable the MLD querier forwarding on the system if no VLAN is specified you would enter ipv6 multicast querier forwarding disable Or as an alternative enter ipv6 multicast quer...

Page 592: ...e VLAN The following subsections describe how to configure and remove a static neighbor port by using the ipv6 multicast max group command Configuring an MLD Static Neighbor You can configure a port a...

Page 593: ...e the slot number of the port a slash and the port number For example to configure port 10 in slot 4 with designated VLAN 2 as an MLD static querier you would enter ipv6 multicast static querier vlan...

Page 594: ...6 multicast static group followed by vlan a space VLAN number which must be between 0 and 4095 a space followed by port a space and the link aggregation group number For example to configure link aggr...

Page 595: ...160 Restoring the MLD Query Interval To restore the MLD query interval to its default value on the system if no VLAN is specified use the ipv6 multicast query interval command by entering no ipv6 mul...

Page 596: ...rval i e the time period to reply to an MLD query message is 10000 in milliseconds The following subsections describe how to configure the MLD query response interval and restore it by using the ipv6...

Page 597: ...MLD router timeout to 360 seconds on the system if no VLAN is specified you would enter ipv6 multicast router timeout 360 You can also modify the MLD router timeout on the specified VLAN by entering i...

Page 598: ...To restore the source timeout to its default value You can also restore the source timeout on the specified VLAN by entering ipv6 multicast vlan 2 source timeout 0 Or as an alternative enter ipv6 mul...

Page 599: ...ess variable and restore it by using the ipv6 multicast robustness command Configuring the MLD Robustness Variable You can modify the MLD robustness variable from 1 to 7 on the system if no vlan is sp...

Page 600: ...an also enable MLD spoofing on the specified VLAN by entering ipv6 multicast vlan 2 spoofing enable Disabling the MLD Spoofing To disable MLD spoofing on the system if no VLAN is specified you use the...

Page 601: ...pping on the specified VLAN by entering ipv6 multicast vlan 2 zapping disable Or as an alternative enter ipv6 multicast vlan 2 zapping To restore the MLD zapping to its default setting Limiting MLD Mu...

Page 602: ...up limit for a VLAN and replace any requests above the limit use the ip multicast vlan max group command as shown below ipv6 multicast vlan 10 max group 25 action replace To set the MLD group limit fo...

Page 603: ...gure this network Note All the steps following Step 1 which must be executed first can be entered in any order 1 Enable IP Multicast Switching and Routing switch wide by entering ip multicast admin st...

Page 604: ...w ip multicast querier commands to confirm your settings as shown below show ip multicast Status Enabled Querying Disabled Proxying Disabled Spoofing Disabled Zapping Disabled Querier Forwarding Disab...

Page 605: ...s network Note All the steps following Step 1 which must be executed first can be entered in any order 1 Enable IP Multicast Switching and Routing switch wide by entering ipv6 multicast admin state en...

Page 606: ...icast querier commands to confirm your settings as shown below show ipv6 multicast Status Enabled Querying Disabled Proxying Disabled Spoofing Disabled Zapping Disabled Querier Forwarding Disabled Ver...

Page 607: ...or complete documentation on IPMS show commands show ip multicast Displays the general IP Multicast switching and routing configuration parameters on a switch show ip multicast group Displays all dete...

Page 608: ...on IPMS show commands show ipv6 multicast Displays the general IPv6 Multicast switching and routing configuration parameters on a switch show ipv6 multicast group Displays all detected multicast grou...

Page 609: ...hat is used for Layer 2 and Layer 3 4 filtering See Using Access Control Lists on page 25 63 This implementation of QoS integrates traffic management with QoS scheduling Embedded profiles apply the Qo...

Page 610: ...figuring QoS page 25 2 OmniSwitch AOS Release 7 Network Configuration Guide June 2013 Traffic Policing and Shaping on page 25 22 QoS Defaults on page 25 34 Configuring QoS on page 25 38 Policy Applica...

Page 611: ...5120 OS10K XNI U32S OS10K GNI C48E OS10K GNI U48E Maximum number of bandwidth policy rules 2560 OmniSwitch 10K 512 OmniSwitch 6900 Maximum number of validity periods 64 Maximum number of policy servic...

Page 612: ...ministrator can gain more control over networks where different types of traffic or flows are in use or where network congestion is high Preferential treatment can be given to individ ual flows as req...

Page 613: ...ority traffic See Congestion Manage ment on page 25 10 3 Congestion Avoidance Weighted Random Early Detection WRED is used for admission control and bandwidth management Packets that are not high prio...

Page 614: ...ents For more information about output queue congestion management see Congestion Management on page 25 10 How Traffic is Classified and Marked The OmniSwitch provides the following tools and techniqu...

Page 615: ...ation about filtering The Layer 3 classification of bridged traffic is no different from the classification of normal Layer 3 routed traffic Note that this implementation of QoS always performs Layer...

Page 616: ...LAG PDUs Such packets go directly to the CPU via a set of queues without traversing the switch fabric In addition packets from the CPU go directly to local ports without going through the fabric The...

Page 617: ...P 0K 50K No No ethernet 1 11 No Yes 0 0 802 1P 0K No No ethernet 1 12 No Yes 0 0 802 1P 0K No No ethernet Using Trusted Ports With Policies Whether or not the port is trusted is important if you want...

Page 618: ...ework involves the following elements QSet instance QSI A QSI is a logical entity that refers to a set of eight queues Each port in the switch is automatically associated with a QSI On the OmniSwitch...

Page 619: ...as they apply to unicast traffic is the same for both the OmniSwitch 10K and OmniSwitch 6900 See QSet Profiles on page 25 12 for more information Queue Set QSet Framework Unicast Traffic In this examp...

Page 620: ...raffic The multicast queue framework is not user configurable in that there are no user configurable profiles However the type of profile assigned to a port can determine the class of service for mult...

Page 621: ...en the port joined the LAG the port is associated with QSP 1 when it leaves the LAG The qos qsi qsp command is used to change the QSP for a specific QSet instance QSI For example qos qsi port 1 2 qsp...

Page 622: ...0 0 0 Straight SP0 with starvation Queue ID Queue Type Scheduling Weight 802 1p ToS DSCP Notes 8 EF SP 20 X 5 X 5 5 6 Protected EF 7 WFQ7 6 WFQ 20 7 6 7 6 7 x 6 x WFQ 6 WFQ5 WFQ 12 5 5 5 x WFQ 5 WFQ4...

Page 623: ...icast UC 0 7 108 Cos 7 CPU Generated Packets 127 maximum weight For example When sending two streams of 100 MC Lower Priority and 100 MC Higher Priority the distribu tion should be 10 and 50 packets w...

Page 624: ...Robin WRR Profiles Note Wn Weight of UCn Avg Wn Wm Average of Weights of UCn UCm Queues Priority Precedence UC7 7 Highest MC3 7 6 UC6 6 UC5 5 MC2 5 4 UC4 4 UC3 3 MC1 3 2 UC2 2 UC1 1 MC0 1 0 UC0 0 Lowe...

Page 625: ...ng unicast queue behavior For example DCB Profile 1 TC 0 Priority 0 3 TC 1 Priority 4 5 TC 2 Priority 6 7 TC 0 has UC0 through UC3 in Round Robin so MC0 priority 0 and 1 and MC1 priority 2 and 3 will...

Page 626: ...on the egress port speed thus providing efficient use of the fabric bandwidth The following diagram shows the components within the system that provide the QoS features and input based queuing using...

Page 627: ...because egress bandwidth capacity is checked before packets are sent across the switch adverse traffic patterns do not disrupt rate guarantees OmniSwitch 10K Queue Size The queue size is an aggregate...

Page 628: ...pplied to ingress traffic using a QoS policy rule see Configuring Tri Color Marking on page 25 24 for more information Note that all packets that are not marked with a specific color are treated as gr...

Page 629: ...hen congestion of green yellow and red traffic occurs without WRED green has the highest prece dence and red and yellow are dropped When congestion of yellow and red traffic occurs without WRED yellow...

Page 630: ...d determines the delay a packet may experience while wait ing for the queue to clear out other packets that arrived first To verify the WRED profile configuration use the show qos wrp command For exam...

Page 631: ...hat defines and applies the shaping and scheduling configuration for each VOQ in the QSet See Congestion Management on page 25 10 for more information Tri Color Marking This implementation of a Tri Co...

Page 632: ...using the following QoS policy action command parameters cir Committed Information Rate in bits per second cbs Committed Burst Size in bytes pir Peak Information Rate in bits per second pbs Peak Burs...

Page 633: ...ingle Rate TCM srTCM mode To configure the meter to operate in the Two Rate TCM trTCM mode use the pir parameter and specify a peak information rate value that is greater than the committed informatio...

Page 634: ...lly so that DEI bit marking and mapping is enabled for all ports Individual ports can be configured to override the global setting Configuring the DEI Bit Setting By default DEI bit marking egress and...

Page 635: ...idth policy Although bandwidth policies are applied to ingress ports it is possible to specify a destination port or destination port group in a bandwidth policy as well Doing so effects egress rate l...

Page 636: ...s port maxi mum egress bandwidth and qos port maximum ingress bandwidth CLI commands For more informa tion about these commands see the OmniSwitch CLI Reference Guide Note the following when configuri...

Page 637: ...ection discusses policy configuration using the CLI For information about using WebView to configure the switch see the OmniSwitch AOS Release 7 Switch Management Guide For information about configuri...

Page 638: ...ports are always untrusted by default For information about configuring ports with 802 1Q see Chapter 4 Configuring VLANs LDAP Policy Management Policies can also be configured through the PolicyView...

Page 639: ...s can be combined in Layer 2 Layer 3 and Layer 4 conditions In a given rule ToS or DSCP can be specified for a condition with priority specified for the action Individual items and their corresponding...

Page 640: ...ions Table ACL disposition accept drop deny Priority CoS 802 1p ToS DCSP Stamping and Mapping only applies to the outer 802 1p value cannot modify the inner value Maximum Bandwidth Maximum Depth Tri C...

Page 641: ...row represents a policy condition or conditions combined with the policy action or actions in the same row Mirroring Yes Yes Yes Yes Yes Yes No Yes N A Policy Condition Action Combinations Conditions...

Page 642: ...level 5 Number of lines in QoS log qos log lines 10000 Whether log messages are sent to the console qos log console no Whether log messages are avail able to OmniVista applications qos forward log no...

Page 643: ...gement Defaults The following are the default QSet and queue profile settings applied with QSP 1 on the OmniSwitch 10K The following are the default drop precedence settings applied with WRP 1 on the...

Page 644: ...le command Port QSI Default QSP 1 Admin Status Enabled WRP 1 Admin Status Disabled Statistics Admin Status Disabled Statistics Interval 10 seconds Bandwidth 100 QSP 1 Default Bandwidth 100 WRED Profil...

Page 645: ...lt network group called switch that includes all IP addresses configured for the switch itself This default network group can be used in policies See Creating Network Groups on page 25 54 for more inf...

Page 646: ...ou do not need to change the port defaults See QoS Port Defaults on page 25 34 for a list of port defaults See Classification on page 25 6 and Traffic Policing and Shaping on page 25 22 for informatio...

Page 647: ...ng the QoS Log The QoS software in the switch creates its own log for QoS specific events You can modify the number of lines in the log or change the level of detail given in the log The PolicyView ap...

Page 648: ...t reboot Log Detail Level To change the level of detail in the QoS log use the qos log level command The log level determines the amount of detail that is given in the QoS log The qos log level comman...

Page 649: ...ommand For more information about the qos apply command see Applying the Configuration on page 25 71 Use the swlog output command to configure switch logging to output logging events to the console No...

Page 650: ...e network interfaces for QoS statistics use the qos stats interval command with the desired interval time in seconds The default is 60 seconds For example qos stats interval 30 Statistics are displaye...

Page 651: ...icy rule configured through the CLI but it cannot be modified through the CLI Policies are not used to classify traffic until the qos apply command is entered See Applying the Config uration on page 2...

Page 652: ...d saved in an ASCII file typically through the snapshot command the commands included in the file include syntax indicating the origin of the command The origin specifies where the rule condition cond...

Page 653: ...up options in this command refer to groups of addresses services or ports that you config ure separately through policy group commands Rather than create a separate condition for each address service...

Page 654: ...Policy Actions This section describes how to configure policy actions in general Creating policy actions for particular types of network situations is described later in this chapter To create or modi...

Page 655: ...e ERROR a6 is being used by rule my_rule In this case the action is not deleted The action a6 must first be removed from the policy rule my_rule See Creating Policy Rules on page 25 47 for more inform...

Page 656: ...d with a rule using the policy rule command For example the following commands create a validity period named vp01 and associate it with rule r01 policy validity period vp01 hours 13 00 to 19 00 days...

Page 657: ...rule and both rules have the same precedence value the rule that was configured first in the list takes precedence Specifying Precedence for a Particular Rule To specify a precedence value for a parti...

Page 658: ...which a policy list is applied is determined by the type of list that is configured There are two types of policy lists Default This list is always available on every switch and is not configurable By...

Page 659: ...rules first before attempting to create a list The policy list rules command requires that the specified policy rules must already exist in the switch configuration See Creating Policies on page 25 4...

Page 660: ...ist at the time the rule was created The following command removes the rule from the default list policy rule r2 condition c1 action a1 no default list To add an existing rule to the default list use...

Page 661: ...uration 1 Create the group and group entries In this example a network group is created policy network group netgroup1 10 10 5 1 10 10 5 2 2 Attach the group to a policy condition For more information...

Page 662: ...ecified so the IPv4 addresses are assumed to be host addresses policy network group netgroup2 10 10 5 1 10 10 5 2 In the next example a policy network group called netgroup3 is created with two IPv4 a...

Page 663: ...ommand With this command there are two different methods for configuring a service You can specify the protocol and the IP port or you can use shortcut keywords The following table lists the keyword c...

Page 664: ...te the service group which includes the policy service s Use the policy service group command For example policy service group serv_group telnet1 ftp2 In this example a policy service group called ser...

Page 665: ...ing MAC Groups MAC groups are made up of multiple MAC addresses that you want to attach to a condition To create a MAC group use the policy mac group command For example policy mac group macgrp2 08 00...

Page 666: ...the built in groups use the show policy port group command To create a port group use the policy port group command For example policy port group techpubs 2 1 3 1 3 2 3 3 The port group can then be a...

Page 667: ...ys information about all pending and applied policy network groups or a particular network group Use the applied keyword to dis play information about applied groups only show policy service Displays...

Page 668: ...information about map groups and how to set them up see How Map Groups Work on page 25 61 and Creating Map Groups on page 25 61 policy map group tosGroup 1 2 5 4 5 5 6 7 2 Attach the map group to a po...

Page 669: ...same map group but instead specifies mapping 802 1p to ToS policy action Map2 map tos to 802 1p using Group2 In this case if ToS traffic comes into the switch and matches a policy that specifies the M...

Page 670: ...n this case remove the map group from the action then enter the no policy map group command policy action tosMap no map group no policy map group tosGroup The map group is deleted at the next qos appl...

Page 671: ...s spoofing ICMP drop rules and TCP connection rules Layer 2 ACLs Layer 2 filtering filters traffic at the MAC layer Layer 2 filtering can be done for both bridged and routed packets As MAC addresses a...

Page 672: ...icy port group VoIP 1 4 6 1 8 2 3 5 policy condition p0 destination port group VoIP policy condition p1 destination port group VoIP policy condition p2 destination port group VoIP policy condition p3...

Page 673: ...P address of 192 68 82 0 a source IP port of 23 using protocol 6 matches condi tion addr2 which is part of FilterL31 The action for the filter Block is set to deny traffic The flow is dropped on the s...

Page 674: ...IPv6 traffic as it is for IPv4 traffic IPv6 policies do not support the use of network groups service groups map groups or MAC groups IPv6 multicast policies are not supported Anti spoofing and other...

Page 675: ...le for improving network security and preventing mali cious activity on the network UserPorts A port group that identifies its members as user ports to prevent source address spoofing of IP and ARP tr...

Page 676: ...ministratively shutdown to block all traffic By default spoofed traffic is filtered on user ports To specify additional types of traffic to look for on these ports and select how the port deals with s...

Page 677: ...n is considered established The following is an example ACL policy using the established condition parameter policy condition c destination ip 192 168 10 0 mask 255 255 255 0 established policy condit...

Page 678: ...ide June 2013 Note that if a flag is specified on the command line after the any or all keyword then the match value is one If the flag only appears as part of the mask then the match value is zero Se...

Page 679: ...ommands become active immediately Other global commands must specifically be applied The commands are listed in the following table Port and Policy Commands All port parameters and policy parameters m...

Page 680: ...ample there are two new pending policies and three applied policies If you enter qos flush the configuration then looks like In this scenario you can do one of two things To write the applied policies...

Page 681: ...group Displays information about all pending and applied policy network groups or a particular network group Use the applied keyword to dis play information about applied groups only show policy servi...

Page 682: ...zation and bandwidth policing can be the most common types of QoS policies For these policies any condition can be created the policy action indicates how the traffic must be prioritized or how the ba...

Page 683: ...the traffic from Network 1 first create a condition for the traffic that you want to prioritize In this example the condition is called ip_traffic Then create an action to priori tize the traffic as...

Page 684: ...irected flow then redirected packets are the final post routing packets If a route does not exist for the redirected flow the flow is not redirected to the specified port or link aggregate ID and is b...

Page 685: ...the following regarding the use and configuration of mirroring policies Only one policy based MTP session is supported at any given time As a result all mirroring policies must specify the same desti...

Page 686: ...n 802 1p value of 5 policy condition my_condition source ip 10 10 3 0 mask 255 255 255 0 policy action my_action 802 1p 5 policy rule marking condition my_condition action my_action In the next exampl...

Page 687: ...n source or destination IP address source or destination network group source or destination TCP UDP port a service or service group IP protocol or built in source port group Traffic can be redirected...

Page 688: ...way ip 173 5 1 254 policy rule Redirect_All condition Traffic3 action Firewall Note that the functionality of the firewall is important In the example the firewall is sending the traffic to be routed...

Page 689: ...ample illustrates how ACLs can be used to select a subset of the source IP address to be matched and then routed to various gateway IP addresses using conditions actions and rules The next hop gateway...

Page 690: ...8 policy rule r8 condition c8 action a8 qos apply Note the following regarding the use and configuration of IPv4 non contiguous masks Automatic resolution via Address Resolution Protocol ARP for next...

Page 691: ...twork Configuration Guide June 2013 page 25 83 IPv6 example using an IPv6 gateway address policy condition c9 source ipv6 2000 1 mask e000 7 policy action a9 permanent gateway ipv6 2607 f0d0 2001 000a...

Page 692: ...Policy Applications Configuring QoS page 25 84 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 693: ...n the switch When policies are created on the directory server through PolicyView the PolicyView application automatically configures the switch to communicate with the server This chapter includes in...

Page 694: ...10K 6900 LDAP Policy Servers RFCs Supported RFC 2251 Lightweight Directory Access Protocol v3 RFC 3060 Policy Core Information Model Version 1 Specification Maximum number of policy servers supported...

Page 695: ...S policies stored on an LDAP server and QoS policies configured directly on the switch For more information about creating policies directly on the switch see Chapter 25 Configuring QoS Information ab...

Page 696: ...ding policies to the switch By default policy servers are enabled to download policies To disable a server use the policy server command with the admin state keyword and disable option policy server 1...

Page 697: ...reen policy server 10 10 2 3 policy server 10 10 2 3 port number 5000 show policy server Server IP Address port enabled status primary 1 10 10 2 3 389 Yes Up X 2 10 10 2 3 5000 No Down To remove an en...

Page 698: ...sable SSL use no ssl with the command policy server 10 10 2 3 no ssl SSL is disabled for the 10 10 2 3 policy server No additional policies can be saved to the directory server from the PolicyView app...

Page 699: ...applied from PolicyView or vice versa it activates all current configuration For more information about configuring policies through the CLI see Chapter 25 Configuring QoS Verifying the Policy Server...

Page 700: ...Verifying the Policy Server Configuration Managing Policy Servers page 26 8 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 701: ...iations with Shortest Path Bridging SPB services based on the VLAN ID contained in device packets Default profile classification for untagged traffic or traffic not classified through other methods Ba...

Page 702: ...10K 6900 Number of UNPs per switch 4K includes static and dynamic profiles Number of UNP users per switch 2K Authentication type MAC based authentication Profile type VLAN or Shortest Path Bridging S...

Page 703: ...tomer Domain ID assignment unp unp customer domain 0 The MAC authentication status for the UNP port unp mac authentication Disabled Alternate pass UNP for MAC authentication unp mac authentication pas...

Page 704: ...ists on page 27 7 unp name serverA qos policy list name serverA_rules Note Verify the UNP profile configuration using the show unp command For example show unp Name Vlan Policy List Name serverA 500 s...

Page 705: ...ent based on UNP authentication and classification unp port 1 10 25 enable 2 Use the unp default vlan profile command to designate an existing profile as the default UNP for the port Devices are assig...

Page 706: ...es are applied to traffic received on that port to determine the UNP VLAN assignment for the traffic The following quick steps provide a brief tutorial for configuring classification rules 1 To config...

Page 707: ...twork Profiles UNP is done to further enforce device access to network resources A policy list consists of one or more QoS policy rules the list is assigned a name which is used to associate the list...

Page 708: ...AOS Release 7 Network Configuration Guide June 2013 Verify the UNP association for the policy list using the show unp command show unp Name Vlan Policy List Name Sales 100 list1 Guest_user 1000 temp_r...

Page 709: ...e based on the Provider Backbone Bridge Network PBBN architecture This type of profile creates an associa tion between device traffic that is classified into the profile and a SPB service access point...

Page 710: ...amic profiles are saved in the switch configuration and profile attributes are configurable in the same manner as manually created profiles Service Profiles UNP service classification profiles are man...

Page 711: ...he service profile does not exist the dynamic SAP is not created UNP also provides dynamic SAP configuration for UNP access port traffic that is not classified by a UNP service profile Because there i...

Page 712: ...service Customer Domains UNP customer domains provide an additional method for segregating device traffic A domain is identi fied by a numerical ID which can be assigned to UNP ports and profile class...

Page 713: ...requires no agent or special protocol on the device the source MAC address of the device is veri fied through a remote RADIUS server Additional methods for UNP classification include the following UNP...

Page 714: ...ication and classification are disabled on a UNP port traffic received on that port is blocked unless a default UNP or trust VLAN tag is configured for that port Rule Type and Precedence When UNP port...

Page 715: ...determine the dynamic VLAN or SPB service assignment for devices connected through the UNP ports When UNP is enabled on a switch port the following device classification process is triggered when the...

Page 716: ...ication A C B D Tagged packets are blocked in tagged VLAN Untagged packets are blocked in the default VLAN RADIUS server configured Default UNP exists UNP exists Trust VLAN enabled and packet is tagge...

Page 717: ...ic VLAN In this case the remote chassis will do following If there is no profile with this advertised VLAN then the request to convert is dropped If there is a profile with this advertised VLAN but th...

Page 718: ...VLAN is dropped If there is a profile with this advertised VLAN but the VLAN doesn t exist then the VLAN is created as a UNP dynamic VLAN If there is a profile with this advertised VLAN and the VLAN t...

Page 719: ...a profile with this advertised VLAN but the VLAN doesn t exist then the VLAN is created as a UNP dynamic VLAN If there is a profile with this advertised VLAN and the VLAN type is MVRP this VLAN is con...

Page 720: ...his advertised VLAN and the VLAN type is MVRP the VLAN is converted to a UNP dynamic VLAN 3 In a MCLAG configuration after the UNP dynamic profile is created in the local chassis a request is sent to...

Page 721: ...n enabled enabled Send MAC to RADIUS server for authentication A B Tagged packets are blocked in tagged VLAN Untagged packets are blocked in the default VLAN RADIUS server configured Default UNP exist...

Page 722: ...the switch will filter the packets intended for the SAP The SAP already exists but is attached to a different I SID BLVAN Switch resources are not available or configuration limits have reached the m...

Page 723: ...ta Center Switching Guide Learned Port Security The UNP and Learned Port Security LPS features are supported on the same port with the following conditions When LPS is enabled or disabled on a UNP por...

Page 724: ...guring a MCLAG VIP interface for a dynamic UNP VLAN is not allowed For more information about UNP interaction with MCLAG see Chapter 10 Configuring Multi chassis Link Aggregation Multiple VLAN Registr...

Page 725: ...nly the policy rules in the list are applied to traffic from devices to which the profile was applied Any default list policy rules are not applied in this case If a QoS policy list is not specified f...

Page 726: ...s sent to OmniVista and OmniVista will make the necessary notifications and network modifications Shortest Path Bridging The OmniSwitch supports both a VLAN and service domain for traffic classificati...

Page 727: ...ling Dynamic VLAN Configuration on page 27 38 Enable or disable dynamic configuration of VLAN classification profiles A dynamic profile is created only when specific traffic conditions occur on UNP br...

Page 728: ...ticating non supplicants on UNP ports The servers specified with this command must already be configured through the aaa radius server command The following example command specifies authentication se...

Page 729: ...on the UNP port The configuration of UNP port parameters described in this section is only allowed on UNP enabled switch ports Make sure UNP is enabled first before attempting to configure any UNP por...

Page 730: ...more information about configuring VLAN and service profiles see Configuring Profiles on page 27 33 Enabling Classification By default when UNP is enabled on the port classification is disabled This m...

Page 731: ...Device traffic received on the port does not match any UNP classification rules On bridge ports only The UNP VLAN obtained from the matching classification rule does not exist in the switch configura...

Page 732: ...device traffic is blocked on that port Assigning a Customer Domain ID This implementation of UNP supports assigning UNP ports to a customer domain A customer domain is identified by a numerical ID val...

Page 733: ...ive or does not already exist in the switch configuration is allowed However the list will remain inactive for the UNP until the list is enabled or configured using the QoS policy list commands see Co...

Page 734: ...port If so a SAP is assigned using the VLAN tag values of the traffic If not the traffic is learned as filtering on the port Two other configurable service profile attributes include specifying the mu...

Page 735: ...namic profile configuration enable Use the disable option with the dynamic profile configuration command to disable this functionality For example unp dynamic profile configuration disable Dynamic pro...

Page 736: ...hes more than one rule MAC address VLAN tag MAC address MAC address range VLAN tag MAC address range IP address VLAN tag IP address VLAN tag When a classification rule is removed or modified all MAC a...

Page 737: ...vice is assigned to the profile To create a UNP policy list use the policy list command to specify a list name and then use the policy list rules command to specify the names of one or more existing Q...

Page 738: ...for the switch To enable this functionality use the unp dynamic vlan configuration command unp dynamic vlan configuration enable Use the disable option with the dynamic vlan configuration command to...

Page 739: ...enable vlan 451 admin state enable vlan 777 admin state enable vlan 887 888 admin state enable DA UNP unp dynamic vlan configuration enable unp name temp1 vlan 450 unp name unpTemp vlan 10 unp name u...

Page 740: ...To create this type of UNP use the unp auth server down unp command unp auth server down unp down_unp After a device is classified into the VLAN for this UNP an attempt to re authenticate the device...

Page 741: ...lied Universal Network Profile Application Example As soon as the network devices connected to the UNP ports start sending traffic the switch applies the UNP port and profile configuration to determin...

Page 742: ...ith VLAN 10 and a MAC classification rule using the unp vlan profile and unp classification mac address commands unp name unp1 vlan 10 unp classification mac address 11 11 11 11 11 11 3 Configure UNP2...

Page 743: ...ofile rules to classify traffic unp port 1 1 10 classification enable 5 Configure a default UNP if necessary using the unp default vlan profile command This UNP is applied when all other options fail...

Page 744: ...fig uration status for the UNP component by displaying Sync Out of Sync or Local show unp global configuration Dynamic Vlan Configuration Enabled MC Conf Status Sync Dynamic Profile Configuration Enab...

Page 745: ...h multi chassis peer switch the device MAC address was learned show unp user Total users 3 User Learning Port Username Mac address IP Vlan UNP Status Source 1 1 00 00 00 00 00 01 00 00 00 00 00 01 10...

Page 746: ...Verifying the UNP Configuration Configuring Universal Network Profiles page 27 46 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 747: ...ministrator can obtain more detailed information about protocols running on a specific device or make sure that certain QoS actions are automatically applied wherever an application might be running I...

Page 748: ...ise stated in the following specifications table or specifically noted within any other section of this chapter Note that any rate limit specifications provided in this table are subject to available...

Page 749: ...application signature app fingerprint trap Disabled Application REGEX Signatures App Name bgp Description Border Gateway Protocol xff xff xff xff xff xff xff xff xff xff xff xff xff xff xff xff x01 x...

Page 750: ...ransfer Protocol 220 x09 x0d e smtp simple mail App Name ssh Description Secure Shell ssh 12 0 9 App Name vnc Description Virtual Network Computing rfb 00 1 9 00 0 9 x0a Application Groups App Group c...

Page 751: ...n Fingerprint ing Modes on page 28 7 for more information 3 Optional By default the app regex txt file located in the flash app signature directory on the switch contains the REGEX signatures to which...

Page 752: ...egate triggers the sampling of IP packets on that port or aggregate The sampled IP packets are compared against REGEX application signatures stored in the default app regex txt file located in the fla...

Page 753: ...the Monitoring Mode When a port is configured to operate in AFP monitoring mode the name of an application group of signa tures is specified This triggers the switch to sample ingress IP packets on t...

Page 754: ...th the UNP policy condition c1 appfp group p2p policy action a1 disposition drop policy rule r1 condition c1 action a1 no default list policy list list1 type unp policy list list1 rules r1 qos apply u...

Page 755: ...AC VLAN Dest IP Src IP Dest Port Src Port Each database entry is subject to a 15 minute aging period If the database fills up older entries are aged out before the 15 minute limit fast aging However f...

Page 756: ...sources especially when the QoS and or UNP modes are running on AFP ports A QoS policy list is used by the AFP QoS and UNP modes to specify the name of an application group of signatures to apply to A...

Page 757: ...different application groups for each mode to avoid conflicts or inconsistencies in how traffic is processed For example if monitoring mode is set to use application group named appgroup1 then config...

Page 758: ...gs or the REGEX signature text file from the switch To enable AFP functionality use the app fingerprint admin state command with the enable option For example app fingerprint admin state enable When g...

Page 759: ...ingerprint signature file net regex txt Verifying the REGEX Signature Filename The show app fingerprint configuration command displays the name of the REGEX signature filename that AFP is using for pa...

Page 760: ...packet not from the beginning of the packet payload The or any combination of the three characters may not work properly on hex value data in the packet payload for example the may not work properly...

Page 761: ...col REGEX signature TRTPHOTL x01 x02 App Name jabber Description open instant messenger protocol REGEX signature stream stream x09 x0d x09 x0d xmlns jabber App Name sip Description Session Initiation...

Page 762: ...ack xc0 xa8 x05 xca x01 x00 example x04fake App name Apache mod_cache DoS Description Apache Headers mod_cache DoS Cache x2dControl max x2dage x3d s x2dmaxage x3d max x2dstale x3d max x2dage x3d min x...

Page 763: ...nitor app group my p2p app fingerprint linkagg 10 monitor app group my p2p In this example ports 2 1 through 2 5 and aggregate 10 are configured as AFP ports that will pattern match and monitor ingres...

Page 764: ...st name with the AFP port but the UNP mode uses a policy list assigned to a UNP associated with traffic received on the AFP port The monitoring mode does just that monitors application group traffic b...

Page 765: ...neration and the name of the REGEX signature file currently in use show app fingerprint port Displays the AFP port configuration for the switch including the opera tional mode and application group ap...

Page 766: ...Verifying the AFP Configuration Configuring Application Fingerprinting page 28 20 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 767: ...must be configured on the servers but it primarily addresses configuring the switch through the Command Line Interface CLI to communicate with the servers to retrieve authentication information about...

Page 768: ...789 Connectionless Lightweight X 5000 Directory Access Protocol RFC 2247 Using Domains in LDAP X 500 Distinguished Names RFC 2251 Lightweight Directory Access Protocol v3 RFC 2252 Lightweight Director...

Page 769: ...ion Servers Defaults for the aaa ldap server command are as follows Description Keyword Default Number of retries on the server before the switch tries a backup server retransmit 3 Timeout for server...

Page 770: ...ration by entering the show aaa server command For example show aaa server Server name rad1 Server type RADIUS IP Address 1 10 10 2 1 IP Address 2 10 10 3 5 Retry number 3 Timeout in sec 2 Authenticat...

Page 771: ...he same type configured through the aaa radius server aaa tacacs server and aaa ldap server commands respectively In addition each authentication method Authenticated Switch Access Authenticated VLANs...

Page 772: ...is then used for user authentica tion and the RADIUS server is used for user authorization The switch polls the server for login information and checks the switch for privi lege information LDAP or T...

Page 773: ...llowing tables list RADIUS server attributes 1 39 and 60 63 their descriptions and whether the Alcatel Lucent RADIUS client in the switch supports them Attribute 26 is for vendor specific informa tion...

Page 774: ...Not supported These attributes are used for dial up sessions not applicable to the RADIUS client in the switch 24 State Sent in challenge response packets 25 Class Used to pass information from the s...

Page 775: ...users on VLAN 23 can use Ethernet II or SNAP encapsulation Authenticated users on VLAN 24 can use IPX with Ethernet II Num RADIUS VSA Type Description 1 Alcatel Lucent Auth Group integer The authentic...

Page 776: ...Type Four values must be included in the dictionary file 1 acct start 2 acct stop 6 failure and 7 acct on Start and stop correspond to login logout The accounting on message is sent when the RADIUS c...

Page 777: ...nter the server name and the desired parameter to be modified aaa radius server rad1 key mozart If you are modifying the server and have just entered the aaa radius server command to create or modify...

Page 778: ...uring authentication if a user is not found on the primary TACACS server the authentication fails The client does not try to authenticate with the other servers in a multiple server configuration If t...

Page 779: ...s otna Note that the shared secret must be configured exactly the same as on the server aaa tacacs server tac1 host 10 10 5 2 10 10 5 5 key otna To modify a TACACS server enter the server name and the...

Page 780: ...n Server 1 Install the directory server software on the server 2 Copy the relevant schema LDIF files from the Alcatel Lucent software CD to the configuration direc tory on the server Each server type...

Page 781: ...ons to send various media file types such as JPEG graphics through electronic mail An LDIF file entry used to define an organizational unit would look like this dn distinguished name objectClass top o...

Page 782: ...often a number of attributes that are defined by values Object classes define all required and optional attributes a set of object classes is referred to as a schema As a minimum every entry must incl...

Page 783: ...scope The filters are used to test the existence of object class attributes and enable LDAP to emulate a read of entry listings during the searches All search preferences are implemented by means of a...

Page 784: ...f any web browser just as HTTP or FTP URLs are entered When LDAP searches are initiated LDAP checks the validity of the LDAP URLs parsing the various components contained within the URLs to process th...

Page 785: ...irectory servers refer to the vendor specific instructions base_dn DN of directory entry where search is initiated attributes Attributes to be returned for entry search results All attributes are retu...

Page 786: ...ons must be configured before the aaa ldap server command is configured Vendor Specific Attributes for LDAP Servers The following are Vendor Specific Attributes VSAs for Authenticated Switch Access an...

Page 787: ...hentication keys The alp2key application is supplied in two versions one for Unix Solaris 2 5 1 or higher and one for Windows NT 4 0 and higher To configure the bop shakey or bop md5key attributes on...

Page 788: ...e directory servers for billing purposes The following sections describe accounting server attributes AccountStartTime User account start times are tracked in the AccountStartTime attribute of the dir...

Page 789: ...e client entered to log in variable length digits Fields For Layer 2 Authentication Only Number of bytes received on the port during the client session from log in to log out variable length digits Nu...

Page 790: ...LDAP server Dynamic entries are stored in the LDAP enabled directory server database from the time the user successfully logs in until the user logs out The entries are removed when the user logs out...

Page 791: ...he server Note The server must be configured with the appropriate schema before the aaa ldap server command is configured The keywords for the aaa ldap server command are listed here Field Possible Va...

Page 792: ...thentication Server A Secure Socket Layer SSL can be set up on the server for additional security When SSL is enabled the server identity is authenticated The authentication requires a certificate fro...

Page 793: ...name no aaa ldap server topanga5 The topanga5 server is removed from the configuration Verifying the Authentication Server Configuration To display information about authentication servers use the fol...

Page 794: ...Verifying the Authentication Server Configuration Managing Authentication Servers page 29 28 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 795: ...Network ports of a unidirectional port mapping session can be shared with other unidirectional sessions but cannot be shared with any sessions configured in the bidirectional mode Network ports of dif...

Page 796: ...ork port 1 3 2 Enable the port mapping session with the port mapping command For example port mapping 8 enable Note You can verify the configuration of the port mapping session by entering show port m...

Page 797: ...mapping session 3 with network ports of link aggregation group 7 to 9 enter port mapping 3 network port linkagg 7 port mapping 3 network port linkagg 8 port mapping 3 network port linkagg 9 You can s...

Page 798: ...the user ports of a port mapping session from all the switch ports To disable this flooding and to receive traffic from only the network ports enter port mapping 5 unknown unicast flooding disable Co...

Page 799: ...rt mapping sessions In the network diagram the Switch A is configured as follows Port mapping session 1 is created with user ports 2 1 2 2 and network ports 1 1 1 2 and is configured in the unidirecti...

Page 800: ...port mapping 1 unidirectional 2 Create two port mapping sessions on Switch A using the following commands port mapping 1 user port 2 1 2 network port 1 1 2 port mapping 2 user port 3 1 3 network port...

Page 801: ...e methods for handling unauthorized traffic administratively disable the LPS port stop all traffic on the port port remains up or only block traffic that violates LPS criteria In This Chapter This cha...

Page 802: ...r LPS port 1000 Maximum number of filtered MAC addresses allowed per LPS port 100 Maximum number of configurable MAC address ranges per LPS port 1 Parameter Description Command Default LPS status for...

Page 803: ...umber of learned MAC addresses allowed on the same ports to 25 using the following command port security port 1 6 8 maximum 25 3 Configure the amount of time in which source learning is allowed on all...

Page 804: ...e 7 Network Configuration Guide June 2013 To verify the new source learning time limit value use the show port security learning window command For example show port security learning window Learning...

Page 805: ...traffic is received all traffic is stopped LPS functionality is supported on the following port types Fixed 802 1Q tagged Universal Network Profile UNP The following port types are not supported Link...

Page 806: ...Filtered MAC addresses that are dynamically learned as filtered address up to the maxi mum number of filtered addresses allowed on the LPS port How LPS Authorizes Source MAC Addresses When a packet is...

Page 807: ...o change LPS admin disable No change No change Flushed Flushed Enable after disable No change No change Flushed Flushed LPS admin locked No change No change No change No change Enable after locked No...

Page 808: ...arning Window on page 31 12 for more information Use the LPS port security convert to static command to manually convert all dynamic addresses on a specific port to static MAC addresses Note Staticall...

Page 809: ...d on the same port UNP first authenticates and classifies any MAC addresses received then LPS rules are applied If a MAC address violates any of the LPS rules for the port the address may get filtered...

Page 810: ...addresses allowed on an LPS port This procedure is described in Configuring an Authorized MAC Address Range on page 31 15 Specifying whether or not an LPS port shuts down all traffic or only restricts...

Page 811: ...port security 5 21 24 admin state disable To disable all the LPS ports on a chassis use the port security chassis admin state command as shown port security chassis admin state disable When LPS is dis...

Page 812: ...if the number of bridged addresses learned does not exceed the maximum allowed However after the window has closed the switch will continue to learn dynamic filtered MAC addresses until the maximum nu...

Page 813: ...Cs to static MACs is disabled To enable this option for the learning window use the following command port security learning window 30 convert to static enable The following command disables this opti...

Page 814: ...idged MAC addresses the port must learn before a trap is sent Once this value is reached a trap is sent for every MAC learned thereafter By default when one bridged MAC addresses is learned on an LPS...

Page 815: ...y port 4 1 mac range low 00 20 da 00 00 10 high 00 20 da 00 00 50 The following command examples configure a MAC address range for a range of ports port security port 4 1 5 mac range low 00 20 da 00 0...

Page 816: ...nd selects the shutdown mode for port 1 on slot 4 port security port 4 1 violation shutdown To configure the security violation mode for multiple LPS ports specify a range of ports or multiple slots F...

Page 817: ...e commands see the OmniSwitch CLI Refer ence Guide An example of the output for the show port security show port security learning window and show violation commands is also given in Sample Learned Po...

Page 818: ...Displaying Learned Port Security Information Configuring Learned Port Security page 31 18 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 819: ...ring Station NMS if those limits are violated In This Chapter This chapter describes port mirroring port monitoring remote monitoring RMON probes sFlow and switch health features and explains how to c...

Page 820: ...a see Displaying Port Monitoring Status and Data on page 32 28 Configuring a sFlow Session see Configuring a sFlow Session on page 32 30 Configuring a Fixed Primary Address see Configuring a Fixed Pri...

Page 821: ...Gbps 10 Gigabit Ethernet 10 Gbps 40 Gigabit Ethernet 40 Gbps Mirroring Sessions Supported OmniSwitch 10K 2 OS10 XNI U32 supports 1 session OmniSwitch 6900 2 Combined Mirroring Monitoring Ses sions per...

Page 822: ...0 unblocked vlan 7 Note Optional To verify the port mirroring configuration enter show port mirroring status followed by the port mirroring session ID number The display is similar to the one shown be...

Page 823: ...bit Ethernet 40 Gbps Monitoring Sessions Supported OmniSwitch 10K 1 OmniSwitch 6900 1 Combined Mirroring Monitoring Ses sions per Chassis OmniSwitch 10K 3 OmniSwitch 6900 2 File Type Supported ENC fil...

Page 824: ...of the port to be monitored and enable For example port monitoring 6 source 2 3 enable 3 Optional Configure optional parameters For example to create a file called monitor1 for port monitoring session...

Page 825: ...ource and destination VLANs source and destination priorities source and destination IP addressessource and destination ports tcp flags and tos Polling In octets Out octets Number of Rx Unicast packet...

Page 826: ...ch Problems page 32 8 OmniSwitch AOS Release 7 Network Configuration Guide June 2013 Sample Header Size sflow sampler 128 Bytes Poller Interval Value sflow poller 5 seconds Parameter Description CLI C...

Page 827: ...Name Golden Address IP_V4 198 206 181 3 UDP Port 6343 Timeout 65535 Packet Size 1400 DatagramVer 5 For more information about this command see sFlow on page 32 29 or the sFlow Commands chapter in the...

Page 828: ...ommand by entering sflow poller followed by the instance ID port list receiver and the interval For example sflow poller 1 2 6 10 receiver 1 interval 30 Note Optional To verify the sFlow poller config...

Page 829: ...group Alarms group Events group RMON Functionality Not Supported RMON 10 group RMON2 Host group HostTopN group Matrix group Filter group Packet Capture group An external RMON probe that includes RMON...

Page 830: ...stats The display is similar to the one shown below Entry Slot Port Flavor Status Duration System Resources 1011 1 11 Ethernet Active 11930 27 05 272 bytes 3 To view statistics for a particular RMON...

Page 831: ...erage utilization level during last hour Maximum utilization level during last hour Resource Utilization Raw Sample Values Saved for previous 60 seconds Resource Utilization Current Sample Values Stor...

Page 832: ...hreshold 80 Sampling Interval Secs 10 2 Enter the appropriate command to change the required health threshold or health sampling interval parameter settings or reset all health statistics for the swit...

Page 833: ...are and is supported for Ethernet ports In addition the switch supports N to 1 port mirroring where up to 128 source ports can be mirrored to a single destination port Refer to the Port Mirroring Spec...

Page 834: ...Ports If mirroring is enabled on multiple ports and the same traffic is passing through these ports then only one copy of each packet is sent to the mirroring destination When the packet is mirrored f...

Page 835: ...port These frames from the mirroring port are marked as if they are received on the mirrored port before being sent over the switch backplane to an NMS station Therefore management frames destined fo...

Page 836: ...ee must be disabled for the Remote Port Mirroring VLAN on all switches There must not be any physical loop present in the Remote Port Mirroring VLAN Remote port mirroring RPMIR MTP port can have tagge...

Page 837: ...ession enter the port mirroring source destination command and include the port mirroring session ID number the source and destination slot ports and the remote port mirroring VLAN ID as shown in the...

Page 838: ...tes Enabling or Disabling Mirroring Status Mirroring Status is the parameter using which you can enable or disable a mirroring session i e turn port mirroring on or off There are two ways to do this C...

Page 839: ...The mirroring direction is unidirectional and inward bound port mirroring 6 source 2 3 destination 6 4 inport In this example the command specifies port mirroring session 6 with the mirrored active p...

Page 840: ...ring status command To display all port mirroring sessions enter show port mirroring status 6 Session Mirror Mirror Unblocked Config Oper Destination Direction Vlan Status Status 1 2 1 NONE Enable On...

Page 841: ...rt mirroring 8 destination 1 2 rpmir vlan 1000 Configuring Intermediate Switch Follow the steps given below to configure all the Intermediate Switches vlan 1000 spantree vlan 1000 admin state disable...

Page 842: ...packets to and from a specific Ethernet port Port monitoring has the following features Software commands to enable and display captured port data Captures data in Network General file format A file...

Page 843: ...erwards See the sections below for more information on using these keywords Enabling a Port Monitoring Session To disable a port monitoring session use the port monitoring source command by entering p...

Page 844: ...directory when you configure and enable a port monitoring session This file can be FTPed for later analysis To configure a user specified file use the port monitoring source CLI command by entering po...

Page 845: ...he port to be monitored a slash the port number of the port file the name of the file and overwrite on For example to configure port monitoring session 6 on port 2 3 with a data file called user_port...

Page 846: ...00 00 20 DA 8F 92 C6 BPDU 00 26 42 42 03 00 00 00 00 00 00 20 DA C7 2D D6 08 00 20 95 F3 89 UDP 08 00 45 00 00 6B FE 4A 40 00 00 20 DA A3 89 F6 08 00 20 95 F3 89 UDP 08 00 45 00 00 6B CF 89 40 00 00...

Page 847: ...agent running on the switch router combines interface counters and traffic flow packet samples preferably on all the interfaces into sFlow datagrams that are sent across the network to an sFlow collec...

Page 848: ...parameters can be entered after the IP address For example to configure sFlow receiver session 6 on switch 10 255 11 28 and to specify the packet size and timeout value enter sflow receiver 6 name sf...

Page 849: ...to generate the IP packtes and sent the sFlow data grams out into the network sFlow agent requires an IP address configured to it The agents IP address can be configured using the sflow agent command...

Page 850: ...2 1 2048 128 1 2 3 1 2048 128 1 2 4 1 2048 128 1 2 5 1 2048 128 Note For more information about the displays that result from these commands see the OmniSwitch CLI Reference Guide Displaying a sFlow...

Page 851: ...ide Deleting a sFlow Session To delete a sFlow receiver session use the release form at the end of the sflow agent command by enter ing sflow receiver followed by the receiver index and release For ex...

Page 852: ...MON probe frames and Management frames to and from the mirroring and mirrored ports Frames received from an RMON probe attached to the mirroring port can be seen as being received by the mirrored port...

Page 853: ...cs group includes port utilization and error statistics measured by the RMON probe for each monitored Ethernet interface on the switch Examples of these statistics include CRC Cyclic Redundancy Check...

Page 854: ...le The following command enables RMON Alarm probe number 11235 rmon probes alarm 11235 enable To enable or disable an entire group of RMON probes of a particular flavor type such as Ethernet Statistic...

Page 855: ...he statistics probes enter show rmon probes stats A display showing all current statistics RMON probes must appear as shown in the following example Entry Slot Port Flavor Status Duration System Resou...

Page 856: ...the following sections Sample Display for Ethernet Statistics Probe The display shown here identifies RMON Probe 4005 s Owner description and interface location OmniSwitch Auto Probe on slot 4 port 5...

Page 857: ...tion and interface location Analyzer t 128 251 18 166 on slot 1 port 35 as well as the Alarm Rising Threshold of the probe and Alarm Falling Threshold maximum allowable values beyond which an alarm is...

Page 858: ...linked to ether StatsCollisions 2008 Rising trap Rising Event an Alarm condition detected by the RMON probe in which a trap was generated based on a Rising Threshold Alarm with an elapsed time of 39...

Page 859: ...ealth Monitoring provides the following data to the NMS Switch level Input Output Memory and CPU Utilization Levels Module level and Port level Input Output Utilization Levels For each monitored resou...

Page 860: ...lth threshold Configures threshold limits for input traffic RX output input traffic TX RX memory usage CPU usage and chassis temperature See page 32 43 for more information show health configuration D...

Page 861: ...Switch CLI Reference Guide Note When you specify a new value for a threshold limit the value is automatically applied across all levels of the switch switch module and port You cannot select differing...

Page 862: ...idual thresholds for input traffic RX output input traffic TX RX memory usage and CPU usage To view all health thresholds enter the following command show health configuration Rx Threshold 80 TxRx Thr...

Page 863: ...r example to specify a sampling interval value of 6 seconds enter the following command health interval 6 Valid values for the seconds parameter include 1 2 3 4 5 6 10 12 15 20 or 30 Note If the sampl...

Page 864: ...Resources field displays the device resources that are being measured for example Receive displays statistics for traffic received by the switch Transmit Receive displays statistics for traffic transm...

Page 865: ...e 80 01 01 01 01 In the screen sample shown above the port 04 03 Resources field displays the port resources that are being measured for example Receive displays statistics for traffic received by the...

Page 866: ...Monitoring Switch Health Diagnosing Switch Problems page 32 48 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 867: ...basis CVLAN inner tag 802 1p bit mapping to SVLAN outer tag 802 1p bit CVLAN inner tag DSCP mapping to SVLAN outer tag 802 1p bit Profiles for saving and applying traffic engineering parameter values...

Page 868: ...if profiles assigns priority or bandwidth Maximum number of SAP profile VLAN transla tion or double tagging rules 8K 4K on OS10K XNI U32 module Maximum number of customer VLANs CVLANs associated with...

Page 869: ...page 33 3 Treatment of customer protocol control frames ingressing on a VLAN Stacking user port ethernet service uni profile Processed Frames 802 3ad UDLD OAM LACP Marker Tunneled Frames STP MVRP Disc...

Page 870: ...ort is switched to other network ports It is also possible for the same switch to function as a both a PE Bridge and a Transit Bridge Tunnel SVLAN A tunnel also referred to as an SVLAN is a logical en...

Page 871: ...S Release 7 Network Configuration Guide June 2013 page 33 5 VLAN Stacking Elements Provider LAN Customer A Customer A Site 2 Site 2 Customer B Site 1 Site 1 Provider Edge 2 Provider Edge 1 Provider Ed...

Page 872: ...o customer packets an 802 1Q tag that contains the tunnel ID associated to that customer s provider bridge port and or VLANs The encapsulated traffic is then transmitted through the Ethernet metro are...

Page 873: ...c Service Access Point SAP A SAP is associated with a VLAN Stacking service name and a SAP profile The SAP binds UNI ports and customer traffic received on those ports to the service The profile speci...

Page 874: ...ts are trusted and use 802 1p classification If there is a conflict between VLAN Stacking Service attributes and the QoS configuration the VLAN Stacking attributes are given precedence over QoS polici...

Page 875: ...s a VLAN Stacking User Network Interface UNI port and associate the port with SAP ID 10 using the ethernet service sap uni command ethernet service sap 10 uni port 1 49 6 Associate traffic from custom...

Page 876: ...tagged 40 sap profile sap video2 Service Name CustomerABC SVLAN 255 NNI s 1 22 SAP Id 10 UNIs 2 10 2 11 CVLAN s 500 600 sap profile default sap profile show ethernet service service name CustomerABC S...

Page 877: ...ports One or more UNI ports are associated with a SAP to identify to the service which ports will receive customer traffic that the service will process for tunneling through the provider network When...

Page 878: ...switch configuration use the no form of the ethernet service svlan command For example to delete SVLAN 300 enter no ethernet service svlan 300 Commands Used for ethernet service svlan Creating SVLANs...

Page 879: ...amed Video Service and asso ciates the service with SVLAN 300 ethernet service service name Video Service svlan 300 The SVLAN ID specified with this command must already exist in the switch configurat...

Page 880: ...nni port 2 1 When a port is converted to a NNI port the default VLAN for the port is changed to a VLAN that is reserved for the VLAN Stacking application At this point the port is no longer configurab...

Page 881: ...h a SVLAN The ethernet service svlan nni command is used to associate the NNI with an SVLAN For example the following command associates NNI 2 1 with SVLAN 300 ethernet service svlan 300 nni port 2 1...

Page 882: ...rovider network edge the type of customer traffic to service parameters to apply to the traffic and the service that will process the traffic for tunneling through the provider network Consider the fo...

Page 883: ...t UNI profile is assigned to the port at the time the port is configured This profile defines how control frames received on the UNI ports are processed While Spanning Tree frames are automati cally t...

Page 884: ...er the following when configuring the type of customer traffic to tunnel If no customer traffic is associated with a VLAN Stacking SAP then the SAP does not process any traffic for the service Only on...

Page 885: ...r priority settings Use the bandwidth not assigned and priority not assigned parameters to prevent the profile from triggering QoS allocation of switch resources When a profile is created using these...

Page 886: ...g UNI port profile The UNI profile determines how control frames ingressing on UNI ports are processed For example the following command creates a UNI profile to specify that VLAN Stacking should disc...

Page 887: ...ne 2013 page 33 21 To change the profile associated with the UNI port back to the default profile specify default uni profile for the profile name For example ethernet service uni port 1 1 uni profile...

Page 888: ...all CVLANs into SVLAN 100 and Customer B traffic CVLAN 10 only into SVLAN 200 In addition the CVLAN 10 inner tag priority bit value is mapped to the SVLAN out tag priority value The customer traffic...

Page 889: ...ing the ethernet service svlan nni command Associate each port with both SVLAN 100 and SVLAN 200 ethernet service svlan 100 nni port 3 1 ethernet service svlan 200 nni port 3 1 4 Configure a VLAN Stac...

Page 890: ...figuration using the show ethernet service command show ethernet service Service Name CustomerA SVLAN 100 NNI s 3 1 SAP Id 20 UNIs 1 1 CVLAN s all sap profile default sap profile Service Name Customer...

Page 891: ...ice sap 20 uni 1 1 ethernet service sap 20 cvlan all ethernet service svlan 200 ethernet service service name CustomerB svlan 200 ethernet service svlan 200 nni port 3 1 ethernet service sap 30 servic...

Page 892: ...t for the show ethernet service command is also given in Quick Steps for Configuring VLAN Stacking on page 33 9 show ethernet service vlan Displays the SVLAN configuration for the switch show ethernet...

Page 893: ...rmation can be helpful in resolving configuration or authentication issues as well as general switch errors This chapter describes the switch logging feature how to configure it and display switch log...

Page 894: ...e IP Address Application ID Levels Supported IDLE 255 DIAG 0 IPC DIAG 1 QDRIVER 2 QDISPATCHER 3 IPC LINK 4 NI SUPERVISION 5 INTERFACE 6 802 1Q 7 VLAN 8 GM 9 BRIDGE 10 STP 11 LINKAGG 12 QOS 13 RSVP 14...

Page 895: ...ues Global Switch Logging Defaults Parameter Description CLI Command Default Value Comments Enabling Disabling switch logging swlog Enabled Switch logging severity level swlog appid Default severity l...

Page 896: ...pid bridge level warning Here the application ID specifies bridging and the severity is set to the warning level 3 Specify the output device to which the switch logging information must be sent swlog...

Page 897: ...rol back to the calling application You can specify the path to where the log file is printed in the flash file system of the switch You can also send the log file to other output devices such as the...

Page 898: ...y The swlog appid command is used to assign the severity levels to the applications The syntax for the swlog appid command requires that you identify a switch application and assign it a severity leve...

Page 899: ...ING MODULE 24 APPID_L3HRE SLB 25 APPID_SLB EIPC 26 APPID_EIPC CHASSIS 64 APPID_CHASSISUPER PORT MGR 65 APPID_PORT_MANAGER CONFIG 66 APPID_CONFIGMANAGER CLI 67 APPID_CLI SNMP 68 APPID_SNMP_AGENT WEB 69...

Page 900: ...erity level or 5 to the system application ID number 75 by using the severity level and application names swlog appid system level warning The following command makes the same assignment by using the...

Page 901: ...tput to the console enter the following command swlog output console To disable the switch logging output to the console enter the following command no swlog output console No confirmation message app...

Page 902: ...tput To disable all configured output IP addresses from receiving switch logging output enter the following command no swlog output socket No confirmation message appears on the screen To disable a sp...

Page 903: ...ory available in flash For example to set the switch logging file to 500000 bytes enter swlog output flash file size 500000 Clearing the Switch Logging Files You can clear the data stored in the switc...

Page 904: ...or all the switch logging information to scroll to the console screen show log swlog Displaying file contents for swlog2 log FILEID fileName swlog2 log endPtr 32 configSize 64000 currentSize 64000 mod...

Page 905: ...etection resiliency and monitoring capability for end to end service guarantee in an Ethernet network In This Chapter This chapter describes the Ethernet OAM feature how to configure it and display Et...

Page 906: ...on Command Default Value Comments MHF value assigned to a MD ethoam domain mhf none ID permission value for MD entry ethoam domain id permission none MHF value assigned to a MA ethoam association mhf...

Page 907: ...is sold to a customer and is designated by a VLAN tag on the User to Network Interface UNI Elements of Service OAM Maintenance End Points MEPs and Maintenance Intermediate Points MIPs MEPs initiate O...

Page 908: ...en 0 and 7 to help identify and differentiate the MD within the domain hierarchy For example different organizations such as operators levels 0 1 2 service providers levels 3 4 and customers levels 5...

Page 909: ...MEPs It detects only loss of connectivity and remote MAC defect MIP CCM Database Support Per section 19 4 of the IEEE 802 1ag 5 2 draft standard an MHF may optionally maintain a MIP CCM database as it...

Page 910: ...ame Timestamp indicating when the DMM frame was received Timestamp indicating the time at which the receiving MEP transmitted the DMR frame back to the sending MEP When a MEP receives a DMR frame the...

Page 911: ...mniSwitch 802 1ag and Y 1731 CFM with the following minor configuration requirements The OmniSwitch MD format must be configured as none ITU T Y 1731 uses the icc based format for a MEG so the OmniSwi...

Page 912: ...stratively enable the Ethernet OAM Maintenance End Point using the ethoam endpoint admin state command For example ethoam endpoint 100 domain esd alcatel lucent com association alcatel sales admin sta...

Page 913: ...his is also the phase where Maintenance Intermediate Points MIP and Maintenance End Points MEP are identified and set up Any port on a switch is referred to as a Maintenance Point MP An MP can be eith...

Page 914: ...el lucent com Note that with this implementation of Ethernet OAM it is only possible to delete an MA when there is no Maintenance End Point MEP or Maintenance Intermediate Point MIP associated with th...

Page 915: ...nd interface status TLVs The use of Virtual MEP allows to create a MEP on a virtual port thus saving the use of physical port To configure a virtual MEP use the ethoam endpoint command For example to...

Page 916: ...ages LTMs and detecting Linktrace replies LTR use the ethoam linktrace command For example ethoam linktrace 10 aa ac 12 12 ad end point 4 domain esd alcatel lucent com association alcatel_sales flag f...

Page 917: ...TH DM The ethoam two way delay command is used to configure a two way ETH DM to monitor roundtrip performance between two MEPs For example the following command is used to initiate the transmission of...

Page 918: ...configuration Displays all the default MD information for all the VLANs or a specific VLAN show ethoam default domain configuration Displays the values of scalar Default MD objects show ethoam vlan D...

Page 919: ...onitoring to generate traffic in a continuous reliable and predictable manner thus enabling the measurement of network performance and health In This Chapter This chapter describes the various types o...

Page 920: ...owever when an agent is configured the following default parameter values are applied unless otherwise specified IEEE Standards Supported N A Platforms Supported OmniSwitch 10K 6900 Parameter Descript...

Page 921: ...ping destination ip 123 22 45 66 source ip 123 35 42 125 type of service 5 inter pkt delay 1500 num pkts 8 payload size 1000 3 Configure SAA saa2 for MAC ping using the saa type mac ping command For...

Page 922: ...nfig urable SAA XML parameters Configuring Service Assurance Agent This section describes how to use OmniSwitch Command Line Interface CLI commands to configure Service Assurance Agent SAA on a switch...

Page 923: ...AC Address Ping SAA L2 SAAs enhance the service level monitoring by enabling performance measurement against any L2 address within the provider network To configure SAA for MAC use the saa type mac pi...

Page 924: ...ype of SAA is configured the SAA start and stop parameters are defined using the saa start and saa stop commands For example saa saa1 start saa saa1 stop Both commands provide the ability to define a...

Page 925: ...from SPB use the saa spb flush command For example saa spb flush Note that the saa spb flush command does not change any of the SPB SAA session parameter values Use the show saa spb command to displa...

Page 926: ...rtt min 3766 min avg 10141 avg max 32919 max rtt jitter min 271 min avg 9540 avg max 26537 max jitter index saaId saaId id 13 name saa2 index id 1 lastRunTime 987731883 lastRunTime reason Iteration s...

Page 927: ...ation about SAA on the switch use the show commands listed below show saa Displays generic configuration parameters for all the configured SAAs show saa type config Displays configured SAAs for the gi...

Page 928: ...Verifying the SAA Configuration Configuring Service Assurance Agent page 36 10 OmniSwitch AOS Release 7 Network Configuration Guide June 2013...

Page 929: ...system Licensee agrees not to assign sublicense transfer pledge lease rent or share their rights under this License Agreement Licensee may retain the program media for backup purposes with retention o...

Page 930: ...E EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO LICENSEE THIS WARRANTY GIVES THE LICENSEE SPECIFIC LEGAL RIGHTS LICENSEE MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM STATE TO...

Page 931: ...the event of any breach hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or subsequent actions in the event of future breaches 13 Notes to United States Gov...

Page 932: ...Notices applicable to any software distributed alone or in connection with the product to which this document pertains are contained in files within the software itself located at flash foss Also if...

Page 933: ...37 24 39 IPv6 17 5 Layer 3 ACLs 25 65 policies 25 74 policy map groups 25 60 Port Mapping 30 2 30 6 port mirroring 32 4 port monitoring 32 6 32 9 QoS 25 43 25 74 RIP 19 3 RMON 32 12 Server Load Balanc...

Page 934: ...6 4 11 3 Spanning Tree Port 6 4 static link aggregation 7 2 switch health 32 14 switch logging 34 3 UDLD 2 2 VLANs 4 2 VRRP 22 3 Denial of Service see DoS DHCP 21 6 DHCP Relay 21 1 21 10 application...

Page 935: ...ports 5 7 deleting high availability VLANs 5 7 displaying 5 16 specifications 5 2 traffic flow 5 5 Hot Standby Routing Protocol see HSRP HSRP not compatible with VRRP 22 3 I ICMP 15 29 control 15 31 Q...

Page 936: ...ip slb probe expect command 23 21 ip slb probe password command 23 20 ip slb probe period command 23 19 ip slb probe port command 23 20 ip slb probe retries command 23 20 ip slb probe send command 23...

Page 937: ...static link aggregation 7 1 lldp lldpdu command 13 3 lldp notification command 13 3 lldp tlv dot1 command 13 8 lldp tlv dot3 command 13 8 lldp tlv management command 13 3 lldp tlv med command 13 9 lo...

Page 938: ...ring status 32 20 N to 1 port mirroring 32 19 specifications 32 3 unblocking ports 32 20 port mirroring command 32 21 port mirroring session creating 32 19 deleting 32 22 enabling disabling 32 21 port...

Page 939: ...ications 19 2 unloading 19 6 update interval 19 9 verification 19 19 verify information about 19 19 RIP interface creating 19 7 deleting 19 7 enabling 19 7 metric 19 8 password 19 18 receive option 19...

Page 940: ...nd 32 22 show port monitoring file command 32 28 show port security command 31 3 show port security shutdown command 31 4 show qos log command 25 41 show rmon events command 32 37 show rmon probes com...

Page 941: ...MAC addresses 3 3 static route IP 15 11 17 19 metric 15 11 17 19 subnet mask 15 11 subnet mask 15 11 switch health application examples 32 14 defaults 32 14 monitoring 32 41 specifications 32 13 switc...

Page 942: ...description 4 6 high availability VLANs 5 1 IP multinetting 15 7 IP router ports 15 8 MAC address aging time 3 7 operational status 4 5 port assignment 4 7 Spanning Tree status 4 9 VLAN ID 4 4 VRRP 2...

Reviews:

No comments