QTech QSW-2800 series Configuration Manual Download Page 319

Page: 319 / 415

+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1

305

Chapter 40 Operational Configuration of AM

Function

40.1 Introduction to AM Function

AM (Access Management) means that when a switch receives an IP or ARP message, it will

compare the information extracted from the message (such as source IP address or source

MAC-IP address) with the configured hardware address pool. If there is an entry in the address

pool matching the information (source IP address or source MAC-IP address), the message

will be forwarded, otherwise, dumped. The reason why source-IP-based AM should be

supplemented by source-MAC-IP-based AM is that IP address of a host might change. Only

with a bound IP, can users change the IP of the host into forwarding IP, and hence enable the

messages from the host to be forwarded by the switch. Given the fact that MAC-IP can be

exclusively bound with a host, it is necessary to make MAC-IP bound with a host for the

purpose of preventing users from maliciously modifying host IP to forward the messages from

their hosts via the switch.

With the interface-bound attribute of AM, network mangers can bind the IP (MAC-IP) address

of a legal user to a specified interface. After that, only the messages sending by users with

specified IP (MAC-IP) addresses can be forwarded via the interface, and thus strengthen the

monitoring of the network security.

40.2 AM Function Configuration

Task List

1. Enable AM function

2. Enable AM function on an interface

3. Configure the forwarding IP

4. Configure the forwarding MAC-IP

5. Delete all of the configured IP or MAC-IP or both

6. Display relative configuration information of AM

1. Enable AM function

Command

Explanation

Global Mode

am enable

Globally enable or disable AM function.

Summary of Contents for QSW-2800 series

Page 1: ...IC SWITCH CONFIGURATION 2 15 2 1 BASIC CONFIGURATION 2 15 2 2 TELNET MANAGEMENT 2 16 2 2 1 Telnet 2 16 2 2 2 SSH 2 18 2 3 CONFIGURE SWITCH IP ADDRESSES 2 19 2 3 1 Switch IP Addresses Configuration Tas...

Page 2: ...EXAMPLES 5 50 CHAPTER 6 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION6 51 6 1 INTRODUCTION TO PORT LOOPBACK DETECTION FUNCTION 6 51 6 2 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION TASK LIST 6 52...

Page 3: ...EXAMPLE 11 81 11 4 EFM OAM TROUBLESHOOTING 11 81 CHAPTER 12 PORT SECURITY 12 83 12 1 INTRODUCTION TO PORT SECURITY 12 83 12 2 PORT SECURITY CONFIGURATION TASK LIST 12 83 12 3 EXAMPLE OF PORT SECURITY...

Page 4: ...to Selective QinQ 16 113 16 3 2 Selective QinQ Configuration 16 113 16 3 3 Typical Applications of Selective QinQ 16 114 16 3 4 Selective QinQ Troubleshooting 16 116 16 4 VLAN TRANSLATION CONFIGURATI...

Page 5: ...TION 17 135 17 6 1 Introduction to MAC Notification 17 135 17 6 2 MAC Notification Configuration 17 135 17 6 3 MAC Notification Example 17 137 17 6 4 MAC Notification Troubleshooting 17 137 CHAPTER 18...

Page 6: ...22 169 22 1 1 Introduction to Layer 3 Management Interface 22 169 22 1 2 Layer 3 Interface Configuration Task List 22 169 22 2 IP CONFIGURATION 22 170 22 2 1 Introduction to IPv4 IPv6 22 170 22 2 2 I...

Page 7: ...RVER CONFIGURATION 27 190 27 3 DHCP RELAY CONFIGURATION 27 192 27 4 DHCP CONFIGURATION EXAMPLES 27 194 27 5 DHCP TROUBLESHOOTING 27 197 CHAPTER 28 DHCPV6 CONFIGURATION 28 199 28 1 INTRODUCTION TO DHCP...

Page 8: ...DHCP SNOOPING 32 227 32 2 DHCP SNOOPING CONFIGURATION TASK SEQUENCE 32 228 32 3 DHCP SNOOPING TYPICAL APPLICATION 32 232 32 4 DHCP SNOOPING TROUBLESHOOTING HELP 32 233 32 4 1 Monitor and Debug Informa...

Page 9: ...D Snooping Troubleshooting 35 257 CHAPTER 36 MULTICAST VLAN 36 258 36 1 INTRODUCTIONS TO MULTICAST VLAN 36 258 36 2 MULTICAST VLAN CONFIGURATION TASK LIST 36 258 36 3 MULTICAST VLAN EXAMPLES 36 259 CH...

Page 10: ...BLESHOOTING HELP 39 303 CHAPTER 40 OPERATIONAL CONFIGURATION OF AM FUNCTION 40 305 40 1 INTRODUCTION TO AM FUNCTION 40 305 40 2 AM FUNCTION CONFIGURATION TASK LIST 40 305 40 3 AM FUNCTION EXAMPLE 40 3...

Page 11: ...T 44 322 44 3 SSL TYPICAL EXAMPLE 44 323 44 4 SSL TROUBLESHOOTING 44 324 CHAPTER 45 IPV6 SECURITY RA CONFIGURATION 45 325 45 1 INTRODUCTION TO IPV6 SECURITY RA 45 325 45 2 IPV6 SECURITY RA CONFIGURATI...

Page 12: ...CHAPTER 50 SAVI CONFIGURATION 50 349 50 1 INTRODUCTION TO SAVI 50 349 50 2 SAVI CONFIGURATION 50 349 50 3 SAVI TYPICAL APPLICATION 50 353 50 4 SAVI TROUBLESHOOTING 50 354 CHAPTER 51 MRPP CONFIGURATION...

Page 13: ...55 4 SFLOW TROUBLESHOOTING 55 381 CHAPTER 56 SNTP CONFIGURATION 56 382 56 1 INTRODUCTION TO SNTP 56 382 56 2 TYPICAL EXAMPLES OF SNTP CONFIGURATION 56 383 CHAPTER 57 NTP FUNCTION CONFIGURATION 57 384...

Page 14: ...TO RELOAD SWITCH AFTER SPECIFID TIME 60 398 60 2 RELOAD SWITCH AFTER SPECIFID TIME TASK LIST 60 398 CHAPTER 61 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU 61 399 61 1 INTRODUCTION TO...

Page 15: ...IP address to the switch via the Console interface to be able to access the switch through Telnet The procedures for managing the switch via Console interface are listed below Step 1 setting up the en...

Page 16: ...l Programs Accessories Communication HyperTerminal 2 Type a name for opening HyperTerminal such as Switch Opening HyperTerminal 3 In the Connecting using drop list select the RS 232 serial port used b...

Page 17: ...that is the CLI configuration mode for Switch Testing RAM 0x077C0000 RAM OK Loading MiniBootROM Attaching to file system Loading nos img done Booting Starting at 0x10000 Attaching to file system Perfo...

Page 18: ...with Telnet the following conditions should be met Switch has an IPv4 IPv6 address configured The host IP address Telnet client and the switch s VLAN interface IPv4 IPv6 address is in the same network...

Page 19: ...vlan 1 Switch Config if Vlan1 ip address 10 1 128 251 255 255 255 0 Switch Config if Vlan1 no shutdown To enable the Telnet Server function users should type the CLI command telnet server enable in th...

Page 20: ...he commands used in the Telnet CLI interface after login is the same as that in the Console interface Telnet Configuration Interface 1 1 2 2 Management via HTTP To manage the switch via HTTP the follo...

Page 21: ...Firefox browser with 1 5 or later version For example if the IPv6 address of the switch is 3ffe 506 1 2 3 Input the IPv6 address of the switch is http 3ffe 506 1 2 3 and the address should draw togeth...

Page 22: ...to find it and implement read write operation on it Details about how to manage switches via SNMP network management software will not be covered in this manual please refer to Snmp network managemen...

Page 23: ...queries 1 2 1 2 Admin Mode To Admin Mode sees the following In user entry system if as Admin user it is defaulted to Admin Mode Admin Mode prompt Switch can be entered under the User Mode by running...

Page 24: ...odes Interface Type Entry Operates Exit VLAN Interface Type interface vlan Vlan id command under Global Mode Configure switch IPs etc Use the exit command to return to Global Mode Ethernet Port Type i...

Page 25: ...al Mode Configure parameters for Extended IP ACL Mode Use the exit command to return to Global Mode 1 2 2 Configuration Syntax Switch provides various configuration commands Although all the commands...

Page 26: ...y entered commands you can use the Down key to return to the next command Left The cursor moves one character to the left You can use the Left and Right key to modify an entered command Right The curs...

Page 27: ...mation error Output error message Explanation Unrecognized command or illegal parameter The entered command does not exist or there is error in parameter scope type or format Ambiguous command At leas...

Page 28: ...7 3311 www qtech ru 18 1 14 command error if only show r is entered as Shell is unable to tell whether it is show run or show running config Therefore Shell will only recognize the command if sh ru is...

Page 29: ...xit Exit current mode and enter previous mode such as using this command in global mode to go back to admin mode and back to normal user mode from admin mode show privilege Show privilege of the curre...

Page 30: ...ion As a Telnet server switch allows up to 5 telnet client TCP connections And as Telnet client using telnet command under Admin Mode allows the user to login to the other remote hosts Switch can only...

Page 31: ...web login Configure authentication method list with telnet authentication enable method1 method2 no authentication enable Configure the enable authentication method list authorization line console vty...

Page 32: ...ssh server enable no ssh server enable Enable SSH function on the switch the no command disables SSH function username username privilege privilege password 0 7 password no username username Configure...

Page 33: ...Switch IP Addresses All Ethernet ports of switch are default to Data Link layer ports and perform layer 2 forwarding VLAN interface represent a Layer 3 interface function which can be assigned an IP...

Page 34: ...ddress ipv6 address prefix length Configure IPv6 address including aggregation global unicast address local site address and local link address The no command deletes IPv6 address 3 BOOTP configuratio...

Page 35: ...e on the SNMP network management Agent is the server software runs on the devices which need to be managed NMS manages all the managed objects through Agents The switch supports Agent function The com...

Page 36: ...ains an OID Object Identifier and a brief description about the node OID is a set of integers divided by periods It identifies the node and can be used to locate the node in a MID tree structure shown...

Page 37: ...1 2 3 and 9 Statistics Maintain basic usage and error statistics for each subnet monitored by the Agent History Record periodical statistic samples available from Statistics Alarm Allow management co...

Page 38: ...of SNMP management station Command Explanation Global Mode snmp server securityip ipv4 address ipv6 address no snmp server securityip ipv4 address ipv6 address Configure IPv4 IPv6 security address wh...

Page 39: ...onfigure view Command Explanation Global Mode snmp server view view string oid string include exclude no snmp server view view string oid string Configure view on the switch This command is used for S...

Page 40: ...below Switch config snmp server enable Switch config snmp server community rw private Switch config snmp server community ro public Switch config snmp server securityip 1 1 1 5 The NMS can use private...

Page 41: ...tring to access the switch with read write permission or use public as the community string to access the switch with read only permission Scenario 6 NMS will receive Trap messages from the switch Not...

Page 42: ...Shell 2 5 1 Switch System Files The system files includes system image file and boot file The updating of the switch is to update the two files by overwrite the old files with the new ones The system...

Page 43: ...mode run setconfig to set the IP address and mask of the switch under BootROM mode server IP address and mask and select TFTP or FTP upgrade Suppose the switch address is 192 168 1 2 and PC address i...

Page 44: ...e nos img exists overwrite Y N N y Writing nos img Write nos img OK Boot Step 6 The following update file boot rom the basic environment is the same as Step 4 Boot load boot rom Loading Loading file o...

Page 45: ...es not provide file access authorization and uses simple authentication mechanism transfers username and password in plain text for authentication When using FTP to transfer files two connections need...

Page 46: ...iguration sequence storage FLASH Flash memory used to save system file and configuration file System file including system image file and boot file System image file refers to the compressed file for...

Page 47: ...e 2 5 3 2 FTP TFTP Configuration The configurations of switch as FTP and TFTP clients are almost the same so the configuration procedures for FTP and TFTP are described together in this manual 2 5 3 2...

Page 48: ...rname and password this no command will delete the username and password 3 Modify FTP server connection idle time Command Explanation Global Mode ftp server timeout seconds Set connection idle time 3...

Page 49: ...er to the switch FTP Configuration Computer side configuration Start the FTP server software on the computer and set the username Switch and the password superuser Place the 12_30_nos img file to the...

Page 50: ...Vlan1 no shut Switch Config if Vlan1 exit Switch config ftp server enable Switch config username Admin password 0 superuser Computer side configuration Login to the switch with any FTP client software...

Page 51: ...erver v2 5 build 6 for WinSock ready 331 User name okay need password 230 User logged in proceed 200 PORT Command successful 150 Opening ASCII mode data connection for bin ls recv total 480 nos img no...

Page 52: ...the switch is upgrading system file or system start up file through FTP the switch must not be restarted until close ftp client or 226 Transfer complete is displayed indicating upgrade is successful...

Page 53: ...ait recv 1526037 write ok transfer complete close tftp client If the switch is upgrading system file or system start up file through TFTP the switch must not be restarted until close tftp client is di...

Page 54: ...dynamically add the candidate switches to the cluster which is already established Accordingly they can configure and manage the member switches through the commander switch When the member switches a...

Page 55: ...ages of the cluster Set the max number of lost keep alive messages that can be tolerated in the cluster Remote cluster network management Remote configuration management Remotely upgrade member switch...

Page 56: ...in the cluster Admin mode clear cluster nodes nodes sn candidate sn list mac address mac addr Clear nodes in the list of candidate switches maintained by the switch Command Explanation Global Mode clu...

Page 57: ...xplanation Global Mode ip http server Enable http function in commander switch and member switch Notice must insure the http function be enabled in member switch when commander switch visiting member...

Page 58: ...he command switch is correctly configured and the auto adding function cluster auto add is enabled If the ports connected the command switch and member switch belongs to the cluster vlan After cluster...

Page 59: ...5 the command would look like interface ethernet 1 2 5 Port speed duplex mode and traffic control can be configured under Ethernet Port Mode causing the performance of the corresponding network ports...

Page 60: ...phy integrated force1g half force1g full nonegotiate master slave force10g full no speed duplex Sets port speed and duplex mode of 100 1000Base TX or 100Base FX ports The no format of this command re...

Page 61: ...this port and configure the recovery time the default is 300s The no command will disable the rate violation function of a port Global Mode port rate statistics interval interval value Configure the...

Page 62: ...net1 8 1 9 Switch2 config monitor session 1 destination interface ethernet 1 10 Switch3 Switch3 config interface ethernet 1 12 Switch3 Config If Ethernet1 12 speed duplex force100 full Switch3 Config...

Page 63: ...solation groups can a switch have 5 2 Task Sequence of Port Isolation 1 Create an isolate port group 2 Add Ethernet ports into the group 3 Display the configuration of port isolation 1 Create an isola...

Page 64: ...gure above with e1 1 e1 10 and e1 15 all belonging to VLAN 100 The requirement is that after port isolation is enabled on switch S1 e1 1 and e1 10 on switch S1 can not communicate with each other whil...

Page 65: ...source MAC is already learnt by the layer 2 device only with a different source port the original source port will be modified to the new one which means to correspond the original MAC address with th...

Page 66: ...erval of loopback detection 2 Enable the function of port loopback detection lCommand Explanation Port Mode loopback detection specified vlan vlan list no loopback detection specified vlan vlan list E...

Page 67: ...l mode automatic recovery enabled or not or recovery time 6 3 Port Loopback Detection Function Example Typical example of port loopback detection As shown in the above configuration the switch will de...

Page 68: ...be globally enabled And the corresponding relation between the spanning tree instance and the VLAN should be configured Switch config spanning tree Switch config spanning tree mst configuration Switch...

Page 69: ...the physical layer communication problems between the devices can not be found As shown in Graph the problem in fiber connection can not be found through mechanisms in physical layer like automatic ne...

Page 70: ...s notification messages and adjust the local TTL time to live according to that interval Besides ULDP provides the reset mechanism when the port is disabled by ULDP it can check again through reset me...

Page 71: ...port 5 Configure the method to shut down unidirectional link Command Explanation Global configuration mode uldp manual shutdown no uldp manual shutdown Configure the method to shut down unidirectiona...

Page 72: ...sm interface ethernet IFname no debug uldp fsm interface ethernet IFname Enable or disable the debug switch of the state machine transition information on the specified port debug uldp error no debug...

Page 73: ...won t be shut down Switch A configuration sequence SwitchA config uldp enable SwitchA config interface ethernet 1 1 SwitchA Config If Ethernet1 1 uldp enable SwitchA Config If Ethernet1 1 exit Switch...

Page 74: ...s Down In order to make sure that neighbors can be correctly created and unidirectional links can be correctly discovered it is required that both end of the link should enable ULDP using the same aut...

Page 75: ...to different parameters The Recovery timer is disabled by default and will only be enabled when the users have configured recovery time 30 86400 seconds Reset command and reset mechanism can only res...

Page 76: ...ific LLDP defines a general advertisement information set a transportation advertisement protocol and a method to store the received advertisement information The device to advertise its own informati...

Page 77: ...onfigure the intervals of LLDP updating messages 5 Configure the aging time multiplier of LLDP messages 6 Configure the sending delay of updating messages 7 Configure the intervals of sending Trap mes...

Page 78: ...Global Mode lldp transmit delay seconds no lldp transmit delay Configure the sending delay of updating messages as the specified value or default value 7 Configure the intervals of sending Trap messa...

Page 79: ...relative information of LLDP Command Explanation Admin Global Mode show lldp Display the current LLDP configuration information show lldp interface ethernet IFNAME Display the LLDP configuration info...

Page 80: ...terface ethernet 1 4 SwitchA Config If Ethernet1 4 lldp transmit optional tlv portDesc sysCap SwitchA Config If Ethernet1 4 exit SWITCH B configuration task sequence SwitchB config lldp enable SwitchB...

Page 81: ...and can not only add network s bandwidth but also provide link backup Port aggregation is usually used when the switch is connected to routers PCs or other switches Port aggregation As shown in the a...

Page 82: ...ard to implement the link dynamic aggregation LACP protocol uses LACPDU Link Aggregation Control Protocol Data Unit to exchange the information with the other end After LACP protocol of the port is en...

Page 83: ...t forward the data packets Because the limitation of the max port number in the aggregation group if the current number of the member ports exceeds the limitation of the max port number then the syste...

Page 84: ...lance method for port group 5 Set the system priority of LACP protocol Command Explanation Global Mode port group port group number no port group port group number Create or delete a port group Comman...

Page 85: ...8 9 10 of S2 are access ports and add them to group2 with passive mode All the ports should be connected with cables The configuration steps are listed below Switch1 config Switch1 config interface e...

Page 86: ...pts ports aggregated successfully after a while now ports 1 2 3 4 of S1 form an aggregated port named Port Channel1 ports 6 8 9 10 of S2 form an aggregated port named Port Channel2 can be configured i...

Page 87: ...ion finishes immediately when the command to add port 2 to port group 1 is entered port 1 and port 2 aggregate to be port channel 1 when port 3 joins port group 1 port channel 1 of port 1 and 2 are un...

Page 88: ...e network by 2 to 5 Technically the Jumbo is just a lengthened frame sent and received by the switch However considering the length of Jumbo frames they will not be sent to CPU We discard the Jumbo fr...

Page 89: ...for monitoring the whole network connectivity and locating the fault in access aggregation network layer Compare with CFM Y 1731 standard set by ITU International Telecommunications Union is more pow...

Page 90: ...le OAM entity on the other side receives the notification it will also log and report it With the log information network administrators can keep track of network status in time The link event monitor...

Page 91: ...s not generate Dying Gasp OAMPDU it still receives and processes such OAMPDU sent by its peer 4 Remote loopback testing Remote loopback testing is available only after an Ethernet OAM connection is es...

Page 92: ...when configuring OAM parameters 1 Enable EFM OAM function of port Command Explanation Port mode ethernet oam mode active passive Configure work mode of EFM OAM default is active mode ethernet oam no e...

Page 93: ...shold low low frames window seconds no ethernet oam errored frame period threshold low window Configure the low threshold and window period of errored frame period event no command resotores the defau...

Page 94: ...stores the default value optional ethernet oam errored frame period threshold high high frames none no ethernet oam errored frame period threshold high Configure the high threshold of errored frame pe...

Page 95: ...pback supported Other parameters use the default configuration Configuration on PE PE config interface ethernet 1 1 PE config if ethernet1 1 ethernet oam Other parameters use the default configuration...

Page 96: ...y communicate in OAM loopback mode it should cancel remote loopback in time after detect the link performance Ensuring the used board supports remote loopback function Port should not configure STP MR...

Page 97: ...corresponding port security feature and takes a pre defined action automatically This reduces user s maintenance workload and greatly enhances system security 12 2 PORT SECURITY Configuration Task Lis...

Page 98: ...curity interface interface id address vlan Show port security configuration 12 3 Example of PORT SECURITY Internet HOST A HOST B SWITCH Ethernet1 1 Typical topology chart for port security When the in...

Page 99: ...onfig if ethernet1 1 exit Switch config 12 4 PORT SECURITY Troubleshooting If problems occur when configuring PORT SECURITY please check whether the problem is caused by the following reasons Check wh...

Page 100: ...DDM applications are shown in the following 1 Module lifetime forecast Monitoring the bias current is able to forecast the laser lifetime Administrator is able to find some potential problems by moni...

Page 101: ...re Voltage Bias current there are fixed thresholds Because the user s environments are difference the users is able to define the threshold including high alarm low alarm high warn low warn to flexibl...

Page 102: ...toring 1 Show the real time monitoring information of the transceiver 2 Configure the alarm or warning thresholds of each parameter for the transceiver 3 Configure the state of the transceiver monitor...

Page 103: ...ceiver Interface Temp C Voltage V Bias mA RX Power dBM TX Power dBM 1 21 33 3 31 6 11 30 54 A 6 01 Command Explanation Port mode transceiver monitoring enable disable Set whether the transceiver monit...

Page 104: ...QTECH on Sep 29 2010 Type is 1000BASE SX Link length is 550 m for 50um Multi Mode Fiber Link length is 270 m for 62 5um Multi Mode Fiber Nominal bit rate is 1300 Mb s Laser wavelength is 850 nm Brief...

Page 105: ...mA 6 11 W 10 30 0 00 5 00 0 00 RX Power dBM 30 54 A 9 00 25 00 9 00 25 00 TX Power dBM 13 01 9 00 25 00 9 00 25 00 Step2 Configure the tx power threshold of the fiber module the low warning threshold...

Page 106: ...ation information Transceiver monitor is disabled Monitor interval is set to 30 minutes The last threshold violation doesn t exist Ethernet 1 22 transceiver threshold violation information Transceiver...

Page 107: ...please check whether the problem is caused by the following reasons Ensure that the transceiver of the fiber module has been inserted fast on the port or else DDM configuration will not be shown Ensur...

Page 108: ...voice device expediently LLDP MED TLVs provide multiple information such as PoE Power over Ethernet network policy and the location information of the emergent telephone service 14 2 LLDP MED Configur...

Page 109: ...ith Civic Address LCI format and enter Civic Address LCI address mode The no command cancels all configurations of the location with Civic Address LCI format ecs location tel number no ecs location Co...

Page 110: ...onfigure Switch A SwitchA config interface ethernet1 1 SwitchA Config If Ethernet1 1 lldp enable SwitchA Config If Ethernet1 1 lldp mode both this configuration can be omitted the default mode is RxTx...

Page 111: ...SwitchA show lldp neighbors interface ethernet 1 1 Port name Ethernet1 1 Port Remote Counter 1 TimeMark 20 ChassisIdSubtype 4 ChassisId 00 1f ce 00 00 02 PortIdSubtype Local PortId 1 PortDesc SysName...

Page 112: ...sisIdSubtype 4 ChassisId 00 1f ce 00 00 02 PortIdSubtype Local PortId 1 PortDesc Ethernet1 1 SysName SysDesc SysCapSupported 4 SysCapEnabled 4 Explanation 1 Both Ethernet1 2 of switch A and Ethernet1...

Page 113: ...near MED device it sends LLDP MED TLV If network connection device configured the command for sending LLDP MED TLV the packets also without LLDP MED TLV sent by the port that means no MED information...

Page 114: ...same corporation through the service provider network To maintain a local concept it not only needs to transmit the data within the user s private network across the tunnel but also transmit layer 2...

Page 115: ...own in Figure User A has two devices CE 1 and CE 2 and both devices belong to the same VLAN User s network is divided into network 1 and network 2 which are connected by the service provider network W...

Page 116: ...the original destination MAC address of the packet and then sends the packet to network 2 of user A bpdu tunnel configuration of edge switches PE1 and PE2 in the following PE1 configuration PE1 config...

Page 117: ...lowing IEEE 802 1Q The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands A VLAN network defined logically Each bro...

Page 118: ...r of the user Hybrid ports and Trunk ports receive the data with the same process method but send the data with different method Hybrid ports can send the packets of multi VLANs without the VLAN tag w...

Page 119: ...Mode switchport mode trunk access hybrid Set the current port as Trunk Access or Hybrid port Command Explanation Port Mode switchport trunk allowed vlan WORD all add WORD except WORD remove WORD no s...

Page 120: ...g mode switchport hybrid native vlan vlan id no switchport hybrid native vlan Set delete PVID of the port Command Explanation Global Mode vlan ingress enable no vlan ingress enable Enable Disable VLAN...

Page 121: ...figuration description VLAN2 Site A and site B switch port 2 4 VLAN100 Site A and site B switch port 5 7 VLAN200 Site A and site B switch port 8 10 Trunk port Site A and site B switch port 11 Connect...

Page 122: ...f Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11 exit Switch config Switch B Switch config vlan 2 Switch Config Vlan2 switchport interface ethernet 1 2 4 Switch Config Vlan2 exit Swi...

Page 123: ...y SwitchA We can implement this status through Hybrid port Configuration items are as follows Port Type PVID the VLANs are allowed to pass Port 1 10 of Switch A Access 10 Allow the packets of VLAN 10...

Page 124: ...e Ethernet 1 10 Switch Config If Ethernet1 10 switchport mode hybrid Switch Config If Ethernet1 10 switchport hybrid native vlan 10 Switch Config If Ethernet1 10 switchport hybrid allowed vlan 7 9 10...

Page 125: ...and PE2 is to provide a reliable layer 2 link The technology of Dot1q tuunel provides the ISP internet the ability of supporting many client VLANs by only one VLAN of theirselves Both the ISP internet...

Page 126: ...onnected to CE1 port10 is connected to public network the TPID of the connected equipment is 9100 port1 of PE2 is connected to CE2 port10 is connected to public network Configuration Item Configuratio...

Page 127: ...1q tunnel tpid 0x9100 Switch Config 16 2 4 Dot1q tunnel Troubleshooting Enabling dot1q tunnel on Trunk port will make the tag of the data packet unpredictable which is not required in the application...

Page 128: ...200 Eth 1 1 Eth 1 2 Eth1 9 Eth1 9 Eth1 2 Eth1 1 IP Phone IP Phone IP Phone Vlan 201 300 PC PC VLAN 100 200 IP Phone IP Phone IP Phone Vlan 201 300 SP Network VLAN1000 2000 Command Explanation Global P...

Page 129: ...LAN 1000 switch config if ethernet1 1 switchport hybrid allowed vlan 1000 untag Configure the mapping rules for selective QinQ on Ehernet1 1 to insert VLAN 1000 tag as the outer VLAN tag in packets wi...

Page 130: ...vlan 201 300 switch config if ethernet1 2 dot1q tunnel selective enable switch config if ethernet1 9 switchport mode hybrid switch config if ethernet1 9 switchport hybrid allowed vlan 1000 2000 tag 1...

Page 131: ...n CE1 and CE2 of the client network with VLAN3 The port1 of PE1 is connected to CE1 port10 is connected to public network port1 of PE2 is connected to CE2 port10 is connected to public network Command...

Page 132: ...it switch Config Note this switch only supports the in direction 16 4 4 VLAN translation Troubleshooting Normally the VLAN translation is applied on trunk ports Normally before using the VLAN translat...

Page 133: ...figure Multi to One VLAN translation on the port 2 Show the related configuration of Multi to One VLAN translation 1 Configure Multi to One VLAN translation on the port 2 Show the related configuratio...

Page 134: ...E F VID 101 User A B C VID 100 UserA UserB UserC UserD UserE UserF switch1 switch2 VLAN translation typical application Configuration Item Configuration Explanation VLAN Switch1 Switch2 Trunk Port Dow...

Page 135: ...physical location to another As we can see the greatest advantage of this VLAN division is that the VLAN does not have to be re configured when the user physic location change namely shift from one sw...

Page 136: ...rt mac vlan enable no switchport mac vlan enable Enable disable the MAC based VLAN function on the port Command Explanation Global Mode mac vlan vlan vlan id no mac vlan Configure the specified VLAN t...

Page 137: ...h A Switch B Switch C Configuration procedure Switch A Switch B Switch C switch Config mac vlan mac 00 1f ce 11 22 33 vlan 100 priority 0 switch Config exit switch 16 6 4 Dynamic VLAN Troubleshooting...

Page 138: ...tes so as to ensure protocol entities registering and deregistering the attribute According to different transmission attributes GARP can be divided to many application protocols such as GMRP and GVRP...

Page 139: ...A and G switches manually So the same VLAN of two unadjacent switches can communicate mutually through GVRP protocol instead of configuring each intermediate switch manually for achieving the purpose...

Page 140: ...C can communicate with each other through Switch B without static VLAN100 entries Configuration Item Configuration description VLAN100 Port 2 6 of Switch A and C Trunk port Port 11 of Switch A and C...

Page 141: ...11 Switch Config If Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11 gvrp Switch Config If Ethernet1 11 exit Switch C Switch config gvrp Switch config vlan 100 Switch Config Vlan100 s...

Page 142: ...ame and creates a mapping to the destination port Then the MAC table is queried for the destination MAC address if hit the data frame is forwarded in the associated port otherwise the switch forwards...

Page 143: ...and port1 5 and no port mapping for 00 01 33 33 33 33 present the switch broadcast this message to all the ports in the switch assuming all ports belong to the default VLAN1 PC3 and PC4 on port 1 12 r...

Page 144: ...Broadcast frame The switch can segregate collision domains but not broadcast domains If no VLAN is set all devices connected to the switch are in the same broadcast domain When the switch receives a...

Page 145: ...ing or filter entry Clear dynamic address table Command Explanation Admin Mode clear mac address table dynamic address mac addr vlan vlan id interface ethernet portchannel interface name Clear the dyn...

Page 146: ...listed below 1 Set the MAC address 00 01 11 11 11 11 of PC1 as a filter address Switch config mac address table static 00 01 11 11 11 11 discard vlan 1 2 Set the static mapping relationship for PC2 a...

Page 147: ...for forwarding in that port if the connection is changed to another port the switch will learn the MAC address again to forward data in the new port However in some cases security or management polic...

Page 148: ...no switchport port security timeout restores the default setting switchport port security mac address mac address no switchport port security mac address mac address Add static secure MAC address the...

Page 149: ...some occasions Here are some possible causes and solutions If MAC address binding cannot be enabled for a port make sure the port is not enabling port aggregation and is not configured as a Trunk port...

Page 150: ...f MAC notification supported by the port Command Explanation Global mode snmp server enable traps mac notification no snmp server enable traps mac notification Configure or cancel the global snmp MAC...

Page 151: ...c notification Switch config mac address table notification Switch config mac address table notification interval 5 Switch config mac address table notification history size 100 Switch Config If Ether...

Page 152: ...e MSTP can reduce the number of spanning tree instances which consumes less CPU resources and reduces the bandwidth consumption 18 1 1 MSTP Region Because multiple VLANs can be mapped to a single span...

Page 153: ...IST master with both of the path costs to the CST root and to the IST master set to zero The bridge also initializes all of its MST instances and claims to be the root for all of them If the bridge r...

Page 154: ...nstances That can form various topologies Each instance is independent from the others and each distance can have its own attributes such as bridge priority and port cost etc Consequently the VLANs in...

Page 155: ...ing tree mst instance id port priority Set port priority for specified instance spanning tree mst instance id rootguard no spanning tree mst instance id rootguard Configure currently port whether runn...

Page 156: ...orward time time no spanning tree forward time Set the value for switch forward delay time spanning tree hello time time no spanning tree hello time Set the Hello time for sending BPDU messages spanni...

Page 157: ...ns the format is determined by checking the received packet Command Explanation Port Mode spanning tree cost no spanning tree cost Set the port path cost spanning tree port priority no spanning tree p...

Page 158: ...ning tree flush once the topology changes Disable the spanning tree don t flush when the topology changes Protect the spanning tree flush not more than one time every ten seconds The no command restor...

Page 159: ...00000 200000 Port 7 200000 200000 By default the MSTP establishes a tree topology in blue lines rooted with SwitchA The ports marked with x are in the discarding status and the other ports are in the...

Page 160: ...ig Port Range switchport mode trunk Switch2 Config Port Range exit Switch2 config spanning tree Switch3 Switch3 config vlan 20 Switch3 Config Vlan20 exit Switch3 config vlan 30 Switch3 Config Vlan30 e...

Page 161: ...stance 0 of the entire network In the MSTP region which Switch2 Switch3 and Switch4 belong to Switch2 is the region root of the instance 0 Switch3 is the region root of the instance 3 and Switch4 is t...

Page 162: ...pology Of the Instance 3 after the MSTP Calculation The Topology Of the Instance 4 after the MSTP Calculation Switch2 Switch3 Switch 4 2 2 3 3 X 4 4 X 5 5 X 6 7 6 x 7 X Switch1 Switch2 Switch3 Switch4...

Page 163: ...meters co work with each other so the parameters should meet the following conditions Otherwise the MSTP may work incorrectly 2 Bridge_Forward_Delay 1 0 seconds Bridge_Max_Age Bridge_Max_Age 2 Bridge_...

Page 164: ...e data transfer service to fulfill program requirements QoS cannot generate new bandwidth but provides more effective bandwidth management according to the application requirement and network manageme...

Page 165: ...Traffic within the QoS policing policy range bandwidth or burst value is called In Profile Out of Profile Traffic out the QoS policing policy range bandwidth or burst value is called Out of Profile 19...

Page 166: ...ration is flexible the complexity or simplicity depends on the network topology and devices and analysis to incoming outgoing traffic 19 1 3 Basic QoS Model The basic QoS consists of four parts Classi...

Page 167: ...he flow to configure different policies that allocate bandwidth to classified traffic the assigned bandwidth policy may be dual bucket dual color or dual bucket three color The traffic will be assigne...

Page 168: ...cedence for the egress packets the queuing operation assigns the packets to different priority queues according to the internal priority while the scheduling operation perform the packet forwarding ac...

Page 169: ...lass map Set up a classification rule according to ACL CoS VLAN ID IPv4 Precedent DSCP IPV6 FL to classify the data stream Different classes of data streams will be processed with different policies C...

Page 170: ...lass map and enter class map mode the no class map class map name command deletes the specified class map match access group acl index or name ip dscp dscp list ip precedence ip precedence list ipv6 a...

Page 171: ...policy for the classified flow Set corresponding action to different color packets The no command will delete the mode configuration accounting no accounting Set statistic function for the classified...

Page 172: ...weight Command Explanation Global Mode mls qos queue algorithm sp wrr no mls qos queue algorithm Set queue management algorithm the default queue management algorithm is wrr mls qos queue weight weigh...

Page 173: ...ch config mls qos queue weight 1 1 2 2 Switch Config If Ethernet1 1 mls qos cos 5 Configuration result When QoS enabled in Global Mode the egress queue bandwidth proportion of all ports is 1 1 2 2 Whe...

Page 174: ...After the above settings done bandwidth for packets from segment 192 168 1 0 through port ethernet 1 2 is set to 10 Mb s with a burst value of 4 MB all packets exceed this bandwidth setting in that s...

Page 175: ...h2 Switch config Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 mls qos trust cos 19 4 QoS Troubleshooting trust cos and EXP can be used with other trust or Policy Map trust dscp ca...

Page 176: ...ransmission policy for a special type of data frames The switch can only designate a single destination port of redirection for a same class of flow within a source port of redirection while it can de...

Page 177: ...this flow to port 1 The following is the configuration procedure Switch config access list 1 permit host 192 168 1 111 Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 access group 1...

Page 178: ...Q Basic QinQ based the port After a port configures QinQ whether the received packet with tag or not the device still packs the default VLAN tag for the packet Using basic QinQ is simple but the setti...

Page 179: ...o command deletes the specified match standard 2 Configure policy map of flexible QinQ Command Explanation Global mode policy map policy map name no policy map policy map name Create a policy map and...

Page 180: ...ly in DSLAM1 DSCP10 corresponds to Broad Band Network DSCP20 corresponds to VOIP DSCP30 corresponds to VOD After the downlink port enables flexible QinQ function the packets will be packed with differ...

Page 181: ...ymap p1 class c3 set s vid 3001 Switch config policymap p1 class c3 exit Switch config policymap p1 exit Switch config interface ethernet 1 1 Switch config if ethernet1 1 dot1q tunnel enable Switch co...

Page 182: ...if ethernet1 1 service policy p1 in 21 4 Flexible QinQ Troubleshooting If flexible QinQ policy can not be bound to the port please check whether the problem is caused by the following reasons Make sur...

Page 183: ...ayer 3 interface should be in UP state for Layer 3 interface in UP state otherwise Layer 3 interface will be in DOWN state The switch can use the IP addresses set in the layer 3 management interface t...

Page 184: ...of Internet which require IP addresses the supply of IP addresses turns out to be more and more tense People have been working on the problem of shortage of IPv4 addresses for a long time by introduci...

Page 185: ...ile calculating devices The Mobile IP Protocol defined in IETF standard makes mobile devices movable without cutting the existing connection which is a network function getting more and more important...

Page 186: ...ss mask command cancels IP address of VLAN interface 2 Configure the default gateway Command Explanation Global Mode ip default gateway A B C D no ip default gateway A B C D Configure the default gate...

Page 187: ...ssage number Command Explanation Interface Configuration Mode ipv6 nd dad attempts value no ipv6 nd dad attempts Set the neighbor query message number sent in sequence when the interface makes duplica...

Page 188: ...Configuration Task List ARP Configuration Task List 1 Configure static ARP 1 Configure static ARP Command Explanation Interface Configuration Mode arp ip_address mac_address no arp ip_address Configur...

Page 189: ...7 495 797 3311 www qtech ru 18 1 175...

Page 190: ...h ARP scanning features is found in the segment the switch will cut off the attack source to ensure the security of the network There are two methods to prevent ARP scanning port based and IP based Th...

Page 191: ...based threshold threshold value no anti arpscan port based threshold Set the threshold of the port based ARP Scanning Prevention anti arpscan ip based threshold threshold value no anti arpscan ip bas...

Page 192: ...r disable the SNMP Trap function of ARP scanning prevention show anti arpscan trust ip port supertrust port prohibited ip port Display the state of operation and configuration of ARP scanning preventi...

Page 193: ...ort SwitchA Config If Ethernet1 2 exit SwitchA config interface ethernet1 19 SwitchA Config If Ethernet1 19 anti arpscan trust supertrust port Switch A Config If Ethernet1 19 exit SWITCHB configuratio...

Page 194: ...cation between two host computers in the same network even if are connected by the switches it sends an ARP reply packet to two hosts separately and make them misunderstand MAC address of the other si...

Page 195: ...n At one time it doesn t interrupt the automatic learning function of ARP Thus it prevents ARP spoofing and attack to a great extent 24 2 Prevent ARP Spoofing configuration The steps of preventing ARP...

Page 196: ...1 address A MAC address In further a transfers its received packets to C by modifying source address and destination address the mutual communicated data between B and C are received by A unconsciousl...

Page 197: ...config ip arp security convert If the environment changing it enable to forbid ARP refresh once it learns ARP property it wont be refreshed by new ARP reply packet and protect use data from sniffing...

Page 198: ...revent PC2 from receiving the messages to it Particularly if the attacker pretends to be the gateway and do ARP cheating the whole network will be collapsed ARP GUARD schematic diagram We utilize the...

Page 199: ...www qtech ru 18 1 185 25 2 ARP GUARD Configuration Task List 1 Configure the protected IP address Command Explanation Port configuration mode arp guard ip addr no arp guard ip addr Configure delete AR...

Page 200: ...advertises gratuitous ARP requests the host will not have to send these requests This will reduce the frequency the hosts sending ARP requests for the gateway s MAC address Gratuitous ARP is a method...

Page 201: ...10 whose IP address is 192 168 15 254 and network address mask is 255 255 255 0 in the switch system Five PCs PC1 PC2 PC3 PC4 PC5 are connected to the interface Gratuitous ARP can be enabled through t...

Page 202: ...nabled in global configuration mode it can be disabled only in global configuration mode If gratuitous ARP is configured in interface configuration mode the configuration can only be disabled in inter...

Page 203: ...and configuration parameters for the clients if DHCP server and clients are located in different subnets DHCP relay is required for DHCP packets to be transferred between the DHCP client and DHCP serv...

Page 204: ...heoretically endless 3 Dynamically allocated address cannot be bound manually 4 Dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the relat...

Page 205: ...he address for server netbios node type b node h node m node p node type number no netbios node type Configure node type for DHCP clients The no operation cancels the node type for DHCP clients bootfi...

Page 206: ...g address manually client identifier unique identifier no client identifier Specify delete the unique ID of the user when binding address manually 3 Enable logging for address conflicts Command Explan...

Page 207: ...packet via DHCP relay to the DHCP client DHCP client chooses a DHCP server and broadcasts a DHCPREQUEST packet DHCP relay forwards the packet to the DHCP server after processing On receiving DHCPREQU...

Page 208: ...ators and users a company is using switch as a DHCP server The Admin VLAN IP address is 10 16 1 2 16 The local area network for the company is divided into network A and B according to the office loca...

Page 209: ...h config ip dhcp pool A1 Switch dhcp A1 config host 10 16 1 210 Switch dhcp A1 config hardware address 00 03 22 23 dc ab Switch dhcp A1 config exit Usage Guide When a DHCP BOOTP client is connected to...

Page 210: ...switchport access vlan 2 Switch Config Erthernet1 2 exit Switch config interface vlan 2 Switch Config if Vlan2 ip address 10 1 1 1 255 255 255 0 Switch Config if Vlan2 exit Switch config ip forward p...

Page 211: ...ch Config If Ethernet1 2 switchport mode trunk switch config service dhcp switch config ip forward protocol udp bootps switch config ip dhcp relay information option switch config ip dhcp relay share...

Page 212: ...one of them will take effect furthermore in manual binding only one IP MAC binding can be configured in one pool If multiple bindings are required multiple manual pools can be created and IP MAC bindi...

Page 213: ...provide extend function of DHCPv6 prefix delegation upstream route can assign address prefix to downstream route automatically that achieve the IPv6 address auto assignment in levels of network envir...

Page 214: ...from the DHCPv6 client it will encapsulate the request in a Relay forward packet and deliver it to the next DHCPv6 relay or the DHCPv6 server The DHCPv6 messages coming from the server will be encaps...

Page 215: ...signable of address pool dns server ipv6 address no dns server ipv6 address To configure DNS server address for DHCPv6 client domain name domain name no domain name domain name To configure DHCPv6 cli...

Page 216: ...e vlan 1 4096 no ipv6 dhcp relay destination ipv6 address interface interface name vlan 1 4096 To specify the destination address of DHCPv6 relay transmit The no form of this command delete the config...

Page 217: ...mand Explanation DHCPv6 address pool Configuration Mode prefix delegation pool poolname lifetime valid time preferred time no prefix delegation pool poolname To specify prefix delegation pool used by...

Page 218: ...Prefix Delegation Client Configuration DHCPv6 prefix delegation client configuration task list as below To enable disable DHCPv6 service To enable DHCPv6 prefix delegation client function on port 1 T...

Page 219: ...s and it is configured as DHCPv6 relay delegation Switch3 is configured as DHCPv6 server in secondary aggregation layer and connected with backbone network or higher aggregation layers The Windows Vis...

Page 220: ...g Switch2 configuration Switch2 enable Switch2 config Switch2 config service dhcpv6 Switch2 config interface vlan 1 Switch2 Config if Vlan1 ipv6 address 2001 da8 1 1 2 64 Switch2 Config if Vlan1 exit...

Page 221: ...connected to the DHCPv6 enabled switches but can not get IPv6 addresses In this situation it should be checked first whether the ports which the hosts are connected to are connected with the port whic...

Page 222: ...entify all the possible DHCP attack messages according to the information in option 82 and defend against them DHCP Relay Agent will peel the option 82 from the reply messages it receives and forward...

Page 223: ...2 to the end of the request message it receives then relay and forward the message to the DHCP server By default the sub option 1 of option 82 Circuit ID is the interface information of the switch con...

Page 224: ...e the option 82 function of the switch Relay Agent The no ip dhcp relay information option is used to disable the option 82 function of the switch Relay Agent 2 Configure the DHCP option 82 attributes...

Page 225: ...added option 82 sub option1 Circuit ID option as standard format Global Mode ip dhcp relay information option remote id standard remote id no ip dhcp relay information option remote id Set the subopti...

Page 226: ...remote id suboption by themselves ip dhcp relay information option self defined remote id format ascii hex Set self defined format of remote id for relay option82 ip dhcp relay information option sel...

Page 227: ...ected to Switch1 and Switch2 will get addresses from the public address pool of the DHCP server After the DHCP option 82 function is enabled since the Switch3 appends the port information of accessing...

Page 228: ...102 2 option subnet mask 255 255 255 0 option domain name example com option domain name servers 192 168 10 3 authoritative pool range 192 168 102 21 192 168 102 50 default lease time 86400 24 Hours...

Page 229: ...d of Relay Agent please pay attention to the retransmitting policy of the interface DHCP request messages To implement the option 82 function of DHCP Relay Agent the debug dhcp relay packet command ca...

Page 230: ...d option 43 it will match with any option 60 If the received DHCP packet with option 60 from DHCP client DHCP client will receive the option 43 configured in the address pool 3 Address pool only confi...

Page 231: ...r configures option 60 matched with the option 60 of fit ap to return option 43 attribute to FTP AP Configuration procedure Configure DHCP server router config ip dhcp pool a router dhcp a config opti...

Page 232: ...client to trigger deny service attack through using MAC address of other legal clients Therefore IETF set rfc4649 and rfc4580 i e DHCPv6 option 37 and option 38 to solve these problems DHCPv6 option...

Page 233: ...drop keep replace no ipv6 dhcp snooping remote id policy This command is used to configure the reforward policy of the system when receiving DHCPv6 packets with option 37 which can be drop the system...

Page 234: ...ote id no ipv6 dhcp snooping remote id This command is used to set the form of adding option 37 in received DHCPv6 request packets of which remote id is the content of remote id in user defined option...

Page 235: ...CPv6 request packets of which remote id is the content of remote id in user defined option 37 and it is a string with a length of less than 128 The no operation restores remote id in option 37 to ente...

Page 236: ...8 of relay forw in the innermost layer are selected The no operation of it restores the default configuration i e selecting option 37 and option 38 of the original packets IPv6 DHCP Class configuratio...

Page 237: ...l the requests matched with CLASS1 CLASS2 and CLASS3 will be assigned an address ranging from 2001 da8 100 1 2 to 2001 da8 100 1 30 from 2001 da8 100 1 31 to 2001 da8 100 1 60 and from 2001 da8 100 1...

Page 238: ...1f ce 00 00 01 subscriber id vlan1 Ethernet1 1 SwitchB dhcpv6 class class1 config exit SwitchB config ipv6 dhcp class CLASS2 SwitchB dhcpv6 class class2 config remote id 00 1f ce 00 00 01 subscriber...

Page 239: ...v6 address allocation if special server is used for uniform allocation and management for IPv6 address DHCPv6 server supports both stateful and stateless DHCPv6 Network topology In access layer layer2...

Page 240: ...n the same VLAN otherwise it needs to use DHCPv6 relay Snooping option37 38 can process one of the following operations for DHCPv6 request packets with option37 38 replace the original option37 38 wit...

Page 241: ...ol independently Defense against Fake DHCP Server once the switch intercepts the DHCP Server reply packets including DHCPOFFER DHCPACK and DHCPNAK it will alarm and respond according to the situation...

Page 242: ...authentication status 32 2 DHCP Snooping Configuration Task Sequence 1 Enable DHCP Snooping 2 Enable DHCP Snooping binding function 3 Enable DHCP Snooping option82 function 4 Set the private packet v...

Page 243: ...n 6 Set DES encrypted key for private packets Command Explanation Globe mode enable trustview key 0 7 password no enable trustview key To configure delete DES encrypted key for private packets 7 Set h...

Page 244: ...p snooping binding dot1x Enable or disable the DHCP snooping binding dot1x function Command Explanation Port mode ip dhcp snooping binding user control no ip dhcp snooping binding user control Enable...

Page 245: ...d to set that allow untrusted ports of DHCP snooping to receive DHCP packets with option82 option When disabling this command all untrusted ports will drop DHCP packets with option82 option ip dhcp sn...

Page 246: ...fine the parameters of circute id suboption by themselves ip dhcp snooping information option self defined subscriber id format ascii hex Set self defined format of circuit id for snooping option82 Po...

Page 247: ...If Ethernet1 11 exit switch config interface ethernet 1 12 switch Config If Ethernet1 12 ip dhcp snooping trust switch Config If Ethernet1 12 exit switch config interface ethernet 1 1 10 switch Config...

Page 248: ...nfigured policies and the option 82 information in the message At the same time DHCP server can identify all the possible DHCP attack messages according to the information in option 82 and defend agai...

Page 249: ...option 82 to the end of the request message it receives and perform layer 2 forwarding By default the sub option 1 of option 82 Circuit ID is the interface information of the switch connected to the...

Page 250: ...NOOPING function 2 Enable DHCP Snooping binding function Command Explanation Global mode ip dhcp snooping binding enable no ip dhcp snooping binding enable Enable or disable DHCP SNOOPING binding func...

Page 251: ...is the configuration of Switch1 MAC address is 00 1f ce 02 33 01 Switch1 config ip dhcp snooping enable Switch1 config ip dhcp snooping binding enable Switch1 config ip dhcp snooping information enab...

Page 252: ...cate addresses for the network nodes from Switch1 within the range of 192 168 102 51 192 168 102 80 33 4 DHCP Snooping option 82 Troubleshooting To implement the option 82 function of DHCP SNOOPING th...

Page 253: ...e Broadcast mode goes against the security and secrecy The emergence of IP Multicast technology solved this problem in time The Multicast source only sends out the message once Multicast Routing Proto...

Page 254: ...p Permanent Multicast Group keeps its IP address fixed but its member structure can vary within The member amount of Permanent Multicast Group can be arbitrary even zero The IP Multicast addresses whi...

Page 255: ...ure In order to guarantee that all Multicast packets get to the router via the shortest path the receipt interface of the Multicast packet must be checked in some certain way based on Unicast router t...

Page 256: ...out of specified source and specified group REGISTER_STOP is transmitted directly and table entry is not allowed to set up This task is implemented in PIM SM model The implement of Multicast User Con...

Page 257: ...e front one is the one which is configured the earliest Once the configured rules are matched the following rules won t take effect so rules of globally allow must be put at the end The commands are a...

Page 258: ...Global Configuration Mode no access list 6000 7999 deny permit ip source source wildcard host source source host ip any source destination destination wildcard host destination destination host ip any...

Page 259: ...tsium we configure Edge Switch so that only the switch at port Ethernet1 5 is allowed to transmit multicast and the data group must be 225 1 2 3 Also switch connected up to port Ethernet1 10 can trans...

Page 260: ...fects you expect to the after sale service staff of our company 34 3 IGMP Snooping 34 3 1 Introduction to IGMP Snooping IGMP Internet Group Management Protocol is a protocol used in IP multicast IGMP...

Page 261: ...group count of vlan and the max source count of every group The no ip igmp snooping vlan vlan id limit command cancels this configuration ip igmp snooping vlan vlan id l2 general querier no ip igmp s...

Page 262: ...id immediate leave command disables the IGMP fast leave function ip igmp snooping vlan vlan id query mrsp value no ip igmp snooping vlan vlan id query mrsp Configure the maximum query response period...

Page 263: ...xample As shown in the above figure a VLAN 100 is configured in the switch and includes ports 1 2 6 10 and 12 Four hosts are connected to port 2 6 10 12 respectively and the multicast router is connec...

Page 264: ...ceive the traffic of program 1 Scenario 2 L2 general querier The switches as IGMP Queries The configuration of Switch2 is the same as the switch in scenario 1 SwitchA takes the place of Multicast Rout...

Page 265: ...ping function configuration and usage IGMP Snooping might not run properly because of physical connection or configuration mistakes So the users should note that Make sure correct physical connection...

Page 266: ...eport back through the multicast address MLD Snooping is namely the MLD listening The switch restricts the multicast traffic from flooding through MLD Snooping and forward the multicast traffic to por...

Page 267: ...ion ipv6 mld snooping vlan vlan id mrouter port learnpim6 no ipv6 mld snooping vlan vlan id mrouter port learnpim6 Enable the function that the specified VLAN learns mrouter port according to pimv6 pa...

Page 268: ...command cancels this configuration 35 1 3 MLD Snooping Examples Scenario 1 MLD Snooping Function Open the switch MLD Snooping Function figure As shown above the vlan 100 configured on the switch consi...

Page 269: ...application is operating on the four hosts Two hosts connected to port 2 and 5 are playing program 1 while the host connected to port 10 playing program 2 and the one to port 12 playing program 3 MLD...

Page 270: ...d Query periodically global MLD Snooping has to be enabled while executing the mld snooping vlan 60 l2 general querier setting the vlan 60 to a Level 2 General Querier Configuration procedure is as fo...

Page 271: ...nection failure wrong configuration etc The user should ensure the following Ensure the physical connection is correct Ensure the MLD Snooping is enabled under global mode using ipv6 mld snooping Ensu...

Page 272: ...ulticast VLAN is configured the multicast traffic will be continuously sent to the users 36 2 Multicast VLAN Configuration Task List 1 Enable the multicast VLAN function 2 Configure the IGMP Snooping...

Page 273: ...nd disables the IGMP snooping function 3 Configure the MLD Snooping ipv6 mld snooping vlan vlan id no ipv6 mld snooping vlan vlan id Enable MLD Snooping on multicast VLAN the no form of this command d...

Page 274: ...fig if Vlan10 ip pim dense mode Switch Config if Vlan10 exit SwitchA config vlan 20 SwitchA config vlan20 exit SwitchA config interface vlan 20 SwitchA Config if Vlan20 ip pim dense mode SwitchA Confi...

Page 275: ...7 495 797 3311 www qtech ru 18 1 261 When multicast VLAN supports IPv6 multicast usage is the same with IPv4 but the difference is using with MLD Snooping so does not give an example...

Page 276: ...IP IP protocol number and TCP port UDP port Access lists can be categorized by the following criteria Filter information based criterion IP access list layer 3 or higher information MAC access list la...

Page 277: ...list based on nomenclature Create an extensive IP access list based on nomenclature Specify multiple permit or deny rule entries Exit ACL Configuration Mode 5 Configuring a numbered standard MAC acces...

Page 278: ...st source sIpAddr dIpAddr dMask any destination host destination dIpAddr icmp type icmp code precedence prec tos tos time range time range name Creates a numbered ICMP extended IP access rule if the n...

Page 279: ...nge time range name Creates a numbered IP extended IP access rule for other specific IP protocol or all IP protocols if the numbered extended access list of specified number does not exist then an acc...

Page 280: ...d extended IP access rule no deny permit igmp sIpAddr sMask any source host source sIpAddr dIpAddr dMask any destination host destination dIpAddr igmp type precedence prec tos tos time range time rang...

Page 281: ...rce mac host_smac smac smac mask no access list num Creates a numbered standard MAC access list if the access list already exists then a rule will add to the current access list the no access list num...

Page 282: ...2 ethertype protocol protocol mask Creates an extended name based MAC access rule matching untagged ethernet 2 frame the no form command deletes this name based extended MAC access rule no deny permit...

Page 283: ...sing this number access list num deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask igmp source source wildcard any s...

Page 284: ...um deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask eigrp gre igrp ip ipinip ospf protocol num source source wildca...

Page 285: ...ion mac host_dmac dmac dmac mask igmp source source wildcard any source host source source host ip destination destination wildcard any destination host destination destination host ip igmp type prece...

Page 286: ...tocol num source source wildcard any source host source source host ip destination destination wildcard any destination host destination destination host ip precedence precedence tos tos time range ti...

Page 287: ...c Exit name based standard IP ACL configuration mode Command Explanation Standard IPv6 ACL Mode exit Exits name based standard IPv6 ACL configuration mode 2 Configuring packet filtering function 1 En...

Page 288: ...igure absolute time range Command Explanation Global Mode absolute start start_time start_data end end_time end_data Configure absolute time range no absolute start start_time start_data end end_time...

Page 289: ...le Switch config interface ethernet 1 10 Switch Config If Ethernet1 10 ip access group 110 in Switch Config If Ethernet1 10 exit Switch config exit Configuration result Switch show firewall Firewall s...

Page 290: ...3 access list 1100 deny 00 12 11 23 00 00 00 00 00 00 ff ff any destination mac Switch show access group interface ethernet 1 10 interface name Ethernet1 10 MAC Ingress access list used is 1100 traff...

Page 291: ...name Ethernet1 10 MAC IP Ingress access list used is 3110 traffic statistics Disable Scenario 4 The configuration requirement is stated as below IPv6 protocol runs on the interface 600 of the switch A...

Page 292: ...on Create the corresponding access list Configure datagram filtering Bind the ACL to the related interface The configuration steps are listed as below Switch config firewall enable Switch config vlan...

Page 293: ...Viruses such as worm blaster can be blocked by configuring ACL to block specific ICMP packets or specific TCP or UDP port packet If the physical mode of an interface is TRUNK ACL can only be configure...

Page 294: ...nfiguration if there are any ACLs bound to the VLAN the ACL will be removed from all the physical interfaces belonging to the VLAN and it will be bound to VLAN 1 ACL if ACL is configured in VLAN1 If V...

Page 295: ...and configure the access from user The prevailing application of WLAN and LAN access in telecommunication networks in particular make it necessary to control ports in order to implement the user leve...

Page 296: ...lement the operation of algorithms and protocols The PAE of the supplicant system is supposed to respond the authentication request from the authenticator systems and submit user s authentication info...

Page 297: ...n the PAE of the authenticator system and the RADIUS server there are two methods to exchange information one method is that EAP messages adopt EAPOR EAP over RADIUS encapsulation format in RADIUS pro...

Page 298: ...EAPOL Start whose value is 0x01 the frame to start authentication EAPOL Logoff whose value is 0x02 the frame requesting to quit EAPOL Key whose value is 0x03 the key information frame EAPOL Encapsula...

Page 299: ...gth and Data in byte Data the content of the EAP packet depending on the Code type 38 1 4 The Encapsulation of EAP Attributes RADIUS adds two attribute to support EAP authentication EAP Message and Me...

Page 300: ...authentication protocol messages can reach the authentication server through complicated networks In general EAP relay requires the RADIUS server to support EAP attributes EAP Message and Message Aut...

Page 301: ...cation methods that may be extended in the future In EAP relay if any authentication method in EAP MD5 EAP TLS EAP TTLS and PEAP is adopted the authentication methods of the supplicant system and the...

Page 302: ...authentication It is the earliest EAP authentication method used in wireless LAN Since every user should have a digital certificate this method is rarely used practically considering the difficult ma...

Page 303: ...thod EAP PEAP is brought up by Cisco Microsoft and RAS Security as a recommended open standard It has long been utilized in products and provides very good security Its design of protocol and security...

Page 304: ...he protocol devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802 1x Supports some applications in the case of which one physical port can have more...

Page 305: ...ll be preferred 38 1 6 The Features of VLAN Allocation 1 Auto VLAN Auto VLAN feature enables RADIUS server to change the VLAN to which the access port belongs based on the user information and the use...

Page 306: ...more authentication triggering messages than the upper limit EAP Request Identity from the port The authentication server assigns an Auto VLAN and then the port leaves Guest VLAN and joins the assign...

Page 307: ...tion Port Mode dot1x port method macbased portbased userbased standard advanced no dot1x port method Sets the port access management method the no command restores MAC based access management dot1x ma...

Page 308: ...v6 passthrough no dot1x ipv6 passthrough Enables IPv6 passthrough function of global mode on a switch only applicable when access control mode is userbased the no operation of this command will disabl...

Page 309: ...s The Network Topology of Guest VLAN Notes in the figures in this session E2 means Ethernet 1 2 E3 means Ethernet 1 3 and E6 means Ethernet 1 6 As showed in the next figure a switch accesses the netwo...

Page 310: ...Online VLAN Being Offline As illustrated in the up figure when the users become online after a successful authentication the authentication server will assign VLAN5 which makes the user and Ethernet1...

Page 311: ...mode on the port as portbased Switch Config If Ethernet1 2 dot1x port method portbased Set the access control mode on the port as auto Switch Config If Ethernet1 2 dot1x port control auto Set the por...

Page 312: ...E 802 1x authentication client software is installed on the PC and is used in IEEE 802 1x authentication The configuration procedures are listed below Switch config interface vlan 1 Switch Config if v...

Page 313: ...IEEE802 1x authentication client software on the computer and use the client for IEEE802 1x authentication The detailed configurations are listed as below Switch config interface vlan 1 Switch Config...

Page 314: ...but still cannot pass through authentication connectivity between the switch and RADIUS server the switch and 802 1x client should be verified and the port and VLAN configuration for the switch should...

Page 315: ...f the dynamically learnt MAC address matches no transmitted data in a long time the switch will delete it from the MAC address list Usually the switch supports both the static configuration and dynami...

Page 316: ...imitation function of MAC on the ports 2 Configure the violation mode of ports Command Explanation Port mode switchport mac address violation protect shutdown recovery 5 3600 no switchport mac address...

Page 317: ...ck to a certain extent When malicious users frequently do MAC cheating it will be easy for them to fill the MAC list entries of the switch causing successful DOS attacks Limiting the MAC list entry ca...

Page 318: ...ss is mutually exclusive to these configurations so if the users need to enable the number limitation function of MAC address on the port they should check these functions mentioned above on this port...

Page 319: ...host to be forwarded by the switch Given the fact that MAC IP can be exclusively bound with a host it is necessary to make MAC IP bound with a host for the purpose of preventing users from maliciously...

Page 320: ...arding IP of the port 4 Configure the forwarding MAC IP Command Explanation Port Mode am mac ip pool mac address ip address no am mac ip pool mac address ip address Configure the forwarding MAC IP of...

Page 321: ...the switch can be configured as follows Switch config am enable Switch config interface ethernet1 1 Switch Config If Ethernet1 1 am port Switch Config If Ethernet1 1 am ip pool 10 10 10 1 10 40 4 AM...

Page 322: ...otecting the server from attacks such as DoS The protocol check allows the user to drop matched packets based on specified conditions The security features provide several simple and effective protect...

Page 323: ...ction 2 Configure the minimum permitted TCP head length of the packet Command Explanation Global Mode no dosattack check tcp fragment enable Enable disable the prevent TCP fragment attack function dos...

Page 324: ...iguration requirements the switch do not forward data packet whose source IP address is equal to the destination address and those whose source port is equal to the destination port Only the ping comm...

Page 325: ...TACACS authentication function on the switch when the user logs such as telnet the authentication of user name and password can be carried out with TACACS 42 2 TACACS Configuration Task List 1 Config...

Page 326: ...Mode tacacs server nas ipv4 ip address no tacacs server nas ipv4 To configure the source IP address for the TACACS packets for the switch 42 3 TACACS Scenarios Typical Examples TACACS Configuration A...

Page 327: ...In configuring and using TACACS the TACACS may fail to authentication due to reasons such as physical connection failure or wrong configurations The user should ensure the following First good conditi...

Page 328: ...urce RADIUS Remote Authentication Dial in User Service is a kind of distributed and client server protocol for information exchange The RADIUS client is usually used on network appliance to implement...

Page 329: ...e fields Type field 1 octet the type of the attribute value which is shown as below Property Type of property Property Type of property 1 User Name 23 Framed IPX Network 2 User Password 24 State 3 CHA...

Page 330: ...ess of the RADIUS NAS 1 Enable the authentication and accounting function 2 Configure the RADIUS authentication key Command Explanation Global Mode radius server key string no radius server key To con...

Page 331: ...ad time To configure the interval that the RADIUS becomes available after it is down The no form of this command will restore the default configuration radius server retransmit retries no radius serve...

Page 332: ...rver is 10 1 1 3 and the authentication port is defaulted at 1812 accounting port is defaulted at 1813 Configure steps as below Switch config interface vlan 1 Switch Config if vlan1 ip address 10 1 1...

Page 333: ...t 2004 1 2 3 3 Switch config radius server accounting host 2004 1 2 3 3 Switch config radius server key test Switch config aaa enable Switch config aaa accounting enable 43 4 RADIUS Troubleshooting In...

Page 334: ...18 1 320 If the RADIUS authentication problem remains unsolved please use debug aaa and other debugging command and copy the DEBUG message within 3 minutes send the recorded message to the technical...

Page 335: ...for application layer Some protocols such as HTTP FTP TELNET and so on can build on SSL protocols transparently The SSL protocol negotiates for the encryption algorithm the encryption key and the ser...

Page 336: ...ch are not the formal certification keys issued by official authentic but the private certification keys generated by SSL software under Linux which may not be recognized by the web browser With regar...

Page 337: ...cipher suite by SSL used 4 Maintenance and diagnose for the SSL function Command Explanation Admin Mode or Configuration Mode show ip http secure server status Show the configured SSL information debu...

Page 338: ...use show interface command Then make sure SSL function is enabled use ip http secure server command Don t use the default port number if configured port number pay attention to the port number when i...

Page 339: ...multaneously the normal users get incorrect address and will not be able to connect to the network So in order to implement the security RA function configuring on the switch ports to reject vicious R...

Page 340: ...whether globally security RA is enabled 45 3 IPv6 Security RA Typical Examples IPv6 Security RA sketch map Instructions if the illegal user in the graph advertises RA the normal user will receive the...

Page 341: ...y RA Troubleshooting Help The function of IPv6 security RA is quite simple if the function does not meet the expectation after configuring IPv6 security RA Check if the switch is correctly configured...

Page 342: ...are allowed to pass when the authentication is successful MAB user didn t need to input the username and password manually in the process of authentication At present MAB authentication device only s...

Page 343: ...ntication bypass timeout offline detect 0 60 7200 no mac authentication bypass timeout offline detect Set offline detection interval mac authentication bypass timeout quiet period 1 60 no mac authenti...

Page 344: ...s guest vlan as vlan8 it joins in vlan1 vlan8 and vlan10 with untag method and enables MAB function Ethernet 1 3 is an access port connects to the printer and enables MAB function Ethernet 1 4 is a tr...

Page 345: ...counting host 192 168 61 10 Switch config radius server key test Switch config aaa enable Switch config aaa accounting enable Enable the authentication function of each port Switch config interface et...

Page 346: ...6 4 MAB Troubleshooting If there is any problem happens when using MAB function please check whether the problem is caused by the following reasons Make sure global and port MAB function are enabled M...

Page 347: ...the access device and the network are faced with security problem especially from the client in the current access network Traditional Ethernet user can not be identified traced and located exactly ho...

Page 348: ...n confirmation packet hereto PPPoE discovery stage is completed enter session stage PADT PPPoE Active Discovery Terminate packet is an especial packet of PPPoE its Ethernet protocol number 0x8863 is t...

Page 349: ...de 5 kinds of packets in PPPoE discovery stage only type field value of session stage as 0x8864 PPPoE version field 4 bits Specify the current PPPoE protocol version the current version must be set as...

Page 350: ...tag of the host It is similar to tag field of PPPoE data packets and is used to match the sending and reveiving end Because broadcast network may exist many PPPoE data packets synchronously 0x0104 AC...

Page 351: ...4 byte Fig 11 3 Agent Circuit ID value MAC of the access switch is the default remote ID value of PPPoE IA remote ID value can be configured by user flexibly the length is less than 63 bytes 47 1 2 4...

Page 352: ...pe self defined remote id mac hostname string WORD no pppoe intermediate agent type self defined remote id Configure the self defined remote id pppoe intermediate agent delimiter WORD no pppoe interme...

Page 353: ...gent trust Switch config if ethernet1 1 pppoe intermediate agent vendor tag strip Step3 Port ethernet1 2 of vlan1 and port ethernet1 3 of vlan 1234 enable PPPoE IA function of port Switch config if et...

Page 354: ...of Slot ID and Port ID as delimiter of Port ID and Vlan ID as Switch config pppoe intermediate agent type tr 101 circuit id identifier string efgh option spv delimiter delimiter Step6 Configure circu...

Page 355: ...gging in authentication client The after 802 1x authentication adds web based authentication mode the user can download a special Java Applet program by browser or other plug in to replace 802 1x clie...

Page 356: ...Mode webportal binding limit 1 256 no webportal binding limit Configure the max web portal binding number allowed by the port 4 Configure HTTP redirection address of web portal authentication Command...

Page 357: ...on 48 3 Web Portal Authentication Typical Example Pc 2 Ethernet1 3 Ethernet1 2 Ethernet1 3 Pc 1 Ethernet1 2 Ethernet1 4 Ethernet1 5 Switch 2 Internet Ethernet1 1 Ethernet1 4 Ethernet1 6 Portal server...

Page 358: ...255 255 255 0 Switch config webportal enable Switch config webportal nas ip 192 168 40 50 Switch config webportal redirect 192 168 40 99 Switch config interface ethernet 1 3 Switch config if ethernet...

Page 359: ...n implement the filtering of the packets the packets match the specific rules can be allowed or denied ACL can support IP ACL MAC ACL MAC IP ACL IPv6 ACL Ingress direction of VLAN can bind four kinds...

Page 360: ...orted by switch 4 Configure VLAN ACL of IPv6 type Command Explanation Global mode vacl ipv6 access group 500 699 WORD in out traffic statistic vlan WORD no ipv6 access group 500 699 WORD in out vlan W...

Page 361: ...e rule as permit but other times the rule as deny and the policy is applied to Vlan1 Set the policy VACL_B of ACL for finance department At any time they can not access the outside network but can acc...

Page 362: ...nacl vacl_a permit ip any source 192 168 1 0 0 0 0 255 Switch config ip ext nacl vacl_a deny ip any source any destination 4 Apply the configuration to VLAN Switch config firewall enable Switch config...

Page 363: ...function is used to detect ND protocol packet it sets IPv6 address binding obtained by nodes with the stateless address configuration DHCPv6 Snooping function is used to detect DHCPv6 protocol packet...

Page 364: ...dhcp lifetime lifetime type static no savi ipv6 check source binding ip ip address interface if name Configure a static or dynamic binding manually no command deletes the configured binding This comma...

Page 365: ...x check function Command Explanation Global mode ipv6 cps prefix check enable no ipv6 cps prefix check enable Enable the address prefix check for SAVI no command disables the function Configure IPv6 a...

Page 366: ...disable DHCPv6 trust of port Command Explanation Port mode ipv6 dhcp snooping trust no ipv6 dhcp snooping trust Enable DHCPv6 trust port no command disables the trust function port is translated from...

Page 367: ...to use IPv4 and IPv6 source address authentication is implemented Typical network topology application for SAVI function Client_1 Client_2 Ethernet1 13 Ethernet1 12 Switch2 Switch1 Ethernet1 1 Ethern...

Page 368: ...bal SAVI function enabled After that enable the global function of the corresponding SAVI scene according to the actual application scene and enable the port authentication function If client can not...

Page 369: ...ring topology 2 fast convergence less than 1 s ideally it can reach 100 50 ms 51 1 1 Conception Introduction MRPP Sketch Map 1 Control VLAN Control VLAN is a virtual VLAN only used to identify MRPP pr...

Page 370: ...amine packet hello the secondary port is used to receive Hello packet sending from primary node When the Ethernet is in health state the secondary port of primary node blocks other data in logical and...

Page 371: ...sends LINK DOWN FLUSH_FDB packet to inform all of transfer nodes to refresh own MAC address forward list 3 Ring Restore After the primary node occur ring fail if the secondary port receives Hello pac...

Page 372: ...of MRPP 4 Configure the compatible mode 5 Display and debug MRPP relevant information 1 Globally enable MRPP Command Explanation Global Mode mrpp enable no mrpp enable Globally enable and disable MRP...

Page 373: ...Enable the compatible mode for ERRP the no command disables the compatible mode mrpp eaps compatible no mrpp eaps compatible Enable the compatible mode for EAPS the no command disables the compatible...

Page 374: ...en it enables each MRPP ring in the whole MRPP ring and after all of the nodes are configured open the port When disable MRPP ring it needs to insure the MRPP ring doesn t have ring SWITCH A configura...

Page 375: ...pp ring 4000 control vlan 4000 Switch mrpp ring 4000 enable Switch mrpp ring 4000 exit Switch Config interface ethernet 1 1 Switch config If Ethernet1 1 mrpp ring 4000 primary port Switch config If Et...

Page 376: ...stores the ring and then observes the ring is normal or not The convergence time of MRPP ring net is relative to the response mode of up down If use poll mode the convergence time as hundreds of milli...

Page 377: ...SwitchA goes up to SwitchD through SwitchB and SwitchC port A1 and port A2 are the uplink ports SwitchA configures ULPP thereinto port A1 is set as the master port port A2 is set as the slave port Wh...

Page 378: ...hrough the port which is switched to Forwarding state and update MAC address tables and ARP tables of other devices in the network ULPP respectively uses two kinds of flush packets to update the entri...

Page 379: ...ct vlan reference instance instance list Configure the protection VLANs the no operation deletes the protection VLANs flush enable mac flush disable mac Enable or disable sending the flush packets whi...

Page 380: ...port Show flush type and control VLAN received by the port clear ulpp flush counter interface name Clear the statistic information of the flush packets debug ulpp flush send receive interface name no...

Page 381: ...tchB and SwitchC can enable the command that receives the flush packets it is used to associate with ULPP protocol running of SwitchA to switch the uplink immediately and reduce the switch delay When...

Page 382: ...ist Switch Config vlan 10 Switch Config vlan10 switchport interface ethernet 1 1 Switch Config vlan10 exit Switch Config interface ethernet 1 1 Switch config If Ethernet1 1 ulpp flush enable mac Switc...

Page 383: ...rt E1 2 When port E1 1 is recovering the normal state still port E1 2 forwards the data of VLAN 101 200 the data of VLAN 1 100 are switched to port E1 1 to forward SwitchA configuration task list Swit...

Page 384: ...ch config If Ethernet1 1 ulpp flush enable mac Switch config If Ethernet1 1 ulpp flush enable arp SwitchC configuration task list Switch Config interface ethernet 1 2 Switch config If Ethernet1 2 swit...

Page 385: ...port its state changes along with Up Down of ULSM group and is always the same with ULSM group state ULSM associates with ULPP to enable the downstream device to apperceive the link problem of the ups...

Page 386: ...up globally Command explanation Global mode ulsm group group id no ulsm group group id Configure and delete ULSM group globally 2 Configure ULSM group Command explanation Port mode ulsm group group id...

Page 387: ...usually associates with ULPP protocol to use In the topology SwitchA enables ULPP protocol it is used to switch the uplink SwitchB and SwitchC enable ULSM protocol to monitor whether the uplink is do...

Page 388: ...hernet 1 3 Switch config If Ethernet1 3 ulsm group 1 uplink Switch config If Ethernet1 3 exit SwitchC configuration task list Switch Config ulsm group 1 Switch Config interface ethernet 1 2 Switch con...

Page 389: ...irror function means that the switch exactly copies the data frames received by the specified rule of a port to another port The flow mirror will take effect only the specified rule is permit Switch s...

Page 390: ...sent out by interface 9 and received from interface 7 sent and received by CPU and the data frames received by interface 15 and matched by rule 120 The source IP address is 1 2 3 4 and the destinatio...

Page 391: ...dify the TRUNK group If the throughput of mirror destination port is smaller than the total throughput of mirror source port s the destination port will not be able to duplicate all source port traffi...

Page 392: ...port Our data sample includes the IPv4 and IPv6 packets Extensions of other types are not supported so far As for non IPv4 and IPv6 packet the unify HEADER mode will be adopted following the requireme...

Page 393: ...4 Configure the packet head length copied by sFlow Command Explanation Port Mode sflow header len length vlaue no sflow header len Configure the length of the packet data head copied in the sFlow data...

Page 394: ...on the port 1 1 and 1 2 of the switch Assume the sFlow analysis software is installed on the PC with the address of 192 168 1 200 The address of the layer 3 interface on the SwitchA connected with PC...

Page 395: ...ical connection failure wrong configuration etc The user should ensure the following Ensure the physical connection is correct Guarantee the address of the sFlow analyzer configured under global or po...

Page 396: ...removing the complex algorithm of NTP SNTP is used for hosts who do not require full NTP functions it is a subset of NTP It is common practice to synchronize the clocks of several hosts in local area...

Page 397: ...be synchronized the network must be properly configured There should be reachable route between any switch and the two SNTP NTP servers Example Assume the IP addresses of the SNTP NTP servers are 10...

Page 398: ...running NTP its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks also can synchronize each other by transmit NTP packets 57 2 NTP F...

Page 399: ...NTP client The no operation will cancel the configuration and restore the default value 4 To configure time zone Command Explication Global Mode clock timezone WORD add subtract 0 23 0 59 no clock ti...

Page 400: ...erface to receive IPv6 NTP multicast packets 8 To configure some interface can t receive NTP packets Command Explication Interface Configuration Mode ntp disable no ntp disable To disable the NTP func...

Page 401: ...s used as host the other is used as standby the connection and configuration as follows Switch A and Switch B are the switch or route which support NTP server The configuration of Switch C is as follo...

Page 402: ...les by default the show command can be used to display current configuration If the configuration is right please use debug every relative debugging command and display specific information in procedu...

Page 403: ...r time 58 2 Summer Time Configuration Task Sequence 1 Configure absolute or recurrent time range of summer time Command Explanation Global Mode clock summer time word absolute HH MM YYYY MM DD HH MM Y...

Page 404: ...t in the following The summer time from 23 00 on the first Saturday of April to 00 00 on the last Sunday of October year after year clock offset as 2 hours and summer time is named as time_travel Conf...

Page 405: ...en the switch and the remote equipment Options and explanations of the parameters of the Ping6 command please refer to Ping6 command chapter in the command manual 59 3 Traceroute Traceroute command is...

Page 406: ...Traceroute6 repeat this action till certain datagram reaches the destination Traceroute6 Options and explanations of the parameters of the Traceroute6 command please refer to traceroute6 command chap...

Page 407: ...6 Debug All the protocols switch supports have their corresponding debug commands The users can use the information from debug commands for troubleshooting Debug commands for their corresponding prot...

Page 408: ...e oldest log information will be erased and replaced by the new log information information saved in NVRAM will stay permanently while those in SDRAM will lost when the system restarts or encounter an...

Page 409: ...d information from the CLI command is classified informational Information from the debugging of CLI command is classified debugging Log information can be automatically sent to corresponding channels...

Page 410: ...logging ipv4 addr ipv6 addr facility local number Enable the output channel of the log host The no form of this command will disable the output at the output channel of the log host logging loghost se...

Page 411: ...55 255 255 0 Switch Config if Vlan1 exit Switch config logging 100 100 100 5 facility local1 level warnings Example 2 When managing VLAN the IPv6 address of the switch is 3ffe 506 1 and the IPv4 addre...

Page 412: ...period of time usually when updating the switch version The switch can be rebooted after a period of time instead of immediately after its version being updated successfully 60 2 Reload Switch after...

Page 413: ...tocol protocol type packets no cpu rx ratelimit protocol protocol type Set the max rate of the CPU receiving packets of the protocol type the no command set the max rate to default clear cpu rx stat p...

Page 414: ...7 495 797 3311 www qtech ru 18 1 400...

Page 415: ...uthentication line Command authentication line console vty web login local radius tacacs no authentication line console vty web login Function Configure VTY login with Telnet and SSH Web and Console s...

Search results

Summary of Contents for QSW-2800 series

Reviews:

Related manuals for QSW-2800 series

Brands by name

Popular brands

QTech QSW-2800 series, Configuration Manual

Search results

Summary of Contents for QSW-2800 series

Reviews:

Related manuals for QSW-2800 series

Brands by name

Popular brands