manualshive.com logo in svg

QTech QSW-3900, User Manual

The QTech QSW-3900 is a state-of-the-art device that revolutionizes connectivity. Unlock its full potential by accessing the comprehensive user manual, available for free download at manualshive.com. Discover all the features, settings, and troubleshooting solutions at your fingertips with our easy-to-use manual.

Share
Download
background image

QTECH 

Software Configuration Manual 

13-171 

 

Chapter 13  

ACL Configuration 

13.1     ACL Overview 

An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series 

of  match  rules  must  be  configured  on  the  network  device  to  identify  the  packets  to  be  filtered.  After  the  specific 
packets are identified, and based on the predefined policy, the network device can permit/prohibit the corresponding 
packets to pass.   

ACLs classify packets based on a series of  match conditions, which can be the source addresses,  destination 

addresses and port numbers carried in the packets.   

The packet match rules defined by ACLs can be referenced by other functions that need to differentiate traffic 

flows, such as the definition of traffic 

classification rules in QoS

policy-based vlan

selective QinQ

 and others.   

According to the application purpose, ACLs fall into the following four types :     

·

 

Standard ACL :    rules are made based on the Layer 3 source IP addresses only.   

·

 

Extended ACL :    rules are made based on the Layer 3 and Layer 4 information such as the source and 

destination IP addresses of the data packets, the type of protocol over IP, protocol-specific features, and 
so on.   

·

 

Link-based  ACL  :    rules  are  made  based  on  the  Layer  2  information  such  as  the  source  and 

destination MAC address, VLAN priority, Layer 2 protocol, and so on.   

·

 

User-based ACL :    such rules specify a byte in the packet, by its offset from the packet header, as the 

starting point to perform logical AND operations, and compare the extracted string with the user-defined 
string to find the matching packets for processing. 

13.1.1   

 

ACL Match Order 

An ACL may contain a number of rules, which specify different packet ranges. This brings about the issue of 

match order when these rules are used to filter packets.   

An ACL supports the following two types of match orders :     

·

 

Configured order :    ACL rules are matched according to the configured order.   

·

 

Automatic ordering :    ACL rules are matched according to the “depth-first” order.   

13.1.1.1 

IP ACL depth-first order 

With the depth-first rule adopted, the rules of an IP ACL (standard and extended) are matched in the following 

order :   

1) Protocol range of ACL rules. The range of IP protocol is 1 to 255 and those of other protocols over IP are 

the same as the corresponding protocol numbers. The smaller the protocol range, the higher the priority. 

2) Range  of source IP address.  The smaller the source  IP address range (that is, the  longer the  mask), the 

higher the priority. 

3) Range of destination IP address. The smaller the destination IP address range (that is, the longer the mask), 

the higher the priority. 

4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the 

priority. 

If  rule  A  and  rule  B  are  the  same  in  all  the  four  ACEs  (access  control  elements)  above,  and  also  in  their 

Summary of Contents for QSW-3900

Page 1: ...QTECH Software Configuration Manual I QSW 3900 Ethernet Switch User s Manual ...

Page 2: ... 1 Enable disable SSH function of the device 1 22 1 7 2 SSH key configuration 1 22 1 7 3 Others 1 23 Chapter 2 Switch Manage and Maintenance 2 24 2 1 System IP configuration 2 24 2 2 Configure manage IP interface 2 24 2 3 Configuration ip address by manual operation 2 24 2 4 Configuration Files Management 2 24 2 4 1 Edit configuration files 2 24 2 4 2 Modify and save current configuration 2 24 2 4...

Page 3: ...roduction to Bridging 3 41 3 2 Major Functionalities of Bridges 3 41 3 2 1 Maintaining the bridge table 3 41 3 2 2 Forwarding and filtering 3 43 3 3 Brief introduction of MAC address table management 3 45 3 4 MAC address table management list 3 45 3 5 Configure system MAC address aging time 3 45 3 6 Configure MAC address item 3 46 3 6 1 Add MAC address 3 46 3 6 2 Add blackhole MAC address 3 46 3 6...

Page 4: ... 4 8 5 Configure the reopen time of the port shutdown by port car 4 59 4 8 6 Configure the port car rate 4 60 4 8 7 Display port car information 4 60 4 9 Port Alarm Configuration 4 60 4 9 1 Brief introduction of port alarm configuration 4 60 4 9 2 Port alarm configuration list 4 60 4 9 3 Enable disable port alarm globally 4 60 4 9 4 Enable disable port alarm on the port 4 61 4 9 5 Configure the ex...

Page 5: ...terface dynamic QinQ 5 77 5 6 4 Enable disable vlan swap 5 77 5 6 5 Configure global vlan swap 5 78 5 6 6 Configure rewrite outer vlan 5 78 5 6 7 Display dynamic QinQ 5 78 5 6 8 Display vlan swap 5 79 5 6 9 Display rewrite outer vlan 5 79 Chapter 6 Layer 3 Configuration 6 80 6 1 Brief Introduction of Layer 3 switching 6 80 6 2 Layer 3 Cnfiguration list 6 80 6 2 1 VLAN division and the creation of ...

Page 6: ... and Standards 8 111 8 2 OSPF Configuration list 8 111 8 2 1 Enable disable OSPF 8 112 8 2 2 Configure router ID 8 112 8 2 3 Specify interface and area id 8 112 8 2 4 Configure area authentication type 8 112 8 2 5 Configure interface type 8 113 8 2 6 Configure interface cost 8 113 8 2 7 Configure priority when selecting DR 8 114 8 2 8 Configure Hello time interval 8 114 8 2 9 Configure interface i...

Page 7: ...icast interface aging time configuration 10 137 10 5 2 IGMP Snooping max response time configuration 10 138 10 5 3 IGMP Snooping interface fast leave configuration 10 138 10 5 4 Configure the number of the multicast group allowed learning 10 138 10 5 5 IGMP Snooping permit deny group configuration 10 138 10 5 6 IGMP Snooping route port forward configuration 10 138 10 5 7 Enable disable IGMP Snoopi...

Page 8: ...ess pool network interface 11 152 11 4 4 Disable enable specified IP address in IP address pool 11 152 11 4 5 Configure lease time 11 153 11 4 6 Configure DNS 11 153 11 4 7 Configure WINS 11 153 11 4 8 Display IP address pool configuration 11 153 11 4 9 Configure ip bind 11 154 11 4 10 Display ip bind 11 154 11 4 11 Add dhcp client 11 154 11 4 12 Show dhcp client 11 154 11 5 Introduction to DHCP R...

Page 9: ...g 12 168 12 5 13 Configure unknown ARP packet handling strategy 12 168 12 5 14 Enable disable ARP anti spoofing valid check 12 169 12 5 15 Enable disable ARP anti spoofing deny disguiser 12 169 12 5 16 Display ARP anti spoofing 12 169 12 5 17 Configure trust port of ARP anti attack 12 170 Chapter 13 ACL Configuration 13 171 13 1 ACL Overview 13 171 13 1 1 ACL Match Order 13 171 13 1 2 Ways to Appl...

Page 10: ...15 198 15 2 6 Configure Hello Time 15 198 15 2 7 Configure Max Age 15 198 15 2 8 Configure path cost of specified interfaces 15 199 15 2 9 Configure STP priority od specified port 15 199 15 2 10 Configure spanning tree root guard 15 199 15 2 11 Configure interface to force to send rstp packet 15 200 15 2 12 Configure link type of specified interface 15 200 15 2 13 Configure the current port as an ...

Page 11: ... interval configuration 17 215 17 2 7 SNTP client retransmit configuration 17 216 17 2 8 SNTP client valid server configuration 17 216 17 2 9 SNTP client MD5 authentication configuration 17 216 Chapter 18 Syslog Configiration 18 217 18 1 Brief introduction of Syslog 18 217 18 2 Syslog Configiration 18 217 18 2 1 Enable disable Syslog 18 218 18 2 2 Syslog sequence number configuration 18 218 18 2 3...

Page 12: ...20 6 2 ERRP configuration 20 233 20 6 3 Configure ERRP timer 20 234 20 6 4 Enter ERRP configuration mode 20 234 20 6 5 Configure control vlan of ERRP domain 20 234 20 6 6 Create ERRP ring 20 235 20 6 7 Enable disable ERRP ring 20 235 20 6 8 Display ERRP domain and ring information 20 235 Chapter 21 PPPoE Plus Configuration 21 236 21 1 Brief Introduction of PPPoE Plus 21 236 21 2 PPPoE Plus Configu...

Page 13: ... VLAN sending cfm cc enable level 22 242 22 4 8 cfm ping 22 242 22 4 9 cfm traceroute 22 243 22 4 10 Display cfm domain 22 243 22 4 11 Display cfm maintenance points local 22 243 22 4 12 Display cfm maintenance points remote 22 244 22 4 13 Display cfm cc database 22 244 22 4 14 Display cfm errors 22 244 ...

Page 14: ...FTP TFTP Xmodem to download and upload files 7 Keywords partial matching searching is adopted by command line convertor for user to input non conflicting key words such as interface command can only input interf 1 1 1 Command Line Configuration Mode System command line adopts classification protection to prevent illegal accessing of unauthorized user Each command mode is for different configuratio...

Page 15: ...quit disconnect with switch RADIUS configuration mode Configure RADIUS server parameter QTECH config radius d efault Input radius host default in global configuration mode Domain configuration mode Configure domain parameter QTECH config aaa test com Input domain test com in AAA configuration mode end return to privileged mode exit return to AAA configuration mode quit disconnect with switch VLAN ...

Page 16: ...yword is needed The parameter of the command is specified which is the number or character string or IP address in a certain range Input when you are uncomprehending and input the correct keyword according to the prompt Keyword is what is to be operated in command If more than one parameter are needed please input keywords and each parameter in turn according to the prompt until enter is showed in...

Page 17: ...and line end prompt QTECH config spanning tree enter The command end 1 1 4 History command Command line interface will save history command inputted by user automatically so that user can invoke history command saved by command line interface and re execute it At most 100 history commands can be saved by command line interface for each user Input Ctrl P to access last command and Ctrl N for next c...

Page 18: ...ompt of interface list is STRING 3 4 Interface parameter interface num is in the form of interface type interface number Interface type is Ethernet and interface number is slot num port num in which slot num is in the range of 0 to 2 and port num is in the range of 1 to 24 Seriate interfaces with the same type can be linked by to keyword but the port number to the right of the to keyword must be l...

Page 19: ... means encryption It is not supported now password Log in password for new user and modified password of the existed user ranges from 1 to 16 characters or numbers If the privilege doesn t configure the default privilege is ordinary user At most 8 users are supported Caution User name supports case insensitivity while password doesn t support case sensitivity Add a new administrator red configure ...

Page 20: ...strator qtech to be 1 and password to be 1234 QTECH config username qtech privilege 1 password 0 1234 1 3 5 Remove user name System administrator admin can use following command to remove user name in global configuration mode no username username Username is the user name to be deleted For example Remove user qtech QTECH config no username qtech 1 3 6 View system user information View user list a...

Page 21: ...to restore it to default value and click setting and then choose auto detect in the pulldown list of terminal simulation and click ok After the successful connection and seeing logging in interface of operation system in terminal configure switch by command line interface The steps are as following Step 1 Connect switch Console with computer serial port Step 2 After the switch power on and system ...

Page 22: ...efore successfully logging in or wrong inputting of user name and password for 5 times If there is such prompt as Sorry session limit reached please connect later At most 5 telnet users are allowed to log in at the same time Step 4 Use related command to configure switch system parameter or view switch operation If you want to enter privileged mode user must possess the privilege of administrator ...

Page 23: ... load the key stored in Flash storage by command line when system booting If configured key is not ESA key or public and private key are not matched user cannot log in by SSH Keyfile contains explanation and key explain line and the key Explain line must contain or space Key contains the key coded by Base64 excluding and space Private keyfile cannot contain public key Private keyfile cannot use pa...

Page 24: ... display SSH version number enabling disabling SSH and SSH keyfile The SSH keyfile is available when the key is configured and loaded Use following command to display configured keyfile show keyfile public private Use following command to display logged in SSH client show users This command is used to display all logged in Telnet and SSH client Use following command to force logged in SSH client t...

Page 25: ...y FTP and TFTP protocol Use text edit tool such as windows nootbook to edit uploaded configuration files System is defaulted to execute configuration files in global configuration mode so there are two initial commands enable and configure terminal There is entering symbol after each command 2 4 2 Modify and save current configuration User can modify and save system current configuration by comman...

Page 26: ...oose one or same of the modules the specified information will be displayed This command can be used in any configuration mode For example Display all saved configuration QTECH show running config Display saved configuration of GARP and OAM module QTECH show running config garp oam 2 4 6 Display current configuration User can display syatem current configuration information in the form of text by ...

Page 27: ...pen TFTP server and set file upload path before use this command Suppose IP address of TFTP server is 192 168 0 100 file name is abc Open TFTP server to configure upload and download path in privileged mode For example Upload configuration to 192 168 0 100 by FTP and saved as abc QTECH upload configuration ftp 192 168 0 100 abc username password Configuration information saved when uploading is su...

Page 28: ...8 0 100 by FTP and saved as abc QTECH upload logging ftp 192 168 0 100 abc user 1234 Download whole bootrom abc to 192 168 0 100 by FTP QTECH load whole bootrom ftp 192 168 0 100 abc user 1234 2 5 3 Download files by Xmodem Use load application xmodem command to load application program by Xmodem protocol load application xmodem Input following command in privileged mode QTECH load application xmo...

Page 29: ...ion show username Display administrator can be logged in show users Display administrators logged in show system Display system information show memory Display memory show clock Display system clock show cpu Display cpu information For example Display system version QTECH config sh ver software platform Broadband NetWork Platform Software software version QTECH QSW 3900 V100R001B01D003P001SP9 copy...

Page 30: ...ample Configure system clock to be 2001 01 01 0 0 0 QTECH clock set 0 0 0 2001 01 01 2 7 2 Network connecting test command Use ping command in privileged mode or user mode to check the network connection ping c count s packetsize t timeout host Parameter c count The number of packet sending s packetsize The length of packet sending with the unit of second t timeout the time of waiting for replying...

Page 31: ...age switch Different IP address and mask mean different information The mask in reverse which is 0 0 0 0 means host address or it means network interface 255 255 255 255 means all hosts When enabling a configuration an item of 0 0 0 0 must be deleted When receiving a packet judge the IP address whether it is in the range of managed IP address If it does not belong to it drop the packet and shutdow...

Page 32: ...e of 1 to 255 and defaulted to be 1 h maximum_hops the max ttl of sending packet which is in the range of 1 to 255 and defaulted to be 30 w time_out the overtime of waiting for the response which is in the range of 10 to 60 with the unit of second and default to be 10 seconds target_name destination host or router address Example Tracert 192 168 1 2 QTECH tracert 192 168 1 2 Tracing route to 192 1...

Page 33: ...ty of SNMP protocol Simple Network Management Protocol SNMP offers a framework to monitor network devices through TCP IP protocol suite It provides a set of basic operations in monitoring and maintaining the Internet and has the following characteristics Automatic network management SNMP enables network administrators to search information modify information find and diagnose network problems plan...

Page 34: ...in a more efficient way 2 11 MIB Overview Management Information Base MIB is a collection of all the objects managed by NMS It defines the set of characteristics associated with the managed objects such as the object identifier OID access right and data type of the objects MIB stores data using a tree structure The node of the tree is the managed object and can be uniquely identified by a path sta...

Page 35: ...nity community name community name is existed community name For example Add community qtech and configure privilege to be rw and permit QTECH config snmp server community qtech rw permit Remove community qtech QTECH config no snmp server community qtech Display community name in any mode show snmp community For example Display SNMP community information QTECH config show snmp community 2 12 2 Con...

Page 36: ...nfig snmp server host 192 168 0 100 version 2c user Delete the item with the notify destination host being 192 168 0 100 and community name being user QTECH config no snmp server host 192 168 0 100 user Display snmp server notify item in any configuration mode show snmp host Display Trap information of snmp QTECH config show snmp host 2 12 4 Configure sysLocation sysLocation is a managing variable...

Page 37: ...cal engine id or recognizable remote engine id Default local engine id is 275140000000000000000000 which cannot be deleted but modified It is defaulted to have no recognizable remote engine id which can be added and deleted Once delete a recognizable remote engine the corresponded user can also be deleted At most 32 engines can be configured Use no snmp server engineID command to restore default l...

Page 38: ...not influence accessing attribution of trap OID that notify belonged to If notify does not contain binded variable sending notify is not effected on view For example Add view view1 and configure it to have a subtree 1 3 6 1 QTECH config snmp server view view1 1 3 6 1 include Add a subtree 1 3 6 2 for existed view view1 QTECH config snmp server view view1 1 3 6 2 include Remove existed view view1 Q...

Page 39: ...cant it is default to be 162 Authpassword is authentication password Unencrypted password ranges from 1 to 32 characters To avoid disclosing this password should be encrypted To configured encrypted password needs client side which supports encryption to encrypt password and use encrypted cryptograph to do the configuration Cryptograph is different by different encryption Input cryptograph in the ...

Page 40: ...st For example Disable dlf forward for unicast QTECH config no dlf forward unicast Disable dlf forward for multicast QTECH config no dlf forward multicast 2 14 CPU Alarm Configuration 2 14 1 Brief introduction of CPU alarm System can monitor CPU usage If CPU usage rate is beyond cpu busy threshold cpu busy alarm is sent because the cpu is busy In this status if cpu is below cpu unbusy threshold cp...

Page 41: ...arm information Use show alarm cpu command in any mode to display cpu alarm information show alarm cpu For example Display CPU alarm information QTECH config show alarm cpu CPU status alarm enable CPU busy threshold 90 CPU unbusy threshold 60 CPU status unbusy 2 15 Anti DOS Attack 2 15 1 IP segment anti attack The IP segment packet number which can be received by system do not occupy resources of ...

Page 42: ...und interfaces Presently the devices support the following transparent bridging features Bridging over Ethernet Bridging over point to point PPP and high level data link control HDLC links Bridging over X 25 links Bridging over frame relay FR links Inter VLAN transparent bridging Routing and bridging are simultaneously supported 3 2 Major Functionalities of Bridges 3 2 1 Maintaining the bridge tab...

Page 43: ...dress of Host A and bridge interface 1 in its bridge table as shown in Figure 2 Figure 2 The bridge determines that Host A is attached to interface 1 When Host B responds to Host B the bridge also hears the Ethernet frame from Host B As the frame is received on bridge interface 1 the bridge determines that Host B is also attached to bridge interface 1 and creates a mapping between the MAC address ...

Page 44: ...n use as shown in Figure 4 Figure 4 The final bridge table 3 2 2 Forwarding and filtering The bridge makes data forwarding or filtering decisions based on the following scenarios When Host A sends an Ethernet frame to Host C the bridge searches its bridge table and finds out that Host C is attached to bridge interface 2 and forwards the Ethernet frame out of bridge interface 2 as shown in II Figur...

Page 45: ...idge filters the Ethernet frame instead of forwarding it as shown in II Figure 6 Figure 6 Filtering When Host A sends an Ethernet frame to Host C if the bridge does not find a MAC to interface mapping about Host C in its bridge table the bridge forwards the Ethernet frame to all interfaces except the interface on which the frame was received as shown in Figure 7 ...

Page 46: ... possesses MAC address learning If the source MAC address of the received packet does not existed in MAC address table system will add source MAC address VLAN ID and port number of receiving this packet as a new item to MAC address table MAC address table can be manual configured Administrator can configure MAC address table according to the real situation of the network Added or modified item can...

Page 47: ...e can be added manually besides dynamically learning mac address table dynamic permanent static mac interface interface num vlan vlan id Parameter mac vlan id and interface num corresponded to the three attributions of the new MAC address table item MAC address attribution can be configured to be dynamic permanent and static Dynamic MAC address can be aging permanent MAC address will not be aging ...

Page 48: ...n vlan id show mac address table blackhole dynamic permanent static vlan vlan id show mac address table blackhole dynamic permanent static interface interface num vlan vlan id show mac address table vlan vlan id The parameter meaning is the same as that of add delete MAC address table item 3 6 5 Enable disable MAC address learning This command is a batch command in global configuration mode to con...

Page 49: ...r can configure MAC learning mode in global configuration mode It will be effective after rebooting mac address table learning mode svl ivl show mac address table learning mode For example Modify MAC address to be IVL QTECH config mac address table learning mode ivl Display MAC address learning mode QTECH config show mac address table learning mode ...

Page 50: ...ed rate Configure interface privilege Configure interface limited speed Configure type of receiving frame Configure interface type Configure default VLAN ID of trunk port Add access port to specified VLAN Display interface information 4 2 2 Enter interface configuration mode Enter interface configuration mode before configuration Configure as following in global configuration mode Enter interface ...

Page 51: ... example Configure the speed of Ethernet 0 0 1 to 100Mbps and duplex mode to be full duplex QTECH config if ethernet 0 0 1 speed 100 QTECH config if ethernet 0 0 1 duplex full In system which ofthe speed or duplex setup to auto and the another will be setup to auto too 4 2 5 Interface Priority Configuration There are 8 priorities from 0 to 7 and the default interface priority is 0 The larger the p...

Page 52: ...sabled Use this command in interface configuration mode ingress filtering no ingress filtering Example Enable VLAN ingress filtration of e0 0 5 QTECH config if ethernet 0 0 5 ingress filtering Disable VLAN ingress filtration of e0 0 5 QTECH config if ethernet 0 0 5 no ingress filtering 4 2 9 Interface ingress acceptable frame configuration Configure ingress acceptable frame mode to be all types or...

Page 53: ...ecified VLAN Use no switchport trunk allowed vlan command to remove trunk port from specified vlan Add trunk port to specified vlan switchport trunk allowed vlan vlan list all Remove trunk port from specified vlan no switchport trunk allowed vlan vlan list all For example Add trunk ports Ethernet0 0 1 to VLAN 3 4 70 to 150 QTECH config if ethernet 0 0 1 switchport trunk allowed vlan 3 4 70 150 4 2...

Page 54: ...ation mode to display information of specified interface or all interfaces Byte receiving Unicast packet receiving Non unicast packet receiving Unicast packet sending Non unicast packet sending Use clear interface interface num slot num command in global configuration mode to clear information of specified interface or all interfaces in specified slot or all interfaces Use clear interface command ...

Page 55: ...rface list cpu For example Configure Ethernet 0 0 1 to Ethernet 0 0 12 to be mirror source interfaces QTECH config mirror source interface ethernet 0 0 1 to ethernet 0 0 12 both Remove Ethernet 0 0 10 to Ethernet 0 0 12 from mirror source interfaces QTECH config no mirror source interface ethernet 0 0 10 to ethernet 0 0 12 4 3 2 3 Display interface mirror Use show mirror command to display system ...

Page 56: ...n STP cost STP interface priority VLAN features interface mode PVID VLAN belonged to tag vlan list of access interface allowed vlan list of trunk interface and layer 2 multicast group belonged to If modifying the feature of one interface in the channel group other interfaces will be modified automatically in the same place The feature refers to point 2 After convergence static hardware item ARL MA...

Page 57: ...nfiguration for all member ports When the configuration of some port in a manual aggregation group changes the system does not remove the aggregation instead it re sets the selected unselected state of the member ports and re selects a master port 4 4 3 Static LACP link aggregation 4 4 3 1 Overview Static aggregations are created manually After you add a port to a static aggregation LACP is enable...

Page 58: ...ation groups work in non load sharing mode 4 6 Aggregation Port Group As mentioned earlier in a manual or static aggregation group a port can be selected only when its configuration is the same as that of the master port in terms of duplex speed pair link state and other basic configurations Their configuration consistency requires administrative maintenance which is troublesome after you change s...

Page 59: ...nterface For example Configure lacp port priority of Ethernet 0 0 2 to be 12345 QTECH config if ethernet 0 0 2 lacp port priority 12345 Delete interface LACP priority no lacp port priority Use this command to restore interface default LACP priority to be 128 Display system LACP ID show lacp sys id System id is in the form of 16 characters of system priority and 32 characters of system MAC address ...

Page 60: ...cting CPU packet in 2 seconds no trap of interface being abnormal is sent 4 8 2 Port CAR configuration command list Port CAR configuration command includes Enable disable interface CAR globally Enable disable interface CAR on a port Configure interface CAR re enable time Configure interface CAR Display interface CAR status 4 8 3 Enable disable interface globally Configure it in global configuratio...

Page 61: ...nfiguration 4 9 1 Brief introduction of port alarm configuration System can monitor port packet receiving rate If the rate of receiving packet is beyond the interface flow exceed threshold send alarm of large interface flow and the interface is in the status of large interface flow In this status if the rate of receiving packet is lower than the interface flow normal threshold send alarm of normal...

Page 62: ...gure alarm all packets exceed threshold to be 500 and normal threshold to be 300 QTECH config alarm all packets threshold exceed 500 normal 300 4 9 6 Display port alarm Input following command in any configuration mode to display global interface alarm show alarm all packets For example Display global alarm all packets information QTECH config show alarm all packets interface ethernet 0 0 1 Input ...

Page 63: ...n control open time Display shutdown control 4 11 1 Configuration mode and time Configure it in global configuration mode shutdown control recover automatic open time seconds mode automatic manual seconds mean time for unshutdown interface Use automatic or manual mode for control port shutdown 4 11 2 Configuration interface shutdown control Configure it in interface configuration mode Enable shutd...

Page 64: ...efault all ports are port isolation uplink ports For example Add Ethernet 0 0 1 Ethernet 0 0 3 Ethernet 0 0 4 Ethernet 0 0 5 Ethernet 0 0 8 to be downlink isolation port QTECH config port isolation ethernet 0 0 1 ethernet 0 0 3 to ethernet 0 0 5 ethernet 0 0 8 Remove ethernet 0 0 3 Ethernet 0 0 4 Ethernet 0 0 5 ethernet 0 0 8 from downlink isolation port QTECH config no port isolation ethernet 0 0...

Page 65: ...s from different VLANs cannot communicate directly In this way broadcast packets are confined to a single VLAN as illustrated in the following figure VLAN diagram A VLAN is not restricted by physical factors that is to say hosts that reside in different network segments may belong to the same VLAN users in a VLAN can be connected to the same switch or span across multiple switches or routers VLAN ...

Page 66: ...lue of 0x8100 indicates that a packet carries a VLAN tag with it The Priority field three bits in length indicates the priority of a packet For information about packet priority refer to QoS Configuration in QoS Volume The CFI field one bit in length specifies whether or not the MAC addresses are encapsulated in standard format when packets are transmitted across different medium This field is not...

Page 67: ... VLAN interface All ports of sub VLANs use the VLAN interface s IP address of the super VLAN Packets cannot be forwarded between sub VLANs at Layer 2 If Layer 3 communication is needed from a sub VLAN it will use the IP address of the super VLAN as the gateway IP address Thus multiple sub VLANs share the same gateway address and thereby save IP address resource The local Address Resolution Protoco...

Page 68: ...lan vlan list Delete created VLAN or specified VLAN except VLAN 1 no vlan vlan list all VLAN ID allowed to configure by system is in the range of 1 to 4094 vlan list can be in the form of discrete number a sequence number or the combination of discrete and sequence number discrete number of which is separate by comma and sequence number of which is separate by subtraction sign such as 2 5 8 10 20 ...

Page 69: ...example Add Ethernet 1 3 4 5 8 to current VLAN QTECH config if vlan switchport ethernet 0 0 1 ethernet 0 0 3 to ethernet 0 0 5 ethernet 0 0 8 Remove Ethernet 3 4 5 8 from current VLAN QTECH config if vlan no switchport ethernet 0 0 3 to ethernet 0 0 5 ethernet 0 0 8 Command switchport access vlan and its no command can also add and delete port to or from VLAN Please refer to interface configuratio...

Page 70: ... interface 1 to send IEEE 802 1Q packet with tag VLAN 5 VLAN 7 10 QTECH config if ethernet 0 0 1 tag vlan 5 7 10 5 2 7 Display VLAN information VLAN information is VLAN description string vlan id VLAN status and interface members in it tagged interfaces untagged interfaces and dynamic tagged interfaces Interface members consist of tagged and untagged members show vlan vlan id If the VLAN with spec...

Page 71: ...bership information via Management mechanisms which allow configuration of Static VLAN Registration Entries 3 Combined static and dynamic configuration in which some VLANs are configured via Management mechanisms and for other VLANs MVRP is relied on to establish the configuration 5 3 3 GARP messages and timers 1 GARP messages GARP participants exchange attributes primarily by sending the followin...

Page 72: ...with other participants by making or withdrawing declarations of attributes and at the same time based on received declarations or withdrawals handles attributes of other participants GARP application entities send protocol data units PDU with a particular multicast MAC address as destination Based on this address a device can identify to which GVRP application GVRP for example should a GARP PDU b...

Page 73: ...ribute Value is omitted End Mark Indicates the end of PDU 5 4 GVRP Configuration list In all configurations enable global GVRP first before enable GVRP on a port GVRP must be enabled in the two ends of trunk link which follows IEEE 802 1Q standard GVRP Configuration list is as following Enable disable global GVRP Enable disable GVRP on a port Display GVRP Add delete vlan that can be dynamic learnt...

Page 74: ... keyword unspecified the command displays GVRP information for all the Ethernet ports If specified the command displays GVRP information on specified Ethernet port For example Display GVRP information on interface Ethernet 0 0 1 QTECH config show gvrp interface ethernet 0 0 1 5 4 4 Add delete vlan that can be dynamic learnt by GVRP Use garp permit vlan command to add configured static vlan to GVRP...

Page 75: ... applications however a large number of VLAN are required to isolate users especially in metropolitan area networks MANs and 4 094 VLANs are far from satisfying such requirements The port QinQ feature provided by the device enables the encapsulation of double VLAN tags within an Ethernet frame with the inner VLAN tag being the customer network VLAN tag while the outer one being the VLAN tag assign...

Page 76: ...ustable TPID Value of QinQ Frames A VLAN tag uses the tag protocol identifier TPID field to identify the protocol type of the tag The value of this field as defined in IEEE 802 1Q is 0x8100 Figure 2 shows the 802 1Q defined tag structure of an Ethernet frame Figure 2 VLAN Tag structure of an Ethernet frame On devices of different vendors the TPID of the outer VLAN tag of QinQ frames may have diffe...

Page 77: ...n protocol number and the ignorance attribution of the tag head of ingress port Only when vlan protocol number of ingress packet is not the same as the port configuration value and not the default value 8100 a new tag head will be added If egress is TAG TPID of TAG head is configured TPID Use dtag command to enable disable QinQ globally in global configuration mode dtag flexible qinq outer tpid tp...

Page 78: ...ECH config no dtag insert 1 2 3 3 Configure a series vlan to be transparent transmitted in dynamic QinQ in the form of start vlan All vlan tag packets can be transmitted from start vlan without adding new tag head because the priority of transparent transmission id superior than adding tag head transparent transmission will not be influenced by svlan inset command Command mode is global configurat...

Page 79: ...l packets from this port without inner vlan ID being specified range and with outer vlan ID being specified one this condition can be optioned the outer vlan ID will be modified to be new Command mode is interface configuration mode rewrite outer vlan start inner vid end inner vid outer vlan outer vid new outer vlan new outer vid no rewrite outer vlan start inner vid end inner vid outer vlan outer...

Page 80: ...play vlan swap Display vlan swap status Command mode is global configuration mode show vlan swap Example Display vlan swap status QTECH config show vlan swap 5 6 9 Display rewrite outer vlan 1 Display rewrite outer vlan Command mode is global configuration mode show rewrite outer vlan Example Display rewrite outer vlan QTECH config show rewrite outer vlan ...

Page 81: ... Layer 3 Cnfiguration list Configuration list is as following VLAN division and the creation of layer 3 interface Transmission mode configuration Create VLAN interface for normal VLAN Create superVLAN interface and add VLAN to superVLAN Configure IP address for VLAN interface or superVLAN interface ARP proxy configuration Display interface configuration 6 2 1 VLAN division and the creation of laye...

Page 82: ...N interface the IP address of which cannot be in the same network interface The IP address firstly configured will be the primary IP address After deleting primary IP address there will be another to be the primary IP address automatically and it can also configure an IP address to be the primary one manually For example if IP address of VLAN interface 1 is 10 11 0 0 1 16 other interfaces cannot c...

Page 83: ...roduction of static routing A static route is a special route that is manually configured by the network administrator If a network s topology is simple you only need configure static routes for the network to work normally The proper configuration and usage of static routes can improve a network s performance and ensure bandwidth for important network applications The disadvantage of using a stat...

Page 84: ...he route manually designated to some address 6 4 Static routing configuration list Add delete static route Display route table information 6 4 1 Add delete static route Use this command to ad a route table item to designate the next hop transmission address when communication with some address Destination address netmask and next hop address must be designated If the destination address and mask a...

Page 85: ...put interface the interface transferring packet Metric value the cost to the destination which is an intergeral number from 0 to 16 Timer the time is from the last time the router is modified Every time when the router is modified the timer is configured to be 0 The process of RIP enabling and running is as following 1 Enabling RIP router will send requery packet in the form of broadcast to neighb...

Page 86: ... how RIP works After RIP is enabled the router sends Request messages to neighboring routers Neighboring routers return Response messages including all information about their routing tables The router updates its local routing table and broadcasts the triggered update messages to its neighbors All routers on the network do the same to keep the latest routing information RIP ages out timed out rou...

Page 87: ... networks such as Class A B and C That is why RIPv1 does not support discontiguous subnet RIPv2 is a Classless Routing Protocol Compared with RIPv1 RIPv2 has the following advantages Supporting route tags The route tag is used in routing policies to flexibly control routes Supporting masks route summarization and classless inter domain routing CIDR Supporting designated next hop to select the best...

Page 88: ...v2 sets the AFI field of the first route entry to 0xFFFF to identify authentication information RIPv2 Authentication Message Authentication Type 2 represents plain text authentication while 3 represents MD5 Authentication Authentication data including password information when plain text authentication is adopted or including key ID MD5 authentication data length and sequence number when MD5 authe...

Page 89: ... no Update Acknowledge after sending an update response a router sends the update response again after a specified interval If still receiving no Update Acknowledge after the upper limit for sending update responses is reached the router considers the neighbor unreachable 7 2 5 Protocols and Standards RFC 1058 Routing Information Protocol RFC 1723 RIP Version 2 Carrying Additional Information RFC ...

Page 90: ...IP no ip rip work After disabling interface running RIP this interface will not send or receive RIP upgrade packet but other interface still can send and receive route of tjis interface Permit interface to receive RIP packet ip rip input Forbid interface to receive RIP packet no ip rip input Permit interface to send RIP packet ip rip output Forbid interface to send RIP packet no ip rip output 7 3 ...

Page 91: ... route convergence RIP 2 supports network mask When sending all routes out in the form of broadcasting disable route convergence of RIP 2 Configure it in RIP protocol configuration mode Enable RIP 2 route convergence auto summary Disable RIP 2 route convergence no auto summary By default RIP 2 uses route convergence 7 3 7 Configure authentication to RIP packet RIP 1 doesn t support packet authenti...

Page 92: ... filtrate the route information which is not matched If all item is in deny mode any route will not pass the filtration It can define an item of permit 0 0 0 0 0 to permit all route information to pass after many deny mode items Above situation can be changed by ip prefix list default command Details refer to command line configuration manual ssss Configure it in global configuration mode Create p...

Page 93: ...IP to receive specified route distribute list gate way in Cancel filtration no distribute list 7 3 13 Display RIP configuration There are 3 commands to display RIP information Display RIP statistics information show ip rip Display RIP interface configuration such as version authentication show ip rip interface Display RIP route table show ip route rip ...

Page 94: ...ponds the information introduced by external routing protocol the cost of which is far beyond that of OSPF itself So when calculating only external cost is considered According to libk state database each router establishes a shortest path tree with the root of itself which can give out the routing to each node in autonomy system External routing information appears in leaf node and it can broadca...

Page 95: ...ect the highest IP address among them If no loopback interface is configured select the highest IP address among addresses of active interfaces on the router 8 1 1 4 OSPF packets OSPF uses five types of packets Hello packet Periodically sent to find and maintain neighbors containing the values of some timers information about the DR BDR and known neighbors DD packet database description packet Des...

Page 96: ... Neighbor and Adjacency are two different concepts Neighbor Two routers that have interfaces to a common network Neighbor relationships are maintained by and usually dynamically discovered by OSPF s hello packets When a router starts it sends a hello packet via the OSPF interface and the router that receives the hello packet checks parameters carried in the packet If parameters of the two routers ...

Page 97: ...er Router ABR An area border router belongs to more than two areas one of which must be the backbone area It connects the backbone area to a non backbone area The connection between an area border router and the backbone area can be physical or logical 3 Backbone Router At least one interface of a backbone router must be attached to the backbone area Therefore all ABRs and internal routers in area...

Page 98: ... backbone area itself must maintain connectivity In practice due to physical limitations the requirements may not be satisfied In this case configuring OSPF virtual links is a solution A virtual link is established between two area border routers via a non backbone area and is configured on both ABRs to take effect The area that provides the non backbone area internal route for the virtual link is...

Page 99: ...rea In general a stub area resides on the border of the AS The ABR in a stub area generates a default route into the area Note the following when configuring a totally stub area The backbone area cannot be a totally stub area The stub command must be configured on routers in a totally stub area A totally stub area cannot have an ASBR because AS external routes cannot be distributed into the stub a...

Page 100: ...ute summarization 1 ABR route summarization To distribute routing information to other areas an ABR generates Type 3 LSAs on a per network segment basis for an attached non backbone area If contiguous network segments are available in the area you can summarize them with a single network segment The ABR in the area distributes only the summary LSA to reduce the scale of LSDBs on routers in other a...

Page 101: ...When the link layer protocol is Frame Relay ATM or X 25 OSPF considers the network type as NBMA by default Packets on these networks are sent to unicast addresses P2MP point to multipoint By default OSPF considers no link layer protocol as P2MP which is a conversion from other network types such as NBMA in general On P2MP networks packets are sent to multicast addresses 224 0 0 5 P2P point to poin...

Page 102: ...DR which requires a relatively long period but has no influence on routing calculation Other routers also known as DRothers establish no adjacency and exchange no routing information with each other thus reducing the number of adjacencies on broadcast and NBMA networks In the following figure real lines are Ethernet physical links and dashed lines represent adjacencies With the DR and BDR in the n...

Page 103: ...LSR LSU and LSAck respectively Packet length Total length of the OSPF packet in bytes including the header Router ID ID of the advertising router Area ID ID of the area where the advertising router resides Checksum Checksum of the message Autype Authentication type from 0 to 2 corresponding with non authentication simple plaintext authentication and MD5 authentication respectively Authentication I...

Page 104: ...Time before declaring a silent router down If two routers have different time values they cannot become neighbors Designated Router IP address of the DR interface Backup Designated Router IP address of the BDR interface Neighbor Router ID of the neighbor router 8 1 5 3 DD packet Two routers exchange database description DD packets describing their LSDBs for database synchronization contents in DD ...

Page 105: ...er is the master during the database exchange process Otherwise the router is the slave DD Sequence Number Used to sequence the collection of database description packets for ensuring reliability and intactness of DD packets between the master and slave The initial value is set by the master The DD sequence number then increments until the complete database description has been sent 8 1 5 4 LSR pa...

Page 106: ...s to peers and each packet carries a collection of LSAs The LSU packet format is shown below LSU packet format 8 1 5 6 LSAck packet LSAack Link State Acknowledgment packets are used to acknowledge received LSU packets contents including LSA headers to describe the corresponding LSAs Multiple LSAs can be acknowledged in a single Link State Acknowledgment packet The following figure gives its format...

Page 107: ... bytes of the LSA including the LSA header 8 1 5 8 Formats of LSAs 1 Router LSA Router LSA format Major fields Link State ID ID of the router that originated the LSA V Virtual Link Set to 1 if the router that originated the LSA is a virtual link endpoint E External Set to 1 if the router that originated the LSA is an ASBR B Border Set to 1 if the router that originated the LSA is an ABR links Numb...

Page 108: ... routers attached to the network Network LSA format Major fields Link State ID The interface address of the DR Network Mask The mask of the network a broadcast or NBMA network Attached Router The IDs of the routers which are adjacent to the DR including the DR itself 3 Summary LSA Network summary LSAs Type 3 LSAs and ASBR summary LSAs Type 4 LSAs are originated by ABRs Other than the difference in...

Page 109: ...fault Destination 0 0 0 0 and the Network Mask is set to 0 0 0 0 Network Mask The IP address mask for the advertised destination E External Metric The type of the external metric value which is set to 1 for type 2 external routes and set to 0 for type 1 external routes Refer to Route types for description about external route types metric The metric to the destination Forwarding Address Data traff...

Page 110: ...tication The authentication password for interfaces attached to a network segment must be identical 8 1 6 3 Hot Standby and GR Distributed routers support OSPF Hot Standby HSB OSPF backs up necessary information of the Active Main Board AMB into the Standby Main Board Once the AMB fails the SMB begins to work to ensure the normal operation of OSPF OSPF supports to backup All OSPF data to the SMB t...

Page 111: ...ble neighbors After that the GR Restarter will update its own routing table and forwarding table based on the new routing information and remove the stale routes In this way the OSPF routing convergence is complete 8 1 6 5 TE and DS TETE OSPF Traffic Engineering TE provides for the establishment and maintenance of Label Switch Paths LSPs of TE When establishing Constraint based Routed LSPs CR LSPs...

Page 112: ...nation in this case since an OSPF intra area route has a higher priority than a backbone route VPN traffic will always travel on the backdoor route rather than the backbone route To avoid this an unnumbered sham link can be configured between PE routers connecting the router to another PE router via an intra area route with a lower cost 8 1 7 Protocols and Standards RFC 1765 OSPF Database Overflow...

Page 113: ...rder Router ABR and a neywork interface delongs to an area or every interface running OSPF protocol must use area ID to demonstrate which area belonged to Different area uses ABR to transmit routing information In addition all routers in the same area must be consensus the parameter configuration Therefore when configuring routers in the same area most configuration data must be considered based o...

Page 114: ...ce to be point to point The difference between NBMA and point to multipoint In OSPF protocol NBMA is connectivity non broadcasting multipoint reaching network Point to multipoint network need not entire connectivity In NBMA it needs selecting DR and BDR while in point to multipoint there is no DR and BDR NBMA is a default network such as if link layer protocol is ATM OSPF will defaulted to think t...

Page 115: ...face and may be BDR or DRother in another interface Selecting DR in broadcast or NBMA interface it is unnecessary to select DR in poit to poit or poit to multipoit interface Configure it in interface configuration mode Configure the priority of interface to select designated router ip ospf priority value Restore the default value no ip ospf priority By default the priority of VLAN interface to sel...

Page 116: ...mit interval this LSA will be retransmit User can configure retransmit interval value Configure it in interface configuration mode Configure the retransmit interval of sending LSA between neighbour routers ip ospf retransmit interval seconds Restore the default value of retransmit interval of sending LSA between neighbour routers no ip ospf retransmit interval By default the retransmit interval of...

Page 117: ...eachable of router out of autonomy system ABR in this area will generate a default route 0 0 0 0 and distribute it to other non ABR router in this area Pay attention to followings when configuring Stub area Backbone area cannot configure to be Stub area and virtual connection cannot pass through Stub area If configuring an area to be Stub area all routers in this area must configure this attributi...

Page 118: ...kboneArea The update of OSPF route in non BackboneArea is through BackboneArea OSPF protocol regulates all non BackboneArea must be connected with BackboneArea that is there must be at least one interface of ABR in area 0 0 0 0 If there is an area which is not physically connected with BackboneArea 0 0 0 0 there must establish a virtual connection If the physical connection cannot be proved becaus...

Page 119: ...uter the cost to its ASBR the cost of ASBR to destination address The second category external routing is the received EGP router This kind of router is less credible so the cost volume of ASBR to the outside of autonomy system is far more expensive than that of autonomy system to ASBR so the former is mainly considered that is the cost to the second external router the cost of ASBR to destination...

Page 120: ...TECH config router ospf default redistribute metric 10 8 2 19 OSPF monitor and maintain Followings are display command show ip ospf Display OSPF information show router id Display configured router ID show ip ospf neighbor Display OSPF neighbor show ip ospf database Display OSPF LSDB show ip ospf virtual link Display OSPF virtual link show ip ospf border routers Display OSPF edge router show ip os...

Page 121: ...o reduce the bandwidth of BGP broadcasting route to transmit plenty of route information in internet For management and security BGP 4 provides abundant route strategy to realize agile filtration and choice BGP operates in s specific router as a high layer protocol BGP router exchanges route information through sending whole BGP table and handle route changes through Update message Sending and rec...

Page 122: ...Configure it in BGP configuration mode Configure the network route local BGP to be notified network ip address mask address mask Cancel the network route local BGP to be notified no network ip address mask address mask network command inserts the route whose destination is ip address to BGP table and notify this route to peer Only the route in IP address before configuration can be insert to local...

Page 123: ... advertisement interval of EBGP is 30 seconds 9 2 2 5 Configure to make its own address to be next hop when BGP router distributing route use its own address to be next hop Configure to make its own address to be next hop neighbor neighbor address next hop self Cancel to make its own address to be next hop no neighbor neighbor address next hop self By default use default configuration to handle ne...

Page 124: ...IBGP and peer exchanging their Update message 9 2 5 Configure AS MED Multi Exit Discriminator MED is the external metric of route which is different from local preference MED exchanges between AS but the EMD entered AS will not leave it MED is used for choosing the best route and the smaller one will be chosen When a router running BGP which gains the route with the same destination address and di...

Page 125: ...permit deny net addr wildcard netmask None distribute list is configured by default BGP route matching is completed by net addr and wildcard netmask For those successfully matched determine to accept route or not through deny or permit command After defining BGP route distribute list it can realize BGP strategy function by applying neighbor distribute list command If ip distribute list command is ...

Page 126: ...his list group means it matches the filtration of the distribute list of the as path list id Example QTECH config ip as path access list 10 deny 700 QTECH config ip as path access list 10 permit 9 2 11 BGP monitor and maintenance Use show command in any configuration mode Show information in BGP table show ip bgp ip address A B C D M QTECH show ip bgp Autonomous System number 400 local router ID 1...

Page 127: ...ow BGP peer summary show ip bgp summary QTECH show ip bgp summary Neighbor V AS MsgRcvd MsgSent Up Down State PfxRcd 192 168 3 3 4 400 1 2 04 41 13 Established 192 168 3 7 4 700 2 0 00 44 15 Established 192 168 3 8 4 400 4 1 06 27 29 Established ...

Page 128: ...lticast environment there are a group of destination addresses called group address rather than one address All the receivers join a group Once they join the group the data sent to this group of addresses starts to be transported to the receivers All the members in this group can receive the data packets This group is a multicast group A multicast group has the following characteristics The member...

Page 129: ...d subnetwork bandwidth management SBM 224 0 0 17 All SBMS 224 0 0 18 Virtual router redundancy protocol VRRP 224 0 0 19 to 224 0 0 255 Other protocols Note Like having reserved the private network segment 10 0 0 0 8 for unicast IANA has also reserved the network segments ranging from 239 0 0 0 to 239 255 255 255 for multicast These are administratively scoped addresses With the administratively sc...

Page 130: ... every GMRP supporting device in the same switching network A host sends a GMRP Join message if it is interested in joining a multicast group After receiving the message the switch adds the port on which the message was received to the multicast group and broadcasts the message throughout the VLAN where the receiving port resides In this way the multicast source in the VLAN gets aware of the exist...

Page 131: ...ny configuration mode to display global GMRP show gmrp Use following command in any configuration mode to display GMRP on a port show gmrp interface interface list Interface list keyword is optional If this keyword unspecified the command displays GMRP information for all the Ethernet ports If specified the command displays GMRP information on specified Ethernet port For example Display GMRP infor...

Page 132: ...rotocol Snooping IGMP Snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups By listening to and analyzing IGMP messages a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure below when IGMP Snooping is not running on the...

Page 133: ...port list Member port A member port is a port on the Ethernet switch that leads switch towards multicast group members In the figure Ethernet 0 0 1 1 and Ethernet 1 2 of Switch A and Ethernet 0 0 1 1 of Switch B are member ports The switch registers all the member ports including static and dynamic member ports on the local device in its IGMP Snooping forwarding table Note l Whenever mentioned in ...

Page 134: ...n its router port list the switch adds it into its router port list and sets an aging timer for this router port 10 4 3 2 When receiving a membership report A host sends an IGMP report to the multicast router in the following circumstances l Upon receiving an IGMP query a multicast group member host responds with an IGMP report l When intended to join a multicast group a host sends an IGMP report ...

Page 135: ...t the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group specific query to that multicast group through the port that received the leave group message Upon hearing the IGMP group specific query the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group and performs the followin...

Page 136: ...QTECH Software Configuration Manual 10 135 l If IGMP is disabled the switch clears all its router ports l If IGMP is enabled the switch maintains all its Layer 2 multicast entries and router ports ...

Page 137: ...r that a member is ready to join the multicast group Add the port to the MAC multicast group and start the aging timer of the port Add all ports in the VLAN owning this port to the forward port list of the MAC multicast group IGMP host report message Host Multicast router and multicast switch Apply for joining a multicast group or respond to an IGMP query message Check if the IP multicast group ha...

Page 138: ...ion table in layer 2 Use following command in global configuration mode Enable IGMP Snooping igmp snooping Disable IGMP Snooping no igmp snooping By default IGMP Snooping disables Display IGMP Snooping Use following command in any mode to see IGMP Snooping For example Display IGMP snooping information QTECH config show igmp snooping 10 5 1 IGMP Snooping multicast interface aging time configuration...

Page 139: ...multicast group allowed learning igmp snooping group limit limit Use this command in global configuration mode For example Configure the igmp snooping group limit to be 10 QTECH config if ethernet 0 0 1 igmp snooping group limit 10 10 5 5 IGMP Snooping permit deny group configuration Configure igmp snooping permit deny group and default group learning regulation Configure igmp snooping permit deny...

Page 140: ...l Configure interval of sending IGMP query It is defaulted to be 60s Configure it in global configuration mode igmp snooping query interval seconds no igmp snooping query interval Example Configure interval of sending IGMP query to be 90s QTECH config igmp snooping querier 90 10 5 9 Configure IGMP Snooping querier vlan Sending IGMP query must specify vlan Packet will be transferred to all ports of...

Page 141: ...igure the route port aging no igmp snooping router port age 10 5 13 Add IGMP Snooping route port Added route port demonstrates the transferred port of leave or report packet of the host in the same multicast Configure uplink route port of host responsing packet Configure it in global configuration mode igmp snooping route port vlan vlanID interface port number no igmp snooping route port vlan vlan...

Page 142: ...c address of existed multicast which is in the form of multicast mac address such as 01 00 5e Vlan id ranges from 1 to 4094 Multicast group is assembled by vlan id and mac address Interface list is optional If all is chosen all interfaces in system in multicast mac address vlan interface command If the VLAN doesn t exist the multicast group adding fails For example Add interface Ethernet 0 0 2 to ...

Page 143: ...cast group of specified VLAN ID or all multicast groups no multicast mac address mac vlan vlan id The meaning of mac vlan id and interface list is the same as that above They are corresponded to be existed multicast group For example Delete multicast group with the mac address being 01 00 5e 01 02 03 and VLAN ID being 1 QTECH config no multicast mac address 01 00 5e 01 02 03 vlan 1 10 7 Cross VLAN...

Page 144: ...n multicast tag vlan vlanid untag Example Configure interface 3 to add tag head when transmitting multicast packet and vlanid to be 5 QTECH config if ethernet 0 0 5 cross vlan multicast tag vlan 5 10 7 5 Display cross vlan multicast Use this command to display cross vlan configuration and specified interface configuration show cross vlan multicast interface Example Display configuration of cross v...

Page 145: ...tion The request and grant process uses a lease concept with a controllable time period allowing the DHCP server to reclaim and then reallocate IP addresses that are not renewed dynamic re use of IP addresses With networks getting larger in size and more complicated in structure lack of available IP addresses becomes the common situation the network administrators have to face and network configur...

Page 146: ... An authoritative server will deny the request making the client ask for a new IP immediately A non authoritative server simply ignores the request leading to an implementation dependent timeout for the client to give up on the request and ask for a new IP address 11 2 2 DHCP offers When a DHCP server receives an IP lease request from a client it reserves an IP address for the client and extends a...

Page 147: ...lient RFC 2132 describes the available DHCP options defined by Internet Assigned Numbers Authority IANA DHCP and BOOTP PARAMETERS 11 2 8 Options To identify the vendor and functionality of a DHCP client The information is a variable length string of characters or octets which has a meaning specified by the vendor of the DHCP client One method that a DHCP client can utilize to communicate to the se...

Page 148: ... the assignment of the IP address to the client or returns a DHCP NAK packet to refuse the assignment of the IP address to the client When the client receives the DHCP ACK packet it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address and uses the IP address only if it does not receive any response within a specified period Note The IP ...

Page 149: ...tets of 0 s BOOTP legacy Magic Cookie 0x63825363 DHCP Options DHCP option 53 DHCP Request DHCP option 50 192 168 1 100 requested DHCP option 54 192 168 1 1 DHCP server DHCPACK UDP Src 192 168 1 1 sPort 67 Dest 255 255 255 255 dPort 68 OP HTYPE HLEN HOPS 0x02 0x01 0x06 0x00 XID 0x3903F326 SECS FLAGS 0x0000 0x0000 CIADDR Client IP Address 0x00000000 YIADDR Your IP Address 0xC0A80164 SIADDR Server IP...

Page 150: ...rom DHCP clients are forwarded to an external DHCP server which assigns IP addresses to the DHCP clients You can specify the mode to process DHCP packets For the configuration of the first two modes see DHCP Server Configuration For the configuration of the trunk mode see DHCP Relay Agent Configuration One interface only corresponds to one mode In this case the new configuration overwrites the pre...

Page 151: ...le DHCP server 1 QTECH config no dhcp server 1 11 3 3 Specify DHCP server for layer 3 interface After creating DHCP server specify DHCP server for each layer 3 interface and system will relay DHCP packet to DHCP server of this interface after receiving DHCP packet Use this command in interface configuration mode Specify DHCP server for layer 3 interface dhcp sever group num Delete DHCP server for ...

Page 152: ... can enquire IP address information DHCP server distributed In local IP address pool configuration mode configure parameter of DHCP clients distributed by DHCP server The configuration options are gateway and netmask of DHCP client DNS server WINS server lease IP address range distributed to DHCP client and IP address which is forbidden to distribute and specify It needs configure local IP address...

Page 153: ...ection section id section id is the section id of this address pool which can configure at most 8 groups from ip is the start address of this address segment and to ip is the end address These two addresses must be in the address domain determined by this gateway and netmask and IP address in address pool cannot contain gateway Example Create network interface of local IP address pool nic QTECH co...

Page 154: ... suffix suffix name Delete DNS suffix no dns suffix Example Configure primary DNS QTECH config ip pool nic dns primary ip 192 168 0 100 Delete primary DNS QTECH config ip pool nic no dns primary ip 11 4 7 Configure WINS Configure it in local IP address pool configuration mode Configure primary and second WINS wins primary ip second ip ip address Delete primary and second WINS no wins primary ip se...

Page 155: ... dhcp client no dhcp client mac vlanid Example Add client with mac address being 01 00 5e 22 22 22 vlan being 2 ip addrss being 5 5 1 2 QTECH config dhcp client 01 00 5e 22 22 22 5 5 1 2 2 Delete client with mac address being 01 00 5e 22 22 22 vlan being 2 QTECH config no dhcp client 01 00 5e 22 22 22 2 11 4 12 Show dhcp client Configure it in any configuration mode show dhcp client Use this comma...

Page 156: ... the packets are broadcasted in the process of obtaining IP addresses DHCP is only applicable to the situation that DHCP clients and DHCP servers are in the same network segment that is you need to deploy at least one DHCP server for each network segment which is far from economical The DHCP relay agent is designed to address this problem It enables DHCP clients in a subnet to communicate with the...

Page 157: ...2 is the Relay Agent Informaiton option in DHCP packet defined by rfc 3046 When DHCP client sending requiry packet to DHCP relay option82 will be added to packet Option82 in this chapter supports sub option1 sub option2 and sub option5 sub option1 is one of sub option of option82 which is Circuit ID with the content being interface VID and MAC address of receiving packet sub option2 is also the su...

Page 158: ... type It includes at least one option and at most 255 options Option 82 Also known as relay agent information option This option is a part of the Option field in DHCP packet According to RFC3046 option 82 lies before option 255 and after the other options Option 82 includes at least one sub option and at most 255 sub options Currently the commonly used sub options in option 82 are sub option 1 and...

Page 159: ... of the DHCP relay agent 5 Upon receiving the DHCP request packet forwarded by the DHCP relay agent the DHCP server stores the information contained in the option field and sends a packet that contains DHCP configuration information and option 82 to the DHCP relay agent 6 Upon receiving the packet returned from the DHCP server the DHCP relay agent strips option 82 from the packet and forwards the ...

Page 160: ...AN DHCP snooping can be configured on LAN switches to harden the security on the LAN to only allow clients with specific IP MAC addresses to have access to the network DHCP snooping is a series of layer 2 techniques It works with information from a DHCP server to Track the physical location of hosts Ensure that hosts only use the IP addresses assigned to them Ensure that only authorized DHCP serve...

Page 161: ...d ports forward any received DHCP packet to ensure that DHCP clients can obtain IP addresses from valid DHCP servers Untrusted ports drop all the received packets Figure 1 illustrates a typical network diagram for DHCP snooping application where Switch B is an QSW 3900 series switch Figure 1 Typical network diagram for DHCP snooping application Figure 2 illustrates the interaction between a DHCP c...

Page 162: ...ax host number dhcp snooping max clients num 11 8 4 Configure IP source guard Prevent IP address stolen through IP source guard Configure interface IP source guard ip source guard 11 8 5 Show DHCP snooping of ports DHCP snooping of ports configuraton can be displayed by this command Show DHCP snooping configuration of ports show dhcp snooping interface interface num 11 8 6 Show DHCP snooping confi...

Page 163: ... 2 but it also requires the definitions of network The following is the packet structure used for ARP requests and replies On Ethernet networks these packets use an EtherType of 0x0806 and are sent to the broadcast MAC address of FF FF FF FF FF FF Note that the EtherType 0x0806 is used in the Ethernet header and should not be used as the PTYPE of the ARP packet The ARP type 0x0806 should never be ...

Page 164: ...ng to use an IPv4 address whether received from manual configuration DHCP or some other means a host implementing this specification must test to see if the address is already in use by broadcasting ARP probe packets 12 1 3 ARP mediation ARP mediation refers to the process of resolving Layer 2 addresses when different resolution protocols are used on multiple connected circuits e g ATM on one end ...

Page 165: ...addresses to trick devices on the network 12 2 1 How ARP spooing works The attacker send fake arp message to the victim causing it to update its ARP table with false entries The ARP attack works as follow 1 The attacket send ARP messages to the victim with false updates 2 The victim update its ARP table with the attacker MAC address and the false IP address provided by the attacker 3 When the vict...

Page 166: ...rmation Enable disable ARP anti spoofing Configure unknown ARP packet handling strategy Enable disable ARP anti spoofing valid check Enable disable ARP anti spoofing deny disguiser Display ARP anti spoofing 12 5 1 Add and delete ARP table item Use this command can add or delete a static or dynamic ARP table item ARP table item not only include corresponding relations of IP and MAC but also the loc...

Page 167: ...show arp aging 12 5 5 Display ARP table item Use this command to display static dynamic specified IP address or all ARP table item Display all ARP table item show arp all Display dynamic ARP table item show arp dynamic Display static ARP table item QTECH config show arp static Display all ARP table item with the IP address being 192 168 0 100 QTECH config show arp 192 168 0 100 12 5 6 Enable disab...

Page 168: ...n deny all threshold 10 12 5 8 Configure ARP anti flood recover time The banned MAC in ARP anti flood attack will be auto recover after a certain time Use this command in global configuration mode arp anti flood recover time time The recover time can be configured in the range of 0 1440 minutes If time is 0 it means never auto recover Example Configure recover time to be 20 minutes QTECH config ar...

Page 169: ...ARP anti spoofing is used to check the match of ARP packet and configured static ARP After enabling this function all ARP through switch will be redirected to CPU If source IP source MAC interface number vlan id and static ARP are totally matched it is thought to be valid and permitted normal handling and transmit If not drop it If there is not corresponded static ARP table item handle it as strat...

Page 170: ...QTECH config no arp anti spoofing valid check 12 5 15 Enable disable ARP anti spoofing deny disguiser ARP gateway disguiser means attacker disguising gateway address to send free ARP packet whose gateway address is source IP address in LAN After host in LAN receiving this packet the original gateway address will be modified to be address of attacker to cause all hosts in LAN cannot visit network E...

Page 171: ...70 12 5 17 Configure trust port of ARP anti attack Use this command to set the port to be trust and ARP packet from this port will not be check attacking and spoofing Configure e0 0 1 to be trust QTECH config if ethernet 0 0 1 arp anti trust ...

Page 172: ...priority Layer 2 protocol and so on User based ACL such rules specify a byte in the packet by its offset from the packet header as the starting point to perform logical AND operations and compare the extracted string with the user defined string to find the matching packets for processing 13 1 1 ACL Match Order An ACL may contain a number of rules which specify different packet ranges This brings ...

Page 173: ...ng and traffic classification in the data forwarding process You can use the acl order command to specify the match order for the rules in the ACL For detailed configuration refer to Matching Order of ACL Rules ACLs are directly activated on the switch hardware in the following situations the switch references ACLs to implement the QoS functions and forwards data through ACLs 13 1 2 2 ACL referenc...

Page 174: ...CL the rule with any is in the front others use config order for extended ACL compare source address wildcard if they are the same compare destination address wildcard if they are the same compare interface number range the smaller is in the back if the interface number range is the same use config order for user defained ACL compare the length of mask the longer is in the back if they are the sam...

Page 175: ...iguration configure absolute time range and periodic time range Configuring absolute is in the form of year month date hour and minute Configuring periodic time range is in the form of day of week hour and minute 13 3 2 2 Create absolute time range Use following command to configure it Configure it in time range configuration mode Configure absolute time range absolute start time date end time dat...

Page 176: ...meaning refers to corresponded command line 13 3 3 2 Define standard ACL with name ID Defining standard ACL with name ID should enter specified configuration mode use access list standard in global configuration mode which can specify matching order of ACL Use exit command to be back from this mode Enter standard ACL with name ID configuration mode global configuration mode access list standard na...

Page 177: ...ny protocol established source addr source wildcard any port portmask dest addr dest wildcard any port portmask icmp type icmp code precedence precedence tos tos dscp dscp fragments time range time range name Delete all the subitems or one subitem in one ACL with number ID or name ID or all ACLs global configuration mode no access list all access list number name access list name subitem Use permi...

Page 178: ...e no access list all access list number name access list name subitem Use permit deny command repeatedly to define more rules for the same ACL Specifying matching order cannot be modified By default the matching order is user configured order config Concrete parameter meaning refers to corresponded command line 13 3 6 Activate ACL After activating ACL it can be effective Use access group command t...

Page 179: ... access list number name access list name Display statistic information of ACL show access list config statistic Display runtime information of ACL show access list runtime all access list number name access list name Display runtime statistic information of ACL show access list runtime statistic Concrete configuration refers to command line configuration ...

Page 180: ...me features Clasification rule means the filtration regulation configured by the administrator according to managing need which can be simple such as realizing flow with the feature of different priority according to the ToS field of IP packet head and can be complicated such as information of integrated link layer layer 2 network layer layer 3 transmission layer layer 4 such as MAC address IP pro...

Page 181: ...riority queue divides all packets into 4 levels that is superior priority middle priority normal priority and inferior priority 3 2 1 0 and their priority levels reduce in turn When queue schedulerimg PQ precedently transmits the packets in superior priority according to the priority level Transmit packet in inferior priority when the superior one is empty Put the key service in the superior one a...

Page 182: ...ed packet to CPU according to the need of its QoS strategies System realizes QoS function according to accessing control list which includes flow monitor interface speed limit packet redirection priority mark queue scheduler flow mirror flow statistics and coping packet to CPU 14 2 QOS Configuration 14 2 1 QoS Configuration list QOS Configuration includes Packet redirection configuration Priority ...

Page 183: ...specified value of traffic priority command 802 1p priority that is cos value of traffic priority command User can mark different priority for packet according to real QoS strategy Switch can locate packet to interface outputting queue according to the 802 1p priority and also can locate packet to corresponding outputting queue according to the specified local priority in traffic priority command ...

Page 184: ...m subitem link group access list number access list name subitem subitem Details of this command refers to corresponded command 14 2 7 Flow statistic configuration Flow statistic configuration is used to statistic specified service flow packet Use following command to configure it Configure it in global configuration mode Flow statistic configuration traffic statistic ip group access list number a...

Page 185: ...ce num all Display parameter configuration of flow limit show qos interface interface num rate limit Display line limit configuration show qos interface interface num line rate Display QOS statistic information of all interface show qos interface statistic Display priority configuration show qos info traffic priority Display redirection configuration show qos info traffic redirect Display flow sta...

Page 186: ...rk structure This avoids proliferation and infinite recycling of packets that would occur in a loop network and prevents deterioration of the packet processing capability of network devices cause by duplicate packets received 15 1 1 2 Protocol Packets of STP STP uses bridge protocol data units BPDUs also known as configuration messages as its protocol packets STP identifies the network topology by...

Page 187: ...ards BPDUs to the LAN the designated bridge for the LAN is Device B and the designated port is the port BP2 on Device B Figure 1 A schematic diagram of designated bridges and designated ports Note All the ports on the root bridge are designated ports 15 1 1 4 How STP works STP identifies the network topology by transmitting configuration BPDUs between network devices Configuration BPDUs contain su...

Page 188: ...in the form of port name 1 Specific computing process of the STP algorithm Initial state Upon initialization of a device each port generates a BPDU with itself as the root in which the root path cost is 0 designated bridge ID is the device ID and the designated port is the local port Selection of the optimum configuration BPDU Each device sends out its configuration BPDU and receives configuration...

Page 189: ...hest priority If all configuration BPDU have the same root path cost they will be compared for their designated bridge IDs then their designated port IDs and then the IDs of the ports on which they are received The smaller the ID the higher message priority Selection of the root bridge At network initialization each STP compliant device on the network assumes itself to be the root bridge with the ...

Page 190: ...ate they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully elected the entire tree shaped topology has been constructed The following is an example of how the STP algorithm works The specific network diagram is shown in Figure 2 In the feature the priority of Device A is 0 the priority of ...

Page 191: ... of the local port 1 0 1 BP2 is superior to the received configuration BPDU and discards the received configuration BPDU BP1 0 0 0 AP1 BP2 1 0 1 BP2 Device B Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU Then it uses BP1 as the root port the configuration BPDUs of which will not be changed Based on the...

Page 192: ... A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 By comparison Because the root path cost of CP2 9 root path cost of the BPDU 5 path cost corresponding to CP2 4 is smaller than the root path cost of CP1 10 root path cost of the BPDU 0 path cost corresponding to CP2 10 the BPDU of CP2 is elected as the optimum BPDU and CP2 is elected as the root port the me...

Page 193: ...new configuration BPDU has been propagated throughout the network 15 1 2 Introduction to MSTP 15 1 2 1 Why MSTP 1 Disadvantages of STP and RSTP STP does not support rapid state transition of ports A newly elected root port or designated port must wait twice the forward delay time before transitioning to the forwarding state even if it is a port on a point to point link or it is an edge port which ...

Page 194: ... following paragraphs will present some concepts of MSTP Figure 4 Basic concepts in MSTP 1 MST region An MST region is composed of multiple devices in a switched network and network segments among them These devices have the following characteristics All are MSTP enabled They have the same region name They have the same VLAN to instance mapping configuration They have the same MSTP revision level ...

Page 195: ...ional root of instance 1 is device B while that of instance 2 is device C 8 Common root bridge The root bridge of the CIST is the common root bridge In Figure 4 for example the common root bridge is a device in region A0 9 Boundary port A boundary port is a port that connects an MST region to another MST configuration or to a single spanning tree region running STP or to a single spanning tree reg...

Page 196: ...sses and forwards user traffic Learning the port learns MAC addresses but does not forwards user traffic Discarding the port neither learns MAC addresses nor forwards user traffic Note When in different MST instances a port can be in different states A port state is not exclusively associated with a port role Table 6 lists the port state s supported by each port role indicates that the port suppor...

Page 197: ...MSTP performs a separate computing process which is similar to spanning tree computing in STP for each spanning tree In MSTP a VLAN packet is forwarded along the following paths Within an MST region the packet is forwarded along the corresponding MSTI Between two MST regions the packet is forwarded along the CST 15 1 2 4 Implementation of MSTP on devices MSTP is compatible with STP and RSTP STP an...

Page 198: ...ng tree By default switch STP disables For example Enable STP QTECH config spanning tree 15 2 3 Enable disable interface STP Disable STP of specified interface to make the interface not to attend STP calculating Use following command in interface configuration mode Enable STP on specified interface spanning tree Disable STP on specified interface no spanning tree By default interface STP enables F...

Page 199: ...nfigured too large network will not be restored linking for a long time Forward Delay ranges from 4 to 30 seconds The default forward delay time 15 seconds is suggested to use Forward Delay Hello Time 2 15 2 6 Configure Hello Time Suitable Hello Time can guarantee network bridge noticing link failure in time without occupying too much resources Configure it in global configuration mode Configure H...

Page 200: ...cost of the current interface By default the path cost is determined by the current speed In IEEE 802 1D the default path cost is determined by the speed of the interface The port with the speed 10M have the cost of 100 100M 19 1000M 4 15 2 9 Configure STP priority od specified port Specify specified port in STP by configuring port priority Generally the smaller the value is the superior the prior...

Page 201: ...nterface not to be point to point link spanning tree point to point forcefalse Configure switch auto detect whether the interface is point to point link spanning tree point to point auto For example Configure the link connected to Ethernet 0 0 1 as a point to point link QTECH config if ethernet 0 0 1 spanning tree point to point forcetrue 15 2 13 Configure the current port as an edge port Edge por...

Page 202: ...interface For example Display STP configuration QTECH config show spanning tree interface ethernet 0 0 1 The bridge is executing the IEEE Rapid Spanning Tree protocol The bridge has priority 32768 MAC address 001f ce10 14f1 Configured Hello Time 2 second s Max Age 20 second s Forward Delay 15 second s Root Bridge has priority 32768 MAC address 001f ce10 14f1 Path cost to root bridge is 0 Stp top c...

Page 203: ...P Multiple spanning tree IEEE802 1S MSTP is the upgrade for SST Simple spanning tree IEEE8021 D 8021 W SST can realize link redundancy and loopback but cause the waste of effective bandwidth and overload of some link but backup of others because all vlans share a tree MSTP makes up these flaw and realize overload balance as SST by mapping different vlan to different STP example that is different S...

Page 204: ...ration mode Configure MSTP name spanning tree mst name name Configure MSTP revision level spanning tree mst revision revision level Configure mapping relationship between MSTP and VLAN spanning tree mst instance instance num vlan vlan list Example Configure MSTP name to be QTECH QTECH config spanning tree mst name QTECH Configure MSTP revision level to be 10 QTECH config spanning tree mst revision...

Page 205: ...type point to point forcefalse 15 4 7 Configure MSTP interface path cost Port path cost can be divided into internal cost and external cost The former is the configuration parameter based on each MSTP instance to determine topology of different instance in each MSTP region The latter is parameter which has nothing to do with the instance to determine CST topology consisted by each region Configure...

Page 206: ...ce list Example Display MSTP configuring mark QTECH config show spanning tree mst config id Display interface 0 0 2 information of instance1 QTECH config show spanning tree mst instance 1 interface ethernet 0 0 2 15 4 11 Enable disable digest snooping When interface of switch connects to switch which has its own private STP switch cannot connect to each other because of the private STP protocol Di...

Page 207: ...N spanning tree mst ignored vlan vlan list Disable Ignore of VLAN no spanning tree mst ignored vlan vlan list Display Ignore of VLAN show spanning tree mst ignored vlan Example Enable Ignore of VLAN 10 and 20 30 QTECH config spanning tree mst ignored vlan 10 20 30 ...

Page 208: ...ntication Use IEEE 802 1X authentication needs RADIUS server which system can access to make the authentication informayion to send to IEEE 802 1X authentication client software installed in accessing user s device such as PC 16 2 802 1X Configuration Configure system or interface related parameter before enabling 802 1X authentication and these configurations will be saved after disabling 802 1X ...

Page 209: ...rname and its administrator privilege cannot be deleted and modified Note There must be only one super administrator and all the configurations in the manual is setting super administrator as example 16 3 2 User s authentication User s authentication can be divided into local authentication and remote authentication Local authentication The users account and password are saved in local database Al...

Page 210: ...bal configuration mode Super administrator admin can use following command to change the password of all users but other administrators can only change their own password Normal users cannot modify their own password Enter global configuration mode how to enter global configuration mode refers to the first 2 steps in Table before following the below steps Table Modify password Step Command Descrip...

Page 211: ...34 QTECH config username green privilege 0 password 0 1234 16 4 4 Delete User Only Super administrator admin can add and delete user in global configuration mode Enter global configuration mode how to enter global configuration mode refers to the first 2 steps in Table 4 1 before following the below steps Table 4 4 Delete user Step Command Description 1 no username username Delete user 2 show user...

Page 212: ...how muser 16 5 2 Configure TACACS remote authentication Configuring user s login through TACACS server authentication accounting and authorization through TACACS server can be chosen When configuring TACACS authorization configure corresponded priority to users first There are 16 levels 0 16 priorities but there are only 2 levels 0 1 means normal users and 2 15 means administrators for QTECH switc...

Page 213: ...command to configure protocol type between system and RADIUS server After using dot1x eap transfer command 802 1 authentication packet encapsulated by EAP frame from user is sent to RADIUS server after transfering to data frame encapsulated by other high level protocol After using dot1x eap transfer command 802 1 authentication packet encapsulated by EAP frame from user is sent to RADIUS server wi...

Page 214: ...ts e0 0 5 forceauthorized disabled 3600 160 Total 26 item s printed 1 item s 6 Use dot1x max user command to configure the maximum number of supplicant systems an ethernet port can accommodate Use no dot1x max user command to configure the maximum number to be 1 Configure it by using following command dot1x max user user num For example Configure the max user of ethernet 0 0 5 is 10 in interface c...

Page 215: ...twork transmit delay and local time complementary and then adjusts current time according them 17 2 SNTP client configuration SNTP client configuration command includes Enable disable SNTP client SNTP client working mode configuration SNTP client unicast server configuration SNTP client broadcast delay configuration SNTP client multicast TTL configuration SNTP client poll interval configuration SN...

Page 216: ... from server to adjust current system time For example Configure broadcastdelay to be 1 second QTECH config sntp client broadcastdelay 1000 17 2 5 SNTP client multicast TTL configuration Use following command to configure ttl value of multicast packet sntp client multicast ttl ttl value no sntp client multicast ttl This command should be effective by sending packet through multicast address in any...

Page 217: ...ime local time cannot be the standard time To solve this problem a series of valid servers can be listed to filtrate source address of the packet Corresponded command is as following sntp client valid server ipaddress no sntp client valid server For example Configure servers in network interface 10 1 0 0 16 to be valid servers QTECH config sntp client valid server 10 1 0 0 0 0 255 255 17 2 9 SNTP ...

Page 218: ...ormation level reference several level Description corresponded explanation 0 emergencies the most emergent error need reboot 1 alerts need correct immediately self loop hardware error 2 critical key error memory resources distribution error 3 errors non key errors need cautions general error invalid parameter which is hard to restore 4 warnings Warning for some error which may exist alarm losing ...

Page 219: ... 2 3 Syslog time stamps configuration Use following command to configure the type of timestamps in Syslog There 3 types of timestamps timestamps are not displayed uptime is the timestamps and datatime is the timestamps Configure command is as following logging timestamps notime uptime datetime no logging timestamps For example Configure datetime to be the timestamps QTECH config logging timestamps...

Page 220: ...ered logging QTECH config logging buffered 2 Filtration rules configuration command is as following logging buffered level none level list level to level 1 8 module xxx no logging buffered filter xxx means the name of the module means other modules are omitted For example Configure filter regulations of all terminals to allow all module of level 0 to 6 to output information QTECH config logging bu...

Page 221: ...means other modules are omitted For example Configure filter regulations of logging host 1 1 1 1 to allow module vlan of level 7 to output information QTECH config logging host 1 1 1 1 none QTECH config logging host 1 1 1 1 level list 7 module vlan 4 Logging facility configuration command is as following logging facility xxx no logging facility xxx The name of logging facilities means other loggin...

Page 222: ...owing logging snmp agent level none level list level to level 1 8 module xxx no logging snmp agent filter xxx means the name of the module means other modules are omitted For example Configure SNMPAgent filtrate rules to be permitting information with the level 0 5 QTECH config logging snmp agent 5 18 2 9 Module debug configuration Use debug command to enable debug of a module Use no debug command...

Page 223: ... being initialized on an LLDP enabled port when the port changes to operate in another LLDP operating mode The period is known as initialization delay which is determined by the re initialization delay timer 19 1 1 2 Sending LLDPDUs A LLDP enabled device operating in the TxRx mode or Tx mode sends LLDPDUs to its directly connected devices periodically It also sends LLDPDUs when the local configura...

Page 224: ...lobal LLDP Use following command in global configuration mode Enable global LLDP lldp Disable global LLDP no lldp By default global LLDP disables For example Enable global LLDP QTECH config lldp 19 2 3 Configure LLDP hello time Use following command in global configuration mode Configure LLDP hello time lldp hello time 5 32768 Restore default LLDP hello time no lldp hello time The default LLDP hel...

Page 225: ... if ethernet 0 0 1 lldp tx 19 2 6 Display LLDP information Display followings in any configuration mode 1 Enable disable global LLDP 2 Related parameter of global LLDP 3 Interface packet receiving sending mode 4 Interface packet receiving sending statistics 5 Neighbour devices information found show lldp interface interface list For example Display LLDP information of interface Ethernet 0 0 1 QTEC...

Page 226: ...QTECH Software Configuration Manual 19 225 Port Duplex auto Port Speed FULL 100 Port Link Aggregation support in aggregation aggregated port ID is 7 ...

Page 227: ...pecific link layer protocol It can not only prevent data loop from causing broadcast storm efficiently when the Ethernet ring is complete but also restore communication channels among nodes on the Ethernet ring rapidly when a link is torn down Compared with Spanning Tree Protocol STP ERRP features Expedited topology convergence Independent of the number of nodes on the Ethernet ring 20 3 Basic Con...

Page 228: ... edge node on the subring Assistant edge node A node residing on the primary ring and a subring at the same time The node is a special transit node that serves as a transit node on the primary ring and an assistant edge node on the subring This node is used in conjunction with the edge node to detect the integrity of the primary ring and perform loop guard As shown in Figure 1 Ring 1 is the primar...

Page 229: ...fore the Fail timer expires the overall ring is in health state Otherwise the ring transits into disconnect state until the secondary port receives the Health packet again Note In an ERRP domain a transit node learns the Hello timer value and the Fail timer value on the master node through the received Health packets guaranteeing the consistency of two timer values across a ring The Fail timer val...

Page 230: ... the edge node of a failure when a link of primary ring between edge node and assistant edge node is torn down 20 4 Typical ERRP Networking Here are several typical networking applications 20 4 1 Single ring Figure 2 Single ring There is only a single ring in the network topology In this case you only need to define an ERRP domain ...

Page 231: ...ter node Transit node Domain 1 Ring 1 Ring 2 A B C D E 1 2 2 2 2 1 1 1 QSW 2900 Transit node Transit node Transit node Master node F Domain 2 Figure 3 Multi domain tangent rings There are two or more rings in the network topology and only one common node between rings In this case you need define an ERRP domain for each ring ...

Page 232: ...des between rings In this case you only need to define an ERRP domain and set one ring as the primary ring and other rings as subrings 20 4 4 Dual homed rings Figure 5 Dual homed rings There are two or more rings in the network topology and two similar common nodes between rings In this case you only need to define an ERRP domain and set one ring as the primary ring and other rings as subrings ...

Page 233: ...y If the ring works properly the secondary port of the master node will receive Health packets and the master node will maintain it in block state If the ring is torn down the secondary port of the master node will not receive Health packets after the timeout timer expires The master node will release the secondary port from blocking data VLAN while sending Common Flush FDB packets to notify all t...

Page 234: ...mary ring between the edge node and the assistant edge node are down the master nodes of Ring 2 and Ring 3 will open their respective secondary ports and thus a loop among B C E and F is generated As a result broadcast storm occurs In this case to prevent from generating this loop the edge node will block the edge port temporarily The blocked edge port is activated only when the edge node ensures ...

Page 235: ...master control VLAN and sub control VLAN Protocol packet of master ring is transmitted in master control VLAN and protocol packet of sub ring is transmitted in sub control VLAN When configuring specify master control VLAN and sub control VLAN is the one whose VLAN ID is 1 bigger than that of the master control VLAN Port only accessing to Ethernet ring ERRP port of each switch belong to control VLA...

Page 236: ... 0 0 1 common port port id such as ethernet 0 0 1 sec port port id such as ethernet 0 0 1 level ring level 0 means primary ring and 1 means secondary For example Configure primary ring 0 with role mode being master primary port being 1 and secondary port being 2 QTECH config errp ring 0 role master primary port ethernet 0 0 1 secondary port ethernet 0 0 2 level 0 20 6 7 Enable disable ERRP ring Co...

Page 237: ...cket to be sent upstream The TAG contains the identification of the access loop on which the PADI or PADR packet was received in the Access Node where the Intermediate Agent resides If a PADI or PADR packet exceeds 1500 octets after adding the TAG containing the access loop identification the Intermediate Agent must not send the packet to the Broadband Network Gateway In response to the received P...

Page 238: ...global configuration mode Configure PPPoE Plus type pppoeplus type standard huawei The default type is standard The adding tag form will include hostname information when the type is huawei Note All PPPoE clients must be members of IP managed VLAN Please refer to the Configure and manage VLAN ...

Page 239: ...he level A higher level MD can contain lower level MDs but they cannot overlap In other words a higher level MD covers larger area than a lower level MD 22 3 2 Maintenance association Maintenance association MA is a set of maintenance points in a maintenance domain It is identified in the form MD name MA name MA works within a VLAN Packets sent by the maintenance points in a MA carry the correspon...

Page 240: ...overed In this example the X port of device 2 is configured with the following MPs a level 5 MEP a level 3 inbound MEP a level 2 inbound MEP and a level 0 outbound MEP Figure 3 Levels of MPs 22 3 4 Basic Functions of Connectivity Fault Management CFM works effectively only in well deployed and well configured networks Its functions which are implemented through the maintenance points include Conti...

Page 241: ...ktrace message LTM to the target MEP After receiving the message the target MEP as well as the MIPs that the LTM passes send back linktrace reply message LTR to the source Based on the replying messages the source can identify the path to the target 22 3 5 Protocols and Standards The connectivity fault management function is implemented in accordance with IEEE P802 1ag 22 4 CFM Configuration 22 4 ...

Page 242: ...cfm mep level 7 direction up mpid 7110 vlan 110 22 4 4 Configure cfm mip level Configure it in interface configuration mode Configure cfm mip level cfm mip level level id Parameter level id the integrity from 0 7 Delete cfm mip level no cfm mip level level id It is defaulted not to configure cfm mip level For example Configure cfm mip level 7 QTECH config if ethernet 0 0 1 cfm mip level 7 22 4 5 C...

Page 243: ...le level level list vlan vlan list It is defaulted to enable VLAN sending cfm cc enable level For example Configure cfm cc enable level 0 7 vlan 1 10 QTECH config cfm cc enable level 0 7 vlan 1 10 22 4 8 cfm ping cfm ping command is used to check network connection and the arrival of destination mac address Configure it in global configuration mode cfm ping c count s packetsize t timeout mac level...

Page 244: ... to 60 with the unit of second and default value is 5 seconds target_mac destination mac address level id the integrity from 0 7 vlan id VLAN to be tracerted For example cfm traceroute 00 1f ce 10 14 f1 level 4 vlan 110 QTECH cfm traceroute 00 1f ce 10 14 f1 level 4 vlan 110 22 4 10 Display cfm domain Configure it in any configuration mode It will display as following cfm domain name cfm domain le...

Page 245: ...ging time show cfm maintenance points remote For example Display cfm maintenance points remote QTECH config show cfm maintenance points remote 22 4 13 Display cfm cc database Configure it in any configuration mode It will display as following Mac address vlan id ingress interface show cfm cc database For example Display cfm cc database QTECH config show cfm cc database 22 4 14 Display cfm errors C...

Reviews:

No comments

Related manuals for QSW-3900

Vanguard 340 Installation Manual preview
340
Brand: Vanguard Pages: 121
Netopia 3346-ENT Getting Started Manual preview
3346-ENT
Brand: Netopia Pages: 38
National Instruments NI-9206 Getting Started preview
NI-9206
Brand: National Instruments Pages: 8
TP-Link TD-8816 Quick Installation Manual preview
TD-8816
Brand: TP-Link Pages: 2
axing EOC 1-31 Operation Instructions Manual preview
EOC 1-31
Brand: axing Pages: 52
Dialogic Media Board D/120JCT-LS-EW Installation Manual preview
Media Board D/120JCT-LS-EW
Brand: Dialogic Pages: 2
Xyclop XC-4CH-NVR-1TB User Manual preview
XC-4CH-NVR-1TB
Brand: Xyclop Pages: 144
Silvertel Ag102 User Manual preview
Ag102
Brand: Silvertel Pages: 9
Extron electronics VERSATOOLS MTP User Manual preview
VERSATOOLS MTP
Brand: Extron electronics Pages: 19
Lindy Modular Fast Fiber Switch Converter MT-RJ Specifications preview
Modular Fast Fiber Switch Converter MT-RJ
Brand: Lindy Pages: 3
Ceragon Fibe-Air IP-10G Installation Manual preview
Fibe-Air IP-10G
Brand: Ceragon Pages: 71
Enterasys GPIM-08 Reference Sheet preview
GPIM-08
Brand: Enterasys Pages: 2
Hypercom IN-tact 1201 Brochure & Specs preview
IN-tact 1201
Brand: Hypercom Pages: 2
H3C SecPath F5010 Installation, Quick Start preview
SecPath F5010
Brand: H3C Pages: 2
ZyXEL Communications LTE7480-S905 Quick Start Manual preview
LTE7480-S905
Brand: ZyXEL Communications Pages: 4
HighPoint NA381TB Quick Installation Manual preview
NA381TB
Brand: HighPoint Pages: 3
bintec elmeg bintec 4Ge-LE Installation Manual preview
bintec 4Ge-LE
Brand: bintec elmeg Pages: 32
Vivotek PZ7111 Quick Installation Manual preview
PZ7111
Brand: Vivotek Pages: 12

Brands by name

Popular brands

Load more brands