Home
/
SNR
/
S2940-8G-v2
/
Configuration Manual

SNR S2940-8G-v2, Configuration Manual

Share

Page: 279 / 420

SNR S2940-8G-v2 Configuration Manual Download Page 279

SNR S2940-8G-v2 Switch Configuration Guide

ACL Configuration

Chapter 43

ACL Configuration

43.1

Introduction to ACL

ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing
network traffic control by granting or denying access the switches, effectively safeguarding the
security of networks. The user can lay down a set of rules according to some information specific
to packets, each rule describes the action for a packet with certain information matched: 'permit'
or 'deny'. The user can apply such rules to the incoming direction of switch ports, so that data
streams in the incoming direction of specified ports must comply with the ACL rules assigned.

43.1.1

Access-list

Access-list is a sequential collection of conditions that corresponds to a specific rule. Each rule
consist of filter information and the action when the rule is matched. Information included in a rule
is the effective combination of conditions such as source IP, destination IP, IP protocol number and
TCP port, UDP port. Access-lists can be categorized by the following criteria:

•

Filter information based criterion:

IP access-list (layer 3 or higher information), MAC

access-list (layer 2 information), and MAC-IP access-list (layer 2 or layer 3 or higher).

•

Configuration complexity based criterion:

standard and extended, the extended mode

allows more specific filtering of information.

•

Nomenclature based criterion:

numbered and named.

Description of an ACL should cover the above three aspects.

43.1.2

Access-group

When a set of access-lists are created, they can be applied to traffic of incoming direction on all
ports. Access-group is the description to the binding of an access-list to the incoming direction on a
specific port. When an access-group is created, all packets from in the incoming direction through
the port will be compared to the access-list rule to decide whether to permit or deny access.

The current firmware only supports ingress ACL configuration.

279

«
...
277
278
279
280
281
...
»

Summary of Contents for S2940-8G-v2

Page 1: ...iguration Example 50 3 4 Port Troubleshooting 51 4 Port Isolation Function Configuration 52 4 1 Introduction to Port Isolation Function 52 4 2 Task Sequence of Port Isolation 52 4 3 Port Isolation Fun...

Page 2: ...ion 76 10 1 Introduction to EFM OAM 76 10 2 EFM OAM Configuration 79 10 3 EFM OAM Example 81 10 4 EFM OAM Troubleshooting 82 11 Port Security 83 11 1 Introduction to Port Security 83 11 2 Port Securit...

Page 3: ...pical Applications of the Dot1q tunnel 132 17 4 Dot1q tunnel Troubleshooting 133 18 Selective QinQ Configuration 134 18 1 Introduction to Selective QinQ 134 18 2 Selective QinQ Configuration 134 18 3...

Page 4: ...Typical Configuration Examples 157 24 4 MAC Table Troubleshooting 158 24 5 MAC Address Function Extension 158 24 6 MAC Notification Configuration 161 IV MSTP Configuration 164 25 MSTP Configuration 16...

Page 5: ...bleshooting Help 210 31 Prevent ARP Spoofing Configuration 211 31 1 Overview 211 31 2 Prevent ARP Spoofing configuration 212 31 3 Prevent ARP Spoofing Example 213 32 ARP Guard Configuration 214 32 1 I...

Page 6: ...ple 243 37 4 DHCP option 60 and option 43 Troubleshooting 243 38 DHCPv6 option37 38 244 38 1 Introduction to DHCPv6 option37 38 244 38 2 DHCPv6 option37 38 Configuration Task List 245 38 3 DHCPv6 opti...

Page 7: ...ation Function of MAC and IP in Port VLAN Configuration Task Sequence 325 46 3 The Number Limitation Function of MAC and IP in Port VLAN Typical Examples 327 46 4 The Number Limitation Function of MAC...

Page 8: ...rmediate Agent Configuration Task List 359 54 3 PPPoE Intermediate Agent Typical Application 360 54 4 PPPoE Intermediate Agent Troubleshooting 361 55 Web Portal Configuration 362 55 1 Introduction to...

Page 9: ...mples 397 61 4 Device Mirror Troubleshooting 398 62 sFlow Configuration 399 62 1 Introduction to sFlow 399 62 2 sFlow Configuration Task List 399 62 3 sFlow Examples 401 62 4 sFlow Troubleshooting 402...

Page 10: ...66 7 System log 414 67 Reload Switch after Specified Time 418 67 1 Introduce to Reload Switch after Specifid Time 418 67 2 Reload Switch after Specifid Time Task List 418 68 Debugging and Diagnosis f...

Page 11: ...SNR S2940 8G v2 Switch Configuration Guide Part I Basic Management Configuration 11...

Page 12: ...ugh Telnet The procedures for managing the switch via Console interface are listed below Step 1 Setting up the environment Connect with serial port Figure 1 1 Out of band Management Configuration Envi...

Page 13: ...o parity None flow control Step 3 Entering switch CLI interface Power on the switch the following appears in the terminal emulation window that is the CLI configuration mode for Switch System is booti...

Page 14: ...N1 exists in the system The following describes the steps for a Telnet client to connect to the switch s VLAN1 interface by Telnet IPV4 address example Step 1 Configure the IP addresses for the switch...

Page 15: ...ter valid login name and password in the Telnet configuration interface Telnet user will be able to enter the switch s CLI configuration interface The commands used in the Telnet CLI inter face after...

Page 16: ...ion style with the following command authentication line web login local Privilege option must exist and just is 15 Assume an authorized user in the switch has a username of admin and password of admi...

Page 17: ...y system first If as common user it is defaulted to User Mode The prompt shown is Switch the symbol is the prompt for User Mode When exit command is run under Admin Mode it will also return to the Use...

Page 18: ...Mirroring VLAN creation IGMP Snooping start and STP etc And the user can go further to Port Mode for configuration of all the interfaces Interface Mode Use the interface command under Global Mode can...

Page 19: ...P ACL Mode Type ip access list standard command under Global Mode Configure parame ters for Standard IP ACL Mode Use the exit com mand to return to Global Mode Extended IP ACL Mode Type ip access list...

Page 20: ...and no parameter just type in the command to run vlan vlan id parameter values are required after the keyword firewall enable disable user can enter firewall enable or firewall disable for this com m...

Page 21: ...to the Admin Mode directly from the other configuration modes ex cept User Mode Ctrl c Break the ongoing command process such as ping or other command exe cution Tab When a string for a command or ke...

Page 22: ...his command is not exist in current mode The command is recognized but this command can not be used under current mode Please configure precursor command at first The command is recognized but the pre...

Page 23: ...Various Modes exit Exit current mode and enter previous mode such as using this command in global mode to go back to admin mode and back to normal user mode from admin mode show privilege Show privil...

Page 24: ...ction to one remote host If a connection to another remote host is desired the current TCP connection must be dropped Telnet Configuration Task List 1 Configure Telnet Server 2 Telnet to a remote host...

Page 25: ...d1 method2 no authorization line console vty web exec Configure the authorization method list with telnet authorization line vty command 1 15 local radius tacacs none no authorization line vty com man...

Page 26: ...tication etc SSH Server Configuration Task List Command Explanation Global Mode ssh server enable no ssh server enable Enable SSH function on the switch the no command dis ables SSH function username...

Page 27: ...the local host 2 3 Configure Switch IP Addresses All Ethernet ports of switch are default to Data Link layer ports and perform layer 2 forwarding VLAN interface represent a Layer 3 interface function...

Page 28: ...he switch to be a BootP client and obtain IP ad dress and gateway address through BootP negotiation the no command disables the BootP client function 4 DHCP configuration Command Explanation VLAN Inte...

Page 29: ...k topology changes Agents can send Trap messages to NMS to inform the abnormal events Besides NMS can also be set to alert to some abnormal events by enabling RMON function When alert events are trigg...

Page 30: ...ID such as BRIDGE MIB Besides the switch supports self defined private MIB 2 4 3 Introduction to RMON RMON is the most important expansion of the standard SNMP RMON is a set of MIB definitions used to...

Page 31: ...cess num std name ipv6 access ipv6 num std ipv6 name Configure the community string for the switch the no command deletes the configured community string 3 Configure IP address of SNMP management stat...

Page 32: ...priv read read string write write string no tify notify string access num std name ipv6 access ipv6 num std ipv6 name Set the group information on the switch This command is used to configure VACM for...

Page 33: ...4 5 Typical SNMP Configuration Examples The IP address of the NMS is 1 1 1 5 the IP address of the switch Agent is 1 1 1 9 Scenario 1 The NMS network administrative software uses SNMP protocol to obta...

Page 34: ...y string to access the switch with read write permis sion or use public as the community string to access the switch with read only permission Scenario 6 NMS will receive Trap messages from the switch...

Page 35: ...fers to the compressed files of the switch hardware drivers and software support program etc namely what we usually call the IMG update file The IMG file can only be saved in the FLASH with a defined...

Page 36: ...le TFTP server in the PC Run TFTP server program Before start downloading upgrade file to the switch verify the connectivity between the server and the switch by ping from the switch If ping succeeds...

Page 37: ...system update image file Boot write nos img File exists overwrite Y N N y Writing flash nos img Write flash nos img OK Boot Step 8 After successful upgrade execute run or reboot command in BootROM mo...

Page 38: ...ment connection maintains until data transfer is complete Then using the address and port number provided by the client the server establishes data connection on port 20 if not engaged to transfer dat...

Page 39: ...nvolatile storage corresponding to the so called configu ration save If the device does not support CF the configuration file stores in FLASH only if the device supports CF the configuration file stor...

Page 40: ...url ascii binary FTP TFTP client upload download file b For FTP client server file list can be checked Command Explanation Admin Mode ftp dir ftpServerUrl For FTP client server file list can be checke...

Page 41: ...mission time for TFTP server FTP TFTP Configuration Examples The configuration is same for IPv4 address or IPv6 address The example only for IPv4 address Fig 2 3 Download nos img file as FTP TFTP clie...

Page 42: ...ch is a FTP client Transfer the nos img file in the switch to the computer and save as 12_25_nos img The configuration procedures of the switch are listed below Switch config interface vlan 1 Switch C...

Page 43: ...tp Switch superuser 10 1 1 1 220 Serv U FTP Server v2 5 build 6 for WinSock ready 331 User name okay need password 230 User logged in proceed 200 PORT Command successful 150 Opening ASCII mode data co...

Page 44: ...ise the switch may be rendered unable to start If the system file and system start up file upgrade through FTP fails please try to upgrade again or use the BootROM mode to upgrade TFTP Troubleshooting...

Page 45: ...start up file through TFTP the switch must not be restarted until close tftp client is displayed indicating upgrade is successful otherwise the switch may be rendered unable to start If the system fi...

Page 46: ...SNR S2940 8G v2 Switch Configuration Guide Part II Port Configuration 46...

Page 47: ...nsecutive port numbers Suppose an operation should be performed on ports 2 3 4 5 the command would look like interface ethernet 1 2 5 Port speed duplex mode and traffic con trol can be configured unde...

Page 48: ...supported by combo port and fiber port of switch speed duplex auto 10 100 1000 auto full half force10 half force10 full force100 half force100 full force100 fx module type auto detected no phy integra...

Page 49: ...rt scan mode as interrupt or poll mode the no command restores the default port scan mode rate violation 200 2000000 recovery 0 86400 no rate violation Set the max packet reception rate of a port If t...

Page 50: ...ted below Switch1 Switch1 config interface ethernet 1 7 Switch1 Config If Ethernet1 7 bandwidth control 50000 both Switch2 Switch2 config interface ethernet 1 9 Switch2 Config If Ethernet1 9 speed dup...

Page 51: ...ace is set to auto negotiation but the other to forced speed duplex This is determined by IEEE 802 3 The following combinations are not recommended enabling traffic control as well as setting multicas...

Page 52: ...o more than 16 port isolation groups can a switch have 4 2 Task Sequence of Port Isolation 1 Create an isolate port group 2 Add Ethernet ports into the group 3 Display the configuration of port isolat...

Page 53: ...topology and configuration of switches are showed in the figure above with e1 1 e1 10 and e1 15 all belonging to VLAN 100 The requirement is that after port isolation is enabled on switch S1 e1 1 and...

Page 54: ...ward messages When a new source MAC is already learnt by the layer 2 device only with a different source port the original source port will be modified to the new one which means to correspond the ori...

Page 55: ...n Command Explanation Port Mode loopback detection specified vlan vlan list Enable and disable the function of port loopback detection no loopback detection specified vlan vlan list 3 Configure the co...

Page 56: ...the port connecting the switch with the outside network the switch will notify the connected network about the existence of a loopback and control the port on the switch to guarantee the normal operat...

Page 57: ...ch Configuration Guide Port Loopback Detection Function Configuration 5 4 Port Loopback Detection Troubleshooting The function of port loopback detection is disabled by default and should only be enab...

Page 58: ...s in physical layer like automatic negotiation SWITCH A SWITCH B 1 0 1 1 0 2 1 0 4 1 0 3 Figure 6 1 Fiber Cross Connection This kind of problem often appears in the following situations GBIC Giga Bitr...

Page 59: ...at interval Besides ULDP provides the reset mechanism when the port is disabled by ULDP it can check again through reset mechanism The time intervals of notification messages and reset in ULDP can be...

Page 60: ...ation Mode uldp aggressive mode Set the working mode of the port no uldp aggressive mode 5 Configure the method to shut down unidirectional link Command Explanation Global Configuration Mode uldp manu...

Page 61: ...mation no debug uldp event debug uldp packet receive send no debug uldp packet receive send Enable or disable the type of messages can be received and sent on all ports debug uldp hello probe echo uni...

Page 62: ...information on the CRT terminal of PC1 Oct 29 11 09 50 2007 A unidirectional link is detected Port Ethernet1 1 need to be shutted down Oct 29 11 09 50 2007 Unidirectional port Ethernet1 1 shut down Oc...

Page 63: ...1 3 of the STP convergence time If the interval is too long a STP loop will be generated before ULDP discovers and shuts down the unidirectional connection port If the interval is too short the networ...

Page 64: ...o advertise In specific LLDP defines a general advertisement information set a transportation advertise ment protocol and a method to store the received advertisement information The device to ad vert...

Page 65: ...on switch 3 Configure the operating state of port LLDP 4 Configure the intervals of LLDP updating messages 5 Configure the aging time multiplier of LLDP messages 6 Configure the sending delay of updat...

Page 66: ...ld value no lldp msgTxHold Configure the aging time multiplier of LLDP messages as the specified value or default value 6 Configure the sending delay of updating messages Command Explanation Global mo...

Page 67: ...ration mode lldp tooManyNeighbors discard delete Configure the type of operation when the Remote Table of the port is full 12 Display and debug the relative information of LLDP Command Explanation Adm...

Page 68: ...hA config lldp enable SwitchA config interface ethernet 1 4 SwitchA Config If Ethernet1 4 lldp transmit optional tlv portDesc sysCap SwitchA Config If Ethernet1 4 exit SWITCH B configuration task sequ...

Page 69: ...mes an independent logical port Port aggregation is a process of logical abstraction to abstract a set of ports port sequence with the same properties to a logical port Port Channel is a collection of...

Page 70: ...as a normal port Switch have a built in aggre gation interface configuration mode the user can perform related configuration in this mode just like in the VLAN and physical interface configuration mo...

Page 71: ...ion group if the current number of the member ports exceeds the limitation of the max port number then the system of this end will negotiates with the other end to decide the port state according to t...

Page 72: ...rt channel number Enter port channel configuration mode 4 Set load balance method for port group Command Explanation Aggregation port configuration mode load balance src mac dst mac dst src mac src ip...

Page 73: ...nnel 1 Switch1 Config If Port Channel1 Switch2 config Switch2 config port group 2 Switch2 config interface ethernet 1 6 Switch2 Config If Ethernet1 6 port group 2 mode passive Switch2 Config If Ethern...

Page 74: ...xchange LACP PDU to complete aggregation Aggregation finishes immediately when the command to add port 1 2 to port group 1 is entered port 1 and port 2 aggregate to be port channel 1 when port 1 3 joi...

Page 75: ...peed of the whole network by 2 to 5 Technically the Jumbo is just a lengthened frame sent and received by the switch However considering the length of Jumbo frames they will not be sent to CPU We disc...

Page 76: ...re powerful E LMI standard set by MEF is only applied to UNI So above protocols can be used to different network topology and management between them exist the complementary relation EFM OAM Ethernet...

Page 77: ...will also log and report it With the log information network administrators can keep track of network status in time The link event monitored by EFM OAM means that the link happens the error event in...

Page 78: ...nk without autonegotiaction EFM OAM can detect the fault and inform the remote OAM peers through sending Information OAMPDU Dying Gasp There is no definition present Although device does not generate...

Page 79: ...nds no ethernet oam period Configure transmission period of OAMPDU optional no command restores the default value ethernet oam timeout sec onds no ethernet oam timeout Configure timeout of EFM OAM con...

Page 80: ...al event or link fault event of the local no command disables the function optional ethernet oam errored symbol period threshold high high symbols none Configure the high threshold of errored symbol p...

Page 81: ...ethernet1 1 CE config if ethernet1 1 ethernet oam mode passive CE config if ethernet1 1 ethernet oam CE config if ethernet1 1 ethernet oam remote loopback supported Other parameters use the default co...

Page 82: ...en two OAM entities Ensuring SNMP configuration is correct or else errored event can not be reported to network management system Link does not normally communicate in OAM loopback mode it should canc...

Page 83: ...g network security management After port security is enabled the device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This r...

Page 84: ...d dynamic sticky ad dress mac addr interface interface id vlan vlan id Clear the secure MAC entry of the interface show port security interface interface id address vlan Show port security configurati...

Page 85: ...Switch config if ethernet1 0 1 exit Switch config 11 4 Port Security Troubleshooting If problems occur when configuring Port Security please check whether the problem is caused by the following reaso...

Page 86: ...e the system reliability DDM applications are shown in the following 1 Module lifetime forecast Monitoring the bias current is able to forecast the laser lifetime Administrator is able to find some po...

Page 87: ...d thresholds Because the user s environments are difference the users is able to define the threshold including high alarm low alarm high warn low warn to flexibly monitor the working state of the tra...

Page 88: ...f the transceiver Command Explanation User mode admin mode and global mode show transceiver interface eth ernet interface list detail Show the monitoring of the transceiver 2 Configure the alarm or wa...

Page 89: ...Command Explanation Admin mode clear transceiver threshold violation interface ethernet interface list Clear the threshold violation of the transceiver monitor 12 3 Examples of DDM Example 1 Ethernet...

Page 90: ...altime High Alarm Low Alarm High Warn Low Warn Temperature 33 70 0 70 0 Voltage V 7 31 A 5 00 0 00 5 00 0 00 Bias current mA 6 11 W 10 30 0 00 5 00 0 00 RX Power dBM 30 54 A 9 00 25 00 9 00 25 00 TX P...

Page 91: ...reshold configured by the user the threshold configured by the manufacturer is labeled with the bracket There is the alarm with A due to 13 01 is less than 12 00 Switch show transceiver interface ethe...

Page 92: ...f ethernet1 21 quit Switch config show transceiver threshold violation interface ethernet 1 21 22 Ethernet 1 21 transceiver threshold violation information Transceiver monitor is enabled Monitor inter...

Page 93: ...ure the used board and switch support the corresponding function When using show transceiver command or show transceiver detail command it cost much time due to the switch will check all ports so it i...

Page 94: ...ce informa tion To deploy and manage voice device expediently LLDP MED TLVs provide multiple infor mation such as PoE Power over Ethernet network policy and the location information of the emergent te...

Page 95: ...Configure device type and country code of the location with Civic Address LCI format and enter Civic Address LCI ad dress mode The no command cancels all configurations of the location with Civic Addr...

Page 96: ...1 0 1 lldp transmit med tlv capability SwitchA Config If Ethernet1 0 1 lldp transmit med tlv network policy SwitchA Config If Ethernet1 0 1 lldp transmit med tlv inventory SwitchB Config If Ethernet1...

Page 97: ...tity PD Power Device IN Inventory MED Capabilities CAP NP PD IN MED Device Type Endpoint Class III Media Policy Type Voice Media Policy Tagged Media Policy Vlan id 10 Media Policy Priority 3 Media Pol...

Page 98: ...ce is able to send LLDP packets with MED TLV forwardly so the correspond ing Remote table with LLDP MED information on Ethernet1 of switch A 13 4 LLDP MED Troubleshooting If problems occur when config...

Page 99: ...etworks of the same corporation through the service provider network To maintain a local concept it not only needs to transmit the data within the user s private network across the tunnel but also tra...

Page 100: ...lacp dot1x Enable the port to support the tunnel the no command dis ables the function no bpdu tunnel stp gvrp uldp lacp dot1x 14 3 Examples of bpdu tunnel Special lines are used in a service provide...

Page 101: ...original destination MAC address of the packet and then sends the packet to network 2 of user A bpdu tunnel configuration of edge switches PE1 and PE2 in the following PE1 configuration PE1 config bpd...

Page 102: ...out OAM is not the indication weakness of the Ethernet Using the IEEE802 1agas example this also go by the name of connection failure management CFM standard it provides the port to port network inspe...

Page 103: ...inspection is called MP Main tenance Point the bridge of port that configure on the maintenance point 15 2 1 Maintenance Domain The network can be logically divided into different layers from interna...

Page 104: ...is belong to certain maintenance service the boundary of the service which is configured on the port MEP responds for initiating all CFM messages CCM LTM LBM the protocol behaviours and the status are...

Page 105: ...exists and lower level of MIP does not exist then it will build up MIP on particular port at this level defer Whether build up the MIP node the build rules will be determine by the configured rules of...

Page 106: ...ties or orientate the failure point The processes as follow MEP send LTM to the target MP MEP or MIP each of the MIP after receiving the LTM will also send a LTR to source MEP And then transmit the LT...

Page 107: ...way broadcast message LBM the destination address of the message is the outlying MP Once the middle facility receive the LBM will then transmit and the outlying MP will sending the replay message LBR...

Page 108: ...levels in the maintenance domain in the whole network to confirm each level of boundaries in the domain 2 Confirm the name of each maintenance domain the name of different facilities is the same in th...

Page 109: ...net cfm mode Select the mode of enabling CFM OAM it is only used be fore enabling CFM OAM function No command recovers to be the default of auto 2 Enable CFM OAM function globally Command Explanation...

Page 110: ...num pvlan vlan id port pvlan vlan id vlan WORD direction down no service ma name num ber ma num pvlan vlan id Build up MA Configure the property of UP DOWN of MA and enter into MA mode One service ca...

Page 111: ...o mip auto create Build up the MIP configuration on the layer that does not relate to MA As default there is no rule of configuring the mid point and it does not carry the sender id No command deletes...

Page 112: ...omain domain name service ma name number ma num pvlan vlan id Display the configured information of the maintenance collection show ethernet cfm maintenance points local de tail mep mip domain domain...

Page 113: ...aintenance point to the other points Under the default stage this function is closed If enter into target mep id it cannot searching the corresponding mac address If it cannot find it will display err...

Page 114: ...n 3 5 sending cycles of CCM packets judge that the connection to the distant point is wrong then send LTM packet the target of this LTM packet is the distant maintain ing point the TTL field in LTM pa...

Page 115: ...Mode switchport ulpp group group id track cfm cc level level value Configure ulpp group member port to associate with cfm cc detection When ulpp group member port received the matching cfm information...

Page 116: ...id 1 2 Switch config ecfm srv continuity check enable Switch config ecfm srv continuity check receive rmep 2 Switch config ecfm srv exit Switch config ecfm exit Switch config interface ethernet 1 1 Sw...

Page 117: ...LAN ARP Protected VLAN Reference Instance 1 Member Role State Track cfm level Ethernet1 1 MASTER FORWARD 4 Ethernet1 2 SLAVE STANDBY if the CFM checking the CC is overtime then it will inform the ULPP...

Page 118: ...sending and receiving function of CCM information 2 Steps of Configuration 1 Build up VLAN and adding the related ports to corresponding VLAN 2 Open the Global CFM function and build up customer_A an...

Page 119: ...1 on MEP3 Switch config ecfm srv mep mepid 1 4 Switch config ecfm srv continuity check receive rmep 1 3 Switch config ecfm srv exit Switch config ecfm exit Switch config interface ethernet 1 1 Switch...

Page 120: ...onfig ecfm srv continuity check receive enable 8 To check the configuration of maintenance base point of MA1 in customer_A of S1 Switch show ethernet cfm maintenance points local detail mep domain cus...

Page 121: ...on the port then mep will receive the message from this port If it configured the up mep then the mep will receive the messages from others ports Please ensure that the up mep configuration is on the...

Page 122: ...MA is only need to configure on the port if there is configured the MEP point in the port then it cannot develop the MIP even if there is configured the port channel it will cause the MEP ineffective...

Page 123: ...SNR S2940 8G v2 Switch Configuration Guide Part III VLAN and MAC Table Configuration 123...

Page 124: ...ted following IEEE 802 1Q The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands PC Printer Server Switch Switch Sw...

Page 125: ...s of multi VLANs They can be used to connect between the switches or to a computer of the user Hybrid ports and Trunk ports receive the data with the same process method but send the data with differe...

Page 126: ...ort Type Command Explanation Port mode switchport mode trunk access hybrid Set the current port as Trunk Access or Hybrid port 5 Set Trunk port Command Explanation Port mode switchport trunk allowed v...

Page 127: ...able Enable VLAN Ingress Rules Command Explanation Global mode vlan ingress enable Enable Disable VLAN ingress rules no vlan ingress enable 9 Configure Private VLAN Command Explanation VLAN mode priva...

Page 128: ...two switches Configuration Item Configuration description VLAN2 Site A and site B switch port 2 4 VLAN100 Site A and site B switch port 5 7 VLAN200 Site A and site B switch port 8 10 Trunk port Site...

Page 129: ...h Config Vlan200 switchport interface ethernet 1 8 10 Switch Config Vlan200 exit Switch config interface ethernet 1 11 Switch Config If Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11...

Page 130: ...1 10 Switch B Switch config vlan 7 9 10 Switch config interface ethernet 1 7 Switch Config If Ethernet1 7 switchport mode hybrid Switch Config If Ethernet1 7 switchport hybrid native vlan 7 Switch Con...

Page 131: ...nd belong to VLAN 3 On the customer port Trunk VLAN 200 300 On the customer port Trunk VLAN 200 300 Figure 17 1 Dot1q tunnel based Internetworking mode As shown in above after being enabled on the use...

Page 132: ...096 at user s will The user network is considerably independent When the ISP internet is upgrading their network the user networks do not have to change their original configuration Detailed descripti...

Page 133: ...10 switchport mode trunk Switch Config Ethernet1 0 10 dot1q tunnel tpid 0x9100 Switch Config Ethernet1 0 10 exit Switch Config PE2 Switch config vlan 3 Switch Config Vlan3 switchport interface etherne...

Page 134: ...nsmission path 18 2 Selective QinQ Configuration Selective QinQ Configuration Task List 1 Configure the port mapping relation between the inner tag and the outer tag 2 Configure selective QinQ of port...

Page 135: ...cted to the public network 3 The public network permits packets of VLAN 1000 and VLAN 2000 to pass 4 Enable the selective QinQ on Ethernet1 1 and Ethernet1 2 ports of Switch A and Switch B respectivel...

Page 136: ...above configuration packets of VLAN 100 through VLAN 200 from Ethernet1 1 are automatically tagged with the tag of VLAN 1000 as the outer VLAN tag and packets of VLAN 201 through VLAN 300 from Etherne...

Page 137: ...access ports of the switch can not support this function 19 2 VLAN translation Configuration Configuration task sequence of VLAN translation 1 Configure the VLAN translation function on the port 2 Co...

Page 138: ...es VLAN3 to VLAN20 on PE The ingress of the port translates VLAN20 to VLAN3 the egress translates VLAN3 to VLAN20 on PE On the customer port Trunk VLAN 200 300 On the customer port Trunk VLAN 20 Figur...

Page 139: ...sing the VLAN translation the dot1q tunnel function needs to be enabled first to adapt double tag data packet processes VLAN translation When configuration vlan translation of the egress make sure nat...

Page 140: ...n The access ports of the switch can not support this function 20 2 Multi to One VLAN Translation Configuration Multi to One VLAN translation configuration task list 1 Configure Multi to One VLAN tran...

Page 141: ...UserD VID 1 UserF VID 3 UserE VID 2 UserA VID 1 UserB VID 3 UserB VID 2 User A B C VID 100 User D E F VID 200 Figure 20 1 VLAN translation typical application Configuration Item Configuration Explana...

Page 142: ...ddress should not exist in the original and the translated VLAN Check whether the hardware resource of the chip is able to ensure all clients to work normally Limit learning of MAC address may affect...

Page 143: ...the data packet according to the subnet segment leading the data packet to specified VLAN Its advantage is the same as that of the MAC based VLAN the user does not have to change configuration when r...

Page 144: ...AN 3 Configure the correspondence between the MAC address and the VLAN Command Explanation Global mode mac vlan mac mac address vlan vlan id priority priority id no mac vlan mac mac address all Add de...

Page 145: ...efer 21 3 Typical Application of the Dynamic VLAN Scenario In the office network Department A belongs to VLAN100 Several members of this department often have the need to move within the whole office...

Page 146: ...xit Switch C SwitchC Config mac vlan mac f8 f0 82 11 22 33 vlan 100 priority 0 SwitchC Config exit 21 4 Dynamic VLAN Troubleshooting Switch 192 168 1 200 24 192 168 1 100 24 Ping 192 168 1 100 Ping 19...

Page 147: ...22 1 a typical application scene A and G switches are not directly connected in layer 2 network BCDEF are intermediate switches connecting A and G Switch A and G configure VLAN100 1000 manually while...

Page 148: ...ommand Explanation Global mode garp timer join 200 500 garp timer leave 500 1200 garp timer leaveall 5000 60000 no garp timer join leave leaveAll Configure leaveall join and leave timer for GVRP 2 Con...

Page 149: ...1 of Switch A and C Port 10 11 of Switch B Global GVRP Switch A B C Port GVRP Port 11 of Switch A and C Port 10 11 of Switch B Connect two workstations to the VLAN100 ports in switch A and B connect p...

Page 150: ...ce ethernet 1 2 6 Switch Config Vlan100 exit Switch config interface ethernet 1 11 Switch Config If Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11 gvrp Switch Config If Ethernet1 11...

Page 151: ...The configuration is based on MAC address acquiring a mechanism in which every voice equipment transmitting information through the network has got its unique MAC address VLAN will trace the address...

Page 152: ...on Port mode switchport voice vlan enable Enable disable the Voice VLAN function on the port no switchport voice vlan enable 23 3 Typical Applications of the Voice VLAN Scenario A company realizes voi...

Page 153: ...onfig If Ethernet1 0 10 exit switch Config interface ethernet 1 0 1 switch Config If Ethernet1 0 1 switchport mode hybrid switch Config If Ethernet1 0 1 switchport hybrid allowed vlan 100 untag switch...

Page 154: ...be forwarded for a long time the entry will be deleted from the switch MAC table There are two MAC table operations 1 Obtain a MAC address 2 Forward or filter data frame according to the MAC table 24...

Page 155: ...and port 1 12 is added to the MAC table 4 Now the MAC table has two dynamic entries MAC address 00 01 11 11 11 11 port 1 5 and 00 01 33 33 33 33 port1 12 5 After the communication between PC1 and PC3...

Page 156: ...cast frames in all ports but forward the frames in all ports in the same VLAN Multicast frame For the unknown multicast the switch will broadcast it in the same vlan but the switch only forwards the m...

Page 157: ...Admin Mode clear mac address table dynamic address mac addr vlan vlan id interface ethernet portchan nel interface name Clear the dynamic address table 24 3 Typical Configuration Examples Switch A PC1...

Page 158: ...MAC address If not the problems mentioned above please check for the switch portand contact technical support for solution 24 5 MAC Address Function Extension 24 5 1 MAC Address Binding Introduction...

Page 159: ...port 2 Lock the MAC addresses for a port Command Explanation Port Mode switchport port security lock no switchport port security lock Lock the port then MAC addresses learned will be disabled The no...

Page 160: ...stem will report this monitored event the no command will cancel this function mac address table periodic monitor time 5 86400 Set the MAC monitor interval to count the added and deleted MAC in time a...

Page 161: ...l MAC notification 3 Configure the interval for sending MAC notification 4 Configure the size of history table 5 Configure the trap type of MAC notification supported by the port 6 Show the configurat...

Page 162: ...ed both removed no mac notification Configure or cancel the trap type of MAC notification sup ported by the port 6 Show the configuration and the data of MAC notification Command Explanation Admin mod...

Page 163: ...address table notification interval 5 Switch config mac address table notification history size 100 Switch Config If Ethernet1 4 mac notification both 24 6 4 MAC Notification Troubleshooting Check whe...

Page 164: ...SNR S2940 8G v2 Switch Configuration Guide Part IV MSTP Configuration 164...

Page 165: ...ources and reduces the bandwidth consumption 25 1 1 MSTP Region Because multiple VLANs can be mapped to a single spanning tree instance IEEE 802 1s com mittee raises the MST concept The MST is used to...

Page 166: ...r all of them If the bridge receives superior MST root information lower bridge ID lower path cost and so forth than currently stored for the port it relinquishes its claim as the IST master Within a...

Page 167: ...such as bridge priority and port cost etc Consequently the VLANs in different instances have their own paths The traffic of the VLANs are load balanced 25 2 MSTP Configuration Task List MSTP configura...

Page 168: ...ot guard Configure currently port whether running root guard in specified instance configure the root guard port can t turn to root port spanning tree rootguard no spanning tree rootguard Configure cu...

Page 169: ...igure the fast migrate feature for MSTP Command Explanation Port Mode spanning tree link type p2p auto force true force false no spanning tree link type Set the port link type spanning tree portfast b...

Page 170: ...ng no spanning tree digest snooping Set the port to use the authentication string of partner port The no command restores to use the generated string 9 Configure the FLUSH mode once topology changes C...

Page 171: ...t configuration for switches is listed below Bridge Name SW1 SW2 SW3 SW4 Bridge MAC 00 00 01 00 00 02 00 00 03 00 00 04 Bridge Priority 32768 32768 32768 32768 Port Priority port 1 128 128 128 port 2...

Page 172: ...Switch3 as 0 Set the bridge priority of Instance 4 in Switch4 as 0 The detailed configuration is listed below Switch2 Switch2 config vlan 20 Switch2 Config Vlan20 exit Switch2 config vlan 30 Switch2...

Page 173: ...terface e1 0 1 7 Switch4 Config Port Range switchport mode trunk Switch4 Config Port Range exit Switch4 config spanning tree Switch4 config spanning tree mst 4 priority 0 After the above configuration...

Page 174: ...onfiguration SW3 SW1 SW4 SW2 5X 4 5 3 4 2 1X 1 2 1 2 6X 7X 6 7 3X Figure 25 3 The Topology Of the Instance 0 after the MSTP Calculation SW3 SW4 SW2 5X 4X 5 3 4 2 2 6 7X 6 7 3X Figure 25 4 The Topology...

Page 175: ...enabled globally it can t be enabled on the port The MSTP parameters co work with each other so the parameters should meet the following conditions Otherwise the MSTP may work incorrectly 2 x Bridge_...

Page 176: ...SNR S2940 8G v2 Switch Configuration Guide Part V QoS and Flow based Redirection Configuration 176...

Page 177: ...ccording to the application requirement and network management QoS Domain QoS Domain supports QoS devices to form a net topology that provides Quality of Service so this topology is defined as QoS Dom...

Page 178: ...ets according to the policing policies Scheduling QoS egress action Configure the weight for eight egress queues WRR Weighted Round Robin In Profile Traffic within the QoS policing policy range bandwi...

Page 179: ...d to end QoS solution can be created QoS configuration is flexible the complexity or simplicity depends on the network topology and devices and analysis to incoming outgoing traffic 26 1 3 Basic QoS M...

Page 180: ...traffic according to packet classification information and generate in ternal priority and drop precedence based the classification information For different packet types and switch configurations cla...

Page 181: ...flow to configure different policies that allocate band width to classified traffic the assigned bandwidth policy may be dual bucket dual color or dual bucket three color The traffic will be assigned...

Page 182: ...e for the egress packets the queuing operation assigns the packets to different priority queues according to the internal priority while the scheduling operation perform the packet forwarding accordin...

Page 183: ...policy may be bound to the specific VLAN It is not recommended to synchronously use policy map on VLAN and its port 4 Configure queue management algorithm Configure queue management algorithm such as...

Page 184: ...CTION violate action ACTION ACTION definition drop transmit set dscp transmit dscp_value set prec transmit ip_precedence_value set cos transmit cos_value set internal priority inp_value set Drop Prece...

Page 185: ...the port Egress policy map is not supported yet Global Mode service policy input policy map name vlan vlan list no service policy input policy map name vlan vlan list Apply a policy map to the specifi...

Page 186: ...ll policy map 7 Show configuration of QoS Command Explanation Admin Mode show mls qos maps cos dp dscp dscp dscp intp dscp dp intp dscp Display the configuration of QoS mapping show class map class ma...

Page 187: ...Configuration result An ACL name 1 is set to matching segment 192 168 1 0 Enable QoS globally create a class map named c1 matching ACL1 in class map create another policy map named p1 and refer to c1...

Page 188: ...be used with other trust or Policy Map trust dscp can be used with other trust or Policy Map This configuration takes effect to IPv4 and IPv6 packets trust exp trust dscp and trust cos may be configur...

Page 189: ...COS to Int Prio COS to Drop Prec conversion according to the packet COS value 5 Set the packet COS eld equals Int Prio DSCP to DSCP DSCP to Int Prio DSCP to Drop Prec conversion according to the pack...

Page 190: ...ction accordng to the policy Select one or several options of the following Set COS Set L2 COS eld of the packet Set Int Prio Set internal priority of the packet Set Drop Prec Set drop precedence of t...

Page 191: ...op priority and the egress queue Place packet into speci ed queue and forward according to the weight priority of the queues Enter the policing ow N Y Remark EXP eld of the packet according to Int Pri...

Page 192: ...SNR S2940 8G v2 Switch Configuration Guide QoS Configuration Server Switch3 Switch2 Switch1 QoS Area Trunk Figure 26 8 Typical QoS topology 192...

Page 193: ...network and diagnose the problems in the network 2 Special transmission policy for a special type of data frames The switch can only designate a single destination port of redirection for a same clas...

Page 194: ...ource IP is 192 168 1 111 2 Apply the redirection based on this flow to port 1 The following is the configuration procedure Switch config access list 1 permit host 192 168 1 111 Switch config interfac...

Page 195: ...ority of flexible QinQ is higher than basic QinQ 28 1 2 Basic QinQ Basic QinQ based the port After a port configures QinQ whether the received packet with tag or not the device still packs the default...

Page 196: ...as sify data flow by ACL CoS VLAN ID IPv4 Precedent or DSCP etc for the class map the no command deletes the speci fied match standard 2 Configure policy map of flexible QinQ Command Explanation Globa...

Page 197: ...onfiguration on the port 28 3 Flexible QinQ Troubleshooting If flexible QinQ policy can not be bound to the port please check whether the problem is caused by the following reasons Make sure flexible...

Page 198: ...SNR S2940 8G v2 Switch Configuration Guide Part VI L3 Forward and ARP Configuration 198...

Page 199: ...contain one or more layer 2 ports which belong to the same VLAN or contain no layer 2 ports At least one of the Layer 2 ports contained in Layer 3 interface should be in UP state for Layer 3 interface...

Page 200: ...s Service Information Terminal which make use of Internet which require IP addresses the supply of IP addresses turns out to be more and more tense People have been working on the problem of shortage...

Page 201: ...ant Unlike IPv4 the mobility of IPv6 is from embedded automatic configuration to get transmission address Care Of Address therefore it doesn t need Foreign Agent Furthermore this kind of binding proce...

Page 202: ...re interface IPv6 address b Configure default gateway 2 IPv6 Neighbor Discovery Configuration a Configure DAD neighbor solicitation message number b Configure send neighbor solicitation message interv...

Page 203: ...terface interface type interface name Set static neighbor table entries including neigh bor IPv6 address MAC address and two layer port no ipv6 neighbor ipv6 address Delete neighbor table entries d De...

Page 204: ...0 too If the route table does not have the destination of a packet and has no default route configured the packet will be discarded and an ICMP packet will be sent to the source address indicate the...

Page 205: ...iguration of layer3 SwitchA Switch config Switch config ip route 10 1 5 0 255 255 255 0 10 1 2 2 Configuration of layer3 SwitchC Switch config Next hop use the partner IP address Switch config ip rout...

Page 206: ...e arp ip_address mac_address interface ethernet portName no arp ip_address Configures a static ARP entry the no com mand deletes a ARP entry of the specified IP address 29 4 3 ARP Troubleshooting If p...

Page 207: ...any host or port with ARP scanning features is found in the segment the switch will cut off the attack source to ensure the security of the network There are two methods to prevent ARP scanning port...

Page 208: ...of the port based ARP Scanning Prevention anti arpscan ip based threshold threshold value no anti arpscan ip based threshold Set the threshold of the IP based ARP Scanning Prevention 3 Configure trust...

Page 209: ...disable the debug switch of ARP scan ning prevention 30 3 ARP Scanning Prevention Typical Examples PC Switch2 Switch1 Server PC E1 0 1 E1 0 19 E1 0 2 Figure 30 1 ARP scanning prevention typical config...

Page 210: ...g If Ethernet1 0 19 exit SWITCH B configuration task sequence SwitchB config anti arpscan enable SwitchB config interface ethernet1 0 1 SwitchB Config If Ethernet1 0 1 anti arpscan trust port SwitchB...

Page 211: ...ame network even if are connected by the switches it sends an ARP reply packet to two hosts separately and make them misunderstand MAC address of the other side as the hacker host MAC address In this...

Page 212: ...tic learning function of ARP Thus it prevents ARP spoofing and attack to a great extent 31 2 Prevent ARP Spoofing configuration The steps of preventing ARP spoofing configuration as below 1 Disable AR...

Page 213: ...rce address and destination address the mutual communicated data between B and C are received by A unconsciously Be cause the ARP list is update timely another task for A is to continuously send ARP r...

Page 214: ...dress of PC2 is mapped to an illegal MAC address which will prevent PC2 from receiving the messages to it Particularly if the attacker pretends to be the gateway and do ARP cheating the whole network...

Page 215: ...REE RESOURCE related accessing scheme Please refer to relative documents for details 32 2 ARP Guard Configuration Task List 1 Configure the protected IP address Command Explanation Port configuration...

Page 216: ...the MAC address of the gateway If the switch advertises gratuitous ARP requests the host will not have to send these requests This will reduce the frequency the host s sending ARP requests for the ga...

Page 217: ...92 168 14 254 its network address mask is 255 255 255 0 Two PCs PC1 and PC2 are con nected to this interface Gratuitous ARP can be enabled through the following configuration 1 Configure two interface...

Page 218: ...SNR S2940 8G v2 Switch Configuration Guide Part VII DHCP Configuration 218...

Page 219: ...s when the user of an IP leaves the network that IP can be assigned to another user DHCP is a client server protocol the DHCP client requests the network address and configura tion parameters from the...

Page 220: ...tions between dynamic IP address allocation and manual IP address binding are 1 IP address obtained dynamically can be different every time manually bound IP address will be the same all the time 2 Th...

Page 221: ...dress8 no netbios name server Configure the address for WINS server The no oper ation cancels the address for server netbios node type b node h node m node p node type number no netbios node type Conf...

Page 222: ...que ID of the user when binding address manually 3 Enable logging for address conflicts Command Explanation Global Mode ip dhcp conflict logging no ip dhcp conflict logging Enable disable logging for...

Page 223: ...HCP Relay Configuration Task List 1 Enable DHCP relay 2 Configure DHCP relay to forward DHCP broadcast packet 3 Configure share vlan 1 Enable DHCP relay Command Explanation Global Mode service dhcp no...

Page 224: ...node type H node Lease 3 days Lease 1day In location A a machine with MAC address 00 03 22 23 dc ab is assigned with a fixed IP address of 10 16 1 210 and named as management Switch config service dh...

Page 225: ...ty between the client gateway and the switch must be ensured for the client to get an IP address from the 10 16 2 0 24 address pool Scenario 2 DHCP Server 10 1 1 10 DHCP Relay E1 0 2 10 1 1 1 E1 0 1 1...

Page 226: ...Ethernet1 0 2 switchport mode trunk switch config service dhcp switch config ip forward protocol udp bootps switch config ip dhcp relay information option switch config ip dhcp relay share vlan 1 sub...

Page 227: ...auto address configuration in non state DHCPv6 can provide extend function of DHCPv6 prefix delegation upstream route can assign address prefix to downstream route automatically that achieve the IPv6...

Page 228: ...e been implemented on the switch When the DHCPv6 relay receives any messages from the DHCPv6 client it will encapsulate the request in a Relay forward packet and deliver it to the next DHCPv6 relay or...

Page 229: ...the range of IPv6 address assignable of ad dress pool dns server ipv6 address no dns server ipv6 address To configure DNS server address for DHCPv6 client domain name domain name no domain name domain...

Page 230: ...face name vlan 1 4096 no ipv6 dhcp relay destina tion ipv6 address interface interface name vlan 1 4096 To specify the destination address of DHCPv6 relay trans mit The no form of this command delete...

Page 231: ...pool poolname To configure DHCPv6 address pool b To configure prefix delegation pool used by DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode prefix delegation pool pool...

Page 232: ...server poolname To enable DHCPv6 server function on specified port and binding used DHCPv6 address pool 35 5 DHCPv6 Prefix Delegation Client Configuration DHCPv6 prefix delegation client configuratio...

Page 233: ...nfiguration Example Usage guide Switch3 configuration Switch3 config service dhcpv6 Switch3 config ipv6 dhcp pool EDP Switch3 dhcpv6 EDP config network address 2001 da8 100 1 1 2001 da8 100 1 100 Swit...

Page 234: ...verify the router responsible for DHCPv6 packet forwarding has DHCPv6 relay function If DHCPv6 relay is not available for the intermediate router it is recommended to replace the router or upgrade its...

Page 235: ...n 82 and defend against them DHCP Relay Agent will peel the option 82 from the reply messages it receives and forward the reply message to the specified port of the network access device according to...

Page 236: ...t have option 82 2 DHCP Relay Agent will add the option 82 to the end of the request message it receives then relay and forward the message to the DHCP server By default the sub option 1 of option 82...

Page 237: ...f the system for the received DHCP request message which con tains option 82 The drop mode means that if the message has option82 then the system will drop it without process ing keep mode means that...

Page 238: ...n 82 4 Configure DHCP option 82 default format of Relay Agent Command Explanation Global Mode ip dhcp relay information option subscriber id format hex acsii vs hp Set subscriber id format of Relay Ag...

Page 239: ...the state information of the DHCP option 82 in the system including option82 enabling switch the interface retransmitting policy the circuit ID mode and the DHCP server option82 enabling switch debug...

Page 240: ...ch3 Config interface vlan 3 Switch3 Config if vlan3 ip address 192 168 10 222 255 255 255 0 Switch3 Config interface vlan 2 Switch3 Config if vlan2 ip address 192 168 102 2 255 255 255 0 Switch3 Confi...

Page 241: ...rrectly depending on the network topology of the DHCP Relay Agent or even the Relay Agent can operate normally the allocation of addresses will fail When there is more than one kind of Relay Agent ple...

Page 242: ...rn option 43 to DHCP client 2 Address pool only configured option 43 it will match with any option 60 If the received DHCP packet with option 60 from DHCP client DHCP client will receive the option 43...

Page 243: ...discovery request for wireless controller DHCP server configures option 60 matched with the option 60 of fit ap to return option 43 attribute to FTP AP The wireless controller addresses of DHCP option...

Page 244: ...gal DHCPv6 client to trigger deny service attack through using MAC address of other legal clients Therefore IETF set rfc4649 and rfc4580 i e DHCPv6 option 37 and option 38 to solve these problems DHCP...

Page 245: ...with option 37 keep the system keeps option 37 unchanged and forwards the packet to the server replace the system replaces option 37 of current packet with its own before forwarding it to the server...

Page 246: ...elay option basic functions configuration Command Explanation Global mode ipv6 dhcp relay remote id option no ipv6 dhcp relay remote id op tion This command enables the switch relay to support option...

Page 247: ...of DHCPv6 class during address assignment the no form of this command disables it without removing the relative DHCPv6 class information that has been configured ipv6 dhcp class class name no ipv6 dh...

Page 248: ...assignment policies CLASS of which CLASS1 matches option 38 CLASS2 matches option 37 and CLASS3 matches option 37 and option 38 In the address pool EDP the requests matched with CLASS1 CLASS2 and CLA...

Page 249: ...onfig exit SwitchB config ipv6 dhcp class CLASS3 SwitchB dhcpv6 class class3 config remote id f8 f0 82 00 00 01 subscriber id vlan1 Ethernet1 0 3 SwitchB dhcpv6 class class3 config exit SwitchB config...

Page 250: ...scriber id option S2 config vlan 10 S2 config vlan10 int vlan 10 S2 config if vlan10 ipv6 address 2001 da8 1 2 64 S2 config if vlan10 ipv6 dhcp relay destination 2001 da8 10 1 1 S2 config if vlan10 ex...

Page 251: ...Server reply pack ets including DHCPOFFER DHCPACK and DHCPNAK it will alarm and respond according to the situation shutdown the port or send Black hole Defense against DHCP over load attacks To avoid...

Page 252: ...Snooping 2 Enable DHCP Snooping binding function 3 Enable DHCP Snooping binding ARP function 4 Enable DHCP Snooping option82 function 5 Set the private packet version 6 Set DES encrypted key for priv...

Page 253: ...able Enable disable DHCP Snooping option 82 func tion 5 Set the private packet version Command Explanation Global mode ip user private packet version two no ip user private packet version two To confi...

Page 254: ...dress ipAddr interface ethernet ifname no ip dhcp snooping binding user mac inter face ethernet ifname Add delete DHCP snooping static binding list entries 12 Set defense actions Command Explanation P...

Page 255: ...ping information option self defined remote id format ascii hex Set self defined format of remote id for snooping option82 ip dhcp snooping information option self defined subscriber id vlan port id s...

Page 256: ...on sequence is switch config ip dhcp snooping enable switch config interface ethernet 1 0 11 switch Config Ethernet1 0 11 ip dhcp snooping trust switch Config Ethernet1 0 11 exit switch config interfa...

Page 257: ...SNR S2940 8G v2 Switch Configuration Guide Part VIII Multicast Protocol 257...

Page 258: ...urthermore Broadcast mode goes against the security and secrecy The emergence of IP Multicast technology solved this problem in time The Multicast source only sends out the message once Multicast Rout...

Page 259: ...which are not kept for use by Permanent Multicast Group can be utilized by temporary Multicast groups 224 0 0 0 224 0 0 255 are reserved Multicast addresses Permanent Group Address ad dress 224 0 0 0...

Page 260: ...e shortest path from receipt site to source address If shortest path Tree is used then the source address is the address of source host which sends Multicast Data Packets if Shared Tree is used then t...

Page 261: ...ss transmitting packets The Service Oriented Priority Strategy Multicast of Security Controllable technology adopts the following mode for multicast data in limit range set the priority specified by t...

Page 262: ...configuration destination control configuration also has three steps First enable destination control globally Since destination control need to prevent unautho rized user from receiving multicast da...

Page 263: ...data to achieve and guarantee the effects the specific user requires It is noticeable that multicast data can not get a special care all along unless the data are transmitted at TRUNK port The configu...

Page 264: ...ity of value 4 Usually this is pretty higher the higher possible one is protocol data if higher priority is set when there is too many multicast data it might cause abnormal behavior of the switch pro...

Page 265: ...i fied VLAN ip igmp snooping proxy no ip igmp snooping proxy Enable IGMP Snooping proxy function the no command disables the function ip igmp snooping vlan vlan id limit group g_limit source s_limit n...

Page 266: ...nable the IGMP fast leave function for the specified VLAN the no ip igmp snooping vlan vlan id immediate leave command disables the IGMP fast leave function ip igmp snooping vlan vlan id query mrsp va...

Page 267: ...he switch or in the VLANs If IGMP Snooping should be enabled in VLAN 100 the IGMP Snooping should be first enabled for the switch in Global Mode and in VLAN 100 and set port 1 of VLAN 100 to be the mr...

Page 268: ...nooping SwitchA config ip igmp snooping vlan 60 SwitchA config ip igmp snooping vlan 60 L2 general querier SwitchB config SwitchB config ip igmp snooping SwitchB config ip igmp snooping vlan 100 Switc...

Page 269: ...This ensures the IGMP snooping can work in cooperation with the layer 3 multicast protocols 40 3 4 IGMP Snooping Troubleshooting On IGMP Snooping function configuration and usage IGMP Snooping might n...

Page 270: ...t address it will send a MLD Multicast listener Report back through the multicast address MLD Snooping is namely the MLD listening The switch restricts the multicast traffic from flooding through MLD...

Page 271: ...id mrouter port learnpim6 Enable the function that the specified VLAN learns mrouter port according to pimv6 pack ets the no command will disable the function ipv6 mld snooping vlan vlan id mrpt value...

Page 272: ...le the multicast router on port 1 Suppose we need MLD Snooping on VLAN 100 however by default the global MLD Snooping as well as the MLD Snooping on each VLAN are therefore first we have to enable the...

Page 273: ...ing Group 1 Group 1 Group 1 Group 2 Group 1 Group 2 Mrouter port Multicast Router Figure 41 2 Switch as MLD Querier Function figure Configuration of switch B is the same as the switches in case 1 and...

Page 274: ...physical connection failure wrong configuration etc The user should ensure the following Ensure the physical connection is correct Ensure the MLD Snooping is enabled under global mode using ipv6 mld s...

Page 275: ...ast traffic will be continuously sent to the users 42 2 Multicast VLAN Configuration Task List 1 Enable the multicast VLAN function 2 Configure the IGMP Snooping 1 Enable the multicast VLAN function C...

Page 276: ...0 of the switch The layer 3 switch switchA is connected with layer 2 switches through the port1 0 10 which configured as trunk port On the switchB the VLAN100 is configured set to contain port1 0 15 a...

Page 277: ...interface ethernet 1 0 20 SwitchB config If Ethernet switchport access vlan 101 SwitchB config If Ethernet exit SwitchB config interface ethernet 1 0 15 SwitchB config If Ethernet switchport access vl...

Page 278: ...SNR S2940 8G v2 Switch Configuration Guide Part IX Security Function Configuration 278...

Page 279: ...ion included in a rule is the effective combination of conditions such as source IP destination IP IP protocol number and TCP port UDP port Access lists can be categorized by the following criteria Fi...

Page 280: ...ccess list based on nomenclature i Create a standard IP access list based on nomenclature ii Specify multiple permit or deny rule entries iii Exit ACL Configuration Mode d Configuring an extended IP a...

Page 281: ...direction of the specified port 5 Clear the filtering information of the specified port 1 Configuring access list a Configuring a numbered standard IP access list Command Explanation Global Mode acces...

Page 282: ...sPortMax dIpAddr dMask any destination host destination dIpAddr d port dPort range dPortMin dPort Max precedence prec tos tos time range time range name Creates a numbered UDP extended IP access rule...

Page 283: ...xtended name Creates an extended IP access list bas ing on nomenclature the no ip access list extended name command deletes the name based extended IP access list ii Specify multiple permit or deny ru...

Page 284: ...no form command deletes this name based extended IP access rule no deny permit eigrp gre igrp ipinip ip ospf protocol num sIpAddr sMask any source host source sIpAddr dIpAddr dMask any destination ho...

Page 285: ...st extended name no mac access list extended name Creates an extended name based MAC ac cess rule for other IP protocols the no form command deletes this name based extended MAC access rule ii Specify...

Page 286: ...m command deletes this name based extended MAC access rule no deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask tagg...

Page 287: ...es not exist then an access list will be created using this number access list num deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dma...

Page 288: ...rule the no form command deletes this name based extended MAC ICMP access rule no deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dma...

Page 289: ...ac mask eigrp gre igrp ip ipinip ospf protocol num source source wildcard any source host source source host ip destination destination wildcard any destination host destination destination host ip pr...

Page 290: ...rtMin dPortMax dscp dscp flow label flowlabel time range time range name ipv6 access list num ext deny permit next header sIPv6Prefix sPrefixlen any source host source sIPv6Addr dIPv6Prefix dPrefixlen...

Page 291: ...p code dscp dscp flow label flowlabel time range time range name Creates an extended name based ICMP IPv6 access rule the no form command deletes this name based extended IPv6 ac cess rule no deny per...

Page 292: ...rule the no form command deletes this name based extended IPv6 access rule iii Exit extended IPv6 ACL configuration mode Command Explanation Extended IPv6 ACL Mode exit Exits extended name based IPv6...

Page 293: ...ange in the week c Configure absolute time range Command Explanation Global Mode absolute start start_time start_data end end_time end_data Configure absolute time range no absolute start start_time s...

Page 294: ...access group 110 in Switch Config If Ethernet1 0 10 exit Switch config exit Configuration result Switch show firewall Firewall status enable Firewall Default Rule Permit Switch show access lists acces...

Page 295: ...11 23 00 00 00 00 00 00 ff ff any destination mac Switch show access group interface ethernet 1 0 10 interface name Ethernet1 0 10 MAC Ingress access list used is 1100 traffic statistics Disable Scen...

Page 296: ...ernet1 0 10 MAC IP Ingress access list used is 3110 traffic statistics Disable Scenario 4 The configuration requirement is stated as below IPv6 protocol runs on the interface 600 of the switch And the...

Page 297: ...ram filtering 3 Bind the ACL to the related interface The configuration steps are listed as below Switch config firewall enable Switch config vlan 100 Switch Config Vlan100 switchport interface ethern...

Page 298: ...configured through physical interface mode ACL configured in the physical mode can only be disabled in the physical mode Those con figured in the VLAN interface configuration mode can only be disable...

Page 299: ...each of them can specify a start offset position L2 end of tag start of L3 header start of L4 header Each window can specify offset its value from 0 to 31 unit is 2Bytes namely 0 means 0Bytes offset...

Page 300: ...ndard Self defined ACL Standard self defined ACL can configure multi ACL lists and each of them can configure multi rules One rule can configure value and mask for 11 windows at most The length of eve...

Page 301: ...e a standard self defined ACL template If the template exists the corresponding window of the template can be mod ified the no command deletes the window of the standard self defined ACL template If t...

Page 302: ...eletes a numbered standard self defined ACL b Configure extended user defined ACL Command Explanation Global Mode userdefined access list extended num deny permit untagged eth2 tagged eth2 cos value m...

Page 303: ...ted below Switch config userdefined access list extended offset swindow1 l3start 4 swindow2 l4start 1 lwindow1 l3start 3 Switch config userdefined access list extended 1300 deny untagged eth2 swindow1...

Page 304: ...config userdefined access list standard 1200 deny 00 12 11 23 00 00 00 00 00 00 ff ff any destination mac tagged 802 3 window1 0A01 FFFF window2 0100 FF00 Switch config firewall enable Switch config v...

Page 305: ...ntrol This standard has been widely used in wireless LAN and ethernet Port Based Network Access Control means to authenticate and control the user devices on the level of ports of LAN access devices O...

Page 306: ...n information to the authenticator system It can also send authentication request and off line request to authenticator The PAE of the authenticator system authenticates the supplicant systems needing...

Page 307: ...uthenticator system and the RADIUS server there are two meth ods to exchange information one method is that EAP messages adopt EAPOR EAP over RADIUS encapsulation format in RADIUS protocol the other i...

Page 308: ...apsulate the relative information of network management such as all kinds of alerting information terminated by terminal devices Length represents the length of the data that is the length of the Pack...

Page 309: ...icator Please refer to the Introduction of RADIUS protocol in AAA RADIUS HWTACACS operation to check the format of RADIUS messages 1 EAP Message As illustrated in the next figure this attribute is use...

Page 310: ...er high level protocols such as EAP over RADIUS making sure that extended authentication protocol messages can reach the authentication server through complicated networks In general EAP relay require...

Page 311: ...on EAP and TLS protocols It uses PKI to protect the id authentication between the supplicant system and the RADIUS server and the dynamically generated session keys requiring both the supplicant syst...

Page 312: ...P and MS CHAPV2 can be transmitted within TTLS tunnels 4 PEAP Authentication Method EAP PEAP is brought up by Cisco Microsoft and RAS Security as a recommended open stan dard It has long been utilized...

Page 313: ...cess Challenge EAP Response EAP TLS TLS change_cipher_spec TLS finished Figure 45 10 the Authentication Flow of 802 1x EAP TLS 45 1 6 The Extension and Optimization of 802 1x Besides supporting the po...

Page 314: ...particular users of the port can access limited resources before being authenticated Once those users pass the authentication they can access all resources Attention when using private supplicant sys...

Page 315: ...and join Auto VLAN Auto VLAN won t change or affect the port s configuration But the priority of Auto VLAN is higher than that of the user set VLAN that is Auto VLAN is the one takes effect when the...

Page 316: ...becomes offline the port will be allocated to the specified Guest VLAN again 45 2 802 1x Configuration Task List 802 1x Configuration Task List 1 Enable IEEE 802 1x function 2 Access management unit p...

Page 317: ...t only used when the access control mode of the port is userbased the no command is used to reset the limit to 10 by default dot1x guest vlan vlanID no dot1x guest vlan Set the guest vlan of the speci...

Page 318: ...ion on no supplicant response the no command restores the default set ting dot1x re authentication no dot1x re authentication Enables periodical supplicant authentica tion the no command disables this...

Page 319: ...update supplicant system software Ethernet1 0 6 the port used by the switch to access the Internet is in VLAN5 As illustrated in the up figure on the switch port Ethernet1 0 2 the 802 1x feature is e...

Page 320: ...h Config If Ethernet1 0 2 switch port mode access Set the access control mode on the port as portbased Switch Config If Ethernet1 0 2 dot1x port method portbased Set the access control mode on the por...

Page 321: ...adius Server 10 1 1 3 Figure 45 16 IEEE 802 1x Configuration Example Topology The PC is connecting to port 1 0 2 of the switch IEEE 802 1x authentication is enabled on port1 0 2 the access mode is the...

Page 322: ...he interface 1 0 2 of the switch and enable IEEE802 1x on inter face1 0 2 Use MAC based authentication Configure the IP address of the switch as 2004 1 2 3 2 and connect the switch with any interface...

Page 323: ...e 802 1x authentication the above functions must be disabled If the switch is configured properly but still cannot pass through authentication connectivity between the switch and RADIUS server the swi...

Page 324: ...switch will delete it from the MAC address list Usually the switch supports both the static configuration and dynamic study of MAC address which means each port can have more than one static set MAC...

Page 325: ...ing the number of MAC ARP and ND of interfaces 1 Limiting the number of dynamic MAC If the number of dynamically learnt MAC address by the VLAN of the switch is already larger than or equal with the m...

Page 326: ...P in the VLAN ipv6 nd dynamic maximum value no ipv6 nd dynamic maximum Enable and disable the number limitation function of NEIGHBOR in the VLAN 3 Configure the timeout value of querying dynamic MAC C...

Page 327: ...arp count no debug ip arp count All kinds of debug information when limiting the num ber of ARP in VLAN debug ipv6 nd count no debug ipv6 nd count All kinds of debug information when limiting the num...

Page 328: ...shooting Help The number limitation function of MAC and IP in Port VLAN is disabled by default if users need to limit the number of user accessing the network they can enable it If the number limitati...

Page 329: ...P of the host into forwarding IP and hence enable the messages from the host to be forwarded by the switch Given the fact that MAC IP can be exclusively bound with a host it is necessary to make MAC I...

Page 330: ...m ip pool ip address num no am ip pool ip address num Configure the forwarding IP of the port 4 Configure the forwarding MAC IP Command Explanation Port Mode am mac ip pool mac address ip address no a...

Page 331: ...packets from other users According to the requirements mentioned above the switch can be configured as follows Switch config am enable Switch config interface ethernet1 0 1 Switch Config If Ethernet...

Page 332: ...attacks such as DoS The protocol check allows the user to drop matched packets based on specified conditions The security features provide several simple and effective protections against Dos attacks...

Page 333: ...fragment attack function dosattack check tcp header size Configure the minimum permitted TCP head length of the packet This command has no effect when used separately the user should enable the dosat...

Page 334: ...hose source port is equal to the destination port Only the ping command with defaulted options is allowed within the IPv4 network namely the ICMP request packet can not be fragmented and its net lengt...

Page 335: ...otocol is of a more reliable transmission and encryption characteristics and is more adapted to security control According to the characteristics of the TACACS Version 1 78 we provide TACACS authen ti...

Page 336: ...igure the authentication timeout for the TACACS server the no tacacs server timeout command re stores the default configuration 4 Configure the IP address of the TACACS NAS Command Explanation Global...

Page 337: ...4 TACACS Troubleshooting In configuring and using TACACS the TACACS may fail to authentication due to reasons such as physical connection failure or wrong configurations The user should ensure the fo...

Page 338: ...have and the accounting for the network resource RADIUS Remote Authentication Dial in User Service is a kind of distributed and client server protocol for information exchange The RADIUS client is us...

Page 339: ...alue fields Type field 1 octet the type of the attribute value which is shown as below Property Type of property Property Type of property 1 User Name 23 Framed IPX Network 2 User Password 24 State 3...

Page 340: ...a accounting enable no aaa accounting enable To enable AAA accounting The no form of this com mand will disable AAA accounting aaa accounting update enable dis able Enable or disable the update accoun...

Page 341: ...erver The no form of this command will restore the default configuration radius server accounting interim update timeout seconds no radius server accounting interim update timeout To configure the upd...

Page 342: ...uration A computer connects to a switch of which the IP address is 2004 1 2 3 2 and connected with a RADIUS authentication server without Ethernet1 0 2 IP address of the server is 2004 1 2 3 3 and the...

Page 343: ...RADIUS server physical connection Second all interface and link protocols are in the UP state use show interface command Then ensure the RADIUS key configured on the switch is in accordance with the...

Page 344: ...the server sides and optional client SSL protocols must build on reliable transport layer such as TCP SSL protocols are independent for application layer Some protocols such as HTTP FTP TELNET and so...

Page 345: ...SSL software under Linux which may not be recognized by the web browser With regard to the switch application it is not necessary to apply for a formal SSL certification key A private certification k...

Page 346: ...be configured for users to access the web interface on the switch If the SSL has been configured communication between the client and the switch will be encrypted through SSL for safety Firstly SSL sh...

Page 347: ...SSL is enabled SSL should be restarted after changes on the port configuration and en cryption configuration IE 7 0 or above should be used for use of des cbc sha If the SSL problems remain unsolved a...

Page 348: ...ork security Simultaneously the normal users get incorrect address and will not be able to connect to the network So in order to implement the security RA function configuring on the switch ports to r...

Page 349: ...al user in the graph advertises RA the normal user will receive the RA set the default router as the vicious IPv6 host user and change its own address This will cause the normal user to not be able to...

Page 350: ...authentication information in the authentication server the matched packets of the port and the source MAC are allowed to pass when the au thentication is successful MAB user didn t need to input the...

Page 351: ...uest vlan 1 4094 no mac authentication bypass guest vlan Set guest vlan of MAB authentication only Hybrid port uses this command it is not take effect on access port mac authentication bypass binding...

Page 352: ...cation mab Configure the authentication mode and pri ority of MAC address the no command re stores the default authentication mode 53 3 MAB Example The typical example of MAB authentication function S...

Page 353: ...g if vlan9 ip address 192 168 61 9 255 255 255 0 Switch config if vlan9 exit Switch config radius server authentication host 192 168 61 10 Switch config radius server accounting host 192 168 61 10 Swi...

Page 354: ...s any problem happens when using MAB function please check whether the problem is caused by the following reasons Make sure global and port MAB function are enabled Make sure the correct username and...

Page 355: ...oever the clients or the access device and the network are faced with security problem especially from the client in the current access network Traditional Ethernet user can not be identified traced a...

Page 356: ...ve Discovery Terminate packet is an especial packet of PPPoE it s Ethernet protocol number 0x8863 is the same as four packets above so it can be considered a packet of discovery stage To stop a PPPoE...

Page 357: ...the sum of all TLV length TLV type field 2 bytes A TLV frame means a TAG type field means TAG type the table is as follows TLV length field 2 bytes Specify the length of TAG data field TLV data field...

Page 358: ...ssed by default occupy 6 bytes and use space symbol to compart eth occupies 3 bytes and uses space symbol to compart Slot ID occupies 2 bytes use to compart and occupy 1 byte Port Index occupies 3 byt...

Page 359: ...e agent type tr 101 circuit id identifier string option delimiter Configure circuit id in added vendor tag pppoe intermediate agent type self defined circuit id vlan port id switch id mac hostname rem...

Page 360: ...tion Switch config if ethernet1 0 1 pppoe intermediate agent trust Switch config if ethernet1 0 1 pppoe intermediate agent vendor tag strip Step 3 Port ethernet1 0 2 of vlan1 and port ethernet1 0 3 of...

Page 361: ...iter of Port ID and Vlan ID as Switch config pppoe intermediate agent type tr 101 circuit id identifier string efgh option spv delimiter delimiter Step 6 Configure circuit id value as bbbb on port eth...

Page 362: ...to communicate with Radius server through logging in authentication client The after 802 1x authentication adds web based authentication mode the user can download a special Java Applet program by bro...

Page 363: ...nding limit 1 256 no webportal binding limit Configure the max web portal binding num ber allowed by the port 4 Configure HTTP redirection address of web portal authentication Command Explanation Glob...

Page 364: ...s address and port as RADIUS server s IP and port and enable the accounting function Ethernet 1 0 2 connects to pc1 the port enables web portal authentication and configure the redirection address an...

Page 365: ...g if ethernet1 0 2 webportal enable Switch config if ethernet1 0 2 ip dhcp snooping binding webportal 55 4 Web Portal Authentication Troubleshooting When using web portal authentication the system wil...

Page 366: ...ts on egress and ingress direction the packets match the specific rules can be allowed or denied ACL can support IP ACL MAC ACL MAC IP ACL IPv6 ACL Ingress direction of VLAN can bind four kinds of ACL...

Page 367: ...ation Global mode vacl mac ip access group 3100 3299 WORD in out traffic statistic vlan WORD no vacl mac ip access group 3100 3299 WORD in out vlan WORD Configure or delete MAC IP VLAN ACL 4 Configure...

Page 368: ...network but can access the inside network with no limitation and apply the policy to Vlan2 Network environment is shown as below PC PC PC PC VLAN1 VLAN2 Figure 56 1 VLAN ACL configuration example Con...

Page 369: ...to VLAN Switch config vacl ip access group vacl_a in vlan 1 Switch config vacl ip access group vacl_b in vlan 2 56 4 VLAN ACL Troubleshooting When VLAN ACL and Port ACL are configured at the same tim...

Page 370: ...e address SAVI function includes ND Snooping function DHCPv6 Snooping function and RA Snooping according to the protocol packet type ND Snooping function is used to detect ND protocol packet it sets I...

Page 371: ...nly slaac only dhcp slaac enable Enable the application scene function for SAVI no command disables the function 3 Configure SAVI binding function Command Explanation Global Mode savi ipv6 check sourc...

Page 372: ...period to a port after its state from up to down no command restores the default value 8 Enable or disable SAVI prefix check function Command Explanation Global Mode ipv6 cps prefix check enable no ip...

Page 373: ...nd disables the trust function port is trans lated from trust port into untrust port 14 Enable or disable ND trust of port Command Explanation Port mode ipv6 nd snooping trust no ipv6 nd snooping trus...

Page 374: ...h1 config savi ipv6 dhcp slaac enable Switch1 config savi check binding probe mode Switch1 config interface ethernet1 0 1 Switch1 config if ethernet1 0 1 ipv6 dhcp snooping trust Switch1 config if eth...

Page 375: ...inding number exceeds the max binding limit it is recommended to configure the bigger binding limit If node binding can not be set for new user after configure the bigger binding limit please check wh...

Page 376: ...SNR S2940 8G v2 Switch Configuration Guide Part X Reliability Configuration 376...

Page 377: ...PP has below characters compare to STP protocol MRPP specifically uses to Ethernet ring topology fast convergence less than 1 s ideally it can reach 100 50 ms 58 1 1 Conception Introduction Switch A S...

Page 378: ...ernet is in break state the secondary port of primary node releases block state and forwards data packets There are no difference on function between Primary port and secondary port of transfer node T...

Page 379: ...time The primary releases the secondary port block state and sends LINK DOWN FLUSH_FDB packet to inform all of transfer nodes to refresh own MAC address forward list 3 Ring Restore After the primary n...

Page 380: ...format no re stores default timer value enable no enable Enable MRPP ring format no disables enabled MRPP ring Port mode mrpp ring ring id primary port no mrpp ring ring id primary port Specify primar...

Page 381: ...ccurs on using MRPP protocol The multi switch constitutes a single MRPP ring all of the switches only are configured an MRPP ring 4000 thereby constitutes a single MRPP ring In above configuration SWI...

Page 382: ...2 mrpp ring 4000 secondary port Switch config If Ethernet1 0 2 exit Switch Config SWITCH C configuration Task Sequence Switch Config mrpp enable Switch Config mrpp ring 4000 Switch mrpp ring 4000 con...

Page 383: ...correct restores the ring and then observes the ring is normal or not The convergence time of MRPP ring net is relative to the response mode of up down If use poll mode the convergence time as hundred...

Page 384: ...above figure uses the double uplink network this is the typical application scene of ULPP SwitchA goes up to SwitchD through SwitchB and SwitchC port A1 and port A2 are the uplink ports SwitchA confi...

Page 385: ...ts through the port which is switched to Forwarding state and update MAC address tables and ARP tables of other devices in the network ULPP respectively uses two kinds of flush packets to update the e...

Page 386: ...an reference instance instance list Configure the protection VLANs the no op eration deletes the protection VLANs flush enable mac flush disable mac Enable or disable sending the flush packets which u...

Page 387: ...pp error Show the error information of ULPP the no operation disables the showing debug ulpp event no debug ulpp event Show the event information of ULPP the no operation disables the showing 59 3 ULP...

Page 388: ...oup 1 control vlan 10 Switch ulpp group 1 exit Switch Config interface ethernet 1 0 1 Switch config If Ethernet1 0 1 ulpp group 1 master Switch config If Ethernet1 0 1 exit Switch Config interface Eth...

Page 389: ...port in group2 The VLANs protected by group1 are 1 100 and by group2 are 101 200 Here both port E1 0 1 and port E1 0 2 at the forwarding state the master port and the slave port mutually backup respec...

Page 390: ...Config interface ethernet 1 0 1 Switch config If Ethernet1 0 1 switchport mode trunk Switch config If Ethernet1 0 1 ulpp flush enable mac Switch config If Ethernet1 0 1 ulpp flush enable arp SwitchC...

Page 391: ...he controlled port its state changes along with Up Down of ULSM group and is always the same with ULSM group state ULSM associates with ULPP to enable the downstream device to apperceive the link prob...

Page 392: ...elating information of ULSM Command Explanation Admin mode show ulsm group group id Show the configuration information of ULSM group debug ulsm event no debug ulsm event Show the event information of...

Page 393: ...interface Ethernet 1 0 2 Switch config If Ethernet1 0 2 ulpp group 1 slave Switch config If Ethernet1 0 2 exit SwitchB configuration task list Switch Config ulsm group 1 Switch Config interface ethern...

Page 394: ...eshooting With the normal configuration if the downlink port does not responds the down event of the uplink port please enable the debug function of ULSM copy the debug information of 3 minutes and th...

Page 395: ...SNR S2940 8G v2 Switch Configuration Guide Part XI Flow Monitor Configuration 395...

Page 396: ...frames received or by the specified rule of a port to another port The flow mirror will take effect only the specified rule is permit A chassis switch supports at most 4 mirror destination ports each...

Page 397: ...ace 1 the data frames sent out by interface 9 and received from interface 7 sent and received by CPU and the data frames received by interface 15 and matched by rule 120 The source IP address is 1 2 3...

Page 398: ...t if yes modify the TRUNK group If the throughput of mirror destination port is smaller than the total throughput of mirror source port s the destination port will not be able to duplicate all source...

Page 399: ...ata sample includes the IPv4 and IPv6 packets Extensions of other types are not sup ported so far As for non IPv4 and IPv6 packet the unify HEADER mode will be adopted following the requirements in RF...

Page 400: ...nfigure the length of the packet data head copied in the sFlow data sampling the no form of this command restores to the default value 5 Configure the max data head length of the sFlow packet Command...

Page 401: ...tchA connected with PC is 192 168 1 100 A loopback interface with the address of 10 1 144 2 is configured on the SwitchA sFlow configuration is as follows Configuration procedure is as follows Switch...

Page 402: ...re wrong configuration etc The user should ensure the following Ensure the physical connection is correct Guarantee the address of the sFlow analyzer configured under global or port mode is acces sibl...

Page 403: ...SNR S2940 8G v2 Switch Configuration Guide Part XII Network Time Management Configuration 403...

Page 404: ...s to provide time synchronization service for other clients in LAN The figure below depicts a NTP SNTP application network topology where SNTP mainly works between second level servers and various ter...

Page 405: ...the con sistent time For a local system running NTP its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks also can synchronize each...

Page 406: ...by the NTP client The no operation will can cel the configuration and restore the default value 4 To configure time zone Command Explanation Global mode clock timezone WORD add subtract 0 23 0 59 no c...

Page 407: ...Explanation Global mode no ntp syn interval 1 3600 un Configure the request packet sending interval of ntp client as 1s 3600s The no command recovers to be the default value of 64s 10 Display informat...

Page 408: ...not support NTP server at present Switch C Switch config ntp enable Switch config interface vlan 1 Switch Config if Vlan1 ip address 192 168 1 12 255 255 255 0 Switch config interface vlan 2 Switch C...

Page 409: ...is considered 11 00 am of summer time 65 2 Summer Time Configuration Task Sequence 1 Configure absolute or recurrent time range of summer time Command Explanation Global mode clock summer time word a...

Page 410: ...le 2 The configuration requirement in the following The summer time from 23 00 on the first Sat urday of April to 00 00 on the last Sunday of October year after year clock offset as 2 hours and summer...

Page 411: ...SNR S2940 8G v2 Switch Configuration Guide Part XIII Debugging and Diagnosis 411...

Page 412: ...nd ICMPv6 query packet to the remote equip ment verifying the accessibility between the switch and the remote equipment Options and ex planations of the parameters of the Ping6 command please refer to...

Page 413: ...very time to discover another router the Traceroute6 repeat this action till certain datagram reaches the destination Traceroute6 Options and explanations of the parameters of the Traceroute6 command...

Page 414: ...bleshooting Debug commands for their corre sponding protocols will be introduced in the later chapters 66 7 System log 66 7 1 System Log Introduction The system log takes all information output under...

Page 415: ...use the system log server By configuring the log host on the switch the log can be sent to the log server for future examination Format and Severity of the Log Information The log information format i...

Page 416: ...on can be save both in SDRAM and the NVRAM if exists besides sent to all terminals To check the log save in SDRAM and the NVRAM we can use the show logging buffered command To clear the log save in NV...

Page 417: ...ddress of the switch is 100 100 100 1 and the IPv4 address of the remote log server is 100 100 100 5 It is required to send the log information with a severity equal to or higher than warnings to this...

Page 418: ...after a spec ified period of time usually when updating the switch version The switch can be rebooted after a period of time instead of immediately after its version being updated successfully 67 2 Re...

Page 419: ...no cpu rx ratelimit total Set the total rate of the CPU receiving packets the no command sets the total rate of the CPU receiving packets to default cpu rx ratelimit queue length queue id qlen value...

Page 420: ...nd Sent by CPU debug driver receive send interface interface name all protocol protocol type discard all detail Turn on the showing of the CPU receiving or sending packet informations no debug driver...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands