Alcatel OmniSwitch 6624 Скачать руководство пользователя страница 371 | Manualshive

Страница: 371 / 546

Alcatel OmniSwitch 6624 Скачать руководство пользователя страница 371

Configuring 802.1X

802.1X Overview

OmniSwitch 6624/6648 Network Configuration Guide

April 2004

page 19-5

802.1X Overview

The 802.1X standard defines port-based network access controls, and provides the structure for authenti-
cating physical devices attached to a LAN. It uses the Extensible Authentication Protocol over LAN
(EAPOL).

There are three components for 802.1X:

•

The Supplicant

—This is the device connected to the switch. The device may be connected directly to

the switch or via a point-to-point LAN segment. Typically the supplicant is a PC or laptop.

•

The Authenticator Port Access Entity (PAE)

—This entity requires authentication from the suppli-

cant. The authenticator is connected to the supplicant directly or via a point-to-point LAN segment.
The OmniSwitch acts as the authenticator.

•

The Authentication Server

—This component provides the authentication service and verifies the

credentials (username, password, challenge, etc.) of the supplicant. On the OmniSwitch, only RADIUS
servers are currently supported for 802.1X authentication.

Note.

The OmniSwitch itself cannot be an 802.1X supplicant.

802.1X Port Behavior

Before any device is authenticated through an 802.1X port, the port is blocked. The port will only accept
802.1X frames (EAPoL frames).

When an 802.1X frame is received from a supplicant, the switch sends an EAP packet to request the
supplicant’s identity. The supplicant then sends the information (an EAP response), which is validated on
an authentication server set up for authenticating 802.1X ports. The server determines whether additional
information (a challenge, or secret) is required from the supplicant.

After the supplicant is successfully authenticated, the port is open only for the supplicant MAC address or
for any MAC address, depending on the global 802.1X configuration. The global configuration is
controlled by the

aaa authentication 802.1x

command. The keyword

open-unique

specifies that only

frames from the supplicant’s MAC address will be allowed on the port after the supplicant is authenti-
cated. The keyword

open-global

specifies that any frames will be allowed on the port after the supplicant

is authenticated. (The

open-unique

state is the default). See

“Setting 802.1X Switch Parameters” on

page 19-8

for more information about configuring this command.

802.1X Components

Supplicant

Authenticator PAE

RADIUS server

OmniSwitch

PC

login request

OmniSwitch 6648

OmniSwitch 6648

Authentication

Server

authentication

request

authorization

granted

«
...
369
370
371
372
373
...
»

Содержание OmniSwitch 6624

Страница 1: ...Part No 060179 10 Rev C April 2004 OmniSwitch 6624 6648 Network Configuration Guide www alcatel com...

Страница 2: ...OmniVista are registered trademarks of Alcatel Internetworking Inc OmniAccess Omni Switch Router PolicyView RouterView SwitchManager VoiceView WebView X Cell X Vision and the Xylan logo are trademark...

Страница 3: ...ults 1 3 Configuring Ethernet Ports Tutorial 1 4 Ethernet Ports Overview 1 6 OmniSwitch 6648 1 6 OmniSwitch 6624 1 7 OmniSwitch 6600 U24 1 7 10 100 Crossover Supported 1 7 Setting Ethernet Port Parame...

Страница 4: ...4 Configuring Static MAC Addresses 2 5 Static MAC Addresses on Link Aggregate Ports 2 5 Configuring MAC Address Table Aging Time 2 6 Displaying MAC Address Table Information 2 7 Chapter 3 Configuring...

Страница 5: ...11 Defining an IP Router Port 4 11 Modifying an IP Router Port 4 12 Defining Maximum Transmission Unit MTU Size 4 12 What is Single MAC Router Mode 4 13 Bridging VLANs Across Multiple Switches 4 14 V...

Страница 6: ...Defaults 6 2 Sample VLAN Port Assignment 6 3 Statically Assigning Ports to VLANs 6 4 Dynamically Assigning Ports to VLANs 6 4 How Dynamic Port Assignment Works 6 5 VLAN Mobile Tag Classification 6 5...

Страница 7: ...7 15 How to Define a MAC Port Binding Rule 7 16 How to Define a MAC IP Address Binding Rule 7 16 How to Define an IP Port Binding Rule 7 16 How to Define a Port Protocol Binding Rule 7 17 Defining MA...

Страница 8: ...g with Link Aggregation 9 6 Configuring the Frame Type 9 7 Show 802 1Q Information 9 8 Application Example 9 9 Verifying 802 1Q Configuration 9 11 Chapter 10 Configuring Static Link Aggregation 10 1 I...

Страница 9: ...Configuring Ports to Join and Removing Ports in a Dynamic Aggregate Group 11 12 Configuring Ports To Join a Dynamic Aggregate Group 11 12 Removing Ports from a Dynamic Aggregate Group 11 16 Modifying...

Страница 10: ...cols 12 4 IP Forwarding 12 5 Creating an IP Router Port 12 5 Creating a Static Route 12 6 Creating a Default Route 12 6 Configuring Address Resolution Protocol ARP 12 7 Adding a Permanent Entry to the...

Страница 11: ...ling a RIP Host Route 13 9 RIP Redistribution 13 9 Enabling RIP Redistribution 13 10 Configuring a RIP Redistribution Policy 13 10 Configuring a Redistribution Metric 13 11 Configuring a RIP Redistrib...

Страница 12: ...y Overview 15 4 DHCP 15 4 DHCP and the OmniSwitch 15 5 DHCP Relay and Authentication 15 5 External DHCP Relay Application 15 6 Internal DHCP Relay 15 7 DHCP Relay Implementation 15 8 Global DHCP 15 8...

Страница 13: ...thentication Servers 17 3 Quick Steps For Configuring Authentication Servers 17 4 Server Overview 17 5 Backup Authentication Servers 17 5 Authenticated Switch Access 17 5 Authenticated VLANs 17 6 Port...

Страница 14: ...uired Files for Web Browser Clients 18 8 SSL for Web Browser Clients 18 11 DNS Name and Web Browser Clients 18 11 Installing the AV Client 18 12 Loading the Microsoft DLC Protocol Stack 18 12 Loading...

Страница 15: ...the Maximum Number of Requests 19 10 Re authenticating an 802 1X Port 19 10 Initializing an 802 1X Port 19 11 Configuring Accounting for 802 1X 19 11 Verifying the 802 1X Port Configuration 19 11 Cha...

Страница 16: ...he QoS Log 21 14 What Kind of Information Is Logged 21 14 Number of Lines in the QoS Log 21 14 Log Detail Level 21 15 Forwarding Log Events to PolicyView 21 15 Forwarding Log Events to the Console 21...

Страница 17: ...37 Creating MAC Groups 21 38 Creating Port Groups 21 39 Port Groups and Maximum Bandwidth 21 40 Verifying Condition Group Configuration 21 42 Using Map Groups 21 43 Sample Map Group Configuration 21 4...

Страница 18: ...Layer 3 ACLs 22 14 Layer 3 ACL Example 1 22 14 Layer 3 ACL Example 2 22 15 Multicast Filtering ACLs 22 15 Verifying the ACL Configuration 22 16 ACL Application Example 22 18 Chapter 23 Configuring IP...

Страница 19: ...figuring the Querier Aging and Election Timeout 23 12 Restoring the Querier Aging and Election Timeout 23 12 IPMS Application Example 23 13 Displaying IPMS Configurations and Statistics 23 15 Chapter...

Страница 20: ...ealth Threshold Limits 24 26 Configuring Sampling Intervals 24 27 Viewing Sampling Intervals 24 27 Viewing Health Statistics for the Switch 24 28 Viewing Health Statistics for a Specific Interface 24...

Страница 21: ...or Task Statistics 26 7 Displaying the Memory Monitor Size Statistics 26 9 Appendix A Software License and Copyright Statements A 1 Alcatel License Agreement A 1 ALCATEL INTERNETWORKING INC AII SOFTWA...

Страница 22: ...Contents xxii OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 23: ...nterprise edge workgroup switches offer ing 24 and 48 10 100 ports respectively The OmniSwitch 6600 U24 is a next generation enterprise edge workgroup switch offering 24 fiber 100 Mbps ports In additi...

Страница 24: ...features that are typically deployed in a multi switch environment What is in this Manual This configuration guide includes information about configuring the following features VLANs VLAN router ports...

Страница 25: ...parameter Many chapters include a Quick Steps section which is a procedure covering the basic steps required to get a software feature up and running In Depth Information All chapters include overview...

Страница 26: ...n the switch directory structure basic file and directory utilities switch access security SNMP and web based management It is recommended that you read this guide before connecting your switch to the...

Страница 27: ...es procedures for readying an individual switch for integration into a network Topics include the software directory architecture image rollback protections authenticated switch access managing switch...

Страница 28: ...hat you are using Acrobat Reader with the global search option look for the following button in the toolbar Note When printing pages from the documentation PDFs de select Fit to Page if it is selected...

Страница 29: ...sed in the configuration examples For more details about the syntax of commands see the OmniSwitch CLI Reference Guide Configuration procedures described in this chapter include Setting Trap Port Link...

Страница 30: ...Ethernet 100 Mbps Gigabit Ethernet 1 Gb 1000 Mbps 2 Port Gigabit Uplink Modules OS6600 GNI C2 copper uplink module OS6600 GNI U2 fiber uplink module Switching Routing Support Layer 2 Switching Layer 3...

Страница 31: ...e Speed interfaces speed Auto Duplex Mode interfaces duplex Auto copper ports Full fiber ports Interface Configuration interfaces admin Up Enabled Inter Frame Gap interfaces ifg 12 bytes Maximum Flood...

Страница 32: ...to full duplex in order to set Flow Control described below 3 This step enables flow control for this port with the flow command If the data buffers on the switch are full flow control allows the swit...

Страница 33: ...address 00 d0 95 12 ed 04 BandWidth Megabits 100 Duplex Full Long Accept Disable Runt Accept Disable Long Frame Size Bytes 1518 Runt Size Bytes 64 Input Bytes Received 0 Lost Frames 0 Unicast Frames 0...

Страница 34: ...t Ethernet when the Gigabit Ethernet modules are installed For more information on Ethernet hardware configurations refer to the OmniSwitch 6600 Series Hardware Users Guide The OmniSwitch software sup...

Страница 35: ...rnet when the Giga bit Ethernet modules are installed For more information on Ethernet hardware configurations refer to the OmniSwitch 6600 Series Hardware Users Guide 10 100 Crossover Supported By de...

Страница 36: ...ort link enable To enable trap port link messages on a single port enter trap followed by the slot number a slash the port number and port link enable For example to enable trap port link messages on...

Страница 37: ...to enable flow control on port 3 on slot 2 enter flow 2 3 To enable flow control on a range of ports enter flow followed by the slot number a slash the first port number a hyphen and the last port num...

Страница 38: ...wait time for an entire switch slot enter flow followed by the slot number wait and the desired wait time in microseconds For example to configure a flow control wait time of 96 microseconds on slot...

Страница 39: ...slot 2 port 3 and document the interface type as Fast Ethernet enter flow fastethernet 2 3 no wait Setting Interface Line Speed The interfaces speed command is used to set the line speed on a specific...

Страница 40: ...ure the duplex mode on an entire slot enter interfaces followed by the slot number duplex and the desired duplex setting auto full or half For example to set the duplex mode on slot 2 to full enter in...

Страница 41: ...ic port a range of ports or all ports on a switch slot Values for this command range from 9 to 12 bytes Note This command is only valid on Gigabit ports Gigabit Ethernet is supported only on ports 49...

Страница 42: ...terfaces 2 1 3 no l2 statistics As an option you can document the interface type by entering ethernet fastethernet or gigaethernet before the slot number For example to reset all Layer 2 statistics co...

Страница 43: ...flood multicast For example to enable the maximum flood rate for multicast traffic on slot 2 enter interfaces 2 flood multicast As an option you can document the interface type by entering ethernet f...

Страница 44: ...slot number a slash the port number alias and the text description which can be up to 40 charac ters long For example to configure an alias of ip_phone1 for port 3 on slot 2 enter interfaces 2 3 alias...

Страница 45: ...and the remote link partner is forced to 10 half duplex This is due to the fact that when the local device is set to auto negotiating 10 100 full duplex it senses the remote device is not auto negotia...

Страница 46: ...ngle port a range of ports or an entire NI use the interfaces flow command Please note that if auto negotiation is disabled then flow control will also be disabled To enable or disable flow control on...

Страница 47: ...rfaces Displays general interface information such as hardware MAC address input and output errors show interfaces accounting Displays interface accounting information show interfaces counters Display...

Страница 48: ...Verifying Ethernet Port Configuration Configuring Ethernet Ports page 1 20 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 49: ...so filtered to determine if the source and destination address are on the same LAN segment If the destination address is not found in the MAC address table then the packet is forwarded to all other sw...

Страница 50: ...e Protocol Operation Interface 1 00 00 00 00 00 01 learned 0800 bridging 8 1 1 00 d0 95 6a 73 9a learned aaaa0003 bridging 10 23 Total number of Valid MAC addresses above 2 The show mac address table...

Страница 51: ...ddress aging time for VLAN 200 to 1200 seconds the default is 300 seconds using the following command mac address table aging time 1200 vlan 200 Note Optional To verify the static MAC address configur...

Страница 52: ...e Assigning a MAC address to the silent device s port creates a record in the MAC address table and ensures that packets destined for the silent device are forwarded out that port When defining a stat...

Страница 53: ...dress status type permanent reset or learned is not specified then only permanent addresses are removed from the table The following example removes a MAC address entry with a reset status that is ass...

Страница 54: ...eds 1200 seconds If a VLAN ID is not specified then the aging time value is applied to all VLANs configured on the switch When using the mac address table aging time command in a switch configuration...

Страница 55: ...n example of the output for the show mac address table and show mac address table aging time commands is also given in Sample MAC Address Table Configuration on page 2 2 show mac address table Display...

Страница 56: ...Displaying MAC Address Table Information Managing Source Learning page 2 8 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 57: ...ed traffic stopping all traffic on the port or only blocking traffic that violates LPS criteria In This Chapter This chapter describes how to configure LPS parameters through the Command Line Interfac...

Страница 58: ...port 1 Maximum number of learned MAC addresses allowed per port 100 Maximum number of configurable MAC address ranges per LPS port 1 Maximum number of learned MAC addresses per OmniSwitch 6624 6648 ap...

Страница 59: ...f learned MAC addresses allowed on the same ports to 25 using the following command port security 3 6 12 4 6 12 5 6 12 maximum 25 3 Configure the amount of time in which source learning is allowed on...

Страница 60: ...d on the port A list of configured authorized source MAC addresses allowed on the port Additional LPS functionality allows the user to specify how the LPS port handles unauthorized traffic The followi...

Страница 61: ...hen used as criteria for authorizing future traffic from this source MAC on that same port In other words learned authorized MAC addresses become configured criteria for an LPS port For example if the...

Страница 62: ...the source learning MAC address table However when a MAC is authorized for learning on an LPS port an entry is made in the MAC address table in the same manner as if it was learned on a non LPS port s...

Страница 63: ...igured and dynamic in the LPS table for the specified port For example no port security 5 10 Configuring a Source Learning Time Limit By default the source learning time limit is disabled Use the port...

Страница 64: ...rned MAC address are allowed on this port If the maximum number of MAC addresses allowed is reached before the switch LPS time limit expires then all source learning of dynamic and configured MAC addr...

Страница 65: ...multiple ports specify a range of ports or multiple slots For example port security 4 1 5 mac range low 00 20 da 00 00 10 high 00 20 da 00 00 50 port security 2 1 4 4 5 8 mac range low 00 20 d0 59 0c...

Страница 66: ...s required to return the port back to normal operation To configure the security violation mode for an LPS port enter port security followed by the port s slot port designation then violation followed...

Страница 67: ...ls about the syntax of commands see the OmniSwitch CLI Reference Guide Configuration procedures described in this chapter include Creating Modifying VLANs on page 4 5 Defining VLAN Port Assignments on...

Страница 68: ...ase Maximum authenticated VLANs per stack 128 MAC Router Mode Supported Single CLI Command Prefix Recognition All VLAN management commands support prefix recognition See the Using the CLI chapter in t...

Страница 69: ...AN 30 400 on off on off off NA on VLAN 400 1 Create VLAN 255 with a description e g Finance IP Network using the following command vlan 255 name Finance IP Network 2 Define an IP router port using the...

Страница 70: ...ion in the current Spanning Tree algorithm Enabling or disabling classification of mobile port traffic by 802 1Q tagged VLAN ID Enabling or disabling VLAN authentication Defining VLAN IP router ports...

Страница 71: ...active network device Non active port assign ments are allowed but do not change the VLAN s operational state Ports are either statically or dynamically assigned to VLANs When a port is assigned to a...

Страница 72: ...switch ports to a VLAN Regardless of how a port is assigned to a VLAN once the assignment occurs a VLAN port association VPA is created and tracked by VLAN management software on each switch To view...

Страница 73: ...h to allow dynamic VLAN port assignment requires the following steps 1 Use the vlan port mobile command to enable mobility on switch ports that will participate in dynamic VLAN assignment See Chapter...

Страница 74: ...er only IP and IPX protocol rules support the dynamic assignment of one mobile port to multiple VLANs The following table provides a list of commands used to define the various types of VLAN rules For...

Страница 75: ...ause the VLAN mobile tag classification attribute is disabled on VLAN 224 In essence the VLAN mobile tag attribute provides a dynamic 802 1Q tagging capability Mobile ports can now receive and process...

Страница 76: ...VLAN 755 vlan 255 stp disable vlan 755 stp enable STP does not become operationally active on a VLAN unless the VLAN is operationally active which occurs when at least one active port is assigned to...

Страница 77: ...er port e g 193 204 173 21 3 A subnet mask defaults to the IP address class 4 The router port forwarding status defaults to forwarding A forwarding router port sends IP frames to other subnets A route...

Страница 78: ...40 0 0 1 If a change is made to any of the other parame ters and the Class C mask is not specified again in the command syntax the mask will revert back to the default Class A value of 255 0 0 0 For...

Страница 79: ...base chassis MAC address for the switch As a result up to 4094 IP router port VLANs are supported per single switch or per stack of switches This also eliminates the need to allocate additional MAC a...

Страница 80: ...agram shows the physical configuration of an example VLAN bridging domain VLAN Bridging Domain Physical Configuration In the above diagram VLAN 10 exists on all four switches and the connection ports...

Страница 81: ...ugh they are physically connected to different stacks VLAN Bridging Domain Logical View Creating a VLAN bridging domain across multiple switches and or stacks of switches allows VLAN members to commun...

Страница 82: ...Verifying the VLAN Configuration Configuring VLANs page 4 16 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 83: ...o the topology Supports two Spanning Tree operating modes flat single STP instance per switch and 1x1 single STP instance per VLAN Supports two Spanning Tree Algorithms 802 1D standard and 802 1w rapi...

Страница 84: ...ch 6624 6648 Switch Management Guide for more information Parameter Description Command Default Spanning Tree operating mode bridge mode 1x1 a separate Spanning Tree instance for each VLAN BPDU switch...

Страница 85: ...dentified STP calculates the best path that leads from each bridge back to the root and blocks any connections that would cause a network loop To determine the best path to the root STP uses the path...

Страница 86: ...ost value to the root The root bridge does not have a root port Designated Port The designated bridge provides the LAN with the shortest path to the root The designated port connects the LAN to this b...

Страница 87: ...D as the root bridge ID When a bridge receives BPDU on its root port that contains more attractive information higher prior ity parameters and or lower path costs it forwards this information on to ot...

Страница 88: ...Examples The following diagram shows an example of a physical network topology that incorporates data path redundancy to ensure fault tolerance These redundant paths however create loops in the networ...

Страница 89: ...e designated ports because Switch D is the root and each port connects to a LAN Ports 2 10 3 1 and 3 8 are the root ports for Switches A B and C respectively because they offer the shortest path towar...

Страница 90: ...ere is one STP instance for the entire switch port states are determined across VLANs Multiple connections between switches are considered redundant paths even if they are configured in different VLAN...

Страница 91: ...hes If a port in VLAN 10 and a port in VLAN 20 both connect to the same switch within their respective VLANs they are not considered redundant data paths and STP will not block one of them However if...

Страница 92: ...lat STP mode When a switch is running in the 1x1 STP mode each VLAN is in essence a virtual STP bridge with its own STP instance and configurable parameters To change STP parameters while running in t...

Страница 93: ...or an individual VLAN use the show spantree command For more information about this command see the OmniSwitch CLI Reference Guide Enabling Disabling the VLAN BPDU Switching Status By default BPDU ar...

Страница 94: ...to 2 seconds If the switch is running in the flat Spanning Tree mode then a hello time value is defined for VLAN 1 Lowering the hello time interval improves the robustness of the Spanning Tree topolog...

Страница 95: ...ay time propagated in a root bridge Configuration BPDU is the value used by all other bridges in the tree for their own forward delay time Therefore if this value is changed for the root bridge VLAN a...

Страница 96: ...ally set Enabling Disabling STP on a Port By default STP is enabled on all ports If STP is disabled on a port the port is put in a forwarding state for the Spanning Tree instance For example if a port...

Страница 97: ...e associated with the port If the switch is running in the flat Spanning Tree mode then the port priority applies across all VLANs associated with the port VLAN 1 is referenced as the port s VLAN even...

Страница 98: ...s VLAN even if the port is associated with other VLANs To change the path cost for a port enter bridge followed by an existing VLAN ID or VLAN 1 if using a flat Spanning Tree instance then the port s...

Страница 99: ...ually changed again or the port mode is changed to dynamic Ports operating in a manual mode state do not participate in the Spanning Tree Algorithm Dynamic mode indicates that the active Spanning Tree...

Страница 100: ...port is at the edge of a bridged LAN does not receive BPDU and has only one MAC address learned Edge ports however will operationally revert to a point to point or a no point to point connection type...

Страница 101: ...ection command only configures one port at a time Connection Type on Link Aggregate Ports Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm Instead the a...

Страница 102: ...dministrative status for this VLAN was enabled by default when the VLAN was created VLAN 255 on each switch is configured to use the 802 1w rapid reconfiguration Spanning Tree Algorithm and Protocol P...

Страница 103: ...an the same values for ports 2 10 and 3 1 The ports that provide the connection between Switch B and Switch C are in a discarding blocking state because this connection has a higher path cost than the...

Страница 104: ...0 04 Designated Root 000A 00 d0 95 00 00 01 Cost to Root Bridge 4 Root Port Slot 3 Interface 8 Next Best Root Cost 0 Next Best Root Port None Hold Time 1 Topology Changes 3 Topology age 0 4 37 Current...

Страница 105: ...ow For more information about the resulting displays from these commands see the OmniSwitch CLI Refer ence Guide An example of the output for the show spantree and show spantree ports commands is also...

Страница 106: ...Verifying the Spanning Tree Configuration Configuring Spanning Tree Parameters page 5 24 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 107: ...Static Link Aggregation and Chapter 11 Configuring Dynamic Link Aggregation Dynamic assignment applies only to mobile ports When traffic is received on a mobile port the packets are classified using...

Страница 108: ...if using IP and IPX protocol rules Maximum VLAN associations per mobile port using VLAN mobile tag classification 32768 Switch ports eligible for static VLAN assignment Non mobile fixed ports Mobile p...

Страница 109: ...ile 3 4 5 4 Disable the default VLAN parameter for mobile ports 3 4 and 3 5 using the following command vlan port 3 4 5 default vlan disable With this parameter disabled VLAN 255 will not carry any tr...

Страница 110: ...t VLAN See Chapter 10 Configuring Static Link Aggregation and Chapter 11 Configuring Dynamic Link Aggregation for more information When a port is statically assigned to a VLAN a VLAN port association...

Страница 111: ...lan 802 1q command is still used to statically tag VLANs for the port see Chapter 9 Configuring 802 1Q for more information Consider the following when using VLAN mobile tag classification Using mobil...

Страница 112: ...obile tagging enabled Since the work stations are sending tagged packets destined for the mobile tag enabled VLANs each port is assigned to the appropriate VLAN without user intervention As the diagra...

Страница 113: ...age 6 7 Tagged Mobile Port Traffic Triggers Dynamic VLAN Assignment OmniSwitch 6648 OmniSwitch 6648 OmniSwitch 6648 OmniSwitch 6648 OmniSwitch Port 2 VLAN 2 VLAN 1 VLAN 4 IP Network 130 0 0 0 Default...

Страница 114: ...til the port is dynamically assigned to another VLAN Use the vlan port default vlan command to prevent the default VLAN from carrying non matching traffic see Understanding Mobile Port Prop erties on...

Страница 115: ...e diagram on page 6 10 shows Port 1 is assigned to VLAN 2 because the workstation is transmitting IP traffic on network 130 0 0 0 that matches the VLAN 2 network address rule Port 2 is assigned to VLA...

Страница 116: ...on 4 Configure the method of traffic classification VLAN rules or tagged VLAN ID that will trigger dynamic assignment of a mobile port to the VLANs created in Step 3 See VLAN Rule Classification on pa...

Страница 117: ...ports regardless of the QoS settings See Chapter 21 Configuring QoS for more information Use the show vlan port mobile command to display a list of ports that are mobile or are eligible to become mobi...

Страница 118: ...t networks make sure that ignoring BPDU on a mobile port will not cause network loops to go undetected Connectivity problems could also result if a mobile BPDU port dynamically moves out of its config...

Страница 119: ...matches VLAN criteria the port is assigned to that VLAN Secondary VLANs are any VLAN a port is subse quently assigned to that is not the configured default VLAN for that port A mobile port can obtain...

Страница 120: ...OmniSwitch 6648 OmniSwitch 6648 OmniSwitch OmniSwitch 6648 OmniSwitch 6648 OmniSwitch 6648 If default VLAN is enabled Device traffic that does not match any VLAN rules is forwarded on the mobile port...

Страница 121: ...eated from occasional network users e g laptop are not unnecessarily retained If restore default VLAN is disabled Why disable restore default VLAN VPAs are retained even when port traffic is idle for...

Страница 122: ...or more mobile ports See Verifying VLAN Port Associations and Mobile Port Properties on page 6 19 for more information Enable Disable Default VLAN To enable or disable forwarding of mobile port traffi...

Страница 123: ...ed all secondary VPAs for that port are automati cally dropped regardless of the restore default VLAN status for that port Switch ports are disabled when a device is disconnected from the port a confi...

Страница 124: ...For example vlan port 3 1 802 1x enable vlan port 5 2 802 1x disable To enable or disable 802 1X on multiple ports specify a range of ports and or multiple slots vlan port 6 1 32 8 10 24 9 3 14 802 1...

Страница 125: ...igned to the VLAN using the vlan port default command The VLAN is now the port s configured default VLAN qtagged The port was statically assigned to the VLAN using the vlan 802 1q com mand The VLAN is...

Страница 126: ...display from this command see the OmniSwitch CLI Reference Guide Understanding show vlan port mobile Output The show vlan port mobile command provides information regarding a port s mobile status If...

Страница 127: ...address or protocol type matches VLAN rule criteria In This Chapter This chapter contains information and procedures for defining VLAN rules through the Command Line Interface CLI CLI commands are us...

Страница 128: ...P generic rule because only one is allowed per switch Switch ports eligible for VLAN rule classifi cation dynamic VLAN assignment Mobile 10 100 Ethernet and gigabit ports Switch ports not eligible for...

Страница 129: ...rule for VLAN 255 that will capture mobile port DHCP traffic that contains a source MAC address that falls within the range specified by the rule For example vlan 255 dhcp mac 00 DA 95 00 59 10 00 DA...

Страница 130: ...AN even if the port receives traffic that matches other rules VLAN Rule Types There are several types of configurable VLAN rules available for classifying different types of network device traffic The...

Страница 131: ...show vlan port command output however will contain an entry for the temporary VLAN port asso ciation that occurs during this process Once a device connected to a mobile port receives an IP address fr...

Страница 132: ...les determine VLAN assignment based on a device s source MAC address This is the simplest type of rule and provides the maximum degree of control and security Members of the VLAN will consist of devic...

Страница 133: ...rt is assigned to the VLAN only for the purpose of forwarding broadcast types of VLAN traf fic to a device connected to that same port Port rules are mostly used for silent devices such as printers th...

Страница 134: ...evel of precedence When a frame is received on a mobile port switch software starts with rule one in the rule precedence table and progresses down the list until there is a successful match between ru...

Страница 135: ...e contains a matching source MAC address source port and source IP subnet address Frame only contains a matching source MAC address port and IP address do not match Frame only contains a matching IP a...

Страница 136: ...ned to the rule s VLAN 10 Port IP Address Binding Frame contains a matching source port and source IP subnet address Frame only contains a matching source IP address port does not match Frame only con...

Страница 137: ...s recommended however to use predefined rules such as MAC address network address and generic protocol rules whenever possible to ensure accurate results when capturing mobile port traffic When a VLAN...

Страница 138: ...pecified when using the vlan dhcp mac command to create a DHCP MAC rule Therefore to specify multiple MAC addresses for the same VLAN create a DHCP MAC rule for each address If dealing with a large nu...

Страница 139: ...addresses e g 01 00 00 c5 09 1a are ignored even if they fall within a specified MAC range and are not allowed as the low or high end boundary MAC If an attempt is made to use a multicast address for...

Страница 140: ...fic IP network address MAC port IP address binding rule 2 The device must attach to a specific switch port and use a specific source MAC address and use a specific protocol MAC port Protocol binding r...

Страница 141: ...a slot port designation and a protocol type For example the following commands define a MAC port protocol binding rule for VLAN 355 and VLAN 455 vlan 355 binding mac port protocol 00 00 da 59 0c 12 3...

Страница 142: ...mmand defines a MAC IP binding rule for VLAN 1501 vlan 1501 binding mac ip 00 02 9a 3e f1 07 172 16 6 3 In this example frames received on any mobile port must contain a source MAC address of 00 02 9a...

Страница 143: ...s capture frames that contain a source MAC address that matches the MAC address specified in the rule The mobile port that receives the matching traffic is dynamically assigned to the rule s VLAN Usin...

Страница 144: ...d and the rule is not created Use the no form of the vlan mac range command to remove a MAC range rule Note that it is only neces sary to enter the low end MAC address to identify which rule to remove...

Страница 145: ...ght hex digits If an address less than eight digits is entered the entry is prefixed with zeros to equal eight characters For example the following command results in an IPX network address rule for n...

Страница 146: ...IP SNAP protocol type to qualify for dynamic assignment to VLAN 1503 The second command specifies that frames received on any mobile port must contain a DSAP SSAP protocol value of f0 f0 to qualify fo...

Страница 147: ...traffic Port rules only apply to outgoing mobile port broadcast types of traffic and do not classify incoming traf fic In addition multiple VLANs can have the same port rule defined The advantage to...

Страница 148: ...ned making it easy to duplicate for testing purposes The Test VLAN contains its own DHCP server and DHCP clients The clients gain membership to the VLAN through DHCP port rules The Production VLAN car...

Страница 149: ...rver 2 Branch VLAN IP network address rule 10 13 0 0 External Router 1 Test VLAN Production VLAN Connects Test VLAN to Production VLAN External Router 2 Production VLAN Branch VLAN DHCP Relay provides...

Страница 150: ...ort Rules DHCP Servers Both DHCP servers become members in their respective VLANs via IP subnet rules Routers Router 1 provides connectivity between the Test VLAN and the Production VLAN It does not h...

Страница 151: ...ut VLAN rules configured on the switch use the show commands listed below For more information about the resulting display from this command see the OmniSwitch CLI Reference Guide An example of the ou...

Страница 152: ...Verifying VLAN Rule Configuration Defining VLAN Rules page 7 26 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 153: ...r In This Chapter This chapter describes the AMAP and GMAP protocols and how to configure them through the Command Line Interface CLI CLI commands are used in the configuration examples for more detai...

Страница 154: ...rotocols Maximum number of IP addresses propagated by AMAP 255 Parameter Description Command Default AMAP status amap Enabled Discovery time interval amap discovery time 30 seconds Common time interva...

Страница 155: ...witches are on the Spanning Tree path OmniSwitch A and OmniSwitch C have AMAP enabled OmniSwitch B does not OmniSwitch A is adjacent to OmniSwitch C and vice versa If OmniSwitch B enables AMAP the adj...

Страница 156: ...seconds by default To avoid synchronization with adjacent switches the common timeout interval is jittered randomly by plus or minus ten percent Ports wait for a Hello response using the discovery tim...

Страница 157: ...ddition to disabling or enabling AMAP you can view a list of adjacent switches or configure the timeout intervals for Hello packet transmission and reception Enabling or Disabling AMAP To display whet...

Страница 158: ...forms of the command with the desired value any value between 1 and 65535 Note that use of the time command keyword is optional For example amap common 600 amap common time 600 Displaying AMAP Inform...

Страница 159: ...nterface 7 1 VLAN 1 Remote Interface 4 8 VLAN 455 Remote IP Address Configured 3 192 206 183 10 192 206 184 20 192 206 185 30 A visual illustration of these connections is shown here See the OmniSwitc...

Страница 160: ...that are learned on leaf ports ports that are not running Spanning Tree It does not advertise MAC addresses for VLANs assigned by authentication or binding rule classification and it does not adverti...

Страница 161: ...st tick To display the current gaptime interval enter the following command show gmap To change the gaptime interval use either of these forms of the command with the desired value any value between 1...

Страница 162: ...with the desired value any value between 1 and 65535 Note that use of the time command keyword is optional For example gmap hold 500 gmap hold time 250 Displaying GMAP Statistics Use the show gmap co...

Страница 163: ...mmands see 802 1Q Commands in the OmniSwitch CLI Reference Guide Configuration procedures described in this chapter include Setting up an 802 1Q VLAN for a specific port See Enabling Tagging on a Port...

Страница 164: ...d Chapter 6 Assigning Ports to VLANs 802 1Q Defaults Table The following table shows the default settings of the configurable 802 1Q parameters 802 1Q Defaults IEEE Specification Draft Standard P802 1...

Страница 165: ...ds an 802 1Q header to the packet Egress processing of packets is done by the switch hardware Packets have an 802 1Q tag which may be stripped off based on 802 1Q tagging stripping rules If a port is...

Страница 166: ...ort associations For the purposes of Quality of Service QoS 802 1Q ports are always considered to be trusted ports For more information on QoS and trusted ports see Chapter 21 Configuring QoS Alcatel...

Страница 167: ...t vlan 5 802 1q 3 4 Tagging would now be enabled on port 3 4 with a VID of 5 To add tagging to a port and label it with a text name you would enter the text identification following the slot and port...

Страница 168: ...it with a text name enter the text identifica tion following the slot and port number or link aggregation group identification number For example to enable tagging on link aggregation group 8 with a...

Страница 169: ...nd untagged traffic use the same command with the all keyword as shown vlan 802 1q 3 4 frame type all Note If you configure a port to accept only VLAN tagged frames then any frames received on this po...

Страница 170: ...gation group to be a tagged port you can view the settings by using the show 802 1q command as demonstrated show 802 1q 3 4 Acceptable Frame Type Any Frame Type Force Tag Internal off Tagged VLANS Int...

Страница 171: ...LAN 2 by entering vlan 2 as shown below VLAN 1 is the default VLAN for the switch vlan 2 2 Set port 1 1 as a tagged port and assign it to VLAN 2 by entering the following vlan 2 802 1q 1 1 3 Check the...

Страница 172: ...ptable Frame Type tagged only Force Tag Internal on Tagged VLANS Internal Description 2 TAG PORT 2 1 VLAN 2 Connecting Stack 2 and Stack 3 Using 802 1Q The following steps apply to Stack 2 They will a...

Страница 173: ...5 3 Create VLAN 3 by entering the following vlan 3 4 Configure 802 1Q tagging with a tagging ID of 3 on static link aggregation group 5 on VLAN 3 by entering the following vlan 3 802 1q 5 5 Check the...

Страница 174: ...Verifying 802 1Q Configuration Configuring 802 1Q page 9 12 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 175: ...figuration Guide for information on configuring static link aggregation on OmniSwitch 7700 7800 and 8800 switches which use different procedures and have many different operating ranges In This Chapte...

Страница 176: ...ggregation groups per OmniSwitch 6624 or 6600 U24 switch 4 Maximum number of link aggregation groups per OmniSwitch 6648 switch 8 Number of links per group supported on a single switch 2 4 or 8 Number...

Страница 177: ...aggregation group on the local switch with the static agg agg num command For example static agg 1 1 agg num 1 static agg 1 2 agg num 1 static agg 1 3 agg num 1 static agg 1 4 agg num 1 3 Create a VL...

Страница 178: ...4 Primary Port 1 1 You can also use the show linkagg port port command to display information on specific ports See Displaying Static Link Aggregation Configuration and Statistics on page 10 16 for mo...

Страница 179: ...pes of link aggregation groups Static link aggregate groups Dynamic link aggregate groups This chapter describes static link aggregation also known as OmniChannel For information on dynamic link aggre...

Страница 180: ...CLI to monitor static aggregate groups Relationship to Other Features Link aggregation groups are supported by other switch software features The following features have CLI commands or command param...

Страница 181: ...rs on page 10 13 for more information Note See the Link Aggregation Commands chapter in the OmniSwitch CLI Reference Guide for complete documentation of CLI commands for link aggregation Configuring M...

Страница 182: ...f physical links that you plan to use For example if you are planning to use 2 physical links you should create a group with a size of 2 and not 4 or 8 As an option you can also specify a name and or...

Страница 183: ...o a static aggregate group you use the static agg agg num command by entering static agg followed by the slot number a slash the port number agg num and the number of the static aggregate group In add...

Страница 184: ...17 24 10 100 CONSOLE 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 1 2 EXPANSION STACKING EXPANSION 25 26 27 28 TM OmniSwitch 6624 OK1 OK2 PS1 PS2 PRI SEC TEMP FAN LINK ACT LINK ACT LINK...

Страница 185: ...49 50 51 52 TM OmniSwitch 6648 OK1 OK2 PS1 PS2 PRI SEC TEMP FAN 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 25 26 LINK ACT LINK ACT LINK ACT LINK ACT LINK ACT LINK ACT LINK ACT L...

Страница 186: ...long to only one aggregate group In addition mobile ports cannot be aggregated See Chapter 6 Assigning Ports to VLANs for more information on mobile ports As an option you can use the ethernet fasteth...

Страница 187: ...me for a static aggregate group the name must be specified within quotes e g Static Aggregate Group 4 Deleting a Static Aggregate Group Name To remove a name from a static aggregate group you use the...

Страница 188: ...Switch B Sample Network Using Static Link Aggregation Follow the steps below to configure this network Note Only the steps to configure the local i e Switch A are provided here since the steps to con...

Страница 189: ...6624 6648 Network Configuration Guide April 2004 page 10 15 5 Repeat steps 1 through 4 on Switch B All the commands would be the same except you would substi tute the appropriate port numbers Note Opt...

Страница 190: ...D UP 2 2 2 Dynamic 40000002 4 ENABLED DOWN 0 0 3 Dynamic 40000003 8 ENABLED DOWN 0 2 4 Static 40000005 2 DISABLED DOWN 0 0 When you use the show linkagg command with the link aggregation group number...

Страница 191: ...r information on configuring dynamic link aggregation on OmniSwitch 7700 7800 and 8800 switches which use different procedures and have many different operating ranges In This Chapter This chapter des...

Страница 192: ...aracters Number of links per group supported on a single switch 2 4 or 8 Number of links per group supported in a stack 2 4 8 or 16 Group actor admin key 0 to 65535 Group actor system priority 0 to 65...

Страница 193: ...stem ID lacp linkagg partner system id 00 00 00 00 00 00 Group Partner System Priority lacp linkagg partner system priority 0 Group Partner Administrative Key lacp linkagg partner admin key 0 Actor Po...

Страница 194: ...lacp agg 1 3 actor admin key 2 lacp agg 1 4 actor admin key 2 lacp agg 1 5 actor admin key 2 lacp agg 1 6 actor admin key 2 lacp agg 1 7 actor admin key 2 lacp agg 1 8 actor admin key 2 3 Create a VL...

Страница 195: ...0 1f cc 00 00 00 Actor System Id 00 20 da 81 d5 b0 Actor System Priority 0 Actor Admin Key 1 Actor Oper Key 0 Partner System Id 00 20 da 81 d5 b1 Partner System Priority 0 Partner Admin Key 2 Partner...

Страница 196: ...e commands look like entered sequentially on the command line on the partner switch lacp linkagg 2 size 8 lacp agg 2 9 actor admin key 2 lacp agg 2 10 actor admin key 2 lacp agg 2 11 actor admin key 2...

Страница 197: ...flows on the physical links Load balancing distributes traffic by using a hash coding of source and destination MAC addresses Ports must be the same speed within the same aggregate group Alcatel s lin...

Страница 198: ...onfigure dynamic aggregate groups and see Displaying Dynamic Link Aggregation Configuration and Statistics on page 11 36 for information on using the CLI to moni tor dynamic aggregate groups Local Act...

Страница 199: ...in addition to configuring it on individual ports The following features have CLI commands or command parameters that support link aggregation VLANs For more information on VLANs see Chapter 4 Configu...

Страница 200: ...ge 11 3 please see Modifying Dynamic Link Aggregate Group Parameters on page 11 17 for more information Note See the Link Aggregation Commands chapter in the OmniSwitch CLI Reference Guide for complet...

Страница 201: ...table below These parameters must be entered after size and the user specified number of links For example to create a dynamic aggregate group with aggregate number 3 consisting of two ports called ag...

Страница 202: ...be aggregated enter lacp agg followed by the slot number a slash the port number actor admin key and the user specified actor administrative key which can range from 0 to 65535 In addition ports must...

Страница 203: ...100 17 24 10 100 CONSOLE 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 1 2 EXPANSION STACKING EXPANSION 25 26 27 28 TM OmniSwitch 6624 OK1 OK2 PS1 PS2 PRI SEC TEMP FAN LINK ACT LINK ACT...

Страница 204: ...ON 49 50 51 52 TM OmniSwitch 6648 OK1 OK2 PS1 PS2 PRI SEC TEMP FAN 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 25 26 LINK ACT LINK ACT LINK ACT LINK ACT LINK ACT LINK ACT LINK AC...

Страница 205: ...ong to only one aggregate group In addition mobile ports cannot be aggregated See Chapter 6 Assigning Ports to VLANs for more information on mobile ports You must execute the lacp agg actor admin key...

Страница 206: ...t modify a port s configuration See Chapter 1 Configuring Ethernet Ports for information on configuring Ethernet ports Removing Ports from a Dynamic Aggregate Group To remove a port from a dynamic agg...

Страница 207: ...me see Modifying the Dynamic Aggregate Group Name on page 11 17 Group administrative state see Modifying the Dynamic Aggregate Group Administrative State on page 11 18 Group local actor switch actor a...

Страница 208: ...namic Aggregate Group To enable the dynamic aggregate group administrative state enter lacp linkagg followed by the dynamic aggregate group number and admin state enable For example to enable dynamic...

Страница 209: ...le to change the actor system priority of dynamic aggregate group 4 to 2000 you would enter lacp linkagg 4 actor system priority 2000 Restoring the Dynamic Aggregate Group Actor System Priority To res...

Страница 210: ...u would enter lacp linkagg 4 partner admin key 10 Restoring the Dynamic Aggregate Group partner Administrative Key To remove a partner administrative key from a dynamic aggregate group s configuration...

Страница 211: ...ID from the dynamic aggregate group s configura tion use the no form of the lacp linkagg partner system id command by entering lacp linkagg followed by the dynamic aggregate group number and no partn...

Страница 212: ...o exchange LACPDU frames By default this bit is set timeout Specifies that bit 1 in LACPDU frames is set which indicates that a short timeout is used for LACPDU frames When this bit is disabled a long...

Страница 213: ...aggregate to their default settings on dynamic aggregate actor port 2 in slot 5 you would enter lacp agg 5 2 actor admin state no active no aggregate Note Since individual bits with the LACPDU frame a...

Страница 214: ...following subsections describe how to configure a user specified value and how to restore the value to its default value with the lacp agg actor system priority command Configuring an Actor Port Syst...

Страница 215: ...ort 1 in slot 2 to 100 you would enter lacp agg 2 1 actor port priority 100 As an option you can use the ethernet fastethernet and gigaethernet keywords before the slot and port number to document the...

Страница 216: ...or more information on mobile ports Modifying the Partner Port System Administrative State The system administrative state of a dynamic aggregate group partner i e remote switch port is indi cated by...

Страница 217: ...words For example to restore bits 0 active and 2 aggregate to their default settings on dynamic aggregate partner port 1 in slot 7 you would enter lacp agg 7 1 partner admin state no active no aggrega...

Страница 218: ...the administrative key of a dynamic aggregate group partner port 1 in slot 6 to 1000 enter lacp agg 6 1 partner admin key 1000 As an option you can use the ethernet fastethernet and gigaethernet keyw...

Страница 219: ...acp agg the slot number a slash the port number and no partner admin system id For example to remove a user configured system ID from dynamic aggregate partner port 2 in slot 6 you would enter lacp ag...

Страница 220: ...namic aggregate partner port 1 in slot 7 to 200 you would enter lacp agg 7 1 partner admin port 200 As an option you can use the ethernet fastethernet and gigaethernet keywords before the slot and por...

Страница 221: ...tel CLI syntax For example to modify the port priority of dynamic aggregate partner port 3 in slot 4 to 100 and document that the port is a Fast Ethernet port you would enter lacp agg fastethernet 4...

Страница 222: ...en configured on dynamic aggregate group 7 with 802 1Q tagging and 802 1p priority bit settings Sample Network Using Dynamic Link Aggregation The steps to configure VLAN 10 Spanning Tree example are d...

Страница 223: ...g vlan 10 4 If the Spanning Tree Protocol STP has been disabled on this VLAN STP is enabled by default enable it on VLAN 10 by entering vlan 10 stp enable Note Optional Use the show spantree ports com...

Страница 224: ...actor admin key 7 lacp agg 4 2 actor admin key 7 lacp agg 4 3 actor admin key 7 lacp agg 4 4 actor admin key 7 3 Create VLAN 12 by entering vlan 12 4 Configure 802 1Q tagging with a tagging ID i e VL...

Страница 225: ...nfiguration Guide April 2004 page 11 35 10 Repeat steps 1 through 9 on Switch C All the commands would be the same except you would substi tute the appropriate port numbers Note If you do not use the...

Страница 226: ...aggregate groups both dynamic and static you would enter show linkagg A screen similar to the following would be displayed Number Aggregate SNMP Id Size Admin State Oper State Att Sel Ports 1 Static...

Страница 227: ...r Admin System Priority 20 Partner Oper System Priority 20 Partner Admin System Id 00 00 00 00 00 00 Partner Oper System Id 00 00 00 00 00 00 Partner Admin Key 8 Partner Oper Key 0 Attached Agg Id 0 A...

Страница 228: ...Displaying Dynamic Link Aggregation Configuration and Statistics Configuring Dynamic Link Aggregation page 11 38 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 229: ...IP and how to configure it through the Command Line Interface CLI It includes instructions for enabling IP forwarding as well as basic IP configuration commands e g ip default ttl CLI commands are us...

Страница 230: ...e network device Non active port assignments are allowed but do not change the VLAN s operational state To forward packets to a different VLAN on the switch you must create a router port on each VLAN...

Страница 231: ...ted with several Layer 3 and Layer 4 protocols These protocols are built into the base code loaded on the switch A brief overview of supported IP protocols is included below Transport Protocols IP is...

Страница 232: ...work using the CLI File Transfer Protocol FTP Enables the transfer of files between hosts This protocol is used to load new images onto the switch Additional IP Protocols There are several additional...

Страница 233: ...ng an IP Router Port You must configure an IP router port on a VLAN for devices on that VLAN to communicate with devices on other VLANs You can only create one IP router port per VLAN VLAN router port...

Страница 234: ...ay 171 11 2 1 When you create a static route the default metric value of 1 is used However you can change the priority of the route by increasing its metric value The lower the metric value the higher...

Страница 235: ...main in the table until they time out You can set this timeout value and you can also manually add or delete permanent addresses to from the table Adding a Permanent Entry to the ARP Table As describe...

Страница 236: ...ic entry from the table Clearing a Dynamic Entry from the ARP Table Dynamic entries can be cleared using the clear arp cache command This command clears all dynamic entries Permanent entries must be c...

Страница 237: ...ter ID By default the primary address of the router is used as the router ID However if a primary address has not been configured the router ID is used by OSPF to identify the switch on the network Th...

Страница 238: ...t issuing SYN ACK responses The half open TCP connections can exhaust TCP resources such that no other TCP connections are accepted Land Attack Spoofed packets are sent with the SYN flag set to a host...

Страница 239: ...decay is set to 2 and the switch port scan penalty value threshold is set to 2000 In one minute 10 TCP closed port packets and 10 UDP closed port packets are received This would bring the total penalt...

Страница 240: ...gned penalty the total penalty value for the switch is increased by the penalty value of the packet in question To assign a penalty value to TCP UDP packets bound for a closed port use the ip dos scan...

Страница 241: ...penalty value cross the port scan penalty value threshold To enable SNMP trap generation enter the ip dos scan trap command as shown ip dos scan trap enable To disable DoS traps enter the same ip dos...

Страница 242: ...sts ip service command options for specifying TCP UDP services and also includes the well known port number associated with each service service port ftp 21 ssh 22 telnet 23 http 80 secure http 443 av...

Страница 243: ...ually means that a failure has occurred in the route lookup of the destination IP in the packet Host Unreachable Message Usually indicates delivery failure such as a unresolved client s hardware addre...

Страница 244: ...unreachable 0 3 host unreachable 3 1 protocal unreachable 3 2 port unreachable 3 3 frag needed but DF bit set 3 4 source route failed 3 5 destination network unknown 3 6 destination host unknown 3 7...

Страница 245: ...rk unreachable message enter the following icmp unreachable net unreachable enable See Chapter 22 IP Commands for specifics on the ICMP message commands Enabling All ICMP Types To enable all ICMP mess...

Страница 246: ...e to set the Source Quench minimum packet gap to 100 microseconds enter the following icmp type 4 code 0 min pkt gap 100 Likewise to set the Timestamp Reply minimum packet gap to 100 microseconds ente...

Страница 247: ...nds the program will wait for a response before timing out For example to send a ping with a count of 2 a size of 32 bytes an interval of 2 seconds and a timeout of 10 seconds you would enter ping 172...

Страница 248: ...information about the displays that result from these commands see the OmniSwitch CLI Refer ence Guide show ip interface Displays the usability status of interfaces configured for IP show ip route Di...

Страница 249: ...g RIP using optional RIP configuration parameters e g RIP send receive option RIP interface metric It also details RIP redistribution which allows a RIP network to exchange routing information with ne...

Страница 250: ...0 RIP Interface Metric ip rip interface metric 1 RIP Interface Send Version ip rip interface send version v2 RIP Interface Receive Version ip rip interface recv version both RIP Host Route ip rip host...

Страница 251: ...2 using the vlan port default command For example the following command assigns port 2 on slot 1 to VLAN 2 vlan 2 port default 1 2 5 Create an IP router port on VLAN 1 using the vlan router ip comman...

Страница 252: ...en Shortest Path First OSPF An IGP that provides a routing function similar to RIP but uses different techniques to determine the best route for a datagram OSPF is part of Alcatel s optional Advanced...

Страница 253: ...ackets their calculation of the network mask could possibly be wrong For this reason RIPv1 compatible RIPv2 packets cannot contain networks that would be misinterpreted by RIPv1 These networks must on...

Страница 254: ...y IP forwarding is required you may not want to use RIP If you are not using RIP it is best not to load it to save switch resources Enabling RIP RIP is disabled by default Use the ip rip status comman...

Страница 255: ...5 0 1 you would enter ip rip interface 171 15 0 1 status enable To disable a RIP interface use the disable keyword with the ip rip interface status command For exam ple to disable RIP routing on RIP i...

Страница 256: ...routes generated by a switch by assigning a metric value to routes generated by that switch s RIP interface For example routes generated by a neighboring switch may have a hop count of 1 However you...

Страница 257: ...not accept better routes from other gateways Use the ip rip force holddowntimer command to configure the interval during which a RIP route remains in a forced hold down state Enter the command and th...

Страница 258: ...that defines the route types that will be redistributed into RIP Only the route types you configure will be redistributed into RIP When you configure a redistri bution policy RIP is automatically ena...

Страница 259: ...edist ospf metric 2 The valid metric range is 0 to 15 default is 0 Note You must configure a redistribution policy before configuring a redistribution metric for that type See Configuring a RIP Redist...

Страница 260: ...igured redistribution filters Note Local interfaces will not be added to the RIP routing table unless RIP redistribution is enabled and a filter is added for the local protocol Configuring a Redistrib...

Страница 261: ...these routes separately or not using the ip rip redist filter redist control command Enter the command specify the route type to be redistributed enter the destination IP address mask then enter a ro...

Страница 262: ...both switches on either end of a link must share the same password Use the ip rip interface auth type command to configure the authentication type Enter the IP address of the RIP interface then enter...

Страница 263: ...ing For example to configure a password nms you would enter ip rip interface 172 22 2 115 auth key nms Verifying the RIP Configuration A summary of the show commands used for verifying the RIP configu...

Страница 264: ...Verifying the RIP Configuration Configuring RIP page 13 16 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 265: ...rameters through the Command Line Interface CLI CLI commands are used in the configuration examples for more details about the syntax of commands see the OmniSwitch CLI Reference Guide The following p...

Страница 266: ...aces router VLAN IP addresses ip router discovery interface Disabled Advertisement destination address for an active RDP interface ip router discovery interface advertise ment address All systems mult...

Страница 267: ...command refer to the RDP Commands chapter in the OmniSwitch CLI Reference Guide 2 Create an RDP interface for a router IP address In this example the interface has an address of 172 17 6 2 ip router...

Страница 268: ...Interface Yes IP Interface status Enabled RDP Interface Yes RDP Interface status Enabled VRRP Interface status Enabled VRRP masters 2 100 10 10 2 100 10 10 3 Advertisement address 224 0 0 1 Max Advert...

Страница 269: ...ddresses In addition routers send advertisement messages when their RDP interface becomes active and then subsequently at random intervals When a host receives a router advertisement message it adds t...

Страница 270: ...the same time It is important to note that advertisements are only transmitted on RDP interfaces if the following condi tions are met The RDP global status is enabled on the switch An IP interface exi...

Страница 271: ...ng information through to the host from the router If the victim is a secure web server that uses SSL the attacker sitting in between the server and an end host could inter cept unencrypted traffic As...

Страница 272: ...RDP interface for VLAN router IP 17 255 10 2 ip router discovery interface 17 255 10 2 enable The first time an RDP interface is enabled it is not necessary to enter enable as part of the command How...

Страница 273: ...ount of time that RDP will observe before sending the next transmission Both of these values are referred to as the maximum advertisement interval and the minimum advertisement interval Note that when...

Страница 274: ...command For example the following command sets this value to 3000 seconds for packets sent from the 17 255 10 2 router RDP interface ip router discovery interface 17 255 10 2 advertisement lifetime 30...

Страница 275: ...example of the output for the show ip router discovery and show ip router discovery interface commands is also given in Quick Steps for Configuring RDP on page 14 3 show ip router discovery Displays...

Страница 276: ...Verifying the RDP Configuration Configuring RDP page 14 12 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 277: ...to be forwarded across VLANs that have IP routing enabled In This Chapter This chapter describes the basic components of DHCP Relay and how to configure them CLI commands are used in the configuration...

Страница 278: ...DHCP assigns a permanent IP address to a host Dynamic DHCP assigns an IP address to a host for a limited period of time or until the host explicitly relinquishes the address Manual The network admini...

Страница 279: ...as IP address 128 100 16 1 use the following command ip helper address 128 100 16 1 2 Set the forward delay timer for the BOOTP DHCP relay To set the timer for a 15 second delay use the following comm...

Страница 280: ...e 15 10 for more information An additional function provided by the DHCP Relay service enables automatic IP address configuration for default VLAN 1 when an unconfigured switch boots up If this functi...

Страница 281: ...cket protocol type source IP address or if the packet is a DHCP request See Chapter 7 Defining VLAN Rules for more information DHCP Relay and Authentication Authentication clients may use DHCP to get...

Страница 282: ...t to the outgoing router port attached to the OmniSwitch DHCP Clients are Members of the Same VLAN The external router inserts the subnet address of the first hop segment into the DHCP request frames...

Страница 283: ...ame will simply be switched In this case the DHCP server and clients must be members of the same VLAN they could also all be members of the default VLAN One way to accomplish this is to use DHCP rules...

Страница 284: ...or disabling the relay service You should configure DHCP Relay on switches where packets are routed between IP networks The following command defines a DHCP server address ip helper address 125 255 17...

Страница 285: ...leted If an IP address is not specified with this syntax then all IP helper addresses are deleted The following command deletes an helper address for IP address 125 255 17 11 ip helper no address 125...

Страница 286: ...ay time value is 1 to 65535 seconds Setting Maximum Hops This value specifies the maximum number of relays the BOOTP DHCP packet can go through until it reaches its server destination This limit keeps...

Страница 287: ...acket contains a subnet mask for the IP address the mask is applied to the VLAN 1 router port address Otherwise a default mask is determined based upon the class of the IP address For example if the I...

Страница 288: ...An example of the output for the show ip helper command is also given in Quick Steps for Setting Up DHCP Relay on page 15 3 show ip helper Displays the current forward delay time the maximum number o...

Страница 289: ...ands see the OmniSwitch CLI Reference Guide This chapter provides an overview of VRRP and includes information about the following Virtual routers see Creating a Virtual Router on page 16 7 IP address...

Страница 290: ...Redundancy Protocol Compatible with HSRP No Maximum number of virtual routers 7 Maximum number of IP addresses 1 for the IP address owner more than 1 address may be configured if the router is a back...

Страница 291: ...oe 3 Configure an IP address for the virtual router vrrp 6 4 ip 10 10 2 3 4 Repeat steps 1 through 3 on all of the physical switches that will participate in backing up the address es associated with...

Страница 292: ...nfigured with a virtual router VRID 1 which is associated with IP address A OmniSwitch A is the master router because it contains the physical interface to which IP address A is assigned OmniSwitch B...

Страница 293: ...a set of associated IP addresses on the LAN On the OmniSwitch only one IP address is assigned to an interface but other VRRP routers may have multiple IP addresses per interface In addition the VRID m...

Страница 294: ...rtisements sent by the master router any other packets originating from the master router and as the MAC address in ARP replies instead of a VRRP router s physical MAC address The address has the foll...

Страница 295: ...and to check for conflicting parame ters For information about configuring VRRP parameters see the remaining sections of this chapter Basic Virtual Router Configuration At least two virtual routers mu...

Страница 296: ...rd The vrrp command may also be used to specify whether the virtual router is enabled or disabled it is disabled by default However the virtual router must have an IP address assigned to it before it...

Страница 297: ...y be modified The vrrp command is then used to set the advertising interval for virtual router 6 to 5 seconds Configuring Virtual Router Priority VRRP functions with one master virtual router and at l...

Страница 298: ...uter if is available regardless of the preempt mode setting and the priority values of the backup routers To disable preemption for a virtual router use the vrrp command with the no preempt keywords F...

Страница 299: ...icult for a VRRP packet to be sent from a remote network to disrupt VRRP operation To configure authentication for a virtual router use the authenticate keyword and the desired password with the vrrp...

Страница 300: ...from the configuration The virtual router does not have to be disabled before you delete it Setting VRRP Traps A VRRP router has the capability to generate VRRP SNMP traps for events defined in the VR...

Страница 301: ...outer 2 s IP address 10 10 2 245 The CLI commands used to configure this setup are as follows 1 First create two virtual routers for VLAN 5 Note that VLAN 5 must already be created and available on th...

Страница 302: ...IP address A using the virtual router MAC address for VRID 1 00 00 5E 00 01 01 OmniSwitch 1 is the master for VRID 1 since it contains the physical interface to which 10 10 2 3 is assigned If OmniSwit...

Страница 303: ...terface CLI to communicate with the servers to retrieve authentication information about users Configuration procedures described include Configuring an ACE Server This procedure is described in ACE S...

Страница 304: ...ocol v3 Attribute Syntax Definitions RFC 2253 Lightweight Directory Access Protocol v3 UTF 8 String Representation of Distinguished Names RFC 2254 The String Representation of LDAP Search Filters RFC...

Страница 305: ...ely LDAP Authentication Servers Defaults for the aaa ldap server command are as follows Description Keyword Default Number of retries on the server before the switch tries a backup server retransmit 3...

Страница 306: ...Server name rad1 Server type RADIUS IP Address 1 10 10 2 1 IP Address 2 10 10 3 5 Retry number 3 Timeout in sec 2 Authentication port 1645 Accounting port 1646 Server name ldap2 Server type LDAP IP Ad...

Страница 307: ...ve one backup host of the same type configured through the aaa radius server and aaa ldap server commands respectively In addition each authentication method Authenticated Switch Access Authenticated...

Страница 308: ...p for authentication single authority mode uses a single list an authentication server and any backups to poll with authentication requests Multiple author ity mode uses multiple lists one list for ea...

Страница 309: ...s are supported The RADIUS server contains a database of user names and passwords and may also contain challenges responses and other authentication criteria For more information about configuring 802...

Страница 310: ...e server to the switch s network directory This file is required so that the switch will know the IP address of the ACE Server For information about loading files onto the switch see the OmniSwitch 66...

Страница 311: ...hem Attribute 26 is for vendor specific information and is discussed in Vendor Specific Attributes for RADIUS on page 17 11 Attributes 40 59 are used for RADIUS accounting servers and are listed in RA...

Страница 312: ...o the accounting server as part of the accounting request packet 26 Vendor Specific See Vendor Specific Attributes for RADIUS on page 17 11 27 Session Timeout Not supported 28 Idle Timeout Not support...

Страница 313: ...nticated users on VLAN 23 may use Ethernet II or SNAP encapsulation Authenti cated users on VLAN 24 may use IPX with Ethernet II Num RADIUS VSA Type Description 1 Alcatel Auth Group integer The authen...

Страница 314: ...e cumbersome because it requires using read and write bitmasks for command families on the switch 1 To display the functional bitmasks of the desired command families use the show aaa priv hexa comman...

Страница 315: ...s Type Four values should be included in the dictionary file 1 acct start 2 acct stop 6 failure and 7 acct on Start and stop correspond to login logout The accounting on message is sent when the RADIU...

Страница 316: ...IUS server enter the server name and the desired parameter to be modified aaa radius server rad1 key mozart If you are modifying the server and have just entered the aaa radius server command to creat...

Страница 317: ...he Alcatel software CD to the configuration directory on the server Each server type has a command line tool or a GUI tool for importing LDIF files Database LDIF files may also be copied and used as t...

Страница 318: ...zationalUnit ou organizational unit name list of optional attributes Below are definitions of some LDIF file entries Common Entries The most common LDIF entries describe people in companies and organi...

Страница 319: ...anization Attributes required by a particular object class must also be defined Some commonly used attributes that comprise a DN include the following Country c State or Province st Locality l Organiz...

Страница 320: ...po nent of the DN Retrieving Directory Search Results Results of directory searches are individually delivered to the LDAP client LDAP referrals to other serv ers are not returned to the LDAP client o...

Страница 321: ...parsing the various components contained within the URLs to process the searches LDAP URLs can specify and implement complex or simple searches of a directory depending on what is submitted in the URL...

Страница 322: ...n installing LDAP enabled directory servers refer to the vendor specific instructions attributes Attributes to be returned for entry search results All attributes are returned if search attributes are...

Страница 323: ...iguring Functional Privileges on the Server Configuring the functional privileges attributes bop asa func priv read 1 bop asa func priv read 2 bop asa func priv write 1 bop asa func priv write 2 requi...

Страница 324: ...83d021c07f1 ors40595 129 Note The bop shakey and bop md5key values must be recomputed and copied to the server any time a user s password is changed LDAP Accounting Attributes Logging and accounting f...

Страница 325: ...s For Layer 2 Authentication Only Number of bytes received on the port during the client s session from log in to log out variable length digits Number of bytes sent on the port during the client s se...

Страница 326: ...t Entries are associated with the switch the user is logged into Each dynamic entry contains information about the user s connection The related attribute in the server is bop loggedusers A specific o...

Страница 327: ...e Creating an LDAP Authentication Server An example of creating an LDAP server aaa ldap server ldap2 host 10 10 3 4 dn cn manager password tpub base c us In this example the switch will be able to com...

Страница 328: ...Hbase img file on the switch certs pem If the CA is not well known the CA s certificate must be transfered to the switch via FTP to the flash certified or flash working directory and should be named...

Страница 329: ...r Configuration To display information about authentication servers use the following command An example of the output for this command is given in Quick Steps For Configuring Authentication Servers o...

Страница 330: ...Verifying the Authentication Server Configuration Managing Authentication Servers page 17 28 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 331: ...manage the switch For more information about Authenti cated Switch Access see the Switch Security chapter in the OmniSwitch 6624 6648 Switch Manage ment Guide In This Chapter This chapter describes a...

Страница 332: ...AP schema information are given in Chapter 17 Managing Authentication Servers RADIUS or LDAP client in the switch The switch must be set up to communicate with the RADIUS or LDAP server This chapter b...

Страница 333: ...red on the switch as an authentication port This is the physical port through which authentication clients are attached to the switch See Config uring Authenticated Ports on page 18 28 DHCP Server A D...

Страница 334: ...ee Setting Up the DHCP Server on page 18 29 5 Configure the authentication server authority mode See Configuring the Server Authority Mode on page 18 32 6 Specify accounting servers for authentication...

Страница 335: ...DHCP server if users will be getting IP addresses from DHCP The IP helper address is the IP address of the DHCP server the AVLAN default DHCP address is the address of any router port configured on t...

Страница 336: ...S or LDAP for authentication sessions aaa accounting vlan rad3 local Note Verify the authentication server configuration by entering the show aaa authentication vlan command or verify the accounting s...

Страница 337: ...enti cating or after authentication in order to move into a different VLAN When multiple authenticated VLANs are configured after the client authenticates the client must issue a DHCP release renew re...

Страница 338: ...l txt file is available in the flash switch directory when you install the Hsecu img file as described in the next section The file may be edited with any text editor and the format of the username an...

Страница 339: ...t file is copied to the Mac desktop 3 Double click the javlanInstall sit file on the desktop 4 Double click on the application javlanInstall AppleScript inside the newly created directory The work sta...

Страница 340: ...are using a self signed SSL certificate or the certificate provided by Alcatel wv cert pem see DNS Name and Web Browser Clients on page 18 11 To set up the Mac OSX 1 for authentication 1 In the browse...

Страница 341: ...flash switch directory on the switch to the workstation 2 On the Mac workstation open a Terminal application at the root see the previous section for informa tion about enabling root access Enter the...

Страница 342: ...Client as Primary Network Login on page 18 18 Configure the AV Client for DHCP optional See Configuring the AV Client Utility on page 18 18 Loading the Microsoft DLC Protocol Stack Windows 2000 and Wi...

Страница 343: ...the Protocol network component 6 In the Select Network Protocol dialog box click on the Have Disk button 7 Specify the drive and path where the MSDLC32 EXE files you should have already extracted them...

Страница 344: ...page 18 14 OmniSwitch 6624 6648 Network Configuration Guide April 2004 3 We recommend that you follow the instructions on the screen regarding closing all Windows programs before proceeding with the i...

Страница 345: ...screen or you may click the Browse button to select a different directory Click on the Next button The software loads and the following window displays 5 This window gives you the option of restartin...

Страница 346: ...wnload the AV Client from the Alcatel website onto the Windows desktop 2 Double click the AV Client icon The installation routine begins and the following window displays 3 We recommend that you follo...

Страница 347: ...the Browse button to select a different directory Click on the Next button The software loads and the following window displays 5 This window recommends that you read a text file included with the cl...

Страница 348: ...the correct path for your disk drive in the space provided and click OK You can also browse to the directory where the AV Client is installed and click OK Select Alcatel AVLAN Login Provider 4 Select...

Страница 349: ...Select the AV Client tab 2 Click on the box next to Enable AV Client Service at Logon The check mark in the box will disap pear and the Apply button will activate 3 To apply the change click the Appl...

Страница 350: ...h 6624 6648 Network Configuration Guide April 2004 Viewing AV Client Components The configuration utility includes a screen that lists each component version and build date for the AV Client To view t...

Страница 351: ...er name is configured on the authentication server 3 Enter the password for this user in the Password field If the client is set up for basic dialog mode and the user enters the correct password the u...

Страница 352: ...ocedure click the Logoff button The following screen indicates that the AV Client is sending a logoff request to the authentication server The next message on the screen indicates that the AV Client i...

Страница 353: ...tion of disabling DHCP operations Delay for IP Address Request You can specify a delay between the moment the client workstation moves into an authentication VLAN and the moment a DHCP request is issu...

Страница 354: ...he DHCP tab The following screen displays 2 Click the box next to Enable DHCP Operations Several options will activate in the utility window as shown in the following screen When you click on a box ne...

Страница 355: ...k Configuration Guide April 2004 page 18 25 4 To apply the change click the Apply button When you click the OK button the screen will close and the change will take effect If you decide not to impleme...

Страница 356: ...the user s MAC address is unknown enter the show avlan user command first Specify the VLAN ID or slot number to get information about a particular VLAN or slot only For example show avlan user 23 name...

Страница 357: ...use the show aaa avlan auth ip command Setting Up the Default VLAN for Authentication Clients By default authentication users cannot traffic in the default VLAN prior to authentication however the swi...

Страница 358: ...ticated VLANs use the avlan port bound command with the enable keyword avlan port bound enable This command allows some port binding rules MAC Port IP address MAC Port Port IP address and MAC Port Pro...

Страница 359: ...aaa avlan dns name auth company When this command is configured a Web browser client may enter auth company in the browser command line to initiate the authentication process To remove a DNS path from...

Страница 360: ...ation about authentication server authority modes see Configuring the Server Authority Mode on page 18 32 After authentication a client may be moved into a VLAN in which the client s current IP addres...

Страница 361: ...the aaa avlan default dhcp command so that Telnet and Web browser clients can obtain IP addresses prior to authentication This gateway is a router port in any of the authenticated VLANs in the networ...

Страница 362: ...ccount ing Servers on page 18 35 Configuring Single Mode This mode should be used when all authenticated VLANs on the switch are using a single authentication server with optional backups configured w...

Страница 363: ...ch will use ldap1 to attempt to authenticate users If ldap1 becomes unavailable the switch will use backup server ldap2 Both servers contain user information including which VLANs users may be authent...

Страница 364: ...he same server services more than one VLAN the same user ID and password may be used to authenticate into one of several VLANs depending on which VLAN the user selects at authentication Clients are on...

Страница 365: ...7 Managing Authentication Servers Up to four account ing servers may be specified For example aaa accounting vlan rad1 ldap2 In this example a RADIUS server rad1 is used for all accounting of authenti...

Страница 366: ...ee the OmniSwitch CLI Reference Guide show aaa authentication vlan Displays information about authenticated VLANs and the server config uration show aaa accounting vlan Displays information about acco...

Страница 367: ...scribes 802 1X ports used for port based access control and how to configure them through the Command Line Interface CLI CLI commands are used in the configuration examples for more details about the...

Страница 368: ...ork Access Control 802 1X RADIUS Usage Guidelines Description Keyword Default Port control in both directions or incoming only direction both in both Port control authorized on the port port control f...

Страница 369: ...e shows the default for authenticating 802 1X ports through the aaa authentication 802 1x command Note By default accounting is disabled for 802 1X authentication sessions Description Keyword Default...

Страница 370: ...must be configured with the vlan authentication command For information about configuring VLANs with authentication see Chapter 4 Configuring VLANs 3 Associate the RADIUS server or servers with authen...

Страница 371: ...s authenticated through an 802 1X port the port is blocked The port will only accept 802 1X frames EAPoL frames When an 802 1X frame is received from a supplicant the switch sends an EAP packet to req...

Страница 372: ...n the global 802 1X setting If the switch is set to open global all traffic is allowed on the port If the switch is set to open unique only traffic with the authenticated MAC address is allowed on the...

Страница 373: ...o an authenticated VLAN if the RADIUS authentication server speci fies a VLAN for that user and the authenticated VLAN is set up on the switch through the vlan authentication command For information a...

Страница 374: ...ly traffic coming from the authen ticated device s MAC address or it may be configured to allow any traffic through the port after authenti cation The keyword open unique indicates that only traffic f...

Страница 375: ...he port is authenticated To configure the port authorization use the 802 1x command with the port control keyword and the force authorized force unauthorized or auto option 802 1x 3 1 port control for...

Страница 376: ...s sent to the supplicant during an authentication attempt use the max req keyword with the 802 1x command For example 802 1x 3 1 max req 3 In this example the maximum number of requests that will be s...

Страница 377: ...keyword local to specify that the Switch Logging function in the switch should be used to log 802 1X sessions RADIUS servers are configured with the aaa radius server command aaa accounting 802 1x ra...

Страница 378: ...Verifying the 802 1X Port Configuration Configuring 802 1X page 19 12 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 379: ...switch When policies are created on the directory server through PolicyView the PolicyView application automatically configures the switch to communicate with the server This chapter includes informat...

Страница 380: ...Servers RFCs Supported RFC 2251 Lightweight Directory Access Protocol v3 RFC 3060 Policy Core Information Model Version 1 Specification Maximum number of policy servers supported on the switch 4 Maxi...

Страница 381: ...DAP server and QoS policies configured directly on the switch For more information about creating policies directly on the switch see Chapter 21 Configuring QoS Information about installing the LDAP p...

Страница 382: ...from downloading policies to the switch By default policy servers are enabled to download policies To disable a server use the policy server command with the admin keyword and down option policy serve...

Страница 383: ...een policy server 10 10 2 3 policy server 10 10 2 3 port number 5000 show policy server Server IP Address port enabled status primary 1 10 10 2 3 389 Yes Up X 2 10 10 2 3 5000 No Down To remove an ent...

Страница 384: ...disable SSL use no ssl with the command policy server 10 10 2 3 no ssl SSL is disabled for the 10 10 2 3 policy server No additional policies may be saved to the directory server from the PolicyView...

Страница 385: ...lied from PolicyView or vice versa it will activate all current configuration For more information about configuring policies through the CLI see Chapter 21 Configuring QoS Verifying the Policy Server...

Страница 386: ...Verifying the Policy Server Configuration Managing Policy Servers page 20 8 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 387: ...sed for Layer 2 and Layer 3 4 filtering Since filtering is used in many different network situations ACLs are described in a separate chapter see Chapter 22 Configuring ACLs In This Chapter This chapt...

Страница 388: ...802 1p rules 62 30 64 29 Maximum number of policy conditions 2048 Maximum number of policy actions 2048 Maximum number of policy services 256 Maximum number of groups network MAC service port 1024 Ma...

Страница 389: ...ct to the WAN are not given more bandwidth bottlenecks may still occur Also adding enough bandwidth to compensate for peak load periods will mean that at times some bandwidth will be unused In additio...

Страница 390: ...he PolicyView online help How Policies Are Used When a flow comes into the switch the QoS software in the switch checks to see if there are any policies with conditions that match the flow If there ar...

Страница 391: ...or QoS settings may require that other switch features be configured in a particular way A summary of related features is given here Dynamic Link Aggregates Policies may be used to prioritize dynamic...

Страница 392: ...Use the Condition Combination Table Each row represents items that may be combined any cavaets are listed in the Notes column For information about combining conditions with actions see Condition Acti...

Страница 393: ...No additional action parameters are allowed Use the policy condition action combinations table as a guide when creating policy rules How to Use the Condition Action Combination Table Each row represe...

Страница 394: ...dth bridging ToS or DSCP priority routing bridging when qos classifyl3 bridged is enabled 802 1p 802 1p bridging routing source slot port or port group source interface type disposition maximum bandwi...

Страница 395: ...cs interval qos stats interval 60 seconds Global bridged disposition qos default bridged disposition accept Global routed disposition qos default routed disposition accept Global multicast disposition...

Страница 396: ...bandwidth port bandwidth currently not supported Maximum signalled bandwidth via RSVP qos port maximum signal bandwidth port bandwidth currently not supported Maximum bandwidth qos port maximum bandw...

Страница 397: ...ation about this command Other traffic Any traffic that does not match a policy is accepted or denied based on the global dispo sition setting on the switch The global disposition is by default accept...

Страница 398: ...to change any of the global defaults See Global QoS Defaults on page 21 9 for a list of the global defaults See Configuring Global QoS Parameters on page 21 13 for information about configuring global...

Страница 399: ...ons By default bridged routed and multicast flows that do not match any policies are accepted on the switch To change the global default disposition which determines whether the switch will accept den...

Страница 400: ...may be logged includes rules Layer 2 and Layer 3 information etc For a detailed explanation about the types of informa tion that may be logged see the OmniSwitch CLI Reference Guide A brief summary o...

Страница 401: ...e switch Forwarding Log Events to PolicyView In addition to managing policies created directly on the switch the switch manages policies downloaded from an external LDAP server These policies are crea...

Страница 402: ...og lines qos log level and debug qos commands The log display may also be output to the console through the qos log console command or sent to the policy software in the switch which manages policies...

Страница 403: ...a packet with a fragment offset of 1 will be dropped IP packets with a fragment offset of 1 are typically used for security attacks Enabling Disabling Fragment Classification To enable fragment class...

Страница 404: ...os classifyl3 bridged is enabled all bridged IP packets will be dropped To configure the switch to classify bridged traffic as Layer 3 use the qos classifyl3 bridged command qos classifyl3 bridged To...

Страница 405: ...al Settings To display information about the global configuration use the following show commands For more information about the syntax and displays of these commands see the OmniSwitch CLI Refer ence...

Страница 406: ...as untrusted For more information about configuring 802 1Q for fixed ports see Chapter 9 Configuring 802 1Q Mobile ports are also always trusted however mobile ports may or may not accept Q tagged tr...

Страница 407: ...that port 2 on slot 3 will be able to recognize 802 1p bits A policy condition Traffic is then created to classify traffic containing 802 1p bits set to 4 and destined for port 2 on slot 3 The policy...

Страница 408: ...t used to classify traffic until the qos apply command is entered See Applying the Config uration on page 21 46 To view information about how the switch will classify particular condition parameters u...

Страница 409: ...ntially on the command line is given here policy condition cond3 source ip 10 10 2 3 policy action action2 priority 7 policy rule my_rule condition cond3 action action2 qos apply ASCII File Only Synta...

Страница 410: ...an create a separate condition for each address service or port use groups and attach the group to a single condition See Using Condition Groups in Policies on page 21 34 for more information about se...

Страница 411: ...e or modify a policy action use the policy action command with the desired action parameter A policy action should specify the way traffic should be treated For example it might specify a priority for...

Страница 412: ...t first be removed from the policy rule my_rule See Creating Policy Rules on page 21 26 for more information about setting up rules If a6 is not used by a policy rule it will be deleted after the next...

Страница 413: ...Rules With Compatible Actions on page 21 28 and Layer 3 Rules With Conflicting Actions on page 21 28 for more information about precedence and Layer 3 flows Prece dence is particularly important for...

Страница 414: ...wever the switch will apply only the rule with the highest precedence For example policy condition X source ip 10 10 2 3 policy action W 802 1p 5 policy action Z maximum bandwidth 10m policy rule Rule...

Страница 415: ...ide and the OmniSwitch CLI Reference Guide For more information about applying rules see Applying the Configuration on page 21 46 Logging Rules Logging a rule may be useful for determining the source...

Страница 416: ...be used to classify traffic until the next qos apply Only mac1 is actively being used on the switch to classify traffic show policy condition Displays information about all pending and applied policy...

Страница 417: ...Yes No No No Yes 0 Cnd Act dmac1 pri2 In this example the rule my_rule does not display because it is inactive Rules are inactive if they are administratively disabled through the policy rule command...

Страница 418: ...nter the command and the relevant keyword and value The switch will display information about the potential traffic and attempt to match it to a policy pending policies only For example show policy cl...

Страница 419: ...0 82 5 Packet headers L2 Port 0 0 0 0 IfType any any MAC 000000 000000 000000 000000 VLAN 0 0 802 1p 0 L3 L4 IP 143 209 92 131 198 60 82 5 TOS DSCP 0 0 Using applied l3 policies Classify L3 Matches ru...

Страница 420: ...conditions to reduce the number of rules required to filter particular types of traffic For more information about ACLs see Chapter 22 Configuring ACLs Sample Group Configuration 1 Create the group a...

Страница 421: ...twork policy group use the policy network group command Specify the name of the group and the IP address es to be included in the group Each IP address should be separated by a space A mask may also b...

Страница 422: ...licy Conditions on page 21 24 for more information about configuring policy conditions The network group will be deleted at the next qos apply Creating Services Policy services are made up of TCP or U...

Страница 423: ...ion Service groups are described in Creating Service Groups on page 21 37 Note Service configuration is not active until the qos apply command is entered To remove a policy service enter the no form o...

Страница 424: ...oup from the condition first then enter the no policy service group command For example policy condition c6 no service group no policy service group serv_group The policy condition command removes the...

Страница 425: ...tions on page 21 24 for more information about configuring policy conditions The MAC group will be deleted at the next qos apply Creating Port Groups Port groups are made up of slot and port number co...

Страница 426: ...er the ports in the port group is distributed over the active ports in a source port group This functionality is different from the OmniSwitch 7700 7800 8800 which allows each port in a port group the...

Страница 427: ...this example each port will receive the maximum bandwidth because the ports in the destination port group are split over slots and or physical grouping If the ports in the destination port group howev...

Страница 428: ...pending and applied policy network groups or a particular network group Use the applied keyword to dis play information about applied groups only show policy service Displays information about all pen...

Страница 429: ...ps on page 21 44 policy map group tosGroup 1 2 5 4 5 5 6 7 2 Attach the map group to a policy action See Creating Policy Actions on page 21 25 for more infor mation about creating policy actions polic...

Страница 430: ...same map group but instead specifies mapping 802 1p to ToS policy action Map2 map tos to 802 1p using Group2 In this case if ToS traffic comes into the switch and matches a policy that specifies the...

Страница 431: ...all pending and applied map groups use the show policy map group command To display only information about applied map groups use the applied keyword with the command For more information about the o...

Страница 432: ...ed The commands are listed in the following table Port and Policy Commands All port parameters and policy parameters must be applied with the qos apply command The pending configuration is useful for...

Страница 433: ...ion In some cases you may want to remove all of your rules and start over again To completely erase pend ing policies from the configuration use the qos flush command For example qos flush If you then...

Страница 434: ...splay information about applied rules only show policy network group Displays information about all pending and applied policy network groups or a particular network group Use the applied keyword to d...

Страница 435: ...ring ACLs Policies may also be used for prioritizing traffic in dynamic link aggregation groups For more informa tion about dynamic link aggregates see Chapter 11 Configuring Dynamic Link Aggregation...

Страница 436: ...ritization Example In this example IP traffic is routed from the 10 10 4 0 network through the OmniSwitch To create a policy rule to prioritize the traffic from Network 1 first create a condition for...

Страница 437: ...sts pings use the debug qos internal command with the pingonly keyword debug qos internal pingonly The switch will now drop only ICMP echo requests This functionality is different from the OmniSwitch...

Страница 438: ...be mapped to 802 1p values in a network called Network C A map group tosGroup is created with mapping values policy map group tos_group 1 4 4 5 7 7 policy condition SubnetA source ip 10 10 5 0 mask 25...

Страница 439: ...layer Typically uses IP addresses or IP ports for filtering note that IPX filtering is not supported Multicast ACLs for filtering IGMP traffic In This Chapter This chapter describes ACLs and how to co...

Страница 440: ...r Layer 3 rules with particular actions ACL Filter rules Priority rules Bandwidth ToS rules 802 1p rules 62 30 64 29 Maximum number of policy conditions 2048 Maximum number of policy actions 2048 Maxi...

Страница 441: ...Optional Test the condition with the show policy classify command using information from the policy condition For example show policy classify l3 source ip 192 68 82 0 This command displays informatio...

Страница 442: ...situations it is recommended that the global disposition be set to deny and that rules be created to allow certain types of traffic through the switch To set the global disposition to deny use the qo...

Страница 443: ...gured first in the list will take precedence Note If you configure bridged traffic to be classified as Layer 3 through the qos classifyl3 bridged command Layer 2 ACL rules are effectively disabled for...

Страница 444: ...rity and maximum bandwidth actions at the same time so both rules are used Note See Chapter 21 Configuring QoS for more information about valid condition action combina tions Example Layer 3 Rules Wit...

Страница 445: ...dged frames For information about configuring the switch to classify Layer 3 information in bridged frames see Classifying Bridged Traffic as Layer 3 on page 21 18 Valid Combinations There are limitat...

Страница 446: ...s on page 22 11 For a quick tutorial on how to configure ACLs see Quick Steps for Creating ACLs on page 22 3 Setting the Global Disposition By default flows that do not match any policies are accepted...

Страница 447: ...ion command to deny or drop it will result in dropping all traffic from the switch that does not match any policy to accept traffic You must create policies one for source and one for destination to a...

Страница 448: ...groups the policy condition specifies whether the condition group is a source or destination group If a network group was not used a separate condition would have to be created for each IP address Su...

Страница 449: ...pt If you do not specify a disposition for the policy action the default accept will be used Creating Policy Rules for ACLs A policy rule is made up of a condition and an action For example to create...

Страница 450: ...r MAC group VLAN Physical slot port or port group Interface type The switch classifies the MAC address as both source and destination The condition parameters in the policy rule must be all source par...

Страница 451: ...ot match any accept policy The following example is included to show that you must configure two rules to allow Layer 2 flows in this atypical scenario To allow Layer 2 traffic into the switch two rul...

Страница 452: ...llowing policy condition keywords are used for Layer 3 ACLs Layer 3 ACL Example 1 In this example the default routed disposition is accept the default Since the default is accept the qos default route...

Страница 453: ...ery of IP multicast traffic by sending packets only to those stations that request it Potential multicast group members may be filtered out so that IPMS does not send multicast packets to those statio...

Страница 454: ...s all policy rules configured on the switch show policy rule Policy From Prec Enab Inact Refl Log Save my_rule cli 0 Yes Yes No No Yes Cnd Act cond5 action2 my_rule5 cli 0 Yes No No No Yes Cnd Act con...

Страница 455: ...abled on the switch use the show active policy rule command For example show active policy rule Policy From Prec Enab Inact Refl Log Save Matches my_rule5 cli 0 Yes No No No Yes 0 Cnd Act cond2 pri2 m...

Страница 456: ...olicy condition outside_cond service traffic_in 3 Create a policy action outside_action to deny the traffic policy action outside_action disposition drop 4 Then combine the condition and the action in...

Страница 457: ...ntly deliver traffic only to the respective ports This mechanism is often referred to as IGMP snooping or IGMP gleaning Alcatel s implementation of IGMP snooping is called IP Multicast Switching IPMS...

Страница 458: ...294967295 seconds Membership Timeout 0 to 4294967295 seconds Neighbor Timeout 0 to 4294967295 seconds Querier Timeout 0 to 4294967295 seconds Querier Aging and Election Timeout 0 to 4294967295 seconds...

Страница 459: ...that a multicast packet is received by the switch on the source or expected port Note Jumbo multicast packets are not supported The maximum MTU size supported by Alcatel s IPMS software is 1500 IPMS...

Страница 460: ...iguring the IGMP version In IGMPv2 each membership report contains only one multicast group In IGMPv3 membership reports contain many multicast groups up to the Maximum Transmission Unit MTU size of t...

Страница 461: ...ood rates set with the interfaces flood rate command high enough to accommodate both flood and IPMS traffic In addition a tutorial is provided in IPMS Application Example on page 23 13 that shows how...

Страница 462: ...Neighbor IPMS static neighbor ports receive all multicast streams on the designated VLAN and also receive IGMP reports for the VLAN The following subsections describe how to configure and remove a sta...

Страница 463: ...static querier followed by the VLAN number which must be between 0 and 4095 a space the slot number of the port a slash and the port number For example to configure port 4 in slot 10 with designated V...

Страница 464: ...a space and the VLAN number which must be between 0 and 4095 For example to configure a static member with an IP address of 11 0 0 1 on port 10 in slot 3 with desig nated VLAN 3 you would enter ip mu...

Страница 465: ...and or received The default IPMS leave timeout is 1 second The following subsections describe how to configure a user specified leave timeout value and how to restore it with the ip multicast leave t...

Страница 466: ...e the no form of the ip multicast query interval command by entering ip multicast no query interval Modifying the Membership Timeout The default IPMS membership timeout i e the time the switch will wa...

Страница 467: ...ut to its default i e 90 seconds value you use the no form of the ip multicast neighbor timeout command by entering ip multicast no neighbor timeout as shown below ip multicast no neighbor timeout Mod...

Страница 468: ...to restore it with the ip multicast other querier timeout command Configuring the Querier Aging and Election Timeout You can modify the IPMS querier aging and election timeout from 0 to 4294967295 se...

Страница 469: ...ds Follow the steps below to configure this network Note All the steps following Step 1 which must be executed first may be entered in any order 1 Enable IPMS switch wide by entering ip multicast swit...

Страница 470: ...0 ip multicast leave timeout 120 As an option you can use the show ip multicast switching show ip multicast neighbors and show ip multicast queriers commands to confirm your settings as shown below sh...

Страница 471: ...0 0 0 1 2 3 9 254 Note See the IP Multicast Switching Commands chapter in the OmniSwitch CLI Reference Guide for complete documentation on IPMS show commands show ip multicast switching Displays the c...

Страница 472: ...Displaying IPMS Configurations and Statistics Configuring IP Multicast Switching page 23 16 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 473: ...MS if those limits are violated In This Chapter This chapter describes the port mirroring remote monitoring RMON probes and switch health features and how to configure them through the Command Line In...

Страница 474: ...tch Health see Configuring Resource and Tempera ture Thresholds on page 24 25 Configuring Sampling Intervals see Configuring Sampling Intervals on page 24 27 Resetting Health Statistics see Resetting...

Страница 475: ...ple a stack of 4 OmniSwitch 6648 can support 8 mirroring sessions Port Capacity Requirements Mirrored monitored and mirroring monitoring ports must be of identical capacity both ports support identica...

Страница 476: ...belonging to a different VLAN For example port mirroring 6 source 2 3 destination 2 4 unblocked 7 2 Enable the port mirroring session port mirroring 6 enable Note Optional To verify the port mirrorin...

Страница 477: ...MON Functionality Not Supported RMON 10 group RMON2 Host group HostTopN group Matrix group Filter group Packet Capture group An external RMON probe that includes RMON 10 group and RMON2 may be used wh...

Страница 478: ...w Entry Slot Port Flavor Status Duration System Resources 4001 4 1 Ethernet Active 00 25 00 275 bytes 4008 4 8 Ethernet Active 00 25 00 275 bytes 4005 4 5 Ethernet Active 00 03 03 275 bytes 3 To view...

Страница 479: ...g last hour Maximum utilization level during last hour Resource Utilization Raw Sample Values Saved for previous 60 seconds Resource Utilization Current Sample Values Stored Resource Utilization Maxim...

Страница 480: ...PU Threshold 80 Temperature Threshold 50 2 Enter the appropriate command to change the desired health threshold or health sampling interval parameter settings or reset all health statistics for the sw...

Страница 481: ...roring session is supported per OmniSwitch 6624 in a stack and up to two port mirroring sessions are supported per OmniSwitch 6648 in a stack When a port mirroring session is configured both the mirro...

Страница 482: ...rored and mirroring ports Note that when port mirroring is enabled there may be some performance degradation since all frames received and transmitted by the mirrored port need to be copied and sent t...

Страница 483: ...and Management frames to and from the mirroring and mirrored ports Frames received from an RMON probe attached to the mirroring port can be seen as being received by the mirrored port These frames fro...

Страница 484: ...hown in the following example port mirroring 6 source 2 3 destination 2 4 This command line specifies mirroring session 6 with the source mirrored port located in slot 2 port 3 and the destination mir...

Страница 485: ...e source and destination slot ports optional unblocked VLAN ID number and enable as shown in the following example port mirroring 6 source 2 3 destination 2 4 unblocked 750 enable This command line sp...

Страница 486: ...slot 2 port 3 and the mirroring port located in slot 6 port 4 The mirroring direction is unidirectional and inward bound port mirroring 6 source 2 3 destination 6 4 inport In this example the command...

Страница 487: ...onal NONE OFF 9 2 1 2 11 inport 7 ON To display a specific session enter show port mirroring status followed by the port mirroring session ID number For example show port mirroring status 6 Session Mi...

Страница 488: ...ON probe attached to the mirroring port can be seen as being received by the mirrored port These frames from the mirroring port are marked as if they are received on the mirrored port before being sen...

Страница 489: ...s group includes port utilization and error statistics measured by the RMON probe for each monitored Ethernet interface on the switch Examples of these statistics include CRC Cyclic Redundancy Check a...

Страница 490: ...The following command enables RMON Alarm probe number 11235 rmon probes alarm 11235 enable To enable or disable an entire group of RMON probes of a particular flavor type such as Ethernet Statistics...

Страница 491: ...atistics probes enter show rmon probes stats A display showing all current statistics RMON probes should appear as shown in the following example Entry Slot Port Flavor Status Duration System Resource...

Страница 492: ...the following sections Sample Display for Ethernet Statistics Probe The display shown here identifies RMON Probe 4005 s Owner description and interface location OmniSwitch Auto Probe on slot 4 port 5...

Страница 493: ...n and interface location Analyzer t 128 251 18 166 on slot 1 port 35 as well as the probe s Alarm Rising Threshold and Alarm Falling Threshold maximum allowable values beyond which an alarm will be ge...

Страница 494: ...linked to ether StatsCollisions 2008 Rising trap Rising Event an Alarm condition detected by the RMON probe in which a trap was generated based on a Rising Threshold Alarm with an elapsed time of 39 m...

Страница 495: ...Output Memory and CPU Utilization Levels Module level and Port level Input Output Utilization Levels For each monitored resource the following variables are defined Most recent utilization level perc...

Страница 496: ...ge CPU usage and chassis temperature See page 24 25 for more information show health threshold Displays current health threshold settings See page 24 26 for details health interval Configures sampling...

Страница 497: ...uide Note When you specify a new value for a threshold limit the value is automatically applied across all levels of the switch switch module and port You cannot select differing values for each level...

Страница 498: ...ow health threshold Rx Threshold 80 TxRx Threshold 80 Memory Threshold 80 CPU Threshold 80 Temperature Threshold 50 To display a specific health threshold enter the show health threshold command follo...

Страница 499: ...lowed by the number of seconds For example to specify a sampling interval value of 6 seconds enter the following command health interval 6 Valid values for the seconds parameter include 1 2 3 4 5 6 10...

Страница 500: ...own above the Device Resources field displays the device resources that are being measured for example Receive displays statistics for traffic received by the switch Transmit Receive displays statisti...

Страница 501: ...r traffic received by the switch while Trans mit Receive displays statistics for traffic transmitted and received by the switch The Limit field displays currently configured resource threshold levels...

Страница 502: ...Monitoring Switch Health Diagnosing Switch Problems page 24 30 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 503: ...in resolving configuration or authentication issues as well as general switch errors This chapter describes the switch logging feature how to configure it and display switch logging information throug...

Страница 504: ...pported IDLE 255 DIAG 0 IPC DIAG 1 QDRIVER 2 QDISPATCHER 3 IPC LINK 4 NI SUPERVISION 5 INTERFACE 6 802 1Q 7 VLAN 8 GM 9 BRIDGE 10 STP 11 LINKAGG 12 QOS 13 RSVP 14 IP 15 IPMS 17 AMAP 18 GMAP 19 AAA 20...

Страница 505: ...Switch Logging Defaults Parameter Description CLI Command Default Value Comments Enabling Disabling switch logging swlog Enabled Switch logging severity level swlog appid level No application ID or se...

Страница 506: ...is set to the warning level 3 Specify the output device to which the switch logging information will be sent swlog output console In this example the switch logging information will be sent to the co...

Страница 507: ...the log file to other output devices such as the console or remote IP address In this case the log records generated are copied to all configured output devices Switch logging information can be disp...

Страница 508: ...wlog appid level command is used to assign the severity levels to the applications The syntax for the swlog appid level command requires that you identify a switch application and assign it a severity...

Страница 509: ...ULE 24 APPID_L3HRE EIPC 26 APPID_EIPC CHASSIS 64 APPID_CHASSISUPER PORT MGR 65 APPID_PORT_MANAGER CONFIG 66 APPID_CONFIGMANAGER CLI 67 APPID_CLI SNMP 68 APPID_SNMP_AGENT WEB 69 APPID_WEBMGT MIPGW 70 A...

Страница 510: ...he warning severity level or 5 to the system application ID number 75 by using the severity level and application names swlog appid system level warning The following command makes the same assignment...

Страница 511: ...e enter the following command swlog output console To disable the switch logging output to the console enter the following command no swlog output console No confirmation message will appear on the co...

Страница 512: ...o your console screen by using the show swlog command The following information is displayed The enable disable status of switch logging A list of current output devices configured for switch logging...

Страница 513: ...e ls command which is described in the OmniSwitch 6624 6648 Switch Management Guide to determine the amount of available flash memory For example to set the switch logging file to 500000 bytes enter s...

Страница 514: ...12 42 11 2002 SYSTEM info Switch Logging files cleared by command MON NOV 11 13 07 26 2002 WEB info The HTTP session login successfu l MON NOV 11 13 18 24 2002 WEB info The HTTP session login success...

Страница 515: ...echanism that can also be useful in maintain ing and servicing the switch For information about this feature see Chapter 25 Using Switch Logging The configuration snapshot command can be used to captu...

Страница 516: ...shows Memory Monitoring default values Functionality Supported Fence Post Bad Address Detection Leak Monitoring Memory Classification Global Statistical Gathering Task Statistical Gathering Size Stati...

Страница 517: ...malloc ssAppChild mip_msg_qu CliShell0 Vx C Sem 035fe590 28 0011f038 semCCreate zcSelect mip_msg_do The information displayed above includes the task that owns the memory block the type of memory blo...

Страница 518: ...OmniSwitch CLI Reference Guide If a memory leak of unclassified memory is detected the service will generate a sysTrace System Trace message The system trace facility provides a consistent high level...

Страница 519: ...xem SSYaccStac CliShell0 01e3d928 272 02b33a3c malloc SSYaccStac SSYaccPars CliShell0 024fdca8 4 02b33a3c malloc SSLexLexem SSYaccStac CliShell0 035fe3e0 56 02b33a3c malloc SSLexLexem SSYaccStac CliSh...

Страница 520: ...lobal statistics a display similar to the following should appear debug memory monitor show log global Current 33741 Cumulative 687952 In the screen sample shown above the Current and Cumulative field...

Страница 521: ...imer 214 214 tDrcIprm 1801287 1801315 DrcTm 479453 675448 WebView 53690 340083 Rmon 285084 334616 SlbCtrl 578 578 PolMgr 808 15704 Qos 47096 938852 UdpRly 8320 8348 Vrrp 622 1198 Ipx 29634 29634 ipmpm...

Страница 522: ...M 612 12555 tCSCSMtask 586128 15256874 tSwLogTask 13519 In the screen sample shown above the Task Name field identifies the Task ID The Current and Cumulative fields display statistics indicating the...

Страница 523: ...3 512 1024 26778 365552 1024 2048 24572 358630 2048 4096 49648 274071 4096 8192 50793 1534291 8192 16384 478292 673610 16384 32768 431784 1075783 32768 65536 850216 1588017 65536 5130020 25675316 In t...

Страница 524: ...Configuring Debug Memory Commands Monitoring Memory page 26 10 OmniSwitch 6624 6648 Network Configuration Guide April 2004...

Страница 525: ...Licensee s system Licensee agrees not to assign sublicense transfer pledge lease rent or share their rights under this License Agreement Licensee may retain the program media for backup purposes with...

Страница 526: ...Y NOT APPLY TO LICENSEE THIS WARRANTY GIVES THE LICENSEE SPECIFIC LEGAL RIGHTS LICENSEE MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM STATE TO STATE 6 Limitation of Liability AII s cumulative liability t...

Страница 527: ...enforcement of rights or subsequent actions in the event of future breaches 13 Notes to United States Government Users Software and documentation are provided with restricted rights Use duplication or...

Страница 528: ...Redistributions must contain a verbatim copy of this document 4 The names and trademarks of the authors and copyright holders must not be used in advertising or otherwise to promote the sale use or ot...

Страница 529: ...ights These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it For example if you distribute copies of such a program whether grati...

Страница 530: ...e modified program normally reads commands interactively when run you must cause it when started running for such interactive use in the most ordinary way to print or display an announcement including...

Страница 531: ...l compliance 5 You are not required to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These act...

Страница 532: ...r published by the Free Software Foundation 10 If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different write to the author to ask for permi...

Страница 533: ...ass Ave Cambridge MA 02139 USA Also add information on how to contact you by electronic and paper mail If the program is interactive make it output a short notice like this when it starts in an intera...

Страница 534: ...ight notice and the entire permission notice in its entirety including the disclaimer of warranties 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions a...

Страница 535: ...tware EMWEB PRODUCT licensed from Agranat Systems Inc Agranat Agranat has granted to AII certain warranties of performance which warran ties or portion thereof AII now extends to Licensee IN NO EVENT...

Страница 536: ...ABILITY FOR ANY SPECIAL INDIRECT PUNITIVE INCIDENTAL AND CONSEQUENTIAL DAMAGES and iv any further distribution of the Run Time Module shall be subject to the same restric tions set forth herein With r...

Страница 537: ...authentication 17 14 aaa vlan no command 18 26 Access Control Lists see ACLs accounting servers 18 35 ACE Server for authentication 17 8 ACLs application examples 22 3 22 18 bridged traffic 22 7 defau...

Страница 538: ...router VRRP 16 6 binding VLAN rules 7 6 7 14 BPDU see Bridge Protocol Data Units bridge forward delay command 5 13 bridge hello time command 5 12 bridge max age command 5 13 bridge mode command 5 8 b...

Страница 539: ...11 3 deleting groups 11 11 displaying 11 36 group actor administrative key 11 18 group actor system ID 11 19 group actor system priority 11 19 group administrative state 11 18 group names 11 17 group...

Страница 540: ...penalty command 12 12 ip dos scan threshold command 12 13 ip dos scan trap command 12 13 ip dos scan udp open port penalty command 12 12 ip helper address command 15 8 18 30 ip helper avlan only comma...

Страница 541: ...p agg partner admin state command 11 26 lacp agg partner admin system id command 11 28 lacp agg partner admin system priority command 11 29 lacp linkagg actor admin key command 11 18 lacp linkagg acto...

Страница 542: ...0 policies configured via PolicyView 21 48 policy action 802 1p command 21 21 policy action command 21 20 21 22 policy action map command 21 43 policy actions see actions policy condition command 21 2...

Страница 543: ...command 21 15 qos fragment timeout command 21 17 QoS log cleared 21 16 displayed 21 16 number of display lines 21 14 see also logged events qos log level command 21 15 qos port command 21 20 qos port...

Страница 544: ...hreshold command 24 26 show icmp statistics command 12 18 show ip config command 12 9 12 10 show ip interface command 12 5 show ip rip command 13 6 show ip rip interface command 13 7 show ip rip redis...

Страница 545: ...id level command 25 6 swlog clear command 25 11 swlog command 25 6 swlog output command 25 9 swlog output flash file size command 25 11 T TCN BPDU see Topology Change Notification BPDU TCP statistics...

Страница 546: ...ddress 7 6 7 18 7 19 port 7 7 7 21 precedence 7 8 protocol 7 6 7 20 types 7 4 vlan stp command 4 10 vlan user command 7 21 VLANs 4 1 4 5 802 1Q 9 3 administrative status 4 6 application examples 4 3 4...

Отзывы:

Нет отзывов