FoxGate S6424-S2C2 series Скачать руководство пользователя страница 117

Страница: 117 / 286

ACL Configuring

117

Chapter 18. ACL Configuring

18.1 Brief Introduction to ACL

As network scale and network traffic are increasingly growing, network security and

bandwidth allocation become more and more critical to network management. Packet filtering

can be used to efficiently prevent illegal users from accessing networks and to control

network traffic and save network resources. Access control lists (ACL) are often used to filter

packets with configured matching rules.

ACLs are sets of rules (or sets of permit or deny statements) that decide what packets can

pass and what should be rejected based on matching criteria such as source MAC address,

destination MAC address, source IP address, destination IP address, and port number.

When an ACL is assigned to a piece of hardware and referenced by a QoS

policy for traffic classification, the switch does not take action according to

the traffic behavior definition on a packet that does not match the ACL.

ACL according to application identified by ACL numbers, fall into three categories,

Basic ACL: Source IP address

Extended ACL: Source IP address, destination IP address, protocol carried on IP, and

other Layer 3 or Layer 4 protocol header information

Layer 2 ACL: Layer 2 protocol header fields such as source MAC address, destination

MAC address, 802.1p priority, and link layer protocol type

18.1.1 Configuring Match Order

An ACL consists of multiple rules, each of which specifies different matching criteria.

These criteria may have overlapping or conflicting parts. This is where the order in which a

packet is matched against the rules comes to rescue.

Two match orders are available for ACLs:

config: where packets are compared against ACL rules in the order in which they are

configured.

auto: where depth-first match is performed. The term depth-first match has different

meanings for different types of ACLs. Depth-first match for a basic ACL

For example, now configuring 2 types of ACL as below

：

Switch(config)#access-list 2000 deny any

Config ACL subitem successfully.

Switch(config)#access-list 2000 permit 1.1.1.1 0

Содержание S6424-S2C2 series

Страница 1: ......

Страница 2: ... Line 24 2 3 1 Help of Command Line 24 2 3 2 Displaying Characteristics of Command Line 25 2 4 Show History Command of Command Line 25 2 5 Common Command Line Error Messages 26 2 6 Symbols in Command 26 2 7 Parameter in Command 27 3 MANAGE USERS 28 3 1 System Default User 28 3 2 User s Authentication 29 3 3 Local Authentication Configuration 29 3 3 1 Add Users 29 3 3 2 Change Password 30 3 3 3 Mod...

Страница 3: ...RRORING CONFIGURATION 46 5 1 Configure Ethernet Port Mirroring 46 5 1 1 Overview 46 5 1 2 Mirroring 46 5 1 3 Configuring port mirroring 47 5 1 4 Mirroring Configuration 47 6 CONFIGURING PORT UTILIZATION ALARM 50 6 1 Brief Introduction to Device Utilization Alarm 50 6 2 Configuring Device Utilization Alarm 50 6 2 1 Configuring Port Utilization Alarm 50 6 2 2 Configuring CPU Utilization Alarm 50 6 2...

Страница 4: ...lation 64 8 2 Port Isolation Configuration 64 8 2 1 Port Isolation Configuration 64 8 2 2 Port isolation Monitor and Maintenance 65 8 3 Port isolation Configuration Example 65 8 3 1 Port isolation Configuration Example 65 9 VLAN CONFIGURATION 66 9 1 VLAN Overview 66 9 2 VLAN Principles 67 9 3 802 1Q VLAN 68 9 3 1 VLAN Link Type of Ethernet Ports 68 9 3 2 Default VLAN 68 9 3 3 Handling Packets 68 1...

Страница 5: ...Anti Spoofing 83 12 2 6 Displaying and Maintain Anti Spoofing 83 12 3 Configuring against ARP Flood 83 12 3 1 ARP Flood 83 12 3 2 Configuring against ARP Flood 84 12 3 3 Configuring against ARP Flood 84 12 3 4 Displaying and Maintain against ARP Flood 85 13 IGMP SNOOPING 86 13 1 Brief Introduction to IGMP Snooping 86 13 2 IGMP Snooping Configuration 86 13 2 1 Brief Configuration of IGMP Snooping 8...

Страница 6: ...3 Displaying and Maintaining GMRP 99 14 2 4 GMRP Configuring Examples 99 15 DHCP CONFIGURATION 105 15 1 DHCP Overview 105 15 2 DHCP IP Address Assignment 105 15 2 1 IP Address Assignment Policy 105 15 2 2 Obtaining IP Addresses Dynamically 106 15 2 3 DHCP Packet Format 107 15 3 DHCP Relay 108 15 3 1 Usage of DHCP Relay 108 15 3 2 DHCP Relay Fundamentals 109 15 4 Configure DHCP Relay 110 16 DHCP SN...

Страница 7: ...Configuring Basic ACL 120 18 3 1 Configuration Procedure 121 18 3 2 Configuration Examples 121 18 4 Define Extended ACL 121 18 4 1 Configuration Procedure 122 18 4 2 Configuration Procedure 123 18 5 Define Layer 2 ACL 124 18 5 1 Configuring Layer 2 ACL 124 18 5 2 Configuration Examples 125 18 6 Activate ACL 125 18 6 1 Configuration Examples 125 18 6 2 Activate ACL Successfully Active ACL Binding 1...

Страница 8: ...r 134 20 2 2 Configure Two Rate Three Color Marker 135 20 2 3 Configuring Interface Line Rate 135 20 2 4 Configuring Packet Redirection 136 20 2 5 Configuring Traffic Copy to CPU 136 20 2 6 Configuring Traffic Priority 136 20 2 7 Configuring Queue Scheduler 136 20 2 8 Configuring Cos map Relationship of Hardware Priority Queue and Priority of IEEE802 1p Protocol 137 20 2 9 Configuring Mapping Rela...

Страница 9: ...2 1X 160 22 1 2 Rule of 802 1x 162 22 2 Configuring AAA 163 22 2 1 Configuring RADIUS Server 163 22 2 2 Configuring Local User 163 22 2 3 Configuring Domain 164 22 2 4 Configuring RADIUS Features 164 22 3 Configuring 802 1X 166 22 3 1 Configuring EAP 166 22 3 2 Enable 802 1x 166 22 3 3 Configuring 802 1x Parameters for Port 167 22 3 4 Configuring Re authentication 167 22 3 5 Configuring Watch Feat...

Страница 10: ... MSTP Instance Is Enabled 190 23 4 14 Displaying and Maintain MSTP 190 24 CONFIGURING SNTP 191 24 1 Brief introduction of SNTP 191 24 1 1 SNTP Operation Mechanism 191 24 2 Configuring SNTP client 191 24 2 1 List of SNTP Client Configuration 191 24 2 2 Enabling SNTP Client 192 24 2 3 Modifying SNTP Client Operating Mode 192 24 2 4 Configuring SNTP Sever Address 192 24 2 5 Modifying Broadcast Transf...

Страница 11: ...re Using FTP through Ethernet Port 208 27 3 Remote Software Loading 210 27 3 1 Remote Loading Using FTP 210 27 3 2 Remote Loading Using TFTP 210 28 BASIC SYSTEM CONFIGURATION DEBUGGING 211 28 1 Basic System Configuration 211 28 2 SNMP 211 28 2 1 SNMP Overview 211 28 2 2 Configuring SNMP Basic Functions 213 28 2 3 Displaying SNMP 214 28 2 4 SNMP Configuration Example 215 28 3 Network Connectivity T...

Страница 12: ...NFIGURATION 232 31 1 Brief Introduction to CFM 232 31 1 1 CFM Concepts 232 31 1 2 CFM Main Function 232 31 2 Configuring CFM 233 31 2 1 CFM Configuration Task List 233 31 2 2 Maintain Field Configuration 234 31 2 3 Configuration and Maintenance Level Domain Name 234 31 2 4 Maintain Set Configuration 235 31 2 5 Configuration Name and Associated VLAN to Maintain Set 235 31 2 6 Configuration MEPs 235...

Страница 13: ...onitor and Maintenance 249 33 4 Monitor Link Configuration Example 250 34 EFM CONFIGURATION 256 34 1 Brief Introduction to EFM 256 34 1 1 EFM Main Function 256 34 1 2 EFM Protocol Packets 257 34 2 Configuration EFM 257 34 2 1 EFM Configuration Task List 257 34 2 2 EFM Basic Configuration 258 34 2 3 EFM Timer Parameter Configuration 258 34 2 4 Configuring Remote Failure Indication 259 34 2 5 Config...

Страница 14: ...et 266 36 2 2 Advanced L2TP Configuration 267 36 2 3 L2TP Monitor and Maintenance 267 37 QINQ CONFIGURATION 268 37 1 Introduction to QinQ 268 37 1 1 Understanding QinQ 268 37 1 2 Implementations of QinQ 269 37 1 3 Modification of TPID Value of QinQ Frames 270 37 2 Configuring QinQ 270 37 2 1 Default QinQ Configuration 270 37 2 2 Configure BASIC QinQ 271 37 2 3 Configure Selective QinQ 271 37 3 Qin...

Страница 15: ... 2 2 Start MLD Snooping 279 40 2 3 Configuring MLD Snooping Timer 279 40 2 4 Fast leave Configuration Port 279 40 2 5 Maximum Number of Learning Multicast Configuration Port 280 40 2 6 Configuring MLD Snooping Multicast Learning Strategies 280 40 2 7 Configuring MLD Snooping Querier 281 40 2 8 Configuring Routing Port 281 40 2 9 Multicast VLAN Port Configuration 282 40 2 10 Display and Maintenance...

Страница 16: ...Console Port Step 1 As shown in the figure below to set up the local configuration environment connect the serial port of a PC or a terminal to the Console port of the Ethernet switch with the Console cable Console port RS 232 Serial port Console cable Figure 1 1 Set up the local configuration environment via the Console port Step 2 Run terminal emulator such as Hyper Terminal on Windows 9X 2000 X...

Страница 17: ...Logging in Ethernet Switch 17 Figure 1 2 Set up new connection Figure 1 3 Configure the port for connection Figure 1 4 Set communication parameters ...

Страница 18: ...t PC to Ethernet Switch through Telnet After you have correctly configured IP address of a VLAN interface for an Ethernet Switch via Console port the way to configure switch via console refers to Set up Configuration Environment via the Console Port the way to configure ip address of switch refers to 03 using ip address command in VLAN interface mode and make sure PC can ping the switch then you c...

Страница 19: ...p 5 Use the corresponding commands to configure the Ethernet switch or to monitor the running state Enter to get the immediate help For details of specific commands refer to the following chapters Note When configuring the Ethernet switch via Telnet do not modify the IP address of it unnecessary for the modification might cut the Telnet connection 1 2 2 Telnet Ethernet Switch through Ethernet Swit...

Страница 20: ...The user logs in the Telnet Client Ethernet switch For the login process refer to the section describing Connect PC to Ethernet Switch through Telnet Step 3 Perform the following operations on the Telnet Client telnet A B C D A B C D is the IP address of the Telnet Server Step 4 Enter the preset login password and you will see the prompt such If the prompt Too many users appears it indicates that ...

Страница 21: ...iate online help Provide network testing commands such as Tracert and Ping to fast troubleshoot the network Provide various detailed debugging information to help with network troubleshooting Log in and manage other Ethernet switch directly using the Telnet command Provide FTP TFTP Xmodem service for the users to upload and download files The command line interpreter searches for target not fully ...

Страница 22: ... that are equal to or lower than their own level In order to prevent unauthorized users from illegal intrusion user will be identified when switching from a lower level to a higher level with username username privilege level password encryption type password command For the sake of confidentiality on the screen the user cannot see the password that he entered Only when correct password is input f...

Страница 23: ...n privileged Mode exit and end returns to privileged mode quit disconnects to the switch Interface Configuration Mode Configure Interface parameters Switch config if et hernet 0 0 1 Key in interface ethernet 0 0 1 in global Configuration Mode exit returns to global configuration mode and end returns to privileged mode quit disconnects to the switch VLAN Configuration Mode Configure VLAN parameters...

Страница 24: ...onfiguration Mode 2 3 Feature and Functions of Command Line 2 3 1 Help of Command Line Table 2 2 You can get the help information through the help commands which are described as follows Command Purpose Examples help Obtain a brief description of the help system in any command mode Switch help System mode commands cls clear screen help description of the interactive help ping ping command Abbrevia...

Страница 25: ...s Ctrl C when the display pauses Stop displaying and executing command Press other key when the display pauses Continue to display the next screen of information Press Enter when the display pauses Continue to display the next line of information 2 4 Show History Command of Command Line Command line interface provides the function similar to that of DosKey The commands entered by users can be auto...

Страница 26: ...he range Incomplete command The input command is incomplete Too many parameters Enter too many parameters Ambiguous command The parameters entered are not specific 2 6 Symbols in Command This publication uses these conventions to convey instructions and information Command descriptions use these conventions Commands and keywords are in boldface text Arguments for which you supply values are in ita...

Страница 27: ...hernet and port number is device slot num port num Device means stack value which is 0 slot num means slot number S6424 S2C2 supports slot 0 and 1 and S6424 S2C2 supports slot 0 1 and 2 port num is the port number in the slot S6424 S2C2 is in the range of 1 to 24 and S6424 S2C2 is in the range of 1 to 48 Port parameter interface list means multiple ports Seriate interfaces with the same type can b...

Страница 28: ...ssword It cannot create or delete other users and change other user s password and privilege This chapter contains following sections System default user Add users Change password Modify User s Privilege Level Delete User Show users 3 1 System Default User There is an internal username with password called Super administrator It processes the superior priority in the switch to manage both the user...

Страница 29: ...specified the privilege 4 show username Check the configuration 5 exit Exit to user mode 6 copy running config startup config Save the configuration Note Username it means the name of the user to be added which must be 1 to 32 printable characters without Level means the priority of the user to be added which is the number between 0 and 15 0 and 1 mean the normal user and 2 to 15 mean the administ...

Страница 30: ...123456 Switch config username change password please input you login password please input username admin Please input user new password Please input user confirm password change user password success 3 3 3 Modify User s Privilege Level In global configuration mode only Super administrator admin can modify the privilege level of other users Enter global configuration mode how to enter global confi...

Страница 31: ...bal configuration mode refers to the first 2 steps in Table 3 1 before following the below steps Table 3 4 Delete user Ste p Command Description 1 no username username Delete user 2 show username Check configuration 3 exit Exit to user mode 4 copy running config startup config Save the configuration Note Username means the name of the user to be deleted When deleting a user which is used it will b...

Страница 32: ...ame as that of RADIUS server Generally they are Accounting port 1813 Authentication port 1812 Configure shared key of authentication accounting RADIUS server acct secret key auth secret key key Selected Shared key should be the same as that of RADIUS server Show configuration show muser 3 4 2 Configure TACACS remote authentication Configuring user s login through TACACS server authentication accou...

Страница 33: ...nfigured it means local authentication is used if remote authentication failed By default it is local authentication Configure IP shared key TCP port timeout of TACACS remote server tacacs priamary secondary server ipaddress key keyvalue port portnum timeout timevalue Selected By default TCP port is 49 and timeout is5 seconds Show TACACS configuration show tacacs Show current authentication show m...

Страница 34: ...ault VLAN ID for Ethernet Port Both hybrid port and trunk port can belong to more than one VLAN but there is a default VLAN for each port The default VLAN ID PVID is VLAN 1 and it can be changed if necessary the way to change PVID refers to Table 4 5 4 1 3 Handling packets Different ports have different ways to handle the packet Details are in Table 4 1 Table 4 1 Different port handles different p...

Страница 35: ...sic port configuration 4 2 1 1 Enter Interface Configuration Mode Before configuring the Ethernet port enter interface configuration mode first Perform the following configuration in privileged mode Table 4 2 Enter interface configuration mode Step Command Description 1 configure terminal Enter global configuration mode 2 interface ethernet device num slot num port num Enter interface configuratio...

Страница 36: ...inal Enter interface configuration mode interface ethernet device num slot num port num Configure port mode to be Access Hybrid or Trunk switchport mode access hybrid trunk Show port mode show interface ethernet device num slot num port num Example There is VLAN 1 20 Configure uplink port e 0 1 1 to be trunk and it can transceive packets of VLAN1 20 Switch config vlan 1 20 Switch config if vlan sw...

Страница 37: ...an vlan 30 Switch config if vlan switchport ethernet 0 0 3 Add VLAN port successfully Switch config if vlan vlan 40 Switch config if vlan switchport ethernet 0 0 4 Add VLAN port successfully Switch config if vlan interface ethernet 0 0 1 Switch config if ethernet 0 0 1 switchport default vlan 10 Switch config if ethernet 0 0 1 interface ethernet 0 0 2 Switch config if ethernet 0 0 2 switchport def...

Страница 38: ...port num Add Hybrid port to specific VLAN and keep the packet VID switchport hybrid tagged vlan vlan list Add Hybrid port to specific VLAN and strip the packet VID switchport hybrid untagged vlan vlan list Delete Hybrid port from specific VLAN no switchport hybrid vlan vlan list Add Trunk port to specific VLAN switchport trunk allowed vlan vlan list Delete Trunk port from specific VLAN no switchpo...

Страница 39: ...he default interface priority is 0 The larger the priority value is the higher the priority is And the packet with the higher priority will be quickly handled Configure port description description description list The description is used to distinguish ports By default the description of a port is empty 4 3 Combo Port A combo port is formed by two Ethernet ports on the panel one of which is an op...

Страница 40: ...e Type for Ethernet Port We can configure ingress acceptable frame mode to be all types or only tagged The untagged frame will not be accepted after the port setting to be only tagged Perform the following configuration in interface configuration mode Table 4 9 Configure ingress acceptable frame Operation Command Enable ingress acceptable frame ingress acceptable frame all tagged Disable ingress a...

Страница 41: ...able Disable Flow Control for Ethernet Port Option Command Enable Ethernet port flow control flow control Disable Ethernet port flow control no flow control Note By default Ethernet port flow control is disabled Example Enable flow control on ethernet 0 0 5 Switch config interface ethernet 0 0 5 Switch config if ethernet 0 0 5 flow control Setting successfully flow control is enable Disable flow c...

Страница 42: ... exit Display the utilization information of all ports show utilization interface The utilization information of all ports includes receiving and sending speed bandwidth utilization rate etc Press Enter to exit Note Using clear interface command in global mode if the interface num and slot num are not assigned the information of all interfaces is cleared If the slot num is assigned the port inform...

Страница 43: ...casts 0 broadcasts Show statistic interface ethernet 0 0 2 Switch config if ethernet 0 0 1 show statistics interface ethernet 0 0 2 Port number e0 0 2 input rate 0 bits sec 0 packets sec output rate 0 bits sec 0 packets sec 64 byte packets 0 65 127 byte packets 0 128 255 byte packets 0 256 511 byte packets 0 512 1023 byte packets 0 1024 1518 byte packets 0 0 packets input 0 bytes 0 discarded packe...

Страница 44: ... down 0 0 0 0 0 0 e0 0 10 down 0 0 0 0 0 0 e0 0 11 down 0 0 0 0 0 0 e0 0 12 down 0 0 0 0 0 0 e0 0 13 down 0 0 0 0 0 0 e0 0 14 down 0 0 0 0 0 0 e0 0 15 down 0 0 0 0 0 0 e0 0 16 down 0 0 0 0 0 0 e0 0 17 down 0 0 0 0 0 0 0 Clear Counters U page up D page down CR exit Show utilization interface Switch config if ethernet 0 0 1 show utilization interface Link Utilization Averages Sat Jan 1 00 43 44 2000...

Страница 45: ... 0 0 e0 0 12 down 0 0 0 0 e0 0 13 down 0 0 0 0 e0 0 14 down 0 0 0 0 e0 0 15 down 0 0 0 0 e0 0 16 down 0 0 0 0 e0 0 17 down 0 0 0 0 spacebar toggle screen U page up D page down CR exit Clear interface Switch config if ethernet 0 0 1 clear interface clear current port statistics information record successfully ...

Страница 46: ...ic Mirroring Traffic mirroring maps traffic flows that match specific ACLs to the specified destination port for packet analysis and monitoring Before configuring traffic mirroring you need to define ACLs required for flow identification 5 1 1 2 Port Mirroring Port mirroring refers to the process of copying the packets received or sent by the specified port to the destination port 5 1 2 Mirroring ...

Страница 47: ...roring has been determined Configuration procedure Perform the configuration in global configuration mode Table 5 2 Configure traffic mirroring Operation Command Description Configure traffic mirroring mirrored to ip group acl number acl name subitem subitem link group acl number acl name subitem subitem interface ethernet interface num The command is for traffic mirroring on the packets which mee...

Страница 48: ...he packets received via the port egress only mirrors the packets sent by the port both mirrors the packets received and sent by the port at the same time The destination port is specified Configuration procedure Perform the following configuration in global configuration mode Table 5 3 Configure port mirroring Operation Command Description Configure destination port so called monitor port mirror d...

Страница 49: ...g Configuration 49 Mirror cpu both to ethernet 0 1 2 Switch config mirror destination interface ethernet 0 1 2 Config monitor port successfully Switch config mirror source interface cpu both Config mirrored port successfully ...

Страница 50: ...arms will show in the list of Syslog 6 2 Configuring Device Utilization Alarm 6 2 1 Configuring Port Utilization Alarm Using below commands to configure port utilization Enable port utilization in system and port mode by default The exceed value equals 850M the normal value equals 600M Table 6 1 Configuring port utilization alarm Operation Command Remark Enter global configuration mode configure t...

Страница 51: ...Device Utilization Alarm After finishing above configuration you can show configuration by below commands Table 6 3 Displaying and debugging device utilization alarm Operation Command Remark Display the enable status and alarm value of CPU utilization alarm show alarm cpu Perform either of the commands Display port utilization in system mode show alarm all packets Perform either of the commands Di...

Страница 52: ...gregation group their basic configuration must be the same The basic configuration includes STP QoS VLAN port attributes and other associated settings STP configuration including STP status enabled or disabled link attribute point to point or not STP priority maximum transmission speed loop prevention status QoS configuration including traffic limiting priority marking default 802 1p priority traf...

Страница 53: ...tion generated by system depending on the configurations of the port rate duplex mode other basic configuration and administrative key when the port is aggregated 1 The ports in the same aggregation group must have the same operation key O Key and administrative key A Key 2 The administrative key A Key and operation key O Key of an LACP enable aggregation port is equal to its aggregation group ID ...

Страница 54: ... actively send LACPDUs group in passive mode will only response LACPDUs passively When interconnecting with another device static mode can only interconnect with static mode active mode can interconnect with both active and passive mode but passive mode can only interconnect with active mode The default mode is ACTIVE 7 1 5 3 Port status of Dynamic Aggregation Group A port in a dynamic aggregation...

Страница 55: ...two device IDs are compared the system priorities are compared first and the system MAC addresses are compared when the system priorities are the same The device with smaller device ID will be considered as the preferred one Note Changing the system priority of a device may change the preferred device between the two parties and may further change the states bundled or standby of the member ports ...

Страница 56: ...ame The port with smaller port ID is considered as the preferred one 7 3 Load balancing Policy Load balancing policy is specific physical link selection strategy when sending packets which can be source MAC destination MAC source and destination MAC source IP destination IP and source and destination IP The default strategy is source MAC 7 4 Link Aggregation Configuration Link aggregation configur...

Страница 57: ...no channel group channel group number This command used in global configuration mode is for deleting a static aggregation group Back to global configuration mode exit Delete a static aggregation group no channel group channel group number This command used in interface configuration mode is for deleting a port from an aggregation group Delete all ports from the group first before deleting the grou...

Страница 58: ... group number This command used in global configuration mode is for deleting a static aggregation group 8 Back to global configuration mode exit 9 Delete a dynamic aggregation group no channel group channel group number This command used in interface configuration mode is for deleting a port from an aggregation group Delete all ports from the group first before deleting the group 7 6 Displaying an...

Страница 59: ...erminal switch A config channel group 1 Configure switch B switch B configure terminal switch B config channel group 1 Configure channel group load balance Configure switch A switch A config channel group load balance src dst mac Configure switch B switch B config channel group load balance src dst mac Configure LACP system and port priority Configure switch A switch A config lacp system priority ...

Страница 60: ...annel group 1 mode on Remember to re config mac addresses associated with port e0 0 3 Remember to re config mac addresses associated with port e0 0 4 2 Dynamic Configure switch A switch A config interface range ethernet 0 0 1 to ethernet 0 0 2 switch A config if range channel group 1 mode active Remember to re config mac addresses associated with port e0 0 1 Remember to re config mac addresses ass...

Страница 61: ...or state e0 0 1 bndl 2 2 64 1 10111100 e0 0 2 bndl 2 2 64 1 10111100 actor state activity timeout aggregation synchronization collecting distributing defaulted expired show lacp internal of switch B switch B config if range show lacp internal Load balance src dst mac Channel 1 dynamic channel Port State A Key O Key Priority Logic port Actor state e0 0 3 bndl 2 2 256 3 00111100 e0 0 4 bndl 2 2 256 ...

Страница 62: ...ization collecting distributing defaulted expired 3 Show system ID Show switch A system ID switch A config if range show lacp sys id 1024 000a5a010203 Show switch B system ID switch B config if range show lacp sys id 2048 000a5a020305 Delete port member from channel group Configure switch A switch A config if range no channel group 1 Remember to re config mac addresses associated with port e0 0 1 ...

Страница 63: ...Link Aggregation Configuration 63 Delete channel group Configure switch A switch A config no channel group 1 Configure switch B switch B config no channel group 1 ...

Страница 64: ... the isolation group or create other isolation groups The number of the ports an isolation group can contain is total port number 1 Because isolated ports are downlink ports There should be at least one uplink port Note When a port in an aggregation group is configured as the member of isolation group the other ports of the aggregation group will not be downlink ports 8 2 Port Isolation Configurat...

Страница 65: ... mode 8 3 Port isolation Configuration Example 8 3 1 Port isolation Configuration Example I Network requirements User PC1 PC2 PC3 connect to switch e0 0 2 e0 0 3 e0 0 4 Switch connects to Internet by e0 0 1 User PC1 PC2 PC3 need independent data exchange II Networking diagram III Configuration procedure Switch configure terminal Switch config isolate port ethernet 0 0 2 to ethernet 0 0 4 Add port ...

Страница 66: ... forwarded to other VLANs therefore it is very helpful in controlling network traffic saving device investment simplifying network management and improving security Figure 9 1 Vlan implementation A VLAN can span across multiple switches or even routers This enables hosts in a VLAN to be dispersed in a looser way That is hosts in a VLAN can belong to different physical network segment Compared with...

Страница 67: ...ntains four fields including TPID Tag Protocol Identifier priority CFI Canonical Format Indicator and VID VLAN ID TPID is a 16 bit field indicating that this data frame is VLAN tagged By default it is 0x8100 Priority is a 3 bit field referring to 802 1p priority Refer to section QoS QoS profile for details CFI is a 1 bit field indicating whether the MAC address is encapsulated in the standard form...

Страница 68: ...ut the Tag label 9 3 2 Default VLAN Details refer to 02 Port configuration 9 3 3 Handling Packets Different ports have different ways to handle the packet Details are in Table 9 1 Table 9 1 Different port handles different packet Port type Ingress Egress Untagged packet Tagged packet Access port Receive it and add a tag with VID being equal to PVID If VID of the packet is equal to the port permitt...

Страница 69: ...lobal configuration mode configure terminal Create a vlan and enter vlan configuration mode VLAN vlan list If the VLAN to be created exists enter the VLAN mode directly Otherwise create the VLAN first and then enter the VLAN mode Vlan id allowed to configure is in the range of 1 to 4094 Vlan list can be in the form of discrete number a sequence number or the combination of discrete and sequence nu...

Страница 70: ...rivilege mode Table 10 4 Delete vlan Operation Command Description Enter global configuration mode configure terminal Delete VLAN no vlan vlan list all Display the related information about VLAN show vlan vlan_id Note After perform no vlan all system will delete all vlan except VLAN 1 In other words VLAN 1 cannot be deleted The VLAN to be removed cannot exist in the multicast group So please remov...

Страница 71: ...if vlan switchport ethernet 0 0 3 ethernet 0 0 4 Set the default vlan of Ethernet0 0 1and Ethernet0 0 2 Switch config interface range ethernet 0 0 1 to ethernet 0 0 2 Switch config if range switchport default vlan 2 Set the default vlan of Ethernet0 0 3 and Ethernet0 0 4 Switch config interface range ethernet 0 0 3 to ethernet 0 0 4 Switch config if range switchport default vlan 3 Enter VLAN view ...

Страница 72: ...tions or withdrawals handles attributes of other participants GARP participants exchange attributes primarily by sending the following three types of messages Join Leave and LeaveAll I Join to announce the willingness to register some attribute with other participants II Leave to announce the willingness to deregister with other participants LeaveAll to deregister all attributes A LeaveAll message...

Страница 73: ...P optional 11 3 1 11 2 2 Startup GVRP Before enabling GVRP on a port you must enable GVRP globally because it disables in default Notes you need to configure the port trunk to enable GVRP Table 11 2 Startup GVRP Operation Command Remark Enter global configuration mode configure terminal Enable GVRP in global configuration mode gvrp required Enter port configuration mode interface ethernet device s...

Страница 74: ...ined by GVRP show gvrp interface ethernet device slot port Show GVRP permit VLAN show garp permit vlan 11 3 2 GVRP Configuration Examples As below S1 and S3 forward respective static VLAN information to S2 by GVRP protocol S2 forwards to each other with local static and learning VLAN from GVRP At the end S1 S2 S3 can share the dynamic VLAN information Figure 11 1 Network Figure 11 1 Configuration ...

Страница 75: ...lt permit VLAN Other Garp permit VLAN 2 4 Configure S2 Preparation before configure Switch config vlan 5 6 Switch config if vlan switchport ethernet 0 0 2 Add VLAN port successfully Switch config if vlan switchport ethernet 0 0 3 Add VLAN port successfully Switch config if vlan exit Switch config interface range ethernet 0 0 2 to ethernet 0 0 3 Switch config if range switchport mode trunk Switch c...

Страница 76: ...config if vlan switchport ethernet 0 0 4 Add VLAN port successfully Switch config if vlan interface e 0 0 4 Switch config if ethernet 0 0 4 switchport mode trunk Configure GVRP Switch config gvrp Turn on GVRP successfully Switch config interface e 0 0 4 Switch config if ethernet 0 0 4 gvrp Switch config garp permit vlan 7 8 Verify GVRP configuration Switch config show gvrp GVRP state enable Switch...

Страница 77: ...atic VLAN member e0 0 1 e0 2 2 Static tagged ports e0 0 1 Static untagged Ports e0 0 2 e0 2 2 Dynamic tagged ports show VLAN information VLAN ID 2 VLAN status static VLAN member e0 0 1 Static tagged ports e0 0 1 Static untagged Ports Dynamic tagged ports show VLAN information VLAN ID 3 VLAN status static VLAN member e0 0 1 Static tagged ports e0 0 1 Static untagged Ports Dynamic tagged ports show ...

Страница 78: ...ion VLAN ID 6 VLAN status dynamic VLAN member e0 0 1 Static tagged ports Static untagged Ports Dynamic tagged ports e0 0 1 show VLAN information VLAN ID 7 VLAN status dynamic VLAN member e0 0 1 Static tagged ports Static untagged Ports Dynamic tagged ports e0 0 1 show VLAN information VLAN ID 8 VLAN status dynamic VLAN member e0 0 1 Static tagged ports Static untagged Ports Dynamic tagged ports e0...

Страница 79: ...Host A finds it Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B 2 If Host A finds no entry for Host B Host A buffers the packet and broadcasts an ARP request in which the source IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address ar...

Страница 80: ...ination IP address is the one of Host B After obtaining the MAC address of Host B from another ARP reply the gateway sends the packet to Host B 12 1 2 ARP Message Format Figure 12 2 ARP Message Format The following explains the fields in Figure 12 2 Hardware type This field specifies the hardware address type The value 1 represents Ethernet Protocol type This field specifies the type of the protoc...

Страница 81: ...acket has the following characteristics The sender MAC address or target MAC address in the ARP message is inconsistent with the source MAC or destination MAC address in the Ethernet frame The mapping between the sender IP address and the sender MAC address in the forged ARP message is not the true IP to MAC address binding of a valid client ARP attacks bring many malicious effects Network communi...

Страница 82: ...otection configuration on the gateway This relieves the burden from the gateway If the access switches do not support ARP attack protection or the hosts are connected to a gateway directly the gateway must be configured to Create correct ARP entries and prevent them from being modified Suppress the burst impact of ARP packets or the IP packets that will trigger sending of ARP requests The merits o...

Страница 83: ...tion operation step4 end return to privilege mode step5 copy running config startup config save modified configuration 12 2 5 Configuring Default of Anti Spoofing Table 12 3 Configure default of anti spoofing Function Default arp anti spoofing disable Configure ARP Packet Source MAC Address Consistency Check enable arp anti spoofing unknown diacard flood discard 12 2 6 Displaying and Maintain Anti...

Страница 84: ...saved in the system log related to alarms For disabled users administrators can set automatic or manual recovery In the S6424 S2C2 switch on the entire process is as follows Enable ARP anti flood function will be broadcast ARP packets received on the CPU according to an ARP packet source MAC address to identify the different streams Set security ARP rate if the rate exceeds the threshold the switc...

Страница 85: ...ery time arp anti flood recover time time optional Configurable time range is 0 1440 minutes set to 0 said to be manually restored By default the user automatically banned recovery time of 10 minutes Banned user manual resume forwarding arp anti flood recover H H H H H H all optional 12 3 4 Displaying and Maintain against ARP Flood Table 12 6 Operation Command Remark Display ARP anti flood configu...

Страница 86: ...icast frame can transfer packet according to his own multicast address table 13 2 IGMP Snooping Configuration 13 2 1 Brief Configuration of IGMP Snooping Table 13 1 Brief configuration of IGMP Snooping Configuration Task Remark Detailed configuration IGMP Snooping basic configuration Enable IGMP Snooping required 3 2 2 Modify and optimize IGMP Snooping configuration Configure IGMP Snooping multica...

Страница 87: ...Remark Enter global configuration mode configure terminal Configure IGMP Snooping multicast interface aging time igmp snooping host aging time time optional By default dynamic interface aging time is300S Configure maximum leave time igmp snooping max response time time optional by default maximum leave time is 10S 13 2 4 Configuring Port Fast Leave Under normal circumstances IGMP Snooping on IGMP ...

Страница 88: ...p limit number optional By default the number of the multicast group allowed learning is NUM_MULTICAST_GROUPS 13 2 6 Configuring IGMP Snooping Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward mult...

Страница 89: ...st Learning Strategy Configured multicast learning strategies the administrator can control the router only to learn the specific multicast group If a multicast group is added to the blacklist then the router will not learn the multicast group the contrary in the white list in the router can learn multicast group Table 13 7 Configuring IGMP Snooping multicast learning strategy Operation Command Re...

Страница 90: ... Multicast VLAN on the port function regardless of the port receiving the IGMP messages belong to which VLAN the switch will be modified as a multicast VLAN Table 13 9 Configure IGMP Snooping port multicast VLAN Operation Command Remarks Enter global configuration mode configure terminal Enter port configuration mode interface ethernet interface num Configure IGMP Snooping port multicast VLAN igmp...

Страница 91: ...guring Port of Discarded Packets Report or Not When this feature is enabled on a port the switch drops the IGMP report message Default port to receive all IGMP packets Table 13 12 Configure port of discarded packets report or not Operation Command Remarks Enter global configuration mode configure terminal Enter port configuration mode interface ethernet interface num Configure the port discarded p...

Страница 92: ...e effect the configuration port reference profile the more the type of profile must be the same between that port can only refer to the same type permit or deny the profile When the port is referenced permit the profile the profile can only learn the definition of the corresponding multicast group when the port reference deny the profile the profile can be defined in addition to learning outside o...

Страница 93: ... snooping record host interface ethernet interface num Display information about multicast preview show igmp snooping preview Display the current state of multicast channel preview show igmp snooping preview status Display profile configuration information show igmp snooping profile interface ethernet interface num profile list Display multicast group show multicast interface ethernet interface nu...

Страница 94: ... if vlan switchport ethernet 0 0 2 S switch A config if vlan exit S switch A config vlan 4 S switch A config if vlan switchport ethernet 0 0 3 S switch A config if vlan exit Enable igmp snooping S switch A config igmp snooping When Host A Host B Host C forward IGMP report to S switch A S switch A will learn corresponding multicast table entry port When the Multicast Source Router send igmp query t...

Страница 95: ...ve data flow S switch A will forward corresponding to Host A Host B Host C Static multicast configuration examples Configuration steps Configuring S switch A configure VLAN 2 to 4 and add the ports into VLAN2 3 4 of Ethernet0 0 1 Ethernet0 0 2 and Ethernet0 0 3 S switch A config vlan 2 S switch A config if vlan switchport ethernet 0 0 1 S switch A config if vlan exit S switch A config vlan 3 S swi...

Страница 96: ... 01 vlan 2 S switch A config multicast mac address 01 00 5e 00 01 01 vlan 2 interface ethernet 0 0 1 S switch A config multicast mac address 01 00 5e 00 01 02 vlan 3 S switch A config multicast mac address 01 00 5e 00 01 02 vlan 3 interface ethernet 0 0 2 S switch A config multicast mac address 01 00 5e 00 01 03 vlan 4 S switch A config multicast mac address 01 00 5e 00 01 03 vlan 4 interface ethe...

Страница 97: ... 3 S switch A config show igmp snooping router static Port VID Age Type e0 0 4 2 no age STATIC e0 0 4 3 no age STATIC e0 0 4 4 no age STATIC Total Record 3 When Multicast Source Router sends 224 0 1 1 224 0 1 3 multicast serve data flow S switch A will forward corresponding to Host A Host B Host C ...

Страница 98: ...ion transferred by GMRP includes local manual configuration of static multicast register information and the dynamic multicast register information of other switch 14 2 GMRP Configuration 14 2 1 Enabling GMRP Enable GMRP needs in both globally and port configuration By default GMRP disable in both globally and port configuration Table 14 1 Enable GMRP Operation Command Remark Enter globally config...

Страница 99: ...iguration mode show gmrp Perform either of the commands Display GMRP in port configuration mode show gmrp interface ethernet interface nu m Display GMRP permit multicast show garp permit multicast Display local broadcast including static and learning broadcast by GMRP show multicast 14 2 4 GMRP Configuring Examples As shown below S1 and S3 by GMRP protocol packets to its own static multicast infor...

Страница 100: ...net 0 0 1 exit Configure GMRP Switch config gvrp Turn on GVRP successfully Switch config gmrp Turn on GMRP successfully Switch config garp permit vlan 111 333 Switch config garp permit multicast mac address 01 00 5e 01 01 01 vlan 111 Switch config interface e 0 0 1 Switch config if ethernet 0 0 1 gvrp Switch config if ethernet 0 0 1 gmrp Switch config if ethernet 0 0 1 exit GVRP configuration veri...

Страница 101: ...ate enable Switch config show gmrp interface ethernet 0 0 2 ethernet 0 0 3 port GMRP status e0 0 2 enable e0 0 3 enable Total entries 2 Configuration on S3 Before configuration Switch config vlan 111 333 Switch config if vlan switchport ethernet 0 0 1 to ethernet 0 0 10 Add VLAN port successfully Switch config multicast mac address 01 00 5e 03 03 03 vlan 333 adding multicast group successfully Swi...

Страница 102: ...MRP status enable Switch config show gmrp interface ethernet 0 0 4 port GMRP status e0 0 4 enable Total entries 1 Switch config show garp permit multicast GARP permit multicast vlan 333 mac 01 00 5e 03 03 03 After configuration is complete you can show multicast command to view the function of learning to GMRP multicast registration information View the multicast information in S1 can be found 01 ...

Страница 103: ...ion MAC Address 01 00 5e 01 01 01 VLAN ID 111 Static port list IGMP port list Dynamic port list e0 0 2 MAC Address 01 00 5e 03 03 03 VLAN ID 333 Static port list IGMP port list Dynamic port list e0 0 3 Total entries 2 View multicast information on S3 can be found 01 00 5 e 01 01 01 by GMRP multicast learn Switch config show multicast show multicast table information MAC Address 01 00 5e 01 01 01 V...

Страница 104: ...GMRP Configuration 104 VLAN ID 333 Static port list e0 0 1 e0 0 10 IGMP port list Dynamic port list Total entries 2 ...

Страница 105: ... send requests to DHCP servers for configuration parameters and the DHCP servers return the corresponding configuration information such as IP addresses to configure IP addresses dynamically A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Picture 1 1 Figure 15 1 Typical DHCP application 15 2 DHCP IP Address Assignment 15 2 1 IP Address A...

Страница 106: ... client tries to find a DHCP server by broadcasting a DHCP DISCOVER packet Offer In this phase the DHCP server offers an IP address Each DHCP server that receives the DHCP DISCOVER packet chooses an unassigned IP address from the address pool based on the IP address assignment policy and then broadcasts a DHCP OFFER packet to the DHCP client Select In this phase the DHCP client selects an IP addre...

Страница 107: ...fied lease time and will be reclaimed by the DHCP server when the lease expires If the DHCP client wants to use the IP address for a longer time it must update the IP lease By default a DHCP client updates its IP address lease automatically by unicasting a DHCP REQUEST packet to the DHCP server when half of the lease time elapses The DHCP server responds with a DHCP ACK packet to notify the DHCP c...

Страница 108: ...ntify that the DHCP response packet is sent in the unicast or broadcast mode Other bits are reserved ciaddr IP address of a DHCP client yiaddr IP address that the DHCP server assigns to a client siaddr IP address of the DHCP server giaddr IP address of the first DHCP relay that the DHCP client passes after it sent the request packet chaddr Hardware address of the DHCP client sname Name of the DHCP...

Страница 109: ...n other network segments In the process of dynamic IP address assignment through the DHCP relay the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay The following sections only describe the forwarding process of the DHCP relay For the interaction process of the packets see 15 2 2 Obtaining IP Addresses Dynamically The DHCP client broadcast...

Страница 110: ...eration Command Remarks Enter global configuration mode configure terminal Enable DHCP Relay dhcp relay required Enter vlan configuration mode vlan vid required Configure vlan ipaddres interface ip ip mask gateway required Configure vlan DHCP server dhcpserver ip backupip ip required ...

Страница 111: ...ress To ensure that the DHCP clients obtain IP addresses from valid DHCP servers you can specify a port to be a trusted port or an untrusted port by the DHCP snooping function Trusted ports can be used to connect DHCP servers or ports of other switches Untrusted ports can be used to connect DHCP clients or networks Untrusted ports drop the DHCP ACK and DHCP OFFER packets received from DHCP servers...

Страница 112: ... DHCP Client number connected to switch port dhcp snooping max clients 0 2048 By default the max DHCP Client number connected to switch port is 2048 Enter VLAN mode vlan vlan_list Configure max DHCP Client number in specified VLAN dhcp snooping max clients 0 2048 By default the max DHCP Client number in specified VLAN is 2048 16 3 2 Configure IP Source Guard IP Source Guard provides source IP addr...

Страница 113: ...and Debugging DHCP Snooping After the above configurations you can verify the configurations by executing the show command in any configurationw mode Table 16 4 Displaying and Debugging DHCP Snooping Operation Command Display DHCP Snooping clients show dhcp snooping clients Display DHCP Snooping status in interface show dhcp snooping interface ethernet device num 0 slot num 0 2 port num 1 48 Displ...

Страница 114: ...following commands are performed in Switch acting as a DHCP Snooping device A Enter global configuration mode Switch configure terminal Switch config B Enable DHCP Snooping Switch config dhcp snooping Config DHCP Snooping successfully C Enter interface configuration mode of Ethernet0 0 1 Switch config interface ethernet 0 0 1 D Set Ethernet0 0 1 to be Trust Switch config if ethernet 0 0 1 dhcp sno...

Страница 115: ...the DHCP client and is usually configured on the DHCP relay Generally sub option 1 and sub option 2 must be used together to identify information about a DHCP source Sub option 2 A sub option of option 82 Sub option 2 represents the remote agent ID namely Remote ID It holds the MAC address of the DHCP relay and is usually configured on the DHCP relay Generally sub option 1 and sub option 2 must be...

Страница 116: ... disabled Configure the strategy for the DHCP relay to process request packets containing option 82 dhcp option82 strategy drop keep replace By default the DHCP relay replaces the option 82 carried by a DHCP request packet with its own option 82 17 2 2 Displaying and Debugging DHCP Option82 Table 17 2 Displaying and Debugging DHCP Option82 Operation Command Display DHCP option82 show dhcp option82...

Страница 117: ... does not match the ACL ACL according to application identified by ACL numbers fall into three categories Basic ACL Source IP address Extended ACL Source IP address destination IP address protocol carried on IP and other Layer 3 or Layer 4 protocol header information Layer 2 ACL Layer 2 protocol header fields such as source MAC address destination MAC address 802 1p priority and link layer protoco...

Страница 118: ...ig show access list config 1 Standard IP Access List 1 match order is auto 2 rule 0 permit 1 1 1 1 0 0 0 0 1 deny any Notes ACL must enable Switches must obey first enable then active Please refer to Chapter 1 6 for detailed configuration 18 1 2 Switch Support ACL Switch support ACL as below Basic ACL Extended ACL Layer 2 AC 18 2 Configuring Time Range There are two kinds of configuration configur...

Страница 119: ...ime range test from 00 00 01 01 2004 to 23 59 12 31 2004 command Compound time range created using the time range time name start time to end time days from time1 date1 to time2 date2 to time2 date2 command A time range thus created recurs on the day or days of the week only within the specified period For example to create a time range that is active from 12 00 to 14 00 on Wednesdays between Janu...

Страница 120: ...time range that is active from 8 00 to 18 00 every working day Switch configure terminal Switch config time range b Config time range successfully Switch config timerange b periodic weekdays 8 00 00 to 18 00 00 Config periodic range successfully Switch config timerange b show time range name b Current time is 02 47 56 2009 01 31 Saturday time range b Inactive periodic weekdays 08 00 to 18 00 18 3 ...

Страница 121: ...access list standard name match order config auto optional by default system is config Define basic ACL and enter configuration mode access list standard name required Configure ACL rule permit deny source IPv4 v6 source wildcard any ipv6any time range name required 18 3 2 Configuration Examples Define a basic ACL with number mark to deny packet with source IP 10 0 0 1 Switch configure terminal Sw...

Страница 122: ...ildcard any ipv6any port portmask dest IPv4 v6 dest wildcard any ipv6any port portmask precedence precedence tos tos dscp dscp time range name required Table 18 5 Configure extended ACL based on name identification Command Operation Remark Enter global configuration mode configure terminal Define subitem match rule access list extended name match order config auto optional by default system is con...

Страница 123: ...ard is 0 the host address dest wildcard any Any is any destination address port TCP UDP port number precedence precedence priority precedence message IP precedence values range from 0 to 7 tos tos tos priority packets ToS priority ranges from 0 to 15 dscp dscp DSCP priority Rule applies only to non first fragment packet effective Level ranges from 0 to 63 fragment fragmentation information time ra...

Страница 124: ...mode configure terminal Define sub item match rule access list num match order config auto optional by default system is config Define Layer 2 ACL access list num permit deny protocol cos vlan pri ingress source vlan id source mac addr source mac wildcard interface interface num any egress dest mac addr dest mac wildcard interface interface num cpu any time range name required Table 18 8 Configure...

Страница 125: ...tch obey the rule of First enable then active Table 18 9 Activate ACL Command Operation Remark Enter global configuration mode configure terminal Active ACL access group ip group name num subitem num link group name num subitem num required 18 6 1 Configuration Examples Switches only permit with source IP address 1 1 1 1 Before configuration Switch config show access list config 2000 Standard IP A...

Страница 126: ...uration steps Switch config access list 2000 permit 1 1 1 1 0 Switch config access list 4000 permit ingress 00 00 00 00 00 01 0 interface ethernet 0 0 1 egress any Switch config access group ip group 2000 link group 4000 18 7 Displaying and Debugging ACL After finishing above configuration you can see configuration as below commands Table 18 10 Display and debug ACL Command Operation Remark Displa...

Страница 127: ...storm control is Disable 19 2 Storm Control Configuration 19 2 1 Configure Storm Control Storm Control configuration is configured in global configuration mode and enable disable in interface configuration mode that is administrator can enable it per port Table 19 1 Configure Storm control Operation Command Remarks Enter global configuration mode configure terminal Configure storm control type Sto...

Страница 128: ...ble 19 2 Storm control monitor and maintenance Operation Command Remarks Show interface show interface ethernet slot port On any configuration mode Note If there is no configuration for storm control there will be no info show for that ...

Страница 129: ...very independent LAN and many LAN in the form of Ethernet have become a part of internet With the development of Ethernet technology Ethernet connecting will become one of main connecting for internet users To execute end to end QoS solution has to consider the service guarantee of Ethernet QoS which needs Ethernet device applies to Ethernet technology to provide different levels of QoS guarantee ...

Страница 130: ...ag including 8 formats gives the precedence to forward the packets Table 20 1 Description on 802 1Q values Cos decimal Cos binary Descrption 0 000 spare 1 001 background 2 010 best effort 3 011 excellent effort 4 100 controlled load 5 101 video 6 110 voice 7 111 network management 2 IP precedence TOS precedence and DSCP values The TOS field in the IP header contains eight bits the first three bits...

Страница 131: ...gure 20 3 DSCP values In a network in the Diff Serve model traffic is grouped into the following classes and packets are processed according to their DSCP values Expedited forwarding EF class In this class packets are forwarded regardless of link share of other traffic The class is suitable for preferential services requiring low delay low packet loss low jitter and high bandwidth Assured forwardi...

Страница 132: ...Filtration Packet filtration is to filtrate service flow such as deny that is deny the service flow which is matching the traffic classification and permit other flows to pass System adopts complicated flow classification to filtrate all kinds of information of service layer 2 packets to deny useless unreliable and doubtable service flow to strengthen network security Two key points of realizing p...

Страница 133: ... Key service possesses an important feature that is require the precedent service to reduce the response delay when network congestion Priority queue divides all packets into 4 levels that is superior priority middle priority normal priority and inferior priority 3 2 1 0 and their priority levels reduce in turn When queue scheduler PQ precedently transmits the packets in superior priority accordin...

Страница 134: ... Protocol System will map between 802 1p protocol priority of packet and hardware queue priority For each packet system will map it to specified hardware queue priority according to 802 1p protocol priority of packet 20 1 13 Slow Mirror Flow mirror means coping specified data packet to monitor interface to detect network and exclude failure 20 1 14 Statistics Based on Flow Statistics based on flow...

Страница 135: ...erminal Configure Two Rate Three Color Marker two rate policer policer id cir cir cbs cbs pir pir pbs pbs color aware drop red optional Enter port configuration mode interface ethernet device slot port optional perform either of the globally and port mode Configure Two Rate Three Color Marker rate limit input output ip group num name subitem subitem link group num name subitem subitem two rate pol...

Страница 136: ...opy to CPU traffic copy to cpu ip group num name subitem subitem link group num name subitem subitem optional 20 2 6 Configuring Traffic Priority Traffic priority configuration is the strategy of remark priority for matching packet in ACL and the marked priority can be filled in the domain which reflects priority in packet head Table 20 10 Configure traffic priority Operation Command remark Enter ...

Страница 137: ... the cos map relationship of hardware priority queue and priority of IEEE802 1p protocol timely when the one to one correspondence shifting By default the cos map relationship of hardware priority queue and priority of IEEE802 1p protocol as below Table 20 12 802 1p and he cos map relationship of hardware priority queue 802 1p hardware priority queue 0 0 1 0 2 1 3 1 4 2 5 2 6 3 7 3 Administrators ...

Страница 138: ...43 2 59 3 12 0 28 1 44 2 60 3 13 0 29 1 45 2 61 3 14 0 30 1 46 2 62 3 15 0 31 1 47 2 63 3 Administrators also change the mapping relationship between DSCP and 8 priority in IEEE 802 1p according to the actual network Table 20 15 Configuring the relation between DSCP and 8 priority in IEEE 802 1p Operation Command remark Enter globally configuration mode configure terminal Startup the relation betw...

Страница 139: ... perform either of the commands Display QoS statistic show qos info statistic Display quue scheduler mode and parameters show queue scheduler Display the cos map relationship of hardware priority queue and priority of IEEE802 1p protocol show queue scheduler cos map Display the dscp map relationship of hardware priority queue and priority of IEEE802 1p protocol show queue scheduler dscp map Displa...

Страница 140: ...ed for calculating spanning trees and maintaining the spanning tree topology Topology change notification TCN BPDUs used for notifying concerned devices of network topology changes if any 21 1 3 Basic concepts in STP Root Bridge A tree network must have a root hence the concept of root bridge has been introduced in STP There is one and only one root bridge in the entire network and the root bridge...

Страница 141: ... network into loop free tree structure 21 1 4 Spanning Tree Interface States Each Layer 2 interface on a switch using spanning tree exists in one of these states Disabled The interface is not participating in spanning tree because of a shutdown port no link on the port or no spanning tree instance running on the port Blocking The interface does not participate in frame forwarding Listening The fir...

Страница 142: ...s to block frame forwarding as the switch learns end station location information for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled 21 2 How STP Works STP identifies the network topology by transmitting configuration BPDUs between network devices Configuration BPDUs conta...

Страница 143: ... BPDU has a lower priority than that of the configuration BPDU generated by the port the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port the device will replace the content of the configuration BPDU generated by t...

Страница 144: ...ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined and does different things according to the comparison result If the calculated configuration BPDU is superior the device will consider this port as the designated port and the configuration BPDU on the port will be replaced ...

Страница 145: ...ice A Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the configuration received message and discards the received configuration BPDU Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is superior to the received configuration BPD...

Страница 146: ...P1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 Device C Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port 2 0 2 CP1 and updates the configuration BPDU of CP1 Port CP2 receives the configuration BPDU of port BP2 of Device B 1 0 1 BP2 before the message was updated Device C finds that...

Страница 147: ...ble above a spanning tree with Device A as the root bridge is stabilized as shown in Figure 21 3 Figure 21 3 The final calculated spanning tree Note To facilitate description the spanning tree calculation process in this example is simplified while the actual process is more complicated 2 The BPDU forwarding mechanism in STP Upon network initiation every switch regards itself as the root bridge ge...

Страница 148: ...new configuration BPDU as the calculation result cannot be propagated throughout the network immediately If the newly elected root port and designated ports start to forward data right away a temporary loop is likely to occur For this reason as a mechanism for state transition in STP a newly elected root port or designated port requires twice the forward delay time before transitioning to the forw...

Страница 149: ... protocol of single spanning tree A switching network only has one spanning tree To guarantee the normal communication inside a VLAN the devices of a VLAN shall have routes to one another on the Spanning Tree otherwise the communication inside the VLAN will be affected if some links inside a VLAN are blocked For some VLAN that cannot be arranged along the spanning tree paths for some special requi...

Страница 150: ...nes this switch can be root or not If this switch is needed to be the root the priority can be configured inferior By default the switch bridge priority is 32768 Table 21 7 Configure STP priority Operation Command Remarks Enter global configuration mode configure terminal Configure STP priority spanning tree priority bridge priority Optional 21 4 4 Configure Time Parameter There are three time par...

Страница 151: ...ive path The path cost is related to the link speed rate The larger the speed rate is the less the cost is STP can auto detect the link speed rate of current interface and converse it to be the cost Configure port path cost will make STP re calculating The value of the path cost is 1 65535 It is suggested using the default value which makes the STP to calculate the current port cost by itself By d...

Страница 152: ... Configure STP mcheck spanning tree mcheck Optional 21 4 8 Configure STP Point to Point Mode In rstp the requirement of interface quickly in transmission status is that the interface must be point to point link not media sharing link It can be specified interface link mode manually and can also judge it by network bridge Table 21 12 Configure STP point to point mode Operation Command Remarks Enter...

Страница 153: ...e configure terminal Enter interface configuration mode interface ethernet interface num Configure STP transit limit spanning tree transit limit transit limit Optional 21 4 11 RSTP Monitor and Maintenance After finishing above configuration user can check the configurations by command below Table 21 15 RSTP monitor and maintenance Operation Command Remarks Show STP interface show spanning tree int...

Страница 154: ...itch B configure Ethernet0 0 1 and Ethernet0 0 2 to be trunk S switch B config interface range ethernet 0 0 1 ethernet 0 0 2 S switch B config if range switchport mode trunk S switch B config if range exit configure S switch B priority to be 4096 to make sure S switch B is bridge Configure cost of Ethernet0 0 1 and Ethernet0 0 2 to be 10 S switch B config spanning tree priority 4096 S switch B con...

Страница 155: ...address 000a 5a13 b13d Configured Hello Time 2 second s Max Age 20 second s Forward Delay 15 second s Root Bridge has priority 0 MAC address 000a 5a13 b13d Path cost to root bridge is 0 Stp top change 3 times Port e0 0 1 of bridge is Forwarding Spanning tree protocol is enabled remote loop detect is disabled The port is a DesignatedPort Port path cost 200000 Port priority 128 root guard enabled an...

Страница 156: ... Time 2 second s Max Age 20 second s Forward Delay 15 second s Message Age 0 sent BPDU 16 TCN 0 RST 17 Config BPDU 0 received BPDU 3 TCN 0 RST 3 Config BPDU 0 S switch B S switch B config show spanning tree interface ethernet 0 0 1 ethernet 0 0 2 The bridge is executing the IEEE Rapid Spanning Tree protocol The bridge has priority 4096 MAC address 0000 0077 8899 Configured Hello Time 2 second s Ma...

Страница 157: ...led remote loop detect is disabled The port is a DesignatedPort Port path cost 10 Port priority 128 root guard disabled and port is not in root inconsistent state Designated bridge has priority 4096 MAC address 0000 0077 8899 The Port is a non edge port Connected to a point to point LAN segment Maximum transmission limit is 3 BPDUs per hello time Times Hello Time 2 second s Max Age 20 second s For...

Страница 158: ...ort Connected to a point to point LAN segment Maximum transmission limit is 3 BPDUs per hello time Times Hello Time 2 second s Max Age 20 second s Forward Delay 15 second s Message Age 0 sent BPDU 3 TCN 0 RST 3 Config BPDU 0 received BPDU 396 TCN 0 RST 396 Config BPDU 0 Port e0 0 2 of bridge is Forwarding Spanning tree protocol is enabled remote loop detect is disabled The port is a RootPort Port ...

Страница 159: ...STP Configuration 159 Forward Delay 15 second s Message Age 1 sent BPDU 8 TCN 0 RST 8 Config BPDU 0 received BPDU 418 TCN 0 RST 418 Config BPDU 0 ...

Страница 160: ... authentication passes this user is allowed to access LAN resources or it will be refused 22 1 1 Architecture of 802 1X 802 1X operates in the typical client server model and defines three entities supplicant system authenticator system and authentication server system as shown in figure 1 1 Supplicant system A system at one end of the LAN segment which is authenticated by the authenticator system...

Страница 161: ...authentication request of the authenticator PAE and provides authentication information The supplicant PAE can also send authentication requests and logoff requests to the authenticator 2 Controlled port and uncontrolled port An authenticator provides ports for supplicants to access the LAN Each of the ports can be regarded as two logical ports a controlled port and an uncontrolled port The uncont...

Страница 162: ... Request packet to the authentication server 5 When receiving the RADIUS Access Request packet the RADIUS server compares the identify information against its user information table to obtain the corresponding password information Then it encrypts the password information using a randomly generated challenge and sends the challenge information through a RADIUS Access Challenge packet to the authen...

Страница 163: ...g RADIUS Server RADIUS server saves valid user s identity When authentication system transfers user s identity to RADIUS server and transfer the validation to user User accessing to system can access LAN resources after authentication of RADIUS server Table 22 1 Configure RADIUS server Operation Command Remark Enter global configuration mode configure terminal Enter AAA mode aaa required Enter RAI...

Страница 164: ...ault Domain scheme scheme local radius local required choice RADIUS name radius host binding radius name optional configure access limit users access limit enable number disable optional active the state state active block required 22 2 4 Configuring RADIUS Features Configuring RADIUS some compatible or special features as below Table 22 4 Configure RADIUS features Operation Command Remark Enter g...

Страница 165: ... you can modify the properties of numbers Port PVID radius vlan enable optional This feature is turned on if the user authentication passes it will be modified by the user where port PVID is This function is fixed by the Tunnel Pvt Group ID attribute names which requires a string of the property value this string for the VLAN by name descriptor matches the VLAN value Limit port of MAC address numb...

Страница 166: ...er a supplicant or the authenticator system A supplicant can initiate authentication by launching the 802 1x client software to send an EAPOL Start frame to the authenticator system while an authenticator system can initiate authentication by unsolicitedly sending an EAP Request Identity packet to an unauthenticated supplicant Table 22 5 Configure EAP Operation Command Remark Enter global configur...

Страница 167: ... After the user is authenticated the port can be configured to immediately re certification or periodic re certification Table 22 8 Configure re authentication operation Command Remarks Enter global configuration mode configure terminal Immediately re certification dot1x re authenticate interface list Optional Periodic re authentication enabled on a port dot1x re authentication interface list Opti...

Страница 168: ...Operation Command Remarks Enter global configuration mode configure terminal Configuration allows the maximum number of users through the authentication dot1x max user interface list Optional Deletes the specified users online dot1x user cut username name mac address mac vlan vid Optional Open heartbeat detection dot1x detect interface list Optional Heartbeat detection time configuration dot1x det...

Страница 169: ...his avoids proliferation and infinite recycling of packets that would occur in a loop network and prevents deterioration of the packet processing capability of network devices caused by duplicate packets received The multiple spanning tree protocol MSTP overcomes the shortcomings of STP and RSTP In addition to support for rapid network convergence it also allows data flows of different VLANs to be...

Страница 170: ...All are MSTP enabled They have the same region name They have the same VLAN to instance mapping configuration They have the same MSTP revision level configuration and They are physically linked with one another Multiple MST regions can exist in a switched network You can use an MSTP command to group multiple devices to the same MST region 2 CIST Jointly constituted by ISTs and the CST the CIST is ...

Страница 171: ...e spanning tree can exist in each MST region each spanning tree corresponding to a VLAN These spanning trees are called MSTIs 6 CIST root bridge CIST root The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the MST or that MSTI Based on the topology different spanning trees in an MST region may have different regional roots 7 CIST External root path cost Exter...

Страница 172: ... port backup port and so on 1 Root port a port responsible for forwarding data to the root bridge Figure 23 2 Root port 2 Designated port a port responsible for forwarding data to the downstream network segment or device Figure 23 3 Designated port 3 Alternate port The standby port for the root port or master port When the root port or master port is blocked the alternate port becomes the new root...

Страница 173: ...ted the device will block either of the two ports and the backup port is that port to be blocked Figure 23 5 Backup port 5 A master port connects an MST region to the common root The path from the master port to the common root is the shortest path between the MST region and the common root In the CST the master port is the root port of the region which is considered as a node The master port is a...

Страница 174: ...running RSTP During MSTP calculation a boundary port assumes the same role on the CIST and on MST instances Namely if a boundary port is the master port on the CIST it is also the master port on all MST instances within this region 7 Edge Port In RSTP and MSTP protocols edge port means that connect to host port in the network these ports can be in a forwarding status and not be a loopback without ...

Страница 175: ...the CIST topology change confirmation consent forwarding learning port role suggested that the topology change state 1 byte CIST Root Identifier CIST root bridge s unique identifier by the CIST root bridge of It is the similar of FoxGate region and red region of the message format and SST Version 3 Length indicates the length of the blue area Version 3 Length indicates the length of the blue area ...

Страница 176: ... Discarding to Learning from Learning to Forwarding protocol timer time in the network topology changes be as the dynamic filtering database entry aging time Version 1 Length additional information is fixed at 0 1 byte Version 3 Length instructions from the MST BPDU configuration identification to the end of length of the packet 2 bytes MST Configuration Identifier MST configuration identification...

Страница 177: ...ng tree priority vector The following part introduces how to calculate the CIST priority vectors and MSTI priority vectors The CIST priority vector consists of common root bridge external root path cost regional root internal root path cost designated bridge ID designated port ID and the BPDU receiving port ID 1 Detailed as below 2 CIST root id 3 CIST external root path cost 4 CIST regional root i...

Страница 178: ...root path cost is 1 Therefore the bridge 8 MST CIST bridge priority vector update MST bridge 1 1 MST Bridge 8 0 MST Bridge 8 MST bridge 8 port x is the CIST root port MST CIST bridge priority bridge 9 level vector update MST bridge 1 1 MST Bridge 9 0 MST Bridge 9 Similarly MST bridge port 3 f is the CIST root port 2 The election of each domain CIST regional root bridge IST root bridge CIST root po...

Страница 179: ...n the MST received the CIST bridge priority vector 7 MST Bridge 7 0 MST Bridge 7 0 MST bridge 7 u better do not update the port s of information Then MST Bridge 9 r and s with CIST port priority vector comparison the election for the Region 3 MST bridge 8 the CIST regional root bridge MST Bridge 9 port r is the CIST root port Assuming MST Bridge 9 CIST internal root path cost is 1 then the informa...

Страница 180: ...MSTI Priority Vectors MSTI elections and the electoral process similar to the single spanning tree MSTI priority vector is used to compare the election Figure 23 10 To Region 3 as an example MSTI1 formation as shown in Figure 23 10 Assuming the bridge priority MST bridge 9 MST bridge 8 MST bridge 7 The path cost of all ports is 1 1 MSTP domain root bridge election MST Bridge 7 Bridge highest prior...

Страница 181: ...state Figure 23 11 To Region 3 as an example MSTI2 formation as shown in Figure 23 11 Assuming the bridge priority MST bridge 8 MST bridge 7 MST bridge 9 The path cost of all ports is 1 1 MST Bridge 9 Bridge highest priority was selected MSTI regional root bridge 2 MST bridge 7 and 8 of the MSTI internal root path cost is 1 port t and w are MSTI root port 3 MST was selected as the LAN Bridge 9 J a...

Страница 182: ...inimum cost path 4 Each MSTI will be an independent choice of a switch as the MSTI regional root 5 Each switch within the region and will determine the LAN segment where the MSTI root to reach the path of least cost 6 CIST Root Port provided through the CIST regional root if not the CIST regional root switch to reach the CIST root if not the CIST root switch with minimum cost path 7 Alternate and ...

Страница 183: ...on MST region and SST fields between the edge of the port on the MSTP processing is slightly more complicated When the edge of the other switch port receives STP BPDU sent by the time the port will enter the STP compliant state sending STP BPDU When the edge of the port when the received RSTP BPDU the port will enter the RSTP compatible state but still send MSTP BPDU Because RSTP to consider when ...

Страница 184: ...nal 23 4 13 Display and maintain MSTP optional 23 4 14 23 4 2 Enabling MSTP After the tree starts to give birth to a global default for all ports will participate in the spanning tree topology is calculated if an administrator wants some of the port does not participate in the calculation of the production tree or go to the specified port configuration mode use the no spanning tree to disable the ...

Страница 185: ...oduce temporary redundant paths if the Forward Delay configuration is too large the network may not be a long time to restore connectivity Forward Delay value range is 4 to 30 seconds it is recommended to use the default value of 15 seconds Forward Delay time must be greater than equal to the Hello Time 2 Max Age is used to set the MSTP protocol packet aging longest interval if the timeout it disc...

Страница 186: ...elected as the spanning tree root bridge By configuring the bridge priority of the smaller you can specify a switch to become the spanning tree root bridge purposes By default the switch bridge priority is 32768 Table 23 5 Configure MSTP bridge priority Operation Command Remark Enter global configuration mode configure terminal Configure MSTP instance priority spanning tree mst instance instance n...

Страница 187: ...ing tree mst link type point to point forcefalse Optional 23 4 8 Configuring Path Cost Port path cost is divided into internal and external costs to spend the former is based on the configuration parameters for each instance of MSTP each MSTP region to determine the topology of different instances which is unrelated to an instance of the parameters used to determine each region of the topology com...

Страница 188: ...rt configuration mode interface ethernet interface num Configure port priority spanning tree mst instance instance num port priority priority Optional 23 4 10 Configuring Root Port Protection As the maintenance of configuration errors or malicious network attacks network valid root bridge may receive a higher priority configuration information so the root bridge will lose the current status of the...

Страница 189: ...om the same packet in an MST region while the configuration summary record when BPDU packets sent to these manufacturer s switches the switch configuration summary to supplement it This switch is realized and the manufacturer s switches in the MSTP region exchange Table 23 11 Configure digest snooping port Operation Command Remark Enter global configuration mode configure terminal Enter port confi...

Страница 190: ...nce is enabled Operation Command Remark Enter global configuration mode configure terminal Does not enable MSTP instance spanning tree mst disable instance instance number Optional Enable MSTP instances no spanning tree 23 4 14 Displaying and Maintain MSTP After completing the above configuration can use the following command to view configuration RSTP Table 23 14 Display MSTP and maintain Operati...

Страница 191: ...receives packet from server passively In anycast mode client actively sends request to local broadcast or multicast address and all servers in the network will reply to the client Client will choose the server whose reply packet is first received to be the server and drops packets from others After choosing the server working mode is the same as that of the unicast In all modes after receiving the...

Страница 192: ...ators can modify SNTP operating mode according to the network unicast multicast broadcast or anycast Table 24 3 modifying SNTP client operating mode Operation Command Remark Enter globally configuration mode configure terminal modifying SNTP client Operation mode sntp client mode broadcast unicast multicast anycast key key optional by default SNTP client works in broadcast mode 24 2 4 Configuring ...

Страница 193: ...ast message SNTP client needs configure the sending multicast TTL when working both in the any cast and in the request way of forwarding the multicast address Table 24 6 Configure multicast TTL Operation Command Remark Enter globally configuration configure terminal Configure multicast TTL sntp client multicast ttl ttl optional By default sending multicast TTL is 255 24 2 7 Configuring Interval Po...

Страница 194: ...st mode SNTP client receives protocol packets from all servers without distinction When there is malice attacking server it will not provide correct time local time cannot be the standard time To solve this problem a series of valid servers can be listed to filtrate source address of the packet Table 24 9 Configure valid server Operation Command Remark Enter globally configuration mode configure t...

Страница 195: ... Client After finishing above configuration you can use below Commands to show SNTP client configuration Table 24 11 Displaying and maintain SNTP client Operation Command Remark Display and maintain SNTP client show sntp client Perform either of the Commands ...

Страница 196: ...blic key in a randomly generated RSA key pair to the client The client figures out session key based on the public key from the server and the random number generated locally The client encrypts the random number with the public key from the server and sends the result back to the server The server then decrypts the received data with the server private key to get the client random number The serv...

Страница 197: ... Use this command in privileged mode Load upload the key public or private through TFTP load upload keyfile private public TFTP A B C D file_name Use this command in privileged mode Load upload the key public or private through FTP load upload keyfile private public FTP A B C D file_name Username Password Use this command in privileged mode Show SSH show ssh Show SSH key show keyfile public privat...

Страница 198: ... encoded by Base64 coding without and space Public key cannot be in private keyfile and private keyfilecannot be encrypted by password 25 4 SSH Server Configuration Example 25 4 1 Use Default Key 1 Network requirements As shown in Figure 25 1 The PC SSH Client runs the client software which supports SSHv2 0 establish a local connection with the switch SSH Server and ensure the security of data exc...

Страница 199: ...ork diagram for SSH server configuration 3 Configuration procedure Use key generated tool to generate a pair of RSA key as Figure 1 3 Figure 25 3 Example of correct private key form Load key Switch load keyfile private tftp 1 1 1 1 private ppk SSH key file will be updated are you sure y n n y Loading SSH key file via TFTP Load SSH key file via TFTP successfully Switch load keyfile public tftp 1 1 ...

Страница 200: ...TDZ LEKEMEXGK8CfM6nXPZQ a3Fmx6RjgHuI9Ey09bD9HvKZDnh9pSuoi8pL1XniFFVV0SSJAAAAQQD1WXgoFLCM uDsHA Ysls6nqRzAYjCvPyt8PVpjuz7CETO4Ii5Zxo jhey6qtEmSvdfYo dxSzx BEodj rrnWGHAAAAQQCl2QrR5hZvY cM1DDxhTFjPkNiuXrCGdYEYpPbws5jxJTl wtYpyW5yisImMxc5WpVVNGNukww2iNbuzQxO8XtzAAAAQBaM4z8kTff8SMpc60vL q9rjapCTrfPU9QN0I00LiILO3ju2E0dgrK1qF00QA1o2AMcfA Hp1HBHY424fTRx FJ0 Private MAC 37b49b5d489ff022fa3de91b2330fd89a74...

Страница 201: ...to sections by command configuration mode The commands that are of the same configuration mode are grouped into one section Sections are separated by empty lines or comment lines A line is a comment line if it starts with the character The sections are listed in this order system configuration section physical port configuration section logical interface configuration section routing protocol conf...

Страница 202: ...e mode Prompts for not executable command during execution Line xxxx invalid s Cannot execute Line xxxx failed s Execution failed Line xxxx failed too long command s Not execute command which is beyond 512 characters xxxx means the line number of the command s means command characters Not executable command includes commands with grammar error and unmatched mode Show saved configuration show start...

Страница 203: ...nt 203 The system software does not match the configuration file after the software of the Ethernet switch is updated The configuration files in the Flash are damaged The common reason is that wrong configuration files are loaded ...

Страница 204: ...You can load software locally by using XMODEM through Console port TFTP through Ethernet port FTP through Ethernet port You can load software remotely by using FTP TFTP Note The BootROM software version should be compatible with the host software version when you load the BootROM and host software 27 2 Local Software Loading If your terminal is directly connected to the switch you can load the Boo...

Страница 205: ...tarts to transmit data packets When receiving a complete packet the receiving program checks the packet using the agreed method If the check succeeds the receiving program sends an acknowledgement character and the sending program proceeds to send another packet otherwise the receiving program sends a negative acknowledgement character and the sending program retransmits the packet 27 2 1 2 Loadin...

Страница 206: ...ROM and Host Software Loading 206 FIgure 27 1 Choose Transfer Send File FIgure 27 2 Send file dialog box Step 3 Click Send The system displays the page as shown in Figure 27 3 FIgure 27 3 Sending file page ...

Страница 207: ...ing instead of BootROM loading 27 2 2 Loading Software Using TFTP through Ethernet Port 27 2 2 1 Introduction to TFTP TFTP one protocol in TCP IP protocol suite is used for trivial file transfer between client and server It uses UDP to provide unreliable data stream transfer service 27 2 2 2 Loading BootROM software FIgure 27 4 Local loading using TFTP Step 1 As shown in Picture 27 4 connect the s...

Страница 208: ...llowing information Download wholeBootRom successfully Update BootRom successfully Download BootRom via TFTP successfully 27 2 2 3 Loading host software The subsequent steps are the same as those for loading the BootROM program except that the system gives the prompt for host software loading instead of BootROM loading Caution When loading BootROM and host software using TFTP you are recommended t...

Страница 209: ...ollowing FTP related parameters as required Switch load whole bootrom ftp ftpserver ip filename Caution Load File name bootrom bin Switch IP address A B C D Server IP address A B C E Step 4 Press Enter The system displays the following information Are you sure to update your bootrom Yes or No Y N Step 5 Enter Y to start file downloading or N to return to the Bootrom update menu If you enter Y the ...

Страница 210: ...sed as both the configuration device and the FTP server You can telnet to the switch and then execute the FTP commands to download the BootROM program bootrom bin from the remote FTP server with an IP address 10 1 1 1 to the switch FIgure 27 6 Remote loading using FTP Step 1 Open FTP software and set host IP address to be 10 1 1 1 Set the username and password Note When using different FTP server ...

Страница 211: ...name hour minute By default it is the UTC time zone 28 2 SNMP 28 2 1 SNMP Overview By far the simple network management protocol SNMP has gained the most extensive application in the computer networks SNMP has been put into use and widely accepted as an industry standard in practice It is used for ensuring the transmission of the management information between any two nodes In this way network adm...

Страница 212: ...dopts user name and password authentication SNMP V1 and SNMP V2C adopt community name authentication The SNMP packets failing to pass community name authentication are discarded The community name is used to define the relation between SNMP NMS and SNMP Agent The community name can limit access to SNMP Agent from SNMP NMS functioning as a password You can define the following features related to t...

Страница 213: ...ew view name Configure system administrator s contact snmp server contact syscontact If there is space in the syscontact keywords it should be quoted by quotation mark Enable destination host address snmp server host host addr version 1 2c 3 auth noauthpriv priv community string udp port port notify type notifytype list The community name in snmp server host version should not be empty Configure s...

Страница 214: ... user username groupname remote host udp port port auth md5 sha authpassword encrypt authpassword authpassword authpassword authkey encrypt authkey authkey authkey priv des privpassword encrypt privpassword privpassword privpassword privkey encrypt privkey privkey privkey There are three default users 1 initialmd5 HMACMD5AuthProtocol 2 initialsha HMACSHAAuthProtocol 3 initialnone NoauthProtocol At...

Страница 215: ...e community name and access authority administrator ID contact and switch location and enabling the switch to sent trap packet 28 2 4 2 Network diagram FIgure 28 2 Network diagram for SNMP 28 2 4 3 Network procedure Set the community name group name and user Switch config snmp server community FoxGate ro permit Switch config snmp server group grp1 1 read internet write internet notify Internet Swi...

Страница 216: ... You can use the tracert command to trace the gateways a packet passes during its journey from the source to the destination This command is mainly used to check the network connectivity It can help you locate the trouble spot of the network The executing procedure of the tracert command is as follows First the source host sends a data packet with the TTL of 1 and the first hop device returns an I...

Страница 217: ...m Layer 2 packet forwarding Each entry in a MAC adress table contains the following fields Destination MAC address ID of the VLAN which a port belongs to Forwarding port number Upon receiving a packet a switch queries its MAC address table for the forwarding port number according to the destination MAC address carried in the packet and then forwards the packet through the port The dynamic address ...

Страница 218: ... address to the MAC address table through address learning After that the switch can directly forward other packets destined for the same network device by using the newly added MAC address entry If the destination device does not respond to the packet this indicates that the destination device is unreachable or that the destination device receives the packet but gives no response In this case the...

Страница 219: ...Basic System Configuration Debugging 219 Note The switch learns only unicast addresses by using the MAC address learning mechanism but directly drops any packet with a broadcast source MAC address ...

Страница 220: ... from the MAC addresses contained in blackhole MAC address entries Permanent MAC address entry This type of MAC address entries own the same features as the static MAC address entries but it will be reserved at reboot if the configuration is saved Table 29 1 lists the different types of MAC address entries and their characteristics MAC address entry Configuration method Aging time Reserved or not ...

Страница 221: ...ment effective MAC address aging The aging time that is too long or too short results in a large amount of broadcast packets wandering across the network and decreases the performance of the switch If the aging time is too long excessive invalid MAC address entries maintained by the switch may fill up the MAC address table This prevents the MAC address table from varying with network changes in ti...

Страница 222: ...d in both global configuration mode and interface configuration mode By default this function is enabled Set the maximum number of MAC addresses the port can learn mac address table max mac count max mac count By default the number of the MAC addresses a port can learn is not limited 29 1 1 2 Displaying and Maintaining MAC Address Table Configuration To verify your configuration you can display in...

Страница 223: ...address table configuration Configuration procedure Add a MAC address with the VLAN ports and states specified Switch config mac address table static 00 01 fc 00 0c 01 interface ethernet 0 0 2 vlan 1 Add ARL table entry successfully Set the aging time of dynamic MAC addresses to 500 seconds Switch config mac address table age time 500 Config MAC address table aging time successfully Display the in...

Страница 224: ...on unknown packet dlf forward multicast unicast By default destination unknown unicast and multicast packets will be transferred This command can be used in both global configuration mode and interface configuration mode Configure whether to transmit BPDU packet discard bpdu By default all BPDU packets will be transferred Enable loopback test loopback internal external This command can be used in ...

Страница 225: ...telnet client telnet ip addr port num localecho By default port num is 23 and local echo is disabled Configure the number of user permitted by telnet login access list telnet limit limit no By default the number of max permitted user is 5 Force telnet client to stop stop telnet client all term id Only the super admin administrator can use this command Display telnet client show telnet client 29 3 ...

Страница 226: ... be used in the command generated by de compilation Configure the syslog level for sending mail alarm mailalarm logging level level By default the syslog level is 0 The syslog whose level is lower than configured will be sent by email Display mail alarm info show mailalarm 29 3 6 Anti Dos Attack The IP fragment packet number the system can receive does not occupy the all received packet resources ...

Страница 227: ...stem Display memory info show memory Display system clock show clock Display cpu utilization show cpu utilization Display cpu car value show cpu car Display packet statistics sent to cpu show cpu statistics Clear packet statistics sent to cpu clear cpu statistics Display L3 table of all L3 interfaces or of specific IP show ip fdb ip ip address mask Display dhcp server client info show dhcp server ...

Страница 228: ...o time After receiving neighbor s advertisement LLDP device will read the advertisement content and save in LLDP neighbor table LLDP neighbor table can be aged with TTL value being aging time If neighbor s LLDP advertisement cannot be received within aging time the neighbor entry will be removed LLDP timer Hello time The time interval for sending LLDP packet Hold time LLDP aging time granularity f...

Страница 229: ...ime lldp hello time 5 32768 s Optional 30 2 4 Configure LLDP Hold Time By default LLDP Hold time is 4S Perform following command in global configuration mode Table 30 4 Configure LLDP Hold time Operation Command Description Configure LLDP Hello time lldp hold time 2 10 s Optional 30 2 5 Configure LLDP Packet Transferring and Receiving Mode on Port There are three types of mode Rx receiving only Tx...

Страница 230: ...iguration mode 30 2 7 Configuration Example Network requirements Device S1 and S2 inform their own information through LLDP Network diagram Figure 30 1 LLDP Network diagram Configuration procedure Configure in S1 Switch config lldp Configure in S2 Switch config lldp Execute show lldp command in any switch followings will show Switch config sh lldp interface ethernet 0 0 7 System LLDP enable LLDP h...

Страница 231: ...t e0 0 7 System Name Switch S6424 S2C2 System Description S6424 S2C2 Switch Port Description NULL Management Address 1 1 1 33 Port Vlan ID 1 Port SetSpeed auto Port ActualSpeed FULL 1000 Port Link Aggregation support not in aggregation ...

Страница 232: ...ntain the set point Maintenance set to maintain the domain name maintenance set name to identify Maintain set service on a VLAN to maintain focus on the maintenance point of sending packets of the band are the VLAN tag at the same time maintaining focus on the maintenance point can receive by maintaining focus on its maintenance point sent the message Maintenance point Maintenance points configure...

Страница 233: ...ifferent device to maintain the same name Required monitoring of VLAN determine the set of maintenance within the maintenance domain Determine the maintenance set name the same maintenance domain within the same set on different devices to maintain the same name That the same maintenance domain within the same set of maintenance to maintain a list of endpoints in the different devices should remai...

Страница 234: ...u can specify a different domain for each maintenance of domain names the name by the name of the format and content of two parts the whole network a unique domain name is best to show nested relationship between the maintenance domain must also designated to maintain the domain level only the level of maintenance of large domain nested level can only be a small maintenance domain Table 31 5 Confi...

Страница 235: ... ensure that all network only Table 31 7 Configuration name and the associated VLAN to maintain set Operation Command Remarks Enter global configuration mode configure terminal To maintain the domain configuration mode to enter cfm md md index Enter the configuration mode set to maintain cfm ma ma index The name of the configuration set and maintain the VLAN associated with the main cfm ma format ...

Страница 236: ... configure terminal To maintain the domain configuration mode to enter cfm md md index Enter the configuration mode set to maintain cfm ma ma index Creating remote maintenance end point and specify the end of its peer MEPs cfm rmep rmep id mep mep id Required 31 2 8 Configuring MIPs MIPs used to test the response of CFM message the user can program the network device or in non border ports configu...

Страница 237: ...ust be the same 31 2 10 Configure Loopback By configuring the loopback function you can check the source to the target MEPs MEPs or MIPs link between the situations in order to achieve the link connectivity verification Table 31 12 Configure loopback Operation Command Remarks Enter global configuration mode configure terminal To maintain the domain configuration mode to enter cfm md md index Enter...

Страница 238: ...completing the above configuration you can use the following command to display the CFM configuration Table 31 14 Display and maintenance of the CFM Operation Command Remarks The Maintenance domain information show cfm md md index Perform either of the commands The Maintenance Set Information show cfm ma Display the end point of maintenance information show cfm mp local Remote maintenance point in...

Страница 239: ... the superior one will be the master interface There must be trap alarm when master or backup link default Flex Link is dedicated to dual uplink networks It delivers the following benefits Keeping one uplink connected and the other blocked when both uplinks in a dual uplink network are healthy thus preventing broadcast storms caused by network loops Switching the traffic to the backup link within ...

Страница 240: ... link group is a port role specified using commands It can be an Ethernet port electrical or optical or an aggregate interface As shown in Figure 32 1 the active port in the Flex link group configured on Switch D is the master port GigabitEthernet 1 0 1 while that in the Flex link group on Switch E is the slave port GigabitEthernet 1 0 2 Although GigabitEthernet 1 0 1 of Switch E is blocked it is ...

Страница 241: ...is section uses the network shown in Figure 32 2 to describe the Flex link mechanism as the link status transiting from normal to faulty and then to recovery Figure 32 2 Flex Link application scenario 32 1 2 1 Link Normal Operating GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of Switch A form a Flex link group with the former as the master port and the latter as the slave port When both uplinks...

Страница 242: ...ving port After that when Switch D receives a data packet destined for Host A Host B Host C switch D will broadcasts the packet at Layer 2 Switch C will search MAC address table after receiving it and forward it to Switch A from GE1 0 2 Switch A forward it to Host A Host B Host C In this way data traffic can be forwarded correctly Tis mechanism will update MAC address without waiting for entry age...

Страница 243: ...32 2 4 Configure Flex links MMU Optional 32 2 5 Flex Links monitor and maintainenance Optional 32 2 6 32 2 2 Configure Flex Links group Configuring Flex Links group needs specify master and slave port If master port is ethernet port the configuration should be in interface configuration mode if master port is channel group port member the configuration should be in global configuration mode Table ...

Страница 244: ... channel group num ber_2 is slave port Enter interface configuration mode interface ethernet device slot port_1 Configure Flex Links preemption mode switchport backup interface device slot port_2 channel group channel group number_2 preemption mode Forced Bandwidth Off port_1 is master port port_2 channel group num ber_2 is slave port 32 2 4 Configure Flex Links Preemption Delay After configuring ...

Страница 245: ...iving port This function is disabled by default Table 32 5 Configure Flex links MMU Operation Command Remarks Enter global configuration mode configure terminal Configure Flex links MMU mac address table move update transmit receive port_1 is master port port_2 channel group number_2 is slave port 32 2 6 Flex Links Monitor and Maintenance After finishing above configuration user can check the conf...

Страница 246: ... and rapid convergence However when the link on which the uplink port GigabitEthernet 1 0 1 of Switch B resides fails link switchover will not happen in the Flex link group configured on Switch A because the link on which the master port GigabitEthernet 1 0 1 resides is healthy But in fact traffic of Switch A can no longer reach Switch D through GigabitEthernet 1 0 1 and the traffic is thus interr...

Страница 247: ...net port electrical or optical or an aggregate interface As shown in Figure 33 2 GigabitEthernet 1 0 1 of Switch A is the only uplink port of the monitor link group configured on the device For a monitor link group that has multiple uplink ports as long as at least one of its uplink ports is in the forwarding state the monitor link group is up However when all uplink ports of the monitor link grou...

Страница 248: ...he hosts a Flex link group is configured on Switch A GigabitEthernet 1 0 1 is the master port of the Flex link group and is in the forwarding state GigabitEthernet 1 0 2 is the slave port Figure 33 3 Monitor Link mechanism To avoid traffic interruption due to the failure of the link on which GigabitEthernet 1 0 1 of Switch B resides configure a monitor link group on Switch B and specify GigabitEth...

Страница 249: ...mode Table 33 2 Configure Monitor Links group Operation Command Remarks Enter global configuration mode configure terminal Monitor Link for channel group channel group channel group number monitor link group group ID uplink downlink Delete channel group from Monitor Link group No channel group channel group number monitor link group group ID uplink downlink Optional Enter interface configuration m...

Страница 250: ...edure Device C Disable STP on GE1 0 1 and GE1 0 2 configure them as Trunk Device C config interface range ethernet 1 0 1 ethernet 1 0 2 Device C config if range no spanning tree Device C config if range switchport mode trunk Device C config if range exit Configure Flex Links group GE1 0 1 is the master port and GE1 0 2 is the slave port The preemption is role preemption and the delay is 5s Device ...

Страница 251: ...igure GE1 0 1 and GE1 0 2 to be Trunk and enable MMU packet receiving Device A config interface range ethernet 1 0 1 ethernet 1 0 2 Device A config if range switchport mode trunk Device A config if range exit Device A config mac address table move update receive Device B Configure GE1 0 1 and GE1 0 2 to be Trunk and enable MMU packet receiving Device B config interface range ethernet 1 0 1 etherne...

Страница 252: ...e MMU packet receiving Device D config interface range ethernet 1 0 1 ethernet 1 0 2 Device D config if range switchport mode trunk Device D config if range exit Device D config mac address table move update receive Configure GE1 0 1 to be uplink port of Monitor Link group 1 GE1 0 2 to be downlink port of Monitor Link group 1 Device DB config interface ethernet 1 0 1 Device D config if ethernet 1 ...

Страница 253: ... 0 2 DOWN Device B config show mac address table move update Dst mac address 01 80 c2 00 00 10 Default Current settings Rcv Off On Xmt Off Off Rcv Count 0 Xmt Count 0 show Flex Links and Monitor Link in Device C Device C config show interface switchport backup ActiveInterface BackupInterface State e1 0 1 e1 0 2 active Standby backup up Preemption mode Forced Preemption Delay 5 seconds Total record...

Страница 254: ...10 Default Current settings Rcv Off On Xmt Off Off Rcv Count 1 Xmt Count 0 When the link between Device A and Device B recovers GE1 0 1 of Device C will turn into forwarding after 5s Show Flex Links and Monitor Link in Device B Device B config show monitor link group Monitor link Group Group 1 UplinkID UplinkStatus e1 0 1 UP DownlinkID DownlinkStatus e1 0 2 UP Device B config show mac address tabl...

Страница 255: ...fig show mac address table move update Dst mac address 01 80 c2 00 00 10 Default Current settings Rcv Off Off Xmt Off On Rcv Count 0 Xmt Count 2 show Flex Links and Monitor Link in Device D Device D config show monitor link group Monitor link Group Group 1 UplinkID UplinkStatus e1 0 1 UP DownlinkID DownlinkStatus e1 0 2 UP Device D config show mac address table move update Dst mac address 01 80 c2...

Страница 256: ...e end of the connection requests are in a passive mode of the two an EFM can t be established between the entities connected Remote failure indication When the device detects a link event of an emergency the fault will end EFM entity s Flag by Information OAMPDU fault information field the type of emergency event link EFM notification to the peer entity In this way administrators can log informati...

Страница 257: ...inistrators to effectively manage the network Table 34 2 EFM protocol packets Message type Effect Information OAMPDU EFM entity status for the information including local information the remote information and custom information sent to the remote entity EFM EFM connections to maintain Event Notification OAMPDU Generally used for link monitoring on local and remote connected EFM physical link fail...

Страница 258: ...te Optional 1 2 10 Display and maintenance of EFM Optional 1 2 11 34 2 2 EFM Basic Configuration EFM mode of operation is divided into proactive mode and passive mode when the EFM function enabled the Ethernet port started to use the default mode of operation and the establishment of its peer port connected EFM Table 34 4 EFM basic configuration Operation Command Remarks Enter global configuration...

Страница 259: ...se EFM connection times out the local entity will EFM EFM aging and physical connection to the end of the relationship the EFM connection is broken so the connection must be greater than the timeout interval to send handshake packets Recommended for 3 times or more otherwise it will lead to EFM connection instability 34 2 4 Configuring Remote Failure Indication Table 34 6 Configure remote failure ...

Страница 260: ...frame window win value Optional Configure errored frame event detection threshold efm link monitor errored frame threshold th value Optional Configure errored frame period event detection cycle efm link monitor errored frame period window win value Optional Configure errored frame period event detection threshold efm link monitor errored frame period threshold th value Optional Configure errored f...

Страница 261: ...back ignore process Optional By default the remote refused to initiate a remote loopback request 34 2 8 Initiating Remote Loopback Request Table 34 10 Initiate a remote loopback request Operation Command Remarks Enter global configuration mode configure terminal Enter port configuration mode interface ethernet device slot port Initiate a remote loopback request efm remote loopback start stop Optio...

Страница 262: ...tate Optional Access to remote devices global MIB variable values show efm remote mib fecability fecmode Optional Description Only when the port EFM connection has been created EFM working model is for the proactive mode the far side far side port supports MIB variable access function to the port on the far end of the MIB variable for initiating the request Currently only supports remote query cap...

Страница 263: ...EFM configuration 263 Show EFM protocol packet statistics show efm statistics interface interface name Clear EFM protocol packet statistics clear efm statistics interface interface name ...

Страница 264: ... configuration options Through the radius server for authentication By the local user database for authentication 35 2 Mac Address Authentication Configuration 35 2 1 AAA Related Configuration MAC authentication which need to be configured to use AAA authentication for domain authentication The radius server for authentication or choose the local user database authentication in the AAA authenticat...

Страница 265: ...uthentication mac authentication encryption pap chap Optional 35 2 2 Enabling Configuration Related parameters it needs to start before they can be the mac address authentication Need to start the global mode and port mode mac authentication the port of mac authentication before they can take effect Table 35 2 Enabling configuration Operation Command Remarks Enter global configuration mode configu...

Страница 266: ... Offline detect timer configuration mac authentication timer quiet quiet time Optional 35 2 5 Mac vlan Configuration Functions Open this feature user authentication is successful the server will return the user vlan number the system for dynamic hardware mac vlan entries are configured and dynamically create the vlan and the user is adding the vlan port so you can vlan access the network If the sy...

Страница 267: ... vlan function mac authentication guest vlan vid Optional Guest vlan configuration re authentication timer mac authentication timer guest vlan reauth time Optional 35 2 7 Configuring User Features Mainly provides the following features limit the number of users Limit the number of users allowed on a port user authentication rate limits To prevent the user authentication result in excessive cpu is ...

Страница 268: ...capsulates the packet replaces its destination MAC address with a specific multicast MAC address and then forwards the packet in the service provider network 2 The encapsulated Layer 2 protocol packet called bridge protocol data unit BPDU for short is forwarded to PE 2 at the other end of the service provider network which de encapsulates the packet restores the original destination MAC address of...

Страница 269: ...igure the rate for up to cpu l2 tunnel drop threshold cdp lacp pagp stp udld vtp rate Optional 36 2 3 L2TP Monitor and Maintenance After finishing above configuration user can check the configurations by command below Table 36 3 L2TP monitor and maintenance Operation Command Remarks Show L2TP configuration show l2 tunnel interface ethernet interface num On any configuration mode Show the rate for ...

Страница 270: ...the amount of VLANs in the MAN Figure 37 1 QinQ Ethernet frame structure The port QinQ feature is a flexible easy to implement Layer 2 VPN technique which enables the access point to encapsulate an outer VLAN tag in Ethernet frames from customer networks private networks so that the Ethernet frames will travel across the service provider s backbone network public network with double VLAN tags The ...

Страница 271: ...le VLAN based implementation of QinQ Selective QinQ is global User can enable disable it on port by using no dtag flexible qinq command If selective QinQ on port is disabled the port is on static QinQ mode If selective QinQ on port is enabled global dynamic QinQ is for ports Selective QinQ can For ingress packet different outer vlan tag can be added according to different inner VLAN ID For ingress...

Страница 272: ...lue so that the QinQ frames when sent to the public network carry the TPID value identical to the value of a particular vendor to allow interoperability with the devices of that vendor The TPID in an Ethernet frame has the same position with the protocol type field in a frame without a VLAN tag To avoid problems in packet forwarding and handling in the network you cannot set the TPID value to any ...

Страница 273: ... 37 4 Enable selective QinQ Operation Command Description Enter global configuration mode configure terminal Enable basic QinQ qinq Modify outer TPID qinq inner tpid outer tpid tpid value Optional default value is 0x8100 Add different outer VLAN Tag for different inner VID qinq insert start vlan id end vlan id service vlan id These command can only be used in global configuration mode Configure vl...

Страница 274: ... to VLAN 100 created in the service provider network are interconnected through trunk ports In between Provider A and Provider B are network devices with TPID 0x9100 Figure 37 3 Basic QinQ application It is required that Customer A and Customer B can communicate with each other across the service provider network Configuration on Provider A Switch configure terminal Switch config qinq Switch confi...

Страница 275: ...config if ethernet 0 0 1 qinq mode customer Switch config if ethernet 0 0 1 interface ethernet 0 1 1 Switch config if ethernet 0 1 1 switchport mode trunk Switch config if ethernet 0 1 1 exit Selective QinQ Configuration Network requirements As shown in Figure 37 4 Provider A and Provider B are access switches in the service provider network that connect the customer network The customer network i...

Страница 276: ...erface ethernet 0 1 1 Switch config if ethernet 0 1 1 switchport mode trunk Switch config if ethernet 0 1 1 exit 2 Configuration on Provider B Switch configure terminal Switch config qinq Switch config qinq outer tpid 9100 Switch config qinq insert 10 10 100 Switch config qinq insert 20 20 100 Switch config vlan 100 Switch config if vlan switchport ethernet 0 0 1 ethernet 0 1 1 Switch config if vl...

Страница 277: ...trol packet 01 80 c2 00 00 02 802 3ad LACP packet 01 80 c2 00 00 03 802 1X packet 01 80 c2 00 00 0e LLDP packet 01 80 c2 00 00 10 Flexlink MMU packet 01 80 c2 00 00 20 GMRP packet 01 80 c2 00 00 21 GVRP packet 38 2 Configure Port Car Perform following commands in global configuration mode Table 37 6 Configure port car Operation Command Description Enter global configuration mode configure terminal...

Страница 278: ...play port car status show port car 38 4 Port car Configuration Example Enable global port car and configure global rate to be 200pps Switch configure terminal Switch config port car Switch config port car rate 200 Enable port e0 1 1 port car and configure rate to be 50pps Switch config interface ethernet 0 1 1 Switch config if ethernet 0 1 1 port car Switch config if ethernet 0 1 1 port car rate 5...

Страница 279: ...onfigure Storm control Storm Control configuration is in interface configuration mode that is administrator can configure it per port Table 37 8 Configure Storm control Operation Command Remarks Enter global configuration mode configure terminal Enter interface configuration mode interface ethernet device slot port Configure packet type for storm control Storm control broadcast multicast unicast R...

Страница 280: ...lticast frames based on their respective multicast address table be forwarded 40 2 Configuring MLD Snooping 40 2 1 MLD Snooping Configuration Task List Table 40 1 MLD Snooping Configuration Task List Configuration Tasks Remark Detailed configuration Basic MLD Snooping Configuration Start MLD Snooping Required 40 2 2 Adjust and optimize the MLD Snooping Configuration Configure dynamic multicast mem...

Страница 281: ...me time Optional Default configuration the maximum response time to leave the 10S 40 2 4 Fast leave Configuration Port Under normal circumstances MLD Snooping in MLD leave message is received directly will not remove the port from the multicast group but to wait some time before the port from the multicast group Start quickly delete function MLD Snooping received MLD leave message the direct port ...

Страница 282: ... number of multicast will be occupied In other words all the ports will share this NUM_MULTICAST_GROUPS multicast group resources 40 2 6 Configuring MLD Snooping Multicast Learning Strategies Configured multicast learning strategies the administrator can control the router only to learn the specific multicast group If a multicast group is added to the blacklist then the router will not learn the m...

Страница 283: ...link layer to send general queries messages in order to establish and maintain multicast forwarding entry Users can also configure the MLD Snooping querier sends general query messages with the source address the maximum response time and query cycle Table 40 7 Configuring MLD Snooping querier Operation Command Remarks Enter global configuration mode configure terminal On MLD Snooping querier mld ...

Страница 284: ...ill be modified as a multicast VLAN Table 40 9 Multicast VLAN port configuration Operation Command Remarks Enter global configuration mode configure terminal Enter port configuration mode interface ethernet interface num Multicast VLAN port configuration mld snooping multicast vlan vid Optional 40 2 10 Display and Maintenance of MLD Snooping After completing the above configuration can use the fol...

Страница 285: ...ration steps Configuring S switch A Configure VLAN2 to 4 and add the ports separately into VlAN2 3 4 of Ethernet0 0 1 Ethernet0 0 2 and Ethernet0 0 3 S switch A config vlan 2 S switch A config if vlan switchport ethernet 0 0 1 S switch A config if vlan exit S switch A config vlan 3 S switch A config if vlan switchport ethernet 0 0 2 S switch A config if vlan exit S switch A config vlan 4 IPV6 Mult...

Страница 286: ...port entry Show the switch learned multicast group S switch A config show mld snooping group show multicast table information MAC Address 33 33 00 01 00 01 VLAN ID 2 port list e0 0 1 MAC Address 33 33 00 01 00 02 VLAN ID 3 port list e0 0 2 MAC Address 33 33 00 01 00 03 VLAN ID 4 port list e0 0 2 Total entries 3 S switch A config show mld snooping router dynamic Port VID Age Type e0 0 4 2 284 STATI...

Результаты поиска

Содержание S6424-S2C2 series

Отзывы:

Бренды по названию

Популярные бренды

FoxGate S6424-S2C2 series, Руководство по настройке

Результаты поиска

Содержание S6424-S2C2 series

Отзывы:

Бренды по названию

Популярные бренды