SNR S2940-8G-v2 Скачать руководство пользователя страница 214 | Manualshive

Страница: 214 / 420

SNR S2940-8G-v2 Скачать руководство пользователя страница 214

SNR S2940-8G-v2 Switch Configuration Guide

ARP Guard Configuration

Chapter 32

ARP Guard Configuration

32.1

Introduction to ARP Guard

There is serious security vulnerability in the design of ARP protocol, which is any network device,
can send ARP messages to advertise the mapping relationship between IP address and MAC ad-
dress. This provides a chance for ARP cheating. Attackers can send ARP REQUEST messages
or ARP REPLY messages to advertise a wrong mapping relationship between IP address and
MAC address, causing problems in network communication. The danger of ARP cheating has
two forms: 1. PC4 sends an ARP message to advertise that the IP address of PC2 is mapped to
the MAC address of PC4, which will cause all the IP messages to PC2 will be sent to PC4, thus
PC4 will be able to monitor and capture the messages to PC2; 2. PC4 sends ARP messages to
advertise that the IP address of PC2 is mapped to an illegal MAC address, which will prevent PC2
from receiving the messages to it. Particularly, if the attacker pretends to be the gateway and do
ARP cheating, the whole network will be collapsed.

PC1

Switch

HUB

PC4

PC2

PC3

PC5

PC6

Figure 32.1: ARP Guard schematic diagram

We utilize the filtering entries of the switch to protect the ARP entries of important network

devices from being imitated by other devices. The basic theory of doing this is that utilizing the
filtering entries of the switch to check all the ARP messages entering through the port, if the source
address of the ARP message is protected, the messages will be directly dropped and will not be
forwarded.

ARP Guard function is usually used to protect the gateway from being attacked. If all the

accessed PCs in the network should be protected from ARP cheating, then a large number of ARP
Guard address should be configured on the port, which will take up a big part of FFP entries in the
chip, and as a result, might affect other applications. So this will be improper. It is recommended

214

«
...
212
213
214
215
216
...
»

Содержание S2940-8G-v2

Страница 1: ...iguration Example 50 3 4 Port Troubleshooting 51 4 Port Isolation Function Configuration 52 4 1 Introduction to Port Isolation Function 52 4 2 Task Sequence of Port Isolation 52 4 3 Port Isolation Fun...

Страница 2: ...ion 76 10 1 Introduction to EFM OAM 76 10 2 EFM OAM Configuration 79 10 3 EFM OAM Example 81 10 4 EFM OAM Troubleshooting 82 11 Port Security 83 11 1 Introduction to Port Security 83 11 2 Port Securit...

Страница 3: ...pical Applications of the Dot1q tunnel 132 17 4 Dot1q tunnel Troubleshooting 133 18 Selective QinQ Configuration 134 18 1 Introduction to Selective QinQ 134 18 2 Selective QinQ Configuration 134 18 3...

Страница 4: ...Typical Configuration Examples 157 24 4 MAC Table Troubleshooting 158 24 5 MAC Address Function Extension 158 24 6 MAC Notification Configuration 161 IV MSTP Configuration 164 25 MSTP Configuration 16...

Страница 5: ...bleshooting Help 210 31 Prevent ARP Spoofing Configuration 211 31 1 Overview 211 31 2 Prevent ARP Spoofing configuration 212 31 3 Prevent ARP Spoofing Example 213 32 ARP Guard Configuration 214 32 1 I...

Страница 6: ...ple 243 37 4 DHCP option 60 and option 43 Troubleshooting 243 38 DHCPv6 option37 38 244 38 1 Introduction to DHCPv6 option37 38 244 38 2 DHCPv6 option37 38 Configuration Task List 245 38 3 DHCPv6 opti...

Страница 7: ...ation Function of MAC and IP in Port VLAN Configuration Task Sequence 325 46 3 The Number Limitation Function of MAC and IP in Port VLAN Typical Examples 327 46 4 The Number Limitation Function of MAC...

Страница 8: ...rmediate Agent Configuration Task List 359 54 3 PPPoE Intermediate Agent Typical Application 360 54 4 PPPoE Intermediate Agent Troubleshooting 361 55 Web Portal Configuration 362 55 1 Introduction to...

Страница 9: ...mples 397 61 4 Device Mirror Troubleshooting 398 62 sFlow Configuration 399 62 1 Introduction to sFlow 399 62 2 sFlow Configuration Task List 399 62 3 sFlow Examples 401 62 4 sFlow Troubleshooting 402...

Страница 10: ...66 7 System log 414 67 Reload Switch after Specified Time 418 67 1 Introduce to Reload Switch after Specifid Time 418 67 2 Reload Switch after Specifid Time Task List 418 68 Debugging and Diagnosis f...

Страница 11: ...SNR S2940 8G v2 Switch Configuration Guide Part I Basic Management Configuration 11...

Страница 12: ...ugh Telnet The procedures for managing the switch via Console interface are listed below Step 1 Setting up the environment Connect with serial port Figure 1 1 Out of band Management Configuration Envi...

Страница 13: ...o parity None flow control Step 3 Entering switch CLI interface Power on the switch the following appears in the terminal emulation window that is the CLI configuration mode for Switch System is booti...

Страница 14: ...N1 exists in the system The following describes the steps for a Telnet client to connect to the switch s VLAN1 interface by Telnet IPV4 address example Step 1 Configure the IP addresses for the switch...

Страница 15: ...ter valid login name and password in the Telnet configuration interface Telnet user will be able to enter the switch s CLI configuration interface The commands used in the Telnet CLI inter face after...

Страница 16: ...ion style with the following command authentication line web login local Privilege option must exist and just is 15 Assume an authorized user in the switch has a username of admin and password of admi...

Страница 17: ...y system first If as common user it is defaulted to User Mode The prompt shown is Switch the symbol is the prompt for User Mode When exit command is run under Admin Mode it will also return to the Use...

Страница 18: ...Mirroring VLAN creation IGMP Snooping start and STP etc And the user can go further to Port Mode for configuration of all the interfaces Interface Mode Use the interface command under Global Mode can...

Страница 19: ...P ACL Mode Type ip access list standard command under Global Mode Configure parame ters for Standard IP ACL Mode Use the exit com mand to return to Global Mode Extended IP ACL Mode Type ip access list...

Страница 20: ...and no parameter just type in the command to run vlan vlan id parameter values are required after the keyword firewall enable disable user can enter firewall enable or firewall disable for this com m...

Страница 21: ...to the Admin Mode directly from the other configuration modes ex cept User Mode Ctrl c Break the ongoing command process such as ping or other command exe cution Tab When a string for a command or ke...

Страница 22: ...his command is not exist in current mode The command is recognized but this command can not be used under current mode Please configure precursor command at first The command is recognized but the pre...

Страница 23: ...Various Modes exit Exit current mode and enter previous mode such as using this command in global mode to go back to admin mode and back to normal user mode from admin mode show privilege Show privil...

Страница 24: ...ction to one remote host If a connection to another remote host is desired the current TCP connection must be dropped Telnet Configuration Task List 1 Configure Telnet Server 2 Telnet to a remote host...

Страница 25: ...d1 method2 no authorization line console vty web exec Configure the authorization method list with telnet authorization line vty command 1 15 local radius tacacs none no authorization line vty com man...

Страница 26: ...tication etc SSH Server Configuration Task List Command Explanation Global Mode ssh server enable no ssh server enable Enable SSH function on the switch the no command dis ables SSH function username...

Страница 27: ...the local host 2 3 Configure Switch IP Addresses All Ethernet ports of switch are default to Data Link layer ports and perform layer 2 forwarding VLAN interface represent a Layer 3 interface function...

Страница 28: ...he switch to be a BootP client and obtain IP ad dress and gateway address through BootP negotiation the no command disables the BootP client function 4 DHCP configuration Command Explanation VLAN Inte...

Страница 29: ...k topology changes Agents can send Trap messages to NMS to inform the abnormal events Besides NMS can also be set to alert to some abnormal events by enabling RMON function When alert events are trigg...

Страница 30: ...ID such as BRIDGE MIB Besides the switch supports self defined private MIB 2 4 3 Introduction to RMON RMON is the most important expansion of the standard SNMP RMON is a set of MIB definitions used to...

Страница 31: ...cess num std name ipv6 access ipv6 num std ipv6 name Configure the community string for the switch the no command deletes the configured community string 3 Configure IP address of SNMP management stat...

Страница 32: ...priv read read string write write string no tify notify string access num std name ipv6 access ipv6 num std ipv6 name Set the group information on the switch This command is used to configure VACM for...

Страница 33: ...4 5 Typical SNMP Configuration Examples The IP address of the NMS is 1 1 1 5 the IP address of the switch Agent is 1 1 1 9 Scenario 1 The NMS network administrative software uses SNMP protocol to obta...

Страница 34: ...y string to access the switch with read write permis sion or use public as the community string to access the switch with read only permission Scenario 6 NMS will receive Trap messages from the switch...

Страница 35: ...fers to the compressed files of the switch hardware drivers and software support program etc namely what we usually call the IMG update file The IMG file can only be saved in the FLASH with a defined...

Страница 36: ...le TFTP server in the PC Run TFTP server program Before start downloading upgrade file to the switch verify the connectivity between the server and the switch by ping from the switch If ping succeeds...

Страница 37: ...system update image file Boot write nos img File exists overwrite Y N N y Writing flash nos img Write flash nos img OK Boot Step 8 After successful upgrade execute run or reboot command in BootROM mo...

Страница 38: ...ment connection maintains until data transfer is complete Then using the address and port number provided by the client the server establishes data connection on port 20 if not engaged to transfer dat...

Страница 39: ...nvolatile storage corresponding to the so called configu ration save If the device does not support CF the configuration file stores in FLASH only if the device supports CF the configuration file stor...

Страница 40: ...url ascii binary FTP TFTP client upload download file b For FTP client server file list can be checked Command Explanation Admin Mode ftp dir ftpServerUrl For FTP client server file list can be checke...

Страница 41: ...mission time for TFTP server FTP TFTP Configuration Examples The configuration is same for IPv4 address or IPv6 address The example only for IPv4 address Fig 2 3 Download nos img file as FTP TFTP clie...

Страница 42: ...ch is a FTP client Transfer the nos img file in the switch to the computer and save as 12_25_nos img The configuration procedures of the switch are listed below Switch config interface vlan 1 Switch C...

Страница 43: ...tp Switch superuser 10 1 1 1 220 Serv U FTP Server v2 5 build 6 for WinSock ready 331 User name okay need password 230 User logged in proceed 200 PORT Command successful 150 Opening ASCII mode data co...

Страница 44: ...ise the switch may be rendered unable to start If the system file and system start up file upgrade through FTP fails please try to upgrade again or use the BootROM mode to upgrade TFTP Troubleshooting...

Страница 45: ...start up file through TFTP the switch must not be restarted until close tftp client is displayed indicating upgrade is successful otherwise the switch may be rendered unable to start If the system fi...

Страница 46: ...SNR S2940 8G v2 Switch Configuration Guide Part II Port Configuration 46...

Страница 47: ...nsecutive port numbers Suppose an operation should be performed on ports 2 3 4 5 the command would look like interface ethernet 1 2 5 Port speed duplex mode and traffic con trol can be configured unde...

Страница 48: ...supported by combo port and fiber port of switch speed duplex auto 10 100 1000 auto full half force10 half force10 full force100 half force100 full force100 fx module type auto detected no phy integra...

Страница 49: ...rt scan mode as interrupt or poll mode the no command restores the default port scan mode rate violation 200 2000000 recovery 0 86400 no rate violation Set the max packet reception rate of a port If t...

Страница 50: ...ted below Switch1 Switch1 config interface ethernet 1 7 Switch1 Config If Ethernet1 7 bandwidth control 50000 both Switch2 Switch2 config interface ethernet 1 9 Switch2 Config If Ethernet1 9 speed dup...

Страница 51: ...ace is set to auto negotiation but the other to forced speed duplex This is determined by IEEE 802 3 The following combinations are not recommended enabling traffic control as well as setting multicas...

Страница 52: ...o more than 16 port isolation groups can a switch have 4 2 Task Sequence of Port Isolation 1 Create an isolate port group 2 Add Ethernet ports into the group 3 Display the configuration of port isolat...

Страница 53: ...topology and configuration of switches are showed in the figure above with e1 1 e1 10 and e1 15 all belonging to VLAN 100 The requirement is that after port isolation is enabled on switch S1 e1 1 and...

Страница 54: ...ward messages When a new source MAC is already learnt by the layer 2 device only with a different source port the original source port will be modified to the new one which means to correspond the ori...

Страница 55: ...n Command Explanation Port Mode loopback detection specified vlan vlan list Enable and disable the function of port loopback detection no loopback detection specified vlan vlan list 3 Configure the co...

Страница 56: ...the port connecting the switch with the outside network the switch will notify the connected network about the existence of a loopback and control the port on the switch to guarantee the normal operat...

Страница 57: ...ch Configuration Guide Port Loopback Detection Function Configuration 5 4 Port Loopback Detection Troubleshooting The function of port loopback detection is disabled by default and should only be enab...

Страница 58: ...s in physical layer like automatic negotiation SWITCH A SWITCH B 1 0 1 1 0 2 1 0 4 1 0 3 Figure 6 1 Fiber Cross Connection This kind of problem often appears in the following situations GBIC Giga Bitr...

Страница 59: ...at interval Besides ULDP provides the reset mechanism when the port is disabled by ULDP it can check again through reset mechanism The time intervals of notification messages and reset in ULDP can be...

Страница 60: ...ation Mode uldp aggressive mode Set the working mode of the port no uldp aggressive mode 5 Configure the method to shut down unidirectional link Command Explanation Global Configuration Mode uldp manu...

Страница 61: ...mation no debug uldp event debug uldp packet receive send no debug uldp packet receive send Enable or disable the type of messages can be received and sent on all ports debug uldp hello probe echo uni...

Страница 62: ...information on the CRT terminal of PC1 Oct 29 11 09 50 2007 A unidirectional link is detected Port Ethernet1 1 need to be shutted down Oct 29 11 09 50 2007 Unidirectional port Ethernet1 1 shut down Oc...

Страница 63: ...1 3 of the STP convergence time If the interval is too long a STP loop will be generated before ULDP discovers and shuts down the unidirectional connection port If the interval is too short the networ...

Страница 64: ...o advertise In specific LLDP defines a general advertisement information set a transportation advertise ment protocol and a method to store the received advertisement information The device to ad vert...

Страница 65: ...on switch 3 Configure the operating state of port LLDP 4 Configure the intervals of LLDP updating messages 5 Configure the aging time multiplier of LLDP messages 6 Configure the sending delay of updat...

Страница 66: ...ld value no lldp msgTxHold Configure the aging time multiplier of LLDP messages as the specified value or default value 6 Configure the sending delay of updating messages Command Explanation Global mo...

Страница 67: ...ration mode lldp tooManyNeighbors discard delete Configure the type of operation when the Remote Table of the port is full 12 Display and debug the relative information of LLDP Command Explanation Adm...

Страница 68: ...hA config lldp enable SwitchA config interface ethernet 1 4 SwitchA Config If Ethernet1 4 lldp transmit optional tlv portDesc sysCap SwitchA Config If Ethernet1 4 exit SWITCH B configuration task sequ...

Страница 69: ...mes an independent logical port Port aggregation is a process of logical abstraction to abstract a set of ports port sequence with the same properties to a logical port Port Channel is a collection of...

Страница 70: ...as a normal port Switch have a built in aggre gation interface configuration mode the user can perform related configuration in this mode just like in the VLAN and physical interface configuration mo...

Страница 71: ...ion group if the current number of the member ports exceeds the limitation of the max port number then the system of this end will negotiates with the other end to decide the port state according to t...

Страница 72: ...rt channel number Enter port channel configuration mode 4 Set load balance method for port group Command Explanation Aggregation port configuration mode load balance src mac dst mac dst src mac src ip...

Страница 73: ...nnel 1 Switch1 Config If Port Channel1 Switch2 config Switch2 config port group 2 Switch2 config interface ethernet 1 6 Switch2 Config If Ethernet1 6 port group 2 mode passive Switch2 Config If Ethern...

Страница 74: ...xchange LACP PDU to complete aggregation Aggregation finishes immediately when the command to add port 1 2 to port group 1 is entered port 1 and port 2 aggregate to be port channel 1 when port 1 3 joi...

Страница 75: ...peed of the whole network by 2 to 5 Technically the Jumbo is just a lengthened frame sent and received by the switch However considering the length of Jumbo frames they will not be sent to CPU We disc...

Страница 76: ...re powerful E LMI standard set by MEF is only applied to UNI So above protocols can be used to different network topology and management between them exist the complementary relation EFM OAM Ethernet...

Страница 77: ...will also log and report it With the log information network administrators can keep track of network status in time The link event monitored by EFM OAM means that the link happens the error event in...

Страница 78: ...nk without autonegotiaction EFM OAM can detect the fault and inform the remote OAM peers through sending Information OAMPDU Dying Gasp There is no definition present Although device does not generate...

Страница 79: ...nds no ethernet oam period Configure transmission period of OAMPDU optional no command restores the default value ethernet oam timeout sec onds no ethernet oam timeout Configure timeout of EFM OAM con...

Страница 80: ...al event or link fault event of the local no command disables the function optional ethernet oam errored symbol period threshold high high symbols none Configure the high threshold of errored symbol p...

Страница 81: ...ethernet1 1 CE config if ethernet1 1 ethernet oam mode passive CE config if ethernet1 1 ethernet oam CE config if ethernet1 1 ethernet oam remote loopback supported Other parameters use the default co...

Страница 82: ...en two OAM entities Ensuring SNMP configuration is correct or else errored event can not be reported to network management system Link does not normally communicate in OAM loopback mode it should canc...

Страница 83: ...g network security management After port security is enabled the device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This r...

Страница 84: ...d dynamic sticky ad dress mac addr interface interface id vlan vlan id Clear the secure MAC entry of the interface show port security interface interface id address vlan Show port security configurati...

Страница 85: ...Switch config if ethernet1 0 1 exit Switch config 11 4 Port Security Troubleshooting If problems occur when configuring Port Security please check whether the problem is caused by the following reaso...

Страница 86: ...e the system reliability DDM applications are shown in the following 1 Module lifetime forecast Monitoring the bias current is able to forecast the laser lifetime Administrator is able to find some po...

Страница 87: ...d thresholds Because the user s environments are difference the users is able to define the threshold including high alarm low alarm high warn low warn to flexibly monitor the working state of the tra...

Страница 88: ...f the transceiver Command Explanation User mode admin mode and global mode show transceiver interface eth ernet interface list detail Show the monitoring of the transceiver 2 Configure the alarm or wa...

Страница 89: ...Command Explanation Admin mode clear transceiver threshold violation interface ethernet interface list Clear the threshold violation of the transceiver monitor 12 3 Examples of DDM Example 1 Ethernet...

Страница 90: ...altime High Alarm Low Alarm High Warn Low Warn Temperature 33 70 0 70 0 Voltage V 7 31 A 5 00 0 00 5 00 0 00 Bias current mA 6 11 W 10 30 0 00 5 00 0 00 RX Power dBM 30 54 A 9 00 25 00 9 00 25 00 TX P...

Страница 91: ...reshold configured by the user the threshold configured by the manufacturer is labeled with the bracket There is the alarm with A due to 13 01 is less than 12 00 Switch show transceiver interface ethe...

Страница 92: ...f ethernet1 21 quit Switch config show transceiver threshold violation interface ethernet 1 21 22 Ethernet 1 21 transceiver threshold violation information Transceiver monitor is enabled Monitor inter...

Страница 93: ...ure the used board and switch support the corresponding function When using show transceiver command or show transceiver detail command it cost much time due to the switch will check all ports so it i...

Страница 94: ...ce informa tion To deploy and manage voice device expediently LLDP MED TLVs provide multiple infor mation such as PoE Power over Ethernet network policy and the location information of the emergent te...

Страница 95: ...Configure device type and country code of the location with Civic Address LCI format and enter Civic Address LCI ad dress mode The no command cancels all configurations of the location with Civic Addr...

Страница 96: ...1 0 1 lldp transmit med tlv capability SwitchA Config If Ethernet1 0 1 lldp transmit med tlv network policy SwitchA Config If Ethernet1 0 1 lldp transmit med tlv inventory SwitchB Config If Ethernet1...

Страница 97: ...tity PD Power Device IN Inventory MED Capabilities CAP NP PD IN MED Device Type Endpoint Class III Media Policy Type Voice Media Policy Tagged Media Policy Vlan id 10 Media Policy Priority 3 Media Pol...

Страница 98: ...ce is able to send LLDP packets with MED TLV forwardly so the correspond ing Remote table with LLDP MED information on Ethernet1 of switch A 13 4 LLDP MED Troubleshooting If problems occur when config...

Страница 99: ...etworks of the same corporation through the service provider network To maintain a local concept it not only needs to transmit the data within the user s private network across the tunnel but also tra...

Страница 100: ...lacp dot1x Enable the port to support the tunnel the no command dis ables the function no bpdu tunnel stp gvrp uldp lacp dot1x 14 3 Examples of bpdu tunnel Special lines are used in a service provide...

Страница 101: ...original destination MAC address of the packet and then sends the packet to network 2 of user A bpdu tunnel configuration of edge switches PE1 and PE2 in the following PE1 configuration PE1 config bpd...

Страница 102: ...out OAM is not the indication weakness of the Ethernet Using the IEEE802 1agas example this also go by the name of connection failure management CFM standard it provides the port to port network inspe...

Страница 103: ...inspection is called MP Main tenance Point the bridge of port that configure on the maintenance point 15 2 1 Maintenance Domain The network can be logically divided into different layers from interna...

Страница 104: ...is belong to certain maintenance service the boundary of the service which is configured on the port MEP responds for initiating all CFM messages CCM LTM LBM the protocol behaviours and the status are...

Страница 105: ...exists and lower level of MIP does not exist then it will build up MIP on particular port at this level defer Whether build up the MIP node the build rules will be determine by the configured rules of...

Страница 106: ...ties or orientate the failure point The processes as follow MEP send LTM to the target MP MEP or MIP each of the MIP after receiving the LTM will also send a LTR to source MEP And then transmit the LT...

Страница 107: ...way broadcast message LBM the destination address of the message is the outlying MP Once the middle facility receive the LBM will then transmit and the outlying MP will sending the replay message LBR...

Страница 108: ...levels in the maintenance domain in the whole network to confirm each level of boundaries in the domain 2 Confirm the name of each maintenance domain the name of different facilities is the same in th...

Страница 109: ...net cfm mode Select the mode of enabling CFM OAM it is only used be fore enabling CFM OAM function No command recovers to be the default of auto 2 Enable CFM OAM function globally Command Explanation...

Страница 110: ...num pvlan vlan id port pvlan vlan id vlan WORD direction down no service ma name num ber ma num pvlan vlan id Build up MA Configure the property of UP DOWN of MA and enter into MA mode One service ca...

Страница 111: ...o mip auto create Build up the MIP configuration on the layer that does not relate to MA As default there is no rule of configuring the mid point and it does not carry the sender id No command deletes...

Страница 112: ...omain domain name service ma name number ma num pvlan vlan id Display the configured information of the maintenance collection show ethernet cfm maintenance points local de tail mep mip domain domain...

Страница 113: ...aintenance point to the other points Under the default stage this function is closed If enter into target mep id it cannot searching the corresponding mac address If it cannot find it will display err...

Страница 114: ...n 3 5 sending cycles of CCM packets judge that the connection to the distant point is wrong then send LTM packet the target of this LTM packet is the distant maintain ing point the TTL field in LTM pa...

Страница 115: ...Mode switchport ulpp group group id track cfm cc level level value Configure ulpp group member port to associate with cfm cc detection When ulpp group member port received the matching cfm information...

Страница 116: ...id 1 2 Switch config ecfm srv continuity check enable Switch config ecfm srv continuity check receive rmep 2 Switch config ecfm srv exit Switch config ecfm exit Switch config interface ethernet 1 1 Sw...

Страница 117: ...LAN ARP Protected VLAN Reference Instance 1 Member Role State Track cfm level Ethernet1 1 MASTER FORWARD 4 Ethernet1 2 SLAVE STANDBY if the CFM checking the CC is overtime then it will inform the ULPP...

Страница 118: ...sending and receiving function of CCM information 2 Steps of Configuration 1 Build up VLAN and adding the related ports to corresponding VLAN 2 Open the Global CFM function and build up customer_A an...

Страница 119: ...1 on MEP3 Switch config ecfm srv mep mepid 1 4 Switch config ecfm srv continuity check receive rmep 1 3 Switch config ecfm srv exit Switch config ecfm exit Switch config interface ethernet 1 1 Switch...

Страница 120: ...onfig ecfm srv continuity check receive enable 8 To check the configuration of maintenance base point of MA1 in customer_A of S1 Switch show ethernet cfm maintenance points local detail mep domain cus...

Страница 121: ...on the port then mep will receive the message from this port If it configured the up mep then the mep will receive the messages from others ports Please ensure that the up mep configuration is on the...

Страница 122: ...MA is only need to configure on the port if there is configured the MEP point in the port then it cannot develop the MIP even if there is configured the port channel it will cause the MEP ineffective...

Страница 123: ...SNR S2940 8G v2 Switch Configuration Guide Part III VLAN and MAC Table Configuration 123...

Страница 124: ...ted following IEEE 802 1Q The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands PC Printer Server Switch Switch Sw...

Страница 125: ...s of multi VLANs They can be used to connect between the switches or to a computer of the user Hybrid ports and Trunk ports receive the data with the same process method but send the data with differe...

Страница 126: ...ort Type Command Explanation Port mode switchport mode trunk access hybrid Set the current port as Trunk Access or Hybrid port 5 Set Trunk port Command Explanation Port mode switchport trunk allowed v...

Страница 127: ...able Enable VLAN Ingress Rules Command Explanation Global mode vlan ingress enable Enable Disable VLAN ingress rules no vlan ingress enable 9 Configure Private VLAN Command Explanation VLAN mode priva...

Страница 128: ...two switches Configuration Item Configuration description VLAN2 Site A and site B switch port 2 4 VLAN100 Site A and site B switch port 5 7 VLAN200 Site A and site B switch port 8 10 Trunk port Site...

Страница 129: ...h Config Vlan200 switchport interface ethernet 1 8 10 Switch Config Vlan200 exit Switch config interface ethernet 1 11 Switch Config If Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11...

Страница 130: ...1 10 Switch B Switch config vlan 7 9 10 Switch config interface ethernet 1 7 Switch Config If Ethernet1 7 switchport mode hybrid Switch Config If Ethernet1 7 switchport hybrid native vlan 7 Switch Con...

Страница 131: ...nd belong to VLAN 3 On the customer port Trunk VLAN 200 300 On the customer port Trunk VLAN 200 300 Figure 17 1 Dot1q tunnel based Internetworking mode As shown in above after being enabled on the use...

Страница 132: ...096 at user s will The user network is considerably independent When the ISP internet is upgrading their network the user networks do not have to change their original configuration Detailed descripti...

Страница 133: ...10 switchport mode trunk Switch Config Ethernet1 0 10 dot1q tunnel tpid 0x9100 Switch Config Ethernet1 0 10 exit Switch Config PE2 Switch config vlan 3 Switch Config Vlan3 switchport interface etherne...

Страница 134: ...nsmission path 18 2 Selective QinQ Configuration Selective QinQ Configuration Task List 1 Configure the port mapping relation between the inner tag and the outer tag 2 Configure selective QinQ of port...

Страница 135: ...cted to the public network 3 The public network permits packets of VLAN 1000 and VLAN 2000 to pass 4 Enable the selective QinQ on Ethernet1 1 and Ethernet1 2 ports of Switch A and Switch B respectivel...

Страница 136: ...above configuration packets of VLAN 100 through VLAN 200 from Ethernet1 1 are automatically tagged with the tag of VLAN 1000 as the outer VLAN tag and packets of VLAN 201 through VLAN 300 from Etherne...

Страница 137: ...access ports of the switch can not support this function 19 2 VLAN translation Configuration Configuration task sequence of VLAN translation 1 Configure the VLAN translation function on the port 2 Co...

Страница 138: ...es VLAN3 to VLAN20 on PE The ingress of the port translates VLAN20 to VLAN3 the egress translates VLAN3 to VLAN20 on PE On the customer port Trunk VLAN 200 300 On the customer port Trunk VLAN 20 Figur...

Страница 139: ...sing the VLAN translation the dot1q tunnel function needs to be enabled first to adapt double tag data packet processes VLAN translation When configuration vlan translation of the egress make sure nat...

Страница 140: ...n The access ports of the switch can not support this function 20 2 Multi to One VLAN Translation Configuration Multi to One VLAN translation configuration task list 1 Configure Multi to One VLAN tran...

Страница 141: ...UserD VID 1 UserF VID 3 UserE VID 2 UserA VID 1 UserB VID 3 UserB VID 2 User A B C VID 100 User D E F VID 200 Figure 20 1 VLAN translation typical application Configuration Item Configuration Explana...

Страница 142: ...ddress should not exist in the original and the translated VLAN Check whether the hardware resource of the chip is able to ensure all clients to work normally Limit learning of MAC address may affect...

Страница 143: ...the data packet according to the subnet segment leading the data packet to specified VLAN Its advantage is the same as that of the MAC based VLAN the user does not have to change configuration when r...

Страница 144: ...AN 3 Configure the correspondence between the MAC address and the VLAN Command Explanation Global mode mac vlan mac mac address vlan vlan id priority priority id no mac vlan mac mac address all Add de...

Страница 145: ...efer 21 3 Typical Application of the Dynamic VLAN Scenario In the office network Department A belongs to VLAN100 Several members of this department often have the need to move within the whole office...

Страница 146: ...xit Switch C SwitchC Config mac vlan mac f8 f0 82 11 22 33 vlan 100 priority 0 SwitchC Config exit 21 4 Dynamic VLAN Troubleshooting Switch 192 168 1 200 24 192 168 1 100 24 Ping 192 168 1 100 Ping 19...

Страница 147: ...22 1 a typical application scene A and G switches are not directly connected in layer 2 network BCDEF are intermediate switches connecting A and G Switch A and G configure VLAN100 1000 manually while...

Страница 148: ...ommand Explanation Global mode garp timer join 200 500 garp timer leave 500 1200 garp timer leaveall 5000 60000 no garp timer join leave leaveAll Configure leaveall join and leave timer for GVRP 2 Con...

Страница 149: ...1 of Switch A and C Port 10 11 of Switch B Global GVRP Switch A B C Port GVRP Port 11 of Switch A and C Port 10 11 of Switch B Connect two workstations to the VLAN100 ports in switch A and B connect p...

Страница 150: ...ce ethernet 1 2 6 Switch Config Vlan100 exit Switch config interface ethernet 1 11 Switch Config If Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11 gvrp Switch Config If Ethernet1 11...

Страница 151: ...The configuration is based on MAC address acquiring a mechanism in which every voice equipment transmitting information through the network has got its unique MAC address VLAN will trace the address...

Страница 152: ...on Port mode switchport voice vlan enable Enable disable the Voice VLAN function on the port no switchport voice vlan enable 23 3 Typical Applications of the Voice VLAN Scenario A company realizes voi...

Страница 153: ...onfig If Ethernet1 0 10 exit switch Config interface ethernet 1 0 1 switch Config If Ethernet1 0 1 switchport mode hybrid switch Config If Ethernet1 0 1 switchport hybrid allowed vlan 100 untag switch...

Страница 154: ...be forwarded for a long time the entry will be deleted from the switch MAC table There are two MAC table operations 1 Obtain a MAC address 2 Forward or filter data frame according to the MAC table 24...

Страница 155: ...and port 1 12 is added to the MAC table 4 Now the MAC table has two dynamic entries MAC address 00 01 11 11 11 11 port 1 5 and 00 01 33 33 33 33 port1 12 5 After the communication between PC1 and PC3...

Страница 156: ...cast frames in all ports but forward the frames in all ports in the same VLAN Multicast frame For the unknown multicast the switch will broadcast it in the same vlan but the switch only forwards the m...

Страница 157: ...Admin Mode clear mac address table dynamic address mac addr vlan vlan id interface ethernet portchan nel interface name Clear the dynamic address table 24 3 Typical Configuration Examples Switch A PC1...

Страница 158: ...MAC address If not the problems mentioned above please check for the switch portand contact technical support for solution 24 5 MAC Address Function Extension 24 5 1 MAC Address Binding Introduction...

Страница 159: ...port 2 Lock the MAC addresses for a port Command Explanation Port Mode switchport port security lock no switchport port security lock Lock the port then MAC addresses learned will be disabled The no...

Страница 160: ...stem will report this monitored event the no command will cancel this function mac address table periodic monitor time 5 86400 Set the MAC monitor interval to count the added and deleted MAC in time a...

Страница 161: ...l MAC notification 3 Configure the interval for sending MAC notification 4 Configure the size of history table 5 Configure the trap type of MAC notification supported by the port 6 Show the configurat...

Страница 162: ...ed both removed no mac notification Configure or cancel the trap type of MAC notification sup ported by the port 6 Show the configuration and the data of MAC notification Command Explanation Admin mod...

Страница 163: ...address table notification interval 5 Switch config mac address table notification history size 100 Switch Config If Ethernet1 4 mac notification both 24 6 4 MAC Notification Troubleshooting Check whe...

Страница 164: ...SNR S2940 8G v2 Switch Configuration Guide Part IV MSTP Configuration 164...

Страница 165: ...ources and reduces the bandwidth consumption 25 1 1 MSTP Region Because multiple VLANs can be mapped to a single spanning tree instance IEEE 802 1s com mittee raises the MST concept The MST is used to...

Страница 166: ...r all of them If the bridge receives superior MST root information lower bridge ID lower path cost and so forth than currently stored for the port it relinquishes its claim as the IST master Within a...

Страница 167: ...such as bridge priority and port cost etc Consequently the VLANs in different instances have their own paths The traffic of the VLANs are load balanced 25 2 MSTP Configuration Task List MSTP configura...

Страница 168: ...ot guard Configure currently port whether running root guard in specified instance configure the root guard port can t turn to root port spanning tree rootguard no spanning tree rootguard Configure cu...

Страница 169: ...igure the fast migrate feature for MSTP Command Explanation Port Mode spanning tree link type p2p auto force true force false no spanning tree link type Set the port link type spanning tree portfast b...

Страница 170: ...ng no spanning tree digest snooping Set the port to use the authentication string of partner port The no command restores to use the generated string 9 Configure the FLUSH mode once topology changes C...

Страница 171: ...t configuration for switches is listed below Bridge Name SW1 SW2 SW3 SW4 Bridge MAC 00 00 01 00 00 02 00 00 03 00 00 04 Bridge Priority 32768 32768 32768 32768 Port Priority port 1 128 128 128 port 2...

Страница 172: ...Switch3 as 0 Set the bridge priority of Instance 4 in Switch4 as 0 The detailed configuration is listed below Switch2 Switch2 config vlan 20 Switch2 Config Vlan20 exit Switch2 config vlan 30 Switch2...

Страница 173: ...terface e1 0 1 7 Switch4 Config Port Range switchport mode trunk Switch4 Config Port Range exit Switch4 config spanning tree Switch4 config spanning tree mst 4 priority 0 After the above configuration...

Страница 174: ...onfiguration SW3 SW1 SW4 SW2 5X 4 5 3 4 2 1X 1 2 1 2 6X 7X 6 7 3X Figure 25 3 The Topology Of the Instance 0 after the MSTP Calculation SW3 SW4 SW2 5X 4X 5 3 4 2 2 6 7X 6 7 3X Figure 25 4 The Topology...

Страница 175: ...enabled globally it can t be enabled on the port The MSTP parameters co work with each other so the parameters should meet the following conditions Otherwise the MSTP may work incorrectly 2 x Bridge_...

Страница 176: ...SNR S2940 8G v2 Switch Configuration Guide Part V QoS and Flow based Redirection Configuration 176...

Страница 177: ...ccording to the application requirement and network management QoS Domain QoS Domain supports QoS devices to form a net topology that provides Quality of Service so this topology is defined as QoS Dom...

Страница 178: ...ets according to the policing policies Scheduling QoS egress action Configure the weight for eight egress queues WRR Weighted Round Robin In Profile Traffic within the QoS policing policy range bandwi...

Страница 179: ...d to end QoS solution can be created QoS configuration is flexible the complexity or simplicity depends on the network topology and devices and analysis to incoming outgoing traffic 26 1 3 Basic QoS M...

Страница 180: ...traffic according to packet classification information and generate in ternal priority and drop precedence based the classification information For different packet types and switch configurations cla...

Страница 181: ...flow to configure different policies that allocate band width to classified traffic the assigned bandwidth policy may be dual bucket dual color or dual bucket three color The traffic will be assigned...

Страница 182: ...e for the egress packets the queuing operation assigns the packets to different priority queues according to the internal priority while the scheduling operation perform the packet forwarding accordin...

Страница 183: ...policy may be bound to the specific VLAN It is not recommended to synchronously use policy map on VLAN and its port 4 Configure queue management algorithm Configure queue management algorithm such as...

Страница 184: ...CTION violate action ACTION ACTION definition drop transmit set dscp transmit dscp_value set prec transmit ip_precedence_value set cos transmit cos_value set internal priority inp_value set Drop Prece...

Страница 185: ...the port Egress policy map is not supported yet Global Mode service policy input policy map name vlan vlan list no service policy input policy map name vlan vlan list Apply a policy map to the specifi...

Страница 186: ...ll policy map 7 Show configuration of QoS Command Explanation Admin Mode show mls qos maps cos dp dscp dscp dscp intp dscp dp intp dscp Display the configuration of QoS mapping show class map class ma...

Страница 187: ...Configuration result An ACL name 1 is set to matching segment 192 168 1 0 Enable QoS globally create a class map named c1 matching ACL1 in class map create another policy map named p1 and refer to c1...

Страница 188: ...be used with other trust or Policy Map trust dscp can be used with other trust or Policy Map This configuration takes effect to IPv4 and IPv6 packets trust exp trust dscp and trust cos may be configur...

Страница 189: ...COS to Int Prio COS to Drop Prec conversion according to the packet COS value 5 Set the packet COS eld equals Int Prio DSCP to DSCP DSCP to Int Prio DSCP to Drop Prec conversion according to the pack...

Страница 190: ...ction accordng to the policy Select one or several options of the following Set COS Set L2 COS eld of the packet Set Int Prio Set internal priority of the packet Set Drop Prec Set drop precedence of t...

Страница 191: ...op priority and the egress queue Place packet into speci ed queue and forward according to the weight priority of the queues Enter the policing ow N Y Remark EXP eld of the packet according to Int Pri...

Страница 192: ...SNR S2940 8G v2 Switch Configuration Guide QoS Configuration Server Switch3 Switch2 Switch1 QoS Area Trunk Figure 26 8 Typical QoS topology 192...

Страница 193: ...network and diagnose the problems in the network 2 Special transmission policy for a special type of data frames The switch can only designate a single destination port of redirection for a same clas...

Страница 194: ...ource IP is 192 168 1 111 2 Apply the redirection based on this flow to port 1 The following is the configuration procedure Switch config access list 1 permit host 192 168 1 111 Switch config interfac...

Страница 195: ...ority of flexible QinQ is higher than basic QinQ 28 1 2 Basic QinQ Basic QinQ based the port After a port configures QinQ whether the received packet with tag or not the device still packs the default...

Страница 196: ...as sify data flow by ACL CoS VLAN ID IPv4 Precedent or DSCP etc for the class map the no command deletes the speci fied match standard 2 Configure policy map of flexible QinQ Command Explanation Globa...

Страница 197: ...onfiguration on the port 28 3 Flexible QinQ Troubleshooting If flexible QinQ policy can not be bound to the port please check whether the problem is caused by the following reasons Make sure flexible...

Страница 198: ...SNR S2940 8G v2 Switch Configuration Guide Part VI L3 Forward and ARP Configuration 198...

Страница 199: ...contain one or more layer 2 ports which belong to the same VLAN or contain no layer 2 ports At least one of the Layer 2 ports contained in Layer 3 interface should be in UP state for Layer 3 interface...

Страница 200: ...s Service Information Terminal which make use of Internet which require IP addresses the supply of IP addresses turns out to be more and more tense People have been working on the problem of shortage...

Страница 201: ...ant Unlike IPv4 the mobility of IPv6 is from embedded automatic configuration to get transmission address Care Of Address therefore it doesn t need Foreign Agent Furthermore this kind of binding proce...

Страница 202: ...re interface IPv6 address b Configure default gateway 2 IPv6 Neighbor Discovery Configuration a Configure DAD neighbor solicitation message number b Configure send neighbor solicitation message interv...

Страница 203: ...terface interface type interface name Set static neighbor table entries including neigh bor IPv6 address MAC address and two layer port no ipv6 neighbor ipv6 address Delete neighbor table entries d De...

Страница 204: ...0 too If the route table does not have the destination of a packet and has no default route configured the packet will be discarded and an ICMP packet will be sent to the source address indicate the...

Страница 205: ...iguration of layer3 SwitchA Switch config Switch config ip route 10 1 5 0 255 255 255 0 10 1 2 2 Configuration of layer3 SwitchC Switch config Next hop use the partner IP address Switch config ip rout...

Страница 206: ...e arp ip_address mac_address interface ethernet portName no arp ip_address Configures a static ARP entry the no com mand deletes a ARP entry of the specified IP address 29 4 3 ARP Troubleshooting If p...

Страница 207: ...any host or port with ARP scanning features is found in the segment the switch will cut off the attack source to ensure the security of the network There are two methods to prevent ARP scanning port...

Страница 208: ...of the port based ARP Scanning Prevention anti arpscan ip based threshold threshold value no anti arpscan ip based threshold Set the threshold of the IP based ARP Scanning Prevention 3 Configure trust...

Страница 209: ...disable the debug switch of ARP scan ning prevention 30 3 ARP Scanning Prevention Typical Examples PC Switch2 Switch1 Server PC E1 0 1 E1 0 19 E1 0 2 Figure 30 1 ARP scanning prevention typical config...

Страница 210: ...g If Ethernet1 0 19 exit SWITCH B configuration task sequence SwitchB config anti arpscan enable SwitchB config interface ethernet1 0 1 SwitchB Config If Ethernet1 0 1 anti arpscan trust port SwitchB...

Страница 211: ...ame network even if are connected by the switches it sends an ARP reply packet to two hosts separately and make them misunderstand MAC address of the other side as the hacker host MAC address In this...

Страница 212: ...tic learning function of ARP Thus it prevents ARP spoofing and attack to a great extent 31 2 Prevent ARP Spoofing configuration The steps of preventing ARP spoofing configuration as below 1 Disable AR...

Страница 213: ...rce address and destination address the mutual communicated data between B and C are received by A unconsciously Be cause the ARP list is update timely another task for A is to continuously send ARP r...

Страница 214: ...dress of PC2 is mapped to an illegal MAC address which will prevent PC2 from receiving the messages to it Particularly if the attacker pretends to be the gateway and do ARP cheating the whole network...

Страница 215: ...REE RESOURCE related accessing scheme Please refer to relative documents for details 32 2 ARP Guard Configuration Task List 1 Configure the protected IP address Command Explanation Port configuration...

Страница 216: ...the MAC address of the gateway If the switch advertises gratuitous ARP requests the host will not have to send these requests This will reduce the frequency the host s sending ARP requests for the ga...

Страница 217: ...92 168 14 254 its network address mask is 255 255 255 0 Two PCs PC1 and PC2 are con nected to this interface Gratuitous ARP can be enabled through the following configuration 1 Configure two interface...

Страница 218: ...SNR S2940 8G v2 Switch Configuration Guide Part VII DHCP Configuration 218...

Страница 219: ...s when the user of an IP leaves the network that IP can be assigned to another user DHCP is a client server protocol the DHCP client requests the network address and configura tion parameters from the...

Страница 220: ...tions between dynamic IP address allocation and manual IP address binding are 1 IP address obtained dynamically can be different every time manually bound IP address will be the same all the time 2 Th...

Страница 221: ...dress8 no netbios name server Configure the address for WINS server The no oper ation cancels the address for server netbios node type b node h node m node p node type number no netbios node type Conf...

Страница 222: ...que ID of the user when binding address manually 3 Enable logging for address conflicts Command Explanation Global Mode ip dhcp conflict logging no ip dhcp conflict logging Enable disable logging for...

Страница 223: ...HCP Relay Configuration Task List 1 Enable DHCP relay 2 Configure DHCP relay to forward DHCP broadcast packet 3 Configure share vlan 1 Enable DHCP relay Command Explanation Global Mode service dhcp no...

Страница 224: ...node type H node Lease 3 days Lease 1day In location A a machine with MAC address 00 03 22 23 dc ab is assigned with a fixed IP address of 10 16 1 210 and named as management Switch config service dh...

Страница 225: ...ty between the client gateway and the switch must be ensured for the client to get an IP address from the 10 16 2 0 24 address pool Scenario 2 DHCP Server 10 1 1 10 DHCP Relay E1 0 2 10 1 1 1 E1 0 1 1...

Страница 226: ...Ethernet1 0 2 switchport mode trunk switch config service dhcp switch config ip forward protocol udp bootps switch config ip dhcp relay information option switch config ip dhcp relay share vlan 1 sub...

Страница 227: ...auto address configuration in non state DHCPv6 can provide extend function of DHCPv6 prefix delegation upstream route can assign address prefix to downstream route automatically that achieve the IPv6...

Страница 228: ...e been implemented on the switch When the DHCPv6 relay receives any messages from the DHCPv6 client it will encapsulate the request in a Relay forward packet and deliver it to the next DHCPv6 relay or...

Страница 229: ...the range of IPv6 address assignable of ad dress pool dns server ipv6 address no dns server ipv6 address To configure DNS server address for DHCPv6 client domain name domain name no domain name domain...

Страница 230: ...face name vlan 1 4096 no ipv6 dhcp relay destina tion ipv6 address interface interface name vlan 1 4096 To specify the destination address of DHCPv6 relay trans mit The no form of this command delete...

Страница 231: ...pool poolname To configure DHCPv6 address pool b To configure prefix delegation pool used by DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode prefix delegation pool pool...

Страница 232: ...server poolname To enable DHCPv6 server function on specified port and binding used DHCPv6 address pool 35 5 DHCPv6 Prefix Delegation Client Configuration DHCPv6 prefix delegation client configuratio...

Страница 233: ...nfiguration Example Usage guide Switch3 configuration Switch3 config service dhcpv6 Switch3 config ipv6 dhcp pool EDP Switch3 dhcpv6 EDP config network address 2001 da8 100 1 1 2001 da8 100 1 100 Swit...

Страница 234: ...verify the router responsible for DHCPv6 packet forwarding has DHCPv6 relay function If DHCPv6 relay is not available for the intermediate router it is recommended to replace the router or upgrade its...

Страница 235: ...n 82 and defend against them DHCP Relay Agent will peel the option 82 from the reply messages it receives and forward the reply message to the specified port of the network access device according to...

Страница 236: ...t have option 82 2 DHCP Relay Agent will add the option 82 to the end of the request message it receives then relay and forward the message to the DHCP server By default the sub option 1 of option 82...

Страница 237: ...f the system for the received DHCP request message which con tains option 82 The drop mode means that if the message has option82 then the system will drop it without process ing keep mode means that...

Страница 238: ...n 82 4 Configure DHCP option 82 default format of Relay Agent Command Explanation Global Mode ip dhcp relay information option subscriber id format hex acsii vs hp Set subscriber id format of Relay Ag...

Страница 239: ...the state information of the DHCP option 82 in the system including option82 enabling switch the interface retransmitting policy the circuit ID mode and the DHCP server option82 enabling switch debug...

Страница 240: ...ch3 Config interface vlan 3 Switch3 Config if vlan3 ip address 192 168 10 222 255 255 255 0 Switch3 Config interface vlan 2 Switch3 Config if vlan2 ip address 192 168 102 2 255 255 255 0 Switch3 Confi...

Страница 241: ...rrectly depending on the network topology of the DHCP Relay Agent or even the Relay Agent can operate normally the allocation of addresses will fail When there is more than one kind of Relay Agent ple...

Страница 242: ...rn option 43 to DHCP client 2 Address pool only configured option 43 it will match with any option 60 If the received DHCP packet with option 60 from DHCP client DHCP client will receive the option 43...

Страница 243: ...discovery request for wireless controller DHCP server configures option 60 matched with the option 60 of fit ap to return option 43 attribute to FTP AP The wireless controller addresses of DHCP option...

Страница 244: ...gal DHCPv6 client to trigger deny service attack through using MAC address of other legal clients Therefore IETF set rfc4649 and rfc4580 i e DHCPv6 option 37 and option 38 to solve these problems DHCP...

Страница 245: ...with option 37 keep the system keeps option 37 unchanged and forwards the packet to the server replace the system replaces option 37 of current packet with its own before forwarding it to the server...

Страница 246: ...elay option basic functions configuration Command Explanation Global mode ipv6 dhcp relay remote id option no ipv6 dhcp relay remote id op tion This command enables the switch relay to support option...

Страница 247: ...of DHCPv6 class during address assignment the no form of this command disables it without removing the relative DHCPv6 class information that has been configured ipv6 dhcp class class name no ipv6 dh...

Страница 248: ...assignment policies CLASS of which CLASS1 matches option 38 CLASS2 matches option 37 and CLASS3 matches option 37 and option 38 In the address pool EDP the requests matched with CLASS1 CLASS2 and CLA...

Страница 249: ...onfig exit SwitchB config ipv6 dhcp class CLASS3 SwitchB dhcpv6 class class3 config remote id f8 f0 82 00 00 01 subscriber id vlan1 Ethernet1 0 3 SwitchB dhcpv6 class class3 config exit SwitchB config...

Страница 250: ...scriber id option S2 config vlan 10 S2 config vlan10 int vlan 10 S2 config if vlan10 ipv6 address 2001 da8 1 2 64 S2 config if vlan10 ipv6 dhcp relay destination 2001 da8 10 1 1 S2 config if vlan10 ex...

Страница 251: ...Server reply pack ets including DHCPOFFER DHCPACK and DHCPNAK it will alarm and respond according to the situation shutdown the port or send Black hole Defense against DHCP over load attacks To avoid...

Страница 252: ...Snooping 2 Enable DHCP Snooping binding function 3 Enable DHCP Snooping binding ARP function 4 Enable DHCP Snooping option82 function 5 Set the private packet version 6 Set DES encrypted key for priv...

Страница 253: ...able Enable disable DHCP Snooping option 82 func tion 5 Set the private packet version Command Explanation Global mode ip user private packet version two no ip user private packet version two To confi...

Страница 254: ...dress ipAddr interface ethernet ifname no ip dhcp snooping binding user mac inter face ethernet ifname Add delete DHCP snooping static binding list entries 12 Set defense actions Command Explanation P...

Страница 255: ...ping information option self defined remote id format ascii hex Set self defined format of remote id for snooping option82 ip dhcp snooping information option self defined subscriber id vlan port id s...

Страница 256: ...on sequence is switch config ip dhcp snooping enable switch config interface ethernet 1 0 11 switch Config Ethernet1 0 11 ip dhcp snooping trust switch Config Ethernet1 0 11 exit switch config interfa...

Страница 257: ...SNR S2940 8G v2 Switch Configuration Guide Part VIII Multicast Protocol 257...

Страница 258: ...urthermore Broadcast mode goes against the security and secrecy The emergence of IP Multicast technology solved this problem in time The Multicast source only sends out the message once Multicast Rout...

Страница 259: ...which are not kept for use by Permanent Multicast Group can be utilized by temporary Multicast groups 224 0 0 0 224 0 0 255 are reserved Multicast addresses Permanent Group Address ad dress 224 0 0 0...

Страница 260: ...e shortest path from receipt site to source address If shortest path Tree is used then the source address is the address of source host which sends Multicast Data Packets if Shared Tree is used then t...

Страница 261: ...ss transmitting packets The Service Oriented Priority Strategy Multicast of Security Controllable technology adopts the following mode for multicast data in limit range set the priority specified by t...

Страница 262: ...configuration destination control configuration also has three steps First enable destination control globally Since destination control need to prevent unautho rized user from receiving multicast da...

Страница 263: ...data to achieve and guarantee the effects the specific user requires It is noticeable that multicast data can not get a special care all along unless the data are transmitted at TRUNK port The configu...

Страница 264: ...ity of value 4 Usually this is pretty higher the higher possible one is protocol data if higher priority is set when there is too many multicast data it might cause abnormal behavior of the switch pro...

Страница 265: ...i fied VLAN ip igmp snooping proxy no ip igmp snooping proxy Enable IGMP Snooping proxy function the no command disables the function ip igmp snooping vlan vlan id limit group g_limit source s_limit n...

Страница 266: ...nable the IGMP fast leave function for the specified VLAN the no ip igmp snooping vlan vlan id immediate leave command disables the IGMP fast leave function ip igmp snooping vlan vlan id query mrsp va...

Страница 267: ...he switch or in the VLANs If IGMP Snooping should be enabled in VLAN 100 the IGMP Snooping should be first enabled for the switch in Global Mode and in VLAN 100 and set port 1 of VLAN 100 to be the mr...

Страница 268: ...nooping SwitchA config ip igmp snooping vlan 60 SwitchA config ip igmp snooping vlan 60 L2 general querier SwitchB config SwitchB config ip igmp snooping SwitchB config ip igmp snooping vlan 100 Switc...

Страница 269: ...This ensures the IGMP snooping can work in cooperation with the layer 3 multicast protocols 40 3 4 IGMP Snooping Troubleshooting On IGMP Snooping function configuration and usage IGMP Snooping might n...

Страница 270: ...t address it will send a MLD Multicast listener Report back through the multicast address MLD Snooping is namely the MLD listening The switch restricts the multicast traffic from flooding through MLD...

Страница 271: ...id mrouter port learnpim6 Enable the function that the specified VLAN learns mrouter port according to pimv6 pack ets the no command will disable the function ipv6 mld snooping vlan vlan id mrpt value...

Страница 272: ...le the multicast router on port 1 Suppose we need MLD Snooping on VLAN 100 however by default the global MLD Snooping as well as the MLD Snooping on each VLAN are therefore first we have to enable the...

Страница 273: ...ing Group 1 Group 1 Group 1 Group 2 Group 1 Group 2 Mrouter port Multicast Router Figure 41 2 Switch as MLD Querier Function figure Configuration of switch B is the same as the switches in case 1 and...

Страница 274: ...physical connection failure wrong configuration etc The user should ensure the following Ensure the physical connection is correct Ensure the MLD Snooping is enabled under global mode using ipv6 mld s...

Страница 275: ...ast traffic will be continuously sent to the users 42 2 Multicast VLAN Configuration Task List 1 Enable the multicast VLAN function 2 Configure the IGMP Snooping 1 Enable the multicast VLAN function C...

Страница 276: ...0 of the switch The layer 3 switch switchA is connected with layer 2 switches through the port1 0 10 which configured as trunk port On the switchB the VLAN100 is configured set to contain port1 0 15 a...

Страница 277: ...interface ethernet 1 0 20 SwitchB config If Ethernet switchport access vlan 101 SwitchB config If Ethernet exit SwitchB config interface ethernet 1 0 15 SwitchB config If Ethernet switchport access vl...

Страница 278: ...SNR S2940 8G v2 Switch Configuration Guide Part IX Security Function Configuration 278...

Страница 279: ...ion included in a rule is the effective combination of conditions such as source IP destination IP IP protocol number and TCP port UDP port Access lists can be categorized by the following criteria Fi...

Страница 280: ...ccess list based on nomenclature i Create a standard IP access list based on nomenclature ii Specify multiple permit or deny rule entries iii Exit ACL Configuration Mode d Configuring an extended IP a...

Страница 281: ...direction of the specified port 5 Clear the filtering information of the specified port 1 Configuring access list a Configuring a numbered standard IP access list Command Explanation Global Mode acces...

Страница 282: ...sPortMax dIpAddr dMask any destination host destination dIpAddr d port dPort range dPortMin dPort Max precedence prec tos tos time range time range name Creates a numbered UDP extended IP access rule...

Страница 283: ...xtended name Creates an extended IP access list bas ing on nomenclature the no ip access list extended name command deletes the name based extended IP access list ii Specify multiple permit or deny ru...

Страница 284: ...no form command deletes this name based extended IP access rule no deny permit eigrp gre igrp ipinip ip ospf protocol num sIpAddr sMask any source host source sIpAddr dIpAddr dMask any destination ho...

Страница 285: ...st extended name no mac access list extended name Creates an extended name based MAC ac cess rule for other IP protocols the no form command deletes this name based extended MAC access rule ii Specify...

Страница 286: ...m command deletes this name based extended MAC access rule no deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask tagg...

Страница 287: ...es not exist then an access list will be created using this number access list num deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dma...

Страница 288: ...rule the no form command deletes this name based extended MAC ICMP access rule no deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dma...

Страница 289: ...ac mask eigrp gre igrp ip ipinip ospf protocol num source source wildcard any source host source source host ip destination destination wildcard any destination host destination destination host ip pr...

Страница 290: ...rtMin dPortMax dscp dscp flow label flowlabel time range time range name ipv6 access list num ext deny permit next header sIPv6Prefix sPrefixlen any source host source sIPv6Addr dIPv6Prefix dPrefixlen...

Страница 291: ...p code dscp dscp flow label flowlabel time range time range name Creates an extended name based ICMP IPv6 access rule the no form command deletes this name based extended IPv6 ac cess rule no deny per...

Страница 292: ...rule the no form command deletes this name based extended IPv6 access rule iii Exit extended IPv6 ACL configuration mode Command Explanation Extended IPv6 ACL Mode exit Exits extended name based IPv6...

Страница 293: ...ange in the week c Configure absolute time range Command Explanation Global Mode absolute start start_time start_data end end_time end_data Configure absolute time range no absolute start start_time s...

Страница 294: ...access group 110 in Switch Config If Ethernet1 0 10 exit Switch config exit Configuration result Switch show firewall Firewall status enable Firewall Default Rule Permit Switch show access lists acces...

Страница 295: ...11 23 00 00 00 00 00 00 ff ff any destination mac Switch show access group interface ethernet 1 0 10 interface name Ethernet1 0 10 MAC Ingress access list used is 1100 traffic statistics Disable Scen...

Страница 296: ...ernet1 0 10 MAC IP Ingress access list used is 3110 traffic statistics Disable Scenario 4 The configuration requirement is stated as below IPv6 protocol runs on the interface 600 of the switch And the...

Страница 297: ...ram filtering 3 Bind the ACL to the related interface The configuration steps are listed as below Switch config firewall enable Switch config vlan 100 Switch Config Vlan100 switchport interface ethern...

Страница 298: ...configured through physical interface mode ACL configured in the physical mode can only be disabled in the physical mode Those con figured in the VLAN interface configuration mode can only be disable...

Страница 299: ...each of them can specify a start offset position L2 end of tag start of L3 header start of L4 header Each window can specify offset its value from 0 to 31 unit is 2Bytes namely 0 means 0Bytes offset...

Страница 300: ...ndard Self defined ACL Standard self defined ACL can configure multi ACL lists and each of them can configure multi rules One rule can configure value and mask for 11 windows at most The length of eve...

Страница 301: ...e a standard self defined ACL template If the template exists the corresponding window of the template can be mod ified the no command deletes the window of the standard self defined ACL template If t...

Страница 302: ...eletes a numbered standard self defined ACL b Configure extended user defined ACL Command Explanation Global Mode userdefined access list extended num deny permit untagged eth2 tagged eth2 cos value m...

Страница 303: ...ted below Switch config userdefined access list extended offset swindow1 l3start 4 swindow2 l4start 1 lwindow1 l3start 3 Switch config userdefined access list extended 1300 deny untagged eth2 swindow1...

Страница 304: ...config userdefined access list standard 1200 deny 00 12 11 23 00 00 00 00 00 00 ff ff any destination mac tagged 802 3 window1 0A01 FFFF window2 0100 FF00 Switch config firewall enable Switch config v...

Страница 305: ...ntrol This standard has been widely used in wireless LAN and ethernet Port Based Network Access Control means to authenticate and control the user devices on the level of ports of LAN access devices O...

Страница 306: ...n information to the authenticator system It can also send authentication request and off line request to authenticator The PAE of the authenticator system authenticates the supplicant systems needing...

Страница 307: ...uthenticator system and the RADIUS server there are two meth ods to exchange information one method is that EAP messages adopt EAPOR EAP over RADIUS encapsulation format in RADIUS protocol the other i...

Страница 308: ...apsulate the relative information of network management such as all kinds of alerting information terminated by terminal devices Length represents the length of the data that is the length of the Pack...

Страница 309: ...icator Please refer to the Introduction of RADIUS protocol in AAA RADIUS HWTACACS operation to check the format of RADIUS messages 1 EAP Message As illustrated in the next figure this attribute is use...

Страница 310: ...er high level protocols such as EAP over RADIUS making sure that extended authentication protocol messages can reach the authentication server through complicated networks In general EAP relay require...

Страница 311: ...on EAP and TLS protocols It uses PKI to protect the id authentication between the supplicant system and the RADIUS server and the dynamically generated session keys requiring both the supplicant syst...

Страница 312: ...P and MS CHAPV2 can be transmitted within TTLS tunnels 4 PEAP Authentication Method EAP PEAP is brought up by Cisco Microsoft and RAS Security as a recommended open stan dard It has long been utilized...

Страница 313: ...cess Challenge EAP Response EAP TLS TLS change_cipher_spec TLS finished Figure 45 10 the Authentication Flow of 802 1x EAP TLS 45 1 6 The Extension and Optimization of 802 1x Besides supporting the po...

Страница 314: ...particular users of the port can access limited resources before being authenticated Once those users pass the authentication they can access all resources Attention when using private supplicant sys...

Страница 315: ...and join Auto VLAN Auto VLAN won t change or affect the port s configuration But the priority of Auto VLAN is higher than that of the user set VLAN that is Auto VLAN is the one takes effect when the...

Страница 316: ...becomes offline the port will be allocated to the specified Guest VLAN again 45 2 802 1x Configuration Task List 802 1x Configuration Task List 1 Enable IEEE 802 1x function 2 Access management unit p...

Страница 317: ...t only used when the access control mode of the port is userbased the no command is used to reset the limit to 10 by default dot1x guest vlan vlanID no dot1x guest vlan Set the guest vlan of the speci...

Страница 318: ...ion on no supplicant response the no command restores the default set ting dot1x re authentication no dot1x re authentication Enables periodical supplicant authentica tion the no command disables this...

Страница 319: ...update supplicant system software Ethernet1 0 6 the port used by the switch to access the Internet is in VLAN5 As illustrated in the up figure on the switch port Ethernet1 0 2 the 802 1x feature is e...

Страница 320: ...h Config If Ethernet1 0 2 switch port mode access Set the access control mode on the port as portbased Switch Config If Ethernet1 0 2 dot1x port method portbased Set the access control mode on the por...

Страница 321: ...adius Server 10 1 1 3 Figure 45 16 IEEE 802 1x Configuration Example Topology The PC is connecting to port 1 0 2 of the switch IEEE 802 1x authentication is enabled on port1 0 2 the access mode is the...

Страница 322: ...he interface 1 0 2 of the switch and enable IEEE802 1x on inter face1 0 2 Use MAC based authentication Configure the IP address of the switch as 2004 1 2 3 2 and connect the switch with any interface...

Страница 323: ...e 802 1x authentication the above functions must be disabled If the switch is configured properly but still cannot pass through authentication connectivity between the switch and RADIUS server the swi...

Страница 324: ...switch will delete it from the MAC address list Usually the switch supports both the static configuration and dynamic study of MAC address which means each port can have more than one static set MAC...

Страница 325: ...ing the number of MAC ARP and ND of interfaces 1 Limiting the number of dynamic MAC If the number of dynamically learnt MAC address by the VLAN of the switch is already larger than or equal with the m...

Страница 326: ...P in the VLAN ipv6 nd dynamic maximum value no ipv6 nd dynamic maximum Enable and disable the number limitation function of NEIGHBOR in the VLAN 3 Configure the timeout value of querying dynamic MAC C...

Страница 327: ...arp count no debug ip arp count All kinds of debug information when limiting the num ber of ARP in VLAN debug ipv6 nd count no debug ipv6 nd count All kinds of debug information when limiting the num...

Страница 328: ...shooting Help The number limitation function of MAC and IP in Port VLAN is disabled by default if users need to limit the number of user accessing the network they can enable it If the number limitati...

Страница 329: ...P of the host into forwarding IP and hence enable the messages from the host to be forwarded by the switch Given the fact that MAC IP can be exclusively bound with a host it is necessary to make MAC I...

Страница 330: ...m ip pool ip address num no am ip pool ip address num Configure the forwarding IP of the port 4 Configure the forwarding MAC IP Command Explanation Port Mode am mac ip pool mac address ip address no a...

Страница 331: ...packets from other users According to the requirements mentioned above the switch can be configured as follows Switch config am enable Switch config interface ethernet1 0 1 Switch Config If Ethernet...

Страница 332: ...attacks such as DoS The protocol check allows the user to drop matched packets based on specified conditions The security features provide several simple and effective protections against Dos attacks...

Страница 333: ...fragment attack function dosattack check tcp header size Configure the minimum permitted TCP head length of the packet This command has no effect when used separately the user should enable the dosat...

Страница 334: ...hose source port is equal to the destination port Only the ping command with defaulted options is allowed within the IPv4 network namely the ICMP request packet can not be fragmented and its net lengt...

Страница 335: ...otocol is of a more reliable transmission and encryption characteristics and is more adapted to security control According to the characteristics of the TACACS Version 1 78 we provide TACACS authen ti...

Страница 336: ...igure the authentication timeout for the TACACS server the no tacacs server timeout command re stores the default configuration 4 Configure the IP address of the TACACS NAS Command Explanation Global...

Страница 337: ...4 TACACS Troubleshooting In configuring and using TACACS the TACACS may fail to authentication due to reasons such as physical connection failure or wrong configurations The user should ensure the fo...

Страница 338: ...have and the accounting for the network resource RADIUS Remote Authentication Dial in User Service is a kind of distributed and client server protocol for information exchange The RADIUS client is us...

Страница 339: ...alue fields Type field 1 octet the type of the attribute value which is shown as below Property Type of property Property Type of property 1 User Name 23 Framed IPX Network 2 User Password 24 State 3...

Страница 340: ...a accounting enable no aaa accounting enable To enable AAA accounting The no form of this com mand will disable AAA accounting aaa accounting update enable dis able Enable or disable the update accoun...

Страница 341: ...erver The no form of this command will restore the default configuration radius server accounting interim update timeout seconds no radius server accounting interim update timeout To configure the upd...

Страница 342: ...uration A computer connects to a switch of which the IP address is 2004 1 2 3 2 and connected with a RADIUS authentication server without Ethernet1 0 2 IP address of the server is 2004 1 2 3 3 and the...

Страница 343: ...RADIUS server physical connection Second all interface and link protocols are in the UP state use show interface command Then ensure the RADIUS key configured on the switch is in accordance with the...

Страница 344: ...the server sides and optional client SSL protocols must build on reliable transport layer such as TCP SSL protocols are independent for application layer Some protocols such as HTTP FTP TELNET and so...

Страница 345: ...SSL software under Linux which may not be recognized by the web browser With regard to the switch application it is not necessary to apply for a formal SSL certification key A private certification k...

Страница 346: ...be configured for users to access the web interface on the switch If the SSL has been configured communication between the client and the switch will be encrypted through SSL for safety Firstly SSL sh...

Страница 347: ...SSL is enabled SSL should be restarted after changes on the port configuration and en cryption configuration IE 7 0 or above should be used for use of des cbc sha If the SSL problems remain unsolved a...

Страница 348: ...ork security Simultaneously the normal users get incorrect address and will not be able to connect to the network So in order to implement the security RA function configuring on the switch ports to r...

Страница 349: ...al user in the graph advertises RA the normal user will receive the RA set the default router as the vicious IPv6 host user and change its own address This will cause the normal user to not be able to...

Страница 350: ...authentication information in the authentication server the matched packets of the port and the source MAC are allowed to pass when the au thentication is successful MAB user didn t need to input the...

Страница 351: ...uest vlan 1 4094 no mac authentication bypass guest vlan Set guest vlan of MAB authentication only Hybrid port uses this command it is not take effect on access port mac authentication bypass binding...

Страница 352: ...cation mab Configure the authentication mode and pri ority of MAC address the no command re stores the default authentication mode 53 3 MAB Example The typical example of MAB authentication function S...

Страница 353: ...g if vlan9 ip address 192 168 61 9 255 255 255 0 Switch config if vlan9 exit Switch config radius server authentication host 192 168 61 10 Switch config radius server accounting host 192 168 61 10 Swi...

Страница 354: ...s any problem happens when using MAB function please check whether the problem is caused by the following reasons Make sure global and port MAB function are enabled Make sure the correct username and...

Страница 355: ...oever the clients or the access device and the network are faced with security problem especially from the client in the current access network Traditional Ethernet user can not be identified traced a...

Страница 356: ...ve Discovery Terminate packet is an especial packet of PPPoE it s Ethernet protocol number 0x8863 is the same as four packets above so it can be considered a packet of discovery stage To stop a PPPoE...

Страница 357: ...the sum of all TLV length TLV type field 2 bytes A TLV frame means a TAG type field means TAG type the table is as follows TLV length field 2 bytes Specify the length of TAG data field TLV data field...

Страница 358: ...ssed by default occupy 6 bytes and use space symbol to compart eth occupies 3 bytes and uses space symbol to compart Slot ID occupies 2 bytes use to compart and occupy 1 byte Port Index occupies 3 byt...

Страница 359: ...e agent type tr 101 circuit id identifier string option delimiter Configure circuit id in added vendor tag pppoe intermediate agent type self defined circuit id vlan port id switch id mac hostname rem...

Страница 360: ...tion Switch config if ethernet1 0 1 pppoe intermediate agent trust Switch config if ethernet1 0 1 pppoe intermediate agent vendor tag strip Step 3 Port ethernet1 0 2 of vlan1 and port ethernet1 0 3 of...

Страница 361: ...iter of Port ID and Vlan ID as Switch config pppoe intermediate agent type tr 101 circuit id identifier string efgh option spv delimiter delimiter Step 6 Configure circuit id value as bbbb on port eth...

Страница 362: ...to communicate with Radius server through logging in authentication client The after 802 1x authentication adds web based authentication mode the user can download a special Java Applet program by bro...

Страница 363: ...nding limit 1 256 no webportal binding limit Configure the max web portal binding num ber allowed by the port 4 Configure HTTP redirection address of web portal authentication Command Explanation Glob...

Страница 364: ...s address and port as RADIUS server s IP and port and enable the accounting function Ethernet 1 0 2 connects to pc1 the port enables web portal authentication and configure the redirection address an...

Страница 365: ...g if ethernet1 0 2 webportal enable Switch config if ethernet1 0 2 ip dhcp snooping binding webportal 55 4 Web Portal Authentication Troubleshooting When using web portal authentication the system wil...

Страница 366: ...ts on egress and ingress direction the packets match the specific rules can be allowed or denied ACL can support IP ACL MAC ACL MAC IP ACL IPv6 ACL Ingress direction of VLAN can bind four kinds of ACL...

Страница 367: ...ation Global mode vacl mac ip access group 3100 3299 WORD in out traffic statistic vlan WORD no vacl mac ip access group 3100 3299 WORD in out vlan WORD Configure or delete MAC IP VLAN ACL 4 Configure...

Страница 368: ...network but can access the inside network with no limitation and apply the policy to Vlan2 Network environment is shown as below PC PC PC PC VLAN1 VLAN2 Figure 56 1 VLAN ACL configuration example Con...

Страница 369: ...to VLAN Switch config vacl ip access group vacl_a in vlan 1 Switch config vacl ip access group vacl_b in vlan 2 56 4 VLAN ACL Troubleshooting When VLAN ACL and Port ACL are configured at the same tim...

Страница 370: ...e address SAVI function includes ND Snooping function DHCPv6 Snooping function and RA Snooping according to the protocol packet type ND Snooping function is used to detect ND protocol packet it sets I...

Страница 371: ...nly slaac only dhcp slaac enable Enable the application scene function for SAVI no command disables the function 3 Configure SAVI binding function Command Explanation Global Mode savi ipv6 check sourc...

Страница 372: ...period to a port after its state from up to down no command restores the default value 8 Enable or disable SAVI prefix check function Command Explanation Global Mode ipv6 cps prefix check enable no ip...

Страница 373: ...nd disables the trust function port is trans lated from trust port into untrust port 14 Enable or disable ND trust of port Command Explanation Port mode ipv6 nd snooping trust no ipv6 nd snooping trus...

Страница 374: ...h1 config savi ipv6 dhcp slaac enable Switch1 config savi check binding probe mode Switch1 config interface ethernet1 0 1 Switch1 config if ethernet1 0 1 ipv6 dhcp snooping trust Switch1 config if eth...

Страница 375: ...inding number exceeds the max binding limit it is recommended to configure the bigger binding limit If node binding can not be set for new user after configure the bigger binding limit please check wh...

Страница 376: ...SNR S2940 8G v2 Switch Configuration Guide Part X Reliability Configuration 376...

Страница 377: ...PP has below characters compare to STP protocol MRPP specifically uses to Ethernet ring topology fast convergence less than 1 s ideally it can reach 100 50 ms 58 1 1 Conception Introduction Switch A S...

Страница 378: ...ernet is in break state the secondary port of primary node releases block state and forwards data packets There are no difference on function between Primary port and secondary port of transfer node T...

Страница 379: ...time The primary releases the secondary port block state and sends LINK DOWN FLUSH_FDB packet to inform all of transfer nodes to refresh own MAC address forward list 3 Ring Restore After the primary n...

Страница 380: ...format no re stores default timer value enable no enable Enable MRPP ring format no disables enabled MRPP ring Port mode mrpp ring ring id primary port no mrpp ring ring id primary port Specify primar...

Страница 381: ...ccurs on using MRPP protocol The multi switch constitutes a single MRPP ring all of the switches only are configured an MRPP ring 4000 thereby constitutes a single MRPP ring In above configuration SWI...

Страница 382: ...2 mrpp ring 4000 secondary port Switch config If Ethernet1 0 2 exit Switch Config SWITCH C configuration Task Sequence Switch Config mrpp enable Switch Config mrpp ring 4000 Switch mrpp ring 4000 con...

Страница 383: ...correct restores the ring and then observes the ring is normal or not The convergence time of MRPP ring net is relative to the response mode of up down If use poll mode the convergence time as hundred...

Страница 384: ...above figure uses the double uplink network this is the typical application scene of ULPP SwitchA goes up to SwitchD through SwitchB and SwitchC port A1 and port A2 are the uplink ports SwitchA confi...

Страница 385: ...ts through the port which is switched to Forwarding state and update MAC address tables and ARP tables of other devices in the network ULPP respectively uses two kinds of flush packets to update the e...

Страница 386: ...an reference instance instance list Configure the protection VLANs the no op eration deletes the protection VLANs flush enable mac flush disable mac Enable or disable sending the flush packets which u...

Страница 387: ...pp error Show the error information of ULPP the no operation disables the showing debug ulpp event no debug ulpp event Show the event information of ULPP the no operation disables the showing 59 3 ULP...

Страница 388: ...oup 1 control vlan 10 Switch ulpp group 1 exit Switch Config interface ethernet 1 0 1 Switch config If Ethernet1 0 1 ulpp group 1 master Switch config If Ethernet1 0 1 exit Switch Config interface Eth...

Страница 389: ...port in group2 The VLANs protected by group1 are 1 100 and by group2 are 101 200 Here both port E1 0 1 and port E1 0 2 at the forwarding state the master port and the slave port mutually backup respec...

Страница 390: ...Config interface ethernet 1 0 1 Switch config If Ethernet1 0 1 switchport mode trunk Switch config If Ethernet1 0 1 ulpp flush enable mac Switch config If Ethernet1 0 1 ulpp flush enable arp SwitchC...

Страница 391: ...he controlled port its state changes along with Up Down of ULSM group and is always the same with ULSM group state ULSM associates with ULPP to enable the downstream device to apperceive the link prob...

Страница 392: ...elating information of ULSM Command Explanation Admin mode show ulsm group group id Show the configuration information of ULSM group debug ulsm event no debug ulsm event Show the event information of...

Страница 393: ...interface Ethernet 1 0 2 Switch config If Ethernet1 0 2 ulpp group 1 slave Switch config If Ethernet1 0 2 exit SwitchB configuration task list Switch Config ulsm group 1 Switch Config interface ethern...

Страница 394: ...eshooting With the normal configuration if the downlink port does not responds the down event of the uplink port please enable the debug function of ULSM copy the debug information of 3 minutes and th...

Страница 395: ...SNR S2940 8G v2 Switch Configuration Guide Part XI Flow Monitor Configuration 395...

Страница 396: ...frames received or by the specified rule of a port to another port The flow mirror will take effect only the specified rule is permit A chassis switch supports at most 4 mirror destination ports each...

Страница 397: ...ace 1 the data frames sent out by interface 9 and received from interface 7 sent and received by CPU and the data frames received by interface 15 and matched by rule 120 The source IP address is 1 2 3...

Страница 398: ...t if yes modify the TRUNK group If the throughput of mirror destination port is smaller than the total throughput of mirror source port s the destination port will not be able to duplicate all source...

Страница 399: ...ata sample includes the IPv4 and IPv6 packets Extensions of other types are not sup ported so far As for non IPv4 and IPv6 packet the unify HEADER mode will be adopted following the requirements in RF...

Страница 400: ...nfigure the length of the packet data head copied in the sFlow data sampling the no form of this command restores to the default value 5 Configure the max data head length of the sFlow packet Command...

Страница 401: ...tchA connected with PC is 192 168 1 100 A loopback interface with the address of 10 1 144 2 is configured on the SwitchA sFlow configuration is as follows Configuration procedure is as follows Switch...

Страница 402: ...re wrong configuration etc The user should ensure the following Ensure the physical connection is correct Guarantee the address of the sFlow analyzer configured under global or port mode is acces sibl...

Страница 403: ...SNR S2940 8G v2 Switch Configuration Guide Part XII Network Time Management Configuration 403...

Страница 404: ...s to provide time synchronization service for other clients in LAN The figure below depicts a NTP SNTP application network topology where SNTP mainly works between second level servers and various ter...

Страница 405: ...the con sistent time For a local system running NTP its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks also can synchronize each...

Страница 406: ...by the NTP client The no operation will can cel the configuration and restore the default value 4 To configure time zone Command Explanation Global mode clock timezone WORD add subtract 0 23 0 59 no c...

Страница 407: ...Explanation Global mode no ntp syn interval 1 3600 un Configure the request packet sending interval of ntp client as 1s 3600s The no command recovers to be the default value of 64s 10 Display informat...

Страница 408: ...not support NTP server at present Switch C Switch config ntp enable Switch config interface vlan 1 Switch Config if Vlan1 ip address 192 168 1 12 255 255 255 0 Switch config interface vlan 2 Switch C...

Страница 409: ...is considered 11 00 am of summer time 65 2 Summer Time Configuration Task Sequence 1 Configure absolute or recurrent time range of summer time Command Explanation Global mode clock summer time word a...

Страница 410: ...le 2 The configuration requirement in the following The summer time from 23 00 on the first Sat urday of April to 00 00 on the last Sunday of October year after year clock offset as 2 hours and summer...

Страница 411: ...SNR S2940 8G v2 Switch Configuration Guide Part XIII Debugging and Diagnosis 411...

Страница 412: ...nd ICMPv6 query packet to the remote equip ment verifying the accessibility between the switch and the remote equipment Options and ex planations of the parameters of the Ping6 command please refer to...

Страница 413: ...very time to discover another router the Traceroute6 repeat this action till certain datagram reaches the destination Traceroute6 Options and explanations of the parameters of the Traceroute6 command...

Страница 414: ...bleshooting Debug commands for their corre sponding protocols will be introduced in the later chapters 66 7 System log 66 7 1 System Log Introduction The system log takes all information output under...

Страница 415: ...use the system log server By configuring the log host on the switch the log can be sent to the log server for future examination Format and Severity of the Log Information The log information format i...

Страница 416: ...on can be save both in SDRAM and the NVRAM if exists besides sent to all terminals To check the log save in SDRAM and the NVRAM we can use the show logging buffered command To clear the log save in NV...

Страница 417: ...ddress of the switch is 100 100 100 1 and the IPv4 address of the remote log server is 100 100 100 5 It is required to send the log information with a severity equal to or higher than warnings to this...

Страница 418: ...after a spec ified period of time usually when updating the switch version The switch can be rebooted after a period of time instead of immediately after its version being updated successfully 67 2 Re...

Страница 419: ...no cpu rx ratelimit total Set the total rate of the CPU receiving packets the no command sets the total rate of the CPU receiving packets to default cpu rx ratelimit queue length queue id qlen value...

Страница 420: ...nd Sent by CPU debug driver receive send interface interface name all protocol protocol type discard all detail Turn on the showing of the CPU receiving or sending packet informations no debug driver...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды