3Com Corporation, 5400 Bayfront Plaza, Santa Clara, California 95052-8145

© 3Com Corporation, 1996. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without permission from 3Com Corporation.
CONTENTS

ABOUT THIS GUIDE
  Introduction 1
  How to Use This Guide 2
  Conventions 3
  Switch 2200 Documentation 4
  Documentation Comments 5

PART I INTRODUCTION

1 SUPERSTACK™ II SWITCH 2200 ADMINISTRATION OVERVIEW
  About Switch 2200 Administration 1-1
  Configuration Tasks 1-1

2 HOW TO USE THE ADMINISTRATION CONSOLE
  Initial User Access 2-1
  Levels of User Access 2-1
  Administer Access Example 2-2
  Write Access Example 2-2
  Read Access Example 2-3
  Using Menus to Perform Tasks 2-3
  Administration Console Menu Structure
  Administration Console Interface Parameters 2-10
  Adjusting the Screen Height 2-10
  Disabling the Reboot and Abort Keys 2-11
  Remote Access Parameters 2-11
  Preventing Disconnections 2-11
  Enabling Timeout of Remote Sessions 2-12
  Setting Timeout Interval for Remote Sessions 2-13
  Running Scripts of Administration Console Tasks 2-13
  Getting Help in the Administration Console 2-16
  Online Help 2-16
  Viewing More Levels of Menu Options 2-16
  Exiting the Administration Console 2-17

PART II SYSTEM-LEVEL FUNCTIONS

3 CON
  Setting Up SNMP on Your System 3-15
  Displaying SNMP Settings 3-15
  Configuring Community Strings 3-15
  Administering SNMP Trap Reporting 3-16
  Displaying Trap Information 3-16
  Configuring Trap Reporting 3-17
  Removing Trap Destinations 3-18
  Flushing Trap Destinations 3-19
  Setting Up SMT Event Proxying 3-19

4 ADMINISTERING YOUR SYSTEM ENVIRONMENT
  Displaying the System Configuration 4-1
  Setting Passwords 4-2
  Setting the System Name 4-3
  Changing the Date and Time 4-3
  Rebooting the System 4-4

5 BASELINING STAT

8 ADMINISTERING FDDI RESOURCES
  Administering FDDI Stations 8-1
  Displaying Station Information 8-2
  Setting the Connection Policies 8-3
  Setting Neighbor Notification Timer 8-5
  Enabling and Disabling Status Reporting 8-5
  Administering FDDI Paths 8-6
  Displaying Path Information 8-6
  Setting tvxLowerBound 8-7
  Setting tmaxLowerBound 8-8
  Setting maxT-Req 8-9
  Administering FDDI MACs 8-9
  Displaying MAC Information 8-10
  Setting the Frame Error Threshold 8-16
  Setting the Not Copied Threshold 8-17
  Enabling and Disablin

  Administering STP Bridge Parameters 10-7
  Enabling and Disabling STP on a Bridge 10-7
  Setting the Bridge Priority 10-7
  Setting the Bridge Maximum Age 10-8
  Setting the Bridge Hello Time 10-9
  Setting the Bridge Forward Delay 10-9
  Setting the STP Group Address 10-10

11 ADMINISTERING BRIDGE PORTS
  Displaying Bridge Port Information 11-1
  Setting the Multicast Limit 11-7
  Administering STP Bridge Port Parameters 11-8
  Enabling and Disabling STP on a Port 11-8
  Setting the Port Path Cost 11-9
  Setting the Port Priorit

  Loading Packet Filters 12-22
  Assigning Packet Filters to Ports 12-22
  Unassigning Packet Filters from Ports 12-24

13 CONFIGURING ADDRESS AND PORT GROUPS TO USE IN PACKET FILTERS
  Using Groups in Packet Filters 13-1
  Listing Groups 13-2
  Displaying Groups 13-3
  Creating New Groups 13-4
  Deleting Groups 13-6
  Adding Addresses and Ports to Groups 13-7
  Removing Addresses or Ports from a Group 13-9
  Loading Groups 13-11

PART V APPENDIXES

A PACKET FILTER OPCODES, EXAMPLES, AND SYNTAX ERRORS
  Opcodes A-1
  Packet Filter Ex

B TECHNICAL SUPPORT
  Online Technical Services B-1
  3Com Bulletin Board Service B-1
  Access by Modem B-1
  Access by ISDN B-2
  World Wide Web Site B-2
  3ComForum on CompuServe® B-2
  3ComFactsSM Automated Fax Service B-3
  Support from Your Network Supplier B-3
  Support from 3Com B-4
  Returning Products for Repair B-4

INDEX
ABOUT THIS GUIDE

Introduction

Audience description

The SuperStack™ II Switch 2200 Administration Console User Guide provides all the information you need to configure and manage your Switch 2200 once it is installed and the system is attached to the network. Prior to using this guide, you should have already installed and set up your system using the SuperStack™ II Switch 2200 Getting Started guide.

How to Use This Guide

This guide is organized by types of tasks you may need to perform on the Switch 2200. The parts of the guide are described in Table 1.

Table 1 Description of Guide Parts (continued)

Part            Contents
IV: Bridging    Configuring bridge and bridge port parameters
                Administering the Spanning Tree Protocol bridge and bridge port parameters
                Displaying and configuring bridge port addresses
                Creating and using packet filters
                Creating address groups and port groups and using them as filtering criteria
V: Appendixes   Additional information about packet filters: opcode descriptions, examples, and error messages
                Getting Technical Support
                R

Table 3 Text Conventions

Convention               Description
“Enter”                  “Enter” means type something, then press the [Return] or [Enter] key.
“Syntax” vs. “Command”   “Syntax” indicates that the general command syntax form is provided.

■ SuperStack™ II Switch 2200 Getting Started
  Describes all the procedures necessary for planning your configuration and for installing, cabling, powering up, and troubleshooting your Switch 2200 system. (Shipped with system/Part No. 801-00309-000)
■ SuperStack™ II Switch 2200 Operation Guide
  Provides information to help you understand system management and administration, FDDI technology, and bridging.

PART I INTRODUCTION

Chapter 1 Overview of SuperStack™ II Switch 2200 Administration
Chapter 2 How to Use the Administration Console

1 SUPERSTACK™ II SWITCH 2200 ADMINISTRATION OVERVIEW

This chapter introduces you to SuperStack™ II Switch 2200 administration and briefly describes the system parameters that you can configure.

About Switch 2200 Administration

The Switch 2200 software is installed at the factory in flash memory on the system processor. Because this software boots from flash memory automatically when you power on your system, the system is immediately ready for use in your network.
Table 1-1 General System Commands

Task    Quick Command    For Details, See. . .

Table 1-1 General System Commands (continued)

Task                                                         Quick Command          For Details, See. . .
Save, restore, or reset nonvolatile data in the system       system nvData          page 6-2
                                                             system reboot          page 4-4

Table 1-2 System Management Setup Commands

Task                                                         Quick Command          For Details, See. . .
Configure the Console port baud rate                         system consoleSpeed    page 3-2
Communicate with the system using SNMP, rlogin, or telnet.   ip interface display   page 3-5
                                                             ip interface define
                                                             ip interface modify
                                                             ip interface remove

Table 1-2 System Management Setup Commands (continued)

Task                                                         Quick Command              For Details, See. . .
Configure SNMP management                                    snmp display               page 3-15
                                                             snmp community
                                                             snmp trap display          page 3-16
                                                             snmp trap addModify
                                                             snmp trap remove
                                                             snmp trap flush
                                                             snmp trap smtProxyTraps

Table 1-3 Bridging Commands

Task    Quick Command    For Details, See. . .

Table 1-3 Bridging Commands (continued)

Task    Quick Command    For Details, See. . .

Table 1-4 Ethernet Commands

Task                                                         Quick Command          For Details, See. . .
Display Ethernet port information                            ethernet summary       page 7-1
(Display label, status, and statistic information on         ethernet detail
Ethernet ports in a summarized or detailed format.)
                                                             ethernet label         page 7-8
                                                             ethernet portState     page 7-8
                                                             analyzer display       page 9-2 to page 9-6
                                                             analyzer add
                                                             analyzer remove
                                                             analyzer start
                                                             analyzer stop

Table 1-5 FDDI Commands

Task    Quick Command    For Details, See. . .
2 HOW TO USE THE ADMINISTRATION CONSOLE

This chapter familiarizes you with user access levels of the SuperStack™ II Switch 2200 Administration Console and explains how to:
■ Move around within the menu hierarchy to perform tasks
■ Set up the interface parameters
■ Access online help
■ Use scripts for performing Administration Console tasks
■ Exit the Administration Console

Initial User Access

As the initial user, access the system at the administer level and press Return at the password prompt.
Each time you access the Administration Console, the system prompts you for an access level and password, as shown here:

    Select access level (read, write, administer):
    Password:

The passwords are stored in nonvolatile (NV) memory. You must enter the password correctly before you are allowed to continue. The following examples show how the top-level menu structure changes based on the level of access.

Read Access Example

Only the display option in the baseline menu is available

If you have read access, the system menu contains only the display options shown here:

    Menu options: -----------------------------------------------------------------
    display  - Display the system configuration
    baseline - Administer statistics baseline

    Type ‘q’ to return to the previous menu or ? for help.

Administration Console Menu Structure

The following sections show the menu paths for performing tasks from the top-level menu and provide a brief description of each top-level menu option. See “Selecting Menu Options” on page 2-8 for instructions on actually using the menu system. The following menus display the options available for users with administer access.

FDDI Menu

From the fddi menu, you can view information about and configure the FDDI station, paths, MAC, and ports. (See Figure 2-3.) For example, to enable the LLC service of the FDDI MAC, you enter fddi at the top-level menu, mac at the fddi menu, and then llcService at the mac menu.

Top-Level Menu: system, ethernet, fddi, bridge, ip, snmp, analyzer, script, logout
  bridge menu: display, ipFragmentation, ipxSnapTranslation, addressThreshold, agingTime, stpState, stpPriority, stpMaxAge, stpHelloTime, stpForwardDelay, stpGroupAddress, port, packetFilter
    port menu: summary, detail, multicastLimit, stpState, stpCost, stpPriority, address
      address menu: list, add
    packetFilter menu: list, display, create, delete, edit, load, assign, unassign, addressGroup, portGroup

SNMP Menu

From the snmp menu, you can configure SNMP community strings and trap reporting. (See Figure 2-6.) For example, to flush all trap reporting destinations, you enter snmp at the top-level menu, trap at the snmp menu, and then flush at the trap menu.

Selecting Menu Options

You select a menu option at the selection prompt by entering its name (or enough of the name to uniquely identify it within the particular menu). For example, to access the system menu from the top-level menu, you enter:

    Select a menu option: system

OR

    Select a menu option: sy

Menu options are not case sensitive.

If you enter a command incorrectly, you receive a prompt telling you that what you entered was not valid or was ambiguous. You must re-enter the command from the point at which it became incorrect.

Entering Values

When you reach the level at which you perform a specific task, you are prompted for a value. The prompt usually shows all valid values (if applicable) and sometimes a suggested default value.
Administration Console Interface Parameters

You can change two Administration Console interface parameters: the screen height and the functioning of the reboot and abort control keys.

Adjusting the Screen Height

You can change the Administration Console’s screen height to increase or decrease the space available for displaying information. The screen height setting does not affect the way the system displays menus.

Example:

    Do you want this to be the new default screen height? (y/n): y

Disabling the Reboot and Abort Keys

As shipped, the Administration Console allows you to use the [Ctrl + X] or [Ctrl + C] key combinations within the Administration Console. These key strokes allow you to reboot the system [Ctrl + X] or restart the Administration Console [Ctrl + C]. You can change this setting to disable both of these features.

To ensure that your Administration Console session will not be pre-empted by remote access, you can lock the Administration Console. Remote access is prohibited only for that particular session. The Administration Console is always locked when you are in the middle of a command. For example, the Administration Console is locked during a software update.

Setting Timeout Interval for Remote Sessions

Top-Level Menu ➧ system ➧ telnet ➧ interval (the telnet menu offers timeOut and interval)

You can set the timeout interval for remote sessions to any value from 30 minutes to 60 minutes. By default, the timeout interval is 30 minutes.

Running Scripts of Administration Console Tasks

The task you scripted is run in the Administration Console.

    # This script performs some start-up configurations.
    #
    # Set the Console serial port baud rate.
    #
    system consoleSpeed
    300                     # Console port baud rate
    #
    # Set the system name
    #
    system name
    Engineering Switch2200_4
    #
    # Assign an IP address to the Switch 2200.
    #
    ip interface define
    158.101.112.99          # IP address for the system
    255.255.0.0             # subnet mask
    158.101.255.
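The parser below is an added example, not code from 3Com's guide, and reads a script in the format shown above: it strips the `#` comments (whole-line and trailing), treats any line whose first word is a top-level menu name, abbreviated or not, as a command, and collects the lines that follow as the answers to that command's prompts. The grouping rule is this example's own assumption about the format, the list of top-level menu names is taken from the menu figures in this chapter, and the sample script it runs on is constructed here (the baud rate 9600, the system name and the 192.0.2.x addresses are made up).

```python
# Top-level menu names of the Administration Console, from the menu figures
# in this chapter. A script line starting with one of them begins a command.
TOP_LEVEL_MENUS = ("system", "ethernet", "fddi", "bridge", "ip",
                   "snmp", "analyzer", "script", "logout")

# Constructed sample in the guide's script format (not the guide's own script).
SAMPLE_SCRIPT = """\
# Set the Console serial port baud rate.
#
sys consoleSpeed
9600                    # Console port baud rate (constructed value)
#
# Set the system name
#
system name
Lab Switch2200_1        # a name may contain a space
#
# Assign an IP address to the Switch 2200.
#
ip interface define
192.0.2.10              # IP address for the system
255.255.255.0           # subnet mask
192.0.2.255             # broadcast address
1                       # cost
1-4,8                   # ports
"""

def strip_comment(line):
    """Drop a '#' comment, whole-line or trailing, and surrounding blanks."""
    return line.split("#", 1)[0].strip()

def resolve_menu(token):
    """Expand a possibly abbreviated top-level menu name the way the console
    does: a unique prefix selects the option, case-insensitively. Returns
    the full name, None if the token names no menu, and raises if ambiguous."""
    matches = [m for m in TOP_LEVEL_MENUS if m.startswith(token.lower())]
    if len(matches) > 1:
        raise ValueError(f"ambiguous menu name {token!r}: {matches}")
    return matches[0] if matches else None

def parse_console_script(text):
    """Group script lines into (command, values) pairs.

    A line whose first word names a top-level menu starts a command (the
    abbreviation is expanded); the non-comment lines after it, up to the
    next command, are taken in order as the answers to its prompts.
    """
    commands = []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        first, *rest = line.split()
        menu = resolve_menu(first)
        if menu is not None:
            commands.append((" ".join([menu, *rest]), []))
        elif commands:
            commands[-1][1].append(line)
        else:
            raise ValueError(f"value before any command: {line!r}")
    return commands

def values_for(commands, command):
    """Return the prompt answers recorded for the first matching command."""
    for name, values in commands:
        if name == command:
            return values
    return None

if __name__ == "__main__":
    for name, values in parse_console_script(SAMPLE_SCRIPT):
        print(f"{name}: {values}")
```

One limitation worth checking in real scripts: because abbreviations are accepted, a prompt answer that is itself a unique prefix of a menu name (a system name beginning with "a", say) would be read by this parser as a command, so the sample keeps its answers distinguishable from menu names.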
Getting Help in the Administration Console

Online Help

General online help
Help for specific menu options

If you need assistance when using the Administration Console, it has online Help and an outlining feature, both of which can be accessed from any menu level. These features are described in this section.

Exiting the Administration Console

If you are using an rlogin session to access the system, exiting will terminate the session. If you are accessing the system through the Console serial port, exiting returns you to the password prompt. To exit from the Administration Console:

Top-Level Menu ➧ logout

1 Return to the top level of the Administration Console, if you are not already there, by pressing the [ESC] key.

PART II SYSTEM-LEVEL FUNCTIONS

Chapter 3 Configuring Management Access to the System
Chapter 4 Administering Your System Environment
Chapter 5 Baselining Statistics
Chapter 6 Saving, Restoring, and Resetting Nonvolatile Data

3 CONFIGURING MANAGEMENT ACCESS TO THE SYSTEM

This chapter describes how to configure management access to the SuperStack™ II Switch 2200 stackable switch through a serial connection or an IP interface. It also describes how to configure the Switch 2200 so that you can manage it using the Simple Network Management Protocol (SNMP).

About Management Access

Using a Serial Connection

You can access the Administration Console directly through the console serial port.

In-band or Out-of-band?

By default, the Switch 2200 system provides in-band management through its Ethernet and FDDI ports. In-band management, management using the same network that carries regular data traffic, is often the most convenient and inexpensive way to access your system. If you are using a dedicated network for management data, then you are managing your network out-of-band.

Setting Up an IP Interface for Management

IP is a standard networking protocol used for communications among various networking devices. To access the system using TCP/IP or to manage the system using SNMP, you must set up IP for your system as described in this section.

■ Broadcast Address
  The system uses the IP address when it broadcasts packets to other stations on the same subnet. In particular, the system uses this address for sending RIP updates. By default, the system uses a directed broadcast (all 1s in the host field).
■ Cost
  The system uses this number, between 1 and 15, when calculating route metrics. Unless your network has special requirements, you should assign a cost of 1 to all interfaces.

    IP forwarding is enabled, RIP is active, ICMP router discovery is disabled.

    Index   IP address    Subnet mask     Cost   Ports
    1       158.101.1.1   255.255.255.0   1      1
    2       158.101.4.1   255.255.255.0   1      2
    3       158.101.6.1   255.255.255.0   1      5
    4       158.101.8.1   255.255.255.0   1      8

Defining an Interface

When you define an interface, you define the interface’s IP address, subnet mask, broadcast address, cost, and the collection of system ports associated with the interface.

3 Enter the subnet mask of the network to which the interface is to be connected.
4 Enter the broadcast address to be used on the interface.
5 Enter the cost value of the interface.
6 Enter the port(s) that you want to include in the interface. Separate nonconsecutive ports with commas (,). Enter a consecutive series of ports using a hyphen (-).

Example:

    Enter IP address: 158.101.1.1
    Enter subnet mask [255.255.0.0]: 255.255.255.
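As an added example (not code from 3Com's guide), the following checks the values answered to the `ip interface define` prompts against the rules stated above: the broadcast address must be the directed broadcast of the address and mask (all 1s in the host field), the mask must be a contiguous netmask, and the cost must lie between 1 and 15. It also renders rows in the layout of the `ip interface display` output shown earlier, using that display's 158.101.x.x addresses; the checks themselves, and the rejection of a non-contiguous mask, are this example's own, and port numbers are not checked here.

```python
import ipaddress

def directed_broadcast(ip, mask):
    """Broadcast address with all 1s in the host field (the system default)."""
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    return str(net.broadcast_address)

def check_interface(ip, mask, broadcast, cost):
    """Check the values given for an IP interface definition.

    Returns a list of problems; an empty list means the definition is
    internally consistent. Port numbers are not part of this check.
    """
    problems = []
    try:
        # strict=False allows host bits in 'ip'; a non-contiguous mask such as
        # 255.255.0.255 is rejected by ipaddress with a ValueError.
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        host = ipaddress.IPv4Address(ip)
    except ValueError as err:
        return [f"address/mask rejected: {err}"]
    if net.prefixlen < 31 and host in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        if ipaddress.IPv4Address(broadcast) != net.broadcast_address:
            problems.append(f"broadcast {broadcast} is not the directed broadcast "
                            f"{net.broadcast_address} of {net}")
    except ValueError as err:
        problems.append(f"broadcast rejected: {err}")
    if not 1 <= int(cost) <= 15:
        problems.append(f"cost {cost} is outside the range 1 to 15")
    return problems

def format_interface_table(interfaces):
    """Render (ip, mask, cost, ports) rows like 'ip interface display'."""
    rows = [f"{'Index':<8}{'IP address':<14}{'Subnet mask':<16}{'Cost':<7}Ports"]
    for index, (ip, mask, cost, ports) in enumerate(interfaces, start=1):
        rows.append(f"{index:<8}{ip:<14}{mask:<16}{cost:<7}{ports}")
    return "\n".join(rows)

# Interfaces from the display in this section (ports as entered at the prompt).
DISPLAYED_INTERFACES = [
    ("158.101.1.1", "255.255.255.0", 1, "1"),
    ("158.101.4.1", "255.255.255.0", 1, "2"),
    ("158.101.6.1", "255.255.255.0", 1, "5"),
    ("158.101.8.1", "255.255.255.0", 1, "8"),
]

if __name__ == "__main__":
    print(format_interface_table(DISPLAYED_INTERFACES))
    for ip, mask, cost, _ in DISPLAYED_INTERFACES:
        print(ip, check_interface(ip, mask, directed_broadcast(ip, mask), cost))
```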
Removing an Interface

You might want to remove an interface if you no longer need to communicate with IP on the ports associated with that interface.

■ Gateway IP Address
  This address tells the router how to forward packets whose destination address matches the route’s IP address and subnet mask. The system forwards such packets to the indicated gateway.
■ Status
  The status of the route provides the information described in Table 3-2.

Defining a Static Route

You might want to define a static route to transmit system traffic, such as system pings or SNMP response, through a consistent route. Before you define static routes, you must define at least one IP interface. (See “Defining an Interface” on page 3-5.) Static routes remain in the table until you remove them, or until you remove the corresponding interface.

Flushing a Route

Flushing deletes all learned routes from the routing table.

Top-Level Menu ➧ ip ➧ route ➧ flush (the ip menu offers interface, route, arp, rip, ping, and statistics; the route menu offers display, static, remove, flush, default, and noDefault)

To flush all learned routes, enter the following from the top level of the Administration Console:

    ip route flush

All learned routes are immediately deleted from the routing table.

Administering the ARP Cache

The Switch 2200 uses the Address Resolution Protocol (ARP) to find the MAC addresses corresponding to the IP addresses of hosts and routers on the same subnets. An ARP cache is a table of known IP addresses and their corresponding MAC addresses.

Flushing ARP Cache Entries

You might want to delete all entries from the ARP cache if the MAC address has changed.

Pinging uses the Internet Control Message Protocol (ICMP) echo facility to send an ICMP echo request packet to the IP station you specify. It then waits for an ICMP echo reply packet. Possible responses from pinging are:
■ Alive
■ No answer
■ Network is unreachable. A network is unreachable when there is no route to that network.

Displaying IP Statistics

The IP statistics you can view are described in Table 3-3.

Setting Up SNMP on Your System

To manage the Switch 2200 from an external management application, you must configure SNMP community strings and set up trap reporting as described in this section. You can manage the Switch 2200 using an SNMP-based external management application. This application (an SNMP manager) sends requests to the Switch 2200 system, where they are processed by the Switch SNMP agent.

in the request matches the agent’s read-write community. Only the SNMP get and get-next requests are valid if the community string in the request matches the read-only community.

Community string length

When you set a community string, you can specify any value up to 48 characters long.
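The class below is an added example, not 3Com's agent code, and models the community-string check described above: a request carrying the read-write community is processed, one carrying the read-only community is processed only if it is a get or get-next, and a request whose community matches neither is dropped and counted as an authentication failure, the event behind trap 2 in the trap table on the next page. The 48-character limit is the one stated here; the constant-time comparison, the failure counter and the sample communities "public" and "private" are this example's own choices.

```python
import hmac

MAX_COMMUNITY_LEN = 48            # limit stated in this section of the guide
READ_REQUESTS = ("get", "get-next")
ALL_REQUESTS = READ_REQUESTS + ("set",)

class CommunityCheck:
    """Models the SNMP agent's community-string authorization.

    read-write community: get, get-next and set are processed.
    read-only community:  only get and get-next are processed.
    no match:             the request is dropped and counted as an
                          authentication failure (trap 2 in the trap table).
    """
    def __init__(self, read_only, read_write):
        for label, value in (("read-only", read_only), ("read-write", read_write)):
            if not 1 <= len(value) <= MAX_COMMUNITY_LEN:
                raise ValueError(f"{label} community must be 1 to "
                                 f"{MAX_COMMUNITY_LEN} characters long")
        self.read_only = read_only
        self.read_write = read_write
        self.auth_failures = 0        # would drive the Authentication Failure trap

    @staticmethod
    def _matches(given, expected):
        # Constant-time comparison, a design choice for this example.
        return hmac.compare_digest(given.encode(), expected.encode())

    def authorize(self, request, community):
        """Return True if the agent would process this request."""
        if request not in ALL_REQUESTS:
            raise ValueError(f"unknown request type {request!r}")
        if self._matches(community, self.read_write):
            return True
        if self._matches(community, self.read_only):
            return request in READ_REQUESTS      # set with read-only is refused
        self.auth_failures += 1                  # no community matched
        return False

    def audit(self, requests):
        """Run (request, community) pairs and return the refused ones,
        for example to review a constructed sample of manager traffic."""
        return [(r, c) for r, c in requests if not self.authorize(r, c)]

if __name__ == "__main__":
    agent = CommunityCheck("public", "private")
    sample = [("get", "public"), ("set", "public"), ("set", "private"),
              ("get-next", "guess")]                     # constructed traffic
    print("refused:", agent.audit(sample))
    print("authentication failures:", agent.auth_failures)
```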
Here is an example display of the SNMP trap reporting information:

    Trap Descriptions:
    Trap #   Description
    1        MIB II: Coldstart
    2        MIB II: Authentication Failure
    3        Bridge MIB: New Root
    4        Bridge MIB: Topology Change
    5        LANplex Systems MIB: System Overtemperature
    10       LANplex Systems MIB: Address Threshold
    12       LANplex Opt FDDI MIB: SMT Hold Condition
    13       LANplex Opt FDDI MIB: SMT Peer Wrap Condition
    14       LANplex Opt FDDI MIB: MAC Duplicate Address Condition
    15       LANplex Opt FDDI MIB: M

3 Enter the trap number(s). Separate a series of more than two trap numbers with a hyphen (-) and nonsequential trap numbers by commas. Enter all if you want to enable all the traps for the destination. The trap numbers you enter allow the trap specified by that number to be sent to the destination address when the corresponding event occurs. No unlisted traps are transmitted.
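The same comma-and-hyphen list syntax is used for the trap numbers entered here and for the port list entered when defining an IP interface, so one parser serves both. The code below is an added example, not 3Com's console code: it expands a specification such as `1-5,10,12` or `all` against the set of numbers that actually exist, taking the trap numbers and descriptions from the display above (trap 15 is cut off on the page and omitted). Two details are this example's own assumptions rather than documented console behaviour: a number listed on its own must exist, while a range may span gaps in the numbering (traps 6 to 9 are undefined) and keeps only its defined members; and `all` is accepted for traps, where the guide mentions it, but not for ports, where it does not.

```python
# Trap numbers and descriptions from the trap display in this section.
TRAP_DESCRIPTIONS = {
    1: "MIB II: Coldstart",
    2: "MIB II: Authentication Failure",
    3: "Bridge MIB: New Root",
    4: "Bridge MIB: Topology Change",
    5: "LANplex Systems MIB: System Overtemperature",
    10: "LANplex Systems MIB: Address Threshold",
    12: "LANplex Opt FDDI MIB: SMT Hold Condition",
    13: "LANplex Opt FDDI MIB: SMT Peer Wrap Condition",
    14: "LANplex Opt FDDI MIB: MAC Duplicate Address Condition",
}

def parse_number_spec(spec, valid, allow_all=True):
    """Expand a console list such as '1-5,10,12', '1,2,5-8' or 'all'.

    valid: the numbers that exist (trap numbers, or 1..N for ports).
    A number listed on its own must exist; a range may span gaps in the
    numbering and only its defined members are kept (this example's
    choice). Returns the selected numbers sorted, without duplicates.
    """
    valid = set(valid)
    text = spec.strip().lower()
    if not text:
        raise ValueError("empty specification")
    if text == "all":
        if not allow_all:
            raise ValueError("'all' is not accepted here")
        return sorted(valid)
    chosen = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))   # int() rejects junk
            if lo > hi:
                raise ValueError(f"range {part!r} runs backwards")
            chosen.update(n for n in range(lo, hi + 1) if n in valid)
        else:
            n = int(part)
            if n not in valid:
                raise ValueError(f"{n} is not a valid number")
            chosen.add(n)
    return sorted(chosen)

def traps_for(spec):
    """Map a trap specification to (number, description) pairs."""
    return [(n, TRAP_DESCRIPTIONS[n])
            for n in parse_number_spec(spec, TRAP_DESCRIPTIONS)]

def ports_for(spec, port_count):
    """Expand a port list such as '1-4,8' against ports 1..port_count."""
    return parse_number_spec(spec, range(1, port_count + 1), allow_all=False)

if __name__ == "__main__":
    for number, description in traps_for("1-5,10,12"):
        print(f"{number:<4}{description}")
    print("ports:", ports_for("1-4,8", 12))
```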
Flushing Trap Destinations

When flushing the SNMP trap reporting destinations, you remove all trap destination address information for the SNMP agent.

occurring locally on the one Switch 2200 and to those reported by other stations on the FDDI ring (including other Switch 2200s).
■ Enable local SNMP traps and disable the proxying of remote SMT events on every Switch 2200 in your network. Local traps will be reported to the management station (which will cover all your Switch 2200s), but SMT events from systems other than Switch 2200s in your network will not be reported.

4 ADMINISTERING YOUR SYSTEM ENVIRONMENT

This chapter focuses on the administration of your SuperStack™ II Switch 2200 system environment, which involves:
■ Displaying the current system configuration
■ Setting system passwords
■ Setting the system name
■ Changing the system date and time
■ Rebooting

Displaying the System Configuration

The system configuration display provides software and hardware revisions and warning messages for certain system conditions.
■ System temperature has exceeded the maximum level for normal operation
■ Fan failure
■ Power supply failure

Setting Passwords

Initial passwords

The Administration Console supports three levels of password: one for browsing or viewing only (read), one for configuring network parameters (write), and one for full system administration (administer).

    The administration console password has been successfully changed.

6 Repeat steps 1 through 5 for each level of password you want to configure.

Setting the System Name

You should give the Switch 2200 an easily recognizable and unique name to help you manage the system. For example, you might want to name the system according to its physical location (say, SS2200 ENGLAB).

Table 4-1 Date and Time Variables

Format      Description
first mm    month (1–12)
dd          date (1–31)
yy          last two digits of the year (00–99)
hh          hour (1–12)
second mm   minute (00–59)
ss          second (00–59)
xM          either AM or PM

4 Press [Return] when you want the system to start keeping the time that you entered.

5 BASELINING STATISTICS

This chapter describes how baselining statistics work in the SuperStack™ II Switch 2200, and how to set, display, enable, or disable a baseline statistic.

About Setting Baselines

Normally, statistics for MACs and ports start compiling at system power-up. Baselining allows you to view statistics over the period of time since a baseline was set. By viewing statistics relative to a baseline, you can more easily evaluate recent activity in your system or on your network.

Setting Baselines

Top-Level Menu ➧ system ➧ baseline ➧ set (the baseline menu offers display, set, and requestedState)

Setting a baseline resets the counters to zero. The accumulated totals since power up are maintained by the system. The baseline is time-stamped.

Enabling or Disabling Baselines
6 SAVING, RESTORING, AND RESETTING NONVOLATILE DATA

This chapter describes the nonvolatile (NV) data in the SuperStack™ II Switch 2200 system and how to save, restore, and reset the data.

About Working with Nonvolatile Data

If you want to transfer NV data from one system to another, save the system’s NV data and restore it as appropriate. You might also want to save a certain configuration of the system for your reference and as a backup.

Saving NV Data

When NV data is saved, it is written to a disk file on a host computer. The information can then be retrieved from the disk file when you use the restore command.

The failure message varies depending on the problem encountered while saving the NV data. At the end of the save, you are returned to the previous menu.

Restoring NV Data

When you restore system NV data, the software presents you with a proposal for how to restore the data.

To restore the NV data:

Top-Level Menu ➧ system ➧ nvData ➧ restore (the nvData menu offers save, restore, examine, and reset)

1 From the top level of the Administration Console, enter:

    system nvData restore

You are prompted for information for restoring the NV data saved to a file.

Examining a Saved NV Data File

Top-Level Menu ➧ system ➧ nvData ➧ examine

After saving NV data to a file, you can examine the header information of that file.

Resetting NV Data to Defaults

At times you may not want to restore the system NV data. Instead, you may want to reset the values to the factory defaults so that you can start configuring the system from the original settings.

CAUTION: Resetting the NV data means that all NV memory is set back to the factory defaults. Before proceeding, ensure that you want to reset your NV data.

PART III ETHERNET AND FDDI PARAMETERS

Chapter 7 Administering Ethernet Ports
Chapter 8 Administering FDDI Resources
Chapter 9 Setting Up the System for Roving Analysis

7 ADMINISTERING ETHERNET PORTS

This chapter describes how to:
■ View Ethernet port information
■ Configure Ethernet port labels
■ Enable or disable an Ethernet port

Displaying Ethernet Port Information

You can display either a summary of Ethernet port information or a detailed report. When you display a summary of Ethernet port information, you view its label, status, and the most pertinent statistics about general port activity and port errors.

    port              1           12
    rxFrames          406430      242400
    rxBytes           36336795    29275605
    rxPeakByteRate    90484       58438
    rxPeakFrameRate   163         394
    rxFrameRate       0           0
    rxByteRate        0           0
    noRxBuffers       0           0
    alignmentErrs     0           0
    port              1           12
    fcsErrs           0           0
    lengthErrs        0           0
    rxInternalErrs    0           0
    rxDiscards        0           0
    port              1           12
    rxUnicasts        365811      242033
    rxMulticasts      40619       367
    txFrames          1422085     1256455
    txBytes           234636091   300242671
    port              1           12
    txFrameRate       3           3
    txByteRate        345         345
    txPeakFrameRate   208         402
    txPeakByt

An example of a summary display for Ethernet ports is shown here:

    port           1                         12
    portLabel      Office113_SPARCstation5   Office322_Quadra900
    portState      on-line                   on-line
    txBytes        234900612                 300479754
    port           1                         12
    rxFrames       406876                    242532
    txFrames       1423733                   1257721
    port           1                         12
    rxErrs         0                         0
    txErrs         0                         0
    rxBytes        36377226                  29293858
    noRxBuffers    0                         0
    txQOverflows   0                         0

Table 7-1 describes the information provided about an Ethernet port.
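The following is an added example, not code from 3Com's guide, serving both the summary display above and the baselining mechanism of Chapter 5. It parses the display as the console lays it out (a `port` line names the columns, each following line carries one field with one value per port, and the detail display has the same shape), then applies a baseline the way Chapter 5 describes it: once set, counters are shown relative to a time-stamped snapshot while the totals since power-up are kept, and disabling the baseline shows the totals again. The port values are copied from the summary display above; the `Baseline` class and its method names are this example's own modelling, not the console's commands.

```python
import time

# Summary display from this section, laid out as the console prints it.
SUMMARY_DISPLAY = """\
port           1                         12
portLabel      Office113_SPARCstation5   Office322_Quadra900
portState      on-line                   on-line
txBytes        234900612                 300479754
port           1                         12
rxFrames       406876                    242532
txFrames       1423733                   1257721
port           1                         12
rxErrs         0                         0
txErrs         0                         0
rxBytes        36377226                  29293858
noRxBuffers    0                         0
txQOverflows   0                         0
"""

def parse_port_display(text):
    """Return {port: {field: value}}; counters become ints, labels stay strings.

    A 'port' line names the columns for the lines that follow; a field line
    must carry exactly one value per named port.
    """
    stats, ports = {}, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name, values = fields[0], fields[1:]
        if name == "port":
            ports = [int(p) for p in values]
            for p in ports:
                stats.setdefault(p, {})
            continue
        if len(values) != len(ports):
            raise ValueError(f"{name}: expected {len(ports)} values, got {len(values)}")
        for p, v in zip(ports, values):
            stats[p][name] = int(v) if v.isdigit() else v
    return stats

class Baseline:
    """Models the Chapter 5 baseline: once set, counters are displayed
    relative to a time-stamped snapshot while the totals since power-up
    are kept unchanged; disabling the baseline shows the totals."""
    def __init__(self):
        self.snapshot, self.set_at, self.enabled = None, None, False

    def set(self, stats, now=None):
        """Snapshot the current counters and time-stamp the baseline."""
        self.snapshot = {p: dict(f) for p, f in stats.items()}
        self.set_at = now if now is not None else time.time()
        self.enabled = True

    def disable(self):
        self.enabled = False

    def enable(self):
        self.enabled = self.snapshot is not None

    def view(self, stats):
        """Counters as they would be displayed under this baseline."""
        if not self.enabled or self.snapshot is None:
            return stats                    # totals since power-up
        shown = {}
        for p, fields in stats.items():
            base = self.snapshot.get(p, {})
            shown[p] = {k: v - base.get(k, 0) if isinstance(v, int) else v
                        for k, v in fields.items()}
        return shown

if __name__ == "__main__":
    stats = parse_port_display(SUMMARY_DISPLAY)
    baseline = Baseline()
    baseline.set(stats)
    print("relative to baseline:", baseline.view(stats)[1])
```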
7-4 CHAPTER 7: ADMINISTERING ETHERNET PORTS Table 7-1 Description of Fields for Ethernet Port Attributes (continued) Field Description portLabel 32-character string containing a user-defined name. The maximum length of the string is 32 characters, including the null terminator. portState Current software operational state of this port. Possible values are on-line and off-line. portType Specific description of this port’s type.
Displaying Ethernet Port Information 7-5 Table 7-1 Description of Fields for Ethernet Port Attributes (continued) Field Description txFrameRate Average number of frames transmitted per second by this port during the most recent sampling period. Sampling periods are 1 second long and are not configurable.
7-6 CHAPTER 7: ADMINISTERING ETHERNET PORTS All frames on the Ethernet network are received promiscuously by an Ethernet port. However, frames may be discarded for the following reasons: Frame Processing and Ethernet Statistics ■ There is no buffer space available. ■ The frame is in error. Figure 7-1 shows the order in which these discard tests are made. . . .from Ethernet Network Receive Frame. . .
Displaying Ethernet Port Information 7-7 Frames are delivered to an Ethernet port by bridge and management applications. However, a frame may be discarded for the following reasons: ■ The Ethernet port is disabled. ■ There is no room on the transmit queue. ■ An error occurred during frame transmission. Figure 7-2 shows the order in which these discard tests are made. Transmit Frame Statistics. . .
7-8 CHAPTER 7: ADMINISTERING ETHERNET PORTS Labeling a Port Port labels serve as useful reference points and as an accurate means of identifying your ports for management. You may want to label your Ethernet ports so that you can easily identify the device specifically attached to each port (for example, LAN, workstation, or server).
8 ADMINISTERING FDDI RESOURCES This chapter describes how to display information about and configure the SuperStack™ II Switch 2200 system and its: ■ FDDI station ■ FDDI paths ■ Media Access Control (MAC) ■ FDDI ports This chapter, which covers advanced FDDI topics, is intended for users familiar with the FDDI MIB. Under normal operating conditions, you do not need to change the FDDI default settings.
8-2 CHAPTER 8: ADMINISTERING FDDI RESOURCES Displaying Station Information Top-Level Menu system ethernet ➧ station ➧ fddi path bridge mac ip port snmp analyzer script logout When you display FDDI station information, you receive information about the station, including its configuration, status reporting, and the most pertinent statistics about general station activity and errors.
Administering FDDI Stations 8-3 Table 8-1 Description of Fields for FDDI Station Attributes (continued) Setting the Connection Policies Field Description tNotify Timer used in the Neighbor Notification protocol to indicate the interval of time between the generation of Neighbor Information Frames (NIF). This value can be user-defined. traceMaxExp Maximum propagation time for a Trace on an FDDI topology. Places a lower bound on the detection time for an unrecovering ring.
Table 8-2 Bit to Set for Rejecting a Station Connection (continued)
This Connection Is Rejected... (Switch port - Remote port)   If This Bit Is Set   Description
B-B   5   Undesirable peer connection that creates twisted primary and secondary rings; notify SMT.
B-S   6   Undesirable peer connection that creates a wrapped ring; notify SMT.
B-M   7   Tree connection with possible redundancy. The node may not go to Thru state in CFM.
Setting Neighbor Notification Timer
The T-notify attribute is a timer used in the Neighbor Notification protocol to indicate the interval of time between the generation of Neighbor Information Frames (NIFs). NIFs allow stations to discover their upstream and downstream neighbors. The T-notify value has a range of 2 to 30 seconds, with a default value of 30 seconds.
2 Press [Return].
3 Enter the new statusReporting value (enabled or disabled). See the following example:
Select station [1]:
Station 1 - Enter new value (disabled,enabled) [enabled]: disabled
Administering FDDI Paths
FDDI’s dual, counter-rotating ring consists of a primary ring and a secondary ring. FDDI stations can be connected to either ring or to both rings simultaneously.
3 Enter the path (p = primary, s = secondary). See the following example of path information:
stn           1          1          1
path          primary    secondary  local
ringLatency   16         16         0
traceStatus   0x0        0x0        0x0
tvxLowBound   2500 us    2500 us    2500 us
tMaxLowBound  165000 us  165000 us  165000 us
maxTReq       165000 us  165000 us  165000 us
Table 8-3 describes these statistics.
To set tvxLowerBound:
Menu path: fddi ➧ path ➧ tvxLowerBound
1 From the top level of the Administration Console, enter:
fddi path tvxLowerBound
You are prompted for a station, path, and value. The Switch 2200 has one station, which appears in brackets.
2 Press [Return].
3 Enter the path (p = primary, s = secondary).
4 Enter the new minimum time value.
Setting maxT-Req
The maxT-Req attribute specifies the maximum time value of fddiMACT-Req that will be used by any MAC that is configured onto this path. T-Req is the value that a MAC bids during the claim process to determine a ring’s operational token rotation time, T_Opr. The lowest T-Req bid on the ring becomes T_Opr. When T_Opr is a low value, the token rotates more quickly, so token latency is reduced.
Administering FDDI MACs
Displaying MAC Information
FDDI MAC information can be viewed in a summary or in detail. When you display a summary of various FDDI MAC statistics, you receive information about the MAC, including received and transmitted frames and received and transmitted bytes. The detailed display includes the information in the summary and additional FDDI MAC statistics.
The following example shows the detail display of FDDI MAC information:
rxFrames         103666
rxBytes          23089968
rxFrameRate      36
rxByteRate       7582
rxPeakFrameRate  48
rxPeakByteRate   10308
lostCount        0
lateCount        0
notCopiedCount   0
notCopiedThresh  6550
notCopiedRatio   0
notCopiedCond    inactive
frameErrThresh   655
frameErrorRatio  0
frameErrCond     inactive
errorCount       0
noRxBuffers      0
tvxExpiredCount  0
rxUnicasts       34621
txFrameRate      15
rxInternalErrs   0
rxDiscards       32923
txFrames         34921
Table 8-4 describes the information provided for the FDDI MAC.
Table 8-4 Description of Fields for FDDI MAC Attributes (continued)
Field          Description
oldDownstream  Previous value of the MAC address of this MAC’s downstream neighbor
oldUpstream    Previous value of the MAC address of this MAC’s upstream neighbor
ringOpCount    Number of times that this MAC has entered the operational state from the nonoperational state
rmtState       State of the ring management as defined in SMT
rxByteRate     Average number of bytes received per second by this
Table 8-4 Description of Fields for FDDI MAC Attributes (continued)
Field            Description
tvxCapab         Maximum time value of the valid transmission timer that this MAC can support
tvxExpiredCount  Number of times that this MAC’s valid transmission timer has expired
tvxValue         Value of the valid transmission timer in use by this MAC
txByteRate       Average number of bytes transmitted per second by this MAC during the most recent sampling period
txBytes          Number of byte
■ LLC service is disabled.
■ This is an NSA Frame and the A-bit is set.
Figure 8-1 shows the order in which these discard tests are made.
[Figure 8-1 Receive Frame Statistics (frames from the FDDI network)]
Figure 8-2 shows the order in which the discard tests are made.
[Figure 8-2 Transmit Frame Statistics: frames delivered to this MAC are counted as txDiscards when they are discarded (transmit queue full: txQOverflows; error during transmission: txInternalErrs; LLC service disabled or ring not operational), and otherwise as txFrames (txUcastFrames + txMcastFrames) transmitted to the network]
See the following example:
Select MAC [1]:
MAC 1 - Enter new value [655]:
Setting the Not Copied Threshold
The NotCopiedThreshold attribute determines when a MAC condition report is generated because too many frames could not be copied. Not-copied frames occur when there is no buffer space available in the station (which indicates congestion in the station). SMT monitors the ratio of frames not copied to all frames addressed to the station (copied plus not copied) within a certain period of time.
Enabling and Disabling LLC Service
The Logical Link Control (LLC) service allows LLC frames to be sent and received on the MAC. LLC frames are all data frames transmitted on the network. If there is something wrong on your network, you may want to turn off data (user) traffic for a MAC by disabling LLC service. Although you have disabled data traffic from the MAC, the MAC still participates in neighbor notification and is visible to network management.
Administering FDDI Ports
Displaying Port Information
Within an FDDI station, the PHY and PMD entities make up a port. A port (consisting of the PHY/PMD pair that connects to the fiber media) is located at both ends of a physical connection and determines the characteristics of that connection. Each FDDI port is one of four types: A, B, M, or S.
Table 8-5 describes the type of information provided for an FDDI port.
values so that you are only receiving alarms if your network is in poor health. The SMT Standard recommended value is 8. The lerAlarm value must be higher than the lerCutoff value so that the network manager is alerted to a problem before the PHY (port) is actually removed from the network. (Link error rate values are exponents: a value of n means an estimated rate of one error in 10^n bits, so a higher value is a lower error rate and is crossed first as a link degrades.)
To set the lerCutoff:
Menu path: fddi ➧ port ➧ lerCutoff
1 From the top level of the Administration Console, enter:
fddi port lerCutoff
You are prompted for a port number and an estimated link error rate value at which the link connection will be broken.
2 Enter the port number.
3 Enter the estimated link error rate value.
Setting the Port Paths
In the Switch 2200 you can assign the A and B ports to either the primary or the secondary path. To assign ports to paths:
Menu path: fddi ➧ port ➧ path
1 From the top level of the Administration Console, enter:
fddi port path
You are prompted for a port.
2 Enter the port(s) you want to configure.
9 SETTING UP THE SYSTEM FOR ROVING ANALYSIS
This chapter describes how to set up the SuperStack™ II Switch 2200 system for roving analysis. With roving analysis, you can monitor Ethernet port activity either locally or remotely using a network analyzer attached to the system.
About Roving Analysis
Roving analysis is the monitoring of Ethernet port traffic for network management purposes.
the remote port is located. The remote system must be located on the same FDDI ring as the system to which the analyzer is attached. Figure 9-1 shows the process for establishing local and remote monitoring of ports.
Adding an Analyzer Port
Menu path: analyzer ➧ display
To display the roving analysis configurations, enter the following from the top level of the Administration Console:
analyzer display
The configurations are displayed as shown in the following example:
Ethernet ports configured as analyzer ports:
Ethernet Port   Address
9               00-80-3e-0a-3b-02
Ethernet ports being monitored:
Ethernet Port   Address
16              0
Once the analyzer port is set, it no longer receives or transmits any other data; instead, it transmits to the network analyzer the data it receives from the monitored port. If Spanning Tree is enabled on this port, it is automatically disabled for as long as the port is configured for the network analyzer. Once configured, the analyzer port also broadcasts its MAC address so that the address can be learned on remote systems.
Starting Port Monitoring
After you have a local or remote port configured for the network analyzer, you can start monitoring port activity. 3Com recommends that you ALWAYS configure the analyzer port before configuring the monitored ports.
You are then prompted for an FDDI port through which the data should be forwarded, as shown below:
Select FDDI port (1-2): 2
Once you successfully configure a port to monitor, all the data received and transmitted on the port is forwarded to the selected analyzer port, as well as processed normally.
Stopping Port Monitoring
After analyzing an Ethernet port, you can remove it from the roving analysis configuration.
IV BRIDGING PARAMETERS
Chapter 10 Administering the Bridge
Chapter 11 Administering Bridge Ports
Chapter 12 Creating and Using Packet Filters
Chapter 13 Configuring Address and Port Groups to Use in Packet Filters
10 ADMINISTERING THE BRIDGE
This chapter describes how to view the bridge setup and how to configure the following bridge-level parameters:
■ IP fragmentation
■ IPX snap translation
■ Address threshold
■ Address aging time
■ Spanning Tree Protocol (STP) parameters
For information about configuring the bridge port, see Chapter 11. For information about creating packet filters for a bridge, see Chapter 12.
Displaying Bridge Information
You can display information about the bridge.
The following example shows a display of bridge information.
Table 10-1 Bridge Attributes
Parameter      Description
addressCount   Number of addresses in the bridge address table
addrTableSize  Maximum number of addresses that will fit in the bridge address table
addrThreshold  Reporting threshold for the total number of addresses known on this bridge. When this threshold is reached, the SNMP trap addressThresholdEvent is generated.
Table 10-1 Bridge Attributes (continued)
Parameter  Description
maxAge     The maximum age value at which the stored configuration message information is judged too old and discarded. This value is determined by the root bridge.
mode       Operational mode of the bridge. Valid value is transparent for IEEE 802.1d Transparent bridging.
Enabling and Disabling IP Fragmentation
When IP fragmentation is enabled, large IP packets received from FDDI are fragmented into smaller packets before they are bridged to Ethernet. IP fragmentation allows FDDI and Ethernet stations connected to the Switch 2200 to communicate using IP even if the FDDI stations are transmitting packets that would typically be too large to bridge (larger than Ethernet’s 1500-byte maximum). The default value is enabled.
Setting the Address Threshold
The address threshold for a bridge is the reporting threshold for the total number of Ethernet addresses known to the system. When this threshold is reached, the SNMP trap addressThresholdEvent is generated. The range of valid values for this parameter is between 1 and the address table size + 1. Setting the threshold below the table size gives warning before the table fills; a sudden jump in the address count is also worth investigating, since it can indicate a station flooding the bridge with forged source addresses.
Administering STP Bridge Parameters
Enabling and Disabling STP on a Bridge
You can enable or disable Spanning Tree Protocol in the system and set the following STP bridge parameters: priority, maximum age, hello time, and forward delay. For more information about how the Spanning Tree parameters interact at the bridge level to create a loopless network, see Chapter 5: Transparent Bridging in the SuperStack™ II Switch 2200 Operation Guide.
To configure the STP bridge priority:
Menu path: bridge ➧ stpPriority
1 From the top level of the Administration Console, enter:
bridge stpPriority
2 Enter the priority value at the prompt.
Setting the Bridge Maximum Age
Setting the Bridge Hello Time
Menu path: bridge ➧ stpHelloTime
Hello time is the period between the generation of configuration messages by a root bridge.
Setting the Bridge Forward Delay
Setting the STP Group Address
The STP group address is a single address that bridges listen to when receiving STP information. Each bridge on the network sends STP packets to the group address. Every bridge on the network receives STP packets sent to the group address, regardless of which bridge sent the packets. IEEE 802.1D defines the bridge group address as 01-80-c2-00-00-00, but some bridge implementations use a different address, so products from different vendors may respond to different group addresses. All bridges in one Spanning Tree must use the same group address: a bridge that uses a different one ignores the others’ configuration messages, and the loop protection that STP provides is lost.
11 ADMINISTERING BRIDGE PORTS
This chapter describes how to view bridge port information and configure the following:
■ Multicast packet threshold
■ Spanning Tree Protocol (STP) parameters
■ Bridge port addresses
Displaying Bridge Port Information
Bridge port information includes the STP configurations for the bridge port. You can display this information in both summary and detail formats.
The following example shows a bridge port summary display.
port            Ethernet 1   Ethernet 12
portId          0x8003       0x800e
rxFrames        411180       243559
rxDiscards      0            0
txFrames        1353766      1184225
stp             enabled      enabled
state           forwarding   forwarding
fwdTransitions  1            1
The following example shows a bridge port detail display.
Table 11-1 describes the type of information provided for the bridge port.
Table 11-1 Bridge Port Attributes
Parameter         Description
designatedBridge  Identification of the designated bridge of the LAN to which the port is attached
designatedCost    Cost through this port to get to the root bridge. The designated cost of the root port is the same as the cost received in incoming BPDUs from the designated bridge for that LAN.
Table 11-1 Bridge Port Attributes (continued)
Parameter  Description
rxFrames   Number of frames that have been received by this port from its segment. A frame received on the interface corresponding to this port is only counted by this object if the frame is for a protocol being processed by the local bridging function, including bridge management frames.
Table 11-1 Bridge Port Attributes (continued)
Parameter  Description
state      Spanning Tree state (blocking, listening, learning, forwarding, disabled) in which the port is currently operating:
           Blocking: The bridge continues to run the Spanning Tree algorithm on that port, but the bridge does not receive data packets from the port, learn locations of station addresses from it, or forward packets onto it.
Frame Processing and Bridge Port Statistics
All frames received on a physical (Ethernet or FDDI) interface and not explicitly directed to the Switch 2200 are delivered to the corresponding bridge port. A frame is then either forwarded to another bridge port or discarded. A frame might be discarded for the following reasons:
■ The destination station is on the same segment as the source station.
■ The receive bridge port is blocked.
Figure 11-2 shows the order in which the discard decisions are made.
Setting the Multicast Limit
4 Enter the new multicast threshold value for the port(s). See the example below:
Ethernet port 4 - Enter new value [0]: 400
Ethernet port 5 - Enter new value [0]: 400
Administering STP Bridge Port Parameters
Enabling and Disabling STP on a Port
You can enable or disable the Spanning Tree Protocol for one or more ports on the system. This setting affects the operation of a port only if the Spanning Tree Protocol is enabled on the bridge (see Chapter 10).
The following example shows values being set for more than one port:
Ethernet port 4 - Enter new value (disabled,enabled) [enabled]: disabled
Ethernet port 5 - Enter new value (disabled,enabled) [enabled]: disabled
Setting the Port Path Cost
You can set the path cost for a bridge port. The path cost is the cost to be added to the root cost field in a configuration message received on this port.
Setting the Port Priority
The STP port priority influences the choice of port when the bridge has two ports connected to the same LAN, creating a loop. The port with the lowest port priority value (that is, the highest priority) is the one used by the Spanning Tree Protocol; the other port is blocked. Port priority is a 1-octet value (0 to 255).
Administering Port Addresses
Listing Addresses
You can administer the MAC addresses of stations connected to Ethernet and FDDI ports on the Switch 2200. You can display the MAC addresses currently associated with the selected ports. The type of each address (static or dynamic), its assigned port, and its age are also listed.
Adding New Addresses
When you assign new MAC addresses to the selected ports, these addresses are added as statically configured addresses. A statically configured address is never aged and can never be learned on a different Ethernet port, so a station that you pin to a port this way cannot be moved to another port by a frame carrying its source address elsewhere.
Flushing All Addresses
You can flush all static and dynamic MAC addresses from the selected port(s). Static MAC addresses are those that you specified using the add menu option. Dynamic MAC addresses are those that were automatically learned by the bridge.
To freeze all dynamic addresses:
Menu path: bridge ➧ port ➧ address ➧ freeze
1 From the top level of the Administration Console, enter:
bridge po
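As an added illustration of how the static, dynamic, flushed and frozen entries described in this and the preceding sections behave, the following Python model (not the switch’s code) keeps a bridge address table with source-address learning, aging, the addressThresholdEvent trap of Chapter 10, flushAll and flushDynamic, and freeze. That freeze turns a port’s learned (dynamic) entries into static ones is an assumption about the menu option, and the addresses and port names used are made up.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    static: bool        # static: never aged, never re-learned on another port
    last_seen: float


class BridgeAddressTable:
    """Learning, aging, static entries, flush and freeze, plus the addressThreshold trap."""

    def __init__(self, table_size, address_threshold, aging_time=300.0):
        self.table_size = table_size                  # addrTableSize
        self.address_threshold = address_threshold    # addrThreshold
        self.aging_time = aging_time                  # agingTime, in seconds
        self.entries = {}                             # MAC address -> Entry
        self.traps = []                               # SNMP traps the bridge would have sent

    def _check_threshold(self):
        if len(self.entries) == self.address_threshold:
            self.traps.append("addressThresholdEvent")

    def add_static(self, mac, port):
        """The add menu option: a statically configured address on a port."""
        self.entries[mac] = Entry(port, True, 0.0)
        self._check_threshold()

    def learn(self, mac, port, now):
        """Source-address learning on a received frame; returns the port now bound to mac."""
        entry = self.entries.get(mac)
        if entry is None:
            if len(self.entries) >= self.table_size:
                return None                           # table full: the address stays unknown
            self.entries[mac] = Entry(port, False, now)
            self._check_threshold()
        elif not entry.static:                        # dynamic entries follow the station
            entry.port, entry.last_seen = port, now
        return self.entries[mac].port                 # a static entry keeps its port

    def lookup(self, mac):
        entry = self.entries.get(mac)
        return entry.port if entry else None

    def age(self, now):
        """Remove dynamic entries not seen within aging_time; static entries are kept."""
        stale = [m for m, e in self.entries.items()
                 if not e.static and now - e.last_seen > self.aging_time]
        for mac in stale:
            del self.entries[mac]
        return len(stale)

    def flush(self, port, dynamic_only=False):
        """flushAll (every entry on the port) or flushDynamic (learned entries only)."""
        gone = [m for m, e in self.entries.items()
                if e.port == port and not (dynamic_only and e.static)]
        for mac in gone:
            del self.entries[mac]
        return len(gone)

    def freeze(self, port):
        """ASSUMPTION about the freeze option: the port's dynamic entries become static."""
        frozen = 0
        for entry in self.entries.values():
            if entry.port == port and not entry.static:
                entry.static, frozen = True, frozen + 1
        return frozen
```

The model makes the security property of static and frozen entries visible: a dynamic entry follows whichever port last saw the address, while a static or frozen one stays put, so a station elsewhere on the bridge cannot pull that address to its own port. It also shows why the threshold trap is worth leaving enabled: the count rises one step per new source address, and a learning table that fills is the first sign of an address flood.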
12 CREATING AND USING PACKET FILTERS
This chapter describes how to create and edit packet filters using the packet filter language.
Listing Packet Filters
Menu path: bridge ➧ packetFilter ➧ list
When you list the packet filters for the system, the filter identification, filter name (if any), and filter assign
Displaying Packet Filters
When displaying the contents of a single packet filter, you select the packet filter using the filter id (which you can obtain by listing the packet filters as described in the previous section). The packet filter instructions are displayed; however, any comments in the original packet filter definition file are not displayed because they are not saved with the packet filter. Keep the original definition files, since the system retains only the name and the instructions.
Concepts for Writing a Filter
Before writing a packet filter, you should understand these basic concepts:
■ How the packet filter language works
■ The basic elements of a packet filter
■ How to implement sequential tests in a packet filter
■ The pre-processed and run-time storage requirements
How the Packet Filter Language Works
You define packet filters using a simple, stack-oriented language.
Table 12-2 describes the instructions and stacks of a packet filter.
Table 12-2 Packet Filter Instructions and Stacks — Descriptions and Guidelines
Element             Descriptions and Guidelines
Instructions        Each instruction in a packet filter definition must be on a separate line in the packet filter definition file.
Instruction format  An instruction consists of an opcode followed by its operands (if any) and an optional comment.
Basic Elements of a Packet Filter
Before creating a packet filter, you must decide which part of the packet you want to filter. You can filter Ethernet packets by the destination address, source address, type/length, or some part of the data. You can filter FDDI packets by the destination address, source address, or some part of the data. A packet filter operates on these fields to make filtering decisions.
The Ethernet and FDDI packet fields in Figure 12-1 are used as operands in the packet filter. The two simplest operands are described in Table 12-3.
Table 12-3 Packet Filter Operands
Operand       Description                                                                                        Opcode
packet field  A field in the packet that can reside at any offset. The size of the field can be 1, 2, 4, or 6 bytes. Typically, you only specify a 6-byte field when you want the filter to examine a 48-bit address.
Implementing Sequential Tests in a Packet Filter
Filter language expressions are normally evaluated to completion: a packet is accepted if the value remaining on the top of the stack is non-zero. Frequently, however, a single test is insufficient to filter packets effectively.
The following example shows the use of both accept and reject in a packet filter. This packet filter was created for a network running both Phase I and Phase II AppleTalk™. The goal of the filter is to eliminate the AppleTalk traffic.
Name “Filter AppleTalk datagrams”
pushField.w 12                  # Get the type field.
pushTop                         # Make a copy.
pushLiteral.w 0x809b            # Phase I AppleTalk type value.
eq                              # Is the type field Phase I AppleTalk?
reject                          # If so, discard the packet.
pushLiteral.w 0x5dc             # Largest 802.3 length value (1500).
lt                              # Is this an Ethernet II frame rather than 802.3?
accept                          # If so, it is not AppleTalk: forward it.
pushField.a 16                  # 802.3: LLC control, SNAP OUI and type.
pushLiteral.a 0x03080007809b    # Phase II AppleTalk SNAP header.
ne                              # Forward only if they differ.
Run-time storage of packet filters
For run-time storage of packet filter programs, each Switch 2200 system provides a maximum of 8192 bytes. There is no explicit system or per-packet-filter overhead; however, performance considerations can result in unused areas of the run-time storage. The run-time format is approximately eight times the size of the stored format.
4 Apply a logic operation to the values in steps 2 and 3. The operator you use depends on what comparison you want to make.
Variations on these four basic steps of writing packet filters include:
■ Use pushTop for each additional comparison you intend to make with the pushField value. This opcode makes a duplicate of the pushField value and places it on top of the original pushField on the stack.
Examples of Creating Filters
Packet Filter Solution
The solution described here is to create a packet filter that prevents only the broadcast packets from the market data servers from being forwarded onto the segments that are not part of an active trading floor. Before writing the packet filter, it is important to understand the functions that the filter must provide.
The pseudocode translates into the following packet filter:
Name “IP XNS ticker bcast filter”
# Assign this filter in the multicast path
# of a port only--this is very important
#
# XNS FILTERING SECTION
#
pushField.w 12          # get the type field of the packet and
                        # place it on top of the stack.
pushLiteral.w 0x0600    # put the type value for XNS on top of
                        # the stack.
eq                      # if the two values on the top of the
                        # stack are equal, then return a non-zero
                        # value.
pushLiteral.
The rest of this section concentrates on the parts of the filter, showing you how to translate the pseudocode’s requirements into filter language. The large filter on page 12-13 is broken down into subsets to show how you can create small filters that perform one or two tasks, and then combine them for more sophisticated filtering. Table 12-5 shows how the purpose of each pseudocode step is accomplished in the small series of packet filters.
4 Enter executable instruction #3:
eq    # if the two values on the top of the stack are equal,
      # then return a non-zero value
Packet Filter Two. This filter is designed to accept packets within the socket range of 0x76c and 0x898. These steps show how to create this filter:
1 Name the filter:
“Socket range filter”
2 Enter executable instruction #1:
pushLiteral.w 0x76c    # put the lowest socket value on top
                       # of the stack
3 Enter executable instruction #2:
pushField.
Combining a Subset of the Filters. The next filter accepts IP packets with a socket range of 0x76c (1900) to 0x898 (2200). The filter combines packet filters one and two, modifying them for IP. These steps show how to create this filter.
1 Name the filter:
“Only IP pkts w/in socket range”
2 Perform steps 2 through 4 as described in “Packet Filter One” on page 12-14, except give the pushLiteral instruction (in step 3) a value of 0x0800 for IP.
Combining All the Filters. Together, the four packet filters work to perform the solution to the problem: filtering the broadcast packets from the market data servers. These steps show how to create this filter:
1 Name the filter:
“Discard XNS & IP pkts w/in socket range”
2 Perform steps 2 through 4 as described in “Packet Filter One” on page 12-14.
3 Perform steps 2 through 8 as described in “Packet Filter Two” on page 12-15.
The maximum length of a packet filter definition is 4096 bytes. The editor assumes a terminal capability no higher than a glass tty (that is, it does not assume an addressable screen). You can place any ASCII printable character into the editing buffer at the cursor position. If a character exceeds the maximum line length, the character is discarded and a bell sounds. The editor initially operates in insert mode.
Table 12-6 Packet Filter Editor Commands
Command        Keys    Description
List buffer    Ctrl+l  Displays each of the lines in the editing buffer and then redisplays the line currently being edited
Next Line      Ctrl+n  Moves cursor to next line; positions cursor at start of line
Previous Line  Ctrl+p  Moves cursor to previous line; positions cursor at start of line
Start of Line  Ctrl+a  Moves cursor within a line to the start of the present line
End of Line    Ctrl+e  Moves cursor
Using an External Text Editor
To use an ASCII-based editor to create a packet filter:
1 Create the definition in a text file.
2 From a networked workstation, ftp the file to the Switch 2200 on which you want to load the filter. FTP carries the file and any credentials in clear text, so do the transfer from a management network you control.
3 Load the filter as described in “Loading Packet Filters” on page 12-22.
Editing, Checking and Saving Packet Filters
To edit a packet filter using the Switch 2200 system line editor:
Menu path: bridge ➧ packetFilter ➧ edit
1 From the top level of the Administration Console, enter:
bridge packetF
Loading Packet Filters
When you create packet filters using an external text editor, you must load the filters onto the system from the network host on which you created them. Once loaded, the packet filter definition is converted into the internal format that is used by the packet filter code in the system.
it meets the forwarding criteria. A packet that does not meet the forwarding criteria defined in the filter is discarded.
Unassigning Packet Filters from Ports
Menu path: bridge ➧ packetFilter ➧ unassign
To unassign a packet filter from one or more ports, the packet filter must have been previously assi
13 CONFIGURING ADDRESS AND PORT GROUPS TO USE IN PACKET FILTERS
This chapter describes how to use address and port groups as filtering criteria in a packet filter, and how to administer address and port groups.
Using Groups in Packet Filters
You can use address groups (a list of MAC addresses) and port groups (a list of Switch 2200 Ethernet and FDDI ports) as filtering criteria in a packet filter.
In this example, packets are not forwarded to ports in groups 3 and 8.
Port group packet filter example
Name “Discard Groups 3 and 8”
pushSPGM                # Get source port group mask
pushLiteral.l 0x0084    # Select bits 3 and 8
and                     # If port group bits 3 & 8 are common
                        # with SPGM, then non-zero value is
                        # pushed onto stack
pushLiteral.
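The following Python interpreter is an added example, not part of this guide or of the switch’s software. It runs filter definitions written in the stack-oriented language of Chapter 12 (pushField, pushLiteral, pushTop, the comparison and logic opcodes, accept and reject) together with the group-mask opcodes of this chapter, against constructed Ethernet frames, so that a filter such as the AppleTalk example of Chapter 12 or the port group filter above can be checked before it is loaded. Two points are assumptions, because the guide does not state them: comparison opcodes such as lt compare the popped top of the stack against the element below it (the order under which the AppleTalk filter accepts Ethernet II frames), and fields read past the end of a short frame are zero. GROUP_FILTER is written for this example; it tests the destination port’s group mask (pushDPGM) rather than reproducing the truncated filter above, and bit n of a group mask is taken to be 1 << (n-1), which gives the guide’s 0x0084 for bits 3 and 8. The frame addresses are made up.

```python
WIDTH = {"b": 1, "w": 2, "l": 4, "a": 6}   # size suffixes: byte, word, long, 48-bit address

# Two-operand opcodes, called as f(top, second) after popping both.
# ASSUMPTION: lt/le/gt/ge compare the popped top against the element below it.
BINOPS = {
    "eq": lambda t, s: t == s, "ne": lambda t, s: t != s,
    "lt": lambda t, s: t < s, "le": lambda t, s: t <= s,
    "gt": lambda t, s: t > s, "ge": lambda t, s: t >= s,
    "and": lambda t, s: t & s, "or": lambda t, s: t | s, "xor": lambda t, s: t ^ s,
}


def parse_filter(text):
    """Definition file: optional Name line, '#' comments, one instruction per line."""
    name, program = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Name"):
            name = line[4:].strip().strip('"\u201c\u201d')
        else:
            opcode, *operands = line.split()
            program.append((opcode, operands))
    return name, program


def field(frame, offset, width):
    """Big-endian field at offset. ASSUMPTION: bytes beyond a short frame read as zero."""
    return int.from_bytes(frame[offset:offset + width].ljust(width, b"\x00"), "big")


def run_filter(program, frame, groups=None):
    """True if the frame is forwarded, False if discarded; groups maps SPGM/DPGM/SAGM/DAGM to masks."""
    groups, stack = groups or {}, []
    for opcode, operands in program:
        base, _, suffix = opcode.partition(".")
        if base == "pushField":
            stack.append(field(frame, int(operands[0], 0), WIDTH[suffix]))
        elif base == "pushLiteral":
            stack.append(int(operands[0], 0) & ((1 << 8 * WIDTH[suffix]) - 1))
        elif base == "pushTop":
            stack.append(stack[-1])
        elif base in ("pushSPGM", "pushDPGM", "pushSAGM", "pushDAGM"):
            stack.append(groups.get(base[4:], 0))   # masks the switch supplies at run time
        elif base in BINOPS:
            top, second = stack.pop(), stack.pop()
            stack.append(int(BINOPS[base](top, second)))
        elif base == "not":
            stack.append(int(stack.pop() == 0))
        elif base == "accept":        # accept/reject pop one value and decide early if non-zero
            if stack.pop():
                return True
        elif base == "reject":
            if stack.pop():
                return False
        else:
            raise ValueError(f"unknown opcode {opcode}")
    return bool(stack) and stack[-1] != 0   # ran to completion: forward on non-zero top


def group_mask(*bits):
    """Mask for 1-based group bits: group_mask(3, 8) == 0x0084, the guide's value."""
    return sum(1 << (b - 1) for b in bits)


APPLETALK_FILTER = """
Name "Filter AppleTalk datagrams"
pushField.w 12                # type/length field
pushTop                       # keep a copy for the second test
pushLiteral.w 0x809b          # Phase I AppleTalk Ethernet type
eq
reject                        # Phase I: discard
pushLiteral.w 0x5dc           # 1500, the largest 802.3 length value
lt                            # 0x5dc < type: an Ethernet II frame
accept                        # cannot be Phase II, forward it
pushField.a 16                # 802.3 frame: LLC control, SNAP OUI and type
pushLiteral.a 0x03080007809b  # 03 + Apple OUI 08-00-07 + 809b = Phase II
ne                            # forward only if it is not Phase II
"""

GROUP_FILTER = """
Name "Discard to port groups 3 and 8"
pushDPGM                      # group mask of the port the frame would go out on
pushLiteral.l 0x0084          # bits 3 and 8
and                           # non-zero if that port is in either group
not                           # forward only when it is not
"""

DST, SRC = bytes.fromhex("00803e0a3b02"), bytes.fromhex("08002b123456")   # made-up addresses


def ethernet_ii(ethertype, payload=bytes(46)):
    return DST + SRC + ethertype.to_bytes(2, "big") + payload


def ieee8023(llc, payload=bytes(40)):
    return DST + SRC + len(llc + payload).to_bytes(2, "big") + llc + payload


FRAMES = {                                                   # constructed sample frames
    "phase1": ethernet_ii(0x809B),
    "ip": ethernet_ii(0x0800),
    "phase2": ieee8023(bytes.fromhex("aaaa03080007809b")),   # SNAP, Apple OUI, 809b
    "netbios": ieee8023(bytes.fromhex("f0f003")),            # plain LLC, not AppleTalk
}
```

Running the AppleTalk definition over the four frames shows why the filter needs both reject and accept: the Phase I frame is dropped at the first test, the IP frame leaves early at accept, and only 802.3 frames reach the SNAP comparison, which separates Phase II from other LLC traffic. The same interpreter evaluates GROUP_FILTER once the destination port’s mask is supplied, which is how a filter assigned to a port’s transmit path would see it.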
Displaying Groups
Address group example
In this example, three address groups are defined in the system. The first address group has an id of 1 and the name Accounting. This group uses an address group mask of 1 (the bit set in the mask).
members of the group. The name of the address group in this example is Development, and the group has five members.
Select address group to be displayed [1-n]: 2
Address Group 2 - Development
05-39-24-56-ab-ee
08-29-34-fd-32-14
08-29-34-dd-ee-01
09-34-56-32-12-e3
00-14-32-54-fd-4e
Port group example
In this example, port group 2 is displayed.
Enter the ports in this syntax:
< Ethernet | E | FDDI | F > [port] < port number >
As you enter each address or port, the system attempts to add it to the group. If the address or port you enter is already a member of the group, the system displays a message, as shown next, and the address or port is ignored.
Warning: Selected address was already a member of the address group.
13-6 CHAPTER 13: CONFIGURING ADDRESS AND PORT GROUPS TO USE IN PACKET FILTERS Port group example In this example, a new port group is created and loaded on the system. The bit in the port group mask for the group is 12 and the name of the group is Education. One port is entered and assigned to the group.
Adding Addresses and Ports to Groups

When adding addresses or ports to an existing group, you can either enter the addresses or ports at the prompts or import them from a file. At least one address group or port group must exist before you can add addresses or ports. (See “Creating New Groups” on page 13-4.) An address may be in multiple address groups.

Enter the ports in this syntax:

    < Ethernet | E | FDDI | F > [port] < port number >

As you enter each address or port, the system attempts to add it to the group. If the address or port you enter is already a member of the group, a message is displayed, as shown next, and the address or port is ignored.

Port group example

This example shows a port successfully added to the Manufacturing port group.

Removing Addresses or Ports from a Group

As you enter addresses and ports, the system attempts to remove them from the group. If the address or port is not found in the group, a warning message is displayed, as shown here:

    Warning: Specified address was not a member of the address group.

    OR

    Warning: Specified port was not a member of the port group.

Loading Groups

There is no explicit menu item to load address and port groups that are defined in a file on a remote host. However, you can “load” groups by creating a script on a remote host (which includes your address or port group) and then running that script.
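The group administration described in this chapter (creating groups with a mask bit, adding and removing members with the duplicate and not-found warnings, one address in several groups) exists so that a packet filter can test a frame against the group bitmaps pushed by pushSAGM, pushDAGM and pushSPGM. The following is an added example, not code from the 3Com manual: a small Python model of the address and port group tables that computes those bitmaps for a frame. It assumes 4-byte masks with mask bits numbered from 1 (so bits 3 and 8 together are 0x0084, as in the filter above), that no two groups share a mask bit, and a constructed configuration whose group ids, names and members are made up for the example.

```python
"""Model of the Switch 2200 address and port groups of Chapter 13 and of the group
masks (SAGM, DAGM, SPGM) a packet filter tests.  Added example, not 3Com code."""
import re

MASK_BITS = 32  # assumption: 4-byte masks, since pushSAGM/pushSPGM push 4 bytes (A-3, A-4)


def group_bit(mask_bit):
    """Bit value for a group's mask-bit number.  The page numbers bits from 1, so
    mask bit 1 is 0x1 and bits 3 and 8 together are 0x0084 (the Chapter 13 filter)."""
    if not 1 <= mask_bit <= MASK_BITS:
        raise ValueError(f"mask bit must be 1..{MASK_BITS}")
    return 1 << (mask_bit - 1)


def normalize_mac(text):
    """Accept xx-xx-xx-xx-xx-xx (the page's form) or colon form; return dashed lower case."""
    octets = re.split(r"[-:]", text.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError(f"bad MAC address: {text!r}")
    return "-".join(octets)


def normalize_port(text):
    """Parse the page's port syntax '< Ethernet | E | FDDI | F > [port] < port number >'."""
    m = re.fullmatch(r"\s*(ethernet|e|fddi|f)\s+(?:port\s+)?(\d+)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad port: {text!r}")
    return ("Ethernet" if m.group(1).lower().startswith("e") else "FDDI", int(m.group(2)))


class GroupTable:
    """One table of address groups or of port groups."""

    def __init__(self, kind, normalize):
        self.kind = kind              # "address" or "port", used in the warning text
        self.normalize = normalize
        self.groups = {}              # id -> {"name", "bit", "members"}

    def create(self, group_id, mask_bit, name):
        if group_id in self.groups:
            raise ValueError(f"{self.kind} group {group_id} already exists")
        bit = group_bit(mask_bit)
        if any(g["bit"] == bit for g in self.groups.values()):  # assumption: one bit per group
            raise ValueError(f"mask bit {mask_bit} is already in use")
        self.groups[group_id] = {"name": name, "bit": bit, "members": set()}

    def add(self, group_id, member):
        """Return None, or the warning the console prints for a duplicate (13-5, 13-8)."""
        key = self.normalize(member)
        members = self.groups[group_id]["members"]
        if key in members:
            return f"Warning: Selected {self.kind} was already a member of the {self.kind} group."
        members.add(key)
        return None

    def remove(self, group_id, member):
        """Return None, or the warning printed when the member is not in the group (13-10)."""
        key = self.normalize(member)
        members = self.groups[group_id]["members"]
        if key not in members:
            return f"Warning: Specified {self.kind} was not a member of the {self.kind} group."
        members.discard(key)
        return None

    def mask(self, member):
        """Bitmap of every group containing member; a member may be in several groups."""
        key = self.normalize(member)
        return sum(g["bit"] for g in self.groups.values() if key in g["members"])


def frame_masks(addresses, ports, src_mac, dst_mac, src_port):
    """The three masks the switch makes available to a filter for one frame."""
    return {"sagm": addresses.mask(src_mac), "dagm": addresses.mask(dst_mac),
            "spgm": ports.mask(src_port)}


def demo():
    """Constructed configuration: ids, names and members are made up for this example."""
    addresses = GroupTable("address", normalize_mac)
    addresses.create(1, 1, "Accounting")
    addresses.create(2, 2, "Development")
    for mac in ("05-39-24-56-ab-ee", "08-29-34-fd-32-14", "00-14-32-54-fd-4e"):
        addresses.add(2, mac)
    addresses.add(1, "00-14-32-54-fd-4e")   # the same address in two groups (13-7)
    ports = GroupTable("port", normalize_port)
    ports.create(3, 3, "Manufacturing")
    ports.create(8, 8, "Lab")
    ports.add(3, "E 4")
    ports.add(8, "FDDI port 1")
    return addresses, ports
```

With the demo configuration, a frame from 00-14-32-54-fd-4e entering Ethernet port 4 gets SAGM 0x3 (two groups) and SPGM 0x4, so the “Discard Groups 3 and 8” filter above, which ANDs the SPGM with 0x0084, sees a non-zero result for it. Member keys are normalized before comparison, so an address typed with colons or upper-case hex is still caught by the duplicate check.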
V APPENDIXES

Appendix A Packet Filter Opcodes, Examples, and Syntax Errors
Appendix B Technical Support
A PACKET FILTER OPCODES, EXAMPLES, AND SYNTAX ERRORS

This appendix:
■ Describes the specific opcodes you can use when creating a packet filter
■ Provides numerous examples of commonly used packet filters
■ Describes the possible syntax errors you might receive when loading a packet filter

For information on creating and using packet filters, see Chapter 12.

Opcodes

Opcodes are instructions used in packet filter definitions.
pushField.size
Description: Pushes a field from the target packet onto the stack. Packet data starting at the specified offset is copied onto the stack. The most significant byte of the field is the byte at the specified offset. The number of bytes pushed is determined by the size field of the instruction.

pushTop
Description: Pushes the current top of the stack onto the stack (that is, it reads the top of the stack and pushes the value onto the stack). The size of the push is determined by the size of the contents of the stack.
Storage Needed: 1 byte

pushSAGM
Description: Pushes the source address group mask (SAGM) onto the top of the stack. The SAGM is a bitmap representing the groups to which the source address of a packet belongs. This instruction pushes 4 bytes onto the stack.

pushSPGM
Description: Pushes the source port group mask (SPGM) onto the top of the stack. The SPGM is a bitmap representing the groups to which the source port of a packet belongs. This instruction pushes 4 bytes onto the stack. Each port group mask is represented by a single bit in the SPGM bitmap.

ne (not equal)
Description: Pops two values from the stack and compares them. If they are not equal, a byte containing a non-zero value is pushed onto the stack; otherwise, a byte containing 0 is pushed. The size of the operands is determined by the contents of the stack.
Storage Needed: 1 byte

lt (less than)
Description: Pops two values from the stack and performs an unsigned comparison.

gt (greater than)
Description: Pops two values from the stack and performs an unsigned comparison. If the first is greater than the second, a byte containing a non-zero value is pushed onto the stack; otherwise, a byte containing 0 is pushed. The size of the operands is determined by the contents of the stack.

or (bit-wise OR)
Description: Pops two values from the stack and pushes the bit-wise OR of these values back onto the stack. The size of the operands and the result are determined by the contents of the stack.
Storage Needed: 1 byte

xor (bit-wise exclusive-OR)
Description: Pops two values from the stack and pushes the bit-wise exclusive-OR of these values back onto the stack. The size of the operands and the result are determined by the contents of the stack.

reject
Description: Conditionally rejects the packet being examined. A byte is popped from the stack. If it is non-zero, the packet is rejected and evaluation of the filter ends immediately; otherwise, filter evaluation continues with the next instruction.
Storage Needed: 1 byte

shiftl (shift left)
Description: Pops two values from the stack and shifts the first operand left by the number of bits specified by the second operand.
Packet Filter Examples

The following examples of using the packet filter language start with basic packet filter concepts.

Destination Address Filter

This filter operates on the destination address field of a frame. It allows packets to be forwarded that are destined for stations with an Organizationally Unique Identifier (OUI) of 08-00-02. To customize this filter to another OUI value, change the literal value loaded in the last pushLiteral.l instruction.

Type Filter

This filter operates on the type field of a frame. It allows packets to be forwarded that are IP frames. To customize this filter to another type value, change the literal value loaded in the pushLiteral.w instruction.

    name
    pushField.w
    pushLiteral.w
    eq

Ethernet Type

IPX and Multicast Filter

This filter rejects frames that have either a Novell IPX Ethernet type field (8134 hex as printed here; the registered Novell IPX EtherType is 8137 hex, so verify the literal your filter loads) or a multicast destination address.

Source Address and Type Filter

This filter operates on the source address and type fields of a frame. It allows XNS packets to be forwarded that are from stations with an OUI of 08-00-02. To customize this filter to another OUI value, change the literal value loaded in the last pushLiteral.l instruction. Note that the OUI must be padded with an additional 00 to fill out the literal to 4 bytes.

Address Group Filter

This filter accepts only frames whose source and destination address are in the same group.

    name
    pushSAGM
    pushDAGM
    and
    destination pushLiteral.
Common Syntax Errors

When a packet filter definition is loaded, the definition is checked for syntax errors. The syntax errors and their causes are listed in Table A-1.

Table A-1  Possible Syntax Errors When Loading Packet Filters

Syntax Error                  Description
Opcode not found              An opcode was expected on the line and was not found. The opcode must be one of those described in “Opcodes” on page A-1 and must include the size, if any. The opcode and size must be separated by a single “.
Invalid characters in number  The number specified as an offset or literal is improperly formatted. Possible causes are 1) lack of white space setting off the number, and 2) invalid characters in the number. Note: The radix of the number is determined by the first 1 or 2 characters of the number.
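The opcode descriptions, the example filters and the load-time checks of Table A-1 together define a small stack machine. The following is an added example, not code from the 3Com manual: a Python interpreter for the filter language as this appendix describes it, with two of the example filters reconstructed from their prose descriptions (the page's own listings lost their operands). Everything beyond the page is an assumption and is marked in the code: a .b (1-byte) size alongside the page's .w and .l, straight quotes around the filter name, that the “first” operand of a two-operand opcode is the value pushed first, that a filter which runs out of instructions forwards the frame when the top of stack is non-zero (the Type Filter above ends in eq with no accept), Ethernet II field offsets 0 and 12, the registered IPX EtherType 0x8137, and constructed sample frames.

```python
"""Interpreter for the stack-based packet filter language of Appendix A.  Added
example, not 3Com code; semantics follow the page's opcode descriptions."""
import re

WIDTH = {"b": 1, "w": 2, "l": 4}  # .w and .l appear on the page; .b (1 byte) is assumed
NO_OPERAND = {"pushTop", "pushSAGM", "pushDAGM", "pushSPGM", "eq", "ne", "lt", "gt",
              "and", "or", "xor", "shiftl", "shiftr", "accept", "reject"}

class FilterError(Exception):
    pass  # load-time problems of the kinds Table A-1 lists, and run-time faults

def parse_filter(text):
    """Return (name, program).  '#' starts a comment, as in the page's listings."""
    name, program = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'name\s+"([^"]*)"', line, re.IGNORECASE)
        if m:
            name = m.group(1)
            continue
        parts = line.split()
        op, _, size = parts[0].partition(".")
        if op in ("pushField", "pushLiteral") and size in WIDTH and len(parts) == 2:
            try:  # radix from the leading characters (0x...), as Table A-1 describes
                operand = int(parts[1], 0)
            except ValueError:
                raise FilterError(f"Invalid characters in number: {parts[1]}") from None
        elif op in NO_OPERAND and not size and len(parts) == 1:
            operand = None
        else:
            raise FilterError(f"Opcode not found: {line}")
        program.append((op, WIDTH.get(size), operand))
    return name, program

def run_filter(program, frame, sagm=0, dagm=0, spgm=0):
    """Evaluate program over frame (bytes): True = forward, False = discard.  Stack
    entries are (value, width); sagm/dagm/spgm are the 4-byte group bitmaps."""
    stack = []
    def pop():
        if not stack:
            raise FilterError("stack underflow")
        return stack.pop()
    for op, width, operand in program:
        if op == "pushField":
            if operand + width > len(frame):
                raise FilterError("pushField reads past the end of the frame")
            stack.append((int.from_bytes(frame[operand:operand + width], "big"), width))
        elif op == "pushLiteral":
            stack.append((operand & ((1 << 8 * width) - 1), width))
        elif op == "pushTop":
            stack.append(stack[-1] if stack else pop())  # pop() reports the underflow
        elif op in ("pushSAGM", "pushDAGM", "pushSPGM"):
            stack.append(({"pushSAGM": sagm, "pushDAGM": dagm, "pushSPGM": spgm}[op], 4))
        elif op in ("accept", "reject"):  # pop a byte; act only when it is non-zero
            if pop()[0]:
                return op == "accept"
        else:  # two-operand opcodes; assumption: "first" means the value pushed first
            (b, wb), (a, wa) = pop(), pop()
            if op in ("eq", "ne", "lt", "gt"):  # unsigned compare, push a 1-byte flag
                stack.append((int({"eq": a == b, "ne": a != b, "lt": a < b, "gt": a > b}[op]), 1))
            elif op in ("and", "or", "xor"):
                stack.append(({"and": a & b, "or": a | b, "xor": a ^ b}[op], max(wa, wb)))
            else:  # shiftl / shiftr: first operand shifted by the second
                stack.append(((a << b) & ((1 << 8 * wa) - 1) if op == "shiftl" else a >> b, wa))
    # Assumption (consistent with the page's Type Filter, which ends in eq with no
    # accept): when the program runs out, a non-zero top of stack forwards the frame.
    return bool(pop()[0])

def evaluate(text, frame, **masks):
    return run_filter(parse_filter(text)[1], frame, **masks)

# Constructed sample frames: 6-byte DA, 6-byte SA, 2-byte type, 46 zero payload bytes.
IP_TO_3COM = bytes.fromhex("080002aabbcc 00143254fd4e 0800") + bytes(46)
IPX_UNICAST = bytes.fromhex("082934ddee01 00143254fd4e 8137") + bytes(46)
MCAST_IP = bytes.fromhex("01005e000001 00143254fd4e 0800") + bytes(46)

# Filters reconstructed from the Appendix A descriptions (the page's listings are
# truncated); offsets 0 (DA) and 12 (type) are the Ethernet II field positions.
DEST_OUI = '''
name "Forward to OUI 08-00-02"
pushField.l 0              # first 4 bytes of the destination address
pushLiteral.l 0xffffff00   # keep only the 3-byte OUI
and
pushLiteral.l 0x08000200   # OUI padded with 00 to fill the 4-byte literal (A-11)
eq
'''
NO_IPX_OR_MCAST = '''
name "Discard IPX and multicast"
pushField.w 12
pushLiteral.w 0x8137       # Novell IPX EtherType (the page prints 8134 hex)
eq
pushField.b 0
pushLiteral.b 0x01         # I/G bit of the destination address: set for multicast
and
or
reject                     # discard when either test is non-zero
pushLiteral.b 1            # otherwise leave a non-zero value on the stack: forward
'''
```

Load-time problems surface from parse_filter as FilterError with the Table A-1 wording (a bad size, a missing or extra operand, a number with invalid characters). The interpreter also refuses a pushField that would read past the end of a short frame, a check the page does not describe but that matters once filters read deeper than the Ethernet header. The port group filter of Chapter 13 runs unchanged through evaluate with an spgm argument.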
B TECHNICAL SUPPORT

3Com provides easy access to technical support information through a variety of services. This appendix describes these services.

Access by ISDN

ISDN users can dial in to 3ComBBS using a digital modem for fast access up to 56 Kbps. To access 3ComBBS using ISDN, dial the following number:

    (408) 654 2703

World Wide Web Site

Access the latest networking information on 3Com’s World Wide Web site by entering our URL into your Internet browser:

    http://www.3Com.

3ComFacts(SM) Automated Fax Service

3Com Corporation’s interactive fax service, 3ComFacts, provides data sheets, technical articles, diagrams, and troubleshooting instructions on 3Com products 24 hours a day, seven days a week. Call 3ComFacts using your touch-tone telephone and international access numbers:

    Country      Telephone Number
    Hong Kong    (852) 2537 5610
    U.K.         (44) (1442) 278279
    U.S.

Support from 3Com

If you are unable to receive support from your network supplier, technical support contracts are available from 3Com. In the U.S. and Canada, call (800) 876-3266 for customer service. If you are outside the U.S.