OmniSwitch 6800 Series / OmniSwitch 6850 Series / OmniSwitch 9000 Series
Network Configuration Guide
Part No. 060217-10, Rev. A, June 2006
www.alcatel.
This user guide documents release 6.1.1 of the OmniSwitch 9000 Series and release 6.1.2 of the OmniSwitch 6800 Series and of the OmniSwitch 6850 Series. The functionality described in this guide is subject to change without notice. Copyright © 2006 by Alcatel Internetworking, Inc. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel Internetworking, Inc. Alcatel® and the Alcatel logo are registered trademarks of Alcatel.
Contents (excerpt)

About This Guide (xxix)
  Supported Platforms (xxix)
  Who Should Read this Manual? (xxx)
  When Should I Read this Manual?
Configuring a Port Alias (1-12)
  Configuring Maximum Frame Sizes (1-13)
  Setting Ethernet Parameters for Non Combo Ports (1-13)
  Setting Interface Line Speed (1-14)
  Configuring Duplex Mode
MST General Overview (3-4)
  How MSTP Works (3-4)
  Comparing MSTP with STP and RSTP (3-7)
  What is a Multiple Spanning Tree Instance (MSTI) (3-7)
  What is a Multiple Spanning Tree Region
VLAN Management Overview (5-4)
  Creating/Modifying VLANs (5-5)
  Adding/Removing a VLAN (5-5)
  Enabling/Disabling the VLAN Administrative Status (5-6)
  Modifying the VLAN Description
Enabling/Disabling Spanning Tree on a Port (6-23)
  Spanning Tree on Link Aggregate Ports (6-24)
  Configuring Port Priority (6-24)
  Port Priority on Link Aggregate Ports (6-25)
  Configuring Port Path Cost
Creating/Deleting a Port Mapping Session (8-3)
  Creating a Port Mapping Session (8-3)
  Deleting a User/Network Port of a Session (8-3)
  Deleting a Port Mapping Session (8-3)
  Enabling/Disabling a Port Mapping Session
Application Example: DHCP Rules (9-22)
  The VLANs (9-22)
  DHCP Servers and Clients (9-22)
  Verifying VLAN Rule Configuration (9-25)
Chapter 10 Using Interswitch Protocols
Application-Layer Protocols (12-4)
  Additional IP Protocols (12-5)
  IP Forwarding (12-6)
  Configuring an IP Router Interface (12-7)
  Modifying an IP Router Interface
Adding and Deleting Ports in a Static Aggregate Group (13-9)
  Adding Ports to a Static Aggregate Group (13-9)
  Removing Ports from a Static Aggregate Group (13-9)
  Modifying Static Aggregation Group Parameters (13-10)
  Modifying the Static Aggregate Group Name
Modifying Dynamic Aggregate Partner Port Parameters (14-23)
  Modifying the Partner Port System Administrative State (14-23)
  Modifying the Partner Port Administrative Key (14-25)
  Modifying the Partner Port System ID (14-25)
  Modifying the Partner Port System Priority
RIP Routing (16-5)
  Loading RIP (16-6)
  Enabling RIP (16-6)
  Creating a RIP Interface
Chapter 18 Configuring DHCP Relay (18-1)
  In This Chapter (18-1)
  DHCP Relay Specifications (18-2)
  DHCP Relay Defaults
VRRP Overview (19-4)
  Why Use VRRP? (19-5)
  Definition of a Virtual Router (19-5)
  VRRP MAC Addresses (19-6)
  ARP Requests
Flushing the IPX RIP/SAP Tables (20-14)
  Verifying the IPX Configuration (20-15)
Chapter 21 Managing Authentication Servers (21-1)
  In This Chapter
Chapter 22 Configuring Authenticated VLANs (22-1)
  In This Chapter (22-1)
  Authenticated Network Overview (22-2)
  AVLAN Configuration Overview (22-4)
  Sample AVLAN Configuration
802.1X Overview (23-6)
  Supplicant Classification (23-6)
  802.1X Ports and DHCP (23-7)
  Re-authentication (23-7)
  802.1X Accounting
Quick Steps for Importing ACL Text Files (25-4)
  ACLMAN Overview (25-5)
  ACLMAN Configuration File (25-5)
  ACL Text Files (25-6)
  ACL Precedence
Configuring Global QoS Parameters (26-13)
  Enabling/Disabling QoS (26-13)
  Setting the Global Default Dispositions (26-13)
  Setting the Global Default Servicing Mode (26-14)
  Using the QoS Log
Creating MAC Groups (26-39)
  Creating Port Groups (26-40)
  Port Groups and Maximum Bandwidth (26-41)
  Verifying Condition Group Configuration (26-43)
  Using Map Groups
Layer 3 ACLs (27-11)
  Layer 3 ACL: Example 1 (27-12)
  Layer 3 ACL: Example 2 (27-12)
  Multicast Filtering ACLs (27-12)
  Using ACL Security Features
Modifying IPMS Parameters (28-12)
  Modifying the IGMP Query Interval (28-12)
  Configuring the IGMP Query Interval (28-12)
  Restoring the IGMP Query Interval (28-12)
  Modifying the IGMP Last Member Query Interval
Modifying IPMSv6 Parameters (28-25)
  Modifying the MLD Query Interval (28-25)
  Configuring the MLD Query Interval (28-25)
  Restoring the MLD Query Interval (28-25)
  Modifying the MLD Last Member Query Interval
Remote Monitoring (RMON) Overview (29-10)
  RMON Specifications (29-10)
  RMON Probe Defaults (29-11)
  Quick Steps for Enabling/Disabling RMON Probes (29-11)
  Switch Health Overview
Remote Monitoring (RMON) (29-32)
  Ethernet Statistics (29-33)
  History (Control & Statistics) (29-33)
  Alarm (29-33)
  Event
Appendix A Software License and Copyright Statements (A-1)
  Alcatel License Agreement (A-1)
  ALCATEL INTERNETWORKING, INC. ("AII") SOFTWARE LICENSE AGREEMENT (A-1)
  Third Party Licenses and Notices
page -xxviii OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006
About This Guide

This OmniSwitch 6800/6850/9000 Network Configuration Guide describes how to set up and monitor software features that will allow your switch to operate in a live network environment. The software features described in this manual are shipped standard with your OmniSwitch 6800 Series, OmniSwitch 6850 Series, and OmniSwitch 9000 Series switches. These features are used when setting up your OmniSwitch in a network of switches and routers.
Who Should Read this Manual?

The audience for this user guide is network administrators and IT support personnel who need to configure, maintain, and monitor switches and routers in a live network. However, anyone wishing to gain knowledge on how fundamental software features are implemented in the OmniSwitch 9000 Series will benefit from the material in this configuration guide.
What is Not in this Manual?

The configuration procedures in this manual use Command Line Interface (CLI) commands in all examples. CLI commands are text-based commands used to manage the switch through serial (console port) connections or via Telnet sessions. Procedures for other switch management methods, such as web-based (WebView or OmniVista) or SNMP, are outside the scope of this guide.
Documentation Roadmap

The OmniSwitch user documentation suite was designed to supply you with information at several critical junctures of the configuration process. The following section outlines a roadmap of the manuals that will help you at each stage of the configuration process. Under each stage, we point you to the manual or manuals that will be most helpful to you.
Stage 3: Integrating the Switch Into a Network

Pertinent Documentation: Network Configuration Guide; Advanced Routing Configuration Guide

When you are ready to connect your switch to the network, you will need to learn how the OmniSwitch implements fundamental software features, such as 802.1Q, VLANs, Spanning Tree, and network routing protocols.
Related Documentation

The following are the titles and descriptions of all the related OmniSwitch 6800/6850/9000 user manuals:

• OmniSwitch 6800 Series Getting Started Guide
  Describes the hardware and software procedures for getting an OmniSwitch 6800 Series switch up and running. Also provides information on fundamental aspects of OmniSwitch software and stacking architecture.
• OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide
  Includes network configuration procedures and descriptive information on all the software features and protocols included in the advanced routing software package. Chapters cover multicast routing (DVMRP and PIM-SM), and OSPF.

• Technical Tips, Field Notices
  Includes information published by Alcatel's Customer Support group.
User Manual CD

All user guides for the OmniSwitch 9000 Series are included on the User Manual CD that accompanied your switch. This CD also includes user guides for other Alcatel data enterprise products. In addition, it contains a stand-alone version of the on-line help system that is embedded in the OmniVista network management application.
1 Configuring Ethernet Ports

The Ethernet software is responsible for a variety of functions that support Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports on OmniSwitch 6800, 6850, and 9000 switches. These functions include diagnostics, software loading, initialization, configuration of line parameters, gathering statistics, and responding to administrative requests from SNMP or CLI.
Ethernet Specifications

IEEE Standards Supported:
  802.3 Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
  802.3u (100BaseTX)
  802.3ab (1000BaseT)
  802.3z (1000Base-X)
  802.
Non Combo Port Defaults

The following table shows non combo port default values.
Ethernet Ports Overview

This chapter describes the Ethernet software CLI commands used for configuring and monitoring your switch's Ethernet port parameters. These commands allow you to handle administrative or port-related requests to and from SNMP, CLI, or WebView.

Note. OmniSwitch 9000 Series switches do not support combo ports. These ports are supported on OmniSwitch 6800 Series and OmniSwitch 6850 Series switches only.
Valid Port Settings on OmniSwitch 6800 Series Switches

The table below lists valid speed, duplex, and autonegotiation settings for the different OmniSwitch 6800 Series port types.

Chassis Type (Port Nos.)           Port Type   User-Specified Port   User-Specified      Autonegotiation
                                               Speed (Mbps)          Duplex Supported    Supported?
                                               Supported
OmniSwitch 6800-48 (ports 49–50)   Fiber XFP   10000                 full                Yes

See the OmniSwitch 6850 Series Hardware Users Guide for more information about the OmniSwitch 6850 hardware that is supported in the current release.
Autonegotiation Guidelines

Please note that a link will not be established on any copper Ethernet port if any one of the following is true:

• The local port advertises 100 Mbps full duplex and the remote link partner is forced to 100 Mbps full duplex.
• The local port advertises 100 Mbps full duplex and the remote link partner is forced to 100 Mbps half duplex.
Setting Ethernet Parameters for All Port Types

The following sections describe how to configure Ethernet port parameters using CLI commands that can be used on all port types.
Resetting Statistics Counters

The interfaces no l2 statistics command is used to reset all Layer 2 statistics counters on a specific port, a range of ports, or all ports on a switch (slot). To reset Layer 2 statistics on an entire slot, enter interfaces followed by the slot number and no l2 statistics.
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number.
Multicast Flood Rate Limiting

The interfaces flood multicast command is used to enable or disable flood rate limiting for multicast traffic on a single port, a range of ports, or all ports on a switch (slot). When multicast flood rate limiting is enabled, the peak flood rate value for a port is applied to both multicast and flooded traffic. By default, multicast flood rate limiting is disabled for a port.
By default the following peak flood rate values are used for limiting the rate at which traffic is flooded on a switch port:

Port type                 Default peak flood rate (Mbps)
10 Mbps Ethernet          4
100 Mbps Fast Ethernet    49
Gigabit Ethernet          496
10 Gigabit Ethernet       997

To change the peak flood rate for an entire slot, enter interfaces followed by the slot number, flood rate, and the flood rate in megabits.
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number.
Setting Ethernet Parameters for Non Combo Ports

The following sections describe how to use CLI commands to configure non combo ports. (See the tables in "Valid Port Settings on OmniSwitch 6800 Series Switches" on page 1-5, "Valid Port Settings on OmniSwitch 6850 Series Switches" on page 1-5, and "Valid Port Settings on OmniSwitch 9000 Series Switches" on page 1-6 for more information.)
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number.
To configure the inter-frame gap on an entire slot, enter interfaces, followed by the slot number, ifg, and the desired inter-frame gap value. For example, to set the inter-frame gap value on slot 2 to 10 bytes, enter:

-> interfaces 2 ifg 10

To configure the inter-frame gap on a single port, enter interfaces, followed by the slot number, a slash (/), the port number, ifg, and the desired inter-frame gap value.
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number. For example, to enable autonegotiation on port 3 on slot 2 and document the port as Ethernet, enter:

-> interfaces ethernet 2/3 autoneg enable

Note. Please refer to "Autonegotiation Guidelines" on page 1-7 for guidelines on configuring autonegotiation.
Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches

The following sections describe how to use CLI commands to configure combo ports on OmniSwitch 6800 and 6850 switches only.

• Ports 21–24 on the OmniSwitch 6800-24 and OmniSwitch 6850-24 switches are combo ports.
• Ports 45–48 on the OmniSwitch 6800-48 and OmniSwitch 6850-48 switches are combo ports.
Setting Combo Ports to Preferred Copper

In preferred copper mode, combo ports will use the copper RJ-45 10/100/1000 port instead of the fiber MiniGBIC SFP port, if both ports are enabled and have a valid link. If the copper port goes down, then the switch will automatically switch to the fiber MiniGBIC SFP port.
Setting Combo Ports to Preferred Fiber

In preferred fiber mode (the default), combo ports will use the fiber MiniGBIC SFP port instead of the copper RJ-45 10/100/1000 port if both ports are enabled and have a valid link. If the fiber port goes down, then the switch will automatically switch to the copper RJ-45 port.
To set the line speed on a single combo port, enter interfaces, followed by the slot number, a slash (/), the combo port number, hybrid, either fiber or copper, and the desired speed.
copper, duplex, and the desired duplex setting (auto, full, or half). For example, to set the duplex mode on fiber combo ports 45 through 48 on slot 2 to full, enter:

-> interfaces 2/45-48 hybrid fiber duplex full

As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number.
Note. Please refer to "Autonegotiation Guidelines" on page 1-7 for guidelines on configuring autonegotiation.

Configuring Crossover Settings for Combo Ports

To configure crossover settings on a single combo port, a range of combo ports, or all combo ports in an entire slot, use the interfaces hybrid crossover command.
Combo Port Application Example

The figure below shows a sample application example for using OmniSwitch 6800 Series combo ports. Workstations A and B are connected with 100 Mbps links to copper combo ports 1/45 and 1/46, respectively. (MiniGBIC SFP combo ports 1/45 and 1/46 are unused.) Server A has a primary 1 Gbps fiber connection to combo MiniGBIC SFP port 1/47 and a backup 100 Mbps connection to copper combo port 1/47.
3 Verify that combo ports 1/47 and 1/48 are set to the default setting of preferred fiber (which will make the MiniGBIC SFP ports 1/47 and 1/48 the primary connections while copper combo ports 1/47 and 1/48 will only become active if the equivalent MiniGBIC SFP ports go down) with the show interfaces status command as shown below:

-> show interfaces 1/45-48 status
                     DETECTED                          CONFIGURED
Slot/Port  AutoNego  Speed  Duplex  Hybrid   Speed  Duplex  Hybrid   Trap
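Step 3 is a check done by eye on the show interfaces status output. As an added example that is not code from the OmniSwitch guide, the Python script below parses that output and reports any combo port whose configured hybrid mode is not the preferred-fiber default, plus any port that has no status row at all. The sample output is constructed, and the exact column layout and the hybrid-mode abbreviations used here (PF for preferred fiber, PC for preferred copper) are assumptions about the switch's output format; adjust the regular expression to the output of your own switch.

```python
"""Audit combo-port hybrid mode from 'show interfaces ... status' output.

Added example, not code from the OmniSwitch guide. The sample output below is
constructed; the column layout and the hybrid-mode abbreviations (PF = preferred
fiber, PC = preferred copper) are assumptions about the real output format.
"""
import re
from dataclasses import dataclass

# Constructed sample of 'show interfaces 1/45-48 status'. Port 1/48 is deliberately
# left in preferred-copper mode so the audit has something to flag.
SAMPLE_OUTPUT = """\
                      DETECTED                        CONFIGURED
 Slot/ AutoNego  Speed   Duplex  Hybrid   Speed   Duplex  Hybrid   Trap
 Port            (Mbps)          Type     (Mbps)          Mode     LinkUpDown
-----+---------+-------+-------+--------+-------+-------+--------+----------
  1/45  Enable    100     Full    Copper   Auto    Auto    PC       -
  1/46  Enable    100     Full    Copper   Auto    Auto    PC       -
  1/47  Enable    1000    Full    Fiber    Auto    Auto    PF       -
  1/48  Enable    100     Full    Copper   Auto    Auto    PC       -
"""


@dataclass(frozen=True)
class PortStatus:
    port: str
    autoneg: str
    detected_speed: str
    detected_duplex: str
    detected_media: str
    configured_speed: str
    configured_duplex: str
    hybrid_mode: str
    trap: str


# One data row: slot/port followed by eight whitespace-separated columns.
# Header and separator lines do not start with a slot/port pair, so they never match.
ROW_RE = re.compile(r"^\s*(\d+/\d+)" + r"\s+(\S+)" * 8 + r"\s*$")


def parse_status(output: str) -> list[PortStatus]:
    """Return one PortStatus per data row of the command output."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            rows.append(PortStatus(*match.groups()))
    return rows


def audit_hybrid_mode(output: str, ports, expected_mode: str = "PF"):
    """Check that each listed combo port is configured with expected_mode.

    Returns (drifted, missing): ports whose configured hybrid mode differs from
    the expected one, and ports that produced no status row (also a finding,
    since a silently absent port cannot be assumed to be in the right mode).
    """
    rows = {r.port: r for r in parse_status(output)}
    wanted = list(ports)
    drifted = [p for p in wanted if p in rows and rows[p].hybrid_mode != expected_mode]
    missing = [p for p in wanted if p not in rows]
    return drifted, missing


if __name__ == "__main__":
    drifted, missing = audit_hybrid_mode(SAMPLE_OUTPUT, ["1/47", "1/48"])
    print("not preferred fiber:", drifted)
    print("no status row:", missing)
```

Run against the real command output captured from a Telnet or console session, the same audit turns the one-off verification in step 3 into a repeatable check that a server's fiber primary link has not been quietly re-homed to its copper backup.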
Verifying Ethernet Port Configuration

To display information about Ethernet port configuration settings, use the show commands listed in the following table.

show interfaces flow control    Displays interface flow control wait time settings in nanoseconds.
show interfaces                 Displays general interface information, such as hardware, MAC address, input and output errors.
show interfaces accounting      Displays interface accounting information.
2 Managing Source Learning

Transparent bridging relies on a process referred to as source learning to handle traffic flow. Network devices communicate by sending and receiving data packets that each contain a source MAC address and a destination MAC address. When packets are received on switch network interface (NI) module ports, source learning examines each packet and compares the source MAC address to entries in a MAC address database table.
Source Learning Specifications

RFCs supported:
  2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
IEEE Standards supported:
  802.1Q - Virtual Bridged Local Area Networks
  802.
Sample MAC Address Table Configuration

1 Create VLAN 200, if it does not already exist, using the following command:

-> vlan 200

2 Assign switch ports 2 through 5 on slot 3 to VLAN 200, if they are not already associated with VLAN 200, using the following command:

-> vlan 200 port default 3/2-5

3 Create a static MAC address entry using the following command to assign address 002D95:5BF30E to port 3/4 associated with VLAN 200 and to specify a permanent management status for the s
MAC Address Table Overview

Source learning builds and maintains the MAC address table on each switch. New MAC address table entries are created in one of two ways: they are dynamically learned or statically assigned. Dynamically learned MAC addresses are those that are obtained by the switch when source learning examines data packets and records the source address and the port and VLAN it was learned on.
Configuring Static MAC Addresses

To configure a permanent, bridging static MAC address, enter mac-address-table followed by a MAC address, slot/port, and the VLAN ID to assign to the MAC address.
Configuring MAC Address Table Aging Time

Source learning also tracks MAC address age and removes addresses from the MAC address table that have aged beyond the aging timer value. When a device stops sending packets, source learning keeps track of how much time has passed since the last packet was received on the device's switch port. When this amount of time exceeds the aging time value, the MAC is aged out of the MAC address table.
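The three preceding sections (dynamic versus static entries, the static MAC address command, and aging) describe one data structure. The Python model below, an added example that is not code from the OmniSwitch guide or its software, implements that table: source learning on frame arrival, permanent entries that are never overwritten or aged out, an aging sweep driven by a timestamp, and a MAC-move result a defender can log. The 300-second default aging time, the MAC normalization rules, and the result strings returned by learn() are assumptions of this model, not switch behaviour documented on the page.

```python
"""Model of the source-learning MAC address table: dynamic learning,
static (permanent) entries and aging.

Added example, not code from the OmniSwitch guide. The 300 s default aging
time and the learn() result strings are assumptions of this model.
"""
from dataclasses import dataclass


@dataclass
class MacEntry:
    port: str          # slot/port the address was learned on or assigned to
    vlan: int
    static: bool       # permanent entries are never aged out or overwritten
    last_seen: float   # seconds; only meaningful for dynamic entries


def normalize_mac(mac: str) -> str:
    """Accept 002D95:5BF30E, 00:2d:95:5b:f3:0e or 002d955bf30e; return xx:xx:xx:xx:xx:xx."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class MacAddressTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time
        # keyed by (vlan, mac): the same address may be learned in several VLANs
        self.entries: dict[tuple[int, str], MacEntry] = {}

    def add_static(self, mac: str, port: str, vlan: int) -> None:
        """Permanent entry, the counterpart of the mac-address-table CLI command."""
        self.entries[(vlan, normalize_mac(mac))] = MacEntry(port, vlan, True, 0.0)

    def learn(self, mac: str, port: str, vlan: int, now: float) -> str:
        """Source learning on frame arrival; returns what the table did with it."""
        key = (vlan, normalize_mac(mac))
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = MacEntry(port, vlan, False, now)
            return "learned"
        if entry.static:
            # A permanently assigned address arriving on some other port is worth
            # logging: either the device was re-cabled or the source is spoofed.
            return "static-conflict" if entry.port != port else "static"
        moved = entry.port != port
        entry.port, entry.last_seen = port, now
        return "moved" if moved else "refreshed"

    def age(self, now: float) -> int:
        """Drop dynamic entries idle longer than aging_time; return how many were removed."""
        expired = [key for key, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for key in expired:
            del self.entries[key]
        return len(expired)

    def lookup(self, mac: str, vlan: int):
        """Port an address would be forwarded to in this VLAN, or None if unknown."""
        entry = self.entries.get((vlan, normalize_mac(mac)))
        return entry.port if entry else None


if __name__ == "__main__":
    table = MacAddressTable()
    table.add_static("002D95:5BF30E", "3/4", 200)          # step 3 of the sample configuration
    print(table.learn("00:11:22:33:44:55", "3/2", 200, now=10.0))   # learned
    print(table.learn("00:11:22:33:44:55", "3/5", 200, now=60.0))   # moved
    print(table.learn("002d955bf30e", "3/2", 200, now=70.0))        # static-conflict
    print(table.age(now=361.0), "dynamic entries aged out")          # 1
    print(table.lookup("002D95:5BF30E", 200))                        # 3/4 survives aging
```

The table is keyed on (VLAN, MAC) rather than MAC alone, which is why the sample configuration has to name VLAN 200 when it creates the static entry: the same address can legitimately exist in two VLANs. The "moved" and "static-conflict" results are the events a monitoring system would want from a real switch, since a static address showing up on an unexpected port is the simplest sign of address spoofing on an access layer.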
Selecting the Source Learning Mode

There are two types of source learning modes currently available: software and hardware. The software mode performs all source learning using switch software. The hardware mode takes advantage of hardware resources that are now available to perform source learning tasks. At the present time, it is possible to select which mode is active for the chassis and/or a given set of ports.
Displaying Source Learning Information

To display MAC Address Table entries, statistics, and aging time values, use the show commands listed below:

show mac-address-table          Displays a list of all MAC addresses known to the MAC address table, including static MAC addresses.
show mac-address-table count    Displays a count of the different types of MAC addresses (learned, permanent, reset, and timeout).
3 Using 802.1s Multiple Spanning Tree

The Alcatel Multiple Spanning Tree (MST) implementation provides support for the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP). Like the 802.1D Spanning Tree Algorithm and Protocol (STP) and the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), MSTP ensures that there is only ever one data path between any two switches for a given Spanning Tree instance, which prevents network loops. MSTP is an enhancement to the 802.
MST Specifications

IEEE Standards supported:
  802.1D – Media Access Control (MAC) Bridges
  802.1w – Rapid Reconfiguration (802.1D Amendment 2)
  802.1Q – Virtual Bridged Local Area Networks
  802.1s – Multiple Spanning Trees (802.1Q Amendment 3)
Spanning Tree Operating Modes supported:
  Flat mode - one spanning tree instance per switch
  1x1 mode - one spanning tree instance per VLAN
Spanning Tree Protocols supported:
  802.
Parameter Description            Command                         Default
Automatic VLAN Containment       bridge auto-vlan-containment    Disabled

Spanning Tree Port Parameter Defaults

Parameter Description                      Command                       Default
Spanning Tree port administrative state    bridge slot/port              Enabled
Spanning Tree port priority value          bridge slot/port priority     7
Spanning Tree port path cost.
MST General Overview

The Multiple Spanning Tree (MST) feature allows for the mapping of one or more VLANs to a single Spanning Tree instance, referred to as a Multiple Spanning Tree Instance (MSTI), when the switch is running in the flat Spanning Tree mode. MST uses the Multiple Spanning Tree Algorithm and Protocol (MSTP) to define the Spanning Tree path for each MSTI. In addition, MSTP provides the ability to group switches into MST Regions.
[Figure: 1x1 Mode STP/RSTP. Two switches, each running a separate Spanning Tree instance for VLAN 100 and for VLAN 200.]

In the above 1x1 mode example:

• Both switches are running in the 1x1 mode (one Spanning Tree instance per VLAN).
• VLAN 100 and VLAN 200 are each associated with their own Spanning Tree instance.
[Figure: Flat Mode MSTP (802.1s). Two switches connected by ports 3/1, 2/1, 4/2, 5/1, 5/2, 3/6, 4/8 and 2/12; VLANs 100 and 150 on CIST-0, VLANs 200 and 250 on MSTI-2.]
In the above flat mode MSTP example:
• Both switches are running in the flat mode and using MSTP.
• VLANs 100 and 150 are not associated with an MSTI. By default they are controlled by the CIST instance 0, which exists on every switch.
Comparing MSTP with STP and RSTP

Using MSTP (802.1s) has the following items in common with STP (802.1D) and RSTP (802.1w) protocols:
• Each protocol ensures one data path between any two switches within the network topology. This prevents network loops from occurring while at the same time allowing for redundant path configuration.

What is a Multiple Spanning Tree Region

A Multiple Spanning Tree region represents a group of 802.1s switches. An MST region appears as a single, flat mode instance to switches outside the region. A switch can belong to only one region at a time. The region a switch belongs to is identified by the following configurable attributes, as defined by the IEEE 802.1s standard:
• Region name–An alphanumeric string up to 32 characters.

What is the Common Spanning Tree

The Common Spanning Tree (CST) is the overall network Spanning Tree topology resulting from STP, RSTP, and/or MSTP calculations to provide a single data path through the network. CST provides connectivity between MST regions and other MST regions and/or Single Spanning Tree (SST) switches.
MST Configuration Overview

The following general steps are required to set up a Multiple Spanning Tree (MST) configuration:
• Select the flat Spanning Tree mode. By default, each switch runs in the 1x1 mode. MSTP is only supported on a flat mode switch. See “Understanding Spanning Tree Modes” on page 3-11 for more information.
• Select the 802.1s protocol. By default, OmniSwitch 9000 switches use the 802.

Implicit commands resemble previously implemented Spanning Tree commands, but apply to the appropriate instance based on the current mode and protocol that is active on the switch. For example, if the 1x1 mode is active, the instance number specified with the following command implies a VLAN ID:
-> bridge 255 priority 16384
If the flat mode is active, the single flat mode instance is implied and thus configured by the command.

MST Interoperability and Migration

Connecting an MSTP (802.1s) switch to a non-MSTP flat mode switch is supported. Since the Common and Internal Spanning Tree (CIST) controls the flat mode instance on both switches, STP or RSTP can remain active on the non-MSTP switch within the network topology. An MSTP switch is part of a Multiple Spanning Tree (MST) Region, which appears as a single, flat mode instance to the non-MSTP switch.
Migrating from 1x1 Mode to Flat Mode MSTP

As previously described, the 1x1 mode is an Alcatel proprietary implementation that applies one Spanning Tree instance to each VLAN. For example, if five VLANs exist on the switch, then there are five Spanning Tree instances active on the switch, unless Spanning Tree is disabled on one of the VLANs.

Quick Steps for Configuring an MST Region

An MST region identifies a group of MSTP (802.1s) switches that is seen as a single, flat mode instance by other regions and/or non-MSTP switches. A region is defined by three attributes: name, revision level, and a VLAN-to-MSTI mapping. Switches configured with the same value for all three of these attributes belong to the same MST region.
3 Map VLANs 100 and 200 to MSTI 2 and VLANs 300 and 400 to MSTI 4 using the bridge msti vlan command to define the configuration digest. For example:
-> bridge msti 2 vlan 100 200
-> bridge msti 4 vlan 300 400
See “Quick Steps for Configuring MSTIs” on page 3-16 for a tutorial on how to create and map MSTIs to VLANs.
4 Configure 3 as the maximum number of hops for the region using the bridge mst region max hops command.
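Switches never exchange the VLAN-to-MSTI table itself; the MST Configuration Identifier carries the region name, the revision level and an HMAC-MD5 digest of the table, so any difference in the mapping (the same VLANs placed on a different MSTI number, a VLAN forgotten on one switch) silently splits the region. The following Python is an added example, not OmniSwitch code; it computes the IEEE 802.1s configuration digest for a mapping and compares two candidate region identities before they are configured on hardware. The HMAC key is the fixed one from the standard; the region name, revision and mappings are made up for illustration.

```python
"""MST region identity as the IEEE 802.1s configuration digest (added example)."""
import hashlib
import hmac

# Fixed key from IEEE 802.1s (MST configuration digest signature key).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def msti_table(vlan_to_msti):
    """Build the 4096-entry table: index = VLAN ID, value = MSTI number.
    VIDs not mapped to an MSTI belong to the CIST (instance 0).
    Entries 0 and 4095 are not valid VIDs and stay 0."""
    table = [0] * 4096
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} is outside 1..4094")
        # MSTI 0 is the CIST and cannot be assigned; the platform's own upper
        # limit on MSTI numbers is not enforced here.
        if not 1 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} is not a valid instance number")
        table[vid] = msti
    return table


def configuration_digest(vlan_to_msti):
    """16-byte HMAC-MD5 over the table, each entry a 16-bit big-endian MSTID."""
    data = b"".join(m.to_bytes(2, "big") for m in msti_table(vlan_to_msti))
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).digest()


def region_id(name, revision, vlan_to_msti):
    """The triple that must match on every switch in the region."""
    if len(name) > 32:
        raise ValueError("region name is limited to 32 characters")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level is a 16-bit value")
    return (name, revision, configuration_digest(vlan_to_msti).hex().upper())


def same_region(a, b):
    """Two switches join the same region only if all three attributes match.
    a and b are (name, revision, vlan_to_msti) triples."""
    return region_id(*a) == region_id(*b)


if __name__ == "__main__":
    # Mapping from the quick steps: VLANs 100/200 -> MSTI 2, 300/400 -> MSTI 4.
    mapping = {100: 2, 200: 2, 300: 4, 400: 4}
    print(region_id("alcatel_region", 1, mapping))
    # Same VLANs on a different MSTI number give a different digest, so the
    # second switch ends up in a separate region despite the identical name.
    other = {100: 2, 200: 2, 300: 5, 400: 5}
    print(same_region(("alcatel_region", 1, mapping), ("alcatel_region", 1, other)))
```

With no VLANs mapped (every VLAN on the CIST) the digest is the well-known default 0xAC36177F50283CD4B83821D8AB26DE62, which is a quick way to confirm that the computation matches what a switch reports.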
Quick Steps for Configuring MSTIs

By default the Spanning Tree software is active on all switches and operating in the 1x1 mode using the standard 802.1D STP (OmniSwitch 9000 default) or 802.1w RSTP (OmniSwitch 6800 and 6850 default). As a result, a loop-free network topology is automatically calculated based on default 802.1D Spanning Tree switch, bridge, and port parameter values.
-> vlan 200 port default 4/8
-> vlan 250 port default 2/12
The following commands assign ports 2/1, 5/1, 5/2, and 3/6 to VLANs 100, 150, 200, and 250 on Switch B:
-> vlan 100 port default 2/1
-> vlan 150 port default 5/1
-> vlan 200 port default 5/2
-> vlan 250 port default 3/6
5 Create one MSTI using the bridge msti command. For example:
-> bridge msti 1
6 Assign VLANs 200 and 250 to MSTI 1.
[Figure: Flat Mode MSTP (802.1s) with Superior MSTI 1 PPC Values]
Note that of the two data paths available to MSTI 1 VLANs, one is still blocked because it is seen as redundant for that instance. In addition, the CIST data path still remains available for CIST VLAN traffic. Another solution to this scenario is to assign all VLANs to an MSTI, leaving no VLANs controlled by the CIST. As a result, the CIST BPDU will only contain MSTI information.

Verifying the MST Configuration

To display information about the MST configuration on the switch, use the show commands listed below:
show spantree cist: Displays the Spanning Tree bridge configuration for the flat mode Common and Internal Spanning Tree (CIST) instance.
show spantree msti: Displays Spanning Tree bridge information for an 802.1s Multiple Spanning Tree Instance (MSTI).
4 Configuring Learned Port Security

Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on Ethernet and Gigabit Ethernet ports. The only types of Ethernet ports that LPS does not support are link aggregate and tagged (trunked) link aggregate ports. Using LPS to control source MAC address learning provides the following benefits:
• A configurable source learning time limit that applies to all LPS ports.

Learned Port Security Specifications

RFCs supported: Not applicable at this time.
IEEE Standards supported: Not applicable at this time.
Ports eligible for Learned Port Security: Ethernet and gigabit Ethernet ports (fixed, mobile, 802.1Q tagged, and authenticated ports).
Ports not eligible for Learned Port Security: Link aggregate ports. 802.1Q (trunked) link aggregate ports.
Sample Learned Port Security Configuration

This section provides a quick tutorial that demonstrates the following tasks:
• Enabling LPS on a set of switch ports.
• Defining the maximum number of learned MAC addresses allowed on an LPS port.
• Defining the time limit in which source learning is allowed on all LPS ports.
• Selecting a method for handling unauthorized traffic received on an LPS port.

Learned Port Security Overview

Learned Port Security (LPS) provides a mechanism for controlling network device access on one or more switch ports. Configurable LPS parameters allow the user to restrict the source learning of host MAC addresses to:
• A specific amount of time in which the switch allows source learning to occur on all LPS ports.
• A maximum number of learned MAC addresses allowed on the port.

How LPS Authorizes Source MAC Addresses

When a packet is received on a port that has LPS enabled, switch software checks the following criteria to determine if the source MAC address contained in the packet is allowed on the port:
• Is the source learning time window open?
• Is the number of MAC addresses learned on the port below the maximum number allowed?
• Is there a configured authorized MAC address entry for the LPS port that matches t

Static Configuration of Authorized MAC Addresses

It is also possible to statically configure authorized source MAC address entries into the LPS table. This type of entry behaves the same way as dynamically configured entries in that it authorizes port access to traffic that contains a matching source MAC address. Static source MAC address entries, however, take precedence over dynamically learned entries.
Enabling/Disabling Learned Port Security

By default, LPS is disabled on all switch ports. To enable LPS on a port, use the port-security command. For example, the following command enables LPS on port 1 of slot 4:
-> port-security 4/1 enable
To enable LPS on multiple ports, specify a range of ports or multiple slots.

Configuring the Number of MAC Addresses Allowed

By default, one MAC address is allowed on an LPS port. To change this number, enter port-security followed by the port’s slot/port designation then maximum followed by a number between 1 and 100.

Configuring an Authorized MAC Address Range

By default, each LPS port is set to a range of 00:00:00:00:00:00–ff:ff:ff:ff:ff:ff, which includes all MAC addresses. If this default is not changed, then addresses received on LPS ports are subject only to the source learning time limit and maximum number of MAC addresses allowed restrictions for the port.

Selecting the Security Violation Mode

By default, the security violation mode for an LPS port is set to restrict. In this mode, when an unauthorized MAC address is received on an LPS port, the packet containing the address is blocked. However, all other packets that contain an authorized source MAC address are allowed to forward on the port.
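The checks described across this chapter (the learning time window, the per-port maximum, the authorized address range, static entries and the restrict violation mode) compose into one admission decision per received frame. The Python below is an added model of that decision, not OmniSwitch code, written so you can reason about what a MAC-flooding host achieves against a port at the default settings (maximum 1, full address range, restrict). Assumptions, also marked in comments: the learning window starts when LPS is enabled and a value of 0 means no time limit, static entries do not consume dynamic slots, and only the restrict mode described on this page is modelled. Port names, MAC addresses and the flood input are constructed.

```python
"""Learned Port Security admission logic (added example, hypothetical model)."""
from dataclasses import dataclass, field

FULL_RANGE = (0x000000000000, 0xFFFFFFFFFFFF)   # default: every MAC address


def mac_int(mac):
    """'00:11:22:33:44:55' -> int, so the range check is a numeric comparison."""
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass
class LpsPort:
    name: str
    maximum: int = 1                                # default: one address per port
    mac_range: tuple = FULL_RANGE                   # default 00:..:00 - ff:..:ff
    static: set = field(default_factory=set)        # configured authorized MACs
    learned: set = field(default_factory=set)       # dynamically learned MACs
    violations: list = field(default_factory=list)  # (time, mac, reason)


@dataclass
class LpsSwitch:
    learn_window: int                               # seconds, shared by all LPS ports
    ports: dict = field(default_factory=dict)

    def window_open(self, now):
        # Assumption: the window runs from t=0 (LPS enabled); 0 means no limit.
        return self.learn_window == 0 or now < self.learn_window

    def admit(self, port_name, src_mac, now):
        """Return 'forward' or 'drop' for a frame with this source MAC.
        Restrict mode: only the offending frame is dropped; the port stays up
        and frames from already authorized addresses keep forwarding."""
        port = self.ports[port_name]
        mac = mac_int(src_mac)
        # Static entries take precedence and are always authorized; addresses
        # already learned are authorized for as long as they stay in the table.
        if mac in port.static or mac in port.learned:
            return "forward"
        lo, hi = port.mac_range
        if not lo <= mac <= hi:
            reason = "outside authorized range"
        elif not self.window_open(now):
            reason = "learning window closed"
        elif len(port.learned) >= port.maximum:
            reason = "maximum addresses reached"
        else:
            port.learned.add(mac)                   # learn it, then forward
            return "forward"
        port.violations.append((now, src_mac, reason))
        return "drop"


def simulate_mac_flood(switch, port_name, count, now):
    """Constructed input: `count` frames with distinct locally administered
    source MACs, as a CAM-flooding tool would send. Returns (forwarded, dropped)."""
    forwarded = dropped = 0
    for i in range(count):
        mac = "02:00:00:00:%02x:%02x" % divmod(i, 256)
        if switch.admit(port_name, mac, now) == "forward":
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    sw = LpsSwitch(learn_window=60)
    sw.ports["4/1"] = LpsPort("4/1")                # port-security 4/1 enable, defaults
    print(simulate_mac_flood(sw, "4/1", 50, now=5))  # only the first address is learned
    print(sw.ports["4/1"].violations[:2])
```

At the defaults the flood learns exactly one address and every further source is dropped while the first host keeps working, which is the intended behaviour; the things to verify on a real deployment are that the learning window is short enough that an attacker arriving later cannot claim the free slots, and that the range on ports with known equipment is narrowed so a spoofed address outside the vendor's block is refused even during the window.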
5 Configuring VLANs

In a flat bridged network, a broadcast domain is confined to a single LAN segment or even a specific physical location, such as a department or building floor. In a switch-based network, such as one comprised of Alcatel switching systems, a broadcast domain—or VLAN— can span multiple physical switches and can include ports from a variety of media types.

VLAN Specifications

RFCs Supported: 2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
IEEE Standards Supported: 802.1Q - Virtual Bridged Local Area Networks; 802.
Sample VLAN Configuration

The following steps provide a quick tutorial that will create VLAN 255. Also included are steps to define a VLAN description, IP router interface, and static switch port assignments. Note. Optional. Creating a new VLAN involves specifying a VLAN ID that is not already assigned to an existing VLAN. To determine if a VLAN already exists in the switch configuration, enter show vlan.

VLAN Management Overview

One of the main benefits of using VLANs to segment network traffic is that VLAN configuration and port assignment is handled through switch software. This eliminates the need to physically change a network device connection or location when adding or removing devices from the VLAN broadcast domain. The VLAN management software handles the following VLAN configuration tasks performed on an Alcatel switch:
• Creating or modifying VLANs.

Creating/Modifying VLANs

The initial configuration for all Alcatel switches consists of a default VLAN 1 and all switch ports are initially assigned to this VLAN. When a switching module is added to the switch, the module’s physical ports are also assigned to VLAN 1. If additional VLANs are not configured on the switch, then the entire switch is treated as one large broadcast domain. All ports will receive all traffic from all other ports.

Note that up to 253 Spanning Tree instances per switch are supported in the 1x1 Spanning Tree mode. Since each VLAN with Spanning Tree enabled uses one of these instances, only 253 VLANs can have an active Spanning Tree instance at any given time. To create more than 253 VLANs on a switch running in the 1x1 Spanning Tree mode, use the vlan stp disable, vlan 1x1 stp disable, or vlan flat stp disable command to create a VLAN with Spanning Tree disabled.

Defining VLAN Port Assignments

Alcatel switches support static and dynamic assignment of physical switch ports to a VLAN. Regardless of how a port is assigned to a VLAN, once the assignment occurs, a VLAN port association (VPA) is created and tracked by VLAN management software on each switch. To view current VLAN port assignments in the switch configuration, use the show vlan port command.

Configuring Dynamic VLAN Port Assignment

Configuring the switch to allow dynamic VLAN port assignment requires the following steps:
1 Use the vlan port mobile command to enable mobility on switch ports that will participate in dynamic VLAN assignment. See Chapter 7, “Assigning Ports to VLANs,” for detailed procedures.
2 Enable/disable mobile port properties that determine mobile port behavior.
Rule Types | Command
Network address | vlan ip, vlan ipx
Protocol | vlan protocol
Port | vlan port

Enabling/Disabling VLAN Mobile Tag Classification

Use the vlan mobile-tag command to enable or disable the classification of mobile port packets based on 802.1Q VLAN ID tag.
Enabling/Disabling Spanning Tree for a VLAN

When a VLAN is created, an 802.1D standard Spanning Tree Algorithm and Protocol (STP) instance is enabled for the VLAN by default. On the OmniSwitch 6800 and 6850, an 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP) instance is enabled for the VLAN by default. The spanning tree operating mode set for the switch determines how VLAN ports are evaluated to identify redundant data paths.

Enabling/Disabling VLAN Authentication

Layer 2 authentication uses VLAN membership to grant access to network resources. Authenticated VLANs control membership through a log-in process; this is sometimes called user authentication. A VLAN must have authentication enabled before it can participate in the Layer 2 authentication process. To enable/disable authentication on an existing VLAN, use the vlan authentication command.

Configuring an IPX Router Interface

Use the vlan router ipx command to define an IPX router interface for an existing VLAN. Specify the following when using this command:
1 The VLAN ID of the router VLAN (can only specify an existing VLAN).
2 The IPX network address to assign to the router interface. An IPX network address consists of eight hex characters (e.g., 4001690D or 0000210A).

Modifying an IPX Router Interface

The vlan router ipx command is also used to modify one or more existing IPX router interface parameter values. For example, the following command changes the existing router interface IPX address for VLAN 955 to 1000450C:
-> vlan 955 router ipx 1000450C
It is not necessary to first remove the IPX router interface from the VLAN. The changes specified will overwrite existing parameter values.

Bridging VLANs Across Multiple Switches

To create a VLAN bridging domain that extends across multiple switches:
1 Create a VLAN on each switch with the same VLAN ID number (e.g., VLAN 10).
2 If using mobile ports for end user device connections, define VLAN rules that will classify mobile port traffic into the VLAN created in Step 1.
3 On each switch, assign the ports that will provide connections to other switches to the VLAN created in Step 1.

The connection between Switch C and D is shown with a broken line because the ports that provide this connection are in a blocking state. Spanning Tree is active by default on all switches, VLANs and ports. The Spanning Tree algorithm determined that if all connections between switches were active, a network loop would exist that could cause unnecessary broadcast traffic on the network. The path between Switch C and D was shut down to avoid such a loop.
OmniSwitch 6800/6850/9000 Network Configuration Guide, June 2006
6 Configuring Spanning Tree Parameters

The Spanning Tree Algorithm and Protocol (STP) is a self-configuring algorithm that maintains a loop-free topology while providing data path redundancy and network scalability. Based on the IEEE 802.1D standard, the Alcatel STP implementation distributes the Spanning Tree load between the primary management module and the network interface modules.

Spanning Tree Specifications

IEEE Standards supported: 802.1D–Media Access Control (MAC) Bridges; 802.1w–Rapid Reconfiguration (802.1D Amendment 2); 802.1Q–Virtual Bridged Local Area Networks; 802.1s–Multiple Spanning Trees (802.1Q Amendment 3)
Spanning Tree Operating Modes supported: Flat mode - one spanning tree instance per switch; 1x1 mode - one spanning tree instance per VLAN
Spanning Tree Protocols supported: 802.
Spanning Tree Port Parameter Defaults

Parameter Description | Command | Default
Spanning Tree port administrative state | bridge slot/port | Enabled
Spanning Tree port priority value | bridge slot/port priority | 7
Spanning Tree port path cost | bridge slot/port path cost | 0 (cost is based on port speed)
Path cost mode | bridge path cost mode | Auto (16-bit in 1x1 mode and 802.1D or 802.1w flat mode, 32-bit in 802.
Spanning Tree Overview

Alcatel switches support the use of the 802.1D Spanning Tree Algorithm and Protocol (STP), the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), and the 802.1s Multiple Spanning Tree Protocol (MSTP). RSTP expedites topology changes by allowing blocked ports to transition directly into a forwarding state, bypassing listening and learning states.
Role | Port/Bridge Properties
Alternate Port | Any operational port that is not the root port for its bridge and its bridge is not the designated bridge for the LAN. An alternate port offers an alternate path to the root bridge if the root port on its own bridge goes down.
Disabled Port | Port is not operational. If an active connection does come up on the port, it is assigned an appropriate role.
Note.

Root ID | The Bridge ID for the bridge that this bridge believes is the root.
Root Path Cost | The sum of the Path Costs that lead from the root bridge to this bridge port. The Path Cost is a configurable parameter value. The IEEE 802.1D standard specifies a default value that is based on port speed. See “Configuring Port Path Cost” on page 6-25 for more information.
STP evaluates BPDU parameter values to select the best BPDU based on the following order of precedence:
1 The lowest root bridge ID (lowest priority value, then lowest MAC address).
2 The lowest root path cost.
3 If root path costs are equal, the lowest bridge ID of the bridge sending the BPDU.
4 If the previous three values tie, then the port ID (lowest priority value, then lowest port number).
The following diagram shows the logical connectivity of the same physical topology as determined by the Spanning Tree Algorithm.

Spanning Tree Operating Modes

The switch can operate in one of two Spanning Tree modes: flat and 1x1. Both modes apply to the entire switch and determine whether a single Spanning Tree instance is applied across multiple VLANs (flat mode) or a single instance is applied to each VLAN (1x1 mode). By default, a switch is running in the 1x1 mode when it is first turned on.
[Figure: Flat Spanning Tree Example. One flat STP instance covers port 8/3 (default VLAN 2), port 10/5 (default VLAN 20), port 1/2 (default VLAN 5, VLAN 10 tagged) and port 2/5 (default VLAN 5, VLAN 6 tagged).]
In the above example, if port 8/3 connects to another switch and port 10/5 connects to that same switch, the Spanning Tree Algorithm would detect a redundant path and transition one of the ports into a blocking state. The same holds true for the tagged ports.

The following diagram shows a switch running in the 1x1 Spanning Tree mode and shows Spanning Tree participation for both fixed and tagged ports.
[Figure: 1x1 Spanning Tree mode example. Instances labelled STP 2, STP 3 and STP 4; port 1/3 (default VLAN 5), port 1/5 (default VLAN 10, VLAN 2 tagged), port 2/5 (default VLAN 2, VLAN 10 tagged), port 2/3 (default VLAN 5), port 1/4 (default VLAN 2), port 2/4 (default VLAN 2). Caption: 1x1 (single and 802.]
Configuring STP Bridge Parameters

The Spanning Tree software is active on all switches by default and uses default bridge and port parameter values to calculate a loop-free topology. These parameter values only need to be configured when the way the topology is calculated and maintained has to change.

Note that explicit commands using the cist and msti keywords are required to define an MSTP (802.1s) configuration. Implicit commands are only allowed for defining STP or RSTP configurations. See Chapter 3, “Using 802.1s Multiple Spanning Tree,” for more information about these keywords and using implicit and explicit commands. The following is a summary of Spanning Tree bridge configuration commands.
Commands | Type | Used for ...
bridge auto-vlan-containment | N/A | Enables or disables Auto VLAN Containment (AVC) for 802.1s instances.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree commands is captured.
Configuring the Bridge Priority

A bridge is identified within the Spanning Tree by its bridge ID (an eight byte hex number). The first two bytes of the bridge ID contain a priority value and the remaining six bytes contain a bridge MAC address. The bridge priority is used to determine which bridge will serve as the root of the Spanning Tree. The lower the priority value, the higher the priority.
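The bridge ID layout above and the four-step BPDU precedence from the Spanning Tree Overview are what decide who becomes root and which port each bridge uses to reach it, and the ordering is exactly a tuple comparison. The following Python is an added example, not OmniSwitch code; it builds bridge IDs from a priority and a MAC, compares BPDUs in precedence order, and elects root and root port for one bridge from the BPDUs it received, weighing each by the 16-bit 802.1D path cost of the link it arrived on. The MAC addresses, port numbers and link speeds are made up; the priority 10 versus the 32768 default mirrors the sample configuration later in this chapter.

```python
"""Bridge IDs, BPDU precedence and root/root-port election (added example)."""
from dataclasses import dataclass

# 16-bit IEEE 802.1D recommended port path costs from this chapter, keyed by Mbps.
PATH_COST_16BIT = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True, order=True)
class BridgeId:
    """Eight-byte bridge ID: two-byte priority followed by six-byte MAC.
    Field order makes tuple ordering 'lowest priority, then lowest MAC'."""
    priority: int
    mac: int

    @classmethod
    def make(cls, priority, mac_str):
        if not 0 <= priority <= 0xFFFF:
            raise ValueError("priority must fit in two bytes")
        return cls(priority, int(mac_str.replace(":", ""), 16))

    def to_bytes(self):
        return self.priority.to_bytes(2, "big") + self.mac.to_bytes(6, "big")


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    port_id: tuple            # (port priority, port number) of the sending port

    def vector(self):
        """Precedence: root ID, root path cost, sender bridge ID, port ID."""
        return (self.root_id, self.root_path_cost, self.sender_id, self.port_id)


def best_bpdu(bpdus):
    """The BPDU that wins under the four-step precedence."""
    return min(bpdus, key=Bpdu.vector)


def elect(my_id, received):
    """received: list of (local_port, Bpdu, link_speed_mbps), one per port that
    heard a BPDU. Returns (root_id, root_port, root_path_cost). A bridge whose
    own ID beats every advertised root is the root and has no root port."""
    if not received:
        return my_id, None, 0
    candidates = []
    for local_port, bpdu, speed in received:
        # Cost to the root through this port: advertised cost plus this link.
        cost = bpdu.root_path_cost + PATH_COST_16BIT[speed]
        candidates.append(((bpdu.root_id, cost, bpdu.sender_id, bpdu.port_id),
                           local_port))
    (root_id, cost, _, _), root_port = min(candidates)
    if my_id <= root_id:
        return my_id, None, 0
    return root_id, root_port, cost


if __name__ == "__main__":
    D = BridgeId.make(10, "00:d0:95:00:00:04")      # bridge 255 priority 10
    A = BridgeId.make(32768, "00:d0:95:00:00:01")   # default priority
    B = BridgeId.make(32768, "00:d0:95:00:00:02")
    from_d = Bpdu(D, 0, D, (128, 1))                 # D advertises itself as root
    from_a = Bpdu(D, 4, A, (128, 3))                 # A relays D at cost 4
    # B hears D directly over 100 Mbps (cost 19) and via A over 1 Gbps (cost 4+4):
    # the relayed path is cheaper, so B's root port is the link to A.
    print(elect(B, [("1/1", from_d, 100), ("1/2", from_a, 1000)]))
```

Note that an attacker who can inject BPDUs with a lower priority than your intended root wins step 1 outright, which is why the bridge priority of the designated root should be set explicitly and edge ports facing untrusted hosts should not be allowed to take part in the election.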
Configuring the Bridge Hello Time

The bridge hello time interval is the number of seconds a bridge will wait between transmissions of Configuration BPDU. When a bridge is attempting to become the root or if it has become the root or a designated bridge, it sends Configuration BPDU out all forwarding ports once every hello time value.

Configuring the Bridge Max Age Time

The bridge max age time specifies how long, in seconds, the bridge retains Spanning Tree information it receives from Configuration BPDU. When a bridge receives a BPDU, it updates its configuration information and the max age timer is reset. If the max age timer expires before the next BPDU is received, the bridge will attempt to become the root, designated bridge, or change its root port.

Configuring the Bridge Forward Delay Time

The bridge forward delay time specifies how long, in seconds, a port remains in the learning state while it is transitioning to a forwarding state. In addition, when a topology change occurs, the forward delay time value is used to age out all dynamically learned addresses in the MAC address forwarding table.

Enabling/Disabling the VLAN BPDU Switching Status

By default, BPDU are not switched on ports associated with VLANs that have Spanning Tree disabled. This may result in a network loop if the VLAN has redundant paths to one or more other switches. Allowing VLANs that have Spanning Tree disabled to forward BPDU to all ports in the VLAN can help to avoid this problem.

Using Automatic VLAN Containment

In an 802.1s Multiple Spanning Tree (MST) configuration, it is possible for a port that belongs to a VLAN that is not a member of an instance to become the root port for that instance. This can cause a topology change that could lead to a loss of connectivity between VLANs/switches.

Configuring STP Port Parameters

The following sections provide information and procedures for using CLI commands to configure STP port parameters. These parameters determine the behavior of a port for a specific VLAN Spanning Tree instance (1x1 STP mode) or for a single Spanning Tree instance applied to the entire switch (flat STP mode).
The following is a summary of Spanning Tree port configuration commands. For more information about these commands, see the OmniSwitch CLI Reference Guide.
Commands | Type | Used for ...
bridge slot/port | Implicit | Configuring the port Spanning Tree status for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.

The following sections provide information and procedures for using implicit Spanning Tree port configuration commands and also include explicit command examples. Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree commands is captured.
Spanning Tree on Link Aggregate Ports

Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead, the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical ports.

MSTI ID for the instance number. For example, the following command configures the priority value for port 1/12 for MSTI 10 to 5:
-> bridge msti 10 1/12 priority 5
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands are required to configure parameter values. Implicit commands are for configuring parameters when the STP or RSTP protocols are in use. See Chapter 3, “Using 802.
Link Speed | IEEE 802.1D Recommended Value
4 Mbps | 250
10 Mbps | 100
16 Mbps | 62
100 Mbps | 19
1 Gbps | 4
10 Gbps | 2

By default, Spanning Tree is enabled on a port and the path cost is set to zero. If the switch is running in the 1x1 Spanning Tree mode, then the port path cost applies to the specified VLAN instance associated with the port.
Path Cost for Link Aggregate Ports

Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead, the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical ports. By default, Spanning Tree is enabled on the aggregate logical link and the path cost value is set to zero.

For more information about configuring an aggregate of ports, see Chapter 13, “Configuring Static Link Aggregation,” and Chapter 14, “Configuring Dynamic Link Aggregation.”

Configuring Port Mode

There are two port modes supported: manual and dynamic. Manual mode indicates that the port was set by the user to a forwarding or blocking state.

Configuring Port Connection Type

Specifying a port connection type is done when using the Rapid Spanning Tree Algorithm and Protocol (RSTP), as defined in the IEEE 802.1w standard. RSTP transitions a port from a blocking state directly to forwarding, bypassing the listening and learning states, to provide a rapid reconfiguration of the Spanning Tree in the event of a path or root bridge failure.

available when the switch is running in either mode (1x1 or flat) and an instance number is not required.
Sample Spanning Tree Configuration

This section provides an example network configuration in which the Spanning Tree Algorithm and Protocol has calculated a loop-free topology. In addition, a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).

• The path cost for each port connection defaults to a value based on the link speed. For example, the connection between Switch B and Switch C is a 100 Mbps link, which defaults to a path cost of 19.
• VLAN 255 on Switch D is configured with a Bridge ID priority value of 10, which is less than the same value for VLAN 255 configured on the other switches.

4 Change the bridge priority value for VLAN 255 on Switch D to 10 using the following command (leave the priority for VLAN 255 on the other three switches set to the default value of 32768):
-> bridge 255 priority 10
VLAN 255 on Switch D will have the lowest Bridge ID priority value of all four switches, which will qualify it as the Spanning Tree root VLAN for the VLAN 255 broadcast domain. Note.

Verifying the Spanning Tree Configuration

To display information about the Spanning Tree configuration on the switch, use the show commands listed below:
show spantree: Displays VLAN Spanning Tree information, including parameter values and topology change statistics.
show spantree ports: Displays Spanning Tree information for switch ports, including parameter values and the current port state.
7 Assigning Ports to VLANs Initially all switch ports are non-mobile (fixed) and are assigned to VLAN 1, which is also their configured default VLAN. When additional VLANs are created on the switch, ports are assigned to the VLANs so that traffic from devices connected to these ports is bridged within the VLAN domain. Switch ports are either statically or dynamically assigned to VLANs.
Port Assignment Specifications
IEEE Standards Supported: 802.1Q–Virtual Bridged Local Area Networks; 802.1D–Media Access Control Bridges
Maximum VLANs per switch and stack: 4094 (based on switch configuration and available resources)
Maximum VLAN port associations: 32768
Switch ports eligible for port mobility: Untagged Ethernet and gigabit Ethernet ports that are not members of a link aggregate.
Sample VLAN Port Assignment
The following steps provide a quick tutorial that will create a VLAN, statically assign ports to the VLAN, and configure mobility on some of the VLAN ports:
1 Create VLAN 255 with a description (e.g.
Statically Assigning Ports to VLANs
The vlan port default command is used to statically assign both mobile and non-mobile ports to another VLAN. When the assignment is made, the port drops the previous VLAN assignment. For example, the following command assigns port 2 on slot 3, currently assigned to VLAN 1, to VLAN 755:
-> vlan 755 port default 3/2
Port 3/2 is now assigned to VLAN 755 and no longer associated with VLAN 1.
How Dynamic Port Assignment Works
Traffic received on mobile ports is classified using one of the following methods:
• Packet is tagged with a VLAN ID that matches the ID of another VLAN that has mobile tagging enabled. (See “VLAN Mobile Tag Classification” on page 7-5 for more information.)
• Packet contents matches criteria defined in a VLAN rule. (See “VLAN Rule Classification” on page 7-8 for more information.
In the initial VLAN port assignment configuration shown below,
• All three ports have workstations that are configured to send packets with an 802.1Q VLAN ID tag for three different VLANs (VLAN 2, 3, and 4).
• Mobility is enabled on each of the workstation ports.
• VLAN 1 is the configured default VLAN for each port.
• VLANs 2, 3, and 4 are configured on the switch, each one has VLAN mobile tagging enabled.
(Figure: VLAN mobile tag classification, initial configuration. Ports 1, 2 and 3 have VLAN 1 as their default VLAN; the attached workstations 130.0.0.1, 138.0.0.1 and a host on IP network 140.0.0.0 send frames tagged for VLANs 2, 3 and 4, which correspond to IP networks 130.0.0.0, 138.0.0.0 and 140.0.0.0.)
VLAN Rule Classification
VLAN rule classification triggers dynamic VLAN port assignment when traffic received on a mobile port matches the criteria defined in a VLAN rule. Different rule types are available for classifying different types of network device traffic (see Chapter 9, “Defining VLAN Rules,” for more information).
(Figure: VLAN rule classification, initial configuration. VLANs 2, 3 and 4 correspond to IP networks 130.0.0.0, 138.0.0.0 and 140.0.0.0; VLAN 1 is the default VLAN. Workstations 130.0.0.1, 138.0.0.5 and 140.0.0.3 are attached to ports 1 through 3.)
As soon as the workstations start sending traffic, switch software checks the source subnet of the frames and looks for a match with any configured IP network address rules.
(Figure: same topology as the VLAN rule classification figure above.)
Enabling/Disabling Port Mobility
To enable mobility on a port, use the vlan port mobile command. For example, the following command enables mobility on port 1 of slot 4:
-> vlan port mobile 4/1
To enable mobility on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port mobile 4/1-5 5/12-20 6/10-15
Use the no form of this command to disable port mobility.
When BPDU ignore is enabled and the mobile port receives a BPDU, the following occurs:
• The port retains its mobile status and remains eligible for dynamic VLAN assignment.
• The port is not included in the Spanning Tree algorithm.
Note. Enabling BPDU ignore is not recommended. Because the port is excluded from Spanning Tree, a bridge attached to it can form a loop that Spanning Tree cannot block on that port.
What is a Secondary VLAN?
All mobile ports start out with a configured default VLAN assignment. When mobile port traffic matches VLAN criteria, the port is assigned to that VLAN. Secondary VLANs are any VLANs a port is subsequently assigned to that are not the configured default VLAN for that port.
(Figure: a device on a mobile port whose configured default VLAN is VLAN 1 and whose traffic matches VLAN 3.)
Device connected to a mobile port sends traffic. If the traffic matches existing VLAN criteria, then the mobile port and its traffic are dynamically assigned to that VLAN. If device traffic does not match any VLAN rules, then the default VLAN property determines if the traffic is forwarded on the port’s configured default VLAN (VLAN 1 in this example). If default VLAN is enabled....
(Figure: a mobile port with configured default VLAN 1 and secondary VLANs 2 and 3.)
Port assigned to default VLAN 1 or another VLAN using the vlan port default command. If restore default VLAN is enabled.... Port is assigned to other VLANs when its traffic matches their criteria. If restore default VLAN is disabled....
Configuring Mobile Port Properties
Mobile port properties indicate mobile port status and affect port behavior when the port is dynamically assigned to one or more VLANs. For example, mobile port properties determine the following:
• Should the configured default VLAN forward or discard port traffic that does not match any VLAN rule criteria.
Enable/Disable Default VLAN Restore
To enable or disable default VLAN restore, enter vlan port followed by the port’s slot/port designation then default vlan restore followed by enable or disable. For example,
-> vlan port 3/1 default vlan restore enable
-> vlan port 5/2 default vlan restore disable
To enable or disable default VLAN restore on multiple ports, specify a range of ports and/or multiple slots.
Enable/Disable 802.1X Port-Based Access Control
To enable or disable 802.1X on a mobile port, enter vlan port followed by the port’s slot/port designation then 802.1x followed by enable or disable. For example,
-> vlan port 3/1 802.1x enable
-> vlan port 5/2 802.1x disable
To enable or disable 802.1X on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port 6/1-32 8/10-24 9/3-14 802.1x enable
-> vlan port 5/3-6 9/1-4 802.
Verifying VLAN Port Associations and Mobile Port Properties
To display a list of VLAN port assignments or the status of mobile port properties, use the show commands listed below:
show vlan port - Displays a list of VLAN port assignments, including the type and status for each assignment.
show vlan port mobile - Displays the mobile status and current mobile parameter values for each port.
The following example uses the show vlan port command to display VLAN port association (VPA) information for all ports in VLAN 200:
-> show vlan 200 port
  port     type      status
--------+---------+-------------
  3/24    default   inactive
  5/11    mobile    forwarding
  5/12    qtagged   blocking
The above example output provides the following information:
• VLAN 200 is the configured default VLAN for port 3/24, which is currently not active.
8 Configuring Port Mapping
Port Mapping is a security feature that controls communication between peer users. Each session comprises a session ID, a set of user ports, and/or a set of network ports. The user ports within a session cannot communicate with each other and can only communicate via network ports. In a port mapping session with user port set A and network port set B, the ports in set A can only communicate with the ports in set B.
Port Mapping Specifications
Ports Supported: Ethernet (10 Mbps)/Fast Ethernet (100 Mbps)/Gigabit Ethernet (1 Gb/1000 Mbps)/10 Gigabit Ethernet (10 Gb/10000 Mbps).
Mapping Sessions: Eight sessions supported per standalone switch and stack.
Platforms Supported: OmniSwitch 6800, OmniSwitch 6850
Platforms Not Supported: OmniSwitch 9000
Port Mapping Defaults
The following table shows port mapping default values.
You can also verify the status of a port mapping session by using the show port mapping status command.
Creating/Deleting a Port Mapping Session
Before port mapping can be used, it is necessary to create a port mapping session. The following subsections describe how to create and delete a port mapping session with the port mapping user-port network-port and port mapping command, respectively.
Note. You must delete any attached ports with the port mapping user-port network-port command before you can delete a port mapping session.
Enabling/Disabling a Port Mapping Session
By default, the port mapping session will be disabled. The following subsections describe how to enable and disable the port mapping session with the port mapping command.
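The session rules described in this chapter can be modelled to check a planned configuration before it is typed in. The following Python is an added illustration, not OmniSwitch software. It takes from the page the eight-session limit, that sessions start disabled, that attached ports must be removed before a session is deleted, and that user ports reach only the network ports of their session. It assumes, which the page does not state, that a port cannot be both a user and a network port of the same session, that network ports are not restricted, and that ports in no enabled session bridge normally. The slot/port names are constructed.

```python
"""Port mapping session model and forwarding check. Added illustration,
not OmniSwitch software.

From the page: at most eight sessions, sessions start disabled, ports must be
removed before a session is deleted, user ports of a session reach only that
session's network ports. Assumed: a port is not both user and network port of
one session; network ports are unrestricted; ports in no enabled session
bridge normally. Port names are constructed."""
MAX_SESSIONS = 8


class PortMapping:
    def __init__(self):
        # session id -> {"user": set, "network": set, "enabled": bool}
        self.sessions = {}

    def create(self, sid):
        """-> port mapping <sid> create (session starts disabled)"""
        if sid in self.sessions:
            raise ValueError(f"session {sid} already exists")
        if len(self.sessions) >= MAX_SESSIONS:
            raise ValueError("eight sessions maximum per switch or stack")
        self.sessions[sid] = {"user": set(), "network": set(), "enabled": False}

    def add_ports(self, sid, user=(), network=()):
        """-> port mapping <sid> user-port ... network-port ..."""
        s = self.sessions[sid]
        for p in user:
            if p in s["network"]:
                raise ValueError(f"{p} is already a network port of session {sid}")
            s["user"].add(p)
        for p in network:
            if p in s["user"]:
                raise ValueError(f"{p} is already a user port of session {sid}")
            s["network"].add(p)

    def remove_ports(self, sid, user=(), network=()):
        s = self.sessions[sid]
        s["user"].difference_update(user)
        s["network"].difference_update(network)

    def set_enabled(self, sid, enabled):
        """-> port mapping <sid> enable | disable"""
        self.sessions[sid]["enabled"] = enabled

    def delete(self, sid):
        """Refuses while ports are still attached, as the note above requires."""
        s = self.sessions[sid]
        if s["user"] or s["network"]:
            raise ValueError("remove attached ports before deleting the session")
        del self.sessions[sid]

    def allowed(self, src, dst):
        """May a frame received on `src` be forwarded out `dst`?"""
        for s in self.sessions.values():
            if s["enabled"] and src in s["user"]:
                return dst in s["network"]  # user ports talk only to network ports
        return True  # network ports, disabled sessions and unmapped ports: normal bridging
```

Note that allowed() returns True for a user port in a session that has not yet been enabled: until the session is enabled the isolation is not in effect, which is easy to overlook because the CLI creates sessions disabled.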
Sample Port Mapping Configuration
This section provides an example port mapping network configuration. A tutorial that shows how to configure the example port mapping session through the Command Line Interface (CLI) is also included.
Example Port Mapping Overview
The following diagram shows a four-switch network configuration with active port mapping sessions.
Example Port Mapping Configuration Steps
The following steps provide a quick tutorial that configures the port mapping session shown in the diagram on page 8-5.
9 Defining VLAN Rules VLAN rules are used to classify mobile port traffic for dynamic VLAN port assignment. Rules are defined by specifying a port, MAC address, protocol, network address, binding, or DHCP criteria to capture certain types of network device traffic. It is also possible to define multiple rules for the same VLAN. A mobile port is assigned to a VLAN if its traffic matches any one VLAN rule.
VLAN Rules Specifications
IEEE Standards Supported: 802.1Q–Virtual Bridged Local Area Networks; 802.1v–VLAN Classification by Protocol and Port; 802.1D–Media Access Control Bridges
Maximum number of VLANs per switch: 4094 (based on switch configuration and available resources)
Maximum number of rules per VLAN: Unlimited
Maximum number of rules per switch: 8129 of each rule type, except for a DHCP generic rule because only one is allowed per switch.
Sample VLAN Rule Configuration
The following steps provide a quick tutorial that will create an IP network address and DHCP MAC range rule for VLAN 255, an IPX protocol rule for VLAN 355, and a MAC-IP-port binding rule for VLAN 1500. The remaining sections of this chapter provide further explanation of all VLAN rules and how they are defined.
1 Create VLAN 255 with a description (e.g.
VLAN Rules Overview
The mobile port feature available on the switch allows dynamic VLAN port assignment based on VLAN rules that are applied to mobile port traffic. When a port is defined as a mobile port, switch software compares traffic coming in on that port with configured VLAN rules. If any of the mobile port traffic matches any of the VLAN rules, the port and the matching traffic become a member of that VLAN.
DHCP Rules
Dynamic Host Configuration Protocol (DHCP) frames are sent from client workstations to request an IP address from a DHCP server. The server responds with the same type of frames, which contain an IP address for the client. If clients are connected to mobile ports, DHCP rules are used to classify this type of traffic for the purposes of transmitting and receiving DHCP frames to and from the server.
Binding Rules
Binding rules restrict VLAN assignment to specific devices by requiring that device traffic match all criteria specified in the rule. As a result, a separate binding rule is required for each device. An unlimited number of such rules, however, is allowed per VLAN and up to 8129 of each rule type is allowed per switch. Although DHCP traffic is examined and processed first by switch software, binding rules take precedence over all other rules.
IP protocol rules also capture DHCP traffic, if no other DHCP rule exists that would classify the DHCP traffic into another VLAN. Therefore, it is not necessary to combine DHCP rules with IP protocol rules for the same VLAN.
Port Rules
Port rules are fundamentally different from all other supported rule types, in that traffic is not required to trigger dynamic assignment of the mobile port to a VLAN.
Understanding VLAN Rule Precedence
In addition to configurable VLAN rule types, there are two internal rule types for processing mobile port frames. One is referred to as frame type and is used to identify Dynamic Host Configuration Protocol (DHCP) frames. The second internal rule is referred to as default and identifies frames that do not match any VLAN rules.
Note.
Precedence Step/Rule Type | Condition | Result
1. Frame Type | Frame is a DHCP frame. | Go to Step 2.
 | Frame is not a DHCP frame. | Skip Steps 2, 3, 4, and 5.
2. DHCP MAC | DHCP frame contains a matching source MAC address. | Frame source is assigned to the rule’s VLAN, but not learned.
3. DHCP MAC Range | DHCP frame contains a source MAC address that falls within a specified range of MAC addresses. | Frame source is assigned to the rule’s VLAN, but not learned.
4.
Precedence Step/Rule Type | Condition | Result
8. MAC-Port Binding | Frame contains a matching source MAC address and source port. | Frame source is assigned to the rule’s VLAN.
 | Frame only contains a matching source MAC address; port does not match. | Frame is blocked; its source is not assigned to the rule’s VLAN.
 | Frame only contains a matching port; source MAC address does not match. | Frame is allowed; its source is not assigned to the rule’s VLAN.
9.
Precedence Step/Rule Type | Condition | Result
10. Network Address | Frame contains a matching IP subnet address. (See note below regarding IP Network Address and Port-Protocol Binding rule precedence.) | Frame source is assigned to the rule’s VLAN.
 | Frame contains a matching IPX network address. | Frame source is assigned to the rule’s VLAN.
15. Protocol | Frame contains a matching protocol type. | Frame source is assigned to the rule’s VLAN.
16.
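The precedence table is easier to reason about as a procedure, in particular the MAC-port binding outcomes (assign, block, or allow without assignment) and the fall-through of DHCP frames that no DHCP rule captures. The following Python is an added illustration, not OmniSwitch software. It models only the steps the table shows (frame type, DHCP MAC, DHCP MAC range, MAC-port binding, IP network address, protocol, default); DHCP port and DHCP generic rules are placed after the DHCP MAC rules because the chapter says a generic rule catches DHCP frames that no DHCP MAC or DHCP port rule matched, but their step numbers are not shown on the page. IP rules given without a mask use the classful default (Class A/B/C) described under "Defining IP Network Address Rules" later in the chapter. The frames, rules and MAC addresses are constructed.

```python
"""Mobile-port frame classification in the precedence order of the table
above. Added illustration, not OmniSwitch software.

Modelled steps: frame type, DHCP MAC, DHCP MAC range, (DHCP port and DHCP
generic, whose step numbers the page does not show), MAC-port binding,
IP network address, protocol, then the internal default rule. IP rules
without a mask use the classful default. Frames and rules are constructed.
"""
import ipaddress
from collections import namedtuple

# action: "assign" (to the rule's VLAN), "block", "forward_default", "discard"
Decision = namedtuple("Decision", "action vlan learned")


def _mac_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def classful_network(addr):
    """Default prefix by address class when a rule omits the subnet mask."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def classify(frame, rules, default_vlan, default_vlan_enabled=True):
    """frame: dict with src_mac, port, protocol, dhcp (bool), src_ip (or None).
    rules: tuples (type, vlan, ...params); first match in precedence order wins."""
    def of(kind):
        return [r for r in rules if r[0] == kind]

    src_mac = _mac_int(frame["src_mac"])
    if frame["dhcp"]:                                       # step 1: frame type
        for _, vlan, mac in of("dhcp_mac"):                  # step 2
            if _mac_int(mac) == src_mac:
                return Decision("assign", vlan, False)       # assigned, not learned
        for _, vlan, lo, hi in of("dhcp_mac_range"):         # step 3
            if _mac_int(lo) <= src_mac <= _mac_int(hi):
                return Decision("assign", vlan, False)
        for _, vlan, port in of("dhcp_port"):                # DHCP port rule
            if port == frame["port"]:
                return Decision("assign", vlan, False)
        for _, vlan in of("dhcp_generic"):                   # at most one per switch
            return Decision("assign", vlan, False)
    # A DHCP frame no DHCP rule matched falls through to the other rules
    # (the chapter notes IP protocol rules also capture such DHCP traffic).
    for _, vlan, mac, port in of("mac_port"):                # step 8: MAC-port binding
        mac_ok, port_ok = _mac_int(mac) == src_mac, port == frame["port"]
        if mac_ok and port_ok:
            return Decision("assign", vlan, True)
        if mac_ok:                                           # right MAC, wrong port
            return Decision("block", None, False)
        # right port, wrong MAC: frame allowed, keep evaluating
    if frame.get("src_ip"):                                  # step 10: network address
        src_ip = ipaddress.ip_address(frame["src_ip"])
        for _, vlan, net in of("ip"):
            network = (ipaddress.ip_network(net, strict=False) if "/" in net
                       else classful_network(net))
            if src_ip in network:
                return Decision("assign", vlan, True)
    for _, vlan, proto in of("protocol"):                    # step 15: protocol
        if proto == frame["protocol"]:
            return Decision("assign", vlan, True)
    # Internal default rule: the port's default-VLAN property decides.
    if default_vlan_enabled:
        return Decision("forward_default", default_vlan, True)
    return Decision("discard", None, False)


# Constructed rule set echoing the chapter's sample: VLAN 255 (IP network and
# DHCP MAC range), VLAN 355 (IPX protocol), VLAN 1500 (MAC-port binding).
RULES = [
    ("dhcp_mac", 255, "00:00:da:59:0c:11"),
    ("dhcp_mac_range", 255, "00:00:da:00:00:00", "00:00:da:ff:ff:ff"),
    ("mac_port", 1500, "00:00:da:59:0c:12", "3/1"),
    ("ip", 255, "21.0.0.0"),           # no mask: Class A default, 21.0.0.0/8
    ("protocol", 355, "ipx"),
]


def frame(src_mac, port, protocol="ip", dhcp=False, src_ip=None):
    """Constructed frame summary as seen by the classifier."""
    return {"src_mac": src_mac, "port": port, "protocol": protocol,
            "dhcp": dhcp, "src_ip": src_ip}
```

The two MAC-port binding cases are the ones worth testing on a real switch: the bound MAC arriving on the wrong port is blocked outright, while an unknown MAC on the bound port is not blocked and continues down the precedence list, so it can still land in a VLAN through a later network address or protocol rule.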
• When a VLAN is administratively disabled, static port and dynamic mobile port assignments are retained but traffic on these ports is not forwarded. However, VLAN rules remain active and continue to classify mobile port traffic for VLAN membership.
• When a VLAN is deleted from the switch configuration, all rules defined for that VLAN are automatically removed and any static or dynamic port assignments are dropped.
Use the no form of the vlan dhcp mac command to remove a DHCP MAC address rule.
-> vlan 255 no dhcp mac 00:00:da:59:0c:11
Defining DHCP MAC Range Rules
A DHCP MAC range rule is similar to a DHCP MAC address rule, but allows the user to specify a range of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential MAC addresses.
Defining DHCP Generic Rules
DHCP generic rules capture all DHCP traffic that does not match an existing DHCP MAC or DHCP port rule. If none of these other rules exist, then all DHCP frames are captured regardless of the port they came in on or the frame’s source MAC address. Only one rule of this type is allowed per switch. To define a DHCP generic rule, enter vlan followed by an existing VLAN ID then dhcp generic.
How to Define a MAC-Port-IP Address Binding Rule
To define a MAC-port-IP address binding rule, enter vlan followed by an existing VLAN ID then binding mac-ip-port followed by a valid MAC address, IP address, and a slot/port designation. For example, the following command defines a MAC-port-IP binding rule for VLAN 255:
-> vlan 255 binding mac-ip-port 00:00:da:59:0c:12 21.0.0.
How to Define a MAC-Port Binding Rule
To define a MAC-port binding rule, enter vlan followed by an existing VLAN ID then binding mac-port followed by a valid MAC address and a slot/port designation.
How to Define a Port-Protocol Binding Rule
To define a port-protocol binding rule, enter vlan followed by an existing VLAN ID then binding port-protocol followed by a slot/port designation and a protocol type. A MAC address is not part of this rule type; it binds a port to a protocol only.
Defining MAC Range Rules
A MAC range rule is similar to a MAC address rule, but allows the user to specify a range of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential MAC addresses. One MAC range rule could serve the same purpose as 10 or 20 MAC address rules, requiring less work to configure.
If a subnet mask is not specified, the default class for the IP address is used (Class A, B, or C). For example, either one of the following commands will create an IP network address rule for network 134.10.0.0:
-> vlan 1200 ip 134.10.0.0 255.255.0.0
-> vlan 1200 ip 134.10.0.0
The pool of available internet IP addresses is divided up into three classes, as shown in the following table. Each class includes a range of IP addresses.
The following table lists keywords for specifying an encapsulation value:
IPX encapsulation keywords: e2 or ethernet2; llc; snap; novell
Use the no form of the vlan ipx command to remove an IPX network address rule.
Defining Port Rules
Port rules do not require mobile port traffic to trigger dynamic assignment. When this type of rule is defined, the specified mobile port is immediately assigned to the specified VLAN. As a result, port rules are often used for silent network devices, which do not trigger dynamic assignment because they do not send traffic. Port rules only apply to outgoing mobile port broadcast types of traffic and do not classify incoming traffic.
Application Example: DHCP Rules
This application example shows how Dynamic Host Configuration Protocol (DHCP) port and MAC address rules are used in a DHCP-based network. DHCP is built on a client-server model in which a designated DHCP server allocates network addresses and delivers configuration parameters to dynamically configured clients. Since DHCP clients initially have no IP address, assignment of these clients to a VLAN presents a problem.
The following table summarizes the VLAN architecture and rules for all devices in this network configuration. The diagram on the following page illustrates this network configuration.
Device | VLAN Membership | Rule Used/Router Role
DHCP Server 1 | Test VLAN | IP network address rule=10.15.0.0
DHCP Server 2 | Branch VLAN | IP network address rule=10.13.0.
(Figure: DHCP rules application example. An OmniSwitch 9700 connects a Test VLAN (IP subnet 10.15.X.X) with DHCP Server 1 at 10.15.14.16 and Router 1 (no DHCP relay); a Production VLAN (IP subnet 10.15.128.X) with Router 2 (DHCP relay on); and a Branch VLAN with DHCP Server 2 at 10.13.15.17. Clients 1 through 6 are classified by DHCP port rules.)
Verifying VLAN Rule Configuration
To display information about VLAN rules configured on the switch, use the show commands listed below:
show vlan rules - Displays a list of rules for one or all VLANs configured on the switch.
For more information about the resulting display from this command, see the OmniSwitch CLI Reference Guide. An example of the output for the show vlan rules command is also given in “Sample VLAN Rule Configuration” on page 9-3.
10 Using Interswitch Protocols
Alcatel Interswitch Protocol (AIP) is used to discover adjacent switches in the network. The following protocol is supported:
• Alcatel Mapping Adjacency Protocol (AMAP), which is used to discover the topology of OmniSwitches and Omni Switch/Router (Omni S/R). See “AMAP Overview” on page 10-3. This protocol is described in detail in this chapter.
In This Chapter
This chapter describes the AMAP protocol and how to configure it through the Command Line Interface (CLI).
AIP Specifications
Standards: Not applicable at this time. AMAP is an Alcatel proprietary protocol.
AMAP Overview
The Alcatel Mapping Adjacency Protocol (AMAP) is used to discover the topology of OmniSwitches in a particular installation. Using this protocol, each switch determines which OmniSwitches are adjacent to it by sending and responding to Hello update packets.
The transmission states are illustrated here.
Common Transmission and Remote Switches
If an AMAP switch is connected to multiple AMAP switches via a hub, the switch sends and receives Hello traffic to and from the remote switches through the same port. If one of the remote switches stops sending Hello packets and other remote switches continue to send Hello packets, the ports in the common transmission state will remain in the common transmission state.
Configuring the AMAP Common Time-out Interval
The common time-out interval is used only in the common transmission state to determine the time interval between sending Hello update packets. A switch sends an update for a port just before or after the common time-out interval expires.
Note. Switches avoid synchronization by jittering the common time-out interval plus or minus 10 percent of the configured value.
Displaying AMAP Information
Use the show amap command to view a list of adjacent switches and their associated MAC addresses, interfaces, VLANs, and IP addresses. For remote switches that stop sending Hello packets and that are connected via a hub, entries may take up to three times the common time-out interval to age out of this table.
(Figure: AMAP adjacency example. Switch A (local, OmniSwitch 9700) uses local interfaces 4/1, 5/1 and 7/1. Remote Switch B (0020da:032c40) is seen on its remote interface 2/1; Remote Switch C (0020da:999660) is reached through a hub and seen on remote interfaces 1/8, 2/8 and 4/8.)
See the OmniSwitch CLI Reference Guide for information about the show amap command.
11 Configuring 802.1Q
802.1Q is the IEEE standard for segmenting networks into VLANs. 802.1Q segmentation is done by adding a specific tag to a packet.
In This Chapter
This chapter describes the basic components of 802.1Q VLANs and how to configure them through the Command Line Interface (CLI). The CLI commands are used in the configuration examples; for more details about the syntax of commands, see “802.1Q Commands” in the OmniSwitch CLI Reference Guide.
802.1Q Specifications
IEEE Specification: Draft Standard P802.1Q/D11, IEEE Standards for Local And Metropolitan Area Network: Virtual Bridged Local Area Networks, July 30, 1998
Maximum Number of Tagged VLANs per Port: 4093
Maximum Number of Untagged VLANs per Port: One untagged VLAN per port.
Maximum Number of VLAN Port Associations: 32768
Note. Up to 4093 VLANs can be assigned to a tagged port or link aggregation group.
802.1Q Overview
802.1Q is an IEEE standard for sending frames through the network tagged with VLAN identification; this chapter describes Alcatel's implementation of it. It details procedures for configuring and monitoring 802.1Q tagging on a single port in a switch or on a link aggregation group in a switch. 802.1Q tagging is the IEEE version of VLANs. It is a method for segregating areas of a network into distinct VLANs.
The port can only be assigned to one untagged VLAN (in every case, this will be the default VLAN). In the example above the default VLAN is VLAN 1. The port can be assigned to as many 802.1Q VLANs as necessary, up to 4093 per port or 32768 VLAN port associations. For the purposes of Quality of Service (QoS), 802.1Q ports are always considered to be trusted ports, which means the switch accepts the 802.1p priority value carried in the tag of incoming frames rather than resetting it. For more information on QoS and trusted ports, see Chapter 26, “Configuring QoS.” Alcatel’s 802.
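What the switch reads from a tagged frame, and how the acceptable frame type setting used later in this chapter decides whether an untagged frame is admitted, can be shown on raw frame bytes. The following Python is an added illustration, not OmniSwitch software. It assumes, beyond what the page states, a TPID of 0x8100, that VID 0 (priority-tagged) is handled like an untagged frame, that VID 4095 is reserved, and that a frame tagged for a VLAN the port is not tagged with is dropped; the 802.1p value is taken from the tag because the page says 802.1Q ports are QoS-trusted. The frame bytes and port settings are constructed.

```python
"""Parse an Ethernet frame's 802.1Q tag and apply a port's acceptable
frame type. Added illustration, not OmniSwitch software.

Assumed (not on the page): TPID 0x8100; VID 0 is priority-tagged and handled
like untagged; VID 4095 is reserved; a frame tagged for a VLAN the port is
not tagged with is dropped. Frame bytes and port settings are constructed."""
import struct

TPID_8021Q = 0x8100


def parse_frame(raw):
    """Return dst, src, optional tag {pcp, dei, vid}, inner ethertype, payload."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tag": tag,
            "ethertype": ethertype, "payload": raw[offset:]}


def ingress_vlan(frame, port):
    """VLAN the frame is bridged in, or None if the port drops it.
    port = {"default_vlan": int, "tagged": set of VIDs, "accept": "any"|"tagged"}"""
    tag = frame["tag"]
    if tag is None or tag["vid"] == 0:          # untagged or priority-tagged
        if port["accept"] == "tagged":
            return None                         # accept-tagged-only drops it
        return port["default_vlan"]             # the single untagged VLAN
    vid = tag["vid"]
    if vid == 4095 or vid not in port["tagged"]:
        return None
    return vid


def priority_of(frame):
    """802.1p priority a trusted port takes from the tag (0 when untagged)."""
    return frame["tag"]["pcp"] if frame["tag"] else 0


def build_frame(dst, src, vid=None, pcp=0, ethertype=0x0800,
                payload=b"\x45" + b"\x00" * 19):
    """Constructed frame; pass vid=None for an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF), ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Port 2/1 of the application example: tagged for VLAN 2, tagged frames only.
PORT_2_1 = {"default_vlan": 1, "tagged": {2}, "accept": "tagged"}
# Same membership but the default "Any Frame Type" shown by show 802.1q.
PORT_ANY = {"default_vlan": 1, "tagged": {2}, "accept": "any"}
```

Because the port is trusted, priority_of() returns whatever the sender put in the tag; on a port that faces end stations rather than another switch, that is the value an attacker controls, which is the practical reason to read Chapter 26 before tagging such ports.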
Configuring an 802.1Q VLAN
The following sections detail procedures for creating 802.1Q VLANs and assigning ports to 802.1Q VLANs.
Enabling Tagging on a Port
To set a port to be a tagged port, you must specify a VLAN identification (VID) number and a port number. You may also optionally assign a text identification. For example, to configure port 4 on slot 3 to be a tagged port, enter the following command at the CLI prompt:
-> vlan 5 802.
To remove 802.1Q tagging from a selected port, use the same command as above with a no keyword added, as shown:
-> vlan 5 no 802.1q 8
Note. The link aggregation group must be created first before it can be set to use 802.1Q tagging. For more specific information, see the vlan 802.1q command section in the OmniSwitch CLI Reference Guide.
Show 802.1Q Information
After configuring a port or link aggregation group to be a tagged port, you can view the settings by using the show 802.1q command, as demonstrated:
-> show 802.1q 3/4
 Acceptable Frame Type   : Any Frame Type
 Force Tag Internal      : NA
 Tagged VLANS    Internal Description
 -------------+-------------------------------------------------+
            2   TAG PORT 3/4 VLAN 2
-> show 802.
Application Example
In this section the steps to create 802.1Q connections between switches are shown. The following diagram shows a simple network employing 802.1Q on both regular ports and link aggregation groups.
The following steps apply to Switch 2. They will attach port 2/1 to VLAN 2 and set the port to accept 802.1Q tagged traffic only:
1 Create VLAN 2 by entering vlan 2 as shown below (VLAN 1 is the default VLAN for the switch):
-> vlan 2
2 Set port 2/1 as a tagged port and assign it to VLAN 2 by entering the following:
-> vlan 2 802.1q 2/1
3 Set port 2/1 to accept only tagged traffic by entering the following:
-> vlan 802.
The following steps apply to Stack 3. They will attach ports 4/1 and 4/2 as link aggregation group 5 to VLAN 3.
1 Configure static link aggregation group 5 by entering the following:
-> static linkagg 5 size 2
2 Assign ports 4/1 and 4/2 to static link aggregation group 5 by entering the following two commands:
-> static agg 4/1 agg num 5
-> static agg 4/2 agg num 5
3 Create VLAN 3 by entering the following:
-> vlan 3
4 Configure 802.
12 Configuring IP Internet Protocol (IP) is primarily a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded. Along with Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols.
• Managing IP
– Internet Control Message Protocol (ICMP) (see page 12-20)
– Using the Ping Command (see page 12-23)
– Tracing an IP Route (see page 12-24)
– Displaying TCP Information (see page 12-24)
– Displaying User Datagram Protocol (UDP) Information (see page 12-24)
IP Specifications
RFCs Supported: RFC 791–Internet Protocol; RFC 792–Internet Control Message Protocol; RFC 826–An Ethernet Address Resolution Protocol
Maximum VLANs per switch: 4094 (based on switch con
Quick Steps for Configuring IP Forwarding
Using only IP, which is always enabled on the switch, devices connected to ports on the same VLAN are able to communicate at Layer 2. The initial configuration for all Alcatel switches consists of a default VLAN 1. All switch ports are initially assigned to this VLAN.
IP Overview
IP is a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded on a network. IP is the primary network-layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols.
IP Protocols
IP is associated with several Layer 3 and Layer 4 protocols. These protocols are built into the base code loaded on the switch.
Additional IP Protocols
There are several additional IP-related protocols that may be used with IP forwarding. These protocols are included as part of the base code.
• Address Resolution Protocol (ARP)—Used to match the IP address of a device with its physical (MAC) address. For more information, see “Configuring Address Resolution Protocol (ARP)” on page 12-11.
• Virtual Router Redundancy Protocol (VRRP)—Used to back up routers.
IP Forwarding
Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the same VLAN. However, if a device needs to communicate with another device that belongs to a different VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs.
Configuring an IP Router Interface
IP is enabled by default. Using IP, devices connected to ports on the same VLAN are able to communicate. However, to forward packets to a different VLAN, you must create at least one router interface on each VLAN. Use the ip interface command to define up to eight IP interfaces for an existing VLAN.
Modifying an IP Router Interface
The ip interface command is also used to modify existing IP interface parameter values. It is not necessary to first remove the IP interface and then create it again with the new values. The changes specified will overwrite existing parameter values. For example, the following command changes the subnet mask to 255.255.255.
Configuring a Loopback0 Interface
Loopback0 is the name assigned to an IP interface to identify a consistent address for network management purposes. The Loopback0 interface is not bound to any VLAN, so it will always remain operationally active. This differs from other IP interfaces in that if there are no active ports in the VLAN, all IP interfaces associated with that VLAN are not active.
Creating a Static Route

Static routes are user-defined and carry a higher priority than routes created by dynamic routing protocols. That is, if two routes have the same metric value, the static route has the higher priority. Static routes allow you to define, or customize, an explicit path to an IP network segment, which is then added to the IP Forwarding table. Static routes can be created between VLANs to enable devices on these VLANs to communicate.
Configuring Address Resolution Protocol (ARP)

To send packets on a locally connected network, the switch uses ARP to match the IP address of a device with its physical (MAC) address. To send a data packet to a device with which it has not previously communicated, the switch first broadcasts an ARP request packet. The ARP request packet requests the Ethernet hardware address corresponding to an Internet address.
Deleting a Permanent Entry from the ARP Table

Permanent entries do not age out of the ARP table. Use the no arp command to delete a permanent entry from the ARP table. When deleting an ARP entry, you only need to enter the IP address. For example, to delete an entry for IP address 171.11.1.1, you would enter:

-> no arp 171.11.1.1

Use the show arp command to display the ARP table and verify that the entry was deleted.

Note.
Note that when Local Proxy ARP is enabled for any one IP router interface associated with a VLAN, the feature is applied to the entire VLAN. It is not necessary to enable it for each interface. However, if the IP interface that has this feature enabled is moved to another VLAN, Local Proxy ARP is enabled for the new VLAN and must be enabled on another interface for the old VLAN.
IP Configuration

IP is enabled on the switch by default and there are few options that can, or need to be, configured. This section provides instructions for some basic IP configuration options.

Configuring the Router Primary Address

The router primary address is used by advanced routing protocols (e.g., OSPF) to identify the switch on the network. It is also the address that is used to access the switch for management purposes.
Use the ip directed-broadcast command to enable or disable IP-directed broadcasts. For example:

-> ip directed-broadcast off

Use the show ip config command to display the IP-directed broadcast state.

Denial of Service (DoS) Filtering

By default, the switch filters denial of service (DoS) attacks, which are security attacks aimed at devices that are available on a private network or the Internet.
[Figure: DoS Settings on an OmniSwitch 9700: UDP/TCP closed = 10, UDP open = 20, TCP open = 5, Threshold = 2000, Decay = 2, Penalty Total = 0]

In one minute, 10 TCP closed port packets and 10 UDP closed port packets are received. This would bring the total penalty value to 200, as shown using the following equation:

(10 TCP x 10 penalty) + (10 UDP x 10 penalty) = 200

This value would be divided by 2 (due to the decay) and decreased to 100.
In the next minute, 10 more TCP and UDP closed port packets are received, along with 200 UDP open port packets. This would bring the total penalty value to 4300, as shown using the following equation:

(100 previous minute value) + (10 TCP x 10 penalty) + (10 UDP x 10 penalty) + (200 UDP x 20 penalty) = 4300

This value would be divided by 2 (due to decay) and decreased to 2150.
Setting the Port Scan Penalty Value Threshold

The port scan penalty value threshold is the highest point the total penalty value for the switch can reach before a trap is generated informing the administrator that a port scan is in progress. To set the port scan penalty value threshold, enter the threshold value with the ip dos scan threshold command.
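The penalty arithmetic worked through above, as an added model that is not code from the guide or from Alcatel: per-packet penalties are summed over a minute and the total is then divided by the decay value, using the DoS Settings figures from the text. Two details the text does not state are assumed here: the trap fires when the pre-decay total exceeds the threshold, and the decay division is integer division.

```python
"""Model of the OmniSwitch port-scan penalty counter described above.

Added example, not code from the guide or from Alcatel. The update rule and
the DoS Settings values are taken from the worked example in the text; the
trap check against the pre-decay total and integer division are assumptions.
"""
from dataclasses import dataclass


@dataclass
class DosSettings:
    """Values shown in the 'DoS Settings' figure above."""
    closed_port_penalty: int = 10  # UDP/TCP closed = 10
    udp_open_penalty: int = 20     # UDP open = 20
    tcp_open_penalty: int = 5      # TCP open = 5
    threshold: int = 2000          # ip dos scan threshold
    decay: int = 2                 # total is divided by this every minute


@dataclass
class MinuteCounts:
    """Packets seen in one minute, by the category the switch penalises."""
    tcp_closed: int = 0
    udp_closed: int = 0
    udp_open: int = 0
    tcp_open: int = 0


class PortScanPenalty:
    def __init__(self, settings: DosSettings):
        self.settings = settings
        self.total = 0      # penalty total carried into the next minute
        self.traps = []     # minutes at which a port-scan trap was raised

    def minute_penalty(self, c: MinuteCounts) -> int:
        """Penalty accumulated by one minute of traffic."""
        s = self.settings
        return (c.tcp_closed * s.closed_port_penalty
                + c.udp_closed * s.closed_port_penalty
                + c.udp_open * s.udp_open_penalty
                + c.tcp_open * s.tcp_open_penalty)

    def tick(self, minute: int, counts: MinuteCounts) -> tuple:
        """Apply one minute of traffic.

        Returns (total before decay, total after decay). Checking the trap
        against the pre-decay total is an assumption (see module docstring).
        """
        before = self.total + self.minute_penalty(counts)
        if before > self.settings.threshold:
            self.traps.append(minute)
        self.total = before // self.settings.decay
        return before, self.total


def run_guide_scenario() -> tuple:
    """Replays the two minutes worked through in the text."""
    counter = PortScanPenalty(DosSettings())
    minute1 = counter.tick(1, MinuteCounts(tcp_closed=10, udp_closed=10))
    minute2 = counter.tick(2, MinuteCounts(tcp_closed=10, udp_closed=10, udp_open=200))
    return minute1, minute2, counter.traps


if __name__ == "__main__":
    m1, m2, traps = run_guide_scenario()
    print("minute 1:", m1, "minute 2:", m2, "traps at minutes:", traps)
```

Minute 2 reaches 4300 before decay, above the default threshold of 2000, so this is the minute at which the trap would be raised; lowering the threshold with ip dos scan threshold makes an earlier, smaller burst trip it.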
The following table lists ip service command options for specifying TCP/UDP services and also includes the well-known port number associated with each service:

service            port
ftp                21
ssh                22
telnet             23
http               80
secure-http        443
avlan-http         260
avlan-secure-http  261
avlan-telnet       259
udp-relay          67
network-time       123
snmp               161
proprietary        1024
proprietary        1025

OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006 page 12-19
Managing IP

The following sections describe IP commands that can be used to monitor and troubleshoot IP forwarding on the switch.

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP) is a network layer protocol within the IP protocol suite that provides message packets to report errors and other IP packet processing information back to the source.
Activating ICMP Control Messages

ICMP messages are identified by a type and a code. This number pair specifies an ICMP message. For example, ICMP type 4, code 0, specifies the source quench ICMP message. To enable or disable an ICMP message, use the icmp type command with the type and code.
In addition to the icmp type command, several commonly used ICMP messages have been given separate CLI commands for convenience.
Setting the Minimum Packet Gap

The minimum packet gap is the time required between sending messages of a like type. For instance, if the minimum packet gap for Address Mask request messages is 40 microseconds, and an Address Mask message is sent, at least 40 microseconds must pass before another one can be sent. To set the minimum packet gap, use the min-pkt-gap keyword with any of the ICMP control commands.
Tracing an IP Route

The traceroute command is used to find the path taken by an IP packet from the local switch to a specified destination. This command displays the individual hops to the destination as well as some timing information. When using this command, you must enter the name of the destination as part of the command line (either the IP address or host name). Use the optional max-hop parameter to set a maximum hop count to the destination.
Verifying the IP Configuration

A summary of the show commands used for verifying the IP configuration is given here:

show ip interface    Displays the usability status of interfaces configured for IP.
show ip route        Displays the IP Forwarding table.
show ip config       Displays IP configuration parameters.
show ip protocols    Displays switch routing protocol information and status.
show ip service      Displays the current status of TCP/UDP service ports.
13 Configuring Static Link Aggregation

Alcatel’s static link aggregation software allows you to combine several physical links into one large virtual link known as a link aggregation group. Using link aggregation provides the following benefits:
• Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
• Reliability.
Static Link Aggregation Specifications

The table below lists specifications for static groups.

Maximum number of link aggregation groups   32 (per switch or a stack of switches)
Number of links per group supported         2, 4, or 8 (per switch or a stack of switches)
Range for optional group name               1 to 255 characters
CLI Command Prefix Recognition              All static link aggregation configuration commands support prefix recognition.
Quick Steps for Configuring Static Link Aggregation

Follow the steps below for a quick tutorial on configuring a static aggregate link between two switches. Additional information on how to configure each command is given in the subsections that follow.
1 Create the static aggregate link on the local switch with the static linkagg size command.
Note. Optional. You can verify your static link aggregation settings with the show linkagg command.
Static Link Aggregation Overview

Link aggregation allows you to combine 2, 4, or 8 physical connections into large virtual connections known as link aggregation groups. You can configure up to 32 link aggregation groups per standalone switch or stack of switches. Each group can consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links. You can create Virtual LANs (VLANs), 802.
OS9-GNI-C24 and two ports on another OS9-GNI-C24 on Switch B. The network administrator has created a separate VLAN for this group so users can use this high speed link.

[Figure: static aggregate group between Switch A and Switch B]

Switch software treats the static aggregate groups as one large virtual link.
Configuring Static Link Aggregation Groups

This section describes how to use Alcatel’s Command Line Interface (CLI) commands to configure static link aggregate groups. See “Configuring Mandatory Static Link Aggregate Parameters” on page 13-7 for more information.

Note. See “Quick Steps for Configuring Static Link Aggregation” on page 13-3 for a brief tutorial on configuring these mandatory parameters.
Creating and Deleting a Static Link Aggregate Group

The following subsections describe how to create and delete static link aggregate groups with the static linkagg size command.

Creating a Static Aggregate Group

You can create up to 32 static and/or dynamic link aggregation groups per standalone switch or stack of switches.
Adding and Deleting Ports in a Static Aggregate Group

The following subsections describe how to add and delete ports in a static aggregate group with the static agg agg num command.

Adding Ports to a Static Aggregate Group

The number of ports assigned in a static aggregate group can be less than or equal to the maximum size you specified in the static linkagg size command.
Modifying Static Aggregation Group Parameters

This section describes how to modify the following static aggregate group parameters:
• Static aggregate group name (see “Modifying the Static Aggregate Group Name” on page 13-10)
• Static aggregate group administrative state (see “Modifying the Static Aggregate Group Administrative State” on page 13-10)

Modifying the Static Aggregate Group Name

The following subsections desc
Application Example

Static link aggregation groups are treated by the switch’s software the same way it treats individual physical ports. This section demonstrates this by providing a sample network configuration that uses static link aggregation along with other software features. In addition, a tutorial is provided that shows how to configure this sample network using Command Line Interface (CLI) commands.
Displaying Static Link Aggregation Configuration and Statistics

You can use Command Line Interface (CLI) show commands to display the current configuration and statistics of link aggregation. These commands include the following:

show linkagg        Displays information on link aggregation groups.
show linkagg port   Displays information on link aggregation ports.
14 Configuring Dynamic Link Aggregation

Alcatel’s dynamic link aggregation software allows you to combine several physical links into one large virtual link known as a link aggregation group. Using link aggregation provides the following benefits:
• Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
• Reliability.
Dynamic Link Aggregation Specifications

The table below lists specifications for dynamic aggregation groups and ports:

IEEE Specifications Supported   802.
Dynamic Link Aggregation Default Values

The table below lists default values for dynamic aggregate groups.
Quick Steps for Configuring Dynamic Link Aggregation

Follow the steps below for a quick tutorial on configuring a dynamic aggregate link between two switches. Additional information on how to configure each command is given in the subsections that follow.
Note. As an option, you can verify your dynamic aggregation group settings with the show linkagg command on either the actor or the partner switch.
An example of what these commands look like entered sequentially on the command line on the partner switch:

-> lacp linkagg 2 size 8 actor admin key 5
-> lacp agg 2/1 actor admin key 5
-> lacp agg 3/1 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 3/6 actor admin key 5
-> lacp agg 5/1 actor admin key 5
-> lacp agg 5/6 actor admin key 5
-> lacp agg 8/1 actor admin key 5
-> lacp ag
-> vlan
Dynamic Link Aggregation Overview

Link aggregation allows you to combine 2, 4, or 8 physical connections into large virtual connections known as link aggregation groups. You can configure up to 32 link aggregation groups per standalone switch or stack of switches. Each group can consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links. You can create Virtual LANs (VLANs), 802.
[Figure: Local (Actor) Switch and Remote (Partner) Switch establishing a Dynamic Group]

1. Local (actor) switch sends requests to establish a dynamic aggregate group link to the remote (partner) switch.
2. Partner switch acknowledges that it can accept this dynamic group.
3. Actor and partner switches negotiate parameters for the dynamic group, producing optimal settings.
4. Actor and partner switches establish the dynamic aggregate group.
Relationship to Other Features

Link aggregation groups are supported by other switch software features. For example, you can configure 802.1Q tagging on link aggregation groups in addition to configuring it on individual ports. The following features have CLI commands or command parameters that support link aggregation:
• VLANs. For more information on VLANs, see Chapter 5, “Configuring VLANs.”
• 802.1Q.
Configuring Dynamic Link Aggregate Groups

This section describes how to use Alcatel’s Command Line Interface (CLI) commands to create, modify, and delete dynamic aggregate groups. See “Configuring Mandatory Dynamic Link Aggregate Parameters” on page 14-10 for more information.

Note. See “Quick Steps for Configuring Dynamic Link Aggregation” on page 14-4 for a brief tutorial on configuring these mandatory parameters.
Creating and Deleting a Dynamic Aggregate Group

The following subsections describe how to create and delete dynamic aggregate groups with the lacp linkagg size command.
Configuring Ports to Join and Removing Ports in a Dynamic Aggregate Group

The following subsections describe how to configure ports with the same administrative key (which allows them to be aggregated) or to remove them from a dynamic aggregate group with the lacp agg actor admin key command.
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to configure an actor administrative key of 10 and to document that the port on slot 4 port 1 is a 10-Mbps Ethernet port, enter:

-> lacp agg ethernet 4/1 actor admin key 10

Note.
Modifying Dynamic Link Aggregate Group Parameters

The table on page 14-3 lists default group and port settings for Alcatel’s dynamic link aggregation software. These parameters ensure compliance with the IEEE 802.3ad specification. For most networks, these default values do not need to be modified or will be modified automatically by switch software.
For example, to name dynamic aggregate group 4 “Engineering” you would enter:

-> lacp linkagg 4 name Engineering

Note. If you want to specify spaces within a name, the name must be enclosed in quotes.
Deleting a Dynamic Aggregate Actor Administrative Key

To remove an actor switch administrative key from a dynamic aggregate group’s configuration, use the no form of the lacp linkagg actor admin key command by entering lacp linkagg followed by the dynamic aggregate group number and no actor admin key.
Restoring the Dynamic Aggregate Group Actor System ID

To remove the user-configured actor switch system ID from a dynamic aggregate group’s configuration, use the no form of the lacp linkagg actor system id command by entering lacp linkagg followed by the dynamic aggregate group number and no actor system id.
For example, to reset the partner system priority of dynamic aggregate group 4 to its default value you would enter:

-> lacp linkagg 4 no partner system priority

Modifying the Dynamic Aggregate Group Partner System ID

By default, the dynamic aggregate group partner system ID is 00:00:00:00:00:00.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See Chapter 7, “Assigning Ports to VLANs,” for more information on mobile ports.

Modifying the Actor Port System Administrative State

The system administrative state of a dynamic aggregate group actor port is indicated by bit settings in Link Aggregation Control Protocol Data Unit (LACPDU) frames sent by the port.
lacp agg actor admin state Keyword   Definition
expire                               Specifying this keyword has no effect because the system always determines its value. When this bit (bit 7) is set by the system, the actor cannot receive LACPDU frames.

Note. Specifying none removes all administrative states from the LACPDU configuration.
For example, to modify the system ID of the dynamic aggregate actor port 3 in slot 7 to 00:20:da:06:ba:d3 you would enter:

-> lacp agg 7/3 actor system id 00:20:da:06:ba:d3

As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax.
Modifying the Actor Port Priority

By default, the actor port priority (used to converge dynamic key changes) is 0. The following subsections describe how to configure a user-specified value and how to restore the value to its default value with the lacp agg actor port priority command.
Modifying Dynamic Aggregate Partner Port Parameters

This section describes how to modify the following dynamic aggregate partner port parameters:
• Partner port system administrative state (see “Modifying the Partner Port System Administrative State” on page 14-23)
• Partner port administrative key (see “Modifying the Partner Port Administrative Key” on page 14-25)
• Partner port system ID (see “Modifying the Partner P
Keyword       Definition
synchronize   Specifies that bit 3 in the partner state octet is enabled. When this bit is set, the port is allocated to the correct dynamic aggregation group. If this bit is not enabled, the port is not allocated to the correct aggregation group. By default, this value is disabled.
collect       Specifying this keyword has no effect because the system always determines its value.
Note. Since individual bits within the LACPDU frame are set with the lacp agg partner admin state command, you can set some bits on and restore other bits to default values within the same command.
Configuring the Partner Port System ID

You can configure the partner port system ID by entering lacp agg, the slot number, a slash (/), the port number, partner admin system id, and the user-specified partner administrative system ID (i.e., the MAC address in hexadecimal format).
Restoring the Partner Port System Priority

To remove a user-configured system priority from a dynamic aggregate group partner port’s configuration, use the no form of the lacp agg partner admin system priority command by entering lacp agg, the slot number, a slash (/), the port number, and no partner admin system priority.
For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to 100 you would enter:

-> lacp agg 4/3 partner admin port priority 100

As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax.
Application Examples

Dynamic link aggregation groups are treated by the switch’s software the same way it treats individual physical ports. This section demonstrates this feature by providing sample network configurations that use dynamic aggregation along with other software features. In addition, tutorials are provided that show how to configure these sample networks by using Command Line Interface (CLI) commands.
Link Aggregation and Spanning Tree Example

As shown in the figure on page 14-29, VLAN 10, which uses the Spanning Tree Protocol (STP) with a priority of 15, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 3/9 and 3/10 on Switch A to ports 1/1 and 1/2 on Switch B. Follow the steps below to configure this network:

Note. Only the steps to configure the local (i.e.
Link Aggregation and QoS Example

As shown in the figure on page 14-29, VLAN 12, which uses 802.1Q frame tagging and 802.1p prioritization, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 4/1, 4/2, 4/3, and 4/4 on Switch A to ports 1/1, 1/2, 1/3, and 1/4 on Switch C (a stack of four OmniSwitch 6800 Series switches). Follow the steps below to configure this network:

Note.
10 Repeat steps 1 through 9 on Switch C. All the commands would be the same except you would substitute the appropriate port numbers.

Note. If you do not use the qos apply command, any QoS policies you configured will be lost on the next switch reboot.
Displaying Dynamic Link Aggregation Configuration and Statistics

You can use Command Line Interface (CLI) show commands to display the current configuration and statistics of link aggregation. These commands include the following:

show linkagg        Displays information on link aggregation groups.
show linkagg port   Displays information on link aggregation ports.
A screen similar to the following would be displayed:

Dynamic Aggregable Port
  SNMP Id
  Slot/Port
  Administrative State
  Operational State
  Port State
  Link State
  Selected Agg Number
  Primary port
LACP
  Actor System Priority
  Actor System Id
  Actor Admin Key
  Actor Oper Key
  Partner Admin System Priority
  Partner Oper System Priority
  Partner Admin System Id
  Partner Oper System Id
  Partner Admin Key
  Partner Oper Key
  Att
15 Configuring IPv6

Internet Protocol version 6 (IPv6) is the next generation of Internet Protocol version 4 (IPv4). Both versions are supported along with the ability to tunnel IPv6 traffic over IPv4. Implementing IPv6 solves the limited address problem currently facing IPv4, which provides a 32-bit address space. IPv6 increases the address space available to 128 bits.

Note. IPv6 is only supported on the OmniSwitch 6850 and OmniSwitch 9000 switches for this release.
IPv6 Specifications

RFCs Supported
2460–Internet Protocol, Version 6 (IPv6) Specification
2461–Neighbor Discovery for IP Version 6 (IPv6)
2462–IPv6 Stateless Address Autoconfiguration
2463–Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
2464–Transmission of IPv6 Packets Over Ethernet Networks
2893–Transition Mechanisms for IPv6 Hosts and Routers
3513–Internet Protocol Version 6 (IPv6) Addressing Architecture
3056–Con
Quick Steps for Configuring IPv6 Routing

The following tutorial assumes that VLAN 200 and VLAN 300 already exist in the switch configuration. For information about how to configure VLANs, see Chapter 5, “Configuring VLANs.”
1 Configure an IPv6 interface for VLAN 200 by using the ipv6 interface command.
IPv6 Overview

IPv6 provides the basic functionality that is offered with IPv4 but includes the following enhancements and features not available with IPv4:
• Increased IP address size—IPv6 uses a 128-bit address, a substantial increase over the 32-bit IPv4 address size. Providing a larger address size also significantly increases the address space available, thus eliminating the concern over running out of IP addresses.
IPv6 Addressing

One of the main differences between IPv6 and IPv4 is that the address size has increased from 32 bits to 128 bits. Going to a 128-bit address also increases the size of the address space to the point where running out of IPv6 addresses is not a concern. The following types of IPv6 addresses are supported:
Unicast—Standard unicast addresses, similar to IPv4.
Multicast—Addresses that represent a group of devices.
Because the last four words of the above address are uncompressed values, the double colon indicates that the first four words of the address all contain zeros. Note that using the double colon is only allowed once within a single address. So if the address was 1234:531F:0:0:BCD2:F34A:0:0, a double colon could not replace both sets of zeros.
Stateless autoconfiguration is not available for assigning a global unicast or anycast address to an IPv6 interface. In other words, manual configuration is required to assign a non-link-local address to an interface. See “Assigning IPv6 Addresses” on page 15-12 for more information. Both stateless and stateful autoconfiguration are supported for devices, such as a workstation, when they are connected to the switch.
6to4 Site to 6to4 Site over IPv4 Domain

In this scenario, isolated IPv6 sites have connectivity over an IPv4 network through 6to4 border routers. An IPv6 6to4 tunnel interface is configured on each border router and assigned an IPv6 address with the 6to4 well-known prefix, as described above. IPv6 hosts serviced by the 6to4 border router have at least one IPv6 router interface configured with a 6to4 address.
The following diagram illustrates the basic traffic flow between native IPv6 hosts and 6to4 sites:

[Figure: an IPv6 Host in an IPv6 Site, behind an IPv6 Router in the IPv6 Domain, reaches an IPv6/IPv4 6to4 Relay Router; traffic crosses the IPv4 Domain to a 6to4 Border Router serving a 6to4 Host in a 6to4 Site]

In the above diagram:
1 The 6to4 relay router advertises a route to 2002::/16 on its IPv6 router interface.
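The address rules from the IPv6 Addressing section (a single double colon per address, as in the 1234:531F:0:0:BCD2:F34A:0:0 case) and the 2002::/16 6to4 prefix used in this scenario, as an added example that is not code from the guide. It goes slightly beyond the text: the tie-break for which zero run gets the double colon (longest run, leftmost on a tie) follows RFC 5952, which the guide does not cite, and the 2002:V4ADDR::/48 derivation follows RFC 3056 from the chapter's RFC list.

```python
"""IPv6 address text handling for the rules in the sections above.

Added example, not code from the guide or from Alcatel. expand_ipv6 enforces
the single-'::' rule, compress_ipv6 picks the one run of zero words that '::'
may replace (RFC 5952 tie-break, an addition to what the guide states), and
six_to_four_prefix derives a site's 2002::/16 address per RFC 3056.
"""

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> list:
    """Parse an IPv6 address into its eight 16-bit words.

    Exactly one '::' is allowed; it stands for as many zero words as are
    needed to bring the address up to eight."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_words = head.split(":") if head else []
        tail_words = tail.split(":") if tail else []
        missing = 8 - len(head_words) - len(tail_words)
        if missing < 1:
            raise ValueError("'::' must replace at least one word in %r" % text)
        words = head_words + ["0"] * missing + tail_words
    else:
        words = text.split(":")
    if len(words) != 8:
        raise ValueError("expected 8 words in %r" % text)
    for w in words:
        if not 1 <= len(w) <= 4 or not set(w) <= HEX:
            raise ValueError("bad word %r in %r" % (w, text))
    return [int(w, 16) for w in words]


def full_text(words: list) -> str:
    """Uncompressed form, every word padded to four hex digits."""
    return ":".join("%04x" % w for w in words)


def compress_ipv6(words: list) -> str:
    """Shortest text form, with a single '::' for the longest run of zero words."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if words[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and words[j] == 0:
            j += 1
        if j - i > best_len:          # strictly longer, so the leftmost run wins ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # a single zero word is not replaced by '::'
        return ":".join("%x" % w for w in words)
    head = ":".join("%x" % w for w in words[:best_start])
    tail = ":".join("%x" % w for w in words[best_start + best_len:])
    return head + "::" + tail


def six_to_four_prefix(ipv4: str) -> str:
    """2002:V4ADDR::/48 for a 6to4 site whose border router has this IPv4 address."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ipv4)
    words = [0x2002, octets[0] << 8 | octets[1], octets[2] << 8 | octets[3], 0, 0, 0, 0, 0]
    return compress_ipv6(words) + "/48"


def matches_6to4_route(words: list) -> bool:
    """True if the address falls in 2002::/16, the route the 6to4 relay advertises."""
    return words[0] == 0x2002
```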
Configuring an IPv6 Interface

The ipv6 interface command is used to create an IPv6 interface for a VLAN or a tunnel. Note the following when configuring an IPv6 interface:
• A unique interface name is required for both a VLAN and tunnel interface.
• If creating a VLAN interface, the VLAN must already exist. See Chapter 5, “Configuring VLANs,” for more information.
• If creating a tunnel interface, a tunnel ID or 6to4 is specified.
Use the show ipv6 interface command to verify the interface configuration for the switch. For more information about this command, see the OmniSwitch CLI Reference Guide.

Modifying an IPv6 Interface

The ipv6 interface command is also used to modify existing IPv6 interface parameter values. It is not necessary to first remove the interface and then create it again with the new values. The changes specified will overwrite existing parameter values.
Assigning IPv6 Addresses

As was previously mentioned, when an IPv6 interface is created for a VLAN or a configured tunnel, an IPv6 link-local address is automatically created for that interface. This is also true when a device, such as a workstation, is connected to the switch. Link-local addresses, although private and non-routable, enable interfaces and workstations to communicate with other interfaces and workstations that are connected to the same link.
Removing an IPv6 Address

To remove an IPv6 address from an interface, use the no form of the ipv6 address command.

-> no ipv6 address 4100:1000::20/64 v6if-v200

Note that the subnet router anycast address is automatically deleted when the last unicast address of the same subnet is removed from the interface.
Configuring IPv6 Tunnel Interfaces

There are two types of tunnels supported, 6to4 and configured. Both types facilitate the interaction of IPv6 networks with IPv4 networks by providing a mechanism for carrying IPv6 traffic over an IPv4 network infrastructure. This is an important function since it is more than likely that both protocols will need to coexist within the same network for some time.
Verifying the IPv6 Configuration

A summary of the show commands used for verifying the IPv6 configuration is given here:

show ipv6 interface   Displays the status and configuration of IPv6 interfaces.
show ipv6 tunnel      Displays IPv6 configured tunnel information and whether the 6to4 tunnel is enabled or not.
show ipv6 routes      Displays the IPv6 Forwarding Table.
show ipv6 prefixes    Displays IPv6 subnet prefixes used in router advertisements.
Verifying the IPv6 Configuration page 15-16 Configuring IPv6 OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006
16 Configuring RIP
Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop count as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of their own routing table. The RIP routing table uses the most efficient route to a destination, that is, the route with the fewest hops and the longest matching prefix. The switch supports RIP version 1 (RIPv1), RIP version 2 (RIPv2), and RIPv2 that is compatible with RIPv1.
RIP Specifications
RFCs Supported: RFC 1058 (RIP v1); RFC 2453 (RIP v2); RFC 1722 (RIP v2 Protocol Applicability Statement); RFC 1724 (RIP v2 MIB Extension)
Maximum Number of RIP Routes: 2048
RIP Defaults
The following table lists the defaults for RIP configuration through the ip rip command.
Quick Steps for Configuring RIP Routing
To forward packets to a device on a different VLAN, you must create a router port on each VLAN. To route packets by using RIP, you must enable RIP and create a RIP interface on the router port. The following steps show you how to enable RIP routing between VLANs “from scratch”. If active VLANs and router ports have already been created on the switch, go to Step 7.
1 Create VLAN 1 with a description (e.g.
12 Enable the RIP interface by using the ip rip interface status command. For example:
-> ip rip interface 171.11.1.1 status enable
13 Enable redistribution of local routes on the switch by using the ip rip redist command. For example:
-> ip rip redist local
14 Use the ip rip redist-filter command to redistribute all local routes. For example:
-> ip rip redist-filter local 0.0.0.0 0.0.0.0
15 Enable RIP redistribution by using the ip rip redist status command.
are traversed by a datagram along that path. When a switch receives a routing update that contains a new or changed destination network entry, the switch adds one to the metric value indicated in the update and enters the network in the routing table. After updating its routing table, the switch immediately begins transmitting routing updates to inform other network switches of the change. These updates are sent independently of the regularly scheduled updates.
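The update rule just described (metric plus one, install new or better routes, triggered update, longest matching prefix when forwarding), as an added Python model that is not OmniSwitch code. It uses the two-switch figure from this chapter; the address 120.0.0.2 for Switch 2's VLAN 2 router port is an assumption.

```python
"""RIP update processing as the chapter describes it (an added example, not
OmniSwitch code): received metric plus one, install new or better routes,
advertise the change at once as a triggered update, and forward on the
longest matching prefix. Hop count 16 is RIP's "unreachable" value (RFC 2453)."""
import ipaddress
from dataclasses import dataclass, field

RIP_INFINITY = 16


@dataclass
class Route:
    network: str    # e.g. "130.0.0.0/8"
    next_hop: str   # "connected" for a VLAN router port on this switch
    metric: int     # hop count


@dataclass
class RipTable:
    routes: dict = field(default_factory=dict)          # network -> Route
    triggered_updates: list = field(default_factory=list)

    def add_connected(self, network: str) -> None:
        # a directly attached VLAN is one hop away
        self.routes[network] = Route(network, "connected", 1)

    def process_update(self, from_router: str, entries) -> list:
        """entries: (network, metric) pairs as advertised by the neighbor.
        Returns the networks whose table entries changed."""
        changed = []
        for network, advertised in entries:
            # the switch adds one to the metric carried in the update
            metric = min(advertised + 1, RIP_INFINITY)
            current = self.routes.get(network)
            if current is None:
                if metric < RIP_INFINITY:       # never install an unreachable route
                    self.routes[network] = Route(network, from_router, metric)
                    changed.append(network)
            elif current.next_hop == from_router:
                # the current next hop is believed even if the metric got worse;
                # this is how a withdrawal (metric 16) propagates
                if metric != current.metric:
                    current.metric = metric
                    changed.append(network)
            elif metric < current.metric:
                self.routes[network] = Route(network, from_router, metric)
                changed.append(network)
        if changed:
            # sent immediately, independently of the regularly scheduled update
            self.triggered_updates.append(self.advertisement(only=set(changed)))
        return changed

    def advertisement(self, only=None) -> list:
        """Entries this switch sends to its neighbors (metric 16 withdraws a route)."""
        return [(r.network, r.metric) for r in self.routes.values()
                if only is None or r.network in only]

    def lookup(self, destination: str):
        """Forwarding decision: longest matching prefix, then fewest hops."""
        dest = ipaddress.ip_address(destination)
        best, best_key = None, None
        for r in self.routes.values():
            net = ipaddress.ip_network(r.network)
            if r.metric < RIP_INFINITY and dest in net:
                key = (net.prefixlen, -r.metric)
                if best_key is None or key > best_key:
                    best, best_key = r, key
        return best


def switch1_scenario():
    """Constructed from the figure in this chapter: Switch 1 owns 110.0.0.0/8
    (VLAN 1) and 120.0.0.0/8 (VLAN 2); Switch 2 advertises over VLAN 2.
    Switch 2's VLAN 2 router port address 120.0.0.2 is assumed."""
    table = RipTable()
    table.add_connected("110.0.0.0/8")
    table.add_connected("120.0.0.0/8")
    # Switch 2's regular update: its two directly attached networks
    changed = table.process_update("120.0.0.2", [("120.0.0.0/8", 1), ("130.0.0.0/8", 1)])
    return table, changed


if __name__ == "__main__":
    table, changed = switch1_scenario()
    print("changed:", changed, "->", table.lookup("130.0.0.9"))
```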
switches have been assigned to VLAN 2, and a physical connection has been made between the switches. Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected to VLAN 3 on Switch 2.
[Figure: Switch 1 and Switch 2, each with a RIP routing table; a router port is a RIP interface. Switch 1: VLAN 1 (110.0.0.0, router port 110.0.0.1) and VLAN 2 (120.0.0.0). Switch 2: VLAN 2 (120.0.0.0) and VLAN 3 (130.0.0.0, router port 130.0.0.1). Physical connection between the switches on VLAN 2; other addresses shown: 110.0.0.2, 130.0.0.]
Creating a RIP Interface
You must create a RIP interface on a VLAN’s IP router port to enable RIP routing. Enter the ip rip interface command followed by the IP address of the VLAN router port. For example, to create a RIP interface on a router port with an IP address of 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1
Use the no ip rip interface command to delete a RIP interface.
Configuring the RIP Interface Receive Option
The RIP Receive option defines the type(s) of RIP packets that the interface will accept. Using this command overrides the RIP default behavior. Other devices must be able to interpret the information provided by this command, or routing information will not be properly exchanged between the switch and other devices on the network. Use the ip rip interface recv-version command to configure an individual RIP interface Receive option.
RIP Options
The following sections detail procedures for configuring RIP options. RIP must be loaded and enabled on the switch before you can configure any of the RIP configuration options.
Configuring the RIP Forced Hold-Down Interval
The RIP forced hold-down timer value defines an amount of time, in seconds, during which routing information regarding better paths is suppressed.
RIP Redistribution
Redistribution provides a way to exchange routing information between RIP networks and OSPF and BGP networks. It also redistributes local and static routes into RIP. Basically, redistribution makes a non-RIP route look like a RIP route.
Configuring a Redistribution Metric
When redistributing routes into RIP, the metric for the redistributed route is calculated as the sum of the route’s metric and the corresponding metric in the redistribution policy. This is the case when the matching filter metric is 0 (the default). However, if the matching redistribution filter metric is set to a non-zero value, the redistributed route’s metric is set to the filter metric.
Creating a Redistribution Filter
Use the ip rip redist-filter command to create a RIP redistribution filter. Enter the command, the route type, and the destination IP address and mask of the traffic you want to redistribute. Only routes matching the policy and destination specified in the filter will be redistributed into RIP and passed to the destination. For example, to redistribute OSPF routes destined for the 10.0.0.
Configuring a Redistribution Filter Metric
You can prioritize redistribution of route types to a network by assigning a metric value to a route type. The default redistribution filter metric is 1. However, you can lower the priority of a route type by increasing its metric value. For example, if you want to give priority to OSPF routes to a particular network, you would set the metric value for the other route types to 2.
RIP Security
By default, no authentication is used for RIP. However, you can configure a password for a RIP interface. To configure a password, you must first select the authentication type (simple or MD5), and then configure a password.
Configuring Authentication Type
If simple or MD5 password authentication is used, both switches on either end of a link must share the same password. Use the ip rip interface auth-type command to configure the authentication type.
Verifying the RIP Configuration
A summary of the show commands used for verifying the RIP configuration is given here:
show ip rip
    Displays the RIP status and general configuration parameters (e.g., forced hold-down timer).
show ip rip routes
    Displays the RIP routing database. The routing database contains all the routes learned through RIP.
show ip rip interface
    Displays the RIP interface status and configuration.
17 Configuring RDP
Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on their networks. This implementation of RDP supports the router requirements as defined in RFC 1256.
In This Chapter
This chapter describes the RDP feature and how to configure RDP parameters through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
RDP Specifications
RFCs Supported: RFC 1256 (ICMP Router Discovery Messages)
Router advertisements: Supported
Host solicitations: Only responses to solicitations supported in this release.
Maximum number of RDP interfaces per switch: One for each available IP interface configured on the switch.
Advertisement destination addresses: 224.0.0.1 (all systems multicast), 255.255.255.
Quick Steps for Configuring RDP
Configuring RDP involves enabling RDP operation on the switch and creating RDP interfaces to advertise VLAN router IP addresses on the LAN. There is no required order of configuration. For example, it is possible to create RDP interfaces even if RDP is not enabled on the switch. The following steps provide a quick tutorial on how to configure RDP.
To verify the configuration for a specific RDP interface, specify the interface name when using the show ip router-discovery interface command. The display is similar to the one shown below.
-> show ip router-discovery interface Marketing
Name = Marketing,
IP Address = 11.255.4.1,
IP Mask = 255.0.0.0,
IP Interface status = Enabled,
RDP Interface status = Enabled,
VRRP Interface status = Disabled,
Advertisement address = 224.0.0.
RDP Overview
End hosts (clients) sending traffic to other networks need to forward their traffic to a router. To do this, hosts need to find out whether one or more routers exist on their LAN, then learn their IP addresses. One way to discover neighboring routers is to manually configure a list of router IP addresses that the host reads at startup. Another method involves listening to routing protocol traffic to gather a list of router IP addresses.
RDP Interfaces
An RDP interface is created by enabling RDP on a VLAN router IP address. Once enabled, the RDP interface becomes active and joins the all-routers IP multicast group (224.0.0.2). The interface then transmits three initial router advertisement messages at random intervals that are no greater than 16 seconds apart. This process occurs upon activation to increase the likelihood that end hosts will quickly discover this router.
Security Concerns
ICMP RDP packets are not authenticated, which makes them vulnerable to the following attacks:
• Passive monitoring—Attackers can use RDP to re-route traffic from vulnerable systems through the attacker’s system. This allows the attacker to monitor or record one side of the conversation. However, the attacker must reside on the same network as the victim for this scenario to work.
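Because router advertisements carry no authentication, the check a host or a network monitor can still make is whether the advertised addresses and lifetime are the ones it expects. The following added example (not OmniSwitch code) parses an RFC 1256 router advertisement and reports deviations; the sample packet is constructed, the address 11.255.4.1 comes from the show output earlier in this chapter, and the 600-second maximum advertisement interval behind the 1800-second lifetime default is an assumption taken from RFC 1256.

```python
"""Parser and allow-list check for ICMP Router Advertisement messages
(RFC 1256, ICMP type 9); an added example, not OmniSwitch code."""
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9
ADDR_ENTRY_WORDS = 2          # each entry is a router address and a preference


def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words; 0 for a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(entries, lifetime: int) -> bytes:
    """Constructed test input: entries are (router_ip, preference) pairs."""
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                         len(entries), ADDR_ENTRY_WORDS, lifetime)
    body = b"".join(ipaddress.IPv4Address(ip).packed + struct.pack("!i", pref)
                    for ip, pref in entries)
    packet = header + body
    return packet[:2] + struct.pack("!H", icmp_checksum(packet)) + packet[4:]


def parse_router_advertisement(packet: bytes):
    """Return (lifetime_seconds, [(router_ip, preference), ...]) or raise ValueError."""
    if len(packet) < 8:
        raise ValueError("too short for an ICMP router advertisement")
    msg_type, code, _csum, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", packet[:8])
    if msg_type != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    if entry_size != ADDR_ENTRY_WORDS:
        raise ValueError("unsupported address entry size")
    if len(packet) < 8 + 8 * num_addrs:
        raise ValueError("truncated address list")
    entries = []
    for i in range(num_addrs):
        offset = 8 + 8 * i
        router = str(ipaddress.IPv4Address(packet[offset:offset + 4]))
        (preference,) = struct.unpack("!i", packet[offset + 4:offset + 8])  # signed
        entries.append((router, preference))
    return lifetime, entries


def audit_advertisement(packet: bytes, expected_routers, max_adv_interval: int = 600) -> list:
    """Report router addresses outside the expected set and a lifetime that is not
    3 x the maximum advertisement interval (the chapter's default relationship;
    600 s is the RFC 1256 default maximum, assumed here)."""
    lifetime, entries = parse_router_advertisement(packet)
    findings = []
    for router, preference in entries:
        if router not in expected_routers:
            findings.append(f"unexpected default router {router} (preference {preference})")
    if lifetime != 3 * max_adv_interval:
        findings.append(f"lifetime {lifetime} s is not 3 x {max_adv_interval} s")
    return findings


# constructed sample: the interface from the chapter's show output (11.255.4.1)
# plus a second address that no router on this LAN should be advertising
SAMPLE = build_router_advertisement([("11.255.4.1", 0), ("11.255.4.200", 1000)], 1800)

if __name__ == "__main__":
    for finding in audit_advertisement(SAMPLE, {"11.255.4.1"}):
        print(finding)
```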
Enabling/Disabling RDP
RDP is included in the base software and is available when the switch starts up. However, by default this feature is not operational until it is enabled on the switch. To enable RDP operation on the switch, use the following command:
-> ip router-discovery enable
Once enabled, any existing RDP interfaces on the switch that are also enabled will activate and start to send initial advertisements.
RDP Interface Parameter: Default
Advertisement lifetime: 1800 seconds (3 * maximum value)
Router IP address preference level: 0
It is only necessary to change the above parameter values if the default value is not sufficient. The following subsections provide information about how to configure RDP interface parameters if it is necessary to use a different value.
Setting the Minimum Advertisement Interval
To set the minimum amount of time, in seconds, that RDP will allow between advertisements, use the ip router-discovery interface min-advertisement-interval command.
Verifying the RDP Configuration
To display information about the RDP configuration on the switch, use the show commands listed below:
show ip router-discovery
    Displays the current operational status of RDP on the switch. Also includes the number of advertisement packets transmitted and the number of solicitation packets received by all RDP interfaces on the switch.
18 Configuring DHCP Relay
The User Datagram Protocol (UDP) is a connectionless transport protocol that runs on top of IP networks. DHCP Relay allows you to use nonroutable protocols (such as UDP) in a routing environment. UDP is used for applications that do not require the establishment of a session and end-to-end error checking. Email and file transfer are two applications that could use UDP.
DHCP Relay Specifications
Note. The DHCP Relay functionality described in this chapter is supported on the OmniSwitch 6800, 6850, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted within any section of this chapter.
DHCP Relay Defaults
The following table describes the default values of the DHCP Relay parameters.
Parameter Description | Command | Default Value/Comments
Forward delay time value for DHCP Relay | ip helper forward delay | 3 seconds
Maximum number of hops | ip helper maximum hops | 4 hops
Packet forwarding option | ip helper standard; ip helper avlan only; ip helper per-vlan only | Standard
Automatic switch IP configuration for default VLAN 1.
Quick Steps for Setting Up DHCP Relay
You should configure DHCP Relay on switches where packets are routed between IP networks. There is no separate command for enabling or disabling the relay service. DHCP Relay is automatically enabled on the switch whenever a DHCP server IP address is defined. To set up DHCP Relay, proceed as follows:
1 Identify the IP address of the DHCP server. Where the DHCP server has IP address 128.100.16.
DHCP Relay Overview
The DHCP Relay service, its corresponding port numbers, and configurable options are as follows:
• DHCP Relay Service: BOOTP/DHCP
• UDP Port Numbers: 67/68 for Request/Response
• Configurable options: DHCP server IP address, Forward Delay, Maximum Hops, Forwarding Option, automatic switch IP configuration
The port numbers indicate the destination port numbers in the UDP header.
DHCP
DHCP (Dynamic Host Configuration Protocol) provides a framework for passing configuration information to Internet hosts on a TCP/IP network. It is based on the Bootstrap Protocol (BOOTP), adding the ability to automatically allocate reusable network addresses and additional configuration options. DHCP consists of the following two components:
• A protocol for delivering host-specific configuration parameters from a DHCP server to a host.
External DHCP Relay Application
The DHCP Relay may be configured on a router that is external to the switch. In this application example the switched network has a single VLAN configured with multiple segments. All of the network hosts are DHCP-ready, meaning they obtain their network address from the DHCP server. The DHCP server resides behind an external network router, which supports the DHCP Relay functionality.
Internal DHCP Relay
The internal DHCP Relay is configured using the UDP forwarding feature in the switch, available through the ip helper address command. For more information, see “DHCP Relay Implementation” on page 18-9. This application example shows a network with two VLANs, each with multiple segments. All network clients are DHCP-ready and the DHCP server resides on just one of the VLANs.
DHCP Relay Implementation
The OmniSwitch allows you to configure the DHCP Relay feature in one of two ways. You can set up a global DHCP request, or you can set up the DHCP Relay based on the VLAN of the DHCP request. Both of these choices provide the same configuration options and capabilities. However, they are mutually exclusive. The following matrix summarizes the options.
To delete an IP address, use the no form of the ip helper address command. The IP address specified with this syntax is deleted. If an IP address is not specified with this syntax, then all IP helper addresses are deleted. The following command deletes a helper address for IP address 125.255.17.11:
-> ip helper no address 125.255.17.
Setting Maximum Hops
This value specifies the maximum number of relays the BOOTP/DHCP packet can go through until it reaches its server destination. This limit keeps packets from “looping” through the network. If a UDP packet contains a hop count equal to the hops value, DHCP Relay discards the packet. The following syntax is used to set a maximum of four hops.
-> ip helper maximum hops 4
The hops value represents the maximum number of relays.
Using Automatic IP Configuration
An additional function of the DHCP Relay feature enables a switch to broadcast a BootP or DHCP request packet at boot time to obtain an IP address for default VLAN 1. This function is separate from the previously described functions (such as Global DHCP, per-VLAN DHCP and related configurable options) in that enabling or disabling automatic IP configuration does not exclude or prevent other DHCP Relay functionality.
Configuring DHCP Security Features
There are two DHCP security features available: the DHCP relay agent information option (Option-82) and DHCP Snooping. The DHCP Option-82 feature enables the relay agent to insert identifying information into client-originated DHCP packets before the packets are forwarded to the DHCP server.
If the DHCP packet from the client ... | The relay agent ...
Contains a zero gateway IP address (0.0.0.0) and Option-82 data. | Drops the packet, keeps the Option-82 data and forwards the packet, or replaces the Option-82 data with its own Option-82 data and forwards the packet. The action performed by the relay agent in this case is determined by the agent information policy that is configured through the ip helper agent-information policy command.
Enabling the Relay Agent Information Option-82
Use the ip helper agent-information command to enable the DHCP Option-82 feature for the switch. For example:
-> ip helper agent-information enable
This same command is also used to disable this feature.
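The relay agent's handling of a client packet that already carries Option-82, as an added Python model that is not OmniSwitch code: the three outcomes from the table above (drop, keep, replace) for a packet with a zero gateway address, and insertion of the agent's own Option-82 when the client packet has none. The policy keywords drop/keep/replace, the circuit-id and remote-id values, and the relay address are assumptions; the client MAC is the one used in this chapter's examples.

```python
"""Relay-agent Option-82 handling for client-originated DHCP packets; an added
example, not OmniSwitch code. Packets are plain bytes in RFC 2131 layout."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
FIXED_LEN = 240                     # BOOTP fixed fields plus the magic cookie
ZERO_GIADDR = b"\x00\x00\x00\x00"


def parse_options(raw: bytes) -> list:
    """Decode the TLV option list into (code, value) pairs, stopping at END."""
    options, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = raw[i + 1]
        options.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return options


def encode_options(options) -> bytes:
    return b"".join(bytes([code, len(value)]) + value
                    for code, value in options) + bytes([OPT_END])


def option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Sub-option 1 (circuit-id) and sub-option 2 (remote-id), per RFC 3046."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id


def make_client_packet(options=(), giaddr: bytes = ZERO_GIADDR) -> bytes:
    """Constructed BOOTREQUEST from the client MAC used in the chapter's examples."""
    chaddr = bytes.fromhex("002a95516c10") + b"\x00" * 10
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        ZERO_GIADDR, ZERO_GIADDR, ZERO_GIADDR, giaddr, chaddr, b"", b"")
    return fixed + MAGIC_COOKIE + encode_options(list(options))


def relay_client_packet(packet: bytes, policy: str, relay_ip: bytes, own_option82: bytes):
    """Return the packet to forward toward the server, or None when it is dropped.
    policy is the assumed agent information policy: "drop", "keep" or "replace"."""
    if len(packet) < FIXED_LEN or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fixed = bytearray(packet[:FIXED_LEN])
    options = parse_options(packet[FIXED_LEN:])
    giaddr = bytes(fixed[24:28])
    has_option82 = any(code == OPT_RELAY_AGENT for code, _ in options)
    if giaddr != ZERO_GIADDR:
        # already relayed by another agent: forwarded without modification (RFC 3046)
        return packet
    if has_option82:
        if policy == "drop":
            return None
        if policy == "replace":
            options = [(code, own_option82 if code == OPT_RELAY_AGENT else value)
                       for code, value in options]
        elif policy != "keep":
            raise ValueError(f"unknown agent information policy {policy!r}")
    else:
        options.append((OPT_RELAY_AGENT, own_option82))
    fixed[24:28] = relay_ip         # giaddr names the relaying interface (RFC 2131)
    return bytes(fixed) + encode_options(options)
```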
Using DHCP Snooping
DHCP Snooping improves network security by filtering DHCP messages received from devices outside the network and by building and maintaining a binding table (database) to track access information for such devices. In order to identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes ports as either trusted or untrusted.
• The port from where the DHCP packet originated.
• The VLAN associated with the port from where the DHCP packet originated.
• The lease time for the assigned IP address.
• The binding entry type; dynamic or static (user-configured).
After extracting the above information and populating the binding table, the agent then forwards the packet to the port from where the packet originated.
the trust mode for a port is configured to block or allow all DHCP traffic. See “Configuring the Port Trust Mode” on page 18-18 for more information. In addition, the following functionality is also activated by default when DHCP Snooping is enabled:
• The DHCP Snooping binding table is created and maintained.
Configuring the Port Trust Mode
The DHCP Snooping trust mode for a port determines whether the port accepts all DHCP traffic, accepts only client DHCP traffic, or blocks all DHCP traffic. The following trust modes for a port are configurable using the ip helper dhcp-snooping port command:
• client-only—The default mode applied to ports when DHCP Snooping is enabled. This mode restricts DHCP traffic on the port to only DHCP client-related traffic.
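The three trust modes and the binding-table learning described above, as an added Python model that is not OmniSwitch code: server messages are accepted only from a trusted port, a blocked port drops everything, and a server ACK creates a binding that records the port and VLAN the client's request came in on. The mode names "trusted" and "blocked", the check that a RELEASE arrives on the port the binding was learned on, and the exchange itself are assumptions; the client MAC, port 1/15, VLAN 200, address 17.15.3.10 and lease time 3 are the values this chapter's static-binding example uses.

```python
"""DHCP Snooping port trust modes and binding-table learning; an added example,
not OmniSwitch code. Messages are modelled as records rather than raw packets."""
from dataclasses import dataclass
from enum import Enum


class TrustMode(Enum):
    CLIENT_ONLY = "client-only"   # default when DHCP Snooping is enabled
    TRUSTED = "trusted"           # all DHCP traffic accepted (server-facing port); assumed name
    BLOCKED = "blocked"           # all DHCP traffic dropped; assumed name


CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int
    lease_time: int
    entry_type: str = "dynamic"   # "static" for user-configured entries


@dataclass
class DhcpMessage:
    kind: str          # one of CLIENT_MESSAGES or SERVER_MESSAGES
    mac: str           # client hardware address (chaddr)
    port: str          # ingress port, e.g. "1/15"
    vlan: int
    yiaddr: str = "0.0.0.0"
    lease_time: int = 0


class DhcpSnooping:
    def __init__(self):
        self.port_mode = {}
        self.bindings = {}      # client MAC -> Binding
        self.pending = {}       # client MAC -> (port, vlan) of its outstanding request
        self.dropped = []       # (message, reason), kept for inspection

    def set_port_mode(self, port: str, mode: TrustMode) -> None:
        self.port_mode[port] = mode

    def add_static_binding(self, binding: Binding) -> None:
        self.bindings[binding.mac] = binding

    def process(self, msg: DhcpMessage) -> str:
        """Return "forward" or "drop", updating the binding table on the way."""
        mode = self.port_mode.get(msg.port, TrustMode.CLIENT_ONLY)
        if mode is TrustMode.BLOCKED:
            return self._drop(msg, "port blocks all DHCP traffic")
        if msg.kind in SERVER_MESSAGES and mode is not TrustMode.TRUSTED:
            return self._drop(msg, "server message from an untrusted port")
        if msg.kind in ("DISCOVER", "REQUEST"):
            self.pending[msg.mac] = (msg.port, msg.vlan)
        elif msg.kind == "ACK":
            origin = self.pending.pop(msg.mac, None)
            if origin is not None:
                port, vlan = origin     # the port and VLAN the client's packet originated from
                self.bindings[msg.mac] = Binding(msg.mac, msg.yiaddr, port, vlan, msg.lease_time)
        elif msg.kind in ("RELEASE", "DECLINE"):
            binding = self.bindings.get(msg.mac)
            if binding is not None and binding.port != msg.port:
                # assumed consistency check: a release must come from the binding's port
                return self._drop(msg, "release for a binding learned on another port")
            if binding is not None and binding.entry_type == "dynamic":
                del self.bindings[msg.mac]
        return "forward"

    def _drop(self, msg: DhcpMessage, reason: str) -> str:
        self.dropped.append((msg, reason))
        return "drop"


def scenario():
    """Constructed exchange: server on trusted port 1/1, client on 1/15 (VLAN 200),
    and a second device on 1/20 answering with an OFFER it should not be sending."""
    agent = DhcpSnooping()
    agent.set_port_mode("1/1", TrustMode.TRUSTED)
    mac = "00:2a:95:51:6c:10"
    results = [
        agent.process(DhcpMessage("DISCOVER", mac, "1/15", 200)),
        agent.process(DhcpMessage("OFFER", mac, "1/20", 200, "17.15.3.99")),
        agent.process(DhcpMessage("OFFER", mac, "1/1", 200, "17.15.3.10")),
        agent.process(DhcpMessage("REQUEST", mac, "1/15", 200)),
        agent.process(DhcpMessage("ACK", mac, "1/1", 200, "17.15.3.10", lease_time=3)),
    ]
    return agent, results
```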
Configuring Rate Limiting
To set up DHCP rate limiting from the client, configure a QoS policy rule similar to the one shown in the following example:
-> policy condition client-dhcp destination udp port 67
-> policy action client-limit maximum bandwidth <bandwidth>
-> policy rule client-limit action client-limit condition client-dhcp
Where <bandwidth> is (packets per second * average packet size) or a specific overall data rate to use for limiting the numb
-> no ip helper dhcp-snooping binding 00:2a:95:51:6c:10 port 1/15 address 17.15.3.10 lease-time 3 vlan 200
To view the DHCP Snooping binding table contents, use the show ip helper dhcp-snooping binding command. See the OmniSwitch CLI Reference Guide for example outputs of this command.
Configuring the Binding Table Timeout
The contents of the DHCP Snooping binding table reside in switch memory.
Verifying the DHCP Relay Configuration
To display information about DHCP Relay and BOOTP/DHCP, use the show commands listed below. For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show ip helper command is also given in “Quick Steps for Setting Up DHCP Relay” on page 18-4.
19 Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) is a standard router redundancy protocol supported in IP version 4. It is based on RFC 3768 and provides redundancy by eliminating the single point of failure inherent in a default route environment.
Note. RFC 3768, which obsoletes RFC 2338, does not include support for authentication types. As a result, configuring VRRP authentication is no longer supported in this release.
VRRP Specifications
RFCs Supported: RFC 3768 (Virtual Router Redundancy Protocol); RFC 2787 (Definitions of Managed Objects for the Virtual Router Redundancy Protocol)
Compatible with HSRP? No
Maximum number of virtual routers: 255
Maximum number of IP addresses: 1 for the IP address owner; more than 1 address may be configured if the router is a backup for a master router that supports multiple addresses
VRRP Defaults
The following table lists the defaults for VRRP co
Quick Steps for Creating a Virtual Router
1 Create a virtual router. Specify a virtual router ID (VRID) and a VLAN ID. For example:
-> vrrp 6 4
The VLAN must already be created on the switch. For information about creating VLANs, see Chapter 5, “Configuring VLANs.”
2 Configure an IP address for the virtual router.
-> vrrp 6 4 ip 10.10.2.
VRRP Overview
VRRP allows routers on a LAN to back up a default route. VRRP dynamically assigns responsibility for a virtual router to a physical router (VRRP router) on the LAN. The virtual router is associated with an IP address (or set of IP addresses) on the LAN. A virtual router master is elected to forward packets for the virtual router’s IP address. If the master router becomes unavailable, the highest-priority backup router transitions to the master state.
Note.
If OmniSwitch A becomes unavailable, OmniSwitch B becomes the master router. OmniSwitch B then responds to ARP requests for IP address A using the virtual router’s MAC address (00:00:5E:00:01:01). It also forwards packets for IP address B and responds to ARP requests for IP address B using the OmniSwitch’s physical MAC address. OmniSwitch B, however, cannot accept packets addressed to IP address A (such as ICMP ping requests).
If backup routers are configured with priority values that are close together, there may be a timing conflict, and the first backup to take over may not be the one with the highest priority; a backup with a higher priority will then preempt the new master. The virtual router may be configured to prohibit any preemption attempts, except by the IP address owner.
VRRP Tracking
A virtual router’s priority may be conditionally modified to prevent another router from taking over as master. Tracking policies are used to conditionally modify the priority setting whenever a slot/port, IP address, or IP interface associated with a virtual router goes down.
Configuration Overview
VRRP is part of the base software. At startup, VRRP is loaded onto the switch and is enabled. Virtual routers must first be configured and enabled as described in the following sections.
• Preempt mode. By default, preempt mode is enabled. Use no preempt to turn it off, and preempt to turn it back on. For more information about the preempt mode, see “Setting Preemption for Virtual Routers” on page 19-11.
• Advertising interval (in seconds). Use the interval keyword with the desired number of seconds for the delay in sending VRRP advertisement packets. The default is 1 second. See “Configuring the Advertisement Interval” on page 19-10.
Configuring the Advertisement Interval
The advertisement interval is configurable, but all virtual routers with the same VRID should be configured with the same value. Mismatched values will create network problems.
In this example, virtual router 6 is disabled. (If you are modifying an existing virtual router, the virtual router must be disabled before it may be modified.) The virtual router priority is then set to 50. The priority value is relative to the priority value configured for other virtual routers backing up the same IP address. Since the default priority is 100, setting the value to 50 typically gives the router a lower priority in the VRRP network.
A virtual router must be disabled before it may be modified. Use the vrrp command to disable the virtual router first; then use the command again to modify the parameters. For example:
-> vrrp 7 3 disable
-> vrrp 7 3 priority 200
-> vrrp 7 3 enable
In this example, virtual router 7 on VLAN 3 is disabled. The virtual router is then modified to change its priority setting.
Creating Tracking Policies
To create a tracking policy, use the vrrp track command and specify the amount to decrease a virtual router’s priority and the slot/port, IP address, or IP interface name to be tracked. For example:
-> vrrp track 3 enable priority 50 20.1.1.3
In this example, a tracking policy ID (3) is created and enabled for IP address 20.1.1.3.
Verifying the VRRP Configuration
A summary of the show commands used for verifying the VRRP configuration is given here:
show vrrp
    Displays the virtual router configuration for all virtual routers or for a particular virtual router.
show vrrp statistics
    Displays statistics about VRRP packets for all virtual routers configured on the switch or for a particular virtual router.
show vrrp track
    Displays information about tracking policies on the switch.
VRRP Application Example
In addition to providing redundancy, VRRP can assist in load balancing outgoing traffic. The figure below shows two virtual routers with their hosts splitting traffic between them. Half of the hosts are configured with a default route to virtual router 1’s IP address (10.10.2.250), and the other half are configured with a default route to virtual router 2’s IP address (10.10.2.245).
Note. The same VRRP configuration must be set up on each switch. The VRRP router that contains, or owns, the IP address automatically becomes the master for that virtual router. If the IP address is a virtual address, the virtual router with the highest priority becomes the master router. In this scenario, the master of VRID 1 responds to ARP requests for IP address A using the virtual router MAC address for VRID 1 (00:00:5E:00:01:01).
VRRP Tracking Example
The figure below shows two VRRP routers with two virtual routers backing up one IP address on each VRRP router respectively. Virtual router 1 serves as the default gateway on OmniSwitch A for clients 1 and 2 through IP address 10.10.2.250.
If port 3/1 on VRRP router A goes down, the master for virtual router A is still functioning, but workstation clients 1 and 2 will not be able to get to the Internet. With this tracking policy enabled, however, master router 1’s priority will be temporarily decremented to 50, allowing backup router 1 to take over and provide connectivity for those workstations. When port 3/1 on VRRP router A comes back up, master 1 will take over again.
Note.
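The election behaviour this chapter describes (highest priority wins, the address owner at priority 255, preempt mode, and tracking policies that decrement the priority while a tracked port is down), as an added Python model that is not OmniSwitch code. It walks the tracking example above: OmniSwitch A at the default priority 100 with a 50-point tracking policy on port 3/1. The backup's priority of 75, the routers' interface addresses, and the tie-break on higher IP address (RFC 3768) are assumptions beyond the chapter's text.

```python
"""VRRP master election with priority, preempt mode and tracking policies;
an added example, not OmniSwitch code."""
import ipaddress
from dataclasses import dataclass, field

OWNER_PRIORITY = 255      # reserved for the router that owns the virtual router's IP address


def virtual_mac(vrid: int) -> str:
    """Virtual router MAC address 00:00:5E:00:01:{VRID} (RFC 3768)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5E:00:01:{vrid:02X}"


@dataclass
class TrackingPolicy:
    policy_id: int
    tracked: str        # slot/port, IP address, or IP interface name
    decrement: int      # amount subtracted from the priority while the object is down
    enabled: bool = True


@dataclass
class VrrpRouter:
    name: str
    vrid: int
    vlan: int
    address: str                      # this router's own interface address (assumed tie-breaker)
    priority: int = 100               # configured priority; default on the OmniSwitch
    owns_address: bool = False
    preempt: bool = True              # may this router, as a backup, preempt a weaker master?
    tracking: list = field(default_factory=list)
    down: set = field(default_factory=set)   # tracked objects currently down

    def effective_priority(self) -> int:
        if self.owns_address:
            return OWNER_PRIORITY
        value = self.priority
        for policy in self.tracking:
            if policy.enabled and policy.tracked in self.down:
                value -= policy.decrement
        return max(value, 1)

    def rank(self):
        # higher priority wins; equal priorities go to the higher IP address (RFC 3768)
        return (self.effective_priority(), int(ipaddress.IPv4Address(self.address)))


def elect_master(routers, current=None):
    """Return the router that should be master for one VRID. An existing master
    keeps the role unless a better router is allowed to preempt it (the IP
    address owner always is)."""
    best = max(routers, key=lambda r: r.rank())
    if current is None or current not in routers or best is current:
        return best
    if best.rank() > current.rank() and (best.preempt or best.owns_address):
        return best
    return current


def tracking_example() -> list:
    """Walk the chapter's tracking scenario; returns the master after each step."""
    a = VrrpRouter("OmniSwitch A", 1, 2, "10.10.2.1", priority=100,
                   tracking=[TrackingPolicy(1, "3/1", 50)])
    b = VrrpRouter("OmniSwitch B", 1, 2, "10.10.2.2", priority=75)   # assumed backup priority
    steps = []
    master = elect_master([a, b])              # A: 100 beats 75
    steps.append(master.name)
    a.down.add("3/1")                          # port 3/1 on router A goes down
    master = elect_master([a, b], master)      # A is now 50, B takes over
    steps.append(master.name)
    a.down.discard("3/1")                      # port 3/1 comes back up
    master = elect_master([a, b], master)      # A preempts with 100 again
    steps.append(master.name)
    return steps


if __name__ == "__main__":
    print(virtual_mac(1), tracking_example())
```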
20 Configuring IPX
The Internet Packet Exchange (IPX) protocol, developed by Novell for NetWare, is a Layer 3 protocol used to route packets through IPX networks. (NetWare is Novell’s network server operating system.)
In This Chapter
This chapter describes IPX and how to configure it through the Command Line Interface (CLI). It includes instructions for configuring IPX routing and fine-tuning IPX by using optional IPX configuration parameters (e.g., IPX packet extension and type-20 propagation).
IPX Specifications
Specifications Supported: IPX RIP and Service Advertising Protocol (SAP) router specification; version 1.30; May 23, 1996; Part No. 107000029-001
IPX Defaults
The following table lists the defaults for IPX configuration through the ipx command.
Quick Steps for Configuring IPX Routing
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However, to route packets to a device on a different VLAN, you must create an IPX router port on each VLAN. The following steps show you how to enable IPX routing between VLANs “from scratch”. If active VLANs have already been created on the switch, go to step 5.
1 Create VLAN 1 with a description (e.g.
IPX Overview
IPX specifies a connectionless datagram similar to the IP packet of TCP/IP networks. An IPX network address consists of two parts, a network number and a node number. The IPX network number is assigned by the network administrator. The node number is the Media Access Control (MAC) address of a network interface in the end node. IPX exchanges information by using its own version of RIP, which sends updates every 60 seconds.
IPX is associated with additional protocols built into the switch software. The switch supports the following IPX protocols:
• IPX RIP—Layer 3 protocol used by NetWare routers to exchange IPX routing information. IPX RIP functions similarly to IP RIP. IPX RIP uses two metrics to calculate the best route, hop count and ticks.
IPX Routing
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However, to route packets to a device on a different VLAN, you must create an IPX router port on each VLAN.
Enabling IPX Routing
IPX is enabled by default. If necessary, use the ipx routing command to enable IPX. Use the no ipx routing command to disable IPX. Use the show ipx interface command to display IPX router status and configuration parameters.
IPX Router Port Configuration Options
When you create an IPX router port by using the vlan router ipx command, RIP routing is enabled using the default parameters listed below. However, you can use the full command to change the default parameters. Sample configurations are shown at the end of this section.
Routing Type
By default, both RIP and SAP packets are processed (active). However, additional configurations can be used:
• active.
IPX Routing Configuring IPX The network node is only required if the default network is directly connected to the switch. For example, to create a default route to network 222 (which is directly attached to the switch) you would enter: -> ipx default-route 222 00:20:da:99:88:77 Use the no ipx default-route command to delete a default route.
Configuring IPX IPX Routing You can also enable or disable Type 20 packet forwarding on a specific VLAN by using the optional VLAN parameter. For example, to enable Type 20 packet forwarding only on VLAN 1 you would enter: -> ipx type-20-propagation 1 enable Use the show ipx type-20-propagation command to display Type 20 packet forwarding status for the switch. Configuring Extended RIP and SAP Packets Larger RIP and SAP packets can be transmitted to reduce network congestion.
IPX Routing Configuring IPX Using the PING Command The ping command is used to test the reachability of certain types of IPX nodes. The software supports two different types of IPX pings: • Novell—Used to test the reachability of NetWare servers currently running the NetWare Loadable Module called IPXRTR.NLM. This type cannot be used to reach NetWare workstations running IPXODI. Novell uses a unique type of ping for this purpose (implemented by their IPXPNG.EXE program).
IPX RIP/SAP Filtering
The IPX RIP/SAP Filtering feature gives you a means of controlling the operation of the IPX RIP/SAP protocols. By using IPX RIP/SAP filters, you can minimize the number of entries put in the IPX RIP Routing and SAP Bindery Tables, improve overall network performance by eliminating unnecessary traffic, and control users’ access to NetWare services.
Configuring RIP Filters
IPX RIP filters allow you to minimize the number of entries put in the IPX RIP routing table. RIP input filters control which networks are allowed into the routing table when IPX RIP updates are received. RIP output filters control which networks the switch advertises in its IPX RIP updates. Use the ipx filter rip command to configure a RIP input or output filter.
You can narrow the filter by specifying a VLAN and a SAP type. For example, to create a filter that will block 0004 (NetWare File Server) SAP updates from being sent to VLAN 1 you would enter:
-> ipx filter 1 sap 0004 out block
You can also narrow the filter by specifying a network. You must enter the network number and the network mask.
IPX RIP/SAP Filter Precedence
Whenever you use multiple “allow” filters you must first define a filter to block all RIPs or SAPs. Then, all of the subsequent “allow” filters of the same type must be at least as specific in all areas for the filters to work. Note that filtering precedence is related only to “allow” filters. Multiple “block” filters can be defined with varying specificity in each of the areas of the filter.
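A small checker for the precedence rule just described, written as an added example (not OmniSwitch code). Filters are modelled as Python dicts rather than parsed from CLI text, and the "at least as specific" test is an assumption: in each area (VLAN, SAP type, network/mask) the preceding block filter must be a wildcard or match the allow filter.

```python
"""Check a planned IPX RIP/SAP filter list against the precedence rule above.

Added example, not OmniSwitch code. Filters are modelled as dicts instead of
CLI text. Assumption: an allow filter is "at least as specific" as a block
filter when, in each area (VLAN, SAP type, network/mask), the block filter is
a wildcard (key absent) or matches the allow filter's value.
"""

ALL_ONES = 0xFFFFFFFF  # IPX network numbers are 32-bit


def _area_covers(block_val, allow_val):
    """One scalar area: a wildcard block covers anything; otherwise values must match."""
    return block_val is None or block_val == allow_val


def _network_covers(block, allow):
    """Network area: the allow filter's network must lie inside the block's network/mask."""
    if block.get("network") is None:
        return True                      # block is a wildcard on this area
    if allow.get("network") is None:
        return False                     # allow is a wildcard: less specific
    bmask = block.get("mask", ALL_ONES)
    amask = allow.get("mask", ALL_ONES)
    # the allow mask must include every bit of the block mask, and the two
    # networks must agree on those bits
    return (amask & bmask) == bmask and \
        (allow["network"] & bmask) == (block["network"] & bmask)


def at_least_as_specific(allow, block):
    """True if 'allow' narrows (or equals) 'block' in every area."""
    return (_area_covers(block.get("vlan"), allow.get("vlan"))
            and _area_covers(block.get("sap_type"), allow.get("sap_type"))
            and _network_covers(block, allow))


def check_precedence(filters):
    """Return a list of problems (empty when the filter list is consistent).

    Each filter is a dict with kind ('rip'|'sap'), direction ('in'|'out'),
    action ('allow'|'block') and optional vlan, sap_type, network, mask.
    """
    problems = []
    for i, f in enumerate(filters):
        if f["action"] != "allow":
            continue                     # block filters may be of any specificity
        earlier_blocks = [b for b in filters[:i]
                          if b["action"] == "block"
                          and b["kind"] == f["kind"]
                          and b["direction"] == f["direction"]]
        if not earlier_blocks:
            problems.append(f"filter {i}: allow filter for {f['kind']} {f['direction']} "
                            "has no preceding block filter")
        elif not any(at_least_as_specific(f, b) for b in earlier_blocks):
            problems.append(f"filter {i}: allow filter is less specific than every "
                            "preceding block filter in some area")
    return problems


# Constructed sample configurations (not from the guide).
GOOD_FILTERS = [
    {"kind": "sap", "direction": "out", "action": "block"},   # block all SAP output first
    {"kind": "sap", "direction": "out", "action": "allow", "vlan": 1, "sap_type": 0x0004},
    {"kind": "sap", "direction": "out", "action": "allow", "vlan": 2, "sap_type": 0x0004,
     "network": 0x222, "mask": ALL_ONES},
]
BAD_FILTERS = [
    {"kind": "sap", "direction": "out", "action": "block", "vlan": 1, "sap_type": 0x0004},
    {"kind": "sap", "direction": "out", "action": "allow", "sap_type": 0x0004},  # no VLAN
    {"kind": "rip", "direction": "in", "action": "allow", "network": 0x100},     # no block first
]

if __name__ == "__main__":
    print("good:", check_precedence(GOOD_FILTERS) or "ok")
    for p in check_precedence(BAD_FILTERS):
        print("bad:", p)
```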
Verifying the IPX Configuration
A summary of the show commands used for verifying the IPX configuration is given here:
show ipx interface            Displays current IPX interface configuration information.
show ipx route                Displays IPX routing table information.
show ipx filter               Displays currently configured IPX RIP, SAP, and GNS filters.
show ipx type-20-propagation  Displays the current status of Type 20 packet forwarding.
21 Managing Authentication Servers This chapter describes authentication servers and how they are used with the switch. The types of servers described include Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and SecurID’s ACE/Server.
Authentication Server Specifications
RADIUS RFCs Supported
RFC 2865–Remote Authentication Dial In User Service (RADIUS)
RFC 2866–RADIUS Accounting
RFC 2867–RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868–RADIUS Attributes for Tunnel Protocol Support
RFC 2809–Implementation of L2TP Compulsory Tunneling via RADIUS
RFC 2869–RADIUS Extensions
RFC 2548–Microsoft Vendor-specific RADIUS Attributes
RFC 2882–Network Access S
Server Defaults
The defaults for authentication server configuration on the switch are listed in the tables in the next sections.
Quick Steps For Configuring Authentication Servers
1 For RADIUS or LDAP servers, configure user attribute information on the servers. See “RADIUS Servers” on page 21-9 and “LDAP Servers” on page 21-15.
2 Use the aaa radius-server and/or the aaa ldap-server command to configure the authentication server(s). For example:
-> aaa radius-server rad1 host 10.10.2.1 10.10.3.5 key amadeus
-> aaa ldap-server ldap2 host 10.10.3.
Server Overview
Authentication servers are sometimes referred to as AAA servers (authentication, authorization, and accounting). These servers are used for storing information about users who want to manage the switch (Authenticated Switch Access) and users who need access to a particular VLAN or VLANs (Authenticated VLANs). RADIUS or LDAP servers may be used for Authenticated Switch Access and/or Authenticated VLANs.
A RADIUS server supporting the challenge and response mechanism as defined in RADIUS RFC 2865 may access an ACE/Server for authentication purposes. The ACE/Server is then used for user authentication, and the RADIUS server is used for user authorization.
[Figure: end stations send login requests through the OmniSwitch 6648 to the LDAP or RADIUS server, which in turn sends a login request to the ACE/Server.]
The switch polls the server and receives login and privilege information about the user.
Port-Based Network Access Control (802.1X)
For devices authenticating on an 802.1X port on the switch, only RADIUS authentication servers are supported. The RADIUS server contains a database of user names and passwords, and may also contain challenges/responses and other authentication criteria.
[Figure (caption truncated: “Basic 802.”): the Supplicant (PC) sends a login request to the Authenticator PAE (OmniSwitch), which sends an authentication request to the Authentication Server (RADIUS server); authorization is granted back to the supplicant.]
ACE/Server
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2 authentication or for policy management. Attributes are not supported on ACE/Servers. These values must be configured on the switch through the user commands. See the “Switch Security” chapter of the OmniSwitch 6800/6850/9000 Switch Management Guide for more information about setting up the local user database.
RADIUS Servers
RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific Attributes (VSAs) is required. The Alcatel attributes may include VLAN information, time-of-day, or slot/port restrictions.
Num.  Standard Attribute   Notes
19    Callback-Number      Attributes 19–23: Not supported. These attributes are used for dial-up sessions; not applicable to the RADIUS client in the switch.
20    Callback-Id
21    Unassigned
22    Framed-Route
23    Framed-IPX-Network
24    State                Sent in challenge/response packets.
25    Class                Used to pass information from the server to the client and passed unchanged to the accounting server as part of the accounting-request packet.
Vendor-Specific Attributes for RADIUS
The Alcatel RADIUS client supports attribute 26, which includes a vendor ID and some additional subattributes called subtypes. The vendor ID and the subtypes collectively are called Vendor Specific Attributes (VSAs). Alcatel, through partnering arrangements, has included these VSAs in some vendors’ RADIUS server configurations. The attribute subtypes are defined in the server’s dictionary file.
Configuring Functional Privileges on the Server
Configuring the functional privileges attributes (Alcatel-Acce-Priv-F-x) can be cumbersome because it requires using read and write bitmasks for command families on the switch.
1 To display the functional bitmasks of the desired command families, use the show aaa priv hexa command.
2 On the RADIUS server, configure the functional privilege attributes with the bitmask values.
Note.
RADIUS Accounting Server Attributes
The following table lists the standard attributes supported for RADIUS accounting servers. The attributes in the radius.ini file may be modified if necessary.
Num.  Standard Attribute  Description
1     User-Name           Used in access-request and account-request packets.
4     NAS-IP-Address      Sent with every access-request. Specifies which switches a user may have access to. More than one of these attributes is allowed per user.
The following table lists the VSAs supported for RADIUS accounting servers. The attributes in the radius.ini file may be modified if necessary.
Num.  Accounting VSA      Type     Description
1     Alcatel-Auth-Group  integer  The authenticated VLAN number. The only protocol associated with this attribute is Ethernet II. If other protocols are required, use the protocol attribute instead.
2     Alcatel-Slot-Port   string   Slot(s)/port(s) valid for the user.
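The attribute 26 layout described under “Vendor-Specific Attributes for RADIUS” (RFC 2865 section 5.26) carried with the two accounting subtypes from the table above, as an added example that is not Alcatel code. The vendor ID is a labelled placeholder, since the guide points to the server’s dictionary file for the real value; the decoder checks every length field before trusting it, which is the part a RADIUS client most often gets wrong.

```python
"""Build and parse RADIUS Vendor-Specific attributes (type 26, RFC 2865 5.26).

Added example, not Alcatel code. The vendor ID is a placeholder: the guide says
the subtypes are defined in the server's dictionary file but does not print the
enterprise number, so take it from that file. Subtypes 1 (Alcatel-Auth-Group,
integer) and 2 (Alcatel-Slot-Port, string) are those in the accounting VSA table.
"""
import struct

VENDOR_ID_PLACEHOLDER = 0xFFFF     # assumption: replace with the dictionary's vendor ID
ATTR_VENDOR_SPECIFIC = 26

SUBTYPES = {                       # vendor-type -> (name, wire type)
    1: ("Alcatel-Auth-Group", "integer"),
    2: ("Alcatel-Slot-Port", "string"),
}
NAME_TO_SUBTYPE = {name: st for st, (name, _) in SUBTYPES.items()}


def encode_vsa(vendor_id, subtype, value):
    """Return one attribute-26 TLV: type, length, vendor-id, then vendor type/length/value."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)        # RADIUS integers are 32-bit big-endian
    else:
        payload = value.encode("ascii")
    sub_len = 2 + len(payload)
    if 6 + sub_len > 255:                         # whole attribute length is one byte
        raise ValueError("vendor subattribute too long for one attribute")
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + sub_len, vendor_id) \
        + struct.pack("!BB", subtype, sub_len) + payload


def decode_vsa(attr):
    """Parse an attribute-26 TLV; returns (vendor_id, [(subtype, raw_value), ...]).

    Length fields are checked before they are trusted, so a short or
    inconsistent attribute raises instead of being read past its end.
    """
    if len(attr) < 7 or attr[0] != ATTR_VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("attribute length does not match data")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated vendor subattribute header")
        st, sl = attr[pos], attr[pos + 1]
        if sl < 2 or pos + sl > len(attr):
            raise ValueError("bad vendor subattribute length")
        subs.append((st, attr[pos + 2:pos + sl]))
        pos += sl
    return vendor_id, subs


def decode_accounting_vsas(attr, vendor_id=VENDOR_ID_PLACEHOLDER):
    """Map the subtypes from the accounting table to Python values; unknown ones are skipped."""
    vid, subs = decode_vsa(attr)
    if vid != vendor_id:
        raise ValueError(f"unexpected vendor ID {vid}")
    out = {}
    for st, raw in subs:
        if st not in SUBTYPES:
            continue
        name, wire = SUBTYPES[st]
        if wire == "integer":
            if len(raw) != 4:
                raise ValueError(f"{name}: integer must be 4 bytes")
            out[name] = struct.unpack("!I", raw)[0]
        else:
            out[name] = raw.decode("ascii")
    return out


if __name__ == "__main__":
    # Constructed values: user placed in authenticated VLAN 2, allowed on slot 3 port 1.
    attrs = encode_vsa(VENDOR_ID_PLACEHOLDER, NAME_TO_SUBTYPE["Alcatel-Auth-Group"], 2) \
        + encode_vsa(VENDOR_ID_PLACEHOLDER, NAME_TO_SUBTYPE["Alcatel-Slot-Port"], "3/1")
    # Each call above produced a separate attribute; walk them one at a time.
    pos = 0
    while pos < len(attrs):
        length = attrs[pos + 1]
        print(decode_accounting_vsas(attrs[pos:pos + length]))
        pos += length
```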
LDAP Servers
Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP client in the switch is based on several RFCs: 1798, 2247, 2251, 2252, 2253, 2254, 2255, and 2256. The protocol was developed as a way to use directory services over TCP/IP and to simplify the directory access protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort. Originally it was a front-end for X.500 DAP.
LDAP Server Details
LDAP servers must be configured with the properly defined LDAP schema and correct database suffix, including well-populated data. LDAP schema is extensible, permitting entry of user-defined schema as needed. LDAP servers are also able to import and export directory databases using LDIF (LDAP Data Interchange Format).
LDIF File Structure
LDIF is used to transfer data to LDAP servers in order to build directories or modify LDAP databases.
This is how the entry would appear with actual data in it.
dn: uid=yname, ou=people, o=yourcompany
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: your name
sn: last name
givenname: first name
uid: yname
ou: people
description: ...
Directory Entries
Directory entries are used to store data in directory servers.
In addition to managing attributes in directory entries, LDAP makes the descriptive information stored in the entries accessible to other applications. The general structure of entries in a directory tree is shown in the following illustration. It also includes example entries at various branches in the tree.
All attributes are automatically deleted when requests to delete the last value of an attribute are submitted. Attributes can also be deleted by specifying delete value operations without attaching any values. Modified attribute values are replaced with other given values by submitting replace requests to the server, which then translates and performs the requests.
Components:
• DN of directory entry where search is initiated.
• Attributes to be returned for entry search results. All attributes are returned if search attributes are not specified.
• Different results are retrieved depending on the scopes associated with entry searches. “base” search: retrieves information about distinguished name as specified in URL. This is a search.
Directory Server Schema for LDAP Authentication
Object classes and attributes will need to be modified accordingly to include LDAP authentication in the network (object classes and attributes are used specifically here to map user account information contained in the directory servers).
• All LDAP-enabled directory servers require entry of an auxiliary objectClass:passwordObject for user password policy information.
Configuring Authentication Key Attributes
The alp2key tool is provided on the Alcatel software CD for computing SNMP authentication keys. The alp2key application is supplied in two versions, one for Unix (Solaris 2.5.1 or higher) and one for Windows (NT 4.0 and higher). To configure the bop-shakey or bop-md5key attributes on the server:
1 Use the alp2key application to calculate the authentication key from the password of the user.
Fields Included for Layer 2 Authentication Only
• Client MAC address: xx:xx:xx:xx:xx:xx:xx (alphanumeric).
• Switch VLAN number client joins in multiple authority mode (0=single authority; 2=multiple authority); variable-length digits.
Dynamic Logging
Dynamic logging may be performed by an LDAP-enabled directory server if an LDAP server is configured first in the list of authentication servers configured through the aaa accounting vlan or aaa accounting session command. Any other servers configured are used for accounting (storing history records) only.
The bop-loggedusers attribute is a formatted string with the following syntax:
loggingMode : accessType ipAddress port macAddress vlanList userName
The fields are defined here:
Field        Possible Values
loggingMode  ASA x—for an authenticated user session, where x is the number of the session
             AVLAN—for Authenticated VLAN session in single authority mode
             AVLAN y—for Authenticated VLAN session in multiple authority mode, where y is relevant VLAN
accessType   Any on
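A parser for the bop-loggedusers syntax just given, useful when auditing what the directory server has logged; this is an added example, not Alcatel code. Assumptions: the fields after the colon are single whitespace-separated tokens, vlanList is comma-separated with a lone “-” meaning none, and accessType is kept as an opaque value because its list of possible values is not reproduced here.

```python
"""Parse bop-loggedusers strings:
    loggingMode : accessType ipAddress port macAddress vlanList userName

Added example, not Alcatel code. Assumptions: each field after the colon is a
single whitespace-separated token, vlanList is comma-separated (a lone "-"
meaning none), and accessType is kept as-is because its value list is not
reproduced here.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_logging_mode(text):
    """Return (mode, number): ('ASA', x), ('AVLAN', None) or ('AVLAN', y)."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("ASA", "AVLAN") or len(tokens) > 2:
        raise ValueError(f"bad loggingMode: {text.strip()!r}")
    number = int(tokens[1]) if len(tokens) == 2 else None
    if tokens[0] == "ASA" and number is None:
        raise ValueError("ASA records carry a session number")
    return tokens[0], number


def parse_logged_user(record):
    """Parse one bop-loggedusers value into a dict; raises ValueError on malformed input."""
    # loggingMode precedes the first ':' so the colons inside the MAC address are untouched
    mode_part, sep, rest = record.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    mode, number = parse_logging_mode(mode_part)
    fields = rest.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields after ':', got {len(fields)}")
    access_type, ip, port, mac, vlan_list, user = fields
    ipaddress.ip_address(ip)               # raises ValueError on a malformed address
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac}")
    return {
        "mode": mode,
        "session": number if mode == "ASA" else None,
        "authority": None if mode == "ASA" else ("multiple" if number is not None else "single"),
        "vlan": number if mode == "AVLAN" else None,
        "access_type": access_type,
        "ip": ip,
        "port": int(port),
        "mac": mac.lower(),
        "vlans": [] if vlan_list == "-" else [int(v) for v in vlan_list.split(",")],
        "user": user,
    }


def parse_all(records):
    """Split a batch into parsed entries and (record, error) pairs so one bad
    entry does not hide the others."""
    parsed, errors = [], []
    for rec in records:
        try:
            parsed.append(parse_logged_user(rec))
        except ValueError as exc:
            errors.append((rec, str(exc)))
    return parsed, errors


# Constructed sample values, not taken from a real directory.
SAMPLE_RECORDS = [
    "ASA 1 : telnet 10.10.2.50 23 00:20:da:99:88:77 - admin",
    "AVLAN : web 10.10.3.7 0 00:20:DA:11:22:33 2 jsmith",
    "AVLAN 4 : web 10.10.3.8 0 00:20:da:44:55:66 4,5 jdoe",
    "AVLAN 4 : web 10.10.3.999 0 00:20:da:44:55:66 4 broken",   # malformed IP address
]

if __name__ == "__main__":
    ok, bad = parse_all(SAMPLE_RECORDS)
    for entry in ok:
        print(entry["user"], entry["mode"], entry["authority"], entry["vlans"])
    for rec, err in bad:
        print("rejected:", rec, "->", err)
```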
Creating an LDAP Authentication Server
An example of creating an LDAP server:
-> aaa ldap-server ldap2 host 10.10.3.4 dn cn=manager password tpub base c=us
In this example, the switch will be able to communicate with an LDAP server (called ldap2) that has an IP address of 10.10.3.4, a domain name of cn=manager, a password of tpub, and a searchbase of c=us. These parameters must match the same parameters configured on the server itself.
Note.
Removing an LDAP Authentication Server
To delete an LDAP server from the switch configuration, use the no form of the command with the relevant server name.
-> no aaa ldap-server topanga5
The topanga5 server is removed from the configuration.
22 Configuring Authenticated VLANs Authenticated VLANs control user access to network resources based on VLAN assignment and a user log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another type of security is device authentication, which is set up through the use of port-binding VLAN policies or static port assignment. See Chapter 9, “Defining VLAN Rules.”) In this chapter, the terms authenticated VLANs (AVLANs) and Layer 2 Authentication are synonymous.
Authenticated Network Overview Configuring Authenticated VLANs Authenticated Network Overview An authenticated network involves several components as shown in this illustration.
Configuring Authenticated VLANs Authenticated Network Overview • Web browser client. Any standard Web browser may be used (Netscape or Internet Explorer). An IP address is required prior to authentication. See “Web Browser Authentication Client” on page 22-7 for more information about Web browser clients. Authenticated VLANs—At least one authenticated VLAN must be configured. See “Configuring Authenticated VLANs” on page 22-26.
AVLAN Configuration Overview Configuring Authenticated VLANs AVLAN Configuration Overview Configuring authenticated VLANs requires several major steps. The steps are outlined here and described throughout this chapter. See “Sample AVLAN Configuration” on page 22-5 for a quick overview of implementing the commands used in these procedures. 1 Set up authentication clients. See “Setting Up Authentication Clients” on page 22-7. 2 Configure at least one authenticated VLAN.
Configuring Authenticated VLANs AVLAN Configuration Overview Sample AVLAN Configuration 1 Enable at least one authenticated VLAN: -> vlan 2 authentication enable Note that this command does not create a VLAN; the VLAN must already be created. For information about creating VLANs, see Chapter 5, “Configuring VLANs.” The VLAN must also have an IP router interface if Telnet or Web browser clients will be authenticating into this VLAN.
AVLAN Configuration Overview Configuring Authenticated VLANs 6 Enable authentication by specifying the authentication mode (single mode or multiple mode) and the server. Use the RADIUS or LDAP server name(s) configured in step 5. For example: -> aaa authentication vlan single-mode rad1 rad2 7 Set up an accounting server (for RADIUS or LDAP) for authentication sessions. -> aaa accounting vlan rad3 local Note.
Configuring Authenticated VLANs Setting Up Authentication Clients Setting Up Authentication Clients The following sections describe the Telnet authentication client, Web browser authentication client, and Alcatel’s proprietary AV-Client. For information about removing a particular client from an authenticated network, see “Removing a User From an Authenticated Network” on page 22-26.
Setting Up Authentication Clients Configuring Authenticated VLANs with one authenticated VLAN. The address may be assigned dynamically if a DHCP server is located in the network. DHCP is required in networks with multiple authenticated VLANs. • Configure a DHCP server. Web browser clients may get IP addresses via a DHCP server prior to authenticating or after authentication in order to move into a different VLAN.
Configuring Authenticated VLANs Setting Up Authentication Clients Installing Files for Mac OS 9.x Clients 1 In the browser URL command line, enter the authentication DNS name (configured through the aaa avlan dns command). The authentication page displays. 2 Click on the link to download the installation software. The javlanInstall.sit file is copied to the Mac desktop. 3 Double-click the javlanInstall.sit file on the desktop.
Setting Up Authentication Clients Configuring Authenticated VLANs To set root access: 1 Open the NetInfo from the HardDisk/Application/Utilities folder. 2 Select Domain > Security > Authenticate. Enter the administrator’s password if required. 3 Select Domain > Security > Enable Root. Enter the password. 4 Select System Preferences/Login and select the login prompt to display when opening a new session. 5 Quit the current session and relogon as the root user.
Configuring Authenticated VLANs Setting Up Authentication Clients SSL for Web Browser Clients A Secure Socket Layer (SSL) is used to authenticate Web browser clients. A certificate from a Certification Authority (CA) or a self-signed (private) certificate must be installed on the switch. A self-signed certificate is provided by Alcatel (wv-cert.pem). If you are using a well-known certificate or some other self-signed certificate, you should replace the wv-cert.pem file with the relevant file.
Setting Up Authentication Clients Configuring Authenticated VLANs Installing the AV-Client The AV-Client is a proprietary Windows-based application that is installed on client end stations. The installation instructions are provided in this chapter. The AV-Client does not require an IP address in order to authenticate; the client relies on the DLC protocol (rather than IP) to communicate with the authentication agent in the switch.
Configuring Authenticated VLANs Setting Up Authentication Clients Windows 95 Install the 32-bit DLC protocol program and the update patch from the Microsoft FTP site (ftp.microsoft.com). From the FTP site, download the MSDLC32.EXE and DLC32UPD.EXE files (or the latest DLC protocol update). These files are self-extracting zip files. Follow these steps: 1 Double-click the MSDLC32.EXE file in the folder to which you want to download the file. Note. Do not run MSDLC32.
Setting Up Authentication Clients Configuring Authenticated VLANs 3 We recommend that you follow the instructions on the screen regarding closing all Windows programs before proceeding with the installation. Click on the Next button. The following window displays.
Configuring Authenticated VLANs Setting Up Authentication Clients 4 From this window you may install the client at the default destination folder shown on the screen or you may click the Browse button to select a different directory. Click on the Next button. The software loads, and the following window displays. 5 This window gives you the option of restarting your PC workstation now, or later. You cannot use the AV-Client until you restart your computer.
Windows 95 and Windows 98
1 Download the AV-Client from the Alcatel website onto the Windows desktop.
2 Double-click the AV-Client icon. The installation routine begins and the following window displays:
3 We recommend that you follow the instructions on the screen regarding closing all Windows programs before proceeding with the installation. Click on the Next button. The following window displays:
Configuring Authenticated VLANs Setting Up Authentication Clients 4 From this window you may install the client at the default destination folder shown on the screen or you may click the Browse button to select a different directory. Click on the Next button. The software loads, and the following window displays. 5 This window recommends that you read a text file included with the client before you exit the install shield. Click on the box next to “View the single sign-on Notes” to select this option.
Setting Up Authentication Clients Configuring Authenticated VLANs Setting the AV-Client as Primary Network Login Windows 95 and Windows 98 If your operating system is Windows 95 or Windows 98, you must configure the AV-Client as the primary network login. This is done via the Windows Control Panel. From your Windows desktop, select Start > Settings > Control Panel. Double-click on the Network icon on the Control Panel window. From the Configuration Tab, proceed as follows: 1 Click the Add button.
Configuring Authenticated VLANs Setting Up Authentication Clients Selecting a Dialog Mode The AV-Client has two dialog modes, basic and extended. In basic dialog mode, the client prompts the user for a username and a password only. In extended mode, which is required for multiple authority authentication, the client login screen also prompts the user for a VLAN number and optional challenge code.
Viewing AV-Client Components
The configuration utility includes a screen that lists each component, version and build date for the AV-Client. To view this screen, click on the Version tab and a screen similar to the following will display.
Configuring Authenticated VLANs Setting Up Authentication Clients Logging Into the Network Through an AV-Client Once the AV-Client software has been loaded on a user’s PC workstation, an AV-Client icon will be created on the Windows desktop in the task bar. Follow these steps to log into the authentication network: 1 Right click the AV-Client icon and select Logon. The following login screen displays: 2 Enter the user name for this device in the “Login Name?” field.
Setting Up Authentication Clients Configuring Authenticated VLANs Logging Off the AV-Client 1 To log off the AV-Client, point your mouse to the AV-Client icon in your Windows system tray and execute a right-click to select Logoff. The following screen displays. 2 To continue the procedure, click the Logoff button. The following screen indicates that the AV-Client is sending a logoff request to the authentication server.
Configuring Authenticated VLANs Setting Up Authentication Clients Configuring the AV-Client for DHCP For an AV-Client, DHCP configuration is not required. AV-Clients do not require an IP address to authenticate, but they may want an IP address for IP communication in an authenticated VLAN. Note. If the AV-Client will be used with DHCP, the DHCP server must be configured as described in “Setting Up the DHCP Server” on page 22-29.
Setting Up Authentication Clients Configuring Authenticated VLANs 1 To configure the DHCP parameters, access the AV-Client configuration utility and select the DHCP tab. The following screen displays: 2 Click the box next to “Enable DHCP Operations”. Several options will activate in the utility window as shown in the following screen. When you click on a box next to an option, the option is activated in the configuration window.
Configuring Authenticated VLANs Setting Up Authentication Clients 4 To apply the change, click the Apply button. When you click the OK button, the screen will close and the change will take effect. If you decide not to implement the change, click the Cancel button and the screen will close without implementing a change.
Configuring Authenticated VLANs
At least one authenticated VLAN must be configured on the switch. For more information about VLANs in general, see Chapter 5, “Configuring VLANs.” To configure an authenticated VLAN, use the vlan authentication command to enable authentication on an existing VLAN. For example:
-> vlan 2 authentication enable
Note that the specified VLAN (in this case, VLAN 2) must already exist on the switch.
Configuring Authenticated VLANs Configuring Authenticated VLANs Configuring Authentication IP Addresses Authentication clients connect to an IP address on the switch for authentication. (Web browser clients may enter a DNS name rather than the IP address; see “Setting Up a DNS Path” on page 22-29).
Configuring Authenticated Ports Configuring Authenticated VLANs Port Binding and Authenticated VLANs By default, authenticated VLANs do not support port binding rules. These rules are used for assigning devices to authenticated VLANs when device traffic coming in on an authenticated port matches criteria specified in the rule. You can globally enable the switch so that port binding rules may be enabled on any authenticated VLAN on the switch.
Configuring Authenticated VLANs Setting Up a DNS Path Setting Up a DNS Path A Domain Name Server (DNS) name may be configured so that Web browser clients may enter a URL on the browser command line instead of an authentication IP address. A Domain Name Server must be set up in the network for resolving the name to the authentication IP address.
Setting Up the DHCP Server Configuring Authenticated VLANs Before Authentication Normally, authentication clients cannot traffic in the default VLAN, so authentication clients do not belong to any VLAN when they connect to the switch. Even if DHCP relay is enabled, the DHCP discovery process cannot take place. To address this issue, a DHCP gateway address must be configured so that the DHCP relay “knows” which router port address to use for serving initial IP addresses.
When this command is specified, the switch will act as a relay for authentication DHCP packets only; nonauthentication DHCP packets will not be relayed. For more information about using the ip helper avlan only command, see Chapter 18, “Configuring DHCP Relay.”
Configuring the Server Authority Mode Configuring Authenticated VLANs Configuring the Server Authority Mode Authentication servers for Layer 2 authentication are configured in one of two modes: single authority or multiple authority. Single authority mode uses a single list of servers (one primary server and up to three backups) to poll with authentication requests. Multiple authority mode uses multiple lists of servers and backups, one list for each authenticated VLAN. Note.
[Figure: Authentication Network—Single Mode. Authentication clients in VLAN 1 attach to an OmniSwitch 9700 carrying Authenticated VLANs 2, 3, and 4; LDAP or RADIUS servers perform the authentication.]
To configure authentication in single mode, use the aaa authentication vlan command with the single-mode keyword and name(s) of the relevant server and any backups. At least one server must be specified; the maximum is four servers.
Configuring the Server Authority Mode Configuring Authenticated VLANs Configuring Multiple Mode Multiple authority mode associates different servers with particular VLANs. This mode is typically used when one party is providing the network and another is providing the server. When this mode is configured, a client is first prompted to select a VLAN. After the VLAN is selected, the client then enters a user name and password.
Configuring Authenticated VLANs Specifying Accounting Servers To configure authentication in multiple mode, use the aaa authentication vlan command with the multiple-mode keyword, the relevant VLAN ID, and the names of the servers. The VLAN ID is required, and at least one server must be specified (a maximum of four servers is allowed per VLAN).
Verifying the AVLAN Configuration Configuring Authenticated VLANs Verifying the AVLAN Configuration To verify the authenticated VLAN configuration, use the following show commands: show aaa authentication vlan Displays information about authenticated VLANs and the server configuration. show aaa accounting vlan Displays information about accounting servers configured for Authenticated VLANs. show avlan user Displays MAC addresses for authenticated VLAN users on the switch.
23 Configuring 802.1X Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may be authenticated through the switch through port-based network access control. This control is available through the IEEE 802.1X standard implemented on the switch. In This Chapter This chapter describes 802.1X ports used for port-based access control and how to configure them through the Command Line Interface (CLI).
802.1X Specifications Configuring 802.1X 802.1X Specifications Note. The 802.1x functionality described in this chapter is supported on the OmniSwitch 6800, 6850, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted within any other section of this chapter.
Configuring 802.1X 802.1X Defaults Description Keyword Default Whether or not the port is re-authenticated. no reauthentication | reauthentication no reauthentication Note. By default, accounting is disabled for 802.1X authentication sessions.
Quick Steps for Configuring 802.1X
1 Configure the port as a mobile port and an 802.1X port using the following vlan port commands:
-> vlan port mobile 3/1
-> vlan port 3/1 802.1x enable
The port is set up automatically with 802.1X defaults. See “802.1X Defaults” on page 23-2 for information about the defaults. For more information about vlan port commands, see Chapter 7, “Assigning Ports to VLANs.”
Optional. To display the number of 802.1x users on the switch, use the show 802.1x users command:
->show 802.
802.1X Overview The 802.1X standard defines port-based network access controls, and provides the structure for authenticating physical devices attached to a LAN. It uses the Extensible Authentication Protocol (EAP). There are three components for 802.1X:
• The Supplicant—This is the device connected to the switch that supports the 802.1x protocol. The device may be connected directly to the switch or via a point-to-point LAN segment.
• If the authentication server returned a VLAN ID, then the supplicant is assigned to that VLAN. All subsequent traffic from the supplicant is then forwarded on that VLAN.
• If the authentication server does not return a VLAN ID, then the supplicant is classified according to any device classification policies that are configured for the port. See “Using Access Guardian Policies” on page 23-9 for more information.
Note. If the MAC address of the supplicant has aged out during the authentication session, the 802.1X software in the switch will alert the source learning software in the switch to re-learn the address. 802.1X ports may also be initialized if there is a problem on the port. Initializing a port drops connectivity to the port and requires the port to be re-authenticated. See “Initializing an 802.1X Port” on page 23-13. 802.1X Accounting 802.
Using Access Guardian Policies In addition to the authentication and VLAN classification of 802.1x clients (supplicants), the OmniSwitch 6800/6850 implementation of Access Guardian extends this type of functionality to non-802.1x clients (non-supplicants). Access Guardian introduces configurable 802.1x device classification policies to handle both supplicant and non-supplicant access to 802.1x ports.
When multiple policies are specified in a device classification policy, they form a compound policy. Compound policies that use 802.1x authentication are supplicant policies; all others are non-supplicant policies. The order in which policies are applied to client traffic is the order in which the policies were configured.
Setting Up Port-Based Network Access Control For port-based network access control, 802.1X must be enabled for the switch and the switch must know which servers to use for authenticating 802.1X supplicants. In addition, 802.1X must be enabled on each port that is connected to an 802.1X supplicant (or device). Optional parameters may be set for each 802.1X port. The following sections describe these procedures in detail. Setting 802.
Configuring 802.1X Port Parameters By default, when 802.1X is enabled on a port, the port is configured for bidirectional control, automatic authorization, and re-authentication. In addition, there are several timeout values that are set by default as well as a maximum number of times the switch will retransmit an authentication request to the user.
Note. The authentication server timeout may also be configured (with the server-timeout keyword) but the value is always superseded by the value set for the RADIUS server through the aaa radius-server command. Configuring the Maximum Number of Requests During the authentication process, the switch sends requests for authentication information from the supplicant. By default, the switch will send up to two requests for information.
This command drops connectivity on port 1 of slot 3. The switch sends out a Request Identity message and restores connectivity when the port is successfully re-authenticated. Configuring Accounting for 802.1X To log 802.1X sessions, use the aaa accounting 802.1x command with the desired RADIUS server names; use the keyword local to specify that the Switch Logging function in the switch should be used to log 802.1X sessions.
Note that if no policies are configured on an 802.1x port, non-supplicants are blocked on the port and the following classification process is performed for supplicants by default:
1 802.1x authentication via remote RADIUS server is attempted.
2 If authentication fails or successful authentication returns a VLAN ID that does not exist, the device is blocked.
Supplicant Policy Examples The following table provides example supplicant policy commands and a description of how the resulting policy is applied to classify supplicant devices:
Supplicant Policy Command Example: 802.1x 1/24 supplicant policy authentication pass group-mobility default-vlan fail vlan 43 block
    Description: If the 802.
To configure a compound non-supplicant policy, use the pass and fail keywords to specify which policies to apply when MAC authentication is successful but does not return a VLAN ID and which policies to apply when MAC authentication fails. The pass keyword is implied and therefore an optional keyword. If the fail keyword is not used, the default action is to block the device when authentication fails. Note.
Supplicant Policy Command Example: 802.1x 2/1 non-supplicant policy authentication fail vlan 100 default-vlan
    Description: If MAC authentication does not return a VLAN ID, the device is blocked from accessing the switch on port 2/1. If the device fails MAC authentication, then the following occurs:
    1 If VLAN 100 exists and is not an authenticated VLAN, the device is assigned to VLAN 100.
Supplicant Policy Command Example: 802.1x 3/10 non-supplicant policy vlan 43 block
    Description: No authentication process is performed, but the following classification still occurs:
    1 If VLAN 43 exists and is not an authenticated VLAN, then the device is assigned to VLAN 43.
    2 If VLAN 43 does not exist or is an authenticated VLAN, then the device is blocked from accessing the switch on port 3/10.
Verifying the 802.
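The classification rules in the supplicant and non-supplicant policy examples above, as an added Python model (not Alcatel's code): it applies a compound policy's pass and fail branches in configured order, treats a vlan policy as matching only when that VLAN exists and is not an authenticated VLAN, and blocks when no policy applies. The VLAN table, RADIUS outcomes, port default VLAN and group-mobility result are constructed inputs; the real switch takes them from its own configuration and from RADIUS.

```python
"""Added example (not Alcatel's code): a model of how an Access Guardian
compound classification policy, as described in this chapter, decides
what to do with a device.  VLAN table, RADIUS outcomes, port default
VLAN and group-mobility result are constructed inputs."""
from typing import Dict, List, Optional, Tuple

# Constructed VLAN table: VLAN ID -> True when it is an authenticated VLAN.
VLANS: Dict[int, bool] = {1: False, 43: False, 100: False, 200: True}


def parse_policy(policy: str) -> Tuple[bool, List[str], List[str]]:
    """Split 'authentication [pass] p1 ... [fail] p2 ...' or a plain policy
    list into (uses_authentication, pass_policies, fail_policies).
    The pass keyword is implied when omitted, as the guide notes."""
    tokens = policy.split()
    uses_auth = False
    if tokens and tokens[0] == "authentication":
        uses_auth = True
        tokens = tokens[1:]
    branches: Dict[str, List[str]] = {"pass": [], "fail": []}
    branch = "pass"
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("pass", "fail"):
            branch = tok
        elif tok == "vlan":          # 'vlan <id>' is a single policy
            branches[branch].append(f"vlan {tokens[i + 1]}")
            i += 1
        else:                        # group-mobility, default-vlan, block
            branches[branch].append(tok)
        i += 1
    return uses_auth, branches["pass"], branches["fail"]


def apply_policies(policies: List[str], port_default_vlan: int,
                   group_mobility_vlan: Optional[int]) -> str:
    """Apply policies in the order configured; return 'vlan <id>' or 'block'."""
    for pol in policies:
        if pol.startswith("vlan "):
            vid = int(pol.split()[1])
            # A vlan policy applies only if the VLAN exists and is not an
            # authenticated VLAN; otherwise the next policy is tried.
            if vid in VLANS and not VLANS[vid]:
                return f"vlan {vid}"
        elif pol == "default-vlan":
            return f"vlan {port_default_vlan}"
        elif pol == "group-mobility":
            # Group mobility rules are modelled as a precomputed result
            # (None means no rule matched this device).
            if group_mobility_vlan is not None:
                return f"vlan {group_mobility_vlan}"
        elif pol == "block":
            return "block"
    # No policy classified the device: it is blocked (the guide's default).
    return "block"


def classify(policy: str,
             auth_result: Tuple[str, Optional[int]] = ("fail", None),
             port_default_vlan: int = 1,
             group_mobility_vlan: Optional[int] = None) -> str:
    """auth_result is ('pass', returned_vlan_or_None) or ('fail', None)."""
    uses_auth, pass_policies, fail_policies = parse_policy(policy)
    if not uses_auth:
        # No authentication is performed, but classification still occurs.
        return apply_policies(pass_policies, port_default_vlan, group_mobility_vlan)
    status, returned_vlan = auth_result
    if status == "pass":
        if returned_vlan is not None:
            # A returned VLAN ID is used directly; a non-existent one blocks.
            return f"vlan {returned_vlan}" if returned_vlan in VLANS else "block"
        return apply_policies(pass_policies, port_default_vlan, group_mobility_vlan)
    return apply_policies(fail_policies, port_default_vlan, group_mobility_vlan)


if __name__ == "__main__":
    sup = "authentication pass group-mobility default-vlan fail vlan 43 block"
    print(classify(sup, ("pass", None)))   # vlan 1
    print(classify(sup, ("fail", None)))   # vlan 43
    print(classify("vlan 200 block"))      # block (VLAN 200 is an authenticated VLAN)
```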
24 Managing Policy Servers Quality of Service (QoS) policies that are configured through Alcatel’s PolicyView network management application are stored on a Lightweight Directory Access Protocol (LDAP) server. PolicyView is an OmniVista application that runs on an attached workstation. In This Chapter This chapter describes how LDAP directory servers are used with the switch for policy management. There is no required configuration on the switch.
Policy Server Specifications The following table lists important information about LDAP policy servers:
LDAP Policy Servers
    RFCs Supported: RFC 2251–Lightweight Directory Access Protocol (v3); RFC 3060–Policy Core Information Model—Version 1 Specification
    Maximum number of policy servers (supported on the switch): 4
    Maximum number of policy servers (supported by PolicyView): 1
Policy Server Defaults Defaults for the policy server command are as follo
Policy Server Overview The Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP policy server client in the switch is based on RFC 2251. Currently, only LDAP servers are supported for policy management. When the policy server is connected to the switch, the switch is automatically configured to communicate with the server to download and manage policies created by the PolicyView application.
Modifying Policy Servers Policy servers are automatically configured when the server is installed; however, policy server parameters may be modified if necessary. Note. SSL configuration must be done manually through the policy server command. Modifying LDAP Policy Server Parameters Use the policy server command to modify parameters for an LDAP policy server.
Modifying the Port Number To modify the port, enter the policy server command with the port keyword and the relevant port number.
-> policy server 10.10.2.3 port 5000
Note that the port number must match the port number configured on the policy server. If the port number is modified, any existing entry for that policy server is not removed. Another entry is simply added to the policy server table. Note.
Configuring a Secure Socket Layer for a Policy Server A Secure Socket Layer (SSL) may be configured between the policy server and the switch. If SSL is enabled, the PolicyView application can no longer write policies to the LDAP directory server. By default, SSL is disabled. To enable SSL, use the policy server command with the ssl option. For example:
-> policy server 10.10.2.3 ssl
SSL is now enabled between the specified server and the switch.
Interaction With CLI Policies Policies configured via PolicyView can only be modified through PolicyView. They cannot be modified through the CLI. Any policy management done through the CLI only affects policies configured through the CLI. For example, the qos flush command only removes CLI policies; LDAP policies are not affected. Also, the policy server flush command removes only LDAP policies; CLI policies are not affected. Note.
OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006
25 Using ACL Manager Access Control List Manager (ACLMAN) is a function of the Quality of Service (QoS) application that provides an interactive shell for using common industry syntax to create ACLs. Commands entered using the ACLMAN shell are interpreted and converted to Alcatel CLI syntax that is used for creating QoS filtering policies. This implementation of ACLMAN also provides the following features: • Importing of text files that contain common industry ACL syntax.
ACLMAN Defaults The following table shows the defaults for ACLs:
    Parameter: ACL disposition; Command: N/A; Default: deny
    Parameter: Logging rate time interval; Command: logging-rate; Default: 30 seconds
Quick Steps for Creating ACLs The following steps provide a quick tutorial for creating a standard ACL using the ACLMAN shell:
1 Activate the ACLMAN shell using the aclman CLI command.
-> aclman
Welcome to ACLMAN
Aclman#
When the shell goes operational, the Privileged Exec Mode is automatically activated.
2 Enter the configure terminal command to access the Global Configuration Mode.
Quick Steps for Importing ACL Text Files The following steps provide a quick tutorial for importing text files that contain common industry syntax used to create ACLs:
1 Activate the ACLMAN shell using the aclman CLI command.
-> aclman
Welcome to ACLMAN
Aclman#
When the shell goes operational, the Privileged Exec Mode is automatically activated.
ACLMAN Overview ACLMAN is a function of the Alcatel QoS system that allows network administrators to configure and manage ACLs using common industry syntax. ACLs configured using ACLMAN are transparently converted into Alcatel QoS filtering policies and applied to the switch. An ACLMAN interactive shell provides an ACL command line interface that is similar to command interfaces that are available on other industry platforms.
ACL Text Files ACLMAN supports the importing of common industry ACL statements created and saved to a file using a text editor. The import command in the Privileged Exec Mode of the ACLMAN shell triggers ACLMAN to read the specified text file and load the ACL statements into the running configuration. These same statements also become part of the ACLMAN startup configuration when a write memory command is performed.
Using the ACLMAN Shell The aclman command activates the ACLMAN interactive shell. When the shell is active, the following command prompt appears:
Aclman#
Once the shell is active, only supported ACLMAN syntax is allowed. There is no predetermined or configurable timeout value that triggers an exit from the ACLMAN shell. The exit command is used to return to the Alcatel CLI.
ACLMAN Modes and Commands The ACLMAN interactive shell supports a limited subset of common industry ACL syntax necessary to create Alcatel ACLs.
qos {enable | disable}
    Enables or disables QoS policies. By default policies are enabled. This command is the equivalent of the Alcatel CLI qos enable and qos disable commands. Note that this command applies to both ACLMAN and Alcatel CLI configured policies.
show logging
    Displays QoS logging information. This command is equivalent to the Alcatel CLI show logging command.
show resources
    Displays a summary of QoS resources.
access-list access-list-number {permit | deny} protocol {source source-wildcard | host address | any} [operator [port]] {destination destination-wildcard | host address | any} [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
    Creates an extended numbered ACL when the ACL number specified is between 100 and 199 or 2000 and 2699.
ip access-list resequence access-list-name starting-sequence-number increment
    Renumbers the permit and deny statements in the named ACL using the specified starting sequence number and increment value. By default the number 10 is used for the first statement of an ACL and the increment value is set to 10.
Access List Configuration Mode Commands The ip-access-list command (Global Configuration Mode) invokes the Access List Configuration Mode for the specified named ACL. The following commands are available in this mode:
[sequence number] {permit | deny} {source source-wildcard | host address | any}
    Creates an ACL entry for the active named standard ACL. The optional sequence number parameter specifies the number assigned to the entry.
[sequence number] {permit | deny} protocol {source source-wildcard | host address | any} [operator [port]] {destination destination-wildcard | host address | any} [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
    Creates an ACL entry for the active named extended ACL. The optional sequence number parameter specifies the number assigned to the entry.
Time Range Configuration Mode Commands The time-range command (Global Configuration Mode) invokes the Time Range Configuration Mode, which is used to configure a range of time in which an ACL is valid. The following commands are available in this mode:
absolute [start time date] [end time date]
    Defines an absolute range of time for an ACL. Note that only one period (absolute or periodic) for each time range is supported.
Supported Protocols and Services When creating extended IP ACLs, enter one of the following supported protocol types for the required protocol parameter value.
Supported Protocol Parameters: ahp, igrp, esp, gre, icmp, igmp, ip, ipinip, nos, ospf, pcp, pim, tcp, udp
When creating extended TCP ACLs, enter one of the following supported TCP service types for the required port parameter value.
Configuring ACLs This section describes using ACLMAN functionality to configure and apply common industry ACLs on an Alcatel switch. For more information about using the Alcatel CLI to configure and manage ACLs, see Chapter 24, “Configuring QoS.” To configure a common industry ACL, the following general steps are required:
1 Create an ACL. Use Global Configuration Mode commands to create numbered or named standard and extended ACLs.
• The order of permit and deny statements within an ACL is very important because statements are processed in order.
• A named standard ACL cannot have the same name as that of an existing extended ACL. The reverse is also true; named extended ACLs cannot use a name already assigned to a standard ACL.
• ACL names are truncated to 16 characters.
• When a number is specified for an ACL remark entry, ACL entries are renumbered after a switch reboot.
Aclman(config)#access-list 102 deny ip host 178.4.25.1 any
Aclman(config)#access-list 102 permit udp any any
Aclman(config)#access-list 102 deny udp host 178.4.25.1 any
To remove a numbered ACL, use the no form of the access-list command. Note that removing a single entry from a standard ACL is not allowed without deleting the entire ACL.
Aclman#show ip access-list Test2
Extended IP access list Test2
10 permit udp host 198.172.10.4 any
20 permit tcp host 11.22.3.1 any
30 permit ip any 172.10.5.0 0.0.255.255
In the above example, the permit ip any any entry is removed from the Test2 extended ACL. A new entry, permit ip any 172.10.5.0 0.0.255.255, is then added to the same ACL. Note that new entries are added to the end of the access list by default.
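The in-order (first match wins) processing, wildcard masks and default deny disposition described in this section, as an added Python evaluator (not ACLMAN's own implementation); it parses the numbered and named statements shown above. The packets, the test ACLs and the handling of a numeric "eq <port>" operator are constructed assumptions; named TCP service types are not handled.

```python
"""Added example (not part of the guide or of ACLMAN): a small evaluator
for the common industry ACL statements shown in this chapter, illustrating
first-match processing, wildcard masks and the default deny disposition.
The ACL text and packets below are constructed samples."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

AddrSpec = Tuple[int, int]   # (address as int, wildcard mask as int)
SUPPORTED_PROTOCOLS = {"ahp", "igrp", "esp", "gre", "icmp", "igmp", "ip",
                       "ipinip", "nos", "ospf", "pcp", "pim", "tcp", "udp"}


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def addr_matches(spec: AddrSpec, addr: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; compare the remaining bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def parse_entry(line: str) -> Dict[str, Any]:
    """Parse one permit/deny statement (numbered or named, standard or
    extended).  Only a numeric 'eq <port>' operator is handled here
    (assumption; ACLMAN also accepts named services)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]              # drop 'access-list <number>'
    if tokens[0].isdigit():
        tokens = tokens[1:]              # drop a named-ACL sequence number
    entry: Dict[str, Any] = {"action": tokens[0], "proto": None,
                             "dst": None, "sport": None, "dport": None}
    i = 1
    if tokens[i] in SUPPORTED_PROTOCOLS:  # extended ACLs name a protocol
        entry["proto"] = tokens[i]
        i += 1
    entry["src"], i = _parse_addr(tokens, i)
    if i < len(tokens) and tokens[i] == "eq":
        entry["sport"] = int(tokens[i + 1])
        i += 2
    if entry["proto"] is not None:       # extended entries carry a destination
        entry["dst"], i = _parse_addr(tokens, i)
        if i < len(tokens) and tokens[i] == "eq":
            entry["dport"] = int(tokens[i + 1])
    return entry


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet.  Statements are processed in
    order and the first match wins; an unmatched packet gets the default
    ACL disposition, deny."""
    for entry in (parse_entry(line) for line in acl):
        # A standard entry (no protocol) or 'ip' matches any IP protocol.
        if entry["proto"] not in (None, "ip", proto):
            continue
        if not addr_matches(entry["src"], src):
            continue
        if entry["sport"] is not None and entry["sport"] != sport:
            continue
        if entry["dst"] is not None:
            if not addr_matches(entry["dst"], dst):
                continue
            if entry["dport"] is not None and entry["dport"] != dport:
                continue
        return str(entry["action"])
    return "deny"


# Constructed samples built from the statements shown in this section.
ACL_102 = [
    "access-list 102 deny ip host 178.4.25.1 any",
    "access-list 102 permit udp any any",
    "access-list 102 deny udp host 178.4.25.1 any",   # never reached: entry 1 already matches
]
TEST2 = [
    "10 permit udp host 198.172.10.4 any",
    "20 permit tcp host 11.22.3.1 any",
    "30 permit ip any 172.10.5.0 0.0.255.255",
]

if __name__ == "__main__":
    print(evaluate(ACL_102, "udp", "178.4.25.1", "192.0.2.1"))   # deny
    print(evaluate(ACL_102, "udp", "192.0.2.5", "192.0.2.1"))    # permit
    print(evaluate(TEST2, "tcp", "192.0.2.5", "172.10.200.7"))   # permit
```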
Editing the ACLMAN Configuration File Another method for configuring ACLs involves using a text editor to edit the contents of the ACLMAN configuration file (aclman.cfg). This file is located in either the /flash/working or /flash/certified directory in the switch flash file system. The updated ACL configuration is then loaded into the running configuration on the next reboot of the switch or when the configure replace command is performed.
Verifying the ACLMAN Configuration To display information about ACLs configured through ACLMAN, use the following show commands in the Privileged Exec Mode. Note that these commands are specific to the ACLMAN shell interface and are not available through the Alcatel CLI interface.
show [ip] access-lists
    Displays access list configuration information.
show ip interface
    Displays a list of ACLs associated with a specific interface.
26 Configuring QoS Alcatel’s QoS software provides a way to manipulate flows coming through the switch based on user-configured policies. The flow manipulation (generally referred to as Quality of Service or QoS) may be as simple as allowing/denying traffic, or as complicated as remapping 802.1p bits from a Layer 2 network to ToS values in a Layer 3 network.
QoS Specifications Note. The QoS functionality described in this chapter is supported on the OmniSwitch 6800, 6850, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted within any other section of this chapter.
QoS General Overview Quality of Service (QoS) refers to transmission quality and available service that is measured and sometimes guaranteed in advance for a particular type of traffic in a network. QoS lends itself to circuit-switched networks like ATM, which bundle traffic into cells of the same length and transmit the traffic over predefined virtual paths.
QoS Policy Overview A policy (or a policy rule) is made up of a condition and an action. The condition specifies parameters that the switch will examine in incoming flows, such as destination address or Type of Service (ToS) bits. The action specifies what the switch will do with a flow that matches the condition; for example, it may queue the flow with a higher priority, or reset the ToS bits. Policies may be created directly on the switch through the CLI or WebView.
It is possible to configure a valid QoS rule that is active on the switch but that the switch cannot enforce, because some other switch function (for example, routing) is disabled. See the condition and condition/action combinations tables for more information about valid combinations (“Condition Combinations” on page 26-6 and “Action Combinations” on page 26-8).
Condition Combinations The CLI prevents you from configuring invalid condition combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenarios. For example, you might configure source ip and a destination ip for the same condition.
Policy Condition Combinations Table
          | Layer 1 | Layer 2 | Layer 3* | Layer 4*                        | IP Multicast (IGMP)
Layer 1   | All     | All     | All      | All                             | destination only
Layer 2   | All     | All     | All      | source vlan and 802.1p only     | destination only
Layer 3*  | All     | All     | All      | All                             | destination only
Layer 4*  | All     | source vlan and 802.
Action Combinations The CLI prevents you from configuring invalid action combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenarios. For example, an action specifying maximum bandwidth may be combined with an action specifying priority. The following actions are supported and may be combined with other actions:
• ACL (disposition drop)
• Priority
• 802.
QoS Defaults The following tables list the defaults for global QoS parameters, individual port settings, policy rules, and default policy rules. Global QoS Defaults Use the qos reset command to reset global values to their defaults.
    Description: QoS enabled or disabled; Command: qos; Default: enabled
    Description: Global default queuing scheme for ports; Command: qos default servicing mode; Default: strict priority queuing
    Description: Whether ports are globally trusted or untrusted; Command: qos trust ports; Default: 802.
QoS Port Defaults Use the qos port reset command to reset port settings to the defaults.
    Description: The default 802.1p value inserted into packets received on untrusted ports; Command/keyword: qos port default 802.1p; Default: 0
    Description: The default DSCP value inserted into packets received on untrusted ports; Command/keyword: qos port default dscp; Default: 0
    Description: Whether the port uses strict priority or weighted fair queuing.
Policy Action Defaults The following are defaults for the policy action command:
    Description: Whether the flow matching the rule should be accepted or denied; Keyword: disposition; Default: accept
Note that in the current software release, the deny and drop options produce the same effect, that is, the traffic is silently dropped. Note. There are no defaults for the policy condition command.
QoS Configuration Overview QoS configuration involves the following general steps:
1 Configuring Global Parameters. In addition to enabling/disabling QoS, global configuration includes settings such as global port parameters, default disposition for flows, and various timeouts. The type of parameters you might want to configure globally will depend on the types of policies you will be configuring. For example, if you want to set up policies for 802.
Configuring Global QoS Parameters This section describes the global QoS configuration, which includes enabling and disabling QoS, applying and activating the configuration, controlling the QoS log display, and configuring QoS port and queue parameters. Enabling/Disabling QoS By default QoS is enabled on the switch. If QoS policies are configured and applied, the switch will attempt to classify traffic and apply relevant policy actions.
Setting the Global Default Servicing Mode The servicing mode refers to the queuing scheme used to shape traffic on destination (egress) ports. There are three schemes available: one strict priority and two weighted fair queueing (WFQ) options. By default all switch ports are set to use strict priority queuing. The qos default servicing mode command is used to set the default queuing scheme for all switch ports.
To turn off debugging (which effectively turns off logging), enter the following:
-> no debug qos
Enter the qos apply command to activate the setting. Number of Lines in the QoS Log By default the QoS log displays a maximum of 256 lines. To change the maximum number of lines that may display, use the qos log lines command and enter the number of lines. For example:
-> qos log lines 30
The number of lines in the log is changed.
Forwarding Log Events to the Console QoS log messages may be sent to the switch logging utility, which is an event logging application available on the OmniSwitch. The configuration of the switch logging utility then determines if QoS messages are sent to a log file in the switch’s flash file system, displayed on the switch console, and/or sent to a remote syslog server.
software in the switch (which manages policies downloaded from an LDAP server) through the qos forward log command. Clearing the QoS Log The QoS log can get large if invalid rules are configured on the switch, or if a lot of QoS events have taken place. Clearing the log makes the file easier to manage. To clear the QoS log, use the qos clear log command. For example:
-> qos clear log
All the current lines in the QoS log are deleted.
Verifying Global Settings To display information about the global configuration, use the following show commands:
show qos config
    Displays global information about the QoS configuration.
show qos statistics
    Displays statistics about QoS events.
For more information about the syntax and displays of these commands, see the OmniSwitch CLI Reference Guide.
QoS Ports and Queues Queue parameters may be modified on a port basis. When a flow coming into the switch matches a policy, it is queued based on:
• Parameters given in the policy action (specified by the policy action command) with either of the following keywords: priority, maximum bandwidth, or maximum depth.
• Port settings configured through the qos port command.
Shared Queues Eight priority queues are available at startup for each port.
Priority to Queue Mapping Table
802.1p | ToS/DSCP | Rule (action) Priority | OS6850/9000 Queue | OS6800 Queue
6      | 110xxx   | 6                      | 6                 | 5
7      | 111xxx   | 7                      | 7                 | 5
Configuring Queuing Schemes There are four queuing schemes available for each switch port: one strict priority scheme and three weighted fair queuing (WFQ) schemes. By default the strict priority scheme is used and consists of eight priority queues (SPQ). All eight queues on the port are serviced strictly by priority.
• The higher the queue weight assigned to a DRR queue, the higher the percentage of traffic that is serviced by that queue. For example, a queue with a weight of three will send four times as much traffic as a queue with a weight of one.
The queuing scheme selected is the scheme that is used to shape traffic on destination (egress) ports and is referred to as the QoS servicing mode for the port.
Configuring the Egress Queue Minimum/Maximum Bandwidth Configuring a minimum and maximum bandwidth value for each of the eight egress port queues is allowed on the OmniSwitch 6850 and 9000 but is not supported on the OmniSwitch 6800. By default the bandwidth values are set to zero, which means best effort for the minimum bandwidth and port speed for the maximum bandwidth. To configure the bandwidth values, use the qos port q minbw maxbw command.
Configuring Trusted Ports By default, all ports (except 802.1Q-tagged ports and mobile ports) are untrusted. The trust setting may be configured globally on the switch, or on a per-port basis. To configure the global setting on the switch, use the qos trust ports command. For example:
-> qos trust ports
To configure individual ports as trusted, use the qos port trusted command with the desired slot/port number.
Verifying the QoS Port and Queue Configuration To display information about QoS ports and queues, use the following commands:
show qos port
    Displays information about all QoS ports or a particular port.
show qos queue
    Displays information for all QoS queues or only those queues associated with a particular slot/port.
See the OmniSwitch CLI Reference Guide for more information about the syntax and displays for these commands.
Creating Policies This section describes how to create policies in general. For information about configuring specific types of policies, see “Policy Applications” on page 26-50. Basic commands for creating policies are as follows:
policy condition
policy action
policy rule
This section describes generally how to use these commands. See “Policy Applications” on page 26-50. For additional details about command syntax, see the OmniSwitch CLI Reference Guide. Note.
Note. (Optional) To verify that the rule has been configured, use the show policy rule command.
Creating Policy Conditions This section describes how to create policy conditions in general. Creating policy conditions for particular types of network situations is described later in this chapter. Note. Policy condition configuration is not active until the qos apply command is entered. See “Applying the Configuration” on page 26-47.
Removing Condition Parameters To remove a classification parameter from the condition, use no with the relevant keyword. For example:
-> policy condition c3 no source ip
The specified parameter (in this case, a source IP address) will be removed from the condition (c3) at the next qos apply. Note. You cannot remove all parameters from a policy condition. A condition must be configured with at least one parameter.
policy action keywords: disposition, shared, priority, maximum bandwidth, maximum depth, tos, 802.1p, dscp, map, port-disable, redirect port, redirect linkagg, no-cache
Note. If you combine priority with 802.1p, dscp, tos, or map in an action, the priority value is used to prioritize the flow. Removing Action Parameters To remove an action parameter or return the parameter to its default, use no with the relevant keyword.
Creating Policy Rules This section describes in general how to create or delete policy rules and rule parameters. See later sections of this chapter for more information about creating particular types of policy rules. To create a policy rule, use the policy rule command and specify the name of the rule, the desired condition, and the desired action. In this example, condition c3 is created for traffic coming from IP address 10.10.8.
• Software and hardware resources are allocated for rules associated with a validity period even if the validity period is not active. Pre-allocating the resources makes sure the rule can be enforced when the validity period becomes active.
Disabling Rules
By default, rules are enabled. Rules may be disabled or re-enabled through the policy rule command using the disable and enable options.
To reconfigure the rule as saved, use the policy rule command with the save option. For example:
-> policy rule rule5 save
For more information about the configuration snapshot, write memory, and copy running-config working commands, see the OmniSwitch 6800/6850/9000 Switch Management Guide and the OmniSwitch CLI Reference Guide. For more information about applying rules, see “Applying the Configuration” on page 26-47.
When the command is used to show output for all pending and applied policy configuration, the following characters may appear in the display:
character  definition
+          Indicates that the policy rule has been modified or has been created since the last qos apply.
-          Indicates the policy object is pending deletion.
#          Indicates that the policy object differs between the pending/applied objects.
The keywords used with these commands are similar to the keywords used for the policy condition command.
To activate any policy rules that have not been applied, use the qos apply command. To delete rules that have not been applied (and any other QoS configuration not already applied), use the qos revert command. See “Applying the Configuration” on page 26-47.
Using Condition Groups in Policies
Condition groups are made up of multiple IP addresses, MAC addresses, services, or ports to which you want to apply the same action or policy rule. Instead of creating a separate condition for each address, etc., create a condition group and associate the group with a condition.
3 Attach the condition to a policy rule. (For more information about configuring rules, see “Creating Policy Rules” on page 26-29.) In this example, action act4 has already been configured. For example:
-> policy rule my_rule condition cond3 action act4
4 Apply the configuration. See “Applying the Configuration” on page 26-47 for more information about this command.
-> qos apply
The next sections describe how to create groups in more detail.
To remove addresses from a network group, use no and the relevant address(es). For example:
-> policy network group netgroup3 no 173.21.4.39
This command deletes the 173.21.4.39 address from netgroup3 after the next qos apply. To remove a network group from the configuration, use the no form of the policy network group command with the relevant network group name. The network group must not be associated with any policy condition or action.
In this example, a policy service called telnet1 is created with the TCP protocol number (6) and the well-known Telnet destination port number (23).
This command configures a condition called c6 with service group serv_group. All of the services specified in the service group will be included in the condition. (For more information about configuring conditions, see “Creating Policy Conditions” on page 26-27.)
Note. Service group configuration must be specifically applied to the configuration with the qos apply command.
To delete a service from the service group, use no with the relevant service name.
Note. MAC group configuration is not active until the qos apply command is entered.
To delete addresses from a MAC group, use no and the relevant address(es):
-> policy mac group macgrp2 no 08:00:20:00:00:00
This command specifies that MAC address 08:00:20:00:00:00 will be deleted from macgrp2 at the next qos apply. To delete a MAC group, use the no form of the policy mac group command with the relevant MAC group name.
This command specifies that port 2/1 will be deleted from the techpubs port group at the next qos apply. To delete a port group, use the no form of the policy port group command with the relevant port group name. The port group must not be associated with any policy condition. For example:
-> no policy port group techpubs
The port group techpubs will be deleted at the next qos apply.
• It is also possible to configure a minimum and maximum bandwidth value for individual egress port queues. See “Configuring the Egress Queue Minimum/Maximum Bandwidth” on page 26-22 for more information.
• The bandwidth limit configured using the qos port maximum bandwidth command takes precedence over an egress queue limit configured on the same port.
Verifying Condition Group Configuration
To display information about condition groups, use the following show commands:
show policy network group  Displays information about all pending and applied policy network groups or a particular network group. Use the applied keyword to display information about applied groups only.
Using Map Groups
Map groups are used to map 802.1p, ToS, or DSCP values to different values. The following mapping scenarios are supported:
• 802.1p to 802.1p, based on Layer 2, Layer 3, and Layer 4 parameters and source/destination slot/port. In addition, 802.1p classification can trigger this action.
• ToS or DSCP to 802.1p, based on Layer 3 and Layer 4 parameters and source/destination slot/port. In addition, ToS or DSCP classification can trigger this action.
How Map Groups Work
When mapping from 802.1p to 802.1p, the action will result in remapping the specified values. Any values that are not specified in the map group are preserved. In this example, a map group is created for 802.1p bits.
-> policy map group Group2 1-2:5 4:5 5-6:7
-> policy action Map1 map 802.1p to 802.1p using Group2
The to and from values are separated by a colon (:). If traffic with 802.
To delete a map group, use the no form of the policy map group command. The map group must not be associated with a policy action.
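To make the remapping rule above concrete, here is an added Python model of a map group. It is example code written for this page, not code from the OmniSwitch guide or from Alcatel. It parses the FROM:TO tokens of a policy map group string (FROM being a single 802.1p value or an inclusive range) and applies the table so that values absent from the group pass through unchanged, as the text states for Group2. The range checks and the rejection of a value mapped to two different targets are this example's own assumptions, not documented switch behaviour.

```python
"""Model of an OmniSwitch QoS map group applied to 802.1p priorities.

Added example, not code from the OmniSwitch guide or from Alcatel. It models the
documented syntax `policy map group <name> <from>:<to> ...`, where <from> is a
single value or an inclusive range, and the documented rule that values not named
in the group are preserved. The validation is an assumption of this example.
"""
from __future__ import annotations

PRIORITY_MIN, PRIORITY_MAX = 0, 7   # legal 802.1p priority values


def parse_map_group(spec: str) -> dict[int, int]:
    """Parse e.g. "1-2:5 4:5 5-6:7" into {from_value: to_value}."""
    table: dict[int, int] = {}
    for token in spec.split():
        src, sep, dst = token.partition(":")
        if not sep or not dst:
            raise ValueError(f"token {token!r} is not FROM:TO")
        to_value = int(dst)
        lo, hi = (int(x) for x in src.split("-", 1)) if "-" in src else (int(src),) * 2
        for value in (lo, hi, to_value):
            if not PRIORITY_MIN <= value <= PRIORITY_MAX:
                raise ValueError(f"802.1p value {value} out of range in {token!r}")
        if lo > hi:
            raise ValueError(f"inverted range in {token!r}")
        for value in range(lo, hi + 1):
            # the same FROM value mapped to two different TO values is ambiguous
            if table.get(value, to_value) != to_value:
                raise ValueError(f"value {value} mapped twice in {spec!r}")
            table[value] = to_value
    return table


def is_valid_map_group(spec: str) -> bool:
    try:
        parse_map_group(spec)
    except ValueError:
        return False
    return True


def remap(priority: int, table: dict[int, int]) -> int:
    """Rewrite a mapped value; anything not in the group passes through unchanged."""
    return table.get(priority, priority)


def remap_frames(priorities: list[int], table: dict[int, int]) -> list[int]:
    return [remap(p, table) for p in priorities]


if __name__ == "__main__":
    group2 = parse_map_group("1-2:5 4:5 5-6:7")      # the guide's Group2
    print(group2)
    # constructed sample: one frame at each 802.1p value 0..7
    print(remap_frames(list(range(8)), group2))
```

Running the module prints the parsed table and the remapped priorities for one frame at each 802.1p value; priorities 0, 3 and 7 are the ones Group2 leaves alone.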
Applying the Configuration
Configuration for policy rules and many global QoS parameters must specifically be applied to the configuration with the qos apply command. Any parameters configured without this command are maintained for the current session but are not yet activated.
Deleting the Pending Configuration
Policy settings that have been configured but not applied through the qos apply command may be returned to the last applied settings through the qos revert command. For example:
-> qos revert
This command ignores any pending policies (any additions, modifications, or deletions to the policy configuration since the last qos apply) and writes the last applied policies to the pending configuration.
Interaction With LDAP Policies
The qos apply, qos revert, and qos flush commands do not affect policies created through the PolicyView application. Separate commands are used for loading and flushing LDAP policies on the switch. See Chapter 21, “Managing Authentication Servers,” for information about managing LDAP policies.
Policy Applications
Policies are used to classify incoming flows and treat the relevant outgoing flows. There are many ways to classify the traffic and many ways to apply QoS parameters to the traffic. Classifying traffic may be as simple as identifying a Layer 2 or Layer 3 address of an incoming flow. Treating the traffic might involve prioritizing the traffic or rewriting an IP address.
Note. If multiple addresses, services, or ports should be given the same priority, use a policy condition group to specify the group and associate the group with the condition. See “Using Condition Groups in Policies” on page 26-35 for more information about groups.
Note that some condition parameters may be used in combination only under particular circumstances; also, there are restrictions on condition/action parameter combinations.
Bandwidth Shaping Example
In this example, a specific flow from a source IP address is sent to a queue that will support its maximum bandwidth requirement. First, create a condition for the traffic. In this example, the condition is called ip_traffic2. A policy action (flowShape) is then created to enforce a maximum bandwidth requirement for the flow.
-> policy condition ip_traffic2 source ip 10.10.5.
In the following example, flows destined for IP address 40.2.70.200 are redirected to link aggregate 10:
-> policy condition L4LACOND destination ip 40.2.70.200
-> policy action REDIRECTLA redirect linkagg 10
-> policy rule L4LARULE condition L4LACOND action REDIRECTLA
Note that in both examples above, the rules are not active on the switch until the qos apply command is entered on the command line.
In the next example, the policy map group command specifies a group of values that should be mapped; the policy action map command specifies what should be mapped (802.1p to 802.1p, ToS/DSCP to 802.1p) and the mapping group that should be used. For more details about creating map groups, see “Creating Map Groups” on page 26-45. Here, traffic from two different subnets must be mapped to 802.1p values in a network called Network C.
Policy Based Routing
Policy Based Routing (PBR) allows a network administrator to define QoS policies that will override the normal routing mechanism for traffic matching the policy condition.
Note. When a PBR QoS rule is applied to the configuration, it is applied to the entire switch, unless you specify a built-in port group in the policy condition.
For example:
[Figure: Policy Based Routing topology. Labels in the figure: 174.26.1.0, 173.10.2.0, 10.3.0.0, Firewall, 173.5.1.0, 173.5.1.254, OmniSwitch]
Using a Built-In Port Group
In this scenario, traffic from the firewall is sent back to the switch to be re-routed. But because the traffic re-enters the switch through a port that is not in the Slot01 port group, the traffic does not match the Redirect_All policy and is routed normally through the switch.
-> policy condition Traffic3 source ip 10.3.0.0 mask 255.255.0.
Policy Applications page 26-58 Configuring QoS OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006
27 Configuring ACLs Access Control Lists (ACLs) are Quality of Service (QoS) policies used to control whether or not packets are allowed or denied at the switch or router interface. ACLs are sometimes referred to as filtering lists. ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is specified in the policy condition. The policy action determines whether the traffic is allowed or denied.
ACL Specifications
These specifications are the same as those for QoS in general.
ACL Defaults
The following table shows the defaults for ACLs:
Parameter                     Command                                Default
Global bridged disposition    qos default bridged disposition        accept
Global routed disposition     qos default routed disposition         accept
Global multicast disposition  qos default multicast disposition      accept
Policy rule disposition       policy rule disposition                accept
Policy rule precedence        policy rule precedence                 0 (lowest)
Note that in the current software release, the deny and drop o
Quick Steps for Creating ACLs
1 Set the global disposition for bridged or routed traffic. By default, all flows that do not match any policies are allowed on the switch. Typically, you may want to deny traffic for all Layer 3 flows that come into the switch and do not match a policy, but allow any Layer 2 (bridged) flows that do not match policies.
ACL Overview
ACLs provide moderate security between networks. The following illustration shows how ACLs may be used to filter subnetwork traffic through a private network, functioning like an internal firewall for LANs.
Rule Precedence
The switch attempts to classify flows coming into the switch according to policy precedence. Only the rule with the highest precedence will be applied to the flow. This is true even if the flow matches more than one rule.
How Precedence is Determined
When there is a conflict between rules, precedence is determined using one of the following methods:
• Precedence value—Each policy has a precedence value.
ACL Configuration Overview
This section describes the QoS CLI commands used specifically to configure ACLs. ACLs are basically a type of QoS policy, and the commands used to configure ACLs are a subset of the switch’s QoS commands. For information about basic configuration of QoS policies, see Chapter 26, “Configuring QoS.” To configure an ACL, the following general steps are required:
1 Set the global disposition.
Important. If you set the global bridged disposition (using the qos default bridged disposition command) to deny or drop, it will result in dropping all Layer 2 traffic from the switch that does not match any policy to accept traffic. You must create policies (one for source and one for destination) to allow traffic on the switch.
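The two rules that decide what happens to a flow, from “Rule Precedence” and the defaults table, are worth seeing together: only the highest-precedence matching rule is applied even when several rules match, and a flow that matches nothing receives the global default disposition for its traffic type. The Python model below is an added example written for this page, not code from the OmniSwitch guide or from Alcatel. The condition fields, the packet's routed flag (standing in for the switch's bridge-or-route decision) and the tie-break for equal precedence (earliest configured rule wins) are assumptions of the example; the guide's truncated list of precedence methods does not state the tie-break.

```python
"""Model of how an OmniSwitch-style ACL disposes of a flow.

Added example, not code from the OmniSwitch guide or from Alcatel. It models two
documented rules: only the highest-precedence matching rule is applied even when
several rules match, and a flow matching no rule gets the global default
disposition for its traffic type (bridged, routed or multicast), all three of
which default to accept. The condition fields, the packet's `routed` flag and the
tie-break for equal precedence (earliest configured rule wins) are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

ACCEPT, DENY = "accept", "deny"
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int                 # 6 = TCP, 17 = UDP, 1 = ICMP
    dst_port: int | None = None
    routed: bool = False          # True if the switch routes (L3) rather than bridges (L2) the flow


@dataclass
class Condition:
    """Subset of `policy condition` parameters; None means the field is not tested."""
    source_ip: str | None = None          # "10.10.4.0/24"; a host is written as /32
    destination_ip: str | None = None
    ip_protocol: int | None = None
    destination_port: int | None = None

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, net: str | None) -> bool:
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (in_net(pkt.src, self.source_ip)
                and in_net(pkt.dst, self.destination_ip)
                and (self.ip_protocol is None or pkt.protocol == self.ip_protocol)
                and (self.destination_port is None or pkt.dst_port == self.destination_port))


@dataclass
class Rule:
    name: str
    condition: Condition
    disposition: str              # the action's disposition: accept or deny
    precedence: int = 0           # 0 is the lowest precedence, as in the guide
    enabled: bool = True


@dataclass
class Acl:
    rules: list[Rule] = field(default_factory=list)
    default_bridged: str = ACCEPT        # qos default bridged disposition
    default_routed: str = ACCEPT         # qos default routed disposition
    default_multicast: str = ACCEPT      # qos default multicast disposition

    def default_for(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.dst) in MULTICAST:
            return self.default_multicast
        return self.default_routed if pkt.routed else self.default_bridged

    def evaluate(self, pkt: Packet) -> tuple[str, str | None]:
        """Return (disposition, winning rule name); the name is None on a default hit."""
        candidates = [r for r in self.rules if r.enabled and r.condition.matches(pkt)]
        if not candidates:
            return self.default_for(pkt), None
        # max() returns the first maximal element, so ties go to the earlier rule
        winner = max(candidates, key=lambda r: r.precedence)
        return winner.disposition, winner.name


def build_sample_acl() -> Acl:
    """Constructed sample: deny Telnet into 10.10.4.0/24 from anywhere, except from one
    management host, and drop routed flows that match nothing (L2 stays accept)."""
    acl = Acl(default_routed=DENY)
    acl.rules.append(Rule("outside", Condition(destination_ip="10.10.4.0/24",
                                               ip_protocol=6, destination_port=23), DENY, precedence=10))
    acl.rules.append(Rule("mgmt", Condition(source_ip="10.10.8.5/32", destination_ip="10.10.4.0/24",
                                            ip_protocol=6, destination_port=23), ACCEPT, precedence=20))
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for pkt in (Packet("192.0.2.7", "10.10.4.20", 6, 23, routed=True),   # denied by "outside"
                Packet("10.10.8.5", "10.10.4.20", 6, 23, routed=True),   # both match; "mgmt" wins
                Packet("192.0.2.7", "10.10.4.20", 6, 80, routed=True),   # no rule: routed default, deny
                Packet("10.10.4.3", "10.10.4.9", 17, 53)):               # no rule: bridged default, accept
        print(pkt.src, "->", pkt.dst, acl.evaluate(pkt))
```

The sample follows the Quick Steps advice: routed flows that match nothing are denied, bridged flows are still accepted. Setting default_bridged to deny in the model reproduces the warning in the Important note above: a bridged flow with no matching accept rule is dropped.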
Creating Policy Conditions For ACLs
A policy condition for IP filtering may include a particular source IP address, destination IP address, source IP port, or destination IP port. Or, the condition may simply refer to the network group, MAC group, port group, or service group. Typically ACLs use group keywords in policy conditions. A single rule, therefore, filters traffic for multiple addresses or ports.
Creating Policy Rules for ACLs
A policy rule is made up of a condition and an action. For example, to create a policy rule for filtering IP addresses, which is a Layer 3 ACL, use the policy rule command with the condition and action keywords. The precedence keyword is optional. By default rules have a precedence of 0. See “Rule Precedence” on page 27-6 for more information about precedence.
-> policy condition c3 source ip 10.10.4.
Layer 2 ACL Example
In this example, the default bridged disposition is accept (the default). Since the default is accept, the qos default bridged disposition command would only need to be entered if the disposition had previously been set to deny. The command is shown here for completeness.
Layer 3 ACL: Example 1
In this example, the default routed disposition is accept (the default). Since the default is accept, the qos default routed disposition command would only need to be entered if the disposition had previously been set to deny. The command is shown here for completeness.
-> qos default routed disposition accept
-> policy condition addr2 source ip 192.68.82.
The following keywords may be used in the condition to indicate the client parameters:
Multicast ACL Keywords
destination ip
destination vlan
destination port
destination port group
destination mac
destination mac group
If a destination group is specified, the corresponding single value keyword cannot be combined in the same condition. For example, if a destination port is specified, a destination port group cannot be specified in the same condition.
Using ACL Security Features
The following additional ACL features are available for improving network security and preventing malicious activity on the network:
• UserPorts—A port group that identifies its members as user ports to prevent spoofed IP traffic. When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP network address that does not match the IP subnet for the port.
Configuring UserPort Traffic Types and Port Behavior
In addition to spoofed traffic, it is also possible to configure QoS to look for BPDU, RIP, OSPF, and/or BGP packets on user ports. When the specified type of traffic is encountered, the user port can either filter the traffic or administratively shut down to block all traffic. By default, spoofed traffic is filtered on user ports.
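The following Python model shows the UserPorts behaviour described in the two passages above: the source-subnet check on every IP packet entering a member port, and the watched control-protocol types that either get filtered or take the port down. It is an added example written for this page, not code from the OmniSwitch guide or from Alcatel. The per-port subnet table, the Frame fields and the way control traffic is recognised (OSPF as IP protocol 89, RIP as UDP port 520, BGP as TCP port 179, BPDUs by a flag) are this example's assumptions about how such a check would be fed.

```python
"""Model of the OmniSwitch UserPorts ACL security feature.

Added example, not code from the OmniSwitch guide or from Alcatel. It models the
behaviour the guide describes: an IP packet entering a UserPorts member whose source
address is outside the port's IP subnet is dropped, and BPDU, RIP, OSPF or BGP
packets on a user port are, if configured, either filtered or cause the port to be
administratively shut down. The per-port subnet table, the Frame fields and the
protocol classification (OSPF = IP protocol 89, RIP = UDP/520, BGP = TCP/179) are
this example's assumptions about how such a check would be fed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

FILTER, SHUTDOWN = "filter", "shutdown"


@dataclass(frozen=True)
class Frame:
    port: str                     # ingress port as "slot/port"
    src_ip: str | None            # None for non-IP frames such as BPDUs
    ip_protocol: int | None = None
    dst_port: int | None = None
    is_bpdu: bool = False


def classify(frame: Frame) -> str:
    """Map a frame onto the traffic-type keywords the feature can watch for."""
    if frame.is_bpdu:
        return "bpdu"
    if frame.ip_protocol == 89:                          # OSPF rides directly on IP
        return "ospf"
    if frame.ip_protocol == 17 and frame.dst_port == 520:
        return "rip"
    if frame.ip_protocol == 6 and frame.dst_port == 179:
        return "bgp"
    return "ip"


@dataclass
class UserPorts:
    members: set[str]                                 # ports in the UserPorts group
    subnets: dict[str, str]                           # port -> subnet its VLAN carries (assumption)
    watched: set[str] = field(default_factory=set)    # subset of {"bpdu", "rip", "ospf", "bgp"}
    behavior: str = FILTER                            # what to do with watched traffic
    shut_down: set[str] = field(default_factory=set)  # ports taken down so far

    def handle(self, frame: Frame) -> str:
        """Return "forward", "drop:<reason>" or "shutdown:<reason>"."""
        if frame.port not in self.members:
            return "forward"                          # feature applies to group members only
        if frame.port in self.shut_down:
            return "drop:port-shutdown"               # an administratively down port passes nothing
        kind = classify(frame)
        if kind in self.watched:
            if self.behavior == SHUTDOWN:
                self.shut_down.add(frame.port)
                return f"shutdown:{kind}"
            return f"drop:{kind}"
        # spoof check: by default spoofed traffic is filtered on user ports
        if frame.src_ip is not None and frame.port in self.subnets:
            net = ipaddress.ip_network(self.subnets[frame.port], strict=False)
            if ipaddress.ip_address(frame.src_ip) not in net:
                return "drop:spoofed-source"
        return "forward"


def build_sample() -> UserPorts:
    """Constructed sample: two user ports; OSPF packets and BPDUs shut the port down."""
    return UserPorts(members={"1/1", "1/2"},
                     subnets={"1/1": "10.1.1.0/24", "1/2": "10.1.2.0/24"},
                     watched={"bpdu", "ospf"}, behavior=SHUTDOWN)


if __name__ == "__main__":
    up = build_sample()
    for f in (Frame("1/1", "10.1.1.50", 17, 53),          # legitimate DNS query
              Frame("1/1", "192.168.9.9", 17, 53),        # spoofed source, dropped
              Frame("1/3", "192.168.9.9", 17, 53),        # not a user port, not checked
              Frame("1/2", "10.1.2.7", 89),               # OSPF hello from a user port: port shut down
              Frame("1/2", "10.1.2.7", 17, 53)):          # anything after the shutdown is dropped
        print(f.port, f.src_ip, up.handle(f))
```

The shutdown behaviour is sticky: once a user port has been taken down, legitimate traffic on it is dropped too until an administrator re-enables the port, which is the trade-off to weigh before choosing shutdown over filter on ports that carry real users.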
2 Add the services created in Step 1 to a service group called DropServices using the policy service group command, as shown below:
-> policy service group DropServices tcp135 tcp445 udp137 udp138 udp445
Note that the DropServices group must be specified using the exact capitalization as shown in the above example.
Configuring ICMP Drop Rules
Combining a Layer 2 condition for source VLAN with a Layer 3 condition for IP protocol is supported. In addition, two new condition parameters are available to provide more granular filtering of ICMP packets: icmptype and icmpcode. Use these two conditions together in a policy to block ICMP echo request and reply packets without impacting switch performance.
Note that if a flag is specified on the command line after the any or all keyword, then the match value is one. If the flag only appears as part of the mask, then the match value is zero. See the policy condition tcpflags command page in the OmniSwitch CLI Reference Guide for more information.
Verifying the ACL Configuration
To display information about ACLs, use the same show commands that are used for displaying any QoS policies.
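The match-value rule for tcpflags above is easy to get backwards, so here it is as an added Python model, written for this page and not code from the OmniSwitch guide or from Alcatel. A flag named after any or all has match value one, a flag present only in the mask has match value zero, and flags outside the mask are not tested. all requires every masked flag to equal its match value; any is taken literally as at least one masked flag equalling its match value, which means a zero-valued mask flag can satisfy any on its own. Check that reading of any against the policy condition tcpflags page of the CLI Reference Guide before relying on it. The letter-to-bit table is the TCP header layout (RFC 793, ECE/CWR from RFC 3168), not something the guide states.

```python
"""Evaluate a `tcpflags` policy condition against a packet's TCP flag byte.

Added example, not code from the OmniSwitch guide or from Alcatel. Flags named
after `any`/`all` have match value one, flags present only in the mask have match
value zero, flags outside the mask are not tested. `all` needs every masked flag to
equal its match value; `any` is modelled literally as at least one masked flag
equalling its match value. Flag letters follow the TCP header (RFC 793 / RFC 3168).
"""
from __future__ import annotations

FLAG_BITS = {"f": 0x01, "s": 0x02, "r": 0x04, "p": 0x08,   # FIN SYN RST PSH
             "a": 0x10, "u": 0x20, "e": 0x40, "w": 0x80}   # ACK URG ECE CWR


def flags_to_bits(names: str) -> int:
    """'s a' -> 0x12; an empty string is 0; unknown letters are rejected."""
    bits = 0
    for name in names.lower().split():
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r}")
        bits |= FLAG_BITS[name]
    return bits


def compile_tcpflags(mode: str, match_names: str, mask_names: str) -> tuple[str, int, int]:
    """Turn `tcpflags <any|all> <match flags> mask <mask flags>` into (mode, match, mask)."""
    if mode not in ("any", "all"):
        raise ValueError("mode must be 'any' or 'all'")
    match, mask = flags_to_bits(match_names), flags_to_bits(mask_names)
    if mask == 0:
        raise ValueError("mask must name at least one flag")
    if match & ~mask:
        # a flag that is matched but not masked would never be tested; reject it
        raise ValueError("match flags must be a subset of the mask")
    return mode, match, mask


def tcpflags_match(cond: tuple[str, int, int], packet_flags: int) -> bool:
    mode, match, mask = cond
    # bits inside the mask where the packet agrees with the match value
    agree = ~(packet_flags ^ match) & mask & 0xFF
    return agree == mask if mode == "all" else agree != 0


# constructed sample conditions a practitioner might write
SYN_ONLY = compile_tcpflags("all", "s", "s a")          # SYN set, ACK clear: new connection attempts
NULL_SCAN = compile_tcpflags("all", "", "f s r p a u")  # no flags at all
XMAS_SCAN = compile_tcpflags("all", "f p u", "f p u")   # FIN+PSH+URG together
RST_OR_FIN = compile_tcpflags("any", "f r", "f r")      # either teardown flag


def classify_segment(packet_flags: int) -> list[str]:
    """Names of the sample conditions a TCP flag byte satisfies."""
    samples = {"syn-only": SYN_ONLY, "null-scan": NULL_SCAN,
               "xmas-scan": XMAS_SCAN, "rst-or-fin": RST_OR_FIN}
    return [name for name, cond in samples.items() if tcpflags_match(cond, packet_flags)]


if __name__ == "__main__":
    for flags in (0x02, 0x12, 0x00, 0x29, 0x14):
        print(f"flags=0x{flags:02x} -> {classify_segment(flags)}")
```

The SYN_ONLY condition is the one to pair with a deny action when you want to stop inbound connection attempts while still letting the reply half of outbound connections (SYN+ACK) through; the null and xmas conditions catch the flag combinations port scanners use that no real stack sends.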
To display only policy rules that are active (enabled) on the switch, use the show active policy rule command. For example:
-> show active policy rule
Policy      From  Prec  Enab  Inact  Refl  Log  Save  Matches
+my_rule5   cli      0  Yes    No     No    No   Yes        0
 Cnd/Act:   cond2 -> pri2
 mac1       cli      0  Yes    No     No    No   Yes        0
 Cnd/Act:   dmac1 -> pri2
In this example, the rule my_rule does not display because it is inactive.
ACL Application Example
In this application for IP filtering, a policy is created to deny Telnet traffic from the outside world to an engineering group in a private network.
[Figure: OmniSwitch between a Private Network (Engineering) and the Public Network (The Internet); traffic originating from the public network destined for the private network]
Set up a policy rule called outside to deny Telnet traffic to the private network.
28 Configuring IP Multicast Switching IP Multicast Switching is a one-to-many communication technique employed by emerging applications, such as video distribution, news feeds, conferencing, netcasting, and resource discovery (OSPF, RIP2, and BOOTP). Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any subnetwork that has at least one device requesting the multicast traffic.
• Configuring and removing an MLD static group on page 28-24.
• Modifying IPMSv6 parameters beginning on page 28-25.
Note. You can also configure and monitor IPMS with WebView, Alcatel’s embedded Web-based device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a Web browser. Please refer to WebView’s online documentation for more information on configuring and monitoring IPMS/IPMSv6 with WebView.
IPMS Specifications
The table below lists specifications for Al­catel’s IPMS software.
IPMS Default Values
The table below lists default values for Alcatel’s IPMS software.
IPMS Overview
A multicast group is defined by a multicast group address, which is a Class D IP address in the range 224.0.0.0 to 239.255.255.255. (Addresses in the range 239.0.0.0 to 239.255.255.255 are administratively scoped, RFC 2365, and are reserved for use within scope boundaries.) The multicast group address is indicated in the destination address field of the IP header. (See “Reserved IP Multicast Addresses” on page 28-6 for more information.
Reserved IP Multicast Addresses
The Internet Assigned Numbers Authority (IANA) created the range for multicast addresses, which is 224.0.0.0 to 239.255.255.255. However, as the table below shows, certain addresses are reserved and cannot be used.
Address or Address Range         Description
224.0.0.0 through 224.0.0.255    Routing protocols (e.g., OSPF, RIP2)
224.0.1.0 through 224.0.1.255    Internetwork Control Block (e.g., RSVP, DHCP, commercial servers)
224.0.2.
PIM
Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information provided by unicast routing protocols, such as RIP and OSPF. Sparse Mode PIM (PIM-SM) contrasts with flood-and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIM-DM), in that multicast forwarding in PIM-SM is initiated only via specific requests.
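The reserved-range table above and the Class D definition in the IPMS Overview can be turned into a checker, and it is worth adding the one fact a switch operator filtering multicast at Layer 2 needs: the mapping from a group address to its Ethernet MAC address loses five bits, so 32 group addresses share one MAC. The Python below is an added example written for this page, not code from the OmniSwitch guide or from Alcatel. The ranges are the IANA allocations the guide's table summarises plus 232.0.0.0/8 (source-specific multicast, RFC 4607) and 239.0.0.0/8 (administratively scoped, RFC 2365); the MAC mapping is RFC 1112. The description strings are this example's own.

```python
"""Classify IPv4 multicast group addresses and derive the MAC address they map to.

Added example, not code from the OmniSwitch guide or from Alcatel. The ranges are
the IANA allocations the guide's table summarises (224.0.0.0/24 local network
control, 224.0.1.0/24 internetwork control) plus 232.0.0.0/8 source-specific
multicast (RFC 4607) and 239.0.0.0/8 administratively scoped (RFC 2365); the MAC
mapping is RFC 1112. The description strings are this example's own.
"""
from __future__ import annotations

import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
RANGES = [
    (ipaddress.ip_network("224.0.0.0/24"),
     "local network control (routing protocols, e.g. OSPF, RIP2); never forwarded by routers"),
    (ipaddress.ip_network("224.0.1.0/24"),
     "internetwork control (e.g. RSVP, DHCP); reserved"),
    (ipaddress.ip_network("232.0.0.0/8"),
     "source-specific multicast (RFC 4607)"),
    (ipaddress.ip_network("239.0.0.0/8"),
     "administratively scoped (RFC 2365); confined by scope boundaries"),
]


def classify(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip not in MULTICAST:
        return "not an IPv4 multicast address"
    for net, description in RANGES:
        if ip in net:
            return description
    return "globally scoped, assignable group address"


def group_mac(addr: str) -> str:
    """RFC 1112: 01:00:5e plus the low 23 bits of the group address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip not in MULTICAST:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def groups_sharing_mac(addr: str) -> list[str]:
    """The 32 group addresses that land on the same MAC as `addr`: the five bits
    between the 1110 prefix and the low 23 bits are not carried in the MAC, so
    224.1.1.1, 225.1.1.1 and 239.129.1.1 are indistinguishable at Layer 2."""
    low23 = int(ipaddress.ip_address(addr)) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (high5 << 23) | low23)) for high5 in range(32)]


if __name__ == "__main__":
    for a in ("224.0.0.5", "224.0.1.129", "232.1.1.1", "239.1.1.1", "233.1.1.1", "10.1.1.1"):
        print(a, "->", classify(a))
    print(group_mac("239.255.255.250"), groups_sharing_mac("224.1.1.1")[:4])
```

The practical consequence for the MAC-group ACLs described in the previous chapter: a destination mac condition written for one group also matches the other 31 groups that share its MAC, so filter multicast by destination ip when the groups must be told apart.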
Configuring IPMS on a Switch
This section describes how to use Command Line Interface (CLI) commands to enable and disable IP Multicast Switching and Routing (IPMSR) switch wide (see “Enabling and Disabling IP Multicast Status” on page 28-8), configure a port as an IGMP static neighbor (see “Configuring and Removing an IGMP Static Neighbor” on page 28-9), configure a port as an IGMP static querier (see “Configuring and Removing an IGMP Static Q
-> ip multicast vlan 2 status
To restore the IP Multicast status to its default setting (i.e., disabled).
Configuring and Restoring the IGMP Version
By default, the version of Internet Group Management Protocol (IGMP) membership is Version 2. The following subsections describe how to configure the IGMP protocol version, ranging from 1 to 3, with the ip multicast version command.
For example, to configure port 10 in slot 4 with designated VLAN 2 as an IGMP static neighbor you would enter:
-> ip multicast static-neighbor vlan 2 port 4/10
You can also configure a link aggregation group as an IGMP static neighbor port by entering ip multicast static-neighbor followed by vlan, a space, the VLAN number (which must be between 0 and 4095), a space, followed by port, a space, and the link aggregation group number.
space, the VLAN number, a space, followed by port, a space, the slot number of the port, a slash (/), and the port number. For example, to remove port 10 in slot 4 with designated VLAN 2 as an IPMS static querier you would enter:
-> no ip multicast static-querier vlan 2 port 4/10
Configuring and Removing an IGMP Static Group
IGMP static group ports receive IGMP reports generated on the specified IP Multicast group address.
Modifying IPMS Parameters
The table in “IPMS Default Values” on page 28-4 lists default values for IPMS parameters. The following sections describe how to use CLI commands to modify these parameters.
Modifying the IGMP Query Interval
The default IGMP query interval (i.e., the time between IGMP queries) is 125 seconds.
Configuring the IGMP Last Member Query Interval
You can modify the IGMP last member query interval from 1 to 65535 tenths of a second by entering ip multicast last-member-query-interval followed by the new value.
Restoring the IGMP Query Response Interval
To restore the IGMP query response interval to its default (i.e., 100 tenths of a second) value on the system if no VLAN is specified, use the ip multicast query-response-interval command by entering:
-> ip multicast query-response-interval 0
Or, as an alternative, enter:
-> ip multicast query-response-interval
To restore the IGMP query response interval to its default value.
You can also restore the IGMP router timeout on the specified VLAN by entering:
-> ip multicast vlan 2 router-timeout 0
Or, as an alternative, enter:
-> ip multicast vlan 2 router-timeout
To restore the IGMP router timeout to its default value.
Modifying the Source Timeout
The default source timeout (i.e., the expiry time of IP multicast sources) is 30 seconds.
Enabling the IGMP Querying
You can enable IGMP querying by entering ip multicast querying followed by the enable keyword.
Restoring the IGMP Robustness Variable
You can restore the IGMP robustness variable to its default (i.e., 2) value on the system if no VLAN is specified, by entering ip multicast robustness followed by the value 0 as shown below:
-> ip multicast robustness 0
Or, as an alternative, enter:
-> ip multicast robustness
To restore the IGMP robustness to its default value. You can also restore the IGMP robustness variable to its default (i.e.
Or, as an alternative, enter:
-> ip multicast vlan 2 spoofing
To restore the IGMP spoofing to its default setting (i.e., disabled).
Enabling and Disabling the IGMP Zapping
By default, IGMP zapping (i.e., processing membership and source filter removals immediately without waiting for the protocol’s specified time period – this mode facilitates IP TV applications looking for quick changes between IP multicast groups) is disabled on a switch.
IPMSv6 Overview
An IPv6 multicast address identifies a group of nodes. A node can belong to any number of multicast groups. IPv6 multicast addresses are classified as fixed scope multicast addresses and variable scope multicast addresses. (See “Reserved IPv6 Multicast Addresses” on page 28-20.) IPMSv6 tracks the source VLAN on which the Multicast Listener Discovery Protocol (MLD) requests are received.
Reserved IPv6 Multicast Addresses
The Internet Assigned Numbers Authority (IANA) classified the scope for IPv6 multicast addresses as fixed scope multicast addresses and variable scope multicast addresses. However, as the table below shows, only well-known addresses are reserved and cannot be assigned to any multicast group.
Configuring IPMSv6 on a Switch
This section describes how to use Command Line Interface (CLI) commands to enable and disable IPv6 Multicast Switching (IPMSv6) switch wide (see “Enabling and Disabling IPv6 Multicast Status” on page 28-21), configure a port as an MLD static neighbor (see “Configuring and Removing an MLD Static Neighbor” on page 28-22), configure a port as an MLD static querier (see “Configuring and Removing an MLD Static Quer
Configuring and Restoring the MLD Version
By default, the version of Multicast Listener Discovery (MLD) Protocol is Version 1. The following subsections describe how to configure the MLD version as Version 1 or Version 2 by using the ipv6 multicast version command.
For example, to configure link aggregation group 7 with designated VLAN 2 as a static neighbor you would enter:
-> ipv6 multicast static-neighbor vlan 2 port 7
Removing an MLD Static Neighbor
To reset the port so that it is no longer an MLD static neighbor port, use the no form of the ipv6 multicast static-neighbor command by entering no ipv6 multicast static-neighbor, followed by vlan, a space, the VLAN number, a space, followed by port,
Configuring and Removing an MLD Static Group
MLD static group ports receive MLD reports generated on the specified IPv6 Multicast group address. The following subsections describe how to configure and remove an MLD static group by using the ipv6 multicast static-group command.
Modifying IPMSv6 Parameters
The table in “IPMSv6 Default Values” on page 28-4 lists default values for IPMSv6 parameters. The following sections describe how to use CLI commands to modify these parameters.
Modifying the MLD Query Interval
The default IPMSv6 query interval (i.e., the time between MLD queries) is 125 seconds.
Restoring the MLD Last Member Query Interval
To restore the MLD last member query interval to its default (i.e., 1000 milliseconds) value on the system if no VLAN is specified, use the ipv6 multicast last-member-query-interval command by entering:
-> ipv6 multicast last-member-query-interval 0
Or, as an alternative, enter:
-> ipv6 multicast last-member-query-interval
To restore the MLD last member query interval to its default (i.e.
You can also restore the MLD query response interval on the specified VLAN by entering:
-> ipv6 multicast vlan 2 query-response-interval 0
Or, as an alternative, enter:
-> ipv6 multicast vlan 2 query-response-interval
To restore the MLD query response interval to its default value.
Modifying the MLD Router Timeout
The default MLD router timeout (i.e., expiry time of IPv6 multicast routers) is 90 seconds.
Configuring the Source Timeout
You can modify the source timeout from 1 to 65535 seconds by entering ipv6 multicast source-timeout followed by the new value.
Or, as an alternative, enter:
-> ipv6 multicast querying
To restore the MLD querying to its default setting (i.e., disabled).
You can also disable the MLD querying on the specified VLAN by entering:
-> ipv6 multicast vlan 2 querying disable
Or, as an alternative, enter:
-> ipv6 multicast vlan 2 querying
To restore the MLD querying to its default setting (i.e., disabled).
Or, as an alternative, enter:
-> ipv6 multicast vlan 2 robustness
To restore the MLD robustness to its default value.
Enabling and Disabling the MLD Spoofing
By default, MLD spoofing (i.e., replacing a client's MAC and IPv6 address with the system's MAC and IPv6 address, when proxying aggregated MLD group membership information) is disabled on the switch.
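The IGMP parameters in “Modifying IPMS Parameters” and the MLD parameters in this section (query interval, query response interval, last member query interval, robustness variable) are presented one at a time, but their effect is felt through the timers derived from them. The Python below, an added example written for this page and not code from the OmniSwitch guide or from Alcatel, computes those derived timers with the formulas of RFC 2236 (IGMPv2) and RFC 2710 (MLDv1) and feeds them the defaults the guide shows. The guide does not state that the switch implements exactly these formulas, so the numbers are what the protocols specify rather than measured switch behaviour. Two inputs the page does not show, the IGMP last member query interval (1 s) and the MLD query response interval (10 s), are the RFC defaults and are assumed here; MLD robustness is assumed to default to 2 as for IGMP.

```python
"""Derived IGMP/MLD querier timers from the IPMS parameters the guide lets you set.

Added example, not code from the OmniSwitch guide or from Alcatel. The formulas are
those of RFC 2236 (IGMPv2, section 8) and RFC 2710 (MLDv1, section 7). The guide
does not state that the switch uses exactly these formulas. Inputs are the guide's
defaults where the page shows them; the IGMP last member query interval (1 s), the
MLD query response interval (10 s) and the MLD robustness (2) are RFC defaults
assumed here.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class QuerierTimers:
    """All intervals in seconds (the CLI takes tenths of a second for IGMP and
    milliseconds for MLD; convert before constructing)."""
    robustness: int
    query_interval: float
    query_response_interval: float
    last_member_query_interval: float

    def __post_init__(self) -> None:
        if self.robustness < 1:
            raise ValueError("robustness variable must be at least 1")
        if self.query_response_interval >= self.query_interval:
            raise ValueError("query response interval must be shorter than the query interval")

    def group_membership_interval(self) -> float:
        """How long a group stays forwarded to a port after its last report: RV * QI + QRI."""
        return self.robustness * self.query_interval + self.query_response_interval

    def other_querier_present_interval(self) -> float:
        """How long a non-querier waits before taking over as querier: RV * QI + QRI / 2."""
        return self.robustness * self.query_interval + self.query_response_interval / 2

    def startup_query_interval(self) -> float:
        """Interval between the startup queries a new querier sends: QI / 4."""
        return self.query_interval / 4

    def leave_latency(self, zapping: bool = False) -> float:
        """Upper bound on how long traffic keeps flowing after a Leave.
        Without zapping the querier sends Last Member Query Count (= RV) group-specific
        queries LMQI apart before it stops forwarding; with zapping the removal is
        processed immediately, which is what the guide's zapping option describes."""
        return 0.0 if zapping else self.robustness * self.last_member_query_interval


def igmp_defaults() -> QuerierTimers:
    # guide: query interval 125 s, query response interval 100 tenths of a second, robustness 2
    return QuerierTimers(robustness=2, query_interval=125,
                         query_response_interval=100 / 10, last_member_query_interval=1)


def mld_defaults() -> QuerierTimers:
    # guide: query interval 125 s, last member query interval 1000 ms
    return QuerierTimers(robustness=2, query_interval=125,
                         query_response_interval=10000 / 1000, last_member_query_interval=1000 / 1000)


def with_robustness(base: QuerierTimers, robustness: int) -> QuerierTimers:
    """Same timers with a different robustness variable, e.g. the 7 used in the
    application examples at the end of this chapter."""
    return QuerierTimers(robustness, base.query_interval,
                         base.query_response_interval, base.last_member_query_interval)


if __name__ == "__main__":
    for label, t in (("IGMP defaults", igmp_defaults()),
                     ("IGMP robustness 7", with_robustness(igmp_defaults(), 7))):
        print(label, "membership", t.group_membership_interval(), "s;",
              "querier failover", t.other_querier_present_interval(), "s;",
              "leave latency", t.leave_latency(), "s (zapping:", t.leave_latency(zapping=True), "s)")
```

Raising the robustness variable, as the application examples do with a value of 7, is not free: with the default query interval the group membership interval grows from 260 s to 885 s, so a port whose receiver has gone silent keeps receiving the stream for almost fifteen minutes, and querier failover slows by the same amount.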
Enabling the MLD Zapping
To enable MLD zapping on the system if no VLAN is specified, use the ipv6 multicast zapping command as shown below:
-> ipv6 multicast zapping enable
You can also enable MLD zapping on the specified VLAN by entering:
-> ipv6 multicast vlan 2 zapping enable
Disabling the MLD Zapping
To disable MLD zapping on the system if no VLAN is specified, use the ipv6 multicast zapping command as shown below:
-> ipv6 multicast zap
IPMS Application Example
The figure below shows a sample network with the switch sending multicast video. A client attached to Port 5 needs to be configured as a static IGMP neighbor, and another client attached to Port 2 needs to be configured as a static IGMP querier.
[Figure: an OmniSwitch 9700 forwarding multicast video from a Multicast Server (source IP address); Static Neighbor attached to Slot 1, Port 5; Static Querier attached to Slot 1, Port 2.]
An example of what these commands look like when entered sequentially on the command line:
-> ip multicast status enable
-> ip multicast static-neighbor vlan 5 port 1/5
-> ip multicast static-querier vlan 5 port 1/2
-> ip multicast robustness 7
As an option, you can use the show ip multicast, show ip multicast neighbor, and show ip multicast querier commands to confirm your settings, as shown below:
-> show ip multicast
Status: Enabled
Querying: Di
IPMSv6 Application Example
The figure below shows a sample network with the switch sending multicast video. A client attached to Port 5 needs to be configured as a static MLD neighbor, and another client attached to Port 2 needs to be configured as a static MLD querier.
[Figure: an OmniSwitch 9700 forwarding multicast video from a Multicast Server (source IPv6 address); Static Neighbor attached to Slot 1, Port 5; Static Querier attached to Slot 1, Port 2.]
An example of what these commands look like when entered sequentially on the command line:
-> ipv6 multicast status enable
-> ipv6 multicast static-neighbor vlan 5 port 1/5
-> ipv6 multicast static-querier vlan 5 port 1/2
-> ipv6 multicast robustness 7
As an option, you can use the show ipv6 multicast, show ipv6 multicast neighbor, and show ipv6 multicast querier commands to confirm your settings, as shown below:
-> show ipv6 multicast
Status: Qu
Displaying IPMS Configurations and Statistics
Alcatel's IP Multicast Switching (IPMS) show commands provide tools to monitor IPMS traffic and settings and to troubleshoot problems. These commands are described below:
show ip multicast: Displays the general IP Multicast switching and routing configuration parameters on a switch.
show ip multicast group: Displays all detected multicast groups that have members.
Displaying IPMSv6 Configurations and Statistics
Alcatel's IPv6 Multicast Switching (IPMSv6) show commands provide tools to monitor IPMSv6 traffic and settings and to troubleshoot problems. These commands are described below:
show ipv6 multicast: Displays the general IPv6 Multicast switching and routing configuration parameters on a switch.
show ipv6 multicast group: Displays all detected multicast groups that have members.
Displaying IPMSv6 Configurations and Statistics page 28-38 Configuring IP Multicast Switching OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006
29 Diagnosing Switch Problems Several tools are available for diagnosing problems that may occur with the switch.
In This Chapter
• Disabling a Port Monitoring Session—see "Disabling a Port Monitoring Session" on page 29-22.
• Deleting a Port Monitoring Session—see "Deleting a Port Monitoring Session" on page 29-22.
• Pausing a Port Monitoring Session—see "Pausing a Port Monitoring Session" on page 29-23.
• Configuring the persistence of a Port Monitoring Session—see "Configuring Port Monitoring Session Persistence" on page 29-23.
Port Mirroring Overview
The following sections detail the specifications, defaults, and quick setup steps for the port mirroring feature. Detailed procedures are found in "Port Mirroring" on page 29-14.
Port Mirroring Specifications
Ports Supported: Ethernet (10 Mbps)/Fast Ethernet (100 Mbps)/Gigabit Ethernet (1 Gb/1000 Mbps)/10 Gigabit Ethernet (10 Gb/10000 Mbps).
Mirroring Sessions Supported: One session supported per standalone switch and stack.
Quick Steps for Configuring Port Mirroring
1 Create a port mirroring session. Be sure to specify the port mirroring session ID, the source (mirrored) and destination (mirroring) slot/ports, and the unblocked VLAN ID (optional; this protects the mirroring session from changes in Spanning Tree if the mirroring port will monitor mirrored traffic on an RMON probe belonging to a different VLAN).
Port Monitoring Overview
The following sections detail the specifications, defaults, and quick setup steps for the port monitoring feature. Detailed procedures are found in "Port Monitoring" on page 29-21.
Port Monitoring Specifications
Ports Supported: Ethernet (10 Mbps)/Fast Ethernet (100 Mbps)/Gigabit Ethernet (1 Gb/1000 Mbps)/10 Gigabit Ethernet (10 Gb/10000 Mbps).
Monitoring Sessions Supported: One per switch and/or stack.
Quick Steps for Configuring Port Monitoring
1 To create a port monitoring session, use the port monitoring source command by entering port monitoring, followed by the port monitoring session ID, source, and the slot and port number of the port to be monitored.
sFlow Overview
The following sections detail the specifications, defaults, and quick setup steps for the sFlow feature. Detailed procedures are found in "sFlow" on page 29-26.
Note. sFlow is only supported on the OmniSwitch 6850 and OmniSwitch 9000 for this release.
sFlow Specifications
RFCs Supported: 3176 - sFlow Management Information Base.
Sampling: A sampling rate of one (1) counts all packets and 0 (zero) disables sampling.
Quick Steps for Configuring sFlow
Follow the steps below to create an sFlow receiver session.
1 To create an sFlow receiver session, use the sflow receiver command by entering sflow receiver, followed by the receiver index, name, and the address to be monitored. For example:
-> sflow receiver 1 name Golden address 198.206.181.3
2 Optional. Configure optional parameters. For example, to specify the timeout value "65535" for the sFlow receiver session on address 198.
For more information about this command, see "sFlow" on page 29-26 or the "sFlow Commands" chapter in the OmniSwitch CLI Reference Guide.
Follow the steps below to create an sFlow poller session.
1 To create an sFlow poller session, use the sflow poller command by entering sflow poller, followed by the instance ID, port list, receiver, and the interval. For example:
-> sflow poller 1 2/6-10 receiver 1 interval 30
Note. Optional.
Remote Monitoring (RMON) Overview
The following sections detail the specifications, defaults, and quick setup steps for the RMON feature. Detailed procedures are found in "Remote Monitoring (RMON)" on page 29-32.
RMON Probe Defaults
The following table shows Remote Network Monitoring default values.
Global RMON Probe Defaults
Parameter Description | CLI Command | Default Value/Comments
RMON Probe Configuration | rmon probes | No RMON probes configured.
Quick Steps for Enabling/Disabling RMON Probes
1 Enable an inactive (or disable an active) RMON probe, where necessary. You can also enable or disable all probes of a particular flavor, if desired.
Switch Health Overview
The following sections detail the specifications, defaults, and quick setup steps for the switch health feature. Detailed procedures are found in "Monitoring Switch Health" on page 29-39.
Switch Health Defaults
The following table shows Switch Health default values.
Port Mirroring
On OmniSwitch 9000 switches, you can set up port mirroring between Ethernet ports within the same switch chassis, while on OmniSwitch 6800 and 6850 switches, you can set up port mirroring across switches within a stack. Ethernet ports supporting port mirroring include 10BaseT/100BaseTX/1000BaseT (RJ-45), 1000BaseSX/LX/LH, and 10GBaseS/L (LC) connectors.
Note that when port mirroring is enabled, there may be some performance degradation, since all frames received and transmitted by the mirrored port need to be copied and sent to the mirroring port.
The diagram on the following page illustrates how port mirroring can be used with an external RMON probe to copy RMON probe frames and Management frames to and from the mirroring and mirrored ports. Frames received from an RMON probe attached to the mirroring port can be seen as being received by the mirrored port.
Creating a Mirroring Session
Before port mirroring can be used, it is necessary to create a port mirroring session. The port mirroring source destination CLI command can be used to create a mirroring session between a mirrored (active) port and a mirroring port. One (1) port mirroring session is supported in a standalone switch or in a stack consisting of two or more switches.
Unblocking Ports (Protection from Spanning Tree)
If the mirroring port monitors mirrored traffic on an RMON probe belonging to a different VLAN than the mirrored port, it should be protected from blocking due to Spanning Tree updates.
Note. The port mirroring session identifier and the slot/port locations of the designated interfaces must always be specified.
Configuring Port Mirroring Direction
By default, port mirroring sessions are bidirectional.
To disable a port mirroring session, enter the port mirroring command, followed by the port mirroring session ID number and the keyword disable. The following command disables port mirroring session 6 (turning port mirroring off):
-> port mirroring 6 disable
Displaying Port Mirroring Status
To display port mirroring status, use the show port mirroring status command.
Port Monitoring
An essential tool of the network engineer is a network packet capture device. A packet capture device is usually a PC-based computer, such as the Sniffer®, that provides a means for understanding and measuring the data traffic of a network. Understanding data flow in a VLAN-based switch presents unique challenges, primarily because traffic moves inside the switch, especially on dedicated devices.
Configuring a Port Monitoring Session
To configure a port monitoring session, use the port monitoring source command by entering port monitoring, followed by the user-specified session ID number, source, the slot number of the port to be monitored, a slash (/), and the port number of the port. For example, to configure port monitoring session 6 on port 2/3, enter:
-> port monitoring 6 source 2/3
Note.
Pausing a Port Monitoring Session
To pause a port monitoring session, use the port monitoring command by entering port monitoring, followed by the port monitoring session ID and pause. For example, to pause port monitoring session 6, enter:
-> port monitoring 6 pause
To resume a paused port monitoring session, use the port monitoring command by entering port monitoring, followed by the port monitoring session ID and resume.
To prevent more recent packets from overwriting older packets in the data file once the file size is exceeded, use the port monitoring source CLI command by entering port monitoring, followed by the user-specified session ID number, source, the slot number of the port to be monitored, a slash (/), the port number of the port, file, the name of the file, and overwrite off.
Displaying Port Monitoring Status and Data
A summary of the show commands used for displaying port monitoring status and port monitoring data is given here:
show port monitoring status: Displays port monitoring status.
show port monitoring file: Displays port monitoring data.
sFlow
sFlow is a network monitoring technology that gives visibility into the activity of the network by providing network usage information. It provides the data required to effectively control and manage network usage. sFlow is a sampling technology that meets the requirements of a network traffic monitoring solution. sFlow is an industry standard, with many vendors delivering products that support it.
Sampler
The sampler is the module that receives hardware samples from the Q-Dispatcher and fills in the sampler part of the UDP datagram.
Poller
The poller is the module that receives counter samples from the Ethernet driver and fills in the counter part of the UDP datagram.
To configure an sFlow poller session, use the sflow poller command by entering sflow poller, followed by the instance ID number, the slot number of the port to be monitored, a slash (/), the port number of the port, receiver, and the receiver_index. For example, to configure poller session 3 on port 1/1, enter:
-> sflow poller 3 1/1 receiver 6
In addition, you can also specify the optional parameters shown in the table below.
Displaying an sFlow Sampler
The show sflow sampler command is used to display the sampler table. For example, to view the sFlow sampler table, enter the show sflow sampler command without specifying any additional parameters.
Displaying an sFlow Agent
The show sflow agent command is used to display the receiver table. For example, to view the sFlow agent table, enter the show sflow agent command without specifying any additional parameters. A screen similar to the following example will be displayed:
-> ip interface loopback0 127.0.0.1
-> show sflow agent
Agent Version = 1.3; Alcatel; 6.1.1
Agent IP = 127.0.0.1
Note.
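As an added example (not Alcatel code), the following Python decoder shows what a receiver has to do with the UDP datagram that the sampler and poller modules fill: it parses the datagram header, walks the sample envelopes, and rejects truncated or malformed payloads instead of reading past them. It assumes sFlow v5 framing (length-prefixed samples and records); the payload it decodes is constructed inline.

```python
# Decoder for sFlow datagram headers and sample envelopes (assumes sFlow v5
# framing). Added example, not OmniSwitch code; the payload is constructed.
import struct
from ipaddress import IPv4Address, IPv6Address

FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2        # sample formats (enterprise 0)
GENERIC_IF_COUNTERS = 1                   # counter record format 1
_GENERIC_IF_FMT = "!IIQIIQIIIIIIQIIIIII"  # 88-byte generic interface record


class SFlowError(ValueError):
    """Malformed or truncated datagram."""


class _Reader:
    """Bounds-checked big-endian reader: never reads past the payload."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise SFlowError(f"truncated at offset {self.pos}, need {n} bytes")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack("!I", self.take(4))[0]


def _agent_address(r):
    kind = r.u32()                        # 1 = IPv4, 2 = IPv6
    if kind == 1:
        return str(IPv4Address(r.take(4)))
    if kind == 2:
        return str(IPv6Address(r.take(16)))
    raise SFlowError(f"unknown agent address type {kind}")


def _records(r):
    """Yield (format, body) for each length-prefixed record inside a sample."""
    for _ in range(r.u32()):
        fmt, length = r.u32(), r.u32()
        yield fmt & 0xFFF, r.take(length)


def _counter_sample(body):
    r = _Reader(body)
    out = {"seq": r.u32(), "source_id": r.u32(), "counters": []}
    for fmt, rec in _records(r):
        if fmt != GENERIC_IF_COUNTERS:
            continue                      # other counter record types are skipped
        if len(rec) != struct.calcsize(_GENERIC_IF_FMT):
            raise SFlowError("generic interface counter record has wrong size")
        f = struct.unpack(_GENERIC_IF_FMT, rec)
        out["counters"].append({"if_index": f[0], "in_octets": f[5],
                                "in_errors": f[10], "out_octets": f[12]})
    return out


def _flow_sample(body):
    r = _Reader(body)
    out = {"seq": r.u32(), "source_id": r.u32(), "sampling_rate": r.u32(),
           "sample_pool": r.u32(), "drops": r.u32(),
           "input_if": r.u32(), "output_if": r.u32()}
    out["record_count"] = sum(1 for _ in _records(r))   # record bodies skipped
    return out


def parse_datagram(data):
    """Decode one sFlow UDP payload; raise SFlowError on truncated or bad input."""
    r = _Reader(data)
    version = r.u32()
    if version != 5:
        raise SFlowError(f"unsupported sFlow version {version}")
    dg = {"version": version, "agent": _agent_address(r), "sub_agent_id": r.u32(),
          "seq": r.u32(), "uptime_ms": r.u32(), "samples": []}
    for _ in range(r.u32()):
        stype, length = r.u32(), r.u32()
        body, fmt = r.take(length), stype & 0xFFF
        if fmt == COUNTER_SAMPLE:
            dg["samples"].append(("counter", _counter_sample(body)))
        elif fmt == FLOW_SAMPLE:
            dg["samples"].append(("flow", _flow_sample(body)))
        else:
            dg["samples"].append(("unknown", {"format": fmt, "length": length}))
    if r.pos != len(data):
        raise SFlowError("trailing bytes after the last sample")
    return dg


def build_example_datagram():
    """Constructed payload: agent 127.0.0.1, one counter and one flow sample."""
    counters = struct.pack(_GENERIC_IF_FMT, 6, 6, 10**9, 1, 1, 123456, 800, 5, 2,
                           0, 3, 0, 654321, 700, 1, 1, 0, 0, 0)
    counter_body = (struct.pack("!IIIII", 1, 6, 1, GENERIC_IF_COUNTERS, len(counters))
                    + counters)
    # flow sample: seq 7, source 6, sampling rate 1 (every packet), pool 900,
    # no drops, in 6, out 2, one 14-byte "raw header" record (zeroed)
    flow_body = struct.pack("!IIIIIIIIII", 7, 6, 1, 900, 0, 6, 2, 1, 1, 14) + b"\x00" * 14
    samples = (struct.pack("!II", COUNTER_SAMPLE, len(counter_body)) + counter_body
               + struct.pack("!II", FLOW_SAMPLE, len(flow_body)) + flow_body)
    return (struct.pack("!II", 5, 1) + bytes([127, 0, 0, 1])
            + struct.pack("!IIII", 0, 42, 30000, 2) + samples)
```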
Remote Monitoring (RMON)
Remote Network Monitoring (RMON) is an SNMP protocol used to manage networks remotely. RMON probes can be used to collect, interpret, and forward statistical data about network traffic from designated active ports in a LAN segment to an NMS (Network Management System) application for monitoring and analysis without negatively impacting network performance.
RMON probes can be enabled or disabled via CLI commands. Configuration of alarm threshold values for RMON traps is a function reserved for RMON-monitoring NMS stations. This feature supports a basic RMON 4-group implementation in compliance with RFC 2819, including the Ethernet Statistics, History (Control & Statistics), Alarms, and Events groups (described below).
Note. RMON 10 group and RMON2 are not implemented in the current release.
Enabling or Disabling RMON Probes
To enable or disable an individual RMON probe, enter the rmon probes CLI command. Be sure to specify the type of probe (stats/history/alarm), followed by the entry number (optional), as shown in the following examples.
Displaying RMON Tables
Two separate commands can be used to retrieve and view Remote Monitoring data: show rmon probes and show rmon events. The retrieved statistics appear in a table format (a collection of related data that meets the criteria specified in the command you entered).
Displaying Statistics for a Particular RMON Probe
To view statistics for a particular current RMON probe, enter the show rmon probes command, specifying the entry number of that probe, such as:
-> show rmon probes 4005
A display showing statistics for the specified RMON probe will appear, as shown in the following sections.
Sample Display for History Probe
The display shown here identifies RMON Probe 10325's Owner description and interface location (Analyzer-p:128.251.18.166 on slot 1, port 35), the total number of History Control Buckets (samples) requested and granted (2), along with the time interval for each sample (30 seconds) and the system-generated Sample Index ID number (5859).
Displaying a List of RMON Events
RMON Events are actions that occur based on Alarm conditions detected by an RMON probe.
Monitoring Switch Health
To monitor resource availability, the NMS (Network Management System) needs to collect significant amounts of data from each switch. As the number of ports per switch (and the number of switches) increases, the volume of data can become overwhelming. The Health Monitoring feature can identify and monitor a switch's resource utilization levels and thresholds, improving efficiency in data collection.
The following sections include a discussion of the CLI commands that can be used to configure resource parameters and monitor or reset statistics for switch resources. These commands include:
• health threshold—Configures threshold limits for input traffic (RX), output/input traffic (TX/RX), memory usage, CPU usage, and chassis temperature. See page 29-40 for more information.
• show health threshold—Displays current health threshold settings.
memory: Specifies a value for the memory usage threshold. Memory usage refers to the total amount of RAM memory currently used by switch applications. The default memory usage threshold is 80 percent.
cpu: Specifies a value for the CPU usage threshold. CPU usage refers to the total amount of CPU processor capacity currently used by switch applications. The default CPU usage threshold is 80 percent.
Note. For detailed definitions of each of the threshold types, refer to "Configuring Resource and Temperature Thresholds" on page 29-40, as well as Chapter 36, "Health Monitoring Commands," in the OmniSwitch CLI Reference Guide.
Configuring Sampling Intervals
The sampling interval is the period of time between polls of the switch's consumable resources to monitor performance against previously specified thresholds.
Viewing Health Statistics for the Switch
The show health command can be used to display health statistics for the switch. To display health statistics, enter the show health command, followed by the slot/port location and the optional statistics keyword. For example, to view health statistics for the entire switch, enter the show health command without specifying any additional parameters.
Viewing Health Statistics for a Specific Interface
To view health statistics for slot 4/port 3, enter the show health command, followed by the appropriate slot and port numbers.
30 Using Switch Logging Switch logging is an event logging utility that is useful in maintaining and servicing the switch. Switch logging uses a formatted string mechanism to either record or discard event data from switch applications. The log records are copied to the output devices configured for the switch. Log records can be sent to a text file and written into the flash file system. The log records can also be scrolled to the switch’s console or to a remote IP address.
Switch Logging Specifications
Functionality Supported: High-level event logging mechanism that forwards requests from applications to enabled logging devices.
Functionality Not Supported: Not intended for debugging individual hardware applications.
Logging Devices: Flash Memory/Console/IP Address.
Application ID Levels Supported: IDLE (255), DIAG (0), IPC-DIAG (1), QDRIVER (2), QDISPATCHER (3), IPC-LINK (4), NI-SUPERVISION (5), INTERFACE (6), 802.
Switch Logging Defaults
The following table shows switch logging default values.
Global Switch Logging Defaults
Parameter Description | CLI Command | Default Value/Comments
Enabling/Disabling switch logging | swlog | Enabled
Switch logging severity level | swlog appid level | Default severity level is info.
Quick Steps for Configuring Switch Logging
1 Enable switch logging by using the following command:
-> swlog
2 Specify the ID of the application to be logged along with the logging severity level.
-> swlog appid bridge level warning
Here, the application ID specifies bridging and the severity is set to the "warning" level.
3 Specify the output device to which the switch logging information will be sent.
Switch Logging Overview
Switch logging uses a formatted string mechanism to process log requests from switch applications. When a log request is received, switch logging compares the severity level included with the request to the severity level stored for the application ID. If there is a match, a log message is generated using the format specified by the log request and placed in the switch log queue.
Switch Logging Commands Overview
This section describes the switch logging CLI commands for enabling or disabling switch logging, displaying the current status of the switch logging feature, and displaying stored log information.
Enabling Switch Logging
The swlog command initializes and enables switch logging, while no swlog disables it.
CLI Keyword | Numeric Equivalent | Application ID
STP | 11 | APPID_SPANNINGTREE
LINKAGG | 12 | APPID_LINKAGGREGATION
QOS | 13 | APPID_QOS
RSVP | 14 | APPID_RSVP
IP | 15 | APPID_IP
IPMS | 17 | APPID_IPMS
AMAP | 18 | APPID_XMAP
GMAP | 19 | APPID_GMAP
AAA | 20 | APPID_AAA
IPC-MON | 21 | APPID_IPC_MON
IP-HELPER | 22 | APPID_BOOTP_RELAY
PMM | 23 | APPID_MIRRORING_MONITORING
MODULE | 24 | APPID_L3HRE
SLB | 25 | APPID_SLB
EIPC | 26 | APPID_EIPC
CHASSIS | 64 | APPID_CHASSISUPER
CLI Keyword | Numeric Equivalent | Application ID
EPILOGUE | 85 | APPID_EPILOGUE
LDAP | 86 | APPID_LDAP
NOSNMP | 87 | APPID_NOSNMP
SSL | 88 | APPID_SSL
DBGGW | 89 | APPID_DBGGW
LANPOWER | 108 | APPID_LANPOWER
The level keyword assigns the error-type severity level to the specified application IDs. Values range from 2 (highest severity) to 9 (lowest severity).
Removing the Severity Level
To remove the switch logging severity level, enter the no swlog appid level command, including the application ID and severity level values. The following is a typical example:
-> no swlog appid 75 level 5
Or, alternatively:
-> no swlog appid system level warning
No confirmation message will appear on the screen.
Disabling an IP Address from Receiving Switch Logging Output
To disable a particular IP address from receiving switch logging output, enter the following command:
-> no swlog output socket
No confirmation message will appear on the screen.
Note. It is not necessary to specify the IP address in the no swlog output socket command.
Configuring the Switch Logging File Size
By default, the size of the switch logging file is 128000 bytes. To configure the size of the switch logging file, use the swlog output flash file-size command. To use this command, enter swlog output flash file-size followed by the number of bytes, which must be at least 32000. (The maximum size of the file depends on the amount of free memory available in flash memory.)
Note.
Displaying Switch Logging Records
The show log swlog command can produce a display showing all the switch logging information, or you can display information according to session, timestamp, application ID, or severity level. For details, refer to the OmniSwitch CLI Reference Guide. The following sample screen output shows a display of all the switch logging information.
Note. Switch logging frequently records a very large volume of data.
A Software License and Copyright Statements This appendix contains Alcatel and third-party software vendor license and copyright statements. Alcatel License Agreement ALCATEL INTERNETWORKING, INC. (“AII”) SOFTWARE LICENSE AGREEMENT IMPORTANT. Please read the terms and conditions of this license agreement carefully before opening this package. By opening this package, you accept and agree to the terms of this license agreement.
3. Confidentiality. AII considers the Licensed Files to contain valuable trade secrets of AII, the unauthorized disclosure of which could cause irreparable harm to AII. Except as expressly set forth herein, Licensee agrees to use reasonable efforts not to disclose the Licensed Files to any third party and not to use the Licensed Files other than for the purpose authorized by this License Agreement.
10. Governing Law. This License Agreement shall be construed and governed in accordance with the laws of the State of California. 11. Severability. Should any term of this License Agreement be declared void or unenforceable by any court of competent jurisdiction, such declaration shall have no effect on the remaining terms herein. 12. No Waiver.
Third Party Licenses and Notices
The licenses and notices related only to such third party software are set forth below:
A. Booting and Debugging Non-Proprietary Software
A small, separate software portion aggregated with the core software in this product and primarily used for initial booting and debugging constitutes non-proprietary software, some of which may be obtained in source code format from AII for a limited period of time.
C. Linux
Linux is written and distributed under the GNU General Public License, which means that its source code is freely distributed and available to the general public.
D. GNU GENERAL PUBLIC LICENSE: Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.
b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c Accompany it with the information you received as to the offer to distribute corresponding source code.
consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program.
Material copyright Linux Online Inc. Design and compilation copyright (c) 1994-2002 Linux Online Inc. Linux is a registered trademark of Linus Torvalds. Tux the Penguin, featured in our logo, was created by Larry Ewing. Consult our privacy statement. URLWatch provided by URLWatch Services. All rights reserved.
E. University of California
Provided with this product is certain TCP input and Telnet client software developed by the University of California, Berkeley.
F.
H. Apptitude, Inc.
Provided with this product is certain network monitoring software ("MeterWorks/RMON") licensed from Apptitude, Inc., whose copyright notice is as follows: Copyright (C) 1997-1999 by Apptitude, Inc. All Rights Reserved. Licensee is notified that Apptitude, Inc. (formerly, Technically Elite, Inc.), a California corporation with principal offices at 6330 San Ignacio Avenue, San Jose, California, is a third party beneficiary to the Software License Agreement.
L. Wind River Systems, Inc.
Provided with this product is certain software ("Run-Time Module") licensed from Wind River Systems, Inc.
Index Numerics 10 Gigabit Ethernet see Ethernet 10/100/1000 ports defaults 1-3 802.1p trusted ports 26-22 802.1Q 11-1 application examples 11-8 defaults 11-2 enabling tagging 11-5 frame type 11-6 overview 11-3 specifications 11-2 trusted ports 26-5, 26-23 verify information about 11-10 802.1Q ports trusted 26-22 802.
Index Port Mapping 8-2 port mirroring 29-4 port monitoring 29-6, 29-8 QoS 26-25, 26-50 RDP 17-3 RIP 16-3 RMON 29-11 source learning 2-2 Spanning Tree Algorithm and Protocol 6-7, 6-31 static link aggregation 13-3, 13-11 switch health 29-13 switch logging 30-4 VLAN rules 9-3, 9-22 VLANs 5-3, 5-14, 7-3 VRRP 19-3, 19-15 applied configuration 26-47 how to verify 26-49 ARP clearing the ARP cache 12-12 creating a permanent entry 12-11 deleting a permanent entry 12-12 dynamic entry 12-11 filtering 12-13 local prox
Index ACLs 25-2, 27-3 assigning ports to VLANs 7-2 authentication servers 21-3 combo ports 1-3 DHCP Relay 18-3 dynamic link aggregation 14-3 Ethernet ports 1-2, 1-3 interswitch protocols 10-2 IP 12-2 IPMS 28-4 IPv6 15-2 IPX 20-2 Learned Port Security 4-2 mobile ports 7-2 policy servers 24-2 Port Mapping 8-2 port mirroring 29-3 port monitoring 29-5, 29-7 QoS 26-9 RDP 17-2 RDP interface 17-8 RIP 16-2 RMON 29-11 source learning 2-2 static link aggregation 13-2 switch health 29-13 switch logging 30-3 VLAN rule
Index F Fast Ethernet see Ethernet Fast Spanning Tree 6-4 filtering lists see ACLs filters IPX GNS 20-13 IPX RIP 20-12 IPX SAP 20-12 forced copper 1-4 configuring 1-20 forced fiber 1-4 configuring 1-19 frame type 11-6 G Gigabit Ethernet see Ethernet H health interval command 29-43 health statistics reset command 29-45 health threshold command 29-41 health threshold limits displaying 29-42 Hot Standby Routing Protocol see HSRP Hsecu.
Index see IPMS ip multicast switching command 28-8, 28-17, 28-21, 28-30 IP multinetting 12-6 ip rip force-holddowntimer command 16-9 ip rip host-route command 16-9 ip rip interface auth-key command 16-14 ip rip interface auth-type command 16-14 ip rip interface command 16-3, 16-7 ip rip interface metric command 16-8 ip rip interface recv-version command 16-8 ip rip interface send-version command 16-7 ip rip interface status command 16-3, 16-7 ip rip redist command 16-4, 16-10 ip rip redist metric command 1
lacp agg actor port priority command 14-22
lacp agg actor system id command 14-20
lacp agg actor system priority command 14-21
lacp agg partner admin key command 14-25
lacp agg partner admin port command 14-27
lacp agg partner admin port priority command 14-27
lacp agg partner admin state command 14-23
lacp agg partner admin system id command 14-25
lacp agg partner admin system priority command 14-26
lacp linkagg actor admin key command 14-15
lacp linkagg actor system id command 14-16
lacp linkagg ac
  for ACLs 27-10
  how the switch uses them 26-4
  Policy Based Routing 26-55
  precedence 26-31, 27-6
  redirect linkagg 26-52
  redirect port 26-52
  rules 26-29
  verify information about 26-32
policies configured via PolicyView 26-49
policy action 802.
Q
QoS
  application examples 26-25, 26-50
  ASCII-file-only syntax 26-26
  configuration overview 26-12
  defaults 26-9
  enabled/disabled 26-13
  interaction with other features 26-5
  overview 26-3
  quick steps for creating policies 26-25
  traffic prioritization 26-50
qos apply command 26-47
  global configuration 26-47
  policy and port configuration 26-47
  testing conditions 26-33
qos clear log command 26-17
qos command 26-13
qos default bridged disposition command 26-11, 26-13
qos default bridged disposition command
RIP redistribution policies 16-10
  creating 16-10
  deleting 16-10
RMON
  application examples 29-11
  defaults 29-11
  specifications 29-10
RMON events
  displaying list 29-38
  displaying specific 29-38
RMON probes
  displaying list 29-35
  displaying statistics 29-36
  enabling/disabling 29-34
rmon probes command 29-34
RMON tables
  displaying 29-35
Router Discovery Protocol see RDP
router ID 12-14
router port
  IP 12-7
  IPX 20-6
router primary address 12-14
Routing Information Protocol see RIP
RSTP see Rapid Spanning Tr
  802.1w rapid reconfiguration protocol 6-14
  automatic VLAN containment 6-20
  forward delay time 6-18
  hello time 6-16
  maximum age time 6-17
  priority 6-15
Spanning Tree port parameters 6-21
  connection type 6-29
  link aggregate ports 6-24, 6-25, 6-27, 6-28, 6-30
  mode 6-28
  path cost 6-25
  priority 6-24
specification
  IPv6 15-2
specifications
  802.
User Datagram Protocol see UDP
users
  functional privileges 21-12, 21-21
V
Vendor Specific Attributes see VSAs
Virtual Router Redundancy Protocol see VRRP
virtual routers 19-5
vlan 802.1q command 5-7, 5-9, 7-4, 11-5
vlan 802.
Index-12 OmniSwitch 6800/6850/9000 Network Configuration Guide June 2006