Part No. 060179-10, Rev. E April 2005 OmniSwitch 6600 Family Network Configuration Guide www.alcatel.
This user guide documents release 5.1.6 of the OmniSwitch 6600 Family Network Configuration Guide. The functionality described in this guide is subject to change without notice. Copyright © 2005 by Alcatel Internetworking, Inc. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel Internetworking, Inc. Alcatel® and the Alcatel logo are registered trademarks of Alcatel.
Contents

About This Guide  xxv
Supported Platforms  xxv
Who Should Read this Manual?  xxvi
When Should I Read this Manual?

Setting Interface Line Speed  1-16
Configuring Duplex Mode  1-17
Enabling and Disabling Interfaces  1-18
Configuring Inter-frame Gap Values  1-18
Resetting Statistics Counters

Configuring an Authorized MAC Address Range  3-9
Selecting the Security Violation Mode  3-10
Restoring the Operational State of an LPS Port  3-10
Displaying Learned Port Security Information  3-11
Chapter 4 Configuring VLANs

Bridge Configuration Commands Overview  5-12
Selecting Bridge Protocol  5-14
Configuring the Bridge Priority  5-14
Configuring the Bridge Hello Time  5-15
Configuring the Bridge Max Age Time

Quick Steps for Configuring MSTIs  6-16
Verifying the MST Configuration  6-19
Chapter 7 Assigning Ports to VLANs  7-1
In This Chapter

Defining DHCP MAC Address Rules  8-12
Defining DHCP MAC Range Rules  8-13
Defining DHCP Port Rules  8-13
Defining DHCP Generic Rules  8-14
Defining Binding Rules

Chapter 10 Configuring 802.1Q  10-1
In this Chapter  10-1
802.1Q Specifications  10-2
802.1Q Defaults Table

Dynamic Link Aggregation Default Values  12-3
Quick Steps for Configuring Dynamic Link Aggregation  12-4
Dynamic Link Aggregation Overview  12-7
Dynamic Link Aggregation Operation  12-7
Relationship to Other Features

Quick Steps for Configuring IP Forwarding  13-3
IP Overview  13-4
IP Protocols  13-4
Transport Protocols

Configuring an IPv6 Interface  14-10
Modifying an IPv6 Interface  14-11
Removing an IPv6 Interface  14-11
Assigning IPv6 Addresses  14-12
Removing an IPv6 Address

RDP Specifications  16-2
RDP Defaults  16-2
Quick Steps for Configuring RDP  16-3
RDP Overview

Chapter 18 Configuring VRRP  18-1
In This Chapter  18-1
VRRP Specifications  18-2
VRRP Defaults

RADIUS Servers  19-9
RADIUS Server Attributes  19-9
Standard Attributes  19-9
Vendor-Specific Attributes for RADIUS

Configuring the AV-Client for DHCP  20-23
Configuring Authenticated VLANs  20-26
Removing a User From an Authenticated Network  20-26
Configuring Authentication IP Addresses  20-27
Setting Up the Default VLAN for Authentication Clients

Policy Server Defaults  22-2
Policy Server Overview  22-3
Installing the LDAP Policy Server  22-3
Modifying Policy Servers

Enabling/Disabling Fragment Classification  23-17
Setting the Fragment Timeout  23-17
Classifying Bridged Traffic as Layer 3  23-18
Setting the Statistics Interval  23-18
Returning the Global Configuration to Defaults

Policy Applications  23-50
Basic QoS Policies  23-50
Basic Commands  23-51
Traffic Prioritization Example  23-51
Bandwidth Shaping Example

Chapter 25 Configuring IP Multicast Switching  25-1
In This Chapter  25-1
IPMS Specifications  25-2
IPMS Default Values

Port Mirroring Defaults  26-4
Quick Steps for Configuring Port Mirroring  26-5
Port Monitoring Overview  26-6
Port Monitoring Specifications  26-6
Port Monitoring Defaults

Sample Display for History Probe  26-30
Sample Display for Alarm Probe  26-30
Displaying a List of RMON Events  26-31
Displaying a Specific RMON Event  26-31
Monitoring Switch Health

Displaying the Memory Monitor Size Statistics  28-9
Appendix A Software License and Copyright Statements  A-1
Alcatel License Agreement  A-1
ALCATEL INTERNETWORKING, INC. ("AII") SOFTWARE LICENSE AGREEMENT
About This Guide

This OmniSwitch 6600 Family Network Configuration Guide describes how to set up and monitor software features that allow your switch to operate in a live network environment. The software features described in this manual are shipped standard with your OmniSwitch 6600 Family switch. These features are used when setting up your OmniSwitch in a network of switches and routers.

Who Should Read this Manual?

The audience for this user guide is network administrators and IT support personnel who need to configure, maintain, and monitor switches and routers in a live network. However, anyone wishing to gain knowledge of how fundamental software features are implemented in the OmniSwitch 6600 Family will benefit from the material in this configuration guide.

What is Not in this Manual?

The configuration procedures in this manual use Command Line Interface (CLI) commands in all examples. CLI commands are text-based commands used to manage the switch through serial (console port) connections or via Telnet sessions. Keep in mind that Telnet carries the login credentials and the whole session in cleartext, so Telnet management should be confined to a trusted management network. Procedures for other switch management methods, such as web-based (WebView or OmniVista) or SNMP, are outside the scope of this guide.

Documentation Roadmap

Stage 1: Using the Switch for the First Time

Pertinent Documentation: OmniSwitch 6600 Family Getting Started Guide; Release Notes

A hard-copy OmniSwitch 6600 Family Getting Started Guide is included with OmniSwitch 6600 Family switches; this guide provides all the information you need to get your switch up and running the first time.

Anytime

The OmniSwitch CLI Reference Guide contains comprehensive information on all CLI commands supported by the switch. It includes syntax, default, usage, example, related CLI command, and CLI-to-MIB variable mapping information for every CLI command supported by the switch, and can be consulted at any point during the configuration process to find detailed and specific information on each command.

Related Documentation

The following are the titles and descriptions of all the OmniSwitch 6600 Family user manuals:

• OmniSwitch 6600 Family Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 6600 Family switch up and running. Also provides information on fundamental aspects of OmniSwitch software and stacking architecture.

User Manual CD

All user guides for the OmniSwitch 6600 Family are included on the User Manual CD that accompanied your switch. This CD also includes user guides for other Alcatel data enterprise products. In addition, it contains a stand-alone version of the on-line help system that is embedded in the OmniVista network management application.
1 Configuring Ethernet Ports

The Ethernet software is responsible for a variety of functions that support the Ethernet and Gigabit Ethernet ports on OmniSwitch 6600 Family switches. These functions include diagnostics, software loading, initialization, configuration of line parameters, gathering statistics, and responding to administrative requests from SNMP or the CLI.

Ethernet Specifications

IEEE Standards Supported: 802.3 Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
Ports Supported: Ethernet (10 Mbps), Fast Ethernet (100 Mbps), Gigabit Ethernet (1 Gb/1000 Mbps)

Ethernet Port Defaults

The following table shows Ethernet port default values.

Configuring Ethernet Ports Tutorial

This tutorial describes typical steps involved in configuring an Ethernet port. This example presumes that slot (switch) 1, port 1 is an Ethernet port.

1 This step configures the line speed for slot 1, port 1 with the interfaces speed command.

Note. Optional. To verify the Ethernet port configuration, use the show interfaces command. The display is similar to the one shown below, and provides additional statistics about received and transmitted bytes and frames.

Ethernet Ports Overview

This chapter describes the Ethernet software CLI commands used for configuring and monitoring your switch's Ethernet port parameters. These commands allow you to handle administrative or port-related requests to and from SNMP, the CLI or WebView. The OmniSwitch software supports the Gigabit Ethernet expansion modules (OmniSwitch 6624, 6648, 6600-U24, and 6600-P24 only) listed in the table here.

OmniSwitch 6624

The OmniSwitch 6624 provides 24 10/100 Mbps ports and two expansion slots. The expansion slots are empty by default. Optionally, they can hold either four Gigabit Ethernet ports or two Gigabit Ethernet ports and two stacking connections. Port numbers 1 through 24 support both 10 Mbps Ethernet and 100 Mbps Fast Ethernet interfaces.

OmniSwitch 6600-P24

The OmniSwitch 6600-P24 provides 24 10/100 Mbps Power over Ethernet (PoE) ports and two expansion slots. The expansion slots are empty by default. Optionally, they can hold either four Gigabit Ethernet ports or two Gigabit Ethernet ports and two stacking connections. Port numbers 1 through 24 support both 10 Mbps Ethernet and 100 Mbps Fast Ethernet interfaces.

OmniSwitch 6602-48

The OmniSwitch 6602-48 provides 48 10/100 Mbps ports, two Gigabit MiniGBIC ports, and two stacking ports. Port numbers 1 through 48 support both 10 Mbps Ethernet and 100 Mbps Fast Ethernet interfaces. Port numbers 49 and 50 support 1000 Mbps Gigabit Ethernet, and port numbers 51 and 52 are stacking ports. For more information on Ethernet hardware configurations, refer to the OmniSwitch 6600 Family Hardware Users Guide.
Valid Port Settings

The table below lists valid speed, duplex, and auto negotiation settings for the different OmniSwitch 6600 Family port types. For each chassis type and port range it gives the port type, the user-specified port speed (Mbps), the user-specified duplex setting, and whether auto negotiation is supported.

OmniSwitch 6624 (ports 1–24): copper twisted pair (RJ-45); speed auto/10/100; duplex auto/full/half; auto negotiation supported: yes.
OmniSwitch 6624 (ports 25–26): wire-rate when an OS6600-GNI-U2 is installed using LC fiber SFPs or copper 1000Base-T SFPs; speed 1000.
OmniSwitch 6600-U24 (ports 1–24): 100 Mbps fiber SFP ports; duplex full/half; auto negotiation supported: yes.
OmniSwitch 6600-U24 (ports 25–26): wire-rate when an OS6600-GNI-U2 is installed using LC fiber SFPs or copper 1000Base-T SFPs; speed 1000.
OmniSwitch 6602-24 (ports 1–24): copper twisted pair (RJ-45); speed auto/10/100; duplex auto/full/half; auto negotiation supported: yes.
OmniSwitch 6602-24 (ports 25–26): wire-rate when an LC fiber SFP or copper 1000Base-T SFP is installed; speed 1000.

Setting Ethernet Port Parameters

When using CLI commands to set Ethernet port parameters, keep in mind that Ethernet and Fast Ethernet are supported only on ports 1 through 48 on the OmniSwitch 6648 and OmniSwitch 6602-48 and on ports 1 through 24 on the OmniSwitch 6624, OmniSwitch 6600-P24, and OmniSwitch 6600-U24.
Setting Flow Control

The flow command can be used to enable or disable (the default) flow control on a specific port, a range of ports, or all ports on an entire switch (slot). When the buffers on a receiving device are full, flow control transmits pause frames to the remote link partner to delay transmission. Likewise, the local port delays transmission of data when the remote link partner transmits a pause frame.

As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number. For example, to disable flow control on slot 2 port 3 and document the interface type as Fast Ethernet, enter:

-> no flow fastethernet 2/3

Setting Flow Control Wait Time

By default, the flow control wait time is 0 microseconds.

Restoring the Flow Control Wait Time

To restore the flow control wait time (i.e., set it back to 0) for an entire switch, enter flow followed by the slot number and no wait. For example, to restore the flow control wait time to 0 microseconds on slot 2, enter:

-> flow 2 no wait

To restore the flow control wait time (i.e., set it back to 0) for a single port, enter interfaces followed by the slot number, a slash (/), the port number, and no wait.
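The pause frames this section refers to are IEEE 802.3x MAC Control frames. The Python block below is an added example, not code from the guide or from Alcatel: it builds and decodes a PAUSE frame and converts its pause_time field to microseconds at each OmniSwitch 6600 link speed (the frame layout and the 512-bit-time quantum come from the 802.3 standard; the source MAC is a constructed sample). The point worth keeping in mind when enabling flow control on a port that faces an untrusted host: a PAUSE frame is honoured by the receiving MAC without any authentication, so a link partner that keeps re-sending the maximum pause value can hold the port's transmitter idle for as long as it likes. Leaving flow control at its default (disabled) on such ports avoids that.

```python
import struct

# Constants from IEEE 802.3 Annex 31B (MAC Control / PAUSE); not taken from the guide.
PAUSE_DST = bytes.fromhex("0180c2000001")   # reserved link-local address: bridges never forward it
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
MIN_FRAME_LEN = 60                           # minimum Ethernet frame size without the FCS


def build_pause_frame(src_mac: str, pause_quanta: int) -> bytes:
    """Build a PAUSE frame. pause_quanta is the 16-bit pause_time field, in units of 512 bit times."""
    if not 0 <= pause_quanta <= 0xFFFF:
        raise ValueError("pause_time must fit in 16 bits")
    src = bytes.fromhex(src_mac.replace(":", "").replace("-", ""))
    if len(src) != 6:
        raise ValueError("source MAC must be 6 octets")
    frame = PAUSE_DST + src + struct.pack("!HHH", MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, pause_quanta)
    return frame.ljust(MIN_FRAME_LEN, b"\x00")  # pad the 18-byte control frame to the minimum size


def parse_pause_frame(frame: bytes):
    """Return (src_mac, pause_quanta) for a PAUSE frame, or None for any other frame."""
    if len(frame) < 18 or frame[:6] != PAUSE_DST:
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    return src, quanta


def pause_duration_us(pause_quanta: int, link_mbps: int) -> float:
    """How long the receiver stops transmitting: one quantum is 512 bit times at the link speed.
    1 Mbps is exactly 1 bit per microsecond, so (bits / link_mbps) is already microseconds."""
    return pause_quanta * 512 / link_mbps


if __name__ == "__main__":
    # Constructed sample: a link partner on a 100 Mbps port asserting the maximum pause value.
    frame = build_pause_frame("00:d0:95:12:34:56", 0xFFFF)
    src, quanta = parse_pause_frame(frame)
    for speed in (10, 100, 1000):
        print(f"PAUSE from {src}: {quanta} quanta = {pause_duration_us(quanta, speed):.2f} us at {speed} Mbps")
```

At 100 Mbps the maximum pause_time of 65535 quanta stalls the transmitter for about 3.4 ms per frame, and nothing stops the partner from sending the next one before that expires.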
Setting Interface Line Speed

As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number. For example, to configure the line speed on slot 2 port 3 at 100 Mbps and document the interface type as Fast Ethernet, enter:

-> interfaces fastethernet 2/3 speed 100

Note. Copper Gigabit Ethernet ports are always set to auto.

Enabling and Disabling Interfaces

The interfaces admin command is used to enable (the default) or disable a specific port, a range of ports, or all ports on an entire switch (slot). To enable or disable an entire slot, enter interfaces followed by the slot number, admin, and the desired administrative setting (either up or down). Administratively disabling ports that are not in use is an inexpensive way to keep unknown devices off the switch.

Configuring Inter-frame Gap Values

As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number. For example, to set the inter-frame gap value on port 52 on slot 2 to 10 bytes and document the port as Gigabit Ethernet, enter:

-> interfaces gigaethernet 2/52 ifg 10

Note. Since the interfaces ifg command is supported only on Gigabit interfaces, only the gigaethernet keyword should be used.

Configuring Flood Rates

The following subsections describe how to enable the maximum flood rate (see "Enabling the Maximum Flood Rate" on page 1-20), how to enable the maximum flood rate for multicast traffic (see "Enabling Maximum Flood Rate for Multicast Traffic" on page 1-20), and how to configure the flood rate on an entire switch (slot), a specific port, or a range of ports (see "Configuring Flood Rate Values" on page 1-21).

Configuring Flood Rate Values

By default, the flood rate is 42 Mbps on 10/100 ports and 496 Mbps on Gigabit ports. The interfaces flood rate command can be used to configure the peak flood rate value on a specific port, a range of ports, or all ports on a switch (slot) in megabits per second, ranging from 0 to 9 Mbps for Ethernet, 0 to 99 Mbps for Fast Ethernet, or 0 to 999 Mbps for Gigabit Ethernet.
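The guide states the peak flood rate as a number of megabits per second but does not describe the mechanism behind it. The Python block below is an added example (not code from the guide or from Alcatel) that models a per-port flood limit as a token bucket and drives it with constructed traffic, so you can see what a 100 Mbps broadcast storm looks like after a 42 Mbps limit: the bucket depth, the set of traffic classes that count as flooded, and the fixed 1000-byte frame size are all assumptions of the example. Two practical points follow from it: the limit bounds a broadcast storm to a predictable share of the port, and it applies equally to legitimate broadcast traffic such as ARP and DHCP, so a value set too low starves hosts of address resolution before it stops anything hostile.

```python
from dataclasses import dataclass
from typing import Optional

# Traffic classes a switch floods to every port in the VLAN (assumption: the guide does not
# list which classes the flood rate applies to).
FLOODED = {"broadcast", "multicast", "unknown-unicast"}


@dataclass
class FloodLimiter:
    """Token-bucket model of a per-port peak flood rate. Time is kept in microseconds, so a
    rate of N Mbps refills exactly N bits per microsecond and the arithmetic stays integral."""
    rate_mbps: int
    depth_bits: int = 80_000          # burst allowance: ten 1000-byte frames (assumption)
    tokens: Optional[int] = None
    last_us: int = 0

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = self.depth_bits

    def admit(self, now_us: int, size_bytes: int, kind: str) -> bool:
        if kind not in FLOODED:
            return True               # known unicast is forwarded, not flooded: never limited
        self.tokens = min(self.depth_bits, self.tokens + self.rate_mbps * (now_us - self.last_us))
        self.last_us = now_us
        cost = size_bytes * 8
        if self.tokens < cost:
            return False              # over the peak flood rate: the frame is dropped
        self.tokens -= cost
        return True


def offer(rate_mbps: int, offered_mbps: int, kind: str = "broadcast",
          size_bytes: int = 1000, duration_us: int = 1_000_000):
    """Offer back-to-back frames of one class at offered_mbps for duration_us.
    Returns (accepted, dropped, accepted_mbps)."""
    limiter = FloodLimiter(rate_mbps)
    gap_us = size_bytes * 8 // offered_mbps       # inter-frame spacing at the offered rate
    accepted = dropped = 0
    for t in range(0, duration_us, gap_us):
        if limiter.admit(t, size_bytes, kind):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, accepted * size_bytes * 8 / duration_us


if __name__ == "__main__":
    # Constructed load against a 10/100 port left at the default 42 Mbps flood rate.
    for load, kind in ((100, "broadcast"), (10, "broadcast"), (100, "unicast")):
        acc, drop, mbps = offer(42, load, kind)
        print(f"{kind:15s} offered {load:3d} Mbps -> accepted {acc:5d}, dropped {drop:5d}, {mbps:5.1f} Mbps")
```

With the storm offered at 100 Mbps the limiter passes just over 42 Mbps of it and drops the rest; the same broadcast load offered at 10 Mbps passes untouched, and known-unicast traffic is never limited.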
Configuring Auto Negotiation, Crossover, and Flow Control Settings

The following subsections describe how to enable and disable auto negotiation (see "Enabling and Disabling Auto Negotiation" on page 1-22), how to configure crossover settings (see "Configuring Crossover Settings" on page 1-23), and how to configure flow control (see "Enabling and Disabling Flow" on page 1-23).

Configuring Crossover Settings

To configure crossover settings on a single port, a range of ports, or an entire slot, use the interfaces crossover command. If auto negotiation is disabled, flow control, auto speed, and auto duplex are not accepted. Setting the crossover configuration to auto configures the interface or interfaces to automatically detect crossover settings.

Enabling and Disabling Flow

As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet before the slot number. For example, to enable flow control on port 3 on slot 2 and document the port as Fast Ethernet, enter:

-> interfaces fastethernet 2/3 flow enable

Note. If auto negotiation is disabled and then later enabled on an interface, the original flow setting is restored.

Verifying Ethernet Port Configuration

To display information about Ethernet port configuration settings, use the show commands listed below:

show interfaces flow control: Displays interface flow control wait time settings in nanoseconds.
show interfaces: Displays general interface information, such as hardware, MAC address, input and output errors.
show interfaces accounting: Displays interface accounting information.
2 Managing Source Learning

Transparent bridging relies on a process referred to as source learning to handle traffic flow. Network devices communicate by sending and receiving data packets that each contain a source MAC address and a destination MAC address. When packets are received on switch network interface (NI) module ports, source learning examines each packet and compares the source MAC address to entries in a MAC address database table.

Source Learning Specifications

RFCs supported: 2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
IEEE Standards supported: 802.1Q - Virtual Bridged Local Area Networks; 802.

Sample MAC Address Table Configuration

2 Assign switch ports 2 through 5 on slot 3 to VLAN 200 (if they are not already associated with VLAN 200) using the following command:

-> vlan 200 port default 3/2-5

3 Create a static MAC address entry using the following command to assign address 00:2d:95:5B:F3:0E to port 3/4 associated with VLAN 200 and to specify a timeout management status for the static address:

-> mac-address-table timeout 00:2d:95:5B:F3:0E 3/4 200

4 Change the MAC add

MAC Address Table Overview

Source learning builds and maintains the MAC address table on each switch. New MAC address table entries are created in one of two ways: they are dynamically learned or statically assigned. Dynamically learned MAC addresses are those that are obtained by the switch when source learning examines data packets and records the source address together with the port and VLAN it was learned on.

Using Static MAC Addresses

• If a packet received on a port associated with the same VLAN contains a source address that matches a static MAC address, the packet is discarded. The same source address on different ports within the same VLAN is not supported.
• If a static MAC address is configured on a port link that is down or disabled, an asterisk appears to the right of the MAC address in the show mac-address-table command display.

Configuring MAC Address Table Aging Time

Source learning also tracks MAC address age and removes addresses from the MAC address table that have aged beyond the aging timer value. When a device stops sending packets, source learning keeps track of how much time has passed since the last packet was received on the device's switch port. When this amount of time exceeds the aging time value, the MAC address is aged out of the MAC address table.
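The rules in this chapter (dynamic learning of source address plus port and VLAN, static entries that discard a matching source address arriving on another port in the same VLAN, and aging of idle entries) are small enough to model end to end. The Python block below is an added example, not code from the guide or from Alcatel; it treats the guide's `mac-address-table timeout` keyword as a static entry that still ages, in contrast to a permanent one, which is our reading of the keyword rather than something the page states, and the addresses and port names are constructed. The static-entry rule is the security-relevant one: pinning a server's address to its port in a VLAN means a host elsewhere in that VLAN that spoofs the server's source MAC gets its frames dropped instead of hijacking the table entry, which is what a plain dynamic entry would let it do.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    port: str
    kind: str        # "learned" (dynamic), "permanent" (static, never ages), "timeout" (static, ages)
    last_seen: float


class MacTable:
    """Toy model of the source-learning table, keyed by (VLAN, MAC). Added example; the
    'timeout' kind is our reading of the guide's `mac-address-table timeout` keyword."""

    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time
        self.entries: Dict[Tuple[int, str], Entry] = {}

    @staticmethod
    def _norm(mac: str) -> str:
        return mac.lower()

    def add_static(self, mac: str, port: str, vlan: int, kind: str = "permanent", now: float = 0.0):
        if kind not in ("permanent", "timeout"):
            raise ValueError("static entries are 'permanent' or 'timeout'")
        self.entries[(vlan, self._norm(mac))] = Entry(port, kind, now)

    def learn(self, src_mac: str, port: str, vlan: int, now: float) -> bool:
        """Apply source learning to one received frame. Returns False when the frame must be
        discarded because its source address is statically bound to another port in the VLAN."""
        key = (vlan, self._norm(src_mac))
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(port, "learned", now)   # first sighting: dynamic entry
            return True
        if entry.kind != "learned" and entry.port != port:
            return False                                      # static address seen on the wrong port
        if entry.kind == "learned":
            entry.port = port                                 # dynamic entries follow a station that moves
        entry.last_seen = now
        return True

    def age(self, now: float) -> int:
        """Remove entries idle for longer than the aging time; permanent entries never age."""
        expired = [k for k, e in self.entries.items()
                   if e.kind != "permanent" and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def lookup(self, mac: str, vlan: int) -> Optional[Tuple[str, str]]:
        e = self.entries.get((vlan, self._norm(mac)))
        return None if e is None else (e.port, e.kind)

    def count(self) -> Dict[str, int]:
        """Per-type totals, in the spirit of `show mac-address-table count`."""
        totals = {"learned": 0, "permanent": 0, "timeout": 0}
        for e in self.entries.values():
            totals[e.kind] += 1
        return totals


if __name__ == "__main__":
    # Constructed scenario: the static entry from the sample configuration, then a spoof attempt.
    t = MacTable(aging_time=300)
    t.add_static("00:2d:95:5B:F3:0E", "3/4", 200, kind="timeout", now=0)
    print("genuine host on 3/4 :", t.learn("00:2d:95:5b:f3:0e", "3/4", 200, now=10))
    print("spoofed from 3/5    :", t.learn("00:2d:95:5b:f3:0e", "3/5", 200, now=11))
    print("same MAC, VLAN 300  :", t.learn("00:2d:95:5b:f3:0e", "3/5", 300, now=11))
    print("expired after 312 s :", t.age(now=312), t.count())
```

Note that the VLAN is part of the key: the same address arriving on another port in a different VLAN is an ordinary dynamic entry, exactly as the "within the same VLAN" wording above implies.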
Displaying MAC Address Table Information

To display MAC address table entries, statistics, and aging time values, use the show commands listed below:

show mac-address-table: Displays a list of all MAC addresses known to the MAC address table, including static MAC addresses.
show mac-address-table count: Displays a count of the different types of MAC addresses (learned, permanent, reset, and timeout).
3 Configuring Learned Port Security

Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on Ethernet and Gigabit Ethernet ports. The only types of Ethernet ports that LPS does not support are link aggregate and tagged (trunked) link aggregate ports. Using LPS to control source MAC address learning provides the following benefits:

• A configurable source learning time limit that applies to all LPS ports.

Learned Port Security Specifications

RFCs supported: Not applicable at this time.
IEEE Standards supported: Not applicable at this time.
Ports eligible for Learned Port Security: Ethernet and Gigabit Ethernet ports (fixed, mobile, 802.1Q tagged, and authenticated ports).
Ports not eligible for Learned Port Security: Link aggregate ports; 802.1Q (trunked) link aggregate ports.

Sample Learned Port Security Configuration

This section provides a quick tutorial that demonstrates the following tasks:

• Enabling LPS on a set of switch ports.
• Defining the maximum number of learned MAC addresses allowed on an LPS port.
• Defining the time limit in which source learning is allowed on all LPS ports.
• Selecting a method for handling unauthorized traffic received on an LPS port.

Learned Port Security Overview

Learned Port Security (LPS) provides a mechanism for controlling network device access on one or more switch ports. Configurable LPS parameters allow the user to restrict the source learning of host MAC addresses to:

• A specific amount of time in which the switch allows source learning to occur on all LPS ports.
• A maximum number of learned MAC addresses allowed on the port.

How LPS Authorizes Source MAC Addresses

When a packet is received on a port that has LPS enabled, switch software checks the following criteria to determine if the source MAC address contained in the packet is allowed on the port:

• Is the source learning time window open?
• Is the number of MAC addresses learned on the port below the maximum number allowed?
• Is there a configured authorized MAC address entry for the LPS port that matches t

Static Configuration of Authorized MAC Addresses

It is also possible to statically configure authorized source MAC address entries into the LPS table. This type of entry behaves the same way as dynamically learned entries in that it authorizes port access to traffic that contains a matching source MAC address. Static source MAC address entries, however, take precedence over dynamically learned entries.

Enabling/Disabling Learned Port Security

By default, LPS is disabled on all switch ports. To enable LPS on a port, use the port-security command. For example, the following command enables LPS on port 1 of slot 4:

-> port-security 4/1 enable

To enable LPS on multiple ports, specify a range of ports or multiple slots.

Configuring the Number of MAC Addresses Allowed

By default, one MAC address is allowed on an LPS port. To change this number, enter port-security followed by the port's slot/port designation, then maximum followed by a number between 1 and 100.

Configuring an Authorized MAC Address Range

By default, each LPS port is set to a range of 00:00:00:00:00:00–ff:ff:ff:ff:ff:ff, which includes all MAC addresses. If this default is not changed, addresses received on LPS ports are subject only to the source learning time limit and the maximum number of MAC addresses allowed for the port.

Selecting the Security Violation Mode

By default, the security violation mode for an LPS port is set to restrict. In this mode, when an unauthorized source MAC address is received on an LPS port, the packet containing the address is blocked. However, all other packets containing an authorized source MAC address are still allowed on the port.
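The authorization criteria listed under "How LPS Authorizes Source MAC Addresses", together with the per-port maximum, the address range, the precedence of static entries and the restrict violation mode, form one decision procedure. The Python block below is an added example, not code from the guide or from Alcatel, that implements it for a set of constructed ports and addresses. Three things in it are assumptions rather than statements from the guide: the order in which the checks are applied, the use of "minutes since the switch came up" as the clock for the learning window, and the behaviour of the shutdown mode (modelled as taking the port administratively down until it is restored, which is what the later section "Restoring the Operational State of an LPS Port" suggests). Two caveats a practitioner will want: in restrict mode the offending frames are simply dropped, so the only way to notice an attempt is to watch the counters with show port-security; and the authorized range is not authentication, since any host can present an in-range source address, so the per-port maximum (default 1) is the control that actually limits how many stations, genuine or spoofed, a port will admit.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass
class LpsPort:
    max_macs: int = 1                               # guide default: one address per LPS port
    mac_low: int = 0                                # guide default range 00:00:00:00:00:00 ...
    mac_high: int = 0xFFFFFFFFFFFF                  # ... to ff:ff:ff:ff:ff:ff (every address)
    violation: str = "restrict"                     # guide default; "shutdown" is the alternative
    static: Set[int] = field(default_factory=set)   # statically configured authorized addresses
    learned: Set[int] = field(default_factory=set)
    admin_up: bool = True
    violations: int = 0


class Lps:
    def __init__(self, learn_window_minutes: Optional[int] = None):
        self.window = learn_window_minutes          # one limit for all LPS ports; None = no limit
        self.ports: Dict[str, LpsPort] = {}

    def enable(self, port: str, **settings) -> None:
        self.ports[port] = LpsPort(**settings)

    def add_static(self, port: str, mac: str) -> None:
        self.ports[port].static.add(mac_int(mac))

    def restore(self, port: str) -> None:
        """Bring a port that shutdown mode took down back into service."""
        self.ports[port].admin_up = True

    def authorize(self, port: str, src_mac: str, minutes_up: int) -> Tuple[str, bool]:
        """Decide whether a frame's source MAC is allowed on the port. Returns (reason, allowed)."""
        p = self.ports.get(port)
        if p is None:
            return ("not-lps", True)                # ordinary port: plain source learning applies
        if not p.admin_up:
            return ("port-down", False)
        mac = mac_int(src_mac)
        if mac in p.static or mac in p.learned:
            return ("authorized", True)             # static entries take precedence; known stays known
        if self.window is not None and minutes_up > self.window:
            return self._violate(p, "window-closed")
        if len(p.learned) >= p.max_macs:
            return self._violate(p, "max-macs")
        if not p.mac_low <= mac <= p.mac_high:
            return self._violate(p, "out-of-range")
        p.learned.add(mac)
        return ("learned", True)

    @staticmethod
    def _violate(p: LpsPort, reason: str) -> Tuple[str, bool]:
        p.violations += 1
        if p.violation == "shutdown":
            p.admin_up = False                      # assumption: shutdown mode disables the port
        return (reason, False)                      # restrict mode: only this frame is dropped


if __name__ == "__main__":
    # Constructed scenario: a 20-minute learning window, port 4/1 limited to two addresses
    # from one vendor block, port 4/2 in shutdown mode with one static entry.
    lps = Lps(learn_window_minutes=20)
    lps.enable("4/1", max_macs=2, mac_low=mac_int("00:20:da:00:00:00"), mac_high=mac_int("00:20:da:ff:ff:ff"))
    lps.enable("4/2", violation="shutdown")
    lps.add_static("4/2", "00:20:da:00:00:aa")
    for port, mac, minute in (("4/1", "00:20:da:00:00:01", 5), ("4/1", "00:0c:29:aa:bb:cc", 7),
                              ("4/1", "00:20:da:00:00:02", 8), ("4/1", "00:20:da:00:00:03", 9),
                              ("4/2", "00:20:da:00:00:09", 25), ("4/2", "00:20:da:00:00:aa", 26)):
        print(f"{port} {mac} at minute {minute:2d}: {lps.authorize(port, mac, minute)}")
```

Running the sample shows the third vendor address on 4/1 being refused once two are learned, the out-of-range address being refused while the window is still open, and the single violation on 4/2 taking the port down so that even its static entry is refused until restore is called.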
Displaying Learned Port Security Information
To display LPS port and table information, use the show commands listed below:
show port-security            Displays Learned Port Security configuration values as well as MAC addresses learned on the port.
show port-security shutdown   Displays the current time limit value set for source learning on all LPS enabled ports.
Displaying Learned Port Security Information page 3-12 Configuring Learned Port Security OmniSwitch 6600 Family Network Configuration Guide April 2005
4 Configuring VLANs
In a flat bridged network, a broadcast domain is confined to a single LAN segment or even a specific physical location, such as a department or building floor. In a switch-based network, such as one made up of Alcatel switching systems, a broadcast domain (or VLAN) can span multiple physical switches and can include ports from a variety of media types.
VLAN Specifications
RFCs Supported              2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
IEEE Standards Supported    802.1Q - Virtual Bridged Local Area Networks
                            802.
Sample VLAN Configuration
The following steps provide a quick tutorial that will create VLAN 255 on a stack configuration that includes four switches. Also included are steps to define a VLAN description, IP router interface, and static switch port assignments.
Note. Optional. Creating a new VLAN involves specifying a VLAN ID that is not already assigned to an existing VLAN. To determine if a VLAN already exists in the switch configuration, enter show vlan.
To verify that ports 3/2-4 were assigned to VLAN 255, use the show vlan port command.
VLAN Management Overview
One of the main benefits of using VLANs to segment network traffic is that VLAN configuration and port assignment are handled through switch software. This eliminates the need to physically change a network device connection or location when adding or removing devices from the VLAN broadcast domain. The VLAN management software handles the following VLAN configuration tasks performed on an Alcatel switch:
• Creating or modifying VLANs.
Creating/Modifying VLANs
The initial configuration for all Alcatel switches consists of a default VLAN 1, and all switch ports are initially assigned to this VLAN. When a switching module is added to the switch, the module’s physical ports are also assigned to VLAN 1. If additional VLANs are not configured on the switch, then the entire switch is treated as one large broadcast domain. All ports will receive all traffic from all other ports.
Enabling/Disabling the VLAN Administrative Status
To enable or disable the administrative status for an existing VLAN, enter vlan followed by an existing VLAN ID and either enable or disable.
-> vlan 755 disable
-> vlan 255 enable
When the administrative status for a VLAN is disabled, VLAN port assignments are retained but traffic is not forwarded on these ports.
Changing the Default VLAN Assignment for a Port
To assign a switch port to a new default VLAN, enter vlan followed by an existing VLAN ID number, port default, then the slot/port designation. For example, the following command assigns port 5 on slot 2 to VLAN 955:
-> vlan 955 port default 2/5
All ports initially belong to default VLAN 1. When the vlan port default command is used, the port’s default VLAN assignment is changed to the specified VLAN.
Configuring VLAN Rule Classification
VLAN rule classification triggers dynamic VLAN port assignment when traffic received on a mobile port matches the criteria defined in a VLAN rule. Different rule types are available for classifying different types of network device traffic. It is possible to define multiple rules for one VLAN and rules for multiple VLANs.
Enabling/Disabling VLAN Mobile Tag Classification
Use the vlan mobile-tag command to enable or disable the classification of mobile port packets based on the 802.1Q VLAN ID tag. For example, the following commands enable the mobile tag attribute for VLAN 1525 and disable it for VLAN 224:
-> vlan 1525 mobile-tag enable
-> vlan 224 mobile-tag disable
If a mobile port that is statically assigned to VLAN 10 receives an 802.
Enabling/Disabling Spanning Tree for a VLAN
When a VLAN is created, an 802.1D standard Spanning Tree Algorithm and Protocol (STP) instance is enabled for the VLAN by default. The spanning tree operating mode set for the stack determines how VLAN ports are evaluated to identify redundant data paths.
Enabling/Disabling VLAN Authentication
Layer 2 authentication uses VLAN membership to grant access to network resources. Authenticated VLANs control membership through a log-in process; this is sometimes called user authentication. A VLAN must have authentication enabled before it can participate in the Layer 2 authentication process. To enable/disable authentication on an existing VLAN, use the vlan authentication command.
Bridging VLANs Across Multiple Switches
To create a VLAN bridging domain that extends across multiple switches:
1 Create a VLAN on each switch with the same VLAN ID number (e.g., VLAN 10).
2 If using mobile ports for end user device connections, define VLAN rules that will classify mobile port traffic into the VLAN created in Step 1.
3 On each switch, assign the ports that will provide connections to other switches to the VLAN created in Step 1.
The connection between Stack C and D is shown with a broken line because the ports that provide this connection are in a blocking state. Spanning Tree is active by default on all stacks, VLANs and ports. The Spanning Tree algorithm determined that if all connections between stacks were active, a network loop would exist that could cause unnecessary broadcast traffic on the network. The path between Stack C and D was shut down to avoid such a loop.
5 Configuring Spanning Tree Parameters
The Spanning Tree Algorithm and Protocol (STP) is a self-configuring algorithm that maintains a loop-free topology while providing data path redundancy and network scalability. Based on the IEEE 802.1D standard, the Alcatel STP implementation distributes the Spanning Tree load between the Chassis Management Module (CMM) and the Network Interface modules (NIs).
Spanning Tree Specifications
IEEE Standards supported                   802.1D–Media Access Control (MAC) Bridges
                                           802.1w–Rapid Reconfiguration (802.1D Amendment 2)
                                           802.1Q–Virtual Bridged Local Area Networks
                                           802.1s–Multiple Spanning Trees (802.1Q Amendment 3)
Spanning Tree Operating Modes supported    Flat mode - one spanning tree instance per switch
                                           1x1 mode - one spanning tree instance per VLAN
Spanning Tree Protocols supported          802.
Spanning Tree Port Parameter Defaults
Parameter Description                      Command                        Default
Spanning Tree port administrative state    bridge slot/port               Enabled
Spanning Tree port priority value          bridge slot/port priority      7
Spanning Tree port path cost               bridge slot/port path cost     0 (cost is based on port speed)
Path cost mode                             bridge path cost mode          Auto (16-bit in 1x1 mode and 802.1D or 802.1w flat mode, 32-bit in 802.
Spanning Tree Overview
Alcatel switches support the use of the 802.1D Spanning Tree Algorithm and Protocol (STP), the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), and the 802.1s Multiple Spanning Tree Protocol (MSTP). RSTP expedites topology changes by allowing blocked ports to transition directly into a forwarding state, bypassing the listening and learning states.
Role              Port/Bridge Properties
Alternate Port    Any operational port that is not the root port for its bridge and whose bridge is not the designated bridge for the LAN. An alternate port offers an alternate path to the root bridge if the root port on its own bridge goes down.
Disabled Port     The port is not operational. If an active connection does come up on the port, it is assigned an appropriate role.
Note.
Root ID           The Bridge ID for the bridge that this bridge believes is the root.
Root Path Cost    The sum of the Path Costs that lead from the root bridge to this bridge port. The Path Cost is a configurable parameter value. The IEEE 802.1D standard specifies a default value that is based on port speed. See “Configuring Port Path Cost” on page 5-23 for more information.
2 The best root path cost.
3 If root path costs are equal, the bridge ID of the bridge sending the BPDU.
4 If the previous three values tie, then the port ID (lowest priority value, then lowest port number).
When a topology change occurs, such as when a link goes down or a switch is added to the network, the affected bridge sends a Topology Change Notification (TCN) BPDU to the designated bridge for its LAN.
The following diagram shows the logical connectivity of the same physical topology as determined by the Spanning Tree Algorithm.
Spanning Tree Operating Modes
The switch can operate in one of two Spanning Tree modes: flat and 1x1. Both modes apply to the entire switch and determine whether a single Spanning Tree instance is applied across multiple VLANs (flat mode) or a single instance is applied to each VLAN (1x1 mode). By default, a switch is running in the 1x1 mode when it is first turned on.
[Figure: Flat Spanning Tree Example. A switch running flat STP with port 8/3 (default VLAN 2), port 10/5 (default VLAN 20), port 1/2 (default VLAN 5, VLAN 10 tagged) and port 2/5 (default VLAN 5, VLAN 6 tagged).]
In the above example, if port 8/3 connects to another switch and port 10/5 connects to that same switch, the Spanning Tree Algorithm would detect a redundant path and transition one of the ports into a blocking state. The same holds true for the tagged ports.
The following diagram shows a switch running in the 1x1 Spanning Tree mode and shows Spanning Tree participation for both fixed and tagged ports.
[Figure: 1x1 Spanning Tree example. Labels: STP 2, STP 3, STP 4; port 1/3 (default VLAN 5), port 1/5 (default VLAN 10, VLAN 2 tagged), port 2/5 (default VLAN 2, VLAN 10 tagged), port 2/3 (default VLAN 5), port 1/4 (default VLAN 2), port 2/4 (default VLAN 2).]
1x1 (single and 802.
Configuring Spanning Tree Bridge Parameters
The Spanning Tree software is active on all switches by default and uses default bridge and port parameter values to calculate a loop-free topology. It is only necessary to configure these parameter values to change how the topology is calculated and maintained.
Note that explicit commands using the cist and msti keywords are required to define an MSTP (802.1s) configuration. Implicit commands are only allowed for defining STP or RSTP configurations. See Chapter 6, “Using 802.1s Multiple Spanning Tree,” for more information about these keywords and using implicit and explicit commands. The following is a summary of Spanning Tree bridge configuration commands.
The following sections provide information and procedures for using implicit bridge configuration commands and also include explicit command examples.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree commands is captured.
Note. Configuring a Spanning Tree bridge instance with a priority value that will cause the instance to become the root is recommended, instead of relying on the comparison of switch base MAC addresses to determine the root.
If the switch is running in the 1x1 Spanning Tree mode, then a priority value is assigned to each VLAN instance.
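The root bridge election and the four-step BPDU comparison from the Spanning Tree overview, together with the effect of the bridge priority recommended in the note above, as an added Python model (not code from the guide). The switch base MAC addresses are constructed; the default path costs are the 802.1D values this chapter quotes, and the 32768 default bridge priority is the OmniSwitch default.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# IEEE 802.1D 16-bit default path costs quoted in this chapter, keyed by Mbps.
DEFAULT_PATH_COST = {100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True, order=True)
class BridgeId:
    """802.1D Bridge ID: the configurable priority, then the base MAC address
    as tie-breaker. Tuple ordering gives 'lower is better' for free."""
    priority: int           # OmniSwitch default is 32768
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId            # the bridge the sender believes is the root
    root_path_cost: int       # the sender's own cost to that root
    sender: BridgeId          # bridge that transmitted this BPDU
    port_id: Tuple[int, int]  # (port priority, port number) on the sender


def elect_root(bridges: Iterable[BridgeId]) -> BridgeId:
    """The root bridge is the one with the lowest Bridge ID. Because priority
    is compared first, a configured low priority beats any base MAC address,
    which is why the guide recommends setting it rather than relying on MACs."""
    return min(bridges)


def bpdu_rank(bpdu: Bpdu, local_port_cost: int):
    """Ordering key for the BPDUs heard on one bridge, in the guide's order:
    1 lowest root bridge ID, 2 lowest root path cost (the sender's cost plus
    the cost of the port the BPDU arrived on), 3 lowest sender bridge ID,
    4 lowest port ID."""
    return (bpdu.root, bpdu.root_path_cost + local_port_cost, bpdu.sender, bpdu.port_id)


def select_root_port(received: Dict[str, Tuple[Bpdu, int]]) -> str:
    """received maps a local port name to (best BPDU heard on it, path cost of
    that local port). Returns the port that becomes this bridge's root port."""
    return min(received, key=lambda p: bpdu_rank(*received[p]))


def port_path_cost(link_mbps: int, configured: int = 0) -> int:
    """A configured cost of 0 (the default) means 'derive it from link speed'."""
    return configured if configured else DEFAULT_PATH_COST[link_mbps]


# Constructed sample: four switches as in this chapter's sample configuration,
# with made-up base MAC addresses. Switch D has the highest MAC but is given
# priority 10 (bridge 255 priority 10), so it must win the election.
SWITCH_A = BridgeId(32768, "00:d0:95:00:00:01")
SWITCH_B = BridgeId(32768, "00:d0:95:00:00:02")
SWITCH_C = BridgeId(32768, "00:d0:95:00:00:03")
SWITCH_D = BridgeId(10, "00:d0:95:00:00:04")


def sample_election() -> BridgeId:
    return elect_root([SWITCH_A, SWITCH_B, SWITCH_C, SWITCH_D])


def sample_root_port() -> str:
    """Switch B hears the root (D) directly over a 100 Mbps link on port 2/1
    and via switch C over a 1 Gbps link on port 3/1; the cheaper total wins."""
    heard = {
        "2/1": (Bpdu(SWITCH_D, 0, SWITCH_D, (7, 1)), port_path_cost(100)),
        "3/1": (Bpdu(SWITCH_D, port_path_cost(1000), SWITCH_C, (7, 8)), port_path_cost(1000)),
    }
    return select_root_port(heard)
```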
Note that lowering the hello time interval improves the robustness of the Spanning Tree algorithm. Increasing the hello time interval lowers the overhead of Spanning Tree processing. If the switch is running in the 1x1 Spanning Tree mode, then a hello time value is defined for each VLAN instance. If the switch is running in the flat Spanning Tree mode, then a hello time value is defined for the single flat mode instance.
The explicit bridge 1x1 max age command configures the max age time for a VLAN instance when the switch is running in either mode (1x1 or flat). For example, the following command performs the same function as the command in the previous example:
-> bridge 1x1 455 max age 10
To change the max age time value for the flat mode instance, use either the bridge max age command or the bridge cist max age command.
-> bridge forward delay 10
-> bridge cist forward delay 10
As in previous releases, it is possible to configure the flat mode instance with the bridge forward delay command by specifying 1 as the instance number (e.g., bridge 1 forward delay 30). However, this is only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Configuring Spanning Tree Port Parameters
The following sections provide information and procedures for using CLI commands to configure STP port parameters. These parameters determine the behavior of a port for a specific VLAN Spanning Tree instance (1x1 STP mode) or for a single Spanning Tree instance applied to the entire switch (flat STP mode).
The following is a summary of Spanning Tree port configuration commands. For more information about these commands, see the OmniSwitch CLI Reference Guide.
Commands            Type        Used for ...
bridge slot/port    Implicit    Configuring the port Spanning Tree status for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.
The following sections provide information and procedures for using implicit Spanning Tree port configuration commands and also include explicit command examples.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree commands is captured.
To enable or disable the Spanning Tree status for a link aggregate, use the bridge slot/port commands described above but specify a link aggregate control number instead of a slot and port.
STP or RSTP protocols are in use. See Chapter 6, “Using 802.1s Multiple Spanning Tree,” for more information.
Port Priority on Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead, the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical ports.
Link Speed    IEEE 802.1D Recommended Value
1 Gbps        4
10 Gbps       2
By default, Spanning Tree is enabled on a port and the path cost is set to zero. If the switch is running in the 1x1 Spanning Tree mode, then the port path cost applies to the specified VLAN instance associated with the port. If the switch is running in the flat Spanning Tree mode, then the port path cost applies across all VLANs associated with the port.
Path Cost for Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead, the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical ports. By default, Spanning Tree is enabled on the aggregate logical link and the path cost value is set to zero.
[Table: Default Path Cost Value by Link Speed and Aggregate Size (number of links); the row values could not be recovered from this extraction.]
To change the path cost value for a link aggregate, use the bridge slot/port path cost commands described above, but specify a link aggregate control number instead of a slot and port.
Mode for Link Aggregate Ports
Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm. Instead, the algorithm is applied to the aggregate logical link (virtual port) that represents a collection of physical ports. To change the port mode for a link aggregate, use the bridge slot/port mode commands described above, but specify a link aggregate control number instead of a slot and port.
To change the port connection type for a VLAN instance, specify a VLAN ID with the bridge slot/port connection command when the switch is running in the 1x1 mode. For example, the following command defines an edge port connection type for port 8/1 associated with VLAN 10.
Sample Spanning Tree Configuration
This section provides an example network configuration in which Spanning Tree has calculated a loop-free topology. In addition, a tutorial is included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).
• Ports 2/1-3, 2/8-10, 3/1-3, and 3/8-10 provide connections to other switches and are all assigned to VLAN 255 on their respective switches. The Spanning Tree administrative status for each port is enabled by default.
• The path cost for each port connection defaults to a value based on the link speed. For example, the connection between Switch B and Switch C is a 100 Mbps link, which defaults to a path cost of 19.
-> bridge 255 priority 10
VLAN 255 on Switch D will have the lowest Bridge ID priority value of all four switches, which will qualify it as the Spanning Tree root VLAN for the VLAN 255 broadcast domain.
Note.
To verify the VLAN 255 Spanning Tree configuration on each switch, use the following show commands.
Verifying the Spanning Tree Configuration
To display information about the Spanning Tree configuration on the switch, use the show commands listed below:
show spantree          Displays VLAN Spanning Tree information, including parameter values and topology change statistics.
show spantree ports    Displays Spanning Tree information for switch ports, including parameter values and the current port state.
6 Using 802.1s Multiple Spanning Tree
The Alcatel Multiple Spanning Tree (MST) implementation provides support for the IEEE 802.1s Multiple Spanning Tree Protocol (MSTP). In addition to the 802.1D Spanning Tree Algorithm and Protocol (STP) and the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), MSTP also ensures that there is always only one data path between any two switches for a given Spanning Tree instance to prevent network loops. MSTP is an enhancement to the 802.
MST Specifications
IEEE Standards supported                   802.1D–Media Access Control (MAC) Bridges
                                           802.1w–Rapid Reconfiguration (802.1D Amendment 2)
                                           802.1Q–Virtual Bridged Local Area Networks
                                           802.1s–Multiple Spanning Trees (802.1Q Amendment 3)
Spanning Tree Operating Modes supported    Flat mode - one spanning tree instance per switch
                                           1x1 mode - one spanning tree instance per VLAN
Spanning Tree Protocols supported          802.
Spanning Tree Port Parameter Defaults
Parameter Description                      Command                        Default
Spanning Tree port administrative state    bridge slot/port               Enabled
Spanning Tree port priority value          bridge slot/port priority      7
Spanning Tree port path cost.
MST General Overview
The Multiple Spanning Tree (MST) feature allows for the mapping of one or more VLANs to a single Spanning Tree instance, referred to as a Multiple Spanning Tree Instance (MSTI), when the switch is running in the flat Spanning Tree mode. MST uses the Multiple Spanning Tree Algorithm and Protocol (MSTP) to define the Spanning Tree path for each MSTI. In addition, MSTP provides the ability to group switches into MST Regions.
[Figure: 1x1 Mode STP/RSTP. Two switches; labels: VLAN 100 on ports 3/1, 2/1, 4/2, 5/1; VLAN 200 on ports 4/8, 5/2.]
In the above 1x1 mode example:
• Both switches are running in the 1x1 mode (one Spanning Tree instance per VLAN).
• VLAN 100 and VLAN 200 are each associated with their own Spanning Tree instance.
[Figure: Flat Mode MSTP (802.1s). Two switches; labels: VLAN 100 and VLAN 150 under CIST-0, VLAN 200 and VLAN 250 under MSTI-2; ports 3/1, 2/1, 4/2, 5/1, 5/2, 3/6, 4/8, 2/12.]
In the above flat mode MSTP example:
• Both switches are running in the flat mode and using MSTP.
• VLANs 100 and 150 are not associated with an MSTI. By default they are controlled by the CIST instance 0, which exists on every switch.
Comparing MSTP with STP and RSTP
MSTP (802.1s) has the following in common with the STP (802.1D) and RSTP (802.1w) protocols:
• Each protocol ensures one data path between any two switches within the network topology. This prevents network loops from occurring while at the same time allowing for redundant path configuration.
What is a Multiple Spanning Tree Region
A Multiple Spanning Tree region represents a group of 802.1s switches. An MST region appears as a single, flat mode instance to switches outside the region. A switch can belong to only one region at a time. The region a switch belongs to is identified by the following configurable attributes, as defined by the IEEE 802.1s standard:
• Region name–An alphanumeric string up to 32 characters.
number of hops for the region, however, is not one of the attributes that defines whether or not a switch is a member of a region. See “Quick Steps for Configuring an MST Region” on page 6-14 for a tutorial on how to configure MST region parameters.
MST Configuration Overview
The following general steps are required to set up a Multiple Spanning Tree (MST) configuration:
• Select the flat Spanning Tree mode. By default, each switch runs in the 1x1 mode. MSTP is only supported on a flat mode switch. See “Understanding Spanning Tree Modes” on page 6-11 for more information.
• Select the 802.1s protocol. By default, each switch uses the 802.1D protocol. Selecting 802.
Implicit commands resemble previously implemented Spanning Tree commands, but apply to the appropriate instance based on the current mode and protocol that is active on the switch. For example, if the 1x1 mode is active, the instance number specified with the following command implies a VLAN ID:
-> bridge 255 priority 16384
If the flat mode is active, the single flat mode instance is implied and thus configured by the command.
MST Interoperability and Migration
Connecting an MSTP (802.1s) switch to a non-MSTP flat mode switch is supported. Since the Common and Internal Spanning Tree (CIST) controls the flat mode instance on both switches, STP or RSTP can remain active on the non-MSTP switch within the network topology. An MSTP switch is part of a Multiple Spanning Tree (MST) Region, which appears as a single, flat mode instance to the non-MSTP switch.
Migrating from 1x1 Mode to Flat Mode MSTP
As previously described, the 1x1 mode is an Alcatel proprietary implementation that applies one Spanning Tree instance to each VLAN. For example, if five VLANs exist on the switch, then there are five Spanning Tree instances active on the switch, unless Spanning Tree is disabled on one of the VLANs.
Quick Steps for Configuring an MST Region
An MST region identifies a group of MSTP (802.1s) switches that is seen as a single, flat mode instance by other regions and/or non-MSTP switches. A region is defined by three attributes: name, revision level, and a VLAN-to-MSTI mapping. Switches configured with the same value for all three of these attributes belong to the same MST region.
3 Map VLANs 100 and 200 to MSTI 2 and VLANs 300 and 400 to MSTI 4 using the bridge msti vlan command to define the configuration digest. For example:
-> bridge msti 2 vlan 100 200
-> bridge msti 4 vlan 300 400
See “Quick Steps for Configuring MSTIs” on page 6-16 for a tutorial on how to create and map MSTIs to VLANs.
4 Configure 3 as the maximum number of hops for the region using the bridge mst region max hops command.
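How the three region attributes (name, revision level and the VLAN-to-MSTI mapping) decide region membership, as an added Python example that is not code from the guide. The guide says the bridge msti vlan mappings define the configuration digest; IEEE 802.1s computes that digest as HMAC-MD5 over a 4096-entry table of 16-bit MSTIDs with a fixed, published key, which is what this example implements. The region name and the mappings are constructed from the quick steps above.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable

# Fixed key defined by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_to_msti_table(mapping: Dict[int, Iterable[int]]) -> bytes:
    """Build the 4096-entry table of 16-bit MSTIDs (index = VLAN ID). VLANs
    that are not mapped stay at 0, i.e. under the CIST, as the guide says."""
    table = bytearray(4096 * 2)
    for msti, vlans in mapping.items():
        if not 1 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def configuration_digest(mapping: Dict[int, Iterable[int]]) -> bytes:
    """HMAC-MD5 of the table under the fixed key: 16 bytes that summarise the
    whole mapping so switches can compare it in a single BPDU field."""
    return hmac.new(MST_DIGEST_KEY, vlan_to_msti_table(mapping), hashlib.md5).digest()


@dataclass(frozen=True)
class MstRegionId:
    name: str          # region name attribute (up to 32 characters)
    revision: int      # revision level attribute
    digest: bytes      # derived from the bridge msti N vlan ... mappings


def region_identity(name: str, revision: int, mapping: Dict[int, Iterable[int]]) -> MstRegionId:
    if len(name) > 32:
        raise ValueError("region name is limited to 32 characters")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level is a 16-bit value")
    return MstRegionId(name, revision, configuration_digest(mapping))


def same_region(a: MstRegionId, b: MstRegionId) -> bool:
    """Two switches share a region only if all three attributes are equal."""
    return a == b


# Constructed sample mirroring the quick steps: VLANs 100/200 on MSTI 2 and
# VLANs 300/400 on MSTI 4 (bridge msti 2 vlan 100 200; bridge msti 4 vlan 300 400).
SWITCH_A = region_identity("alcatel-region", 1, {2: [100, 200], 4: [300, 400]})
SWITCH_B = region_identity("alcatel-region", 1, {4: [400, 300], 2: [200, 100]})  # same mapping, different order
SWITCH_C = region_identity("alcatel-region", 1, {2: [100, 200], 4: [300]})       # VLAN 400 left on the CIST
```

A switch whose digest differs by a single VLAN, like SWITCH_C, forms a region of its own and is seen by the others as an external flat mode instance.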
Quick Steps for Configuring MSTIs
By default the Spanning Tree software is active on all switches and operating in the 1x1 mode using the standard 802.1D STP. As a result, a loop-free network topology is automatically calculated based on default 802.1D Spanning Tree switch, bridge, and port parameter values.
The following commands assign ports 2/1, 5/1, 5/2, and 3/6 to VLANs 100, 150, 200, and 250 on Switch B:
-> vlan 100 port default 2/1
-> vlan 150 port default 5/1
-> vlan 200 port default 5/2
-> vlan 250 port default 3/6
5 Create one MSTI using the bridge msti command. For example:
-> bridge msti 1
6 Assign VLANs 200 and 250 to MSTI 1.
Note that of the two data paths available to MSTI 1 VLANs, one is still blocked because it is seen as redundant for that instance. In addition, the CIST data path still remains available for CIST VLAN traffic. Another solution to this scenario is to assign all VLANs to an MSTI, leaving no VLANs controlled by the CIST. As a result, the CIST BPDU will only contain MSTI information. See “How MSTP Works” on page 6-4 for more information.
Verifying the MST Configuration
To display information about the MST configuration on the switch, use the show commands listed below:
show spantree cist    Displays the Spanning Tree bridge configuration for the flat mode Common and Internal Spanning Tree (CIST) instance.
show spantree msti    Displays Spanning Tree bridge information for an 802.1s Multiple Spanning Tree Instance (MSTI).
7 Assigning Ports to VLANs
Initially all switch ports are non-mobile and are assigned to VLAN 1, which is also their configured default VLAN. When additional VLANs are created on the switch, ports are assigned to the VLANs so that traffic from devices connected to these ports is bridged within the VLAN domain. Switch ports are either statically or dynamically assigned to VLANs.
Port Assignment Specifications
IEEE Standards Supported                            802.1Q–Virtual Bridged Local Area Networks
                                                    802.1D–Media Access Control Bridges
Maximum VLANs per switch                            4094 (including default VLAN 1)
Maximum VLAN port associations                      32768
Switch ports eligible for port mobility             Untagged 10/100 Ethernet and gigabit ports that are not members of a link aggregate.
Switch ports eligible for dynamic VLAN assignment   Mobile ports.
Sample VLAN Port Assignment
The following steps provide a quick tutorial that will create a VLAN, statically assign ports to the VLAN, and configure mobility on some of the VLAN ports:
1 Create VLAN 255 with a description (e.g.
Statically Assigning Ports to VLANs
The vlan port default command is used to statically assign both mobile and non-mobile ports to another VLAN. When the assignment is made, the port drops the previous VLAN assignment. For example, the following command assigns port 2 on slot 3, currently assigned to VLAN 1, to VLAN 755:
-> vlan 755 port default 3/2
Port 3/2 is now assigned to VLAN 755 and no longer associated with VLAN 1.
How Dynamic Port Assignment Works
Traffic received on mobile ports is classified using one of the following methods:
• The packet is tagged with a VLAN ID that matches the ID of another VLAN that has mobile tagging enabled. (See “VLAN Mobile Tag Classification” on page 7-5 for more information.)
• The packet contents match criteria defined in a VLAN rule. (See “VLAN Rule Classification” on page 7-8 for more information.)
Note.
In the initial VLAN port assignment configuration shown below:
• All three ports have workstations that are configured to send packets with an 802.1Q VLAN ID tag for three different VLANs (VLAN 2, 3, and 4).
• Mobility is enabled on each of the workstation ports.
• VLAN 1 is the configured default VLAN for each port.
• VLANs 2, 3, and 4 are configured on the switch, each with VLAN mobile tagging enabled.
[Figure: initial mobile tag classification example on an OmniSwitch 6648. Labels: VLAN 1 (default VLAN), VLAN 2 (IP network 130.0.0.0), VLAN 3 (IP network 138.0.0.0), VLAN 4 (IP network 140.0.0.0); Port 1 (130.0.0.1), Port 2 (138.0.0.1), Port 3 (140.0.0., address truncated in the source).]
VLAN Rule Classification
VLAN rule classification triggers dynamic VLAN port assignment when traffic received on a mobile port matches the criteria defined in a VLAN rule. Different rule types are available for classifying different types of network device traffic (see Chapter 8, “Defining VLAN Rules,” for more information).
[Figure: VLAN rule classification example on an OmniSwitch 6648. Labels: VLAN 1 (default VLAN), VLAN 2 (IP network 130.0.0.0), VLAN 3 (IP network 138.0.0.0), VLAN 4 (IP network 140.0.0.0); Port 1 (130.0.0.1), Port 2 (138.0.0.5), Port 3 (140.0.0., address truncated in the source).]
[Figure: resulting mobile port VLAN assignment on an OmniSwitch 6648. VLAN 1 is the default VLAN for Port 1, Port 2 and Port 3; VLAN 2 is IP network 130.0.0.0, VLAN 3 is IP network 138.0.0.0 and VLAN 4 is IP network 140.0.0.0; workstation addresses 130.0.0.1 and 138.0.0.1 appear on the ports.]
Enabling/Disabling Port Mobility

To enable mobility on a port, use the vlan port mobile command. For example, the following command enables mobility on port 1 of slot 4:

-> vlan port mobile 4/1

To enable mobility on multiple ports, specify a range of ports and/or multiple slots.

-> vlan port mobile 4/1-5 5/12-20 6/10-15

Use the no form of this command to disable port mobility.
When BPDU ignore is enabled and the mobile port receives a BPDU, the following occurs:
• The port retains its mobile status and remains eligible for dynamic VLAN assignment.
• The port is not included in the Spanning Tree algorithm.

Note. Enabling BPDU ignore is not recommended.
Understanding Mobile Port Properties

Dynamic assignment of mobile ports occurs without user intervention when mobile port traffic matches VLAN criteria.
VLAN Management software on each switch tracks VPAs. When a mobile port link is disabled and then enabled, all secondary VLAN assignments for that port are automatically dropped and the port’s original configured default VLAN assignment is restored. Switch ports are disabled when a device is disconnected from the port, a configuration change is made to disable the port, or switch power is turned off.
[Figure: default VLAN restore on a mobile port of an OmniSwitch 6648, showing Configured Default VLAN 1, Secondary VLAN 2 and Secondary VLAN 3. Captions: “Port assigned to default VLAN 1 or another VLAN using the vlan port default command.” “Port is assigned to other VLANs when its traffic matches their criteria.” “If restore default VLAN is enabled....”]
Configuring Mobile Port Properties

Mobile port properties indicate mobile port status and affect port behavior when the port is dynamically assigned to one or more VLANs. For example, mobile port properties determine the following:
• Should the configured default VLAN forward or discard port traffic that does not match any VLAN rule criteria.
Enable/Disable Default VLAN Restore

To enable or disable default VLAN restore, enter vlan port followed by the port’s slot/port designation, then default vlan restore followed by enable or disable. For example:

-> vlan port 3/1 default vlan restore enable
-> vlan port 5/2 default vlan restore disable

To enable or disable default VLAN restore on multiple ports, specify a range of ports and/or multiple slots.
Enable/Disable 802.1X Port-Based Access Control

To enable or disable 802.1X on a mobile port, enter vlan port followed by the port’s slot/port designation, then 802.1x followed by enable or disable. For example:

-> vlan port 3/1 802.1x enable
-> vlan port 5/2 802.1x disable

To enable or disable 802.1X on multiple ports, specify a range of ports and/or multiple slots.

-> vlan port 6/1-32 8/10-24 9/3-14 802.1x enable
-> vlan port 5/3-6 9/1-4 802.
Verifying VLAN Port Associations and Mobile Port Properties

To display a list of VLAN port assignments or the status of mobile port properties, use the show commands listed below:

show vlan port          Displays a list of VLAN port assignments, including the type and status for each assignment.
show vlan port mobile   Displays the mobile status and current mobile parameter values for each port.
The following example uses the show vlan port command to display VPA information for all ports in VLAN 200:

-> show vlan 200 port
 port    type      status
--------+---------+-------------
 3/24    default   inactive
 5/11    mobile    forwarding
 5/12    qtagged   blocking

The above example output provides the following information:
• VLAN 200 is the configured default VLAN for port 3/24, which is currently not active.
8 Defining VLAN Rules

VLAN rules are used to classify mobile port traffic for dynamic VLAN port assignment. Rules are defined by specifying a port, MAC address, protocol, network address, user-defined, binding, or DHCP criteria to capture certain types of network device traffic. It is also possible to define multiple rules for the same VLAN. A mobile port is assigned to a VLAN if its traffic matches any one VLAN rule.
VLAN Rules Specifications

IEEE Standards Supported             802.1Q–Virtual Bridged Local Area Networks
                                     802.1v–VLAN Classification by Protocol and Port
                                     802.1D–Media Access Control Bridges
Maximum number of VLANs per switch   4094
Maximum number of rules per VLAN     Unlimited
Maximum number of rules per switch   8129 of each rule type, except for a DHCP generic rule because only one is allowed per switch.
Sample VLAN Rule Configuration

The following steps provide a quick tutorial that creates an IP network address rule and a DHCP MAC range rule for VLAN 255, an IPX protocol rule for VLAN 355, and a MAC-IP-port binding rule for VLAN 1500. The remaining sections of this chapter provide further explanation of all VLAN rules and how they are defined.

1 Create VLAN 255 with a description (e.g.
VLAN Rules Overview

The mobile port feature available on the switch allows dynamic VLAN port assignment based on VLAN rules that are applied to mobile port traffic. When a port is defined as a mobile port, switch software compares traffic coming in on that port with configured VLAN rules. If any of the mobile port traffic matches any of the VLAN rules, the port and the matching traffic become a member of that VLAN.
DHCP Rules

Dynamic Host Configuration Protocol (DHCP) frames are sent from client workstations to request an IP address from a DHCP server. The server responds with the same type of frames, which contain an IP address for the client. If clients are connected to mobile ports, DHCP rules are used to classify this type of traffic for the purposes of transmitting and receiving DHCP frames to and from the server.
Binding Rules

Binding rules restrict VLAN assignment to specific devices by requiring that device traffic match all criteria specified in the rule. As a result, a separate binding rule is required for each device. An unlimited number of such rules, however, is allowed per VLAN and up to 8,129 of each rule type is allowed per switch. Although DHCP traffic is examined and processed first by switch software, binding rules take precedence over all other rules.
IP protocol rules also capture DHCP traffic, if no other DHCP rule exists that would classify the DHCP traffic into another VLAN. Therefore, it is not necessary to combine DHCP rules with IP protocol rules for the same VLAN.

Custom (User Defined) Rules

Custom rules determine VLAN assignment based on criteria defined by the user. The criteria consist of a specified pattern of data and a location where that data must exist within the frame.
Understanding VLAN Rule Precedence

In addition to configurable VLAN rule types, there are two internal rule types for processing mobile port frames. One is referred to as frame type and is used to identify Dynamic Host Configuration Protocol (DHCP) frames. The second internal rule is referred to as default and identifies frames that do not match any VLAN rules.

Note.
Precedence Step/Rule Type   Condition                                                                        Result
1. Frame Type               Frame is a DHCP frame.                                                           Go to Step 2.
                            Frame is not a DHCP frame.                                                       Skip Steps 2, 3, 4, and 5.
2. DHCP MAC                 DHCP frame contains a matching source MAC address.                               Frame source is assigned to the rule’s VLAN, but not learned.
3. DHCP MAC Range           DHCP frame contains a source MAC address that falls within a specified range of MAC addresses.   Frame source is assigned to the rule’s VLAN, but not learned.
4.

Precedence Step/Rule Type   Condition                                                                        Result
8. MAC-Port Binding         Frame contains a matching source MAC address and source port.                    Frame source is assigned to the rule’s VLAN.
                            Frame only contains a matching source MAC address; port does not match.          Frame is blocked; its source is not assigned to the rule’s VLAN.
                            Frame only contains a matching port; source MAC address does not match.          Frame is allowed; its source is not assigned to the rule’s VLAN.
9.

Precedence Step/Rule Type   Condition                                                                        Result
14. Network Address         Frame contains a matching IP subnet address, or                                  Frame source is assigned to the rule’s VLAN.
                            Frame contains a matching IPX network address.                                   Frame source is assigned to the rule’s VLAN.
15. Protocol                Frame contains a matching protocol type.                                         Frame source is assigned to the rule’s VLAN.
16. Custom (User Defined)   Frames contain data that matches customized rule criteria.
Configuring VLAN Rule Definitions

Refer to the following sections (listed in the order of rule precedence) for instructions on how to define each type of VLAN rule:

Rule                          See
DHCP MAC Address              “Defining DHCP MAC Address Rules” on page 8-12
DHCP MAC Range                “Defining DHCP MAC Range Rules” on page 8-13
DHCP Port                     “Defining DHCP Port Rules” on page 8-13
DHCP Generic                  “Defining DHCP Generic Rules” on page 8-14
MAC-Port-IP Address Binding
MAC-Port-Protocol Binding
MAC-Port Binding
MAC-I
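The precedence table and the rule list above describe an ordered evaluation, and the ordering decides which VLAN a host ends up in when several rules could apply. The following Python model is an added example, not Alcatel code and not taken from this guide: it walks a frame through the steps in the order the table gives (frame-type gate, DHCP steps, MAC-port binding with its three outcomes, then the remaining rule types, then the internal default rule). The protocol names, MAC and IP addresses are constructed, and placing the plain MAC range rule between the binding step and the network address step is an assumption, since steps 9 through 13 are not present in this extract.

```python
# Added example (not Alcatel code): a software model of the mobile-port rule
# precedence described above. The step order, the DHCP "not learned" outcome
# and the three MAC-port binding outcomes follow the table; placing the plain
# MAC range rule between the binding step and the network address step is an
# assumption (steps 9-13 are not in this extract). All addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

@dataclass
class Frame:
    src_mac: str
    port: str                      # slot/port the frame arrived on
    protocol: str                  # constructed names, e.g. "ip-e2", "ipx-e2"
    src_ip: Optional[str] = None
    is_dhcp: bool = False          # internal "frame type" rule

@dataclass
class Rule:
    kind: str
    vlan: int
    mac: Optional[str] = None
    mac_lo: Optional[str] = None   # MAC range rules
    mac_hi: Optional[str] = None
    port: Optional[str] = None
    network: Optional[str] = None  # e.g. "10.15.0.0/16"
    protocol: Optional[str] = None

@dataclass
class Verdict:
    vlan: Optional[int]            # None: no VLAN assigned by the rule
    blocked: bool = False          # binding rule blocked the frame
    learned: bool = True           # DHCP steps assign but do not learn the source

# Configurable rule kinds in precedence order: DHCP steps, binding, the rest.
PRECEDENCE = ["dhcp-mac", "dhcp-mac-range", "dhcp-port", "dhcp-generic",
              "mac-port", "mac-range", "network", "protocol"]

def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def in_mac_range(mac: str, lo: str, hi: str) -> bool:
    return mac_int(lo) <= mac_int(mac) <= mac_int(hi)

def apply_rule(r: Rule, f: Frame) -> Optional[Verdict]:
    """Verdict when the rule decides the frame, None to continue with later rules."""
    same_mac = r.mac is not None and f.src_mac.lower() == r.mac.lower()
    if r.kind == "dhcp-mac" and same_mac:
        return Verdict(r.vlan, learned=False)
    if r.kind == "dhcp-mac-range" and in_mac_range(f.src_mac, r.mac_lo, r.mac_hi):
        return Verdict(r.vlan, learned=False)
    if r.kind == "dhcp-port" and f.port == r.port:
        return Verdict(r.vlan, learned=False)   # "not learned" assumed for steps 4-5
    if r.kind == "dhcp-generic":
        return Verdict(r.vlan, learned=False)   # catches every remaining DHCP frame
    if r.kind == "mac-port":
        if same_mac and f.port == r.port:
            return Verdict(r.vlan)              # both match: assigned
        if same_mac:
            return Verdict(None, blocked=True)  # MAC matches, port does not: blocked
        return None                             # port only: allowed, not assigned
    if r.kind == "mac-range" and in_mac_range(f.src_mac, r.mac_lo, r.mac_hi):
        return Verdict(r.vlan)
    if r.kind == "network" and f.src_ip and IPv4Address(f.src_ip) in IPv4Network(r.network):
        return Verdict(r.vlan)
    if r.kind == "protocol" and f.protocol == r.protocol:
        return Verdict(r.vlan)
    return None

def classify(f: Frame, rules: List[Rule], default_vlan: int) -> Verdict:
    # Step 1 (frame type): a non-DHCP frame skips the DHCP steps altogether.
    order = PRECEDENCE if f.is_dhcp else [k for k in PRECEDENCE if not k.startswith("dhcp")]
    for kind in order:
        for r in rules:
            if r.kind == kind:
                v = apply_rule(r, f)
                if v is not None:
                    return v
    return Verdict(default_vlan)   # internal "default" rule: nothing matched

# Constructed rule set, modelled on the chapter's sample configuration.
RULES = [
    Rule("dhcp-mac-range", 255, mac_lo="00:00:da:00:00:00", mac_hi="00:00:da:ff:ff:ff"),
    Rule("mac-port", 1500, mac="00:00:da:59:0c:12", port="3/1"),
    Rule("network", 255, network="10.15.0.0/16"),
    Rule("protocol", 355, protocol="ipx-e2"),
]

def demo() -> dict:
    """Classify a handful of constructed frames against RULES (default VLAN 1)."""
    return {
        "bound":   classify(Frame("00:00:da:59:0c:12", "3/1", "ip-e2", "10.15.1.5"), RULES, 1),
        "blocked": classify(Frame("00:00:da:59:0c:12", "3/2", "ip-e2", "10.15.1.5"), RULES, 1),
        "dhcp":    classify(Frame("00:00:da:59:0c:12", "3/2", "ip-e2", "0.0.0.0", True), RULES, 1),
        "subnet":  classify(Frame("00:11:22:33:44:55", "3/1", "ip-e2", "10.15.7.9"), RULES, 1),
        "ipx":     classify(Frame("00:11:22:33:44:66", "5/1", "ipx-e2"), RULES, 1),
        "default": classify(Frame("00:11:22:33:44:77", "5/2", "ip-e2", "192.0.2.8"), RULES, 1),
    }
```

The "blocked" and "dhcp" cases are the ones worth studying: the same MAC on the wrong port is blocked by the binding rule for a non-DHCP frame, yet its DHCP frame is still classified by the DHCP MAC range step, because the table evaluates DHCP steps before the binding step.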
Defining DHCP MAC Range Rules

A DHCP MAC range rule is similar to a DHCP MAC address rule, but allows the user to specify a range of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential MAC addresses. One DHCP MAC range rule could serve the same purpose as 10 or 20 DHCP MAC address rules, requiring less work to configure.
Defining DHCP Generic Rules

DHCP generic rules capture all DHCP traffic that does not match an existing DHCP MAC or DHCP port rule. If none of these other rules exist, then all DHCP frames are captured regardless of the port they came in on or the frame’s source MAC address. Only one rule of this type is allowed per switch. To define a DHCP generic rule, enter vlan followed by an existing VLAN ID then dhcp generic.
How to Define a MAC-Port-IP Address Binding Rule

To define a MAC-port-IP address binding rule, enter vlan followed by an existing VLAN ID then binding mac-ip-port followed by a valid MAC address, IP address, and a slot/port designation. For example, the following command defines a MAC-port-IP binding rule for VLAN 255:

-> vlan 255 binding mac-ip-port 00:00:da:59:0c:12 21.0.0.
How to Define a MAC-Port Binding Rule

To define a MAC-port binding rule, enter vlan followed by an existing VLAN ID then binding mac-port followed by a valid MAC address and a slot/port designation.
How to Define a Port-Protocol Binding Rule

To define a port-protocol binding rule, enter vlan followed by an existing VLAN ID then binding port-protocol followed by a valid MAC address, a slot/port designation and a protocol type.
Defining MAC Range Rules

A MAC range rule is similar to a MAC address rule, but allows the user to specify a range of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential MAC addresses. One MAC range rule could serve the same purpose as 10 or 20 MAC address rules, requiring less work to configure.
Network Range                Class
1.0.0.0 - 126.0.0.0          A
128.1.0.0 - 191.254.0.0      B
192.0.1.0 - 223.255.254.0    C

Use the no form of the vlan ip command to remove an IP network address rule.

-> vlan 1200 no ip 134.10.0.0

Defining IPX Network Address Rules

IPX network address rules capture frames that contain an IPX network address and encapsulation that matches the IPX network and encapsulation specified in the rule.
Defining Protocol Rules

Protocol rules capture frames that contain a protocol type that matches the protocol value specified in the rule. There are several generic protocol parameter values to select from: IP Ethernet-II, IP SNAP, IPX Ethernet II, IPX Novell (802.3), IPX LLC (802.2), IPX SNAP, DECNet, and Appletalk.
Defining Custom (User) Rules

A custom rule captures mobile port frames that contain a specified pattern of data at a specified location. Custom rules require the user to specify the following parameter values:

Parameter   Definition
offset      A number between 0 and 72. Specifies the number of bytes into the frame where the pattern (value) is found.
value       A four byte hex value that specifies a pattern of data (e.g., 60020000).
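A custom rule is a byte comparison at a fixed position, so it is worth seeing exactly what "offset" and "value" are compared against. The following Python is an added example, not Alcatel code and not from this guide: it validates the two parameters against the limits in the table above and then tests rules against the raw bytes of constructed Ethernet frames. The sample frames, rule values and VLAN numbers are constructed; the chapter does not say how the switch treats a frame too short to contain the whole pattern, so treating that as no match is an assumption.

```python
# Added example (not Alcatel code): checking a custom (user defined) rule's
# offset/value pair against the raw bytes of a frame. The limits come from the
# table above (offset 0-72, value is a four-byte hex pattern); the frames and
# rule values below are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_OFFSET = 72      # page: offset is "a number between 0 and 72"
PATTERN_LEN = 4      # page: value is "a four byte hex value"


def is_valid_custom_rule(offset: int, value: str) -> bool:
    """True when offset and value satisfy the limits in the parameter table."""
    if not 0 <= offset <= MAX_OFFSET:
        return False
    try:
        return len(bytes.fromhex(value)) == PATTERN_LEN
    except ValueError:          # non-hex characters or an odd digit count
        return False


@dataclass(frozen=True)
class CustomRule:
    vlan: int
    offset: int        # bytes into the frame where the pattern must appear
    value: str         # eight hex digits, e.g. "60020000"

    def __post_init__(self) -> None:
        if not is_valid_custom_rule(self.offset, self.value):
            raise ValueError(f"invalid custom rule offset={self.offset} value={self.value}")

    def matches(self, frame: bytes) -> bool:
        # Compare the four bytes starting `offset` bytes into the frame; a frame
        # too short to hold the whole window cannot match (assumption).
        window = frame[self.offset:self.offset + PATTERN_LEN]
        return len(window) == PATTERN_LEN and window == bytes.fromhex(self.value)


def classify_custom(frame: bytes, rules: Iterable[CustomRule]) -> Optional[int]:
    """VLAN of the first matching custom rule, or None when no rule matches."""
    for rule in rules:
        if rule.matches(frame):
            return rule.vlan
    return None


def ethernet_frame(ethertype: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet II frame with fixed sample MAC addresses."""
    dst = bytes.fromhex("0000da000102")
    src = bytes.fromhex("0000da000304")
    return dst + src + ethertype + payload


# Constructed sample frames: an IPv4 packet (EtherType 0x0800, header starts
# 0x45 0x00) and an IPv6 packet (EtherType 0x86dd, header starts 0x60 0x00).
IPV4_FRAME = ethernet_frame(b"\x08\x00", b"\x45\x00" + b"\x00" * 40)
IPV6_FRAME = ethernet_frame(b"\x86\xdd", b"\x60\x00" + b"\x00" * 40)

# Offset 12 is the EtherType field of an untagged Ethernet II frame, so these
# patterns select on EtherType plus the first two bytes of the network header.
RULES = [CustomRule(vlan=100, offset=12, value="08004500"),
         CustomRule(vlan=200, offset=12, value="86dd6000")]
```

Because the offset counts from the start of the frame, a rule written for untagged frames lands four bytes early on an 802.1Q-tagged frame; keep that in mind when custom rules and tagged traffic share a mobile port.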
Application Example: DHCP Rules

This application example shows how Dynamic Host Configuration Protocol (DHCP) port and MAC address rules are used in a DHCP-based network. DHCP is built on a client-server model in which a designated DHCP server allocates network addresses and delivers configuration parameters to dynamically configured clients. Since DHCP clients initially have no IP address, assignment of these clients to a VLAN presents a problem.
The following table summarizes the VLAN architecture and rules for all devices in this network configuration. The diagram on the following page illustrates this network configuration.

Device          VLAN Membership   Rule Used/Router Role
DHCP Server 1   Test VLAN         IP network address rule=10.15.0.0
DHCP Server 2   Branch VLAN       IP network address rule=10.13.0.
[Figure: DHCP rules application example on an OmniSwitch 6648. Test VLAN (IP subnet 10.15.X.X) with Server 1 at 10.15.14.16 and Router 1 (no DHCP relay); Production VLAN (IP subnet 10.15.128.X) with Router 2 (DHCP relay on); Branch VLAN (IP subnet 10.13.X.) with Server 2 at 10.13.15.17; Clients 1 through 6 are each classified by a DHCP port rule.]
Verifying VLAN Rule Configuration

To display information about VLAN rules configured on the switch, use the show commands listed below:

show vlan rules   Displays a list of rules for one or all VLANs configured on the switch.

For more information about the resulting display from this command, see the OmniSwitch CLI Reference Guide. An example of the output for the show vlan rules command is also given in “Sample VLAN Rule Configuration” on page 8-3.
9 Using Interswitch Protocols

Alcatel Interswitch Protocols (AIP) are used to discover adjacent switches and retain mobile port information across switches. The following protocols are supported:
• Alcatel Mapping Adjacency Protocol (AMAP), which is used to discover the topology of OmniSwitches and OmniSwitch/Routers (Omni S/R). See “AMAP Overview” on page 9-3.
• Group Mobility Advertisement Protocol (GMAP), which is used to retain learned mobile port and protocol information.
AIP Specifications

Standards   Not applicable at this time. AMAP and GMAP are Alcatel proprietary protocols.
AMAP Overview

The Alcatel Mapping Adjacency Protocol (AMAP) is used to discover the topology of OmniSwitches or Omni S/Rs in a particular installation. Using this protocol, each switch determines which OmniSwitches or Omni S/Rs are adjacent to it by sending and responding to Hello update packets.
The transmission states are illustrated here.
Common Transmission and Remote Switches

If an AMAP switch is connected to multiple AMAP switches via a hub, the switch sends and receives Hello traffic to and from the remote switches through the same port. If one of the remote switches stops sending Hello packets and other remote switches continue to send Hello packets, the ports in the common transmission state will remain in the common transmission state.
Configuring the AMAP Common Timeout Interval

The common timeout interval is used only in the common transmission state to determine the time interval between sending Hello update packets. A switch sends an update for a port just before or after the common timeout interval expires.

Note. Switches avoid synchronization by jittering the common timeout interval plus or minus 10 percent of the configured value.
Displaying AMAP Information

Use the show amap command to view a list of adjacent switches and their associated MAC addresses, interfaces, VLANs, and IP addresses. For remote switches that stop sending Hello packets and that are connected via a hub, entries may take up to three times the common timeout interval to age out of this table.
A simplified visual illustration of these connections is shown here for example purposes only:

[Figure: Switch A (local) with local interfaces 4/1, 5/1 and 7/1, connected via a hub to Remote Switch B (0020da:032c40) and Remote Switch C (0020da:999660); remote interfaces 2/1, 1/8, 2/8 and 4/8; OmniSwitch 6648 and OmniSwitch 7800 chassis are shown.]

See the OmniSwitch CLI Reference Guide for informat
GMAP Overview

The Group Mobility Advertisement Protocol (GMAP) enables workstation users to move from port to port among interconnected switches and still retain all learned mobile port and protocol information. Using GMAP, the switch that receives a GMAP update packet updates its internal GMAP tables and queries the forwarding database to make any necessary updates.
Configuring the GMAP Gap Time Interval

The GMAP gap time interval determines the interpacket time used when multiple packets are required for an update. When there are many MAC addresses on mobile ports, more than one GMAP packet is required for an update. Typically there is no need to alter the gap time interval, but you may want to modify it if traffic spikes are occurring on the network.

Note.
Configuring the GMAP Hold Time

The GMAP hold time specifies the length of time the switch retains information received in GMAP update packets. By default, the holdtime interval is 4320 minutes (72 hours). To display the current holdtime interval, enter the following command:

-> show gmap

To change the holdtime interval, use either of these forms of the command with the desired value (any value between 1 and 65535).
10 Configuring 802.1Q

802.1Q is the IEEE standard for segmenting networks into VLANs. 802.1Q segmentation is done by adding a specific tag to a packet.

In this Chapter

This chapter describes the basic components of 802.1Q VLANs and how to configure them through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see “802.1Q Commands” in the OmniSwitch CLI Reference Guide.
802.1Q Specifications

IEEE Specification                           Draft Standard P802.1Q/D11 IEEE Standards for Local And Metropolitan Area Network: Virtual Bridged Local Area Networks, July 30, 1998
Maximum Number of Tagged VLANs per Port      4093
Maximum Number of Untagged VLANs per Port    One untagged VLAN per port.
Maximum Number of VLAN Port Associations     32768

Note. Up to 4093 VLANs can be assigned to a tagged port or link aggregation group.
802.1Q Overview

Alcatel’s 802.1Q implementation follows the IEEE standard for sending frames through the network tagged with VLAN identification. This chapter details procedures for configuring and monitoring 802.1Q tagging on a single port in a switch or a link aggregation group in a switch. 802.1Q tagging is the IEEE version of VLANs. It is a method for segregating areas of a network into distinct VLANs.
The port can only be assigned to one untagged VLAN (in every case, this will be the default VLAN). In the example above the default VLAN is VLAN 1. The port can be assigned to as many 802.1Q VLANs as necessary, up to 4093 per port or 32768 VLAN port associations. For the purposes of Quality of Service (QoS), 802.1Q ports are always considered to be trusted ports. For more information on QoS and trusted ports, see Chapter 23, “Configuring QoS.” Alcatel’s 802.
Configuring an 802.1Q VLAN

The following sections detail procedures for creating 802.1Q VLANs and assigning ports to 802.1Q VLANs.

Enabling Tagging on a Port

To set a port to be a tagged port, you must specify a VLAN identification (VID) number and a port number. You may also optionally assign a text identification. For example, to configure port 4 on slot 3 to be a tagged port, enter the following command at the CLI prompt:

-> vlan 5 802.
Enabling Tagging with Link Aggregation

To enable tagging on link aggregation groups, enter the link aggregation group identification number in place of the slot and port number, as shown:

-> vlan 5 802.1q 8

(For further information on creating link aggregation groups, see Chapter 11, “Configuring Static Link Aggregation,” or Chapter 12, “Configuring Dynamic Link Aggregation.
Configuring the Frame Type

Once a port has been set to receive and send tagged frames, it will be able to receive or send tagged or untagged traffic. Tagged traffic will be subject to 802.1Q rules, while untagged traffic will behave as directed by normal switch operation. (Setting up rules for non-802.1Q traffic is defined in Chapter 4, “Configuring VLANs.”) A port can also be configured to accept only tagged frames.
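The frame-type setting above decides what happens to an untagged frame on a tagged port, and the tagged-VLAN list decides which tagged frames the port admits. The following Python is an added example, not Alcatel code and not from this guide: it parses the 802.1Q header of a constructed Ethernet frame and applies a port's frame-type policy and tagged-VLAN membership in software. The MAC addresses and VLAN numbers are constructed. The handling of VID 0 (a priority-tagged frame is treated like an untagged one) and VID 4095 (reserved) follows the IEEE 802.1Q standard rather than anything this chapter states.

```python
# Added example (not Alcatel code): parse the 802.1Q tag of an Ethernet frame
# and apply a port's acceptable-frame-type setting and tagged-VLAN membership.
# TPID 0x8100 and the VID 0 / VID 4095 handling come from IEEE 802.1Q; the
# frames, MAC addresses and VLAN numbers below are constructed.
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100


@dataclass
class TagInfo:
    tagged: bool
    vid: Optional[int]     # 12-bit VLAN ID when tagged, else None
    pcp: int               # 3-bit priority code point, 0 when untagged
    ethertype: int         # EtherType of the encapsulated payload


def parse_tag(frame: bytes) -> TagInfo:
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return TagInfo(False, None, 0, etype)
    if len(frame) < 18:
        raise ValueError("tagged frame truncated before the TCI field")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return TagInfo(True, tci & 0x0FFF, tci >> 13, inner)


@dataclass
class Port:
    default_vlan: int                      # the single untagged VLAN of the port
    tagged_vlans: Set[int] = field(default_factory=set)
    tagged_only: bool = False              # "accept only tagged frames"


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """VLAN the frame is switched in, or None when the port drops it."""
    tag = parse_tag(frame)
    if not tag.tagged or tag.vid == 0:     # untagged, or priority-tagged (VID 0)
        return None if port.tagged_only else port.default_vlan
    if tag.vid == 0x0FFF:                  # 4095 is reserved and never a member
        return None
    return tag.vid if tag.vid in port.tagged_vlans else None


def make_frame(vid: Optional[int], pcp: int = 0) -> bytes:
    """Constructed IPv4 frame; tagged with `vid` when given, untagged otherwise."""
    hdr = bytes.fromhex("0000da0001020000da000304")   # constructed dst and src MACs
    payload = b"\x08\x00" + b"\x00" * 46
    if vid is None:
        return hdr + payload
    return hdr + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + payload
```

With `tagged_only` set, an untagged host plugged into the port gets no VLAN at all, which is the behaviour the "accept only tagged frames" option buys you; with it clear, that host lands in the default VLAN, so the default VLAN on a trunk-style port deserves the same scrutiny as any other VLAN.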
Show 802.1Q Information

After configuring a port or link aggregation group to be a tagged port, you can view the settings by using the show 802.1q command, as demonstrated:

-> show 802.1q 3/4
 Acceptable Frame Type   : Any Frame Type
 Force Tag Internal      : off
 Tagged VLANS    Internal Description
-------------+-------------------------------------------------+
           2    TAG PORT 3/4 VLAN 2
-> show 802.
Application Example

In this section the steps to create 802.1Q connections between switches are shown. The following diagram shows a simple network employing 802.1Q on both regular ports and link aggregation groups.
The following steps apply to Stack 2. They will attach port 2/1 to VLAN 2, and set the port to accept 802.1Q tagged traffic only:

1 Create VLAN 2 by entering vlan 2 as shown below (VLAN 1 is the default VLAN for the switch):
-> vlan 2
2 Set port 2/1 as a tagged port and assign it to VLAN 2 by entering the following:
-> vlan 2 802.1q 2/1
3 Set port 2/1 to accept only tagged traffic by entering the following:
-> vlan 802.
The following steps apply to Stack 3. They will attach ports 4/1 and 4/2 as link aggregation group 5 to VLAN 3.

1 Configure static link aggregation group 5 by entering the following:
-> static linkagg 5 size 2
2 Assign ports 4/1 and 4/2 to static link aggregation group 5 by entering the following two commands:
-> static agg 4/1 agg num 5
-> static agg 4/2 agg num 5
3 Create VLAN 3 by entering the following:
-> vlan 3
4 Configure 802.
11 Configuring Static Link Aggregation

Alcatel’s static link aggregation software allows you to combine several physical links into one large virtual link known as a link aggregation group. Using link aggregation can provide the following benefits:
• Scalability. You can configure up to 30 link aggregation groups that can consist of 2, 4, or 8 links on a single switch and 2, 4, 8, or 16 links in a stack.
• Reliability.
Static Link Aggregation Specifications

The table below lists specifications for static groups.
Quick Steps for Configuring Static Link Aggregation

Follow the steps below for a quick tutorial on configuring a static aggregate link between two switches. Additional information on how to configure each command is given in the subsections that follow.

1 Create the static aggregate link on the local switch with the static linkagg size command.
Note. Optional. You can verify your static link aggregation settings with the show linkagg command.
Static Link Aggregation Overview

Link aggregation allows you to combine 2, 4, or 8 physical connections on a single switch or 2, 4, 8, or 16 links in a stack into large virtual connections known as link aggregation groups.
Relationship to Other Features

Link aggregation groups are supported by other switch software features. The following features have CLI commands or command parameters that support link aggregation:
• VLANs. For more information on VLANs see Chapter 4, “Configuring VLANs.”
• 802.1Q. For more information on configuring and monitoring 802.1Q see Chapter 10, “Configuring 802.1Q.”
• Spanning Tree.
Configuring Static Link Aggregation Groups

This section describes how to use Alcatel’s Command Line Interface (CLI) commands to configure static link aggregate groups. See “Configuring Mandatory Static Link Aggregate Parameters” on page 11-7 for more information.

Note. See “Quick Steps for Configuring Static Link Aggregation” on page 11-3 for a brief tutorial on configuring these mandatory parameters.
Creating and Deleting a Static Link Aggregate Group

The following subsections describe how to create and delete static link aggregate groups with the static linkagg size command.
Adding and Deleting Ports in a Static Aggregate Group

The following subsections describe how to add and delete ports in a static aggregate group with the static agg agg num command.

Adding Ports to a Static Aggregate Group

The number of ports assigned in a static aggregate group can be less than or equal to the maximum size you specified in the static linkagg size command.
OmniSwitch 6624/6600-U24/6600-P24

Number of Links (Aggregate Size)   Maximum Valid Port Assignment (Port Speed)
2                                  1–2 (10/100), 9–10 (10/100), 17–18 (10/100), 25–26 (Gigabit)
4                                  1–4 (10/100), 9–12 (10/100), 17–20 (10/100), 25–28 (Gigabit)
8                                  1–8 (10/100), 9–16 (10/100), 17–24 (10/100)

[Figure: OmniSwitch 6624 front panel showing port numbering.]
OmniSwitch 6648

Number of Links (Aggregate Size)   Maximum Valid Port Assignment (Port Speed)
2                                  1–2 (10/100), 9–10 (10/100), 17–18 (10/100), 25–26 (10/100), 33–34 (10/100), 41–42 (10/100), 49–50 (Gigabit), 51–52 (Gigabit)
4                                  1–4 (10/100), 9–12 (10/100), 17–20 (10/100), 25–28 (10/100), 33–36 (10/100), 41–44 (10/100)
8                                  1–8 (10/100), 9–16 (10/100), 17–24 (10/100), 25–32 (10/100), 33–40 (10/100), 41–48 (10/100)

[Figure: OmniSwitch 6648 front panel showing port numbering.]
OmniSwitch 6602-24

Number of Links (Aggregate Size)   Maximum Valid Port Configuration (Port Speed)
2                                  1–2 (10/100), 9–10 (10/100), 17–18 (10/100), 25–26 (Gigabit)
4                                  1–4 (10/100), 9–12 (10/100), 17–20 (10/100)
8                                  1–8 (10/100), 9–16 (10/100), 17–24 (10/100)

[Figure: OmniSwitch 6602-24 front panel showing port numbering.]
OmniSwitch 6602-48

Number of Links (Aggregate Size)   Maximum Valid Port Configuration (Port Speed)
2                                  1–2 (10/100), 9–10 (10/100), 17–18 (10/100), 25–26 (10/100), 33–34 (10/100), 41–42 (10/100), 49–50 (Gigabit)
4                                  1–4 (10/100), 9–12 (10/100), 17–20 (10/100), 25–28 (10/100), 33–36 (10/100), 41–44 (10/100)
8                                  1–8 (10/100), 9–16 (10/100), 17–24 (10/100), 25–32 (10/100), 33–40 (10/100), 41–48 (10/100)

[Figure: OmniSwitch 6602-48 front panel showing port numbering.]
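The port tables above are the kind of constraint that is easy to get wrong when aggregates are configured by hand or by script. The following Python is an added example, not Alcatel code and not from this guide: a pre-change check that encodes the OmniSwitch 6648 table and validates a proposed set of member ports for a static aggregate of a given size. The ranges and speeds are copied from the 6648 table; the reading that every member of a size-N aggregate must fall inside a single one of the ranges listed for N, and that fewer members than N is acceptable (as the text above says), is an assumption about how the table is meant to be used.

```python
# Added example (not Alcatel code): a configuration check that encodes the
# OmniSwitch 6648 port table above. Assumption: every member port of a static
# aggregate of size N must fall inside one of the table's ranges for N; fewer
# members than N is allowed, more is not. Ranges and speeds are from the table.
from typing import Dict, Iterable, List, Tuple

Range = Tuple[int, int, str]          # (first port, last port, port speed)

OS6648_RANGES: Dict[int, List[Range]] = {
    2: [(1, 2, "10/100"), (9, 10, "10/100"), (17, 18, "10/100"), (25, 26, "10/100"),
        (33, 34, "10/100"), (41, 42, "10/100"), (49, 50, "Gigabit"), (51, 52, "Gigabit")],
    4: [(1, 4, "10/100"), (9, 12, "10/100"), (17, 20, "10/100"), (25, 28, "10/100"),
        (33, 36, "10/100"), (41, 44, "10/100")],
    8: [(1, 8, "10/100"), (9, 16, "10/100"), (17, 24, "10/100"), (25, 32, "10/100"),
        (33, 40, "10/100"), (41, 48, "10/100")],
}


def check_static_agg(size: int, ports: Iterable[int]) -> Tuple[bool, str]:
    """Validate the member ports proposed for a static aggregate of `size` links.

    Returns (ok, reason) so a provisioning script can refuse the change and
    report why before any command reaches the switch.
    """
    members = sorted(set(ports))
    if size not in OS6648_RANGES:
        return False, f"aggregate size {size} is not 2, 4 or 8"
    if not members or len(members) > size:
        return False, f"{len(members)} ports given for an aggregate of size {size}"
    for lo, hi, speed in OS6648_RANGES[size]:
        if all(lo <= p <= hi for p in members):
            return True, f"ports {members} fit the {lo}-{hi} ({speed}) range"
    return False, f"ports {members} do not fall inside one valid range for size {size}"
```

The check also makes a property of the table explicit: on the 6648 the Gigabit ports 49 through 52 only appear in the size-2 rows, so a four-link aggregate over those ports is rejected.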
On an OmniSwitch 6624 or 6600-U24 you must install either an OS6600-GNI-C2 or OS6600-GNI-U2 expansion module in the left-hand expansion slot before you can use ports 25 and 26 for link aggregation, and you must install either an OS6600-GNI-C2 or OS6600-GNI-U2 expansion module in the right-hand expansion/stacking slot before you can use ports 27 and 28 for link aggregation.
Modifying Static Aggregation Group Parameters

This section describes how to modify the following static aggregate group parameters:
• Static aggregate group name (see “Modifying the Static Aggregate Group Name” on page 11-15)
• Static aggregate group administrative state (see “Modifying the Static Aggregate Group Administrative State” on page 11-15)

Modifying the Static Aggregate Group Name

The following subsections desc
Application Example

Static link aggregation groups are treated by the switch’s software the same way it treats individual physical ports. This section demonstrates this by providing a sample network configuration that uses static link aggregation along with other software features. In addition, a tutorial is provided that shows how to configure this sample network using Command Line Interface (CLI) commands.
5 Repeat steps 1 through 4 on Switch B. All the commands would be the same except you would substitute the appropriate port numbers.

Note. Optional. Use the show 802.1q command to display 802.1Q configurations.
Displaying Static Link Aggregation Configuration and Statistics

You can use Command Line Interface (CLI) show commands to display the current configuration and statistics of link aggregation. These commands include the following:

show linkagg        Displays information on link aggregation groups.
show linkagg port   Displays information on link aggregation ports.
12 Configuring Dynamic Link Aggregation
Alcatel’s dynamic link aggregation software allows you to combine several physical links into one large virtual link known as a link aggregation group. Using link aggregation can provide the following benefits:
• Scalability. You can configure up to 30 link aggregation groups, each consisting of 2, 4, or 8 links on a single switch and 2, 4, 8, or 16 links in a stack.
• Reliability.
Dynamic Link Aggregation Specifications
The table below lists specifications for dynamic aggregation groups and ports:
IEEE Specifications Supported   802.
Dynamic Link Aggregation Default Values
The table below lists default values for dynamic aggregate groups.
Quick Steps for Configuring Dynamic Link Aggregation
Follow the steps below for a quick tutorial on configuring a dynamic aggregate link between two switches. Additional information on how to configure each command is given in the subsections that follow.
Note. As an option, you can verify your dynamic aggregation group settings with the show linkagg command on either the actor or partner switch.
An example of what these commands look like entered sequentially on the command line on the partner switch:
-> lacp linkagg 2 size 8 admin key 5
-> lacp agg 2/9 actor admin key 5
-> lacp agg 2/10 actor admin key 5
-> lacp agg 2/11 actor admin key 5
-> lacp agg 2/12 actor admin key 5
-> lacp agg 2/13 actor admin key 5
-> lacp agg 2/14 actor admin key 5
-> lacp agg 2/15 actor admin key 5
-> lacp ag
-> vlan
Dynamic Link Aggregation Overview
Link aggregation allows you to combine 2, 4, or 8 physical connections on a single switch or 2, 4, 8, or 16 links in a stack into large virtual connections known as link aggregation groups.
[Figure: dynamic aggregate group negotiation between a Local (Actor) Switch and a Remote (Partner) Switch, each drawn as OmniSwitch 6648 units]
1. Local (actor) switch sends requests to establish a dynamic aggregate group link to the remote (partner) switch.
2. Partner switch acknowledges that it can accept this dynamic group.
3.
Relationship to Other Features
Link aggregation groups are supported by other switch software features. For example, you can configure 802.1Q tagging on link aggregation groups in addition to configuring it on individual ports. The following features have CLI commands or command parameters that support link aggregation:
• VLANs. For more information on VLANs see Chapter 4, “Configuring VLANs.”
• 802.1Q.
Configuring Dynamic Link Aggregate Groups
This section describes how to use Alcatel’s Command Line Interface (CLI) commands to create, modify, and delete dynamic aggregate groups. See “Configuring Mandatory Dynamic Link Aggregate Parameters” on page 12-10 for more information.
Note. See “Quick Steps for Configuring Dynamic Link Aggregation” on page 12-4 for a brief tutorial on configuring these mandatory parameters.
Creating and Deleting a Dynamic Aggregate Group
The following subsections describe how to create and delete dynamic aggregate groups with the lacp linkagg size command.
Configuring Ports to Join and Removing Ports from a Dynamic Aggregate Group
The following subsections describe how to configure ports with the same administrative key (which allows them to be aggregated) and how to remove them from a dynamic aggregate group with the lacp agg actor admin key command.
OmniSwitch 6624/6600-U24/6600-P24
Number of Links (Aggregate Size)   Maximum Valid Port Configuration (Port Speed)
2                                  1–2, 9–10, 17–18 (10/100); 25–26 (Gigabit)
4                                  1–4, 9–12, 17–20 (10/100); 25–28 (Gigabit)
8                                  1–8, 9–16, 17–24 (10/100)
[Figure: OmniSwitch 6624 front panel showing port numbering]

OmniSwitch 6648
Number of Links (Aggregate Size)   Maximum Valid Port Configuration (Port Speed)
2                                  1–2, 9–10, 17–18, 25–26, 33–34, 41–42 (10/100); 49–50 (Gigabit); 51–52 (Gigabit)
4                                  1–4, 9–12, 17–20, 25–28, 33–36, 41–44 (10/100)
8                                  1–8, 9–16, 17–24, 25–32, 33–40, 41–48 (10/100)
[Figure: OmniSwitch 6648 front panel showing port numbering]

OmniSwitch 6602-24
Number of Links (Aggregate Size)   Maximum Valid Port Configuration (Port Speed)
2                                  1–2, 9–10, 17–18 (10/100); 25–26 (Gigabit)
4                                  1–4, 9–12, 17–20 (10/100)
8                                  1–8, 9–16, 17–24 (10/100)
[Figure: OmniSwitch 6602-24 front panel showing port numbering]

OmniSwitch 6602-48
Number of Links (Aggregate Size)   Maximum Valid Port Configuration (Port Speed)
2                                  1–2, 9–10, 17–18, 25–26, 33–34, 41–42 (10/100); 49–50 (Gigabit)
4                                  1–4, 9–12, 17–20, 25–28, 33–36, 41–44 (10/100)
8                                  1–8, 9–16, 17–24, 25–32, 33–40, 41–48 (10/100)
[Figure: OmniSwitch 6602-48 front panel showing port numbering]
On an OmniSwitch 6624, 6600-U24, or 6600-P24 you must install either an OS6600-GNI-C2 or OS6600-GNI-U2 expansion module in the left-hand expansion slot before you can use ports 25 and 26 for link aggregation, and either an OS6600-GNI-C2 or OS6600-GNI-U2 expansion module in the right-hand expansion/stacking slot before you can use ports 27 and 28 for link aggregation.
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax. For example, to configure an actor administrative key of 10 on slot 4 port 1 and document that the port is a 10 Mbps Ethernet port, enter:
-> lacp agg ethernet 4/1 actor admin key 10
Note.
Modifying Dynamic Link Aggregate Group Parameters
The table on page 12-3 lists default group and port settings for Alcatel’s dynamic link aggregation software. These parameters ensure compliance with the IEEE 802.3ad specification. For most networks, these default values do not need to be modified or will be modified automatically by switch software.
For example, to name dynamic aggregate group 4 “Engineering” you would enter:
-> lacp linkagg 4 name Engineering
Note. If you want to specify spaces within a name, the name must be enclosed with quotes.
Deleting a Dynamic Aggregate Actor Administrative Key
To remove an actor switch administrative key from a dynamic aggregate group’s configuration, use the no form of the lacp linkagg actor admin key command by entering lacp linkagg followed by the dynamic aggregate group number, and no actor admin key.
Restoring the Dynamic Aggregate Group Actor System ID
To remove the user-configured actor switch system ID from a dynamic aggregate group’s configuration, use the no form of the lacp linkagg actor system id command by entering lacp linkagg followed by the dynamic aggregate group number and no actor system id.
For example, to reset the partner system priority of dynamic aggregate group 4 to its default value you would enter:
-> lacp linkagg 4 no partner system priority
Modifying the Dynamic Aggregate Group Partner System ID
By default, the dynamic aggregate group partner system ID is 00:00:00:00:00:00.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See Chapter 7, “Assigning Ports to VLANs,” for more information on mobile ports.
Modifying the Actor Port System Administrative State
The system administrative state of a dynamic aggregate group actor port is indicated by bit settings in Link Aggregation Control Protocol Data Unit (LACPDU) frames sent by the port.
Keywords for the lacp agg actor admin state command:
Keyword   Definition
expire    Specifying this keyword has no effect because the system always determines its value. When this bit (bit 7) is set by the system, the actor cannot receive LACPDU frames.
Note. Specifying none removes all administrative states from the LACPDU configuration.
For example, to modify the system ID of dynamic aggregate actor port 3 in slot 7 to 00:20:da:06:ba:d3 you would enter:
-> lacp agg 7/3 actor system id 00:20:da:06:ba:d3
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax.
Modifying the Actor Port Priority
By default, the actor port priority (used to converge dynamic key changes) is 0. The following subsections describe how to configure a user-specified value and how to restore the value to its default value with the lacp agg actor port priority command.
Modifying Dynamic Aggregate Partner Port Parameters
This section describes how to modify the following dynamic aggregate partner port parameters:
• Partner port system administrative state (see “Modifying the Partner Port System Administrative State” on page 12-28)
• Partner port administrative key (see “Modifying the Partner Port Administrative Key” on page 12-30)
• Partner port system ID (see “Modifying the Partner P
Keyword       Definition
synchronize   Specifies that bit 3 in the partner state octet is enabled. When this bit is set, the port is allocated to the correct dynamic aggregation group. If this bit is not enabled, the port is not allocated to the correct aggregation group. By default, this value is disabled.
collect       Specifying this keyword has no effect because the system always determines its value.
Note. Since individual bits within the LACPDU frame are set with the lacp agg partner admin state command, you can set some bits on and restore other bits to default values within the same command.
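The actor and partner administrative states above are both the same 8-bit state field of an LACPDU. The following is an added example, not code from this guide or from Alcatel, that encodes and decodes that octet. The bit positions are those of IEEE 802.3ad clause 43.4.2.2; the keyword names mirror the guide's admin state keywords, and the two keywords the guide says are ignored ("collect" and "expire") are modelled as system-determined. The values fed to it are constructed.

```python
"""Encode and decode the 8-bit state field carried in LACPDU frames.

Added example, not part of the OmniSwitch guide. Bit positions follow
IEEE 802.3ad clause 43.4.2.2; keyword names mirror the guide's
lacp agg ... actor/partner admin state keywords.
"""

# Keyword -> bit position in the LACP state octet (IEEE 802.3ad).
LACP_STATE_BITS = {
    "active": 0,       # LACP_Activity: 1 = active LACP, 0 = passive
    "timeout": 1,      # LACP_Timeout: 1 = short timeout, 0 = long timeout
    "aggregate": 2,    # Aggregation: 1 = aggregatable, 0 = individual link
    "synchronize": 3,  # Synchronization: port is in the correct aggregate group
    "collect": 4,      # Collecting: port is collecting incoming frames
    "distribute": 5,   # Distributing: port is distributing outgoing frames
    "default": 6,      # Defaulted: partner information comes from admin defaults
    "expire": 7,       # Expired: the receive machine is in the EXPIRED state
}

# The guide says these keywords may be typed but have no effect because the
# switch always determines those bits itself.
SYSTEM_DETERMINED = {"collect", "expire"}


def encode_state(keywords):
    """Return the state octet with the bit for each keyword set."""
    octet = 0
    for kw in keywords:
        octet |= 1 << LACP_STATE_BITS[kw]   # KeyError on an unknown keyword
    return octet


def decode_state(octet):
    """Return the keywords whose bits are set, lowest bit first."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("state octet must fit in 8 bits")
    ordered = sorted(LACP_STATE_BITS.items(), key=lambda kv: kv[1])
    return [kw for kw, bit in ordered if octet & (1 << bit)]


def admin_state_from_cli(keywords):
    """Model the CLI semantics: 'none' clears every administrative bit, and
    system-determined keywords are accepted but ignored."""
    keywords = list(keywords)
    if keywords == ["none"]:
        return 0
    return encode_state(kw for kw in keywords if kw not in SYSTEM_DETERMINED)


def describe(octet):
    """Readable dump, useful when reading state values from show linkagg port."""
    bits = decode_state(octet)
    return f"0x{octet:02x}: " + (", ".join(bits) if bits else "(no bits set)")


if __name__ == "__main__":
    # Constructed value: an active, aggregatable, synchronized member link
    # that is collecting and distributing, i.e. a healthy LACP member.
    print(describe(0x3D))
```

Reading the octet this way makes the common failure visible: a member whose partner state shows "active, aggregate" without "synchronize" has agreed on keys but has not been placed in the aggregate, which is the case the synchronize keyword above describes.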
Configuring the Partner Port System ID
You can configure the partner port system ID by entering lacp agg, the slot number, a slash (/), the port number, partner admin system id, and the user-specified partner administrative system ID (i.e., the MAC address in hexadecimal format).
Restoring the Partner Port System Priority
To remove a user-configured system priority from a dynamic aggregate group partner port’s configuration, use the no form of the lacp agg partner admin system priority command by entering lacp agg, the slot number, a slash (/), the port number, and no partner admin system priority.
For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to 100 you would enter:
-> lacp agg 4/3 partner admin port priority 100
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port number to document the interface type or make the command look consistent with early-generation Alcatel CLI syntax.
Application Examples
Dynamic link aggregation groups are treated by the switch’s software the same way it treats individual physical ports. This section demonstrates this feature by providing sample network configurations that use dynamic aggregation along with other software features. In addition, tutorials are provided that show how to configure these sample networks using Command Line Interface (CLI) commands.
Link Aggregation and Spanning Tree Example
As shown in the figure on page 12-34, VLAN 10, which uses the Spanning Tree Protocol (STP) with a priority of 15, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 3/9 and 3/10 on Switch A to ports 1/1 and 1/2 on Switch B. Follow the steps below to configure this network:
Note. Only the steps to configure the local (i.e.
Link Aggregation and QoS Example
As shown in the figure on page 12-34, VLAN 12, which uses 802.1Q frame tagging and 802.1p prioritization, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 4/1, 4/2, 4/3, and 4/4 on Switch A to ports 1/1, 1/2, 1/3, and 1/4 on Switch C (a stack of four OmniSwitch 6648 switches). Follow the steps below to configure this network:
Note.
10 Repeat steps 1 through 9 on Switch C. All the commands would be the same except you would substitute the appropriate port numbers.
Note. If you do not use the qos apply command, any QoS policies you configured will be lost on the next switch reboot.
Displaying Dynamic Link Aggregation Configuration and Statistics
You can use Command Line Interface (CLI) show commands to display the current configuration and statistics of link aggregation. These commands include the following:
show linkagg        Displays information on link aggregation groups.
show linkagg port   Displays information on link aggregation ports.
A screen similar to the following would be displayed:
Dynamic Aggregable Port
  SNMP Id
  Slot/Port
  Administrative State
  Operational State
  Port State
  Link State
  Selected Agg Number
  Primary port
LACP
  Actor System Priority
  Actor System Id
  Actor Admin Key
  Actor Oper Key
  Partner Admin System Priority
  Partner Oper System Priority
  Partner Admin System Id
  Partner Oper System Id
  Partner Admin Key
  Partner Oper Key
  Att
Displaying Dynamic Link Aggregation Configuration and Statistics page 12-40 Configuring Dynamic Link Aggregation OmniSwitch 6600 Family Network Configuration Guide April 2005
13 Configuring IP
Internet Protocol (IP) is primarily a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded. Along with Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols.
• Managing IP
  – “Internet Control Message Protocol (ICMP)” on page 13-18
  – “Using the Ping Command” on page 13-22
  – “Tracing an IP Route” on page 13-22
  – “Displaying TCP Information” on page 13-22
  – “Displaying UDP Information” on page 13-23
IP Specifications
RFCs Supported                    RFC 791–Internet Protocol
                                  RFC 792–Internet Control Message Protocol
                                  RFC 826–An Ethernet Address Resolution Protocol
Maximum router VLANs per switch   4094
Maximum IP interfaces per VLAN    1
Maximum
Quick Steps for Configuring IP Forwarding
Using only IP, which is always enabled on the switch, devices connected to ports on the same VLAN are able to communicate at Layer 2. The initial configuration for all Alcatel switches consists of a default VLAN 1. All switch ports are initially assigned to this VLAN. When another switch is added (stacked), all of that switch’s ports are also assigned to VLAN 1.
IP Overview
IP is a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded on a network. IP is the primary network-layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols.
IP Protocols
IP is associated with several Layer 3 and Layer 4 protocols. These protocols are built into the base code loaded on the switch.
Additional IP Protocols
There are several additional IP-related protocols that may be used with IP forwarding. These protocols are included as part of the base code.
• Address Resolution Protocol (ARP)—Used to match the IP address of a device with its physical (MAC) address. For more information, see “Configuring Address Resolution Protocol (ARP)” on page 13-10.
• Virtual Router Redundancy Protocol (VRRP)—Used to back up routers.
IP Forwarding
Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the same VLAN. However, if a device needs to communicate with another device that belongs to a different VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs.
Configuring an IP Router Interface
IP is enabled by default. Using IP, devices connected to ports on the same VLAN are able to communicate. However, to forward packets to a different VLAN, you must create an IP router interface on each VLAN. Use the ip interface command to define an IP interface for an existing VLAN. The following parameter values are configured with this command:
• A unique interface name (text string up to 20 characters) used to identify the IP interface.
Modifying an IP Router Interface
The ip interface command is also used to modify existing IP interface parameter values. It is not necessary to first remove the IP interface and then create it again with the new values. The changes specified will overwrite existing parameter values. For example, the following command changes the subnet mask to 255.255.255.
Creating a Static Route
Static routes are user-defined and carry a higher priority than routes created by dynamic routing protocols. That is, if two routes have the same metric value, the static route has the higher priority. Static routes allow you to define, or customize, an explicit path to an IP network segment, which is then added to the IP Forwarding table. Static routes can be created between VLANs to enable devices on these VLANs to communicate.
Configuring Address Resolution Protocol (ARP)
To send packets on a locally connected network, the switch uses ARP to match the IP address of a device with its physical (MAC) address. To send a data packet to a device with which it has not previously communicated, the switch first broadcasts an ARP request packet. The ARP request packet requests the Ethernet hardware address corresponding to an Internet address.
Clearing Dynamic ARP Entries
Dynamic entries can be cleared using the clear arp-cache command. This command clears all dynamic entries. Permanent entries must be cleared using the no arp command. Use the show arp command to display the table and verify that the table was cleared.
Note. Dynamic entries remain in the ARP table until they time out. If the switch does not receive data from a host for this user-specified time, the entry is removed from the table.
IP Configuration
IP is enabled on the switch by default and there are few options that can, or need to be, configured. This section provides instructions for some basic IP configuration options.
Configuring the Router Primary Address
The router primary address is used by advanced routing protocols (e.g., OSPF) to identify the switch on the network. It is also the address that is used to access the switch for management purposes.
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram that has all zeroes or all 1’s in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached. Directed broadcasts are used in denial-of-service “smurf” attacks, in which an attacker sends ICMP echo requests with a forged source address to a subnet’s broadcast address so that every host on that subnet replies to the victim.
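The following is an added example, not switch code from this guide, showing how a router decides whether a destination is a directed broadcast for one of its connected subnets (all-ones or all-zeros host portion, arriving from a different subnet) and how the forwarding decision changes when directed broadcasts are left disabled. The subnets and packets are constructed; only the standard library is used.

```python
"""Classify routed IPv4 destinations and decide whether to forward them.

Added example, not OmniSwitch code. The directly connected subnets and
the packets are constructed for illustration.
"""
import ipaddress

# Constructed: subnets the router has IP interfaces on.
CONNECTED_SUBNETS = ["10.1.1.0/24", "10.1.2.0/24"]


def classify_destination(dst, ingress_subnet, connected_subnets):
    """Return 'limited-broadcast', 'local-broadcast', 'directed-broadcast'
    or 'unicast'.

    Per the guide, a directed broadcast has an all-ones or all-zeros host
    portion for a connected subnet other than the one the packet arrived on.
    """
    dst = ipaddress.IPv4Address(dst)
    ingress = ipaddress.IPv4Network(ingress_subnet)
    if dst == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"          # never forwarded by a router
    for subnet in (ipaddress.IPv4Network(s) for s in connected_subnets):
        if dst in (subnet.broadcast_address, subnet.network_address):
            return "local-broadcast" if subnet == ingress else "directed-broadcast"
    return "unicast"


def should_forward(dst, ingress_subnet, connected_subnets,
                   directed_broadcast_enabled=False):
    """Forwarding decision; directed broadcasts are dropped unless enabled."""
    kind = classify_destination(dst, ingress_subnet, connected_subnets)
    if kind == "unicast":
        return True
    if kind == "directed-broadcast":
        return directed_broadcast_enabled
    return False                            # local and limited broadcasts stay on their link


def filter_packets(packets, ingress_subnet, connected_subnets,
                   directed_broadcast_enabled=False):
    """Split (src, dst) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        target = forwarded if should_forward(dst, ingress_subnet, connected_subnets,
                                             directed_broadcast_enabled) else dropped
        target.append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed smurf-style burst: forged source (the victim), broadcast dst.
    burst = [("192.0.2.10", "10.1.2.255")] * 3 + [("10.1.1.5", "10.1.2.7")]
    print(filter_packets(burst, "10.1.1.0/24", CONNECTED_SUBNETS))
```

With directed broadcasts disabled the three forged-source packets aimed at 10.1.2.255 are dropped at the router instead of being expanded into replies from every host on 10.1.2.0/24; the ordinary unicast packet is still forwarded.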
• Trap generation. If the total penalty value exceeds the set port scan penalty value threshold, a trap is generated to alert the administrator that a port scan may be in progress.
For example, imagine that a switch is set so that TCP and UDP packets destined for closed ports are given a penalty of 10, TCP packets destined for open ports are given a penalty of 5, and UDP packets destined for open ports are given a penalty of 20.
In the next minute, 10 more TCP and UDP closed port packets are received, along with 200 UDP open port packets. This would bring the total penalty value to 4300, as shown with the following equation:
(100 previous minute value) + (10 TCP x 10 penalty) + (10 UDP x 10 penalty) + (200 UDP x 20 penalty) = 4300
This value would then be divided by 2 (due to decay), decreasing it to 2150.
Setting the Port Scan Penalty Value Threshold
The port scan penalty value threshold is the highest point the total penalty value for the switch can reach before a trap is generated informing the administrator that a port scan is in progress. To set the port scan penalty value threshold, enter the threshold value with the ip dos scan threshold command.
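The penalty, decay and threshold rules above can be worked through end to end. The following is an added example, not switch code, that reproduces the guide's calculation (100 carried over, then 10 closed-port TCP, 10 closed-port UDP and 200 open-port UDP packets in one minute, halved by decay) and raises the trap as a returned flag. The threshold of 1000 and the packet counts are constructed for the example; the guide gives the penalty values but not a threshold.

```python
"""Simulate per-minute penalty accumulation and decay for port-scan detection.

Added example, not switch code. Penalty values and the halving decay are
the guide's; the threshold is an assumed value, and the SNMP trap is
modelled as a returned flag.
"""

# (protocol, destination port state) -> penalty points, from the guide's example.
PENALTIES = {
    ("tcp", "closed"): 10,
    ("udp", "closed"): 10,
    ("tcp", "open"): 5,
    ("udp", "open"): 20,
}


class PortScanMonitor:
    def __init__(self, threshold, starting_total=0, penalties=PENALTIES, decay=2):
        self.threshold = threshold
        self.total = starting_total
        self.penalties = penalties
        self.decay = decay                  # total is divided by this once a minute

    def observe(self, proto, port_state):
        """Charge one packet and report whether the threshold is now exceeded."""
        self.total += self.penalties[(proto, port_state)]
        return self.total > self.threshold

    def run_minute(self, packets):
        """Feed one minute of packets, then apply decay.

        Returns (peak_total, trap_raised, total_after_decay).
        """
        trap = False
        for proto, port_state in packets:
            if self.observe(proto, port_state):
                trap = True                 # would generate the trap here
        peak = self.total
        self.total //= self.decay
        return peak, trap, self.total


def guide_example(threshold=1000):
    """Reproduce the guide's numbers with an assumed threshold of 1000."""
    monitor = PortScanMonitor(threshold=threshold, starting_total=100)
    packets = ([("tcp", "closed")] * 10
               + [("udp", "closed")] * 10
               + [("udp", "open")] * 200)
    return monitor.run_minute(packets)


if __name__ == "__main__":
    print(guide_example())                  # (4300, True, 2150)
```

Note what the decay implies for tuning: a burst that pushes the total to 4300 is still at 2150 a minute later, so a threshold set near the steady-state noise level will keep trapping for several minutes after a scan stops, while a very high threshold lets a slow scan hide under the halving.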
The following table lists ip service command options for specifying TCP/UDP services and also includes the well-known port number associated with each service:
service             port
ftp                 21
ssh                 22
telnet              23
http                80
secure-http         443
avlan-http          260
avlan-secure-http   261
avlan-telnet        259
udp-relay           67
network-time        123
snmp                161
proprietary         1024
proprietary         1025
Managing IP
The following sections describe IP commands that can be used to monitor and troubleshoot IP forwarding on the switch.
Internet Control Message Protocol (ICMP)
ICMP is a network layer protocol within the IP protocol suite that provides message packets to report errors and other IP packet processing information back to the source.
Activating ICMP Control Messages
ICMP messages are identified by a type and a code. This number pair specifies an ICMP message. For example, ICMP type 4, code 0, specifies the source quench ICMP message. To enable or disable an ICMP message, use the icmp type command with the type and code.
In addition to the icmp type command, several commonly used ICMP messages have separate CLI commands for convenience.
Setting the Minimum Packet Gap
The minimum packet gap is the time required between sending messages of a like type. For instance, if the minimum packet gap for Address Mask request messages is 40 microseconds, and an Address Mask message is sent, at least 40 microseconds must pass before another one could be sent. To set the minimum packet gap, use the min-pkt-gap keyword with any of the ICMP control commands.
Using the Ping Command
The ping command is used to test whether an IP destination can be reached from the local switch. This command sends an ICMP echo request to a destination and then waits for a reply. To ping a destination, enter the ping command and enter either the destination’s IP address or host name.
Displaying UDP Information
UDP is a secondary transport-layer protocol that uses IP for delivery. UDP is not connection-oriented and does not provide reliable end-to-end delivery of datagrams. But some applications can safely use UDP to send datagrams that do not require the extra overhead added by TCP. Use the show udp statistics command to display UDP statistics. Use the show udp ports command to display UDP port information.
14 Configuring IPv6
Internet Protocol version 6 (IPv6) is the next generation of Internet Protocol version 4 (IPv4). Both versions are supported along with the ability to tunnel IPv6 traffic over IPv4. Implementing IPv6 solves the limited address problem currently facing IPv4, which provides a 32-bit address space. IPv6 increases the address space available to 128 bits.
In This Chapter
This chapter describes IPv6 and how to configure it through the Command Line Interface (CLI).
IPv6 Specifications
RFCs Supported
2460–Internet Protocol, Version 6 (IPv6) Specification
2461–Neighbor Discovery for IP Version 6 (IPv6)
2462–IPv6 Stateless Address Autoconfiguration
2463–Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
2464–Transmission of IPv6 Packets Over Ethernet Networks
2893–Transition Mechanisms for IPv6 Hosts and Routers
3513–Internet Protocol Version 6 (IPv6) Addressing Architecture
3056–Con
Quick Steps for Configuring IPv6 Routing
The following tutorial assumes that VLAN 200 and VLAN 300 already exist in the switch configuration. For information about how to configure VLANs, see Chapter 4, “Configuring VLANs.”
1 Configure an IPv6 interface for VLAN 200 using the ipv6 interface command.
IPv6 Overview
IPv6 provides the basic functionality that is offered with IPv4 but includes the following enhancements and features not available with IPv4:
• Increased IP address size—IPv6 uses a 128-bit address, a substantial increase over the 32-bit IPv4 address size. Providing a larger address size also significantly increases the address space available, thus eliminating the concern over running out of IP addresses.
IPv6 Addressing
One of the main differences between IPv6 and IPv4 is that the address size increased from 32 bits to 128 bits. Going to a 128-bit address also increases the size of the address space to the point where running out of IPv6 addresses is not a concern. The following types of IPv6 addresses are supported:
Unicast—Standard unicast addresses, similar to IPv4.
Multicast—Addresses that represent a group of devices.
Because the last four words of the above address are uncompressed values, the double colon indicates that the first four words of the address all contain zeros. Note that using the double colon is only allowed once within a single address. So if the address was 1234:531F:0:0:BCD2:F34A:0:0, a double colon could not replace both sets of zeros.
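The following is an added example, not from this guide, that expands and compresses IPv6 text addresses by hand and rejects an address that uses the double colon more than once. It compresses the longest run of zero words (the first one on a tie, as RFC 5952 recommends), which is why the guide's address 1234:531F:0:0:BCD2:F34A:0:0 comes out with only the first pair of zeros replaced. The standard ipaddress module is used only as a cross-check.

```python
"""Expand and compress IPv6 text addresses, enforcing the single '::' rule.

Added example, not from the OmniSwitch guide. The stdlib ipaddress module
is used only to cross-check the hand-written compression.
"""
import ipaddress


def expand_ipv6(text):
    """Return the eight 16-bit words of an IPv6 address, or raise ValueError."""
    if text.count("::") > 1:
        raise ValueError("'::' may be used only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        head_words = head.split(":") if head else []
        tail_words = tail.split(":") if tail else []
        missing = 8 - len(head_words) - len(tail_words)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero word")
        words = head_words + ["0"] * missing + tail_words
    else:
        words = text.split(":")
        if len(words) != 8:
            raise ValueError("an uncompressed address needs exactly eight words")
    if any(not 1 <= len(w) <= 4 for w in words):
        raise ValueError("each word is one to four hex digits")
    return [int(w, 16) for w in words]      # int() raises ValueError on non-hex


def compress_ipv6(words):
    """Render eight words as text, replacing the longest run of two or more
    zero words with '::' (first run wins a tie)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if words[i] == 0:
            j = i
            while j < 8 and words[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{w:x}" for w in words]
    if best_len < 2:
        return ":".join(hexs)
    head = ":".join(hexs[:best_start])
    tail = ":".join(hexs[best_start + best_len:])
    return f"{head}::{tail}"


def is_valid_ipv6(text):
    """True if the address parses under the rules above."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def matches_stdlib(text):
    """Cross-check: our canonical form equals the ipaddress module's."""
    return compress_ipv6(expand_ipv6(text)) == str(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    print(compress_ipv6(expand_ipv6("1234:531F:0:0:BCD2:F34A:0:0")))
```

A parser that silently accepted two double colons would have to guess how many zero words each one stands for, which is exactly the ambiguity the single-use rule exists to prevent; the expansion here refuses such input rather than guessing.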
Stateless autoconfiguration is not available for assigning a global unicast or anycast address to an IPv6 interface. In other words, manual configuration is required to assign a non-link-local address to an interface. See “Assigning IPv6 Addresses” on page 14-12 for more information. Both stateless and stateful autoconfiguration are supported for devices, such as a workstation, when they are connected to the switch.
6to4 Site to 6to4 Site over IPv4 Domain
In this scenario, isolated IPv6 sites have connectivity over an IPv4 network through 6to4 border routers. An IPv6 6to4 tunnel interface is configured on each border router and assigned an IPv6 address with the 6to4 well-known prefix, as described above. IPv6 hosts serviced by the 6to4 border router have at least one IPv6 router interface configured with a 6to4 address.
[Figure: a 6to4 site (6to4 host and IPv6 6to4 border router) connected across an IPv4 domain to an IPv6/IPv4 6to4 relay router that serves an IPv6 site (IPv6 router and IPv6 host) in the IPv6 domain]
In the above diagram:
1 6to4 relay router advertises a route to 2002::/16 on its IPv6 router interface.
2 IPv6 host traffic received by the relay router that has a next hop address that matches 2002::/16 is routed to the 6to4 tunnel interface configured on the relay router.
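The two 6to4 scenarios above both hinge on the same address arithmetic: a site's /48 is 2002: followed by its public IPv4 address, and a border or relay router recovers the IPv4 tunnel endpoint from bits 16 to 47 of any 2002::/16 destination. The following is an added example, not from this guide, that performs that derivation and the relay decision of step 2. The IPv4 addresses are constructed from the RFC 5737 documentation ranges and are not globally routable.

```python
"""Derive 6to4 prefixes and tunnel endpoints (RFC 3056).

Added example, not from the OmniSwitch guide. The IPv4 addresses used in
the demonstration are constructed documentation addresses (RFC 5737).
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # the well-known 6to4 prefix


def six_to_four_prefix(ipv4):
    """Return the /48 a 6to4 site derives from its public IPv4 address:
    2002:<V4ADDR>::/48, with the 32-bit IPv4 address in bits 16..47."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_multicast or v4.is_loopback or v4.is_unspecified:
        raise ValueError(f"{v4} cannot be a 6to4 border router address")
    prefix_int = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def tunnel_endpoint(ipv6_dst):
    """For a destination inside 2002::/16, return the IPv4 address of the
    remote 6to4 border router (the tunnel endpoint). Otherwise return None:
    the packet must be routed natively or handed to a 6to4 relay router."""
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)


def relay_next_hop(ipv6_dst, relay_ipv4):
    """Border-router decision for traffic leaving a 6to4 site: 6to4
    destinations are encapsulated straight to the embedded IPv4 address,
    everything else is encapsulated to the relay router that advertises
    2002::/16 (step 1 of the diagram)."""
    endpoint = tunnel_endpoint(ipv6_dst)
    if endpoint is not None:
        return ("direct", str(endpoint))
    return ("relay", relay_ipv4)


if __name__ == "__main__":
    site = six_to_four_prefix("192.0.2.1")
    print(site)                                     # 2002:c000:201::/48
    print(relay_next_hop("2002:c633:6409::5", "198.51.100.9"))
    print(relay_next_hop("2001:db8::1", "198.51.100.9"))
```

The embedded IPv4 address is the only thing that ties a 6to4 packet to its tunnel endpoint, so a border router that decapsulates 6to4 traffic should also check that the outer IPv4 source matches the address embedded in the inner IPv6 source; the functions above give the values needed for that comparison.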
Configuring an IPv6 Interface
The ipv6 interface command is used to create an IPv6 interface for a VLAN or a tunnel. Note the following when configuring an IPv6 interface:
• A unique interface name is required for both a VLAN and tunnel interface.
• If creating a VLAN interface, the VLAN must already exist. See Chapter 4, “Configuring VLANs,” for more information.
• If creating a tunnel interface, a tunnel ID or 6to4 is specified.
Use the show ipv6 interface command to verify the interface configuration for the switch. For more information about this command, see the OmniSwitch CLI Reference Guide.
Modifying an IPv6 Interface
The ipv6 interface command is also used to modify existing IPv6 interface parameter values. It is not necessary to first remove the interface and then create it again with the new values. The changes specified will overwrite existing parameter values.
Assigning IPv6 Addresses
As was previously mentioned, when an IPv6 interface is created for a VLAN or a configured tunnel, an IPv6 link-local address is automatically created for that interface. This is also true when a device, such as a workstation, is connected to the switch. Link-local addresses, although private and non-routable, enable interfaces and workstations to communicate with other interfaces and workstations that are connected to the same link.
Removing an IPv6 Address
To remove an IPv6 address from an interface, use the no form of the ipv6 address command.
-> no ipv6 address 4100:1000::20/64 v6if-v200
Note that the subnet router anycast address is automatically deleted when the last unicast address of the same subnet is removed from the interface.
Configuring IPv6 Tunnel Interfaces
There are two types of tunnels supported: 6to4 and configured. Both types facilitate the interaction of IPv6 with IPv4 networks by providing a mechanism for carrying IPv6 traffic over an IPv4 network infrastructure. This is an important function since it is more than likely that both protocols will need to coexist within the same network for some time.
Verifying the IPv6 Configuration
A summary of the show commands used for verifying the IPv6 configuration is given here:
show ipv6 interface   Displays the status and configuration of IPv6 interfaces.
show ipv6 tunnel      Displays IPv6 configured tunnel information and whether or not the 6to4 tunnel is enabled.
show ipv6 routes      Displays the IPv6 Forwarding Table.
show ipv6 prefixes    Displays IPv6 subnet prefixes used in router advertisements.
15 Configuring RIP
Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop count as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of their own routing table. The RIP routing table uses the most efficient route to a destination, that is, the route with the fewest hops and longest matching prefix. The switch supports RIP version 1 (RIPv1), RIP version 2 (RIPv2), and RIPv2 that is compatible with RIPv1.
RIP Specifications
RFCs Supported: RFC 1058–RIP v1; RFC 2453–RIP v2; RFC 1722–RIP v2 Protocol Applicability Statement; RFC 1724–RIP v2 MIB Extension
RIP Defaults
The following table lists the defaults for RIP configuration through the ip rip command.
Quick Steps for Configuring RIP Routing
To forward packets to a device on a different VLAN, you must create a router port on each VLAN. To route packets using RIP, you must enable RIP and create a RIP interface on the router port. The following steps show you how to enable RIP routing between VLANs “from scratch”. If active VLANs and router ports have already been created on the switch, go to Step 7.
1 Create VLAN 1 with a description (e.g.
14 Use the ip rip redist-filter command to redistribute all local routes. For example:
-> ip rip redist-filter local 0.0.0.0 0.0.0.0
15 Enable RIP redistribution using the ip rip redist status command. For example:
-> ip rip redist status enable
Note. For more information on VLANs and router ports, see Chapter 4, “Configuring VLANs.”
RIP Overview
In switching, traffic may be transmitted from one media type to another within the same VLAN.
RIP deletes routes from the database if the next switch to that destination says the route contains more than 15 hops. In addition, all routes through a gateway are deleted by RIP if no updates are received from that gateway for a specified time period. If a gateway is not heard from for 180 seconds, all routes from that gateway are placed in a hold-down state. If the hold-down timer value is exceeded, the routes are deleted from the routing database.
[Figure: RIP Routing. Switch 1 and Switch 2 (OmniSwitch 6648) with router ports acting as RIP interfaces: VLAN 1 (110.0.0.0) with 110.0.0.1 and 110.0.0.2 on the physical connection between the switches, VLAN 2 (120.0.0.0) on both switches, and VLAN 3 (130.0.0.0) with 130.0.0.1 and 130.0.0.2.]
Loading RIP
When the switch is initially configured, RIP must be loaded into switch memory.
Creating a RIP Interface
You must create a RIP interface on a VLAN’s IP router port to enable RIP routing. Enter the ip rip interface command followed by the IP address of the VLAN router port. For example, to create a RIP interface on a router port with an IP address of 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1
Use the no ip rip interface command to delete a RIP interface.
Configuring the RIP Interface Receive Option
The RIP receive option defines the type(s) of RIP packets that the interface will accept. Using this command will override RIP default behavior. Other devices must be able to interpret the information provided by this command or routing information will not be properly exchanged between the switch and other devices on the network. Use the ip rip interface recv-version command to configure an individual RIP interface receive option.
RIP Options
The following sections detail procedures for configuring RIP options. RIP must be loaded and enabled on the switch before you can configure any of the RIP configuration options.
Configuring the RIP Forced Hold-down Interval
The RIP forced hold-down timer value defines an amount of time, in seconds, during which routing information regarding better paths is suppressed.
3 Configuring a RIP Redistribution Filter
– Creating a Filter
– Configuring a Redistribution Filter Action (optional)
– Configuring a Redistribution Metric (optional).
Enabling RIP Redistribution
Use the ip rip redist status command to enable/disable redistribution. For example, to enable RIP redistribution you would enter:
-> ip rip redist status enable
RIP redistribution is disabled by default. Use the ip rip redist status disable command to disable redistribution.
Configuring a Redistribution Metric
When redistributing routes into RIP, the metric for the redistributed route is calculated as a summation of the route’s metric and the corresponding metric in the redistribution policy. This is the case when the matching filter metric is 0 (the default). However, if the matching redistribution filter metric is set to a non-zero value, the redistributed route’s metric is set to the filter metric.
Creating a Redistribution Filter
Use the ip rip redist-filter command to create a RIP redistribution filter. Enter the command, the route type, and the destination IP address and mask of the traffic you want to redistribute. Only routes matching the policy and destination specified in the filter will be redistributed into RIP and passed to the destination. For example, to redistribute OSPF routes destined for the 10.0.0.
Configuring a Redistribution Filter Metric
You can prioritize redistribution of route types to a network by assigning a metric value to a route type(s). The default redistribution filter metric is 1. However, you can lower the priority of a route type by increasing its metric value. For example, if you want to give priority to OSPF routes to a particular network, you would set the metric value for the other route types to 2.
RIP Security
By default, there is no authentication used for RIP. However, you can configure a password for a RIP interface. To configure a password, you must first select the authentication type (simple or MD5), then configure a password.
Configuring Authentication Type
If simple or MD5 password authentication is used, both switches on either end of a link must share the same password. Use the ip rip interface auth-type command to configure the authentication type.
Configuring Passwords
If you configure simple or MD5 authentication, you must configure a text string that will be used as the password for the RIP interface. If a password is used, all switches that are intended to communicate with each other must share the same password. After configuring the interface for simple authentication as described above, configure the password for the interface using the ip rip interface auth-key command.
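The following is an added example, not part of this guide and not Alcatel code. It parses RIPv2 response packets, classifies the authentication entry (none, simple password, or the RFC 2082 MD5 header entry) and verifies a simple password against the key a receiving interface expects, so that an update from a peer that does not share the password, or that sends no authentication at all, is rejected. It also marks metric-16 routes as unreachable, matching the 15-hop limit described above. The packet layout follows RFC 2453; MD5 digest verification is not performed. The key, networks and packets are constructed for the example.

```python
"""RIPv2 update authentication check (added example, not Alcatel code)."""
import hmac
import struct
from ipaddress import IPv4Address

RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric
RESPONSE = 2
AUTH_AFI = 0xFFFF
AUTH_SIMPLE = 2                          # RFC 2453 simple password, 16 bytes zero-padded
AUTH_MD5 = 3                             # RFC 2082 keyed-MD5 header entry
INFINITY = 16                            # metric 16 = unreachable (more than 15 hops)


def build_update(routes, auth=None, password=b""):
    """Constructed RIPv2 response. routes: iterable of (network, mask, metric)."""
    packet = RIP_HEADER.pack(RESPONSE, 2, 0)
    if auth == AUTH_SIMPLE:
        # "16s" zero-pads the password to the 16-byte authentication field.
        packet += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password)
    for network, mask, metric in routes:
        packet += RIP_ENTRY.pack(2, 0, IPv4Address(network).packed,
                                 IPv4Address(mask).packed, b"\0" * 4, metric)
    return packet


def parse_update(packet):
    """Return command, version, auth type, recovered simple password and routes."""
    if len(packet) < RIP_HEADER.size or (len(packet) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise ValueError("malformed RIP packet length")
    command, version, zero = RIP_HEADER.unpack_from(packet)
    if zero != 0:
        raise ValueError("must-be-zero field is set")
    auth, password, routes = "none", None, []
    for index, offset in enumerate(range(RIP_HEADER.size, len(packet), RIP_ENTRY.size)):
        afi, tag, addr, mask, nexthop, metric = RIP_ENTRY.unpack_from(packet, offset)
        if afi == AUTH_AFI:
            if index != 0:
                continue  # an MD5 digest trailer, not a route
            if tag == AUTH_SIMPLE:
                auth = "simple"
                password = (addr + mask + nexthop + struct.pack("!I", metric)).rstrip(b"\0")
            elif tag == AUTH_MD5:
                auth = "md5"
            else:
                auth = "unknown(%d)" % tag
            continue
        if not 1 <= metric <= INFINITY:
            raise ValueError("invalid metric %d" % metric)
        routes.append({"network": str(IPv4Address(addr)), "mask": str(IPv4Address(mask)),
                       "metric": metric, "reachable": metric < INFINITY})
    return {"command": command, "version": version, "auth": auth,
            "password": password, "routes": routes}


def check_update(packet, expected_auth, password=b""):
    """Accept only updates whose authentication matches the interface policy."""
    info = parse_update(packet)
    if info["auth"] != expected_auth:
        return False, "authentication is %s, interface expects %s" % (info["auth"], expected_auth)
    if expected_auth == "simple" and not hmac.compare_digest(info["password"], password):
        return False, "simple password mismatch"
    return True, "%d route(s) accepted" % len(info["routes"])


if __name__ == "__main__":
    update = build_update([("110.0.0.0", "255.0.0.0", 1), ("130.0.0.0", "255.0.0.0", 2)],
                          AUTH_SIMPLE, b"rip-key")
    print(check_update(update, "simple", b"rip-key"))
    print(check_update(build_update([("120.0.0.0", "255.0.0.0", 1)]), "simple", b"rip-key"))
```

A simple password travels in clear text in every update, so the check above only proves that a sender knows the string; the comparison is still done in constant time to keep the listener itself from leaking it.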
16 Configuring RDP
The Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on their networks. This implementation of RDP supports the router requirements as defined in RFC 1256.
In This Chapter
This chapter describes the RDP feature and how to configure RDP parameters through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
RDP Specifications
RFCs Supported: RFC 1256–ICMP Router Discovery Messages
Router advertisements: Supported
Host solicitations: Only responses to solicitations supported in this release.
Maximum number of RDP interfaces per switch: One for each available IP interface configured on the switch.
Advertisement destination addresses: 224.0.0.1 (all systems multicast), 255.255.255.
Quick Steps for Configuring RDP
Configuring RDP involves enabling RDP operation on the switch and creating RDP interfaces to advertise VLAN router IP addresses on the LAN. There is no order of configuration involved. For example, it is possible to create RDP interfaces even if RDP is not enabled on the switch. The following steps provide a quick tutorial on how to configure RDP.
-> show ip router-discovery interface Marketing
Name = Marketing,
IP Address = 11.255.4.1,
IP Mask = 255.0.0.0,
IP Interface status = Enabled,
RDP Interface status = Enabled,
VRRP Interface status = Disabled,
Advertisement address = 224.0.0.
RDP Overview
End hosts (clients) sending traffic to other networks need to forward their traffic to a router. In order to do this, hosts need to find out if one or more routers exist on their LAN and learn their IP addresses. One way to discover neighboring routers is to manually configure a list of router IP addresses that the host reads at startup. Another method available involves listening to routing protocol traffic to gather a list of router IP addresses.
RDP Interfaces
An RDP interface is created by enabling RDP on an IP router interface. Once enabled, the RDP interface becomes active and joins the all-routers IP multicast group (224.0.0.2). The interface then transmits 3 initial router advertisement messages at random intervals that are no greater than 16 seconds apart. This process occurs upon activation to increase the likelihood that end hosts will quickly discover this router.
Security Concerns
ICMP RDP packets are not authenticated, which makes them vulnerable to the following attacks:
• Passive monitoring—Attackers can use RDP to re-route traffic from vulnerable systems through the attacker’s system. This allows the attacker to monitor or record one side of the conversation. However, the attacker must reside on the same network as the victim for this scenario to work.
Enabling/Disabling RDP
RDP is included in the base software and is available when the switch starts up. However, by default this feature is not operational until it is enabled on the switch. To enable RDP operation on the switch, use the following command:
-> ip router-discovery enable
Once enabled, any existing RDP interfaces on the switch that are also enabled will activate and start to send initial advertisements.
Creating an RDP Interface
When an RDP interface is created, it is automatically configured with the following default parameter values:
RDP Interface Parameter: Default
Advertisement destination address: All systems multicast (224.0.0.1)
Advertisement time interval defined by maximum and minimum values: Maximum = 600 seconds; Minimum = 450 seconds (0.75 * maximum value)
Advertisement lifetime: 1800 seconds (3 * maximum value)
Router IP address preference level.
Setting the Maximum Advertisement Interval
To set the maximum amount of time, in seconds, that RDP will allow between advertisements, use the ip router-discovery interface max-advertisement-interval command.
Setting the Preference Levels for Router IP Addresses
A preference level is assigned to each router IP address contained within an advertisement packet. Hosts will select the IP address with the highest preference level to use as the default router gateway address. By default, this value is set to zero. To specify a preference level for IP addresses advertised from a specific RDP interface, use the ip router-discovery interface preference-level command.
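The following is an added example, not part of this guide and not Alcatel code. It builds and parses ICMP Router Advertisement messages in the RFC 1256 layout, applies the host-side rules described above (checksum check, pick the highest preference level, skip entries marked as unusable for a default route) and derives the default minimum interval and lifetime from a maximum interval (0.75 and 3 times the maximum, as in the defaults table). Because advertisements are unauthenticated, it also includes the check an operator would run on captured advertisements: report any advertised router address that is not one of the known gateways on that LAN. The router addresses and preference values are constructed.

```python
"""ICMP Router Advertisement (RFC 1256) parsing and checks (added example, not Alcatel code)."""
import struct
from ipaddress import IPv4Address

ROUTER_ADVERTISEMENT = 9                 # ICMP type
ADDR_ENTRY_SIZE = 2                      # 32-bit words per (address, preference) pair
NOT_A_DEFAULT = -0x80000000              # RFC 1256: never use this address as a default
ICMP_HEADER = struct.Struct("!BBHBBH")   # type, code, checksum, num addrs, entry size, lifetime
ROUTER_ENTRY = struct.Struct("!4si")     # router address, signed preference level


def internet_checksum(data):
    """One's complement sum of 16-bit words (RFC 1071); 0 when a checksummed message is intact."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def derive_timers(max_interval):
    """Default minimum interval and lifetime derived from the maximum interval."""
    return int(0.75 * max_interval), 3 * max_interval


def build_advertisement(routers, lifetime):
    """Constructed advertisement; routers is a list of (address, preference)."""
    body = b"".join(ROUTER_ENTRY.pack(IPv4Address(a).packed, p) for a, p in routers)
    header = ICMP_HEADER.pack(ROUTER_ADVERTISEMENT, 0, 0, len(routers), ADDR_ENTRY_SIZE, lifetime)
    csum = internet_checksum(header + body)
    return header[:2] + struct.pack("!H", csum) + header[4:] + body


def parse_advertisement(message):
    """Validate checksum and layout; return lifetime and (address, preference) list."""
    if internet_checksum(message) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, count, size, lifetime = ICMP_HEADER.unpack_from(message)
    if icmp_type != ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if size != ADDR_ENTRY_SIZE or len(message) != ICMP_HEADER.size + count * ROUTER_ENTRY.size:
        raise ValueError("inconsistent address entry layout")
    entries = ROUTER_ENTRY.iter_unpack(message[ICMP_HEADER.size:])
    return {"lifetime": lifetime, "routers": [(str(IPv4Address(a)), p) for a, p in entries]}


def select_default_router(routers):
    """Host rule: the usable address with the highest preference level."""
    usable = [(a, p) for a, p in routers if p != NOT_A_DEFAULT]
    return max(usable, key=lambda ap: ap[1])[0] if usable else None


def unexpected_routers(routers, known):
    """Defender check: advertised addresses that are not known gateways on this LAN."""
    return [a for a, _ in routers if a not in known]


if __name__ == "__main__":
    msg = build_advertisement([("11.255.4.1", 0), ("11.255.4.2", 10)], 1800)
    adv = parse_advertisement(msg)
    print(select_default_router(adv["routers"]), unexpected_routers(adv["routers"], {"11.255.4.1"}))
```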
17 Configuring DHCP Relay
The User Datagram Protocol (UDP) is a connectionless transport protocol that runs on top of IP networks. The DHCP Relay allows you to use nonroutable protocols (such as UDP) in a routing environment. UDP is used for applications that do not require the establishment of a session and end-to-end error checking. Email and file transfer are two applications that could use UDP.
DHCP Relay Specifications
The following table lists specifications for the DHCP Relay.
Quick Steps for Setting Up DHCP Relay
You should configure DHCP Relay on switches where packets are routed between IP networks. There is no separate command for enabling or disabling the relay service. DHCP Relay is automatically enabled on the switch whenever a DHCP server IP address is defined. To set up DHCP Relay, proceed as follows:
1 Identify the IP address of the DHCP server. Where the DHCP server has IP address 128.100.16.
DHCP Relay Overview
The DHCP Relay service, its corresponding port numbers, and configurable options are as follows:
• DHCP Relay Service: BOOTP/DHCP
• UDP Port Numbers 67/68 for Request/Response
• Configurable options: DHCP server IP address, Forward Delay, Maximum Hops, Forwarding Option, automatic switch IP configuration
The port numbers indicate the destination port numbers in the UDP header.
DHCP and the OmniSwitch
The unique characteristics of the DHCP protocol require a good plan before setting up the switch in a DHCP environment. Since DHCP clients initially have no IP address, placement of these clients in a VLAN is hard to determine. In simple networks (e.g., one VLAN) rules do not need to be deployed to support the BOOTP/DHCP relay functionality.
External DHCP Relay Application
The DHCP Relay may be configured on a router that is external to the switch. In this application example the switched network has a single VLAN configured with multiple segments. All of the network hosts are DHCP-ready, meaning they obtain their network address from the DHCP server. The DHCP server resides behind an external network router, which supports the DHCP Relay functionality.
Internal DHCP Relay
The internal DHCP Relay is configured using the UDP forwarding feature in the switch, available through the ip helper address command. For more information, see “DHCP Relay Implementation” on page 17-8. This application example shows a network with two VLANs, each with multiple segments. All network clients are DHCP-ready and the DHCP server resides on just one of the VLANs.
DHCP Relay Implementation
The OmniSwitch allows you to configure the DHCP Relay feature in one of two ways. You can set up a global DHCP request or you can set up the DHCP Relay based on the VLAN of the DHCP request. Both of these choices provide the same configuration options and capabilities. However, they are mutually exclusive. The following matrix summarizes the options.
Per-VLAN DHCP
For the Per-VLAN DHCP service, you must identify the number of the VLAN that makes the relay request.
Identifying the VLAN
You may enter one or more server IP addresses to which packets will be sent from a specified VLAN. Do this by using the ip helper address vlan command. The following syntax will identify the IP address 125.255.17.11 as the DHCP server for VLAN 3.
-> ip helper address 125.255.17.
Setting the Forward Delay
Forward Delay is a time period that gives the local server a chance to respond to a client before the relay forwards it further out in the network. The UDP packet that the client sends contains the elapsed boot time. This is the amount of time, measured in seconds, since the client last booted.
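The following is an added example, not part of this guide and not Alcatel code. It models the relay decision described in the sections above: a client BOOTREQUEST is held back while its elapsed-boot-time (secs) field is below the forward delay, dropped once its hop count reaches the maximum hops, and otherwise forwarded with the hop count incremented and the relay interface address written into giaddr so the server can pick a scope. The server list comes from either a global list or a per-VLAN table, and the two are treated as mutually exclusive, as the implementation matrix states. The forward delay and maximum hops values, the relay address 125.255.17.1, the client MAC and the packets are constructed for the example; 125.255.17.11 on VLAN 3 is the server address from the text.

```python
"""DHCP Relay forwarding decision (added example, not Alcatel code)."""
import struct
from ipaddress import IPv4Address

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # fixed 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_ADDR = b"\0" * 4


def build_request(mac, secs, hops=0, giaddr="0.0.0.0", xid=0x2A4F1C00):
    """Constructed client request carrying only the end option after the cookie."""
    header = BOOTP.pack(BOOTREQUEST, 1, 6, hops, xid, secs, 0x8000,   # broadcast flag set
                        ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, IPv4Address(giaddr).packed,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + b"\xff"


def header_fields(packet):
    """The header fields the relay decision depends on."""
    f = BOOTP.unpack_from(packet)
    return {"op": f[0], "hops": f[3], "secs": f[5], "giaddr": str(IPv4Address(f[10]))}


def relay(packet, vlan, relay_ip, global_servers=(), vlan_servers=None,
          forward_delay=3, max_hops=4):
    """Return (action, packet to forward or None, server addresses to send it to).

    forward_delay and max_hops are example values, not the switch defaults.
    """
    vlan_servers = vlan_servers or {}
    if global_servers and vlan_servers:
        raise ValueError("global and per-VLAN DHCP relay are mutually exclusive")
    fields = list(BOOTP.unpack_from(packet))
    op, hops, secs, giaddr = fields[0], fields[3], fields[5], fields[10]
    if op != BOOTREQUEST:
        return "ignore", None, []               # replies follow the server-to-client path
    if secs < forward_delay:
        return "drop:forward-delay", None, []   # give a local server a chance to answer first
    if hops >= max_hops:
        return "drop:max-hops", None, []        # request has crossed too many relays
    servers = list(global_servers) or list(vlan_servers.get(vlan, []))
    if not servers:
        return "drop:no-server", None, []
    fields[3] = hops + 1
    if giaddr == ZERO_ADDR:
        fields[10] = IPv4Address(relay_ip).packed   # first relay stamps its own address
    return "forward", BOOTP.pack(*fields) + packet[BOOTP.size:], servers


if __name__ == "__main__":
    request = build_request(b"\x00\x11\x22\x33\x44\x55", secs=8)
    action, forwarded, servers = relay(request, 3, "125.255.17.1",
                                       vlan_servers={3: ["125.255.17.11"]})
    print(action, servers, header_fields(forwarded))
```

The secs comparison is what makes the forward delay work: a client that has just booted reports a small elapsed time, so a relay with a non-zero delay stays quiet until a server on the local segment has had its chance.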
Using Automatic IP Configuration
An additional function of the DHCP Relay feature enables a switch to broadcast a BootP or DHCP request packet at boot time to obtain an IP address for default VLAN 1. This function is separate from the previously described functions (such as Global DHCP, per-VLAN DHCP and related configurable options) in that enabling or disabling automatic IP configuration does not exclude or prevent other DHCP Relay functionality.
Configuring UDP Port Relay
In addition to configuring a relay operation for BOOTP/DHCP traffic on the switch, it is also possible to configure relay for generic UDP service ports (i.e., NBNS/NBDD, other well-known UDP service ports, and service ports that are not well-known). This is done using UDP Port Relay commands to enable relay on these types of ports and to specify up to 256 VLANs that can forward traffic destined for these ports.
Enabling/Disabling UDP Port Relay
By default, a global relay operation is enabled for BOOTP/DHCP relay well-known ports 67 and 68, which becomes active when an IP network host address for a DHCP server is specified. To enable or disable a relay operation for a UDP service port, use the ip udp relay command.
Verifying the DHCP Relay Configuration
To display information about the DHCP Relay and BOOTP/DHCP, use the show commands listed below. For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show ip helper command is also given in “Quick Steps for Setting Up DHCP Relay” on page 17-3.
18 Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) is a standard router redundancy protocol supported in IP version 4. It is based on RFC 2338 and provides redundancy by eliminating the single point of failure inherent in a default route environment.
In This Chapter
This chapter describes VRRP and how to configure it through the Command Line Interface (CLI).
VRRP Specifications
RFCs Supported: RFC 2338–Virtual Router Redundancy Protocol; RFC 2787–Definitions of Managed Objects for the Virtual Router Redundancy Protocol
Compatible with HSRP? No
Maximum number of virtual routers: 7
Maximum number of IP addresses: 1 for the IP address owner; more than 1 address may be configured if the router is a backup for a master router that supports multiple addresses
VRRP Defaults
The following table lists the defaults for VRRP conf
Quick Steps for Creating a Virtual Router
1 Create a virtual router. Specify a virtual router ID (VRID) and a VLAN ID. For example:
-> vrrp 6 4
The VLAN must already be created on the switch. For information about creating VLANs, see Chapter 4, “Configuring VLANs.”
2 Configure an IP address for the virtual router.
-> vrrp 6 4 ip 10.10.2.
VRRP Overview
VRRP allows routers on a LAN to back up a default route. VRRP dynamically assigns responsibility for a virtual router to a physical router (VRRP router) on the LAN. The virtual router is associated with an IP address (or set of IP addresses) on the LAN. A virtual router master is elected to forward packets for the virtual router’s IP address. If the master router becomes unavailable, the highest priority backup router will transition to the master state.
Note.
If OmniSwitch A becomes unavailable, OmniSwitch B becomes the master router. OmniSwitch B will then respond to ARP requests for IP address A using the virtual router’s MAC address (00:00:5E:00:01:01). It will also forward packets for IP address B and respond to ARP requests for IP address B using the OmniSwitch’s physical MAC address. OmniSwitch B, however, cannot accept packets addressed to IP address A (such as ICMP ping requests).
If backup routers are configured with priority values that are close in value, there may be a timing conflict, and the first backup to take over may not be the one with the highest priority; a backup with a higher priority will then preempt the new master. The virtual router may be configured to prohibit any preemption attempts, except by the IP address owner.
VRRP Tracking
A virtual router’s priority may be conditionally modified to prevent another router from taking over as master. Tracking policies are used to conditionally modify the priority setting whenever a VLAN, slot/port, and/or IP address associated with a virtual router goes down.
Configuration Overview
VRRP is part of the base software. At startup, VRRP is loaded onto the switch and is enabled. Virtual routers must first be configured and enabled as described in the following sections.
• Preempt mode. By default, preempt mode is enabled. Use no preempt to turn it off, and preempt to turn it back on. For more information about the preempt mode, see “Setting Preemption for Virtual Routers” on page 18-11.
• Advertising interval (in seconds). Use the interval keyword with the desired number of seconds for the delay in sending VRRP advertisement packets. The default is 1 second. See “Configuring the Advertisement Interval” on page 18-10.
Configuring the Advertisement Interval
The advertisement interval is configurable, but all virtual routers with the same VRID should be configured with the same value. Mismatched values will create network problems.
In the above example, virtual router 6 is disabled. (If you are modifying an existing virtual router, the virtual router must be disabled before it may be modified.) The virtual router priority is then set to 50. The priority value is relative to the priority value configured for other virtual routers backing up the same IP address. Since the default priority is 100, setting the value to 50 would typically provide a router with lower priority in the VRRP network.
A virtual router must be disabled before it may be modified. Use the vrrp command to disable the virtual router first; then use the command again to modify the parameters. For example:
-> vrrp 7 3 disable
-> vrrp 7 3 priority 200
-> vrrp 7 3 enable
In this example, virtual router 7 on VLAN 3 is disabled. The virtual router is then modified to change its priority setting.
Creating Tracking Policies
To create a tracking policy, use the vrrp track command and specify the amount to decrease a virtual router’s priority and the slot/port, IP address, or IP interface name to be tracked. For example:
-> vrrp track 3 enable priority 50 interface Marketing
In this example, a tracking policy ID (3) is created and enabled for the Marketing IP interface.
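The following is an added example, not part of this guide and not Alcatel code. It is a small model of the election rules described in the overview, the preemption discussion and the tracking policy section above: the IP address owner always becomes master, otherwise the router with the highest effective priority (configured priority minus the decrements of tracking policies whose tracked object is down) wins, and a router only displaces a running master when its preempt mode is on, with the owner exempt from that restriction. Equal priorities are broken by the higher primary IP address, as RFC 2338 specifies. The router names and addresses, the priority values and the clamp to a minimum priority of 1 are assumptions for the example; the 50-point decrement for the Marketing interface is the one from the vrrp track command above.

```python
"""VRRP master election with priority, preemption and tracking (added example, not Alcatel code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

OWNER_PRIORITY = 255      # RFC 2338: the address owner runs at priority 255
DEFAULT_PRIORITY = 100    # switch default from the text


@dataclass
class VrrpRouter:
    name: str
    address: str                      # primary IP address on the VLAN
    priority: int = DEFAULT_PRIORITY
    owner: bool = False               # owns the virtual router's IP address
    preempt: bool = True              # preempt mode is on by default
    tracks: list = field(default_factory=list)  # (tracked object, priority decrement)

    def effective_priority(self, down):
        if self.owner:
            return OWNER_PRIORITY
        loss = sum(dec for obj, dec in self.tracks if obj in down)
        return max(1, self.priority - loss)   # assumption: never reduced to 0 here

    def rank(self, down):
        # Higher priority wins; on a tie, the higher primary IP address wins.
        return (self.effective_priority(down), int(IPv4Address(self.address)))


def elect(routers, current_master, down=frozenset()):
    """Return the master's name after one election round.

    `down` holds the names of failed routers and of tracked objects that are down.
    """
    alive = [r for r in routers if r.name not in down]
    if not alive:
        return None
    best = max(alive, key=lambda r: r.rank(down))
    current = next((r for r in alive if r.name == current_master), None)
    if current is None or best is current:
        return best.name              # no master, or the master is still the best
    if best.rank(down) > current.rank(down) and (best.preempt or best.owner):
        return best.name              # a better router takes over only if allowed to preempt
    return current.name


if __name__ == "__main__":
    a = VrrpRouter("A", "10.10.2.1", tracks=[("Marketing", 50)])
    b = VrrpRouter("B", "10.10.2.2", priority=80)
    master = elect([a, b], None)
    print("initial master:", master)
    master = elect([a, b], master, {"Marketing"})
    print("Marketing down on A:", master)
    print("Marketing restored:", elect([a, b], master))
```

Run through the tracking example in the text: A starts as master at 100; when the Marketing interface goes down its priority drops to 50, so B (80) preempts; when Marketing returns, A regains 100 and, with preempt mode on, takes the virtual router back, which is exactly why the note on the tracking example says preempt must be enabled on virtual router 1.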
Verifying the VRRP Configuration
A summary of the show commands used for verifying the VRRP configuration is given here:
show vrrp: Displays the virtual router configuration for all virtual routers or for a particular virtual router.
show vrrp statistics: Displays statistics about VRRP packets for all virtual routers configured on the switch or for a particular virtual router.
show vrrp track: Displays information about tracking policies on the switch.
VRRP Application Example
In addition to providing redundancy, VRRP can assist in load balancing outgoing traffic. The figure below shows two virtual routers with their hosts splitting traffic between them. Half of the hosts are configured with a default route to virtual router 1’s IP address (10.10.2.250), and the other half are configured with a default route to virtual router 2’s IP address (10.10.2.245).
Note. The same VRRP configuration must be set up on each OmniSwitch 6624/6648 stack. The VRRP router that contains, or owns, the IP address will automatically become the master for that virtual router. If the IP address is a virtual address, the virtual router with the highest priority will become the master router.
VRRP Tracking Example
The figure below shows two VRRP routers with two virtual routers backing up one IP address on each VRRP router respectively. Virtual router 1 serves as the default gateway on OmniSwitch A for clients 1 and 2 through IP address 10.10.2.250.
Note. The preempt option must be enabled on virtual router 1; otherwise the original master will not be able to take over. See “Setting Preemption for Virtual Routers” on page 18-11 for more information about enabling preemption.
19 Managing Authentication Servers
This chapter describes authentication servers and how they are used with the switch. The types of servers described include Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and SecurID’s ACE/Server.
Authentication Server Specifications
RADIUS RFCs Supported: RFC 2865–Remote Authentication Dial In User Service (RADIUS); RFC 2866–RADIUS Accounting; RFC 2867–RADIUS Accounting Modifications for Tunnel Protocol Support; RFC 2868–RADIUS Attributes for Tunnel Protocol Support; RFC 2809–Implementation of L2TP Compulsory Tunneling via RADIUS; RFC 2869–RADIUS Extensions; RFC 2548–Microsoft Vendor-specific RADIUS Attributes; RFC 2882–Network Access S
Server Defaults
The defaults for authentication server configuration on the switch are listed in the tables in the next sections.
Quick Steps For Configuring Authentication Servers
1 For RADIUS or LDAP servers, configure user attribute information on the servers. See “RADIUS Servers” on page 19-9 and “LDAP Servers” on page 19-15.
2 Use the aaa radius-server and/or the aaa ldap-server command to configure the authentication server(s). For example:
-> aaa radius-server rad1 host 10.10.2.1 10.10.3.5 key amadeus
-> aaa ldap-server ldap2 host 10.10.3.
Server Overview
Authentication servers are sometimes referred to as AAA servers (authentication, authorization, and accounting). These servers are used for storing information about users who want to manage the switch (Authenticated Switch Access) and users who need access to a particular VLAN or VLANs (Authenticated VLANs). RADIUS or LDAP servers may be used for Authenticated Switch Access and/or Authenticated VLANs.
A RADIUS server supporting the challenge and response mechanism as defined in RADIUS RFC 2865 may access an ACE/Server for authentication purposes. The ACE/Server is then used for user authentication, and the RADIUS server is used for user authorization.
[Figure: End stations send login requests to the OmniSwitch 6648; the switch consults an LDAP or RADIUS server, which may in turn use an ACE/Server for authentication.] The switch polls the server and receives login and privilege information about the user.
Port-Based Network Access Control (802.1X)
For devices authenticating on an 802.1X port on the switch, only RADIUS authentication servers are supported. The RADIUS server contains a database of user names and passwords, and may also contain challenges/responses and other authentication criteria.
ACE/Server
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2 authentication or for policy management. Attributes are not supported on ACE/Servers. These values must be configured on the switch through the user commands. See the “Switch Security” chapter of the OmniSwitch 6624/6648 Switch Management Guide for more information about setting up the local user database.
RADIUS Servers
RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific Attributes (VSAs) is required. The Alcatel attributes may include VLAN information, time-of-day, or slot/port restrictions.
Num. / Standard Attribute / Notes
19 Callback-Number, 20 Callback-Id, 21 Unassigned, 22 Framed-Route, 23 Framed-IPX-Network: Not supported. These attributes are used for dial-up sessions; not applicable to the RADIUS client in the switch.
24 State: Sent in challenge/response packets.
25 Class: Used to pass information from the server to the client and passed unchanged to the accounting server as part of the accounting-request packet.
Vendor-Specific Attributes for RADIUS
The Alcatel RADIUS client supports attribute 26, which includes a vendor ID and some additional subattributes called subtypes. The vendor ID and the subtypes collectively are called Vendor Specific Attributes (VSAs). Alcatel, through partnering arrangements, has included these VSAs in some vendors’ RADIUS server configurations. The attribute subtypes are defined in the server’s dictionary file.
Configuring Functional Privileges on the Server
Configuring the functional privileges attributes (Alcatel-Acce-Priv-F-x) can be cumbersome because it requires using read and write bitmasks for command families on the switch.
1 To display the functional bitmasks of the desired command families, use the show aaa priv hexa command.
2 On the RADIUS server, configure the functional privilege attributes with the bitmask values.
Note.
RADIUS Accounting Server Attributes
The following table lists the standard attributes supported for RADIUS accounting servers. The attributes in the radius.ini file may be modified if necessary.
Num. / Standard Attribute / Description
1 User-Name: Used in access-request and account-request packets.
4 NAS-IP-Address: Sent with every access-request. Specifies which switches a user may have access to. More than one of these attributes is allowed per user.
The following table lists the VSAs supported for RADIUS accounting servers. The attributes in the radius.ini file may be modified if necessary.
Num. / Accounting VSA / Type / Description
1 Alcatel-Auth-Group (integer): The authenticated VLAN number. The only protocol associated with this attribute is Ethernet II. If other protocols are required, use the protocol attribute instead.
2 Alcatel-Slot-Port (string): Slot(s)/port(s) valid for the user.
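The following is an added example, not part of this guide and not Alcatel code. It encodes and decodes a RADIUS attribute list, unpacking attribute 26 into the vendor ID and the vendor-type/vendor-length/value subtypes described under “Vendor-Specific Attributes for RADIUS”, and names the two Alcatel accounting VSAs listed in the table above (subtype 1 Alcatel-Auth-Group as an integer, subtype 2 Alcatel-Slot-Port as a string). Every length field is bounds-checked before it is used, which is what protects a client from a malformed reply. The vendor ID constant is an assumption to be checked against the server’s dictionary file; the user name and attribute values are constructed.

```python
"""RADIUS attribute list parsing with Vendor-Specific Attribute (26) decoding
(added example, not Alcatel code)."""
import struct

ATTR_USER_NAME, ATTR_CLASS, ATTR_VSA = 1, 25, 26
ALCATEL_VENDOR_ID = 800   # assumption (Xylan/Alcatel enterprise number); verify in the dictionary file
ALCATEL_SUBTYPES = {1: ("Alcatel-Auth-Group", "integer"),
                    2: ("Alcatel-Slot-Port", "string")}


def encode_attribute(attr_type, data):
    """Type, length (including the 2-byte header), value (RFC 2865 section 5)."""
    if not 0 <= len(data) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_vsa(vendor_id, subtype, value):
    """One vendor sub-attribute wrapped in an attribute 26."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    sub = struct.pack("!BB", subtype, 2 + len(data)) + data
    return encode_attribute(ATTR_VSA, struct.pack("!I", vendor_id) + sub)


def decode_vsa(payload):
    """Split the vendor-specific payload into (26, name, value) tuples."""
    if len(payload) < 6:
        raise ValueError("VSA shorter than vendor id plus one sub-attribute header")
    vendor = struct.unpack("!I", payload[:4])[0]
    if vendor >> 24:
        raise ValueError("high octet of vendor id must be zero")
    results, offset = [], 4
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated vendor sub-attribute")
        subtype, sublen = payload[offset], payload[offset + 1]
        if sublen < 2 or offset + sublen > len(payload):
            raise ValueError("bad vendor sub-attribute length")
        data = payload[offset + 2:offset + sublen]
        name, kind = "vendor-%d-subtype-%d" % (vendor, subtype), "octets"
        if vendor == ALCATEL_VENDOR_ID and subtype in ALCATEL_SUBTYPES:
            name, kind = ALCATEL_SUBTYPES[subtype]
        if kind == "integer" and len(data) == 4:
            data = struct.unpack("!I", data)[0]
        elif kind == "string":
            data = data.decode("ascii", "replace")
        results.append((ATTR_VSA, name, data))
        offset += sublen
    return results


def decode_attributes(payload):
    """Walk a RADIUS attribute list; returns (type, VSA name or None, value) tuples."""
    results, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[offset], payload[offset + 1]
        if length < 2 or offset + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[offset + 2:offset + length]
        if attr_type == ATTR_VSA:
            results.extend(decode_vsa(value))
        else:
            results.append((attr_type, None, value))
        offset += length
    return results


if __name__ == "__main__":
    attrs = (encode_attribute(ATTR_USER_NAME, b"yname")
             + encode_vsa(ALCATEL_VENDOR_ID, 1, 20)
             + encode_vsa(ALCATEL_VENDOR_ID, 2, "2/1-4"))
    for item in decode_attributes(attrs):
        print(item)
```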
Managing Authentication Servers LDAP Servers LDAP Servers Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP client in the switch is based on several RFCs: 1798, 2247, 2251, 2252, 2253, 2254, 2255, and 2256. The protocol was developed as a way to use directory services over TCP/IP and to simplify the directory access protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort. Originally it was a front-end for X.500 DAP.
LDAP Servers Managing Authentication Servers LDAP servers are also able to import and export directory databases using LDIF (LDAP Data Interchange Format). LDIF File Structure LDIF is used to transfer data to LDAP servers in order to build directories or modify LDAP databases. LDIF files specify multiple directory entries or changes to multiple entries, but not both. The file is in simple text format and can be created or modified in any text editor.
uid: yname
ou: people
description: ...
Directory Entries
Directory entries are used to store data in directory servers. LDAP-enabled directory entries contain information about an object (person, place, or thing) in the form of a Distinguished Name (DN) that should be created in compliance with the LDAP protocol naming conventions.
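As an added example (not code from the manual), here is a small LDIF reader in Python that handles the file structure just described: comment and version lines, folded continuation lines, base64 (::) values, and the rule that one file holds either directory entries or change records, never both. The sample records are constructed to match the uid/ou/description fragment above and the directory tree used later in this chapter.

```python
import base64

# Constructed sample LDIF (not from the manual): two content records.
SAMPLE_LDIF = """\
version: 1
# two entries under the people branch of the tree
dn: uid=yname,ou=people,o=your company,c=US
objectClass: person
uid: yname
ou: people
cn: Your Fu
 ll Name
description:: RGVwdDogUiZE

dn: cn=co-worker full name,ou=section,o=your company,c=US
objectClass: person
ou: section
"""

# Constructed file that illegally mixes a content record with a change record.
MIXED_LDIF = """\
dn: uid=yname,ou=people,o=your company,c=US
uid: yname

dn: uid=other,ou=people,o=your company,c=US
changetype: delete
"""


def _unfold(text):
    """Join continuation lines: a line beginning with one space continues the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Parse LDIF into a list of {'dn': ..., 'attrs': {name: [values]}} records.

    Attribute names are lower-cased (LDAP treats them case-insensitively). A file
    that mixes entries with change records (changetype:) is rejected."""
    records, current, kinds = [], None, set()

    def finish():
        if current is not None:
            kinds.add("change" if "changetype" in current["attrs"] else "content")
            records.append(current)

    for line in _unfold(text) + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            finish()
            current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = name.strip().lower()
        if rest.startswith(":"):                # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL-valued attributes are not supported here")
        else:
            value = rest.strip()
        if name == "version":
            continue
        if name == "dn":
            if current is not None:
                raise ValueError("dn inside a record; records must be separated by a blank line")
            current = {"dn": value, "attrs": {}}
            continue
        if current is None:
            raise ValueError(f"attribute {name!r} appears before any dn")
        current["attrs"].setdefault(name, []).append(value)

    if len(kinds) > 1:
        raise ValueError("LDIF file mixes directory entries and change records")
    return records


def validate_ldif(text):
    """Return None if the text parses cleanly, otherwise the error message."""
    try:
        parse_ldif(text)
    except (ValueError, UnicodeDecodeError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["dn"], rec["attrs"])
    print(validate_ldif(MIXED_LDIF))
```

Validating an LDIF file before feeding it to the server is worth the few lines: a change record slipped into what should be a pure content load would otherwise be applied as a modification of the live directory.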
[Figure: Directory Information Tree. Labels shown: ROOT; dn=c=US; c=Canada; c=US; dn=o=your company,c=US; st=Arizona; o=your company; st=California; ou=department; ou=function; cn=your full name; ou=section; cn=co-worker full name; and the example DN cn=your full name, ou=your function, o=your company, c=US.]
Directory Searches
DNs are always the starting point for searches unless indicated otherwise in the directory schema.
Modified attribute values are replaced with other given values by submitting replace requests to the server, which then translates and performs the requests.
Directory Compare and Sort
LDAP will compare directory entries with given attribute values to find the information it needs. The Compare function in LDAP uses a DN as the identity of an entry, and searches the directory with the type and value of an attribute.
Component / Description
attributes / Attributes to be returned for entry search results. All attributes are returned if search attributes are not specified.
scope / Different results are retrieved depending on the scope associated with the entry search. “base” search: retrieves information about the distinguished name as specified in the URL. This is a search. Base searches are assumed when the scope is not designated.
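The URL components described above can be checked with the following Python parser, an added example rather than anything from the manual. It splits an RFC 2255 LDAP URL (ldap://host:port/dn?attributes?scope?filter?extensions) into its parts and applies the two defaults the text states: every attribute is returned when none are listed, and a base search is assumed when no scope is given. The host names and DNs in the usage are constructed.

```python
from urllib.parse import urlsplit, unquote

VALID_SCOPES = {"base", "one", "sub"}


def parse_ldap_url(url):
    """Split an LDAP URL into host, port, dn, attributes, scope, filter and extensions.

    An empty attribute list means "all attributes"; a missing scope is a base search;
    a missing filter is the RFC 2255 default (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    # Everything after the first '?' is the attributes?scope?filter?extensions tail.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 4:
        raise ValueError("too many '?'-separated fields in LDAP URL")
    fields += [""] * (4 - len(fields))
    attrs_field, scope_field, filter_field, ext_field = fields
    scope = scope_field.lower() or "base"          # default scope is base
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope_field!r}")
    return {
        "host": parts.hostname or "",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": unquote(parts.path[1:]) if parts.path.startswith("/") else "",
        "attributes": [unquote(a) for a in attrs_field.split(",") if a],   # [] = all
        "scope": scope,
        "filter": unquote(filter_field) or "(objectClass=*)",
        "extensions": [unquote(e) for e in ext_field.split(",") if e],
    }


if __name__ == "__main__":
    # Constructed URLs: a subtree search returning two attributes, and a bare base search.
    print(parse_ldap_url("ldap://ldap.example.com/o=your%20company,c=US?cn,mail?sub?(uid=yname)"))
    print(parse_ldap_url("ldaps://ldap.example.com/o=your%20company,c=US"))
```

Knowing that the scope silently defaults to "base" matters when an authentication searchbase is typed as a URL: a base search returns only the searchbase entry itself, not the users beneath it.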
Directory Server Schema for LDAP Authentication
Object classes and attributes will need to be modified accordingly to include LDAP authentication in the network (object classes and attributes are used specifically here to map user account information contained in the directory servers).
• All LDAP-enabled directory servers require entry of an auxiliary objectClass:passwordObject for user password policy information.
For more information about configuring users on the switch, see the Switch Security chapter of the OmniSwitch 6624/6648 Switch Management Guide.
Configuring Authentication Key Attributes
The alp2key tool is provided on the Alcatel software CD for computing SNMP authentication keys. The alp2key application is supplied in two versions, one for Unix (Solaris 2.5.1 or higher) and one for Windows (NT 4.0 and higher).
• Switch VLAN number client joins in multiple authority mode (0=single authority; 2=multiple authority); variable-length digits.
• Switch slot number to which client connects: nn
• Switch port number to which client connects: nn
• Switch virtual interface to which client connects: nn
AccountStopTime
User account stop times are tracked in the AccountStopTime attribute, which keeps the time stamp and accounting information of successful user log-outs.
Dynamic Logging
Dynamic logging may be performed by an LDAP-enabled directory server if an LDAP server is configured first in the list of authentication servers configured through the aaa accounting vlan or aaa accounting session command. Any other servers configured are used for accounting (storing history records) only.
Field / Possible Values
accessType / Any one of the following: CONSOLE, MODEM, TELNET, HTTP, FTP, XCAP
ipAddress / The string IP followed by the IP address of the user.
port / (For Authenticated VLAN users only.) The string PORT followed by the slot/port number.
macAddress / (For Authenticated VLAN users only.) The string MAC followed by the MAC address of the user.
vlanList / (For Authenticated VLAN users only.
Note. The distinguished name must be different from the searchbase name.
Modifying an LDAP Authentication Server
To modify an LDAP authentication server, use the aaa ldap-server command with the server name; or, if you have just entered the aaa ldap-server command to create or modify the server, you can use command prefix recognition.
Verifying the Authentication Server Configuration
To display information about authentication servers, use the following command:
show aaa server / Displays information about a particular AAA server or AAA servers.
An example of the output for this command is given in “Quick Steps For Configuring Authentication Servers” on page 19-4.
20 Configuring Authenticated VLANs
Authenticated VLANs control user access to network resources based on VLAN assignment and a user log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another type of security is device authentication, which is set up through the use of port-binding VLAN policies or static port assignment. See Chapter 8, “Defining VLAN Rules.”) In this chapter, the terms authenticated VLANs (AVLANs) and Layer 2 Authentication are synonymous.
Authenticated Network Overview
An authenticated network involves several components as shown in this illustration.
• Web browser client. Any standard Web browser may be used (Netscape or Internet Explorer). An IP address is required prior to authentication. See “Web Browser Authentication Client” on page 20-7 for more information about Web browser clients.
• Authenticated VLANs. At least one authenticated VLAN must be configured. See “Configuring Authenticated VLANs” on page 20-26.
AVLAN Configuration Overview
Configuring authenticated VLANs requires several major steps. The steps are outlined here and described throughout this chapter. See “Sample AVLAN Configuration” on page 20-5 for a quick overview of implementing the commands used in these procedures.
1 Set up authentication clients. See “Setting Up Authentication Clients” on page 20-7.
2 Configure at least one authenticated VLAN.
Sample AVLAN Configuration
1 Enable at least one authenticated VLAN:
-> vlan 2 authentication enable
Note that this command does not create a VLAN; the VLAN must already be created. For information about creating VLANs, see Chapter 4, “Configuring VLANs.” The VLAN must also have a router port if Telnet or Web browser clients will be authenticating into this VLAN. The following command configures a router port on VLAN 2:
-> vlan 2 router ip 10.
6 Enable authentication by specifying the authentication mode (single mode or multiple mode) and the server. Use the RADIUS or LDAP server name(s) configured in step 5. For example:
-> aaa authentication vlan single-mode rad1 rad2
7 Set up an accounting server (for RADIUS or LDAP) for authentication sessions.
-> aaa accounting vlan rad3 local
Note.
Setting Up Authentication Clients
The following sections describe the Telnet authentication client, Web browser authentication client, and Alcatel’s proprietary AV-Client. For information about removing a particular client from an authenticated network, see “Removing a User From an Authenticated Network” on page 20-26.
with one authenticated VLAN. The address may be assigned dynamically if a DHCP server is located in the network. DHCP is required in networks with multiple authenticated VLANs.
• Configure a DHCP server. Web browser clients may get IP addresses via a DHCP server prior to authenticating, or after authentication in order to move into a different VLAN.
Installing Files for Mac OS 9.x Clients
1 In the browser URL command line, enter the authentication DNS name (configured through the aaa avlan dns command). The authentication page displays.
2 Click on the link to download the installation software. The javlanInstall.sit file is copied to the Mac desktop.
3 Double-click the javlanInstall.sit file on the desktop.
To set root access:
1 Open NetInfo from the HardDisk/Application/Utilities folder.
2 Select Domain > Security > Authenticate. Enter the administrator’s password if required.
3 Select Domain > Security > Enable Root. Enter the password.
4 Select System Preferences/Login and select the login prompt to display when opening a new session.
5 Quit the current session and log on again as the root user.
SSL for Web Browser Clients
A Secure Socket Layer (SSL) is used to authenticate Web browser clients. A certificate from a Certification Authority (CA) or a self-signed (private) certificate must be installed on the switch. A self-signed certificate is provided by Alcatel (wv-cert.pem). If you are using a well-known certificate or some other self-signed certificate, you should replace the wv-cert.pem file with the relevant file.
Installing the AV-Client
The AV-Client is a proprietary Windows-based application that is installed on client end stations. The installation instructions are provided in this chapter. The AV-Client does not require an IP address in order to authenticate; the client relies on the DLC protocol (rather than IP) to communicate with the authentication agent in the switch.
Windows 95
Install the 32-bit DLC protocol program and the update patch from the Microsoft FTP site (ftp.microsoft.com). From the FTP site, download the MSDLC32.EXE and DLC32UPD.EXE files (or the latest DLC protocol update). These files are self-extracting zip files. Follow these steps:
1 Double-click the MSDLC32.EXE file in the folder to which you want to download the file.
Note. Do not run MSDLC32.
3 We recommend that you follow the instructions on the screen regarding closing all Windows programs before proceeding with the installation. Click on the Next button. The following window displays.
4 From this window you may install the client at the default destination folder shown on the screen, or you may click the Browse button to select a different directory. Click on the Next button. The software loads, and the following window displays.
5 This window gives you the option of restarting your PC workstation now or later. You cannot use the AV-Client until you restart your computer.
Windows 95 and Windows 98
1 Download the AV-Client from the Alcatel website onto the Windows desktop.
2 Double-click the AV-Client icon. The installation routine begins and the following window displays:
3 We recommend that you follow the instructions on the screen regarding closing all Windows programs before proceeding with the installation. Click on the Next button. The following window displays:
4 From this window you may install the client at the default destination folder shown on the screen, or you may click the Browse button to select a different directory. Click on the Next button. The software loads, and the following window displays.
5 This window recommends that you read a text file included with the client before you exit the install shield. Click on the box next to “View the single sign-on Notes” to select this option.
Setting the AV-Client as Primary Network Login
Windows 95 and Windows 98
If your operating system is Windows 95 or Windows 98, you must configure the AV-Client as the primary network login. This is done via the Windows Control Panel. From your Windows desktop, select Start > Settings > Control Panel. Double-click on the Network icon on the Control Panel window. From the Configuration Tab, proceed as follows:
1 Click the Add button.
Selecting a Dialog Mode
The AV-Client has two dialog modes, basic and extended. In basic dialog mode, the client prompts the user for a username and a password only. In extended mode, which is required for multiple authority authentication, the client login screen also prompts the user for a VLAN number and an optional challenge code.
Viewing AV-Client Components
The configuration utility includes a screen that lists each component, version and build date for the AV-Client. To view this screen, click on the Version tab and a screen similar to the following will display.
Logging Into the Network Through an AV-Client
Once the AV-Client software has been loaded on a user’s PC workstation, an AV-Client icon will be created on the Windows desktop in the task bar. Follow these steps to log into the authentication network:
1 Right-click the AV-Client icon and select Logon. The following login screen displays:
2 Enter the user name for this device in the “Login Name?” field.
Logging Off the AV-Client
1 To log off the AV-Client, point your mouse to the AV-Client icon in your Windows system tray and right-click to select Logoff. The following screen displays.
2 To continue the procedure, click the Logoff button. The following screen indicates that the AV-Client is sending a logoff request to the authentication server.
Configuring the AV-Client for DHCP
For an AV-Client, DHCP configuration is not required. AV-Clients do not require an IP address to authenticate, but they may want an IP address for IP communication in an authenticated VLAN.
Note. If the AV-Client will be used with DHCP, the DHCP server must be configured as described in “Setting Up the DHCP Server” on page 20-29.
1 To configure the DHCP parameters, access the AV-Client configuration utility and select the DHCP tab. The following screen displays:
2 Click the box next to “Enable DHCP Operations”. Several options will activate in the utility window as shown in the following screen. When you click on a box next to an option, the option is activated in the configuration window.
4 To apply the change, click the Apply button. When you click the OK button, the screen will close and the change will take effect. If you decide not to implement the change, click the Cancel button and the screen will close without implementing a change.
Configuring Authenticated VLANs
At least one authenticated VLAN must be configured on the switch. For more information about VLANs in general, see Chapter 4, “Configuring VLANs.” To configure an authenticated VLAN, use the vlan authentication command to enable authentication on an existing VLAN. For example:
-> vlan 2 authentication enable
Note that the specified VLAN (in this case, VLAN 2) must already exist on the switch.
Configuring Authentication IP Addresses
Authentication clients connect to an IP address on the switch for authentication. (Web browser clients may enter a DNS name rather than the IP address; see “Setting Up a DNS Path” on page 20-29.)
Port Binding and Authenticated VLANs
By default, authenticated VLANs do not support port binding rules. These rules are used for assigning devices to authenticated VLANs when device traffic coming in on an authenticated port matches criteria specified in the rule. You can globally enable the switch so that port binding rules may be enabled on any authenticated VLAN on the switch.
Setting Up a DNS Path
A Domain Name Server (DNS) name may be configured so that Web browser clients may enter a URL on the browser command line instead of an authentication IP address. A Domain Name Server must be set up in the network for resolving the name to the authentication IP address.
Before Authentication
Normally, authentication clients cannot pass traffic in the default VLAN, so authentication clients do not belong to any VLAN when they connect to the switch. Even if DHCP relay is enabled, the DHCP discovery process cannot take place. To address this issue, a DHCP gateway address must be configured so that the DHCP relay “knows” which router port address to use for serving initial IP addresses.
When this command is specified, the switch will act as a relay for authentication DHCP packets only; non-authentication DHCP packets will not be relayed. For more information about using the ip helper avlan only command, see Chapter 17, “Configuring DHCP Relay.”
Configuring the Server Authority Mode
Authentication servers for Layer 2 authentication are configured in one of two modes: single authority or multiple authority. Single authority mode uses a single list of servers (one primary server and up to three backups) to poll with authentication requests. Multiple authority mode uses multiple lists of servers and backups, one list for each authenticated VLAN.
Note.
[Figure: Authentication Network—Single Mode. Labels shown: Authentication Clients; OmniSwitch 6648 (two switches); OmniSwitch; VLAN 1; Authenticated VLAN 2; Authenticated VLAN 3; Authenticated VLAN 4; LDAP or RADIUS servers.]
To configure authentication in single mode, use the aaa authentication vlan command with the single-mode keyword and the name(s) of the relevant server and any backups. At least one server must be specified; the maximum is four servers.
Configuring Multiple Mode
Multiple authority mode associates different servers with particular VLANs. This mode is typically used when one party is providing the network and another is providing the server. When this mode is configured, a client is first prompted to select a VLAN. After the VLAN is selected, the client then enters a user name and password.
To configure authentication in multiple mode, use the aaa authentication vlan command with the multiple-mode keyword, the relevant VLAN ID, and the names of the servers. The VLAN ID is required, and at least one server must be specified (a maximum of four servers is allowed per VLAN).
Verifying the AVLAN Configuration
To verify the authenticated VLAN configuration, use the following show commands:
show aaa authentication vlan / Displays information about authenticated VLANs and the server configuration.
show aaa accounting vlan / Displays information about accounting servers configured for Authenticated VLANs.
show avlan user / Displays MAC addresses for authenticated VLAN users on the switch.
21 Configuring 802.1X
Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may be authenticated by the switch through port-based network access control. This control is available through the IEEE 802.1X standard implemented on the switch.
In This Chapter
This chapter describes 802.1X ports used for port-based access control and how to configure them through the Command Line Interface (CLI).
802.1X Specifications
RFCs Supported
RFC 2284–PPP Extensible Authentication Protocol (EAP)
RFC 2865–Remote Authentication Dial In User Service (RADIUS)
RFC 2866–RADIUS Accounting
RFC 2867–RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868–RADIUS Attributes for Tunnel Protocol Support
RFC 2869–RADIUS Extensions
IEEE Standards Supported
IEEE 802.1X-2001–Standard for Port-based Network Access Control
802.1X RADIUS Usage Guidelines
802.
Quick Steps for Configuring 802.1X
1 Configure the port as a mobile port and an 802.1X port using the following vlan port commands:
-> vlan port mobile 3/1
-> vlan port 3/1 802.1x enable
The port is set up automatically with 802.1X defaults. See “802.1X Defaults” on page 21-2 for information about the defaults. For more information about vlan port commands, see Chapter 7, “Assigning Ports to VLANs.”
802.1X Overview
The 802.1X standard defines port-based network access controls, and provides the structure for authenticating physical devices attached to a LAN. It uses the Extensible Authentication Protocol (EAP). There are three components for 802.1X:
• The Supplicant—This is the device connected to the switch. The device may be connected directly to the switch or via a point-to-point LAN segment. Typically the supplicant is a PC or laptop.
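To make the supplicant side of the exchange concrete, here is an added Python example (not code from the manual or the switch) that parses the EAPOL frames a supplicant sends on the wire, as defined by IEEE 802.1X and RFC 2284: the Ethernet header with EtherType 0x888E, the EAPOL version, packet type and body length, and, for EAP-Packet frames, the EAP code, identifier, length, type and data. The two sample frames (an EAP-Response/Identity and an EAPOL-Logoff from a constructed MAC address) are built inline; the summarize function shows the kind of one-line record a monitoring tool could keep per port.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"   # destination used by supplicants (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_eap(body):
    """Parse an EAP packet (RFC 2284): Code, Identifier, Length, then Type and
    type-data for Request and Response packets."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type")
        etype = body[4]
        eap["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        eap["data"] = bytes(body[5:length])
    return eap


def parse_eapol_frame(frame):
    """Parse an Ethernet frame carrying EAPOL: Ethernet header, then EAPOL Version,
    Packet Type and Packet Body Length, and the body (EAP for type 0)."""
    if len(frame) < 18:
        raise ValueError("frame too short for EAPOL")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    info = {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "eap": None}
    if ptype == 0:
        info["eap"] = parse_eap(body)
    return info


def _frame(src, eapol_type, body=b""):
    """Build a constructed sample frame from a supplicant to the PAE group address."""
    dst = bytes.fromhex(PAE_GROUP_ADDRESS.replace(":", ""))
    return (dst + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", 1, eapol_type, len(body)) + body)


# Constructed samples: an EAP-Response/Identity and an EAPOL-Logoff from the same MAC.
IDENTITY = b"user@corp"
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 5 + len(IDENTITY)) + b"\x01" + IDENTITY
SAMPLE_IDENTITY_FRAME = _frame("00:11:22:33:44:55", 0, EAP_RESPONSE_IDENTITY)
SAMPLE_LOGOFF_FRAME = _frame("00:11:22:33:44:55", 2)


def summarize(frame):
    """One-line description a port-monitoring log might keep for the frame."""
    info = parse_eapol_frame(frame)
    line = f"{info['src']} -> {info['dst']} EAPOL {info['type']}"
    if info["eap"]:
        e = info["eap"]
        line += f" EAP {e['code']} id={e['id']} {e.get('type', '')}".rstrip()
        if e.get("type") == "Identity":
            line += f" identity={e['data'].decode('utf-8', 'replace')}"
    return line


if __name__ == "__main__":
    print(summarize(SAMPLE_IDENTITY_FRAME))
    print(summarize(SAMPLE_LOGOFF_FRAME))
```

Seeing an EAPOL-Logoff is operationally interesting because the port returns to the unauthorized state as soon as the switch processes it; the EAP identity in the Response/Identity travels in clear text, which is why it is normally an outer or anonymous identity when a tunnelled EAP method is used.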
Note that multiple supplicants can be authenticated on a given 802.1X port. Each supplicant MAC address received on the port is authenticated and learned separately. Only those that authenticate successfully are allowed on the port, as described above. Those that fail authentication are blocked on the 802.1X port. The global configuration of this feature is controlled by the aaa authentication 802.1x command. This command enables 802.
Compared to Authenticated VLANs
A given port cannot be both a VLAN-authenticated port and an 802.1X port. An 802.1X user, however, may be authenticated and moved into an authenticated VLAN if the RADIUS authentication server specifies a VLAN for that user and the authenticated VLAN is set up on the switch through the vlan authentication command. For information about configuring VLANs with authentication, see Chapter 4, “Configuring VLANs.” Both 802.
Setting Up Port-Based Network Access Control
For port-based network access control, 802.1X must be enabled for the switch and the switch must know which servers to use for authenticating 802.1X supplicants. In addition, 802.1X must be enabled on each port that is connected to an 802.1X supplicant (or device). Optional parameters may be set for each 802.1X port. The following sections describe these procedures in detail.
Setting 802.
Configuring the Port Control Direction
To configure the port control direction, use the 802.1x command with the direction keyword and either both for bidirectional or in for incoming traffic only. For example:
-> 802.1x 3/1 direction in
In this example, the port control direction is set to incoming traffic only on port 1 of slot 3.
Configuring the Maximum Number of Requests
During the authentication process, the switch sends requests for authentication information from the supplicant. By default, the switch will send up to two requests for information. If the supplicant does not reply within the timeout value configured for the supplicant timeout, the authentication session attempt will expire.
Configuring Accounting for 802.1X
To log 802.1X sessions, use the aaa accounting 802.1x command with the desired RADIUS server names; use the keyword local to specify that the Switch Logging function in the switch should be used to log 802.1X sessions. RADIUS servers are configured with the aaa radius-server command.
-> aaa accounting 802.1x rad1 local
In this example, the RADIUS server rad1 will be used for accounting.
22 Managing Policy Servers
Quality of Service (QoS) policies that are configured through Alcatel’s PolicyView network management application are stored on a Lightweight Directory Access Protocol (LDAP) server. PolicyView is an OmniVista application that runs on an attached workstation.
In This Chapter
This chapter describes how LDAP directory servers are used with the switch for policy management. There is no required configuration on the switch.
Policy Server Specifications
The following table lists important information about LDAP policy servers:
LDAP Policy Servers
RFCs Supported / RFC 2251–Lightweight Directory Access Protocol (v3); RFC 3060–Policy Core Information Model—Version 1 Specification
Maximum number of policy servers (supported on the switch) / 4
Maximum number of policy servers (supported by PolicyView) / 1
Policy Server Defaults
Defaults for the policy server command are as follo
Policy Server Overview
The Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP policy server client in the switch is based on RFC 2251. Currently, only LDAP servers are supported for policy management. When the policy server is connected to the switch, the switch is automatically configured to communicate with the server to download and manage policies created by the PolicyView application.
Modifying Policy Servers
Policy servers are automatically configured when the server is installed; however, policy server parameters may be modified if necessary.
Note. SSL configuration must be done manually through the policy server command.
Modifying LDAP Policy Server Parameters
Use the policy server command to modify parameters for an LDAP policy server.
Modifying the Port Number
To modify the port, enter the policy server command with the port keyword and the relevant port number.
-> policy server 10.10.2.3 port 5000
Note that the port number must match the port number configured on the policy server. If the port number is modified, any existing entry for that policy server is not removed. Another entry is simply added to the policy server table.
Note.
Configuring a Secure Socket Layer for a Policy Server
A Secure Socket Layer (SSL) may be configured between the policy server and the switch. If SSL is enabled, the PolicyView application can no longer write policies to the LDAP directory server. By default, SSL is disabled. To enable SSL, use the policy server command with the ssl option. For example:
-> policy server 10.10.2.3 ssl
SSL is now enabled between the specified server and the switch.
Interaction With CLI Policies
Policies configured via PolicyView can only be modified through PolicyView. They cannot be modified through the CLI. Any policy management done through the CLI only affects policies configured through the CLI. For example, the qos flush command only removes CLI policies; LDAP policies are not affected. Also, the policy server flush command removes only LDAP policies; CLI policies are not affected.
Note.
23 Configuring QoS
Alcatel’s QoS software provides a way to manipulate flows coming through the switch based on user-configured policies. The flow manipulation (generally referred to as Quality of Service or QoS) may be as simple as allowing/denying traffic, or as complicated as remapping 802.1p bits from a Layer 2 network to ToS values in a Layer 3 network.
QoS Specifications
Maximum number of policy rules / 128
Limits for Layer 3 rules with particular actions: ACL (Filter rules), Priority rules, Bandwidth/ToS rules 802.
QoS General Overview
Quality of Service (QoS) refers to transmission quality and available service that is measured and sometimes guaranteed in advance for a particular type of traffic in a network. QoS lends itself to circuit-switched networks like ATM, which bundle traffic into cells of the same length and transmit the traffic over predefined virtual paths.
QoS Policy Overview
A policy (or a policy rule) is made up of a condition and an action. The condition specifies parameters that the switch will examine in incoming flows, such as destination address or Type of Service (ToS) bits. The action specifies what the switch will do with a flow that matches the condition; for example, it may queue the flow with a higher priority, or reset the ToS bits. Policies may be created directly on the switch through the CLI or WebView.
It is possible to configure a valid QoS rule that is active on the switch but that the switch cannot enforce, because some other switch function (for example, routing) is disabled. See the condition and condition/action combination tables for more information about valid combinations (“Condition Combinations” on page 23-6 and “Condition/Action Combinations” on page 23-7).
Condition Combinations
The CLI prevents you from configuring invalid condition combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenario. For example, you might configure destination slot/port and destination interface type for the same condition. This is a valid combination, but will only be used to classify bridged traffic. Note the following:
• Layer 2 and Layer 3/4 conditions cannot be combined.
Condition/Action Combinations
Conditions and actions are combined in policy rules. The CLI prevents you from configuring invalid condition/action combinations that are never allowed; however, it does allow you to create combinations that are supported in some scenario. For example, a destination MAC address condition may be combined with an action specifying priority for flows that are bridged only.
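The two rules stated in the "Condition Combinations" and "Condition/Action Combinations" sections above can be checked offline before a policy set is pasted into the switch. The following Python linter is an added example, not Alcatel code, and it is deliberately narrow: it rejects a rule that mixes Layer 2 with Layer 3/4 conditions, and it flags the two "valid but bridged-only" situations the text names. The grouping of condition keywords into layers is the editor's own and is assumed; the switch's full compatibility table is not reproduced here.

```python
# Editor's grouping of condition keywords (assumed, not the manual's full table).
LAYER2 = {"source mac", "destination mac", "source vlan", "802.1p"}
LAYER3_4 = {"source ip", "destination ip", "destination network group",
            "ip protocol", "tos", "source tcp/udp port", "destination tcp/udp port"}
PHYSICAL = {"source slot/port", "destination slot/port",
            "source interface type", "destination interface type"}
ACTIONS = {"disposition", "priority", "tos", "802.1p", "maximum bandwidth"}


def check_rule(conditions, action):
    """Return (valid, note) for one condition set plus action.

    Mixed Layer 2 and Layer 3/4 conditions are rejected, as the manual states.
    The 'bridged only' notes generalise the two examples the text gives
    (destination MAC + priority; destination slot/port + interface type)."""
    conds = set(conditions)
    unknown = sorted(conds - (LAYER2 | LAYER3_4 | PHYSICAL))
    if unknown:
        return False, f"unknown condition(s): {unknown}"
    if action not in ACTIONS:
        return False, f"unknown action: {action!r}"
    has_l2 = bool(conds & LAYER2)
    has_l34 = bool(conds & LAYER3_4)
    if has_l2 and has_l34:
        return False, "Layer 2 and Layer 3/4 conditions cannot be combined"
    if has_l2 and action == "priority":
        return True, "supported for bridged flows only"
    if {"destination slot/port", "destination interface type"} <= conds:
        return True, "valid, but only used to classify bridged traffic"
    return True, "ok"


def lint_policy_set(rules):
    """Run check_rule over a list of (name, conditions, action) tuples and
    return the names of the rules that are invalid."""
    return [name for name, conds, action in rules if not check_rule(conds, action)[0]]


# Constructed rule set for the usage example (not from the manual).
SAMPLE_RULES = [
    ("r1", ["destination mac"], "priority"),
    ("r2", ["source mac", "destination ip"], "disposition"),
    ("r3", ["destination ip", "destination tcp/udp port"], "tos"),
    ("r4", ["destination slot/port", "destination interface type"], "disposition"),
]

if __name__ == "__main__":
    for name, conds, action in SAMPLE_RULES:
        print(name, check_rule(conds, action))
    print("invalid:", lint_policy_set(SAMPLE_RULES))
```

A rule that passes the check can still go unenforced at run time if, as the chapter notes, a function such as routing is disabled; the linter only catches what can be decided from the rule text itself.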
Policy Condition/Action Combinations (continued)
Conditions / Actions / Supported When?
destination IP address or network group; destination TCP/UDP port; IP protocol; 802.
QoS Defaults
The following tables list the defaults for global QoS parameters, individual port settings, policy rules, and default policy rules.
Global QoS Defaults
Use the qos reset command to reset global values to their defaults.
Description / Command / Default
QoS enabled or disabled / qos / enabled
Whether ports are globally trusted or untrusted / qos trust ports / 802.
QoS Port Defaults
Use the qos port reset command to reset port settings to the defaults.
Description / Command/keyword / Default
Whether the port is trusted or untrusted / qos port trusted / 802.1Q and mobile ports are always trusted; other ports are untrusted
Maximum reserve bandwidth / qos port maximum reserve bandwidth / port bandwidth; currently not supported.
Maximum signalled bandwidth (via RSVP) / qos port maximum signal bandwidth / port bandwidth; currently not supported.
Policy Action Defaults The following are defaults for the policy action command: Description Keyword Default Whether the flow matching the rule should be accepted or denied disposition accept Note that in the current software release, the deny and drop options produce the same effect; that is, the traffic is silently dropped. Note. There are no defaults for the policy condition command.
QoS Configuration Overview QoS configuration involves the following general steps: 1 Configuring Global Parameters. In addition to enabling/disabling QoS, global configuration includes settings such as global port parameters, default disposition for flows, and various timeouts. The type of parameters you might want to configure globally will depend on the types of policies you will be configuring. For example, if you want to set up policies for 802.
Configuring Global QoS Parameters This section describes the global QoS configuration, which includes enabling and disabling QoS, applying and activating the configuration, controlling the QoS log display, and configuring QoS port and queue parameters. Enabling/Disabling QoS By default, QoS is enabled on the switch. If QoS policies are configured and applied, the switch will attempt to classify traffic and apply relevant policy actions.
Using the QoS Log The QoS software in the switch creates its own log for QoS-specific events. You may modify the number of lines in the log or change the level of detail given in the log. The PolicyView application, which is used to create QoS policies stored on an LDAP server, may query the switch for log events; or log events can be immediately available to the PolicyView application via a CLI command.
Note. If you change the number of log lines, the QoS log may be completely cleared. To change the log lines without clearing the log, set the log lines in the boot.cfg file; the log will be set to the specified number of lines at the next reboot. Log Detail Level To change the level of detail in the QoS log, use the qos log level command. The log level determines the amount of detail that will be given in the QoS log.
Displaying the QoS Log To view the QoS log, use the show qos log command.
To change the flow timeout, enter the qos flow timeout command with the desired number of seconds. For example: -> qos flow timeout 100 The timeout will not be active on the switch until you enter the qos apply command. For more information about the qos apply command, see “Applying the Configuration” on page 23-47. Fragment Classification By default, fragments are not classified.
Classifying Bridged Traffic as Layer 3 In some network configurations you may want to force the switch to classify bridged traffic as routed (Layer 3) traffic. Typically this option is used for QoS filtering. See Chapter 24, “Configuring ACLs,” for more information about filtering. If this option is enabled: • Switch performance may be slower. • The switch may bridge and route traffic to the same destination. Note.
Verifying Global Settings To display information about the global configuration, use the following show commands: show qos config Displays global information about the QoS configuration. show qos statistics Displays statistics about QoS events. For more information about the syntax and displays of these commands, see the OmniSwitch CLI Reference Guide.
QoS Ports and Queues Queue parameters may be modified on a port basis. Four default queues are created for each port on the switch at start up. When a flow coming into the switch matches a policy, it is queued based on: • Parameters given in the policy action (specified by the policy action command) with either of the following keywords: priority or maximum bandwidth. • Port settings configured through the qos port command.
Configuring Trusted Ports By default, all ports (except 802.1Q-tagged ports and mobile ports) are untrusted. The trust setting may be configured globally on the switch, or on a per-port basis. To configure the global setting on the switch, use the qos trust ports command. For example: -> qos trust ports To configure individual ports as trusted, use the qos port trusted command with the desired slot/port number.
Creating Policies This section describes how to create policies in general. For information about configuring specific types of policies, see “Policy Applications” on page 23-50. Basic commands for creating policies are as follows: policy condition policy action policy rule This section describes generally how to use these commands. See “Policy Applications” on page 23-50 for information about creating specific types of policies.
4 Use the qos apply command to apply the policy to the configuration. For example: -> qos apply Note. (Optional) To verify that the rule has been configured, use the show policy rule command.
Creating Policy Conditions This section describes how to create policy conditions in general. Creating policy conditions for particular types of network situations is described later in this chapter. Note. Policy condition configuration is not active until the qos apply command is entered. See “Applying the Configuration” on page 23-47.
Note. You cannot remove all parameters from a policy condition. A condition must be configured with at least one parameter. Deleting Policy Conditions To remove a policy condition, use the no form of the command. For example: -> no policy condition c3 The condition (c3) cannot be deleted if it is currently being used by a policy rule. If a rule is using the condition, the switch will display an error message.
Note. If you combine priority with 802.1p, dscp, tos, or map in an action, the priority value is used to prioritize the flow. Removing Action Parameters To remove an action parameter or return the parameter to its default, use no with the relevant keyword. -> policy action a6 no priority This example removes the configured priority value from action a6.
In addition, a policy rule may be administratively disabled or re-enabled using the policy rule command. By default, rules are enabled. For a list of rule defaults, see “Policy Rule Defaults” on page 23-10. Information about using the policy rule command options is given in the next sections. Disabling Rules By default, rules are enabled. Rules may be disabled or re-enabled through the policy rule command using the disable and enable options.
Layer 3 Rules With Compatible Actions More than one rule may have the same condition. For example, two Layer 3 rules may have the same IP address condition but different actions. If the actions are compatible, both rules will be applied to the flow, regardless of the precedence settings. In this example, the rules are created with the default precedence (0) value. -> policy condition X source ip 10.10.2.
Saving Rules The save option marks the policy rule so that the rule will be captured in an ASCII text file (using the configuration snapshot command) and saved to the working directory (using the write memory command or copy running-config working command). By default, rules are saved. If the save option is removed from a rule, the qos apply command may activate the rule for the current session, but the rule will not be saved over a reboot.
To remove the save option from a policy rule, use no with the save keyword. For example: -> policy rule rule5 no save To reconfigure the rule as saved, use the policy rule command with the save option. For example: -> policy rule rule5 save For more information about the configuration snapshot, write memory, and copy running-config working commands, see the OmniSwitch 6624/6648 Switch Management Guide and the OmniSwitch CLI Reference Guide.
Verifying Policy Configuration To view information about policy rules, conditions, and actions configured on the switch, use the following commands: show policy condition Displays information about all pending and applied policy conditions or a particular policy condition configured on the switch. Use the applied keyword to display information about applied conditions only.
To display only policy rules that are active (enabled and applied) on the switch, use the show active policy rule command. For example:
-> show active policy rule
Policy   From  Prec  Enab  Inact  Refl  Log  Save  Matches
mac1     cli   0     Yes   No     No    No   Yes   0
  Cnd/Act: dmac1 -> pri2
In this example, the rule my_rule does not display because it is inactive.
Testing Conditions Before applying policies to the configuration through the qos apply command, you may want to see how the policies will be used to classify traffic. Or you may want to see how theoretical traffic would be classified by policies that are already applied on the switch. Use the show policy classify commands to see how the switch will classify certain condition parameters. This command is used to examine the set of pending policies only.
To test a theoretical condition against the set of applied policies, enter the command with the applied keyword. The switch will display information about the potential traffic and attempt to match it to a policy (applied policies only). For example: -> show policy classify l3 applied source ip 143.209.92.131 destination ip 198.60.82.5 Packet headers: L2: *Port *IfType *MAC *VLAN *802.
Using Condition Groups in Policies Condition groups are made up of multiple IP addresses, MAC addresses, services, or ports to which you want to apply the same action or policy rule. Instead of creating a separate condition for each address, etc., create a condition group and associate the group with a condition.
3 Attach the condition to a policy rule. (For more information about configuring rules, see “Creating Policy Rules” on page 23-26.) In this example, action act4 has already been configured. For example: -> policy rule my_rule condition cond3 action act4 4 Apply the configuration. See “Applying the Configuration” on page 23-47 for more information about this command. -> qos apply The next sections describe how to create groups in more detail.
To remove addresses from a network group, use no and the relevant address(es). For example: -> policy network group netgroup3 no 173.21.4.39 This command deletes the 173.21.4.39 address from netgroup3 after the next qos apply. To remove a network group from the configuration, use the no form of the policy network group command with the relevant network group name. The network group must not be associated with any policy condition or action.
In this example, a policy service called telnet1 is created with the TCP protocol number (6) and the well-known Telnet destination port number (23).
This command configures a condition called c6 with service group serv_group. All of the services specified in the service group will be included in the condition. (For more information about configuring conditions, see “Creating Policy Conditions” on page 23-24.) Note. Service group configuration must be specifically applied to the configuration with the qos apply command. To delete a service from the service group, use no with the relevant service name.
Note. MAC group configuration is not active until the qos apply command is entered. To delete addresses from a MAC group, use no and the relevant address(es): -> policy mac group macgrp2 no 08:00:20:00:00:00 This command specifies that MAC address 08:00:20:00:00:00 will be deleted from macgrp2 at the next qos apply. To delete a MAC group, use the no form of the policy mac group command with the relevant MAC group name.
This command specifies that port 2/1 will be deleted from the techpubs port group at the next qos apply. To delete a port group, use the no form of the policy port group command with the relevant port group name. The port group must not be associated with any policy condition. For example: -> no policy port group techpubs The port group techpubs will be deleted at the next qos apply.
-> policy action MaxBw maximum bandwidth 10k -> policy rule PortRule condition Ports action MaxBw In this example, if both ports 1 and 2 are active ports, 10000 bps is distributed over the two ports. If one of the ports is sending 2000 bps, the other port may send up to 8000 bps. If one port is sending 5000 bps, the other port may send 5000 bps.
Verifying Condition Group Configuration To display information about condition groups, use the following show commands: show policy network group Displays information about all pending and applied policy network groups or a particular network group. Use the applied keyword to display information about applied groups only.
Using Map Groups Map groups are used to map 802.1p, ToS, or DSCP values to different values. On the OmniSwitch 6624/6648, the following mapping scenarios are supported: • 802.1p to 802.1p • ToS or DSCP to 802.1p (the reverse is not supported) Note. Map groups are associated with a policy action. Commands used for creating map groups include the following: policy map group policy action map Sample Map Group Configuration 1 Create the map group with mapping values.
How Map Groups Work When mapping from 802.1p to 802.1p, the action will result in remapping the specified values. Any values that are not specified in the map group are preserved. In this example, a map group is created for 802.1p bits. -> policy map group Group2 1-2:5 4:5 5-6:7 -> policy action Map1 map 802.1p to 802.1p using Group2 The to and from values are separated by a colon (:). If traffic with 802.
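The remapping behaviour described above, as an added Python example (not OmniSwitch code): it parses the from:to syntax of the Group2 map group shown on this page, where an entry is either a single value (4:5) or a range (1-2:5), and applies it to an 802.1p priority. Values the group does not name pass through unchanged, which is the rule the guide states. The function names are assumptions made for this example.

```python
"""Added example: how a QoS map group remaps 802.1p values.

Illustrative Python written for this guide, not OmniSwitch software.
Parses the 'from:to' syntax shown on the page (a range such as 1-2:5 or
a single value such as 4:5) and applies it to a priority value. Values
not named in the map group are preserved, as the guide states.
"""
from __future__ import annotations


def parse_map_group(spec: str) -> dict[int, int]:
    """Parse 'policy map group' entries such as '1-2:5 4:5 5-6:7'.

    Returns a dict from original value to mapped value.
    """
    mapping: dict[int, int] = {}
    for entry in spec.split():
        src, _, dst = entry.partition(":")
        if not dst:
            raise ValueError(f"entry {entry!r} lacks a ':to' value")
        to_value = int(dst)
        if "-" in src:
            low, high = (int(x) for x in src.split("-", 1))
        else:
            low = high = int(src)
        if low > high:
            raise ValueError(f"bad range {src!r}")
        for value in range(low, high + 1):
            mapping[value] = to_value
    return mapping


def remap_8021p(value: int, mapping: dict[int, int]) -> int:
    """Apply the map group to one 802.1p value (0-7)."""
    if not 0 <= value <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return mapping.get(value, value)  # unspecified values are preserved


# Group2 from the guide: -> policy map group Group2 1-2:5 4:5 5-6:7
GROUP2 = parse_map_group("1-2:5 4:5 5-6:7")

if __name__ == "__main__":
    for p in range(8):
        print(f"802.1p {p} -> {remap_8021p(p, GROUP2)}")
```

Running the block prints the full 0-7 remapping table for Group2; priorities 0, 3 and 7 are not in the group and therefore come out unchanged.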
To delete a map group, use the no form of the policy map group command. The map group must not be associated with a policy action.
Applying the Configuration Configuration for policy rules and many global QoS parameters must specifically be applied to the configuration with the qos apply command. Any parameters configured without this command are maintained for the current session but are not yet activated.
Deleting the Pending Configuration Policy settings that have been configured but not applied through the qos apply command may be returned to the last applied settings through the qos revert command. For example: -> qos revert This command ignores any pending policies (any additions, modifications, or deletions to the policy configuration since the last qos apply) and writes the last applied policies to the pending configuration.
Interaction With LDAP Policies The qos apply, qos revert, and qos flush commands do not affect policies created through the PolicyView application. Separate commands are used for loading and flushing LDAP policies on the switch. See Chapter 19, “Managing Authentication Servers,” for information about managing LDAP policies.
Policy Applications Policies are used to classify incoming flows and treat the relevant outgoing flows. There are many ways to classify the traffic and many ways to apply QoS parameters to the traffic. Classifying traffic may be as simple as identifying a Layer 2 or Layer 3 address of an incoming flow. Treating the traffic might involve prioritizing the traffic, rewriting an IP address, or putting the flow in a server load balancing group.
Note. If multiple addresses, services, or ports should be given the same priority, use a policy condition group to specify the group and associate the group with the condition. See “Using Condition Groups in Policies” on page 23-35 for more information about groups. Note that some condition parameters may be used in combination only under particular circumstances; also, there are restrictions on condition/action parameter combinations.
-> policy condition ip_traffic2 source ip 10.10.5.3 -> policy action flowShape maximum bandwidth 1k -> policy rule rule2 condition ip_traffic2 action flowShape Note that the bandwidth may be specified in abbreviated units, in this case, 1k. The rule is not active on the switch until the qos apply command is entered. When the rule is activated, any flows coming into the switch from source IP address 10.10.5.3 will be queued with no more than 1k of bandwidth.
-> policy condition my_condition source ip 10.10.3.0 mask 255.255.255.0 -> policy action my_action 802.1p 5 -> policy rule marking condition my_condition action my_action In the next example, the policy map group command specifies a group of values that should be mapped; the policy action map command specifies what should be mapped (802.1p to 802.1p, ToS/DSCP to 802.1p) and the mapping group that should be used.
24 Configuring ACLs Access Control Lists (ACLs) are Quality of Service (QoS) policies used to control whether packets are allowed or denied at the switch or router interface. ACLs are sometimes referred to as filtering lists. ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is specified in the policy condition. The policy action determines whether the traffic is allowed or denied.
ACL Specifications These specifications are the same as those for QoS in general: Maximum number of policy rules 128 Limits for Layer 3 rules with particular actions: ACL (Filter rules) Priority rules Bandwidth/ToS rules 802.
Quick Steps for Creating ACLs 1 Set the global disposition for bridged or routed traffic. By default, all flows that do not match any policies are allowed on the switch. Typically, you may want to deny traffic for all Layer 3 flows that come into the switch and do not match a policy, but allow any Layer 2 (bridged) flows that do not match policies.
ACL Overview ACLs provide moderate security between networks. The following illustration shows how ACLs may be used to filter subnetwork traffic through a private network, functioning like an internal firewall for LANs.
Rule Precedence The switch attempts to classify flows coming into the switch according to precedence. For Layer 2 flows, the rule with the highest precedence will be applied to the flow. For Layer 3 flows, all rules that match the flow will be applied unless the rules are in conflict; if rules are in conflict, the rule with the higher precedence will be used.
Example: Layer 3 Rules With Compatible Actions More than one rule may have the same condition. For example, two Layer 3 rules may have the same IP address condition but different actions. If the actions are compatible, both rules will be applied to the flow, regardless of the precedence settings. In this example, the rules are created with the default precedence (0) value. -> policy condition X source ip 10.10.2.
Interaction With Other Features • IP Routing—IP routing must be enabled on the switch for Layer 3 ACLs. See Chapter 13, “Configuring IP,” for more information about setting up routing. • Routing Protocols—Layer 3 filtering is compatible with routing protocols on the switch, including RIP and OSPF. If VRRP is also running, all VRRP routers on the LAN must be configured with the same filtering rules; otherwise, the security of the network will be compromised.
ACL Configuration Overview This section describes the QoS CLI commands used specifically to configure ACLs. ACLs are basically a type of QoS policy, and the commands used to configure ACLs are a subset of the switch’s QoS commands. For information about basic configuration of QoS policies, see Chapter 23, “Configuring QoS.” To configure an ACL, the following general steps are required: 1 Set the global disposition.
Setting the Global Disposition Important. If you set the global bridged disposition (using the qos default bridged disposition command) to deny or drop, the switch will drop all traffic that does not match a policy that accepts it. You must create policies (one for source and one for destination) to allow traffic on the switch. If you set the bridged disposition to deny or drop, and you configure Layer 2 ACLs, you will need two rules for each type of filter.
Creating Condition Groups For ACLs Condition groups for ACLs are made up of multiple IP addresses, MAC addresses, services, or IP ports to which you want to apply the same disposition. Instead of creating a separate condition for each policy rule, create a condition group and associate the group with the condition. This reduces the number of rules you would have to configure (one for each address, service, or port).
For example: -> policy port group pgroup1 3/1-2 4/3 5/4 -> policy condition c2 source port group pgroup1 In this example, a Layer 2 condition (c2) specifies that traffic matches the ports included in the pgroup1 port group. The condition also specifies that the port group is a source group. Any traffic coming in on ports 1 or 2 on slot 3, port 3 on slot 4, or port 4 on slot 5 will match condition c2.
rule7 will take precedence over the other rules. (For more information about precedence, see “Rule Precedence” on page 24-5.) The action configured for the rule, a1, allows traffic from 10.10.4.8, so the flow will be accepted on the switch. The rule will not be used to classify traffic or enforce the policy until the qos apply command is entered.
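The rule-resolution behaviour described under “Rule Precedence”, in the “Layer 3 Rules With Compatible Actions” example and in the rule7 example above, as an added Python model (not OmniSwitch code). It applies the three rules the guide states: a Layer 2 flow gets only the matching rule with the highest precedence; a Layer 3 flow gets every matching rule, with the higher precedence winning where two rules set the same action to different values; and a flow that matches nothing receives the global default disposition (qos default bridged/routed disposition). The Condition, Rule and Policy classes, the flow dictionaries and the concrete rule set are assumptions constructed for the example, modelled on the guide's addresses and rule names; it deliberately simplifies the switch (only source IP and source MAC conditions are modelled).

```python
"""Added example, not OmniSwitch code: how the switch resolves policy rules.

Models the precedence behaviour this guide describes. The classes and the
sample rule set are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Condition:
    layer: int                        # 2 = bridged, 3 = routed; never mixed
    source_ip: str | None = None      # host or network, e.g. "10.10.3.0/24"
    source_mac: str | None = None

    def matches(self, flow: dict) -> bool:
        if flow["layer"] != self.layer:
            return False
        if self.source_ip is not None:
            net = ipaddress.ip_network(self.source_ip, strict=False)
            src = flow.get("source_ip")
            if src is None or ipaddress.ip_address(src) not in net:
                return False
        if self.source_mac is not None and \
                flow.get("source_mac", "").lower() != self.source_mac.lower():
            return False
        return True


@dataclass
class Rule:
    name: str
    condition: Condition
    action: dict[str, object]         # e.g. {"disposition": "deny"}
    precedence: int = 0               # policy rule default precedence


@dataclass
class Policy:
    rules: list[Rule] = field(default_factory=list)
    # qos default bridged/routed disposition; the guide's default is accept
    default_disposition: dict[int, str] = field(
        default_factory=lambda: {2: "accept", 3: "accept"})

    def classify(self, flow: dict) -> tuple[dict[str, object], list[str]]:
        """Return (effective actions, names of the rules applied) for one flow."""
        matched = sorted((r for r in self.rules if r.condition.matches(flow)),
                         key=lambda r: r.precedence, reverse=True)
        if not matched:
            return {"disposition": self.default_disposition[flow["layer"]]}, []
        if flow["layer"] == 2:
            matched = matched[:1]         # Layer 2: highest precedence only
        actions: dict[str, object] = {}
        for rule in matched:              # descending precedence
            for key, value in rule.action.items():
                actions.setdefault(key, value)   # conflict: higher precedence wins
        actions.setdefault("disposition", "accept")  # policy action default
        return actions, [r.name for r in matched]


# Constructed sample rule set, modelled on the guide's examples
POLICY = Policy(
    rules=[
        # two Layer 3 rules with the same condition and compatible actions
        Rule("rule1", Condition(3, source_ip="10.10.2.0/24"), {"priority": 7}),
        Rule("rule2", Condition(3, source_ip="10.10.2.0/24"), {"maximum_bandwidth": "1k"}),
        # a broad deny overridden for one host by a higher-precedence accept (rule7)
        Rule("rule6", Condition(3, source_ip="10.10.4.0/24"), {"disposition": "deny"}),
        Rule("rule7", Condition(3, source_ip="10.10.4.8"), {"disposition": "accept"},
             precedence=10),
        # Layer 2 rules: only the highest-precedence match is applied
        Rule("mac_low", Condition(2, source_mac="08:00:20:00:00:01"), {"priority": 2}),
        Rule("mac_high", Condition(2, source_mac="08:00:20:00:00:01"), {"priority": 6},
             precedence=5),
    ],
    default_disposition={2: "accept", 3: "deny"},   # qos default routed disposition deny
)

if __name__ == "__main__":
    for flow in ({"layer": 3, "source_ip": "10.10.2.5"},
                 {"layer": 3, "source_ip": "10.10.4.8"},
                 {"layer": 3, "source_ip": "10.10.4.9"},
                 {"layer": 3, "source_ip": "192.0.2.1"},
                 {"layer": 2, "source_mac": "08:00:20:00:00:01"}):
        print(flow, "->", POLICY.classify(flow))
```

The routed default is set to deny in the sample, as the Quick Steps suggest, so the unmatched 192.0.2.1 flow is dropped while 10.10.4.8 is accepted by rule7 even though rule6 also matches it.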
Layer 2 ACL: Example 1 In this example, the default bridged disposition is accept (the default). Since the default is accept, the qos default bridged disposition command would only need to be entered if the disposition had previously been set to deny. The command is shown here for completeness.
Layer 3 ACLs The QoS software in the switch filters routed traffic at Layer 3. For Layer 3 filters, typically IP routing must be enabled; however, the switch may be configured to filter Layer 3 headers in bridged traffic. Use the qos classifyl3 bridged command to filter Layer 3 headers for bridged traffic. For more information, see “Classifying Bridged Traffic as Layer 3” on page 23-18.
Layer 3 ACL: Example 2 This example uses condition groups to combine multiple IP addresses in a single condition. The default disposition is set to deny. -> qos default routed disposition deny -> policy network group GroupA 192.60.22.1 192.60.22.2 192.60.22.
To filter multicast clients, specify the multicast IP address, which is the address of the multicast group or stream, and specify the client IP address, VLAN, MAC address, or slot/port. For example: -> qos default multicast disposition deny -> policy condition Mclient1 multicast ip 224.0.1.
Using ACL Security Features The following additional ACL features are available for improving network security and preventing malicious activity on the network: • UserPorts—A port group that identifies its members as user ports to prevent spoofed IP traffic. When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP network address that does not match the IP subnet for the port.
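The UserPorts check described above, as an added Python example (not OmniSwitch code): a packet received on a UserPorts member is dropped when its source IP address lies outside the subnet configured for that port. The port-to-subnet table, the packet records and the function names are constructed for this example; which VLAN subnet belongs to which port is an assumption.

```python
"""Added example, not OmniSwitch code: the UserPorts source-address check.

The guide states that when a port is a member of the UserPorts group,
packets received on it are dropped if their source IP network address does
not match the IP subnet for the port. Everything below is constructed for
the example.
"""
from __future__ import annotations

import ipaddress

# constructed: slot/port -> IP subnet configured for that port's VLAN
USER_PORT_SUBNETS = {
    "3/1": ipaddress.ip_network("10.10.5.0/24"),
    "3/2": ipaddress.ip_network("10.10.6.0/24"),
}


def user_port_verdict(port: str, source_ip: str) -> str:
    """Return 'forward' or 'drop' for a packet arriving on a port."""
    subnet = USER_PORT_SUBNETS.get(port)
    if subnet is None:
        return "forward"              # not a UserPorts member: check does not apply
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "drop"                 # unparsable source address
    if addr.version != subnet.version or addr not in subnet:
        return "drop"                 # source outside the port's subnet: spoofed
    return "forward"


def audit(packets: list[tuple[str, str]]) -> dict[str, int]:
    """Count dropped packets per port for a list of (port, source_ip) records."""
    drops: dict[str, int] = {}
    for port, src in packets:
        if user_port_verdict(port, src) == "drop":
            drops[port] = drops.get(port, 0) + 1
    return drops


# constructed sample of received packets
SAMPLE_PACKETS = [
    ("3/1", "10.10.5.20"),     # legitimate
    ("3/1", "192.168.9.9"),    # source not in 10.10.5.0/24: dropped
    ("3/2", "10.10.6.7"),      # legitimate
    ("3/2", "10.10.5.20"),     # subnet of another port: dropped
    ("4/1", "203.0.113.5"),    # port not in UserPorts: forwarded
]

if __name__ == "__main__":
    for port, src in SAMPLE_PACKETS:
        print(port, src, user_port_verdict(port, src))
    print(audit(SAMPLE_PACKETS))
```

The audit function is the kind of summary you would want from the QoS log to see which user ports are receiving traffic with out-of-subnet sources.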
Configuring a DisablePorts ACL An additional method for dealing with spoofed IP traffic is to create a DisablePorts ACL that will administratively disable ports that receive this type of traffic. To achieve this result, a policy action called stringDisablePorts is available. Note that string represents text that the user enters as a required part of the policy action and must be followed by DisablePorts (e.g., badDisablePorts).
5 Create a rule that denies all source IP addresses received on the port group defined in Step 1 and specify a precedence for this rule. For example: -> policy rule noSpoof condition denyip action badDisablePorts precedence 10 6 Create a rule that accepts all packets with source IP addresses defined in Step 3 that are received on the port group defined in Step 1.
2 Add the services created in Step 1 to a service group called DropServices using the policy service group command. For example: -> policy service group DropServices tcp135 tcp445 udp137 udp138 udp445 Note that the DropServices group must be specified using the exact capitalization as shown in the above example. 3 Create a condition with the DropServices group defined in Step 2 and a source port group using the policy port group and policy condition commands.
Configuring ICMP Drop Rules Combining a Layer 2 condition for source VLAN with a Layer 3 condition for IP protocol is supported. Use these two conditions together in a policy to block ICMP echo request and reply packets without impacting switch performance.
Verifying the ACL Configuration To display information about ACLs, use the same show commands that are used for displaying any QoS policies. These commands include: show policy condition Displays information about all pending and applied policy conditions or a particular policy condition configured on the switch. Use the applied keyword to display information about applied conditions only.
To display only policy rules that are active (enabled) on the switch, use the show active policy rule command. For example:
-> show active policy rule
Policy     From  Prec  Enab  Inact  Refl  Log  Save  Matches
+my_rule5  cli   0     Yes   No     No    No   Yes   0
  Cnd/Act: cond2 -> pri2
mac1       cli   0     Yes   No     No    No   Yes   0
  Cnd/Act: dmac1 -> pri2
In this example, the rule my_rule does not display because it is inactive.
ACL Application Example In this application for IP filtering, a policy is created to deny Telnet traffic from the outside world to an engineering group in a private network.
25 Configuring IP Multicast Switching IP Multicast Switching is a one-to-many communication technique employed by emerging applications such as video distribution, news feeds, conferencing, netcasting, and resource discovery (OSPF, RIP2, BOOTP). Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any subnetwork that has at least one device requesting the multicast traffic.
IPMS Specifications The table below lists specifications for Alcatel’s IPMS software.
IPMS Overview A multicast group is defined by a multicast group address, which is a Class D IP address in the range 224.0.0.0 to 239.255.255.255. (Addresses in the range 239.0.0.0 to 239.255.255.255 are reserved for boundaries.) The multicast group address is indicated in the destination address field of the IP header. (See “Reserved Multicast Addresses” on page 25-4 for more information.
Reserved Multicast Addresses The Internet Assigned Numbers Authority (IANA) created the range for multicast addresses, which is 224.0.0.0 to 239.255.255.255. However, as the table below shows, certain addresses are reserved and cannot be used.
Address or Address Range | Description
224.0.0.0 through 224.0.0.255 | Routing protocols (e.g., OSPF, RIP2)
224.0.1.0 through 224.0.1.255 | Internetwork Control Block (e.g., RSVP, DHCP, commercial servers)
224.0.2.
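A check of a candidate multicast group address against the ranges this chapter gives, as an added Python example (not OmniSwitch code): the Class D range 224.0.0.0 to 239.255.255.255, the 224.0.0.0/24 block reserved for routing protocols, the 224.0.1.0/24 Internetwork Control Block, and 239.0.0.0/8, which the overview says is reserved for boundaries. Only the table rows visible on this page are encoded; the remaining rows are cut off and are not guessed. The function and category names are assumptions.

```python
"""Added example, not OmniSwitch code: validating an IPMS group address.

Encodes the address ranges stated in this chapter. Only the reserved rows
visible on the page are included.
"""
import ipaddress

# the IANA multicast (Class D) range: 224.0.0.0 - 239.255.255.255
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# reserved ranges as listed in the guide's table and overview
RESERVED = [
    (ipaddress.ip_network("224.0.0.0/24"),
     "reserved: routing protocols (e.g., OSPF, RIP2)"),
    (ipaddress.ip_network("224.0.1.0/24"),
     "reserved: Internetwork Control Block"),
    (ipaddress.ip_network("239.0.0.0/8"),
     "reserved for boundaries"),
]


def classify_group_address(addr: str) -> str:
    """Describe how an address may be used as a multicast group address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "not an IPv4 address"
    if ip not in MULTICAST:
        return "not a multicast address"
    for net, label in RESERVED:
        if ip in net:
            return label
    return "usable group address"


def usable_group_address(addr: str) -> bool:
    """True when the address may be configured as an IPMS group address."""
    return classify_group_address(addr) == "usable group address"


if __name__ == "__main__":
    for a in ("224.0.0.5", "224.0.1.39", "239.1.2.3", "225.1.1.1", "10.0.0.1"):
        print(a, "->", classify_group_address(a))
```

A check like this belongs in front of any tooling that generates policy condition multicast ip or static-neighbor configuration, so that a reserved address is rejected before it reaches the switch.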
Configuring IPMS on a Switch This section describes how to use Command Line Interface (CLI) commands to enable and disable IP Multicast Switching (IPMS) switch wide (see “Enabling and Disabling IPMS on a Switch” on page 25-5), configure a port as a static neighbor (see “Configuring and Removing a Static Neighbor” on page 25-5), and configure a port as a static querier (see “Configuring and Removing a Static Querier” on page 25-6). Note.
Configuring a Static Neighbor You can configure a port as an IPMS static neighbor port by entering ip multicast static-neighbor followed by the VLAN number (which must be between 0 and 4095), a space, the slot number of the port, a slash (/), and the port number.
Removing a Static Querier To reset the port so that it is no longer an IPMS static querier port you use the no form of the ip multicast static-querier command by entering ip multicast no static-querier followed by the VLAN number, a space, and either the port (designate the slot number of the port, a slash (/), and the port number) or linkagg and link aggregation group number.
Modifying IPMS Parameters The table in “IPMS Default Values” on page 25-2 lists default values for IPMS parameters. The following sections describe how to use CLI commands to modify these parameters. Modifying the Leave Timeout The IPMS leave timeout is the delay in removing a group membership after a leave message has been processed and/or received. The default IPMS leave timeout is 1 second.
Configuring the Membership Timeout You can modify the IPMS membership timeout from 0 to 4294967295 seconds by entering ip multicast membership-timeout followed by the new value. For example, to set the membership timeout value to 100 seconds you would enter: -> ip multicast membership-timeout 100 Restoring the Membership Timeout To restore the membership timeout to its default (i.e.
Restoring the Querier Timeout To restore the neighbor querier to its default (i.e., 260 seconds) value you use the no form of the ip multicast querier-timeout command by entering: -> ip multicast no querier-timeout Modifying the Querier Aging and Election Timeout The default IPMS querier aging and election timeout (i.e., the time for which a currently elected querier is aged and a new multicast querier is elected) is 255 seconds.
IPMS Application Example
The figure below shows a sample network with the switch sending multicast video. A client attached to port 5 needs to be configured as a static neighbor and another client attached to port 2 needs to be configured as a static querier.
[Figure: an OmniSwitch 6648 video switch forwards multicast video from a multicast server (source IP address); static neighbor attached to slot 4, port 5; static querier attached to slot 7, port 2.]
5 Modify the leave timeout to 120 seconds by entering:
-> ip multicast leave-timeout 120
Entered sequentially on the command line, these commands look like this:
-> ip multicast switching
-> ip multicast static-neighbor 5 1/5
-> ip multicast static-querier 5 1/2
-> ip multicast membership-timeout 3600
-> ip multicast leave-timeout 120
As an option, you can use the show ip multicast switching,
Displaying IPMS Configurations and Statistics
Alcatel’s IP Multicast Switching (IPMS) show commands provide tools to monitor IPMS traffic and settings and to troubleshoot problems. These commands are described below:
show ip multicast switching    Displays the current IPMS configuration on a switch.
show ip multicast groups       Displays all detected multicast groups that have members.
Chapter 26 Diagnosing Switch Problems
Several tools are available for diagnosing problems that may occur with the switch.
In This Chapter
• Deleting a Port Monitoring Session—see “Deleting a Port Monitoring Session” on page 26-21.
• Pausing a Port Monitoring Session—see “Pausing a Port Monitoring Session” on page 26-21.
• Configuring the persistence of a Port Monitoring session—see “Configuring Port Monitoring Session Persistence” on page 26-22.
• Configuring a Port Monitoring data file—see “Configuring a Port Monitoring Data File” on page 26-22.
Port Mirroring Overview
The following sections detail the specifications, defaults, and quick set-up steps for the port mirroring feature. Detailed procedures are found in “Port Mirroring” on page 26-12.
Note. A port that is part of an aggregate link cannot be mirrored.
Port Mirroring Defaults
The following table shows port mirroring default values.
Quick Steps for Configuring Port Mirroring
1 Create a port mirroring session. Be sure to specify the port mirroring session ID, the source (mirrored) and destination (mirroring) slot/ports, and optionally the unblocked VLAN ID (this protects the mirroring session from changes in Spanning Tree when the mirroring port feeds mirrored traffic to an RMON probe that belongs to a different VLAN).
Port Monitoring Overview
The following sections detail the specifications, defaults, and quick set-up steps for the port monitoring feature. Detailed procedures are found in “Port Monitoring Overview” on page 26-6.
Port Monitoring Specifications
Ports Supported: Ethernet (10 Mbps) / Fast Ethernet (100 Mbps) / Gigabit Ethernet (1 Gb/1000 Mbps)
Monitoring Sessions Supported: One per switch and/or stack.
Quick Steps for Configuring Port Monitoring
1 To create a port monitoring session, use the port monitoring source command: enter port monitoring, followed by the port monitoring session ID, the keyword source, and the slot and port number of the port to be monitored.
Remote Monitoring (RMON) Overview
The following sections detail the specifications, defaults, and quick set-up steps for the RMON feature. Detailed procedures are found in “Remote Monitoring (RMON)” on page 26-25.
RMON Probe Defaults
The following table shows Remote Network Monitoring default values.
Global RMON Probe Defaults
Parameter Description | CLI Command | Default Value/Comments
RMON Probe Configuration | rmon probes | No RMON probes configured.

Quick Steps for Enabling/Disabling RMON Probes
1 Enable an inactive (or disable an active) RMON probe, where necessary. You can also enable or disable all probes of a particular type, if desired.
Switch Health Overview
The following sections detail the specifications, defaults, and quick set-up steps for the switch health feature. Detailed procedures are found in “Monitoring Switch Health” on page 26-32.
Switch Health Defaults
The following table shows Switch Health default values.
Port Mirroring
You can set up port mirroring for any pair of Ethernet ports within the same switch chassis. Ethernet ports supporting port mirroring include 10BaseT/100BaseTX (RJ-45) and 1000BaseLX (LC) MiniGBIC connectors. When port mirroring is enabled, the active “mirrored” port transmits and receives network traffic normally, and the “mirroring” port receives a copy of all traffic transmitted and received by the active port. Because that copy is complete, a mirroring session is in effect a network tap: limit the administrative accounts that can create one and review the configured sessions whenever you audit the switch.
How Port Mirroring Works
When a frame is received on a mirrored port, it is copied and sent to the mirroring port. The received frame is actually transmitted twice across the switch backplane: once for normal bridging and again to the mirroring port. When a frame is transmitted by the mirrored port, a copy of the frame is made, tagged with the mirroring port as the destination, and sent back over the switch backplane to the mirroring port.
Using Port Mirroring with External RMON Probes
Port mirroring is a helpful monitoring tool when used in conjunction with an external RMON probe. Once you set up port mirroring, the probe can collect all relevant RMON statistics for traffic on the mirrored port. You can also move the mirrored port so that the mirroring port receives data from different ports. In this way, you can roam the switch and monitor traffic at various ports.
Note.
Creating a Mirroring Session
Before port mirroring can be used, you must create a port mirroring session. The port mirroring source destination CLI command creates a mirroring session between a mirrored (active) port and a mirroring port.
This command line specifies mirroring session 6, with the source (mirrored) port located in slot 2/port 3 and the destination (mirroring) port located in slot 2/port 4. The mirroring port on VLAN 750 is protected from Spanning Tree updates.
Note. If the unblocked VLAN identifier is not specified, the mirroring port could be blocked due to changes in Spanning Tree.
In this example the command specifies port mirroring session 6, with the mirrored (active) port located in slot 2/port 3 and the mirroring port located in slot 6/port 4. The mirroring status is disabled (i.e., port mirroring is turned off):
-> port mirroring 6 source disable
Note. You can modify the parameters of a port mirroring session that has been disabled.
Enabling or Disabling a Port Mirroring Session (Shorthand)
Once a port mirroring session has been created, this command enables or disables it (turns port mirroring on or off) without re-entering the source and destination ports and the unblocked VLAN ID. To enable a port mirroring session, enter the port mirroring command, followed by the port mirroring session ID number and the keyword enable.
Deleting a Mirroring Session
The no form of the port mirroring command deletes a previously created mirroring session between a mirrored port and a mirroring port. To delete a mirroring session, enter no port mirroring followed by the port mirroring session ID number. For example:
-> no port mirroring 6
In this example, port mirroring session 6 is deleted.
Note.
Port Monitoring
An essential tool of the network engineer is a network packet capture device. A packet capture device is usually a PC-based computer, such as the Sniffer®, that provides a means for understanding and measuring the data traffic of a network. Understanding data flow in a VLAN-based switch presents unique challenges, primarily because traffic takes place inside the switch, especially on dedicated devices.
In addition, you can specify the optional parameters shown in the table below. These parameters must be entered after the slot and port number.
Keywords: file, no file, size, overwrite, no overwrite, inport, outport, bidirectional, timeout, enable, disable
For example, to configure port monitoring session 6 on port 2/3 and administratively enable it, enter:
-> port monitoring 6 source 2/3 enable
These keywords can be used when creating the port monitoring session or afterwards.
Configuring Port Monitoring Session Persistence
By default, a port monitoring session will never be disabled.
For example, to configure port monitoring session 6 on port 2/3 with a data file called “user_port” in the /flash directory that will not overwrite older packets if the file size is exceeded, enter:
-> port monitoring 6 source 2/3 file /flash/user_port overwrite on
Note. The size and no overwrite options can be entered on the same command line.

Suppressing Port Monitoring File Creation
By default, a file called pmonitor.
Displaying Port Monitoring Status and Data
A summary of the show commands used for displaying port monitoring status and port monitoring data:
show port monitoring status    Displays port monitoring status.
show port monitoring file      Displays port monitoring data.
Remote Monitoring (RMON)
Remote Network Monitoring (RMON) is an SNMP-based standard used to manage networks remotely. RMON probes can be used to collect, interpret and forward statistical data about network traffic from designated active ports in a LAN segment to an NMS (Network Management System) application for monitoring and analysis without negatively impacting network performance.
RMON probes can be enabled or disabled via CLI commands. Configuration of alarm threshold values for RMON traps is a function reserved for RMON-monitoring NMS stations. This feature supports a basic RMON four-group implementation in compliance with RFC 2819, including the Ethernet Statistics, History (Control & Statistics), Alarms and Events groups (described below).
Note. The RMON 10-group implementation and RMON2 are not implemented in the current release.
Enabling or Disabling RMON Probes
To enable or disable an individual RMON probe, enter the rmon probes CLI command. Be sure to specify the type of probe (stats/history/alarm), followed by the entry number (optional), as shown in the following examples.
Displaying RMON Tables
Two separate commands can be used to retrieve and view Remote Monitoring data: show rmon probes and show rmon events. The retrieved statistics appear in table format (a collection of related data that meets the criteria specified in the command you entered).
Displaying Statistics for a Particular RMON Probe
To view statistics for a particular RMON probe, enter the show rmon probes command with the entry number of that probe, for example:
-> show rmon probes 4005
A display showing statistics for the specified RMON probe will appear, as shown in the following sections.
Sample Display for History Probe
The display shown here identifies RMON probe 10325’s owner description and interface location (Analyzer-p:128.251.18.166 on slot 1, port 35), the total number of history control buckets (samples) requested and granted (2), the time interval for each sample (30 seconds), and the system-generated sample index ID number (5859).
Displaying a List of RMON Events
RMON events are actions that occur based on alarm conditions detected by an RMON probe.
Monitoring Switch Health
To monitor resource availability, the NMS (Network Management System) needs to collect significant amounts of data from each switch. As the number of ports per switch (and the number of switches) increases, the volume of data can become overwhelming. The Health Monitoring feature identifies and monitors a switch’s resource utilization levels and thresholds, improving efficiency in data collection.
The following sections discuss the CLI commands that can be used to configure resource parameters and monitor or reset statistics for switch resources. These commands include:
• health threshold—Configures threshold limits for input traffic (RX), output/input traffic (TX/RX), memory usage, CPU usage, and chassis temperature. See page 26-34 for more information.
• show health threshold—Displays current health threshold settings.
Configuring Resource and Temperature Thresholds
Health Monitoring software monitors threshold levels for the switch’s consumable resources—bandwidth, RAM memory, and CPU capacity—as well as the ambient chassis temperature. When a threshold is exceeded, the Health Monitoring feature sends a trap to the Network Management Station (NMS).
Displaying Health Threshold Limits
The show health threshold command displays all current health thresholds on the switch, as well as the individual thresholds for input traffic (RX), output/input traffic (TX/RX), memory usage, CPU usage and chassis temperature.
Configuring Sampling Intervals
The sampling interval is the period of time between polls of the switch’s consumable resources, used to monitor performance against the previously specified thresholds. The health interval command configures the sampling interval between health statistics checks. To configure the sampling interval, enter the health interval command followed by the number of seconds.
Viewing Health Statistics for the Switch
The show health command displays health statistics for the switch. To display health statistics, enter the show health command, optionally followed by a slot/port location and the statistics keyword. For example, to view health statistics for the entire switch, enter the show health command without any additional parameters.
Viewing Health Statistics for a Specific Interface
To view health statistics for slot 4/port 3, enter the show health command followed by the slot and port numbers.
Chapter 27 Using Switch Logging
Switch logging is an event logging utility that is useful in maintaining and servicing the switch. Switch logging uses a formatted string mechanism to either record or discard event data from switch applications. The log records are copied to the output devices configured for the switch. Log records can be sent to a text file and written into the flash file system. The log records can also be scrolled to the switch’s console or sent to a remote IP address.
Switch Logging Specifications
Functionality Supported: High-level event logging mechanism that forwards requests from applications to enabled logging devices.
Functionality Not Supported: Not intended for debugging individual hardware applications.
Logging Devices: Flash memory / console / IP address
Application ID Levels Supported: IDLE (255), DIAG (0), IPC-DIAG (1), QDRIVER (2), QDISPATCHER (3), IPC-LINK (4), NI-SUPERVISION (5), INTERFACE (6), 802.
Switch Logging Defaults
The following table shows switch logging default values.
Global Switch Logging Defaults
Parameter Description | CLI Command | Default Value/Comments
Enabling/disabling switch logging | swlog | Enabled
Switch logging severity level | swlog appid level | No application ID or severity level defaults.
Quick Steps for Configuring Switch Logging
1 Enable switch logging:
-> swlog
2 Specify the ID of the application to be logged along with the logging severity level:
-> swlog appid bridge level warning
Here, the application ID specifies bridging and the severity is set to the “warning” level.
3 Specify the output device to which the switch logging information will be sent.
Switch Logging Overview
Switch logging uses a formatted string mechanism to process log requests from switch applications. When a log request is received, switch logging compares the severity level included with the request to the severity level stored for the application ID. If there is a match, a log message is generated using the format specified by the log request and placed on the switch log queue.
Switch Logging Commands Overview
This section describes the switch logging CLI commands for enabling or disabling switch logging, displaying the current status of the switch logging feature, and displaying stored log information.
Enabling Switch Logging
The swlog command initializes and enables switch logging; no swlog disables it.
CLI Keyword | Numeric Equivalent | Application ID
STP | 11 | APPID_SPANNINGTREE
LINKAGG | 12 | APPID_LINKAGGREGATION
QOS | 13 | APPID_QOS
RSVP | 14 | APPID_RSVP
IP | 15 | APPID_IP
IPMS | 17 | APPID_IPMS
AMAP | 18 | APPID_XMAP
GMAP | 19 | APPID_GMAP
AAA | 20 | APPID_AAA
IPC-MON | 21 | APPID_IPC_MON
IP-HELPER | 22 | APPID_BOOTP_RELAY
PMM | 23 | APPID_MIRRORING_MONITORING
MODULE | 24 | APPID_L3HRE
EIPC | 26 | APPID_EIPC
CHASSIS | 64 | APPID_CHASSISUPER
PORT-MGR | 65 | APPI
LDAP | 86 | APPID_LDAP
NOSNMP | 87 | APPID_NOSNMP
SSL | 88 | APPID_SSL
DBGGW | 89 | APPID_DBGGW
LANPOWER | 108 | APPID_LANPOWER
The level keyword assigns the error-type severity level to the specified application IDs. Values range from 2 (highest severity) to 9 (lowest severity).
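The admission rule from “Switch Logging Overview” and the application ID table above, modelled in Python as an added example; this is not Alcatel code and does not run on the switch. It assumes that a configured level admits every request whose severity number is less than or equal to it (at least as severe), which is the threshold reading of the “match” described above; the only named level taken from this guide is warning = 5, as implied by the two equivalent no swlog appid forms in the next section. The sample log requests are constructed.

```python
"""Admission rule of OmniSwitch switch logging, modelled as an added example.

Not Alcatel code. Assumptions: severities run 2 (highest) .. 9 (lowest);
"warning" is 5; a configured level admits every request whose severity number
is <= that level (the threshold reading of the "match" described in the guide).
"""

MOST_SEVERE, LEAST_SEVERE = 2, 9
LEVEL_NAMES = {"warning": 5}  # the only name/number pair shown in this guide

# CLI keyword -> (numeric application ID, internal APPID_ name), from the table.
APP_IDS = {
    "STP": (11, "APPID_SPANNINGTREE"),
    "LINKAGG": (12, "APPID_LINKAGGREGATION"),
    "QOS": (13, "APPID_QOS"),
    "RSVP": (14, "APPID_RSVP"),
    "IP": (15, "APPID_IP"),
    "IPMS": (17, "APPID_IPMS"),
    "AMAP": (18, "APPID_XMAP"),
    "GMAP": (19, "APPID_GMAP"),
    "AAA": (20, "APPID_AAA"),
    "IPC-MON": (21, "APPID_IPC_MON"),
    "IP-HELPER": (22, "APPID_BOOTP_RELAY"),
    "PMM": (23, "APPID_MIRRORING_MONITORING"),
    "MODULE": (24, "APPID_L3HRE"),
    "EIPC": (26, "APPID_EIPC"),
    "CHASSIS": (64, "APPID_CHASSISUPER"),
    "LDAP": (86, "APPID_LDAP"),
    "NOSNMP": (87, "APPID_NOSNMP"),
    "SSL": (88, "APPID_SSL"),
    "DBGGW": (89, "APPID_DBGGW"),
    "LANPOWER": (108, "APPID_LANPOWER"),
}
NUMERIC_TO_KEYWORD = {num: kw for kw, (num, _) in APP_IDS.items()}


def parse_level(text):
    """Accept a severity as the CLI does: a name ('warning') or a number 2..9."""
    text = str(text)
    level = LEVEL_NAMES.get(text.lower())
    if level is None:
        if not text.isdigit():
            raise ValueError(f"unknown severity level {text!r}")
        level = int(text)
    if not MOST_SEVERE <= level <= LEAST_SEVERE:
        raise ValueError(f"severity {level} is outside {MOST_SEVERE}..{LEAST_SEVERE}")
    return level


def parse_appid(text):
    """Accept an application ID as its CLI keyword ('aaa') or its number ('20')."""
    text = str(text)
    if text.isdigit():
        num = int(text)
        if num not in NUMERIC_TO_KEYWORD:
            raise ValueError(f"unknown application ID {num}")
        return num
    entry = APP_IDS.get(text.upper())
    if entry is None:
        raise ValueError(f"unknown application keyword {text!r}")
    return entry[0]


class SwlogConfig:
    """Per-application thresholds, as set by `swlog appid <id> level <level>`."""

    def __init__(self):
        self.levels = {}  # numeric application ID -> configured level

    def set_level(self, appid, level):
        self.levels[parse_appid(appid)] = parse_level(level)

    def clear_level(self, appid):
        """`no swlog appid <id> level ...`: the application is no longer logged."""
        self.levels.pop(parse_appid(appid), None)

    def admits(self, appid, severity):
        """True if a request from appid at this severity is queued to the log."""
        configured = self.levels.get(parse_appid(appid))
        if configured is None:  # no level set: nothing from this application is logged
            return False
        return parse_level(severity) <= configured


def filter_requests(config, requests):
    """Keep the (appid, severity, text) requests the switch would actually record."""
    return [r for r in requests if config.admits(r[0], r[1])]


def security_baseline():
    """Log warnings and worse from the authentication and transport-security apps."""
    cfg = SwlogConfig()
    for app in ("AAA", "LDAP", "SSL"):
        cfg.set_level(app, "warning")
    return cfg


# Constructed log requests (application, severity, text); not real switch output.
SAMPLE_REQUESTS = [
    ("AAA", 3, "authentication failure on port 2/3"),
    ("AAA", 7, "debug: RADIUS request sent"),
    ("SSL", 2, "certificate load failed"),
    ("STP", 5, "topology change on VLAN 10"),
    ("LDAP", 5, "bind to directory timed out"),
]

if __name__ == "__main__":
    for app, sev, text in filter_requests(security_baseline(), SAMPLE_REQUESTS):
        print(f"{app:<5} level {sev}: {text}")
```

The point the model makes visible is the default in the defaults table: with no swlog appid level configured for an application, nothing from it reaches the log, so an AAA failure is silently dropped until a level is set for AAA.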
Removing the Severity Level
To remove the switch logging severity level, enter the no swlog appid level command, including the application ID and severity level values. The following is a typical example:
-> no swlog appid 75 level 5
Or, alternatively:
-> no swlog appid system level warning
No confirmation message will appear on the screen.
Disabling an IP Address from Receiving Switch Logging Output
To stop a particular IP address from receiving switch logging output, enter:
-> no swlog output socket
No confirmation message will appear on the screen.
Note. It is not necessary to specify the IP address in the no swlog output socket command.
Configuring the Switch Logging File Size
By default, the size of the switch logging file is 128000 bytes. To configure the size of the switch logging file, use the swlog output flash file-size command: enter swlog output flash file-size followed by the number of bytes, which must be at least 32000. (The maximum size of the file depends on the amount of free memory available in flash memory.)
Note.
Displaying Switch Logging Records
The show log swlog command can display all switch logging information, or information selected by session, timestamp, application ID or severity level. For details, refer to the OmniSwitch CLI Reference Guide. The following sample screen output shows a display of all switch logging information.
Note. Switch logging frequently records a very large volume of data.
Chapter 28 Monitoring Memory
Debug memory monitor commands monitor memory allocation and freeing (for example, detection of invalid free addresses and maintenance of size statistics). These commands are useful for logging of events, leak detection, classification of memory allocations, detection of invalid free addresses, and maintenance of size statistics.
Notes.
Memory Monitoring Specifications
The following table shows Memory Monitoring specifications:
Functionality Supported: Fence post / bad address detection / leak monitoring / memory classification / global statistical gathering / task statistical gathering / size statistical gathering.
Functionality Not Supported: Ownership violations.
Show Command Output Devices Supported: Standard out (console) / switch logging / sysTrace buffer.
Quick Steps for Configuring Memory Monitoring
1 Enable Memory Monitoring with the following command. (Memory Monitoring is disabled by default.)
-> debug memory monitor enable
2 To view Memory Monitoring log information, enter the debug memory monitor show log command.
Debug Memory Commands Overview
The debug memory commands monitor memory allocation and freeing. By providing a way to enable/disable memory monitoring and display memory usage reports, these commands support logging of events, leak detection, classification of memory allocations, detection of invalid free addresses, and maintenance of size statistics.
Displaying the Memory Monitor Log
The debug memory monitor show log command displays memory monitoring log information.
Displaying the Memory Monitor Global Statistics
The debug memory monitor show log global command displays memory monitoring global statistics.
Displaying the Memory Monitor Task Statistics
The debug memory monitor show log task command displays memory monitoring task statistics.
Task Name     Current       Cumulative
-------------+-------------+----------------
TrapMgr       4548          63976
Elpc          2336          2392
VlanMgr       208           149672
PortMgr       804           75424
Gateway       84            140
CfgMgr        228           897491
tCS_HSM       1240          2500
tCS_CMS       188           328
tCS_PRB       312           340
tCS_CCM       612           12555
tCSCSMtask    586128        15256874
tSwLogTask    13519+
->
In the screen sample shown above, the Task Name field identifies the Task ID.
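A parser for the task table shown above, written in Python as an added example (not Alcatel code). It embeds a constructed copy of the sample rows, reports the tasks holding the most memory, applies a single-snapshot retention heuristic, and compares two snapshots, which is the check that actually finds a leak: a task whose Current column keeps growing between samples. The column meanings, the treatment of the truncated tSwLogTask row (no Cumulative value, “+” suffix), and the 1024-byte and 0.5 cut-offs are assumptions made for this example.

```python
"""Triage helper for `debug memory monitor show log task` output.

Added example, not Alcatel code. Assumes the columns are task name, bytes
currently allocated and bytes allocated cumulatively, and that a row with no
cumulative value (the truncated tSwLogTask line, with a '+' suffix) should be
kept but flagged as partial.
"""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the sample display from the guide.
SAMPLE_OUTPUT = """\
Task Name     Current       Cumulative
-------------+-------------+----------------
TrapMgr       4548          63976
Elpc          2336          2392
VlanMgr       208           149672
PortMgr       804           75424
Gateway       84            140
CfgMgr        228           897491
tCS_HSM       1240          2500
tCS_CMS       188           328
tCS_PRB       312           340
tCS_CCM       612           12555
tCSCSMtask    586128        15256874
tSwLogTask    13519+
->
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)(\+?)(?:\s+(\d+))?$")


@dataclass
class TaskStats:
    name: str
    current: int               # bytes held by the task right now
    cumulative: Optional[int]  # bytes allocated over the task's lifetime, None if truncated
    partial: bool = False      # row was cut short ('+' suffix or missing column)


def parse_task_table(text: str) -> Dict[str, TaskStats]:
    """Parse every data row of the display into a name -> TaskStats map."""
    stats: Dict[str, TaskStats] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Task Name", "---", "->")):
            continue  # header, rule line, prompt
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        name, current, plus, cumulative = m.groups()
        stats[name] = TaskStats(
            name=name,
            current=int(current),
            cumulative=int(cumulative) if cumulative else None,
            partial=bool(plus) or cumulative is None,
        )
    return stats


def rank_by_current(stats: Dict[str, TaskStats], top: int = 3) -> List[TaskStats]:
    """Tasks holding the most memory now, largest first."""
    return sorted(stats.values(), key=lambda s: s.current, reverse=True)[:top]


def retained_fraction(s: TaskStats) -> Optional[float]:
    """current / cumulative: near 1.0 means the task frees little of what it allocates."""
    if not s.cumulative:
        return None
    return s.current / s.cumulative


def leak_suspects(stats: Dict[str, TaskStats], min_current: int = 1024,
                  min_fraction: float = 0.5) -> List[str]:
    """Single-snapshot heuristic; both cut-offs are illustrative, not from the guide."""
    return [
        s.name for s in stats.values()
        if s.current >= min_current and (retained_fraction(s) or 0.0) >= min_fraction
    ]


def growth(before: Dict[str, TaskStats], after: Dict[str, TaskStats]) -> Dict[str, int]:
    """Change in bytes held between two snapshots; a task that only grows is the real signal."""
    return {n: after[n].current - before[n].current for n in after if n in before}


if __name__ == "__main__":
    snapshot = parse_task_table(SAMPLE_OUTPUT)
    for s in rank_by_current(snapshot):
        print(f"{s.name:<12} {s.current:>8}{'+' if s.partial else ''}")
    print("single-snapshot suspects:", leak_suspects(snapshot))
```

On the sample, the retention heuristic flags only Elpc, which has allocated 2392 bytes in its lifetime and still holds 2336 of them. That pattern also describes a task that allocates once at start-up and keeps the memory, which is why growth() between two captures taken a sampling interval apart is the check to rely on.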
Displaying the Memory Monitor Size Statistics
The debug memory monitor show log size command displays memory monitoring size statistics.
Appendix A Software License and Copyright Statements
This appendix contains Alcatel and third-party software vendor license and copyright statements.
Alcatel License Agreement
ALCATEL INTERNETWORKING, INC. (“AII”) SOFTWARE LICENSE AGREEMENT
IMPORTANT. Please read the terms and conditions of this license agreement carefully before opening this package. By opening this package, you accept and agree to the terms of this license agreement.
3. Confidentiality. AII considers the Licensed Files to contain valuable trade secrets of AII, the unauthorized disclosure of which could cause irreparable harm to AII. Except as expressly set forth herein, Licensee agrees to use reasonable efforts not to disclose the Licensed Files to any third party and not to use the Licensed Files other than for the purpose authorized by this License Agreement.
10. Governing Law. This License Agreement shall be construed and governed in accordance with the laws of the State of California.
11. Severability. Should any term of this License Agreement be declared void or unenforceable by any court of competent jurisdiction, such declaration shall have no effect on the remaining terms herein.
12. No Waiver.
Third Party Licenses and Notices
The licenses and notices related only to such third party software are set forth below:
A.
C. Linux
Linux is written and distributed under the GNU General Public License, which means that its source code is freely distributed and available to the general public.
D. GNU GENERAL PUBLIC LICENSE: Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.
b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c Accompany it with the information you received as to the offer to distr
consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program.
Material copyright Linux Online Inc. Design and compilation copyright (c)1994-2002 Linux Online Inc. Linux is a registered trademark of Linus Torvalds. Tux the Penguin, featured in our logo, was created by Larry Ewing. Consult our privacy statement. URLWatch provided by URLWatch Services. All rights reserved.
E.
H. Apptitude, Inc.
Provided with this product is certain network monitoring software (“MeterWorks/RMON”) licensed from Apptitude, Inc., whose copyright notice is as follows: Copyright (C) 1997-1999 by Apptitude, Inc. All Rights Reserved. Licensee is notified that Apptitude, Inc. (formerly, Technically Elite, Inc.
L. Wind River Systems, Inc.
Provided with this product is certain software (“Run-Time Module”) licensed from Wind River Systems, Inc.