NETGEAR 8800 User Manual
Software Version 12.4
350 East Plumeria Drive
San Jose, CA 95134 USA
March 2011
202-10804-01 v1.
© 2011 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, or get support online, visit us at http://support.netgear.com.
Contents
Chapter 1 Overview
Introduction, page 22
Terminology, page 23
Conventions, page 23
Platform-Naming Conventions, page 23
Text Conventions
Domain Name Service Client Services, page 47
Checking Basic Connectivity, page 48
Ping, page 48
Traceroute, page 50
Displaying Switch Information
Using the Simple Network Time Protocol, page 89
Configuring and Using SNTP, page 90
SNTP Example, page 94
Chapter 4 Managing the XCM8800 Software
Overview, page 95
Using the XCM8800 File System
Displaying Switch Load Sharing, page 137
Mirroring, page 138
Guidelines for Mirroring, page 138
Mirroring Rules and Restrictions, page 140
Mirroring Examples
Port Power Reset, page 177
PoE Usage Threshold, page 177
Legacy Devices, page 178
PoE Operator Limits, page 178
Configuring PoE
Displaying Real-Time Log Messages, page 225
Displaying Event Logs, page 226
Uploading Event Logs, page 226
Displaying Counts of Event Occurrences, page 227
Displaying Debug Information
Chapter 10 FDB
Overview, page 271
FDB Contents, page 272
How FDB Entries Get Added, page 272
FDB Entry Types, page 272
Managing the FDB
Chapter 13 ACLs
Overview, page 299
ACL Rule Syntax, page 300
Matching All Egress Packets, page 302
Comments and Descriptions in ACL Policy Files, page 302
Types of Rule Entries
Multicast Traffic Queues, page 371
Egress Port Rate Limiting and Rate Shaping, page 371
Configuring QoS, page 371
Platform Configuration Procedures, page 372
Selecting the QoS Scheduling Method
Customizable Graphical Image in Logout Popup Window, page 417
Web-Based Network Login Configuration Example, page 418
Web-Based Authentication User Login, page 419
MAC-Based Authentication, page 421
Enabling and Disabling MAC-Based Network Login, page 422
Associating a MAC Address to a Specific Port
How Network Login Authentication Differs from Management Session Authentication, page 474
Configuration Overview for Authenticating Network Login Users, page 475
Configuring the RADIUS Client, page 475
Configuring the RADIUS Client for Authentication and Authorization, page 475
Configuring the RADIUS Client for Accounting
EMISTP Deployment Constraints, page 542
Per VLAN Spanning Tree, page 544
STPD VLAN Mapping, page 545
Native VLAN, page 545
Rapid Spanning Tree Protocol
Configuring the Relative Route Priority, page 613
Configuring Hardware Routing Table Usage, page 613
Configuring IP Route Sharing, page 613
Configuring Route Compression, page 614
Configuring Static Route Advertisement
Managing Router Discovery, page 649
Managing Tunnels, page 650
Verifying the IP Unicast Routing Configuration, page 651
Configuring Route Sharing, page 651
Configuring Route Compression
Graceful OSPF Restart, page 676
Areas, page 677
Point-to-Point Support, page 680
Route Redistribution, page 681
Configuring Route Redistribution
Route Redistribution, page 717
BGP ECMP, page 717
BGP Static Network, page 718
Graceful BGP Restart, page 719
Cease Subcodes
Chapter 28 IPv6 Multicast
Overview, page 759
Managing MLD, page 760
Enabling and Disabling MLD on a VLAN, page 760
Configuring MLD, page 760
Clearing MLD Group Registration
Part 3: Appendixes
Appendix A XCM8800 Software Licenses
Overview, page 793
Switch License Features, page 794
Aggregation License Features, page 794
Advanced Core License Features
General Tips and Recommendations, page 835
MSM Prompt, page 837
Command Prompt, page 837
Port Configuration, page 837
Software License Error Messages
1. Overview
This chapter contains the following sections:
• Introduction on page 22
• Conventions on page 23
• Related Publications on page 24
Introduction
This guide provides the required information to configure the NETGEAR 8800 software in the currently supported versions running on NETGEAR switches. This guide is intended for use by network administrators who are responsible for installing and setting up network equipment.
Terminology
When features, functionality, or operation is specific to a switch family, the family name is used. Explanations about features and operations that are the same across all product families simply refer to the product as the “switch.”
Conventions
This section describes conventions used in the documentation.
Platform-Naming Conventions
The information in this guide applies to the following NETGEAR 8800 series switches: the NETGEAR 8810 and the NETGEAR 8806.
Related Publications
The publications related to this one are:
• NETGEAR 8800 Chassis Switch CLI Manual
• NETGEAR 8800 Release Notes
• NETGEAR 8800 Series Switches Hardware Installation Guide
Documentation for NETGEAR products is available on the World Wide Web at the following location: http://www.netgear.com/
Part 1: Using the NETGEAR 8800
Software Required
The tables in this section describe the software version required for each switch that runs XCM8800 software.
Note: The features available on each switch are determined by the installed feature license and optional feature packs. For more information, see Appendix A, XCM8800 Software Licenses.
Table 4 lists the NETGEAR 8000 series modules and the XCM8800 software version required to support each module.
Table 4.
Understanding the Command Syntax
This section describes the steps to take when entering a command. See the sections that follow for detailed information on using the command line interface (CLI). The NETGEAR 8800 command syntax is described in detail in the NETGEAR 8800 Chassis Switch CLI Manual. Some commands are also described in this guide in order to describe how to use the features of the XCM8800 software.
Syntax Helper
The CLI has a built-in syntax helper. If you are unsure of the complete syntax for a particular command, enter as much of the command as possible and press [Tab] or [?]. The syntax helper provides a list of options for the remainder of the command and places the cursor at the end of the command you have entered so far, ready for the next option. If you enter an invalid command, the syntax helper notifies you of your error and indicates where the error is located.
Object Names
All named components within a category of the switch configuration, such as VLAN, must be given a unique object name. Object names must begin with an alphabetical character and may contain alphanumeric characters and underscores (_), but they cannot contain spaces. The maximum allowed length for a name is 32 characters. Object names can be reused across categories (for example, STPD and VLAN names).
Table 5.
Note: XCM8800 software does not support the ampersand (&), left angle bracket (<), or right angle bracket (>), because they are reserved characters with special meaning in XML.
Table 6. Command Syntax Symbols
Symbol: angle brackets < >. Description: Enclose a variable or value. You must specify the variable or value.
Port Numbering
The XCM8800 software runs on both stand-alone and modular switches, and the port numbering scheme is slightly different on each.
Note: The keyword all acts on all possible ports; it continues on all ports even if one port in the sequence fails.
Numerical Ranges
On the NETGEAR 8800 switch, the port number is a combination of the slot number and the port number.
Table 7. Line-Editing Keys (Continued)
Key(s): Description
Delete or [Ctrl] + D: Deletes character under cursor and shifts remainder of line to left.
[Ctrl] + K: Deletes characters from under cursor to end of line.
Insert: Toggles on and off. When toggled on, inserts text and shifts previous text to right.
[Ctrl] + A: Moves cursor to first character in line.
[Ctrl] + E: Moves cursor to last character in line.
[Ctrl] + L: Clears screen and moves cursor to beginning of line.
Table 8. Common Commands (Continued)
Command: Description
configure banner: Configures the banner string. You can enter up to 24 rows of 79-column text that is displayed before the login prompt of each session. Press [Return] at the beginning of a line to terminate the command and apply the banner. To clear the banner, press [Return] at the beginning of the first line.
Table 8. Common Commands (Continued)
Command: Description
delete account: Deletes a user account.
delete vlan: Deletes a VLAN.
disable bootp vlan [ | all]: Disables BOOTP for one or more VLANs.
disable cli-config-logging: Disables logging of CLI commands to the Syslog.
disable clipaging: Disables pausing of the screen display when a show command output reaches the end of the page.
disable idletimeout: Disables the timer that disconnects all sessions.
Table 8. Common Commands (Continued)
Command: Description
show banner: Displays the user-configured banner.
unconfigure switch {all}: Resets all switch parameters (with the exception of defined user accounts, and date and time information) to the factory defaults. If you specify the keyword all, the switch erases the currently selected configuration image in flash memory and reboots. As a result, all parameters are reset to default settings.
configured to eliminate this problem.
Would you like to disable SNMP? [y/N]:
All ports are enabled by default. In some secure applications, it may be more desirable for the ports to be turned off.
Would you like unconfigured ports to be turned off by default? [y/N]:
Changing the default failsafe account username and password is highly recommended. If you choose to do so, please remember the username and password as this information cannot be recovered by NETGEAR.
• Default Accounts on page 43
• Creating a Management Account on page 43
• Failsafe Accounts on page 44
Account Access Levels
XCM8800 software supports the following two levels of management:
• User
• Administrator
In addition to the management levels, you can optionally use an external RADIUS server to provide CLI command authorization checking for each command. For more information on RADIUS, see Chapter 17, Security.
Using the acknowledge parameter prompts the user with the following message after the banner appears and before the login prompt:
Hit any key to accept these provisions.
To disable the acknowledgement feature, which forces the user to press a key before the login screen displays, use the configure banner command omitting the acknowledge parameter.
message on the startup screen. The message is slightly different, depending on whether you are working on a modular switch or a stand-alone switch. The following sample shows the startup screen if any of the slots in a modular switch are shut down as a result of the system recovery configuration:
login: admin
password:
XCM8800
Copyright (C) 2000-2006 NETGEAR, Inc. All rights reserved.
Default Accounts
By default, the switch is configured with two accounts, as shown in Table 9.
Table 9. Default Accounts
Account Name: Access Level
admin: This user can access and change all manageable parameters. However, the user may not delete all admin accounts.
user: This user can view (but not change) all manageable parameters, with the following exceptions:
• This user cannot view the user account database.
• This user cannot view the SNMP community strings.
Failsafe Accounts
The failsafe account is the account of last resort to access your switch. This account is never displayed by the show accounts command, but it is always present on the switch. To display whether the user configured a username and password for the failsafe account, or to show the configured connection-type access restrictions, use the following command:
show failsafe-account
The failsafe account has admin access level.
Managing Passwords
When you first access the switch, you have a default account. You configure a password for your default account. As you create other accounts (see Creating a Management Account on page 43), you configure passwords for those accounts. The software allows you to apply additional security to the passwords. You can enforce a specific format and minimum length for the password.
Note: If you forget your password while logged out of the CLI, you can use the bootloader to reinstall a default switch configuration, which allows access to the switch without a password. Note that this process reconfigures all switch settings back to the initial default configuration.
Applying Security to Passwords
You can increase the security of your system by enforcing password restrictions, which will make it more difficult for unauthorized users to access your system.
Note: If you are not working on SSH, you can configure the number of failed logins that trigger lockout, using the configure cli max-failed-logins command. (This command also sets the number of failed logins that terminate the particular session.) After the user’s account is locked out (using the configure account password-policy lockout-on-login-failures command), it must be specifically re-enabled by an administrator.
• ping
• traceroute
• configure radius server client-ip
• configure tacacs server client-ip
The DNS client can resolve host names to both IPv4 and IPv6 addresses. In addition, the nslookup utility can be used to return the IP address of a host name. You can specify up to eight DNS servers for use by the DNS client using the following command:
configure dns-client add
You can specify a default domain for use when a host name is used without a domain.
Table 10. Ping Command Parameters
Parameter: Description
count: Specifies the number of ping requests to send.
start-size: Specifies the size, in bytes, of the packet to be sent, or the starting size if incremental packets are to be sent.
continuous: Specifies that UDP or ICMP echo messages are to be sent continuously. This option can be interrupted by pressing [Ctrl] + C.
end-size: Specifies an end size for packets to be sent.
Traceroute
The traceroute command enables you to trace the routed path between the switch and a destination endstation. The traceroute command syntax is:
traceroute {vr } {ipv4 } {ipv6 } {ttl } {from } {[port ] | icmp}
Where:
• vr is the name of the virtual router.
• ipv4/ipv6
• from uses the specified source address in the ICMP packet. If not specified, the address of the transmitting interface is used.
The switch supports up to the following number of concurrent user sessions:
• One console session (two console sessions are available if two management modules are installed)
• Eight shell sessions
• Eight Telnet sessions
• Eight Trivial File Transfer Protocol (TFTP) sessions
• Eight SSH2 sessions
Understanding the XCM8800 Shell
When you log in to XCM8800 from a terminal, you enter the shell with a shell prompt displayed.
Note: For more information on the console port pinouts, see the hardware installation guide included with your switch.
After the connection has been established, you see the switch prompt and you can log in.
Using the 10/100 Ethernet Management Port
The management module provides a dedicated 10/100 Mbps Ethernet management port. This port provides dedicated remote access to the switch using TCP/IP.
• TACACS+
• Local database of accounts and passwords
Note: You cannot configure RADIUS and TACACS+ at the same time.
RADIUS Client
Remote Authentication Dial In User Service (RADIUS, RFC 2138) is a mechanism for authenticating and centrally administering access to network nodes. The XCM8800 RADIUS client implementation allows authentication for Telnet or console access to the switch.
• About the Telnet Client on page 55
• About the Telnet Server on page 55
• Connecting to Another Host Using Telnet on page 56
• Configuring Switch IP Parameters on page 56
• Configuring Telnet Access to the Switch on page 58
• Disconnecting a Telnet Session on page 62
About the Telnet Client
Before you can start an outgoing Telnet session on the switch, you must set up the IP parameters described in Configuring Switch IP Parameters on page 56.
Connecting to Another Host Using Telnet
You can Telnet from the current CLI session to another host using the following command:
telnet {vr } [ | ] {}
Note: User-created VRs are supported only on the platforms listed for this feature in Appendix A, XCM8800 Software Licenses.
If the TCP port number is not specified, the Telnet session defaults to port 23. If the virtual router name is not specified, the Telnet session defaults to VR-Mgmt.
The switch does not retain IP addresses assigned by BOOTP or DHCP through a power cycle, even if the configuration has been saved. To retain the IP address through a power cycle, you must configure the IP address of the VLAN using the CLI or Telnet. If you need the switch's MAC address to configure your BOOTP or DHCP server, you can find it on the rear label of the switch.
5. Assign an IP address and subnetwork mask for the default VLAN by using the following command:
configure {vlan} ipaddress [ {} | ipv6-link-local | {eui64} ]
For example:
configure vlan default ipaddress 123.45.67.8 255.255.255.0
The changes take effect immediately.
The safe defaults mode runs an interactive script that allows you to enable or disable SNMP, Telnet, and switch ports. When you set up your switch for the first time, you must connect to the console port to access the switch. After logging in to the switch, you enter safe defaults mode. Although SNMP, Telnet, and switch ports are enabled by default, the script prompts you to confirm those settings.
MyAccessProfile.pol
entry AllowTheseSubnets {
    if {
        source-address 10.203.133.0 /24;
    } then {
        permit;
    }
}
In the following example named MyAccessProfile.pol, the switch permits connections from the subnets 10.203.133.0/24 or 10.203.135.0/24 and denies connections from all other addresses:
MyAccessProfile.pol
entry AllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0 /24;
    } then {
        deny;
    }
}
entry AllowTheRest {
    if {
        ; #none specified
    } then {
        permit;
    }
}
Configuring Telnet to Use ACL Policies
This section assumes that you have already loaded the policy on the switch. For more information about creating and implementing ACLs and policies, see Chapter 12, Policy Manager and Chapter 13, ACLs.
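The following Python is an added example, not code from the manual or from the XCM8800 software: it parses a policy written in the .pol syntax shown above and evaluates a source address against it, so you can check what a Telnet access profile will permit before loading it. It assumes top-down, first-match evaluation, that "if match any" ORs its conditions while a plain "if" ANDs them, that an "if" block with no conditions (the "#none specified" form) matches everything, and, as a fail-closed assumption, that nothing matching at all means deny; the sample policy and the names parse_policy and evaluate are constructed for this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample in the manual's .pol syntax: permit two management
# subnets, deny everything else.  Not a file shipped with the switch.
SAMPLE_POLICY = """
entry AllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0 /24;
    } then {
        permit;
    }
}
entry DenyTheRest {
    if {
        ; #none specified
    } then {
        deny;
    }
}
"""

# entry NAME { if [match any|all] { CONDITIONS } then { ACTION } }
ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if(?:\s+match\s+(any|all))?\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.DOTALL,
)


class Entry:
    def __init__(self, name: str, match_any: bool, subnets: list, action: str) -> None:
        self.name = name            # entry label, e.g. AllowTheseSubnets
        self.match_any = match_any  # True for "if match any", False for plain "if"
        self.subnets = subnets      # ip_network objects from source-address lines
        self.action = action        # "permit" or "deny"


def parse_policy(text: str) -> List[Entry]:
    """Parse .pol text into an ordered list of entries (order is significant)."""
    text = re.sub(r"#.*", "", text)  # drop '#' comments such as '#none specified'
    entries: List[Entry] = []
    for match in ENTRY_RE.finditer(text):
        name, mode, cond_body, then_body = match.groups()
        subnets = []
        for stmt in cond_body.split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue  # empty statement: the bare ';' of a catch-all entry
            keyword, value = stmt.split(None, 1)
            if keyword != "source-address":
                raise ValueError(f"{name}: unsupported condition {keyword!r}")
            # the manual writes the prefix length with a space: "10.203.133.0 /24"
            subnets.append(ipaddress.ip_network(value.replace(" ", ""), strict=False))
        actions = [a.strip() for a in then_body.split(";") if a.strip()]
        if actions not in (["permit"], ["deny"]):
            raise ValueError(f"{name}: expected exactly one of permit/deny, got {actions}")
        entries.append(Entry(name, mode == "any", subnets, actions[0]))
    if not entries:
        raise ValueError("no entries found in policy")
    return entries


def evaluate(entries: List[Entry], source: str) -> Tuple[str, Optional[str]]:
    """Return (action, entry name) for the first entry that matches the source address."""
    ip = ipaddress.ip_address(source)
    for entry in entries:
        if not entry.subnets:
            hit = True  # no conditions: matches every packet
        elif entry.match_any:
            hit = any(ip in net for net in entry.subnets)
        else:
            hit = all(ip in net for net in entry.subnets)
        if hit:
            return entry.action, entry.name
    return "deny", None  # assumption: fail closed when no entry matches


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for src in ("10.203.133.17", "10.203.134.5", "192.0.2.1"):
        print(src, "->", evaluate(policy, src))
```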
enable telnet
You must be logged in as an administrator to configure the virtual router(s) used by Telnet and to enable or disable Telnet.
Disconnecting a Telnet Session
A person with an administrator level account can disconnect a Telnet management session. If this happens, the user logged in by way of the Telnet connection is notified that the session has been terminated. To terminate a Telnet session:
1. Log in to the switch with administrator privileges.
2.
is a command line application used to contact an external TFTP server on the network. For example, XCM8800 uses TFTP to download software image files, switch configuration files, and ACLs from a server on the network to the switch. Up to eight active TFTP sessions can run on the switch concurrently. NETGEAR recommends using a TFTP server that supports blocksize negotiation (as described in RFC 2348, TFTP Blocksize Option), to enable faster file downloads and larger file downloads.
To view the files you retrieved, enter the ls command at the command prompt.
Node Election
Node election is based on leader election between the MSMs/MMs installed in the chassis. By default, the MSM/MM installed in slot A has primary status. Each node uses health information about itself together with a user-configured priority value to compute its node role election priority. Nodes exchange their node role election priorities.
You can cause the primary to failover to the backup, thereby relinquishing its primary status. To cause the failover:
1. Use the show switch {detail} command on the primary or the backup node to confirm that the nodes are synchronized and have identical software and switch configurations before failover. The output displays the status of the nodes, with the primary node showing MASTER and the backup node showing BACKUP (InSync).
Relaying Configuration Information
To facilitate a failover from the primary node to the backup node, the primary transfers its active configuration to the backup. Relaying configuration information is the first level of checkpointing. During the initial switch boot-up, the primary’s configuration takes effect. During the initialization of a node, its configuration is read from the local flash.
Dynamic Checkpointing
After an application transfers its saved state to the backup node, dynamic checkpointing requires that any new configuration information or state changes that occur on the primary be immediately relayed to the backup. This ensures that the backup has the most up-to-date and accurate information.
Table 11. Node States (Continued)
Node State: Description
MASTER: In the primary (master) state, the node is responsible for all switch management functions.
STANDBY: In the standby state, leader election occurs—the primary and backup nodes are elected. The priority of the node is only significant in the standby state.
Understanding Hitless Failover Support
The term hitless failover has slightly different meanings on a modular chassis.
Table 12. Protocol Support for Hitless Failover
Protocol: Behavior
Border Gateway Protocol (BGP): If you configure BGP graceful restart, by default the route manager does not delete BGP routes until 120 seconds after failover occurs. There is no traffic interruption. However, after BGP comes up after restart, BGP re-establishes sessions with its neighbors and relearns routes from all of them. This causes an increase in control traffic onto the network.
Table 12. Protocol Support for Hitless Failover (Continued)
Protocol: Behavior. Hitless
Network Login (Continued), Web-Based Authentication: Web-based Netlogin users continue to be authenticated after a failover. Hitless: Yes
Open Shortest Path First (OSPF): If you configure OSPF graceful restart, there is no traffic interruption.
Table 12. Protocol Support for Hitless Failover (Continued)
Protocol: Behavior. Hitless
Dynamic Host Configuration Protocol client: The IP addresses learned on all DHCP enabled VLANs are retained on the backup node after failover. Hitless: Yes
• Logs power resource changes, including power budget, total available power, redundancy, and so on
• Detects and isolates faulty PSUs
The switch includes two power supply controllers that collect data from the installed PSUs and report the results to the MSM/MM modules. When you first power on the switch, the power supply controllers enable a PSU. As part of the power management function, the power controller disables the PSU if an unsafe condition arises.
• Calculates the number of I/O modules to power up based on the available power budget and the power requirements of each I/O module, including PoE requirements for the NETGEAR 8800 series PoE I/O module.
• Reserves the amount of power required to power up a second MSM/MM if only one MSM/MM is installed.
• Reserves the amount of power required to power all fans and chassis components.
• Calculates the current power surplus or shortfall.
• If a switch has PSUs with a mix of both 220V AC and 110V AC inputs, XCM8800 maximizes system power by automatically taking one of two possible actions:
  • If all PSUs are enabled, then all PSUs must be budgeted at 110V AC to prevent overload of PSUs with 110V AC inputs.
  OR
  • If the PSUs with 110V AC inputs are disabled, then the PSUs with 220V AC inputs can be budgeted with a higher output per PSU.
Note: If you override automatic power supply management, you may reduce the available power and cause one or more I/O modules to power down.
To resume using automatic power supply management on a PSU, use the configure power supply auto command. The setting for each PSU is stored as part of the switch configuration. To display power supply status and power budget information, use the show power and show power budget commands.
If you choose to keep the default setting for SNMP—the default setting is enabled—the switch returns the following interactive script:
Since you have chosen less secure management methods, please remember to increase the security of your network by taking the following actions:
* change your admin password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic
For more detailed information about safe defaults mode, see Safe Defau
-
Configuring SNMPv1/v2c Settings
The following SNMPv1/v2c parameters can be configured on the switch:
• Authorized trap receivers—An authorized trap receiver can be one or more network management stations on your network. The switch sends SNMPv1/v2c traps to all configured trap receivers. You can specify a community string and UDP port individually for each trap receiver. All community strings must also be added to the switch using the configure snmp add community command.
-
• Read community strings provide read-only access to the switch. The default read-only community string is public.
• Read-write community strings provide read-and-write access to the switch. The default read-write community string is private.
• System contact (optional)—The system contact is a text field that enables you to enter the name of the person(s) responsible for managing the switch.
-
SNMPv3
SNMPv3 is an enhanced standard for SNMP that improves the security and privacy of SNMP access to managed devices and provides sophisticated control of access to the device MIB. The prior standard versions of SNMP, SNMPv1 and SNMPv2c, provided no privacy and little security.
-
• Disclosure, where packet exchanges are sniffed (examined) and information is learned about the contents
The access control subsystem provides the ability to configure whether access to a managed object in a local MIB is allowed for a remote principal. The access control scheme allows you to define access policies based on MIB views, groups, and multiple security levels.
-
latestReceivedEngineTime for every authoritative engine it wants to communicate with. Comparing these objects with the values received in messages and then applying certain rules to decide upon the message validity accomplishes protection against message delay or message replay. In a chassis, the snmpEngineID is generated using the MAC address of the MSM/MM with which the switch boots first.
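The validity rules the manual refers to are those of RFC 3414, section 3.2, step 7b. The following Python, added here as an illustration and not code from the NETGEAR manual or the XCM8800 software, models how a non-authoritative engine (a manager polling the switch) maintains snmpEngineBoots, snmpEngineTime and latestReceivedEngineTime for an authoritative engine and rejects messages outside the 150-second window; the engine ID and clock values are constructed.

```python
"""SNMPv3 USM timeliness check performed by a non-authoritative engine
(RFC 3414, section 3.2, step 7b).  Added illustration, not code from the
NETGEAR manual; the engine ID and clock values used below are constructed."""
from dataclasses import dataclass, field

TIME_WINDOW = 150             # seconds, fixed by RFC 3414
MAX_ENGINE_BOOTS = 2**31 - 1  # an engine whose boots counter reached this is unusable


@dataclass
class AuthoritativeEngineView:
    """What we remember about one authoritative engine, keyed by snmpEngineID."""
    engine_boots: int = 0
    synced_engine_time: int = 0          # remote snmpEngineTime when last synchronized
    synced_local_clock: int = 0          # our own clock at that moment
    latest_received_engine_time: int = 0


@dataclass
class Lcd:
    """Local configuration datastore of the non-authoritative engine."""
    engines: dict = field(default_factory=dict)

    def view(self, engine_id: bytes) -> AuthoritativeEngineView:
        return self.engines.setdefault(engine_id, AuthoritativeEngineView())


def estimated_engine_time(view: AuthoritativeEngineView, now: int) -> int:
    """Our estimate of the remote snmpEngineTime: last synced value plus elapsed local time."""
    return view.synced_engine_time + (now - view.synced_local_clock)


def process_authenticated_message(lcd: Lcd, engine_id: bytes,
                                  msg_boots: int, msg_time: int, now: int) -> bool:
    """Apply step 7b to a message whose HMAC has already been verified.

    msg_boots / msg_time are msgAuthoritativeEngineBoots / msgAuthoritativeEngineTime
    from the received message; now is the local clock in seconds.  Returns True when
    the message is inside the time window, False when it must be discarded
    (notInTimeWindow), which is what defeats delayed and replayed messages."""
    v = lcd.view(engine_id)
    # 7b(1): only ever advance our notion of the remote clock, never rewind it.
    if msg_boots > v.engine_boots or (
            msg_boots == v.engine_boots and msg_time > v.latest_received_engine_time):
        v.engine_boots = msg_boots
        v.synced_engine_time = msg_time
        v.synced_local_clock = now
        v.latest_received_engine_time = msg_time
    # 7b(2): the message is outside the window if any of these conditions holds.
    if v.engine_boots == MAX_ENGINE_BOOTS:
        return False
    if msg_boots != v.engine_boots:
        return False
    if abs(msg_time - estimated_engine_time(v, now)) > TIME_WINDOW:
        return False
    return True


def demo() -> list:
    """Walk a constructed exchange and return the accept/reject decisions."""
    lcd = Lcd()
    engine_id = bytes.fromhex("800000000100000000000000")  # constructed, not a real ID
    exchange = [
        (5, 1000, 50_000),   # first authenticated reply: synchronizes our view
        (5, 1100, 50_100),   # normal follow-up 100 s later
        (5, 1000, 50_200),   # the first reply captured and replayed 200 s later
        (4, 1300, 50_300),   # claims an older boots counter than we have already seen
        (6, 10, 50_400),     # the switch rebooted: boots advanced, engine time restarted
    ]
    return [process_authenticated_message(lcd, engine_id, boots, time, now)
            for boots, time, now in exchange]


if __name__ == "__main__":
    print(demo())   # [True, True, False, False, True]
```

An identical message replayed inside the window still passes this check; the timeliness module bounds the replay window to 150 seconds rather than eliminating replay, which is why request IDs and authentication are also needed.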
-
By disabling default-user access, the end user is not able to access the switch/MIBs using the SNMPv3 default-user. To disable the default-user, use the following command:
disable snmpv3 default-user
To delete a user, use the following command:
configure snmpv3 delete user [all-non-defaults | [[hex ] | ]]
Note: The SNMPv3 specifications describe the concept of a security name. In the XCM8800 implementation, the user name and security name are identical.
-
disable snmpv3 default-group
Users are associated with groups using the following command:
configure snmpv3 add group [[hex ] | ] user [[hex ] | ] {sec-model [snmpv1| snmpv2c | usm]} {volatile}
To show which users are associated with a group, use the following command:
show snmpv3 group {[[hex ] | ] {user [[hex ] | ]}}
To delete a group, use the following command:
configur
-
For privacy, the user can select any one of the following supported privacy protocols: DES, 3DES, AES 128/192/256. In the case of DES, a 16-octet key is provided as input to the DES-CBC encryption protocol, which generates an encrypted PDU to be transmitted. DES uses bytes 1-7 to make a 56-bit key. This key (encrypted itself) is placed in msgPrivacyParameters of SNMPv3 PDUs when the security level is specified as AuthPriv.
-
To delete a MIB view, use the following command:
configure snmpv3 delete mib-view [all-non-defaults | {[[hex ] | ] {subtree }}]
MIB views that are used by security groups cannot be deleted.
SNMPv3 Notification
SNMPv3 can use either SNMPv1 traps or SNMPv2c notifications to send information from an agent to the network manager. The terms trap and notification are used interchangeably in this context.
-
Target Parameters
Target parameters specify the MP model, security model, security level, and user name (security name) used for messages sent to the target address. See Message Processing on page 82 and Users, Groups, and Security on page 83 for more details on these topics. In addition, the target parameter name used for a target address points to a filter profile used to filter notifications.
-
show snmpv3 filter-profile {[[hex ] | ]} {param [[hex ] | ]}
To display the filters that belong to a filter profile, use the following command:
show snmpv3 filter {[[hex ] | ] {{subtree} }
To delete a filter or all filters from a filter profile, use the following command:
configure snmpv3 delete filter [all | [[hex ] | ] {subtree
-
broadcast NTP updates. In addition, the switch supports the configured setting for Greenwich Mean Time (GMT) offset and the use of Daylight Saving Time.
Configuring and Using SNTP
To use SNTP:
1. Identify the host(s) that are configured as NTP server(s). Additionally, identify the preferred method for obtaining NTP updates. The options are for the NTP server to send out broadcasts or for switches using NTP to query the NTP server(s) directly.
-
Table 14. Time Zone Configuration Command Options (Continued)
dst_timezone_ID: Specifies an optional name for this Daylight Saving Time specification. May be up to six characters in length. The default is an empty string.
dst_offset: Specifies an offset from standard time, in minutes. Value is in the range of 1 to 60. Default is 60 minutes.
floatingday: Specifies the day, week, and month of the year to begin or end Daylight Saving Time each year.
-
configure sntp-client primary fd98:d3e2:f0fe:0:54ae:34ff:fecc:892
configure sntp-client primary ntpserver.mydomain.com
NTP queries are first sent to the primary server. If the primary server does not respond within 1 second, or if it is not synchronized, the switch queries the secondary server (if one is configured). If the switch cannot obtain the time, it restarts the query process. Otherwise, the switch waits for the sntp-client update interval before querying again.
5.
-
Table 15.
-
SNTP Example
In this example, the switch queries a specific NTP server and a backup NTP server. The switch is located in Cupertino, California, and an update occurs every 20 minutes. The commands to configure the switch are as follows:
configure timezone -480 autodst
configure sntp-client update-interval 1200
enable sntp-client
configure sntp-client primary 10.0.1.1
configure sntp-client secondary 10.0.1.2
94 | Chapter 3.
-
4. Managing the XCM8800 Software
This chapter includes the following sections:
• Overview on page 95
• Using the XCM8800 File System on page 96
• Managing the Configuration File on page 104
• Managing XCM8800 Processes on page 106
• Understanding Memory Protection on page 109
• Monitoring CPU Utilization on page 110
Overview
The XCM8800 software platform is a distributed software architecture.
-
• CPU monitoring
File system administration—With the enhanced file system, you can move, copy, and delete files from the switch. The file system structure allows you to keep, save, rename, and maintain multiple copies of configuration files on the switch. In addition, you can manage other entities of the switch such as policies and access control lists (ACLs).
-
situations. For more information about configuring core dump files and managing the core dump files stored on your switch, see Appendix C, Troubleshooting.
-
For example, if you have an existing configuration file named test.cfg, the new filename must include the .cfg file extension. When you rename a file on the switch, a message similar to the following appears:
Rename config test.cfg to config megtest.cfg on switch? (y/n)
Enter y to rename the file on your system. Enter n to cancel this process and keep the existing filename.
-
• old-name-internal—Specifies the name of the core dump file located on the internal memory card that you want to copy.
• new-name-internal—Specifies the name of the newly copied core dump file located on the internal memory card.
• memorycard—Specifies the removable external compact flash memory card. (This parameter is available only on modular switches.
-
cp test.cfg test_rev2.cfg
On a modular switch, the following command makes a copy of a configuration file named primary.cfg from the switch to the external memory card with the same name, primary.cfg:
cp primary.
-
ls memorycard
The following is sample output from this command:
-rwxr-xr-x 1 root 0 15401865 Mar 30 00:03 bd10K-11.2.0.13.xos
-rwxr-xr-x 1 root 0       10 Mar 31 09:41 test-1.pol
-rwxr-xr-x 1 root 0       10 Apr  4 09:15 test.pol
-rwxr-xr-x 1 root 0       10 Mar 31 09:41 test_1.pol
-rwxr-xr-x 1 root 0   223599 Mar 31 10:02 v11_1_3.
-
• local-file-memcard—Specifies the name of the file on the external compact flash memory card. (This parameter is available only on modular switches.)
• local-file—Specifies the name of the file (configuration file, policy file) on the local host.
• remote-file—Specifies the name of the file on the remote host.
• force-overwrite—Specifies the switch to automatically overwrite an existing file. (This parameter is available only on the tftp get command.)
-
• memorycard—Specifies the removable external compact flash memory card. (This parameter is available only on modular switches.)
• local-file-memcard—Specifies the name of the file on the external compact flash memory card. (This parameter is available only on modular switches.)
• local-file—Specifies the name of the file (configuration file, policy file) on the local host.
• remote-file—Specifies the name of the file on the remote host.
-
When you delete a configuration or policy file from the system, make sure you specify the appropriate file extension. For example, when you want to delete a policy file, specify the filename and .pol. After you delete a file, it is unavailable to the system. When you delete a file from the switch, a message similar to the following appears:
Remove testpolicy.pol from switch? (y/n)
Enter y to remove the file from your system.
-
Table 16. Configuration File Management
Task: Configuration file database
Behavior: XCM8800 supports saving a configuration file into any named file and supports more than two saved configurations. For example, you can download a configuration file from a network TFTP server and save that file as primary, secondary, or with a user-defined name. You also select where to save the configuration: primary or secondary partition, or another space.
-
Managing XCM8800 Processes
The XCM8800 consists of a number of cooperating processes running on the switch. With process control, under certain conditions, you can stop and start processes, restart failed processes, examine information about the processes, and update the software for a specific process or set of processes.
-
• Ready—The process is running.
• Stopped—The process has been stopped.
• Start Time—The current start time of the process. Options are:
  • Day/Month/Date/Time/Year—The date and time the process began. If a process terminates and restarts, the start time is also updated.
  • Not Started—The process has not been started. This can be caused by not having the appropriate license or by not starting the process.
-
process. Do not save the configuration or change the configuration during the process terminate and (re)start cycle. If you save the configuration after terminating a process, and before the process (re)starts, the configuration for that process is lost.
You can also use a single command to stop and restart a running process during a software upgrade on the switch. By using the single command, there is less process disruption and it takes less time to stop and restart the process.
-
For more detailed information, see the previous section or the NETGEAR 8800 Chassis Switch CLI Manual.
Understanding Memory Protection
The XCM8800 provides memory management capabilities. Each process runs in a protected memory space. This infrastructure prevents one process from overwriting or corrupting the memory space of another process.
-
Monitoring CPU Utilization
You can monitor the CPU utilization and history for all of the processes running on the switch. By viewing this history on a regular basis, you can see trends emerging and identify processes with peak utilization. Monitoring the workload of the CPU allows you to troubleshoot and identify suspect processes before they become a problem. By default, the switch monitors CPU utilization every 5 seconds.
-
• slot—For a modular chassis, specifies the slot number of the MSM/MM. A specifies the MSM installed in slot A. B specifies the MSM installed in slot B. The number is a value from 1 to 8.
Output from this command includes the following information:
• Card—The location (MSM A or MSM B) where the process is running on a modular switch.
• Process—The name of the process.
-
MSM-A cli        0.0 0.0 0.0 48.3 9.6 2.5 2.1 48.3 0.51 0.37
MSM-A devmgr     0.0 0.0 0.0 0.9 0.3 0.2 0.2 17.1 2.22 2.50
MSM-A dirser     0.0 0.0 0.0 0.0 0.0 0.0 0.0 9.5 0.0 0.0
MSM-A dosprotect 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.8 0.20 0.26
MSM-A ems        0.0 0.0 0.0 0.0 0.0 0.0 0.0 12.2 1.1 1.16
MSM-A epm        0.0 0.0 0.0 0.9 0.1 0.2 0.2 4.7 4.18
MSM-A etmon      0.9 0.4 0.6 1.2 1.1 1.0 1.0 23.3 21.84
...
112 | Chapter 4.
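To put the history above to use, the following Python parses show cpu-monitoring rows like the ones just listed and flags processes that reached a utilization threshold in any interval or in their recorded peak. It is an added example, not code from the NETGEAR manual; the column meaning (seven interval averages from 5 seconds to 1 hour, then the peak, then user and system CPU seconds) is an assumption drawn from the sample rows, so check it against the column header your switch prints.

```python
"""Parse 'show cpu-monitoring' rows and flag suspect processes.
Added example, not code from the NETGEAR manual.  Column layout is assumed
(seven interval averages, then the peak, then user/system CPU seconds)."""
from dataclasses import dataclass

# Rows copied from the manual's sample output; the etmon row is truncated there.
SAMPLE_OUTPUT = """\
MSM-A cli 0.0 0.0 0.0 48.3 9.6 2.5 2.1 48.3 0.51 0.37
MSM-A devmgr 0.0 0.0 0.0 0.9 0.3 0.2 0.2 17.1 2.22 2.50
MSM-A dirser 0.0 0.0 0.0 0.0 0.0 0.0 0.0 9.5 0.0 0.0
MSM-A dosprotect 0.0 0.0 0.0 0.0 0.0 0.0 0.0 3.8 0.20 0.26
MSM-A ems 0.0 0.0 0.0 0.0 0.0 0.0 0.0 12.2 1.1 1.16
MSM-A epm 0.0 0.0 0.0 0.9 0.1 0.2 0.2 4.7 4.18
MSM-A etmon 0.9 0.4 0.6 1.2 1.1 1.0 1.0 23.3 21.84 ...
"""

INTERVALS = ("5secs", "10secs", "30secs", "1min", "5mins", "30mins", "1hour")


@dataclass
class ProcessCpu:
    card: str
    process: str
    intervals: dict   # interval label -> percent utilization
    peak: float       # highest utilization recorded (assumed to be the "Max" column)


def parse_cpu_monitoring(text: str) -> list:
    """Turn output rows into ProcessCpu records.  Lines that do not carry a card,
    a process name, seven interval values and a peak (headers, separators,
    badly truncated rows) are skipped rather than mis-parsed."""
    rows = []
    needed = 2 + len(INTERVALS) + 1
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < needed:
            continue
        try:
            values = [float(x) for x in parts[2:needed]]
        except ValueError:      # a header or separator line, not a data row
            continue
        rows.append(ProcessCpu(parts[0], parts[1],
                               dict(zip(INTERVALS, values[:len(INTERVALS)])),
                               values[len(INTERVALS)]))
    return rows


def find_suspect_processes(rows: list, threshold: float) -> list:
    """Return (process, hot_intervals, peak), highest peak first, for every process
    whose utilization reached the threshold in any interval or whose recorded
    peak did; a high peak with no hot interval points at a past burst."""
    suspects = []
    for r in rows:
        hot = {label: pct for label, pct in r.intervals.items() if pct >= threshold}
        if hot or r.peak >= threshold:
            suspects.append((r.process, hot, r.peak))
    return sorted(suspects, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for name, hot, peak in find_suspect_processes(parse_cpu_monitoring(SAMPLE_OUTPUT), 25.0):
        print(f"{name}: peak {peak}%, hot intervals now: {hot or 'none'}")
```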
-
5.
-
Configuring Slots on NETGEAR 8800 Switches
This section describes how to configure slots on the NETGEAR 8800’s modular switches. If a slot has not been configured for a particular type of module, then any type of module is accepted in that slot, and a default port and VLAN configuration is automatically generated.
-
To re-enable a slot, use the following CLI command:
enable slot
You can configure the number of times that a slot can be restarted on a failure before it is shut down. To set the restart limit, use the following command:
configure slot restart-limit
Details on I/O Ports
On the NETGEAR 8810 switch, the XCM88S1 with XCM888F installed has eight 1 Gbps fiber SFP-GBIC data ports. You configure these ports exactly as you do any other ports on the switch.
-
On the NETGEAR 8806 switch, the XCM88S1 with XCM888F installed has eight 1 Gbps fiber SFP-GBIC data ports.
Configuring Ports on a Switch
Note: A port can belong to multiple virtual routers (VRs). For more information on VRs, see Chapter 11, Virtual Routers.
-
Enabling and Disabling Switch Ports
By default, all ports are enabled. To enable or disable one or more ports on a switch, use the following commands:
enable port [ | all]
disable port [ | all]
For example, to disable slot 7, ports 3, 5, and 12 through 15 on a modular switch, use the following command:
disable port 7:3,7:5,7:12-7:15
You have the flexibility to receive or not to receive SNMP trap messages when a port transitions between up and down.
-
Note: With autonegotiation turned off, you cannot set the speed to 1000 Mbps. In general, SFP gigabit Ethernet ports are statically set to 1 Gbps, and their speed cannot be modified. The 10 Gbps ports always run at full duplex and 10 Gbps.
-
• Advertise support for pause frames
• Respond to pause frames
• Do not transmit pause frames
Autonegotiation disabled
• Do not advertise support for pause frames
• Do not respond to pause frames
• Do not transmit pause frames
10 Gbps ports for the NETGEAR 8800 series switch modules:
• Autonegotiation always disabled
• Do not advertise support for pause frames
• Respond to pause frames
• Do not transmit pause frames
Flow Control
As shown above, with autoneg
-
Note: To enable TX flow-control, RX flow-control must first be enabled. If you attempt to enable TX flow-control with RX flow-control disabled, an error message is displayed.
To configure a port to return to the default behavior of not transmitting pause frames, use the following command:
disable flow-control tx-pause ports
RX
You can configure the switch to disable the default behavior of responding to received pause frames.
-
fault. The system then stops transmitting or receiving traffic from that link. After the fault has been alleviated, the system puts the link back up and the traffic automatically resumes. The NETGEAR implementation of LFS conforms to the IEEE standard 802.3ae-2002. Although the physical link remains up, all Layer 2 and above traffic stops. The system sends LinkDown and LinkUp traps when these events occur.
-
Under certain conditions, you might opt to turn autopolarity off on one or more ports.
-
To enable jumbo frame support, enable jumbo frames on the desired ports. To set the maximum jumbo frame size, use the following command:
configure jumbo-frame-size
The jumbo frame size range is 1523 to 9216. This value describes the maximum size of the frame in transit (on the wire), and includes 4 bytes of CRC plus another 4 bytes if 802.1Q tagging is being used.
-
Note: Only jumbo frame-to-normal frame fragmentation is supported. Jumbo frame-to-jumbo frame fragmentation is not supported.
To configure VLANs for IP fragmentation:
1. Enable jumbo frames on the incoming port.
2. Add the port to a VLAN.
3. Assign an IP address to the VLAN.
4. Enable ipforwarding on the VLAN.
5. Set the MTU size for the VLAN, using the following command:
configure ip-mtu vlan
The ip-mtu value ranges between 1500 and 9194, with 1500 the default.
-
to be aggregated into one logical port, or link aggregation group (LAG). See IEEE 802.3ad for more information on this feature. The advantages to link aggregation include an increase in bandwidth and link redundancy.
-
In modular switches, XCM8800 supports LAGs across multiple modules, so resiliency is also provided against individual module failures. The software supports control protocols across the LAGs, both static and dynamic. If you add protocols to the port and then create a LAG on that port, you may experience a slight interruption in the protocol operation.
-
Note: Always reference the master logical port of the load-sharing group when configuring or viewing VLANs. VLANs configured to use other ports in the LAG will have those ports deleted from the VLAN when link aggregation is enabled.
Link Aggregation Algorithms
The NETGEAR 8800 supports address-based load sharing and distributes packets across all members of a LAG.
-
After you enable load-sharing, the LACP protocol is enabled by default. You configure dynamic link aggregation by first assigning a primary, or logical, port to the group, or LAG, and then specifying the other ports you want in the LAG. LACP, using an automatically generated key, determines which links can aggregate. Each link can belong to only one LAG. LACP determines which links are available.
-
The protocol then enables the aggregated link for traffic and monitors the status of the links for changes that may require reconfiguration. For example, if one of the links in a LAG goes down and there are standby links in that LAG, LACP automatically moves the standby port into selected mode and that port begins collecting and distributing traffic.
-
A LAG port moves into a defaulted state after the timeout value expires with no LACPDUs received from the other side of the link. You can configure whether you want this defaulted LAG port removed from the aggregator or added back into the aggregator. If you configure the LAG to remove ports that move into the default state, those ports are removed from the aggregator and the port state is set to unselected.
-
aggregator and traffic through that particular link is redistributed to the other LAG member links.
Figure 1 displays an example of a Health Check LAG:
[Figure 1: Health Check LAG. An application controls the LAG (trunk group) on a switch running ExtremeXOS; ports 1:1, 1:2, 1:3, 1:10 and 1:4 connect to Server1 (192.168.1.101), Server2 (192.168.1.102), Server3 (192.168.1.103) and Server4 (192.168.1.), with vlan1 at 192.168.1.1. The switch connects to and monitors a TCP port on each individual link; port 1:3 is removed from the LAG after no response from the specified TCP port.]
-
Note: See Configuring LACP on page 133 for the maximum number of links, selected and standby, per LACP.
Load Sharing Rules and Restrictions for All Switches
Additionally, the following rules apply to load sharing on all switches:
• The ports in the LAG do not need to be contiguous.
• A LAG that spans multiple modules must use ports that have the same maximum bandwidth capability, with one exception—you can mix media type on 1 Gbps ports.
-
enable sharing grouping {algorithm [port-based | address-based {L2 | L3 | L3_L4 | custom}]} {lacp | health-check}
disable sharing
Note: All ports that are designated for the LAG must be removed from all VLANs prior to configuring the LAG.
Adding and Deleting Ports in a Load-Sharing Group
Ports can be added or deleted dynamically in a load-sharing group, or LAG.
-
configure sharing lacp system-priority
This step is optional; LACP handles prioritization using system MAC addresses.
3. Add or delete ports to the LAG as desired, using the following command:
configure sharing add ports
4. If you want to override the port selection for joining the LAG by configuring a priority for a port within a LAG, issue the following command:
configure lacp member-port priority
5.
-
configure sharing health-check member-port add tcp-tracking {tcp-port frequency misses }
If the TCP port, frequency, or misses are not specified, the defaults described in the NETGEAR 8800 Chassis Switch CLI Manual are used.
3. Add the LAG to a VLAN whose subnet is the same as the configured tracking IP addresses.
-
logical port serves as the LAG Group ID. VLANs configured to use other ports in the load-sharing group will have those ports deleted from the VLAN when load sharing becomes enabled.
-
enable loopback-mode v1
configure v1 add port 5
configure sharing health-check member-port 5 add track-tcp 192.168.1.101 tcp-port 8080
configure sharing health-check member-port 6 add track-tcp 192.168.1.102 tcp-port 8080
configure sharing health-check member-port 7 add track-tcp 192.168.1.103 tcp-port 8080
configure sharing health-check member-port 8 add track-tcp 192.168.1.104 tcp-port 8080
Displaying Switch Load Sharing
You can display static and dynamic load sharing.
-
Mirroring
Note: You can accomplish port mirroring using ACLs. See Chapter 13, ACLs for more information.
Mirroring configures the switch to copy all traffic associated with one or more ports, VLANs, or virtual ports. A virtual port is a combination of a VLAN and a port. The monitor port or ports can then be connected to a network analyzer or RMON probe for packet analysis. The system uses a traffic filter that copies a group of traffic to the monitor port(s).
-
• Physical port—All data that traverses the port, regardless of VLAN configuration, is copied to the monitor port(s). You can specify which traffic the port mirrors:
  • Ingress—Mirrors traffic received at the port.
  • Egress—Mirrors traffic sent from the port.
  • Ingress and egress—Mirrors traffic either received at the port or sent from the port.
(If you omit the optional parameters, all traffic is forwarded; the default for port-based mirroring is ingress and egress.)
-
other source switches in the network. Make sure that VLANs meant to carry normal user traffic are not configured with a tag used for remote mirroring.
• When a VLAN is created with remote-tag, that tag is locked and a normal VLAN cannot have that tag. The tag is unique across the switch. Similarly, if you try to create a remote-tag VLAN where the remote-tag already exists in a normal VLAN as a VLAN tag, you cannot use that tag and the VLAN creation fails.
-
To enable mirroring on multiple ports, use the following command:
enable mirroring to port-list loopback-port
The port-list is a list of monitor ports which will transmit identical copies of mirrored packets. The loopback-port is an otherwise unused port required when mirroring to a port-list. The loopback-port is not available for switching user data traffic.
-
switches to a port at a centralized location. Remote mirroring is accomplished by reserving a dedicated VLAN throughout the network for carrying the mirrored traffic. Figure 2 shows a typical remote mirroring topology. Switch A is the source switch that contains ports, VLANs, and/or virtual ports to be remotely mirrored. Port 25 is the local monitor port on Switch A. Switch B is the intermediate switch. Switch C is the destination switch, which is connected to the network analyzer.
-
The show mirroring output displays the remote tag when remote mirroring is configured. In NETGEAR 8800 series switches, remote mirroring can also be enabled to a single port, without the port-list and loopback-port keywords.
-
Guidelines
The following are guidelines for remote mirroring:
• Configurations of remote mirroring which might cause protocol packets to be remotely mirrored are not recommended. Since all packet types are mirrored when you configure remote mirroring, remotely mirrored protocol packets may have undesirable effects on intermediate and destination switches.
-
configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag 1001
configure stp1 add vlan internalMirrorLoopback ports 8:2,1:48
enable stp1
enable stpd
Switch B Configuration
create vlan remote_vlan
configure vlan remote_vlan tag 1000 remote-mirroring
configure vlan remote_vlan add ports 19,9 tag
create vlan v1
configure vlan v1 tag 1001
configure vlan v1 add ports 19,9 tag
create stp stp1
configure stp1 mode dot1w
configure stp1 add v1 ports all
configure stp1 tag
-
Software-Controlled Redundant Port and Smart Redundancy
Using the software-controlled redundant port feature you can back up a specified Ethernet port (primary) with a redundant, dedicated Ethernet port; both ports are on the same switch. If the primary port fails, the switch will establish a link on the redundant port and the redundant port becomes active.
-
You configure the software-controlled redundant port feature either to have the redundant link always physically up but logically blocked or to have the link always physically down. The default value is to have the link physically down, or Off. By default, Smart Redundancy is always enabled. If you enable Smart Redundancy, the switch automatically fails over to the redundant port and returns traffic to the primary port after connectivity is restored on that port.
-
To configure the switch for the Smart Redundancy feature, use the following command:
enable smartredundancy
To disable the Smart Redundancy feature, use the following command:
disable smartredundancy
Verifying Software-Controlled Redundant Port Configurations
You can verify the software-controlled redundant port configuration by issuing a variety of CLI commands.
-
show port transceiver information
or
show port transceiver information detail
Chapter 5.
-
6. LLDP
This chapter includes the following sections:
• Overview on page 150
• LLDP Packets on page 152
• Transmitting LLDP Messages on page 153
• Receiving LLDP Messages on page 154
• Managing LLDP on page 155
• Supported TLVs on page 156
• Configuring LLDP on page 164
• Displaying LLDP Settings on page 170
Overview
The software supports the Link Layer Discovery Protocol (LLDP). LLDP is a Layer 2 protocol (IEEE standard 802.
-
The information distributed using LLDP is stored by its recipients in a standard Management Information Base (MIB), making it possible for the information to be accessed by a Network Management System (NMS) using a management protocol such as the Simple Network Management Protocol (SNMP). LLDP transmits periodic advertisements containing device information and media-specific configuration information to neighbors attached to the same network.
-
MED TLVs. Likewise, when disabling the LLDP MED TLVs, you must disable the LLDP-MED capabilities TLV only after you have disabled all other LLDP MED TLVs. The LLDP MED protocol extension introduces a new feature called MED fast start, which is automatically enabled when the LLDP MED capabilities TLV is enabled. When a new MED-capable device is detected, the detecting switch sends out an LLDPDU once every second for the configured number of times (called the repeat count).
-
• The frames are sent as untagged frames.
• The frames are sent with a link-local-assigned multicast address as destination address.
• The Spanning Tree Protocol (STP) state of the port does not affect the transmission of LLDP frames.
The length of the packet cannot exceed 1500 bytes. As you add TLVs, you increase the length of the LLDP frame. When you reach 1500 bytes, the remaining TLVs are dropped.
-
• Power via MDI
• Link aggregation
• Maximum frame size
Avaya-NETGEAR Networks proprietary information
• Power conservation request
• Call server
• File server
• 802.
-
• Manufacturer name
• Model name
• Asset ID
Managing LLDP
LLDP is disabled by default. LLDP information is transmitted periodically and stored for a finite period. You access the information using SNMP. A port configured to receive LLDP messages can store information for up to four neighbors. You manage LLDP using the CLI and SNMP. (See NETGEAR 8800 Chassis Switch CLI Manual for complete information on configuring, managing, and displaying LLDP.
-
You can configure an optional TLV to advertise or not to advertise the device’s management address information to the port’s neighbors. With XCM8800, when enabled, this TLV sends out the IPv4 address configured on the management VLAN. If you have not configured an IPv4 address on the management VLAN, the software advertises the system’s MAC address. LLDP does not send out IPv6 addresses in this field.
-
Note: See NETGEAR 8800 Chassis Switch CLI Manual for complete information on configuring LLDP using the CLI.
Table 18.
-
Table 18.
-
• TTL TLV on page 159
• End-of-LLDPDU TLV on page 159
Chassis ID TLV
This mandatory TLV is sent by default after you enable LLDP on the port. It is not configurable. XCM8800 software uses the system’s MAC address to uniquely identify the device.
Port ID TLV
This mandatory TLV is sent by default after you enable LLDP on the port; you cannot configure this TLV. The port ID TLV is used to uniquely identify the port within the device.
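The 1500-byte limit described under LLDP packets and the mandatory Chassis ID, Port ID and TTL TLVs above can be seen end to end in the following Python LLDPDU builder, added here as an example and not code from the NETGEAR manual or the XCM8800 software. It encodes TLVs with the 7-bit type and 9-bit length header of IEEE 802.1AB, drops optional TLVs once the limit is reached, and decodes the result; the MAC address, port name and TTL are constructed.

```python
"""Build and parse an LLDPDU with the mandatory TLVs and a 1500-byte cap.
Added example, not code from the NETGEAR manual; MAC, port name and TTL are constructed."""
import struct

LLDP_MAX_PDU = 1500                 # limit stated in the manual's LLDP packet rules
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 4, 5, 6
CHASSIS_ID_SUBTYPE_MAC = 4          # the switch identifies itself by its system MAC
PORT_ID_SUBTYPE_IFNAME = 5


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 7-bit type followed by 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int, optional: list) -> tuple:
    """Return (pdu, dropped): the mandatory Chassis ID, Port ID and TTL TLVs, then
    as many optional TLVs (in order) as fit under LLDP_MAX_PDU together with the
    End TLV, and the number of optional TLVs dropped once the limit was reached."""
    end_tlv = encode_tlv(TLV_END, b"")
    pdu = b"".join([
        encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_ID_SUBTYPE_MAC]) + chassis_mac),
        encode_tlv(TLV_PORT_ID, bytes([PORT_ID_SUBTYPE_IFNAME]) + port_name.encode()),
        encode_tlv(TLV_TTL, struct.pack("!H", ttl)),
    ])
    dropped = 0
    for index, tlv in enumerate(optional):
        if len(pdu) + len(tlv) + len(end_tlv) > LLDP_MAX_PDU:
            dropped = len(optional) - index     # this and every remaining TLV is dropped
            break
        pdu += tlv
    return pdu + end_tlv, dropped


def decode_lldpdu(pdu: bytes) -> list:
    """Parse (type, value) pairs up to the End TLV; raise on a truncated or
    unterminated PDU instead of reading past its end."""
    tlvs, offset = [], 0
    while offset + 2 <= len(pdu):
        header, = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = pdu[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past end of PDU")
        offset += 2 + length
        if tlv_type == TLV_END:
            return tlvs
        tlvs.append((tlv_type, value))
    raise ValueError("missing End-of-LLDPDU TLV")


def demo() -> tuple:
    """Constructed neighbour: MAC 00:11:22:33:44:55, port 1:1, TTL 120, and four
    400-byte system description TLVs of which only three fit under the limit."""
    optional = [encode_tlv(TLV_SYSTEM_DESC, bytes([0x41 + i]) * 400) for i in range(4)]
    pdu, dropped = build_lldpdu(bytes.fromhex("001122334455"), "1:1", 120, optional)
    return len(pdu), dropped, [t for t, _ in decode_lldpdu(pdu)]


if __name__ == "__main__":
    print(demo())   # (1227, 1, [1, 2, 3, 6, 6, 6])
```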
-
Standards-based TLVs
Note: The system description TLV is automatically enabled after you enable LLDP and is always sent as part of the LLDPDU. Although this TLV is not mandatory according to the standard, XCM8800 software includes this TLV in all LLDPDUs by default; you can configure the system not to advertise this TLV.
-
When enabled, the system sends the image information (from the show version command) in the system description TLV:
XCM8800 version 11.2.0.12 v1120b12 by release-manager on Fri Mar 18 16:01:08 PST 2005
System capabilities TLV
You configure this TLV to be advertised or not advertised. The system capabilities TLV indicates the device’s capabilities and which of these are enabled. The XCM8800 software advertises bridge and router capabilities.
-
Port and protocol VLAN ID TLV

You configure this TLV to be advertised or not advertised. This TLV can be repeated several times within one LLDPDU. When configured, this TLV allows the port to advertise VLANs and whether the port supports protocol-based VLANs or not. If no protocol-based VLANs are configured on the port, the TLV still advertises the port’s capability and sets the VLAN ID value to 0.
-
Maximum frame size TLV

You configure this TLV to be advertised or not advertised. This TLV allows the port to advertise its maximum supported frame size to its neighbors. When jumbo frames are not enabled on the specified port, the TLV reports a value of 1518 after you configure it to advertise. If jumbo frames are enabled, the TLV inserts the configured value for the jumbo frames.
-
Network policy TLV

You configure this MED TLV to allow both network connectivity devices and endpoint devices to advertise VLAN configuration and associated Layer 2 and Layer 3 attributes that apply for a specific set of applications on that port. You configure this TLV per port/VLAN. Each application can exist only once on each port. You can configure a maximum of 8 TLVs, each with its own DSCP value and/or priority tag.
-
This section describes how to configure LLDP using the CLI. See the NETGEAR 8800 Chassis Switch CLI Manual for complete information on configuring LLDP. You can also refer to the IEEE 802.1ab standard.

Enabling and Disabling LLDP

LLDP is disabled on all ports by default. When you enable LLDP on the ports, you select whether the ports will only transmit LLDP messages, only receive the messages, or both transmit and receive LLDP messages.
-
Note: The LLDP timers apply to the entire device and are not configurable by port.

When LLDP is disabled or if the link goes down, LLDP is reinitialized. The reinitialize delay is the number of seconds the port waits to restart the LLDP state machine; the default is 2 seconds.
-
Note: If you want to send traps for LLDP MED, you must configure it separately. Use the enable snmp traps lldp-med {ports [all | ]} command to enable these traps.

Configuring Optional TLV Advertisements

By default, all optional TLVs are not added to the LLDPDU, or not advertised. You can add optional TLVs to the LLDPDU, but be aware that the total LLDPDU cannot exceed 1500 bytes, including the mandatory TLVs.
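As an added example (not code from the manual or the XCM8800 software), the following Python builds and parses an LLDPDU the way the TLV sections above describe it: the mandatory Chassis ID (system MAC), Port ID and TTL TLVs, an optional management address TLV that falls back to the system MAC when no IPv4 address is configured, the End-of-LLDPDU TLV, and the 1500-byte cap including the mandatory TLVs. The MAC, port name and address values are constructed; the wire format is the IEEE 802.1AB TLV layout.

```python
import ipaddress
import struct

# TLV type codes from IEEE 802.1AB and the LLDPDU size limit the manual states.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP, TLV_MGMT_ADDR = 5, 6, 7, 8
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5
ADDR_FAMILY_IPV4, ADDR_FAMILY_ALL802 = 1, 6   # IANA address family numbers
MAX_LLDPDU_BYTES = 1500


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 2-byte header, then the value."""
    if not 0 <= len(value) <= 511:
        raise ValueError("TLV value must fit the 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mgmt_addr_tlv(system_mac, mgmt_ipv4=None):
    """Management address TLV as the manual describes it: the IPv4 address of the
    management VLAN when one is configured, otherwise the system MAC address."""
    if mgmt_ipv4 is not None:
        addr, family = ipaddress.IPv4Address(mgmt_ipv4).packed, ADDR_FAMILY_IPV4
    else:
        addr, family = mac_bytes(system_mac), ADDR_FAMILY_ALL802
    body = bytes([len(addr) + 1, family]) + addr   # address string length, subtype, address
    body += bytes([1]) + struct.pack("!I", 0)       # interface numbering subtype 1 (unknown), ifnumber 0
    body += bytes([0])                              # OID string length 0
    return tlv(TLV_MGMT_ADDR, body)


def build_lldpdu(system_mac, port_name, ttl=120, optional=()):
    """Mandatory Chassis ID, Port ID and TTL; then optional TLVs; then End-of-LLDPDU.
    Rejects an LLDPDU larger than 1500 bytes including the mandatory TLVs."""
    pdu = tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + mac_bytes(system_mac))
    pdu += tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    pdu += b"".join(optional)
    pdu += tlv(TLV_END, b"")
    if len(pdu) > MAX_LLDPDU_BYTES:
        raise ValueError(f"LLDPDU is {len(pdu)} bytes; limit is {MAX_LLDPDU_BYTES}")
    return pdu


def parse_lldpdu(pdu):
    """Walk the TLVs and return [(type, value), ...] up to and including End-of-LLDPDU.
    A receiver stops at the first End TLV and rejects a TLV whose length runs past the PDU."""
    out, off = [], 0
    while off + 2 <= len(pdu):
        (hdr,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = pdu[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        out.append((tlv_type, value))
        off += 2 + length
        if tlv_type == TLV_END:
            break
    else:
        raise ValueError("missing End-of-LLDPDU TLV")
    return out


def summarize(pdu):
    """Decode the fields a 'show lldp neighbors' style display would need."""
    tlvs = dict(parse_lldpdu(pdu))
    info = {"chassis_mac": tlvs[TLV_CHASSIS_ID][1:].hex(":"),
            "port_id": tlvs[TLV_PORT_ID][1:].decode(),
            "ttl": struct.unpack("!H", tlvs[TLV_TTL])[0]}
    if TLV_MGMT_ADDR in tlvs:
        body = tlvs[TLV_MGMT_ADDR]
        addr_len, family = body[0] - 1, body[1]
        raw = body[2:2 + addr_len]
        info["mgmt_addr"] = (str(ipaddress.IPv4Address(raw))
                             if family == ADDR_FAMILY_IPV4 else raw.hex(":"))
    return info
```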
-
To advertise the system name, use the following command:

configure lldp ports [all | ] [advertise | no-advertise] system-name

To advertise the system capabilities, use the following command:

configure lldp ports [all | ] [advertise | no-advertise] system-capabilities

To advertise the IP address of the management VLAN (or the system MAC address if IP is not configured), use the following command:

configure lldp ports [all | ] [advertise | no-advert
-
Configure the power via MDI TLV to advertise the PoE capabilities of the LLDP-enabled port. To advertise the PoE capabilities and status, use the following command:

configure lldp ports [all | ] [advertise | no-advertise] vendor-specific dot3 power-via-mdi

You advertise the load-sharing capabilities and status of the LLDP-enabled port by configuring the link aggregation TLV.
-
configure lldp med fast-start repeat-count

To advertise the VLAN and associated Layer 2 and Layer 3 attributes for a specified application, use the network policy TLV with the following command:

configure lldp ports [all | ] [advertise | no-advertise] vendor-specific med policy application [voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling] vlan dscp {priori
-
To display the statistical counters related to the LLDP port, use the show lldp statistics command.

Displaying LLDP Information Detected from Neighboring Ports

To display information from LLDP neighbors detected on the port, use the show lldp neighbors command. You must use the detailed option to display information on the LLDP MED TLVs.

Chapter 6.
-
7.
-
Note: PoE capability for the XCM8848T modules is available only with the addition of an optional PoE Daughter Module. See Adding an XCM88P Daughter Card to an Existing Configuration on page 184 for more information.

Summary of PoE Features

The NETGEAR 8800 implementation of PoE supports the following features:
• Configuration and control of the power distribution for PoE at the system, slot, and port levels
• Real-time discovery and classification of IEEE 802.
-
paragraph. If there is now enough power, I/O modules that were not powered up previously are powered up. If you lose power or the overall available power decreases, the system removes power to the I/O modules beginning with the highest numbered slots until enough power is available. Inline power reserved for a slot that is not used cannot be used by other PoE slots (inline power is not shared among PoE modules).
-
Note: NETGEAR recommends that, when using a modular switch, you fully populate a single PoE module with PDs until the power usage is just below the usage threshold, instead of spacing PDs evenly across PoE modules.

If you disable a slot with a PoE module, the reserved power budget remains with that slot until you unconfigure or reconfigure the power budget.
-
The default value is deny-port. So, if you do not change the default value and the switch’s or slot’s power is exceeded, the next PD requesting power is not connected (even if that port has a higher configured PoE port priority than those ports already receiving power). When you configure the deny-port value, the switch disregards the configured PoE port priority and port numbering.
-
stays in the fault state until you disable that port, or disconnect the attached PD, or reconfigure the operator limit to be high enough to satisfy the PD requirements. To display the status of PoE ports, including disconnected or faulted ports, use the following command:

show inline-power info ports

When a port is disconnected or otherwise moves into a fault state, SNMP generates an event (after you configure SNMP and a log message is created).
-
Legacy Devices

XCM8800 software allows the use of non-standard PDs with the switch. These are PDs that do not comply with the IEEE 802.3af standard. The system detects non-standard PDs using a capacitance measurement. You must enable the switch to detect legacy devices; the default value is disabled. You configure the detection of legacy PoE devices per slot.
-
Configuring PoE

PoE supports a full set of configuration and monitoring commands that allow you to configure, manage, and display PoE settings at the system, slot, and port level. See the NETGEAR 8800 Chassis Switch CLI Manual for complete information on using the CLI commands. To enable inline power, or PoE, you must have a powered switch or chassis and module.
-
disable inline-power slot
disable inline-power ports [all | ]

Disabling the inline power to a PD immediately removes power from the PD. To display the configuration for inline power, use the following command:

show inline-power

Reserving Power

On modular PoE switches, you reserve power for a given slot. The power reserved for a given slot cannot be used by any other PoE slots, even if the assigned power is not entirely used.
-
the switch. This is called the disconnect precedence method, and you configure one method for the entire switch. The available disconnect precedence methods are:
• Deny port
• Lowest priority

The default value is deny port. Using this method, the switch simply denies power to the next PD requesting power from the slot, regardless of that port’s PoE priority or port number.
-
configure inline-power priority [critical | high | low] ports

To reset the port priority to the default value of low, use the following command:

unconfigure inline-power priority ports [all | ]

To display the PoE port priorities, use the following command:

show inline-power configuration ports

Configuring the Usage Threshold

The system generates an SNMP event after a preset percentage of the reserved power for any slot or total power for a stan
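The following Python model is an added example, not the switch's own allocation logic, covering the disconnect precedence, port priority and usage threshold sections above: a slot has a reserved budget that other slots cannot use, the default deny-port method refuses the next PD regardless of its priority or port number, and an event is raised once delivered power reaches the usage threshold. The threshold percentage, the PD wattages and the detailed lowest-priority behaviour (drop strictly lower-priority ports, highest port number first within a priority) are assumptions labelled in the code.

```python
from dataclasses import dataclass, field

# Lower rank means a more important port. "low" is the default priority per the manual.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PoEPort:
    number: int
    requested_mw: int            # what the attached PD asks for (bounded by the operator limit)
    priority: str = "low"
    powered: bool = False


@dataclass
class PoESlot:
    budget_mw: int                              # power reserved for this slot, not shared with other slots
    precedence: str = "deny-port"               # manual: the default disconnect precedence
    usage_threshold_pct: int = 70               # assumed value; manual only says a preset percentage
    ports: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # stands in for the SNMP events / log messages

    def delivered_mw(self):
        return sum(p.requested_mw for p in self.ports.values() if p.powered)

    def _power_up(self, port):
        port.powered = True
        used = self.delivered_mw() * 100 // self.budget_mw
        if used >= self.usage_threshold_pct:
            self.events.append(f"slot usage {used}% reached threshold {self.usage_threshold_pct}%")

    def connect(self, port):
        """A PD on `port` requests power; returns True if the port is powered."""
        self.ports[port.number] = port
        if self.delivered_mw() + port.requested_mw <= self.budget_mw:
            self._power_up(port)
            return True
        if self.precedence == "deny-port":
            # Manual: the next PD is simply denied, even if its port has a higher
            # configured priority than the ports already receiving power.
            self.events.append(f"port {port.number} denied (deny-port)")
            return False
        # lowest-priority method. The manual names it but this section does not detail
        # it; assumed here: powered ports of strictly lower priority are dropped, lowest
        # priority first and highest port number first within the same priority.
        while self.delivered_mw() + port.requested_mw > self.budget_mw:
            victims = [p for p in self.ports.values()
                       if p.powered and PRIORITY_RANK[p.priority] > PRIORITY_RANK[port.priority]]
            if not victims:
                self.events.append(f"port {port.number} denied (no lower-priority port to disconnect)")
                return False
            victim = max(victims, key=lambda p: (PRIORITY_RANK[p.priority], p.number))
            victim.powered = False
            self.events.append(f"port {victim.number} disconnected to power port {port.number}")
        self._power_up(port)
        return True
```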
-
To reset the switch to the default value, which does not detect legacy PDs, use the following command:

disable inline-power legacy slot

To display the status of legacy detection, use the following command:

show inline-power

Configuring the Operator Limit

You configure the maximum amount of power that the specified port can deliver to the connected PD, in milliwatts (mW). The default value is 15400 mW, and the range is 3000 to 16800 mW.
-
Adding an XCM88P Daughter Card to an Existing Configuration

XCM8848T I/O Modules for the NETGEAR 8800 Series Switches

This section describes how to add an XCM88P daughter card to a NETGEAR 8800 switch configuration that has already been saved without PoE capabilities. The following output displays the results of the show slot command with slot 4 configured:

* XCM8806.2 # * XCM8806.
-
Slot-6 XCM8848T(P) MSM-A MSM-B XCM8848T Operational 48 XCM88S1 Operational 0 XCM88S1 Operational 0 MB
Flags : M - Backplane link to Master is Active
        B - Backplane link to Backup is also Active
        D - Slot Disabled
        I - Insufficient Power (refer to "show power budget")

You can expect to see the following log messages generated by the system after you have attached the card:
-
Displaying PoE Settings and Statistics

You can display the PoE status, configuration, and statistics for the system, slot, and port levels.

Clearing Statistics

You can clear the PoE statistics for specified ports or for all ports.
-
• Not operational
• Disabled
• Subsystem failure
• Card not present
• Slot disabled
• Budgeted power—The amount of inline power, in watts, that is reserved and available to the slot.
• Measured power—The amount of power, in watts, that is currently being used by the slot.
-
show inline-power stats slot

The command provides the following information:
• Firmware status—Displays the firmware state:
  • Operational
  • Not operational
  • Disabled
  • Subsystem failure
  • Card not present
  • Slot disabled
• Firmware revision—Displays the revision number of the PoE firmware
• Total ports powered—Displays the number of ports powered on the specified slot
• Total ports awaiting power—Displays the number of remaining ports in the slot that are not
-
  • Delivering
  • Faulted
  • Disconnected
  • Other
  • Denied
• PD’s power class—Displays the class type of the connected PD:
  • “-----”: disabled or searching
  • “class0”: class 0 device
  • “class1”: class 1 device
  • “class2”: class 2 device
  • “class3”: class 3 device
  • “class4”: class 4 device
• Volts—Displays the measured voltage. A value from 0 to 2 is valid for ports that are in a searching or discovered state.
-
• MIB Detect Status
• Label
• Operator Limit
• PD Class
• Max Allowed Power
• Measured Power
• Line Voltage
• Current
• Fault Status
• Detailed Status
• Priority

Displaying Port PoE Statistics

To display the PoE statistics for each port, use the following command:

show inline-power stats ports

The command provides the following information:
• State—Displays the port power state:
  • Disabled
  • Searching
  • Delivering
  • Faulted
  • Disconne
-
Chapter 7.
-
8.
-
Viewing Port Statistics

XCM8800 software provides a facility for viewing port statistical information. The summary information lists values for the current counter for each port on each operational module in the system. The switch automatically refreshes the display (this is the default behavior). You can also display a snapshot of the real-time port statistics at the time you issue the command and view the output in a page-by-page mode.
-
You can also display a snapshot of the port errors at the time you issue the command and view the output in a page-by-page mode. This setting is not saved; therefore, you must specify the no-refresh parameter each time you want a snapshot of the port errors.
-
• Receive Bad CRC Frames (RX CRC)—The total number of frames received by the port that were of the correct length but contained a bad FCS value.
• Receive Oversize Frames (RX Over)—The total number of good frames received by the port greater than the supported maximum length of 1,522 bytes.
• Receive Undersize Frames (RX Under)—The total number of frames received by the port that were less than 64 bytes long.
-
Table 22. Port Monitoring Display Keys with Auto-Refresh Disabled

Key      Description
Q        Exits from the screen.
[Space]  Displays the next page of ports.

Viewing VLAN Statistics

XCM8800 software provides the facility for viewing VLAN statistics at the port level.
-
Performing Switch Diagnostics

The switch provides a facility for running normal or extended diagnostics. In simple terms, a normal routine performs a simple ASIC and packet loopback test on all ports, and an extended routine performs extensive ASIC, ASIC-memory, and packet loopback tests. By running and viewing the results from diagnostic tests, you can troubleshoot and resolve network issues.
-
If you run diagnostics on an MSM/MM, that module is taken offline while the diagnostics test is performed. When the diagnostic test is complete, the MSM/MM reboots and becomes operational again. If you run diagnostics on the primary MSM/MM, the backup MSM/MM assumes the role of the primary and takes over switch operation. After the MSM/MM completes the diagnostic routine and reboots, you can initiate failover from the new primary MSM/MM to the original primary MSM/MM.
-
the switch fabric and ports offline when you use the run diagnostics [extended | normal | stack-port] {slot [ | A | B]} command. After the diagnostic routine has finished, use the enable slot command to bring the module back online and operational.

Observing LED Behavior During a Diagnostic Test

Whether you run a diagnostic test on an I/O module or MSM/MM, LED activity occurs during and immediately following the test.
-
Table 24. NETGEAR 8800 Series Switch MSM-48 LED Behavior During Diagnostic Test on Primary MSM

MSM      LED   Color   Indicates
Primary  ERR   Off     Depending on the situation, this state indicates:
                       • Diagnostic test in progress on the primary MSM.
                       • Diagnostic test has passed.
                       • Diagnostic failure has occurred.
         ENV   Off     Depending on the situation, this state indicates:
                       • Diagnostic test has passed.
                       • Diagnostic failure has occurred.
-
LED Behavior During a Diagnostic Test on the Backup MSM

Table 25 describes the NETGEAR 8800 series switch XCM88S1 LED behavior during a diagnostic test on the backup MSM.

Table 25. NETGEAR 8800 Series Switch XCM88S1 LED Behavior During Diagnostic Test on Backup MSM

MSM     LED   Color   Indicates
Backup  ERR   Off     Depending on the situation, this state indicates:
                      • Diagnostic test in progress on the backup MSM.
                      • Diagnostic test has passed.
-
Using the System Health Checker

The system health checker is a useful tool to monitor the overall health of your system. Depending on your platform, the software performs a proactive, preventive search for problems by polling and reporting the health of system components, including I/O and management module processes, power supplies, power supply controllers, and fans.
-
System health check errors are reported to the syslog. If you see an error, contact NETGEAR Technical Support.

Enabling Diagnostic Packets on NETGEAR 8800 Switches

To enable diagnostic packets, use the following command:

enable sys-health-check slot

By default, the system health checker tests the data link or the 10 Gbps links every 5 seconds for the specified slot.
-
handling setting appears in parentheses next to the polling setting. For more information about the fault handling setting, see Configuring Module Recovery on page 206. In the following truncated output from a NETGEAR 8810 switch, the system health check setting appears as SysHealth check: Enabled (Normal):

SysName:        TechPubs Lab
SysName:        XCM8810
SysLocation:
SysContact:     support@netgear.
-
Note: NETGEAR does not recommend configuring an interval of less than 5 seconds. Doing this can cause excessive CPU utilization.

Disabling Backplane Diagnostics

Building upon the previous example, the following example disables backplane diagnostics on slot 3:

disable sys-health-check slot 3

Backplane diagnostic packets are no longer sent, but the configured interval for sending backplane diagnostic packets remains at 7 seconds.
-
Note: Use this parameter only with guidance from NETGEAR’s Technical Support personnel. The default setting and behavior is all. NETGEAR strongly recommends using the default setting.

Displaying the Software Recovery Setting

To display the software recovery setting on the switch, use the following command:

show switch

This command displays general switch information, including the software recovery level.
-
Note: When the sys-recovery-level is set to none, running msm-failover does not reboot the current MSM.

• reset—Configures the offending MSM/MM or I/O module to reset upon fault detection. XCM8800 logs fault, error, system reset, and system reboot messages to the syslog.
• shutdown—Configures the switch to shut down all slots/modules configured for shutdown upon fault detection.
-
Initialized; however, the ports are shut down and taken offline. For more information about clearing the shutdown state, see Clearing the Shutdown State on page 211.

Messages Displayed at the Startup Screen

If you configure the shutdown feature and a hardware error is detected, the system displays an explanatory message on the startup screen.
-
Table 26. Module Recovery Actions for the NETGEAR 8800 Series Switches (Continued)

Module Recovery Setting   Hardware     Action Taken
reset                     Single MSM   Resets the MSM.
                          Dual MSM     Resets the primary MSM and fails over to the backup MSM.
                          I/O Module   Resets the I/O module a maximum of five times. After the fifth time, the I/O module is permanently taken offline.
-
Note: If you configure one or more slots for shut down and the switch detects a hardware fault on one of those slots, all of the configured slots enter the shutdown state and remain in that state until explicitly cleared.

If you configure the module recovery setting to none, the output displays an “e” flag that indicates no corrective actions will occur for the specified MSM/MM or I/O module. The “e” flag appears only if you configure the module recovery setting to none.
-
Download %:      100
Flags:           M E
Restart count:   0 (limit 5)
Serial number:   800424-00-02 1104G-02442
Hw Module Type:  XCM8808X
SW Version:      12.4.3.
-
After you clear the shutdown state and reset the affected module, each port is brought offline and then back online before the module and the entire system is operational.
-
• Revision—The revision number of the fan.
• Odometer—Specifies the power-on date and how long the fan tray has been operating since it was first powered on.

Viewing the System Temperature

Depending on your switch model, you can view the temperature in Celsius of the I/O modules, management modules, power controllers, power supplies, and fan trays installed in your switch.
-
PSUCTRL-2 : 30.50 Normal -10 0-50 60

The switch monitors the temperature of each component and generates a warning if the temperature exceeds the normal operating range. If the temperature exceeds the minimum/maximum limits, the switch shuts down the overheated module.
-
• Upload event logs stored in memory buffer or NVRAM to a TFTP server
• Display counts of event occurrences, even those not included in filter
• Display debug information using a consistent configuration method

EMS supports IPv6 as a parameter for filtering events.
-
not synchronized. The reason for this design decision is to make sure that the control channel is not overloaded when a high number of log messages are generated. To capture events generated by the primary node onto the backup node, two additional targets are shown in the target commands—one called primary-msm (modular switches) and one called backup-msm (modular switches).
-
configure log target syslog [all | | ] {vr } {local0 ... local7} from

The following sections describe the commands required for configuring filters, formats, and severity.

Severity

Messages are issued with one of the following severity levels: Critical, Error, Warning, Notice, Info, Debug-Summary, Debug-Verbose, or Debug-Data.
-
When you specify a severity level, messages of that severity level and greater are sent to the target. If you want only those messages of the specified severity to be sent to the target, use the keyword only. For example, specifying severity warning will send warning, error, and critical messages to the target, but specifying severity warning only sends only warning messages.
-
condition names. For example, you can refer to the InBPDU subcomponent of the STP component as STP.InBPDU. On the CLI, you can abbreviate or TAB complete any of these. A component or subcomponent typically has several conditions associated with it.
-
Filtering By Components and Conditions

You may want to send the messages that come from a specific component that makes up XCM8800 or to send the message generated by a specific condition. For example, you might want to send only those messages that come from the STP component, or send the message that occurs when the IP.Forwarding.SlowPathDrop condition occurs. Or you may want to exclude messages from a particular component or event.
-
To view the configuration of a filter, use the following command:

show log configuration filter {}

The following is sample output from this command (for the earlier filter):

Log Filter Name: myFilter
I/                                              Severity
E Comp.   Sub-comp.
- ------- ----------- ----------------------- --------
-
Matching Expressions

You can configure the switch so messages reaching the target match a specified match expression. The message text is compared with the configured match expression to determine whether to pass the message on.
-
Matching Parameters

Rather than using a text match, EMS allows you to filter more efficiently based on the parameter values of the message. In addition to event components and conditions and severity levels, each filter item can also use parameter values to further limit which messages are passed or blocked.
-
configure log filter myFilter add events all match ipaddress 3ffe::1

To configure a range of IPv6 addresses with a mask of 16, use the following command:

configure log filter myFilter add events all match ipaddress 3ffe::/16

• IPv6 scoped address

IPv6 scoped addresses consist of an IPv6 address and a VLAN. The following examples identify a link local IPv6 address.
-
MAC address. If you configure a filter to match a source MAC address and a destination MAC address, XYZ.event5 will match the filter when the source MAC address matches regardless of the destination MAC address because the event contains no destination MAC address. If you specify the strict-match keyword, then the filter will never match event XYZ.event5 because this event does not contain the destination MAC address.
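As an added example (not the EMS implementation), the following Python evaluates an EMS-style filter over constructed events, reproducing the rules from the Severity, Filtering By Components and Conditions, and Matching Parameters sections: a severity keyword passes that level and greater unless "only" is given, a component name matches all of its subcomponents and conditions, an ipaddress match accepts a prefix such as 3ffe::/16, and an event that lacks a matched parameter still passes unless strict-match is set. The component and condition names, MAC and IPv6 values are constructed, and the last-matching-item-wins evaluation order is an assumption.

```python
import ipaddress

# Severity levels in decreasing order, as the manual lists them.
SEVERITIES = ["critical", "error", "warning", "notice", "info",
              "debug-summary", "debug-verbose", "debug-data"]


def severity_passes(event_sev, filter_sev, only=False):
    """'severity warning' passes warning and greater (error, critical);
    'severity warning only' passes warning alone."""
    if only:
        return event_sev == filter_sev
    return SEVERITIES.index(event_sev) <= SEVERITIES.index(filter_sev)


def name_matches(event_name, pattern):
    """'all' matches everything; 'STP' matches STP.InBPDU.Drop; 'STP.InBPDU' matches
    only that subcomponent's conditions (component.subcomponent.condition names)."""
    event_name, pattern = event_name.lower(), pattern.lower()
    if pattern == "all":
        return True
    return event_name == pattern or event_name.startswith(pattern + ".")


def params_match(event_params, match, strict=False):
    """Parameter matching. 'ipaddress' accepts a host address or a prefix such as 3ffe::/16.
    An event that does not carry the parameter still matches, unless strict-match is set."""
    for key, wanted in match.items():
        if key not in event_params:
            if strict:
                return False
            continue
        if key == "ipaddress":
            if ipaddress.ip_address(event_params[key]) not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif str(event_params[key]).lower() != str(wanted).lower():
            return False
    return True


class LogFilter:
    """An EMS-style filter: ordered 'add events' / 'add exclude events' items.
    Assumed evaluation order: every item is checked and the last matching item decides,
    so the more specific item is added after the general one."""

    def __init__(self, name):
        self.name, self.items = name, []

    def add(self, events, severity=None, only=False, match=None, strict=False, exclude=False):
        self.items.append(dict(events=events, severity=severity, only=only,
                               match=match or {}, strict=strict, exclude=exclude))
        return self

    def passes(self, event_name, event_sev, **params):
        verdict = False            # an event no item includes is not sent to the target
        for it in self.items:
            if not name_matches(event_name, it["events"]):
                continue
            if it["severity"] and not severity_passes(event_sev, it["severity"], it["only"]):
                continue
            if not params_match(params, it["match"], it["strict"]):
                continue
            verdict = not it["exclude"]
        return verdict
```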
-
This setting may be saved to the FLASH configuration and is restored on boot-up (to the console display session). To turn on log display for the current session, use the following command:

enable log target session

This setting only affects the current session and is lost when you log off the session. The messages that are displayed depend on the configuration and format of the target. For information on message filtering, see Filtering Events Sent to Targets on page 216.
-
The uploaded messages can be formatted differently from the format configured for the targets, and you can choose to upload the messages in order of newest to oldest or in chronological order (oldest to newest).

Displaying Counts of Event Occurrences

EMS adds the ability to count the number of occurrences of events. Even when an event is filtered from all log targets, the event is counted.
-
Occurred   : # of times this event has occurred since last clear or reboot
Flags      : (*) Not all applications responded in time with there count values
In(cluded) : Set to Y(es) if one or more targets filter includes this event
Notified   : # of times this event has occurred when 'Included' was Y(es)

Displaying Debug Information

By default, a switch does not generate events of severity Debug-Summary, Debug-Verbose, and Debug-Data unless the switch is in debug mode.
-
one global value for the entire switch. The switch software also allows you to set the individual port sampling rates, so you can fine-tune the sFlow statistics gathering. Per the RFC, sFlow sampling is done on ingress only. You can enable sFlow and mirroring at the same time on the NETGEAR 8800. There is no MIB support.
-
• How often the statistics are collected
• How frequently a sample is taken, globally or per port
• How many samples per second can be sent to the CPU

Configuring the Local Agent

The local agent is responsible for collecting the data from the samplers and sending that data to the remote collector as a series of UDP datagrams. The agent address is stored in the payload of the sFlow data, and is used by the sFlow collector to identify each agent uniquely.
-
enable sflow ports

You may enable and disable sFlow on ports irrespective of the global state of sFlow, but samples are not taken until both the port state and the global state are enabled. To disable sFlow on ports, use the following command:

disable sflow ports

Additional sFlow Configuration Options

You can configure three global options to different values from the defaults.
-
configure sflow ports sample-rate

All ports on the switch or the same I/O module are sampled individually.

Maximum CPU Sample Limit

A high number of samples can cause a heavy load on the switch CPU. To limit the load, there is a CPU throttling mechanism to protect the switch. On a modular switch, whenever the limit is reached, the sample rate value is doubled on the slot from which the maximum number of samples are received.
-
• Configures the sampling rate on an edge port.
• Enables sFlow on the edge port.
• Enables sFlow globally on the switch.

configure sflow collector 55.55.55.
-
• Management workstation

RMON Agent

An RMON agent is an intelligent software agent that continually monitors port statistics and system variables. The agent transfers the information to a management workstation on request, or when a predefined threshold is crossed. Information collected by RMON includes Ethernet port statistics and history and the software version and hardware revision of the device.
-
Statistics

The RMON Ethernet Statistics group provides traffic and error statistics showing packets, bytes, broadcasts, multicasts, and errors on an Ethernet port. Information from the Statistics group is used to detect changes in traffic and error patterns in critical areas of the network.

History

The History group provides historical views of network performance by taking periodic samples of the counters supplied by the Statistics group.
-
• probeSoftwareRev—If you configure the probeSoftwareRev object, you can view the current software version of the monitored device.
• probeHardwareRev—If you configure the probeHardwareRev object, you can view the current hardware version of the monitored device.
• probeDateTime—If you configure the probeDateTime object, you can view the current date and time of the probe. For example, Friday December 31, 2004 at 1:30:15 PM EST is displayed as: 2004-12-31,13:30:15.
-
Event Actions

The actions that you can define for each alarm are shown in Table 29.

Table 29. Event Actions

Action        High Threshold
no action
log           Sends a log message.
log-and-trap  Sends both a log message and a trap to all trap receivers.
snmp-trap     Sends a trap to all trap receivers.

To be notified of events using SNMP traps, you must configure one or more trap receivers, as described in the section, Using the Simple Network Management Protocol on page 76.
-
9. VLANs

This chapter includes the following sections:
• Overview on page 238
• Types of VLANs on page 239
• VLAN Names on page 246
• Configuring VLANs on the Switch on page 247
• Private VLANs on page 251

Overview

Setting up Virtual Local Area Networks (VLANs) on the switch eases many time-consuming tasks of network administration while increasing efficiency in network operations.

Note: The software supports using IPv6 addresses, in addition to IPv4 addresses.
-
Implementing VLANs on your networks has the following advantages:
• VLANs help to control traffic—With traditional networks, broadcast traffic that is directed to all network devices, regardless of whether they require it, causes congestion. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that must communicate with each other.
-
• Ethernet, LLC SAP, or LLC/SNAP Ethernet protocol type
• A combination of these criteria

Port-Based VLANs

In a port-based VLAN, a VLAN name is given to a group of one or more ports on the switch. At boot-up, all ports are members of the port-based VLAN default. Before you can add any port to another port-based VLAN, you must remove it from the default VLAN, unless the new VLAN uses a protocol other than the default protocol any.
-
Figure 7. Single Port-based VLAN Spanning Two Switches (System 1 and System 2, VLAN Sales)

To create multiple VLANs that span two switches in a port-based VLAN, a port on system 1 must be cabled to a port on system 2 for each VLAN you want to have span across the switches. At least one port on each switch must be a member of the corresponding VLANs, as well. Figure 8 illustrates two VLANs spanning two switches.
-
Tagged VLANs

Tagging is a process that inserts a marker (called a tag) into the Ethernet frame. The tag contains the identification number of a specific VLAN, called the VLANid (valid numbers are 1 to 4094).

Note: The use of 802.1Q tagged packets may lead to the appearance of packets slightly bigger than the current IEEE 802.3/Ethernet maximum of 1,518 bytes. This may affect packet error counters in other devices and may also lead to connectivity problems if non-802.
-
Figure 9. Physical Diagram of Tagged and Untagged Traffic (System 1 and System 2; M = Marketing, S = Sales; 802.1Q tagged server; tagged ports marked)

Figure 10 is a logical diagram of the same network.
untagged traffic. In other words, a port can simultaneously be a member of one port-based VLAN and multiple tag-based VLANs.
Note: For the purposes of VLAN classification, packets arriving on a port with an 802.1Q tag containing a VLANid of 0 are treated as untagged.

Protocol-Based VLANs
Protocol-based VLANs enable you to define a packet filter that the switch uses as the matching criteria to determine if a particular packet belongs to a particular VLAN.
Predefined Protocol Filters
The following protocol filters are predefined on the switch:
• IP (IPv4)
• IPv6 (11.2 IPv6)
• IPX
• NetBIOS
• DECNet
• IPX_8022
• IPX_SNAP
• AppleTalk

Defining Protocol Filters
If necessary, you can define a customized protocol filter by specifying EtherType, Logical Link Control (LLC), or Subnetwork Access Protocol (SNAP). Up to six protocols can be part of a protocol filter. To define a protocol filter:
1.
A maximum of 15 protocol filters, each containing a maximum of 6 protocols, can be defined. No more than 7 protocols can be active and configured for use.
Note: For more information on SNAP for Ethernet protocol types, see TR 11802-5:1997 (ISO/IEC) [ANSI/IEEE std. 802.1H, 1997 Edition].
Note: NETGEAR recommends that you use VLAN names consistently across your entire network. You must use mutually exclusive names for the following:
• VLANs
• vMANs
• IPv6 tunnels
• SVLANs
• CVLANs
• BVLANs

Renaming a VLAN
To rename an existing VLAN, use the following command:
configure {vlan} name
The following rules apply to renaming VLANs:
• You cannot change the name of the default VLAN.
• You cannot create a new VLAN named default.
Note: Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You cannot configure the same IP subnet on different VLANs on the same virtual router.
2. If needed, assign an IP address and mask (if applicable) to the VLAN using the following command:
configure {vlan} ipaddress [ {} | ipv6-link-local | {eui64} ]
Note: The software supports using IPv6 addresses, in addition to IPv4 addresses.
• You can disable the default VLAN; ensure that this is necessary before disabling the default VLAN.
• You cannot disable the management VLAN.
• Although you can remove ports from a disabled VLAN, you cannot add ports to a disabled VLAN or bind Layer 2 protocols to that VLAN. When you attempt to add ports or bind L2 protocols to a disabled VLAN (for example, the VLAN Accounting), the system returns a message similar to the following:
VLAN accounting is disabled.
create vlan development
configure development ipaddress 2001:0DB8::8:800:200C:417A/64
configure default delete port 1-3
configure development add port 1-3
The following modular switch example creates a protocol-based VLAN named ipsales. Slot 5, ports 6 through 8, and slot 6, ports 1, 3, and 4-6 are assigned to the VLAN.
• Protocol information
• QoS profile information
• Rate shaping information
• NetLogin information
• Ports assigned
• Tagged/untagged status for each port
• How the ports were added to the VLAN
• Number of VLANs configured on the switch
• IP forwarding information
• Multicasting information
• Routing protocol information
Use the detail option to display the detailed format.
• PVLAN Configuration Example 2 on page 267

PVLAN Overview
PVLANs offer the following features:
• VLAN isolation
Note: PVLAN features are supported only on the platforms listed for this feature in the license tables in Appendix A, XCM8800 Software Licenses.
Figure 12. VLAN Isolation Application (Company A: Engineering VLAN tag 101 and Marketing VLAN tag 102 as non-isolated subscriber VLANs, Network VLAN tag 10, isolated subscriber VLAN Guests tag 500, APP server, link to backbone)
In Figure 12, ports in the Guest VLAN have access to services on the network VLAN, but Guest VLAN ports cannot access other Guest VLAN ports over Layer 2 (or the Marketing or Engineering VLANs). This provides port-to-port security at Layer 2.
Figure 13. Private VLAN Switch Components (Network VLAN tag 10 to main core router; non-isolated subscriber VLANs Marketing tag 102 and Engineering tag 101; isolated subscriber VLAN Guests tag 50)
There is one network VLAN in each PVLAN. Ports within a network VLAN, called network ports, can communicate with all VLAN ports in the PVLAN.
VLAN isolation within the PVLAN is established by configuring a VLAN to be an isolated subscriber VLAN and adding ports to the isolated VLAN. Unlike normal VLANs, ports in an isolated VLAN cannot communicate with other ports in the same VLAN over Layer 2 or Layer 3. The ports in an isolated VLAN can, however, communicate with Layer 2 devices on the network side of the PVLAN through the network VLAN.
VLAN that are located on a different physical switch. An isolated VLAN can span multiple switches and maintain isolation between the VLAN ports. The network and subscriber VLANs can be extended to other switches that are not configured for the PVLAN (as described in Extending Network and Subscriber VLANs to Other Switches on page 256). The advantage to extending the PVLAN is that tag translation and VLAN isolation are supported on the additional switch or switches.
the Network VLAN extension on Switch 3. Switch 3, Port 24 is configured as tagged and only accepts traffic with the Network VLAN Tag. Switch 3 serves as an extension of the Network VLAN and can be used to connect to network devices such as servers or an internet gateway. Switch 2, Port 22 supports the Network, Non-Isolated, and Isolated VLANs, but no PVLAN is configured.
The network VLAN entry is used when traffic comes in from the network ports destined for a non-isolated port.
Note: The formula above estimates the worst-case scenario for the maximum number of FDB entries for a single PVLAN. If the switch supports additional PVLANs, apply the formula to each PVLAN and add the totals for all PVLANs. If the switch also supports standard VLANs, there will also be FDB entries for the standard VLANs.

Layer 3 Communications
For PVLANs, the default switch configuration controls Layer 3 communications exactly as communications are controlled in Layer 2.
state it another way, one of the VLAN members with overlapping ports does not require a dedicated loopback port, and the rest of the VLAN members do require a single, dedicated loopback port within each member VLAN.
Note: There is a limit to the number of unique source MAC addresses on the network VLAN of a PVLAN that the switch can manage.
configure private-vlan add subscriber {non-isolated} {loopback-port }
By default, this command adds an isolated subscriber VLAN. To create a non-isolated subscriber VLAN, you must include the non-isolated option.

Configuring Network VLAN Ports for VLAN Translation
When subscriber VLAN traffic exits a network VLAN port, it can be untagged, tagged (with the subscriber VLAN tag), or translated (to the network VLAN tag).
To add ports to a non-isolated VLAN (before or after it is added to the PVLAN), use the following command:
configure {vlan} add ports [ | all] {tagged | untagged} {{stpd} } {dot1d | emistp | pvst-plus}}
If you specify the tagged option, egress traffic uses the non-isolated VLAN tag, regardless of the network translation configuration on any network port with which these ports communicate.
Configuring a Network or Subscriber VLAN Extension to Another Switch
You can extend a network or subscriber VLAN to another switch without configuring a PVLAN on that switch. This configuration is introduced in Extending Network and Subscriber VLANs to Other Switches on page 256.
• Displaying Information for all PVLANs on page 264
• Displaying Information for a Specific PVLAN on page 264
• Displaying Information for a Network or Subscriber VLAN on page 264

Displaying Information for all PVLANs
To display information on all the PVLANs configured on a switch, use the following command:
show private-vlan

Displaying Information for a Specific PVLAN
To display information about a single PVLAN, use the following command:
show {private-vlan}
Displa
Figure 16. PVLAN Configuration Example 1 (web proxy server and file servers; Main VLAN: slot 1, tag 100; ClientConnections VLAN: slot 2, tag 200; Research VLAN: slot 3, tag 300; client PCs and file servers on the client VLANs)
The medical research lab hosts lots of visiting clients.
configure vlan ClientConnections add port 2:*
configure vlan ClientConnections tag 200
create vlan Research
configure vlan Research add port 3:*
configure vlan Research tag 300
The remote switch VLAN is configured as follows:
create vlan Main
configure vlan Main add port 1:*
configure vlan Main tag 100
The next step is to create the PVLAN on the local switch and configure each of the component VLANs for the proper role:
create private-vlan MedPrivate
configure private-vlan "MedPr
PVLAN Configuration Example 2
Figure 17 shows a PVLAN configuration example for a motel.
• A VLAN called ClientConnections that contains client PC connections for the guest rooms.
The goals for the motel network are as follows:
• Provide internet access for the ConfRoom and ClientConnections VLANs through the web proxy server.
• Prevent communications between the ConfRoom and ClientConnections VLANs.
• Enable communications between clients on the ClientConnections VLAN only within the conference room.
create vlan ConfRoom
configure vlan ConfRoom tag 300
configure vlan ConfRoom add port 1:21-1:30
configure vlan ConfRoom add port 1:20 tagged
# Create and configure the PVLAN named Motel.
# Note that the loopback port is flagged with an "L" and listed as a tagged port, and the network VLAN ports are flagged with an "s" and listed as tagged ports.
10. FDB
This chapter includes the following sections:
• Overview on page 271
• Managing the FDB on page 274
• Displaying FDB Entries and Statistics on page 278
• MAC-Based Security on page 279
• Multicast FDB with Multiport Entry on page 283

Overview
Note: See the NETGEAR 8800 Chassis Switch CLI Manual for details of the commands related to the FDB.
The switch maintains a forwarding database (FDB) of all MAC addresses received on all of its ports.
FDB Contents
Each Forwarding Database (FDB) entry consists of:
• The MAC address of the device
• An identifier for the port and VLAN on which it was received
• The age of the entry
• Flags
Frames destined for MAC addresses that are not in the FDB are flooded to all members of the VLAN.

How FDB Entries Get Added
The MAC entries that are added to the FDB are learned in the following ways:
• On NETGEAR 8800 series switches, MAC entries can be learned at the hardware level.
• Private VLAN Entries on page 274

Dynamic Entries
A dynamic entry is learned by the switch by examining packets to determine the source MAC address, VLAN, and port information. The switch then creates or updates an FDB entry for that MAC address. Initially, all entries in the database are dynamic, except for certain entries created by the switch at boot-up. Entries in the database are removed (aged-out) if, after a period of time (aging time), the device has not transmitted.
power off/on cycle occurs. A static entry is maintained exactly as it was created. Conditions that cause dynamic entries to be updated, such as VLAN or port configuration changes, do not affect static entries. To create a permanent static FDB entry, see Adding a Permanent Static Entry on page 274. A locked static entry is an entry that was originally learned dynamically, but has been made static (locked) using the MAC address lock-down feature.
create fdbentry 00:E0:2B:12:34:56 vlan marketing port 3:4
The permanent entry has the following characteristics:
• MAC address is 00:E0:2B:12:34:56.
• VLAN name is marketing.
• Slot number for this device is 3 (only on modular switches).
• Port number for this device is 4.
You clear dynamic FDB entries by targeting:
• Specified MAC addresses
• Specified ports
• Specified VLANs
• All blackhole entries
To clear dynamic entries from the FDB, use the following command:
clear fdb { | ports | vlan | blackhole}
You clear permanent FDB entries by targeting:
• All permanent entries
• Specified MAC addresses
• Specified VLANs
• All blackhole entries
To clear permanent entries from the FDB, use the following c
transit switch can learn the MAC addresses and make incorrect forwarding decisions. To prevent learning on a remote mirroring VLAN, use the following command:
disable learning {vlan}
To enable learning after it has been disabled, use the following command:
enable learning {vlan}

Managing FDB MAC Address Tracking
The MAC address tracking feature tracks FDB add, move, and delete events for specified MAC addresses and for specified ports.
Enabling and Disabling SNMP Traps for MAC Address Changes
The default switch configuration disables SNMP traps for MAC address changes.
Note: The MAC-based VLAN netlogin parameter applies only for the NETGEAR 8800 series switches. See Chapter 16, Network Login for more information on netlogin.
With no options, the command displays all FDB entries. (The age parameter does not show on the display for the backup MSM/MM on modular switches; it does show on the display for the primary MSM/MM.
• Creating Blackhole FDB Entries on page 283

Managing MAC Address Learning
By default, MAC address learning is enabled on all ports. MAC addresses are added to the FDB as described in How FDB Entries Get Added on page 272. When MAC address learning is disabled on a port, the switch no longer stores the source address information in the FDB.
disable learning vlan

Managing Egress Flooding
Egress flooding takes action on a packet based on the packet destination MAC address. By default, egress flooding is enabled, and any packet for which the destination address is not in the FDB is flooded to all ports except the ingress port. You can enhance security and privacy as well as improve network performance by disabling Layer 2 egress flooding on a port or VLAN.
In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP address for client 2.

Guidelines for Enabling or Disabling Egress Flooding
The following guidelines apply to enabling and disabling egress flooding:
• Egress flooding can be disabled on ports that are in a load-sharing group.
Creating Blackhole FDB Entries
A blackhole FDB entry discards all packets addressed to or received from the specified MAC address. To create a blackhole FDB entry, use the following command:
create fdbentry vlan [ports | blackhole]
There is no software indication or notification when packets are discarded because they match blackhole entries. The blackhole option is also supported through access lists.
You can use the create fdbentry vlan ports command to create a static FDB entry with a unicast MAC address and a list of more than one port. Once the static FDB is created, any ingress traffic with a destination MAC address matching the FDB entry is multicasted to each port in the specified list. If the FDB entry is the next hop for an IP adjacency, unicast routing sends the packet to the first port in the list.
11. Virtual Routers
This chapter includes the following sections:
• Overview on page 285
• Managing Virtual Routers on page 288
• Virtual Router Configuration Example on page 292

Overview
The XCM8800 software supports virtual routers (VRs). This capability allows a single physical switch to be split into multiple VRs. This feature separates the traffic forwarded by a VR from the traffic on a different VR.
NETGEAR 8800 Chassis Switch CLI Manual for information on the defaults for individual commands.
Note: The term VR is also used with the Virtual Router Redundancy Protocol (VRRP). VRRP uses the term to refer to a single VR that spans more than one physical router, which allows multiple switches to provide redundant routing services to users.
One instance of each routing protocol is spawned for VR-Default during the XCM8800 system boot-up, and these routing instances cannot be deleted.

User Virtual Routers
Note: User VRs are supported only on the platforms listed for this feature in Table 75 on page 798. When a modular switch contains modules or switches that do not support user VRs, the ports on those devices cannot be added to a user VR.
User VRs are the VRs created by users in addition to the system VRs.
Table 30. Virtual Router Commands (Continued)
[enable | disable] igmp snooping (a)
[enable | disable] ipmcforwarding
show igmp
show igmp snooping
show igmp group
show igmp snooping cache
a. Other commands are available with these listed.
The VR context simplifies configuration and management because you do not have to specify the VR for each individual command.
because these three names are the names for the system VRs in XCM8800 releases before 11.0.
When you add a protocol to a user VR, the software starts a process to support the protocol, but it does not enable that protocol. After you add a protocol to a user VR, you must specifically enable and configure that protocol before it starts.
Note: You must add, configure, and enable a protocol for a VR before you start unicast or multicast forwarding on the VR and before you configure any features (such as VLANs) to use the VR.
Adding Ports to a Single Virtual Router
When you add a port to a VR, that port can only be used by that VR.
Configuring the Routing Protocols and VLANs
After a user VR is created, the ports are added, and support for any required routing protocols is added, you can configure the VR. To create a VLAN in a VR, use the following command:
create vlan {vr }
If you do not specify a VR in the create vlan command, the VLAN is created in the current VR context. VLAN names must conform to the guidelines specified in Object Names on page 31.
* XCM8810.3 # configure vr vr-default delete ports 3:*
* XCM8810.4 # configure vr helix add ports 3:*
* XCM8810.5 # configure vr helix add protocol ospf
* XCM8810.6 # virtual-router helix
* (vr helix) XCM8810.7 # create vlan helix-accounting
* (vr helix) XCM8810.8 # configure helix-accounting add ports 3:1
* (vr helix) XCM8810.9 #
12. Policy Manager
This chapter includes the following sections:
• Overview on page 294
• Creating and Editing Policies on page 294
• Applying Policies on page 297

Overview
One of the processes that make up the XCM8800 system is the policy manager. The policy manager is responsible for maintaining a set of policy statements in a policy database and communicating these policy statements to the applications that request them.
Note: Although the XCM8800 does not prohibit mixing ACL and routing type entries in a policy file, it is strongly recommended that you do not mix the entries, and you use separate policy files for ACL and routing policies.
When you create a policy file, name the file with the policy name that you will use when applying the policy, and use “.pol” as the filename extension. For example, the policy name “boundary” refers to the text file “boundary.pol”.
tftp [ | ] {-v } [-g | -p] [{-l [internal-memory | memorycard | } {-r } | {-r } {-l [internal-memory | memorycard | ]}]

Checking Policies
A policy file can be checked to see if it is syntactically correct.
Would you like to perform a full refresh?
If blackhole is enabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Enabled.
Would you like to perform a full refresh?
To take advantage of Smart Refresh, disable access-list refresh blackholing.

Applying Policies
ACL policies and routing policies are applied using different commands.
Commands that use the keyword route-policy control the routes advertised or received by the protocol.
13.
ACLs are created in two different ways. One method is to create an ACL policy file and apply that ACL policy file to a list of ports, a VLAN, or to all interfaces.
Note: ACLs applied to a VLAN are actually applied to all ports on the switch, without regard to VLAN membership.
An ACL policy file is a text file that contains one or more ACL rule entries.
entry {
  if {
    ;
  } then {
    ;
    ;
  }
}
The following is an example of a rule entry:
entry udpacl {
  if {
    source-address 10.203.134.0/24;
    destination-address 140.158.18.16/32;
    protocol udp;
    source-port 190;
    destination-port 1200 - 1250;
  } then {
    permit;
  }
}
An ACL rule is evaluated as follows:
• If the packet matches all the match conditions, the action and any action modifiers in the statement are taken.
Matching All Egress Packets
Unlike ingress ACLs, for egress ACLs you must specify either a source or destination address, instead of writing a rule with no match conditions. (Exceptions are the BlackDiamond 20800 series switches.) For example, an ingress ACL deny all rule could be:
entry DenyAllIngress {
  if {
  } then {
    deny;
  }
}
The previous rule would not work as an egress ACL, except with BlackDiamond 20800 series switches.
Note that the description begins with the tag @description and is a text string enclosed in quotes. You can apply the policy to port 1, using the following command:
configure access-list denyping port 1
and display the policy using the following command:
show policy denyping
The output of this command is similar to the following:
Policies at Policy Server:
Policy: denyping
@description This line is a description for the denyping.
• source-address —IP source address and mask
• destination-address —IP destination address and mask
• source-port [ | | ]—TCP or UDP source port range
• destination-port [ | | ]—TCP or UDP destination port range
Table 31 describes all the possible match conditions.

Actions
The actions are:
• permit—The packet is forwarded.
• deny—The packet is dropped.
Counting Packets and Bytes
When the ACL entry match conditions are met, the specified counter is incremented. The counter value can be displayed by the command:
show access-list counter {} {any | ports | vlan } {ingress | egress}
Users of NETGEAR 8800 switches can use ACL byte counters as an alternative to ACL packet counters.
IP ARP cache, otherwise the packet is forwarded normally. Only fast path traffic can be redirected. This capability can be used to implement Policy-Based Routing. You may want to create a static ARP entry for the redirection IP address, so that there will always be a cache entry. See Policy-Based Routing on page 337 for more information.

Replacing DSCP or 802.1p Fields
Specify a QoS profile for matching packets.
Table 31. ACL Match Conditions (Continued)
Match condition, description, and applicable IP protocols/direction:
ethernet-source-address mask or ethernet-source-address /: Ethernet source MAC address and mask.
Table 31. ACL Match Conditions (Continued)
Match condition, description, and applicable IP protocols/direction:
destination-port { | }: TCP or UDP destination port. You must also specify the protocol match condition to determine which protocol is being used on the port, any time you use this match condition. (Applicable: TCP, UDP/Ingress and Egress)
Table 31. ACL Match Conditions (Continued)
Match condition, description, and applicable IP protocols/direction:
icmp-code: ICMP code field. This value or keyword provides more specific information than the icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify the icmp-type along with the icmp-code. (Applicable: ICMP/Ingress and Egress)
Table 31. ACL Match Conditions (Continued)
Match condition, description, and applicable IP protocols/direction:
snap-type: SNAP type is a 2 byte field with possible values 0-65535 decimal. The value can be specified in decimal or hexadecimal. The SNAP type field can be found at byte offset 20 in 802.3 SNAP formatted packets. (Applicable: Ethernet/Ingress Only)
ip-tos: IP TOS field.
Table 32. ACL Match Condition Data Types
range: A range of numeric values. To specify the numeric range, use the notation: number - number
bit-field: Used to match specific bits in an IP packet, such as TCP flags and the fragment flag.
mac-address: 6-byte hardware address.

IPv6 Traffic with L4 Match Conditions
If you apply an ACL policy intended to match IPv6 packets using an ACL that specifies L4 conditions, the traffic will not be matched.
Policy file syntax checker
The following rules are used to evaluate fragmented packets or rules that use the fragments or first-fragments keywords. With no keyword specified, processing proceeds as follows:
• An L3-only rule that does not contain the first-fragments keyword matches any IP packets.
• An L4 rule that does not contain the first-fragments keyword matches non-fragmented or initial-fragment packets.
Dynamic ACLs
Dynamic ACLs are created using the CLI. They use a similar syntax and can accomplish the same actions as single rule entries used in ACL policy files. More than one dynamic ACL can be applied to an interface, and the precedence among the dynamic ACLs can be configured. By default, the priority among dynamic ACLs is established by the order in which they are configured.
Note: Dynamic ACLs have a higher precedence than ACLs applied using a policy file.
Notice that the conditions parameter is a quoted string that corresponds to the match conditions in the if { ... } portion of the ACL policy file entry. The individual match conditions are concatenated into a single string. The actions parameter corresponds to the then { ... } portion of the ACL policy file entry.
conf access-list add "bpdu2" first ports 6 ingress
To unconfigure the STP ACL, use the following:
conf access-list del "bpdu1" ports 6
del access-list "bpdu1"

Configuring ACLs on a Management Port
Hardware ACL support is not possible on the management port. Untagged packets that are received on the management port are processed in software and can be filtered using ACLs. ACLs applied to the management port/vlan are installed only in software and not in the hardware.
To view both System Space and User Space zones, use the show access-list zone command. Table 33 shows the priority of System Space zones and User Space zones together with the default assignments and priority of applications by zone.
Table 33.
and above the System zone. You can add applications to that zone and assign their priority. The example below shows the ACL zone priority that would result from adding the MacInMac and Cli applications to MY_HIGH_ZONE:
1. DOS Zone: hal DoS
2. MY_HIGH_ZONE: MacInMac, Cli
3. SYSTEM Zone: Cli, IpSecurity, NetLogin, HealthCheckLAG, IdentityManager
4. SECURITY Zone: Sentriant, Generic Xml
5.
If an application assigns the same priority number to two ACLs, the ACL added most recently has the higher priority. It is inserted in the priority map immediately ahead of the older ACL that has the same priority number. This effectively allows the application to create sub-zones within a zone. The attributes first and last can be used in combination with priority numbers to prioritize the ACLs within a sub-zone.
To delete a zone use the following command:
delete access-list zone
You must remove all applications from a zone before you can delete the zone. You cannot delete the default zones.

ACL Evaluation Precedence
This section describes the precedence for evaluation among ACL rules for the NETGEAR 8800 series switches. In many cases there will be more than one ACL rule entry for an interface. This section describes how multiple rule entries are evaluated.
counter, could count the packet more than once. Do not use precedence to control counter usage; define different counters for different cases. For details of this behavior on different platforms, see ACL Slices and Rules on page 325.

Precedence of Dynamic ACLs
Dynamic ACLs have a higher precedence than any ACLs applied using policy files. The precedence among any dynamic ACLs is determined as they are configured.
entry DenyNIC {
  if {
    protocol 17;
    destination-port 161;
  } then {
    deny;
    count denyNIC;
  }
}

Applying ACL Policy Files
A policy file intended to be used as an ACL is applied to a port, VLAN, or to all interfaces (the any keyword). Use the name of the policy file for the parameter in the CLI command.
clear access-list {dynamic} counter {} {any | ports | vlan } {ingress | egress}

Example ACL Rule Entries
The following entry accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1250:
entry udpacl {
  if {
    source-address 10.203.134.0/24;
    destination-address 140.158.18.
  } then {
    deny;
    count icmpcnt;
  }
}
The following example prevents TCP connections from being established from the 10.10.20.0/24 subnet, but allows established connections to continue, and allows TCP connections to be established to that subnet. A TCP connection is established by sending a TCP packet with the SYN flag set, so this example blocks TCP SYN packets.
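As an added example (not from the manual or the switch software), the following Python evaluator parses the entry { if { ... } then { ... } } policy-file format used in this chapter and applies the first-match rule stated above: a packet takes the action and modifiers of the first entry whose conditions all match. It uses the udpacl and DenyNIC entries shown here plus a hypothetical SynOnly entry for the SYN-blocking case; the tcp-flags keyword form, its reading as "SYN set, ACK clear", and the forwarding of traffic that matches no entry are assumptions of this example, so check the CLI manual for the switch's exact semantics.

```python
"""Reference evaluator for ACL policy-file entries of the form
    entry <name> { if { <cond>; ... } then { <action>; <modifier>; ... } }
Entries are tried in file order; the first whose conditions ALL match supplies
the action (permit/deny), and its modifiers (here: count <counter>) are applied."""
import ipaddress
import re

# Constructed policy text for this example (not the manual's own file): udpacl and
# DenyNIC follow the entries shown in this chapter; SynOnly is a hypothetical entry
# for the "block TCP SYN from 10.10.20.0/24" case described in the text.
POLICY = """entry udpacl {
  if {
    source-address 10.203.134.0/24;
    destination-address 140.158.18.16/32;
    protocol udp;
    source-port 190;
    destination-port 1200 - 1250;
  } then {
    permit;
  }
}
entry DenyNIC {
  if {
    protocol 17;
    destination-port 161;
  } then {
    deny;
    count denyNIC;
  }
}
entry SynOnly {
  if {
    source-address 10.10.20.0/24;
    protocol tcp;
    tcp-flags SYN;
  } then {
    deny;
    count synBlocked;
  }
}
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)


def parse_policy(text):
    """Return [(name, [condition tokens], [action tokens]), ...] in file order."""
    def stmts(block):  # 'a b; c d;' -> [['a', 'b'], ['c', 'd']], blanks dropped
        return [s.split() for s in block.split(";") if s.strip()]
    return [(m.group(1), stmts(m.group(2)), stmts(m.group(3))) for m in ENTRY_RE.finditer(text)]


def _port_matches(tokens, port):
    # "190" is a single port; "1200 - 1250" is a range (the Table 32 range type)
    if len(tokens) == 3 and tokens[1] == "-":
        return int(tokens[0]) <= port <= int(tokens[2])
    return port == int(tokens[0])


def condition_matches(cond, pkt):
    """Evaluate one match condition against a packet dict; unknown keywords never match."""
    key, args = cond[0], cond[1:]
    if key in ("source-address", "destination-address"):
        addr = pkt["src"] if key == "source-address" else pkt["dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(args[0], strict=False)
    if key == "protocol":  # keyword (udp) or number (17); both forms appear in this chapter
        wanted = PROTO_NUMBERS.get(args[0].lower(), int(args[0]) if args[0].isdigit() else -1)
        return pkt["proto"] == wanted
    if key in ("source-port", "destination-port"):
        field = "sport" if key == "source-port" else "dport"
        return field in pkt and _port_matches(args, pkt[field])
    if key == "tcp-flags":
        # Assumption of this example: SYN means a connection-initiating segment
        # (SYN set, ACK clear), so SYN-ACK replies and established traffic pass.
        flags = set(pkt.get("flags", ()))
        return pkt["proto"] == 6 and args[0].upper() == "SYN" and "SYN" in flags and "ACK" not in flags
    return False


def evaluate(entries, pkt, counters):
    """First-match evaluation: (action, entry_name), or ('permit', None) if nothing matched."""
    for name, conds, actions in entries:
        if all(condition_matches(c, pkt) for c in conds):
            action = "permit"
            for act in actions:
                if act[0] in ("permit", "deny"):
                    action = act[0]
                elif act[0] == "count":  # action modifier: bump the named counter
                    counters[act[1]] = counters.get(act[1], 0) + 1
            return action, name
    return "permit", None  # assumption: traffic matching no entry is forwarded


def demo():
    """Run constructed sample packets through POLICY; returns (results, counters)."""
    entries, counters = parse_policy(POLICY), {}
    packets = {  # constructed samples: label -> packet fields
        "udp_ok": dict(src="10.203.134.7", dst="140.158.18.16", proto=17, sport=190, dport=1234),
        "snmp": dict(src="10.1.1.1", dst="10.2.2.2", proto=17, sport=40000, dport=161),
        "syn_out": dict(src="10.10.20.5", dst="10.10.30.9", proto=6, sport=50000, dport=80, flags=("SYN",)),
        "ack_out": dict(src="10.10.20.5", dst="10.10.30.9", proto=6, sport=50000, dport=80, flags=("ACK",)),
        "syn_in": dict(src="10.10.30.9", dst="10.10.20.5", proto=6, sport=50001, dport=22, flags=("SYN",)),
    }
    return {k: evaluate(entries, p, counters) for k, p in packets.items()}, counters
```

Calling demo() shows the SNMP probe and the outbound SYN denied with their counters incremented, while the established ACK segment and the inbound SYN fall through and are forwarded.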
    source-address 2001:DB8:C0A8:: / 48;
    destination-address 2001:DB8:C0A0:1234:: / 64;
  } then {
    deny;
  }
}
Access lists have entries to match an Ethernet type. So the user needs to be careful when configuring access lists to deny all traffic. For example, the following rule entries permit traffic only to destination 10.200.250.2 and block any other packet.
entry test_policy_4 {
  if {
    source-address 0.0.0.0/0;
    destination-address 10.200.250.
entry voiceService {
  if {
    vlan-id 100;
  } then {
    meter voiceServiceMeter;
  }
}
entry videoService {
  if {
    vlan-id 101;
  } then {
    meter videoServiceMeter;
  }
}
…and so on.
To bind this ACL to a port with vlan-id match criteria use the following command:
config access-list myServices port

ACL Mechanisms
For many applications of ACLs, it is not necessary to know the details of how ACLs work.
• Each group of 2 ports has 16 slices with each slice having enough memory for 256 ingress rules.
• XCM8848T/XCM8824F—
  • Each group of 24 ports has 4 slices with each slice having enough memory for 128 egress rules.
  • Each group of 24 ports has 16 slices with each slice having enough memory for 256 ingress rules.
This architecture also allows a single slice to implement ACLs that are applied to more than one port.
}

Both of these ACLs could be supported on the same slice, since their match conditions are taken from the example list discussed earlier. This example is shown in Figure 19. In the example, we refer to slice A, even though the slices are numbered. Slice A just means that one slice is used, without specifying a particular slice. Some rules require more than one slice, so we use letters to show that different slices are used, but not which specific slices.

        source-address 10.5.2.246/32;
        destination-address 10.0.1.16/32;
        protocol udp;
        source-port 100;
        destination-port 200;
    } then {
        deny;
    }
}
.... [The 125 intervening entries are not displayed in this example] ....
entry onehundred_twentynine {
    if {
        protocol udp;
        destination-port 1714;
    } then {
        deny;
    }
}

Figure 20 shows the result of applying the 129 entries: 128 of the entries are applied to one slice, and the final entry is applied to a different slice.
[Figure 20. ACL Entry One Through onehundred_twentynine: Slice A Rules (128), Slice B Rules (128)]

As entries are configured on the switch, the slices are programmed to implement the rules, and the rule memory is filled with the matching values for the rules. If a compatible slice is available, each entry is added to that slice.

Table 34. Abbreviations Used in Field Selector Tables (Continued)

Abbreviation      Condition
L4DP              destination-port (a single port)
L4SP              source-port (a single port)
DSCP              dscp
TCP-Flag          TCP-flags
First Fragment    first-fragments
L4-Range          A Layer 4 port range. For example, if you specify “protocol UDP” and “port 200 1200” in an entry, you have used a Layer 4 range. There are a total of sixteen Layer 4 port ranges.
Table 34. Abbreviations Used in Field Selector Tables (Continued)

Abbreviation   Condition
TOS            ip-tos or diffserv-codepoint
DestIP         destination-address
DestIPv6       destination-address
SrcIP          source-address
SrcIPv6        source-address
IpProtocol     protocol
L4DstPort      destination-port. Supports only single L4 ports, not port ranges.
L4SrcPort      source-port. Supports only single L4 ports, not port ranges.

Table 35. Field Selectors, NETGEAR 8800 Series (Continued)

Field 1 | Field 2 | Field 3
TOS, VRF, IP-Proto
MACDA, DIP, Etype, VID
MACSA, SIP, Etype, VID
"User Defined Field" 1
"User Defined Field" 2
DIP, SIP, IP-Proto, L4DP, L4SP, DSCP, TCP-Ctrl, Frag-Info
DIP, SIP, IP-Proto, L4DP, L4-range, DSCP, TCP-ctrl, Frag-Info
DIP, SIP, IP-Proto, L4-Range, L4SP, DSCP, TCP-Ctrl, Frag-Info

Egress ACLs

Each of the 4 egress slices can be configured to one of the 3 combinations below.
    if {
        destination-address 192.168.0.0/16;
        source-port 1000;
    } then {
        deny;
    }
}

Entry ex_A consists of the following conditions (using the abbreviations from Table 34): SIP, L4DP, and IP-Proto. Entry ex_B is DIP and L4SP. Since they are applied to ports, the selector for Field 1 is Port-list (the first item). The selector for Field 2 would be the first item, and Field 3 could be any item.

}

Entry one is SIP, L4DP, and IP-Proto; entry two is DIP and L4SP; entry three is SIP, DIP, IP-Proto, L4SP, and L4DP. All of these examples can use the first item in Field 2 in the tables. However, adding the following entry will not be compatible with the earlier ones:

entry alpha {
    if {
        ethernet-destination-address 00:e0:2b:11:22:33;
    } then {
        deny;
    }
}

Entry alpha is MACDA, and there is no MACDA in the first item for Field 2.
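The following Python model, added here and not part of the manual, packs entries into slices the way this section describes: an entry goes into an existing slice whose Field 2 selector covers all of its conditions and that still has rule memory, otherwise a new slice is programmed, and an entry no selector can cover fails with the "cannot be satisfied by hardware" error quoted later in the chapter. It is simplified: only the Field 2 selector items quoted from Table 35 are modelled (Field 1 is taken to be Port-list), with 128 rules per slice as in the Figure 20 example and 16 slices per port group.

```python
"""Simplified model of ACL slice allocation (constructed example, not NETGEAR code)."""

# Field 2 selector items as they appear in the page's (partial) Table 35.
FIELD2_SELECTORS = [
    frozenset({"DIP", "SIP", "IP-Proto", "L4DP", "L4SP", "DSCP", "TCP-Ctrl", "Frag-Info"}),
    frozenset({"DIP", "SIP", "IP-Proto", "L4DP", "L4-Range", "DSCP", "TCP-Ctrl", "Frag-Info"}),
    frozenset({"DIP", "SIP", "IP-Proto", "L4-Range", "L4SP", "DSCP", "TCP-Ctrl", "Frag-Info"}),
    frozenset({"MACDA", "DIP", "Etype", "VID"}),
]
RULES_PER_SLICE = 128   # a slice fills at 128 rules in the 129-entry example (Figure 20)
SLICES_PER_GROUP = 16   # ingress slices per port group (XCM8848T/XCM8824F)


def hardware_supports(conditions):
    """True if some Field 2 selector covers every condition of the entry."""
    return any(frozenset(conditions) <= sel for sel in FIELD2_SELECTORS)


class SliceTable:
    """Slices are programmed lazily: each gets one selector and a fixed number of rule slots."""

    def __init__(self, rules_per_slice=RULES_PER_SLICE, max_slices=SLICES_PER_GROUP):
        self.rules_per_slice = rules_per_slice
        self.max_slices = max_slices
        self.slices = []  # list of (selector, [rule names]), in programming order

    def install(self, name, conditions):
        """Place one entry; returns the 0-based index of the slice it landed in."""
        conds = frozenset(conditions)
        # 1. Reuse a compatible slice that still has free rule memory.
        for idx, (selector, rules) in enumerate(self.slices):
            if conds <= selector and len(rules) < self.rules_per_slice:
                rules.append(name)
                return idx
        # 2. Otherwise program a fresh slice whose selector covers the entry.
        for selector in FIELD2_SELECTORS:
            if conds <= selector:
                if len(self.slices) >= self.max_slices:
                    raise RuntimeError(f'ACL install operation failed - no free slice for rule "{name}"')
                self.slices.append((selector, [name]))
                return len(self.slices) - 1
        raise ValueError(f'ACL install operation failed - conditions specified in rule "{name}" '
                         "cannot be satisfied by hardware")

    def usage(self):
        """Rule count per programmed slice, e.g. [128, 1] for the 129-entry example."""
        return [len(rules) for _, rules in self.slices]


def demo_compatible_entries():
    """ex_A and ex_B from the text share one slice."""
    t = SliceTable()
    return t.install("ex_A", ["SIP", "L4DP", "IP-Proto"]), t.install("ex_B", ["DIP", "L4SP"]), t.usage()


def demo_129_entries():
    """Entries one..onehundred_twentynine: 128 fit in slice A, the last goes to slice B."""
    t = SliceTable()
    for i in range(1, 130):
        t.install(f"entry_{i}", ["SIP", "DIP", "IP-Proto", "L4SP", "L4DP"])
    return t.usage()


def demo_entry_alpha():
    """alpha (MACDA) is not covered by the first Field 2 item, so a second slice is programmed."""
    t = SliceTable()
    t.install("one", ["SIP", "L4DP", "IP-Proto"])
    return t.install("alpha", ["MACDA"]), t.usage()


if __name__ == "__main__":
    print("ex_A/ex_B:", demo_compatible_entries())
    print("129 entries:", demo_129_entries())
    print("alpha:", demo_entry_alpha())
    print("MACDA + L4SP supported:", hardware_supports(["MACDA", "L4SP"]))
```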
• VRRP - 2 slices, 2 rules
  • Slice A (F1=Port-list, F2=MACDA, MACSA, Etype, VID, F3=packet-type)
  • Slice A or B (F1=Port-list, F2=MACDA, MACSA, Etype, VID, F3=anything)
• IPv6 - 2 slices, 3 rules
  • Slice A or B (F1=Port-list, F2=MACDA, MACSA, Etype, VID, F3=anything)
  • Slice (F1=Port-list, F2=DIPv6, IPv6 Next Header Field, TC, F3=anything)
• Netlogin - 1 slice, 1 rule
  • Slice E (F1=Port-list, F2=MACDA, MACSA, Etype, VID, F3=anything)
• Unicast Multiport FDB
  • 1

• Add an IP interface to the configuration: 2 slices, 13 rules
• Add port-based QoS to the configuration: 2 slices, 14 rules
• Add IPv6 routing (slowpath) to the configuration: 2 slices, 15 rules
• Add VRRP to the configuration: 2 slices, 17 rules
• Add VLAN-based QoS to the configuration: 4 slices, 24 rules
• Add Netlogin to the configuration: 5 slices, 25 rules

Note: The slice and rule usage numbers given in this section may vary slightly depending o
Error: ACL install operation failed - conditions specified in rule "r1" cannot be satisfied by hardware on port 3:1

• UDF exceeded: This happens in the rare case that the two available user-defined fields are exceeded on a given chip. UDF fields are used to qualify conditions that are not natively supported by the hardware. Currently, these are ICMP Type and ICMP Code.

Note: See Load Sharing Rules and Restrictions for All Switches on page 132 for information on applying ACLs to LAG ports.

Layer 3 Policy-Based Redirect

Policy-Based Routing allows you to bypass standard Layer 3 forwarding decisions for certain flows. Typically, in a Layer 3 environment, when an IP packet arrives at an Ethernet switch or router, Layer 3 processing determines the next hop and outgoing interface for the packet based only on the packet's destination address.
To configure Policy-Based Routing, you configure an ACL on your switch. You can apply an ACL policy file or use a dynamic ACL. The following example ACL rule entry redirects any TCP traffic with a destination port of 81 to the device at IP address 3.3.3.2:

entry redirect_port_81 {
    if {
        protocol tcp;
        destination-port 81;
    } then {
        redirect 3.3.3.2;
    }
}

Use the following procedure:
1.

        source-port 81;
        destination-port 200;
    } then {
        count num_pkts_redirected;
        redirect-port 3:2;
    }
}

The policy shown below redirects any in-profile traffic, as defined by the meter configuration, to physical port 14. Out-of-profile traffic is subject to the action specified in the meter “out-action” configuration.
Policy-Based Redirection Redundancy

This section consists of the following topics:
• Multiple Nexthop Support on page 341
• Health Checking for ARP and Ping on page 342
• Packet Forward/Drop on page 342
• Example—Network Diagram on page 343

Multiple Nexthop Support

As discussed above, Layer 3 and Layer 2 policy-based redirect support only one next hop per policy-based entry. With redirection redundancy, multiple next hops with different priorities can be configured.

        source-address 1.1.1.100/24;
    } then {
        permit;
        redirect-name
    }
}

Health Checking for ARP and Ping

Policy-based redirection redundancy requires determining whether the active next hop and the other configured next hops are reachable. This feature uses Address Resolution Protocol (ARP) and Ping checking to make that determination.
Example—Network Diagram

[Figure: example network diagram. Labels shown: High Speed Backbone; Low Speed Backbone; High Speed Backbone Router 192.168.2.2; High Speed Backbone Router 192.168.2.3; 192.168.1.9; Low Speed Backbone Router 192.168.1.8/30, 192.168.1.10; 192.168.2.0/29; L2 S/W 192.168.2.1; 192.168.1.5; 192.168.1.1; PBR L3 S/W; 192.168.1.4/30; 192.168.1.0/30; 192.168.1.2; 192.168.1.6; Premium Subscriber (IP Block: 211.10.15.0/24); Normal Subscriber (IP Block: 211.9.1.0/24); Premium Subscriber (IP Block: 211.10.16.]

}
entry premium_16 {
    if match {
        source-address 211.10.16.0/24;
    } then {
        permit;
        redirect-name premium_subscriber;
    }
}

3. Apply the modified ACL policy file or dynamic ACL to a port, a VLAN, or a VLAN and port. (For example: user1 VLAN: 192.168.1.0/30, user2 VLAN: 192.168.1.4/30)

config access-list premium_user vlan user1 ingress
config access-list premium_user vlan user2 ingress

4. Finally, check the current flow-redirect status.

BD-8810.
acl-rule    ACL Rule table resource summary
acl-slice   ACL slice resource summary

The “acl-mask” keyword is not relevant for XCM8800 models. If you enter this command and specify an XCM8800 port, the following error message appears:

This command is not applicable to the specified port.

Use the “acl-rule” keyword to display the total number of ACL rules that are available and consumed for the specified port.

14. Routing Policies

This chapter includes the following sections:
• Overview on page 346
• Routing Policy File Syntax on page 346
• Applying Routing Policies on page 352
• Policy Examples on page 353

Overview

Routing policies are used to control the advertisement or recognition of routes communicated by routing protocols, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).
• A policy entry rule name, unique within the same policy.
• Zero or one match type. If no type is specified, the match type is all, so all match conditions must be satisfied.
• Zero or more match conditions. If no match condition is specified, then every routing entity matches.
• Zero or more actions. If no action is specified, the packet is permitted by default.

Policy Match Type

The two possible choices for the match type are:
• match all—All the match conditions must be true for a match to occur. This is the default.
• match any—If any match condition is true, then a match occurs.

Policy Match Conditions

Table 37 lists the possible policy entry match conditions.

Table 37.
Table 37. Policy Match Conditions (Continued)

Match Condition   Description
tag ;   Where is a 4-byte unsigned number.
route-origin [direct | static | icmp | egp | ggp | hello | rip | isis | esis | cisco-igrp | ospf | bgp | idrp | dvmrp | mospf | pim-dm | pim-sm | ospf-intra | ospf-inter | ospf-extern1 | ospf-extern2 | bootp | e-bgp | i-bgp | mbgp | i-mbgp | e-mbgp]   Matches the origin (different from BGP route origin) of a route.

Table 38. AS Regular Expression Notation (Continued)

Character   Definition
{           Start of AS SET segment in the AS path
}           End of AS SET segment in the AS path
(           Start of a confederation segment in the AS path
)           End of a confederation segment in the AS path

Table 39.
The following AS-Path statement matches AS paths beginning with AS number 111 and ending with any additional AS number, or beginning and ending with AS number 111:

as-path "111 .?"

Policy Action Statements

Table 40 lists policy action statements. These are the actions taken when the policy match conditions are met in a policy entry.

Table 40. Policy Actions

Action   Description
as-path " { ….
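To make the AS-path notation concrete, the following Python matcher (added here, not part of the manual) translates an as-path expression into a regular expression over a normalized AS path, handling AS numbers, the "." wildcard, the "?" quantifier from the example above and the AS SET and confederation segment markers of Table 38. It assumes, as the description of "111 .?" implies, that an expression describes the whole path, and it treats "*" and "+" as ordinary regular-expression quantifiers.

```python
"""Match BGP AS paths against the policy as-path notation (constructed example, not NETGEAR code)."""
import re

# Tokens of an as-path expression: AS numbers, "." wildcard, quantifiers, segment markers.
_TOKEN = re.compile(r"\d+|[.?*+{}()]")


def as_path_regex(pattern):
    """Compile an as-path expression to a Python regex over a normalized path string."""
    atoms = []
    for tok in _TOKEN.findall(pattern):
        if tok.isdigit():                  # a literal AS number, e.g. 111 (must not match 1111)
            atoms.append(rf" {tok}(?!\d)")
        elif tok == ".":                   # any single AS number
            atoms.append(r" \d+")
        elif tok in "{}()":                # AS SET / confederation segment markers (Table 38)
            atoms.append(" " + re.escape(tok))
        elif tok in "?*+":                 # quantifier applies to the preceding atom
            if not atoms:
                raise ValueError("quantifier with nothing to repeat: " + pattern)
            atoms[-1] = f"(?:{atoms[-1]}){tok}"
    return re.compile("".join(atoms))


def normalize_path(path):
    """'111 {333 444} (555)' -> ' 111 { 333 444 } ( 555 )' (one space before each token)."""
    return "".join(" " + t for t in re.findall(r"\d+|[{}()]", path))


def as_path_matches(pattern, path):
    """True if the whole AS path satisfies the policy expression."""
    return as_path_regex(pattern).fullmatch(normalize_path(path)) is not None


if __name__ == "__main__":
    # Constructed sample paths; "111" and "111 222" match the manual's example, the rest do not.
    for path in ("111", "111 222", "111 222 333", "1111", "222 111"):
        print(f'as-path "111 .?" vs {path!r}: {as_path_matches("111 .?", path)}')
    print('as-path "111 {. .}" vs "111 {333 444}":', as_path_matches("111 {. .}", "111 {333 444}"))
```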
Table 40. Policy Actions (Continued)

Action   Description
med set ;   Sets the MED attribute for a route.
next-hop ;   Sets the next hop attribute for a route.
nlri [ | any]/ {exact}; nlri [ | any] mask {exact};   These set statements are used for building a list of IP addresses. This is used by PIM to set up the RP list.
origin {igp | egp | incomplete};   Sets the BGP route origin values.
permit;   Permits the route.

Policy Examples

The following sections contain examples of policies. The examples are:
• Translating an access profile to a policy on page 353
• Translating a Route Map to a Policy on page 354

Translating an access profile to a policy

You may be more familiar with using access profiles on other NETGEAR switches. This example shows the policy equivalent to a NETGEAR access profile.

NETGEAR 8800 Access-Profile:
Seq_No   Action   IP Address   IP Mask   Exact
5        permit   22.16.0.0    255.
        nlri 10.10.0.0/18;
    } then {
        permit;
    }
}
entry entry-25 {
    if {
        nlri 22.44.66.0/23 exact;
    } then {
        deny;
    }
}

The policy above can be optimized by combining some of the if statements into a single expression. The compact form of the policy looks like this:

entry permit_entry {
    if match any {
        nlri 22.16.0.0/14;
        nlri 192.168.0.0/18 exact;
        nlri 10.10.0.0/18;
    } then {
        permit;
    }
}
entry deny_entry {
    if match any {
        nlri any/8;
        nlri 22.44.66.

set next-hop 10.201.23.10
set as-path 20
set as-path 30
set as-path 40
set as-path 40
Entry : 40
Action : permit
set local-preference 120
set weight 2
Entry : 50
Action : permit
match origin incomplete
match community 19661200
set dampening half-life 20 reuse-limit 1000 suppress-limit 3000 max-suppress 40
Entry : 60
Action : permit
match next-hop 192.168.1.
    } then {
        local-preference 120;
        weight 2;
        permit;
    }
}
entry entry-50 {
    if match any {
        origin incomplete;
        community 19661200;
    } then {
        dampening half-life 20 reuse-limit 1000 suppress-limit 3000 max-suppress 40;
        permit;
    }
}
entry entry-60 {
    if {
        next-hop 192.168.1.5;
    } then {
        community add 949616660;
        permit;
    }
}
entry deny_rest {
    if {
    } then {
        deny;
    }
}

15. QoS

This chapter includes the following sections:
• Overview on page 357
• Configuring QoS on page 371
• Displaying QoS Configuration and Performance on page 385

Overview

Quality of Service (QoS) is a feature that allows you to configure a switch to provide different levels of service to different groups of traffic.
Figure 21. QoS on NETGEAR Switches

In Figure 21, data enters the ingress port and is sorted into traffic groups, which can be classified as either access control list (ACL)-based or non-ACL-based.

queues and QoS profiles is forwarded to the egress port rate-shaping feature, which applies QoS to the entire port. When multiple QoS profiles are contending for egress bandwidth, the scheduler determines which queues are serviced.
• Voice Applications on page 360
• Video Applications on page 360
• Critical Database Applications on page 360
• Web Browsing Applications on page 360
• File Server Applications on page 361

Voice Applications

Voice applications, or voice over IP (VoIP), typically demand small amounts of bandwidth.

File Server Applications

With some dependencies on the network operating system, file serving typically poses the greatest demand on bandwidth, although file server applications are very tolerant of latency, jitter, and some packet loss, depending on the network operating system and the use of TCP or UDP.

Traffic Groups

A traffic group defines the ingress traffic to which you want to apply some level of QoS.
ACL-Based Traffic Groups

An ACL-based traffic group allows you to use ACL rules in an ACL policy file to define the traffic to which you want to apply QoS. An ACL-based traffic group requires more effort to create, but the ACL rules give you more control over which traffic is selected for the traffic group.

[Figure 22. 802.1p Priority Bits: Destination address, Source address, 802.1Q type (8100), 802.1p priority, 802.1Q VLAN ID, IP packet, CRC]

The three 802.1p priority bits define up to 8 traffic groups, which are predefined in the XCM8800 software. On NETGEAR 8800 switches, the traffic groups direct traffic to egress QoS profiles for egress rate shaping (see Table 44). You do not need to define 802.1p-based traffic groups.
[Figure 23. DiffServ Code Point: the DiffServ code point is the six high-order bits of the Type-of-service byte in the IP header. Header fields shown: Version, IHL, Type-of-service, Total length, Identification, Flags, Fragment offset, Time-to-live, Protocol, Header checksum, Source address, Destination address, Options (+ padding), Data (variable)]

Because the DSCP uses six bits, it has 64 possible values (2^6 = 64). By default, the values are grouped and assigned to the default QoS profiles as listed in Table 42.

Table 42.

Warning: Port belongs to more than one VR. Port properties related to diff serv and code replacement will not take effect.

You do not need to define these traffic groups. You can enable or disable the use of these traffic groups by enabling or disabling the DiffServ examination feature, as described in Configuring a DiffServ-Based Traffic Group on page 381. You can also configure which DSCP values map to which queues.
one traffic group based on the precedence defined for the switch platform. In general, the more specific traffic group definition takes precedence. Table 43 shows the traffic group precedence for the supported switch platforms (number 1 is the highest precedence).

Table 43. Traffic Group Precedence, NETGEAR 8800 Switches
1. ACL-based traffic groups for IP packets (specifies IP address information)
2. ACL-based traffic groups for Ethernet frames (specifies MAC address information)
3.

Single-rate rate-limiters pass traffic that is in-profile or marked green. Out-of-profile traffic (marked red) is subject to whatever action is configured for out-of-profile traffic. Out-of-profile traffic can be forwarded if bandwidth is available, dropped, or marked for a possible drop later in the communication path. For example, you can configure a peak rate (PR) for single-rate rate-limiting.
• Ingress QoS profiles (hardware queues)
• Ingress traffic queues (software queues)
• Egress traffic queues
• Egress QoS profiles
• Egress ports

The CIR or minimum bandwidth configuration for a rate-limiting or rate-shaping component is a bandwidth guarantee for that component at a particular location in the traffic path.

Scheduling takes place on the egress interface and takes the color marking of egress frames and packets into account. Green-marked traffic has the highest priority and is forwarded based on the scheduling method. When multiple queues are competing for bandwidth, yellow-marked traffic might be dropped or remarked red. Red-marked traffic is dropped when no bandwidth is available.
Table 44. Default QoS Profile Parameters on the NETGEAR 8800 Series Switches

Ingress 802.1p Priority Value | Egress QoS Profile Name (a) | Queue Service Priority Value (b) | Buffer | Weight | Notes
0-6 | QP1 | 1 (Low) | 100% | 1 | This QoS profile is part of the default configuration and cannot be deleted.
    | QP2 | 2 (LowHi) | 100% | 1 | You must create this QoS profile before using it.
    | QP3 | 3 (Normal) | 100% | 1 | You must create this QoS profile before using it.

When multiple QoS profiles are contending for port bandwidth and the egress traffic in each profile is within profile, the scheduler determines how the QoS profiles are serviced, as described in Scheduling on page 368. In strict-priority mode, the queues are serviced based on the queue service priority value. In weighted fair-queuing mode, the queues are serviced based on the configured weight. When configured to do so, the priority of a QoS profile can determine the 802.
• Controlling Flooding, Multicast, and Broadcast Traffic on Ingress Ports on page 385

Platform Configuration Procedures

The following sections provide summary configuration procedures for the NETGEAR 8800. Figure 24 shows the QoS configuration components for NETGEAR 8800 switches.

Figure 24.

• These switches allow dynamic creation and deletion of QoS queues, with QP1 and QP8 always available.
• ACL egress rate-limit meters are supported.

Configuration Summary for NETGEAR 8800 Switches

Use the following procedure to configure QoS on NETGEAR 8800 switches:
1. Configure basic Layer 2 connectivity (prerequisite).
2. Configure QoS scheduling, if needed, as described in Selecting the QoS Scheduling Method on page 373.
3.
To select the QoS scheduling method for a switch, use the following command:

configure qosscheduler [strict-priority | weighted-round-robin]

To override the weighted-round-robin switch configuration on a specific QoS profile, use the following command:

configure qosprofile use-strict-priority

Configuring 802.1p or DSCP Replacement

The following sections provide information on 802.1p priority replacement and DSCP replacement:
• Replacing 802.

Table 45. Default Queue-to-802.1p Priority Replacement Value

Egress QoS Profile   802.1p Priority Replacement Value
Q1                   0
Q2                   1
Q3                   2
Q4                   3
Q5                   4
Q6                   5
Q7                   6
Q8                   7

To enable 802.1p priority replacement on egress, use the following command:

enable dot1p replacement ports [ | all]

Note: The port in this command is the ingress port.
• Replacement in ACL-Based Traffic Groups on page 374
• Replacement in Non-ACL-Based Traffic Groups on page 374

Replacement in ACL-Based Traffic Groups

If you are using ACL-based traffic groups, you can use the replace-dscp action modifier to replace the ingress DSCP value with the DSCP value of the egress QoS profile, as listed in Table 46.

Note: If you are using ACL-based traffic groups, you must use ACL action modifiers to replace the DSCP.

Note: The port in this command is the ingress port.
Note: The switch observes the DSCPs only if the traffic does not match the configured access list. Otherwise, the ACL QoS setting overrides the QoS DiffServ configuration.

Note: You cannot configure the priority for the QoS profile on NETGEAR 8800 switches.

To remove the limit on egress bandwidth per QoS profile per port, re-issue this command using the default values.

To display the current configuration for the QoS profile, use the following command:

show qosprofile {ingress | egress} ports [ all | ]

Configuring Egress Port Rate Limits

The following section describes egress port rate limiting on the NETGEAR 8800.
Configuring Traffic Groups

The following sections describe how to configure traffic groups:
• Configuring an ACL-Based Traffic Group on page 380
• Configuring a CoS 802.

resources, disable this feature whenever another QoS traffic grouping is configured. (See Chapter 13, ACLs, for information on available ACL resources.)

Note: If you disable this feature when no other QoS traffic grouping is in effect, 802.1p priority enforcement of 802.1Q tagged packets continues.

To disable the 802.1p examination feature on NETGEAR 8800 switches, use the following command:

disable dot1p examination ports [ | all]

To re-enable the 802.
Enabling and Disabling DiffServ Examination

When a packet arrives at the switch on an ingress port and DiffServ examination is enabled, the switch uses the DSCP value to select the egress QoS profile that forwards the packet. The QoS profile configuration defines the forwarding characteristics for all traffic assigned to the QoS profile.

Note: On the 1 Gigabit Ethernet ports on the NETGEAR 8800 switches, 802.

Configuring a Port-Based Traffic Group

A port-based traffic group links a physical ingress port to an egress QoS profile for traffic forwarding. To configure a port-based traffic group, use the following command:

configure ports {qosprofile}

Note: If you are using ACL-based traffic groups, use the qosprofile or traffic-queue action modifier to select a forwarding queue. Traffic that meets any ACL match conditions is not evaluated by other traffic groups.
• Applying a Meter to Ingress or Egress Traffic on page 384
• Deleting a Meter on page 384

Creating Meters

To create a meter, use the following command:

create meter

To display the meters already configured on the switch, use the show meter command.

Configuring a Meter

After you create a meter, you configure the meter using the command for the platform you are using.

want subtracted from each packet ingressing the specified ports, or the number of bytes you want added to each packet ingressing the specified ports. You add or subtract bytes from packets ingressing specified ports by using the following command:

configure ports rate-limit packet byte-adjustment [increase | decrease ]

By default, all bytes are counted for the ingressing traffic rate.
• Displaying 802.1p Priority to QoS Profile Mappings on page 386
• Displaying DiffServ DSCP to QoS Profile Mappings on page 386
• Displaying Port and VLAN QoS Settings on page 386

Displaying 802.1p Priority to QoS Profile Mappings

To display the 802.

Displaying Meters

To display the meters that you create, you can use either the show access-list or the show command.
Note: On NETGEAR 8800 modules, only one port per slot or module can be monitored at any one time.

16. Network Login

This chapter includes the following sections:
• Overview on page 389
• Configuring Network Login on page 394
• Authenticating Users on page 397
• Local Database Authentication on page 397
• 802.
Note: Network login is not supported on BlackDiamond 20800 series switches.

The remainder of this section describes the following topics:
• Web-Based, MAC-Based, and 802.1x Authentication on page 390
• Multiple Supplicant Support on page 392
• Campus and ISP Modes on page 392
• Network Login and Hitless Failover on page 393

Web-Based, MAC-Based, and 802.1x Authentication

Authentication is handled as a web-based process, a MAC-based process, or as described in the IEEE 802.

The DHCP allocation for network login has a short duration of 10 seconds and is intended only for performing web-based network login. As soon as the client is authenticated, it is deprived of this address. The client must obtain an operational address from another DHCP server in the network. DHCP is not required for 802.1x, because 802.1x uses only Layer 2 frames (EAPOL), or for MAC-based network login.
Disadvantages of 802.1x Authentication:
• 802.1x native support is available only on newer operating systems, such as Windows XP.
• 802.1x requires an EAP-capable RADIUS server. Most current RADIUS servers support EAP, so this is not a major disadvantage.
• Transport Layer Security (TLS) and Tunneled TLS (TTLS) authentication methods involve Public Key Infrastructure (PKI), which adds to the administrative requirements.

In Campus mode, the clients are placed into a permanent VLAN following authentication, with access to network resources. For wired ports, the port is moved from the temporary to the permanent VLAN. In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in an unauthenticated state. After authentication, the port forwards packets.
Note: If you use 802.1x network login, authenticated clients remain authenticated during failover; however, shortly after failover, all authenticated clients automatically re-authenticate themselves. Re-authentication occurs without user intervention. If failover occurs during the authentication or re-authentication of a client, the client must repeat the authentication process.

For more detailed information about a specific mode of network login, including configuration examples, see the following sections:
• 802.
• authenticate—Network login authenticates the first client that requests a move and moves that client to the requested VLAN. Network login authenticates the second client but does not move that client to the requested VLAN. The second client moves to the first client’s authenticated VLAN.
• deny—Network login authenticates the first client that requests a move and moves that client. Network login does not authenticate the second client.

Authenticating Users

Network login uses two types of databases to authenticate users trying to access the network:
• RADIUS servers
• Local database

All three network login protocols (web-based, MAC-based, and 802.1x) support RADIUS authentication. Only web-based and MAC-based network login support local database authentication.
You can also use local database authentication in conjunction with network login MAC-based VLANs. For more detailed information about network login MAC-based VLANs, see Configuring Network Login MAC-Based VLANs on page 426.

password:
Reenter password:

For information about specifying the destination VLAN, see the next section, Specifying a Destination VLAN on page 399.

Note: If you do not specify a password or the keyword encrypted, you are prompted for one.
configure netlogin local-user {vlan-vsa [[{tagged | untagged} [ | ]] | none]}

Where the following is true:
• tagged—Specifies that the client be added as tagged
• untagged—Specifies that the client be added as untagged
• vlan_name—Specifies the name of the destination VLAN
• vlan_tag—Specifies the VLAN ID (tag) of the destination VLAN
• none—Specifies that the VSA 211 wildcard (*) is applied, only if you do not specify tagged or untag

Passwords are case-sensitive. Passwords must have a minimum of 0 characters and a maximum of 32 characters. If you attempt to create a password with more than 32 characters, the switch displays the following message after you re-enter the password:

Password cannot exceed 32 characters

The following example modifies the password for the existing local network login account megtest.
802.1x Authentication

802.1x authentication methods govern interactions between the supplicant (client) and the authentication server. The most commonly used methods are Transport Layer Security (TLS); Tunneled TLS (TTLS), which is a Funk/Certicom standards proposal; and PEAP. TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong as TLS.

Authentication Server Side

The RADIUS server used for authentication must be EAP-capable. Consider the following when choosing a RADIUS server:
• Types of authentication methods supported on RADIUS, as mentioned previously.
• Need to support VSAs. Parameters such as Netgear-Netlogin-Vlan-Name (destination VLAN for port movement after authentication) and Netgear-NetLogin-Only (authorization for network login only) are returned as VSAs.
802.1x Network Login Configuration Example

The following configuration example shows the NETGEAR switch configuration needed to support the 802.1x network login example.

Note: In the following sample configuration, any lines marked (Default) represent default settings and do not need to be explicitly configured.

create vlan “temp”
create vlan “corp”
configure vlan “default” delete ports 4:1-4:4
# Configuration Information for VLAN corp
# No VLAN-ID is associated with VLAN corp.

Note: For information about how to use and configure your RADIUS server, see Configuring the RADIUS Client on page 475 and the documentation that came with your RADIUS server.

Configuring Guest VLANs

Ordinarily, a client that does not respond to 802.1x authentication remains disabled and cannot access the network. 802.1x authentication supports the concept of “guest VLANs”, which allow such a supplicant (client) limited or restricted network access.
• Guidelines for Configuring Guest VLANs on page 406
• Creating Guest VLANs on page 407
• Enabling Guest VLANs on page 407
• Modifying the Supplicant Response Timer on page 407
• Disabling Guest VLANs on page 407
• Unconfiguring Guest VLANs on page 407
• Displaying Guest VLAN Settings on page 408

Using Guest VLANs

Suppose you have a meeting that includes company employees and visitors from outside the company. In this scenario, your employees have 802.

• You must create a VLAN and configure it as a guest VLAN before enabling the guest VLAN feature.
• Configure guest VLANs only on network login ports with 802.1x enabled.
• Movement to guest VLANs is not supported on network login ports with MAC-based or web-based authentication.
• 802.1x must be the only authentication method enabled on the port for movement to the guest VLAN.
• No supplicant on the port has 802.1x capability.
-
NETGEAR 8800 User Manual unconfigure netlogin dot1x guest-vlan {ports | } Displaying Guest VLAN Settings To display the guest VLAN settings, use the following command: show netlogin guest-vlan {vlan_name} If you specify the vlan_name, the switch displays information for only that guest VLAN. The output displays the following information in a tabular format: • Port—Specifies the 802.1x enabled port configured for the guest VLAN.
-

• RADIUS server that supports NAP (the Microsoft Windows Vista operating system refers to this as a network policy server (NPS), formerly known as the internet authentication server (IAS)).
• Remediation servers that receive unhealthy supplicants. The remediation servers contain the appropriate software updates, anti-virus software, and so on to make a supplicant healthy.
In addition to the required hardware and software, you must configure NAP-specific VSAs on your RADIUS server.

• The RADIUS server has been configured using the NAP-specific VSAs for authenticating supplicants.
• The remediation servers have been configured with the appropriate software updates, anti-virus software, and so on.
• The EPICenter server has been configured to receive traps from the switch. The traps sent from the switch inform EPICenter of the state of the supplicant. In these scenarios, you configure EPICenter as the syslog target.

4. If the SoH indicates that the supplicant is unhealthy, the RADIUS server sends an Access-Accept message with RADIUS VSAs indicating which:
• VLAN the unhealthy supplicant is moved to (in this example, the Quarantine VLAN)
• Remediation server(s) the supplicant can use to get software updates, anti-virus software and so on to remediate itself
5.

ACLs for Remediation Servers
The NAP VSA, MS-IPv4-Remediation-Servers, contains a list of IP addresses that an unhealthy and therefore quarantined supplicant should be allowed to access so that it can remediate itself and become healthy. The way a quarantine is implemented on the switch is simply by moving the client/port to a user-designated 'quarantine' VLAN whose VLAN ID/name is sent in the Access-Accept message.

• Configuring the Login Page on page 415
• Customizable Authentication Failure Response on page 417
• Web-Based Network Login Configuration Example on page 418
• Web-Based Authentication User Login on page 419

Enabling and Disabling Web-Based Network Login
To enable web-based network login on the switch, use the following command:
enable netlogin web-based
Any combination of types of authentication can be enabled on the same switch.

This redirection information is used only if the redirection information is missing from the RADIUS server. For example,
configure netlogin base-url http://www.netgear.com
redirects all users to this URL after they log in.
If you cannot find HTTPS commands, your XCM8800 image probably does not have SSH preinstalled. To download the SSH module, go to http://kbserver.netgear.com/products/8806.asp or http://kbserver.netgear.com/products/8810.asp.

Configuring Logout Privilege
To enable or disable the network login logout privilege, use one of the following commands:
enable netlogin logout-privilege
disable netlogin logout-privilege
These commands turn on or off the privilege for network login users to log out, by displaying (or not displaying) the logout window. Logout privilege is enabled by default.

where is user-configurable. The following is a sample custom page, where the embedded graphical image is named netlogin_welcome.jpg:
Network Login Page

Web-Based Network Login Configuration Example
The following configuration example shows both the NETGEAR switch configuration and the RADIUS server entries needed to support the example. VLAN corp is assumed to be a corporate subnet which has connections to DNS, WINS servers, network routers, and so on. VLAN temp is a temporary VLAN and is created to provide connections to unauthenticated network login clients. Unauthenticated ports belong to the VLAN temp.

configure vlan "corp" add port 1:11 untagged
configure vlan "corp" add port 1:12 untagged
configure vlan "corp" add port 1:13 untagged
configure vlan "corp" add port 1:14 untagged
# Network Login Configuration
configure vlan "temp" dhcp-address-range 198.162.32.20 - 198.162.32.80
configure vlan "temp" dhcp-options default-gateway 198.162.32.1
configure vlan "temp" dhcp-options dns-server 10.0.1.1
configure vlan "temp" dhcp-options wins-server 10.0.1.

1. Set up the Windows IP configuration for DHCP.
2. Plug into the port that has web-based network login enabled.
3. Log in to Windows.
4. Release any old IP settings and renew the DHCP lease. This is done differently depending on the version of Windows the user is running:
• Windows 9x—Use the winipcfg tool. Choose the Ethernet adapter that is connected to the port on which network login is enabled. Use the buttons to release the IP configuration and renew the DHCP lease.

• The permanent VLAN
• The URL to be redirected to (optional)
• The URL description (optional)
The port is moved to the permanent VLAN. You can verify this using the show vlan command. For more information on the show vlan command, see VLAN Configuration Examples on page 249.

will be used to authenticate the client. All entries in the list are automatically sorted in longest prefix order. All passwords are stored and shown encrypted. You can associate a MAC address with one or more ports. By learning a MAC address, the port confirms the supplicant before sending an authorization request to the RADIUS server.

To associate a MAC address with one or more ports, specify the ports option when using the following command:
configure netlogin add mac-list [ {} | default] {encrypted} {} {ports }
You must enable MAC-based network login on the switch and the specified ports.

Configuring Reauthentication Period
To configure the reauthentication period for network login MAC-based authentication, use the following command:
configure netlogin mac timers reauth-period
This timer is applicable only in the case where the client is authenticated in the authentication failure VLAN or the authentication service unavailable VLAN and the RADIUS server provides no Session-Timeout attribute during authentication.

MAC-Based Network Login Configuration Example
The following configuration example shows the NETGEAR switch configuration needed to support the MAC-based network login example.
create vlan "temp"
create vlan "corp"
configure vlan "default" delete ports 4:1-4:4
# Configuration Information for VLAN corp
# No VLAN-ID is associated with VLAN corp.
configure vlan "corp" ipaddress 10.203.0.224 255.255.255.

This section describes the following topics:
• Configuring Network Login MAC-Based VLANs on page 426
• Configuring Dynamic VLANs for Network Login on page 428
• Configuring Network Login Port Restart on page 431
• Authentication Failure and Services Unavailable Handling on page 432

Configuring Network Login MAC-Based VLANs
Currently, network login allows only a single, untagged VLAN to exist on a port.

original state. In addition, by selecting mac-based-vlans, you are unable to manually add or delete untagged VLANs from this port. Network login now controls these VLANs. With network login MAC-based operation, every authenticated client has an additional FDB flag that indicates a translation MAC address. If the supplicant's requested VLAN does not exist on the port, the switch adds the requested VLAN.

Note: If network login is enabled together with STP, the 'a' and 'u' flags are controlled by network login only when the STP port state is 'Forwarding'.

By dynamically creating and deleting VLANs, you minimize the number of active VLANs configured on your edge switches. In addition, the dynamic VLAN name can be stored on the RADIUS server and supplied to the switch during authentication, simplifying switch management. A key difference between dynamically created VLANs and other VLANs is that the switch does not save dynamically created VLANs. Even if you use the save command, the switch does not save a dynamically created VLAN.

Note: If the ASCII string contains only numbers, it is interpreted as the VLAN ID. Dynamic VLANs support only numerical VLAN IDs; VLAN names are not supported. For more information on NETGEAR VSAs, see NETGEAR VSAs on page 483.
The switch automatically generates the VLAN name in the following format: NLD_ where specifies the VLAN ID. For example, a dynamic VLAN with an ID of 10 has the name NLD_0010.
Note: Like all VLAN names, dynamic VLAN names are unique.

To display the status of dynamic VLAN configuration on the switch, use the following command:
show netlogin
The switch displays the current state of dynamic VLAN creation (enabled or disabled) and the uplink port(s) associated with the dynamic VLAN.

Displaying the Port Restart Configuration
To display the network login settings on the port, including the configuration for port restart, use the following command:
show netlogin port
Output from this command includes the enable/disable state for network login port restart.

Dependency on authentication database order
There are four different authentication orders which can be configured per authentication method. These four orders are the following:
• RADIUS
• Local
• RADIUS, Local
• Local, RADIUS
For each authentication order, the end result is considered in deciding whether to authenticate the client through the authentication failure VLAN or the authentication service unavailable VLAN (if configured).

XCM8800 has enhanced security features designed to protect, rapidly detect, and correct anomalies in your network. NETGEAR products incorporate a number of features designed to enhance the security of your network while resolving issues with minimal network disruption. No one feature can ensure security, but by using a number of features in concert, you can substantially improve the security of your network.

analysis, common response mechanisms include applying an ACL, changing Quality of Service (QoS) parameters, or modifying VLAN settings. For more information about sFlow, see the section Using sFlow on page 228.

Safe Defaults Mode
When you set up your switch for the first time, you must connect to the console port to access the switch. After logging in to the switch, you enter safe defaults mode.

• Limit the number of dynamically-learned MAC addresses allowed per virtual port. For more information, see Limiting Dynamic MAC Addresses on page 437.
• "Lock" the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port. For information, see MAC Address Lockdown on page 439.
Note: You can either limit dynamic MAC FDB entries or lock down the current MAC FDB entries, but not both.

When the learned limit is reached, all new source MAC addresses are blackholed at the ingress and egress points. This prevents these MAC addresses from learning and responding to ICMP and ARP packets. Dynamically learned entries still get aged and can be cleared. If entries are cleared or aged out after the learning limit has been reached, new entries will then be able to be learned until the limit is reached again.

Figure 27. (figure: Device A, Device B, and Device C connected to the switch through a hub)

configure ports vlan [limit-learning {action [blackhole | stop-learning]} | lock-learning | unlimited-learning | unlock-learning]
When you remove the lockdown using the unlock-learning option, the learning limit is reset to unlimited, and all associated entries in the FDB are flushed. To display the locked entries on the switch, use the following command:
show fdb
Locked MAC address entries have the "l" flag.

new device cannot replace it until the lockdown timer for the first device has expired. This condition is true if the limit on the port is set to 1 or if the limit (greater than 1) on the port has been reached.
• If a learning limit is already configured on a port when you enable the lockdown timeout feature, the configured limit will continue to apply. Existing blackholed entries are therefore not affected.

Figure 28. Devices Using MAC Address Lockdown (figure: Device A, Device B, and Device C connected through a hub)

Device Inactivity for Less than the MAC Lockdown Timer
As long as a device continues to send traffic, the MAC entry for that device is refreshed, and the MAC lockdown timer corresponding to the MAC entry is refreshed. Therefore, as long as the device is active, the timer does not expire. The traffic can be continuous or can occur in bursts within the MAC lockdown timeout duration for the port.

Figure 29. Single Device with MAC Lockdown Timeout (figure: Device A)

Disconnecting a Device
In this example, Device A is disconnected from the port, triggering a port-down action. The MAC entry for Device A is removed from the hardware FDB; however, the MAC entry for the device is maintained in the software. The MAC lockdown timer for this entry starts when the port goes down. After 3,000 seconds, the MAC entry for Device A is removed from the software.

Example of Port Movement
Figure 30 shows Device A connected to port X. Port X has a MAC lockdown timer setting of 100 seconds, and port Y has a MAC lockdown timer setting of 200 seconds.
Figure 30. Port Movement with MAC Lockdown Timeout (figure: Device A, port X, port Y)
Device A starts sending traffic on port X. The MAC address for Device A is learned and added to the FDB, and the MAC lockdown timer (100 seconds) is started for this entry.
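The learning-limit, blackhole and lockdown-timer behaviour described in the preceding sections, as an added simulation that is not NETGEAR code. Time is an explicit argument, the FDB aging time is an assumed constant, and what happens on port-down without a lockdown timer and to blackholes on a clear are simplifying assumptions marked in comments; the port-movement case is not modelled.

```python
from dataclasses import dataclass

AGING_TIME = 300.0  # assumed FDB aging time in seconds (not stated on this page)


@dataclass
class Entry:
    mac: str
    port: str
    expires_at: float         # time at which the aging or lockdown timer runs out
    in_hardware: bool = True  # False once the port has gone down


class Switch:
    """Simplified per-port learning-limit and MAC-lockdown-timer model."""

    def __init__(self):
        self.fdb = {}            # mac -> Entry
        self.blackholed = set()  # (port, mac) pairs dropped at ingress and egress
        self.limit = {}          # port -> learning limit
        self.lockdown = {}       # port -> lockdown timeout in seconds

    def configure_limit(self, port, limit):
        self.limit[port] = limit

    def configure_lockdown_timeout(self, port, seconds):
        # Enabling the timeout leaves an already configured limit and any
        # existing blackholed entries as they are.
        self.lockdown[port] = seconds

    def learned_on(self, port):
        return sorted(e.mac for e in self.fdb.values() if e.port == port)

    def expire(self, now):
        """Remove entries whose aging or lockdown timer has run out."""
        for mac in [m for m, e in self.fdb.items() if now >= e.expires_at]:
            del self.fdb[mac]

    def ingress(self, port, mac, now):
        """Handle a frame with source `mac` on `port` at time `now`.
        Returns 'forward' (known or newly learned) or 'blackhole'."""
        self.expire(now)
        entry = self.fdb.get(mac)
        if entry is not None and entry.port == port:
            # Traffic refreshes the entry, and with it the lockdown timer.
            entry.in_hardware = True
            entry.expires_at = now + self.lockdown.get(port, AGING_TIME)
            return "forward"
        limit = self.limit.get(port)
        if limit is not None and len(self.learned_on(port)) >= limit:
            # Limit reached: the new source MAC is blackholed rather than
            # learned; a locked entry is not replaced until its timer expires.
            self.blackholed.add((port, mac))
            return "blackhole"
        # Free slot: learn the address (a previous blackhole for it is dropped).
        self.blackholed.discard((port, mac))
        self.fdb[mac] = Entry(mac, port, now + self.lockdown.get(port, AGING_TIME))
        return "forward"

    def port_down(self, port, now):
        """Port-down: the hardware entries go away; with a lockdown timer the
        software keeps each entry until that timer, restarted now, expires."""
        for mac in self.learned_on(port):
            entry = self.fdb[mac]
            if port in self.lockdown:
                entry.in_hardware = False
                entry.expires_at = now + self.lockdown[port]
            else:
                del self.fdb[mac]  # assumption: without a timer the entry is flushed

    def clear_port(self, port):
        """Operator clears the port's entries so addresses can be learned again
        up to the limit (dropping the port's blackholes too is an assumption)."""
        for mac in self.learned_on(port):
            del self.fdb[mac]
        self.blackholed = {(p, m) for p, m in self.blackholed if p != port}
```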

Output from this command also lists the aging time of the port.

DHCP Server
XCM8800 has Dynamic Host Configuration Protocol (DHCP) support. In simple terms, a DHCP server dynamically manages and allocates IP addresses to clients. When a client accesses the network, the DHCP server provides an IP address to that client. The client is not required to receive the same IP address each time it accesses the network.

To remove the default gateway, DNS server addresses, and WINS server information for a particular VLAN, use the following command:
unconfigure {vlan} dhcp-options {[ default-gateway | dns-server {primary | secondary} | wins-server]}
To remove all the DHCP information for a particular VLAN, use the following command:
unconfigure vlan dhcp
You can clear selected entries, or all entries, in the DHCP address allocation table.

• Gratuitous ARP Protection on page 458
• ARP Validation on page 460
Figure 31 displays the dependencies of IP security. Any feature that appears directly above another feature depends on it. For example, to configure ARP validation, you must configure DHCP snooping and trusted DHCP server.

When configured to do so, the switch drops packets from DHCP snooping-enabled ports and causes one of the following user-configurable actions: disables the port temporarily, disables the port permanently, blocks the violating MAC address temporarily, blocks the violating MAC address permanently, and so on.

Configuring DHCP Snooping
By default, DHCP snooping is disabled on the switch.

Configuring Trusted DHCP Server
To configure a trusted DHCP server on the switch, use the following command:
configure trusted-servers {vlan} add server trust-for dhcp-server
You can configure a maximum of eight trusted DHCP servers on the switch. If you configure one or more trusted ports, the switch assumes that all DHCP server packets on the trusted port are valid. For more information about configuring trusted ports, see the next section.

1:3   drop-packet
1:4   drop-packet, block-mac permanently
1:7   none
1:9   drop-packet, snmp-trap
To display the DHCP bindings database, use the following command:
show ip-security dhcp-snooping entries {vlan}
The following is sample output from this command:
-------------------------------------------
Vlan: dhcpVlan
-------------------------------------------
                          Server   Client
IP Addr      MAC Addr     Port     Port
-------      --------     ------   ------
172.16.100.

configure ip-security dhcp-snooping information option
Note: When DHCP relay is configured in a DHCP snooping environment, the relay agent IP address should be configured as the trusted server.
When DHCP option 82 is enabled, two types of packets need to be handled:
• DHCP Request: When the switch (relay agent) receives a DHCP request, option 82 is added at the end of the packet.

If the configuration of either VLAN Info or Port Info causes the total string length of - to exceed 32 bytes, then it is truncated to 32 bytes. The string is not NULL terminated, since the total circuit ID length is being specified.

Example of Option 82 Configuration
The following example describes Option 82 configuration for circuit ID fields.

Port   Circuit-ID Port information string
----   ----------------------------------
1      cutomer-1
2      cutomer-2
3      1003
4      1004
5      1005
6      1006
7      1007
8      1008
9      1009
10     1010
11     1011
12     1012
13     1013
14     1014
15     1015
16     1016
17     1017
18     1018
19     1019
20     1020
21     1021
22     1022
23     1023
24     1024
25     1025
26     1026
Note: The full Circuit ID string has the form '-'. * XCM8806.
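The circuit ID construction and the 32-byte truncation rule from the option 82 discussion above, as an added example that is not NETGEAR code. It assumes the circuit ID is the VLAN information string, a hyphen, and the per-port information string (as in the table), carried in sub-option 1 of option 82 and appended before the END option of a client request; the DHCPDISCOVER it works on is a constructed minimal message.

```python
OPTION_RELAY_AGENT = 82   # DHCP relay agent information option
SUBOPT_CIRCUIT_ID = 1     # agent circuit ID sub-option
OPTION_END = 0xFF
OPTION_PAD = 0
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MAX_CIRCUIT_ID = 32       # stated limit for the circuit ID string


def circuit_id(vlan_info, port_info):
    """'<vlan-info>-<port-info>' as bytes, truncated to 32 bytes, no NUL.
    The length travels in the sub-option header, so no terminator is needed."""
    return f"{vlan_info}-{port_info}".encode("ascii")[:MAX_CIRCUIT_ID]


def option82(vlan_info, port_info):
    """Option 82 TLV carrying only the circuit ID sub-option."""
    cid = circuit_id(vlan_info, port_info)
    sub = bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
    return bytes([OPTION_RELAY_AGENT, len(sub)]) + sub


def append_option82(msg, vlan_info, port_info):
    """Insert option 82 at the end of the options field, just before END,
    as the relay agent does for a client request.  Rejects non-DHCP input
    and a message that already carries option 82."""
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    i = 240  # options start after the fixed 236-byte header and cookie
    while i < len(msg):
        code = msg[i]
        if code == OPTION_END:
            return msg[:i] + option82(vlan_info, port_info) + msg[i:]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_RELAY_AGENT:
            raise ValueError("option 82 already present")
        i += 2 + msg[i + 1]
    raise ValueError("END option missing")


def extract_circuit_id(msg):
    """Return the circuit ID bytes from option 82, or None if absent."""
    i = 240
    while i < len(msg) and msg[i] != OPTION_END:
        if msg[i] == OPTION_PAD:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        data = msg[i + 2:i + 2 + length]
        if code == OPTION_RELAY_AGENT:
            j = 0
            while j < len(data):
                sub_code, sub_len = data[j], data[j + 1]
                if sub_code == SUBOPT_CIRCUIT_ID:
                    return data[j + 2:j + 2 + sub_len]
                j += 2 + sub_len
        i += 2 + length
    return None


def sample_discover():
    """Constructed minimal DHCPDISCOVER: op/htype/hlen/hops, zeroed rest of
    the 236-byte header, cookie, message-type option (53 = DISCOVER), END."""
    header = bytes([1, 1, 6, 0]) + bytes(232)
    return header + MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([OPTION_END])
```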

source IP lockdown is enabled on another port, the switch creates ACLs to allow DHCP packets and to deny all IP traffic for that particular port. Source IP lockdown is enabled on a per-port basis; it is not available at the VLAN level. If source IP lockdown is enabled on a port, the feature is active on the port for all VLANs to which the port belongs.

For more information about DHCP snooping, see Configuring DHCP Snooping on page 448. By default, source IP lockdown is disabled on the switch.

Configuring ARP Learning
As previously described, ARP learning is enabled by default. The switch builds its ARP table by tracking ARP requests and replies.

By default, DHCP secured ARP learning is disabled. To enable DHCP secured ARP, use the following command:
enable ip-security arp learning learn-from-dhcp {vlan} ports [all | ]
DHCP secured ARP must be enabled on the DHCP server port as well as the DHCP client ports.

• Destination MAC address—FF:FF:FF:FF:FF:FF (broadcast)
• Source MAC address—Host's MAC address
• Source IP address = Destination IP address—IP address to be resolved
In a network, gratuitous ARP is used to:
• Detect duplicate IP addresses
In a properly configured network, there is no ARP reply for a gratuitous ARP request. However, if another host in the network is configured with the same IP address as the source host, then the source host receives an ARP reply.

In addition, to protect the IP addresses of the hosts that appear as secure entries in the ARP table, use the following commands to enable DHCP snooping, DHCP secured ARP, and gratuitous ARP on the switch:
• enable ip-security dhcp-snooping {vlan} ports [all | ] violation-action [drop-packet {[block-mac | block-port] [duration | permanently] | none]}] {snmp-trap}
• enable ip-security arp learning learn-from-dhcp {vlan} ports [

Depending on the options specified when enabling ARP validation, the following validations are done. Note that the 'DHCP' option does not have to be specified explicitly; it is always implied when ARP validation is enabled.

Configuring ARP Validation
Before you configure ARP validation, you must enable DHCP snooping on the switch.
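The gratuitous ARP pattern and the dependency of ARP validation on the DHCP snooping bindings, as an added example that is not the switch's code: it parses an Ethernet/ARP frame, recognises gratuitous ARP by the fields listed above, and checks the sender against a binding table shaped like the show ip-security dhcp-snooping entries output. The binding table, the frames and the result labels are constructed for the example; requiring the sender IP, MAC and ingress port to match a binding is this example's policy, not a statement of which options the switch checks.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(frame):
    """Return the Ethernet and ARP fields of an IPv4-over-Ethernet ARP frame,
    or None if the frame is not one."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(arp):
    """Gratuitous ARP as described above: broadcast destination MAC and
    sender IP equal to target IP."""
    return arp["dst"] == BROADCAST and arp["spa"] == arp["tpa"]


def build_arp(op, src_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Constructed test frame, padded to the 60-byte minimum."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(src_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + body + bytes(18)


# Constructed binding table: vlan -> {client IP: (client MAC, client port)}
BINDINGS = {
    "dhcpVlan": {
        "172.16.100.10": ("00:04:0d:9d:12:af", "1:3"),
        "172.16.100.11": ("00:04:0d:9d:12:b0", "1:4"),
    }
}


def validate(frame, vlan, port, bindings=BINDINGS):
    """Classify an ARP frame seen on (vlan, port) against the bindings.
    Returns 'not-arp', 'src-mac-mismatch', 'unknown-sender',
    'gratuitous-conflict', 'ip-mac-mismatch', 'port-mismatch' or 'valid'."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["src"] != arp["sha"]:
        return "src-mac-mismatch"      # Ethernet source and ARP sender disagree
    bound = bindings.get(vlan, {}).get(arp["spa"])
    if bound is None:
        return "unknown-sender"        # no DHCP lease for the claimed IP
    bound_mac, bound_port = bound
    if bound_mac != arp["sha"]:
        # Another MAC claims a leased IP; in a gratuitous ARP that is the
        # duplicate-IP situation described above.
        return "gratuitous-conflict" if is_gratuitous(arp) else "ip-mac-mismatch"
    if bound_port != port:
        return "port-mismatch"         # lease was given out on a different port
    return "valid"
```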

others, and although normal traffic is not a problem, exception traffic must be handled by the switch's CPU in software. Some packets that the switch processes in the CPU software include:
• Traffic resulting from new MAC learning
Note: When certain features such as Network Login are enabled, hardware learning is disabled to let software control new MAC learning.

The remainder of this section describes how to configure DoS protection, including alert thresholds, notify thresholds, ACL expiration time, and so on.

configure dos-protect trusted-ports [ports [ | all] | add-ports [ | all] | delete-ports [ | all] ]

Displaying DoS Protection Settings
To display the DoS protection settings, use the following command:
show dos-protect {detail}

Protocol Anomaly Protection
The NETGEAR chipsets contain built-in hardware protocol checkers that support port security features for security applications, such as stateless DoS protection.

To display rate limiting statistics, use the following command:
show ports {} rate-limit flood {no-refresh}

Authenticating Management Sessions Through the Local Database
You can use a local database on each switch to authenticate management sessions. The local database stores user names and passwords and helps to ensure that any configuration changes to the switch can be done only by authorized users.

To use TACACS+ server features, you need the following components:
• TACACS+ client software, which is included in the XCM8800 software.
• A TACACS+ server, which is a third-party product.
Note: TACACS+ provides many of the same features provided by RADIUS. You cannot use RADIUS and TACACS+ at the same time.
TACACS+ is a communications protocol that is used between client and server to implement the TACACS+ service.

Configuring the TACACS+ Client Timeout Value
To configure the timeout if a server fails to respond, use the following command:
configure tacacs timeout
To detect and recover from a TACACS+ server failure when the timeout has expired, the switch makes one authentication attempt before trying the next designated TACACS+ server or reverting to the local database for authentication.

TACACS+ Configuration Example
This section provides a sample TACACS+ client configuration.

• Enabling and Disabling TACACS+ Accounting on page 470
• TACACS+ Accounting Configuration Example on page 470

Specifying the Accounting Server Addresses
Before the TACACS+ client software can communicate with a TACACS+ accounting server, you must specify the server address in the client software. You can specify up to two accounting servers, and you can use either an IP address or a host name to identify each server.

Enabling and Disabling TACACS+ Accounting
After you configure the TACACS+ client with the TACACS+ accounting server information, you must enable accounting in the TACACS+ client before the switch begins transmitting the information. You must enable TACACS+ authentication in the client for accounting information to be generated. You can enable and disable accounting without affecting the current state of TACACS+ authentication.

Server name   :
IP address    : 10.201.31.235
Server IP Port: 49
Client address: 10.201.31.85 (VR-Default)
Shared secret : purple
TACACS+ Acct Server Connect Timeout sec: 3
Primary TACACS+ Accounting Server:
Server name   :
IP address    : 10.201.31.238
Server IP Port: 49
Client address: 10.201.31.85 (VR-Default)
Shared secret : purple
Secondary TACACS+ Accounting Server:
Server name   :
IP address    : 10.201.31.235
Server IP Port: 49
Client address: 10.201.31.

Note: RADIUS provides many of the same features provided by TACACS+. You cannot use RADIUS and TACACS+ at the same time.
RADIUS is a communications protocol (RFC 2138) that is used between client and server to implement the RADIUS service. The RADIUS client component of the XCM8800 software should be compatible with any RADIUS compliant server product.

authentication events. The RADIUS server does not process attributes; it simply sends them when authentication is accepted. It is the switch that processes attributes. User authentication and attributes are managed on a RADIUS server by editing text files. On the FreeRADIUS server, the user ID, password, attributes, and VSAs are stored in the users file, and VSAs are defined in the dictionary file. The dictionary file associates numbers with each attribute.

Authenticating Network Login Users Through a RADIUS Server
You can use a RADIUS server to authenticate network login users and supply configuration data that the switch can use to make dynamic configuration changes to accommodate network login users. A RADIUS server allows you to centralize the authentication database, so that you do not have to maintain a separate local database on each switch.

• Command authorization is not applicable because network login controls network access, not management session access.
Except for the above differences, network login authentication is the same as described in How NETGEAR Switches Work with RADIUS Servers on page 472.

Configuration Overview for Authenticating Network Login Users
To configure the switch RADIUS client and the RADIUS server to authenticate network login users, do the following:
1.

Specifying RADIUS Server Addresses
Before the RADIUS client software can communicate with a RADIUS server, you must specify the server address in the client software. You can specify up to two RADIUS servers, and you can use either an IP address or a host name to identify each server.

Enabling and Disabling the RADIUS Client Service
The RADIUS client service can be enabled or disabled without affecting the client configuration. When the client service is disabled, the client does not communicate with the RADIUS server, so authentication must take place through another service such as the local database or a TACACS+ server.
Note: You cannot use RADIUS and TACACS+ at the same time.

management and another pair for network login, use the mgmt-access and netlogin keywords.

Configuring the RADIUS Client Accounting Timeout Value
To configure the timeout if a server fails to respond, use the following command:
configure radius-accounting {mgmt-access | netlogin} timeout
If the timeout expires, another authentication attempt is made. After three failed attempts to authenticate, the alternate server is used.

RADIUS Server Configuration Guidelines
The RADIUS server is introduced in Configuring the RADIUS Client on page 475.

eric Password = "", Service-Type = Administrative, Profile-Name = ""
     Filter-Id = "unlim"
     Netgear:Netgear-CLI-Authorization = Enabled
The key components of the example above are the user name, password, profile name, and NETGEAR-CLI-Authorization VSA. For simple authentication, you only need to enter the user name (eric in this example) and a password as described in the RADIUS server documentation.

The key components of the example above are the MAC address, password (which is set to the MAC address), attributes, and NETGEAR VSAs. For simple authentication, you only need to enter the MAC address (00040D9D12AF in this example) and a password as described in the RADIUS server documentation. Enter the attributes for each user and separate them from the others with commas as described in the RADIUS server documentation.

Table 50. Standard RADIUS Attributes Used by Network Login (Continued)
Attribute        RFC       Attribute Type  Format   Sent-in                          Description
Service-Type     RFC 2138  6               String   Access-Accept                    Specifies the granted service type in an Access-Accept message. See Attribute 6: Service Type on page 482.
Session-Timeout  RFC 2865  27              Integer  Access-Accept, Access-Challenge  Specifies how long the user session can last before authentication is required.

read-only access to the user. Different implementations of RADIUS handle attribute transmission differently. You should consult the documentation for your specific implementation of RADIUS when you configure users for read-write access.

NETGEAR VSAs
Table 51 contains the Vendor Specific Attribute (VSA) definitions that a RADIUS server can send to a NETGEAR switch after successful authentication.

The following sections provide additional information on using the NETGEAR VSAs listed in Table 51:
• VSA 201: NETGEAR-CLI-Authorization on page 484
• VSA 203: NETGEAR-Netlogin-VLAN-Name on page 484
• VSA 204: NETGEAR-Netlogin-URL on page 485
• VSA 205: NETGEAR-Netlogin-URL-Desc on page 485
• VSA 206: NETGEAR-Netlogin-Only on page 486
• VSA 209: NETGEAR-Netlogin-VLAN-ID on page 486
• VSA 211: NETGEAR-Netlogin-Extended-Vlan on page 487
The examples in the following sec

The following describes the guidelines for VSA 203:
• For untagged VLAN movement with 802.1x netlogin, you can use all current NETGEAR VLAN VSAs: VSA 203, VSA 209, and VSA 211.
• To specify the VLAN name, use an ASCII string.
• When using this VSA, do not specify whether the VLAN is tagged or untagged.

redirect message while the web client is redirected to the web page specified by attribute 204. If a login method other than Web-based is used, the switch ignores this attribute.
The following describes the guidelines for VSA 205:
• To let users know where they will be redirected after authentication (specified by VSA 204), use an ASCII string to provide a brief description of the URL.
• VSA 205 applies only to the web-based authentication mode of Network Login.

• To specify the VLAN ID, use an ASCII string.
• When using this VSA, do not specify whether the VLAN is tagged or untagged.

• For tagged VLAN movement with 802.1x netlogin, you must use VSA 211.
• To specify the VLAN name or the VLAN ID, use an ASCII string; however, you cannot specify both the VLAN name and the VLAN ID at the same time. If the string contains only numbers, it is interpreted as the VLAN ID.
• A maximum of 10 VLANs are allowed per VSA.
• For tagged VLANs, specify T for tagged before the VLAN name or VLAN ID.

Configuring the Dictionary File
Before you can use NETGEAR VSAs on a RADIUS server, you must define the VSAs. On the FreeRADIUS server, you define the VSAs in the dictionary file in the /etc/raddb directory. You must define the vendor ID for NETGEAR, each of the VSAs you plan to use, and the values to send for the VSAs.
NETGEAR 8800 User Manual Configuring the Users File To enable command authorization for a user, you must modify the users file entry for the user by configuring the following attributes: • Profile-Name= • NETGEAR-CLI-Authorization = Enabled The following users file entries show different ways that these attributes are configured, and they serve as an example for review later in this section.
-
NETGEAR 8800 User Manual Configuring the Profiles File The following example RADIUS profiles file entries show an example configuration for three profiles: PROFILE1 deny { enable *, disable ipforwarding show switch } PROFILE2 { enable *, clear counters show management } PROFILE3 deny { create vlan *, configure iproute *, disable *, show fdb delete *, configure rip add } The following guidelines apply to the profiles file: • Changes to the profiles file require the RADIUS server to be shutdown and res
-
NETGEAR 8800 User Manual Based on the profiles listed in the example above and the users listed in the example in Configuring the Users File on page 490, command authorization for this example operates as follows: • User eric is able to log in, but is unable to perform any commands, because he has no valid profile assigned. • Users albert and lulu are assigned to PROFILE1, which uses the deny keyword, so their use of commands is as follows: • • Cannot use any command starting with enable.
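
The authorization rules described above can be checked offline before a profiles file is deployed. The following Python evaluator is an added example, not code from the manual or from FreeRADIUS; it assumes the semantics the text states (a deny profile blocks the listed commands and permits everything else, a profile without deny permits only the listed commands, a trailing * matches any continuation of the command, a non-wildcard entry matches only the exact command, and a user with no valid profile may run nothing) and uses the three example profiles and the users eric, albert and lulu as constructed input; the user sam and PROFILE2 assignment are added for illustration.

```python
"""Evaluate NETGEAR-CLI command authorization against a FreeRADIUS
profiles file.  Added example; the profile semantics are assumptions
drawn from the manual's description, not FreeRADIUS code."""
import re
from dataclasses import dataclass, field

# Constructed copy of the manual's three example profiles.
PROFILES_TEXT = """
PROFILE1 deny {
    enable *,
    disable ipforwarding
    show switch
}
PROFILE2 {
    enable *,
    clear counters
    show management
}
PROFILE3 deny {
    create vlan *,
    configure iproute *,
    disable *,
    show fdb delete *,
    configure rip add
}
"""

# Constructed users-file view: user -> Profile-Name (None = no valid profile).
# eric has no profile, albert and lulu use PROFILE1; sam is a hypothetical
# PROFILE2 user added to show a permit-list profile.
USERS = {"eric": None, "albert": "PROFILE1", "lulu": "PROFILE1", "sam": "PROFILE2"}


@dataclass
class Profile:
    name: str
    deny: bool                      # True: deny list, False: permit list
    patterns: list = field(default_factory=list)


def parse_profiles(text):
    """Parse 'NAME [deny] { pattern, pattern ... }' blocks into Profile objects."""
    profiles = {}
    for m in re.finditer(r"(\w+)\s*(deny)?\s*\{([^}]*)\}", text):
        name, deny, body = m.group(1), m.group(2), m.group(3)
        patterns = [ln.strip().rstrip(",").strip()
                    for ln in body.splitlines() if ln.strip()]
        profiles[name] = Profile(name, deny is not None, patterns)
    return profiles


def _matches(pattern, command):
    """A trailing '*' matches any continuation (word-wise prefix);
    otherwise the pattern must equal the whole command (assumption)."""
    pwords, cwords = pattern.lower().split(), command.lower().split()
    if pwords and pwords[-1] == "*":
        prefix = pwords[:-1]
        return cwords[:len(prefix)] == prefix
    return cwords == pwords


def is_authorized(profile, command):
    """Apply one profile to one command; no profile means nothing is allowed."""
    if profile is None:
        return False
    hit = any(_matches(p, command) for p in profile.patterns)
    return not hit if profile.deny else hit


def check(user, command, profiles=None, users=USERS):
    """Resolve the user's Profile-Name and evaluate the command."""
    profiles = profiles if profiles is not None else parse_profiles(PROFILES_TEXT)
    profile_name = users.get(user)
    profile = profiles.get(profile_name) if profile_name else None
    return is_authorized(profile, command)


if __name__ == "__main__":
    for user, cmd in [("eric", "show vlan"), ("albert", "enable ipforwarding"),
                      ("albert", "show vlan"), ("lulu", "show switch"),
                      ("sam", "clear counters"), ("sam", "show vlan")]:
        print(f"{user:7} {cmd:22} -> {'permit' if check(user, cmd) else 'deny'}")
```
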
Note: RADIUS server software can be obtained from several sources. This solution uses the FreeRADIUS software available on the following URLs: http://www.freeradius.org and www.redhat.com. Another free tool, NTRadPing, can be used to test authentication and authorization requests from Windows clients. NTRadPing displays detailed responses such as attribute values sent back from the RADIUS server.

Auth-Type PAP {
    pap
}
Auth-Type CHAP {
    chap
}
Auth-Type MS-CHAP {
    mschap
}
unix
ldap
eap

A NETGEAR edge switch serves as a network access server (NAS) for workstations and as a RADIUS client for the RADIUS server. RADIUS clients are configured in /etc/raddb/clients.conf. There are two ways to configure RADIUS clients: either group the NAS by IP subnet or list the NAS by host name or IP address.

attributetype ( 1.3.6.1.4.1.3317.4.3.1.61
    NAME 'radiusNetgearSecurityProfile'
    DESC ''
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.3317.4.3.1.62
    NAME 'radiusNetgearNetloginVlanTag'
    DESC ''
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.3317.4.3.1.63
    NAME 'radiusNetgearNetloginExtendedVlan'
    DESC ''
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.

Implementation Notes for Specific RADIUS Servers

The following sections provide some implementation notes on specific RADIUS servers:
• Cistron RADIUS on page 496
• RSA Ace on page 496
• Steel-Belted Radius on page 496
• Microsoft IAS on page 497

Cistron RADIUS

Cistron Radius is a popular server, distributed under GPL. Cistron Radius can be found at: http://www.radius.cistron.

To configure the SBR server, the file vendor.ini must be modified to change the NETGEAR configuration value of ignore-ports to yes as shown in the example below:

vendor-product = NETGEAR
dictionary = Netgear
ignore-ports = yes
port-number-usage = per-port-type
help-id = 2000

After modifying the vendor.ini file, the desired user accounts must be configured for the Max-Concurrent connections.

Note: For values of format integer you will have to select the type ‘Decimal’ from the pull-down menu.
c. Configure the desired value for the attribute.
d. Once the desired values have been entered, click the OK button.
7. Click the OK button two more times to return to the Add Attributes dialog window.
8. Select Close, and then click OK twice to complete the editing of the Remote Access Policy profile.
9.

4. Configure the edge switches as described in this guide.
5. Configure each supplicant as described in Configuring a Windows XP Supplicant for 802.1x Authentication on page 503.
For complete instructions on setting up an LDAP server, see the product documentation for the LDAP server.

Configuring OpenLDAP

Once the build is complete, the slapd and slurpd daemons are located in /usr/local/libexec. The config files are in /etc/openldap and ready to start the main server daemon, slapd.

Configuring slapd for Startup

Before you start slapd, edit /etc/openldap/slapd.conf to include the location to store the data and details on who is allowed to access the data.

objectClass: sambaSamAccount
sn: ldaptestdemo
uid: newperson3                   <<< This username given in the Odyssey client
cn: newperson3
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 2     <<< Value of the VLAN tag
sambaNTPassword: A3A685F89364D4A5182B028FBE79AC38
sambaLMPassword: C23413A8A1E7665FC2265B23734E0DAC
userPassword:: e1NIQX00MXZzNXNYbTRPaHNwUjBFUU9raWdxbldySW89
sambaSID: S-1-0-0-28976

The Samba-related attributes can be populated in the LDAP server a

Create vlan nvlan
En netlogin dot1x
En netlogin port 13-24 dot1x
configure radius netlogin primary server 192.168.1.2 1812 client-ip 192.168.1.

#*********************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $voiceVlan
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-netgear call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-netgear file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-netgear dot1q-framing tagged
configure lldp port $EVENT.

2. Click the Authentication tab, and the Authentication dialog appears.
3. Enable 802.1x and disable authenticate as computer. Choose EAP type of Protected EAP, then click Properties.
4. Unselect the Validate server certificate and select eap-mschapv2 as the authentication method. Click Configure.
5. Select or unselect the check box depending on whether you want to use the logon name and password, then click OK.

• Viewing SSH2 Information on page 507
• Using ACLs to Control SSH2 Access on page 508
• Using SCP2 from an External SSH2 Client on page 510
• Understanding the SSH2 Client Functions on the Switch on page 511
• Using SFTP from an External SSH2 Client on page 512

Enabling SSH2 for Inbound Switch Access

To install the software module, see the instructions in Appendix B, Software Upgrade and Boot Options.

Note: The pregenerated key must be one that was generated by the switch. To get such a key, you can use the command show ssh2 private-key to display the key on the console. Copy the key to a text editor and remove the carriage return/line feeds from the key. Finally, copy and paste the key into the command line. The key must be entered as one line.
The key generation process generates the SSH2 private host key.

the switch but is not associated with any user. The key can then be associated with the user via the CLI. You can also enter or paste the key using the CLI. There cannot be any carriage returns or new lines in the key. See the appropriate reference page in the NETGEAR 8800 Chassis Switch CLI Manual for additional details. The host and user public keys can be written to a file in the config directory using the create command.

Using ACLs to Control SSH2 Access

You can restrict SSH2 access by creating and implementing an ACL policy. You configure an ACL policy to permit or deny a specific list of IP addresses and subnet masks for the SSH2 port. The two methods to load ACL policies to the switch are:
• Use the edit policy command to launch a VI-like editor on the switch. You can create the policy directly on the switch.

MyAccessProfile_2.pol
Entry dontAllowTheseSubnets {
    if {
        source-address 10.203.133.0 /24;
    } then {
        deny;
    }
}
Entry AllowTheRest {
    If {
        ; #none specified
    } then {
        permit;
    }
}

In the following example named MyAccessProfile_2.pol, the switch does not permit connections from the subnets 10.203.133.0/24 or 10.203.135.0/24 but accepts connections from all other addresses:

MyAccessProfile_2.pol
Entry dontAllowTheseSubnets {
    if match any {
        source-address 10.203.133.

enable ssh2 {access-profile [ | none]} {port } {vr [ | all | default]}

Use the none option to remove a previously configured ACL. In the ACL policy file for SSH2, the source-address field is the only supported match condition.
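
A policy file like MyAccessProfile_2.pol can be evaluated offline to confirm which management addresses will reach the SSH2 port before it is bound with enable ssh2. The following Python parser and evaluator is an added example, not switch code; it assumes that the first matching Entry decides, that an Entry with no condition matches every address, that match any needs one condition to hold while the default needs all of them, and it rejects any condition other than source-address, which the text states is the only supported one. The policy text is a constructed copy of the manual's example completed with the second subnet named in the text.

```python
"""Evaluate a source-address ACL policy of the kind the manual applies to
SSH2 access.  Added example, not switch code; first-match semantics and
the match any / match all behaviour are assumptions drawn from the manual's
examples."""
import ipaddress
import re

# Constructed copy of MyAccessProfile_2.pol.  One prefix keeps the
# "10.203.133.0 /24" spacing seen in the manual to show it is tolerated.
POLICY_TEXT = """
Entry dontAllowTheseSubnets {
    if match any {
        source-address 10.203.133.0 /24;
        source-address 10.203.135.0/24;
    } then {
        deny;
    }
}
Entry AllowTheRest {
    If {
        ; #none specified
    } then {
        permit;
    }
}
"""

_ENTRY = re.compile(
    r"Entry\s+(\w+)\s*\{\s*if(?:\s+match\s+(any|all))?\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.IGNORECASE | re.DOTALL)


def parse_policy(text):
    """Return a list of (name, mode, [networks], action) tuples."""
    entries = []
    for m in _ENTRY.finditer(text):
        name, mode, conds, then = m.groups()
        nets = []
        for cond in conds.split(";"):
            cond = cond.split("#", 1)[0].strip()      # drop '# ...' comments
            if not cond:
                continue
            key, value = cond.split(None, 1)
            if key.lower() != "source-address":       # only condition SSH2 ACLs support
                raise ValueError(f"{name}: unsupported match condition {key!r}")
            nets.append(ipaddress.ip_network(value.replace(" ", ""), strict=False))
        action = then.strip().rstrip(";").strip().lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"{name}: unsupported action {action!r}")
        entries.append((name, (mode or "all").lower(), nets, action))
    return entries


def evaluate(entries, src_ip):
    """Return (entry_name, action) for the first Entry matching src_ip,
    or (None, None) when no Entry matches."""
    ip = ipaddress.ip_address(src_ip)
    for name, mode, nets, action in entries:
        if not nets:                       # no condition: matches every address
            return name, action
        hits = [ip in net for net in nets]
        if any(hits) if mode == "any" else all(hits):
            return name, action
    return None, None


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for addr in ("10.203.133.7", "10.203.135.200", "10.203.134.1", "192.0.2.5"):
        print(addr, "->", evaluate(policy, addr))
```

Parsing the same file with the plain if instead of if match any shows why the manual uses match any for two subnets: no single address is in both, so the deny entry never fires.
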
[user@linux-server]# scp2 id_rsa.pub admin@192.168.0.120:test.ssh

This command loads the key into memory, which can be viewed with the command show sshd2 user-key.

Understanding the SSH2 Client Functions on the Switch

A NETGEAR switch can function as an SSH2 client. This means you can connect from the switch to a remote device running an SSH2 server and send commands to that device. You can also use SCP2 to transfer files to and from the remote device.

scp2 engineering.cfg admin@system1:engineering.cfg

Using SFTP from an External SSH2 Client

The SFTP protocol is supported for transferring configuration and policy files to the switch from the SFTP client. You must have administrator-level access to the switch. The switch can be specified by its switch name or IP address. XCM8800 requires that SFTP transfer to the switch files named as follows:
• *.cfg—XCM8800 configuration files
• *.pol—XCM8800 policy files
• *.

[user@linux-server]# sftp admin@192.168.0.120
password:
sftp> put id_rsa.pub id_rsa.ssh

For image file transfers, only one image file at a time can be available for installation. In other words, if test.xos and test-ssh.xmod both need to be installed, you must follow these steps:
1. Transfer test.xos into the switch using scp/sftp
2. Install the test.xos image using the "install image" command
3. Transfer test-ssh.xmod into the switch using scp/sftp
4.

http://kbserver.netgear.com/products/8810.asp. To install the module, see the instructions in Appendix B, Software Upgrade and Boot Options. You must upload or generate a certificate for SSL server use. Before you can upload a certificate, you must purchase and obtain an SSL certificate from an Internet security vendor. The following security algorithms are supported:
• RSA for public key cryptography (generation of certificate and public-private key pair, certificate signing).

Creating Certificates and Private Keys

When you generate a certificate, the certificate is stored in the configuration file, and the private key is stored in the EEPROM. The certificate generated is in PEM format.

• HTTPS port configured. This is the port on which the clients will connect.
• Length of the RSA key (the number of bits used to generate the private key).
• Basic information about the stored certificate.

Downloading a Private Key from a TFTP Server

To download a private key from files stored in a TFTP server, use the following command:
download ssl privkey
If the operation is successful, the existing private key is overwritten.

Displaying SSL Information

To display whether the switch has a valid private and public key pair and the state of HTTPS access, use the following command:
show ssl

Chapter 17.

Part 2: Using Switching and Routing Protocols

18.

Overview

STP is a bridge-based mechanism for providing fault tolerance on networks. STP allows you to implement parallel paths for network traffic and to ensure that redundant paths are:
• Disabled when the main paths are operational.
• Enabled if the main path fails.

Compatibility Between IEEE 802.1D-1998 and IEEE 802.1D-2004 STP Bridges

The IEEE 802.1D-2004 compliant bridges interoperate with the IEEE 802.1D-1998 compliant bridges.

Figure 32. 802.1D-1998 and 802.1D-2004 Mixed Bridge Topology (figure not reproduced: switches A through F, a root bridge, one blocked port, and a mix of IEEE 802.1D-1998 and IEEE 802.1D-2004 bridges)
If you use the default port path costs, bridge D blocks its port to bridge E, and all traffic between bridges D and E must traverse all of the bridges in the network.

65,535 and was not subject to the multiple of 4,096 restriction (except for MSTP configurations). The default bridge priority remains the same at 32,768. If you have a switch that contains an STP or RSTP bridge priority that is not a multiple of 4,096, the switch rejects the entry and the bridge priority returns to the default value while loading the structure. The MSTP implementation in XCM8800 already uses multiples of 4,096 to determine the bridge priority.

  • The port sends BPDUs
  • When configured for MSTP, the port runs a partial state machine
  • If BPDUs are received, the port enters the blocking state
  • If subsequent BPDUs are not received, the port attempts to enter the forwarding state
Edge port running 802.

• port_list—Specifies one or more ports or slots and ports.
• Restricted role is disabled by default. If set, it can cause a lack of spanning tree connectivity. A network administrator enables restricted role to prevent external bridges from influencing the spanning tree active topology.

When an STPD is disabled for a BPDU restrict configured port, an STP port in 802.1D operation mode begins forwarding immediately, but in the RSTP or MSTP operation modes, the port remains in the disabled state. BPDU restrict is available on all of the three operational modes of STP: 802.1D, RSTP, and MSTP. Although edge safeguard is not available in 802.

XCM8806.5 # show configuration stp
#
# Module stp configuration.

Domain (STPD). Each STPD has its own root bridge and active path. After an STPD is created, one or more VLANs can be assigned to it. A physical port can belong to multiple STPDs. In addition, a VLAN can span multiple STPDs. The key points to remember when configuring VLANs and STP are:
• Each VLAN forms an independent broadcast domain.
• STP blocks paths to create a loop-free environment.
• Within any given STPD, all VLANs belonging to it use the same spanning tree.

If you configure EMISTP or PVST+, the STPD ID must be identical to the VLAN ID of the carrier VLAN in that STPD. See Specifying the Carrier VLAN on page 528 for an example. If you have an 802.1D configuration, NETGEAR recommends that you configure the StpdID to be identical to the VLAN ID of the carrier VLAN in that STPD. See Basic 802.1D Configuration Example on page 575 for an example. If you configure Multiple Spanning Tree (MSTP—IEEE 802.1Q-2003, formerly IEEE 802.

STPD Modes

An STPD has three modes of operation:
• 802.1D mode
  Use this mode for backward compatibility with previous STP versions and for compatibility with third-party switches using IEEE standard 802.1D. When configured in this mode, all rapid configuration mechanisms are disabled.
• 802.1w mode
  Use this mode for compatibility with Rapid Spanning Tree (RSTP). When configured in this mode, all rapid configuration mechanisms are enabled.

configure stpd mode [dot1d | dot1w | mstp [cist | msti ]]

All STP parameters default to the IEEE 802.1D values, as appropriate.

Encapsulation Modes

You can configure ports within an STPD to accept specific BPDU encapsulations. This STP port encapsulation is separate from the STP mode of operation. For example, you can configure a port to accept the PVST+ BPDU encapsulation while running in 802.1D mode.

To configure the default BPDU encapsulation mode on a per STPD basis, use the following command:
configure stpd default-encapsulation [dot1d | emistp | pvst-plus]
Instead of accepting the default encapsulation modes of dot1d for the default STPD s0 and emistp for all other STPDs, this command allows you to specify the type of BPDU encapsulation to use for all ports added to the STPD (if not otherwise specified).

• Learning
  A port in the learning state does not accept ingress traffic or perform traffic forwarding, but it begins to learn MAC source addresses. The port also receives and processes STP BPDUs. This is the second transitional state after listening. From learning, the port will change to either blocking or forwarding.
• Forwarding
  A port in the forwarding state accepts ingress traffic, learns new MAC source addresses, forwards traffic, and receives and processes STP BPDUs.

If you add a protected VLAN or port, that addition inherits the carrier VLAN’s encapsulation mode unless you specify the encapsulation mode when you execute the configure stpd add vlan or configure vlan add ports stpd commands. If you specify an encapsulation mode (dot1d, emistp, or pvst-plus), the STP port mode is changed to match; otherwise, the STP port inherits either the carrier VLAN’s encapsulation mode on that port or the STPD’s default encapsulation mode.

• Protected VLAN named v2
• v2 contains ports 3:1-3:4
Since v1 contains ports 3:1-3:2, v2 is aware only of the STP changes for ports 3:1 and 3:2, respectively. Ports 3:3 and 3:4 are not part of the STPD, which is why v2 is not aware of any STP changes for those ports. In addition, enabling autobind on a protected VLAN causes ports to be automatically added or removed as the carrier VLAN changes.

show stpd { | detail}

STPD BPDU Tunneling

You can configure XCM8800 to allow a BPDU to traverse a VLAN without being processed by STP. This is known as BPDU tunneling. There are differences in how to configure this behavior in XCM8800. The examples in this section show how you might have used this feature in NETGEAR 8800 and how to configure STPD BPDU tunneling with XCM8800. You may be more familiar with configuring STPD BPDU tunneling on NETGEAR devices.
-
NETGEAR 8800 User Manual • Configured the mode of operation for the STPD • Configured the STP ports • Enabled STPD The following example shows how to configure STPD BPDU tunneling on devices running XCM8800: Switch A enable ignore-bpdu vlan v1 enable ignore-bpdu vlan v2 enable ignore-bpdu vlan v3 configure vlan v1 add ports 1:1,2:1 tagged stpd s1 configure vlan v2 add ports 1:2,2:1 tagged stpd s2 configure vlan v3 add ports 1:3,2:1 tagged stpd s3 Switch B enable ignore-bpdu vlan v1 enable ignore-bpd
-
NETGEAR 8800 User Manual configure stpd s2 add vlan v2 ports 1:2 disable s1 disable s2 Switch C configure vlan v1 add ports 1:1,2:1 tagged configure vlan v3 add ports 1:3,2:1 tagged configure stpd s1 add vlan v1 ports 1:1 configure stpd s3 add vlan v3 ports 1:3 disable s1 disable s3 STP and Hitless Failover—Modular Switches Only When you install two management modules (MSM/MM) in a NETGEAR 8800 chassis, one node assumes the role of primary and the other node assumes the role of backup.
-
NETGEAR 8800 User Manual • If the primary and backup nodes are not synchronized and both nodes are running a version of XCM8800 that supports synchronization, proceed to step 2. • If the primary and backup nodes are synchronized, proceed to step 3. 2. If the primary and backup nodes are not synchronized, use the synchronize command to replicate all saved images and configurations from the primary to the backup. After you confirm the nodes are synchronized, proceed to step 3. 3.
-
NETGEAR 8800 User Manual • Engineering is the carrier VLAN on STPD2. • Marketing is a member of both STPD1 and STPD2 and is a protected VLAN. Sales, Personnel, Marketing Manufacturing, Engineering, Marketing Switch Y Switch A Switch Z Switch B STPD 2 STPD 1 Switch M Sales, Personnel, Manufacturing, Engineering, Marketing EX_048 Figure 35. Multiple STPDs When the switches in this configuration boot-up, STP configures each STPD such that the topology contains no active loops.
-
NETGEAR 8800 User Manual Marketing & Sales Marketing, Sales & Engineering Switch 1 Switch 3 Switch 2 Sales & Engineering EX_049 Figure 36. Incorrect Tag-Based STPD Configuration The tag-based network in Figure 36 has the following configuration: • Switch 1 contains VLAN Marketing and VLAN Sales. • Switch 2 contains VLAN Engineering and VLAN Sales. • Switch 3 contains VLAN Marketing, VLAN Engineering, and VLAN Sales.
-
NETGEAR 8800 User Manual A B S1 A S2 A B B S1 S2 A B EX_050 Figure 37. Limitations of Traditional STPD The two switches are connected by a pair of parallel links. Both switches run two VLANs, A and B. To achieve load-balancing between the two links using the traditional approach, you would have to associate A and B with two different STPDs, called S1 and S2, respectively, and make the left link carry VLAN A traffic while the right link carries VLAN B traffic (or vice versa).
-
NETGEAR 8800 User Manual desirable to have multiple STP domains operating in a single VLAN, one for each looped area. The justifications include the following: • The complexity of the STP algorithm increases, and performance drops, with the size and complexity of the network. The 802.1D standard specifies a maximum network diameter of seven hops. By segregating a big VLAN into multiple STPDs, you reduce complexity and enhance performance.
-
NETGEAR 8800 User Manual • Although a physical port can belong to multiple STPDs, any VLAN on that port can be in only one domain. Put another way, a VLAN cannot belong to two STPDs on the same physical port. • Although a VLAN can span multiple domains, any LAN segment in that VLAN must be in the same STPD. VLANs traverse STPDs only inside switches, not across links. On a single switch, however, bridge ports for the same VLAN can be assigned to different STPDs. This scenario is illustrated in Figure 39.
-
NETGEAR 8800 User Manual Domain 2 Domain 1 Domain 3 EX_053 Figure 40. Looped VLAN Topology • A necessary (but not sufficient) condition for a loop-free inter-domain topology is that every two domains only meet at a single crossing point. Note: You can use MSTP to overcome the EMISTP constraints described in this section. See Multiple Spanning Tree Protocol on page 557 for information about MSTP.
-
NETGEAR 8800 User Manual STPD VLAN Mapping Each VLAN participating in PVST+ must be in a separate STPD, and the VLAN number (VLAN ID) must be the same as the STPD identifier (STPD ID). As a result, PVST+ protected VLANs cannot be partitioned. This fact does not exclude other non-PVST+ protected VLANs from being grouped into the same STPD. A protected PVST+ VLAN can be joined by multiple non-PVST+ protected VLANs to be in the same STPD.
-
NETGEAR 8800 User Manual Port Roles RSTP uses information from BPDUs to assign port roles for each LAN segment. Port roles are not user-configurable. Port role assignments are determined based on the following criteria: • A unique bridge identifier (MAC address) associated with each bridge • The path cost associated with each bridge port • A port identifier associated with each bridge port RSTP assigns one of the following port roles to bridge ports in the network, as described in Table 52. Table 52.
-
NETGEAR 8800 User Manual Table 53. RSTP Link Types Port Link Type Description Auto Specifies the switch to automatically determine the port link type. An auto link behaves like a point-to-point link if the link is in full-duplex mode or if link aggregation is enabled on the port. Otherwise, the link behaves like a broadcast link used for 802.1w configurations. Edge Specifies a port that does not have a bridge attached.
-
NETGEAR 8800 User Manual Configuring Edge Safeguard Loop prevention and detection on an edge port configured for RSTP is called “edge safeguard.” You configure edge safeguard on RSTP edge ports to prevent accidental or deliberate misconfigurations (loops) resulting from connecting two edge ports together or by connecting a hub or other non-STP switch to an edge port. Edge safeguard also limits the impact of broadcast storms that might occur on edge ports.
-
NETGEAR 8800 User Manual In XCM8800, STP edge safeguard disables a port when a remote loop is detected. A remote loop causes BPDUs to be exponentially duplicated which caused high CPU utilization on the switch even though the port was transitioned to a blocked state. RSTP Timers For RSTP to rapidly recover network connectivity, RSTP requires timer expiration.
-
NETGEAR 8800 User Manual Table 55. Derived Timers (Continued) Timer Description Recent backup The timer starts when a port leaves the backup role. When this timer is running, the port cannot become a root port. The default value is double the hello time (4 seconds). Recent root The timer starts when a port leaves the root port role. When this timer is running, another port cannot become a root port unless the associated port is put into the blocking state.
-
NETGEAR 8800 User Manual • Is now a root port and no other ports have a recent role assignment that contradicts with its root port role. • Is a designated port and attaches to another bridge by a point-to-point link and receives an “agree” message from the other bridge port. • Is an edge port. An edge port is a port connected to a non-STP device and is in the forwarding state. The following sections provide more information about RSTP behavior.
-
NETGEAR 8800 User Manual Another situation may arise if you have more than one bridge and you lower the port cost for the alternate port, which makes it the new root port. The previous root port is now an alternate port. Depending on your STP implementation, STP may set the new root port to the forwarding state before setting the alternate port to the blocking state. This may cause a loop. To prevent this type of loop from occurring, the recent root timer starts when the port leaves the root port role.
-
NETGEAR 8800 User Manual change, that bridge starts the topology change timer, sets the topology change flag on its BPDUs, floods all of the forwarding ports in the network (including the root ports), and flushes the learned MAC address entries. Rapid Reconvergence This section describes the RSTP rapid behavior following a topology change. In this example, the bridge priorities are assigned based on the order of their alphabetical letters; bridge A has a higher priority than bridge F.
-
NETGEAR 8800 User Manual A B C A,0 A,1 A,2 Down link BPDU F E D F,0 A,2 A,3 Designated port Root port EX_055b Figure 43. Down Link Detected 2. Bridge E believes that bridge A is the root bridge. When bridge E receives the BPDU on its root port from bridge F, bridge E: • Determines that it received an inferior BPDU. • Immediately begins the max age timer on its root port. • Performs a configuration update.
-
NETGEAR 8800 User Manual A B C A,0 A,1 A,2 Designated port F E D E,1 E,0 A,3 Root port EX_055d Figure 45. Communicating New Root Bridge Status to Neighbors 4. Bridge D believes that bridge A is the root bridge. When bridge D receives the BPDU from bridge E on its alternate port, bridge D: • Immediately begins the max age timer on its alternate port. • Performs a configuration update.
-
NETGEAR 8800 User Manual A B C A,0 A,1 A,2 Designated port Root port F E D E,1 A,4 A,3 Agree BPDU EX_055f Figure 47. Communicating Port Status to Neighbors 6. To complete the topology change (as shown in Figure 48): • Bridge D moves the port that received the “agree” message into the forwarding state.
-
NETGEAR 8800 User Manual within each bridge configured to run in 802.1w mode. For example, a compatibility issue occurs if you configure 802.1w mode and the bridge receives an 802.1D BPDU on a port. The receiving port starts the protocol migration timer and remains in 802.1D mode until the bridge stops receiving 802.1D BPDUs. Each time the bridge receives an 802.1D BPDU, the timer restarts. When the port migration timer expires, no more 802.
-
NETGEAR 8800 User Manual • MSTP Port Roles on page 565 • MSTP Port States on page 565 • MSTP Link Types on page 565 • MSTP Edge Safeguard on page 565 • MSTP Timers on page 566 • MSTP Hop Counts on page 566 • Configuring MSTP on the Switch on page 566 MSTP Regions An MSTP network consists of either individual MSTP regions connected to the rest of the network with 802.1D and 802.1w bridges or as individual MSTP regions connected to each other.
-
NETGEAR 8800 User Manual (10) CIST root bridge = boundary port = master port = MSTI root port A C B (40) CIST regional root, MSTI regional root (20) CIST regional root D MSTP Region 1 E I F (50) MSTI regional root MSTP Region 2 J K (60) (80) G (90) H (100) EX_167 Figure 50.
-
NETGEAR 8800 User Manual If you have an active MSTP region, NETGEAR recommends that you disable all active STPDs in the region before renaming the region on all of the participating switches. • Configuring the MSTP BPDU format identifier To configure the number used to identify MSTP BPDUs, use the following command: configure mstp format By default, the value used to identify the MSTP BPDUs is 0. The range is 0 to 255.
-
NETGEAR 8800 User Manual Configuring the CIST To configure an STPD as the CIST, use the following command and specify the mstp cist keywords: configure stpd mode [dot1d | dot1w | mstp [cist | msti ]] You enable MSTP on a per STPD basis only. By specifying the mstp cist keywords, you configure the mode of operation for the STPD as MSTP, and you identify the STPD to be the CIST. CIST Root Bridge In a Layer 2 network, the bridge with the lowest bridge ID becomes the CIST root bridge.
-
NETGEAR 8800 User Manual (10) CIST root bridge A = boundary port = master port = MSTI root port (20) CIST regional root D MSTP Region 1 E F (50) MSTI regional root G (60) EX_168 Figure 51. Close-Up of MSTP Region 1 CIST Root Port The port on the CIST regional root bridge that connects to the CIST root bridge is the CIST root port (also known as the master port for MSTIs).
-
NETGEAR 8800 User Manual Configuring the MSTI and the MSTI ID MSTP uses the MSTI ID, not an Stpd ID, to identify the spanning tree contained within the region. As previously described, the MSTI ID only has significance within its local region, so you can re-use IDs across regions.
-
NETGEAR 8800 User Manual Note: If two switches are configured for the same CIST and MSTI region, in order for them to understand that they are in the same region, both must also belong to the same VLAN which is added to the STP domain. If they belong to different VLANs, each switch believes that each belongs to a different region. When an MSTP BPDU is sent, it carries a VID digest created by VLAN memberships in the CIST domain and the MSTI domain.
-
NETGEAR 8800 User Manual MSTP Region 1 and MSTP Region 2 are connected to the CIST root through directly connected ports, identified as master ports. The bridge with ID 100 connects to the CIST root through Region 1, Region 2, or segment B. For this bridge, either Region 1 or Region 2 can be the designated region or segment B can be the designated segment. The CIST BPDUs egressing from the boundary ports carry the CIST regional root as the designated bridge.
-
NETGEAR 8800 User Manual MSTP Timers MSTP uses the same timers as STP and RSTP, respectively. For more information, see RSTP Timers on page 549. MSTP Hop Counts In an MSTP environment, the hop count has the same purpose as the maxage timer for 802.1D and 802.1w environments. The CIST hop count is used within and outside a region. The MSTI hop count is used only inside of the region. In addition, if the other end is an 802.1D or 802.
-
NETGEAR 8800 User Manual configure vlan add ports [all | ] {tagged | untagged} stpd {[dot1d | emistp | pvst-plus]} • Automatically binding ports to an STPD when ports are added to a member VLAN enable stpd auto-bind vlan 6. Enable the MSTIs. enable stpd {} For a more detailed configuration example, see MSTP Configuration Example on page 578.
-
NETGEAR 8800 User Manual • Switch A as the CIST root bridge (this is the CIST root bridge for all regions) • Switch A as the CIST regional root bridge • Switch A as the MSTI regional root bridge • Three boundary ports that connect to MSTP region 2 and other 802.1D or 802.
-
For region 2, Switch E is the CIST regional root bridge and so a port on that bridge becomes the CIST root port.
3. Identifying MSTI regional roots. Each MSTI in a region has an MSTI regional root bridge. MSTI regional roots are selected independently of the CIST root and CIST regional root. The MSTP BPDUs have M-records for each MSTI. Bridges belonging to an MSTI compare vectors in their M-records to elect the MSTI regional root.
4. Converging the CIST.
Figure 54. STP and Network Login Enabled (figure: Switch 1 is the root bridge; Switches 2 through 5 sit below it, with client PCs attached to Switch 4 and Switch 5, labeled Summit X450-1 and Summit X450-2 in the figure; the legend distinguishes links that run only spanning tree from links that run both spanning tree and network login.)
This relieves the administrator from having to configure network login on all the edge ports. All the traffic can be monitored and resiliency is provided at the aggregation side.
STP Rules and Restrictions
This section summarizes the rules and restrictions for configuring STP as follows:
• The carrier VLAN must span all ports of the STPD. (This is not applicable to MSTP.)
• The StpdID must be the VLAN ID of the carrier VLAN; the carrier VLAN cannot be partitioned. (This is not applicable to MSTP.)
• A default VLAN cannot be partitioned. If a VLAN traverses multiple STPDs, the VLAN must be tagged.
Configuring STP on the Switch
To configure basic STP:
1. Create one or more STPDs using the following command:
create stpd
2. Add one or more VLANs to the STPD using the following command:
configure stpd add vlan ports [all | ] {[dot1d | emistp | pvst-plus]}
3. Define the carrier VLAN using the following command:
configure stpd tag
Note: The carrier VLAN’s ID must be identical to the ID of the STPD.
4.
Note: The device supports the RFC 1493 Bridge MIB, RSTP-03, and NETGEAR STP MIB. Parameters of the s0 default STPD support RFC 1493 and RSTP-03. Parameters of any other STPD support the NETGEAR STP MIB.
Note: If an STPD contains at least one port not in 802.1D (dot1d) mode, the STPD must be configured with an StpdID.
The following section provides more detailed STP configuration examples, including 802.1D, EMISTP, RSTP, and MSTP.
To display the state of a port that participates in STP, use the following command:
show {stpd} ports {[detail | {detail}]}
To display more detailed information for one or more ports in the specified STPD, including participating VLANs, specify the detail option.
STP Configuration Examples
This section provides four configuration examples:
• Basic 802.1D Configuration Example on page 575
• EMISTP Configuration Example on page 576
• RSTP 802.1w Configuration Example on page 577
• MSTP Configuration Example on page 578
Basic 802.1D Configuration Example
The following example:
• Removes ports from the VLAN Default that will be added to VLAN Engineering.
• Creates the VLAN Engineering.
• Assigns a VLAN ID to the VLAN Engineering.
By default, the port encapsulation mode for user-defined STPDs is emistp. In this example, you set it to dot1d.
EMISTP Configuration Example
Figure 56 is an example of EMISTP.
Figure 56. EMISTP Configuration Example (figure: four switches S1 through S4; VLAN red is present on every switch, while VLANs green, yellow, brown, and blue each appear on a single switch.)
Note: By default, all ports added to a user-defined STPD are in emistp mode, unless otherwise specified.
create stpd s2
configure stpd s2 add yellow ports all
configure stpd s2 tag 300
configure stpd s2 add red ports 1:3-1:4 emistp
enable stpd s2
RSTP 802.1w Configuration Example
Figure 57 is an example of a network with multiple STPDs that can benefit from RSTP. For RSTP to work:
• Create an STPD.
• Configure the mode of operation for the STPD.
• Create the VLANs and assign the VLAN ID and the VLAN ports.
• Assign the carrier VLAN.
• Add the protected VLANs to the STPD.
create stpd stpd1
configure stpd stpd1 mode dot1w
create vlan sales
create vlan personnel
create vlan marketing
configure vlan sales tag 100
configure vlan personnel tag 200
configure vlan marketing tag 300
configure vlan sales add ports 1:1,2:1 tagged
configure vlan personnel add ports 1:1,2:1 tagged
configure vlan marketing add ports 1:1,2:1 tagged
configure stpd stpd1 add vlan sales ports all
configure stpd stpd1 add vlan personnel ports all
configure stpd stpd1 add vlan marketi
Figure 58. (figure: Switch D, outside both regions, is the CIST root. MSTP Region 1 contains Switches A, B, and C, with STPD S1 configured and VLAN engineering assigned to S1; Switch A is the CIST regional root and the MSTI regional root. MSTP Region 2 contains Switches E, F, and G, with STPD S1 configured and VLAN finance assigned to S1; Switch E is the CIST regional root, and Switch G is the MSTI regional root. Ports are numbered 1 through 10, and the legend marks boundary ports, master ports, MSTI root ports, and the CIST root port.)
• Configure the port link type.
• Enable the MSTI.
On the external switch (the switch that is not in a region):
• Create an STPD that has the same name as the CIST, and configure the mode of operation for the STPD.
• Specify the priority of the STPD.
• Enable the STPD.
Note: In the following sample configurations, any lines marked (Default) represent default settings and do not need to be explicitly configured. STPD s0 already exists on the switch.
configure stpd s0 mode mstp cist
configure stpd s0 priority 32768 (Default)
enable stpd s0 auto-bind vlan Default
enable stpd s0
create stpd s1
configure stpd s1 mode mstp msti 1
configure stpd s1 priority 32768 (Default)
enable stpd s1 auto-bind vlan finance
configure stpd s1 ports link-type point-to-point 2-3
enable stpd s1
In the following example, the commands configure switch D, the external switch.
19. VRRP
This chapter includes the following sections:
• Overview on page 582
• VRRP Configuration Parameters on page 586
• VRRP Tracking on page 587
• VRRP Configuration Examples on page 589
This chapter assumes that you are already familiar with the Virtual Router Redundancy Protocol (VRRP).
management functions, and the backup acts in a standby role. Hitless failover transfers switch management control from the primary to the backup and maintains the state of VRRP. VRRP supports hitless failover. You do not explicitly configure hitless failover support; rather, if you have two nodes installed, hitless failover is available.
Note: For more information about protocol, platform, and support for hitless failover, see Understanding Hitless Failover Support on page 69.
Note: For complete information about software licensing, including how to obtain and upgrade your license and what licenses are appropriate for these features, see Appendix A, XCM8800 Software Licenses.
VRRP Master Election
When a VRRP configured network starts, VRRP uses an election algorithm to dynamically assign master responsibility to one of the VRRP routers on the network. The VRRP master is determined by the following factors:
• VRRP priority—This is a user-defined field.
VRRP Master Preemption
VRRP master preemption is a feature that allows a VRRP router with a higher VRRP priority to take control from a lower priority master. VRRP election occurs at network startup or when the master becomes unavailable. VRRP preemption occurs when a new VRRP router is added to the network or recovers, and that router has a higher priority than the current VRRP master.
• A maximum of 128 VRID instances are supported on the router.
• Up to seven unique VRIDs can be configured on the router. VRIDs can be re-used, but not on the same interface.
• VRRP and the Spanning Tree Protocol (STP) can be simultaneously enabled on the same switch.
• When VRRP and BOOTP/DHCP relay are both enabled on the switch, the relayed BOOTP agent IP address is the actual switch IP address, not the virtual IP address.
Table 56. VRRP Configuration Parameters (Continued)
Parameter: ip_address
Description: This is the IP address associated with this virtual router. You can associate one or more IP addresses to a virtual router. This parameter has no default value. For more information, see the configure vrrp vlan vrid add ipaddress command.
Parameter: advertisement_interval
Description: Specifies the time interval between advertisements in seconds unless otherwise specified as milliseconds. The default is 1 second.
• Displaying VRRP Tracking Information on page 589
VRRP Tracking Mode
When a VRRP tracked entity fails, the VRRP router behavior is controlled by the tracking mode. The mode can be all or any. The default mode is all.
configure vrrp vlan vrid delete track-iproute /
VRRP Ping Tracking
You can configure VRRP to track connectivity using a simple ping to any outside responder. The responder may represent the default route of the router, or any device meaningful to network connectivity of the master VRRP router.
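The election, preemption, and tracking rules described in the preceding sections, as an added model in Python. This is illustration only, not code from NETGEAR or from the switch software. It assumes the RFC 3768 tie-break (equal priorities are resolved in favor of the higher primary IP address), treats a router whose tracking condition has failed as withdrawn from the election (modelled as an effective priority of 0), and applies the preempt setting of the router that would take over. The router names and addresses come from Figure 59; the tracked-entity name vlan2 is made up.

```python
"""Model of VRRP master election, preemption and entity tracking.

Added illustration only; not NETGEAR or switch code. Assumptions:
- highest priority wins; equal priorities are resolved by the higher
  primary IP address (RFC 3768 rule); priority 255 marks the address owner;
- a router whose tracking condition fails withdraws from the election,
  modelled here as an effective priority of 0;
- whether a better router displaces a live master depends on the preempt
  setting of that better router.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class VrrpRouter:
    name: str
    ip: str                        # primary address on the VRRP VLAN
    priority: int                  # 1-254, or 255 for the address owner
    preempt: bool = True
    tracked: Dict[str, bool] = field(default_factory=dict)  # entity -> up?
    track_mode: str = "all"        # "all": withdraw only when every tracked
                                   # entity is down; "any": when one is down

    def effective_priority(self) -> int:
        """Priority after applying the tracking mode to the tracked entities."""
        if not self.tracked:
            return self.priority
        down = sum(1 for up in self.tracked.values() if not up)
        if self.track_mode == "all" and down == len(self.tracked):
            return 0
        if self.track_mode == "any" and down > 0:
            return 0
        return self.priority


def elect_master(routers: List[VrrpRouter],
                 current: Optional[VrrpRouter] = None) -> Optional[VrrpRouter]:
    """Return the router that ends up master.

    `current` is the router that is master now (None at network startup).
    A live master is kept unless it has withdrawn or a better router with
    preempt enabled exists."""
    live = [r for r in routers if r.effective_priority() > 0]
    if not live:
        return None
    best = max(live, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))
    if current is not None and current in live and best is not current:
        return best if best.preempt else current
    return best


if __name__ == "__main__":
    # Figure 59: Switch A owns 192.168.1.3 (priority 255), Switch B backs it up.
    a = VrrpRouter("Switch A", "192.168.1.3", 255)
    b = VrrpRouter("Switch B", "192.168.1.5", 100)
    print("startup:", elect_master([a, b]).name)
    a.tracked = {"vlan2": False}           # constructed tracked VLAN goes down
    print("A's tracked VLAN down:", elect_master([a, b], current=a).name)
    a.tracked["vlan2"] = True
    print("A recovers, preempt on:", elect_master([a, b], current=b).name)
```

Note that the outcome depends only on the priority each router advertises: any device that can place a higher-priority advertisement on the VRRP VLAN wins this election, so VRRP should only be reachable from the ports that carry the real routers.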
Figure 59. Simple VRRP Network (figure: Switch A and Switch B share VRID 1, virtual router IP address 192.168.1.3, and MAC address 00-00-5E-00-01-01. Switch A is the master with priority 255 and interface address 192.168.1.3; Switch B is the backup with priority 100 and interface address 192.168.1.5. The hosts use default gateway 192.168.1.3.)
In Figure 59, a virtual router is configured on Switch A and Switch B using these parameters:
• VRID is 1.
The configuration commands for switch B are as follows:
configure vlan vlan1 ipaddress 192.168.1.5/24
create vrrp vlan vlan1 vrid 1
configure vrrp vlan vlan1 vrid 1 add 192.168.1.3
enable vrrp
Fully Redundant VRRP Network
You can use two or more VRRP-enabled switches to provide a fully redundant VRRP configuration on your network. Figure 60 shows a fully redundant VRRP configuration.
Figure 60. (figure labels, truncated in extraction: Switch A, Switch B, Master for virtual IP 192.168.1.3, Master VRID = 1, Backup for virtual IP 192.)
gateway. In the event that either switch fails, the backup router configured is standing by to resume normal operation. The following command lists assume that you have already created the VLAN named vlan1 on the switch. The configuration commands for switch A are as follows:
configure vlan vlan1 ipaddress 192.168.1.3/24
create vrrp vlan vlan1 vrid 1
configure vrrp vlan vlan1 vrid 1 priority 255
configure vrrp vlan vlan1 vrid 1 add 192.168.1.
Figure 61. (figure: a VRRP master with interface 200.1.1.1/24 on VLAN vlan1, tracking that VLAN (track-vlan), and a VRRP backup with interface 200.1.1.2/24, both attached through a Layer 2 switch or hub to Host 1 at 200.1.1.13/24 and Host 2 at 200.1.1.14/24, which use gateway 200.1.1.1; an upstream router at 10.10.10.121 is also shown.)
20. IPv4 Unicast Routing
Overview
The switch provides full Layer 3, IPv4 unicast routing to all switches that run the Advanced and Core licenses (see Appendix A, XCM8800 Software Licenses). It exchanges routing information with other routers on the network using one of the following routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
The switch dynamically builds and maintains a set of routing tables and determines the best path for each of its routes.
Figure 62. Routing Between VLANs (figure: one switch with ports 1 through 8 in two groups, A and B, and two VLANs: Finance, subnet 192.207.35.0 with router interface 192.207.35.1 and hosts such as 192.207.35.11 and 192.207.35.13, and Personnel, subnet 192.207.36.0 with router interface 192.207.36.1 and hosts such as 192.207.36.12 and 192.207.36.14.)
Populating the Routing Tables
The switch maintains a set of IP routing tables for both network routes and host routes. Some routes are determined dynamically from routing protocols, and some routes are manually entered.
Once a routing protocol is configured, dynamic routes require no configuration and are automatically updated as the network changes.
Static Routes
Static routes are routes that are manually entered into the routing tables and are not advertised through the routing protocols. Static routes can be used to reach networks that are not advertised by routing protocols and do not have dynamic route entries in the routing tables.
Note: Although these priorities can be changed, do not attempt any manipulation unless you are expertly familiar with the possible consequences.
Table 57.
Note: Using route sharing makes router troubleshooting more difficult because of the complexity in predicting the path over which the traffic travels.
Compressed Routes
Compressed routes allow you to reduce the number of routes that are installed in the hardware routing tables. The switch uses hardware routing tables to improve packet forwarding performance.
Table 58. Route Manager’s Table When There Is No Best Route for a Node
Prefix            Gateway        Number of best paths  Compressed?
192.0.0.0/8       10.203.174.68  1                     No
192.168.0.0/16    10.203.174.68  0                     No
192.168.224.0/24  10.203.174.68  1                     No
192.168.225.0/24  10.203.174.68  1                     No
• When a node contains only a multicast route. Route compression is applied to unicast routes only. If a node contains only a multicast route, the compression algorithm is not applied to the node.
Table 60. Route Manager’s Table When IP Route Sharing Is Enabled
Prefix        Gateways                        Compressed?  Reason
20.0.0.0/8    Gw1: 30.1.10.1, Gw2: 50.1.10.1  NO           This is the top node.
20.1.10.0/24  Gw1: 30.1.10.1                  NO           Number of gateways did not match. This node has only one gateway, while the parent node has two.
20.2.10.0/24  Gw1: 30.1.10.1, Gw2: 60.1.10.1  NO           Number of gateways match. But one of the ECMP paths (gateway 60.1.10.1) does not match with its parent’s ECMP paths.
20.3.10.
(continuation of show iproute output; columns are origin, destination, and gateway; the last gateway entries were lost in extraction)
#s   33.33.33.0/24   12.1.10.25
#s   55.0.0.0/8      12.1.10.10
#s   55.0.0.0/8      22.1.10.33
#s   55.2.1.1/32     12.1.10.22
#s   55.5.5.1/32     12.1.10.44
#s   66.0.0.0/8      12.1.10.12
#s   66.0.0.0/16     12.1.10.12
#d   70.1.10.0/24    70.1.10.62
#s   78.0.0.0/8      12.1.10.10
#s   79.0.0.0/8      12.1.10.10
#s   79.0.0.0/8      12.1.10.12
#s   80.0.0.0/8      12.1.10.10
#d   80.1.10.0/24    80.1.10.62
#s   81.0.0.0/8      12.1.10.10
#s   81.0.0.0/8      12.1.10.12
#s   81.0.0.0/8      12.1.10.
#s   82.0.0.0/8
#s   83.0.0.0/8
#d   91.1.10.0/24
#d   92.1.10.0/24
#d   93.1.10.0/24
ECMP cases. As shown in the Route Manager Table in Table 62, when IP route sharing is disabled, all routes are compressed, except the first one in this case.
Table 62. Route Manager’s Table When IP Route Sharing Is Disabled
Prefix        Gateways                        Compressed?
20.0.0.0/8    Gw1: 30.1.10.1, Gw2: 50.1.10.1  NO
20.1.10.0/24  Gw1: 30.1.10.1                  YES
20.2.10.0/24  Gw1: 30.1.10.1, Gw2: 60.1.10.1  YES
20.3.10.0/24  Gw1: 30.1.10.1, Gw2: 50.1.10.1  YES
20.4.10.0/24  Gw1: 30.1.10.1, Gw2: 50.1.10.
(continuation of show iproute output; columns are origin, destination, and gateway)
#s   81.0.0.0/8     12.1.10.13
#s   82.0.0.0/8     12.1.10.10
#s   83.0.0.0/8     12.1.10.10
#d   91.1.10.0/24   91.1.10.62
#d   92.1.10.0/24   92.1.10.62
#d   93.1.10.0/24   93.1.10.
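The compression decision behind Tables 58, 60, and 62, as an added Python model. This is illustration only, not code from NETGEAR or from the switch software. It assumes that a route's parent is the longest installed prefix that contains it, that with IP route sharing enabled the whole ECMP gateway set is compared while with sharing disabled only the single best gateway (taken here to be the first one listed) is compared, and that a node with no best path is neither compressed nor allows its children to be compressed. The prefixes and gateways are the ones in the tables above.

```python
"""Route compression as described for the Route Manager tables.

Added illustration only; not NETGEAR or switch code. Assumptions:
- a route's parent is the longest installed prefix that contains it;
- with IP route sharing enabled the full ECMP gateway set is compared;
  with it disabled only the single best gateway (taken here to be the
  first one listed) is compared;
- a route with no best path (no gateway) is never compressed and never
  lets its children be compressed (Table 58 behaviour).
"""
from ipaddress import ip_network
from typing import Dict, List


def compressible(routes: Dict[str, List[str]], sharing: bool) -> Dict[str, bool]:
    """routes maps prefix -> gateways in preference order ([] = no best path).
    Returns prefix -> True if the route can be left out of the hardware table."""
    nets = {ip_network(p): gws for p, gws in routes.items()}
    result: Dict[str, bool] = {}
    for net, gws in nets.items():
        parents = [p for p in nets
                   if p.prefixlen < net.prefixlen and net.network_address in p]
        if not parents or not gws:
            result[str(net)] = False          # top node, or no best path
            continue
        parent = max(parents, key=lambda p: p.prefixlen)
        pgws = nets[parent]
        if not pgws:
            result[str(net)] = False          # parent has no best path
            continue
        mine = gws if sharing else gws[:1]
        theirs = pgws if sharing else pgws[:1]
        result[str(net)] = set(mine) == set(theirs)
    return result


def hardware_routes(routes: Dict[str, List[str]], sharing: bool) -> List[str]:
    """Prefixes that must still be installed in the hardware LPM table."""
    flags = compressible(routes, sharing)
    return [p for p in routes if not flags[str(ip_network(p))]]


if __name__ == "__main__":
    # Routes from Tables 60 and 62 (the truncated last row omitted).
    table = {
        "20.0.0.0/8": ["30.1.10.1", "50.1.10.1"],
        "20.1.10.0/24": ["30.1.10.1"],
        "20.2.10.0/24": ["30.1.10.1", "60.1.10.1"],
        "20.3.10.0/24": ["30.1.10.1", "50.1.10.1"],
    }
    for sharing in (True, False):
        print("sharing", "enabled " if sharing else "disabled",
              "-> installed:", hardware_routes(table, sharing))
```

With sharing disabled the child routes all match the parent's single best gateway 30.1.10.1 and drop out of hardware; with sharing enabled only 20.3.10.0/24 carries the same gateway set as its parent, which is exactly the difference between Table 60 and Table 62.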
• Extended IPv4 Host Cache on page 605
• ECMP Hardware Table on page 609
Extended IPv4 Host Cache
The extended IPv4 host cache feature provides additional, configurable storage space on select switches to store additional IPv4 hosts in the hardware routing tables. This feature is supported on NETGEAR 8800 switches.
Figure 63. Hardware Forwarding Tables (figure: the External LPM Tables and the Internal LPM Table, each divided into reserved space and unreserved space, alongside the Next Hop Table and the L3 Hash Table.)
The Longest Prefix Match (LPM) and Layer 3 (L3) Hash tables store host and route information for fast-path forwarding.
Table 64. Hardware Routing Table Configuration Capacities
Table         NETGEAR 8800 Switches
Internal LPM  12256
External LPM  N/A
L3 Hash       8192
Next Hop      8192
In addition to configuring the number of reserved entries in the LPM tables, the configure iproute reserved-entries command configures which entries are stored in which tables. Table 65 shows the hardware routing table contents for several configurations.
Table 65.
Note: If no IPv4 route is found in the LPM table and IPv4 unicast packets are slow-path forwarded for a given remote host, an IPv4 entry is created for the remote host in either the L3 hash table or LPM table. The hardware does not cache entries for remote IPv6 hosts, so IPv6 routes take precedence over IPv4 routes.
Note: Gateway entries are entries that represent routers or tunnel endpoints used to reach remote hosts. Gateway entries are not aged and are not replaced by IPv6 hosts or multicast entries in the L3 Hash table or by any entries requiring space in the Next Hop table. The software can move gateway entries from the LPM table to the L3 Hash table to make room for new reserved routes.
ECMP table entry, so duplicate gateway sets require additional ECMP table entries, which reduces the total number of gateway sets the ECMP table can support. This approach also limits the total number of LPM table entries that can use IP route sharing to the total number of ECMP table entries. The ECMP table is smaller than the LPM table, so IP route sharing is not available to all LPM table entries on these platforms.
Troubleshooting: ECMP Table-Full Messages
If the ECMP table is full, no new gateway sets can be added, and IP forwarding is still done in hardware through one of the following:
• For platforms that allow a gateway set entry to support multiple subnets, forwarding can be done using an existing gateway set that is a partial subset of the unavailable gateway set.
Configuring Basic Unicast Routing
To configure IP unicast routing on the switch:
1. Create and configure two or more VLANs.
2. For each VLAN that participates in IP routing, assign an IP address using the following command:
configure {vlan} ipaddress [ {} | ipv6-link-local | {eui64} ]
Ensure that each VLAN has a unique IP address.
3.
configure iproute add [ | ] {metric} {multicast | multicast-only | unicast | unicast-only} {vr }
A static route’s nexthop (gateway) must be associated with a valid IP subnet and cannot use the same IP address as a local VLAN. An IP subnet is associated with a single VLAN by its IP address and subnet mask. If the VLAN is subsequently deleted, the static route entries using that subnet must be deleted manually.
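The two static-route rules just stated (the gateway must lie inside a configured VLAN subnet and must not be a VLAN's own address) and the clean-up they imply when a VLAN is deleted, as an added Python check. This is illustration only, not code from NETGEAR or from the switch software; the VLAN names and addresses are the Finance and Personnel interfaces used in this chapter's routing example, and the static routes and their gateways are constructed.

```python
"""Checks for the static-route rules stated in the text.

Added illustration only; not NETGEAR or switch code. The VLAN table and
the static routes are constructed from the Finance/Personnel example in
this chapter; the rules are the ones the text states for a static
route's nexthop.
"""
from ipaddress import ip_interface, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (destination prefix, gateway address)


def vlan_for_gateway(gateway: str, vlans: Dict[str, str]) -> Optional[str]:
    """Name of the VLAN whose subnet contains `gateway`, or None.
    `vlans` maps VLAN name -> interface address with mask, e.g. '192.207.35.1/24'."""
    gw = ip_interface(gateway).ip
    for name, addr in vlans.items():
        if gw in ip_interface(addr).network:
            return name
    return None


def validate_static_route(dest: str, gateway: str,
                          vlans: Dict[str, str]) -> Optional[str]:
    """Return None if the route is acceptable, otherwise the reason it is not."""
    try:
        ip_network(dest)
    except ValueError as exc:
        return f"bad destination {dest}: {exc}"
    gw = ip_interface(gateway).ip
    for name, addr in vlans.items():
        if gw == ip_interface(addr).ip:
            return f"gateway {gateway} is the local address of VLAN {name}"
    if vlan_for_gateway(gateway, vlans) is None:
        return f"gateway {gateway} is not in any configured VLAN subnet"
    return None


def orphaned_static_routes(routes: List[Route], vlans: Dict[str, str],
                           deleted_vlan: str) -> List[Route]:
    """Static routes whose gateway sat in `deleted_vlan`; these must be
    deleted by hand once that VLAN is removed."""
    return [r for r in routes if vlan_for_gateway(r[1], vlans) == deleted_vlan]


if __name__ == "__main__":
    vlans = {"Finance": "192.207.35.1/24", "Personnel": "192.207.36.1/24"}
    routes = [("10.0.0.0/8", "192.207.35.254"),   # constructed next hops
              ("11.0.0.0/8", "192.207.36.254"),
              ("12.0.0.0/8", "172.16.0.1")]
    for dest, gw in routes:
        print(dest, "via", gw, "->", validate_static_route(dest, gw, vlans) or "ok")
    print("to delete after removing Finance:",
          orphaned_static_routes(routes, vlans, "Finance"))
```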
Managing IP Route Sharing on NETGEAR 8800 Switches
The XCM8800 software supports route sharing across up to 2, 4, or 8 next-hop gateways. To configure the maximum number of ECMP gateways, use the following command:
configure iproute sharing max-gateways
For guidelines on managing the number of gateways, see ECMP Hardware Table on page 609.
• enable ospf export [bgp | direct | e-bgp | i-bgp | rip | static | isis | isis-level-1 | isis-level-1-external | isis-level-2 | isis-level-2-external] [cost type [ase-type-1 | ase-type-2] {tag } | ]
or
disable ospf export [bgp | direct | e-bgp | i-bgp | rip | static | isis | isis-level-1| isis-level-1-external | isis-level-2 | isis-level-2-external]
Verifying the Routing Configuration
The following sections describe ways to view the routing confi
show iproute
Sample output (the last gateway entry was truncated in extraction):
Ori  Destination    Gateway
#be  3.0.0.0/8      111.222.0.5
#be  4.0.0.0/8      111.222.0.5
#be  4.0.0.0/9      111.222.0.5
#be  4.23.84.0/22   111.222.0.5
#be  4.23.112.0/22  111.222.0.
……………………………………………………
Sample output:
#
# Module rtmgr configuration.
#
disable iproute sharing
………
disable icmp timestamp vlan "to62"
enable ip-option loose-source-route
enable iproute compression ipv4 vr "VR-Default"
Note that the sample above has the loose-source-route IP option enabled; because that option lets a sender dictate the path its packets take through the network, it is normally left disabled on security-sensitive networks.
Routing Configuration Example
Figure 64 illustrates a BlackDiamond switch that has three VLANs defined as follows:
• Finance
  • All ports on slots 1 and 3 have been assigned.
  • IP address 192.207.35.1.
• Personnel
  • Protocol-sensitive VLAN using the IP protocol.
Figure 64. Unicast Routing Configuration Example (figure: ports 1 through 8 in groups A and B; router interface 192.207.35.1 on VLAN Finance, subnet 192.207.35.0, and router interface 192.207.36.1 on VLAN Personnel, subnet 192.207.36.0; VLAN MyCompany spans the same ports; each attached station sends both IP and NetBIOS traffic.)
The stations connected to the system generate a combination of IP traffic and NetBIOS traffic. The IP traffic is filtered by the protocol-sensitive VLANs. All other traffic is directed to the VLAN MyCompany.
configure Personnel ipaddress 192.207.36.1
configure rip add vlan Finance
configure rip add vlan Personnel
enable ipforwarding
enable rip
Proxy ARP
Proxy Address Resolution Protocol (ARP) was first invented so that ARP-capable devices could respond to ARP request packets on behalf of ARP-incapable devices. Proxy ARP can also be used to achieve router redundancy and to simplify IP client configuration. The switch supports proxy ARP for this type of network configuration.
Proxy ARP Between Subnets
In some networks, it is desirable to configure the IP host with a wider subnet than the actual subnet mask of the segment. You can use proxy ARP so that the router answers ARP requests for devices outside of the subnet. As a result, the host communicates as if all devices are local. In reality, communication with devices outside of the subnet is proxied by the router. For example, an IP host is configured with a class B address of 100.101.102.
for the interface. The remaining multinetted subnets, called the secondary subnets, must be stub networks. This restriction is required because it is not possible to associate the source of the incoming routed traffic to a particular network. IP routing happens between the different subnets of the same VLAN (one arm routing) and also between subnets of different VLANs.
Figure 65. (figure: VLAN multi carries a primary subnet that serves as the transit network and two secondary subnets, secondary subnet-1 and secondary subnet-2, each a stub network with attached hosts.)
ARP
ARP operates on the interface and responds to every request coming from either the primary or secondary subnet. When multiple subnets are configured on a VLAN and an ARP request is generated by the switch over that VLAN, the source IP address of the ARP request must be a local IP address of the subnet to which the destination IP address (which is being ARPed) belongs. For example, if a switch multinets the subnets 10.0.0.0/24 and 20.0.0.0/24 (with VLAN IP addresses of 10.0.0.
OSPF
This section describes the behavior of OSPF in an IPv4 multinetting environment:
• Each network is treated as an interface, and hello messages are not sent out or received over the non-primary interface. In this way, the router LSA includes information to advertise that the primary network is a transit network and the secondary networks are stub networks, thereby preventing any traffic from being routed from a source in the secondary network.
• Direct routes corresponding to secondary interfaces can be exported into the BGP domain (by enabling export of direct routes).
IGMP Snooping and IGMP
Internet Group Management Protocol (IGMP) snooping and IGMP treat the VLAN as an interface. Only control packets with a source address belonging to the IP networks configured on that interface are accepted. IGMP accepts membership information that originates from hosts in both the primary and secondary subnets.
DHCP Relay
When the switch is configured as a DHCP relay agent, it forwards the DHCP request received from a client to the DHCP server. When doing so, the system sets the GIADDR field in the DHCP request packet to the primary IP address of the ingress VLAN. This means that the DHCP server that resides on a remote subnet allocates an IP address for the client in the primary subnet range.
• VRRP VR on v1 with VRID of 99 with virtual IP addresses of 1.1.1.1 and 1.1.1.99 (one virtual IP address is owned by the switch and one is not)
• VRRP VR on v1 with VRID of 100 with virtual IP addresses of 2.2.2.2 and 2.2.2.99 (one virtual IP address is owned by the switch and one is not)
Configuring IPv4 Multinetting
You configure IP multinetting by adding a secondary IP address to a VLAN.
enable ipforwarding
DHCP/BOOTP Relay
After IP unicast routing has been configured, you can configure the switch to forward Dynamic Host Configuration Protocol (DHCP) or BOOTP requests coming from clients on subnets being serviced by the switch and going to hosts on different subnets. This feature can be used in various applications, including DHCP services between Windows NT servers and clients running Windows 95. To configure the relay function:
1.
taken depends on the configured policy (drop packet, keep existing option 82 value, or replace the existing option). If the incoming DHCP request is tagged, then that VLAN ID is added to the circuit ID sub option of option 82; otherwise, the default VLAN ID is added.
• DHCP Reply: When the option 82 information check is enabled, the packets received from the DHCP server are checked for option 82 information.
To disable checking of DHCP replies, use this command:
unconfigure bootprelay dhcp-agent information check
Configuring the DHCP Packet Handling Policy
A DHCP relay agent may receive a client DHCP packet that has been forwarded from another relay agent. If this relayed packet already contains a relay agent option, then the switch handles this packet according to the configured DHCP relay agent option policy.
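The relay-agent handling described in the DHCP Relay sections (GIADDR set to the ingress VLAN's primary address, option 82 inserted with the VLAN ID in the circuit ID sub-option, the drop/keep/replace policy for requests that already carry option 82, and the check of option 82 in server replies), as an added Python model. This is illustration only, not code from NETGEAR or from the switch software. It assumes the standard option 82 sub-option layout (sub-option 1 circuit ID, sub-option 2 remote ID, each as type-length-value), encodes the VLAN ID as two bytes in the circuit ID, and assumes the reply check compares the remote ID against the relay's own; the relay address, remote ID, and packet contents are constructed. DHCP options are represented as a dictionary from option code to raw value bytes rather than as a full BOOTP frame.

```python
"""DHCP relay agent option 82 handling, modelled after the text.

Added illustration only; not NETGEAR or switch code. Assumptions:
- option 82 sub-options are TLV encoded: 1 = circuit ID, 2 = remote ID;
- the circuit ID carries the VLAN ID as a 2-byte big-endian value;
- the reply check compares the remote ID against this relay's own remote ID.
DHCP options are modelled as {option code: value bytes}.
"""
import struct
from typing import Dict, Optional, Tuple

OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
Options = Dict[int, bytes]


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build the option 82 value from its two sub-options."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id +
            bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def decode_option82(data: bytes) -> Dict[int, bytes]:
    """Split an option 82 value into {sub-option code: value}."""
    subs, i = {}, 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        subs[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_client_packet(options: Options, vlan_id: Optional[int], default_vlan_id: int,
                        relay_ip: str, remote_id: bytes,
                        policy: str) -> Optional[Tuple[str, Options]]:
    """Process a client request arriving on the relay.

    vlan_id is the tag of the ingress frame (None if untagged).
    policy is 'drop', 'keep' or 'replace' and only matters when the packet
    already carries option 82 from an upstream relay.
    Returns (giaddr, options) to forward, or None if the packet is dropped."""
    opts = dict(options)
    if OPT_RELAY_AGENT in opts:
        if policy == "drop":
            return None
        if policy == "keep":
            return relay_ip, opts
        # "replace": fall through and overwrite with our own option 82
    circuit = struct.pack("!H", vlan_id if vlan_id is not None else default_vlan_id)
    opts[OPT_RELAY_AGENT] = encode_option82(circuit, remote_id)
    return relay_ip, opts       # giaddr = primary address of the ingress VLAN


def relay_server_reply(options: Options, remote_id: bytes,
                       check: bool) -> Optional[Options]:
    """Process a server reply. With `check` on, a reply whose option 82 is
    missing or carries a foreign remote ID is dropped. Option 82 is removed
    before the reply goes to the client. Returns the options or None."""
    opts = dict(options)
    o82 = opts.pop(OPT_RELAY_AGENT, None)
    if check:
        if o82 is None or decode_option82(o82).get(SUB_REMOTE_ID) != remote_id:
            return None
    return opts


if __name__ == "__main__":
    remote = b"\x00\x04\x96\x1e\x00\x01"              # constructed relay identity
    discover = {53: b"\x01"}                             # DHCPDISCOVER, no option 82
    giaddr, fwd = relay_client_packet(discover, 100, 1, "10.1.1.1", remote, "replace")
    print("giaddr", giaddr, "option 82:", decode_option82(fwd[OPT_RELAY_AGENT]))
    foreign = {53: b"\x01", 82: encode_option82(b"\x00\x05", b"other-relay")}
    print("foreign option 82, policy drop ->",
          relay_client_packet(foreign, None, 1, "10.1.1.1", remote, "drop"))
```

The drop policy is the conservative choice when no other relay is expected upstream of this switch: an option 82 that arrives from the client side is either a misconfiguration or an attempt to influence the server's address assignment.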
• If the UDP profile includes other types of traffic, these packets have the IP destination address modified as configured, and changes are made to the IP and UDP checksums and TTL field (decrements), as appropriate.
If UDP Forwarding is used for BOOTP or DHCP forwarding purposes, do not configure or use the existing bootprelay function. However, if the previous bootprelay functions are adequate, you may continue to use them.
entry two {
    if match all {
        destination-port 67 ;
    } then {
        vlan "to7" ;
    }
}
If you include more than one VLAN set attribute or more than one destination-ipaddress set attribute in one policy entry, the last one is accepted and the rest are ignored.
Note: Although the Policy manager allows you to set a range for the destination-port, you should not specify the range for the destination-port attribute in the match clause of the policy statement for the UDP profile.
configure vlan udp-profile [ | none]
or use this command:
unconfigure vlan udp-profile
For more information about creating and editing policy files, see Chapter 12, Policy Manager. For more information about ACL policy files, see Chapter 13, ACLs.
UDP Echo Server
You can use UDP echo packets to measure the transit time for data between the transmitting and receiving ends.
final hop router, when IP subnet directed broadcast forwarding is enabled on an IP VLAN via the command line, the following happens:
• Some basic validity checks are performed (for example, checking to see if the VLAN has IP enabled)
• A subnet broadcast route entry for the subnet is installed.
For example, consider a system with the following configuration:
VLAN-A = 10.1.1.0/24, ports 1:1, 1:2, 1:3, 1:4
VLAN-B = 20.1.1.0/24, ports 1:5, 1:6, 1:7, 1:8
VLAN-C = 30.1.1.
VLAN Aggregation
Note: This feature is supported only on the platforms listed for this feature in the license tables in Appendix A, XCM8800 Software Licenses.
VLAN aggregation is a feature aimed primarily at service providers. The purpose of VLAN aggregation is to increase the efficiency of IP address space usage. It does this by allowing clients within the same IP subnet to use different broadcast domains while still using the same default router.
In Figure 66, all stations are configured to use the address 10.3.2.1 for the default router.
VLAN Aggregation Properties
VLAN aggregation is a very specific application, and the following properties apply to its operation:
• All broadcast and unknown traffic remains local to the subVLAN and does not cross the subVLAN boundary.
To view the subVLAN address range, use the following command:
show vlan {detail {ipv4 | ipv6} | {ipv4 | ipv6} | virtual-router | stpd | security}
Isolation Option for Communication Between SubVLANs
To facilitate communication between subVLANs, by default, an entry is made in the IP ARP table of the superVLAN that performs a proxy ARP function. This allows clients on one subVLAN to communicate with clients on another subVLAN.
Note: This command has no impact on Layer 3 traffic.
Verifying the VLAN Aggregation Configuration
The following commands can be used to verify proper VLAN aggregation configuration:
• show vlan—Indicates the membership of subVLANs in a superVLAN.
• show iparp—Indicates an ARP entry that contains subVLAN information. Communication with a client on a subVLAN must have occurred in order for an entry to be made in the ARP table.
21. IPv6 Unicast Routing
This chapter includes the following sections:
• Overview on page 639
• Configuring IP Unicast Routing on page 646
• Configuring Route Sharing on page 651
• Configuring Route Compression on page 652
• Hardware Forwarding Behavior on page 652
• Routing Configuration Example on page 653
• Tunnel Configuration Examples on page 655
This chapter assumes that you are already familiar with IPv6 unicast routing.
Overview
The switch provides full Layer 3, IPv6 unicast routing. It exchanges routing information with other routers on the network using the IPv6 versions of the following protocols:
• Routing Information Protocol (RIPng)
• Open Shortest Path First (OSPFv3)
The switch dynamically builds and maintains a routing table and determines the best path for each of its routes. XCM8800 can provide both IPv4 and IPv6 routing at the same time.
An interface can have up to 255 IPv6 addresses, with at least one being a link local address. IPv4 and IPv6 interfaces can coexist on the same VLAN, allowing both IPv4 and IPv6 networks to coexist on the same Layer 2 broadcast domain.
Note: Each IP address and mask assigned to a VLAN must represent a unique IP subnet. You cannot configure the same IP address and subnet on different VLANs within the same virtual router.
Leading zeros in a four-digit group can be omitted. There is a special use of a double colon (::) in an address. The double colon stands for one or more groups of 16 bits of zeros and can only be used once in an address.
duplicate, it will also be labeled as such, and must be reconfigured. On an active interface, the DAD process should occur so quickly that you would not see the address labeled as tentative. However, if you are configuring an interface before enabling it, and you display the configuration, you will see that the address is currently tentative. As soon as you enable the interface, the address should be ready to use, or labeled as duplicate and must be reconfigured.
In IPv4, MAC address resolution is done by ARP. For IPv6, this functionality is handled by the Neighbor Discovery Protocol. The router maintains a cache of IPv6 addresses and their corresponding MAC addresses and allows the system to respond to requests from other nodes for the MAC address of the IPv6 addresses configured on the interfaces. Also supported is router discovery—the ability to send out router advertisements that can be used by a host to discover the router.
• Statically, by way of routes entered by the administrator:
  • Default routes, configured by the administrator
  • Locally, by way of interface addresses assigned to the system
  • By other static routes, as configured by the administrator
Once routes are populated using the above method, IPv6 forwarding needs to be enabled on the VLAN using the following command:
enable ipforwarding ipv6 {vlan | tunnel | vr }
Note: If you define a default rou
ospfv3-inter | ospfv3-intra | static | isis | isis-level-1| isis-level-1-external | isis-level-2| isis-level-2-external]
enable ospfv3 {domain } export [direct | ripng | static | isis | isis-level-1 | isis-level-1-external | isis-level-2 | isis-level-2-external] [cost type [ase-type-1 | ase-type-2] | ]
or
disable ospfv3 {domain } export [direct | ripng | static | isis | isis-level-1 | isis-level-1-external | isis-level-2 | isis-level-2
Relative Route Priorities
Table 66 lists the relative priorities assigned to routes depending on the learned source of the route.
Note: Although these priorities can be changed, do not attempt any manipulation unless you are expertly familiar with the possible consequences.
Table 66.
-
Configuring Basic IP Unicast Routing
To configure basic IP unicast routing, do the following:
1. Create and configure two or more VLANs.
2. Assign each VLAN that will be using routing an IP address using the following command:
configure {vlan} ipaddress [ {} | ipv6-link-local | {eui64} ]
Ensure that each VLAN has a unique IP address.
3.
-
Creating and Deleting Static Entries
You can statically configure the MAC address of IPv6 destinations on the attached links using the following commands:
configure neighbor-discovery cache {vr } add [ | ]
configure neighbor-discovery cache {vr } delete [ | ]
Configuring the Neighbor-Discovery Cache Size
To configure the maximum number of entries for the neighbor-discovery cache, enter the foll
-
Displaying Neighbor-Discovery Cache Entries
Both statically configured and dynamic neighbor-discovery entries can be viewed using the following command:
show neighbor-discovery {cache {ipv6}} {[ | | permanent] {vr }} | vlan | vr }
Managing Router Discovery
The following sections describe tasks for managing router discovery:
• Enabling and Disabling Router Discovery on page 649
• Adding and Deleting Prefixes for Router Discovery on
-
configure vlan router-discovery {ipv6} set prefix [autonomous-flag | onlink-flag | preferred-lifetime | valid-lifetime ]
To reset all router discovery settings to their default values, enter the following command:
unconfigure vlan router-discovery {ipv6}
To reset an individual router discovery setting to its default value, enter one of the following commands:
unconfigure vlan router-di
-
Creating an IPv6-to-IPv4 Tunnel
A 6to4 tunnel connects one IPv6 region with multiple IPv6 regions. Only one 6to4 tunnel can be configured on a single router. To create an IPv6-to-IPv4 tunnel, use the following command:
create tunnel 6to4 source
The source-address is an existing address in the switch.
-
Note: IPv6 ECMP functionality is available only on the platforms listed for this feature in the license tables in Appendix A, XCM8800 Software Licenses.
The following limitations apply when configuring route sharing:
• The current kernel does not support IPv6 ECMP. As a result, this feature is supported only in hardware (fast path) and not in slow path. Because of this kernel limitation, it is preferable to add the neighbor cache entry as a static entry.
-
Hardware Forwarding Limitations
NETGEAR 8800 switches support hardware forwarding for up to 256 routes with masks greater than 64 bits. This support was added in XCM8800 using a hardware table designed for this purpose. When IPv6 forwarding is enabled, the switch behavior is as follows:
• If no space is available in the hardware table, there is no guarantee that traffic for that route will be properly routed.
-
Figure 67. IPv6 Unicast Routing Configuration Example (VLAN Finance 2001:db8:35::/48 with router interface 2001:db8:35::1/48; VLAN Personnel 2001:db8:36::/48 with router interface 2001:db8:36::1/48; port-based VLAN MyCompany; stations carry IPv6 and NetBIOS traffic)
The stations connected to the system generate a combination of IPv6 traffic and NetBIOS traffic. The IPv6 traffic is filtered by the protocol-sensitive VLANs.
-
configure ripng add vlan Finance
configure ripng add vlan Personnel
enable ipforwarding ipv6
enable ripng
Tunnel Configuration Examples
This section provides the following examples:
• 6in4 Tunnel Configuration Example on page 655
• 6to4 Tunnel Configuration Example on page 657
6in4 Tunnel Configuration Example
Figure 68 illustrates a 6in4 tunnel configured between two IPv6 regions across an IPv4 region.
-
In Figure 68, Router A has an interface to an IPv4 region with the address 192.168.1.1 (for this example we are using private IPv4 addresses, but to tunnel across the Internet, you would use a public address). Router B has an IPv4 interface of 10.2.0.1. The IPv4 interface must be created before the tunnel is configured and cannot be deleted until the tunnel is deleted. This example has one subnet in each IPv6 region, 2001:db8:1::/64 for Router A and 2001:db8:2::/64 for Router B.
-
enable ipforwarding ipv6 private-ipv6
configure iproute add 2001:db8:2::/64 2001:db8:a::2
enable ipforwarding public-ipv4
Router B
configure vlan default delete port all
create vlan public-ipv4
configure vlan public-ipv4 add port 1 untagged
configure vlan public-ipv4 ipaddress 10.2.0.1/24
create tunnel public6in4 ipv6-in-ipv4 destination 192.168.1.1 source 10.2.0.
-
Figure 69. 6to4 Tunnel Configuration Example (Router 1: 192.168.1.1/24, 2002:c0a8:101::1/16 and 2002:c0a8:101::2/48, with Host 1 at 2002:c0a8:101::204:96ff:fe1f:a52a/48; Router 2: 10.0.0.1/24, 2002:a00:1::1/16, 2002:a00:1:1::1/64 and 2002:a00:1:2::1/64, with Host 2 at 2002:a00:1:1:204:96ff:fe1f:a432/64 and Host 3 at 2002:a00:1:2:201:30ff:fe00:c200/64; IPv6 regions joined across the IPv4 region)
In Figure 69, Router 1 has an interface to an IPv4 region with the address 192.168.1.
-
In this example, we assume that the IPv4 network can route from Router 1 to Router 2 (in other words, some IPv4 routing protocol is running on the public-ipv4 interfaces). However, you do not need to enable IPv4 forwarding on the public interfaces in this example unless you are also routing IPv4 traffic on them (in this example, it is assumed you are running no IPv4 traffic inside your respective IPv6 networks, although you could).
-
• IP address—2002:0a00:0001:0001:0204:96ff:fe1f:a432/64
• Static route—destination 2002::/16, gateway 2002:0a00:0001:0001::1
Host 3:
• MAC address—00:01:30:00:C2:00
• IP address—2002:0a00:0001:0002:0201:30ff:fe00:c200/64
• Static route—destination 2002::/16, gateway 2002:0a00:0001:0002::1
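The 6to4 addresses in this example are not arbitrary: each router's 2002::/48 is derived from its IPv4 tunnel endpoint, and the host addresses carry an EUI-64 interface identifier built from the host's MAC address (the eui64 option of the ipaddress command is the switch-side counterpart). The following added example, which is not part of the manual or the XCM8800 software, reproduces both derivations and checks them against the addresses in the example: Router 2's 10.0.0.1 yields 2002:a00:1::/48, and Host 3's MAC 00:01:30:00:C2:00 on the 2002:a00:1:2::/64 subnet yields 2002:a00:1:2:201:30ff:fe00:c200.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 router derives from its IPv4 tunnel endpoint:
    2002:<32-bit IPv4 in hex>::/48."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint from any address inside 2002::/16."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: flip the universal/local bit of
    the first octet and insert ff:fe between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from `mac`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def same_6to4_site(ipv4_endpoint: str, ipv6: str) -> bool:
    """True if `ipv6` lies inside the /48 that `ipv4_endpoint` owns."""
    return ipaddress.IPv6Address(ipv6) in sixto4_prefix(ipv4_endpoint)


if __name__ == "__main__":
    # Values from the example above: Router 2's IPv4 endpoint and Host 3's MAC.
    print(sixto4_prefix("10.0.0.1"))                       # 2002:a00:1::/48
    print(eui64_address("2002:a00:1:2::/64", "00:01:30:00:C2:00"))
    print(embedded_ipv4("2002:c0a8:101::2"))               # 192.168.1.1
```

The same_6to4_site check is the one a defender wants when auditing a 6to4 deployment: a packet arriving through the tunnel whose 2002: source prefix does not encode the IPv4 address it was actually encapsulated from is inconsistent and should be logged rather than forwarded.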
-
22. RIP
This chapter includes the following sections:
• Overview on page 661
• Overview of RIP on page 663
• Route Redistribution on page 664
• RIP Configuration Example on page 666
This chapter assumes that you are already familiar with IP unicast routing.
-
OSPF is a link-state protocol based on the Dijkstra link-state algorithm. OSPF is a newer IGP and solves a number of problems associated with using RIP on today's complex networks.
Note: RIP can be enabled on a VLAN with OSPF. RIP is described in this chapter, and OSPF is described in Chapter 24, OSPF.
RIP Versus OSPF
The distinction between RIP and the OSPF link-state protocols lies in the fundamental differences between distance-vector protocols and link-state protocols.
-
Overview of RIP
RIP is an IGP first used in computer routing in the Advanced Research Projects Agency Network (ARPAnet) as early as 1969. It is primarily intended for use in homogeneous networks of moderate size. To determine the best path to a distant network, a router using RIP always selects the path that has the least number of hops. Each router that data must traverse is considered to be one hop.
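The practical difference between RIP's hop count and OSPF's Dijkstra computation shows up as soon as link costs are unequal. The following added example (not code from the manual) runs both selections over a constructed four-router topology in which a single slow link gives the fewest hops while three fast links give the lowest cost, so the two protocols pick different paths between the same endpoints. The topology, costs and router names are all assumptions made for the illustration.

```python
import heapq
from collections import deque

# Constructed topology, not from the manual: undirected links with the
# cost OSPF would assign them.  R1-R4 is one slow link; R1-R2-R3-R4 are
# three fast links, so fewest-hops and lowest-cost disagree.
LINKS = {
    ("R1", "R2"): 1,
    ("R2", "R3"): 1,
    ("R3", "R4"): 1,
    ("R1", "R4"): 100,
}


def build_adjacency(links):
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def _walk_back(prev, dst):
    """Rebuild the path from the predecessor map; None if dst is unreachable."""
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def path_cost(adj, path):
    return sum(adj[a][b] for a, b in zip(path, path[1:]))


def fewest_hops(adj, src, dst):
    """RIP-style choice: breadth-first search, every link counts as one hop.
    Returns (path, hop_count)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nbr in adj.get(node, {}):
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    path = _walk_back(prev, dst)
    return path, (len(path) - 1 if path else None)


def shortest_path_first(adj, src, dst):
    """OSPF-style choice: Dijkstra over link costs.  Returns (path, cost)."""
    dist = {src: 0}
    prev = {src: None}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nbr, cost in adj.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    path = _walk_back(prev, dst)
    return path, (dist[dst] if path else None)


if __name__ == "__main__":
    adj = build_adjacency(LINKS)
    rip_path, hops = fewest_hops(adj, "R1", "R4")
    ospf_path, cost = shortest_path_first(adj, "R1", "R4")
    print("RIP :", rip_path, "hops", hops, "cost", path_cost(adj, rip_path))
    print("OSPF:", ospf_path, "cost", cost)
```

RIP's choice here is the 100-cost direct link because it is one hop; OSPF's SPF picks the three-hop path at cost 3. This is the reason the chapter recommends OSPF for complex networks, and it is also why a mis-set link cost on one router is worth alerting on: it silently redraws every SPF tree in the area.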
-
Route Advertisement of VLANs
Virtual LANs (VLANs) that are configured with an IP address but are configured not to route IP, or are not configured to run RIP, do not have their subnets advertised by RIP. RIP advertises only those VLANs that are configured with an IP address, are configured to route IP, and run RIP.
-
Figure 70. Route Redistribution (an OSPF AS with backbone area 0.0.0.0 and an ABR to area 121.2.3.4, joined through two ASBRs to a RIP AS)
Configuring Route Redistribution
Exporting routes from one protocol to another and from that protocol to the first one are discrete configuration functions. For example, to run OSPF and RIP simultaneously, you must first configure both protocols and then verify the independent operation of each.
-
RIP Configuration Example
Figure 71 illustrates a NETGEAR 8800 switch that has three VLANs defined as follows:
• Finance
  • Protocol-sensitive VLAN using the IP protocol.
  • All ports on slots 1 and 3 have been assigned.
  • IP address 192.207.35.1.
• Personnel
  • Protocol-sensitive VLAN using the IP protocol.
  • All ports on slots 2 and 4 have been assigned.
  • IP address 192.207.36.1.
• MyCompany
  • Port-based VLAN.
  • All ports on slots 1 through 4 have been assigned.
-
The stations connected to the system generate a combination of IP traffic and NetBIOS traffic. The IP traffic is filtered by the protocol-sensitive VLANs. All other traffic is directed to the VLAN MyCompany. In this configuration, all IP traffic from stations connected to slots 1 and 3 has access to the router by way of the VLAN Finance. Ports on slots 2 and 4 reach the router by way of the VLAN Personnel. All other traffic (NetBIOS) is part of the VLAN MyCompany.
-
23. RIPng
This chapter includes the following sections:
• Overview on page 668
• Overview of RIPng on page 669
• Route Redistribution on page 671
• RIPng Configuration Example on page 671
This chapter assumes you are already familiar with IP unicast routing. If not, see the publication RFC 2080—RIPng for IPv6.
Note: RIPng is available on platforms with an Edge, Advanced Edge or Core license.
-
RIPng Versus OSPFv3
The distinction between RIPng and the link-state protocol, OSPFv3, lies in the fundamental differences between distance-vector protocols (RIPng) and link-state protocols. Using a distance-vector protocol, each router creates a unique routing table from summarized information obtained from neighboring routers.
-
Routing Table
The routing table in a router using RIPng contains an entry for every known destination network.
-
Route Redistribution
More than one routing protocol can be enabled simultaneously on the switch. Route redistribution allows the switch to exchange routes, including static routes, between the routing protocols. Route redistribution is also called route export.
Configuring Route Redistribution
Exporting routes from one protocol to another and from that protocol to the first one are discrete configuration functions.
-
• All ports on slots 1 through 4 have been assigned.
The stations connected to the system generate a combination of IPv6 traffic and NetBIOS traffic. In this configuration, all traffic from stations connected to slots 1 and 3 has access to the router by way of the VLAN Finance. Ports on slots 2 and 4 reach the router by way of the VLAN Personnel. All traffic (NetBIOS and IPv6) is part of the VLAN MyCompany.
-
24. OSPF
This chapter includes the following sections:
• Overview on page 674
• Route Redistribution on page 681
• Configuring OSPF on page 682
• OSPF Configuration Example on page 684
• Displaying OSPF Settings on page 686
This chapter assumes that you are already familiar with IP unicast routing.
-
Overview
Open Shortest Path First (OSPF) is a link state protocol that distributes routing information between routers belonging to a single IP domain; the IP domain is also known as an autonomous system (AS). In a link-state routing protocol, each router maintains a database describing the topology of the AS. Each participating router has an identical database maintained from the perspective of that router.
-
Table 67. LSA Type Numbers
Type Number   Description
1             Router LSA
2             Network LSA
3             Summary LSA
4             AS summary LSA
5             AS external LSA
7             NSSA external LSA
9             Link local—Opaque
10            Area scoping—Opaque
11            AS scoping—Opaque
Database Overflow
The OSPF database overflow feature allows you to limit the size of the LSDB and to maintain a consistent LSDB across all the routers in the domain, which ensures that all routers have a consistent view of the network.
-
Normally, support for opaque LSAs is autonegotiated between OSPF neighbors. In the event that you experience interoperability problems, you can disable opaque LSAs across the entire system using the following command:
disable ospf capability opaque-lsa
To re-enable opaque LSAs across the entire system, use the following command:
enable ospf capability opaque-lsa
If your network uses opaque LSAs, NETGEAR recommends that all routers on your OSPF network support opaque LSAs.
-
able to inform its neighbors in advance that OSPF is restarting. An unplanned restart would occur if some kind of system failure caused a remote reboot or a crash of OSPF, or if an MSM/MM failover occurs. As OSPF restarts, it informs its neighbors that it is in the midst of an unplanned restart. You can decide to configure a router to enter graceful restart for only planned restarts, for only unplanned restarts, or for both.
-
Backbone Area (Area 0.0.0.0)
Any OSPF network that contains more than one area is required to have an area configured as area 0.0.0.0, also called the backbone. All areas in an AS must be connected to the backbone. When designing networks, you should start with area 0.0.0.0 and then expand into other areas.
Note: Area 0.0.0.0 exists by default and cannot be deleted or changed.
The backbone allows summary information to be exchanged between ABRs.
-
The translate option determines whether type 7 LSAs are translated into type 5 LSAs. When configuring an OSPF area as an NSSA, translate should only be used on NSSA border routers, where translation is to be enforced. If translate is not used on any NSSA border router in an NSSA, one of the ABRs for that NSSA is elected to perform translation (as indicated in the NSSA specification). The option should not be used on NSSA internal routers.
-
Virtual links are also used to repair a discontiguous backbone area. For example, in Figure 73, if the connection between ABR1 and the backbone fails, the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the backbone using the virtual link.
Figure 73. Virtual link between ABR 1 and ABR 2 through Area 1 (Area 0, Area 1, Area 2 and Area 3 shown)
-
Note: All routers in the VLAN must have the same OSPF link type. If there is a mismatch, OSPF attempts to operate, but it may not be reliable.
Route Redistribution
More than one routing protocol can be enabled simultaneously on the switch. Route redistribution allows the switch to exchange routes, including static routes, between the routing protocols. Figure 74 is an example of route redistribution between an OSPF AS and a RIP AS.
Figure 74 (OSPF AS, Backbone Area 0.0.0.0, ABR, Area 121.2.3.
-
disable ospf export [bgp | direct | e-bgp | i-bgp | rip | static]
These commands enable or disable the exporting of RIP, static, and direct routes by way of LSA to other OSPF routers as AS-external type 1 or type 2 routes. The default setting is disabled. The cost metric is inserted for all Border Gateway Protocol (BGP), RIP, static, and direct routes injected into OSPF. If the cost metric is set to 0, the cost is inserted from the route.
-
Configuring OSPF Wait Interval
XCM8800 allows you to configure the OSPF wait interval, rather than using the router dead interval.
CAUTION: Do not configure OSPF timers unless you are comfortable exceeding OSPF specifications. Non-standard settings may not be reliable under all circumstances.
-
Note: The OSPF standard specifies that wait times are equal to the dead router wait interval.
OSPF Configuration Example
Figure 75 is an example of an autonomous system using OSPF routers. The details of this network follow.
Figure 75. OSPF configuration example (Area 0 at Headquarters with routers IR 1, IR 2, ABR 1 and ABR 2 on the 10.0.x.x networks and the HQ_10_0_x VLANs; Chicago on 160.26.26.x, VLAN Chi_160_26_26; Los Angeles on 161.48.2.x, VLAN LA_161_48_2; a virtual link)
-
• Network number 10.0.x.x
• Two identified VLANs (HQ_10_0_2 and HQ_10_0_3)
Area 5 is connected to the backbone area by way of ABR1 and ABR2. It is located in Chicago and has the following characteristics:
• Network number 160.26.x.x
• One identified VLAN (Chi_160_26_26)
• Two internal routers
Area 6 is a stub area connected to the backbone by way of ABR1. It is located in Los Angeles and has the following characteristics:
• Network number 161.48.x.
-
configure ospf vlan Chi_160_26_26 priority 10
configure ospf vlan HQ_10_0_2 priority 5
configure ospf vlan HQ_10_0_3 priority 5
enable ospf
Configuration for IR1
The router labeled IR1 has the following configuration:
configure vlan HQ_10_0_1 ipaddress 10.0.1.2 255.255.255.0
configure vlan HQ_10_0_2 ipaddress 10.0.2.2 255.255.255.0
enable ipforwarding
configure ospf add vlan all area 0.0.0.0
configure ospf area 0.0.0.
-
show ospf lsdb {detail | stats} {area [ | all]} {{lstype} [ | all]} {lsid {}} {routerid {}} {interface[[{} | ] | vlan ]}
The detail option displays all fields of matching LSAs in a multiline format. The summary option displays several important fields of matching LSAs, one line per LSA.
-
25. OSPFv3
This chapter includes the following sections:
• Overview on page 688
• Route Redistribution on page 693
• OSPFv3 Configuration Example on page 694
Note: OSPFv3 is available on platforms with an Advanced Edge or Core license. See Appendix A, XCM8800 Software Licenses for information about OSPFv3 licensing.
-
Note: Two types of OSPFv3 functionality are available and each has a different licensing requirement. One is the complete OSPFv3 functionality and the other is OSPFv3 Edge Mode, a subset of OSPFv3 that is described below. See Appendix A, XCM8800 Software Licenses for specific information regarding OSPFv3 licensing.
OSPFv3 Edge Mode
OSPFv3 Edge Mode is a subset of OSPFv3 available on platforms with an Advanced Edge license.
-
Areas
OSPFv3 allows parts of a network to be grouped together into areas. The topology within an area is hidden from the rest of the AS. Hiding this information enables a significant reduction in LSA traffic and reduces the computations needed to maintain the LSDB. Routing within the area is determined only by the topology of the area.
-
configure ospfv3 {domain } area stub [summary | nosummary] stub-default-cost
Not-So-Stubby-Areas
Not-so-stubby-areas (NSSAs) are not currently supported in the XCM8800 implementation of OSPFv3.
Normal Area
A normal area is an area that is not:
• Area 0
• Stub area
• NSSA
Virtual links can be configured through normal areas. External routes can be distributed into normal areas.
-
Virtual links are also used to repair a discontiguous backbone area. For example, in Figure 77, if the connection between ABR1 and the backbone fails, the connection using ABR2 provides redundancy so that the discontiguous area can continue to communicate with the backbone using the virtual link.
Figure 77. Virtual link between ABR 1 and ABR 2 through Area 1 (Area 0, Area 1, Area 2 and Area 3 shown)
-
Route Redistribution
More than one routing protocol can be enabled simultaneously on the switch. Route redistribution allows the switch to exchange routes, including static routes, between the routing protocols. Figure 78 is an example of route redistribution between an OSPFv3 AS and a RIPng AS.
Figure 78. Route redistribution (an OSPF AS with backbone area 0.0.0.0 and an ABR to area 121.2.3.4, joined through two ASBRs to a RIP AS)
-
These commands enable or disable the exporting of RIPng, static, and direct routes by way of LSA to other OSPFv3 routers as AS-external type 1 or type 2 routes. The default setting is disabled. The cost metric is inserted for all RIPng, static, and direct routes injected into OSPFv3. If the cost metric is set to 0, the cost is inserted from the route. The tag value is used only by special routing applications. Use 0 if you do not have specific requirements for using a tag.
-
Figure 79. OSPFv3 Configuration Example (Area 0.0.0.0: Router 1 interface to-r2 2001:db8:4444:6666::1/64 facing Router 2 at 2001:db8:4444:6666::2/64; Area 0.0.0.1: Router 1 interface to-r3 2001:db8:3333:5555::1/64 facing Router 3 at 2001:db8:3333:5555::2/64)
In Figure 79 there are three NETGEAR switches running XCM8800 images that have support for OSPFv3. Router 1 is an area border router and is connected to two other switches, Router 2 and Router 3.
-
create ospfv3 area 0.0.0.1
configure ospfv3 add vlan to-r3 area 0.0.0.1
enable ospfv3
Configuration for Router 2
The router labeled Router 2 has the following configuration:
create vlan to-r1
configure vlan to-r1 ipaddress 2001:db8:4444:6666::2/64
configure vlan to-r1 add port 1:1
enable ipforwarding ipv6
configure ospfv3 routerid 0.0.0.2
configure ospfv3 add vlan to-r1 area 0.0.0.
-
26. BGP
This chapter includes the following sections:
• Overview on page 697
• BGP Features on page 703
Overview
Border Gateway Protocol (BGP) is an exterior routing protocol that was developed for use in TCP/IP networks. The primary function of BGP is to allow different autonomous systems (ASs) to exchange network reachability information. An AS is a set of routers that are under a single technical administration.
-
• RFC 2439—BGP Route Flap Damping
• RFC 2796—BGP Route Reflection - An Alternative to Full Mesh IBGP
• RFC 2918—Route Refresh Capability for BGP-4
• RFC 3392—Capabilities Advertisement with BGP-4
• RFC 4486—Subcodes for BGP Cease Notification Message
• RFC 4360—BGP Extended Communities Attribute
• RFC 4760—Multiprotocol Extensions for BGP-4
• RFC 4893—BGP Support for Four-octet AS Number Space
• RFC 5396—Textual Representation of Autonomous System (AS) Numbers
•
-
• Next_hop—The IP address of the next hop BGP router to reach the destination listed in the NLRI field.
• Multi_Exit_Discriminator—Used to select a particular border router in another AS when multiple border routers exist.
• Local_Preference—Used to advertise this router's degree of preference to other routers within the AS.
• Atomic_aggregate—Indicates that the sending border router has used a route aggregate prefix in the route update.
-
The following two types of extended communities are available:
• Route Target (RT)
• Site Of Origin (SOO)
Although these two community types are generally used in L3 VPN network setup, you can also use them in a non-L3 VPN network to control the distribution of BGP routes. BGP does not send either the extended or standard community attributes to its neighbors by default; you must use the configuration command configure bgp neighbor send-community.
-
• : This is the number represented by the first two bytes of a four-byte AS number. The use of a private AS-number is not recommended.
• : This is the number represented by the last two bytes of a four-byte AS number. The use of a private AS-number is not recommended.
Syntax in Set block
extended-community [set | add | delete] " ….
-
• rt:100.200.300.400:200: Invalid because the IP address is invalid
• soo:12345678:500: Invalid because the AS number 12345678 is out of range [1-65535]
Extended Community Syntax
Note the following details with regard to extended community syntax:
• Only rt and soo extended community types are recognized in the policy file.
• The IP address MUST be a valid host address. Network address, Class-D and experimental IP address are not accepted.
-
entry two {
    if {
        nlri 192.168.34.0/24;
    } then {
        extended-community set "rt:10.45.92.168:300";
        extended-community add "rt:10.203.100.200:40 soo:100:60000";
        extended-community delete "rt:65001:10000 soo:72.192.34.10:70";
        permit;
    }
}
A BGP route 192.168.34.128/25 is received with extended community attribute rt:4567:100 soo:192.168.34.128.
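Policy files are the place where a malformed or out-of-range community value silently changes what gets exported, so it helps to see the validation rules and the set/add/delete semantics from the two preceding sections executed together. The following added example is not code from the manual or from the XCM8800 policy engine: it validates rt:/soo: strings against the rules stated above (rt and soo only, AS number in [1-65535], IP part a valid non-Class-D, non-experimental host address; the 16-bit and 32-bit local-part limits are the RFC 4360 encoding limits and are assumed here, as is the exclusion of the dotted 4-byte AS form) and then applies the actions of entry two, in order, to the route's community set. The route's soo local number is not given on the page, so the value 10 is a constructed sample.

```python
import ipaddress
import re

# rt:/soo: followed by either "AS:number" or "IPv4:number".  The dotted
# 4-byte-AS form is not handled here.
_COMMUNITY_RE = re.compile(r"^(rt|soo):([^:\s]+):(\d+)$")


def parse_extended_community(text: str) -> tuple:
    """Validate one extended community and return (type, global_admin, local_admin)."""
    m = _COMMUNITY_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed extended community {text!r}")
    ctype, global_admin, local_admin = m.groups()
    local = int(local_admin)
    if "." in global_admin:
        try:
            ip = ipaddress.IPv4Address(global_admin)
        except ipaddress.AddressValueError:
            raise ValueError(f"{text}: IP address is invalid") from None
        # Class D (multicast) and class E (experimental) are not host addresses.
        if ip.is_multicast or ip.is_reserved:
            raise ValueError(f"{text}: not a valid host address")
        if local > 0xFFFF:  # IPv4 form carries a 2-octet local part (RFC 4360, assumed)
            raise ValueError(f"{text}: local number exceeds 16 bits")
        return ctype, str(ip), local
    if not global_admin.isdigit():
        raise ValueError(f"{text}: AS number must be numeric")
    asn = int(global_admin)
    if not 1 <= asn <= 65535:
        raise ValueError(f"{text}: AS number {asn} is out of range [1-65535]")
    if local > 0xFFFFFFFF:  # 2-octet-AS form carries a 4-octet local part (RFC 4360, assumed)
        raise ValueError(f"{text}: local number exceeds 32 bits")
    return ctype, asn, local


def format_extended_community(community: tuple) -> str:
    ctype, global_admin, local = community
    return f"{ctype}:{global_admin}:{local}"


def apply_extended_community_actions(route_communities, actions):
    """Apply set/add/delete actions, in order, to a route's extended communities.

    `actions` is a list of (verb, "space-separated communities") tuples in
    the order they appear in the policy entry.  Returns the resulting
    communities as sorted strings.  Deleting a community the route does
    not carry is a no-op, matching the example in the text."""
    current = {parse_extended_community(c) for c in route_communities}
    for verb, value in actions:
        parsed = {parse_extended_community(c) for c in value.split()}
        if verb == "set":
            current = parsed
        elif verb == "add":
            current |= parsed
        elif verb == "delete":
            current -= parsed
        else:
            raise ValueError(f"unknown action {verb!r}")
    return sorted(format_extended_community(c) for c in current)


# Constructed sample: the received route from the text.  Its soo local
# number is not on the page, so 10 is assumed.
SAMPLE_ROUTE_COMMUNITIES = ["rt:4567:100", "soo:192.168.34.128:10"]
ENTRY_TWO_ACTIONS = [
    ("set", "rt:10.45.92.168:300"),
    ("add", "rt:10.203.100.200:40 soo:100:60000"),
    ("delete", "rt:65001:10000 soo:72.192.34.10:70"),
]

if __name__ == "__main__":
    print(apply_extended_community_actions(SAMPLE_ROUTE_COMMUNITIES, ENTRY_TWO_ACTIONS))
```

Because set runs first, the route's original rt:4567:100 and soo value are discarded before add and delete are evaluated; validating every value before any action is applied is what keeps a typo in one action from leaving the route half-rewritten.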
-
• Inactive Route Advertisement on page 710
• Default Route Origination and Advertisement on page 711
• Using the Loopback Interface on page 712
• Looped AS_Path Attribute on page 713
• BGP Peer Groups on page 713
• BGP Route Flap Dampening on page 714
• BGP Route Selection on page 716
• Stripping Out Private AS Numbers from Route Updates on page 716
• Route Redistribution on page 717
• BGP Static Network on page 718
• Graceful BGP Restart on page 719
• Cease
-
The topology shown in Figure 80 minimizes the number of BGP peering sessions required in an AS by using route reflectors. In this example, although the BGP speakers 3.3.3.3 and 4.4.4.4 do not have a direct BGP peering session between them, these speakers still receive routes from each other indirectly through 2.2.2.2. The router 2.2.2.2 is called a route reflector and is responsible for reflecting routes between its clients. Routes received from the client 3.3.3.3 by the router 2.
-
configure bgp router 3.3.3.3
configure bgp as-number 100
create bgp neighbor 20.0.0.2 remote-as 100
enable bgp neighbor all
enable bgp
To configure router 4.4.4.4, use the following commands:
create vlan to_rr
configure vlan to_rr add port 1:1
configure vlan to_rr ipaddress 30.0.0.1/24
enable ipforwarding vlan to_rr
configure bgp router 4.4.4.4
configure bgp as-number 100
create bgp neighbor 30.0.0.
-
Figure 81. Routing Confederation (AS 200 made up of SubAS 65001 with routers A, B and C and SubAS 65002 with routers D and E; interface addresses 192.1.1.5/30, 192.1.1.6/30, 192.1.1.9/30, 192.1.1.10/30, 192.1.1.13/30, 192.1.1.14/30, 192.1.1.17/30, 192.1.1.18/30, 192.1.1.21/30 and 192.1.1.22/30; EBGP and IBGP sessions as labeled in the figure)
In this example, AS 200 has five BGP speakers. Without a confederation, BGP would require that the routes in AS 200 be fully meshed. Using the confederation, AS 200 is split into two sub-ASs: AS65001 and AS65002.
-
create bgp neighbor 192.1.1.5 remote-AS-number 65001
create bgp neighbor 192.1.1.18 remote-AS-number 65001
enable bgp neighbor all
To configure router B, use the following commands:
create vlan ba
configure vlan ba add port 1
configure vlan ba ipaddress 192.1.1.5/30
enable ipforwarding vlan ba
configure ospf add vlan ba area 0.0.0.0
create vlan bc
configure vlan bc add port 2
configure vlan bc ipaddress 192.1.1.22/30
enable ipforwarding vlan bc
configure ospf add vlan bc area 0.0.
-
configure vlan cb add port 2
configure vlan cb ipaddress 192.1.1.21/30
enable ipforwarding vlan cb
configure ospf add vlan cb area 0.0.0.0
enable ospf
configure bgp as-number 65001
configure bgp routerid 192.1.1.21
configure bgp confederation-id 200
enable bgp
create bgp neighbor 192.1.1.22 remote-AS-number 65001
create bgp neighbor 192.1.1.
-
enable ipforwarding vlan ed
configure ospf add vlan ed area 0.0.0.0
enable ospf
configure bgp as-number 65002
configure bgp routerid 192.1.1.13
configure bgp confederation-id 200
enable bgp
create bgp neighbor 192.1.1.14 remote-AS-number 65002
enable bgp neighbor 192.1.1.14
Route Aggregation
Route aggregation is the process of combining the characteristics of several routes so that they are advertised as a single route.
-
When BGP inactive route advertising is enabled, inactive BGP routes are considered for BGP route aggregation. When this feature is disabled, inactive BGP routes are ignored while aggregating routes.
Default Route Origination and Advertisement
The default route origination and advertisement feature allows you to originate and advertise a default route to a BGP neighbor (or to all neighbors in a peer group) even though no default route exists in the local IP routing table.
-
Enabling and Disabling Route Origination
To enable or disable BGP default route origination and advertisement for BGP neighbors, use the following commands:
enable bgp [{neighbor} | neighbor all] {address-family [ipv4-unicast | ipv4-multicast]} originate-default {policy }
disable bgp [{neighbor} | neighbor all] {address-family [ipv4-unicast | ipv4-multicast]} originate-default
To enable or disable BGP default route origination and advertiseme
-
for EBGP multihop. Using the loopback interface eliminates multiple, unnecessary route changes.
Looped AS_Path Attribute
When a BGP speaker receives a route from its neighbor, it must validate the AS_Path attribute to ensure that there is no loop in the AS_Path. When a BGP speaker finds its own AS-number in the received BGP route's AS_Path attribute, it is considered a "Looped AS Path" and by default, the associated BGP routes are silently discarded.
-
• password
Adding Neighbors to a BGP Peer Group
To create a new neighbor and add it to a BGP peer group, use the following command:
create bgp neighbor peer-group {multi-hop}
The new neighbor is created as part of the peer group and inherits all of the existing parameters of the peer group. The peer group must have a remote AS configured.
-
The penalty placed on network 172.25.0.0 is decayed until the reuse limit is reached, when the route is again advertised. At half of the reuse limit, the dampening information for the route to network 172.25.0.0 is removed. The penalty is decayed by reducing the penalty value by one-half at the end of a configurable time period, called the half-life. Routes that flap many times may reach a maximum penalty level, or ceiling, after which no additional penalty is added.
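The interaction of half-life, suppress limit, reuse limit and ceiling is easiest to reason about by replaying a flap sequence, so an added example follows. It is not code from the manual or from the switch's BGP implementation; it models the penalty as exponential decay with the stated half-life, caps it at the ceiling, marks the route suppressed once the suppress limit is reached, and reports when the penalty would fall to the reuse limit (route re-advertised) and to half of it (dampening record removed). The parameter values in DAMPENING are constructed for the illustration and are not the switch's defaults.

```python
import math


def decayed_penalty(penalty: float, elapsed: float, half_life: float) -> float:
    """Penalty after `elapsed` time units of exponential half-life decay."""
    return penalty * 0.5 ** (elapsed / half_life)


def time_until(penalty: float, target: float, half_life: float) -> float:
    """Time for `penalty` to decay down to `target` (0 if already at or below it)."""
    if penalty <= target:
        return 0.0
    return half_life * math.log2(penalty / target)


def simulate_flaps(flap_times, *, flap_penalty, half_life, suppress_limit, reuse_limit, ceiling):
    """Replay a non-decreasing sequence of flap timestamps (same units as half_life).

    Returns (events, reuse_at, forget_at): per-flap (time, penalty,
    suppressed) tuples; the time the route is re-advertised, i.e. when the
    penalty reaches the reuse limit (None if it was never suppressed); and
    the time its dampening record is dropped, when the penalty reaches half
    the reuse limit.
    """
    penalty, last, suppressed, events = 0.0, 0.0, False, []
    for t in flap_times:
        penalty = decayed_penalty(penalty, t - last, half_life)
        penalty = min(penalty + flap_penalty, ceiling)  # ceiling: no further penalty
        last = t
        if penalty >= suppress_limit:
            suppressed = True
        events.append((t, round(penalty, 1), suppressed))
    reuse_at = last + time_until(penalty, reuse_limit, half_life) if suppressed else None
    forget_at = last + time_until(penalty, reuse_limit / 2, half_life)
    return events, reuse_at, forget_at


# Constructed parameters (minutes); not the switch's defaults.
DAMPENING = dict(flap_penalty=1000, half_life=15, suppress_limit=2000, reuse_limit=750, ceiling=4000)

if __name__ == "__main__":
    events, reuse_at, forget_at = simulate_flaps([0, 0, 0], **DAMPENING)
    for t, p, s in events:
        print(f"t={t:>4}  penalty={p:>7}  suppressed={s}")
    print("re-advertised at", reuse_at, "; dampening record removed at", forget_at)
```

Three flaps in quick succession reach a penalty of 3000 with these parameters; with a 15-minute half-life that takes two half-lives (30 minutes) to decay to the reuse limit of 750 and three (45 minutes) to reach 375, where the record is dropped. The ceiling bounds the worst case: however many times a route flaps, its suppression time can never exceed the decay from the ceiling to the reuse limit.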
-
show bgp peer-group {detail | {detail}}
To display the dampened routes, use the following command:
show bgp neighbor {address-family [ipv4-unicast | ipv4-multicast]} flap-statistics {detail} [all | as-path | community [no-advertise | no-export | no-export-subconfed | number | : ] | network [any / | ] {exact} ]
BGP Route Selection
BGP selects routes based on the followin
-
Route Redistribution
BGP, OSPF, and RIP can be enabled simultaneously on the switch. Route redistribution allows the switch to exchange routes, including static and direct routes, between any two routing protocols. Exporting routes from OSPF to BGP and from BGP to OSPF are discrete configuration functions. To run OSPF and BGP simultaneously, you must first configure both protocols and then verify the independent operation of each.
-
• Origin code
• Multi Exit Discriminator (MED)
• IGP distance to the next hop
• Source session (EBGP or IBGP)
Note: ECMP does not install an additional path if the next hop is the same as that of the best path. All paths within a multipath must have a unique next hop value.
BGP ECMP does not affect the best path selection. For example, the router continues to designate one of the paths as the best path and advertise this best path to its neighbors.
-
Note: When entering an AS number in a policy file, you must enter a unique 2-byte or 4-byte AS number. The transition AS number, AS 23456, is not supported in policy files.
To delete a static BGP network, use the following command:
configure bgp delete network {address-family [ipv4-unicast | ipv4-multicast]} [all | ]
Graceful BGP Restart
It is possible for BGP control functions to restart without disrupting traffic forwarding.
-
restarts, for only unplanned restarts, or for both. Also, you can decide to configure a router to be a receiver only, and not to do graceful restarts itself.
-
create bgp neighbor 20.0.0.1 remote-as 100
enable bgp neighbor all
enable bgp
You can use the following commands to verify that BGP graceful restart is configured:
show bgp
show bgp neighbor
Cease Subcodes
BGP uses the cease subcode in a notification message to convey the reason for terminating the session. The cease subcodes currently supported are given in Table 71.
Table 71.
Other Configuration Change
This cease notification subcode is sent when the following configuration entities change:
• BGP neighbor is added to a peer group
• BGP neighbor is configured as a route-reflector client
• BGP neighbor is part of a peer group and the following configuration elements of the peer group are changed:
  • Password
  • Remote-as
  • Hold-time, keepalive-time
  • Source interface
  • Soft-in-reset
Connection Collision Resolution
This cease notification subc
By default, BGP sends those capabilities in its OPEN message. In addition, BGP supports graceful restart. All these capabilities (except for the 4-Byte-AS capability) can be enabled and disabled using the enable bgp neighbor capability and disable bgp peer-group capability commands. Execution of these commands does not take effect until the BGP neighbor is reset.
IP multicast routing requires the following functions:
• A router that can forward IP multicast packets
• A router-to-router multicast routing protocol (for example, Protocol Independent Multicast (PIM)) to discover multicast routes
• A method for the IP host to communicate its multicast group membership to a router (for example, Internet Group Management Protocol (IGMP))
Note: You should configure IP unicast routing before you configure IP multicast routing.
PIM Overview
The switch supports both dense mode and sparse mode operation. You can configure dense mode or sparse mode on a per-interface basis. After they are enabled, some interfaces can run dense mode, while others run sparse mode. The switch also supports PIM snooping.
Note: For additional information on PIM-DM, see RFC 3973, Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification.
PIM-DM Without State Refresh
PIM-DM is a broadcast and prune protocol, which means that multicast servers initially broadcast traffic to all destinations, and then switches later prune paths on which there are no receivers. Figure 82 shows a dense mode multicast tree with an active branch and a pruned branch.
Note: This feature is supported at and above the license level listed for this feature in the license tables in Appendix A, XCM8800 Software Licenses.
PIM-DM routers perform reverse path multicasting (RPM). However, instead of exchanging its own unicast route tables for the RPM algorithm, PIM-DM uses the existing unicast routing table for the reverse path. As a result, PIM-DM requires less system memory.
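The reverse path check that PIM-DM borrows from the unicast routing table is worth seeing in code: a multicast packet is forwarded only if it arrived on the interface the router would itself use to reach the packet's source, and everything else is dropped, which is what stops looped or spoofed multicast from being flooded. The following is an added example, not code from the manual or the switch software; the routing table, the VLAN names (borrowed from the PIM-SM configuration example later in this chapter) and the sample packets are constructed data. On the switch, the rtlookup command with the rpf keyword performs the lookup shown by rpf_lookup.

```python
import ipaddress

# Constructed unicast routing table: (prefix, next hop, egress VLAN).
# A next hop of None marks a directly connected network.
UNICAST_ROUTES = [
    ("0.0.0.0/0", "10.0.1.1", "HQ_10_0_1"),        # default route
    ("10.0.0.0/8", "10.0.2.2", "HQ_10_0_2"),
    ("161.48.2.0/24", None, "LA_161_48_2"),
    ("160.26.26.0/24", None, "CHI_160_26_26"),
]


def rpf_lookup(source_ip, routes=UNICAST_ROUTES):
    """Return the RPF interface for a multicast source.

    This is a longest-prefix match of the *source* address against the
    unicast table: the interface that leads back towards the source is
    the only one on which traffic from that source is legitimate.
    """
    src = ipaddress.ip_address(source_ip)
    best_net, best_iface = None, None
    for prefix, _next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(source_ip, ingress_iface, routes=UNICAST_ROUTES):
    """True if the packet arrived on its RPF interface, else False (drop)."""
    return rpf_lookup(source_ip, routes) == ingress_iface


def filter_packets(packets, routes=UNICAST_ROUTES):
    """Apply the RPF check to (source, group, ingress VLAN) tuples.

    Returns (accepted, dropped) lists so the caller can forward the first
    and count or log the second.
    """
    accepted, dropped = [], []
    for src, group, iface in packets:
        bucket = accepted if rpf_check(src, iface, routes) else dropped
        bucket.append((src, group, iface))
    return accepted, dropped


# Constructed sample traffic. The last packet claims a Los Angeles source
# but entered on the Chicago VLAN, so the RPF check rejects it.
SAMPLE_PACKETS = [
    ("161.48.2.10", "239.1.1.1", "LA_161_48_2"),
    ("10.7.7.7", "239.1.1.1", "HQ_10_0_2"),
    ("198.51.100.5", "239.2.2.2", "HQ_10_0_1"),
    ("161.48.2.10", "239.1.1.1", "CHI_160_26_26"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for pkt in ok:
        print("forward", pkt)
    for pkt in bad:
        print("RPF fail, drop", pkt)
```

Because the default route is in the table, a source with no more specific route still has an RPF interface (the uplink); that is deliberate, since a source outside all known prefixes would otherwise be unreachable rather than flagged, and it is also why a missing or wrong default route can silently make PIM-DM accept traffic on the wrong interface.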
Note: This feature is supported at and above the license level listed for this feature in the license tables in Appendix A, XCM8800 Software Licenses.
Using PIM-SM, the router sends a join message to the rendezvous point (RP). The RP is a central multicast router that is responsible for receiving and distributing the initial multicast packets. You can configure a dynamic or static RP.
Note: This feature is supported at and above the license level listed for this feature in the license tables in Appendix A, XCM8800 Software Licenses.
PIM Source Specific Multicast (PIM-SSM) is a special case of PIM-SM, in which a host explicitly sends a request to receive a stream from a specific source, rather than from any source. IGMPv3 hosts can use PIM SSM directly, because the ability to request a stream from a specific source first became available with IGMPv3.
when specifying the PIM-SSM range, you configure the range 232.0.0.0/8. You can also choose to specify a different range for PIM-SSM by using a policy file. To configure the PIM-SSM address range, use the following command:
configure pim ssm range [default | policy ]
PIM Snooping
PIM snooping provides a solution for handling multicast traffic on a shared media network more efficiently.
Figure 84. Multicast With PIM Snooping
PIM snooping does not require PIM to be enabled. However, IGMP snooping must be disabled on VLANs that use PIM snooping. PIM snooping and MVR cannot be enabled on the same VLAN.
IGMP Overview
IGMP is a protocol used by an IP host to register its IP multicast group membership with a router. A host that intends to receive multicast packets destined for a particular multicast address registers as a member of that multicast address group. Periodically, the router queries the multicast group to see if the group is still in use. If the group is still active, a single IP host responds to the query, and group registration is maintained.
enable igmp snooping {forward-mcrouter-only | {vlan} | with-proxy vr }
disable igmp snooping {forward-mcrouter-only | with-proxy | vlan }
When a port sends an IGMP leave message, the switch removes the IGMP snooping entry after 1000 milliseconds (the leave time is configurable, ranging from 0 to 10000 ms). The switch sends a query to determine which ports want to remain in the multicast group.
multicast group to a port; and you may emulate a router to forward all multicast groups to a port. Static IGMP is only available with IGMPv2.
} then {
permit;
}
}
After you create a policy file, use the following command to associate the policy file and filter to a set of ports:
configure igmp snooping vlan ports filter [ | none]
To remove the filter, use the none option.
When the router receives an IGMP Group leave message from a host, it sends out a group specific query (unless IGMP fast leave is configured) and continues to support joins for the corresponding (S1, G) to (Sn, G) channels. When the router does not get a response to the group specific query after a time-out period, IGMP-SSM mapping informs PIM that the list of (S1, G) to (Sn, G) pairs should be considered for PIM prunes.
configure igmp ssm-map add [/ | ] {vr }
To remove a single IGMP-SSM mapping, use the following command:
configure igmp ssm-map delete [/} | ] [ | all] }
To remove all IGMP-SSM mappings on a virtual router, use the following command:
unconfigure igmp ssm-map {}
To disable IGMP-SSM mapping on a virtual router, use the following command:
disable igmp ssm-map {vr }
D
2. To enable and configure the PIM-DM state refresh feature on one or all VLANs, use the following commands:
configure pim state-refresh {vlan} [ | all] [on | off]
configure pim state-refresh timer origination-interval
configure pim state-refresh timer source-active-timer
configure pim state-refresh ttl
3.
multicast static route 58.1.10.0/24 is shown as UP only when the OSPF route is available to reach the network 58.1.10.0/24. Static routes are stored in the switch configuration and can be viewed with the show configuration command. Static multicast routes that do not include protocol information are displayed using the configure iproute command format, even if they were created using the configure ipmroute command.
Figure 85.
configure pim add vlan all dense
enable pim
configure pim state-refresh vlan all on
PIM-SM Configuration Example
In Figure 86, the system labeled ABR1 is configured for IP multicast routing using PIM-SM.
configure vlan HQ_10_0_2 ipaddress 10.0.2.1 255.255.255.0
configure vlan HQ_10_0_3 ipaddress 10.0.3.1 255.255.255.0
configure vlan LA_161_48_2 ipaddress 161.48.2.2 255.255.255.0
configure vlan CHI_160_26_26 ipaddress 160.26.26.1 255.255.255.0
configure ospf add vlan all area 0.0.0.0
enable ipforwarding
enable ipmcforwarding
configure pim add vlan all sparse
tftp TFTP_SERV -g -r rp_list.
enable pim
PIM Snooping Configuration Example
Figure 87 shows a network configuration that supports PIM snooping.
Figure 87. PIM Snooping Configuration Example
In Figure 87, Layer 3 switches S2, S3, S4, and S5 are connected using the Layer 2 switch S1 through the VLAN comm_vlan.
Switch S1 (PIM Snooping Switch) Configuration Commands
The following is an example configuration for the PIM snooping switch S1:
create vlan comm_vlan
configure vlan comm_vlan add port 1,2,3,4
disable igmp snooping
disable igmp snooping comm_vlan
enable pim snooping
enable pim snooping comm_vlan
Switch S3 Configuration Commands
The following is an example configuration for switch S3, which also serves as an RP:
create vlan comm_vlan
configure vlan comm_vlan add port 1
configure co
enable ipforwarding comm_vlan
enable ipmcforwarding comm_vlan
configure pim add vlan comm_vlan sparse
configure ospf add vlan comm_vlan area 0.0.0.0
create vlan receiver_vlan
configure vlan sender_vlan add port 1
configure sender_vlan ipa 10.172.170.4/24
enable ipforwarding comm_vlan
enable ipmcforwarding comm_vlan
configure pim add vlan comm_vlan sparse
configure ospf add vlan comm_vlan area 0.0.0.0
enable pim
enable ospf
configure pim crp static 10.172.169.
enable ipmcforwarding comm_vlan
configure ospf add vlan comm_vlan area 0.0.0.0
enable ospf
PIM Snooping Example Configuration Displays
After the example configuration is complete, multicast receivers connect to the network through switch S5 and multicast sources connect through switch S3. When switch S5 receives an IGMP request from the receiver_vlan for group 225.1.1.1, it sends a PIM (*, G) join towards switch S3, which is the RP.
Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed to support distributing multicast streams for IPTV to subscribers over a Layer 2 network. In a standard Layer 2 network, a multicast stream received on a VLAN is not forwarded to another VLAN. The streams are confined to the Layer 2 broadcast domain. In an IGMP snooping environment, streams are forwarded only to interested hosts on a VLAN.
Basic MVR Deployment
Since MVR is primarily targeted for IPTV and similar applications, a basic deployment for that application is shown in Figure 89. In the figure, an IPTV server is connected through a router to a network of switches. Switch 1 has three customer VLANs, Vlan2, Vlan3, and Vlan4. The multicast streams are delivered through the network core (Metro Ethernets), which often use a ring topology and some kind of redundant protection to provide high availability.
1. Configure MVR on McastVlan.
2. Configure an IP address and enable IGMP and IGMP snooping on the subscriber VLANs (by default IGMP and IGMP snooping are enabled on NETGEAR switches).
3. For all the multicast streams (IPTV channels), configure static IGMP snooping membership on the router on McastVlan.
4. Enable MVR on the switches in the network.
Note: MVR works best with IGMPv1 and IGMPv2. NETGEAR recommends that you do not use MVR with IGMPv3.
If a multicast packet for a group in the static MVR range is received on an MVR enabled VLAN, it is always flooded on the MVR VLAN. This allows the neighbor switch in the ring to receive all the static MVR streams.
Dynamic MVR
In contrast, since a video content provider would like to provide a variety of on-demand and other premium channels, there are often many lower demand (fewer viewers) premium channels that cannot all be made available simultaneously at the core network.
Figure 90. Multiple VLANs in the Core Network
In Figure 90, the core network has 2 more VLANs, vc1 and vc2, to provide other services. With MVR, multicast traffic should be confined to McastVlan, and should not be forwarded to vc1 and vc2. Note that MVR is configured only on the ingress VLAN (McastVlan). MVR is not configured on any other VLANs.
Note: If a port is blocked by Layer 2 protocols, that port is removed from the egress list of the cache. This is done dynamically per the port state. For most situations, you do not need to manually configure ports to receive the MVR multicast streams.
In the topology above, the MSP multicast VLAN is carried on two switches that also carry the customer multicast VLAN. When multiple switches carry both multicast VLANs, it is imperative that MVR is configured on only one switch. Only that switch should be used as the transit point for multicast streams from one multicast ring into another. Otherwise, duplicate packets are forwarded.
Figure 92. MVR with STP
In this topology, subscribers are in a Layer 2 cloud on VLAN V1. STP is configured for all ports of V1. Since V1 spans on the ring as well, multicast cannot be forwarded on V1 blindly. Forwarding rules (described in MVR Forwarding on page 751), dictate that multicast traffic is not forwarded on STP enabled ports.
configure mvr add vlan mvlan
create stpd stp1
configure stp1 add vlan v1 port all
enable stpd stp1 port all
configure mvr vlan v1 add receiver port 1:3,1:4
enable mvr
Displaying Multicast Information
The following sections describe how to display multicast information:
• Displaying the Multicast Routing Table on page 756
• Displaying the Multicast Cache on page 756
• Looking Up a Multicast Route on page 756
• Looking Up the RPF for a Multicast Source on page 756
• Display
rtlookup [ | ] { unicast | multicast | rpf } { vr }
Displaying the PIM Snooping Configuration
To display the PIM snooping configuration for a VLAN, use the following command:
show pim snooping {vlan}
Troubleshooting PIM
The following sections introduce two commands that you can use to troubleshoot multicast communications:
• Multicast Trace Tool on page 757
• Multicast Router Information Tool on page 758
Multicast Trace Tool
The multic
The last hop router converts the multicast trace query into a unicast traceroute request by appending response data (for the last hop router) into the received query packet, and the last hop router forwards the request packet to the router that it believes is the proper previous hop for the given source and group. Each multicast router adds its response data to the end of the request packet, and then forwards the modified unicast request to the previous hop.
28. IPv6 Multicast
This chapter includes the following sections:
• Overview on page 759
• Managing MLD on page 760
Overview
IPv6 multicast is a function that allows a single IPv6 host to send a packet to a group of IPv6 hosts. Multicast Listener Discovery (MLD) is a protocol used by an IPv6 host to register its IP multicast group membership with a router.
Managing MLD
The following sections describe how to manage MLD on the switch:
• Enabling and Disabling MLD on a VLAN on page 760
• Configuring MLD on page 760
• Clearing MLD Group Registration on page 760
• Configuring Static MLD Groups and Routers on page 760
• Displaying MLD Information on page 761
Enabling and Disabling MLD on a VLAN
MLD is enabled by default on all VLANs. This allows IPv6 hosts to register with IPv6 multicast groups and receive IPv6 multicast traffic.
configure mld snooping {vlan} ports add static group
To emulate a multicast router on a port, use the following command:
configure mld snooping {vlan} ports add static router
To remove these entries, use the corresponding command:
configure mld snooping {vlan} ports delete static group [all | ]
configure mld snooping {vlan} ports delete static router
Displayin
29. MSDP
This chapter includes the following sections:
• Overview on page 762
• PIM Border Configuration on page 763
• MSDP Peers on page 764
• MSDP Mesh-Groups on page 766
• Anycast RP on page 767
• SA Cache on page 768
• Redundancy on page 770
• Scaling Limits on page 770
• SNMP MIBs on page 770
• Configuration Examples on page 770
Note: For more information about MSDP, see RFC 3618.
For example, as businesses expand and networks grow in size, it might become necessary to connect PIM domains to allow multicast applications to reach other offices across the network. MSDP simplifies this process by providing a mechanism to connect those multicast routing domains without reconfiguring existing domains. Each PIM domain remains separate and has its own RP.
MSDP Peers
MSDP peers exchange messages to advertise active multicast sources. The peer with the higher IP address passively listens to a well-known port number and waits for the side with the lower IP address to establish a Transmission Control Protocol (TCP) connection on port 639. When a PIM-SM RP that is running MSDP becomes aware of a new local source, it sends an SA message over the TCP connection to its MSDP peer.
Peer Authentication
MSDP supports TCP MD5 authentication (RFC 2385) to secure control messages between MSDP peers. You must configure a secret password for an MSDP peer session to enable TCP MD5 authentication. When a password is configured, MSDP receives only authenticated MSDP messages from its peers. All MSDP messages that fail TCP MD5 authentication are dropped.
To configure the router to reject SA request messages from a specified MSDP peer or all peers, use the following command:
disable msdp [{peer} | peer all] process-sa-request {vr }
To display configuration and run-time parameters about MSDP peers, use the following command:
show msdp [peer {detail} | {peer} ] {vr }
MSDP Mesh-Groups
MSDP can operate in a mesh-group topology.
Anycast RP
Anycast RP is an application of MSDP that allows multiple RPs to operate simultaneously in a PIM-SM domain. Without anycast RP, multiple routers can be configured as candidate RPs, but at any point in time, only one router can serve as RP.
enable loopback-mode vlan
2. Assign the anycast RP address to the loopback VLAN with a 32-bit subnet mask using the following command:
configure {vlan} ipaddress [ {} | ipv6-link-local | {eui64} ]
Note: The anycast RP address must be unique to the loopback VLAN and be the same on all anycast RP peers.
no longer available it informs MSDP, which in turn removes the SA information from the local database. Caching makes it easy for local receivers to know immediately about inter-domain multicast sources and to initiate building a source tree towards the source. However, maintaining a cache is heavy both in CPU processing and memory requirements.
Note: Our implementation of MSDP does not support operating with local cache disabled.
To allow an unlimited number of SA entries, use 0 (zero) as the value for .
To display the SA cache limit, use the following command:
show msdp [peer {detail} | {peer} ] {vr }
Redundancy
Because the peering relationship between MSDP peers is based on TCP connections, after a failover occurs the TCP connections need to be re-established.
• Configuring an MSDP Mesh-Group on page 772
• Configuring Anycast RP on page 775
Configuring MSDP
Figure 93 shows two MSDP-speaking routers, MSDP-1 and MSDP-2. The example in this section shows how to configure MSDP on each router to:
• Establish a peer session between MSDP-1 and MSDP-2. (To verify the session, enter the show msdp peer command.)
• Exchange SA messages, if any, between MSDP-1 and MSDP-2. (To view the SA cache database, enter the show msdp sa-cache command.
# MSDP configuration
config msdp originator-id 10.172.168.61
create msdp peer 10.172.168.32
enable msdp peer 10.172.168.32
enable msdp
Configuring an MSDP Mesh-Group
Figure 94 shows an example MSDP mesh group configuration.
Figure 94.
In the topology, loopback VLANs are configured on each of the switches and the loopback addresses for each of the switches are as follows:
• MSDP 1 (10.1.1.1/32)
• MSDP 2 (10.1.1.2/32)
• MSDP 3 (10.1.1.3/32)
Note: The autonomous system (AS) number for the peer is used in peer-RPF checks. The AS number provided by the user is treated as the AS number in which the peer resides. If you do not specify an AS number, BGP is used to determine the AS number for the peer.
enable msdp peer all
enable msdp
Switch MSDP2 Configuration Commands
The following is an example MSDP configuration for switch MSDP2:
create msdp peer 10.0.1.1
configure msdp peer 10.0.1.1 description "msdp_21"
configure msdp peer 10.0.1.1 password "test"
create msdp peer 10.0.2.3
configure msdp peer 10.0.2.3 password "test"
configure msdp peer 10.0.2.3 description "msdp_23"
create msdp mesh-group m1
configure msdp peer 10.0.1.1 mesh-group m1
configure msdp peer 10.0.2.
Configuring Anycast RP
Figure 95 shows the mesh-group M1, which is comprised of three MSDP peers: MSDP 1, MSDP 2, and MSDP 3. MSDP 5 is connected to MSDP 1, and MSDP 4 is connected to MSDP 3; however, they are not part of the mesh-group.
Figure 95.
MSDP 1 Configuration
# VLAN configuration
create vlan v_anycast
configure vlan "v_anycast" ipaddress 1.1.1.1/32
enable loopback-mode vlan "v_anycast"
enable ipforwarding vlan "v_anycast"
enable ipmcforwarding vlan "v_anycast"
# OSPF configuration to inject routes into routing protocols
configure ospf add vlan "v_anycast" area 0.0.0.0
# PIM-SM configuration
configure pim add vlan "v_anycast" sparse
configure pim crp static 1.1.1.
configure pim add vlan "v_anycast" sparse
configure pim crp static 1.1.1.1 rp_policy
# MSDP configuration
configure msdp originator-id 10.1.1.2
create msdp peer 10.1.1.1
create msdp peer 10.1.1.3
configure msdp peer all source-interface 10.1.1.2
create msdp mesh-group m1
configure msdp peer 10.1.1.1 mesh-group m1
configure msdp peer 10.1.1.
enable msdp peer all
enable msdp
MSDP 4 Configuration
# VLAN configuration
create vlan v_anycast
configure vlan "v_anycast" ipaddress 1.1.1.1/32
enable loopback-mode vlan "v_anycast"
enable ipforwarding vlan "v_anycast"
enable ipmcforwarding vlan "v_anycast"
# OSPF configuration to inject routes into routing protocols
configure ospf add vlan "v_anycast" area 0.0.0.0
# PIM-SM configuration
configure pim add vlan "v_anycast" sparse
configure pim crp static 1.1.1.
# MSDP configuration
configure msdp originator-id 10.1.1.5
create msdp peer 10.1.1.1
configure msdp peer all source-interface 10.1.1.5
enable msdp peer all
enable msdp
30. vMAN (PBN)
This chapter includes the following sections:
• Overview on page 780
• Configuration on page 784
• Displaying vMAN Information on page 788
• Configuration Examples on page 788
Overview
The virtual metropolitan area network (vMAN) features allow you to scale a Layer 2 network and avoid some of the management and bandwidth overhead required by Layer 3 networks.
Chapter 30. vMAN (PBN) 8800 Chassis Switch
Figure 96. vMAN
The entry points to the vMAN are the access ports on the vMAN edge switches, which function as PBs.
In Figure 97, the switch accepts all tagged (C-tag) and untagged VLAN frames on vMAN access ports 1.1 and 1.2. The switch then adds the S-tag to the frames and switches the frames to network ports 2.1 and 2.2. When the 802.1ad frames reach the PB egress port, the egress switch removes the S-tag, and the VLAN traffic exits the egress access port in its original form.
• ACL Support on page 783
• Secondary Ethertype Support on page 783
• QoS Support on page 784
• Egress Queue Selection on page 784
ACL Support
The NETGEAR 8800 software includes vMAN (PBN) Access Control List (ACL) support for controlling vMAN frames. vMAN ACLs define a set of match conditions and modifiers that can be applied to vMAN frames.
ports that connect to other NETGEAR 8800 devices to use the default primary ethertype value, and you can configure ports that connect to other equipment to use the secondary ethertype value, which you can configure to match the requirements of that equipment. When you create a vMAN, each vMAN port is automatically assigned the primary ethertype value. After you define a secondary ethertype value, you can configure a port to use the secondary ethertype value.
• Each vMAN access port (ingress or egress) can belong to only one vMAN. vMAN network ports (switch to switch) can support multiple vMANs.
• Duplicate customer MAC addresses that ingress from multiple vMAN access ports on the same vMAN can disrupt the port learning association process in the switch.
• vMAN names must conform to the guidelines described in Object Names on page 31.
1. If you are configuring a NETGEAR 8800, enable jumbo frames on the switch.
Note: Because the NETGEAR 8800 switch enables jumbo frames switch-wide, you must enable jumbo frames before configuring vMANs on NETGEAR systems.
2. Create a vMAN by entering the following command:
create vman {vr }
3. Assign a tag value to the vMAN by entering the following command:
configure vman tag
4.
configure vman ethertype [primary | secondary]
By default, all vMAN ports use the primary ethertype value.
2.
disable dot1p examination ports [all | ]
Note: See Chapter 15, QoS for information on configuring and displaying the current 802.1p and DiffServ configuration for the S-tag 802.1p value.
Figure 99.
Note: IGMP reports can be received untagged on ports 2:1, 2:2, and 2:3. Tagged IP multicast data is received on mc_vlan port 1:1 and is routed using IP multicasting to vman1 ports that subscribe to the IGMP group.
Note: IGMP snooping (Layer 2 IP multicasting forwarding) does not work on the vMAN ports because there is no double-tagged IP multicast cache lookup capability from port 1:1.
Part 3: Appendixes
Switch License Features
The following sections list the features for the switch license levels and feature packs:
• Aggregation License Features on page 794
• Advanced Core License Features on page 798
Aggregation License Features
The Aggregation license provides all Layer-2 and Layer-3 switch applicable capabilities of the XCM8800 software that are not licensed by the higher license levels (the Advanced Core licenses) and the Feature Packs.
Table 74. XCM8800 Aggregation License Features (Continued)
XCM8800 Software Feature
• STP 802.1s
• STP 802.1w
• Link Fault Signaling (LFS)
• ACLs
  • IPv4
  • Static ACLs
  • IPv6
  • Dynamic
• MSM/MM hitless failover for STP
• MSM/MM hitless failover - Additional capabilities: NetLogin, PoE.
• Graceful Restart for OSPF, BGP
• CPU DoS protect
• CPU Monitoring
• SNMPv3
• SSH2 server
• SSH2 client
• SCP/SFTP client
• SCP/SFTP server
• RADIUS and TACACS+ per command authentication
• Network login
  • Web based method
  • 802.
Table 74. XCM8800 Aggregation License Features (Continued)
XCM8800 Software Feature
• Universal Port—Dynamic user-based security policies
• Universal Port—Time-of-day policies
• VRRP
• OSPFv2-Edge (limited to max of 4 active interfaces)
• OSPFv3-Edge (limited to max of 4 active interfaces)
• PIM-SM-Edge (limited to max of 2 active interfaces)
Advanced Core License Features
The Advanced Core License includes all Aggregation License features, and the features in Table 75.
Table 75.
Obtaining a License Voucher
You can order the desired functionality from the factory, using the appropriate model of the desired product. If you order licensing from the factory, the license arrives in a separate package from the switch. After the license key is installed, it should not be necessary to enter the information again. However, NETGEAR recommends keeping the certificate for your records.
http://support.netgear.com or by phoning NETGEAR Technical Support at:
• 1-888-NETGEAR (US and Canada only)
• For other countries, see the support information card
Note: An XCM8800 core image (.xos file) must be downloaded and installed on the alternate (non-active) partition. If a user tries to download to an active partition, the error message “Error: Image can only be installed to the non-active partition.” is displayed. An XCM8800 modular software package (.xmod file) can still be downloaded and installed on either the active or alternate partition.
Understanding the Image Version String
The image version string contains build information for each version of XCM8800. You can use either the show version or show switch command to display the XCM8800 version running on your switch. Depending on the command line interface (CLI) command, the output is structured as follows:
• show version XCM8800 Version ... For example: XCM8800 version 10.1.2.16
• show switch ...
To view your current (active) partition, use the following command:
show switch
Output from this command includes the selected and booted images and if they are in the primary or secondary partition. The active partition is identified as the “booted image.” The command shows only two nodes (both MSMs/MMs in a modular chassis).
2. Load the new image onto an external compact flash memory card (if you are using the external compact flash slot). This method is available only on modular switches. Use a PC with appropriate hardware such as a compact flash reader/writer and follow the manufacturer’s instructions to access the compact flash card and place the image onto the card.
Note: The download image command in the XCM8800 causes the switch to use the newly downloaded software image during the next switch reboot. To modify or reset the software image used during a switch reboot, use the use image command.
Note: A secure method of upgrading the image uses SFTP or SCP2. See the download image command.
-
NETGEAR 8800 User Manual To install the package, you use the same process that you use to install a new core image. Follow the process described in the earlier section Installing a Core Image on page 804. On NETGEAR 8800 series switches, you can use hitless upgrade to install the package. See Understanding Hitless Upgrade on page 810 for more information.
-
NETGEAR 8800 User Manual Upgrading a Modular Software Package When NETGEAR introduces a new core software image, a new modular software package is also available. If you have a software module installed and upgrade to a new core image, you need to upgrade to the corresponding modular software package. Two methods are available to upgrade an existing modular software package on your switch.
-
NETGEAR 8800 User Manual • Upgraded the switch to a new core image (see Installing a Core Image on page 804 for more information) • Downloaded the corresponding modular software package to your TFTP server.
-
Rebooting the Management Module

To reboot a management module in a specific slot, rather than rebooting the switch, use the following command:
reboot {time } {cancel} {msm }
With the additional options available:
• slot_id—Specifies the slot where the module is installed
• msm-a—Specifies the MSM module installed in slot A
• msm-b—Specifies the MSM module installed in slot B
Note: When you configure a timed reboot of an MSM

Note: If you download an image to the backup MSM, the image passes through the primary MSM before it is downloaded to the backup MSM.

The following is a sample of the warning message displayed by the switch:
WARNING: The other MSM operates with a different version of I/O module image. If you continue with the MSM failover, all I/O modules will be reset.

Hitless upgrade is not supported between major releases, for instance between XCM8800 11.x and 12.x. Do not attempt a hitless upgrade across major releases. For information about installing an image without using hitless upgrade, see Installing a Core Image on page 804.

Summary of Tasks

To perform a hitless upgrade to install and upgrade the XCM8800 software on your system:
1. View the current switch information.
• Determine your selected and booted image partitions.
-
Determine your selected and booted partition, verify which MSM is the primary and which is the backup, and confirm that the MSMs are synchronized. Output from this command indicates, for each MSM, the selected and booted images and whether they are in the primary or the secondary partition. The selected image partition indicates which image will be used at the next reboot. The booted image partition indicates the image used at the last reboot; it is the active partition.

4. Initiate failover from the primary MSM to the backup MSM using the following command:
run msm-failover
When you fail over from the primary MSM to the backup MSM, the backup becomes the new primary, runs the software on its active partition, and provides all of the switch management functions.

• If you install the image at a later time, use the following command to install the software:
install image {} {msm } {reboot}
7.

• You have received the new software image from NETGEAR named NG8800-11.4.0.12.xos.
• You do not know your selected or booted partitions.
• You are currently using the primary partition.
• The image is on a TFTP server named tftphost.
• You are installing the new image immediately after download.
• The MSM installed in slot A is the primary.
• The MSM installed in slot B is the backup.
• You are running XCM8800 11.4 or later on both MSMs.
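The rules spread across this appendix (a core image may only be installed to the non-active partition, the booted partition is the active one while the selected partition is what boots next, and hitless upgrade never crosses a major release) are easy to get wrong from a console. The following Python script is an added example, not part of the NETGEAR manual or the XCM8800 software: it encodes those rules as pre-flight checks over a hand-entered description of each MSM. The MsmState fields, reading the first field of the version string as the major release, the version-in-filename convention and the running version 11.4.0.5 are assumptions made for the example; it does not parse real show switch output.

```python
# Added example (not from the NETGEAR manual or the XCM8800 software): pre-flight
# checks for a core image upgrade, encoding the rules given in Appendix B.
# Python 3.7+, standard library only.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Four dotted numeric fields, e.g. "10.1.2.16". The manual shows this form but does
# not name the fields; this example reads the first field as the major release.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the numeric fields of an XCM8800 version string such as '10.1.2.16'."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised XCM8800 version string: {text!r}")
    return tuple(int(field) for field in match.groups())


def version_from_image_name(filename: str) -> Tuple[int, ...]:
    """Extract the version from an image name like 'NG8800-11.4.0.12.xos'.

    Assumption for this example: the version sits between the last '-' and the
    '.xos' extension, as in the file name used in the manual's example.
    """
    match = re.search(r"-(\d+\.\d+\.\d+\.\d+)\.xos$", filename)
    if match is None:
        raise ValueError(f"not a .xos core image name: {filename!r}")
    return parse_version(match.group(1))


@dataclass
class MsmState:
    """Hand-entered summary of one MSM as reported by 'show switch' (not parsed output)."""
    slot: str       # "A" or "B"
    role: str       # "primary" or "backup"
    booted: str     # partition booted at the last reboot ("primary"/"secondary"); the active one
    selected: str   # partition that will be used at the next reboot
    version: str    # running XCM8800 version


def target_partition(msm: MsmState) -> str:
    """A .xos core image can only be installed to the non-active partition."""
    return "secondary" if msm.booted == "primary" else "primary"


def hitless_upgrade_allowed(running: str, new_image: str) -> bool:
    """Hitless upgrade is supported within a major release (11.x to 11.y), not across one (11.x to 12.x)."""
    return parse_version(running)[0] == version_from_image_name(new_image)[0]


def plan_upgrade(msms: List[MsmState], new_image: str) -> Dict[str, object]:
    """Decide where the image goes and list every reason not to start the hitless procedure."""
    problems: List[str] = []
    warnings: List[str] = []

    roles = sorted(m.role for m in msms)
    if roles != ["backup", "primary"]:
        problems.append(f"expected exactly one primary and one backup MSM, found roles {roles}")
    versions = sorted({m.version for m in msms})
    if len(versions) != 1:
        problems.append(f"MSMs run different versions {versions}; synchronise them before upgrading")

    for m in msms:
        if not hitless_upgrade_allowed(m.version, new_image):
            problems.append(f"MSM {m.slot}: {new_image} is a different major release than the running "
                            f"{m.version}; hitless upgrade is not supported, install with a reboot instead")
        if m.selected != m.booted:
            warnings.append(f"MSM {m.slot}: selected partition ({m.selected}) differs from the booted one "
                            f"({m.booted}); the next reboot would not run the active image")

    primary = [m.slot for m in msms if m.role == "primary"]
    return {
        "targets": {m.slot: target_partition(m) for m in msms},  # partition to install to, per MSM
        "failover_from": primary[0] if primary else None,          # slot that run msm-failover hands off
        "problems": problems,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Scenario from the manual's example: slot A primary, slot B backup, both on the
    # primary partition. The running version 11.4.0.5 is a constructed value.
    chassis = [
        MsmState("A", "primary", "primary", "primary", "11.4.0.5"),
        MsmState("B", "backup", "primary", "primary", "11.4.0.5"),
    ]
    print(plan_upgrade(chassis, "NG8800-11.4.0.12.xos"))
```

Run it before touching the switch: an empty problems list means the hitless procedure can start, targets tells you which partition each install command must name, and a warning about a selected partition that differs from the booted one is worth resolving with use image first, because the partition you are about to overwrite may be the one the next reboot would pick.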
-
Note: Configuration files have a .cfg file extension. When you enter the name of the file in the CLI, the system automatically adds the .cfg file extension. If you have made a mistake or must revert to the configuration as it was before you started making changes, you can tell the switch to use the backup configuration on the next reboot. Each filename must be unique and can be up to 32 characters long. Filenames are also case sensitive.

• Viewing a Configuration on page 819
• Returning to Factory Defaults on page 819
• ASCII-Formatted Configuration Files on page 819

Viewing a Configuration

You can view the current configuration on the switch by using the following command:
show configuration {} {detail}
You can also view just the portion of the configuration that applies to a particular module (for example, SNMP) by using the module-name parameter.

editor. As previously described, to use these commands, use the .xsf file extension. These steps are not applicable to configurations that use the .cfg file extension. To work with an ASCII-formatted configuration file, complete the following tasks:
1.

Downloading the ASCII Configuration File to the Switch

To download the configuration from the TFTP server to the switch, use the tftp or tftp get command. For example, to retrieve the configuration file named meg_upload_config1.xsf from a TFTP server with an IP address of 10.10.10.10, you can use one of the following commands:
tftp 10.10.10.10 -g -r meg_upload_config1.xsf
tftp get 10.10.10.10 meg_upload_config1.xsf

Saving the Configuration

After you load the configuration, save it to the configuration database for use by the switch. This allows the switch to reapply the configuration after a switch reboot. To save the configuration, use the save configuration {primary | secondary | | } command. When you save the configuration file, the switch automatically adds the .cfg file extension to the filename.

the configuration file to the NETGEAR Technical Support department for problem-solving purposes. To view your current switch configuration, use the show configuration {} {detail} command available on your switch. Do not use a text editor to view or modify your XML-based switch configuration files.

Using TFTP to Download the Configuration

You can download previously saved XML-formatted XOS configuration files from a TFTP host to the switch to modify the switch configuration. Do not use a text editor to view or modify your switch configuration files; modify your switch configurations directly in the CLI.

Make sure that you entered the filename correctly, including the .cfg extension, and that you entered the correct host name or IP address for the TFTP server. If your download is successful, the switch displays a message similar to the following:
Downloading megtest2.cfg to switch... done!
Configurations are downloaded and saved into the switch nonvolatile memory. The configuration is applied after you reboot the switch.

The switch deletes the old configuration files on the backup node only upon a successful file synchronization. If an error occurs, the switch does not delete the old configuration files on the backup node. For example, if you install a backup node that contains different configuration files from the primary node, the old configuration files are deleted after a successful bootup of the backup node.

• alt—Specifies the alternate configuration file
• default—Specifies the default configuration file
• filename—Specifies a configuration filename
• none—Uses no configuration. This restores the switch to the default configuration. It may be helpful if a password has been forgotten.
To view the current configuration, use this command without any arguments. To exit the Bootloader, use the boot command. Specifying boot runs the currently selected XCM8800 image.
Because the none option boots the switch without its saved configuration, and therefore without the configured passwords, anyone who can reach the console port during a power cycle can use it. Treat physical access to the MSM console port as equivalent to administrative access and control it accordingly.

During the firmware upgrade, the switch also prompts you to save your configuration changes to the current, active configuration. Enter y to save your configuration changes to the current, active configuration. Enter n if you do not want to save your changes. The new PSU controller firmware is used immediately after it is installed, without rebooting the switch. The new BootROM and firmware overwrite the older versions flashed into the hardware.
-
Appendix C. Troubleshooting

Troubleshooting Checklists

This section provides simple troubleshooting checklists for Layer 1, Layer 2, and Layer 3. The commands and recommendations described are applicable to both IPv4 and IPv6 environments unless otherwise specified. If more detailed information about a topic is available, you are referred to the applicable section in this appendix.

Layer 1

When troubleshooting Layer 1 issues, verify:
• The installation of cables and connectors.

To display detailed information for each VLAN configured on the switch, use the show vlan detail command. For additional VLAN troubleshooting tips, see VLANs on page 839.
• Your Spanning Tree Protocol (STP) configuration, including the STP domain (STPD) number, VLAN assignment, and port state.

• That the Neighbor Discovery (ND) cache has the correct entries.
Note: The ND cache is applicable only in IPv6 environments.
To display the contents of the ND cache, use the show neighbor-discovery cache ipv6 command.
• IP routing protocol statistics for the CPU of the switch. Only statistics for the packets handled by the CPU are displayed.

To display RIP-specific statistics for all VLANs, use the show rip interface detail command.
• Your RIP next generation (RIPng) configuration, including RIPng poison reverse, split horizon, triggered updates, transmit version, and receive version.
Note: RIPng is applicable only in IPv6 environments.
To display detailed information about how you have RIPng configured on the switch, use the show ripng command.
• RIPng activity and statistics for all VLANs on the switch.

On power-on, some I/O modules do not boot: Check the output of the show power budget command to see if all power supplies display the expected input voltage. Also see the section Power Management Guidelines on page 74 for more detailed information about power management.
ERR LED on the Management Switch Fabric Module (MSM) turns amber: Check the syslog messages for "critical" software errors.

• General Tips and Recommendations on page 835
• MSM Prompt on page 837
• Command Prompt on page 837
• Port Configuration on page 837
• Software License Error Messages on page 838
• VLANs on page 839
• STP on page 840
• VRRP on page 840

General Tips and Recommendations

The initial welcome prompt does not display: Check that:
• Your terminal or terminal emulator is correctly configured
• Your terminal or terminal emulator has the correct settings:
• 9600 baud
-
• Telnet access is enabled for the switch. If you attempt to log in and the maximum number of Telnet sessions are in use, you should receive an error message indicating so.
Telnet carries credentials and the whole session in cleartext. The switch also provides an SSH2 server (see Management - Other in Appendix D); use SSH2 for management access and leave Telnet disabled unless you need it for a specific, isolated purpose.

Traps are not received by the SNMP Network Manager: Check that the SNMP Network Manager's IP address and community string are correctly configured, and that the IP address of the trap receiver is configured properly on the system.

MSM Prompt

You do not know which MSM you are connected to: If you use a console connection to access and configure the switch, you should connect to the console port of the primary MSM, not the backup MSM. To determine which console port you are connected to, use the show switch command. The output displays both the primary and backup MSMs, if installed, and an asterisk (*) appears to the right of the MSM you are connected to.

When a device that has autonegotiation disabled is connected to a NETGEAR switch with autonegotiation enabled, the NETGEAR switch links at the correct speed, but in half-duplex mode. The NETGEAR switch 10/100 physical interface uses a method called parallel detection to bring up the link.

Error: This command cannot be executed at the current license level.
You have reached the limits defined by the current software license level: If you attempt to execute a command and you have reached the limits defined by the current license level, the switch returns the following message:
Error: You have reached the maximum limit for this feature at this license level.
See Appendix A, XCM8800 Software Licenses, for information about licensing requirements.

STP

You have connected an endstation directly to the switch and the endstation fails to boot correctly: The switch has the Spanning Tree Protocol (STP) enabled, and the endstation is booting before the STP initialization process is complete. Disable STP for that VLAN, or turn off STP on the switch ports of the endstation and the devices to which it is attempting to connect; then reboot the endstation. Turning STP off on a port removes loop protection there, so limit this to ports that connect only to end stations.

VRRP

Before configuring any virtual router parameters for VRRP, you must first create the VRRP instance on the switch. If you define VRRP parameters before creating the VRRP instance, you may see an error similar to the following:
Error: VRRP VR for vlan vrrp1, vrid 1 does not exist. Please create the VRRP VR before assigning parameters.
Configuration failed on backup MSM, command execution aborted!
If this happens:
• Create a VRRP instance using the create vrrp vlan vrid command.
-
Obtaining the Rescue Image from a TFTP Server

To recover the switch, you must enter the Bootloader and issue a series of commands. To access the Bootloader:
1. Attach a serial cable to the console port of the MSM.
2. Attach the other end of the serial cable to a properly configured terminal or terminal emulator. The terminal settings are:
• 9600 baud
• 8 data bits
• 1 stop bit
• no parity
• XON/XOFF flow control enabled
3.

After you download the XCM8800 image file, the switch installs the software and reboots. After the switch reboots, it enters an uninitialized state. At this point, configure the switch and save your configuration. In addition, if you previously had modular software packages installed, you must re-install the software packages on each switch partition. For more information about installing software packages, see Appendix B, Software Upgrade and Boot Options.

Note: You must press the spacebar immediately after a power cycle of the MSM in order to get into the Bootloader application. As soon as you see the BootRom -> prompt, release the spacebar. From here, you can begin the recovery process.
To obtain the rescue image that you placed on the compact flash memory card and recover the switch:
1.

After debug mode has been enabled, you can configure EMS to capture specific debug information from the switch. Details of EMS can be found in Chapter 8, Status Monitoring and Statistics.

Saving Debug Information

You can save switch data and statistics to an external memory card installed in the external compact flash slot of an MSM (modular switches only), to the internal memory card that comes preinstalled in the switch, or to a network TFTP server.

• internal-memory—Specifies that saving debug information to the internal memory card is enabled. This is the default behavior. Use this parameter only under the guidance of NETGEAR Technical Support personnel.
• memorycard—Specifies that saving debug information to the external memory card is enabled. Use this parameter only under the guidance of NETGEAR Technical Support personnel. (This parameter is available only on modular switches.

Tarball Name: TechPubsLab_C_09271428.tgz
./primary.cfg
You can also use this command in conjunction with the show tech command. Before uploading debug information files, the switch prompts you to run the show tech command with the logto file option:
Do you want to run show tech logto file first? (y/n)
Enter y to run the show tech command before uploading debug information. If you enter y, the show_tech.log.tgz file is included in the upload. Note that the archive contains the saved switch configuration (primary.cfg in the listing above); treat the tarball as sensitive data both in transit and wherever it is stored.

Displaying Files

To display a list of the files stored on your card, including core dump files, use the following command:
ls {[internal-memory | memorycard]} {}
Where the following is true:
• internal-memory—Lists the core dump files that are present and saved in the internal memory card. If the switch has not saved any debug files, no files are displayed.

Copying Files

The copy function allows you to make a copy of an existing file before you alter or edit the file. By making a copy, you can easily go back to the original file if needed.

• tftp get [ | ] {-vr } [{[internal-memory | memorycard | } {} | {} {[internal-memory | memorycard | ]}] {force-overwrite}
• tftp put [ | ] {-vr } [{[internal-memory | memorycard | } {} | {} {[internal-

If you configure the switch to send core dump information to the internal memory card, specify the internal-memory option to transfer an existing core dump file from the internal memory card to the TFTP server. If you have a modular switch with an external compact flash memory card installed, specify the memorycard option to transfer an existing core dump file from the external memory card to the TFTP server. For more information about TFTP, see Chapter 3, Managing the Switch.
-
• ACLs created using the CLI
• DoS Protect-installed ACLs
• Sentriant-installed ACLs
• MAC-in-MAC installed ACLs
• ACLs applied with a policy file (see Chapter 13, ACLs, for precedence among these ACLs)
For information on policy files and ACLs, see Chapter 12, Policy Manager, and Chapter 13, ACLs.

TOP Command

The top command is a UNIX-based command that displays real-time CPU utilization information by process.

• First Recorded Start Date—The date that the component was powered up and began running
Depending on the software version running on your switch, the modules installed in your switch, and the type of switch you have, additional or different odometer information may be displayed. The following is sample output from a NETGEAR 8800 series switch:
XCM8810.

For more information, see the hardware documentation listed in Related Publications on page 24.

Inserting Powered Devices in the PoE Module

To reduce the chance of ports fluctuating between powered and non-powered states, newly inserted powered devices (PDs) are not powered when the actual delivered power for the module is within approximately 19 W of the configured inline power budget for that slot.

To modify the hardware table utilization, use the following command:
configure forwarding hash-algorithm [crc16 | crc32] {dual-hash [on | off]}
• The dual-hash [on | off] parameter applies only to NETGEAR 8800 series switches. It allows you to disable dual hashing on NETGEAR 8800 modules. The default value for dual-hash is on.

• 1-888-NETGEAR (US and Canada only)
• In other countries, see the support information card
You can also visit the support website at: http://support.netgear.com
From the support website, you can download software updates (requires a service contract) and documentation (including a PDF version of this manual).
856 | Appendix C.

Appendix D.
-
Virtual LANs (VLANs), Virtual MANs (vMANs) and MAC in MAC
IEEE 802.1Q VLAN Tagging
IEEE 802.3ad Static load sharing configuration and LACP-based dynamic configuration
Protocol-sensitive VLANs
Multiple STP domains per VLAN
Virtual MANs

Routing Information Protocol (RIP)
RFC 1058 Routing Information Protocol v1
RFC 2453 RIP Version 2

Quality of Service (QoS) and Policies
IEEE 802.1D-1998 (802.

IP Multicast
RFC 1112 Host extensions for IP multicasting (Internet Group Management Protocol version 1)
RFC 2236 IGMP Version 2
RFC 3376 IGMP Version 3
IGMP Snooping with Configurable Router Registration Forwarding
RFC 2362 Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification
RFC 2933 Internet Group Management Protocol MIB (a)
RFC 2934 Protocol Independent Multicast MIB for IPv4 (b)
RFC 3618 MSDP
RFC 3446 Anycast RP mechanism using PIM and MSDP
a.

Management - SNMP & MIBs
RFC 1155 Structure and identification of management information for TCP/IP-based internets
RFC 1157 Simple Network Management Protocol (SNMP)
RFC 1212 Concise MIB definitions
RFC 1213 Management Information Base for Network Management of TCP/IP-based internets: MIB-II
RFC 1215 Convention for defining traps for use with the Simple Network Management Protocol (SNMP)
RFC 2233 Evolution of the Interfaces Group of MIB-II
RFC 1901 Introduction to Community-based

Management - Other
RFC 854 Telnet Protocol Specification
Telnet client and server
Secure Shell 2 (SSH2) client and server
Secure Copy 2 (SCP2) client and server
Configuration logging
Multiple Images, Multiple Configs
BSD System Logging Protocol (SYSLOG), with Multiple Syslog Servers
Local Messages (criticals stored across reboots)
RFC 2030 Simple Network Time Protocol (SNTP) Version 4 for IPv4 and OSI

Security
Routing protocol authentication
RFC 1492 An Access Control Protocol, S
-
Note: Only entries for the default VR are supported.

Standard MIBs

RFC 1213 (MIB-II)
The following tables, groups, and variables are supported in this MIB.
Table/Group | Supported Variables | Comments
System group scalars | All objects | The object 'sysServices' will always return the value '79'.
Interfaces group | | Supported as per RFC 2233.

Table/Group | Supported Variables | Comments
| ifDescr |
| ifType | Only the following values are supported: {other, ethernetCsmacd, softwareLoopback, propVirtual}
| ifMtu |
| ifSpeed |
| ifPhysAddress |
| ifAdminStatus | The testing state is not supported.
| ifOperStatus |
| ifLastChange |
| ifInOctets | Updated every time SNMP queries this counter.
| ifInUcastPkts | Updated every time SNMP queries this counter.

Table/Group | Supported Variables | Comments
IfTestTable | Not supported |
ifRcvAddressTable | All objects | The 'ifRcvAddressTable' is supported read-only. Also, only entries for physical ports will appear in it.
snmpTraps | linkDown |
| linkUp |

RFC 1215
This MIB defines an SMI for SNMPv1 traps, and some traps themselves. Of these, the following are supported.
Traps | Comments
coldStart | The system cannot distinguish between a cold and warm reboot, so the warmStart trap is always sent.
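Because this switch always sends warmStart, a trap receiver cannot tell from the trap type whether a reboot was a power cycle or a software restart, and a monitoring rule keyed on coldStart will never fire for it. The following Python routine is an added example, not part of the NETGEAR manual: it triages a constructed trap-receiver log, treating every warmStart from the switch as a reboot of unknown cause, flagging a coldStart attributed to the switch as unexpected given the behaviour stated above, and counting linkUp/linkDown transitions per interface to catch flapping ports. The log line format, the agent address, the ifIndex values and the flap threshold are constructed for the example and are not the output of the switch or of any particular trap daemon.

```python
# Added example (not from the NETGEAR manual): triage of the RFC 1215 traps the
# XCM8800 sends, for Python 3.7+ using only the standard library.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed trap-receiver log, one trap per line:
#   "<ISO-8601 timestamp> <agent address> <trap name> [ifIndex]"
# The line format, agent address and ifIndex values are assumptions made for this
# example, not the switch's output or a real trap daemon's log format.
SAMPLE_TRAPS = """\
2011-03-01T08:00:00 10.10.10.2 warmStart
2011-03-01T08:00:05 10.10.10.2 linkUp 1001
2011-03-01T08:01:00 10.10.10.2 linkDown 1003
2011-03-01T08:01:04 10.10.10.2 linkUp 1003
2011-03-01T08:01:09 10.10.10.2 linkDown 1003
2011-03-01T08:01:13 10.10.10.2 linkUp 1003
2011-03-01T08:01:20 10.10.10.2 linkDown 1003
2011-03-01T09:30:00 10.10.10.2 coldStart
2011-03-01T09:45:00 10.10.10.2 linkDown 1002
"""


def parse_trap_line(line: str) -> dict:
    """Split one log line into its fields; ifindex is None for traps that carry none."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed trap line: {line!r}")
    return {
        "time": datetime.fromisoformat(fields[0]),
        "agent": fields[1],
        "trap": fields[2],
        "ifindex": int(fields[3]) if len(fields) > 3 else None,
    }


def triage(log: str, flap_threshold: int = 4, window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return one finding per event worth a human's attention, in log order."""
    findings: List[str] = []
    # Per (agent, ifIndex): timestamps of the link transitions still inside the window.
    transitions: Dict[Tuple[str, int], List[datetime]] = defaultdict(list)

    for line in log.splitlines():
        if not line.strip():
            continue
        trap = parse_trap_line(line)
        stamp = trap["time"].isoformat()

        if trap["trap"] == "warmStart":
            # The switch cannot distinguish a cold from a warm reboot and always sends
            # warmStart, so the trap only says "the agent rebooted", not why.
            findings.append(f"{stamp} {trap['agent']}: reboot (cause unknown)")
        elif trap["trap"] == "coldStart":
            # Given that behaviour, a coldStart attributed to this switch is not something
            # it sends itself; treat it as unexpected and find out where it came from.
            findings.append(f"{stamp} {trap['agent']}: unexpected coldStart")
        elif trap["trap"] in ("linkUp", "linkDown") and trap["ifindex"] is not None:
            key = (trap["agent"], trap["ifindex"])
            history = transitions[key]
            history.append(trap["time"])
            # Drop transitions that have aged out of the window.
            while history and trap["time"] - history[0] > window:
                history.pop(0)
            # Report once, at the moment the threshold is reached.
            if len(history) == flap_threshold:
                findings.append(
                    f"{stamp} {trap['agent']}: ifIndex {trap['ifindex']} flapping "
                    f"({flap_threshold} link transitions within {int(window.total_seconds())}s)"
                )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAPS):
        print(finding)
```

On the sample log this reports the 08:00 reboot, the flapping port 1003 once the fourth transition arrives within the 60 s window, and the coldStart at 09:30; the single linkDown on port 1002 is left alone. A reboot with no matching change record is the event to chase first.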
-
Table/Group | Supported Variables | Comments
dot1dStp group scalars | dot1dStpProtocolSpecification | Values for these objects will be returned for the STP domain 's0' only. For other domains, see the NETGEAR-STPEXTENSIONS-MIB.

Table/Group | Supported Variables | Comments
STP Traps | newRoot |
| topologyChange |
dot1dTpFdbTable | Supported | The object dot1dTpFdbTable displays ports and FDB MAC addresses. They include both the static and dynamic FDB entries on the switch. The MIB does not provide a way to identify the VLAN on which the entry was learned. The port numbers are assumed to be 1 to 128 on Slot 1, and 128 to 255 on Slot 2, etc.
dot1dTpPortTable | Supported |
dot1dStatic group | Supported |

Table/Group | Supported Variables | Comments
ospfGeneralGroup | All objects |
ospfAreaTable | All objects |
ospfStubAreaTable | All objects |
ospfLsdbTable | All objects |
ospfAreaRangeTable | All objects |
ospfHostTable | All objects |
ospfIfTable | All objects |
ospfIfMetricTable | All objects |
ospfVirtIfTable | All objects |
ospfNbrTable | All objects |
ospfVirtNbrTable | All objects |
ospfExtLsdbTable | All objects |
ospfAreaAggregateTable | All objects |
ospfTrap | All traps |

RFC 2668 (MAU-MIB)
The foll
-
::= { netgearMauType 10 } "Gigabit LX70, full duplex"
netgearMauType1000BaseZXHD OBJECT IDENTIFIER ::= { netgearMauType 11 } "Gigabit ZX, half duplex"
netgearMauType1000BaseZXFD OBJECT IDENTIFIER ::= { netgearMauType 12 } "Gigabit ZX, full duplex"
Corresponding MAU Type List Bits values have been added:
netgear_ifMauTypeListBits_b1000baseWDMHD -- 64
netgear_ifMauTypeListBits_b1000baseWDMFD -- 65
netgear_ifMauTypeListBits_b1000baseLX70HD -- 66
netgear_ifMauTypeListBits_b1000baseLX70FD

dot3MauType10GigBaseSR OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "R fiber over 850 nm optics (per 802.3 section 52)"
    ::= { dot3MauType 36 }
dot3MauType10GigBaseW OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "W PCS/PMA (per 802.3 section 49 and 50), unknown PMD."
    ::= { dot3MauType 37 }
dot3MauType10GigBaseEW OBJECT-IDENTITY
    STATUS current
    DESCRIPTION "W fiber over 1550 nm optics (per 802.
-
Table/Group | Supported Variables | Comments
| vrrpRouterVrIdErrors |
vrrpOperTable | All objects | Creation of a new row or modifying an existing row requires vrrpOperAdminState to be set to 'down'; otherwise any kind of set will fail on this table. vrrpOperAuthType does not support 'ipAuthenticationHeader'.
vrrpAssoIpAddrTable | All objects |
vrrpRouterStatsTable | All objects |
vrrpNotifications | vrrpTrapNewMaster |
| vrrpTrapAuthFailure |

PIM-MIB (draft-ietf-pim-mib-v2-01.

Table/Group | Supported Variables | Comments
| pimInterfaceHelloHoldtime | These objects are supported as read only.
| pimInterfaceLanPruneDelay |
| pimInterfacePropagationDelay |
| pimInterfaceOverrideInterval |
| pimInterfaceGenerationID |
| pimInterfaceJoinPruneHoldtime |
| pimInterfaceGraftRetryInterval |
| pimInterfaceMaxGraftRetries |
| pimInterfaceSRTTLThreshold |
| pimInterfaceLanDelayEnabled |
| pimInterfaceSRCapable |
| pimInterfaceDRPriority |
pimNeighborTable | | This object is supported as read only.

Table/Group | Supported Variables | Comments
| pimIpMRouteRPFNeighbor |
| pimIpMRouteSourceTimer |
| pimIpMRouteOriginatorSRTTL | Feature unsupported, so only the default value is returned.
pimIpMRouteNextHopTable | pimIpMRouteNextHopPruneReason |
| pimIpMRouteNextHopAssertWinner |
| pimIpMRouteNextHopAssertTimer |
| pimIpMRouteNextHopAssertMetric | Not supported.
| pimIpMRouteNextHopAssertMetricPref | Not supported.
| pimIpMRouteNextHopJoinPruneTimer |
pimRPSetTable | | Not supported.

Table/Group | Supported Variables | Comments
| pimSourceLifetime | The State Refresh feature is not supported, so these variables are set to defaults.
| pimStateRefreshInterval |
| pimStateRefreshLimitInterval |
| pimStateRefreshTimeToLive |
PIM Traps | pimNeighborLoss | Not supported.

SNMPv3 MIBs
The XCM8800 SNMP stack fully supports the SNMPv3 protocol and therefore implements the MIBs in the SNMPv3 RFCs. Specifically, the MIBs in the following RFCs are fully supported.

Table/Group | Supported Variables | Comments
| entPhysicalParentRelPos |
| entPhysicalName |
| entPhysicalHardwareRev |
| entPhysicalFirmwareRev |
| entPhysicalSoftwareRev |
| entPhysicalSerialNum |
| entPhysicalMfgName |
| entPhysicalModelName |
| entPhysicalAlias |
| entPhysicalAssetID |
| entPhysicalIsFRU |

RFC 3621 (PoE-MIB)
The following tables, groups, and variables are supported in this MIB.
Table/Group | Supported Variables | Comments
pethPsePortTable | All objects | Objects in this table are read-only.

Table/Group | Supported Variables | Comments
dot1xAuthDiagTable | Not supported | This table has been deprecated in the drafts subsequent to the 2001 version of the 802.1X standard.
dot1xAuthSessionStatsTable | Not supported |
dot1xSuppConfigTable | None | These tables are not applicable to the switch since they are for a supplicant.
dot1xSuppStatsTable | None |

IEEE8021X-EXTENSIONS-MIB
The following tables, groups, and variables are supported in this MIB.
-
Table/Group | Supported Variables | Comments
| probeCapabilities |
| probeSoftwareRev |
| probeHardwareRev |
| probeDateTime |
| probeResetControl |
trapDestTable | All objects |

RFC 2613 (SMON)
The following tables, groups, and variables are supported in this MIB.
Table/Group | Supported Variables | Comments
smonVlanStatsControlTable | smonVlanStatsControlIndex | A unique arbitrary index for this smonVlanStatsControlEntry.
| smonVlanStatsControlDataSource | The source of data for this set of VLAN statistics.

Table/Group | Supported Variables | Comments
smonVlanIdStatsTable | smonVlanIdStatsId | The unique identifier of the VLAN monitored for this specific statistics collection. Tagged packets match the VID for the range between 1 and 4094. An external RMON probe MAY detect VID=0 on an Inter Switch Link, in which case the packet belongs to a VLAN determined by the PVID of the ingress port.

Table/Group | Supported Variables | Comments
dataSourceCapsTable | dataSourceCapsObject | Defines an object that can be an SMON data source or a source or a destination for a port copy operation.
| dataSourceRmonCaps | General attributes of the specified dataSource. Note that these are static attributes, which SHOULD NOT be adjusted because of current resources or configuration.
| dataSourceCopyCaps | PortCopy function capabilities of the specified dataSource.

Table/Group | Supported Variables | Comments
| portCopyDirection | This object affects the way traffic is copied from a switch source port, for the indicated port copy operation. If this object has the value 'copyRxOnly (1)', then only traffic received on the indicated source port will be copied to the indicated destination port. If this object has the value 'copyTxOnly (2)', then only traffic transmitted out the indicated source port will be copied to the indicated destination port.

Table/Group | Supported Variables
ipv6Forwarding | All objects
ipv6DefaultHopLimit | All objects
ipv6Interfaces | All objects
ipv6IfTableLastChange | All objects
ipv6IfTable | All objects except ipv6IfEffectiveMtu
ipv6IfStatsTable | All objects
ipv6AddrPrefixTable | All objects
ipv6AddrTable | All objects
ipv6RouteNumber | All objects
ipv6DiscardedRoutes | All objects
ipv6RouteTable | All objects
ipv6NetToMediaTable | All objects

RFC 2466 (IPV6 ICMP MIB)
The following tab
-
RFC 5601 (PW-STD-MIB)
The following tables, groups, and variables are supported in this MIB. All tables and variables of this MIB are supported as read only. The comments here are abbreviated versions of the descriptions in the RFC documentation.
Table/Group | Supported Variables | Comments
pwTable | pwIndex | A unique index for the conceptual row identifying a PW within this table.

Table/Group | Supported Variables | Comments
pwIndexMappingTable | |
| pwOperStatus | This object indicates the operational status of the PW; it does not reflect the status of the Customer Edge (CE) bound interface.
| pwLocalStatus | Indicates the status of the PW in the local node.
| pwRemoteStatus | Indicates the status of the PW as advertised by the remote.
| pwRowStatus | For creating, modifying, and deleting this row. This object MAY be changed at any time.

VPLS-MIB (draft-ietf-l2vpn-vpls-mib-02.txt)
The following tables, groups, and variables are supported in this MIB. All tables and variables of this MIB are supported as read only. The comments here are abbreviated versions of the descriptions in the RFC documentation.
Table/Group | Supported Variables | Comments
vplsConfigTable | vplsConfigIndex | Unique index for the conceptual row identifying a VPLS service.
| vplsConfigName | A textual name of the VPLS.
-
NETGEAR 8800 User Manual Table/Group Supported Variables Comments dot1agCfmMdName Supported as read only. The Maintenance Domain name. dot1agCfmMdMdLevel Supported as read only. The Maintenance Domain Level. dot1agCfmMdMhfCreation Enumerated value indicating whether the management entity can create MHFs (MIP Half Function) for this Maintenance Domain. Supported as read only. Currently Config in CLI is not supported. defMHFdefault(2) value will be returned.
-
  dot1agCfmMaNetCcmInterval | Supported as read only. Transmission interval between CCMs to be used by all MEPs in the MA.
  dot1agCfmMaNetRowStatus | The status of the row. The writable columns in a row cannot be changed if the row is active. All columns must have a valid value before a row can be activated.
Table/Group: dot1agCfmMepTable
  dot1agCfmMdIndex | Maintenance Domain Index.
  dot1agCfmMaIndex | Maintenance Association Index.
-
  dot1agCfmMepCcmLtmPriority | Supported as read only. The priority value for CCMs and LTMs transmitted by the MEP. Configuration through the CLI is currently not supported; the default value 0 is returned.
  dot1agCfmMepMacAddress | MAC address of the MEP. On NETGEAR devices the switch MAC address is returned.
  dot1agCfmMepLowPrDef | Supported as read only. An integer value specifying the lowest priority defect that is allowed to generate a Fault Alarm.
-
  dot1agCfmMepDefects | Error condition to be sent. The condition is any one of the following: bDefRDICCM(0), bDefMACstatus(1), bDefRemoteCCM(2), bDefErrorCCM(3), bDefXconCCM(4).
  dot1agCfmMepErrorCcmLastFailure | The last-received CCM that triggered a DefErrorCCM fault.
  dot1agCfmMepXconCcmLastFailure | The last-received CCM that triggered a DefXconCCM fault.
-
  dot1agCfmMepTransmitLbmStatus | Supported as read only. A Boolean flag set to true by the bridge port to indicate that another LBM may be transmitted.
  dot1agCfmMepTransmitLbmDestMacAddress | Supported as read only. The Target MAC Address Field to be transmitted.
  dot1agCfmMepTransmitLbmDestMepId | Supported as read only. The destination MEP ID need not be given to transmit the LBM.
  dot1agCfmMepTransmitLbmDestIsMepId | Supported as read only.
-
  dot1agCfmMepTransmitLtmFlags | Supported as read only. The flags field for LTMs transmitted by the MEP. Currently only useFDBonly(0) is supported.
  dot1agCfmMepTransmitLtmTargetMacAddress | Supported as read only. The Target MAC Address Field to be transmitted.
  dot1agCfmMepTransmitLtmTargetMepId | Not supported. The destination MEP ID need not be given to transmit the LTM. Value 0 is returned.
Table/Group: dot1agCfmMepDbTable
-
  dot1agCfmMepDbRMepState | The operational state of the remote MEP IFF State machines. The state is any one of the following: rMepIdle(1), rMepStart(2), rMepFailed(3), rMepOk(4).
  dot1agCfmMepDbRMepFailedOkTime | The time (SysUpTime) at which the IFF Remote MEP state machine last entered either the RMEP_FAILED or RMEP_OK state.
  dot1agCfmMepDbMacAddress | The MAC address of the remote MEP.
-
  dot1agCfmMepDbChassisId | The first octet contains the IANA Address Family Numbers enumeration value for the specific address type, and octets 2 through N contain the network address value in network byte order.
  dot1agCfmMepDbManAddressDomain | Not supported: value zero is returned.
  dot1agCfmMepDbManAddress | Not supported: value zero is returned.
Table/Group: dot1agCfmLtrTable
  dot1agCfmMdIndex | Maintenance Domain Index.
-
  dot1agCfmLtrChassisIdSubtype | networkAddress(5) is returned if a Sender ID TLV is received.
  dot1agCfmLtrChassisId | The first octet contains the IANA Address Family Numbers enumeration value for the specific address type, and octets 2 through N contain the network address value in network byte order.
  dot1agCfmLtrManAddressDomain | Not supported: value zero is returned.
-
  dot1agCfmLtrOrganizationSpecificTlv | All Organization-Specific TLVs returned in the LTR.
Table/Group: dot1agCfmStackTable
  dot1agCfmStackifIndex | Index object. This object represents the Bridge Port or aggregated port on which MEPs or MHFs might be configured.
  dot1agCfmStackVlanIdOrNone | Index object. VLAN ID to which the MP is attached.
  dot1agCfmStackMdLevel | Index object. MD Level of the Maintenance Point.
Table/Group: dot1agCfmMaMepListTable
-
Table/Group: dot1agCfmFaultAlarm (NOTIFICATION)
  dot1agCfmMepHighestPrDefect | A MEP has a persistent defect condition. A notification (fault alarm) is sent to the management entity with the OID of the MEP that has detected the fault.
-
Table/Group: dot3StatsTable
  dot3StatsIndex
  dot3StatsAlignmentErrors
  dot3StatsFCSErrors
  dot3StatsSingleCollisionFrames
  dot3StatsMultipleCollisionFrames
  dot3StatsSQETestErrors | Not supported
  dot3StatsDeferredTransmissions
  dot3StatsLateCollisions
  dot3StatsExcessiveCollisions
  dot3StatsInternalMacTransmitErrors
  dot3StatsCarrierSenseErrors | Not supported
  dot3StatsFrameTooLongs
  dot3StatsInternalMacReceiveErrors
  dot3StatsSymbolErrors | Not supported
  dot3S
-
NETGEAR Proprietary MIBs

NETGEAR-SYSTEM-MIB
The following tables, groups, and variables are supported in this MIB.

  netgearSaveConfiguration | When this object is set, the device copies the contents of the configuration database to a buffer and saves it to the persistent store specified by the value of the object.
-
  netgearOverTemperatureAlarm | Alarm status of the overtemperature sensor in the device enclosure.
  netgearPrimaryPowerOperational | Not supported: always returns True.
  netgearPowerStatus | Not supported: always returns presentOK.
  netgearPowerAlarm | Not supported: always returns False.
  netgearRedundantPowerStatus, netgearRedundantPowerAlarm | Not supported: always returns presentOK.
-
  netgearDot1dTpFdbTableEnable | Not supported.
-
  netgearMsmFailoverCause | The cause of the last MSM failover: never(1) means an MSM failover has not occurred since the last reboot; admin(2) means the failover was initiated by the user; exception(3) means the former master MSM encountered a software exception condition; removal(4) means the master MSM was physically removed from the chassis; hwFailure(5) means a diagnostic failure was detected
Table/Group: netgearFanStatusTable
Table/Group: netgearCpuTaskTable
-
Table/Group: netgearCpuTask2Table
  All objects | Not supported.
Table/Group: netgearSlotTable
  All objects | Cards are currently not configurable via SNMP.
Table/Group: netgearPowerSupplyTable
  netgearPowerSupplyStatus | Status of the power supply.
  netgearPowerSupplyInputVoltage | Input voltage of the power supply.
  netgearPowerSupplyFan1Speed | The speed of Fan-1 in the power supply unit.
  netgearPowerSupplyFan2Speed | The speed of Fan-2 in the power supply unit.
-
  netgearSustainingReleaseNumber | The Sustaining Release number for the NETGEAR version.
  netgearBranchRevisionNumber | The branch from which the software image was built.
  netgearImageType | The software image type (for example, EXOS core, EXOS module, EXOS firmware).
-
  netgearCpuMonitorUtilization10secs | This value indicates the CPU utilization over the past 10 seconds.
  netgearCpuMonitorUtilization30secs | This value indicates the CPU utilization over the past 30 seconds.
  netgearCpuMonitorUtilization1min | This value indicates the CPU utilization over the past 1 minute.
  netgearCpuMonitorUtilization5mins | This value indicates the CPU utilization over the past 5 minutes.
-
  netgearCpuMonitorSystemUtilization5mins | This value indicates the CPU utilization over the past 5 minutes.
  netgearCpuMonitorSystemUtilization30mins | This value indicates the CPU utilization over the past 30 minutes.
  netgearCpuMonitorSystemUtilization1hour | This value indicates the CPU utilization over the past 1 hour.
  netgearCpuMonitorSystemMaxUtilization | This value indicates the maximum CPU utilization so far.
-
  netgearMemoryMonitorProcessName | This value indicates the name of the process being monitored.
  netgearMemoryMonitorUsage | This value indicates the amount of memory being consumed by this user process.
-
  netgearVlanIfStatus | The status column for this VLAN interface. This object can be set to active(1), createAndGo(4), createAndWait(5), or destroy(6). The following values may be read: active(1), notInService(2), notReady(3).
  netgearVlanIfIgnoreStpFlag | Not supported.
  netgearVlanIfIgnoreBpduFlag | Not supported.
  netgearVlanIfLoopbackModeFlag | Setting this object to true causes loopback mode to be enabled on this VLAN.
-
Table/Group: netgearVlanOpaqueControlTable
  All objects | For all tables in this MIB that contain objects with RowStatus semantics, the only values supported are {active, createAndGo, destroy}. New to XCM8800: netgearVlanOpaqueControlTable is a write-only table and cannot be read. It is used to add and delete ports on a VLAN.
Table/Group: netgearVlanStackTable
  All objects | Not supported.
Table/Group: netgearVlanL2StatsTable
  All objects | Not supported.
-
  netgearPortLoadshare2SlaveIfIndex | The ifIndex value that identifies a port that is a member of the load-sharing group controlled by netgearPortLoadshare2 MasterIfInde.
  netgearPortLoadshare2Algorithm | This value identifies the load-sharing algorithm to be used for this group of load-shared ports.
  netgearPortLoadshare2Status | The row status variable, used according to row installation and removal conventions.
-
Table/Group: netgearPortXenpakVendorTable
  All objects | Not supported
Table/Group: netgearPortIngressStatsPortTable
  All objects | Not supported
Table/Group: netgearPortIngressStatsQueueTable
  All objects | Not supported
Table/Group: netgearPortEgressRateLimitTable
  All objects | Not supported
Table/Group: netgearWiredClientTable
  All objects | Not supported
Table/Group: netgearPortUtilizationExtnTable
  netgearPortUtilizationExtnEntry | Global QoS profiles are defined in the netgearQosProfileTable.
-
  netgearPortQP0TxBytes | The number of QoS 0 bytes transmitted from this port.
  netgearPortQP0TxPkts | The number of QoS 0 packets transmitted from this port.
  netgearPortQP1TxBytes | The number of QoS 1 bytes transmitted from this port.
  netgearPortQP1TxPkts | The number of QoS 1 packets transmitted from this port.
  netgearPortQP2TxBytes | The number of QoS 2 bytes transmitted from this port.
-
  netgearPortQP7TxBytes | The number of QoS 7 bytes transmitted from this port.
  netgearPortQP7TxPkts | The number of QoS 7 packets transmitted from this port.
Table/Group: netgearPortMauTable
  netgearPortMauEntry | Port Optics Status Table
  netgearPortMauType | This object identifies the MAU type.
  netgearPortMauVendorName | This object identifies the MAU Vendor Name.
Table/Group: netgearPortCongestionStatsTable
Table/Group: netgearPortQosCongestionStatsTable
-
  netgearPortQP5CongPkts | The number of QoS 5 packets dropped due to congestion on this port.
  netgearPortQP6CongPkts | The number of QoS 6 packets dropped due to congestion on this port.
  netgearPortQP7CongPkts | The number of QoS 7 packets dropped due to congestion on this port.

Trap | Comments
  netgearPortMauChangeTrap | This trap is sent whenever a MAU is inserted or removed.
-
  netgearSmartTrapFlushInstanceTableIndex | This object acts as a flush control for the netgearSmartTrapInstanceTable. Setting this object can flush the matching entries from the netgearSmartTrapInstanceTable based on certain rules as defined in the MIB.
Table/Group: netgearSmartTrapRulesTable
  The entries created in the netgearSmartTrapRulesTable define the rules that are used to generate NETGEAR smart traps.
-
Table/Group: netgearTargetAddrExtTable
  netgearTargetAddrExtIgnoreMPModel | When this object is set to TRUE, the version of the trap/notification sent to the corresponding management target (trap receiver) will be the same as in releases of NETGEAR prior to 7.1.0. Thus, the value of the snmpTargetParamsMPModel object in the snmpTargetParamsTable will be ignored when determining the version of the trap/notification to be sent.
-
  netgearTargetAddrExtUseEventComm | This object is used only when sending RMON alarms as SNMPv3 traps. When it is set to TRUE and an RMON risingAlarm or fallingAlarm is being sent for an event, the eventCommunity in the RMON event table is compared to the snmpTargetAddrName in the snmpTargetAddrTable. The alarm is sent to the target only when the two are the same.
-
Table/Group: netgearFdbMacFdbTable
  All objects | Not supported
Table/Group: netgearFdbIpFdbTable
  All objects | Supports SNMP get and get-next operations only.
Table/Group: netgearFdbPermFdbTable
  All objects
Table/Group: netgearFdbMacExosFdbTable
  netgearFdbMacExosFdbEntry | A table that contains information about the hardware MAC FDB table. Supported only on switches running XCM8800. Supports SNMP get and get-next operations only.
-
Trap | Comments
  netgearPowerSupplyFail | One or more sources of power to this agent has failed. Presumably a redundant power supply has taken over.
  netgearModuleStateChanged | Signifies that the value of netgearSlotModuleState for the specified netgearSlotNumber has changed. Traps are reported only for significant states.

NETGEAR-V2TRAP-MIB
This MIB defines the following NETGEAR-specific SNMPv2c traps generated by NETGEAR devices.
-
Trap | Comments
  netgearStpEdgePortLoopDetected | A loop has been detected on the netlogin edge safeguard port and the port will be disabled.

NETGEAR-ENTITY-MIB
The following tables, groups, and variables are supported in this MIB.

Table/Group: netgearEntityFRUTable
  entPhysicalIndex | A table containing information about each FRU in the chassis, based on the Entity MIB.
  netgearEntityFRUStartTime | First Recorded Start Time.
-
Table/Group: netgearRtStatsTable
  netgearRtStatsIndex | All objects are supported read-only.
  netgearRtStatsIntervalStart
  netgearRtStatsCRCAlignErrors
  netgearRtStatsUndersizePkts
  netgearRtStatsOversizePkts
  netgearRtStatsFragments
  netgearRtStatsJabbers
  netgearRtStatsCollisions | All objects are supported read-only.
-
  netgearQosProfileRowStatus | The status of the netgearQosProfile entry. This object can be set to active(1), createAndGo(4), createAndWait(5), or destroy(6). The following values may be read: active(1), notInService(2), notReady(3).
Table/Group: netgearIQosProfileTable
  netgearIQosProfileIndex | XCM8800 does not support global QoS profile settings in the CLI; it supports per-port settings only.
-
  netgearIQosProfileMaxBw | The maximum allowed input bandwidth for this queue, expressed as either a percentage or a specific bandwidth value, as specified by the value of netgearIQosProfileMaxBwType.
  netgearIQosProfileRED | The Random Early Drop threshold.
Table/Group: netgearPerPortQosTable
-
  netgearPerPortQosRowStatus | The status of the netgearPerPortQos entry. This object can be set to active(1) and createAndGo(4). The following value may be read: active(1). Note that destroy(6) is not supported. A row is deleted from this table only when the QoS profile indicated in that row is changed globally.
Table/Group: netgearQosByVlanMappingTable
  netgearVlanIfIndex | Shows the mapping of VLAN to queues for untagged packets.
-
E. Glossary

A

AAA: Authentication, authorization, and accounting. A system to control which computer resources specific users can access and to keep track of the activity of specific users over the network.
ABR: Area border router. In OSPF, an ABR has interfaces in multiple areas, and it is responsible for exchanging summary advertisements with other ABRs.
ACL: Access Control List. ACLs are a mechanism for filtering packets at the hardware level.
-
AS: Autonomous system. In OSPF, an AS is a connected segment of a network topology that consists of a collection of subnetworks (with hosts attached) interconnected by a set of routes. The subnetworks and the routers are expected to be under the control of a single administration. Within an AS, routers may use one or more interior routing protocols and sometimes several sets of metrics.
-
B

BGP: Border Gateway Protocol. BGP is a router protocol in the IP suite designed to exchange network reachability information with BGP systems in other ASs. You use a fully meshed configuration with BGP. BGP provides routing updates that include a network number, a list of ASs that the routing information passed through, and a list of other path attributes.
-
C

carrier VLAN: In STP, carrier VLANs define the scope of the STPD, including the physical and logical ports that belong to the STPD as well as the 802.1Q tags used to transport EMISTP- or PVST+-encapsulated BPDUs. Only one carrier VLAN can exist in any given STPD.
CCM: In CFM, connectivity check messages are CFM frames transmitted periodically by a MEP to ensure connectivity across the maintenance entities to which the transmitting MEP belongs.
-
cluster: In BGP, a cluster is formed within an AS by a route reflector and its client routers.
combo port: Combination port. On some NETGEAR devices, certain ports can be used as either copper or fiber ports.
CoS: Class of Service. Specifying the service level for the classified traffic type.
CRC: Cyclic redundancy check. This simple checksum is designed to detect transmission errors.
-
D

DF: Don't fragment bit. This is the don't fragment bit carried in the flags field of the IP header that indicates that the packet should not be fragmented. The remote host will return ICMP notifications if the packet had to be split anyway, and these are used in MTU discovery.
DHCP: Dynamic Host Configuration Protocol. DHCP allows network administrators to centrally manage and automate the assignment of IP addresses on the corporate network.
-
E

ECMP: Equal Cost Multi Paths. This routing algorithm distributes network traffic across multiple high-bandwidth OSPF, BGP, and static routes to increase performance. The NETGEAR implementation supports multiple equal cost paths between points and divides traffic evenly among the available paths.
edge ports: In STP, edge ports connect to non-STP devices such as routers, endstations, and other hosts.
EEPROM: Electrically erasable programmable read-only memory.
-
F

fast path: This term refers to the data path for a packet that traverses the switch and does not require processing by the CPU. Fast path packets are handled entirely by ASICs and are forwarded at wire speed.
FDB: Forwarding database. The switch maintains a database of all MAC addresses received on all of its ports and uses this information to decide whether a frame should be forwarded or filtered.
-
I

IBGP: Interior Border Gateway Protocol. IBGP is the BGP version used within an AS.
ICMP: Internet Control Message Protocol. ICMP is the part of the TCP/IP protocol that allows generation of error messages, test packets, and operating messages. For example, the ping command allows you to send ICMP echo messages to a remote IP device to test for connectivity. ICMP also supports traceroute, which identifies intermediate hops between a given source and destination.
-
IPv6: Internet Protocol version 6. IPv6 is the next-generation IP protocol. The specification was completed in 1997 by the IETF. IPv6 is backward-compatible with and is designed to fix the shortcomings of IPv4, such as data security and the maximum number of user addresses.
-
J

jumbo frames: These are Ethernet frames that are larger than 1522 bytes (including the 4 bytes in the CRC). The jumbo frame size is configurable on NETGEAR devices; the range is from 1523 to 9216 bytes.

L

LACP: Link Aggregation Control Protocol. LACP is part of IEEE 802.3ad and automatically configures multiple aggregated links between switches.
LAG: Link aggregation group.
-
LFS: Link Fault Signal. LFS, which conforms to IEEE standard 802.3ae-2002, monitors 10 Gbps ports and indicates either remote faults or local faults.
loop detection: In ELRP, loop detection is the process used to detect a loop in the network. The switch sending the ELRP PDU waits to receive its original PDU back. If the switch receives this original PDU, there is a loop in the network.
LSA: Link state advertisement.
-
M

MIB: Management Information Base. MIBs make up a database of information (for example, traffic statistics and port settings) that the switch makes available to network management systems. MIB names identify objects that can be managed in a network and contain information about the objects. MIBs provide a means to configure a network device and obtain network statistics gathered by the device.
-
MSTP: Multiple Spanning Tree Protocol. MSTP, based on IEEE 802.1Q-2003 (formerly known as IEEE 802.1s), allows you to bundle multiple VLANs into one spanning tree (STP) topology, which also provides enhanced loop protection and better scaling. MSTP uses RSTP as the converging algorithm and is compatible with legacy STP protocols.
MSTP region: An MSTP region defines the logical boundary of the network.
-
N

netlogin: Network login provides extra security to the network by assigning addresses only to those users who are properly authenticated. You can use web-based, MAC-based, or IEEE 802.1x-based authentication with network login. The two modes of operation are campus mode and ISP mode.
netmask: A netmask is a string of 0s and 1s that mask, or screen out, the network part of an IP address, so that only the host computer part of the address remains.
-
O

OSI reference model: The 7-layer standard model for network architecture is the basis for defining network protocol standards and the way that data passes through the network. Each layer specifies particular network functions; the highest layer is closest to the user, and the lowest layer is closest to the media carrying the information.
-
P

ping: Packet Internet Groper. Ping is the ICMP echo message and its reply that tests network reachability of a device. Ping sends an echo packet to the specified host, waits for a response, and reports success or failure and statistics about its operation.
PMBR: PIM multicast border router. A PMBR integrates PIM-DM and PIM-SM traffic.
PoE: Power over Ethernet. The PoE standard (IEEE 802.
-
Q

QoS: Quality of Service. Policy-enabled QoS is a network service that provides the ability to prioritize different types of traffic and to manage bandwidth over a network. QoS uses various methods to prioritize traffic, including IEEE 802.1p values and IP DiffServ values.

R

RADIUS: Remote Authentication Dial In User Service.
-
root port: In STP, the root port provides the shortest path to the root bridge. All bridges except the root bridge contain one root port.
route aggregation: In BGP, you can combine the characteristics of several routes so they are advertised as a single route, which reduces the size of the routing tables.
route flapping: A route is flapping when it is repeatedly available, then unavailable, then available, then unavailable.
-
S

6to4 tunnels: The 6to4 tunnels are one way to send IPv6 packets over IPv4 networks. This transition mechanism provides a way to connect IPv6 end-site networks by automatically tunnelling over the intervening IPv4 Internet. A special IPv6 routing prefix is used to indicate that the remaining part of the external routing prefix contains the IPv4 endpoint address of a boundary IPv6 router for that site that will process IPv6-in-IPv4-encapsulated packets.
-
STP: Spanning Tree Protocol. STP is a protocol, defined in IEEE 802.1d, used to eliminate redundant data paths and to increase network efficiency. STP allows a network to have a topology that contains physical loops; it operates in bridges and switches. STP opens certain paths to create a tree topology, thereby preventing packets from looping endlessly on the network.
-
T

TCP: Transmission Control Protocol. Together with Internet Protocol (IP), TCP is one of the core protocols underlying the Internet. The two protocols are usually referred to as a group, by the term TCP/IP. TCP provides a reliable connection, which means that each end of the session is guaranteed to receive all of the data transmitted by the other end of the connection, in the same order that it was originally transmitted, without receiving duplicates.
-
V

VLAN: Virtual LAN. The term VLAN is used to refer to a collection of devices that communicate as if they are on the same physical LAN. Any set of ports (including all ports on the switch) is considered a VLAN. LAN segments are not restricted by the hardware that physically connects them. The segments are defined by flexible user groups you create with the CLI.
VLSM: Variable-length subnet masks.
-
VRRP: Virtual Router Redundancy Protocol. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual router is called the master router, and forwards packets sent to these IP addresses. The election process provides dynamic failover in the forwarding responsibility should the master router become unavailable.
-
Index Symbols ! prompt 42, 208 .cfg file 818 .gz file 846 .pol file 295 .xmod file 806 .xos file 806 * prompt 41 # prompt 40, 41 > prompt 40, 41 Numerics 10 gigabit ports 120 802.1ad 780 802.1D 519 802.1D-2004 519 802.1p default map to egress QoS profiles 370 examination feature 363 priority replacement 374 traffic groups 362 802.1Q amended for vMANs 780 tagging 242 802.1Q-2003 557 802.1s 557 802.1w 545 802.1x and NAP 408 802.
-
Alarms, RMON 235 area 0 OSPF 678 OSPFv3 690 areas OSPF 677 OSPFv3 690 ARP and IP multinetting 622 and VLAN aggregation 635 communicating with devices outside subnet 620 configuring proxy ARP 619 disabling additions on superVLAN 636 gratuitous ARP protection 458 incapable device 619 learning adding permanent entries 457 configuring 457 DHCP secured ARP 457 displaying information 458 overview 456 proxy ARP between subnets 620 proxy ARP, description of 619 responding to ARP requests 6
-
blackhole entries, FDB 274, 437 Bootloader accessing 826 exiting 827 BOOTP relay configuring 627 viewing 629 server 56 using 56 BootROM displaying 828 prompt 826 Bootstrap Protocol. See BOOTP Border Gateway Protocol.
-
console connection 52 maximum sessions 52 controlling Telnet access 58 conventions, guide notice icons 23 text 23 core dump file .gz file 846 copying 849 copying to the switch 846 copying to the tftp server 846 deleting 851 description 845 displaying 848 renaming 848 sending to the switch 845 core image.
-
ASCII-formatted configuration 821 configuration 824 DSCP 363 default map to QoS profiles 364 replacement 375 dual-rate QoS 367 duplex setting, ports 118 duplex, displaying setting 148 dynamic ACLs 313 checkpointing 68 FDB entries 273, 437 MVR 751 routes IPv4 596 IPv6 644 VLANs. See netlogin Dynamic Host Configuration Protocol.
-
contents 272 dynamic 273 limiting 279 multicast with multiport entries 283 non-aging 273 non-permanent dynamic entry 273 prioritizing 279 PVLAN 257 static 273 MAC learning 280 managing 274 prioritizing entries 437 feature pack displaying 798 enabling 799 features, platform-specific 23 file server applications, QoS 361 file syntax, policy 346 file system administration 96 filename requirements 96, 847 filenames, troubleshooting 96, 847 files copying 98, 849 deleting 103, 851 display
-
IEEE 802.3af 173 IGMP and IP multinetting 624 description 733 snooping 733 snooping filters 735 static 734 image .xos file 806 definition 801 downloading 805 primary and secondary 803 selecting a partition 804 upgrading 804 version string 803 inheriting ports, MSTP 534 in-profile traffic 366 Input/Output module. See I/O module interfaces active 726 IP multinetting 620 IPv6 router 639 passive 726 router 595 Internet Group Management Protocol.
-
multiple routes 645 populating 643 verifying the configuration 651 IPX protocol filter 245 IPX_8022 protocol filter 245 IPX_SNAP protocol filter 245 IRDP, and IP multinetting 622 isolated subscriber VLAN 255 ISP mode 392 J jumbo frames description 122 enabling 123 IP fragmentation 123 path MTU discovery 123 viewing port settings 148 K keys line-editing 34 port monitoring 195 L L2 Edge license features 794 LACP. See link aggregation LAG.
-
TLVs 151 traps 152 mandatory TLVs 158 MED information 171 messages received 158 messages sent 156 multicast address 152 neighbor information 171 overview 150 port configuration information 170 receive only TLVs 154 received TLVs 158 repeated TLVs 156 restoring defaults 170 SNMP traps 155 standards-mandated TLVs 156 statistics 171 system description TLV 160 timers 155 transmitted TLVs 156 troubleshooting 153, 163 unconfiguring 164, 170 load sharing 131 See also link aggregation and
-
maximum CPU sample limit, sFlow 232 memory protection 96, 109 meters, QoS 369 mgmt VLAN 53 MIBs, supported 78, 860 minimum bandwidth, QoS 367 MLD, static 760 modular switch jumbo frames 122 load sharing, configuring 132 monitor port 138 port number 116 port-mirroring 138 slot configuration 113 module enabling and disabling 114 type and number of 114 module recovery actions 208 clearing the shutdown state 211 configuring 206 description 206 displaying 209 troubleshooting 212 monitor
-
Multiple Instance Spanning Tree Protocol. See EMISTP multiple nexthop support 341 multiple routes IPv4 597 IPv6 645 Multiple Spanning Tree Instances. See MSTI Multiple Spanning Tree Protocol. See MSTP multiple supplicants, network login support 392 MVR and STP 754 dynamic 751 forwarding rules 751 static 750 N names character types 31 conventions 31 maximum length of 31 switch 41 VLAN 246 VLAN, STP, EAPS 31 NAP and 802.
-
opaque LSAs, OSPF 675 Open LDAP 498 Open Shortest Path First IPv6. See OSPFv3 Open Shortest Path First.
-
capacitance measurement 182 configuration display 186 configuring 179 default power 180 deny port 180 denying power 175 devices 172 disconnect precedence 175, 180 EMS message 177 enabling and disabling power 179 features 173 hitless failover support 172 legacy powered devices 182 operator limit 183 port fault state 176 port labels 183 port power limits 178 port priority 176, 180 power budget 174, 186 power checking 173 powering PoE modules 173 required power 174 reserving power 180
Power over Ethernet. See PoE
power supply controller 73
powered devices. See PoE
primary image 803
prioritizing entries, FDB 279
private AS numbers 716
private community, SNMP 80
private VLAN.
    port-based 365
    precedence 365
    VLAN-based 365
  troubleshooting 369, 378, 379
  two-color 366
  use with full-duplex links 359
  video applications 360
  viewing port settings 148
  VLANs flood control 385
  voice applications 360
  web browsing applications 360
  weighted fair queuing 368
Quality of Service.
RFC 2933 859
RFC 2934 859
RFC 3046 628
RFC 3376 733, 859
RFC 3392 698
RFC 3410 873
RFC 3411 873
RFC 3412 873
RFC 3413 873
RFC 3414 873
RFC 3415 873
RFC 3418 160
RFC 3446 763, 859
RFC 3513 638, 640
RFC 3618 762, 763, 859
RFC 3621 858
RFC 3623 858
RFC 3826 873
RFC 3849 642
RFC 4360 698
RFC 4486 698
RFC 4760 698
RFC 4893 698
RFC 5396 698
RFCs
  BGP 697
  bridge 573
  IPv4 multicast routing 724
  IPv4 unicast routing 594
  IPv6 unicast routing 638, 642
  listing 857
  OSPF 673
  RIP 661
  RIPng 668
  VRRP
routing table
  entries, RIP 663
  entries, RIPng 670
  IPv4, populating 596
  IPv6, populating 643
RP
  and MSDP 762
  definition 729
RSTP
  See also STP
  and STP 556
  configuring 572
  designated port rapid behavior 552
  edge safeguard 548
  link types
    auto 547
    broadcast 547
    configuring 547
    description 546
    edge 547
    point-to-point 547
  operation 550
  overview 545
  port roles
    alternate 546
    backup 546
    designated 546
    disabled 546
    edge 548
    root 546
  rapid reconvergence 553
  receiving bridge behavior 552
  root p
  displaying information 114
  enabling and disabling 114
  manual configuration 114
  mismatch 114
  preconfiguring 114
slow path routing 604
Smart Redundancy
  configuring 147
  description 146
  displaying 148
  port recovery 147
smart refresh, ACLs 296
SMON 237, 876
SNAP protocol 246
SNMP
  and safe defaults mode 78
  community strings 79
  configuring 79
  settings, displaying 80
  supported MIBs 78
  system contact 80
  system location 80
  system name 80
  trap receivers 79
  using 76
SNMPEngineBoots 82
snmpEngi
static MVR 750
static networks, and BGP 718
static routes 597, 644
statistics
  CPU utilization 110
  port 193
statistics, RMON 235
status monitoring 192
stop process 107
STP
  advanced example 541
  and IP multinetting 624
  and MVR 754
  and RSTP 556
  and VLANs 527
  and VRRP 586
  autobind ports 533
  basic configuration example 538
  bridge priority 572
  carrier vlan 527
  compatibility between 802.1D-1998 and 802.
system diagnostics 197
system health check 202
system health checker 202, 204
  configuring backplane diagnostics 203
  disabling backplane diagnostics 203
  displaying 203
  enabling backplane diagnostics 203
  modes of operation 202
system health, monitoring 202
system LEDs 833
system location, SNMP 80
system name, SNMP 80
system odometer 852
system recovery
  configuring 205
  description 205
  displaying 206
  software 205
system redundancy
  bulk checkpointing 67
  configuring node priority 65
  dete
  VLAN-based 365
  802.1p-based 362
traffic groups, introduction 361
traffic queues
  multicast 371
traffic, in-profile 366
traffic, out-of-profile 366
transmit errors, port 193
trap receivers, SNMP 79
trapDestTable 236
triggered updates, RIP 663
triggered updates, RIPng 670
Trivial File Transfer Protocol.
  OSPFv3 691
Virtual Router Redundancy Protocol. See VRRP
virtual router. See VR
virtual routers
  default for Telnet 56
VLAN aggregation
  description 634
  limitations 635
  properties 635
  proxy ARP 636
  secondary IP address 634
  subVLAN 634
  superVLAN 634
VLAN isolation 252
VLAN stacking 780
VLAN tagging 242
VLAN, guest.
  route table tracking 588
  skew time 584, 587
  tracking
    description 587
    example 592
  troubleshooting 840
  virtual IP addresses 586
  virtual router MAC address 585, 590
  VLAN tracking 588, 593
  VRRP virtual router identifier (VRID) 586
VSA
  203
    example 484, 485, 487
  204
    example 485
  205
    example 486
  206
    examples 486
  definitions
    Extreme 483
    NAP 411
  definitions (table) 411, 483
  order of use 485
W
warranty 798
web browsing applications, and QoS 360
web-based authentication 412
  adva