Trademarks Copyright © PLANET Technology Corp. 2016. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
Contents (excerpt)

CHAPTER 1 INTRODUCTION 1-1
1.1 PACKET CONTENTS 1-1
1.2 PRODUCT DESCRIPTION 1-1
1.3 PRODUCT FEATURES
4.4.5 Typical SNMP Configuration Examples 4-13
4.4.6 SNMP Troubleshooting 4-15
4.5 SWITCH UPGRADE 4-15
4.5.1 Switch System Files
10.3 ULDP FUNCTION TYPICAL EXAMPLES 10-22
10.4 ULDP TROUBLESHOOTING 10-23
CHAPTER 11 LLDP FUNCTION OPERATION CONFIGURATION 11-25
11.1 INTRODUCTION TO LLDP FUNCTION 11-25
16.4 DDM TROUBLESHOOTING 16-59
CHAPTER 17 LLDP-MED 17-60
17.1 INTRODUCTION TO LLDP-MED 17-60
17.2 LLDP-MED CONFIGURATION TASK SEQUENCE
20.5 MULTI-TO-ONE VLAN TRANSLATION CONFIGURATION 20-89
20.5.1 Introduction to Multi-to-One VLAN Translation 20-89
20.5.2 Multi-to-One VLAN Translation Configuration 20-89
20.5.3 Typical Application of Multi-to-One VLAN Translation 20-90
22.3 MSTP CONFIGURATION TASK LIST 22-118
22.4 MSTP EXAMPLE 22-123
22.5 MSTP TROUBLESHOOTING 22-127
CHAPTER 23 QOS CONFIGURATION
26.4 RIP 26-15
26.4.1 Introduction to RIP 26-15
26.4.2 RIP Configuration Task List 26-16
26.4.3 RIP Examples – Typical RIP
CHAPTER 31 DHCP CONFIGURATION 31-60
31.1 INTRODUCTION TO DHCP 31-60
31.2 DHCP SERVER CONFIGURATION 31-61
31.3 DHCP RELAY CONFIGURATION
36.1 INTRODUCTION TO DHCP SNOOPING 36-12
36.2 DHCP SNOOPING CONFIGURATION TASK SEQUENCE 36-13
36.3 DHCP SNOOPING TYPICAL APPLICATION 36-18
36.4 DHCP SNOOPING TROUBLESHOOTING HELP
40.3 MULTICAST VLAN EXAMPLES 40-46
CHAPTER 41 ACL CONFIGURATION 41-49
41.1 INTRODUCTION TO ACL 41-49
41.1.1 Access-list
45.2 SECURITY FEATURE CONFIGURATION 45-103
45.2.1 Prevent IP Spoofing Function Configuration Task Sequence 45-103
45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence 45-103
45.2.3 Anti Port Cheat Function Configuration Task Sequence 45-104
50.3 MAB EXAMPLE 50-126
50.4 MAB TROUBLESHOOTING 50-128
CHAPTER 51 PPPOE INTERMEDIATE AGENT CONFIGURATION 51-129
51.1 INTRODUCTION TO PPPOE INTERMEDIATE AGENT 51-129
56.2 ULPP CONFIGURATION TASK LIST 56-20
56.3 ULPP TYPICAL EXAMPLES 56-23
56.3.1 ULPP Typical Example 1 56-23
56.3.2 ULPP Typical Example 2
CHAPTER 63 NTP FUNCTION CONFIGURATION 63-51
63.1 INTRODUCTION TO NTP FUNCTION 63-51
63.2 NTP FUNCTION CONFIGURATION TASK LIST 63-51
63.3 TYPICAL EXAMPLES OF NTP FUNCTION 63-54
CHAPTER 69 DYING GASP CONFIGURATION 69-72
69.1 INTRODUCTION TO DYING GASP 69-72
69.2 DYING GASP TYPICAL EXAMPLES 69-72
69.3 DYING GASP TROUBLESHOOTING
User’s Manual of SGS-6341 series

Chapter 1 INTRODUCTION

Thank you for purchasing the PLANET L3 Multi-Port Full Gigabit Stackable Managed Switch, SGS-6341-24T4X/SGS-6341-24P4X. The two models are described as follows:

SGS-6341-24T4X: Layer 3 24-Port 10/100/1000T + 4-Port 10G SFP+ Stackable Managed Switch
SGS-6341-24P4X: Layer 3 24-Port 10/100/1000T 802.3at PoE + 4-Port 10G SFP+ Stackable Managed Switch (370W)

The term "Managed Switch" refers to the switches covered by this user's manual.
It enables centralized management regardless of where the switches in the series are deployed. New switches can be added to the IP stacking group as the network expands.

Layer 3 Routing Support
The SGS-6341 Series lets the administrator improve network efficiency by configuring Layer 3 routing either manually, with static routes, or dynamically, with RIP (Routing Information Protocol) or OSPF (Open Shortest Path First).
Series also provides IEEE 802.1X port-based access authentication, which can be deployed with a RADIUS server to enforce port-level security and block unauthorized users.

Efficient Management
For efficient management, the SGS-6341 Series Managed Gigabit Switch is equipped with console, Web and SNMP management interfaces. Its built-in Web-based management interface offers an easy-to-use, platform-independent management and configuration facility.
1.3 Product Features

Physical Ports
- 24-port 10/100/1000BASE-T Gigabit Ethernet RJ45
- 4 10GBASE-SR/LR SFP+ slots, compatible with 1000BASE-SX/LX/BX SFP
- RJ45 to DB9 console interface for switch basic management and setup

Power over Ethernet (SGS-6341-24P4X)
- Complies with IEEE 802.3at Power over Ethernet Plus, end-span PSE
- Backward compatible with IEEE 802.3af Power over Ethernet
- Up to 24 ports of IEEE 802.3af/802.3at
- Provider Bridging (VLAN Q-in-Q, IEEE 802.1ad) supported
- Private VLAN Edge (PVE) supported
- GVRP protocol for Management VLAN
- Protocol-based VLAN
- MAC-based VLAN
- IP subnet VLAN

Supports Link Aggregation
- Maximum 16 trunk groups, up to 8 ports per trunk group
- IEEE 802.3ad LACP (Link Aggregation Control Protocol)
- Cisco ether-channel (static trunk)

Supports Spanning Tree Protocol
- STP, IEEE 802.1D
Management
- Management IP for IPv4 and IPv6
- Switch Management Interface
  - Console/Telnet Command Line Interface
  - Web switch management
  - SNMP v1, v2c, and v3 switch management
  - SSH/SSL secure access
- BOOTP and DHCP for IP address assignment
- Firmware upload/download via TFTP or HTTP protocol for IPv4 and IPv6
- SNTP (Simple Network Time Protocol) for IPv4 and IPv6
- User privilege levels control
- Syslog server for IPv4 and IPv6
- Four RMON groups (1, 2, 3, 9)
1.4 Product Specifications

Product: SGS-6341-24T4X / SGS-6341-24P4X

Hardware Specifications
- CPU: ARM A9 400MHz
- RAM Size: 512MB
- FLASH Size: 16MB
- Copper Ports: 24 10/100/1000BASE-T RJ45 auto-MDI/MDI-X ports (SGS-6341-24P4X: 24 ports with 802.3at PoE)
- PoE Power Output: per port 53V DC, 30.8 watts (max.)
- Power Pin Assignment: 1/2(+), 3/6(-)
- PoE Power Budget: 370 watts (max.)
- GVRP for VLAN management
- Private VLAN Edge (PVE) supported
- Protocol-based VLAN
- MAC-based VLAN
- IP subnet VLAN

Bandwidth Control: TX/RX/both

Link Aggregation: IEEE 802.3ad LACP/static trunk; supports 16 groups with 8 ports per trunk group

QoS
- 8 priority queues on all switch ports
- Supports strict priority and Weighted Round Robin (WRR) CoS policies
- Traffic classification:
  - IEEE 802.
- RFC 2013 UDP MIB
- RFC 2096 IP Forward MIB
- RFC 2233 IF MIB
- RFC 2452 TCP6 MIB
- RFC 2454 UDP6 MIB
- RFC 2465 IPv6 MIB
- RFC 2466 ICMP6 MIB
- RFC 2573 SNMP v3 Notify
- RFC 2574 SNMP v3 VACM
- RFC 2674 Bridge MIB Extensions (IEEE 802.1Q MIB)
- RFC 2674 Bridge MIB Extensions (IEEE 802.1p MIB)

Standard Conformance
Regulatory Compliance: FCC Part 15 Class A, CE
Standards Compliance:
- IEEE 802.3 10BASE-T
- IEEE 802.3u 100BASE-TX
- IEEE 802.3z Gigabit 1000BASE-SX/LX
- IEEE 802.3ab Gigabit 1000BASE-T
- IEEE 802.3x flow control and back pressure
- IEEE 802.
Management Functions
System Configuration: Console; Telnet; SSH; Web browser; SNMP v1, v2c and v3
- Supports both IPv4 and IPv6 addressing
- Supports user IP security inspection for IPv4/IPv6
- SNMP: supports MIB and TRAP
- Supports IPv4/IPv6 FTP/TFTP
- Supports IPv4/IPv6 NTP
- Supports RMON groups 1, 2, 3 and 9
- Supports RADIUS authentication of the IPv4/IPv6 Telnet user name and management password
- Supports IPv4/IPv6 SSH
- Supports configuring users to authenticate against a RADIUS server
Chapter 2 INSTALLATION

This section describes how to install your Managed Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the steps below. This chapter also covers the points to attend to during installation.

2.1 Hardware Description
■ Reset Button
On the front panel, the reset button reboots the Managed Switch without cycling the power.

2.1.2 LED Indications
The front panel LEDs indicate the current status of port links, data activity, system operation, stack status and system power.

SGS-6341-24T4X LED Indication
Figure 2-3 SGS-6341-24T4X LED Panel

■ System
LED | Color | Function
PWR | Green | Lights to indicate that the Switch has power.
SGS-6341-24P4X LED Indication
Figure 2-4 SGS-6341-24P4X LED Panel

■ System
LED | Color | Function
PWR | Green | Lights to indicate that the Switch has power.

■ 10/100/1000BASE-T Interfaces
LED | Color | Function
LNK/ACT | Green | Lights to indicate that the link through that port is successfully established. Blinks to indicate that the switch is actively sending or receiving data over that port. Off: no traffic goes through the port.
PoE-in-Use | Green |
Switch Rear Panel
The rear panel of the Managed Switch has an AC inlet power socket, which accepts input power from 100 to 240V AC, 50-60Hz. Figure 2-5 shows the rear panel of this Managed Switch.
Figure 2-6 Place the Managed Switch on the desk
Step 3: Keep enough ventilation space between the Managed Switch and the surrounding objects.
Step 4: Connect the Managed Switch to network devices. Connect one end of a standard network cable to the 10/100/1000 RJ45 ports on the front of the Managed Switch. Connect the other end of the cable to network devices such as print servers, workstations, routers or others.
Figure 2-7 Attach brackets to the Managed Switch. You must use the screws supplied with the mounting brackets. Damage caused to the parts by using incorrect screws would invalidate the warranty.
Step 3: Secure the brackets tightly.
Step 4: Follow the same steps to attach the second bracket to the opposite side.
Step 5: After the brackets are attached to the Managed Switch, use suitable screws to securely attach the brackets to the rack, as shown in Figure 2-8.
2.2.3 Installing the SFP/SFP+ Transceiver
This section describes how to insert an SFP/SFP+ transceiver into an SFP/SFP+ slot. The SFP/SFP+ transceivers are hot-pluggable and hot-swappable: you can insert or remove a transceiver in any SFP/SFP+ port without powering down the Managed Switch, as Figure 2-9 shows.
Gigabit Ethernet Transceiver (1000BASE-BX, Single Fiber Bi-directional SFP)
Connector | Interface | Model | Speed (Mbps) | Fiber Mode | Distance | Wavelength (TX/RX) | Operating Temp.
2. Check whether the fiber-optic cable type matches the SFP transceiver requirement.
   - To connect to a 1000BASE-SX SFP transceiver, use multi-mode fiber cable with a male duplex LC connector on one side.
   - To connect to a 1000BASE-LX SFP transceiver, use single-mode fiber cable with a male duplex LC connector on one side.

Connect the Fiber Cable
1. Insert the duplex LC connector into the SFP/SFP+ transceiver.
2.
Chapter 3 Switch Management

3.1 Management Options
After purchasing the switch, the user needs to configure it for network management. The switch provides two management options: in-band management and out-of-band management.

3.1.1 Out-Of-Band Management
Out-of-band management is management through the console interface. Generally, the user uses out-of-band management for the initial switch configuration, or when in-band management is not available.
Figure 3-2 Opening HyperTerminal
2) Type a name for the HyperTerminal session, such as "Switch".
3) In the "Connect using" drop-down list, select the RS-232 serial port used by the PC, e.g., COM1, and click "OK".
Figure 3-4 Opening HyperTerminal
4) The COM1 properties dialog appears. Select "9600" for "Bits per second", "8" for "Data bits", "None" for "Parity", "1" for "Stop bits" and "None" for "Flow control"; alternatively, click "Restore Defaults" and then click "OK".
System is booting, please wait...

Bootrom version: 7.1.37
Creation date: Aug 15 2014 - 16:59:42

Testing RAM...
0x10000000 RAM OK.

Loading flash:/nos.img ...
## Booting kernel from Legacy Image at 62000100 ...
   Image Name:   Linux-3.6.5+
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    11772899 Bytes = 11.2 MiB
   Load Address: 60008000
   Entry Point:  60008000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...
3.1.2 In-band Management
In-band management refers to managing the switch by logging in with Telnet, by HTTP, or by SNMP management software. In-band management allows the switch to be managed from devices attached to it. If in-band management becomes unavailable because of switch configuration changes, out-of-band management can be used to configure and manage the switch.
Step 2: Run the Telnet client program. Run the Telnet client program included in Windows with the specified Telnet target.
Figure 3-7 Run telnet client program included in Windows
Step 3: Log in to the switch. Log in to the Telnet configuration interface. A valid login name and password are required; otherwise the switch rejects the Telnet access. This is how the switch is protected from unauthorized access. Note that Telnet sends the login name, password and session contents in cleartext; where possible, use SSH (Section 4.2.2) for in-band CLI access instead.
Figure 3-8 Telnet Configuration Interface

3.1.2.2 Management via HTTP
To manage the switch via HTTP, the following conditions should be met:
1) The switch has an IPv4/IPv6 address configured;
2) The host IPv4/IPv6 address (HTTP client) and the switch’s VLAN interface IPv4/IPv6 address are in the same network segment;
3) If 2) is not met, the HTTP client should connect to an IPv4/IPv6 address of the switch via other devices, such as a router.
Step 2: Run the HTTP protocol on the host. Open the Web browser on the host and type the IP address of the switch, or open the HTTP URL directly from the Windows Run dialog. For example, the IP address of the switch is "10.1.128.251";
Figure 3-9 Run HTTP Protocol
When accessing a switch with an IPv6 address, it is recommended to use the Firefox browser, version 1.5 or later.
The Web login interface of the SGS-6341 Series is shown below:
Figure 3-10 Web Login Interface
Input the correct username and password; the main Web configuration interface is then shown below.
Figure 3-11 Main Web Configuration Interface
When configuring the switch, the switch name must consist of English letters.
3.1.2.3 Manage the Switch via SNMP Network Management Software
The following are required for SNMP network management software to manage the switch:
1) IP addresses are configured on the switch;
2) The IP address of the client host and that of the switch VLAN interface it connects to should be in the same segment;
3) If 2) is not met, the client should be able to reach an IP address of the switch through devices like routers;
4) SNMP should be enabled.
3.2.1 Configuration Modes
Figure 3-12 Shell Configuration Modes

3.2.1.1 User Mode
On entering the CLI, the user first enters the user entry system. A common user is placed in User Mode by default. The prompt shown is "Switch>"; the symbol ">" is the prompt for User Mode. Running the exit command under Admin Mode also returns to User Mode.
3.2.1.3 Global Mode
Type the config command under Admin Mode to enter Global Mode, whose prompt is "Switch(config)#". Use the exit command under other configuration modes, such as Port Mode or VLAN Mode, to return to Global Mode. The user can perform global configuration under Global Mode, such as the MAC table, port mirroring, VLAN creation, IGMP snooping, STP, etc., and can go further into Port Mode to configure any of the interfaces.
3.2.2 Configuration Syntax
The switch provides various configuration commands. Although the commands differ, they all follow the syntax for switch configuration commands.
3.2.3 Shortcut Key Support
The switch provides several shortcut keys to facilitate user configuration, such as up, down, left, right and blank space. If the terminal does not recognize the Up and Down keys, ctrl+p and ctrl+n can be used instead.

Key(s) | Function
Back Space | Delete the character before the cursor; the cursor moves back.
Up "↑" | Show the previous command entered. Up to ten recently entered commands can be shown.
Down "↓" | Show the next command entered.
3.2.5 Input Verification

3.2.5.1 Returned Information: Successful
All commands entered through the keyboard undergo a syntax check by the Shell. Nothing is returned if the user enters a correct command under the corresponding mode and the execution is successful.

Returned Information: Error
Output error message | Explanation
Unrecognized command or illegal parameter! | The entered command does not exist, or there is an error in parameter scope, type or format.
Chapter 4 Basic Switch Configuration

4.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting the admin mode, for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
Command | Explanation
banner motd / no banner motd | Configure the information displayed when the login authentication of a Telnet or console user succeeds; the no command removes it.

4.2 Telnet Management

4.2.1 Telnet

4.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation.
aaa authorization config-commands / no aaa authorization config-commands | Enable command authorization for users logging in through VTY (Telnet and SSH); the no command disables it. When command authorization is enabled and an authorization method is configured, the switch requests authorization before executing certain commands.
accounting line {console | vty} command <1-15> {start-stop | stop-only | none} method1 [method2...] / no accounting line {console | vty} command <1-15> |

Admin Mode
terminal monitor / terminal no monitor | Display debug information for a Telnet client logging in to the switch; the no form disables the debug information.
show users | Show the users who are logged in through Telnet or SSH, including line number, user name and user IP.
4.2.2.2 SSH Server Configuration Task List
Command | Explanation
Global Mode
ssh-server enable / no ssh-server enable | Enable the SSH function on the switch; the no command disables it.
username <username> [privilege <privilege>] [password [0 | 7] <password>] / no username <username> | Configure the username and password used by SSH client software to log on to the switch; the no command deletes the username.
Switch(Config-if-Vlan1)#ip address 100.100.100.200 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#username test privilege 15 password 0 test

In an IPv6 network, the terminal should run SSH client software that supports IPv6, such as putty6. Apart from assigning an IPv6 address for the local host, the switch configuration does not need to be modified.
2. Manual configuration
Command | Explanation
VLAN Interface Mode
ip address <ip-address> <mask> [secondary] / no ip address <ip-address> <mask> [secondary] | Configure the IP address of the VLAN interface; the no command deletes the IP address of the VLAN interface.
ipv6 address <ipv6-address/prefix-length> [eui-64] / no ipv6 address <ipv6-address/prefix-length> | Configure the IPv6 address of the VLAN interface, including aggregatable global unicast and site-local addresses; the no command deletes the IPv6 address.
4.4 SNMP Configuration

4.4.1 Introduction to SNMP
SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol.
VACM is used to classify users' access permissions. It puts users with the same access permissions in the same group. Users cannot perform operations for which they are not authorized.

4.4.2 Introduction to MIB
The network management information accessed by the NMS is well defined and organized in a Management Information Base (MIB). A MIB is pre-defined information that can be accessed by network management protocols. It is in layered and structured form.
4.4.3 Introduction to RMON
RMON is the most important extension of standard SNMP. RMON is a set of MIB definitions used to define standard network monitoring functions and interfaces, enabling communication between SNMP management stations and remote monitors. RMON provides a highly efficient method of monitoring activity inside subnets. The RMON MIB consists of 10 groups.
2. Configure SNMP community string
Command | Explanation
Global Mode
snmp-server community {ro | rw} {0 | 7} <string> [access {<acl-number> | <acl-name>}] [ipv6-access {<ipv6-acl-number> | <ipv6-acl-name>}] [read <read-view>] [write <write-view>] / no snmp-server community <string> [access {<acl-number> | <acl-name>}] [ipv6-access {<ipv6-acl-number> | <ipv6-acl-name>}] | Configure the community string for the switch; the no command deletes the configured community string.

3.
[access {<acl-number> | <acl-name>}] [ipv6-access {<ipv6-acl-number> | <ipv6-acl-name>}] / no snmp-server user <user-string> [access {<acl-number> | <acl-name>}] [ipv6-access {<ipv6-acl-number> | <ipv6-acl-name>}]

6. Configure group
Command | Explanation
Global Mode
snmp-server group <group-string> {noauthnopriv | authnopriv | authpriv} [[read <read-string>] [write <write-string>] [notify <notify-string>]] [access {<acl-number> | <acl-name>}] [ipv6-access {<ipv6-acl-number> | <ipv6-acl-name>}] | Set the group information on the switch.
snmp-server host {<host-ipv4-address> | <host-ipv6-address>} {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <string> / no snmp-server host {<host-ipv4-address> | <host-ipv6-address>} {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <string> | Configure the IPv4 or IPv6 address of an NMS host to receive SNMP Trap information. For SNMP v1/v2c, this command also configures the Trap community string; for SNMP v3, it also configures the Trap user name and security level. The "no" form of this command removes this IPv4 or IPv6 address.
The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps

Scenario 3: The NMS uses SNMP v3 to obtain information from the switch.
The configuration on the switch is listed below:
Switch(config)#snmp-server host 2004:1:2:3::2 v1 usertrap
Switch(config)#snmp-server enable traps

4.4.6 SNMP Troubleshooting
When users configure SNMP, the SNMP agent may fail to run properly because of a physical connection failure, a wrong configuration, etc. Users can troubleshoot by checking the following:
- The physical connection is in good condition.
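The Telnet/SSH commands of 4.2 and the SNMP commands of 4.4 together decide how exposed the management plane is. The script below is an added example written for this page, not PLANET code: it reads a saved configuration made of exactly the command forms the tables above describe and reports the settings a security review would flag (an SNMPv1/v2c write community, a default community string, a community with no access list, a trap host on v1/v2c, an SNMPv3 group without privacy, a user stored with a cleartext password, and SSH not enabled). Assumptions, labelled in the code: 'snmp-server community' lists the mode, the 0|7 encoding flag and then the string in that order; the absence of 'ssh-server enable' is treated as "remote CLI is Telnet only"; the two sample configurations are constructed, including the password 7 and community blobs in the hardened one.

```python
"""
Audit of the management-plane commands used in this chapter (snmp-server,
snmp-server host, snmp-server group, username, ssh-server).  Constructed example
for this page, not PLANET code.  Assumed: 'snmp-server community' carries the mode
(ro|rw), the encoding flag (0|7) and then the community string; a configuration
without 'ssh-server enable' offers only Telnet (cleartext) for remote CLI access.
"""
import re
from typing import List, Tuple

# Vendor-default community strings that are routinely left in place.
WEAK_COMMUNITIES = {"public", "private"}
# Keywords that may appear in 'snmp-server community'; any other token is the string.
COMMUNITY_KEYWORDS = {"ro", "rw", "0", "7", "access", "ipv6-access", "read", "write"}

Finding = Tuple[str, int, str]  # (severity, line number, message); line 0 = whole config


def audit_config(config_text: str) -> List[Finding]:
    """Return findings for one configuration, in configuration order."""
    findings: List[Finding] = []
    ssh_enabled = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        tokens = line.split()
        if not tokens or line.startswith("!"):
            continue
        if line == "ssh-server enable":
            ssh_enabled = True
        elif tokens[:2] == ["snmp-server", "community"]:
            rest = tokens[2:]
            mode = next((t for t in rest if t in ("ro", "rw")), "ro")
            community = next((t for t in rest if t not in COMMUNITY_KEYWORDS), "")
            if mode == "rw":
                findings.append(("HIGH", lineno,
                                 "SNMPv1/v2c write community: whoever sniffs the string can change the configuration"))
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(("HIGH", lineno, "default community string '%s'" % community))
            if "access" not in rest and "ipv6-access" not in rest:
                findings.append(("MEDIUM", lineno, "community is not restricted by an access list"))
        elif tokens[:2] == ["snmp-server", "host"] and len(tokens) > 3 and tokens[3] in ("v1", "v2c"):
            findings.append(("MEDIUM", lineno,
                             "trap host %s uses SNMP %s: community string travels in cleartext" % (tokens[2], tokens[3])))
        elif tokens[:2] == ["snmp-server", "group"]:
            if "noauthnopriv" in tokens:
                findings.append(("HIGH", lineno, "SNMPv3 group '%s' has no authentication and no privacy" % tokens[2]))
            elif "authnopriv" in tokens:
                findings.append(("MEDIUM", lineno, "SNMPv3 group '%s' is authenticated but not encrypted" % tokens[2]))
        elif tokens[0] == "username" and re.search(r"\bpassword 0 \S+", line):
            findings.append(("HIGH", lineno, "user '%s' is stored with a cleartext password" % tokens[1]))
    if not ssh_enabled:
        findings.append(("MEDIUM", 0, "'ssh-server enable' is absent: remote CLI access is Telnet only (cleartext)"))
    return findings


# Constructed sample built from the command forms in this chapter (not a real switch's config).
SAMPLE_CONFIG = """\
!
snmp-server enable
snmp-server community rw 0 private
snmp-server community ro 0 monitoring access 1
snmp-server host 1.1.1.5 v1 usertrap
snmp-server group opsgroup noauthnopriv read readview
snmp-server group secgroup authpriv read readview write writeview
username test privilege 15 password 0 test
"""

# Constructed hardened counterpart; the '7' blobs are made-up placeholders, not real ciphertext.
HARDENED_CONFIG = """\
!
ssh-server enable
snmp-server enable
snmp-server community ro 7 3f9a1c access 1
snmp-server group secgroup authpriv read readview write writeview
username admin privilege 15 password 7 2d4e6f
"""

if __name__ == "__main__":
    for severity, lineno, message in audit_config(SAMPLE_CONFIG):
        print("%-6s line %-2d %s" % (severity, lineno, message))
```

Run the file to list the seven findings for the sample (the hardened configuration produces none). The check is deliberately conservative: a community string that appears as `7` (encrypted in the saved file) is still flagged if it is `rw`, because the encoding of the stored value does not change what it grants on the wire.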
The system image file and the boot file are updated in the same way. The switch offers the user two update modes: 1. BootROM mode; 2. TFTP and FTP update in Shell mode. These two update methods are explained in detail in the following two sections.

4.5.2 BootROM Upgrade
There are two methods for BootROM upgrade, TFTP and FTP, which can be selected in the BootROM command settings.
Server IP Address: [10.1.1.2] 192.168.1.66
FTP(1) or TFTP(2): [1] 2
Network interface configure OK.
[Boot]

Step 4: Enable the FTP/TFTP server on the PC. For TFTP, run a TFTP server program; for FTP, run an FTP server program. Before starting to download the upgrade file to the switch, verify connectivity between the server and the switch by pinging the switch from the server.
[Boot]:

Step 8: After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
[Boot]: run (or reboot)

Other commands in BootROM mode
1. DIR command
Used to list the existing files in the FLASH.
[Boot]: dir
boot.rom        327,440    1900-01-01 00:00:00  --SH
boot.conf            83    1900-01-01 00:00:00  --SH
nos.img       2,431,631    1980-01-01 00:21:34  ----
startup-config    2,922    1980-01-01 00:09:14  ----
temp.img      2,431,631    1980-01-01 00:00:32  ----
2.
There are two types of data connection: active and passive. In an active connection, the client sends the server the address and port number on which it will accept the data connection, and the control connection is kept open until the data transfer completes.
System image file: the compressed file containing the switch hardware driver and software support program, usually referred to as the IMAGE upgrade file. On the switch, the system image file may be saved in FLASH only. The switch requires the system image file uploaded via FTP in Global Mode to be named nos.img; IMAGE files with other names are rejected.
4.5.3.2.1 FTP/TFTP Configuration Task List
1. FTP/TFTP client configuration
   (1) Upload/download the configuration file or system file.
   (2) For the FTP client, the server file list can be checked.
2. FTP server configuration
   (1) Start the FTP server
   (2) Configure the FTP login username and password
   (3) Modify the FTP server connection idle time
   (4) Shut down the FTP server
3.
ftp-server enable / no ftp-server enable | Start the FTP server; the no command shuts down the FTP server and prevents FTP users from logging in.

(2) Configure FTP login username and password
Command | Explanation
Global Mode
ip ftp username <username> password [0 | 7] <password> / no ip ftp username <username> | Configure the FTP login username and password; the no command deletes the username and password.
4.5.3.3 FTP/TFTP Configuration Examples
The configuration is the same for IPv4 and IPv6 addresses; the examples use IPv4 only.
Figure 4-2 Download nos.img file as FTP/TFTP client (switch 10.1.1.2, server 10.1.1.1)

Scenario 1: The switch is used as the FTP/TFTP client. The switch connects from one of its ports to a computer that is an FTP/TFTP server with IP address 10.1.1.1; the switch acts as the FTP/TFTP client, and the IP address of the switch management VLAN is 10.1.1.2.
Computer side configuration: start the TFTP server software on the computer and place the "12_30_nos.img" file in the appropriate TFTP server directory.

The configuration procedure on the switch is listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy tftp://10.1.1.1/12_30_nos.img nos.img
Log in to the switch with any TFTP client software and use the “tftp” command to download the “nos.img” file from the switch to the computer.
Scenario 4: The switch acts as an FTP client to view the file list on the FTP server.
Synchronization conditions: The switch connects to a computer by an Ethernet port; the computer is an FTP server with an IP address of 10.1.1.1; the switch acts as an FTP client, and the IP address of the switch management VLAN1 interface is 10.1.1.2.
4.5.3.4 FTP/TFTP Troubleshooting
4.5.3.4.1 FTP Troubleshooting
When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the FTP client and server before running the FTP program. If ping fails, you will need to check the appropriate troubleshooting information to recover link connectivity.
4.5.3.4.2 TFTP Troubleshooting
When uploading/downloading a system file with the TFTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, you will need to check the appropriate troubleshooting information to recover link connectivity. The following is the message displayed when files are successfully transferred.
Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Files in FLASH can be copied, deleted or renamed under Shell or BootROM mode.
5.2 File System Operation Configuration Task List
1.
Command (Admin Mode): rmdir
Explanation: Delete a sub-directory in a designated directory on a certain device.
4. Change the current working directory of the storage device
Command (Admin Mode): cd
Explanation: Change the current working directory of the storage device.
5. Display the current working directory
Command (Admin Mode): pwd
Explanation: Display the current working directory.
6.
9. The copy operation of files
Command (Admin Mode): copy
Explanation: Copy a designated file on the switch and store it as a new one.
5.3 Typical Applications
Copy the IMG file flash:/nos.img stored in the FLASH on the board card to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows:
Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
Copyed file flash:/nos.
Chapter 6 Cluster Configuration
6.1 Introduction to Cluster Network Management
Cluster network management is a form of in-band configuration management. Unlike CLI, SNMP and Web Config, which manage the target switches directly from a management workstation, cluster network management manages the target switches (member switches) through an intermediate switch (the commander switch). A commander switch can manage multiple member switches.
3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
1) Enable or disable automatically adding cluster members
2) Set automatically added members to manually added ones
3) Set or modify the time interval of keep-alive messages on switches in the cluster
4) Set or modify the max.
Command (Global Mode): cluster member {nodes-sn | mac-address [id ] | auto-to-user} / no cluster member {id | mac-address }
Explanation: Add or remove a member switch.
3. Configure attributes of the cluster in the commander switch
Command (Global Mode): cluster auto-add / no cluster auto-add
Explanation: Enable or disable adding a newly discovered candidate switch to the cluster.
5. Remote cluster network management
Command (Admin Mode): rcommand member
Explanation: In the commander switch, this command is used to configure and manage member switches.
Command (Admin Mode): rcommand commander
Explanation: In the member switch, this command is used to configure the commander switch.
Command (Admin Mode): cluster reset member [id | mac-address ]
Explanation: In the commander switch, this command is used to reset the member switch.
Command: snmp-server enable
Explanation: Enable the SNMP server function in the commander switch and the member switch. Note: Ensure the SNMP server function is enabled in the member switch when the commander switch accesses the member switch by sn. The commander switch accesses the member switch via the configured character string @sw.
6.
6.4 Cluster Administration Troubleshooting
When encountering problems in applying cluster administration, please check the following possible causes:
The commander switch should be correctly configured and the automatic adding function (cluster auto-add) enabled.
The ports connecting the commander switch and the member switch belong to the cluster VLAN.
Chapter 7 Port Configuration
7.1 Introduction to Port
The switch contains cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet command to enter the appropriate Ethernet port configuration mode, where the port parameter stands for one or more ports.
1. Enter the Ethernet port configuration mode
Command (Global Mode): interface ethernet
Explanation: Enters the network port configuration mode.
2. Configure the properties for the Ethernet ports
Command (Port Mode): media-type {copper | copper-preferred-auto | fiber | sfp-preferred-auto}
Explanation: Sets the combo port mode (combo ports only).
Command (Port Mode): shutdown / no shutdown
Explanation: Enables/disables the specified ports.
Command (Port Mode): storm control {unicast | broadcast | multicast} {kbps | pps } / no storm control {unicast | broadcast | multicast}
Explanation: Enables the storm control function for broadcasts, multicasts and unicasts with unknown destinations (collectively called broadcast here), and sets the allowed number of broadcast packets or bits passing per second; the no form of this command disables the broadcast storm control function.
3. Virtual cable test
Command (Admin Mode): virtual-cable-test interface ethernet
Explanation: Test the virtual cable of the port.
7.3 Port Configuration Example
Figure 7-1: Port Configuration Example (ports 1/7, 1/8, 1/9, 1/10 and 1/12 across Switch 1, Switch 2 and Switch 3)
No VLAN has been configured in the switches; the default VLAN1 is used.
Switch 2:
Switch2(config)#interface ethernet 1/9
Switch2(Config-If-Ethernet1/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/9)#exit
Switch2(config)#interface ethernet 1/10
Switch2(Config-If-Ethernet1/10)#speed-duplex force1g-full
Switch2(Config-If-Ethernet1/10)#exit
Switch2(config)#monitor session 1 source interface ethernet 1/8;1/9
Switch2(config)#monitor session 1 destination interface ethernet 1/10
Switch 3:
Switch3(config)#interface ethernet 1/12
Switch3(Confi
Chapter 8 Port Isolation Function Configuration
8.1 Introduction to Port Isolation Function
Port isolation is an independent, port-based function that works between ports and isolates the traffic of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN, saving VLAN resources and enhancing network security.
8.3 Port Isolation Function Typical Examples
Figure 8-1: Typical example of port isolation function (S1 ports e1/1, e1/10 and uplink e1/15; S2 and S3 attached)
The topology and configuration of the switches are shown in the figure above, with e1/1, e1/10 and e1/15 all belonging to VLAN 100. The requirement is that, after port isolation is enabled on switch S1, e1/1 and e1/10 on switch S1 cannot communicate with each other, while both of them can communicate with the uplink port e1/15.
Chapter 9 Port Loopback Detection Function Configuration
9.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through Layer 2 switches, which creates urgent demands for both Internet access and internal Layer 2 interworking.
4. Display and debug the relevant information of port loopback detection
5. Configure the loopback-detection control mode (automatic recovery enabled or not)
1. Configure the time interval of loopback detection
Command (Global Mode): loopback-detection interval-time / no loopback-detection interval-time
Explanation: Configure the time interval of loopback detection.
Command (Admin Mode): show loopback-detection [interface ]
Explanation: Display the state and result of loopback detection of all ports if no parameter is provided; otherwise, display the state and result of the corresponding ports.
5.
Switch(Config-If-Ethernet1/1)#loopback-detection special-vlan 1-3
Switch(Config-If-Ethernet1/1)#loopback-detection control block
If the block control method is adopted, MSTP should be globally enabled, and the corresponding relation between the spanning tree instance and the VLAN should be configured.
Chapter 10 ULDP Function Configuration
10.1 Introduction to ULDP Function
A unidirectional link is a common link error state in networks, especially in fiber links. A unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former.
This kind of problem often appears in the following situations: GBIC (Gigabit Interface Converter) or interface problems, software problems, or hardware becoming unavailable or operating abnormally. A unidirectional link will cause a series of problems, such as a spanning tree topological loop or a broadcast black hole. ULDP (Unidirectional Link Detection Protocol) can help avoid the disasters that could happen in the situations mentioned above.
1. Enable ULDP function globally
Command (Global Mode): uldp enable / uldp disable
Explanation: Globally enable or disable the ULDP function.
2. Enable ULDP function on a port
Command (Port Mode): uldp enable / uldp disable
Explanation: Enable or disable the ULDP function on a port.
3. Configure aggressive mode globally
Command (Global Mode): uldp aggressive-mode / no uldp aggressive-mode
Explanation: Set the global working mode.
4.
6. Configure the interval of Hello messages
Command (Global Mode): uldp hello-interval / no uldp hello-interval
Explanation: Configure the interval of Hello messages, ranging from 5 to 100 seconds. The value is 10 seconds by default.
7. Configure the interval of Recovery
Command (Global Mode): uldp recovery-time / no uldp recovery-time
Explanation: Configure the interval of Recovery reset, ranging from 30 to 86400 seconds.
Command: debug uldp event / no debug uldp event
Explanation: Enable or disable the debug switch for event information.
Command: debug uldp packet {receive|send} / no debug uldp packet {receive|send}
Explanation: Enable or disable debugging of the type of messages that can be received and sent on all ports.
Switch B configuration sequence:
SwitchB(config)#uldp enable
SwitchB(config)#interface ethernet1/3
SwitchB(Config-If-Ethernet1/3)#uldp enable
SwitchB(Config-If-Ethernet1/3)#exit
SwitchB(config)#interface ethernet 1/4
SwitchB(Config-If-Ethernet1/4)#uldp enable
As a result, ports g1/1 and g1/2 of SWITCH A are both shut down by ULDP, and there is notification information on the CRT terminal of PC1.
The interval for sending hello messages can be changed (it is 10 seconds by default and ranges from 5 to 100 seconds) so that ULDP can respond faster to link connection errors in different network environments. This interval should be less than 1/3 of the STP convergence time: if the interval is too long, an STP loop will be generated before ULDP discovers and shuts down the unidirectional connection port.
Chapter 11 LLDP Function Operation Configuration
11.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them.
events like the adding and removing of related devices rather than details about where and how these devices operate within the network. Layer 2 discovery covers information such as which devices have which ports and which switches connect to other devices; it can also display the routes between clients, switches, routers, application servers and network servers. Such details are very useful for planning and for investigating the source of network failures.
2. Configure the port-based LLDP function switch
Command (Port Mode): lldp enable / lldp disable
Explanation: Configure the port-based LLDP function switch.
3. Configure the operating state of port LLDP
Command (Port Mode): lldp mode (send|receive|both|disable)
Explanation: Configure the operating state of port LLDP.
4.
7. Configure the interval of sending Trap messages
Command (Global Mode): lldp notification interval / no lldp notification interval
Explanation: Configure the interval of sending Trap messages as the specified value or the default value.
8. Enable the Trap function of the port
Command (Port Mode): lldp trap
Explanation: Enable or disable the Trap function of the port.
9.
12. Display and debug the relevant information of LLDP
Command (Admin and Global Mode): show lldp
Explanation: Display the current LLDP configuration information.
Command (Admin and Global Mode): show lldp interface ethernet
Explanation: Display the LLDP configuration information of the current port.
Command (Admin and Global Mode): show lldp traffic
Explanation: Display the information of all kinds of counters.
Command (Admin and Global Mode): show lldp neighbors interface ethernet < IFNAME >
Explanation: Display the information of the LLDP neighbors of the current port.
In the network topology graph above, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A. Port 1 of SWITCH B is configured to message-receiving-only mode; the optional TLVs of port 4 of SWITCH A are configured as portDes and SysCap.
Chapter 12 Port Channel Configuration
12.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in the Port Group can take part in link aggregation and become member ports of a Port Channel. Logically, a Port Group is not a port but a port sequence.
All ports are in full-duplex mode.
All ports are of the same speed.
All ports are Access ports and belong to the same VLAN, or are all TRUNK ports, or are all Hybrid ports. If the ports are all TRUNK ports or Hybrid ports, then their “Allowed VLAN” and “Native VLAN” properties should also be the same.
Key; for the static aggregation group, the Active ports have the same operation Key. Port aggregation means that multiple ports are aggregated to form an aggregation group, so as to implement outbound/inbound load balancing across the member ports of the aggregation group and provide better reliability.
12.2.1 Static LACP Aggregation
Static LACP aggregation is enforced by user configuration and does not enable the LACP protocol.
12.2.3 Port Channel Configuration Task List
1. Create a port group in Global Mode
2. Add ports to the specified group from the Port Mode of the respective ports
3. Enter port-channel configuration mode
4. Set the load-balance method for the port-group
5. Set the system priority of the LACP protocol
6. Set the port priority of the current port in the LACP protocol
7. Set the timeout mode of the current port in the LACP protocol
1.
src-ip | dst-ip | dst-src-ip}
5. Set the system priority of the LACP protocol
Command (Global Mode): lacp system-priority / no lacp system-priority
Explanation: Set the system priority of the LACP protocol; the no command restores the default value.
6. Set the port priority of the current port in the LACP protocol
Command (Port Mode):
Explanation: Set the port priority in the LACP protocol.
The switches in the description below are all switches and, as shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in active mode. Ports 6, 8, 9, 10 of S2 are access ports; add them to group2 in passive mode. All the ports should be connected with cables.
Figure 12-3: Configure Port Channel in ON mode (S1 and S2)
As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in “on” mode. Ports 6, 8, 9, 10 of S2 are access ports; add them to group2 in “on” mode.
Configuration result: Add ports 1, 2, 3, 4 of S1 to port-group1 in order, and we can see that a group in “on” mode is joined forcibly and completely; the switch at the other end will not exchange LACP PDUs to complete aggregation.
Chapter 13 MTU Configuration
13.1 Introduction to MTU
So far the Jumbo (Jumbo Frame) has not reached a settled standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%. Technically the Jumbo is just a lengthened frame sent and received by the switch.
Chapter 14 EFM OAM Configuration
14.1 Introduction to EFM OAM
Ethernet was designed for the Local Area Network at the beginning, but link length and network scope have extended rapidly as Ethernet has also been applied to Metropolitan Area Networks and Wide Area Networks.
OAM protocol data units (OAMPDUs) use the protocol destination MAC address 01-80-c2-00-00-02; the max. transmission rate is 10 pkt/s. EFM OAM is established on the basis of an OAM connection; it provides link operation management mechanisms such as link monitoring, remote fault detection and remote loopback testing. A brief introduction to EFM OAM follows:
1.
Errored frame seconds event: The number of errored frame seconds detected over M seconds cannot be less than the low threshold. (Errored frame second: a second in which at least one errored frame is received.)
3. Remote Fault Detection
In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer.
Shown below is the typical EFM OAM application topology. It is used for point-to-point links and emulated IEEE 802.3 point-to-point links. A device enables EFM OAM over a point-to-point connection to monitor link faults in the First Mile of Ethernet access. For the user, the connection between the user and the telecommunication provider is “the First Mile”; for the service provider, it is “the Last Mile”.
[Figure: Customer, Service Provider, Customer; 802.3ah Ethernet in the First Mile; CE 802.]
restores the default value.
Command (Port Mode): ethernet-oam timeout / no ethernet-oam timeout
Explanation: Configure the timeout of the EFM OAM connection; the no command restores the default value.
2. Configure link monitor
Command (Port Mode): ethernet-oam link-monitor / no ethernet-oam link-monitor
Explanation: Enable link monitor of EFM OAM; the no command disables link monitor.
3. Configure remote failure
Command (Port Mode): ethernet-oam remote-failure / no ethernet-oam remote-failure
Explanation: Enable remote failure detection of EFM OAM (failure means a critical-event or link-fault event of the local end); the no command disables the function.
14.3 EFM OAM Example
Example: CE and PE devices with a point-to-point link enable EFM OAM to monitor “the First Mile” link performance.
14.4 EFM OAM Troubleshooting
If a problem occurs when using EFM OAM, please check whether it results from the following reasons:
Check whether the OAM entities of both peers of the link are in passive mode. If so, the EFM OAM connection cannot be established between the two OAM entities.
Ensure the SNMP configuration is correct, or else errored events cannot be reported to the network management system.
Chapter 15 PORT SECURITY
15.1 Introduction to PORT SECURITY
Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of received frames, and access to unauthorized devices by checking the destination MAC address of sent frames.
VLAN, both of them will violate the security of the MAC address.
Command: switchport port-security aging {static | time | type {absolute | inactivity}} / no switchport port-security violation aging {static | time | type}
Explanation: Enable port-security aging entries of the interface; specify the aging time or aging type.
Chapter 16 DDM Configuration
16.1 Introduction to DDM
16.1.1 Brief Introduction to DDM
DDM (Digital Diagnostic Monitor) makes the detailed digital diagnostic function a standard in the SFF-8472 MSA. It specifies that the parameter signals are monitored and digitized on the circuit board inside the module.
3. Compatibility verification
Compatibility verification is used to analyze whether the environment of the module conforms to the data manual or is compatible with the corresponding standard, because the module's capability can be ensured only in a compatible environment. When environment parameters exceed the data manual or the corresponding standard, the module's capability degrades, resulting in transmission errors.
For fiber modules, the verification mode of the receiving power includes inner verification and outer verification, which are decided by the manufacturer. Apart from the verification mode, the real-time parameters and the default thresholds are the same.
3. Transceiver monitoring
Besides checking the real-time working state of the transceiver, the user needs to monitor the detailed status, such as the time of the last abnormality and the abnormality type.
3. Configure the state of the transceiver monitoring
(1) Configure the interval of the transceiver monitoring
Command (Global Mode): transceiver-monitoring interval / no transceiver-monitoring interval
Explanation: Set the interval of the transceiver monitor. The no command sets the interval to the default interval of 15 minutes.
(4) Clear the information of the transceiver monitoring
Command (Admin Mode): clear transceiver threshold-violation [interface ethernet ]
Explanation: Clear the threshold violation of the transceiver monitor.
16.3 Examples of DDM
Example 1: Ethernet 21 and Ethernet 23 have fiber modules with DDM inserted, Ethernet 24 has a fiber module without DDM inserted, and Ethernet 22 has no fiber module inserted; show the DDM information of the fiber modules.
SFP found in this port, manufactured by company, on Sep 29 2010. Type is 1000BASE-SX, Link length is 550 m for 50um Multi-Mode Fiber. Link length is 270 m for 62.5um Multi-Mode Fiber. Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm.
RX loss of signal
Voltage high
RX power low
Detail diagnostic and threshold information:
Diagnostic        Realtime Value  High Alarm  Low Alarm  High Warn  Low Warn
Temperature(℃)   33              70          0          70         0
Voltage(V)        7.31(A+)        5.00        0.00       5.00       0.00
Bias current(mA)  6.11(W+)        10.30       0.00       5.00       0.00
RX Power(dBM)     -30.54(A-)      9.00        -25.00     9.00       -25.00
TX Power(dBM)     -13.01          9.00        -25.00     9.00       -25.
Diagnostic        Realtime Value  High Alarm  Low Alarm        High Warn  Low Warn
Voltage(V)        7.31(A+)        5.00        0.00             5.00       0.00
Bias current(mA)  6.11(W+)        10.30       0.00             5.00       0.00
RX Power(dBM)     -30.54(A-)      9.00        -25.00           9.00       -25.00
TX Power(dBM)     -13.01(A-)      9.00        -12.00(-25.00)   9.00       -10.00(-25.00)
Example 3: Ethernet 21 has a fiber module with DDM inserted. Enable the transceiver monitoring of the port after showing the transceiver monitoring of the fiber module.
Step 1: Show the transceiver monitoring of the fiber module.
Diagnostic        Realtime Value  High Alarm  Low Alarm    High Warn  Low Warn
Temperature(℃)   33              70          0            70         0
Voltage(V)        7.31            10.00       0.00         5.00       0.00
Bias current(mA)  3.11            10.30       0.00         5.00       0.00
RX Power(dBM)     -30.54(A-)      9.00        -25.00(-34)  9.00       -25.00
TX Power(dBM)     -1.01           -12.05      9.00         -10.00     9.00
Ethernet 1/22 transceiver threshold-violation information:
Transceiver monitor is disabled.
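The diagnostic tables above are what an operator polls to catch a failing or mis-specified optic before it takes the link down. The following added example (not code from the manual or from PLANET) parses a constructed copy of that table layout, classifies every parameter against its own thresholds, flags any parameter in alarm, and cross-checks the (A+)/(A-)/(W+)/(W-) markers printed by the switch against the thresholds; thresholds written as value(default), as in the second table, are handled.

```python
"""Parse the SGS-6341 'Detail diagnostic and threshold information' table.

Added example, not part of the manual. SAMPLE_OUTPUT is a constructed copy
of the layout shown in the manual's Example 1 (not captured from a device).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Detail diagnostic and threshold information:
Diagnostic        Realtime Value  High Alarm  Low Alarm  High Warn  Low Warn
Temperature(℃)   33              70          0          70         0
Voltage(V)        7.31(A+)        5.00        0.00       5.00       0.00
Bias current(mA)  6.11(W+)        10.30       0.00       5.00       0.00
RX Power(dBM)     -30.54(A-)      9.00        -25.00     9.00       -25.00
TX Power(dBM)     -13.01          9.00        -25.00     9.00       -25.00
"""

# Realtime value: a number, optionally followed by the switch's own marker, e.g. 7.31(A+)
VALUE_RE = re.compile(r"^(-?\d+(?:\.\d+)?)(?:\((A\+|A-|W\+|W-)\))?$")
# Threshold: a number, optionally followed by the default in parentheses, e.g. -12.00(-25.00)
THRESH_RE = re.compile(r"^(-?\d+(?:\.\d+)?)(?:\(-?\d+(?:\.\d+)?\))?$")


@dataclass
class Diagnostic:
    name: str
    value: float
    printed_flag: Optional[str]  # marker the switch printed, None if the value was within range
    high_alarm: float
    low_alarm: float
    high_warn: float
    low_warn: float

    def computed_flag(self) -> Optional[str]:
        """Derive the state from the thresholds; alarms take precedence over warnings."""
        if self.value > self.high_alarm:
            return "A+"
        if self.value < self.low_alarm:
            return "A-"
        if self.value > self.high_warn:
            return "W+"
        if self.value < self.low_warn:
            return "W-"
        return None


def _threshold(token: str) -> float:
    """Read the effective threshold, ignoring a trailing '(default)' annotation."""
    m = THRESH_RE.match(token)
    if m is None:
        raise ValueError(f"bad threshold token: {token!r}")
    return float(m.group(1))


def parse_table(text: str) -> List[Diagnostic]:
    """Parse every row after the 'Diagnostic ...' header line.

    Parameter names may contain spaces ('Bias current(mA)'), so the row is
    split from the right: the last five tokens are value and four thresholds.
    """
    rows: List[Diagnostic] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Diagnostic"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        tokens = line.split()
        if len(tokens) < 6:
            raise ValueError(f"malformed row: {line!r}")
        m = VALUE_RE.match(tokens[-5])
        if m is None:
            raise ValueError(f"bad realtime value in row: {line!r}")
        name = " ".join(tokens[:-5])
        high_alarm, low_alarm, high_warn, low_warn = (_threshold(t) for t in tokens[-4:])
        rows.append(Diagnostic(name, float(m.group(1)), m.group(2),
                               high_alarm, low_alarm, high_warn, low_warn))
    return rows


def classify(text: str) -> Dict[str, Optional[str]]:
    """Map each parameter name to its threshold-derived state ('A+', 'A-', 'W+', 'W-' or None)."""
    return {row.name: row.computed_flag() for row in parse_table(text)}


def alarm_parameters(text: str) -> List[str]:
    """Names of parameters in alarm state; these are the ones to escalate."""
    return [row.name for row in parse_table(text) if (row.computed_flag() or "").startswith("A")]


def mismatches(text: str) -> List[str]:
    """Parameters whose printed marker disagrees with the thresholds in the same table."""
    return [row.name for row in parse_table(text) if row.printed_flag != row.computed_flag()]


if __name__ == "__main__":
    for name, state in classify(SAMPLE_OUTPUT).items():
        print(f"{name:18} {state or 'ok'}")
    print("alarms:", alarm_parameters(SAMPLE_OUTPUT))
    print("mismatches:", mismatches(SAMPLE_OUTPUT))
```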
Chapter 17 LLDP-MED
17.1 Introduction to LLDP-MED
LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on IEEE 802.1AB LLDP (Link Layer Discovery Protocol). LLDP provides a standard link layer discovery mode: it sends local device information (including its major capabilities, management IP address, device ID and port ID) as TLV (type/length/value) triplets in LLDPDUs (Link Layer Discovery Protocol Data Units) to directly connected neighbors.
command disables the capability.
Command: lldp transmit med tlv inventory / no lldp transmit med tlv inventory
Explanation: Configure the port to send LLDP-MED Inventory Management TLVs. The no command disables the capability.
Command: lldp med fast count / no lldp med fast count
Explanation: When the fast LLDP-MED startup mechanism is enabled, the LLDP packets with LLDP-MED TLVs need to be sent quickly; this command sets the number of packets sent quickly, and the no command restores the default value.
Command (Admin Mode): show lldp
Explanation: Show the global configuration of LLDP and LLDP-MED.
Command (Admin Mode): show lldp [interface ethernet ]
Explanation: Show the configuration of LLDP and LLDP-MED on the current port.
SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv capability
SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv network policy
SwitchA (Config-If-Ethernet1/1)# lldp transmit med tlv inventory
SwitchB (Config-If-Ethernet1/1)# network policy voice tag tagged vid 10 cos 5 dscp 15
SwitchA (Config-If-Ethernet1/1)# exit
SwitchA (config)#interface ethernet1/2
SwitchA (Config-If-Ethernet1/2)# lldp enable
SwitchA (Config-If-Ethernet1/2)# lldp mode both
2) Configure Switch B
MED Codes: (CAP)Capabilities, (NP) Network Policy (LI) Location Identification, (PSE)Power Source Entity (PD) Power Device, (IN) Inventory
MED Capabilities:CAP,NP,PD,IN
MED Device Type: Endpoint Class III
Media Policy Type :Voice
Media Policy :Tagged
Media Policy Vlan id :10
Media Policy Priority :3
Media Policy Dscp :5
Power Type : PD
Power Source :Primary power source
Power Priority :low
Power Value :15.4 (Watts)
Hardware Revision:
Firmware Revision:4.0.
PortDesc :Ethernet1/1
SysName :****
SysDesc :*****
SysCapSupported :4
SysCapEnabled :4
Explanation:
1) Both Ethernet2 of switch A and Ethernet1 of switch B are ports of network connectivity devices; they will not send LLDP packets with MED TLV information on their own initiative.
Chapter 18 bpdu-tunnel Configuration
18.1 Introduction to bpdu-tunnel
BPDU Tunnel is a Layer 2 tunnel technology. It allows Layer 2 protocol packets of geographically dispersed private network users to be transparently transmitted over specific tunnels across a service provider network.
18.1.1 bpdu-tunnel function
In MAN applications, multiple branches of a corporation may connect with each other through the service provider network.
18.2 bpdu-tunnel Configuration Task List
bpdu-tunnel configuration task list:
1. Configure tunnel MAC address globally
2. Configure the port to support the tunnel
1. Configure tunnel MAC address globally
Command (Global Mode): bpdu-tunnel {stp|gvrp|dot1x} / no bpdu-tunnel {stp|gvrp|dot1x}
Explanation: Enable support for the tunnel; the no command disables the function.
2.
Figure 18-2: BPDU Tunnel application environment
With BPDU Tunnel, Layer 2 protocol packets from users’ networks can be passed through the service provider network in the following work flow:
1. After receiving a Layer 2 protocol packet from network 1 of user A, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network.
2.
18.4 bpdu-tunnel Troubleshooting
Only after the stp, gvrp, uldp, lacp and dot1x functions are disabled on a port can the bpdu-tunnel function be configured on it.
Chapter 19 EEE Energy-saving Configuration
19.1 Introduction to EEE Energy-saving
EEE is Energy Efficient Ethernet. After this function is enabled on a port, the switch will detect the port state automatically. If the port is idle and there is no data transmission, the port will change to power-saving mode and reduce the port's power to save energy.
19.2 EEE Energy-saving Configuration List
1.
Chapter 20 VLAN Configuration
20.1 VLAN Configuration
20.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
Saving network resources
Simplifying network management
Lowering network cost
Enhancing network security
Switch Ethernet ports can work in three kinds of modes: Access, Hybrid and Trunk, with each mode having a different processing method for forwarding tagged or untagged packets. Ports of the Access type belong to only one VLAN; usually they are used to connect the ports of computers.
1. Create or delete VLAN
Command (Global Mode): vlan WORD / no vlan WORD
Explanation: Create/delete a VLAN or enter VLAN Mode.
2. Set or delete VLAN name
Command (VLAN Interface Mode): name / no name
Explanation: Set or delete the VLAN name.
3. Assign switch ports to a VLAN
Command (VLAN Interface Mode): switchport interface ethernet / no switchport interface
Explanation: Assign switch ports to the VLAN.
4.
Command (Port Mode): switchport trunk native vlan / no switchport trunk native vlan
Explanation: Set/delete the PVID for the Trunk port.
6. Set Access port
Command (Port Mode): switchport access vlan / no switchport access vlan
Explanation: Add the current port to the specified VLAN. The “no” command restores the default setting.
7.
10. Set Private VLAN association
Command (VLAN Interface Mode): private-vlan association / no private-vlan association
Explanation: Set/delete the Private VLAN association.
11. Specify internal VLAN ID
Command (Global Mode):
Explanation: Specify the internal VLAN ID.
20.1.3 Typical VLAN Application Scenario: [Figure 20-2: Typical VLAN Application Topology. Switch A and Switch B are connected by a trunk link; PCs and workstations belonging to VLAN2, VLAN100 and VLAN200 are attached to both switches.] The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. Those three VLANs span two different locations, A and B.
Switch(Config-Vlan2)#switchport interface ethernet 1/2-4
Switch(Config-Vlan2)#exit
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/5-7
Switch(Config-Vlan100)#exit
Switch(config)#vlan 200
Switch(Config-Vlan200)#switchport interface ethernet 1/8-10
Switch(Config-Vlan200)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)#exit
Switch(config)#
Switch B:
Switch(con
20.1.4 Typical Application of Hybrid Port Scenario: [Figure 20-3: Typical Application of Hybrid Port. Switch A uplinks to the internet; Switch B connects to Switch A, with PC1 and PC2 attached to Switch B.] PC1 connects to interface Ethernet 1/7 of Switch B; PC2 connects to interface Ethernet 1/9 of Switch B; Ethernet 1/10 of Switch A connects to Ethernet 1/10 of Switch B.
The configuration steps are listed below:
Switch A:
Switch(config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/10
Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/7
Switch(Config-If-Ethernet1/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/7)#exit
Switch(Config)#interface Ethernet 1/9
Switch(Conf
[Figure 20-4: Dot1q-tunnel based Internetworking mode. Customer network 1 (CE1) and customer network 2 (CE2) each attach over an asymmetric customer connection, trunking VLAN 200-300 on the customer port, to PE1 and PE2 respectively; the customer-facing port on each PE has Q-in-Q enabled and belongs to VLAN 3; PE1, P and PE2 are joined by trunk connections across the SP network.] As shown above, after being enabled on the user port, dot1q-tunnel assign
The user network is largely independent: when the ISP upgrades its network, the user networks do not have to change their original configuration. A detailed description of the application and configuration of dot1q-tunnel is provided in this section. 20.2.2 Dot1q-tunnel Configuration Configuration Task Sequence of Dot1q-Tunnel: 1. Configure the dot1q-tunnel function on the port 2. Configure the global protocol type (TPID) 1.
Configuration procedure is as follows:
PE1:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)#dot1q-tunnel enable
Switch(Config-Ethernet1/1)#exit
Switch(Config)#interface ethernet 1/10
Switch(Config-Ethernet1/10)#switchport mode trunk
Switch(Config-Ethernet1/10)#exit
Switch(config)#dot1q-tunnel tpid 0x9100
Switch(Config)#
PE2:
Switch(config)#vlan 3
Switch(C
20.3 Selective Q-in-Q Configuration 20.3.1 Introduction to Selective Q-in-Q Selective Q-in-Q is an enhanced application of the dot1q-tunnel function. It can tag packets received on the same port with different outer VLAN tags based on their inner VLAN tags, as required by the user, so that packets of different types are assigned to different VLANs and take different transmission paths. 20.3.
User’s Manual of SGS-6341 series 20.3.3 Typical Applications of Selective Q-in-Q Figure 20-5: Selective Q-in-Q application 1. Ethernet1/1 of Switch A provides public network access for PC users and Ethernet 1/2 of Switch A provides public network access for IP phone users. PC users belong to VLAN 100 through VLAN 200, and IP phone users belong to VLAN 201 through VLAN 300. Ethernet 1/9 of Switch A is connected to the public network. 2.
switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag
# Configure the mapping rule for selective Q-in-Q on Ethernet1/1 to insert VLAN 1000 as the outer VLAN tag in packets tagged with VLAN 100 through VLAN 200.
switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200
# Enable selective Q-in-Q on Ethernet1/1.
The configuration on Switch B is similar to that on Switch A and is as follows:
switch(config)#vlan 1000;2000
switch(config)#interface ethernet 1/1
switch(config-if-ethernet1/1)#switchport mode hybrid
switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag
switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200
switch(config-if-ethernet1/1)#dot1q-tunnel selective enable
switch(config-if-ethernet1/1)#interface ethernet
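The tag handling described in 20.2 (dot1q-tunnel with a configurable TPID) and 20.3 (selective Q-in-Q, mapping inner C-VLAN ranges to an outer S-VLAN) can be made concrete with a frame-level model. The following Python is an added example written for this page; it is not code from PLANET or from the switch firmware. The MAC addresses, frame contents and the rule table are constructed for illustration; the TPID 0x9100 and the VLAN ranges 100-200 and 201-300 are taken from the configuration examples above, and all function names are hypothetical. It also shows the failure mode a practitioner should check for: a device that does not recognise the outer TPID does not see a VLAN tag at all, so it treats the frame as untagged and typically assigns it to the native VLAN of the receiving port, which silently breaks the customer isolation Q-in-Q is meant to provide.

```python
import struct

TPID_8021Q = 0x8100          # standard 802.1Q tag protocol identifier
TPID_VENDOR = 0x9100         # TPID used by the manual's "dot1q-tunnel tpid 0x9100" example


def build_frame(dst_hex, src_hex, vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame, optionally with one 802.1Q tag."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame, tpids=(TPID_8021Q, TPID_VENDOR)):
    """Return (dst, src, tags, ethertype, payload); tags is a list of
    (tpid, pcp, dei, vid) from outermost to innermost. Only TPIDs listed in
    `tpids` are treated as VLAN tags; any other EtherType ends the tag stack,
    which is exactly what a peer with a mismatched TPID setting does."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in tpids or off + 6 > len(frame):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, etype, frame[off + 2:]


def push_outer_tag(frame, vid, tpid=TPID_8021Q, pcp=0):
    """Insert a new outermost tag after the MAC addresses (the dot1q-tunnel ingress action)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


def select_svlan(cvid, rules, default=None):
    """rules: list of ((low, high), svid), e.g. the manual's 'c-vlan 100-200 -> s-vlan 1000'."""
    for (low, high), svid in rules:
        if low <= cvid <= high:
            return svid
    return default


def tunnel_ingress(frame, rules, tpid, port_vlan):
    """Model a selective Q-in-Q customer port: the outer VID is chosen from the
    inner C-VLAN; frames with no matching rule, or no tag at all, get the
    port's own dot1q-tunnel VLAN (port_vlan) as the outer tag. The customer
    side only ever carries standard 0x8100 tags, so only that TPID is parsed."""
    _, _, tags, _, _ = parse_tags(frame, tpids=(TPID_8021Q,))
    svid = select_svlan(tags[0][3], rules, default=port_vlan) if tags else port_vlan
    return push_outer_tag(frame, svid, tpid)
```

Parsing the tunnelled frame with `tpids=(TPID_8021Q,)` reproduces the view of a core switch whose TPID was left at 0x8100: the 0x9100 outer tag is invisible and the frame looks untagged, so the TPID must be set identically on every device along the tunnel path.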
1. Configure the VLAN Translation of the port
Command (Port Mode): vlan-translation enable / no vlan-translation enable
Explanation: Enter/exit the port VLAN translation mode.
2. Configure the VLAN-translation relation of the port
Command (Global/Port Mode): vlan-translation to in / no vlan-translation old-vlan-id in
Explanation: Add/delete a VLAN translation relation.
3.
[Figure 20-6: VLAN translation topology mode. CE1 (customer network 1, trunk VLAN 200-300 on the customer port) and CE2 (trunk VLAN 20 on the customer port) connect over trunk links to PE1 and PE2 in the SP network, which are joined through P; on each PE the port ingress translates VLAN20 to VLAN3 and the egress translates VLAN3 back to VLAN20.] Configuration Configuration Explanation I
20.4.4 VLAN Translation Troubleshooting VLAN Translation is normally applied on trunk ports. Before using VLAN Translation, the dot1q-tunnel function normally needs to be enabled first so that double-tagged packets are processed correctly by VLAN translation. When configuring VLAN translation at the egress, make sure the native VLAN of the port is not the same as the VID of the packet.
2. Show the related configuration of Multi-to-One VLAN translation
Command (Admin Mode): show vlan-translation n-to-1
Explanation: Show the related configuration of Multi-to-One VLAN translation.
20.5.3 Typical Application of Multi-to-One VLAN Translation Scenario: UserA, UserB and UserC belong to VLAN1, VLAN2 and VLAN3 respectively. Before entering the upstream network, the data traffic of UserA, UserB and UserC is translated into VLAN 100 by Ethernet1/1 of edge Switch1.
Configuration Item / Configuration Explanation: VLAN: Switch1, Switch2. Trunk Port: Downlink port 1/1 and uplink port 1/5 of Switch1 and Switch2. Multi-to-One VLAN-translation: Downlink port 1/1 of Switch1 and Switch2. Configuration procedure is as follows:
Switch1, Switch2:
switch(Config)#vlan 1-3;100
switch(Config-Ethernet1/1)#switchport mode trunk
switch(Config-Ethernet1/1)#vlan-translation n-to-1 1-3 to 100
switch(Config)#interface ethernet 1/5
switch(Config-Ethernet1
The IP-subnet-based VLAN is divided according to the source IP address and subnet mask of each host. It assigns the corresponding VLAN ID to a packet according to its subnet, leading the packet to the specified VLAN. Its advantage is the same as that of the MAC-based VLAN: the user does not have to change configuration when relocated. The protocol-based VLAN is divided by the network-layer protocol, assigning different protocols to different VLANs.
2. Set the VLAN to MAC VLAN
Command (Global Mode): mac-vlan vlan / no mac-vlan
Explanation: Configure the specified VLAN as a MAC VLAN; the "no mac-vlan" command cancels the MAC VLAN configuration of this VLAN.
3.
User’s Manual of SGS-6341 series 6. Configure the correspondence between the Protocols and the VLAN Command Explanation Global Mode protocol-vlan mode {ethernetii etype |llc {dsap ssap }|snap etype } vlan priority no protocol-vlan {mode {ethernetii etype |llc {dsap ssap Add/delete the correspondence between the Protocols and the VLAN, namely specified protocol joins/leaves specified VLAN.
[Figure 20-8: Typical topology application of dynamic VLAN. Switch A, Switch B and Switch C carry VLAN100, VLAN200 and VLAN300; M is a mobile host.] Configuration Items / Configuration Explanation: MAC-based VLAN: Global configuration on Switch A, Switch B, Switch C.
20.6.4 Dynamic VLAN Troubleshooting On a switch configured with dynamic VLAN, if two connected devices (e.g. PCs) both belong to the same dynamic VLAN, the first communication between them may not go through. The solution is to have the two devices actively send data packets to the switch (for example with ping) so that the switch learns their source MACs; afterwards the two devices can communicate freely within the dynamic VLAN. Ping 192.168.1.
[Figure 20-10: a typical application scene] Switches A and G are not directly connected in the Layer 2 network; B, C, D, E and F are intermediate switches connecting A and G. Switches A and G have VLAN100-1000 configured manually while switches B to F do not. When GVRP is not enabled, A and G cannot communicate with each other because the intermediate switches lack the relevant VLANs.
timer for GVRP.
garp timer leave <500-1200>
garp timer leaveall <5000-60000>
no garp timer (join | leave | leaveAll)
2. Configure port type
Command (Port Mode): gvrp / no gvrp
Explanation: Enable/disable the GVRP function of the port.
3. Enable GVRP function
Command (Global Mode): gvrp / no gvrp
Explanation: Enable/disable the global GVRP function.
20.7.
User’s Manual of SGS-6341 series To enable dynamic VLAN information register and update among switches, GVRP protocol is to be configured in the switch. Configure GVRP in Switch A, B and C, enable Switch B to learn VLAN100 dynamically so that two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries. Configuration Configuration description Item VLAN100 Port 2-6 of Switch A and C.
Switch C:
Switch(config)#gvrp
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)#gvrp
Switch(Config-If-Ethernet1/11)#exit
20.7.4 GVRP Troubleshooting The GARP timer settings on the Trunk ports at both ends of a Trunk link must be the same; otherwise GVRP will not work normally. It is recommended to avoid enabling GVRP and RSTP at the same time on the switch. If GVRP needs to be enabled, the RSTP function must first be disabled on the ports. 20.8 Voice VLAN Configuration 20.8.1 Introduction to Voice VLAN The Voice VLAN is specially configured for the user's voice data traffic.
User’s Manual of SGS-6341 series 20.8.2 Voice VLAN Configuration Voice VLAN Configuration Task Sequence: 1. Set the VLAN to Voice VLAN 2. Add a voice equipment to Voice VLAN 3. Enable the Voice VLAN on the port 1. Configure the VLAN to Voice VLAN Command Explanation Global Mode voice-vlan vlan Set/cancel the VLAN as a Voice VLAN no voice-vlan 2.
User’s Manual of SGS-6341 series 20.8.3 Typical Applications of the Voice VLAN Scenario: A company realizes voice communication through configuring Voice VLAN. IP-phone1 and IP-phone2 can be connected to any port of the switch, namely normal communication and interconnected with other switches through the uplink port. IP-phone1 MAC address is 00-30-4f-11-22-33, connect port 1/1 of the switch, IP-phone2 MAC address 00-30-4f-11-22-55, connect port 1/2 of the switch.
switch(Config)#interface ethernet 1/2
switch(Config-If-Ethernet1/2)#switchport mode hybrid
switch(Config-If-Ethernet1/2)#switchport hybrid allowed vlan 100 untag
switch(Config-If-Ethernet1/2)#exit
20.8.4 Voice VLAN Troubleshooting Voice VLAN cannot be applied concurrently with MAC-based VLAN. The Voice VLAN supports a maximum of 1024 voice devices; devices beyond that number are not supported. The Voice VLAN on the port is enabled by default.
Chapter 21 MAC Table Configuration 21.1 Introduction to MAC Table The MAC table records the mapping between destination MAC addresses and switch ports. MAC addresses are categorized as static MAC addresses and dynamic MAC addresses.
[Figure 21-1: MAC Table dynamic learning] The topology of the figure above: 4 PCs are connected to the switch; PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/12 of the switch. The initial MAC table contains no address mapping entries. Take the communication between PC1 and PC3 as an example.
User’s Manual of SGS-6341 series 21.1.2 Forward or Filter The switch will forward or filter received data frames according to the MAC table. Take the above figure for an example. Assuming switch has learned the MAC address of PC1 and PC3, and the user manually configures the mapping relationship for PC2 and PC4 to ports.
User’s Manual of SGS-6341 series address is found in the MAC table but belonging to different VLANs, the switch can only broadcast the unicast frame in the VLAN it belongs to. 21.2 Mac Address Table Configuration Task List 1. Configure the MAC address aging-time 2. Configure static MAC forwarding or filter entry 3. Clear dynamic address table 4. Configure MAC learning through CPU control 1. Configure the MAC aging-time Command Explanation Global Mode Configure the MAC address aging-time.
4. Configure MAC learning through CPU control
Command (Global Mode): mac-address-learning cpu-control / no mac-address-learning cpu-control
Explanation: Enable MAC learning through CPU control; the no command restores automatic MAC learning by the switch chip.
Command (Admin Mode): show collision-mac-address-table
Explanation: Show the hash collision MAC table.
Command (Admin Mode): clear collision-mac-address-table
Explanation: Clear the hash collision MAC table.
21.
Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1
2. Set the static mapping for PC2 and PC3 to port 1/7 and port 1/9, respectively.
Switch(config)#mac-address-table static address 00-01-22-22-22-22 vlan 1 interface ethernet 1/7
Switch(config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 1/9
21.
User’s Manual of SGS-6341 series 21.5.1.2 MAC Address Binding Configuration Task List 1. Enable MAC address binding function for the ports 2. Lock the MAC addresses for a port 3. MAC address binding property configuration 1. Enable MAC address binding function for the ports Command Explanation Port Mode Enable MAC address binding function for the port and lock the port.
3. MAC address binding property configuration
Command (Port Mode): switchport port-security maximum [vlan ] / no switchport port-security maximum [vlan ]
Explanation: Configure the maximum number of secure MAC addresses allowed on the interface; if the VLAN parameter is specified, it is the maximum number in the configured VLANs. The no command cancels the maximum number of secure MAC addresses configured on the interface.
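The learning, forward/filter and aging behaviour of 21.1, the static discard entries of the example in 21.3 and the per-port secure-MAC limit of 21.5.1.2 all act on the same table, so one model covers them. The following Python is an added example for this page, not code from PLANET or from the switch; the port names, the symbolic MAC addresses in the test and the aging and limit values are constructed, and the class and method names are hypothetical. The security point it demonstrates is why the port-security maximum matters: without a limit, a host flooding random source MACs fills the table, aged-out or evicted entries make the switch flood unicast frames in the VLAN, and an attacker on that VLAN can then sniff traffic that should have been switched point-to-point. With a limit, the extra addresses are refused instead of learned.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: object          # egress port name, or None for a discard (filter) entry
    static: bool          # static entries never age out and are never overwritten by learning
    learned_at: float


class MacTable:
    """Model of the switch MAC table: learning keyed on (VLAN, source MAC),
    forward/filter decisions on the destination MAC, aging of dynamic entries,
    static discard entries, and a per-port limit on learned addresses
    (the manual's 'switchport port-security maximum')."""

    FLOOD, DROP, FILTER, VIOLATION = "flood", "drop", "filter", "violation"

    def __init__(self, aging=300, port_max=None):
        self.aging = aging
        self.port_max = port_max or {}   # port -> maximum dynamic MACs; absent means unlimited
        self.table = {}                  # (vlan, mac) -> Entry

    def add_static(self, mac, vlan, port):
        self.table[(vlan, mac)] = Entry(port, True, 0.0)

    def add_discard(self, mac, vlan):
        self.table[(vlan, mac)] = Entry(None, True, 0.0)

    def _expire(self, now):
        for key, e in list(self.table.items()):
            if not e.static and now - e.learned_at > self.aging:
                del self.table[key]

    def _dynamic_count(self, port):
        return sum(1 for e in self.table.values() if not e.static and e.port == port)

    def _learn(self, src, vlan, port, now):
        key = (vlan, src)
        e = self.table.get(key)
        if e is not None and e.static:
            return True                   # a static binding is never moved by learning
        limit = self.port_max.get(port)
        if e is None and limit is not None and self._dynamic_count(port) >= limit:
            return False                  # a new address beyond the limit is a port-security violation
        self.table[key] = Entry(port, False, now)   # learn, or refresh the aging timestamp
        return True

    def process(self, src, dst, vlan, in_port, now=0.0):
        """Return the forwarding decision for one frame: an egress port name,
        FLOOD (unknown destination, flooded within the VLAN only), FILTER (the
        destination is on the ingress port's own segment), DROP (static discard
        entry) or VIOLATION (the port's secure-MAC limit was exceeded)."""
        self._expire(now)
        if not self._learn(src, vlan, in_port, now):
            return self.VIOLATION
        e = self.table.get((vlan, dst))
        if e is None:
            return self.FLOOD
        if e.port is None:
            return self.DROP
        if e.port == in_port:
            return self.FILTER
        return e.port
```

Entries are scoped by VLAN, which is why a destination known in VLAN 1 is still flooded when the same MAC is addressed in VLAN 2; the switch never forwards a unicast frame across VLANs on the strength of the MAC table.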
User’s Manual of SGS-6341 series 21.6.2 MAC Notification Configuration Mac notification configuration task list: 1. Configure the global SNMP MAC notification 2. Configure the global MAC notification 3. Configure the interval for sending MAC notification 4. Configure the size of history table 5. Configure the trap type of MAC notification supported by the port 6. Show the configuration and the data of MAC notification 7. Clear the statistics of MAC notification trap 1.
4. Configure the size of history table
Command (Global Mode): mac-address-table notification history-size <0-500> / no mac-address-table notification history-size
Explanation: Configure the history table size; the no command restores the default value.
5.
Switch(config)#snmp-server enable
Switch(config)#snmp-server enable traps mac-notification
Switch(config)#mac-address-table notification
Switch(config)#mac-address-table notification interval 5
Switch(config)#mac-address-table notification history-size 100
Switch(Config-If-Ethernet1/4)#mac-notification both
21.6.4 MAC Notification Troubleshooting Check whether the trap message is sent successfully with the show and debug commands of SNMP.
Chapter 22 MSTP Configuration 22.1 Introduction to MSTP MSTP (Multiple Spanning Tree Protocol) is a newer Spanning Tree Protocol based on STP and RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP. It also calculates independent multiple spanning-tree instances (MSTIs) for each MST region (MSTP domain).
[Figure 22-1: Example of CIST and MST Region. Bridges Root, A, B, M, C, D, E and F; the shaded group of bridges forms the MST Region.] In the above network, if the bridges run STP or RSTP, one port between Bridge M and Bridge B is blocked. But if the bridges in the yellow region run MSTP and are configured in the same MST region, MSTP treats this region as a single bridge. Therefore one port between Bridge B and Root is blocked and one port on Bridge D is blocked. 22.2.
User’s Manual of SGS-6341 series 22.2.1.1 Operations between MST Regions If there are multiple regions or legacy 802.1D bridges within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP bridges in the network. The MST instances combine with the IST at the boundary of the region to become the CST. The MSTI is only valid within its MST region. An MSTI has nothing to do with MSTIs in other MST regions.
1. Enable MSTP and set the running mode
Command (Global and Port Mode): spanning-tree / no spanning-tree
Explanation: Enable/disable MSTP.
Command (Global Mode): spanning-tree mode {mstp|stp|rstp} / no spanning-tree mode
Explanation: Set the MSTP running mode.
Command (Port Mode): spanning-tree mcheck
Explanation: Force the port to migrate to running under MSTP.
2. Configure instance parameters
Command (Global Mode): spanning-tree mst priority
Explanation: Set the bridge priority for the specified instance.
User’s Manual of SGS-6341 series function. no spanning-tree [mst ] loopguard 3. Configure MSTP region parameters Command Explanation Global Mode spanning-tree mst configuration Enter MSTP region mode. The no no spanning-tree mst configuration command restores the default setting. MSTP Region Mode instance vlan Create Instance and set mapping no instance [vlan ] between VLAN and Instance. name Set MSTP region name.
5. Configure the fast migrate feature for MSTP
Command (Port Mode): spanning-tree link-type p2p {auto|force-true|force-false} / no spanning-tree link-type
Explanation: Set the port link type.
Command (Port Mode): spanning-tree portfast [bpdufilter| bpduguard] [recovery <30-3600>]
Explanation: Set and cancel the port as a boundary port.
User’s Manual of SGS-6341 series spanning-tree transmit-hold-count Set the max. transmit-hold-count of port. no spanning-tree transmit-hold-count spanning-tree cost-format {dot1d | dot1t} Set port cost format with dot1d or dot1t. 8. Configure the snooping attribute of authentication key Command Explanation Port Mode Set the port to use the authentication spanning-tree digest-snooping string of partner port.
22.4 MSTP Example The following is a typical MSTP application example: [Figure 22-2: Typical MSTP Application Scenario. SW1, SW2, SW3 and SW4 are interconnected through ports 1-7; ports marked X are discarding.] The connections among the switches are shown in the figure above. All the switches run in MSTP mode by default; their bridge priority, port priority and port path cost are all at the default (equal) values.
By default, MSTP establishes a tree topology (blue lines in the figure) rooted at Switch 1. The ports marked with "x" are in the discarding state and the other ports are in the forwarding state. Configuration Steps: Step 1: Configure port-to-VLAN mapping: Create VLAN 20, 30, 40 and 50 in Switch 2, Switch 3 and Switch 4. Set ports 1-7 as trunk ports in Switch 2, Switch 3 and Switch 4.
Switch 3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/1-7
Switch3(C
User’s Manual of SGS-6341 series Switch4(config)#spanning-tree Switch4(config)#spanning-tree mst 4 priority 0 After the above configuration, Switch1 is the root bridge of the instance 0 of the entire network. In the MSTP region which Switch 2, Switch 3 and Switch 4 belong to, Switch2 is the region root of the instance 0, Switch3 is the region root of the instance 3 and Switch 4 is the region root of the instance 4. The traffic of VLAN 20 and VLAN 30 is sent through the topology of the instance 3.
[Figure 22-5: The Topology of Instance 4 after the MSTP Calculation. SW2, SW3 and SW4; ports marked X are discarding.] 22.5 MSTP Troubleshooting To run MSTP on a switch port, MSTP must be enabled globally; if MSTP is not enabled globally, it cannot be enabled on the port. The MSTP parameters interact with each other, so they should meet the following conditions; otherwise MSTP may work incorrectly.
User’s Manual of SGS-6341 series Chapter 23 QoS Configuration 23.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet header, occupying 6 bits, in the range 0 to 63, and backward compatible with IP Precedence. MPLS TC (EXP): a field of MPLS packets that indicates the service class; it has 3 bits, ranging from 0 to 7. Internal Priority: the internal priority setting of the switch chip; its valid range depends on the chip; short for Int-Prio or IntP.
The data transfer specification of IP covers only the addresses and services of source and destination, and relies on OSI Layer 4 or higher protocols such as TCP for correct packet delivery. Rather than providing a mechanism for guaranteeing and protecting packet transmission bandwidth, IP provides bandwidth on a best-effort basis.
User’s Manual of SGS-6341 series types and switch configurations, classification is performed differently; the flowchart below explains this in detail. Figure 23-4: Classification process Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked.
User’s Manual of SGS-6341 series Figure 23-5: Policing and Remarking process Queuing and scheduling: There are the internal priority and the drop precedence for the egress packets; the queuing operation assigns the packets to different priority queues according to the internal priority, while the scheduling operation perform the packet forwarding according to the priority queue weight and the drop precedence. The following flowchart describes the operations during queuing and scheduling.
User’s Manual of SGS-6341 series Figure 23-6: Queuing and Scheduling process 23.2 QoS Configuration Task List Configure class map Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedent, DSCP, IPV6 FL to classify the data stream. Different classes of data streams will be processed with different policies. Configure a policy map After data steam classification, a policy map can be created to associate with the class map created earlier and enter class mode.
degrading or assigning a new DSCP value) can be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes. Apply QoS to the ports or the VLAN interfaces Configure the trust mode for ports or bind policies to ports. A policy only takes effect on a port when it is bound to that port. A policy may also be bound to a specific VLAN. It is not recommended to use a policy map on a VLAN and on its port at the same time.
] associated to a class. Different policies or new DSCP values can be applied to different data streams in class mode; the no class command deletes the specified class.
Command (Policy Class-map Mode): set {ip dscp | ip precedence | internal priority | drop precedence | cos
Explanation: Assign a new internal priority for the classified traffic; the no command cancels the newly assigned value.
out-profile means red. In dual bucket mode there are three colours of packets (green, yellow, red): in-profile means green; out-profile means red and yellow.
Command: drop / no drop; transmit / no transmit
Explanation: Drop or transmit the traffic that matches the class; the no command cancels the assigned action.
3.
Command: mls qos queue algorithm {sp | wrr | wdrr} / no mls qos queue algorithm
Explanation: Set the queue management algorithm; the default queue management algorithm is wrr.
Command: mls qos queue wrr weight / no mls qos queue wrr weight
Explanation: Set the queue weights of a port; the default queue weights are 1 2 3 4 5 6 7 8.
Command: mls qos queue wdrr weight
Explanation: Configure the queue weights of the port.
Command: show mls qos maps [cos-intp | dscp-intp]
Explanation: Display the configuration of QoS mapping.
Command: show class-map []
Explanation: Display the class map information of QoS.
Command: show policy-map []
Explanation: Display the policy map information of QoS.
Command: show mls qos {interface [] [policy | queuing] | vlan }
Explanation: Display the QoS configuration of a port or VLAN.
23.
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#policy 10000 4000 exceed-action drop
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#service-policy input p1
Configuration result: An ACL named 1 is set to match the segment 192.168.1.0.
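The policing step described in 23.1 and applied above with `policy 10000 4000 exceed-action drop` is a token-bucket rate limiter; the single-bucket and dual-bucket colouring rules quoted in the policy-map command table are easiest to verify with a deterministic model. The following Python is an added example for this page, not code from PLANET or from the switch. The rate and burst numbers are taken from the command above but their units are assumed here to be bytes per second and bytes (the switch's own units are whatever the command reference states), the packet sizes and timestamps are constructed, and the class and method names are hypothetical. Policing is what keeps one class of ingress traffic, for example a flooding host, from starving the rest, so it is worth checking that a burst larger than the committed burst really is marked and dropped rather than merely delayed.

```python
class TokenBucketPolicer:
    """Single-rate policer with a committed bucket (CIR, CBS) and an optional
    excess bucket (EBS): the manual's single-bucket mode colours packets
    green/red, its dual-bucket mode green/yellow/red. Rates are bytes per
    second and burst sizes bytes (assumed units); the caller supplies
    timestamps, so the result is deterministic and testable."""

    GREEN, YELLOW, RED = "green", "yellow", "red"

    def __init__(self, cir, cbs, ebs=0, in_profile_action="transmit", out_profile_action="drop"):
        self.cir, self.cbs, self.ebs = float(cir), float(cbs), float(ebs)
        self.tc, self.te = self.cbs, self.ebs      # both buckets start full
        self.last = 0.0
        self.in_action, self.out_action = in_profile_action, out_profile_action
        self.stats = {self.GREEN: 0, self.YELLOW: 0, self.RED: 0}

    def _refill(self, now):
        """Add CIR * elapsed tokens; the committed bucket fills first and any
        overflow goes to the excess bucket, as in a single-rate three-colour marker."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        tokens = elapsed * self.cir
        room = self.cbs - self.tc
        if tokens <= room:
            self.tc += tokens
        else:
            self.tc = self.cbs
            self.te = min(self.ebs, self.te + tokens - room)

    def colour(self, size, now):
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            c = self.GREEN
        elif size <= self.te:
            self.te -= size
            c = self.YELLOW
        else:
            c = self.RED
        self.stats[c] += 1
        return c

    def police(self, size, now):
        """Return (colour, action). Following the manual's definition, green is
        in-profile; yellow and red are out-of-profile and get the exceed action."""
        c = self.colour(size, now)
        return c, (self.in_action if c == self.GREEN else self.out_action)
```

Two 1500-byte packets fit in a 4000-byte committed burst, the third only fits the excess bucket (yellow, dropped under `exceed-action drop`), the fourth is red, and after one second at the committed rate the buckets are full again.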
QoS configuration in Switch1:
Switch#config
Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.
Chapter 24 Flow-based Redirection 24.1 Introduction to Flow-based Redirection The flow-based redirection function enables the switch to transmit data frames meeting a specified condition (defined by an ACL) to another specified port. The frames meeting the same condition are called a class of flow; the ingress port of the data frame is called the source port of the redirection, and the specified egress port is called the destination port of the redirection.
User’s Manual of SGS-6341 series 2. Check the current flow-based redirection configuration Command Explanation Admin / Global Mode show flow-based-redirect {interface [ethernet |]} Display the information of current flow-based redirection in the system/port. 24.3 Flow-based Redirection Examples Example: User’s request of configuration is listed as follows: redirecting the frames whose source IP is 192.168.1.
User’s Manual of SGS-6341 series Chapter 25 Flexible Q-in-Q Configuration 25.1 Introduction to Flexible Q-in-Q 25.1.1 Q-in-Q Technique Dot1q-tunnel is also called Q-in-Q (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) to the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone network of the ISP internet to provide a simple Layer 2 tunnel for the users.
User’s Manual of SGS-6341 series 1. Configure class map Command Explanation Global Mode class-map Create a class-map and enter no class-map class-map mode, the no command deletes the specified class-map.
User’s Manual of SGS-6341 series 3. Bind flexible Q-in-Q policy-map to port Command Explanation Port Mode service-policy input Apply a policy-map to a port, the no no service-policy input command deletes the specified policy-map applied to the port. 4. Show flexible Q-in-Q policy-map bound to port Command Explanation Admin Mode show mls qos {interface ethernet Show flexible Q-in-Q configuration on the [] port. 25.
will be given an outer tag 1001 (this tag is unique in the public network), enter the broadband network as DSCP10 and be classified to the BRAS device. DSCP20 (or DSCP30) traffic will be given an outer VLAN tag 2001 (or 3001) and be classified to the SR device according to the flow rules. The second user can be assigned different DSCPs in DSLAM2. Notice: the DSCP assigned to the second user may be the same as the first user's, and that DSCP value will likewise be given an outer tag.
Make sure the ACL includes a permit rule if the class-map matches an ACL rule. Make sure the switch has enough TCAM resources to apply the binding. Chapter 26 Layer 3 Management Configuration The switch only supports Layer 2 forwarding, but a Layer 3 management port can be configured for communication with all kinds of IP-based management protocols. 26.1 Layer 3 Management Interface 26.1.
no description The no command cancels the description information of the VLAN interface. 26.2 IP Configuration 26.2.1 Introduction to IPv4, IPv6 IPv4 is the current version of the universal Internet protocol. Practice has shown that IPv4 is simple, flexible, open, stable, robust and easy to implement, and that it collaborates well with the various protocols of the upper and lower layers.
First of all, the 128-bit addressing scheme of IPv6 can guarantee enough globally unique IP addresses for the nodes of the global IP network for the foreseeable future. Moreover, besides increasing the address space, IPv6 also improves many other essential designs of IPv4. The hierarchical addressing scheme facilitates route aggregation, effectively reduces routing table entries and enhances the efficiency and scalability of routing and packet processing.
the problems and system cost caused by NAT deployment are solved naturally. Support for extensively deployed routing protocols: IPv6 has kept and extended support for the existing Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP), for example the IPv6 routing protocols RIPng, OSPFv3, IS-ISv6 and MBGP4+. Multicast addresses have increased and support for multicast has been enhanced.
User’s Manual of SGS-6341 series 26.2.2.2 IPv6 Address Configuration The configuration Task List of IPv6 is as follows: 1. IPv6 basic configuration (1) Configure interface IPv6 address (2) Configure default gateway 2. IPv6 Neighbor Discovery Configuration (1) Configure DAD neighbor solicitation message number (2) Configure send neighbor solicitation message interval (3) Configure static IPv6 neighbor entries (4) Delete all entries in IPv6 neighbor table 1.
ipv6 nd ns-interval / no ipv6 nd ns-interval: Set the interval at which the interface sends neighbor solicitation messages. The no command restores the default value (1 second).
(3) Configure static IPv6 neighbor entries
Command Explanation VLAN Interface Mode
ipv6 neighbor: Set static neighbor table entries, including the neighbor IPv6 address, MAC address and Layer 2 port of the interface.
26.3.2 Introduction to Default Route A default route is a kind of static route which is used only when no matching route is found. In the route table, the default route is indicated by a destination address of 0.0.0.0 and a network mask of 0.0.0.0.
Figure 26-1: Static Route Configurations (figure labels, in extraction order: PC-C:10.1.5.2; PC-A:10.1.1.2; PC-B:10.1.4.2; Switch C; vlan2:10.1.2.2; vlan3:10.1.5.1; vlan1:10.1.3.2; vlan1:10.1.1.1; Switch A; vlan2:10.1.2.1; vlan2:10.1.4.1; vlan1:10.1.3.1; Switch B)
Configuration steps:
Configuration of Layer 3 SwitchA
Switch#config
Switch(config)#ip route 10.1.5.0 255.255.255.0 10.1.2.2
Configuration of Layer 3 SwitchC
Switch#config
Next hop: use the partner IP address
Switch(config)#ip route 10.1.1.0 255.255.
26.4 RIP 26.4.1 Introduction to RIP RIP was first introduced in ARPANET; it is a protocol dedicated to small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol send two kinds of information to the neighboring devices regularly: • Number of hops to reach the destination network, or metrics to use, or number of networks to pass.
packets by broadcast; subnet mask and authentication are not supported. Some fields in RIP-I packets are not used and are required to be all 0's; for this reason, such all-0 fields should be checked when using RIP-I, and RIP-I packets should be discarded if such fields are non-zero. RIP-II is an improved version of RIP-I. RIP-II sends route update packets by multicast (the multicast address is 224.0.0.9).
Router and Address Family Mode network / no network: Enables RIP on the segment; the no network command deletes the segment.
2. Configure RIP protocol parameters
(1) Configure the RIP packet transmitting mechanism
1) Configure RIP data packet point-transmitting
2) Configure RIP broadcast
Command Explanation Router Mode
neighbor: Specify the IP address of the neighbor router
2) Configure interface authentication mode and password
Command Explanation VLAN Interface Mode
ip rip authentication mode {text | md5} / no ip rip authentication mode [text | md5]: Sets the authentication method; the no ip rip authentication mode [text | md5] command cancels the authentication action.
ip rip authentication string / no ip rip authentication string: Sets the authentication key; the no ip rip authentication string command means no key is needed.
offset-list {in | out} [] / no offset-list {in | out} []: Configure the route metric offset applied when the port sends or receives RIP data packets; the no offset-list command removes the offset list.
maximum-prefix [] / no maximum-prefix: Configure the maximum number of RIP routes; the no maximum-prefix command cancels the limit.
timers basic / no timers basic: Adjust the collection time; the no timers basic command restores the default configuration.
4. Delete the specified route in the RIP route table
Command Explanation Admin Mode
clear ip rip route {|kernel|static|connected|rip|ospf|isis|bgp|all}: Deletes a specified route from the RIP route table.
5. Configure RIP routing aggregation
(1) Configure IPv4 aggregation route globally
Command Explanation Router Mode
ip rip aggregate-address A.B.C.D/M: To configure or delete an IPv4 aggregation route. no ip rip aggregate-address A.B.C.
(2) Display and debug the information about the configuration of redistribution of OSPF routing to RIP
Command Explanation Admin Mode
debug rip redistribute message send / no debug rip redistribute message send: Enable or disable debugging messages sent by RIP for redistribution of OSPF routing.
debug rip redistribute route receive / no debug rip redistribute route receive: Enable or disable debugging messages received from NSM.
7.
SwitchA#config
SwitchA(config)# interface vlan 1
SwitchA(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0
SwitchA(config-if-Vlan1)#
Configure the IP address of interface vlan 2
SwitchA(config)# vlan 2
SwitchA(Config-Vlan2)# switchport interface ethernet 1/0/2
Set the port Ethernet1/0/1 access vlan 2 successfully
SwitchA(Config-Vlan2)# exit
SwitchA(config)# interface vlan 2
SwitchA(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.
SwitchC(config-router)#exit
26.4.4 RIP Examples – RIP aggregation function
The application topology is as follows:
Figure 26-3 Typical application of RIP aggregation (figure labels: S1 vlan1:192.168.10.1; S2 vlan1:192.168.10.2; 192.168.20.0/22; 192.168.21.0/24; 192.168.22.0/24; 192.168.23.0/24; 192.168.24.0/24)
In the above network topology, S2 is connected to S1 through interface vlan1; there are 4 other subnet routes behind S2, which are 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24, 192.
Second, ensure the interface and link protocol are UP (use the show interface command). Then start the RIP protocol (use the router rip command), configure the segment (use the network command) and set RIP protocol parameters on the corresponding interfaces, such as the choice between RIP-I and RIP-II. After that, one feature of the RIP protocol should be noticed: the Layer 3 switch running RIP sends route update messages to all neighboring Layer 3 switches every 30 sec
network. This process is referred to as “flooding”. In this way, firsthand information is sent throughout the network to provide an accurate map for creating and updating routes in the network. Link-state routing protocols use cost instead of hops to decide the route. Cost is assigned automatically or manually. According to the algorithm in the link-state protocol, cost can be derived from the number of hops packets must pass, the link bandwidth, and the current load of the link.
link-state information) to exchange link-state information with other OSPF Layer 3 switches to form a link-state database describing the whole autonomous system. Each Layer 3 switch builds a shortest path tree rooted at itself according to the link-state database; this tree provides the routes to all nodes in the autonomous system. If two or more Layer 3 switches exist (i.e.
summary LSA) and type 5 LSA (AS external LSA) are not allowed to flood into/through STUB areas. STUB areas must use default routes: the Layer 3 switches on the STUB area edge advertise the default routes into STUB areas by type 3 summary LSA; those default routes only flood inside the STUB area and do not get out of it. Each STUB area has a corresponding default route, and a route from a STUB area to an AS exterior destination must rely on the default route of that area.
2) Set the OSPF interface to receive only
3) Configure the cost for sending packets from the interface
4) Configure OSPF packet sending timer parameters (timer of broadcast interface sending HELLO packets to poll, timer of neighboring Layer 3 switch invalid timeout, timer of LSA transmission delay and timer of LSA retransmission.
(2) Configure OSPF route introduction parameters: Configure the routes of other protocols to be introduced into OSPF.
(4) Configure other OSPF protocol parameters
1) Configure how the OSPF SPF algorithm time is calculated
2) Configure the LSA limit in the OSPF link state database
3) Configure various OSPF parameters
Command Explanation OSPF Protocol Configuration Mode
timers spf / no timers spf: Configure the SPF timer of OSPF; the no timers spf command restores the default settings.
6) Filter the routes obtained by OSPF
Command Explanation OSPF Protocol Configuration Mode
filter-policy / no filter-policy: Use an access list to filter the routes obtained by OSPF; the no command cancels the route filtering.
3. Disable OSPF protocol
Command Explanation Global Mode
no router ospf [process]: Disables the OSPF routing protocol.
26.5.3 OSPF Examples 26.5.4 Configuration Example of OSPF Scenario 1: OSPF autonomous system.
Switch1(config-if-vlan1)#exit
Configure the IP address of interface vlan2
Switch1(config)# interface vlan 2
Switch1(config-if-vlan2)# ip address 100.1.1.1 255.255.255.0
Switch1(config-if-vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan1 and vlan2.
Switch1(config)#router ospf
Switch1(config-router)#network 10.1.1.0/24 area 0
Switch1(config-router)#network 100.1.1.
Start the OSPF protocol, configure the OSPF area to which interface vlan3 belongs
Switch3(config)#router ospf
Switch3(config-router)# network 20.1.1.0/24 area 1
Switch3(config-router)#exit
Switch3(config)#exit
Switch3#
Layer 3 Switch4:
Configure the IP address of interface vlan3
Switch4#config
Switch4(config)# interface vlan 3
Switch4(config-if-vlan3)# ip address 30.1.1.2 255.255.255.
Switch5(config-router)# network 100.1.1.0/24 area 0
Switch5(config-router)#exit
Switch5(config)#exit
Switch5#
Scenario 2: Typical OSPF protocol complex topology.
be a virtual link between backbone Layer 3 Switch10 and Switch11. The area edge Layer 3 switches exchange summary information via the backbone Layer 3 switch; each area edge Layer 3 switch listens to the summary information from the other edge Layer 3 switches. A virtual link can not only maintain the connectivity of the backbone area, but also strengthen the backbone area.
SwitchA(config-If-Vlan2)#ip ospf authentication-key DCS
SwitchA(config-If-Vlan2)#exit
Configure the IP address and area number for interface vlan1.
SwitchA(config)# interface vlan 1
SwitchA(config-If-Vlan1)#ip address 20.1.1.1 255.255.255.0
SwitchA(config-If-Vlan1)#exit
SwitchA(config)#router ospf
SwitchA(config-router)#network 20.1.1.
SwitchC#config
SwitchC(config)# interface vlan 2
SwitchC(config-If-Vlan2)# ip address 10.1.1.3 255.255.255.0
SwitchC(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface vlan2
SwitchC(config)#router ospf
SwitchC(config-router)#network 10.1.1.
SwitchD#config
SwitchD(config)# interface vlan 2
SwitchD(config-If-Vlan2)# ip address 10.1.1.4 255.255.255.0
SwitchD(config-If-Vlan2)#exit
Enable OSPF protocol, configure the area number for interface VLAN2.
SwitchD(config)#router ospf
SwitchD(config-router)#network 10.1.1.0/24 area 1
SwitchD(config-router)#exit
Configure simple key authentication.
Figure 26-6 Function of OSPF importing the routes of other OSPF processes, example (figure labels: Network A; Vlan1 1.1.1.1; Vlan2 2.2.2.2; Network B)
We can configure as follows:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 1.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 2.2.2.2 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#router ospf 10
Switch(config-router)#network 2.2.2.
VLAN1 and VLAN2. The routing messages are exchanged between PE and CE through the OSPF protocol.
Enable OSPF protocol and configure OSPF segments
SwitchB(config)#router ospf
SwitchB(config-router)#network 10.1.1.0/24 area 0
SwitchB(config-router)#exit
c) The Layer 3 SwitchC of CE2
Configure the IP address of Ethernet E 1/0/2
SwitchC#config
SwitchC(config)# interface Vlan1
SwitchC(config-if-vlan1)# ip address 20.1.1.2 255.255.255.
26.6 ARP 26.6.1 Introduction to ARP ARP (Address Resolution Protocol) is mainly used to resolve an IP address to an Ethernet MAC address. The switch supports static ARP configuration.
26.6.2 ARP Configuration Task List
ARP Configuration Task List:
1. Configure static ARP
1. Configure static ARP
Command Explanation VLAN Interface Mode
arp / no arp: Configures a static ARP entry; the no arp command deletes a static ARP entry.
26.6.
Chapter 27 ARP Scanning Prevention Function Configuration 27.1 Introduction to ARP Scanning Prevention Function ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts lots of ARP messages in the segment, which takes up a large part of the bandwidth of the network.
4. Configure trusted IP
5. Configure automatic recovery time
6. Display relative information of debug information and ARP scanning
1. Enable the ARP Scanning Prevention function.
Command Explanation Global Mode
anti-arpscan enable / no anti-arpscan enable: Enable or disable the ARP Scanning Prevention function globally.
2.
anti-arpscan trust ip [] / no anti-arpscan trust ip []: Set the trust attributes of an IP.
5. Configure automatic recovery time
Command Explanation Global Mode
anti-arpscan recovery enable / no anti-arpscan recovery enable: Enable or disable the automatic recovery function.
anti-arpscan recovery time / no anti-arpscan recovery time: Set the automatic recovery time.
6.
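As an added illustration of the kind of check this function performs (example code written for this edit, not PLANET firmware and not any command of the switch), the following Python runs a detector over a constructed ARP request log: a sender that asks for more than a threshold of distinct target addresses inside a short sliding window is flagged, and sender IPs on a trust list (the counterpart of anti-arpscan trust ip) are exempt. The window length, the threshold, the MAC addresses and the timestamps are assumed sample values; the file server address 192.168.1.100 is the one used in the example topology below.

```python
from collections import defaultdict


def constructed_arp_sample():
    """Constructed ARP request log as (seconds, sender MAC, sender IP, target IP).
    One host sweeps 200 addresses of 192.168.1.0/24 in two seconds, a file server
    (192.168.1.100) sweeps 100 addresses, and one host behaves normally."""
    scanner = [(0.01 * i, "00:00:5e:00:01:0a", "192.168.1.50", "192.168.1.%d" % i)
               for i in range(1, 201)]
    server = [(0.01 * i, "00:00:5e:00:01:64", "192.168.1.100", "192.168.1.%d" % i)
              for i in range(1, 101)]
    normal = [(0.5, "00:00:5e:00:01:0b", "192.168.1.60", "192.168.1.1"),
              (3.0, "00:00:5e:00:01:0b", "192.168.1.60", "192.168.1.100")]
    return scanner + server + normal


def detect_arp_scanners(requests, window_s=1.0, max_targets=50, trusted_ips=frozenset()):
    """Return {sender MAC: (sender IP, distinct targets)} for every sender that asked for
    more than max_targets distinct IP addresses within any window_s-second sliding window.
    Senders whose IP is in trusted_ips are never flagged (assumed model of the trust list)."""
    by_sender = defaultdict(list)
    for ts, mac, sender_ip, target_ip in sorted(requests):
        by_sender[(mac, sender_ip)].append((ts, target_ip))

    flagged = {}
    for (mac, sender_ip), events in by_sender.items():
        if sender_ip in trusted_ips:
            continue
        in_window = defaultdict(int)   # target IP -> number of requests still inside the window
        start = 0                      # index of the oldest event still inside the window
        for ts, target_ip in events:
            in_window[target_ip] += 1
            # slide the window forward, forgetting events older than window_s seconds
            while events[start][0] < ts - window_s:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_targets:
                flagged[mac] = (sender_ip, len(in_window))
                break
    return flagged


if __name__ == "__main__":
    print(detect_arp_scanners(constructed_arp_sample(), trusted_ips=frozenset({"192.168.1.100"})))
```

With the trust list containing the server, only the sweeping host is reported; without it the server's sweep is reported too, which is the reason the manual provides the trusted-IP setting.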
27.3 ARP Scanning Prevention Typical Examples
Figure 27-1: ARP scanning prevention typical configuration example (figure labels: SWITCH B E1/1; E1/19 SWITCH A E1/2; E1/2; Server 192.168.1.100/24; PC; PC)
In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A, port E1/2 of SWITCH A is connected to a file server (IP address 192.168.1.100/24), and all the other ports of SWITCH A are connected to common PCs.
27.4 ARP Scanning Prevention Troubleshooting Help ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, “debug anti-arpscan”, to view debug information.
Chapter 28 Prevent ARP Spoofing Configuration 28.1 Overview 28.1.1 ARP (Address Resolution Protocol) Generally speaking, the ARP (RFC 826) protocol is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-30-4F-FD-1D-2B.
relationship configured by attack packets, so that the switch makes mistakes when forwarding packets, which affects the whole network. Or the switches are made use of by malicious attackers, who intercept and capture packets forwarded by the switches or attack other switches, hosts or network equipment.
3. Function for changing dynamic ARP to static ARP
Command Explanation Global and VLAN Interface Mode
ip arp-security convert: Change dynamic ARP to static ARP.
28.3 Prevent ARP Spoofing Example
(figure labels: Switch; A; B; C)
Equipment Explanation (columns: Equipment, Configuration; each row also carries a column reading 1):
switch: IP:192.168.2.4; mac: 00-00-00-00-00-04
A: IP:192.168.2.1; mac: 00-00-00-00-00-01
B: IP:192.168.1.2; mac: 00-00-00-00-00-02
C: IP:192.168.2.
Switch#config
Switch(config)#interface vlan 1
Switch(config-if-vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface ethernet 1/1
Switch(config-if-vlan1)#arp 192.168.2.2 00-00-00-00-00-02 interface ethernet 1/2
Switch(config-if-vlan1)#arp 192.168.2.
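To make concrete what the static bindings above protect against, here is an added Python model (written for this edit; it is not the switch's implementation and not PLANET code) of the two pieces of this chapter: checking an observed ARP message against the static IP/MAC/port table, and the "convert dynamic ARP to static" operation that freezes learned entries. The static table is taken from the two complete arp commands above; the observed ARP messages and the dynamic entries are constructed sample data, and the three result labels are this example's own.

```python
from collections import namedtuple

ArpBinding = namedtuple("ArpBinding", "ip mac port")


def normalize_mac(mac):
    """Accept 00-00-00-00-00-01, 00:00:00:00:00:01 or 0000.0000.0001; return 00-00-00-00-00-01."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("bad MAC address %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_static_table(bindings):
    """Index static bindings by IP with MACs in canonical form."""
    return {b.ip: ArpBinding(b.ip, normalize_mac(b.mac), b.port) for b in bindings}


def check_arp_message(static_table, sender_ip, sender_mac, ingress_port):
    """Classify an ARP message against the static table:
    'ok'         the sender IP, MAC and ingress port all match the static binding
    'unknown-ip' no static binding exists for the sender IP (a dynamic entry would be learned)
    'spoof'      the sender claims a statically bound IP from another MAC or another port"""
    binding = static_table.get(sender_ip)
    if binding is None:
        return "unknown-ip"
    if binding.mac == normalize_mac(sender_mac) and binding.port == ingress_port:
        return "ok"
    return "spoof"


def convert_dynamic_to_static(static_table, dynamic_entries):
    """Model of 'ip arp-security convert' (assumed semantics): every currently learned
    dynamic entry (ip, mac, port) becomes a static binding; existing static bindings win."""
    table = dict(static_table)
    for ip, mac, port in dynamic_entries:
        if ip not in table:
            table[ip] = ArpBinding(ip, normalize_mac(mac), port)
    return table


def classify_all(static_table, messages):
    """Classify a list of (sender IP, sender MAC, ingress port) messages in order."""
    return [check_arp_message(static_table, ip, mac, port) for ip, mac, port in messages]


# Static bindings from the arp commands in the example above.
STATIC_BINDINGS = build_static_table([
    ArpBinding("192.168.2.1", "00-00-00-00-00-01", "ethernet 1/1"),
    ArpBinding("192.168.2.2", "00-00-00-00-00-02", "ethernet 1/2"),
])

# Constructed ARP messages as (sender IP, sender MAC, ingress port).
SAMPLE_ARP_MESSAGES = [
    ("192.168.2.1", "00:00:00:00:00:01", "ethernet 1/1"),   # legitimate host A
    ("192.168.2.1", "00:00:00:00:00:03", "ethernet 1/3"),   # another host claiming A's address
    ("192.168.2.2", "00:00:00:00:00:02", "ethernet 1/5"),   # right MAC but wrong port
    ("192.168.2.9", "00:00:00:00:00:09", "ethernet 1/9"),   # no static binding
]

if __name__ == "__main__":
    print(classify_all(STATIC_BINDINGS, SAMPLE_ARP_MESSAGES))
```

The port is part of the binding on purpose: a correct MAC arriving on an unexpected port is treated as a spoof, which is what binding the entry to an interface in the arp command buys you over an IP/MAC pair alone.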
Chapter 29 ARP GUARD Configuration 29.1 Introduction to ARP GUARD There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides a chance for ARP cheating.
29.2 ARP GUARD Configuration Task List 1.
Chapter 30 Gratuitous ARP Configuration 30.1 Introduction to Gratuitous ARP Gratuitous ARP is a kind of ARP request that is sent by a host with its own IP address as the destination of the ARP request. The basic working mode for the switch is as below: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured globally to send gratuitous ARP packets on all interfaces.
show ip gratuitous-arp [interface VLAN <1-4094>]: To display configurations about gratuitous ARP.
30.3 Gratuitous ARP Configuration Example
Figure 30-1: Gratuitous ARP Configuration Example (figure labels: Switch; Interface vlan10 192.168.15.254 255.255.255.0; PC1 PC2 PC3 PC4 PC5)
For the network topology shown in the figure above, interface VLAN10 of the switch has IP address 192.168.15.254 and network mask 255.255.255.0.
configuration can only be disabled in interface configuration mode. If gratuitous ARP is enabled in both global and interface configuration mode, and the sending interval of gratuitous ARP is configured in both configuration modes, the switch takes the value configured in interface configuration mode.
Chapter 31 DHCP Configuration 31.1 Introduction to DHCP DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP addresses dynamically from an address pool, as well as other network configuration parameters such as default gateway, DNS server, default route and host image file position within the network. DHCP is the enhanced version of BOOTP.
that the DHCP packet exchange can be completed between the DHCP client and server. The switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment, but also manual IP address binding (i.e. assigning a specific IP address to a specified MAC address or specified device ID over a long period.
ip dhcp pool / no ip dhcp pool: Configure a DHCP address pool. The no operation cancels the DHCP address pool.
(2) Configure DHCP address pool parameters
Command Explanation DHCP Address Pool Mode
network-address [mask | prefix-length] / no network-address: Configure the address scope that can be allocated to the address pool. The no operation of this command cancels the allocation address pool.
option {ascii | hex | ipaddress} / no option: Configure the network parameter specified by the option code. The no command deletes the network parameter specified by the option code.
lease {days [hours][minutes] | infinite} / no lease: Configure the lease period allocated to addresses in the address pool. The no command deletes the lease period allocated to addresses in the address pool.
31.3 DHCP Relay Configuration When the DHCP client and server are in different segments, a DHCP relay is required to transfer DHCP packets. Adding a DHCP relay makes it unnecessary to configure a DHCP server for each segment; one DHCP server can provide the network configuration parameters for clients from multiple segments, which is not only cost-effective but also management-effective.
1. Enable DHCP relay.
Command Explanation Global Mode
service dhcp / no service dhcp: DHCP server and DHCP relay are enabled when the DHCP service is enabled.
2. Configure DHCP relay to forward DHCP broadcast packets.
Command Explanation Global Mode
ip forward-protocol udp bootps / no ip forward-protocol udp bootps: UDP port 67 is used for DHCP broadcast packet forwarding.
PoolA (network 10.16.1.0): Default gateway 10.16.1.200, 10.16.1.201; DNS server 10.16.1.202; WINS server 10.16.1.209; WINS node type H-node; Lease 3 days.
PoolB (network 10.16.2.0): Default gateway 10.16.1.200, 10.16.1.201; DNS server 10.16.1.202; WWW server 10.16.1.209; Lease 1 day.
In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned the fixed IP address 10.16.1.210 and named “management”.
Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch, the client can only get its address from 10.16.1.0/24 instead of 10.16.2.0/24. This is because the broadcast packet from the client will be requesting an IP address in the same segment as the VLAN interface after VLAN interface forwarding, and the VLAN interface IP address is 10.16.1.2/24; therefore the IP address assigned to the client will belong to 10.16.1.0/24.
Switch(Config-if-Vlan2)#ip address 10.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#ip forward-protocol udp bootps
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip helper-address 10.1.1.10
Switch(Config-if-Vlan1)#exit
Note: It is recommended to use the combination of the commands ip forward-protocol udp and ip helper-address. ip helper-address can only be configured on Layer 3 ports and cannot be configured on Layer 2 ports directly.
switch(config)#ip dhcp relay information option
switch(config)#ip dhcp relay share-vlan 1 sub-vlan 3
switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
switch(config-if-vlan1)#ip helper-address 192.168.40.199
31.5 DHCP Troubleshooting If DHCP clients cannot obtain IP addresses and other network parameters, the following procedures can be followed once the DHCP client hardware and cables have been verified OK.
Chapter 32 DHCPv6 Configuration 32.1 Introduction to DHCPv6 DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS address and domain name, to DHCPv6 clients; DHCPv6 is a conditional auto address configuration protocol relative to IPv6.
2. Any DHCP server which receives the request replies to the client with an ADVERTISE message, which includes the identity of the server (its DUID) and its priority. 3. It is possible that the client receives multiple ADVERTISE messages. The client should select one and reply with a REQUEST message to request the address advertised in that ADVERTISE message. 4.
1. To enable/disable DHCPv6 service
Command Explanation Global Mode
service dhcpv6 / no service dhcpv6: To enable DHCPv6 service.
2. To configure DHCPv6 address pool
(1) To create/delete DHCPv6 address pool
Command Explanation Global Mode
ipv6 dhcp pool / no ipv6 dhcp pool: To configure DHCPv6 address pool.
ipv6 dhcp server [preference ] [rapid-commit] [allow-hint] / no ipv6 dhcp server: To enable the DHCPv6 server function on the specified port and bind the DHCPv6 address pool to be used.
32.3 DHCPv6 Relay Delegation Configuration
DHCPv6 relay delegation configuration task list as below:
1. To enable/disable DHCPv6 service
2. To configure DHCPv6 relay delegation on port
1.
(4) To configure other parameters of DHCPv6 address pool
4. To enable DHCPv6 prefix delegation server function on port
1. To enable/delete DHCPv6 service
Command Explanation Global Mode
service dhcpv6 / no service dhcpv6: To enable DHCPv6 service.
2. To configure prefix delegation pool
Command Explanation Global Mode
ipv6 local pool / no ipv6 local pool: To configure prefix delegation pool.
3.
prefix-delegation [iaid ] [lifetime ] / no prefix-delegation: To specify an IPv6 prefix and any prefix required for static binding by a client.
2. To enable DHCPv6 prefix delegation client function on port
Command Explanation VLAN Interface Mode
ipv6 dhcp client pd [rapid-commit] / no ipv6 dhcp client pd: To enable the client prefix delegation request function on the specified port; the prefix obtained is associated with the configured general prefix.
32.
Usage guide:
Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)#service dhcpv6
Switch3(config)#ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv
Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag
Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag
Switch2(Config-if-Vlan100)#exit
Switch2(config)#
Switch1 configuration:
Switch1(config)#service dhcpv6
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:100:1::2/64
Switch2(Config-if-Vlan1)#ipv6 dhcp relay destination 2001:da8:10:1::1
32.
Chapter 33 DHCP Option 82 Configuration 33.1 Introduction to DHCP Option 82 DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy.
SubOpt: the sequence number of the sub-option; the sequence number of the Circuit ID sub-option is 1, and the sequence number of the Remote ID sub-option is 2. Len: the number of bytes in the Sub-option Value, not including the two bytes of the SubOpt field and the Len field. 33.1.
33.2 DHCP Option 82 Configuration Task List
1. Enable the DHCP option 82 of the Relay Agent
2. Configure the DHCP option 82 attributes of the interface
3. Enable the DHCP option 82 of the server
4. Configure the DHCP option 82 default format of the Relay Agent
5. Configure delimiter
6. Configure creation method of option 82
7. Diagnose and maintain DHCP option 82
1. Enable the DHCP option 82 of the Relay Agent.
This command is used to set the retransmitting policy of the system for received DHCP request messages which contain option 82.
3. Enable the DHCP option 82 of the server.
Command Explanation Global Mode
ip dhcp server relay information enable / no ip dhcp server relay information enable: This command is used to enable the switch DHCP server to identify option 82. The “no ip dhcp server relay information enable” command makes the server ignore option 82.
4.
ip dhcp relay information option self-defined remote-id format [ascii |: Set the self-defined format of remote-id for relay option 82.
In the above example, layer 2 switches Switch1 and Switch2 are both connected to layer 3 switch Switch3. Switch3 transmits the request message from the DHCP client to the DHCP server as the DHCP Relay Agent. It also transmits the reply message from the server to the DHCP client to finish the DHCP protocol procedure. If DHCP option 82 is disabled, the DHCP server cannot distinguish whether the DHCP client is from the network connected to Switch1 or from the one connected to Switch2.
option subnet-mask 255.255.255.0;
option domain-name "example.com.cn";
option domain-name-servers 192.168.10.3;
authoritative;
pool {
range 192.168.102.21 192.168.102.50;
default-lease-time 86400; #24 Hours
max-lease-time 172800; #48 Hours
allow members of "Switch3Vlan2Class1";
}
pool {
range 192.168.102.51 192.168.102.
To implement the option 82 function of the DHCP server, the “debug ip dhcp server packet” command can be used during operation to display the server's processing of data packets, including the identified option 82 information of the request message and the option 82 information returned in the reply message.
Chapter 34 DHCP Option 60 and Option 43 34.1 Introduction to DHCP Option 60 and Option 43 The DHCP server analyzes DHCP packets from the DHCP client. If a packet carries option 60, the server decides whether option 43 is returned to the DHCP client according to option 60 of the packet and the configuration of option 60 and option 43 in the DHCP server address pool. Configure the corresponding option 60 and option 43 in the DHCP server address pool: 1.
dhcp pool mode.
option 60 ip A.B.C.D: Configure an option 60 character string in IP format in ip dhcp pool mode.
option 43 ip A.B.C.D: Configure an option 43 character string in IP format in ip dhcp pool mode.
no option 60: Delete the configured option 60 in address pool mode.
no option 43: Delete the configured option 43 in address pool mode.
34.
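To show what the option 82 fields described in 33.1 and the option 60 / option 43 decision described in this chapter look like on the wire, the following Python is an added example for this edit, not code from this manual or from the switch. It parses a DHCPv4 options field, splits option 82 into its SubOpt/Len/Value sub-options (Circuit ID 1, Remote ID 2), refuses a truncated sub-option instead of reading past the buffer, and returns a pool's configured option 43 only when the client's option 60 matches the string configured for that pool. The vendor class string, the Circuit ID text, the client MAC and the pool configuration are constructed sample values; the option codes and the magic cookie are the standard DHCP ones.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_VENDOR_CLASS_ID = 60      # option 60, sent by the client
OPT_VENDOR_SPECIFIC = 43      # option 43, returned by the server
OPT_RELAY_AGENT_INFO = 82     # option 82, inserted by the relay agent
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_dhcp_options(options_field):
    """Parse the one-byte code / one-byte length TLV options that follow the magic cookie
    into {code: value}. A truncated option raises ValueError rather than being read past."""
    if options_field.startswith(DHCP_MAGIC_COOKIE):
        options_field = options_field[len(DHCP_MAGIC_COOKIE):]
    opts, i = {}, 0
    while i < len(options_field):
        code = options_field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options_field):
            raise ValueError("option %d has no length byte" % code)
        length = options_field[i + 1]
        value = options_field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_option82(value):
    """Split the Relay Agent Information option into {SubOpt: Value}; Len counts only the
    Value bytes, not the SubOpt and Len bytes themselves, exactly as 33.1 describes."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("sub-option without length byte")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d truncated" % sub)
        subs[sub] = data
        i += 2 + length
    return subs


def option82_is_well_formed(value):
    """True when every sub-option's Len fits inside the option value."""
    try:
        parse_option82(value)
        return True
    except ValueError:
        return False


def select_option43(opts, pool_vendor_options):
    """Return the option 43 bytes to send back, or None: the pool's option 43 is returned
    only when the client's option 60 equals the option 60 string configured in that pool."""
    client_vendor = opts.get(OPT_VENDOR_CLASS_ID)
    if client_vendor is None:
        return None
    return pool_vendor_options.get(client_vendor)


def build_options(entries):
    """Serialise [(code, value)] into an options field with magic cookie and End (test input)."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in entries:
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


# Constructed DISCOVER options as a relay agent would forward them: message type, a vendor
# class, and an option 82 whose Circuit ID is a vlan+port string and whose Remote ID is a MAC.
SAMPLE_OPTIONS = build_options([
    (OPT_MESSAGE_TYPE, b"\x01"),
    (OPT_VENDOR_CLASS_ID, b"example-vendor-class"),
    (OPT_RELAY_AGENT_INFO,
     bytes([SUBOPT_CIRCUIT_ID, 19]) + b"Vlan2+Ethernet1/0/3"
     + bytes([SUBOPT_REMOTE_ID, 6]) + bytes.fromhex("00304ffd1d2b")),
])

# Constructed pool configuration: option 60 string -> option 43 value (an IPv4 address here,
# the "ip A.B.C.D" form of the commands above).
POOL_VENDOR_OPTIONS = {b"example-vendor-class": bytes([192, 168, 10, 3])}

if __name__ == "__main__":
    parsed = parse_dhcp_options(SAMPLE_OPTIONS)
    print(parse_option82(parsed[OPT_RELAY_AGENT_INFO]))
    print(select_option43(parsed, POOL_VENDOR_OPTIONS))
```

The length check in parse_option82 is the part worth copying: a relay or server that trusts the Len byte of a sub-option without comparing it to the remaining option bytes will read beyond the option, which is how malformed option 82 data turns into a parser bug rather than a rejected packet.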
Chapter 35 DHCPv6 Options 37, 38 35.1 Introduction to DHCPv6 Options 37, 38 DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client wants to request an address and configuration parameters from a DHCPv6 server on a different link, it needs to communicate with the server through a DHCPv6 relay agent.
35.2 DHCPv6 Options 37, 38 Configuration Task List
1. DHCPv6 snooping option basic functions configuration
2. DHCPv6 relay option basic functions configuration
3. DHCPv6 server option basic functions configuration
1. DHCPv6 snooping option basic functions configuration
Command Description Global Mode
ipv6 dhcp snooping remote-id option / no ipv6 dhcp snooping remote-id option: This command enables DHCPv6 SNOOPING to support option 37; the no command disables it.
drop: the system simply discards a packet that carries option 38; keep: the system keeps option 38 unchanged and forwards the packet to the server; replace: the system replaces option 38 of the current packet with its own before forwarding it to the server. The no command restores the forwarding policy for DHCPv6 packets with option 38 to replace.
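The three forwarding policies above, as an added Python example written for this edit (not the switch's implementation): a client request that already carries option 38 is dropped, forwarded unchanged, or rewritten with the switch's own subscriber-id, and a request without option 38 gets the switch's value added under every policy (that handling of a request without the option is an assumption of this example). The default "vlan name + port name" form such as "Vlan2+Ethernet1/2" is the one the manual gives; option codes 37 and 38 are the standard DHCPv6 OPTION_REMOTE_ID and OPTION_SUBSCRIBER_ID values, and the DUID and the forged subscriber string are constructed.

```python
import struct

OPTION_CLIENTID = 1
OPTION_REMOTE_ID = 37       # RFC 4649: enterprise number followed by an opaque remote-id
OPTION_SUBSCRIBER_ID = 38   # RFC 4580: opaque subscriber-id


def parse_dhcpv6_options(buf):
    """Parse a DHCPv6 option list (2-byte code, 2-byte length, data) into [(code, data)],
    keeping order. A truncated option raises ValueError instead of being read past."""
    opts, i = [], 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("option header truncated")
        code, length = struct.unpack_from("!HH", buf, i)
        data = buf[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("option %d truncated" % code)
        opts.append((code, data))
        i += 4 + length
    return opts


def serialize_dhcpv6_options(opts):
    """Inverse of parse_dhcpv6_options."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in opts)


def default_subscriber_id(vlan_name, port_name):
    """The manual's default content of option 38: vlan name plus port name, e.g. Vlan2+Ethernet1/2."""
    return ("%s+%s" % (vlan_name, port_name)).encode()


def apply_subscriber_id_policy(request, policy, own_subscriber_id):
    """Return the bytes to forward to the server, or None when the request is discarded.
    policy is one of 'drop', 'keep', 'replace' and only matters when option 38 is already present;
    a request without option 38 gets own_subscriber_id appended (assumed behaviour)."""
    opts = parse_dhcpv6_options(request)
    if not any(code == OPTION_SUBSCRIBER_ID for code, _ in opts):
        opts.append((OPTION_SUBSCRIBER_ID, own_subscriber_id))
        return serialize_dhcpv6_options(opts)
    if policy == "drop":
        return None
    if policy == "keep":
        return request
    if policy == "replace":
        return serialize_dhcpv6_options(
            [(code, own_subscriber_id if code == OPTION_SUBSCRIBER_ID else data)
             for code, data in opts])
    raise ValueError("unknown policy %r" % policy)


def subscriber_id_of(request):
    """Convenience: the option 38 value a server would see in the forwarded request."""
    return dict(parse_dhcpv6_options(request)).get(OPTION_SUBSCRIBER_ID)


# Constructed samples: a client identifier (DUID-LL, made up) with and without a client-supplied
# option 38 that claims a different vlan and port than the one the request arrived on.
CLIENT_ID = (OPTION_CLIENTID, bytes.fromhex("00030001" "00304ffd1d2b"))
REQUEST_WITHOUT_38 = serialize_dhcpv6_options([CLIENT_ID])
REQUEST_WITH_FORGED_38 = serialize_dhcpv6_options(
    [CLIENT_ID, (OPTION_SUBSCRIBER_ID, b"Vlan99+Ethernet1/24")])

if __name__ == "__main__":
    own = default_subscriber_id("Vlan2", "Ethernet1/2")
    for policy in ("drop", "keep", "replace"):
        out = apply_subscriber_id_policy(REQUEST_WITH_FORGED_38, policy, own)
        print(policy, None if out is None else subscriber_id_of(out))
```

The difference between the policies is who the server ends up trusting for the port identity: keep forwards whatever the client wrote, replace guarantees the server only ever sees the switch's own view of the ingress vlan and port, and drop refuses a client that tries to supply the option at all.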
the form of adding option 38 to received DHCPv6 request packets (command: ipv6 dhcp snooping subscriber-id / no ipv6 dhcp snooping subscriber-id), where the argument is the content of the subscriber-id in user-defined option 38 and is a string with a length of less than 128. The no operation restores the subscriber-id in option 38 to the vlan name together with the port name, such as "Vlan2+Ethernet1/2".
2.
Layer 3 Interface Mode
ipv6 dhcp relay remote-id / no ipv6 dhcp relay remote-id: This command is used to set the form of adding option 37 to received DHCPv6 request packets, where the argument is the content of the remote-id in user-defined option 37 and is a string with a length of less than 128. The no operation restores the remote-id in option 37 to the enterprise number together with the vlan MAC address.
disables it.
ipv6 dhcp use class / no ipv6 dhcp use class: This command enables the DHCPv6 server to use DHCPv6 classes during address assignment; the no form of this command disables it without removing the DHCPv6 class information that has been configured.
ipv6 dhcp class / no ipv6 dhcp class: This command defines a DHCPv6 class and enters DHCPv6 class mode; the no form of this command removes this DHCPv6 class.
address range / no address range: This command is used to set the address range for a DHCPv6 class in DHCPv6 address pool configuration mode; the no command is used to remove the address range. The prefix/plen form is not supported.
35.3 DHCPv6 Options 37, 38 Examples
35.3.
SwitchA(config-if-vlan1)#ipv6 address 2001:da8:100:1::1
SwitchA(config-if-vlan1)#exit
SwitchA(config)#interface ethernet 1/1-4
SwitchA(config-if-port-range)#switchport access vlan 1
SwitchA(config-if-port-range)#exit
SwitchA(config)#
Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#networ
2001:da8:100:1::31 2001:da8:100:1::60
SwitchB(dhcpv6-eastdormpool-config)#class CLASS3
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#address range 2001:da8:100:1::61 2001:da8:100:1::100
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(
Switch 2 configuration:
S2(config)#service dhcpv6
S2(config)#ipv6 dhcp relay remote-id option
S2(config)#ipv6 dhcp relay subscriber-id option
S2(config)#vlan 10
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1:::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#
35.
Chapter 36 DHCP Snooping Configuration
36.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which DHCP clients obtain IP addresses via the DHCP protocol. It prevents DHCP attacks and illegal DHCP servers by distinguishing trusted ports from untrusted ports; DHCP messages arriving on trusted ports are forwarded without being verified.
LOG Function: When the switch detects abnormal received packets or recovers automatically, it sends syslog information to the Log Server.
The Encryption of Private Messages: The communication between the switch and the inner network security management system TrustView uses private messages, and users can encrypt version 2 of those messages.
Add authentication option82 Function: It is used with the dot1x dhcpoption82 authentication mode.
Command: ip dhcp snooping binding enable; no ip dhcp snooping binding enable
Explanation: Enable or disable the DHCP snooping binding function.

3. Enable DHCP Snooping binding ARP function
Global Mode
Command: ip dhcp snooping binding arp; no ip dhcp snooping binding arp
Explanation: This command is not supported by the switch.
4.
Command: ip user helper-address A.B.C.D [port ] source (secondary|); no ip user helper-address (secondary|)
Explanation: Set or delete the helper server address.

8. Set trusted ports
Port Mode
Command: ip dhcp snooping trust; no ip dhcp snooping trust
Explanation: Set or delete the DHCP snooping trust attribute of ports.
9.
11. Add static binding information
Global Mode
Command: ip dhcp snooping binding user address interface (ethernet|); no ip dhcp snooping binding user interface (ethernet|)
Explanation: Add/delete DHCP snooping static binding list entries.

12. Set defense actions
Port Mode
Command: ip dhcp snooping action {shutdown|blackhole} [recovery ]
Explanation: Set or delete the DHCP snooping automatic defense actions of ports.
15. Configure DHCP Snooping option 82 attributes
Global Mode
Command: ip dhcp snooping information option subscriber-id format {hex | acsii | vs-hp}
Explanation: This command is used to set the subscriber-id format of DHCP snooping option 82.
Command: ip dhcp snooping information option remote-id {standard | }
Explanation: Set the content of sub-option 2 (the remote ID option) of option 82 added to DHCP request packets received by the port.
Command: ip dhcp snooping information option subscriber-id {standard | }; no ip dhcp snooping information option subscriber-id
Explanation: Set the content of sub-option 1 (the circuit ID option) of option 82 added to DHCP request packets received by the port. The no command restores the format of the added sub-option 1 (circuit ID option) of option 82 to standard.
Configuration sequence is:
switch#
switch#config
switch(config)#ip dhcp snooping enable
switch(config)#interface ethernet 1/11
switch(Config-Ethernet1/11)#ip dhcp snooping trust
switch(Config-Ethernet1/11)#exit
switch(config)#interface ethernet 1/12
switch(Config-Ethernet1/12)#ip dhcp snooping trust
switch(Config-Ethernet1/12)#exit
switch(config)#interface ethernet 1/1-10
switch(Config-Port-Range)#ip dhcp snooping action shutdown
switch(Config-Port-Range)#
36.
Chapter 37 DHCP Snooping Option 82 Configuration
37.1 Introduction to DHCP Snooping Option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy.
SubOpt: the sequence number of the sub-option; the sequence number of the Circuit ID sub-option is 1, and the sequence number of the Remote ID sub-option is 2.
Len: the number of bytes in the Sub-option Value, not including the two bytes of the SubOpt field and the Len field.
37.1.
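The sub-option layout described above (SubOpt, Len excluding the two header bytes, Value; 1 = Circuit ID, 2 = Remote ID) as an added parser example; this is not code from the manual or from the switch, and the DHCP options walk (code, len, value; 0 = pad, 255 = end) follows RFC 2132. The Circuit ID and Remote ID values are constructed.

```python
# Added example, not from the SGS-6341 manual: parse the sub-option TLVs of a DHCP
# option 82 (Relay Agent Information, option code 82) value. Each sub-option is
# SubOpt (1 byte), Len (1 byte, counting only the Value bytes), then Value.
# Sub-option 1 is the Circuit ID and sub-option 2 is the Remote ID.
from typing import Optional

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPT_PAD, OPT_END = 0, 255          # DHCP option codes per RFC 2132


class Option82Error(ValueError):
    """Raised for a truncated or malformed option 82; a snooping switch should
    treat such a packet as abnormal rather than forward it."""


def parse_option82(value: bytes) -> dict:
    """Split an option 82 value into its sub-options.

    Returns {"circuit_id": bytes or None, "remote_id": bytes or None,
             "others": {subopt_number: bytes}}.
    """
    result = {"circuit_id": None, "remote_id": None, "others": {}}
    pos = 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise Option82Error("trailing byte too short for a SubOpt/Len header")
        subopt, length = value[pos], value[pos + 1]
        pos += 2
        if pos + length > len(value):
            raise Option82Error(
                f"sub-option {subopt} declares {length} value bytes but only "
                f"{len(value) - pos} remain")
        body = value[pos:pos + length]
        pos += length
        if subopt == SUBOPT_CIRCUIT_ID:
            if result["circuit_id"] is not None:
                raise Option82Error("duplicate Circuit ID sub-option")
            result["circuit_id"] = body
        elif subopt == SUBOPT_REMOTE_ID:
            if result["remote_id"] is not None:
                raise Option82Error("duplicate Remote ID sub-option")
            result["remote_id"] = body
        else:
            result["others"][subopt] = body
    return result


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode a Circuit ID and a Remote ID as an option 82 value (sub-options only)."""
    if len(circuit_id) > 255 or len(remote_id) > 255:
        raise Option82Error("sub-option value longer than the one-byte Len allows")
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def extract_option82(options: bytes) -> Optional[bytes]:
    """Walk a DHCP options field and return the option 82 value, or None if absent."""
    pos = 0
    while pos < len(options):
        code = options[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            return None
        if pos + 1 >= len(options):
            raise Option82Error("option header truncated")
        length = options[pos + 1]
        if pos + 2 + length > len(options):
            raise Option82Error(f"option {code} truncated")
        if code == OPTION_RELAY_AGENT_INFO:
            return options[pos + 2:pos + 2 + length]
        pos += 2 + length
    return None


if __name__ == "__main__":
    # Constructed sample values: a circuit ID in the manual's "VLAN+port" naming style
    # and a six-byte remote ID; neither comes from a real capture.
    circuit_id = b"Vlan1+Ethernet1/3"
    remote_id = bytes.fromhex("001122334455")
    opt82 = build_option82(circuit_id, remote_id)
    # Constructed DHCP options field: message type (53) = DHCPDISCOVER, option 82, end.
    options = (b"\x35\x01\x01" + bytes([OPTION_RELAY_AGENT_INFO, len(opt82)])
               + opt82 + b"\xff")
    print(parse_option82(extract_option82(options)))
```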
37.2 DHCP Snooping Option 82 Configuration Task List
1. Enable DHCP SNOOPING
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping option 82 binding function
4. Configure trusted ports

1. Enable DHCP SNOOPING
Global Mode
Command: ip dhcp snooping enable; no ip dhcp snooping enable
Explanation: Enable or disable the DHCP SNOOPING function.
2.
37.3 DHCP Snooping Option 82 Application Examples
Figure 37-1: DHCP option 82 typical application example (DHCP Client PC1, Switch1 Vlan1:eth1/3, DHCP Server)
In the above example, layer 2 Switch1, with DHCP Snooping enabled, transmits the request message from the DHCP client to the DHCP server. It also transmits the reply message from the server to the DHCP client to finish the DHCP protocol procedure.
default-lease-time 43200; #12 Hours
max-lease-time 86400; #24 Hours
allow members of "Switch1Vlan1Class1";
}
}
Now, the DHCP server will allocate addresses for the network nodes from Switch1 within the range of 192.168.102.51 ~ 192.168.102.80.
37.
Chapter 38 IPv4 Multicast Protocol
38.1 IPv4 Multicast Protocol Overview
This chapter gives an introduction to the configuration of the IPv4 Multicast Protocol.
38.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of packet transmission (including data, sound and video) is a minority of users in the network. One way is to use Unicast mode, i.e.
38.1.2 Multicast Address
The destination address of a Multicast message uses a class D IP address, with a range from 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In the process of Unicast data transmission, the transmission path of a data packet is routed from the source address to the destination address, and the transmission is performed hop by hop.
224.0.0.16  Specified SBM
224.0.0.17  All SBMS
224.0.0.18  VRRP
224.0.0.22  IGMP
When Ethernet transmits Unicast IP messages, the destination MAC address it uses is the receiver’s MAC address. But when transmitting Multicast packets, the transmission destination is no longer a specific receiver but a group with undetermined members, so a Multicast MAC address is used. Each Multicast MAC address corresponds to a Multicast IP address.
In Information Service areas such as online live broadcast, network TV, remote education, remote medicine and real-time video/audio meetings, the following applications may be supplied:
1) Application of Multimedia and Streaming Media
2) Data repository, finance applications (stock), etc.
3) Any data distribution application of “one point to multiple points”
With more and more multimedia operations in IP networks, Multicast has tremendous market potential and
38.2.2 DCSCM Configuration Task List
1. Source Control Configuration
2. Destination Control Configuration
3. Multicast Strategy Configuration

1. Source Control Configuration
Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows:
Global Mode
Command: ip multicast source-control; no ip multicast source-control
Explanation: Enable source control globally; the “no ip multicast source-control” command disables source control globally.
The last is to apply the configured rule to the specified port.
Note: The configured rules occupy hardware table entries, so configuring too many rules will result in configuration failure once the underlying table entries are full. We suggest that users use the simplest rules possible.
Command: [no] access-list <6000-7999> {deny|permit} ip {{ }|{host-source {range<2-65535>|}}|any-source} {{ }|{host-destination {range<2-255>|}}|any-d
Explanation: The rule used to configure destination control. This rule does not take effect until it is applied to a source IP or VLAN-MAC and port. Using the NO form of it can delete the specified rule.
38.2.3 DCSCM Configuration Examples
1. Source Control
In order to prevent an Edge Switch from sending out multicast data at will, we configure the Edge Switch so that only the switch at port Ethernet1/5 is allowed to transmit multicast, and the data group must be 225.1.2.3. Also, the switch connected to port Ethernet1/10 can transmit multicast data without any limit. We can make the following configuration.
EC(config)#access-list 5000 permit ip any host 225.1.2.
In this way, the multicast stream will have a priority value of 4 when it passes through this switch to other switches. (This is usually fairly high; the only higher priority is protocol data. If an even higher priority is set and there is too much multicast data, it may cause abnormal behaviour of the switch protocols.)
38.2.4 DCSCM Troubleshooting
The DCSCM module itself behaves similarly to ACL, and the problems that occur are usually related to improper configuration.
38.3.2 IGMP Snooping Configuration Task List
1. Enable IGMP Snooping
2. Configure IGMP Snooping

1. Enable IGMP Snooping
Global Mode
Command: ip igmp snooping; no ip igmp snooping
Explanation: Enables IGMP Snooping. The no operation disables the IGMP Snooping function.

2. Configure IGMP Snooping
Global Mode
Explanation: Enables IGMP Snooping for the specified VLAN.
Command: ip igmp snooping vlan l2-general-querier-version
Explanation: Configure the version number of a general query from a layer 2 general querier.
Command: ip igmp snooping vlan l2-general-querier-source
Explanation: Configure the source address of a general query from a layer 2 general querier.
Command: ip igmp snooping vlan static-group [source ] interface [ethernet | port-channel]; no ip igmp snooping vlan static-group [source ] interface [ethernet | port-channel]
Explanation: Configure a static group on the specified port of the VLAN. The no form of the command cancels this configuration.
Command: ip igmp snooping vlan report source-address
Example: As shown in the above figure, VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to port 1.
The configuration of Switch2 is the same as the switch in scenario 1; SwitchA takes the place of the Multicast Router in scenario 1. Let’s assume VLAN 60 is configured in SwitchA, including ports 1, 2, 10 and 12. Port 1 connects to the multicast server, and port 2 connects to Switch2. In order to send Queries at regular intervals, IGMP query must be enabled in Global mode and in VLAN 60.
Chapter 39 IPv6 Multicast Protocol
39.1 MLD Snooping
39.1.1 Introduction to MLD Snooping
MLD, the Multicast Listener Discovery Protocol, is used to realize multicasting in IPv6.
2. Configure MLD Snooping
Global Mode
Command: ipv6 mld snooping vlan; no ipv6 mld snooping vlan
Explanation: Enable MLD Snooping on a specific VLAN. The “no” form of this command disables MLD Snooping on the specific VLAN.
Command: ipv6 mld snooping vlan limit {group | source }
Explanation: Configure the number of groups which MLD Snooping can join, and the maximum number of sources in each group.
Command: ipv6 mld snooping vlan query-robustness; no ipv6 mld snooping vlan query-robustness
Explanation: Configure the query robustness; the “no” form of this command restores the default.
Command: ipv6 mld snooping vlan
Explanation: Configure the suppression query time.
Switch#config
Switch(config)#ipv6 mld snooping
Switch(config)#ipv6 mld snooping vlan 100
Switch(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast configuration: Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2; programs 1 and 2 are supplied by Multicast Server 1 while program 3 is supplied by Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively.
Scenario 2: MLD L2-general-querier
Figure 39-2: Switch as MLD Querier Function figure (Switch A, Switch B)
The configuration of switch B is the same as the switches in case 1, and here switch 1 replaces the Multicast Router in case 1. Assume VLAN 60 configured on it contains ports 1, 2, 10 and 12, of which port 1 is connected to the multicast server and port 2 to switch 2.
SwitchB#config
SwitchB(config)#ipv6 mld snooping
SwitchB(config)#ipv6 mld snooping vlan 100
SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/1
Multicast configuration: Same as scenario 1
MLD Snooping interception results: Same as scenario 1
39.1.4 MLD Snooping Troubleshooting
When configuring and using MLD Snooping, the MLD Snooping server may fail to run properly due to physical connection failure, wrong configuration, etc.
Chapter 40 Multicast VLAN
40.1 Introduction to Multicast VLAN
With the current multicast ordering method, when users in different VLANs order the same multicast stream, each VLAN receives its own copy of the multicast traffic, which is a great waste of bandwidth. By configuring a multicast VLAN, we add the switch port to the multicast VLAN; with the IGMP Snooping/MLD Snooping functions enabled, users from different VLANs share the same multicast VLAN.
2. Configure the IGMP Snooping
Global Mode
Command: ip igmp snooping vlan; no ip igmp snooping vlan
Explanation: Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables IGMP Snooping on the multicast VLAN.
Command: ip igmp snooping; no ip igmp snooping
Explanation: Enable the IGMP Snooping function. The no form of this command disables the IGMP Snooping function.
3.
PC2 are respectively connected to ports 1/15 and 1/20. SwitchB is connected to SwitchA through port 1/10, which is configured as a trunk port. VLAN 20 is a multicast VLAN. By configuring the multicast VLAN, PC1 and PC2 will receive the multicast data from the multicast VLAN. The following configuration assumes that the IP addresses of the switches have been configured and all the equipment is connected correctly.
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 20
When the multicast VLAN supports IPv6 multicast, usage is the same as for IPv4; the only difference is that it is used with MLD Snooping, so no separate example is given.
Chapter 41 ACL Configuration
41.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access through the switches, effectively safeguarding the security of networks. The user can lay down a set of rules according to information specific to packets; each rule describes the action for a packet whose information matches: “permit” or “deny”.
41.1.3 Access-list Action and Global Default Action
There are two access-list actions and default actions: “permit” or “deny”. The following rules apply:
An access-list can consist of several rules. Packet filtering compares the packet against the rules in order, from the first rule to the first matched rule; the remaining rules are not processed.
The global default action applies only to IP packets in the incoming direction on the ports.
b) Specify multiple permit or deny rule entries
c) Exit ACL Configuration Mode
2. Configuring the packet filtering function
(1) Enable global packet filtering function
(2) Configure default action
3. Configuring time range function
(1) Create the name of the time range
(2) Configure periodic time range
(3) Configure absolute time range
4. Bind access-list to an incoming direction of the specified port
5. Clear the filtering information of the specified port
1.
Command: access-list {deny | permit} igmp {{ } | any-source | {host-source }} {{ } | any-destination | {host-destination }} [] [precedence ] [tos ] [time-range]
Explanation: Creates a numbered IGMP extended IP access rule; if the numbered extended access-list of the specified number does not exist, then an access-list will be created using this number.
Command: ip access-list standard; no ip access-list standard
Explanation: Creates a standard IP access-list based on nomenclature; the “no ip access-list standard” command deletes the name-based standard IP access-list.
b.
b. Specify multiple “permit” or “deny” rules
Extended IP ACL Mode
Command: [no] {deny | permit} icmp {{ } | any-source | {host-source }} {{ } | any-destination | {host-destination }} [ []] [precedence ] [tos
Explanation: Creates an extended name-based ICMP IP access rule; the no form command deletes this name-based extended IP access rule.
c. Exit extended IP ACL configuration mode
Extended IP ACL Mode
Command: exit
Explanation: Exits extended name-based IP ACL configuration mode.
(7) Configuring an extended MAC access-list based on nomenclature
a. Create an extended MAC access-list based on nomenclature
Global Mode
Command: mac-access-list extended; no mac-access-list extended
Explanation: Creates an extended name-based MAC access rule for other IP protocols; the no form command deletes this name-based extended MAC access rule.
b.
Command: [no]{deny|permit}{any-source-mac|{host-source-mac}|{}}{any-destination-mac|{host-destination-mac}|{}}[tagged-eth2 [cos []] [vlanId []] [ethertype []]]
Explanation: Creates a name-based extended MAC access rule for tagged-eth2 frames; the no form command deletes this name-based extended MAC access rule.
Command: sk>}} {any-destination-mac|{host-destination-mac}|{}}igmp {{}|any-source|{host-source}} {{}|any-destinati
Explanation: ...access rule; if the numbered extended access-list of the specified number does not exist, then an access-list will be created using this number.
Command: {host-source}} {{}|any-destination| {host-destination}} [precedence ] [tos ][time-range]
Explanation: ...of the specified number does not exist, then an access-list will be created using this number.
Command: no access-list
Explanation: Deletes this numbered extended MAC-IP access rule.
(9) Configuring an extended MAC-IP access-list based on nomenclature
a.
Command: {any-destination-mac|{host-destination-mac}|{}}igmp {{}|any-source|{host-source}}
Explanation: ...access rule; the no form command deletes this name-based extended MAC-IGMP access rule.
Command: {host-source}} {{}|any-destination| {host-destination}} [precedence][tos][time-range]
c. Exit MAC-IP Configuration Mode
Extended name-based MAC-IP access Mode
Command: exit
Explanation: Quits extended name-based MAC-IP access mode.
b. Specify multiple permit or deny rules
Standard IPv6 ACL Mode
Command: [no] {deny | permit} {{} | any-source | {host-source }}
Explanation: Creates a standard name-based IPv6 access rule; the no form command deletes the name-based standard IPv6 access rule.
c. Exit name-based standard IP ACL configuration mode
Standard IPv6 ACL Mode
Command: exit
Explanation: Exits name-based standard IPv6 ACL configuration mode.
2.
Command: absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday}
Explanation: Configure the time range for the requested days of the week; the time range applies every week.
Command: periodic {{Monday+Tuesday+Wednesday+Thursday+
Command: {ip|ipv6|mac|mac-ip} access-group {in} [traffic-statistic]; no {ip|ipv6|mac|mac-ip} access-group {in}
Explanation: Physical interface mode: Applies an access-list to the specified direction on the port; the no command deletes the access-list bound to the port. VLAN interface mode: Applies an access-list to the specified direction on the ports of the VLAN; the no command deletes the access-list bound to the ports of the VLAN.
Configuration result:
Switch#show firewall
Firewall status: enable.
Switch#show access-lists
access-list 110(used 1 time(s)) 1 rule(s)
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
the ingress acl use in firewall is 110, traffic-statistics Disable.
Scenario 2: The configuration requirements are stated below: The switch should drop all the 802.
Switch #show access-lists
access-list 1100(used 1 time(s))
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac
Switch #show access-group interface ethernet 1/10
interface name:Ethernet1/10
MAC Ingress access-list used is 1100,traffic-statistics Disable.
Switch#show access-lists
access-list 3110(used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch #show access-group interface ethernet 1/10
interface name:Ethernet1/10
MAC-IP Ingress access-list used is 3110, traffic-statistics Disable.
Ipv6 access-list 600(used 1 time(s))
ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source
ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source
Switch #show access-group interface ethernet 1/10
interface name:Ethernet1/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.
Scenario 5: The configuration requirements are stated below: The interfaces 1, 2, 5, 7 belong to vlan100, Hosts with 192.168.0.
41.4 ACL Troubleshooting
Checking for entries in the ACL is done in top-down order and ends whenever an entry is matched. The default rule is used only if no ACL is bound to the incoming direction of the port, or no ACL entry is matched. Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (via physical interface mode or VLAN interface mode).
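The lookup order stated here and in 41.1.3 (top-down, first match decides, global default action when no ACL is bound or nothing matches) as an added model in Python; this is not the switch's implementation, and the rule syntax it parses is only the small subset used in the scenario 1 ACL 110 above. Packet values are constructed.

```python
# Added example, not from the SGS-6341 manual: a model of an ingress IP ACL lookup.
# Rules are checked top-down and the first match decides; when no ACL is bound to
# the port or no rule matches, the global default action applies.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    protocol: str              # "ip" matches every protocol
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dport: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21'
    (subset of the manual's syntax, parsed by this script, not by the switch)."""
    tokens = text.split()
    action, protocol = tokens[0], tokens[1]
    pos = 2
    addrs = []
    for _ in range(2):                      # source spec, then destination spec
        if tokens[pos] in ("any-source", "any-destination"):
            addrs.append("any")
            pos += 1
        elif tokens[pos] in ("host-source", "host-destination"):
            addrs.append("host " + tokens[pos + 1])
            pos += 2
        else:                               # network followed by wildcard mask
            addrs.append(tokens[pos] + " " + tokens[pos + 1])
            pos += 2
    dport = None
    if pos < len(tokens) and tokens[pos] == "d-port":
        dport = int(tokens[pos + 1])
    return Rule(action, protocol, addrs[0], addrs[1], dport)


def _addr_matches(spec: str, addr: str) -> bool:
    """Wildcard-mask matching: a set wildcard bit means that bit is not compared."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv4Address(spec[5:]) == ipaddress.IPv4Address(addr)
    net, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(net)) ^ int(ipaddress.IPv4Address(addr))
    return diff & care == 0


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def evaluate(acl: Optional[List[Rule]], pkt: Packet,
             default_action: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule, or None when the default applied)."""
    if acl is not None:
        for index, rule in enumerate(acl):  # top-down; rules after a match are not read
            if _rule_matches(rule, pkt):
                return rule.action, index
    return default_action, None


if __name__ == "__main__":
    # Scenario 1's ACL 110 with the firewall default action permit; packets constructed.
    acl_110 = [parse_rule("deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21")]
    print(evaluate(acl_110, Packet("10.0.0.5", "192.0.2.10", "tcp", 21), "permit"))
    print(evaluate(acl_110, Packet("10.0.0.5", "192.0.2.10", "tcp", 22), "permit"))
    print(evaluate(None, Packet("10.0.0.5", "192.0.2.10", "tcp", 21), "deny"))
```

Swapping the order of a narrow permit and a broad deny in the list changes the verdict for the same packet, which is why the troubleshooting note above stresses top-down matching.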
will be removed from all the physical interfaces belonging to the VLAN, and it will be bound to the VLAN 1 ACL (if an ACL is configured in VLAN 1). If the VLAN 1 ACL binding fails, the VLAN removal operation will fail.
Chapter 42 802.1x Configuration
42.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, and is designed to provide a solution for authenticating users when they access a wireless LAN.
The supplicant system is an entity at one end of the LAN segment that must be authenticated by the access controlling unit at the other end of the link. A supplicant system is usually a user terminal device. Users start 802.1x authentication by starting supplicant system software. A supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).
When unauthenticated, no message from supplicant systems is allowed to be received. The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports.
3. Controlled direction
In the unauthenticated state, controlled ports can be set as unidirectionally controlled or bidirectionally controlled.
42.1.3 The Encapsulation of EAPOL Messages
1. The Format of EAPOL Data Packets
EAPOL is a message encapsulation format defined in the 802.1x protocol, mainly used to transmit EAP messages between the supplicant system and the authenticator system so that EAP messages can be carried over the LAN. In an IEEE 802/Ethernet LAN environment, the format of an EAPOL packet is illustrated in the next figure.
Figure 42-4: the Format of EAP Data Packets
Code: specifies the type of the EAP packet. There are four in total: Request (1), Response (2), Success (3), Failure (4). There is no Data field in packets of type Success or Failure, and the value of the Length field in such packets is 4. The format of the Data field in packets of type Request and Response is illustrated in the next figure.
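The EAP packet rules stated here (four Code values; Success and Failure carry no Data and have Length 4), together with the EAPOL wrapper from 42.1.3, as an added decoder example. This is not code from the manual; the field layouts it assumes are the ones in IEEE 802.1X (EAPOL: Version, Type, Body Length) and RFC 3748 (EAP: Code, Identifier, Length, Data, with Request/Response Data beginning with a Type byte), and the exchange it builds is constructed.

```python
# Added example, not from the SGS-6341 manual: validate and decode EAPOL frames and
# the EAP packets they carry, rejecting the malformed cases the manual's format
# description rules out. Layouts follow IEEE 802.1X and RFC 3748, not a figure
# reproduced from the manual.
import struct

EAPOL_HEADER = struct.Struct("!BBH")   # Protocol Version, Packet Type, Body Length
EAP_HEADER = struct.Struct("!BBH")     # Code, Identifier, Length
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


class EapFormatError(ValueError):
    """Raised when a frame violates the format; an authenticator should discard it."""


def parse_eap(packet: bytes) -> dict:
    """Validate and decode one EAP packet (the body of an EAPOL EAP-Packet frame)."""
    if len(packet) < EAP_HEADER.size:
        raise EapFormatError("shorter than the 4-byte EAP header")
    code, identifier, length = EAP_HEADER.unpack_from(packet)
    if code not in EAP_CODES:
        raise EapFormatError(f"unknown EAP Code {code}")
    if length < EAP_HEADER.size or length > len(packet):
        raise EapFormatError(f"Length {length} inconsistent with {len(packet)} bytes")
    data = packet[EAP_HEADER.size:length]   # bytes beyond Length are padding
    info = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (3, 4):                      # Success / Failure carry no Data field
        if length != EAP_HEADER.size:
            raise EapFormatError(f"{EAP_CODES[code]} must have Length 4, got {length}")
        info.update(type=None, type_data=b"")
        return info
    if not data:                            # Request / Response need a Type byte
        raise EapFormatError(f"{EAP_CODES[code]} has no Type byte")
    info.update(type=data[0], type_data=data[1:])
    return info


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame (everything after the Ethernet header)."""
    if len(frame) < EAPOL_HEADER.size:
        raise EapFormatError("shorter than the 4-byte EAPOL header")
    version, ptype, body_len = EAPOL_HEADER.unpack_from(frame)
    body = frame[EAPOL_HEADER.size:EAPOL_HEADER.size + body_len]
    if len(body) != body_len:
        raise EapFormatError(f"EAPOL body length {body_len} exceeds the frame")
    result = {"version": version, "packet_type": ptype, "eap": None}
    if ptype == EAPOL_EAP_PACKET:
        result["eap"] = parse_eap(body)
    elif ptype in (EAPOL_START, EAPOL_LOGOFF) and body_len != 0:
        raise EapFormatError("EAPOL-Start/Logoff must carry an empty body")
    return result


def build_eap(code: int, identifier: int, eap_type=None, type_data: bytes = b"") -> bytes:
    """Build an EAP packet; Success/Failure ignore eap_type and type_data."""
    data = b"" if code in (3, 4) else bytes([eap_type]) + type_data
    return EAP_HEADER.pack(code, identifier, EAP_HEADER.size + len(data)) + data


def build_eapol(ptype: int, body: bytes = b"", version: int = 2) -> bytes:
    """Wrap a body in an EAPOL header (version 2 assumed for the sample)."""
    return EAPOL_HEADER.pack(version, ptype, len(body)) + body


if __name__ == "__main__":
    # Constructed exchange: EAPOL-Start from the supplicant, then the authenticator's
    # EAP-Request/Identity (Code 1, Type 1) and the supplicant's EAP-Response/Identity.
    print(parse_eapol(build_eapol(EAPOL_START)))
    request = build_eapol(EAPOL_EAP_PACKET, build_eap(1, 7, EAP_TYPE_IDENTITY))
    response = build_eapol(EAPOL_EAP_PACKET, build_eap(2, 7, EAP_TYPE_IDENTITY, b"alice"))
    print(parse_eapol(request)["eap"], parse_eapol(response)["eap"])
```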
Figure 42-6: the Encapsulation of EAP-Message Attribute
2. Message-Authenticator
As illustrated in the next figure, this attribute is used when authentication methods such as EAP and CHAP are in use, to prevent the access request packets from being eavesdropped. Message-Authenticator should be included in packets containing the EAP-Message attribute, or the packet will be dropped as invalid.
42.1.5 The Authentication Methods of 802.1x
Authentication can be started either by the supplicant system or by the device. When the device detects unauthenticated users accessing the network, it sends EAP-Request/Identity messages to the supplicant system to start authentication. On the other hand, the supplicant system can send an EAPOL-Start message to the device via the supplicant software. 802.
PEAP (Protected Extensible Authentication Protocol)
They will be described in detail in the following part.
Attention: The switch, as the access controlling unit in pass-through mode, does not check the content of a particular EAP method, so it can support all the EAP methods above and all EAP authentication methods that may be added in the future.
2. EAP-TLS Authentication Method
EAP-TLS was proposed by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess digital certificates to implement bidirectional authentication. It is the earliest EAP authentication method used in wireless LANs.
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificates. The only requirement is that the RADIUS server has a digital certificate.
42.1.5.2 EAP Termination Mode
In this mode, EAP messages are terminated in the access control unit and mapped into RADIUS messages, which are used to implement authentication, authorization and accounting. The basic operation flow is illustrated in the next figure. In EAP termination mode, the access control unit and the RADIUS server can use the PAP or CHAP authentication method.
There are three access control methods (the methods used to authenticate users): port-based, MAC-based and user-based (IP address + MAC address + port). When the port-based method is used, as long as the first user of this port passes authentication, all other users can access the network resources without being authenticated. However, once the first user goes offline, the network is no longer available to any of the other users.
port’s configuration. But the priority of the Auto VLAN is higher than that of the user-set VLAN, that is, the Auto VLAN is the one that takes effect when authentication is finished, while the user-set VLAN does not take effect until the user goes offline.
Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose link type is Access.
2.
2) Configure access management method for the port: MAC-based or port-based
3) Configure expanded 802.1x function
4) Configure IPv6 passthrough function of the port
3. User access devices related property configuration (optional)

1. Enable 802.1x function
Global Mode
Command: dot1x enable; no dot1x enable
Explanation: Enables the 802.1x function on the switch and ports; the no command disables the 802.1x function.
2) Configure port access management method
Port Mode
Command: dot1x port-method {macbased | portbased | userbased {standard | advanced}}; no dot1x port-method
Explanation: Sets the port access management method; the no command restores MAC-based access management.
Command: dot1x max-user macbased; no dot1x max-user macbased
Explanation: Sets the maximum number of access users for the specified port; the no command restores the default setting of allowing 1 user.
Command: dot1x accept-mac [interface ]; no dot1x accept-mac [interface ]
Explanation: Adds an 802.1x address filter table entry; the no command deletes 802.1x address filter table entries.
Command: dot1x eapor enable; no dot1x eapor enable
Explanation: Enables the EAP relay authentication function in the switch; the no command sets EAP local-end authentication.
Command: dot1x re-authenticate [interface ]
Explanation: Enables IEEE 802.1x re-authentication (without waiting for the timeout) for all ports or a specified port.
42.3 802.1x Application Example
42.3.
Figure 42-14: User Joining Guest VLAN (Update server, Authenticator server, Switch, Internet, User; ports Ethernet1/2, Ethernet1/3, Ethernet1/6; VLAN2, VLAN5, VLAN10)
As illustrated in the above figure, the 802.1x feature is enabled on switch port Ethernet1/2, and VLAN10 is set as the port’s Guest VLAN. Before the user gets authenticated, or when the user fails to do so, port Ethernet1/2 is added to VLAN10, allowing the user to access the Update Server.
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
# Create VLAN100.
Switch(config)#vlan 100
# Enable the global 802.1x function
Switch(config)#dot1x enable
# Enable the 802.
authentication or no user gets offline successfully, and more authentication-triggering messages (EAP-Request/Identity) are sent than the defined upper limit, users can check whether the Guest VLAN configured on the port takes effect with the command show vlan id 100.
42.3.2 Examples of IPv4 RADIUS Applications
Figure 42-16: IEEE 802.1x Configuration Example Topology (10.1.1.2, 10.1.1.1, RADIUS Server 10.1.1.3)
The PC is connected to port 1/2 of the switch; IEEE 802.
Switch(Config-Ethernet1/2)#dot1x enable
Switch(Config-Ethernet1/2)#dot1x port-control auto
Switch(Config-Ethernet1/2)#exit

42.3.3 Examples of IPv6 RADIUS Application

[Figure 42-17: IPv6 RADIUS. Addresses shown: 2004:1:2:3::2, 2004:1:2:3::1, RADIUS Server 2004:1:2:3::3.]

Connect the computer to interface 1/2 of the switch and enable IEEE 802.1x on interface 1/2. Use MAC-based authentication.
Switch(Config-If-Ethernet1/2)#dot1x enable
Switch(Config-If-Ethernet1/2)#dot1x port-control auto
Switch(Config-If-Ethernet1/2)#exit

42.4 802.1x Troubleshooting

It is possible that, with 802.1x configured on the ports and the port control set to auto, the switch port does not reach the authenticated state after the user runs the 802.1x supplicant software. Here are some possible causes and solutions: If 802.
Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration

The MAC address list identifies the mapping between destination MAC addresses and the ports of the switch. There are two kinds of MAC addresses in the list: static MAC addresses and dynamic MAC addresses.
ARP list entries of the switch, causing a successful DoS attack. To sum up, it is very useful to limit the number of MAC and IP entries per port and VLAN. The switch can control the number of MAC addresses per port, and the number of ARP and ND list entries per port and VLAN, through configuration commands.

Limiting the number of dynamic MAC and IP entries of ports:
1. Limiting the number of dynamic MAC.
switchport mac-address dynamic maximum
no switchport mac-address dynamic maximum
    Enable and disable the number limitation function of MAC on the ports.
switchport arp dynamic maximum
no switchport arp dynamic maximum
    Enable and disable the number limitation function of ARP on the ports.
switchport nd dynamic maximum
no switchport nd dynamic maximum
    Enable and disable the number limitation function of ND on the ports.
2.
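The following model of the per-port dynamic limit described above is an added example; it is not code from the manual or from the switch firmware. It assumes the semantics the chapter states (the limit applies to dynamically learned entries only, static entries are unaffected) and uses a constructed flood of forged source MACs to show what the limit does; the class and function names are the example's own.

```python
from collections import defaultdict


class DynamicEntryTable:
    """Per-port table of dynamically learned entries (MAC, ARP or ND) with an
    optional per-port maximum, modelling the manual's
    'switchport {mac-address | arp | nd} dynamic maximum' behaviour (assumed semantics)."""

    def __init__(self):
        self.limits = {}                   # port -> maximum dynamic entries
        self.dynamic = defaultdict(dict)   # port -> {key: value} learned entries
        self.static = defaultdict(dict)    # port -> {key: value} administratively set
        self.refused = defaultdict(int)    # port -> number of learns refused by the limit

    def set_maximum(self, port, maximum):
        """switchport ... dynamic maximum: cap on new dynamic entries for the port."""
        if maximum < 0:
            raise ValueError("maximum must be non-negative")
        self.limits[port] = maximum

    def clear_maximum(self, port):
        """no switchport ... dynamic maximum: lift the limit, keep learned entries."""
        self.limits.pop(port, None)

    def add_static(self, port, key, value):
        """Static entries are configured, not learned, so the limit never refuses them."""
        self.dynamic[port].pop(key, None)
        self.static[port][key] = value

    def learn(self, port, key, value):
        """Learn a dynamic entry; returns True if accepted, False if refused."""
        if key in self.static[port]:
            return False          # a static entry wins over a dynamic learn for the same key
        table = self.dynamic[port]
        if key in table:
            table[key] = value    # refreshing an existing entry never counts against the limit
            return True
        limit = self.limits.get(port)
        if limit is not None and len(table) >= limit:
            self.refused[port] += 1
            return False
        table[key] = value
        return True

    def dynamic_count(self, port):
        """What 'show mac-address dynamic count interface ethernet <port>' would report."""
        return len(self.dynamic[port])


def simulate_flood(port, limit, forged_addresses):
    """Replay a constructed flood of forged source MACs against one port and report
    (entries learned, learns refused by the limit, learns accepted)."""
    table = DynamicEntryTable()
    table.set_maximum(port, limit)
    accepted = sum(table.learn(port, mac, "learned") for mac in forged_addresses)
    return table.dynamic_count(port), table.refused[port], accepted


# Constructed sample: 200 distinct forged source MACs arriving on one access port.
FORGED_MACS = ["02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF) for i in range(200)]
```

With a limit of 10 on the port, the 200-address flood leaves 10 learned entries and 190 refused learns, so the rest of the table (and the ARP/ND tables the same chapter protects) stays available to other ports. The refused counter is the kind of value worth exporting to monitoring, since a port that keeps hitting its limit is itself a signal.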
5. Display and debug the related information of number limitation of MAC and IP on ports

Admin Mode:
show mac-address dynamic count {vlan | interface ethernet }
    Display the number of dynamic MAC entries in the corresponding ports and VLAN.
show arp-dynamic count {vlan | interface ethernet
    Display the number of dynamic ARP entries in the corresponding ports and VLAN.
43.
43.3 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help

The number limitation function of MAC and IP in Port, VLAN is disabled by default; if users need to limit the number of users accessing the network, they can enable it. If the MAC address number limitation function cannot be configured, please check whether Spanning-tree, dot1x or TRUNK is running on the switch and whether the port is configured as a MAC-binding port.
Chapter 44 Operational Configuration of AM Function

44.1 Introduction to AM Function

AM (Access Management) means that when a switch receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP address pair) with the configured hardware address pool.
2. Enable AM function on an interface

Port Mode:
am port
no am port
    Enable/disable AM function on the port. When the AM function is enabled on the port, no IP or ARP message will be forwarded by default.

3. Configure the forwarding IP

Port Mode:
am ip-pool
no am ip-pool
    Configure the forwarding IP of the port.
4.
show am [interface ]
    Display the AM configuration information of one port or all ports.

44.3 AM Function Example

[Figure 44-1: a typical configuration example of AM function. Topology: Internet, SWITCH with Port1 and Port2, HUB1 and HUB2, PC1 to PC30.]

In the topology above, 30 PCs, aggregated by HUB1, connect to interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30.
44.4 AM Function Troubleshooting

AM function is disabled by default; after it is enabled, the related AM configuration can be made. Users can view the current AM configuration with the “show am” command, such as whether AM is enabled and the AM information on each interface; they can also use the “show am [interface ]” command to check the AM configuration information on a specific interface.
Chapter 45 Security Feature Configuration

45.1 Introduction to Security Feature

Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal user packets because it is busy processing the attacker’s packets, leading to denial of the service; worse, it can lead to leakage of sensitive server data.
45.2.3 Anti Port Cheat Function Configuration Task Sequence

1. Enable the anti port cheat function

Global Mode:
[no] dosattack-check srcport-equal-dstport enable
    Enable/disable the prevent-port-cheat function.
45.2.
dosattack-check icmpv4-size
    Configure the maximum permitted ICMPv4 net load length. This command has no effect when used separately; the user has to enable it with dosattack-check icmp-attacking enable.

45.3 Security Feature Example

Scenario: The user has the following configuration requirements: the switch does not forward data packets whose source IP address is equal to the destination address, nor those whose source port is equal to the destination port.
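The checks in the scenario above, run over constructed sample traffic, as an added example that is not the manual's or the switch's code. The policy keys reuse the command names the page gives (srcport-equal-dstport, icmp-attacking, icmpv4-size); "srcip-equal-dstip" is an assumed name for the source-equals-destination IP check the scenario describes, the limit value 822 is constructed rather than the switch's default, and the Packet class is the example's own simplification of the header fields.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Minimal view of the header fields the checks look at (constructed, not a real parser)."""
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    icmp_payload_len: int = 0   # ICMP net load length in bytes


# Policy keys follow the manual's command names where the page gives them.
# "srcip-equal-dstip" is an assumed name; 822 is a constructed limit, not the default.
DEFAULT_POLICY = {
    "srcip-equal-dstip": True,
    "srcport-equal-dstport": True,
    "icmp-attacking": True,
    "icmpv4-size": 822,
}


def check_packet(pkt: Packet, policy: dict = DEFAULT_POLICY) -> Optional[str]:
    """Return None if the packet may be forwarded, else the name of the check it failed."""
    if policy.get("srcip-equal-dstip") and pkt.src_ip == pkt.dst_ip:
        return "srcip-equal-dstip"
    if (policy.get("srcport-equal-dstport") and pkt.proto in ("tcp", "udp")
            and pkt.src_port == pkt.dst_port):
        return "srcport-equal-dstport"
    # icmpv4-size has no effect on its own: it only applies while icmp-attacking is
    # enabled, as the manual states for the dosattack-check icmpv4-size command.
    if (policy.get("icmp-attacking") and pkt.proto == "icmp"
            and pkt.icmp_payload_len > policy.get("icmpv4-size", 0)):
        return "icmp-attacking"
    return None


def filter_packets(packets, policy=DEFAULT_POLICY):
    """Split a packet list into (forwarded, dropped); dropped entries carry the reason."""
    forwarded, dropped = [], []
    for pkt in packets:
        reason = check_packet(pkt, policy)
        if reason is None:
            forwarded.append(pkt)
        else:
            dropped.append((pkt, reason))
    return forwarded, dropped


# Constructed sample traffic: two ordinary flows and three packets that each trip one check.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", "tcp", src_port=40000, dst_port=80),
    Packet("10.0.0.5", "10.0.0.9", "icmp", icmp_payload_len=64),
    Packet("10.0.0.7", "10.0.0.7", "tcp", src_port=1234, dst_port=80),
    Packet("10.0.0.5", "10.0.0.9", "udp", src_port=53, dst_port=53),
    Packet("10.0.0.5", "10.0.0.9", "icmp", icmp_payload_len=1500),
]
```

The UDP 53-to-53 sample is worth noting: server-to-server DNS legitimately uses equal ports, so the port-cheat check drops some genuine traffic. Before enabling it on a port, check which flows on that port look like that.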
Chapter 46 TACACS+ Configuration

46.1 Introduction to TACACS+

TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
tacacs-server authentication host [port ] [timeout ] [key {0 | 7} ] [primary]
no tacacs-server authentication host
    Configure the IP address, listening port number, timeout timer value and key string of the TACACS+ server; the no form of this command deletes the TACACS+ authentication server.
3.
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#tacacs-server authentication host 10.1.1.3
Switch(config)#tacacs-server key test
Switch(config)#authentication line vty login tacacs

46.4 TACACS+ Troubleshooting

When configuring and using TACACS+, authentication may fail for reasons such as physical connection failure or wrong configuration.
Chapter 47 RADIUS Configuration

47.1 Introduction to RADIUS

47.1.1 AAA and RADIUS Introduction

AAA is short for Authentication, Authorization and Accounting. It provides a consistent framework for managing the network securely.
3   Access-Reject
4   Accounting-Request
5   Accounting-Response
11  Access-Challenge

Identifier field (1 octet): Identifier for matching request and answer packets.
Length field (2 octets): The length of the overall RADIUS packet, including the Code, Identifier, Length, Authenticator and Attributes fields.
Authenticator field (16 octets): Used for validation of the packets received from the RADIUS server; it can also be used to carry encrypted passwords.
21  (unassigned)      62  Port-Limit
22  Framed-Route      63  Login-LAT-Port

Length field (1 octet): the length in octets of the attribute, including the Type, Length and Value fields.
Value field: the value of the attribute, whose content and format are determined by the type and length of the attribute.

47.2 RADIUS Configuration Task List
1. Enable the authentication and accounting function
2. Configure the RADIUS authentication key
3. Configure the RADIUS server
4.
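A parser for the packet layout and attribute TLVs described above, plus the Authenticator check a client performs on server replies, as an added example; it is not the manual's code and has nothing to do with the switch's implementation. It follows the RFC 2865 layout the fields above come from (the Response Authenticator is the MD5 of Code, Identifier, Length, the Request Authenticator, the Attributes and the shared secret). The sample exchange is constructed; the secret "test" merely matches the manual's radius-server key example, and the attribute types used (1 User-Name, 5 NAS-Port, 18 Reply-Message) are standard RADIUS numbers rather than values from this page.

```python
import hashlib
import hmac
import struct

# Code values from the manual's RADIUS packet-format table (RFC 2865/2866 numbering).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def parse_attributes(data):
    """Walk the Attributes field: each attribute is Type(1) Length(1) Value(Length-2)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute %d has invalid length %d" % (atype, alen))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_packet(pkt):
    """Split a RADIUS packet into its fields, refusing inconsistent Length values."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("Length field %d inconsistent with %d received bytes" % (length, len(pkt)))
    return {
        "code": code,
        "name": RADIUS_CODES.get(code, "unknown"),
        "id": ident,
        "length": length,
        "authenticator": pkt[4:HEADER_LEN],
        "attributes": parse_attributes(pkt[HEADER_LEN:length]),  # bytes past Length are padding
    }


def encode_attributes(attrs):
    return b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)


def build_request(code, ident, request_auth, attrs):
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + request_auth + body


def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attributes(attrs)
    length = HEADER_LEN + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def verify_response(pkt, request_auth, secret):
    """The check a NAS performs on a server reply: recompute the Response Authenticator
    with the shared secret and the Request Authenticator it sent, compare in constant time."""
    p = parse_packet(pkt)
    expected = response_authenticator(p["code"], p["id"], p["length"], request_auth,
                                      pkt[HEADER_LEN:p["length"]], secret)
    return hmac.compare_digest(expected, p["authenticator"])


# Constructed sample exchange. The Request Authenticator would normally be 16 random bytes.
SHARED_SECRET = b"test"
REQUEST_AUTH = bytes(range(16))
SAMPLE_REQUEST = build_request(1, 7, REQUEST_AUTH,
                               [(1, b"alice"), (5, struct.pack("!I", 2))])  # User-Name, NAS-Port
SAMPLE_ACCEPT = build_response(2, 7, REQUEST_AUTH, [(18, b"Welcome")], SHARED_SECRET)  # Reply-Message
```

The verification step is why the key configured with radius-server key has to match on both ends and why it should not be guessable: a reply whose Authenticator does not verify against the secret and the original Request Authenticator must be discarded, whatever its Code says.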
2. Configure the RADIUS authentication key

Global Mode:
radius-server key {0 | 7}
no radius-server key
    To configure the encryption key for the RADIUS server. The no form of this command will remove the configured key.
3.
radius-server timeout
no radius-server timeout
    To configure the timeout value for the RADIUS server. The no form of this command will restore the default configuration.
radius-server accounting-interim-update timeout
no radius-server accounting-interim-update timeout
    To configure the update interval for accounting. The no form of this command will restore the default configuration.
5.
Configure steps as below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
47.3.
47.4 RADIUS Troubleshooting

When configuring and using RADIUS, authentication may fail for reasons such as physical connection failure or wrong configuration.
Chapter 48 SSL Configuration

48.1 Introduction to SSL

As computer networking technology spreads, network security has an ever greater impact on the availability and usability of networking applications, and has become one of the greatest barriers to modern networking applications. To protect sensitive data transferred over the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser.
48.1.1 Basic Element of SSL

The basic strategy of SSL is to provide a secure channel for forwarding arbitrary application data between two communicating programs. In theory, an SSL connection is similar to an encrypted TCP connection. The SSL protocol sits below the application layer and above TCP.
SSL session handshake process:

48.2 SSL Configuration Task List
1. Enable/disable SSL function
2. Configure/delete port number used by SSL
3. Configure/delete secure cipher suite used by SSL
4. Maintenance and diagnosis for the SSL function

1. Enable/disable SSL function

Global Mode:
ip http secure-server
no ip http secure-server
    Enable/disable SSL function.
2.
3. Configure/delete secure cipher suite used by SSL

Global Mode:
ip http secure-ciphersuite {des-cbc3-sha | rc4-128-sha | des-cbc-sha}
no ip http secure-ciphersuite
    Configure/delete the secure cipher suite used by SSL.

4. Maintenance and diagnosis for the SSL function

Admin Mode:
show ip http secure-server status
    Show the configured SSL information.
debug ssl
no debug ssl
    Open/close the DEBUG for SSL function.
48.
Configuration on the switch:
Switch(config)# ip http secure-server
Switch(config)# ip http secure-port 1025
Switch(config)# ip http secure-ciphersuite rc4-128-sha

48.4 SSL Troubleshooting

When configuring and using SSL, the SSL function may fail for reasons such as physical connection failure or wrong configuration.
Chapter 49 IPv6 Security RA Configuration

49.1 Introduction to IPv6 Security RA

In IPv6 networks, the topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers advertise RAs (Router Advertisements) containing the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create a link address and set the sender of the RA as their default router in order to communicate on the IPv6 network.
3. Display and debug the related information of IPv6 security RA

Admin Mode:
debug ipv6 security-ra
no debug ipv6 security-ra
    Enable the debug information of the IPv6 security RA module; the no operation of this command disables the output of IPv6 security RA debug information.
show ipv6 security-ra [interface ]
    Display the untrusted ports and whether security RA is enabled globally.
49.
49.4 IPv6 Security RA Troubleshooting Help

The IPv6 security RA function is quite simple. If it does not behave as expected after configuration:
Check if the switch is correctly configured.
Check if there are rules configured on the switch that conflict with the security RA function; such rules will cause RA messages to be forwarded.
Chapter 50 MAB Configuration

50.1 Introduction to MAB

In real networks, some existing devices, such as printers and PDAs, cannot install an authentication client and cannot perform 802.1x authentication. To access network resources, they need MAB authentication in place of 802.1x authentication. MAB authentication is a network access authentication method based on the access port and the MAC address of the MAB user.
mac-authentication-bypass enable
no mac-authentication-bypass enable
    Enable the global MAB authentication function.

Port Mode:
mac-authentication-bypass enable
no mac-authentication-bypass enable
    Enable the port MAB authentication function.
2.
authentication mab {radius | none}
no authentication mab
    Configure the authentication mode and priority of MAC address; the no command restores the default authentication mode.
50.
Ethernet 1/4 is a trunk port that connects to Switch 2. Ethernet 1/4 of Switch 2 is a trunk port that connects to Switch 1. Ethernet 1/1 is an access port in vlan8 that connects to the update server used to download and upgrade the client software. Ethernet 1/2 is an access port in vlan9 that connects to the RADIUS server, which is configured to assign auto vlan as vlan10. Ethernet 1/3 is an access port in vlan10 that connects to external Internet resources.
Switch(config-if-ethernet1/2)#mac-authentication-bypass enable
Switch(config-if-ethernet1/2)#mac-authentication-bypass enable guest-vlan 8
Switch(config-if-ethernet1/2)#exit
Switch(config)#interface ethernet 1/3
Switch(config-if-ethernet1/3)#switchport mode access
Switch(config-if-ethernet1/3)#mac-authentication-bypass enable
Switch(config-if-ethernet1/3)#exit
Switch(config)#interface ethernet 1/4
Switch(config-if-ethernet1/4)# switchport mode trunk
50.
Chapter 51 PPPoE Intermediate Agent Configuration

51.1 Introduction to PPPoE Intermediate Agent

51.1.1 Brief Introduction to PPPoE

PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that uses the point-to-point communication method. It is usually chosen for host dial-up links, for example a telephone line dial-up link.
responds with a PADO (PPPoE Active Discovery Offer) packet to the client according to the source MAC address of the received PADI packet; the packet carries the server name and service name.
3. Client sends PADR packet: In the third step, the client selects a server to process the session according to the received PADO packets. It may receive many PADO packets in response to one PADI.
Figure 51-1: PPPoE IA protocol exchange process
51.1.2.
TLV length field (2 bytes): Specifies the length of the TAG data field.
TLV data field (length not fixed): Carries the transmitted data of the TAG.

Tag Type   Tag Explanation
0x0000     End of the tag list in the PPPoE data field; it is reserved to ensure version compatibility and is used by some packets.
0x0101     Service name. Indicates the services supplied by the network.
0x0102     Server name.
The TLV tag added for PPPoE IA has type 0x0105; TAG_LENGTH is the length field of the vendor tag; 0x00000DE9 is the fixed 4-byte “ADSL Forum” IANA entry; 0x01 is the type field of the Agent Circuit ID, followed by its length field and the Agent Circuit ID value field; 0x02 is the type field of the Agent Remote ID, followed by its length field and the Agent Remote ID value field.
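An encoder and parser for the tag layout described in this section and the preceding tag table, together with the strip-then-insert step an intermediate agent performs on a client's discovery packet, as an added example; it is not the manual's or the switch's code. It uses the tag types on the page (0x0000, 0x0101, 0x0105, the 0x00000DE9 IANA id and the 0x01/0x02 sub-options) and the PPPoE discovery header layout (version/type byte 0x11, code, session id, payload length) from the PPPoE specification; the PADI code 0x09 and the sample client frame are the example's own, and the circuit ID "aaaa" and remote ID "xyz" simply reuse the values from the manual's configuration example.

```python
import struct

PPPOE_VER_TYPE = 0x11      # PPPoE version 1, type 1
PADI = 0x09                # PPPoE Active Discovery Initiation code
TAG_END_OF_LIST = 0x0000   # tag types from the manual's tag table
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
ADSL_FORUM_IANA = 0x00000DE9
SUB_CIRCUIT_ID = 0x01
SUB_REMOTE_ID = 0x02


def vendor_tag_value(circuit_id, remote_id):
    """TAG_VALUE of the 0x0105 tag: 4-byte ADSL Forum IANA id, then the two sub-options."""
    subs = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return struct.pack("!I", ADSL_FORUM_IANA) + subs


def parse_vendor_tag(value):
    """Return {sub-type: bytes} for an ADSL Forum vendor tag, or None for another vendor."""
    if len(value) < 4:
        raise ValueError("vendor tag shorter than its IANA field")
    if struct.unpack("!I", value[:4])[0] != ADSL_FORUM_IANA:
        return None
    subs, pos = {}, 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-option header")
        stype, slen = value[pos], value[pos + 1]
        if pos + 2 + slen > len(value):
            raise ValueError("sub-option %d overruns the tag" % stype)
        subs[stype] = value[pos + 2:pos + 2 + slen]
        pos += 2 + slen
    return subs


def parse_tags(data):
    """Walk the PPPoE payload: TAG_TYPE(2) TAG_LENGTH(2) TAG_VALUE, stopping at End-Of-List."""
    tags, pos = [], 0
    while pos + 4 <= len(data):
        ttype, tlen = struct.unpack("!HH", data[pos:pos + 4])
        if pos + 4 + tlen > len(data):
            raise ValueError("tag 0x%04x overruns the payload" % ttype)
        tags.append((ttype, data[pos + 4:pos + 4 + tlen]))
        pos += 4 + tlen
        if ttype == TAG_END_OF_LIST:
            break
    return tags


def build_pppoe(code, tags, session_id=0):
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload)) + payload


def split_pppoe(frame):
    if len(frame) < 6:
        raise ValueError("frame shorter than the PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    if 6 + length > len(frame):
        raise ValueError("PPPoE length field overruns the frame")
    return code, session_id, parse_tags(frame[6:6 + length])


def agent_process(frame, circuit_id, remote_id, strip=True):
    """What the agent does to an upstream discovery packet from a client port: with the
    vendor-tag strip function on, discard any vendor tag the client supplied, then add
    the agent's own tag (ahead of the End-Of-List tag if one is present)."""
    code, session_id, tags = split_pppoe(frame)
    end = [t for t in tags if t[0] == TAG_END_OF_LIST]
    kept = [t for t in tags
            if t[0] != TAG_END_OF_LIST and not (strip and t[0] == TAG_VENDOR_SPECIFIC)]
    kept.append((TAG_VENDOR_SPECIFIC, vendor_tag_value(circuit_id, remote_id)))
    return build_pppoe(code, kept + end, session_id)


def circuit_ids(frame):
    """Agent Circuit IDs carried in a frame, one per ADSL Forum vendor tag found."""
    _, _, tags = split_pppoe(frame)
    found = []
    for ttype, value in tags:
        if ttype == TAG_VENDOR_SPECIFIC:
            subs = parse_vendor_tag(value)
            if subs is not None:
                found.append(subs.get(SUB_CIRCUIT_ID))
    return found


# Constructed client PADI that already carries a vendor tag the client put there itself.
CLIENT_PADI = build_pppoe(PADI, [
    (TAG_SERVICE_NAME, b""),
    (TAG_VENDOR_SPECIFIC, vendor_tag_value(b"client-claimed", b"client-claimed")),
    (TAG_END_OF_LIST, b""),
])
```

The strip=False path shows why the manual's vendor-tag strip setting matters on client-facing ports: without it, the access concentrator receives two circuit IDs and has no way to tell which one the agent itself wrote.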
51.2 PPPoE Intermediate Agent Configuration Task List
1. Enable global PPPoE Intermediate Agent
2. Enable port PPPoE Intermediate Agent

Global Mode:
pppoe intermediate-agent
no pppoe intermediate-agent
    Enable global PPPoE Intermediate Agent function.
pppoe intermediate-agent type tr-101 circuit-id access-node-id
no pppoe intermediate-agent type tr-101
    Configure the access node ID field value of the circuit ID in the added vendor tag.
pppoe intermediate-agent
no pppoe intermediate-agent
    Enable PPPoE Intermediate Agent function of the port.
pppoe intermediate-agent vendor-tag strip
no pppoe intermediate-agent vendor-tag strip
    Set the vendor tag strip function of the port.
pppoe intermediate-agent trust
no pppoe intermediate-agent trust
    Set a port as trusted port.
pppoe intermediate-agent circuit-id
    Set the circuit-id of the port.
Step 3: Enable the PPPoE IA function on port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234.
Switch(config-if-ethernet1/2)#pppoe intermediate-agent
Switch(config-if-ethernet1/3)#pppoe intermediate-agent
Step 4: Configure the pppoe intermediate-agent access-node-id as abcd.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd
Step 5: Configure circuit ID as aaaa and remote ID as xyz for port ethernet1/3.
Step 5: Configure the pppoe intermediate-agent identifier-string as “efgh”, combo mode as spv, the delimiter between Slot ID and Port ID as “#”, and the delimiter between Port ID and Vlan ID as “/”.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id identifier-string efgh option spv delimiter # delimiter /
Step 6: Configure the circuit-id value as bbbb on port ethernet1/2.
Chapter 52 Web Portal Configuration

52.1 Introduction to Web Portal Authentication

802.1x authentication uses a dedicated client to authenticate. The access device is a dedicated layer 2 switch, the authentication server is a RADIUS server, and the authentication messages use the EAP protocol format.
1. Enable/disable web portal authentication globally

Global Mode:
webportal enable
no webportal enable
    Enable/disable web portal authentication globally.

2. Enable/disable web portal authentication of the port

Port Mode:
webportal enable
no webportal enable
    Enable/disable web portal authentication of the port.

3. Configure the max.
6. Enable dhcp snooping binding web portal function

Port Mode:
ip dhcp snooping binding webportal
no ip dhcp snooping binding webportal
    Enable dhcp snooping binding web portal function.

7. Delete the binding information of web portal authentication

Admin Mode:
clear webportal binding {mac WORD | interface |}
    Delete the binding information of web portal authentication.
52.3 Web Portal Authentication Typical Example

Figure 52-1: Web portal typical application scene

In the figure above, pc1 is the end user; it has an HTTP browser but no 802.1x authentication client, and wants to access the network through web portal authentication. Switch1 is the access device; it configures the accounting server’s address and port as the RADIUS server’s IP and port, and enables the accounting function.
Switch(config)#webportal nas-ip 192.168.40.50
Switch(config)#webportal redirect 192.168.40.
Chapter 53 VLAN-ACL Configuration

53.1 Introduction to VLAN-ACL

The user can apply an ACL policy to a VLAN to implement access control on all ports of the VLAN; VLAN-ACL lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN, and the corresponding ACL action takes effect on all member ports of the VLAN without being configured separately on each member port.
vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD
no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
    Configure or delete MAC VLAN-ACL. (Egress filtering is not supported by the switch.)

3. Configure VLAN-ACL of MAC-IP

Global Mode:
vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan
    Configure or delete MAC-IP VLAN-ACL.
clear vacl [in | out] statistic vlan []
    Clear the statistic information of VACL. (Egress filtering is not supported by the switch.)

53.3 VLAN-ACL Configuration Example

A company’s network configuration is shown below. Departments are divided into different VLANs: the technical department is Vlan1 and the finance department is Vlan2.
Switch(config)# ip access-list extended vacl_a
Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t1
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3) Configure the extended ACL vacl_b of IP; at any time it only allows access to resources within the internal network (such as 192.168.1.255).
Switch(config)#ip access-list extended vacl_b
Switch(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.
Chapter 54 SAVI Configuration

54.1 Introduction to SAVI

SAVI (Source Address Validation Improvement) is a security authentication method that validates source addresses at the granularity of individual nodes. It obtains trusted node information (such as port and MAC address), called anchor information, by monitoring the exchange of the relevant protocol packets (such as ND and DHCPv6) using the CPS (Control Packet Snooping) mechanism.
1. Enable or disable SAVI function

Global Mode:
savi enable
no savi enable
    Enable the global SAVI function; the no command disables the function.

2. Enable or disable application scene function for SAVI

Global Mode:
savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
    Enable the application scene function for SAVI; the no command disables the function.
3.
savi max-dad-prepare-delay
no savi max-dad-prepare-delay
    Configure the maximum redetection lifetime period for SAVI binding; the no command restores the default value.

6. Configure the global max-slaac-life for SAVI

Global Mode:
savi max-slaac-life
no savi max-slaac-life
    Configure the lifetime period of the dynamic slaac binding at BOUND state; the no command restores the default value.
7.
savi ipv6 mac-binding-limit
no savi ipv6 mac-binding-limit
    Configure the number of dynamic bindings allowed for the same MAC address; the no command restores the default value.
    Note: The binding number only limits dynamic bindings; it does not limit the number of static bindings.
11.
15. Configure the binding number

Port Mode:
savi ipv6 binding num
no savi ipv6 binding num
    Configure the binding number of a port; the no command restores the default value.
    Note: The binding number only limits dynamic bindings; it does not limit the number of static bindings.
54.
Client_1 and Client_2 are two different users’ PCs with the IPv6 protocol installed; they connect to port Ethernet1/12 of Switch1 and port Ethernet1/13 of Switch2 respectively, and the SAVI source address check function is enabled on those ports. Ethernet1/1 and Ethernet1/2 are the uplink ports of Switch1 and Switch2 respectively, with the DHCP trust and ND trust functions enabled. The aggregation switch Switch3 enables the DHCPv6 server function and the route advertisement function.
Chapter 55 MRPP Configuration

55.1 Introduction to MRPP

MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet loop protection. It avoids the broadcast storm caused by a data loop on an Ethernet ring, and restores communication among all nodes on the ring network when the Ethernet ring has a broken link. MRPP is an extension of EAPS (Ethernet link automatic protection protocol).
Primary node: each ring has a primary node; it is the main node for detection and protection.
Transfer node: all nodes other than the primary node are transfer nodes on each ring.
The node role is determined by user configuration. As shown in Figure 55-1, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
4.
LINK-UP-FLUSH_FDB packet: After the primary node detects that the ring failure has been restored to normal, it sends this packet from its primary port and informs each transfer node to refresh its own MAC address table.

55.1.3 MRPP Protocol Operation System

1. Link Down Alarm System
When a transfer node finds that one of its MRPP ring ports is Down, it sends a link Down packet to the primary node immediately.
1) Globally enable MRPP

Global Mode:
mrpp enable
no mrpp enable
    Globally enable and disable MRPP.

2) Configure MRPP ring

Global Mode:
mrpp ring
no mrpp ring
    Create MRPP ring. The “no” command deletes the MRPP ring and its configuration.

MRPP Ring Mode:
control-vlan
no control-vlan
    Configure the control VLAN ID; the “no” form deletes the configured control VLAN ID.
4) Configure the compatible mode

Global Mode:
mrpp errp compatible
no mrpp errp compatible
    Enable the compatible mode for ERRP; the no command disables the compatible mode.
mrpp eaps compatible
no mrpp eaps compatible
    Enable the compatible mode for EAPS; the no command disables the compatible mode.
errp domain
no errp domain
    Create ERRP domain; the no command deletes the configured ERRP domain.
The topology above is common when using the MRPP protocol. Multiple switches constitute a single MRPP ring: all of the switches are configured with only MRPP ring 4000, thereby forming a single MRPP ring. In the configuration above, SWITCH A is configured as the primary node of MRPP ring 4000, with E1/1 as the primary port and E1/2 as the secondary port. The other switches are secondary nodes of the MRPP ring, each configured with a primary port and a secondary port.
SWITCH C configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#
SWITCH D configuration T
The convergence time of an MRPP ring network depends on the port up/down response mode. In poll mode, the convergence time is hundreds of milliseconds in a simple ring network; in interrupt mode, the convergence time is within 50 milliseconds. Generally, the port is configured as poll mode; interrupt mode is only applied in environments that need better performance, but the security of poll mode is better than that of interrupt mode. See the port-scan-mode {interrupt | poll} command.
Chapter 56 ULPP Configuration

56.1 Introduction to ULPP

Each ULPP group has two uplink ports, the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state; the other port is blocked in the Standby state.
When the uplink switchover happens, the existing forwarding entries of the device are not applied to the new topology in the network. In the figure, SwitchA is configured with ULPP and portA1 is the master port in the forwarding state; here the MAC address of the PC is learned by Switch D from portD3. After this, portA1 has a problem and the traffic is switched to portA2 to be forwarded.
1. Create ULPP group globally

Global Mode:
ulpp group
no ulpp group
    Configure and delete ULPP group globally.

2. Configure ULPP group

ULPP Group Mode:
preemption mode
no preemption mode
    Configure the preemption mode of ULPP group. The no operation deletes the preemption mode.
ulpp flush enable mac
ulpp flush disable mac
    Enable or disable receiving the flush packets which update the MAC address.
ulpp flush enable arp
ulpp flush disable arp
    Enable or disable receiving the flush packets which delete ARP.
ulpp flush enable mac-vlan
ulpp flush disable mac-vlan
    Enable or disable receiving the flush packets of mac-vlan type.
3.
ulpp group master
no ulpp group master
    Configure or delete the master port of ULPP group.
56.3 ULPP Typical Examples

56.3.1 ULPP Typical Example1

[Figure 56-3: ULPP typical example1. Topology: Switch A, Switch B, Switch C and Switch D; ports E1/1 and E1/2.]

The topology above is the typical application environment of the ULPP protocol. SwitchA has two uplinks, to SwitchB and SwitchC. When no protocol is enabled, this topology forms a ring. To avoid the loop, SwitchA can be configured with the ULPP protocol, with the master port and the slave port in a ULPP group.
Switch(ulpp-group-1)#control vlan 10
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)# ulpp group 1 master
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/1
Switch(Config-vlan10)#exit
Switch(Config)#interface ether
56.3.2 ULPP Typical Example2

[Figure 56-4: ULPP typical example2. Topology: Switch A, Switch B, Switch C and Switch D; ports E1/1 and E1/2; Vlan 1-100 and Vlan 101-200.]

ULPP can implement VLAN-based load balancing. As the figure illustrates, SwitchA configures two ULPP groups: port E1/1 is the master port and port 1/2 is the slave port in group1; port 1/2 is the master port and port 1/1 is the slave port in group2. The VLANs protected by group1 are 1-100 and by group2 are 101-200.
Switch(config-If-Ethernet1/1)#ulpp group 1 master
Switch(config-If-Ethernet1/1)#ulpp group 2 slave
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)#switchport mode trunk
Switch(config-If-Ethernet1/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/2)# ulpp group 2 master
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#switchport mode tr
Chapter 57 ULSM Configuration

57.1 Introduction to ULSM

ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports, and there may be multiple of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group. The uplink port is the monitored port of the ULSM group.
User’s Manual of SGS-6341 series 57.2 ULSM Configuration Task List 1. Create ULSM group globally 2. Configure ULSM group 3. Show and debug the relating information of ULSM 1. Create ULSM group globally Command explanation Global Mode ulsm group no ulsm group Configure and delete ULSM group globally. 2.
User’s Manual of SGS-6341 series 57.3 ULSM Typical Example Switch D E1/3 E1/4 Switch B E1/1 E1/2 E1/1 Switch C E1/2 Switch A Figure 57-2: ULSM typical example The above topology is the typical application environment which is used by ULSM and ULPP protocol. ULSM is used to process the port state synchronization, its independent running is useless, so it usually associates with ULPP protocol to use. In the topology, SwitchA enables ULPP protocol, it is used to switch the uplink.
User’s Manual of SGS-6341 series Switch(Config)#interface ethernet 1/1 Switch(config-If-Ethernet1/1)#ulsm group 1 downlink Switch(config-If-Ethernet1/1)#exit Switch(Config)#interface ethernet 1/3 Switch(config-If-Ethernet1/3)#ulsm group 1 uplink Switch(config-If-Ethernet1/3)#exit SwitchC configuration task list: Switch(Config)#ulsm group 1 Switch(Config)#interface ethernet 1/2 Switch(config-If-Ethernet1/2)#ulsm group 1 downlink Switch(config-If-Ethernet1/2)#exit Switch(Config)#interface ethernet 1/4 Switch(
Chapter 58 Mirror Configuration

58.1 Introduction to Mirror

Mirror functions include the port mirror function, the CPU mirror function and the flow mirror function. Port mirroring refers to the duplication of data frames sent/received on a port to another port. The port being duplicated is referred to as the mirror source port and the port receiving the duplicates is referred to as the mirror destination port.

   ... {interface | cpu} {rx | tx | both}
   no monitor session source {interface | cpu}          ... deletes mirror source port.
3.

58.4 Device Mirror Troubleshooting

If problems occur when configuring port mirroring, please first check the following possible cause: whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
Chapter 59 sFlow Configuration

59.1 Introduction to sFlow

sFlow (RFC 3176), developed by InMon, is a protocol based on standard network export and used for monitoring network traffic information. The monitored switch or router sends data to the client analyzer through its main operations, sampling and statistics; the analyzer then analyzes the data according to the user's requirements so as to monitor the network.

2. Configure the sFlow proxy address
   Global Mode
   sflow agent-address              Configure the source IP address applied by the sFlow proxy; the "no" form of the command deletes this address.
   no sflow agent-address
3.

7. Configure the sFlow statistics sampling interval
   Port Mode
   sflow counter-interval           Configure the max. interval at which sFlow performs statistics sampling. The "no" form of this command deletes
   no sflow counter-interval

8. Configure the analyzer used by sFlow
   Global Mode
   sflow analyzer sflowtrend        Configure the analyzer used by sFlow; the no command deletes the analyzer.
   no sflow analyzer sflowtrend
59.

Switch (Config-If-Ethernet1/2)#sflow rate input 20000
Switch (Config-If-Ethernet1/2)#sflow rate output 20000
Switch (Config-If-Ethernet1/2)#sflow counter-interval 40

59.4 sFlow Troubleshooting

When configuring and using sFlow, the sFlow server may fail to run properly because of a physical connection failure, wrong configuration, etc.
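What the analyzer actually receives after the configuration above is an sFlow v5 datagram whose header names the agent address and whose flow samples carry the sampling rate. The following is an added example, not code from the manual or from PLANET: a collector-side parser that reads those header fields and checks them against what was configured on the switch. The datagram bytes are constructed here, and the agent address 192.0.2.10 is an assumed value.

```python
import struct
import ipaddress

# Assumed values for the constructed datagram: a documentation-range agent
# address and the "sflow rate input/output 20000" from the example above.
AGENT_IP = "192.0.2.10"
SAMPLING_RATE = 20000


def build_sample_datagram():
    """Construct one sFlow v5 datagram holding a single flow sample (no records)."""
    header = struct.pack(
        ">IIIIIII",
        5,                                      # sFlow version
        1,                                      # agent address type: 1 = IPv4
        int(ipaddress.IPv4Address(AGENT_IP)),   # agent address
        0,                                      # sub-agent id
        17,                                     # datagram sequence number
        123456,                                 # agent uptime in ms
        1,                                      # number of samples that follow
    )
    flow_sample = struct.pack(
        ">IIIIIIII",
        42,               # sample sequence number
        (0 << 24) | 2,    # source id: type 0 (ifIndex) in the top byte, ifIndex 2
        SAMPLING_RATE,    # 1 packet in N was sampled
        840000,           # sample pool: packets that could have been sampled
        0,                # samples dropped by the agent
        2,                # input ifIndex
        5,                # output ifIndex
        0,                # number of flow records (kept empty for brevity)
    )
    # sample header: type = enterprise (0) << 12 | format (1 = flow sample), then length
    return header + struct.pack(">II", 1, len(flow_sample)) + flow_sample


def parse_sflow_datagram(data):
    """Return the datagram header fields and the headers of any standard flow samples."""
    version, addr_type, agent_raw, sub_agent, seq, uptime, nsamples = struct.unpack_from(">IIIIIII", data, 0)
    if version != 5:
        raise ValueError("unsupported sFlow version %d" % version)
    if addr_type != 1:
        raise ValueError("only IPv4 agent addresses are handled in this example")
    offset = 28
    samples = []
    for _ in range(nsamples):
        sample_type, sample_len = struct.unpack_from(">II", data, offset)
        offset += 8
        enterprise, fmt = sample_type >> 12, sample_type & 0xFFF
        if enterprise == 0 and fmt == 1:        # standard flow sample
            sseq, source_id, rate, pool, drops, in_if, out_if, nrec = struct.unpack_from(">IIIIIIII", data, offset)
            samples.append({"seq": sseq, "source_index": source_id & 0xFFFFFF,
                            "sampling_rate": rate, "sample_pool": pool, "drops": drops,
                            "input": in_if, "output": out_if, "records": nrec})
        offset += sample_len                    # skip the rest of the sample, whatever it holds
    return {"agent": str(ipaddress.IPv4Address(agent_raw)), "sub_agent": sub_agent,
            "seq": seq, "uptime_ms": uptime, "samples": samples}


def check_against_config(parsed, expected_agent, expected_rate):
    """List mismatches between what is on the wire and what the switch was configured with."""
    problems = []
    if parsed["agent"] != expected_agent:
        problems.append("agent address %s != configured %s" % (parsed["agent"], expected_agent))
    for s in parsed["samples"]:
        if s["sampling_rate"] != expected_rate:
            problems.append("sample %d: rate %d != configured %d" % (s["seq"], s["sampling_rate"], expected_rate))
        if s["drops"]:
            problems.append("sample %d: agent reported %d dropped samples" % (s["seq"], s["drops"]))
    return problems


if __name__ == "__main__":
    parsed = parse_sflow_datagram(build_sample_datagram())
    print(parsed)
    print(check_against_config(parsed, AGENT_IP, SAMPLING_RATE))
```

An agent address that differs from the one set with sflow agent-address, or a sampling rate that differs from the configured sflow rate, is the first thing to look for when the analyzer shows unexpected traffic volumes; a non-zero drop count shows that the agent could not keep up at the chosen rate.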
Chapter 60 RSPAN Configuration

60.1 Introduction to RSPAN

Port mirroring refers to the duplication of data frames sent/received on a port to another port. The port being duplicated is referred to as the mirror source port and the port receiving the duplicates is referred to as the mirror destination port. With mirroring in place it is more convenient for the network administrator to monitor, manage and diagnose the network.

Note: Normal mode is used by default. When using normal mode, datagrams with reserved MAC addresses cannot be broadcast. For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of source mirror ports is not limited and can be one or more.

60.2 RSPAN Configuration Task List

1. Configure RSPAN VLAN
2. Configure mirror source port (cpu)
3. Configure mirror destination port
4. Configure reflector port
5. Configure remote VLAN of mirror group

1. Configure RSPAN VLAN
   VLAN Mode
   remote-span                        To configure the specified VLAN as the RSPAN VLAN. The no command removes the RSPAN VLAN configuration.
   no remote-span
2.

4. Configure reflector port
   Global Mode
   monitor session reflector-port     To configure the interface as the reflector port; the no command deletes the reflector port.
   no monitor session reflector-port
5.

connected to the intermediate switch is not fixed. Datagrams can be broadcast in the RSPAN VLAN through the loopback, which is much more flexible. The normal mode configuration is shown below:

Solution 1:
Source switch: Interface ethernet 1/1 is the source port for mirroring. Interface ethernet 1/2 is the destination port, which is connected to the intermediate switch. RSPAN VLAN is 5.

Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode trunk
Switch(Config-If-Ethernet1/9)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/10)#exit

Solution 2:
Source switch: Interface ethernet 1/1 is the source port. Interface ethernet 1/2 is the TRUNK port, which is connected to the intermediate switch.

Switch(config)#interface ethernet 1/6-7
Switch(Config-If-Port-Range)#switchport mode trunk
Switch(Config-If-Port-Range)#exit

Destination switch: Interface ethernet 1/9 is the source port, which is connected to the source switch. Interface ethernet 1/10 is the destination port, which is connected to the monitor. This port must be configured as an access port and belong to the RSPAN VLAN. RSPAN VLAN is 5.
Chapter 61 ERSPAN

61.1 Introduction to ERSPAN

ERSPAN (Encapsulated Remote Switched Port Analyzer) eliminates the limitation that the source port and the destination port must be located on the same switch. This feature makes it possible for the source port and the destination port to be located on different devices in the network, and makes it easier for the network administrator to manage remote switches.

3. Appoint the mirror destination; the destination can be a physical port or the tunnel
   Global Mode
   monitor session destination tunnel interface desmac <MAC address> desIP <Dest IP address> scrIP <Source IP address>
                                      Appoint the mirror destination to be the physical port or the tunnel; the no command deletes the mirror destination.
   no monitor session destination tunnel

Before configuring layer-3 remote port mirroring, make sure that you have created a GRE tunnel connecting the source and destination devices, and ensure that the GRE tunnel forwards normally. The configuration of layer-3 remote port mirroring needs to be performed on the source and destination devices, respectively.

SwitchB (config-router)#network 0.0.0.0/0 area 0
SwitchB (config-router)#exit

(4) Configure Device C (the destination device)
# Create interface Tunnel1, and configure an IP address and mask for it.
SwitchC(config)#interface tunnel 1
SwitchC (config-if-tunnel1)# tunnel mode gre ip
SwitchC (config-if-tunnel1)#ip address 50.1.1.2 255.255.255.0
# Configure Tunnel1 to operate in GRE tunnel mode, and configure source and destination IP addresses for it.
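Once the mirror destination is a GRE tunnel, every mirrored frame leaves the source device as an IPv4 packet with protocol 47 whose GRE payload is the complete original Ethernet frame. The following added example (not code from the manual or from PLANET) builds such a packet and decapsulates it again, with the outer header checksum verified; it is the shape of traffic a collector on the tunnel's far end, or an IDS placed on the path between the two devices, has to recognise. The frame and the tunnel endpoint addresses 192.0.2.1 / 192.0.2.2 are constructed, and the GRE protocol type 0x6558 (transparent Ethernet bridging) is the standard value for an Ethernet payload, which the manual does not state explicitly.

```python
import struct
import ipaddress

GRE_PROTO = 47            # IPv4 protocol number of GRE
ETH_BRIDGING = 0x6558     # GRE protocol type: payload is a whole Ethernet frame


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header (0 when a header is intact)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(frame, src_ip, dst_ip, ttl=64, ident=0x1234):
    """Wrap a complete Ethernet frame in GRE over IPv4, as a GRE mirror tunnel does."""
    payload = struct.pack(">HH", 0, ETH_BRIDGING) + frame     # GRE: no flags, version 0
    header = struct.pack(">BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, 0, ttl, GRE_PROTO, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    header = header[:10] + struct.pack(">H", ipv4_checksum(header)) + header[12:]
    return header + payload


def gre_decapsulate(packet):
    """Validate the outer headers and return (src_ip, dst_ip, inner_frame)."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != GRE_PROTO:
        raise ValueError("not GRE")
    total_len = struct.unpack_from(">H", packet, 2)[0]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, proto = struct.unpack_from(">HH", packet, ihl)
    gre_len = 4
    if flags & 0x8000:
        gre_len += 4          # checksum + reserved1 present
    if flags & 0x2000:
        gre_len += 4          # key present
    if flags & 0x1000:
        gre_len += 4          # sequence number present
    if proto != ETH_BRIDGING:
        raise ValueError("GRE payload is not an Ethernet frame (proto 0x%04x)" % proto)
    return src, dst, packet[ihl + gre_len:total_len]


def is_valid_gre_mirror(packet):
    try:
        gre_decapsulate(packet)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def inner_frame_summary(frame):
    """MACs and EtherType of the mirrored frame, the first things an analyst looks at."""
    return frame[0:6].hex(":"), frame[6:12].hex(":"), struct.unpack_from(">H", frame, 12)[0]


# Constructed mirrored frame: two MAC addresses, EtherType IPv4 and a stub payload.
SAMPLE_FRAME = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    pkt = gre_encapsulate(SAMPLE_FRAME, "192.0.2.1", "192.0.2.2")
    print(gre_decapsulate(pkt))
```

GRE carries no authentication or confidentiality of its own, so the mirrored traffic crosses the path between the two devices in the clear; that is the main reason the manual has you build the tunnel between the two devices yourself rather than across an untrusted network.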
Chapter 62 SNTP Configuration

62.1 Introduction to SNTP

The Network Time Protocol (NTP) is widely used for clock synchronization among computers connected to the Internet worldwide. NTP can assess the packet sending/receiving delay in the network and independently estimate the computer's clock deviation, so as to achieve high accuracy in network computer clocking.

62.2 Typical Examples of SNTP Configuration

[Figure 62-2: Typical SNTP configuration (two SNTP/NTP servers and several switches)]

All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there should be a reachable route between any switch and the two SNTP/NTP servers.
Chapter 63 NTP Function Configuration

63.1 Introduction to NTP Function

NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can achieve millisecond precision. The events, states, transmit functions and actions are defined in RFC-1305.

   ntp server { | } [version ] [key ]    To enable the specified time server as the time source.
   no ntp server { | }
3. To configure the max. number of broadcast or multicast servers supported by the NTP client
   Global Mode
   ntp broadcast server count            Set the max. number of broadcast or multicast servers supported by the NTP client.
   no ntp broadcast server count

   ntp trusted-key                       To configure a trusted key.
   no ntp trusted-key
7. To specify an interface as NTP multicast client interface
   Vlan Mode
   ntp multicast client                  To configure the specified interface to receive NTP multicast packets.
   no ntp multicast client
   ntp ipv6 multicast client             To configure the specified interface to receive IPv6 NTP multicast packets.
   no ntp ipv6 multicast client
8.

   debug ntp sync                        To enable the debug switch for time synchronization information.
   no debug ntp sync
   debug ntp events                      To enable the debug switch for NTP event information.
   no debug ntp events
63.
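Sections 62.1 and 63.1 say that NTP estimates both the network delay and the local clock deviation from one request/reply exchange. The added example below (not code from the manual or from PLANET) shows how: it packs the 48-byte NTP header, simulates one exchange between a switch whose clock is 1.5 s behind and a server, and carries out the RFC 1305 offset and delay arithmetic on the four timestamps. The exchange values (1000.0 s start, 0.1 s one-way delay, 0.1 s server hold time) are constructed, and the check that the reply's originate timestamp matches the request's transmit timestamp is the sanity test any client should make before accepting a reply.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def to_ntp_ts(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_DELTA) << 32) | frac


def from_ntp_ts(ts):
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, stratum, ref, orig, recv, xmit, version=4):
    """48-byte NTP header; mode 3 = client request, mode 4 = server reply."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # poll 6 (64 s) and precision -20 are typical filler values for this example
    return struct.pack(">BBbbIIIQQQQ", li_vn_mode, stratum, 6, -20, 0, 0, 0, ref, orig, recv, xmit)


def parse_packet(data):
    f = struct.unpack(">BBbbIIIQQQQ", data[:48])
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "ref": f[7], "orig": f[8], "recv": f[9], "xmit": f[10]}


def offset_and_delay(t1, t2, t3, t4):
    """RFC 1305: t1 client send, t2 server receive, t3 server send, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange(client_error=1.5, one_way=0.1, server_hold=0.1, t1=1000.0):
    """Constructed exchange in which the client's clock is `client_error` s behind the server.
    Returns (offset, delay) exactly as the client would compute them."""
    request = build_packet(mode=3, stratum=0, ref=0, orig=0, recv=0, xmit=to_ntp_ts(t1))
    req = parse_packet(request)

    # Server side, stamped with the server's clock.
    t2 = t1 + one_way + client_error
    t3 = t2 + server_hold
    reply = build_packet(mode=4, stratum=2, ref=to_ntp_ts(t2 - 60),
                         orig=req["xmit"], recv=to_ntp_ts(t2), xmit=to_ntp_ts(t3))

    # Client side, stamped with the client's clock.
    t4 = t1 + 2 * one_way + server_hold
    rep = parse_packet(reply)
    if rep["mode"] != 4 or rep["orig"] != req["xmit"]:
        raise ValueError("reply does not belong to our request; discard it")
    return offset_and_delay(from_ntp_ts(req["xmit"]), from_ntp_ts(rep["recv"]),
                            from_ntp_ts(rep["xmit"]), t4)


if __name__ == "__main__":
    print("offset %.3f s, delay %.3f s" % simulate_exchange())
```

With the constructed numbers the client recovers an offset of 1.5 s and a round-trip delay of 0.2 s, independent of the absolute values of the clocks, which is why the protocol works without either side knowing the other's time in advance. The originate-timestamp check is what makes an unsolicited or replayed reply fall out before it can move the clock; the ntp trusted-key configuration above adds a cryptographic check on top of it.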
Chapter 64 Summer Time Configuration

64.1 Introduction to Summer Time

Summer time, also called daylight saving time, is a time system for saving energy. In summer the clock is advanced by 1 hour so that people keep earlier hours and need less artificial lighting, which saves electricity. The rules for adopting summer time differ from country to country. At present, almost 110 countries implement summer time.

Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1

Example 2: The configuration requirement is as follows: summer time runs from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October every year, the clock offset is 2 hours, and the summer time is named time_travel. The configuration procedure is as follows:

Switch(config)#clock summer-time time_travel recurring at 23:00 the first Sat. of Apr. and at 00:00 the last Sun. of Oct.
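A recurring rule such as "the first Sat. of Apr." has to be turned into a concrete date every year before the switch can decide what its clock should show. The added example below (not code from the manual or from PLANET) does that computation for the time_travel rule of Example 2 and applies the 2-hour offset. The rule is written as a small data structure of my own; the manual does not say whether the end time is given in standard or summer time, so the example assumes both edges are standard-time instants.

```python
import calendar
import datetime as dt

WEEKDAY = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTH = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
ORDINAL = {"first": 1, "second": 2, "third": 3, "fourth": 4}


def nth_weekday(year, month, weekday, which):
    """Date of the first/second/third/fourth/last <weekday> of a month."""
    if which == "last":
        last = dt.date(year, month, calendar.monthrange(year, month)[1])
        return last - dt.timedelta(days=(last.weekday() - weekday) % 7)
    first = dt.date(year, month, 1)
    return first + dt.timedelta(days=(weekday - first.weekday()) % 7 + 7 * (ORDINAL[which] - 1))


def recurring_window(year, start_rule, end_rule):
    """Rules look like ("first", "Sat", "Apr", "23:00"); returns (start, end) datetimes."""
    def edge(rule):
        which, day, mon, hhmm = rule
        d = nth_weekday(year, MONTH[mon], WEEKDAY[day], which)
        h, m = (int(x) for x in hhmm.split(":"))
        return dt.datetime(d.year, d.month, d.day, h, m)
    return edge(start_rule), edge(end_rule)


# The time_travel rule from Example 2, as data (this representation is mine, not the switch's).
TIME_TRAVEL = {"start": ("first", "Sat", "Apr", "23:00"),
               "end": ("last", "Sun", "Oct", "00:00"),
               "offset_hours": 2}


def display_time(standard_time, rule=TIME_TRAVEL):
    """What the clock should show for a standard-time instant under the rule.
    Assumption: both window edges are expressed in standard time."""
    start, end = recurring_window(standard_time.year, rule["start"], rule["end"])
    if start <= standard_time < end:
        return standard_time + dt.timedelta(hours=rule["offset_hours"])
    return standard_time


def window_iso(year, rule=TIME_TRAVEL):
    start, end = recurring_window(year, rule["start"], rule["end"])
    return start.isoformat(), end.isoformat()


def display_time_iso(standard_iso, rule=TIME_TRAVEL):
    return display_time(dt.datetime.fromisoformat(standard_iso), rule).isoformat()


if __name__ == "__main__":
    print(window_iso(2012))                          # the year used in Example 1
    print(display_time_iso("2012-07-01T12:00:00"))
```

For 2012 the rule resolves to 2012-04-07 23:00 and 2012-10-28 00:00. Log timestamps on a switch jump by the offset at those instants, so an analyst correlating syslog or NTP records across devices needs to know which of them had a summer-time rule configured and which did not.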
Chapter 65 DNSv4/v6 Configuration

65.1 Introduction to DNS

DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember, meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses. There are two types of DNS service, static and dynamic, which complement each other in application.

65.2 DNSv4/v6 Configuration Task List

1. To enable/disable DNS function
2. To configure/delete DNS server
3. To configure/delete domain name suffix
4. To delete the domain entry of specified address in dynamic cache
5. To enable DNS dynamic domain name resolution
6. Enable/disable DNS SERVER function
7. Configure the max. number of client information in the switch queue
8. Configure the timeout value of caching the client information on the switch
9.

   clear dynamic-host { | | all}         To delete the domain entry of the specified address in the dynamic cache.
5. To enable DNS dynamic domain name resolution
   Global Mode
   dns lookup {ipv4 | ipv6}              To enable DNS dynamic domain name resolution.
6. Enable/disable DNS SERVER function
   Global Mode
   ip dns server                         Enable/disable DNS SERVER function.
   no ip dns server
7. Configure the max.

   show dns domain-list                  To show the configured DNS domain name suffix information.
   show dns hosts                        To show the dynamic domain name information resolved by the switch.
   show dns config                       Display the configured global DNS information on the switch.
   show dns client                       Display the DNS client information maintained by the switch.
   debug dns {all | packet [send | recv] | events | relay}        To enable/disable DEBUG of the DNS function.
   no debug dns {all | packet [send | recv]

[Figure 65-2: DNS SERVER typical environment (client, switch, Internet, DNS server IP 219.240.250.101 / IPv6 2001::1)]

The figure above shows an application of DNS SERVER. Under some circumstances the client PC does not know the real DNS server and points to the switch instead. The switch plays the role of a DNS server in two steps: enable the global DNS SERVER function, and configure the IP address of the real DNS server.

Finally, make sure a DNS server address is configured (use the "dns-server" command) and that the switch can ping the DNS server. If the DNS problems remain unsolved, please use "debug dns all" and the other debugging commands, record the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.
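When the switch relays DNS as described in 65.2 and Figure 65-2, it is the switch that has to decide whether a reply from the real DNS server belongs to the query it forwarded for the client. The added example below (not code from the manual or from PLANET) builds an A or AAAA query, parses a reply including the name-compression pointers that real servers use, and applies the checks a relay should make before handing an answer back: the reply bit is set, the transaction ID matches, and the echoed question is the one asked. The reply bytes and the addresses 192.0.2.1 and 2001:db8::1 are constructed for the example.

```python
import struct
import ipaddress

QTYPE = {"A": 1, "AAAA": 28}


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid):
    """Standard query with RD set: header, one question, no other sections."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack_from(">H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack_from(">HH", msg, offset)
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "value": value})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_response(query, rdata_by_type):
    """Constructed server reply: echo the question, answer via a pointer (0xC00C) to it."""
    txid = struct.unpack_from(">H", query, 0)[0]
    question = query[12:]
    qtype = struct.unpack_from(">H", question, len(question) - 4)[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = rdata_by_type[qtype]
    return header + question + b"\xC0\x0C" + struct.pack(">HHIH", qtype, 1, 300, len(rdata)) + rdata


def accept_response(query, response):
    """Return the answer values if the reply belongs to `query`, else None."""
    parsed = parse_response(response)
    qname, offset = read_name(query, 12)
    qtype = struct.unpack_from(">H", query, offset)[0]
    if not parsed["is_response"] or parsed["id"] != struct.unpack_from(">H", query, 0)[0]:
        return None
    if parsed["questions"] != [(qname, qtype)]:
        return None
    return [a["value"] for a in parsed["answers"] if a["type"] == qtype and a["name"] == qname]


# Constructed answer data for the example (documentation-range addresses).
SAMPLE_RDATA = {1: ipaddress.IPv4Address("192.0.2.1").packed,
                28: ipaddress.IPv6Address("2001:db8::1").packed}

if __name__ == "__main__":
    q = build_query("www.example.com", "A", 0x1234)
    print(accept_response(q, build_response(q, SAMPLE_RDATA)))
```

A 16-bit transaction ID is a thin check on its own; a relay that also randomises its source port and keeps the cache timeout from 65.2 item 8 short limits how long a wrong answer, whether from misconfiguration or from an off-path guess, would stay in the dynamic cache.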
Chapter 66 Monitor and Debug

When users configure the switch, they need to verify whether the configuration is correct and the switch is operating as expected, and in case of network failure they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the causes of problems.
66.

and IPv6 header. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and packet sent time) whose HOPLIMIT is set to 1. When the first router on the path receives this datagram, it decrements the HOPLIMIT by 1, so the HOPLIMIT is now 0. The router therefore discards the datagram and returns an "ICMPv6 time exceeded" message (including the source address of the IPv6 packet, all content in the IPv6 packet and the IPv6 address of the router).
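The hop-limit mechanism just described is easiest to see as an exchange. The added example below (not code from the manual or from PLANET) simulates Traceroute6 over a constructed path of three routers: each probe carries a HOPLIMIT one higher than the last, each router decrements it, and whichever router brings it to zero answers with "ICMPv6 time exceeded". The router and destination addresses are documentation-range values, and the destination's answer is labelled generically as a reply because the manual does not say which ICMPv6 message ends the trace.

```python
# Constructed path: the IPv6 addresses of the routers between the switch and the destination.
SAMPLE_PATH = ["2001:db8::1", "2001:db8::2", "2001:db8::3"]
SAMPLE_DESTINATION = "2001:db8::99"


def forward(hop_limit, path, destination):
    """One probe's journey: every router decrements HOPLIMIT; 0 means discard and report."""
    remaining = hop_limit
    for router in path:
        remaining -= 1
        if remaining == 0:
            return router, "ICMPv6 time exceeded"
    return destination, "reply from destination"


def traceroute6(path, destination, max_hops=30):
    """Probe with HOPLIMIT 1, 2, 3, ... until the destination itself answers.
    Returns a list of (hop_limit, responding_address, message)."""
    results = []
    for hop_limit in range(1, max_hops + 1):
        responder, message = forward(hop_limit, path, destination)
        results.append((hop_limit, responder, message))
        if responder == destination:
            break
    return results


def path_from_trace(results):
    """The router addresses in the order the time-exceeded replies named them."""
    return [addr for _, addr, msg in results if msg == "ICMPv6 time exceeded"]


if __name__ == "__main__":
    for hop, addr, msg in traceroute6(SAMPLE_PATH, SAMPLE_DESTINATION):
        print("%2d  %-14s %s" % (hop, addr, msg))
```

Because each reply comes from whichever router happened to zero the hop limit, a router that rate-limits or suppresses ICMPv6 errors shows up as a missing hop rather than as a wrong one, which is the usual explanation for gaps in a trace on an otherwise healthy path.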
   show startup-config                            Display the switch parameter configuration written in the Flash memory at the current operating state, which is normally the configuration file applied the next time the switch starts up.
   show switchport interface [ethernet ]          Display the VLAN port mode and the VLAN numbers the port belongs to, as well as the Trunk port information.
   show tcp                                       Display the TCP connection status currently established on the switch.
   show tcp ipv6

The log information is classified into four levels of severity, by which the information is filtered. According to the severity level, the log information can be automatically output to the corresponding log channel.
66.7.1.

threshold is set to debugging, all information will be output, and if it is set to critical, only critical, alerts and emergencies will be output. The following table summarizes the log information severity levels with a brief description. Note: these severity levels are in accordance with standard UNIX/LINUX syslog.

4. Display the log source
5. Display executed-commands state

1. Display and clear log buffer zone
   Admin Mode
   show logging buffered [ level {critical | warnings} | range ]      Show detailed log information in the log buffer channel.
   clear logging sdram                                                Clear log buffer zone information.
2.

5. Display executed-commands state
   Admin Mode
   show logging executed-commands state       Show the state of logging executed-commands.

66.7.3 System Log Configuration Example

Example 1: When managing VLAN the IPv4 address of the switch is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5.
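The severity threshold described in 66.7.1 is the same filter a log server applies when it receives the switch's messages. The added example below (not code from the manual or from PLANET) parses the standard syslog <PRI> prefix into facility and severity, using the UNIX/LINUX severity order the manual refers to, and keeps only messages at or above a threshold such as critical or warnings. The sample lines are constructed; they are not real SGS-6341 output, and the switch's management address 100.100.100.1 from Example 1 appears in them only as text.

```python
import re

# Severity 0..7 in standard syslog order; "critical" keeps 0, 1 and 2.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(line):
    """Split the RFC 3164 <PRI> prefix: PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": pri >> 3, "severity": pri & 7,
            "severity_name": SEVERITY[pri & 7], "msg": m.group(2)}


def filter_by_threshold(lines, threshold):
    """Keep messages whose severity is at least as urgent as `threshold`."""
    limit = SEVERITY.index(threshold)
    return [rec for rec in (parse_syslog(l) for l in lines) if rec["severity"] <= limit]


def count_by_severity(lines):
    counts = {name: 0 for name in SEVERITY}
    for line in lines:
        counts[parse_syslog(line)["severity_name"]] += 1
    return counts


# Constructed sample lines (facility 23 = local7, so PRI = 184 + severity).
SAMPLE_LINES = [
    "<186>switch 100.100.100.1: power supply 1 failed",                      # critical
    "<188>switch 100.100.100.1: port 1/0/2 link down",                       # warnings
    "<190>switch 100.100.100.1: user admin logged in from 100.100.100.5",    # informational
    "<191>switch 100.100.100.1: sflow counter sample exported",              # debugging
    "<185>switch 100.100.100.1: temperature above alert threshold",          # alerts
]

if __name__ == "__main__":
    for rec in filter_by_threshold(SAMPLE_LINES, "warnings"):
        print(rec["severity_name"], rec["msg"])
```

Setting the threshold at critical on the switch side reduces the volume sent to the server, but it also drops the warnings and informational lines (link changes, logins) that an incident review usually needs; a common compromise is a permissive threshold toward the remote server at 100.100.100.5 and a stricter one for the local buffer shown by show logging buffered.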
Chapter 67 Reload Switch after Specified Time

67.1 Introduction to Reload Switch after Specified Time

Reload switch after specified time means rebooting the switch, without shutting off its power, after a specified period of time, usually when updating the switch version. The switch can then be rebooted after a period of time instead of immediately after its version has been updated successfully.

67.2 Reload Switch after Specified Time Task List
1.

Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU

68.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU

The following commands are used to debug and diagnose the packets received and sent by the CPU, and are meant to be used with the help of technical support.

68.2 Debugging and Diagnosis for Packets Received and Sent by CPU Task List
   Global Mode
   cpu-rx-ratelimit protocol           Set the max.

Chapter 69 Dying Gasp Configuration

69.1 Introduction to Dying Gasp

Dying gasp is a power failure alarm function: when the power fails, the switch can still send information through its Ethernet ports to notify other switches that it has lost power. Dying gasp is enabled by default, but it only runs normally together with the SNMP management function, so a layer 3 interface should be configured on the switch and connected to the SNMP management server.
Chapter 70 PoE Configuration

70.1 Introduction to PoE

PoE (Power over Ethernet) is a technology that supplies direct current to IP-based terminals (such as IP phones, wireless LAN APs and network cameras) over the same cable that carries their data. Such DC-receiving devices are called PDs (Powered Devices). The max. distance of reliable power supply provided by PoE is 100 meters. IEEE 802.

   power inline max                     Globally set the max. output power of PoE.
   no power inline max
3. Globally set the power management mode
   Global Mode
   power inline police enable           Enable/disable the power priority management policy mode.
   no power inline police enable
4.

8. Set the power priority on specified ports
   Port Mode
   power inline priority {critical | high | low}      Set the power priority on specified ports.

70.3 Typical Application of PoE

Requirements of Network Deployment
Set the max. output power of the SGS-6341-24P4S to 370W, assuming that the default max. power can satisfy the requirements. Ethernet interface 1/0/2 is connected to an IP phone. Ethernet interface 1/0/4 is connected to a wireless AP.

Switch(Config)# power inline enable
Globally set the max. power to 370W:
Switch(Config)# power inline max. 370
Globally enable the priority policy of power management:
Switch(Config)# power inline police enable
Set the priority of Port 1/0/2 to critical:
Switch(Config-Ethernet1/0/2)# power inline priority critical
Set the max. output power of Port 1/0/6 to 9000mW:
Switch(Config-Ethernet1/0/6)#power inline max. 9000
70.
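The three settings in 70.3 (a global budget, a per-port cap and a per-port priority) only interact once the attached devices ask for more than the budget can supply. The added example below is an illustrative model of priority-based power budgeting, not the SGS-6341's own allocation algorithm, which the manual does not describe: ports are served in priority order, critical before high before low, each limited to its per-port maximum, and a port that no longer fits is denied power rather than displacing one already served. The port requests, the 30000 mW default per-port cap and the camera on port 1/0/6 are assumptions; the manual gives only the 370 W budget, the critical priority of port 1/0/2 and the 9000 mW cap on port 1/0/6.

```python
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


def allocate_poe(ports, global_max_mw):
    """Grant power in priority order until the global budget is exhausted.

    ports: list of {"name", "priority", "max_mw", "request_mw"}, in port-number order.
    Each port gets min(request, per-port max) if that still fits in the remaining
    budget, otherwise 0. Within one priority level the listed order decides.
    Returns (grants_by_port_name, remaining_budget_mw)."""
    budget = global_max_mw
    grants = {}
    order = sorted(range(len(ports)), key=lambda i: (PRIORITY_RANK[ports[i]["priority"]], i))
    for i in order:
        p = ports[i]
        want = min(p["request_mw"], p["max_mw"])
        if want <= budget:
            grants[p["name"]] = want
            budget -= want
        else:
            grants[p["name"]] = 0
    return grants, budget


def denied_ports(grants):
    return sorted(name for name, mw in grants.items() if mw == 0)


# Constructed deployment modelled on 70.3; requests and the 30000 mW default cap are assumed.
SAMPLE_PORTS = [
    {"name": "1/0/2", "priority": "critical", "max_mw": 30000, "request_mw": 6000},   # IP phone
    {"name": "1/0/4", "priority": "high",     "max_mw": 30000, "request_mw": 25000},  # wireless AP
    {"name": "1/0/6", "priority": "low",      "max_mw": 9000,  "request_mw": 12000},  # assumed camera, capped
]

if __name__ == "__main__":
    print(allocate_poe(SAMPLE_PORTS, 370000))   # the 370 W budget from 70.3
    print(allocate_poe(SAMPLE_PORTS, 38000))    # a tight budget: the low-priority port is denied
```

Two things the model makes visible: the per-port cap on 1/0/6 holds the camera's 12000 mW request down to 9000 mW regardless of budget, and under a tight budget it is the low-priority port that goes dark while the critical IP phone keeps its power, which is the point of marking the phone critical in the manual's example.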