L2+ 24-Port 10G SFP+ plus 2-Port 40G QSFP+ Managed Switch XGS-5240-24X2QR
Trademarks
Copyright © PLANET Technology Corp. 2019. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.

Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose.
Configuration Guide of XGS-5240-Series

Contents

CHAPTER 1 INTRODUCTION
1.1 PACKET CONTENTS
1.2 PRODUCT DESCRIPTION
1.3 PRODUCT FEATURES

4.4.2 Introduction to MIB
4.4.3 Introduction to RMON
4.4.4 SNMP Configuration
4.4.5 Typical SNMP Configuration Examples

9.4 PORT TROUBLESHOOTING
CHAPTER 10 PORT ISOLATION FUNCTION CONFIGURATION
10.1 INTRODUCTION TO PORT ISOLATION FUNCTION
10.2 TASK SEQUENCE OF PORT ISOLATION

CHAPTER 15 MTU CONFIGURATION
15.1 INTRODUCTION TO MTU
15.2 MTU CONFIGURATION TASK SEQUENCE
CHAPTER 16 BPDU-TUNNEL-PROTOCOL CONFIGURATION

20.4 PORT SECURITY TROUBLESHOOTING
CHAPTER 21 QSFP+ PORT SPLIT AND COMBINATION CONFIGURATION
21.1 INTRODUCTION TO QSFP+ PORT SPLIT AND COMBINATION CONFIGURATION
21.2 QSFP+ PORT CONFIGURATION
21.

22.7.1 Introduction to Super VLAN
22.7.2 Super VLAN Configuration
22.7.3 Typical Application of Super VLAN
22.7.4 Super VLAN Troubleshooting

26.3 PBR EXAMPLES
CHAPTER 27 IPV6 PBR CONFIGURATION
27.1 INTRODUCTION TO PBR (POLICY-BASED ROUTER)
27.2 PBR CONFIGURATION TASK SEQUENCE

31.2.3 IPv6 Troubleshooting
31.3 ARP
31.3.1 Introduction to ARP
31.3.

37.1 INTRODUCTION TO DHCPV6
37.2 DHCPV6 SERVER CONFIGURATION
37.3 DHCPV6 RELAY DELEGATION CONFIGURATION
37.4 DHCPV6 PREFIX DELEGATION SERVER CONFIGURATION

41.4 DHCP OPTION 60 AND OPTION 43 TROUBLESHOOTING
CHAPTER 42 IPV4 MULTICAST PROTOCOL
42.1 IPV4 MULTICAST PROTOCOL OVERVIEW
42.1.1 Introduction to Multicast

CHAPTER 45 ACL CONFIGURATION
45.1 INTRODUCTION TO ACL
45.1.1 Access-list
45.1.2 Access-group

48.3 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT, VLAN TYPICAL EXAMPLES
48.4 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT, VLAN TROUBLESHOOTING HELP
CHAPTER 49 OPERATIONAL CONFIGURATION OF AM FUNCTION
49.1 INTRODUCTION TO AM FUNCTION
49.2 AM FUNCTION CONFIGURATION TASK LIST

53.2 SSL CONFIGURATION TASK LIST
53.3 SSL TYPICAL EXAMPLE
53.4 SSL TROUBLESHOOTING

CHAPTER 59 CAPTIVE PORTAL AUTHENTICATION
59.1 CAPTIVE PORTAL AUTHENTICATION CONFIGURATION
59.1.1 Introduction to Captive Portal Authentication
59.1.2 Captive Portal Authentication Configuration

CHAPTER 60 VRRP CONFIGURATION
60.1 INTRODUCTION TO VRRP
60.2 VRRP CONFIGURATION TASK LIST
60.3 VRRP TYPICAL EXAMPLES

CHAPTER 65 MIRROR CONFIGURATION
65.1 INTRODUCTION TO MIRROR
65.2 MIRROR CONFIGURATION TASK LIST
65.3 MIRROR EXAMPLES

71.2 PING6
71.3 TRACEROUTE
71.4 TRACEROUTE6
71.

75.4 STORE-AND-FORWARD
75.5 AUTO-NEGOTIATION
CHAPTER 76 TROUBLESHOOTING
CHAPTER 77 APPENDIX A

Chapter 1 INTRODUCTION
Thank you for purchasing PLANET Industrial L3 Managed Gigabit/10 Gigabit Ethernet Switch. The description of this model is shown below:
XGS-5240-24X2QR: L2+ 24-Port 10G SFP+ plus 2-Port 40G QSFP+ Managed Switch with 36-72V DC Redundant Power

1.1 Packet Contents
Open the box of the Managed Switch and carefully unpack it.

1.2 Product Description
Powerful 40Gbps Solution for Networks
PLANET XGS-5240-24X2QR is a high performance Layer 2+ Managed Switch that meets the next generation Metro, Data Center, Campus and Enterprise network requirements. It has high-density 24 10G SFP+ and 2 40G QSFP fiber interfaces delivered in a 1RU rugged case.

Robust Layer 2 Features
The XGS-5240-24X2QR can be programmed for advanced switch management functions such as dynamic port link aggregation, Q-in-Q VLAN, private VLAN, Multiple Spanning Tree Protocol (MSTP), Layer 2/4 QoS, bandwidth control and IGMP/MLD snooping. The XGS-5240-24X2QR provides 802.1Q tagged VLAN. Via aggregation of supporting ports, the XGS-5240-24X2QR allows the operation of a high-speed trunk combining multiple ports.

Enhanced Security
The XGS-5240-24X2QR offers comprehensive Layer 2 to Layer 4 Access Control List (ACL) for enforcing security to the edge. It can be used to restrict network access by denying packets based on source and destination IP address, TCP/UDP ports or defined typical network applications. Its protection mechanism also comprises 802.1x Port-based and MAC-based customer and device authentication.

Layer 2 Features
Prevents packet loss flow control
- IEEE 802.3x pause frame flow control in full-duplex mode
- Back-pressure flow control in half-duplex mode
High performance Store-and-Forward architecture, broadcast storm control and port loopback detection
32K MAC address table, automatic source address learning and aging
Supports VLAN
- IEEE 802.1Q tag-based VLAN
- Up to 4K VLAN IDs
- Provider Bridging (VLAN Q-in-Q, IEEE 802.
IPv4/IPv6 DHCP Client, IPv4/IPv6 DHCP Relay Option 82 IPv4/IPv6 DHCP Snooping, IPv4/IPv6 DHCP Server
Security
IEEE 802.
1.
Port Configuration: Port disable/enable; 1 & 10Gbps full duplex mode selection; Flow control disable/enable; Bandwidth control on each port; Port loopback detection
VLAN: Port-based VLAN; IEEE 802.1Q; Private VLAN; Protocol VLAN; Voice VLAN; MAC VLAN; VLAN Translation
Bandwidth Control: TX/RX/Both
Link Aggregation: IEEE 802.
Management functions
System Configuration: Console, Telnet, Web browser, SNMP v1, v2c
Secure Management Interfaces: SSH, SSL, SNMPv3
Management:
- Supports both IPv4 and IPv6 addressing
- Supports the user IP security inspection for IPv4/IPv6 SNMP
- Supports MIB and TRAP
- Supports IPv4/IPv6 FTP/TFTP
- Supports IPv4/IPv6 NTP
- Supports RMON 1, 2, 3, 9 four groups
- Supports the RADIUS authentication for IPv4/IPv6 Telnet user name and password
- Supports IPv4/IPv6 SSH
- The right confi
IEEE 802.3ad port trunk with LACP
IEEE 802.1D Spanning Tree Protocol
IEEE 802.1w Rapid Spanning Tree Protocol
IEEE 802.1s Multiple Spanning Tree Protocol
IEEE 802.1p Class of Service
IEEE 802.1Q VLAN tagging
IEEE 802.1X port authentication network control
IEEE 802.

Chapter 2 INSTALLATION
This section describes the hardware features and installation of the Managed Switch on the desktop or rack mount. For easier management and control of the Managed Switch, familiarize yourself with its display indicators and ports. Front panel illustrations in this chapter display the unit LED indicators. Before connecting any network device to the Managed Switch, please read this chapter completely.

2.1 Hardware Description
2.1.
■ Alarm Port
The alarm port is an RJ45 type, an interface for monitoring the external devices (such as alarm) when monitoring external devices has failed.
■ MGMT Port
The MGMT port is an RJ45 type, an independent interface for Telnet or SSH.

2.1.2 LED Indications
The front panel LEDs indicate instant status of port links, data activity, system operation, stack status and system power, and help monitor and troubleshoot when needed.
Plug the female end of the power cord firmly into the receptacle on the rear panel of the Managed Switch. Plug the other end of the power cord into an electrical outlet and then the power will be ready.

2.2 Switch Installation
This section describes how to install your Managed Switch and make connections to the Managed Switch. Please read the following topics and perform the procedures in the order being presented.
Step 4: Connect the Managed Switch to network devices. Connect one end of a standard network cable to the 10/100/1000 RJ45 ports on the front of the Managed Switch and connect the other end of the cable to the network devices such as printer servers, workstations or routers, etc. Connection to the Managed Switch requires UTP Category 5 network cabling with RJ45 tips. For more information, please see the Cabling Specification in Appendix A.
Step 3: Secure the brackets tightly.
Step 4: Follow the same steps to attach the second bracket to the opposite side.
Step 5: After the brackets are attached to the Managed Switch, use suitable screws to securely attach the brackets to the rack, as shown in Figure 2-2-3.
Figure 2-2-3 Mounting SGS-6341 Series in a Rack
Step 6: Proceed with Steps 4 and 5 of Section 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch.

2.2.
Figure 2-16 Plug in the SFP transceiver

Approved PLANET SFP/SFP+ Transceivers
PLANET Managed Switch supports both single mode and multi-mode SFP/SFP+ transceivers. The following list of approved PLANET SFP/SFP+ transceivers is correct at the time of publication:

Gigabit Ethernet Transceiver (1000BASE-X SFP)
Model | Speed (Mbps) | Connector Interface | Fiber Mode | Distance | Wavelength (nm) | Operating Temp.
MGB-LA10 | 1000 | WDM(LC) | Single Mode
MGB-LB10 | 1000 | WDM(LC) | Single Mode
MGB-LA20 | 1000 | WDM(LC) | Single Mode
MGB-LB20 | 1000 | WDM(LC) | Single Mode
MGB-LA40 | 1000 | WDM(LC) | Single Mode
MGB-LB40 | 1000 | WDM(LC) | Single Mode
MGB-LA60 | 1000 | WDM(LC) | Single Mode
MGB-LB60 | 1000 | WDM(LC) | Single Mode
MGB-TLA10 | 1000 | WDM(LC) | Single Mode
MGB-TLB10 | 1000 | WDM(LC) | Single Mode
MGB-TLA20 | 1000 | WDM(LC) | Single Mode
MGB-TLB20 | 1000 | WDM(LC) | Single Mode
MGB-TLA40 | 1000

10Gbps SFP+ (10G Ethernet/10GBASE)
Model | Speed (Mbps) | Connector Interface | Fiber Mode | Distance | Wavelength (nm) | Operating Temp.
MTB-SR | 10G | LC | Multi Mode | Up to 300m | 850nm | 0 ~ 60 degrees C
MTB-LR | 10G | LC | Single Mode | 10km | 1310nm | 0 ~ 60 degrees C

10Gbps SFP+ (10GBASE-BX, Single Fiber Bi-directional SFP)
Model | Speed (Mbps) | Connector Interface | Fiber Mode | Distance | Wavelength (TX) | Wavelength (RX) | Operating Temp.

Remove the Transceiver Module
1. Make sure there is no network activity anymore.
2. Remove the Fiber-Optic Cable gently.
3. Lift up the lever of the MGB module and turn it to a horizontal position.
4. Pull out the module gently through the lever.
Figure 2-17: How to Pull Out the SFP/SFP+ Transceiver
Never pull out the module without lifting up the lever of the module and turning it to a horizontal position.

Chapter 3 Switch Management

3.1 Management Options
After purchasing the switch, the user needs to configure the switch for network management. The switch provides two management options: in-band management and out-of-band management.

3.1.1 Out-Of-Band Management
Out-of-band management is the management through the Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
Console port.
Switch: Functional Console port required.

Step 2: Entering the HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP.
1) Click Start menu - All Programs - Accessories - Communication - HyperTerminal.
Fig 1-2 Opening Hyper Terminal
2) Type a name for opening HyperTerminal, such as “Switch”.
Fig 1-4 Opening HyperTerminal
4) COM1 property appears, select “9600” for “Baud rate”, “8” for “Data bits”, “none” for “Parity checksum”, “1” for stop bit and “none” for traffic control; or, you can also click “Restore default” and click “OK”.
Fig 1-6 Opening HyperTerminal

Step 3: Entering switch CLI interface
Power on the switch. The following appears in the HyperTerminal window; this is the CLI configuration mode for the switch.
Switch>
The user can now enter commands to manage the switch. For a detailed description of the commands, please refer to the following chapters.

3.1.
devices, such as a router.
The switch is a Layer 3 switch that can be configured with several IPv4/IPv6 addresses; for the configuration method, refer to the relevant chapter. The following example assumes the shipment status of the switch where only VLAN1 exists in the system.
Switch(config)# telnet-server enable

Step 2: Run Telnet Client program.
Run Telnet client program included in Windows with the specified Telnet target.
Fig 1-8 Run telnet client program included in Windows

Step 3: Login to the switch.
Login to the Telnet configuration interface. Valid login name and password are required, otherwise the switch will reject Telnet access. This is a method to protect the switch from unauthorized access.
Fig 1-9 Telnet Configuration Interface

1.1.1.2 Management via HTTP
To manage the switch via HTTP, the following conditions should be met:
1) Switch has an IPv4/IPv6 address configured;
2) The host IPv4/IPv6 address (HTTP client) and the switch’s VLAN interface IPv4/IPv6 address are in the same network segment;
3) If 2) is not met, HTTP client should connect to an IPv4/IPv6 address of the switch via other devices, such as a router.
Switch(config)#ip http server

Step 2: Run HTTP protocol on the host.
Open the Web browser on the host and type the IP address of the switch, or run the HTTP protocol directly on Windows. For example, the IP address of the switch is “10.1.128.251”;
Fig 1-10 Run HTTP Protocol
When accessing a switch with an IPv6 address, it is recommended to use the Firefox browser, version 1.5 or later. For example, if the IPv6 address of the switch is 3ffe:506:1:2::3.
Fig 1-11 Web Login Interface
Input the right username and password, and then the main Web configuration interface is shown as below.
Fig 1-12 Main Web Configuration Interface
Notice: When configuring the switch, the name of the switch is composed of English letters.

1.1.1.
2) The IP address of the client host and that of the VLAN interface on the switch it subordinates to should be in the same segment;
3) If 2) is not met, the client should be able to reach an IP address of the switch through devices like routers;
4) SNMP should be enabled.
Fig 1-13 Shell Configuration Modes

1.1.1.4 User Mode
On entering the CLI interface, the user first enters the user entry system. A common user is placed in User Mode by default. The prompt shown is “Switch>”; the symbol “>” is the prompt for User Mode. When the exit command is run under Admin Mode, it will also return to User Mode. Under User Mode, no configuration of the switch is allowed; only clock time and version information of the switch can be queried.

1.1.1.
mode to prevent unauthorized access and malicious modification to the switch.

1.1.1.6 Global Mode
Typing the config command under Admin Mode enters the Global Mode prompt “Switch(config)#”. Using the exit command under other configuration modes, such as Port Mode or VLAN Mode, returns to Global Mode. The user can perform global configuration settings under Global Mode, such as MAC Table, Port Mirroring, VLAN creation, IGMP Snooping start and STP, etc.
under DHCP Address Pool Mode. Run the exit command to exit the DHCP Address Pool Mode to Global Mode.

Route Mode
Routing Protocol | Entry | Operates | Exit
RIP Routing Protocol | Type router rip command under Global Mode. | Configure RIP protocol parameters. | Use the exit command to return to Global Mode.
OSPF Routing Protocol | Type router ospf command under Global Mode. | Configure OSPF protocol parameters. | Use the exit command to return to Global Mode.
as [], {enum1 | enum2}, [option1 [option2]], etc. Here are examples for some actual configuration commands:
- show version, no parameters required. This is a command with only a keyword and no parameter, just type in the command to run.
- vlan , parameter values are required after the keyword.
- firewall {enable | disable}, user can enter firewall enable or firewall disable for this command.

3.2.4 Help Function
There are two ways in the switch for the user to access help information: the “help” command and the “?”.
Access to Help | Usage and function
Help | Under any command line prompt, typing “help” and pressing Enter gives a brief description of the associated help system.
“?” | 1. Under any command line prompt, enter “?” to get a command list of the current mode and related brief description.
"*" at first! | command has not been configured.
syntax error : missing '"' before the end of command line! | Quotation marks are not used in pairs.

3.2.6 Fuzzy Match Support
The switch shell supports fuzzy match in searching command and keyword. The shell will recognize commands or keywords correctly if the entered string causes no conflict. For example:
1) For command “show interfaces status ethernet1/0/1”, typing “sh in status ethernet1/0/1” will work.

Chapter 4 Basic Switch Configuration

4.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
Global Mode
banner motd / no banner motd | Configure the information displayed when the login authentication of a telnet or console user is successful.
web-auth privilege <1-15> / no web-auth privilege | Configure the level of logging in the switch by web.

4.2 Telnet Management
4.2.1 Telnet
1.1.1.9 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login.
Telnet function.
username [privilege ] [password [0 | 7] ] / no username | the telnet. The no form command deletes the telnet user authorization.
aaa authorization config-commands | Enable command authorization function for the login user with VTY (login with Telnet and SSH). The no command disables this function.
{local | radius | tacacs} (none|) / no authorization line vty command <1-15> | manner and authorization selection priority of login user with VTY (login with Telnet and SSH). The no command recovers to be default manner.
accounting line {console | vty} command <1-15> {start-stop | stop-only | none} method1 [method2…] | Configure the accounting method list.
above software to manage the switch remotely. The switch presently supports RSA authentication, 3DES cryptography protocol and SSH user password authentication etc.

1.1.1.12 SSH Server Configuration Task List
Command | Explanation
Global Mode
ssh-server enable / no ssh-server enable | Enable SSH function on the switch; the no command disables SSH function.
client can log on the switch by using the username and password to configure the switch.
Switch(config)#ssh-server enable
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 100.100.100.200 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#username test privilege 15 password 0 test
In IPv6 networks, the terminal should run SSH client software which supports IPv6, such as putty6.
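
An added example (not from the PLANET guide or its vendor): a small Python audit that reads a pasted CLI transcript or saved configuration and reports the management settings left in effect that the guide's feature table lists outside its "Secure Management Interfaces" (Telnet, HTTP), plus local users entered with password type 0. Assumptions: type 0 means plain text and type 7 means encrypted, `no ip http server` is the no form of `ip http server`, the sample transcripts and the user name netadmin are constructed, and only commands present in the input are judged, so services that are on by factory default are not detected.

```python
import re

# Strips a pasted CLI prompt such as "Switch(config)#" or "Switch>".
PROMPT = re.compile(r"^[\w.-]+(?:\([^)]*\))?[#>]\s*")

# Service toggles, spelled as in this guide's examples.
TOGGLES = {
    "telnet-server enable": "telnet",
    "ip http server": "http",
    "ssh-server enable": "ssh",
}

# username <name> [privilege <level>] password {0|7} <string>
# Assumption: type 0 = typed in plain text, type 7 = already encrypted.
USER = re.compile(r"^username (\S+)(?: privilege (\d+))? password ([07]) (\S+)$")

# Constructed samples (not captured from a device).
SAMPLE_BEFORE = """\
Switch(config)#telnet-server enable
Switch(config)#ip http server
Switch(config)#username test privilege 15 password 0 test
"""

SAMPLE_AFTER = """\
Switch(config)#ssh-server enable
Switch(config)#no telnet-server enable
Switch(config)#no ip http server
Switch(config)#no username test
Switch(config)#username netadmin privilege 15 password 7 EXAMPLE-ENCRYPTED-VALUE
"""


def normalize(raw):
    """Drop the prompt and collapse whitespace so transcripts and configs parse alike."""
    return re.sub(r"\s+", " ", PROMPT.sub("", raw.strip()))


def audit(text):
    """Return sorted (line, rule, severity, detail) findings for the final state."""
    services = {}  # service -> (enabled, line of last change)
    users = {}     # username -> (privilege, password type, password, line)
    for n, raw in enumerate(text.splitlines(), 1):
        line = normalize(raw)
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd in TOGGLES:
            services[TOGGLES[cmd]] = (not negated, n)  # the last command wins
        elif negated and cmd.startswith("username "):
            users.pop(cmd.split()[1], None)            # "no username <name>"
        else:
            m = USER.match(line)
            if m:
                users[m.group(1)] = (m.group(2), m.group(3), m.group(4), n)

    findings = []
    telnet_on, telnet_line = services.get("telnet", (False, 0))
    http_on, http_line = services.get("http", (False, 0))
    ssh_on, _ = services.get("ssh", (False, 0))
    if telnet_on:
        findings.append((telnet_line, "TELNET-ENABLED", "high",
                         "CLI logins cross the network unencrypted"))
    if http_on:
        findings.append((http_line, "HTTP-ENABLED", "medium",
                         "web logins cross the network unencrypted"))
    if not ssh_on:
        findings.append((0, "NO-SSH", "medium",
                         "no 'ssh-server enable' in effect in this input"))
    for name, (priv, ptype, password, n) in users.items():
        if ptype != "0":
            continue
        severity = "high" if priv == "15" else "medium"
        findings.append((n, "PLAINTEXT-PASSWORD", severity,
                         f"user {name!r} entered with password type 0"))
        if password == name:
            findings.append((n, "PASSWORD-EQUALS-USERNAME", "high",
                             f"user {name!r} uses the user name as password"))
    return sorted(findings)


def rule_ids(text):
    """Rule names only, in report order."""
    return [finding[1] for finding in audit(text)]


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for line_no, rule, severity, detail in audit(sample):
            print(f"  line {line_no}: [{severity}] {rule}: {detail}")
```

Line 0 in a finding means the setting is absent from the input rather than tied to a specific command.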
no interface vlan | no command deletes the VLAN interface.
interface ethernet | Enter the network management port configuration mode.

2. Manual configuration
Command | Explanation
VLAN Interface Mode
ip address [secondary] / no ip address [se | Configure IP address of VLAN interface; the no command deletes IP address of VLAN interface.
protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of SNMP, which was adopted by vast numbers of manufacturers for its simplicity and easy implementation; SNMP v2c is an enhanced version of SNMP v1, which supports layered network management; SNMP v3 strengthens the security by adding USM (User-based Security Model) and VACM (View-based Access Control Model).
access permission in the same group. Users can’t conduct the operation which is not authorized.

4.4.2 Introduction to MIB
The network management information accessed by NMS is well defined and organized in a Management Information Base (MIB). MIB is pre-defined information which can be accessed by network management protocols. It is in layered and structured form. The pre-defined management information can be obtained from monitored network devices. ISO ASN.
of SNMP Agent. The switch can operate as an SNMP Agent, and supports both SNMP v1/v2c and SNMP v3. The switch supports basic MIB-II, RMON public MIB and other public MIB such as BRIDGE MIB. Besides, the switch supports self-defined private MIB.

4.4.3 Introduction to RMON
RMON is the most important expansion of the standard SNMP.
1. Enable or disable SNMP Agent server function
Command | Explanation
Global Mode
snmp-server enabled / no snmp-server enabled | Enable the SNMP Agent function on the switch; the no command disables the SNMP Agent function on the switch.

2.
snmp-server user [{authPriv | authNoPriv} auth {md5 | sha} ] [access {|}] [ipv6-access {|}] / no snmp-server user [access {|}] [ipv6-access {|}] | is used to configure USM for SNMP v3.

6.
{noauthnopriv | authnopriv | authpriv}}} / no snmp-server host { | } {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpri | v1/v2, this command also configures Trap community and security level. The “no” form of this command cancels this IPv4 or IPv6 address.
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps

Scenario 3: NMS uses SNMP v3 to obtain information from the switch.
physical connection failure and wrong configuration, etc. Users can troubleshoot the problems by following the guide below:
- Good condition of the physical connection.
- Interface and datalink layer protocol is Up (use the “show interface” command), and the connection between the switch and host can be verified by ping (use “ping” command).
Shell mode. These two update methods are explained in detail in the following two sections.

4.5.2 BootROM Upgrade
There is one method for BootROM upgrade: TFTP, which can be configured at BootROM command.
Fig 2-2 Typical topology for switch upgrade in BootROM mode
The upgrade procedures are listed below:
Step 1: As shown in the figure, a PC is used as the console for the switch.
Step 4: Enable TFTP server in the PC.
Run the TFTP server program. Before starting to download the upgrade file to the switch, verify the connectivity between the server and the switch by ping from the switch. If ping succeeds, run the “load” command in the BootROM mode from the switch; if it fails, perform troubleshooting to find out the cause. The following example updates the file boot.rom. (This device only supports the upgrading of the boot file under the BootROM mode.)
[Boot]: load boot.
-rw-r--r--11577853 Thu Jan 01 00:04:56 1970 a.img
-rw-r--r-- 4 Thu Jan 01 03:15:07 1970 board_web_language
-rw-r--r--11577853 Thu Jan 01 13:58:15 1970 nos.img
4 file(s), 0 dir(s)
Total size:31457280 bytes , files used size:23158571 bytes, free size:8298709 bytes
[Boot]:

2. boot command
Used to set the IMAGE file to run upon system start-up, and the configuration file to run upon configuration recovery.
[Boot]: boot img nos.
connection through the management connection. There are two types of data connections: active connection and passive connection. In active connection, the client transmits its address and port number for data transmission to the server; the management connection is maintained until data transfer is complete.
ROM only. Switch mandates the path and the name of two boot files to be flash:/boot.rom and flash:/config.rom.
Configuration file: including start up configuration file and running configuration file. The distinction between start up configuration file and running configuration file can facilitate the backup and update of the configurations.
Start up configuration file: refers to the configuration sequence used in switch startup.
3. TFTP server configuration
(1) Start TFTP server
(2) Configure TFTP server connection idle time
(3) Configure retransmission times before timeout for packets without acknowledgement
(4) Shut down TFTP server

1. FTP/TFTP client configuration
(1) FTP/TFTP client upload/download file
Command | Explanation
Admin Mode
copy [ascii | binary] | FTP/TFTP client upload/download file.
(2) For FTP client, server file list can be checked.
(1) Start TFTP server
Mode: Global Mode
Command: tftp-server enable
         no tftp-server enable
Explanation: Start TFTP server; the no command shuts down TFTP server and prevents TFTP users from logging in.

(2) Modify TFTP server connection idle time
Mode: Global Mode
Command: tftp-server retransmission-timeout
Explanation: Set maximum retransmission time within timeout interval.
FTP Configuration
Computer side configuration: Start the FTP server software on the computer and set the username “Switch” and the password “superuser”. Place the “12_30_nos.img” file in the appropriate FTP server directory on the computer.
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.
Computer side configuration: Log in to the switch with any FTP client software, with the username “Switch” and password “superuser”, and use the command “get nos.img 12_25_nos.img” to download the “nos.img” file from the switch to the computer.
Scenario 3: The switch is used as TFTP server. The switch operates as the TFTP server and connects from one of its ports to a computer, which is a TFTP client. Transfer the “nos.img” file in the switch to the computer.
recv total = 480
nos.img
nos.rom
parsecommandline.cpp
position.doc
qmdict.zip
…(some display omitted here)
show.txt
snmp.TXT
226 Transfer complete.

1.1.1.18 FTP/TFTP Troubleshooting
1.1.1.18.1 FTP Troubleshooting
When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the FTP client and server before running the FTP program.
************************
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
226 Transfer complete.

If the switch is upgrading the system file or system start up file through FTP, the switch must not be restarted until “close ftp client” or “226 Transfer complete.” is displayed, indicating the upgrade is successful; otherwise the switch may be rendered unable to start.
Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Files in Flash can be copied, deleted, or renamed under Shell or Bootrom mode.
5.2 File System Operation Configuration Task list
1.
Command: rmdir
Explanation: Delete a sub-directory in a designated directory on a certain device.

4. Changing the current working directory of the storage device
Mode: Admin Configuration Mode
Command: cd
Explanation: Change the current working directory of the storage device.

5. The display operation of the current working directory
Mode: Admin Configuration Mode
Command: pwd
Explanation: Display the current working directory.

6.
5.3 Typical Applications
Copy an IMG file flash:/nos.img stored in the FLASH on the board card, to cf:/nos-6.1.11.0.img.
The configuration of the switch is as follows:
Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img.
5.
Chapter 6 Cluster Configuration
6.1 Introduction to cluster network management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch).
2. Create cluster
1) Configure private IP address pool for member switches of the cluster
2) Create or delete cluster
3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
1) Enable or disable automatically adding cluster members
2) Set automatically added members to manually added ones
3) Set or modify the time interval of keep-alive messages on switches in the cluster.
Command: cluster commander []
         no cluster commander
Explanation: Create or delete a cluster.
Command: cluster member {candidate-sn | mac-address [id ]}
         no cluster member {id | mac-address }
Explanation: Add or remove a member switch.
3.
Mode: Admin Mode
Command: rcommand member
Explanation: In the commander switch, this command is used to configure and manage member switches.
Command: rcommand commander
Explanation: In the member switch, this command is used to configure the commander switch.
Command: cluster reset member [id | mac-address ]
Explanation: In the commander switch, this command is used to reset the member switch.
Command: snmp-server enable
Explanation: Enable the SNMP server function in the commander switch and member switch. Notice: the SNMP server function must be enabled in the member switch when the commander switch visits the member switch by SNMP. The commander switch visits the member switch via the configured character string @sw.
6.
6.4 Cluster Administration Troubleshooting
When encountering problems in applying the cluster admin, please check the following possible causes:
Whether the command switch is correctly configured and the auto adding function (cluster auto-add) is enabled.
Whether the ports connecting the command switch and member switch belong to the cluster vlan.
Chapter 7 USB Function Configuration
7.1 Introduction
When a USB device is inserted or pulled out, the switch detects the hot insertion or removal and mounts or unmounts the USB device. When a USB device is inserted, the switch mounts the USB file system. It can read, copy, delete and rename the files on the USB device, and it can also recover the configuration, download files and save files.
Mode: Admin Mode
Command: dir
Explanation: Show the USB letter information.

3. Copy the source file to be the destination file
Mode: Admin Mode
Command: copy source destination
Explanation: Copy the source file to be the destination file.

4. Delete the file content
Mode: Admin Mode
Command: delete filename
Explanation: Delete the file.

5. Rename the file name
Mode: Admin Mode
Command: rename source destination
Explanation: Rename the source file name to be the destination file name.

6.
8. Update the img file under the USB letter to the switch
Mode: Admin Mode
Command: copy usb:/nos.img nos.img
Explanation: Update the img file under the USB letter to the switch. The reverse transmission is supported: copy nos.img usb:/nos.img

9. Create the directory
Mode: Admin Mode
Command: mkdir
Explanation: Create the directory.

10. Delete the existing directory
Mode: Admin Mode
Command: rmdir
Explanation: Delete the existing directory.

7.3 USB Function Examples
Delete source1.
After the USB device is inserted, the file content will not mount to the switch file system; this function does not support recognizing and displaying file content in Chinese. Entering the dir command directly shows the file content under the flash letter by default. To show the file information of the USB device, input cd usb: to enter the usb letter, and then input dir to show the file information.
Chapter 8 Device Management
8.1 Device Management Brief
The device management function of the switch provides information about line card status, line card operation debugging, power supply and fan status. This function enables the maintenance and management of the physical devices, restart of the switch and line cards, and hot swapping of the cards. The switch supports dual-master mode.
Mode: Admin Mode
Command: show power
Explanation: Shows if the power supply is in place and its running status.
Chapter 9 Port Configuration
9.1 Introduction to Port
The switch contains Cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. To configure some network ports, use the interface ethernet command to enter the appropriate Ethernet port configuration mode, where stands for one or more ports.
Mode: Global Mode
Command: interface ethernet
Explanation: Enters the network port configuration mode.

2. Configure the properties for the Ethernet ports
Mode: Port Mode
Command: media-type {copper | copper-preferred-auto | fiber | sfp-preferred-auto}
Explanation: Sets the combo port mode (combo ports only).
Command: shutdown
         no shutdown
Explanation: Enables/Disables specified ports.
Command: description
         no description
Explanation: Specifies or cancels the name of specified ports.
Enables the storm control function for broadcasts, multicasts and unicasts with storm control {unicast | broadcast | unknown destinations (short for broadcast), multicast} {kbps | pps } number; the no format of this command disables the broadcast storm control function.
9.3 Port Configuration Example
Fig 1-1 Port Configuration Example (Switch 1, Switch 2 and Switch 3; ports 1/0/7, 1/0/8, 1/0/9, 1/0/10, 1/0/12)
No VLAN has been configured in the switches; the default VLAN1 is used.
Switch3(Config-If-Ethernet1/0/12)#exit

9.4 Port Troubleshooting
Here are some situations that frequently occur in port configuration and the advised solutions:
Two connected fiber interfaces won’t link up if one interface is set to auto-negotiation but the other to forced speed/duplex. This is determined by IEEE 802.3.
Chapter 10 Port Isolation Function Configuration
10.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function working in an inter-port way, which isolates flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
3. Specify the flow to be isolated
Mode: Global Mode
Command: isolate-port apply []
Explanation: Apply the port isolation configuration to isolate layer-2 flows, layer-3 flows or all flows.

4. Display the configuration of port isolation
Mode: Admin Mode and global Mode
Command: show isolate-port group [ ]
Explanation: Display the configuration of port isolation, including all configured port isolation groups and Ethernet ports in each group.

10.
enabled on switch S1, e1/0/1 and e1/0/10 on switch S1 cannot communicate with each other, while both of them can communicate with the uplink port e1/0/15. That is, the communication between any pair of downlink ports is disabled while that between any downlink port and a specified uplink port is normal. The uplink port can communicate with any port normally.
Chapter 11 Port Loopback Detection Function Configuration
11.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users begin to access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which means urgent demands for both internet and the internal layer 2 interworking.
11.
Command: debug loopback-detection
         no debug loopback-detection
Explanation: Enable the debug information of the function module of port loopback detection. The no operation of this command will disable the debug information.
Command: show loopback-detection [interface ]
Explanation: Display the state and result of the loopback detection of all ports, if no parameter is provided; otherwise, display the state and result of the corresponding ports.
5.
of the whole network.
The configuration task sequence of SWITCH:
Switch(config)#loopback-detection interval-time 35 15
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#loopback-detection special-vlan 1-3
Switch(Config-If-Ethernet1/0/1)#loopback-detection control block
If the block control method is adopted, MSTP should be globally enabled, and the corresponding relation between the spanning tree instance and the VLAN should be configured.
Chapter 12 ULDP Function Configuration
12.1 Introduction to ULDP Function
A unidirectional link is a common link error state in networks, especially in fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter one cannot receive messages from the former one.
Fig 4-2 One End of Each Fiber Not Connected (Switch A, Switch B, Switch C; ports g1/0/1, g1/0/2, g1/0/3)
This kind of problem often appears in the following situations: GBIC (Giga Bitrate Interface Converter) or interfaces have problems, software problems, hardware becomes unavailable or operates abnormally. A unidirectional link will cause a series of problems, such as spanning tree topological loops and broadcast black holes.
2. Enable ULDP function on a port
3. Configure aggressive mode globally
4. Configure aggressive mode on a port
5. Configure the method to shut down unidirectional link
6. Configure the interval of Hello messages
7. Configure the interval of Recovery
8. Reset the port shut down by ULDP
9. Display and debug the relative information of ULDP

1.
6. Configure the interval of Hello messages
Mode: Global configuration mode
Command: uldp hello-interval
         no uldp hello-interval
Explanation: Configure the interval of Hello messages, ranging from 5 to 100 seconds. The value is 10 seconds by default.

7. Configure the interval of Recovery
Mode: Global configuration mode
Command: uldp recovery-time
Explanation: Configure the interval of Recovery reset, ranging from 30 to 86400 seconds.
Command: debug uldp event
         no debug uldp event
Explanation: Enable or disable the debug switch of event information.
Command: debug uldp packet {receive|send}
         no debug uldp packet {receive|send}
Explanation: Enable or disable the type of messages that can be received and sent on all ports.
SwitchA(config)#interface ethernet 1/0/2
SwitchA(Config-If-Ethernet1/0/2)#uldp enable
Switch B configuration sequence:
SwitchB(config)#uldp enable
SwitchB(config)#interface ethernet1/0/3
SwitchB(Config-If-Ethernet1/0/3)#uldp enable
SwitchB(Config-If-Ethernet1/0/3)#exit
SwitchB(config)#interface ethernet 1/0/4
SwitchB(Config-If-Ethernet1/0/4)#uldp enable
As a result, port g1/0/1, g1/0/2 of SWITCH A are all shut down by ULDP, and there is notification information on the
both ends. The interval of sending hello messages can be changed (it is 10 seconds by default and ranges from 5 to 100 seconds) so that ULDP can respond faster to connection errors of links in different network environments. But this interval should be less than 1/3 of the STP convergence time. If the interval is too long, an STP loop will be generated before ULDP discovers and shuts down the unidirectional connection port.
Chapter 13 LLDP Function Operation Configuration
13.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them.
referring to basic events like the adding and removing of relative devices instead of details about where and how these devices operate with the network. Layer 2 discovery covers information like which devices have which ports, which switches connect to other devices and so on; it can also display the routes between clients, switches, routers, application servers and network servers.
Mode: Port Mode
Command: lldp mode (send|receive|both|disable)
Explanation: Configure the operating state of port LLDP.

4. Configure the intervals of LLDP updating messages
Mode: Global Mode
Command: lldp tx-interval
         no lldp tx-interval
Explanation: Configure the intervals of LLDP updating messages as the specified value or default value.

5.
9. Configure the optional information-sending attribute of the port
Mode: Port Configuration Mode
Command: lldp transmit optional tlv [portDesc] [sysName] [sysDesc] [sysCap]
         no lldp transmit optional tlv
Explanation: Configure the optional information-sending attribute of the port as the option value of default values.

10.
Command: debug lldp packets interface ethernet
         no debug lldp packets interface ethernet
Explanation: Enable or disable the DEBUG packet-receiving and sending function in port or global mode.
Mode: Port configuration mode
Command: clear lldp remote-table
Explanation: Clear Remote-table of the port.

13.3 LLDP Function Typical Example
Fig 5-1 LLDP Function Typical Configuration Example
In the network topology graph above, the port 1,3 of SWITCH B are connected to port 2,4 of SWITCH A.
13.4 LLDP Function Troubleshooting
The LLDP function is disabled by default. After enabling the global switch of LLDP, users can enable the debug switch “debug lldp” simultaneously to check debug information. The “show” commands of the LLDP function display the configuration information in global or port configuration mode.
Chapter 14 Port Channel Configuration
14.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. Port Group is a group of physical ports in the configuration level; only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel. Logically, Port Group is not a port but a port sequence.
properties as follows:
All ports are in full-duplex mode.
All ports are of the same speed.
All ports are Access ports and belong to the same VLAN, or are all TRUNK ports, or are all Hybrid ports.
If the ports are all TRUNK ports or Hybrid ports, then their “Allowed VLAN” and “Native VLAN” property should also be the same.
Port aggregation means that multiple ports are aggregated to form an aggregation group, so as to implement outbound/inbound load balancing across the member ports of the aggregation group and provide better reliability.
14.2.1 Static LACP Aggregation
Static LACP aggregation is enforced by user configuration and does not enable the LACP protocol. When configuring static LACP aggregation, use “on” mode to force the port to enter the aggregation group.
14.2.
14.3 Introduction to Load balance
The current visits and data flow of the network are increasing; the processing capability and calculated strength are both increasing. If a large amount of the data flow is transmitted from one physical port of the switch at the same time, it will cause network congestion. If the switch has many physical ports, this wastes ports.
3. Enter the load-balance enhanced profile mode
Mode: Global Mode
Command: load-balance enhanced profile
Explanation: Enter the load-balance enhanced profile mode.

4. Configure the enhanced load balance template
Mode: Load-balance Enhanced Profile Mode
Command: l2 field [dst-mac] [ingress-port] [l2-protocol] [src-mac] [vlan]
Explanation: This command is used to configure the load-balance enhanced l2 packets field.
Command (continued): [protocol] [src-ip] [vlan]
         no l3 mpls field
Explanation (continued): the load-balance enhanced l3 mpls field. The no command recovers to be the default configuration that means all the fields are configured.
Command: mpls tunnel field [2nd-label] [3rd-label] [dst-ip] [label-4msb] [src-ip] [top-label]
Explanation: This command is used to configure the load-balance tunnel field.
no trill field l3payload field. The no command recovers to be the default configuration that means all the fields are configured.
Command: trill tunnel field l2payload [dst-mac] [egr-rbridge-name] [ing-rbridge-name] [l2-protocol] [src-mac] [vlan]
         no trill tunnel field
Explanation: This command is used to configure the load-balance enhanced trill tunnel field. The no command recovers to be the default configuration that means all the fields are configured.
Mode: Global mode
Command: lacp system-priority
         no lacp system-priority
Explanation: Set the system priority of LACP protocol, the no command restores the default value.

8. Set the port priority of the current port in LACP protocol
Mode: Port mode
Command: lacp port-priority
         no lacp port-priority
Explanation: Set the port priority in LACP protocol. The no command restores the default value.

9.
are access ports and add them to group2 with passive mode. All the ports should be connected with cables.
Fig 6-3 Configure Port Channel in ON mode
As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and are added to group1 with “on” mode. Ports 6, 8, 9, 10 of S2 are access ports and are added to group2 with “on” mode.
“on” mode and become an aggregated port respectively.
Scenario 3: Load Balance
Fig 6-4 Load Balance
As shown in the above figure, port 5 of switch S1 is connected to PC1, and ports 1-4 of switch S2 are connected to PC2-PC5. All the ports of S1 and S2 are access ports. Join ports 1-4 of S1 to group 1 in on mode, and join ports 5-8 of S2 to group 2 in on mode.
Switch1 (Config-If-Ethernet1/4)#port-group 1 mode on
Switch1 (Config-If-Ethernet1/4)#exit
Switch1 (config)#load-balance enhanced profile
Switch1 (config-load-balance-enhanced-profile)# ipv4 field dst-ip
Switch1 (config)#interface port-channel 1
Switch1 (config-if-port-channel1)#load-balance enhance-profile
Switch2#config
Switch2 (config)#port-group 2
Switch2 (config)#interface ethernet 1/6
Switch2 (Config-If-Ethernet1/6)#port-group 2 mode on
Switch2 (Config-If-Etherne
Check whether the enhanced load balance template is configured correctly with the command show load-balance enhanced-profile.
Chapter 15 MTU Configuration
15.1 Introduction to MTU
So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%. Technically the Jumbo is just a lengthened frame sent and received by the switch.
Chapter 16 bpdu-tunnel-protocol Configuration
16.1 Introduction to bpdu-tunnel-protocol
BPDU Tunnel is a Layer 2 tunnel technology. It allows Layer 2 protocol packets of geographically dispersed private network users to be transparently transmitted over specific tunnels across a service provider network.
16.1.1 bpdu-tunnel-protocol function
In MAN applications, multiple branches of a corporation may connect with each other through the service provider network.
Fig 8-1 BPDU Tunnel application
16.2 bpdu-tunnel-protocol Configuration Task List
bpdu-tunnel-protocol configuration task list:
1. Configure tunnel STP globally
2. Configure the port to support the tunnel

1. Configure tunnel MAC address globally
Mode: Global mode
Command: bpdu-tunnel-protocol stp default-group-mac
         no bpdu-tunnel-protocol stp
Explanation: Configure or cancel the tunnel STP globally.

2.
service provider network. As shown in Figure, User A has two devices (CE 1 and CE 2) and both devices belong to the same VLAN. User’s network is divided into network 1 and network 2, which are connected by the service provider network.
16.4 bpdu-tunnel-protocol Troubleshooting
The bpdu-tunnel-protocol function can be configured on a port only after the port disables the stp, gvrp, user-defined-protocol and dot1x functions.
Chapter 17 DDM Configuration
17.1 Introduction to DDM
17.1.1 Brief Introduction to DDM
DDM (Digital Diagnostic Monitor) implements the detailed digital diagnostic function standardized in SFF-8472 MSA. The parameter signals are monitored and digitized on the circuit board inside the module.
3. Compatibility verification
Compatibility verification analyzes whether the environment of the module accords with the data manual or is compatible with the corresponding standard, because the module capability can be ensured only in a compatible environment. Sometimes environment parameters exceed the data manual or the corresponding standard, which degrades the module capability and results in transmission errors.
query the last abnormity status by executing the commands. When the user finds abnormity information of the fiber module, the fiber module information may be monitored again after the abnormity information is processed; in this way the user is able to know the abnormity information and renew the monitoring.
17.2 DDM Configuration Task List
DDM configuration task list:
1. Show the real-time monitoring information of the transceiver
2.
Command: transceiver-monitoring interval
         no transceiver-monitoring interval
Explanation: Set the interval of the transceiver monitor. The no command sets the interval to be the default interval of 15 minutes.

(2) Configure the enable state of the transceiver monitoring
Mode: Port mode
Explanation: Set whether the transceiver monitoring is enabled.
Ethernet 21 and Ethernet 23 have fiber modules with DDM inserted, Ethernet 24 has a fiber module without DDM inserted, and Ethernet 22 has no fiber module inserted. Show the DDM information of the fiber module.
Bias current(mA) 6.11(W+) 10.30 0.00 5.00 0.00
RX Power(dBM) -30.54(A-) 9.00 -25.00 9.00 -25.00
TX Power(dBM) -6.01 9.00 -25.00 9.00 -25.00
Ethernet 1/0/22 transceiver detail information: N/A
Ethernet 1/0/24 transceiver detail information:
Base information:
SFP found in this port, manufactured by company, on Sep 29 2010.
Type is 1000BASE-SX. Serial Number is 1108000001.
Link length is 550 m for 50um Multi-Mode Fiber.
Link length is 270 m for 62.
-------------- ----------- ----------- ------------ ---------
Temperature(℃) 33 70 0 70 0
Voltage(V) 7.31(A+) 5.00 0.00 5.00 0.00
Bias current(mA) 6.11(W+) 10.30 0.00 5.00 0.00
RX Power(dBM) -30.54(A-) 9.00 -25.00 9.00 -25.00
TX Power(dBM) -13.01 9.00 -25.00 9.00 -25.00
Step2: Configure the tx-power threshold of the fiber module, the low-warning threshold is -12, the low-alarm threshold is -10.00.
the port after showing the transceiver monitoring of the fiber module.
Step1: Show the transceiver monitoring of the fiber module. Neither ethernet 21 nor ethernet 22 has transceiver monitoring enabled, and the interval is set to 30 minutes.
Switch(config)#show transceiver threshold-violation interface ethernet 1/0/21-22
Ethernet 1/0/21 transceiver threshold-violation information:
Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
Ethernet 1/0/22 transceiver threshold-violation information:
Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
The last threshold-violation doesn’t exist.

17.4 DDM Troubleshooting
If problems occur when configuring DDM, please check whether the problem is caused by the following reasons:
Ensure that the transceiver of the fiber module has been inserted firmly in the port, or else DDM configuration will not be shown.
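The alarm and warning markers in the transceiver tables of section 17.3 can be recomputed from the thresholds printed beside each reading. The following is an added example, not PLANET's code: it assumes the four threshold columns are high alarm, low alarm, high warning and low warning (the order consistent with the values shown above), and the function names are hypothetical.

```python
import re

NUM = r"-?\d+(?:\.\d+)?"
# One table row: name, reading with optional (A+|A-|W+|W-) marker, four thresholds.
ROW = re.compile(
    r"^(?P<name>.+?\))\s+(?P<value>%s)(?:\((?P<shown>[AW][+-])\))?"
    r"\s+(?P<ha>%s)\s+(?P<la>%s)\s+(?P<hw>%s)\s+(?P<lw>%s)\s*$" % ((NUM,) * 5))

# Rows copied from the table in section 17.3; column spacing is constructed.
SAMPLE = """\
-------------- ----------- ----------- ------------ ---------
Temperature(℃)    33          70     0       70     0
Voltage(V)        7.31(A+)    5.00   0.00    5.00   0.00
Bias current(mA)  6.11(W+)    10.30  0.00    5.00   0.00
RX Power(dBM)     -30.54(A-)  9.00   -25.00  9.00   -25.00
TX Power(dBM)     -13.01      9.00   -25.00  9.00   -25.00
"""

# Step 2 in the guide: tx-power low-warning -12, low-alarm -10.00.
STEP2 = {"TX Power(dBM)": {"lw": -12.0, "la": -10.0}}


def classify(value, ha, la, hw, lw):
    """Return the marker for a reading; alarms take precedence over warnings."""
    if value > ha:
        return "A+"
    if value < la:
        return "A-"
    if value > hw:
        return "W+"
    if value < lw:
        return "W-"
    return None


def parse_rows(text):
    """Extract table rows; separator and heading lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = {k: float(m.group(k)) for k in ("value", "ha", "la", "hw", "lw")}
        row["name"], row["shown"] = m.group("name"), m.group("shown")
        rows.append(row)
    return rows


def audit(text, overrides=None):
    """Recompute each row's marker, optionally with user-configured thresholds."""
    report = []
    for row in parse_rows(text):
        row.update((overrides or {}).get(row["name"], {}))
        row["computed"] = classify(row["value"], row["ha"], row["la"],
                                   row["hw"], row["lw"])
        report.append(row)
    return report


def disagreements(report):
    """Names of rows whose displayed marker differs from the recomputed one."""
    return [r["name"] for r in report if r["shown"] != r["computed"]]


if __name__ == "__main__":
    for r in audit(SAMPLE, STEP2):
        print("%-18s %8.2f shown=%s computed=%s"
              % (r["name"], r["value"], r["shown"], r["computed"]))
```

With the Step 2 thresholds applied, the unchanged TX power reading of -13.01 falls below the new low-alarm value, so the recomputed marker differs from the one captured before the change.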
Chapter 18 EFM OAM Configuration
18.1 Introduction to EFM OAM
Ethernet was originally designed for Local Area Networks, but link length and network scope have extended rapidly as Ethernet has also been applied to Metropolitan Area Networks and Wide Area Networks.
protocol, the max transmission rate is 10Pkt/s. EFM OAM is established on the basis of OAM connection; it provides link operation management mechanisms such as link monitoring, remote fault detection and remote loopback testing. A brief introduction to EFM OAM follows:
1. Ethernet OAM connection establishment
An Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs.
frame at least in a second.)
3. Remote Fault Detection
In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer. As Information OAMPDUs are exchanged continuously across established OAM connections, an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs.
Fig 10-2 Typical OAM application topology (Customer, Service Provider, Customer; CE and PE; 802.3ah Ethernet in the First Mile; 802.1ah OAMPDU)
18.2 EFM OAM Configuration
EFM OAM configuration task list
1. Enable EFM OAM function of port
2. Configure link monitor
3. Configure remote failure
4. Enable EFM OAM loopback of port
Note: OAM must be enabled first when configuring OAM parameters.

1.
Command: ethernet-oam timeout
         no ethernet-oam timeout
Explanation: Configure timeout of EFM OAM connection, no command restores the default value.

2. Configure link monitor
Mode: Port mode
Command: ethernet-oam link-monitor
         no ethernet-oam link-monitor
Explanation: Enable link monitor of EFM OAM, no command disables link monitor.
Command: ethernet-oam errored-symbol-period threshold high {high-symbols | none}
         no ethernet-oam errored-symbol-period threshold high
Explanation: Configure the high threshold of errored symbol period event, no command restores the default value. (optional)
Command: ethernet-oam errored-frame-period threshold high {high-frames | none}
         no ethernet-oam errored-frame-period thres
Explanation: Configure the high threshold of errored frame period event, no command restores the default value.
Fig 10-3 Typical OAM application topology (CE Ethernet 1/0/1, PE Ethernet 1/0/1; 802.1ah OAMPDU)
Configuration procedure: (Omitting SNMP and Log configuration in the following)
Configuration on CE:
CE(config)#interface ethernet1/0/1
CE (config-if-ethernet1/0/1)#ethernet-oam mode passive
CE (config-if-ethernet1/0/1)#ethernet-oam
CE (config-if-ethernet1/0/1)#ethernet-oam remote-loopback supported
Other parameters use the default configuration.
Ensure that the board in use supports the remote loopback function. After a port enables the OAM loopback function, STP, MRPP, ULPP, Flow Control and loopback detection should not be configured on it, because the OAM remote loopback function and these functions are mutually exclusive.
Chapter 19 LLDP-MED
19.1 Introduction to LLDP-MED
LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on 802.1AB LLDP (Link Layer Discovery Protocol) of IEEE. LLDP provides a standard link layer discovery mode; it sends local device information (including its major capability, management IP address, device ID and port ID) as TLV (type/length/value) triplets in LLDPDU (Link Layer Discovery Protocol Data Unit) to the directly connected neighbors.
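LLDPDUs are sent unauthenticated to whatever is attached to the port, so it is worth knowing exactly which TLVs a port advertises before choosing its lldp mode and lldp transmit settings. The decoder below is an added example, not code from PLANET or the switch firmware; it follows the 802.1AB TLV layout, the sample frame is constructed from the neighbor values shown in this chapter's show lldp neighbors output, and all function names are hypothetical.

```python
import struct

# Optional TLV types, named after the keywords of "lldp transmit optional tlv".
OPTIONAL = {4: "portDesc", 5: "sysName", 6: "sysDesc", 7: "sysCap", 8: "mgmtAddr"}
TIA_OUI = b"\x00\x12\xbb"   # OUI carried by LLDP-MED organizationally specific TLVs
MED_CODES = {1: "CAP", 2: "NP", 3: "LI", 4: "PSE/PD"}   # subtypes 5-11: inventory


def tlv(tlv_type, value):
    """Build one TLV: a 7-bit type and a 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Split an LLDPDU into (type, value) pairs, rejecting malformed input."""
    tlvs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % pos)
        (header,) = struct.unpack_from("!H", data, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(data):
            raise ValueError("TLV type %d overruns the LLDPDU" % tlv_type)
        if tlv_type == 0:       # End of LLDPDU; anything after it is padding
            break
        tlvs.append((tlv_type, data[pos:pos + length]))
        pos += length
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must begin with ChassisId, PortId, TTL")
    return tlvs


def describe(tlvs):
    """Decode neighbor-table fields and list the optional and MED TLVs sent."""
    info = {"optional": [], "med": []}
    for tlv_type, value in tlvs:
        if tlv_type == 1 and len(value) >= 2:
            info["ChassisIdSubtype"] = value[0]
            if value[0] == 4:   # subtype 4: MAC address
                info["ChassisId"] = "-".join("%02x" % b for b in value[1:])
            else:
                info["ChassisId"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 2 and len(value) >= 2:
            info["PortIdSubtype"] = value[0]
            info["PortId"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 3 and len(value) >= 2:
            info["TTL"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type in OPTIONAL:
            name = OPTIONAL[tlv_type]
            info["optional"].append(name)
            if tlv_type == 7 and len(value) >= 4:
                caps = struct.unpack("!HH", value[:4])
                info["SysCapSupported"], info["SysCapEnabled"] = caps
            elif tlv_type == 8 and len(value) >= 2:
                addr = value[2:1 + value[0]]      # value[0] counts subtype + address
                if value[1] == 1 and len(addr) == 4:   # address subtype 1: IPv4
                    info["mgmtAddr"] = ".".join(str(b) for b in addr)
            elif tlv_type in (4, 5, 6):
                info[name] = value.decode("utf-8", "replace")
        elif tlv_type == 127 and len(value) >= 4 and value[:3] == TIA_OUI:
            sub = value[3]
            info["med"].append(MED_CODES.get(sub, "IN" if 5 <= sub <= 11 else "?"))
    return info


def sample_lldpdu():
    """Constructed frame; chassis and port values follow the guide's output."""
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("00030f000002")),
        tlv(2, b"\x07" + b"1"),                    # subtype 7: locally assigned
        tlv(3, struct.pack("!H", 120)),            # TTL value is constructed
        tlv(5, b"SwitchB"),
        tlv(6, b"constructed system description"),
        tlv(7, struct.pack("!HH", 4, 4)),
        tlv(8, b"\x05\x01" + bytes([10, 1, 1, 2]) + b"\x02"
            + struct.pack("!I", 1) + b"\x00"),
        tlv(127, TIA_OUI + b"\x01" + b"\x00\x03\x04"),      # MED capabilities
        tlv(127, TIA_OUI + b"\x02" + b"\x01\x00\x00\x00"),  # MED network policy
        tlv(0, b""),
    ])


if __name__ == "__main__":
    for key, val in describe(parse_lldpdu(sample_lldpdu())).items():
        print("%-18s %s" % (key, val))
```

The "optional" and "med" lists are the parts an administrator controls per port; the first three TLVs are mandatory in every LLDPDU.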
Power-Via-MDI TLV. The no command disables the capability.

Command:
  lldp transmit med tlv location
  no lldp transmit med tlv location
Explanation: Configure the specified port to send LLDP-MED Location Identification TLV. The no command disables the capability.

Command:
  lldp transmit med tlv inventory
  no lldp transmit med tlv inventory
Explanation: Configure the port to send LLDP-MED Inventory Management TLVs. The no command disables the capability.
Command:
  {description-language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo}
  no {description-language | province-state | city | county | street | locationNum | location | floor | room
Explanation: Configure the detailed address after entering Civic Address LCI address mode of the port.
19.
SwitchA# show lldp neighbors interface ethernet 1/0/1
Port name : Ethernet1/0/1
Port Remote Counter : 1
TimeMark :20
ChassisIdSubtype :4
ChassisId :00-03-0f-00-00-02
PortIdSubtype :Local
PortId :1
PortDesc :****
SysName :****
SysDesc :*****
SysCapSupported :4
SysCapEnabled :4
LLDP MED Information :
MED Codes:
(CAP)Capabilities, (NP) Network Policy
(LI) Location Identification, (PSE)Power Source Entity
(PD) Power Device, (IN) Inventory
MED Capabilities:CAP,NP,PD,IN
ME
IEEE 802.
near MED device, it sends LLDP-MED TLV. If the network connection device is configured with the command for sending LLDP-MED TLV but the packets sent by the port still carry no LLDP-MED TLV, that means no MED information is received and the port does not enable the function for sending LLDP-MED information.
Chapter 20 PORT SECURITY
20.1 Introduction to PORT SECURITY
Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of the received frame, and the access to unauthorized devices by checking the destination MAC address of the sent frame.
address is configured to several interfaces in same VLAN, both of them will violate the security of the MAC address.

Command:
  switchport port-security aging {static | time | type {absolute | inactivity}}
  no switchport port-security violation aging {static | time | type}
Explanation: Enable port-security aging entry of the interface; specify aging time or aging type.
the internet at most. If the maximum number is exceeded, a new user cannot access the internet, so the setting not only limits the number of users but also keeps internet access safe. If the maximum number of secure MAC addresses is configured as 1, only HOST A or HOST B is able to access the internet.
Configuration process:
#Configure the switch.
Chapter 21 QSFP+ Port Split and Combination Configuration
21.1 Introduction to QSFP+ Port Split and Combination Configuration
A QSFP+ port can be used as a single 40GE port, and it can also be split into 4 10GE SFP+ ports to improve the port density, decrease the user cost and increase the flexibility of networks.
21.
Chapter 22 VLAN Configuration
22.1 VLAN Configuration
22.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
convenience:
Improving network performance
Saving network resources
Simplifying network management
Lowering network cost
Enhancing network security
Switch Ethernet ports can work in three kinds of modes: Access, Hybrid and Trunk. Each mode has a different processing method for forwarding tagged or untagged packets. A port of Access type belongs to only one VLAN; such ports are usually used to connect to the ports of computers.
Global Mode
Command:
  vlan WORD
  no vlan WORD
Explanation: Create/delete VLAN or enter VLAN Mode.

2. Set or delete VLAN name
VLAN Mode
Command:
  name
  no name
Explanation: Set or delete VLAN name.

3. Assigning Switch ports for VLAN
VLAN Mode
Command:
  switchport interface
  no switchport interface
Explanation: Assign Switch ports to VLAN.

4.
Command:
  switchport access vlan
  no switchport access vlan
Explanation: Add the current port to the specified VLAN. The “no” command restores the default setting.

7. Set Hybrid port
Port Mode
Command:
  switchport hybrid allowed vlan {WORD | all | add WORD | except WORD | remove WORD} {tag | untag}
Explanation: Set/delete the VLAN which is allowed by Hybrid port with tag or untag mode.
Global mode
Command:
  vlan <2-4094> internal
Explanation: Specify internal VLAN ID.

22.1.3 Typical VLAN Application
Scenario:
[Figure: Switch A and Switch B joined by a Trunk Link, each with PCs and workstations in VLAN2, VLAN100 and VLAN200]
Fig 1-2 Typical VLAN Application Topology
The existing LAN is required to be partitioned to 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200.
In this example, port 1 and port 12 are spare and can be used as management ports or for other purposes.
[Figure: PC1 and PC2 attached to Switch B, which connects to Switch A and on to the internet]
Fig 1-3 Typical Application of Hybrid Port
PC1 connects to the interface Ethernet 1/0/7 of SwitchB, PC2 connects to the interface Ethernet 1/0/9 of SwitchB, and Ethernet 1/0/10 of SwitchA connects to Ethernet 1/0/10 of SwitchB. For security reasons, PC1 and PC2 must not be able to access each other, but PC1 and PC2 can access other network resources through the gateway SwitchA.
Switch(config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/0/10
Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/0/7
Switch(Config-If-Ethernet1/0/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/0/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/0/7)#exit
Switch(Config)#interface Ethernet 1/0/9
Switch(Config-If-Ethernet1/0/9)#switchport
Fig 1-4 a typical application scene
Switches A and G are not directly connected in the layer 2 network; B, C, D, E and F are intermediate switches connecting A and G. Switches A and G configure VLAN100-1000 manually while switches B, C, D, E and F do not. When GVRP is not enabled, A and G cannot communicate with each other, because the intermediate switches do not have the relevant VLANs.
2. Configure port type
Port mode
Command:
  gvrp
  no gvrp
Explanation: Enable/disable GVRP function of port.

3. Enable GVRP function
Global mode
Command:
  gvrp
  no gvrp
Explanation: Enable/disable the global GVRP function of port.

22.2.
protocol is to be configured in the switch. Configure GVRP in Switch A, B and C, enable Switch B to learn VLAN100 dynamically so that two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.

Configuration Item: Configuration description
VLAN100: Port 2-6 of Switch A and C.
Trunk port: Port 11 of Switch A and C, Port 10, 11 of Switch B.
Global GVRP: Switch A, B, C.
Switch(Config-Vlan100)#switchport interface ethernet 1/0/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)#gvrp
Switch(Config-If-Ethernet1/0/11)#exit

22.2.4 GVRP Troubleshooting
The GARP counter setting for Trunk ports at both ends of a Trunk link must be the same, otherwise GVRP will not work normally.
Fig 1-6 Dot1q-tunnel based Internetworking mode
As shown above, after being enabled on the user port, dot1q-tunnel assigns each user an SPVLAN identification (SPVID). Here the identification of the user is 3. The same SPVID should be assigned for the same network user on different PEs. When a packet reaches PE1 from CE1, it carries the VLAN tag 200-300 of the user internal network.
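The tag handling described above, shown at byte level as an added Python example (not part of the guide): PE1 pushes an outer tag with SPVID 3 in front of the customer's 802.1Q tag, and the far-end PE removes it only when both the SPVID and the TPID match its own configuration. The MAC addresses and payload are constructed, and 0x9100 is an assumed outer TPID.

```python
import struct

CUSTOMER_TPID = 0x8100  # standard 802.1Q tag type used inside the customer network
SP_TPID = 0x9100        # assumed outer TPID configured on the PE trunk ports
SPVID = 3               # SP VLAN assigned to this user in the guide's scenario


def vlan_tag(tpid, vid, pcp=0):
    """Build one 4-byte tag: 16-bit TPID, then 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def customer_frame(vid):
    """Constructed sample: a single-tagged IPv4 frame as CE1 sends it to PE1."""
    dst = bytes.fromhex("00030f000002")
    src = bytes.fromhex("00030f000001")
    return dst + src + vlan_tag(CUSTOMER_TPID, vid) + struct.pack("!H", 0x0800) + b"payload"


def read_tags(frame, tpids):
    """Return the tag stack as [(tpid, vid), ...], outermost first."""
    tags, off = [], 12  # tags start right after the two 6-byte MAC addresses
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in tpids:
            break  # reached the EtherType of the payload
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags


def push_outer_tag(frame, spvid=SPVID, tpid=SP_TPID):
    """PE ingress on the user port: insert the SP tag, leave the customer tag intact."""
    return frame[:12] + vlan_tag(tpid, spvid) + frame[12:]


def outer_tag_matches(frame, spvid=SPVID, tpid=SP_TPID):
    """True when the outermost tag carries this PE's TPID and the user's SPVID."""
    tags = read_tags(frame, {tpid, CUSTOMER_TPID})
    return bool(tags) and tags[0] == (tpid, spvid)


def pop_outer_tag(frame, spvid=SPVID, tpid=SP_TPID):
    """PE egress toward the user: strip the SP tag only if it matches."""
    if not outer_tag_matches(frame, spvid, tpid):
        raise ValueError("outer tag does not match this user's SPVID/TPID")
    return frame[:12] + frame[16:]


def tunnel(frame, spvid=SPVID, tpid=SP_TPID):
    """Carry one customer frame PE1 -> PE2 and return what CE2 receives."""
    return pop_outer_tag(push_outer_tag(frame, spvid, tpid), spvid, tpid)


if __name__ == "__main__":
    inner = customer_frame(200)
    outer = push_outer_tag(inner)
    print(read_tags(outer, {SP_TPID, CUSTOMER_TPID}))  # outer tag first, then customer tag
    print(tunnel(inner) == inner)
```

A PE whose trunk TPID or SPVID differs from its peer fails the `outer_tag_matches` check, which is why the same SPVID has to be assigned for the same user on every PE.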
Command:
  dot1q-tunnel enable
  no dot1q-tunnel enable
Explanation: Enter/exit the dot1q-tunnel mode on the port.

2. Configure the protocol type (TPID) on port
Port mode
Command:
  dot1q-tunnel tpid {0x8100|0x9100|0x9200|<1-65535>}
Explanation: Configure the protocol type on TRUNK port.

22.3.3 Typical Applications of the Dot1q-tunnel
Scenario:
Edge switch PE1 and PE2 of the ISP internet forward the VLAN200~300 data between CE1 and CE2 of the client network with VLAN3.
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/0/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(Config-Ethernet1/0/1)#dot1q-tunnel enable
Switch(Config-Ethernet1/0/1)#exit
Switch(Config)#interface ethernet 1/0/10
Switch(Config-Ethernet1/0/10)#switchport mode trunk
Switch(Config-Ethernet1/0/10)#dot1q-tunnel tpid 0x9100
Switch(Config-Ethernet1/0/10)#exit
Switch(Config)#
22.3.
1. Configure the VLAN-translation of the port
Port mode
Command:
  vlan-translation enable
  no vlan-translation enable
Explanation: Enter/exit the port VLAN-translation mode.

2. Configure the VLAN-translation relation of the port
Port mode
Command:
  vlan-translation to {in|out}
  no vlan-translation old-vlan-id {in|out}
Explanation: Add/delete a VLAN-translation relation.

3.
[Figure: CE1 (Customer networks1) and CE2 (Customer networks2) connect over trunk connections through PE1, P and PE2 of the SP networks. Customer port labels: Trunk VLAN 200-300 at CE1, Trunk VLAN 20 at CE2. On each PE, the ingress of the port translates VLAN20 to VLAN3 and the egress translates VLAN3 to VLAN20.]
Fig 1-7 Vlan translation topology mode
Configuration Con
22.5 Dynamic VLAN Configuration
22.5.1 Introduction to Dynamic VLAN
The dynamic VLAN is so named in contrast to the static VLAN (namely the port-based VLAN). Dynamic VLAN supported by the switch includes MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN. Detailed description is as follows:
The MAC-based VLAN division is based on the MAC address of each host, namely every host with a MAC address will be assigned to a certain VLAN.
1. Configure the MAC-based VLAN function on the port
Port Mode
Command:
  switchport mac-vlan enable
  no switchport mac-vlan enable
Explanation: Enable/disable the MAC-based VLAN function on the port.

2. Set the VLAN to MAC VLAN
Global Mode
Command:
  mac-vlan vlan
  no mac-vlan
Explanation: Configure the specified VLAN to MAC VLAN; the “no mac-vlan” command cancels the MAC VLAN configuration of this VLAN.

3.
6. Configure the correspondence between the Protocols and the VLAN
Global Mode
Command:
  protocol-vlan mode {ethernetii etype |llc {dsap ssap }|snap etype } vlan priority
  no protocol-vlan {mode {ethernetii etype |llc {dsap ssap
Explanation: Add/delete the correspondence between the Protocols and the VLAN, namely specified protocol joins/leaves specified VLAN.
[Figure: SwitchA, SwitchB and SwitchC with VLAN100, VLAN200 and VLAN300]
Fig 1-8 Typical topology application of dynamic VLAN

Configuration Items: Configuration Explanation
MAC-based VLAN: Global configuration on Switch A, Switch B, Switch C.
equipments may not go through. The solution is to have the two devices actively send data packets to the switch (such as a ping) so that the switch learns their source MAC addresses; the two devices will then be able to communicate freely within the dynamic VLAN.
[Figure: two hosts in the dynamic VLAN, 192.168.1.100/24 and 192.168.1.200/24, with the labels "Ping 192.168.1.200" and "Ping 192.168.1.100"]
Fig 1-9 Dynamic VLAN Troubleshooting
22.6 Voice VLAN Configuration
22.6.
ports that may be added to Voice VLAN must be configured as Hybrid port.
22.6.2 Voice VLAN Configuration
Voice VLAN Configuration Task Sequence:
1. Set the VLAN to Voice VLAN
2. Add a voice equipment to Voice VLAN
3. Enable the Voice VLAN on the port

1. Configure the VLAN to Voice VLAN
Global Mode
Command:
  voice-vlan vlan
  no voice-vlan
Explanation: Set/cancel the VLAN as a Voice VLAN.

2.
00-03-0f-11-22-33, connect port 1/0/1 of the switch, IP-phone2 MAC address is 00-03-0f-11-22-55, connect port 1/0/2 of the switch.
[Figure: Switch connected to IP-phone1 and IP-phone2]
Fig 1-10 VLAN typical apply topology Figure

Configuration items: Configuration Explanation
Voice VLAN: Global configuration on the Switch.
22.6.4 Voice VLAN Troubleshooting
Voice VLAN cannot be applied concurrently with MAC-based VLAN.
The Voice VLAN supports a maximum of 1024 sets of voice equipment; equipment beyond that number will not be supported.
The Voice VLAN on the port is enabled by default. If the configured data can no longer enter the Voice VLAN during operation, please check whether the Voice VLAN function has been disabled on the port.
22.7 Super VLAN Configuration
22.7.
VLAN | IP Subnet | Gateway Address | Usable Hosts | Customer Hosts | Needed Hosts
21 | 1.1.1.0/28 | 1.1.1.1 | 14 | 13 | 10
22 | 1.1.1.16/29 | 1.1.1.17 | 6 | 5 | 5
23 | 1.1.1.24/30 | 1.1.1.25 | 2 | 1 | 1

In the above table, VLAN 21 may need 10 hosts and is assigned a subnet with a mask of 28 bits, 1.1.1.0/28. However, the subnet address 1.1.1.0 of the network segment, the subnet broadcast address 1.1.1.15 and the default gateway address 1.1.1.1 cannot be used as host addresses, address range within 1.
Fig 1-12 super vlan function
Super VLAN is different from the generic VLAN. A super VLAN only creates a layer-3 interface and does not include any ports; it is a layer-3 notion. The layer-3 interface of a super VLAN is at UP state as long as there is a physical port at UP state in one of its sub-VLANs.
22.7.2 Super VLAN Configuration
1. Create or delete supervlan
2. Specify or delete subvlan
3. Enable or disable arp-proxy function of subvlan
4.
3. Enable or disable arp-proxy function of subvlan
Interface configuration mode
Command:
  arp-proxy subvlan {WORD | all}
  no arp-proxy subvlan {WORD | all}
Explanation: Enable or disable arp-proxy function of subvlan.

4. Specify or delete ip-addr-range of interface
Interface configuration mode
Command:
  ip-addr-range to
  no ip-addr-range
Explanation: Specify or delete address range of interface.

5.
1.1.1.10, address range of VLAN4 from 1.1.1.20 to 1.1.1.30; only layer-3 flows of terminals within the two address ranges are allowed to be forwarded. To implement this requirement, supervlan needs to be configured on the switch.
can be processed other operations. A VLAN must exist before it can be set as supervlan or subvlan. When port mode is set as trunk, supervlan is automatically filtered from allow-vlan.
Chapter 23 MAC Table Configuration
23.1 Introduction to MAC Table
The MAC table identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
Fig 2-1 MAC Table dynamic learning
The topology of the figure above: 4 PCs are connected to the switch. PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/0/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/0/12 of the switch.
The initial MAC table contains no address mapping entries.
seconds here is the default aging time for MAC address entry in switch. Aging time can be modified in switch.
23.1.2 Forward or Filter
The switch will forward or filter received data frames according to the MAC table. Take the above figure as an example, assuming the switch has learnt the MAC addresses of PC1 and PC3, and the user has manually configured the mapping relationship for PC2 and PC4 to ports.
table, the switch will broadcast the unicast frame. When VLANs are configured, the switch will forward a unicast frame within the same VLAN. If the destination MAC address is found in the MAC table but belongs to a different VLAN, the switch can only broadcast the unicast frame in the VLAN it belongs to.
23.
] [vlan ] [interface [ethernet | portchannel] ]

4. Configure MAC learning through CPU control
Global Mode
Command:
  mac-address-learning cpu-control
  no mac-address-learning cpu-control
Explanation: Enable MAC learning through CPU control; the no command restores automatic MAC address learning by the chip.

5.
and port 1/0/9, respectively.
The configuration steps are listed below:
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address.
Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1
2. Set the static mapping relationship for PC2 and PC3 to port 1/0/7 and port 1/0/9, respectively.
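The forward-or-filter decision from section 23.1.2, combined with the filter and static entries configured above, as an added Python model that is not part of the guide. The MAC addresses of PC2, PC3 and the two extra hosts, the VLAN 1 port membership and the 300-second aging time are constructed; the model also assumes that a discard entry drops frames whose source or destination matches it, and that a static entry is never replaced by dynamic learning.

```python
PC1 = "00-01-11-11-11-11"     # filter address from the guide's example
PC2 = "00-01-22-22-22-22"     # constructed address, static on port 1/0/7
PC3 = "00-01-33-33-33-33"     # constructed address, static on port 1/0/9
HOST_X = "00-01-44-44-44-44"  # constructed hosts that are learned dynamically
HOST_Y = "00-01-55-55-55-55"


class MacTable:
    def __init__(self, ports_by_vlan, aging):
        self.ports_by_vlan = ports_by_vlan  # {vlan: set of member ports}
        self.aging = aging                  # seconds a dynamic entry stays valid
        self.entries = {}                   # (vlan, mac) -> [port, kind, last_seen]

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac)] = [port, "static", None]

    def add_discard(self, vlan, mac):
        self.entries[(vlan, mac)] = [None, "discard", None]

    def _lookup(self, vlan, mac, now):
        entry = self.entries.get((vlan, mac))
        if entry and entry[1] == "dynamic" and now - entry[2] > self.aging:
            del self.entries[(vlan, mac)]   # aged out: treat as unknown again
            return None
        return entry

    def receive(self, in_port, vlan, src, dst, now):
        """Learn from the source address and return the list of egress ports."""
        s = self._lookup(vlan, src, now)
        if s and s[1] == "discard":
            return []                       # assumed: filter entry matches source
        if s is None or s[1] == "dynamic":
            self.entries[(vlan, src)] = [in_port, "dynamic", now]
        # A static entry is left untouched, so the mapping cannot move ports.
        d = self._lookup(vlan, dst, now)
        if d is None:                       # unknown destination: flood in the VLAN
            return sorted(self.ports_by_vlan[vlan] - {in_port})
        if d[1] == "discard" or d[0] == in_port:
            return []                       # filter entry, or same segment as sender
        return [d[0]]


def build_demo():
    """VLAN 1 on three ports (constructed) with the entries from the steps above."""
    table = MacTable({1: {"1/0/5", "1/0/7", "1/0/9"}}, aging=300)
    table.add_discard(1, PC1)
    table.add_static(1, PC2, "1/0/7")
    table.add_static(1, PC3, "1/0/9")
    return table


if __name__ == "__main__":
    t = build_demo()
    print(t.receive("1/0/5", 1, PC1, PC3, now=0))     # dropped by the filter entry
    print(t.receive("1/0/7", 1, PC2, PC3, now=0))     # forwarded to the static port
    print(t.receive("1/0/9", 1, PC3, HOST_X, now=3))  # unknown destination: flooded
```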
5. Configure the trap type of MAC notification supported by the port
6. Show the configuration and the data of MAC notification
7. Clear the statistics of MAC notification trap

1. Configure the global snmp MAC notification
Global mode
Command:
  snmp-server enable traps mac-notification
  no snmp-server enable traps mac-notification
Explanation: Configure or cancel the global snmp MAC notification.

2.
Command:
  mac-notification {added | both | removed}
  no mac-notification
Explanation: Configure or cancel the trap type of MAC notification supported by the port.

6. Show the configuration and the data of MAC notification
Admin mode
Command:
  show mac-notification summary
Explanation: Show the configuration and the data of MAC notification.

7.
Chapter 24 MSTP Configuration
24.1 Introduction to MSTP
The MSTP (Multiple STP) is a new spanning-tree protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged-LAN. It calculates a common and internal spanning tree (CIST) for the bridged-LAN, which consists of the bridges running the MSTP, the RSTP and the STP. It also calculates the independent multiple spanning-tree instances (MSTI) for each MST domain (MSTP domain).
[Figure: Root, bridges A, B, C, D, E, F and M, with an MST REGION marked]
Fig 1-1 Example of CIST and MST Region
In the above network, if the bridges are running the STP or the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a bridge. Therefore, one port between Bridge B and Root is blocked and one port on Bridge D is blocked.
1.1.1.
become the CST. The MSTI is only valid within its MST region. An MSTI has nothing to do with MSTIs in other MST regions. The bridges in a MST region receive the MST BPDU of other regions through Boundary Ports. They only process CIST related information and abandon MSTI information.
24.1.2 Port Roles
The MSTP bridge assigns a port role to each port which runs MSTP.
Command:
  spanning-tree
  no spanning-tree
Explanation: Enable/Disable MSTP.

Global Mode
Command:
  spanning-tree mode {mstp|stp|rstp}
  no spanning-tree mode
Explanation: Set MSTP running mode.

Port Mode
Command:
  spanning-tree mcheck
Explanation: Force port migrate to run under MSTP.

2. Configure instance parameters
Global Mode
Command:
  spanning-tree mst priority
  no spanning-tree mst pr
Explanation: Set bridge priority for specified instance.
3. Configure MSTP region parameters
Global Mode
Command:
  spanning-tree mst configuration
  no spanning-tree mst configuration
Explanation: Enter MSTP region mode. The no command restores the default setting.

MSTP region mode
Command:
  show
Explanation: Display the information of the current running system.

Command:
  instance vlan
  no instance [vlan ]
Explanation: Create Instance and set mapping between VLAN and Instance.

Command:
  name
Explanation: Set MSTP region name.
Global Mode
Command:
  spanning-tree forward-time
Port Mode
Command:
  spanning-tree cost
  no spanning-tree cost
Explanation: Set the port path cost.

Command:
  spanning-tree port-priority
  no spanning-tree port-priority
Explanation: Set the port priority.

Command:
  spanning-tree rootguard
  no spanning-tree rootguard
Explanation: Set the port is root port.

Global Mode
Command:
  spanning-tree transmit-hold-count
Explanation: Set the max transmit-hold-count of port.
24.3 MSTP Example
The following is a typical MSTP application example:
[Figure: SW1, SW2, SW3 and SW4 interconnected through numbered ports; some ports are marked “X”]
Fig 1-2 Typical MSTP Application Scenario
The connections among the switches are shown in the above figure. All the switches run in the MSTP mode by default; their bridge priority, port priority and port route cost all have the default values (equal).
port 4 200000 200000
port 5 200000 200000
port 6 200000 200000
port 7 200000 200000
By default, the MSTP establishes a tree topology (in blue lines) rooted with SwitchA. The ports marked with “x” are in the discarding status, and the other ports are in the forwarding status.
Configurations Steps:
Step 1: Configure port to VLAN mapping:
Create VLAN 20, 30, 40, 50 in Switch2, Switch3 and Switch4.
Switch2(config)#interface e1/0/1-7
Switch2(Config-Port-Range)#switchport mode trunk
Switch2(Config-Port-Range)#exit
Switch2(config)#spanning-tree
Switch3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Reg
Switch4(Config-Mstp-Region)#exit
Switch4(config)#interface e1/0/1-7
Switch4(Config-Port-Range)#switchport mode trunk
Switch4(Config-Port-Range)#exit
Switch4(config)#spanning-tree
Switch4(config)#spanning-tree mst 4 priority 0
After the above configuration, Switch1 is the root bridge of the instance 0 of the entire network.
[Figure: SW2, SW3 and SW4 interconnected through numbered ports; some ports are marked “X”]
Fig 1-4 The Topology Of the Instance 3 after the MSTP Calculation
[Figure: SW2, SW3 and SW4 interconnected through numbered ports; some ports are marked “X”]
Fig 1-5 The Topology Of the Instance 4 after the MSTP Calculation
24.4 MSTP Troubleshooting
In order to run the MSTP on a switch port, the MSTP has to be enabled globally. If the MSTP is not enabled globally, it cannot be enabled on the port.
Chapter 25 QoS Configuration
25.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
Fig 1-2 ToS priority
IP Precedence: IP priority. Classification information carried in the Layer 3 IP packet header, occupying 3 bits, in the range of 0 to 7.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet header, occupying 6 bits, in the range of 0 to 63, and downward compatible with IP Precedence.
MPLS TC(EXP): A field of MPLS packets that indicates the service class, occupying 3 bits, in the range of 0 to 7.
services like Mail and FTP, but for the increasing volume of multimedia business data and e-business data transmission, this best effort method cannot satisfy the bandwidth and low-lag requirement.
Based on differentiated service, QoS specifies a priority for each packet at the ingress. The classification information is carried in the Layer 3 IP packet header or the Layer 2 802.1Q frame header.
Fig 1-4 Classification process
Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked. Policing can be performed based on the flow to configure different policies that allocate bandwidth to classified traffic, the assigned bandwidth policy may be dual bucket dual color or dual bucket three color.
Fig 1-5 Policing and Remarking process
Queuing and scheduling: Egress packets carry an internal priority and a drop precedence. The queuing operation assigns the packets to different priority queues according to the internal priority, while the scheduling operation performs the packet forwarding according to the priority queue weight and the drop precedence. The following flowchart describes the operations during queuing and scheduling.
Fig 1-6 Queuing and Scheduling process
25.2 QoS Configuration Task List
Configure class map
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP, IPV6 FL to classify the data stream. Different classes of data streams will be processed with different policies.
After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode. Then different policies (such as bandwidth limit, priority degrading, assigning new DSCP value) can be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes.
Apply QoS to the ports or the VLAN interfaces
Configure the trust mode for ports or bind policies to ports.
Command:
  class [insert-before ]
  no class
Explanation: After a policy map is created, it can be associated to a class. Different policy or new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class.
passing policy. In the print information, in-profile means green and out-profile means red. In dual bucket mode, there are three colors of the packets. In the print information, in-profile means green and out-profile means red and yellow.

Policy class map configuration mode
Command:
  drop
  no drop
  transmit
  no transmit
Explanation: Drop or transmit data package that match the class, the no command cancels the assigned action.

3.
Port Configuration Mode
Command:
  mls qos queue algorithm {sp | wrr | wdrr}
  no mls qos queue algorithm
Explanation: Set queue management algorithm, the default queue management algorithm is wrr.

Command:
  mls qos queue wrr weight
  no mls qos queue wrr weight
Explanation: default queue weight is 1 2 3 4 5 6 7 8.

Command:
  mls qos queue wdrr weight
Command:
  show mls qos maps [cos-dp | dscp-dscp | dscp-intp | dscp-dp | intp-dscp]
Explanation: Display the configuration of QoS mapping.

Command:
  show class-map []
Explanation: Display the classified map information of QoS.

Command:
  show policy-map []
Explanation: Display the policy map information of QoS.

Command:
  show mls qos {interface [] [policy | queuing] | vlan }
Explanation: Displays QoS configuration information on a port.

25.
Switch(Config-ClassMap-c1)#match access-group 1
Switch(Config-ClassMap-c1)#exit
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#policy 10000 4000 exceed-action drop
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#service-policy input p1
Configuration result:
An ACL named 1 is set to match segment 192.168.1.0.
[Figure: Server, Switch3, Switch2 and Switch1 inside a QoS area, with a Trunk link]
Fig 1-7 Typical QoS topology
As shown in the figure, inside the block is a QoS domain. Switch1 classifies different traffic and assigns different IP precedences. For example, set CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/0/1. The port connecting to switch2 is a trunk port. In Switch2, set port ethernet 1/0/1, which connects to switch1, to trust cos.
Switch#config
Switch(config)#interface ethernet 1/0/1
25.4 QoS Troubleshooting
trust cos and exp can be used with other trust or Policy Map.
trust dscp can be used with other trust or Policy Map. This configuration takes effect on IPv4 and IPv6 packets.
trust exp, trust dscp and trust cos may be configured at the same time; the priority is: EXP>DSCP>COS.
Chapter 26 PBR Configuration
26.1 Introduction to PBR
PBR (Policy-Based Routing) is a method which determines the next-hop of data packets by policy messages such as source address, destination address, IP priority, TOS value, IP protocol, source port No, destination port No, etc.
26.2 PBR Configuration
1. Configure a class-map
2. Set match standard of the class-map
3. Configure a policy-map
4. Configure a policy map corresponding to a class map
5.
Command:
  policy-map
  no policy-map
Explanation: Set up or delete a policy-map.

4. Configure a policy map corresponding to a class map
Policy-map Configuration Mode
Command:
  class
  no class
Explanation: Correspond a class-map, and enter the policy map mode.

5.
segment, and set the next-hop as 218.31.1.119; meanwhile the local network IP of this network ranges within 192.168.0.0/16. To assure normal communication in the local network, policy routing is not applied to messages from 192.168.1.0/24 to local IP 192.168.0.0/16. The interface address of 192.168.1.0/24 of this device is 192.168.1.1.
192.168.0.0/16 segment which are still transmitted through normal L3 routing.
Chapter 27 IPv6 PBR Configuration
27.1 Introduction to PBR (Policy-based Router)
Policy-based routing gives network managers more powerful control over the forwarding and storing of messages than traditional routing protocols. Traditionally, routers use the routing table derived from routing protocols, and forward according to destination addresses.
Command:
  match ipv6 {access-group }
  no match ipv6 {access-group }
Explanation: Set the match standard in the class-map.

3. Configure a policy-map
Global Configuration Mode
Command:
  policy-map
  no policy-map
Explanation: Create or delete a policy-map.

4.
27.3 PBR Examples
Example:
On port ethernet 1/0/1, the default gateway address of this device is 3000::1. Apply policy routing to the messages whose source IP is within the segment 2000::/64; the next hop is 3100::2.
Apply this policy-map on port ethernet 1/0/1. After that, the messages whose source IP is within the segment 2000::/64 received on port ethernet 1/0/1 will be forwarded through 3100::2.
27.4 PBR Troubleshooting Help
At present, a policy-map can only be bound to an input port but not an output port.
Since hardware resources are limited, if the policy is too complicated to configure, users will be notified with the relevant information.
Chapter 28 Flow-based Redirection
28.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit the data frames meeting some special condition (specified by ACL) to another specified port. The frames meeting the same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
Global Mode/Admin Mode
Command: show flow-based-redirect {interface [ethernet |]}
Explanation: Display the information of current flow-based redirection in the system/port.
28.3 Flow-based Redirection Examples
Example: The user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is 192.168.1.
Chapter 29 Egress QoS Configuration
29.1 Introduction to Egress QoS
In traditional IP networks, all packets are treated in the same way. All network equipment handles them with a first-in-first-out policy and makes a best effort to send them to the destination. However, this does not guarantee performance characteristics such as reliability and transmission delay.
[Figure: Egress QoS processing flow. Ingress: generate internal priority. Egress: policing and remark of Egress color. Classification: sort packet traffic according to the classification info and convert classification info to internal priority value and drop precedence value. Policing: decide whether traffic color is single bucket dual color or dual bucket three color according to policing policy. Remark: degrade or discard different color packets, and remark DSCP, TOS, COS fields. Scheduling: place packets]
29.2 Egress QoS Configuration
Egress QoS Configuration Task List:
Configure class map
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP, IPv6 DSCP to classify the data stream. Different classes of data streams will be processed with different policies.
Configure policy map
After data stream classification, a policy map can be created to associate with a class map created earlier and enter policy class mode.
Command: class [insert-before ]
Command: no class
Explanation: Create a policy map to associate with a class map and enter policy class map mode, then different data streams can apply different policies and be assigned a new DSCP value. No command deletes the specified policy class map.
in-profile means green and out-profile means red and yellow.

3. Apply policy to port or VLAN
Interface Mode
Command: service-policy output
Command: no service-policy output {}
Explanation: port; the no command deletes the specified policy maps applied on the egress direction of the port.
29.3 Egress QoS Examples
Example 1: On the egress of port 1, change the CoS value to 4 for packets with a DSCP value of 0.
29.4 Egress QoS Troubleshooting Help
Not all equipment supports Egress QoS at present, so please make sure the current device supports this function. If the configured policy cannot be bound to the port or VLAN, please check whether the match option in the classification table is supported by the current device. If the terminal output reports a lack of resources, please make sure there are enough resources to apply the current policy.
Chapter 30 Flexible QinQ Configuration
30.1 Introduction to Flexible QinQ
30.1.1 QinQ Technique
Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its core idea is encapsulating the customer VLAN tag (CVLAN tag) inside the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone network of the ISP to provide a simple layer-2 tunnel for the users.
2. Create flexible QinQ policy-map to relate with the class-map and set the corresponding operation
3. Bind flexible QinQ policy-map to port

1. Configure class map
Global mode
Command: class-map
Command: no class-map
Explanation: Create a class-map and enter class-map mode, the no command deletes the specified class-map.
Port mode
Command: service-policy in
Command: no service-policy in
Explanation: Apply a policy-map to a port, the no command deletes the specified policy-map applied to the port.

4. Show flexible QinQ policy-map bound to port
Admin mode
Command: show mls qos {interface []
Explanation: Show flexible QinQ configuration on the port.
30.
assigned different VLAN tags for different VLANs in DSLAM2. Notice: The VLAN tag assigned to the second user may be the same as that of the first user, and the tagged packet will also be wrapped in an external tag. In the above figure, the external tag of the second user differs from that of the first user, in order to distinguish the DSLAM location and finally locate the user.
Switch(config-policymap-p1-class-c1)# set nested-vlan 1002
Switch(config-policymap-p1)#class c2
Switch(config-policymap-p1-class-c2)# set nested-vlan 2002
Switch(config-policymap-p1)#class c3
Switch(config-policymap-p1-class-c3)# set nested-vlan 3002
Switch(config-policymap-p1-class-c3)#exit
Switch(config-policymap-p1)#exit
Switch(config)#interface ethernet 1/0/1
Switch(config-if-ethernet1/0/1)# service-policy p1 in
30.
Chapter 31 Layer 3 Management Configuration
The switch only supports Layer 2 forwarding, but a Layer 3 management port can be configured for the communication of all kinds of IP-based management protocols.
31.1 Layer 3 Management Interface
31.1.1 Introduction to Layer 3 Management Interface
Only one Layer 3 management interface can be created on the switch. The Layer 3 interface is not a physical interface but a virtual interface. The Layer 3 interface is built on VLANs.
Command: no description
Explanation: The no command will cancel the description information of the VLAN interface.
31.2 IP Configuration
31.2.1 Introduction to IPv4, IPv6
IPv4 is the current version of the global universal Internet protocol. Practice has proved that IPv4 is simple, flexible, open, stable, strong and easy to implement while collaborating well with various protocols of upper and lower layers.
First of all, the 128-bit addressing scheme of the IPv6 protocol guarantees enough globally unique IP addresses for global IP network nodes across time and space. Moreover, besides increasing the address space, IPv6 also enhances many other essential designs of IPv4. The hierarchical addressing scheme facilitates route aggregation, effectively reduces route table entries, and enhances the efficiency and extensibility of routing and data packet processing.
for short). For example, IPv6 routing protocols such as RIPng, OSPFv3, IS-ISv6 and MBGP4+, etc. Multicast addresses have increased and the support for multicast has been enhanced. By taking over IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in the sense of function. Multicast not only saves network bandwidth, but enhances network efficiency as well.
31.2.
(2) Configure default gateway
2. IPv6 Neighbor Discovery Configuration
(1) Configure DAD neighbor solicitation message number
(2) Configure send neighbor solicitation message interval
(3) Configure static IPv6 neighbor entries
(4) Delete all entries in IPv6 neighbor table

1.
Command: ipv6 nd ns-interval
Command: no ipv6 nd ns-interval
Explanation: Set the interval of the interface to send neighbor query message. The NO command resumes default value (1 second).

(3) Configure static IPv6 neighbor entries
Interface Configuration Mode
Command: ipv6 neighbor interface
Explanation: Set static neighbor table entries, including neighbor IPv6 address, MAC address and two-layer port.
Interface Configuration Mode
Command: arp
Command: no arp
Explanation: Configures a static ARP entry; the no command deletes a static ARP entry.
31.3.3 ARP Troubleshooting
If ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and find a solution. Check whether the corresponding ARP entry has been learned by the switch.
Chapter 32 ARP Scanning Prevention Function Configuration
32.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts a large number of ARP messages in the segment, which takes up a large part of the network's bandwidth.
32.2 ARP Scanning Prevention Configuration Task Sequence
1. Enable the ARP Scanning Prevention function.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
3. Configure trusted ports
4. Configure trusted IP
5. Configure automatic recovery time
6. Display debug information and relevant information about ARP scanning
7. Configure the action taken once the level-2 threshold is exceeded.

1. Enable the ARP Scanning Prevention function.
4. Configure trusted IP
Global configuration mode
Command: anti-arpscan trust ip []
Command: no anti-arpscan trust ip []
Explanation: Set the trust attributes of IP.

5. Configure automatic recovery time
Global configuration mode
Command: anti-arpscan recovery enable
Command: no anti-arpscan recovery enable
Explanation: Enable recovery function.
Command: anti-arpscan recovery time
Command: no anti-arpscan recovery time

6.
Command: clear anti-arpscan attack-list {ip <IP Address> | all}
Explanation: Clear the ARP limit of the specific host or all the hosts manually.
Command: clear anti-arpscan attack-history-list {ip <IP Address> | all}
Explanation: Clear the history attack source information of ARP scanning prevention manually.
Admin Mode
Command: debug anti-arpscan [port | ip]
Command: no debug anti-arpscan [port | ip]
Explanation: Enable or disable the debug switch of ARP scanning prevention.

7.
192.168.1.100/24), and all the other ports of SWITCH A are connected to common PCs. The following configuration can prevent ARP scanning effectively without affecting the normal operation of the system.
SWITCH A configuration task sequence:
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.
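The port-based and IP-based thresholds, trusted sources and automatic recovery described in this chapter can be modelled as a small rate detector. This is an added example, not the switch's own implementation: the threshold values, the one-second counting window, the verdict names, the choice to exempt a packet when either its port or its source IP is trusted, and reading the recovery time as seconds are all assumptions.

```python
"""Rate-based ARP scan detection with trusted sources and automatic recovery.
Thresholds and the sample traffic are constructed for illustration."""
import ipaddress
from collections import defaultdict, deque


class ArpScanGuard:
    def __init__(self, port_threshold, ip_threshold, recovery_time,
                 trusted_ports=(), trusted_nets=()):
        self.port_threshold = port_threshold   # ARP packets per second per port (assumed)
        self.ip_threshold = ip_threshold       # ARP packets per second per source IP (assumed)
        self.recovery_time = recovery_time     # seconds until a block is lifted (assumed unit)
        self.trusted_ports = set(trusted_ports)
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.seen = defaultdict(deque)         # key -> timestamps within the last second
        self.blocked = {}                      # key -> time at which the block ends

    def is_trusted(self, port, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return port in self.trusted_ports or any(ip in n for n in self.trusted_nets)

    def count(self, key, now):
        """Record one packet for key and return its count in the last second."""
        window = self.seen[key]
        window.append(now)
        while now - window[0] >= 1.0:
            window.popleft()
        return len(window)

    def observe(self, now, port, src_ip):
        """Classify one ARP packet: trusted, blocked, block-ip, block-port or forward."""
        if self.is_trusted(port, src_ip):
            return "trusted"
        keys = (("ip", src_ip), ("port", port))
        for key in keys:
            until = self.blocked.get(key)
            if until is None:
                continue
            if now < until:
                return "blocked"
            del self.blocked[key]              # automatic recovery
            self.seen[key].clear()
        ip_count = self.count(keys[0], now)
        port_count = self.count(keys[1], now)
        if ip_count > self.ip_threshold:
            self.blocked[keys[0]] = now + self.recovery_time
            return "block-ip"
        if port_count > self.port_threshold:
            self.blocked[keys[1]] = now + self.recovery_time
            return "block-port"
        return "forward"


def replay_constructed_scan():
    """One host sends 20 ARP requests in 0.2 s, then one more after recovery."""
    guard = ArpScanGuard(port_threshold=15, ip_threshold=10, recovery_time=3600,
                         trusted_nets=["192.168.1.100/32"])
    verdicts = [guard.observe(i * 0.01, "1/0/5", "192.168.1.50") for i in range(20)]
    after_recovery = guard.observe(3601.0, "1/0/5", "192.168.1.50")
    return verdicts, after_recovery


if __name__ == "__main__":
    verdicts, after = replay_constructed_scan()
    print(verdicts)
    print("after recovery:", after)
```

The per-port counter catches the case the per-IP counter misses: several source addresses behind one port, each staying under the IP threshold.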
Chapter 33 Prevent ARP, ND Spoofing Configuration
33.1 Overview
33.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP (RFC-826) protocol is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, the IP address is 192.168.0.1 and the network card MAC address is 00-03-0F-FD-1D-2B.
after switches learn these packets, they overwrite the previously correct IP-to-MAC address mappings, so some correct mappings are replaced by the correspondence carried in the attack packets; the switch then forwards packets incorrectly, which affects the whole network.
3. Function on changing dynamic ARP, ND to static ARP, ND
Global Mode and Port Mode
Command: ip arp-security convert
Command: ipv6 nd-security convert
Explanation: Change dynamic ARP, ND to static ARP, ND.
33.3 Prevent ARP, ND Spoofing Example
[Figure: Switch connected to A, B and C]
Equipment Explanation
Equipment    Configuration                                Quality
switch       IP:192.168.2.4; IP:192.168.1.4;
A            IP:192.168.2.1; mac: 00-00-00-00-00-01       1
B            IP:192.168.1.2; mac: 00-00-00-00-00-02       1
C            IP:192.168.2.
Switch#config
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface eth 1/0/2
Switch(Config-If-Vlan1)#interface vlan 2
Switch(Config-If-Vlan2)#arp 192.168.1.2 00-00-00-00-00-02 interface eth 1/0/2
Switch(Config-If-Vlan2)#interface vlan 3
Switch(Config-If-Vlan3)#arp 192.168.2.
Chapter 34 ARP GUARD Configuration
34.1 Introduction to ARP GUARD
There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides an opportunity for ARP cheating.
related documents for details.
34.2 ARP GUARD Configuration Task List
1.
Chapter 35 Gratuitous ARP Configuration
35.1 Introduction to Gratuitous ARP
Gratuitous ARP is a kind of ARP request that is sent by the host with its own IP address as the destination of the ARP request. The basic working mode for the switch is as follows: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured to send gratuitous ARP packets on all the interfaces globally.
Admin Mode and Configuration Mode
Command: show ip gratuitous-arp [interface vlan <1-4094>]
Explanation: To display configurations about gratuitous ARP.
35.3 Gratuitous ARP Configuration Example
[Figure: Switch with Interface vlan10 (192.168.15.254 255.255.255.0) and Interface vlan1 (192.168.14.254 255.255.255.0), connected to PC1, PC2, PC3, PC4 and PC5]
Fig 5-1 Gratuitous ARP Configuration Example
For the network topology shown in the figure above, interface VLAN10 whose IP address is 192.168.15.
35.4 Gratuitous ARP Troubleshooting
Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, the debugging information about ARP packets can be retrieved through the command debug ARP send. If gratuitous ARP is enabled in global configuration mode, it can be disabled only in global configuration mode. If gratuitous ARP is configured in interface configuration mode, the configuration can only be disabled in interface configuration mode.
Chapter 36 DHCP Configuration
36.1 Introduction to DHCP
DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from the address pool, as well as other network configuration parameters such as default gateway, DNS server, default route and host image file position within the network. DHCP is the enhanced version of BOOTP.
The above four steps finish a Dynamic host configuration assignment process. However, if the DHCP server and the DHCP client are not in the same network, the server will not receive the DHCP broadcast packets sent by the client, therefore no DHCP packets will be sent to the client by the server. In this case, a DHCP relay is required to forward such DHCP packets so that the DHCP packets exchange can be completed between the DHCP client and server.
Global Mode
Command: ip dhcp pool
Command: no ip dhcp pool
Explanation: Configure DHCP Address pool. The no operation cancels the DHCP Address pool.

(2) Configure DHCP address pool parameters
DHCP Address Pool Mode
Command: network-address [mask | prefix-length]
Command: no network-address
Explanation: Configure the address scope that can be allocated to the address pool. The no operation of this command cancels the allocation address pool.
Command: option {ascii | hex <hex> | ipaddress }
Command: no option
Explanation: Configure the network parameter specified by the option code. The no command deletes the network parameter specified by the option code.
Command: lease { days [hours][minutes] | infinite }
Command: no lease
Explanation: Configure the lease period allocated to addresses in the address pool. The no command deletes the lease period allocated to addresses in the address pool.
36.3 DHCP Relay Configuration
When the DHCP client and server are in different segments, DHCP relay is required to transfer DHCP packets. Adding a DHCP relay makes it unnecessary to configure a DHCP server for each segment; one DHCP server can provide the network configuration parameters for clients from multiple segments, which is not only cost-effective but also management-effective.
2. Configure DHCP relay to forward DHCP broadcast packet.
Global Mode
Command: ip forward-protocol udp bootps
Command: no ip forward-protocol udp bootps
Explanation: The UDP port 67 is used for DHCP broadcast packet forwarding.
Interface Configuration Mode
Command: ip helper-address
Command: no ip helper-address
Explanation: Set the destination IP address for DHCP relay forwarding; the "no ip helper-address" command cancels the setting.
36.
Switch(dhcp-A-config)#dns-server 10.16.1.202
Switch(dhcp-A-config)#netbios-name-server 10.16.1.209
Switch(dhcp-A-config)#netbios-node-type H-node
Switch(dhcp-A-config)#exit
Switch(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201
Switch(config)#ip dhcp pool B
Switch(dhcp-B-config)#network 10.16.2.0 24
Switch(dhcp-B-config)#lease 1
Switch(dhcp-B-config)#default-route 10.16.2.200 10.16.2.201
Switch(dhcp-B-config)#dns-server 10.16.2.
[Figure: DHCP clients, DHCP relay (E1/0/1 192.168.1.1, E1/0/2 10.1.1.1), DHCP server (10.1.1.10)]
Fig 1-3 DHCP Relay Configuration
As shown in the above figure, the route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10. The configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.
36.5 DHCP Troubleshooting
If the DHCP clients cannot obtain IP addresses and other network parameters, the following procedures can be followed once the DHCP client hardware and cables have been verified OK. Verify that the DHCP server is running, and start the related DHCP server if it is not. If the DHCP clients and servers are not in the same physical network, verify that the router responsible for DHCP packet forwarding has the DHCP relay function.
Chapter 37 DHCPv6 Configuration
37.1 Introduction to DHCPv6
DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS address and domain name, to DHCPv6 clients. DHCPv6 is a conditional auto address configuration protocol relative to IPv6.
broadcasting a SOLICIT packet to all the DHCP relay delegation and server with broadcast address as FF02::1:2.
2. Any DHCP server which receives the request will reply to the client with an ADVERTISE message, which includes the identity of the server (DUID) and its priority.
3. It is possible that the client receives multiple ADVERTISE messages.
(2) To configure parameter of DHCPv6 address pool
3. To enable DHCPv6 server function on port

1. To enable/disable DHCPv6 service
Global Mode
Command: service dhcpv6
Command: no service dhcpv6
Explanation: To enable DHCPv6 service.

2. To configure DHCPv6 address pool
(1) To achieve/delete DHCPv6 address pool
Global Mode
Command: ipv6 dhcp pool
Explanation: To configure DHCPv6 address pool.
Command: ipv6 dhcp server [preference ] [rapid-commit] [allow-hint]
Command: no ipv6 dhcp server
Explanation: Enable the DHCPv6 server function on the specified port and bind the DHCPv6 address pool to use.
37.3 DHCPv6 Relay Delegation Configuration
DHCPv6 relay delegation configuration task list as below:
1. To enable/disable DHCPv6 service
2. To configure DHCPv6 relay delegation on port

1.
(3) To configure static prefix delegation binding
(4) To configure other parameters of DHCPv6 address pool
4. To enable DHCPv6 prefix delegation server function on port

1. To enable/delete DHCPv6 service
Global Mode
Command: service dhcpv6
Command: no service dhcpv6
Explanation: To enable DHCPv6 service.

2. To configure prefix delegation pool
Global Mode
Command: ipv6 local pool
Explanation: To configure prefix delegation pool.
Command: ngth> [iaid ] [lifetime { | infinity} { | infinity}]
Command: no prefix-delegation [iaid ]
Explanation: required static binding by client.

(4) To configure other parameter of DHCPv6 address pool
DHCPv6 address pool Configuration Mode
Command: dns-server
Command: no dns-server
Explanation: To configure DNS server address for DHCPv6 client.
Interface Configuration Mode
Command: ipv6 dhcp client pd [rapid-commit]
Command: no ipv6 dhcp client pd
Explanation: To enable the client prefix delegation request function on the specified port, and associate the prefix obtained with the universal prefix configured.
37.6 DHCPv6 Configuration Examples
Example1: When deploying IPv6 networking, the switch can be configured as a DHCPv6 server in order to manage the allocation of IPv6 addresses. Both stateful and stateless DHCPv6 are supported.
Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)#service dhcpv6
Switch3(config)#ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.
Switch2(Config-if-Vlan100)#exit
Switch2(config)#
Example2: When the network operator is deploying IPv6 networks, automatic network configuration can be achieved through the prefix delegation allocation of IPv6 addresses, instead of configuring each switch manually:
1.
Usage guide:
Switch2 configuration
Switch2>enable
Switch2#config
Switch2(config)#interface vlan 2
Switch2(Config-if-Vlan2)#ipv6 address 2001:da8:1100::1/64
Switch2(Config-if-Vlan2)#exit
Switch2(config)#service dhcpv6
Switch2(config)#ipv6 local pool client-prefix-pool 2001:da8:1800::/40 48
Switch2(config)#ipv6 dhcp pool dhcp-pool
Switch2(dhcpv6-dhcp-pool-config)#prefix-delegation pool client-prefix-pool 1800 600
Switch2(dhcpv6-dhcp-pool-config)#exit
Switch2(config)#int
Switch1(Config-if-Vlan3)#ipv6 address prefix-from-provider 0:0:0:1::1/64
Switch1(Config-if-Vlan3)#exit
Switch1(config)#ipv6 dhcp pool foo
Switch1(dhcpv6-foo-config)#dns-server 2001:4::1
Switch1(dhcpv6-foo-config)#domain-name www.ipv6.
Chapter 38 DHCP option 82 Configuration
38.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy.
SubOpt: the sequence number of sub-option, the sequence number of Circuit ID sub-option is 1, the sequence number of Remote ID sub-option is 2.
Len: the number of bytes in Sub-option Value, not including the two bytes in SubOpt segment and Len segment.
38.1.
configuration information and option 82 information to DHCP Relay Agent.
4) DHCP Relay Agent will strip the option 82 information from the reply message sent by the DHCP server, and then forward the message with the DHCP configuration information to the DHCP client.
38.
This command is used to set the retransmitting policy of the system for the received DHCP request message which contains option 82.
3. Enable the DHCP option 82 of server.
Global mode
Command: ip dhcp server relay information enable
Command: no ip dhcp server relay information enable
Explanation: This command is used to enable the switch DHCP server to identify option82. The "no ip dhcp server relay information enable" command will make the server ignore the option 82.

4.
Command: ip dhcp relay information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname)| remote-mac)| string WORD }
Command: no ip dhcp relay information option self-defined subscriber-id
Explanation: Set the creation method for option82; users can define the parameters of the circuit-id suboption by themselves.
Command: ip dhcp relay information option self-defined subscriber-id format [ascii | hex]
Explanation: Set self-defined format of circuit-id for relay option82.

7.
finish the DHCP protocol procedure. If DHCP option 82 is disabled, the DHCP server cannot distinguish whether the DHCP client is from the network connected to Switch1 or Switch2. So, all the PC terminals connected to Switch1 and Switch2 will get addresses from the public address pool of the DHCP server.
    pool {
        range 192.168.102.21 192.168.102.50;
        default-lease-time 86400; #24 Hours
        max-lease-time 172800; #48 Hours
        allow members of "Switch3Vlan2Class1";
    }
    pool {
        range 192.168.102.51 192.168.102.80;
        default-lease-time 43200; #12 Hours
        max-lease-time 86400; #24 Hours
        allow members of "Switch3Vlan2Class2";
    }
}
Now, the DHCP server will allocate addresses for the network nodes from Switch1 which are relayed by Switch3 within the range of 192.168.102.21 ~ 192.168.102.
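The SubOpt/Len/Value layout from the introduction to option 82, and the relay's removal of the option from the server's reply, can be exercised with a short parser. This is an added example, not code from the switch or from PLANET; the function names and all byte strings are constructed for illustration, and it rejects a Len byte that points past the end of the option instead of reading on.

```python
"""DHCP option 82: parse the sub-options and strip the option from a reply.
All byte strings below are constructed sample data."""

OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUBOPT_NAMES = {1: "circuit_id", 2: "remote_id"}  # SubOpt numbers from the text


class Option82Error(ValueError):
    """Raised when a Len byte points past the end of its container."""


def walk_tlv(data, single_byte=()):
    """Yield (code, value) pairs from a code/Len/value byte sequence.

    Len counts only the value bytes, not the code and Len bytes themselves.
    Codes listed in single_byte (PAD and END in the DHCP options field)
    carry no Len byte.
    """
    i = 0
    while i < len(data):
        code = data[i]
        if code in single_byte:
            yield code, b""
            i += 1
            continue
        if i + 1 >= len(data):
            raise Option82Error(f"code {code} at offset {i} has no Len byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise Option82Error(
                f"code {code} claims {length} bytes but only {len(value)} remain")
        yield code, value
        i += 2 + length


def parse_option82(options):
    """Return {'circuit_id': bytes, 'remote_id': bytes, ...}, or None if absent."""
    for code, value in walk_tlv(options, single_byte=(OPT_PAD, OPT_END)):
        if code == OPT_END:
            break
        if code == OPT_RELAY_INFO:
            return {SUBOPT_NAMES.get(sub, f"subopt_{sub}"): sub_value
                    for sub, sub_value in walk_tlv(value)}
    return None


def strip_option82(options):
    """Rebuild the options field without option 82, as the relay agent does
    before forwarding the server's reply to the client."""
    out = bytearray()
    for code, value in walk_tlv(options, single_byte=(OPT_PAD, OPT_END)):
        if code in (OPT_PAD, OPT_END):
            out.append(code)
            if code == OPT_END:
                break
        elif code != OPT_RELAY_INFO:
            out += bytes([code, len(value)]) + value
    return bytes(out)


# Constructed sample: a DHCPACK (option 53 = 5) carrying option 82.
CIRCUIT_ID = b"\x00\x02\x00\x03"             # made-up VLAN/port encoding
REMOTE_ID = bytes.fromhex("000000000001")    # made-up relay MAC
SUBOPTS = (bytes([1, len(CIRCUIT_ID)]) + CIRCUIT_ID
           + bytes([2, len(REMOTE_ID)]) + REMOTE_ID)
SAMPLE_REPLY_OPTIONS = (bytes([53, 1, 5])
                        + bytes([OPT_RELAY_INFO, len(SUBOPTS)]) + SUBOPTS
                        + bytes([OPT_END]))
# Malformed: sub-option 1 claims 9 value bytes but only 2 follow.
MALFORMED_OPTIONS = bytes([OPT_RELAY_INFO, 4, 1, 9, 0x41, 0x42, OPT_END])

if __name__ == "__main__":
    print(parse_option82(SAMPLE_REPLY_OPTIONS))
    print(strip_option82(SAMPLE_REPLY_OPTIONS).hex())
```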
Chapter 39 DHCPv6 option37, 38
39.1 Introduction to DHCPv6 option37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client wants to request addresses and configuration parameters from a DHCPv6 server on a different link, it needs to communicate with the server through a DHCPv6 relay agent.
2. Dhcpv6 relay option basic functions configuration
3. Dhcpv6 server option basic functions configuration

1. DHCPv6 snooping option basic functions configuration
Global mode
Command: ipv6 dhcp snooping remote-id option
Command: no ipv6 dhcp snooping remote-id option
Description: This command enables DHCPv6 SNOOPING to support option 37 option, no command disables it.
keep, the system keeps option 38 unchanged and forwards the packet to the server; replace, the system replaces option 38 of current packet with its own before forwarding it to the server. no command configures the reforward policy of DHCPv6 packets with option 38 as replace.
Command: no ipv6 dhcp snooping subscriber-id
Description: 38 in received DHCPv6 request packets, of which is the content of subscriber-id in user-defined option 38 and it is a string with a length of less than 128. The no operation restores subscriber-id in option 38 to vlan name together with port name such as "Vlan2+Ethernet1/0/2".

2.
37 in received DHCPv6 request packets, of which is the content of remote-id in user-defined option 37 and it is a string with a length of less than 128. The no operation restores remote-id in option 37 to enterprise-number together with vlan MAC address.
Command: no ipv6 dhcp use class
Description: DHCPv6 server to support the using of DHCPv6 class during address assignment, the no form of this command disables it without removing the relative DHCPv6 class information that has been configured.
Command: ipv6 dhcp class
Command: no ipv6 dhcp class
Description: This command defines a DHCPv6 class and enters DHCPv6 class mode, the no form of this command removes this DHCPv6 class.
Command: no address range
Description: address range for a DHCPv6 class in DHCPv6 address pool configuration mode, the no command is used to remove the address range. The prefix/plen form is not supported.
39.3 DHCPv6 option37, 38 Examples
39.3.
Switch A configuration:
SwitchA(config)#ipv6 dhcp snooping remote-id option
SwitchA(config)#ipv6 dhcp snooping subscriber-id option
SwitchA(config)#int e 1/0/1
SwitchA(config-if-ethernet1/0/1)#ipv6 dhcp snooping trust
SwitchA(config-if-ethernet1/0/1)#exit
SwitchA(config)#interface vlan 1
SwitchA(config-if-vlan1)#ipv6 address 2001:da8:100:1::1
SwitchA(config-if-vlan1)#exit
SwitchA(config)#interface ethernet 1/0/1-4
SwitchA(config-if-port-range)#switchport access vlan 1
SwitchB(dhcpv6-class-class3-config)#exit
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#class CLASS1
SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#address range 2001:da8:100:1::3 2001:da8:100:1::30
SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#class CLASS2
SwitchB(dhcpv6-pool-eastdormpool-class-class2-config)#address range 2001:da8:100:1::31 2001:da8:100:1::60
SwitchB(dhcpv6-eastd
Fig 4-2 DHCPv6 relay option schematic
Switch2 configuration:
S2(config)#service dhcpv6
S2(config)#ipv6 dhcp relay remote-id option
S2(config)#ipv6 dhcp relay subscriber-id option
S2(config)#vlan 10
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#
39.
when a false address or no address is obtained according to option 37, 38. By default the DHCPv6 server obtains option 37, 38 from the client's packets; if they are absent, it obtains option 37, 38 from the packet sent by the relay. The DHCPv6 server only checks whether the first DHCPv6 relay adds option 37, 38, which means only option 37, 38 of the innermost relay-forw is valid in relay packets.
Chapter 40 DHCP Snooping Configuration
40.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which a DHCP CLIENT obtains its IP address via the DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVERs by setting trust ports and untrust ports. DHCP messages from trust ports can be forwarded without being verified.
Automatic Recovery: A while after the switch shuts down the port or sends a blackhole, it should automatically recover the communication of the port or source MAC and send information to the Log Server via syslog.
LOG Function: When the switch discovers abnormal received packets or automatically recovers, it should send syslog information to the Log Server.
2. Enable DHCP Snooping binding
Global mode
Command: ip dhcp snooping binding enable
Command: no ip dhcp snooping binding enable
Explanation: Enable or disable the DHCP snooping binding function.

3. Enable DHCP Snooping binding ARP function
Global mode
Command: ip dhcp snooping binding arp
Command: no ip dhcp snooping binding arp
Explanation: Enable or disable the dhcp snooping binding ARP function.

4.
Command: ip user helper-address A.B.C.D [port ] source (secondary|)
Command: no ip user helper-address (secondary|)
Explanation: Set or delete helper server address.

8. Set trusted ports
Port mode
Command: ip dhcp snooping trust
Command: no ip dhcp snooping trust
Explanation: Set or delete the DHCP snooping trust attributes of ports.

9.
12. Set defense actions
Port mode
Command: ip dhcp snooping action {shutdown|blackhole} [recovery ]
Command: no ip dhcp snooping action
Explanation: Set or delete the DHCP snooping automatic defense actions of ports.

13. Set rate limitation of data transmission
Global mode
Command: ip dhcp snooping limit-rate
Command: no ip dhcp snooping limit-rate
Explanation: Set rate limitation of the transmission of DHCP snooping messages.

14.
Command:
  ip dhcp snooping information option delimiter [colon | dot | slash | space]
  no ip dhcp snooping information
Explanation: Set suboption of option82 in global mode; the no command restores the delimiter as slash.
Command:
  ip dhcp snooping information option allow-untrusted (replace|)
  no ip dhcp snooping information option allow-untrusted (replace|)
Explanation: This command allows untrusted ports of DHCP snooping to receive DHCP packets with option82. When "replace" is set, the option82 option is allowed to be replaced. When this command is disabled, all untrusted ports drop DHCP packets with option82.
40.
switch(Config-Ethernet1/0/12)#ip dhcp snooping trust
switch(Config-Ethernet1/0/12)#exit
switch(config)#interface ethernet 1/0/1-10
switch(Config-Port-Range)#ip dhcp snooping action shutdown
switch(Config-Port-Range)#
40.4 DHCP Snooping Troubleshooting Help
40.4.1 Monitor and Debug Information
The "debug ip dhcp snooping" command can be used to monitor the debug information.
40.4.
Chapter 41 DHCP option 60 and option 43
41.1 Introduction to DHCP option 60 and option 43
The DHCP server analyzes DHCP packets from the DHCP client. If a packet carries option 60, the server decides whether to return option 43 to the DHCP client according to option 60 of the packet and the configuration of option 60 and option 43 in the DHCP server address pool.
Configure the corresponding option 60 and option 43 in DHCP server address pool:
1.
string with hex format in ip dhcp pool mode.
Command:
  option 60 ip A.B.C.D
Explanation: Configure option 60 character string with IP format in ip dhcp pool mode.
Command:
  option 43 ip A.B.C.D
Explanation: Configure option 43 character string with IP format in ip dhcp pool mode.
Command:
  no option 60
Explanation: Delete the configured option 60 in the address pool mode.
Command:
  no option 43
Explanation: Delete the configured option 43 in the address pool mode.
41.
Chapter 42 IPv4 Multicast Protocol
42.1 IPv4 Multicast Protocol Overview
This chapter will give an introduction to the configuration of IPv4 Multicast Protocol.
42.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet transmission (including data, sound and video) is a minority of the users in the network. One way is to use Unicast mode, i.e.
1. Enhance efficiency: reduce network traffic, lighten the load of server and CPU
2. Optimize performance: reduce redundant traffic
3. Distributed application: Enable Multipoint Application
42.1.2 Multicast Address
The destination address of a Multicast message uses a class D IP address in the range from 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message.
224.0.0.10 IGRP Router
224.0.0.11 Active Agent
224.0.0.12 DHCP Server/Relay Agent
224.0.0.13 All PIM Routers
224.0.0.14 RSVP Encapsulation
224.0.0.15 All CBT Routers
224.0.0.16 Specified SBM
224.0.0.17 All SBMS
224.0.0.18 VRRP
224.0.0.22 IGMP
When Ethernet transmits Unicast IP messages, the destination MAC address it uses is the receiver's MAC address.
e data packet will be discarded otherwise.
42.1.4 IP Multicast Application
IP Multicast technology has effectively solved the problem of sending from a single point and receiving at multiple points. It has achieved effective data transmission from one point to multiple points, saved a great deal of network bandwidth and reduced network load. Making use of the Multicast property of the network, some new value-added operations can be supplied conveniently.
n the received response message, and sends out a query for the specific group (IGMP version 2) when it receives the report of a host leaving the group, to determine whether any member remains in that specific group. Up to now, there are three versions of IGMP: IGMP version1 (defined by RFC1112), IGMP version2 (defined by RFC2236) and IGMP version3 (defined by RFC3376).
The main improvements of IGMP version2 over version1 are:
1.
10.1.1.2; when a host sends a report of EXCLUDE{192.168.1.1} to some group G, it means the host needs the traffic from all sources of group G except 192.168.1.1. This is a great difference from the previous IGMP versions.
The main improvements of IGMP Version3 over IGMP Version1 and Version2 are:
1. The status to be maintained is group and source list, not only the groups as in IGMPv2.
2. The interoperations with IGMPv1 and IGMPv2 are defined in IGMPv3 status.
3.
There are no specific commands for enabling IGMP Protocol on the Layer 3 switch. Enabling any multicast protocol under the corresponding interface will automatically enable IGMP.
Command (Global Mode):
  ip dvmrp multicast-routing | ip pim multicast-routing
Explanation: Enabling a global multicast protocol is the prerequisite for enabling the IGMP protocol; the "no ip dvmrp multicast-routing | no ip pim multicast-routing" commands disable the multicast protocol and the IGMP protocol.
3) Configure the time-out of IGMP query
Command (Interface Configuration Mode):
  ip igmp query-interval
  no ip igmp query-interval
Explanation: Configure the interval of IGMP query messages sent periodically; the "no ip igmp query-interval" command restores default value.
Command (Interface Configuration Mode):
  ip igmp query-max-response-time
Fig 1-1 IGMP Network Topology Diagram (SWITCH A and SWITCH B, ports Ethernet 1/0/1 and Ethernet 1/0/2, vlan1 and vlan2)
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
Switch(config)#ip pim multicast-routing
Switch (config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 12.1.1.1 255.255.255.
Afterwards, make sure that a multicast protocol is started on the interface;
Multicast Protocol requires RPF Check using unicast routing; therefore the correctness of unicast routing must be assured beforehand.
42.3 IGMP Snooping
42.3.1 Introduction to IGMP Snooping
IGMP (Internet Group Management Protocol) is a protocol used in IP multicast.
Command (Global Mode):
  ip igmp snooping vlan
  no ip igmp snooping vlan
Explanation: Enables IGMP Snooping for specified VLAN. The no operation disables IGMP Snooping for specified VLAN.
Command (Global Mode):
  ip igmp snooping proxy
  no ip igmp snooping proxy
Explanation: Enable IGMP Snooping proxy function, the no command disables the function.
Command:
  ip igmp snooping vlan mrouter-port learnpim
  no ip igmp snooping vlan mrouter-port learnpim
Explanation: Enable the function that the specified VLAN learns mrouter-port (according to pim packets), the no command will disable the function.
Command:
  ip igmp snooping vlan mrpt
Explanation: Configure this survive time of mrouter port.
Command:
  ip igmp snooping vlan report source-address
  no ip igmp snooping vlan report source-address
Explanation: Configure forwarding IGMP packet source address. The no operation cancels the packet source address.
Command:
  ip igmp snooping vlan specific-query-mrsp
  no ip igmp snooping vlan specific-query-mrspt
Explanation: Configure the maximum query response time of the specific group or source, the no command restores the default value.
42.3.
Switch(config)#ip igmp snooping vlan 100
Switch(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/0/1
Multicast Configuration
Suppose two programs are provided in the Multicast Server using multicast addresses Group1 and Group2. Three of the four hosts running multicast applications are connected to ports 2, 6 and 10 and play program 1, while the host connected to port 12 plays program 2.
SwitchA(config)#ip igmp snooping
SwitchA(config)#ip igmp snooping vlan 60
SwitchA(config)#ip igmp snooping vlan 60 L2-general-querier
SwitchB#config
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 100
SwitchB(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/0/1
Multicast Configuration
The same as scenario 1
IGMP Snooping listening result:
Similar to scenario 1
Scenario 3: To run in cooperation with layer 3 multicast protocols.
n properly because of physical connection or configuration mistakes.
Command (Global Mode):
  ip igmp proxy
  no ip igmp proxy
Explanation: Enable IGMP Proxy function. The "no ip igmp proxy" disables this function.
2. Enable configurations for both downstream and upstream ports for the IGMP Proxy in different interfaces
Command (Interface Configuration Mode):
  ip igmp proxy upstream
  no ip igmp proxy upstream
Explanation: Enable IGMP Proxy upstream function.
Command (Interface Configuration Mode):
  ip igmp proxy downstream
  no ip igmp proxy downstream
Command:
  ip multicast ssm range <1-99>
  ip multicast ssm default
  no ip multicast ssm
Explanation: To configure the address range for IGMP proxy ssm multicast groups; the no form of this command will remove the configuration.
Command:
  ip igmp proxy multicast-source
  no ip igmp proxy multicast-source
Explanation: To configure the port as downstream ports for the source of multicast datagram; the no form of this command will disable the configuration.
42.4.
The configuration steps are listed below:
Switch#config
Switch(config)#ip igmp proxy
Switch(Config)#interface vlan 1
Switch(Config-if-Vlan1)#ip igmp proxy upstream
Switch(Config)#interface vlan 2
Switch(Config-if-Vlan2)#ip igmp proxy downstream
Multicast Configuration:
Suppose the multicast server offers some programs through 224.1.1.1. Some hosts subscribe to that program at the edge of the network.
wnstream ports. Three IGMP Proxy enabled switches are connected in a tree topology; each has one port connected to multicast routers and at least one port connected to hosts or to upstream ports of other IGMP Proxy enabled switches.
Make sure to configure one upstream port and at least one downstream port under interface configuration mode (use ip igmp proxy upstream, ip igmp proxy downstream);
Use the show ip igmp proxy command to check whether the IGMP Proxy information is correct.
Chapter 43 IPv6 Multicast Protocol
43.1 MLD
43.1.1 Introduction to MLD
MLD (Multicast Listener Discovery) is the multicast group member (receiver) discovery protocol serving IPv6 multicast. It is similar to IGMP Protocol in IPv4 multicast application. Correspondingly, MLD Protocol version1 is similar to IGMP Protocol version2, and MLD Protocol version2 is similar to IGMP Protocol version3. Current firmware supports MLDv1/MLDv2.
1. Start MLD (Required)
2. Configure MLD auxiliary parameters (Required)
(1) Configure MLD group parameters
1) Configure MLD group filter conditions
(2) Configure MLD query parameters
1) Configure the interval of MLD sending query message
2) Configure the maximum response time of MLD query
3) Configure overtime of MLD query
3. Shut down MLD Protocol
1. Start MLD Protocol
There is no special command for starting MLD Protocol on EDGECORE series layer 3 switches.
2) Configure the maximum response time of MLD query
3) Configure the overtime of MLD query
Command (Port Configuration Mode):
  ipv6 mld query-interval
  no ipv6 mld query-interval
Explanation: es sent periodically; the NO operation of this command restores the default value.
Command (Port Configuration Mode):
  ipv6 mld query-max-response-time
Switch (config) #ipv6 pim multicast-routing
Switch (config) #ipv6 pim rp-address 3FFE::1
Switch (config) #interface vlan 1
Switch (Config-if-Vlan1) #ipv6 address 3FFE::1/64
Switch (Config-if-Vlan1) #ipv6 pim sparse-mode
(2) Configure SwitchB:
Switch (config) #ipv6 pim multicast-routing
Switch (config) #ipv6 pim rp-address 3FFE::1
Switch (config) #interface vlan1
Switch (Config-if-Vlan1) #ipv6 address 3FFE::2/64
Switch (Config-if-Vlan1) #ipv6 pim sparse-mode
Switch (Con
e IPv6. MLD is used by network equipment such as routers that support multicast for multicast listener discovery. It is also used by listeners that wish to join a certain multicast group, to inform the router that they want to receive data packets from a certain multicast address. All of this is done through MLD message exchange. First the router sends an MLD Multicast Listener Query message through a multicast address which can address all the listeners (namely ff02::1).
d> limit
Command:
  ipv6 mld snooping vlan l2-general-querier
  no ipv6 mld snooping vlan l2-general-querier
Explanation: Set the VLAN level 2 general querier, which is recommended on each segment. The "no" form o ier configuration.
  no ipv6 mld snooping vlan suppression-query-time
Command:
  ipv6 mld snooping vlan static-group [source <X:X::X:X>] interface [ethernet | port-channel]
  no ipv6 mld snooping vlan static-group [source ] interface [ethernet | port-channel]
Explanation: Configure static-group on specified port of the VLAN. The no form of the command cancels this configuration.
43.2.
Multicast configuration:
Assume there are two multicast servers: Multicast Server 1 and Multicast Server 2. Programs 1 and 2 are supplied on Multicast Server 1 and program 3 on Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively. Multicast applications are running concurrently on the four hosts.
Fig 2-3 Switch as MLD Querier Function figure
Configuration of switch B is the same as the switches in case 1, and here switch 1 replaces the Multicast Router in case 1. Assume the vlan 60 configured on it contains ports 1, 2, 10 and 12, among which port 1 is connected to the multicast server and port 2 to switch2.
By looking up the layer 3 IP6MC entries, it can be found that ports can be indicated by the layer 3 multicast entries. This ensures the MLD Snooping can work in cooperation with the layer 3 multicast protocols.
43.2.4 MLD Snooping Troubleshooting
In configuring and using MLD Snooping, the MLD Snooping server may fail to run properly due to physical connection failure, wrong configuration, etc.
Chapter 44 Multicast VLAN
44.1 Introductions to Multicast VLAN
With the current multicast on-demand method, when users in different VLANs order the same multicast stream, each VLAN copies the multicast traffic within that VLAN, which is a great waste of bandwidth. By configuring the multicast VLAN, we add the switch port to the multicast VLAN; with the IGMP Snooping/MLD Snooping functions enabled, users from different VLANs share the same multicast VLAN.
Command:
  multicast-vlan mode {dynamic| compatible}
  no multicast-vlan mode {dynamic| compatible}
Explanation: Configure the two modes of multicast vlan. The no command cancels the mode configuration.
2. Configure the IGMP Snooping
Command (Global Mode):
  ip igmp snooping vlan
  no ip igmp snooping vlan
Explanation: Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables the IGMP Snooping on the multicast VLAN.
switchA is connected with layer 2 switches through port 1/0/10, which is configured as a trunk port. On switchB, VLAN100 is configured to contain port 1/0/15, and VLAN101 to contain port 1/0/20. PC1 and PC2 are connected to port 1/0/15 and 1/0/20 respectively. switchB is connected with switchA through port 1/0/10, which is configured as a trunk port. VLAN 20 is a multicast VLAN.
SwitchB(config-vlan20)#exit
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 20
When the multicast VLAN supports IPv6 multicast, the usage is the same as with IPv4, except that MLD Snooping is used, so no example is given.
Chapter 45 ACL Configuration
45.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access through the switches, effectively safeguarding the security of networks. The user can lay down a set of rules according to some information specific to packets; each rule describes the action for a packet that matches certain information: "permit" or "deny".
The current firmware only supports ingress ACL configuration.
45.1.3 Access-list Action and Global Default Action
There are two access-list actions and default actions: "permit" or "deny". The following rules apply:
An access-list can consist of several rules. Filtering of packets compares packet conditions to the rules, from the first rule to the first matched rule; the rest of the rules will not be processed.
(10) Configuring a numbered standard IPv6 access-list
(11) Configuring a numbered extended IPv6 access-list
(12) Configuring a standard IPv6 access-list based on nomenclature
a) Create a standard IPv6 access-list based on nomenclature
b) Specify multiple permit or deny rule entries
c) Exit ACL Configuration Mode
(13) Configuring an extended IPv6 access-list based on nomenclature.
access-list {deny | permit} icmp {{ } | any-source | {host-source }} {{ } | any-destination | {host-destination }} [ []] [precedence ] [tos ][time-range<time-range-name>]
access-list {deny | permit} igmp {{ } | any-source | {host-source }} {{ } | any-destination | {host-destination }} [] [precedence
Command:
  no access-list
Explanation: Deletes a numbered extended IP access-list.
(3) Configuring a standard IP access-list based on nomenclature
a. Create a name-based standard IP access-list
Command (Global Mode):
  ip access-list standard
  no ip access-list standard
Explanation: Creates a standard IP access-list based on nomenclature; the "no ip access-list standard " command deletes the name-based standard IP access-list.
b.
Command:
  [no] {deny | permit} icmp {{ } | any-source | {host-source }} {{ } | any-destination | {host-destination }} [ []] [precedence ] [tos ][time-range]
Explanation: Creates an extended name-based ICMP IP access rule; the no form command deletes this name-based extended IP access rule.
(5) Configuring a numbered standard MAC access-list
Command (Global Mode):
  access-list{deny|permit}{any-source-mac|{host-source-mac}|{}}
  no access-list
Explanation: Creates a numbered standard MAC access-list, if the access-list already exists, the ent access-list; the "no access-list " command deletes a numbered standard MAC access-list.
Extended name-based MAC access rule Mode
Command:
  [no]{deny|permit}{any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac } |{< dmac> }} [cos [] [vlanId [][ethertype[]]]]
  [no]{deny|permit} {any-source-mac |{host-source-mac}|{}} {any-desti
Explanation: Creates an extended name-based MAC access rule matching MAC f
Command:
  [no]{deny|permit}{any-source-mac|{host-source-mac }|{}} {any-destination-mac|{host-destination-mac}|{}} [tagged-802-3 [cos []] [vlanId []]]
Explanation: Creates an name-based extended MAC access rule ma the no form command delet d MAC access rule.
c.
k>}}{any-destination-mac|{host-destination-mac }|{}}tcp {{ }|any-source| {host-source}} [s-port { | range }] {{
Explanation: ed access-list of specified n an access-list will be create
Command:
  mac-ip-access-list extended
  no mac-ip-access-list extended
Explanation: Creates an extended name-based MAC-IP access rule; the no form command deletes this name-based extended MAC-IP access rule.
b.
Command:
  [no]{deny|permit}{any-source-mac|{host-source-mac}|{}} {any-destination-mac|{host-destination-mac }|{}}udp card>}|any-source| {{}} [s-port { | range }] {{}|any-destination| {host-destination }} [d-port { | range }]
Explanation: Creates an extended name-based MA
(11) Configuring a numbered extended IPv6 access-list
Command (Global Mode):
  ipv6 access-list {deny | permit} icmp {{} | any-source | {host-source }} { | any-destination | {host-destination }} [ []] [dscp ] [flow-label ][time-range]
  ipv6 access-list {deny | permit} tcp {{<sIPv6Prefix/sPrefixlen>} | any-source | {ho
Command:
  ipv6 access-list standard
  no ipv6 access-list standard
Explanation: Creates a standard IP access-list based on nomenclature; the no command deletes the name-based standard IPv6 access-list.
b.
-name>]
Command:
  [no] {deny | permit} tcp { | any-source | {host-source }} [s-port
Explanation: access rule; the no form command deletes this name-based extended IPv6 access rule.
e>]
c. Exit extended IPv6 ACL configuration mode
Command (Extended IPv6 ACL Mode):
  exit
Explanation: Exits extended name-based IPv6 ACL configuration mode.
2. Configuring packet filtering function
(1) Enable global packet filtering function
Command (Global Mode):
  firewall enable
Explanation: Enables global packet filtering function.
Command (Global Mode):
  firewall disable
Explanation: Disables global packet filtering function.
Command:
  absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday}
  periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays |
Explanation: Configure the time range for the request of the week, and every week will run by the time range.
Command:
  clear access-group (in | out) statistic interface { | ethernet }
Explanation: Clear the filtering information of the specified port.
45.3 ACL Example
Scenario 1:
The user has the following configuration requirement: port 10 of the switch connects to the 10.0.0.0/24 segment, and ftp is not desired for the user.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
Switch(config)#access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#mac-ip access-group 3110 in
Switch(Config-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch(Config-If-Ethernet1/0/10)#ipv6 access-group 600 in
Switch(Config-If-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Ethernet1/0/2: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/0/5: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/0/7: IP Ingress access-list used is 1, traffic-statistics Disable.
45.4 ACL Troubleshooting
Checking for entries in the ACL is done in a top-down order and ends whenever an entry is matched.
on the interface, which is configured in physical interface mode, the configuration will fail to take effect.
When no physical interfaces are configured in the VLAN, the ACL configuration of the VLAN will be removed. It cannot be recovered if new interfaces are added to the VLAN.
When the interface mode is changed from access mode to trunk mode, the ACL configured in VLAN interface mode which is bound to the physical interface will be removed.
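The top-down, first-match rule of 45.1.3 and 45.4 means that rule order decides the outcome. The following is an added example, not taken from this guide or from the switch firmware: a simplified Python model (source address, wildcard mask and destination port only) that evaluates a rule list and reports rules that can never match. The class and function names and both rule lists are constructed for illustration, using the 10.0.0.0/24 "no ftp" requirement of Scenario 1 and assuming FTP control traffic on TCP port 21.

```python
"""First-match ACL evaluation with wildcard masks (simplified, constructed model)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ip(text: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                      # source address
    wildcard: str                 # inverse mask: 1 bits are ignored (0.0.0.255 = /24)
    d_port: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, src: str, d_port: Optional[int]) -> bool:
        if self.proto not in ("ip", proto):
            return False
        care = ~ip(self.wildcard) & MASK32
        if (ip(src) ^ ip(self.src)) & care:
            return False
        return self.d_port is None or self.d_port == d_port

    def covers(self, later: "Rule") -> bool:
        """True when every packet that matches `later` also matches this rule."""
        if self.proto not in ("ip", later.proto):
            return False
        if self.d_port is not None and self.d_port != later.d_port:
            return False
        mine, theirs = ip(self.wildcard), ip(later.wildcard)
        if theirs & ~mine & MASK32:   # `later` ignores a bit that this rule checks
            return False
        return not ((ip(self.src) ^ ip(later.src)) & ~mine & MASK32)


def evaluate(rules: List[Rule], default: str, proto: str, src: str,
             d_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule).

    `default` stands for the global default action and is used, with index
    None, only when no rule matches.
    """
    for index, rule in enumerate(rules):
        if rule.matches(proto, src, d_port):
            return rule.action, index      # remaining rules are not processed
    return default, None


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) index pairs where `later` can never be the first match."""
    found = []
    for later in range(len(rules)):
        for earlier in range(later):
            if rules[earlier].covers(rules[later]):
                found.append((later, earlier))
                break
    return found


# Constructed rule lists: the same two rules in two different orders.
MISORDERED = [
    Rule("permit", "ip", "10.0.0.0", "0.0.0.255"),
    Rule("deny", "tcp", "10.0.0.0", "0.0.0.255", d_port=21),
]
ORDERED = [MISORDERED[1], MISORDERED[0]]

if __name__ == "__main__":
    for name, acl in (("misordered", MISORDERED), ("ordered", ORDERED)):
        verdict = evaluate(acl, "permit", "tcp", "10.0.0.5", 21)
        print(name, verdict, "shadowed:", shadowed(acl))
```

In the misordered list the broad permit is matched first, so the FTP deny is never reached; running `shadowed()` over a rule list before binding it to a port catches this kind of ordering mistake.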
Chapter 46 Self-defined ACL Configuration
46.1 Introduction to Self-defined ACL
ACL (Access Control Lists) is a packet filtering mechanism implemented by the switch, providing network access control by granting or denying access through the switch, effectively safeguarding the security of networks.
46.1.2 Digital Self-defined ACL
Digital self-defined ACL can configure multiple ACL lists, and each of them can configure multiple rules. The number of the issued lists depends on the type of the card. One rule can configure value and mask for 16 windows at most. The length of every window is 2 bytes; the name range of the self-defined ACL list is <1200-1299>.
46.2 Self-defined ACL Configuration
Task list of self-defined ACL configuration:
1.
[window7 ] [window8 ]
no userdefined-access-list
3. Bind the userdefined acl rule to the port
Command (Port Mode):
  [no] userdefined access-group {| } {in} [traffic-statistic]
Explanation: Apply userdefined-access-list to one direction of the port. Decide whether the statistical counter should be added to the ACL according to the options. The no command deletes the configuration bound to the port.
4.
Switch(config)#interface ethernet 1/1
Switch(config-if-ethernet1/1)#userdefined access-group 1200 in
Switch(config)#exit
Configuration result:
Switch #show access-lists
userdefined-access-list standard 1200(used 1 time(s)) 1 rule(s)
rule ID 1: deny window1 0003 ffff
Switch#show access-group interface ethernet 1/1
interface name:Ethernet1/1
Userdefined Ingress access-list used is 1200, traffic-statistics Disable.
46.
Chapter 47 802.1x Configuration
47.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, and was designed to provide a way to authenticate users who access a wireless LAN.
Fig 3-1 The Authentication Structure of 802.1x
The supplicant system is an entity on one end of the LAN segment that should be authenticated by the access controlling unit on the other end of the link. A supplicant system is usually a user terminal device. Users start 802.1x authentication by starting the supplicant system software. A supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).
The PAE of the authenticator system authenticates the supplicant systems that need to access the LAN via the authentication server system, and handles the authenticated/unauthenticated state of the controlled port according to the result of the authentication.
Fig 3-2 the Work Mechanism of 802.1x
EAP messages adopt the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system in the environment of LAN.
EAP-Packet (whose value is 0x00): the authentication information frame, used to carry EAP messages. This kind of frame can pass through the authenticator system to transmit EAP messages between the supplicant system and the authentication server system.
EAPOL-Start (whose value is 0x01): the frame to start authentication.
EAPOL-Logoff (whose value is 0x02): the frame requesting to quit.
EAPOL-Key (whose value is 0x03): the key information frame.
Fig 3-5 the Format of Data Domain in Request and Response Packets
Identifier: to assist matching the Request and Response messages.
Length: the length of the EAP packet, covering the domains of Code, Identifier, Length and Data, in bytes.
Data: the content of the EAP packet, depending on the Code type.
47.1.4 The Encapsulation of EAP Attributes
RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator.
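The EAPOL frame types and the EAP Code/Identifier/Length/Data layout described in 47.1.3 can be checked with a small parser. This is an added example, not code from this guide or from the switch: it assumes untagged Ethernet frames, uses the standard PAE Ethernet type 0x888E, PAE group address and EAP code and method numbers, and all function names and sample frames are constructed for illustration.

```python
"""Parse EAPOL frames and the EAP packet they carry, with length checks."""
import struct

EAPOL_ETHERTYPE = 0x888E                      # PAE Ethernet type
PAE_GROUP = bytes.fromhex("0180c2000003")     # PAE group destination address
EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start",
               0x02: "EAPOL-Logoff", 0x03: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
               21: "EAP-TTLS", 25: "PEAP"}


class EapolError(ValueError):
    """Raised when a frame violates the EAPOL or EAP length and type rules."""


def parse_eap(body: bytes) -> dict:
    """Parse Code, Identifier, Length and (for Request/Response) the Type."""
    if len(body) < 4:
        raise EapolError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise EapolError(f"unknown EAP code {code}")
    # Length covers Code, Identifier, Length and Data; it must fit the body.
    if length < 4 or length > len(body):
        raise EapolError("EAP Length disagrees with the EAPOL packet body")
    eap = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (1, 2):
        if length < 5:
            raise EapolError("Request/Response without a Type byte")
        eap["method"] = EAP_METHODS.get(body[4], f"type-{body[4]}")
        eap["type_data"] = body[5:length]
    elif length != 4:
        raise EapolError("Success/Failure must not carry data")
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an untagged Ethernet frame that carries EAPOL."""
    if len(frame) < 18:
        raise EapolError("frame too short for Ethernet and EAPOL headers")
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise EapolError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    if ptype not in EAPOL_TYPES:
        raise EapolError(f"unknown EAPOL type 0x{ptype:02x}")
    body = frame[18:18 + body_len]            # ignores trailing Ethernet padding
    if len(body) != body_len:
        raise EapolError("Packet Body Length runs past the end of the frame")
    return {
        "dst": frame[0:6].hex("-"),
        "src": frame[6:12].hex("-"),
        "version": version,
        "type": EAPOL_TYPES[ptype],
        "eap": parse_eap(body) if ptype == 0x00 else None,
    }


def build_frame(src: bytes, ptype: int, body: bytes) -> bytes:
    """Build a sample EAPOL frame (protocol version 1) for the demo below."""
    header = struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body))
    return PAE_GROUP + src + header + body


# Constructed sample frames; the MAC addresses and identity are made up.
SWITCH = bytes.fromhex("001122334455")
HOST = bytes.fromhex("00aabbccddee")
START = build_frame(HOST, 0x01, b"")
REQ_IDENTITY = build_frame(SWITCH, 0x00, struct.pack("!BBHB", 1, 7, 5, 1))
RESP_IDENTITY = build_frame(HOST, 0x00, struct.pack("!BBHB", 2, 7, 9, 1) + b"user")
BAD_LENGTH = build_frame(HOST, 0x00, struct.pack("!BBHB", 2, 7, 200, 1) + b"user")

if __name__ == "__main__":
    for frame in (START, REQ_IDENTITY, RESP_IDENTITY, BAD_LENGTH):
        try:
            print(parse_eapol(frame))
        except EapolError as err:
            print("rejected:", err)
```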
47.1.5 The Authentication Methods of 802.1x
The authentication can be started either by the supplicant system on its own initiative or by devices. When the device detects unauthenticated users accessing the network, it sends EAP-Request/Identity messages to the supplicant system to start authentication. On the other hand, the supplicant system can send an EAPOL-Start message to the device via supplicant software. 802.
EAP-MD5
EAP-TLS (Transport Layer Security)
EAP-TTLS (Tunneled Transport Layer Security)
PEAP (Protected Extensible Authentication Protocol)
They will be described in detail in the following part.
Attention:
The switch, as the access controlling unit of Pass-through, will not check the content of a particular EAP method, so it can support all the EAP methods above and all the EAP authentication methods that may be extended in the future.
Fig 3-9 the Authentication Flow of 802.1x EAP-MD5
2. EAP-TLS Authentication Method
EAP-TLS is brought up by Microsoft based on EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess a digital certificate to implement bidirectional authentication.
Fig 3-10 the Authentication Flow of 802.1x EAP-TLS
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide an authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate. The only requirement is that the RADIUS server should have a digital certificate.
open standard. It has long been utilized in products and provides very good security. Its design of protocol and security is similar to that of EAP-TTLS, using a server's PKI certificate to establish a safe TLS tunnel in order to protect user authentication.
The following figure illustrates the basic operation flow of the PEAP authentication method.
Fig 3-11 the Authentication Flow of 802.1x PEAP
1.1.1.
Fig 3-12 the Authentication Flow of 802.1x EAP Termination Mode
47.1.6 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
network, while the others cannot. When one user becomes offline, the other users will not be affected.
When the user-based (IP address + MAC address + port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced control.
mode, and on the ports whose link type is Access.
2. Guest VLAN
Guest VLAN feature is used to allow the unauthenticated user to access some specified resources.
The user authentication port belongs to a default VLAN (Guest VLAN) before passing the 802.1x authentication, with the right to access the resources within this VLAN without authentication. But the resources in other networks are beyond reach.
1. Enable 802.1x function
Command (Global Mode):
  dot1x enable
  no dot1x enable
Explanation: Enables the 802.1x function in the switch and ports; the no command disables the 802.1x function.
Command (Global Mode):
  dot1x privateclient enable
  no dot1x privateclient enable
Explanation: Enables the switch to force client software to use the private 802.1x authentication packet format. The no command will disable this function.
Command:
  dot1x max-user userbased
  no dot1x max-user userbased
Explanation: Set the upper limit of the number of users allowed to access the specified port, only used when the access control mode of the port is userbased; the no command is used to reset the limit to 10 by default.
Command:
  dot1x guest-vlan
  no dot1x guest-vlan
Explanation: Set the guest vlan of the specified port; the no command is used to delete the guest vlan.
3. Supplicant related property configuration

Command / Explanation
Global Mode
dot1x max-req
no dot1x max-req
    Sets the number of EAP request/MD5 frames to be sent before the switch re-initiates authentication on no supplicant response; the no command restores the default setting.
dot1x re-authentication
no dot1x re-authentication
    Enables periodical supplicant authentication; the no command disables this function.
[Diagram labels: Update server, Authenticator server, SWITCH, Ethernet1/0/2, Ethernet1/0/3, Ethernet1/0/6, VLAN2, VLAN5, VLAN10, VLAN100, Internet, User]

Fig 3-13 The Network Topology of Guest VLAN

Notes: in the figures in this section, E2 means Ethernet 1/0/2, E3 means Ethernet 1/0/3 and E6 means Ethernet 1/0/6.

As shown in the next figure, a switch accesses the network using 802.1x authentication, with a RADIUS server as its authentication server.
henticated or when the user fails to do so, port Ethernet1/0/2 is added into VLAN10, allowing the user to access the Update Server.
# Set the link type of the port as access mode.
Switch(Config-If-Ethernet1/0/2)#switch-port mode access
# Set the access control mode on the port as portbased.
Switch(Config-If-Ethernet1/0/2)#dot1x port-method portbased
# Set the access control mode on the port as auto.
Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
# Set the port’s Guest VLAN as 100.
S authentication server, which has an IP address of 10.1.1.3, and use the default port 1812 for authentication and port 1813 for accounting. IEEE 802.1x authentication client software is installed on the PC and is used in IEEE 802.1x authentication.

The configuration procedures are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.
respectively. Install the IEEE802.1x authentication client software on the computer, and use the client for IEEE802.1x authentication.
Chapter 48 The Number Limitation Function of MAC and IP in Port, VLAN Configuration

48.1 Introduction to the Number Limitation Function of MAC and IP in Port, VLAN

MAC address list is used to identify the mapping relationship between the destination MAC addresses and the ports of switch. There are two kinds of MAC addresses in the list: static MAC address and dynamic MAC address.
f MAC address on each port and the number of ARP, ND on each INTERFACE VLAN. The number of static or dynamic MAC addresses on a port should not exceed the configuration. The number of users on each VLAN should not exceed the configuration, either. Limiting the number of MAC and ARP list entries can avoid DoS attacks to a certain extent.
4. Configure the violation mode of ports
5. Display and debug the relative information of number limitation of MAC and IP on ports

1. Enable the number limitation function of MAC and IP on ports

Command / Explanation
Port configuration mode
switchport mac-address dynamic maximum
no switchport mac-address dynamic ma
    Enable and disable the number limitation function of MAC on the ports.
Command / Explanation
Port mode
switchport mac-address violation {protect | shutdown} [recovery <5-3600>]
no switchport mac-address violation
    Set the violation mode of the port, the no command restores the violation mode to protect.

5.
48.
48.4 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help

The number limitation function of MAC and IP in Port, VLAN is disabled by default; if users need to limit the number of users accessing the network, they can enable it. If the number limitation function of MAC address cannot be configured, please check whether Spanning-tree, dot1x, TRUNK is running on the switch and whether the port is configured as a MAC-binding port.
Chapter 49 Operational Configuration of AM Function

49.1 Introduction to AM Function

AM (Access Management) means that when a switch receives an IP or ARP message, it will compare the information extracted from the message (such as source IP address or source MAC-IP address) with the configured hardware address pool.
2. Enable AM function on an interface

Command / Explanation
Port Mode
am port
no am port
    Enable/disable AM function on the port. When the AM function is enabled on the port, no IP or ARP message will be forwarded by default.

3. Configure the forwarding IP

Command / Explanation
Port Mode
am ip-pool
no am ip-pool
    Configure the forwarding IP of the port.

4.
49.3 AM Function Example

[Diagram labels: Internet, SWITCH, Port1, Port2, HUB1, HUB2, PC1, PC2, ..., PC30]

Fig 5-1 A typical configuration example of AM function

In the topology above, 30 PCs, after being converged by HUB1, connect with interface1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. Considering security, the system manager will only take users with an IP address within that range as legal ones.
Chapter 50 Security Feature Configuration

50.1 Introduction to Security Feature

Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, which is a simple but effective destructive attack on the internet.
Command / Explanation
Global Mode
[no] dosattack-check tcp-flags enable
    Enable/disable checking TCP label function.
[no] dosattack-check ipv4-first-fragment enable
    Enable/disable checking IPv4 fragment. This command has no effect when used separately, but if this function is not enabled, the switch will not drop the IPv4 fragment packet containing unauthorized TCP labels.

50.2.
dosattack-check tcp-header
    Configure the minimum permitted TCP head length of the packet. This command has no effect when used separately; the user should also enable dosattack-check tcp-fragment enable.

50.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence

1. Enable the prevent ICMP fragment attack function
2. Configure the max permitted ICMPv4 net load length
3.
mented and its net length is normally smaller than 100.
Chapter 51 TACACS+ Configuration

51.1 Introduction to TACACS+

TACACS+ (terminal access controller access control protocol) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. Three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
tacacs-server authentication host [port ] [timeout ] [key {0 | 7} ] [primary]
no tacacs-server authentication host <ip-address>
    Configure the IP address, listening port number, the value of timeout timer and the key string of the TACACS+ server; the no form of this command deletes the TACACS+ authentication server.

3.
ion.
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#tacacs-server authentication host 10.1.1.3
Switch(config)#tacacs-server key test
Switch(config)#authentication line vty login tacacs

51.4 TACACS+ Troubleshooting

In configuring and using TACACS+, TACACS+ authentication may fail due to reasons such as physical connection failure or wrong configurations.
Chapter 52 RADIUS Configuration

52.1 Introduction to RADIUS

52.1.1 AAA and RADIUS Introduction

AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management.
d is shown as below:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge

Identifier field (1 octet): Identifier for the request and answer packets.
Length field (2 octets): The length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes.
Authenticator field (16 octets): used for validation of the packets received from the RADIUS server.
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
39 Framed-AppleTalk-Zone
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port

Length field (1 octet): the length in octets of the attribute, including Type, Length and Value fields.
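The packet layout described above (Code, Identifier, Length, Authenticator, then Type/Length/Value attributes) can be checked in code. The following is an added example, not code from the guide or from the switch firmware: it parses a RADIUS datagram with bounds checks on both length fields and validates the Authenticator of a reply the way RFC 2865 defines it (MD5 over the packet with the request's authenticator and the shared key). The sample packet is constructed, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# Packet codes as listed in the guide's Code field table.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge"}
# Attribute types from the part of the guide's attribute table shown above.
ATTR_NAMES = {18: "Reply-Message", 19: "Callback-Number", 20: "Callback-Id",
              22: "Framed-Route", 39: "Framed-AppleTalk-Zone",
              60: "CHAP-Challenge", 61: "NAS-Port-Type", 62: "Port-Limit",
              63: "Login-LAT-Port"}

HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096    # upper bound for the Length field in RFC 2865


def parse_packet(data):
    """Split a RADIUS datagram into header fields and (type, value) pairs."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not HEADER_LEN <= length <= MAX_LEN:
        raise ValueError("Length field out of range: %d" % length)
    if length > len(data):
        raise ValueError("datagram shorter than its Length field")
    attrs, off = [], HEADER_LEN
    while off < length:                  # octets past Length are padding
        if length - off < 2:
            raise ValueError("attribute header truncated")
        a_type, a_len = data[off], data[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("bad length for attribute %d" % a_type)
        attrs.append((a_type, data[off + 2:off + a_len]))
        off += a_len
    return {"code": code, "name": CODES.get(code, "unknown"), "id": ident,
            "length": length, "authenticator": data[4:20],
            "attributes": attrs}


def response_authenticator(header4, request_auth, attr_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header4 + request_auth + attr_bytes + secret).digest()


def verify_response(data, request_auth, secret):
    """True only if the reply is well formed and its Authenticator matches."""
    try:
        pkt = parse_packet(data)
    except ValueError:
        return False
    expected = response_authenticator(
        data[:4], request_auth, data[HEADER_LEN:pkt["length"]], secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


def build_response(code, ident, request_auth, attrs, secret):
    """Helper for the constructed sample: encode attributes, sign the reply."""
    attr_bytes = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header4 = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    auth = response_authenticator(header4, request_auth, attr_bytes, secret)
    return header4 + auth + attr_bytes


# Constructed sample: an Access-Accept answering request id 7, shared key
# "test" (the key string used in the guide's configuration examples).
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_response(2, 7, REQUEST_AUTH,
                        [(18, b"welcome"), (62, b"\x00\x00\x00\x01")], b"test")

if __name__ == "__main__":
    pkt = parse_packet(SAMPLE)
    print(pkt["name"], "id", pkt["id"], "length", pkt["length"])
    for a_type, value in pkt["attributes"]:
        print(" ", ATTR_NAMES.get(a_type, a_type), value)
    print("authenticator ok:", verify_response(SAMPLE, REQUEST_AUTH, b"test"))
```

A reply that fails `verify_response` (wrong shared key, modified attribute, inconsistent length) should be discarded rather than acted on.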
radius-server key {0 | 7}
no radius-server key
    To configure the encryption key for the RADIUS server. The no form of this command will remove the configured key.

3.
5. Configure the IP address of the RADIUS NAS

Command / Explanation
Global Mode
radius nas-ipv4
no radius nas-ipv4
    To configure the source IP address for the RADIUS packets for the switch.
radius nas-ipv6
no radius nas-ipv6
    To configure the source IPv6 address for the RADIUS packets for the switch.

52.3 RADIUS Typical Examples

52.3.1 IPv4 Radius Example

[Diagram labels: 10.1.1.2, 10.1.1.1, Radius Server 10.1.1.3]

Fig 8-2 The Topology of IEEE802.
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable

52.3.
52.4 RADIUS Troubleshooting

In configuring and using RADIUS, RADIUS authentication may fail due to reasons such as physical connection failure or wrong configurations.
Chapter 53 SSL Configuration

53.1 Introduction to SSL

As computer networking technology spreads, the security of the network has an increasingly important impact on the availability and the usability of networking applications. Network security has become one of the greatest barriers of modern networking applications.
TCP. If the mechanism of the data forwarding in the lower layer is reliable, the data read into the network will be forwarded to the other program in sequence, and packet loss and re-forwarding will not appear. A lot of transmission protocols can provide such kind of service in theory, but in actual application, SSL is almost always running on TCP, and not running on UDP and IP directly.
53.2 SSL Configuration Task List

1. Enable/disable SSL function
2. Configure/delete port number by SSL used
3. Configure/delete secure cipher suite by SSL used
4. Maintenance and diagnose for the SSL function

1. Enable/disable SSL function

Command / Explanation
Global Mode
ip http secure-server
no ip http secure-server
    Enable/disable SSL function.

2.
switch through https method, a SSL session will be set up between the switch and the client. When the SSL session has been set up, all the data transmission in the application layer will be encrypted.

[Diagram labels: Web Server, Date Acquisition Fails, Malicious Users, Web Browser https, SSLSession Connected, PC Users]

Configuration on the switch:
Switch(config)# ip http secure-server
Switch(config)# ip http secure-port 1025
Switch(config)# ip http secure-ciphersuite rc4-128-sha

53.
Chapter 54 IPv6 Security RA Configuration

54.1 Introduction to IPv6 Security RA

In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RA, including link prefix, link MTU and other information; when the IPv6 hosts receive RA, they will create link address, and set the default router as the one sending RA in order to implement IPv6 network communication.
3. Display and debug the relative information of IPv6 security RA

Command / Explanation
Admin Mode
debug ipv6 security-ra
no debug ipv6 security-ra
    Enable the debug information of IPv6 security RA module, the no operation of this command will disable the output of debug information of IPv6 security RA.
show ipv6 security-ra [interface ]
    obally security RA is enabled.

54.
54.4 IPv6 Security RA Troubleshooting Help

The function of IPv6 security RA is quite simple, if the function does not meet the expectation after configuring IPv6 security RA:
Check if the switch is correctly configured.
Check if there are rules conflicting with security RA function configured on the switch, this kind of rules will cause RA messages to be forwarded.
Chapter 55 VLAN-ACL Configuration

55.1 Introduction to VLAN-ACL

The user can configure ACL policy to VLAN to implement the accessing control of all ports in VLAN, and VLAN-ACL enables the user to expediently manage the network. The user only needs to configure ACL policy in VLAN; the corresponding ACL action then takes effect on all member ports of VLAN, with no need to configure each member port separately.
vacl ip access-group {<1-299> | WORD} {in | out} [traffic-statistic] vlan WORD
no vacl ip access-group {<1-299> | WORD} {in | out} vlan WORD
    Configure or delete IP VLAN-ACL.

2. Configure VLAN-ACL of MAC type

Command / Explanation
Global mode
vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD
no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
    Configure or delete MAC VLAN-ACL.

3.
6. Clear statistic information of VLAN-ACL

Command / Explanation
Admin mode
clear vacl [in | out] statistic vlan []
    L.

55.3 VLAN-ACL Configuration Example

A company’s network configuration is as follows, all departments are divided by different VLANs, technique department is Vlan1, finance department is Vlan2.
Configuration example:
1) First, configure a timerange, the valid time is the working hours of working day:
Switch(config)#time-range t1
Switch(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
2) Configure the extended acl_a of IP, at working hours it only allows to access the resource within the internal network (such as 192.168.0.255).
Chapter 56 MAB Configuration

56.1 Introduction to MAB

In actual networks there are devices that cannot install the authentication client, such as printers and PDA devices, so they cannot process 802.1x authentication. However, to access the network resources, they need to use MAB authentication to replace 802.1x authentication.

MAB authentication is a network accessing authentication method based on the accessing port and the MAC address of MAB user.
Command / Explanation
Global Mode
mac-authentication-bypass enable
no mac-authentication-bypass enable
    Enable the global MAB authentication function.
Port Mode
mac-authentication-bypass enable
no mac-authentication-bypass enable
    Enable the port MAB authentication function.

2.
mac-authentication-bypass timeout quiet-period <1-60>
no mac-authentication-bypass timeout quiet-period
    Set quiet-period of MAB authentication.
mac-authentication-bypass timeout stale-period <0-60>
no mac-authentication-bypass timeout
    Set the time that delete the binding after the port is down.
[Diagram labels: Update Server, Radius Server, Internet, Switch2, Switch1, PC1, PC2, Printer]

Fig 12-1 MAB application

Switch1 is a layer 2 accessing switch, Switch2 is a layer 3 aggregation switch.
Ethernet 1/0/1 is an access port of Switch1, connects to PC1, it enables 802.1x port-based function and configures guest vlan as vlan8.
Ethernet 1/0/3 is an access port, belongs to vlan10, connects to external internet resources.

To implement this application, the configuration is as follows:
Switch1 configuration:
(1) Enable 802.
Switch(config-if-ethernet1/0/3)#mac-authentication-bypass enable
Switch(config-if-ethernet1/0/3)#exit
Switch(config)#interface ethernet 1/0/4
Switch(config-if-ethernet1/0/4)# switchport mode trunk

56.
Chapter 57 PPPoE Intermediate Agent Configuration

57.1 Introduction to PPPoE Intermediate Agent

57.1.1 Brief Introduction to PPPoE

PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that supplies a point-to-point communication method; it is usually selected by host dial-up link, for example the link is line dial-up.
sent to many access collector of the network.
2. Broadband Access Server responds PADO packet: The second step, server responds PADO (PPPoE Active Discovery Offer) packet to client according to the received source MAC address of PADI packet, the packet will take server name and service name.
3. Client sends PADR packet: The third step, client selects a server to process the session according to the received PADO packet.
Fig 13-1 PPPoE IA protocol exchange process

1.1.1.
PPPoE length field (2 bytes): Specify the sum of all TLV length.
TLV type field (2 bytes): A TLV frame means a TAG, type field means TAG type, the table is as follows.
TLV length field (2 bytes): Specify the length of TAG data field.
TLV data field (the length is not specified): Specify the transmitted data of TAG.
Fig 13-2 PPPoE IA - vendor tag (4 bytes in each row)

Add TLV tag as 0x0105 for PPPoE IA, TAG_LENGTH is length field of vendor tag; 0x00000DE9 is “ADSL Forum” IANA entry of the fixed 4 bytes; 0x01 is type field of Agent Circuit ID, length is length field and Agent Circuit ID value field; 0x02 is type field of Agent Remote ID, length is length field and Agent Remote ID value field.
ort, set ports connected to clients as untrust ports. A trust port can receive all packets; an untrust port can receive only PADI, PADR and PADT packets which are sent to the server. To ensure client operation is correct, the port connected to the server must be set as a trust port, and each access device has at least one trust port. The PPPoE IA vendor tag cannot exist in PPPoE packets sent by server to client, so we can strip these vendor tags and forward the packets if they exist in PPPoE packets.
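The vendor tag layout of Fig 13-2 and the trust/untrust port rules above, worked through as an added example (not code from the guide or the switch): it encodes the 0x0105 tag with the ADSL Forum ID and the Circuit ID / Remote ID sub-options, recomputes the PPPoE length field, applies the untrust-port packet filter, and strips the tag in the server-to-client direction. Assumptions: frames start at the PPPoE header (Ethernet header omitted), the packet codes and 0x11 version/type byte are the RFC 2516 values, sub-option type and length are one byte each, and all function names are illustrative. Sample values `bbbb` and `xyz` are the circuit-id and remote-id used in the guide's configuration steps.

```python
import struct

TAG_VENDOR_SPECIFIC = 0x0105          # TLV type the guide gives for PPPoE IA
ADSL_FORUM_VENDOR_ID = 0x00000DE9     # fixed 4-byte "ADSL Forum" IANA entry
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02
PADI, PADO, PADR, PADT = 0x09, 0x07, 0x19, 0xA7   # RFC 2516 code values
UNTRUST_ALLOWED = {PADI, PADR, PADT}  # what an untrust port may receive


def encode_tag(tag_type, value):
    """One TLV: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", tag_type, len(value)) + value


def ia_tag_value(circuit_id, remote_id):
    """Data field of the vendor tag: vendor ID followed by two sub-options."""
    value = struct.pack("!I", ADSL_FORUM_VENDOR_ID)
    for sub_type, data in ((SUB_CIRCUIT_ID, circuit_id),
                           (SUB_REMOTE_ID, remote_id)):
        if len(data) > 255:
            raise ValueError("sub-option does not fit a 1-byte length")
        value += bytes([sub_type, len(data)]) + data
    return value


def parse_ia_tag_value(value):
    """Return {sub_type: data} for a vendor tag carrying the ADSL Forum ID."""
    if len(value) < 4 or struct.unpack_from("!I", value)[0] != ADSL_FORUM_VENDOR_ID:
        raise ValueError("not an ADSL Forum vendor tag")
    subs, off = {}, 4
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("sub-option header truncated")
        sub_type, sub_len = value[off], value[off + 1]
        off += 2
        if off + sub_len > len(value):
            raise ValueError("sub-option overruns the tag")
        subs[sub_type] = value[off:off + sub_len]
        off += sub_len
    return subs


def is_ia_tag(tag_type, value):
    return (tag_type == TAG_VENDOR_SPECIFIC and len(value) >= 4
            and struct.unpack_from("!I", value)[0] == ADSL_FORUM_VENDOR_ID)


def encode_packet(code, session_id, tags):
    """PPPoE header; the length field is the sum of all encoded TLVs."""
    payload = b"".join(encode_tag(t, v) for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def decode_packet(frame):
    """Return (code, session_id, [(tag_type, value), ...]) with bounds checks."""
    if len(frame) < 6:
        raise ValueError("shorter than the PPPoE header")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame)
    if ver_type != 0x11 or 6 + length > len(frame):
        raise ValueError("bad version/type or truncated payload")
    payload, tags, off = frame[6:6 + length], [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("TLV header truncated")
        tag_type, tag_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tag_len > len(payload):
            raise ValueError("TLV 0x%04x overruns the payload" % tag_type)
        tags.append((tag_type, payload[off:off + tag_len]))
        off += tag_len
    return code, session_id, tags


def untrust_port_accepts(frame):
    """Untrust (client-facing) port: only PADI, PADR and PADT pass."""
    return decode_packet(frame)[0] in UNTRUST_ALLOWED


def add_ia_tag(frame, circuit_id, remote_id):
    """Append the vendor tag and re-encode so the length field stays right."""
    code, session_id, tags = decode_packet(frame)
    tags.append((TAG_VENDOR_SPECIFIC, ia_tag_value(circuit_id, remote_id)))
    return encode_packet(code, session_id, tags)


def strip_ia_tags(frame):
    """Server-to-client direction: drop PPPoE IA vendor tags, keep the rest."""
    code, session_id, tags = decode_packet(frame)
    kept = [(t, v) for t, v in tags if not is_ia_tag(t, v)]
    return encode_packet(code, session_id, kept)


if __name__ == "__main__":
    padr = encode_packet(PADR, 0, [(0x0101, b"")])   # constructed sample PADR
    tagged = add_ia_tag(padr, b"bbbb", b"xyz")
    print(tagged.hex())
    print(parse_ia_tag_value(decode_packet(tagged)[2][-1][1]))
```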
pppoe intermediate-agent type self-defined remoteid {mac | vlan-mac | hostname | string WORD}
    Configure the self-defined remote-id.
Both host and BAS server run PPPoE protocol, they are connected by layer 2 ethernet, switch enables PPPoE Intermediate Agent function.

Typical configuration (1) in the following:
Step1: Switch enables global PPPoE IA function, MAC as 0a0b0c0d0e0f.
Switch(config)# pppoe intermediate-agent
Step2: Configure port ethernet1/0/1 which connect server as trust port, and configure vendor tag strip function.
v, delimiter of Slot ID and Port ID as “#”, delimiter of Port ID and Vlan ID as “/”.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id identifier-string efgh option spv delimiter # delimiter /
Step6: Configure circuit-id value as bbbb on port ethernet1/0/2.
Switch(config-if-ethernet1/0/2)#pppoe intermediate-agent circuit-id bbbb
Step7: Configure remote-id as xyz on ethernet1/0/3.
Chapter 58 SAVI Configuration

58.1 Introduction to SAVI

SAVI (Source Address Validation Improvement) is a security authentication method that provides the granularity level of the node source address. It gets the trust node information (such as port, MAC address information), namely, anchor information by monitoring the interaction process of the relative protocol packets (such as ND protocol, DHCPv6 protocol) and using CPS (Control Packet Snooping) mechanism.
14. Enable or disable ND trust of port
15. Configure the binding number

1. Enable or disable SAVI function

Command / Explanation
Global mode
savi enable
no savi enable
    Enable the global SAVI function, no command disables the function.

2.
prepare-delay>
no savi max-dad-prepare-delay
    e period for SAVI binding, no command restores the default value.

6. Configure the global max-slaac-life for SAVI

Command / Explanation
Global mode
savi max-slaac-life
no savi max-slaac-life
    Configure the lifetime period of the dynamic slaac binding at BOUND state, no command restores the default value.

7.
no savi ipv6 mac-binding-limit
    dress, no command restores the default value. Note: The binding number only limits the dynamic binding, but does not limit the static binding number.

11. Configure the check mode for SAVI conflict binding

Command / Explanation
Global mode
savi check binding mode
no savi check binding mode
    Configure the check mode for the conflict binding, no command deletes the check mode.

12.
savi ipv6 binding num
no savi ipv6 binding num
    Configure the binding number of a port, no command restores the default value. Note: The binding number only limits the dynamic binding, but does not limit the static binding number.

58.3 SAVI Typical Application

In actual application, SAVI function is usually applied in access layer switch to check the validity of node source address on direct-link.
[Diagram labels: Switch3, Switch1, Switch2, Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/12, Ethernet1/0/13, Client_1, Client_2]

Client_1 and Client_2 are two different users’ PCs with the IPv6 protocol installed. They connect to port Ethernet1/0/12 of Switch1 and port Ethernet1/0/13 of Switch2 respectively, and the source address check function of SAVI is enabled on these ports. Ethernet1/0/1 and Ethernet1/0/2 are uplink ports of Switch1 and Switch2 respectively, with DHCP trust and ND trust functions enabled.
Switch1(config-if-ethernet1/0/1)#exit
Switch1(config)#interface ethernet1/0/12-20
Switch1(config-if-port-range)#savi ipv6 check source ip-address mac-address
Switch1(config-if-port-range)#savi ipv6 binding num 4
Switch1(config-if-port-range)#exit
Switch1(config)#exit
Switch1#write

58.
Chapter 59 Captive Portal Authentication

59.1 Captive Portal Authentication Configuration

59.1.1 Introduction to Captive Portal Authentication

The authentication function is a way to manage and control the network resources for users. The authentication function stores the client authentication information in the authentication server according to certain principles.
Authentication function task list is as below:
1. Enable/disable captive portal authentication function
2.
Captive Portal Instance Configuration Mode
redirect url-head
no redirect url-head
    Configure the redirect url-head including transmission protocol, host name, port and path. The no command deletes the configuration.
radius-auth-server
no radius-auth-server
    Configure/delete authentication server name.
portal-server {ipv4 | ipv6}
    Bind/unbind portal server name.
radius-server key
no radius-server key
    Configure/delete RADIUS server key.
radius-server authentication host
no radius-server authentication host
    Configure/delete RADIUS authent

5. Bind the portal rule to the port

Command / Explanation
Config Mode
vlan-pool <1-255>
no vlan-pool <1-255>
    Configure or delete the vlan pool.
Fig 15-1 Authentication function configuration

As shown above, pc1 is the terminal client; it has an http browser but no 802.1x authentication client, and it wants to access the network through the portal authentication. Switch1 is the accessing device; its configured accounting server address is the IP and port of the radius server, and the accounting function is enabled on it.
switch (config)#radius-server key 0 test
switch (config)#aaa group server radius radius_aaa_1
switch (config-sg-radius)# server 192.168.40.100

The configuration of global authentication:
Switch(config)#interface vlan 1
Switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
Switch(config)#free-resource 1 destination ipv4 192.168.40.
function.

59.2 Accounting Function Configuration

59.2.1 Introduction to Accounting Function

The accounting function is used for monitoring and accounting users who use the network resources. A client is unable to access the network resources before passing the captive portal authentication; it can access network resources only through the portal authentication. The user’s session duration is defined to control the time of network resource use and the flow of information.

59.2.
aaa-accounting enable
no aaa-accounting
    Enable/disable accounting service function

3.
59.2.3 Accounting Function Examples

Fig 15-2 accounting function configuration

1. Configure the AAA accounting function on switch1.
AAA configuration of Switch1:
switch 1(config)# aaa enable
switch 1(config)# aaa-accounting enable
switch 1(config)# radius-server accounting host 192.168.40.100
switch1 (config)#radius-server key 0 test
switch1 (config)#aaa group server radius abc99
switch (config-sg-radius)# server 192.168.40.100
2.
Switch1 (config-cp-instance)#radius accounting
Switch1 (config-cp-instance)# radius-acct-server abc99

59.2.4 Accounting Function Troubleshooting

If you encounter problems when using the accounting function, please check whether the reasons are as follows:
Whether the captive portal function has been launched and the portal configuration switch has been opened.
ent1, and the Destination IP is the address segment for client who wants to access the resources. Appoint RADIUS server 1 as the authentication server, client1 and client2 can access the free-resource of 3.1.1.0/24 and will not be redirected to the authentication server.

Fig 15-3 multi-portal servers function configuration

Configuration steps:
Switch1(config-)# free-resource destination ipv4 3.1.1.0/24

59.3.
59.4.2 Authentication White-list Configuration

1. Configure user mac with Authentication white-list function purview

Command / Explanation
Config Mode
free mac < MACADD>
no free mac < MACADD>
    Configure or delete the mac address without needing to authenticate.

59.4.3 Authentication White-list Examples

Case: As shown below, client1 and client2 are the terminal clients; portal authentication is enabled on the port connected to the switch.
59.5 Automatic Page Pushing after Successful Authentication (it is not supported currently)

59.5.1 Introduction to Automatic Page Pushing after Successful Authentication

The automatic page pushing function after the successful authentication means that the web page which user needs to access can be re-opened after the authentication.
fault value.
redirect attribute url-after-login encode {plain-text|base64}
    Configure the encode of the pushed url after the successful authentication which is carried in the redirect url.
redirect attribute url-after-login value
no redirect attribute url-after-login value
    ed up after the successful authentication. The no command deletes it.

59.5.
Configuration steps:
Configure the portal server information for switch1.
1. Configure the http-redirect-filter rule
2. Bind the http-redirect-filter rule to cp instance

1. Configure the http-redirect-filter rule

Command / Explanation
Captive Portal Mode
http-redirect-filter <1-32> (ip A.B.C.D| domain WORD)
no http-redirect-filter (<1-32>|all)
    Configure the http-redirect-filter rule. The no command deletes it.

2.
Configure with the following steps:
1. Configure the related authentication key, authentication server, accounting server and aaa mode of the radius server under the global mode:
switch (config)#radius-server key 0 test
switch (config)#radius-server authentication host 192.168.1.252
switch (config)#radius-server accounting host 192.168.1.
Before authentication, the client can be redirected to authentication only by accessing “test.permit.com”. It cannot be redirected to authentication by accessing other addresses.

59.6.4 http-redirect-filter Troubleshooting

If there are problems in using http-redirect-filter function, please check it with the following steps:
Check if the configured rule matches the accessed domain name.
1. PC, user can access the network through the switch.
2. Public network, this part can be free or other switch devices.
3. Server, it includes:
MAC binding server, it is used to save the authenticated terminal mac address;
Radius server, it is used for the portal authentication and accounting;
Portal server, it is used for the portal authentication;
MAC binding server, Radius server and portal server can be the same one device.
Switch(config-cp)# nas-ipv4 192.168.1.50
Switch(config-cp)# external portal-server server-name abc ipv4 172.16.1.
ver is inconsistent. This will cause accounting errors. These phenomena can bring inconvenience to operations and users. The portal escaping function provides a good method to solve the above problems. It keeps the user online and able to use the network normally when the portal server or radius server cannot work normally, and new users can still access the network. So the portal escaping includes portal server escaping and radius server escaping.

59.
Send trap: send the trap information to the network management server. In the trap, it records the portal server name and the status information before and after the change of the server status.
Send log: send the log information to the log server. In the log, it records the portal server name and the status information before and after the change of the server status.
permit-all: it is also named as portal escaping.
portal-server-detect server-name [interval ] [retry ][action {log | permit-all | trap }]
no portal-server-detect server-name
    Enable the Portal server escaping function and configure the related parameters (selectable) and the server configuration of st
1. The configuration is as below:
Configure the related authentication key, authentication server, accounting server and aaa mode of the RADIUS server in global mode.
switch (config)#radius-server key 0 test
switch (config)#radius-server authentication host 192.16.1.26
switch (config)#radius-server accounting host 192.16.1.
As shown above, the portal server of cmcc is bound to CP instance and the probing function is configured; the probing interval is 600s. If the probing fails twice, the switch sends the trap information and log of the unreachable server and enables the portal escaping function to allow users to access the network without authentication.

1.1.1.
2. Configure the detection interval of radius server
Command Explanation
Global Mode
radius-server escape detection-interval {default | }
    Configure the detection interval of radius server and the default value is 180s.
1.1.1.
2 Configure the portal function, portal server under the portal instance:
Switch (config)#captive-portal
Switch (config-cp)#enable
Switch(config-cp)# nas-ipv4 192.168.1.50
Switch(config-cp)# external portal-server server-name abc ipv4 172.16.1.
Chapter 60 VRRP Configuration
60.1 Introduction to VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It was developed by the IETF for local area networks (LAN) with multicast/broadcast capability (Ethernet, for example) and is widely used.
er the work and continue serving the hosts within the segment. Since the election and take-over duration is brief and smooth, hosts within the segment can use the Virtual Router as normal and uninterrupted communication can be achieved.
60.2 VRRP Configuration Task List
Configuration Task List:
1. Create/Remove the Virtual Router (required)
2. Configure VRRP dummy IP and interface (required)
3. Activate/Deactivate Virtual Router (required)
4.
(1) Configure the preemptive mode for VRRP
Command Explanation
VRRP protocol configuration mode
preempt-mode {true| false}
    Configures the preemptive mode for VRRP.
(2) Configure VRRP priority
Command Explanation
VRRP protocol configuration mode
priority
    Configures VRRP priority.
(3) Configure VRRP Timer intervals
Command Explanation
VRRP protocol configuration mode
advertisement-interval
    Configures VRRP timer value (in seconds).
Fig 1-1 VRRP Network Topology (SWITCHA and SWITCHB, each on Interface vlan1)
Configuration of SwitchA:
SwitchA(config)#interface vlan 1
SwitchA (Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0
SwitchA (config)#router vrrp 1
SwitchA(Config-Router-Vrrp)# virtual-ip 10.1.1.5
SwitchA(Config-Router-Vrrp)# interface vlan 1
SwitchA(Config-Router-Vrrp)# enable
Configuration of SwitchB:
SwitchB(config)#interface vlan 1
SwitchB (Config-if-Vlan1)# ip address 10.1.1.
dby cluster are the same.
Verify that the dummy IP address is in the same network segment as the interface's actual IP address.
If the problem remains unsolved, please use debug vrrp and other debugging commands, copy the DEBUG messages output within 3 minutes, and send the recorded messages to the technical service center of our company.
Chapter 61 IPv6 VRRPv3 Configuration
61.1 Introduction to VRRPv3
VRRPv3 is a virtual router redundancy protocol for IPv6. It is designed on the basis of VRRP (VRRPv2) in the IPv4 environment. The following is a brief introduction to it.
In a network based on the TCP/IP protocol, routers must be specified to guarantee communication between devices that are not physically connected.
rminal user systems.
In an IPv6 environment, the hosts in a LAN usually learn the default gateway via the neighbor discovery protocol (NDP), which relies on regularly receiving advertisement messages from routers. The NDP of IPv6 has a mechanism called Neighbor Unreachability Detection, which checks whether a neighbor node has failed by sending unicast neighbor request messages to it.
e the virtual IPv6 address of the virtual router.
Fig 2-1 VRRPv3 message
61.1.2 VRRPv3 Working Mechanism
The working mechanism of VRRPv3 is the same as that of VRRPv2 and is mainly implemented via the interaction of VRRP advertisement messages. It is briefly described as follows:
Each VRRP router has a unique ID: VRIP, ranging from 1 to 255.
dress owner in the VRRP group; the IP address owner automatically has the highest priority: 255. The priority of 0 is usually used when the IP address owner gives up the role of master. The configurable priority range is 1-254. Priority can be assigned according to the speed and cost of the link, the performance and reliability of the router, and other management policies.
virtual-ipv6 Interface {Vlan | IFNAME }
no virtual-ipv6 interface
    Configure the virtual IPv6 address and interface of VRRPv3, the no operation of this command will delete the virtual IPv6 address and interface.
3. Enable/disable the virtual router
Command Explanation
VRRPv3 Protocol Mode
enable
    Enable the virtual router.
disable
    Disable the virtual router.
4.
61.3 VRRPv3 Typical Examples
Fig 2-2 VRRPv3 Typical Network Topology
As shown in the figure, switch A and switch B are backups to each other: switch A is the master of backup group 1 and a backup of backup group 2, and switch B is the master of backup group 2 and a backup of backup group 1.
The configuration of SwitchB:
SwitchB (config)# interface vlan 1
SwitchB (config)# router ipv6 vrrp 2
SwitchB (config-router)# virtual-ipv6 fe80::3 interface vlan 1
SwitchB (config-router)# priority 150
SwitchB (config-router)# enable
SwitchB (config)# router ipv6 vrrp 1
SwitchB (config-router)# virtual-ipv6 fe80::2 interface vlan 1
SwitchB (config-router)# enable
61.
Chapter 62 MRPP Configuration
62.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol for Ethernet loop protection. It avoids the broadcast storms caused by data loops on an Ethernet ring, and restores communication among all nodes on the ring when a link on the ring breaks. MRPP is an extension of EAPS (Ethernet link automatic protection protocol).
Each MRPP ring has two states.
Health state: all physical links of the ring network are connected.
Break state: one or more physical links in the ring network are broken.
3. nodes
Each switch on the Ethernet ring is called a node. There are the following node types:
Primary node: each ring has one primary node, which is the main node for detection and protection.
Transfer node: all nodes on a ring other than the primary node are transfer nodes.
The node role is determined by user configuration.
Packet Type Explanation
Hello packet (Health examine packet) Hello
    The primary port of the primary node sends it to check the ring; if the secondary port of the primary node receives the Hello packet within the configured timeout, the ring is normal.
LINK-DOWN (link Down event packet)
    After a transfer node detects a Down event on a port, it immediately sends a LINK-DOWN packet to the primary node to inform the primary node that the ring has failed.
After the primary node has detected a ring failure, if its secondary port receives a Hello packet sent from the primary node, the ring has been restored; the primary node then blocks its secondary port and sends a LINK-UP-Flush-FDB packet to its neighbors.
After an MRPP ring port comes UP again on a transfer node, the primary node may only find out that the ring is restored after a while. For the normal data VLAN, the network may temporarily form a loop and create a broadcast storm.
fail-timer
no fail-timer
    Configure Hello packet overtime timer sending from primary node of MRPP ring, format "no" restores default timer value.
enable
no enable
    Enable MRPP ring, format "no" disables enabled MRPP ring.
Port mode
mrpp ring primary-port
no mrpp ring primary-port
    Specify primary port of MRPP ring.
mrpp ring secondary-port
no mrpp ring secondary-port
    Specify secondary port of MRPP ring.
clear mrpp statistics {}
    Clear receiving data packet statistic information of MRPP ring.
62.3 MRPP Typical Scenario
Fig 3-2 MRPP typical configuration scenario (SWITCH A, SWITCH B, SWITCH C and SWITCH D with ports E1 and E2, Master Node, MRPP Ring 4000)
The above topology often occurs on using MRPP protocol.
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#
SWITCH B configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#
62.
Chapter 63 ULPP Configuration
63.1 Introduction to ULPP
Each ULPP group has two uplink ports: the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby, Down. Normally, only one port is in the Forwarding state and the other port is blocked in the Standby state.
sed by the abnormity problem, a preemption delay mechanism is introduced: the master port has to wait for some time before it preempts the slave port. To keep the flows continuous, the master port does not preempt by default, but turns into the Standby state.
Fig 4-2 VLAN load balance
63.2 ULPP Configuration Task List
1. Create ULPP group globally
2. Configure ULPP group
3. Show and debug the relating information of ULPP
1. Create ULPP group globally
Command Explanation
Global mode
ulpp group
no ulpp group
    Configure and delete ULPP group globally.
2. Configure ULPP group
Command Explanation
ULPP group configuration mode
preemption mode
    Configure the preemption mode of ULPP group.
preemption delay
no preemption delay
    Configure the preemption delay, the no operation restores the default value 30s.
control vlan
no control vlan
    Configure the sending control VLAN, no operation restores the default value 1.
protect vlan-reference-instance
no protect vlan-reference-instance
    Configure the protection VLANs, the no operation deletes the protection VLANs.
Admin mode
show ulpp group [group-id]
    Show the configuration information of the configured ULPP group.
show ulpp flush counter interface {ethernet | }
    Show the statistic information of the flush packets.
show ulpp flush-receive-port
    Show flush type and control VLAN received by the port.
clear ulpp flush counter interface
    h packets.
Fig 4-3 ULPP typical example1 (SwitchA, SwitchB, SwitchC and SwitchD; ports E1/0/1 and E1/0/2)
The above topology is the typical application environment of the ULPP protocol.
SwitchA has two uplinks: SwitchB and SwitchC. When no protocol is enabled, this topology forms a ring. To avoid the loop, SwitchA can be configured with the ULPP protocol, with the master port and the slave port of a ULPP group.
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)#exit
SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/1
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/0/1
Switch
Fig 4-4 ULPP typical example2 (SwitchA, SwitchB, SwitchC and SwitchD; ports E1/0/1 and E1/0/2; Vlan 1-100 and Vlan 101-200)
ULPP can implement VLAN-based load balancing. As the figure illustrates, SwitchA configures two ULPP groups: port E1/0/1 is the master port and port 1/0/2 is the slave port in group1; port 1/0/2 is the master port and port 1/0/1 is the slave port in group2. The VLANs protected by group1 are 1-100 and those protected by group2 are 101-200.
Switch(config-If-Ethernet1/0/1)#switchport mode trunk
Switch(config-If-Ethernet1/0/1)#ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#ulpp group 2 slave
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#switchport mode trunk
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)# ulpp group 2 master
Switch(config-If-Ethernet1/0/2)#exit
SwitchB configuration task list:
Switch(Co
Chapter 64 ULSM Configuration
64.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports, and there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group.
The uplink port is the monitored port of the ULSM group.
Fig 5-1 ULSM using scene
64.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the relating information of ULSM
1. Create ULSM group globally
Command Explanation
Global mode
ulsm group
no ulsm group
    Configure and delete ULSM group globally.
2.
3. Show and debug the relating information of ULSM
Command Explanation
Admin mode
show ulsm group [group-id]
    Show the configuration information of ULSM group.
debug ulsm event
no debug ulsm event
    Show the event information of ULSM, the no operation disables the shown information.
64.
Switch(Config-Mstp-Region)#exit
Switch(Config)#ulpp group 1
Switch(ulpp-group-1)#protect vlan-reference-instance 1
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)#exit
SwitchB configuration task list:
Switch(Config)#ulsm group 1
Switch(Conf
Chapter 65 Mirror Configuration
65.1 Introduction to Mirror
Mirror functions include the port mirror function, the CPU mirror function and the flow mirror function.
Port mirror refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port.
nterface
no monitor session destination interface
    mmand deletes mirror destination source port.
2. Specify mirror source port(CPU)
Command Explanation
Global mode
monitor session source {interface | cpu [slot ]} {rx| tx| both}
no monitor session source {i
    Specifies mirror source port; the no command deletes mirror source port.
Configuration procedure is as follows:
Switch(config)#monitor session 4 destination interface ethernet 1/0/1
Switch(config)#monitor session 4 source interface ethernet 1/0/7 rx
Switch(config)#monitor session 4 source interface ethernet 1/0/9 tx
Switch(config)#monitor session 4 source cpu
Switch(config)#access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
Switch(config)#monitor session 4 source interface ethernet 1/0/15 access-list 120 rx
65.
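Whoever sits on the mirror destination port sees a copy of everything the session selects, so it helps to work out exactly which frames session 4 copies. The following Python model is an added example, not part of the PLANET guide: it parses the commands above (the CPU source is left out), applies the wildcard masks of access-list 120, and assumes that a frame matching no permit rule is not mirrored; the test frames are constructed.

```python
import ipaddress
from dataclasses import dataclass

# The session 4 commands from the guide, without the CLI prompt and without
# the "source cpu" line, which this model does not cover.
CONFIG = """\
monitor session 4 destination interface ethernet 1/0/1
monitor session 4 source interface ethernet 1/0/7 rx
monitor session 4 source interface ethernet 1/0/9 tx
access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
monitor session 4 source interface ethernet 1/0/15 access-list 120 rx
"""


@dataclass(frozen=True)
class Frame:
    port: str        # switch port the frame crosses, e.g. "1/0/15"
    direction: str   # "rx" or "tx" from that port's point of view
    proto: str       # "tcp", "udp", ...
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard mask means 'ignore this bit' when comparing."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def parse(config):
    """Return (session, acls) built from monitor-session and access-list lines."""
    session = {"destination": None, "sources": []}
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            # access-list ID ACTION PROTO SRC SRC-WILDCARD DST DST-WILDCARD
            acls.setdefault(t[1], []).append(tuple(t[2:8]))
        elif t[:2] == ["monitor", "session"] and t[3] == "destination":
            session["destination"] = t[-1]
        elif t[:2] == ["monitor", "session"] and t[3:5] == ["source", "interface"]:
            acl_id = t[t.index("access-list") + 1] if "access-list" in t else None
            session["sources"].append((t[6], t[-1], acl_id))
    return session, acls


def acl_permits(rules, frame):
    """First matching rule decides; no match means not mirrored (assumption)."""
    for action, proto, src, src_wc, dst, dst_wc in rules:
        if (proto in (frame.proto, "ip")
                and wildcard_match(frame.src, src, src_wc)
                and wildcard_match(frame.dst, dst, dst_wc)):
            return action == "permit"
    return False


def is_mirrored(frame, session, acls):
    """True if the session copies this frame to the destination port."""
    for port, direction, acl_id in session["sources"]:
        if port != frame.port or direction not in (frame.direction, "both"):
            continue
        if acl_id is not None and not acl_permits(acls.get(acl_id, []), frame):
            continue
        return True
    return False


SESSION, ACLS = parse(CONFIG)

if __name__ == "__main__":
    probe = Frame("1/0/15", "rx", "tcp", "1.2.3.200", "5.6.7.1")
    print(SESSION["destination"], is_mirrored(probe, SESSION, ACLS))
```

With the 0.0.0.255 wildcards, access-list 120 selects TCP from any host in 1.2.3.0-1.2.3.255 to any host in 5.6.7.0-5.6.7.255, not only the two addresses written in the rule.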
Chapter 66 RSPAN Configuration
66.1 Introduction to RSPAN
Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. With the mirroring function in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
2. Normal mode: the RSPAN destination port is configured in the RSPAN VLAN, so datagrams in the RSPAN VLAN are broadcast to the destination port. In this mode, the destination port should be in the RSPAN VLAN, and the source port should not be configured for broadcast storm control. TRUNK ports should be configured carefully so that RSPAN datagrams are not forwarded to external networks.
d be considered in order to carry the network flow and the mirrored flow.
Keywords:
RSPAN: Remote Switched Port Analyzer.
RSPAN VLAN: Dedicated VLAN for RSPAN.
RSPAN Tag: The VLAN tag which is attached to MTP of the RSPAN datagrams.
Reflector Port: The local mirroring port between the RSPAN source and destination ports, which is not directly connected to the intermediate switches.
66.2 RSPAN Configuration Task List
1. Configure RSPAN VLAN
2.
no monitor session destination interface
    nation port.
4. Configure reflector port
Command Explanation
Global Mode
monitor session reflector-port
no monitor session reflector-port
    To configure the interface to reflector port; The no command deletes the reflector port.
5.
Two configuration solutions can be chosen for RSPAN: the first is without a reflector port, and the other is with a reflector port. With the first, only one fixed port can be connected to the intermediate switch, but no reflector port has to be configured, which maximizes the usage of switch ports. With the latter, the port connected to the intermediate switch is not fixed.
Destination switch:
Interface ethernet1/0/9 is the source port, which is connected to the source switch.
Interface ethernet1/0/10 is the destination port which is connected to the monitor. This port is required to be configured as an access port, and belong to the RSPAN VLAN.
RSPAN VLAN is 5.
Intermediate switch:
Interface ethernet1/0/6 is the source port which is connected to the source switch.
Interface ethernet1/0/7 is the destination port which is connected to the destination switch. The native VLAN of the port should not be configured as RSPAN VLAN, or the mirrored data may not be carried by the destination switch.
RSPAN VLAN is 5.
e ports. To solve the problem, please reduce the number of source ports, mirror the data flow in a single direction only, or choose another port with higher capacity as the destination port.
Between the source switch and the intermediate switch, check whether the native VLAN of the TRUNK ports is configured as the RSPAN VLAN. If so, please change the native VLAN of the TRUNK ports.
After RSPAN is configured, the vlan tag will be added to the packets of the egress mirror.
Chapter 67 SNTP Configuration
67.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization among computers connected to the Internet worldwide. NTP can assess packet sending/receiving delay in the network and estimate the computer's clock deviation independently, so as to achieve high accuracy in network computer clocking.
Fig 1-1 Working Scenario
Switch implements SNTPv4 and supports SNTP client unicast as described in RFC 2030; SNTP client multicast and unicast are not supported, nor is the SNTP server function.
67.
Chapter 68 NTP Function Configuration
68.1 Introduction to NTP Function
The NTP (Network Time Protocol) synchronizes timekeeping among distributed time servers and clients across WAN and LAN, and can reach millisecond precision. The event, state, transmit function and action are defined in RFC-1305.
2. To configure NTP server function
Command Explication
Global Mode
ntp server { | } [version ] [key ]
no ntp server { | }
3.
ntp authentication-key md5 <value>
no ntp authentication-key
    To configure authentication key for NTP authentication.
ntp trusted-key
no ntp trusted-key
    To configure trusted key.
7. To specified some interface as NTP broadcast/multicast client interface
Command Explication
vlan Configuration Mode
ntp broadcast client
no ntp broadcast client
    To configure specified interface to receive NTP broadcast packets.
show ntp session [ | ]
    on.
11. Debug
Command Explication
Admin Mode
debug ntp authentication
no debug ntp authentication
    To enable debug switch of NTP authentication.
debug ntp packets [send | receive]
no debug ntp packets [send | receive]
    To enable debug switch of NTP packet information.
debug ntp adjust
no debug ntp adjust
    To enable debug switch of time update information.
The configuration of Switch C is as follows: (Switch A and Switch B may use different commands because they come from different vendors, so they are not explained here; our switches do not support the NTP server function at present.)
Switch C:
Switch(config)#ntp enable
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.12 255.255.255.0
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 192.168.2.12 255.255.255.0
Switch(config)#ntp server 192.168.1.
Chapter 69 DNSv4/v6 Configuration
69.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember and meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses.
There are two types of DNS services, static and dynamic, which supplement each other in application.
Pv6). People take advantage of this when they recite meaningful URLs and e-mail addresses without having to know how the machine will actually locate them.
The Domain Name System distributes the responsibility for assigning domain names and mapping them to Internet Protocol (IP) networks by designating authoritative name servers for each domain to keep track of their own changes, avoiding the need for a central register to be continually consulted and updated.
Command Explanation
Global Mode
ip domain-list
no ip domain-list
    To configure/delete domain name suffix.
4. To delete the domain entry of specified address in dynamic cache
Command Explanation
Admin Mode
clear dynamic-host { | | all}
    ddress in dynamic cache.
5.
Admin Mode and Configuration Mode
show dns name-server
    To show the configured DNS server information.
show dns domain-list
    To show the configured DNS domain name suffix information.
show dns hosts
    To show the dynamic domain name information of resolved by switch.
show dns config
    Display the configured global DNS information on the switch.
show dns client
    Display the DNS Client information maintained by the switch.
ols such as PING, the switch can get the corresponding IPv4/IPv6 address with the dynamic domain name resolution function.
Fig 3-2 DNS SERVER typical environment (client, SWITCH, INTERNET, DNS SERVER IP:219.240.250.101 IPv6:2001::1)
The figure above is an application of DNS SERVER. Under some circumstances, the client PC doesn't know the real DNS SERVER, and points to the switch instead.
69.4 DNS Troubleshooting
In configuring and using DNS, the DNS may fail due to reasons such as physical connection failure or wrong configurations.
Chapter 70 Summer Time Configuration
70.1 Introduction to Summer Time
Summer time, also called daylight saving time, is a time system intended to save energy. In summer the clock is advanced by 1 hour so that people keep earlier hours and use less lighting, which saves electricity. The rules for adopting summer time differ from country to country. At present, almost 110 countries implement summer time.
70.3 Examples of Summer Time
Example1:
The configuration requirement is as follows: summer time runs from 23:00 on April 1st, 2012 to 00:00 on October 1st, 2012, the clock offset is 1 hour, and the summer time is named 2012.
Configuration procedure is as follows:
Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.
Chapter 71 Monitor and Debug
When users configure the switch, they need to verify that the configuration is correct and that the switch is operating as expected; when the network fails, they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the causes of problems.
71.
For the Traceroute options and explanations of the parameters of the Traceroute command, please refer to the traceroute command chapter in the command manual.
71.4 Traceroute6
The Traceroute6 function is used to test the gateways that data packets pass through from the source equipment to the destination equipment, in order to verify accessibility and locate network failures.
show history all-users [detail]
    Show the recent command history of all users. Use clear history all-users command to clear the command history of all users saved by the system, the max history number can be set by history all-users max-length command.
show memory usage
    Show the memory usage.
show running-config
    Display the switch parameter configuration validating at current operation state.
71.7 System log
71.7.1 System Log Introduction
The system log takes over all information output under its control and catalogues it in detail, so that information can be selected effectively. Combined with the Debug programs, it gives the network administrator and developer powerful support in monitoring the network operation state and locating network failures.
ts or encounters a power failure. Information in the log buffer zone is critical for monitoring the system operation and detecting abnormal states.
Note: the NVRAM log buffer may not exist on some switches, which only have the SDRAM log buffer zone.
It is recommended to use the system log server. By configuring the log host on the switch, the log can be sent to the log server for future examination.
1.1.1.
Information output by CLI commands is classified as informational.
Information from the debugging of CLI commands is classified as debugging.
Log information can be automatically sent to the corresponding channels according to its severity level. Among these, debugging information can only be sent to the monitor.
logging { | } [ facility ] [level ]
no logging { | } [ facility ]
    Enable the output channel of the log host. The "no" form of this command will disable the output at the output channel of the log host.
logging loghost sequence-number
no logging loghost sequence-number
    Add the loghost sequence-number for the log, the no command does not include the loghost sequence-number.
3.
Configuration procedure:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 100.100.100.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#logging 100.100.100.5 facility local1 level warnings
Example 2: When managing VLAN the IPv6 address of the switch is 3ffe:506::1, and the IPv6 address of the remote log server is 3ffe:506::4.
Chapter 72 Reload Switch after Specified Time
72.1 Introduction to Reload Switch after Specified Time
Reload switch after specified time reboots the switch, without shutting down its power, after a specified period of time; it is usually used when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
72.2 Reload Switch after Specified Time Task List
1.
Chapter 73 Debugging and Diagnosis for Packets Received and Sent by CPU
73.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU
The following commands are used to debug and diagnose the packets received and sent by the CPU, and are meant to be used with the help of technical support.
73.
Command Explanation
Admin Mode
protocol filter {protocol-type}
no Protocol filter {protocol-type}
    Turn on/off the treatment of the named protocol packets, the named protocol contains: {arp|bgp|dhcp|dhcpv6|hsrp|http|igmp|ip|ldp|mpls|ospf|pim|rip|snmp|telnet|vrrp}
Chapter 74 VSF
74.1 Overview
74.1.1 Introduction of VSF
VSF uses VSF ports to connect several servers and build up one virtual logical facility. The user can use this virtual machine to manage all the physical facilities that are linked together.
Traditional district and data center networks use a multiple-layer network topology design, as shown below in Fig 1-1.
Fig 1-2 VSF
Fig 1-3 Enterprise that adopting virtual technology
Compared with the traditional L2/L3 network design, VSF provides several marked advantages. All in all, there are 3 main advantages:
1.
eed to continous the reconstringency of L2/L3 can restart the virtual switch recover in short time. The active mode must be used for port group.
3. VSF can expand the system bandwidth capacity
A VSF switch can activate all the L2 bandwidth and can balance the load across the multiple members of the VSF when expanding the bandwidth.
74.1.2 Basic Concept
(1) Role
Each of the facilities in the VSF is called a member facility.
Fig 1-5 Splitting of stacking
(6) Priority of member
The member priority is an attribute of a member facility and is mainly used in role selection to determine the role of each member. The higher the priority of a facility, the higher its chance of becoming the Master. The default priority of a facility is 1. If the user wants a particular facility to become the Master, the priority value of that facility can be increased manually before building up the VSF.
Fig 1-6 application of VSF in the campus data center
Fig 1-6 shows the application of VSF in the campus internet. With VSF, several facilities are grouped together to become a single logical facility and connected to the virtual facility. After this simplification, the network does not need to use the MSTP and VRRP protocols, which simplifies the network configuration.
Fig 1-7 LACP MAD detection
LACP MAD detection is achieved through extended LACP protocol packet content. It defines a new TLV (Type Length Value) in the extended field of LACP protocol packets, and this TLV is used to exchange the ActiveID of the VSF. For a VSF system, the ActiveID value is unique, and it is expressed by the member number of the master device in the VSF.
cannot be configured with other functions. Construction method: select one port on member1 and one port on member2, and connect them with a cable.
Fig 1-8 BFD MAD detection
BFD MAD detection is implemented through the BFD protocol. For BFD MAD detection to run normally, enable the BFD MAD detection function under the layer 3 interface and configure a MAD IP address on this interface.
Command                  Explanation
Global Mode
vsf member               Configure/delete the number of VSF members.
no vsf member

Configure the priority and domain of VSF members (optional)
Command                  Explanation
Global Mode
vsf priority             Configure/delete the priority of VSF members.
no vsf priority
vsf domain               Configure/delete the VSF domain; the no command
no vsf domain            restores the default of 1.
vsf member description       Describe the VSF members. This information is written
no vsf member description    only to the VSF master configuration file. The no
                             command deletes this information.
vsf link delay               Configure the link-down delay reporting function of the
no vsf link delay            VSF link, used to avoid the link splitting and merging
                             because of changes within a short period of time.
Port Mode
lacp timeout             Configure/delete the quick detection.
no lacp timeout

4. Enable LACP MAD
Command                  Explanation
Aggregation Port Mode
vsf mad lacp             Enable/disable LACP MAD on port-group.

74.2.3 BFD MAD Configuration
BFD MAD configuration task list:
1. Create the vlan used for BFD MAD
2.
3.
4.
vsf mad ip address member        Configure/delete the IP address used for BF
no vsf mad ip address member

4. Enable BFD MAD function
Command                  Explanation
Interface Configuration Mode
vsf mad bfd              Enable/disable BFD MAD.

74.3 Typical VSF Example
Case 1: In independent operation mode, configure two switches to create a VSF.
Fig 1-9 LACP MAD detection topology
As shown in the figure above, the LACP MAD detection function is used between two VSFs. vsf1 and vsf2 are the devices being detected, and they are also the intermediate devices. The configuration is the same as above. Recommendation: create overlapping connections among the devices, to avoid the case where vsf1 cannot act as the intermediate device to detect vsf2 after it is split.
Switch(config-if-ethernet1/1/2)#port-group 1 mode active
Switch(config)#interface ethernet 2/1/1
Switch(config-if-ethernet2/1/1)#port-group 1 mode active
Switch(config)#interface ethernet 2/1/2
Switch(config-if-ethernet2/1/2)#port-group 1 mode active
Switch(config-if-ethernet2/1/2)#interface port-channel 1
Switch(config-if-port-channel1)#vsf mad lacp enable

vsf2 configuration:
Switch(config)#vsf domain 2
Configure vsf domain number, it can be configured as other value
74.4 VSF Troubleshooting
If a command does not work while configuring or using VSF, check the following items:
Whether the switch is in the right operation mode: some commands can be configured only in VSF operation mode, while others work in both VSF and independent operation mode.
be disabled the anti-ring function, otherwise the detection may fail.
If a port on this VSF is configured as a trunk port (including port-channel ports), check whether the VLAN used for BFD MAD detection is in this trunk (a trunk port belongs to all VLANs by default). If it is, the VLAN used for BFD MAD detection must be filtered on this port, otherwise a loop may appear.
Chapter 75 SWITCH OPERATION
75.1 Address Table
The Switch is implemented with an address table. This address table is composed of many entries. Each entry stores the address information of a node in the network, including MAC address, port no, etc. This information comes from the learning process of the Ethernet Switch.
75.2 Learning
When one packet comes in from any port, the Switch will record the source address, port no.
The Switch performs "Store and forward"; therefore, no error packets occur. More reliably, it reduces the re-transmission rate. No packet loss will occur.
75.5 Auto-Negotiation
The STP ports on the Switch have built-in "Auto-negotiation". This technology automatically sets the best possible bandwidth when a connection is established with another network device (usually at Power On or Reset).
Chapter 76 TROUBLESHOOTING
This chapter contains information to help you solve problems. If the Ethernet Switch is not functioning properly, make sure the Ethernet Switch was set up according to instructions in this manual.
Chapter 77 APPENDIX A
77.1 A.1 Switch's RJ45 Pin Assignments 1000Mbps, 1000BASE T
Contact    MDI       MDI-X
1          BI_DA+    BI_DB+
2          BI_DA-    BI_DB-
3          BI_DB+    BI_DA+
4          BI_DC+    BI_DD+
5          BI_DC-    BI_DD-
6          BI_DB-    BI_DA-
7          BI_DD+    BI_DC+
8          BI_DD-    BI_DC-
Implicit implementation of the crossover function within a twisted-pair cable, or at a wiring panel, while not expressly forbidden, is beyond the scope of this standard.
77.2 A.
The standard RJ45 receptacle/connector
There are 8 wires on a standard UTP/STP cable and each wire is color-coded.
Chapter 78 GLOSSARY
Bandwidth Utilization
The percentage of packets received over time as compared to overall bandwidth.
BOOTP
Boot protocol used to load the operating system for devices connected to the network.
Distance Vector Multicast Routing Protocol (DVMRP)
A distance-vector-style routing protocol used for routing multicast datagrams through the Internet. DVMRP combines many of the features of RIP with Reverse Path Broadcasting (RPB).
IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q
VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end-stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
IEEE 802.3ac
Defines frame extensions for VLAN tagging.
An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.
Multicast Switching
A process whereby the switch filters incoming multicast frames for services no attached host has registered for, or forwards them to all ports contained within the designated multicast VLAN group.
network systems. Spanning-tree detects and directs data along the shortest path, maximizing the performance and efficiency of the network.
Telnet
Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.