Contents

Chapter 1 Switch Management
1.1 Management Options
1.1.1 Out-Of-Band Management
1.1.2 In-band Management
...
3.1 Introduction to Cluster Network Management
3.2 Cluster Network Management Configuration Sequence
3.3 Examples of Cluster Administration
3.4 Cluster Administration Troubleshooting
Chapter 4 Port Configuration
...
9.2 Brief Introduction to LACP
9.2.1 Static LACP Aggregation
9.2.2 Dynamic LACP Aggregation
9.3 Port Channel Configuration Task List
9.4 Port Channel Examples
...
15.1 Introduction to bpdu-tunnel
15.1.1 bpdu-tunnel function
15.1.2 Background of bpdu-tunnel
15.2 bpdu-tunnel Configuration Task List
15.3 Examples of bpdu-tunnel
...
16.7.2 GVRP Configuration Task List
16.7.3 Example of GVRP
16.7.4 GVRP Troubleshooting
Chapter 17 MAC Table Configuration
17.1 Introduction to MAC Table
...
20.1 Introduction to Flow-based Redirection
20.2 Flow-based Redirection Configuration Task Sequence
20.3 Flow-based Redirection Examples
20.4 Flow-based Redirection Troubleshooting Help
Chapter 21 Flexible QinQ Configuration
...
24.1.3 How to prevent void ARP Spoofing
24.2 Prevent ARP Spoofing Configuration
24.3 Prevent ARP Spoofing Example
Chapter 25 ARP Guard Configuration
25.1 Introduction to ARP Guard
...
Chapter 30 DHCP Option 60 and Option 43
30.1 Introduction to DHCP Option 60 and Option 43
30.2 DHCP Option 60 and Option 43 Configuration Task List
30.3 DHCPv6 Option 60 and Option 43 Example
30.4 DHCP Option 60 and Option 43 Troubleshooting
...
34.2.1 Introduction to DCSCM
34.2.2 DCSCM Configuration Task List
34.2.3 DCSCM Configuration Examples
34.2.4 DCSCM Troubleshooting
34.3 IGMP Snooping
...
38.1.6 The Features of VLAN Allocation
38.2 802.1X Configuration Task List
38.3 802.1X Application Example
38.3.1 Examples of Guest VLAN Applications
38.3.2 Examples of IPv4 RADIUS Applications
...
42.3 TACACS+ Scenarios Typical Examples
42.4 TACACS+ Troubleshooting
Chapter 43 RADIUS Configuration
43.1 Introduction to RADIUS
43.1.1 AAA and RADIUS Introduction
...
47.4 PPPoE Intermediate Agent Troubleshooting
Chapter 48 Web Portal Configuration
48.1 Introduction to Web Portal Authentication
48.2 Web Portal Authentication Configuration Task List
48.3 Web Portal Authentication Typical Example
...
53.1 Introduction to ULSM
53.2 ULSM Configuration Task List
53.3 ULSM Typical Example
53.4 ULSM Troubleshooting
Chapter 54 Mirror Configuration
...
59.5 Show
59.6 Debug
59.7 System Log
59.7.1 System Log Introduction
Chapter 1 Switch Management
1.1 Management Options
After purchasing the switch, the user needs to configure it for network management. The switch provides two management options: in-band management and out-of-band management.
1.1.1 Out-Of-Band Management
Out-of-band management is management through the Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
Step 2: Entering HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP.
1) Click Start menu - All Programs - Accessories - Communication - HyperTerminal.
2) Type a name for the HyperTerminal session, such as "Switch".
Figure: Opening HyperTerminal
3) In the "Connect using" drop-down list, select the RS-232 serial port used by the PC, e.g. COM1, and click "OK".
Step 3: Entering the switch CLI interface
Power on the switch. The following appears in the HyperTerminal window; this is the CLI configuration mode of the switch:
Testing RAM...
0x077C0000 RAM OK
Loading MiniBootROM...
Attaching to file system ...
Loading nos.img ... done.
Booting......
Starting at 0x10000...
Attaching to file system ...
......
--- Performing Power-On Self Tests (POST) ---
DRAM Test....................PASS!
PCI Device 1 Test............PASS!
FLASH Test...................
The user can now enter commands to manage the switch. For a detailed description of the commands, please refer to the following chapters.
1.1.2 In-band Management
In-band management refers to managing the switch by logging in over the network with Telnet, HTTP, or SNMP management software. In-band management lets devices attached to the switch manage it. Note that Telnet, HTTP and SNMP v1/v2c carry credentials and data in cleartext, so on a network that is not isolated for management traffic, SSH (section 2.2.2) and SNMP v3 (section 2.4) should be used instead.
First is the configuration of the host IP address, which must be in the same network segment as the switch VLAN1 interface IP address. Suppose the switch VLAN1 interface IP address is 10.1.128.251/24; then a possible host IP address is 10.1.128.252/24. Run "ping 10.1.128.251" from the host and verify the result; if the ping fails, check the cabling, the VLAN membership of the port and the addressing before continuing. The IP address configuration commands for the VLAN1 interface are listed below.
authentication line vty login local. The privilege option must be present and set to 15.
Step 1: Configure the IP address of the switch and start the HTTP server function on the switch. For configuring the IP address of the switch through out-of-band management, see the Telnet management chapter. To enable web configuration, type the CLI command ip http server in Global Mode:
Switch>enable
Switch#config
Switch(config)#ip http server
Because HTTP sends the login name and password in cleartext, restrict which hosts may reach the web interface, for example with the authentication ip access-class command described in section 2.2.
Step 2: Run the HTTP protocol on the host.
The configuration procedure should look like the following:
Switch>enable
Switch#config
Switch(config)#username admin privilege 15 password 0 admin
Switch(config)#authentication line web login local
Note: when configuring the switch, the switch name must consist of English letters. The password value admin above is only a placeholder; replace it with a strong password before the switch is reachable in-band.
1.1.2.
Input verification
Fuzzy match support
1.2.1 Configuration Modes
Shell Configuration Modes
1.2.1.1 User Mode
On entering the CLI interface, the user enters the user entry system first. A common user is placed in User Mode by default. The prompt shown is "Switch>"; the symbol ">" is the prompt for User Mode. When the exit command is run under Admin Mode, the shell also returns to User Mode. Under User Mode, no configuration of the switch is allowed; only the clock time and the version information of the switch can be queried.
Mode to modify all configurations of the switch. For this reason, a password must be set for entering Admin Mode, to prevent unauthorized access and malicious modification of the switch.
1.2.1.3 Global Mode
Typing the config command under Admin Mode enters Global Mode, with the prompt "Switch(config)#". Using the exit command under other configuration modes such as Port Mode or VLAN Mode returns to Global Mode.
Route Mode
Routing Protocol | Entry | Operates | Exit
RIP Routing Protocol | Type the router rip command under Global Mode. | Configure RIP protocol parameters. | Use the exit command to return to Global Mode.
OSPF Routing Protocol | Type the router ospf command under Global Mode. | Configure OSPF protocol parameters. | Use the exit command to return to Global Mode.
BGP Routing Protocol | Type the router bgp command under Global Mode. | Configure BGP protocol parameters.
firewall {enable | disable}: the user can enter firewall enable or firewall disable for this command.
snmp-server community {ro | rw}: the following are possible: snmp-server community ro, snmp-server community rw.
1.2.3 Shortcut Key Support
The switch provides several shortcut keys to facilitate configuration, such as Up, Down, Left, Right and Space. If the terminal does not recognize the Up and Down keys, Ctrl+P and Ctrl+N can be used instead.
"?" Under any command line prompt, enter "?" to get the command list of the current mode with brief descriptions. Enter "?" after a command keyword, separated by a space: if the position should be a parameter, a description of that parameter (type, range, etc.) is returned; if the position should be a keyword, a set of keywords with brief descriptions is returned; if the output is "", the command is complete, and pressing Enter runs it.
command!" error if only "show r" is entered, as the shell is unable to tell whether "show run" or "show running-config" is meant. Therefore, the shell will only recognize the command if "sh ru" is entered.
+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya ul., 18, bldg.
Chapter 2 Basic Switch Configuration
2.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting Admin Mode, commands for entering and exiting interface mode, commands for configuring and displaying the switch clock, commands for displaying the version information of the switch system, etc.
Command | Explanation
Normal User Mode / Admin Mode
enable [<1-15>] / disable | The user uses the enable command to step into Admin Mode from Normal User Mode, or to change the privilege level of the user; disable returns to Normal User Mode.
2.2 Telnet Management
2.2.1 Telnet
2.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation. Telnet sends the user's keystrokes to the remote host and the remote host's output to the user's screen through a TCP connection. This is a transparent service: to the user, the keyboard and monitor seem to be connected to the remote host directly. Telnet provides no encryption, so the username, password and every command cross the network in cleartext; SSH (section 2.2.2) is the preferred protocol for in-band management.
addr> / no authentication securityipv6 | ... switch through Telnet; the no command deletes the authorized Telnet security address.
authentication ip access-class {|} / no authentication ip access-class | Bind a standard IP ACL to login via Telnet/SSH/Web; the no form of the command cancels the binding.
2.2.2 SSH
2.2.2.1 Introduction to SSH
SSH (Secure Shell) is a protocol that provides secure remote access to network devices. It runs over the reliable TCP/IP protocol. Through key exchange, authentication and encryption between the SSH server and the SSH client, a secure connection is established, and the information transferred over this connection is protected against eavesdropping and tampering. The switch meets the requirements of SSH 2.0. It supports SSH2.
Example 1:
Requirement: Enable the SSH server on the switch, and run SSH 2.0 client software such as Secure Shell client or PuTTY on the terminal. Log on to the switch from the client using a username and password.
Configure the IP address, add an SSH user and enable the SSH service on the switch. The SSH 2.0 client can then log on to the switch with the username and password to configure the switch.
Switch(config)#ssh-server enable
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 100.100.100.200 255.255.255.
1. Enable VLAN port mode
Command | Explanation
Global Mode
interface vlan / no interface vlan | Create a VLAN interface (layer 3 interface); the no command deletes the VLAN interface.
2.
2.4 SNMP Configuration
2.4.1 Introduction to SNMP
SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol.
the messages cannot be viewed in transit, and USM authentication ensures that the messages cannot be altered in transit. USM employs DES-CBC for encryption, and HMAC-MD5 and HMAC-SHA for authentication. Both DES (56-bit key) and MD5 are considered weak today; of the two authentication algorithms listed, HMAC-SHA should be preferred. VACM is used to classify users' access permissions: it puts users with the same access permissions in the same group, and a user cannot perform an operation that is not authorized.
2.4.
network management. The NMS obtains network management information by accessing the MIB of the SNMP Agent. The switch can operate as an SNMP Agent and supports SNMP v1/v2c and SNMP v3. The switch supports basic MIB-II, the RMON public MIB and other public MIBs such as BRIDGE MIB. In addition, the switch supports a self-defined private MIB.
2.4.3 Introduction to RMON
RMON is the most important extension of standard SNMP.
Global Mode
snmp-server enable / no snmp-server enable | Enable the SNMP Agent function on the switch; the no command disables the SNMP Agent function on the switch.
2.
[access {|}] [ipv6-access {|}] / no snmp-server user [access {|}] [ipv6-access {|}] | ... for SNMP v3.
6.
form of this command cancels this IPv4 or IPv6 address.
snmp-server trap-source { | } / no snmp-server trap-source { | } | Set the source IPv4 or IPv6 address used to send trap packets; the no command deletes the configuration.
9. Enable/Disable RMON
Command | Explanation
Global Mode
rmon enable / no rmon enable | Enable/disable RMON.
2.4.5 Typical SNMP Configuration Examples
The IP address of the NMS is 1.1.1.
Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst
Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max
Switch(config)#snmp-server view max 1 include
Note that the view max includes the whole OID subtree 1, and the group grants write access to it, so this example user can change any writable object on the switch; in production, give the NMS user a narrower view and read-only access unless writes are required.
Scenario 4: The NMS wants to receive the v3 Trap messages sent by the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 10.1.1.
not be able to communicate with the NMS properly. If the Trap function is required, remember to enable Traps (use the "snmp-server enable traps" command), and to configure the target host IP address and community string for Traps properly (use the "snmp-server host" command) so that Trap messages can be sent to the specified host. If the RMON function is required, RMON must be enabled first (use the "rmon enable" command).
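The USM mechanism described in section 2.4 (HMAC-MD5/HMAC-SHA authentication) and exercised by the "snmp-server user ... auth md5 hellotst" line above is easy to get wrong when you need to reproduce it outside the switch, for example in a collector that must verify traps. The following is an added example written for this page, not code from the switch vendor: it implements RFC 3414 password-to-key derivation, key localization with the snmpEngineID, and the 12-byte msgAuthenticationParameters HMAC, using only the Python standard library. The engine ID and the message bytes in the demo are constructed placeholders, not a real BER-encoded SNMP message; the "maplesyrup" values are the RFC 3414 Appendix A.3 test vectors.

```python
"""SNMPv3 USM key handling behind 'snmp-server user ... auth md5|sha'.

RFC 3414: password-to-key (Appendix A.2), key localization (section 2.6)
and the 12-byte msgAuthenticationParameters HMAC (sections 6.3 and 7.3).
Standard library only.
"""
import hashlib
import hmac

# Only the two algorithms the manual names; both are defined in RFC 3414.
ALGORITHMS = {"md5": hashlib.md5, "sha": hashlib.sha1}
AUTH_PARAM_LEN = 12            # HMAC-MD5-96 and HMAC-SHA-96 both truncate to 12 bytes
PASSWORD_EXPANSION = 1048576   # exactly 1 MiB of repeated password is hashed


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku: digest of the password repeated to exactly 1 MiB (RFC 3414 A.2)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (PASSWORD_EXPANSION // len(pw) + 1))[:PASSWORD_EXPANSION]
    return ALGORITHMS[algorithm](expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).  The same password gives a different
    key on every engine, so one switch's key does not unlock another switch."""
    return ALGORITHMS[algorithm](ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algorithm: str) -> bytes:
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def auth_parameter(kul: bytes, message: bytes, algorithm: str) -> bytes:
    """HMAC over the whole message, with the 12-byte field zeroed, truncated."""
    return hmac.new(kul, message, ALGORITHMS[algorithm]).digest()[:AUTH_PARAM_LEN]


def sign_message(kul: bytes, message: bytes, field_offset: int, algorithm: str) -> bytes:
    """Sender: zero msgAuthenticationParameters, compute the tag, splice it in."""
    m = bytearray(message)
    m[field_offset:field_offset + AUTH_PARAM_LEN] = b"\x00" * AUTH_PARAM_LEN
    tag = auth_parameter(kul, bytes(m), algorithm)
    m[field_offset:field_offset + AUTH_PARAM_LEN] = tag
    return bytes(m)


def verify_message(kul: bytes, message: bytes, field_offset: int, algorithm: str) -> bool:
    """Receiver: extract the tag, zero the field, recompute, compare in constant time."""
    received_tag = message[field_offset:field_offset + AUTH_PARAM_LEN]
    m = bytearray(message)
    m[field_offset:field_offset + AUTH_PARAM_LEN] = b"\x00" * AUTH_PARAM_LEN
    expected = auth_parameter(kul, bytes(m), algorithm)
    return hmac.compare_digest(received_tag, expected)


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", engine ID 00..02 (12 bytes).
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print("MD5 Kul:", localized_key("maplesyrup", rfc_engine, "md5").hex())
    print("SHA Kul:", localized_key("maplesyrup", rfc_engine, "sha").hex())
    # Constructed engine ID and placeholder message (not a real BER-encoded SNMP PDU);
    # the 12 zero bytes at offset 10 stand for msgAuthenticationParameters.
    engine_a = b"\x80\x00\x1f\x88\x80" + b"\x01" * 5
    kul = localized_key("hellotst", engine_a, "md5")
    msg = b"v3-header|" + b"\x00" * AUTH_PARAM_LEN + b"|scopedPDU"
    signed = sign_message(kul, msg, 10, "md5")
    print("verifies:", verify_message(kul, signed, 10, "md5"))
```

Two things the code makes visible that the manual text does not: the switch never stores the password itself but a key localized with its own engine ID, so a collector needs the switch's snmpEngineID (not just the password) to verify its traps; and the authentication tag is a truncated HMAC over the entire message, which is what makes modification in transit detectable even when privacy is not enabled.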
Figure: Console cable connection, typical topology for switch upgrade in BootROM mode
The upgrade procedure is listed below:
Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable connects the PC to the management port on the switch. The PC should have FTP/TFTP server software installed and hold the image file required for the upgrade.
Step 2: Press "Ctrl+B" during switch boot-up until the switch enters BootROM monitor mode.
command in BootROM mode on the switch; if it fails, troubleshoot to find the cause. The following loads the system update image file:
[Boot]: load nos.img
Loading...
Loading file ok!
Step 5: Execute write nos.img in BootROM mode. The following saves the system update image file:
[Boot]: write nos.img
File nos.img exists, overwrite? (Y/N)?[N] y
Writing nos.img.....................................................
Write nos.img OK.
Used to list the existing files in FLASH.
[Boot]: dir
boot.rom          327,440  1900-01-01 00:00:00  --SH
boot.conf              83  1900-01-01 00:00:00  --SH
nos.img         2,431,631  1980-01-01 00:21:34  ----
startup-config      2,922  1980-01-01 00:09:14  ----
temp.img        2,431,631  1980-01-01 00:00:32  ----
2. CONFIG RUN command
Used to set the IMAGE file to run upon system start-up, and the configuration file to load upon configuration recovery.
[Boot]: config run
Boot File: [nos.img] nos.img
Config File: [boot.conf]
2.5.3 FTP/TFTP Upgrade
2.5.3.
the client about the port, and the client establishes a data connection to the specified port. As the data connection is established through the specified address and port, a third party can provide the data connection service. TFTP builds upon UDP, providing an unreliable data stream transfer service with no user authentication and no permission-based file access authorization. It ensures correct data transmission through a send-and-acknowledge mechanism and retransmission of timed-out packets. Because TFTP has no authentication at all, a TFTP server holding switch images or configuration files should be reachable only from the management network and only for the duration of the transfer.
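The send-and-acknowledge mechanism just described is simple enough to model end to end. The following is an added example written for this page, not code from the switch or from a TFTP implementation: it builds the RFC 1350 packets (RRQ, DATA, ACK, ERROR), runs a read transfer with both client and server in memory (no sockets), forces a lost ACK so the retransmission path is exercised, and applies the rule that a DATA block shorter than 512 bytes ends the transfer. The file contents and names are constructed sample data. The absence of any credentials field in the RRQ is exactly the "no user authentication" property the text warns about.

```python
"""In-memory model of a TFTP read transfer (RFC 1350), the mechanism that
'copy tftp://.../nos.img' relies on: opcodes, 512-byte DATA blocks, one ACK
per block, retransmission after a lost ACK, and the short-last-block rule."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
ERR_NOT_FOUND = 1


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    # RRQ = opcode(2) | filename | 0 | mode | 0.  There is no credentials field.
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_request(pkt: bytes):
    opcode, = struct.unpack("!H", pkt[:2])
    fields = pkt[2:].split(b"\x00")
    if opcode not in (RRQ, WRQ) or len(fields) < 3:
        raise ValueError("malformed request")
    return opcode, fields[0].decode(), fields[1].decode().lower()


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload   # block number wraps at 2^16


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code: int, text: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + text.encode() + b"\x00"


def read_transfer(server_files: dict, filename: str, lost_acks=()):
    """Run client and server in one loop.  Returns (file bytes or None, exchange log).
    lost_acks: block numbers whose first ACK never reaches the server, so the
    server times out and retransmits that DATA block."""
    log = []
    lost = set(lost_acks)
    _, name, mode = parse_request(build_rrq(filename))
    log.append(f"C->S RRQ file={name} mode={mode}")
    if name not in server_files:                      # server side: unknown file
        err = build_error(ERR_NOT_FOUND, "File not found")
        log.append(f"S->C ERROR code={struct.unpack('!H', err[2:4])[0]}")
        return None, log
    data = server_files[name]
    server_block, client_next, received = 1, 1, b""
    while True:
        payload = data[(server_block - 1) * BLOCK_SIZE: server_block * BLOCK_SIZE]
        pkt = build_data(server_block, payload)
        log.append(f"S->C DATA block={server_block} len={len(payload)}")
        _, blk = struct.unpack("!HH", pkt[:4])
        if blk == (client_next & 0xFFFF):             # client side: new block, store it
            received += pkt[4:]
            client_next += 1
        # a retransmitted (duplicate) block is ACKed again but not stored twice
        ack = build_ack(blk)
        if server_block in lost:
            lost.discard(server_block)
            log.append(f"C->S ACK block={blk} (lost: server times out and resends)")
            continue                                   # server resends the same block
        log.append(f"C->S ACK block={struct.unpack('!HH', ack)[1]}")
        if len(payload) < BLOCK_SIZE:                 # short (possibly empty) block ends it
            return received, log
        server_block += 1


if __name__ == "__main__":
    sample = {"nos.img": bytes(range(256)) * 5 + b"tail"}   # constructed 1284-byte "image"
    content, exchange = read_transfer(sample, "nos.img", lost_acks=(2,))
    print("\n".join(exchange))
    print("received", len(content), "bytes, intact:", content == sample["nos.img"])
```

Note the two correctness details that real implementations get wrong: a file whose size is an exact multiple of 512 must still be followed by an empty DATA block, otherwise the client waits forever, and a duplicated DATA block after a retransmission must be acknowledged again without being appended a second time.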
switch, the running configuration file is stored in RAM. In the current version, the running configuration (running-config) can be saved from RAM to FLASH with the write command or the copy running-config startup-config command, so that the running configuration becomes the start-up configuration file; this is called configuration save. To prevent illicit file upload and to simplify configuration, the switch mandates that the running configuration file be named running-config.
ftp-dir | For the FTP client, the server file list can be checked. The FtpServerUrl format is: ftp://user:password@IPv4|IPv6 Address. The password embedded in the URL is visible in the command history and travels in cleartext over FTP, so use a dedicated account with access to nothing but the image directory.
2. FTP server configuration
(1) Start FTP server
Command | Explanation
Global Mode
ftp-server enable / no ftp-server enable | Start the FTP server; the no command shuts down the FTP server and prevents FTP users from logging in.
2.5.3.3 FTP/TFTP Configuration Examples
The configuration is the same for IPv4 and IPv6 addresses; the example uses IPv4 only.
Figure: Download nos.img file as FTP/TFTP client (switch 10.1.1.2, server 10.1.1.1)
Scenario 1: The switch is used as an FTP/TFTP client. The switch connects from one of its ports to a computer that is an FTP/TFTP server with IP address 10.1.1.1; the switch acts as the FTP/TFTP client, and the IP address of the switch management VLAN is 10.1.1.2. Download "nos.
Start the TFTP server software on the computer and place the "12_30_nos.img" file in the appropriate TFTP server directory on the computer. The configuration procedure on the switch is listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy tftp://10.1.1.1/12_30_nos.img nos.img
Scenario 2: The switch is used as an FTP server.
conditions: The switch connects to a computer through an Ethernet port; the computer is an FTP server with IP address 10.1.1.1; the switch acts as an FTP client, and the IP address of the switch management VLAN1 interface is 10.1.1.2.
FTP Configuration:
PC side: Start the FTP server software on the PC and set the username "Switch" and the password "superuser".
Switch:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.
please verify link connectivity and retry the "copy" command.
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
nos.img file length = 1526021
read file ok
send file
150 Opening ASCII mode data connection for nos.img.
226 Transfer complete.
close ftp client.
The following is the message displayed when files are successfully received. Otherwise, please verify link connectivity and retry the "copy" command.
Close tftp client.
The following is the message displayed when files are successfully received. Otherwise, please verify link connectivity and retry the "copy" command.
begin to receive file, wait...
recv 1526037
************************
write ok
transfer complete
close tftp client.
Chapter 3 Cluster Configuration
3.1 Introduction to Cluster Network Management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which manage the target switches directly from a management workstation, cluster network management manages the target switches (member switches) through an intermediate switch (commander switch). A commander switch can manage multiple member switches.
Configure the private IP address pool for member switches of the cluster
Create or delete a cluster
Add or remove a member switch
Configure attributes of the cluster in the commander switch
Enable or disable automatically adding cluster members
Set automatically added members to manually added ones
Set or modify the time interval of keep-alive messages on switches in the cluster
mac-address }
3. Configure attributes of the cluster in the commander switch
Command | Explanation
Global Mode
cluster auto-add / no cluster auto-add | Enable or disable adding newly discovered candidate switches to the cluster. With auto-add enabled, any candidate switch the commander discovers joins the cluster; once the intended members have joined, disable it and convert the members with cluster member auto-to-user so that an unexpected device cannot enrol itself.
cluster member auto-to-user | Change automatically added members into manually added ones.
cluster keepalive interval / no cluster keepalive interval | Set the keep-alive interval of the cluster.
[ascii | binary] | Used to remotely upgrade the member switch. It can only upgrade the nos.img file.
6. Manage the cluster network with the web
Command | Explanation
Global Mode
ip http server | Enable the HTTP function on the commander switch and on the member switches. Note: the HTTP function must be enabled on a member switch before the commander switch can access that member switch via the web. The commander switch accesses a member switch through the member node in the cluster topology.
7.
Examples of Cluster Configuration Procedure
1. Configure the commander switch
Configuration of SW1:
Switch(config)#cluster run
Switch(config)#cluster ip-pool 10.2.3.4
Switch(config)#cluster commander 5526
Switch(config)#cluster auto-add
2. Configure the member switches
Configuration of SW2-SW4:
Switch(config)#cluster run
3.
Chapter 4 Port Configuration
4.1 Introduction to Port
The switch contains cable ports and Combo ports. A Combo port can be configured as either a 1000BASE-T copper port or an SFP Gigabit fiber port. If the user needs to configure some network ports, he/she can use the interface ethernet command to enter the appropriate Ethernet port configuration mode, where the argument stands for one or more ports.
Global Mode
interface ethernet | Enters the network port configuration mode.
2.
broadcast storm control function.
port-scan-mode {interrupt | poll} / no port-scan-mode | Configure the port scan mode as interrupt or poll; the no command restores the default port scan mode.
Set the maximum packet reception rate of a port. If the rate of received packets exceeds the configured rate, the port is shut down; the recovery time is configurable, with a default of 300 s.
Figure: Switch2 and Switch3: port 1/8 mirror source port; port 1/9 100Mbps full, mirror source port; port 1/10 1000Mbps full, mirror destination port; port 1/12 100Mbps full
The configurations are listed below:
Switch1:
Switch1(config)#interface ethernet 1/7
Switch1(Config-If-Ethernet1/7)#bandwidth control 50000 both
Switch2:
Switch2(config)#interface ethernet 1/9
Switch2(Config-If-Ethernet1/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/9)#exit
Switch2(config)#interface ethernet 1/10
Switch2(Config-If-Ethernet1/10)#speed
Chapter 5 Port Isolation Function Configuration
5.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function that works between ports, isolating the traffic of different ports from each other. With port isolation, users can isolate ports within a VLAN, which saves VLAN resources and enhances network security.
3. Display the configuration of port isolation
Command | Explanation
Admin Mode and Global Mode
show isolate-port group [ ] | Display the configuration of port isolation, including all configured port isolation groups and the Ethernet ports in each group.
5.
Chapter 6 Port Loopback Detection Function Configuration
6.1 Introduction to Port Loopback Detection Function
As switches have developed, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which creates demand for both Internet access and internal layer-2 interworking.
6.2 Port Loopback Detection Function Configuration Task List
Configure the time interval of loopback detection
Enable the port loopback detection function
Configure the control method of port loopback detection
Display and debug the relevant information of port loopback detection
Configure the loopback-detection control mode (automatic recovery enabled or not)
1.
show loopback-detection [interface ] | Display the state and result of loopback detection on all ports if no parameter is given; otherwise display the state and result for the specified ports.
5. Configure the loopback-detection control mode (automatic recovery enabled or not)
Command | Explanation
Global Mode
loopback-detection controlrecovery timeout <0-3600> | Configure the loopback-detection control mode (automatic recovery enabled or not) and the recovery time.
6.
Switch(config)#interface ethernet 1/1
Switch(Config-If-Ethernet1/1)#loopback-detection special-vlan 1-3
Switch(Config-If-Ethernet1/1)#loopback-detection control block
If the block control method is adopted, MSTP must be enabled globally, and the mapping between spanning tree instances and VLANs must be configured.
Chapter 7 ULDP Function Configuration
7.1 Introduction to ULDP Function
A unidirectional link is a common link error state in networks, especially on fiber links. A unidirectional link means that only one port of the link can receive frames from the other port, while the latter cannot receive frames from the former. Since the physical layer of the link is connected and works normally, the physical-layer checking mechanism cannot detect the communication problem between the devices.
ULDP (Unidirectional Link Detection Protocol) helps avoid the disasters that can happen in the situations mentioned above. On switches connected by fiber or copper Ethernet cable (such as Category 5e twisted pair), ULDP monitors the link state of the physical links. Whenever a unidirectional link is discovered, it warns the user and can disable the port automatically or manually, according to the user's configuration.
2. Enable ULDP function on a port
Command | Explanation
Port configuration mode
uldp enable / uldp disable | Enable or disable the ULDP function on a port.
3. Configure aggressive mode globally
Command | Explanation
Global configuration mode
uldp aggressive-mode / no uldp aggressive-mode | Set the global working mode.
4. Configure aggressive mode on a port
Command | Explanation
Port configuration mode
uldp aggressive-mode / no uldp aggressive-mode | Set the working mode of the port.
5.
default.
8. Reset the ports shut down by ULDP
Command | Explanation
Global configuration mode or port configuration mode
uldp reset | Reset all ports in global configuration mode; reset the specified port in port configuration mode.
9. Display and debug ULDP information
Command | Explanation
Admin mode
show uldp [interface ethernet IFNAME] | Display ULDP information.
debug uldp fsm interface ethernet / no debug uldp fsm interface ethernet | Enable or disable ULDP state machine debugging on the port.
7.3 ULDP Function Typical Examples
Figure: Fiber cross connection between Switch A (g1/1, g1/2) and Switch B (g1/3, g1/4), with PC1 and PC2 as consoles
In the network topology in the figure, ports g1/1 and g1/2 of SWITCH A and ports g1/3 and g1/4 of SWITCH B are all fiber ports, and the connection is a cross connection. The physical layer is connected and works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of link error state.
down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/2 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/2 shutted down!
Ports g1/3 and g1/4 of SWITCH B are likewise shut down by ULDP, and the notification is shown on the CRT terminal of PC2.
errors and messages. Different types of message information can also be printed according to different parameters. The recovery timer is disabled by default and is only enabled when the user has configured a recovery time (30-86400 seconds). The reset command and the reset mechanism can only reset ports that were automatically shut down by ULDP. Ports shut down manually by users or by other modules will not be reset by ULDP.
Chapter 8 LLDP Function Operation Configuration
8.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a protocol defined in IEEE 802.1AB. It enables neighbor devices to advertise their own state to other devices, and enables every port of every device to store information about its neighbors. If necessary, the ports can also send updated information to the directly connected neighbor devices, and those neighbor devices store the information in standard SNMP MIBs.
Layer 2 discovery covers information such as which devices have which ports, which switches connect to which other devices, and so on; it can also show the paths between clients, switches, routers, application servers and network servers. Such details are very useful for planning and for investigating the source of network failures. LLDP is a useful management tool, providing accurate information about the network topology, flow data and network problems. The same advertisements also tell any directly connected device what the switch is and what it can do, so on ports facing untrusted equipment the port should be set to receive-only or LLDP disabled (see the lldp mode command below).
8.
lldp mode (send|receive|both|disable): Configure the operating state of LLDP on the port.
4. Configure the interval of LLDP update messages (Global Mode)
lldp tx-interval / no lldp tx-interval: Configure the interval of LLDP update messages to the specified value, or restore the default value.
5.
[sysCap] / no lldp transmit optional tlv
10. Configure the size of the space used to store the Remote Table of the port (Port Configuration Mode)
lldp neighbors max-num <value> / no lldp neighbors max-num: Configure the size of the space used to store the Remote Table of the port to the specified value, or restore the default value.
11.
8.3 LLDP Function Typical Example
[Figure: LLDP Function Typical Configuration Example]
In the network topology shown above, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A. Port 1 of SWITCH B is configured in message-receiving-only mode, and the optional TLVs of port 4 of SWITCH A are configured as portDes and sysCap.
Chapter 9 Port Channel Configuration
9.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in the Port Group can take part in link aggregation and become member ports of a Port Channel. Logically, a Port Group is not a port but a port sequence.
All ports are in full-duplex mode.
All ports are of the same speed.
All ports are Access ports and belong to the same VLAN, or are all Trunk ports, or are all Hybrid ports. If the ports are all Trunk ports or Hybrid ports, their “Allowed VLAN” and “Native VLAN” properties must also be the same.
If a Port Channel is configured manually or dynamically on the switch, the system automatically sets the port with the smallest number as the Master Port of the Port Channel.
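The membership conditions above are easy to get wrong on a large port group, so here is an added consistency check written for this page (it is not the switch's own code). It models the rules just listed (full duplex, equal speed, one port mode, same VLAN for Access members, same Allowed and Native VLAN for Trunk/Hybrid members) and the Master Port rule. The Port model and the sample groups are constructed for the example.

```python
"""Member-port consistency check before link aggregation.

Added illustration, not code from the switch manual. The Port model and
the sample groups are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int                 # e.g. 3 for ethernet 1/3
    duplex: str                 # "full" or "half"
    speed_mbps: int
    mode: str                   # "access", "trunk" or "hybrid"
    vlan: int = 1               # access VLAN (access mode only)
    native_vlan: int = 1        # PVID (trunk/hybrid only)
    allowed_vlans: frozenset = frozenset()   # trunk/hybrid only


def aggregation_errors(ports):
    """Return the reasons why the ports cannot form one Port Channel.

    An empty list means the group is consistent.
    """
    errors = []
    if not ports:
        return ["port group has no member ports"]
    for p in ports:
        if p.duplex != "full":
            errors.append(f"port {p.number} is not full-duplex")
    speeds = {p.speed_mbps for p in ports}
    if len(speeds) > 1:
        errors.append(f"member speeds differ: {sorted(speeds)}")
    modes = {p.mode for p in ports}
    if len(modes) > 1:
        errors.append(f"member port modes differ: {sorted(modes)}")
        return errors   # VLAN checks are meaningless across modes
    mode = modes.pop()
    if mode == "access":
        vlans = {p.vlan for p in ports}
        if len(vlans) > 1:
            errors.append(f"access members belong to different VLANs: {sorted(vlans)}")
    else:   # trunk or hybrid: Allowed VLAN and Native VLAN must match
        natives = {p.native_vlan for p in ports}
        if len(natives) > 1:
            errors.append(f"native VLANs differ: {sorted(natives)}")
        allowed = {p.allowed_vlans for p in ports}
        if len(allowed) > 1:
            errors.append("allowed VLAN lists differ")
    return errors


def master_port(ports):
    """The Master Port is the member with the smallest port number."""
    if aggregation_errors(ports):
        raise ValueError("port group is not consistent")
    return min(p.number for p in ports)


# Constructed sample: four trunk members, then one with a different native VLAN
GOOD_GROUP = [
    Port(n, "full", 1000, "trunk", native_vlan=1, allowed_vlans=frozenset({10, 20}))
    for n in (4, 1, 2, 3)
]
BAD_GROUP = GOOD_GROUP[:3] + [
    Port(7, "full", 1000, "trunk", native_vlan=99, allowed_vlans=frozenset({10, 20}))
]

if __name__ == "__main__":
    print("good group errors:", aggregation_errors(GOOD_GROUP))
    print("master port:", master_port(GOOD_GROUP))
    print("bad group errors:", aggregation_errors(BAD_GROUP))
```

Running the script reports no errors for the first group, selects port 1 as Master Port, and rejects the second group because of the mismatched Native VLAN.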
9.2.1 Static LACP Aggregation
Static LACP aggregation is enforced by the user's configuration and does not run the LACP protocol. When configuring static LACP aggregation, use the “on” mode to force the port into the aggregation group.
9.2.2 Dynamic LACP Aggregation
1. Summary of dynamic LACP aggregation
Dynamic LACP aggregation is an aggregation created or deleted automatically by the system; the user is not allowed to add or delete member ports of a dynamic LACP aggregation.
4. Set the load-balance method for the Port-group
5. Set the system priority of the LACP protocol
6. Set the port priority of the current port in the LACP protocol
7. Set the timeout mode of the current port in the LACP protocol
1. Creating a port group (Global Mode)
port-group / no port-group: Create or delete a port group.
2.
6. Set the port priority of the current port in the LACP protocol (Port mode)
lacp port-priority / no lacp port-priority: Set the port priority in the LACP protocol. The no command restores the default value.
7. Set the timeout mode of the current port in the LACP protocol (Port mode)
lacp timeout {short | long} / no lacp timeout: Set the timeout mode in the LACP protocol. The no command restores the default value.
9.
Switch1(config)#interface port-channel 1
Switch1(Config-If-Port-Channel1)#
Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/6
Switch2(Config-If-Ethernet1/6)#port-group 2 mode passive
Switch2(Config-If-Ethernet1/6)#exit
Switch2(config)#interface ethernet 1/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode passive
Switch2(Config-If-Port-Range)#exit
Switch2(config)#interface port-channel 2
Switch2(Config-If-Port-Channel2)#
Configuration result: the shell prompts that the ports have been aggregated
Switch1(Config-If-Ethernet1/2)#port-group 1 mode on
Switch1(Config-If-Ethernet1/2)#exit
Switch1(config)#interface ethernet 1/3
Switch1(Config-If-Ethernet1/3)#port-group 1 mode on
Switch1(Config-If-Ethernet1/3)#exit
Switch1(config)#interface ethernet 1/4
Switch1(Config-If-Ethernet1/4)#port-group 1 mode on
Switch1(Config-If-Ethernet1/4)#exit
Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/6
Switch2(Config-If-Ethernet1/6)#port-group 2 mode on
Switch2(Config-If-Ethernet1/6)#exit
Chapter 10 Jumbo Configuration
10.1 Introduction to Jumbo
So far the Jumbo frame has no settled industry standard (covering both the format and the length of the frame). Normally frames between 1519 and 9000 bytes in size are considered jumbo frames. Networks using jumbo frames increase the speed of the whole network by 2% to 5%. Technically, a Jumbo frame is just a lengthened frame sent and received by the switch. However, because of their length, Jumbo frames are not sent to the CPU.
Chapter 11 EFM OAM Configuration
11.1 Introduction to EFM OAM
Ethernet was originally designed for Local Area Networks, but link lengths and network scope have expanded rapidly as Ethernet has also been applied to Metropolitan Area Networks and Wide Area Networks. The lack of an effective management mechanism has hindered the application of Ethernet to Metropolitan and Wide Area Networks, so implementing OAM on Ethernet has become a necessary development trend.
1. Ethernet OAM connection establishment
An Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs. EFM OAM can operate in two modes: active mode and passive mode. A session can only be initiated by an OAM entity working in active mode; entities working in passive mode wait until they receive a connection request.
connections, an Ethernet OAM entity can inform its OAM peer of link faults through Information OAMPDUs, so the network administrator can keep track of the link status in time through the log information and troubleshoot promptly. Information OAMPDUs carry three kinds of link faults: Critical Event, Dying Gasp and Link Fault. Their definitions differ between manufacturers; here they are defined as follows:
Critical Event: the EFM OAM function of the port is disabled.
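To make the two points above concrete (only an active-mode entity can initiate a session, and link faults travel as flag bits in Information OAMPDUs), here is an added Python model; it is not the switch's implementation. The Flags bit positions follow IEEE 802.3 clause 57 as I know it (Link Fault = bit 0, Dying Gasp = bit 1, Critical Event = bit 2); the OAMPDU bytes and port names are constructed for the example.

```python
"""EFM OAM discovery rule and fault flags, modelled in Python.

Added example, not the switch's code. Flags bit layout follows IEEE 802.3
clause 57; the PDUs built here are constructed samples.
"""
import struct

SLOW_PROTOCOL_SUBTYPE_OAM = 0x03
CODE_INFORMATION = 0x00

FAULT_FLAGS = {          # bit -> fault name as used in the text above
    0: "Link Fault",
    1: "Dying Gasp",
    2: "Critical Event",
}


def build_information_oampdu(flags):
    """Minimal OAMPDU header: subtype(1) flags(2) code(1); TLVs omitted."""
    return struct.pack("!BHB", SLOW_PROTOCOL_SUBTYPE_OAM, flags, CODE_INFORMATION)


def parse_faults(oampdu):
    """Return the list of link faults signalled by an Information OAMPDU."""
    if len(oampdu) < 4:
        raise ValueError("truncated OAMPDU")
    subtype, flags, code = struct.unpack("!BHB", oampdu[:4])
    if subtype != SLOW_PROTOCOL_SUBTYPE_OAM or code != CODE_INFORMATION:
        raise ValueError("not an Information OAMPDU")
    return [name for bit, name in FAULT_FLAGS.items() if flags & (1 << bit)]


def can_establish_session(local_mode, peer_mode):
    """Discovery succeeds only if at least one side is in active mode."""
    for m in (local_mode, peer_mode):
        if m not in ("active", "passive"):
            raise ValueError(f"unknown OAM mode {m!r}")
    return "active" in (local_mode, peer_mode)


def log_for(oampdu, port):
    """Produce the kind of log line an administrator would watch for."""
    faults = parse_faults(oampdu)
    if not faults:
        return f"{port}: link ok"
    return f"{port}: remote failure reported: {', '.join(faults)}"


if __name__ == "__main__":
    pdu = build_information_oampdu((1 << 1) | (1 << 2))   # Dying Gasp + Critical Event
    print(log_for(pdu, "Ethernet1/1"))
    print("active/passive:", can_establish_session("active", "passive"))
    print("passive/passive:", can_establish_session("passive", "passive"))
```

Two passive-mode ports facing each other never form a session, which is the first thing to check when "ethernet-oam mode passive" is configured on both ends of a link.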
[Figure: Typical OAM application topology: Customer CE, Service Provider PE, 802.3ah Ethernet in the First Mile, 802.1ah OAMPDU]
11.2 EFM OAM Configuration
EFM OAM configuration task list:
1. Enable the EFM OAM function of the port
2. Configure link monitor
3. Configure remote failure
Note: OAM must be enabled before configuring OAM parameters.
1. Enable the EFM OAM function of the port (Port mode)
ethernet-oam mode {active | passive}: Configure the work mode of EFM OAM; the default is active mode.
2. Configure link monitor (Port mode)
ethernet-oam link-monitor / no ethernet-oam link-monitor: Enable link monitor of EFM OAM; the no command disables link monitor.
ethernet-oam errored-symbol-period {threshold low | window } / no ethernet-oam errored-symbol-period {threshold low | window }: Configure the low threshold and window period of the errored symbol period event; the no command restores the default value.
3. Configure remote failure (Port mode)
ethernet-oam remote-failure / no ethernet-oam remote-failure: Enable remote failure detection of EFM OAM (failure means a critical-event or link-fault event on the local side); the no command disables the function. (optional)
ethernet-oam errored-symbol-period threshold high {high-symbols | none} / no ethernet-oam errored-symbol-period threshold high: Configure the high threshold of the errored symbol period event; the no command restores the default value.
11.3 EFM OAM Example
Example: CE and PE devices on a point-to-point link enable EFM OAM to monitor “the First Mile” link performance. Log information is reported to the network management system when a fault event occurs, and the remote loopback function is used to test the link when necessary.
[Figure: Ethernet 1/1, Ethernet 1/1, CE, 802.]
Ensure that the SNMP configuration is correct, otherwise errored events cannot be reported to the network management system.
The link does not communicate normally in OAM loopback mode, so remote loopback should be cancelled promptly after the link performance has been tested.
Ensure that the board in use supports the remote loopback function.
STP, MRPP, ULPP, Flow Control and loopback detection should not be configured on a port after it enables OAM loopback, because OAM remote loopback and these functions are mutually exclusive.
Chapter 12 PORT SECURITY
12.1 Introduction to PORT SECURITY
Port security is a MAC address-based security mechanism for network access control. It is an extension of the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of received frames, and access to unauthorized devices by checking the destination MAC address of sent frames.
belongs to this interface in the MAC address table, or a MAC address is configured on several interfaces in the same VLAN, both cases violate the security of the MAC address.
switchport port-security aging {static | time | type {absolute | inactivity}} / no switchport port-security aging: Enable port-security aging of entries on the interface, and specify the aging time or aging type.
Switch(config-if-ethernet1/1)#switchport port-security maximum 10
Switch(config-if-ethernet1/1)#exit
Switch(config)#
12.4 PORT SECURITY Troubleshooting
If problems occur when configuring PORT SECURITY, please check whether the problem is caused by the following reasons:
Check whether PORT SECURITY is enabled normally.
Check whether a valid maximum number of MAC addresses is configured.
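The chapter describes port security in terms of a bounded secure-MAC set per port, ingress and egress MAC checks, a violation when a MAC already belongs to another port in the same VLAN, and entry ageing. The following Python class is an added model of that behaviour for this page, not the switch's code; the class, port names and MAC addresses are constructed, and timestamps are passed in explicitly so the ageing step is deterministic.

```python
"""Port security as a per-port secure-MAC table, modelled in Python.

Added example, not the switch's implementation. Ports, MACs and times are
constructed sample values.
"""
import time


class PortSecurity:
    def __init__(self, maximum=1, aging_seconds=None):
        self.maximum = maximum              # secure MACs allowed per port
        self.aging_seconds = aging_seconds  # None: entries never age (static)
        # (vlan, mac) -> {"port": port, "seen": last-activity timestamp}
        self.secure = {}
        self.violations = []                # (port, mac, reason)

    def _port_entries(self, port):
        return {k for k, v in self.secure.items() if v["port"] == port}

    def ingress(self, port, vlan, src_mac, now=None):
        """Check the source MAC of a received frame; True if allowed."""
        now = time.time() if now is None else now
        self.age_out(now)
        key = (vlan, src_mac)
        owner = self.secure.get(key)
        if owner is not None:
            if owner["port"] != port:
                # same MAC already secured on another port in this VLAN
                self.violations.append((port, src_mac, "mac owned by " + owner["port"]))
                return False
            owner["seen"] = now             # refresh the inactivity timer
            return True
        if len(self._port_entries(port)) >= self.maximum:
            self.violations.append((port, src_mac, "maximum exceeded"))
            return False
        self.secure[key] = {"port": port, "seen": now}
        return True

    def egress(self, port, vlan, dst_mac):
        """A unicast frame may leave only toward a MAC secured on that port."""
        owner = self.secure.get((vlan, dst_mac))
        return owner is not None and owner["port"] == port

    def age_out(self, now):
        """Inactivity ageing: drop entries idle longer than aging_seconds."""
        if self.aging_seconds is None:
            return
        expired = [k for k, v in self.secure.items()
                   if now - v["seen"] > self.aging_seconds]
        for k in expired:
            del self.secure[k]


if __name__ == "__main__":
    ps = PortSecurity(maximum=2, aging_seconds=300)
    print(ps.ingress("eth1/1", 1, "00-01-11-11-11-11", now=0))   # True
    print(ps.ingress("eth1/1", 1, "00-01-22-22-22-22", now=1))   # True
    print(ps.ingress("eth1/1", 1, "00-01-33-33-33-33", now=2))   # False: maximum
    print(ps.ingress("eth1/2", 1, "00-01-11-11-11-11", now=3))   # False: owned by eth1/1
    print(ps.violations)
```

The second violation is the case the table above describes: the same MAC appearing on a second interface of the same VLAN, which is what a port-security log or trap should surface for investigation.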
Chapter 13 DDM Configuration
13.1 Introduction to DDM
13.1.1 Brief Introduction to DDM
DDM (Digital Diagnostic Monitor) implements the detailed digital diagnostic function standardized in the SFF-8472 MSA. It specifies that parameter signals are monitored and digitized on the circuit board inside the module.
Compatibility verification is used to analyze whether the environment of the module conforms to the data sheet or is compatible with the corresponding standard, because the module's capability can only be guaranteed in a compatible environment. Sometimes environment parameters exceed the data sheet or the corresponding standard, which degrades the module's capability and results in transmission errors.
after processing the abnormality information; here the user is able to see the abnormality information and restart the monitoring.
13.2 DDM Configuration Task List
DDM configuration task list:
1. Show the real-time monitoring information of the transceiver
2. Configure the alarm or warning thresholds of each parameter of the transceiver
3.
(2) Configure the enable state of transceiver monitoring (Port mode)
Set whether transceiver monitoring is enabled. Only when the port enables transceiver monitoring does the system record the abnormality state. After the port disables the function, the abnormality information is cleared.
1/23 33 5.00 (W+) 6.11 -20.54(W-) -6.02
b. Show the information of the specified interface (N/A means no fiber module is inserted or the fiber module is not supported), for example:
Switch#show transceiver interface ethernet 1/21-22;23
Interface Temp (°C) Voltage (V) Bias (mA) RX Power (dBM) TX Power (dBM)
1/21 33 3.31 6.11 -30.54(A-) -6.01
1/22 N/A N/A N/A N/A N/A
1/23 33 5.00 (W+) 6.11 -20.54(W-) -6.
Detail diagnostic and threshold information: N/A
Example 2: Ethernet 1/21 has a fiber module with DDM inserted. Configure the thresholds of the fiber module after showing the DDM information.
Step 1: Show the detailed DDM information.
Voltage high
RX power low
TX power low
Detail diagnostic and threshold information:
Diagnostic Threshold: Realtime Value | High Alarm | Low Alarm | High Warn | Low Warn
Temperature (°C): 33 | 70 | 0 | 70 | 0
Voltage (V): 7.31(A+) | 5.00 | 0.00 | 5.00 | 0.00
Bias current (mA): 6.11(W+) | 10.30 | 0.00 | 5.00 | 0.00
RX Power (dBM): -30.54(A-) | 9.00 | -25.00 | 9.00 | -25.00
TX Power (dBM): -13.01(A-) | 9.00 | -12.00(-25.00) | 9.00 | -10.00(-25.
Brief alarm information:
RX loss of signal
RX power low
Detail diagnostic and threshold information:
Diagnostic Threshold: Realtime Value | High Alarm | Low Alarm | High Warn | Low Warn
Temperature (°C): 33 | 70 | 0 | 70 | 0
Voltage (V): 7.31 | 10.00 | 0.00 | 5.00 | 0.00
Bias current (mA): 3.11 | 10.30 | 0.00 | 5.00 | 0.00
RX Power (dBM): -30.54(A-) | 9.00 | -25.00 | 9.00 | -25.00(-34)
TX Power (dBM): -1.01 | 9.00 | -10.00 | 9.00 | -12.
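The A+/A-/W+/W- markers in the show transceiver output above are the result of comparing each real-time value against its four thresholds. The following Python block is an added illustration of that evaluation for this page (it is not the switch's code): it classifies each parameter, reproduces the N/A case for a missing module, and derives a brief alarm list like the CLI's "Brief alarm information". The threshold and reading values are constructed for the example, in the style of the output above, not read from a real module.

```python
"""DDM threshold evaluation, modelled in Python.

Added example, not the switch's implementation. Thresholds and readings
below are constructed sample values.
"""


def classify(value, high_alarm, low_alarm, high_warn, low_warn):
    """Return the flag the CLI appends to a real-time value."""
    if value is None:
        return "N/A"
    if value > high_alarm:
        return "A+"
    if value < low_alarm:
        return "A-"
    if value > high_warn:
        return "W+"
    if value < low_warn:
        return "W-"
    return ""


def evaluate(readings, thresholds):
    """readings: {param: value}; thresholds: {param: (ha, la, hw, lw)}.

    Returns ({param: (value, flag)}, brief alarm list). Only alarm-level
    crossings go into the brief list; warnings stay in the detail table.
    """
    result, brief = {}, []
    for param, value in readings.items():
        flag = classify(value, *thresholds[param])
        result[param] = (value, flag)
        if flag in ("A+", "A-"):
            brief.append(f"{param} {'high' if flag == 'A+' else 'low'}")
    return result, brief


# Constructed thresholds: (high alarm, low alarm, high warn, low warn)
THRESHOLDS = {
    "Temperature": (70.0, 0.0, 70.0, 0.0),
    "Voltage":     (5.00, 0.00, 5.00, 0.00),
    "Bias":        (10.30, 0.00, 5.00, 0.00),
    "RX Power":    (9.00, -25.00, 9.00, -25.00),
    "TX Power":    (9.00, -12.00, 9.00, -10.00),
}

# Constructed readings, in the style of the interface 1/21 output above
READINGS = {
    "Temperature": 33.0,
    "Voltage": 7.31,
    "Bias": 6.11,
    "RX Power": -30.54,
    "TX Power": -13.01,
}

if __name__ == "__main__":
    table, brief = evaluate(READINGS, THRESHOLDS)
    for param, (value, flag) in table.items():
        print(f"{param:12} {value:8.2f}{flag}")
    print("Brief alarm information:", "; ".join(brief))
```

A monitoring pipeline that polls DDM data can apply the same classification and raise on the alarm-level flags only, leaving warning-level drift for trend analysis.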
Chapter 14 LLDP-MED
14.1 Introduction to LLDP-MED
LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on the IEEE 802.1AB LLDP (Link Layer Discovery Protocol). LLDP provides a standard link layer discovery method: it sends local device information (including its major capabilities, management IP address, device ID and port ID) as TLV (type/length/value) triplets in LLDPDUs (Link Layer Discovery Protocol Data Units) to directly connected neighbors.
no lldp transmit med tlv inventory: Inventory Management TLVs; the no command disables the capability.
network policy {voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling} [status {enable | disable}] [tag {tagged | untagged}] [vid { | dot1p}] [cos ] [dscp ] / no network policy {voice | voice-signaling | : Configure the network policy, including the application type and so on.
Admin mode:
show lldp: Show the configuration of global LLDP and LLDP-MED.
show lldp [interface ethernet ]: Show the configuration of LLDP and LLDP-MED on the current port.
show lldp neighbors [interface ethernet ]: Show the LLDP and LLDP-MED configuration of the neighbors.
14.
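To show what the "network policy" command above actually puts on the wire, here is an added Python encoder and decoder for the LLDP-MED Network Policy TLV; it is not the switch's code. The layout is the one I know from the TIA-1057 specification: an organizationally specific LLDP TLV (type 127) carrying the TIA OUI 00-12-BB, subtype 2, then one byte of application type and 24 bits packing the U and T flags, a reserved bit, the 12-bit VLAN ID, the 3-bit L2 priority and the 6-bit DSCP. The sample policy is the one in the manual's Switch B listing (voice, tagged, VID 10, CoS 4).

```python
"""Encoding and decoding of an LLDP-MED Network Policy TLV.

Added example, not the switch's code. Field layout per TIA-1057 as I know
it; the sample values are those of the manual's configuration example.
"""
import struct

TLV_TYPE_ORG_SPECIFIC = 127
MED_OUI = b"\x00\x12\xbb"
MED_SUBTYPE_NETWORK_POLICY = 2

APPLICATION_TYPES = {
    "voice": 1, "voice-signaling": 2, "guest-voice": 3,
    "guest-voice-signaling": 4, "softphone-voice": 5,
    "video-conferencing": 6, "streaming-video": 7, "video-signaling": 8,
}
APP_NAMES = {v: k for k, v in APPLICATION_TYPES.items()}


def encode_network_policy(app, tagged, vid=0, cos=0, dscp=0, unknown=False):
    """Return the full TLV: 2-byte header + 8-byte information string."""
    if not 0 <= vid <= 4095 or not 0 <= cos <= 7 or not 0 <= dscp <= 63:
        raise ValueError("field out of range")
    app_type = APPLICATION_TYPES[app]
    # U(1) T(1) X(1 reserved) VLAN(12) L2 priority(3) DSCP(6) = 24 bits
    bits = (int(unknown) << 23) | (int(tagged) << 22) | (vid << 9) | (cos << 6) | dscp
    info = MED_OUI + bytes([MED_SUBTYPE_NETWORK_POLICY, app_type]) + bits.to_bytes(3, "big")
    header = (TLV_TYPE_ORG_SPECIFIC << 9) | len(info)     # type(7) | length(9)
    return struct.pack("!H", header) + info


def decode_network_policy(tlv):
    """Parse a Network Policy TLV; raise on anything else."""
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    info = tlv[2:2 + length]
    if tlv_type != TLV_TYPE_ORG_SPECIFIC or len(info) != length:
        raise ValueError("not a well-formed organizationally specific TLV")
    if info[:3] != MED_OUI or info[3] != MED_SUBTYPE_NETWORK_POLICY or length != 8:
        raise ValueError("not an LL DP-MED Network Policy TLV".replace("LL DP", "LLDP"))
    app_type = info[4]
    bits = int.from_bytes(info[5:8], "big")
    return {
        "application": APP_NAMES.get(app_type, f"reserved({app_type})"),
        "unknown": bool((bits >> 23) & 1),
        "tagged": bool((bits >> 22) & 1),
        "vid": (bits >> 9) & 0xFFF,
        "cos": (bits >> 6) & 0x7,
        "dscp": bits & 0x3F,
    }


if __name__ == "__main__":
    tlv = encode_network_policy("voice", tagged=True, vid=10, cos=4)
    print(tlv.hex())          # fe080012bb0201401500
    print(decode_network_policy(tlv))
```

A decoder like this is also what a network monitoring tool uses to verify that the policy a switch advertises matches the VLAN and priority the voice VLAN design expects.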
SwitchB(Config-If-Ethernet1/1)#lldp enable
SwitchB(Config-If-Ethernet1/1)#lldp mode both
SwitchB(Config-If-Ethernet1/1)#lldp transmit med tlv capability
SwitchB(Config-If-Ethernet1/1)#lldp transmit med tlv network policy
SwitchB(Config-If-Ethernet1/1)#lldp transmit med tlv inventory
SwitchB(Config-If-Ethernet1/1)#network policy voice tag tagged vid 10 cos 4
3) Verify the configuration
# Show the global status and interface status on Switch A.
Firmware Revision:4.0.1 Software Revision:6.2.30.0 Serial Number: Manufacturer Name:**** Model Name:Unknown Assert ID:Unknown IEEE 802.
14.4 LLDP-MED Troubleshooting
If problems occur when configuring LLDP-MED, please check whether the problem is caused by the following reasons:
Check whether global LLDP is enabled.
A network connection device sends LLDP-MED TLVs only after it has received LLDP packets carrying LLDP-MED TLVs from the neighboring MED device.
Chapter 15 bpdu-tunnel Configuration
15.1 Introduction to bpdu-tunnel
BPDU Tunnel is a Layer 2 tunnel technology. It allows Layer 2 protocol packets of geographically dispersed private network users to be transparently transmitted over specific tunnels across a service provider network.
15.1.1 bpdu-tunnel function
In MAN applications, multiple branches of a corporation may connect to each other through the service provider network.
[Figure: BPDU Tunnel application]
15.2 bpdu-tunnel Configuration Task List
bpdu-tunnel configuration task list:
1. Configure the tunnel MAC address globally
2. Configure the port to support the tunnel
1. Configure the tunnel MAC address globally (Global mode)
bpdu-tunnel dmac / no bpdu-tunnel dmac: Configure or cancel the tunnel MAC address globally.
2.
[Figure: BPDU Tunnel application environment]
With BPDU Tunnel, Layer 2 protocol packets from users' networks can be passed through the service provider network in the following work flow:
1. After receiving a Layer 2 protocol packet from network 1 of user A, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network.
2.
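The work flow above can be followed frame by frame. The Python block below is an added illustration for this page, not the switch's implementation: the ingress PE rewrites the destination MAC of a customer STP BPDU to the configured tunnel multicast MAC (the value set with "bpdu-tunnel dmac"), the core forwards it as an ordinary multicast frame, and the egress PE restores the protocol MAC. Since the tunnelled frame carries no copy of the original address, the restore step here recognises the protocol from the LLC header; that is a simplification assumed for the example. The tunnel MAC and the BPDU bytes are constructed; 01:80:C2:00:00:00 is the IEEE STP address.

```python
"""BPDU tunnelling on provider-edge ports, modelled in Python.

Added example, not the switch's code. Protocol recognition by LLC header
is an assumption of this model; TUNNEL_DMAC and the BPDU are constructed.
"""
STP_DMAC = bytes.fromhex("0180c2000000")
LLC_STP = b"\x42\x42\x03"          # DSAP/SSAP 0x42, UI control field

# Constructed tunnel multicast MAC (multicast bit set in the first byte)
TUNNEL_DMAC = bytes.fromhex("010f000f0001")


def parse(frame):
    if len(frame) < 14:
        raise ValueError("runt frame")
    return frame[0:6], frame[6:12], frame[12:14], frame[14:]


def is_customer_bpdu(frame):
    dst, _, _, payload = parse(frame)
    return dst == STP_DMAC and payload.startswith(LLC_STP)


def pe_ingress(frame, tunnel_dmac=TUNNEL_DMAC):
    """Customer-facing PE port: tunnel BPDUs, pass other frames unchanged."""
    if (tunnel_dmac[0] & 1) == 0:
        raise ValueError("tunnel MAC must be a multicast address")
    if not is_customer_bpdu(frame):
        return frame
    return tunnel_dmac + frame[6:]


def pe_egress(frame, tunnel_dmac=TUNNEL_DMAC):
    """Remote PE: restore the protocol MAC so the customer switch sees a BPDU."""
    dst, _, _, payload = parse(frame)
    if dst != tunnel_dmac:
        return frame
    if payload.startswith(LLC_STP):
        return STP_DMAC + frame[6:]
    raise ValueError("tunnelled frame with unrecognised protocol")


# Constructed STP configuration BPDU from a customer switch (38-byte LLC payload)
CUSTOMER_BPDU = (STP_DMAC + bytes.fromhex("00aa11bb22cc") + b"\x00\x26"
                 + LLC_STP + b"\x00\x00\x00\x00" + bytes(31))

# Constructed ordinary unicast IPv4 frame, which must pass through untouched
DATA_FRAME = bytes.fromhex("00aa11bb22dd") + bytes.fromhex("00aa11bb22cc") + b"\x08\x00" + bytes(46)


def round_trip(frame):
    return pe_egress(pe_ingress(frame))


if __name__ == "__main__":
    tunnelled = pe_ingress(CUSTOMER_BPDU)
    print("provider core sees dst", tunnelled[:6].hex())
    print("restored identical:", round_trip(CUSTOMER_BPDU) == CUSTOMER_BPDU)
```

The multicast-bit check on the tunnel MAC reflects the purpose of the rewrite: the provider core must treat the frame as plain multicast data, never as a BPDU addressed to itself.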
Chapter 16 VLAN Configuration
16.1 VLAN Configuration
16.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
Simplifying network management
Lowering network cost
Enhancing network security
Switch Ethernet ports can work in three modes: Access, Hybrid and Trunk; each mode handles tagged and untagged packets differently when forwarding. Access ports belong to only one VLAN and are usually used to connect computers. Trunk ports allow multiple VLANs to pass and can receive and send packets of multiple VLANs.
2. Set or delete the VLAN name (VLAN Mode)
name / no name: Set or delete the VLAN name.
3. Assign switch ports to the VLAN (VLAN Mode)
switchport interface / no switchport interface: Assign switch ports to the VLAN.
4. Set the switch port type (Port Mode)
switchport mode {trunk | access | hybrid}: Set the current port as a Trunk, Access or Hybrid port.
5.
7. Set Hybrid port (Port Mode)
switchport hybrid allowed vlan {WORD | all | add WORD | except WORD | remove WORD} {tag | untag} / no switchport hybrid allowed vlan: Set or delete the VLANs allowed on the Hybrid port in tag or untag mode.
switchport hybrid native vlan / no switchport hybrid native vlan: Set or delete the PVID of the port.
8. Disable/Enable VLAN Ingress Rules (Global Mode)
vlan ingress enable / no vlan ingress enable: Enable or disable VLAN ingress rules.
16.1.3 Typical VLAN Application
Scenario:
[Figure: Typical VLAN Application Topology: Switch A and Switch B joined by a Trunk Link; PCs and workstations in VLAN2, VLAN100 and VLAN200 at each switch]
The existing LAN must be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200, and they span two different locations, A and B.
Switch(Config-Vlan2)#switchport interface ethernet 1/2-4
Switch(Config-Vlan2)#exit
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/5-7
Switch(Config-Vlan100)#exit
Switch(config)#vlan 200
Switch(Config-Vlan200)#switchport interface ethernet 1/8-10
Switch(Config-Vlan200)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)#exit
Switch(config)#
Switch B:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchpor
[Figure: Typical Application of Hybrid Port: internet, Switch A, Switch B, PC1, PC2]
PC1 connects to interface Ethernet 1/7 of SwitchB, PC2 connects to interface Ethernet 1/9 of SwitchB, and Ethernet 1/10 of SwitchA connects to Ethernet 1/10 of SwitchB. It is required that PC1 and PC2 cannot access each other for security reasons, but both PC1 and PC2 can access other network resources through the gateway SwitchA. This can be implemented with Hybrid ports.
Switch(Config-Vlan10)#switchport interface ethernet 1/10
Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/7
Switch(Config-If-Ethernet1/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/7)#exit
Switch(Config)#interface Ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode hybrid
Switch(Config-If-Ethernet1/9)#switchport hybrid native vlan 9
Switc
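The Hybrid port example above works because of how each port type handles VLAN membership on ingress and egress (section 16.1.1) together with the per-VLAN tag/untag lists of Hybrid ports (task 7). The Python model below is an added illustration for this page, not the switch's code: it implements Access, Trunk and Hybrid ingress/egress rules and replays Switch B of the example, where PC1 on Ethernet1/7 (native VLAN 7, allowed 7;10 untagged) and PC2 on Ethernet1/9 (native VLAN 9, allowed 9;10 untagged) are isolated from each other but both reach the gateway through Ethernet1/10. The uplink port's settings (hybrid, native VLAN 10, allowed 7;9;10 untagged) are assumed here because the manual's listing is cut off before that port.

```python
"""Ingress and egress VLAN handling for Access/Trunk/Hybrid ports.

Added example, not the switch's implementation. The uplink port settings
for eth1/10 are an assumption (the page's listing is truncated).
"""


class Port:
    def __init__(self, name, mode, native=1, tagged=(), untagged=()):
        self.name, self.mode, self.native = name, mode, native
        self.tagged, self.untagged = set(tagged), set(untagged)
        if mode == "access":
            self.untagged = {native}      # an access port carries one VLAN, untagged

    def allowed(self):
        return self.tagged | self.untagged

    def ingress(self, vlan_tag):
        """Return the VLAN a received frame is placed in, or None to drop."""
        if vlan_tag is None:              # untagged frame -> PVID (native VLAN)
            return self.native
        if self.mode == "access":
            return None                   # access ports accept only untagged frames
        return vlan_tag if vlan_tag in self.allowed() else None

    def egress(self, vlan):
        """Return 'tagged'/'untagged' if the VLAN may leave here, else None."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return "tagged"
        return None


def forward(ports, in_port, vlan_tag):
    """Flood a frame to every other port allowed to carry its VLAN."""
    vlan = ports[in_port].ingress(vlan_tag)
    if vlan is None:
        return {}
    return {p.name: p.egress(vlan) for p in ports.values()
            if p.name != in_port and p.egress(vlan) is not None}


# Switch B of the Hybrid port example (uplink settings assumed, see above)
SWITCH_B = {p.name: p for p in [
    Port("eth1/7", "hybrid", native=7, untagged={7, 10}),
    Port("eth1/9", "hybrid", native=9, untagged={9, 10}),
    Port("eth1/10", "hybrid", native=10, untagged={7, 9, 10}),
]}

if __name__ == "__main__":
    print("PC1 ->", forward(SWITCH_B, "eth1/7", None))      # uplink only
    print("PC2 ->", forward(SWITCH_B, "eth1/9", None))      # uplink only
    print("gateway ->", forward(SWITCH_B, "eth1/10", None))  # both PCs
```

The isolation is purely a matter of asymmetric membership: VLAN 7 is allowed on eth1/7 and eth1/10 but not on eth1/9, so nothing PC1 sends can be flooded or forwarded toward PC2, while VLAN 10 traffic from the gateway is allowed out of both PC ports untagged.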
[Figure: Dot1q-tunnel based Internetworking mode: CE1 and CE2 connect to PE1 and PE2 through Trunk VLAN 200-300 on the customer port over unsymmetrical connections; the customer-facing ports on PE1 and PE2 have QinQ enabled and belong to VLAN3; PE1 and PE2 connect over Trunk connections through P in the SP networks; Customer networks1, Customer networks2]
As shown above, after being enabled on the user port, dot1q-tunnel assigns each user an SPVLAN identification (SP
16.2.2 Dot1q-tunnel Configuration
Configuration task sequence of Dot1q-Tunnel:
1. Configure the dot1q-tunnel function on the port
2. Configure the global protocol type (TPID)
1. Configure the dot1q-tunnel function on the port (Port mode)
dot1q-tunnel enable / no dot1q-tunnel enable: Enter or exit dot1q-tunnel mode on the port.
2. Configure the global protocol type (TPID) (Global mode)
dot1q-tunnel tpid {0x8100|0x9100|0x9200|<1-65535>}: Configure the global protocol type.
16.
Switch(Config-Ethernet1/1)# dot1q-tunnel enable
Switch(Config-Ethernet1/1)# exit
Switch(Config)#interface ethernet 1/10
Switch(Config-Ethernet1/10)#switchport mode trunk
Switch(Config-Ethernet1/10)#exit
Switch(config)#dot1q-tunnel tpid 0x9100
Switch(Config)#
PE2:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)# dot1q-tunnel enable
Switch(Config-Ethernet1/1)# exit
Switch(Config)#interface e
1. Configure the global or port mapping relation between the inner tag and the outer tag
2. Configure selective QinQ of the port
1. Configure the global or port mapping relation between the inner tag and the outer tag (Global/Port mode)
dot1q-tunnel selective s-vlan c-vlan / no dot1q-tunnel selective s-vlan c-vlan: Configure or delete the global or port mapping relation between the inner tag and the outer tag for selective QinQ.
2.
[Figure: Selective QinQ application]
1. Ethernet1/1 of SwitchA provides public network access for PC users, and Ethernet1/2 of SwitchA provides public network access for IP phone users. PC users belong to VLAN 100 through VLAN 200, and IP phone users belong to VLAN 201 through VLAN 300. Ethernet1/9 of SwitchA is connected to the public network.
2.
automatically tagged with the VLAN 1000 tag as the outer VLAN tag, and packets of VLAN 201 through VLAN 300 from Ethernet1/2 are automatically tagged with the VLAN 2000 tag as the outer VLAN tag on SwitchA.
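Both the plain dot1q-tunnel port (section 16.2) and selective QinQ (above) come down to pushing one service-provider tag in front of the customer's 802.1Q tag and popping it again at the far edge. The Python block below is an added illustration for this page, not the switch's code: it pushes and pops an outer tag with a configurable TPID (as set by "dot1q-tunnel tpid 0x9100" in the example) and implements the selective mapping from this section (inner 100-200 to outer 1000, inner 201-300 to outer 2000). Frames and MAC addresses are constructed.

```python
"""dot1q-tunnel and selective QinQ tag handling, modelled in Python.

Added example, not the switch's code. Frames are constructed samples;
the VLAN ranges follow the manual's selective QinQ scenario.
"""
import struct

TPID_DOT1Q = 0x8100


def push_tag(frame, vlan, tpid=TPID_DOT1Q, pcp=0):
    """Insert a VLAN tag after the source MAC (the outer tag for QinQ)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    tci = (pcp << 13) | vlan
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame, tpid=TPID_DOT1Q):
    """Remove the outermost tag; return (vlan, frame without that tag)."""
    etype, tci = struct.unpack("!HH", frame[12:16])
    if etype != tpid:
        raise ValueError(f"no tag with TPID {tpid:#06x} at the outer position")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def outer_vlan_of(frame, tpid=TPID_DOT1Q):
    """Inspect without modifying; None if the outer position is not a tag."""
    etype, tci = struct.unpack("!HH", frame[12:16])
    return (tci & 0x0FFF) if etype == tpid else None


def selective_qinq(frame, mapping, tpid=TPID_DOT1Q):
    """mapping: list of (c_vlan_low, c_vlan_high, s_vlan).

    The customer tag (TPID 0x8100) selects the outer SPVLAN from the first
    matching range. Frames whose inner VLAN matches no range are returned
    unchanged, the conservative choice for an edge port.
    """
    c_vlan = outer_vlan_of(frame, TPID_DOT1Q)
    if c_vlan is None:
        return frame
    for low, high, s_vlan in mapping:
        if low <= c_vlan <= high:
            return push_tag(frame, s_vlan, tpid)
    return frame


def customer_frame(c_vlan):
    """Constructed customer frame: dst, src, 802.1Q tag, IPv4 ethertype, padding."""
    raw = (bytes.fromhex("00aa00000001") + bytes.fromhex("00aa00000002")
           + b"\x08\x00" + bytes(46))
    return push_tag(raw, c_vlan)


MANUAL_MAPPING = [(100, 200, 1000), (201, 300, 2000)]

if __name__ == "__main__":
    # plain dot1q-tunnel port of the 16.2 example: every frame gets SPVLAN 3
    tunnelled = push_tag(customer_frame(250), 3, tpid=0x9100)
    print("dot1q-tunnel outer:", outer_vlan_of(tunnelled, 0x9100))
    # selective QinQ: the outer tag depends on the inner customer VLAN
    double = selective_qinq(customer_frame(150), MANUAL_MAPPING, tpid=0x9100)
    s_vlan, inner = pop_tag(double, 0x9100)
    print("selective outer:", s_vlan, "inner:", outer_vlan_of(inner))
```

The TPID parameter matters for interoperability: a core switch expecting 0x9100 will not recognise an outer tag written with 0x8100, and vice versa, which is why the TPID is configured globally rather than per frame.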
3. Show the related configuration of vlan-translation
1. Configure VLAN-translation on the port (Port mode)
vlan-translation enable / no vlan-translation enable: Enter or exit port VLAN-translation mode.
2. Configure the VLAN-translation relation of the port (Global/Port mode)
vlan-translation to in / no vlan-translation old-vlan-id in: Add or delete a VLAN-translation relation.
3.
[Figure: Vlan translation topology mode: CE1 (Trunk VLAN 200-300 on the customer port) and CE2 (Trunk VLAN 20 on the customer port) connect to PE1 and PE2 over Trunk connections; the ingress of the PE1 port translates VLAN20 to VLAN3 and its egress translates VLAN3 to VLAN20, and the ingress of the PE2 port translates VLAN20 to VLAN3 and its egress translates VLAN3 to VLAN20; PE1 and PE2 connect over Trunk connections through P in the SP networks; Customer networks1, Customer networks2]
Configuration Item Configuration Explanation VL
16.5 Multi-to-One VLAN Translation Configuration
16.5.1 Introduction to Multi-to-One VLAN Translation
Multi-to-One VLAN translation translates the original VLAN ID into a new VLAN ID according to the user's requirements on uplink traffic, and restores the original VLAN ID on downlink traffic. The application and configuration of Multi-to-One VLAN translation are explained in detail in this section.
16.5.2 Multi-to-One VLAN Translation Configuration
Multi-to-One VLAN translation configuration task list:
1.
Ethernet1/1 of edge switch1. Conversely, data traffic for userA, userB and userC coming from the network side is translated back into VLAN1, VLAN2 and VLAN3 respectively by Ethernet1/1 of edge switch1. In the same way, multi-to-one translation is implemented for userD, userE and userF on Ethernet1/1 of edge switch2.
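Restoring the original VLAN on the downlink is only possible if the switch remembers which user MAC came from which original VLAN, which is why the troubleshooting notes in this section require MAC learning before enabling the feature and forbid the same MAC in the original and translated VLAN. The Python class below is an added model of that mechanism for this page, not the switch's code: uplink frames are rewritten and their source MAC recorded, downlink frames are restored from that record, and the two conflict cases are rejected. The user VLANs follow the scenario above (userA/B/C in VLAN1/2/3); the translated VLAN and MAC addresses are constructed.

```python
"""Multi-to-One VLAN translation with MAC-based restoration, modelled in Python.

Added example, not the switch's implementation. Translated VLAN and MACs
are constructed sample values.
"""


class MultiToOne:
    def __init__(self, original_vlans, translated_vlan):
        if translated_vlan in original_vlans:
            raise ValueError("translated VLAN must not be one of the original VLANs")
        self.original = set(original_vlans)
        self.translated = translated_vlan
        self.mac_to_vlan = {}           # learnt on uplink: src MAC -> original VLAN

    def uplink(self, src_mac, vlan):
        """User -> network: rewrite the VLAN and remember the source MAC."""
        if vlan not in self.original:
            return vlan                   # not a translated VLAN, leave untouched
        known = self.mac_to_vlan.get(src_mac)
        if known is not None and known != vlan:
            # the same MAC in two original VLANs cannot be restored unambiguously
            raise ValueError(f"{src_mac} seen in VLAN {known} and VLAN {vlan}")
        self.mac_to_vlan[src_mac] = vlan
        return self.translated

    def downlink(self, dst_mac, vlan):
        """Network -> user: restore the original VLAN for a learnt MAC."""
        if vlan != self.translated:
            return vlan
        restored = self.mac_to_vlan.get(dst_mac)
        if restored is None:
            return None                   # MAC never learnt: cannot restore, drop
        return restored


if __name__ == "__main__":
    t = MultiToOne(original_vlans={1, 2, 3}, translated_vlan=100)
    print(t.uplink("00-1f-ce-00-00-0a", 1))      # 100
    print(t.uplink("00-1f-ce-00-00-0b", 2))      # 100
    print(t.downlink("00-1f-ce-00-00-0b", 100))  # 2
    print(t.downlink("00-1f-ce-00-00-0c", 100))  # None, never learnt
```

The None result on an unknown destination MAC is the practical reason for the note that the feature should be enabled only after MAC learning has taken place: before the table is populated, downlink traffic for those users has nowhere to go.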
16.5.4 Multi-to-One VLAN Translation Troubleshooting
Do not use it together with Dot1q-tunnel.
Do not use it together with VLAN-translation.
The same MAC address must not exist in both the original and the translated VLAN.
Check whether the hardware resources of the chip are sufficient for all clients to work normally.
Limiting MAC address learning may affect Multi-to-One VLAN Translation.
Multi-to-One VLAN Translation should be enabled after MAC learning.
16.6 Dynamic VLAN Configuration
16.6.
3. Configure the correspondence between MAC addresses and the VLAN
4. Configure the correspondence between protocols and the VLAN
1. Configure the MAC-based VLAN function on the port (Port Mode)
switchport mac-vlan enable / no switchport mac-vlan enable: Enable or disable the MAC-based VLAN function on the port.
2.
often need to move within the whole office network. It is also required to ensure that other members of the department can access the resources of VLAN 100. Assume one of the members is M, the MAC address of his PC is 00-1f-ce-11-22-33, and similar configurations are assigned to the other members.
[Figure: Dynamic VLAN: 192.168.1.100/24 pings 192.168.1.200/24, and 192.168.1.200/24 pings 192.168.1.100/24]
Dynamic VLAN Troubleshooting
16.7 GVRP Configuration
16.7.1 Introduction to GVRP
GVRP, i.e. the GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP is mainly used to establish an attribute transmission mechanism that transmits attributes, so that protocol entities can register and deregister the attribute.
switches connecting A and G. Switches A and G have VLAN100-1000 configured manually, while switches B, C, D, E and F do not. When GVRP is not enabled, A and G cannot communicate with each other, because the intermediate switches lack the relevant VLANs. However, after GVRP is enabled on all switches, its VLAN attribute transmission mechanism lets the intermediate switches register the VLANs dynamically, and the VLANs in the range VLAN100-1000 on A and G can communicate with each other.
16.7.3 Example of GVRP
GVRP application:
[Figure: Typical GVRP Application Topology: PC, Switch A, Switch B, Switch C, PC]
To enable dynamic VLAN information registration and updating among switches, the GVRP protocol must be configured on the switches. Configure GVRP on Switches A, B and C, enabling Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 on Switches A and C can communicate with each other through Switch B without static VLAN100 entries.
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)# gvrp
Switch(Config-If-Ethernet1/11)#exit
Switch B:
Switch(config)#gvrp
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport mode trunk
Switch(Config-If-Ethernet1/10)# gvrp
Switch(Config-If-Ethernet1/10)#exit
Switch(config)#interface ethernet 1/11
Sw
Chapter 17 MAC Table Configuration
17.1 Introduction to MAC Table
The MAC table is a table that identifies the mapping between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
[Figure: MAC Table dynamic learning: PC1 and PC2 on Port 5; PC3 and PC4 on Port 12; MAC addresses 00-01-11-11-11-11, 00-01-22-22-22-22, 00-01-33-33-33-33, 00-01-44-44-44-44]
The topology of the figure above: 4 PCs are connected to the switch. PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/12 of the switch. The initial MAC table contains no address mapping entries.
17.1.2 Forward or Filter
The switch forwards or filters received data frames according to the MAC table. Taking the above figure as an example, assume the switch has learnt the MAC addresses of PC1 and PC3, and the user has manually configured the mapping of PC2 and PC4 to their ports.
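The learning, forwarding and filtering behaviour described in 17.1.1 and 17.1.2 is short enough to replay in full. The Python block below is an added illustration for this page, not the switch's code: it models the dynamic-learning figure (PC1/PC2 on port 1/5, PC3/PC4 on port 1/12), floods unknown destinations, forwards known ones to a single port, filters frames whose destination sits on the receiving port, keeps static entries (PC2 and PC4, as in the text) from ageing or being overwritten, and expires dynamic entries after the aging time. The PC-to-MAC assignment follows the numbering in the figure and is an assumption; timestamps are passed in explicitly so the run is deterministic.

```python
"""MAC table learning, forwarding and filtering, modelled in Python.

Added example, not the switch's code. PC-to-MAC pairing is assumed from
the figure; timestamps are supplied by the caller.
"""


class MacTable:
    def __init__(self, aging_time=300):
        self.aging_time = aging_time      # 0 disables ageing, as in the CLI
        self.entries = {}                 # mac -> (port, learnt_at or None for static)

    def add_static(self, mac, port):
        self.entries[mac] = (port, None)

    def learn(self, src_mac, port, now):
        existing = self.entries.get(src_mac)
        if existing is not None and existing[1] is None:
            return                        # static entries are never overwritten
        self.entries[src_mac] = (port, now)

    def age(self, now):
        if self.aging_time == 0:
            return
        stale = [m for m, (_, t) in self.entries.items()
                 if t is not None and now - t > self.aging_time]
        for m in stale:
            del self.entries[m]

    def handle(self, src_mac, dst_mac, in_port, all_ports, now):
        """Return ('forward', port), ('flood', ports) or ('filter', None)."""
        self.age(now)
        self.learn(src_mac, in_port, now)
        entry = self.entries.get(dst_mac)
        if entry is None:
            return "flood", sorted(p for p in all_ports if p != in_port)
        if entry[0] == in_port:
            return "filter", None         # same segment as the sender: drop
        return "forward", entry[0]


PORTS = ["1/5", "1/12"]
PC1, PC2 = "00-01-11-11-11-11", "00-01-22-22-22-22"
PC3, PC4 = "00-01-33-33-33-33", "00-01-44-44-44-44"


def demo():
    t = MacTable(aging_time=300)
    t.add_static(PC2, "1/5")
    t.add_static(PC4, "1/12")
    return [
        t.handle(PC1, PC3, "1/5", PORTS, now=0),      # PC3 unknown: flood
        t.handle(PC3, PC1, "1/12", PORTS, now=1),     # PC1 learnt: forward to 1/5
        t.handle(PC1, PC2, "1/5", PORTS, now=2),      # PC2 on same port: filter
        t.handle(PC4, PC1, "1/12", PORTS, now=400),   # PC1 aged out: flood again
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The last step is the one to remember when reading 17.4: a host that has been quiet longer than the aging time disappears from the table, so its next inbound frame is flooded until it speaks again.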
17.2 MAC Address Table Configuration Task List
Configure the MAC address aging-time
Configure static MAC forwarding or filter entries
Clear the dynamic address table
Configure the MAC aging-time (Global Mode)
mac-address-table aging-time <0|aging-time> / no mac-address-table aging-time: Configure the MAC address aging-time.
17.3 Typical Configuration Examples
[Figure: MAC Table typical configuration example: PC1 on 1/5, PC2 on 1/7, PC3 on 1/9, PC4 on 1/11; MAC addresses 00-01-11-11-11-11, 00-01-22-22-22-22, 00-01-33-33-33-33, 00-01-44-44-44-44]
Scenario: Four PCs, as shown in the figure above, connect to ports 1/5, 1/7, 1/9 and 1/11 of the switch; all four PCs belong to the default VLAN1. As required by the network environment, dynamic learning is enabled.
The connected cable is broken.
Spanning Tree is enabled and the port is in “discarding” status; or the device has just been connected to the port and Spanning Tree is still being calculated. Wait until the Spanning Tree calculation finishes, and the port will learn the MAC address.
If none of the problems mentioned above apply, please check the switch port and contact technical support for a solution.
17.5 MAC Address Function Extension
17.5.1 MAC Address Binding
17.5.1.
learning function for the port will be disabled; the “no switchport port-security” command disables the MAC address binding function for the port and restores the MAC address learning function for the port.
2. Lock the MAC addresses for a port (Port Mode)
switchport port-security lock / no switchport port-security lock: Lock the port, after which learning of MAC addresses is disabled. The “no switchport port-security lock” command restores the function.
4. mac-notification trap configuration (Global Mode)
mac-address-table synchronizing enable / no mac-address-table synchronizing enable: Enable the monitor function for MAC addresses; if a MAC address is added or deleted, the system reports the monitored event. The no command cancels this function.
1. Configure the global snmp MAC notification
2. Configure the global MAC notification
3. Configure the interval for sending MAC notifications
4. Configure the size of the history table
5. Configure the trap type of MAC notification supported by the port
6. Show the configuration and the data of MAC notification
7. Clear the statistics of MAC notification traps
1.
(Port mode)
mac-notification {added | both | removed} / no mac-notification: Configure or cancel the trap type of MAC notification supported by the port.
6. Show the configuration and the data of MAC notification (Admin mode)
show mac-notification summary: Show the configuration and the data of MAC notification.
7.
Chapter 18 MSTP Configuration
18.1 Introduction to MSTP
MSTP (Multiple STP) is a new spanning-tree protocol based on STP and RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN consisting of the bridges running MSTP, RSTP and STP. It also calculates independent multiple spanning-tree instances (MSTIs) for each MST domain (MSTP domain).
[Figure: Example of CIST and MST Region: Root, A, B, C, D, E, F, M, MST REGION]
In the above network, if the bridges are running STP or RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run MSTP and are configured in the same MST region, MSTP treats this region as one bridge. Therefore, one port between Bridge B and the Root is blocked, and one port on Bridge D is blocked.
18.1.1.
The MSTI is only valid within its MST region. An MSTI has nothing to do with MSTIs in other MST regions. The bridges in an MST region receive the MST BPDUs of other regions through Boundary Ports; they only process CIST-related information and discard MSTI information.
18.1.2 Port Roles
The MSTP bridge assigns a port role to each port that runs MSTP.
CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port.
On top of those roles, each MSTI port has one new role: Master Port.
no spanning-tree mode
Port Mode: spanning-tree mcheck: Force the port to migrate to running MSTP.
2. Configure instance parameters (Global Mode)
spanning-tree mst priority / no spanning-tree mst priority: Set the bridge priority for the specified instance.
spanning-tree priority / no spanning-tree priority: Configure the spanning-tree priority of the switch.
Command: show
Explanation: Display the information of the current running system.
Command: instance vlan / no instance [vlan ]
Explanation: Create an instance and set the mapping between VLAN and instance.
Command: name / no name
Explanation: Set the MSTP region name.
Command: revision-level / no revision-level
Explanation: Set the MSTP region revision level.
Command: abort
Explanation: Quit MSTP region mode and return to Global mode without saving the MSTP region configuration.
non-boundary port.

6. Configure the format of MSTP packets
Command: spanning-tree format standard / spanning-tree format privacy / spanning-tree format auto / no spanning-tree format (Port Mode)
Explanation: Configure the format of the port's spanning-tree packets. standard is the format defined by IEEE, privacy is compatible with Cisco, and auto determines the format by examining the received packets.

7.
9. Configure the FLUSH mode on topology changes
Command: spanning-tree tcflush {enable | disable | protect} / no spanning-tree tcflush (Global Mode)
Explanation: enable: flush the MAC address table whenever the topology changes. disable: do not flush on topology changes. protect: flush at most once every ten seconds. The no command restores the default, which flushes on every topology change. The protect setting limits how often a stream of topology-change BPDUs, whether from a flapping link or from an attached host injecting BPDUs, can empty the forwarding table and force the switch to flood unicast traffic.
The connections among the switches are shown in the above figure. All the switches run in MSTP mode by default; their bridge priority, port priority and port path cost are all at the default values (equal).
Switch2:
Switch2(config)#vlan 20
Switch2(Config-Vlan20)#exit
Switch2(config)#vlan 30
Switch2(Config-Vlan30)#exit
Switch2(config)#vlan 40
Switch2(Config-Vlan40)#exit
Switch2(config)#vlan 50
Switch2(Config-Vlan50)#exit
Switch2(config)#spanning-tree mst configuration
Switch2(Config-Mstp-Region)#name mstp
Switch2(Config-Mstp-Region)#instance 3 vlan 20;30
Switch2(Config-Mstp-Region)#instance 4 vlan 40;50
Switch2(Config-Mstp-Region)#exit
Switch2(config)#interface e1/1-7
Switch2(Config-Port-Range)#switchport mode
Switch4:
Switch4(config)#vlan 20
Switch4(Config-Vlan20)#exit
Switch4(config)#vlan 30
Switch4(Config-Vlan30)#exit
Switch4(config)#vlan 40
Switch4(Config-Vlan40)#exit
Switch4(config)#vlan 50
Switch4(Config-Vlan50)#exit
Switch4(config)#spanning-tree mst configuration
Switch4(Config-Mstp-Region)#name mstp
Switch4(Config-Mstp-Region)#instance 3 vlan 20;30
Switch4(Config-Mstp-Region)#instance 4 vlan 40;50
Switch4(Config-Mstp-Region)#exit
Switch4(config)#interface e1/1-7
Switch4(Config-Port-Range)#switchport mode
[Figure: The Topology of Instance 0 after the MSTP Calculation (Switch1, Switch2, Switch3, Switch4; blocked ports marked X)]
[Figure: The Topology of Instance 3 after the MSTP Calculation]
[Figure: The Topology of Instance 4 after the MSTP Calculation]
+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
18.4 MSTP Troubleshooting
In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally, it cannot be enabled on the port. The MSTP parameters interact with each other, so they should meet the following conditions; otherwise MSTP may work incorrectly.
2 × (Bridge_Forward_Delay - 1.0 seconds) >= Bridge_Max_Age
Bridge_Max_Age >= 2 × (Bridge_Hello_Time + 1.
Chapter 19 QoS Configuration
19.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected traffic. QoS guarantees consistent and predictable data transfer service quality so that application requirements can be met.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet header. It occupies 6 bits, ranges from 0 to 63, and is backward compatible with IP Precedence.
MPLS TC (EXP): a field of MPLS packets indicating the service class. It has 3 bits, ranging from 0 to 7.
Internal Priority: the internal priority setting of the switch chip; its valid range depends on the chip. It is abbreviated Int-Prio or IntP.
operations for packets of different priority. A QoS-enabled switch or router can provide different bandwidth according to the packet classification information, can remark the classification information according to the configured policing policies, and may discard some low-priority packets in case of bandwidth shortage. If the devices at each hop in a network support differentiated service, an end-to-end QoS solution can be created.
[Figure: Classification process]
Policing and remarking: each packet in the classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked. Policing is performed per flow, so that different policies allocating bandwidth to the classified traffic can be configured; the bandwidth policy may be dual bucket dual color or dual bucket three color.
[Figure: Policing and Remarking process]
Queuing and scheduling: egress packets carry an internal priority and a drop precedence. The queuing operation assigns packets to different priority queues according to the internal priority, while the scheduling operation forwards packets according to the priority queue weight and the drop precedence. The following flowchart describes the operations during queuing and scheduling.
[Figure: Queuing and Scheduling process]
19.2 QoS Configuration Task List
Configure class map: set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 Flow Label to classify the data stream. Different classes of data stream will be processed with different policies.
Configure a policy map: after data stream classification, a policy map can be created to associate with the class map
created earlier and enter class mode. Then different policies (such as bandwidth limiting, priority degrading, or assigning a new DSCP value) can be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes.
Apply QoS to the ports or the VLAN interfaces: configure the trust mode for ports or bind policies to ports. A policy only takes effect on a port when it is bound to that port. The policy may also be bound to a specific VLAN.
different data streams in class mode; the no command deletes the specified class.
Command: set {ip dscp | ip precedence | internal priority | drop precedence | cos } / no set {ip dscp | ip precedence | internal priority | drop precedence | cos }
Explanation: Assign a new value (DSCP, IP precedence, internal priority, drop precedence or CoS) to the classified traffic; the no command cancels the newly assigned value.
no mls qos cos (Port mode); the no command restores the default setting.
Command: service-policy input / no service-policy input (Port mode)
Explanation: Apply a policy map to the specified port; the no command deletes the specified policy map applied to the port. Egress policy maps are not supported yet.
7. Show configuration of QoS
Command: show mls qos maps [cos-intp | dscp-intp] (Admin Mode)
Explanation: Display the configuration of QoS mapping.
Command: show class-map [] (Admin Mode)
Explanation: Display the class map information of QoS.
Command: show policy-map [] (Admin Mode)
Explanation: Display the policy map information of QoS.
Command: show mls qos {interface [] [policy | queuing] | vlan } (Admin Mode)
Explanation: Display QoS configuration information on a port or VLAN.

19.
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#policy 10000 4000 exceed-action drop
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#service-policy input p1
Configuration result: an ACL named 1 is set to match the segment 192.168.1.0.
Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.
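The two-rate, three-color policing described in 19.1 (the "dual bucket three color" policy), shown as an added worked example in Python. This is not the switch's own policer code: it implements the color-blind two-rate three-color marker of RFC 2698 over a constructed packet trace, assumes rates in bytes per second and bursts in bytes, and treats exceed-action drop as discarding only red packets while yellow packets are forwarded with a raised drop precedence.

```python
"""Two-rate three-color marker (RFC 2698, color-blind mode).
Added example, not the switch's implementation; units are an assumption."""

GREEN, YELLOW, RED = "green", "yellow", "red"


class TrTCM:
    """Two token buckets: C fills at CIR up to CBS, P fills at PIR up to PBS."""

    def __init__(self, cir, cbs, pir, pbs):
        if pir < cir:
            raise ValueError("PIR must not be lower than CIR")
        self.cir, self.cbs = float(cir), float(cbs)   # committed rate (B/s), burst (B)
        self.pir, self.pbs = float(pir), float(pbs)   # peak rate (B/s), burst (B)
        self.tc, self.tp = self.cbs, self.pbs         # both buckets start full
        self.last = 0.0                               # time of the last update

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        self.last = now

    def mark(self, size, now):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size > self.tp:            # exceeds the peak bucket: red
            return RED
        if size > self.tc:            # within PIR but above CIR: yellow, charged to P only
            self.tp -= size
            return YELLOW
        self.tp -= size               # within CIR: green, charged to both buckets
        self.tc -= size
        return GREEN


def police(policer, packets, exceed_action="drop"):
    """Apply the marker to (time, size) packets and decide forwarding.
    Red packets are dropped when exceed_action is 'drop'; yellow packets are
    forwarded (a real policer would also raise their drop precedence)."""
    results = []
    for now, size in packets:
        color = policer.mark(size, now)
        forwarded = not (color == RED and exceed_action == "drop")
        results.append((color, forwarded))
    return results


def demo():
    """Constructed trace: a burst of four 1000-byte packets at t=0, one more at t=1."""
    policer = TrTCM(cir=1000, cbs=1500, pir=2000, pbs=3000)
    packets = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]
    return police(policer, packets)


if __name__ == "__main__":
    for (color, forwarded) in demo():
        print(color, "forwarded" if forwarded else "dropped")
```

With the constructed trace the first packet of the burst is green, the next two only fit the peak bucket and are yellow, the fourth exhausts it and is red (dropped), and after one second of refill the fifth is green again.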
Chapter 20 Flow-based Redirection
20.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit data frames that meet a special condition (specified by an ACL) to another specified port. The frames meeting the same condition are called a class of flow; the ingress port of the data frames is called the source port of the redirection, and the specified egress port is called the destination port of the redirection.
Command: show flow-based-redirect {interface [ethernet |]} (Admin mode)
Explanation: Display the information of the current flow-based redirection in the system or on the port.
20.3 Flow-based Redirection Examples
Example: the user's configuration request is as follows: redirect the frames whose source IP is 192.168.1.111 received on port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received on port 1 out through port 6.
Chapter 21 Flexible QinQ Configuration
21.1 Introduction to Flexible QinQ
21.1.1 QinQ Technique
Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its central idea is to encapsulate the customer VLAN tag (CVLAN tag) inside a service provider VLAN tag (SPVLAN tag). A packet carrying two VLAN tags is transmitted through the ISP's backbone network, providing a simple Layer 2 tunnel for the customer.
3. Bind the flexible QinQ policy map to the port.

1. Configure class map
Explanation (Global mode): Create a class-map and enter class-map mode; the no command deletes the specified class-map.
port.

4. Show flexible QinQ policy map bound to the port
Command: show mls qos {interface [] (Admin mode)
Explanation: Show the flexible QinQ configuration on the port.

21.
The configuration is as follows. If the data flow of DSLAM1 enters the switch's downlink port 1:
Switch(config)#class-map c1
Switch(config-classmap-c1)#match ip dscp 10
Switch(config-classmap-c1)#exit
Switch(config)#class-map c2
Switch(config-classmap-c2)#match ip dscp 20
Switch(config-classmap-c2)#exit
Switch(config)#class-map c3
Switch(config-classmap-c3)#match ip dscp 30
Switch(config-classmap-c3)#exit
Switch(config)#policy-map p1
Switch(config-policymap-p1)#class c1
Sw
Switch(config-policymap-p1-class-c3)#exit
Switch(config-policymap-p1)#exit
Switch(config)#interface ethernet 1/1
Switch(config-if-ethernet1/1)#dot1q-tunnel enable
Switch(config-if-ethernet1/1)#service-policy p1 in
21.
Chapter 22 Layer 3 Management Configuration
The switch only supports Layer 2 forwarding, but a Layer 3 management port can be configured for the communication of all kinds of IP-based management protocols.
22.1 Layer 3 Management Interface
22.1.1 Introduction to Layer 3 Management Interface
Only one Layer 3 management interface can be created on the switch. The Layer 3 interface is not a physical interface but a virtual interface; it is built on a VLAN.
22.2 IP Configuration
22.2.1 Introduction to IPv4, IPv6
IPv4 is the current version of the global universal Internet protocol. Practice has proved that IPv4 is simple, flexible, open, stable, strong and easy to implement, while collaborating well with various protocols of the upper and lower layers. Although IPv4 has hardly changed since it was established in the 1980s, it has kept growing to the current global scale with the growth of the Internet.
entries and enhances the efficiency and expansibility of routing and data packet processing. The header design of IPv6 is more efficient than that of IPv4: it has fewer fields and drops the header checksum, which speeds up the processing of the basic IPv6 header.
22.2.2 IP Configuration
A Layer 3 interface can be configured as an IPv4 interface or an IPv6 interface.
22.2.2.1 IPv4 Address Configuration
IPv4 address configuration task list:
1. Configure the IPv4 address of the Layer 3 interface
2. Configure the default gateway
1.
Command: ipv6 address [eui-64] / no ipv6 address (Interface Configuration Mode)
Explanation: Configure an IPv6 address, including aggregatable global unicast addresses, site-local addresses and link-local addresses. The no ipv6 address command removes the IPv6 address.
(4) Delete all entries in the IPv6 neighbor table
Command: clear ipv6 neighbors (Admin Mode)
Explanation: Clear all static neighbor table entries.
22.2.3 IPv6 Troubleshooting
If the connected PC has not obtained an IPv6 address, check the RA announcement switch (it is turned off by default).
22.3 ARP
22.3.1 Introduction to ARP
ARP (Address Resolution Protocol) is mainly used to resolve IP addresses to Ethernet MAC addresses. The switch supports static ARP configuration.
22.3.
Chapter 23 ARP Scanning Prevention Function Configuration
23.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts a large number of ARP messages in the segment, which takes up a large part of the network bandwidth. It may even mount a high-volume attack on the network with fake ARP messages, bringing the network down by exhausting its bandwidth.
Configure trusted IP
Configure automatic recovery time
Display related information of debugging and ARP scanning
1. Enable the ARP Scanning Prevention function
Command: anti-arpscan enable / no anti-arpscan enable (Global configuration mode)
Explanation: Enable or disable the ARP Scanning Prevention function globally.
2.
Command: anti-arpscan recovery enable / no anti-arpscan recovery enable (Global configuration mode)
Explanation: Enable or disable the automatic recovery function.
Command: anti-arpscan recovery time / no anti-arpscan recovery time (Global configuration mode)
Explanation: Set the automatic recovery time.
Display related information of debugging and ARP scanning
Command: anti-arpscan log enable / no anti-arpscan log enable (Global configuration mode)
Explanation: Enable or disable the log function of ARP scanning prevention.
prevent ARP scanning effectively without affecting the normal operation of the system.
SWITCH A configuration task sequence:
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.
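The behaviour configured above (rate-based detection of an ARP scanner, a trusted IP that is never isolated, and automatic recovery after a configured time), shown as an added Python model rather than the switch's own code. The threshold of ten ARP packets per one-second window, keying on the source MAC address, and the constructed traffic sample are assumptions; the recovery time of 3600 seconds and the trusted address 192.168.1.100 follow the configuration above.

```python
"""Rate-based ARP scanning detector with trusted exemptions and timed recovery.
Added example modelling chapter 23; thresholds, window and per-MAC keying are
assumptions, not the switch's implementation."""
from collections import defaultdict, deque


class AntiArpScan:
    def __init__(self, threshold, window=1.0, recovery_time=3600,
                 trusted_ips=(), trusted_macs=()):
        self.threshold = threshold          # ARP packets allowed per window
        self.window = window                # seconds
        self.recovery_time = recovery_time  # seconds before an isolated host is released
        self.trusted_ips = set(trusted_ips)
        self.trusted_macs = set(trusted_macs)
        self.history = defaultdict(deque)   # src MAC -> recent packet timestamps
        self.isolated = {}                  # src MAC -> release time

    def observe(self, ts, src_mac, src_ip):
        """Return the verdict for one ARP packet: trusted, ok, isolate or isolated."""
        if src_ip in self.trusted_ips or src_mac in self.trusted_macs:
            return "trusted"
        release = self.isolated.get(src_mac)
        if release is not None:
            if ts < release:
                return "isolated"           # still in the penalty period: drop
            del self.isolated[src_mac]      # automatic recovery
            self.history[src_mac].clear()
        recent = self.history[src_mac]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:
            recent.popleft()                # forget packets outside the window
        if len(recent) > self.threshold:
            self.isolated[src_mac] = ts + self.recovery_time
            return "isolate"                # threshold crossed: isolate and log
        return "ok"


def build_sample_events():
    """Constructed ARP traffic: a scanner, a normal host and a trusted monitor."""
    scanner, normal, monitor = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    events = []
    for i in range(20):                                  # 20 requests within one second
        events.append((i * 0.05, scanner, "192.168.1.50"))
    for t in (0.1, 0.5, 0.9):                            # three ordinary requests
        events.append((t, normal, "192.168.1.20"))
    for i in range(30):                                  # noisy but trusted host
        events.append((i * 0.02, monitor, "192.168.1.100"))
    events.append((4000.0, scanner, "192.168.1.50"))     # after the recovery time
    return sorted(events)


def summarize(events, detector):
    """Run the detector over time-ordered events and count verdicts per source MAC."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, mac, ip in events:
        counts[mac][detector.observe(ts, mac, ip)] += 1
    return {mac: dict(verdicts) for mac, verdicts in counts.items()}


if __name__ == "__main__":
    det = AntiArpScan(threshold=10, trusted_ips={"192.168.1.100"})
    for mac, verdicts in summarize(build_sample_events(), det).items():
        print(mac, verdicts)
```

The scanner's eleventh request in the window triggers isolation, the rest of its burst is dropped, and its request after the recovery time is accepted again; the trusted monitor is never counted.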
Chapter 24 Prevent ARP Spoofing Configuration
24.1 Overview
24.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP protocol (RFC 826) is mainly responsible for mapping an IP address to the corresponding 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 to the network card MAC address 00-1F-CE-FD-1D-2B.
address, and then some correct IP-to-MAC mappings are replaced by the mapping carried in the attack packets, so that the switch forwards packets incorrectly, affecting the whole network. Or the switches are exploited by malicious attackers, who intercept and capture the packets the switches forward, or attack other switches, hosts or network equipment.
24.3 Prevent ARP Spoofing Example
[Figure: the switch connected to hosts A, B and C]
Equipment / Configuration / Quantity
Switch: IP 192.168.2.4; MAC 00-00-00-00-00-04; 1
A: IP 192.168.2.1; MAC 00-00-00-00-00-01; 1
B: IP 192.168.1.2; MAC 00-00-00-00-00-02; 1
C: IP 192.168.2.3; MAC 00-00-00-00-00-03; some
There is normal communication between B and C in the above diagram. A wants the switch to forward the packets sent by B to itself, so it needs the switch to send the packets transferred from B to A.
Switch(Config)#
Switch(config)#ip arp-security convert
If the environment changes, ARP refresh can be forbidden: once an ARP entry has been learned, it will not be refreshed by new ARP reply packets, which protects user data from sniffing.
Switch#config
Switch(config)#ip arp-security updateprotect
Chapter 25 ARP GUARD Configuration
25.1 Introduction to ARP GUARD
There is a serious security weakness in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping between an IP address and a MAC address. This provides an opportunity for ARP cheating. Attackers can send ARP REQUEST or ARP REPLY messages advertising a wrong mapping between IP address and MAC address, causing problems in network communication.
25.2 ARP GUARD Configuration Task List
1. Configure the protected IP address
Command: arp-guard ip / no arp-guard ip (Port configuration mode)
Explanation: Configure/delete the ARP GUARD address
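The per-port protected address of 25.2, shown as an added Python model rather than the switch's code. It assumes the common ARP GUARD semantics: an ARP request or reply received on a port whose sender IP is one of that port's protected addresses is dropped, so a host on an access port cannot claim the gateway's or the switch's address; the port names and the frames are constructed for the example. The parser and builder handle the standard 28-byte Ethernet/IPv4 ARP payload (RFC 826).

```python
"""ARP GUARD model: drop ARP packets whose sender IP is protected on the
receiving port. Added example, not the switch's code; port names are assumptions."""
import struct
import ipaddress

ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (constructed test input)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, _mac_bytes(sha),
                       ipaddress.IPv4Address(spa).packed, _mac_bytes(tha),
                       ipaddress.IPv4Address(tpa).packed)


def parse_arp(payload):
    """Decode an ARP payload, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": _mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpGuard:
    def __init__(self):
        self.protected = {}   # port -> set of protected IPv4 addresses

    def protect(self, port, ip):          # models "arp-guard ip" in port mode
        self.protected.setdefault(port, set()).add(str(ipaddress.IPv4Address(ip)))

    def unprotect(self, port, ip):        # models "no arp-guard ip"
        self.protected.get(port, set()).discard(str(ipaddress.IPv4Address(ip)))

    def check(self, port, payload):
        """Return ('drop'|'forward', reason) for an ARP packet received on `port`."""
        arp = parse_arp(payload)
        if arp["spa"] in self.protected.get(port, ()):
            kind = "request" if arp["oper"] == ARP_REQUEST else "reply"
            return "drop", f"ARP {kind} claims protected IP {arp['spa']} from {arp['sha']}"
        return "forward", "sender IP not protected on this port"


if __name__ == "__main__":
    guard = ArpGuard()
    guard.protect("e1/2", "192.168.2.4")   # the switch's own address from 24.3, on an access port
    spoof = build_arp(ARP_REPLY, "00:00:00:00:00:01", "192.168.2.4",
                      "00:00:00:00:00:02", "192.168.2.2")
    print(guard.check("e1/2", spoof))
    print(guard.check("e1/1", spoof))    # no guard on the uplink: forwarded
```

The same forged reply is dropped on the guarded access port and forwarded on the unguarded uplink, which is why the protected address must be configured on every port a host could speak from.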
Chapter 26 Gratuitous ARP Configuration
26.1 Introduction to Gratuitous ARP
Gratuitous ARP is a kind of ARP request sent by a host with its own IP address as the destination of the ARP request. The basic working mode of the switch is as follows: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured to send gratuitous ARP packets on all interfaces globally.
Command: show ip gratuitous-arp [interface vlan <1-4094>] (Admin Mode and Configuration Mode)
Explanation: Display the configuration of gratuitous ARP.
26.3 Gratuitous ARP Configuration Example
[Figure: Gratuitous ARP Configuration Example. Switch interface VLAN10 connected to PC1 to PC5.]
For the network topology shown in the figure above, interface VLAN10 in the switch has IP address 192.168.15.254 and network mask 255.255.255.0. Five PCs, PC1 to PC5, are connected to the interface.
26.4 Gratuitous ARP Troubleshooting
Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, debugging information about the ARP packets can be retrieved with the command debug ARP send. If gratuitous ARP is enabled in global configuration mode, it can only be disabled in global configuration mode. If gratuitous ARP is configured in interface configuration mode, the configuration can only be disabled in interface configuration mode.
Chapter 27 DHCP Configuration
27.1 Introduction to DHCP
DHCP [RFC 2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from an address pool as well as other network configuration parameters, such as the default gateway, DNS server, default route and the location of the host image file within the network. DHCP is the enhanced version of BOOTP.
so that the DHCP packet exchange can be completed between the DHCP client and server. The switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment but also manual IP address binding (i.e. assigning a specific IP address to a specified MAC address or device ID over a long period).
(2) Configure DHCP address pool parameters
Command: network-address [mask | prefix-length] / no network-address (DHCP Address Pool Mode)
Explanation: Configure the address scope that can be allocated from the address pool. The no operation of this command cancels the allocation address pool.
Command: default-router [[[…]]] / no default-router (DHCP Address Pool Mode)
Explanation: Configure the default gateway for DHCP clients. The no operation cancels the default gateway.
no max-lease-time: restores the default setting.
Command: ip dhcp excluded-address [] / no ip dhcp excluded-address [] (Global Mode)
Explanation: Exclude the addresses in the address pool that are not for dynamic allocation.
(3) Configure manual DHCP address pool parameters
Command: hardware-address (DHCP Address Pool Mode)
Explanation: Specify/delete the hardware address when assigning an address manually.
[Figure: DHCP relay. The client broadcasts DHCPDISCOVER and DHCPREQUEST; the relay forwards them to the server and returns the server's DHCPOFFER and DHCPACK to the client as unicast.]
As shown in the above figure, the DHCP client and the DHCP server are in different networks; the DHCP client performs the four DHCP steps as usual, but the DHCP relay is added to the process.
“command cancels the setting.
3. Configure share-vlan
When the user wants to use a Layer 2 device as a DHCP relay, the number of Layer 3 interfaces that can be created on the Layer 2 device is limited. Using the Layer 3 interface of a share-vlan (which may include many sub-vlans, while a sub-vlan corresponds to only one share-vlan) implements DHCP relay forwarding; the relay device must enable the option 82 function at the same time.
Switch(dhcp-A-config)#lease 3
Switch(dhcp-A-config)#default-route 10.16.1.200 10.16.1.201
Switch(dhcp-A-config)#dns-server 10.16.1.202
Switch(dhcp-A-config)#netbios-name-server 10.16.1.209
Switch(dhcp-A-config)#netbios-node-type H-node
Switch(dhcp-A-config)#exit
Switch(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201
Switch(config)#ip dhcp pool B
Switch(dhcp-B-config)#network 10.16.2.0 24
Switch(dhcp-B-config)#lease 1
Switch(dhcp-B-config)#default-route 10.16.2.200 10.16.2.
[Figure: DHCP Relay Configuration. DHCP clients behind E1/1 (192.168.1.1); DHCP server 10.1.1.10 reached via E1/2 (10.1.1.1).]
As shown in the above figure, the switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10; the configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.
DHCP configuration example
As shown in the above figure, PC1 is the DHCP client and obtains its address through DHCP. Switch1 is a Layer 2 access device with DHCP Relay and option 82 enabled; Ethernet1/2 is an access port belonging to vlan3, and Ethernet1/3 is a trunk port connected to the DHCP server, whose address is 192.168.40.199. Switch1 creates vlan1 and interface vlan1, configures the IP address of interface vlan1 as 192.168.40.50, and configures the DHCP relay forwarding address as 192.168.40.
commands “network-address” and “host” are both run for a pool, only one of them takes effect; furthermore, in manual binding, only one IP-MAC binding can be configured in one pool. If multiple bindings are required, multiple manual pools can be created and an IP-MAC binding set for each pool. A new configuration in the same pool overwrites the previous configuration.
Chapter 28 DHCPv6 Configuration
28.1 Introduction to DHCPv6
DHCPv6 [RFC 3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS addresses and domain names, to DHCPv6 clients. DHCPv6 is the stateful address autoconfiguration protocol for IPv6.
Any DHCPv6 server that receives the request replies to the client with an ADVERTISE message, which includes the identity of the server (its DUID) and its preference. The client may receive multiple ADVERTISE messages; it should select one and answer it with a REQUEST message asking for the address advertised in that ADVERTISE. The selected DHCPv6 server then confirms the IPv6 address and any other configuration to the client with a REPLY message.
Command: service dhcpv6 / no service dhcpv6 (Global Mode)
Explanation: Enable the DHCPv6 service.
2. Configure the DHCPv6 address pool
(1) Create/delete a DHCPv6 address pool
Command: ipv6 dhcp pool / no ipv6 dhcp pool (Global Mode)
Explanation: Configure the DHCPv6 address pool.
28.3 DHCPv6 Relay Delegation Configuration
The DHCPv6 relay delegation configuration task list is as follows:
Enable/disable the DHCPv6 service
Configure DHCPv6 relay delegation on the port
1. Enable the DHCPv6 service
Command: service dhcpv6 / no service dhcpv6 (Global Mode)
Explanation: Enable the DHCPv6 service.
2.
1. Enable/delete the DHCPv6 service
Command: service dhcpv6 / no service dhcpv6 (Global Mode)
Explanation: Enable the DHCPv6 service.
2. Configure the prefix delegation pool
Command: ipv6 local pool / no ipv6 local pool (Global Mode)
Explanation: Configure the prefix delegation pool.
3.
Command: domain-name / no domain-name
Explanation: Configure the domain name for DHCPv6 clients.
4. Enable the DHCPv6 prefix delegation server function on the port
Command: ipv6 dhcp server [preference ] [rapid-commit] [allow-hint] / no ipv6 dhcp server (Interface Configuration Mode)
Explanation: Enable the DHCPv6 server function on the specified port and bind the DHCPv6 address pool to be used.
28.
28.6 DHCPv6 Configuration Examples
Example 1: when deploying IPv6 networking, the switch can be configured as a DHCPv6 server in order to manage the allocation of IPv6 addresses. Both stateful and stateless DHCPv6 are supported.
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.
28.7 DHCPv6 Troubleshooting
If the DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, the following procedure can be followed once the DHCPv6 client hardware and cables have been verified:
Verify that the DHCPv6 server is running; start the related DHCPv6 server function if it is not.
If the DHCPv6 clients and servers are not in the same physical network, verify that the router responsible for forwarding DHCPv6 packets has the DHCPv6 relay function.
Chapter 29 DHCP option 82 Configuration
29.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The relay agent adds option 82 (including the client's physical access port, the access device ID and other information) to the DHCP request message from the client and then forwards the message to the DHCP server.
SubOpt: the sub-option number; the Circuit ID sub-option is number 1 and the Remote ID sub-option is number 2. Len: the number of bytes in the sub-option value, not including the two bytes of the SubOpt and Len fields.
29.2.
DHCP server, and then forwards the message with the DHCP configuration information to the DHCP client.
29.3 DHCP option 82 Configuration Task List
Enable DHCP option 82 on the Relay Agent
Configure the DHCP option 82 attributes of the interface
Enable DHCP option 82 on the server
Configure the default format of Relay Agent DHCP option 82
Configure the delimiter
Configure the creation method of option 82
Diagnose and maintain DHCP option 82
1. Enable DHCP option 82 on the Relay Agent.
the message to the server for processing. The “no ip dhcp relay information policy” command sets the retransmission policy for DHCP messages carrying option 82 to “replace”.
Command: ip dhcp relay information option remote-id format {default | vs-hp}
Explanation: Set the remote-id format of Relay Agent option 82.
5. Configure delimiter
Command: ip dhcp relay information option delimiter [colon | dot | slash | space] / no ip dhcp relay information option delimiter (Global mode)
Explanation: Set the delimiter between the parameters of the option 82 sub-options in global mode; the no command restores the delimiter to slash.
6.
Command: debug ip dhcp relay packet
Explanation: This command is used to display information about data packet processing in the DHCP Relay Agent, including the “add” and “peel” actions on option 82.
29.
The Linux ISC DHCP server supports option 82. Its configuration file /etc/dhcpd.conf is:
ddns-update-style interim;
ignore client-updates;
class "Switch3Vlan2Class1" {
    match if option agent.circuit-id = "Vlan2+Ethernet1/2" and option agent.remote-id = 00:1f:ce:02:33:01;
}
class "Switch3Vlan2Class2" {
    match if option agent.circuit-id = "Vlan2+Ethernet1/3" and option agent.remote-id = 00:1f:ce:02:33:01;
}
subnet 192.168.102.0 netmask 255.255.255.0 {
    option routers 192.168.102.2;
    option subnet-mask 255.255.
29.5 DHCP option 82 Troubleshooting
DHCP option 82 is implemented as a sub-function module of the DHCP Relay Agent. Before using it, users should make sure that the DHCP Relay Agent is configured correctly. DHCP option 82 needs the DHCP Relay Agent and the DHCP server to cooperate in order to complete the task of allocating IP addresses.
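The option 82 layout described in 29.1 (option code, length, then SubOpt/Len/Value sub-options whose Len excludes the two header bytes) and the relay's "replace" policy of 29.3, as an added Python example that builds and parses the option and applies the policy to a client packet that already carries option 82. This is not the switch's code. The circuit-id "Vlan2+Ethernet1/2" and remote-id 00:1f:ce:02:33:01 are taken from the ISC classes in the 29.4 example; the "keep" and "drop" policy names beside the page's "replace" are an assumption. The parser validates every length against the enclosing option before trusting it, which is the check a relay or server needs when the option may come from an untrusted client rather than from its own relay.

```python
"""Build and parse DHCP option 82 (Relay Agent Information, RFC 3046) and apply
the relay's forwarding policy. Added example, not the switch's implementation."""

OPTION_82 = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def build_option82(circuit_id, remote_id):
    """Encode option 82: code, length, then SubOpt/Len/Value sub-options.
    Each Len counts only the value bytes, not the two header bytes."""
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if not 0 < len(value) <= 255:
            raise ValueError(f"sub-option {code} value must be 1..255 byt                                                                                            es")
        body += bytes([code, len(value)]) + value
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds 255 bytes")
    return bytes([OPTION_82, len(body)]) + body


def parse_option82(option):
    """Decode one option 82 TLV into {sub-option code: value}; reject truncated
    or overlapping sub-options instead of trusting a supplied length."""
    if len(option) < 2 or option[0] != OPTION_82:
        raise ValueError("not option 82")
    body = option[2:]
    if len(body) != option[1]:
        raise ValueError("option length does not match payload")
    subopts, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[pos], body[pos + 1]
        pos += 2
        if pos + length > len(body):
            raise ValueError(f"sub-option {code} length runs past the option")
        if code in subopts:
            raise ValueError(f"duplicate sub-option {code}")
        subopts[code] = body[pos:pos + length]
        pos += length
    return subopts


def relay_option82(client_option, relay_option, policy="replace"):
    """Decide what the relay forwards when a client packet already carries
    option 82 (only relays should add it, so a client-supplied one is suspect).
    replace: overwrite with the relay's own option (the page's default);
    keep: forward the client's option unchanged (assumed policy name);
    drop: discard the packet, returned as None (assumed policy name)."""
    if client_option is None:
        return relay_option
    if policy == "replace":
        return relay_option
    if policy == "keep":
        return client_option
    if policy == "drop":
        return None
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed values matching the ISC classes in the example above.
    opt = build_option82(b"Vlan2+Ethernet1/2", bytes.fromhex("001fce023301"))
    print(opt.hex())
    print(parse_option82(opt))
```

For the constructed values the option is 29 bytes long: code 82, length 27, a 17-byte Circuit ID sub-option and a 6-byte Remote ID sub-option. A forged inner length that runs past the option, or an option cut short in transit, is rejected rather than read out of bounds.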
Chapter 30 DHCP option 60 and option 43
30.1 Introduction to DHCP option 60 and option 43
The DHCP server analyzes the DHCP packets from the DHCP client. If a packet carries option 60, the server decides whether to return option 43 to the DHCP client according to the option 60 in the packet and the option 60 and option 43 configured in the DHCP server address pool. Configure the corresponding option 60 and option 43 in the DHCP server address pool:
1. The address pool has both option 60 and option 43 configured.
pool mode.
Command: no option 60
Explanation: Delete the configured option 60 in address pool mode.
Command: no option 43
Explanation: Delete the configured option 43 in address pool mode.
30.3 DHCP option 60 and option 43 Example
[Figure: Typical DHCP option 60 and option 43 topology]
A fit AP obtains its IP address and the option 43 attribute from the DHCP server and uses them to send a unicast discovery request to the wireless controller. The DHCP server is configured with an option 60 matching the fit AP's option 60, so that it returns the option 43 attribute to the fit AP.
Chapter 31 DHCPv6 option37, 38
31.1 Introduction to DHCPv6 option37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 addressing scheme and is used to assign IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client on a different link wants to request an address and configuration parameters from a DHCPv6 server, it must communicate with the server through a DHCPv6 relay agent.
31.2 DHCPv6 option37, 38 Configuration Task List
1. DHCPv6 snooping option basic functions configuration
2. DHCPv6 relay option basic functions configuration
3. DHCPv6 server option basic functions configuration
1. DHCPv6 snooping option basic functions configuration
Command: ipv6 dhcp snooping remote-id option / no ipv6 dhcp snooping remote-id option (Global mode)
Description: This command enables DHCPv6 snooping support for option 37; the no command disables it.
current packet with its own before forwarding it to the server; the no command sets the re-forwarding policy for DHCPv6 packets carrying option 38 to replace.
Command: ipv6 dhcp snooping subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |) / no ipv6 dhcp snooping subscriber-id select delimiter
Description: Configures the user-selectable fields used to generate the subscriber-id; the no command restores the default, i.e. the enterprise number together with the VLAN MAC.
Command: ipv6 dhcp relay subscriber-id option / no ipv6 dhcp relay subscriber-id option
Description: This command enables option 38 support on the switch relay; the no form of this command disables it.
Command: ipv6 dhcp relay remote-id delimiter WORD / no ipv6 dhcp relay remote-id delimiter
Description: Configures the user-selectable fields used to generate the remote-id; the no command restores the default, i.e. the enterprise number together with the VLAN MAC.
Command: ipv6 dhcp use class / no ipv6 dhcp use class
Description: This command enables the DHCPv6 server to use DHCPv6 classes during address assignment; the no form of this command disables it without removing the DHCPv6 class information that has been configured.
Command: ipv6 dhcp class / no ipv6 dhcp class
Description: This command defines a DHCPv6 class and enters DHCPv6 class mode; the no form of this command removes the DHCPv6 class.
31.3 DHCPv6 option37, 38 Examples
31.3.1 DHCPv6 Snooping option37, 38 Example
[Figure: DHCPv6 Snooping option schematic. Switch B is connected to Switch A interface E1/1; hosts MAC-AA, MAC-BB and MAC-CC are on Switch A interfaces E1/2, E1/3 and E1/4.]
As shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users connected to untrusted interfaces 1/2, 1/3 and 1/4 respectively; they obtain the IP addresses 2010:2, 2010:3 and 2010:4 through the DHCPv6 client. The DHCPv6 server is connected to trusted interface 1/1.
SwitchA(config)#interface ethernet 1/1-4
SwitchA(config-if-port-range)#switchport access vlan 1
SwitchA(config-if-port-range)#exit
SwitchA(config)#
Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::1000
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-confi
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(config)#
31.3.
S2(config)#ipv6 dhcp relay remote-id option
S2(config)#ipv6 dhcp relay subscriber-id option
S2(config)#vlan 10
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1:::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#
31.
Chapter 32 DHCP Snooping Configuration
32.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which DHCP clients obtain IP addresses through the DHCP protocol. It prevents DHCP attacks and illegal DHCP servers by configuring trusted and untrusted ports; DHCP messages arriving on trusted ports are forwarded without being verified. In typical settings, trusted ports connect to the DHCP server or DHCP relay proxy, and untrusted ports connect to DHCP clients.
Log Server via syslog.
LOG function: When the switch detects abnormal received packets or recovers automatically, it sends syslog information to the log server.
Encryption of private messages: Communication between the switch and the inner-network security management system TrustView uses private messages, and users can encrypt version 2 of those messages.
Add authentication option82 function: Used together with the dot1x dhcpoption82 authentication mode.
Global mode: ip dhcp snooping binding enable / no ip dhcp snooping binding enable: Enable or disable the DHCP snooping binding function.
3. Enable DHCP Snooping binding ARP function
Command / Explanation
Global mode: ip dhcp snooping binding arp / no ip dhcp snooping binding arp: This command is not supported by the switch.
4. Enable DHCP Snooping option82 function
Command / Explanation
Global mode: ip dhcp snooping information enable / no ip dhcp snooping information enable: Enable or disable the DHCP snooping option82 function.
8. Set trusted ports
Command / Explanation
Port mode: ip dhcp snooping trust / no ip dhcp snooping trust: Set or remove the DHCP snooping trust attribute of a port.
9. Enable DHCP SNOOPING binding DOT1X function
Command / Explanation
Port mode: ip dhcp snooping binding dot1x / no ip dhcp snooping binding dot1x: Enable or disable the DHCP snooping binding dot1x function.
10.
no ip dhcp snooping action
13. Set rate limitation of data transmission
Command / Explanation
Global mode: ip dhcp snooping limit-rate / no ip dhcp snooping limit-rate: Set the rate limit for the transmission of DHCP snooping messages.
14. Enable the debug switch
Command / Explanation
Admin mode: debug ip dhcp snooping packet; debug ip dhcp snooping event; debug ip dhcp snooping update; debug ip dhcp snooping binding: Please refer to the chapter on system troubleshooting.
15.
WORD} no ip dhcp snooping information option self-defined remote-id by themselves.
ip dhcp snooping information option self-defined remote-id format [ascii | hex]: Set the self-defined format of the remote-id for snooping option82.
ip dhcp snooping information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname) | remote-mac) | string WORD} / no ip dhcp snooping information option: Set the creation method for option82; users can define the parameters of the circuit-id sub-option themselves.
port 1/1 of the switch. It runs a DHCP client and has IP address 1.1.1.5; the DHCP server and gateway are connected to the trusted ports 1/11 and 1/12 of the switch; the malicious user Mac-BB is connected to the untrusted port 1/10 and tries to impersonate a DHCP server (by sending DHCPACK). Enabling DHCP Snooping on the switch will effectively detect and block this kind of network attack.
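The trust-port rule behind this scenario, as an added illustration that is not the vendor's code: server-side DHCP messages are accepted only on trusted ports, and ACKs seen on trusted ports populate the binding table. The sample traffic, the port names and the MAC labels ("aa", "bb", "srv") are constructed from the topology described above.

```python
# Added illustration (not vendor code) of the trust-port rule described above:
# server-side DHCP messages are accepted only on trusted ports, and ACKs seen on
# trusted ports populate the snooping binding table.
from dataclasses import dataclass, field

# DHCP message types (RFC 2132, option 53)
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_ONLY_TYPES = {DHCPOFFER, DHCPACK, DHCPNAK}   # only a server may send these


@dataclass
class DhcpMsg:
    port: str         # ingress switch port, e.g. "1/10"
    src_mac: str      # source MAC of the Ethernet frame
    msg_type: int     # option 53 value
    chaddr: str       # client hardware address in the DHCP header
    yiaddr: str = ""  # address offered/assigned by a server (OFFER/ACK only)


@dataclass
class SnoopingSwitch:
    trusted: set                                      # ports with "ip dhcp snooping trust"
    client_port: dict = field(default_factory=dict)   # chaddr -> untrusted port it was seen on
    bindings: dict = field(default_factory=dict)      # chaddr -> (ip, port) learned from ACKs
    alerts: list = field(default_factory=list)        # what would go to the log server

    def handle(self, m: DhcpMsg) -> str:
        """Return "forward" or "drop" for one DHCP message."""
        if m.port in self.trusted:
            # Trusted port: forwarded without verification. An ACK tells us which
            # address the legitimate server assigned to which client.
            if m.msg_type == DHCPACK and m.yiaddr:
                self.bindings[m.chaddr] = (m.yiaddr, self.client_port.get(m.chaddr))
            return "forward"
        # Untrusted port: a server-only message here comes from a rogue server
        # (Mac-BB answering with DHCPACK in the scenario above).
        if m.msg_type in SERVER_ONLY_TYPES:
            self.alerts.append(
                f"rogue DHCP server: type {m.msg_type} from {m.src_mac} on untrusted port {m.port}")
            return "drop"
        # Client message: remember the port so the later ACK can be bound to it.
        self.client_port[m.chaddr] = m.port
        return "forward"


def run_scenario():
    """Replay the example topology: client Mac-AA on port 1/1, server on trusted 1/11,
    attacker Mac-BB on untrusted 1/10. Returns (decisions, bindings, alerts)."""
    sw = SnoopingSwitch(trusted={"1/11", "1/12"})
    traffic = [  # constructed sample traffic
        DhcpMsg("1/1", "aa", DHCPDISCOVER, chaddr="aa"),
        DhcpMsg("1/10", "bb", DHCPOFFER, chaddr="aa", yiaddr="1.1.1.99"),   # rogue offer
        DhcpMsg("1/11", "srv", DHCPOFFER, chaddr="aa", yiaddr="1.1.1.5"),
        DhcpMsg("1/1", "aa", DHCPREQUEST, chaddr="aa"),
        DhcpMsg("1/10", "bb", DHCPACK, chaddr="aa", yiaddr="1.1.1.99"),     # rogue ACK
        DhcpMsg("1/11", "srv", DHCPACK, chaddr="aa", yiaddr="1.1.1.5"),
    ]
    decisions = [sw.handle(m) for m in traffic]
    return decisions, sw.bindings, sw.alerts
```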
Chapter 33 DHCP Snooping option 82 Configuration
33.1 Introduction to DHCP Snooping option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is intended to strengthen the security of DHCP servers and to improve IP address configuration policy.
SubOpt: the sub-option number; the Circuit ID sub-option has number 1 and the Remote ID sub-option has number 2.
Len: the number of bytes in the sub-option Value, not including the SubOpt byte and the Len byte.
33.1.
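An added example, not the vendor's code, that builds and parses the option 82 layout just described (option code 82, option length, then SubOpt/Len/Value sub-options with Circuit ID = 1 and Remote ID = 2). The VLAN-plus-port circuit-id layout and the switch MAC used as remote-id are constructed assumptions, not the switch's actual encoding.

```python
# Added example (not vendor code): build and parse the option 82 TLV layout described
# above: option code 82, option length, then sub-options of SubOpt (1 byte), Len (1 byte)
# and Value, where Circuit ID is sub-option 1 and Remote ID is sub-option 2.
import struct

OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def circuit_id_vlan_port(vlan: int, port: int) -> bytes:
    """Constructed circuit-id layout (an assumption, not the vendor's encoding):
    VLAN id as 2 bytes, then the port number as 1 byte, big-endian."""
    return struct.pack("!HB", vlan, port)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 with a Circuit ID and a Remote ID sub-option."""
    body = b""
    for subopt, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if len(value) > 255:
            raise ValueError("sub-option value exceeds one-byte Len")
        body += bytes([subopt, len(value)]) + value    # SubOpt, Len, Value
    if len(body) > 255:
        raise ValueError("option body exceeds one-byte option length")
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(opt: bytes) -> dict:
    """Decode option 82 into {subopt: value}. Every length is checked against the
    bytes actually present, so a truncated or over-long option is rejected rather
    than silently accepted."""
    if len(opt) < 2 or opt[0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    end = 2 + opt[1]
    if end != len(opt):
        raise ValueError("option length does not match data length")
    subs, i = {}, 2
    while i < end:
        if i + 2 > end:
            raise ValueError("truncated sub-option header")
        subopt, length = opt[i], opt[i + 1]
        value = opt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option Len runs past the option")
        if subopt in subs:
            raise ValueError(f"duplicate sub-option {subopt}")
        subs[subopt] = value
        i += 2 + length
    return subs


def is_malformed(opt: bytes) -> bool:
    """True when parse_option82 rejects the bytes."""
    try:
        parse_option82(opt)
    except ValueError:
        return True
    return False


# Constructed sample: VLAN 1, port 3 as circuit-id; a made-up switch MAC as remote-id.
SAMPLE_OPTION = build_option82(circuit_id_vlan_port(1, 3), bytes.fromhex("001211230000"))
```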
forwarding.
33.2 DHCP Snooping option 82 Configuration Task List
Enable DHCP SNOOPING
Enable DHCP Snooping binding function
Enable DHCP Snooping option 82 binding function
Configure trust ports
1. Enable DHCP SNOOPING
Command / Explanation
Global mode: ip dhcp snooping enable / no ip dhcp snooping enable: Enable or disable the DHCP SNOOPING function.
2.
33.3 DHCP Snooping option 82 Application Examples
Figure: DHCP option 82 typical application example (DHCP Client PC1, Switch1 Vlan1:eth1/3, DHCP Server)
In the above example, the layer 2 Switch1, with DHCP Snooping enabled, forwards the request message from the DHCP client to the DHCP server. It also forwards the reply message from the server to the DHCP client to complete the DHCP protocol procedure.
range 192.168.102.51 192.168.102.80;
default-lease-time 43200; # 12 hours
max-lease-time 86400; # 24 hours
allow members of "Switch1Vlan1Class1";
}
}
Now, the DHCP server will allocate addresses for the network nodes behind Switch1 within the range 192.168.102.51 to 192.168.102.80.
33.
Chapter 34 IPv4 Multicast Protocol
34.1 IPv4 Multicast Protocol Overview
This chapter introduces the configuration of the IPv4 multicast protocol.
34.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet (carrying data, sound or video) is a minority of the users in the network. One way is to use Unicast mode, i.e.
34.1.2 Multicast Address
The destination address of a multicast message is a class D IP address in the range 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In unicast data transmission, a data packet is routed from the source address to the destination address hop by hop.
224.0.0.17 All SBMS
224.0.0.18 VRRP
224.0.0.22 IGMP
When Ethernet transmits unicast IP messages, the destination MAC address used is the receiver's MAC address. When transmitting multicast packets, however, the destination is no longer a specific receiver but a group with indeterminate membership, so a multicast MAC address is used. The multicast MAC address corresponds to the multicast IP address.
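The correspondence between multicast IP and MAC addresses, as an added example that is not from the manual: the standard mapping (RFC 1112) copies the low 23 bits of the class D address into a 01-00-5E MAC, so 32 groups share each MAC, and a device that forwards on the MAC alone cannot tell them apart. The code goes beyond the text by enumerating those colliding groups.

```python
# Added example (not from the manual) of the IP-to-MAC correspondence mentioned above.
# IPv4 multicast groups map to MAC 01-00-5E-xx-xx-xx by copying the low 23 bits of the
# group address (RFC 1112), so 32 groups share each MAC.
import ipaddress

CLASS_D_LOW, CLASS_D_HIGH = "224.0.0.0", "239.255.255.255"
MCAST_MAC_PREFIX = 0x01005E   # IANA OUI used for IPv4 multicast MACs


def is_class_d(ip: str) -> bool:
    """True for 224.0.0.0 .. 239.255.255.255 (top four bits 1110)."""
    n = int(ipaddress.IPv4Address(ip))
    low = int(ipaddress.IPv4Address(CLASS_D_LOW))
    high = int(ipaddress.IPv4Address(CLASS_D_HIGH))
    return low <= n <= high


def multicast_mac(ip: str) -> str:
    """Map a class D address to its multicast MAC, in the manual's xx-xx-xx-xx-xx-xx form."""
    if not is_class_d(ip):
        raise ValueError(f"{ip} is not a class D address")
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    mac = (MCAST_MAC_PREFIX << 24) | low23
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(ip: str) -> list:
    """All 32 class D addresses that map to the same MAC as ip: the five bits between
    the fixed 1110 prefix and the copied 23 bits (bits 27..23) are discarded."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]
```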
education, remote medicine, real-time video/audio meetings, the following applications may be provided:
Multimedia and streaming media applications
Data repositories, financial applications (stock quotes), etc.
Any "one point to multiple points" data distribution application
As multimedia operations in IP networks keep growing, multicast has tremendous market potential and multicast services will become widespread.
34.2 DCSCM
34.2.
Destination Control Configuration
Multicast Strategy Configuration
Source Control Configuration
Source control configuration has three parts, the first of which is to enable source control. The source control command is as follows:
Command / Explanation
Global Configuration Mode: Enable source control globally; the "no ip multicast source-control" command disables source control globally.
Like source control configuration, destination control configuration also has three steps. First, enable destination control globally. Since destination control must prevent unauthorized users from receiving multicast data, the switch will not broadcast the multicast data it receives once global destination control is configured. Therefore, avoid connecting two or more other Layer 3 switches in the same VLAN on a switch with destination control enabled.
access-group <6000-7999>: control applies to the specified IP address/net mask; the no form cancels the configuration.
Multicast Strategy Configuration
Multicast strategy assigns a priority to specified multicast data in order to achieve and guarantee the effect the specific user requires. Note that multicast data only receives this special treatment along its whole path when it is transmitted on a TRUNK port. The configuration is very simple; it has only one command, i.e.
Switch(config)#access-list 6000 permit ip any any
Switch(config)#multicast destination-control
Switch(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000
In this way, users of this network segment can only join groups other than 238.0.0.0/8.
Multicast strategy: Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3; we can configure its access switch as follows:
Switch(config)#ip multicast policy 210.1.1.1/32 239.1.2.
34.3.2 IGMP Snooping Configuration Task List
1. Enable IGMP Snooping
2. Configure IGMP Snooping
1. Enable IGMP Snooping
Command / Explanation
Global Mode: ip igmp snooping / no ip igmp snooping: Enables IGMP Snooping. The no operation disables the IGMP Snooping function.
2. Configure IGMP Snooping
Command / Explanation
Global Mode: ip igmp snooping vlan / no ip igmp snooping vlan: Enables IGMP Snooping for the specified VLAN. The no operation disables IGMP Snooping for the specified VLAN.
ip igmp snooping vlan mrouter-port learnpim / no ip igmp snooping vlan mrouter-port learnpim: Enable the specified VLAN to learn mrouter ports (from PIM packets); the no command disables the function.
ip igmp snooping vlan mrpt / no ip igmp snooping vlan mrpt: Configure the survival time of the mrouter port. The "no ip igmp snooping vlan mrpt" command restores the default value.
ip igmp snooping vlan report source-address / no ip igmp snooping vlan report source-address: Configure the source address of forwarded IGMP packets. The no operation cancels the configured source address.
ip igmp snooping vlan specific-query-mrspt / no ip igmp snooping vlan specific-query-mrspt: Configure the maximum query response time for the specific group or source; the no command restores the default value.
34.3.
Multicast Configuration
Suppose the multicast server provides two programs using the multicast addresses Group1 and Group2. Four hosts run multicast applications: the three connected to ports 2, 6 and 10 play program 1, while the host connected to port 12 plays program 2.
IGMP Snooping listening result: The multicast table built by IGMP Snooping in VLAN 100 indicates ports 1, 2, 6, 10 in Group1 and ports 1, 12 in Group2.
SwitchB#config
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 100
SwitchB(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/1
Multicast Configuration: The same as scenario 1
IGMP Snooping listening result: Similar to scenario 1
34.3.4 IGMP Snooping Troubleshooting
When configuring and using IGMP Snooping, it might not run properly because of physical connection or configuration mistakes.
Chapter 35 IPv6 Multicast Protocol
35.1 MLD Snooping
35.1.1 Introduction to MLD Snooping
MLD, the Multicast Listener Discovery Protocol, is used to implement multicasting in IPv6. MLD is used by network equipment such as multicast-capable routers for multicast listener discovery, and by listeners wishing to join a certain multicast group to inform the router that they want to receive the data packets sent to that multicast address; all of this is done through MLD message exchange.
ipv6 mld snooping vlan / no ipv6 mld snooping vlan: Enable MLD Snooping on the specified VLAN. The "no" form of this command disables MLD Snooping on the specified VLAN.
ipv6 mld snooping vlan limit {group | source} / no ipv6 mld snooping vlan limit: Configure the number of groups that MLD Snooping can join and the maximum number of sources in each group. The "no" form of this command restores the default.
no ipv6 mld snooping vlan query-robustness
ipv6 mld snooping vlan suppression-query-time / no ipv6 mld snooping vlan suppression-query-time: Configure the suppression query time.
ipv6 mld snooping vlan static-group [source ] interface [ethernet | portchannel] / no ipv6 mld snooping vlan static-group [source ] interface [ethernet | portchannel]
Switch(config)#ipv6 mld snooping vlan 100
Switch(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast configuration: Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2. Programs 1 and 2 are provided by Multicast Server 1 and program 3 by Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively. Multicast applications are running concurrently on the four hosts.
Figure: Switch as MLD Querier Function (SwitchA, SwitchB)
The configuration of switch B is the same as that of the switches in case 1, and here switch 1 replaces the multicast router of case 1. Assume that VLAN 60 configured on it contains ports 1, 2, 10 and 12, where port 1 is connected to the multicast server and port 2 to switch 2. To send Queries periodically, global MLD Snooping has to be enabled while executing the mld snooping vlan 60 l2-general-querier command, which sets VLAN 60 as a Level 2 General Querier.
Multicast configuration: Same as scenario 1
MLD Snooping interception results: Same as scenario 1
35.1.4 MLD Snooping Troubleshooting
When configuring and using MLD Snooping, it may fail to run properly due to physical connection failure, wrong configuration, etc.
Chapter 36 Multicast VLAN
36.1 Introduction to Multicast VLAN
With the current multicast ordering method, when users in different VLANs order the same multicast stream, each VLAN carries its own copy of the multicast traffic, which greatly wastes bandwidth. By configuring a multicast VLAN, we add the switch ports to the multicast VLAN, and with the IGMP Snooping/MLD Snooping functions enabled, users in different VLANs share the same multicast VLAN.
no multicast-vlan association interface (ethernet | port-channel|) IFNAME: Cancels the association between the ports and the multicast VLAN.
2. Configure IGMP Snooping
Command / Explanation
Global Mode: ip igmp snooping vlan / no ip igmp snooping vlan: Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables IGMP Snooping on the multicast VLAN.
ip igmp snooping / no ip igmp snooping: Enable the IGMP Snooping function.
VLAN100 is configured to contain port 1/15, and VLAN101 to contain port 1/20. PC1 and PC2 are connected to ports 1/15 and 1/20 respectively. Switch B is connected to Switch A through port 1/10, which is configured as a trunk port. VLAN 20 is a multicast VLAN. By configuring the multicast VLAN, PC1 and PC2 will receive the multicast data from the multicast VLAN. The following configuration assumes that the IP addresses of the switches have been configured and that all equipment is connected correctly.
When multicast VLAN is used for IPv6 multicast, usage is the same as for IPv4; the only difference is that it works together with MLD Snooping, so no separate example is given.
+7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр.
Chapter 37 ACL Configuration
37.1 Introduction to ACL
An ACL (Access Control List) is an IP packet filtering mechanism employed in switches that controls network traffic by granting or denying access through the switch, effectively safeguarding network security. The user can lay down a set of rules based on information specific to packets; each rule describes the action, "permit" or "deny", for a packet matching the specified information.
An access-list can consist of several rules. Packet filtering compares the packet against the rules in order, from the first rule to the first matching rule; the remaining rules are not processed. The global default action applies only to IP packets in the incoming direction on the ports. The global default action applies only when the packet filter is enabled on a port and either no ACL is bound to that port or no bound ACL matches.
37.2 ACL Configuration Task List
ACL Configuration Task Sequence:
1.
3. Configuring the time range function
Create the name of the time range
Configure a periodic time range
Configure an absolute time range
4. Bind the access-list to the incoming direction of the specified port
5. Clear the filtering information of the specified port
1.
}] [ack+fin+psh+rst+urg+syn] [precedence ] [tos ][time-range] using this number.
Standard IP ACL Mode: exit: Exits name-based standard IP ACL configuration mode.
(4) Configuring a name-based extended IP access-list
a. Create an extended IP access-list based on name
Command / Explanation
Global Mode: ip access-list extended / no ip access-list extended: Creates a name-based extended IP access-list; the "no ip access-list extended" command deletes the name-based extended IP access-list.
b.
] [tos ][time-range] [no] {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | } {{ } | any-source | {host-source }} {{ } | anydestination | {host-destination }} [precedence ] [tos ][time-range] Creates an extended namebased IP access rule for other IP protocols; the no form command deletes this namebased extended IP access rule. c.
Global Mode: mac-access-list extended / no mac-access-list extended: Creates an extended name-based MAC access rule for other IP protocols; the no form command deletes this name-based extended MAC access rule.
b.
value> []]]
c. Exit ACL Configuration Mode
Command / Explanation
Extended name-based MAC access configuration mode: Quit the extended name-based MAC access configuration mode.
destination| {host-destination }} [d-port { | range }] [ack+fin+psh+rst+urg+syn] [precedence ] [tos ][time-range] access-list{deny|permit}{any-source-mac| {host-source-mac}|{}}{any-destination-mac|{host-destination-mac }|{}}udp {{}|any-source| {hostsource}} [s-port { | range }] {{
rule. b.
[no]{deny|permit}{any-source-mac|{host-sourcemac}|{}} {anydestination-mac|{host-destination-mac }|{}}udp {{}|any-source| {hostsource}} [s-port { | range }] {{}|anydestination| {host-destination }} [d-port { | range }] Creates an extended name-based MAC-UDP access rule; the no form command deletes this
a. Create a standard IPv6 access-list based on name
Command / Explanation
Global Mode: ipv6 access-list standard / no ipv6 access-list standard: Creates a name-based standard IPv6 access-list; the no command deletes the name-based standard IPv6 access-list.
b.
Thursday | Friday | Saturday | Sunday} to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday}: the requested days of the week; the time range repeats every week on those days.
Admin Mode: clear access-group statistic [ethernet ]: Clear the filtering information of the specified port.
37.3 ACL Example
Scenario 1: The user has the following configuration requirement: port 1/10 of the switch connects to the 10.0.0.0/24 segment, and FTP is not to be allowed for these users.
Configuration description:
Create a proper ACL
Configure the packet filtering function
Bind the ACL to the port
The configuration steps are listed below:
Switch(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.
Bind the ACL to the related interface. The configuration steps are listed below.
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#mac-ip access-group 3110 in
Switch(Config-Ethernet1/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Firewall Default Rule: Permit.
Switch#show access-lists
access-list 3110(used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.
Switch#show firewall
Firewall Status: Enable.
Firewall Default Rule: Permit.
Switch#show ipv6 access-lists
Ipv6 access-list 600(used 1 time(s))
ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source
ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source
Switch #show access-group interface ethernet 1/10
interface name:Ethernet1/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.
37.4 ACL Troubleshooting
ACL entries are checked in top-down order, and checking ends as soon as an entry matches. The default rule is used only if no ACL is bound to the incoming direction of the port or no ACL entry matches. Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (via physical interface mode or VLAN interface mode). When four ACLs are bound and a packet matches several of them at the same time, the priority relations are as follows, in top-down order.
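The matching order described in 37.1 and here, as an added example that is not the vendor's code: rules are tried top-down, the first match decides, and the firewall default rule applies only when the packet filter is enabled and nothing matched. The FTP rule completes the truncated "access-list 110 deny tcp 10.0.0.0 0.0.0..." line of scenario 1 with assumed values (destination any, destination port 21); the exempted host 10.0.0.5 and the sample packets are constructed.

```python
# Added example (not vendor code) of the ACL matching order described in 37.1 and 37.4:
# rules are tried top-down, the first match decides, and the firewall default rule
# applies only when the packet filter is enabled and nothing matched.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol
    src: str                     # "any" or "<address> <wildcard>", e.g. "10.0.0.0 0.0.0.255"
    dst: str = "any"
    dport: Optional[int] = None  # None means any destination port


def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard (inverse) mask as used in the ACL syntax: a 1 bit means "don't care",
    so 10.0.0.0 0.0.0.255 covers 10.0.0.0/24 and <host> 0.0.0.0 covers one host."""
    if spec == "any":
        return True
    base, mask = spec.split()
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    care = ~m & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def filter_packet(acl: List[Rule], pkt: Packet, firewall_enabled: bool = True,
                  default_action: str = "permit") -> str:
    """Decide "permit" or "deny" for an incoming packet on a port with acl bound."""
    if not firewall_enabled:
        return "permit"            # packet filter off: neither ACL nor default rule applies
    for rule in acl:               # top-down; the first matching entry ends the search
        if rule_matches(rule, pkt):
            return rule.action
    return default_action          # no entry matched (or no ACL bound): default rule


# Scenario 1 of 37.3 with the assumed completion: deny FTP (tcp/21) from 10.0.0.0/24.
ACL_110 = [Rule("deny", "tcp", "10.0.0.0 0.0.0.255", "any", 21)]

# Constructed variant showing first-match: one host is exempted by an earlier permit.
ACL_110_WITH_EXEMPTION = [Rule("permit", "tcp", "10.0.0.5 0.0.0.0", "any", 21)] + ACL_110
```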
When removing a VLAN configuration, if any ACLs are bound to the VLAN, the ACL will be removed from all physical interfaces belonging to the VLAN and those interfaces will be bound to the VLAN 1 ACL (if an ACL is configured in VLAN 1). If binding the VLAN 1 ACL fails, the VLAN removal operation will fail.
Chapter 38 802.1x Configuration
38.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the IEEE wireless LAN protocol, and was designed to provide a solution for authenticating users when they access a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can reach a LAN controlling device (such as a LAN switch), they can access all devices and resources in the LAN.
The Authentication Structure of 802.1x
The supplicant system is an entity at one end of the LAN segment that must be authenticated by the access controlling unit at the other end of the link. A supplicant system is usually a user terminal device. Users start 802.1x authentication by starting the supplicant software. A supplicant system must support EAPOL (Extensible Authentication Protocol over LAN).
3. Controlled direction
In the unauthenticated state, controlled ports can be set as unidirectionally controlled or bidirectionally controlled. When the port is bidirectionally controlled, sending and receiving of all frames is forbidden. When the port is unidirectionally controlled, no frames can be received from the supplicant systems, while sending frames to the supplicant systems is allowed.
Notes: At present, this kind of switch only supports unidirectional control.
38.1.2 The Work Mechanism of 802.
LAN environment, the format of the EAPOL packet is illustrated in the next figure. The EAPOL packet begins at the Type/Length field of the MAC frame.
Figure: The Format of EAPOL Data Packet
PAE Ethernet Type: Represents the protocol type; its value is 0x888E.
Protocol Version: Represents the version of the protocol supported by the sender of the EAPOL data packet.
Code: Specifies the type of the EAP packet. There are four in total: Request (1), Response (2), Success (3), Failure (4). Packets of type Success or Failure have no Data field, and the value of the Length field in such packets is 4. The format of the Data field in packets of type Request and Response is illustrated in the next figure. Type is the EAP authentication type; the content of the Type data depends on the type.
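A parser for the EAPOL and EAP headers just described, as an added example that is not the vendor's code: Ethernet type 0x888E, then Protocol Version, Packet Type and Length, and for EAP packets the Code (1 to 4), Identifier, Length and, for Request/Response only, the Type field. The two MAC addresses and the sample frames are constructed; the protocol version value 1 is that of IEEE 802.1X-2001.

```python
# Added example (not vendor code) that parses the EAPOL and EAP headers described above.
import struct
from typing import Optional

ETH_P_PAE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # destination used for EAPOL on a LAN
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet; raises ValueError on a header that contradicts itself."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    if length != len(pkt):
        raise ValueError("EAP Length does not match the bytes present")
    eap = {"code": code, "id": ident, "length": length}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:          # Success/Failure carry no Data field
            raise ValueError("Success/Failure must have Length 4")
        return eap
    if length < 5:               # Request/Response need at least the Type byte
        raise ValueError("Request/Response without Type field")
    eap["type"], eap["type_data"] = pkt[4], pkt[5:]
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying EAPOL. Trailing padding is tolerated,
    but an EAPOL Length larger than the frame is rejected."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_PAE:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not PAE (0x888E)")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length exceeds frame")
    out = {"src": frame[6:12].hex("-"), "version": version, "type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        out["eap"] = parse_eap(body)
    return out


def build_eapol_frame(dst: bytes, src: bytes, ptype: int, body: bytes = b"",
                      version: int = 1) -> bytes:
    """Assemble a frame for the constructed samples below (Protocol Version 1 = 802.1X-2001)."""
    return dst + src + struct.pack("!HBBH", ETH_P_PAE, version, ptype, len(body)) + body


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Assemble an EAP packet; Success/Failure are built with no Type and so get Length 4."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Constructed sample frames: the authenticator's EAP-Request/Identity (what the device
# sends when it detects an unauthenticated user) and a supplicant's EAPOL-Start.
SUPPLICANT_MAC = bytes.fromhex("001211230000")     # constructed
AUTHENTICATOR_MAC = bytes.fromhex("0000aa000001")  # constructed
REQUEST_IDENTITY = build_eapol_frame(
    SUPPLICANT_MAC, AUTHENTICATOR_MAC, EAPOL_EAP_PACKET,
    build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)) + b"\x00" * 20   # padded like a real frame
EAPOL_START_FRAME = build_eapol_frame(PAE_GROUP_ADDR, SUPPLICANT_MAC, EAPOL_START)


def is_malformed(frame: bytes) -> bool:
    """True when parse_eapol_frame rejects the frame."""
    try:
        parse_eapol_frame(frame)
    except ValueError:
        return True
    return False
```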
Figure: Message-Authenticator Attribute
The Authentication Methods of 802.1x
Authentication can be initiated either by the supplicant system or by the device. When the device detects an unauthenticated user accessing the network, it sends an EAP-Request/Identity message to the supplicant system to start authentication. Alternatively, the supplicant system can send an EAPOL-Start message to the device via the supplicant software. 802.
PEAP (Protected Extensible Authentication Protocol)
These will be described in detail in the following part.
Attention: The switch, as a pass-through access controlling unit, does not check the content of a particular EAP method, so it can support all the EAP methods above and any EAP authentication methods that may be added in the future.
2. EAP-TLS Authentication Method
EAP-TLS was proposed by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server as well as the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess digital certificates in order to implement mutual authentication. It is the earliest EAP authentication method used in wireless LANs.
authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificates. The only requirement is that the RADIUS server has a digital certificate. User identity is authenticated with passwords transmitted in a securely encrypted tunnel established using the authentication server's certificate. Any kind of authentication request, including EAP, PAP and MS-CHAPv2, can be transmitted within TTLS tunnels.
4.
In EAP termination mode, the access control unit and the RADIUS server can use the PAP or CHAP authentication method. The following figure demonstrates the basic operation flow using the CHAP authentication method.
Figure: The Authentication Flow of 802.1x EAP Termination Mode
38.1.5 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.
When the MAC-based method is used, all users accessing a port are authenticated separately; only those who pass authentication can access the network, while the others cannot. When one user goes offline, the other users are not affected. When the user-based (IP address + MAC address + port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced control.
resources. Before passing 802.1x authentication, the user's authentication port belongs to a default VLAN (the Guest VLAN), with the right to access the resources within this VLAN without authentication, while resources in other networks are out of reach. Once authenticated, the port leaves the Guest VLAN and the user can access the resources of other networks. In the Guest VLAN, users can get 802.
no dot1x privateclient enable function.
dot1x user freeresource / no dot1x user freeresource: Sets the network resources that unauthorized dot1x users may access freely. The no command removes the free resource.
dot1x unicast enable / no dot1x unicast enable: Enables the 802.1x unicast pass-through function of the switch; the no operation of this command disables this function.
2.
3) Configure extended 802.1x functions
Command / Explanation
Global Mode: dot1x macfilter enable / no dot1x macfilter enable: Enables the 802.1x address filter function on the switch; the no command disables the 802.1x address filter function.
dot1x accept-mac [interface ] / no dot1x accept-mac [interface ]: Adds an 802.1x address filter table entry; the no command deletes 802.1x filter address table entries.
dot1x eapor enable / no dot1x eapor enable
no dot1x timeout reauthperiod
dot1x timeout tx-period / no dot1x timeout tx-period: Sets the re-transmission interval of the EAP Request/Identity frame to the supplicant; the no command restores the default setting.
dot1x re-authenticate [interface ]: Enables IEEE 802.1x re-authentication (without waiting for the timeout) for all ports or a specified port.
38.3 802.1x Application Example
38.3.
Figure: User Joining Guest VLAN
As illustrated in the figure above, the 802.1x feature is enabled on switch port Ethernet1/2, and VLAN10 is set as the port's Guest VLAN. Before the user is authenticated, or when the user fails authentication, port Ethernet1/2 is added to VLAN10, allowing the user to access the Update Server.
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
# Create VLAN100.
Switch(config)#vlan 100
# Enable the global 802.1x function
Switch(config)#dot1x enable
# Enable the 802.1x function on port Ethernet1/2
Switch(config)#interface ethernet1/2
Switch(Config-If-Ethernet1/2)#dot1x enable
# Set the link type of the port as access mode.
38.3.2 Examples of IPv4 Radius Applications
Figure: IEEE 802.1x Configuration Example Topology
The PC is connected to port 1/2 of the switch; IEEE 802.1x authentication is enabled on port 1/2; the access mode is the default MAC-based authentication. The switch IP address is 10.1.1.2. Any port other than port 1/2 is used to connect to the RADIUS authentication server, which has an IP address of 10.1.1.
38.3.3 Examples of IPv6 Radius Application
Figure: IPv6 Radius
Connect the computer to interface 1/2 of the switch and enable IEEE 802.1x on interface 1/2. Use MAC-based authentication. Configure the IP address of the switch as 2004:1:2:3::2, and connect the switch to the RADIUS authentication server through any interface except interface 1/2. Configure the IP address of the RADIUS server to be 2004:1:2:3::3.
38.4 802.1x Troubleshooting
It is possible that, with 802.1x configured on a port and 802.1x authentication set to auto, the port cannot reach the authenticated state after the user runs the 802.1x supplicant software. Here are some possible causes and solutions:
If 802.1x cannot be enabled for a port, make sure the port is not performing MAC binding and is not configured as part of a port aggregation. To enable 802.1x authentication, the above functions must be disabled.
Chapter 39 The Number Limitation Function of MAC in Port Configuration
39.1 Introduction to the Number Limitation Function of MAC in Port
The MAC address list identifies the mapping between destination MAC addresses and the ports of the switch. There are two kinds of MAC addresses in the list: static MAC addresses and dynamic MAC addresses.
39.2 The Number Limitation Function of MAC in Port Configuration Task Sequence
1. Enable the number limitation function of MAC on ports
2. Configure the violation mode of ports
3. Display and debug the relevant information of the number limitation of MAC on ports
1.
39.3 The Number Limitation Function of MAC in Port Typical Examples
Figure: The Number Limitation of MAC in Port Typical Configuration Example (SWITCH A, SWITCH B, PCs)
In the network topology above, SWITCH B connects to many PC users. Before the number limitation function of MAC is enabled, if the system hardware imposes no other limit, SWITCH A and SWITCH B will learn MAC list entries for all the PCs, so limiting the number of MAC list entries can mitigate DoS attacks to a certain extent.
number of users accessing the network, they can enable it. If the number limitation function of MAC addresses cannot be configured, please check whether Spanning-tree, dot1x or TRUNK is running on the switch and whether the port is configured as a MAC-binding port.
Chapter 40 Operational Configuration of AM Function
40.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or the source MAC-IP address pair) with the configured hardware address pool. If an entry in the address pool matches the information (source IP address or source MAC-IP address), the message is forwarded; otherwise, it is dropped.
no am enable
2. Enable AM function on an interface
Command / Explanation
Port Mode: am port / no am port: Enable/disable the AM function on the port. When the AM function is enabled on the port, no IP or ARP message is forwarded by default.
3. Configure the forwarding IP
Command / Explanation
Port Mode: am ip-pool / no am ip-pool: Configure the forwarding IP of the port.
4.
40.3 AM Function Example
Figure: A typical configuration example of AM function (Internet, SWITCH Port1/Port2, HUB1/HUB2, PC1 to PC30)
In the topology above, 30 PCs, aggregated by HUB1, connect to interface 1 of the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security, the system manager will only treat users with an IP address within that range as legal.
Chapter 41 Security Feature Configuration
41.1 Introduction to Security Feature
Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal users' data packets because it is continuously processing the attacker's packets, leading to denial of service and, worse, possibly to leaks of the server's sensitive data.
[no] dosattack-check tcp-flags enable: Enable/disable the TCP flag checking function.
41.2.3 Anti Port Cheat Function Configuration Task Sequence
Enable the anti port cheat function
Command (Global Mode): [no] dosattack-check srcport-equaldstport enable
Explanation: Enable/disable the prevent-port-cheat function.
41.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence
1. Enable the prevent TCP fragment attack function
2.
[no] dosattack-check icmp-attacking enable: Enable/disable the prevent ICMP fragment attack function.
dosattack-check icmpv4-size: Configure the maximum permitted ICMPv4 payload length. This command has no effect when used alone; the user must also enable dosattack-check icmp-attacking enable.
41.
Chapter 42 TACACS+ Configuration
42.1 Introduction to TACACS+
TACACS+ (terminal access controller access control protocol) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
authentication server.
3. Configure the TACACS+ authentication timeout time
Command (Global Mode): tacacs-server timeout / no tacacs-server timeout
Explanation: Configure the authentication timeout for the TACACS+ server; the “no tacacs-server timeout” command restores the default configuration.
4.
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#tacacs-server authentication host 10.1.1.3
Switch(config)#tacacs-server key test
Switch(config)#authentication line vty login tacacs
42.4 TACACS+ Troubleshooting
When configuring and using TACACS+, authentication may fail for reasons such as physical connection failure or wrong configuration.
Chapter 43 RADIUS Configuration
43.1 Introduction to RADIUS
43.1.1 AAA and RADIUS Introduction
AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who may access the network device, which access level the user has, and accounting for the network resources used.
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
Identifier field (1 octet): identifier used to match request and answer packets.
Length field (2 octets): the length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes.
Authenticator field (16 octets): used for validation of the packets received from the RADIUS server; it is also used when carrying encrypted passwords.
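As an added example (not from this manual), the packet layout above parsed and checked in Python: it validates the Length field and each attribute's Length (the Type/Length/Value format described in the next section) before trusting them, and verifies a server reply's Authenticator against the shared secret with the RFC 2865 formula MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The secret, Request Authenticator and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS Code values (RFC 2865/2866 numbering, as listed in the table above).
RADIUS_CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
    11: "Access-Challenge",
}
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def parse_radius(packet: bytes) -> dict:
    """Parse the fixed header and the attribute TLVs; reject anything malformed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    # Length must cover the header and must not exceed what was received;
    # octets beyond Length are padding and are ignored (RFC 2865 section 3).
    if length < HEADER_LEN or length > len(packet):
        raise ValueError(f"Length field {length} inconsistent with {len(packet)} received octets")
    attributes = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # The attribute Length counts its own Type and Length octets, so a
        # value below 2 is either an encoding error or a loop-forever trick.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"attribute {attr_type} at offset {pos} has bad length {attr_len}")
        attributes.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {
        "code": code,
        "code_name": RADIUS_CODES.get(code, "unknown"),
        "identifier": identifier,
        "length": length,
        "authenticator": packet[4:20],
        "attributes": attributes,
    }


def response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply's Authenticator was computed with the shared secret
    over this exact packet, i.e. it was neither forged nor modified in transit."""
    parsed = parse_radius(response)
    body = response[:parsed["length"]]  # drop trailing padding before hashing
    expected = response_authenticator(body, request_auth, secret)
    return hmac.compare_digest(parsed["authenticator"], expected)


def build_response(code: int, identifier: int, attributes, request_auth: bytes, secret: bytes) -> bytes:
    """Encode a server reply with a valid Response Authenticator (used by the demo)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def demo() -> dict:
    """Constructed sample exchange: an Access-Accept for a request with a known
    Authenticator, the same reply tampered with, and a truncated packet."""
    secret = b"constructed-shared-secret"          # constructed, not a real key
    request_auth = bytes(range(16))                 # constructed Request Authenticator
    attrs = [(62, struct.pack("!I", 1)),            # Port-Limit = 1 (integer attribute)
             (22, b"10.1.1.0/24 10.1.1.1")]         # Framed-Route (constructed string)
    reply = build_response(2, 0x2A, attrs, request_auth, secret)
    parsed = parse_radius(reply)
    tampered = reply[:HEADER_LEN + 2] + b"\xff" + reply[HEADER_LEN + 3:]  # alter one attribute byte
    try:
        parse_radius(reply[:HEADER_LEN + 3])        # Length claims more than was received
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {
        "code_name": parsed["code_name"],
        "identifier": parsed["identifier"],
        "attribute_types": [t for t, _ in parsed["attributes"]],
        "genuine_ok": verify_response(reply, request_auth, secret),
        "tampered_ok": verify_response(tampered, request_auth, secret),
        "wrong_secret_ok": verify_response(reply, request_auth, b"other-secret"),
        "truncated_rejected": truncated_rejected,
    }
```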
21 (unassigned)
22 Framed-Route
62 Port-Limit
63 Login-LAT-Port
Length field (1 octet): the length in octets of the attribute, including the Type, Length and Value fields.
Value field: the value of the attribute, whose content and format are determined by the Type and Length of the attribute.
43.2 RADIUS Configuration Task List
1. Enable the authentication and accounting function
2. Configure the RADIUS authentication key
3. Configure the RADIUS server
4. Configure the parameters of the RADIUS service
5.
Command (Global Mode): radius-server authentication host { | } [port {}] [key ] [primary] [access-mode {dot1x|telnet}] / no radius-server authentication host
Explanation: Specifies the IP address, listening port number, cipher key, whether it is the primary server, and the access mode for the RADIUS server; the no command deletes the RADIUS authentication server.
43.3 RADIUS Typical Examples
43.3.1 IPv4 Radius Example
[Figure: The Topology of IEEE802.1x configuration (10.1.1.2, 10.1.1.1, Radius Server 10.1.1.3)]
A computer connects to a switch whose IP address is 10.1.1.2; the switch is connected to a RADIUS authentication server through Ethernet1/2. The IP address of the server is 10.1.1.3, the authentication port defaults to 1812 and the accounting port defaults to 1813. Configuration steps are as below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.
43.3.2 IPv6 Radius Example
[Figure: The Topology of IPv6 Radius configuration (2004:1:2:3::2, 2004:1:2:3::1, Radius Server 2004:1:2:3::3)]
A computer connects to a switch whose IP address is 2004:1:2:3::2; the switch is connected to a RADIUS authentication server through Ethernet1/2. The IP address of the server is 2004:1:2:3::3, the authentication port defaults to 1812 and the accounting port defaults to 1813.
If the RADIUS authentication problem remains unsolved, use debug aaa and the other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to our company's technical service center.
+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
Chapter 44 SSL Configuration
44.1 Introduction to SSL
As computer networking technology spreads, network security has an ever greater impact on the availability and usability of networked applications, and it has become one of the greatest barriers to modern networking applications. To protect sensitive data transferred over the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser. Up till now, SSL 2.0 and 3.
When the web function is running on the switch and a client accesses the switch's web interface through an Internet browser, the SSL function can be used. Communicating between the client and the switch over an SSL connection improves security. Firstly, SSL should be enabled on the switch. When the client then accesses the switch via https, an SSL session is set up between the switch and the client. Once the SSL session has been set up, all application-layer data is transmitted encrypted.
1. Enable/disable SSL function
Command (Global Mode): ip http secure-server / no ip http secure-server
Explanation: Enable/disable the SSL function.
2. Configure/delete the port number used by SSL
Command (Global Mode): ip http secure-port / no ip http secure-port
Explanation: Configure the port number used by SSL; the “no ip http secure-port” command deletes the port number.
3.
[Figure: Web Server, Web Browser, https SSL Session Connected, PC Users, Malicious Users (Data Acquisition Fails)]
Configuration on the switch:
Switch(config)# ip http secure-server
Switch(config)# ip http secure-port 1025
Switch(config)# ip http secure-ciphersuite rc4-128-sha
44.4 SSL Troubleshooting
When configuring and using SSL, the SSL function may fail for reasons such as physical connection failure or wrong configuration.
Chapter 45 IPv6 Security RA Configuration
45.1 Introduction to IPv6 Security RA
In IPv6 networks, the network topology generally consists of routers, layer-two switches and IPv6 hosts. Routers advertise RA messages carrying the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create a link address and set the sender of the RA as their default router in order to enable IPv6 network communication.
3. Display and debug the relevant information of IPv6 security RA
Command (Admin Mode): debug ipv6 security-ra / no debug ipv6 security-ra
Explanation: Enable the debug information of the IPv6 security RA module; the no form of this command disables the output of IPv6 security RA debug information.
Command (Admin Mode): show ipv6 security-ra [interface ]
Explanation: Display the distrusted ports and whether security RA is enabled globally.
45.
Switch(config)#ipv6 security-ra enable
Switch(Config-If-Ethernet1/2)# ipv6 security-ra enable
45.4 IPv6 Security RA Troubleshooting Help
The IPv6 security RA function is quite simple. If the function does not behave as expected after configuring IPv6 security RA:
Check whether the switch is correctly configured.
Check whether rules conflicting with the security RA function are configured on the switch; such rules will cause RA messages to be forwarded.
Chapter 46 MAB Configuration
46.1 Introduction to MAB
In real networks there are devices on which an authentication client cannot be installed, such as printers and PDAs; these cannot perform 802.1x authentication. To access network resources they need MAB authentication in place of 802.1x authentication. MAB authentication is a network access authentication method based on the access port and the MAC address of the MAB user.
no mac-authentication-bypass enable function.
Command (Port Mode): mac-authentication-bypass enable / no mac-authentication-bypass enable
Explanation: Enable the port MAB authentication function.
2. Configure MAB authentication username and password
Command (Global Mode): mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}}
Explanation: Set the authentication mode of the MAB authentication function.
3.
46.3 MAB Example
Example: The typical example of MAB authentication function:
[Figure: MAB application (Update Server, Radius Server, Internet; Switch2 Eth1/1, Eth1/2, Eth1/3, Ethernet1/4; Switch1 Ethernet1/4, Eth1/1 to PC1, Eth1/2 to PC2, Eth1/3 to Printer)]
Switch1 is a layer 2 access switch and Switch2 is a layer 3 aggregation switch. Ethernet 1/1 is an access port of Switch1 connected to PC1; it enables the 802.1x port-based function and configures the guest vlan as vlan8.
auto vlan as vlan10. Ethernet 1/3 is an access port belonging to vlan10 and connects to external Internet resources. To implement this application, the configuration is as follows:
Switch1 configuration:
Enable 802.
Switch(config)#interface ethernet 1/4
Switch(config-if-ethernet1/4)# switchport mode trunk
46.4 MAB Troubleshooting
If any problem occurs when using the MAB function, check whether it is caused by one of the following:
Make sure the global and port MAB functions are enabled;
Make sure the correct MAB authentication username and password are used;
Make sure the radius-server configuration is correct.
Chapter 47 PPPoE Intermediate Agent Configuration
47.1 Introduction to PPPoE Intermediate Agent
47.1.1 Brief Introduction to PPPoE
PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that provides a point-to-point communication method; it is usually chosen for host dial-up links, for example when the link is a dial-up line.
(PPPoE Active Discovery Offer) packet to the client according to the source MAC address of the received PADI packet; the packet carries the server name and service name. Client sends PADR packet: In the third step, the client selects a server to handle the session according to the received PADO packets.
[Figure: PPPoE IA protocol exchange process]
47.1.2.
follows.
TLV length field (2 bytes): specifies the length of the TAG data field.
TLV data field (length not fixed): carries the transmitted data of the TAG.
Tag Type / Tag Explanation:
0x0000: the end of the series of tags in the PPPoE data field; it is reserved to ensure version compatibility and is used by some packets.
0x0101: Service name. Indicates the services supplied by the network.
0x0102: Server name.
[Figure: PPPoE IA vendor tag (4 bytes in each row)]
A TLV tag of type 0x0105 is added for PPPoE IA. TAG_LENGTH is the length field of the vendor tag; 0x00000DE9 is the fixed 4-byte “ADSL Forum” IANA entry; 0x01 is the type field of the Agent Circuit ID, followed by its length field and the Agent Circuit ID value field; 0x02 is the type field of the Agent Remote ID, followed by its length field and the Agent Remote ID value field.
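As an added example (not from this manual), the vendor tag layout above encoded and decoded in Python, plus a walk over a PPPoE discovery TAG list that drops vendor tags the way the vendor-tag strip function on a trust port does. The circuit-id and remote-id values are constructed samples; the only size bound applied is the 1-byte sub-option length field.

```python
import struct

# Values from the vendor tag description above.
TAG_END_OF_LIST = 0x0000
TAG_VENDOR_SPECIFIC = 0x0105       # PPPoE TAG type used by PPPoE IA
ADSL_FORUM_IANA = 0x00000DE9       # fixed 4-byte "ADSL Forum" IANA entry
SUB_CIRCUIT_ID = 0x01              # Agent Circuit ID sub-option
SUB_REMOTE_ID = 0x02               # Agent Remote ID sub-option


def build_vendor_tag(circuit_id: bytes, remote_id: bytes = b"") -> bytes:
    """Encode the vendor tag: TAG type, TAG_LENGTH, IANA entry, then the
    (type, length, value) sub-options that are present."""
    body = struct.pack("!I", ADSL_FORUM_IANA)
    for sub_type, value in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if not value:
            continue
        if len(value) > 255:
            raise ValueError("sub-option value does not fit a 1-byte length field")
        body += bytes([sub_type, len(value)]) + value
    return struct.pack("!HH", TAG_VENDOR_SPECIFIC, len(body)) + body


def parse_vendor_tag(tag: bytes) -> dict:
    """Decode one vendor tag, checking every length before trusting it."""
    if len(tag) < 8:
        raise ValueError("too short for TAG header plus IANA entry")
    tag_type, tag_len = struct.unpack("!HH", tag[:4])
    if tag_type != TAG_VENDOR_SPECIFIC:
        raise ValueError(f"TAG type 0x{tag_type:04x} is not vendor-specific")
    if tag_len < 4 or 4 + tag_len > len(tag):
        raise ValueError(f"TAG_LENGTH {tag_len} inconsistent with {len(tag)} octets")
    body = tag[4:4 + tag_len]
    (iana,) = struct.unpack("!I", body[:4])
    if iana != ADSL_FORUM_IANA:
        raise ValueError(f"vendor 0x{iana:08x} is not the ADSL Forum entry")
    result = {"circuit_id": None, "remote_id": None}
    pos = 4
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated sub-option header")
        sub_type, sub_len = body[pos], body[pos + 1]
        if pos + 2 + sub_len > len(body):
            raise ValueError(f"sub-option {sub_type} overruns the tag")
        value = body[pos + 2:pos + 2 + sub_len]
        if sub_type == SUB_CIRCUIT_ID:
            result["circuit_id"] = value
        elif sub_type == SUB_REMOTE_ID:
            result["remote_id"] = value
        # other sub-option types are skipped rather than rejected
        pos += 2 + sub_len
    return result


def strip_vendor_tags(payload: bytes) -> bytes:
    """Walk a PPPoE discovery payload (a list of type/length/value TAGs) and
    drop every vendor-specific TAG, keeping all other TAGs byte-for-byte."""
    out = b""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated TAG header")
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        end = pos + 4 + tag_len
        if end > len(payload):
            raise ValueError(f"TAG 0x{tag_type:04x} overruns the payload")
        if tag_type != TAG_VENDOR_SPECIFIC:
            out += payload[pos:end]
        if tag_type == TAG_END_OF_LIST:
            break
        pos = end
    return out


def demo() -> dict:
    """Constructed PADI payload: Service-Name TAG, an IA vendor tag, End-Of-List."""
    circuit_id = b"switch1 eth1/2:1234"     # constructed circuit id (switch, port, vlan)
    remote_id = b"constructed-remote-id"    # constructed remote id
    vendor = build_vendor_tag(circuit_id, remote_id)
    service = struct.pack("!HH", 0x0101, 0)            # empty Service-Name TAG
    end = struct.pack("!HH", TAG_END_OF_LIST, 0)
    payload = service + vendor + end
    parsed = parse_vendor_tag(vendor)
    bad_iana = vendor[:4] + struct.pack("!I", 0x00000001) + vendor[8:]
    try:
        parse_vendor_tag(bad_iana)
        bad_rejected = False
    except ValueError:
        bad_rejected = True
    return {
        "tag_length": struct.unpack("!H", vendor[2:4])[0],
        "circuit_id": parsed["circuit_id"],
        "remote_id": parsed["remote_id"],
        "stripped_equals_no_vendor": strip_vendor_tags(payload) == service + end,
        "bad_iana_rejected": bad_rejected,
    }
```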
no pppoe intermediate-agent function.
Command: pppoe intermediate-agent type tr-101 circuit-id access-node-id / no pppoe intermediate-agent type tr-101 circuit-id access-node-id
Explanation: Configure the access node ID field value of the circuit ID in the added vendor tag.
Command: pppoe intermediate-agent type tr-101 circuit-id identifier-string option {sp | sv | pv | spv} delimiter [delimiter ] / no pppoe intermediate-agent type tr-101
Explanation: Configure the circuit-id in the added vendor tag.
no pppoe intermediate-agent remote-id
47.3 PPPoE Intermediate Agent Typical Application
The typical application of PPPoE Intermediate Agent is as follows:
[Figure: PPPoE IA typical application]
Both the host and the BAS server run the PPPoE protocol; they are connected by a layer 2 Ethernet, and the switch enables the PPPoE Intermediate Agent function. Typical configuration (1) is as follows:
Step1: The switch enables the global PPPoE IA function, MAC 0a0b0c0d0e0f.
Typical configuration (2) is as follows:
Step1: The switch enables the global PPPoE IA function, MAC 0a0b0c0d0e0f.
Switch(config)#pppoe intermediate-agent
Step2: Configure port ethernet1/1, which connects to the server, as a trust port, and configure the vendor tag strip function.
Switch(config-if-ethernet1/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/1)#pppoe intermediate-agent vendor-tag strip
Step3: Port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234 enable the port PPPoE IA function.
Chapter 48 Web Portal Configuration
48.1 Introduction to Web Portal Authentication
802.1x authentication uses a dedicated client to authenticate, the device is a dedicated layer 2 switch, the authentication server is a RADIUS server, and the authentication messages use the EAP protocol format.
1. Enable/disable web portal authentication globally
Command (Global Mode): webportal enable / no webportal enable
Explanation: Enable/disable web portal authentication globally.
2. Enable/disable web portal authentication of the port
Command (Port Mode): webportal enable / no webportal enable
Explanation: Enable/disable web portal authentication of the port.
3.
Command: ip dhcp snooping binding webportal / no ip dhcp snooping binding webportal
Explanation: Enable the dhcp snooping binding web portal function.
7. Delete the binding information of web portal authentication
Command (Admin Mode): clear webportal binding {mac WORD | interface |}
Explanation: Delete the binding information of web portal authentication.
48.3 Web Portal Authentication Typical Example
[Figure: Internet, RADIUS server, Portal server (192.168.40.100, 192.168.40.)]
RADIUS server’s IP and port, and enable the accounting function. Ethernet 1/2 connects to pc1; the port enables web portal authentication and configures the redirection address and port as the portal server’s IP and port, so ethernet 1/2 forbids all traffic except dhcp/dns/arp packets. Switch2 is the aggregation switch; ethernet1/2 connects to the radius server and ethernet1/3 connects to the portal server. The address of the radius server is 192.168.40.100 and the address of the portal server is 192.168.40.99.
Chapter 49 VLAN-ACL Configuration
49.1 Introduction to VLAN-ACL
The user can apply an ACL policy to a VLAN to implement access control for all ports in the VLAN, so VLAN-ACL lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action then takes effect on all member ports of the VLAN without having to be configured separately on each member port.
Command (Global mode): vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
Explanation: Configure or delete a MAC VLAN-ACL. (Egress filtering is not supported by the switch.)
3. Configure VLAN-ACL of MAC-IP
Command (Global mode): vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac-ip access-group {<3100-3299> | WORD} {in | out} vlan WORD
Explanation: Configure or delete a MAC-IP VLAN-ACL.
49.3 VLAN-ACL Configuration Example
A company’s network is configured as follows: the departments are separated into different VLANs, the technique department is Vlan1 and the finance department is Vlan2. It is required that the technique department can access the outside network only during the configured time range, while the finance department is not allowed to access the outside network at any time, for security. The following policies are therefore configured:
Set the policy VACL_A for the technique department.
Switch(config)# ip access-list extended vacl_a
Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t1
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3) Configure the extended IP ACL vacl_b, which at any time only allows access to resources within the internal network (such as 192.168.1.255).
Switch(config)#ip access-list extended vacl_b
Switch(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.
Chapter 50 SAVI Configuration
50.1 Introduction to SAVI
SAVI (Source Address Validation Improvement) is a security validation method that provides node-level granularity for source addresses. It obtains the trusted node information (such as port and MAC address information), namely the anchor information, by monitoring the interaction of the relevant protocol packets (such as ND protocol and DHCPv6 protocol) using the CPS (Control Packet Snooping) mechanism.
Enable or disable SAVI function
Command (Global mode): savi enable / no savi enable
Explanation: Enable the global SAVI function; the no command disables the function.
Enable or disable application scene function for SAVI
Command (Global mode): savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable / no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
Explanation: Enable the application scene function for SAVI; the no command disables the function.
Configure the global max-slaac-life for SAVI
(Global mode) Configure the lifetime of a dynamic slaac binding in the BOUND state; the no command restores the default value.
Configure the check mode for SAVI conflict binding
Command (Global mode): savi check binding mode / no savi check binding mode
Explanation: Configure the check mode for conflicting bindings; the no command deletes the check mode.
Enable or disable user authentication
Command (Port mode): savi ipv6 check source [ip-address mac-address | ip-address | mac-address] / no savi ipv6 check source
Explanation: Enable the control authentication function for users; the no command disables the function.
50.3 SAVI Typical Application
In practice, the SAVI function is usually applied on access layer switches to check the validity of the source addresses of directly connected nodes. There are four typical application scenes for the SAVI function: DHCP-Only, Slaac-Only, DHCP-Slaac and Static binding.
Switch1#config
Switch1(config)#savi enable
Switch1(config)#savi ipv6 dhcp-slaac enable
Switch1(config)#savi check binding probe mode
Switch1(config)#interface ethernet1/1
Switch1(config-if-ethernet1/1)#ipv6 dhcp snooping trust
Switch1(config-if-ethernet1/1)#ipv6 nd snooping trust
Switch1(config-if-ethernet1/1)#exit
Switch1(config)#interface ethernet1/12-20
Switch1(config-if-port-range)#savi ipv6 check source ip-address mac-address
Switch1(config-if-port-range)#savi ipv6 binding num 4
Switch1(config-if-port-
Chapter 51 MRPP Configuration
51.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet ring protection. It avoids the broadcast storm caused by a data loop on an Ethernet ring, and restores communication among all nodes on the ring network when a link on the Ethernet ring breaks. MRPP is an extension of EAPS (Ethernet link automatic protection protocol).
3. Nodes
Each switch on the Ethernet ring is a node. There are two node types:
Primary node: each ring has one primary node; it is the main node that detects and protects the ring.
Transfer node: all nodes on a ring other than the primary node are transfer nodes.
The node role is determined by user configuration. As shown in the figure, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
4.
51.1.2 MRPP Protocol Packet Types
Packet Type / Explanation:
Hello packet (health examine packet): The primary port of the primary node sends Hello packets to detect the ring; if the secondary port of the primary node receives the Hello packet within the configured timeout, the ring is normal.
LINK-DOWN (link down event packet): After a transfer node detects a Down event on a port, it immediately sends a LINK-DOWN packet to the primary node to inform it that the ring has failed.
secondary port, and sends a LINK-UP-Flush-FDB packet to its neighbor. After an MRPP ring port on a transfer node comes back UP, the primary node may only detect the ring restoration after a while. For the normal data VLANs, the network may form a temporary loop during that time and create a broadcast storm.
Command: enable / no enable
Explanation: Enable the MRPP ring; the “no” form disables the enabled MRPP ring.
Command (Port mode): mrpp ring primary-port / no mrpp ring primary-port
Explanation: Specify the primary port of the MRPP ring.
Command (Port mode): mrpp ring secondary-port / no mrpp ring secondary-port
Explanation: Specify the secondary port of the MRPP ring.
3) Configure the query time of MRPP
Command (Global Mode): mrpp poll-time <20-2000>
Explanation: Configure the query interval of MRPP.
51.3 MRPP Typical Scenario
[Figure: MRPP typical configuration scenario (SWITCH A as Master Node, SWITCH B, SWITCH C, SWITCH D; ports E1/1 and E1/2; MRPP Ring 4000)]
The above topology is common when using the MRPP protocol. Several switches form a single MRPP ring: every switch is configured with only MRPP ring 4000, which thereby constitutes a single MRPP ring. In the above configuration, SWITCH A is configured as the primary node of MRPP ring 4000, with E1/1 as the primary port and E1/2 as the secondary port.
SWITCH B configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#
SWITCH C configuration Task Sequence:
Switch(Config)#mrpp
51.4 MRPP Troubleshooting
The normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise it is very possible to form a loop and a broadcast storm:
When configuring an MRPP ring, it is better to disconnect the ring first, wait until every switch is configured, and only then close the ring.
Before disabling the MRPP ring on a switch on which it is enabled, make sure the ring has been disconnected.
Chapter 52 ULPP Configuration
52.1 Introduction to ULPP
Each ULPP group has two uplink ports: the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state and the other port is blocked in the Standby state. When the master port has a link problem, the master port goes to the Down state and the slave port is switched to the Forwarding state.
master port does not preempt by default, but goes into the Standby state. When configuring ULPP, the VLANs protected by the ULPP group must be specified by means of MSTP instances; ULPP does not protect other VLANs. When an uplink switchover happens, the existing forwarding entries of the device do not apply to the new network topology.
52.2 ULPP Configuration Task List
Create ULPP group globally
Configure ULPP group
Show and debug the related information of ULPP
1. Create ULPP group globally
Command (Global mode): ulpp group / no ulpp group
Explanation: Configure and delete a ULPP group globally.
2. Configure ULPP group
Command (ULPP group configuration mode): preemption mode / no preemption mode
Explanation: Configure the preemption mode of the ULPP group. The no operation deletes the preemption mode.
Command: ulpp group master / no ulpp group master
Explanation: Configure or delete the master port of the ULPP group.
Command: ulpp group slave / no ulpp group slave
Explanation: Configure or delete the slave port of the ULPP group.
3. Show and debug the related information of ULPP
Command (Admin mode): show ulpp group [group-id]; show ulpp flush counter interface {ethernet | }; show ulpp flush-receive-port
Explanation: Show the configuration information of the configured ULPP group.
52.3 ULPP Typical Examples
52.3.1 ULPP Typical Example1
[Figure: ULPP typical example1 (SwitchA with E1/1 and E1/2, SwitchB, SwitchC, SwitchD)]
The above topology is the typical application environment of the ULPP protocol. SwitchA has two uplinks, to SwitchB and to SwitchC. When no protocol is enabled, this topology forms a loop. To avoid the loop, SwitchA can be configured with the ULPP protocol, with the master port and the slave port of a ULPP group.
Switch(ulpp-group-1)#protect vlan-reference-instance 1
Switch(ulpp-group-1)#control vlan 10
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)# ulpp group 1 master
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/1
Switch(Config-vlan10)#exit
Switch(C
52.3.2 ULPP Typical Example2
[Figure: ULPP typical example2 (SwitchA with E1/1 and E1/2, SwitchB, SwitchC, SwitchD)]
ULPP can implement VLAN-based load balancing. As the picture illustrates, SwitchA configures two ULPP groups: port E1/1 is the master port and port 1/2 is the slave port in group1, while port 1/2 is the master port and port 1/1 is the slave port in group2. The VLANs protected by group1 are 1-100 and by group2 are 101-200.
Switch(config-If-Ethernet1/1)#ulpp group 1 master
Switch(config-If-Ethernet1/1)#ulpp group 2 slave
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)#switchport mode trunk
Switch(config-If-Ethernet1/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/2)# ulpp group 2 master
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#switchport mode trunk
Switch(config-If-Ethernet1/1)
Chapter 53 ULSM Configuration
53.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used for port state synchronization. Each ULSM group is made up of uplink ports and downlink ports, and there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group. The uplink port is the monitored port of the ULSM group.
[Figure: ULSM using scene]
53.2 ULSM Configuration Task List
Create ULSM group globally
Configure ULSM group
Show and debug the related information of ULSM
1. Create ULSM group globally
Command (Global mode): ulsm group / no ulsm group
Explanation: Configure and delete a ULSM group globally.
2.
Command (Admin mode): show ulsm group [group-id]
Explanation: Show the configuration information of the ULSM group.
Command (Admin mode): debug ulsm event / no debug ulsm event
Explanation: Show the event information of ULSM; the no operation disables the output.
53.3 ULSM Typical Example
[Figure: ULSM typical example (SwitchA, SwitchB, SwitchC, SwitchD; ports E1/1, E1/2, E1/3, E1/4)]
The above topology is the typical application environment in which ULSM and the ULPP protocol are used together.
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)# ulpp group 1 master
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#ulsm group 1 downlink
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface ethernet 1/3
Switch(config-If-Ethernet1/3)#ulsm group
Chapter 54 Mirror Configuration
54.1 Introduction to Mirror
Mirror functions include the port mirror function, the CPU mirror function and the flow mirror function. Port mirroring refers to duplicating the data frames sent/received on one port to another port. The port being duplicated is referred to as the mirror source port and the port receiving the copies is referred to as the mirror destination port.
2. Specify mirror source port (CPU)
Command (Global mode): monitor session source {interface | cpu} {rx| tx| both} / no monitor session source {interface | cpu}
Explanation: Specifies the mirror source port; the no command deletes the mirror source port.
3.
54.4 Device Mirror Troubleshooting
If problems occur when configuring port mirroring, first check the following for causes:
Whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
Chapter 55 sFlow Configuration
55.1 Introduction to sFlow
sFlow (RFC 3176) is a standards-based network export protocol for monitoring network traffic information, developed by the InMon Company. The monitored switch or router sends data to the analyzer through its main operations, sampling and statistics; the analyzer then analyzes the data according to the user's requirements so as to monitor the network.
port value and deletes the IP address.
2. Configure the sFlow proxy address
Command (Global Mode): sflow agent-address / no sflow agent-address
Explanation: Configure the source IP address used by the sFlow proxy; the “no” form of the command deletes this address.
3.
7. Configure the sFlow statistic sampling interval
Command (Port Mode): sflow counter-interval / no sflow counter-interval
Explanation: Configure the maximum interval at which sFlow performs statistic sampling. The “no” form of this command deletes
8. Configure the analyzer used by sFlow
Command (Global Mode): sflow analyzer sflowtrend / no sflow analyzer sflowtrend
Explanation: Configure the analyzer used by sFlow; the no command deletes the analyzer.
55.
Switch (Config-If-Ethernet1/2)#sflow rate input 20000
Switch (Config-If-Ethernet1/2)#sflow rate output 20000
Switch (Config-If-Ethernet1/2)#sflow counter-interval 40
55.4 sFlow Troubleshooting
When configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following:
Ensure the physical connection is correct.
Ensure the address of the sFlow analyzer configured under global or port mode is reachable.
Chapter 56 SNTP Configuration
56.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet worldwide. NTP can assess the packet sending/receiving delay in the network and independently estimate the computer's clock deviation, so as to achieve high accuracy in network computer clocks. In most locations NTP provides accuracy from 1 to 50 ms, depending on the characteristics of the synchronization source and the network route.
56.2 Typical Examples of SNTP Configuration
[Figure: Typical SNTP Configuration (two SNTP/NTP SERVERs and several SWITCHes)]
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there must be a reachable route between any switch and the two SNTP/NTP servers.
Example: Assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.
Chapter 57 NTP Function Configuration
57.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can achieve millisecond precision. The events, states, transmit functions and actions are defined in RFC-1305. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network, so that the devices can provide diverse applications based on a consistent time.
2. Configure NTP server function
Command (Global Mode): ntp server { | } [version ] [key ] / no ntp server { | }
Explanation: Enable the specified time server as a time source.
3.
no ntp authentication-key
Command: ntp trusted-key / no ntp trusted-key
Explanation: Configure a trusted key.
7. Specify an interface as NTP multicast client interface
Command (Interface Configuration Mode): ntp multicast client / no ntp multicast client
Explanation: Configure the specified interface to receive NTP multicast packets.
Command (Interface Configuration Mode): ntp ipv6 multicast client / no ntp ipv6 multicast client
Explanation: Configure the specified interface to receive IPv6 NTP multicast packets.
8.
Command: debug ntp adjust / no debug ntp adjust
Explanation: Enable the debug switch for time update information.
Command: debug ntp sync / no debug ntp sync
Explanation: Enable the debug switch for time synchronization information.
Command: debug ntp events / no debug ntp events
Explanation: Enable the debug switch for NTP event information.
57.
57.4 NTP Function Troubleshooting

If an error occurs during the configuration procedures, the system outputs debug information. The NTP function is disabled by default; the show command can be used to display the current configuration.
Chapter 58 Summer Time Configuration

58.1 Introduction to Summer Time

Summer time, also called daylight saving time, is a time system for saving energy. In summer the clock is advanced by 1 hour so that people keep earlier hours and need less artificial lighting, saving electricity. The rules for adopting summer time differ from country to country. At present, almost 110 countries implement summer time.
The configuration requirement is as follows: summer time runs from 23:00 on April 1st, 2012 to 00:00 on October 1st, 2012, the clock offset is 1 hour, and the summer time is named 2012.

The configuration procedure is as follows:

Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.
Chapter 59 Monitor and Debug

When users configure the switch, they need to verify that the configuration is correct and that the switch is operating as expected; when a network failure occurs, they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the cause of a problem.

59.
59.4 Traceroute6

The Traceroute6 function is used to test the gateways that data packets pass through from the source device to the destination device, in order to verify reachability and locate network failures. The principle of Traceroute6 under IPv6 is the same as that of traceroute under IPv4: it relies on the hop limit field of the IPv6 header and on ICMPv6 messages. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and packet send time) whose HOPLIMIT is set to 1.
up.
show switchport interface [ethernet ]          Display the VLAN port mode and the VLAN number the port belongs to, as well as the Trunk port information.
show tcp                                       Display the TCP connections currently established on the switch.
show tcp ipv6
show udp                                       Display the UDP connections currently established on the switch.
show udp ipv6
show telnet login                              Display information about the Telnet clients that currently have a Telnet connection to the switch.
59.7.1.
debugging, all information will be output; if set to critical, only critical, alert and emergency messages will be output. The following table summarizes the log severity levels with a brief description of each. Note: these severity levels follow the standard UNIX/LINUX syslog levels.
5. Display executed-commands state

Display and clear log buffer zone

Command                                                          Description
Admin Mode
show logging buffered [ level {critical | warnings} | range ]    Show detailed log information in the log buffer channel.
clear logging sdram                                              Clear the log buffer zone information.
Display executed-commands state

Command                                        Description
Admin Mode
show logging executed-commands state           Show the state of logging executed commands.

59.7.3 System Log Configuration Example

Example 1: The IPv4 address of the switch on the management VLAN is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5. It is required to send log information with a severity equal to or higher than warnings to this log server and to record it under the log facility local1.
Chapter 60 Reload Switch after Specified Time

60.1 Introduction to Reload Switch after Specified Time

Reload switch after specified time reboots the switch after a specified period of time without cutting its power, and is typically used when updating the switch software version. The switch can be rebooted after a delay instead of immediately after its version has been updated successfully.

60.2 Reload Switch after Specified Time Task List

1.
Chapter 61 Debugging and Diagnosis for Packets Received and Sent by CPU

61.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU

The following commands are used to debug and diagnose the packets received and sent by the CPU, and are intended to be used with the help of technical support.

61.
+7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр.
Chapter 62 Commands for Basic Switch Configuration

62.1 Commands for Basic Configuration

62.1.1 authentication line

Command: authentication line {console | vty | web} login {local | radius | tacacs}
no authentication line {console | vty | web} login

Function: Configure the authentication mode, and its priority, for users logging in through VTY (Telnet and SSH), Web and Console. The no form of the command restores the default authentication mode.