QSW-3400 series Configuration Manual
Contents
Chapter 1 Switch Management
1.1 Management Options
1.1.1 Out-Of-Band Management
1.1.2 In-band Management

3.2 File System Operation Configuration Task List
3.3 Typical Applications
3.4 Troubleshooting
Chapter 4 Cluster Configuration
4.1 Introduction to Cluster Network Management

Chapter 10 Port Channel Configuration
10.1 Introduction to Port Channel
10.2 Brief Introduction to LACP
10.2.1 Static LACP Aggregation
10.2.2 Dynamic LACP Aggregation

16.1 Introduction to BPDU-Tunnel
16.1.1 bpdu-tunnel function
16.1.2 Background of bpdu-tunnel
16.2 BPDU-Tunnel Configuration Task List
16.3 Examples of BPDU-Tunnel

18.6 Dynamic VLAN Configuration
18.6.1 Introduction to Dynamic VLAN
18.6.2 Dynamic VLAN Configuration
18.6.3 Typical Application of the Dynamic VLAN
18.6.4 Dynamic VLAN Troubleshooting

20.4 MSTP Troubleshooting
Chapter 21 QoS Configuration
21.1 Introduction to QoS
21.1.1 QoS Terms
21.1.2 QoS Implementation

24.4 ARP
24.4.1 Introduction to ARP
24.4.2 ARP Configuration Task List
24.4.3 ARP Troubleshooting

30.3 DHCPv6 Relay Delegation Configuration
30.4 DHCPv6 Prefix Delegation Server Configuration
30.5 DHCPv6 Prefix Delegation Client Configuration
30.6 DHCPv6 Configuration Examples
30.7 DHCPv6 Troubleshooting

Chapter 36 IPv4 Multicast Protocol
36.1 IPv4 Multicast Protocol Overview
36.1.1 Introduction to Multicast
36.1.2 Multicast Address
36.1.3 IP Multicast Packet Transmission

40.1 Introduction to 802.1x
40.1.1 The Authentication Structure of 802.1x
40.1.2 The Work Mechanism of 802.1x
40.1.3 The Encapsulation of EAPOL Messages
40.1.4 The Encapsulation of EAP Attributes

44.1 Introduction to TACACS+
44.2 TACACS+ Configuration Task List
44.3 TACACS+ Scenarios Typical Examples
44.4 TACACS+ Troubleshooting
Chapter 45 RADIUS Configuration

49.3 PPPoE Intermediate Agent Typical Application
49.4 PPPoE Intermediate Agent Troubleshooting
Chapter 50 Web Portal Configuration
50.1 Introduction to Web Portal Authentication
50.2 Web Portal Authentication Configuration Task List
50.

55.2 ULSM Configuration Task List
55.3 ULSM Typical Example
55.4 ULSM Troubleshooting
Chapter 56 Mirror Configuration
56.1 Introduction to Mirror

62.2 Summer Time Configuration Task Sequence
62.3 Examples of Summer Time
62.4 Summer Time Troubleshooting
Chapter 63 DNSv4/v6 Configuration
63.1 Introduction to DNS

68.3 Typical Application of PoE
68.4 PoE Troubleshooting Help
+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
Chapter 1 Switch Management
1.1 Management Options
After purchasing the switch, the user needs to configure it for network management. The switch provides two management options: in-band management and out-of-band management.
1.1.1 Out-Of-Band Management
Out-of-band management is management through the Console interface. Generally, the user uses out-of-band management for the initial switch configuration, or when in-band management is not available.
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP. Click Start menu - All Programs - Accessories - Communication - HyperTerminal.
Opening HyperTerminal
Type a name for the HyperTerminal session, such as "Switch".
Opening HyperTerminal
In the "Connecting using" drop-down list, select the RS-232 serial port used by the PC, e.g. COM1, and click "OK".
Opening HyperTerminal
The COM1 properties dialog appears; select "9600" for "Baud rate", "8" for "Data bits", "none" for "Parity checksum", "1" for "Stop bits" and "none" for "Traffic control". Alternatively, click "Restore default" and then "OK".
Opening HyperTerminal
Step 3: Entering the switch CLI interface
Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode of the switch.
Testing RAM...
0x077C0000 RAM OK
Loading MiniBootROM...
Attaching to file system ...
Loading nos.img ... done.
Booting......
Starting at 0x10000...
Attaching to file system ...
……
--- Performing Power-On Self Tests (POST) ---
DRAM Test....................PASS!
PCI Device 1 Test............PASS!
FLASH Test...................
1.1.2.1 Management via Telnet
To manage the switch with Telnet, the following conditions should be met:
1. The switch has an IPv4/IPv6 address configured;
2. The host IP address (Telnet client) and the switch's VLAN interface IPv4/IPv6 address are in the same network segment;
3. If 2. is not met, the Telnet client can connect to an IPv4/IPv6 address of the switch via other devices, such as a router.
Switch#config
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.128.251 255.255.255.0
Switch(Config-if-Vlan1)#no shutdown
To enable the Telnet server function, users should type the CLI command telnet-server enable in global mode, as below:
Switch>enable
Switch#config
Switch(config)#telnet-server enable
Step 2: Run the Telnet client program. Run the Telnet client program included in Windows with the specified Telnet target.
Switch(config)#username test privilege 15 password 0 test
Switch(config)#authentication line vty login local
After entering a valid login name and password in the Telnet configuration interface, the Telnet user can enter the switch's CLI configuration interface. The commands used in the Telnet CLI interface after login are the same as those in the Console interface.
Telnet Configuration Interface
1.1.2.2 Management via HTTP
To manage the switch via HTTP, the following conditions should be met: 1.
management chapter. To enable WEB configuration, users should type the CLI command ip http server in global mode, as below:
Switch>enable
Switch#config
Switch(config)#ip http server
Step 2: Run the HTTP protocol on the host. Open the web browser on the host and type the IP address of the switch, or run the HTTP client directly on Windows. For example, the IP address of the switch is "10.1.128.
Switch#config
Switch(config)#username admin privilege 15 password 0 admin
Switch(config)#authentication line web login local
The Web login interface of the QSW3400-28T-POE is as below:
Web Login Interface
Input the correct username and password, and the main Web configuration interface is shown as below.
Main Web Configuration Interface
Notice: when configuring the switch, the switch name must consist of English letters.
1.1.2.3 Manage the Switch via SNMP Network Management Software
The requirements for SNMP network management software to manage switches:
1. IP addresses are configured on the switch;
2. The IP address of the client host and that of the VLAN interface on the switch it belongs to should be in the same segment;
If 2.
The CLI interface is familiar to most users. As mentioned above, out-of-band management and Telnet login are both performed through the CLI interface to manage the switch. The CLI interface is provided by the Shell program, which consists of a set of configuration commands. Those commands are categorized according to their functions in switch configuration and management. Each category represents a different configuration mode.
information of the switch can be queried.
1.2.1.2 Admin Mode
Admin Mode is entered as follows: when a user logs in as an admin user, the system defaults to Admin Mode. The Admin Mode prompt "Switch#" can also be entered from User Mode by running the enable command and entering the admin-level password, if one has been set. Running the exit command under Global Mode also returns to Admin Mode.
1.2.1.5 VLAN Mode
Using the vlan command under Global Mode enters the corresponding VLAN Mode. Under VLAN Mode the user can configure all member ports of the corresponding VLAN. Run the exit command to return from VLAN Mode to Global Mode.
1.2.1.6 DHCP Address Pool Mode
Typing the ip dhcp pool command under Global Mode enters DHCP Address Pool Mode, with the prompt "Switch(Config--dhcp)#". DHCP address pool properties can be configured under DHCP Address Pool Mode.
firewall {enable | disable}: the user can enter firewall enable or firewall disable for this command.
snmp-server community {ro | rw}: the following are possible: snmp-server community ro, snmp-server community rw.
1.2.3 Shortcut Key Support
The switch provides several shortcut keys to facilitate user configuration, such as Up, Down, Left, Right and Blank Space. If the terminal does not recognize the Up and Down keys, Ctrl+P and Ctrl+N can be used instead.
Help: under any command line prompt, typing "help" and pressing Enter gives a brief description of the associated help system.
"?": under any command line prompt, entering "?" gives a command list of the current mode with brief descriptions. Enter a "?" after the command keyword with an embedded space.
1. For the command "show interfaces status ethernet1/1", typing "sh in status ethernet1/1" will work. However, for the command "show running-config", the system reports a "> Ambiguous command!" error if only "show r" is entered, as the Shell is unable to tell whether it means "show run" or "show running-config". Therefore, the Shell will only recognize the command if "sh ru" is entered.
Chapter 2 Basic Switch Configuration
2.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting admin mode, commands for entering and exiting interface mode, commands for configuring and displaying the switch clock, commands for displaying the version information of the switch system, etc.
Command Explanation
Normal User Mode / Admin Mode
enable [<1-15>]; disable: The user uses the enable command to step into admin mode from normal user mode or to modify the privilege level of the user.
banner motd; no banner motd: Configure the information displayed when the login authentication of a Telnet or console user is successful.
2.2 Telnet Management
2.2.1 Telnet
2.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation.
no aaa authorization config-commands: ... the login user with VTY (login with Telnet and SSH). The no command disables this function. Only when this command is enabled and a command authorization method is configured will authorization be requested when executing certain commands.
authentication securityip; no authentication securityip: Configure the secure IP address allowed to log in to the switch through Telnet; the no command deletes the authorized Telnet secure address.
method1 [method2…]; no accounting line {console | vty} command <1-15>
Admin Mode
terminal monitor; terminal no monitor: Display debug information for Telnet client login to the switch; the no command disables the debug information.
Telnet to a remote host from the switch
Command Explanation
Admin Mode
telnet [vrf ] { | | host } []: ... included in the switch.
2.2.2 SSH
2.2.2.
ssh-server authentication-retries; no ssh-server authentication-retries: Configure the number of retries for SSH authentication; the no command restores the default number of retries for SSH authentication.
ssh-server host-key create rsa modulus: Generate a new RSA host key on the SSH server.
BOOTP
DHCP
Manual configuration of the IP address means assigning an IP address to the switch manually. In BOOTP/DHCP mode, the switch operates as a BOOTP/DHCP client, sends BOOTPRequest broadcast packets to the BOOTP/DHCP servers, and the BOOTP/DHCP servers assign the address on receiving the request.
no ip bootp-client enable: ... obtain the IP address and gateway address through BOOTP negotiation; the no command disables the BOOTP client function.
DHCP configuration
Command Explanation
VLAN Interface Mode
ip bootp-client enable; no ip bootp-client enable: Enable the switch to be a DHCP client and obtain the IP address and gateway address through DHCP negotiation; the no command disables the DHCP client function.
2.4 SNMP Configuration
2.4.
Set-Request
Trap
Inform-Request
The NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages; the Agent, upon receiving the requests, replies with a Get-Response message. In some special situations, such as network device ports going Up/Down or the network topology changing, Agents can send Trap messages to the NMS to report the abnormal events. Besides, the NMS can also be set to alert on some abnormal events by enabling the RMON function.
ASN.1 Tree Instance
In this figure, the OID of object A is 1.2.1.1. The NMS can locate this object through this unique OID and get the standard variables of the object. The MIB defines a set of standard variables for monitored network devices following this structure. If the variable information of the Agent MIB needs to be browsed, MIB browsing software needs to be run on the NMS. The MIB in the Agent usually consists of a public MIB and a private MIB.
History: Records periodic statistical samples available from Statistics.
Alarm: Allows management console users to set any count or integer for sample intervals and alert thresholds for RMON Agent records.
Event: A list of all events generated by the RMON Agent. Alarm depends on the implementation of Event.
Statistics and History display some current or historical subnet statistics.
[access {|}] [ipv6-access {|}] [read ] [write ]: ... the no command deletes the configured ...
no snmp-server community [access {|}] [ipv6-access {|}]
3.
6. Configure group
Command Explanation
Global Mode
snmp-server group {noauthnopriv|authnopriv|authpriv} [[read ] [write ] [notify ]] [access {|}] [ipv6-access {|}]; no snmp-server group {noauthnopriv|authnopriv|authpriv} [access {|}] [ipv6-access {|}]: Set the group information on the switch. This command is used to configure VACM for SNMP v3.
7.
}; no snmp-server trap-source { | }: ... used to send trap packets; the no command deletes the configuration.
9. Enable/Disable RMON
Command Explanation
Global Mode
rmon enable; no rmon enable: Enable/disable RMON.
2.4.5 Typical SNMP Configuration Examples
The IP address of the NMS is 1.1.1.5; the IP address of the switch (Agent) is 1.1.1.9.
Scenario 1: The NMS network administration software uses the SNMP protocol to obtain data from the switch.
hellotst
Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max
Switch(config)#snmp-server view max 1 include
Scenario 4: The NMS wants to receive the v3 Trap messages sent by the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 10.1.1.2 v3 authpriv tester
Switch(config)#snmp-server enable traps
Scenario 5: The IPv6 address of the NMS is 2004:1:2:3::2; the IPv6 address of the switch (Agent) is 2004:1:2:3::1.
The interface and data link layer protocol are Up (use the "show interface" command), and the connection between the switch and the host can be verified by ping (use the "ping" command).
The switch has the SNMP Agent server function enabled (use the "snmp-server" command).
The secure IP for the NMS (use the "snmp-server securityip" command) and the community string (use the "snmp-server community" command) are correctly configured; if any of them is wrong, SNMP will not be able to communicate with the NMS properly.
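As an added example (not from the manual), a small Python audit over a constructed running-config excerpt written in the manual's own command syntax: it flags Telnet and plain-HTTP management, "password 0" credentials, default or read-write SNMP communities, and an enabled SNMP agent with no "snmp-server securityip" restriction. The finding codes are mine, and the reading of the 0 in "password 0" as an unencrypted password is an assumption.

```python
"""Management-plane audit of a QSW-3400 running-config excerpt.

Added example, not part of the manual: it looks for the statements the
manual itself uses (telnet-server enable, ip http server, username ...
password 0 ..., snmp-server community ro|rw ..., snmp-server securityip)
and returns the findings a reviewer would raise. Finding codes and the
sample config are constructed; the '0' after 'password' is assumed to
mean an unencrypted password.
"""
import re

# Constructed sample, stitched from commands shown in chapters 1 and 2.
SAMPLE_CONFIG = """\
telnet-server enable
ip http server
username admin privilege 15 password 0 admin
snmp-server enable
snmp-server community rw private
snmp-server community ro public
authentication line vty login local
"""

# Community strings that ship as defaults in many SNMP products.
DEFAULT_COMMUNITIES = {"public", "private"}

USERNAME_RE = re.compile(
    r"username\s+(?P<user>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+password\s+(?P<enc>\d)\s+(?P<pwd>\S+)$")
COMMUNITY_RE = re.compile(
    r"snmp-server community\s+(?P<mode>ro|rw)\s+(?P<name>\S+)")


def audit_config(text):
    """Return a list of (line_no, severity, code, message).

    line_no 0 marks a finding about the configuration as a whole.
    """
    findings = []
    snmp_enabled = False
    snmp_securityip = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "telnet-server enable":
            findings.append((line_no, "HIGH", "TELNET_ENABLED",
                             "Telnet management is on; logins cross the "
                             "network in cleartext, use SSH instead"))
        elif line == "ip http server":
            findings.append((line_no, "MEDIUM", "HTTP_ENABLED",
                             "plain HTTP web management is on; web login "
                             "credentials are sent unencrypted"))
        elif line == "snmp-server enable":
            snmp_enabled = True
        elif line.startswith("snmp-server securityip "):
            snmp_securityip = True
        m = USERNAME_RE.match(line)  # anchored, so 'no username ...' is skipped
        if m:
            user, pwd = m.group("user"), m.group("pwd")
            if m.group("enc") == "0":
                findings.append((line_no, "HIGH", "CLEARTEXT_PASSWORD",
                                 f"user {user!r} stored with 'password 0' "
                                 "(unencrypted form)"))
            if pwd.lower() == user.lower():
                findings.append((line_no, "HIGH", "PASSWORD_EQUALS_USERNAME",
                                 f"user {user!r} has its name as password"))
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode = m.group("name"), m.group("mode")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((line_no, "HIGH", "WEAK_COMMUNITY",
                                 f"default community string {name!r}"))
            if mode == "rw":
                findings.append((line_no, "MEDIUM", "RW_COMMUNITY",
                                 f"read-write community {name!r} allows "
                                 "Set-Request changes to the switch"))
    if snmp_enabled and not snmp_securityip:
        findings.append((0, "MEDIUM", "SNMP_NO_SECURITYIP",
                         "SNMP agent is enabled with no 'snmp-server "
                         "securityip' restricting which NMS may query it"))
    return findings


def finding_codes(text):
    """Sorted, de-duplicated finding codes, handy for assertions."""
    return sorted({f[2] for f in audit_config(text)})


if __name__ == "__main__":
    for line_no, sev, code, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>2} {sev:<6} {code:<26} {msg}")
```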
2.5.2 BootROM Upgrade
There are two methods for BootROM upgrade, TFTP and FTP, which can be selected in the BootROM command settings.
Typical topology for switch upgrade in BootROM mode
The upgrade procedure is listed below:
Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect the PC to the management port on the switch.
Network interface configure OK.
[Boot]
Step 4: Enable the FTP/TFTP server on the PC. For TFTP, run a TFTP server program; for FTP, run an FTP server program. Before starting to download the upgrade file to the switch, verify the connectivity between the server and the switch by pinging from the server. If ping succeeds, run the "load" command in BootROM mode on the switch; if it fails, troubleshoot to find the cause. The following is the configuration for the system update image file.
[Boot]: load nos.
Step 8: After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
[Boot]: run (or reboot)
Other commands in BootROM mode
2. DIR command
Used to list the existing files in the FLASH.
[Boot]: dir
boot.rom
boot.conf
nos.img
startup-config
temp.
connection through the management connection. There are two types of data connections: active connection and passive connection. In an active connection, the client transmits its address and port number for data transmission to the server; the management connection is maintained until the data transfer is complete.
ROM only. The switch mandates the name of the boot file to be boot.rom.
Configuration file: includes the startup configuration file and the running configuration file. The distinction between the startup configuration file and the running configuration file facilitates the backup and update of configurations.
Startup configuration file: refers to the configuration sequence used at switch startup. The startup configuration file is stored in nonvolatile storage, corresponding to the so-called configuration save.
(2) Configure TFTP server connection idle time
(3) Configure retransmission times before timeout for packets without acknowledgement
(4) Shut down TFTP server
1. FTP/TFTP client configuration
(1) FTP/TFTP client upload/download file
Command Explanation
Admin Mode
copy [ascii | binary]: FTP/TFTP client upload/download file.
(2) For the FTP client, the server file list can be checked
Admin Mode
ftp-dir: For the FTP client, the server file list can be checked.
Command Explanation
Global Mode
tftp-server enable; no tftp-server enable: Start the TFTP server; the no command shuts down the TFTP server and prevents TFTP users from logging in.
(2) Modify TFTP server connection idle time
Command Explanation
Global Mode
tftp-server retransmission-timeout: Set the maximum retransmission time within the timeout interval.
FTP Configuration
Computer side configuration: Start the FTP server software on the computer and set the username "Switch" and the password "superuser". Place the "12_30_nos.img" file in the appropriate FTP server directory on the computer.
The configuration procedure of the switch is listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.
Switch(config)#ftp-server enable
Switch(config)#username Admin password 0 superuser
Computer side configuration: Log in to the switch with any FTP client software, with the username "Switch" and password "superuser", and use the command "get nos.img 12_25_nos.img" to download the "nos.img" file from the switch to the computer.
Scenario 3: The switch is used as a TFTP server. The switch operates as the TFTP server and connects from one of its ports to a computer, which is a TFTP client. Transfer the "nos.
230 User logged in, proceed.
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
recv total = 480
nos.img
nos.rom
parsecommandline.cpp
position.doc
qmdict.zip
…(some display omitted here)
show.txt
snmp.TXT
226 Transfer complete.
2.5.3.4 FTP/TFTP Troubleshooting
2.5.3.4.1 FTP Troubleshooting
When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e.
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
recv total = 1526037
************************
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
226 Transfer complete.
If the switch is upgrading a system file or system startup file through FTP, the switch must not be restarted until "close ftp client" or "226 Transfer complete." is displayed, indicating the upgrade is successful; otherwise the switch may be rendered unable to start.
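The reboot rule above is easy to get wrong under time pressure, so here is an added example (not from the manual) that parses a switch-side FTP transcript in the format shown and reports whether it is safe to restart: it requires the "226 Transfer complete." reply, the "write ok" confirmation, and agreement between the "recv total" count and the size announced in the 150 reply. Both transcripts are constructed.

```python
"""Decide from the switch's FTP client transcript whether an image upload
finished, before anyone reboots the switch.

Added example, not from the manual. It parses the lines the manual shows
('150 ... (N bytes)', 'recv total = N', 'write ok', '226 Transfer complete.')
and refuses to declare the transfer complete unless the 226 reply arrived
and the byte counts agree. Both transcripts below are constructed.
"""
import re

# Constructed: the successful upload, in the order the manual prints it.
TRANSCRIPT_OK = """\
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
recv total = 1526037
************************
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
226 Transfer complete.
"""

# Constructed: link dropped mid-transfer, no 226 and a short byte count.
TRANSCRIPT_CUT = """\
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
recv total = 917504
"""

ANNOUNCED_RE = re.compile(r"^150 .*\((\d+) bytes\)")
RECEIVED_RE = re.compile(r"^recv total = (\d+)$")


def transfer_status(transcript):
    """Return (safe_to_reboot, reason) for one upload transcript."""
    announced = received = None
    write_ok = complete = False
    for raw in transcript.splitlines():
        line = raw.strip()
        m = ANNOUNCED_RE.match(line)
        if m:
            announced = int(m.group(1))  # size the server promised
        m = RECEIVED_RE.match(line)
        if m:
            received = int(m.group(1))   # bytes the switch reports receiving
        if line == "write ok":
            write_ok = True              # image committed to flash
        if line.startswith("226 "):
            complete = True              # server closed the data connection cleanly
    if not complete:
        return False, "no '226 Transfer complete.' reply seen"
    if announced is not None and received is not None and announced != received:
        return False, f"received {received} of {announced} announced bytes"
    if not write_ok:
        return False, "file received but 'write ok' to flash not seen"
    return True, "transfer complete, byte counts agree, flash write confirmed"


if __name__ == "__main__":
    for name, text in (("ok", TRANSCRIPT_OK), ("cut", TRANSCRIPT_CUT)):
        print(name, transfer_status(text))
```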
through TFTP fails, please try the upgrade again or use BootROM mode to upgrade.
Chapter 3 File System Operations
3.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Files on the FLASH can be copied, deleted or renamed under Shell or BootROM mode.
3.2 File System Operation Configuration Task List
directory on a certain device.
4. Changing the current working directory of the storage device
Command Explanation
Admin Configuration Mode
cd: Change the current working directory of the storage device.
5. The display operation of the current working directory
Command Explanation
Admin Configuration Mode
pwd: Display the current working directory.
6.
3.3 Typical Applications
Copy an IMG file flash:/nos.img stored in the FLASH on the board card to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows:
Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img.
3.
Chapter 4 Cluster Configuration
4.1 Introduction to Cluster Network Management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch). A commander switch can manage multiple member switches.
(2) Create or delete cluster
(3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
(1) Enable or disable automatically adding cluster members
(2) Set automatically added members to manually added ones
(3) Set or modify the time interval of keep-alive messages on switches in the cluster
(4) Set or modify the max number of lost keep-alive messages that can be tolerated
(5) Clear the list of candidate switches maintained by the switch
4.
no cluster member {id | macaddress }
3. Configure attributes of the cluster in the commander switch
Command Explanation
Global Mode
cluster auto-add; no cluster auto-add: Enable or disable adding newly discovered candidate switches to the cluster.
cluster member auto-to-user: Change automatically added members into manually added ones.
cluster keepalive interval; no cluster keepalive interval: Set the keep-alive interval of the cluster.
cluster reset member [id | mac-address ]: Reset the member switch.
cluster update member [ascii | binary]: In the commander switch, this command is used to remotely upgrade the member switch. It can only upgrade the nos.img file.
6. Manage cluster network with web
Command Explanation
Global Mode
ip http server: Enable the HTTP function in the commander switch and member switches.
Examples of Cluster Configuration
Procedure
1. Configure the commander switch
Configuration of SW1:
Switch(config)#cluster run
Switch(config)#cluster ip-pool 10.2.3.4
Switch(config)#cluster commander 5526
Switch(config)#cluster auto-add
2. Configure the member switches
Configuration of SW2-SW4:
Switch(config)#cluster run
4.
Chapter 5 Port Configuration
5.1 Introduction to Port
The switch contains cable ports and combo ports. The combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet command to enter the appropriate Ethernet port configuration mode, where stands for one or more ports.
2. Configure the properties for the Ethernet ports
Command Explanation
Port Mode
media-type {copper | copper-preferred-auto | fiber | sfp-preferred-auto}: Sets the combo port mode (combo ports only).
shutdown; no shutdown: Enables/disables the specified ports.
description; no description: Specifies or cancels the name of the specified ports.
mdi {auto | across | normal}; no mdi: Sets the cable type for the specified port; this command is not supported by the combo ports and fiber ports of the switch.
{bcast|mcast|ucast}; no switchport flood-control {bcast|mcast|ucast}: ... broadcast, unknown multicast or unknown unicast packets to the specified port any more; the no command restores the default configuration. Note: This switch does not support this command.
port-scan-mode {interrupt | poll}; no port-scan-mode: Configure the port scan mode as interrupt or poll mode; the no command restores the default port scan mode.
5.3 Port Configuration Example
Port Configuration Example
No VLAN has been configured in the switches; the default VLAN 1 is used.
Switch3(Config-If-Ethernet1/12)#exit
5.4 Port Troubleshooting
Here are some situations that frequently occur in port configuration and the advised solutions:
Two connected fiber interfaces will not link up if one interface is set to auto-negotiation but the other to forced speed/duplex. This is determined by IEEE 802.3.
Chapter 6 Port Isolation Function Configuration
6.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function working in an inter-port way, which isolates the flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
Command Explanation
Admin Mode and Global Mode
show isolate-port group [ ]: Display the configuration of port isolation, including all configured port isolation groups and the Ethernet ports in each group.
6.3 Port Isolation Function Typical Examples
Typical example of port isolation function
The topology and configuration of the switches are shown in the figure above, with e1/1, e1/10 and e1/15 all belonging to VLAN 100.
Chapter 7 Port Loopback Detection Function Configuration
7.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which means urgent demands for both Internet access and internal layer-2 interworking.
5. Configure the loopback-detection control mode (automatic recovery enabled or not)
1. Configure the time interval of loopback detection
Command Explanation
Global Mode
loopback-detection interval-time; no loopback-detection interval-time: Configure the time interval of loopback detection.
2. Enable the function of port loopback detection
Command Explanation
Port Mode
loopback-detection specified-vlan: Enable or disable the function of port loopback detection.
5. Configure the loopback-detection control mode (automatic recovery enabled or not)
Command Explanation
Global Mode
loopback-detection control-recovery timeout <0-3600>: Configure the loopback-detection control mode (automatic recovery enabled or not) or the recovery time.
7.3 Port Loopback Detection Function Example
Network Topology
Typical example of port loopback detection
As shown in the above configuration, the switch detects the existence of loopbacks in the network topology.
Switch(Config-Mstp-Region)#instance 1 vlan 1
Switch(Config-Mstp-Region)#instance 2 vlan 2
Switch(Config-Mstp-Region)#

7.4 Port Loopback Detection Troubleshooting

The function of port loopback detection is disabled by default and should be enabled only when required.

+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
Chapter 8 ULDP Function Configuration

8.1 Introduction to ULDP Function

A unidirectional link is a common link error state in networks, especially on fiber links. A unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former. Since the physical layer of the link is connected and works normally, the checking mechanism of the physical layer cannot detect the communication problem between the devices.
Cat 5e twisted pair), ULDP can monitor the link state of physical links. Whenever a unidirectional link is discovered, it sends warnings to users and can disable the port automatically or manually, according to the user's configuration. The ULDP of the switch recognizes remote devices and checks the correctness of link connections by exchanging ULDP messages.
Command: uldp enable; uldp disable
Explanation: Enable or disable the ULDP function on a port.

3. Configure aggressive mode globally
Command (Global configuration mode): uldp aggressive-mode; no uldp aggressive-mode
Explanation: Set the global working mode.

4. Configure aggressive mode on a port
Command (Port configuration mode): uldp aggressive-mode; no uldp aggressive-mode
Explanation: Set the working mode of the port.

5.
Command (Global configuration mode or Port configuration mode): uldp reset
Explanation: Reset all ports in global configuration mode; reset the specified port in port configuration mode.

9. Display and debug ULDP information
Command (Admin mode): show uldp [interface ethernet IFNAME]
Explanation: Display ULDP information. Without a parameter, global ULDP information is displayed. When a port is specified, the global information and the neighbor information of that port are displayed.
8.3 ULDP Function Typical Examples

Figure: Fiber cross connection (Switch A ports g1/1 and g1/2; Switch B ports g1/3 and g1/4; PC1 and PC2).

In the network topology shown in the figure, ports g1/1 and g1/2 of SWITCH A and ports g1/3 and g1/4 of SWITCH B are all fiber ports, and the fibers are cross-connected. The physical layer is connected and works normally, but the data link layer is abnormal. ULDP can discover this kind of link error state and disable the affected ports.
Ethernet1/1 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/2 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/2 shutted down!

Ports g1/3 and g1/4 of SWITCH B are both shut down by ULDP, and notification information appears on the CRT terminal of PC2.
ULDP is not compatible with similar protocols of other vendors, which means users cannot run ULDP on one end of a link and another vendor's similar protocol on the other end. The ULDP function is disabled by default. After globally enabling ULDP, the debug switch can be enabled at the same time to check debug information. Several DEBUG commands are provided to print debug information, such as information on events, the state machine, errors and messages.
Chapter 9 LLDP Function Operation Configuration

9.1 Introduction to LLDP Function

Link Layer Discovery Protocol (LLDP) is a new protocol defined in IEEE 802.1AB. It enables neighbor devices to advertise their own state to other devices, and enables every port of every device to store information about its neighbors. If necessary, the ports can also send updated information to the directly connected neighbor devices, which store the information in standard SNMP MIBs.
Layer 2 discovery covers information such as which devices have which ports and which switches connect to other devices; it can also display the routes between clients, switches, routers, application servers and network servers. Such details are very useful for planning and for investigating the source of network failures. LLDP is therefore a very useful management tool, providing accurate information about network mirroring and flow data and helping to locate network problems.

9.
Command: lldp mode (send|receive|both|disable)
Explanation: Configure the operating state of LLDP on the port.

4. Configure the interval of LLDP update messages
Command (Global Mode): lldp tx-interval; no lldp tx-interval
Explanation: Set the interval of LLDP update messages to the specified value, or restore the default value.

6.
10. Configure the optional TLVs sent by the port
Command (Port Configuration Mode): lldp transmit optional tlv [portDesc] [sysName] [sysDesc] [sysCap]; no lldp transmit optional tlv
Explanation: Configure which optional TLVs the port sends, or restore the default values.

11.
no debug lldp packets interface ethernet (global mode).

Command (Port configuration mode): clear lldp remote-table
Explanation: Clear the remote table of the port.

9.3 LLDP Function Typical Example

Figure: LLDP Function Typical Configuration Example.

In the network topology shown above, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A. Port 1 of SWITCH B is configured in receive-only mode, and the optional TLVs of port 4 of SWITCH A are configured as portDesc and sysCap.
9.4 LLDP Function Troubleshooting

The LLDP function is disabled by default. After enabling the global LLDP switch, users can enable the debug switch "debug lldp" at the same time to check debug information. The "show" commands of LLDP display the configuration information in global or port configuration mode.
Chapter 10 Port Channel Configuration

10.1 Introduction to Port Channel

To understand Port Channel, Port Group must be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in a Port Group can take part in link aggregation and become member ports of a Port Channel. Logically, a Port Group is not a port but a sequence of ports.
All ports are in full-duplex mode.
All ports are of the same speed.
All ports are Access ports belonging to the same VLAN, or are all Trunk ports, or are all Hybrid ports. If the ports are all Trunk ports or all Hybrid ports, their "Allowed VLAN" and "Native VLAN" properties must also be the same.

If a Port Channel is configured manually or dynamically on the switch, the system automatically sets the port with the smallest number as the Master Port of the Port Channel.
the better reliability.

10.2.1 Static LACP Aggregation

Static LACP aggregation is enforced by the user's configuration and does not enable the LACP protocol. When configuring static LACP aggregation, use "on" mode to force the port into the aggregation group.

10.2.2 Dynamic LACP Aggregation

1.
4. Set the load-balance method for the port-group
5. Set the system priority of the LACP protocol
6. Set the port priority of the current port in the LACP protocol
7. Set the timeout mode of the current port in the LACP protocol

1. Create a port group
Command (Global Mode): port-group; no port-group
Explanation: Create or delete a port group.

2.
the default value.

6. Set the port priority of the current port in the LACP protocol
Command (Port mode): lacp port-priority; no lacp port-priority
Explanation: Set the port priority in the LACP protocol. The no command restores the default value.

7. Set the timeout mode of the current port in the LACP protocol
Command (Port mode): lacp timeout {short | long}; no lacp timeout
Explanation: Set the timeout mode in the LACP protocol. The no command restores the default value.

10.
Switch1(config)#interface ethernet 1/1-4
Switch1(Config-If-Port-Range)#port-group 1 mode active
Switch1(Config-If-Port-Range)#exit
Switch1(config)#interface port-channel 1
Switch1(Config-If-Port-Channel1)#

Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/6
Switch2(Config-If-Ethernet1/6)#port-group 2 mode passive
Switch2(Config-If-Ethernet1/6)#exit
Switch2(config)#interface ethernet 1/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode passive
Switch2(Config-If-Port-Range)#ex
Switch1(config)#interface ethernet 1/1
Switch1(Config-If-Ethernet1/1)#port-group 1 mode on
Switch1(Config-If-Ethernet1/1)#exit
Switch1(config)#interface ethernet 1/2
Switch1(Config-If-Ethernet1/2)#port-group 1 mode on
Switch1(Config-If-Ethernet1/2)#exit
Switch1(config)#interface ethernet 1/3
Switch1(Config-If-Ethernet1/3)#port-group 1 mode on
Switch1(Config-If-Ethernet1/3)#exit
Switch1(config)#interface ethernet 1/4
Switch1(Config-If-Ethernet1/4)#port-group 1 mode on
Switch1(Config-If-Ethernet1/4)#e
Ensure that all ports in a port group have the same properties, i.e., whether they are in full-duplex mode, forced to the same speed, have the same VLAN properties, etc. If inconsistencies occur, correct them. Some commands cannot be used on a port that is in a port-channel, such as arp, bandwidth, ip, ip-forward, etc.
Chapter 11 MTU Configuration

11.1 Introduction to MTU

So far, the Jumbo frame has not reached a settled standard in the industry (including the format and length of the frame). Normally, frames sized 1519-9000 bytes should be considered jumbo frames. Networks with jumbo frames increase the speed of the whole network by 2% to 5%. Technically, a Jumbo frame is just a lengthened frame sent and received by the switch. However, because of the length of Jumbo frames, they are not sent to the CPU.
Chapter 12 EFM OAM Configuration

12.1 Introduction to EFM OAM

Ethernet was originally designed for Local Area Networks, but link lengths and network scope have expanded rapidly as Ethernet has also been applied to Metropolitan Area Networks and Wide Area Networks. The lack of an effective management mechanism has hindered the application of Ethernet to Metropolitan and Wide Area Networks, so implementing OAM on Ethernet has become a necessary development trend.
management mechanisms such as link monitoring, remote fault detection and remote loopback testing. A brief introduction to EFM OAM follows:

1. Ethernet OAM connection establishment

An Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs. EFM OAM can operate in two modes: active mode and passive mode.
3. Remote Fault Detection

In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer. As Information OAMPDUs are exchanged continuously across established OAM connections, an Ethernet OAM entity can inform its OAM peer of link faults through Information OAMPDUs.
Figure: Typical OAM application topology (Customer, Service Provider, Customer; CE and PE; 802.3ah Ethernet in the First Mile; OAMPDU).

12.2 EFM OAM Configuration

EFM OAM configuration task list:
1. Enable the EFM OAM function of the port
2. Configure link monitoring
3. Configure remote failure
Note: OAM must be enabled before OAM parameters are configured.

1. Enable the EFM OAM function of the port
Command (Port mode): ethernet-oam mode {active | passive}
Explanation: Configure the working mode of EFM OAM; the default is active mode.
Command (Port mode): ethernet-oam link-monitor; no ethernet-oam link-monitor
Explanation: Enable link monitoring of EFM OAM; the no command disables link monitoring.

Command: ethernet-oam errored-symbol-period {threshold low | window }; no ethernet-oam errored-symbol-period {threshold low | window }
Explanation: Configure the low threshold and window period of the errored symbol period event; the no command restores the default value.
high

Command: ethernet-oam errored-frame threshold high {high-frames | none}; no ethernet-oam errored-frame threshold high
Explanation: Configure the high threshold of the errored frame event; the no command restores the default value. (optional)

Command: ethernet-oam errored-frame-seconds threshold high {high-frame-seconds | none}; no ethernet-oam errored-frame-seconds threshold high
Explanation: Configure the high threshold of the errored frame seconds event; the no command restores the default value. (optional)

12.
Execute the following command to make one of the OAM peers exit OAM loopback after detection is complete.

PE(config-if-ethernet1/1)# no ethernet-oam remote-loopback

Execute the following command to stop supporting remote loopback.

CE(config-if-ethernet1/1)#no ethernet-oam remote-loopback supported

12.4 EFM OAM Troubleshooting

If a problem occurs when using EFM OAM, check whether it is caused by the following reasons:
Check whether the OAM entities at both ends of the link are in passive mode.
Chapter 13 PORT SECURITY

13.1 Introduction to PORT SECURITY

Port security is a MAC-address-based security mechanism for network access control. It is an extension of the existing 802.1x authentication and MAC authentication. It controls access of unauthorized devices to the network by checking the source MAC address of received frames, and controls access to unauthorized devices by checking the destination MAC address of sent frames.
interfaces in the same VLAN, both of them violate the security of the MAC address.

Command: switchport port-security aging {static | time | type {absolute | inactivity}}; no switchport port-security violation aging {static | time | type}
Explanation: Enable aging of port-security entries on the interface, and specify the aging time or aging type.

Command (Admin mode): clear port-security {all | configured | dynamic | sticky} [[address | interface ] [vlan ]]
Explanation: Clear the secure MAC entries of the interface.
Switch(config-if-ethernet1/1)#exit
Switch(config)#

13.4 PORT SECURITY Troubleshooting

If problems occur when configuring PORT SECURITY, check whether the problem is caused by the following reasons:
Check whether PORT SECURITY is enabled normally.
Check whether a valid maximum number of MAC addresses is configured.
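The following is an added model of the chapter's port-security behaviour, not the switch's own code: a per-port table of secure MACs limited by a maximum, aged absolutely or by inactivity (with static entries aged only when "aging static" is set), and cleared by kind as in clear port-security {all | configured | dynamic | sticky}. The drop-and-count handling of a frame beyond the maximum and the egress rule for group addresses are assumptions; the MAC addresses and timings are constructed.

```python
"""Model of MAC-address-based port security (chapter 13).
Added example, not the QSW-3400's own code; violation handling is an assumption."""
from dataclasses import dataclass, field


@dataclass
class SecureMac:
    kind: str            # "static" (configured), "sticky" or "dynamic"
    learned_at: float    # seconds, used by absolute aging
    last_seen: float     # seconds, used by inactivity aging


@dataclass
class PortSecurity:
    maximum: int = 1                 # maximum number of secure MAC addresses
    aging_time: float = 0.0          # 0 = aging disabled (assumption)
    aging_type: str = "absolute"     # "absolute" or "inactivity"
    aging_static: bool = False       # "aging static": also age configured entries
    sticky: bool = False             # learn new addresses as sticky instead of dynamic
    table: dict = field(default_factory=dict)
    violations: int = 0

    def add_static(self, mac: str, now: float = 0.0) -> None:
        """Operator-configured secure MAC address."""
        self.table[mac] = SecureMac("static", now, now)

    def age(self, now: float) -> list:
        """Remove entries whose aging timer expired; return the aged-out MACs."""
        if self.aging_time <= 0:
            return []
        expired = []
        for mac, entry in self.table.items():
            if entry.kind == "static" and not self.aging_static:
                continue
            start = entry.learned_at if self.aging_type == "absolute" else entry.last_seen
            if now - start >= self.aging_time:
                expired.append(mac)
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, src_mac: str, now: float) -> bool:
        """Ingress check on the source MAC. True = forwarded, False = dropped."""
        self.age(now)
        entry = self.table.get(src_mac)
        if entry is not None:
            entry.last_seen = now
            return True
        if len(self.table) < self.maximum:
            self.table[src_mac] = SecureMac("sticky" if self.sticky else "dynamic", now, now)
            return True
        self.violations += 1          # unknown source beyond the maximum: violation
        return False

    def transmit(self, dst_mac: str) -> bool:
        """Egress check on the destination MAC: unicast only to secure MACs;
        group (multicast/broadcast) destinations pass (assumption)."""
        if int(dst_mac.split(":")[0], 16) & 0x01:
            return True
        return dst_mac in self.table

    def clear(self, what: str) -> int:
        """clear port-security {all | configured | dynamic | sticky}; returns entries removed."""
        kinds = {"all": {"static", "sticky", "dynamic"}, "configured": {"static"},
                 "dynamic": {"dynamic"}, "sticky": {"sticky"}}[what]
        victims = [mac for mac, e in self.table.items() if e.kind in kinds]
        for mac in victims:
            del self.table[mac]
        return len(victims)


def demo() -> dict:
    """Constructed scenario: maximum 2 secure MACs, 60 s inactivity aging."""
    ps = PortSecurity(maximum=2, aging_time=60, aging_type="inactivity")
    ps.add_static("00:1f:ce:11:22:33", now=0)
    result = {}
    result["pc_a"] = ps.receive("00:1f:ce:aa:aa:aa", now=10)            # learned dynamically
    result["pc_b"] = ps.receive("00:1f:ce:bb:bb:bb", now=20)            # third MAC: dropped
    result["static_ok"] = ps.receive("00:1f:ce:11:22:33", now=30)
    result["pc_b_after_aging"] = ps.receive("00:1f:ce:bb:bb:bb", now=75)  # pc_a idle 65 s
    result["aged_out"] = "00:1f:ce:aa:aa:aa" not in ps.table
    result["egress_unknown"] = ps.transmit("00:1f:ce:cc:cc:cc")
    result["egress_broadcast"] = ps.transmit("ff:ff:ff:ff:ff:ff")
    result["violations"] = ps.violations
    return result
```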
Chapter 14 DDM Configuration

14.1 Introduction to DDM

14.1.1 Brief Introduction to DDM

DDM (Digital Diagnostic Monitor) standardizes the detailed digital diagnostic function in the SFF-8472 MSA. It specifies that the parameter signals are monitored and digitized on the circuit board inside the module.
3. Compatibility verification

Compatibility verification is used to analyze whether the operating environment of the module complies with its data sheet or with the corresponding standard, because the module's capability can be ensured only in a compatible environment. When environment parameters exceed the data sheet or the corresponding standard, the module's capability degrades, which results in transmission errors.
query the last abnormal status by executing the commands. When the user finds abnormality information for the fiber module, the fiber module can be monitored again after the abnormality has been handled; in this way the user learns of the abnormality and resumes monitoring.

14.2 DDM Configuration Task List

DDM configuration task list:
1. Show the real-time monitoring information of the transceiver
2.
Command: transceiver-monitoring interval; no transceiver-monitoring interval
Explanation: Set the interval of the transceiver monitor. The no command restores the default interval of 15 minutes.

(2) Configure the enable state of the transceiver monitoring
Command (Port mode): transceiver-monitoring {enable | disable}
Explanation: Set whether transceiver monitoring is enabled. Only when the port enables transceiver monitoring does the system record the abnormal state.
the fiber module without DDM, and no fiber module is inserted in Ethernet 22; show the DDM information of the fiber modules.

1. Show the information of all interfaces whose real-time parameters can be read normally (if no fiber module is inserted or the fiber module is not supported, its information is not shown), for example:

Switch#show transceiver
Interface  Temp(°C)  Voltage(V)  Bias(mA)  RX Power(dBM)  TX Power(dBM)
1/21       33        3.31        6.11      -30.54(A-)     -6.01
1/23       33        5.00(W+)    6.11      -20.54(W-)     -6.02

2.
Ethernet 1/22 transceiver detail information: N/A
Ethernet 1/24 transceiver detail information:
Base information:
SFP found in this port, manufactured by company, on Sep 29 2010.
Type is 1000BASE-SX, Link length is 550 m for 50um Multi-Mode Fiber.
Link length is 270 m for 62.5um Multi-Mode Fiber.
Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm.
Brief alarm information: N/A
Detail diagnostic and threshold information: N/A

Example 2: Ethernet 21 is inserted with a fiber module with DDM.
Switch(config-if-ethernet1/21)#transceiver threshold tx-power low-warning -12
Switch(config-if-ethernet1/21)#transceiver threshold tx-power low-alarm -10.00

Step 3: Show the detailed DDM information of the fiber module. The alarm uses the thresholds configured by the user; the thresholds configured by the manufacturer are shown in brackets. There is an 'A-' alarm because -13.01 is less than -12.00.
Ethernet 1/22 transceiver threshold-violation information:
Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
The last threshold-violation doesn't exist.

Step 2: Enable the transceiver monitoring of Ethernet 21.

Switch(config)#interface ethernet 1/21
Switch(config-if-ethernet1/21)#transceiver-monitoring enable

Step 3: Show the transceiver monitoring of the fiber module.
14.4 DDM Troubleshooting

If problems occur when configuring DDM, check whether the problem is caused by the following reasons:
Ensure that the transceiver of the fiber module has been inserted firmly into the port; otherwise the DDM configuration will not be shown.
Ensure that the SNMP configuration is valid; otherwise the warning event cannot inform the network management system.
Chapter 15 LLDP-MED

15.1 Introduction to LLDP-MED

LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on IEEE 802.1AB LLDP (Link Layer Discovery Protocol). LLDP provides a standard link layer discovery mode: it sends local device information (including its major capabilities, management IP address, device ID and port ID) as TLV (type/length/value) triplets in an LLDPDU (Link Layer Discovery Protocol Data Unit) to its directly connected neighbors.
command disables the capability.

Command: lldp transmit med tlv inventory; no lldp transmit med tlv inventory
Explanation: Configure the port to send LLDP-MED Inventory Management TLVs. The no command disables the capability.
needs to send LLDP packets carrying LLDP-MED TLVs rapidly, this command sets the number of fast-sent packets; the no command restores the default value.

Command (Admin mode): show lldp
Explanation: Show the configuration of global LLDP and LLDP-MED.

Command: show lldp [interface ethernet ]
Explanation: Show the configuration of LLDP and LLDP-MED on the current port.

Command: show lldp neighbors [interface ethernet ]
Explanation: Show the LLDP and LLDP-MED configuration of the neighbors.

15.
SwitchA(Config-If-Ethernet1/1)# lldp transmit med tlv network policy
SwitchA(Config-If-Ethernet1/1)# lldp transmit med tlv inventory
SwitchB(Config-If-Ethernet1/1)# network policy voice tag tagged vid 10 cos 5 dscp 15
SwitchA(Config-If-Ethernet1/1)# exit
SwitchA(config)#interface ethernet1/2
SwitchA(Config-If-Ethernet1/2)# lldp enable
SwitchA(Config-If-Ethernet1/2)# lldp mode both

2) Configure Switch B

SwitchB(config)#interface ethernet1/1
SwitchB(Config-If-Ethernet1/1)# lldp enable
SwitchB(Config-
(CAP) Capabilities, (NP) Network Policy, (LI) Location Identification, (PSE) Power Source Entity, (PD) Power Device, (IN) Inventory
MED Capabilities:CAP,NP,PD,IN
MED Device Type: Endpoint Class III
Media Policy Type :Voice
Media Policy :Tagged
Media Policy Vlan id :10
Media Policy Priority :3
Media Policy Dscp :5
Power Type : PD
Power Source :Primary power source
Power Priority :low
Power Value :15.4 (Watts)
Hardware Revision:
Firmware Revision:4.0.1
Software Revision:6.2.30.
SysName :****
SysDesc :*****
SysCapSupported :4
SysCapEnabled :4

Explanation:
1. Both Ethernet2 of switch A and Ethernet1 of switch B are ports connecting network connectivity devices, so they do not send LLDP packets with MED TLV information on their own initiative. Although Ethernet1 of switch B is configured to send MED TLV information, it does not send the related MED information, so the corresponding remote table on Ethernet2 of switch A contains no MED information.
2.
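As an added example (not the manual's or the switch's own code), the parser below walks the TLV triplets of an LLDPDU as described in 15.1 and decodes the LLDP-MED Capabilities TLV that produces the "MED Capabilities:CAP,NP,PD,IN" and "MED Device Type: Endpoint Class III" lines of the output above. The LLDPDU is constructed here; the capability bit positions and device type codes are taken from ANSI/TIA-1057, and a TLV whose length runs past the PDU is rejected rather than read.

```python
"""LLDPDU TLV parser with LLDP-MED Capabilities decoding (IEEE 802.1AB, ANSI/TIA-1057).
Added example, not the QSW-3400's own code; the sample LLDPDU is constructed."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYS_NAME, TLV_ORG = 0, 1, 2, 3, 5, 127
LLDP_MED_OUI = bytes.fromhex("0012bb")       # organizationally unique identifier of LLDP-MED
MED_CAPABILITIES_SUBTYPE = 1

# Capability bits, abbreviated as in the switch's "show lldp neighbors" output
MED_CAP_BITS = [(0, "CAP"), (1, "NP"), (2, "LI"), (3, "PSE"), (4, "PD"), (5, "IN")]
MED_DEVICE_TYPES = {1: "Endpoint Class I", 2: "Endpoint Class II",
                    3: "Endpoint Class III", 4: "Network Connectivity"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> list:
    """Return [(type, value), ...] up to and including the End of LLDPDU TLV.
    A truncated PDU or a length that overruns the buffer raises ValueError."""
    tlvs, pos = [], 0
    while True:
        if pos + 2 > len(data):
            raise ValueError("LLDPDU ends without an End of LLDPDU TLV")
        header = struct.unpack_from("!H", data, pos)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(data):
            raise ValueError(f"TLV type {tlv_type} length {length} overruns the PDU")
        tlvs.append((tlv_type, data[pos:pos + length]))
        pos += length
        if tlv_type == TLV_END:
            return tlvs


def decode_med_capabilities(value: bytes) -> dict:
    """Decode the LLDP-MED Capabilities TLV value: OUI, subtype, 16-bit bitmap, device type."""
    if len(value) != 7 or value[:3] != LLDP_MED_OUI or value[3] != MED_CAPABILITIES_SUBTYPE:
        raise ValueError("not an LLDP-MED Capabilities TLV")
    bitmap, device_type = struct.unpack("!HB", value[4:7])
    return {"capabilities": [name for bit, name in MED_CAP_BITS if bitmap & (1 << bit)],
            "device_type": MED_DEVICE_TYPES.get(device_type, f"unknown({device_type})")}


def neighbor_summary(data: bytes) -> dict:
    """Collect the fields the remote table shows from a parsed LLDPDU."""
    info = {}
    for tlv_type, value in parse_lldpdu(data):
        if tlv_type == TLV_CHASSIS_ID:
            info["chassis_id"] = value[1:].hex(":")            # value[0] is the ID subtype
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYS_NAME:
            info["sys_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_ORG and value[:4] == LLDP_MED_OUI + bytes([MED_CAPABILITIES_SUBTYPE]):
            info["med"] = decode_med_capabilities(value)
    return info


# Constructed LLDPDU from an IP phone: CAP, NP, PD and IN set (bits 0, 1, 4, 5), Endpoint Class III
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("001fce112233"))   # subtype 4 = MAC address
    + tlv(TLV_PORT_ID, b"\x05" + b"Ethernet1/1")                    # subtype 5 = interface name
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYS_NAME, b"ip-phone-1")
    + tlv(TLV_ORG, LLDP_MED_OUI + bytes([MED_CAPABILITIES_SUBTYPE]) + struct.pack("!HB", 0b110011, 3))
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print(neighbor_summary(SAMPLE_LLDPDU))
```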
Chapter 16 bpdu-tunnel Configuration

16.1 Introduction to bpdu-tunnel

BPDU Tunnel is a Layer 2 tunnel technology. It allows Layer 2 protocol packets of geographically dispersed private-network users to be transparently transmitted over specific tunnels across a service provider network.

16.1.1 bpdu-tunnel function

In MAN applications, the branches of a corporation may connect with each other over the service provider network.
16.2 bpdu-tunnel Configuration Task List

bpdu-tunnel configuration task list:
1. Configure the tunnel MAC address globally
2. Configure the port to support the tunnel

1. Configure the tunnel MAC address globally
Command (Global mode): bpdu-tunnel dmac; no bpdu-tunnel dmac
Explanation: Configure or cancel the tunnel MAC address globally.

2.
Figure: BPDU Tunnel application environment.

With BPDU Tunnel, Layer 2 protocol packets from users' networks can pass through the service provider network in the following workflow:
1. After receiving a Layer 2 protocol packet from network 1 of user A, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet through the service provider network.
2.
16.4 bpdu-tunnel Troubleshooting

The bpdu-tunnel function can be configured on a port only after the stp, gvrp, uldp, lacp and dot1x functions have been disabled on that port.
Chapter 17 EEE Energy-saving Configuration

17.1 Introduction to EEE Energy-saving

EEE is Energy Efficient Ethernet. After this function is enabled on a port, the switch detects the port state automatically. If the port is idle and no data is being transmitted, the port changes to power-saving mode and cuts down the port's power to save energy.

17.2 EEE Energy-saving Configuration List

1.
Chapter 18 VLAN Configuration

18.1 VLAN Configuration

18.1.1 Introduction to VLAN

VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
convenience:
Improving network performance
Saving network resources
Simplifying network management
Lowering network cost
Enhancing network security

Switch Ethernet ports can work in three modes: Access, Hybrid and Trunk; each mode processes tagged and untagged packets differently when forwarding. Access ports belong to only one VLAN and are usually used to connect the ports of computers.
Command (Global Mode): vlan WORD; no vlan WORD
Explanation: Create/delete a VLAN or enter VLAN Mode.

2. Set or delete the VLAN name
Command (VLAN Mode): name; no name
Explanation: Set or delete the VLAN name.

3. Assign switch ports to the VLAN
Command (VLAN Mode): switchport interface; no switchport interface
Explanation: Assign switch ports to the VLAN.

4.
Command (Port Mode): switchport access vlan; no switchport access vlan
Explanation: Add the current port to the specified VLAN. The "no" command restores the default setting.

7. Set Hybrid port
Command (Port Mode): switchport hybrid allowed vlan {WORD | all | add WORD | except WORD | remove WORD} {tag | untag}; no switchport hybrid allowed vlan
Explanation: Set/delete the VLANs allowed by the Hybrid port in tag or untag mode.
Command (Global mode): vlan <2-4094> internal
Explanation: Specify the internal VLAN ID.

18.1.3 Typical VLAN Application

Scenario:

Figure: Typical VLAN Application Topology (Switch A and Switch B joined by a Trunk Link; PCs and workstations in VLAN2, VLAN100 and VLAN200 on both switches).

The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200.
Connect the Trunk ports of both switches to form a Trunk link that carries the cross-switch VLAN traffic; connect all other network devices to the ports of the corresponding VLANs. In this example, port 1 and port 12 are spare and can be used as management ports or for other purposes.
Figure: Typical Application of Hybrid Port (Internet, Switch A, Switch B, PC1, PC2).

PC1 connects to interface Ethernet 1/7 of SwitchB, PC2 connects to interface Ethernet 1/9 of SwitchB, and Ethernet 1/10 of SwitchA connects to Ethernet 1/10 of SwitchB. For security reasons, PC1 and PC2 must not be able to access each other, but both PC1 and PC2 must be able to access other network resources through the gateway SwitchA. This can be implemented with Hybrid ports.
Switch(config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/10

Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/7
Switch(Config-If-Ethernet1/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/7)#exit
Switch(Config)#interface Ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode hybrid
Switch(Config-If-Ethernet1/9)#switchport h
Figure: Dot1q-tunnel based Internetworking mode (Customer networks 1 and 2 attached through CE1 and CE2, whose customer ports are Trunk VLAN 200-300 with unsymmetrical connections to PE1 and PE2; the PE ports are enabled with QinQ and belong to VLAN 3; PE1, P and PE2 in the SP network are joined by Trunk connections).

As shown above, after dot1q-tunnel is enabled on the user port, it assigns each user an SPVLAN identifier (SPVID).
A detailed description of the application and configuration of dot1q-tunnel is provided in this section.

18.2.2 Dot1q-tunnel Configuration

Configuration task sequence of Dot1q-tunnel:
1. Configure the dot1q-tunnel function on the port
2. Configure the global protocol type (TPID)

1. Configure the dot1q-tunnel function on the port
Command (Port mode): dot1q-tunnel enable; no dot1q-tunnel enable
Explanation: Enter/exit the dot1q-tunnel mode on the port.

2.
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)# dot1q-tunnel enable
Switch(Config-Ethernet1/1)# exit
Switch(Config)#interface ethernet 1/10
Switch(Config-Ethernet1/10)#switchport mode trunk
Switch(Config-Ethernet1/10)#exit
Switch(config)#dot1q-tunnel tpid 0x9100
Switch(Config)#

PE2:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)# dot1q-tunnel en
18.3.2 Selective QinQ Configuration

Selective QinQ Configuration Task List:
1. Configure the port mapping relation between the inner tag and the outer tag
2. Configure selective QinQ of the port

1.
1. Ethernet1/1 of SwitchA provides public network access for PC users, and Ethernet 1/2 of SwitchA provides public network access for IP phone users. PC users belong to VLAN 100 through VLAN 200, and IP phone users belong to VLAN 201 through VLAN 300. Ethernet 1/9 of SwitchA is connected to the public network.
2. Ethernet1/1 and Ethernet1/2 of SwitchB provide network access for PC users belonging to VLAN 100 through VLAN 200 and for IP phone users belonging to VLAN 201 through VLAN 300, respectively.
switch(config-if-ethernet1/2)#dot1q-tunnel selective enable

# Configure uplink port Ethernet 1/9 as a hybrid port and configure it to keep the VLAN tags when forwarding packets of VLAN 1000 and VLAN 2000.
VLAN ID according to user requirements so as to exchange data across different VLANs. VLAN translation supports ingress translation, switching the VLAN ID at the ingress. The application and configuration of VLAN translation are explained in detail in this section.

18.4.2 VLAN-translation Configuration

Configuration task sequence of VLAN-translation:
1. Configure the VLAN-translation function on the port
2. Configure the VLAN-translation relations on the port
3.
translation.

18.4.3 Typical application of VLAN-translation

Scenario: Edge switches PE1 and PE2 of the ISP network carry the VLAN 20 data between CE1 and CE2 of the client network using VLAN 3. Port 1/1 of PE1 is connected to CE1 and port 1/10 to the public network; port 1/1 of PE2 is connected to CE2 and port 1/10 to the public network.
switch(Config)#

Note: this switch only supports the in (ingress) direction.

18.4.4 VLAN-translation Troubleshooting

Normally VLAN-translation is applied on trunk ports. Normally, before using VLAN-translation, the dot1q-tunnel function needs to be enabled first so that VLAN-translation can process double-tagged packets. When configuring vlan-translation at the egress, make sure the native VLAN of the port is not identical to the PVID of the packet.
Command (Admin mode): show vlan-translation n-to-1
Explanation: Show the related configuration of Multi-to-One VLAN translation.

18.5.3 Typical application of Multi-to-One VLAN Translation

Scenario: UserA, userB and userC belong to VLAN1, VLAN2 and VLAN3 respectively. Before entering the network layer, the data traffic of userA, userB and userC is translated into VLAN 100 by Ethernet1/1 of edge switch1.
Configuration Item: Trunk Port
Configuration description: Downlink port 1/1 and uplink port 1/5 of Switch1 and Switch2

Configuration Item: Multi-to-One VLAN-translation
Configuration description: Downlink port 1/1 of Switch1 and Switch2

Configuration procedure is as follows:

Switch1, Switch2:
switch(Config)# vlan 1-3;100
switch(Config-Ethernet1/1)#switchport mode trunk
switch(Config-Ethernet1/1)# vlan-translation n-to-1 1-3 to 100
switch(Config)#interface ethernet 1/5
switch(Config-Ethernet1/5)#switchport mode trunk
switch(Config-Ethernet1/5)#exit

18.5.
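The tag operations that the dot1q-tunnel section (18.2), the 1:1 VLAN-translation section (18.4) and the Multi-to-One translation above (18.5) describe, as an added example that is not the manual's or the switch's own code: a PE customer port pushes the SPVLAN tag with the configured TPID over the customer's own tag, the far-end PE strips it again, and ingress translation rewrites the outer VID through a mapping. The TPID 0x9100, SPVLAN 3, customer VLAN 200 and the 1-3 to 100 mapping come from the chapter's examples; the frames, MAC addresses and the VLAN 20 to VLAN 3 mapping are constructed, and leaving untagged or unmapped frames unchanged is an assumption.

```python
"""802.1Q tag push/pop for dot1q-tunnel (QinQ) and VLAN-translation.
Added example, not the QSW-3400's own code; sample frames are constructed."""
import struct

TPID_8021Q = 0x8100
TPID_9100 = 0x9100          # "dot1q-tunnel tpid 0x9100" configured on PE1 and PE2


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet frame: DST, SRC, EtherType, payload (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, tpid: int = TPID_8021Q, pcp: int = 0) -> bytes:
    """Insert a VLAN tag directly after the MAC addresses (outermost position)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes, tpids=(TPID_8021Q, TPID_9100)):
    """Remove the outermost tag if its TPID is recognised; return (tpid, vid, frame)."""
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid not in tpids:
        return None, None, frame
    vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    return tpid, vid, frame[:12] + frame[16:]


def tag_stack(frame: bytes, tpids=(TPID_8021Q, TPID_9100)) -> list:
    """[(tpid, vid), ...] from the outer tag inwards, for inspection."""
    stack = []
    while True:
        tpid, vid, frame = pop_tag(frame, tpids)
        if tpid is None:
            return stack
        stack.append((tpid, vid))


def dot1q_tunnel_ingress(frame: bytes, spvid: int, tpid: int) -> bytes:
    """PE customer-facing port with dot1q-tunnel enabled: the customer tag is kept
    and the VLAN of the port becomes the outer SPVLAN tag (SPVID)."""
    return push_tag(frame, spvid, tpid)


def dot1q_tunnel_egress(frame: bytes, tpid: int):
    """Far-end PE customer-facing port: strip the SPVLAN tag; return (spvid, frame)."""
    outer_tpid, spvid, inner = pop_tag(frame, (tpid,))
    if outer_tpid is None:
        raise ValueError("frame carries no service-provider tag")
    return spvid, inner


def vlan_translate_ingress(frame: bytes, mapping: dict) -> bytes:
    """Rewrite the outer VID at ingress. A 1:1 mapping models 18.4; a mapping such
    as {1: 100, 2: 100, 3: 100} models 18.5 (n-to-1). Untagged or unmapped frames
    are returned unchanged (assumption)."""
    tpid, vid, rest = pop_tag(frame, (TPID_8021Q,))
    if tpid is None or vid not in mapping:
        return frame
    return push_tag(rest, mapping[vid], tpid)


def demo() -> dict:
    """Constructed traffic through the PE1 -> PE2 tunnel and both translation modes."""
    untagged = build_frame(bytes.fromhex("001fce000002"), bytes.fromhex("001fce000001"),
                           0x0800, b"customer payload")
    ce_frame = push_tag(untagged, vid=200)                               # CE1 trunk, VLAN 200
    tunneled = dot1q_tunnel_ingress(ce_frame, spvid=3, tpid=TPID_9100)   # PE1 port in VLAN 3
    spvid, restored = dot1q_tunnel_egress(tunneled, TPID_9100)           # PE2 towards CE2
    n_to_1 = {1: 100, 2: 100, 3: 100}                        # vlan-translation n-to-1 1-3 to 100
    return {
        "tunneled_stack": tag_stack(tunneled),
        "restored_ok": restored == ce_frame and spvid == 3,
        "one_to_one": tag_stack(vlan_translate_ingress(push_tag(untagged, 20), {20: 3})),
        "n_to_1": {vid: tag_stack(vlan_translate_ingress(push_tag(untagged, vid), n_to_1))[0][1]
                   for vid in (1, 2, 3, 7)},
    }
```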
segment, directing the data packet to the specified VLAN. Its advantage is the same as that of the MAC-based VLAN: the user does not have to change the configuration when relocated. A VLAN can also be divided by network layer protocol, assigning different protocols to different VLANs. This is very attractive to network administrators who wish to organize users by applications and services. Moreover, users can move freely within the network while maintaining their membership.
Command (Global Mode): mac-vlan mac vlan priority; no mac-vlan {mac | all}
Explanation: Add/delete the correspondence between a MAC address and a VLAN, i.e., make the specified MAC address join/leave the specified VLAN.

4. Configure the IP-subnet-based VLAN function on the port
Command (Port Mode): switchport subnet-vlan enable; no switchport subnet-vlan enable
Explanation: Enable/disable the IP-subnet-based VLAN function on the port.

5.
Command (Global Mode): dynamic-vlan mac-vlan prefer; dynamic-vlan subnet-vlan prefer
Explanation: Configure the priority of the dynamic VLAN types.

18.6.3 Typical Application of the Dynamic VLAN

Scenario: In the office network, Department A belongs to VLAN100. Several members of this department often need to move within the whole office network. It is also required that the other members of the department can still access the resources in VLAN 100.
SwitchA(Config-Ethernet1/1)# switchport hybrid allowed vlan 100 untagged

SwitchB(Config)#mac-vlan mac 00-1f-ce-11-22-33 vlan 100 priority 0
SwitchB(Config)#exit
SwitchB#

SwitchC(Config)#mac-vlan mac 00-1f-ce-11-22-33 vlan 100 priority 0
SwitchC(Config)#exit
SwitchC#

18.6.4 Dynamic VLAN Troubleshooting

On a switch configured with dynamic VLAN, if two connected devices (e.g. PCs) both belong to the same dynamic VLAN, the first communication between them may not go through.
transmits VLAN attributes to the whole Layer 2 network through the GARP protocol.

A typical application scenario: switches A and G are not directly connected in the Layer 2 network; B, C, D, E and F are intermediate switches connecting A and G. Switches A and G have VLAN100-1000 configured manually, while switches B, C, D, E and F do not. When GVRP is not enabled, A and G cannot communicate with each other, because the intermediate switches lack the relevant VLANs.
garp timer leaveall <5000-60000> no garp timer (join | leave | leaveAll) 2. Configure port type Command Explanation Port mode gvrp no gvrp Enable/ disable GVRP function of port. 3. Enable GVRP function Command Explanation Global mode gvrp no gvrp Enable/ disable function of port. the global GVRP 18.7.3 Example of GVRP GVRP application: PC Switch A Switch B Switch C PC +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр.
Typical GVRP Application Topology
To enable dynamic VLAN registration and update among switches, GVRP must be configured on them. Configure GVRP on Switch A, B and C so that Switch B learns VLAN 100 dynamically and the two workstations connected to VLAN 100 on Switch A and Switch C can communicate through Switch B without a static VLAN 100 entry on B.
Configuration item: VLAN 100. Description: ports 2-6 of Switch A and C.
Switch C:
Switch(config)#gvrp
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)#gvrp
Switch(Config-If-Ethernet1/11)#exit
18.7.4 GVRP Troubleshooting
The GARP timer settings on the trunk ports at both ends of a trunk link must be the same, otherwise GVRP will not work normally.
18.8.2 Voice VLAN Configuration
Voice VLAN configuration task sequence:
1. Set the VLAN to Voice VLAN
2. Add voice equipment to the Voice VLAN
3. Enable the Voice VLAN on the port
1. Configure the VLAN to Voice VLAN
Command: voice-vlan vlan <vlan-id> / no voice-vlan (Global Mode). Explanation: Set/cancel the VLAN as the Voice VLAN.
2.
[Figure: Voice VLAN typical application topology (Switch, IP-phone1, IP-phone2)]
Configuration item: Voice VLAN. Explanation: global configuration on the Switch.
18.8.4 Voice VLAN Troubleshooting
Voice VLAN cannot be applied concurrently with MAC-based VLAN. The Voice VLAN supports a maximum of 1024 voice devices; devices beyond that number are not supported. The Voice VLAN is enabled on the port by default. If traffic from the configured voice devices can no longer enter the Voice VLAN during operation, check whether the Voice VLAN function has been disabled on the port.
Chapter 19 MAC Table Configuration
19.1 Introduction to MAC Table
The MAC table records the mapping between destination MAC addresses and switch ports. MAC addresses are categorized as static MAC addresses and dynamic MAC addresses.
[Figure: MAC table dynamic learning]
Topology of the figure above: four PCs are connected to the switch. PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/5 of the switch; PC3 and PC4 belong to another physical segment, which connects to port 1/12. The initial MAC table contains no address mapping entries. Taking the communication between PC1 and PC3 as an example, the MAC address learning process is as follows:
1.
If PC1 sends a frame to PC3, the switch forwards the data received on port 1/5 out of port 1/12.
2. Filter data according to the MAC table
If PC1 sends a frame to PC2, the switch, on checking the MAC table, finds that PC2 and PC1 are in the same physical segment and filters the frame (i.e. drops it).
Three types of frames can be forwarded by the switch: broadcast frames, multicast frames and unicast frames. The following describes how the switch deals with each of the three types:
1.
Command: mac-address-table aging-time <0|aging-time> / no mac-address-table aging-time (Global Mode). Explanation: Configure the MAC address aging time; 0 disables aging.
2. Configure static MAC forwarding or filter entry
Command: mac-address-table {static | static-multicast | blackhole} address <mac-addr> vlan <vlan-id> [interface ethernet <interface-name>] (Global Mode). Explanation: Configure static MAC entries, static multicast MAC entries and filter (blackhole) entries.
19.3 Typical Configuration Examples
[Figure: MAC table typical configuration example]
Scenario: four PCs connect to ports 1/5, 1/7, 1/9 and 1/11 of the switch as shown in the figure above; all four belong to the default VLAN 1. Dynamic learning is enabled as required by the network environment. PC1 holds sensitive data and must not be reachable from any PC in another physical segment; PC2 and PC3 have static mappings set to port 1/7 and port 1/9, respectively. The configuration steps are listed below:
1.
Spanning Tree is enabled and the port is in the "discarding" state, or the device has just been connected to the port and Spanning Tree is still calculating; wait until the Spanning Tree calculation finishes and the port will learn the MAC address. If none of the above applies, check the switch port and contact technical support.
19.5 MAC Address Function Extension
19.5.1 MAC Address Binding
19.5.1.
2. Lock the MAC addresses for a port
Command: switchport port-security lock / no switchport port-security lock (Port Mode). Explanation: Lock the port so that no further MAC addresses are learned; the no command restores learning. Notice: this command is not supported by the switch.
Command: switchport port-security convert. Explanation: Convert the dynamic secure MAC addresses learned by the port to static secure MAC addresses. Notice: this command is not supported by the switch.
19.5.1.3 MAC Address Binding Troubleshooting
Enabling MAC address binding for a port may fail in some cases. Possible causes and solutions: if MAC address binding cannot be enabled for a port, make sure the port is not a member of a port aggregation group and is not configured as a trunk port. MAC address binding is mutually exclusive with these configurations; if MAC address binding is to be enabled, disable them first.
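The learning, filtering, aging, static/blackhole and MAC-binding behaviour described in 19.1 to 19.5 above can be followed in a small model. The block below is an added illustration, not code from the QSW-3400 or its manual; port names, MAC addresses and timestamps are constructed test data, and the per-port binding set is a simplification of the MAC address binding function.

```python
"""MAC address table model: dynamic learning, aging, static and blackhole
entries, and per-port MAC address binding.

Added illustrative example, not code from the QSW-3400 or its manual.
Port names, MAC addresses and timings used with it are constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass
class Entry:
    ports: FrozenSet[str]   # egress ports; empty for a blackhole entry
    kind: str               # "dynamic", "static" or "blackhole"
    last_seen: float        # time of learning / last refresh (dynamic only)


class MacTable:
    def __init__(self, aging_time: float = 300.0):
        # aging_time 0 disables aging, like "mac-address-table aging-time <0|aging-time>"
        self.aging_time = aging_time
        self.entries: Dict[Tuple[int, str], Entry] = {}
        self.bound: Dict[str, Set[str]] = {}   # port -> MACs allowed by MAC address binding

    def add_static(self, vlan: int, mac: str, *ports: str) -> None:
        """Static unicast (one port) or static multicast (several ports) entry."""
        self.entries[(vlan, mac)] = Entry(frozenset(ports), "static", 0.0)

    def add_blackhole(self, vlan: int, mac: str) -> None:
        """Filter entry: frames to or from this address are dropped."""
        self.entries[(vlan, mac)] = Entry(frozenset(), "blackhole", 0.0)

    def bind(self, port: str, macs) -> None:
        """MAC address binding: the port accepts only these source addresses."""
        self.bound[port] = set(macs)

    def age(self, now: float) -> int:
        """Remove dynamic entries idle for at least aging_time; return how many."""
        if self.aging_time <= 0:
            return 0
        expired = [k for k, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_seen >= self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, vlan: int, src: str, dst: str, in_port: str,
                now: float, all_ports: Set[str]) -> Set[str]:
        """Learn src, then return the egress port set for the frame (empty = drop)."""
        if in_port in self.bound and src not in self.bound[in_port]:
            return set()                      # source not bound to this port
        src_entry = self.entries.get((vlan, src))
        if src_entry is None or src_entry.kind == "dynamic":
            self.entries[(vlan, src)] = Entry(frozenset({in_port}), "dynamic", now)
        elif src_entry.kind == "blackhole":
            return set()                      # frames from a filtered address are dropped
        # a static source entry is never moved by learning
        dst_entry = self.entries.get((vlan, dst))
        if dst_entry is None:
            # unknown unicast, broadcast and unregistered multicast are flooded in the VLAN
            return set(all_ports) - {in_port}
        if dst_entry.kind == "blackhole":
            return set()
        # a destination known on the ingress port is in the same segment: filter it
        return set(dst_entry.ports) - {in_port}


if __name__ == "__main__":
    t = MacTable(aging_time=300)
    ports = {"1/5", "1/7", "1/9", "1/11", "1/12"}
    print(t.forward(1, "00:00:00:00:00:01", "00:00:00:00:00:03", "1/5", 0.0, ports))   # flooded
    print(t.forward(1, "00:00:00:00:00:03", "00:00:00:00:00:01", "1/12", 1.0, ports))  # {'1/5'}
```

The first frame from PC1 to PC3 floods because the destination is unknown; the reply already has PC1's entry and goes straight to port 1/5. A blackhole entry drops traffic in both directions, and a bound port refuses frames from any address outside its binding.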
Command: mac-address-table notification / no mac-address-table notification (Global mode). Explanation: Enable or cancel the global MAC notification.
3. Configure the interval for sending MAC notification
Command: mac-address-table notification interval <0-86400> / no mac-address-table notification interval (Global mode). Explanation: Configure the interval for sending MAC address notifications; the no command restores the default interval.
4.
trap.
19.6.3 MAC Notification Example
The IP address of the network management station (NMS) is 1.1.1.5 and the IP address of the agent is 1.1.1.9. The NMS receives trap messages from the agent.
Chapter 20 MSTP Configuration
20.1 Introduction to MSTP
MSTP (Multiple Spanning Tree Protocol) is a spanning-tree protocol based on STP and RSTP. It runs on all bridges of a bridged LAN. It calculates a Common and Internal Spanning Tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP, and also calculates independent Multiple Spanning Tree Instances (MSTIs) within each MST region (MSTP domain).
[Figure: example of CIST and MST region (bridges Root, A, B, C, D, E, F, M)]
In the network above, if the bridges run STP or RSTP, one port between Bridge M and Bridge B is blocked. If the bridges inside the highlighted range run MSTP and are configured in the same MST region, MSTP treats the region as a single bridge; therefore one port between Bridge B and Root is blocked and one port on Bridge D is blocked.
20.1.1.
An MSTI is only valid within its MST region and is independent of the MSTIs of other regions. Bridges in an MST region receive the MST BPDUs of other regions through boundary ports; they process only the CIST-related information and discard the MSTI information.
20.1.2 Port Roles
An MSTP bridge assigns a port role to each port running MSTP. CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port. In addition to these roles, each MSTI port can take one more role: Master Port.
no spanning-tree mode
Command: spanning-tree mcheck (Port Mode). Explanation: Force the port to migrate to running MSTP.
2. Configure instance parameters
Command: spanning-tree mst <instance-id> priority <bridge-priority> / no spanning-tree mst <instance-id> priority (Global Mode). Explanation: Set the bridge priority for the specified instance.
Command: spanning-tree priority <bridge-priority> / no spanning-tree priority (Global Mode). Explanation: Configure the spanning-tree priority of the switch.
The no spanning-tree mst configuration command restores the default setting.
MSTP region mode:
Command: show. Explanation: Display the information of the current running system.
Command: instance <instance-id> vlan <vlan-list> / no instance <instance-id> [vlan <vlan-list>]. Explanation: Create an instance and set the mapping between VLANs and the instance.
Command: name <name> / no name. Explanation: Set the MSTP region name.
Command: revision-level <level>. Explanation: Set the MSTP region revision level.
[recovery <30-3600>] / no spanning-tree portfast. Explanation: Configure the port as a boundary port. With bpdufilter, received BPDUs are discarded; with bpduguard, receiving a BPDU disables the port; with no parameter, receiving a BPDU turns the port into a non-boundary port.
6.
restores the use of the generated string.
9. Configure the FLUSH mode once topology changes
Command: spanning-tree tcflush {enable | disable | protect} / no spanning-tree tcflush (Global Mode). Explanation: enable: the MAC address table is flushed once the topology changes. disable: the MAC address table is not flushed when the topology changes. protect: the MAC address table is flushed at most once every ten seconds. The no command restores the default setting (enable, flush once the topology changes).
The connections among the switches are shown in the figure above. All the switches run in MSTP mode by default; their bridge priority, port priority and port path cost are all at their default (equal) values.
Set the bridge priority of Instance 3 in Switch3 as 0. Set the bridge priority of Instance 4 in Switch4 as 0.
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/1-7
Switch3(Config-Port-Range)#switchport mode trunk
Switch3(Config-Port-Range)#exit
Switch3(config)#spanning-tree
Switch3(config)#spanning-tree mst 3 priority 0
Switch4:
Switch4(config)#vlan 20
Switch4(Config-Vlan20)#exit
Switch4(config)#vlan 30
Switch4(Config-Vlan30)#exit
Switch4(config)#vlan 40
Switch4(Config-Vlan40)#exit
Switch4(config)#vlan 50
Switch4(Config-Vlan50)#exit
Switch4(config)#spanning-tree mst configuration
Switch4(Config-Mstp-Reg
[Figure: the topology of Instance 0 after the MSTP calculation (SW1-SW4)]
[Figure: the topology of Instance 3 after the MSTP calculation]
[Figure: the topology of Instance 4 after the MSTP calculation]
20.4 MSTP Troubleshooting
To run MSTP on a switch port, MSTP has to be enabled globally; if MSTP is not enabled globally, it cannot be enabled on the port.
The MSTP timer parameters depend on each other, so they must satisfy the following conditions, otherwise MSTP may work incorrectly:
2 × (Bridge_Forward_Delay - 1.0 seconds) >= Bridge_Max_Age
Bridge_Max_Age >= 2 × (Bridge_Hello_Time + 1.
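Two points from this chapter are worth checking before a configuration is pushed: switches join the same MST region only if name, revision level and the VLAN-to-instance mapping all agree (20.2, the instance/name/revision-level commands in region mode), and the timers must satisfy the relationship given in 20.4. The block below is an added example, not code from the QSW-3400 or its manual. It computes the MST configuration digest the way IEEE 802.1Q defines it (HMAC-MD5 with the standard signature key over the 4096-entry VLAN-to-MSTID table) and checks the 802.1D timer constraint; the VLAN-to-instance mapping for Switch3/Switch4 is an assumption, because the manual's example is truncated before it.

```python
"""MST region identification (name, revision level, VLAN-to-instance digest)
and the STP timer consistency check from the troubleshooting section.

Added example, not code from the QSW-3400 or its manual. The VLAN-to-instance
mapping used in the demonstration at the bottom is an assumption for
Switch3/Switch4; the manual's example is truncated and does not show it.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Signature key defined by IEEE 802.1Q for the MST Configuration Digest
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_instance: Dict[int, int]) -> str:
    """HMAC-MD5 over the MST configuration table: 4096 two-octet MSTIDs,
    one per VLAN ID 0..4095, big-endian. Unmapped VLANs belong to the CIST (0)."""
    table = b"".join(vlan_to_instance.get(vid, 0).to_bytes(2, "big")
                     for vid in range(4096))
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_id(name: str, revision: int,
              vlan_to_instance: Dict[int, int]) -> Tuple[str, int, str]:
    """Bridges are in one MST region only if all three fields match
    (set by the 'name', 'revision-level' and 'instance ... vlan' commands)."""
    return (name, revision, mst_config_digest(vlan_to_instance))


def same_region(a, b) -> bool:
    return region_id(*a) == region_id(*b)


def stp_timers_consistent(hello: float, max_age: float, forward_delay: float) -> bool:
    """IEEE 802.1D relationship quoted in 20.4 (times in seconds):
    2 * (Forward_Delay - 1.0) >= Max_Age and Max_Age >= 2 * (Hello_Time + 1.0)."""
    return 2 * (forward_delay - 1.0) >= max_age and max_age >= 2 * (hello + 1.0)


if __name__ == "__main__":
    # Assumed mapping: instance 3 = VLAN 20, 30; instance 4 = VLAN 40, 50
    sw3 = ("mstp", 1, {20: 3, 30: 3, 40: 4, 50: 4})
    sw4 = ("mstp", 1, {20: 3, 30: 3, 40: 4, 50: 4})
    sw4_typo = ("mstp", 1, {20: 3, 30: 3, 40: 4})   # VLAN 50 left in the CIST
    print("default digest:", mst_config_digest({}))
    print("sw3/sw4 same region:", same_region(sw3, sw4))
    print("sw3/sw4_typo same region:", same_region(sw3, sw4_typo))
    print("default timers ok:", stp_timers_consistent(2, 20, 15))
```

A single VLAN left out of an instance on one switch changes its digest, so that switch silently forms a region of its own and the instance topologies in 20.3 no longer apply; comparing the three region fields is the quickest way to catch that.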
Chapter 21 QoS Configuration
21.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service to selected traffic. QoS guarantees consistent and predictable data transfer to fulfil application requirements.
IP Precedence: IP priority, classification information carried in the Layer 3 IP packet header, occupying 3 bits, in the range 0 to 7.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet header, occupying 6 bits, in the range 0 to 63; it is backward compatible with IP Precedence.
MPLS TC (EXP): a field of the MPLS header carrying the service class, 3 bits, in the range 0 to 7.
Based on differentiated services, QoS assigns a priority to each packet at ingress. The classification information is carried in the Layer 3 IP packet header or in the Layer 2 802.1Q frame header. QoS provides the same service to packets of the same priority and different treatment to packets of different priorities.
[Figure: classification process]
Policing and remarking: each packet in the classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked. Policing can be performed per flow to apply different policies that allocate bandwidth to classified traffic; the bandwidth policy may be dual-bucket dual-colour or dual-bucket three-colour.
The following flowchart describes the operations.
[Figure: policing and remarking process]
Queuing and scheduling: egress packets carry the internal priority and the drop precedence. The queuing operation assigns packets to priority queues according to the internal priority, while the scheduling operation forwards packets according to the priority queue weights and the drop precedence. The following flowchart describes the operations during queuing and scheduling.
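The dual-bucket three-colour policing mentioned above is the two-rate three-colour marker of RFC 2698: a committed bucket (CIR/CBS) and a peak bucket (PIR/PBS), with green for traffic inside the committed rate, yellow for traffic between the two rates and red beyond the peak. The block below is an added example, not code from the QSW-3400 or its manual; it implements that marker in colour-blind mode and applies the drop/transmit/remark actions of the policy-map commands to a constructed burst (rates, bucket sizes and packet sizes are assumed test values).

```python
"""Two-rate three-colour marker (dual-bucket three-colour policing, RFC 2698)
with in-profile / out-of-profile actions as used by the policy-map commands.

Added example, not code from the QSW-3400 or its manual. Rates, bucket sizes
and the packet stream used with it are constructed test data.
"""
from typing import Dict, List, Tuple, Union

Action = Union[str, Tuple[str, int]]   # "transmit", "drop" or ("set-dscp", value)


class TwoRateThreeColorMarker:
    """CIR/CBS feed the committed bucket, PIR/PBS the peak bucket.
    Colour-blind mode: every packet is judged on the buckets alone."""

    def __init__(self, cir_bps: int, cbs_bytes: int, pir_bps: int, pbs_bytes: int):
        self.cir = cir_bps / 8.0          # committed rate, bytes per second
        self.pir = pir_bps / 8.0          # peak rate, bytes per second
        self.cbs = float(cbs_bytes)       # committed burst size
        self.pbs = float(pbs_bytes)       # peak burst size
        self.tc = self.cbs                # both buckets start full
        self.tp = self.pbs
        self.last = 0.0

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self.last)
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)

    def color(self, size: int, now: float) -> str:
        self._refill(now)
        if self.tp < size:                # exceeds the peak bucket: red
            return "red"
        if self.tc < size:                # within peak but above committed: yellow
            self.tp -= size
            return "yellow"
        self.tp -= size                   # within the committed rate: green
        self.tc -= size
        return "green"


def police(marker: TwoRateThreeColorMarker,
           packets: List[Tuple[float, int, int]],
           policy: Dict[str, Action]) -> List[Tuple[str, str, int]]:
    """packets: (time, size_bytes, dscp). policy maps colour -> action; green is
    in-profile, yellow and red are out-of-profile. Returns (colour, action, egress dscp or -1)."""
    result = []
    for now, size, dscp in packets:
        c = marker.color(size, now)
        action = policy[c]
        if action == "drop":
            result.append((c, "drop", -1))
        elif action == "transmit":
            result.append((c, "transmit", dscp))
        else:
            result.append((c, "transmit", action[1]))   # remarked on the way out
    return result


if __name__ == "__main__":
    m = TwoRateThreeColorMarker(cir_bps=16_000, cbs_bytes=4_000, pir_bps=32_000, pbs_bytes=8_000)
    burst = [(0.0, 1500, 46)] * 10 + [(1.0, 1500, 46)]   # 10 frames at once, one a second later
    policy = {"green": "transmit", "yellow": ("set-dscp", 0), "red": "drop"}
    for row in police(m, burst, policy):
        print(row)
```

With a 4000-byte committed burst and an 8000-byte peak burst, a burst of ten 1500-byte frames yields two green, three yellow and five red frames; one second later both buckets have refilled enough for the next frame to be green again.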
[Figure: queuing and scheduling process]
21.2 QoS Configuration Task List
Configure class map: set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 flow label to classify the data stream. Different classes of data streams are processed with different policies.
Configure a policy map: after data stream classification, a policy map can be created and associated with the class map created earlier, entering class mode. Different policies (such as bandwidth limiting, priority degrading or assigning a new DSCP value) can then be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes.
Apply QoS to the ports or the VLAN interfaces: configure the trust mode for ports or bind policies to ports.
Command: class <class-map-name> [insert-before <class-map-name>] / no class <class-map-name> (Policy Map Mode). Explanation: After a policy map is created, associate it with a class. Different policies or a new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class.
yellow, red) of packets: in-profile means green, out-of-profile means yellow and red.
Command: drop / no drop; transmit / no transmit (Policy class map configuration mode). Explanation: Drop or transmit the traffic that matches the class; the no command cancels the assigned action.
3. Apply QoS to port or VLAN interface
Command (Interface Configuration Mode): configure port trust; the no command disables the current trust status of the port.
Command: no mls qos queue algorithm. Explanation: Restore the default queue management algorithm, WRR.
Command: mls qos queue wrr weight <weight1 ... weight8> / no mls qos queue wrr weight (Port Mode). Explanation: Set the WRR queue weights of the port; the default queue weights are 1 2 3 4 5 6 7 8.
Command: mls qos queue wdrr weight <weight1 ... weight8> / no mls qos queue wdrr weight (Port Mode). Explanation: Configure the WDRR queue weights of the port; the default weights are 10 20 40 80 160 320 640 1280.
Command: show policy-map [<policy-map-name>]. Explanation: Display the policy map information of QoS.
Command: show mls qos {interface [<interface-name>] [policy | queuing] | vlan <vlan-id>}. Explanation: Display QoS configuration information of a port or VLAN.
21.3 QoS Example
Example 1: Enable the QoS function, change the queue output weights of the port to 1:1:2:2:4:4:8:8, set the port to trust CoS mode and set the default CoS value of the port to 5.
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#service-policy input p1
Configuration result: ACL 1 matches the segment 192.168.1.0. QoS is enabled globally and a class map named c1 is created matching ACL 1; a policy map named p1 is created referencing c1, with policies set to limit bandwidth and burst. This policy map is applied to port ethernet 1/2. After the above settings, bandwidth for packets from segment 192.
Switch(Config-ClassMap-c1)#match access-group 1
Switch(Config-ClassMap-c1)#exit
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#set ip precedence 5
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/1
Switch(Config-If-Ethernet1/1)#service-policy input p1
QoS configuration in Switch2:
Switch#config
Switch(config)#interface ethernet 1/1
Switch(Config-If-Ethernet1/1)#mls qos trust cos
21.
Chapter 22 Flow-based Redirection
22.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to send data frames that meet a condition specified by an ACL out of another, specified port. Frames meeting the same condition are called a class of flow; the ingress port of the frames is called the source port of the redirection, and the specified egress port is called the destination port of the redirection.
system/port.
22.3 Flow-based Redirection Examples
Example: the user's configuration request is as follows: redirect frames whose source IP is 192.168.1.111, received on port 1, to port 6; that is, send frames with source IP 192.168.1.111 received on port 1 out through port 6.
Configuration steps: 1. Set an ACL whose match condition is source IP 192.168.1.111; 2. Apply the flow-based redirection to port 1.
Chapter 23 Flexible QinQ Configuration
23.1 Introduction to Flexible QinQ
23.1.1 QinQ Technique
Dot1q-tunnel, also called QinQ (802.1Q-in-802.1Q), is an extension of 802.1Q. Its main idea is to encapsulate the customer VLAN tag (CVLAN tag) inside a service provider VLAN tag (SPVLAN tag). The packet carrying two VLAN tags is transmitted through the ISP backbone, providing a simple Layer 2 tunnel for users.
Command: class-map <class-map-name> / no class-map <class-map-name> (Global mode). Explanation: Create a class-map and enter class-map mode; the no command deletes the specified class-map.
4. Show the flexible QinQ policy-map bound to a port
Command: show mls qos {interface [<interface-name>] (Admin mode). Explanation: Show the flexible QinQ configuration on the port.
23.
If the data flow of DSLAM1 enters the switch's downlink port 1, the configuration is as follows:
Switch(config)#class-map c1
Switch(config-classmap-c1)#match ip dscp 10
Switch(config-classmap-c1)#exit
Switch(config)#class-map c2
Switch(config-classmap-c2)#match ip dscp 20
Switch(config-classmap-c2)#exit
Switch(config)#class-map c3
Switch(config-classmap-c3)#match ip dscp 30
Switch(config-classmap-c3)#exit
Switch(config)#policy-map p1
Switch(config-policymap-p1)#class c1
Switch(config-policymap-p1-class-c1)#
Switch(config-policymap-p1-class-c3)#set s-vid 3002
Switch(config-policymap-p1-class-c3)#exit
Switch(config-policymap-p1)#exit
Switch(config)#interface ethernet 1/1
Switch(config-if-ethernet1/1)#dot1q-tunnel enable
Switch(config-if-ethernet1/1)#service-policy p1 in
23.
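What the dot1q-tunnel port does with the policy above is read the DSCP of the customer frame, pick an S-VID per class and push an outer 802.1Q tag in front of the customer tag. The block below is an added example, not code from the QSW-3400 or its manual. The manual's example maps DSCP 30 to S-VID 3002; the S-VIDs for classes c1 and c2 (3000 and 3001), the MAC addresses and the test frames are assumptions.

```python
"""Flexible QinQ: pick the service-provider VLAN (S-VID) from the customer
frame's DSCP, as the class-map / set s-vid policy does, and push the outer tag.

Added example, not code from the QSW-3400 or its manual. The manual's example
maps DSCP 30 to S-VID 3002; the S-VIDs for DSCP 10 and 20 (3000, 3001) and all
MAC addresses used with it are assumptions.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100              # dot1q-tunnel pushes a 0x8100 outer tag
TPID_8021AD = 0x88A8             # 802.1ad S-tag value, recognised when parsing
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(dst: bytes, src: bytes, cvid: int, dscp: int,
                     payload: bytes = b"") -> bytes:
    """Constructed test frame: Ethernet + C-tag (PCP 0) + minimal IPv4 header."""
    ip_hdr = bytes([0x45, dscp << 2]) + struct.pack(
        "!HHHBBH4s4s", 20 + len(payload), 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return (dst + src + struct.pack("!HH", TPID_8021Q, cvid & 0x0FFF)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload)


def parse_tags(frame: bytes) -> Tuple[List[Tuple[int, int]], int, int]:
    """Return ([(tpid, vid), ...] outermost first, ethertype, offset of the L3 header)."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] in (TPID_8021Q, TPID_8021AD, 0x9100):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    etype = struct.unpack_from("!H", frame, off)[0]
    return tags, etype, off + 2


def ipv4_dscp(frame: bytes, l3_off: int) -> int:
    return frame[l3_off + 1] >> 2          # DSCP is the top six bits of the TOS byte


def flexible_qinq(frame: bytes, dscp_to_svid: Dict[int, int],
                  default_svid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ingress policy of a dot1q-tunnel port: match DSCP, set s-vid, push the
    S-tag. A frame matching no class gets the port default S-VID, or is left
    untouched when none is given."""
    tags, etype, l3 = parse_tags(frame)
    svid = dscp_to_svid.get(ipv4_dscp(frame, l3)) if etype == ETHERTYPE_IPV4 else None
    if svid is None:
        svid = default_svid
    if svid is None:
        return frame
    stag = struct.pack("!HH", TPID_8021Q, ((pcp & 7) << 13) | (svid & 0x0FFF))
    return frame[:12] + stag + frame[12:]   # the outer tag goes right after the source MAC


if __name__ == "__main__":
    policy = {10: 3000, 20: 3001, 30: 3002}      # classes c1, c2, c3 of the manual's example
    f = build_ipv4_frame(b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee",
                         cvid=100, dscp=30)
    print(parse_tags(flexible_qinq(f, policy)))
```

After the push the frame carries two tags, S-VID 3002 outermost and the customer's VLAN 100 inside; the customer tag and everything after it are untouched, which is what lets the far end of the tunnel pop the outer tag and hand the original frame back.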
Chapter 24 Layer 3 Management Configuration
The switch only supports Layer 2 forwarding, but a Layer 3 management interface can be configured for communication with all kinds of IP-based management protocols.
24.1 Layer 3 Management Interface
24.1.1 Introduction to Layer 3 Management Interface
Only one Layer 3 management interface can be created on the switch. The Layer 3 interface is not a physical interface but a virtual interface built on a VLAN.
24.2 IP Configuration
24.2.1 Introduction to IPv4, IPv6
IPv4 is the current version of the universal Internet protocol. Practice has proved that IPv4 is simple, flexible, open, stable, robust and easy to implement, and that it collaborates well with the protocols of the upper and lower layers. Although IPv4 has hardly changed since it was established in the 1980s, it has kept growing to its current global scale with the spread of the Internet.
entries and improves the efficiency and scalability of routing and packet processing. The IPv6 header design is more efficient than IPv4's: it has fewer fields and drops the header checksum, which speeds up processing of the basic IPv6 header.
24.2.2 IP Configuration
The Layer 3 interface can be configured as an IPv4 interface or an IPv6 interface.
24.2.2.1 IPv4 Address Configuration
IPv4 address configuration task list:
1. Configure the IPv4 address of the Layer 3 interface
2. Configure the default gateway
1.
Command: ipv6 address <ipv6-address/prefix-length> [eui-64] / no ipv6 address <ipv6-address/prefix-length> (Interface Configuration Mode). Explanation: Configure IPv6 global unicast addresses and site-local addresses on the interface; the no command cancels the IPv6 address.
(4) Delete all entries in IPv6 neighbor table
Command: clear ipv6 neighbors (Admin Mode). Explanation: Clear all static neighbor table entries.
24.2.3 IPv6 Troubleshooting
If the connected PC has not obtained an IPv6 address, check the RA (router advertisement) announcement switch, which is turned off by default.
24.3 Static Route
24.3.1 Introduction to Static Route
As mentioned earlier, a static route is a manually specified path to a network or a host.
24.3.3 Static Route Configuration Task List 1.
Next hop uses the partner IP address
Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
Next hop uses the partner IP address
Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
Configuration of Layer 3 SwitchB
Switch#config
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
In this way, ping connectivity can be established between PC-A and PC-C, and between PC-B and PC-C.
24.4 ARP
24.4.1 Introduction to ARP
ARP (Address Resolution Protocol) is mainly used to resolve an IP address to an Ethernet MAC address.
Chapter 25 ARP Scanning Prevention Function Configuration
25.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common network attack technique. To discover all active hosts in a network segment, the attacker broadcasts a large number of ARP messages in the segment, consuming a large part of the network bandwidth. It may even mount a large-traffic attack with forged ARP messages, collapsing the network by exhausting its bandwidth.
1. Enable the ARP Scanning Prevention function
Command: anti-arpscan enable / no anti-arpscan enable (Global configuration mode). Explanation: Enable or disable the ARP Scanning Prevention function globally.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
Command: anti-arpscan port-based threshold <threshold-value> / no anti-arpscan port-based threshold (Global configuration mode). Explanation: Set the threshold of the port-based ARP Scanning Prevention.
Command: anti-arpscan recovery time <seconds> / no anti-arpscan recovery time. Explanation: Set the automatic recovery time.
6. Display debug information and ARP scanning information
Command: anti-arpscan log enable / no anti-arpscan log enable (Global configuration mode). Explanation: Enable or disable the log function of ARP scanning prevention.
Command: anti-arpscan trap enable / no anti-arpscan trap enable. Explanation: Enable or disable the SNMP trap function of ARP scanning prevention.
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.
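The mechanism the commands above configure is a rate limit on ARP packets per port and per source IP, with trusted exemptions and an automatic recovery timer. The block below is an added example, not code from the QSW-3400 or its manual, that models it on constructed traffic. It assumes a one-second counting window, that a trusted port is exempt only from the port-based threshold and a trusted IP only from the IP-based one, and that a blocked port or IP is released after the recovery time; the trusted host 192.168.1.100 and the 3600-second recovery time are taken from the manual's example.

```python
"""ARP scanning prevention: per-port and per-source-IP ARP rate thresholds,
trusted exemptions and timed automatic recovery.

Added example, not code from the QSW-3400 or its manual. The one-second
counting window, the exemption rules for trusted ports/IPs and the constructed
traffic in run_scenario() are assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class ArpScanPrevention:
    def __init__(self, port_threshold: int = 10, ip_threshold: int = 5,
                 recovery_time: float = 3600.0, trusted_ips=(), trusted_ports=()):
        self.port_threshold = port_threshold      # anti-arpscan port-based threshold
        self.ip_threshold = ip_threshold          # anti-arpscan ip-based threshold
        self.recovery_time = recovery_time        # anti-arpscan recovery time
        self.trusted_ips = set(trusted_ips)       # anti-arpscan trust ip
        self.trusted_ports = set(trusted_ports)   # anti-arpscan trust port
        self._port_win: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_win: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_ports: Dict[str, float] = {}  # port -> time it was shut down
        self.blocked_ips: Dict[str, float] = {}    # ip -> time it was blocked
        self.log: List[Tuple[float, str, str, str]] = []   # what "log enable" would emit

    @staticmethod
    def _rate(window: Deque[float], now: float) -> int:
        """Packets seen in the last second, including this one."""
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window)

    def _recover(self, now: float) -> None:
        for table, kind in ((self.blocked_ports, "port"), (self.blocked_ips, "ip")):
            for key, since in list(table.items()):
                if now - since >= self.recovery_time:
                    del table[key]
                    self.log.append((now, "recover", kind, key))

    def handle(self, now: float, port: str, src_ip: str) -> bool:
        """Process one ARP packet; True if it is forwarded, False if dropped."""
        self._recover(now)
        if port in self.blocked_ports or src_ip in self.blocked_ips:
            return False
        if port not in self.trusted_ports and \
                self._rate(self._port_win[port], now) > self.port_threshold:
            self.blocked_ports[port] = now
            self.log.append((now, "block", "port", port))
            return False
        if src_ip not in self.trusted_ips and \
                self._rate(self._ip_win[src_ip], now) > self.ip_threshold:
            self.blocked_ips[src_ip] = now
            self.log.append((now, "block", "ip", src_ip))
            return False
        return True


def run_scenario() -> Tuple[List[bool], List[bool], bool]:
    """Constructed traffic: a scanner (10.0.0.9) on port 1/2 and the trusted host
    192.168.1.100 from the manual's example on the same port."""
    guard = ArpScanPrevention(port_threshold=10, ip_threshold=5,
                              recovery_time=3600.0, trusted_ips=["192.168.1.100"])
    scanner = [guard.handle(i * 0.1, "1/2", "10.0.0.9") for i in range(7)]
    trusted = [guard.handle(0.7 + i * 0.1, "1/2", "192.168.1.100") for i in range(7)]
    after_recovery = guard.handle(3600.5, "1/2", "10.0.0.9")
    return scanner, trusted, after_recovery


if __name__ == "__main__":
    print(run_scenario())
```

The scanner gets its first five requests through, is blocked on the sixth (the IP-based threshold), and is released only after the recovery time; the trusted host on the same port keeps working because the port-based threshold is never exceeded. A port-based block, by contrast, takes every host on that port down with the scanner, which is why the two thresholds are set separately.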
Chapter 26 Prevent ARP Spoofing Configuration
26.1 Overview
26.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP protocol (RFC 826) is responsible for mapping an IP address to the corresponding 48-bit physical address, i.e. the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-1F-CE-FD-1D-2B.
and affects the whole network. Or the switches are exploited by malicious attackers, who intercept and capture packets forwarded by the switches, or attack other switches, hosts or network equipment. The essential method of preventing ARP-based attacks and spoofing against switches is to disable the switch's automatic ARP update function: the attacker then cannot replace a correct MAC address to misdirect packets, and cannot obtain other hosts' information.
26.3 Prevent ARP Spoofing Example
[Figure: Switch, A, B, C]
Equipment / Configuration / Quantity:
Switch: IP 192.168.2.4; MAC 00-00-00-00-00-04; 1
A: IP 192.168.2.1; MAC 00-00-00-00-00-01; 1
B: IP 192.168.1.2; MAC 00-00-00-00-00-02; 1
C: IP 192.168.2.3; MAC 00-00-00-00-00-03; some
In the diagram above there is normal communication between B and C. A wants the switch to forward the packets sent by B to A itself, so it needs the switch to deliver the packets from B to A.
ethernet 1/3
Switch(Config-If-Vlan3)#exit
Switch(Config)#ip arp-security learnprotect
Switch(Config)#
Switch(config)#ip arp-security convert
If the environment is stable (addresses do not change), ARP refresh can be forbidden: once an ARP entry is learned it is no longer refreshed by new ARP reply packets, which protects user data from sniffing.
Switch#config
Switch(config)#ip arp-security updateprotect
Chapter 27 ARP GUARD Configuration
27.1 Introduction to ARP GUARD
The design of the ARP protocol has a serious security weakness: any network device can send ARP messages advertising a mapping between an IP address and a MAC address. This provides an opportunity for ARP spoofing. Attackers can send ARP REQUEST or ARP REPLY messages advertising a false IP-to-MAC mapping, causing problems in network communication.
27.2 ARP GUARD Configuration Task List
Configure the protected IP address
Command: arp-guard ip <ip-address> / no arp-guard ip <ip-address> (Port configuration mode). Explanation: Configure/delete the ARP GUARD protected address.
Chapter 28 Gratuitous ARP Configuration
28.1 Introduction to Gratuitous ARP
Gratuitous ARP is an ARP request sent by a host with its own IP address as the target of the request. The basic working mode of the switch is as follows: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured globally to send gratuitous ARP packets on all interfaces. The purposes of gratuitous ARP are:
1.
28.3 Gratuitous ARP Configuration Example
[Figure: gratuitous ARP configuration example; switch interface vlan10 192.168.15.254 255.255.255.0; PC1-PC5]
In the network topology shown above, interface VLAN10 of the switch has IP address 192.168.15.254 and network mask 255.255.255.0. Five PCs (PC1 to PC5) are connected to the interface. Gratuitous ARP can be enabled through the following configuration:
1.
configuration can only be disabled in interface configuration mode. If gratuitous ARP is enabled in both global and interface configuration mode, and the sending interval is configured in both modes, the switch uses the value configured in interface configuration mode.
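Chapters 26 to 28 describe three related checks a switch can make on an ARP frame: a static IP-to-MAC binding that no ARP reply may contradict (ip arp-security with updateprotect), a per-port protected address that no ARP packet on that port may claim (arp-guard ip), and the special case of gratuitous ARP, where sender and target IP are equal. The block below is an added example, not code from the QSW-3400 or its manual; it parses raw ARP frames and applies those checks. The reading of arp-guard as "drop ARP packets whose sender IP is the protected address when they arrive on this port" is an assumption, and the test frames are constructed from the addresses in the manual's examples.

```python
"""ARP inspection: static IP-to-MAC bindings that an ARP packet may not
contradict (ip arp-security, updateprotect), per-port protected addresses
(arp-guard ip) and recognition of gratuitous ARP.

Added example, not code from the QSW-3400 or its manual. The interpretation of
arp-guard (drop packets whose sender IP is protected on the ingress port) and
the test frames built with build_arp() are assumptions.
"""
import struct
from typing import Dict, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = b"\xff" * 6


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str,
              eth_src: Optional[bytes] = None, eth_dst: bytes = BCAST) -> bytes:
    """Construct an Ethernet/ARP frame for testing (eth_src defaults to sha)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, _ip(spa), tha, _ip(tpa))
    return eth_dst + (eth_src or sha) + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": frame[6:12], "op": op, "sha": sha, "spa": dotted(spa),
            "tha": tha, "tpa": dotted(tpa)}


class ArpInspector:
    def __init__(self, static_bindings: Dict[str, bytes]):
        self.bindings = dict(static_bindings)      # ip -> mac, never refreshed by ARP
        self.protected: Dict[str, Set[str]] = {}   # port -> protected IPs (arp-guard ip)

    def guard(self, port: str, ip: str) -> None:
        self.protected.setdefault(port, set()).add(ip)

    def inspect(self, port: str, frame: bytes) -> Tuple[str, str]:
        """Return ("accept" | "drop", reason) for an ARP frame received on port."""
        a = parse_arp(frame)
        if a is None:
            return "accept", "not an ARP frame"
        if a["eth_src"] != a["sha"]:
            return "drop", "Ethernet source MAC differs from ARP sender MAC"
        if a["spa"] in self.protected.get(port, set()):
            return "drop", "arp-guard: %s is protected on port %s" % (a["spa"], port)
        bound = self.bindings.get(a["spa"])
        if bound is not None and bound != a["sha"]:
            return "drop", "spoof: %s is bound to %s, frame claims %s" % (
                a["spa"], bound.hex(), a["sha"].hex())
        if a["spa"] == a["tpa"]:
            return "accept", "gratuitous ARP"
        return "accept", "request" if a["op"] == ARP_REQUEST else "reply"


if __name__ == "__main__":
    # Addresses from the manual's example: switch .4, A .1, C .3 (B is 192.168.1.2)
    A, B, C = bytes.fromhex("000000000001"), bytes.fromhex("000000000002"), bytes.fromhex("000000000003")
    insp = ArpInspector({"192.168.2.4": bytes.fromhex("000000000004"),
                         "192.168.2.1": A, "192.168.2.3": C})
    print(insp.inspect("1/1", build_arp(ARP_REPLY, A, "192.168.2.3", B, "192.168.1.2")))
```

With A's MAC claiming C's address the reply is dropped as a spoof, while a reply from C itself, and C's gratuitous ARP, pass. Protecting 192.168.15.254 on an access port drops any ARP packet from a PC that claims the gateway address, without affecting the uplink where the gateway legitimately speaks.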
Chapter 29 DHCP Configuration
29.1 Introduction to DHCP
DHCP [RFC 2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP addresses dynamically from an address pool, as well as other network configuration parameters such as the default gateway, DNS server, default route and boot image file location. DHCP is an enhanced version of BOOTP.
DHCP broadcast packets sent by the client, therefore no DHCP packets will be sent to the client by the server. In this case a DHCP relay is required to forward the DHCP packets so that the exchange can be completed between the DHCP client and the server. The switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment but also manual IP address binding (i.e.
The no ip dhcp pool <name> command cancels the DHCP address pool.
(2) Configure DHCP address pool parameters
Command: network-address <network-number> [mask | prefix-length] / no network-address (DHCP Address Pool Mode). Explanation: Configure the address range that can be allocated from the address pool; the no command cancels it.
Command: default-router <address> [<address> ...] / no default-router (DHCP Address Pool Mode). Explanation: Configure the default gateway(s) for DHCP clients.
The no command deletes the lease period allocated to addresses in the address pool.
Command: max-lease-time {[<days>] [<hours>] [<minutes>] | infinite} / no max-lease-time (DHCP Address Pool Mode). Explanation: Set the maximum lease time for the addresses in the pool; the no command restores the default setting.
Command: ip dhcp excluded-address <low-address> [<high-address>] / no ip dhcp excluded-address <low-address> [<high-address>] (Global Mode). Explanation: Exclude the address or address range from dynamic allocation; the no command cancels the exclusion.
each segment, one DHCP server can provide the network configuration parameters for clients from multiple segments, which is both cost-effective and easier to manage.
no ip forward-protocol udp bootps: cancel the forwarding of BOOTP/DHCP packets.
Command: ip helper-address <ip-address> / no ip helper-address <ip-address> (Interface Configuration Mode). Explanation: Set the destination IP address for DHCP relay forwarding; the no command cancels the setting.
3.
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-Vlan-1)#ip address 10.16.1.2 255.255.0.0
Switch(Config-Vlan-1)#exit
Switch(config)#ip dhcp pool A
Switch(dhcp-A-config)#network 10.16.1.0 24
Switch(dhcp-A-config)#lease 3
Switch(dhcp-A-config)#default-router 10.16.1.200 10.16.1.201
Switch(dhcp-A-config)#dns-server 10.16.1.202
Switch(dhcp-A-config)#netbios-name-server 10.16.1.
[Figure: DHCP relay configuration; DHCP clients on E1/1 192.168.1.1, DHCP relay, E1/2 10.1.1.1, DHCP server 10.1.1.10]
As shown in the figure above, the switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10; the configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.
DHCP configuration example
As shown in the figure above, PC1 is a DHCP client that obtains its address through DHCP. Switch1 is a Layer 2 access device with DHCP relay and option 82 enabled; Ethernet1/2 is an access port in VLAN 3, and Ethernet1/3 is a trunk port connected to the DHCP server, whose address is 192.168.40.199. Switch1 creates VLAN 1 and interface VLAN 1, configures the IP address of interface VLAN 1 as 192.168.40.50, and configures the DHCP relay forwarding address as 192.168.40.
does not mean the switch cannot assign IP addresses for different segments; see solution 2 for details.) In the DHCP service, dynamic allocation pools and manual binding pools conflict: if both the "network-address" and "host" commands are configured in one pool, only one of them takes effect; furthermore, only one IP-MAC binding can be configured per manual pool. If multiple bindings are required, create multiple manual pools and set one IP-MAC binding in each.
Chapter 30 DHCPv6 Configuration
30.1 Introduction to DHCPv6
DHCPv6 [RFC 3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters such as DNS server addresses and domain names to DHCPv6 clients; DHCPv6 is the stateful address autoconfiguration protocol of IPv6.
address FF02::1:2.
2. Any DHCPv6 server that receives the request replies to the client with an ADVERTISE message, which includes the identity of the server (its DUID) and its preference.
3. The client may receive multiple ADVERTISE messages. It selects one and replies with a REQUEST message requesting the address advertised in that ADVERTISE message.
4.
1. Enable/disable the DHCPv6 service
Command: service dhcpv6 / no service dhcpv6 (Global Mode). Explanation: Enable or disable the DHCPv6 service.
2. Configure the DHCPv6 address pool
(1) Create/delete a DHCPv6 address pool
Command: ipv6 dhcp pool <pool-name> / no ipv6 dhcp pool <pool-name> (Global Mode). Explanation: Create or delete a DHCPv6 address pool.
30.3 DHCPv6 Relay Delegation Configuration
DHCPv6 relay delegation configuration task list:
1. Enable/disable the DHCPv6 service
2. Configure DHCPv6 relay delegation on the port
1. Enable the DHCPv6 service
Command: service dhcpv6 / no service dhcpv6 (Global Mode). Explanation: Enable or disable the DHCPv6 service.
2.
Command: service dhcpv6 / no service dhcpv6 (Global Mode). Explanation: Enable or disable the DHCPv6 service.
2. Configure the prefix delegation pool
Command: ipv6 local pool <pool-name> / no ipv6 local pool <pool-name> (Global Mode). Explanation: Configure or delete a prefix delegation pool.
3. Configure the DHCPv6 address pool
(1) Create/delete a DHCPv6 address pool
Command: ipv6 dhcp pool <pool-name> / no ipv6 dhcp pool <pool-name> (Global Mode). Explanation: Create or delete a DHCPv6 address pool.
Command: dns-server <ipv6-address> / no dns-server <ipv6-address> (DHCPv6 address pool configuration mode). Explanation: Configure the DNS server address for DHCPv6 clients.
Command: domain-name <domain-name> / no domain-name <domain-name> (DHCPv6 address pool configuration mode). Explanation: Configure the domain name for DHCPv6 clients.
4.
30.6 DHCPv6 Configuration Examples
Example 1: When deploying IPv6 networking, the switch can be configured as a DHCPv6 server to manage the allocation of IPv6 addresses. Both stateful and stateless DHCPv6 are supported.
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.
30.7 DHCPv6 Troubleshooting
If DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, follow these steps once the client hardware and cables have been verified: Verify that the DHCPv6 server is running, and start the DHCPv6 server function if it is not; If the DHCPv6 clients and servers are not on the same physical network, verify that the router responsible for forwarding DHCPv6 packets has the DHCPv6 relay function enabled.
Chapter 31 DHCP option 82 Configuration
31.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The Relay Agent adds option 82 (including the client’s physical access port, the access device ID and other information) to the DHCP request message from the client and then forwards the message to the DHCP server.
1, the sequence number of Remote ID sub-option is 2. Len: the number of bytes in Sub-option Value, not including the two bytes in SubOpt segment and Len segment. 31.1.
31.2 DHCP option 82 Configuration Task List
1. Enable the DHCP option 82 of the Relay Agent
2. Configure the DHCP option 82 attributes of the interface
3. Enable the DHCP option 82 of the server
4. Configure the DHCP option 82 default format of the Relay Agent
5. Configure the delimiter
6. Configure the creation method of option 82
7. Diagnose and maintain DHCP option 82
1. Enabling the DHCP option 82 of the Relay Agent.
DHCP message as “replace”.
Command: ip dhcp relay information option subscriber-id {standard | } / no ip dhcp relay information option subscriber-id
Explanation: This command sets the format of option 82 sub-option 1 (Circuit ID) added to DHCP request messages received on the interface. standard means the standard VLAN name plus physical port name format, such as “Vlan2+Ethernet1/12”; otherwise the circuit-id content of option 82 is specified by the user as a string no longer than 64 characters.
5. Configure delimiter
Command (Global mode): ip dhcp relay information option delimiter [colon | dot | slash | space] / no ip dhcp relay information option delimiter
Explanation: Set the delimiter between the parameters of an option 82 sub-option in global mode; the no command restores the delimiter to slash.
6.
Command: debug ip dhcp relay packet
Explanation: This command displays information on the processing of data packets in the DHCP Relay Agent, including the “add” and “peel” (strip) actions for option 82.
31.
The Linux ISC DHCP Server supports option 82; its configuration file /etc/dhcpd.conf is:
ddns-update-style interim;
ignore client-updates;
class "Switch3Vlan2Class1" {
    match if option agent.circuit-id = "Vlan2+Ethernet1/2" and option agent.remote-id=00:1f:ce:02:33:01;
}
class "Switch3Vlan2Class2" {
    match if option agent.circuit-id = "Vlan2+Ethernet1/3" and option agent.remote-id=00:1f:ce:02:33:01;
}
subnet 192.168.102.0 netmask 255.255.255.0 {
    option routers 192.168.102.2;
    option subnet-mask 255.
192.168.102.51~192.168.102.80.
31.4 DHCP option 82 Troubleshooting
DHCP option 82 is implemented as a sub-function module of the DHCP Relay Agent. Before using it, make sure that the DHCP Relay Agent is configured correctly. DHCP option 82 requires the DHCP Relay Agent and the DHCP server to cooperate to finish the task of allocating IP addresses.
Chapter 32 DHCP option 60 and option 43
Introduction to DHCP option 60 and option 43
The DHCP server analyzes DHCP packets from DHCP clients. If a packet carries option 60, the server decides whether option 43 is returned to the client according to the option 60 in the packet and the option 60 and option 43 configured in the DHCP server address pool. Configure the corresponding option 60 and option 43 in the DHCP server address pool: 1. The address pool has option 60 and option 43 configured at the same time.
32.1 DHCP option 60 and option 43 Example
Typical DHCP option 60 and option 43 topology
A fit AP obtains its IP address and the option 43 attribute from the DHCP server and uses them to send a unicast discovery request to the wireless controller. The DHCP server is configured with an option 60 matching the option 60 of the fit AP, so that it returns the option 43 attribute to the fit AP.
Configuration procedure:
# Configure DHCP server
router(config)#ip dhcp pool a
router(dhcp-a-config)#option 60 ascii AP1000
router(dhcp-a-config)#option 43 ascii 192.168.10.5,192.168.
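The following added example (written for this page; it is not the switch's or ISC dhcpd's code) models in Python the option 82 handling of chapter 31 and the option 60/43 decision of chapter 32: a relay agent inserting sub-option 1 (Circuit ID) and sub-option 2 (Remote ID) with a drop/keep/replace policy for requests that already carry option 82, a server matching the relayed request to a class by circuit-id and remote-id the way the ISC dhcpd classes in 31.3 do, and a server returning option 43 only when the client's option 60 equals the pool's. The MACs, VLAN/port strings, class names and controller address are constructed sample values.

```python
"""DHCP option 82 / option 60-43 handling (added example, not the switch's code).
Sample data (MACs, circuit-ids, class names, addresses) is constructed."""

OPT_VENDOR_CLASS = 60      # option 60: vendor class identifier sent by the client
OPT_VENDOR_INFO = 43       # option 43: vendor-specific information returned by the server
OPT_RELAY_AGENT = 82       # option 82: relay agent information
OPT_END = 255
SUB_CIRCUIT_ID = 1         # option 82 sub-option 1
SUB_REMOTE_ID = 2          # option 82 sub-option 2

# Constructed sample classes in the shape of the ISC dhcpd classes of 31.3:
# name -> (agent.circuit-id, agent.remote-id)
CLASSES = {
    "Switch3Vlan2Class1": ("Vlan2+Ethernet1/2", bytes.fromhex("001fce023301")),
    "Switch3Vlan2Class2": ("Vlan2+Ethernet1/3", bytes.fromhex("001fce023301")),
}


def encode_options(options):
    """Serialize {code: value} as DHCP TLVs (code, len, value) ending with option 255."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < len(value) < 256:
            raise ValueError("option %d: length %d not encodable" % (code, len(value)))
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse DHCP TLVs into {code: value}; bounds-checked so a bad length byte
    cannot make the parser read past the packet."""
    options, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == 0:                     # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("malformed option at offset %d" % i)
        options[blob[i]] = blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + blob[i + 1]
    return options


def build_option82(circuit_id, remote_id):
    """Sub-options share the TLV layout (SubOpt, Len, Value) without an end marker."""
    cid = circuit_id.encode("ascii")
    if not 0 < len(cid) <= 64:               # the manual caps user circuit-ids at 64 characters
        raise ValueError("circuit-id must be 1..64 characters")
    return (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value):
    """Split the option 82 value into {sub-option: value}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("malformed option 82 sub-option")
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    return subs


def relay_insert_option82(request, circuit_id, remote_id, policy="replace"):
    """Relay agent side. A request from a client port that already carries option 82
    is suspicious (clients never legitimately send it), so the policy decides:
    drop -> return None, keep -> forward as received, replace -> overwrite with
    this relay's own option 82 (the manual's default)."""
    options = decode_options(request)
    if OPT_RELAY_AGENT in options:
        if policy == "drop":
            return None
        if policy == "keep":
            return request
        if policy != "replace":
            raise ValueError("unknown policy %r" % policy)
    options[OPT_RELAY_AGENT] = build_option82(circuit_id, remote_id)
    return encode_options(options)


def match_class(request, classes=CLASSES):
    """Server side: the first class whose circuit-id and remote-id both equal the
    option 82 sub-options, like 'match if option agent.circuit-id = ... and option
    agent.remote-id = ...'. None when there is no option 82 or nothing matches."""
    options = decode_options(request)
    if OPT_RELAY_AGENT not in options:
        return None
    subs = parse_option82(options[OPT_RELAY_AGENT])
    for name, (cid, rid) in classes.items():
        if subs.get(SUB_CIRCUIT_ID) == cid.encode("ascii") and subs.get(SUB_REMOTE_ID) == rid:
            return name
    return None


def vendor_reply(request, pool_option60, pool_option43):
    """Server side of chapter 32 for a pool with both option 60 and option 43
    configured: option 43 is returned only if the client's option 60 matches."""
    client60 = decode_options(request).get(OPT_VENDOR_CLASS)
    return pool_option43 if client60 == pool_option60.encode("ascii") else None


if __name__ == "__main__":
    discover = encode_options({53: b"\x01", OPT_VENDOR_CLASS: b"AP1000"})  # DHCPDISCOVER from a fit AP
    relayed = relay_insert_option82(discover, "Vlan2+Ethernet1/2", bytes.fromhex("001fce023301"))
    print(match_class(relayed))                              # Switch3Vlan2Class1
    print(vendor_reply(relayed, "AP1000", b"192.168.10.5"))  # b'192.168.10.5'
```

The replace policy is the safe default for an access port: it guarantees that the circuit-id the server sees was produced by the relay, not by a host that forged option 82 to land in a different class or address range.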
Chapter 33 DHCPv6 option 37, 38
33.1 Introduction to DHCPv6 option 37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client on a different link wants to request an address and configuration parameters from a DHCPv6 server, it must communicate with the server through a DHCPv6 relay agent.
3. DHCPv6 server option basic functions configuration
1. DHCPv6 snooping option basic functions configuration
Command (Global mode): ipv6 dhcp snooping remote-id option / no ipv6 dhcp snooping remote-id option
Description: This command enables DHCPv6 snooping support for option 37; the no command disables it.
Command (Global mode): ipv6 dhcp snooping subscriber-id option / no ipv6 dhcp snooping subscriber-id option
Description: This command enables DHCPv6 snooping support for option 38; the no command disables it.
packet to the server; replace: the system replaces the option 38 of the current packet with its own before forwarding it to the server. The no command restores the forwarding policy for DHCPv6 packets carrying option 38 to replace.
in user-defined option 38, a string shorter than 128 characters. The no operation restores the subscriber-id in option 38 to the VLAN name together with the port name, such as "Vlan2+Ethernet1/2".
2. DHCPv6 relay option basic functions configuration
Command (Global mode): ipv6 dhcp relay remote-id option / no ipv6 dhcp relay remote-id option
Description: This command enables the switch relay to support option 37; the no form of this command disables it.
defined option 37, a string shorter than 128 characters. The no operation restores the remote-id in option 37 to the enterprise number together with the VLAN MAC address.
Command (Global mode): ipv6 dhcp relay subscriber-id / no ipv6 dhcp relay subscriber-id
Description: This command sets the form of the option 38 added to received DHCPv6 request packets, where the argument is the content of the subscriber-id in user-defined option 38, a string shorter than 128 characters.
configured.
Command: ipv6 dhcp class / no ipv6 dhcp class
Description: This command defines a DHCPv6 class and enters DHCPv6 class mode; the no form of this command removes the DHCPv6 class.
Command (Interface configuration mode): ipv6 dhcp server select relay-forw / no ipv6 dhcp server select relay-forw
Description: This command enables the DHCPv6 server to choose among multiple option 37 or option 38 instances when a request has passed through several relays: the option 37 and option 38 carried in the innermost relay-forw layer are selected.
33.3 DHCPv6 option 37, 38 Examples
33.3.1 DHCPv6 Snooping option 37, 38 Example
[Figure: DHCPv6 Snooping option schematic. Switch B, interface E1/1; Switch A, interfaces E1/2 (MAC-AA), E1/3 (MAC-BB), E1/4 (MAC-CC)]
As shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users connected to untrusted interfaces 1/2, 1/3 and 1/4 respectively; they get the addresses 2010:2, 2010:3 and 2010:4 through their DHCPv6 clients. The DHCPv6 server is connected to the trusted interface 1/1.
SwitchA(config-if-port-range)#switchport access vlan 1
SwitchA(config-if-port-range)#exit
SwitchA(config)#
Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#address 2001:da8:100:1::61 2001:da8:100:1::100
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(config)# range
33.3.
[Figure: DHCPv6 relay option schematic]
Switch2 configuration:
S2(config)#service dhcpv6
S2(config)#ipv6 dhcp relay remote-id option
S2(config)#ipv6 dhcp relay subscriber-id option
S2(config)#vlan 10
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#
33.
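As an added example (not the switch's code), the following Python builds the kind of message that S2 above forwards to the server and shows what the server does with it: a client SOLICIT wrapped in a RELAY-FORW message (RFC 3315 layout: msg-type, hop-count, link-address, peer-address, options) carrying option 37 (OPTION_REMOTE_ID, RFC 4649: 4-byte enterprise number followed by the remote-id) and option 38 (OPTION_SUBSCRIBER_ID, RFC 4580), then a second relay wrapping it again, and a server-side selector that, as described for “ipv6 dhcp server select relay-forw” in 33.2, takes the option 37/38 values of the innermost relay-forw layer, i.e. the relay closest to the client. Addresses, MACs and the enterprise number are constructed sample values.

```python
"""DHCPv6 RELAY-FORW with option 37 / option 38 (added example, not the switch's code).
Addresses, MACs and the enterprise number below are constructed sample values."""
import ipaddress
import struct

MSG_SOLICIT = 1
MSG_RELAY_FORW = 12
OPT_RELAY_MSG = 9          # carries the encapsulated message
OPT_REMOTE_ID = 37         # RFC 4649: enterprise-number (4 bytes) + remote-id
OPT_SUBSCRIBER_ID = 38     # RFC 4580: subscriber-id
RELAY_HDR_LEN = 34         # msg-type(1) hop-count(1) link-address(16) peer-address(16)


def encode_opts(opts):
    """DHCPv6 options: 16-bit code, 16-bit length, value (options may repeat)."""
    return b"".join(struct.pack("!HH", code, len(val)) + val for code, val in opts)


def decode_opts(blob):
    """Return [(code, value), ...] in order; bounds-checked against bad lengths."""
    opts, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        code, length = struct.unpack("!HH", blob[i:i + 4])
        if i + 4 + length > len(blob):
            raise ValueError("option %d overruns the message" % code)
        opts.append((code, blob[i + 4:i + 4 + length]))
        i += 4 + length
    return opts


def solicit(transaction_id, opts=()):
    """Client SOLICIT: msg-type(1) transaction-id(3) options."""
    return bytes([MSG_SOLICIT]) + transaction_id.to_bytes(3, "big") + encode_opts(opts)


def relay_forward(inner, link_addr, peer_addr, hop_count,
                  enterprise=None, remote_id=None, subscriber_id=None):
    """What a relay such as S2 does: wrap the received message in RELAY-FORW and,
    with 'ipv6 dhcp relay remote-id/subscriber-id option' enabled, add option 37/38."""
    opts = []
    if remote_id is not None:
        opts.append((OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id))
    if subscriber_id is not None:
        opts.append((OPT_SUBSCRIBER_ID, subscriber_id.encode("ascii")))
    opts.append((OPT_RELAY_MSG, inner))
    return (bytes([MSG_RELAY_FORW, hop_count])
            + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + encode_opts(opts))


def unwrap(msg):
    """Peel every RELAY-FORW layer. Returns (layers, client_msg); layers lists
    hop-count and option 37/38 per relay, outermost first."""
    layers = []
    while msg and msg[0] == MSG_RELAY_FORW:
        if len(msg) < RELAY_HDR_LEN:
            raise ValueError("short RELAY-FORW header")
        layer = {"hop": msg[1], "remote_id": None, "subscriber_id": None}
        inner = None
        for code, val in decode_opts(msg[RELAY_HDR_LEN:]):
            if code == OPT_REMOTE_ID and len(val) >= 4:
                layer["remote_id"] = (struct.unpack("!I", val[:4])[0], val[4:])
            elif code == OPT_SUBSCRIBER_ID:
                layer["subscriber_id"] = val.decode("ascii", "replace")
            elif code == OPT_RELAY_MSG:
                inner = val
        if inner is None:
            raise ValueError("RELAY-FORW without a relay message option")
        layers.append(layer)
        msg = inner
    return layers, msg


def select_innermost(msg):
    """Server policy described for 'ipv6 dhcp server select relay-forw': when more
    than one relay added option 37/38, use the innermost layer (the relay nearest
    the client) for class/pool selection. (None, None) for an unrelayed message."""
    layers, _ = unwrap(msg)
    if not layers:
        return None, None
    return layers[-1]["remote_id"], layers[-1]["subscriber_id"]


if __name__ == "__main__":
    client = solicit(0xABCDEF)
    # S2, nearest the client: relays from VLAN 10 and tags the request with its option 37/38
    hop1 = relay_forward(client, "2001:da8:1::2", "fe80::1", 0, enterprise=12345,
                         remote_id=bytes.fromhex("001fce023301"), subscriber_id="Vlan10+Ethernet1/2")
    # a second relay on the path wraps the whole message again with its own values
    hop2 = relay_forward(hop1, "2001:da8:10:1::2", "2001:da8:1::2", 1, enterprise=12345,
                         remote_id=bytes.fromhex("001fce02aabb"), subscriber_id="Vlan20+Ethernet1/1")
    print(select_innermost(hop2))
```

Choosing the innermost layer matters for access control: the outer relays only know the address of the previous relay, whereas the relay adjacent to the client is the one that can state which VLAN and physical port the request really entered on.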
Chapter 34 DHCP Snooping Configuration
34.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which DHCP clients obtain IP addresses via DHCP. It prevents DHCP attacks and illegal DHCP servers by distinguishing trusted ports from untrusted ports: DHCP messages from trusted ports are forwarded without being verified, while messages from untrusted ports are checked. In typical settings, trusted ports connect to the DHCP server or DHCP relay agent, and untrusted ports connect to DHCP clients.
recovers, it should send syslog information to the log server. Encryption of private messages: the communication between the switch and the inner network security management system TrustView uses private messages, and users can encrypt version 2 of those messages. Add authentication option 82 function: this is used with the dot1x dhcpoption82 authentication mode; a different option 82 is added to DHCP messages according to the user’s authentication status.
34.2 DHCP Snooping Configuration Task Sequence
1.
3. Enable DHCP Snooping binding ARP function
Command (Global mode): ip dhcp snooping binding arp / no ip dhcp snooping binding arp
Explanation: This command is not supported by the switch.
4. Enable DHCP Snooping option 82 function
Command (Global mode): ip dhcp snooping information enable / no ip dhcp snooping information enable
Explanation: Enable/disable the DHCP Snooping option 82 function.
5.
Command (Port mode): ip dhcp snooping trust / no ip dhcp snooping trust
Explanation: Set or delete the DHCP snooping trust attribute of the port.
9. Enable DHCP SNOOPING binding DOT1X function
Command (Port mode): ip dhcp snooping binding dot1x / no ip dhcp snooping binding dot1x
Explanation: Enable or disable the DHCP snooping binding dot1x function.
10.
no ip dhcp snooping action
13. Set rate limitation of data transmission
Command (Global mode): ip dhcp snooping limit-rate / no ip dhcp snooping limit-rate
Explanation: Set a rate limit on the DHCP messages processed by DHCP snooping.
14. Enable the debug switch
Command (Admin mode): debug ip dhcp snooping packet; debug ip dhcp snooping event; debug ip dhcp snooping update; debug ip dhcp snooping binding
Explanation: Please refer to the chapter on system troubleshooting.
15.
Command: ip dhcp snooping information option self-defined remote-id format [ascii | hex]
Explanation: Set the self-defined format of the remote-id for snooping option 82.
Command: ip dhcp snooping information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname) | remote-mac) | string WORD} / no ip dhcp snooping information option type self-defined subscriber-id
Explanation: Set the creation method for option 82; users can define the parameters of the circuit-id sub-option themselves.
[Figure: Sketch Map of TRUNK]
As shown in the chart above, the Mac-AA device is a normal user connected to the untrusted port 1/1 of the switch; it obtains IP 1.1.1.5 via its DHCP client. The DHCP server and gateway are connected to the trusted ports 1/11 and 1/12 of the switch. The malicious user Mac-BB is connected to the untrusted port 1/10 and tries to impersonate a DHCP server by sending DHCPACK. Enabling DHCP Snooping on the switch detects and blocks this kind of attack.
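The following is an added Python model (not the switch's implementation) of the decisions DHCP Snooping makes in the scenario above, run over constructed message summaries rather than raw packets: server-to-client messages (OFFER/ACK/NAK) arriving on an untrusted port, such as Mac-BB's forged DHCPACK on port 1/10, are dropped; messages on the trusted ports 1/11 and 1/12 are forwarded unverified and the ACKs populate the binding table (MAC, IP, VLAN, client port, lease expiry); messages on untrusted ports are counted against a per-port, per-second limit in the spirit of “ip dhcp snooping limit-rate”. One safeguard is an assumption of this example rather than something the manual states: a RELEASE or DECLINE is honoured only from the port the binding was learned on, so one host cannot release another host's lease.

```python
"""DHCP snooping decisions (added example, not the switch's implementation).
Messages below are constructed summaries of DHCP packets, not real captures."""
from dataclasses import dataclass
from typing import Optional

SERVER_MSGS = {"OFFER", "ACK", "NAK"}        # only a server (or relay) may send these


@dataclass
class Msg:
    port: str                # ingress port, e.g. "1/10"
    vlan: int
    src_mac: str
    msg_type: str            # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE, ...
    chaddr: str              # client hardware address field of the DHCP header
    yiaddr: Optional[str] = None
    lease: int = 0           # seconds, from the ACK
    ts: float = 0.0          # receive time in seconds


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: Optional[str]      # client port, learned from the preceding request
    expires: float


class DhcpSnooping:
    def __init__(self, trusted_ports, limit_rate=None):
        self.trusted = set(trusted_ports)
        self.limit_rate = limit_rate   # max DHCP messages per second per untrusted port
        self.bindings = {}             # (vlan, mac) -> Binding
        self.pending = {}              # (vlan, mac) -> port of the client's last request
        self.counts = {}               # (port, whole second) -> messages seen
        self.log = []

    def _drop(self, m, why):
        self.log.append(("drop", m.port, m.msg_type, why))
        return "drop"

    def process(self, m):
        """Return 'forward' or 'drop' for one DHCP message."""
        key = (m.vlan, m.chaddr)
        if m.port in self.trusted:
            # Trusted side: forwarded without verification; ACKs feed the binding table.
            if m.msg_type == "ACK" and m.yiaddr:
                self.bindings[key] = Binding(m.chaddr, m.yiaddr, m.vlan,
                                             self.pending.pop(key, None), m.ts + m.lease)
            return "forward"
        # Untrusted side: rate limit first, so a flood cannot exhaust the checks below.
        if self.limit_rate is not None:
            slot = (m.port, int(m.ts))
            self.counts[slot] = self.counts.get(slot, 0) + 1
            if self.counts[slot] > self.limit_rate:
                return self._drop(m, "rate limit exceeded")
        if m.msg_type in SERVER_MSGS:
            return self._drop(m, "server message on untrusted port (rogue DHCP server)")
        if m.msg_type in ("RELEASE", "DECLINE"):
            b = self.bindings.get(key)
            if b is not None and b.port != m.port:
                # assumption of this example: a lease may only be released from its own port
                return self._drop(m, "release/decline for a lease bound to another port")
            self.bindings.pop(key, None)
        elif m.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[key] = m.port
        return "forward"

    def expire(self, now):
        """Remove bindings whose lease has run out."""
        for k in [k for k, b in self.bindings.items() if b.expires <= now]:
            del self.bindings[k]


if __name__ == "__main__":
    s = DhcpSnooping(trusted_ports={"1/11", "1/12"}, limit_rate=3)
    s.process(Msg("1/1", 1, "aa", "DISCOVER", "aa", ts=0.0))
    print(s.process(Msg("1/10", 1, "bb", "ACK", "aa", yiaddr="1.1.1.9", ts=0.1)))   # drop
    s.process(Msg("1/1", 1, "aa", "REQUEST", "aa", ts=0.2))
    s.process(Msg("1/11", 1, "srv", "ACK", "aa", yiaddr="1.1.1.5", lease=3600, ts=0.3))
    print(s.bindings[(1, "aa")])
```

The binding table is what later features (the binding-to-dot1x and option 82 functions in the task list above) consume; keeping the client port in it is what makes a port-aware check such as the release safeguard possible.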
34.3.2 DHCP Snooping Troubleshooting Help
If any problem occurs when using the DHCP Snooping function, please check whether it is caused by one of the following: Check whether global DHCP Snooping is enabled; If the port does not react to invalid DHCP server packets, check whether the port is set as an untrusted port of DHCP Snooping. +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр.
Chapter 35 DHCP Snooping option 82 Configuration
35.1 Introduction to DHCP Snooping option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy.
SubOpt: the sequence number of sub-option, the sequence number of Circuit ID sub-option is 1, the sequence number of Remote ID sub-option is 2. Len: the number of bytes in Sub-option Value, not including the two bytes in SubOpt segment and Len segment. 35.1.
35.1.2 DHCP Snooping option 82 Configuration Task List
1. Enable DHCP SNOOPING
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping option 82 binding function
4. Configure trust ports
1. Enable DHCP SNOOPING
Command (Global mode): ip dhcp snooping enable / no ip dhcp snooping enable
Explanation: Enable or disable the DHCP SNOOPING function.
2.
35.2 DHCP Snooping option 82 Application Examples
[Figure: DHCP option 82 typical application example. DHCP Client PC1, Switch1 (Vlan1: eth1/3), DHCP Server]
In the example above, the layer 2 Switch1, with DHCP Snooping enabled, transmits the request message from the DHCP client to the DHCP server. It also transmits the reply message from the server to the DHCP client to finish the DHCP protocol procedure.
    default-lease-time 43200;   # 12 Hours
    max-lease-time 86400;       # 24 Hours
    allow members of "Switch1Vlan1Class1";
  }
}
Now the DHCP server will allocate addresses for the network nodes behind Switch1 within the range 192.168.102.51 ~ 192.168.102.80.
35.
Chapter 36 IPv4 Multicast Protocol
36.1 IPv4 Multicast Protocol Overview
This chapter introduces the configuration of the IPv4 multicast protocols.
36.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of packet transmission (data, sound and video) is only a subset of the users in the network. One way is to use unicast mode, i.e.
224.0.0.0 to 239.255.255.255. A Class D address cannot appear in the source IP address field of an IP packet. In unicast transmission, a packet travels along a routed path from the source address to the destination address, forwarded hop by hop. In an IP multicast environment, however, the destination is a group rather than a single host, and the group is identified by a group address.
224.0.0.18 VRRP
224.0.0.22 IGMP
When Ethernet transmits unicast IP packets, the destination MAC address it uses is the receiver’s MAC address. When transmitting multicast packets, the destination is no longer a specific receiver but a group with uncertain membership, so a multicast MAC address is used. The multicast MAC address is derived from the multicast IP address.
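As an added example (not from the manual), the following Python derives the multicast MAC address from a group address for both IPv4 (01:00:5e followed by the low 23 bits of the group address) and IPv6 (33:33 followed by the low 32 bits), and lists the 32 IPv4 groups that collapse onto one MAC address because the upper 5 bits of the 28-bit group ID are discarded. That aliasing is why a switch forwarding multicast by MAC address alone cannot tell, for instance, 224.0.0.22 (IGMP) from 239.128.0.22, and why IGMP snooping keyed on the IP group is preferable. The group addresses used are constructed examples.

```python
"""Multicast IP -> MAC mapping and IPv4 aliasing (added example, not the manual's code)."""
import ipaddress


def _mac(value):
    return ":".join("%02x" % b for b in value.to_bytes(6, "big"))


def ipv4_multicast_mac(group):
    """01:00:5e:0x:xx:xx carrying the low 23 bits of the class D address (RFC 1112)."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError("%s is not a multicast group" % group)
    return _mac(0x01005E000000 | (int(g) & 0x7FFFFF))


def ipv6_multicast_mac(group):
    """33:33:xx:xx:xx:xx carrying the low 32 bits of the IPv6 group (RFC 2464)."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError("%s is not a multicast group" % group)
    return _mac(0x333300000000 | (int(g) & 0xFFFFFFFF))


def ipv4_aliases(group):
    """All 32 class D addresses that map to the same MAC as 'group': bits 23..27
    of the address are not carried in the MAC, so every combination of those
    five bits is indistinguishable at layer 2."""
    g = int(ipaddress.IPv4Address(group))
    base = g & ~(0x1F << 23)
    return [str(ipaddress.IPv4Address(base | (k << 23))) for k in range(32)]


if __name__ == "__main__":
    for grp in ("224.0.0.18", "224.0.0.22", "239.128.0.22", "ff02::1:2"):
        fn = ipv6_multicast_mac if ":" in grp else ipv4_multicast_mac
        print(grp, "->", fn(grp))
    print(ipv4_aliases("224.1.1.1"))
```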
2. Data repository, finance application (stock) etc 3. Any data distribution application of “one point to multiple points” In the situation of more and more multimedia operations in IP network, Multicast has tremendous market potential and Multicast operation will be generalized and popularized. 36.2 DCSCM 36.2.1 Introduction to DCSCM DCSCM (Destination control and source control multicast) technology mainly includes three aspects, i.e.
Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows:
Command (Global Configuration Mode): ip multicast source-control / no ip multicast source-control
Explanation: Enable source control globally; the “no ip multicast source-control” command disables source control globally. Note that after enabling source control globally, all multicast packets are discarded by default.
2. Destination Control Configuration
Like source control configuration, destination control configuration also has three steps. First, enable destination control globally. Since destination control must prevent unauthorized users from receiving multicast data, the switch will not forward the multicast data it receives once global destination control is configured.
Command: [no] ip multicast destination-control <1-4094> access-group <6000-7999>
Explanation: Configures the rules destination control uses for the specified VLAN-MAC; the no form cancels the configuration.
Command: [no] ip multicast destination-control access-group <6000-7999>
Explanation: Configures the rules destination control uses for the specified IP address/netmask; the no form cancels the configuration.
3.
238.0.0.0/8, so we can make the following configuration:
First enable IGMP snooping in the VLAN it is located in (here assumed to be VLAN 2):
EC(config)#ip igmp snooping
EC(config)#ip igmp snooping vlan 2
After that, configure the relevant destination control access-list, and configure the specified IP address to use that access-list:
Switch(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.
flooding: with IGMP Snooping, multicast traffic is forwarded only to ports associated with multicast receivers. The switch listens to the IGMP messages exchanged between the multicast router and hosts, maintains a multicast group forwarding table based on what it hears, and then forwards multicast packets according to that table. The switch can also send IGMP queries itself (acting as a layer 2 general querier), so that IGMP Snooping can be used where no multicast router sends queries.
36.3.
Command: ip igmp snooping vlan l2-general-querier-source
Explanation: Configure the source address of general queries sent by the layer 2 general querier.
Command: ip igmp snooping vlan mrouter-port interface / no ip igmp snooping vlan mrouter-port interface
Explanation: Configure a static mrouter port of the VLAN. The no form of the command cancels this configuration.
Command: ip igmp snooping vlan static-group [source ] interface [ethernet | port-channel] / no ip igmp snooping vlan static-group [source ] interface [ethernet | port-channel]
Command: ip igmp snooping vlan report source-address
multicast router is connected to port 1. As IGMP Snooping is disabled by default both on the switch and in the VLANs, to enable IGMP Snooping in VLAN 100 it must first be enabled for the switch in Global Mode, then in VLAN 100, and port 1 of VLAN 100 must be set as the mrouter port.
The configuration of Switch2 is the same as that of the switch in scenario 1; SwitchA takes the place of the multicast router of scenario 1. Assume VLAN 60 is configured on SwitchA and includes ports 1, 2, 10 and 12. Port 1 connects to the multicast server and port 2 connects to Switch2. In order to send queries at regular intervals, the IGMP querier must be enabled in Global mode and in VLAN 60.
Chapter 37 IPv6 Multicast Protocol
37.1 MLD Snooping
37.1.1 Introduction to MLD Snooping
MLD, the Multicast Listener Discovery protocol, is used to realize multicasting in IPv6. It is used by network equipment such as multicast-capable routers to discover multicast listeners, and by listeners that want to join a multicast group to inform the router that they wish to receive packets sent to that multicast address; all of this is done through MLD message exchange.
specific VLAN.
Command: ipv6 mld snooping vlan limit {group | source } / no ipv6 mld snooping vlan limit
Explanation: Configure the number of groups that MLD Snooping can join, and the maximum number of sources in each group. The “no” form of this command restores the default.
Command: ipv6 mld snooping vlan l2-general-querier
Explanation: Set the VLAN layer 2 general querier, which is recommended on each segment.
Command: ipv6 mld snooping vlan query-robustness / no ipv6 mld snooping vlan query-robustness
Explanation: Configure the query robustness; the “no” form of this command restores the default.
Command: ipv6 mld snooping vlan suppression-query-time
Explanation: Configure the suppression query time.
need to set port 1 of VLAN 100 as an mrouter port. The configuration procedure is as follows.
[Figure: Switch as MLD Querier Function]
The configuration of switch B is the same as that of the switches in case 1, and here switch 1 replaces the multicast router of case 1. Assume the VLAN 60 configured on it contains ports 1, 2, 10 and 12, of which port 1 is connected to the multicast server and port 2 to switch 2. To send queries periodically, global MLD Snooping has to be enabled and the command ipv6 mld snooping vlan 60 l2-general-querier executed, setting VLAN 60 as a layer 2 general querier.
SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/1
Multicast configuration: same as scenario 1
MLD Snooping interception results: same as scenario 1
37.1.4 MLD Snooping Troubleshooting
When configuring and using MLD Snooping, the MLD Snooping function may fail to run properly due to physical connection failure, wrong configuration, etc.
Chapter 38 Multicast VLAN
38.1 Introduction to Multicast VLAN
With the usual way of ordering multicast, when users in different VLANs request the same multicast stream, a copy of the multicast traffic is sent in each VLAN, which is a great waste of bandwidth. By configuring a multicast VLAN, we add the switch ports to the multicast VLAN, and with the IGMP Snooping/MLD Snooping functions enabled, users from different VLANs share the same multicast VLAN.
Command (Global Mode): ip igmp snooping vlan / no ip igmp snooping vlan
Explanation: Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables IGMP Snooping on the multicast VLAN.
Command (Global Mode): ip igmp snooping / no ip igmp snooping
Explanation: Enable the IGMP Snooping function. The no form of this command disables the IGMP Snooping function.
3.
VLAN. The following configuration assumes that the IP address of the switch has been configured and all the equipment is connected correctly.
is used with MLD Snooping, so no separate example is given.
Chapter 39 ACL Configuration
39.1 Introduction to ACL
An ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It controls network traffic by granting or denying packets passage through the switch, effectively safeguarding the security of the network. The user lays down a set of rules based on information carried in packets; each rule describes the action, “permit” or “deny”, for a packet that matches the specified information.
An access-list can consist of several rules. Packet filtering compares the packet against the rules in order, from the first rule to the first matching rule; the remaining rules are not processed. The global default action applies only to IP packets in the incoming direction on the ports, and only when packet filtering is enabled on a port and either no ACL is bound to that port or no rule of the bound ACL matches.
39.2 ACL Configuration Task List
ACL Configuration Task Sequence:
1.
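As an added example (not the switch's code), the following Python implements the semantics just described on constructed packets: an ordered rule list with switch-style wildcard masks, first match wins, and the global default action used only when filtering is enabled on the port and either no ACL is bound or nothing matched. The rule set mirrors scenario 1 of 39.3 later in this chapter (deny TCP port 21 from 10.0.0.0 0.0.0.255 on port 10); the second binding shows how a broad permit placed first shadows a later deny, which is the usual cause of an ACL that “does not work”.

```python
"""ACL matching semantics (added example, not the switch's code).
Rules, bindings and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


def wildcard_match(ip, address, wildcard):
    """Switch-style wildcard mask: a 1 bit in the wildcard means 'don't care'
    (10.0.0.0 0.0.0.255 is the 10.0.0.0/24 segment)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & ~w) == (int(ipaddress.IPv4Address(address)) & ~w)


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    proto: str = "ip"                        # "ip" matches any IP protocol
    src: Optional[Tuple[str, str]] = None    # (address, wildcard); None = any-source
    dst: Optional[Tuple[str, str]] = None    # (address, wildcard); None = any-destination
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src and not wildcard_match(p.src, *self.src):
            return False
        if self.dst and not wildcard_match(p.dst, *self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class PacketFilter:
    def __init__(self, enabled=True, default_action="permit"):
        self.enabled = enabled                  # global packet filtering switch
        self.default_action = default_action    # global default action
        self.bound = {}                         # port -> ordered rule list (one ACL)

    def bind(self, port, rules):
        self.bound[port] = list(rules)

    def filter(self, port, packet):
        """Return 'permit' or 'deny' for an incoming packet on 'port'."""
        if not self.enabled:
            return "permit"                     # filtering off: nothing is inspected
        for rule in self.bound.get(port, []):
            if rule.matches(packet):
                return rule.action              # first match decides; the rest are skipped
        return self.default_action              # no ACL bound, or no rule matched

    def shadowed(self, port):
        """Rules that can never fire because an earlier rule in the same list is at
        least as broad in every field (no constraint, or the identical constraint).
        This catches the common ordering mistake; it is not a full overlap analysis."""
        rules = self.bound.get(port, [])
        out = []
        for i, later in enumerate(rules):
            for earlier in rules[:i]:
                if all(getattr(earlier, f) in (None, "ip", getattr(later, f))
                       for f in ("proto", "src", "dst", "sport", "dport")):
                    out.append(later)
                    break
        return out


if __name__ == "__main__":
    fw = PacketFilter(default_action="permit")
    fw.bind("Ethernet1/10", [Rule("deny", "tcp", src=("10.0.0.0", "0.0.0.255"), dport=21)])
    print(fw.filter("Ethernet1/10", Packet("10.0.0.7", "192.0.2.1", "tcp", 40000, 21)))  # deny
    print(fw.filter("Ethernet1/10", Packet("10.0.0.7", "192.0.2.1", "tcp", 40000, 22)))  # permit
```

With a default action of deny the same binding becomes a whitelist: the FTP rule still fires first, but every non-matching packet on that port is now dropped rather than passed, so the default action must be chosen together with the rule list.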
(1) Enable global packet filtering function
(2) Configure default action
3. Configuring time range function
(1) Create the name of the time range
(2) Configure periodic time range
(3) Configure absolute time range
4. Bind access-list to an incoming direction of the specified port
5. Clear the filtering information of the specified port
1.
} | any-source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination }} [d-port { | range }] [ack+fin+psh+rst+urg+syn] [precedence ] [tos ] [time-range]
access-list {deny | permit} udp {{ } | any-source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination
Command (Standard IP ACL Mode): [no] {deny | permit} {{ } | any-source | {host-source }}
Explanation: Creates a standard name-based IP access rule; the “no” form of the command deletes the name-based standard IP access rule.
3) Exit name-based standard IP ACL configuration mode
Command (Standard IP ACL Mode): exit
Explanation: Exits name-based standard IP ACL configuration mode.
source | {host-source }} [s-port { | range }] {{ } | any-destination | {host-destination }} [d-port { | range }] [ack+fin+psh+rst+urg+syn] [precedence ] [tos ][time-range] based TCP IP access rule; the no form command deletes this name-based extended IP access rule.
Command (Global Mode): access-list {deny|permit} {any-source-mac | {host-source-mac } | { }} {any-destination-mac | {host-destination-mac } | { }} [untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3] / no access-list
Explanation: Creates a numbered MAC extended access-list; if the access-list already exists, a rule is added to the current access-list. The “no access-list” command deletes a numbered MAC extended access-list.
extended MAC access rule.
}} [ []] [precedence ] [tos ] [time-range ]
access-list {deny|permit} {any-source-mac | {host-source-mac} | {}} {any-destination-mac | {host-destination-mac} | {}} igmp {{} | any-source | {host-source}} {{} | any-destination | {host-destination}} [] [precedence ] [tos
access-list {deny|permit} {any-source-mac | {host-source-mac} | {}} {any-destination-mac | {host-destination-mac} | {}} {eigrp | gre | igrp | ip | ipinip | ospf | {}} {{} | any-source | {host-source}} {{} | any-destination | {host-destination}} [precedence ] [tos ] [time-range]
Creates a numbered extended mac-ip access rule for other s
[no] {deny|permit} {any-source-mac | {host-source-mac } | {}} {any-destination-mac | {host-destination-mac } | {}} igmp {{} | any-source | {host-source}} {{} | any-destination | {host-destination }} [] [precedence ] [tos ] [time-range
{{} | any-source | {host-source}} {{} | any-destination | {host-destination}} [precedence] [tos] [time-range]
3) Exit MAC-IP Configuration Mode
Command (Extended name-based MAC-IP access Mode): exit
Explanation: Quit extended name-based MAC-IP access mode.
Command (Standard IPv6 ACL Mode): [no] {deny | permit} {{} | any-source | {host-source }}
Explanation: Creates a standard name-based IPv6 access rule; the no form of the command deletes the name-based standard IPv6 access rule.
3) Exit name-based standard IPv6 ACL configuration mode
Command (Standard IPv6 ACL Mode): exit
Explanation: Exits name-based standard IPv6 ACL configuration mode.
2.
periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} to
[no] absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday}
[no] periodic
Stops the periodic time range within the week.
Command (Admin Mode): clear access-group statistic [ethernet ]
Explanation: Clear the filtering information of the specified port.
39.3 ACL Example
Scenario 1: The user has the following configuration requirement: port 10 of the switch connects to the 10.0.0.0/24 segment, and FTP is not desired for these users.
Configuration description:
1. Create a proper ACL
2. Configure the packet filtering function
3.
1. Create the corresponding MAC ACL. 2. Configure datagram filtering. 3. Bind the ACL to the related interface. The configuration steps are listed as below.
tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(config)#access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#mac-ip access-group 3110 in
Switch(Config-If-Ethernet1/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#ipv6 access-group 600 in
Switch(Config-If-Ethernet1/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch(config)#show access-group interface vlan 100
Interface VLAN 100:
  Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics Disable.
  Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable.
  Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable.
  Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics Disable.
39.4 ACL Troubleshooting
Checking of entries in the ACL is done in top-down order and ends as soon as an entry is matched.
An ACL configured in physical interface mode can only be disabled in physical interface mode; one configured in VLAN interface configuration mode can only be disabled in VLAN interface mode. When a physical interface is added to or removed from a VLAN (trunk interfaces excepted), the ACL configured in that VLAN is bound to or unbound from the interface respectively.
Chapter 40 802.1x Configuration
40.1 Introduction to 802.1x
The 802.1x protocol originates from IEEE 802.11, the wireless LAN protocol, which was designed to provide a solution for authenticating users accessing a wireless LAN. The LAN defined in the IEEE 802 LAN protocols does not provide access authentication, which means that as long as users can reach a LAN controlling device (such as a LAN switch), they can reach all devices and resources in the LAN.
The supplicant system is the entity at one end of the LAN segment that is to be authenticated by the access controlling entity at the other end of the link. A supplicant system is usually a user terminal device; users start 802.1x authentication by starting the supplicant software. A supplicant system must support EAPOL (Extensible Authentication Protocol over LAN). The authenticator system is the entity at the other end of the LAN segment that authenticates the supplicant systems connected to it.
The uncontrolled port is always in the bi-directionally connected state and is mainly used to transmit EAPOL protocol frames, guaranteeing that supplicant systems can always send and receive authentication messages. The controlled port is connected only once authenticated, and is used to transmit service traffic; while unauthenticated, no traffic from the supplicant system is accepted.
Handshake Authentication Protocol) attributes to carry out the authentication exchange with the RADIUS server. When the user passes authentication, the authentication server system sends the relevant information about the user to the authenticator system, and the PAE of the authenticator system decides the authenticated/unauthenticated state of the controlled port according to the authentication result from the RADIUS server.
40.1.3 The Encapsulation of EAPOL Messages
1.
the relevant network management information, such as all kinds of alert information, terminated by terminal devices. Length: the length of the data, that is, the length of the “Packet Body” in bytes. No data field follows when its value is 0. Packet Body: the content of the data, whose format depends on the Type. 2.
40.1.4 The Encapsulation of EAP Attributes
RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Please refer to the introduction of the RADIUS protocol in “AAA-RADIUS-HWTACACS operation” for the format of RADIUS messages. 1. EAP-Message As illustrated in the next figure, this attribute is used to encapsulate EAP packets; its type code is 79, and its String field must be no longer than 253 bytes.
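The following added Python (not from the manual) parses and builds the two encapsulations just described: an EAPOL frame (EtherType 0x888E; Version, Type, Length, Packet Body, where a Length of 0 means no body follows, as for EAPOL-Start) and the EAP packet inside it (Code, Identifier, Length, Type, Type-Data), then splits an EAP packet into RADIUS EAP-Message attributes (type 79) of at most 253 bytes each, which is how a large EAP-TLS message crosses several attributes. The supplicant MAC and identity are constructed sample values; the PAE group address 01:80:c2:00:00:03 is the standard EAPOL destination.

```python
"""EAPOL / EAP / RADIUS EAP-Message encapsulation (added example, not the manual's code).
The supplicant MAC and identity used below are constructed sample values."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")       # EAPOL destination address on a LAN
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
RADIUS_EAP_MESSAGE = 79
RADIUS_STRING_MAX = 253


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_eapol(src_mac, eapol_type, body=b"", version=1, dst_mac=PAE_GROUP_MAC):
    """Ethernet header + EAPOL header (Version, Type, Length) + Packet Body."""
    return dst_mac + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, len(body)) + body


def parse_eapol(frame):
    """Split an Ethernet frame into EAPOL fields; refuses a Length that overruns the frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, etype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length %d exceeds frame" % length)
    return {"dst": mac_str(dst), "src": mac_str(src), "version": version,
            "type": EAPOL_TYPES.get(etype, etype), "body": body}


def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length (whole packet), then Type + Type-Data
    for Request/Response; Success/Failure carry no Type."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(body):
    if len(body) < 4:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length %d" % length)
    pkt = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code in (1, 2):                          # Request / Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without Type")
        pkt["type"] = body[4]
        pkt["data"] = body[5:length]
    return pkt


def radius_eap_message_attrs(eap_packet):
    """Encapsulate an EAP packet as RADIUS EAP-Message attributes (Type 79, Length,
    String). String holds at most 253 bytes, so a longer EAP packet is cut into
    consecutive attributes that the server concatenates in order."""
    return [bytes([RADIUS_EAP_MESSAGE, len(chunk) + 2]) + chunk
            for chunk in (eap_packet[i:i + RADIUS_STRING_MAX]
                          for i in range(0, len(eap_packet), RADIUS_STRING_MAX))]


if __name__ == "__main__":
    supplicant = bytes.fromhex("001122334455")
    start = build_eapol(supplicant, 1)                               # EAPOL-Start, Length 0
    identity = build_eap(2, 1, EAP_TYPE_IDENTITY, b"alice")          # EAP-Response/Identity
    frame = build_eapol(supplicant, 0, identity)                     # EAP-Packet
    print(parse_eapol(start)["type"], parse_eapol(frame)["type"], parse_eap(parse_eapol(frame)["body"]))
    print([len(a) for a in radius_eap_message_attrs(bytes(600))])   # [255, 255, 96]
```

The two length checks in the parsers are the ones an authenticator must not skip: an EAPOL Length or EAP Length larger than the bytes actually received is the classic way to make a naive parser read past its buffer.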
40.1.5.1 EAP Relay Mode EAP relay is specified in IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, making sure that extended authentication protocol messages can reach the authentication server through complicated networks. In general, EAP relay requires the RADIUS server to support EAP attributes: EAP-Message and Message-Authenticator.
In EAP relay, whichever of EAP-MD5, EAP-TLS, EAP-TTLS and PEAP is adopted, the supplicant system and the RADIUS server must use the same authentication method. 1. EAP-MD5 Authentication Method EAP-MD5 is an IETF open standard that provides the least security, since its MD5 challenge/response exchange is vulnerable to dictionary attacks. The following figure illustrates the basic operation flow of the EAP-MD5 authentication method. [Figure: the Authentication Flow of 802.1x EAP-MD5] 2.
authentication server to possess digital certificates to implement bidirectional authentication. It is the earliest EAP authentication method used in wireless LANs. Since every user must have a digital certificate, this method is rarely used in practice because of the maintenance burden. However, it is still one of the safest EAP standards, and enjoys wide support from vendors of wireless LAN hardware and software.
safely encrypted tunnel established via the certificate of the authentication server. Any kind of authentication request, including EAP, PAP and MS-CHAPv2, can be transmitted within TTLS tunnels.
4. PEAP Authentication Method
EAP-PEAP was brought up by Cisco, Microsoft and RSA Security as a recommended open standard. It has long been utilized in products and provides very good security.
using the CHAP authentication method.
[Figure: the Authentication Flow of 802.1x EAP Termination Mode]
40.1.6 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
When the MAC-based method is used, all the users accessing a port are authenticated separately; only those that pass authentication can access the network, while the others cannot. When one user goes offline, the other users are not affected. When the user-based (IP address + MAC address + port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced control.
Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose link type is Access.
2. Guest VLAN
The Guest VLAN feature is used to allow unauthenticated users to access some specified resources. The user authentication port belongs to a default VLAN (the Guest VLAN) before passing 802.1x authentication, with the right to access the resources within this VLAN without authentication, but the resources in other networks are beyond reach.
1. Enable 802.1x function
Command / Explanation (Global Mode)
dot1x enable / no dot1x enable: Enables the 802.1x function on the switch and ports; the no command disables the 802.1x function.
dot1x privateclient enable / no dot1x privateclient enable: Forces client software to use the private 802.1x authentication packet format; the no command disables this function.
dot1x guest-vlan / no dot1x guest-vlan: Set the guest VLAN of the specified port; the no command deletes the guest VLAN.
dot1x portbased mode single-mode / no dot1x portbased mode single-mode: Set the single-mode based on the port-based authentication mode; the no command disables this function.
(3) Configure expanded 802.1x function
Command / Explanation (Global Mode)
dot1x macfilter enable / no dot1x macfilter enable: Enables the 802.
response; the no command restores the default setting.
dot1x re-authentication / no dot1x re-authentication: Enables periodical supplicant re-authentication; the no command disables this function.
dot1x timeout quiet-period / no dot1x timeout quiet-period: Sets the time to keep silent after a port authentication failure; the no command restores the default value.
accesses the switch belongs to VLAN100; the authentication server is in VLAN2; the Update Server, in VLAN10, is for the user to download and update supplicant system software; Ethernet1/6, the port used by the switch to access the Internet, is in VLAN5.
[Figure: User Joining Guest VLAN (Update server and Authenticator server via Ethernet1/3 VLAN10; user on Ethernet1/2 VLAN10; VLAN2; Ethernet1/6 VLAN5 to the Internet)]
As illustrated in the figure above, on the switch port Ethernet1/2, the 802.
[Figure: User Being Online, VLAN Being Offline (Update server, Authenticator server, Ethernet1/3 VLAN10, Ethernet1/2 VLAN5, VLAN2, Ethernet1/6 VLAN5, Internet)]
As illustrated in the figure above, when the user comes online after a successful authentication, the authentication server assigns VLAN5, which puts the user and Ethernet1/6 both in VLAN5, allowing the user to access the Internet. The configuration steps are as follows:
# Configure RADIUS server.
Switch(Config-If-Ethernet1/2)#switchport mode access
# Set the access control mode on the port as portbased.
Switch(Config-If-Ethernet1/2)#dot1x port-method portbased
# Set the access control mode on the port as auto.
Switch(Config-If-Ethernet1/2)#dot1x port-control auto
# Set the port’s Guest VLAN as 100.
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.
Switch(config)#radius-server authentication host 2004:1:2:3::3
Switch(config)#radius-server accounting host 2004:1:2:3::3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#dot1x enable
Switch(Config-If-Ethernet1/2)#dot1x port-control auto
Switch(Config-If-Ethernet1/2)#exit
40.4 802.1x Troubleshooting
It is possible that 802.1x is configured on ports and 802.
Chapter 41 The Number Limitation Function of MAC and IP in Port, VLAN Configuration
41.1 Introduction to the Number Limitation Function of MAC and IP in Port, VLAN
The MAC address list is used to identify the mapping relationship between destination MAC addresses and switch ports. There are two kinds of MAC addresses in the list: static MAC addresses and dynamic MAC addresses.
ARP list entries of the switch, causing successful DoS attacks. To sum up, it is very meaningful to provide the number limitation function of MAC and IP in port and VLAN. The switch can control the number of MAC addresses of ports and the number of ARP and ND list entries of ports and VLANs through configuration commands.
Limiting the number of dynamic MAC and IP entries of ports:
1. Limiting the number of dynamic MAC.
switchport arp dynamic maximum / no switchport arp dynamic maximum: Enable and disable the number limitation function of ARP on the ports.
switchport nd dynamic maximum / no switchport nd dynamic maximum: Enable and disable the number limitation function of ND on the ports.
2.
| interface ethernet }: ... corresponding ports and VLAN.
show nd-dynamic count {vlan | interface ethernet }: Display the number of dynamic NEIGHBOUR entries in corresponding ports and VLAN.
debug switchport mac count / no debug switchport mac count: All kinds of debug information when limiting the number of MAC on ports.
debug switchport arp count / no debug switchport arp count: All kinds of debug information when limiting the number of ARP on ports.
In the network topology above, SWITCH B connects to many PC users. Before enabling the number limitation function of MAC and IP in port and VLAN, if the system hardware has no other limitation, SWITCH A and SWITCH B can learn the MAC, ARP and ND list entries of all the PCs, so limiting the MAC and ARP list entries can avoid DoS attacks to a certain extent. When malicious users frequently perform MAC or ARP spoofing, it is easy for them to fill the MAC and ARP list entries of the switch, causing successful DoS attacks.
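The limiting behaviour described in this chapter, as an added simulation that is not the switch's own code: a per-port and per-VLAN cap on dynamically learned entries (the same logic serves MAC, ARP and ND tables, the key just changes), with static entries exempt and a per-port refusal counter of the kind the debug command would report. Port and VLAN names are constructed.

```python
from collections import defaultdict
from typing import Dict, Hashable, Optional, Set, Tuple


class DynamicEntryLimiter:
    """Per-port and per-VLAN caps on dynamically learned table entries (MAC, ARP or ND).
    `key` is whatever the table is keyed on, e.g. a MAC address or an (IP, MAC) pair;
    static entries are installed explicitly and never count against a limit."""

    def __init__(self) -> None:
        self.port_limit: Dict[str, int] = {}
        self.vlan_limit: Dict[int, int] = {}
        self.dynamic: Dict[Tuple[str, int], Set[Hashable]] = defaultdict(set)
        self.static: Set[Tuple[str, int, Hashable]] = set()
        self.rejected: Dict[str, int] = defaultdict(int)   # per-port refusals (debug counter)

    def set_port_limit(self, port: str, maximum: Optional[int]) -> None:
        """`None` mirrors the no-form of the command and removes the limit."""
        if maximum is None:
            self.port_limit.pop(port, None)
        else:
            self.port_limit[port] = maximum

    def set_vlan_limit(self, vlan: int, maximum: Optional[int]) -> None:
        if maximum is None:
            self.vlan_limit.pop(vlan, None)
        else:
            self.vlan_limit[vlan] = maximum

    def add_static(self, port: str, vlan: int, key: Hashable) -> None:
        self.static.add((port, vlan, key))

    def port_count(self, port: str) -> int:
        return sum(len(keys) for (p, _), keys in self.dynamic.items() if p == port)

    def vlan_count(self, vlan: int) -> int:
        return sum(len(keys) for (_, v), keys in self.dynamic.items() if v == vlan)

    def learn(self, port: str, vlan: int, key: Hashable) -> bool:
        """Attempt to install a dynamic entry; False means it was refused and not installed."""
        if (port, vlan, key) in self.static or key in self.dynamic[(port, vlan)]:
            return True                                  # already known, nothing to add
        if port in self.port_limit and self.port_count(port) >= self.port_limit[port]:
            self.rejected[port] += 1
            return False
        if vlan in self.vlan_limit and self.vlan_count(vlan) >= self.vlan_limit[vlan]:
            self.rejected[port] += 1
            return False
        self.dynamic[(port, vlan)].add(key)
        return True

    def age_out(self, port: str, vlan: int, key: Hashable) -> None:
        self.dynamic[(port, vlan)].discard(key)


def flood_simulation(limit: int, attempts: int) -> Tuple[int, int]:
    """Constructed scenario: one access port on VLAN 1 sees `attempts` distinct spoofed
    source MACs. Returns (entries learned, entries refused)."""
    limiter = DynamicEntryLimiter()
    limiter.set_port_limit("Ethernet1/1", limit)
    learned = sum(limiter.learn("Ethernet1/1", 1, f"00:11:22:33:44:{i:02x}")
                  for i in range(attempts))
    return learned, limiter.rejected["Ethernet1/1"]
```

A refused entry is simply not installed, so the flood fills the port's quota and nothing else; the rest of the table, and every other port, keeps learning normally.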
Chapter 42 Operational Configuration of AM Function
42.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP message, it compares the information extracted from the message (such as the source IP address or source MAC-IP address) with the configured hardware address pool. If there is an entry in the address pool matching the information (source IP address or source MAC-IP address), the message is forwarded; otherwise it is discarded.
2. Enable AM function on an interface
Command / Explanation (Port Mode)
am port / no am port: Enable/disable the AM function on the port. When the AM function is enabled on the port, no IP or ARP message is forwarded by default.
3. Configure the forwarding IP
Command / Explanation (Port Mode)
am ip-pool / no am ip-pool: Configure the forwarding IP of the port.
4.
42.3 AM Function Example
[Figure: a typical configuration example of AM function (Internet, SWITCH with Port1 and Port2, HUB1 and HUB2, PC1 PC2 PC3 ...)]
In the topology above, 30 PCs, aggregated by HUB1, connect to interface 1 of the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security, the system manager only regards users with an IP address within that range as legal.
Chapter 43 Security Feature Configuration
43.1 Introduction to Security Feature
Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal user data packets because it is kept busy processing the attacker’s packets, leading to denial of the service; worse, it can lead to leakage of sensitive data from the server.
5.3 Security Feature Example
Scenario: The user has the following configuration requirements: the switch does not forward data packets whose source IP address is equal to the destination address, nor those whose source port is equal to the destination port. Only the ping command with default options is allowed within the IPv4 network, namely the ICMP request packet cannot be fragmented and its net length is normally smaller than 100.
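The scenario's four rules expressed as a packet filter, as an added example that is not the switch's code: it reports a drop reason for same-address packets, same-port TCP/UDP packets, fragmented ICMP and oversized ICMP, and counts drops per reason the way a log or counter would. The `Packet` class and the sample traffic are constructed stand-ins for parsed frames; the threshold name `ICMP_MAX_LEN` is mine, its value is the scenario's 100.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17
ICMP_MAX_LEN = 100   # the scenario's "net length normally smaller than 100"


@dataclass
class Packet:
    """Only the header fields the checks need (a constructed stand-in for a parsed frame)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    fragmented: bool = False       # MF flag set or non-zero fragment offset
    payload_len: int = 0           # octets after the IP header


def check_packet(pkt: Packet, icmp_max_len: int = ICMP_MAX_LEN) -> Optional[str]:
    """Return the drop reason, or None when the packet may be forwarded."""
    if pkt.src_ip == pkt.dst_ip:
        return "ip-equal"                      # land-style packet
    if pkt.proto in (TCP, UDP) and pkt.src_port is not None and pkt.src_port == pkt.dst_port:
        return "port-equal"
    if pkt.proto == ICMP:
        if pkt.fragmented:
            return "icmp-fragment"             # reassembly abuse; a default ping never fragments
        if pkt.payload_len > icmp_max_len:
            return "icmp-oversize"
    return None


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    forwarded, dropped = [], []
    for pkt in packets:
        reason = check_packet(pkt)
        if reason is None:
            forwarded.append(pkt)
        else:
            dropped.append((pkt, reason))
    return forwarded, dropped


def drop_summary(dropped: List[Tuple[Packet, str]]) -> Dict[str, int]:
    """Counts per reason, the figure a log line or SNMP counter would expose."""
    return dict(Counter(reason for _, reason in dropped))


# Constructed sample traffic: two legitimate packets and four that trip the rules.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", TCP, 40211, 22),
    Packet("10.0.0.5", "10.0.0.9", ICMP, payload_len=64),
    Packet("10.0.0.9", "10.0.0.9", TCP, 80, 80),
    Packet("10.0.0.5", "10.0.0.9", UDP, 53, 53),
    Packet("10.0.0.5", "10.0.0.9", ICMP, fragmented=True, payload_len=1480),
    Packet("10.0.0.5", "10.0.0.9", ICMP, payload_len=1400),
]
```

The checks are ordered so that a packet failing several rules is attributed to the first one; the same-port check deliberately skips protocols without ports, since ICMP has none.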
Chapter 44 TACACS+ Configuration
44.1 Introduction to TACACS+
TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol.
Command / Explanation (Global Mode)
tacacs-server timeout / no tacacs-server timeout: Configure the authentication timeout for the TACACS+ server; the “no tacacs-server timeout” command restores the default configuration.
4. Configure the IP address of the TACACS+ NAS
Command / Explanation (Global Mode)
tacacs-server nas-ipv4 / no tacacs-server nas-ipv4: Configure the source IP address for the TACACS+ packets of the switch.
44.3 TACACS+ Scenarios Typical Examples
10.1.1.2 10.1.1.
Switch(config)#authentication line vty login tacacs
44.4 TACACS+ Troubleshooting
In configuring and using TACACS+, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
First, the TACACS+ server physical connection is in good condition.
Second, all interface and link protocols are in the UP state (use the “show interface” command).
Chapter 45 RADIUS Configuration
45.1 Introduction to RADIUS
45.1.1 AAA and RADIUS Introduction
AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who may access the network device, which access level the user has, and accounting for network resource usage.
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
Identifier field (1 octet): identifier for matching request and answer packets.
Length field (2 octets): the length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes.
Authenticator field (16 octets): used for validation of the packets received from the RADIUS server, or to carry encrypted passwords.
19 Callback-Number / 60 CHAP-Challenge
20 Callback-Id / 61 NAS-Port-Type
21 (unassigned) / 62 Port-Limit
22 Framed-Route / 63 Login-LAT-Port
Length field (1 octet): the length in octets of the attribute including Type, Length and Value fields.
Value field: value of the attribute, whose content and format are determined by the type and length of the attribute.
45.2 RADIUS Configuration Task List
1. Enable the authentication and accounting function
2.
3.
4.
5.
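The RADIUS packet and attribute formats just listed, together with the EAP-Message (type 79) and Message-Authenticator encapsulation from 40.1.4, as one added worked example that is not the switch's code: an Access-Request is built with the EAP packet split over 253-octet EAP-Message attributes and protected by a Message-Authenticator (HMAC-MD5 keyed with the shared secret, per RFC 3579), then parsed and verified on the receiving side. The shared secret and EAP payload in the test are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253          # Type and Length use 2 of the 255-octet attribute maximum
HEADER_LEN = 20               # Code, Identifier, Length, Authenticator


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, 2 + len(value)]) + value


def eap_message_attributes(eap_packet: bytes) -> bytes:
    """Carry one EAP packet in as many consecutive EAP-Message attributes as needed."""
    return b"".join(encode_attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def build_access_request(secret: bytes, identifier: int, username: bytes, eap_packet: bytes,
                         request_authenticator: bytes = None) -> bytes:
    """Access-Request carrying EAP-Message(s) and a Message-Authenticator: HMAC-MD5 keyed
    with the shared secret, computed over the whole packet with the MA value zeroed."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = encode_attribute(ATTR_USER_NAME, username) + eap_message_attributes(eap_packet)
    zero_ma = encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = HEADER_LEN + len(attrs) + len(zero_ma)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + zero_ma, hashlib.md5).digest()
    return header + attrs + encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    attributes, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attributes.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:HEADER_LEN], "attributes": attributes}


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Reject the packet unless it carries a Message-Authenticator that verifies."""
    parsed = parse_radius(packet)
    ma_pos, pos = None, HEADER_LEN
    while pos < parsed["length"]:
        if packet[pos] == ATTR_MESSAGE_AUTHENTICATOR and packet[pos + 1] == 18:
            ma_pos = pos
        pos += packet[pos + 1]
    if ma_pos is None:
        return False
    received = packet[ma_pos + 2:ma_pos + 18]
    zeroed = packet[:ma_pos + 2] + b"\x00" * 16 + packet[ma_pos + 18:parsed["length"]]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def reassemble_eap(parsed: dict) -> bytes:
    """Concatenate EAP-Message values in order to recover the original EAP packet."""
    return b"".join(value for attr_type, value in parsed["attributes"]
                    if attr_type == ATTR_EAP_MESSAGE)
```

A server that requires the Message-Authenticator on every EAP-carrying request (rather than merely checking it when present) is what actually stops forged or modified EAP-Message attributes; `verify_message_authenticator` therefore returns False when the attribute is absent.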
3. Configure the RADIUS server
Command / Explanation (Global Mode)
radius-server authentication host { | } [port ] [key {0 | 7} ] [primary] [access-mode {dot1x | telnet}] / no radius-server authentication host { | : Specifies the IPv4/IPv6 address and the port number, and whether it is the primary server for the RADIUS accounting server; the no command deletes the RADIUS accounting server.
no radius nas-ipv4: ... RADIUS packets for the switch.
radius nas-ipv6 / no radius nas-ipv6: Configure the source IPv6 address for the RADIUS packets of the switch.
45.3 RADIUS Typical Examples
45.3.1 IPv4 Radius Example
[Figure: Topology of IEEE802.1x configuration (10.1.1.2, 10.1.1.1, Radius Server 10.1.1.3)]
A computer connects to a switch whose IP address is 10.1.1.2, and the switch is connected to a RADIUS authentication server through Ethernet1/2; the IP address of the server is 10.1.1.
45.3.2 IPv6 Radius Example
[Figure: The Topology of IPv6 Radius configuration (2004:1:2:3::2, 2004:1:2:3::1, Radius Server 2004:1:2:3::3)]
A computer connects to a switch whose IP address is 2004:1:2:3::2, and the switch is connected to a RADIUS authentication server through Ethernet1/2; the IP address of the server is 2004:1:2:3::3, the authentication port defaults to 1812, and the accounting port defaults to 1813.
Then ensure the RADIUS key configured on the switch is the same as the one configured on the RADIUS server.
Finally ensure you connect to the correct RADIUS server.
If the RADIUS authentication problem remains unsolved, please use debug aaa and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.
+7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр.
Chapter 46 SSL Configuration
46.1 Introduction to SSL
As computer networking technology spreads, network security has an increasingly important impact on the availability and usability of networking applications. Network security has become one of the greatest barriers to modern networking applications. To protect sensitive data transferred through the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser. Up till now, SSL 2.0 and 3.
will be forwarded to the other program in sequence; packet loss and re-forwarding will not appear. Many transport protocols can provide this kind of service in theory, but in practice SSL almost always runs on TCP, not directly on UDP or IP. When the web function is running on the switch and a client visits the switch’s web site through an Internet browser, the SSL function can be used. Communication between client and switch over an SSL connection improves security.
2. Configure/delete the port number used by SSL
3. Configure/delete the secure cipher suite used by SSL
4. Maintenance and diagnosis of the SSL function
1. Enable/disable SSL function
Command / Explanation (Global Mode)
ip http secure-server / no ip http secure-server: Enable/disable the SSL function.
2.
Firstly, SSL should be enabled on the switch. When the client tries to access the switch through HTTPS, an SSL session is set up between the switch and the client. Once the SSL session has been set up, all data transmission in the application layer is encrypted.
If the SSL problems remain unsolved after the above, please use debug SSL and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.
Chapter 47 IPv6 Security RA Configuration
47.1 Introduction to IPv6 Security RA
In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RAs, including the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create a link address and set the default router to the one sending the RA in order to implement IPv6 network communication.
debug ipv6 security-ra / no debug ipv6 security-ra: Enable the debug information of the IPv6 security RA module; the no operation of this command disables the output of debug information of IPv6 security RA.
show ipv6 security-ra [interface ]: Display the distrust ports and whether security RA is enabled globally.
47.
Check if there are rules configured on the switch that conflict with the security RA function; such rules will cause RA messages to be forwarded.
Chapter 48 MAB Configuration
48.1 Introduction to MAB
In actual networks there are devices on which the authentication client cannot be installed, such as printers and PDA devices, so they cannot perform 802.1x authentication. However, to access network resources, they need to use MAB authentication in place of 802.1x authentication. MAB authentication is a network access authentication method based on the access port and the MAC address of the MAB user.
no mac-authentication-bypass enable
Command / Explanation (Port Mode)
mac-authentication-bypass enable / no mac-authentication-bypass enable: Enable the port MAB authentication function.
2. Configure MAB authentication username and password
Command / Explanation (Global Mode)
mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}}: Set the authentication mode of the MAB authentication function.
3.
no authentication mab: ... of MAC address; the no command restores the default authentication mode.
48.3 MAB Example
Example: The typical example of MAB authentication function:
[Figure: MAB application (Switch2: Eth1/1 Update Server, Eth1/2 Radius Server, Eth1/3 Internet, Ethernet1/4 to Ethernet1/4 of Switch1; Switch1: Eth1/1 PC1, Eth1/2 PC2, Eth1/3 Printer)]
Switch1 is a layer 2 access switch, Switch2 is a layer 3 aggregation switch. Ethernet 1/1 is an access port of Switch1, connects to PC1, and enables 802.
Ethernet 1/4 is a trunk port of Switch2, connecting to Switch1. Ethernet 1/1 is an access port, belongs to vlan8, and connects to the update server for downloading and upgrading the client software. Ethernet 1/2 is an access port, belongs to vlan9, and connects to the radius server, which is configured with auto vlan as vlan10. Ethernet 1/3 is an access port, belongs to vlan10, and connects to external Internet resources. To implement this application, the configuration is as follows:
Switch1 configuration:
(1) Enable 802.
Switch(config-if-ethernet1/2)#mac-authentication-bypass enable guestvlan 8
Switch(config-if-ethernet1/2)#exit
Switch(config)#interface ethernet 1/3
Switch(config-if-ethernet1/3)#switchport mode access
Switch(config-if-ethernet1/3)#mac-authentication-bypass enable
Switch(config-if-ethernet1/3)#exit
Switch(config)#interface ethernet 1/4
Switch(config-if-ethernet1/4)#switchport mode trunk
48.
Chapter 49 PPPoE Intermediate Agent Configuration
49.1 Introduction to PPPoE Intermediate Agent
49.1.1 Brief Introduction to PPPoE
PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that supplies a point-to-point communication method; it is usually chosen for host dial-up links, for example when the link is a dial-up line.
3. Client sends PADR packet: In the third step, the client selects a server to process the session according to the received PADO packets. It may receive many PADO packets because the PADI message of the first step may have been sent to many servers (it selects the server according to whether the service information in the PADO packet matches the service information needed by the client).
[Figure: PPPoE IA protocol exchange process]
49.1.2.
used to match the sending and receiving ends (because a broadcast network may carry many PPPoE data packets at the same time).
0x0104 AC-Cookie: used to avoid malicious DoS attacks.
0x0105 Vendor identifier.
0x0110 Relay session ID: a PPPoE data packet can be relayed to another AC; this field is used to keep the other connection.
0x0201 Service name error: when the requested service name is not accepted by the other end, the response packet carries this tag.
separated by a space symbol; “eth” occupies 3 bytes and is followed by a space separator; “Slot ID” occupies 2 bytes, followed by “/” as a separator occupying 1 byte; “Port Index” occupies 3 bytes, followed by “:” as a separator occupying 1 byte; “Vlan ID” occupies 4 bytes. All fields use ASCII. The user can configure the circuit ID for each port according to requirements.
no pppoe intermediate-agent type tr-101 circuit-id identifier-string option delimiter
pppoe intermediate-agent type self-defined circuit-id {vlan | port | id (switch-id (mac | hostname) | remote-mac) | string WORD} / no pppoe intermediate-agent type selfdefined circuit-id: Configure the self-defined circuit-id.
pppoe intermediate-agent type self-defined remote-id {mac | hostname | string WORD} / no pppoe intermediate-agent type selfdefined remote-id: Configure the self-defined remote-id.
[Figure: PPPoE IA typical application]
Both the host and the BAS server run the PPPoE protocol; they are connected by layer 2 Ethernet, and the switch enables the PPPoE Intermediate Agent function. Typical configuration (1) follows:
Step 1: The switch enables the global PPPoE IA function; its MAC is 0a0b0c0d0e0f.
Switch(config)# pppoe intermediate-agent
Step 2: Configure port ethernet1/1, which connects to the server, as a trust port, and configure the vendor tag strip function.
strip function.
Switch(config-if-ethernet1/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/1)#pppoe intermediate-agent vendor-tag strip
Step 3: Port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234 enable the PPPoE IA function of the port.
Switch(config-if-ethernet1/2)#pppoe intermediate-agent
Switch(config-if-ethernet1/3)#pppoe intermediate-agent
Step 4: Configure pppoe intermediate-agent access-node-id as abcd.
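What the intermediate agent does to the discovery frames in this configuration, as an added example that is not the switch's code: a PPPoE discovery parser for the tags listed in 49.1.2, a circuit-id formatter using the fixed-width fields the manual describes, and the relay step that strips any vendor tag already present and adds the switch's own line identification on upstream PADI/PADR from untrusted ports. The Broadband Forum vendor id (3561) and sub-option numbers 1 and 2 for circuit-id and remote-id come from TR-101, not from this page; prefixing the access-node-id and a space in front of "eth" is my reading of the cut-off sentence; sample frames are constructed.

```python
import struct
from typing import List, Tuple

Tag = Tuple[int, bytes]

# PPPoE discovery stage codes (RFC 2516)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0103, 0x0104
TAG_VENDOR_SPECIFIC, TAG_RELAY_SESSION_ID, TAG_SERVICE_NAME_ERROR = 0x0105, 0x0110, 0x0201
# TR-101 line identification rides in the Vendor-Specific tag under the Broadband Forum
# enterprise number; assumption from TR-101, the manual does not state it.
BBF_VENDOR_ID = 3561
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02


def parse_discovery(frame: bytes) -> Tuple[int, int, List[Tag]]:
    """Decode a PPPoE discovery payload (what follows the Ethernet header)."""
    if len(frame) < 6:
        raise ValueError("PPPoE header truncated")
    vertype, code, session, length = struct.unpack("!BBHH", frame[:6])
    if vertype != 0x11 or length > len(frame) - 6:
        raise ValueError("malformed PPPoE discovery header")
    tags, pos, end = [], 6, 6 + length
    while pos < end:
        if pos + 4 > end:
            raise ValueError("tag header truncated")
        tag_type, tag_len = struct.unpack("!HH", frame[pos:pos + 4])
        if pos + 4 + tag_len > end:
            raise ValueError("tag runs past payload")
        tags.append((tag_type, frame[pos + 4:pos + 4 + tag_len]))
        pos += 4 + tag_len
    return code, session, tags


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_discovery(frame)
        return True
    except ValueError:
        return False


def build_discovery(code: int, session: int, tags: List[Tag]) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def circuit_id(access_node_id: str, slot: int, port: int, vlan: int) -> bytes:
    """Fixed-width ASCII fields as the manual lists them: 'eth', 2-digit slot, '/',
    3-digit port, ':', 4-digit VLAN. The leading access-node-id plus space is my
    reading of the cut-off sentence."""
    return f"{access_node_id} eth {slot:02d}/{port:03d}:{vlan:04d}".encode("ascii")


def vendor_specific_tag(circuit: bytes, remote: bytes) -> Tag:
    value = struct.pack("!I", BBF_VENDOR_ID)
    for sub, data in ((SUB_CIRCUIT_ID, circuit), (SUB_REMOTE_ID, remote)):
        value += bytes([sub, len(data)]) + data
    return TAG_VENDOR_SPECIFIC, value


def intermediate_agent(frame: bytes, trusted_port: bool, access_node_id: str,
                       slot: int, port: int, vlan: int, remote_mac: str) -> bytes:
    """Relay one discovery frame. Any Vendor-Specific tag already present is removed
    (a subscriber must not be able to forge its own line id, and 'vendor-tag strip'
    removes it on the server side); upstream PADI/PADR arriving on an untrusted
    subscriber port get the switch's own circuit-id and remote-id appended."""
    code, session, tags = parse_discovery(frame)
    tags = [t for t in tags if t[0] != TAG_VENDOR_SPECIFIC]
    if not trusted_port and code in (PADI, PADR):
        tags.append(vendor_specific_tag(circuit_id(access_node_id, slot, port, vlan),
                                        remote_mac.encode("ascii")))
    return build_discovery(code, session, tags)
```

Stripping before appending is the important ordering: the BAS must only ever see a line id the access switch itself produced, never one supplied by the subscriber.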
Chapter 50 Web Portal Configuration
50.1 Introduction to Web Portal Authentication
802.1x authentication uses a special client to authenticate, the device is a special layer 2 switch, the authentication server is a RADIUS server, and the authentication messages use the EAP protocol format.
webportal enable / no webportal enable: Enable/disable web portal authentication globally.
2. Enable/disable web portal authentication of the port
Command / Explanation (Port Mode)
webportal enable / no webportal enable: Enable/disable web portal authentication of the port.
3. Configure the max web portal binding number allowed by the port
Command / Explanation (Port Mode)
webportal binding-limit <1-256> / no webportal binding-limit: Configure the max web portal binding number allowed by the port.
4.
Command / Explanation (Admin Mode)
clear webportal binding {mac WORD | interface |}: Delete the binding information of web portal authentication.
50.3 Web Portal Authentication Typical Example
Internet RADIUS server Portal server 192.168.40.100 192.168.40.99 DHCP server DNS server Switch1 192.168.40.
as the portal server’s IP and port, so ethernet 1/2 forbids all flows except DHCP/DNS/ARP packets. Switch2 is the aggregation switch; ethernet1/2 connects to the radius server and ethernet1/3 connects to the portal server. The address of the radius server is 192.168.40.100 and the address of the portal server is 192.168.40.99. ethernet1/4 connects to the DHCP server and ethernet1/5 connects to the DNS server. ethernet1/6 is a trunk port and connects to ethernet1/4 of switch1.
Chapter 51 VLAN-ACL Configuration
51.1 Introduction to VLAN-ACL
The user can configure an ACL policy on a VLAN to implement access control for all ports in the VLAN, and VLAN-ACL enables the user to manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN without having to configure each member port separately.
no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
3. Configure VLAN-ACL of MAC-IP
Command / Explanation (Global mode)
vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac-ip access-group {<3100-3299> | WORD} {in | out} vlan WORD: Configure or delete MAC-IP VLAN-ACL. (Egress filtering is not supported by the switch.)
4.
not allowed to access the outside network at any time, for security. Then the following policies are configured:
Set the policy VACL_A for the technique department. At timeout they can access the outside network (the rule is permit), but at other times the rule is deny, and the policy is applied to Vlan1.
Set the policy VACL_B for the finance department. At any time they cannot access the outside network, but can access the inside network without limitation; apply the policy to Vlan2.
Switch(config-ip-ext-nacl-vacl_a)#deny ip any-source any-destination time-range t1
3. Configure the extended acl_b of IP; at any time it only allows access to resources within the internal network (such as 192.168.1.255).
Switch(config)#ip access-list extended vacl_b
Switch(config-ip-ext-nacl-vacl_b)#permit ip any-source 192.168.1.0 0.0.0.255
Switch(config-ip-ext-nacl-vacl_b)#deny ip any-source any-destination
4.
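How the two VLAN-ACL policies above evaluate, as an added example that is not the switch's code: first-match ACL semantics with an implicit deny, a rule that only applies while its time-range is active, and the per-VLAN binding that applies one ACL to every member port. `vacl_b` reproduces the page's two rules exactly; for `vacl_a` the page shows only the time-ranged deny, so the permit rules around it, the 09:00-18:00 weekday time-range and the test timestamps are my constructed completion.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass
class TimeRange:
    name: str
    start: time
    end: time
    weekdays: Tuple[int, ...] = (0, 1, 2, 3, 4)    # Monday=0; working days are an assumption

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass
class Rule:
    action: str                                     # "permit" or "deny"
    destination: Optional[ipaddress.IPv4Network]    # None means any-destination
    time_range: Optional[TimeRange] = None          # rule applies only while the range is active

    def matches(self, dst_ip: str, now: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(now):
            return False
        return self.destination is None or ipaddress.IPv4Address(dst_ip) in self.destination


class ExtendedAcl:
    """IP extended ACL with any-source rules: first match wins, implicit deny at the end."""

    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name, self.rules = name, rules

    def evaluate(self, dst_ip: str, now: datetime) -> str:
        for rule in self.rules:
            if rule.matches(dst_ip, now):
                return rule.action
        return "deny"


class VlanAcl:
    """The vacl binding: one ACL per (VLAN, direction), applied to every member port."""

    def __init__(self) -> None:
        self.bindings: Dict[Tuple[int, str], ExtendedAcl] = {}

    def bind(self, vlan: int, direction: str, acl: ExtendedAcl) -> None:
        self.bindings[(vlan, direction)] = acl

    def decide(self, vlan: int, direction: str, dst_ip: str, now: datetime) -> str:
        acl = self.bindings.get((vlan, direction))
        return "permit" if acl is None else acl.evaluate(dst_ip, now)


def working_hours() -> TimeRange:
    """Constructed time-range t1: 09:00-18:00 on working days."""
    return TimeRange("t1", time(9, 0), time(18, 0))


def build_policies(t1: TimeRange) -> VlanAcl:
    """vacl_b is the page's rule set; vacl_a's permits around the time-ranged deny are assumed."""
    internal = ipaddress.ip_network("192.168.1.0/24")   # 'any-source 192.168.1.0 0.0.0.255'
    vacl_a = ExtendedAcl("vacl_a", [Rule("permit", internal),
                                    Rule("deny", None, t1),
                                    Rule("permit", None)])
    vacl_b = ExtendedAcl("vacl_b", [Rule("permit", internal),
                                    Rule("deny", None)])
    policy = VlanAcl()
    policy.bind(1, "in", vacl_a)
    policy.bind(2, "in", vacl_b)
    return policy


def decide_at(policy: VlanAcl, vlan: int, dst_ip: str,
              year: int, month: int, day: int, hour: int, minute: int = 0) -> str:
    return policy.decide(vlan, "in", dst_ip, datetime(year, month, day, hour, minute))
```

Note that a time-ranged rule that is inactive is skipped rather than treated as a deny, which is why the ordering of `vacl_a` matters: the explicit `permit any` after it is what opens the outside network once t1 ends.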
Chapter 52 SAVI Configuration
52.1 Introduction to SAVI
SAVI (Source Address Validation Improvement) is a security authentication method that provides node-level granularity of source address validation. It obtains trusted node information (such as port and MAC address information), namely anchor information, by monitoring the interaction of the relevant protocol packets (such as the ND protocol and DHCPv6 protocol) using the CPS (Control Packet Snooping) mechanism.
1. Enable or disable SAVI function
Command / Explanation (Global mode)
savi enable / no savi enable: Enable the global SAVI function; the no command disables the function.
2. Enable or disable application scene function for SAVI
Command / Explanation (Global mode)
savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable / no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable: Enable the application scene function for SAVI; the no command disables the function.
3.
no savi max-dad-prepare-delay: ... restores the default value.
6. Configure the global max-slaac-life for SAVI
Command / Explanation (Global mode)
savi max-slaac-life / no savi max-slaac-life: Configure the lifetime of the dynamic slaac binding in the BOUND state; the no command restores the default value.
7.
binding, but does not limit the static binding number.
11. Configure the check mode for SAVI conflict binding
Command / Explanation (Global mode)
savi check binding mode / no savi check binding mode: Configure the check mode for conflicting bindings; the no command deletes the check mode.
12.
binding, but does not limit the static binding number.
52.3 SAVI Typical Application
In actual application, the SAVI function is usually applied on access layer switches to check the validity of node source addresses on directly connected links. There are four typical application scenes for the SAVI function: DHCP-Only, Slaac-Only, DHCP-Slaac and Static binding.
connect with port Ethernet1/12 of Switch1 and port Ethernet1/13 of Switch2, which enable the source address check function of SAVI. Ethernet1/1 and Ethernet1/2 are the uplink ports of Switch1 and Switch2 respectively and enable the DHCP trust and ND trust functions. Aggregation switch Switch3 enables the DHCPv6 server function and route advertisement function.
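The forwarding decisions an access switch makes in this topology, as an added example covering both the IPv6 security RA function of Chapter 47 and the SAVI binding check of this chapter; it is not the switch's implementation. Uplink ports are trusted (RAs accepted, DHCP/ND trust, no source check); on other ports an RA is dropped and a data packet is forwarded only when (port, MAC, source address) matches a binding snooped from DHCPv6 or SLAAC within the configured scene, or a static binding, subject to the port's dynamic binding limit. Port names follow the scenario; MACs, addresses and the limit value are constructed.

```python
from typing import Dict, Optional, Set, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
Binding = Tuple[str, str, str]        # (port, MAC, IPv6 address) anchor
SCENES = {"dhcp-only": {"dhcpv6"}, "slaac-only": {"slaac"}, "dhcp-slaac": {"dhcpv6", "slaac"}}


class Ipv6AccessPolicy:
    """Two checks an access switch applies to IPv6 frames from subscriber ports:
    security RA drops Router Advertisements on distrusted ports, and SAVI forwards a
    packet only when (port, MAC, source address) matches a snooped or static binding."""

    def __init__(self, security_ra: bool, savi_scene: Optional[str]) -> None:
        if savi_scene is not None and savi_scene not in SCENES:
            raise ValueError("unknown SAVI scene")
        self.security_ra = security_ra
        self.savi_scene = savi_scene          # None means SAVI disabled
        self.trusted: Set[str] = set()        # uplinks: RA accepted, DHCP/ND trust, no SAVI check
        self.bindings: Set[Binding] = set()
        self.static: Set[Binding] = set()
        self.binding_limit: Dict[str, int] = {}

    def trust(self, port: str) -> None:
        self.trusted.add(port)

    def set_binding_limit(self, port: str, maximum: int) -> None:
        self.binding_limit[port] = maximum

    def add_static(self, port: str, mac: str, ip: str) -> None:
        self.static.add((port, mac.lower(), ip.lower()))

    def learn_binding(self, port: str, mac: str, ip: str, source: str) -> bool:
        """Install an anchor learned by control-packet snooping; source is 'dhcpv6' or 'slaac'.
        Bindings from a mechanism outside the configured scene are refused, as are bindings
        beyond the port's dynamic limit (static bindings do not count)."""
        if self.savi_scene is None or source not in SCENES[self.savi_scene]:
            return False
        dynamic_on_port = sum(1 for b in self.bindings if b[0] == port)
        if port in self.binding_limit and dynamic_on_port >= self.binding_limit[port]:
            return False
        self.bindings.add((port, mac.lower(), ip.lower()))
        return True

    def check(self, port: str, src_mac: str, src_ip: str,
              icmpv6_type: Optional[int] = None) -> Tuple[bool, str]:
        """Forwarding decision for one frame; returns (forward?, reason)."""
        if (icmpv6_type == ICMPV6_ROUTER_ADVERTISEMENT and self.security_ra
                and port not in self.trusted):
            return False, "ra-on-distrusted-port"
        if self.savi_scene is not None and port not in self.trusted:
            if src_ip == "::":
                # DAD neighbour solicitations use the unspecified source before any
                # binding can exist; a real implementation rate-limits these.
                return True, "dad-probe"
            key = (port, src_mac.lower(), src_ip.lower())
            if key not in self.bindings and key not in self.static:
                return False, "savi-no-binding"
        return True, "ok"
```

The scene setting matters for detection as much as for filtering: in a dhcp-only deployment a SLAAC-derived address showing up on a subscriber port is not just unbound, it signals a host or rogue router that is bypassing DHCPv6.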
If a node binding cannot be set for a new user after configuring a bigger binding limit, please check whether the direct-link port is configured with the corresponding binding number, and whether the binding number for the same MAC address has reached the maximum. If the binding number exceeds the max binding limit, it is recommended to configure a bigger binding limit.
Chapter 53 MRPP Configuration
53.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet loop protection. It can avoid the broadcast storm caused by a data loop on an Ethernet ring, and restore communication among every node on the ring network when the Ethernet ring has a broken link. MRPP is an expansion of EAPS (Ethernet link automatic protection protocol).
Each switch is a node on the Ethernet ring. There are the following node types:
Primary node: each ring has a primary node; it is the main node that detects and defends the ring.
Transfer node: except for the primary node, the other nodes on each ring are transfer nodes.
The node role is determined by user configuration. As shown in Fig 1 1, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
4.
LINK-DOWN-FLUSH_FDB packet: After the primary node detects a ring failure or receives a LINK-DOWN packet, it opens the blocked secondary port and then sends the packet from both ports, to inform each transfer node to refresh its own MAC address table.
LINK-UP-FLUSH_FDB packet: After the primary node detects that the ring failure has been restored, it sends the packet from the primary port and informs each transfer node to refresh its own MAC address table.
53.1.3 MRPP Protocol Operation System
1.
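The primary node's behaviour described by these packet types, as an added state-machine example that is not the switch's code: the primary node polls the ring with HELLO on its primary port, declares a failure when HELLO stops returning on the secondary port or when a LINK-DOWN report arrives, unblocks the secondary port and sends LINK-DOWN-FLUSH_FDB, then re-blocks the port and sends LINK-UP-FLUSH_FDB once HELLO returns. The number of missed polls that counts as a failure is my assumption; the manual does not give it.

```python
from dataclasses import dataclass, field
from typing import List

HELLO = "HELLO"
LINK_DOWN_FLUSH_FDB = "LINK-DOWN-FLUSH_FDB"
LINK_UP_FLUSH_FDB = "LINK-UP-FLUSH_FDB"


@dataclass
class PrimaryNode:
    """Primary node of one MRPP ring. It sends HELLO out of the primary port every poll
    interval and expects it back on the secondary port; while the ring is healthy the
    secondary port stays blocked so that no loop exists."""
    ring_id: int
    fail_threshold: int = 3        # missed HELLOs before a failure is declared (assumed value)
    secondary_blocked: bool = True
    ring_failed: bool = False
    missed: int = 0
    sent: List[str] = field(default_factory=list)

    def poll(self, hello_returned: bool) -> None:
        """One query interval (the mrpp poll-time)."""
        self.sent.append(HELLO)
        if hello_returned:
            self.missed = 0
            if self.ring_failed:
                self._restore()
        else:
            self.missed += 1
            if self.missed >= self.fail_threshold:
                self._fail()

    def receive_link_down(self) -> None:
        """A transfer node reported a broken link: react at once instead of waiting for the timeout."""
        self._fail()

    def _fail(self) -> None:
        if self.ring_failed:
            return
        self.ring_failed = True
        self.secondary_blocked = False           # open the secondary port to restore connectivity
        self.sent.append(LINK_DOWN_FLUSH_FDB)    # from both ports: every node relearns MACs

    def _restore(self) -> None:
        self.ring_failed = False
        self.secondary_blocked = True            # block again so the closed ring has no loop
        self.sent.append(LINK_UP_FLUSH_FDB)      # from the primary port


def failure_and_recovery(ring_id: int = 4000) -> List[str]:
    """Constructed timeline: healthy ring, a link break is reported, the link is repaired."""
    node = PrimaryNode(ring_id)
    node.poll(True)
    node.receive_link_down()
    node.poll(False)          # still broken: nothing new beyond the HELLO
    node.poll(True)           # HELLO comes back on the secondary port: ring restored
    return node.sent
```

The flush messages are the part worth remembering when troubleshooting: after either transition every switch on the ring must relearn MAC addresses, so a short burst of flooding right after a link event is expected, whereas a persistent storm points at a mis-configured node (see 53.4).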
53.2 MRPP Configuration Task List
1. Globally enable MRPP
2. Configure MRPP ring
3. Configure the query time of MRPP
4. Configure the compatible mode
5. Display and debug MRPP relevant information
1. Globally enable MRPP
Command / Explanation (Global Mode)
mrpp enable / no mrpp enable: Globally enable and disable MRPP.
2. Configure MRPP ring
Command / Explanation (Global Mode)
mrpp ring / no mrpp ring: Create MRPP ring. The “no” command deletes the MRPP ring and its configuration.
no mrpp ring secondary-port
3. Configure the query time of MRPP
Command / Explanation (Global Mode)
mrpp poll-time <20-2000>: Configure the query interval of MRPP.
4. Configure the compatible mode
Command / Explanation (Global Mode)
mrpp errp compatible / no mrpp errp compatible: Enable the compatible mode for ERRP; the no command disables the compatible mode.
mrpp eaps compatible / no mrpp eaps compatible: Enable the compatible mode for EAPS; the no command disables the compatible mode.
53.3 MRPP Typical Scenario
[Figure: MRPP typical configuration scenario (SWITCH A Master Node, SWITCH B, SWITCH C, SWITCH D, ports E1 and E2, MRPP Ring 4000)]
The above topology is common when using the MRPP protocol. Multiple switches constitute a single MRPP ring: all of the switches are configured with only MRPP ring 4000, thereby forming a single MRPP ring. In the above configuration, SWITCH A is configured as the primary node of MRPP ring 4000, with E1/1 as the primary port and E1/2 as the secondary port.
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#
SWITCH B configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#
SWITCH
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#
53.4 MRPP Troubleshooting
The normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise it is very possible to form a loop and a broadcast storm. When configuring the MRPP ring, you had better disconnect the ring, wait until each switch is configured, and then close the ring.
Chapter 54 ULPP Configuration
54.1 Introduction to ULPP
Each ULPP group has two uplink ports: the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state; the other port is blocked in the Standby state. When the master port has a link problem, the master port goes to the Down state, and the slave port is switched to the Forwarding state.
problem, the preemption delay mechanism is introduced, and the master port waits for some time before preempting the slave port. To keep the flows continuous, the master port does not preempt by default, but turns into the Standby state. When configuring ULPP, the VLANs protected by this ULPP group must be specified through MSTP instances, and ULPP does not protect other VLANs.
[Figure: VLAN load balance]
54.2 ULPP Configuration Task List
1. Create ULPP group globally
2. Configure ULPP group
3. Show and debug the relating information of ULPP
1. Create ULPP group globally
Command / Explanation (Global mode)
ulpp group / no ulpp group: Configure and delete the ULPP group globally.
2.
control vlan / no control vlan: Configure the control VLAN for sending; the no operation restores the default value 1.
protect vlan-reference-instance / no protect vlan-reference-instance: Configure the protection VLANs; the no operation deletes the protection VLANs.
flush enable mac / flush disable mac: Enable or disable sending the flush packets which update MAC addresses.
flush enable arp / flush disable arp: Enable or disable sending the flush packets which delete ARP entries.
{ethernet | } packets.
show ulpp flush-receive-port
    Show the flush type and control VLAN received by the port.
clear ulpp flush counter interface
    Clear the statistic information of the flush packets.
debug ulpp flush {send | receive} interface; no debug ulpp flush {send | receive} interface
    Show the information of the received and sent flush packets; the no operation disables the shown information.
the master port and the slave port of the ULPP group. When both the master port and the slave port are up, the slave port is set to the Standby state and does not forward data packets. When the master port is down, the slave port is set to the Forwarding state and the uplink switches over to it. SwitchB and SwitchC can enable the command that receives the flush packets; used together with the ULPP protocol running on SwitchA, this switches the uplink immediately and reduces the switchover delay.
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/2
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#ulpp flush enable mac
Switch(config-If-Ethernet1/2)#ulpp flush enable arp
Switch(config-If-Ethernet1/2)#ulpp control vlan 10

54.3.2 ULPP Typical Example2
[Figure: ULPP typical example2, showing SwitchA, SwitchB, SwitchC and SwitchD, ports E1/1 and E1/2, and VLANs 1-100 and 101-200]
ULPP can implement the VLAN-based load balance.
Switch(Config-Mstp-Region)#exit
Switch(Config)#ulpp group 1
Switch(ulpp-group-1)#protect vlan-reference-instance 1
Switch(ulpp-group-1)#preemption mode
Switch(ulpp-group-1)#exit
Switch(Config)#ulpp group 2
Switch(ulpp-group-2)#protect vlan-reference-instance 2
Switch(ulpp-group-2)#preemption mode
Switch(ulpp-group-2)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#switchport mode trunk
Switch(config-If-Ethernet1/1)#ulpp group 1 master
Switch(config-If-Ethernet1/1)#ulpp group 2 slave
of 3 minutes and the configuration information, send them to our technical service center.
+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
Chapter 55 ULSM Configuration
55.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports; there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group. The uplink port is the monitored port of the ULSM group.
[Figure: ULSM usage scenario]

55.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the relating information of ULSM

1. Create ULSM group globally
Command / Explanation (Global mode)
ulsm group; no ulsm group
    Configure and delete ULSM group globally.
2.
Command / Explanation (Admin mode)
show ulsm group [group-id]
    Show the configuration information of the ULSM group.
debug ulsm event; no debug ulsm event
    Show the event information of ULSM; the no operation disables the shown information.

55.3 ULSM Typical Example
[Figure: ULSM typical example, showing SwitchA, SwitchB, SwitchC and SwitchD with ports E1/1, E1/2, E1/3 and E1/4]
The above topology is the typical application environment in which the ULSM and ULPP protocols are used together.
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#ulpp group 1 master
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)#ulpp group 1 slave
Switch(config-If-Ethernet1/2)#exit
SwitchB configuration task list:
Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#ulsm group 1 downlink
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface ethernet 1/3
Switch(config-If-Ethernet1/3)#ulsm group
Chapter 56 Mirror Configuration
56.1 Introduction to Mirror
Mirror functions include the port mirror, CPU mirror and flow mirror functions. Port mirror refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port.
2. Specify mirror source port (CPU)
Command / Explanation (Global mode)
monitor session source {interface | cpu} {rx | tx | both}; no monitor session source {interface | cpu}
    Specifies the mirror source port; the no command deletes the mirror source port.
3.
Switch(config)#monitor session 1 source cpu
Switch(config)#access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
Switch(config)#monitor session 1 source interface ethernet 1/15 access-list 120 rx

56.4 Device Mirror Troubleshooting
If problems occur when configuring port mirroring, please check the following first for causes: whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
Chapter 57 sFlow Configuration
57.1 Introduction to sFlow
sFlow (RFC 3176) is a standards-based network export protocol developed by the InMon Company and used for monitoring network traffic information. The monitored switch or router sends data to the client analyzer through its main operations, sampling and statistics; the analyzer then analyzes the data according to the user's requirements so as to monitor the network.
port value and deletes the IP address.
2. Configure the sFlow proxy address
Command / Explanation (Global Mode)
sflow agent-address; no sflow agent-address
    Configure the source IP address applied by the sFlow proxy; the "no" form of the command deletes this address.
3.
no sflow rate [input | output] command deletes the rate value.
7. Configure the sFlow statistic sampling interval
Command / Explanation (Port Mode)
sflow counter-interval; no sflow counter-interval
    Configure the max interval at which sFlow performs statistic sampling. The "no" form of this command deletes
8.
Switch(Config-If-Ethernet1/1)#sflow counter-interval 20
Switch(Config-If-Ethernet1/1)#exit
Switch(config)#interface ethernet1/2
Switch(Config-If-Ethernet1/2)#sflow rate input 20000
Switch(Config-If-Ethernet1/2)#sflow rate output 20000
Switch(Config-If-Ethernet1/2)#sflow counter-interval 40

57.4 sFlow Troubleshooting
When configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc.
Chapter 58 RSPAN Configuration
58.1 Introduction to RSPAN
Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. Mirroring makes it more convenient for the network administrator to monitor, manage and diagnose the network.
order not to forward RSPAN datagrams to external networks. The normal mode has the benefit of easy configuration and reduced system resource usage. Note: normal mode is used by default. When using the normal mode, datagrams with reserved MAC addresses cannot be broadcast. For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured.
58.2 RSPAN Configuration Task List
1. Configure RSPAN VLAN
2. Configure mirror source port (cpu)
3. Configure mirror destination port
4. Configure reflector port
5. Configure remote VLAN of mirror group

1. Configure RSPAN VLAN
Command / Explanation (VLAN Configuration Mode)
remote-span; no remote-span
    To configure the specified VLAN as the RSPAN VLAN. The no command will remove the RSPAN VLAN configuration.
2.
monitor session reflector-port; no monitor session reflector-port
    To configure the interface as the reflector port; the no command deletes the reflector port.
5. Configure remote VLAN of mirror group
Command / Explanation (Global Mode)
monitor session remote vlan; no monitor session remote vlan
    To configure the remote VLAN of the mirror group; the no command deletes the remote VLAN of the mirror group.
58.
much more flexible. The normal mode configuration is shown below:
Solution 1:
Source switch: Interface ethernet 1/1 is the source port for mirroring. Interface ethernet 1/2 is the destination port, which is connected to the intermediate switch. RSPAN VLAN is 5.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode trunk
Switch(Config-If-Ethernet1/9)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/10)#exit
Solution 2:
Source switch: Interface ethernet 1/1 is the source port. Interface ethernet 1/2 is the TRUNK port, which is connected to the intermediate switch.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/6-7
Switch(Config-If-Port-Range)#switchport mode trunk
Switch(Config-If-Port-Range)#exit
Destination switch: Interface ethernet1/9 is the source port, which is connected to the source switch. Interface ethernet1/10 is the destination port, which is connected to the monitor. This port is required to be configured as an access port and to belong to the RSPAN VLAN. RSPAN VLAN is 5.
Chapter 59 ERSPAN
59.1 Introduction to ERSPAN
ERSPAN (Encapsulated Remote Switched Port Analyzer) eliminates the limitation that the source port and the destination port must be located on the same switch. This feature makes it possible for the source port and the destination port to be located on different devices in the network, and makes it easier for the network administrator to manage remote switches.
tunnel no monitor session destination tunnel command deletes the mirror destination tunnel. 3.
Before configuring layer-3 remote port mirroring, make sure that you have created a GRE tunnel that connects the source and destination devices, and ensure that the GRE tunnel transmits normally. The configuration of layer-3 remote port mirroring needs to be performed on the source and destination devices respectively. Source and destination ports are configured on both the source and destination devices; the differences are as follows:
1.
SwitchB(config-router)#exit
(4) Configure Device C (the destination device)
# Create interface Tunnel1, and configure an IP address and mask for it.
SwitchC(config)#interface tunnel 1
SwitchC(config-if-tunnel1)#tunnel mode gre ip
SwitchC(config-if-tunnel1)#ip address 50.1.1.2 255.255.255.0
# Configure Tunnel1 to operate in GRE tunnel mode, and configure source and destination IP addresses for it.
SwitchC(config-if-tunnel1)#tunnel source 40.1.1.1
SwitchC(config-if-tunnel1)#tunnel destination 10.1.1.
Chapter 60 SNTP Configuration
60.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet worldwide. NTP can assess packet sending/receiving delay in the network and estimate the computer's clock deviation independently, so as to achieve high accuracy in network computer clock synchronization. In most cases, NTP can provide an accuracy of 1 to 50 ms depending on the characteristics of the synchronization source and the network route.
60.2 Typical Examples of SNTP Configuration
[Figure: Typical SNTP Configuration, showing two SNTP/NTP servers and several switches]
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there should be a reachable route between any switch and the two SNTP/NTP servers.
Example: Assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.
Chapter 61 NTP Function Configuration
61.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can achieve millisecond precision. The events, states, transmit functions and actions are defined in RFC 1305. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network so that the devices can provide diverse applications based on the consistent time.
ntp server { | } [version ] [key ]; no ntp server { | }
    To enable the specified time server as the time source.
3. To configure the max number of broadcast or multicast servers supported by the NTP client
Command / Explanation (Global Mode)
ntp broadcast server count; no ntp broadcast server count
    Set the max number of broadcast or multicast servers supported by the NTP client.
7. To specify an interface as the NTP multicast client interface
Command / Explanation (VLAN Configuration Mode)
ntp multicast client; no ntp multicast client
    To configure the specified interface to receive NTP multicast packets.
ntp ipv6 multicast client; no ntp ipv6 multicast client
    To configure the specified interface to receive IPv6 NTP multicast packets.
8.
debug ntp events; no debug ntp events
    To enable the debug switch of NTP event information.
61.
send the recorded message to the technical service center.
Chapter 62 Summer Time Configuration
62.1 Introduction to Summer Time
Summer time, also called daylight saving time, is a time system for saving energy. In summer the clock is advanced by 1 hour to make use of the early daylight hours and reduce lighting, so as to save electricity. The rules for adopting summer time differ from country to country. At present, almost 110 countries implement summer time.
to 00:00 on October 1st, 2012, with a clock offset of 1 hour, and the summer time is named 2012. The configuration procedure is as follows:
Switch(config)#clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1
Example2: The configuration requirement is as follows: summer time from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October every year, with a clock offset of 2 hours, and the summer time is named time_travel.
Chapter 63 DNSv4/v6 Configuration
63.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember and meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses. There are two types of DNS service, static and dynamic, which supplement each other in application.
mapping them to Internet Protocol (IP) networks by designating authoritative name servers for each domain to keep track of their own changes, avoiding the need for a central register to be continually consulted and updated. In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain.
ip domain-list; no ip domain-list
    To configure/delete the domain name suffix.
4. To delete the domain entry of a specified address in the dynamic cache
Command / Explanation (Admin Mode)
clear dynamic-host { | | all}
    To delete the domain entry of the specified address in the dynamic cache.
5. To enable DNS dynamic domain name resolution
Command / Explanation (Global Mode)
dns lookup {ipv4 | ipv6}
    To enable DNS dynamic domain name resolution.
6.
show dns name-server
    To show the configured DNS server information.
show dns domain-list
    To show the configured DNS domain name suffix information.
show dns hosts
    To show the dynamic domain name information resolved by the switch.
show dns config
    Display the configured global DNS information on the switch.
show dns client
    Display the DNS client information maintained by the switch.
[Figure: DNS SERVER typical environment; client, switch, Internet and a DNS server with IP 219.240.250.101 and IPv6 2001::1]
The figure above is an application of DNS SERVER. Under some circumstances, the client PC does not know the real DNS SERVER and points to the switch instead. The switch plays the role of a DNS SERVER in two steps: enable the global DNS SERVER function and configure the IP address of the real DNS server.
Second, check that all interfaces and link protocols are in the UP state (use the "show interface" command). Then please make sure that the DNS dynamic lookup function is enabled (use the "ip domain-lookup" command) before enabling the DNS CLIENT function.
Chapter 64 Monitor and Debug
When users configure the switch, they need to verify whether the configuration is correct and the switch is operating as expected, and in case of network failure, they also need to diagnose the problem. The switch provides various debug commands including ping, telnet, show and debug, etc. to help users check the system configuration and operating status and locate the causes of problems.
64.
64.4 Traceroute6
The Traceroute6 function is used to test the gateways passed through by data packets from the source equipment to the destination equipment, to verify reachability and locate network failures. The principle of Traceroute6 under IPv6 is the same as that under IPv4: it relies on the hop limit field of the IPv6 header together with ICMPv6. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and packet send time) whose HOPLIMIT is set to 1.
which is normally the configuration file applied the next time the switch starts up.
show switchport interface [ethernet ]
    Display the VLAN port mode and the VLAN number the port belongs to, as well as the Trunk port information.
show tcp; show tcp ipv6
    Display the TCP connections currently established on the switch.
show udp; show udp ipv6
    Display the UDP connections currently established on the switch.
The log information is classified into four severity levels, by which the information is filtered. According to the severity level, the log information can be output automatically to the corresponding log channel.
64.7.1.
syslog or similar applications on a PC. The log information is classified into eight classes by severity or emergency level, one level per value; the higher the emergency level of the log information, the smaller its value. For example, the level of critical is 2, warning is 4 and debugging is 7, so critical is higher than warning, which in turn is higher than debugging.
logging buffered command. To clear the log saved in NVRAM and the SDRAM log buffer, use the clear logging command.
64.7.2 System Log Configuration
System Log Configuration Task Sequence:
1. Display and clear log buffer zone
2. Configure the log host output channel
3. Enable/disable the log executed-commands
4. Display the log source
5. Display executed-commands state

1.
4. Display the log source
Command / Description (Admin and configuration mode)
show logging source mstp
    Show the log information source of the MSTP module.
5. Display executed-commands state
Command / Description (Admin mode)
show logging executed-commands state
    Show the state of logging executed-commands.
64.7.3 System Log Configuration Example
Example 1: The IPv4 address of the switch on the management VLAN is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5.
Chapter 65 Reload Switch after Specified Time
65.1 Introduction to Reload Switch after Specified Time
Reload switch after specified time reboots the switch, without shutting down its power, after a specified period of time, usually when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
65.
Chapter 66 Debugging and Diagnosis for Packets Received and Sent by CPU 66.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU The following commands are used to debug and diagnose the packets received and sent by CPU, and are supposed to be used with the help of the technical support. 66.
Chapter 67 dying gasp Configuration
67.1 Introduction to dying gasp
dying gasp is a power failure alarm function. It means that in the case of a power failure, the switch can still send information through its Ethernet ports to notify the other switch that it has lost power. dying gasp is enabled by default, but it runs normally only together with the SNMP management function. Therefore a layer 3 interface should be configured on the switch and connected to the SNMP management server, and the SNMP trap should be configured accordingly.
Chapter 68 PoE Configuration 68.1 Introduction to PoE PoE (Power over Ethernet) is a technology to provide direct currents for some IP-based terminals (such as IP phones, APs of wireless LANs and network cameras) while transmitting data to them. Such DC-receiving devices are called PD (Powered Device). The max distance of reliable power supply provided by PoE is 100 meters. IEEE 802.
2. Globally set the max output power
Command / Explanation (Global Mode)
power inline max; no power inline max
    Globally set the max output power of PoE.
3. Globally set the power management mode
Command / Explanation (Global Mode)
power inline police enable; no power inline police enable
    Enable/disable the power priority management policy mode. Disabling the power priority management policy mode is not supported by the switch.
4.
no power inline enable
7. Set the max output power on specified ports
Command / Explanation (Port Mode)
power inline max; no power inline max
    Set the max output power on specified ports.
8. Set the power priority on specified ports
Command / Explanation (Port Mode)
power inline priority {critical | high | low}
    Set the power priority on specified ports.
68.
Configuration Steps:
Globally enable PoE:
Switch(Config)#power inline enable
Globally set the max power to 150W:
Switch(Config)#power inline max 150
Globally enable the priority policy of power management:
Switch(Config)#power inline police enable
Set the priority of Port 1/2 to critical:
Switch(Config-Ethernet1/2)#power inline priority critical
Set the max output power of Port 1/6 to 9000mW:
Switch(Config-Ethernet1/6)#power inline max 9000
68.
without affecting other devices. Such a power supply buffer of 10W is designed for power source protection and calls for special attention. The displayed value of Power might exceed the value of Max.