EM-WGSW-52040 Configuration Guide_v1.0
Contents
1. … 44-164
44.1 Introduction to AM Function  44-164
44.2 AM Function Configuration Task List  44-164
44.3 AM Function Example  44-166
44.4 AM Function Troubleshooting  44-167
Chapter 45 Security Feature Configuration  45-168
45.1 Introduction to Security Feature  45-168
45.2 Security Feature Configuration  45-168
45.2.1 Prevent IP Spoofing Function Configuration Task Sequence  45-168
45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence  45-169
45.2.3 Anti Port Cheat Function Configuration Task Sequence  45-169
45.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence  45-169
45.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence  45-170
45.3 Security Feature  45-170
Chapter 46 TACACS+ Configuration  46-171
46.1 Introduction to TACACS+  46-171
46.2 TACACS+ Configuration Task List
2. [Figure 42-12 The Authentication Flow of 802.1x EAP Termination Mode: EAP Request/Identity, handshake and response packets; port unauthorized and port authorized states]
42.1.6 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
- Supports applications in which one physical port can have more than one user.
- There are three access control methods (the methods used to authenticate users): port-based, MAC-based and user-based (IP address + MAC address + port).
When the port-based method is used, as long as the first user of this port passes the authentication, all the other users can access the network resources without being authenticated. However, once the first user is offline, the network won't be available to any of the other users.
When the MAC-based method is used, all the users accessing a port must be authenticated separately; only those who pass the authentication can access the network, while the others cannot. When one user goes offline, the other users are not affected.
When the user-based (IP address + MAC address + port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced cont
3. Switch3(config)#spanning-tree mst 3 priority 0
Switch4#
Switch4(config)#vlan 20
Switch4(Config-Vlan20)#exit
Switch4(config)#vlan 30
Switch4(Config-Vlan30)#exit
Switch4(config)#vlan 40
Switch4(Config-Vlan40)#exit
Switch4(config)#vlan 50
Switch4(Config-Vlan50)#exit
Switch4(config)#spanning-tree mst configuration
Switch4(Config-Mstp-Region)#name mstp
Switch4(Config-Mstp-Region)#instance 3 vlan 20;30
Switch4(Config-Mstp-Region)#instance 4 vlan 40;50
Switch4(Config-Mstp-Region)#exit
Switch4(config)#interface e1/1-7
Switch4(Config-Port-Range)#switchport mode trunk
Switch4(Config-Port-Range)#exit
Switch4(config)#spanning-tree
Switch4(config)#spanning-tree mst 4 priority 0
After the above configuration, Switch is the root bridge of instance 0 of the entire network. In the MSTP region to which Switch2, Switch3 and Switch4 belong, Switch2 is the region root of instance 0, Switch3 is the region root of instance 3, and Switch4 is the region root of instance 4. The traffic of VLAN 20 and VLAN 30 is sent through the topology of instance 3; the traffic of VLAN 40 and VLAN 50 is sent through the topology of instance 4; and the traffic of the other VLANs is sent through the topology of instance 0. Port 1 of Switch2 is the master port of instance 3 and instance 4. The MSTP calculation generates three topologies: instance 0, instance 3 and instance 4.
4. Switch(Config-If-Ethernet1/10)#mac-ip access-group 3110 in
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch#show access-lists
access-list 3110 (used 1 time(s))
  access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
  access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch#show access-group interface ethernet 1/10
interface name: Ethernet1/10
  MAC-IP Ingress access-list used is 3110, traffic-statistics Disable.
Scenario 4: The configuration requirement is stated as below. The IPv6 protocol runs on interface 600 of the switch, and the IPv6 network address is 2003:1:1:1::0/64. Users in the 2003:1:1:1:66::0/80 subnet should be prevented from accessing the outside network.
Configuration description:
1. Create the corresponding access list
2. Configure datagram filtering
3. Bind the ACL to the related interface
The configuration steps are listed as below:
Switch(config)#ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-destination
Switch(config)#ipv6 access-list 600 deny 2003:1:1:1::0/64 any-destination
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#exit
Switch(Config-If-Ethernet1/10)#ipv6 access-group 600 in
Switch(config)#exit
Configuration result:
Switch#show
5. …<ipv6-address>
3. To configure the max number of broadcast or multicast servers supported by the NTP client
Global Mode:
ntp broadcast server count <number>
no ntp broadcast server count
  Set the max number of broadcast or multicast servers supported by the NTP client. The no operation cancels the configuration and restores the default value.
4. To configure the time zone
Global Mode:
clock timezone WORD {add | subtract} <0-23> [<0-59>]
no clock timezone WORD
  This command configures the time zone in global mode; the no command deletes the configured time zone.
5. To configure the NTP access control list
Global Mode:
ntp access-group server <acl>
no ntp access-group server <acl>
  To configure the NTP server access control list.
6. To configure NTP authentication
Global Mode:
ntp authenticate
no ntp authenticate
  To enable the NTP authentication function.
ntp authentication-key <key-id> md5 <value>
no ntp authentication-key <key-id>
  To configure the authentication key for NTP authentication.
ntp trusted-key <key-id>
no ntp trusted-key <key-id>
  To configure a trusted key.
7. To specify an interface as an NTP multicast client interface
VLAN Configuration Mode:
ntp multicast client
no ntp multicast client
  To configure the specified interface to receive NTP multica
6. …auto-to-user
no cluster member {id <member-id> | mac-address <mac-addr>}
  Add or remove a member switch.
3. Configure attributes of the cluster in the commander switch
Global Mode:
cluster auto-add
no cluster auto-add
  Enable or disable adding newly discovered candidate switches to the cluster.
cluster member auto-to-user
  Change automatically added cluster members into manually added ones.
cluster keepalive interval <second>
no cluster keepalive interval
  Set the keep-alive interval of the cluster.
cluster keepalive loss-count <int>
no cluster keepalive loss-count
  Set the max number of lost keep-alive messages that can be tolerated in the cluster.
clear cluster nodes [nodes-sn <candidate-sn-list> | mac-address <mac-addr>]
  Clear nodes in the list of candidate switches maintained by the switch.
4. Configure attributes of the cluster in the candidate switch
Global Mode:
cluster keepalive interval <second>
no cluster keepalive interval
  Set the keep-alive interval of the cluster.
cluster keepalive loss-count <int>
no cluster keepalive loss-count
  Set the max number of lost keep-alive messages that can be tolerated in the cluster.
5. Remote cluster network management
Admin Mode:
rcommand member <member-id>
  In the commander switch, this command is used to configure and manage member switches. In the member switch
7. …{ethernet | port-channel} <interface-name>
4. Configure MAC learning through CPU control
Global Mode:
mac-address-learning cpu-control
no mac-address-learning cpu-control
  Enable MAC learning through CPU control; the no command restores automatic MAC address learning by the chip.
Admin Mode:
show collision-mac-address-table
  Show the hash collision MAC table.
clear collision-mac-address-table
  Clear the hash collision MAC table.
21.3 Typical Configuration Examples
[Figure 22-3 MAC Table typical configuration example: four PCs on ports 1/5, 1/7, 1/9 and 1/11 with MAC addresses 00-01-11-11-11-11, 00-01-22-22-22-22, 00-01-33-33-33-33 and 00-01-44-44-44-44]
Scenario: Four PCs, as shown in the above figure, connect to ports 1/5, 1/7, 1/9 and 1/11 of the switch; all four PCs belong to the default VLAN 1. As required by the network environment, dynamic learning is enabled. PC1 holds sensitive data and cannot be accessed by any other PC that is in another physical segment. PC2 and PC3 have static mappings set to port 1/7 and port 1/9 respectively.
The configuration steps are listed below:
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address.
Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1
2. Set the static mapping relationship for PC2 and PC3 to port 1/7 and port 1/9 respectively.
Switch(config)#mac-address-table static address 00-01-22-22-22-22 vlan 1 interface ethern
8. [Figure 40-1 Function configuration of the Multicast VLAN: multicast server, SwitchA, SwitchB, PC1, PC2 and a workstation]
As shown in the figure, the multicast server is connected to the layer 3 switch SwitchA through port 1/1, which belongs to VLAN 10 of the switch. The layer 3 switch SwitchA is connected with the layer 2 switches through port 1/10, which is configured as a trunk port. On SwitchB, VLAN 100 is configured to contain port 1/15 and VLAN 101 to contain port 1/20. PC1 and PC2 are connected to port 1/15 and port 1/20 respectively. SwitchB is connected with SwitchA through port 1/10, which is configured as a trunk port. VLAN 20 is a multicast VLAN. By configuring the multicast VLAN, PC1 and PC2 will receive the multicast data from the multicast VLAN.
The following configuration assumes that the IP address of the switch has already been configured and all the equipment is connected correctly.
Configuration procedure:
SwitchA#config
SwitchA(config)#vlan 10
SwitchA(config-vlan10)#switchport access ethernet 1/1
SwitchA(config-vlan10)#exit
SwitchA(config)#interface vlan 10
Switch(Config-if-Vlan10)#ip pim dense-mode
Switch(Config-if-Vlan10)#exit
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(Config-if-Vlan20)#ip pim dense-mode
SwitchA(Config-if-Vlan20)#exit
SwitchA(config)#ip pim multicast
SwitchA(config)#interface ethernet 1/10
SwitchA(Config-If-Ethernet1/10)#switchport mode trunk
SwitchB#config
SwitchB(config)#vla
9. …ip arp-security learnprotect
no ip arp-security learnprotect
  Enable and disable the ARP automatic learning function.
28.2.3 Function on changing dynamic ARP to static ARP
Global Mode and Port Mode:
ip arp-security convert
  Change dynamic ARP to static ARP.
28.3 Prevent ARP Spoofing Example
[Figure: a switch with four connected hosts. Equipment configuration: IP 192.168.2.4, MAC 00-00-00-00-00-04; A: IP 192.168.2.1, MAC 00-00-00-00-00-01; B: IP 192.168.4.2, MAC 00-00-00-00-00-02; C: IP 192.168.2.3, MAC 00-00-00-00-00-03]
There is normal communication between B and C in the above diagram. A wants the switch to forward the packets sent by B to itself, so it needs the switch to send the packets from B to A first. A sends an ARP reply packet to the switch in the format 192.168.2.3 / 00-00-00-00-00-01, mapping its own MAC address to C's IP, so the switch changes the mapping for that IP address when it updates its ARP list; data packets for 192.168.2.3 are then transferred to the 00-00-00-00-00-01 address (A's MAC address). A then forwards the packets it receives to C by modifying the source address and destination address, so the data exchanged between B and C is received by A without either of them noticing. Because the ARP list is updated periodically, A must also continuously send ARP reply packets to refresh the switch's ARP list.
So it is very important to protect the ARP list: configure the command to forbid ARP learning in a stable environment, and then change all dyn
10. …no policy-map <policy-map-name>
  …map mode; the no command deletes the specified policy map. After a policy map is created, it can be associated to a class.
class <class-map-name> [insert-before <class-map-name>]
no class <class-map-name>
  Different policy or DSCP values can be applied to different data streams in class mode; the no command deletes the specified class.
set {ip dscp <new-dscp> | ip precedence <new-precedence> | internal priority <new-inp> | drop precedence <new-dp> | cos <new-cos>}
no set {ip dscp | ip precedence | internal priority | drop precedence | cos}
  Assign a new DSCP, IP precedence, internal priority, drop precedence or CoS value for the classified traffic; the no command cancels the newly assigned value.
Single Bucket Mode:
policy <bits_per_second> <normal_burst_bytes> conform-action ACTION exceed-action ACTION
Dual Bucket Mode:
policy <bits_per_second> <normal_burst_bytes> pir <peak_rate_bps> <maximum_burst_bytes> conform-action ACTION exceed-action ACTION violate-action ACTION
  Configure a policy for the classified flow. The non-aggregation policy command supports three colors. Determine whether the working mode of the token bucket is single rate single bucket, single rate dual bucket or dual rate dual bucket, and set the corresponding action for the packets of each color. The no command deletes the mode configuration.
  ACTION definition: drop | transmit | set-dscp-transmit <dscp_value> | se
11. … 7-8
7.1 An Introduction to Port  7-8
7.2 Network Port Configuration Task List  7-8
7.3 Port Configuration Example  7-11
7.4 Port Troubleshooting  7-12
Chapter 8 Port Isolation Function Configuration  8-13
8.1 Introduction to Port Isolation Function  8-13
8.2 Task Sequence of Port Isolation  8-13
8.3 Port Isolation Function Typical Examples  8-14
Chapter 9 Port Loopback Detection Function Configuration  9-15
9.1 Introduction to Port Loopback Detection Function  9-15
9.2 Port Loopback Detection Function Configuration Task List  9-16
9.3 Port Loopback Detection Function Example  9-17
9.4 Port Loopback Detection Troubleshooting  9-18
Chapter 10 ULDP Function Configuration  10-19
10.1 Introduction to ULDP Function  10-19
10.2 ULDP Configuration Task Sequence  10-20
10.3 ULDP Function Typical Examples  10-23
10.4 ULDP Troubleshooting  10-24
Chapter 11 LLDP Function Operation Configuration  11-26
11.1 Introduction to LLDP Function  11-26
11.2 LLDP Function Co
12. …mac-authentication-bypass spoofing-garp-check enable
no mac-authentication-bypass spoofing-garp-check enable
  Enable the spoofing GARP check function; the MAB function will no longer process spoofing GARP. The no command disables the function.
authentication mab {radius | none}
no authentication mab
  Configure the authentication mode and priority of MAC address authentication; the no command restores the default authentication mode.
50.3 MAB Example
Example: the typical example of the MAB authentication function.
[Figure 50-1 MAB application: Update Server and RADIUS Server behind Switch2 (Eth1/1, Eth1/2, Eth1/3), Internet uplink; Switch2 Ethernet1/4 connected to Switch1 Ethernet1/4; Switch1 Eth1/1, Eth1/2, Eth1/3 connected to PC1, PC2 and a printer]
Switch1 is a layer 2 access switch and Switch2 is a layer 3 aggregation switch. Ethernet 1/1 is an access port of Switch1 that connects to PC1; it enables the 802.1x port-based function and configures the guest VLAN as VLAN 8. Ethernet 1/2 is a hybrid port that connects to PC2; the native VLAN of the port is VLAN 1, it configures the guest VLAN as VLAN 8, it joins VLAN 1, VLAN 8 and VLAN 10 with the untag method, and it enables the MAB function. Ethernet 1/3 is an access port that connects to the printer and enables the MAB function. Ethernet 1/4 is a trunk port that connects to Switch2. On Switch2, Ethernet 1/4 is a trunk port that connects to Switch1, and Ethernet 1/1 is an access port that belongs to VLAN 8 and connects to the update server to
13. FCC Warning: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
CE Mark Warning: This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
Energy Saving Note of the Device: This power-required device does not support Standby mode operation. For energy saving, please remove the power cable to disconnect the device from the power circuit. In view of saving energy and reducing unnecessary power consumption, it is strongly suggested to remove the power connection for the device if this device is not intended to be active.
WEEE Warning: To avoid the potential effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment, end users of electrical and electronic equipm
14. Port Mode:
port-group <port-group-number> mode {active | passive | on}
no port-group
  Add the ports to the port group and set their mode.
3. Enter port-channel configuration mode
Global Mode:
interface port-channel <port-channel-number>
  Enter port-channel configuration mode.
4. Set the load balance method for the port group
Aggregation port configuration mode:
load-balance {src-mac | dst-mac | dst-src-mac | src-ip | dst-ip | dst-src-ip}
  Set load balance for the port group.
5. Set the system priority of the LACP protocol
Global Mode:
lacp system-priority <system-priority>
no lacp system-priority
  Set the system priority of the LACP protocol; the no command restores the default value.
6. Set the port priority of the current port in the LACP protocol
Port Mode:
lacp port-priority <port-priority>
no lacp port-priority
  Set the port priority in the LACP protocol; the no command restores the default value.
7. Set the timeout mode of the current port in the LACP protocol
Port Mode:
lacp timeout {short | long}
no lacp timeout
  Set the timeout mode in the LACP protocol; the no command restores the default value.
12.3 Port Channel Examples
Scenario 1: Configuring Port Channel in LACP
[Figure 1: S1 and S2 connected by several parallel links]
15. Quality of Service
- 8 priority queues on all switch ports
- Supports strict priority and Weighted Round Robin (WRR) CoS policies
- Traffic classification: IEEE 802.1p CoS, ToS, IPv4/IPv6 DSCP, port-based WRR
- Strict priority and Weighted Round Robin (WRR) CoS policies
Multicast
- Supports IGMP Snooping v1, v2 and v3; MLD v1 and v2 snooping
- Querier mode support
- Supports Multicast VLAN Register (MVR)
Security
- IEEE 802.1x port-based network access authentication
- MAC-based network access authentication
- Built-in RADIUS client to co-operate with RADIUS servers for IPv4 and IPv6
- TACACS+ login user access authentication
- IP-based Access Control List (ACL)
- MAC-based Access Control List
- Supports DHCP Snooping
- Supports ARP Inspection
- IP Source Guard prevents IP spoofing attacks
Management
- Switch management interfaces: Console/Telnet command line interface, Web switch management, SNMP v1, v2c and v3 switch management, SSH/SSL secure access
- BOOTP and DHCP for IP address assignment
- Firmware upload/download via TFTP or HTTP protocol for IPv4 and IPv6
- SNTP (Simple Network Time Protocol) for IPv4 and IPv6
- User privilege level control
- Syslog server for IPv4 and IPv6
- Four RMON groups (1, 2, 3, 9): history, statistics, alarms and events
- Supports Ping / Trace route function for IPv4 and IPv6
- Management IP for IPv4 and IPv6
1.4 Product Specifications
WGSW-52040: 48-P
16. [Figure 22-2 Typical MSTP Application Scenario: SW1, SW2, SW3 and SW4 interconnected; ports marked with × are in the discarding state]
The connections among the switches are shown in the above figure. All the switches run in MSTP mode by default; their bridge priority, port priority and port route cost are all at the default values (equal). The default configuration for the switches is listed below:
Bridge MAC Address: 00-00-01, 00-00-02, 00-00-03, 00-00-04
Bridge Priority: 32768 on all four switches
Port Priority: 128 on every port
Port Route Cost: 200000 on every port
By default, MSTP establishes a tree topology (in blue lines) rooted at SwitchA. The ports marked with × are in the discarding status, and the other ports are in the forwarding status.
Configuration Steps:
Step 1: Configure port-to-VLAN mapping
- Create VLAN 20, 30, 40 and 50 in Switch2, Switch3 and Switch4
- Set ports 1-7 as trunk ports in Switch2, Switch3 and Switch4
Step 2: Put Switch2, Switch3 and Switch4 in the same MSTP region
- Set Switch2, Switch3 and Switch4 to have the same region name, mstp
- Map VLAN 20 and VLAN 30 in Switch2, Switch3 and Switch4 to Instance 3
- Map VLAN 40 and VLAN 50 in Switch2, Switch3 and Switch4 to Instance 4
Step 3: Set Switch3 as the root bridg
17. The hello interval for sending hello messages can be changed; it is 10 seconds by default and ranges from 5 to 100 seconds, so that ULDP can respond faster to connection errors of links in different network environments. But this interval should be less than 1/3 of the STP convergence time. If the interval is too long, an STP loop will be generated before ULDP discovers and shuts down the unidirectional connection port. If the interval is too short, the network burden on the port will be increased, which means reduced bandwidth.
ULDP does not handle any LACP event. It treats every link of a TRUNK group (port-channel/TRUNK ports) as independent and handles each of them separately.
ULDP is not compatible with similar protocols of other vendors, which means users cannot use ULDP on one end and another similar protocol on the other end.
The ULDP function is disabled by default. After globally enabling the ULDP function, the debug switch can be enabled at the same time to check the debug information. Several DEBUG commands are provided to print debug information, such as information on events, the state machine, errors and messages. Different types of message information can also be printed according to different parameters.
The recovery timer is disabled by default and will only be enabled when the user has configured a recovery time (30-86400 seconds).
The reset command and reset mechanism can only reset the ports automatically shut down by ULDP. The port
18. …command deletes the RADIUS accounting
no radius-server authentication host <ipv4-address | ipv6-address>
radius-server accounting host <ipv4-address | ipv6-address> [port <port-number>] [key {0 | 7} <string>] [primary]
no radius-server accounting host <ipv4-address | ipv6-address>
  Specifies the IPv4/IPv6 address, the port number, and whether it is the primary server for the RADIUS accounting server; the no command deletes the RADIUS accounting server.
4. Configure the parameters of the RADIUS service
Global Mode:
radius-server dead-time <minutes>
no radius-server dead-time
  To configure the interval after which a RADIUS server becomes available again once it is down. The no form of this command restores the default configuration.
radius-server retransmit <retries>
no radius-server retransmit
  To configure the retry count for RADIUS packets. The no form of this command restores the default configuration.
radius-server timeout <seconds>
no radius-server timeout
  To configure the timeout value for the RADIUS server. The no form of this command restores the default configuration.
radius-server accounting-interim-update timeout <seconds>
no radius-server accounting-interim-update timeou
19. …ethernet <IFname>
10.3 ULDP Function Typical Examples
[Figure 10-3 Fiber Cross Connection: Switch A and Switch B, with PC1 and PC2 attached]
In the network topology in the graph, ports g1/1 and g1/2 of SWITCH A as well as ports g1/3 and g1/4 of SWITCH B are all fiber ports, and the connection is a cross connection. The physical layer is connected and works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of link error state. The final result is that ports g1/1 and g1/2 of SWITCH A and ports g1/3 and g1/4 of SWITCH B are all shut down by ULDP. Only when the connection is correct can the ports work normally (they won't be shut down).
Switch A configuration sequence:
SwitchA(config)#uldp enable
SwitchA(config)#interface ethernet 1/1
SwitchA(Config-If-Ethernet1/1)#uldp enable
SwitchA(Config-If-Ethernet1/1)#exit
SwitchA(config)#interface ethernet 1/2
SwitchA(Config-If-Ethernet1/2)#uldp enable
Switch B configuration sequence:
SwitchB(config)#uldp enable
SwitchB(config)#interface ethernet 1/3
SwitchB(Config-If-Ethernet1/3)#uldp enable
SwitchB(Config-If-Ethernet1/3)#exit
SwitchB(config)#interface ethernet 1/4
SwitchB(Config-If-Ethernet1/4)#uldp enable
As a result, ports g1/1 and g1/2 of SWITCH A are both shut down by ULDP, and there is notification information on the CRT terminal of PC1:
Oct 29 11:09:50 2007 A unidirectional link is detected. Port Ethernet1/1 need to be shutted down
Oct 29
20. …The configuration procedure is as follows:
Switch(config)#clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1
Example 2: The configuration requirement is the following. The summer time runs from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October, year after year; the clock offset is 2 hours, and the summer time is named time_travel.
The configuration procedure is as follows:
Switch(config)#clock summer-time time_travel recurring 23:00 first sat apr 00:00 last sun oct 120
64.4 Summer Time Troubleshooting
If any problem occurs when using summer time, please check whether the problem is caused by the following reasons:
- Check whether the command mode is global mode
- Check whether the system clock is correct
Chapter 65 DNSv4/v6 Configuration
65.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember and meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses.
There are two types of DNS services, static and dynamic, which supplement each other in application. Each time the DNS server receives a name query, it checks its static DNS database first before looking up the dynamic DNS database. Some frequently used addresses can be put in the static DNS database to reduce the searching time in
21. PLANET Networking & Communication, www.PLANET.com.tw
Configuration Guide: 48-Port 10/100/1000Base-T + 4-Port 100/1000X SFP Managed Switch, WGSW-52040
Trademarks: Copyright PLANET Technology Corp. 2013. Contents are subject to revision without prior notice. PLANET is a registered trademark of PLANET Technology Corp. All other trademarks belong to their respective owners.
Disclaimer: PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User's Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User's Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User's Manual. PLANET makes no commitment to update or keep current the information in this User's Manual, and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
22. Scenario 1: IGMP Snooping function
[Figure 38-1 Enabling IGMP Snooping function: multicast router, Multicast Server 1 and Multicast Server 2 behind the mrouter port, a switch running IGMP Snooping, and four hosts in Group 1, Group 1, Group 1 and Group 2]
Example: As shown in the above figure, VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to port 1. IGMP Snooping is disabled by default, both in the switch and in the VLANs. If IGMP Snooping should be enabled in VLAN 100, IGMP Snooping must first be enabled for the switch in Global Mode and then in VLAN 100, and port 1 of VLAN 100 must be set as the mrouter port.
The configuration steps are listed below:
Switch(config)#ip igmp snooping
Switch(config)#ip igmp snooping vlan 100
Switch(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/1
Multicast configuration: Suppose two programs are provided by the Multicast Server using the multicast addresses Group1 and Group2. Three of the four hosts running multicast applications, connected to ports 2, 6 and 10, play program 1, while the host connected to port 12 plays program 2.
IGMP Snooping listening result: The multicast table built by IGMP Snooping in VLAN 100 indicates ports 1, 2, 6 and 10 in Group1 and ports 1 and 12 in Group2. All four hosts can receive the program of their choice; ports 2, 6 and 10 will not receive the traf
23. …1. Source Control Configuration; 2. Destination Control Configuration; 3. Multicast Strategy Configuration
1. Source Control Configuration
Source Control Configuration has three parts, of which the first is to enable source control. The command for source control is as follows:
Global Configuration Mode:
ip multicast source-control (required)
no ip multicast source-control
  Enable source control globally; the no command disables source control globally. Note that after enabling source control globally, all multicast packets are discarded by default. No source control configuration can be processed until source control is enabled globally, and source control cannot be disabled until all configured rules are disabled.
The next part is to configure the rules of source control. They are configured in the same manner as an ACL and use ACL numbers 5000-5099; every rule number can be used to configure 10 rules. Note that these rules are ordered: the front one is the one that was configured earliest. Once a configured rule is matched, the following rules won't take effect, so rules that "globally allow" must be put at the end. The commands are as follows:
Global Configuration Mode:
[no] access-list <5000-5099> {deny | permit} ip {<source> <source-wildcard> | host-source <source-ho
  The rule used to configure source control. This
24. Switch A:
Switch(config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/10
Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/7
Switch(Config-If-Ethernet1/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/7)#exit
Switch(config)#interface ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode hybrid
Switch(Config-If-Ethernet1/9)#switchport hybrid native vlan 9
Switch(Config-If-Ethernet1/9)#switchport hybrid allowed vlan 9;10 untag
Switch(Config-If-Ethernet1/9)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport mode hybrid
Switch(Config-If-Ethernet1/10)#switchport hybrid native vlan 10
Switch(Config-If-Ethernet1/10)#switchport hybrid allowed vlan 7;9;10 untag
Switch(Config-If-Ethernet1/10)#exit
20.2 Dot1q-tunnel Configuration
20.2.1 Introduction to Dot1q-tunnel
Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its main idea is encapsulating the customer VLAN tag (CVLAN tag) inside the service provider VLAN tag (SPVLAN tag). Carrying the two VLAN tags, the packet is transmitted through the backbone network of the ISP, so as to provide a simple layer 2 tunnel for the users. It is simple and easy to manage, applicable only by static configuration, and especially suited to s
...designs of IPv4. The hierarchical addressing scheme facilitates route aggregation, effectively reduces route table entries, and enhances the efficiency and expansibility of routing and data packet processing.

■ The header design of IPv6 is more efficient compared with IPv4. It has fewer data fields and removes the header checksum, thus expediting the processing speed of the basic IPv6 header. In IPv6 the fragment field can be carried as an optional extension header, so that the data packet fragmentation process is not done in the router forwarding process, and the Path MTU Discovery mechanism collaborates with the data packet source, which enhances the processing efficiency of the router.

■ Address automatic configuration and plug-and-play are supported. Large numbers of hosts can find network routers easily by the address automatic configuration function of IPv6, while obtaining a globally unique IPv6 address automatically as well, which makes devices using IPv6 Internet plug-and-play. The automatic address configuration function also makes the readdressing of an existing network easier and more convenient, and it is more convenient for network operators to manage the transition from one provider to another.

■ Support for IPSec. IPSec is optional in IPv4 but required in the IPv6 protocol. IPv6 provides a security extension header, which provides end-to-end security services such as access control, confidentiality and data integrity, consequently making the implementation of encryption, validation and
  next-server <address1>[<address2>[...<address8>]]
  no next-server <address1>[<address2>[...<address8>]]
    Configure the address of the server hosting the file for importing. The no command deletes the address of the server hosting the file for importing.
  option <code> {ascii <string> | hex <hex> | ipaddress <ipaddress>}
  no option <code>
    Configure the network parameter specified by the option code. The no command deletes the network parameter specified by the option code.
  lease {days [hours [minutes]] | infinite}
  no lease
    Configure the lease period allocated to addresses in the address pool. The no command deletes the lease period allocated to addresses in the address pool.
  max-lease-time {<days> [<hours> [<minutes>]] | infinite}
  no max-lease-time
    Set the maximum lease time for the addresses in the address pool; the no command restores the default setting.

Global Mode
  ip dhcp excluded-address <low-address> [<high-address>]
  no ip dhcp excluded-address <low-address> [<high-address>]
    Exclude the addresses in the address pool that are not for dynamic allocation.

3. Configure manual DHCP address pool parameters

DHCP Address Pool Mode
  hardware-address <hardware-address> [{Ethernet | IEEE802 | <type-number>}]
  no hardware-address
    Specify/delete the hardware address when assigning an address manually. h
  <password>

To open the local authentication style, use the following command: authentication line web login local. The privilege option must exist and must be 15. Assume an authorized user in the switch has a username of admin and a password of admin; the configuration procedure should look like the following:

  Switch>enable
  Switch#config
  Switch(config)#username admin privilege 15 password 0 admin
  Switch(config)#authentication line web login local

The Web login interface of the WGSW-52040 is as below:

[Figure 3-10 Web Login Interface: WGSW-52040 login page with Username and Password fields; Copyright (C) 2013 PLANET Technology Corporation, http://www.planet.com.tw]

Input the right username and password, and then the main Web configuration interface is shown as below:

[Figure: main Web configuration interface, with the left navigation menu (Switch basic config, Module management, Port configuration, MAC address table, VLAN configuration, IGMP snooping config, MLD snooping config, ACL configuration) and the System Version Information panel (Client IP address 192.168.0.21; WGSW-52040 device; compile date; SoftWare Version 7.0.3.0(R0015.0009); BootRom Version 7.0.21; HardWare Version 2.0; CPLD Version N/A; last reboot is warm reset; uptime)]
ARP Configuration Task List
1. Configure static ARP

1. Configure static ARP

Interface Configuration Mode
  arp <ip_address> <mac_address>
  no arp <ip_address>
    Configures a static ARP entry; the no command deletes a static ARP entry.

26.4.3 ARP Troubleshooting

If ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and create a solution:
■ Check whether the corresponding ARP entry has been learned by the switch.
■ If the ARP entry has not been learned, then enable ARP debugging information and view the sending/receiving condition of ARP packets.
■ A defective cable is a common cause of ARP problems and may disable ARP learning.

Chapter 27 ARP Scanning Prevention Function Configuration

27.1 Introduction to ARP Scanning Prevention Function

ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts lots of ARP messages in the segment, which take up a large part of the bandwidth of the network. It might even launch a large-traffic attack in the network via fake ARP messages, collapsing the network by exhausting the bandwidth. Usually ARP scanning is just a preface to other, more dangerous attack methods, such as automatic virus infection or the ensuing port scanning, vulnerability scanning (aiming at stealing information), distorted message attack
Global Mode
  access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [{untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3}]
  no access-list <num>
    Creates a numbered MAC extended access list; if the access list already exists, then a rule will be added to the current access list. The no access-list <num> command deletes a numbered MAC extended access list.

7. Configuring an extended MAC access list based on nomenclature

a. Create an extensive MAC access list based on nomenclature

Global Mode
  mac-access-list extended <name>
  no mac-access-list extended <name>
    Creates an extended name-based MAC access rule for other IP protocols; the no form command deletes this name-based extended MAC access rule.

b. Specify multiple permit or deny rule entries

Extended name-based MAC access rule Mode
  [no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]
  [no] {deny | permit} any
Global Mode
  dosattack-check tcp-flags enable
  no dosattack-check tcp-flags enable
    Enable/disable the TCP label (flags) checking function.

45.2.3 Anti Port Cheat Function Configuration Task Sequence

1. Enable the anti port cheat function

Global Mode
  dosattack-check srcport-equal-dstport enable
  no dosattack-check srcport-equal-dstport enable
    Enable/disable the prevent port cheat function.

45.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence

1. Enable the prevent TCP fragment attack function
2. Configure the minimum permitted TCP head length of the packet

Global Mode
  dosattack-check tcp-fragment enable
  no dosattack-check tcp-fragment enable
    Enable/disable the prevent TCP fragment attack function.
  dosattack-check tcp-header <size>
    Configure the minimum permitted TCP head length of the packet. This command has no effect when used separately; the user should enable dosattack-check tcp-fragment enable. Note: This function is not supported by the switch.

45.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence

1. Enable the prevent ICMP fragment attack function
2. Configure the max permitted ICMPv4 net load length

Global Mode
  dosattack-check icmp-attacking enable
  no dosattack-check icmp-attacking enable
    Enable/disable the prevent ICMP fragment attack function.
  dosattack-check icmpv4-size <size>
    Configure the max permitted ICMPv4 net load length. This command has no effect when used separately; the user has to enable the dosattack-c
    Notice: This command is not supported by the switch.
    Convert dynamic secure MAC addresses learned by the port to static secure MAC addresses. Notice: This command is not supported by the switch.
    Enable the port locking timer function; the no switchport port-security timeout command restores the default setting. Notice: This command is not supported by the switch.
    Add a static secure MAC address; the no switchport port-security mac-address command deletes the static secure MAC address.
  clear port-security dynamic [address <mac-addr> | interface <interface-id>]
    Clear dynamic MAC addresses learned by the specified port.

3. MAC address binding property configuration

Port Mode
  switchport port-security maximum <value>
  no switchport port-security maximum <value>
    Set the maximum number of secure MAC addresses for a port; the no switchport port-security maximum command restores the default value.
  switchport port-security violation {protect | shutdown} [recovery <30-3600>]
  no switchport port-security violation
    Set the violation mode for the port; the no switchport port-security violation command restores the default setting.

21.5.1.3 MAC Address Binding Troubleshooting

Enabling MAC address binding for ports may fail on some occasions. Here are some possible causes and solutions:
■ If MAC address binding cannot be enabled for a port, make s
  switchport port-security violation {protect | restrict | shutdown}
  no switchport port-security violation
    When the maximum number of configured MAC addresses is exceeded, when a MAC address accessing the interface does not belong to this interface in the MAC address table, or when a MAC address is configured on several interfaces in the same VLAN, all of these violate the security of the MAC address.
  switchport port-security aging {static | time <value> | type {absolute | inactivity}}
  no switchport port-security aging {static | time | type}
    Enable the port security aging entry of the interface; specify the aging time or aging type.

Admin Mode
  clear port-security {all | configured | dynamic | sticky} [[address <mac-addr>] | [interface <interface-id>]] [vlan <vlan-id>]
    Clear the secure MAC entry of the interface.
  show port-security [interface <interface-id>] [address | vlan]
    Show the port security configuration.

15.3 Example of PORT SECURITY

[Figure 15-1 Typical topology chart for port security: hosts (including HOST B) attached to SWITCH through Ethernet1/1]

When the interface has the Port security function enabled, configure the maximum number of secure MAC addresses allowed by the interface to be 10; the interface then allows at most 10 users to access the internet. If the maximum number is exceeded, the new user cannot access the internet, so that it not only limits the number of users but also a
  ... access-group <6000-7999>
    ... cancels the configuration.

Global Configuration Mode
  ip multicast destination-control <1-4094> <macaddr> access-group <6000-7999>
  no ip multicast destination-control <1-4094> <macaddr> access-group <6000-7999>
    Used to configure the rules destination control uses for a specified VLAN-MAC; the NO form cancels the configuration.
  ip multicast destination-control <IPADDRESS/M> access-group <6000-7999>
  no ip multicast destination-control <IPADDRESS/M> access-group <6000-7999>
    Used to configure the rules destination control uses for a specified IP address/net mask; the NO form cancels the configuration.

3. Multicast Strategy Configuration

Multicast Strategy uses the manner of specifying a priority for specified multicast data to achieve and guarantee the effects the specific user requires. Note that multicast data cannot get special care all along unless the data are transmitted at a TRUNK port. The configuration is very simple: it has only one command, i.e. to set the priority for the specified multicast. The commands are as follows:

Global Configuration Mode
  ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority>
  no ip multicast policy <IPADDRESS/M> <IPADDRESS/M>
    Configure multicast strategy: specify the priority for sources and groups in a specific range; the priority range is <0-7>.

38.2.3 DCSCM Configuration Examples

1. Source Control

In order to prevent an Edge Switch from putting out multicast data ad libitum, we configure the Edge Switch so that only the switch at port Ethernet1/5 i
...and DOS attack, etc. Since ARP scanning threatens the security and stability of the network with great danger, it is very significant to prevent it. The switch provides a complete resolution to prevent ARP scanning: if any host or port with ARP scanning features is found in the segment, the switch will cut off the attack source to ensure the security of the network.

There are two methods to prevent ARP scanning: port-based and IP-based. The port-based ARP scanning prevention counts the number of ARP messages received from a port in a certain time range; if the number is larger than a preset threshold, this port will be brought down. The IP-based ARP scanning prevention counts the number of ARP messages received from an IP in the segment in a certain time range; if the number is larger than a preset threshold, any traffic from this IP will be blocked, while the port related to this IP will not be brought down. These two methods can be enabled simultaneously. After a port or an IP is disabled, users can recover its state via the automatic recovery function.

To improve the effect of the switch, users can configure trusted ports and IPs, the ARP messages from which will not be checked by the switch. Thus the load of the switch can be effectively decreased.

27.2 ARP Scanning Prevention Configuration Task Sequence

1. Enable the ARP Scanning Prevention function
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
3. Configure
  lldp transmit optional tlv [portDesc] [sysName] [sysDesc] [sysCap]
  no lldp transmit optional tlv
    Configure the optional information sending attribute of the port as the option value, or restore the default values.

10. Configure the size of space to store the Remote Table of the port

Port Configuration Mode
  lldp neighbors max-num <value>
  no lldp neighbors max-num
    Configure the size of space to store the Remote Table of the port as the specified value or the default value.

11. Configure the type of operation when the Remote Table of the port is full

Port Configuration Mode
  lldp tooManyNeighbors {discard | delete}
    Configure the type of operation when the Remote Table of the port is full.

12. Display and debug the relative information of LLDP

    Display the current LLDP configuration information.
  show lldp interface ethernet <IFNAME>
    Display the LLDP configuration information of the current port.
  show lldp traffic
    Display the information of all kinds of counters.
  show lldp neighbors interface ethernet <IFNAME>
    Display the information of LLDP neighbors of the current port.

Admin, Global Mode
  show debugging lldp
    Display all ports with LLDP debug enabled.

Admin Mode
  debug lldp
  no debug lldp
    Enable or disable the DEBUG switch.
  debug lldp packets interface ethernet <IFNAME>
  no debug lldp packets interface ethernet <IFNAME>

Port configuration mode
  clear lldp r
  priority.
■ Of each ACL type, only one ACL can be applied on a VLAN; for example, each VLAN can apply only one basic IP ACL.

Chapter 54 SAVI Configuration

54.1 Introduction to SAVI

SAVI (Source Address Validation Improvement) is a security authentication method that provides validation at the granularity of the node source address. It obtains the trusted node information, such as port and MAC address information (namely anchor information), by monitoring the interaction process of the relevant protocol packets (such as ND protocol and DHCPv6 protocol) using the CPS (Control Packet Snooping) mechanism. After that it binds the anchor information with the node source address and issues the corresponding filter rules, allowing only the packets which match the filter rules to pass, so as to check the validity of the node source address.

The SAVI function includes the ND Snooping function, DHCPv6 Snooping function and RA Snooping function, according to the protocol packet type. The ND Snooping function is used to detect ND protocol packets; it sets the IPv6 address binding obtained by nodes with stateless address configuration. The DHCPv6 Snooping function is used to detect DHCPv6 protocol packets; it sets the IPv6 address binding obtained by nodes with stateful address configuration. The RA Snooping function is used to prevent an unauthorized node from sending spurious RA packets.

54.2 SAVI Configuration

SAVI configuration task list:
Enable or disable the SAVI function
Enable or
  show tcp ipv6
    ... currently on the switch.
  show udp
    Display the UDP connection status established currently on the switch.
  show udp ipv6
    ... VLAN number of the switch as well as the Trunk ...
  show telnet login
    Display the information of the Telnet client which currently establishes a Telnet connection with the switch.
  show tech-support
    Display the operation information and the state of each task running on the switch. It is used by the technicians to diagnose whether the switch operates properly.
    Display the version of the switch.
  show temperature
    This command is not supported by the switch.
    This command is not supported by the switch.

66.6 Debug

All the protocols the switch supports have their corresponding debug commands. Users can use the information from debug commands for troubleshooting. Debug commands for their corresponding protocols will be introduced in the later chapters.

66.7 System log

66.7.1 System Log Introduction

The system log takes all information output under its control while making a detailed catalogue, so as to select the information effectively. Combined with Debug programs, it provides powerful support to the network administrator and developer in monitoring the network operation state and locating network failures.

The switch system log has the following characteristics:
■ Log output from four directions (or log channels): the Console, Telnet terminal and monitor, log buffer zone, and
  ... slot <slotnum>} {rx | tx | both}
  no monitor session <session> source {interface <interface-list> | cpu slot <slotnum>}
    To configure the mirror source port. The no command deletes the mirror source port.

3. Configure mirror destination port

Global Mode
  monitor session <session> destination interface <interface-number>
  no monitor session <session> destination interface <interface-number>
    To configure the mirror destination interface. The no command deletes the mirror destination port.

4. Configure reflector port

Global Mode
  monitor session <session> reflector-port <interface-number>
  no monitor session <session> reflector-port
    To configure the interface as the reflector port. The no command deletes the reflector port.

5. Configure remote VLAN of mirror group

Global Mode
  monitor session <session> remote vlan <vid>
  no monitor session <session> remote vlan
    To configure the remote VLAN of the mirror group; the no command deletes the remote VLAN of the mirror group.

60.3 Typical Examples of RSPAN

Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check the statistics of the network. However, with the help of RSPAN, network administrators can configure and supervise the switches remotely.
...snmp status command to verify SNMP configuration information. Use debug snmp packet to enable the SNMP debugging function and verify debug information.
■ If users still can't solve the SNMP problems, please contact our technical and service center.

4.5 Switch Upgrade

The switch provides two ways for switch upgrade: BootROM upgrade and TFTP/FTP upgrade under Shell.

4.5.1 Switch System Files

The system files include the system image file and the boot file. Updating the switch means updating the two files by overwriting the old files with the new ones. The system image file refers to the compressed file of the switch hardware drivers and software support program, etc., namely what we usually call the IMG update file. The IMG file can only be saved in the FLASH with the defined name nos.img. The boot file is for initiating the switch, namely what we usually call the ROM update file. It can be compressed into an IMG file if it is of large size. In the switch, the boot file is allowed to be saved in ROM only. The switch mandates the name of the boot file to be boot.rom.

The update method of the system image file and the boot file is the same. The switch supplies the user with two modes of updating: 1. BootROM mode; 2. TFTP and FTP update at Shell mode. These two update methods will be explained in detail in the following two sections.

4.5.2 BootROM Upgrade

There are two methods for BootROM upgrade, TFTP and FTP, which can be selected at BootROM c
...the Traceroute6 repeats this action till a certain datagram reaches the destination.

Traceroute6 Options: for explanations of the parameters of the Traceroute6 command, please refer to the traceroute6 command chapter in the command manual.

66.5 Show

The show command is used to display information about the system, port and protocol operation. This part introduces the show commands that display system information; other show commands will be discussed in other chapters.

Admin Mode
  show flash
    Display the files and the sizes saved in the flash.
  show history all-users detail
    Show the recent command history of all users. Use the clear history all-users command to clear the command history of all users saved by the system; the max history number can be set by the history all-users max-length command.
    Display the content in the specified memory area.
  show running-config
    Display the switch parameter configuration in effect at the current operation state.
  show running-config current-mode
    Show the configuration under the current mode.
  show startup-config
    Display the switch parameter configuration written in the Flash Memory at the current operation state, which is normally the configuration file applied the next time the switch starts up.
  show switchport interface ethernet <IFNAME>
    Display the VLAN port mode and the belonging port information.
  show tcp
    Display the TCP connection status established
...this command rcommand commander is used to configure the commander switch.
  cluster reset member [id <member-id> | mac-address <mac-addr>]
    In the commander switch, this command is used to reset the member switch.
  cluster update member <member-id> <src-url> <dst-filename> [ascii | binary]
    In the commander switch, this command is used to remotely upgrade the member switch. It can only upgrade the nos.img file.

6. Manage cluster network with web

Global Mode
    Enable the http function in the commander switch and member switch. Notice: the http function must be enabled in the member switch when the commander switch visits the member switch by web. The commander switch visits the member switch via the member node in the member cluster topology.

7. Manage cluster network with snmp

    Enable the snmp server function in the commander switch and member switch. Notice: the snmp server function must be enabled in the member switch when the commander switch visits the member switch by snmp. The commander switch visits the member switch via the configured community string <commander-community>@sw<member-id>.

6.3 Examples of Cluster Administration

Scenario: the four switches SW1-SW4, amongst which SW1 is the command switch and the other switches are member switches. SW2 and SW4 are directly connected with the command switch; SW3 connects to the command switch through SW2. E1 W
    ... using this number.
    ... [<tos>] [time-range <time-range-name>]
    Creates a numbered extended mac-ip access rule for another specific mac-ip protocol or all mac-ip protocols; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.
  no access-list <num>
    Deletes this numbered extended MAC-IP access rule.

9. Configuring an extended MAC-IP access list based on nomenclature

a. Create an extensive MAC-IP access list based on nomenclature

Global Mode
  mac-ip-access-list extended <name>
  no mac-ip-access-list extended <name>
    Creates an extended name-based MAC-IP access rule; the no form command deletes this name-based extended MAC-IP access rule.

b. Specify multiple permit or deny rule entries

Extended name-based MAC-IP access Mode
  [no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type>
    Creates an extended name-based MAC-ICMP access rule; the no form command deletes this name-based extended MAC-ICMP access rule.
...value of the attribute, whose content and format are determined by the type and length of the attribute.

47.2 RADIUS Configuration Task List

1. Enable the authentication and accounting function
2. Configure the RADIUS authentication key
3. Configure the RADIUS server
4. Configure the parameters of the RADIUS service
5. Configure the IP address of the RADIUS NAS

1. Enable the authentication and accounting function

Global Mode
  aaa enable
  no aaa enable
    To enable the AAA authentication function. The no form of this command will disable the AAA authentication function.
  aaa-accounting enable
  no aaa-accounting enable
    To enable AAA accounting. The no form of this command will disable AAA accounting.
  aaa-accounting update {enable | disable}
    Enable or disable the update accounting function.

2. Configure the RADIUS authentication key

Global Mode
  radius-server key {0 | 7} <string>
  no radius-server key
    To configure the encryption key for the RADIUS server. The no form of this command will remove the configured key.

3. Configure the RADIUS server

Global Mode
  radius-server authentication host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key {0 | 7} <string>] [primary] [access-mode {dot1x | telnet
    Specifies the IPv4/IPv6 address and the port number, and whether it is the primary server, for the RADIUS accounting server; the no
1. EAP-Message

As illustrated in the next figure, this attribute is used to encapsulate an EAP packet; the type code is 79. The String field should be no longer than 253 bytes. If the data length of an EAP packet is larger than 253 bytes, the packet can be divided into fragments, which are then encapsulated in several EAP-Message attributes in their original order.

[Figure 42-6 the Encapsulation of EAP-Message Attribute (EAP packets)]

2. Message-Authenticator

As illustrated in the next figure, this attribute is used in the process of using authentication methods like EAP and CHAP to prevent the access request packets from being eavesdropped. Message-Authenticator should be included in the packets containing the EAP-Message attribute, or the packet will be dropped as an invalid one.

[Figure 42-7 Message-Authenticator Attribute (byte offsets 0, 2, 18; Length)]

42.1.5 The Authentication Methods of 802.1x

The authentication can either be started by the supplicant system on its own initiative or by the device. When the device detects unauthenticated users accessing the network, it sends the supplicant system EAP-Request/Identity messages to start authentication. On the other hand, the supplicant system can send an EAPOL-Start message to the device via the supplicant software. 802.1x systems support the EAP relay method and the EAP termination method to implement authentication with the remote RADIUS server. The following is the description of the process of these
  11:09:50 2007 Unidirectional port Ethernet1/1 shut down
  Oct 29 11:09:50 2007 A unidirectional link is detected, Port Ethernet1/2 need to be shutted down
  Oct 29 11:09:50 2007 Unidirectional port Ethernet1/2 shutted down

Port g1/3 and port g1/4 of SWITCH B are both shut down by ULDP, and there is notification information on the CRT terminal of PC2:

  Oct 29 11:09:50 2007 A unidirectional link is detected, Port Ethernet1/3 need to be shutted down
  Oct 29 11:09:50 2007 Unidirectional port Ethernet1/3 shutted down
  Oct 29 11:09:50 2007 A unidirectional link is detected, Port Ethernet1/4 need to be shutted down
  Oct 29 11:09:50 2007 Unidirectional port Ethernet1/4 shutted down

10.4 ULDP Troubleshooting

Configuration Notice:
■ In order to ensure that ULDP can discover that one of the fiber ports has not connected or that the ports are incorrectly cross-connected, the ports have to work in duplex mode and have the same rate.
■ If the automatic negotiation mechanism of the fiber ports with one port misconnected decides the working mode and rate of the ports, ULDP won't take effect whether enabled or not. In such a situation the port is considered as Down.
■ In order to make sure that neighbors can be correctly created and unidirectional links can be correctly discovered, it is required that both ends of the link enable ULDP using the same authentication method and password. At present no password is needed on both ends.
2. Steps of configuration

Create VLAN 1000 and VLAN 2000 on SwitchA:
  switch(config)#vlan 1000;2000

Configure Ethernet1/1 as a hybrid port and configure it to remove VLAN tags when forwarding packets of VLAN 1000:
  switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag

Configure the mapping rules for selective QinQ on Ethernet1/1 to insert the VLAN 1000 tag as the outer VLAN tag in packets with the tags of VLAN 100 through VLAN 200:
  switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200

Enable selective QinQ on Ethernet1/1:
  switch(config-if-ethernet1/1)#dot1q-tunnel selective enable

Configure Ethernet1/2 as a hybrid port and configure it to remove VLAN tags when forwarding packets of VLAN 2000:
  switch(config-if-ethernet1/2)#switchport mode hybrid
  switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 2000 untag

Configure the mapping rules for selective QinQ on Ethernet1/2 to insert the VLAN 2000 tag as the outer VLAN tag in packets with the tags of VLAN 201 through VLAN 300:
  switch(config-if-ethernet1/2)#dot1q-tunnel selective s-vlan 2000 c-vlan 201-300

Enable selective QinQ on Ethernet1/2:
  switch(config-if-ethernet1/2)#dot1q-tunnel selective enable

Configure uplink port Ethernet1/9 as a hybrid port and configure it to keep VLAN tags when forwarding packets of VLAN 1000 and VLAN 2000:
  switch(config-if-ethernet1/2)#interface ethernet 1/9
  switch(config-if-et
49. 255.255.255.0
Switch(Config-if-Vlan1)# no shut
Switch(Config-if-Vlan1)# exit
Switch# copy ftp Switch superuser 10.1.1.1
220 Serv-U FTP Server v2.5 build 6 for WinSock ready
331 User name okay, need password
230 User logged in, proceed
200 PORT Command successful
150 Opening ASCII mode data connection for /bin/ls
recv total = 480
nos.img
nos.rom
parsecommandline.cpp
position.doc
qmdict.zip
(some display omitted here)
show.txt
snmp.TXT
226 Transfer complete

4.5.3.4 FTP/TFTP Troubleshooting
4.5.3.4.1 FTP Troubleshooting
When uploading or downloading a system file with the FTP protocol, the connectivity of the link must be ensured, i.e. use the Ping command to verify the connectivity between the FTP client and server before running the FTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity.
- The following is what the message displays when files are successfully transferred. Otherwise, please verify link connectivity and retry the copy command again.
220 Serv-U FTP Server v2.5 build 6 for WinSock ready
331 User name okay, need password
230 User logged in, proceed
200 PORT Command successful
nos.img file length = 1526021
read file ok
send file
150 Opening ASCII mode data connection for nos.img
226 Transfer complete
close ftp client
- The following is the message displayed when files are successfully receiv
50. 3 Typical VLAN Application Scenario
Figure 20-2 Typical VLAN Application Topology (VLAN1)
The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. Those three VLANs span two different locations, A and B. One switch is placed in each site, and the cross-location requirement can be met if VLAN traffic can be transferred between the two switches.

Configuration Item   Configuration description
VLAN2                Site A and site B switch, port 2-4
VLAN100              Site A and site B switch, port 5-7
VLAN200              Site A and site B switch, port 8-10
Trunk port           Site A and site B switch, port 11

Connect the Trunk ports of both switches for a Trunk link to convey the cross-switch VLAN traffic; connect all network devices to the other ports of the corresponding VLANs. In this example port 1 and port 12 are spare and can be used as management ports or for other purposes. The configuration steps are listed below:

Switch A:
Switch(config)# vlan 2
Switch(Config-Vlan2)# switchport interface ethernet 1/2-4
Switch(Config-Vlan2)# exit
Switch(config)# vlan 100
Switch(Config-Vlan100)# switchport interface ethernet 1/5-7
Switch(Config-Vlan100)# exit
Switch(config)# vlan 200
Switch(Config-Vlan200)# switchport interface ethernet 1/8-10
Switch(Config-Vlan200)# exit
Switch(config)# interface ethernet 1/11
Switch(Config-If-Ethernet1/11)# switchport mode trunk
Swi
51. Figure 3-4 Opening HyperTerminal (4)
When the COM1 property window appears, select 9600 for Baud rate, 8 for Data bits, none for Parity checksum, 1 for stop bit and none for traffic control; or you can also click "Restore default" and click OK.
Figure 3-5 Opening HyperTerminal (5): COM1 Properties, Port Settings (Bits per second, Data bits, Parity, Stop bits, Flow control, Restore Defaults)

Step 3: Entering switch CLI interface
Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode for the Switch:
Testing RAM
0x077C0000 RAM OK
Loading MiniBootROM
Attaching to file system
Loading nos.img done
Booting
Starting at 0x10000
Attaching to file system
DRAM Test PASS
PCI Device 1 Test PASS
FLASH Test PASS
SARL PASS
Done All Pass
Switch>
The user can now enter commands to manage the switch. For a detailed description of the commands, please refer to the following chapters.

3.1.2 In-band Management
In-band management refers to management by logging in to the switch using Telnet, HTTP, or SNMP management software to configure the switch. In-band management enables management of the switch from devices attached to the switch. In the case when in-band management fails due to switch configuration changes, out-of-band management can be used for configuring and managing the
52. 42.1.3 The Encapsulation of EAPOL Messages ... 42-138
42.1.4 The Encapsulation of EAP Attributes ... 42-140
42.1.5 The Authentication Methods of 802.1x ... 42-141
42.1.6 The Extension and Optimization of 802.1x ... 42-146
42.1.7 The Features of VLAN Allocation ... 42-147
42.2 802.1x Configuration Task List ... 42-148
42.3 802.1x Application Example ... 42-152
42.3.1 Examples of Guest Vlan Applications ... 42-152
42.3.2 Examples of IPv4 Radius Applications ... 42-155
42.3.3 Examples of IPv6 Radius Application ... 42-156
42.4 802.1x Troubleshooting ... 42-157
Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration ... 43-158
43.1 Introduction to the Number Limitation Function of MAC and IP in Port, VLAN ... 43-158
43.2 The Number Limitation Function of MAC and IP in Port, VLAN Configuration Task Sequence
43.3 The Number Limitation Function of MAC and IP in Port, VLAN Typical Examples ... 43-162
43.4 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help ... 43-163
Chapter 44 Operational Configuration of AM Function
53. 70 0
Voltage(V)        7.31   10.00  0.00   5.00   0.00
Bias current(mA)  3.11   10.30  0.00   5.00   0.00
RX Power(dBM)     30.54(A)  9.00  25.00  34  9.00  25.00
TX Power(dBM)     1.01   9.00   12.05  9.00   10.00

Ethernet1/22 transceiver threshold-violation information:
Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
The last threshold-violation doesn't exist.

16.4 DDM Troubleshooting
If problems occur when configuring DDM, please check whether the problem is caused by the following reasons:
- Ensure that the transceiver of the fiber module has been inserted firmly on the port, or else the DDM configuration will not be shown.
- Ensure that the SNMP configuration is valid, or else the warning event cannot inform the network management system.
- Because only some boards and box switches support SFP with DDM or XFP with DDM, ensure the used board and switch support the corresponding function.
- When using the show transceiver command or the show transceiver detail command, it costs much time because the switch will check all ports, so it is recommended to query the monitoring information of the transceiver on the specified port.
- Ensure the threshold defined by the user is valid. When any threshold is in error, the transceiver will give an alarm according to the default setting automatically.

Chapter 17 LLDP-MED
17.1 Introduction to LLDP-MED
LLDP-MED (Link Layer Discovery Protocol - Media Endpoint Discovery), based on 802.1AB LLDP (Link Layer Dis
54. 2. Add Ethernet ports into the group
3. Display the configuration of port isolation

1. Create an isolate port group
Command: isolate-port group <WORD> / no isolate-port group <WORD> (Global Mode)
Explanation: Set a port isolation group; the no operation of this command will delete the port isolation group.

2. Add Ethernet ports into the group
Command: isolate-port group <WORD> switchport interface ethernet <IFNAME> / no isolate-port group <WORD> switchport interface ethernet <IFNAME> (Global Mode)
Explanation: Add one port or a group of ports into a port isolation group to be isolated; they will become isolated from the other ports in the group. The no operation of this command will remove one port or a group of ports from a port isolation group.

3. Display the configuration of port isolation
Command: show isolate-port group [<WORD>] (Admin Mode and Global Mode)
Explanation: Display the configuration of port isolation, including all configured port isolation groups and the Ethernet ports in each group.

8.3 Port Isolation Function Typical Examples
Figure 8-1 Typical example of port isolation function
The topology and configuration of the switches are shown in the figure above, with e1/1, e1/10 and e1/15 all belonging to VLAN 100. The requirement is that after port isolation is enabled on switch S1, e1/1 and e1/10 on switch S1 can not communicate with each other, while both of th
55. Agent will peel the option 82 from the reply messages it receives and forward the reply message to the specified port of the network access device according to the physical port information in the option. The application of DHCP option 82 is transparent for the client.

33.1.1 DHCP Option 82 Message Structure
A DHCP message can have several option segments; option 82 is one of them. It has to be placed after other options but before option 255. The following is its format:
  Code | Len | Agent Information Field
Code: represents the sequence number of the relay agent information option; option 82 is called so because RFC3046 defines it as 82.
Len: the number of bytes in the Agent Information Field, not including the two bytes of the Code segment and Len segment.
Option 82 can have several sub-options and needs at least one sub-option. RFC3046 defines the following two sub-options, whose formats are shown as follows:
  SubOpt | Len | Sub-option Value   (Circuit ID)
  SubOpt | Len | Sub-option Value   (Remote ID)
SubOpt: the sequence number of the sub-option; the sequence number of the Circuit ID sub-option is 1, the sequence number of the Remote ID sub-option is 2.
Len: the number of bytes in Sub-option Value, not inclu
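The option 82 layout above (Code, Len, Agent Information Field holding SubOpt/Len/Value triplets) and the relay's "peel option 82 from the reply" behaviour can be checked with a small parser. The following Python is an added example, not code from the guide or the switch vendor: it walks a DHCP options field, validates the lengths and the placement rule (option 82 last, before option 255), extracts the Circuit ID (1) and Remote ID (2) sub-options, and strips option 82 the way a relay does on the reply path. The sample option bytes (a DISCOVER with circuit-id "Ethernet1/3" and a 6-byte remote-id) are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

OPTION_PAD = 0
OPTION_END = 255
OPTION_RELAY_AGENT_INFO = 82                 # RFC 3046 Relay Agent Information
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}   # RFC 3046 sub-options


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a DHCP options field as (code, value) pairs.
    Code 0 (pad) has no length byte; code 255 (end) terminates the list.
    Every declared length is checked against the bytes actually present."""
    opts: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(data):
            raise ValueError(f"truncated option header at offset {i}")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but {len(value)} remain")
        opts.append((code, value))
        i += 2 + length
    return opts


def parse_option82(agent_info: bytes) -> Dict[str, bytes]:
    """Split the Agent Information Field into SubOpt/Len/Value triplets.
    Option 82 must carry at least one sub-option."""
    subs: Dict[str, bytes] = {}
    i = 0
    while i < len(agent_info):
        if i + 1 >= len(agent_info):
            raise ValueError("truncated sub-option header")
        sub, length = agent_info[i], agent_info[i + 1]
        value = agent_info[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {sub} length {length} overruns the field")
        subs[SUBOPT_NAMES.get(sub, f"suboption-{sub}")] = value
        i += 2 + length
    if not subs:
        raise ValueError("option 82 must carry at least one sub-option")
    return subs


def relay_agent_info(options_field: bytes) -> Optional[Dict[str, bytes]]:
    """Return the parsed option 82 sub-options, or None if the message has none.
    Enforces the placement rule: option 82 is the last option before End (255)."""
    opts = parse_options(options_field)
    for idx, (code, value) in enumerate(opts):
        if code == OPTION_RELAY_AGENT_INFO:
            if idx != len(opts) - 1:
                raise ValueError("option 82 must be placed after all other options")
            return parse_option82(value)
    return None


def strip_option82(options_field: bytes) -> bytes:
    """What the relay agent does on the reply path: drop option 82 and
    re-serialize the remaining options, terminated by End (255)."""
    kept = [(c, v) for c, v in parse_options(options_field) if c != OPTION_RELAY_AGENT_INFO]
    out = bytearray()
    for code, value in kept:
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


# Constructed sample (not captured from a real network): a DISCOVER's option
# field after a relay appended option 82 with circuit-id "Ethernet1/3" and a
# 6-byte remote-id standing in for the relay's MAC address.
CIRCUIT_ID = b"Ethernet1/3"
REMOTE_ID = bytes.fromhex("001122334455")
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])                                      # option 53: DHCPDISCOVER
    + bytes([OPTION_RELAY_AGENT_INFO, len(CIRCUIT_ID) + len(REMOTE_ID) + 4])
    + bytes([1, len(CIRCUIT_ID)]) + CIRCUIT_ID             # sub-option 1: Circuit ID
    + bytes([2, len(REMOTE_ID)]) + REMOTE_ID               # sub-option 2: Remote ID
    + bytes([OPTION_END])
)

if __name__ == "__main__":
    print(relay_agent_info(SAMPLE_OPTIONS))
    print(strip_option82(SAMPLE_OPTIONS).hex())
```

Because the length checks raise rather than silently truncating, a reply whose option 82 claims more bytes than are present is rejected instead of being forwarded with a misread port identifier.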
56. C: Port 10-11 of Switch B
Global GVRP: Switch A, B, C
Port GVRP: Port 11 of Switch A and C, Port 10-11 of Switch B

Connect two workstations to the VLAN100 ports in switch A and B, connect port 11 of Switch A to port 10 of Switch B, and port 11 of Switch B to port 11 of Switch C. The configuration steps are listed below:

Switch A:
Switch(config)# gvrp
Switch(config)# vlan 100
Switch(Config-Vlan100)# switchport interface ethernet 1/2-6
Switch(Config-Vlan100)# exit
Switch(config)# interface ethernet 1/11
Switch(Config-If-Ethernet1/11)# switchport mode trunk
Switch(Config-If-Ethernet1/11)# gvrp
Switch(Config-If-Ethernet1/11)# exit

Switch B:
Switch(config)# gvrp
Switch(config)# interface ethernet 1/10
Switch(Config-If-Ethernet1/10)# switchport mode trunk
Switch(Config-If-Ethernet1/10)# gvrp
Switch(Config-If-Ethernet1/10)# exit
Switch(config)# interface ethernet 1/11
Switch(Config-If-Ethernet1/11)# switchport mode trunk
Switch(Config-If-Ethernet1/11)# gvrp
Switch(Config-If-Ethernet1/11)# exit

Switch C:
Switch(config)# gvrp
Switch(config)# vlan 100
Switch(Config-Vlan100)# switchport interface ethernet 1/2-6
Switch(Config-Vlan100)# exit
Switch(config)# interface ethernet 1/11
Switch(Config-If-Ethernet1/11)# switchport mode trunk
Switch(Config-If-Ethernet1/11)# gvrp
Switch(Config-If-Ethernet1/11)# exit

20.7.4 GVRP Troubleshooting
The GARP counter setting for Trunk ports in both ends of the Trunk
57. 49.2 IPv6 Security RA Configuration Task Sequence ... 49-186
49.3 IPv6 Security RA Typical Examples ... 49-187
49.4 IPv6 Security RA Troubleshooting Help ... 49-188
Chapter 50 MAB Configuration ... 50-189
50.1 Introduction to MAB ... 50-189
50.2 MAB Configuration Task List ... 50-189
50.3 MAB Example ... 50-191
50.4 MAB Troubleshooting ... 50-193
Chapter 51 PPPoE Intermediate Agent Configuration ... 51-194
51.1 Introduction to PPPoE Intermediate Agent ... 51-194
51.1.1 Brief Introduction to PPPoE ... 51-194
51.1.2 Introduction to PPPoE IA ... 51-194
51.2 PPPoE Intermediate Agent Configuration Task List ... 51-199
51.3 PPPoE Intermediate Agent Typical Application ... 51-200
51.4 PPPoE Intermediate Agent Troubleshooting ... 51-203
Chapter 52 Web Portal Configuration ... 52-204
52.1 Introduction to Web Portal Authentication ... 52-204
52.2 Web Portal Authentication Configuration Task List ... 52-204
52.3 Web Portal Authentication Typical Example ... 52-207
58. 3. Configure the operating state of port LLDP
Command: lldp mode {send | receive | both | disable} (Port Mode)
Explanation: Configure the operating state of port LLDP.

4. Configure the intervals of LLDP updating messages
Command: lldp tx-interval <integer> / no lldp tx-interval (Global Mode)
Explanation: Configure the interval of LLDP updating messages as the specified value, or restore the default value.

5. Configure the aging time multiplier of LLDP messages
Command: lldp msgTxHold <value> / no lldp msgTxHold (Global Mode)
Explanation: Configure the aging time multiplier of LLDP messages as the specified value, or restore the default value.

6. Configure the sending delay of updating messages
Command: lldp transmit delay <seconds> / no lldp transmit delay (Global Mode)
Explanation: Configure the sending delay of updating messages as the specified value, or restore the default value.

7. Configure the intervals of sending Trap messages
Command: lldp notification interval <seconds> / no lldp notification interval (Global Mode)
Explanation: Configure the interval of sending Trap messages as the specified value, or restore the default value.

8. Configure to enable the Trap function of the port
Command: lldp trap {enable | disable} (Port Configuration Mode)
Explanation: Enable or disable the Trap function of the port.

9. Configure the optional information sending attribute of the port
Command: lldp transmit optional tlv (Port Configuration Mode)
59. ... 15-50
15.4 Port Security Troubleshooting ... 15-51
Chapter 16 DDM Configuration ... 16-52
16.1 Introduction to DDM ... 16-52
16.1.1 Brief Introduction to DDM ... 16-52
16.1.2 DDM Function ... 16-53
16.2 DDM Configuration Task List ... 16-54
16.3 Examples of DDM ... 16-56
16.4 DDM Troubleshooting ... 16-60
Chapter 17 LLDP-MED ... 17-61
17.1 Introduction to LLDP-MED ... 17-61
17.2 LLDP-MED Configuration Task Sequence ... 17-61
17.3 LLDP-MED Example ... 17-64
17.4 LLDP-MED Troubleshooting ... 17-67
Chapter 18 BPDU-Tunnel Configuration ... 18-67
18.1 Introduction to bpdu-tunnel ... 18-67
18.1.1 bpdu-tunnel function ... 18-67
18.1.2 Background of bpdu-tunnel ... 18-68
18.2 BPDU-Tunnel Configuration Task List ... 18-68
18.3 Examples of bpdu-tunnel ... 18-69
18.4 BPDU-Tunnel Troubleshooting ... 18-70
Chapter 19 EEE Energy-Saving Configuration ... 19-71
19.1 Introducti
60. Enable the address prefix check for SAVI; the no command disables the function.
Command: no ipv6 cps prefix check enable

9. Configure IPv6 address prefix for a link
Command: ipv6 cps prefix <ip-address> vlan <vid> / no ipv6 cps prefix <ip-address> (Global mode)
Explanation: Configure the IPv6 address prefix for a link manually; the no command deletes the configured address prefix.

10. Configure the filter entry number of IPv6 addresses
Command: savi ipv6 mac-binding-limit <limit-num> / no savi ipv6 mac-binding-limit (Global mode)
Explanation: Configure the corresponding dynamic binding number for the same MAC address; the no command restores the default value. Note: the binding number only limits the dynamic bindings, it does not limit the static binding number.

11. Configure the check mode for SAVI conflict binding
Command: savi check binding {simple | probe} mode / no savi check binding mode (Global mode)
Explanation: Configure the check mode for the conflict binding; the no command deletes the check mode.

12. Enable or disable user authentication
Command: savi ipv6 check source {ip-address mac-address | ip-address | mac-address} / no savi ipv6 check source (Port mode)
Explanation: Enable the control authentication function for users; the no command disables the function.

13. Enable or disable DHCPv6 trust of port
Command: ipv6 dhcp snooping trust / no ipv6 dhcp snooping trust (Port mode)
Explanation: Enable the DHCPv6 trust port; the no command
61. Ethernet1/2 connects to pc1; the port enables web portal authentication and configures the redirection address and port as the portal server's IP and port, so ethernet1/2 forbids all flows except DHCP, DNS and ARP packets. Switch2 is the aggregation switch: ethernet1/2 connects to the radius server, ethernet1/3 connects to the portal server. The address of the radius server is 192.168.40.100; the address of the portal server is 192.168.40.99. ethernet1/4 connects to the DHCP server, ethernet1/5 connects to the DNS server, ethernet1/6 is a trunk port and connects to ethernet1/4 of Switch1.

The configuration of the common web portal authentication is as follows:
Switch(config)# interface vlan 1
Switch(config-if-vlan1)# ip address 192.168.40.50 255.255.255.0
Switch(config)# webportal enable
Switch(config)# webportal nas-ip 192.168.40.50
Switch(config)# webportal redirect 192.168.40.99
Switch(config)# interface ethernet 1/3
Switch(config-if-ethernet1/3)# webportal enable

When web portal authentication is associated with DHCP snooping binding, the configuration is as follows:
Switch(config)# ip dhcp snooping enable
Switch(config)# ip dhcp snooping binding enable
Switch(config)# interface ethernet 1/2
Switch(config-if-ethernet1/2)# webportal enable
Switch(config-if-ethernet1/2)# ip dhcp snooping binding webportal

52.4 Web Portal Authentication Troubleshooting
When using web portal authentication, the system will show detailed prompt information
62. Command: ipv6 dhcp pool <poolname> / no ipv6 dhcp pool <poolname> (Global Mode)
Explanation: To configure a DHCPv6 address pool.

(2) To configure the prefix delegation pool used by the DHCPv6 address pool
Command: prefix-delegation pool <poolname> [lifetime <valid-time> <preferred-time>] / no prefix-delegation pool <poolname> (DHCPv6 address pool Configuration Mode)
Explanation: To specify the prefix delegation pool used by the DHCPv6 address pool and assign usable prefixes to clients.

(3) To configure static prefix delegation binding
Command: prefix-delegation <ipv6-prefix/prefix-length> <client-DUID> [iaid <iaid>] [lifetime <valid-time> <preferred-time>] / no prefix-delegation <ipv6-prefix/prefix-length> <client-DUID> [iaid <iaid>] (DHCPv6 address pool Configuration Mode)
Explanation: To specify the IPv6 prefix and any prefix required as a static binding by the client.

(4) To configure other parameters of the DHCPv6 address pool
Command: dns-server <ipv6-address> / no dns-server <ipv6-address> (DHCPv6 address pool Configuration Mode)
Explanation: To configure the DNS server for the DHCPv6 client.
Command: domain-name <domain-name> / no domain-name <domain-name> (DHCPv6 address pool Configuration Mode)
Explanation: To configure the domain name for the DHCPv6 client.

4. To enable the DHCPv6 prefix delegation server function on a port
Command: ipv6 dhcp server <poolname> [preference <value>] [rapid-commit] (Interface Configuration Mode)
Explanation: To enable the DHCPv6 server function on a specified port and bind
63. If the variable information of the Agent MIB needs to be browsed, MIB browsing software needs to be run on the NMS. The MIB in the Agent usually consists of a public MIB and a private MIB. The public MIB contains public network management information that can be accessed by all NMSs; the private MIB contains specific information which can be viewed and controlled with the support of the manufacturer.

MIB-I (RFC1156) is the first implemented public MIB of SNMP and was replaced by MIB-II (RFC1213). MIB-II expands MIB-I and keeps the OIDs of the MIB tree in MIB-I. MIB-II contains sub-trees which are called groups; objects in those groups cover all the functional domains in network management. The NMS obtains the network management information by visiting the MIB of the SNMP Agent.

The switch can operate as an SNMP Agent and supports both SNMP v1/v2c and SNMP v3. The switch supports the basic MIB-II, the RMON public MIB and other public MIBs such as BRIDGE MIB. Besides, the switch supports a self-defined private MIB.

4.4.3 Introduction to RMON
RMON is the most important expansion of standard SNMP. RMON is a set of MIB definitions used to define standard network monitor functions and interfaces, enabling communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method to monitor actions inside the subnets. The MIB of RMON consists of 10 groups. The switch supports the most frequently used groups 1, 2, 3 and 9: Statistics (maintain basic
64. Figure 23-4 Classification process (flowchart: set the packet COS field according to the packet COS map, set Int-Prio and Drop-Prec, then enter the policing flow)

Policing and remark
Each packet in classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked. Policing can be performed based on the flow to configure different policies that allocate bandwidth to classified traffic; the assigned bandwidth policy may be dual-bucket dual-color or dual-bucket three-color. The traffic will be assigned a color and can be discarded or passed; for the passed packets, the remarking action is added. Remarking uses a new DSCP value of lower priority to replace the original higher-level DSCP value in the packet. The following flowchart describes the operations:

Figure 23-5 Policing and Remarking process (flowchart: whether to configure a policing policy; select one or several of the following options: Set COS (set the L2 COS field of the packet), Set Int-Prio (set the internal priority of the packet), Set Drop-Prec (set the drop precedence of the packet), Set DSCP/TOS (set the DSCP or TOS field of the packet); then enter Scheduling)

Queuing and scheduling
There are the internal priority and the drop precedence for the egress packets; the queuing operation assigns the pack
65. Multicast addresses are mapped into MAC addresses; therefore there are 32 IP Multicast addresses which are mapped into the same MAC address.

38.1.3 IP Multicast Packet Transmission
In Multicast mode, the source host sends packets to the host group indicated by the Multicast group address in the destination address field of the IP data packet. Unlike Unicast mode, a Multicast data packet must be forwarded to a number of external interfaces to be sent to all receiver sites, thus the Multicast transmission procedure is more complicated than the Unicast transmission procedure.

In order to guarantee that all Multicast packets get to the router via the shortest path, the receipt interface of the Multicast packet must be checked in a certain way based on the Unicast routing table; this checking mechanism is the basis for most Multicast Routing Protocols to forward in Multicast mode: the RPF (Reverse Path Forwarding) check. The Multicast router makes use of the incoming packet's source address to query the Unicast Routing Table or an independent Multicast Routing Table to determine whether the packet's ingress interface is on the shortest path from the receipt site to the source address. If a Shortest Path Tree is used, then the source address is the address of the source host which sends the Multicast data packets; if a Shared Tree is used, then the source address is the address of the root of the Shared Tree. When a Multicast data packet gets to the router, if the RPF check passes, then the data packet i
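The two points made above, the 32-to-1 mapping of IPv4 multicast addresses onto MAC addresses and the RPF check against the unicast routing table, can both be shown in code. The following Python is an added example and not code from the guide or the switch: it derives the multicast MAC address from a group address, does a longest-prefix lookup in a constructed unicast table, and applies the RPF check using the packet source for a Shortest Path Tree or the Shared Tree root (RP) for a shared tree, dropping packets that arrive on the wrong interface. The routing table, interface names and RP address are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, outgoing interface)


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC: the fixed prefix
    01:00:5e plus the low 23 bits of the group address. The top 5 bits of
    the 28-bit group number are discarded, so 32 groups share one MAC."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def unicast_lookup(table: Iterable[Route], addr: IPv4) -> Optional[str]:
    """Longest-prefix match: the interface the unicast table would use to
    reach addr, i.e. the interface on the shortest path back to it."""
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(table: Iterable[Route], rpf_source: IPv4, ingress: str) -> bool:
    """RPF passes only if the packet came in on the interface that the
    unicast table uses to reach the RPF source."""
    return unicast_lookup(table, rpf_source) == ingress


def forward_multicast(table: Iterable[Route], packet_source: IPv4, ingress: str,
                      outgoing: List[str], rp: Optional[IPv4] = None) -> List[str]:
    """Decide where a multicast packet goes. With rp=None the Shortest Path
    Tree applies and the RPF source is the sending host; with an RP the
    Shared Tree applies and the RPF source is the tree root. A failed RPF
    check returns an empty list (packet discarded); otherwise the packet is
    replicated to the outgoing list, never back out the ingress interface."""
    rpf_source = rp if rp is not None else packet_source
    if not rpf_check(table, rpf_source, ingress):
        return []
    return [iface for iface in outgoing if iface != ingress]


# Constructed unicast routing table and RP address (not from the guide).
UNICAST_TABLE: List[Route] = [
    (ipaddress.ip_network("10.1.0.0/16"), "Ethernet1/1"),
    (ipaddress.ip_network("10.1.5.0/24"), "Ethernet1/2"),   # more specific than /16
    (ipaddress.ip_network("192.168.100.0/24"), "Ethernet1/3"),
    (ipaddress.ip_network("0.0.0.0/0"), "Ethernet1/4"),
]
RP_ADDRESS = ipaddress.ip_address("192.168.100.1")
RECEIVER_PORTS = ["Ethernet1/2", "Ethernet1/5", "Ethernet1/6"]

if __name__ == "__main__":
    src = ipaddress.ip_address("10.1.5.7")
    print(multicast_mac("224.1.1.1"), multicast_mac("225.129.1.1"))
    print(forward_multicast(UNICAST_TABLE, src, "Ethernet1/2", RECEIVER_PORTS))
    print(forward_multicast(UNICAST_TABLE, src, "Ethernet1/1", RECEIVER_PORTS))
    print(forward_multicast(UNICAST_TABLE, src, "Ethernet1/3", RECEIVER_PORTS, rp=RP_ADDRESS))
```

The second and third calls show why the check matters: the same source arriving on Ethernet1/1 is dropped because the longest match (10.1.5.0/24) points at Ethernet1/2, and on the shared tree the check is made against the RP rather than the host, so the accepted ingress interface changes.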
66. ND learning function of this port; otherwise the port can continue its learning.

Limiting the number of MAC, ARP and ND of interfaces
1. Limiting the number of dynamic MAC: If the number of MAC addresses dynamically learnt by the VLAN of the switch is already larger than or equal to the max number of dynamic MAC addresses, then shut down the MAC learning function of all the ports in this VLAN; otherwise all the ports in this VLAN can continue their learning, except special ports.
2. Limiting the number of dynamic IP: If the number of ARP and ND entries dynamically learnt by the switch is already larger than or equal to the max number of dynamic ARP and ND, then the VLAN will not learn any new ARP or ND; otherwise learning can be continued.

43.2 The Number Limitation Function of MAC and IP in Port, VLAN Configuration Task Sequence
1. Enable the number limitation function of MAC and IP on ports
2. Enable the number limitation function of MAC and IP in VLAN
3. Configure the timeout value of querying dynamic MAC
4. Configure the violation mode of ports
5. Display and debug the relative information of number limitation of MAC and IP on ports

1. Enable the number limitation function of MAC and IP on ports
Command: switchport mac-address dynamic maximum <value> / no switchport mac-address dynamic maximum (Port configuration mode)
Explanation: Enable and disable the number limitation function of MAC on the ports.
Command: no switchport arp dyna
67. One VLAN translation on the port
Command: vlan-translation n-to-1 <WORD> to <new-vlan-id> / no vlan-translation n-to-1 <WORD> (Port mode)
Explanation: Configure or delete Multi-to-One VLAN translation.

2. Show the related configuration of Multi-to-One VLAN translation
Command: show vlan-translation n-to-1 (Admin mode)
Explanation: Show the related configuration of Multi-to-One VLAN translation.

20.5.3 Typical application of Multi-to-One VLAN Translation
Scenario: UserA, userB and userC belong to VLAN1, VLAN2, VLAN3 respectively. Before entering the network layer, data traffic of userA, userB and userC is translated into VLAN 100 by Ethernet1/1 of edge switch1. Conversely, data traffic for userA, userB and userC coming from the network layer will be translated into VLAN1, VLAN2, VLAN3 respectively by Ethernet1/1 of edge switch1. In the same way, multi-to-one translation is implemented for userD, userE and userF on Ethernet1/1 of edge switch2.

Figure 20-7 VLAN translation typical application (User A, B, C: VID 100; User D, E, F: VID 101; switch1, switch2)

Configuration Item                 Configuration Explanation
VLAN                               Switch1, Switch2
Trunk Port                         Downlink port 1/1 and uplink port 1/5 of Switch1 and Switch2
Multi-to-One VLAN translation      Downlink port 1/1 of Switch1 and Switch2

Configuration procedure is as follows:
Switch1, Switch2:
switch(Config)# vlan 1-3 100
switch(Config-Ethernet1/1)# s
68. SSH debug information on the SSH client side.
Command: show crypto key
Explanation: Show the secret key of ssh.
Command: crypto key clear rsa
Explanation: Clear the secret key of ssh.

4.2.2.3 Example of SSH Server Configuration
Example Requirement: Enable the SSH server on the switch and run SSH2.0 client software (such as Secure Shell Client or PuTTY) on the terminal. Log on to the switch by using the username and password from the client.
Configure the IP address, add an SSH user and enable the SSH service on the switch. The SSH2.0 client can log on to the switch using the username and password to configure the switch.
Switch(config)# ssh-server enable
Switch(config)# interface vlan 1
Switch(Config-if-Vlan1)# ip address 100.100.100.200 255.255.255.0
Switch(Config-if-Vlan1)# exit
Switch(config)# username test privilege 15 password 0 test
In IPv6 networks, the terminal should run SSH client software which supports IPv6, such as putty6. Users should not modify the configuration of the switch except for allocating an IPv6 address to the local host.

4.3 Configure Switch IP Addresses
All Ethernet ports of the switch default to Data Link layer ports and perform layer 2 forwarding. A VLAN interface represents a Layer 3 interface function, which can be assigned an IP address; this is also the IP address of the switch. All VLAN interface related configuration commands can be configured under VLAN Mode. The switch provides three IP address configuration methods:
- Manual
- BOOTP
- DHCP
Manual configur
69. Sunday | daily | weekdays | weekend} <start_time> to <end_time>

3. Configure absolute time range
Command: absolute-start <start_time> <start_date> [end <end_time> <end_date>] / no absolute-start <start_time> <start_date> [end <end_time> <end_date>] (Global Mode)
Explanation: Configure the absolute time range; the no command stops the function of the time range.

4. Bind the access list to a specific direction of the specified port
Command: {ip | ipv6 | mac | mac-ip} access-group <acl-name> in [traffic-statistic] / no {ip | ipv6 | mac | mac-ip} access-group <acl-name> in (Physical Port Mode, VLAN Interface Mode)
Explanation: Physical interface mode: applies an access list to the specified direction on the port; the no command deletes the access list bound to the port. VLAN interface mode: applies an access list to the specified direction on the port of the VLAN; the no command deletes the access list bound to the port of the VLAN. When an IPv6 ACL is applied by this switch, only the standard IPv6 ACL is supported.

5. Clear the filtering information of the specified port
Command: clear access-group statistic ethernet <interface-name> (Admin Mode)
Explanation: Clear the filtering information of the specified port.

41.3 ACL Example
Scenario 1: The user has the following configuration requirement: port 10 of the switch connects to the 10.0.0.0/24 segment, ftp is not des
70. This command may be configured as a global function of SAVI.
Command: savi ipv6 check source binding ip <ip-address> interface <if-name> lifetime <lifetime> type static / no savi ipv6 check source binding ip <ip-address> interface <if-name>
Command: savi enable | slaac-only enable | dhcp-only enable | dhcp-slaac enable

4. Configure the global max dad delay for SAVI
Command: savi max-dad-delay <max-dad-delay> / no savi max-dad-delay (Global mode)
Explanation: Configure the max lifetime period of a SAVI binding at DETECTION state; the no command restores the default value.

5. Configure the global max dad prepare delay for SAVI
Command: savi max-dad-prepare-delay <max-dad-prepare-delay> / no savi max-dad-prepare-delay (Global mode)
Explanation: Configure the max redetection lifetime period for a SAVI binding; the no command restores the default value.

6. Configure the global max slaac life for SAVI
Command: savi max-slaac-life <max-slaac-life> / no savi max-slaac-life (Global mode)
Explanation: Configure the lifetime period of the dynamic slaac binding at BOUND state; the no command restores the default value.

7. Configure the lifetime period for SAVI bind protect
Command: savi timeout bind-protect <protect-time> / no savi timeout bind-protect (Global mode)
Explanation: Configure the bind protect lifetime period applied to a port after its state changes from up to down; the no command restores the default value.

8. Enable or disable SAVI prefix check function
Command: ipv6 cps prefix check enable (Global mode)
71. address range <start-ip> <end-ip> command is used to remove the address range. The prefix/plen form is not supported.

35.3 DHCPv6 Options 37, 38 Examples
35.3.1 DHCPv6 Snooping options 37, 38 Example
Figure 35-1 DHCPv6 Snooping option schematic (SwitchA: Interface E1/1 to the server; Interfaces E1/2, E1/3, E1/4 to MAC-AA, MAC-BB, MAC-CC)
As is shown in the figure above, MAC-AA, MAC-BB and MAC-CC are normal users connected to untrusted interfaces 1/2, 1/3 and 1/4 respectively, and they get the IPs 2010::2, 2010::3 and 2010::4 through the DHCPv6 Client. The DHCPv6 Server is connected to the trusted interface 1/1. Configure three address assignment policies (CLASS), of which CLASS1 matches option 38, CLASS2 matches option 37 and CLASS3 matches option 37 and option 38. In the address pool EastDormPool, the requests matched with CLASS1, CLASS2 and CLASS3 will be assigned addresses ranging from 2001:da8:100:1::2 to 2001:da8:100:1::30, from 2001:da8:100:1::31 to 2001:da8:100:1::60, and from 2001:da8:100:1::61 to 2001:da8:100:1::100 respectively. The DHCPv6 snooping function is enabled and option 37 and option 38 are configured in Switch A.

Switch A configuration:
SwitchA(config)# ipv6 dhcp snooping remote-id option
SwitchA(config)# ipv6 dhcp snooping subscriber-id option
SwitchA(config)# int e 1/1
SwitchA(config-if-ethernet1/1)# ipv6 dhcp snooping trust
SwitchA(config-if-ethernet1/1)# exit
SwitchA(config)# inter
72. address to log in to the switch through Telnet; the no command deletes the authorized Telnet secure address.
Command: authentication securityip <ip-addr> / no authentication securityip <ip-addr>

Command: authentication securityipv6 <ipv6-addr> / no authentication securityipv6 <ipv6-addr>
Explanation: Configure an IPv6 security address to log in to the switch through Telnet; the no command deletes the authorized Telnet security address.

Command: authentication ip access-class {<num-std> | <name>} / no authentication ip access-class
Explanation: Bind a standard IP ACL to login with Telnet/SSH/Web; the no form of the command will cancel the binding ACL.

Command: authentication ipv6 access-class {<num-std> | <name>} / no authentication ipv6 access-class
Explanation: Bind a standard IPv6 ACL to login with Telnet/SSH/Web; the no form of the command will cancel the binding ACL.

Command: authentication line {console | vty | web} login method1 [method2 ...] / no authentication line {console | vty | web} login
Explanation: Configure the authentication method list for telnet.

Command: authentication enable method1 [method2 ...] / no authentication enable
Explanation: Configure the enable authentication method list.

Command: authorization line {console | vty | web} exec method1 [method2 ...] / no authorization line {console | vty | web} exec
Explanation: Configure the authorization method list for telnet.

Command: authorization line vty command <1-15> {local | radius | tacacs} [none] / no authorization line vty command <1-15>
Explanation: Confi
73. ...and debug the related information of ULSM.

1. Create ULSM group globally
Global mode:
ulsm group <group-id> / no ulsm group <group-id>: Configure and delete a ULSM group globally.

2. Configure ULSM group
Port mode:
ulsm group <group-id> {uplink|downlink} / no ulsm group <group-id> {uplink|downlink}: Configure the uplink/downlink port of the ULSM group; the no command deletes the uplink/downlink port.

3. Show and debug the related information of ULSM
Admin mode:
show ulsm group [group-id]: Show the configuration information of the ULSM group.
debug ulsm event / no debug ulsm event: Show the event information of ULSM; the no operation disables the shown information.

57.3 ULSM Typical Example
[Figure 57-2: ULSM typical example (labels: SwitchA, SwitchB, SwitchC, SwitchD, E1/1, E1/2, E1/3, E1/4)]

The above topology is the typical application environment used by the ULSM and ULPP protocols. ULSM is used to process port state synchronization; running it independently is useless, so it is usually associated with the ULPP protocol. In the topology, SwitchA enables the ULPP protocol, which is used to switch the uplink. SwitchB and SwitchC enable the ULSM protocol to monitor whether the uplink is down. If it is down, ULSM executes the down operation for the downlink port to shut it down, so the ULPP protocol of Switch A executes the relative operation of the u
74. ...and delivers it to the DHCPv6 client or the next DHCPv6 relay in the network. For DHCPv6 prefix delegation, where the DHCPv6 server is configured on the PE router and the DHCPv6 client is configured on the CPE router, the CPE router is able to send an address prefix allocation request to the PE router and get a pre-configured address prefix, rather than setting the address prefix manually. The protocol negotiation between the client and the prefix delegation client is quite similar to that when getting a DHCPv6 address. Then the CPE router divides the allocated prefix, whose length should be less than 64, into /64 subnets. The divided address prefix will be advertised through router advertisement messages (RA) to the hosts directly connected to the client.

32.2 DHCPv6 Server Configuration
DHCPv6 server configuration task list:
1. Enable/disable DHCPv6 service
2. Configure DHCPv6 address pool
   (1) Create/delete DHCPv6 address pool
   (2) Configure parameters of DHCPv6 address pool
3. Enable DHCPv6 server function on port

1. Enable/disable DHCPv6 service
Global Mode:
service dhcpv6 / no service dhcpv6: Enable DHCPv6 service.

2. Configure DHCPv6 address pool
(1) Create/delete DHCPv6 address pool
Global Mode:
ipv6 dhcp pool <poolname> / no ipv6 dhcp pool <poolname>: Configure DHCPv6 address pool.
(2) Configure parameters of DHCPv6 address pool
Expla
75. ...based VLAN function on the port
5. Configure the correspondence between the IP subnet and the VLAN
6. Configure the correspondence between the protocols and the VLAN
7. Adjust the priority of the dynamic VLAN

1. Configure the MAC-based VLAN function on the port
Port Mode:
switchport mac-vlan enable / no switchport mac-vlan enable: Enable/disable the MAC-based VLAN function on the port.

2. Set the VLAN to MAC VLAN
Global Mode:
mac-vlan vlan <vlan-id> / no mac-vlan: Configure the specified VLAN to MAC VLAN; the no mac-vlan command cancels the MAC VLAN configuration of this VLAN.

3. Configure the correspondence between the MAC address and the VLAN
Global Mode:
mac-vlan mac <mac-address> vlan <vlan-id> priority <priority-id> / no mac-vlan mac <mac-address>: Add/delete the correspondence between the MAC address and the VLAN, namely all specified MAC addresses join/leave the specified VLAN.

4. Configure the IP-subnet-based VLAN function on the port
Port Mode:
switchport subnet-vlan enable / no switchport subnet-vlan enable: Enable/disable the IP-subnet-based VLAN function on the port.

5. Configure the correspondence between the IP subnet and the VLAN
Global Mode:
subnet-vlan ip-address <ipv4-address> mask <s
76. ...brackets tightly.
Step 4: Follow the same steps to attach the second bracket to the opposite side.
Step 5: After the brackets are attached to the Managed Switch, use suitable screws to securely attach the brackets to the rack, as shown in Figure 2-6.
[Figure 2-6: Mounting WGSW-52040 in a Rack]
Step 6: Proceed with steps 4 and 5 of section 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch.

2.2.3 Installing the SFP Transceiver
This section describes how to insert an SFP transceiver into an SFP slot. The SFP transceivers are hot-pluggable and hot-swappable. You can plug the transceiver in and out of any SFP port without having to power down the Managed Switch, as shown in Figure 2-7.
[Figure 2-7: Plug in the SFP transceiver (SFP Transceiver; 1000Base-SX/LX LC Fiber)]

2.6 Approved PLANET SFP Transceivers
The PLANET Managed Switch supports 100/1000 dual mode with both single-mode and multi-mode SFP transceivers. The following list of approved PLANET SFP transceivers is correct at the time of publication:
MGB-GT: SFP-Port 1000Base-T Module, 100 m
MGB-SX2: SFP-Port 1000Base-SX mini-GBIC module, 2 km
MGB-LX: SFP-Port 1000Base-LX mini-GBIC module, 10 km
MGB-L50: SFP-Port 1000Base-LX mini-GBIC module, 50 km
MGB-L120: SFP-Port 1000Base-LX mini-GBIC module, 120 km
SFP-Port 1000Base
77. ...by the InMon Company. The monitored switch or router sends data to the client analyzer through its main operations, such as sampling and statistics; the analyzer then analyzes the data according to the user's requirements so as to monitor the network. An sFlow monitoring system includes an sFlow proxy, a central data collector and an sFlow analyzer. The sFlow proxy collects data from the switch using sampling technology. The sFlow collector formats the sample data and statistics, which are then forwarded to the sFlow analyzer; the analyzer analyzes the sample data and performs the corresponding measures according to the result. Our switch here acts as the proxy and the central data collector in the sFlow system. We have implemented data sampling and statistics targeting physical ports. Our data samples include IPv4 and IPv6 packets; extensions of other types are not supported so far. For non-IPv4/IPv6 packets, the unified HEADER mode will be adopted, following the requirements in RFC 3176, copying the header information of the packet based on analysis of its protocol type. The latest sFlow protocol presented by the InMon Company is version 5. Since it is version 4 that is implemented in RFC 3176, version conflicts might exist in some cases, such as the structure and the packet format. This is because version 5 has not become the official protocol, so in order to be compatible with current applications we will continue to follow RFC 3176.

59.2 sFlow Configuration
78. ...can be built up statically and dynamically. Static configuration is to set up a mapping between the MAC addresses and the ports; dynamic learning is the process in which the switch learns the mapping between MAC addresses and ports and updates the MAC table regularly. In this section we will focus on the dynamic learning process of the MAC table.
[Figure 21-1: MAC Table dynamic learning (PC1 MAC 00-01-11-11-11-11 connected to port 5; PC3 MAC 00-01-33-33-33-33 and PC4 MAC 00-01-44-44-44-44 connected to port 12)]

The topology of the figure above: 4 PCs are connected to the switch, where PC1 and PC2 belong to the same physical segment (the same collision domain); this physical segment connects to port 1/5 of the switch. PC3 and PC4 belong to the same physical segment, which connects to port 1/12 of the switch. The initial MAC table contains no address mapping entries. Take the communication of PC1 and PC3 as an example; the MAC address learning process is as follows:
1. When PC1 sends a message to PC3, the switch receives the source MAC address 00-01-11-11-11-11 from this message, and the mapping entry of 00-01-11-11-11-11 and port 1/5 is added to the switch MAC table.
2. At the same time, the switch learns that the message is destined to 00-01-33-33-33-33. As the MAC table contains only a mapping entry of MAC address 00-01-11-11-11-11 and port 1/5, and no port mapping for 00-01-33-33-33-33 is present, the switch broadcasts this message to all the ports in
79. ...configuration information of AM.
Global Configuration Mode:
show am interface <interface-name>: Display the AM configuration information of one port or all ports.

44.3 AM Function Example
[Figure 44-1: a typical configuration example of AM function (SWITCH Port1, Port2; HUB1, HUB2; PC1, PC2, PC30)]

In the topology above, 30 PCs, after being converged by HUB1, connect with interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. Considering security, the system manager will only take users with an IP address within that range as legal ones, and the switch will only forward data packets from legal users while dropping packets from other users. According to the requirements mentioned above, the switch can be configured as follows:
Switch(config)#am enable
Switch(config)#interface ethernet1
Switch(Config-If-Ethernet1/1)#am port
Switch(Config-If-Ethernet1/1)#am ip-pool 10.10.10.1 10

44.4 AM Function Troubleshooting
The AM function is disabled by default, and after it is enabled the relative configuration of AM can be made. Users can view the current AM configuration with the show am command, such as whether AM is enabled or not and the AM information on each interface; they can also use the show am interface <interface-name> command to check the AM configuration information on a specific interface. If any
80. ...configuration mode, it can be disabled only in global configuration mode. If gratuitous ARP is configured in interface configuration mode, the configuration can only be disabled in interface configuration mode. If gratuitous ARP is enabled in both global and interface configuration mode, and the sending interval of gratuitous ARP is configured in both configuration modes, the switch takes the value configured in interface configuration mode.

Chapter 31 DHCP Configuration
31.1 Introduction to DHCP
DHCP (RFC 2131) is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP addresses dynamically from an address pool, as well as other network configuration parameters such as default gateway, DNS server, default route and host image file position within the network. DHCP is the enhanced version of BOOTP. It is a mainstream technology that can not only provide boot information for diskless workstations, but can also release administrators from the manual recording of IP allocation and reduce user effort and cost on configuration. Another benefit of DHCP is that it can partially ease the pressure on IP demand: when the user of an IP leaves the network, that IP can be assigned to another user. DHCP is a client-server protocol: the DHCP client requests the network address and configuration parameters from the DHCP server, and the server provides the network address and configuration parameters for the clients if DHCP s
81. ...data transmission in the application layer will be encrypted. The SSL handshake is done when the SSL session is being set up. The switch should be able to provide certification keys. Currently, the keys provided by the switch are not formal certification keys issued by an official authority, but private certification keys generated by SSL software under Linux, which may not be recognized by the web browser. With regard to the switch application, it is not necessary to apply for a formal SSL certification key; a private certification key is enough to make the communication safe between the users and the switch. Currently it is not required that the client is able to check the validity of the certification key. The encryption key and the encryption method are negotiated during the handshake period of the session, and are then used for data encryption.

SSL session handshake process:
[Figure: SSL session handshake between Client and Server; message labels: encryption algorithm, random key for encryption, the selected encryption algorithm, the certification (which is randomly generated), the encrypted master key, compute the encryption key, the MAC value of the handshaking messages (sent by each side)]

48.2 SSL Configuration Task List
1. Enable/disable SSL function
2. Configure/delete the port number used by SSL
3. Configure/delete the secure cipher suite used by SSL
4. Maintenance and diagnosis for the SSL function

1. Enable/disab
82. ...desktop.
Step 3: Keep enough ventilation space between the Managed Switch and the surrounding objects.
Step 4: Connect the Managed Switch to network devices. Connect one end of a standard network cable to the 10/100/1000 RJ-45 ports on the front of the Managed Switch. Connect the other end of the cable to the network devices such as printer servers, workstations, routers or others. Connection to the Managed Switch requires UTP Category 5 network cabling with RJ-45 tips. For more information, please see the Cabling Specification in Appendix A.
Step 5: Supply power to the Managed Switch. Connect one end of the power cable to the Managed Switch. Connect the power plug of the power cable to a standard wall outlet. When the Managed Switch receives power, the Power LED should remain solid Green.

2.2.2 Rack Mounting
To install the Managed Switch in a 19-inch standard rack, please follow the instructions described below.
Step 1: Place the Managed Switch on a hard flat surface, with the front panel positioned towards the front side.
Step 2: Attach the rack-mount bracket to each side of the Managed Switch with the supplied screws attached to the package. Figure 2-5 shows how to attach brackets to one side of the Managed Switch.
[Figure 2-5: Attach brackets to the Managed Switch]
You must use the screws supplied with the mounting brackets. Damage caused to the parts by using incorrect screws would invalidate the warranty.
Step 3: Secure the
83. ...disable application scene function for SAVI
Configure SAVI binding function
Configure the global max dad delay for SAVI
Configure the global max dad prepare delay for SAVI
Configure the global max slaac life for SAVI
Configure the lifetime period for SAVI bind protect
Enable or disable SAVI prefix check function
Configure IPv6 address prefix for a link
Configure the filter entry number of IPv6 address
Configure the check mode for SAVI conflict binding
Enable or disable user authentication
Enable or disable DHCPv6 trust of port
Enable or disable ND trust of port
Configure the binding number

1. Enable or disable SAVI function
Global mode:
savi enable / no savi enable: Enable the global SAVI function; the no savi enable command disables the function.

2. Enable or disable application scene function for SAVI
Global mode:
savi ipv6 {dhcp-only|slaac-only|dhcp-slaac} enable / no savi ipv6 {dhcp-only|slaac-only|dhcp-slaac} enable: Enable the application scene function for SAVI; the no command disables the function.

3. Configure SAVI binding function
Global mode:
savi ipv6 check source binding ip <ip-address> mac <mac-address> interface <if-name> type {slaac|dhcp}: Configure a static or dynamic binding manually; the no command deletes the configured binding
84. ...error information of ULPP; the no debug ulpp error operation disables the display.
debug ulpp event / no debug ulpp event: Show the event information of ULPP; the no operation disables the display.

56.3 ULPP Typical Examples
56.3.1 ULPP Typical Example
[Figure 56-3: ULPP typical example (labels: SwitchA, SwitchB, SwitchC, SwitchD, E1/1, E1/2)]

The above topology is the typical application environment of the ULPP protocol. SwitchA has two uplinks, SwitchB and SwitchC. When no protocols are enabled, this topology forms a ring. To avoid the loop, SwitchA can configure the ULPP protocol, with the master port and the slave port of the ULPP group. When both the master port and the slave port are up, the slave port will be set to standby state and will not forward data packets. When the master port is down, the slave port will be set to forwarding state and switch to the uplink. SwitchB and SwitchC can enable the command that receives flush packets; it is used to associate with the ULPP protocol running on SwitchA to switch the uplink immediately and reduce the switching delay.
When configuring the ULPP protocol of SwitchA, first create a ULPP group and configure the protection VLAN of this group as vlan10, then configure interface Ethernet1/1 as the master port, interface Ethernet1/2 as the slave port, and the control VLAN as 10. SwitchB and SwitchC are configured to receive the ULPP flush packets.
SwitchA configuration task list:
Swi
85. ...firewall
Firewall Status: Enable
Switch#show ipv6 access-lists
ipv6 access-list 600 (used 1 time(s))
ipv6 access-list 600 deny 2003:1:1:1::/64 any-source
ipv6 access-list 600 permit 2003:1:1:1:66::/80 any-source
Switch#show access-group interface ethernet 1/10
interface name: Ethernet1/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.

Scenario 5:
The configuration requirement is stated as below: the interfaces 1, 2, 5 and 7 belong to vlan100. Hosts with 192.168.0.1 as their IP address should be disabled from accessing the listed interfaces.
Configuration description:
1. Create the corresponding access list
2. Configure datagram filtering
3. Bind the ACL to the related interface
The configuration steps are listed as below:
Switch(config)#firewall enable
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/1;2;5;7
Switch(Config-Vlan100)#exit
Switch(config)#access-list 1 deny host-source 192.168.0.1
Switch(config)#interface ethernet1/1;2;5;7
Switch(config-if-port-range)#ip access-group 1 in
Switch(Config-if-Vlan100)#exit
Configuration result:
Switch(config)#show access-group interface vlan 100
Interface VLAN 100:
Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/7: IP I
86. ...Category 5 twisted pair. ULDP can monitor the link state of physical links. Whenever a unidirectional link is discovered, it will send warnings to users and can disable the port automatically or manually according to the user's configuration. The ULDP of switches recognizes remote devices and checks the correctness of link connections via exchanging ULDP messages. When ULDP is enabled on a port, a protocol state machine is started, which means different types of messages will be sent at different states of the state machine to check the connection state of the link by exchanging information with remote devices. ULDP can dynamically learn the interval at which the remote device sends notification messages and adjust the local TTL (time to live) according to that interval. Besides, ULDP provides a reset mechanism: when the port is disabled by ULDP, it can check again through the reset mechanism. The time intervals of notification messages and reset in ULDP can be configured by users, so that ULDP can respond faster to connection errors in different network environments. The premise of ULDP working normally is that the link works in duplex mode, which means ULDP is enabled on both ends of the link using the same method of authentication and password.

10.2 ULDP Configuration Task Sequence
Enable ULDP function globally
Enable ULDP function on a port
Configure aggressive mode globally
Configure aggressive mode on a port
Configure the met
87. ...forward-time <time> / no spanning-tree forward-time: Set the value for the switch forward delay time.
spanning-tree hello-time <time> / no spanning-tree hello-time: Set the Hello time for sending BPDU messages.
spanning-tree maxage <time> / no spanning-tree maxage: Set the aging time for BPDU messages.
spanning-tree max-hop <hop-count> / no spanning-tree max-hop: Set the maximum number of hops of BPDU messages in the MSTP region.

5. Configure the fast migrate feature for MSTP
Port Mode:
spanning-tree link-type p2p {auto|force-true|force-false} / no spanning-tree link-type: Set the port link type.
spanning-tree portfast [bpdufilter|bpduguard] [recovery <30-3600>] / no spanning-tree portfast: Set and cancel the port to be a boundary port. bpdufilter: on receiving a BPDU, discard it; bpduguard: on receiving a BPDU, disable the port; no parameter: on receiving a BPDU, the port becomes a non-boundary port.

6. Configure the format of MSTP BPDU
Port Mode:
spanning-tree format standard / spanning-tree format privacy / spanning-tree format auto / no spanning-tree format: Configure the format of the port spanning-tree packet; the standard format is provided by IEEE, privacy is compatible with CISCO, and auto means the format is determined by checking the received packet.

7. Configure the spanning-tree attribute of port
Port Mode:
spann
88. ...[tos <tos>] [time-range <time-range-name>]: ...created using this number.
access-list <num> {deny|permit} udp {{<sIpAddr> <sMask>}|any-source|{host-source <sIpAddr>}} [s-port {<sPort>|range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>}|any-destination|{host-destination <dIpAddr>}} [d-port {<dPort>|range <dPortMin> <dPortMax>}] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: Creates a numbered UDP extended IP access rule; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.
access-list <num> {deny|permit} {eigrp|gre|igrp|ipinip|ip|ospf|<protocol-num>} {{<sIpAddr> <sMask>}|any-source|{host-source <sIpAddr>}} {{<dIpAddr> <dMask>}|any-destination|{host-destination <dIpAddr>}} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: Creates a numbered extended IP access rule for another specific IP protocol or all IP protocols; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.
no access-list <num>: Deletes a numbered extended IP access list.

3. Configuring a standard IP access list based on nomenclature
(1) Create a name-based standard IP acc
89. ...if the operation is wrong. Web portal authentication is disabled by default. After ensuring the configuration is correct, use the debug command and the show command to check the relative information; if you cannot determine the cause of the problem, please send the recorded message to the technical service center of our company.

Chapter 53 VLAN ACL Configuration
53.1 Introduction to VLAN ACL
The user can configure an ACL policy on a VLAN to implement access control of all ports in the VLAN, and VLAN ACL enables the user to manage the network expediently. The user only needs to configure the ACL policy in the VLAN; the corresponding ACL action then takes effect on all member ports of the VLAN, without the need to configure each member port separately. When VLAN ACL and Port ACL are configured at the same time, Port ACL is matched first, because the priority of Port ACL is higher than that of VLAN ACL. The VLAN ACL ingress direction can implement packet filtering: packets matching the specific rules can be allowed or denied. ACL can support IP ACL, MAC ACL, MAC-IP ACL and IPv6 ACL. The ingress direction of a VLAN can bind four kinds of ACL at the same time.

53.2 VLAN ACL Configuration Task List
1. Configure VLAN ACL of IP type
2. Configure VLAN ACL of MAC type
3. Configure VLAN ACL of MAC-IP type
4. Configure VLAN ACL of IPv6 type
5. Show configuration and statistic information of VLAN ACL
6. Clear statistic information of VLAN ACL

1. Configure VLAN ACL of IP
90. ...in the configuration level, only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel. Logically, a Port Group is not a port but a port sequence. Under certain conditions, physical ports in a Port Group perform port aggregation to form a Port Channel that has all the properties of a logical port; therefore it becomes an independent logical port. Port aggregation is a process of logical abstraction that abstracts a set of ports (a port sequence) with the same properties to a logical port. A Port Channel is a collection of physical ports, used logically as one physical port. A Port Channel can be used as a normal port by the user, and can not only add network bandwidth but also provide link backup. Port aggregation is usually used when the switch is connected to routers, PCs or other switches.
[Figure 12-1: Port aggregation]
As shown in the figure above, S1 is aggregated to a Port Channel; the bandwidth of this Port Channel is the total of all four ports. If traffic from S1 needs to be transferred to S2 through the Port Channel, the traffic allocation calculation will be performed based on the source MAC address and the lowest bit of the target MAC address. The calculation result decides which port conveys the traffic. If a port in the Port Channel fails, the other ports will take over the traffic of that port through a traffic allocation algorithm. This algorithm is carried out by the hardware. The switch offers t
91. ip dhcp snooping binding arp / no ip dhcp snooping binding arp: This command is not supported by the switch.

4. Enable DHCP Snooping option 82 function
Global mode:
ip dhcp snooping information enable / no ip dhcp snooping information enable: Enable/disable the DHCP Snooping option 82 function.

5. Set the private packet version
Global mode:
ip user private packet version two / no ip user private packet version two: Configure/delete the private packet version.

6. Set DES encrypted key for private packets
Global mode:
enable trustview key {0|7} <password> / no enable trustview key: Configure/delete the DES encrypted key for private packets.

7. Set helper server address
Global mode:
ip user helper-address A.B.C.D port <udpport> source <ipAddr> secondary / no ip user helper-address secondary: Set or delete the helper server address.

8. Set trusted ports
Port mode:
ip dhcp snooping trust / no ip dhcp snooping trust: Set or delete the DHCP snooping trust attribute of ports.

9. Enable DHCP SNOOPING binding DOT1X function
Port mode:
ip dhcp snooping binding dot1x / no ip dhcp snooping binding dot1x: Enable or disable the DHCP snooping binding dot1x function.

10. Enable or disable the DHCP SNOOPING binding USER function
Port mode:
ip dhcp snooping binding user
92. ...log host.
- The log information is classified into four levels of severity, by which the information will be filtered.
- According to the severity level, the log information can be output automatically to the corresponding log channel.

7.1.1 Log Output Channel
So far the system log can output the log information through four channels:
- Through the Console port to the local console.
- Output the log information to a remote Telnet terminal or monitor; this function is useful for remote maintenance.
- Assign a proper log buffer zone inside the switch to record the log information permanently or temporarily.
- Configure the log host; the log system will directly send the log information to the log host and save it in files to be viewed at any time.
Among the above log channels, users rarely use the console monitor but will commonly choose the Telnet terminal to monitor the system operation status. However, the information output from these channels is of low traffic capacity and cannot be recorded for later viewing. The other two channels, the log buffer zone and the log host channel, are the two important channels. SDRAM (Synchronous Dynamic Random Access Memory) and NVRAM (Non-Volatile Random Access Memory) are provided inside the switch as the two parts of the log buffer zone. The two buffer zones record the log information in a circular working pattern, namely when the log information that needs to be recorded exceeds the buffer size, the oldest log information will be erased
93. ...[<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
[no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>}|any-source|{host-source <source-host-ip>}} {{<destination> <destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based MAC-IGMP access rule; the no form command deletes this name-based extended MAC-IGMP access rule.
[no] {deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac> <smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>}|any-source|{host-source <source-host-ip>}} [s-port {<port>|range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [d-port {<port3>|range <dPortMin> <dPortMax>}] [ack] [fin] [psh] [rst] [u: Creates an extended name-based MAC-TCP access rule; the no form command deletes this name-based extended MAC-TCP access rule.
94. ...{{<sIpAddr> <sMask>}|any-source|{host-source <sIpAddr>}} {{<dIpAddr> <dMask>}|any-destination|{host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: ...extended IP access rule; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.
access-list <num> {deny|permit} igmp {{<sIpAddr> <sMask>}|any-source|{host-source <sIpAddr>}} {{<dIpAddr> <dMask>}|any-destination|{host-destination <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: Creates a numbered IGMP extended IP access rule; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.
access-list <num> {deny|permit} tcp {{<sIpAddr> <sMask>}|any-source|{host-source <sIpAddr>}} [s-port {<sPort>|range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>}|any-destination|{host-destination <dIpAddr>}} [d-port {<dPort>|range <dPortMin> <dPortMax>}] [ack] [fin] [psh] [rst] [urg] [syn] [precedence <prec
95. ...mode both (this configuration can be omitted; the default mode is RxTx)
SwitchA(Config-If-Ethernet1/1)#lldp transmit med tlv capability
SwitchA(Config-If-Ethernet1/1)#lldp transmit med tlv network policy
SwitchA(Config-If-Ethernet1/1)#lldp transmit med tlv inventory
SwitchB(Config-If-Ethernet1/1)#network policy voice tag tagged vid 10 cos 5 dscp 15
SwitchA(Config-If-Ethernet1/1)#exit
SwitchA(config)#interface ethernet1/2
SwitchA(Config-If-Ethernet1/2)#lldp enable
SwitchA(Config-If-Ethernet1/2)#lldp mode both

2. Configure Switch B
SwitchB(config)#interface ethernet1/1
SwitchB(Config-If-Ethernet1/1)#lldp enable
SwitchB(Config-If-Ethernet1/1)#lldp mode both
SwitchB(Config-If-Ethernet1/1)#lldp transmit med tlv capability
SwitchB(Config-If-Ethernet1/1)#lldp transmit med tlv network policy
SwitchB(Config-If-Ethernet1/1)#lldp transmit med tlv inventory
SwitchB(Config-If-Ethernet1/1)#network policy voice tag tagged vid 10 cos 4

3. Verify the configuration
Show the global status and interface status on Switch A:
SwitchA#show lldp neighbors interface ethernet 1/1
Port name : Ethernet1/1
Port Remote Counter : 1
TimeMark : 20
ChassisIdSubtype : 4
ChassisId : 00-03-0f-00-00-02
PortIdSubtype : Local
PortId : 1
PortDesc :
SysName :
SysDesc :
SysCapSupported : 4
SysCapEnabled : 4
LLDP MED Information:
MED Codes: (CAP) Capabilities, (NP) Network Policy, (LI) Locatio
96. ...does not create new bandwidth, but can maximize the adjustment and configuration of the current bandwidth resource. Fully implemented QoS can achieve complete management over network traffic. The following is as accurate a description of QoS as possible.
The data transfer specifications of IP cover only the addresses and services of source and destination, and ensure correct packet transmission using OSI layer 4 or above protocols such as TCP. However, rather than providing a mechanism for providing and protecting packet transmission bandwidth, IP provides bandwidth service on a best-effort basis. This is acceptable for services like Mail and FTP, but for the increasing multimedia business data and e-business data transmission, this best-effort method cannot satisfy the bandwidth and low-latency requirements.
Based on differentiated service, QoS specifies a priority for each packet at the ingress. The classification information is carried in the Layer 3 IP packet header or the Layer 2 802.1Q frame header. QoS provides the same service to packets of the same priority, while offering different operations for packets of different priority. A QoS-enabled switch or router can provide different bandwidth according to the packet classification information, can remark the classification information according to the configured policing policies, and may discard some low-priority packets in case of bandwidth shortage. If the devices at each hop in a network support differenti
97. not found in the MAC table, the switch will broadcast the unicast frame. When VLANs are configured, the switch will forward unicast frames within the same VLAN. If the destination MAC address is found in the MAC table but belongs to a different VLAN, the switch can only broadcast the unicast frame in the VLAN it belongs to. 21 2 Mac Address Table Configuration Task List: Configure the MAC address aging time; Configure static MAC forwarding or filter entry; Clear dynamic address table; Configure MAC learning through CPU control. 1 Configure the MAC aging time. Explanation, Global Mode: mac address table aging time <aging time> / no mac address table aging time: Configure the MAC address aging time. 2 Configure static MAC forwarding or filter entry. Explanation, Global Mode: mac address table static | static multicast | blackhole address <mac addr> vlan <vlan id> interface ethernet <interface name>: Configure static MAC entries (static source, destination, both), multicast MAC entries or filter address; no mac address table static entries | static multicast | blackhole | dynamic address <mac addr> vlan <vlan id> interface ethernet <interface name>. 3 Clear dynamic address table. Explanation, Admin Mode: clear mac address table dynamic address <mac addr> vlan <vlan id> interface: Clear the dynamic address table
98. not take effect on an untrust port. 51 2 PPPoE Intermediate Agent Configuration Task List: 1 Enable global PPPoE Intermediate Agent; 2 Enable port PPPoE Intermediate Agent. Explanation, Global Mode: pppoe intermediate agent / no pppoe intermediate agent: Enable global PPPoE Intermediate Agent function. pppoe intermediate agent type tr 101 circuit id access node id <string> / no pppoe intermediate agent type tr 101 circuit id access node id: Configure the access node ID field value of the circuit ID in the added vendor tag. pppoe intermediate agent type tr 101 circuit id identifier string <string> option sp | sv | pv | spv delimiter <WORD> delimiter <WORD> / no pppoe intermediate agent type tr 101 circuit id identifier string option delimiter: Configure the circuit id in the added vendor tag. pppoe intermediate agent type self defined circuit id vlan | port id | switch id mac | hostname | remote mac | string WORD / no pppoe intermediate agent type self defined circuit id: Configure the self defined circuit id. pppoe intermediate agent type self defined remote id mac | hostname | string WORD / no pppoe intermediate agent type self defined remote id: Configure the self defined remote id. pppoe intermediate agent delimiter <WORD> / no pppoe intermediate agent delimiter: Configure the delimiter among the fields in circuit id and remote id. pppoe intermediate agent format circuit id remote
99. once the switch intercepts DHCP Server reply packets (including DHCPOFFER, DHCPACK and DHCPNAK), it will alarm and respond according to the situation (shut down the port or send a blackhole). Defense against DHCP overload attacks: to avoid too many DHCP messages attacking the CPU, users should limit the rate of receiving DHCP packets on trusted and non trusted ports. Record the binding data of DHCP: DHCP SNOOPING will record the binding data allocated by the DHCP SERVER while forwarding DHCP messages; it can also upload the binding data to the specified server to back it up. The binding data is mainly used to configure the dynamic users of dot1x user based ports; please refer to the chapter called dot1x configuration to find more about the usage of dot1x user based mode. Add binding ARP: DHCP SNOOPING can add static binding ARP according to the binding data after capturing binding data, thus avoiding ARP cheating. Add trusted users: DHCP SNOOPING can add trusted user list entries according to the parameters in binding data after capturing binding data, thus these users can access all resources without DOT1X authentication. Automatic Recovery: a while after the switch shuts down the port or sends a blackhole, it should automatically recover the communication of the port or source MAC and send information to the Log Server via syslog. LOG Function: when the switch discovers abnormal received packets or automatically recovers, it should send
100. perform global configuration settings under Global Mode such as MAC Table, Port Mirroring, VLAN creation, IGMP Snooping start and STP etc. And the user can go further to Port Mode for configuration of all the interfaces. Interface Mode: using the interface command under Global Mode enters the specified interface mode. The switch provides three interface types, 1 VLAN interface, 2 Ethernet port, 3 port channel, according to the three interface configuration modes. Interface Type / Entry / Operates / Exit: VLAN Interface, type the interface vlan <vlan id> command under Global Mode, configure switch IPs etc, use the exit command to return to Global Mode. Ethernet Port, type the interface ethernet <interface list> command under Global Mode, configure the supported duplex mode, speed etc of the Ethernet Port, use the exit command to return to Global Mode. port channel, type the interface port channel <port channel number> command under Global Mode, configure port channel related settings such as duplex mode, speed etc, use the exit command to return to Global Mode. VLAN Mode: using the vlan <vlan id> command under Global Mode enters the corresponding VLAN Mode. Under VLAN Mode the user can configure all member ports of the corresponding VLAN. Run the exit command to exit the VLAN Mode to Global Mode. DHCP Address Pool Mode: typing the ip dhcp pool <name> command under Global Mode will enter the DHCP Address Pool M
101. port, the original source port will be modified to the new one, which means the original MAC address is associated with the new port. As a result, if there is any loopback existing in the link, all MAC addresses within the whole layer 2 network will be associated with the port where the loopback appears; usually the MAC address will be frequently shifted from one port to another, causing the layer 2 network to collapse. That is why it is a necessity to check port loopbacks in the network. When a loopback is detected, the detecting device should send alarms to the network management system, ensuring the network manager is able to discover, locate and solve the problem in the network and protect users from a long lasting disconnected network. Since loopback detection can make a dynamic judgment of the existence of loopbacks in the link and tell whether it has gone, the devices supporting port control such as port isolation and port MAC address learning control can maintain that automatically, which will not only reduce the burden of network managers but also the response time, minimizing the effect caused by loopbacks to the network. 9 2 Port Loopback Detection Function Configuration Task List: 1 Configure the time interval of loopback detection; 2 Enable the function of port loopback detection; 3 Configure the control method of port loopback detection. 1 Configure the time interval of loopback detection. Explanation, Global Mode: Configure the time interval of loopback detectio
102. port channel 1. When port 1 3 joins port group 1, port channel 1 of ports 1 and 2 is ungrouped and re aggregates with port 3 to form port channel 1. When port 1 4 joins port group 1, port channel 1 of ports 1, 2 and 3 is ungrouped and re aggregates with port 4 to form port channel 1. It should be noted that whenever a new port joins an aggregated port group, the group will be ungrouped first and re aggregated to form a new group. Now all four ports in both S1 and S2 are aggregated in on mode and become an aggregated port respectively. 12 4 Port Channel Troubleshooting: If problems occur when configuring port aggregation, please first check the following for causes. Ensure all ports in a port group have the same properties, i.e. whether they are in full duplex mode, forced to the same speed and have the same VLAN properties etc; if inconsistency occurs, make corrections. Some commands cannot be used on a port in a port channel, such as arp, bandwidth, ip, ip forward etc. Chapter 13 MTU Configuration. 13 1 Introduction to MTU: So far the Jumbo Frame has not reached a determined standard in the industry, including the format and length of the frame. Normally frames sized within 1519 to 9000 should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2 to 5. Technically the Jumbo is just a lengthened frame sent and received by the switch. However, considering the leng
103. port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. It is more convenient for the network administrator to monitor, manage and diagnose the network after the mirroring function is achieved, but it is only used in the instance where the mirror source port and the mirror destination port are located in the same switch. RSPAN (remote switched port analyzer) refers to remote port mirroring. It eliminates the limitation that the source port and the destination port must be located on the same switch. This feature makes it possible for the source port and the destination port to be located on different devices in the network and facilitates the network administrator in managing remote switches. It can't forward traffic flows on the remote mirror VLAN. There are three types of switches with RSPAN enabled. 1 Source switch: the switch to which the monitored port belongs. The source switch copies the mirrored traffic flows to the Remote VLAN and then, through Layer 2 forwarding, the mirrored flows are sent to an intermediate switch or destination switch. 2 Intermediate switch: switches between the source switch and destination switch on the network. An intermediate switch forwards mirrored flows to the next intermediate switch or the destination switch. Circumstances can occur where no intermediate switch is present, if a direct connection exists between the source and destination switches. 3 Destinati
104. portName>; show nd dynamic count vlan <vlan id> interface ethernet <portName>: Display the number of dynamic NEIGHBOUR in the corresponding ports and VLAN. debug switchport mac count / no debug switchport mac count: All kinds of debug information when limiting the number of MAC on ports. debug switchport arp count / no debug switchport arp count: All kinds of debug information when limiting the number of ARP on ports. debug switchport nd count / no debug switchport nd count: All kinds of debug information when limiting the number of NEIGHBOUR on ports. no debug vlan mac count: limiting the number of MAC in VLAN. no debug ip arp count: limiting the number of ARP in VLAN. no debug ipv6 nd count: limiting the number of MAC in VLAN. 43 3 The Number Limitation Function of MAC and IP In Port VLAN Typical Examples. Figure 43 1 The Number Limitation of MAC and IP in Port VLAN Typical Configuration Example. In the network topology above, SWITCH B connects to many PC users. Before enabling the number limitation function of MAC and IP in Port VLAN, if the system hardware has no other limitation, SWITCH A and SWITCH B can get the MAC, ARP, ND list entries of all the PCs, so limiting the MAC, ARP list entries can avoid DOS attacks to a certain extent. When malicious users frequently do MAC, ARP cheating it will be easy for them to fill the MAC, ARP list entries of the switch, causing succe
105. refer to the Snmp network management software user manual. 3 2 CLI Interface: The switch provides three management interfaces for users: CLI (Command Line Interface) interface, Web interface, Snmp network management software. We will introduce the CLI interface and Web configuration interface in detail. The Web interface is similar to the CLI interface in function and will not be covered; please refer to the Snmp network management software user manual. The CLI interface is familiar to most users. As aforementioned, out of band management and Telnet login are all performed through the CLI interface to manage the switch. The CLI Interface is supported by a Shell program which consists of a set of configuration commands. Those commands are categorized according to their functions in switch configuration and management; each category represents a different configuration mode. The Shell for the switch is described below: Configuration Modes, Configuration Syntax, Shortcut keys, Help function, Input verification, Fuzzy match support. 3 2 1 Configuration Modes: User Mode, Admin Mode, Global Mode, Interface Mode, Vlan Mode, Route configuration. Figure 3 12 Shell Configuration Modes. 3 2 1 1 User Mode: On entering the CLI interface, the user enters the user entry system first. If as common user it is defaulted to
106. saved both in SDRAM and in NVRAM if it exists, besides being sent to all terminals. To check the log saved in SDRAM and NVRAM, use the show logging buffered command. To clear the log saved in the NVRAM and SDRAM log buffer zone, use the clear logging command. 66 7 2 System Log Configuration. System Log Configuration Task Sequence: 1 Display and clear log buffer zone; 2 Configure the log host output channel; 3 Enable disable the log executed commands; 4 Display the log source; 5 Display executed commands state. 1 Display and clear log buffer zone, Admin Mode: show logging buffered level critical | warnings range <begin index> <end index>: Show detailed log information in the log buffer channel. clear logging sdram: Clear log buffer zone information. 2 Configure the log host output channel, Global Mode: logging <ipv4 addr> | <ipv6 addr> facility <local number> level <severity> / no logging <ipv4 addr> | <ipv6 addr> facility <local number>: Enable the output channel of the log host; the no form of this command will disable the output at the output channel of the log host. logging loghost sequence number / no logging loghost sequence number: Add the loghost sequence number for the log; the no command does not include the loghost sequence number. 3 Enable disable the log executed commands, Global mode: Enable
107. server will allocate an IP address and other information for the client according to the information and preconfigured policy in the option segment of the message. Then it will forward the reply message with DHCP configuration information and option 82 information to DHCP SNOOPING. 4 DHCP SNOOPING will peel the option 82 information from the reply message sent by the DHCP server, then forward the message with DHCP configuration information at layer 2. 37 2 DHCP Snooping Option 82 Configuration Task List: 1 Enable DHCP SNOOPING; 2 Enable DHCP Snooping binding function; 3 Enable DHCP Snooping option 82 binding function; 4 Configure trust ports. 1 Enable DHCP SNOOPING. Explanation, Global mode: ip dhcp snooping enable / no ip dhcp snooping enable: Enable or disable DHCP SNOOPING function. 2 Enable DHCP Snooping binding function. Explanation, Global mode: ip dhcp snooping binding enable / no ip dhcp snooping binding enable: Enable or disable DHCP SNOOPING binding function. 3 Enable DHCP Snooping option 82 function. Explanation, Global mode: ip dhcp snooping information enable / no ip dhcp snooping information enable: Enable or disable DHCP SNOOPING option 82 function. 4 Configure trust ports. Explanation, Port mode: ip dhcp snooping trust / no ip dhcp snooping trust: Set or delete the DHCP SNOOPING trust attribute of ports. 37 3 DHCP Snooping Option 82 Application Examples. DHCP C
108. source or destination port of one mirror session can be configured on each line card. For box switches only one mirror session can be configured. The number of source mirror ports is not limited and can be one or more. Multiple source ports are not restricted to be in the same VLAN; the destination port and the source ports can be in different VLANs. For configuration of RSPAN, a dedicated RSPAN VLAN should be configured first for carrying the RSPAN datagrams. The default VLAN, dynamic VLAN, private VLAN, multicast VLAN and the layer 3 interface enabled VLAN cannot be configured as the RSPAN VLAN. The reflector port must belong to the RSPAN VLAN. The destination port should be connected to the Monitor and configured as an access port or a TRUNK port. The RSPAN reflector port will be working dedicatedly for mirroring: when a port is configured as a reflector port, it will discard all the existing connections to the remote peer, disable configurations related to loopback interfaces and stop forwarding datagrams. Connectivity between the source and destination switch for the Remote VLAN should be ensured by configuration. To be noticed: 1 Layer 3 interfaces related to the RSPAN VLAN should not be configured on the source, intermediate and destination switches, or the mirrored datagrams may be discarded. 2 For the source and intermediate switches in the RSPAN connections, the native VLAN of the TRUNK port cannot be configured as the RSPAN VLAN. Oth
109. steps are as follows. Compare the ID of the devices (the priority of the system, the MAC address of the system): first compare the priority of the systems; if they are the same, then compare the MAC address of the systems. The end with the smaller device ID has the higher priority. Compare the ID of the ports (the priority of the port, the ID of the port): for each port on the side of the device which has the higher device priority, first compare the priority of the ports; if the priorities are the same, then compare the ID of the ports. The port with the smaller port ID is selected and the others become the standby ports. In an aggregation group, the port which has the smallest port ID and is in the selected state will be the master port; the other ports in the selected state will be member ports. 12 2 3 Port Channel Configuration Task List: 1 Create a port group in Global Mode; 2 Add ports to the specified group from the Port Mode of the respective ports; 3 Enter port channel configuration mode; 4 Set the load balance method for the port group; 5 Set the system priority of the LACP protocol; 6 Set the port priority of the current port in the LACP protocol; 7 Set the timeout mode of the current port in the LACP protocol. 1 Creating a port group. Explanation, Global Mode: port group <port group number> / no port group <port group number>: Create or delete a port group. 2 Add physical ports to the port group. Explanation
110. switch. 3 1 2 1 Management via Telnet: To manage the switch with Telnet, the following conditions should be met: 1 The switch has an IPv4 IPv6 address configured. 2 The host IP address (Telnet client) and the switch's VLAN interface IPv4 IPv6 address are in the same network segment. 3 If 2 is not met, the Telnet client can connect to an IPv4 IPv6 address of the switch via other devices such as a router. The switch is a Layer 3 switch that can be configured with several IPv4 IPv6 addresses. The following example assumes the shipment status of the switch, where only VLAN1 exists in the system. The following describes the steps for a Telnet client to connect to the switch's VLAN1 interface by Telnet, with an IPv4 address as an example. Figure 3 6 Manage the switch by Telnet (PC Workstation with IE Browser, IP Address 192 168 1 x, RJ 45 UTP Cable, Managed Switch, IP Address 192 168 1 254). Step 1 Configure the IP addresses for the switch and start the Telnet Server function on the switch. First is the configuration of the host IP address. This should be within the same network segment as the switch VLAN1 interface IP address. Suppose the switch VLAN1 interface IP address is 10 1 128 251 24; then a possible host IP address is 10 1 128 252 24. Run ping 10 1 128 251 from the host and verify the result; check for reasons if the ping failed. The IP address configuration commands for the VLAN1 interface are listed below. Before in band m
111. the SFP slot of the switch converter. Ensure that the SFP transceiver is operating correctly. 4 Check the Link mode of the SFP port if the link fails. To co work with some fiber NICs or media converters, set the Link mode to 100 Force when needed. Removing the transceiver module: 1 Make sure there is no network activity by checking with the network administrator, or through the management interface of the switch converter if available, to disable the port in advance. 2 Remove the Fiber Optic Cable gently. 3 Lift up the lever of the MGB module and turn it to a horizontal position. 4 Pull out the module gently through the lever. Figure 2 8 Pull out the SFP transceiver. Never pull out the module without lifting up the lever of the module and turning it to a horizontal position. Directly pulling out the module could damage the module and the SFP module slot of the Managed Switch. Chapter 3 Switch Management. 3 1 Management Options: After purchasing the switch, the user needs to configure the switch for network management. The switch provides two management options: in band management and out of band management. 3 1 1 Out Of Band Management: Out of band management is management through the Console interface. Generally the user will use out of band management for the initial switch configuration or when in band management is not available. For instance, the user must assign an IP address to the switch via th
112. the dynamic DNS database would increase efficiency. Static domain name resolution means setting up mappings between domain names and IPv4 IPv6 addresses; the IPv4 IPv6 addresses of the corresponding domain names can be found in the static DNS database when you use some applications. Dynamic domain name resolution is implemented by querying the DNS server. A user program sends a name query to the resolver in the DNS client when users want to use some applications with a domain name; the DNS resolver looks up the local domain name cache for a match. If a match is found, it sends the corresponding IPv4 IPv6 address back to the switch. If no match is found, it sends a query to a higher DNS server. This process continues until a result, whether success or failure, is returned. The Domain Name System (DNS) is a hierarchical naming system for computers, services or any resource participating in the Internet. It associates various information with domain names assigned to such participants. Most importantly, it translates humanly meaningful domain names to the numerical binary identifiers associated with networking equipment for the purpose of locating and addressing these devices world wide. An often used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human friendly computer hostnames into IP addresses. The Domain Name System makes it possible to assign domain names to groups of Internet users
113. the listening result. The switch forwards multicast packets according to the multicast forwarding list. The switch realizes the MLD Snooping function while supporting MLD v2. This way the user can acquire IPv6 multicast with the switch. 39 1 2 MLD Snooping Configuration Task: 1 Enable the MLD Snooping function; 2 Configure the MLD Snooping. 1 Enable the MLD Snooping function. Explanation, Global Mode: ipv6 mld snooping / no ipv6 mld snooping: Enable global MLD Snooping; the no ipv6 mld snooping command disables global MLD snooping. 2 Configure MLD Snooping. Explanation, Global Mode: ipv6 mld snooping vlan <vlan id> / no ipv6 mld snooping vlan <vlan id>; ipv6 mld snooping vlan <vlan id> limit group <g_limit> source <s_limit> / no ipv6 mld snooping vlan <vlan id> limit; ipv6 mld snooping vlan <vlan id> l2 general querier / no ipv6 mld snooping vlan <vlan id> l2 general querier; ipv6 mld snooping vlan <vlan id> mrouter port interface <interface name> / no ipv6 mld snooping vlan <vlan id> mrouter port interface <interface name>; ipv6 mld snooping vlan <vlan id> mrouter port learnpim6 / no ipv6 mld snooping vlan <vlan id> mrouter port learnpim6; ipv6 mld snooping vlan <vlan id> mrpt <value> / no ipv6 mld snooping vlan <vlan id> mrpt; ipv6 mld snooping vlan <vlan id> query interval <v
114. the switch, when the user logs in (such as via telnet), the authentication of user name and password can be carried out with TACACS. 46 2 TACACS Configuration Task List: 1 Configure the TACACS authentication key; 2 Configure the TACACS server; 3 Configure the TACACS authentication timeout time; 4 Configure the IP address of the RADIUS NAS. 1 Configure the TACACS authentication key. Explanation, Global Mode: tacacs server key 0 | 7 <string> / no tacacs server key: Configure the TACACS server key; the no tacacs server key command deletes the key. 2 Configure TACACS server. Explanation, Global Mode: tacacs server authentication host <ip address> port <port number> timeout <seconds> key 0 | 7 <string> primary / no tacacs server authentication host <ip address>: Configure the IP address, listening port number, the value of the timeout timer and the key string of the TACACS server; the no form of this command deletes the TACACS authentication server. 3 Configure the TACACS authentication timeout time. Command, Explanation, Global Mode: tacacs server timeout <seconds> / no tacacs server timeout: Configure the authentication timeout for the TACACS server; the no tacacs server timeout command restores the default configuration. 4 Configure the IP address of the TACACS NAS. Explanation, Global Mode: taca
115. this: when recovering the master port, if the preemption mode is not configured, port A2 keeps the Forwarding state and port A1 turns into the Standby state. After the preemption mode is enabled, the master port preempts the slave port when it recovers from the problem. To avoid the frequent uplink switching caused by an abnormality, the preemption delay mechanism is introduced, and the master port needs to wait for some time before it preempts the slave port. To keep the continuity of the flows, the master port does not preempt by default but turns into the Standby state. When configuring ULPP, it needs to specify the VLAN which is protected by this ULPP group through the method of MSTP instances, and ULPP does not provide protection to other VLANs. When the uplink switch happens, the primary forwarding entries of the device will not be applied to the new topology in the network. In the figure, SwitchA configures ULPP with portA1 as the master port in the forwarding state; here the MAC address of the PC is learned by SwitchD from portD3. After this, portA1 has the problem and the traffic is switched to portA2 to be forwarded. If there is data sent to the PC by SwitchD, the data will still be forwarded from portD3 and will be lost. Therefore, when switching the uplink, the device configured with ULPP needs to send flush packets through the port which is switched to the Forwarding state and update MAC address tables
116. to assign IP addresses in a fixed range to specific users. How to avoid an illegal DHCPv6 client forging the MAC address fields of DHCPv6 packets to trigger an IP address exhaustion attack. How to avoid an illegal DHCPv6 client triggering a denial of service attack by using the MAC address of other legal clients. Therefore IETF set rfc4649 and rfc4580, i.e. DHCPv6 option 37 and option 38, to solve these problems. DHCPv6 option 37 and option 38 are similar to DHCP option 82. When a DHCPv6 client sends request packets to the DHCPv6 server through a DHCPv6 relay agent, if the DHCPv6 relay agent supports option 37 and option 38 they will be added to the request packets. For the response packets of the server, option 37 and option 38 are meaningless and are peeled from the response packets. Therefore the application of option 37 and option 38 is transparent for the client. The DHCPv6 server can authenticate the identity of the DHCPv6 client and DHCPv6 relay device by option 37 and option 38, assign and manage client addresses neatly through configuring the assignment policy, and prevent DHCPv6 attacks effectively according to the included client information, such as forging MAC address fields of DHCPv6 packets to trigger an IP address exhaustion attack. Since the server can identify multiple request packets from the same access port, it can limit the number of assigned addresses through policy to avoid address exhaustion. However rfc4649 and rfc4580 do not set how to use option 37 and option 38 for the DHCPv6 server; users can
117. to obtain their thresholds and the real time state of the current fiber module through the inner MCU of the fiber module. That is able to help the network management units locate the fault in the fiber link, reduce the maintenance workload and enhance the system reliability. DDM applications are shown in the following. 1 Module lifetime forecast: Monitoring the bias current is able to forecast the laser lifetime. The administrator is able to find some potential problems by monitoring the voltage and temperature of the module. 1 High Vcc voltage will result in the breakdown of the CMOS; low Vcc voltage will result in abnormal operation. 2 High rx power will damage the receiving module; low rx power will result in the receiving module not working normally. 3 High temperature will result in fast aging of the hardware. 4 Monitoring the received fiber power monitors the capability of the link and the remote switch. 2 Fault location: In a fiber link, locating the fault is important to the fast overload of the service; fault isolation is able to help the administrator quickly locate the link fault within the module (local module or remote module) or on the link, and it also reduces the time for restoring the system from the fault. Analyzing the warning and alarm status of the real time parameters (temperature, voltage, bias current, tx power and rx power) can quickly locate the fault through the Digital Diagnostic function. Besides the state
118. to the ports or the VLAN interfaces. Configure the trust mode for ports or bind policies to ports: a policy will only take effect on a port when it is bound to that port. The policy may be bound to a specific VLAN. It is not recommended to synchronously use a policy map on a VLAN and its port. Configure queue management algorithm: configure the queue management algorithm such as sp, wrr, wdrr, sp wrr, sp wdrr and so on. 1 Configure class map. Explanation, Global Mode: class map <class map name> / no class map <class map name>: Create a class map and enter class map mode; the no class map <class map name> command deletes the specified class map. match access group <acl index or name> | ip dscp <dscp list> | ip precedence <ip precedence list> | ipv6 access group <acl index or name> | ipv6 dscp <dscp list> | ipv6 flowlabel <flowlabel list> | vlan <vlan list> | cos <cos list> | c vlan <vlan list> / no match access group | ip dscp | ip precedence | ipv6 access group | ipv6 dscp | ipv6 flowlabel | vlan | cos | c vlan: Set the matching criterion (classify the data stream by ACL, CoS, VLAN ID, IPv4 Precedence, IPv6 FL or DSCP etc) for the class map; the no command deletes the specified matching criterion. 2 Configure a policy map. Explanation, Global Mode: policy map <policy map name>: Create a policy map and enter policy
119. transmit med tlv inventory / no lldp transmit med tlv inventory. network policy voice | voice signaling | guest voice | guest voice signaling | softphone voice | video conferencing | streaming video | video signaling status enable | disable tag tagged | untagged vid <vlan id> | dot1p cos <cos value> dscp <dscp value> / no network policy voice | voice signaling | guest voice | guest voice signaling | softphone voice | video conferencing | streaming video | video signaling. civic location dhcp server | switch | endpointDev <country code> / no civic location. ecs location <te number> / no ecs location. Descriptions: send LLDP MED Network Policy TLV; the no command disables the capability. Configure the specified port to send LLDP MED Extended Power Via MDI TLV; the no command disables the capability. Configure the port to send LLDP MED Inventory Management TLVs; the no command disables the capability. Configure the network policy of the port, including VLAN ID, the supported application (such as voice and video), the application priority and the used policy and so on. Configure the device type and country code of the location with Civic Address LCI format and enter Civic Address LCI address mode; the no command cancels all configurations of the location with Civic Address LCI format. Configure the location with ECS ELIN format on the port; the no command cancels the configu
trust disables the trust function; the port is translated from a trust port into an untrust port.

14. Enable or disable ND trust of port (Port mode)
ipv6 nd snooping trust
no ipv6 nd snooping trust
Explanation: Configure a port as slaac trust and RA trust; the no command deletes the port's trust function.

15. Configure the binding number (Port mode)
savi ipv6 binding-num <limit-num>
no savi ipv6 binding-num
Explanation: Configure the binding number of a port; the no command restores the default value. Note: The binding number only limits the dynamic binding, but does not limit the static binding number.

54.3 SAVI Typical Application
In actual application, the SAVI function is usually applied in the access layer switch to check the validity of the node source address on the direct link. There are four typical application scenes for the SAVI function: DHCP-Only, Slaac-Only, DHCP-Slaac and Static binding. In the network environment users can select the corresponding scene according to the actual requirement; in a dual-stack network, when the SAVI function is used together with IPv4 DHCP snooping, IPv4 and IPv6 source address authentication is implemented.
Typical network topology application for the SAVI function:
[Figure: Switch with ports Ethernet1/1, Ethernet1/2, Ethernet1/12, Ethernet1/13; Client_1 and Client_2]
Client_1 and Client_2 means two d
usage and error statistics for each subnet monitored by the Agent.
History Record: periodical statistic samples available from Statistics.
Alarm: Allow management console users to set any count or integer for sample intervals and alert thresholds for RMON Agent records.
Event: A list of all events generated by the RMON Agent. Alarm depends on the implementation of Event.
Statistics and History display some current or history subnet statistics. Alarm and Event provide a method to monitor any integer data change in the network and provide some alerts upon abnormal events (sending a Trap or recording in logs).

4.4.4 SNMP Configuration
4.4.4.1 SNMP Configuration Task List
1. Enable or disable SNMP Agent server function
2. Configure SNMP community string
3. Configure IP address of SNMP management base
4. Configure engine ID
5. Configure user
6. Configure group
7. Configure view
8. Configuring TRAP
9. Enable/Disable RMON

1. Enable or disable SNMP Agent server function (Global Mode)
snmp-server enabled
no snmp-server enabled
Explanation: Enable the SNMP Agent function on the switch; the no command disables the SNMP Agent function on the switch.

2. Configure SNMP community string (Global Mode)
snmp-server community {ro | rw} {0 | 7} ... [ipv6-access {<ipv6-num-std> | <ipv6-name>}] [read <
Explanation: Configure the community string for the switch; the no command deletes the configured
vlan-translation (Admin mode)
show vlan-translation
Explanation: Show the related configuration of VLAN translation.

20.4.3 Typical application of VLAN translation
Scenario: Edge switches PE1 and PE2 of the ISP internet support the VLAN20 data task between CE1 and CE2 of the client network with VLAN3. Port1/1 of PE1 is connected to CE1, port1/10 is connected to the public network; port1/1 of PE2 is connected to CE2, port1/10 is connected to the public network.
[Figure 20-6 VLAN translation topology mode: on the customer port, Trunk VLAN 200 300; the ingress of the port on PE translates VLAN20 to VLAN3, the egress translates VLAN3 to VLAN20; SP networks and customer networks 1 and 2 connected by Trunk connection]
Configuration Item / Explanation:
VLAN translation: Port1/1 of PE1 and PE2
Trunk port: Port1/1 and Port1/10 of PE1 and PE2
Configuration procedure is as follows:
PE1 / PE2:
switch(Config)# interface ethernet 1/1
switch(Config-Ethernet1/1)# switchport mode trunk
switch(Config-Ethernet1/1)# vlan-translation enable
switch(Config-Ethernet1/1)# vlan-translation 20 to 3 in
switch(Config-Ethernet1/1)# vlan-translation 3 to 20 out
switch(Config-Ethernet1/1)# exit
switch(Confi
without removing the relative DHCPv6 class information that has been configured.
ipv6 dhcp class <class-name>
no ipv6 dhcp class <class-name>
Explanation: This command defines a DHCPv6 class and enters DHCPv6 class mode; the no form of this command removes this DHCPv6 class.

Interface configuration mode:
ipv6 dhcp server select relay-forw
no ipv6 dhcp server select relay-forw
Explanation: This command enables the DHCPv6 server to support selections when multiple option 37 or option 38 options exist; the option 37 and option 38 of relay-forw in the innermost layer are selected. The no operation restores the default configuration, i.e. selecting option 37 and option 38 of the original packets.

remote-id <remote-id> subscriber-id <subscriber-id>
no remote-id <remote-id> subscriber-id <subscriber-id>
Explanation: This command configures option 37 and option 38 that match the class in ipv6 dhcp class configuration mode.

DHCPv6 address pool configuration mode:
class <class-name>
no class <class-name>
Explanation: This command associates a class to an address pool in DHCPv6 address pool configuration mode and enters class configuration mode in the address pool. Use the no command to remove the link.

address range <start-ip> <end-ip>
Explanation: This command is used to set the address range for a DHCPv6 class in DHCPv6 address pool configuration mode; the no
your Managed Switch on a desktop or shelf, simply complete the following steps. In this paragraph we will describe how to install the Managed Switch and the installation points to attend to.

2.1 Hardware Description
2.1.1 Switch Front Panel
The unit front panel provides a simple interface for monitoring the switch. Figure 2-1 shows the front panel of the Managed Switch.
[Figure 2-1 WGSW-52040 front panel]
- Gigabit TP interface: 10/100/1000Base-T Copper, RJ-45 Twist-Pair: up to 100 meters.
- Gigabit SFP slots: 100/1000Base-X mini-GBIC slot, SFP (Small Form Factor Pluggable) transceiver module: from 550 meters (Multi-mode fiber), up to 10/20/30/40/50/70/120 kilometers (Single-mode fiber).
- Console Port: The console port is an RJ-45 port connector. It is an interface for connecting a terminal directly. Through the console port it provides rich diagnostic information including IP Address setting, factory reset, port management, link status and system setting. Users can use the attached DB9 to RJ-45 console cable in the package and connect to the console port on the device. After the connection, users can run any terminal emulation program (Hyper Terminal, ProComm Plus, Telix, Winterm and so on) to enter the startup screen of the device.
- Reset button: On the front panel, the reset button is designed for rebooti
69.3 Dying Gasp Troubleshooting
If there is something wrong when configuring the dying gasp function, please check whether it is because of the following reasons:
- Make sure the layer 3 interface has been configured and is connected to the SNMP server.
- Make sure of the address of the SNMP server. More than one SNMP server address can be configured on the switch, but dying gasp trap packets will be sent to the last configured server when there is a power failure.

PLANET Networking & Communication
EC Declaration of Conformity
For the following equipment:
Type of Product: 48-Port 10/100/1000Base-T + 4-Port 1000X SFP Managed Gigabit Switch
Model Number: WGSW-52040
Produced by:
Manufacturer's Name: Planet Technology Corp.
Manufacturer's Address: 10F, No. 96, Minquan Rd., Xindian Dist., New Taipei City 231, Taiwan (R.O.C.)
Is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive (2004/108/EC). For the evaluation regarding the EMC, the following standards were applied:
EN 55022 (2006 + A1: 2007 + A2: 2010 + AC: 2011)
EN 61000-3-2 (2006 + A1: 2009 + A2: 2009)
EN 61000-3-3 (2008)
EN 55024 (2010)
IEC 61000-4-2 (2008)
IEC 61000-4-3 (2006 + A1: 2007 + A2: 2010)
IEC 61000-4-4 (2012)
IEC 61000-4-5 (2005)
IEC 61000-4-6 (2008)
IEC 61000-4-8 (2009)
IEC 61000-4-11 (2004)
Responsible for marking this decl
0.0.0.0/0 area 0
SwitchA(config-router)# exit
Configure Ethernet 1/1 as a source port and Tunnel as the destination port of local mirroring group 1:
SwitchA(config)# monitor session 4 destination tunnel 1
SwitchA(config)# monitor session 4 source interface ethernet 1/1 both

3. Configure Device B (the intermediate device)
Configure OSPF protocol:
SwitchB(config)# router ospf
SwitchB(config-router)# network 0.0.0.0/0 area 0
SwitchB(config-router)# exit

4. Configure Device C (the destination device)
Create interface Tunnel1 and configure an IP address and mask for it:
SwitchC(config)# interface tunnel 1
SwitchC(config-if-tunnel1)# tunnel mode gre ip
SwitchC(config-if-tunnel1)# ip address 50.1.1.2 255.255.255.0
Configure Tunnel to operate in GRE tunnel mode and configure source and destination IP addresses for it:
SwitchC(config-if-tunnel1)# tunnel source 40.1.1.1
SwitchC(config-if-tunnel1)# tunnel destination 10.1.1.1
SwitchC(config-if-tunnel1)# exit
Configure OSPF protocol:
SwitchC(config)# router ospf
SwitchC(config-router)# network 0.0.0.0/0 area 0
SwitchC(config-router)# exit
Configure Ethernet 1/1 as a source port and Ethernet 1/2 as the destination port of local mirroring group 1:
SwitchC(config)# monitor session 1 destination interface ethernet 1/2
SwitchC(config)# monitor session 1 source interface ethernet 1/1 rx

61.4 ERSPAN Troubleshooting
If problems occur when configuring ERSPAN, pleas
02.1x Configuration Example
Topology: The PC is connected to port 1/2 of the switch. IEEE 802.1x authentication is enabled on port 1/2; the access mode is the default (MAC-based authentication). The switch IP address is 10.1.1.2. Any port other than port 1/2 is used to connect to the RADIUS authentication server, which has an IP address of 10.1.1.3 and uses the default port 1812 for authentication and port 1813 for accounting. IEEE 802.1x authentication client software is installed on the PC and is used in IEEE 802.1x authentication.
The configuration procedures are listed below:
Switch(config)# interface vlan 1
Switch(Config-if-Vlan1)# ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)# exit
Switch(config)# radius-server authentication host 10.1.1.3
Switch(config)# radius-server accounting host 10.1.1.3
Switch(config)# radius-server key test
Switch(config)# aaa enable
Switch(config)# aaa-accounting enable
Switch(config)# dot1x enable
Switch(config)# interface ethernet 1/2
Switch(Config-Ethernet1/2)# dot1x enable
Switch(Config-Ethernet1/2)# dot1x port-control auto
Switch(Config-Ethernet1/2)# exit

42.3.3 Examples of IPv6 Radius Application
[Figure 42-17 IPv6 Radius: PC 2004:1:2:3::1, switch 2004:1:2:3::2, Radius Server 2004:1:2:3::3]
Connect the computer to interface 1/2 of the switch and enable IEEE 802.1x on interface 1/2. Use MAC-based authentication. Configure the IP address of the
1 of user A, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network.
2. The encapsulated Layer 2 protocol packet (called a BPDU Tunnel packet) is forwarded to PE 2 at the other end of the service provider network, which de-encapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to network 2 of user A.

bpdu-tunnel configuration of edge switches PE1 and PE2 is as follows:
PE1 configuration:
PE1(config)# bpdu-tunnel dmac 01-02-03-04-05-06
PE1(config-if-ethernet1/1)# bpdu-tunnel stp
PE1(config-if-ethernet1/1)# bpdu-tunnel lacp
PE1(config-if-ethernet1/1)# bpdu-tunnel uldp
PE1(config-if-ethernet1/1)# bpdu-tunnel gvrp
PE1(config-if-ethernet1/1)# bpdu-tunnel dot1x
PE2 configuration:
PE2(config)# bpdu-tunnel dmac 01-02-03-04-05-06
PE2(config-if-ethernet1/1)# bpdu-tunnel stp
PE2(config-if-ethernet1/1)# bpdu-tunnel uldp
PE2(config-if-ethernet1/1)# bpdu-tunnel lacp
PE2(config-if-ethernet1/1)# bpdu-tunnel gvrp
PE2(config-if-ethernet1/1)# bpdu-tunnel dot1x

18.4 bpdu-tunnel Troubleshooting
After a port disables the stp, gvrp, uldp, lacp and dot1x functions, it is able to configure the bpdu-tunnel function.

Chapter 19 EEE Energy-saving Configuration
19.1 Introduction to EEE Energy-saving
EEE is Energy Effic
Chapter 42 802.1x Configuration
42.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, which is designed to provide a solution for authentication when users access a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can access a LAN controlling device (such as a LAN switch), they will be able to reach all the devices or resources in the LAN. There was no looming danger in the LAN environment of those early enterprise networks. However, along with the boom of applications like mobile office and service operating networks, service providers need to control and configure access from users. The prevailing application of WLAN and LAN access in telecommunication networks in particular makes it necessary to control ports in order to implement user-level access control. As a result, the IEEE LAN/WAN committee defined a standard, 802.1x, for Port-Based Network Access Control. This standard has been widely used in wireless LAN and Ethernet.
Port-Based Network Access Control means authenticating and controlling the user devices at the level of the ports of LAN access devices. Only when the user devices connected to the ports pass the authentication can they access the resources in the LAN; otherwise the resources in the LAN won't be available.

42.1.1 The Authentication Structure of 802
1x
The system using 802.1x has a typical Client/Server structure which contains three entities, as illustrated in the next figure: Supplicant system, Authenticator system and Authentication server system.
[Figure 42-1 The Authentication Structure of 802.1x: Supplicant system (Supplicant PAE), Authenticator system (Authenticator PAE; services offered by the Authenticator's system; port authorized/unauthorized), Authentication server system; EAP protocol exchanges carried in a higher-layer protocol; LAN/WLAN]
- The supplicant system is an entity on one end of the LAN segment that should be authenticated by the access controlling unit on the other end of the link. A supplicant system usually is a user terminal device. Users start 802.1x authentication by starting supplicant system software. A supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).
- The authenticator system is another entity on one end of the LAN segment, which authenticates the supplicant systems connected. An authenticator system usually is a network device supporting the 802.1x protocol, providing ports for supplicant systems to access the LAN. The ports provided can either be physical or logical.
- The authentication server system is an entity that provides authentication service for authenticator systems. The authentication server system is used to authenticate and authorize users as w
2. So all the PC terminals connected to Switch1 and Switch2 will get addresses from the public address pool of the DHCP server. After the DHCP option 82 function is enabled, since Switch3 appends the port information of the access to Switch3 to the request message from the client, the server can tell whether the client is from the network of Switch1 or Switch2, and thus can allocate separate address spaces for the two networks to simplify the management of networks.
The following is the configuration of Switch3 (MAC address is 00-30-4f-02-33-01):
Switch3(Config)# service dhcp
Switch3(Config)# ip dhcp relay information option
Switch3(Config)# ip forward-protocol udp bootps
Switch3(Config)# interface vlan 3
Switch3(Config-if-Vlan3)# ip address 192.168.10.222 255.255.255.0
Switch3(Config-if-Vlan2)# ip address 192.168.102.2 255.255.255.0
Switch3(Config-if-Vlan2)# ip helper 192.168.10.88

Linux ISC DHCP Server supports option 82; its configuration file /etc/dhcpd.conf is:
ddns-update-style interim;
ignore client-updates;
class "Switch3Vlan2Class1" {
  match if option agent.circuit-id = "Vlan2+Ethernet1/2" and option agent.remote-id = 00:30:4f:02:33:01;
}
class "Switch3Vlan2Class2" {
  match if option agent.circuit-id = "Vlan2+Ethernet1/3" and option agent.remote-id = 00:30:4f:02:33:01;
}
subnet 192.168.102.0 netmask 255.255.255.0 {
  option routers 192.168.102.2;
  option subnet-mask 255.255.255.0;
  option domain-name "example.com.cn";
2.2 Configure Port Channel in LACP
The switches in the description below are all switches, and as shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group 1 with active mode. Ports 6, 8, 9, 10 of S2 are access ports; add them to group 2 with passive mode. All the ports should be connected with cables.
The configuration steps are listed below:
Switch1# config
Switch1(config)# interface ethernet 1/1-4
Switch1(Config-If-Port-Range)# port-group 1 mode active
Switch1(Config-If-Port-Range)# exit
Switch1(config)# interface port-channel 1
Switch1(Config-If-Port-Channel1)#

Switch2# config
Switch2(config)# port-group 2
Switch2(config)# interface ethernet 1/6
Switch2(Config-If-Ethernet1/6)# port-group 2 mode passive
Switch2(Config-If-Ethernet1/6)# exit
Switch2(config)# interface ethernet 1/8-10
Switch2(Config-If-Port-Range)# port-group 2 mode passive
Switch2(Config-If-Port-Range)# exit
Switch2(config)# interface port-channel 2
Switch2(Config-If-Port-Channel2)#

Configuration result: the shell prompts that ports are aggregated successfully after a while; now ports 1, 2, 3, 4 of S1 form an aggregated port named Port-Channel1, and ports 6, 8, 9, 10 of S2 form an aggregated port named Port-Channel2, which can be configured in their respective aggregated port mode.

Scenario 2: Configuring Port Channel in ON mode
[Figure 12-3 Configure Port-Channel in ON
[Figure: format of the Circuit ID and Remote ID sub-options: SubOpt, Len, Sub-option Value]
SubOpt: the sequence number of the sub-option; the sequence number of the Circuit ID sub-option is 1, the sequence number of the Remote ID sub-option is 2.
Len: the number of bytes in Sub-option Value, not including the two bytes in the SubOpt segment and Len segment.

37.1.2 DHCP Snooping Option 82 Working Mechanism
[Figure: DHCP option 82 flow chart: DHCP Client, DHCP Snooping, DHCP Server]
If DHCP Snooping supports option 82, the DHCP client should go through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The DHCP protocol follows the procedure below:
1. The DHCP client sends a request broadcast message while initializing. This request message does not have option 82.
2. DHCP Snooping will add option 82 to the end of the request message it receives and perform layer 2 forwarding. By default, sub-option 1 of option 82 (Circuit ID) is the interface information of the switch connected to the DHCP client (VLAN name and physical port name). Sub-option 2 of option 82 (Remote ID) is the CPU MAC address of the switch.
3. After receiving the DHCP request message, the DHCP
3, we can configure its join-in switch as follows:
Switch(config)# ip multicast policy 210.1.1.1/32 239.1.2.3/32 cos 4
In this way, the multicast stream will have a priority of value 4. Usually this is pretty high; the only higher one is protocol data. If a higher priority is set and there is too much multicast data, it might cause abnormal behavior of the switch protocol when the traffic reaches other switches through this switch.

38.2.4 DCSCM Troubleshooting
The effect of the DCSCM module itself is similar to ACL, and the problems that occur are usually related to improper configuration. Please read the descriptions above carefully. If you still cannot determine the cause of the problem, please send your configurations and the effects you expect to the after-sale service staff of our company.

38.3 IGMP Snooping
38.3.1 Introduction to IGMP Snooping
IGMP (Internet Group Management Protocol) is a protocol used in IP multicast. IGMP is used by multicast-enabled network devices (such as a router) for host membership query, and by hosts that are joining a multicast group to inform the router to accept packets of a certain multicast address. All those operations are done through IGMP message exchange. The router will use the multicast address 224.0.0.1, which addresses all hosts, to send an IGMP host membership query message. If a host wants to join a multicast group, it will reply to the multicast address of that multicast group with an IGMP ho
3(config)# interface ethernet 1/12
Switch3(Config-If-Ethernet1/12)# speed-duplex force100-full
Switch3(Config-If-Ethernet1/12)# exit

7.4 Port Troubleshooting
Here are some situations that frequently occur in port configuration and the advised solutions:
- Two connected fiber interfaces won't link up if one interface is set to auto-negotiation but the other to forced speed/duplex. This is determined by IEEE 802.3.
- The following combinations are not recommended: enabling traffic control as well as setting multicast limiting for the same port; setting broadcast, multicast and unknown destination unicast control as well as port bandwidth limiting for the same port. If such combinations are set, the port throughput may fall below the expected performance.

Chapter 8 Port Isolation Function Configuration
8.1 Introduction to Port Isolation Function
Port isolation is an independent port-based function working in an inter-port way, which isolates flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security. After this function is configured, the ports in a port isolation group will be isolated from each other, while ports belonging to different isolation groups or to no such group can forward data to one another normally. A switch can have no more than 16 port isolation groups.

8.2 Task Sequence of Port Isolation
1. Create an isolate port group
2.
6.1.0/24
Switch(dhcp-A-config)# lease 3
Switch(dhcp-A-config)# default-route 10.16.1.200 10.16.1.201
Switch(dhcp-A-config)# dns-server 10.16.1.202
Switch(dhcp-A-config)# netbios-name-server 10.16.1.209
Switch(dhcp-A-config)# netbios-node-type H-node
Switch(dhcp-A-config)# exit
Switch(config)# ip dhcp excluded-address 10.16.1.200 10.16.1.201
Switch(config)# ip dhcp pool B
Switch(dhcp-B-config)# network 10.16.2.0/24
Switch(dhcp-B-config)# lease 1
Switch(dhcp-B-config)# default-route 10.16.2.200 10.16.2.201
Switch(dhcp-B-config)# dns-server 10.16.2.202
Switch(dhcp-B-config)# option 72 ip 10.16.2.209
Switch(dhcp-B-config)# exit
Switch(config)# ip dhcp excluded-address 10.16.2.200 10.16.2.201
Switch(config)# ip dhcp pool A1
Switch(dhcp-A1-config)# host 10.16.1.210
Switch(dhcp-A1-config)# hardware-address 00-03-22-23-dc-ab
Switch(dhcp-A1-config)# exit

Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch, the client can only get its address from 10.16.1.0/24 instead of 10.16.2.0/24. This is because the broadcast packet from the client will be requesting an IP address in the same segment as the VLAN interface after VLAN interface forwarding, and the VLAN interface IP address is 10.16.1.2/24; therefore the IP address assigned to the client will belong to 10.16.1.0/24. If the DHCP/BOOTP client wants to have an address in 10.16.2.0/24, the gateway forwarding the broadcast packets of the client must belong to 10.16.2.0/24. The connectivit
38.1.2 Multicast Address
The destination address of a Multicast message uses a class D IP address, with range from 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In the process of Unicast data transmission, the transmission path of a data packet is from the source address, routed to the destination address, and the transmission is performed on the hop-by-hop principle. However, in an IP Multicast environment the destination address is a group instead of a single one; the receivers form a group address. All message receivers will join a group, and once they do, the data flowing to the group address will be sent to the receivers immediately, and all members in the group will receive the data packets. The members in a Multicast group are dynamic: the hosts can join and leave the Multicast group at any time.
A Multicast group can be permanent or temporary. Some of the Multicast group addresses are assigned officially; they are called Permanent Multicast Groups. A Permanent Multicast Group keeps its IP address fixed, but its member structure can vary. The member amount of a Permanent Multicast Group can be arbitrary, even zero. The IP Multicast addresses which are not kept for use by Permanent Multicast Groups can be utilized by temporary Multicast groups.
224.0.0.0 to 224.0.0.255 are reserved Multicast addresses (Permanent Group Addresses): address 224.0.0.0 is reserved but not assigned, and other addresses are used by rou
Attention:
- The switch, as the access controlling unit of Pass-through, will not check the content of a particular EAP method, so it can support all the EAP methods above and all the EAP authentication methods that may be extended in the future.
- In EAP relay, if any authentication method in EAP-MD5, EAP-TLS, EAP-TTLS and PEAP is adopted, the authentication methods of the supplicant system and the RADIUS server should be the same.

1. EAP-MD5 Authentication Method
EAP-MD5 is an IETF open standard which provides the least security, since the MD5 hash function is vulnerable to dictionary attacks. The following figure illustrates the basic operation flow of the EAP-MD5 authentication method.
[Figure 42-9 the Authentication Flow of 802.1x EAP-MD5, between Supplicant PAE, Authenticator PAE and RADIUS server: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request; RADIUS Access-Challenge; EAP-Request/MD5-Challenge; EAP-Response/MD5-Challenge; RADIUS Access-Request; RADIUS Access-Accept; EAP-Success; Port authorized; handshake period: Handshake request packet (EAP-Request/Identity), Handshake response packet (EAP-Response/Identity); EAPOL-Logoff; Port unauthorized]

2. EAP-TLS Authentication Method
EAP-TLS is brought up by Microsoft based on EAP and TL
Bind flexible QinQ policy map to port

1. Configure class map (Global mode)
class-map <class-map-name>
no class-map <class-map-name>
Explanation: Create a class map and enter class map mode; the no command deletes the specified class map.
match {access-group <acl-index-or-name> | ip dscp <dscp-list> | ip precedence <ip-precedence-list> | ipv6 access-group <acl-index-or-name> | ipv6 dscp <dscp-list> | ipv6 flowlabel <flowlabel-list> | vlan <vlan-list> | cos <cos-list> | c-vlan <vlan-list>}
no match {access-group | ip dscp | ip precedence | ipv6 access-group | ipv6 dscp | ipv6 flowlabel | vlan | cos | c-vlan}
Explanation: Set the match standard of the class map: classify data flow by ACL, IPv4 Precedence or DSCP etc. for the class map; the no command deletes the specified match standard.

2. Configure policy map of flexible QinQ (Global mode)
policy-map <policy-map-name>
no policy-map <policy-map-name>
Explanation: Create a policy map and enter policy map mode; the no command deletes the specified policy map.
class <class-map-name> [insert-before <class-map-name>]
no class <class-map-name>
Explanation: After a policy map is created, it can be associated to a class. A different policy or new DSCP value can be applied to different data flows in class mode; the no command deletes the specified class map.
set s-vid <new-vid>
Explanation: Assign the new cos and vid va
CH D configuration Task Sequence
Switch(Config)# mrpp enable
Switch(Config)# mrpp ring 4000
Switch(mrpp-ring-4000)# control-vlan 4000
Switch(mrpp-ring-4000)# enable
Switch(mrpp-ring-4000)# exit
Switch(Config)# interface ethernet 1/1
Switch(config-If-Ethernet1/1)# mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)# interface ethernet 1/2
Switch(config-If-Ethernet1/2)# mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)# exit
Switch(Config)#

55.4 MRPP Troubleshooting
The normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise it is very possible to form a loop and a broadcast storm. When configuring an MRPP ring, you had better disconnect the ring, wait for each switch to be configured, and then close the ring. When the MRPP ring is disabled on an enabled switch of the ring, make sure the ring has been disconnected first. When there is a broadcast storm on the MRPP ring, disconnect the ring first and check whether the MRPP ring configuration of each switch on the ring is correct; if it is correct, restore the ring and then observe whether the ring is normal.
The convergence time of the MRPP ring network depends on the response mode of link up/down. If poll mode is used, the convergence time is hundreds of milliseconds in a simple ring network; if interrupt mode is used, the convergence time is within 50 milliseconds. Generally the port is configured in poll mode; interrupt mode is only applied to better pe
CPU as one of the sources
4. Configure access list 120
5. Configure access list 120 to bind to interface 15 ingress
Configuration procedure is as follows:
Switch(config)# monitor session 1 destination interface ethernet 1/1
Switch(config)# monitor session 1 source interface ethernet 1/7 rx
Switch(config)# monitor session 1 source interface ethernet 1/9 tx
Switch(config)# monitor session 1 source cpu
Switch(config)# access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
Switch(config)# monitor session 1 source interface ethernet 1/15 access-list 120 rx

58.4 Device Mirror Troubleshooting
If problems occur on configuring port mirroring, please check the following first for causes:
- Whether the mirror destination port is a member of a TRUNK group or not; if yes, modify the TRUNK group.
- If the throughput of the mirror destination port is smaller than the total throughput of the mirror source port(s), the destination port will not be able to duplicate all source port traffic; please decrease the number of source ports, duplicate traffic for one direction only, or choose a port with greater throughput as the destination port.
- The mirror destination port cannot be pulled into an Isolate VLAN, or it will affect mirroring between VLANs.

Chapter 59 sFlow Configuration
59.1 Introduction to sFlow
sFlow (RFC 3176) is a protocol based on standard network export and used for monitoring the network traffic information, developed
[Figure: NTP topology; Switch C interfaces IF 192.168.1.12 and IF 192.168.2.12]
The configuration of Switch C is as follows. Switch A and Switch B may have different commands because they are from different companies, so we do not explain them here; our switches do not support NTP server at present.
Switch C:
Switch(config)# ntp enable
Switch(config)# interface vlan 1
Switch(Config-if-Vlan1)# ip address 192.168.1.12 255.255.255.0
Switch(config)# interface vlan 2
Switch(Config-if-Vlan2)# ip address 192.168.2.12 255.255.255.0
Switch(config)# ntp server 192.168.1.11
Switch(config)# ntp server 192.168.2.11

63.4 NTP Function Troubleshooting
If an error occurs in the configuration procedures, the system can give out debug information. The NTP function is disabled by default; the show command can be used to display the current configuration. If the configuration is right, please use the relevant debugging commands to display specific information about the procedure and whether the function is configured correctly; you can also use the show command to display the NTP running information. For any questions, please send the recorded message to the technical service center.

Chapter 64 Summer Time Configuration
64.1 Introduction to Summer Time
Summer time is also called daylight saving time; it is a time system for saving energy sources. In summer the time is advanced 1 hour to keep early hours and reduce lighting so as to save electricity. The rule that ado
FLASH or CF. If the device supports multiple config files, the configuration file is named as a .cfg file; the default is startup.cfg. If the device does not support multiple config files, the name of the startup configuration file is mandated to be startup-config.
Running configuration file refers to the running configuration sequence in use in the switch. In the switch, the running configuration file is stored in RAM. In the current version, the running configuration sequence running-config can be saved from RAM to FLASH by the write command or the copy running-config startup-config command, so that the running configuration sequence becomes the start-up configuration file; this is called configuration save. To prevent illicit file upload and for easier configuration, the switch mandates the name of the running configuration file to be running-config.
Factory configuration file: The configuration file shipped with the switch, in the name of factory-config. Run set default and write and restart the switch, and the factory configuration file will be loaded to overwrite the current start-up configuration file.

4.5.3.2 FTP/TFTP Configuration
The configurations of the switch as FTP and TFTP clients are almost the same, so the configuration procedures for FTP and TFTP are described together in this manual.
4.5.3.2.1 FTP/TFTP Configuration Task List
1. FTP/TFTP client configuration
(1) Upload/download the configuration file or system file
(2) For FTP client, the server file list can be checked
2. F
...G TROUBLESHOOTING 32-50
CHAPTER 33 DHCP OPTION 82 CONFIGURATION 33-52
33.1 INTRODUCTION TO DHCP OPTION 82 33-52
33.1.1 DHCP Option 82 Message Structure 33-52
33.1.2 Option 82 Working Mechanism 33-53
33.2 DHCP OPTION 82 CONFIGURATION TASK LIST 33-54
33.3 DHCP OPTION 82 APPLICATION EXAMPLES 33-58
33.4 DHCP OPTION 82 TROUBLESHOOTING 33-60
CHAPTER 34 DHCP OPTION 60 AND OPTION 43 34-61
34.1 INTRODUCTION TO DHCP OPTION 60 AND OPTION 43 34-61
34.2 DHCP OPTION 60 AND OPTION 43 CONFIGURATION TASK LIST 34-61
34.3 DHCPV6 OPTION 60 AND OPTION 43 EXAMPLE 34-62
34.4 DHCP OPTION 60 AND OPTION 43 TROUBLESHOOTING 34-63
CHAPTER 35 DHCPV6 OPTIONS 37, 38 35-63
35.1 INTRODUCTION TO DHCPV6 OPTIONS 37, 38
...HCP Option 82 Message Structure 37-83
37.1.2 DHCP Snooping Option 82 Working Mechanism 37-84
37.2 DHCP SNOOPING OPTION 82 CONFIGURATION TASK LIST 37-85
37.3 DHCP SNOOPING OPTION 82 APPLICATION EXAMPLES 37-86
37.4 DHCP SNOOPING OPTION 82 TROUBLESHOOTING 37-87
CHAPTER 38 IPV4 MULTICAST PROTOCOL 38-88
38.1 IPV4 MULTICAST PROTOCOL OVERVIEW 38-88
38.1.1 Introduction to Multicast 38-88
38.1.2 Multicast Address 38-89
38.1.3 IP Multicast Packet Transmission 38-90
38.1.4 IP Multicast Application 38-91
38.2 DCSCM 38-91
38.2.1 Introduction to DCSCM 38-91
38.2.2 DCSCM Configuration Task List 38-92
38.2.3 DCSCM Configuration Examples 38-95
38.2.4 DCSCM Troubleshooting 38-96
38.3 IGMP SNOOPING 38-96
38.3.1 Introduction to IGMP Snooping 38-96
38.3.2 IGMP Snooping Configuration Task List 38-97
38.3.3 IGM
...ID occupies 2 bytes, "/" is used as a separator and occupies 1 byte, Port Index occupies 3 bytes, ":" is used as a separator and occupies 1 byte, and VLAN ID occupies 4 bytes. All fields use ASCII. The user can configure the circuit ID for each port according to requirements.

Figure 51-3 Agent Circuit ID value (fields and lengths): ANI (n bytes), Space (1 byte), eth (8 bytes), Space (1 byte), Slot ID (2 bytes), "/" (1 byte), Port Index (3 bytes), ":" (1 byte), VLAN ID (4 bytes)

The MAC address of the access switch is the default remote ID value of PPPoE IA. The remote ID value can be configured flexibly by the user; its length is less than 63 bytes.

51.1.2.4 Trust Port of PPPoE Intermediate Agent
The Discovery stage sends five kinds of packets: PADI and PADR packets are sent by the client to the server, PADO and PADS packets are sent by the server to the client, and a PADT packet can be sent by either server or client. In PPPoE IA, for security and to reduce traffic, a port connected to the server is set as a trust port and ports connected to clients are set as untrust ports. A trust port can receive all packets; an untrust port can receive only PADI, PADR and PADT packets, which are sent to the server. To ensure the client operates correctly, the port connected to the server must be set as a trust port; each access device has at least one trust port. A PPPoE IA vendor tag must not exist in PPPoE packets sent by the server to the client, so these vendor tags can be stripped before forwarding if they exist in PPPoE packets. The strip function must be configured on the trust port; enabling the strip function is
[Screenshot: Windows Start menu, All Programs list]
Figure 3-2 Opening HyperTerminal

2. Type a name for opening HyperTerminal, such as "Switch".
[Screenshot: Connection Description dialog, "Enter a name and choose an icon for the connection", Name: Switch]
Figure 3-3 Opening HyperTerminal

3. In the "Connect using" drop-down list, select the RS-232 serial port used by the PC (e.g. COM1) and click OK.
[Screenshot: Connect To dialog, "Enter details for the phone number that you want to dial", Country/region, Area code, Connect using: COM1]
Figure 3
...FLUSH_FDB packet to inform all transfer nodes to refresh their own MAC address forwarding tables.

3. Ring Restore
After a ring failure occurs, if the secondary port of the primary node receives a Hello packet sent from the primary node, the ring has been restored. At the same time the primary node blocks its secondary port and sends a LINK-UP-FLUSH_FDB packet to its neighbors. After an MRPP ring port on a transfer node comes UP, the primary node may only detect the ring restoration after a while. For the normal data VLANs, the network may form a temporary ring and create a broadcast storm. To avoid the temporary ring, when a transfer node finds that its port connected to the ring network has come UP, it immediately blocks the port temporarily and permits only control VLAN packets to pass; it releases the port block state only after receiving the LINK-UP-FLUSH_FDB packet from the primary node.

55.2 MRPP Configuration Task List
1. Globally enable MRPP
2. Configure MRPP ring
3. Configure the query time of MRPP
4. Configure the compatible mode
5. Display and debug MRPP relevant information

1. Globally enable MRPP
Command / Explanation (Global Mode):
mrpp enable
no mrpp enable
Globally enable and disable MRPP.

2. Configure MRPP ring
Command / Explanation (Global Mode):
mrpp ring <ring-id>
no mrpp ring <ring-id>
Create MRPP ring; the no command deletes the MRPP ring and its configuration.
(MRPP ring mode):
control-vlan <vid>
no control-vlan
Configure control VLAN ID; the no command deletes the configur
...LX WDM TX:1550nm mini-GBIC module - 10KM: MGB-LB10
SFP-Port 1000Base-LX WDM TX:1550nm mini-GBIC module - 20KM: MGB-LB20
SFP-Port 1000Base-LX WDM TX:1550nm mini-GBIC module - 40KM: MGB-LB40
SFP-Port 1000Base-LX mini-GBIC module - 10KM (-40~75 degrees C): MGB-TLX
SFP-Port 1000Base-LX mini-GBIC module - 70KM (-40~75 degrees C): MGB-TL70
SFP-Port 100Base-FX Transceiver (1310nm) - 2KM: MFB-FX
SFP-Port 100Base-FX Transceiver (1310nm) - 40KM: MFB-F40
SFP-Port 100Base-BX Transceiver (WDM, TX:1310nm) - 20KM: MFB-FA20
SFP-Port 100Base-BX Transceiver (WDM, TX:1550nm) - 20KM: MFB-FB20
SFP-Port 100Base-FX Transceiver (1310nm) - 2KM (-40~75 degrees C): MFB-TFX
SFP-Port 100Base-FX Transceiver (1310nm) - 20KM (-40~75 degrees C): MFB-TF20

1. It is recommended to use PLANET SFPs on the Managed Switch. If you insert an SFP transceiver that is not supported, the Managed Switch will not recognize it.
2. Please choose an SFP transceiver that can operate in the -40~75 degrees C temperature range if the switch is working in a 0~50 degrees C temperature environment.

1000Base-SX/LX
Before connecting the other switches, workstation or media converter:
1. Make sure both sides of the SFP transceiver are of the same media type, for example 1000Base-SX to 1000Base-SX, 1000Base-LX to 1000Base-LX.
2. Check that the fiber-optic cable type matches the SFP transceiver model.
> To connect to a 1000Base-SX SFP tran
...Low Alarm | High Warn | Low Warn
Temperature(°C)  | 33         | 70    | 0      | 70   | 0
Voltage(V)       | 7.31 (A)   | 5.00  | 0.00   | 5.00 | 0.00
Bias current(mA) | 6.11 (W)   | 10.30 | 0.00   | 5.00 | 0.00
RX Power(dBM)    | -30.54 (A) | 9.00  | -25.00 | 9.00 | -25.00
TX Power(dBM)    | -6.01      | 9.00  | -25.00 | 9.00 | -25.00

Ethernet 1/22 transceiver detail information: N/A

Ethernet 1/24 transceiver detail information
Base information:
  SFP found in this port, manufactured by company, on Sep 29 2010.
  Type is 1000BASE-SX. Link length is 550 m for 50um Multi-Mode Fiber. Link length is 270 m for 62.5um Multi-Mode Fiber.
  Nominal bit rate is 1300 Mb/s. Laser wavelength is 850 nm.
Brief alarm information: N/A
Detail diagnostic and threshold information: N/A

Example 2: Ethernet 1/21 has a fiber module with DDM inserted. Configure the threshold of the fiber module after showing the DDM information.

Step 1: Show the detailed DDM information.
Switch#show transceiver interface ethernet 1/21 detail
Ethernet 1/21 transceiver detail information
Base information: ...
Brief alarm information:
  RX loss of signal
  Voltage high
  RX power low
Detail diagnostic and threshold information:
Diagnostic       | Realtime Value | High Alarm | Low Alarm | High Warn | Low Warn
Temperature(°C)  | 33             | 70         | 0         | 70        | 0
Voltage(V)       | 7.31 (A)       | 5.00       | 0.00      | 5.00      | 0.00
Bias current(mA) | 6.11 (W)       | 10.30      | 0.00      | 5.00      | 0.00
RX Power(dBM)    | -30.54 (A)     | 9.00       | -25.00    | 9.00      | -25.00
TX Power(dBM)    | -13.01         | 9.00       | -25.00    | 9.00      | -25.00

Step 2: Configure the tx-power threshol
...MAB parameters
(1) Configure guest VLAN
(2) Configure the binding limit of the port
(3) Configure the reauthentication time
(4) Configure the offline detection time
(5) Configure other parameters

1. Enable MAB function
Command / Explanation (Global Mode):
mac-authentication-bypass enable
no mac-authentication-bypass enable
Enable the global MAB authentication function.
(Port Mode):
mac-authentication-bypass enable
no mac-authentication-bypass enable
Enable the port MAB authentication function.

2. Configure MAB authentication username and password
Command / Explanation (Global Mode):
mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}}
Set the authentication mode of the MAB authentication function.

3. Configure MAB parameters
Command / Explanation (Port Mode):
mac-authentication-bypass binding-limit <1-100>
no mac-authentication-bypass binding-limit
Set the max MAB binding limit of the port.
(Global Mode):
mac-authentication-bypass timeout offline-detect {0 | <60-7200>}
no mac-authentication-bypass timeout offline-detect
Set the offline detection interval.
mac-authentication-bypass timeout quiet-period <1-60>
no mac-authentication-bypass timeout quiet-period
Set the quiet period of MAB authentication.
mac-authentication-bypass timeout stale-period <0-60>
no mac-authentication-bypass timeout stale-period
Set the time after which the binding is deleted once the port is down.
...Mask> | any-destination | host-destination <dIpAddr>} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
(c) Exit extended IP ACL configuration mode

Creates an extended name-based ICMP IP access rule; the no form of the command deletes this name-based extended IP access rule.
Creates an extended name-based IGMP IP access rule; the no form of the command deletes this name-based extended IP access rule.
Creates an extended name-based TCP IP access rule; the no form of the command deletes this name-based extended IP access rule.
Creates an extended name-based UDP IP access rule; the no form of the command deletes this name-based extended IP access rule.
Creates an extended name-based IP access rule for other IP protocols; the no form of the command deletes this name-based extended IP access rule.

Command / Explanation (Extended IP ACL Mode):
exit
Exits extended name-based IP ACL configuration mode.

5. Configuring a numbered standard MAC access list
Command / Explanation (Global Mode):
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}}
no access-list <num>
Creates a numbered standard MAC access list; if the access list already exists, then a rule will be added to the current access list. The no command deletes a numbered standard MAC access list.

6. Creates a numbered MAC extended access list
...N 60-42
60.4 (heading illegible) 60-45
CHAPTER 61 ERSPAN 61-46
61.1 INTRODUCTION TO ERSPAN 61-46
61.2 ERSPAN CONFIGURATION TASK LIST 61-46
61.3 TYPICAL EXAMPLES OF ERSPAN 61-47
61.4 ERSPAN TROUBLESHOOTING 61-50
CHAPTER 62 SNTP CONFIGURATION 62-51
62.1 INTRODUCTION TO SNTP 62-51
62.2 TYPICAL EXAMPLES OF SNTP CONFIGURATION 62-52
CHAPTER 63 NTP FUNCTION CONFIGURATION 63-53
63.1 INTRODUCTION TO NTP FUNCTION 63-53
63.2 NTP FUNCTION CONFIGURATION TASK LIST 63-53
63.3 TYPICAL EXAMPLES OF NTP FUNCTION 63-56
63.4 NTP FUNCTION TROUBLESHOOTING 63-57
CHAPTER 64 SUMMER TIME CONFIGURATION 64-58
64.1 INTRODUCTION TO SUMMER TIME 64-58
64.2 SUMMER TIME CONFIGURATION TASK SEQUENCE 64-58
64.3 EXAMPLES OF SUMMER TIME 64-58
64.4 SUMMER TIME TROUBLESHOOTING 64-59
CHAPTER 65 DNSV4/V6 CONFIGURATION
...NFIGURATION TASK SEQUENCE 11-27
11.3 LLDP FUNCTION TYPICAL EXAMPLE 11-30
11.4 LLDP FUNCTION TROUBLESHOOTING 11-31
CHAPTER 12 PORT CHANNEL CONFIGURATION 12-32
12.1 INTRODUCTION TO PORT CHANNEL 12-32
12.2 BRIEF INTRODUCTION TO LACP 12-33
12.2.1 Static LACP Aggregation 12-34
12.2.2 Dynamic LACP Aggregation 12-34
12.2.3 Port Channel Configuration Task List 12-35
12.3 PORT CHANNEL EXAMPLES 12-37
12.4 PORT CHANNEL TROUBLESHOOTING 12-39
CHAPTER 13 MTU CONFIGURATION 13-40
13.1 INTRODUCTION TO MTU 13-40
13.2 MTU CONFIGURATION TASK SEQUENCE 13-40
CHAPTER 14 EFM OAM CONFIGURATION 14-41
14.1 INTRODUCTION TO EFM OAM 14-41
14.2 EFM OAM CONFIGURATION 14-44
14.3 EFM OAM EXAMPLE 14-47
14.4 EFM OAM TROUBLESHOOTING 14-48
CHAPTER 15 PORT SECURITY 15-49
15.1 INTRODUCTION TO PORT SECURITY 15-49
15.2 PORT SECURITY CONFIGURATION TASK LIST 15-49
...SNMP v1/v2/v3. Set the host IPv4/IPv6 address which is used to receive SNMP Trap information. For SNMP v1/v2, this command also configures the Trap community string; for SNMP v3, this command also configures the Trap user name and security level. The no form of this command cancels this IPv4 or IPv6 address.
Set the source IPv4 or IPv6 address which is used to send trap packets; the no command deletes the configuration.
Command / Explanation (Global mode):
rmon enable
no rmon enable

4.4.5 Typical SNMP Configuration Examples
The IP address of the NMS is 1.1.1.5; the IP address of the switch (Agent) is 1.1.1.9.

Scenario 1: The NMS network administrative software uses the SNMP protocol to obtain data from the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server securityip 1.1.1.5
Switch(config)#snmp-server community rw private
Switch(config)#snmp-server community ro public
The NMS can use "private" as the community string to access the switch with read-write permission, or use "public" as the community string to access the switch with read-only permission.

Scenario 2: The NMS will receive Trap messages from the switch.
Note: The NMS may apply community string verification to the Trap messages. In this scenario the NMS uses a Trap verification community string of "usertrap". The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(conf
...ON TO EEE ENERGY SAVING 19-71
19.2 EEE ENERGY SAVING CONFIGURATION LIST 19-71
19.3 EEE ENERGY SAVING TYPICAL EXAMPLES 19-71
CHAPTER 20 VLAN CONFIGURATION 20-72
20.1 VLAN CONFIGURATION 20-72
20.1.1 Introduction to VLAN 20-72
20.1.2 VLAN Configuration Task List 20-73
20.1.3 Typical VLAN Application 20-7
20.1.4 Typical Application of Hybrid Port 20-78
20.2 DOT1Q-TUNNEL CONFIGURATION 20-80
20.2.1 Introduction to Dot1q-tunnel 20-80
20.2.2 Dot1q-tunnel Configuration 20-82
20.2.3 Typical Applications of the Dot1q-tunnel 20-82
20.2.4 Dot1q-tunnel Troubleshooting 20-84
20.3 SELECTIVE QINQ CONFIGURATION 20-84
20.3.1 Introduction to Selective QinQ 20-84
20.3.2 Selective QinQ Configuration 20-84
20.3.3 Typical Applications of Selective QinQ 20-85
20.3.4 Selective QinQ Troubleshooting
...P Snooping Examples 38-99
38.3.4 IGMP Snooping Troubleshooting 38-102
CHAPTER 39 IPV6 MULTICAST PROTOCOL 39-103
39.1 MLD SNOOPING 39-103
39.1.1 Introduction to MLD Snooping 39-103
39.1.2 MLD Snooping Configuration Task 39-103
39.1.3 MLD Snooping Examples 39-105
39.1.4 MLD Snooping Troubleshooting 39-108
CHAPTER 40 MULTICAST VLAN 40-109
40.1 INTRODUCTION TO MULTICAST VLAN 40-109
40.2 MULTICAST VLAN CONFIGURATION TASK LIST 40-109
40.3 MULTICAST VLAN EXAMPLES 40-110
CHAPTER 41 ACL CONFIGURATION 41-113
41.1 INTRODUCTION TO ACL 41-113
41.1.1 Access-list 41-113
41.1.2 Access-group 41-113
41.1.3 Access-list Action and Global Default Action 41-114
41.2 ACL CONFIGURATION TASK LIST 41-114
41.3 ACL EXAMPLE 41-128
41.4 ACL TROUBLESHOOTING 41-133
CHAPTER 42 802.1X CONFIGURATION 42-135
42.1 INTRODUCTION TO 802.1X 42-135
42.1.1 The Authentication Structure of 802.1x 42-135
42.1.2 The Work Mechanism of 802.1x 42-137
PLANET WGSW-52040 offers an easy-to-use, platform-independent management and configuration facility. The WGSW-52040 supports the standard Simple Network Management Protocol (SNMP) and can be managed via any standards-based management software. For text-based management, the WGSW-52040 can be accessed via Telnet and the console port. Moreover, the WGSW-52040 offers secure remote management by supporting SSH connections, which encrypt the packet content of each session.

Flexibility and Extension Solution
The four mini-GBIC slots built into the WGSW-52040 are compatible with 100/1000Base-X and WDM SFP (Small Form-factor Pluggable) fiber-optic modules. The distance can be extended from 550 meters (Multi-Mode fiber) up to above 10/50/70/120 kilometers (Single-Mode fiber or WDM fiber). It is well suited for applications within enterprise data centers and distributions.

1.3 Product Features
> Physical Port
- 48-Port 10/100/1000Base-T Gigabit Ethernet RJ-45
- 4 100/1000Base-X mini-GBIC/SFP slots, SFP type auto-detection
- RJ-45 to DB9 console interface for switch basic management and setup
> IP Stacking
- Connects with stack members via both Gigabit TP and SFP interfaces
- Single IP address management supports up to 24 units stacked together
- Stacking architecture supports Chain and Ring mode
> IP Routing Features
- Supports a maximum of 128 static routes and route summarization
> Layer 2 Features
- Com
Portal Authentication
802.1x authentication uses a special client to authenticate; the device used is a special layer 2 switch, the authentication server is a RADIUS server, and the authentication messages use the EAP protocol. The EAPOL encapsulation technique (encapsulating EAP packets within Ethernet frames) is used for the communication between the client and the authentication proxy (switch), while the authentication proxy (switch) and the authentication server use the EAPOR encapsulation format (running EAP packets over the RADIUS protocol) for their communication. When the device acts as a relay, the device and the RADIUS server use the RADIUS protocol to transmit PAP packets or CHAP packets. To implement identity authentication and network access, the user must install the special authentication client software and trigger the authentication flow by logging in with the authentication client, which then communicates with the RADIUS server. Later, 802.1x authentication added a web-based authentication mode: the user can download a special Java Applet program or another plug-in through the browser to replace the 802.1x client. In an environment that uses 802.1x authentication, installing the client or downloading the special Java Applet program becomes a serious problem. To satisfy users' actual requirements, this manual describes an application scenario based on web portal authentication. Web portal authentication not only implements the basic device authentication without a client, but also implements the sec
...IPv6 over RADIUS Authentication
RFC 1213 MIB-II
RFC 1215 Internet Engineering Task Force
RFC 1271 RMON
RFC 1354 IP Forwarding MIB
RFC 1493 Bridge MIB
RFC 1643 Ether-like MIB
RFC 1907 SNMP v2
RFC 2011 IP/ICMP MIB
RFC 2012 TCP MIB
RFC 2013 UDP MIB
RFC 2096 IP forward MIB
RFC 2233 if MIB
RFC 2452 TCP6 MIB
RFC 2454 UDP6 MIB
RFC 2465 IPv6 MIB
RFC 2466 ICMP6 MIB
RFC 2573 SNMPv3 notify
RFC 2574 SNMPv3 vacm
RFC 2674 Bridge MIB Extensions (IEEE 802.1Q MIB)
RFC 2674 Bridge MIB Extensions (IEEE 802.1P MIB)

Standard Conformance
Regulation Compliance: FCC Part 15 Class A, CE
Standards Compliance:
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3z Gigabit SX/LX
IEEE 802.3ab Gigabit 1000T
IEEE 802.3x Flow Control and Back-pressure
IEEE 802.3ad Port trunk with LACP
IEEE 802.1D Spanning tree protocol
IEEE 802.1w Rapid spanning tree protocol
IEEE 802.1s Multiple spanning tree protocol
IEEE 802.1p Class of service
IEEE 802.1Q VLAN Tagging
IEEE 802.1x Port Authentication Network Control

Environment
Operating Temperature: 0~50 degrees C, Relative Humidity: 5~90% (non-condensing)
Storage Temperature: -10~70 degrees C, Relative Humidity: 5~90% (non-condensing)

Chapter 2 INSTALLATION
This section describes how to install your Managed Switch and make connections to the Managed Switch. Please read the following topics and perform the procedures in the order being presented. To install
...S is 1.1.1.5; the IP address of the Agent is 1.1.1.9. The NMS will receive Trap messages from the Agent.
Note: The NMS may apply authentication to the community string of the trap; suppose the community string is "usertrap". The configuration procedure is as follows:
Switch(config)#snmp-server enable
Switch(config)#snmp-server enable traps mac-notification
Switch(config)#mac-address-table notification
Switch(config)#mac-address-table notification interval 5
Switch(config)#mac-address-table notification history-size 100
Switch(Config-If-Ethernet1/4)#mac-notification both

21.6.4 MAC Notification Troubleshooting
Check whether the trap message is sent successfully with the show command and the debug command of SNMP.

Chapter 22 MSTP Configuration
22.1 Introduction to MSTP
MSTP (Multiple STP) is a new spanning tree protocol based on STP and RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP. It also calculates independent multiple spanning tree instances (MSTIs) for each MST domain (MSTP domain). MSTP, which adopts RSTP for its rapid convergence of the spanning tree, enables multiple VLANs to be mapped to the same spanning tree instance, which is independent of other spanning tree instances. MSTP provides multiple forwarding paths for data traff
...S protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server as well as the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess a digital certificate to implement bidirectional authentication. It is the earliest EAP authentication method used in wireless LANs. Since every user must have a digital certificate, this method is rarely used in practice because of the difficult maintenance. However, it is still one of the safest EAP standards and enjoys prevailing support from vendors of wireless LAN hardware and software. The following figure illustrates the basic operation flow of the EAP-TLS authentication method.

[Figure: EAP-TLS authentication flow between supplicant, authenticator system (EAPOL on the supplicant side, EAPOR on the RADIUS side) and RADIUS server. Messages shown: EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request; RADIUS Access-Challenge; EAP-Request/EAP-TLS Start; EAP-Response/EAP-TLS client_hello; EAP-Request/EAP-TLS (TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done); EAP-Response/EAP-TLS (TLS certificate, TLS client_key_exchange, TLS cert
...Station) and Agent. The NMS is the workstation on which the SNMP client program is running; it is the core of SNMP network management. The Agent is the server software running on the devices which need to be managed. The NMS manages all the managed objects through Agents. The switch supports the Agent function.

The communication between the NMS and the Agent works in Client/Server mode by exchanging standard messages: the NMS sends a request and the Agent responds. There are seven types of SNMP message:
- Get-Request
- Get-Response
- Get-Next-Request
- Get-Bulk-Request
- Set-Request
- Trap
- Inform-Request

The NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages, and the Agent, upon receiving the requests, replies with Get-Response messages. In some special situations, such as network device ports going Up/Down or the network topology changing, Agents can send Trap messages to the NMS to report the abnormal events. Besides, the NMS can also be set to alert on some abnormal events by enabling the RMON function: when alert events are triggered, Agents will send Trap messages or log the event according to the settings. Inform-Request is mainly used for inter-NMS communication in layered network management.

USM ensures transfer security by well-designed encryption and authentication. USM encrypts the messages according to the password typed by the user. This mechanism ensures that the messages cannot be viewed in transmission. And USM
Step 3: Enable the PPPoE IA port function on port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234.
Switch(config-if-ethernet1/2)#pppoe intermediate-agent
Switch(config-if-ethernet1/3)#pppoe intermediate-agent

Step 4: Configure the pppoe intermediate-agent access-node-id as abcd.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd

Step 5: Configure the circuit ID as aaaa and the remote ID as xyz for port ethernet1/3.
Switch(config-if-ethernet1/3)#pppoe intermediate-agent circuit-id aaaa
Switch(config-if-ethernet1/3)#pppoe intermediate-agent remote-id xyz

For the vendor tag added on port ethernet1/2, the circuit-id value is "abcd eth 01/002:0001" and the remote-id value is 0a0b0c0d0e0f; for the vendor tag added on port ethernet1/3, the circuit-id value is aaaa and the remote-id value is xyz.

Typical configuration 2 is as follows:

Step 1: The switch enables the global PPPoE IA function (its MAC is 0a0b0c0d0e0f).
Switch(config)#pppoe intermediate-agent

Step 2: Configure port ethernet1/1, which connects to the server, as a trust port and configure the vendor tag strip function.
Switch(config-if-ethernet1/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/1)#pppoe intermediate-agent vendor-tag strip

Step 3: Enable the PPPoE IA port function on port ethernet1/2 of vlan1 and port ethernet1/3 of vlan 1234.
Switch(config-if-ethernet1/2)#pppoe intermediate-agent
Switch(config-if-ethernet1/3)#pppoe intermediate-agent

Step 4: Configure pppo
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface Ethernet 1/2
Switch(config-If-Ethernet1/2)#switchport mode trunk
Switch(config-If-Ethernet1/2)#ulpp group 1 slave
Switch(config-If-Ethernet1/2)#ulpp group 2 master
Switch(config-If-Ethernet1/2)#exit

SwitchB configuration task list:
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#switchport mode trunk
Switch(config-If-Ethernet1/1)#ulpp flush enable mac
Switch(config-If-Ethernet1/1)#ulpp flush enable arp

SwitchC configuration task list:
Switch(Config)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#switchport mode trunk
Switch(config-If-Ethernet1/2)#ulpp flush enable mac
Switch(config-If-Ethernet1/2)#ulpp flush enable arp

56.4 ULPP Troubleshooting
At present, configuring more than 2 multi-uplinks is allowed, but it may cause a loop, so it is not recommended. If, with a normal configuration, a broadcast storm happens or communication along the ring is broken, please enable the ULPP debug, copy 3 minutes of debug information together with the configuration information, and send them to our technical service center.

Chapter 57 ULSM Configuration
57.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to process port state synchronization. Each ULSM group is made up of uplink ports and downlink ports; there may be multiple uplink ports and multiple downlink ports. A port may be a physical port or a por
...TP server configuration
(1) Start FTP server
(2) Configure FTP login username and password
(3) Modify FTP server connection idle time
(4) Shut down FTP server
3. TFTP server configuration
(1) Start TFTP server
(2) Configure TFTP server connection idle time
(3) Configure retransmission times before timeout for packets without acknowledgement
(4) Shut down TFTP server

1. FTP/TFTP client configuration
(1) FTP/TFTP client upload/download file
Command / Explanation (Admin Mode):
copy <source-url> <destination-url> [ascii | binary]
FTP/TFTP client upload/download file.
(2) For the FTP client, the server file list can be checked
Command / Explanation (Admin Mode):
ftp-dir <ftpServerUrl>
For the FTP client, the server file list can be checked. The FtpServerUrl format looks like: ftp://user:password@IPv4|IPv6 Address

2. FTP server configuration
(1) Start FTP server
Command / Explanation (Global Mode):
ftp-server enable
no ftp-server enable
Start the FTP server; the no command shuts down the FTP server and prevents FTP users from logging in.
(2) Configure FTP login username and password
Command / Explanation (Global Mode):
ip ftp username <username> password [0 | 7] <password>
no ip ftp username <username>
Configure the FTP login username and password; the no command deletes the username and password.
(3) Modify FTP server connection idle time
Command / Explanation (Global Mode):
ftp-server timeout <seconds>
Set connect
...TTP server function on the switch. For configuring the IP address on the switch through out-of-band management, see the Telnet management chapter. To enable the Web configuration, users should type the CLI command ip http server in global mode, as below:
Switch>enable
Switch#config
Switch(config)#ip http server

Step 2: Run the HTTP protocol on the host.
Open the Web browser on the host and type the IP address of the switch, or run the HTTP protocol directly on Windows. For example, the IP address of the switch is 10.1.128.251.
[Screenshot: Windows Run dialog with the switch address entered]
Figure 3-9 Run HTTP Protocol

When accessing a switch with an IPv6 address, it is recommended to use the Firefox browser, version 1.5 or later. For example, if the IPv6 address of the switch is 3ffe:506:1:2::3, input the IPv6 address of the switch as http://[3ffe:506:1:2::3]; the address must be enclosed in square brackets.

Step 3: Log in to the switch.
Log in to the Web configuration interface. A valid login name and password are required, otherwise the switch will reject HTTP access. This is a method to protect the switch from unauthorized access. As a result, when Telnet is enabled for configuring and managing the switch, the username and password for authorized Telnet users must be configured with the following command:
username <username> privilege <privilege> password [0 | 7]
168. TU and other information. When the IPv6 hosts receive an RA, they will create a link address and set the default router as the one sending the RA, in order to implement IPv6 network communication. If a malicious IPv6 host sends RA so that normal IPv6 users set the default router as the malicious IPv6 host, the malicious user will be able to capture the information of other users, which threatens network security. At the same time, the normal users get an incorrect address and will not be able to connect to the network. So, in order to implement security, the RA function of configuring the switch ports to reject malicious RA messages is necessary, to prevent forwarding malicious RA to a certain extent and to avoid affecting the normal operation of the network.
49.2 IPv6 Security RA Configuration Task Sequence
1. Globally enable IPv6 security RA
2. Enable IPv6 security RA on a port
3. Display and debug the relative information of IPv6 security RA

1. Globally enable IPv6 security RA
Global Configuration Mode: ipv6 security-ra enable / no ipv6 security-ra enable: Globally enable and disable IPv6 security RA.
2. Enable IPv6 security RA on a port
Port Configuration Mode: ipv6 security-ra enable / no ipv6 security-ra enable: Enable and disable IPv6 security RA in port configuration mode.
3. Display and debug the relative information of IPv6 security RA
Admin Mode: Enable the debug
169. Task List
1. Configure sFlow Collector address
Global Mode and Port Mode: sflow destination <collector-address> [<collector-port>] / no sflow destination: Configure the IP address and port number of the host in which the sFlow analysis software is installed. As for the ports, if an IP address is configured on the port, the port configuration will be applied; otherwise the global configuration will be applied. The no sflow destination command restores the default port value and deletes the IP address.
2. Configure the sFlow proxy address
Global Mode: sflow agent-address <collector-address> / no sflow agent-address: Configure the source IP address used by the sFlow proxy; the no form of the command deletes this address.
3. Configure the sFlow proxy priority
Global Mode: sflow priority <priority-value> / no sflow priority: Configure the priority when sFlow receives packets from the hardware; the no sflow priority command restores the default.
4. Configure the packet head length copied by sFlow
Port Mode: sflow header-len <length-value> / no sflow header-len: Configure the length of the packet data head copied in the sFlow data sampling; the no form of this command restores the default value.
5. Configure the max data head length of the sFlow packet
Explanatio
170. URATION ... 4-1
4.1 Basic Configuration ... 4-1
4.2 Telnet Management ... 4-2
4.3 Configure Switch IP Addresses ... 4-6
4.3.1 Switch IP Addresses Configuration Task List ... 4-6
4.4.3 Introduction to RMON ... 4-10
4.4.5 Typical SNMP Configuration Examples ... 4-14
4.4.6 SNMP Troubleshooting ... 4-15
4.5 Switch Upgrade ... 4-16
4.5.2 BootROM Upgrade ... 4-16
Chapter 5 File System Operations ... 5-29
5.1 Introduction to File Storage Devices ... 5-29
5.2 File System Operation Configuration Task List ... 5-29
5.3 Typical Applications ... 5-31
Chapter 6 Cluster Configuration ... 6-1
6.1 Introduction to Cluster Network Management ... 6-1
6.2 Cluster Network Management Configuration Sequence ... 6-1
6.3 Examples of Cluster Administration ... 6-6
6.4 Cluster Administration Troubleshooting ... 6-6
Chapter 7 Port Configuration
171. User Mode. The prompt shown is Switch>; the symbol > is the prompt for User Mode. When the exit command is run under Admin Mode, it will also return to User Mode. Under User Mode, no configuration of the switch is allowed; only the clock time and version information of the switch can be queried.
3.2.1.2 Admin Mode
For Admin Mode, see the following. If the user enters the system as an Admin user, it defaults to Admin Mode. The Admin Mode prompt Switch# can be entered under User Mode by running the enable command and entering the admin user password of the corresponding access level, if a password has been set. Or, when the exit command is run under Global Mode, it will also return to Admin Mode. The switch also provides a shortcut key sequence, Ctrl+z; this allows an easy way to exit to Admin Mode from any configuration mode except User Mode. Under Admin Mode, the user can query the switch configuration information, connection status and traffic statistics of all ports, and the user can further enter Global Mode from Admin Mode to modify all configurations of the switch. For this reason, a password must be set for entering Admin Mode to prevent unauthorized access and malicious modification of the switch.
3.2.1.3 Global Mode
Typing the config command under Admin Mode will enter Global Mode, prompt Switch(config)#. Using the exit command under other configuration modes, such as Port Mode or VLAN Mode, will return to Global Mode. The user can
172. VER packet, and DHCP relay inserts its own IP address into the relay agent field of the DHCPDISCOVER packet on receiving the packet and forwards the packet to the specified DHCP server (for the DHCP frame format, please refer to RFC 2131).
2. On receiving the DHCPDISCOVER packets forwarded by DHCP relay, the DHCP server sends the DHCPOFFER packet via DHCP relay to the DHCP client.
3. The DHCP client chooses a DHCP server and broadcasts a DHCPREQUEST packet; DHCP relay forwards the packet to the DHCP server after processing.
4. On receiving DHCPREQUEST, the DHCP server responds with a DHCPACK packet via DHCP relay to the DHCP client.
DHCP Relay Configuration Task List
1. Enable DHCP relay
2. Configure DHCP relay to forward DHCP broadcast packets
3. Configure share VLAN

1. Enable DHCP relay
Global Mode: service dhcp / no service dhcp: DHCP server and DHCP relay are enabled when the DHCP service is enabled.
2. Configure DHCP relay to forward DHCP broadcast packets
Global Mode: ip forward-protocol udp bootps / no ip forward-protocol udp bootps: UDP port 67 is used for DHCP broadcast packet forwarding.
Interface Configuration Mode: ip helper-address <ipaddress> / no ip helper-address <ipaddress>: Set the destination IP address for DHCP relay forwarding; the no ip helper-address <ipaddress> command cancels the setting.
3. Configure share VLAN
When the user wants to use laye
173. VLANs with the VLAN tag, except the port native VLAN. The switch implements VLAN and GVRP (GARP VLAN Registration Protocol), which are defined by 802.1Q. This chapter will explain the use and the configuration of VLAN and GVRP in detail.
20.1.2 VLAN Configuration Task List
1. Create or delete VLAN
2. Set or delete VLAN name
3. Assign switch ports for VLAN
4. Set the switch port type
5. Set Trunk port
6. Set Access port
7. Set Hybrid port
8. Enable/Disable VLAN ingress rules globally
9. Configure Private VLAN
10. Set Private VLAN association
11. Specify internal VLAN ID

1. Create or delete VLAN
Global Mode: vlan WORD / no vlan WORD: Create/delete VLAN or enter VLAN Mode.
2. Set or delete VLAN name
VLAN Mode: name <vlan-name> / no name: Set or delete VLAN name.
3. Assigning switch ports for VLAN
VLAN Mode: switchport interface <interface-list> / no switchport interface <interface-list>: Assign switch ports to the VLAN.
4. Set the switch port type
Port Mode: switchport mode {trunk | access | hybrid}: Set the current port as a Trunk, Access or Hybrid port.
5. Set Trunk port
Port Mode: switchport trunk allowed vlan {WORD | all | add WORD | except WORD | remove WORD}: Set/delete the VLANs allowed to be crossed by the Trunk. The no command restores the
174. Virtual Private Network easier.
Enhance the support for Mobile IP and mobile computing devices. The Mobile IP Protocol defined in the IETF standard makes mobile devices movable without cutting the existing connection, which is a network function getting more and more important. Unlike IPv4, the mobility of IPv6 comes from embedded automatic configuration to obtain a transmission address (Care-Of Address); therefore it doesn't need a Foreign Agent. Furthermore, this kind of binding process enables the Correspondent Node to communicate with the Mobile Node directly, thereby avoiding the extra system cost caused by the triangle routing required in IPv4.
Avoid the use of Network Address Translation. The purpose of the introduction of the NAT mechanism is to share and reuse the same address space among different network segments. This mechanism mitigates the problem of the shortage of IPv4 addresses temporarily; meanwhile it adds the burden of the address translation process for network devices and applications. Since the address space of IPv6 has increased greatly, address translation becomes unnecessary, thus the problems and system cost caused by NAT deployment are solved naturally.
Support extensively deployed Routing Protocols. IPv6 has kept and extended the support for existing Interior Gateway Protocols (IGP for short) and Exterior Gateway Protocols (EGP for short), for example IPv6 Routing Protocols such as RIPng, OSPFv3, IS-ISv6 and MBGP4, etc.
Multicast addresse
175. a ue>
no ipv6 mld snooping vlan <vlan-id> query-interval
ipv6 mld snooping vlan <vlan-id> immediate-leave
no ipv6 mld snooping vlan <vlan-id> immediate-leave
ipv6 mld snooping vlan <vlan-id> query-mrsp <value>
no ipv6 mld snooping vlan <vlan-id>
Explanation:
- Enable MLD Snooping on a specific VLAN. The no form of this command disables MLD Snooping on the specific VLAN.
- Configure the number of the groups which the MLD Snooping can join and the maximum number of sources in each group. The no form of this command restores the default.
- Set the VLAN level-2 general querier, which is recommended on each segment. The no form of this command cancels the level-2 general querier configuration.
- Configure the static mrouter port in a specific VLAN. The no form of this command cancels the mrouter port configuration.
- Enable the function that the specified VLAN learns the mrouter port according to PIMv6 packets; the no command will disable the function.
- Configure the keep-alive time of the mrouter port. The no form of this command restores the default.
- Configure the query interval. The no form of this command restores the default.
- Configure the immediate-leave multicast group function for the MLD Snooping of a specific VLAN. The no form of this command cancels the immediate-leave configuration.
- Configure the query maximum response period. The no form of t
176. adding option 38 in received DHCPv6 request packets, of which <subscriber-id> is the content of subscriber-id in the user-defined option 38; it is a string with a length of less than 128.
ipv6 dhcp snooping subscriber-id <subscriber-id> / no ipv6 dhcp snooping subscriber-id: The no operation restores subscriber-id in option 38 to the VLAN name together with the port name, such as Vlan2 Ethernet1/2.
2. DHCPv6 relay option basic functions configuration
Global mode:
ipv6 dhcp relay remote-id option / no ipv6 dhcp relay remote-id option: This command enables the switch relay to support option 37, and the no form of this command disables it.
ipv6 dhcp relay subscriber-id option / no ipv6 dhcp relay subscriber-id option: This command enables the switch relay to support option 38; the no form of this command disables it.
ipv6 dhcp relay remote-id delimiter WORD / no ipv6 dhcp relay remote-id delimiter: Configures user configuration options to generate remote-id. The no command restores to the original default configuration, i.e. enterprise number together with VLAN MAC.
ipv6 dhcp relay subscriber-id select {sp | sv | pv | spv} delimiter WORD [delimiter WORD] / no ipv6 dhcp relay subscriber-id select delimiter: Configures user configuration options to generate subscriber-id. The no command restores to its original default configuration, i.e. VLAN name together with port name.
This command is used to set the form of addin
177. al MAC notification
Global mode: mac-address-table notification / no mac-address-table notification: Configure or cancel the global MAC notification.
3. Configure the interval for sending MAC notification
Global mode: mac-address-table notification interval <0-86400> / no mac-address-table notification interval: Configure the interval for sending the MAC address notification; the no command restores the default interval.
4. Configure the size of the history table
Global mode: mac-address-table notification history-size <0-500> / no mac-address-table notification history-size: Configure the history table size; the no command restores the default value.
5. Configure the trap type of MAC notification supported by the port
Port mode: mac notification {added | both | removed} / no mac notification: Configure or cancel the trap type of MAC notification supported by the port.
6. Show the configuration and the data of MAC notification
Admin mode: show mac-notification summary: Show the configuration and the data of MAC notification.
7. Clear the statistics of MAC notification traps
Admin mode: clear mac-notification statistics: Clear the statistics of MAC notification traps.
21.6.3 MAC Notification Example
IP address of the network management station (NM
178. al Mode, the egress queue bandwidth proportion of all ports is 1:1:2:2:4:4:8:8. When packets with a CoS value come in through a port, they will be mapped to the egress queue according to the CoS value: CoS values 0 to 7 correspond to egress queues 0, 0, 1, 1, 2, 2, 3, 3 respectively. If the incoming packet is without a CoS value, it defaults to 5 and will be put in queue 2.
Example 2: On port ethernet1/2, set the bandwidth for packets from segment 192.168.1.0 to 10 Mb/s with a burst value of 4 MB; all packets exceeding this bandwidth setting will be dropped. The configuration steps are listed below:
Switch#config
Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)#class-map c1
Switch(Config-ClassMap-c1)#match access-group 1
Switch(Config-ClassMap-c1)#exit
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#policy 10000 4000 exceed-action drop
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#service-policy input p1
Configuration result: An ACL named 1 is set to match segment 192.168.1.0. Enable QoS globally, create a class map named c1 matching ACL 1 in the class map, create another policy map named p1 and refer to c1 in p1, and set appropriate policies to limit bandwidth and burst value. Apply this policy map on port ethernet1/2. After the above settings, don
179. al interface mode.
- An ACL configured in the physical mode can only be disabled in the physical mode. Those configured in the VLAN interface configuration mode can only be disabled in the VLAN interface mode.
- When a physical interface is added into or removed from a VLAN (with trunk interfaces as exceptions), the ACL configured in the corresponding VLAN will be bound or unbound respectively. If the ACL configured in the target VLAN (which is configured in VLAN interface mode) conflicts with the existing ACL configuration on the interface (which is configured in physical interface mode), the configuration will fail to take effect.
- When no physical interfaces are configured in the VLAN, the ACL configuration of the VLAN will be removed, and it cannot recover if new interfaces are added to the VLAN.
- When the interface mode is changed from access mode to trunk mode, the ACL configured in VLAN interface mode which is bound to the physical interface will be removed. And when the interface mode is changed from trunk mode to access mode, the ACL configured in VLAN 1 interface mode will be bound to the physical interface. If binding fails, the change will fail as well.
- When removing a VLAN configuration, if there are any ACLs bound to the VLAN, the ACL will be removed from all the physical interfaces belonging to the VLAN, and they will be bound to the VLAN 1 ACL if an ACL is configured in VLAN 1. If VLAN 1 ACL binding fails, the VLAN removal operation will fail.
180. al mode from admin mode.
exit (Various Modes): Exit the current mode and enter the previous mode, such as using this command in global mode to go back to admin mode, and back to normal user mode from admin mode; the command is for exiting admin mode.
show privilege
end (Except User Mode/Admin Mode): Quit the current mode and return to Admin Mode when not at User Mode/Admin Mode.
clock set <HH:MM:SS> <YYYY/MM/DD> (Admin Mode): Set the system date and time.
show version (Admin Mode): Display version information of the switch.
set default (Admin Mode): Restore to the factory default.
write (Admin Mode): Save the current configuration parameters to Flash Memory.
reload (Admin Mode)
banner motd <LINE> / no banner motd (Global Mode): Configure the information displayed when the login authentication of a telnet or console user is successful.
4.2 Telnet Management
4.2.1 Telnet
4.2.1.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host with its IP address or hostname from his own workstation. Telnet can send the user's keystrokes to the remote host and send the remote host's output to the user's screen through a TCP connection. This is a transparent service: to the user, the keyboard and monitor seem to be connected to the remote host directly. Telnet employs the Client-Server mode: the local system is the Telnet client and the remote host is the Telnet server. The switch can be either the Telnet Server or the Telnet clie
181. ames
[Figure 42-3 The Format of EAPOL Data Packet: PAE Ethernet Type, Protocol Version, Type, Length, Packet Body]
PAE Ethernet Type: represents the type of the protocol, whose value is 0x888E.
Protocol Version: represents the version of the protocol supported by the sender of EAPOL data packets.
Type: represents the type of the EAPOL data packets, including:
- EAP-Packet, whose value is 0x00: the authentication information frame, used to carry EAP messages. This kind of frame can pass through the authenticator system to transmit EAP messages between the supplicant system and the authentication server system.
- EAPOL-Start, whose value is 0x01: the frame to start authentication.
- EAPOL-Logoff, whose value is 0x02: the frame requesting to quit.
- EAPOL-Key, whose value is 0x03: the key information frame.
- EAPOL-Encapsulated-ASF-Alert, whose value is 0x04: used to support the Alerting messages of ASF (Alert Standard Forum). This kind of frame is used to encapsulate the relative information of network management, such as all kinds of alerting information, terminated by terminal devices.
Length: represents the length of the data, that is, the length of the Packet Body in bytes. There will be no following data domain when its value is 0.
Packet Body: represents the content of the data, which will be in different formats according to different types.
2. The Format of EAP Data Packets
When the value of the Type domain in an EAPOL pa
182. amic ARP to static ARP; the learned ARP will not be refreshed, which protects users.
Switch#config
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#am 192.168.2.1 00-00-00-00-00-01 interface ethernet 1/1
Switch(Config-if-Vlan1)#am 192.168.2.2 00-00-00-00-00-02 interface ethernet 1/2
Switch(Config-if-Vlan1)#am 192.168.2.3 00-00-00-00-00-03 interface ethernet 1/3
Switch(Config-If-Vlan3)#exit
Switch(config)#ip arp-security learnprotect
Switch(config)#
Switch(config)#ip arp-security convert
If the environment changes, it can be enabled to forbid ARP refresh: once it has learned an ARP property, it won't be refreshed by new ARP reply packets, protecting user data from sniffing.
Switch#config
Switch(config)#ip arp-security updateprotect
Chapter 29 ARP GUARD Configuration
29.1 Introduction to ARP GUARD
There is a serious security vulnerability in the design of the ARP protocol, which is that any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides a chance for ARP cheating. Attackers can send ARP REQUEST messages or ARP REPLY messages to advertise a wrong mapping relationship between IP address and MAC address, causing problems in network communication. The danger of ARP cheating has two forms: 1. PC4 sends an ARP message to advertise that the IP address of PC2 is mapped to the MAC address of PC4, which will cause all the IP messages to PC2 to be sent to PC4, thus PC4 will be able to
183. an recovery-time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.0
SwitchA(config)#interface ethernet1/2
SwitchA(Config-If-Ethernet1/2)#anti-arpscan trust port
SwitchA(Config-If-Ethernet1/2)#exit
SwitchA(config)#interface ethernet1/19
SwitchA(Config-If-Ethernet1/19)#anti-arpscan trust supertrust-port
SwitchA(Config-If-Ethernet1/19)#exit
SWITCHB configuration task sequence:
SwitchB(config)#anti-arpscan enable
SwitchB(config)#interface ethernet1/1
SwitchB(Config-If-Ethernet1/1)#anti-arpscan trust port
SwitchB(Config-If-Ethernet1/1)#exit
27.4 ARP Scanning Prevention Troubleshooting Help
- ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch debug anti-arpscan to view debug information.
Chapter 28 Prevent ARP Spoofing Configuration
28.1 Overview
28.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP (RFC 826) protocol is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1, network card MAC address 00-30-4F-FD-1D-2B. The whole mapping process is that a host computer sends a broadcast data packet containing the IP address information of the destination host computer (an ARP request), and then the destination host computer sends a data packet containing its IP address and MAC address to the host, so the two host computers can exchang
184. anagement, the switch must be configured with an IP address by out-of-band management, i.e. Console mode; the configuration commands are as follows. All switch configuration prompts are assumed to be Switch hereafter if not otherwise specified.
Switch>
Switch>enable
Switch#config
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.128.251 255.255.255.0
Switch(Config-if-Vlan1)#no shutdown
To enable the Telnet Server function, users should type the CLI command telnet-server enable in the global mode, as below:
Switch>enable
Switch#config
Switch(config)#telnet-server enable
Step 2: Run the Telnet Client program. Run the Telnet client program included in Windows with the specified Telnet target.
[Figure 3-7 Run telnet client program included in Windows: Open: telnet 10.1.128.251]
Step 3: Login to the switch. Login to the Telnet configuration interface. A valid login name and password are required, otherwise the switch will reject Telnet access. This is a method to protect the switch from unauthorized access. As a result, when Telnet is enabled for configuring and managing the switch, the username and password for authorized Telnet users must be configured with the following command: username <username> privilege <privilege> password {0 | 7} <password>. To open the local authenticati
185. anation (Standard IPv6 ACL Mode): Exits name-based standard IPv6 ACL configuration mode.
2. Configuring the packet filtering function
(1) Enable the global packet filtering function
Global Mode: firewall enable: Enables the global packet filtering function. firewall disable: Disables the global packet filtering function.
3. Configuring the time range function
(1) Create the name of the time range
Global Mode: time-range <time_range_name>: Create a time range named time_range_name. no time-range <time_range_name>: Stop the time range function named time_range_name.
(2) Configure periodic time range
Time range Mode:
absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <end_time>
periodic {{Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} | daily | weekdays | weekend} <start_time> to <end_time>
Configure the time range for the requested days of the week; every week will run by the time range.
no absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <end_time>
no periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday
Stop the function of the time range in the week.
186. and ARP tables of other devices in the network. ULPP respectively uses two kinds of flush packets to update the entries: the update packets for MAC addresses and the delete packets for ARP. To make sufficient use of the bandwidth resource, ULPP can implement VLAN load balance through configuration. As the picture illustrates, SwitchA configures two ULPP groups: portA1 is the master port and portA2 is the slave port in group1; portA2 is the master port and portA1 is the slave port in group2; the VLANs protected by group1 and group2 are 1-100 and 101-200. Here both portA1 and portA2 are in the forwarding state; the master port and the slave port mutually back each other up and respectively forward the packets of the different VLAN ranges. When portA1 has a problem, the traffic of VLANs 1-200 is forwarded by portA2. After this, when portA1 recovers to the normal state, portA2 continues to forward the data of VLANs 101-200, but the data of VLANs 1-100 is switched back to portA1 to forward.
[Figure 56-2 VLAN load balance: Switch A (Port A1, Port A2), Switch B, Switch C, VLAN 1-100, VLAN 101-200]
56.2 ULPP Configuration Task List
1. Create ULPP group globally
2. Configure ULPP group
3. Show and debug the relating information of ULPP

1. Create ULPP group globally
Global mode: ulpp group <integer> / no ulpp group <integer>: Configure and delete a ULPP group globa
187. and replaced by the new log information. Information saved in NVRAM will stay permanently, while that in SDRAM will be lost when the system restarts or encounters a power failure. Information in the log buffer zone is critical for monitoring the system operation and detecting abnormal states. Note: the NVRAM log buffer may not exist on some switches, which only have the SDRAM log buffer zone. It is recommended to use a system log server. By configuring the log host on the switch, the log can be sent to the log server for future examination.
66.1.2 Format and Severity of the Log Information
The log information format is compatible with the BSD syslog protocol, so we can record and analyze the log by the syslog (system log protocol) session on UNIX/LINUX, as well as syslog-like applications on a PC. The log information is classified into eight classes by severity or emergency procedure, one level per value; the higher the emergency level the log information has, the smaller its value will be. For example, the level of critical is 2 and warning is 4, and debugging is leveled at 7, so critical is higher than warning, which no doubt is higher than debugging. The rule applied in filtering the log information by severity level is that only the log information with a level equal to or higher than the threshold will be output. So when the severity threshold is set to debugging, all information will be output, and if set to critical, o
188. aration, if the Manufacturer / Authorized representative established within the EU.
Authorized representative established within the EU (if applicable):
Company Name: Planet Technology Corp.
Company Address: 10F, No. 96, Minquan Rd., Xindian Dist., New Taipei City 231, Taiwan (R.O.C.)
Person responsible for making this declaration: Name, Surname: Kent Kang; Position/Title: Product Manager
Place, Date: Taiwan, Aug. 2013
Legal Signature
PLANET TECHNOLOGY CORPORATION, e-mail: sales@planet.com.tw, http://www.planet.com.tw, 10F, No. 96, Minquan Rd., Xindian Dist., New Taipei City, Taiwan, R.O.C. Tel: 886-2-2219-9518 Fax: 886-2-2219-9528
189. ated service, an end-to-end QoS solution can be created. QoS configuration is flexible; the complexity or simplicity depends on the network topology and devices and on analysis of the incoming/outgoing traffic.
23.1.3 Basic QoS Model
The basic QoS consists of four parts: Classification, Policing, Remark and Scheduling, where classification, policing and remark are sequential ingress actions, and Queuing and Scheduling are QoS egress actions.
[Figure 23-3 Basic QoS Model. Ingress: Classification (sort the packet traffic according to the classification info and generate internal priority and drop precedence), Policing (decide the traffic color with the single-bucket or dual-bucket three-color policing policy), Remark (degrade/discard packets of different colors and remark the DSCP/TOS/COS fields according to the policing policy). Egress: Scheduling (place packets into priority queues according to internal priority and drop precedence, and schedule the queue weight and the drop precedence value).]
Classification: Classify traffic according to packet classification information and generate internal priority and drop precedence based on the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail.
[Flowchart residue: MPLS packet, tagged packet, default ingress CoS]
190. ation
Global Mode: interface ethernet <interface-list>: Enters the network port configuration mode.
2. Configure the properties for the Ethernet ports
Port Mode:
media-type {copper | copper-preferred-auto | fiber | sfp-preferred-auto}: Sets the combo port mode (combo ports only).
shutdown / no shutdown: Enables/Disables the specified ports.
description <string> / no description: Specifies or cancels the name of the specified ports.
mdi {auto | across | normal} / no mdi: Sets the cable type for the specified port; this command is not supported by combo ports and fiber ports of the switch.
speed-duplex {auto [10 | 100 | 1000] [auto | full | half] | force10-half | force10-full | force100-half | force100-full | force100-fx [module-type {auto-detected | no-phy-integrated | phy-integrated}] | force1g-half | force1g-full [nonegotiate [master | slave]] | force10g-full} / no speed-duplex: Sets the port speed and duplex mode of 100/1000Base-TX or 100Base-FX ports. The no form of this command restores the default setting, i.e. negotiates speed and duplex mode automatically.
negotiation {on | off}: Enables/Disables the auto-negotiation function of 1000Base-FX ports.
bandwidth control <bandwidth> {both | receive | transmit} / no bandwidth control: Sets or cancels the bandwidth used for incoming/outgoing traffic for the specified ports.
flow control: Enables/Disables the traffic control functio
191. ation Mode: ip gratuitous-arp <5-1200> / no ip gratuitous-arp: Enable gratuitous ARP and configure the interval at which to send gratuitous ARP requests; the no command cancels gratuitous ARP.
2. Display configurations about gratuitous ARP
Admin Mode and Configuration Mode: show ip gratuitous-arp [interface vlan <1-4094>]: Display configurations about gratuitous ARP.
30.3 Gratuitous ARP Configuration Example
[Figure 30-1 Gratuitous ARP Configuration Example: Switch, Interface vlan10 192.168.15.254 255.255.255.0, PC1, PC2, PC3, PC4]
For the network topology shown in the figure above, interface VLAN10, whose IP address is 192.168.15.254 and network address mask is 255.255.255.0, is in the switch system. Five PCs (PC1, PC2, PC3, PC4, PC5) are connected to the interface. Gratuitous ARP can be enabled through the following configuration:
1. Configure global gratuitous ARP
Switch(config)#ip gratuitous-arp 300
Switch(config)#exit
2. Configure interface gratuitous ARP
Switch(config)#interface vlan 10
Switch(Config-if-Vlan10)#ip gratuitous-arp 300
Switch(Config-if-Vlan10)#exit
Switch(config)#exit
30.4 Gratuitous ARP Troubleshooting
Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, the debugging information about ARP packets can be retrieved through the command debug ARP send. If gratuitous ARP is enabled in global
192. ation of IP address is to assign an IP address manually to the switch. In BOOTP/DHCP mode the switch operates as a BOOTP/DHCP client: it sends broadcast BOOTP/DHCP Request packets to the BOOTP/DHCP servers, and the servers assign the address on receiving the request. In addition, the switch can act as a DHCP server and dynamically assign network parameters such as IP addresses, gateway addresses and DNS server addresses to DHCP clients. DHCP server configuration is detailed in later chapters.
4.3.1 Switch IP Addresses Configuration Task List
1. Enable VLAN port mode
2. Manual configuration
3. BOOTP configuration
4. DHCP configuration
1. Enable VLAN port mode (Global Mode): interface vlan <vlan-id> / no interface vlan <vlan-id>: creates a VLAN interface (layer 3 interface); the no command deletes the VLAN interface.
2. Manual configuration (VLAN Interface Mode): ip address <ip_address> <mask> [secondary] / no ip address <ip_address> <mask> [secondary]: configures the IP address of the VLAN interface; the no command deletes the IP address of the VLAN interface. ipv6 address <ipv6-address/prefix-length> [eui-64] / no ipv6 address <ipv6-address/prefix-length>: configures an IPv6 address, including an aggregatable global unicast address, site-local address or link-local address; the no command deletes the IPv6 address.
3. BOOTP configuration (VLAN Interface Mod
193. ation or fault cannot be less than the high threshold in local. Unidirectional Operation means that a unidirectional link cannot work normally on a full-duplex link without auto-negotiation; EFM OAM can detect the fault and inform the remote OAM peer by sending Information OAMPDUs. Dying Gasp: there is no definition present. Although the device does not generate Dying Gasp OAMPDUs, it still receives and processes such OAMPDUs sent by its peer.
4. Remote loopback testing
Remote loopback testing is available only after an Ethernet OAM connection is established. With remote loopback enabled, the Ethernet OAM entity operating in active mode issues remote loopback requests and the peer responds to them. If the peer operates in loopback mode, it returns all packets except Ethernet OAMPDUs to the senders along the original paths. Performing remote loopback testing periodically helps to detect network faults in time. Furthermore, performing remote loopback testing by network segment helps to locate network faults.
Note: Communication will not be processed normally in remote loopback mode.
A typical EFM OAM application topology follows; it is used for point-to-point links and emulated IEEE 802.3 point-to-point links. The device enables EFM OAM through a point-to-point connection to monitor link faults in the First Mile of Ethernet access. For the user, the connection between the user and the telecommunication provider is the First Mile; for the service provider i
194. authentication ensures that messages cannot be changed in transmission. USM employs DES-CBC cryptography, and HMAC-MD5 and HMAC-SHA are used for authentication. VACM is used to classify the users' access permissions: it puts users with the same access permission in the same group, and users cannot perform operations that are not authorized.
4.4.2 Introduction to MIB
The network management information accessed by the NMS is well defined and organized in a Management Information Base (MIB). A MIB is pre-defined information which can be accessed by network management protocols; it is in layered, structured form. The pre-defined management information can be obtained from the monitored network devices. ISO ASN.1 defines a tree structure for the MIB. Each MIB organizes all the available information with this tree structure, and each node on this tree contains an OID (Object Identifier) and a brief description of the node. An OID is a set of integers separated by periods; it identifies the node and can be used to locate the node in the MIB tree structure shown in the figure below.
[Figure 4-1 ASN.1 Tree Instance: Root Node; Node 1 and Node 2; their child nodes; Object 1, Object 2, Object A]
In this figure the OID of object A is 1.2.1.1. The NMS can locate this object through this unique OID and get the standard variables of the object. The MIB defines a set of standard variables for monitored network devices by following this structure
195. because it is user-based, not switch-port-based. The IP-subnet-based VLAN is divided according to the source IP address and subnet mask of every host. It assigns the corresponding VLAN ID to a data packet according to its subnet segment, leading the data packet to the specified VLAN. Its advantage is the same as that of the MAC-based VLAN: the user does not have to change configuration when relocated. A VLAN can also be divided by network layer protocol, assigning different protocols to different VLANs. This is very attractive to network administrators who wish to organize users by applications and services. Moreover, the user can move freely within the network while maintaining membership. The advantage of this method is that users can change physical position without changing their VLAN configuration, while the VLAN can be divided by protocol type, which is important to network administrators. Further, this method needs no added frame label to identify the VLAN, which reduces network traffic.
Notice: Dynamic VLAN needs the Hybrid attribute of the ports to work, so the ports that may be added to a dynamic VLAN must be configured as Hybrid ports.
20.6.2 Dynamic VLAN Configuration
Dynamic VLAN Configuration Task Sequence:
1. Configure the MAC-based VLAN function on the port
2. Set the VLAN to MAC VLAN
3. Configure the correspondence between the MAC address and the VLAN
4. Configure the IP subnet
196. bles the geographically dispersed networks to form a local LAN, so the service provider needs to provide the tunnel function, namely that data generated by the user's network can arrive in full at the other networks of the same corporation through the service provider network. To maintain the local concept, it is necessary not only to transmit the data of the user's private network across the tunnel, but also to transmit the Layer 2 protocol packets of the user's private network.
18.1.2 Background of bpdu-tunnel
Special lines are used in a service provider network to build user-specific Layer 2 networks. As a result, a user network is broken down into parts located at different sides of the service provider network. As shown in the figure, User A has two devices, CE 1 and CE 2, and both belong to the same VLAN. The user's network is divided into network 1 and network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot pass through the service provider network, the user's network cannot perform independent Layer 2 protocol calculation (for example spanning tree calculation), so the two parts affect each other.
[Figure 18-1 BPDU Tunnel application: ISP network between User A network 1 (VLAN 100) and User A network 2 (VLAN 100)]
18.2 bpdu-tunnel Configuration Task List
bpdu-tunnel configuration task list:
1. Configure tunnel MAC address globally
2. Configure the port to support the
197. by themselves. no ip dhcp relay information option self-defined subscriber-id. ip dhcp relay information option self-defined subscriber-id format {ascii | hex}: sets the self-defined format of the circuit-id for relay option82.
7. Diagnose and maintain DHCP option 82 (Admin mode): show ip dhcp relay information option: displays the state of DHCP option 82 in the system, including the option82 enabling switch, the interface retransmitting policy, the circuit-ID mode and the DHCP server option82 enabling switch. debug ip dhcp relay packet: displays information about data packet processing in the DHCP Relay Agent, including the add and peel actions of option 82.
33.3 DHCP Option 82 Application Examples
[Figure 33-1 A DHCP option 82 typical application example: DHCP clients PC1 (via Switch1) and PC2 (via Switch2) connect to Switch3, the DHCP Relay Agent, on Vlan2 ports Ethernet1/3 and Ethernet1/2, which connects to the DHCP Server]
In the above example, layer 2 switches Switch1 and Switch2 are both connected to layer 3 switch Switch3. Switch3, as DHCP Relay Agent, transmits the request message from the DHCP client to the DHCP server. It also transmits the reply message from the server to the DHCP client to finish the DHCP protocol procedure. If DHCP option 82 is disabled, the DHCP server cannot distinguish whether the DHCP client is from the network connected to Switch1 or Switch
198. ccess the internet safely. If the maximum number of secure MAC addresses is configured as 1, only HOST A or HOST B is able to access the internet.
Configuration process: configure the switch:
Switch(config)#interface Ethernet 1/1
Switch(config-if-ethernet1/1)#switchport port-security
Switch(config-if-ethernet1/1)#switchport port-security maximum 10
Switch(config-if-ethernet1/1)#exit
Switch(config)#
15.4 PORT SECURITY Troubleshooting
If problems occur when configuring PORT SECURITY, please check whether the problem is caused by the following reasons:
- Check whether PORT SECURITY is enabled normally
- Check whether a valid maximum number of MAC addresses is configured
Chapter 16 DDM Configuration
16.1 Introduction to DDM
16.1.1 Brief Introduction to DDM
DDM (Digital Diagnostic Monitor) makes the detailed digital diagnostic function of the SFF-8472 MSA standard available. It specifies that the parameter signals are monitored and digitized on the circuit board inside the module; the calibrated results (or the digitized measurement results together with the calibration parameters) are then saved in a standard memory layout so that they can be read conveniently through a two-wire serial interface. Normally intelligent fiber modules support the Digital Diagnostic function. Network management units are able to monitor the parameters (temperature, voltage, bias current, tx power and rx power) of the fiber module
199. ce. no service dhcpv6.
2. To configure DHCPv6 relay delegation on a port (Interface Configuration Mode): ipv6 dhcp relay destination <ipv6-address> [interface <interface-name> | vlan <1-4096>] / no ipv6 dhcp relay destination <ipv6-address> [interface <interface-name> | vlan <1-4096>]: specifies the destination address for DHCPv6 relay transmission; the no form of this command deletes the configuration.
32.4 DHCPv6 Prefix Delegation Server Configuration
DHCPv6 prefix delegation server configuration task list:
1. To enable/delete the DHCPv6 service
2. To configure the prefix delegation pool
3. To configure the DHCPv6 address pool
 (1) To create/delete the DHCPv6 address pool
 (2) To configure the prefix delegation pool used by the DHCPv6 address pool
 (3) To configure static prefix delegation binding
 (4) To configure other parameters of the DHCPv6 address pool
4. To enable the DHCPv6 prefix delegation server function on a port
1. To enable/delete the DHCPv6 service (Global Mode): service dhcpv6 / no service dhcpv6: enables the DHCPv6 service.
2. To configure the prefix delegation pool (Global Mode): ipv6 local pool <pool-name> <prefix/prefix-length> <assigned-length> / no ipv6 local pool <pool-name>: configures the prefix delegation pool.
3. To configure the DHCPv6 address pool
 (1) To create/delete the DHCPv6 address pool
200. cene and enable the port authentication function. If a client cannot correctly obtain the IPv6 address assigned by the DHCPv6 server after the SAVI function is enabled, please ensure DHCP port trust is configured on the uplink port towards the DHCPv6 server. If a node binding cannot be set for a new user after the SAVI function is enabled, please check whether the direct-link port has a max binding number configured and whether the binding number has reached that maximum; if the binding number exceeds the max binding limit, it is recommended to configure a bigger binding limit. If a node binding still cannot be set for the new user after configuring the bigger binding limit, please check whether the direct-link port configures the corresponding binding number and whether the corresponding binding number has reached the maximum for the same MAC address; if the binding number exceeds the max binding limit, it is recommended to configure a bigger binding limit.
Chapter 55 MRPP Configuration
55.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet loop protection. It can avoid broadcast storms caused by data loops on an Ethernet ring and restore communication among every node on the ring network when the Ethernet ring has a broken link. MRPP is an expansion of EAPS (Ethernet link automatic protection protocol). MRPP is similar in function to the STP protocol. MRPP has the following characteristics compared to STP: (1) MRPP's
201. ch member port of the aggregation group and provides better reliability.
12.2.1 Static LACP Aggregation
Static LACP aggregation is enforced by user configuration and does not enable the LACP protocol. When configuring static LACP aggregation, use the on mode to force the port to enter the aggregation group.
12.2.2 Dynamic LACP Aggregation
1. Summary of dynamic LACP aggregation
Dynamic LACP aggregation is an aggregation created and deleted by the system automatically; it does not allow the user to add or delete the member ports of the dynamic LACP aggregation. Ports which have the same speed and duplex attributes, are connected to the same device and have the same basic configuration can be dynamically aggregated together. Even a single port can create a dynamic aggregation; that is single-port aggregation. In dynamic aggregation the LACP protocol of the port is in the enabled state.
2. Port state of the dynamic aggregation group
In a dynamic aggregation group the ports have two states: selected or standby. Both selected ports and standby ports can receive and send LACP protocol packets, but standby ports cannot forward data packets. Because of the limit on the maximum port number in the aggregation group, if the current number of member ports exceeds that limit, the system at this end negotiates with the other end to decide the port states according to the port ID. The negotiation
202. cket as 0x8863, covering the 5 kinds of packets of the PPPoE discovery stage; only the type field value of the session stage is 0x8864.
PPPoE version field (4 bits): specifies the current PPPoE protocol version; the current version must be set to 0x1.
PPPoE type field (4 bits): specifies the protocol type; the current version must be set to 0x1.
PPPoE code field (1 byte): specifies the packet type: 0x09 means a PADI packet, 0x07 means a PADO packet, 0x19 means a PADR packet, 0x65 means a PADS packet, 0xa7 means a PADT packet.
PPPoE session ID field (2 bytes): specifies the session ID.
PPPoE length field (2 bytes): specifies the sum of all TLV lengths.
TLV type field (2 bytes): a TLV frame means a TAG; the type field means the TAG type; the table is as follows.
TLV length field (2 bytes): specifies the length of the TAG data field.
TLV data field (length not specified): specifies the transmitted data of the TAG.
Tag Type | Tag | Explanation
0x0000 | | The end of a series of tags in the PPPoE data field; it is reserved for ensuring version compatibility and is used by some packets.
0x0101 | Service name | Indicates the services supplied by the network.
0x0102 | Server name | When the user receives the PADO response packet of the AC, it can obtain the server name from the tag and select the corresponding server.
0x0103 | Exclusive tag of the host | It is similar to the tag field of PPPoE data packets and is used to match the sending and receiving ends, because a broadcast network may carry many PPPoE data packets synch
203. cket is EAP Packet, the Packet Body is in EAP format, illustrated in the next figure.
[Figure 42-4 the Format of EAP Data Packets: Code, Identifier, Length, Data]
Code: specifies the type of the EAP packet. There are four in total: Request (1), Response (2), Success (3), Failure (4).
- There is no Data domain in packets of type Success or Failure, and the value of the Length domain in such packets is 4.
- The format of the Data domain in packets of type Request and Response is illustrated in the next figure. Type is the authentication type of EAP; the content of Type data depends on the type. For example, when the value of Type is 1 it means Identity and is used to query the identity of the other side. When Type is 4 it means MD5-Challenge, which, like the PPP CHAP protocol, contains challenge messages.
[Figure 42-5 the Format of Data Domain in Request and Response Packets: Type, Type data]
Identifier: assists in matching Request and Response messages.
Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data domains.
Data: the content of the EAP packet, depending on the Code type.
42.1.4 The Encapsulation of EAP Attributes
RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Please refer to the Introduction of RADIUS protocol in AAA-RADIUS-HWTACACS operation to check the format of RADIUS messages
204. cluster 2. Create or delete cluster 3. Add or remove a member switch
Configure attributes of the cluster in the commander switch: 1. Enable or disable automatically adding cluster members 2. Set automatically added members to manually added ones 3. Set or modify the time interval of keep-alive messages on switches in the cluster 4. Set or modify the max number of lost keep-alive messages that can be tolerated 5. Clear the list of candidate switches maintained by the switch
Configure attributes of the cluster in the candidate switch: 1. Set the time interval of keep-alive messages of the cluster 2. Set the max number of lost keep-alive messages that can be tolerated in the cluster
Remote cluster network management: 1. Remote configuration management 2. Remotely upgrade member switch 3. Reboot member switch
Manage cluster network with web: 1. Enable http
Manage cluster network with snmp: 1. Enable snmp server
1. Enable or disable cluster (Global Mode): cluster run key <WORD> vid <VID> / no cluster run: enables or disables the cluster function in the switch.
2. Create a cluster (Global Mode): cluster ip-pool <commander-ip> / no cluster ip-pool: configures the private IP address pool for cluster member devices. cluster commander <cluster_name> / no cluster commander: creates or deletes a cluster. cluster member nodes-sn <nodes-sn> mac-address <mac-addr> id <member-id>
205. control: enables or disables the DHCP snooping binding user function. no ip dhcp snooping binding user-control.
11. Add static binding information (Global mode): ip dhcp snooping binding user <mac> address <ipAddr> interface ethernet <ifname> / no ip dhcp snooping binding user <mac> interface ethernet <ifname>: adds or deletes DHCP snooping static binding list entries.
12. Set defense actions (Port mode): ip dhcp snooping action {shutdown | blackhole} recovery <seconds> / no ip dhcp snooping action: sets or deletes the DHCP snooping automatic defense actions of the port.
13. Set rate limitation of data transmission (Global mode): ip dhcp snooping limit-rate <pps> / no ip dhcp snooping limit-rate: sets the rate limit for the transmission of DHCP snooping messages.
14. Enable the debug switch (Admin mode): debug ip dhcp snooping packet; debug ip dhcp snooping event; debug ip dhcp snooping update; debug ip dhcp snooping binding: please refer to the chapter on system troubleshooting.
15. Configure DHCP Snooping option 82 attributes (Global mode): ip dhcp snooping information option subscriber-id format {hex | ascii | vs-hp}; ip dhcp snooping information option remote-id {standard | <remote-id>} / no ip dhcp snooping information option remote-id; ip dhcp snooping informati
206. controller addresses of DHCP option 43 are 192.168.10.5 and 192.168.10.6.
Configuration procedure: configure the DHCP server:
switch(config)#ip dhcp pool a
switch(dhcp-a-config)#option 60 ascii AP1000
switch(dhcp-a-config)#option 43 hex 0104C0A80A050104C0A80A06
34.4 DHCP Option 60 and Option 43 Troubleshooting
If problems occur when configuring DHCP option 60 and option 43, please check whether the problem is caused by the following reasons:
- Check whether the service dhcp function is enabled
- If the address pool has option 60 configured, check whether it matches the option 60 of the packets
Chapter 35 DHCPv6 Options 37, 38
35.1 Introduction to DHCPv6 Options 37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client wants to request an address and configuration parameters from a DHCPv6 server on a different link, it needs to communicate with the server through a DHCPv6 relay agent. The DHCPv6 message received by the relay agent node is re-encapsulated into relay-forward packets and forwarded to the server, which sends relay-reply packets back to the DHCPv6 relay agent node on the other link; after that, the relay agent node restores the DHCPv6 message to the DHCPv6 client to finish the communication between client and server. There are some problems when using a DHCPv6 relay agent, for example: How
207. covery Protocol) of IEEE. LLDP provides a standard link layer discovery mode: it sends local device information, including its major capabilities, management IP address, device ID and port ID, as TLV (type/length/value) triplets in LLDPDUs (Link Layer Discovery Protocol Data Units) to the directly connected neighbors. The device information received by the neighbors is stored in a standard management information base (MIB). This allows a network management system to quickly detect and identify the communication status of the link. In 802.1AB LLDP there is no transmission and management of voice device information. To deploy and manage voice devices conveniently, LLDP-MED TLVs provide multiple kinds of information such as PoE (Power over Ethernet), network policy and the location information used by the emergency telephone service.
17.2 LLDP-MED Configuration Task Sequence
1. Basic LLDP-MED configuration (Port mode):
lldp transmit med tlv all / no lldp transmit med tlv all: configures the specified port to send all LLDP-MED TLVs; the no command disables the function.
lldp transmit med tlv capability / no lldp transmit med tlv capability: configures the specified port to send the LLDP-MED Capability TLV; the no command disables the capability.
lldp transmit med tlv networkPolicy / no lldp transmit med tlv networkPolicy: configures the specified port to
lldp transmit med tlv extendPoe / no lldp transmit med tlv extendPoe
lldp
208. cp server relay information enable command will make the server ignore option 82.
4. Configure the DHCP option 82 default format of the Relay Agent (Global mode): ip dhcp relay information option subscriber-id format {hex | ascii | vs-hp}: sets the subscriber-id format of Relay Agent option82. ip dhcp relay information option remote-id format {default | vs-hp}: sets the remote-id format of Relay Agent option82.
5. Configure delimiter (Global mode): ip dhcp relay information option delimiter {colon | dot | slash | space} / no ip dhcp relay information option delimiter: sets the delimiter between the parameters of each option82 suboption in global mode; the no command restores the delimiter to slash.
6. Configure the creation method of option82 (Global mode): ip dhcp relay information option self-defined remote-id {hostname | mac | string WORD} / no ip dhcp relay information option self-defined remote-id: sets the creation method for option82; users can define the parameters of the remote-id suboption by themselves. ip dhcp relay information option self-defined remote-id format {ascii | hex}: sets the self-defined format of the remote-id for relay option82. ip dhcp relay information option self-defined subscriber-id {vlan | port-id | switch-id {mac | hostname} | remote-mac | string WORD}: sets the creation method for option82; users can define the parameters of the circuit-id suboption
209. cquisition Fails
[Figure: Malicious Users; Web Browser; https SSL session; Connected PC Users]
Configuration on the switch:
Switch(config)#ip http secure-server
Switch(config)#ip http secure-port 1025
Switch(config)#ip http secure-ciphersuite rc4-128-sha
48.4 SSL Troubleshooting
In configuring and using SSL, the SSL function may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, good condition of the physical connection.
- Second, all interface and link protocols are in the UP state (use the show interface command).
- Then make sure the SSL function is enabled (use the ip http secure-server command).
- The default port number is not used; if a port number is configured, pay attention to the port number when entering the web address.
- If SSL is enabled, SSL should be restarted after changes to the port configuration and encryption configuration.
- IE 7.0 or above should be used for des-cbc-sha.
- If the SSL problems remain unsolved after the above, please use debug SSL and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to our company's technical service center.
Chapter 49 IPv6 Security RA Configuration
49.1 Introduction to IPv6 Security RA
In IPv6 networks the network topology is generally composed of routers, layer two switches and IPv6 hosts. Routers usually advertise RAs including link prefix, link M
210. cs-server nas-ipv4 <ip-address> / no tacacs-server nas-ipv4: configures the source IP address for the TACACS packets of the switch.
46.3 TACACS Scenarios Typical Examples
[Figure 46-1 TACACS Configuration: 10.1.1.1; switch 10.1.1.2; Tacacs Server 10.1.1.3]
A computer connects to a switch whose IP address is 10.1.1.2, and the switch is connected to a TACACS authentication server whose IP address is 10.1.1.3 and whose authentication port is the default, 49. Set the telnet login authentication of the switch to tacacs local, so that the TACACS authentication server is used for telnet user authentication.
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#tacacs-server authentication host 10.1.1.3
Switch(config)#tacacs-server key test
Switch(config)#authentication line vty login tacacs
46.4 TACACS Troubleshooting
In configuring and using TACACS, the TACACS authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, good condition of the TACACS server physical connection
- Second, all interface and link protocols are in the UP state (use the show interface command)
- Then ensure the TACACS key configured on the switch is in accordance with the one configured on the TACACS server
- Finally, ensure to connect to the corr
211. cy maps applied on the ingress direction of the port. Egress policy-map is not supported yet.
Global Mode: service-policy input <policy-map-name> vlan <vlan-list> / no service-policy input <policy-map-name> vlan <vlan-list>: applies a policy-map to the specified VLAN interface; the no command deletes the specified policy-map applied to the VLAN interface, or deletes all the policy-maps applied in the ingress direction.
4. Configure queue management algorithm and weight (Global Mode):
mls qos queue algorithm {sp | wrr | wdrr} / no mls qos queue algorithm: sets the queue management algorithm; the default queue management algorithm is wrr.
mls qos queue wrr weight <weight0-weight7> / no mls qos queue wrr weight: sets the queue weights of a port; the default queue weights are 1 2 3 4 5 6 7 8.
mls qos queue wdrr weight <weight0-weight7> / no mls qos queue wdrr weight: configures the queue weights of a port; the default queue weights are 10 20 40 80 160 320 640 1280.
mls qos queue <queue-id> bandwidth <minimum-bandwidth> <maximum-bandwidth> / no mls qos queue <queue-id> bandwidth: configures the bandwidth guarantee of a port queue; the range is in kbit/s and the granularity is 64 kbit.
5. Configure QoS mapping (Global Mode): mls qos map cos-intp <intp1-intp8>: sets the priority mapping for QoS; the no … cos-dp <dp1-dp8
212. d address in dynamic cache; to enable DNS dynamic domain name resolution; enable/disable the DNS SERVER function; configure the max number of client information entries in the switch queue; configure the timeout value for caching the client information on the switch; monitor and diagnose the DNS function.
Global Mode: ip domain-lookup / no ip domain-lookup: enables or disables the DNS dynamic lookup function.
2. To configure/delete the DNS server (Global Mode): dns-server {<ip-address> | <ipv6-address>} priority <value> / no dns-server {<ip-address> | <ipv6-address>}: configures the DNS server; the no form of this command deletes the DNS server.
3. To configure/delete the domain name suffix (Global Mode): ip domain-list <WORD> / no ip domain-list <WORD>: configures or deletes the domain name suffix.
4. To delete the domain entry of a specified address in the dynamic cache (Admin Mode): clear dynamic-host {<ip-address> | <ipv6-address> | all}: deletes the domain entry of the specified address in the dynamic cache.
5. To enable DNS dynamic domain name resolution (Global Mode): dns lookup {ipv4 | ipv6} <hostname>: enables DNS dynamic domain name resolution.
6. Enable/disable the DNS SERVER function (Global Mode): ip dns server / no ip dns server: enables or disables the DNS SERVER function.
7. Configure the max number of client inf
213. d is recognized but no valid parameter record is found; "can not be used under current mode": the command cannot be used in the current mode; "... command at first": the command has not been configured; "syntax error: missing " before the end of command line": quotation marks are not used in pairs.
3.2.6 Fuzzy Match Support
The switch shell supports fuzzy match when searching commands and keywords. The shell will recognize commands or keywords correctly if the entered string causes no conflict. For example:
1. For the command show interfaces status ethernet1/1, typing sh in status ethernet1/1 will work.
2. However, for the command show running-config, the system will report a "> Ambiguous command!" error if only show r is entered, as the shell is unable to tell whether it is show run or show running-config. Therefore the shell will only recognize the command if sh ru is entered.
Chapter 4 Basic Switch Configuration
4.1 Basic Configuration
Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
Command | Explanation
Normal User Mode / Admin Mode: enable <1-15> / disable: the user uses the enable command to step into admin mode from normal user mode or to modify the privilege level of the user; the disable
Admin Mode: config terminal: enter glob
214. d of the fiber module: the low warning threshold is -12, the low alarm threshold is -10.00.
Switch(config)#interface ethernet 1/21
Switch(config-if-ethernet1/21)#transceiver threshold tx-power low-warning -12
Switch(config-if-ethernet1/21)#transceiver threshold tx-power low-alarm -10.00
Step 3: Show the detailed DDM information of the fiber module. The alarm uses the threshold configured by the user; the threshold configured by the manufacturer is shown in brackets. There is an alarm marked "A" because -13.01 is less than -12.00.
Switch#show transceiver interface ethernet 1/21 detail
Ethernet 1/21 transceiver detail information:
Base information: ...
Brief alarm information: RX loss of signal; Voltage high; RX power low; TX power low
Detail diagnostic and threshold information:
Diagnostic | Realtime Value | High Alarm | Low Alarm | High Warn | Low Warn
Temperature (C) | 33 | 70 | 0 | 70 | 0
Voltage (V) | 7.31 (A+) | 5.00 | 0.00 | 5.00 | 0.00
Bias current (mA) | 6.11 (W+) | 10.30 | 0.00 | 5.00 | 0.00
RX Power (dBm) | -30.54 (A-) | 9.00 | -25.00 | 9.00 | -25.00
TX Power (dBm) | -13.01 (A-) | 9.00 | -12.00 (-25.00) | 9.00 | -10.00 (-25.00)
Examples: Ethernet 21 has a fiber module with DDM inserted. Enable the transceiver monitoring of the port after showing the transceiver monitoring of the fiber module.
Step 1: Show the transceiver monitoring of the fiber module. Neither ethernet 21 nor ethernet 22 has transceiver monitoring enabled; its int
215. d to verify whether the configurations are correct and the switch is operating as expected, and in the event of a network failure the users will also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the causes of problems.
66.1 Ping
The Ping command is mainly used for sending ICMP query packets from the switch to remote devices, and for checking the reachability between the switch and the remote device. Refer to the Ping command chapter in the Command Manual for explanations of the various parameters and options of the Ping command.
66.2 Ping6
The Ping6 command is mainly used by the switch to send ICMPv6 query packets to remote equipment, verifying the reachability between the switch and the remote equipment. For the options and explanations of the parameters of the Ping6 command, please refer to the Ping6 command chapter in the Command Manual.
66.3 Traceroute
The Traceroute command is for testing the gateways through which data packets travel from the source device to the destination device, so as to check network reachability and locate network failures. The execution procedure of the Traceroute command is as follows: first, a data packet with TTL 1 is sent to the destination address; if the first hop returns an ICMP error message informing that this packet cannot be sent due to TTL timeout, a data packet with TTL 2 is sent; also th
216. d uncontrolled ports.
- The uncontrolled port is always in bi-directionally connected status and is mainly used to transmit EAPOL protocol frames, to guarantee that the supplicant systems can always send or receive authentication messages.
- The controlled port is in connected status when authenticated, to transmit service messages. When unauthenticated, no message from supplicant systems is allowed to be received.
- The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports.
3. Controlled direction
In unauthenticated status, controlled ports can be set as unidirectionally controlled or bi-directionally controlled.
- When the port is bi-directionally controlled, the sending and receiving of all frames is forbidden.
- When the port is unidirectionally controlled, no frames can be received from the supplicant systems, while sending frames to the supplicant systems is allowed.
Notes: At present this kind of switch only supports unidirectional control.
42.1.2 The Work Mechanism of 802.1x
The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to implement the exchange of authentication information between the supplicant system, the authenticator system and the authentication server system.
Figure 42.2 The Work Mechanism of 802.1x (supplicant system, authenticator system, authentication server system)
- EAP messages a
217. dcast address as destination address and broadcasts a PADI (PPPoE Active Discovery Initiation) packet to discover access concentrators in the layer 2 network. Notice: this message may be sent to many access concentrators of the network.
2. Broadband Access Server responds with a PADO packet. In the second step, the server responds with a PADO (PPPoE Active Discovery Offer) packet to the client according to the source MAC address of the received PADI packet; the packet carries the server name and service name.
3. Client sends a PADR packet. In the third step, the client selects a server to process the session according to the received PADO packets. It may receive many PADO packets, because the PADI message of the first step may be sent to many servers; it selects the server according to whether the service information in the PADO packet matches the service information needed by the client. The MAC address of the other end used for the session is known after the server is selected, and the client sends a PADR (PPPoE Active Discovery Request) packet to it to announce the session requirement to the server.
4. Server responds with a PADS packet. In the fourth step, the server establishes a session ID according to the received PADR packet; this session ID is sent to the client through a PADS (PPPoE Active Discovery Session-confirmation) packet. With this the PPPoE discovery stage is completed and the session stage is entered.
The PADT (PPPoE Active Discovery Terminate) packet is a special packet of PPPoE; its Ethernet protocol number 0x8863 is the same as the four packets abo
218. ddress 2001:da8:100:1::1/64
Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag
Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag
Switch2(Config-if-Vlan100)#exit
Switch2(config)#
Switch1 configuration:
Switch1(config)#service dhcpv6
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:100:1::2/64
Switch2(Config-if-Vlan1)#ipv6 dhcp relay destination 2001:da8:10:1::1
32.7 DHCPv6 Troubleshooting
If the DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, the following procedures can be followed once the DHCPv6 client hardware and cables have been verified OK:
- Verify that the DHCPv6 server is running; start the related DHCPv6 server function if it is not running.
- If the DHCPv6 clients and servers are not in the same physical network, verify that the router responsible for DHCPv6 packet forwarding has the DHCPv6 relay function. If DHCPv6 relay is not available on the intermediate router, it is recommended to replace the router or upgrade its software to one that has a DHCPv6 relay function.
Sometimes hosts are connected to the DHCPv6-enabled switches but cannot get IPv6 addresses. In this situation it should be checked first whether the ports to which the hosts are connected are connected to the port to which the DHCPv6 server is connected. If connected directly, it should then be checked whether the IPv6 address pool o
219. default setting.
no switchport trunk allowed vlan
switchport trunk native vlan <vlan-id>
no switchport trunk native vlan
    Set/delete PVID for Trunk port.
6. Set Access port
Command (Port Mode) / Explanation
switchport access vlan <vlan-id>
no switchport access vlan
    Add the current port to the specified VLAN. The no command restores the default setting.
7. Set Hybrid port
Command (Port Mode) / Explanation
switchport hybrid allowed vlan {WORD | all | add WORD | except WORD | remove WORD} {tag | untag}
no switchport hybrid allowed vlan
    Set/delete the VLAN which is allowed by the Hybrid port, with tag or untag mode.
switchport hybrid native vlan <vlan-id>
no switchport hybrid native vlan
    Set/delete PVID of the port.
8. Disable/Enable VLAN Ingress Rules
Command (Global Mode) / Explanation
vlan ingress enable
no vlan ingress enable
    Enable/Disable VLAN ingress rules.
9. Configure Private VLAN
Command (VLAN Mode) / Explanation
private-vlan {primary | isolated | community}
no private-vlan
    Configure the current VLAN as a Private VLAN. The no command deletes the private VLAN.
10. Set Private VLAN association
Command (VLAN Mode) / Explanation
private-vlan association <secondary-vlan-list>
no private-vlan association
    Set/delete Private VLAN association.
11. Specify internal VLAN ID
Command (Global Mode) / Explanation
vlan <2-4094> internal
    Specify internal VLAN ID.
20.1
220. dge. Therefore one port between Bridge B and the Root is blocked, and one port on Bridge D is blocked.
22.2.1 Operations within an MSTP Region
The IST connects all the MSTP bridges in a region. When the IST converges, the root of the IST becomes the IST master, which is the switch within the region with the lowest bridge ID and path cost to the CST root. The IST master is also the CST root if there is only one region within the network. If the CST root is outside the region, one of the MSTP bridges at the boundary of the region is selected as the IST master.
When an MSTP bridge initializes, it sends BPDUs claiming itself as the root of the CST and the IST master, with both of the path costs (to the CST root and to the IST master) set to zero. The bridge also initializes all of its MST instances and claims to be the root for all of them. If the bridge receives superior MST root information (lower bridge ID, lower path cost, and so forth) than currently stored for the port, it relinquishes its claim as the IST master.
Within an MST region, the IST is the only spanning tree instance that sends and receives BPDUs. Because the MST BPDU carries information for all instances, the number of BPDUs that need to be processed by a switch to support multiple spanning tree instances is significantly reduced. All MST instances within the same region share the same protocol timers, but each MST instance has its own topology parameters such as root switch ID, r
221. ding the two bytes in the SubOpt segment and the Len segment.
33.1.2 Option 82 Working Mechanism
Figure: DHCP option 82 flow chart (DHCP Client, DHCP Relay Agent, DHCP Server)
If the DHCP Relay Agent supports option 82, the DHCP client goes through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The DHCP protocol follows the procedure below:
1. The DHCP client sends a request broadcast message while initializing. This request message does not have option 82.
2. The DHCP Relay Agent adds option 82 to the end of the request message it receives, then relays and forwards the message to the DHCP server. By default, sub-option 1 of option 82 (Circuit ID) is the interface information of the switch connected to the DHCP client (VLAN name and physical port name), but users can configure the Circuit ID as they wish. Sub-option 2 of option 82 (Remote ID) is the MAC address of the DHCP relay device.
3. After receiving the DHCP request message, the DHCP server allocates an IP address and other information for the client according to the information and preconfigured policy in the option segment of the message. Then it forwards the reply message with the DHCP configuration information and the option 82 information to the DHCP Relay Agent.
4. The DHCP Relay Agent peels the option 82 information from the reply message sent by the DHCP server and then forwards the message with the DHCP configurati
222. dopt the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system in the LAN environment. Between the PAE of the authenticator system and the RADIUS server there are two methods to exchange information: one is that EAP messages adopt the EAPOR (EAP over RADIUS) encapsulation format in the RADIUS protocol; the other is that EAP messages terminate at the PAE of the authenticator system, which uses messages containing PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) attributes for the authentication interaction with the RADIUS server. When the user passes the authentication, the authentication server system sends the relevant information of the user to the authenticator system; the PAE of the authenticator system decides the authenticated/unauthenticated status of the controlled port according to the authentication result of the RADIUS server.
42.1.3 The Encapsulation of EAPOL Messages
1. The Format of EAPOL Data Packets
EAPOL is a message encapsulation format defined in the 802.1x protocol and is mainly used to transmit EAP messages between the supplicant system and the authenticator system, in order to allow the transmission of EAP messages through the LAN. In the IEEE 802 Ethernet LAN environment, the format of the EAPOL packet is illustrated in the next figure. The beginning of the EAPOL packet is the Type/Length domain in the MAC fr
223. download and upgrade the client software. Ethernet 1/2 is an access port belonging to vlan9; it connects to the radius server, which configures the auto vlan as vlan10. Ethernet 1/3 is an access port belonging to vlan10; it connects to external internet resources. To implement this application, the configuration is as follows.
Switch1 configuration:
1. Enable the 802.1x and MAB authentication function globally, configure the username and password of MAB authentication and the radius server address.
Switch(config)#dot1x enable
Switch(config)#mac-authentication-bypass enable
Switch(config)#mac-authentication-bypass username-format fixed username mabuser password mabpwd
Switch(config)#vlan 8-10
Switch(config)#interface vlan 9
Switch(Config-if-Vlan9)#ip address 192.168.61.9 255.255.255.0
Switch(Config-if-Vlan9)#exit
Switch(config)#radius-server authentication host 192.168.61.10
Switch(config)#radius-server accounting host 192.168.61.10
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
2. Enable the authentication function of each port.
Switch(config)#interface ethernet 1/1
Switch(config-if-ethernet1/1)#dot1x enable
Switch(config-if-ethernet1/1)#dot1x port-method portbased
Switch(config-if-ethernet1/1)#dot1x guest-vlan 8
Switch(config-if-ethernet1/1)#exit
Switch(config)#interface ethernet 1/2
Switch(config-if-ethernet1/2)#switchport mode hybrid
Switch(config-if-ethernet1/2)#switc
224. dress.
no arp-guard ip <addr>
Chapter 30 Gratuitous ARP Configuration
30.1 Introduction to Gratuitous ARP
Gratuitous ARP is a kind of ARP request that is sent by the host with its own IP address as the destination of the ARP request.
The basic working mode for the switch is as below: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured to send gratuitous ARP packets on all interfaces globally.
The purpose of gratuitous ARP is as below:
1. To reduce the frequency at which hosts send ARP requests to the switch. The hosts in the network periodically send ARP requests to the gateway to update the MAC address of the gateway. If the switch advertises gratuitous ARP requests, the hosts do not have to send these requests. This reduces the frequency of the hosts' ARP requests for the gateway's MAC address.
2. Gratuitous ARP is a method to prevent ARP cheating. The switch's advertising of gratuitous ARP requests forces the hosts to update their ARP cache tables. Thus forged ARP entries for the gateway cannot function.
30.2 Gratuitous ARP Configuration Task List
1. Enable gratuitous ARP and configure the interval to send gratuitous ARP requests
2. Display configurations about gratuitous ARP
1. Enable gratuitous ARP and configure the interval to send gratuitous ARP requests
Command (Global Configuration Mode and Interface Configur
225. e bandwidth for packets from segment 192.168.1.0 through port ethernet 1/2 is set to 10 Mb/s with a burst value of 4 MB; all packets exceeding this bandwidth setting in that segment will be dropped.
Example 3:
Figure 23.7 Typical QoS topology (QoS area, Server, Switch)
As shown in the figure, inside the block is a QoS domain. The switch classifies different traffic and assigns different IP precedences. For example, set the CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/1. The port connecting to switch2 is a trunk port. In Switch2, set port ethernet 1/1, which connects to switch1, to trust cos. Thus inside the QoS domain, packets of different priorities go to different queues and get different bandwidth. The configuration steps are listed below.
QoS configuration in Switch1:
Switch(config)#
Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)#class-map c1
Switch(Config-ClassMap-c1)#match access-group 1
Switch(Config-ClassMap-c1)#exit
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#set ip precedence 5
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/1
Switch(Config-If-Ethernet1/1)#service-policy input p1
QoS configuration in Switch2:
Switch(config)#
Switc
226. e <interface-number> desmac <MAC address> desIP <Dest IP address> srcIP <Source IP address>
no monitor session <session> destination tunnel interface <interface-number>
    Appoint the mirror destination to be the physical port or the IP address tunnel; the no command deletes the mirror destination.
61.3 Typical Examples of ERSPAN
Before ERSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check the status of the network. With the help of ERSPAN, network administrators can configure and supervise the switches remotely, which brings more efficiency.
In a Layer 3 network, Device A connects to the marketing department through Ethernet 1/1 and connects to Ethernet 1/2 of Device B through Ethernet 1/2. Device C connects to the server through Ethernet 1/2 and connects to Ethernet 1/1 of Device B through Ethernet 1/1. The server is able to monitor the bidirectional traffic of the marketing department across a GRE tunnel by configuring remote port mirroring. The figure below shows a sample application of ERSPAN.
Figure 61.1 ERSPAN application diagram (Device A, Device B, Device C, server)
Before configuring layer 3 remote port mirroring, ma
228. e Console interface to be able to access the switch through Telnet. The procedures for managing the switch via the Console interface are listed below.
Step 1: Setting up the environment
Figure 3.1 Out-of-band Management Configuration Environment (PC/Workstation with terminal emulation software, RS-232 serial cable with RJ-45 and DB9 connectors, serial port at 9600 8-n-1, managed switch)
As shown above, the serial port (RS-232) is connected to the switch with the serial cable provided. The table below lists all the devices used in the connection.
- PC machine: has a functional keyboard and RS-232 port, with a terminal emulator installed, such as the HyperTerminal included in Windows 9x/NT/2000/XP.
- Serial port cable: one end attaches to the RS-232 serial port, the other end to the Console port.
- Switch: functional Console port required.
Step 2: Entering the HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP.
1. Click Start menu > All Programs > Accessories > Communications > HyperTerminal.
Figure: the Windows XP Start menu, showing the path All Programs > Accessories > Communications > HyperTerminal
229. e check whether the problem is caused by the following reasons:
- Make sure the GRE tunnel configuration ensures normal transmission of the traffic.
- If the throughput of the mirror destination port is smaller than the total throughput of the mirror source port(s), the destination port will not be able to duplicate the traffic of all source ports. Please decrease the number of source ports, duplicate traffic for one direction only, or choose a port with greater throughput as the destination port.
Chapter 62 SNTP Configuration
62.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet. NTP can assess packet sending/receiving delay in the network and estimate the computer's clock deviation independently, so as to achieve high accuracy in network computer clocking. In most positions NTP can provide accuracy from 1 to 50 ms, according to the characteristics of the synchronization source and the network route.
Simple Network Time Protocol (SNTP) is the simplified version of NTP, removing the complex algorithms of NTP. SNTP is used for hosts which do not require full NTP functions; it is a subset of NTP.
It is common practice to synchronize the clocks of several hosts in a local area network with other NTP hosts through the Internet, and to use those hosts to provide time synchronization service for other clients in the LAN. The figure below depicts an NTP/SNTP application netw
230. e data by MAC address.
28.1.2 ARP Spoofing
In the ARP protocol design, to reduce redundant ARP data communication on networks, a host computer that receives an ARP reply it did not request will still insert an entry into its ARP cache table; this creates the possibility of ARP spoofing. If the hacker wants to snoop on the communication between two host computers in the same network, even if they are connected by switches, it sends an ARP reply packet to the two hosts separately and makes each of them mistake the MAC address of the other side for the hacker host's MAC address. In this way the direct communication is actually relayed indirectly through the hacker host computer. The hacker not only obtains the communication information they need, but also only needs to modify some information in the data packets and forward them successfully. In this sniffing method the hacker host computer does not need to configure promiscuous mode on the network card, because the data packets between the two communicating sides are sent to the hacker host computer at the physical layer, which works as a relay.
28.1.3 How to Prevent/Avoid ARP Spoofing
There are many sniffing, monitoring and attack behaviors based on the ARP protocol in networks, and most attack behaviors are based on ARP spoofing, so it is very important to prevent ARP spoofing. ARP spoofing accesses the normal network environment by counterfeiting a legal IP address first, and sends a great deal of counterf
231. e edge switch, if source-under-control multicast is configured, then only multicast data from the specified group of the specified source can pass.
2. For the RP switch in the core of PIM-SM, for REGISTER information outside the specified source and specified group, REGISTER_STOP is transmitted directly and the table entry is not allowed to be set up. This task is implemented in the PIM-SM model.
The implementation of the Multicast User Controllable technology of Security Controllable Multicast technology is based on control over the IGMP report messages sent by the user; thus the models being controlled are IGMP snooping and the IGMP model. The control logic includes the following three methods: control based on the VLAN and MAC address transmitting the packets, control based on the IP address transmitting the packets, and control based on the port where messages enter. IGMP snooping can use the above three methods simultaneously, while the IGMP model, since it is located at layer 3, only takes control over the IP address transmitting the packets.
The Service-Oriented Priority Strategy Multicast of Security Controllable technology adopts the following mode: for multicast data in the limited range, set the priority specified by the user at the join-in end, so that data can be sent with a higher priority on the TRUNK port, consequently guaranteeing that transmission is processed at the user-specified priority in the entire network.
38.2.2 DCSCM Configuration Task List
1.
232. e
ip bootp-client enable
no ip bootp-client enable
    Enable the switch to be a BootP client and obtain IP address and gateway address through BootP negotiation; the no command disables the BootP client function.
4. DHCP configuration
Command (VLAN Interface Mode) / Explanation
ip bootp-client enable
no ip bootp-client enable
    Enable the switch to be a DHCP client and obtain IP address and gateway address through DHCP negotiation; the no command disables the DHCP client function.
4.4 SNMP Configuration
4.4.1 Introduction to SNMP
SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 (RFC1157) is the first version of SNMP, which has been adopted by vast numbers of manufacturers for its simplicity and easy implementation. SNMP v2c is an enhanced version of SNMP v1, which supports layered network management. SNMP v3 strengthens security by adding USM (User-based Security Model) and VACM (View-based Access Control Model).
The SNMP protocol provides a simple way of exchanging network management information between two points in the network. SNMP employs a polling mechanism of message query and transmits messages through UDP, a connectionless transport layer protocol. Therefore it is well supported by existing computer networks.
The SNMP protocol employs a station-agent mode. There are two parts in this structure: NMS (Network Management
233. e intermediate agent access-node-id as abcd.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd
Step 5: Configure the pppoe intermediate agent identifier-string as efgh, the combo mode as spv, the delimiter of Slot ID and Port ID, and the delimiter of Port ID and VLAN ID as 7.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id identifier-string efgh option spv delimiter delimiter
Step 6: Configure the circuit-id value as bbbb on port ethernet1/2.
Switch(config-if-ethernet1/2)#pppoe intermediate-agent circuit-id bbbb
Step 7: Configure the remote-id as xyz on ethernet1/3.
Switch(config-if-ethernet1/3)#pppoe intermediate-agent remote-id xyz
The circuit-id value is bbbb and the remote-id value is 0a0b0c0d0e0f for the vendor tag added on port ethernet1/2; the circuit-id value is efgh eth 01 003 1234 and the remote-id value is xyz for the vendor tag added on port ethernet1/3.
51.4 PPPoE Intermediate Agent Troubleshooting
- Only after the switch enables the global PPPoE intermediate agent can this function be run on a port.
- Configure at least one trust port, and this port can connect to the server; the vendor tag strip function must be configured on the trust port.
- Circuit-id override priority is: pppoe intermediate-agent circuit-id < pppoe intermediate-agent identifier-string option delimiter < pppoe intermediate-agent access-node-id.
Chapter 52 Web Portal Configuration
52.1 Introduction to Web
234. e of Instance 3. Set Switch4 as the root bridge of Instance 4.
- Set the bridge priority of Instance 3 in Switch3 as 0.
- Set the bridge priority of Instance 4 in Switch4 as 0.
The detailed configuration is listed below.
Switch2:
Switch2(config)#vlan 20
Switch2(Config-Vlan20)#exit
Switch2(config)#vlan 30
Switch2(Config-Vlan30)#exit
Switch2(config)#vlan 40
Switch2(Config-Vlan40)#exit
Switch2(config)#vlan 50
Switch2(Config-Vlan50)#exit
Switch2(config)#spanning-tree mst configuration
Switch2(Config-Mstp-Region)#name mstp
Switch2(Config-Mstp-Region)#instance 3 vlan 20;30
Switch2(Config-Mstp-Region)#instance 4 vlan 40;50
Switch2(Config-Mstp-Region)#exit
Switch2(config)#interface e1/1-7
Switch2(Config-Port-Range)#switchport mode trunk
Switch2(Config-Port-Range)#exit
Switch2(config)#spanning-tree
Switch3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/1-7
Switch3(Config-Port-Range)#switchport mode trunk
Switch3(Config-Port-Range)#exit
Switch3(config)#spanning-tree
235. e packet to the server; replace: the system replaces option 37 of the current packet with its own before forwarding it to the server. The no command configures the reforward policy of DHCPv6 packets with option 37 as replace.
    This command is used to configure the reforward policy of the system when receiving DHCPv6 packets with option 38, which can be: drop, the system simply discards packets with option 38; keep, the system keeps option 38 unchanged and forwards the packet to the server; replace, the system replaces option 38 of the current packet with its own before forwarding it to the server. The no command configures the reforward policy of DHCPv6 packets with option 38 as replace.
    Configures user configuration options to generate the subscriber-id. The no command restores the original default configuration, i.e. enterprise number together with VLAN MAC.
    Configures user configuration options to generate the subscriber-id. The no command restores the original default configuration, i.e. VLAN name together with port name.
ipv6 dhcp snooping remote-id <remote-id>
    This command is used to set the form of adding option 37 in received DHCPv6 request packets, of which <remote-id> is the user-defined option 37, a string with a length of less than 128. The no operation restores the remote-id in option 37 to enterprise number together with VLAN MAC address.
    This command is used to set the form of
236. e ports. That is to say, after a MAC address is bound to a port, only the data stream destined for that MAC address can flow in from the binding port; data streams destined for other MAC addresses that are not bound to the port will not be allowed to pass through the port.
21.5.1.2 MAC Address Binding Configuration Task List
1. Enable MAC address binding function for the ports
2. Lock the MAC addresses for a port
3. MAC address binding property configuration
1. Enable MAC address binding function for the ports
Command (Port Mode) / Explanation
switchport port-security
no switchport port-security
    Enable the MAC address binding function for the port and lock the port. When a port is locked, the MAC address learning function for the port will be disabled; the no switchport port-security command disables the MAC address binding function for the port and restores the MAC address learning function for the port.
2. Lock the MAC addresses for a port
Command (Port Mode) / Explanation
switchport port-security lock
no switchport port-security lock
    Lock the port, then MAC addresses learned will be disabled. The no switchport port-security lock command restores the function
switchport port-security convert
switchport port-security timeout <value>
no switchport port-security timeout
switchport port-security mac-address <mac-address>
no switchport port-security mac-address <mac-address>
Command (Admin Mode) / Explanation
237. e resource.
dot1x user free-resource <prefix> <mask>
no dot1x user free-resource
    Sets free access network resources for unauthorized users. The no command closes the resource.
dot1x unicast enable
no dot1x unicast enable
    Enable the 802.1x unicast passthrough function of the switch; the no operation of this command disables this function.
2. Access management unit property configuration
(1) Configure port authentication status
Command (Port Mode) / Explanation
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
    Sets the 802.1x authentication mode; the no command restores the default setting.
(2) Configure port access management method
Command (Port Mode) / Explanation
dot1x port-method {macbased | portbased | userbased {standard | advanced}}
    Sets the port access management method; the no command restores MAC-based access management.
dot1x max-user macbased <number>
no dot1x max-user macbased
    Sets the maximum number of access users for the specified port; the no command restores the default setting of allowing 1 user.
dot1x max-user userbased <number>
no dot1x max-user userbased
    Sets the upper limit of the number of users allowed to access the specified port; only used when the access control mode of the port is userbased. The no command is used to reset the limit to the default of 10.
dot1x guest-vlan <vlanID>
    Set the guest vlan of the specified port; the no do
238. e security of the network has had a more and more important impact on the availability and usability of networking applications. Network security has become one of the greatest barriers of modern networking applications. To protect sensitive data transferred through the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser. Up till now, SSL 2.0 and 3.0 have been released. SSL 2.0 is obsolete because of security problems and is not supported on the switches. The SSL protocol uses public key encryption and has become the industry standard for secure communication on the internet for Web browsing. The Web browser integrates HTTP and SSL to realize secure communication.
SSL is a security protocol to protect private data transmission on the Internet. SSL protocols are designed for secure transmission between the client and the server, with authentication at the server side and optionally at the client side. SSL protocols must be built on a reliable transport layer such as TCP. SSL protocols are independent of the application layer; protocols such as HTTP, FTP, TELNET and so on can be built on SSL transparently. The SSL protocol negotiates the encryption algorithm, the encryption key and the server authentication before data is transmitted. Once the negotiation is done, all the data being transferred is encrypted. As described above, the security channel is provided by SSL
239. ...e send hop may be a TTL timeout return, but the procedure carries on until the data packet is sent to its destination. This procedure records every source address that returned an ICMP TTL timeout message, so as to describe the path the IP data packets traveled to reach the destination. For the options and explanations of the parameters of the Traceroute command, please refer to the traceroute command chapter in the command manual.

66.4 Traceroute6
The Traceroute6 function is used to test the gateways passed through by data packets from the source equipment to the destination equipment, to verify accessibility and locate network failures. The principle of Traceroute6 under IPv6 is the same as that under IPv4: it uses the hop limit field of the IPv6 header together with ICMPv6. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and packet sent time) whose HOPLIMIT is set to 1. When the first router on the path receives this datagram, it decrements the HOPLIMIT by 1, and the HOPLIMIT is now 0, so the router discards the datagram and returns an ICMPv6 time exceeded message including the source address of the IPv6 packet, all content of the IPv6 packet and the IPv6 address of the router. Upon receiving this message, Traceroute6 sends another datagram with the HOPLIMIT increased to 2, so as to discover the second router. The HOPLIMIT is increased by 1 every time to discover another router...
240. ...e switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img
With the above commands the switch will have the nos.img file on the computer downloaded to the FLASH.

TFTP Configuration
Computer side configuration: Start the TFTP server software on the computer and place the 12_30_nos.img file in the appropriate TFTP server directory on the computer. The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy tftp://10.1.1.1/12_30_nos.img nos.img

Scenario 2: The switch is used as FTP server
The switch operates as the FTP server and connects from one of its ports to a computer which is an FTP client. Transfer the nos.img file in the switch to the computer and save it as 12_25_nos.img. The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#ftp-server enable
Switch(config)#username Admin password 0 superuser
Computer side configu...
241. ...e user and join the Auto VLAN. Auto VLAN won't change or affect the port's configuration, but the priority of Auto VLAN is higher than that of the user-set VLAN; that is, Auto VLAN is the one that takes effect when the authentication is finished, while the user-set VLAN does not work until the user becomes offline.
Notes: At present Auto VLAN can only be used in the port-based access control mode and on the ports whose link type is Access.
(2) Guest VLAN
The Guest VLAN feature is used to allow unauthenticated users to access some specified resources. The user authentication port belongs to a default VLAN (the Guest VLAN) before passing the 802.1x authentication, with the right to access the resources within this VLAN without authentication, but the resources in other networks are beyond reach. Once authenticated, the port leaves the Guest VLAN and the user can access the resources of other networks. In the Guest VLAN, users can obtain 802.1x supplicant system software, update the supplicant system, or update some other applications such as anti-virus software and operating system patches. The access device adds the port into the Guest VLAN if no supplicant gets authenticated successfully within a certain stretch of time because of a lack of an exclusive authentication supplicant system or because the version of the supplicant system is too low. Once the 802.1x feature is enabled and the Guest VLAN is configured properly, a port will be added into Gu...
242. ...ect TACACS server.

Chapter 47 RADIUS Configuration
47.1 Introduction to RADIUS
47.1.1 AAA and RADIUS Introduction
AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for managing network access securely. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who can visit the network device, which access level the user can have, and accounting for the network resources used. RADIUS (Remote Authentication Dial-in User Service) is a distributed client/server protocol for information exchange. The RADIUS client is usually used on a network appliance to implement AAA in cooperation with the 802.1x protocol. The RADIUS server maintains the database for AAA and communicates with the RADIUS client through the RADIUS protocol. RADIUS is the most commonly used protocol in the AAA framework.
47.1.2 Message structure for RADIUS
The RADIUS protocol uses UDP to deliver protocol packets. The packet format is shown below.
Figure 47-1 Message structure for RADIUS
Code field (1 octet) is the type of the RADIUS packet. Available values for the Code field are shown below:
1  Access-Request
2  Access-Accept
3  Access-Reject
4  Accounting-Request
5  Accounting-Response
11 Access-Challenge
Identifier field (1 octet): Identifier for the request and an...
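A parser for the message layout described above, added here as an example; it is not part of the manual or of the switch firmware. It decodes the Code and Identifier fields the text names, together with the Length, Authenticator and attribute TLVs that follow them in a RADIUS datagram, and rejects the truncated or inconsistent packets a receiver must not process. The sample Access-Request is constructed inline; the attribute type numbers used in it (1 = User-Name, 5 = NAS-Port) are standard RADIUS values, not something this chapter lists.

```python
import struct

# Code values from the chapter's table (the standard RADIUS numbering).
RADIUS_CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
    11: "Access-Challenge",
}

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def parse_radius(packet: bytes) -> dict:
    """Parse one RADIUS datagram into header fields and a list of (type, value) attributes.

    Raises ValueError for the malformed cases a receiver has to drop: a datagram shorter
    than the fixed header, a Length field that disagrees with the datagram, or an
    attribute whose own length runs past the end of the packet.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:HEADER_LEN]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError(f"bad Length field {length} for {len(packet)}-byte datagram")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute type {atype} has invalid length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": code,
        "code_name": RADIUS_CODES.get(code, f"Unknown({code})"),
        "identifier": identifier,
        "length": length,
        "authenticator": authenticator,
        "attributes": attrs,
    }


def build_radius(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    """Assemble a RADIUS datagram; used here only to construct the sample input."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


# Constructed sample: an Access-Request carrying User-Name (type 1) and NAS-Port (type 5).
SAMPLE_AUTH = bytes(range(16))  # constructed Request Authenticator, not a real random value
SAMPLE_ACCESS_REQUEST = build_radius(
    1, 0x2A, SAMPLE_AUTH,
    [(1, b"alice"), (5, struct.pack("!I", 7))],
)


def describe(packet: bytes) -> str:
    """One-line summary of a parsed packet, e.g. for a debug log."""
    p = parse_radius(packet)
    return f"{p['code_name']} id={p['identifier']} len={p['length']} attrs={len(p['attributes'])}"
```

`parse_radius` never trusts the Length field on its own: it is checked against the real datagram size first, and every attribute length is checked against the declared end of the packet, so a crafted packet cannot make the loop read past the buffer.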
243. ...ector through one or multiple bridge devices. If the remote access collector is a broadband access server (BAS), it can supply broadband access and accounting functions for these hosts, so the PPPoE protocol is usually used for broadband access authentication on Ethernet.
51.1.2 Introduction to PPPoE IA
As broadband access techniques have developed rapidly, broadband access networks have also grown from strength to strength, but security problems have gradually become the focus: the clients, the access device and the network all face security problems, especially from the client side in the current access network. Traditional Ethernet users cannot be identified, traced and located exactly; however, in an open and controllable network, identification and location are basic requirements for users. For example, when supplying applications that use user accounts to log in, the method supplied by PPPoE Intermediate Agent can effectively prevent user accounts from being stolen.
PPPoE works in two stages: the discovery stage and the session stage. The discovery stage is used to obtain the MAC address of the remote server and to establish a point-to-point link and a session ID with the server; the session stage uses this session ID to communicate. PPPoE Intermediate Agent relates only to the discovery stage, so we introduce only the discovery stage. There are four steps in the discovery stage:
1. Client sends PADI packet. In the first step, the client uses broa...
244. ...ecurity is a MAC address based security mechanism for network access control. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of received frames, and the access to unauthorized devices by checking the destination MAC address of sent frames. With port security you can define various port security modes so that a device learns only legal source MAC addresses, so as to implement the corresponding network security management. After port security is enabled, when the device detects an illegal frame it triggers the corresponding port security feature and takes a pre-defined action automatically. This reduces the user's maintenance workload and greatly enhances system security.
15.2 PORT SECURITY Configuration Task List
1. Basic configuration for PORT SECURITY
Port mode
Command: switchport port-security / no switchport port-security
Explanation: Configure port security of the interface.
Command: switchport port-security mac-address <mac-address> vlan <vlan-id> / no switchport port-security mac-address <mac-address> vlan <vlan-id>
Explanation: Configure the static security MAC of the interface.
Command: switchport port-security maximum <value> vlan <vlan-list> / no switchport port-security maximum <value> vlan <vlan-list>
Explanation: Configure the maximum number of security MAC addresses allowed by the interface.
245. ...ed. Otherwise please verify link connectivity and retry the copy command again.
220 Serv-U FTP Server v2.5 build 6 for WinSock ready
331 User name okay, need password
230 User logged in, proceed
200 PORT Command successful
recv total = 1526037
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes)
226 Transfer complete
If the switch is upgrading the system file or system start-up file through FTP, the switch must not be restarted until "close ftp client" or "226 Transfer complete" is displayed, indicating the upgrade is successful; otherwise the switch may be rendered unable to start. If the system file and system start-up file upgrade through FTP fails, please try to upgrade again or use the BootROM mode to upgrade.
4.5.3.4.2 TFTP Troubleshooting
When uploading or downloading system files with the TFTP protocol, the connectivity of the link must be ensured, i.e. use the Ping command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity. The following is the message displayed when files are successfully transferred. Otherwise please verify link connectivity and retry the copy command again.
nos.img file length = 1526021
read file ok
begin to send file, wait...
file transfers complete
Close tftp client
The following is the message d...
246. ...ed Switch. Plug the other end of the power cord into an electric service outlet, and the power will be ready. The device is a power-required device, meaning it will not work until it is powered. If your network should be active all the time, please consider using a UPS (Uninterruptible Power Supply) for your device. It will prevent network data loss or network downtime.
Power Notice: In some areas, installing a surge suppression device may also help to protect your Managed Switch from being damaged by unregulated surge or current to the Switch or the power adapter.
2.2 Installing the Managed Switch
This section describes how to install your Managed Switch and make connections to it. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps. In this paragraph we describe how to install the Managed Switch and the installation points to attend to.
2.2.1 Desktop Installation
To install the Managed Switch on a desktop or shelf, please follow these steps:
Step 1: Attach the rubber feet to the recessed areas on the bottom of the Managed Switch.
Step 2: Place the Managed Switch on the desktop or the shelf near an AC power source, as shown in Figure 2-4.
Figure 2-4 Place the Managed Switch on the...
247. ...ed control VLAN ID.
Command: node-mode {master | transit}
Explanation: Configure the node type of the MRPP ring: primary node or secondary node.
Command: hello-timer <timer> / no hello-timer
Explanation: Configure the Hello packet sending timer of the primary node of the MRPP ring; the no format restores the default timer value.
Command: fail-timer <timer> / no fail-timer
Explanation: Configure the Hello packet overtime timer of the primary node of the MRPP ring; the no format restores the default timer value.
Command: enable / no enable
Explanation: Enable the MRPP ring; the no format disables the enabled MRPP ring.
Port mode
Command: mrpp ring <ring-id> primary-port / no mrpp ring <ring-id> primary-port
Explanation: Specify the primary port of the MRPP ring.
Command: mrpp ring <ring-id> secondary-port / no mrpp ring <ring-id> secondary-port
Explanation: Specify the secondary port of the MRPP ring.
3. Configure the query time of MRPP
Global Mode
Command: mrpp poll-time <20-2000>
Explanation: Configure the query interval of MRPP.
4. Configure the compatible mode
Global Mode
Command: mrpp errp compatible / no mrpp errp compatible
Explanation: Enable the compatible mode for ERRP; the no command disables the compatible mode.
Command: mrpp eaps compatible / no mrpp eaps compatible
Explanation: Enable the compatible mode for EAPS; the no command disables the compatible mode.
Command: errp domain <domain-id> / no errp domain <domain-id>
Explanation: Create an ERRP domain; the no command deletes the configured ERRP domain.
5. Display and debug MRPP relevant informa...
248. ...ed or not.
Command: loopback-detection control-recovery timeout <0-3600>
Explanation: Configure whether automatic recovery of loopback detection control is enabled, and the recovery time.
9.3 Port Loopback Detection Function Example
Figure 9-1 Typical example of port loopback detection
As shown in the above configuration, the switch will detect the existence of loopbacks in the network topology. After enabling the loopback detection function on the port connecting the switch with the outside network, the switch will notify the connected network about the existence of a loopback and control the port on the switch to guarantee the normal operation of the whole network.
The configuration task sequence of SWITCH:
Switch(config)#loopback-detection interval-time 35 15
Switch(config)#interface ethernet 1/1
Switch(Config-If-Ethernet1/1)#loopback-detection special-vlan 1-3
Switch(Config-If-Ethernet1/1)#loopback-detection control block
If adopting the control method of block, MSTP should be globally enabled, and the corresponding relation between the spanning tree instance and the VLAN should be configured:
Switch(config)#spanning-tree
Switch(config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 1
Switch(Config-Mstp-Region)#instance 2 vlan 2
Switch(Config-Mstp-Region)#
9.4 Port Loopback Detection Troubleshooting
The fu...
249. ...ee
Command: uldp recovery-time <integer> / no uldp recovery-time <integer>
Explanation: Configure the interval of recovery reset, ranging from 30 to 86400 seconds. The value is 0 seconds by default.
8. Reset the port shut down by ULDP
Global configuration mode or port configuration mode
Command: uldp reset
Explanation: Reset all ports in global configuration mode; reset the specified port in port configuration mode.
9. Display and debug the relative information of ULDP
Admin mode
Command: show uldp [interface ethernet IFNAME]
Explanation: Display ULDP information. No parameter means display the global ULDP information; specifying a port displays the global information and the neighbor information of the port.
Command: debug uldp fsm interface ethernet <IFNAME> / no debug uldp fsm interface ethernet <IFNAME>
Explanation: Enable or disable the debug switch of the state machine transition information on the specified port.
Command: debug uldp error / no debug uldp error
Explanation: Enable or disable the debug switch of error information.
Command: debug uldp event / no debug uldp event
Explanation: Enable or disable the debug switch of event information.
Command: debug uldp packet {receive | send} / no debug uldp packet {receive | send}
Explanation: Enable or disable the debug switch of packets that can be received and sent on all ports.
Command: debug uldp {hello | probe | echo | unidir | all} {receive | send} interface ethernet <IFNAME> / no debug uldp {hello | probe | echo | unidir | all} {receive | send} interface ethernet <IFNAME>
Explanation: Enable or disable the content detail of a particular type of messages that can be received and sent on the specified port.
250. ... 20-87
20.4 VLAN Translation Configuration 20-87
20.4.1 Introduction to VLAN Translation 20-87
20.4.2 VLAN Translation Configuration 20-88
20.4.3 Typical Application of VLAN Translation 20-89
20.4.4 VLAN Translation Troubleshooting 20-90
20.5 Multi-to-One VLAN Translation Configuration 20-90
20.5.1 Introduction to Multi-to-One VLAN Translation 20-90
20.5.2 Multi-to-One VLAN Translation Configuration 20-90
20.5.3 Typical Application of Multi-to-One VLAN Translation 20-91
20.5.4 Multi-to-One VLAN Translation Troubleshooting 20-93
20.6 Dynamic VLAN Configuration 20-93
20.6.1 Introduction to Dynamic VLAN 20-93
20.6.2 Dynamic VLAN Configuration 20-94
20.6.3 Typical Application of the Dynamic VLAN 20-96
20.6.4 Dynamic VLAN Troubleshooting ...
251. ... 20-97
20.7 GVRP Configuration 20-98
20.7.1 Introduction to GVRP 20-98
20.7.2 GVRP Configuration Task List 20-99
20.7.3 ... 20-100
20.7.4 GVRP Troubleshooting 20-102
20.8 Voice VLAN Configuration 20-102
20.8.1 Introduction to Voice VLAN 20-102
20.8.2 Voice VLAN Configuration 20-103
20.8.3 Typical Applications of the Voice VLAN 20-104
20.8.4 Voice VLAN Troubleshooting 20-105
Chapter 21 MAC Table Configuration 21-106
21.1 Introduction to MAC Table 21-106
21.1.1 Obtaining MAC Table 21-106
21.1.2 Forward or Filter 21-108
21.2 MAC Address Table Configuration Task List 21-109
21.3 Typical Configuration Examples 21-110
21.4 MAC Table Troubleshooting 21-111
21.5 MAC Address Function Extension 21-111
21.5.1 MAC Address Binding 21-111
21.6 MAC Notification Configuration
252. ... 30-29
30.3 Gratuitous ARP Configuration Example 30-30
30.4 Gratuitous ARP Troubleshooting 30-31
Chapter 31 DHCP Configuration 31-32
31.1 Introduction to DHCP 31-32
31.2 DHCP Server Configuration 31-33
31.3 DHCP Relay Configuration 31-36
31.4 DHCP Configuration Examples 31-38
31.5 DHCP Troubleshooting 31-41
Chapter 32 DHCPv6 Configuration 32-42
32.1 Introduction to DHCPv6 32-42
32.2 DHCPv6 Server Configuration 32-43
32.3 DHCPv6 Relay Delegation Configuration 32-45
32.4 DHCPv6 Prefix Delegation Server Configuration 32-46
32.5 DHCPv6 Prefix Delegation Client Configuration 32-48
32.6 DHCPv6 Configuration Examples 32-48
32.7 DHCPv...
253. ... 56-20
56.1 Introduction to ULPP 56-20
56.2 ULPP Configuration Task List 56-22
56.3 ULPP Typical Examples 56-24
56.3.1 ULPP Typical Example 1 56-24
56.3.2 ULPP Typical Example 2 56-26
56.4 ULPP Troubleshooting 56-27
Chapter 57 ULSM Configuration 57-28
57.1 Introduction to ULSM 57-28
57.2 ULSM Configuration 57-29
57.3 ULSM Typical Example 57-30
57.4 ULSM Troubleshooting 57-31
Chapter 58 Mirror Configuration 58-32
58.1 Introduction to Mirror 58-32
58.2 Mirror Configuration Task List 58-32
58.3 Mirror Examples 58-33
58.4 Device Mirror Troubleshooting 58-34
Chapter 59 sFlow Configuration 59-35
59.1 Introduction to sFlow 59-35
59.2 sFlow Configuration Task List 59-35
59.3 sFlow Examples 59-37
59.4 sFlow Troubleshooting 59-38
Chapter 60 RSPAN Configuration 60-39
60.1 Introduction to RSPAN 60-39
60.2 RSPAN Configuration Task List 60-41
60.3 Typical Examples of RSPA...
254. ...efault value: 1 second.
3. Configure static IPv6 neighbor entries
Interface Configuration Mode
Command: ipv6 neighbor <ipv6-address> <hardware-address> interface <interface-type interface-name>
Explanation: Set static neighbor table entries, including the neighbor IPv6 address, MAC address and layer 2 port.
Command: no ipv6 neighbor <ipv6-address>
Explanation: Delete neighbor table entries.
26.2.3 IPv6 Troubleshooting
If the connected PC has not obtained an IPv6 address, you should check the RA announcement switch; the default is turned off.
26.3 Static Route
26.3.1 Introduction to Static Route
As mentioned earlier, a static route is a manually specified path to a network or a host. Static routes are simple and consistent, can prevent illegal route modification, and are convenient for load balancing and route backup. However, they also have their own defects. A static route, as its name indicates, is static: it won't modify the route automatically on network failure, and manual configuration is required on such occasions; therefore it is not suitable for mid- and large-scale networks. Static routes are mainly used in the following two conditions:
1. In stable networks, to reduce the load of route selection and routing data streams. For example, a static route can be used for the route to a STUB network.
2. For route backup: configure a static route on the backup line with a lower priority than the main line.
Static route and d...
255. ...eited ARP application packets to switches. After switches learn these packets, they overwrite the previously correct IP-to-MAC address mappings, so that some correct IP/MAC mappings are changed to the correspondence configured by the attack packets; the switch then makes mistakes when forwarding packets, which affects the whole network. Or the switches are exploited by malicious attackers, who intercept and capture packets forwarded by the switches or attack other switches, host computers or network equipment. The essential method of preventing ARP-based attacks and spoofing of switches is to disable the switch's automatic update function: the cheater can't modify the correct MAC address, so wrong packet forwarding is avoided and other information can't be obtained. At the same time, it doesn't interrupt the automatic learning function of ARP. Thus it prevents ARP spoofing and attacks to a great extent.
28.2 Prevent ARP Spoofing Configuration
The steps of the Prevent ARP Spoofing configuration are as below:
1. Disable ARP automatic update function
2. Disable ARP automatic learning function
3. Change dynamic ARP to static ARP
1. Disable ARP automatic update function
Global Mode and Port Mode
Command: ip arp-security updateprotect / no ip arp-security updateprotect
Explanation: Disable and enable the ARP automatic update function.
2. Disable ARP automatic learning function
Global mode and Interface Mode
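The effect of the three steps listed above, shown on a constructed sequence of ARP replies by a small software model of the ARP cache. This is an added example, not the switch's own code: the table class, its flag names and the sample addresses are assumptions made for the illustration, and the switch's real behaviour is what the commands in this section configure. The model makes visible what the text states: with update protection on, a conflicting reply for an already-known IP is rejected and reported while new hosts are still learned, and with learning off only the static bindings of step 3 remain.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ArpEntry:
    mac: str
    static: bool = False


class ArpTable:
    """Model of the switch ARP cache with the two protections this section configures.

    update_protect: an existing IP-to-MAC binding is never replaced by a learned packet
                    (the 'disable ARP automatic update' step).
    learning:       when False, no new bindings are learned from packets at all
                    (the 'disable ARP automatic learning' step); only static entries remain.
    """

    def __init__(self, update_protect: bool = False, learning: bool = True):
        self.entries: Dict[str, ArpEntry] = {}
        self.update_protect = update_protect
        self.learning = learning
        self.alerts: List[str] = []

    def add_static(self, ip: str, mac: str) -> None:
        """Step 3 of the section: pin a binding so that no packet can change it."""
        self.entries[ip] = ArpEntry(mac, static=True)

    def learn(self, ip: str, mac: str) -> bool:
        """Process one received ARP reply; return True if the table changed."""
        current = self.entries.get(ip)
        if current is None:
            if not self.learning:
                self.alerts.append(f"ignored (learning disabled): {ip} -> {mac}")
                return False
            self.entries[ip] = ArpEntry(mac)
            return True
        if current.mac == mac:
            return False                       # same binding, nothing to do
        if current.static or self.update_protect:
            self.alerts.append(f"blocked overwrite of {ip}: {current.mac} -> {mac}")
            return False
        self.alerts.append(f"overwrote {ip}: {current.mac} -> {mac}")
        self.entries[ip] = ArpEntry(mac)
        return True


# Constructed sample traffic: the gateway answers, then a second station claims its IP.
SAMPLE_ARP_REPLIES: List[Tuple[str, str]] = [
    ("10.1.1.1", "00:11:22:33:44:55"),    # legitimate gateway reply
    ("10.1.1.20", "00:aa:bb:cc:dd:20"),   # ordinary host
    ("10.1.1.1", "00:de:ad:be:ef:01"),    # conflicting claim for the gateway address
    ("10.1.1.1", "00:de:ad:be:ef:01"),    # the conflicting claim repeated
]


def replay(update_protect: bool, learning: bool, statics: Dict[str, str]):
    """Replay the sample replies through a table with the given settings.

    Returns the resulting IP-to-MAC mapping and the list of alerts raised,
    so the three configurations of the section can be compared side by side."""
    table = ArpTable(update_protect=update_protect, learning=learning)
    for ip, mac in statics.items():
        table.add_static(ip, mac)
    for ip, mac in SAMPLE_ARP_REPLIES:
        table.learn(ip, mac)
    return {ip: entry.mac for ip, entry in table.entries.items()}, table.alerts
```

The alerts list is the part worth wiring into monitoring: a blocked overwrite of a gateway address is exactly the event that distinguishes a spoofing attempt from ordinary address churn.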
256. ...ell as does fee counting, and is usually a RADIUS (Remote Authentication Dial-In User Service) server, which can store the relevant user information including username, password and other parameters such as the VLAN and ports the user belongs to.
The three entities above involve the following basic concepts: the PAE of the port, the controlled ports and the controlled direction.
1. PAE
PAE (Port Access Entity) is the entity that implements the operation of algorithms and protocols.
- The PAE of the supplicant system is supposed to respond to the authentication request from the authenticator system and submit the user's authentication information to the authenticator system. It can also send authentication requests and off-line requests to the authenticator.
- The PAE of the authenticator system authenticates the supplicant systems needing to access the LAN via the authentication server system, and sets the authenticated/unauthenticated state of the controlled port according to the result of the authentication. The authenticated state means the user is allowed to access the network resources; the unauthenticated state means only EAPOL messages are allowed to be received and sent, while the user is forbidden to access network resources.
2. Controlled/uncontrolled ports
The authenticator system provides ports to access the LAN for the supplicant systems. These ports can be divided into two kinds of logical ports: controlled ports an...
257. ...ell as the MLD Snooping on each VLAN. Therefore, we first have to enable global MLD Snooping, at the same time enable MLD Snooping on VLAN 100, and furthermore set port 1 of VLAN 100 as a mrouter port. The configuration procedure is as follows:
Switch(config)#ipv6 mld snooping
Switch(config)#ipv6 mld snooping vlan 100
Switch(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/1
Multicast configuration: Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2; programs 1 and 2 are supplied on Multicast Server 1, while program 3 is on Multicast Server 2, using group addresses Group 1, Group 2 and Group 3 respectively. Concurrently, a multicast application is operating on the four hosts: the two hosts connected to ports 2 and 6 are playing program 1, while the host connected to port 10 is playing program 2 and the one on port 12 is playing program 3.
MLD Snooping interception results: The multicast table on VLAN 100 shows that ports 1, 2 and 6 are in Multicast Server 1 Group 1, ports 1 and 10 are in Multicast Server 1 Group 2, and ports 1 and 12 are in Multicast Server 2 Group 3. All four hosts successfully receive the programs they are interested in: ports 2 and 6 receive no traffic from programs 2 and 3, port 10 receives no traffic from programs 1 and 3, and port 12 receives no traffic from programs 1 and 2.
Scenario 2: MLD L2 general querier
Multicast R...
258. ...em can communicate with the uplink port e1/15. That is, communication between any pair of downlink ports is disabled, while that between any downlink port and a specified uplink port is normal. The uplink port can communicate with any port normally.
The configuration of S1:
Switch(config)#isolate-port group test
Switch(config)#isolate-port group test switchport interface ethernet 1/1-10

Chapter 9 Port Loopback Detection Function Configuration
9.1 Introduction to Port Loopback Detection Function
With the development of switches, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through layer 2 switches, which means urgent demands for both Internet access and internal layer 2 interworking. When layer 2 interworking is required, messages are forwarded by MAC addressing, the accuracy of which is the key to correct interworking between users. In layer 2 switching, messages are forwarded by MAC addressing. Layer 2 devices learn MAC addresses by learning source MAC addresses; that is, when a port receives a message from an unknown source MAC address, it binds this MAC to the receiving port so that following messages destined to this MAC can be forwarded directly, which also means a MAC address is learnt once and for all to forward messages. When a source MAC already learnt by the layer 2 device is seen again, only with a different source...
259. ...emote table
Explanation: Clear the remote table of the port.
Explanation: Enable or disable the DEBUG packet receiving and sending function in port or global mode.
11.3 LLDP Function Typical Example
Figure 11-1 LLDP Function Typical Configuration Example
In the network topology above, ports 1-3 of SWITCH B are connected to ports 2-4 of SWITCH A. Port 1 of SWITCH B is configured to message-receiving-only mode. The optional TLVs of port 4 of SWITCH A are configured as portDesc and sysCap.
SWITCH A configuration task sequence:
SwitchA(config)#lldp enable
SwitchA(config)#interface ethernet 1/4
SwitchA(Config-If-Ethernet1/4)#lldp transmit optional tlv portDesc sysCap
SwitchA(Config-If-Ethernet1/4)#exit
SWITCH B configuration task sequence:
SwitchB(config)#lldp enable
SwitchB(config)#interface ethernet 1/1
SwitchB(Config-If-Ethernet1/1)#lldp mode receive
SwitchB(Config-If-Ethernet1/1)#exit
11.4 LLDP Function Troubleshooting
- The LLDP function is disabled by default. After enabling the global switch of LLDP, users can enable the debug switch (debug lldp) simultaneously to check debug information.
- The show functions of LLDP display the configuration information in global or port configuration mode.

Chapter 12 Port Channel Configuration
12.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports...
260. ...ent should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste; such WEEE has to be collected separately.
Revision
PLANET 50-Port 10/100/1000Mbps with 4 Shared SFP Managed Gigabit Switch User's Manual
FOR MODEL: WGSW-52040
REVISION: 1.0 (July 2013)
Part No.: EM-WGSW-52040 (2081-A93280-000)
Contents
Chapter 1 Introduction 1-1
1.1 Packet Contents 1-1
1.2 Product Description 1-1
1.3 Product Features 1-3
1.4 Product Specifications 1-5
Chapter 2 Installation 2-1
2.1 Hardware Description 2-1
2.1.1 Switch Front Panel 2-1
2.1.2 LED Indications 2-1
2.1.3 Switch Rear Panel 2-2
2.2 Installing the Managed Switch 2-4
2.2.1 Desktop Installation 2-4
2.2.2 Rack Mounting 2-5
2.2.3 Installing the SFP Transceiver 2-6
Chapter 3 Switch Management 3-10
3.1 Management Options 3-10
3.1.1 Out-Of-Band Management 3-10
3.1.2 In-band Management 3-13
3.2 CLI Interface 3-19
3.2.1 Configuration Modes 3-19
3.2.2 Configuration Syntax 3-21
3.2.3 Shortcut Key Support 3-22
3.2.4 Help Function 3-22
3.2.5 Input Verification 3-23
3.2.6 Fuzzy Match Support 3-23
Chapter 4 Basic Switch Config...
261. ...ersion: no parameters required. This is a command with only a keyword and no parameter; just type in the command to run it.
- vlan <vlan-id>: parameter values are required after the keyword.
- firewall {enable | disable}: the user can enter firewall enable or firewall disable for this command.
- snmp-server community {ro | rw} <string>: the following are possible: snmp-server community ro <string>; snmp-server community rw <string>.
3.2.3 Shortcut Key Support
The switch provides several shortcut keys to facilitate user configuration, such as Up, Down, Left, Right and Blank Space. If the terminal does not recognize the Up and Down keys, Ctrl+P and Ctrl+N can be used instead.
Key(s): Function
Back Space: Delete the character before the cursor; the cursor moves back.
Up: Show the previous command entered. Up to ten recently entered commands can be shown.
Down: Show the next command entered. When using the Up key to get previously entered commands, you can use the Down key to return to the next command.
Left / Right: The Left/Right key is used to modify an entered command.
Ctrl+P: The same as the Up key.
Ctrl+N: The same as the Down key.
(key not legible): The same as the Left key.
(key not legible): The same as the Right key.
Ctrl+Z: Return to the Admin Mode directly from the other configuration modes (except User Mode).
Tab: When a string for a command or keyword is entered, the Tab key can be used to comple...
erval is set to 30 minutes.

Switch(config)#show transceiver threshold-violation interface ethernet 1/21-22
Ethernet 1/21 transceiver threshold-violation information:
  Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
  The last threshold violation doesn't exist.
Ethernet 1/22 transceiver threshold-violation information:
  Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
  The last threshold violation doesn't exist.

Step 2: Enable transceiver monitoring on Ethernet 1/21.
Switch(config)#interface ethernet 1/21
Switch(config-if-ethernet1/21)#transceiver-monitoring enable

Step 3: Show the transceiver monitoring of the fiber module. In the following output Ethernet 1/21 has transceiver monitoring enabled, the last threshold violation time is Jan 02 11:00:50 2011, and the DDM information that exceeded the threshold is also shown.
Switch(config-if-ethernet1/21)#quit
Switch(config)#show transceiver threshold-violation interface ethernet 1/21-22
Ethernet 1/21 transceiver threshold-violation information:
  Transceiver monitor is enabled. Monitor interval is set to 30 minutes.
  The current time is Jan 02 12:30:50 2011.
  The last threshold violation time is Jan 02 11:00:50 2011.
  Brief alarm information: RX loss of signal; RX power low
  Detail diagnostic and threshold information:
  Diagnostic        Realtime Value   High Alarm   Low Alarm   High Warn   Low Warn
  Temperature (°C)  33               70           0
erver and clients are located in different subnets, a DHCP relay is required for DHCP packets to be transferred between the DHCP client and the DHCP server. The implementation of DHCP is shown below.

Figure 31-1 DHCP protocol interaction (DHCP CLIENT <-> DHCP SERVER: Discover, Offer, Request, Ack)

Explanation:
1. The DHCP client broadcasts a DHCPDISCOVER packet in the local subnet.
2. On receiving the DHCPDISCOVER packet, the DHCP server sends a DHCPOFFER packet carrying an IP address and other network parameters to the DHCP client.
3. The DHCP client selects one of the DHCPOFFER packets it received and broadcasts a DHCPREQUEST packet identifying the DHCP server it selected.
4. The selected DHCP server sends a DHCPACK packet, and the client obtains an IP address and the other network configuration parameters.

The above four steps complete one dynamic host configuration assignment. However, if the DHCP server and the DHCP client are not in the same network, the server will not receive the DHCP broadcast packets sent by the client, and therefore no DHCP packets will be sent to the client by the server. In this case a DHCP relay is required to forward the DHCP packets so that the exchange can be completed between the DHCP client and server.

The switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment but also manual IP address binding, i.e. specifying a specific IP addr
ervice center.

Chapter 58 Mirror Configuration

58.1 Introduction to Mirror
Mirror functions include the port mirror function, the CPU mirror function and the flow mirror function.
Port mirror refers to the duplication of data frames sent/received on one port to another port. The duplicated port is referred to as the mirror source port and the duplicating port as the mirror destination port. A protocol analyzer (such as Sniffer) or an RMON monitor is connected to the mirror destination port to monitor and manage the network and diagnose problems in the network.
CPU mirror means that the switch copies the data frames received or sent by the CPU to a port.
Flow mirror means that the switch copies the data frames on a port that match a specified rule to another port. Flow mirror takes effect only when the specified rule is a permit rule.
The switch supports one mirror destination port only. There is no limitation on mirror source ports; one port or several ports are allowed. When there is more than one source port, they can be in the same VLAN or in different VLANs. The source port and destination port can be in different VLANs.

58.2 Mirror Configuration Task List
1. Specify mirror destination port
2. Specify mirror source port/CPU
3. Specify flow mirror source

1. Specify mirror destination port
Command (Global Mode): monitor session <session> destination ...
Explanation: Specifies the mirror destination po
erwise the RSPAN tag will be stripped before reaching the destination switches.
3. The source port in access or trunk mode should not be added to the RSPAN VLAN if advanced RSPAN mode is chosen. When the reflector port is used for inter-card mirroring of CPU TX data, it must be configured as a TRUNK port that allows the RSPAN VLAN data to pass, and the native VLAN should not be configured as the RSPAN VLAN.
4. When configuring the remote mirroring function, the network bandwidth should be considered so that it can carry both the normal network flow and the mirrored flow.

Keywords:
RSPAN: Remote Switched Port Analyzer.
RSPAN VLAN: dedicated VLAN for RSPAN.
RSPAN Tag: the VLAN tag which is attached to the RSPAN datagrams at the MTP.
Reflector Port: the local mirroring port between the RSPAN source and destination ports, which is not directly connected to the intermediate switches.

60.2 RSPAN Configuration Task List
1. Configure RSPAN VLAN
2. Configure mirror source port/CPU
3. Configure mirror destination port
4. Configure reflector port
5. Configure remote VLAN of mirror group

1. Configure RSPAN VLAN
Command (VLAN Configuration Mode): remote-span / no remote-span
Explanation: Configures the specified VLAN as the RSPAN VLAN. The no command removes the RSPAN VLAN configuration.

2. Configure mirror source port/CPU
Command (Global Mode): monitor session <session> source {interface <interface-list> | cpu}
esholds. Because users' environments differ, the user is able to define the thresholds (high alarm, low alarm, high warn, low warn) to flexibly monitor the working state of the transceiver and find faults directly. The thresholds configured by the user and by the manufacturer can be shown at the same time. When a threshold defined by the user is irrational, the switch prompts the user and automatically raises alarms or warnings according to the default thresholds. The user is able to restore all thresholds to the defaults or restore a single threshold to its default.
Threshold rationality: high warn and low warn should lie between high alarm and low alarm, and each high threshold should be higher than the corresponding low threshold, namely high alarm > high warn > low warn > low alarm.
For fiber modules, the verification mode of the receiving power includes inner verification and outer verification, which is decided by the manufacturer. Besides, the verification mode of the real-time parameters and of the default thresholds is the same.

3. Transceiver monitoring
Besides checking the real-time working state of the transceiver, the user needs to monitor the detailed status, such as the time and type of former abnormalities. Transceiver monitoring helps the user find former abnormal status by checking the log, and query the last abnormal status by executing the commands. When the user finds the abnormality informati
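The rationality rule and the fallback-to-defaults behaviour described above, as an added example (not the switch's own code): a threshold set is checked for high alarm > high warn > low warn > low alarm, an irrational user set is rejected with a prompt and the manufacturer defaults are used instead, and a real-time reading is then classified the way the switch reports it (alarm, warning or normal). The default RX-power limits are constructed values, not the module's actual defaults.

```python
"""Added example: DDM threshold rationality check and alarm/warning classification.
Not the switch's own code; the numeric defaults below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    """One DDM channel's four limits, in the channel's unit (dBm, V, mA, degrees C)."""
    high_alarm: float
    high_warn: float
    low_warn: float
    low_alarm: float

    def is_rational(self) -> bool:
        # The manual's rule: high alarm > high warn > low warn > low alarm
        return self.high_alarm > self.high_warn > self.low_warn > self.low_alarm


# Constructed manufacturer defaults for an RX-power channel (dBm); hypothetical values.
DEFAULT_RX_POWER = Thresholds(high_alarm=0.0, high_warn=-3.0, low_warn=-20.0, low_alarm=-24.0)


def effective_thresholds(user: Optional[Thresholds],
                         default: Thresholds) -> Tuple[Thresholds, Optional[str]]:
    """Return the thresholds actually used, plus a prompt when the user set is rejected."""
    if user is None:
        return default, None
    if not user.is_rational():
        return default, ("user thresholds are irrational "
                         "(need high alarm > high warn > low warn > low alarm); using defaults")
    return user, None


def classify(value: float, t: Thresholds) -> str:
    """Map a real-time reading to the state the switch would report for it."""
    if value >= t.high_alarm:
        return "high alarm"
    if value <= t.low_alarm:
        return "low alarm"
    if value >= t.high_warn:
        return "high warn"
    if value <= t.low_warn:
        return "low warn"
    return "normal"


def evaluate(value: float, user: Optional[Thresholds],
             default: Thresholds = DEFAULT_RX_POWER) -> Tuple[str, Optional[str]]:
    """Classify a reading under the user's thresholds, falling back to defaults when irrational."""
    t, prompt = effective_thresholds(user, default)
    return classify(value, t), prompt


if __name__ == "__main__":
    # RX power readings taken from the manual's sample show output (dBm).
    for reading in (-30.54, -20.54, -6.01):
        print(reading, evaluate(reading, None))
    # Irrational user set: high warn placed above high alarm.
    print(evaluate(-30.54, Thresholds(high_alarm=-3.0, high_warn=0.0, low_warn=-20.0, low_alarm=-24.0)))
```

The alarm comparisons are made before the warning ones so that a reading beyond an alarm limit is never reported as a mere warning; that ordering only holds when the set is rational, which is why the check runs first.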
ess list
Command (Global Mode): ip access-list standard <name> / no ip access-list standard <name>
Explanation: Creates a name-based standard IP access list; the no command deletes the name-based standard IP access list.

b. Specify multiple permit or deny rules
Command (Standard IP ACL Mode): [no] {deny | permit} {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>}
Explanation: Creates a name-based standard IP access rule; the no form deletes the rule.

c. Exit name-based standard IP ACL configuration mode
Command (Standard IP ACL Mode): exit
Explanation: Exits name-based standard IP ACL configuration mode.

4. Configuring a name-based extended IP access list
a. Create an extended IP access list based on nomenclature
Command (Global Mode): ip access-list extended <name> / no ip access-list extended <name>
Explanation: Creates a name-based extended IP access list; the no command deletes it.

b. Specify multiple permit or deny rules
Command (Extended IP ACL Mode): [no] {deny | permit} icmp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> | any-destination | host-destinat
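How the three source forms of a standard rule (address plus wildcard mask, any-source, host-source) are matched, as an added example rather than the switch's own implementation. The evaluator treats sMask as a wildcard mask (a 1 bit means "don't care"), checks rules in the order entered, lets the first match decide and denies when nothing matches; first-match and the implicit deny are assumptions about this switch's ACL semantics, and the sample ACL is constructed.

```python
"""Added example: evaluation of a name-based standard IP ACL with wildcard masks.
This is not the switch's own implementation. Assumptions: rules are checked in the order
entered, the first match decides, and a list that matches nothing denies."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    addr: int        # address to compare against (0 for any-source)
    wildcard: int    # wildcard mask: a 1 bit means "don't care"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_rule(line: str) -> Rule:
    """Parse the manual's three source forms:
       {permit|deny} <sIpAddr> <sMask>   (sMask is a wildcard mask, e.g. 10.0.0.0 0.0.0.255)
       {permit|deny} any-source
       {permit|deny} host-source <sIpAddr>"""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    action, selector = parts[0], parts[1]
    if selector == "any-source":
        return Rule(action, 0, 0xFFFFFFFF)
    if selector == "host-source":
        return Rule(action, _ip(parts[2]), 0)
    if len(parts) != 3:
        raise ValueError(f"bad rule: {line!r}")
    return Rule(action, _ip(selector), _ip(parts[2]))


def matches(rule: Rule, src: int) -> bool:
    # Only the bits that are 0 in the wildcard must agree between rule address and source.
    care = ~rule.wildcard & 0xFFFFFFFF
    return (src ^ rule.addr) & care == 0


def evaluate(rules: List[Rule], src_ip: str) -> str:
    """First matching rule wins; no match means the implicit deny (assumption)."""
    src = _ip(src_ip)
    for rule in rules:
        if matches(rule, src):
            return rule.action
    return "deny"


# Constructed ACL: block one host, permit the rest of its /24, deny everything else.
SAMPLE_ACL = [parse_rule(r) for r in (
    "deny host-source 10.0.0.99",
    "permit 10.0.0.0 0.0.0.255",
    "deny any-source",
)]

if __name__ == "__main__":
    for ip in ("10.0.0.99", "10.0.0.5", "10.0.1.5"):
        print(ip, evaluate(SAMPLE_ACL, ip))
```

The order of the first two rules matters: swapping them would let the /24 permit match 10.0.0.99 first, which is the usual mistake when a host deny is appended after a broader permit.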
ess to a specified MAC address or a specified device ID over a long period. The differences and relations between dynamic IP address allocation and manual IP address binding are:
1. A dynamically obtained IP address can be different every time; a manually bound IP address is always the same.
2. The lease period of a dynamically obtained IP address equals the lease period of the address pool and is limited; the lease of a manually bound IP address is theoretically endless.
3. A dynamically allocated address cannot be bound manually.
4. A dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the related segment.

31.2 DHCP Server Configuration
DHCP Server Configuration Task List:
1. Enable/disable DHCP service
2. Configure DHCP address pool
   (1) Create/delete DHCP address pool
   (2) Configure DHCP address pool parameters
   (3) Configure manual DHCP address pool parameters
3. Enable logging for address conflicts

1. Enable/disable DHCP service
Command (Global Mode): service dhcp / no service dhcp
Explanation: Enables the DHCP server; the no command disables the DHCP server.
Command (Port Mode): ip dhcp disable / no ip dhcp disable
Explanation: The port disables DHCP services; the no command enables DHCP services on the port.

2. Configure DHCP address pool
(1) Create/delete DHCP address pool
Command (Global Mode): ip dhcp pool <name>
Explanation: Configures a DHCP address pool. The no operation cancels the DHCP address poo
est VLAN, just like Auto VLAN, if there is no response message from the supplicant system after the device has sent more authentication triggering messages (EAP-Request/Identity) from the port than the upper limit.
- The authentication server assigns an Auto VLAN; the port then leaves the Guest VLAN and joins the assigned Auto VLAN. When the user goes offline, the port is allocated to the specified Guest VLAN again.
- The authentication server assigns an Auto VLAN; the port then leaves the Guest VLAN and joins the specified VLAN. When the user goes offline, the port is allocated to the specified Guest VLAN again.

42.2 802.1x Configuration Task List
1. Enable IEEE 802.1x function
2. Access management unit property configuration
   (1) Configure port authentication status
   (2) Configure access management method for the port (MAC-based or port-based)
   (3) Configure expanded 802.1x function
   (4) Configure IPv6 passthrough function of the port
3. User access devices related property configuration (optional)

1. Enable 802.1x function
Command (Global Mode): dot1x enable / no dot1x enable
Explanation: Enables the 802.1x function on the switch and its ports; the no command disables the 802.1x function.
Command (Global Mode): dot1x privateclient enable / no dot1x privateclient enable
Explanation: Forces client software to use the private 802.1x authentication packet format. The no command disables this function.
Command: dot1x user fre
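The Guest VLAN / Auto VLAN port behaviour described above, modelled as an added example (not the switch's code): a port whose supplicant stays silent past the EAP-Request/Identity limit drops into the Guest VLAN, a successful authentication moves it to the server-assigned Auto VLAN, and a logoff returns it to the Guest VLAN. The request limit, the VLAN numbers and the notion of a "default VLAN" the port sits in before any assignment are constructed assumptions.

```python
"""Added example: how a port moves between Guest VLAN and the server-assigned Auto VLAN.
This models the behaviour described in the manual; it is not the switch's own code. The
request limit and VLAN numbers are constructed; 'default_vlan' (the port's VLAN before
any assignment) is an assumption."""
from typing import List, Optional


class Dot1xPort:
    def __init__(self, guest_vlan: int, max_requests: int = 3, default_vlan: int = 1):
        self.guest_vlan = guest_vlan
        self.max_requests = max_requests   # upper limit of unanswered EAP-Request/Identity
        self.default_vlan = default_vlan
        self.vlan = default_vlan
        self.state = "unauthenticated"
        self.unanswered = 0

    def send_request_identity(self) -> int:
        """Authenticator sends EAP-Request/Identity and gets no reply from the supplicant.
        Past the limit the port falls into the Guest VLAN."""
        self.unanswered += 1
        if self.state == "unauthenticated" and self.unanswered > self.max_requests:
            self.state = "guest"
            self.vlan = self.guest_vlan
        return self.vlan

    def supplicant_replied(self) -> None:
        """A response arrived, so the unanswered-request counter starts over."""
        self.unanswered = 0

    def auth_success(self, auto_vlan: Optional[int] = None) -> int:
        """Server accepted the user: leave the Guest VLAN for the assigned Auto VLAN
        (or the port's own VLAN if the server assigned none)."""
        self.state = "authenticated"
        self.vlan = auto_vlan if auto_vlan is not None else self.default_vlan
        return self.vlan

    def user_offline(self) -> int:
        """User logs off: the port is allocated to the Guest VLAN again."""
        self.state = "guest"
        self.vlan = self.guest_vlan
        self.unanswered = 0
        return self.vlan


def walkthrough() -> List[int]:
    """Constructed sequence: silent supplicant, then an authenticated user, then logoff."""
    port = Dot1xPort(guest_vlan=99, max_requests=3)
    trace = [port.send_request_identity() for _ in range(4)]   # stays in VLAN 1, then Guest VLAN 99
    trace.append(port.auth_success(auto_vlan=20))                # Auto VLAN 20
    trace.append(port.user_offline())                            # back to Guest VLAN 99
    return trace


if __name__ == "__main__":
    print(walkthrough())
```

A reply from the supplicant resets the counter, so a host that answers slowly but does answer never lands in the Guest VLAN; only a port that exceeds the limit with no reply at all does.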
et 1/7
Switch(config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 1/9

21.4 MAC Table Troubleshooting
Using the show mac-address-table command, a port is found to have failed to learn the MAC of a device connected to it. Possible reasons:
- The connected cable is broken.
- Spanning Tree is enabled and the port is in discarding status, or the device has just been connected to the port and Spanning Tree is still calculating. Wait until the Spanning Tree calculation finishes and the port will learn the MAC address.
- If none of the above applies, please check the switch port and contact technical support for a solution.

21.5 MAC Address Function Extension
21.5.1 MAC Address Binding
21.5.1.1 Introduction to MAC Address Binding
Most switches support MAC address learning: each port can dynamically learn several MAC addresses, so that data streams between known MAC addresses can be forwarded between the ports. If a MAC address is aged out, packets destined for that entry will be broadcast. In other words, a MAC address learned on a port will be used for forwarding on that port; if the connection is moved to another port, the switch will learn the MAC address again and forward data on the new port. However, in some cases security or management policy may require MAC addresses to be bound to ports, so that only data streams from the bound MACs are allowed to be forwarded on th
ets to different priority queues according to the internal priority, while the scheduling operation performs the packet forwarding according to the priority queue weight and the drop precedence. The following flowchart describes the operations during queuing and scheduling.

Figure 23-6 Queuing and Scheduling process (flowchart steps):
1. Remark the DSCP and ToS fields of the packet according to the Int-Prio-to-DSCP/ToS mapping.
2. Remark the EXP field of the packet according to the Int-Prio-to-EXP mapping.
3. Select the queue according to the Int-Prio-to-Queue mapping (queue number).
4. Read the buffer value according to the queue removal algorithm, the packet drop priority and the egress queue.
5. Place the packet into the specified queue and forward it according to the weight/priority of the queues.

23.2 QoS Configuration Task List
1. Configure class map
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 FL to classify the data stream. Different classes of data streams will be processed with different policies.
2. Configure a policy map
After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode. Then different policies (such as bandwidth limit, priority degrading, assigning a new DSCP value) can be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes.
3. Apply QoS
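Steps 3 and 5 of the flowchart (queue selection from the internal priority, then scheduling by queue weight or strict priority) as an added, runnable example rather than the switch's own implementation. It assumes the internal priority is the DSCP's upper three bits and that the Int-Prio-to-Queue mapping is the identity; the eight weights, the choice of queue 7 as strict-priority and the packets are constructed.

```python
"""Added example: queue selection by internal priority and a strict-priority + WRR
scheduler. Not the switch's own code. Assumptions: the internal priority is the DSCP's
upper three bits, the Int-Prio-to-Queue mapping is the identity, and the weights,
strict queue and packets are constructed."""
from collections import deque
from typing import Deque, Dict, List, Sequence, Set


def dscp_to_int_prio(dscp: int) -> int:
    """Assumption: internal priority 0..7 taken from the DSCP class-selector bits."""
    return (dscp >> 3) & 0x7


INT_PRIO_TO_QUEUE: Dict[int, int] = {p: p for p in range(8)}   # identity mapping (assumption)


class Scheduler:
    def __init__(self, weights: Sequence[int], strict: Sequence[int] = ()):
        if len(weights) != 8 or any(w < 1 for w in weights):
            raise ValueError("eight weights, each at least 1, are required")
        self.queues: List[Deque[str]] = [deque() for _ in range(8)]
        self.weights = list(weights)
        self.strict: Set[int] = set(strict)   # queues served before any WRR round

    def enqueue(self, packet_id: str, dscp: int) -> int:
        """Step 3: place the packet in its queue and return the queue number chosen."""
        q = INT_PRIO_TO_QUEUE[dscp_to_int_prio(dscp)]
        self.queues[q].append(packet_id)
        return q

    def _pending(self, queues: Sequence[int]) -> bool:
        return any(self.queues[q] for q in queues)

    def schedule(self) -> List[str]:
        """Step 5: drain everything. Strict queues go first (highest number first); the
        rest are served in WRR rounds where queue q may send up to weights[q] packets."""
        out: List[str] = []
        for q in sorted(self.strict, reverse=True):
            while self.queues[q]:
                out.append(self.queues[q].popleft())
        wrr = [q for q in range(7, -1, -1) if q not in self.strict]
        while self._pending(wrr):
            for q in wrr:
                for _ in range(self.weights[q]):
                    if not self.queues[q]:
                        break
                    out.append(self.queues[q].popleft())
        return out


def demo() -> List[str]:
    """Constructed traffic: best-effort (DSCP 0), CS6 (48) and CS7 (56) packets."""
    s = Scheduler(weights=[1, 1, 1, 1, 2, 2, 4, 4], strict=(7,))
    for pid, dscp in (("A", 0), ("B", 0), ("C", 48), ("D", 48), ("E", 48), ("F", 56)):
        s.enqueue(pid, dscp)
    return s.schedule()


if __name__ == "__main__":
    print(demo())
```

With queue 7 strict, packet F leaves first regardless of arrival order; the WRR round then lets queue 6 send four packets before queue 0 sends one, which is why C, D and E precede A, and B waits for the second round.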
exceeded number of devices will not be supported.
- Voice VLAN on the port is enabled by default. If the configured data can no longer enter the Voice VLAN during operation, please check whether the Voice VLAN function has been disabled on the port.

Chapter 21 MAC Table Configuration

21.1 Introduction to MAC Table
The MAC table identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses are categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are manually configured by the user, have the highest priority, are permanently effective and will not be overwritten by dynamic MAC addresses; dynamic MAC addresses are entries learnt by the switch while forwarding data frames and are effective for a limited period.
When the switch receives a data frame to be forwarded, it stores the source MAC address of the data frame and creates a mapping to the port on which the frame arrived. Then the MAC table is queried for the destination MAC address: if there is a hit, the data frame is forwarded out of the associated port; otherwise the switch floods the data frame to its broadcast domain. If a dynamic MAC address is not seen in forwarded data frames for a long time, the entry is deleted from the MAC table.
There are two MAC table operations:
1. Obtain a MAC address
2. Forward or filter data frames according to the MAC table

21.1.1 Obtaining MAC Table
The MAC table
Figure 6-1 Examples of Cluster Configuration

Procedure:
1. Configure the command switch
Configuration of SW1:
Switch(config)#cluster run
Switch(config)#cluster ip-pool 10.2.3.4
Switch(config)#cluster commander 5526
Switch(config)#cluster auto-add

2. Configure the member switches
Configuration of SW2-SW4:
Switch(config)#cluster run

6.4 Cluster Administration Troubleshooting
When encountering problems in applying cluster administration, please check the following possible causes:
- Whether the command switch is correctly configured and the auto-adding function (cluster auto-add) is enabled.
- Whether the ports connecting the command switch and the member switches belong to the cluster VLAN.
- After cluster commander is enabled in VLAN1 of the command switch, do not enable a routing protocol (RIP, OSPF, BGP) in this VLAN, in order to prevent the routing protocol from advertising the private cluster addresses in this VLAN to other switches and causing routing loops.
- Whether the connection between the command switch and the member switch is correct. The debug cluster packets command can be used to check whether the command and member switches receive and process cluster administration packets correctly.

Chapter 7 Port Configuration
7.1 Introduction to Port
The switch contains cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to c
f a designated file in the file system
8. The renaming operation of files
9. The copying operation of files

1. Format the storage device (Admin Configuration Mode)

2. The creation of sub-directories
Command (Admin Configuration Mode): mkdir <directory>
Explanation: Create a sub-directory in a designated directory on a certain device.

3. The deletion of sub-directories
Command (Admin Configuration Mode): rmdir <directory>
Explanation: Delete a sub-directory in a designated directory on a certain device.

4. Changing the current working directory of the storage device
Command (Admin Configuration Mode): cd <directory>
Explanation: Change the current working directory of the storage device.

5. The display operation of the current working directory
Command (Admin Configuration Mode): pwd
Explanation: Display the current working directory.

6. The display operation of information about a designated file or directory
Command (Admin Configuration Mode): dir [WORD]
Explanation: Display information about a designated file or directory on the storage device.

7. The deletion of a designated file in the file system
Command (Admin Configuration Mode): delete <file-url>
Explanation: Delete the designated file in the file system.

8. The renaming operation of files
Command (Admin Configuration Mode): rename <source-file-url> <dest-file>
Explanation: Change the name of a designated file on the switch.
f the VLAN which the port belongs to is in the same subnet as the address pool configured in the DHCPv6 server. If the hosts are not directly connected and a layer-3 DHCPv6 relay is configured between the hosts and the DHCPv6 server, first check whether a valid IPv6 address has been configured for the switch interface to which the hosts are connected. If not, configure a valid IPv6 address. If it is configured, check whether the configured IPv6 address is in the same subnet as an address pool on the DHCPv6 server; if not, add it to the address pool.

Chapter 33 DHCP Option 82 Configuration

33.1 Introduction to DHCP Option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The relay agent adds option 82, including the client's physical access port, the access device ID and other information, to the DHCP request message from the client, then forwards the message to the DHCP server. When a DHCP server which supports option 82 receives the message, it allocates an IP address and other configuration information to the client according to preconfigured policies and the option 82 information in the message. At the same time the DHCP server can identify possible DHCP attack messages according to the information in option 82 and defend against them. DHCP Relay
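The relayed DHCP exchange from the DHCP introduction (client broadcast, relay forwarding, server reply) together with the option 82 insertion described above, as an added example that is not the switch's firmware: the client builds a DHCPDISCOVER, the relay sets giaddr, increments hops and inserts option 82 with a circuit-id (access port) and remote-id (access device ID), and the server selects an address pool from the circuit-id. The sub-option layout follows RFC 3046; the pool policy, the MAC and relay addresses are constructed, and the relay's decision to discard any option 82 already present in a client packet (so a client cannot pick its own pool) is an assumed policy, not one the manual states.

```python
"""Added example: the DHCP DISCOVER path from client through a relay that inserts
option 82, and a server that picks an address pool from the circuit-id.
This is not the switch's own code. The option-82 sub-option layout (1 = circuit-id,
2 = remote-id) follows RFC 3046; the pool policy, addresses and MAC are constructed,
and stripping a client-supplied option 82 at the relay is an assumed policy."""
import struct
from typing import Dict, List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
BOOTREQUEST = 1
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
DHCPDISCOVER = 1
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
ZERO4 = b"\0" * 4


def _header(op: int, hops: int, xid: int, giaddr: bytes, chaddr: bytes) -> bytes:
    return struct.pack(_FMT, op, 1, 6, hops, xid, 0, 0x8000, ZERO4, ZERO4, ZERO4, giaddr,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def _encode_options(opts: List[Tuple[int, bytes]]) -> bytes:
    return MAGIC + b"".join(bytes([code, len(val)]) + val for code, val in opts) + b"\xff"


def parse(pkt: bytes) -> dict:
    """Decode the header fields and the option list (TLV; 0 = pad, 255 = end)."""
    f = struct.unpack(_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + ln]))
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "giaddr": f[10],
            "chaddr": f[11][:6], "options": opts}


def client_discover(xid: int, mac: bytes) -> bytes:
    """Step 1 of the exchange: the client's broadcast DHCPDISCOVER."""
    return _header(BOOTREQUEST, 0, xid, ZERO4, mac) + _encode_options(
        [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])


def relay_forward(pkt: bytes, relay_ip: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay agent: set giaddr, bump hops, replace any option 82 with its own."""
    m = parse(pkt)
    opts = [o for o in m["options"] if o[0] != OPT_RELAY_AGENT]   # untrusted client value dropped
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    opts.append((OPT_RELAY_AGENT, sub))
    return _header(m["op"], m["hops"] + 1, m["xid"], relay_ip, m["chaddr"]) + _encode_options(opts)


def relay_agent_info(opts: List[Tuple[int, bytes]]) -> Optional[Dict[int, bytes]]:
    """Return option 82's sub-options as {sub-option code: value}, or None if absent."""
    for code, val in opts:
        if code == OPT_RELAY_AGENT:
            subs, i = {}, 0
            while i + 1 < len(val):
                t, ln = val[i], val[i + 1]
                subs[t] = val[i + 2:i + 2 + ln]
                i += 2 + ln
            return subs
    return None


def server_select_pool(pkt: bytes, policy: Dict[bytes, str]) -> Optional[str]:
    """Server side: a relayed request is matched to a pool by its circuit-id; a request
    with giaddr set but no option 82 is refused (None)."""
    m = parse(pkt)
    if m["giaddr"] == ZERO4:
        return policy.get(b"local")          # directly attached client (assumption)
    subs = relay_agent_info(m["options"])
    if subs is None:
        return None
    return policy.get(subs.get(SUB_CIRCUIT_ID, b""))


POLICY = {b"local": "pool-mgmt", b"eth1/7": "pool-floor2"}   # constructed pool policy

if __name__ == "__main__":
    disc = client_discover(0x1234, bytes.fromhex("000c29aabbcc"))
    relayed = relay_forward(disc, bytes([10, 1, 1, 1]), b"eth1/7", b"sw-floor2")
    print(server_select_pool(disc, POLICY), server_select_pool(relayed, POLICY))
```

Because the relay overwrites rather than trusts option 82, the circuit-id the server sees is always the physical port the frame really arrived on, which is what makes the per-port policy meaningful against a client that forges the option itself.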
f the switch VLAN; such a pool should be added if not present. This does not mean the switch cannot assign IP addresses for different segments; see solution 2 for details.
- In DHCP service, pools for dynamic IP allocation and manual binding conflict: if the commands network-address and host are both run for a pool, only one of them takes effect. Furthermore, in manual binding only one IP-MAC binding can be configured in one pool; if multiple bindings are required, multiple manual pools can be created with an IP-MAC binding set in each pool. New configuration in the same pool overwrites the previous configuration.

Chapter 32 DHCPv6 Configuration

32.1 Introduction to DHCPv6
DHCPv6 (RFC 3315) is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS addresses and domain names, to DHCPv6 clients. DHCPv6 is a stateful auto address configuration protocol for IPv6. In the stateful address configuration process, the DHCPv6 server assigns a complete IPv6 address to the client and provides the DNS address, domain name and other configuration information; the DHCPv6 packets may pass through relay delegation, and finally the binding of the IPv6 address to the client is recorded by the DHCPv6 server. All of this enhances the management of the network. The DHCPv6 server can also provide stateless DHCPv6 service, that is, only a
face ethernet1/7 is the destination port, which is connected to the intermediate switch. The native VLAN of this port cannot be configured as the RSPAN VLAN, or the mirrored data may not be carried to the destination switch. The RSPAN VLAN is 5.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/6-7
Switch(Config-If-Port-Range)#switchport mode trunk
Switch(Config-If-Port-Range)#exit

Destination switch: Interface ethernet1/9 is the source port, which is connected to the source switch. Interface ethernet1/10 is the destination port, which is connected to the monitor. This port is required to be configured as an access port belonging to the RSPAN VLAN. The RSPAN VLAN is 5.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode trunk
Switch(Config-If-Ethernet1/9)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/10)#exit

Solution 2:
Source switch: Interface ethernet 1/1 is the source port. Interface ethernet 1/2 is the TRUNK port, which is connected to the intermediate switch; its native VLAN should not be the RSPAN VLAN. Interface ethernet 1/3 is a reflector port; the reflector port belongs to the RSPAN VLAN and is an access port or TRUNK port of the RSPAN VLAN. The RSPAN VLAN is 5.
Switch(co
face vlan 1
SwitchA(config-if-vlan1)#ipv6 address 2001:da8:100:1::1
SwitchA(config-if-vlan1)#exit
SwitchA(config)#interface ethernet 1/1-4
SwitchA(config-if-port-range)#switchport access vlan 1
SwitchA(config-if-port-range)#exit
SwitchA(config)#

Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.com
SwitchB(dhcpv6-eastdormpool-config)#excluded-address 2001:da8:100:1::2
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#ipv6 dhcp class CLASS1
SwitchB(dhcpv6-class-class1-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1:Ethernet1/1
SwitchB(dhcpv6-class-class1-config)#exit
SwitchB(config)#ipv6 dhcp class CLASS2
SwitchB(dhcpv6-class-class2-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1:Ethernet1/2
SwitchB(dhcpv6-class-class2-config)#exit
SwitchB(config)#ipv6 dhcp class CLASS3
SwitchB(dhcpv6-class-class3-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1:Ethernet1/3
SwitchB(dhcpv6-class-class3-config)#exit
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eas
fic of program 2, and port 12 will not receive the traffic of program 1.

Scenario 2: L2 general querier

Figure 38-2 The switches as IGMP queriers (Multicast Server -> Switch A, IGMP Snooping, L2 general querier -> multicast port -> Switch B, IGMP Snooping -> Group 1, Group 1, Group 1, Group 2)

The configuration of Switch B is the same as the switch in scenario 1. Switch A takes the place of the multicast router in scenario 1. Let's assume VLAN 60 is configured in Switch A, including ports 1, 2, 10 and 12. Port 1 connects to the multicast server and port 2 connects to Switch B. In order to send Queries at a regular interval, the IGMP querier must be enabled in Global mode and in VLAN 60. The configuration steps are listed below.
SwitchA(config)#ip igmp snooping
SwitchA(config)#ip igmp snooping vlan 60
SwitchA(config)#ip igmp snooping vlan 60 L2-general-querier

SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 100
SwitchB(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/1

Multicast Configuration: the same as scenario 1.
IGMP Snooping listening result: similar to scenario 1.

38.3.4 IGMP Snooping Troubleshooting
IGMP Snooping might not run properly because of physical connection or configuration mistakes, so users should note the following:
- Make sure the physical connection is correct.
- Activate IGMP Snooping on the whole configurati
fig-Vlan5)#exit
Switch(config)#interface ethernet 1/9
Switch(Config-If-Ethernet1/9)#switchport mode trunk
Switch(Config-If-Ethernet1/9)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/10)#exit

60.4 RSPAN Troubleshooting
RSPAN may not function for the following reasons:
- The destination mirror port is a member of a port-channel group. If so, please change the port-channel group configuration.
- The throughput of the destination port is less than the total throughput of the source mirror ports. If so, the destination cannot capture all the datagrams from every source port. To solve the problem, reduce the number of source ports, mirror only a single direction of data flow, or choose another port with higher capacity as the destination port.
- Between the source switch and the intermediate switch, the native VLAN of the TRUNK ports is configured as the RSPAN VLAN. If so, please change the native VLAN of the TRUNK ports.

Chapter 61 ERSPAN

61.1 Introduction to ERSPAN
ERSPAN (Encapsulated Remote Switched Port Analyzer) eliminates the limitation that the source port and the destination port must be located on the same switch. This feature makes it possible for the source port and the destination port to be located on different devices in the network and helps the network administrator manage remote switches. Compared wi
figured with private IP addresses can be managed remotely. This feature economizes public IP addresses, which are in short supply.
Cluster network management can dynamically discover cluster-feature-enabled switches (candidate switches). Network administrators can statically or dynamically add the candidate switches to an already established cluster. Accordingly they can configure and manage the member switches through the commander switch. When the member switches are distributed in various physical locations, such as on different floors of the same building, cluster network management has obvious advantages. Moreover, cluster network management is in-band management: the commander switch communicates with member switches over the existing network, so there is no need to build a dedicated network for network management.
Cluster network management has the following features:
- Saves IP addresses
- Simplifies configuration tasks
- Indifferent to network topology and distance limitations
- Auto-detecting and auto-establishing
- With factory default settings, multiple switches can be managed through cluster network management
- The commander switch can upgrade and configure any member switch in the cluster

6.2 Cluster Network Management Configuration Sequence
1. Enable or disable cluster function
2. Create cluster
   (1) Configure private IP address pool for member switches of the
for IPv4 and IPv6; supports TACACS.
Layer 3 Function: supports a maximum of 128 static routes.
Layer 2 Function:
- Port configuration: port disable/enable; auto-negotiation 10/100/1000Mbps full and half duplex mode selection; flow control disable/enable; bandwidth control on each port; port loopback detect; display of each port's speed, duplex mode, link status, flow control status and auto-negotiation status.
- VLAN: 802.1Q tag-based VLAN, up to 256 VLAN groups; Q-in-Q; GVRP for VLAN management; Private VLAN Edge (PVE) supported; protocol-based VLAN; MAC-based VLAN; IP subnet VLAN.
- Bandwidth control: TX/RX/both.
- Link aggregation: IEEE 802.3ad LACP / static trunk; supports 32 groups of 8-port trunk.
- QoS: 8 priority queues on all switch ports; supports strict priority and Weighted Round Robin (WRR) CoS policies; traffic classification by IEEE 802.1p CoS, ToS, IPv4/IPv6 DSCP, port-based WRR.
- Multicast: IGMP v1/v2/v3 snooping, querier mode support; MLD v1/v2 snooping, querier mode support; Multicast VLAN Register (MVR).
- Access Control List: supports standard and expanded ACL; IP-based ACL, MAC-based ACL, time-based ACL; up to 512 entries.
- Bandwidth control: at least 64Kbps step.
Security:
- Supports MAC-port binding, IPv4/IPv6-MAC-port binding, IPv4/IPv6-port binding
- Supports MAC filter
- ARP scanning prevention
- IEEE 802.1x port-based network access control
- AAA authentication: TACACS and IPv4/I
formation like which devices have which ports, which switches connect to other devices, and so on; it can also display the routes between clients, switches, routers, application servers and network servers. Such details are very meaningful for scheduling and for investigating the source of network failures. LLDP is a very useful management tool, providing accurate information about network mirroring and flow data and for searching out network problems.

11.2 LLDP Function Configuration Task Sequence
1. Globally enable LLDP function
2. Configure the port-based LLDP function switch
3. Configure the operating state of port LLDP
4. Configure the interval of LLDP update messages
5. Configure the aging time multiplier of LLDP messages
6. Configure the sending delay of update messages
7. Configure the interval of sending Trap messages
8. Configure to enable the Trap function of the port
9. Configure the optional information sending attribute of the port
10. Configure the size of space to store the Remote Table of the port
11. Configure the type of operation when the Remote Table of the port is full
12. Display and debug the relevant information of LLDP

1. Globally enable LLDP function
Command (Global Mode): lldp enable / lldp disable
Explanation: Globally enable or disable the LLDP function.

2. Configure the port-based LLDP function switch
Command (Port Mode): lldp enable / lldp disable
Explanation: Configure the port-based LLDP function switch.

3.
formation of all interfaces which can read the real-time parameters normally. If no fiber module is inserted or the fiber module is not supported, the information will not be shown. For example:
Switch#show transceiver
Interface   Temp(°C)   Voltage(V)   Bias(mA)   RX Power(dBm)   TX Power(dBm)
1/21        33         3.31         6.11       -30.54 (A)      -6.01
1/23        33         5.00 (W)     6.11       -20.54 (W)      -6.02
(A: alarm threshold exceeded; W: warning threshold exceeded)

b. Show the information of the specified interfaces. N/A means no fiber module is inserted or the fiber module is not supported. For example:
Switch#show transceiver interface ethernet 1/21-23
Interface   Temp(°C)   Voltage(V)   Bias(mA)   RX Power(dBm)   TX Power(dBm)
1/21        33         3.31         6.11       -30.54 (A)      -6.01
1/22        N/A        N/A          N/A        N/A             N/A
1/23        33         5.00 (W)     6.11       -20.54 (W)      -6.02

c. Show the detailed information, including base information, real-time monitored parameter values, warning/alarm/abnormality state and threshold information. For example:
Switch#show transceiver interface ethernet 1/21-22;24 detail
Ethernet 1/21 transceiver detail information:
  Base information:
    SFP found in this port, manufactured by company on Sep 29 2010.
    Type is 1000BASE-SX. Link length is 550 m for 50um Multi-Mode Fiber. Link length is 270 m for 62.5um Multi-Mode Fiber.
    Nominal bit rate is 1300 Mb/s. Laser wavelength is 850 nm.
  Brief alarm information: RX loss of signal; Voltage high; RX power low
  Detail diagnostic and threshold information:
  Diagnostic   Realtime Value   High Alarm
285. functions must be disabled. If the switch is configured properly but still cannot pass authentication, the connectivity between the switch and the RADIUS server, and between the switch and the 802.1x client, should be verified, and the port and VLAN configuration of the switch should be checked too. Check the event log in the RADIUS server for possible causes. In the event log, not only are unsuccessful logins recorded, but also prompts for the causes of the unsuccessful login. If the event log indicates a wrong authenticator password, the radius-server key parameter shall be modified; if the event log indicates no such authenticator, the authenticator needs to be added to the RADIUS server; if the event log indicates no such login user, the user login ID and password may be wrong and should be verified and input again.

Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration
43.1 Introduction to the Number Limitation Function of MAC and IP in Port, VLAN
The MAC address list is used to identify the mapping relationship between destination MAC addresses and the ports of the switch. There are two kinds of MAC addresses in the list: static MAC addresses and dynamic MAC addresses. A static MAC address is set by users, has the highest priority, will not be overwritten by a dynamic MAC address and will always be effective; a dynamic MAC address is learnt by the switch through transmitted data frames and will only be effective in a specific time ra
286. g interface ethernet 1/10
switch(Config-Ethernet1/10)#switchport mode trunk
switch(Config-Ethernet1/10)#exit
switch(Config)#
Note: this switch only supports the in direction.

20.4.4 VLAN translation Troubleshooting
Normally the VLAN translation is applied on trunk ports. Normally, before using VLAN translation, the dot1q-tunnel function needs to be enabled first so that double-tagged data packets are processed by VLAN translation. When configuring VLAN translation on the egress, make sure the native VLAN of the port is not identical to the PVID of the packet; otherwise the tag of the packet will be stripped in advance and the transformation of the VID cannot be completed. QoS only matches the VLAN ID that the packet is translated to when VLAN translation and QoS are configured at the same time.

20.5 Multi-to-One VLAN Translation Configuration
20.5.1 Introduction to Multi-to-One VLAN Translation
Multi-to-One VLAN translation translates the original VLAN ID into a new VLAN ID according to the user's requirement on uplink traffic, and restores the original VLAN ID on downlink traffic. Application and configuration of Multi-to-One VLAN translation will be explained in detail in this section.
20.5.2 Multi-to-One VLAN Translation Configuration
Multi-to-One VLAN translation configuration task list:
1. Configure Multi-to-One VLAN translation on the port
2. Show the related configuration of Multi-to-One VLAN translation
1. Configure Multi-to
287. g option 37 in received DHCPv6 request packets, of which <remote-id> is the content of remote-id in the user-defined option 37 and is a string with a length of less than 128. The no operation restores the remote-id in option 37 to the enterprise number together with the VLAN MAC address.
Command: ipv6 dhcp relay remote-id <remote-id> / no ipv6 dhcp relay remote-id <remote-id>
Command: ipv6 dhcp relay subscriber-id <subscriber-id> / no ipv6 dhcp relay subscriber-id <subscriber-id>. Explanation: This command is used to set the form of adding option 38 in received DHCPv6 request packets, of which <subscriber-id> is the content of subscriber-id in the user-defined option 38 and is a string with a length of less than 128. The no operation restores the subscriber-id in option 38 to the VLAN name together with the port name, such as Vlan2+Ethernet1/2.

3. DHCPv6 server option basic functions configuration (Global mode)
Command: ipv6 dhcp server remote-id option / no ipv6 dhcp server remote-id option. Explanation: This command enables the DHCPv6 server to support the identification of option 37; the no form of this command disables it.
Command: ipv6 dhcp server subscriber-id option / no ipv6 dhcp server subscriber-id option. Explanation: This command enables the DHCPv6 server to support the identification of option 38; the no form of this command disables it.
Command: ipv6 dhcp use class / no ipv6 dhcp use class. Explanation: This command enables the DHCPv6 server to support the use of a DHCPv6 class during address assignment; the no form of this command disables it.
288. ge of 0 to 63 and is downward compatible with IP Precedence.
MPLS TC (EXP): A field of MPLS packets that means the service class; it has 3 bits, ranging from 0 to 7.
Internal Priority: The internal priority setting of the switch chip; its valid range depends on the chip. Its abbreviation is Int-Prio or IntP.
Drop Precedence: When processing packets, the packets with the bigger drop precedence are dropped first. The range is 0-2 in the three-color algorithm and 0-1 in the dual-color algorithm. Its abbreviation is Drop-Prec or DP.
Classification: The entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs.
Policing: Ingress action of QoS that lays down the policing policy and manages the classified packets.
Remark: Ingress action of QoS that performs allowing, degrading or discarding operations on packets according to the policing policies.
Scheduling: QoS egress action. Configure the weight for the eight egress queues of WRR (Weighted Round Robin).
In-Profile: Traffic within the QoS policing policy range (bandwidth or burst value) is called In-Profile.
Out-of-Profile: Traffic outside the QoS policing policy range (bandwidth or burst value) is called Out-of-Profile.

23.1.2 QoS Implementation
To implement the switch software QoS, a general, mature reference model should be given. QoS can
289. > dscp-intp <in-dscp-list> to <intp> | dscp-dp <in-dscp-list> to <dp> | dscp-dscp <in-dscp-list> to <out-dscp>} / no mls qos map {cos-intp | cos-dp | dscp-intp | dscp-dp | dscp-dscp}. Explanation: the no command restores the default mapping value.

6. Clear accounting data of the specific ports or VLANs (Admin Mode)
Command: clear mls qos statistics [interface <interface-name> | vlan <vlan-id>]. Explanation: Clear the accounting data of the specified ports or VLAN Policy Map. If there are no parameters, clear the accounting data of all policy maps.

7. Show configuration of QoS (Admin Mode)
Command: show mls qos maps [cos-intp | dscp-intp]. Explanation: Display the configuration of QoS mapping.
Command: show class-map [<class-map-name>]. Explanation: Display the classified map information of QoS.
Command: show policy-map [<policy-map-name>]. Explanation: Display the policy map information of QoS.
Command: show mls qos {interface [<interface-id>] [policy | queuing] | vlan <vlan-id>}. Explanation: Display QoS configuration information on a port.

23.3 QoS Example
Example 1: Enable the QoS function, change the queue out weight of the port to 1:1:2:2:4:4:8:8, set it in trust CoS mode and set the default CoS value of the port to 5. The configuration steps are listed below:
Switch#config
Switch(config)#mls qos queue weight 1 1 2 2
Switch(Config-If-Ethernet1/1)#mls qos queue wrr weight 1 1 2 2 4 4 8 8
Switch(Config-If-Ethernet1/1)#mls qos cos 5
Configuration result: When QoS is enabled in Glob
290. gure the command authorization manner and authorization selection priority of login users with VTY (login with Telnet and SSH). The no command recovers the default manner.
Command: accounting line {console | vty} command <1-15> {start-stop | stop-only | none} method1 [method2 ...] / no accounting line {console | vty} command <1-15>. Explanation: Configure the accounting method list.
Admin Mode:
Command: terminal monitor / terminal no monitor. Explanation: Display debug information for Telnet client login to the switch; the no command disables the debug information.
Explanation: Show the information of users who log in through telnet or ssh. It includes line number, user name and user IP.
Command: clear line vty <0-31>. Explanation: Delete the logged user information on the appointed line, forcing the user who logs in through telnet or ssh off the line.

2. Telnet to a remote host from the switch (Admin Mode)
Command: telnet [vrf <vrf-name>] {<ip-addr> | <ipv6-addr> | host <hostname>} [<port>]. Explanation: Login to a remote host with the Telnet client included in the switch.

4.2.2 SSH
4.2.2.1 Introduction to SSH
SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices. It is based on the reliable TCP/IP protocol. By conducting mechanisms such as key distribution, authentication and encryption between the SSH server and SSH client, a secure connection is established. The information transferred on this con
291. h(config)#interface ethernet 1/1
Switch(Config-If-Ethernet1/1)#mls qos trust cos

23.4 QoS Troubleshooting
trust cos can be used with other trust or Policy Map.
trust dscp can be used with other trust or Policy Map. This configuration takes effect for IPv4 and IPv6 packets.
trust dscp and trust cos may be configured at the same time; the priority is DSCP > COS.
If a dynamic VLAN (mac vlan, voice vlan, ip subnet vlan, protocol vlan) is configured, then the packet COS value equals the COS value of the dynamic VLAN.
A policy map can only be bound to the ingress direction; egress is not supported yet.
At present it is not recommended to use a policy map on a VLAN and the VLAN's port at the same time.

Chapter 24 Flow-based Redirection
24.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit the data frames meeting some special condition (specified by ACL) to another specified port. The frames meeting the same special condition are called a class of flow; the ingress port of the data frame is called the source port of redirection and the specified egress port is called the destination port of redirection. Usually there are two kinds of application of flow-based redirection: 1. connecting a protocol analyzer (for example Sniffer) or an RMON monitor to the destination port of redirection to monitor and manage the network and diagnose problems in the network; 2. a special transmission policy for a spec
292. heck icmp-attacking enable

45.3 Security Feature Example
Scenario: The user has the following configuration requirements: the switch does not forward data packets whose source IP address is equal to the destination address, nor those whose source port is equal to the destination port. Only the ping command with default options is allowed within the IPv4 network, namely the ICMP request packet cannot be fragmented and its net length is normally smaller than 100.
Configuration procedure:
Switch(config)#dosattack-check srcip-equal-dstip enable
Switch(config)#dosattack-check srcport-equal-dstport enable
Switch(config)#dosattack-check icmpV4-size 100
Switch(config)#dosattack-check icmp-attacking enable

Chapter 46 TACACS+ Configuration
46.1 Introduction to TACACS+
TACACS+ (Terminal Access Controller Access Control protocol) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol. Compared with RADIUS, the transport layer of the TACACS+ protocol adopts the TCP protocol; further, as the whole packet except the standard packet header is encrypted, this protocol has more reliable transmission and encryption characteristics and is better adapted to security control. According to the characteristics of TACACS+ Version 1.78, we provide the TACACS+ authentication function on
293. hernet1/9)#switchport mode hybrid
switch(config-if-ethernet1/9)#switchport hybrid allowed vlan 1000;2000 tag
After the above configuration, packets of VLAN 100 through VLAN 200 from Ethernet1/1 are automatically tagged with the tag of VLAN 1000 as the outer VLAN tag, and packets of VLAN 201 through VLAN 300 from Ethernet1/2 are automatically tagged with the tag of VLAN 2000 as the outer VLAN tag on Switch A.
The configuration on Switch B is similar to that on Switch A; the configuration is as follows:
switch(config)#vlan 1000;2000
switch(config)#interface ethernet 1/1
switch(config-if-ethernet1/1)#switchport mode hybrid
switch(config-if-ethernet1/1)#switchport hybrid allowed vlan 1000 untag
switch(config-if-ethernet1/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200
switch(config-if-ethernet1/1)#dot1q-tunnel selective enable
switch(config-if-ethernet1/1)#interface ethernet 1/2
switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 2000 untag
switch(config-if-ethernet1/2)#dot1q-tunnel selective s-vlan 2000 c-vlan 201-300
switch(config-if-ethernet1/2)#dot1q-tunnel selective enable
switch(config-if-ethernet1/9)#switchport mode hybrid
switch(config-if-ethernet1/9)#switchport hybrid allowed vlan 1000;2000 tag

20.3.4 Selective QinQ Troubleshooting
Selective QinQ and dot1q-tunnel functions should not be configured on a port at the same time.

20.4 VLAN translation Configuration
20.4.1 Introduction to VLAN translation
VLAN
294. his command restores the default.
Command: ipv6 mld snooping vlan <vlan-id> query-robustness <value> / no ipv6 mld snooping vlan <vlan-id> query-robustness. Explanation: Configure the query robustness; the no form of this command restores the default query robustness.
Command: ipv6 mld snooping vlan <vlan-id> suppression-query-time <value> / no ipv6 mld snooping vlan <vlan-id> suppression-query-time. Explanation: Configure the suppression query time; the no form of this command restores the default suppression query time.
Command: ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME> / no ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME>. Explanation: Configure a static group on the specified port of the VLAN. The no form of the command cancels this configuration.

39.1.3 MLD Snooping Examples
Scenario 1: MLD Snooping Function
[Figure 39-1 Open the switch MLD Snooping Function figure: Multicast Router (Mrouter Port), MLD Snooping Switch, Group1, Group2]
As shown above, vlan 100 configured on the switch consists of ports 1, 2, 6, 10 and 12. Four hosts are respectively connected to ports 2, 6, 10 and 12, while the multicast router is on port 1. Suppose we need MLD Snooping on VLAN 100; however, by default the global MLD Snooping as w
295. hod to shut down a unidirectional link
6. Configure the interval of Hello messages
7. Configure the interval of Recovery
8. Reset the port shut down by ULDP
9. Display and debug the relative information of ULDP

1. Enable ULDP function globally (Global configuration mode)
Command: uldp enable / uldp disable. Explanation: Globally enable or disable the ULDP function.
2. Enable ULDP function on a port (Port configuration mode)
Command: uldp enable / uldp disable. Explanation: Enable or disable the ULDP function on a port.
3. Configure aggressive mode globally (Global configuration mode)
Command: uldp aggressive-mode / no uldp aggressive-mode. Explanation: Set the global working mode.
4. Configure aggressive mode on a port (Port configuration mode)
Command: uldp aggressive-mode / no uldp aggressive-mode. Explanation: Set the working mode of the port.
5. Configure the method to shut down a unidirectional link (Global configuration mode)
Command: uldp manual-shutdown / no uldp manual-shutdown. Explanation: Configure the method to shut down a unidirectional link.
6. Configure the interval of Hello messages (Global configuration mode)
Command: uldp hello-interval <integer> / no uldp hello-interval. Explanation: Configure the interval of Hello messages, ranging from 5 to 100 seconds. The value is 10 seconds by default.
7. Configure the interval of Recovery (Global configuration mode)
296. hport hybrid native vlan 1
Switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 1;8;10 untag
Switch(config-if-ethernet1/2)#mac-authentication-bypass enable
Switch(config-if-ethernet1/2)#mac-authentication-bypass enable guest-vlan 8
Switch(config-if-ethernet1/2)#exit
Switch(config)#interface ethernet 1/3
Switch(config-if-ethernet1/3)#switchport mode access
Switch(config-if-ethernet1/3)#mac-authentication-bypass enable
Switch(config-if-ethernet1/3)#exit
Switch(config)#interface ethernet 1/4
Switch(config-if-ethernet1/4)#switchport mode trunk

50.4 MAB Troubleshooting
If any problem happens when using the MAB function, please check whether the problem is caused by the following reasons:
Make sure the global and port MAB functions are enabled.
Make sure the correct username and password of MAB authentication are used.
Make sure the radius server configuration is correct.

Chapter 51 PPPoE Intermediate Agent Configuration
51.1 Introduction to PPPoE Intermediate Agent
51.1.1 Brief Introduction to PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link-layer protocol that supplies a point-to-point communication method; it is usually selected for host dial-up links (for example, when the link is a dial-up line). Applying the PPP protocol to Ethernet means the PPPoE protocol lets many hosts on the Ethernet connect to a remote access coll
297. ial type of data frames. The switch can only designate a single destination port of redirection for the same class of flow within a source port of redirection, while it can designate different destination ports of redirection for different classes of flows within a source port of redirection. The same class of flow can be applied to different source ports.

24.2 Flow-based Redirection Configuration Task Sequence
1. Flow-based redirection configuration
2. Check the current flow-based redirection configuration

1. Flow-based redirection configuration (Physical Interface Configuration Mode)
Command: access-group <aclname> redirect to interface [ethernet <IFNAME> | <IFNAME>] / no access-group <aclname> redirect. Explanation: Specify flow-based redirection for the port; the no access-group <aclname> redirect command is used to delete the flow-based redirection.
2. Check the current flow-based redirection configuration (Global Mode / Admin Mode)
Command: show flow-based-redirect {interface [ethernet <IFNAME> | <IFNAME>]}. Explanation: Display the information of the current flow-based redirection in the system or on the port.

24.3 Flow-based Redirection Examples
Example: The user's configuration request is listed as follows: redirect the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received from port 1 th
298. ic and enables load balancing. Moreover, because multiple VLANs share the same MSTI, MSTP can reduce the number of spanning tree instances, which consumes less CPU resources and reduces bandwidth consumption.

22.2 MSTP Region
Because multiple VLANs can be mapped to a single spanning tree instance, the IEEE 802.1s committee raised the MST concept. The MST is used to associate a certain VLAN with a certain spanning tree instance. An MSTP region is composed of one or multiple bridges with the same MCID (MST Configuration Identification) and the bridged LAN (a certain bridge in the MSTP region is the designated bridge of the LAN, and the bridges attaching to the LAN are not running STP). All the bridges in the same MSTP region have the same MSID. The MSID consists of 3 attributes:
Configuration Name: composed of digits and letters
Revision Level
Configuration Digest: the mapping of VLANs to spanning tree instances
The bridges with the same 3 attributes above are considered to be in the same MST region. When MSTP calculates the CIST in a bridged LAN, an MSTP region is considered as a single bridge. See the figure below.
[Figure 22-1 Example of CIST and MST Region (Root, A)]
In the above network, if the bridges are running STP or RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run MSTP and are configured in the same MST region, MSTP will treat this region as a bri
299. id {hex | ascii} / no pppoe intermediate-agent format {circuit-id | remote-id}. Explanation: Configure the format (hex or ASCII) for circuit-id and remote-id.
Port Mode:
Command: pppoe intermediate-agent / no pppoe intermediate-agent. Explanation: Enable the PPPoE Intermediate Agent function of the port.
Command: pppoe intermediate-agent vendor-tag strip / no pppoe intermediate-agent vendor-tag strip. Explanation: Set the vendor tag strip function of the port.
Command: pppoe intermediate-agent trust.
Command: pppoe intermediate-agent circuit-id <string> / no pppoe intermediate-agent circuit-id. Explanation: Set the circuit-id of the port.
Command: pppoe intermediate-agent remote-id <string> / no pppoe intermediate-agent remote-id. Explanation: Set the remote-id of the port.

51.3 PPPoE Intermediate Agent Typical Application
The PPPoE Intermediate Agent typical application is as follows:
[Figure 51-4 PPPoE IA typical application]
Both the host and the BAS server run the PPPoE protocol; they are connected by a layer 2 Ethernet switch that enables the PPPoE Intermediate Agent function.
Typical configuration 1 is in the following:
Step 1: The switch enables the global PPPoE IA function, MAC as 0a0b0c0d0e0f.
Switch(config)#pppoe intermediate-agent
Step 2: Configure port ethernet1/1, which connects to the server, as the trust port and configure the vendor tag strip function.
Switch(config-if-ethernet1/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/1)#pppoe intermediate-agent vendor-tag strip
300. ient Ethernet). After the port enables this function, the switch will detect the port state automatically. If the port is free and there is no data transmission, this port will change to the power saving mode and cut down the power of the port to save energy.

19.2 EEE Energy-saving Configuration List
1. Enable EEE energy-saving function (Port Mode)
Command: eee enable / no eee enable. Explanation: Enable the energy saving function of the port; the no eee enable command disables the energy saving function of the port.

19.3 EEE Energy-saving Typical Examples
Case: Configure port 1 of the switch as saving mode. Below are the configuration steps:
Switch(config-if-ethernet1/1)#eee enable

Chapter 20 VLAN Configuration
20.1 VLAN Configuration
20.1.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced the IEEE 802.1Q protocol to direct the standardized VLAN implementation, and the VLAN function of the switch is implemented following IEEE 802.1Q. The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands.
[Figure 20-1 A VLAN network defi
301. ifferent users' PCs with the IPv6 protocol installed are connected respectively to port Ethernet1/12 of Switch1 and port Ethernet1/13 of Switch2, and enable the source address check function of SAVI. Ethernet1/1 and Ethernet1/2 are the uplink ports of Switch1 and Switch2 respectively; enable the DHCP trust and ND trust functions on them. Aggregation Switch3 enables the DHCPv6 server function and the route advertisement function.
Configuration steps of the SAVI DHCP-SLAAC scene:
Switch1>enable
Switch1#config
Switch1(config)#savi enable
Switch1(config)#savi ipv6 dhcp-slaac enable
Switch1(config)#savi check binding probe mode
Switch1(config)#interface ethernet1/1
Switch1(config-if-ethernet1/1)#ipv6 dhcp snooping trust
Switch1(config-if-ethernet1/1)#ipv6 nd snooping trust
Switch1(config-if-ethernet1/1)#exit
Switch1(config)#interface ethernet1/12-20
Switch1(config-if-port-range)#savi ipv6 check source ip-address mac-address
Switch1(config-if-port-range)#savi ipv6 binding num A
Switch1(config-if-port-range)#exit
Switch1(config)#exit
Switch1#write

54.4 SAVI Troubleshooting
After ensuring there is no problem with the SAVI client hardware and cabling, please check the following conditions and the proposed solutions:
If IPv6 packets are filtered incorrectly after enabling the SAVI function, please ensure the global SAVI function is enabled. After that, enable the global function of the corresponding SAVI scene according to the actual application s
302. [Figure 42-10 the Authentication Flow of 802.1x EAP-TLS: the TLS handshake messages (certificate, certificate_verify, client_key_exchange, change_cipher_spec, finished) carried in EAP-Response/EAP-TLS over RADIUS Access-Challenge and Access-Request, ending with RADIUS Access-Accept and EAP-Success]

3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate. The only requirement is that the RADIUS server should have a digital certificate. The authentication of user identity is implemented with passwords transmitted in a safely encrypted tunnel established via the certificate of the authentication server. Any kind of authentication request, including EAP, PAP and MS-CHAPv2, can be transmitted within TTLS tunnels.

4. PEAP Authentication Method
EAP-PEAP is brought up by Cisco, Microsoft and RSA Security as a recommended open standard. It has long been utilized in products and provides very good security. Its design of protocol and security is similar to that of EAP-TTLS, using a server's PKI certificate to establish a safe TLS tunnel in order to protect user authentication. The follo
303. ig)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps
Scenario 3: The NMS uses SNMP v3 to obtain information from the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server
Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst
Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max
Switch(config)#snmp-server view max 1 include
Scenario 4: The NMS wants to receive the v3Trap messages sent by the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 10.1.1.2 v3 authpriv tester
Switch(config)#snmp-server enable traps
Scenario 5: The IPv6 address of the NMS is 2004:1:2:3::2; the IPv6 address of the switch (Agent) is 2004:1:2:3::1. The NMS network administrative software uses the SNMP protocol to obtain data from the switch. The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server community rw private
Switch(config)#snmp-server community ro public
Switch(config)#snmp-server securityip 2004:1:2:3::2
The NMS can use private as the community string to access the switch with read-write permission, or use public as the community string to access the switch with read-only permission.
Scenario 6: The NMS will receive Trap messages from the switch. Note: the NMS may have community string verification for the Trap messages. I
304. iguration:
Configuration on PE:
PE(config)#interface ethernet 1/1
PE(config-if-ethernet1/1)#ethernet-oam
Other parameters use the default configuration.
Execute the following command when using remote loopback:
PE(config-if-ethernet1/1)#ethernet-oam remote-loopback
Execute the following command to make one of the OAM peers exit OAM loopback after the detection is complete:
PE(config-if-ethernet1/1)#no ethernet-oam remote-loopback
Execute the following command to not support remote loopback:
CE(config-if-ethernet1/1)#no ethernet-oam remote-loopback supported

14.4 EFM OAM Troubleshooting
When a problem occurs while using EFM OAM, please check whether the problem results from the following reasons:
Check whether the OAM entities of the two peers of the link are both in passive mode. If so, the EFM OAM connection cannot be established between the two OAM entities.
Ensure the SNMP configuration is correct, or else errored events cannot be reported to the network management system.
The link does not communicate normally in OAM loopback mode; remote loopback should be cancelled in time after the link performance has been detected.
Ensure the board in use supports the remote loopback function.
The port should not be configured with the STP, MRPP, ULPP, Flow Control or loopback detection functions after it enables the OAM loopback function, because the OAM remote loopback function and these functions are mutually exclusive.

Chapter 15 PORT SECURITY
15.1 Introduction to PORT SECURITY
Port s
305. ill forward the data received on port 1/5 out of port 1/12.
Filter data according to the MAC table: If PC1 sends a message to PC2, the switch, on checking the MAC table, will find that PC2 and PC1 are in the same physical segment and filter the message, i.e. drop this message.
Three types of frames can be forwarded by the switch:
Broadcast frame
Multicast frame
Unicast frame
The following describes how the switch deals with all three types of frames:
1. Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the switch are in the same broadcast domain. When the switch receives a broadcast frame, it forwards the frame on all ports. When VLANs are configured in the switch, the MAC table will be adapted accordingly to add VLAN information. In this case, the switch will not forward the received broadcast frames on all ports, but forward the frames on all ports in the same VLAN.
2. Multicast frame: For unknown multicast, the switch will broadcast it in the same VLAN, but the switch only forwards the multicast frames to the multicast group's ports if the IGMP Snooping function or a static multicast group has been configured.
3. Unicast frame: When no VLAN is configured, if the destination MAC address is in the switch MAC table, the switch will directly forward the frames to the associated ports; when the destination MAC address in a unicast frame is
306. in a meaningful way independent of each user's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). People take advantage of this when they recite meaningful URLs and e-mail addresses without having to know how the machine will actually locate them. The Domain Name System distributes the responsibility for assigning domain names and mapping them to Internet Protocol (IP) networks by designating authoritative name servers for each domain to keep track of their own changes, avoiding the need for a central register to be continually consulted and updated. In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a world-wide distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.

65.2 DNSv4/v6 Configuration Task List
1. To enable/disable DNS function
2. To configure/delete DNS server
3. To configure/delete domain name suffix
4. To delete the domain entry of specifie
307. information of the IPv6 security RA module; the no operation of this command will disable the output of debug information of IPv6 security RA.
Command: debug ipv6 security-ra / no debug ipv6 security-ra.
Command: show ipv6 security-ra [interface <interface-list>]. Explanation: Display the distrust ports and whether security RA is enabled globally.

49.3 IPv6 Security RA Typical Examples
[Figure 49-1 IPv6 Security RA sketch map: Other IPv6 network; Ethernet1/1, Ethernet1/2, Ethernet1/3; PC User; Illegal User]
Instructions: if the illegal user in the graph advertises RA, the normal user will receive the RA, set its default router to the vicious IPv6 host and change its own address. This will cause the normal user to be unable to connect to the network. We want to set security RA on port 1/2 of the switch so that the RA from the illegal user will not affect the normal user.
Switch configuration task sequence:
Switch#config
Switch(config)#ipv6 security-ra enable
Switch(Config-If-Ethernet1/2)#ipv6 security-ra enable

49.4 IPv6 Security RA Troubleshooting Help
The function of IPv6 security RA is quite simple; if the function does not meet the expectation after configuring IPv6 security RA:
Check if the switch is correctly configured.
Check if there are rules configured on the switch that conflict with the security RA function; this kind of rule will cause RA messages to be forwarded.
Cha
308. ing is normal.
LINK-DOWN (link Down event) packet: after a transfer node detects a Down event on a port, it immediately sends a LINK-DOWN packet to the primary node to inform the primary node that the ring has failed.
LINK-DOWN-FLUSH_FDB packet: after the primary node detects a ring failure or receives a LINK-DOWN packet, it opens the blocked secondary port and then uses both ports to send this packet, informing each transfer node to refresh its own MAC address table.
LINK-UP-FLUSH_FDB packet: after the primary node detects that the ring failure has been restored to normal, it sends this packet from the primary port to inform each transfer node to refresh its own MAC address table.
55.1.3 MRPP Protocol Operation System
1. Link Down Alarm System
When a transfer node finds that its port belonging to the MRPP ring is Down, it sends a Link Down packet to the primary node immediately. The primary node receives the Link Down packet, immediately releases the block state of the secondary port and sends a LINK-DOWN-FLUSH_FDB packet to inform all transfer nodes to refresh their own MAC address forwarding lists.
2. Poll System
The primary port of the primary node sends Hello packets to its neighbors periodically according to the configured Hello timer. If the ring is healthy, the secondary port of the primary node receives the health detect packet and the primary node keeps the secondary port blocked. If the ring is broken, the secondary port of the primary node cannot receive the health detect packet before the timer expires. The primary node then releases the secondary port block state and sends LINK-DOWN-F
309. ing procedure, including adding the contents of option 82, the retransmitting policy adopted, the option 82 contents of the server peeled off by the Relay Agent, etc. Such information can help users to do troubleshooting. To implement the option 82 function of the DHCP server, the debug ip dhcp server packet command can be used during the operating procedure to display the server's processing of data packets, including the identified option 82 information of the request message and the option 82 information returned in the reply message.
Chapter 34 DHCP Option 60 and Option 43
34.1 Introduction to DHCP Option 60 and Option 43
The DHCP server analyzes DHCP packets from the DHCP client. If a packet carries option 60, the server decides whether option 43 is returned to the DHCP client according to the option 60 of the packet and the configuration of option 60 and option 43 in the DHCP server address pool. Configure the corresponding option 60 and option 43 in the DHCP server address pool:
1. Address pool configured with option 60 and option 43 at the same time: if the option 60 in the DHCP packet received from the DHCP client matches the option 60 of the DHCP server address pool, the DHCP client receives the option 43 configured in the address pool; otherwise option 43 is not returned to the DHCP client.
2. Address pool configured with option 43 only: it matches any option 60. If the DHCP packet received from the DHCP client carries option 60, the DHCP client will rece
310. ing tree cost / no spanning-tree cost - Set the port path cost.
spanning-tree port-priority / no spanning-tree port-priority - Set the port priority.
spanning-tree rootguard / no spanning-tree rootguard - Set the port as root port.
Global Mode
spanning-tree transmit-hold-count <tx-hold-count-value> / no spanning-tree transmit-hold-count - Set the max transmit hold count of the port.
spanning-tree cost-format {dot1d | dot1t} - Set the port cost format to dot1d or dot1t.
8. Configure the snooping attribute of the authentication key
Port Mode
spanning-tree digest-snooping / no spanning-tree digest-snooping - Set the port to use the authentication string of the partner port. The no command restores use of the generated string.
9. Configure the FLUSH mode once the topology changes
Global Mode
spanning-tree tcflush {enable | disable | protect} / no spanning-tree tcflush - enable: flush once the topology changes; disable: do not flush when the topology changes; protect: flush not more than once every ten seconds. The no command restores the default setting (enable, flush once the topology changes).
spanning-tree tcflush {enable | disable | protect} / no spanning-tree tcflush - Configure the port flush mode. The no command restores use of the globally configured flush mode.
22.4 MSTP Example
The following is a typical MSTP application example
311. ion <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
[no] {deny | permit} igmp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
[no] {deny | permit} tcp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [ack+ fin+ psh+ rst+ urg+ syn] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
[no] {deny | permit} udp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
[no] {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | <protocol-num>} {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <d
312. ion idle time
3. TFTP server configuration
(1) Start the TFTP server
Global Mode
tftp-server enable / no tftp-server enable - Start the TFTP server; the no command shuts down the TFTP server and prevents TFTP users from logging in.
(2) Modify the TFTP server connection idle time
Global Mode
tftp-server retransmission-timeout <seconds> - Set the maximum retransmission time within the timeout interval.
(3) Modify the TFTP server connection retransmission times
Global Mode
tftp-server retransmission-number <number> - Set the number of retransmissions for the TFTP server.
4.5.3.3 FTP/TFTP Configuration Examples
The configuration is the same for an IPv4 address or an IPv6 address; the example is for an IPv4 address only.
[Figure 4-2: Download the nos.img file as FTP/TFTP client (server 10.1.1.1)]
Scenario 1: The switch is used as FTP/TFTP client. The switch connects from one of its ports to a computer which is an FTP/TFTP server with an IP address of 10.1.1.1; the switch acts as an FTP/TFTP client, and the IP address of the switch management VLAN is 10.1.1.2. Download the nos.img file from the computer to the switch.
FTP Configuration
Computer side configuration: Start the FTP server software on the computer and set the username "Switch" and the password "superuser". Place the 12_30_nos.img file in the appropriate FTP server directory on the computer.
The configuration procedures of th
313. ion layer in user-side PCs are generally loaded with the Windows Vista system, thus having a DHCPv6 client.
[Figure 35-2: DHCPv6 relay option schematic (Switch3 DHCPv6 server, Switch2 relay, Switch1 DHCPv6 client)]
Switch2 configuration:
S2(config)# service dhcpv6
S2(config)# ipv6 dhcp relay remote-id option
S2(config)# ipv6 dhcp relay subscriber-id option
S2(config)# vlan 10
S2(config-vlan10)# int vlan 10
S2(config-if-vlan10)# ipv6 address 2001:da8:1::2/64
S2(config-if-vlan10)# ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)# exit
S2(config)#
35.4 DHCPv6 Options 37, 38 Troubleshooting
- Request packets sent by the DHCPv6 client are multicast packets received by the device within its VLAN. If the DHCPv6 server is to receive the packets from the client, the DHCPv6 client and DHCPv6 server must be in the same VLAN; otherwise DHCPv6 relay is needed.
- Snooping option37/38 can perform one of the following operations on DHCPv6 request packets with option37/38: replace the original option37/38 with its own, discard the packets with option37/38, or perform no adding, discarding or forwarding operation. Therefore, please check the policy configuration of snooping option37/38 on the second device when a false address is obtained or no address is obtained according to option37/38. The DHCPv6 server obtains opti
314. ion to LACP
LACP (Link Aggregation Control Protocol) is a protocol based on the IEEE 802.3ad standard that implements dynamic link aggregation. LACP uses LACPDUs (Link Aggregation Control Protocol Data Units) to exchange information with the other end. After LACP is enabled on a port, the port sends LACPDUs to the other end to notify it of the system priority, the MAC address of the system, the priority of the port, the port ID and the operation Key. After the other end receives the information, it is compared with the saved information of the other ports to select the ports that can be aggregated; accordingly, both sides can reach agreement about the ports joining or leaving the dynamic aggregation group.
The operation Key is created by LACP according to the combination of the configuration (speed, duplex, basic configuration, management Key) of the ports to be aggregated. After a dynamic aggregation port enables LACP, its management Key is 0 by default. After a static aggregation port enables LACP, the management Key of the port is the same as the ID of the aggregation group. For a dynamic aggregation group, the members of the same group have the same operation Key; for a static aggregation group, the Active ports have the same operation Key.
Port aggregation means that multiple ports are aggregated to form an aggregation group so as to implement load balancing of outgoing and incoming traffic in ea
315. ions that correspond to a specific rule. Each rule consists of filter information and the action taken when the rule is matched. The information included in a rule is an effective combination of conditions such as source IP, destination IP, IP protocol number and TCP port/UDP port. Access lists can be categorized by the following criteria:
- Filter-information-based criterion: IP access list (layer 3 or higher information), MAC access list (layer 2 information) and MAC-IP access list (layer 2, or layer 3 or higher).
- Configuration-complexity-based criterion: standard and extended; the extended mode allows more specific filtering of information.
- Nomenclature-based criterion: numbered and named.
The description of an ACL should cover the above three aspects.
41.1.2 Access-group
When a set of access lists has been created, they can be applied to traffic in the incoming direction on all ports. An access-group is the description of the binding of an access list to the incoming direction of a specific port. When an access-group is created, all packets arriving in the incoming direction through the port are compared to the access list rules to decide whether to permit or deny access. The current firmware only supports ingress ACL configuration.
41.1.3 Access-list Action and Global Default Action
There are two access list actions and default actions: permit or deny. The following rules apply:
- An access list can consist of several rules. Fil
316. ired for the user.
Configuration description:
1. Create a proper ACL
2. Configure the packet filtering function
3. Bind the ACL to the port
The configuration steps are listed below:
Switch(config)# access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(config)# firewall enable
Switch(config)# interface ethernet 1/10
Switch(Config-If-Ethernet1/10)# ip access-group 110 in
Switch(Config-If-Ethernet1/10)# exit
Switch(config)# exit
Configuration result:
Switch# show firewall
Firewall status: enable.
Switch# show access-lists
access-list 110 (used 1 time(s)) 1 rule(s)
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch# show access-group interface ethernet 1/10
interface name: Ethernet1/10
the ingress acl use in firewall is 110, traffic-statistics Disable.
Scenario 2: The configuration requirement is stated as below: the switch should drop all 802.3 datagrams with 00-12-11-23-xx-xx as the source MAC address coming from interface 10.
Configuration description:
1. Create the corresponding MAC ACL
2. Configure datagram filtering
3. Bind the ACL to the related interface
The configuration steps are listed below:
Switch(config)# access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
Switch(config)# access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff tagged-802
Switch(config)# firewall enable
Switch(c
317. is the configuration for the system update image file:
[Boot]: load nos.img
Loading...
Loading file ok!
Step 5: Execute write nos.img in BootROM mode. The following saves the system update image file:
[Boot]: write nos.img
File nos.img exists, overwrite? (Y/N)?[N] y
Writing nos.img...
Write nos.img OK.
[Boot]:
Step 6: The following updates the file boot.rom; the basic environment is the same as in Step 4:
[Boot]: load boot.rom
Loading...
Loading file ok!
Step 7: Execute write boot.rom in BootROM mode. The following saves the update file:
[Boot]: write boot.rom
File boot.rom exists, overwrite? (Y/N)?[N] y
Writing boot.rom...
Write boot.rom OK.
[Boot]:
Step 8: After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
[Boot]: run (or reboot)
Other commands in BootROM mode:
1. DIR command: used to list the existing files in the FLASH.
[Boot]: dir
boot.rom        327,440    1900-01-01 00:00:00  SH
boot.conf            83    1900-01-01 00:00:00  SH
nos.img       2,431,631    1980-01-01 00:21:34
startup-config    2,922    1980-01-01 00:09:14
temp.img      2,431,631    1980-01-01 00:00:32
2. CONFIG RUN command: used to set the IMAGE file to run upon system start-up and the configuration file to run upon configuration recovery.
[Boot]: config run
Boot File: [nos.img] nos.img
Config File: [boot.conf]
4.5.3 FTP/TFTP Upgrade
4.5.3.1 Introduction to FTP/TFTP
FTP (File Transfer Pro
318. isable selective QinQ of the port (no dot1q-tunnel selective enable).
20.3.3 Typical Applications of Selective QinQ
[Figure 20-5: Selective QinQ application (SwitchA and SwitchB, Eth 1/1 and Eth 1/2; PCs in VLAN 100-200, IP phones in VLAN 201-300; service provider VLAN 1000 and 2000)]
1. Ethernet1/1 of SwitchA provides public network access for PC users and Ethernet1/2 of SwitchA provides public network access for IP phone users. PC users belong to VLAN 100 through VLAN 200 and IP phone users belong to VLAN 201 through VLAN 300. Ethernet1/9 of SwitchA is connected to the public network.
2. Ethernet1/1 and Ethernet1/2 of SwitchB provide network access for PC users belonging to VLAN 100 through VLAN 200 and IP phone users belonging to VLAN 201 through VLAN 300, respectively. Ethernet1/9 is connected to the public network.
3. The public network permits packets of VLAN 1000 and VLAN 2000 to pass.
4. Enable selective QinQ on the Ethernet1/1 and Ethernet1/2 ports of SwitchA and SwitchB, respectively. Packets of VLAN 100 through VLAN 200 are tagged with the tag of VLAN 1000 as the outer VLAN tag on Ethernet1/1, and packets of VLAN 201 through VLAN 300 are tagged with the tag of VLAN 2000 as the outer VLAN tag on Ethernet1
319. isplays when files are successfully received. Otherwise, please verify link connectivity and retry the copy command.
begin to receive file, wait...
recv 1526037
write ok
transfer complete
close tftp client.
If the switch is upgrading the system file or system start-up file through TFTP, the switch must not be restarted until "close tftp client" is displayed, indicating that the upgrade is successful; otherwise the switch may be rendered unable to start. If the system file or system start-up file upgrade through TFTP fails, please try the upgrade again or use BootROM mode to upgrade.
Chapter 5 File System Operations
5.1 Introduction to File Storage Devices
File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files). Flash can copy, delete or rename files under Shell or BootROM mode.
5.2 File System Operation Configuration Task List
1. The formatting operation of storage devices
2. The creation of sub-directories
3. The deletion of a sub-directory
4. Changing the current working directory of the storage device
5. The display operation of the current working directory
6. The display operation of information about a designated file or directory
7. The deletion o
320. [Figure: Switch2 with V1 2001:da8:1:1::2, V10 2001:da8:10:1::2, V100 2001:da8:100:1::1; Switch1 DHCPv6 client]
Usage guide
Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)# service dhcpv6
Switch3(config)# ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)# network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)# excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)# dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)# dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)# domain-name dhcpv6.com
Switch3(dhcpv6-EastDormPool-config)# lifetime 1000 600
Switch3(dhcpv6-EastDormPool-config)# exit
Switch3(config)# interface vlan 1
Switch3(Config-if-Vlan1)# ipv6 address 2001:da8:1:1::1/64
Switch3(Config-if-Vlan1)# exit
Switch3(config)# interface vlan 10
Switch3(Config-if-Vlan10)# ipv6 address 2001:da8:10:1::1/64
Switch3(Config-if-Vlan10)# ipv6 dhcp server EastDormPool preference 80
Switch3(Config-if-Vlan10)# exit
Switch3(config)#
Switch2 configuration:
Switch2>enable
Switch2#config
Switch2(config)# service dhcpv6
Switch2(config)# interface vlan 1
Switch2(Config-if-Vlan1)# ipv6 address 2001:da8:1:1::2/64
Switch2(Config-if-Vlan1)# exit
Switch2(config)# interface vlan 10
Switch2(Config-if-Vlan10)# ipv6 address 2001:da8:10:1::2/64
Switch2(Config-if-Vlan10)# exit
Switch2(config)# interface vlan 100
Switch2(Config-if-Vlan100)# ipv6 a
321. itch(config-policymap-p1)# exit
Switch(config)# interface ethernet 1/1
Switch(config-if-ethernet1/1)# dot1q-tunnel enable
Switch(config-if-ethernet1/1)# service-policy p1 in
If the data flow of DSLAM2 enters the switch's downlink port1, the configuration is as follows:
Switch(config)# class-map c1
Switch(config-classmap-c1)# match ip dscp 10
Switch(config-classmap-c1)# exit
Switch(config)# class-map c2
Switch(config-classmap-c2)# match ip dscp 20
Switch(config-classmap-c2)# exit
Switch(config)# class-map c3
Switch(config-classmap-c3)# match ip dscp 30
Switch(config-classmap-c3)# exit
Switch(config)# policy-map p1
Switch(config-policymap-p1)# class c1
Switch(config-policymap-p1-class-c1)# set s-vid 1002
Switch(config-policymap-p1)# class c2
Switch(config-policymap-p1-class-c2)# set s-vid 2002
Switch(config-policymap-p1)# class c3
Switch(config-policymap-p1-class-c3)# set s-vid 3002
Switch(config-policymap-p1-class-c3)# exit
Switch(config-policymap-p1)# exit
Switch(config)# interface ethernet 1/1
Switch(config-if-ethernet1/1)# dot1q-tunnel enable
Switch(config-if-ethernet1/1)# service-policy p1 in
25.3 Flexible QinQ Troubleshooting
If the flexible QinQ policy cannot be bound to the port, please check whether the problem is caused by one of the following reasons:
- Make sure flexible QinQ supports the configured class-map and policy-map.
- Make sure the ACL includes a permit rule if the class-map matches an ACL.
322. ive the option 43 configured in the address pool.
3. Address pool configured with option 60 only: option 43 is not returned to the DHCP client.
34.2 DHCP Option 60 and Option 43 Configuration Task List
1. Basic DHCP option 60 and option 43 configuration
Address pool configuration mode
option 60 ascii LINE - Configure the option 60 character string in ascii format in ip dhcp pool mode.
option 43 ascii LINE - Configure the option 43 character string in ascii format in ip dhcp pool mode.
option 60 hex WORD - Configure the option 60 character string in hex format in ip dhcp pool mode.
option 43 hex WORD - Configure the option 43 character string in hex format in ip dhcp pool mode.
option 60 ip A.B.C.D - Configure the option 60 character string in IP format in ip dhcp pool mode.
option 43 ip A.B.C.D - Configure the option 43 character string in IP format in ip dhcp pool mode.
no option 60 - Delete the configured option 60 in address pool mode.
no option 43 - Delete the configured option 43 in address pool mode.
34.3 DHCP Option 60 and Option 43 Example
[Figure 34-1: Typical DHCP option 60 and option 43 topology (Fit AP, DHCP server, wireless controller)]
The Fit AP obtains an IP address and the option 43 attribute from the DHCP server in order to send a unicast discovery request to the wireless controller. The DHCP server is configured with an option 60 matching the option 60 of the Fit AP so that it returns the option 43 attribute to the Fit AP. The wireless
323. ke sure that you have created a GRE tunnel that connects the source and destination devices, and ensure normal transmission over the GRE tunnel. The configuration of layer 3 remote port mirroring needs to be done on the source and destination devices respectively. Both the source and destination ports are configured on the source and destination devices; the differences are as follows:
1. On Device A, configure the port you want to monitor as the source port and configure the tunnel interface as the destination port.
2. On Device C, configure the physical port corresponding to the tunnel interface as the source port and configure the port that connects the data monitor device as the destination port.
1. Configure IP addresses
Configure the IP address and subnet mask for the interfaces (configuration procedures are omitted).
2. Configure Device A (the source device)
Create interface Tunnel1 and configure an IP address and mask for it:
SwitchA(config)# interface tunnel 1
SwitchA(config-if-tunnel1)# tunnel mode gre ip
SwitchA(config-if-tunnel1)# ip address 50.1.1.1 255.255.255.0
Configure Tunnel1 to operate in GRE tunnel mode and configure source and destination IP addresses for it:
SwitchA(config-if-tunnel1)# tunnel source 10.1.1.1
SwitchA(config-if-tunnel1)# tunnel destination 40.1.1.1
SwitchA(config-if-tunnel1)# exit
Configure the OSPF protocol:
SwitchA(config)# router ospf
SwitchA(config-router)# network 0.0
324. l / no ip dhcp pool <name>
2. Configure DHCP address pool parameters
DHCP Address Pool Mode
network-address <network-number> [mask | prefix-length] / no network-address - Configure the address scope that can be allocated from the address pool. The no operation of this command cancels the allocation address pool.
default-router <address1> [<address2> ... <address8>] / no default-router - Configure the default gateway for DHCP clients. The no operation cancels the default gateway.
dns-server <address1> [<address2> ... <address8>] / no dns-server - Configure the DNS server for DHCP clients. The no command deletes the DNS server configuration.
domain-name <domain> / no domain-name - Configure the domain name for DHCP clients; the no domain-name command deletes the domain name.
netbios-name-server <address1> [<address2> ... <address8>] / no netbios-name-server - Configure the address of the WINS server. The no operation cancels the server address.
netbios-node-type {b-node | h-node | m-node | p-node | <type-number>} / no netbios-node-type - Configure the node type for DHCP clients. The no operation cancels the node type for DHCP clients.
bootfile <filename> / no bootfile - Configure the file to be imported by DHCP clients on boot-up. The no command cancels this operation.
next-server
325. l type
Admin Mode
show cpu rx protocol <protocol-type> - Show the information of the CPU-received packets of the given protocol type.
debug driver {receive | send} [interface {<interface-name> | all}] [protocol {<protocol-type> | discard | all}] [detail] / no debug driver {receive | send} - Turn on/off the display of CPU receiving or sending packet information.
Chapter 69 Dying Gasp Configuration
69.1 Introduction to Dying Gasp
Dying gasp is a power failure alarm function. It means that in the case of a power failure, the switch can still send information through its Ethernet ports to notify the other switch that its power has failed. Dying gasp is enabled by default, but it can only run normally together with the SNMP management function. So a layer 3 interface should be configured on the switch and connected to the SNMP management server, and SNMP traps should be configured accordingly.
69.2 Dying Gasp Typical Examples
SW1: The dying gasp function of the switch is enabled by default, but it can only run normally together with the SNMP management function. Below are the configuration steps:
Switch(config)# snmp-server enable
Switch(config)# snmp-server securityip X.X.X.X
Switch(config)# snmp-server host X.X.X.X v2c switch
Switch(config)# snmp-server enable traps
Switch(config)# interface vlan N
Switch(config-if-vlanN)# ip address Y.Y.Y.Y 255.255.255
326. lced by FLASH memory in the switch.
SDRAM: RAM memory in the switch, used for system software operation and configuration sequence storage.
FLASH: Flash memory, used to save the system file and the configuration file.
System file: includes the system image file and the boot file. The system image file refers to the compressed file for the switch hardware driver and software support program, usually referred to as the IMAGE upgrade file. In the switch, the system image file may be saved in FLASH only. The switch mandates that the name of the system image file uploaded via FTP in Global Mode be nos.img; other IMAGE system files will be rejected. The boot file refers to the file that initializes the switch, also referred to as the ROM upgrade file (a large file can be compressed as an IMAGE file). In the switch, the boot file may be saved in ROM only. The switch mandates that the name of the boot file be boot.rom.
Configuration file: includes the start-up configuration file and the running configuration file. The distinction between start-up configuration file and running configuration file facilitates the backup and update of the configurations.
The start-up configuration file refers to the configuration sequence used at switch start-up. The start-up configuration file is stored in nonvolatile storage, corresponding to the so-called configuration save. If the device does not support CF, the configuration file is stored in FLASH only; if the device supports CF, the configuration file is stored in
327. le SSL function
Global Mode
ip http secure-server / no ip http secure-server - Enable/disable the SSL function.
2. Configure/delete the port number used by SSL
Global Mode
ip http secure-port <port-number> / no ip http secure-port - Configure the port number used by SSL; the no ip http secure-port command deletes the port number.
3. Configure/delete the secure cipher suite used by SSL
Global Mode
ip http secure-ciphersuite {des-cbc3-sha | rc4-128-sha | des-cbc-sha} / no ip http secure-ciphersuite - Configure/delete the secure cipher suite used by SSL.
4. Maintenance and diagnosis for the SSL function
Admin Mode or Configuration Mode
show ip http secure-server status - Show the configured SSL information.
debug ssl / no debug ssl - Open/close debugging for the SSL function.
48.3 SSL Typical Example
When the Web function is enabled on the switch, SSL can be configured for users to access the web interface on the switch. If SSL has been configured, communication between the client and the switch will be encrypted through SSL for safety. Firstly, SSL should be enabled on the switch. When the client tries to access the switch through the https method, an SSL session will be set up between the switch and the client. When the SSL session has been set up, all data transmission in the application layer will be encrypted.
Web Server Date A
328. le 2: ULPP can implement VLAN-based load balance. As the picture illustrates, SwitchA configures two ULPP groups: port E1/1 is the master port and port E1/2 is the slave port in group1; port E1/2 is the master port and port E1/1 is the slave port in group2. The VLANs protected by group1 are 1-100 and by group2 are 101-200. Here both port E1/1 and port E1/2 are in the forwarding state; the master port and the slave port back each other up and respectively forward the packets of different VLAN ranges. When port E1/1 has a problem, the traffic of VLAN 1-200 is forwarded by port E1/2. When port E1/1 recovers to the normal state, port E1/2 still forwards the data of VLAN 101-200 while the data of VLAN 1-100 is switched back to port E1/1 for forwarding.
SwitchA configuration task list:
Switch(Config)# spanning-tree mst configuration
Switch(Config-Mstp-Region)# instance 1 vlan 1-100
Switch(Config-Mstp-Region)# instance 2 vlan 101-200
Switch(Config-Mstp-Region)# exit
Switch(Config)# ulpp group 1
Switch(ulpp-group-1)# protect vlan-reference-instance 1
Switch(ulpp-group-1)# preemption mode
Switch(ulpp-group-1)# exit
Switch(Config)# ulpp group 2
Switch(ulpp-group-2)# protect vlan-reference-instance 2
Switch(ulpp-group-2)# preemption mode
Switch(ulpp-group-2)# exit
Switch(Config)# interface ethernet 1/1
Switch(config-If-Ethernet1/1)# switchport mode trunk
Switch(config-If-Ethernet1/1)# ulpp group 1 master
Switch(config-If-Ethernet1/1)# ulpp group 2 slave
329. [Figure 37-1: DHCP option 82 typical application example (DHCP client PC, Switch1 Vlan1 eth1/3, DHCP server)]
In the above example, layer 2 Switch1 transmits the request message from the DHCP client to the DHCP server by enabling DHCP snooping. It also transmits the reply message from the server to the DHCP client to finish the DHCP protocol procedure. After the DHCP snooping option 82 function is enabled, Switch1 appends the information of the access port on Switch1 to the request message from the client via option 82. The following is the configuration of Switch1 (MAC address 00-30-4f-02-33-01):
Switch1(config)# ip dhcp snooping enable
Switch1(config)# ip dhcp snooping binding enable
Switch1(config)# ip dhcp snooping information enable
Switch1(Config-If-Ethernet1/12)# ip dhcp snooping trust
The Linux ISC DHCP Server supports option 82; its configuration file /etc/dhcpd.conf is:
ddns-update-style interim;
ignore client-updates;
class "Switch1Vlan1Class1" {
    match if option agent.circuit-id = "Vlan1+Ethernet1/3" and option agent.remote-id = 00:30:4f:02:33:01;
}
subnet 192.168.102.0 netmask 255.255.255.0 {
    option routers 192.168.102.2;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com.cn";
    option domain-name-servers 192.168.10.3;
    authoritative;
    pool {
        range 192.168.102.51 192.168.102.80;
        default-lease-time 43200;  # 12 Hours
        max-lease-time 86400;  # 24 Hours
        allow members of "Swi
330. link must be the same; otherwise GVRP will not work normally. It is recommended to avoid enabling GVRP and RSTP at the same time on the switch. If GVRP needs to be enabled, the RSTP function on the ports must be disabled first.
20.8 Voice VLAN Configuration
20.8.1 Introduction to Voice VLAN
A Voice VLAN is specially configured for user voice data traffic. By setting a Voice VLAN and adding the ports of the connected voice equipment to the Voice VLAN, the user can configure QoS (Quality of Service) for voice data and raise the transmission priority of voice data traffic to ensure calling quality.
The switch judges whether the data traffic is voice data traffic from specified equipment according to the source MAC address field of the data packet entering the port. A packet whose source MAC address complies with the system-defined voice equipment OUI (Organizationally Unique Identifier) is considered voice data traffic and is transmitted to the Voice VLAN.
The configuration is based on MAC address, a mechanism in which every piece of voice equipment transmitting information through the network has its own unique MAC address; the VLAN tracks the address belonging to the specified MAC. By this means the VLAN allows the voice equipment to always belong to the Voice VLAN when relocated physically. The greatest advantage of the Voice VLAN is that the equipment can be automatically placed into the Voice VLAN according to its voice traffic, which wi
331. ll be transmitted at the specified priority. Meanwhile, when voice equipment is physically relocated it still belongs to the Voice VLAN without any further configuration modification, because the mechanism is based on the voice equipment rather than the switch port.
Notice: Voice VLAN needs to associate with the Hybrid attribute of the ports to work, so the ports that may be added to the Voice VLAN must be configured as Hybrid ports.
20.8.2 Voice VLAN Configuration
Voice VLAN Configuration Task Sequence:
1. Set the VLAN as Voice VLAN
2. Add a voice equipment to the Voice VLAN
3. Enable the Voice VLAN on the port
1. Configure the VLAN as Voice VLAN
Global Mode
voice-vlan vlan <vlan-id> / no voice-vlan - Set/cancel the VLAN as a Voice VLAN.
2. Add a voice equipment to a Voice VLAN
Global Mode
voice-vlan mac <mac-address> mask <mac-mask> [priority <priority-id>] [name <voice-name>] / no voice-vlan mac {<mac-address> mask <mac-mask> | name <voice-name> | all} - Specify certain voice equipment to join/leave the Voice VLAN.
3. Enable the Voice VLAN on the port
Port Mode
switchport voice-vlan enable / no switchport voice-vlan enable - Enable/disable the Voice VLAN function on the port.
20.8.3 Typical Applications of the Voice VLAN
Scenario: A company realizes voice communication by configuring a Voice VLAN. IP phone1 and IP phone2 ca
...lly.

2. Configure ULPP group
ULPP group configuration mode:
preemption mode
no preemption mode
    Configure the preemption mode of the ULPP group; the no operation deletes the preemption mode.
preemption delay <integer>
no preemption delay
    Configure the preemption delay; the no operation restores the default value of 30 s.
control vlan <integer>
no control vlan
    Configure the sending control VLAN; the no operation restores the default value of 1.
protect vlan-reference-instance <instance-list>
no protect vlan-reference-instance <instance-list>
    Configure the protection VLANs; the no operation deletes the protection VLANs.
flush enable mac
flush disable mac
    Enable or disable sending the flush packets which update MAC addresses.
flush enable arp
flush disable arp
    Enable or disable sending the flush packets which delete ARP entries.
flush enable mac-vlan
flush disable mac-vlan
    Enable or disable sending the flush packets which delete dynamic unicast MAC addresses according to VLAN.
description <string>
no description
    Configure or delete the ULPP group description.
Port mode:
ulpp control vlan <vlan-list>
no ulpp control vlan <vlan-list>
    Configure the receiving control VLANs; the no operation
ulpp flush enable mac
ulpp flush disable mac
ulpp flush enable arp
ulpp flush disable arp
ulpp flush enable mac-vlan
ulpp flush disable mac-vlan
Global mode:
dot1q-tunnel tpid {0x8100 | 0x9100 | 0x9200 | <1-65535>}
    Configure the global protocol type (TPID) written into the outer tag. It must match the TPID expected by the provider equipment on the uplink, otherwise that equipment will not recognize the outer tag.

20.2.3 Typical Applications of the Dot1q-tunnel
Scenario: Edge switches PE1 and PE2 of the ISP network forward the VLAN 200-300 traffic between CE1 and CE2 of the client network inside VLAN 3. Port 1 of PE1 is connected to CE1 and port 10 to the public network; the TPID of the connected equipment is 0x9100. Port 1 of PE2 is connected to CE2 and port 10 to the public network.
Configuration items:
VLAN 3: port 1 of PE1 and PE2
dot1q-tunnel: port 1 of PE1 and PE2
tpid: 0x9100
Configuration procedure:
PE1:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/1
Switch(Config-Vlan3)#exit
Switch(config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)#dot1q-tunnel enable
Switch(Config-Ethernet1/1)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-Ethernet1/10)#switchport mode trunk
Switch(Config-Ethernet1/10)#exit
Switch(config)#dot1q-tunnel tpid 0x9100
Switch(config)#
PE2:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/1
Switch(Config-Vlan3)#exit
Switch(config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)#dot1q-tunnel enable
Switch(Config-Ethernet1/1)#exit
Switch(config)#interface ethernet 1/10
Switch(Config-Ethernet1/10)#switchport mode trunk
Switch(Config-Ethernet1/10)#exit
Switch(config)#d
...<vlan-id> mrouter-port interface <interface-name>
    (static mrouter port configuration, continued)
ip igmp snooping vlan <vlan-id> mrouter-port learnpim
no ip igmp snooping vlan <vlan-id> mrouter-port learnpim
    Enable the specified VLAN to learn mrouter ports from PIM packets; the no command disables the learnpim function.
ip igmp snooping vlan <vlan-id> mrpt <value>
no ip igmp snooping vlan <vlan-id> mrpt
    Configure the survival time of the mrouter port; the no command restores the default value.
ip igmp snooping vlan <vlan-id> query-interval <value>
no ip igmp snooping vlan <vlan-id> query-interval
    Configure the query interval; the no command restores the default value.
ip igmp snooping vlan <vlan-id> immediately-leave
no ip igmp snooping vlan <vlan-id> immediately-leave
    Enable the IGMP fast leave function for the specified VLAN; the no command disables it.
ip igmp snooping vlan <vlan-id> query-mrsp <value>
no ip igmp snooping vlan <vlan-id> query-mrsp
    Configure the maximum query response period; the no command restores the default value.
ip igmp snooping vlan <vlan-id> query-robustness <
...lue to the packets which match the class map; the no set s-vid command cancels the operation.

25.4.3 Bind flexible QinQ policy map to port
Port mode:
service-policy <policy-map-name> in
no service-policy <policy-map-name> in
    Apply a policy map to a port; the no command deletes the specified policy map applied to the port.
4. Show flexible QinQ policy map bound to port
Admin mode:
show mls qos interface <interface-id>
    Show the flexible QinQ configuration on the port.

25.2 Flexible QinQ Example
[Figure 25-1 Flexible QinQ application topology: DSLAM1 marks Broad Band, VOIP and VOD (video on demand) traffic with DSCP 10, 20 and 30; the switch carries them toward the metropolitan area network and BRAS with outer tags 1001, 2001 and 3001 respectively.]
As shown in the figure, the first user is assigned three DSCP values, 10, 20 and 30, in DSLAM1: DSCP 10 corresponds to the Broad Band network, DSCP 20 to VOIP and DSCP 30 to VOD. After the downlink port enables the flexible QinQ function, packets are encapsulated with different outer tags according to the DSCP of u
...mac {host-source-mac <host_smac> | <smac> <smac-mask> | any-source-mac} {host-destination-mac <host_dmac> | <dmac> <dmac-mask> | any-destination-mac} udp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} [s-port {<port1> | range <sPortMin> <sPortMax>}] {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered MAC-UDP extended access rule; if the numbered extended access list of the specified number does not exist, an access list is created using this number.

access-list <num> {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {<source> <source-wildcard> | any-source | host-source <source-host-ip>} {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [precedence <precedence>] [tos
    Creates a numbered MAC-IP extended access rule; if the numbered extended access list of the specified number does not exist, an access list is created using this number.

(The preceding rows of this table, for the mac-tcp and mac-ip rule forms, continue from the previous page.)
...mall office network or a small-scale metropolitan area network using a layer 3 switch as backbone equipment.

[Figure 20-4 Dot1q-tunnel based internetworking mode: customer networks 1 and 2, each with Trunk VLAN 200-300 on the customer port, are connected through PE1 and PE2 of the SP network; the customer-facing PE ports have QinQ enabled and belong to VLAN 3.]
As shown above, after dot1q-tunnel is enabled on the user port, each user is assigned an SPVLAN identification (SPVID); here the user's identification is 3. The same SPVID should be assigned to the same network user on different PEs. When a packet reaches PE1 from CE1 it carries the VLAN tag (200-300) of the user's internal network. Since the dot1q-tunnel function is enabled, the user port on PE1 adds another VLAN tag whose ID is the SPVID assigned to the user. The packet then travels through the ISP network only in VLAN 3 while carrying two VLAN tags: the outer tag is the SPVID added on entering PE1 and the inner tag is the user's own, so the VLAN information of the user network is transparent to the provider network. When the packet reaches PE2, the outer VLAN tag is removed before the packet is forwarded to CE2 from the client port on PE2, so the packet CE2 receives is identical to the one CE1 sent. Fo
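The tag handling described in the dot1q-tunnel sections (20.2) and in the flexible QinQ example (25) can be shown at the frame level. The following is an added example written for this page, not code from the EM-WGSW-52040 guide or its vendor: it pushes and pops 802.1Q tags the way the PE customer port does, once with a fixed SPVID and provider TPID, and once with the outer VID chosen by DSCP as in the guide's DSLAM example (10 to 1001, 20 to 2001, 30 to 3001). The frame layout is standard Ethernet II / 802.1Q; the helper names, the sample MAC addresses and the assumption that traffic matched by no class map is dropped are this example's own.

```python
"""Added example (not from the EM-WGSW-52040 guide): what the PE ports do to
frames under dot1q-tunnel and flexible QinQ."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
KNOWN_TPIDS = (ETH_P_8021Q, 0x9100, 0x9200)   # the TPIDs the guide lets you configure


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = ETH_P_8021Q) -> bytes:
    """Insert a tag right after the MAC addresses; existing tags stay inside."""
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes, tpids=KNOWN_TPIDS) -> bytes:
    """Remove the outermost tag if its TPID is one we recognise."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid not in tpids:
        raise ValueError("no tag to pop: ethertype 0x%04x" % tpid)
    return frame[:12] + frame[16:]


def outer_vid(frame: bytes, tpids=KNOWN_TPIDS):
    """VID of the outermost tag, or None if the TPID is not recognised
    (this is what a provider switch with the wrong TPID setting sees)."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid not in tpids:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0xFFF


def dscp_of(frame: bytes):
    """DSCP from the IPv4 header, skipping any number of tags; None if not IPv4."""
    off = 12
    while struct.unpack("!H", frame[off:off + 2])[0] in KNOWN_TPIDS:
        off += 4
    if struct.unpack("!H", frame[off:off + 2])[0] != ETH_P_IPV4:
        return None
    return frame[off + 3] >> 2          # TOS byte is the second byte of the IPv4 header


# --- PE customer port, dot1q-tunnel (port based: one SPVID for the whole port) ---

def dot1q_tunnel_ingress(frame: bytes, spvid: int, tpid: int) -> bytes:
    """'dot1q-tunnel enable' on the customer port of PE1: push the SPVID."""
    return push_tag(frame, spvid, tpid=tpid)


def dot1q_tunnel_egress(frame: bytes) -> bytes:
    """Customer port of PE2: strip the SPVID so CE2 gets what CE1 sent."""
    return pop_tag(frame)


# --- downlink port, flexible QinQ (outer VID selected by a class map on DSCP) ---

FLEX_QINQ_MAP = {10: 1001, 20: 2001, 30: 3001}   # DSCP -> outer VID, from the guide's example


def flexible_qinq_ingress(frame: bytes, mapping=FLEX_QINQ_MAP, tpid: int = ETH_P_8021Q):
    """Returns the double-tagged frame, or None when no class map matches
    (assumed dropped by the policy; the guide does not state the default)."""
    vid = mapping.get(dscp_of(frame))
    if vid is None:
        return None
    return push_tag(frame, vid, tpid=tpid)


def customer_frame(vid: int, dscp: int) -> bytes:
    """Constructed sample: an 802.1Q-tagged IPv4 frame as CE1 would send it."""
    dst = bytes.fromhex("003040000002")          # sample addresses, not from the guide
    src = bytes.fromhex("003040000001")
    ip_hdr = bytes([0x45, dscp << 2]) + bytes(18)   # minimal 20-byte IPv4 header, rest zero
    return push_tag(dst + src + struct.pack("!H", ETH_P_IPV4) + ip_hdr, vid)
```

Running `outer_vid(dot1q_tunnel_ingress(f, 3, 0x9100), tpids=(0x8100,))` returns None: a provider switch that still expects TPID 0x8100 does not see the SPVID at all, which is why the guide's scenario sets `dot1q-tunnel tpid 0x9100` to match the connected equipment.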
...mand restores the default value (optional).
no ethernet-oam errored-symbol-period threshold low window
ethernet-oam errored-frame-period threshold low <low-frames> window <seconds>
no ethernet-oam errored-frame-period threshold low window
    Configure the low threshold and window period of the errored frame period event; the no command restores the default value (optional).
ethernet-oam errored-frame threshold low <low-frames> window <seconds>
no ethernet-oam errored-frame threshold low window
    Configure the low threshold and window period of the errored frame event; the no command restores the default value (optional).
ethernet-oam errored-frame-seconds threshold low <low-frame-seconds> window <seconds>
no ethernet-oam errored-frame-seconds threshold low window
    Configure the low threshold and window period of the errored frame seconds event; the no command restores the default value (optional).

3. Configure remote failure
Port mode:
ethernet-oam remote-failure
no ethernet-oam remote-failure
    Enable remote failure detection of EFM OAM (a failure means a critical event or link fault event on the local side); the no command disables the function (optional).
ethernet-oam errored-symbol-period threshold high {<high-symbols> | none}
no ethernet-oam errored-symbol-period thresh
    Configure the high threshold of the errored symbol period event; the no command restores the default value.
...marked with blue lines. The ports marked with x are in the discarding state; the other ports are in the forwarding state. Because instance 3 and instance 4 are only valid inside the MSTP region, the following figure only shows the topology of the MSTP region.
[Figure 22-5 The topology of instance 4 after the MSTP calculation]

22.5 MSTP Troubleshooting
- In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally it cannot be enabled on the port.
- The MSTP parameters depend on each other, so they must satisfy the following conditions; otherwise MSTP may work incorrectly:
  2 x (Bridge_Forward_Delay - 1.0 seconds) >= Bridge_Max_Age
  Bridge_Max_Age >= 2 x (Bridge_Hello_Time + 1.0 seconds)
- When users modify MSTP parameters they must be sure about the resulting changes to the topologies. The global configuration is based on the bridge; the other configurations are based on the individual instances.

Chapter 23 QoS Configuration

23.1 Introduction to QoS
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected traffic. QoS guarantees a consistent and predictable data transfer service to fulfil program requirements. QoS cannot generate extra bandwidth, but it makes more effective use of the band
...me VLAN on two non-adjacent switches can communicate through the GVRP protocol instead of configuring every intermediate switch manually, which simplifies VLAN configuration.

20.7.2 GVRP Configuration Task List
GVRP configuration task list:
1. Configure GVRP timers
2. Configure port type
3. Enable GVRP function

1. Configure GVRP timers (Global mode)
garp timer join <200-500>
garp timer leave <500-1200>
garp timer leaveall <5000-60000>
no garp timer {join | leave | leaveAll}
    Configure the join, leave and leaveall timers for GVRP (values in milliseconds); the no command restores the default.
2. Configure port type (Port mode)
gvrp
no gvrp
    Enable/disable the GVRP function on the port.
3. Enable GVRP function (Global mode)
gvrp
no gvrp
    Enable/disable the global GVRP function.

20.7.3 Example of GVRP
[Figure 20-11 Typical GVRP application topology: Switch A - Switch B - Switch C, with a PC attached to Switch A and to Switch C]
To enable dynamic VLAN registration and update among switches, the GVRP protocol is configured on the switches. Configure GVRP on Switches A, B and C so that Switch B learns VLAN 100 dynamically and the two workstations connected to VLAN 100 on Switches A and C can communicate with each other through Switch B without static VLAN 100 entries.
Configuration items:
VLAN 100: ports 2-6 of Switch A and Switch C
Trunk port: port 11 of Switch A and
...me-range t1
Switch(Config-Time-Range-t1)#periodic weekdays 9:00:00 to 12:00:00
Switch(Config-Time-Range-t1)#periodic weekdays 13:00:00 to 18:00:00
2. Configure the extended IP ACL vacl_a: during working hours it only allows access to resources within the internal network 192.168.0.0/24.
Switch(config)#ip access-list extended vacl_a
Switch(Config-IP-Ext-Nacl-vacl_a)#permit ip any-source 192.168.0.0 0.0.0.255 time-range t1
Switch(Config-IP-Ext-Nacl-vacl_a)#deny ip any-source any-destination time-range t1
Note that both rules of vacl_a are bound to t1: outside the working hours neither rule is active, so vacl_a then imposes no restriction at all.
3. Configure the extended IP ACL vacl_b: at any time it only allows access to resources within the internal network 192.168.1.0/24.
Switch(config)#ip access-list extended vacl_b
Switch(Config-IP-Ext-Nacl-vacl_b)#permit ip any-source 192.168.1.0 0.0.0.255
Switch(Config-IP-Ext-Nacl-vacl_b)#deny ip any-source any-destination
4. Apply the configuration to the VLANs.
Switch(config)#firewall enable
Switch(config)#vacl ip access-group vacl_a in vlan 1
Switch(config)#vacl ip access-group vacl_b in vlan 2

53.4 VLAN ACL Troubleshooting
- When a VLAN ACL and a Port ACL are configured at the same time and both are of the same kind (both IP ACLs or both MAC ACLs), the priority is port > VLAN: if a packet matches a rule on the port and a rule on the VLAN at the same time, only the port rule takes effect. In this case the deny-priority principle is not honoured, i.e. a deny in the VLAN ACL does not override a permit in the Port ACL. If the two ACLs are of different kinds, the deny-priority principle is honoured
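The time-range ACL example above and the port-versus-VLAN precedence rule from the troubleshooting notes can be modelled together. The following is an added example written for this page, not code from the EM-WGSW-52040 guide or its vendor: it transcribes the guide's t1, vacl_a and vacl_b configuration into data, evaluates constructed packets against them at different times, and applies the precedence rule (same kind: the port ACL shadows the VLAN ACL when it matches; different kinds: a deny from either side wins). Assumptions not stated by the guide and made here: rules are checked top to bottom and the first match wins, a rule outside its time range is skipped, and a packet matched by no rule in any applicable ACL is permitted.

```python
"""Added example (not from the EM-WGSW-52040 guide): time-range ACLs and
port ACL / VLAN ACL precedence as described in the VLAN ACL chapter."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class TimeRange:
    name: str
    periods: list          # [(weekdays_only, "HH:MM:SS", "HH:MM:SS"), ...]

    def active(self, when: datetime) -> bool:
        clock = when.strftime("%H:%M:%S")
        for weekdays_only, start, end in self.periods:
            if weekdays_only and when.weekday() >= 5:   # Saturday/Sunday
                continue
            if start <= clock <= end:
                return True
        return False


def _in_net(address: str, net: str) -> bool:
    """'any' matches everything; otherwise CIDR containment."""
    return net == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(net)


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: str = "any"       # CIDR for ip ACLs, MAC string for mac ACLs
    dst: str = "any"
    time_range: str = None

    def matches(self, kind: str, pkt: dict) -> bool:
        if kind == "ip":
            return _in_net(pkt["src_ip"], self.src) and _in_net(pkt["dst_ip"], self.dst)
        return self.src in ("any", pkt["src_mac"]) and self.dst in ("any", pkt["dst_mac"])


@dataclass
class Acl:
    name: str
    kind: str              # "ip" or "mac"
    rules: list

    def evaluate(self, pkt: dict, when: datetime, ranges: dict):
        """Action of the first matching active rule, or None when nothing matches."""
        for r in self.rules:
            if r.time_range and not ranges[r.time_range].active(when):
                continue                       # rule inactive outside its time range
            if r.matches(self.kind, pkt):
                return r.action
        return None


# The guide's configuration, transcribed.
RANGES = {"t1": TimeRange("t1", [(True, "09:00:00", "12:00:00"),
                                 (True, "13:00:00", "18:00:00")])}
VACL_A = Acl("vacl_a", "ip", [Rule("permit", "any", "192.168.0.0/24", "t1"),
                              Rule("deny", "any", "any", "t1")])
VACL_B = Acl("vacl_b", "ip", [Rule("permit", "any", "192.168.1.0/24"),
                              Rule("deny", "any", "any")])


def decide(pkt: dict, when: str, port_acls=(), vlan_acls=(), ranges=RANGES) -> str:
    """Precedence from the troubleshooting notes. 'when' is 'YYYY-MM-DD HH:MM:SS'."""
    when = datetime.fromisoformat(when)
    by_kind = {}
    for acl in port_acls:                      # port ACLs are consulted first
        by_kind[acl.kind] = acl.evaluate(pkt, when, ranges)
    for acl in vlan_acls:                      # same-kind VLAN ACL only if port ACL did not match
        if by_kind.get(acl.kind) is None:
            by_kind[acl.kind] = acl.evaluate(pkt, when, ranges)
    if "deny" in by_kind.values():             # across kinds: deny priority
        return "deny"
    return "permit"                            # no match anywhere: assumed permit
```

The constructed packets in the checks show the two things worth knowing before deploying vacl_a: during the lunch break (12:00 to 13:00) and at weekends it permits everything, and an IP ACL on the port with a permit-any rule silently cancels its deny.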
...messages sent by users with the specified IP or MAC-IP addresses can be forwarded via the interface, which strengthens the security monitoring of the network.

44.2 AM Function Configuration Task List
1. Enable the AM function
2. Enable the AM function on an interface
3. Configure the forwarding IP
4. Configure the forwarding MAC-IP
5. Delete all configured IP or MAC-IP pools, or both
6. Display the relevant AM configuration information

1. Enable the AM function (Global mode)
am enable
no am enable
    Globally enable or disable the AM function.
2. Enable the AM function on an interface (Port mode)
am port
no am port
    Enable/disable the AM function on the port. When the AM function is enabled on a port, no IP or ARP message is forwarded by default; only sources configured in the pools below pass.
3. Configure the forwarding IP (Port mode)
am ip-pool <ip-address> <num>
no am ip-pool <ip-address> <num>
    Configure the forwarding IP pool of the port: <num> addresses starting at <ip-address>.
4. Configure the forwarding MAC-IP (Port mode)
am mac-ip-pool <mac-address> <ip-address>
no am mac-ip-pool <mac-address> <ip-address>
    Configure the forwarding MAC-IP binding of the port.
5. Delete all configured IP or MAC-IP pools, or both (Global mode)
no am all [ip-pool | mac-ip-pool]
    Delete the MAC-IP address pools, the IP address pools, or both, configured by all users.
6. Display the relevant
...mic VLAN
[Figure 20-9 Dynamic VLAN Troubleshooting]

20.7 GVRP Configuration

20.7.1 Introduction to GVRP
GVRP, i.e. the GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP provides an attribute transmission mechanism so that protocol entities can register and deregister attributes. According to the attribute transmitted, GARP has several application protocols, such as GMRP and GVRP. GVRP is thus the protocol that propagates VLAN attributes across the whole layer 2 network through GARP.
[Figure 20-10 A typical application scene: Devices A and G, both configured with VLAN 100-1000, connected through the intermediate Devices B, C, D, E and F]
Switches A and G are not directly connected in the layer 2 network; B, C, D, E and F are the intermediate switches connecting A and G. Switches A and G are configured with VLAN 100-1000 manually, while B, C, D, E and F are not. When GVRP is not enabled, A and G cannot communicate with each other because the intermediate switches lack the relevant VLANs. After GVRP is enabled on all switches, its VLAN attribute transmission mechanism lets the intermediate switches register the VLANs dynamically, and VLAN 100-1000 on A and G can communicate. The VLANs dynamically registered by the intermediate switches are deregistered when VLAN 100-1000 is deregistered manually on switches A and G. So the sa
...mic maximum
    Enable and disable the number limitation function of ARP on the ports.
no switchport nd dynamic maximum
    Enable and disable the number limitation function of ND on the ports.
2. Enable the number limitation function of MAC and IP in a VLAN
VLAN configuration mode:
vlan mac-address dynamic maximum <value>
no vlan mac-address dynamic maximum
    Enable and disable the number limitation function of MAC in the VLAN.
Interface configuration mode:
ip arp dynamic maximum <value>
no ip arp dynamic maximum
    Enable and disable the number limitation function of ARP in the VLAN.
ipv6 nd dynamic maximum <value>
no ipv6 nd dynamic maximum
    Enable and disable the number limitation function of neighbors (ND) in the VLAN.
3. Configure the timeout value of querying dynamic MAC (Global configuration mode)
mac-address query timeout <seconds>
    Configure the timeout value of querying dynamic MAC.
4. Configure the violation mode of ports (Port mode)
switchport mac-address violation {protect | shutdown} [recovery <5-3600>]
no switchport mac-address violation
    Set the violation mode of the port; the no command restores the violation mode to protect.
5. Display and debug the relevant information of number limitation of MAC and IP on ports (Admin mode)
show mac-address dynamic count {vlan <vlan-id> | interface ethernet <portName>}
    Display the number of dynamic MAC addresses on the corresponding ports and VLAN.
show arp dynamic count {vlan <vlan-id> | interface ethernet <
...mode.
As shown in the figure, ports 1, 2, 3 and 4 of S1 are access ports and are added to port-group 1 in "on" mode; ports 6, 8, 9 and 10 of S2 are access ports and are added to port-group 2 in "on" mode. The configuration steps are listed below.
Switch1:
Switch1(config)#interface ethernet 1/1
Switch1(Config-If-Ethernet1/1)#port-group 1 mode on
Switch1(Config-If-Ethernet1/1)#exit
Switch1(config)#interface ethernet 1/2
Switch1(Config-If-Ethernet1/2)#port-group 1 mode on
Switch1(Config-If-Ethernet1/2)#exit
Switch1(config)#interface ethernet 1/3
Switch1(Config-If-Ethernet1/3)#port-group 1 mode on
Switch1(Config-If-Ethernet1/3)#exit
Switch1(config)#interface ethernet 1/4
Switch1(Config-If-Ethernet1/4)#port-group 1 mode on
Switch1(Config-If-Ethernet1/4)#exit
Switch2:
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/6
Switch2(Config-If-Ethernet1/6)#port-group 2 mode on
Switch2(Config-If-Ethernet1/6)#exit
Switch2(config)#interface ethernet 1/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode on
Switch2(Config-If-Port-Range)#exit
Configuration result: ports 1, 2, 3 and 4 of S1 are added to port-group 1 in order. A group in "on" mode is joined forcibly: the switch at the other end does not exchange LACP PDUs to complete the aggregation. Aggregation finishes immediately when the command adding ports 1 and 2 to port-group 1 is entered; ports 1 and 2 aggregate to be
...monitor and capture the messages destined for PC2.
2. PC4 sends ARP messages advertising that the IP address of PC2 is mapped to an illegal MAC address, which prevents PC2 from receiving the messages sent to it. In particular, if the attacker pretends to be the gateway and performs ARP spoofing, the whole network collapses.
[Figure 29-1 ARP GUARD schematic diagram]
The filtering entries of the switch are used to protect the ARP entries of important network devices from being imitated by other devices. The basic principle is to use the filtering entries of the switch to check every ARP message entering through the port: if the source address of the ARP message is a protected address, the message is dropped directly and not forwarded.
The ARP GUARD function is usually used to protect the gateway from being attacked. If every PC accessing the network were to be protected from ARP spoofing, a large number of ARP GUARD addresses would have to be configured on the port, which would take up a large part of the FFP entries in the chip and might affect other applications; so this is inappropriate. The related FREE RESOURCE access scheme is recommended instead; please refer to the relevant documents for details.

29.2 ARP GUARD Configuration Task List
1. Configure the protected IP address (Port configuration mode)
arp-guard ip <addr>
no arp-guard ip <addr>
    Configure/delete the ARP GUARD ad
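The AM function (44.2) and ARP GUARD (29.1) are both ingress filters keyed on the source of IP and ARP messages, so one model can show how they decide. The following is an added example written for this page, not code from the EM-WGSW-52040 guide or its vendor. The behaviour taken from the guide is: with AM enabled on a port, IP and ARP messages are dropped unless their source matches an `am ip-pool` range or an `am mac-ip-pool` binding; ARP GUARD drops any ARP message whose source address is a protected address. Everything else (the packet representation, the order in which the two checks run, treating an ARP message's sender IP as the source that AM checks, and the sample addresses) is this example's own assumption.

```python
"""Added example (not from the EM-WGSW-52040 guide): a port's AM and
ARP GUARD ingress checks run over constructed packets."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    am_enabled: bool = False                            # 'am enable' + 'am port'
    ip_pools: list = field(default_factory=list)        # [(first_ip, count), ...]
    mac_ip_pools: list = field(default_factory=list)    # [(mac, ip), ...]
    arp_guard_ips: set = field(default_factory=set)     # protected addresses

    # The guide's configuration commands, modelled as methods.
    def am_ip_pool(self, first_ip: str, count: int):
        self.ip_pools.append((ipaddress.IPv4Address(first_ip), count))

    def am_mac_ip_pool(self, mac: str, ip: str):
        self.mac_ip_pools.append((mac.lower(), ipaddress.IPv4Address(ip)))

    def arp_guard_ip(self, ip: str):
        self.arp_guard_ips.add(ipaddress.IPv4Address(ip))

    def _am_allows(self, src_mac: str, src_ip) -> bool:
        for first, count in self.ip_pools:
            if first <= src_ip < first + count:         # <num> consecutive addresses
                return True
        return (src_mac.lower(), src_ip) in self.mac_ip_pools   # MAC and IP must both match

    def admit(self, pkt: dict) -> tuple:
        """(forward?, reason) for an ingress packet.
        pkt: {"type": "ip" | "arp" | "other", "src_mac": str, "src_ip": str}"""
        if pkt["type"] == "other":
            return True, "not IP/ARP: AM and ARP GUARD do not apply"
        src_ip = ipaddress.IPv4Address(pkt["src_ip"])
        if pkt["type"] == "arp" and src_ip in self.arp_guard_ips:
            return False, "ARP GUARD: sender claims protected address %s" % src_ip
        if self.am_enabled and not self._am_allows(pkt["src_mac"], src_ip):
            return False, "AM: source not in any ip-pool or mac-ip-pool"
        return True, "forwarded"


def build_demo_port() -> Port:
    """Constructed configuration: an access port protecting the gateway 10.0.0.1
    (addresses and MACs are sample values, not from the guide)."""
    p = Port("Ethernet1/1", am_enabled=True)
    p.am_ip_pool("10.0.0.10", 5)                   # 10.0.0.10 .. 10.0.0.14
    p.am_mac_ip_pool("00-30-4f-00-00-02", "10.0.0.50")
    p.arp_guard_ip("10.0.0.1")
    return p
```

A point the model makes visible: AM with an IP-only pool checks the IP address and nothing else, so a station that picks an address inside the pool passes; the MAC-IP pool form ties the address to one MAC, and ARP GUARD is what stops a pool member from answering ARP on the gateway's behalf.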
...n
    Display and debug the relevant information of port loopback detection.
5. Configure the loopback detection control mode (automatic recovery enabled or not)

1. Configure the time interval of loopback detection (Global mode)
loopback-detection interval-time <loopback> <no-loopback>
no loopback-detection interval-time
    Configure the time interval of loopback detection.
2. Enable the function of port loopback detection (Port mode)
loopback-detection specified-vlan <vlan-list>
no loopback-detection specified-vlan <vlan-list>
    Enable and disable the function of port loopback detection.
3. Configure the control method of port loopback detection (Port mode)
loopback-detection control {shutdown | block | learning}
no loopback-detection control
    Enable and disable the control function of port loopback detection.
4. Display and debug the relevant information of port loopback detection (Admin mode)
debug loopback-detection
no debug loopback-detection
    Enable the debug information of the port loopback detection module; the no operation of this command disables the debug information.
show loopback-detection [interface <interface-list>]
    Display the state and result of loopback detection of all ports if no parameter is provided; otherwise display the state and result of the corresponding ports.
5. Configure the loopback detection control mode (automatic recovery enabl
...n (Port mode)
sflow data-len <length-value>
no sflow data-len
    Configure the max length of the data packet in sFlow; the no form of this command restores the default.
6. Configure the sampling rate value (Port mode)
sflow rate {input <input-rate> | output <output-rate>}
no sflow rate {input | output}
    Configure the sampling rate used when sFlow performs hardware sampling; the no command deletes the rate value.
7. Configure the sFlow statistic sampling interval (Port mode)
sflow counter-interval <interval-value>
no sflow counter-interval
    Configure the max interval used when sFlow performs statistic sampling; the no form of this command deletes it.
8. Configure the analyzer used by sFlow (Global mode)
sflow analyzer sflowtrend
no sflow analyzer sflowtrend
    Set the analyzer used by sFlow; the no command deletes the analyzer.

59.3 sFlow Examples
[Figure 59-1 sFlow configuration topology: SwitchA connected to a PC running the sFlow analyzer]
As shown in the figure, sFlow sampling is enabled on ports 1/1 and 1/2 of the switch. Assume the sFlow analysis software is installed on the PC with the address 192.168.1.200. The address of the layer 3 interface of SwitchA connected with the PC is 192.168.1.100, and a loopback interface with the address 10.1.144.2 is configured on SwitchA. The sFlow configuration procedure is as follow
...n on Ethernet2 of switch A.
2. An LLDP-MED device is able to send LLDP packets with MED TLVs on its own initiative, so the corresponding Remote table on Ethernet1 of switch A contains the LLDP-MED information.

17.4 LLDP-MED Troubleshooting
If problems occur when configuring LLDP-MED, please check whether they are caused by the following reasons:
- Check whether global LLDP is enabled.
- A network connection device only sends LLDP-MED TLVs after it has received LLDP packets with LLDP-MED TLVs from the neighbouring MED device. If the network connection device has been configured to send LLDP-MED TLVs but the packets sent by the port still carry no LLDP-MED TLV, then no MED information has been received on that port and the port has not enabled sending of LLDP-MED information.
- If the neighbour device has sent LLDP-MED information to the network connection device but the show lldp neighbors command shows no LLDP-MED information, the LLDP-MED information sent by the neighbour is erroneous.

Chapter 18 bpdu-tunnel Configuration

18.1 Introduction to bpdu-tunnel
BPDU Tunnel is a layer 2 tunnelling technology. It allows layer 2 protocol packets of geographically dispersed private network users to be transmitted transparently over specific tunnels across a service provider network.
18.1.1 bpdu-tunnel function
In MAN applications, multiple branches of a corporation may connect with each other through the service provider network; the VPN provided by the service provider ena
...n 100
SwitchB(config-vlan100)#switchport access ethernet 1/15
SwitchB(config-vlan100)#exit
SwitchB(config)#vlan 101
SwitchB(config-vlan101)#switchport access ethernet 1/20
SwitchB(config-vlan101)#exit
SwitchB(config)#interface ethernet 1/10
SwitchB(Config-If-Ethernet1/10)#switchport mode trunk
SwitchB(Config-If-Ethernet1/10)#exit
SwitchB(config)#vlan 20
SwitchB(config-vlan20)#multicast-vlan
SwitchB(config-vlan20)#multicast-vlan association 100 101
SwitchB(config-vlan20)#exit
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 20
When the multicast VLAN supports IPv6 multicast, usage is the same as with IPv4 except that MLD snooping is used, so no separate example is given.

Chapter 41 ACL Configuration

41.1 Introduction to ACL
An ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It provides network traffic control by granting or denying access through the switch, effectively safeguarding the security of the network. The user lays down a set of rules according to information specific to packets; each rule describes the action, permit or deny, for a packet matching certain information. The user can apply such rules to the incoming direction of switch ports, so that data streams on the specified ports must comply with the assigned ACL rules.
41.1.1 Access list
An access list is a sequential collection of condit
...n Identification
PSE: Power Source Entity   PD: Power Device   IN: Inventory
MED Capabilities: CAP, NP, PD, IN
MED Device Type: Endpoint Class III
Media Policy Type: Voice
Media Policy: Tagged
Media Policy Vlan id: 10
Media Policy Priority: 3
Media Policy Dscp: 5
Power Type: PD
Power Source: Primary power source
Power Priority: low
Power Value: 15.4 Watts
Hardware Revision:
Firmware Revision: 4.0.1
Software Revision: 6.2.30.0
Serial Number:
Manufacturer Name:
Model Name: Unknown
Asset ID: Unknown
IEEE 802.3 Information:
auto-negotiation support: Supported
auto-negotiation support: Not Enabled
PMD auto-negotiation advertised capability: 1
operational MAU type: 1

SwitchA#show lldp neighbors interface ethernet 1/2
Port name: interface ethernet 1/2
Port Remote Counter: 1
Neighbor Index: 1
Port name: Ethernet1/2
Port Remote Counter: 1
TimeMark: 20
ChassisIdSubtype: 4
ChassisId: 00-30-4f-00-00-02
PortIdSubtype: Local
PortId: 1
PortDesc: Ethernet1/1
SysName:
SysDesc:
SysCapSupported: 4
SysCapEnabled: 4
Explanation:
1. Both Ethernet2 of switch A and Ethernet1 of switch B are ports of network connection devices, so they do not send LLDP packets with MED TLV information on their own initiative. Although Ethernet1 of switch B is configured to send MED TLV information, it does not send the related MED information, which results in the corresponding Remote table lacking the related MED informatio
...n be connected to any port of the switch for normal communication, and the switch interconnects with other switches through its uplink port. IP phone1 (MAC address 00-30-4f-11-22-33) connects to port 1/1 of the switch; IP phone2 (MAC address 00-30-4f-11-22-55) connects to port 1/2 of the switch.
[Figure 20-12 Voice VLAN typical application topology: IP phone1 and IP phone2 on ports 1/1 and 1/2, uplink on port 1/10]
Configuration items:
Voice VLAN: global configuration on the switch
Configuration procedure:
Switch 1:
Switch(config)#vlan 100
Switch(Config-Vlan100)#exit
Switch(config)#voice-vlan vlan 100
Switch(config)#voice-vlan mac 00-30-4f-11-22-33 mask 255 priority 5 name company
Switch(config)#voice-vlan mac 00-30-4f-11-22-55 mask 255 priority 5 name company
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport mode trunk
Switch(Config-If-Ethernet1/10)#exit
Switch(config)#interface ethernet 1/1
Switch(Config-If-Ethernet1/1)#switchport mode hybrid
Switch(Config-If-Ethernet1/1)#switchport hybrid allowed vlan 100 untag
Switch(Config-If-Ethernet1/1)#exit
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#switchport mode hybrid
Switch(Config-If-Ethernet1/2)#switchport hybrid allowed vlan 100 untag
Switch(Config-If-Ethernet1/2)#exit

20.8.4 Voice VLAN Troubleshooting
- Voice VLAN cannot be applied concurrently with MAC-based VLAN.
- The Voice VLAN supports a maximum of 1024 sets of voice equipment; the
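The classification that the Voice VLAN sections describe (20.8.1 to 20.8.4) can be shown with the guide's own topology: VLAN 100 as the Voice VLAN, two phones on hybrid ports 1/1 and 1/2. The following is an added example written for this page, not code from the EM-WGSW-52040 guide or its vendor. From the guide it takes that an entry is `voice-vlan mac <mac> mask <mask> priority <p>`, that a frame whose source MAC matches an entry is forwarded in the Voice VLAN at that priority, that the port must be Hybrid, and the 1024-entry limit. The mask is modelled as a MAC-format bitmask (an assumption; the guide's `mask 255` shorthand is not defined on this page), and a non-matching frame is assumed to stay in the port's default VLAN.

```python
"""Added example (not from the EM-WGSW-52040 guide): source-MAC based
Voice VLAN classification on hybrid ports."""
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True)
class VoiceEntry:
    mac: str
    mask: str          # MAC-format mask (assumed form); ff-ff-ff-00-00-00 matches an OUI
    priority: int
    name: str

    def matches(self, src_mac: str) -> bool:
        m = mac_to_int(self.mask)
        return mac_to_int(src_mac) & m == mac_to_int(self.mac) & m


class VoiceVlanSwitch:
    MAX_ENTRIES = 1024                     # limit from the troubleshooting notes

    def __init__(self, voice_vlan: int):
        self.voice_vlan = voice_vlan       # 'voice-vlan vlan <vlan-id>'
        self.entries = []
        self.ports = {}                    # port -> {"mode", "pvid", "voice"}

    def add_equipment(self, mac, mask, priority, name):
        """'voice-vlan mac <mac> mask <mask> priority <p> name <n>'"""
        if len(self.entries) >= self.MAX_ENTRIES:
            raise ValueError("Voice VLAN supports at most 1024 sets of voice equipment")
        self.entries.append(VoiceEntry(mac, mask, priority, name))

    def configure_port(self, port, mode="hybrid", pvid=1, voice=True):
        """'switchport mode hybrid' + 'switchport voice-vlan enable'"""
        if voice and mode != "hybrid":
            raise ValueError("Voice VLAN requires a Hybrid port: %s is %s" % (port, mode))
        self.ports[port] = {"mode": mode, "pvid": pvid, "voice": voice}

    def classify(self, port: str, src_mac: str) -> tuple:
        """(vlan, priority, entry name) for an untagged frame arriving on port.
        Only the source MAC is consulted, exactly as the guide describes."""
        cfg = self.ports[port]
        if cfg["voice"]:
            for e in self.entries:
                if e.matches(src_mac):
                    return self.voice_vlan, e.priority, e.name
        return cfg["pvid"], 0, None        # assumed: stays in the port's default VLAN


def build_demo() -> VoiceVlanSwitch:
    """The guide's scenario: Voice VLAN 100, two phones, plus one plain port."""
    sw = VoiceVlanSwitch(100)
    sw.add_equipment("00-30-4f-11-22-33", "ff-ff-ff-ff-ff-ff", 5, "company")
    sw.add_equipment("00-30-4f-11-22-55", "ff-ff-ff-ff-ff-ff", 5, "company")
    sw.configure_port("Ethernet1/1")
    sw.configure_port("Ethernet1/2")
    sw.configure_port("Ethernet1/5", voice=False)   # ordinary port, not in the guide
    return sw
```

The checks include a laptop on port 1/1 sending with phone1's MAC: it is classified exactly like the phone, since nothing but the source address is examined. That is the relocation convenience the guide describes and also the reason to keep the entry masks as narrow as the deployment allows.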
...n for the specified ports.
loopback
no loopback
    Enables/disables the loopback test function for the specified ports.
storm-control {unicast | broadcast | multicast} {kbps <Kbits> | pps <PPS>}
no storm-control {unicast | broadcast | multicast}
    Enables the storm control function for broadcasts, multicasts and unicasts with unknown destinations (short for broadcast, multicast and unknown unicast) and sets the allowed packet count or bit count per second; the no form of this command disables the storm control function.
switchport flood-control {bcast | mcast | ucast}
no switchport flood-control {bcast | mcast | ucast}
    Configure the switch to stop transmitting broadcast, unknown multicast or unknown unicast packets to the specified port; the no command restores the default configuration. Note: this switch does not support this command.
port-scan-mode {interrupt | poll}
no port-scan-mode
    Configure the port scan mode as interrupt or poll mode; the no command restores the default port scan mode.
rate-violation <200-2000000> [recovery <0-86400>]
no rate-violation
    Set the max packet reception rate of a port. If the rate of received packets exceeds the configured rate, the port is shut down and re-enabled after the configured recovery time (default 300 s). The no command disables the rate-violation function of the port.
Port mode:
switchport discard packet all
    Configure the port
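The `rate-violation` and `storm-control` commands in the table above are both rate guards, but they react differently: one caps a traffic class, the other takes the whole port down for a recovery period. The following is an added example written for this page, not code from the EM-WGSW-52040 guide or its vendor. It runs both policies over constructed per-second packet counts. From the guide it takes the rate-violation semantics (port shut down when the received rate exceeds the threshold, restored after the recovery time, default 300 s) and the per-class storm-control cap in pps. Counting in one-second buckets, dropping only the excess above a storm-control cap, and reading `recovery 0` as "stay down until manually re-enabled" are this example's own simplifications and assumptions.

```python
"""Added example (not from the EM-WGSW-52040 guide): time-sliced model of
'rate-violation <pps> recovery <s>' and 'storm-control <class> pps <n>'."""
from dataclasses import dataclass, field

DEFAULT_RECOVERY = 300      # seconds, the default the guide states


@dataclass
class PortPolicer:
    rate_violation_pps: int = None                      # None: rate-violation not configured
    recovery_seconds: int = DEFAULT_RECOVERY
    storm_limits: dict = field(default_factory=dict)    # class -> allowed pps
    down_until: int = None                              # second at which the port re-enables
    log: list = field(default_factory=list)

    def is_up(self, now: int) -> bool:
        if self.down_until is None:
            return True
        if self.recovery_seconds == 0:                  # assumption: 0 = no automatic recovery
            return False
        if now >= self.down_until:
            self.down_until = None
            self.log.append("%ds: port recovered" % now)
            return True
        return False

    def tick(self, now: int, counts: dict) -> dict:
        """Process one second of traffic; counts: class -> packets received.
        Returns class -> packets forwarded."""
        if not self.is_up(now):
            return {c: 0 for c in counts}
        total = sum(counts.values())
        if self.rate_violation_pps is not None and total > self.rate_violation_pps:
            self.down_until = now + self.recovery_seconds
            self.log.append("%ds: %d pps exceeds %d, port shut down"
                            % (now, total, self.rate_violation_pps))
            return {c: 0 for c in counts}               # nothing forwarded this second
        forwarded = {}
        for cls, n in counts.items():
            cap = self.storm_limits.get(cls)
            forwarded[cls] = n if cap is None else min(n, cap)
            if cap is not None and n > cap:
                self.log.append("%ds: storm-control dropped %d %s packets" % (now, n - cap, cls))
        return forwarded


def run(policer: PortPolicer, samples: list) -> list:
    """samples: [(second, counts), ...]; returns the forwarded counts per sample."""
    return [policer.tick(t, c) for t, c in samples]


# Constructed traffic: normal, a broadcast storm, a flood past the threshold, then quiet.
SAMPLE = [
    (0, {"unicast": 500, "broadcast": 20}),
    (1, {"unicast": 500, "broadcast": 5000}),      # broadcast storm: capped, port stays up
    (2, {"unicast": 250000, "broadcast": 5}),      # above rate-violation: port shut down
    (3, {"unicast": 500, "broadcast": 20}),        # port is down
    (63, {"unicast": 500, "broadcast": 20}),       # recovery time elapsed
]


def demo() -> tuple:
    """rate-violation 200000 recovery 60; storm-control broadcast pps 1000."""
    p = PortPolicer(rate_violation_pps=200000, recovery_seconds=60,
                    storm_limits={"broadcast": 1000})
    return run(p, SAMPLE), p.log
```

The sample shows the operational difference: the storm-control cap keeps the port usable during the broadcast storm, while a rate violation disconnects everything behind the port for the whole recovery window, so the threshold should sit well above the legitimate peak rate of that port.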
...n this scenario the NMS uses a Trap verification community string of usertrap. The configuration on the switch is listed below:
Switch(config)#snmp-server host 2004:1:2:3::2 v1 usertrap
Switch(config)#snmp-server enable traps
Note that with SNMP v1 the community string is carried in clear text in every Trap packet.

4.4.6 SNMP Troubleshooting
When users configure SNMP, the SNMP server may fail to run properly due to physical connection failure, wrong configuration, etc. Users can troubleshoot the problems by following the guide below:
- Check that the physical connection is in good condition.
- Check that the interface and data link layer protocol are Up (use the show interface command), and verify the connection between the switch and the host with ping.
- Check that the switch has enabled the SNMP Agent server function (use the snmp-server command).
- Check that the secure IP for the NMS (snmp-server securityip command) and the community string (snmp-server community command) are correctly configured; if either is wrong, SNMP cannot communicate with the NMS properly.
- If the Trap function is required, remember to enable Trap (snmp-server enable traps command) and to properly configure the target host IP address and community string for Trap (snmp-server host command), so that Trap messages can be sent to the specified host.
- If the RMON function is required, RMON must be enabled first (rmon enable command).
- Use the show snmp command to verify sent and received SNMP messages. Use show
...nation DHCPv6 address pool configuration mode:
network-address <ipv6-pool-start-address> {<ipv6-pool-end-address> | <prefix-length>} [eui-64]
no network-address
    Configure the range of assignable IPv6 addresses of the address pool.
dns-server <ipv6-address>
no dns-server <ipv6-address>
    Configure the DNS server address for DHCPv6 clients.
domain-name <domain-name>
no domain-name <domain-name>
    Configure the DHCPv6 client domain name.
excluded-address <ipv6-address>
no excluded-address <ipv6-address>
    Exclude an IPv6 address from dynamic assignment in the address pool.
lifetime {<valid-time> | infinity} {<preferred-time> | infinity}
no lifetime
    Configure the valid time and preferred time of the DHCPv6 address pool.
3. Enable the DHCPv6 server function on a port (Interface configuration mode)
ipv6 dhcp server <poolname> [preference <value>] [rapid-commit] [allow-hint]
no ipv6 dhcp server <poolname>
    Enable the DHCPv6 server function on the specified port and bind the DHCPv6 address pool to be used.

32.3 DHCPv6 Relay Delegation Configuration
DHCPv6 relay delegation configuration task list:
1. Enable/disable the DHCPv6 service
2. Configure DHCPv6 relay delegation on a port

1. Enable the DHCPv6 service (Global mode)
service dhcpv6
    Enable the DHCPv6 servi
nce <precedence>] [tos <tos>] [time-range <time-range-name>]

c. Exit MAC-IP Configuration Mode
Extended name-based MAC-IP access mode:
  exit
    Quit extended name-based MAC-IP access mode.

10. Configuring a numbered standard IPv6 access list
Global Mode:
  ipv6 access-list <num> {deny | permit} {<sIPv6Addr/sPrefixlen> | any-source | host-source <sIPv6Addr>}
  no ipv6 access-list <num>
    Creates a numbered standard IPv6 access list; if the access list already exists, the rule is added to the current access list. The no access-list <num> command deletes the numbered standard IPv6 access list.

11. Configuring a standard IPv6 access list based on nomenclature
a. Create a standard IPv6 access list based on nomenclature
Global Mode:
  ipv6 access-list standard <name>
  no ipv6 access-list standard <name>
    Creates a name-based standard IPv6 access list; the no command deletes the name-based standard IPv6 access list.

b. Specify multiple permit or deny rules
Standard IPv6 ACL Mode:
  [no] {deny | permit} {<sIPv6Prefix/sPrefixlen> | any-source | host-source <sIPv6Addr>}
    Creates a name-based standard IPv6 access rule; the no form of the command deletes the name-based standard IPv6 access rule.

c. Exit name-based standard IPv6 ACL configuration mode
Expl
nction of port loopback detection is disabled by default and should only be enabled if required.

Chapter 10 ULDP Function Configuration
10.1 Introduction to ULDP Function
A unidirectional link is a common error state of a link in networks, especially in fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former. Since the physical layer of the link is connected and works normally as far as the physical-layer checking mechanism can tell, the communication problem between the devices cannot be found. As shown in the figures, a problem in a fiber connection cannot be found through physical-layer mechanisms like auto-negotiation.

Figure 10-1 Fiber Cross Connection (Switch A, Switch B)
Figure 10-2 One End of Each Fiber Not Connected (Switch A, Switch B, Switch C)

This kind of problem often appears in the following situations: the GBIC (Gigabit Interface Converter) or the interfaces have problems; software problems; hardware becomes unavailable or operates abnormally. A unidirectional link will cause a series of problems such as spanning-tree topology loops and broadcast black holes. ULDP (Unidirectional Link Detection Protocol) can help avoid the disasters that could happen in the situations mentioned above. In a switch connected via fibers or copper Ethernet lines (like ultra
nection is protected from being intercepted and decrypted. The switch meets the requirements of SSH 2.0. It supports SSH 2.0 client software such as SSH Secure Client and PuTTY; users can run the above software to manage the switch remotely. The switch presently supports RSA authentication, the 3DES cipher and SSH user password authentication, among others. Treat 3DES as a legacy cipher: it is disabled by default in current SSH clients, and the session protects against interception only if the client also verifies the switch's host key fingerprint on first connection instead of accepting whatever key is offered.

4.2.2.2 SSH Server Configuration Task List
Global Mode:
  ssh-server enable
  no ssh-server enable
    Enable the SSH function on the switch; the no command disables the SSH function.
  username <username> privilege <privilege> password {0 | 7} <password>
  no username <username>
    Configure the username and password used by the SSH client software for logging on to the switch; the no command deletes the username.
  ssh-server timeout <timeout>
  no ssh-server timeout
    Configure the timeout value for SSH authentication; the no command restores the default timeout value for SSH authentication.
  ssh-server authentication-retries <authentication-retries>
  no ssh-server authentication-retries
    Configure the number of times SSH authentication may be retried; the no command restores the default number of retries.
  ssh-server host-key create rsa modulus <modulus>
    Generate a new RSA host key on the SSH server (choose a modulus of at least 2048 bits).
  terminal monitor
  terminal no monitor
    Display SSH debug information on the SSH client side; the no command stops the display.
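Whether an SSH session really is protected from interception depends on the client checking the host key the switch generated with ssh-server host-key create. The following is an added example (not code from the switch or its vendor) that decodes an OpenSSH-format ssh-rsa public key line, reports the modulus size, computes the SHA256 and MD5 fingerprints that clients display, and accepts the key only if it matches a fingerprint recorded out of band (for example, read over the console cable). The key it parses is constructed from a made-up modulus, not a real host key.

```python
"""ssh-rsa public key parsing and fingerprinting (added example, not vendor code).
DEMO_N is a constructed 2048-bit number standing in for a real modulus."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian two's complement, so a 0x00 byte is prepended
    when the top bit of the magnitude is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int) -> bytes:
    """Build the blob that follows 'ssh-rsa' in a known_hosts line."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def make_key_line(e: int, n: int, comment: str = "") -> str:
    line = "ssh-rsa " + base64.b64encode(encode_ssh_rsa(e, n)).decode()
    return line + (" " + comment if comment else "")


def _read_string(blob: bytes, pos: int):
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated string")
    return blob[pos:pos + length], pos + length


def parse_ssh_public_key(line: str) -> dict:
    """Decode 'ssh-rsa <base64> [comment]' into exponent, modulus, size and fingerprints."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    blob = base64.b64decode(parts[1])
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match key type")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after modulus")
    n = int.from_bytes(n_bytes, "big")
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {"type": "ssh-rsa", "e": int.from_bytes(e_bytes, "big"), "n": n,
            "bits": n.bit_length(), "sha256": "SHA256:" + sha, "md5": "MD5:" + md5}


def host_key_acceptable(info: dict, expected_sha256: str, min_bits: int = 2048) -> bool:
    """Accept the host key only if it matches the fingerprint recorded out of band
    and the modulus meets the minimum size."""
    return info["sha256"] == expected_sha256 and info["bits"] >= min_bits


# Constructed demonstration key: an arbitrary 2048-bit odd number, not a real RSA modulus.
DEMO_E = 65537
DEMO_N = (1 << 2047) + 12345
DEMO_LINE = make_key_line(DEMO_E, DEMO_N, "switch-host-key")

if __name__ == "__main__":
    info = parse_ssh_public_key(DEMO_LINE)
    print(info["bits"], info["sha256"], info["md5"])
```

The SHA256 value is what a current OpenSSH client prints in its "host key fingerprint" prompt; comparing it against the value obtained over the console is the check that defeats a man-in-the-middle on the first connection.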
ned logically. Each broadcast domain is a VLAN. VLANs have the same properties as physical LANs except that a VLAN is a logical partition rather than a physical one. Therefore the partition of VLANs can be performed regardless of physical location, and the broadcast, multicast and unicast traffic within a VLAN is separated from the other VLANs.

With the aforementioned features, VLAN technology provides the following benefits:
- Improving network performance
- Saving network resources
- Simplifying network management
- Lowering network cost
- Enhancing network security

Switch Ethernet ports can work in three kinds of modes: Access, Hybrid and Trunk. Each mode has a different method of processing tagged and untagged packets when forwarding. Ports of the Access type belong to only one VLAN; usually they are used to connect the ports of computers. Ports of the Trunk type allow multiple VLANs to pass and can receive and send the packets of multiple VLANs; usually they are used to connect switches to each other. Ports of the Hybrid type also allow multiple VLANs to pass and can receive and send the packets of multiple VLANs; they can be used to connect switches to each other or to a user's computer. Hybrid ports and Trunk ports receive data with the same processing method but send data with different methods: Hybrid ports can send the packets of multiple VLANs without the VLAN tag, while Trunk ports send the packets of multi
Chapter 1 Introduction
PLANET WGSW-52040 is a 48-Port 10/100/1000Base-T + 4-Port 1000X SFP Managed Gigabit Switch. It boasts a high-performance switch architecture that is capable of providing a non-blocking switch fabric and wire-speed throughput as high as 104Gbps. The term "Managed Switch" means the switches mentioned in this User's Manual.

1.1 Package Contents
Open the box of the Managed Switch and carefully unpack it. The box should contain the following items:
- WGSW-52040 Switch x1
- User's Manual x1
- Quick Installation Guide x1
- Power Cord x1
- RJ-45 to DB9 Console Cable x1
- SFP Dust Caps x4
- Rubber Feet x4
- Two Rack-mounting Brackets with Attachment Screws x1
If any of these are missing or damaged, please contact your dealer immediately. If possible, retain the carton including the original packing material and use it again to repack the product in case there is a need to return it to us for repair.

1.2 Product Description
Cost-effective, High-density IPv4/IPv6 Managed Telecom-class Gigabit Solution for Enterprise Backbone and Data Center Networking
PLANET WGSW-52040 is a Layer 2 managed Gigabit Switch that provides high-density performance and supports static Layer 3 routing. With a 104Gbps switching fabric, the WGSW-52040 can handle extremely large amounts of data in a secure topology linking to an enterprise backbone or high-capacity servers. The powerful WRR and Network Securi
46.3 TACACS+ Scenarios Typical Examples ... 46-172
46.4 TACACS+ Troubleshooting ... 46-173
Chapter 47 RADIUS Configuration ... 47-174
47.1 Introduction to RADIUS ... 47-174
47.1.1 AAA and RADIUS Introduction ... 47-174
47.1.2 Message structure for RADIUS ... 47-174
47.2 RADIUS Configuration Task List ... 47-176
47.3 RADIUS Typical Examples ... 47-178
47.3.1 IPv4 Radius Example ... 47-178
47.3.2 IPv6 Radius Example ... 47-179
47.4 RADIUS Troubleshooting ... 47-180
Chapter 48 SSL Configuration ... 48-181
48.1 Introduction to SSL ... 48-181
48.1.1 Basic Element of SSL ... 48-182
48.2 SSL Configuration Task List ... 48-183
48.3 SSL Typical Example ... 48-184
48.4 SSL Troubleshooting ... 48-185
Chapter 49 IPv6 Security RA Configuration ... 49-186
49.1 Introduction to IPv6 Security RA ... 49-186
49.2 IPv6 Security RA
Switch(config)# vlan 5
Switch(Config-Vlan5)# remote-span
Switch(Config-Vlan5)# exit
Switch(config)# interface ethernet 1/2
Switch(Config-If-Ethernet1/2)# switchport mode trunk
Switch(Config-If-Ethernet1/2)# exit
Switch(config)# interface ethernet 1/3
Switch(Config-If-Ethernet1/3)# switchport mode trunk
Switch(Config-If-Ethernet1/3)# exit
Switch(config)# monitor session 1 source interface ethernet1/1 rx
Switch(config)# monitor session 1 reflector-port ethernet1/3
Switch(config)# monitor session 1 remote vlan 5

Intermediate switch:
Interface ethernet1/6 is the source port, which is connected to the source switch; interface ethernet1/7 is the destination port, which is connected to the destination switch. The native VLAN of the port should not be configured as the RSPAN VLAN, or the mirrored data may not be carried to the destination switch. The RSPAN VLAN is 5. Because every device that carries the RSPAN VLAN can read the mirrored traffic, allow VLAN 5 only on the trunks between the source, intermediate and destination switches.
Switch(config)# vlan 5
Switch(Config-Vlan5)# remote-span
Switch(Config-Vlan5)# exit
Switch(config)# interface ethernet 1/6-7
Switch(Config-If-Port-Range)# switchport mode trunk
Switch(Config-If-Port-Range)# exit

Destination switch:
Interface ethernet1/9 is the source port, which is connected to the source switch; interface ethernet1/10 is the destination port, which is connected to the monitor. This port is required to be configured as an access port belonging to the RSPAN VLAN. The RSPAN VLAN is 5.
Switch(config)# vlan 5
Switch(Config-Vlan5)# remote-span
Switch(Con
nformation option subscriber-id {standard | <circuit-id>}
  no ip dhcp snooping information option subscriber-id
    Port mode. Set the sub-option 1 (circuit ID) content of option 82 added to DHCP request packets received by the port. The no command sets the format of the added sub-option 1 (circuit ID) of option 82 back to standard.

Global mode:
  ip dhcp snooping information option allow-untrusted replace
  no ip dhcp snooping information option allow-untrusted replace
    Allow untrusted DHCP snooping ports to receive DHCP packets that carry option 82. When replace is set, the received option 82 is replaced. When this command is disabled, all untrusted ports drop DHCP packets that carry option 82.

36.3 DHCP Snooping Typical Application
Figure 36-1 Sketch Map of TRUNK (DHCP client with MAC AA and IP 1.1.1.5, DHCP server, gateway, attacker with MAC BB)

As shown in the figure, the device with MAC AA is a normal user connected to the untrusted port 1/1 of the switch; it obtains IP 1.1.1.5 through its DHCP client. The DHCP server and gateway are connected to the trusted ports 1/11 and 1/12 of the switch. The malicious user with MAC BB is connected to the untrusted port 1/10 and tries to impersonate a DHCP server by sending DHCPACK. Enabling DHCP snooping on the switch will effectively detect and block this kind of network attack: server-side messages are only accepted from trusted ports. The configuration sequence i
ng the Managed Switch without turning the power off and on.

2.1.2 LED Indications
The front panel LEDs indicate the instant status of port links, data activity, system operation, stack status and system power, and help with monitoring and troubleshooting when needed.

WGSW-52040 LED Indication
System LEDs:
  Power: lights to indicate that the switch has power; off when the power is off.
  System: lights to indicate that the system diagnosis is completed; blinks to indicate that boot is in progress.
10/100/1000Base-T interfaces:
  LNK/ACT: lights to indicate that the link through that port is successfully established; blinks to indicate that the switch is actively sending or receiving data over that port; off when no traffic goes through the port.
SFP interfaces:
  LNK/ACT: lights to indicate that the link through that port is successfully established; off when no traffic goes through the port.

2.1.3 Switch Rear Panel
The rear panel of the Managed Switch has an AC inlet power socket which accepts input power from 100 to 240V AC, 50/60Hz. Figure 2-3 shows the rear panel of this Managed Switch.

Figure 2-3 Rear panel of WGSW-52040

AC Power Receptacle
For compatibility with electric service in most areas of the world, the Managed Switch's power supply automatically adjusts to line power in the range of 100-240V AC and 50/60Hz. Plug the female end of the power cord firmly into the receptacle on the rear panel of the Manag
nge. When the switch receives a data frame waiting to be transmitted, it learns the source MAC address of the frame, builds a mapping between that address and the receiving port, and then looks up the destination MAC address in the MAC address table. If a matching entry is found, the switch transmits the frame via the corresponding port; otherwise it floods the frame over the VLAN it belongs to. If a dynamically learnt MAC address matches no transmitted data for a long time, the switch deletes it from the MAC address table. Usually the switch supports both static configuration and dynamic learning of MAC addresses, which means each port can have more than one statically set MAC address and dynamically learnt MAC address, and thus can implement the transmission of data traffic between the port and known MAC addresses. When a MAC address ages out, frames for it are handled by flooding.

No limit is placed on the number of MAC addresses per port on our current switches: every port can have several MAC addresses, either by configuration or by learning, until the hardware table entries are exhausted. To avoid too many MAC addresses on a port, we should limit the number of MAC addresses a port can have. For each INTERFACE VLAN there is no limit on the number of IP addresses; the upper limit of the number of IP addresses is the upper limit of the number of users on an interface, which is at the same time the upper limit of ARP and ND table entries. There is n
ngress access list used is 1; traffic statistics: Disable

41.4 ACL Troubleshooting
- Checking for entries in the ACL is done in top-down order and ends whenever an entry is matched.
- The default rule is used only if no ACL is bound to the incoming direction of the port or no ACL entry is matched.
- Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL, via the physical interface mode or the VLAN interface mode.
- When four ACLs are bound and a packet matches several ACLs at the same time, the priority relations are as follows, in top-down order (if the priority is the same, the ACL configured first has the higher priority):
  Ingress IPv6 ACL
  Ingress MAC-IP ACL
  Ingress IP ACL
  Ingress MAC ACL
- The number of ACLs that can be successfully bound depends on the content of the ACLs bound and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to the hardware resource limitation.
- If an access list contains the same filtering information but conflicting action rules, binding it to the port will fail with an error message. For instance, configuring permit tcp any any-destination and deny tcp any any-destination at the same time is not permitted.
- Viruses such as the Blaster worm can be blocked by configuring ACLs to block specific ICMP packets or specific TCP or UDP port packets.
- If the physical mode of an interface is TRUNK, ACLs can only be configured through physic
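The evaluation rules above (top-down first match, default rule when nothing is bound or nothing matches, the IPv6 > MAC-IP > IP > MAC priority between bound ACLs, and the refusal to bind an ACL whose rules carry the same filter with conflicting actions) are easy to get wrong when predicting what a bound ACL will do. The following is an added example, not the switch's implementation, that models those rules so a planned ACL can be checked against sample packets before it is applied; it also covers the numbered and name-based IPv6 lists from the task list earlier in this section. The rule fields, the packet representation and the sample rules and packets are constructed for the example.

```python
"""First-match ACL evaluation with the binding rules from the troubleshooting list.
Added example, not vendor code; rule/packet layout and samples are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Evaluation order when several ACL types are bound on one ingress port,
# highest priority first.
ACL_PRIORITY = ["ipv6", "mac-ip", "ip", "mac"]


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    src: str = "any"            # CIDR prefix (v4 or v6) or "any"
    dst: str = "any"
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            # an IPv4 address is never inside an IPv6 prefix and vice versa
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True

    def filter_key(self):
        """Everything except the action: same key + different action = conflict."""
        return (self.proto, self.src, self.dst, self.dport)


@dataclass
class Acl:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, pkt: dict) -> Optional[str]:
        """Top-down, first match wins; None when no rule matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return None


class IngressPort:
    """One ACL of each type may be bound; the default rule applies when
    nothing is bound or no entry matches."""

    def __init__(self, default_action: str = "permit"):
        self.default_action = default_action
        self.bound = {}

    def bind(self, acl_type: str, acl: Acl) -> None:
        if acl_type not in ACL_PRIORITY:
            raise ValueError(f"unknown ACL type {acl_type}")
        if acl_type in self.bound:
            raise ValueError(f"an {acl_type} ACL is already bound")
        seen = {}
        for rule in acl.rules:
            key = rule.filter_key()
            if seen.get(key, rule.action) != rule.action:
                raise ValueError(f"binding {acl.name} failed: conflicting actions for {key}")
            seen.setdefault(key, rule.action)
        self.bound[acl_type] = acl

    def decide(self, pkt: dict) -> str:
        for acl_type in ACL_PRIORITY:
            acl = self.bound.get(acl_type)
            if acl is not None:
                verdict = acl.evaluate(pkt)
                if verdict is not None:
                    return verdict
        return self.default_action


def build_demo_port() -> IngressPort:
    """Constructed example: block the TCP/UDP ports the Blaster worm used
    (TCP 135, TFTP on UDP 69), permit the rest; the IPv6 list admits only
    the management prefix used elsewhere in this manual."""
    port = IngressPort()
    port.bind("ip", Acl("block-worm", [
        Rule("deny", "tcp", dport=135),
        Rule("deny", "udp", dport=69),
        Rule("permit"),
    ]))
    port.bind("ipv6", Acl("v6-mgmt", [
        Rule("permit", src="2004:1:2:3::/64"),
        Rule("deny", src="::/0"),
    ]))
    return port
```

Note the priority effect: an IPv6 packet from the management prefix to TCP port 135 is permitted, because the IPv6 ACL matches first and evaluation stops there, while the same IPv4 packet is denied by the IP ACL.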
nly critical, alerts and emergencies will be output. The following table summarizes the log information severity levels with a brief description. Note that these severity levels are in accordance with the standard UNIX/LINUX syslog.

Table 66-1 Severity of the log information
  Severity        Value  Description
  emergencies     0      System is unusable
  alerts          1      Action must be taken immediately
  critical        2      Critical conditions
  errors          3      Error conditions
  warnings        4      Warning conditions
  notifications   5      Normal but significant condition
  informational   6      Informational messages
  debugging       7      Debug-level messages

Right now the switch can generate information of the following four levels:
- Restart of the switch and abnormal mission are classified critical.
- Up/down of an interface, topology change and aggregate-port state change of the interface are notifications (warnings).
- Information output by CLI commands is classified informational.
- Information from the debugging of CLI commands is classified debugging.

Log information can be automatically sent to the corresponding channels according to its severity level. Among these, debugging information can only be sent to the monitor. Information with the informational level can only be sent to the current monitor terminal; for example, the information from a Telnet terminal's configuration command can only be transmitted to that Telnet terminal. Warnings information can be sent to all terminals and is also saved in the SDRAM log buffer. And the critical information can be
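The severity numbers in Table 66-1 are the same ones carried in the <PRI> header of a syslog message (PRI = facility * 8 + severity). The following is an added example, not the switch's code, that decodes the PRI of received syslog lines and applies the per-severity routing rules the text states: debugging and informational go only to the current monitor, warnings go to every terminal and to the SDRAM log buffer, and a channel threshold such as "only critical and above" drops everything less severe. The rows for notifications, errors and for critical and above are assumptions (the page's text for critical is incomplete), and the sample messages are constructed.

```python
"""Syslog PRI decoding and per-severity routing (added example, not vendor code).
ROUTING rows marked 'assumed' are not stated by the manual; SAMPLE_LINES are constructed."""
import re

SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Destinations: "monitor" = the terminal the command was typed on,
# "terminals" = every logged-in terminal, "buffer" = the SDRAM log buffer.
ROUTING = {
    "debugging": {"monitor"},
    "informational": {"monitor"},
    "notifications": {"terminals", "buffer"},   # assumed: treated like warnings
    "warnings": {"terminals", "buffer"},
    "errors": {"terminals", "buffer"},          # assumed
    "critical": {"terminals", "buffer"},        # assumed
    "alerts": {"terminals", "buffer"},          # assumed
    "emergencies": {"terminals", "buffer"},     # assumed
}


def decode_pri(line: str) -> dict:
    """Split the <PRI> header of a BSD-style syslog line into facility and severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": pri % 8,
            "name": SEVERITIES[pri % 8], "msg": m.group(2).strip()}


def route(line: str, min_level: int = 7) -> dict:
    """Return the decoded message plus where it goes. min_level is the channel
    threshold: 2 means only critical, alerts and emergencies are output."""
    info = decode_pri(line)
    if info["severity"] > min_level:
        info["destinations"] = set()
    else:
        info["destinations"] = set(ROUTING[info["name"]])
    return info


def classify_all(lines) -> list:
    return [decode_pri(line)["name"] for line in lines]


# Constructed samples using facility local7 (23): PRI = 184 + severity.
SAMPLE_LINES = [
    "<190>Jan  1 00:00:01 Switch %CLI: user admin entered configure mode",
    "<189>Jan  1 00:00:02 Switch %LINK: Interface Ethernet1/2 changed state to down",
    "<188>Jan  1 00:00:03 Switch %LOGIN: authentication failed for user admin from 192.168.1.66",
    "<186>Jan  1 00:00:04 Switch %SYSTEM: switch restarting, mission abnormal",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = route(line)
        print(r["name"], sorted(r["destinations"]), r["msg"])
```

A collector that receives the switch's syslog should apply the same decoding: a failed login at severity 4 must not be filtered out by a channel configured at threshold 2, which is why the threshold of the channel feeding the SIEM deserves checking alongside the severities listed above.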
nooping is configured on the VLAN under global mode using ipv6 mld snooping vlan <vlan-id>.
- Ensure there is a VLAN configured as a Layer 2 general querier, or there is a static mrouter configured in the segment.
- Use the command to check whether the MLD snooping information is correct.

Chapter 40 Multicast VLAN
40.1 Introduction to Multicast VLAN
With the current multicast ordering method, when users in different VLANs order the same stream, each VLAN carries its own copy of the multicast traffic, which is a great waste of bandwidth. By configuring a multicast VLAN, we add the switch port to the multicast VLAN with the IGMP Snooping/MLD Snooping functions enabled, so that users from different VLANs share the same multicast VLAN. The multicast traffic only exists within the multicast VLAN, so bandwidth is saved. As the multicast VLAN is completely separated from the user VLANs, security and bandwidth concerns can be addressed at the same time. After the multicast VLAN is configured, the multicast traffic is continuously sent to the users.

40.2 Multicast VLAN Configuration Task List
1. Enable the multicast VLAN function
2. Configure IGMP Snooping
3. Configure MLD Snooping

1. Enable the multicast VLAN function
VLAN configuration mode:
  multicast-vlan
  no multicast-vlan
    Configure a VLAN and enable the multicast VLAN function on it. The no multicast-vlan command disables the multicast function on the VLAN.
  Associate a m
not to receive any packet (untagged, or tagged and untagged). The no command cancels the restriction, meaning the port is allowed to receive any packet (tagged or untagged).
  no switchport discard packet {all | untag}

Global Mode:
  port-rate-statistics interval <interval-value>
    Configure the interval of port rate statistics.

3. Virtual cable test
Admin Mode:
  virtual-cable-test interface ethernet <interface-list>
    Test the virtual cables of the port.

7.3 Port Configuration Example
Figure 7-1 Port Configuration Example (Switch1 ports 1/7 and 1/9, Switch2 ports 1/8, 1/9 and 1/10, Switch3 port 1/12)

No VLAN has been configured in the switches; the default VLAN1 is used.
  Switch   Port   Property
  Switch1  1/7    bandwidth limited to 50000 kbps on receive
  Switch2  1/9    100Mbps full
  Switch2  1/10   1000Mbps full, mirror destination port
  Switch3  1/12   100Mbps full

The configurations are listed below:
Switch1
Switch1(config)# interface ethernet 1/7
Switch1(Config-If-Ethernet1/7)# bandwidth control 50000 receive

Switch2
Switch2(config)# interface ethernet 1/9
Switch2(Config-If-Ethernet1/9)# speed-duplex force100-full
Switch2(Config-If-Ethernet1/9)# exit
Switch2(config)# interface ethernet 1/10
Switch2(Config-If-Ethernet1/10)# speed-duplex force1g-full
Switch2(Config-If-Ethernet1/10)# exit
Switch2(config)# monitor session 1 source interface ethernet 1/8-9
Switch2(config)# monitor session 1 destination interface ethernet 1/10

Switch3
Switch
nother is the secondary port. The role of a port is determined by user configuration.

Primary port and secondary port of the primary node: the primary port of the primary node is used to send the ring health examination packet (Hello); the secondary port is used to receive the Hello packets sent by the primary node. When the ring is in the healthy state, the secondary port of the primary node logically blocks all other data and only MRPP packets can pass. When the ring is in the broken state, the secondary port of the primary node releases the blocked state and forwards data packets.

There is no functional difference between the primary port and the secondary port of a transfer node. The role of a port is determined by user configuration. As shown in Figure 55-1, on Switch A, E1 is the primary port and E2 is the secondary port.

5. Timers
Two timers are used when the primary node sends and receives MRPP protocol packets: the Hello timer and the Fail timer. The Hello timer defines the interval at which the primary port of the primary node sends health examination packets. The Fail timer defines the timeout interval within which the primary node must receive the health examination packet. The value of the Fail timer must be greater than or equal to 3 times the value of the Hello timer.

55.1.2 MRPP Protocol Packet Types
  Packet Type                        Explanation
  Hello packet (Health examination)  The primary port of the primary node sends it to detect the ring; if the secondary port of the primary node receives the Hello packet within the configured timeout, the r
nt. When the switch is used as the Telnet server, the user can use the Telnet client program included in Windows or other operating systems to log in to the switch, as described earlier in the In-band management section. As a Telnet server the switch allows up to 5 Telnet client TCP connections. As a Telnet client, the telnet command under Admin Mode allows the user to log in to other remote hosts; the switch can only establish a TCP connection to one remote host at a time. If a connection to another remote host is desired, the current TCP connection must be dropped. Telnet carries the username, password and every command in cleartext, so it should only be enabled on management networks where that is acceptable; SSH provides the same access with an encrypted session.

4.2.1.2 Telnet Configuration Task List
1. Configure the Telnet server
2. Telnet to a remote host from the switch

1. Configure the Telnet server
Global Mode:
  telnet-server enable
  no telnet-server enable
    Enable the Telnet server function in the switch; the no command disables the Telnet function.
  username <user-name> privilege <privilege> password {0 | 7} <password>
  no username <username>
    Configure the user name and password for Telnet; the no form of the command deletes the Telnet user authorization.
  aaa-authorization config-commands
  no aaa-authorization config-commands
    Enable the command authorization function for users logging in on a VTY (Telnet and SSH); the no command disables this function. Only after this command is enabled and the command authorization manner is configured will authorization be requested when executing some commands.
  Configure the secure IP
nt connection, notifies the server to establish a passive connection. The server then creates its own data listening port and informs the client about the port, and the client establishes the data connection to the specified port. As the data connection is established through the specified address and port, there is a third party to provide the data connection service.

TFTP builds upon UDP, providing an unreliable data stream transfer service with no user authentication or permission-based file access authorization. It ensures correct data transmission by a send-and-acknowledge mechanism and retransmission of timed-out packets. The advantage of TFTP over FTP is that it is a simple, low-overhead file transfer service. Because neither the client nor the server is authenticated, a TFTP server used for switch images or configurations should only be reachable from the management network and only for the duration of the transfer.

The switch can operate as either an FTP/TFTP client or server. When the switch operates as an FTP/TFTP client, configuration files or system files can be downloaded from remote FTP/TFTP servers (which can be hosts or other switches) without affecting its normal operation, and a file list can also be retrieved from the server in FTP client mode. Of course, the switch can also upload its current configuration files or system files to remote FTP/TFTP servers (hosts or other switches). When the switch operates as an FTP/TFTP server, it can provide file upload and download service for authorized FTP/TFTP clients, as well as file list service as an FTP server.

Here are some terms frequently used in FTP/TFTP:
ROM: Short for EPROM, erasable programmable read-only memory. EPROM is repa
ntication server via Ethernet1/2. The IP address of the server is 2004:1:2:3::3; the authentication port defaults to 1812 and the accounting port defaults to 1813. The configuration steps are as below (the shared key "test" is only an example; use a long random secret in production, since it is the only thing that protects the RADIUS exchange):

Switch(config)# interface vlan 1
Switch(Config-if-Vlan1)# ipv6 address 2004:1:2:3::2/64
Switch(Config-if-Vlan1)# exit
Switch(config)# radius-server authentication host 2004:1:2:3::3
Switch(config)# radius-server accounting host 2004:1:2:3::3
Switch(config)# radius-server key test
Switch(config)# aaa enable
Switch(config)# aaa-accounting enable

47.4 RADIUS Troubleshooting
When configuring and using RADIUS, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, make sure the physical connection to the RADIUS server is in good condition.
- Second, make sure all interfaces and link protocols are in the UP state (use the show interface command).
- Then make sure the RADIUS key configured on the switch is the same as the one configured on the RADIUS server.
- Finally, make sure the switch connects to the correct RADIUS server.
If the RADIUS authentication problem remains unsolved, please use debug aaa and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.

Chapter 48 SSL Configuration
48.1 Introduction to SSL
As computer networking technology spreads, th
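The troubleshooting step "make sure the RADIUS key on the switch matches the one on the server" is worth understanding mechanically: the shared secret hides the User-Password attribute in the Access-Request and authenticates the server's reply (RFC 2865). The following is an added example, not the switch's or any RADIUS server's code, that implements both computations and shows what a key mismatch looks like from each side: the server recovers garbage instead of the password and answers Access-Reject, and the switch cannot validate the Response Authenticator, exactly as it would fail for a forged reply. The packet contents are constructed.

```python
"""RADIUS shared-secret mechanics from RFC 2865 (added example, not vendor code).
The Access-Request/Access-Accept round trip below is constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side: same keystream, XOR back, strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length covers the two header bytes."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack(">BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS (the switch) must do with the server's reply: recompute the
    authenticator with its own key. A key mismatch is indistinguishable from a
    forged or tampered reply, so the reply is discarded either way."""
    if len(packet) < 20:
        return False
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    (length,) = struct.unpack(">H", head[2:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(secret_switch: bytes, secret_server: bytes, password: bytes = b"pa55word") -> dict:
    """Constructed round trip between a switch and a server that may hold different keys."""
    request_auth = os.urandom(16)                      # fresh per request, as RFC 2865 requires
    hidden = hide_password(password, secret_switch, request_auth)
    server_sees = reveal_password(hidden, secret_server, request_auth)
    code = ACCESS_ACCEPT if server_sees == password else ACCESS_REJECT
    reply = build_response(code, 7, request_auth, attribute(ATTR_REPLY_MESSAGE, b"ok"), secret_server)
    return {"server_password": server_sees, "code": code,
            "authenticator_valid": verify_response(reply, request_auth, secret_switch)}


if __name__ == "__main__":
    print(exchange(b"test", b"test"))
    print(exchange(b"test", b"wrong"))
```

Because the hiding is MD5-based XOR keyed only by the shared secret, anyone who can sniff the switch-to-server path and knows or guesses a short secret recovers user passwords; that is the reason for the long random secret recommended above.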
o relative configuration command can be used to control the number of these table entries that are sent.

To enhance the security and controllability of our products, we need to control the number of MAC addresses on each port and the number of ARP/ND entries on each INTERFACE VLAN. The number of static or dynamic MAC addresses on a port should not exceed the configured value, and the number of users on each VLAN should not exceed the configured value either. Limiting the number of MAC and ARP table entries can prevent DoS attacks to a certain extent: when malicious users frequently spoof MAC or ARP entries, it is easy for them to fill the MAC and ARP tables of the switch, which makes the DoS attack succeed (once the MAC table is full, traffic to hosts that can no longer be learnt is flooded to every port in the VLAN, including the attacker's). To sum up, it is very meaningful to provide the number limitation function for MAC and IP entries on ports and VLANs.

The switch can control the number of MAC addresses on ports and the number of ARP/ND entries on ports and VLANs through configuration commands.

Limiting the number of dynamic MAC and IP entries on ports
1. Limiting the number of dynamic MAC addresses. If the number of MAC addresses the switch has dynamically learnt on the port is already larger than or equal to the configured maximum number of dynamic MAC addresses, MAC learning is shut down on this port; otherwise the port can continue learning.
2. Limiting the number of dynamic IP entries. If the number of ARP and ND entries the switch has dynamically learnt is already larger than or equal to the configured maximum number of dynamic ARP and ND entries, ARP and
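The MAC learning behaviour described here and in the MAC address table introduction earlier in this section (learn the source address, forward on a hit, flood on a miss, stop learning on a port once its dynamic count reaches the configured maximum) is what decides whether a MAC flooding attempt succeeds. The following is an added example, not the switch's code, that models a hardware table with a per-port dynamic limit and runs a constructed flooding attempt through it with and without the limit: with the limit, the attacker's port stops learning and the victim on another port is still learnt and forwarded normally; without it, the attacker exhausts the table and the victim's unicast traffic is flooded. Table sizes, port names and MAC addresses are constructed.

```python
"""Per-port dynamic MAC learning limit (added example, not vendor code).
Hardware capacity, limits, port names and frames are constructed."""


class MacTable:
    def __init__(self, hw_entries: int):
        self.hw_entries = hw_entries      # capacity shared by all ports
        self.entries = {}                # mac -> (port, is_static)
        self.max_dynamic = {}            # port -> configured limit
        self.learning_off = set()        # ports whose learning was shut down
        self.dropped_learns = 0          # learn attempts refused because the table was full

    def set_limit(self, port: str, n: int) -> None:
        self.max_dynamic[port] = n

    def add_static(self, mac: str, port: str) -> None:
        if len(self.entries) >= self.hw_entries and mac not in self.entries:
            raise RuntimeError("hardware table exhausted")
        self.entries[mac] = (port, True)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for p, static in self.entries.values() if p == port and not static)

    def learn(self, port: str, src_mac: str) -> bool:
        """Learn src_mac on port from a received frame. True if a new entry was created."""
        if src_mac in self.entries or port in self.learning_off:
            return False
        limit = self.max_dynamic.get(port)
        if limit is not None and self.dynamic_count(port) >= limit:
            self.learning_off.add(port)  # the rule from the text: at the limit, stop learning
            return False
        if len(self.entries) >= self.hw_entries:
            self.dropped_learns += 1
            return False
        self.entries[src_mac] = (port, False)
        return True

    def lookup(self, dst_mac: str):
        """Egress port for dst_mac, or None when the frame must be flooded in the VLAN."""
        entry = self.entries.get(dst_mac)
        return entry[0] if entry else None


def fake_mac(i: int) -> str:
    """Locally administered, constructed source addresses for the flooding attempt."""
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def simulate(limit, hw_entries: int = 64, attacker_frames: int = 200) -> dict:
    """Attacker on ethernet1/10 sends frames with random sources, then a victim
    host on ethernet1/1 sends one frame. Returns what happened to both."""
    table = MacTable(hw_entries)
    if limit is not None:
        table.set_limit("ethernet1/10", limit)
    for i in range(attacker_frames):
        table.learn("ethernet1/10", fake_mac(i))
    victim = "00:11:22:33:44:55"
    victim_learned = table.learn("ethernet1/1", victim)
    return {
        "attacker_entries": table.dynamic_count("ethernet1/10"),
        "learning_off": "ethernet1/10" in table.learning_off,
        "victim_learned": victim_learned,
        "victim_unicast_flooded": table.lookup(victim) is None,
    }


if __name__ == "__main__":
    print("with limit 8:", simulate(limit=8))
    print("without limit:", simulate(limit=None))
```

The flooded case is the one that matters for confidentiality: once the victim's address cannot be learnt, every frame addressed to it is delivered to all ports of the VLAN, which is what the attacker was waiting for.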
ode prompt Switch(Config-<name>-dhcp)#. DHCP address pool properties can be configured under DHCP Address Pool Mode. Run the exit command to exit the DHCP Address Pool Mode to Global Mode.

ACL Mode
  Mode                   How to enter                                           Operation                                   How to exit
  Standard IP ACL Mode   Type ip access-list standard under Global Mode         Configure parameters for Standard IP ACL    Use the exit command to return to Global Mode
  Extended IP ACL Mode   Type ip access-list extended under Global Mode         Configure parameters for Extended IP ACL    Use the exit command to return to Global Mode

3.2.2 Configuration Syntax
The switch provides various configuration commands. Although all the commands are different, they all abide by the syntax for switch configuration commands. The general command format of the switch is shown below:

  cmdtxt <variable> {enum1 | ... | enumN} [option1 | ... | optionN]

Conventions: cmdtxt in bold font indicates a command keyword; <variable> indicates a variable parameter; {enum1 | ... | enumN} indicates a mandatory parameter that should be selected from the parameter set enum1 to enumN; and the square brackets in [option1 | ... | optionN] indicate an optional parameter. There may be combinations of <>, {} and [] in the command line, such as [<variable>], {enum1 <variable> | enum2}, [option1 [option2]], etc.

Here are examples of some actual configuration commands:
  show v
of Tx Fault and Rx LOS is important for analyzing the fault.

3. Compatibility verification
Compatibility verification is used to analyze whether the environment of the module accords with the data sheet or is compatible with the corresponding standard, because the module's capability can only be ensured in a compatible environment. Sometimes environment parameters exceed the data sheet or the corresponding standard; this degrades the module's capability and results in transmission errors. Environments that are not compatible with the module are as below:
1. The voltage exceeds the set range.
2. The Rx power is overloaded or is under the sensitivity of the transceiver.
3. The temperature exceeds the operating temperature range.

16.1.2 DDM Function
DDM descriptions are shown in the following:
1. Show the monitoring information of the transceiver. The administrator is able to know the current working state of the transceiver and find potential problems by checking the real-time parameters (TX power, RX power, temperature, voltage, bias current) and by querying the monitoring information, such as warning/alarm real-time state and thresholds. Besides, checking the fault information of the fiber module helps the administrator locate a link fault quickly and shortens the recovery time.
2. Thresholds defined by the user. For the real-time parameters TX power, RX power, temperature, voltage and bias current there are fixed thr
old-high (optional)
  ethernet-oam errored-frame-period threshold high {<high-frames> | none}
  no ethernet-oam errored-frame-period threshold high
    Configure the high threshold of the errored frame period event; the no command restores the default value. (optional)
  ethernet-oam errored-frame threshold high {<high-frames> | none}
  no ethernet-oam errored-frame threshold high
    Configure the high threshold of the errored frame event; the no command restores the default value. (optional)
  ethernet-oam errored-frame-seconds threshold high {<high-frame-seconds> | none}
  no ethernet-oam errored-frame-seconds threshold high
    Configure the high threshold of the errored frame seconds event; the no command restores the default value. (optional)

14.3 EFM OAM Example
Example: CE and PE devices with a point-to-point link enable EFM OAM to monitor the first-mile link performance. It reports the log information to the network management system when a fault event occurs, and uses the remote loopback function to detect the link when necessary.

Figure 14-3 Typical OAM application topology (CE and PE connected over Ethernet, exchanging 802.3ah OAMPDUs)

Configuration procedure (omitting the SNMP and Log configuration in the following):
Configuration on CE:
CE(config)# interface ethernet1/1
CE(config-if-ethernet1/1)# ethernet-oam mode passive
CE(config-if-ethernet1/1)# ethernet-oam
CE(config-if-ethernet1/1)# ethernet-oam remote-loopback supported
Other parameters use the default conf
ommand settings, console cable connection.

Figure 4-2 Typical topology for switch upgrade in BootROM mode

The upgrade procedure is listed below:
Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect the PC to the management port on the switch. The PC should have FTP/TFTP server software installed and have the image file required for the upgrade.
Step 2: Press ctrl+b on switch boot-up until the switch enters BootROM monitor mode. The operation result is shown below:
  [Boot]:
Step 3: Under BootROM mode, run setconfig to set the IP address and mask of the switch under BootROM mode, the server IP address and mask, and select TFTP or FTP upgrade. Suppose the switch address is 192.168.1.2 and the PC address is 192.168.1.66, and TFTP upgrade is selected; the configuration should look like:
  [Boot]: setconfig
  Host IP Address: [10.1.1.1] 192.168.1.2
  Server IP Address: [10.1.1.2] 192.168.1.66
  FTP(1) or TFTP(2): [1] 2
  Network interface configure OK.
  [Boot]:
Step 4: Enable the FTP/TFTP server on the PC. For TFTP, run the TFTP server program; for FTP, run the FTP server program. Before starting to download the upgrade file to the switch, verify the connectivity between the server and the switch by pinging from the server. If ping succeeds, run the load command in BootROM mode on the switch; if it fails, perform troubleshooting to find the cause. Since TFTP and FTP as used here carry no integrity protection of their own, confirm the image file's checksum against the value published with the release before loading it. The following
Global mode:
  ip dhcp snooping information option delimiter [colon | dot | slash | space]
  no ip dhcp snooping information option delimiter
    Set the delimiter between the parameters of an option 82 suboption; the no command restores the delimiter to slash.
  ip dhcp snooping information option self-defined remote-id {hostname | mac | string WORD}
  no ip dhcp snooping information option self-defined remote-id
    Set the creation method for option 82: the user defines the parameters of the remote-id suboption.
  ip dhcp snooping information option self-defined remote-id format [ascii | hex]
    Set the self-defined format of the remote-id for snooping option 82.
  ip dhcp snooping information option self-defined subscriber-id {vlan | port | id (switch-id | mac | hostname | remote-mac) | string WORD}
  no ip dhcp snooping information option type self-defined subscriber-id
    Set the creation method for option 82: the user defines the parameters of the circuit-id suboption.
  ip dhcp snooping information option self-defined subscriber-id format [ascii | hex]
    Set the self-defined format of the circuit-id for snooping option 82.
Port mode:
    This command sets the subscriber-id format of DHCP snooping option 82: the content of the suboption 2 (remote-id) that is added to option 82 of DHCP request packets received on the port. The no command restores the standard format of the suboption 2 (remote-id) added to option 82.
ip dhcp snooping i
information to the DHCP client.
33.2 DHCP Option 82 Configuration Task List
1. Enable the DHCP option 82 of the Relay Agent
2. Configure the DHCP option 82 attributes of the interface
3. Enable the DHCP option 82 of the server
4. Configure the DHCP option 82 default format of the Relay Agent
5. Configure the delimiter
6. Configure the creation method of option 82
7. Diagnose and maintain DHCP option 82
1. Enable the DHCP option 82 of the Relay Agent
  Global mode:
  ip dhcp relay information option
  no ip dhcp relay information option
    Enable the option 82 function of the switch Relay Agent; the no command disables it.
2. Configure the DHCP option 82 attributes of the interface
  Interface configuration mode:
  ip dhcp relay information policy {drop | keep | replace}
  no ip dhcp relay information policy
    Set the retransmitting policy of the system for received DHCP request messages that contain option 82. The drop mode means that if the message has option 82 the system drops it
  ip dhcp relay information option subscriber-id {standard | <circuit-id>}
  no ip dhcp relay information option subscriber-id
  Global Mode:
  ip dhcp relay information option remote-id {standard | <remote-id>}
  no ip dhcp relay information option remote-id
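The option 82 encoding behind the snooping and relay commands above (suboption 1 circuit-id, suboption 2 remote-id, a configurable delimiter) and the relay's drop/keep/replace policy, as an added Python example that is not the switch's own code. The VLAN, port name, switch-id, remote-id and the client request are constructed; the page only spells out the drop policy, so keep (forward an existing option 82 untouched) and replace (overwrite it with this relay's own) are assumed to have their usual meaning.

```python
"""DHCP option 82 (Relay Agent Information, RFC 3046) encoder/parser and the
relay's drop/keep/replace policy. Added example, not the switch's own code;
VLAN, port, switch-id, remote-id and the request options are constructed."""
from __future__ import annotations

OPTION_RELAY_AGENT = 82   # DHCP option code
OPTION_END = 255
OPTION_PAD = 0
SUB_CIRCUIT_ID = 1        # suboption 1: circuit-id (the page's "subscriber-id")
SUB_REMOTE_ID = 2         # suboption 2: remote-id


def build_circuit_id(vlan: int, port: str, switch_id: str, delimiter: str = "/") -> bytes:
    """Self-defined circuit-id in ASCII format: vlan<delim>port<delim>switch-id.
    The switch's default delimiter is slash; a port name such as Ethernet1/10
    already contains one, so a colon keeps the three fields unambiguous."""
    return delimiter.join((str(vlan), port, switch_id)).encode("ascii")


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 as code, length and two TLV suboptions."""
    body = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds the one-byte length field")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_options(options: bytes) -> dict[int, bytes]:
    """Parse a DHCP options field (after the magic cookie) into {code: value}."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END or i + 1 >= len(options):   # end, or truncated TLV
            break
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_option82(value: bytes) -> dict[int, bytes]:
    """Split an option 82 value into its suboptions {subcode: value}."""
    subs: dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def serialize_options(opts: dict[int, bytes]) -> bytes:
    """Re-encode {code: value} as TLVs followed by the END option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + bytes([OPTION_END])


def relay_request(options: bytes, policy: str, own_option82: bytes) -> bytes | None:
    """Apply 'ip dhcp relay information policy' to a client request's options.
    drop:    a request that already carries option 82 is discarded (None)
    keep:    an existing option 82 is forwarded untouched
    replace: an existing option 82 is overwritten with this relay's own
    A request without option 82 always gets this relay's option inserted."""
    opts = parse_options(options)
    if OPTION_RELAY_AGENT in opts:
        if policy == "drop":
            return None
        if policy == "keep":
            return options
        if policy != "replace":
            raise ValueError(f"unknown policy {policy!r}")
    opts[OPTION_RELAY_AGENT] = own_option82[2:]   # value only; code/length are re-added
    return serialize_options(opts)
```

With the default slash delimiter the circuit-id "2/Ethernet1/10/sw3" cannot be split back into its three fields reliably, which is why the delimiter command exists; the relay policy matters most on the interface facing another relay, where a request that already carries option 82 is either evidence of a multi-hop relay chain (keep) or of a client trying to forge its own circuit-id (drop or replace).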
In global configuration mode, use ip igmp snooping. To configure IGMP Snooping on a VLAN, in global configuration mode use ip igmp snooping vlan <vlan-id>. Make sure one VLAN is configured as the L2 general querier in the same subnet, or make sure a static mrouter is configured. Use the show ip igmp snooping vlan <vid> command to check the IGMP Snooping information.

Chapter 39 IPv6 Multicast Protocol
39.1 MLD Snooping
39.1.1 Introduction to MLD Snooping
MLD, the Multicast Listener Discovery protocol, is used to realize multicasting in IPv6. MLD is used by network equipment that supports multicast, such as routers, for multicast listener discovery; it is also used by listeners that want to join a certain multicast group, to inform the router to receive data packets for that multicast address. All of this is done through MLD message exchange. First the router sends an MLD Multicast Listener Query message to a multicast address that reaches all listeners, namely ff02::1. Once there is a listener that wishes to join the multicast address, it sends an MLD Multicast Listener Report back through the multicast address.
MLD Snooping is MLD listening. Through MLD Snooping the switch restricts multicast traffic from flooding and forwards it only to the ports associated with multicast devices. The switch listens to the MLD messages between multicast routers and listeners and maintains the multicast group forwarding list based on
of the fiber module, the fiber module information may be re-monitored after the abnormality information has been processed; in this way the user can learn the abnormality information and renew the monitoring.
16.2 DDM Configuration Task List
DDM configuration task list:
1. Show the real-time monitoring information of the transceiver
2. Configure the alarm or warning thresholds of each parameter for the transceiver
3. Configure the state of the transceiver monitoring
   (1) Configure the interval of the transceiver monitoring
   (2) Configure the enable state of the transceiver monitoring
   (3) Show the information of the transceiver monitoring
   (4) Clear the information of the transceiver monitoring
1. Show the real-time monitoring information of the transceiver
  User mode, Admin mode and Global mode:
  show transceiver interface ethernet <interface-list> [detail]
    Show the monitoring information of the transceiver.
2. Configure the alarm or warning thresholds of each parameter for the transceiver
  Port mode:
  transceiver threshold {default | {temperature | voltage | bias | rx-power | tx-power} {high-alarm | low-alarm | high-warn | low-warn} {<value> | default}}
    Set the threshold defined by the user.
3. Configure the state of the transceiver monitoring
  (1) Configure the interval of the transceiver monitoring
  Global mode:
    Set the interval of the transceiver t
the authentication style with the following command: authentication line vty login local. The privilege option must be present and must be 15. Assuming an authorized user on the switch has the username test and the password test, the configuration procedure looks like the following:
Switch>enable
Switch#config
Switch(config)#username test privilege 15 password 0 test
Switch(config)#authentication line vty login local
After entering a valid login name and password in the Telnet interface, the Telnet user enters the switch CLI configuration interface. The commands available in the Telnet CLI after login are the same as those in the Console interface. Note that password 0 stores the password in plain text in the configuration, and Telnet itself carries the credentials unencrypted; since the switch also supports SSH (see the hardware specifications), SSH should be preferred for remote CLI access.

Figure 3-8 Telnet Configuration Interface (C:\WINNT\system32\telnet.exe)

3.1.2.2 Management via HTTP
To manage the switch via HTTP, the following conditions should be met:
1. The switch has an IPv4/IPv6 address configured.
2. The host IPv4/IPv6 address (HTTP client) and the switch's VLAN interface IPv4/IPv6 address are in the same network segment.
3. If 2 is not met, the HTTP client should reach an IPv4/IPv6 address of the switch via other devices, such as a router.
As with managing the switch via Telnet, as soon as the host succeeds in pinging (ping/ping6) an IPv4/IPv6 address of the switch and types the right login password, it can access the switch via HTTP. The configuration list is shown below.
Step 1: Configure the IP addresses for the switch and start the H
Destination switch: the switch to which the destination port for remote mirroring belongs. It forwards the mirrored flows it receives from the Remote VLAN to the monitoring device through the destination port.
When configuring RSPAN mirroring on the source switch, reflector port mode or destination mirror port mode can be selected. The destination switch redirects all data frames in the RSPAN VLAN to the RSPAN destination port.
For RSPAN mirroring, normal mode and advanced mode can be chosen; normal mode is the default and suits ordinary users, while advanced mode suits advanced users.
1. Advanced mode: to redirect data frames in the RSPAN VLAN to the RSPAN destination port, the intermediate and destination devices must support flow redirection.
2. Normal mode: the RSPAN destination port is configured in the RSPAN VLAN, so datagrams in the RSPAN VLAN are broadcast to the destination port. In this mode the destination port should be in the RSPAN VLAN, the source port should not be configured with broadcast storm control, and TRUNK ports should be configured carefully so that RSPAN datagrams are not forwarded to external networks. Normal mode has the benefit of easy configuration and reduced system resource usage.
To be noticed: normal mode is the default. In normal mode, datagrams with reserved MAC addresses cannot be broadcast. For chassis switches at most 4 mirror destination ports are supported, and
option 37/38 of the packets from the client by default; if not, it obtains option 37/38 of the packet sent by the relay. The DHCPv6 server only checks whether the first DHCPv6 relay adds option 37/38, which means that only the option 37/38 of the innermost relay-forward is valid in relay packets.

Chapter 36 DHCP Snooping Configuration
36.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the address acquisition process of DHCP clients via the DHCP protocol. It prevents DHCP attacks and illegal DHCP servers by setting trust ports and untrust ports: DHCP messages from trust ports are forwarded without being verified. In typical settings trust ports are used to connect the DHCP server or DHCP relay (proxy), and untrust ports are used to connect DHCP clients. The switch forwards DHCP request messages from untrust ports but not DHCP reply messages. If a DHCP reply message is received on an untrust port, besides raising an alarm the switch also applies the designated action to the port according to the settings, such as shutting the port down or binding a blackhole entry.
If DHCP Snooping binding is enabled, the switch saves the binding information of each DHCP client on the untrust ports, including its MAC address, IP address, IP lease, VLAN number and port number, in the DHCP snooping binding table. With this information DHCP Snooping can work together with modules such as dot1x and ARP, or implement user access control independently.
Defense against Fake DHCP Server
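The trust/untrust logic and binding-table construction described above, as an added Python example that is not the switch's own code. Port names, MAC and IP addresses and the DHCP messages are constructed; the message fields are reduced to the ones snooping needs, and the check that a RELEASE must arrive on the port where the binding was learned is an added safeguard the page does not describe.

```python
"""DHCP snooping as a state machine over trusted/untrusted ports, with the
binding table built from observed REQUEST/ACK pairs. Added example, not the
switch's own code; ports, MACs, addresses and messages are constructed."""
from __future__ import annotations
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}   # only legitimate on trusted ports


@dataclass(frozen=True)
class DhcpMessage:
    msg_type: int
    client_mac: str    # chaddr
    yiaddr: str        # address offered/assigned; "0.0.0.0" in client messages
    lease: int         # option 51 in seconds, 0 when absent
    vlan: int
    ingress_port: str


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


class DhcpSnooping:
    def __init__(self, trusted_ports: set[str], untrust_action: str = "alarm"):
        self.trusted = set(trusted_ports)
        self.untrust_action = untrust_action          # "alarm" or "shutdown"
        self.pending: dict[str, tuple[int, str]] = {}   # mac -> (vlan, client port)
        self.bindings: dict[str, Binding] = {}
        self.alarms: list[str] = []
        self.shutdown_ports: set[str] = set()

    def process(self, m: DhcpMessage) -> bool:
        """Return True to forward the message, False to drop it."""
        if m.ingress_port in self.shutdown_ports:
            return False
        if m.ingress_port in self.trusted:
            # trusted: forwarded without verification, but an ACK completes a binding
            if m.msg_type == ACK and m.client_mac in self.pending:
                vlan, port = self.pending.pop(m.client_mac)
                self.bindings[m.client_mac] = Binding(m.client_mac, m.yiaddr, m.lease, vlan, port)
            return True
        if m.msg_type in SERVER_MESSAGES:             # fake server behind an access port
            self.alarms.append(f"DHCP reply type {m.msg_type} on untrusted port {m.ingress_port}")
            if self.untrust_action == "shutdown":
                self.shutdown_ports.add(m.ingress_port)
            return False
        if m.msg_type in (DISCOVER, REQUEST):
            self.pending[m.client_mac] = (m.vlan, m.ingress_port)
        elif m.msg_type == RELEASE:
            b = self.bindings.get(m.client_mac)
            if b is None or b.port != m.ingress_port:   # added check: release must come from the bound port
                return False
            del self.bindings[m.client_mac]
        return True

    def is_bound(self, mac: str, ip: str, port: str) -> bool:
        """Check of the kind ARP/IP source-guard style filters make: the (mac, ip)
        pair must have been learned on exactly this port."""
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip and b.port == port
```

The binding is keyed to the port on which the client's request was seen, not the port on which the ACK arrived, which is what lets the table later refuse an ARP or IP packet that claims a bound address from a different port.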
Switch(config)#interface ethernet1/10
Switch(Config-If-Ethernet1/10)#mac access-group 1100 in
Switch(Config-If-Ethernet1/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Switch#show access-lists
access-list 1100 (used 1 time(s))
  access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
  access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac
Switch#show access-group interface ethernet 1/10
interface name: Ethernet1/10
  MAC Ingress access-list used is 1100, traffic-statistics Disable.
Scenario 3: The configuration requirement is as follows. The MAC address range of the network connected to interface 10 of the switch is 00-12-11-23-xx-xx and the IP network is 10.0.0.0/24. FTP should be disabled, and ping requests from the outside network should be disabled.
Configuration description:
5. Create the corresponding access list
6. Configure datagram filtering
7. Bind the ACL to the related interface
The configuration steps are listed below:
Switch(config)#access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(config)#access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#exit
Note that the first entry matches the source MAC range, TCP, source network 10.0.0.0/24 and destination port 21 (outbound FTP control connections), while the second matches every ICMP type whose destination MAC is in the range and whose destination address is in 10.0.0.0/24, so it blocks not only echo requests from outside but also echo replies to pings sent from inside.
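The wildcard-mask matching that the two access-list 3110 entries rely on, as an added Python example that is not the switch's own code. The rule model, the packets and the first-match-then-default evaluation are constructed; the 0-means-must-match, 1-means-don't-care mask convention is the one the entries above use (00-00-00-00-ff-ff covering 00-12-11-23-xx-xx, 0.0.0.255 covering 10.0.0.0/24).

```python
"""Wildcard-mask matching for MAC-IP access lists of the kind shown above
(access-list 3110). Added example, not the switch's own code; the rule model
and the sample packets are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address


def mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def ip_int(ip: str) -> int:
    return int(IPv4Address(ip))


def wildcard_match(value: int, base: int, wildcard: int) -> bool:
    """Switch-style wildcard mask: 0 bits must match, 1 bits are don't-care."""
    return (value & ~wildcard) == (base & ~wildcard)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    proto: str          # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                               # "deny" or "permit"
    src_mac: tuple[int, int] | None = None    # (base, wildcard); None = any-source-mac
    dst_mac: tuple[int, int] | None = None    # None = any-destination-mac
    proto: str | None = None
    src_ip: tuple[int, int] | None = None     # None = any-source
    dst_ip: tuple[int, int] | None = None     # None = any-destination
    dst_port: int | None = None               # d-port

    def matches(self, p: Packet) -> bool:
        checks = (
            (self.src_mac, mac_int(p.src_mac)),
            (self.dst_mac, mac_int(p.dst_mac)),
            (self.src_ip, ip_int(p.src_ip)),
            (self.dst_ip, ip_int(p.dst_ip)),
        )
        for spec, value in checks:
            if spec is not None and not wildcard_match(value, *spec):
                return False
        if self.proto is not None and self.proto != p.proto:
            return False
        return self.dst_port is None or self.dst_port == p.dst_port


def evaluate(acl: list[Rule], p: Packet, default: str = "permit") -> str:
    """First matching entry wins; a packet matching no entry gets the default."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default


MAC_RANGE = (mac_int("00-12-11-23-00-00"), mac_int("00-00-00-00-ff-ff"))
LAN = (ip_int("10.0.0.0"), ip_int("0.0.0.255"))
# constructed equivalent of the two access-list 3110 entries
ACL_3110 = [
    Rule("deny", src_mac=MAC_RANGE, proto="tcp", src_ip=LAN, dst_port=21),   # outbound FTP control
    Rule("deny", dst_mac=MAC_RANGE, proto="icmp", dst_ip=LAN),               # any ICMP into the LAN
]
```

Running a few packets through ACL_3110 shows the two effects a practitioner should expect: FTP from a host whose MAC is outside 00-12-11-23-xx-xx is not blocked (the entry keys on the MAC range, not only on the subnet), and an ICMP echo reply addressed to 10.0.0.7 is denied just like an echo request from outside.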
Configuration Examples
The figure below shows a simple network consisting of three layer-3 switches; the network mask for all switches and PCs is 255.255.255.0. PC A and PC C are connected via the static routes set on SwitchA and SwitchC. PC C and PC B are connected via the static route set on SwitchC towards SwitchB. PC B and PC C are connected via the default route set on SwitchB.

Figure 26-1 Static Route Configurations: PC A 10.1.1.2 on SwitchA vlan1 (10.1.1.1); SwitchA vlan2 (10.1.2.1) to SwitchC vlan2 (10.1.2.2); PC C 10.1.5.2 on SwitchC vlan3 (10.1.5.1); SwitchC vlan1 (10.1.3.2) to SwitchB vlan4 (10.1.3.1); PC B 10.1.4.2 on SwitchB vlan2 (10.1.4.1).

Configuration steps
Configuration of layer-3 SwitchA:
Switch#config
Switch(config)#ip route 10.1.5.0 255.255.255.0 10.1.2.2
Configuration of layer-3 SwitchC:
Switch#config
Next hop: use the partner's IP address
Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
Next hop: use the partner's IP address
Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
Configuration of layer-3 SwitchB:
Switch#config
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
In this way, ping connectivity can be established between PC A and PC C, and between PC B and PC C.
26.4 ARP
26.4.1 Introduction to ARP
ARP (Address Resolution Protocol) is mainly used to resolve IP addresses to Ethernet MAC addresses. The switch supports static ARP configuration.
26.4.2 ARP Configuration Task List
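Longest-prefix-match forwarding over the three routing tables configured above, as an added Python example that is not the switch's own code. The tables reproduce the page's addresses and routes; the mapping from next-hop address to the switch that owns it is constructed from Figure 26-1. Tracing packets hop by hop shows why only the PC A/PC C and PC B/PC C pairs can ping each other: SwitchB can reach PC A through its default route, but SwitchA has no route back to 10.1.4.0/24.

```python
"""Longest-prefix-match forwarding over the static routing tables of the
three-switch example. Added example, not the switch's own code; the tables
and the next-hop ownership map are taken from the page's figure."""
from __future__ import annotations
from ipaddress import IPv4Address, IPv4Network


class RoutingTable:
    def __init__(self, connected: dict[str, str]):
        # interface name -> directly connected network
        self.routes: list[tuple[IPv4Network, str, str]] = [
            (IPv4Network(net), "connected", iface) for iface, net in connected.items()]

    def add_static(self, prefix: str, next_hop: str) -> None:
        self.routes.append((IPv4Network(prefix), "via", next_hop))

    def lookup(self, dst: str) -> tuple[str, str] | None:
        """Return ('connected', iface) or ('via', next-hop) for the longest
        matching prefix; the 0.0.0.0/0 default route only wins when nothing
        more specific matches."""
        addr = IPv4Address(dst)
        best = None
        for net, kind, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, kind, target)
        return None if best is None else (best[1], best[2])


def trace(tables: dict[str, RoutingTable], owner: dict[str, str],
          start: str, dst: str, max_hops: int = 8) -> list[str] | None:
    """Follow next hops switch by switch; None if some switch has no route
    (or the path loops longer than max_hops)."""
    path, current = [start], start
    for _ in range(max_hops):
        decision = tables[current].lookup(dst)
        if decision is None:
            return None
        kind, target = decision
        if kind == "connected":
            return path
        current = owner[target]       # the switch that owns the next-hop address
        path.append(current)
    return None


def build_example() -> tuple[dict[str, RoutingTable], dict[str, str]]:
    a = RoutingTable({"vlan1": "10.1.1.0/24", "vlan2": "10.1.2.0/24"})
    a.add_static("10.1.5.0/24", "10.1.2.2")
    c = RoutingTable({"vlan2": "10.1.2.0/24", "vlan1": "10.1.3.0/24", "vlan3": "10.1.5.0/24"})
    c.add_static("10.1.1.0/24", "10.1.2.1")
    c.add_static("10.1.4.0/24", "10.1.3.1")
    b = RoutingTable({"vlan4": "10.1.3.0/24", "vlan2": "10.1.4.0/24"})
    b.add_static("0.0.0.0/0", "10.1.3.2")
    tables = {"SwitchA": a, "SwitchB": b, "SwitchC": c}
    owner = {"10.1.2.1": "SwitchA", "10.1.2.2": "SwitchC",
             "10.1.3.1": "SwitchB", "10.1.3.2": "SwitchC"}
    return tables, owner
```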
configure some network ports, he or she can use the interface ethernet <interface-list> command to enter the appropriate Ethernet port configuration mode, where <interface-list> stands for one or more ports. If <interface-list> contains multiple ports, the special characters ";" and "-" can be used to separate ports: ";" is used for discrete port numbers and "-" is used for consecutive port numbers. Suppose an operation should be performed on ports 2, 3, 4 and 5; the command would be interface ethernet 1/2-5. Port speed, duplex mode and traffic control can be configured under Ethernet Port Mode, changing the performance of the corresponding network ports accordingly.
7.2 Network Port Configuration Task List
1. Enter the network port configuration mode
2. Configure the properties for the network ports
   (1) Configure combo mode for combo ports
   (2) Enable/Disable ports
   (3) Configure port names
   (4) Configure port cable types
   (5) Configure port speed and duplex mode
   (6) Configure bandwidth control
   (7) Configure traffic control
   (8) Enable/Disable port loopback function
   (9) Configure broadcast storm control function for the switch
   (10) Configure scan port mode
   (11) Configure rate violation control of the port
   (12) Configure interval of port rate statistics
3. Virtual cable test
1. Enter the Ethernet port configuration mode
Explan
root path cost and so forth.
22.2.1.1 Operations between MST Regions
If there are multiple regions or legacy 802.1D bridges within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP bridges in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
The MSTI is only valid within its MST region; an MSTI has nothing to do with MSTIs in other MST regions. The bridges in an MST region receive the MST BPDUs of other regions through boundary ports. They only process CIST-related information and discard MSTI information.
22.2.2 Port Roles
The MSTP bridge assigns a port role to each port that runs MSTP.
- CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port.
- On top of those roles, each MSTI port has one new role: Master Port.
The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same way as those in RSTP.
22.2.3 MSTP Load Balance
In an MSTP region VLANs can be mapped to various instances, which can form various topologies. Each instance is independent from the others and each instance can have its own attributes, such as bridge priority and port cost. Consequently the VLANs in different instances have their own paths, and the traffic of the VLANs is load balanced.
22.3 MSTP Configuration Task List
MSTP configuration task list:
1. Enable the MSTP and se
an operational error happens, the system displays a detailed corresponding prompt.

Chapter 45 Security Feature Configuration
45.1 Introduction to Security Feature
Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal user packets because it is kept busy processing the attacker's packets, which leads to denial of the service and, worse, can lead to leakage of sensitive data of the server.
Security feature refers to applications such as protocol check, which protect the server from attacks such as DoS. The protocol check allows the user to drop matched packets based on specified conditions. The security features provide several simple and effective protections against DoS attacks without affecting the line-rate forwarding performance of the switch.
45.2 Security Feature Configuration
45.2.1 Prevent IP Spoofing Function Configuration Task Sequence
1. Enable the IP spoofing function
  Global Mode:
  dosattack-check srcip-equal-dstip enable
  no dosattack-check srcip-equal-dstip
    Enable/disable checking whether the IP source address is the same as the destination address.
45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence
1. Enable the anti TCP unauthorized label attack function
Explanation
  option domain-name-servers 192.168.10.3;
  authoritative;
  pool {
    range 192.168.102.21 192.168.102.50;
    default-lease-time 86400;    # 24 Hours
    max-lease-time 172800;       # 48 Hours
    allow members of "Switch3Vlan2Class1";
  }
  pool {
    range 192.168.102.51 192.168.102.80;
    default-lease-time 43200;    # 12 Hours
    max-lease-time 86400;        # 24 Hours
    allow members of "Switch3Vlan2Class2";
  }
}
Now the DHCP server allocates addresses for the network nodes from Switch1 that are relayed by Switch3 within the range 192.168.102.21 to 192.168.102.50, and allocates addresses for the network nodes from Switch1 within the range 192.168.102.51 to 192.168.102.80.
33.4 DHCP Option 82 Troubleshooting
- DHCP option 82 is implemented as a sub-function module of the DHCP Relay Agent. Before using it, users should make sure that the DHCP Relay Agent is configured correctly.
- DHCP option 82 needs the DHCP Relay Agent and the DHCP server to cooperate to finish the task of allocating IP addresses. The DHCP server should set its allocation policy correctly depending on the network topology of the DHCP Relay Agent; otherwise, even if the Relay Agent operates normally, the allocation of addresses will fail.
- When there is more than one kind of Relay Agent, pay attention to the retransmitting policy for DHCP request messages on the interface.
- To implement the option 82 function of the DHCP Relay Agent, the debug dhcp relay packet command can be used during the operat
or disable the logging of executed commands.
  logging executed-commands {enable | disable}
    Enable or disable the logging of executed commands.
4. Display the log source
  Admin and configuration mode:
  show logging source mstp
    Show the log information source of the MSTP module.
5. Display the state of executed-commands logging
  Admin mode:
  show logging executed-commands state
    Show the state of logging executed commands.
66.7.3 System Log Configuration Example
Example 1: For the management VLAN, the IPv4 address of the switch is 100.100.100.1 and the IPv4 address of the remote log server is 100.100.100.5. It is required to send log information with a severity equal to or higher than warnings to this log server and to record it under the facility local1.
Configuration procedure:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 100.100.100.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#logging 100.100.100.5 facility local1 level warnings
Example 2: For the management VLAN, the IPv6 address of the switch is 3ffe:506::1 and the IPv6 address of the remote log server is 3ffe:506::4. It is required to send log information with a severity equal to or higher than critical to this log server and to record it under the facility local7.
Configuration procedure:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 3ffe:506::1/64
Switch(Config-if-Vlan1)#exit
Switch(config)#logging 3ffe:506::4 facility local7 level critical
Chap
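What the facility and level arguments of the logging command above turn into on the wire, as an added Python example that is not the switch's own code: the syslog PRI value is facility times 8 plus severity, and "a severity equal to or higher than warnings" means a numerically lower-or-equal severity code. The log entries, host name and timestamp are constructed; the BSD-style line format follows RFC 3164.

```python
"""Syslog PRI encoding and the severity threshold behind 'logging <host>
facility <f> level <s>'. Added example, not the switch's own code; the log
entries, host and timestamp are constructed."""
from __future__ import annotations
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
# severity keywords as the CLI names them; a lower number is more severe
SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility: str, severity: str) -> int:
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple[str, str]:
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def should_forward(severity: str, threshold: str) -> bool:
    """'Equal to or higher than <threshold>' is a numerically lower-or-equal code."""
    return SEVERITIES[severity] <= SEVERITIES[threshold]


def format_message(facility: str, severity: str, host: str, tag: str, text: str,
                   timestamp: str = "Jan  1 00:00:00") -> str:
    """BSD-style (RFC 3164) line: <PRI>TIMESTAMP HOST TAG: MSG."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {text}"


def parse_pri(line: str) -> tuple[str, str]:
    """Recover (facility, severity) from a received line; reject bad PRI values."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    return decode_pri(int(m.group(1)))


def forward_to_server(entries: list[tuple[str, str]], facility: str, threshold: str,
                      host: str) -> list[str]:
    """Emulate the switch: entries are (severity, text); only those at or above
    the threshold are sent, all tagged with the configured facility."""
    return [format_message(facility, sev, host, "switch", text)
            for sev, text in entries if should_forward(sev, threshold)]
```

On the collector side the facility is what separates this switch's messages from other local1 or local7 sources, so choose a facility per device class and filter on it rather than on the host name alone, which a syslog sender can set freely.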
network topology, where SNTP mainly works between second-level servers and various terminals, since such scenarios do not require very high time accuracy and the accuracy of SNTP (1 to 50 ms) is usually sufficient for those services.

Figure 62-1 Working Scenario (GPS receiver, level 1 server, router, campus users)

The switch implements SNTPv4 and supports the SNTP client unicast mode as described in RFC 2030; the SNTP client multicast and anycast modes are not supported, nor is the SNTP server function.
62.2 Typical Examples of SNTP Configuration

Figure 62-2 Typical SNTP Configuration (two SNTP/NTP servers and several switches)

All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there should be a reachable route between any switch and the two SNTP/NTP servers. For example, assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.1 respectively and the SNTP/NTP server function (such as NTP master) is enabled; then the configuration for any switch should look like the following:
Switch#config
Switch(config)#sntp server 10.1.1.1

Chapter 63 NTP Function Configuration
63.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among di
information terminals that make use of the Internet and require IP addresses, the supply of IP addresses has become more and more tight. People have been working on the shortage of IPv4 addresses for a long time, introducing various technologies to prolong the lifespan of the existing IPv4 infrastructure, including Network Address Translation (NAT) and Classless Inter-Domain Routing (CIDR). Although the combination of CIDR, NAT and private addressing has temporarily mitigated the shortage of IPv4 address space, NAT has disrupted the end-to-end model that was the original intention of the IP design: router devices serving as intermediate network nodes must maintain the state of every connection, which increases network delay greatly and decreases network performance. Moreover, the translation of packet addresses hinders end-to-end network security checks; the IPsec authentication header is one such example.
Therefore, to solve all kinds of problems existing in IPv4 comprehensively, the next generation Internet Protocol, IPv6, designed by the IETF, has become the only feasible solution at present. First of all, the 128-bit addressing scheme of IPv6 can guarantee enough globally unique IP addresses for the nodes of the global IP network across time and space. Moreover, besides increasing the address space, IPv6 also enhanced many other essential
information in the switch queue
  Global Mode:
  ip dns server queue maximum <1-5000>
  no ip dns server queue maximum
    Configure the maximum number of client information entries in the switch queue.
8. Configure the timeout value of caching the client information on the switch
  Global Mode:
  ip dns server queue timeout <1-100>
  no ip dns server queue timeout
    Configure the timeout value of caching the client information on the switch.
9. Monitor and diagnose the DNS function
  Admin Mode and Configuration Mode:
  show dns name-server
    Show the configured DNS server information.
  show dns domain-list
    Show the configured DNS domain name suffix information.
    Show the dynamic domain name information resolved by the switch.
  show dns config
    Display the configured global DNS information on the switch.
  show dns client
    Display the DNS client information maintained by the switch.
  debug dns {all | packet [send | recv] | events | relay}
  no debug dns {all | packet [send | recv] | events | relay}
    Enable/disable debugging of the DNS function.
65.3 Typical Examples of DNS

Figure 65-1 DNS client typical environment: DNS server (IP 219.240.250.101, IPv6 2001::1); switch configured with ip domain-lookup, dns-server 219.240.250.101 and dns-server 2001::1.

As shown in the figure, the switch is connected to the DNS server through the network. If the switch wants to visit the Sina web
48-Port 10/100/1000Base-T + 4-Port 1000X SFP Managed Gigabit Switch
Hardware Specifications
Copper Ports: 48 10/100/1000Base-T RJ-45 auto-MDI/MDI-X ports
SFP/Mini-GBIC Slots: 4 100/1000Base-X SFP interfaces
Console: 1 x RS-232 DB9 serial port (9600, 8, N, 1)
Switch Architecture: Store-and-forward, 104 Gbps non-blocking
Switch Throughput: 77.38 Mpps
Address Table: 16K MAC address table with auto-learning function
Shared Data Buffer: 1.5 Mbytes
Flow Control: Back pressure for half duplex; IEEE 802.3x pause frame for full duplex
Jumbo Frame: 16K bytes
LEDs: System: PWR, SYS; Ports: TP port 10/100/1000 Link/Act, SFP slot Link/Act
Dimensions (W x D x H), Power Consumption, Power Requirements
Management Function
System Configuration: Console, Telnet, SSH, Web Browser, SNMPv1, v2c and v3
- Supports both IPv4 and IPv6 addressing
- Supports user IP security inspection for IPv4/IPv6 SNMP
- Supports MIB and TRAP
- Supports IPv4/IPv6 FTP/TFTP
- Supports IPv4/IPv6 NTP
- Supports RMON 1, 2, 3, 9 four groups
- Supports RADIUS authentication for IPv4/IPv6 Telnet user name and password
- Supports IPv4/IPv6 SSH
- Supports the configuration that lets users adopt the RADIUS server's shell management
- Supports CLI (Console RS-232, Telnet)
- Supports SNMPv1/v2c/v3
- Supports the Security IP management function, which prevents login from addresses outside the permitted range
- Supports Syslog server
  host <address> {<mask> | <prefix-length>}
  no host
    Specify/delete the IP address to be assigned to the specified client when binding an address manually.
  client-identifier <unique-identifier>
  no client-identifier
    Specify/delete the unique ID of the user when binding an address manually.
3. Enable logging for address conflicts
  Global Mode:
  ip dhcp conflict logging
  no ip dhcp conflict logging
    Enable/disable logging for DHCP address conflict detection.
  Admin Mode:
  clear ip dhcp conflict {<address> | all}
    Delete a single address conflict record or all conflict records.
31.3 DHCP Relay Configuration
When the DHCP client and server are in different segments, DHCP relay is required to transfer DHCP packets. Adding a DHCP relay makes it unnecessary to configure a DHCP server for each segment: one DHCP server can provide the network configuration parameters for clients from multiple segments, which is not only cost effective but also easier to manage.

Figure 31-2 DHCP relay: the client's broadcast DHCPDISCOVER and DHCPREQUEST are forwarded by the DHCP relay to the server as unicast; the server's DHCPOFFER and DHCPACK are returned as unicast to the relay, which delivers them to the client.

As shown in the figure above, the DHCP client and the DHCP server are in different networks. The DHCP client performs the four DHCP steps as usual, yet a DHCP relay is added to the process:
1. The client broadcasts a DHCPDISCO
dot1q-tunnel tpid 0x9100
Switch(Config)#
20.2.4 Dot1q-tunnel Troubleshooting
- Enabling dot1q-tunnel on a Trunk port makes the tag of the data packet unpredictable, which is not required in the application, so it is not recommended to enable dot1q-tunnel on a Trunk port.
- Enabling it together with STP/MSTP is not supported.
- Enabling it together with PVLAN is not supported.
20.3 Selective QinQ Configuration
20.3.1 Introduction to Selective QinQ
Selective QinQ is an enhanced application of the dot1q-tunnel function. It tags packets received on the same port with different outer VLAN tags based on their different inner VLAN tags, according to the user's requirement, so that packets of different types can be assigned to different VLANs and take different transmission paths.
20.3.2 Selective QinQ Configuration
Selective QinQ Configuration Task List
1. Configure the port mapping relation between the inner tag and the outer tag
2. Configure selective QinQ of the port
1. Configure the port mapping relation between the inner tag and the outer tag
  Port mode:
  dot1q-tunnel selective s-vlan <s-vid> c-vlan <c-vid-list>
  no dot1q-tunnel selective s-vlan <s-vid> c-vlan <c-vid-list>
    Configure/delete the port mapping relation of the inner tag and the outer tag for selective QinQ.
2. Configure selective QinQ of the port
  dot1q-tunnel selective enable
    Enable d
Figure 39-2 Switch as MLD Querier (Multicast Router; Group 1 and Group 2 members; SwitchA running MLD Snooping as querier; SwitchB running MLD Snooping)

The configuration of switch B is the same as for the switches in case 1, and here SwitchA replaces the Multicast Router of case 1. Assume the VLAN 60 configured on it contains ports 1, 2, 10 and 12, where port 1 is connected to the multicast server and port 2 to SwitchB. To send Query messages periodically, global MLD Snooping has to be enabled while executing ipv6 mld snooping vlan 60 l2-general-querier, which sets VLAN 60 as a Level-2 General Querier.
Configuration procedure:
SwitchA#config
SwitchA(config)#ipv6 mld snooping
SwitchA(config)#ipv6 mld snooping vlan 60
SwitchA(config)#ipv6 mld snooping vlan 60 l2-general-querier
SwitchB#config
SwitchB(config)#ipv6 mld snooping
SwitchB(config)#ipv6 mld snooping vlan 100
SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/1
Multicast configuration: same as scenario 1.
MLD Snooping interception results: same as scenario 1.
39.1.4 MLD Snooping Troubleshooting
When configuring and using MLD Snooping, the MLD Snooping server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following:
- Ensure the physical connection is correct.
- Ensure MLD Snooping is enabled under global mode using ipv6 mld snooping.
- Ensure the MLD S
up to 32 groups of maximum 8 ports for trunking.
Excellent Traffic Control
The PLANET WGSW-52040 is loaded with powerful traffic management and WRR features to enhance the services offered by telecoms. The functionality includes WRR features such as wire-speed Layer 4 traffic classifiers and bandwidth limiting, which are particularly useful for multi-tenant unit, multi-business unit, telco or network service provider applications. It also empowers enterprises to take full advantage of limited network resources and guarantees the best performance for VoIP and video conferencing transmission.
Powerful Security
The WGSW-52040 supports ACL policies comprehensively. Traffic can be classified by source/destination IP addresses, source/destination MAC addresses, IP protocols, TCP/UDP, IP precedence, time ranges and ToS. Moreover, various policies can be applied to forward the traffic. The WGSW-52040 also provides IEEE 802.1x port-based access authentication, which can be deployed with RADIUS to ensure port-level security and block unauthorized users.
Efficient Management
The WGSW-52040 supports the IP Stacking function, which helps network managers to easily configure up to 24 switches of the same series via one single IP address instead of connecting to and setting each unit one by one. For efficient management, the WGSW-52040 Managed Ethernet Switch is equipped with console, Web and SNMP management interfaces. With its built-in Web-based management interface
specifically applies to Ethernet ring topologies; (2) fast convergence, less than 1 s and ideally 100 to 50 ms.
55.1.1 Concept Introduction

Figure 55-1 MRPP Sketch Map (Ring 1: Switch A as master node with Switch B, C, D and E; Ring 2: Switch F, G and H)

1. Control VLAN
The Control VLAN is a virtual VLAN used only to identify MRPP protocol packets transferred on the link. To avoid confusion with other configured VLANs, do not configure the control VLAN ID to be the same as another configured VLAN ID. Different MRPP rings should be configured with different control VLAN IDs.
2. Ethernet Ring (MRPP Ring)
A ring-linked Ethernet network topology. Each MRPP ring has two states:
Health state: the physical link of the whole ring network is connected.
Break state: one or more physical links in the ring network are broken.
3. Nodes
Each switch on the Ethernet ring is called a node. The node types are:
Primary node: each ring has one primary node; it is the main node that detects and defends the ring.
Transfer node: except for the primary node, the other nodes on each ring are transfer nodes.
The node role is determined by user configuration. As shown in Figure 55-1, Switch A is the primary node of Ring 1, and Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
4. Primary port and secondary port
The primary node and the transfer nodes each have two ports connecting to the Ethernet ring; one is the primary port and a
402. plies with the IEEE 802.3, IEEE 802.3u, IEEE 802.3ab and IEEE 802.3z Gigabit Ethernet standards. Supports auto-negotiation and half-duplex/full-duplex modes for all 10Base-T, 100Base-TX and 1000Base-T ports. Supports 100/1000Base-X for all SFP interfaces. Auto-MDI/MDI-X detection on each RJ-45 port. Flow control to prevent packet loss: IEEE 802.3x pause-frame flow control in full-duplex mode; back-pressure flow control in half-duplex mode. High-performance Store-and-Forward architecture, broadcast storm control, port loopback detection. 16K MAC address table, automatic source address learning and ageing. Supports VLAN: IEEE 802.1Q tag-based VLAN; GVRP for dynamic VLAN management; up to 256 VLAN groups out of 4041 VLAN IDs; Provider Bridging (VLAN Q-in-Q) support, IEEE 802.1ad; Private VLAN Edge (PVE) supported; GVRP protocol for the Management VLAN; protocol-based VLAN; MAC-based VLAN; IP Subnet VLAN. Supports Link Aggregation: maximum 32 trunk groups, up to 8 ports per trunk group; IEEE 802.3ad LACP (Link Aggregation Control Protocol); Cisco ether-channel (Static Trunk). Spanning Tree Protocol: STP, IEEE 802.1D Classic Spanning Tree Protocol; RSTP, IEEE 802.1w Rapid Spanning Tree Protocol; MSTP, IEEE 802.1s Multiple Spanning Tree Protocol, spanning tree by VLAN; supports BPDU guard and root guard. Port Mirroring to monitor the incoming or outgoing traffic on a particular port (many-to-many); provides Port Mirror (many-to-1)
403. plink switchover. SwitchA configuration task list:
Switch(Config)# spanning-tree mst configuration
Switch(Config-Mstp-Region)# instance 1 vlan 1
Switch(Config-Mstp-Region)# exit
Switch(Config)# ulpp group 1
Switch(ulpp-group-1)# protect vlan-reference-instance 1
Switch(ulpp-group-1)# exit
Switch(Config)# interface ethernet 1/1
Switch(Config-If-Ethernet1/1)# ulpp group 1 master
Switch(Config-If-Ethernet1/1)# exit
Switch(Config)# interface ethernet 1/2
Switch(Config-If-Ethernet1/2)# ulpp group 1 slave
Switch(Config-If-Ethernet1/2)# exit
SwitchB configuration task list:
Switch(Config)# ulsm group 1
Switch(Config)# interface ethernet 1/1
Switch(Config-If-Ethernet1/1)# ulsm group 1 downlink
Switch(Config-If-Ethernet1/1)# exit
Switch(Config)# interface ethernet 1/3
Switch(Config-If-Ethernet1/3)# ulsm group 1 uplink
Switch(Config-If-Ethernet1/3)# exit
SwitchC configuration task list:
Switch(Config)# ulsm group 1
Switch(Config)# interface ethernet 1/2
Switch(Config-If-Ethernet1/2)# ulsm group 1 downlink
Switch(Config-If-Ethernet1/2)# exit
Switch(Config)# interface ethernet 1/4
Switch(Config-If-Ethernet1/4)# ulsm group 1 uplink
Switch(Config-If-Ethernet1/4)# exit
4. ULSM Troubleshooting: with the normal configuration, if the downlink port does not respond to the down event of the uplink port, please enable the debug function of ULSM, copy the debug information of 3 minutes together with the configuration information, and send them to our technical s
404. protocols have the three characteristics below. Privacy: first the cipher suite is negotiated, then all messages are encrypted. Affirmation: though client authentication for the conversation is optional, the server is always authenticated. Reliability: a message integrity check, using a MAC, is included in each sent message. 48.1.1 Basic Element of SSL: the basic strategy of SSL is to provide a safe channel for arbitrary application data forwarded between two communicating programs. In theory an SSL connection is similar to an encrypted TCP connection. The SSL protocol sits under the application layer and on top of TCP. If the data forwarding mechanism in the lower layer is reliable, the data read from the network will be forwarded to the other program in sequence; lost packets and re-forwarding will not appear. Many transport protocols can provide such a service in theory, but in actual application SSL almost always runs on TCP and does not run on UDP or IP directly. When the web function is running on the switch and the client visits the web site through an internet browser, the SSL function can be used. Communication between client and switch through an SSL connection improves security. Firstly, SSL should be enabled on the switch. When the client tries to access the switch through the https method, an SSL session will be set up between the switch and the client. When the SSL session has been set up, all the
405. pt summer time is different in each country. At present almost 110 countries implement summer time. Compared with the standard time, summer time is usually set 1 hour later; for example, when summer time is in effect, 10:00 am of the standard time is considered 11:00 am of summer time.
64.2 Summer Time Configuration Task Sequence
1. Configure an absolute or recurrent time range of summer time (Global Mode).
clock summer-time <word> absolute <HH:MM> <YYYY.MM.DD> <HH:MM> <YYYY.MM.DD> [<offset>] / no clock summer-time: set the absolute time range of summer time; the start and end of summer time are configured with a specified year.
clock summer-time <word> recurring <HH:MM> <MM.DD> <HH:MM> <MM.DD> [<offset>] / no clock summer-time: set the recurrent time range of summer time; every year the summer time begins at the start time and ends at the end time.
clock summer-time <word> recurring <HH:MM> <week> <day> <month> <HH:MM> <week> <day> <month> [<offset>] / no clock summer-time: set the recurrent time range of summer time; every year the summer time begins at the start time and ends at the end time.
64.3 Examples of Summer Time
Example: the configuration requirement is as follows. The summer time runs from 23:00 on April 1st, 2012 to 00:00 on October 1st, 2012, the clock offset is 1 hour, and the summer time is named 2012
406. pter 50 MAB Configuration. 50.1 Introduction to MAB: in actual networks there exist devices which cannot install an authentication client, such as printers and PDA devices; they cannot process 802.1x authentication. However, to access the network resources they need to use MAB authentication in place of 802.1x authentication. MAB authentication is a network access authentication method based on the access port and the MAC address of the MAB user. The user need not install any authentication client: after the authentication device receives ARP packets sent by the MAB user, it authenticates the MAC address of the MAB user, and if there is corresponding authentication information on the authentication server, the packets matching the port and the source MAC are allowed to pass when the authentication is successful. The MAB user does not need to input the username and password manually in the authentication process. At present the MAB authentication device only supports the RADIUS authentication method. There are two options for the authentication username and password: use the MAC address of the MAB user as the username and password, or use a fixed username and password, where all users authenticate with the configured username and password. 50.2 MAB Configuration Task List: 1. Enable MAB function: 1) enable global MAB function; 2) enable port MAB function. 2. Configure MAB authentication username and password. 3. Configure
407. quest packets, including the physical access port, the access device ID and other information, to the DHCP request message from the client, then forwards the message to the DHCP server. When the DHCP server, which supports the option 82 function, receives the message, it will allocate an IP address and other configuration information for the client according to preconfigured policies and the option 82 information in the message. At the same time, the DHCP server can identify all the possible DHCP attack messages according to the information in option 82 and defend against them. DHCP SNOOPING will strip option 82 from the reply messages it receives and forward the reply message to the specified port of the network access device. The application of DHCP option 82 is transparent for the client. 37.1.1 DHCP Option 82 Message Structure: a DHCP message can have several option segments; option 82 is one of them. It has to be placed after the other options but before option 255. Its format is: Code | Len | Agent Information Field. Code represents the sequence number of the relay agent information option; option 82 is called so because RFC 3046 defines it as 82. Len is the number of bytes in the Agent Information Field, not including the two bytes of the Code segment and the Len segment. Option 82 can have several sub-options and needs at least one sub-option. RFC 3046 defines the following two sub-options, whose formats are shown below.
408. r. Compared with CFM, Y.1731, the standard set by the ITU (International Telecommunications Union), is more powerful; E-LMI, the standard set by the MEF, is only applied to the UNI. So the above protocols can be used for different network topologies and management, and there is a complementary relation between them. EFM OAM (Ethernet in the First Mile Operation, Administration and Maintenance) works in the data link layer of the OSI model and implements its functions through the OAM sublayer, as shown below.
[Figure 14-1 OAM location in OSI model]
OAM protocol data units (OAMPDUs) use the protocol's destination MAC address 01-80-c2-00-00-02; the maximum transmission rate is 10 packets per second. EFM OAM is established on the basis of an OAM connection; it provides a link operation management mechanism including link monitoring, remote fault detection and remote loopback testing. A brief introduction to EFM OAM follows. 1. Ethernet OAM connection establishment: the Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs. EFM OAM can operate in two modes, active mode and passive mode. A session can only be established by the OAM entity working in active mode; entities working in passive mode need to wait until they receive the connection request. After an Ethernet OAM connec
409. r 2 device as DHCP relay, there is a limit on the number of Layer 3 interfaces that can be created on a Layer 2 device, but using the Layer 3 interface of a share-vlan, which may include many sub-vlans (a sub-vlan, however, corresponds to only one share-vlan), DHCP relay forwarding can be implemented; the relay device needs to enable the option82 function at the same time. Global Mode: ip dhcp relay share-vlan <vlanid> sub-vlan <vlanlist> / no dhcp relay share-vlan: create or delete a share-vlan and its sub-vlans.
31.4 DHCP Configuration Examples
Scenario 1: to save configuration effort for network administrators and users, a company is using the switch as a DHCP server. The Admin VLAN IP address is 10.16.1.2/16. The local area network of the company is divided into networks A and B according to the office locations. The network configurations for locations A and B are shown below:
PoolA (network 10.16.1.0) | PoolB (network 10.16.2.0)
Device | IP address | Device | IP address
Default gateway | 10.16.1.200, 10.16.1.201 | Default gateway | 10.16.1.200, 10.16.1.201
WINS node type | H-node
In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned the fixed IP address 10.16.1.210 and named management.
Switch(config)# service dhcp
Switch(config)# interface vlan 1
Switch(Config-Vlan1)# ip address 10.16.1.2 255.255.0.0
Switch(Config-Vlan1)# exit
Switch(config)# ip dhcp pool A
Switch(dhcp-A-config)# network 10.1
410. r the user, the role the operator network plays between PE1 and PE2 is to provide a reliable Layer 2 link. The Dot1q-tunnel technology gives the ISP network the ability to support many client VLANs with only one VLAN of its own. Both the ISP network and the clients can configure their own VLANs independently. The dot1q-tunnel function clearly has the following characteristics: it is applicable through simple static configuration; no complex configuration or maintenance is needed. Operators only have to assign one SPVID for each user, which increases the number of concurrently supportable users, while the users have full freedom in selecting and managing their VLAN IDs (selected within 1 to 4094 at the user side). The user network is considerably independent: when the ISP network is upgraded, the user networks do not have to change their original configuration. A detailed description of the application and configuration of dot1q-tunnel is provided in this section.
20.2.2 Dot1q-tunnel Configuration
Configuration Task Sequence of Dot1q-Tunnel: 1. Configure the dot1q-tunnel function on the port. 2. Configure the global protocol type (TPID).
1. Configure the dot1q-tunnel function on the port (Port mode): dot1q-tunnel enable / no dot1q-tunnel enable: enter or exit the dot1q-tunnel mode on the port.
2. Configure the global protocol type (TPID). Command / Explanation: G
411. r with the broadcast address FF02::1:2. 2. Any DHCP server which receives the request will reply to the client with an ADVERTISE message, which includes the identity of the server (DUID) and its priority. 3. The client may receive multiple ADVERTISE messages. The client should select one and reply to it with a REQUEST message to request the address advertised in that ADVERTISE message. 4. The selected DHCPv6 server then confirms to the client the IPv6 address and any other configuration with the REPLY message. The above four steps complete a dynamic host configuration assignment process. However, if the DHCPv6 server and the DHCPv6 client are not in the same network, the server will not receive the DHCPv6 broadcast packets sent by the client; therefore no DHCPv6 packets will be sent to the client by the server. In this case a DHCPv6 relay is required to forward such DHCPv6 packets so that the DHCPv6 packet exchange can be completed between the DHCPv6 client and server. At the time this manual is written, DHCPv6 server, relay and prefix delegation client have been implemented on the switch. When the DHCPv6 relay receives any messages from the DHCPv6 client, it encapsulates the request in a Relay-forward packet and delivers it to the next DHCPv6 relay or the DHCPv6 server. The DHCPv6 messages coming from the server are encapsulated as Relay-reply packets to the DHCPv6 relay. The relay then removes the encapsulation
412. ransceiver-monitoring interval <minutes> / no transceiver-monitoring interval: monitor. The no command sets the interval back to the default of 15 minutes.
2. Configure the enable state of the transceiver monitoring (Port mode): transceiver-monitoring {enable | disable}: set whether the transceiver monitoring is enabled. Only when the port enables transceiver monitoring does the system record the abnormality state; after the port disables the function, the abnormality information is cleared.
3. Show the information of the transceiver monitoring (Admin mode and global mode): show transceiver threshold-violation interface ethernet <interface-list>: show the information of the transceiver monitoring, including the last threshold violation information, the interval of the current transceiver monitoring and whether the port enables transceiver monitoring.
4. Clear the information of the transceiver monitoring (Admin mode): clear transceiver threshold-violation interface ethernet <interface-list>: clear the threshold violation of the transceiver monitor.
16.3 Examples of DDM
Example: Ethernet 21 and Ethernet 23 have fiber modules with DDM inserted, Ethernet 24 has a fiber module without DDM inserted, and Ethernet 22 has no fiber module inserted. Show the DDM information of the fiber modules. a. Show the in
413. ration: log in to the switch with any FTP client software with the username Switch and password superuser; use the command get nos.img nos.img to download the nos.img file from the switch to the computer.
Scenario 3: the switch is used as a TFTP server. The switch operates as the TFTP server and connects from one of its ports to a computer which is a TFTP client. Transfer the nos.img file on the switch to the computer. The configuration procedure for the switch is listed below:
Switch(config)# interface vlan 1
Switch(Config-if-Vlan1)# ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)# no shut
Switch(Config-if-Vlan1)# exit
Switch(config)# tftp-server enable
Computer side configuration: log in to the switch with any TFTP client software; use the tftp command to download the nos.img file from the switch to the computer.
Scenario 4: the switch acts as an FTP client to view the file list on the FTP server. Synchronization conditions: the switch connects to a computer by an Ethernet port; the computer is an FTP server with the IP address 10.1.1.1; the switch acts as an FTP client and the IP address of the switch management VLAN 1 interface is 10.1.1.2. FTP Configuration, PC side: start the FTP server software on the PC and set the username Switch and the password superuser. Switch:
Switch(config)# interface vlan 1
Switch(Config-if-Vlan1)# ip address 10.1.1.2
414. read-view-name> write community string <write-view-name>; no snmp-server community <string> [access {<num-std> | <name>}] [ipv6-access {<ipv6-num-std> | <ipv6-name>}].
3. Configure the IP address of the SNMP management station (Global Mode): snmp-server securityip {<ipv4-address> | <ipv6-address>} / no snmp-server securityip {<ipv4-address> | <ipv6-address>}: configure an IPv4/IPv6 security address which is allowed to access the switch from the NMS; the no command deletes the configured security address. snmp-server securityip {enable | disable}: enable or disable the secure IP address check function for the NMS.
4. Configure the engine ID (Global Mode): snmp-server engineid <engine-string> / no snmp-server engineid: configure the local engine ID on the switch. This command is used for SNMP v3.
5. Configure a user (Global Mode): snmp-server user <user-string> <group-string> [{authPriv | authNoPriv} auth {md5 | sha} <word>] [access {<num-std> | <name>}] [ipv6-access {<ipv6-num-std> | <ipv6-name>}] / no snmp-server user <user-string> [access {<num-std> | <name>}] [ipv6-access {<ipv6-num-std> | <ipv6-name>}]: add a user to an SNMP group. This command is used to configure USM for SNMP v3.
6. Configure a group (Global Mode)
415. red location. Enable or disable the LLDP-MED trap: lldp med trap {enable | disable}.
Civic Address LCI address mode: {description | language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo} <address> / no {description | language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo}: configure the detailed address after entering Civic Address LCI mode.
Global mode: lldp med fast count <value> / no lldp med fast count: when the fast LLDP-MED startup mechanism is enabled, the LLDP packets carrying the LLDP-MED TLV need to be sent quickly; this command sets the number of fast-sent packets, and the no command restores the default value.
Admin mode: show the configuration of the global LLDP and LLDP-MED. show lldp interface ethernet <IFNAME>: show the configuration of LLDP and LLDP-MED on the current port. show lldp neighbors interface ethernet <IFNAME>: show the LLDP and LLDP-MED configuration of the neighbors.
17.3 LLDP-MED Example
[Figure 17-1 Basic LLDP-MED configuration topology: network connection device Switch A (Ethernet1/1), MED device, network connection device Switch B]
1. Configure Switch A:
SwitchA(config)# interface ethernet1/1
SwitchA(Config-If-Ethernet1/1)# lldp enable
SwitchA(Config-If-Ethernet1/1)# lldp
416. restores the default value.
1. Enable or disable receiving the flush packets which update the MAC address; enable or disable receiving the flush packets which delete ARP; enable or disable receiving the flush packets of mac-vlan type.
ulpp group <integer> master / no ulpp group <integer> master: configure or delete the master port of the ULPP group.
ulpp group <integer> slave / no ulpp group <integer> slave: configure or delete the slave port of the ULPP group.
Show and debug the related information of ULPP:
show ulpp group [group-id]: show the configuration information of the configured ULPP group.
show ulpp flush-counter interface {ethernet <IFNAME> | <IFNAME>}: show the statistics of the flush packets.
show ulpp flush-receive-port: show the flush type and control VLAN received by the port.
clear ulpp flush-counter interface <name>: clear the statistics of the flush packets.
debug ulpp flush {send | receive} interface <name> / no debug ulpp flush {send | receive} interface <name>: show the information of the received and sent flush packets; the no operation disables the display.
debug ulpp flush content interface <name> / no debug ulpp flush content interface <name>: show the contents of the received flush packets; the no operation disables the display.
debug ulpp error: show the
417. rface Mode: description <text> / no description: configure the description of the VLAN interface; the no command removes the description of the VLAN interface. 26.2 IP Configuration. 26.2.1 Introduction to IPv4, IPv6: IPv4 is the current version of the globally universal Internet protocol. Practice has proved that IPv4 is simple, flexible, open, stable, robust and easy to implement, while collaborating well with various protocols of the upper and lower layers. Although IPv4 has hardly changed since it was established in the 1980s, it has kept growing to the current global scale with the growth of the Internet. However, as Internet infrastructure and Internet application services continue to boom, IPv4 has shown its deficiencies when facing the present scale and complexity of the Internet. IPv6 refers to the sixth version of the Internet protocol, the next-generation Internet protocol designed by the IETF to replace the current Internet protocol version 4 (IPv4). IPv6 was specially developed to make up for the shortage of IPv4 addresses so that the Internet can develop further. The most important problem IPv6 solves is the number of IP addresses: IPv4 addresses have nearly run out, whereas the number of Internet users has been increasing geometrically. With the great and continuous growth of Internet services and application devices (Home and Small Office Networks, IP phones and Wireless Service Inf
418. rformance environment, but the security of poll mode is better than that of interrupt mode; the port-scan-mode {interrupt | poll} command can be consulted. If, with a normal configuration, a ring broadcast storm or ring block still forms, please enable the debug function of MRPP on the primary node, use the show mrpp statistics command to observe whether the states of the primary node and transfer nodes and the statistics are normal, and then send the results to our Technology Service Center.
Chapter 56 ULPP Configuration
56.1 Introduction to ULPP: each ULPP group has two uplink ports, the master port and the slave port. The port may be a physical port or a port-channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state; the other port is blocked in the Standby state. When the master port has a link problem, the master port enters the Down state and the slave port is switched to the Forwarding state.
[Figure 56-1 The using scene of ULPP: Switch A, Switch B, Switch C, Switch D]
The above figure uses a double-uplink network; this is the typical application scene of ULPP. SwitchA goes up to SwitchD through SwitchB and SwitchC; port A1 and port A2 are the uplink ports. SwitchA is configured with ULPP, in which port A1 is set as the master port and port A2 as the slave port. When port A1, in the Forwarding state, has a problem, the uplink is switched at once and port A2 enters the Forwarding state. After
419. rgtsyn [precedence <precedence>] [tos <tos>] [time-range <time-range-name>].
no {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} udp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} [s-port {<port1> | range <sPortMin> <sPortMax>}] {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: creates an extended name-based MAC-UDP access rule; the no form of the command deletes this name-based extended MAC-UDP access rule.
Creates an extended name-based access rule for the other IP protocols; the no form of the command deletes this name-based extended access rule: no {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {<source> <source-wildcard> | any-source | host-source <source-host-ip>} {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [precede
420. rol. The no form of this command globally disables destination control. All of the other configuration can only take effect after it has been globally enabled. Next, configure the destination control rules; this is similar to source control except that ACL numbers 6000 to 7999 are used. Global Configuration Mode: [no] access-list <6000-7999> {deny | permit} ip {<source> <source-wildcard> | host-source <source-host-ip> | range <2-65535> | any-source} {<destination> <destination-wildcard> | host-destination <destination-host-ip> | range <2-255> | any-destination}: the rule used to configure destination control. This rule does not take effect until it is applied to a source IP, or to a VLAN-MAC and port. The no form deletes the specified rule. The last step is to apply the rule to a specified source IP, source VLAN-MAC or specified port. Note that, because of the above, these rules can only be used globally after IGMP SNOOPING is enabled; if IGMP SNOOPING is not enabled, only the source IP rule can be used under the IGMP protocol. The configuration commands are as follows. Port Configuration Mode: [no] ip multicast destination-control: used to configure the destination control rules applied to the port; the no form
421. rol. The user-based standard control does not restrict access to limited resources, which means all users of this port can access limited resources before being authenticated. The user-based advanced control restricts access to limited resources: only some particular users of the port can access limited resources before being authenticated. Once those users pass the authentication, they can access all resources. Attention: when using private supplicant systems, user-based advanced control is recommended to effectively prevent ARP cheating. The maximum number of authenticated users can be 4000, but fewer than 2000 is preferred. 42.1.7 The Features of VLAN Allocation. 1. Auto VLAN: the Auto VLAN feature enables the RADIUS server to change the VLAN to which the access port belongs based on the user information and the user access device information. When an 802.1x user passes authentication on the server, the RADIUS server sends the authorization information to the device; if the RADIUS server has enabled the VLAN assigning function, then the following attributes should be included in the Access-Accept messages: Tunnel-Type = VLAN (13); Tunnel-Medium-Type = 802 (6); Tunnel-Private-Group-ID = VLANID. The VLANID here means the VID of the VLAN, ranging from 1 to 4094; for example, Tunnel-Private-Group-ID = 30 means VLAN 30. When the switch receives the assigned Auto VLAN information, the current Access port will leave the VLAN set by th
422. ronously. 0x0104 AC-Cookies: used to avoid malicious DoS attacks. 0x0105: the vendor identifier, used to carry other connection information; the other end's response packet will carry this tag. Table 51-1 TAG value types of PPPoE. 51.1.2.3 PPPoE Intermediate Agent vendor tag frame: the following is the format of the tag added by PPPoE IA; adding this tag is the principal function of PPPoE IA.
[Figure 51-2 PPPoE IA vendor tag (4 bytes in each row): 0x0105 Vendor-Specific TAG, TAG_LENGTH; 0x00000DE9 (3561 decimal, i.e. the ADSL Forum IANA entry); type, length, Agent Remote ID value]
The TLV tag is added as 0x0105 for PPPoE IA; TAG_LENGTH is the length field of the vendor tag; 0x00000DE9 is the ADSL Forum IANA entry, fixed at 4 bytes; 0x01 is the type field of the Agent Circuit ID, followed by its length field and the Agent Circuit ID value field; 0x02 is the type field of the Agent Remote ID, followed by its length field and the Agent Remote ID value field. PPPoE IA supplies a default circuit ID value. The default circuit ID, shown in the following figure, includes 5 fields: ANI (Access Node Identifier) can be configured by the user and its length is less than 47 bytes; if no ANI is configured, the MAC address is used by default, occupying 6 bytes, with a space symbol as separator; eth occupies 3 bytes and uses a space symbol as separator; Slot
423. rootguard: [no] spanning-tree mst <instance-id> rootguard: configure whether the current port runs spanning-tree rootguard in the specified instance; a rootguard port cannot become the root port. [no] spanning-tree rootguard: configure whether the current port runs spanning-tree rootguard in instance 0; a rootguard port cannot become the root port. [no] spanning-tree mst <instance-id> loopguard: enable the loopguard function on the specified instance; the no command disables this function.
3. Configure MSTP region parameters (Global Mode): spanning-tree mst configuration / no spanning-tree mst configuration: enter MSTP region mode; the no command restores the default setting. MSTP region mode: display the information of the currently running system. instance <instance-id> vlan <vlan-list> / no instance <instance-id> [vlan <vlan-list>]: create an instance and set the mapping between VLAN and instance. name <name> / no name: set the MSTP region name. revision-level <level> / no revision-level: set the MSTP region revision level. Quit MSTP region mode and return to Global mode without saving the MSTP region configuration. Quit MSTP region mode and return to Global mode, saving the MSTP region configuration. Cancel one command or set the initial value.
4. Configure MSTP time parameters (Global Mode): spanning-tree
424. rough port 6. Modification of configuration: 1. Set an ACL; the condition to be matched is source IP 192.168.1.111. 2. Apply the redirection based on this flow to port 1. The configuration procedure is as follows:
Switch(config)# access-list 1 permit host 192.168.1.111
Switch(config)# interface ethernet 1/1
Switch(Config-If-Ethernet1/1)# access-group 1 redirect to interface ethernet 1/6
24.4 Flow-based Redirection Troubleshooting Help: when the configuration of flow-based redirection fails, please check whether one of the following reasons is causing the problem. The type of the flow ACL can only be digital standard IP ACL, digital extended IP ACL, named standard IP ACL, named extended IP ACL, digital standard MAC ACL, digital extended MAC ACL, named standard MAC ACL, named extended MAC ACL, digital standard IPv6 ACL or named standard IPv6 ACL. Timerange and Portrange parameters cannot be set in the ACL, and the type of the ACL should be Permit. The redirection port must be a 1000Mb port in the flow-based redirection function.
Chapter 25 Flexible QinQ Configuration
25.1 Introduction to Flexible QinQ. 25.1.1 QinQ Technique: Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) inside the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through
425. rt. no monitor session <session> destination interface <interface-number>: the no command deletes the mirror destination port.
2. Specify the mirror source port or CPU (Global mode): monitor session <session> source {interface <interface-list> | cpu} {rx | tx | both} / no monitor session <session> source {interface <interface-list> | cpu}: specifies the mirror source port; the no command deletes the mirror source port.
3. Specify the flow mirror source (Global mode): monitor session <session> source interface <interface-list> access-group <num> {rx | tx | both} / no monitor session <session> source interface <interface-list> access-group <num>: specifies the flow mirror source port and applies the rule; the no command deletes the flow mirror source port.
58.3 Mirror Examples
1. Example: the configuration requirement is as follows. Monitor at interface 1 the data frames sent out by interface 9 and received from interface 7, the frames sent and received by the CPU, and the data frames received by interface 15 and matched by rule 120, whose source IP address is 1.2.3.4 and destination IP address is 5.6.7.8. Configuration guidelines: 1. Configure interface 1 to be the mirror destination interface. 2. Configure interface 7 ingress and interface 9 egress to be mirrored sources. 3. Configure the
426. rule.
- Make sure the switch has enough TCAM resource to send the binding.

Chapter 26 Layer 3 Management Configuration
The switch only supports Layer 2 forwarding, but a Layer 3 management port can be configured for the communication of all kinds of management protocols based on the IP protocol.
26.1 Layer 3 Management Interface
26.1.1 Introduction to Layer 3 Management Interface
Only one Layer 3 management interface can be created on the switch. The Layer 3 interface is not a physical interface but a virtual interface built on VLANs. The Layer 3 interface can contain one or more Layer 2 ports which belong to the same VLAN, or contain no Layer 2 ports. At least one of the Layer 2 ports contained in the Layer 3 interface should be in UP state for the Layer 3 interface to be in UP state; otherwise the Layer 3 interface will be in DOWN state. The switch can use the IP addresses set on the Layer 3 management interface to communicate with other devices via IP.
26.1.2 Layer 3 Interface Configuration Task List
1. Create Layer 3 management interface
2. Configure VLAN interface description
1. Create Layer 3 Management Interface (Global Mode):
interface vlan <vlan-id> — Creates a management VLAN interface; the no command (no interface vlan <vlan-id>) deletes the VLAN interface created in the switch.
2. Configure VLAN interface description (VLAN Inte
427. rver authentication host 10.1.1.3
Switch(config)# radius server accounting host 10.1.1.3
Switch(config)# radius server key test
Switch(config)# aaa enable
Switch(config)# aaa accounting enable
Create VLAN100:
Switch(config)# vlan 100
Enable the global 802.1x function:
Switch(config)# dot1x enable
Enable the 802.1x function on port Ethernet1/2:
Switch(config)# interface ethernet1/2
Switch(Config-If-Ethernet1/2)# dot1x enable
Set the link type of the port as access mode:
Switch(Config-If-Ethernet1/2)# switchport mode access
Set the access control mode on the port as portbased:
Switch(Config-If-Ethernet1/2)# dot1x port method portbased
Set the access control mode on the port as auto:
Switch(Config-If-Ethernet1/2)# dot1x port control auto
Set the port's Guest VLAN as 100:
Switch(Config-If-Ethernet1/2)# dot1x guest vlan 100
Switch(Config-If-Ethernet1/2)# exit
Using the command show running config or show interface ethernet1/2, users can check the configuration of the Guest VLAN. When there is no online user, no failed user authentication or no user gets offline successfully, and more authentication triggering messages (EAP-Request/Identity) are sent than the upper limit defined, users can check whether the Guest VLAN configured on the port takes effect with the command show vlan id 100.
42.3.2 Examples of IPv4 Radius Applications
[Figure 42-16 (caption truncated: "IEEE 8"): hosts 10.1.1.2 and 10.1.1.1, Radius Server 10.1.1.3]
428. [Figure 3-11 Main Web Configuration Interface: left-hand menu tree listing configuration pages such as IPv6 ACL, AM, Port channel, DHCP, DHCP Snooping, SNTP, NTP, QoS, L3 forward, Route, IPv6 Route, DCSCM, Spanning tree, MRPP, ULPP and ULSM configuration]
Note: When configuring the switch, the name of the switch is composed of English letters.
3.1.2.3 Manage the Switch via SNMP Network Management Software
The necessities required by SNMP network management software to manage switches:
1. IP addresses are configured on the switch.
2. The IP address of the client host and that of the VLAN interface on the switch it subordinates to should be in the same segment.
3. If 2 is not met, the client should be able to reach an IP address of the switch through devices like routers.
4. SNMP should be enabled.
The host with SNMP network management software should be able to ping the IP address of the switch, so that the SNMP network management software, when running, will be able to find it and implement read/write operations on it. Details about how to manage switches via SNMP network management software will not be covered in this manual; please
429. s Switch(config)#
Switch(config)# sflow agent address 10.1.144.2
Switch(config)# sflow destination 192.168.1.200
Switch(config)# sflow priority 1
Switch(config)# interface ethernet1/1
Switch(Config-If-Ethernet1/1)# sflow rate input 10000
Switch(Config-If-Ethernet1/1)# sflow rate output 10000
Switch(Config-If-Ethernet1/1)# sflow counter interval 20
Switch(Config-If-Ethernet1/1)# exit
Switch(config)# interface ethernet1/2
Switch(Config-If-Ethernet1/2)# sflow rate input 20000
Switch(Config-If-Ethernet1/2)# sflow rate output 20000
Switch(Config-If-Ethernet1/2)# sflow counter interval 40

59.4 sFlow Troubleshooting
In configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following:
- Ensure the physical connection is correct.
- Guarantee that the address of the sFlow analyzer configured under global or port mode is accessible.
- If traffic sampling is required, the sampling rate of the interface must be configured.
- If statistic sampling is required, the statistic sampling interval of the interface must be configured.
If the problem remains unsolved, please contact the technical service center of our company.

Chapter 60 RSPAN Configuration
60.1 Introduction to RSPAN
Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated
430. s switch
switch(config)#
switch(config)# ip dhcp snooping enable
switch(config)# interface ethernet 1/11
switch(Config-Ethernet1/11)# ip dhcp snooping trust
switch(Config-Ethernet1/11)# exit
switch(config)# interface ethernet 1/12
switch(Config-Ethernet1/12)# ip dhcp snooping trust
switch(Config-Ethernet1/12)# exit
switch(config)# interface ethernet 1/1-10
switch(Config-Port-Range)# ip dhcp snooping action shutdown
switch(Config-Port-Range)#

36.4 DHCP Snooping Troubleshooting Help
36.4.1 Monitor and Debug Information
The debug ip dhcp snooping command can be used to monitor the debug information.
36.4.2 DHCP Snooping Troubleshooting Help
If any problem happens when using the DHCP Snooping function, please check if the problem is caused by the following reasons:
- Check whether global DHCP Snooping is enabled.
- If the port does not react to invalid DHCP Server packets, please check whether the port is set as a non-trusted port of DHCP Snooping.

Chapter 37 DHCP Snooping Option 82 Configuration
37.1 Introduction to DHCP Snooping Option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The switch obtains DHCP request packets (including DHCPDISCOVER, DHCPREQUEST, DHCPINFORM and DHCPRELEASE); DHCP SNOOPING is added to option 82 by re
431. s allowed to transmit multicast, and the data group must be 225.1.2.3. Also, the switch connected to port Ethernet1/10 can transmit multicast data without any limit, and we can make the following configuration:
EC(config)# access list 5000 permit ip any host 225.1.2.3
EC(config)# access list 5001 permit ip any any
EC(config)# ip multicast source control
EC(config)# interface ethernet1/5
EC(Config-If-Ethernet1/5)# ip multicast source control access group 5000
EC(config)# interface ethernet1/10
EC(Config-If-Ethernet1/10)# ip multicast source control access group 5001
2. Destination Control
We want to limit users with addresses in the 10.0.0.0/8 network segment from entering the group range 238.0.0.0/8, so we can make the following configuration. First, enable IGMP snooping in the VLAN it is located in; here it is assumed to be VLAN2:
EC(config)# ip igmp snooping
EC(config)# ip igmp snooping vlan 2
After that, configure the relevant destination control access list and configure the specified IP addresses to use that access list:
Switch(config)# access list 6000 deny ip any 238.0.0.0 0.255.255.255
Switch(config)# access list 6000 permit ip any any
Switch(config)# multicast destination control
Switch(config)# ip multicast destination control 10.0.0.0/8 access group 6000
In this way, users of this network segment can only join groups other than 238.0.0.0/8.
A Multicast strategy: Server 210.1.1.1 is distributing important multicast data on group 239.1.2
432. s for communicating between the accessing device and the portal server. Global Mode:
webportal nas ip <ip-address> / no webportal nas ip — Configure the IP source address for communicating between the accessing device and the portal server.
6. Enable dhcp snooping binding web portal function. Port Mode:
ip dhcp snooping binding webportal / no ip dhcp snooping binding webportal — Enable or disable the dhcp snooping binding web portal function.
7. Delete the binding information of web portal authentication. Admin Mode:
clear webportal binding {mac WORD | interface <ethernet IFNAME | IFNAME>} — Delete the binding information of web portal authentication.

52.3 Web Portal Authentication Typical Example
[Figure 52-1 Web portal typical application scene: Internet; RADIUS server, Portal server and DHCP/DNS server (addresses 192.168.40.100 and 192.168.40.99 shown); Switch1 (192.168.40.50) with ports Ethernet1/2 to Ethernet1/6; Switch2; pc1 and pc2]
In the above figure pc1 is the end user; it has an http browser but no 802.1x authentication client. pc1 wants to access the network through web portal authentication. Switch1 is the accessing device; it configures the accounting server's address and port as the RADIUS server's IP and port and enables the accounting function
433. s forwarded according to the Multicast forward item, and the data packet will be discarded otherwise.
38.1.4 IP Multicast Application
IP Multicast technology has effectively solved the problem of sending from a single point and receiving at multiple points. It has achieved effective data transmission from one point to multiple points, saved a great deal of network bandwidth and reduced network load. Making use of the Multicast property of the network, some new value-added operations can be supplied conveniently. In Information Service areas such as online live broadcast, network TV, remote education, remote medicine and real-time video/audio meetings, the following applications may be supplied:
1. Application of Multimedia and Streaming Media
2. Data repository, finance applications (stock, etc.)
3. Any data distribution application from one point to multiple points
With more and more multimedia operations in IP networks, Multicast has tremendous market potential, and Multicast operation will be generalized and popularized.
38.2 DCSCM
38.2.1 Introduction to DCSCM
DCSCM (Destination control and source control multicast) technology mainly includes three aspects, i.e. Multicast Packet Source Controllable, Multicast User Controllable and Service-Oriented Priority Strategy Multicast. The Multicast Packet Source Controllable technology of Security Controllable Multicast technology is mainly processed in the following manners: 1. On th
434. s increased, and the support for multicast has been enhanced. By dealing with IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in the sense of function. Multicast not only saves network bandwidth but enhances network efficiency as well.
26.2.2 IP Configuration
A Layer 3 interface can be configured as an IPv4 interface or an IPv6 interface.
26.2.2.1 IPv4 Address Configuration
IPv4 address configuration task list:
1. Configure the IPv4 address of the Layer 3 interface
2. Configure the default gateway
1. Configure the IPv4 address of the Layer 3 interface (VLAN Interface Configuration Mode):
ip address <ip-address> <mask> [secondary] / no ip address <ip-address> <mask> — Configures the IP address of the VLAN interface; the no command cancels the IP address of the VLAN interface.
2. Configure the default gateway (Global Mode):
ip default gateway <A.B.C.D> / no ip default gateway <A.B.C.D> — Configures the default gateway of the route; the no command cancels the configuration.
26.2.2.2 IPv6 Address Configuration
The configuration task list of IPv6 is as follows:
1. IPv6 basic configuration
(1) Configure interface IPv6 address
(2) Configure default gateway
2. IPv6 Neighbor Discovery Configuration
(1) Configure DAD neighbor solicitation message number
(2) Config
435. s shut down manually by users or by other modules won't be reset by ULDP.

Chapter 11 LLDP Function Operation Configuration
11.1 Introduction to LLDP Function
Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them. If necessary, the ports can also send update information to the neighbor devices directly connected to them, and those neighbor devices will store the information in standard SNMP MIBs. The network management system can check the layer two connection state from the MIB. LLDP won't configure or control network elements or flows, but only reports the configuration of layer two. Another part of 802.1ab is utilizing the information provided by LLDP to find conflicts in layer two. IEEE now uses the existing physical topology, interfaces and Entity MIBs of IETF. To simplify, LLDP is a neighbor discovery protocol. It defines a standard method for Ethernet devices such as switches, routers and WLAN access points to notify their existence to other nodes in the network and to store the discovery information of all neighbor devices. For example, the detailed information of the device configuration and discovery can both use this protocol to advertise. Specifically, LLDP defines a general advertisement information set, a transportation advertisement pro
436. sceiver, use the multi-mode fiber cable with one side being the male duplex LC connector type.
> To connect to a 1000Base-LX SFP transceiver, use the single-mode fiber cable with one side being the male duplex LC connector type.
Connecting the fiber cable:
1. Attach the duplex LC connector to the network cable.
2. Connect the other end of the cable to a device (switches with SFP installed, fiber NIC on a workstation or a media converter).
3. Check the LNK/ACT LED of the SFP slot on the front of the Managed Switch. Ensure that the SFP transceiver is operating correctly.
100Base-FX
Before connecting to other switches, workstations or media converters:
1. Make sure both sides of the SFP transceiver are of the same media type or WDM pair, for example 100Base-FX to 100Base-FX, 100Base-BX20-U to 100Base-BX20-D.
2. Check the fiber optic cable type that matches the SFP transceiver model:
> To connect to an MFB-FX SFP transceiver, use the multi-mode fiber cable with one side being the male duplex LC connector type.
> To connect to an MFB-F20/F40/F60/FA20/FB20 SFP transceiver, use the single-mode fiber cable with one side being the male duplex LC connector type.
Connecting the fiber cable:
1. Attach the duplex LC connector on the network cable into the SFP transceiver.
2. Connect the other end of the cable to a device (switches with SFP installed, fiber NIC on a workstation or a media converter).
3. Check the LNK/ACT LED of
438. sers: DSCP10 will be packed with an external tag 1001. This tag is unique in the public network; entering the Broad Band Network, DSCP10 is classified to the BRAS device, while DSCP20 or DSCP30 will be packed with an external VLAN tag 2001 or 3001 and classified to the SR device according to the flow rules. The second user can be assigned different DSCPs in DSLAM2. Notice: The assigned DSCP of the second user may be the same as the first user's, and the DSCP value will also be packed with an external tag. In the above figure the external tag of the second user is different from the first user's, for distinguishing the DSLAM location and finally locating the user. The configuration follows. If the data flow of DSLAM1 enters the switch's downlink port1, the configuration is as follows:
Switch(config)# class map c1
Switch(config-classmap-c1)# match ip dscp 10
Switch(config-classmap-c1)# exit
Switch(config)# class map c2
Switch(config-classmap-c2)# match ip dscp 20
Switch(config-classmap-c2)# exit
Switch(config)# class map c3
Switch(config-classmap-c3)# match ip dscp 30
Switch(config-classmap-c3)# exit
Switch(config)# policy map p1
Switch(config-policymap-p1)# class c1
Switch(config-policymap-p1-class-c1)# set s vid 1001
Switch(config-policymap-p1)# class c2
Switch(config-policymap-p1-class-c2)# set s vid 2001
Switch(config-policymap-p1)# class c3
Switch(config-policymap-p1-class-c3)# set s vid 3001
Switch(config-policymap-p1-class-c3)# exit
Sw
440. site, it needn't know the IPv4/IPv6 address of the sina Website; all it needs is to record the domain name of the sina Website, www.sina.com.cn. The DNS server can resolve the IPv4/IPv6 address of this domain name and send it to the switch; then the switch can visit the sina Website correctly. The switch is configured as a DNS client; the basic configurations are as follows: first enable the DNS dynamic domain name resolution function on the switch and configure the DNS server address; then, with tools such as PING, the switch can get the corresponding IPv4/IPv6 address with the dynamic domain name resolution function.
[Figure 65-2 DNS SERVER typical environment: SWITCH; DNS SERVER IP 219.240.250.101, IPv6 2001::1]
The figure above is an application of DNS SERVER. Under some circumstances the client PC doesn't know the real DNS SERVER and points to the switch instead. The switch plays the role of a DNS SERVER in two steps: enable the global DNS SERVER function, and configure the IP address of the real DNS server. After the DNS SERVER function is globally enabled, the switch will look up its local cache when receiving a DNS request from a client PC. If there is a domain needed by the local client, it will directly answer the client's request; otherwise the switch will relay the request to the real DNS server, pass the reply from the DNS Server to the client, and record the domain and its IP address for a faster lookup in the future. S
441. snmp server group <group-string> {noauthnopriv | authnopriv | authpriv} [read <read-string>] [write <write-string>] [notify <notify-string>] [access {<num-std> | <name>}] [ipv6 access {<ipv6-num-std> | <ipv6-name>}] / no snmp server group <group-string> {noauthnopriv | authnopriv | authpriv} [access {<num-std> | <name>}] [ipv6 access {<ipv6-num-std> | <ipv6-name>}] — Set the group information on the switch. This command is used to configure VACM for SNMP v3.
7. Configure view (Global Mode):
snmp server view <view-string> <oid-string> {include | exclude} / no snmp server view <view-string> <oid-string> — Configure a view on the switch. This command is used for SNMP v3.
8. Configuring TRAP (Global Mode):
snmp server enable traps / no snmp server enable traps
snmp server host {<host-ipv4-address> | <host-ipv6-address>} {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <user-string> / no snmp server host {<host-ipv4-address> | <host-ipv6-address>} {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <user-string>
snmp server trap source {<ipv4-address> | <ipv6-address>} / no snmp server trap source {<ipv4-address> | <ipv6-address>}
Enable the switch to send Trap messages. This command is used for S
9. Enable/Disable RMON
442. source mac | host source mac <host_smac> | <smac> <smac-mask>} {any destination mac | host destination mac <host_dmac> | <dmac> <dmac-mask>} tagged 802.3 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] — Creates a name-based extended MAC access rule matching tagged 802.3 frames; the no form command deletes this name-based extended MAC access rule.
c. Exit ACL Configuration Mode (Extended name-based MAC access configure Mode):
exit — Quit the extended name-based MAC access configure mode.
8. Configuring a numbered extended MAC-IP access list (Global mode):
access list <num> {deny | permit} {any source mac | host source mac <host_smac> | <smac> <smac-mask>} {any destination mac | host destination mac <host_dmac> | <dmac> <dmac-mask>} icmp {<source> <source-wildcard> | any source | host source <source-host-ip>} {<destination> <destination-wildcard> | any destination | host destination <destination-host-ip>} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time range <time-range-name>] — Creates a numbered mac-icmp extended mac-ip access rule; if the numbered extended access list of the specified number does not exist, an access list will be created using this number.
acce
443. Creates an extended name-based MAC access rule matching MAC frames; the no form command deletes this name-based extended MAC access rule.
[no] {deny | permit} {any source mac | host source mac <host_smac> | <smac> <smac-mask>} {any destination mac | host destination mac <host_dmac> | <dmac> <dmac-mask>} untagged eth2 [ethertype <protocol> [<protocol-mask>]] — Creates an extended name-based MAC access rule matching untagged Ethernet 2 frames; the no form command deletes this name-based extended MAC access rule.
[no] {deny | permit} {any source mac | host source mac <host_smac> | <smac> <smac-mask>} {any destination mac | host destination mac <host_dmac> | <dmac> <dmac-mask>} untagged 802.3 — Creates a name-based extended MAC access rule matching 802.3 frames; the no form command deletes this name-based extended MAC access rule.
[no] {deny | permit} {any source mac | host source mac <host_smac> | <smac> <smac-mask>} {any destination mac | host destination mac <host_dmac> | <dmac> <dmac-mask>} tagged eth2 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]] — Creates a name-based extended MAC access rule matching tagged Ethernet 2 frames; the no form command deletes this name-based extended MAC access rule.
[no] {deny | permit} {any source mac | host
444. ss list <num> {deny | permit} {any source mac | host source mac <host_smac> | <smac> <smac-mask>} {any destination mac | host destination mac <host_dmac> | <dmac> <dmac-mask>} igmp {<source> <source-wildcard> | any source | host source <source-host-ip>} {<destination> <destination-wildcard> | any destination | host destination <destination-host-ip>} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time range <time-range-name>] — Creates a numbered mac-igmp extended mac-ip access rule; if the numbered extended access list of the specified number does not exist, an access list will be created using this number.
access list <num> {deny | permit} {any source mac | host source mac <host_smac> | <smac> <smac-mask>} {any destination mac | host destination mac <host_dmac> | <dmac> <dmac-mask>} tcp {<source> <source-wildcard> | any source | host source <source-host-ip>} [s port <port> | range <sPortMin> <sPortMax>] {<destination> <destination-wildcard> | any destination | host destination <destination-host-ip>} [d port <port3> | range <dPortMin> <dPortMax>] [ack | fin | psh | rst | urg | syn] [precedence <precedence>] [tos <tos>] [time range <time-range-name>]
access list <num> {deny | permit} {any source mac | host source
445. ssful DOS attacks. Limiting the MAC/ARP/ND list entries can prevent DOS attacks. On port 1/1 of SWITCH A, set the maximum number that can be learnt of dynamic MAC addresses as 20, dynamic ARP addresses as 20 and NEIGHBOR list entries as 10. In VLAN 1, set the maximum number of dynamic MAC addresses as 30, dynamic ARP addresses as 30 and NEIGHBOR list entries as 20.
SWITCH A configuration task sequence:
Switch(config)# interface ethernet 1/1
Switch(Config-If-Ethernet1/1)# switchport mac address dynamic maximum 20
Switch(Config-If-Ethernet1/1)# switchport arp dynamic maximum 20
Switch(Config-If-Ethernet1/1)# switchport nd dynamic maximum 10
Switch(Config-if-Vlan1)# vlan mac address dynamic maximum 30

43.4 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help
The number limitation function of MAC and IP in Port, VLAN is disabled by default; if users need to limit the number of users accessing the network, they can enable it. If the number limitation function of MAC address can not be configured, please check whether Spanning tree, dot1x or TRUNK is running on the switch and whether the port is configured as a MAC binding port. The number limitation function of MAC address is mutually exclusive with these configurations, so if users need to enable the number limitation function of MAC address on the port, they should check that the functions mentioned above are disabled on this port. If all the configurations are normal af
446. ssigns DNS address, domain name and other configuration information but does not assign an IPv6 address; it can solve the shortcoming of IPv6 auto address configuration in non-state mode. DHCPv6 can provide the extended function of DHCPv6 prefix delegation: an upstream router can assign an address prefix to a downstream router automatically, which achieves IPv6 address auto-assignment across levels of the network environment and resolves the problem of ISP and IPv6 network deployment. There are three entities in the DHCPv6 protocol: the client, the relay and the server. The DHCPv6 protocol is based on the UDP protocol. The DHCPv6 client sends request messages to the DHCP server or DHCP relay with destination port 547, and the DHCPv6 server and relay send reply messages with destination port 546. The DHCPv6 client sends solicit or request messages to the multicast address ff02::1:2 for DHCP relays and servers.
[Figure 32-1 DHCPv6 negotiation: Solicit (multicast), Advertise (unicast), Request (multicast), Reply (unicast) between DHCPv6 CLIENT and DHCPv6 SERVER]
When a DHCPv6 client tries to request an IPv6 address and other configurations from the DHCPv6 server, the client has to find the location of the DHCP server and then request configurations from the DHCP server. 1. While locating the server, the DHCP client tries to find a DHCPv6 server by broadcasting a SOLICIT packet to all the DHCP relay delegations and serve
447. st-ip> | any source} {<destination> <destination-wildcard> | host destination <destination-host-ip> | any destination} — The rule does not take effect until it is applied to a specified port. Using the NO form of it can delete the specified rule.
The last step is to apply the configured rule to the specified port. Note: If the rules being configured occupy the table entries of hardware, configuring too many rules will result in configuration failure caused by the bottom table entries being full, so we suggest users use the simplest rules possible. The configuration rules are as follows (Port Configuration Mode):
ip multicast source control access group <5000-5099> / no ip multicast source control access group <5000-5099> — Used to apply the rules that source control uses to the port; the NO form cancels the configuration.
2. Destination Control Configuration
Like source control configuration, destination control configuration also has three steps. First, enable destination control globally. Since destination control needs to prevent unauthorized users from receiving multicast data, the switch won't broadcast the multicast data it receives after global destination control is configured. Therefore, connecting two or more other Layer 3 switches in the same VLAN on a switch on which destination control is enabled should be avoided. The configuration commands are as follows (Global Configuration Mode): Globally enable destination cont
448. st membership reports (a message). IGMP Snooping is also referred to as IGMP listening. The switch prevents multicast traffic from flooding through IGMP Snooping: multicast traffic is forwarded to ports associated with multicast devices only. The switch listens to the IGMP messages between the multicast router and hosts, maintains the multicast group forwarding table based on the listening result, and can then decide to forward multicast packets according to the forwarding table. The switch provides IGMP Snooping and is able to send a query from the switch, so that the user can use the switch in IP multicast.
38.3.2 IGMP Snooping Configuration Task List
1. Enable IGMP Snooping
2. Configure IGMP Snooping
1. Enable IGMP Snooping (Global Mode):
ip igmp snooping / no ip igmp snooping — Enables IGMP Snooping; the no operation disables the IGMP Snooping function.
2. Configure IGMP Snooping (Global Mode):
ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id> — Enables IGMP Snooping for the specified VLAN; the no operation disables IGMP Snooping for the specified VLAN.
ip igmp snooping proxy / no ip igmp snooping proxy — Enables the IGMP Snooping proxy function; the no command disables the function.
ip igmp snooping vlan <vlan-id> limit {group <g_limit> | source <s_limit>} — Configures the max group count of the VLAN and the max source count of every group. The no command (no ip igmp snooping
449. st packets.
ntp ipv6 multicast client / no ntp ipv6 multicast client — To configure the specified interface to receive IPv6 NTP multicast packets.
8. To configure that some interface can't receive NTP packets (VLAN Configuration Mode):
ntp disable / no ntp disable — To disable the NTP function.
9. Display information (Admin Mode):
show ntp status — To display the state of time synchronization.
show ntp session [<ip-address> | <ipv6-address>] — To display the information of NTP sessions.
10. Debug (Admin Mode):
debug ntp authentication / no debug ntp authentication — To enable the debug switch of NTP authentication.
debug ntp packets [send | receive] / no debug ntp packets [send | receive] — To enable the debug switch of NTP packet information.
debug ntp adjust / no debug ntp adjust — To enable the debug switch of time update information.
debug ntp sync / no debug ntp sync — To enable the debug switch of time synchronization information.
debug ntp events / no debug ntp events — To enable the debug switch of NTP event information.

63.3 Typical Examples of NTP Function
A client switch wants to synchronize time with a time server in the network. There are two time servers in the network: one is used as the host, the other is used as standby. The connection and configuration are as follows. Switch A and Switch B are switches or routers which support the NTP server.
[Figure residue: Switch A, IP 192.168.1.11 ...]
stributed time servers and clients, it can get millisecond precision. The introduction of event, state, transmit function and action are defined in RFC 1305. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network, so that the devices can provide diverse applications based on the consistent time. For a local system running NTP, its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks; systems can also synchronize each other by transmitting NTP packets.

63.2 NTP Function Configuration Task List
1. To enable NTP function
2. To configure NTP server function
3. To configure the max number of broadcast or multicast servers supported by the NTP client
4. To configure time zone
5. To configure NTP access control list
6. To configure NTP authentication
7. To specify some interface as NTP broadcast/multicast client interface
8. To configure some interface can't receive NTP packets
9. Display information
10. Debug

1. To enable NTP function (Global Mode)
ntp enable / ntp disable: To enable or disable the NTP function.

2. To configure NTP server function (Global Mode)
ntp server {<ip-address> | <ipv6-address>} [version <version_no>] [key <key-id>] / no ntp server {<ip-address> | <ipv6-address>}: To enable the specified time server of time. Source
swer packets.
Length field (2 octets): The length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes.
Authenticator field (16 octets): used for validation of the packets received from the RADIUS server, or it can be used to carry encrypted passwords. This field falls into two kinds: the Request Authenticator and the Response Authenticator.
Attribute field: used to carry detailed information about AAA. An Attribute value is formed by Type, Length and Value fields.
Type field (1 octet): the type of the attribute value, which is shown below.

Type / Type of property:
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
13 Framed-Compression
14 Login-IP-Host
18 Reply-Message
19 Callback-Number
20 Callback-Id
22 Framed-Route
23 Framed-IPX-Network
24 State
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
35 Login-LAT-Node
36 Login-LAT-Group
39 Framed-AppleTalk-Zone
40-59 reserved for accounting
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
47-175 unassigned

Length field (1 octet): the length in octets of the attribute, including Type, Length and Value fields.
Value field
switch as 2004:1:2:3::2 and connect the switch, through any interface except interface 1/2, to the RADIUS authentication server. Configure the IP address of the RADIUS server to be 2004:1:2:3::3. Use the default ports 1812 and 1813 for authentication and accounting respectively. Install the IEEE 802.1x authentication client software on the computer and use the client for IEEE 802.1x authentication. The detailed configurations are listed below:

Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2004:1:2:3::2/64
Switch(Config-if-Vlan1)#exit
Switch(config)#radius-server authentication host 2004:1:2:3::3
Switch(config)#radius-server accounting host 2004:1:2:3::3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#dot1x enable
Switch(Config-If-Ethernet1/2)#dot1x port-control auto
Switch(Config-If-Ethernet1/2)#exit

42.4 802.1x Troubleshooting
It is possible that 802.1x is configured on ports and 802.1x authentication is set to auto, yet the switch port can't reach the authenticated state after the user runs the 802.1x supplicant software. Here are some possible causes and solutions:
If 802.1x cannot be enabled for a port, make sure the port is not executing MAC binding or configured as a port aggregation. To enable the 802.1x authentication, the above
syslog information to the Log Server.
The Encryption of Private Messages: The communication between the switch and the inner network security management system TrustView uses private messages, and the users can encrypt those messages of version 2.
Add authentication option82 Function: It is used with the dot1x dhcpoption82 authentication mode. Different option 82 will be added in DHCP messages according to the user's authentication status.

36.2 DHCP Snooping Configuration Task Sequence
1. Enable DHCP Snooping
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping option82 function
4. Set the private packet version
5. Set DES encrypted key for private packets
6. Set helper server address
7. Set trusted ports
8. Enable DHCP Snooping binding DOT1X function
9. Enable DHCP Snooping binding USER function
10. Adding static list entries function
11. Set defense actions
12. Set rate limitation of DHCP messages
13. Enable the debug switch
14. Configure DHCP Snooping option 82 attributes

1. Enable DHCP Snooping (Global mode)
ip dhcp snooping enable / no ip dhcp snooping enable: Enable or disable the DHCP snooping function.

2. Enable DHCP Snooping binding (Global mode)
ip dhcp snooping binding enable / no ip dhcp snooping binding enable: Enable or disable the DHCP snooping binding function.

3. Enable DHCP Snooping binding ARP function (Global mode)
t
5. Configure the IP address of the RADIUS NAS (Global Mode)
radius nas-ipv4 <ip-address> / no radius nas-ipv4: To configure the source IP address for the RADIUS packets of the switch.
radius nas-ipv6 <ipv6-address> / no radius nas-ipv6: To configure the source IPv6 address for the RADIUS packets of the switch.

47.3 RADIUS Typical Examples
47.3.1 IPv4 Radius Example
Figure 47-2 The Topology of IEEE802.1x configuration (switch 10.1.1.2, 10.1.1.1, Radius Server 10.1.1.3)
A computer connects to a switch whose IP address is 10.1.1.2, and the switch is connected to a RADIUS authentication server on an interface other than Ethernet1/2. The IP address of the server is 10.1.1.3; the authentication port defaults to 1812 and the accounting port defaults to 1813. Configuration steps are as below:

Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable

47.3.2 IPv6 Radius Example
Figure 47-3 The Topology of IPv6 Radius configuration (switch 2004:1:2:3::2, 2004:1:2:3::1, Radius Server 2004:1:2:3::3)
A computer connects to a switch whose IP address is 2004:1:2:3::2, and the switch is connected to a RADIUS authe
t channel, but it can not be a member port of a port channel, and each port only belongs to one ULSM group.
The uplink port is the monitored port of the ULSM group. When all uplink ports are down or there is no uplink port in the ULSM group, the ULSM group state is down; the ULSM group state is up as long as one uplink port is up. The downlink port is the controlled port: its state changes along with the Up/Down of the ULSM group and is always the same as the ULSM group state.
ULSM associates with ULPP to enable the downstream device to perceive a link problem of the upstream device and process it correctly. As the picture illustrates, SwitchA configures ULPP; here the traffic is forwarded by port A1. If the link between SwitchB and SwitchD has a problem, SwitchA can not perceive the problem of the upstream link and continues to forward the traffic from port A1, causing traffic loss. Configuring ULSM on SwitchB can solve the above problem. The steps are: set port B5 as the uplink port of the ULSM group and port B6 as the downlink port. When the link between SwitchB and SwitchD has a problem, both the downlink port B6 and the state of the ULSM group are down. This causes SwitchA, on which ULPP is configured, to process an uplink switchover and avoid dropped data.
Figure 57-1 ULSM using scene (SwitchA, SwitchB, SwitchC, SwitchD)

57.2 ULSM Configuration Task List
1. Create ULSM group globally
2. Configure ULSM group
3. Show
t is the Last Mile
Figure 14-2 Typical OAM application topology (Customer, Service Provider; 802.3ah Ethernet in the First Mile; CE, PE, 802.3ah OAMPDU)

14.2 EFM OAM Configuration
EFM OAM configuration task list:
1. Enable EFM OAM function of port
2. Configure link monitor
3. Configure remote failure
Note: OAM must be enabled first when configuring OAM parameters.

1. Enable EFM OAM function of port (Port mode)
ethernet-oam mode {active | passive}: Configure the work mode of EFM OAM; the default is active mode.
ethernet-oam / no ethernet-oam: Enable EFM OAM of the port; the no command disables EFM OAM of the port.
ethernet-oam period <seconds> / no ethernet-oam period: Configure the transmission period of OAMPDU (optional); the no command restores the default value.
ethernet-oam timeout <seconds> / no ethernet-oam timeout: Configure the timeout of the EFM OAM connection; the no command restores the default value.

2. Configure link monitor (Port mode)
ethernet-oam link-monitor / no ethernet-oam link-monitor: Enable link monitor of EFM OAM; the no command disables link monitor.
ethernet-oam errored-symbol-period threshold low <low-symbols> window <seconds>: Configure the low threshold and window period of the errored symbol period event; the no com
t prec transmit <ip_precedence_value>
set cos transmit <cos_value>
set internal-priority <inp_value>
set Drop-Precedence <dp_value>
no policy

accounting / no accounting: Set the statistic function for the classified traffic. After enabling this function under policy class-map mode, the statistic function is added to the traffic of the policy class-map. In single-bucket mode the messages can only be red or green when passing the policy; when printing the information, in-profile means green and out-profile means red. In dual-bucket mode there are three colors of messages (green, yellow, red): in-profile means green, out-profile means red and yellow.

Policy class-map configuration mode:
drop / no drop, transmit / no transmit: Drop or transmit the traffic that matches the class; the no command cancels the assigned action.

3. Apply QoS to port or VLAN interface (Interface Configuration Mode)
mls qos trust dscp / no mls qos trust dscp: Configure port trust; the no command disables the current trust status of the port.
mls qos cos <default-cos> / no mls qos cos: Configure the default CoS value of the port; the no command restores the default setting.
service-policy input <policy-map-name> / no service-policy input [<policy-map-name>]: Apply a policy map to the specified port; the no command deletes the specified policy map applied to the port or deletes all the poli
t the running mode
2. Configure instance parameters
3. Configure MSTP region parameters
4. Configure MSTP time parameters
5. Configure the fast migrate feature for MSTP
6. Configure the format of port packet
7. Configure the spanning-tree attribute of port
8. Configure the snooping attribute of authentication key
9. Configure the FLUSH mode once topology changes

1. Enable MSTP and set the running mode
Global Mode and Port Mode:
spanning-tree / no spanning-tree: Enable/Disable MSTP.
Global Mode:
spanning-tree mode {mstp | stp | rstp} / no spanning-tree mode: Set MSTP running mode.
Port Mode:
spanning-tree mcheck: Force the port to migrate to run under MSTP.

2. Configure instance parameters
Global Mode:
spanning-tree mst <instance-id> priority <bridge-priority> / no spanning-tree mst <instance-id> priority: Set bridge priority for the specified instance.
spanning-tree priority <bridge-priority> / no spanning-tree priority: Configure the spanning-tree priority of the switch.
Port Mode:
spanning-tree mst <instance-id> cost <cost> / no spanning-tree mst <instance-id> cost: Set port path cost for the specified instance.
spanning-tree mst <instance-id> port-priority <port-priority> / no spanning-tree mst <instance-id> port-priority: Set port priority for the specified instance.
spanning-tree mst <instance-id>: Configure whether the current port is running
t without processing; keep mode means that the system will keep the original option 82 segment in the message and forward it to the server to process; replace mode means that the system will replace the option 82 segment in the existing message with its own option 82 and forward the message to the server to process. The no ip dhcp relay information policy command will set the retransmitting policy of the option 82 DHCP message as replace.
This command is used to set the format of the option 82 sub-option1 (Circuit ID option) added to the DHCP request messages from the interface. standard means the standard VLAN name and physical port name format, like Vlan2+Ethernet1/12; <circuit-id> is the circuit id content of option 82 specified by users, which is a string no longer than 64 characters. The no ip dhcp relay information option subscriber-id command will set the format of the added option 82 sub-option1 (Circuit ID option) as the standard format.
Set the sub-option2 (remote ID option) content of option 82 added to DHCP request packets received by the interface. The no command sets the format of the added sub-option2 (remote ID option) of option 82 as standard.

3. Enable the DHCP option 82 of server (Global mode)
ip dhcp server relay information enable / no ip dhcp server relay information enable: This command is used to enable the switch DHCP server to identify option82. The no ip dh
t1x guest-vlan; the no command is used to delete the guest vlan.
dot1x portbased mode single-mode / no dot1x portbased mode single-mode: Set the single mode based on the portbased authentication mode; the no command disables this function.

3. Configure expanded 802.1x function (Global Mode)
dot1x macfilter enable / no dot1x macfilter enable: Enables the 802.1x address filter function in the switch; the no command disables the 802.1x address filter function.
dot1x macbased port-down-flush / no dot1x macbased port-down-flush: When this command is enabled and the dot1x certification port goes down, the users who passed the certification of the port are deleted according to MAC; the no command does not perform the flush operation when the port goes down.
dot1x accept-mac <mac-address> [interface <interface-name>] / no dot1x accept-mac <mac-address> [interface <interface-name>]: Adds an 802.1x address filter table entry; the no command deletes 802.1x filter address table entries.
dot1x eapor enable / no dot1x eapor enable: Enables the EAP relay authentication function in the switch; the no command sets EAP local end authentication.

4. Configure IPv6 passthrough function of the port (Port Mode)
dot1x ipv6 passthrough / no dot1x ipv6 passthrough: Enables the IPv6 passthrough function of global mode on a switch, only applicable when the access control mode is userbased; the no operation of this command will disable the f
ta can get it directly from the network. Both modes waste a great deal of valuable bandwidth resource, and furthermore Broadcast mode goes against security and secrecy. The emergence of IP Multicast technology solved this problem in time. The Multicast source only sends out the message once; the Multicast Routing Protocol sets up tree routing for the Multicast data packet, and then the transferred packet only starts to be duplicated and distributed at the branching points, as far as possible. Thus the packet can be sent to every user who needs it accurately and effectively.
It should be noticed that it is not necessary for the Multicast source to join the Multicast group. It sends data to some Multicast groups but is not necessarily a receiver of the group itself. There can be more than one source sending packets to a Multicast group simultaneously. There may exist routers in the network which do not support Multicast, but a Multicast router can encapsulate the Multicast packets into Unicast IP packets in tunnel mode to send them to the next Multicast router, which will take off the Unicast IP header and continue the Multicast transmission process; thus a big alteration of the network structure is avoided.
The primary advantages of Multicast are:
1. Enhance efficiency: reduce network traffic, lighten the load of server and CPU.
2. Optimize performance: reduce redundant traffic.
3. Distributed application: enable Multipoint Application.
tch(Config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/1-2
Switch(Config-Vlan10)#exit
Switch(Config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 10
Switch(Config-Mstp-Region)#exit
Switch(Config)#ulpp group 1
Switch(ulpp-group-1)#protect vlan-reference-instance 1
Switch(ulpp-group-1)#control vlan 10
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#ulpp group 1 master
Switch(config-If-Ethernet1/1)#exit
Switch(Config)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#ulpp group 1 slave
Switch(config-If-Ethernet1/2)#exit

SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/1
Switch(Config-Vlan10)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#ulpp flush enable mac
Switch(config-If-Ethernet1/1)#ulpp flush enable arp
Switch(config-If-Ethernet1/1)#ulpp control vlan 10

SwitchC configuration task list:
Switch(Config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/2
Switch(Config-Vlan10)#exit
Switch(Config)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#ulpp flush enable mac
Switch(config-If-Ethernet1/2)#ulpp flush enable arp
Switch(config-If-Ethernet1/2)#ulpp control vlan 10

56.3.2 ULPP Typical Example 2
Figure 56-4 ULPP typical examp (SwitchA, SwitchB, SwitchC, SwitchD; E1/1, E1/2; Vlan 1-100, Vlan 101-200)
tch(Config-If-Ethernet1/11)#exit
Switch(config)#

Switch B:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchport interface ethernet 1/2-4
Switch(Config-Vlan2)#exit
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/5-7
Switch(Config-Vlan100)#exit
Switch(config)#vlan 200
Switch(Config-Vlan200)#switchport interface ethernet 1/8-10
Switch(Config-Vlan200)#exit
Switch(config)#interface ethernet 1/11
Switch(Config-If-Ethernet1/11)#switchport mode trunk
Switch(Config-If-Ethernet1/11)#exit

20.1.4 Typical Application of Hybrid Port
Scenario:
Figure 20-3 Typical Application of Hybrid Port (SwitchA, SwitchB, PC1, PC2)
PC1 connects to the interface Ethernet 1/7 of SwitchB; PC2 connects to the interface Ethernet 1/9 of SwitchB; Ethernet 1/10 of SwitchA connects to Ethernet 1/10 of SwitchB. It is required that PC1 and PC2 can not access each other for security reasons, but PC1 and PC2 can access other network resources through the gateway SwitchA. We can implement this through the Hybrid port. Configuration items are as follows:
Port 1/10 of SwitchA: Access, VLAN 10. Allow the packets of VLAN 10 to pass with untag method.
Port 1/10 of SwitchB: Hybrid, VLAN 10. Allow the packets of VLAN 7, 9, 10 to pass with untag method.
The configuration steps are listed below:
tch(mrpp-ring-4000)#control vlan 4000
Switch(mrpp-ring-4000)#fail-timer 18
Switch(mrpp-ring-4000)#hello-timer 5
Switch(mrpp-ring-4000)#node-mode master
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#

SWITCH B configuration Task Sequence
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#

SWITCH C configuration Task Sequence
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/1
Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/1)#interface ethernet 1/2
Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/2)#exit
Switch(Config)#

SWIT
tch1Vlan1Class1
Now the DHCP server will allocate addresses for the network nodes from Switch1 within the range of 192.168.102.51 to 192.168.102.80.

37.4 DHCP Snooping Option 82 Troubleshooting
To implement the option 82 function of DHCP SNOOPING, the debug ip dhcp snooping packet command can be used during the operating procedure, including adding the option 82 information to the request message and the option 82 information peeled from the reply message.

Chapter 38 IPv4 Multicast Protocol
38.1 IPv4 Multicast Protocol Overview
This chapter will give an introduction to the configuration of IPv4 Multicast Protocol.

38.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet (including data, sound and video transmission) is a minority of users in the network. One way is to use Unicast mode, i.e. to set up a separate data transmission path for each user, or to use Broadcast mode, which is to send messages to all users in the network, and they will receive the Broadcast messages whether they need them or not. For example, if there are 200 users in a network who want to receive the same packet, then the traditional solution is to send this packet 200 times separately via Unicast to guarantee the users who need the data can get all the data wanted, or to send the data in the entire domain via Broadcast, transferring the data in the whole range of the network. The users who need these da
tdormpool-config)#class CLASS1
SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#address range 2001:da8:100:1::3 2001:da8:100:1::30
SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#class CLASS2
SwitchB(dhcpv6-pool-eastdormpool-class-class2-config)#address range 2001:da8:100:1::31 2001:da8:100:1::60
SwitchB(dhcpv6-eastdormpool-config)#class CLASS3
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#address range 2001:da8:100:1::61 2001:da8:100:1::100
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(config)#

35.3.2 DHCPv6 Relay option37/38 Example
Example 1:
When deploying an IPv6 campus network, the DHCPv6 server function of the routing device can be used for IPv6 address allocation if a special server is used for uniform allocation and management of IPv6 addresses. The DHCPv6 server supports both stateful and stateless DHCPv6.
Network topology: In the access layer, the layer 2 access device Switch1 connects users in the dormitory; in the first-level aggregation layer, the aggregation device Switch2 is used as the DHCPv6 relay agent; in the second-level aggregation layer, the aggregation device Switch3 is used as the DHCPv6 server and connects with the backbone network or devices in a higher aggregat
te the command or keyword if there is no conflict.

3.2.4 Help Function
There are two ways in the Switch for the user to access help information: the help command and the ? key.

Access to Help / Usage and function:
help: Under any command line prompt, type in help and press Enter to get a brief description of the associated help system.
?: Under any command line prompt, enter ? to get a command list of the current mode and related brief descriptions. Enter a ? after the command keyword with an embedded space: if the position should be a parameter, a description of that parameter (type, scope, etc.) will be returned; if the position should be a keyword, then a set of keywords with brief descriptions will be returned; if the output is <cr>, then the command is complete, press Enter to run the command. A ? immediately following a string will display all the commands that begin with that string.

3.2.5 Input Verification
3.2.5.1 Returned Information: Success
All commands entered through keyboards undergo syntax check by the Shell. Nothing will be returned if the user entered a correct command under the corresponding mode and the execution is successful.

Returned Information: Error
Output error message / Explanation:
Unrecognized command or illegal parameter: error in parameter scope, type or format.
Ambiguous command: At least two interpretations are possible based on the current input.
Invalid command or parameter: The comman
ter 67 Reload Switch after Specified Time
67.1 Introduction to Reload Switch after Specified Time
Reload switch after specified time is to reboot the switch without shutting down its power after a specified period of time, usually when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version is updated successfully.

67.2 Reload Switch after Specified Time Task List
1. Reload switch after specified time (Admin mode)
reload after {<HH:MM:SS> | days <days>}: Reload the switch after the specified time period.
reload cancel: Cancel the specified time period to reload the switch.

Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU
68.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU
The following commands are used to debug and diagnose the packets received and sent by the CPU, and are supposed to be used with the help of technical support.

68.2 Debugging and Diagnosis for Packets Received and Sent by CPU Task List (Global Mode)
cpu-rx-ratelimit protocol <protocol-type> <packets> / no cpu-rx-ratelimit protocol <protocol-type>: Set the max rate of the CPU receiving packets of the protocol type; the no command sets the max rate to the default.
clear cpu-rx-stat protocol <protocol-type>: Clear the statistics of the CPU received packets of the protoco
ter enabling the number limitation function of MAC and IP in Port/VLAN, users can use debug commands to debug every limitation, check the details of number limitations and judge whether the number limitation function is correct. If there is any problem, please send the result to the technical service center.

Chapter 44 Operational Configuration of AM Function
44.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP message, it will compare the information extracted from the message (such as source IP address, or source MAC-IP address) with the configured hardware address pool. If there is an entry in the address pool matching the information (source IP address, or source MAC-IP address), the message will be forwarded; otherwise it is dropped.
The reason why source IP based AM should be supplemented by source MAC-IP based AM is that the IP address of a host might change. Only with a bound IP can users change the IP of the host into a forwarding IP and hence enable the messages from the host to be forwarded by the switch. Given the fact that MAC-IP can be exclusively bound with a host, it is necessary to make MAC-IP bound with a host for the purpose of preventing users from maliciously modifying the host IP to forward messages from their hosts via the switch.
With the interface-bound attribute of AM, network managers can bind the IP (MAC-IP) address of a legal user to a specified interface. After that, only the
tering of packets compares packet conditions to the rules from the first rule to the first matched rule; the rest of the rules will not be processed.
Global default action applies only to IP packets in the incoming direction on the ports.
Global default action applies only when packet filter is enabled on a port and no ACL is bound to that port, or no binding ACL matches.

41.2 ACL Configuration Task List
ACL Configuration Task Sequence:
1. Configuring access list
(1) Configuring a numbered standard IP access list
(2) Configuring a numbered extended IP access list
(3) Configuring a standard IP access list based on nomenclature
a. Create a standard IP access list based on nomenclature
b. Specify multiple permit or deny rule entries
c. Exit ACL Configuration Mode
(4) Configuring an extended IP access list based on nomenclature
a. Create an extended IP access list based on nomenclature
b. Specify multiple permit or deny rule entries
c. Exit ACL Configuration Mode
(5) Configuring a numbered standard MAC access list
(6) Configuring a numbered extended MAC access list
(7) Configuring an extended MAC access list based on nomenclature
a. Create an extended MAC access list based on nomenclature
b. Specify multiple permit or deny rule entries
c. Exit ACL Configuration Mode
(8) Configuring a numbered extended MAC-IP access list
(9) Configuring an extended MAC-IP access list based on nomenclature
a. Create an e
th of Jumbo frames, they will not be sent to the CPU. We discard the Jumbo frames sent to the CPU in the packet receiving process.

13.2 MTU Configuration Task Sequence
1. Configure/enable MTU function

1. Configure/enable MTU function (Global Mode)
mtu [<mtu-value>] / no mtu: Configure the MTU size of JUMBO frames and enable the receiving/sending function of JUMBO frames; the no command disables the sending and receiving function of MTU frames.

Chapter 14 EFM OAM Configuration
14.1 Introduction to EFM OAM
Ethernet was designed for the Local Area Network at the beginning, but link length and network scope have been extended rapidly while Ethernet is also applied to the Metropolitan Area Network and Wide Area Network along with development. Due to the lack of an effective management mechanism, Ethernet application to the Metropolitan Area Network and Wide Area Network is affected; implementing OAM on Ethernet becomes a necessary development trend.
There are four protocol standards about Ethernet OAM: 802.3ah (EFM OAM), 802.1ag (CFM), E-LMI and Y.1731. EFM OAM and CFM are set by the IEEE organization. EFM OAM works in the data link layer to validly discover and manage the data link status of the bottom layer. Using EFM OAM can effectively advance management and maintenance for Ethernet to ensure stable network operation. CFM is used for monitoring the whole network connectivity and locating faults in the access aggregation network laye
th the traditional RSPAN, ERSPAN configuration is simpler, and it makes the monitored traffic be transmitted in the specified tunnel.
To be noticed:
1. The monitor source of ERSPAN monitor only supports port monitor; it does not support CPU monitor and flow monitor presently.
2. For the source and destination switches in the ERSPAN connections, a tunnel must exist.
3. When configuring the remote mirror function, the network bandwidth should be considered in order to carry the network flow and the mirrored flow.
Keywords: ERSPAN (Encapsulated Remote Switched Port Analyzer).

61.2 ERSPAN Configuration Task List
1. Specify mirror source port (Global Mode)
monitor session <session> source interface <interface-list> {rx | tx | both} / no monitor session <session> source interface <interface-list>: Specify the mirror source port; the no command deletes the mirror source port.

2. Specify mirror destination tunnel (Global Mode)
monitor session <session> destination tunnel <tunnel-number> / no monitor session <session> destination tunnel <tunnel-number>: Specify the mirror destination tunnel; the no command deletes the mirror destination tunnel.

3. Appoint the mirror destination; the destination can be the physical port or the tunnel (Global Mode)
monitor session <session> destination tunnel interfac
474. the above figure, PC1 is a DHCP client that obtains its address through DHCP. Switch1 is a Layer 2 access device with the DHCP Relay and option 82 functions enabled. Ethernet1/2 is an access port belonging to vlan3; Ethernet1/3 is a trunk port connecting to the DHCP server. The DHCP server address is 192.168.40.199. Switch1 creates vlan1 and interface vlan1, configures the IP address of interface vlan1 as 192.168.40.50, configures the DHCP Relay forwarding address as 192.168.40.199, and configures vlan3 as a sub-vlan of vlan1. The configuration is as follows:
switch(config)#vlan 1
switch(config)#vlan 3
switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#switchport access vlan 3
switch(config)#interface ethernet 1/3
Switch(Config-If-Ethernet1/3)#switchport mode trunk
switch(config)#service dhcp
switch(config)#ip forward-protocol udp bootps
switch(config)#ip dhcp relay share-vlan 1 sub-vlan 3
switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
switch(config)#ip dhcp relay information option
switch(config-if-vlan1)#ip helper-address 192.168.40.199

31.5 DHCP Troubleshooting
If DHCP clients cannot obtain IP addresses and other network parameters, the following procedures can be followed once the DHCP client hardware and cables have been verified OK:
- Verify the DHCP server is running; start the related DHCP server if it is not running.
- In such a case the DHCP server should be examined for an address pool that is in the same segment o
475. the backbone network of the ISP internet, to provide a simple Layer 2 tunnel for users. It is simple and easy to manage, applicable only by static configuration, and especially suited to small office networks or small metropolitan area networks using a Layer 3 switch as backbone equipment. There are two kinds of QinQ: basic QinQ and flexible QinQ. The priority of flexible QinQ is higher than that of basic QinQ.

25.1.2 Basic QinQ
Basic QinQ is port based. After a port is configured with QinQ, the device adds the default VLAN tag to every received packet, whether or not the packet already carries a tag. Basic QinQ is simple to use, but the method of setting the VLAN tag is inflexible.

25.1.3 Flexible QinQ
Flexible QinQ is data-flow based. It selects whether to add an outer tag, and which outer tag to add, by matching the traffic flow. For example, flexible QinQ can be applied according to the user's VLAN tag, MAC address, IPv4/IPv6 address, IPv4/IPv6 protocol, the port ID of the application, etc. It can thus encapsulate the outer tag for the packet and implement different schemes for different users or methods.

25.1.4 Flexible QinQ Configuration Task List
The matching of flexible QinQ data flows uses the policy-map rules of QoS; the configuration task list is as follows:
1. Create a class-map to classify different data flows.
2. Create a flexible QinQ policy-map to associate with the class-map and set the corresponding operation.
3.
476. the switch, assuming all ports belong to the default VLAN.
3. PC3 and PC4 on port 1/12 receive the message sent by PC1, but PC4 will not reply, as the destination MAC address is 00-01-33-33-33-33; only PC3 will reply to PC1. When port 1/12 receives the message sent by PC3, a mapping entry for MAC address 00-01-33-33-33-33 and port 1/12 is added to the MAC table.
4. Now the MAC table has two dynamic entries: MAC address 00-01-11-11-11-11 on port 1/5 and 00-01-33-33-33-33 on port 1/12.
5. After the communication between PC1 and PC3, the switch does not receive any message sent from PC1 or PC3, and the MAC address mapping entries in the MAC table are deleted in 300 to 2*300 seconds, i.e. in single to double aging time. The 300 seconds here is the default aging time for MAC address entries in the switch. The aging time can be modified in the switch.

21.1.2 Forward or Filter
The switch will forward or filter received data frames according to the MAC table. Take the above figure as an example, assuming the switch has learnt the MAC addresses of PC1 and PC3 and the user has manually configured the mapping of PC2 and PC4 to ports. The MAC table of the switch will be:
MAC Address / Port / Entry added by
00-01-11-11-11-11 / dynamic learning
00-01-22-22-22-22 / static configuration
00-01-33-33-33-33 / 1/12 / dynamic learning
00-01-44-44-44-44 / 1/12 / static configuration
1. Forward data according to the MAC table. If PC1 sends a message to PC3, the switch w
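The learn/forward/filter and aging behaviour described above, as an added example that is not part of the guide: a small Python model of the MAC table. The port names, the third port "1/20" and the port assigned to PC2's static entry are constructed for illustration; the aging model runs a scan every aging-time seconds, which is why an idle dynamic entry survives between one and two aging times.

```python
"""Added example (not from the WGSW-52040 guide): a model of the switch MAC
address table showing source learning, forward/filter decisions, static vs.
dynamic entries, and deletion after 1x..2x the aging time.
MAC addresses and port names are constructed for illustration."""
from dataclasses import dataclass

AGING_TIME = 300  # seconds; the default MAC entry aging time in the text


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float  # time of the last frame seen from this source MAC


class MacTable:
    def __init__(self, ports, aging_time=AGING_TIME):
        self.ports = list(ports)
        self.aging_time = aging_time
        self.table: dict[str, Entry] = {}
        self.last_scan = 0.0  # time of the last aging scan

    def add_static(self, mac, port):
        """Manually configured entry: never overwritten by learning, never aged."""
        self.table[mac] = Entry(port, True, 0.0)

    def receive(self, src_mac, dst_mac, in_port, now):
        """Process one frame and return the list of egress ports ([] = filtered)."""
        # Learning: a dynamic entry follows the station; a static one is kept.
        e = self.table.get(src_mac)
        if e is None or not e.static:
            self.table[src_mac] = Entry(in_port, False, now)
        self.age(now)
        dst = self.table.get(dst_mac)
        if dst is None:
            # Unknown unicast: flood to every port except the ingress port.
            return [p for p in self.ports if p != in_port]
        if dst.port == in_port:
            return []  # filter: destination sits behind the port the frame came from
        return [dst.port]

    def age(self, now):
        """Run every aging scan that is due. An entry is removed at the first
        scan at which it has been idle for at least aging_time, so an idle
        dynamic entry lives between aging_time and 2*aging_time."""
        while self.last_scan + self.aging_time <= now:
            self.last_scan += self.aging_time
            for mac, e in list(self.table.items()):
                if not e.static and self.last_scan - e.last_seen >= self.aging_time:
                    del self.table[mac]

    def dynamic_macs(self):
        return sorted(m for m, e in self.table.items() if not e.static)


if __name__ == "__main__":
    t = MacTable(["1/5", "1/12", "1/20"])
    t.add_static("00-01-22-22-22-22", "1/5")    # PC2 (constructed port)
    t.add_static("00-01-44-44-44-44", "1/12")   # PC4
    print(t.receive("00-01-11-11-11-11", "00-01-33-33-33-33", "1/5", 10))   # flood
    print(t.receive("00-01-33-33-33-33", "00-01-11-11-11-11", "1/12", 11))  # ['1/5']
    print(t.receive("00-01-44-44-44-44", "00-01-33-33-33-33", "1/12", 12))  # [] (filtered)
    t.age(600)
    print(t.dynamic_macs())  # dynamic entries aged out
```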
477. ting Protocol. 224.0.1.0 to 238.255.255.255 are multicast addresses available to users (temporary group addresses) and are valid in the entire domain of the network. 239.0.0.0 to 239.255.255.255 are local management multicast addresses, which are valid only in a specific local domain. Frequently used reserved multicast addresses are listed as follows:
224.0.0.0 Benchmark address (reserved)
224.0.0.1 Address of all hosts
224.0.0.2 Address of all multicast routers
224.0.0.3 Unassigned
224.0.0.4 DVMRP routers
224.0.0.5 OSPF routers
224.0.0.6 OSPF DR
224.0.0.7 ST routers
224.0.0.8 ST hosts
224.0.0.9 RIP-2 routers
224.0.0.10 IGRP routers
224.0.0.11 Active agents
224.0.0.12 DHCP server/relay agent
224.0.0.13 All PIM routers
224.0.0.14 RSVP encapsulation
224.0.0.15 All CBT routers
224.0.0.16 Specified SBM
224.0.0.17 All SBMs
224.0.0.18 VRRP
224.0.0.22 IGMP
When Ethernet transmits unicast IP packets, the destination MAC address it uses is the receiver's MAC address. But when transmitting multicast packets, the destination is no longer a specific receiver but a group with uncertain members, so a multicast MAC address is used. A multicast MAC address corresponds to a multicast IP address. IANA (Internet Assigned Numbers Authority) prescribes that the higher 25 bits of the multicast MAC address are 0x01005e (the 24-bit prefix followed by a 0 bit), and the lower 23 bits of the MAC address are the lower 23 bits of the multicast IP address. Since only 23 of the lower 28 bits of the IP
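The IANA multicast IP-to-MAC mapping described above, as an added example that is not part of the guide. It also shows the consequence of copying only 23 of the 28 variable bits: 32 different group addresses share one MAC, which is why IGMP snooping and host filtering must still check the IP header. The group addresses used are constructed for illustration.

```python
"""Added example (not from the WGSW-52040 guide): map an IPv4 multicast group
to its Ethernet multicast MAC (01-00-5e prefix + 0 bit + low 23 bits of the IP)
and enumerate the 32 groups that collide on the same MAC.
Sample group addresses are constructed for illustration."""
import ipaddress

MCAST_MAC_PREFIX = 0x01005E  # 24-bit prefix; the next bit is always 0 -> 25 fixed bits


def multicast_ip_to_mac(ip: str) -> str:
    """Return the Ethernet multicast MAC (xx-xx-xx-xx-xx-xx) for an IPv4 group."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:  # only 224.0.0.0/4 has a multicast MAC mapping
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF            # the 23 IP bits that are copied
    mac = (MCAST_MAC_PREFIX << 24) | low23  # 25 fixed bits + 23 copied bits
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(ip: str):
    """All 32 IPv4 multicast groups that map onto the same MAC as `ip`.

    IP bits 23..27 (the low 4 bits of the first octet and the high bit of the
    second octet) are dropped by the mapping, so 2**5 groups collide.
    """
    base = int(ipaddress.IPv4Address(ip)) & ~(0x1F << 23)
    return [str(ipaddress.IPv4Address(base | (i << 23))) for i in range(32)]


if __name__ == "__main__":
    for group in ("224.0.0.5", "224.0.0.22", "239.1.2.3", "225.1.2.3"):
        print(group, "->", multicast_ip_to_mac(group))
    collisions = groups_sharing_mac("224.0.0.5")
    print(len(collisions), "groups map to", multicast_ip_to_mac("224.0.0.5"), collisions[:4], "...")
```

Note that 239.1.2.3 and 225.1.2.3 produce the same frame-level destination; a switch doing IGMP snooping on that MAC alone cannot tell the two groups apart.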
478. tion (Admin Mode)
debug mrpp / no debug mrpp: Enable the output of MRPP module debug information; the no command disables MRPP debug information output.
show mrpp <ring-id>: Display MRPP ring configuration information.
show mrpp statistics <ring-id>: Display received data packet statistics of the MRPP ring.
clear mrpp statistics <ring-id>: Clear received data packet statistics of the MRPP ring.

55.3 MRPP Typical Scenario
[Figure 55-2 MRPP typical configuration scenario: SWITCH A (master node), SWITCH B, SWITCH C and SWITCH D connected through ports E1 and E2 into MRPP Ring 4000]
The above topology often occurs when using the MRPP protocol. Multiple switches constitute a single MRPP ring; all of the switches are configured with only MRPP ring 4000, thereby constituting a single MRPP ring. In the above configuration, SWITCH A is the primary node of MRPP ring 4000 and configures E1/1 as the primary port and E1/2 as the secondary port. The other switches are secondary nodes of the MRPP ring and configure their primary and secondary ports separately. To avoid a loop, one of the ports of the primary node should be temporarily disabled while each MRPP ring in the whole MRPP ring is enabled; after all of the nodes are configured, open the port. When disabling the MRPP ring, ensure that the MRPP ring does not form a loop.
SWITCH A configuration task sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Swi
479. tion is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs continuously to keep the Ethernet OAM connection valid. If an Ethernet OAM entity receives no Information OAMPDU for five seconds, the Ethernet OAM connection is disconnected.
2. Link Monitoring
Fault detection in an Ethernet is difficult, especially when the physical connection in the network is not broken but network performance is degrading gradually. Link monitoring is used to detect and discover link faults in various environments. EFM OAM implements link monitoring through the exchange of Event Notification OAMPDUs. When detecting a link error event, the local OAM entity sends an Event Notification OAMPDU to notify the remote OAM entity. At the same time it logs the information and sends an SNMP trap to the network management system. When the OAM entity on the other side receives the notification, it also logs and reports it. With the log information, network administrators can keep track of network status in time. The link events monitored by EFM OAM are the following error events: Errored Symbol Period Event, Errored Frame Event, Errored Frame Period Event and Errored Frame Seconds Event.
Errored Symbol Period Event: the number of errored symbols can not be less than the low threshold. Symbol: the minimum data transmission unit of the physical medium. It is specific to the coding system; the symbols may be different for different physical medi
480. to a new one.
9. The copy operation of files (Admin Configuration Mode)
copy <source-file-url> <dest-file-url>: Copy a designated file on the switch and store it as a new one.

5.3 Typical Applications
Copy an IMG file flash:/nos.img stored in the FLASH on the board card to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows:
Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y/N] y
Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img

5.4 Troubleshooting
If errors occur when users try to implement file system operations, please check whether they are caused by the following reasons:
- Whether file names or paths are entered correctly.
- When renaming a file, whether it is in use or the new file name is already used by an existing file or directory.

Chapter 6 Cluster Configuration

6.1 Introduction to cluster network management
Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config, which implement direct management of the target switches through a management workstation, cluster network management implements management of the target switches (member switches) through an intermediate switch (commander switch). A commander switch can manage multiple member switches. As soon as a public IP address is configured on the commander switch, all the member switches which are con
481. tocol) and TFTP (Trivial File Transfer Protocol) are both file transfer protocols belonging to the fourth layer (application layer) of the TCP/IP protocol stack, used for transferring files between hosts, and between hosts and switches. Both of them transfer files in a client/server model. Their differences are listed below.
FTP builds upon TCP to provide a reliable, connection-oriented data stream transfer service. However, it does not provide file access authorization and uses a simple authentication mechanism (the username and password are transferred in plain text for authentication). When using FTP to transfer files, two connections need to be established between the client and the server: a management connection and a data connection. A transfer request is sent by the FTP client to establish the management connection on port 21 of the server, and a data connection is negotiated through the management connection. There are two types of data connections: active connection and passive connection. In an active connection, the client transmits its address and port number for data transmission to the server; the management connection is maintained until the data transfer is complete. Then, using the address and port number provided by the client, the server establishes the data connection from port 20 (if not engaged) to transfer data; if port 20 is engaged, the server automatically generates some other port number to establish the data connection. In a passive connection, the client, through the manageme
482. tocol and a method to store the received advertisement information. A device advertising its own information can put multiple pieces of advertisement information in one LAN data packet for transport. The transport format is the type-length-value (TLV) field. All devices supporting LLDP have to support device ID and port ID advertisement, but it is assumed that most devices should also support system name, system description and system performance advertisement. System name and system description advertisement can also provide useful information for collecting network flow data. System description advertisement can include data such as the full name of the advertising device, the hardware type of the system, the version information of the software operating system, and so on. 802.1AB Link Layer Discovery Protocol makes searching for problems in an enterprise network an easier process and can strengthen the ability of network management tools to discover and maintain an accurate network topology structure.
Many kinds of network management software use an automated discovery function to trace changes and the condition of the topology, but most of them can reach Layer 3 and classify the devices into IP subnets at best. This kind of data is very primitive, only referring to basic events like the adding and removing of related devices instead of details about where and how these devices operate within the network. Layer 2 discovery covers in
483. translation, as one can tell from the name, translates the original VLAN ID to a new VLAN ID according to the user's requirements, so as to exchange data across different VLANs. VLAN translation supports ingress translation, switching over the VLAN ID at the ingress. The application and configuration of VLAN translation will be explained in detail in this section.

20.4.2 VLAN translation Configuration
Configuration task sequence of VLAN translation:
1. Configure the VLAN translation function on the port
2. Configure the VLAN translation relations on the port
3. Configure whether the packet is dropped when the VLAN translation check fails
4. Show the related configuration of VLAN translation

1. Configure the VLAN translation of the port (Port mode)
vlan-translation enable / no vlan-translation enable: Enter/exit the port VLAN translation mode.
2. Configure the VLAN translation relation of the port (Global/Port mode)
vlan-translation <old-vlan-id> to <new-vlan-id> in / no vlan-translation <old-vlan-id> in: Add/delete a VLAN translation relation.
3. Configure whether the packet is dropped when the VLAN translation check fails (Port mode)
vlan-translation miss drop {in | out | both} / no vlan-translation miss drop {in | out | both}: Configure whether a packet is dropped on the port if VLAN translation fails.
4. Show the related configuration of
484. trusted ports; Configure trusted IP; Configure automatic recovery time; Display relative information of debug information and ARP scanning.
1. Enable the ARP Scanning Prevention function (Global configuration mode)
anti-arpscan enable / no anti-arpscan enable: Enable or disable the ARP Scanning Prevention function globally.
2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention (Global configuration mode)
anti-arpscan port-based threshold <threshold-value> / no anti-arpscan port-based threshold: Set the threshold of the port-based ARP Scanning Prevention.
anti-arpscan ip-based threshold <threshold-value> / no anti-arpscan ip-based threshold: Set the threshold of the IP-based ARP Scanning Prevention.
3. Configure trusted ports (Port configuration mode)
anti-arpscan trust <port | supertrust-port> / no anti-arpscan trust <port | supertrust-port>: Set the trust attributes of the ports.
4. Configure trusted IP (Global configuration mode)
anti-arpscan trust ip <ip-address> <netmask> / no anti-arpscan trust ip <ip-address> <netmask>: Set the trust attributes of IP.
5. Configure automatic recovery time (Global configuration mode)
anti-arpscan recovery enable / no anti-arpscan recovery enable: Enable or disable the automatic recover
485. tunnel.
1. Configure the tunnel MAC address globally (Global mode)
bpdu-tunnel dmac <mac> / no bpdu-tunnel dmac: Configure or cancel the tunnel MAC address globally.
2. Configure the port to support the tunnel (Port mode)
bpdu-tunnel {stp | gvrp | uldp | lacp | dot1x} / no bpdu-tunnel {stp | gvrp | uldp | lacp | dot1x}: Enable the port to support the tunnel; the no command disables the function.

18.3 Examples of bpdu-tunnel
Special lines are used in a service provider network to build user-specific Layer 2 networks. As a result, a user network is broken down into parts located at different sides of the service provider network. As shown in the figure, User A has two devices, CE 1 and CE 2, and both devices belong to the same VLAN. The user's network is divided into network 1 and network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot pass through the service provider network, the user's network cannot perform independent Layer 2 protocol calculation (for example, spanning tree calculation), so the two parts affect each other.
[Figure 18-2 BPDU Tunnel application environment: User A network 1 (VLAN 100) and User A network 2 (VLAN 100) connected through the ISP network]
With BPDU Tunnel, Layer 2 protocol packets from the user's networks can be passed through the service provider network in the following work flow:
1. After receiving a Layer 2 protocol packet from network
486. two authentication methods, both started by the supplicant system.

42.1.5.1 EAP Relay Mode
EAP relay is specified in the IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, making sure that extended authentication protocol messages can reach the authentication server through complicated networks. In general, EAP relay requires the RADIUS server to support the EAP attributes EAP-Message and Message-Authenticator. EAP is a widely used authentication framework for transmitting the actual authentication protocol rather than a special authentication mechanism. EAP provides some common functions and allows the authentication mechanisms to be negotiated; these are called EAP Methods. The advantage of EAP lies in the fact that the EAP mechanism, working as a base, needs no adjustment when a new authentication protocol appears. The following figure illustrates the protocol stack of the EAP authentication method.
[Figure 42-8 The Protocol Stack of the EAP Authentication Method]
By now, more than 50 EAP authentication methods have been developed, differing in the authentication mechanism and the management of keys. The 4 most common EAP authentication methods are listed as follows:
- EAP-MD5
- EAP-TLS (Transport Layer Security)
- EAP-TTLS (Tunneled Transport Layer Security)
- PEAP (Protected Extensible Authentication Protocol)
They will be described in detail in the following part.
487. ty features make the WGSW-52040 perform effective data traffic control for ISP and enterprise VoIP, video streaming and multicast applications.

Abundant IPv6 Support
The WGSW-52040 provides IPv6 management and enterprise-level security features such as SSH, ACL, WRR and RADIUS authentication, besides its IPv4 protocol support. Supporting IPv6 management features while remaining backward compatible with IPv4, the WGSW-52040 helps enterprises step into the IPv6 era with the lowest investment. Besides, you do not need to replace the network facilities when the IPv6 FTTx edge network is built.

High Performance
The WGSW-52040 provides 48 10/100/1000Mbps Gigabit Ethernet ports with 4 Gigabit SFP slots. It boasts a high-performance switch architecture that is capable of providing a non-blocking switch fabric and wire-speed throughput as high as 104Gbps, which greatly simplifies the task of upgrading the LAN to cater to increasing bandwidth demands.

Robust Layer 2 Features
The WGSW-52040 can be programmed for basic switch management functions such as port speed configuration, port aggregation, VLAN, Spanning Tree Protocol, WRR bandwidth control and IGMP Snooping. The WGSW-52040 provides 802.1Q Tagged VLAN, Q-in-Q, voice VLAN and the GVRP protocol. The number of VLAN groups allowed on the WGSW-52040 is up to 256. By supporting port aggregation, the WGSW-52040 allows the operation of a high-speed trunk combining multiple ports. It enables u
488. type (Global mode)
vacl ip access-group <1-299 | WORD> {in | out} traffic-statistic vlan WORD / no vacl ip access-group <1-299 | WORD> {in | out} vlan WORD: Configure or delete an IP VLAN ACL. Egress filtering is not supported by the switch.
2. Configure VLAN ACL of MAC type (Global mode)
vacl mac access-group <700-1199 | WORD> {in | out} traffic-statistic vlan WORD / no vacl mac access-group <700-1199 | WORD> {in | out} vlan WORD: Configure or delete a MAC VLAN ACL. Egress filtering is not supported by the switch.
3. Configure VLAN ACL of MAC-IP type (Global mode)
vacl mac-ip access-group <3100-3299 | WORD> {in | out} traffic-statistic vlan WORD / no vacl mac-ip access-group <3100-3299 | WORD> {in | out} vlan WORD: Configure or delete a MAC-IP VLAN ACL. Egress filtering is not supported by the switch.
4. Configure VLAN ACL of IPv6 type (Global mode)
vacl ipv6 access-group <500-699 | WORD> {in | out} traffic-statistic vlan WORD / no ipv6 access-group <500-699 | WORD> {in | out} vlan WORD: Configure or delete an IPv6 VLAN ACL. Egress filtering is not supported by the switch. This switch only supports the IPv6 standard ACL.
5. Show configuration and statistic information of VLAN ACL (Admin mode)
show vacl {in | out}: Show the configuration and the statistic
489. ubnet-mask> vlan <vlan-id> priority <priority-id> / no subnet-vlan ip-address <ipv4-address> mask <subnet-mask> | all: the specified IP subnet joins/leaves the specified VLAN.
6. Configure the correspondence between the Protocols and the VLAN (Global Mode)
protocol-vlan mode {ethernetii etype <etype-id> | llc dsap <dsap-id> ssap <ssap-id> | snap etype <etype-id>} vlan <vlan-id> priority <priority-id> / no protocol-vlan mode {ethernetii etype <etype-id> | llc dsap <dsap-id> ssap <ssap-id> | snap etype <etype-id>} | all: Add/delete the correspondence between the protocols and the VLAN, namely the specified protocol joins/leaves the specified VLAN.
7. Adjust the priority of the dynamic VLAN (Global Mode)
dynamic-vlan mac-vlan prefer / dynamic-vlan subnet-vlan prefer: Configure the priority of the dynamic VLAN.

20.6.3 Typical Application of the Dynamic VLAN
Scenario: In the office network, Department A belongs to VLAN100. Several members of this department often need to move within the whole office network. It is also required to ensure that other members of the department can access the resources of VLAN 100. Assume one of the members is M, and the MAC address of his PC is 00-03-0f-11-22-33. When M moves to VLAN200 or VLAN300, the port connecting M is configured in Hybrid mode and belongs to VLAN100
490. ulticast VLAN with several VLANs.
multicast-vlan association <vlan-list> / no multicast-vlan association <vlan-list>: Associate the multicast VLAN with several VLANs. The no form of this command deletes the related VLANs associated with the multicast VLAN.
multicast-vlan association interface {ethernet | port-channel} IFNAME / no multicast-vlan association interface {ethernet | port-channel} IFNAME: Associate the specified port with the multicast VLAN so the associated ports are able to receive the multicast flow. The no command cancels the association between the ports and the multicast VLAN.
2. Configure the IGMP Snooping (Global Mode)
ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id>: Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables IGMP Snooping on the multicast VLAN.
ip igmp snooping / no ip igmp snooping: Enable the IGMP Snooping function. The no form of this command disables the IGMP Snooping function.
3. Configure the MLD Snooping
ipv6 mld snooping vlan <vlan-id> / no ipv6 mld snooping vlan <vlan-id>: Enable MLD Snooping on the multicast VLAN; the no form of this command disables MLD Snooping on the multicast VLAN.
ipv6 mld snooping / no ipv6 mld snooping: Enable the MLD Snooping function. The no form of this command disables the MLD Snooping function.

40.3 Multicast VLAN Examples
[Figure: SWITCH A and SWITCH C, ports E1/10 and E1/15]
491. ums; symbol rate means the number of changes of electrical state per second.
Errored Frame Period Event: specifying N as the frame period, the number of errored frames within the period of receiving N frames can not be less than the low threshold. Errored frame: a received frame detected as errored by CRC.
Errored Frame Event: the number of errored frames detected over M seconds can not be less than the low threshold.
Errored Frame Seconds Event: the number of errored frame seconds detected over M seconds can not be less than the low threshold. Errored frame second: a second in which at least one errored frame is received.
3. Remote Fault Detection
In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer. As Information OAMPDUs are exchanged continuously across established OAM connections, an Ethernet OAM entity can inform its OAM peer of link faults through Information OAMPDUs. Therefore the network administrator can keep track of link status in time through the log information and troubleshoot in time. There are three kinds of link faults for Information OAMPDUs: Critical Event, Dying Gasp and Link Fault. Their definitions differ for each manufacturer; here the definitions are as below:
Critical Event: the EFM OAM function of the port is disabled.
Link Fault: the number of unidirectional oper
492. unction.
3. Supplicant related property configuration (Global Mode)
dot1x max-req <count> / no dot1x max-req: Sets the number of EAP request/MD5 frames to be sent before the switch re-initiates authentication on no supplicant response; the no command restores the default setting.
dot1x re-authentication / no dot1x re-authentication: Enables periodical supplicant re-authentication; the no command disables this function.
dot1x timeout quiet-period <seconds> / no dot1x timeout quiet-period: Sets the time to keep silent on port authentication failure; the no command restores the default value.
dot1x timeout re-authperiod <seconds> / no dot1x timeout re-authperiod: Sets the supplicant re-authentication interval; the no command restores the default setting.
dot1x timeout tx-period <seconds> / no dot1x timeout tx-period: Sets the interval for the supplicant to re-transmit the EAP request/identity frame; the no command restores the default setting.
dot1x re-authenticate no-wait-timeout interface <interface-name>: Enables IEEE 802.1x re-authentication (without waiting for the timeout) for all ports or a specified port.

42.3 802.1x Application Example

42.3.1 Examples of Guest Vlan Applications
[Figure 42-13 The Network Topology of Guest VLAN: Update server and Authenticator server on Ethernet1/3 (VLAN10), Ethernet1/6 (VLAN5), Ethernet1/2 (VLAN100), switch]
Notes in the fig
493. ure send neighbor solicitation message interval
3. Configure static IPv6 neighbor entries
4. Delete all entries in the IPv6 neighbor table

1. IPv6 Basic Configuration
(1) Configure interface IPv6 address (Interface Configuration Mode)
ipv6 address <ipv6-address/prefix-length> eui-64 / no ipv6 address <ipv6-address/prefix-length>: Configure an IPv6 address, including aggregatable global unicast addresses, site-local addresses and link-local addresses. The no ipv6 address <ipv6-address/prefix-length> command cancels the IPv6 address.
(2) Configure default gateway (Global Mode)
ipv6 default-gateway <X:X::X:X> / no ipv6 default-gateway <X:X::X:X>: Configure the IPv6 default gateway of the router. The no command cancels the configuration.
2. IPv6 Neighbor Discovery Configuration
(1) Configure DAD Neighbor Solicitation Message number (Interface Configuration Mode)
ipv6 nd dad attempts <value> / no ipv6 nd dad attempts: Set the number of neighbor query messages sent in sequence when the interface performs duplicate address detection. The no command resumes the default value, 1.
(2) Configure Send Neighbor Solicitation Message Interval (Interface Configuration Mode)
ipv6 nd ns-interval <seconds> / no ipv6 nd ns-interval: Set the interval of the interface to send neighbor query messages. The no command resumes the d
494. ure the port is not enabled for port aggregation and is not configured as a Trunk port. MAC address binding is exclusive of such configurations. If MAC address binding is to be enabled, the functions mentioned above must be disabled first.
- If a secure address is set as a static address and then deleted, that secure address will be unusable even though it exists. For this reason it is recommended to avoid static addresses on ports enabling MAC address binding.

21.6 MAC Notification Configuration

21.6.1 Introduction to MAC Notification
The MAC Notification function depends on notification of adding or removing a MAC address; namely, when a device is added or removed, the administrator is notified of the change through the SNMP trap function.

21.6.2 MAC Notification Configuration
MAC notification configuration task list:
1. Configure the global SNMP MAC notification
2. Configure the global MAC notification
3. Configure the interval for sending MAC notifications
4. Configure the size of the history table
5. Configure the trap type of MAC notification supported by the port
6. Show the configuration and the data of MAC notification
7. Clear the statistics of MAC notification traps

1. Configure the global SNMP MAC notification (Global mode)
snmp-server enable traps mac-notification / no snmp-server enable traps mac-notification: Configure or cancel the global SNMP MAC notification.
2. Configure the glob
495. ures in this session, E2 means Ethernet1/2, E3 means Ethernet1/3 and E6 means Ethernet1/6. As shown in the next figure, a switch accesses the network using 802.1x authentication with a RADIUS server as its authentication server. Ethernet1/2, the port through which the user accesses the switch, belongs to VLAN100; the authentication server is in VLAN2; the Update Server, being in VLAN10, is for the user to download and update supplicant system software; Ethernet1/6, the port used by the switch to access the Internet, is in VLAN5.
[Figure 42-14 User Joining Guest VLAN: Update server and Authenticator server on Ethernet1/3 (VLAN10), Ethernet1/6 (VLAN5), switch]
As illustrated in the above figure, on switch port Ethernet1/2 the 802.1x feature is enabled and VLAN10 is set as the port's Guest VLAN. Before the user gets authenticated, or when the user fails to do so, port Ethernet1/2 is added into VLAN10, allowing the user to access the Update Server.
[Figure 42-15 User Being Online, VLAN Being Offline: Update server and Authenticator server on Ethernet1/3 (VLAN10)]
As illustrated in the above figure, when the user becomes online after a successful authentication, the authentication server will assign VLAN5, which puts the user and Ethernet1/6 both in VLAN5, allowing the user to access the Internet.
The following are the configuration steps:
Configure RADIUS server:
Switch(config)#radius-se
496. urity detection to the terminal.

52.2 Web Portal Authentication Configuration Task List
1. Enable/disable web portal authentication globally (required)
2. Enable/disable web portal authentication of the port (required)
3. Configure the max web portal binding number allowed by the port (optional)
4. Configure the HTTP redirection address of web portal authentication (required)
5. Configure the IP source address for communication between the accessing device and the portal server (required)
6. Enable the dhcp snooping binding web portal function (optional)
7. Delete the binding information of web portal authentication

1. Enable/disable web portal authentication globally (Global Mode)
webportal enable / no webportal enable: Enable/disable web portal authentication globally.
2. Enable/disable web portal authentication of the port (Port Mode)
webportal enable / no webportal enable: Enable/disable web portal authentication of the port.
3. Configure the max web portal binding number allowed by the port (Port Mode)
webportal binding-limit <7-256> / no webportal binding-limit: Configure the max web portal binding number allowed by the port.
4. Configure the HTTP redirection address of web portal authentication (Global Mode)
webportal redirect <ip> / no webportal redirect: Configure the HTTP redirection address of web portal authentication.
5. Configure IP source addres
...use it neatly according to their own demand.

35.2 DHCPv6 Options 37, 38 Configuration Task List
1. DHCPv6 snooping option basic functions configuration
2. DHCPv6 relay option basic functions configuration
3. DHCPv6 server option basic functions configuration

1. DHCPv6 snooping option basic functions configuration (Global mode)
ipv6 dhcp snooping remote-id option / no ipv6 dhcp snooping remote-id option: This command enables DHCPv6 SNOOPING to support option 37; the no command disables it.
ipv6 dhcp snooping subscriber-id option / no ipv6 dhcp snooping subscriber-id option: This command enables DHCPv6 SNOOPING to support option 38; the no command disables it.
ipv6 dhcp snooping remote-id policy {drop | keep | replace} / no ipv6 dhcp snooping remote-id policy: This command configures the forwarding policy of the system when it receives DHCPv6 packets with option 37, which can be: drop, the system simply discards the packet with option 37; keep, the system keeps option 37 unchanged and forwards th...
ipv6 dhcp snooping subscriber-id policy {drop | keep | replace} / no ipv6 dhcp snooping subscriber-id policy
ipv6 dhcp snooping subscriber-id select {sp | sv | pv | spv} delimiter WORD [delimiter WORD] / no ipv6 dhcp snooping subscriber-id select delimiter
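A model of the option 37 / 38 snooping policy described above, as an added example that is not the switch's code: it takes the option codes from the RFCs (37 remote-id, 38 subscriber-id), uses a placeholder enterprise number, assumes that sp/sv/pv/spv name slot, port and VLAN, and assumes the switch inserts its own identifier when the option is absent; the Solicit bytes are constructed.

```python
"""DHCPv6 option 37 / 38 snooping policy (added illustration, not the switch's
code): apply drop / keep / replace to OPTION_REMOTE_ID (37, RFC 4649) and
OPTION_SUBSCRIBER_ID (38, RFC 4580) in a client message before forwarding it.
Option layout per RFC 8415; the sample Solicit is constructed."""
import struct

OPTION_CLIENTID, OPTION_REMOTE_ID, OPTION_SUBSCRIBER_ID = 1, 37, 38
POLICIES = ("drop", "keep", "replace")
MSG_SOLICIT = 1

def parse_options(buf):
    """Decode a DHCPv6 option list into [(code, value), ...]; rejects truncation."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d overruns the packet" % code)
        opts.append((code, bytes(buf[off:off + length])))
        off += length
    return opts

def build_options(opts):
    return b"".join(struct.pack("!HH", c, len(v)) + v for c, v in opts)

def build_subscriber_id(select, slot, port, vlan, delimiter="/"):
    """Compose the subscriber-id in the order the `select` keyword names.
    Assumption: s = slot, p = port, v = VLAN, joined by the delimiter."""
    if select not in ("sp", "sv", "pv", "spv"):
        raise ValueError("select must be one of sp, sv, pv, spv")
    fields = {"s": str(slot), "p": str(port), "v": str(vlan)}
    return delimiter.join(fields[ch] for ch in select).encode()

def snoop_option(options, code, policy, own_value):
    """Apply the policy for one option code to a received option list.
    Returns the list to forward, or None when the packet must be discarded."""
    if policy not in POLICIES:
        raise ValueError("unknown policy %r" % policy)
    if not any(c == code for c, _ in options):
        # Option absent: the snooping switch inserts its own identifier
        # (assumption: that is what "support option 37/38" means here).
        return options + [(code, own_value)]
    if policy == "drop":
        return None
    if policy == "keep":
        return options
    # replace: the client-supplied identifier is overwritten with the switch's own
    return [(c, own_value if c == code else v) for c, v in options]

def process_dhcpv6(packet, remote_id_policy, subscriber_id_policy,
                   own_remote_id, own_subscriber_id):
    """Run both policies over a client message (msg-type, 3-byte xid, options).
    Returns the packet to forward, or None if it was dropped."""
    if len(packet) < 4:
        raise ValueError("short DHCPv6 message")
    header, opts = packet[:4], parse_options(packet[4:])
    opts = snoop_option(opts, OPTION_REMOTE_ID, remote_id_policy, own_remote_id)
    if opts is None:
        return None
    opts = snoop_option(opts, OPTION_SUBSCRIBER_ID, subscriber_id_policy,
                        own_subscriber_id)
    if opts is None:
        return None
    return header + build_options(opts)

# Constructed sample input: a Solicit whose client already carries option 37.
SOLICIT = bytes([MSG_SOLICIT, 0x12, 0x34, 0x56]) + build_options([
    (OPTION_CLIENTID, b"\x00\x03\x00\x01\x00\x00\x00\x00\x00\x01"),  # DUID-LL
    (OPTION_REMOTE_ID, struct.pack("!I", 0) + b"client-supplied-id"),
])
# Option 37 value = enterprise number (0 here is a placeholder) + remote-id.
OWN_REMOTE_ID = struct.pack("!I", 0) + b"switchA"
OWN_SUBSCRIBER_ID = build_subscriber_id("spv", 1, 19, 100, "/")
```

With the "drop" policy the sample Solicit is discarded because the client sent option 37; with "replace" the client's value is overwritten and, since option 38 is absent, the switch's own subscriber-id is inserted regardless of the option 38 policy.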
...used DHCPv6 allow hint address pool. no ipv6 dhcp server <pool-name>

32.5 DHCPv6 Prefix Delegation Client Configuration
The DHCPv6 prefix delegation client configuration task list is as below:
1. Enable/disable the DHCPv6 service
2. Enable the DHCPv6 prefix delegation client function on a port

1. Enable/disable the DHCPv6 service
Global Mode: service dhcpv6 / no service dhcpv6
Explanation: Enable the DHCPv6 service.

2. Enable the DHCPv6 prefix delegation client function on a port
Interface Configuration Mode: ipv6 dhcp client pd <prefix-name> [rapid-commit] / no ipv6 dhcp client pd
Explanation: Enable the client prefix delegation request function on the specified port; the prefix obtained is associated with the configured universal prefix.

32.6 DHCPv6 Configuration Examples
Example: When deploying IPv6 networking, the switch can be configured as a DHCPv6 server in order to manage the allocation of IPv6 addresses. Both stateful and stateless DHCPv6 are supported.
Topology: The access layer uses Switch1 to connect the users of the dormitory buildings, and it is configured as DHCPv6 relay delegation. Switch3 is configured as the DHCPv6 server in the secondary aggregation layer and is connected to the backbone network or higher aggregation layers. Windows Vista, which is provided with a DHCPv6 client, must be loaded on the PCs.

[Topology figure: Switch3 as DHCPv6 Server; VLAN interface addresses not legible]
...<value> / no ip igmp snooping vlan <vlan-id> query-robustness: Configure the query robustness. The no ip igmp snooping vlan <vlan-id> query-robustness command restores the default value.
ip igmp snooping vlan <vlan-id> suppression-query-time <value> / no ip igmp snooping vlan <vlan-id> suppression-query-time: Configure the suppression query time. The no ip igmp snooping vlan <vlan-id> suppression-query-time command restores the default value.
ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME> / no ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME>: Configure a static group on the specified port of the VLAN. The no form of the command cancels this configuration.
ip igmp snooping vlan <vlan-id> report source-address <A.B.C.D> / no ip igmp snooping vlan <vlan-id> report source-address: Configure the source address of forwarded IGMP packets. The no operation cancels the packet source address.
ip igmp snooping vlan <vlan-id> specific-query-mrsp <value> / no ip igmp snooping vlan <vlan-id> specific-query-mrsp: Configure the maximum query response time of the specific group or source query; the no command restores the default value.

38.3.3 IGMP Snooping Examples
...ve, so it can be considered a packet of the discovery stage. To stop a PPPoE session, PADT may be sent at any time during the session; it can be sent by the client or the server.

PPPoE Intermediate Agent supplies a function that identifies and locates the user. When PADI and PADR messages sent by the client pass through the network access device at the PPPoE discovery stage, the access link tag of this device is added to them, so that the server can exactly identify and locate the user. If the direct-link access device is a LAN switch, the added information includes MAC, Slot ID, Port Index, VLAN ID and so on. This function is implemented according to "Migration to Ethernet-based DSL aggregation".

51.1.2.1 PPPoE Intermediate Agent Exchange Process
The PPPoE Intermediate Agent exchange process is similar to the PPPoE exchange process; in the first exchange process, the access link tag is added to the PADI and PADR packets. The exchange process is as follows:

Figure 51-1 PPPoE IA protocol exchange process (Host, Intermediate Agent Relay, Access Concentrator)

51.1.2.2 PPPoE Packet Format
The PPPoE packet format is as follows:
Ethernet II frame: Destination MAC | Source MAC | Type Field | PPPoE Data | CRC Check Sum
PPPoE data: Code | Length Field | TLV1 ... TLVN
TLV frame: Length
The meaning of each field is as follows:
Type field: 2 bytes of the Ethernet II frame. The protocol sets the type field value of PPPoE protocol pa...
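The access-link tagging the Intermediate Agent performs, as an added example that is not the manual's code: the PPPoE header and tag layout follow RFC 2516, and the Vendor-Specific tag (0x0105) with the DSL Forum vendor id and Circuit-ID / Remote-ID sub-options follows TR-101, the document the text cites; the circuit-id string layout and the dropping of a client-supplied tag are assumptions, and the PADI is constructed.

```python
"""PPPoE IA access-link tag (added illustration, not the switch's code; RFC 2516 + TR-101)."""
import struct

PADI, PADR, TAG_SERVICE_NAME, TAG_VENDOR_SPECIFIC = 0x09, 0x19, 0x0101, 0x0105
DSL_FORUM_VENDOR_ID = 0x00000DE9          # IANA enterprise number 3561
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02

def parse_discovery(payload):
    """Split a PPPoE discovery payload into (code, session_id, [(tag, value)])."""
    if len(payload) < 6:
        raise ValueError("short PPPoE header")
    vt, code, session, length = struct.unpack_from("!BBHH", payload, 0)
    if vt != 0x11:                        # version 1, type 1 (RFC 2516)
        raise ValueError("unsupported PPPoE version/type")
    body = payload[6:6 + length]
    if len(body) != length:
        raise ValueError("length field exceeds packet")
    tags, off = [], 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack_from("!HH", body, off)
        off += 4
        if off + tlen > len(body):
            raise ValueError("tag overruns payload")
        tags.append((ttype, bytes(body[off:off + tlen])))
        off += tlen
    if off != len(body):
        raise ValueError("trailing bytes after last tag")
    return code, session, tags

def build_discovery(code, session, tags):
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body

def access_loop_tag(circuit_id, remote_id):
    """Vendor-Specific tag value: vendor id, then (sub-type, length, value) items."""
    value = struct.pack("!I", DSL_FORUM_VENDOR_ID)
    for sub, v in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if len(v) > 63:                   # TR-101 limit per sub-option
            raise ValueError("sub-option too long")
        value += struct.pack("!BB", sub, len(v)) + v
    return value

def is_access_loop_tag(ttype, value):
    return (ttype == TAG_VENDOR_SPECIFIC and len(value) >= 4
            and struct.unpack("!I", value[:4])[0] == DSL_FORUM_VENDOR_ID)

def intermediate_agent(payload, circuit_id, remote_id):
    """Access-switch side: PADI and PADR get the switch's access-link tag, other
    codes pass unchanged. Assumption: a tag the client already carries is dropped,
    so the server only ever sees the identity the switch inserted."""
    code, session, tags = parse_discovery(payload)
    if code not in (PADI, PADR):
        return payload
    tags = [(t, v) for t, v in tags if not is_access_loop_tag(t, v)]
    tags.append((TAG_VENDOR_SPECIFIC, access_loop_tag(circuit_id, remote_id)))
    return build_discovery(code, session, tags)

def extract_access_loop(payload):
    """Server side: return {'circuit_id': ..., 'remote_id': ...} or None."""
    _, _, tags = parse_discovery(payload)
    for t, v in tags:
        if not is_access_loop_tag(t, v):
            continue
        out, off = {}, 4
        while off + 2 <= len(v):
            sub, ln, off = v[off], v[off + 1], off + 2
            if off + ln > len(v):
                raise ValueError("sub-option overruns tag")
            key = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}.get(sub)
            if key:
                out[key] = v[off:off + ln]
            off += ln
        return out
    return None

# Constructed sample: a client PADI carrying only an empty Service-Name tag.
CLIENT_PADI = build_discovery(PADI, 0, [(TAG_SERVICE_NAME, b"")])
# Circuit-id layout is a local convention (assumption): switch MAC, slot/port, VLAN.
CIRCUIT_ID = b"00-00-00-00-00-01 1/19:100"
```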
...vlan <vlan-id> information of VACL. Egress filtering is not supported by the switch.

6. Clear the statistic information of VLAN ACL
Admin Mode: clear vacl [in | out] statistic vlan <vlan-id>
Explanation: Clear the statistic information of VACL. Egress filtering is not supported by the switch.

53.3 VLAN ACL Configuration Example
A company's network configuration is as follows: all departments are divided by different VLANs; the technique department is Vlan1 and the finance department is Vlan2. It is required that the technique department can access the outside network within the configured time range, but the finance department is not allowed to access the outside network at any time, for security. The following policies are then configured:
- Set the policy VACL_A for the technique department: within the time range they can access the outside network (the rule is permit), at other times the rule is deny; the policy is applied to Vlan1.
- Set the policy VACL_B of ACL for the finance department: at any time they cannot access the outside network, but they can access the inside network with no limitation; apply the policy to Vlan2.
The network environment is shown below:

Figure 53-1 VLAN ACL configuration example (Technique Department, VLAN1; Finance Department, VLAN2)

Configuration example:
1. First configure a time-range; the valid time is the working hours of a working day.
Switch(config)#time-range t1
Switch(config-ti...
...vlan <vlan-id> limit. The no ip igmp snooping vlan <vlan-id> limit command cancels this configuration.
ip igmp snooping vlan <1-4094> interface [ethernet | port-channel] IFNAME limit {group <1-65535> | source <1-65535>} strategy {replace | drop} / no ip igmp snooping vlan <1-4094> interface [ethernet | port-channel] IFNAME limit group source strategy: Configure the number of groups which are allowed to join and the maximum number of sources in each group under the IGMP Snooping port, and configure the strategy (replace or drop) when the upper limit is reached. The no command configures no limitation.
ip igmp snooping vlan <vlan-id> l2-general-querier / no ip igmp snooping vlan <vlan-id> l2-general-querier: Set this VLAN to layer 2 general querier. It is recommended to configure a layer 2 general querier on a segment. The no ip igmp snooping vlan <vlan-id> l2-general-querier command cancels this configuration.
ip igmp snooping vlan <vlan-id> l2-general-querier version <version>: Configure the version of the query sent by the layer 2 general querier.
ip igmp snooping vlan <vlan-id> l2-general-querier source <source>: Configure the source of the query sent by the layer 2 general querier.
ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name> / no ip igmp snooping vlan ...: Configure a static mrouter port of the VLAN. The no form of the command cancels this...
...which brings more efficiency. The figure below shows a sample application of RSPAN.

Figure 60-1 RSPAN Application Sample (Source Switch, Intermediate Switch, Destination Switch, Monitor)

Two configuration solutions can be chosen for RSPAN: the first is without a reflector port and the other is with a reflector port. For the first one, only one fixed port can be connected to the intermediate switch; however, no reflector port has to be configured, which maximizes the usage of switch ports. For the latter one, the port connected to the intermediate switch is not fixed; datagrams can be broadcast in the RSPAN VLAN through the loopback, which is much more flexible.

The normal mode configuration is shown below.
Solution 1:
Source switch: Interface ethernet 1/1 is the source port for mirroring; interface ethernet 1/2 is the destination port, which is connected to the intermediate switch; the RSPAN VLAN is 5.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/2
Switch(Config-If-Ethernet1/2)#switchport mode trunk
Switch(Config-If-Ethernet1/2)#exit
Switch(config)#monitor session 1 source interface ethernet1/1 rx
Switch(config)#monitor session 1 destination interface ethernet1/2
Switch(config)#monitor session 1 remote vlan 5
Intermediate switch: Interface ethernet1/6 is the source port, which is connected to the source switch. Inter...
...width management according to the application requirement and network management policy.

23.1.1 QoS Terms
QoS: Quality of Service provides a guarantee of consistent and predictable data transfer service quality to fulfill program requirements. QoS cannot generate new bandwidth, but provides more effective bandwidth management according to the application requirement and network management.
QoS Domain: QoS devices form a network topology that provides Quality of Service, so this topology is defined as a QoS Domain.
CoS: Class of Service, the classification information carried by Layer 2 802.1Q frames, taking 3 bits of the Tag field in the frame header, is called the user priority level, in the range of 0 to 7.

Figure 23-1 CoS priority (Layer 2 802.1Q/P frame: Preamble, Start frame delimiter, DA, SA, Tag, PT, Data, FCS; 3 bits of the Tag are used for CoS, the user priority)

ToS: Type of Service, a one-byte field carried in the Layer 3 IPv4 packet header to symbolize the service type of IP packets. The ToS field can carry an IP Precedence value or a DSCP value.

Figure 23-2 ToS priority (Layer 3 IPv4 packet: Version, ToS carrying IP precedence or DSCP)

IP Precedence: IP priority, classification information carried in the Layer 3 IP packet header, occupying 3 bits, in the range of 0 to 7.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet header, occupying 6 bits, in the ran...
...wing figure illustrates the basic operation flow of the PEAP authentication method.

Figure 42-11 the Authentication Flow of 802.1x PEAP (message sequence: EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request; RADIUS Access-Challenge; EAP-Request/PEAP Start; Established; EAP-Response (Empty); RADIUS Access-Request; RADIUS Access-Challenge; EAP-Request/MD5-Challenge; EAP-Response/MD5-Password; RADIUS Access-Request; RADIUS Access-Accept; EAP-Success)

42.1.5.2 EAP Termination Mode
In this mode, EAP messages are terminated in the access control unit and mapped into RADIUS messages, which are used to implement authentication, authorization and accounting. The basic operation flow is illustrated in the next figure. In EAP termination mode, the access control unit and the RADIUS server can use the PAP or CHAP authentication method. The following figure demonstrates the basic operation flow using the CHAP authentication method.

Figure: EAP termination mode with CHAP, between the Supplicant PAE (EAPOL), the Authenticator PAE and the RADIUS server (message sequence: EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5-Challenge; EAP-Response/MD5-Challenge; RADIUS Access-Request (CHAP Response/MD5); RADIUS Access-Accept; EAP-Success; port authorized; handshake request packet on expiry of the handshake timer; ...)
...witch configuration for DNS CLIENT:
Switch(config)#ip domain-lookup
Switch(config)#dns-server 219.240.250.101
Switch(config)#dns-server 2001::1
Switch#ping host www.sina.com.cn
Switch#traceroute host www.sina.com.cn
Switch#telnet host www.sina.com.cn
Switch configuration for DNS SERVER:
Switch(config)#ip domain-lookup
Switch(config)#dns-server 219.240.250.101
Switch(config)#dns-server 2001::1
Switch(config)#ip dns server

65.4 DNS Troubleshooting
In configuring and using DNS, DNS may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
First, make sure the physical connection of the TACACS server is in good condition.
Second, all interface and link protocols are in the UP state (use the show interface command).
Then, make sure that the DNS dynamic lookup function is enabled (use the ip domain-lookup command) before enabling the DNS CLIENT function. To use the DNS SERVER function, enable it with the ip dns server command.
Finally, ensure that a DNS server address is configured (use the dns-server command) and that the switch can ping the DNS server.
If the DNS problems remain unsolved, use debug dns all and other debugging commands, copy the DEBUG messages within 3 minutes, and send the recorded messages to the technical service center of our company.

Chapter 66 Monitor and Debug
When the users configure the switch, they will nee...
...switchport mode trunk
switch(Config-Ethernet1/1)#vlan-translation n-to-1 1-3 to 100
switch(Config)#interface ethernet 1/5
switch(Config-Ethernet1/5)#switchport mode trunk
switch(Config-Ethernet1/5)#exit

20.5.4 Multi-to-One VLAN Translation Troubleshooting
- Do not use it together with Dot1q-tunnel at the same time.
- Do not use it together with VLAN translation at the same time.
- The same MAC address should not exist in both the original and the translated VLAN.
- Check whether the hardware resources of the chip are able to ensure that all clients work normally.
- Limiting the learning of MAC addresses may affect Multi-to-One VLAN Translation; Multi-to-One VLAN Translation should be enabled after MAC learning.

20.6 Dynamic VLAN Configuration
20.6.1 Introduction to Dynamic VLAN
Dynamic VLAN is named in contrast to static VLAN, namely the port-based VLAN. The dynamic VLANs supported by the switch include MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN. The detailed description is as follows:
MAC-based VLAN division is based on the MAC address of each host, namely every host with a MAC address will be assigned to a certain VLAN. By this means, the network user keeps his membership in his VLAN when he moves from one physical location to another. As we can see, the greatest advantage of this VLAN division is that the VLAN does not have to be re-configured when the user's physical location changes, namely when he shifts from one switch to another, which is...
...with untag mode. In this way, the data of VLAN100 will be forwarded to the port connecting M, implementing the communication requirement in VLAN100.

Figure 20-8 Typical topology application of dynamic VLAN (SwitchA, SwitchB, SwitchC, VLAN100, host M)

Configuration items: MAC-based VLAN. Configuration explanation: global configuration on Switch A, Switch B and Switch C.
For example, M is at E1/1 of SwitchA; then the configuration procedures are as follows:
Switch A:
SwitchA(Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchA(Config)#interface ethernet 1/1
SwitchA(Config-Ethernet1/1)#switchport mode hybrid
SwitchA(Config-Ethernet1/1)#switchport hybrid allowed vlan 100 untagged
Switch B:
SwitchB(Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchB(Config)#exit
SwitchB#
Switch C:
SwitchC(Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchC(Config)#exit
SwitchC#

20.6.4 Dynamic VLAN Troubleshooting
- On a switch configured with dynamic VLAN, if the two connected devices (e.g. PCs) both belong to the same dynamic VLAN, the first communication between the two devices may not go through. The solution is to let the two devices actively send data packets to the switch (such as ping), so that the switch learns their source MACs; then the two devices will be able to communicate freely within the dyna...
...wo methods for configuring port aggregation: manual Port Channel creation and LACP (Link Aggregation Control Protocol) dynamic Port Channel creation. Port aggregation can only be performed on ports in full-duplex mode.
For a Port Channel to work properly, the member ports of the Port Channel must have the same properties, as follows:
- All ports are in full-duplex mode.
- All ports are of the same speed.
- All ports are Access ports and belong to the same VLAN, or are all TRUNK ports, or are all Hybrid ports.
- If the ports are all TRUNK ports or Hybrid ports, then their Allowed VLAN and Native VLAN properties should also be the same.
If a Port Channel is configured manually or dynamically on the switch, the system will automatically set the port with the smallest number to be the Master Port of the Port Channel. If the spanning tree function is enabled in the switch, the spanning tree protocol will regard the Port Channel as a logical port and send BPDU frames via the master port.
Port aggregation is closely related to the switch hardware. The switch allows physical port aggregation of any two switches; a maximum of 14 groups and 8 ports in each port group are supported. Once ports are aggregated, they can be used as a normal port. The switch has a built-in aggregation interface configuration mode; the user can perform the related configuration in this mode, just like in the VLAN and physical interface configuration modes.

12.2 Brief Introduct...
...xtensive MAC-IP access-list based on nomenclature
b. Specify multiple permit or deny rule entries
c. Exit MAC-IP Configuration Mode
10. Configuring a numbered standard IPv6 access-list
11. Configuring a standard IPv6 access-list based on nomenclature
a. Create a standard IPv6 access-list based on nomenclature
b. Specify multiple permit or deny rule entries
c. Exit ACL Configuration Mode
2. Configuring the packet filtering function
1) Enable the global packet filtering function
2) Configure the default action
3. Configuring the time range function
1) Create the name of the time range
2) Configure a periodic time range
3) Configure an absolute time range
4. Bind an access-list to the incoming direction of the specified port
5. Clear the filtering information of the specified port

1. Configuring access-lists
1) Configuring a numbered standard IP access-list
Global Mode: access-list <num> {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} / no access-list <num>
Explanation: Creates a numbered standard IP access-list; if the access-list already exists, a rule is added to the current access-list. The no access-list <num> command deletes a numbered standard IP access-list.
2) Configuring a numbered extensive IP access-list
Global Mode: access-list <num> {deny | permit} icmp {<sIpAddr> ...: Creates a numbered ICMP...
...y between the client gateway and the switch must be ensured for the client to get an IP address from the 10.16.2.0/24 address pool.

Scenario 2:
Figure 31-3 DHCP Relay Configuration (DHCP Clients; DHCP Relay with E1/2, 192.168.1.1 and 10.1.1.1; DHCP Server 10.1.1.10)

As shown in the above figure, the route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10; the configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#vlan 2
Switch(Config-Vlan2)#exit
Switch(config)#interface Ethernet 1/2
Switch(Config-Ethernet1/2)#switchport access vlan 2
Switch(Config-Ethernet1/2)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 10.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#ip forward-protocol udp bootps
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip helper-address 10.1.1.10
Switch(Config-if-Vlan1)#exit
Note: It is recommended to use the combination of the commands ip forward-protocol udp <port> and ip helper-address <ipaddress>. ip helper-address can only be configured on layer 3 ports and cannot be configured on layer 2 ports directly.

Scenario 3:
Figure 31-4 DHCP configuration example (Switch, Ethernet1/3, Ethernet1/2, DHCP Server, PC1)

As shown in...
...y function
anti-arpscan recovery time <seconds> / no anti-arpscan recovery time: Set the automatic recovery time.

6. Display relative information of debug information and ARP scanning
Global configuration mode:
anti-arpscan log enable / no anti-arpscan log enable: Enable or disable the log function of ARP scanning prevention.
anti-arpscan trap enable / no anti-arpscan trap enable: Enable or disable the SNMP Trap function of ARP scanning prevention.
show anti-arpscan [trust <ip | port | supertrust-port> | prohibited <ip | port>]: Display the state of operation and the configuration of ARP scanning prevention.
Admin Mode:
debug anti-arpscan <port | ip> / no debug anti-arpscan <port | ip>: Enable or disable the debug switch of ARP scanning prevention.

27.3 ARP Scanning Prevention Typical Examples
Figure 27-1 ARP scanning prevention typical configuration example (SWITCH A, SWITCH B, Server 192.168.1.100/24, PCs)

In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A; port E1/2 of SWITCH A is connected to the file server (IP address 192.168.1.100/24), and all the other ports of SWITCH A are connected to common PCs. The following configuration can prevent ARP scanning effectively without affecting the normal operation of the system.
SWITCH A configuration task sequence:
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpsc...
...ynamic route can coexist; the layer 3 switch will choose the route with the highest priority according to the priority of the routing protocols. At the same time, static routes can be introduced (redistributed) into dynamic routing, and the priority of the introduced static routes can be changed as required.

26.3.2 Introduction to Default Route
A default route is a kind of static route which is used only when no matching route is found. In the route table, the default route is indicated by a destination address of 0.0.0.0 and a network mask of 0.0.0.0 too. If the route table does not have the destination of a packet and has no default route configured, the packet will be discarded and an ICMP packet will be sent to the source address to indicate that the destination address or network is unreachable.

26.3.3 Static Route Configuration Task List
1. Static route configuration

1. Static route configuration
Global mode: ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | <gateway-interface>} [<distance>] / no ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | <gateway-interface>} [<distance>]
Explanation: Set static routing; the no ip route command deletes a static route entry.

26.3.4 Static Route C...