
Amer Networks SS2R48G4i


Contents

1. [no] {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} icmp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
   Creates an extended name-based MAC-ICMP access rule; the no form of the command deletes this name-based extended MAC-ICMP access rule.
   [p. 136, AN SS2R24G64i SS2R48G64i]
   [no] {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} igmp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
   Creates an extended name-based MAC-IGMP access rule; the no form of the command deletes this name-based extended MAC-IGMP access rule.
   [no] {deny | permit} {any-source-mac | host-source-mac <host_smac>
2. group <g_limit> source <s_limit>
   no ip igmp snooping vlan <vlan-id> limit
   Configure the maximum number of groups IGMP snooping can join and the maximum number of sources each group can have. The no ip igmp snooping vlan <vlan-id> limit command resets it to the default value.
   ip igmp snooping vlan <vlan-id> l2-general-querier
   no ip igmp snooping vlan <vlan-id> l2-general-querier
   Set this VLAN as a layer 2 general querier. It is recommended that each segment configure a layer 2 general querier. The no ip igmp snooping vlan <vlan-id> l2-general-querier command cancels the layer 2 general querier configuration.
   ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name>
   no ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name>
   Set a static mrouter port. The no ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name> command cancels the mrouter port configuration.
   ip igmp snooping vlan <vlan-id> mrpt <value>
   no ip igmp snooping vlan <vlan-id> mrpt
   Set the keep-alive time of the mrouter port; the no ip igmp snooping vlan <vlan-id> mrpt command resets it to the default value.
   ip igmp snooping vlan <vlan-id> query-interval <value>
   no ip igmp snooping vlan <vlan-id> query-interval
   Set the query interval; the no ip igmp snooping vlan <vlan-id> query-interval command
3. Port configuration mode: anti-netscan trust-port / no anti-netscan trust-port
   Set a port as a trusted port / cancel the setting.
   3. Configure trusted source IP
   Command | Explanation
   Global configuration mode: anti-netscan trust-ip <IPAddress> <Mask> / no anti-netscan trust-ip <IPAddress> <Mask>
   Add / delete a trusted source IP.
   4. Enable the log recording function
   Command | Explanation
   Global configuration mode: anti-netscan log enable / no anti-netscan log enable
   Enable / disable the log recording function.
   5. Enable the automatic recovery function
   Command | Explanation
   Global configuration mode: anti-netscan recovery enable / no anti-netscan recovery enable
   Enable / disable the automatic recovery function.
   6. Set the automatic recovery interval
   Command | Explanation
   Global configuration mode: anti-netscan recovery time <seconds> / no anti-netscan recovery time
   Set the automatic recovery interval; no anti-netscan recovery time resets it to the default value.
   7. Set the limit of the message rate
   Command | Explanation
   Global configuration mode: anti-netscan limit-rate <pps> / no anti-netscan limit-rate
   Set the limit of the message rate; no anti-netscan limit-rate resets it to the def
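The anti-netscan controls listed in steps 1 to 7 above fit together as one policy: trusted ports and trusted source IP/mask entries are exempt, every other source is held to a packet rate in pps, an offender is blocked and optionally logged, and automatic recovery releases it after the configured number of seconds. The following is an added example written for this page, not the vendor's code. The page does not describe how the switch counts packets internally, so the model below assumes a fixed one-second window per (port, source IP) and treats exceeding the limit as a scan; the port names and traffic are constructed.

```python
"""Added example (not vendor code) modelling the anti-netscan controls listed
above: trusted ports, trusted source IP/mask entries, a per-source rate limit
in pps, optional logging, and automatic recovery after a configurable number
of seconds.  Assumption: packets are counted per (port, source IP) in fixed
one-second windows; a window that exceeds the limit blocks that source."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class AntiNetscan:
    limit_rate: int = 100            # anti-netscan limit-rate <pps>
    recovery_enable: bool = True     # anti-netscan recovery enable
    recovery_time: int = 300         # anti-netscan recovery time <seconds>
    log_enable: bool = True          # anti-netscan log enable
    trusted_ports: Set[str] = field(default_factory=set)   # anti-netscan trust-port
    trusted_nets: List = field(default_factory=list)       # anti-netscan trust-ip <IP> <Mask>
    log: List[str] = field(default_factory=list)
    _counts: Dict[Tuple[str, str, int], int] = field(default_factory=lambda: defaultdict(int))
    _blocked: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (port, src) -> unblock time

    def trust_ip(self, addr: str, mask: str) -> None:
        self.trusted_nets.append(ip_network(f"{addr}/{mask}", strict=False))

    def is_trusted(self, port: str, src: str) -> bool:
        return port in self.trusted_ports or any(ip_address(src) in n for n in self.trusted_nets)

    def _log(self, ts: float, msg: str) -> None:
        if self.log_enable:
            self.log.append(f"{ts:.3f} anti-netscan: {msg}")

    def packet(self, port: str, src: str, ts: float) -> bool:
        """Return True if the packet is accepted, False if it is dropped."""
        key = (port, src)
        until = self._blocked.get(key)
        if until is not None:
            if self.recovery_enable and ts >= until:
                del self._blocked[key]              # automatic recovery
                self._log(ts, f"recovered {src} on {port}")
            else:
                return False
        if self.is_trusted(port, src):
            return True
        window = (port, src, int(ts))
        self._counts[window] += 1
        if self._counts[window] > self.limit_rate:
            self._blocked[key] = ts + self.recovery_time if self.recovery_enable else float("inf")
            self._log(ts, f"{self._counts[window]} pps from {src} on {port} exceeds {self.limit_rate}; blocking")
            return False
        return True


def simulate() -> Dict[str, int]:
    """Constructed traffic: a scanner on an untrusted port and a trusted monitoring host."""
    a = AntiNetscan(limit_rate=5, recovery_time=10)
    a.trusted_ports.add("Ethernet0/0/1")
    a.trust_ip("10.0.0.0", "255.255.0.0")
    accepted = {"scanner": 0, "scanner_after_recovery": 0, "monitor": 0}
    for i in range(8):                     # 8 packets inside one second from the scanner
        accepted["scanner"] += a.packet("Ethernet0/0/2", "192.168.1.10", 0.1 * i)
    accepted["scanner_after_recovery"] += a.packet("Ethernet0/0/2", "192.168.1.10", 5.0)   # still blocked
    accepted["scanner_after_recovery"] += a.packet("Ethernet0/0/2", "192.168.1.10", 11.0)  # recovered
    for i in range(20):                    # a trusted source is never rate-limited
        accepted["monitor"] += a.packet("Ethernet0/0/3", "10.0.7.7", 0.05 * i)
    return accepted


if __name__ == "__main__":
    print(simulate())
```

With recovery disabled the block is permanent, which is the state an operator would see on a port whose host has been cut off until someone intervenes; the log list holds the alarm and recovery records the "log enable" knob produces.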
4. ... any-destination | host-destination <dIpAddr>} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
   no access-list <num>
   Deletes a numbered extended IP access list.
   3. Configuring a name-based standard IP access list
   a. Create a name-based standard IP access list
   Command | Explanation
   Global Mode: ip access-list standard <name> / no ip access-list standard <name>
   Creates a name-based standard IP access list; the no ip access-list standard <name> command deletes the name-based standard IP access list.
   b. Specify multiple permit or deny rules
   Command | Explanation
   Standard IP ACL Mode: [no] {deny | permit} {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>}
   Creates a standard name-based IP access rule; the no form of the command deletes the name-based standard IP access rule.
   c. Exit name-based standard IP ACL configuration mode
   Command | Explanation
   Standard IP ACL Mode: exit
   Exits name-based standard IP ACL configuration mode.
   4. Configuring a name-based extended IP access list
   a. Create a name-based extended IP access list
   Command | Explanation
   Global Mode: Creates a name-based extended IP access list; the no ip access-list extended <name> command deletes the name-based extende
5. 1. Config interface Vlan1
   2. Config telnet server
   3. Config web server
   4. Config SNMP
   5. Exit setup configuration without saving
   6. Exit setup configuration after saving
   Selection number:
   3.3 Setup Submenu
   3.3.1 Configuring switch hostname
   Select 0 in the Setup main menu and press Enter; the following screen appears:
   Please input the host name [switch]:
   Note: the hostname entered should be less than 30 characters. If the user presses Enter without input, the hostname defaults to "switch".
   3.3.2 Configuring Vlan1 Interface
   Select 1 in the Setup main menu and press Enter to start configuring the Vlan1 interface:
   Config Interface Vlan1
   0. Config interface Vlan1 IP address
   1. Config interface Vlan1 status
   2. Exit
   Selection number:
   Select 0 in the Vlan1 interface configuration menu and press Enter; the following screen appears:
   Please input interface Vlan1 IP address [A.B.C.D]:
   When the user enters a valid IP address for the Vlan1 interface and presses Enter, the following screen appears:
   Please input interface Vlan1 mask [255.255.255.0]:
   Select 1 in the Vlan1 interface configuration menu and press Enter; the following screen appears:
   Open interface Vlan1 for remote configuration? [y/n] [y]:
   Selecting 2 in the Vlan1 interface configuration menu returns to the Setup main menu.
   3.3.3 Telnet Server Configuration
   Select 2 in the Setup main me
6. Command | Explanation
   Interface Mode: switchport access vlan <vlan-id> / no switchport access vlan
   Add the current port to the specified VLAN / remove it from the specified VLANs.
   7. Disable/Enable VLAN Ingress Rules
   Command | Explanation
   Global Mode: switchport ingress-filtering / no switchport ingress-filtering
   Disable/Enable VLAN ingress rules.
   8. Configure Private VLAN
   Command | Explanation
   VLAN mode: private-vlan {primary | isolated | community} / no private-vlan
   Configure the current VLAN as a Private VLAN / cancel the Private VLAN configuration.
   9. Set Private VLAN association
   Command | Explanation
   VLAN mode: private-vlan association <secondary-vlan-list> / no private-vlan association
   Set / delete the Private VLAN association.
   9.2.2 Typical VLAN Application Scenario
   [Fig. 9-2 Typical VLAN Application Topology: Switch A at site A and Switch B at site B, each carrying VLAN100 and VLAN200 to desktop PCs and workstations]
   The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. These three VLANs span two different locations, A and B. One switch is placed at each site, and the cross-location requirement can be met if VLAN traffic can be transferred between the two switches.
   Configuration
   Item | Configuration description
   VLAN2 | Site A and site B
7. ... Port-Channel1; ports 6, 7, 8 of Switch 2 form an aggregated port named Port-Channel2. Configurations can be made in their respective aggregated port configuration modes.
   Scenario 2: Configuring Port-Channel in ON mode
   [Fig. 17-3 Configuring Port-Channel in ON mode: S1 and S2 linked by the aggregated ports]
   Example: As shown in the figure, ports 1, 2, 3 of Switch1 are access ports that belong to vlan1. Add those three ports to group1 in on mode. Ports 6, 7, 8 of Switch2 are trunk ports that also belong to vlan1 and allow all VLANs; add these ports to group2 in on mode. The configuration steps are listed below.
   Switch1(Config)#interface eth 0/0/1
   Switch1(Config-Ethernet0/0/1)#port-group 1 mode on
   Switch1(Config-Ethernet0/0/1)#exit
   Switch1(Config)#interface eth 0/0/2
   Switch1(Config-Ethernet0/0/2)#port-group 1 mode on
   Switch1(Config-Ethernet0/0/2)#exit
   Switch1(Config)#interface eth 0/0/3
   Switch1(Config-Ethernet0/0/3)#port-group 1 mode on
   Switch1(Config-Ethernet0/0/3)#exit
   Switch2(Config)#port-group 2
   Switch2(Config)#interface eth 0/0/6
   Switch2(Config-Ethernet0/0/6)#port-group 2 mode on
   Switch2(Config-Ethernet0/0/6)#exit
   Switch2(Config)#interface eth 0/0/8-9
   Switch2(Config-Port-Range)#port-group 2 mode on
   Switch2(Config-Port-Range)#exit
   Configuration result: Add ports 1, 2, 3 of Switch 1 to port-grou
8. ... host are run for a pool, only one of them takes effect. Furthermore, in manual binding only one IP-MAC binding can be configured in one pool. If multiple bindings are required, multiple manual pools can be created and an IP-MAC binding set for each pool. New configuration in the same pool overwrites the previous configuration.
   Chapter 19 DHCP Snooping Configuration
   19.1 DHCP Snooping Introduction
   DHCP Snooping can effectively block attacks from fake DHCP servers.
   Defense against fake DHCP servers: once the switch intercepts DHCP server reply packets (DHCPOFFER, DHCPACK and DHCPNAK) from untrusted ports, it alarms the user and responds according to the configuration: shut down the port or send a blackhole.
   Defense against DHCP overload attacks: to prevent too many DHCP messages from attacking the CPU, users should limit the rate at which DHCP packets are received on trusted and untrusted ports.
   Record the DHCP binding data: DHCP snooping records the binding data issued by the DHCP server while forwarding DHCP messages; it can also upload the binding data to a specified server for backup. The binding data is mainly used to configure dynamic users on dot1x user-based ports. Please refer to the chapter on dot1x configuration for more about dot1x user-based mode.
   Automatic recovery: a while after the switch shuts down the port or sends a blackhole, it should automatically recover the commu
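The decision the introduction above describes is easy to state as code: a DHCP message is classified by its BOOTP op and option 53 message type; a server reply (DHCPOFFER, DHCPACK or DHCPNAK) seen on an untrusted port is a fake DHCP server and triggers the configured response (shutdown or blackhole), while replies on trusted ports are forwarded and their IP-MAC bindings recorded against the port the client requested from. The following is an added example for this page, not the vendor's implementation; the packet bytes and port names are constructed, and the DHCP message rate limit is not modelled.

```python
"""Added example (not vendor code) of the DHCP snooping decisions described
above.  A server reply on an untrusted port raises an alarm and returns the
configured response; replies on trusted ports are forwarded and ACKs populate
the IP-MAC binding table.  All packet bytes below are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_REPLIES = {DHCPOFFER, DHCPACK, DHCPNAK}
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie at offset 236


def parse_dhcp(payload: bytes) -> Optional[Tuple[int, str, Optional[int], str]]:
    """Return (op, chaddr, message type, yiaddr) or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    op, hlen = payload[0], payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen].hex(":")
    msgtype = None
    i = 240
    while i + 1 < len(payload):      # walk TLV options until END (255)
        tag = payload[i]
        if tag == 255:
            break
        if tag == 0:                 # PAD
            i += 1
            continue
        length = payload[i + 1]
        if tag == 53 and length == 1:
            msgtype = payload[i + 2]
        i += 2 + length
    return op, chaddr, msgtype, yiaddr


def build_dhcp(op: int, msgtype: int, chaddr: str, yiaddr: str = "0.0.0.0") -> bytes:
    """Minimal constructed DHCP payload: 236-byte fixed header, cookie, option 53, END."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    yi = bytes(int(x) for x in yiaddr.split("."))
    fixed = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, yi, b"\0" * 4, b"\0" * 4)
    fixed += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + MAGIC
    return fixed + bytes([53, 1, msgtype, 255])


class DhcpSnooping:
    def __init__(self, trusted_ports, action: str = "shutdown"):
        self.trusted = set(trusted_ports)
        self.action = action                            # "shutdown" | "blackhole"
        self.client_port: Dict[str, str] = {}           # chaddr -> port it requested from
        self.bindings: Dict[str, Tuple[str, str]] = {}  # chaddr -> (ip, client port)
        self.alarms: List[Tuple[str, int]] = []

    def inspect(self, port: str, payload: bytes) -> str:
        parsed = parse_dhcp(payload)
        if parsed is None:
            return "forward"                            # not DHCP; not snooped here
        op, chaddr, msgtype, yiaddr = parsed
        if op == BOOTREPLY or msgtype in SERVER_REPLIES:
            if port not in self.trusted:
                self.alarms.append((port, msgtype))    # fake DHCP server
                return self.action
            if msgtype == DHCPACK and yiaddr != "0.0.0.0":
                self.bindings[chaddr] = (yiaddr, self.client_port.get(chaddr, "?"))
            return "forward"
        self.client_port[chaddr] = port                 # DISCOVER/REQUEST from a client
        return "forward"


if __name__ == "__main__":
    s = DhcpSnooping(trusted_ports={"Ethernet0/0/24"})
    print(s.inspect("Ethernet0/0/7", build_dhcp(BOOTREPLY, DHCPOFFER, "00:11:22:33:44:55", "10.9.9.9")))
```

The binding table is what the chapter says feeds dot1x user-based ports: it pairs the address the trusted server assigned with the port the client's own request arrived on, so a host that later sources traffic from an address it was not given stands out.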
9. ... rmon enable command. Use the show snmp command to verify sent and received SNMP messages. Use the show snmp status command to verify SNMP configuration information. Use debug snmp packet to enable the SNMP debug function and verify the debug information. If users still cannot solve the SNMP problems, please contact our technical and service center.
   5.5 Switch Upgrade
   The SS2R24/48G4i switch provides two ways for switch upgrade: BootROM upgrade, and TFTP/FTP upgrade under the Shell.
   5.5.1 BootROM Upgrade
   There are two methods for BootROM upgrade, TFTP and FTP, which can be selected in the BootROM command settings. The upgrade procedure is listed below.
   Step 1: A PC is used as the console for the switch. A console cable is used to connect the PC to the management port on the switch. The PC should have FTP/TFTP server software installed and have the .img file required for the upgrade.
   Step 2: Press Ctrl+B on switch boot-up until the switch enters BootROM monitor mode. The result is shown below:
   Testing RAM... 0x00200000 RAM OK
   Loading BootRom...
   Starting BootRom...
   CPU: 88E6218 133MHZ
   BSP version: 1.2.21
   Creation date: Mar 12 2007, 10:27:58
   Initializing... OK
   [Boot]:
   Step 3: Under BootROM mode, run setconfig to set the IP address and mask of the switch under BootROM mode, the server IP address and mask, and select TFTP or FTP upgrade. Suppose the switch address is 192.168.1.2/24
10. ... show running-config, the system will report a "> Ambiguous command!" error if only "sh r" is entered, as the Shell cannot tell whether "show r" stands for show running-config or another show command beginning with r. Therefore the Shell only recognizes the command if "sh ru" is entered.
   4.2.2 Web Interface
   The Web configuration interface has three parts: the upper part, the bottom-left part and the bottom-right part. The upper part is a picture of the front panel of the SS2R24/48G4i switch, which shows the connection state of each port via the LEDs on the panel. If users click a port on the picture of the front panel, the traffic statistics of that port are displayed in the bottom-right part of the Web configuration interface. The bottom-left part is the main menu, with which users can configure, control and maintain the switch, monitor ports, and so on. The bottom-right part is used to display information and to interact with users. When users click the upper part or the bottom-left part, the bottom-right part shows the configuration interface of the corresponding menu or submenu; then users can configure the switch as they want. To learn more about the parameters that appear in the configuration interface, please refer to the configuration introduction in the relevant chapters.
   Tips on using the Web Configuration Interface
   Tip 1: IE 6.0 or later, 800
11. Global Mode: cluster register-timer <timer-value> / no cluster register-timer
   Set the interval for sending cluster register packets.
   5. Remote cluster network management
   Command | Explanation
   Admin Mode: rcommand member <mem-id>
   In the commander switch, this command is used to configure and manage member switches.
   rcommand commander
   In the member switch, this command is used to configure the member switch itself.
   cluster reset member <mem-id>
   In the commander switch, this command is used to reset the member switch.
   cluster update member <mem-id> <src-url> <dst-url> {ascii | binary}
   In the commander switch, this command is used to remotely upgrade the member switch.
   Chapter 7 Port Configuration
   7.1 Port Introduction
   [Fig. 7-1 Ports on SS2R24G4i]
   The ports on the SS2R24G4i switch are shown in the picture above. The SS2R24G4i provides 24+2+2 ports: 24 are 10/100Base-TX Ethernet interfaces with fixed configuration, 2 are 1000Base-TX/1000Base-FX single/multi-mode interfaces, and the other 2 are 1000Base-TX stack interfaces. On the panel of the SS2R24G4i each port is marked with a port ID. The relationship between these port IDs and the port IDs provided by
12. ... H2S, NO2, NH3 and Cl2, etc. The table below details the threshold values.
   [Table 2-2 Environmental Requirements: Particles (values not recoverable from this extract)]
   2.1.1.2 Temperature and Humidity
   Although the switch is designed without a fan to carry its heat away, the site should still maintain a suitable temperature and humidity. High humidity can cause degradation of electrical resistance or even electric leakage, degradation of mechanical properties, and corrosion of internal components. Extremely low relative humidity may cause the insulation spacer to contract, making the fastening screws insecure; furthermore, in dry environments static electricity is easily produced and can harm internal circuits. Temperature extremes cause reduced reliability and premature aging of insulation materials, reducing the switch's working lifespan. In hot summers it is recommended to use air conditioners to cool the site, and in cold winters to use heaters. The recommended temperature and humidity are shown below.
   Temperature, long-term condition: 15 to 30 C | Temperature, short-term condition: 0 to 50 C
   Relative humidity, long-term condition: 40% to 65% | Relative humidity, short-term condition: 10% to 95%
   Table 2-3 Environmental Requirements: Temperature and Humidity
   Caution: A sample of ambient temperature and humidity should be taken at 1.5 m above the floor and 0.4 m in front of the switch rack
13. Switch(Config)#logging on
   Switch(Config)#logging 100.100.100.5 facility local1
   Switch(Config)#logging source m_shell channel loghost level debugging state on
   Switch(Config)#logging source sys_event channel loghost level debugging state on
   Switch(Config)#logging logbuffered 1000
   Switch(Config)#logging source m_shell channel logbuff level warning state on
   5.6.4 System Log Troubleshooting
   5.6.4.1 Monitor and Debug Command
   5.6.4.1.1 show channel
   Command: show channel [console | monitor | logbuff | loghost]
   Function: Display brief information about the log channel.
   Parameters: console, the output channel is the console; monitor, the output channel is the user's terminal; logbuff, the output channel is the log buffer; loghost, the output channel is the log host.
   Command Mode: Privileged configuration mode
   Default: show channel without any parameter displays brief information about all channels.
   Relative Command: logging on
   5.6.4.1.2 show logging buffered
   Command: show logging buffered [<buffersize>]
   Function: Display detailed information about the log buffer channel.
   Parameters: <buffersize> is the number of log messages to display.
   Command Mode: Privileged configuration mode
   Default: 100 log messages are displayed when no parameter is given.
   Relative Command: logging on, show channel logbuff
   5.6.4.1.3 show logging lastFailureInfo
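The configuration above sends m_shell and sys_event messages to the loghost 100.100.100.5 with facility local1 and filters each channel by level. On the wire, a BSD syslog message (RFC 3164) carries facility and severity in one PRI field as facility * 8 + severity, so "facility local1" (code 17) with "level debugging" (7) gives PRI 143 and with "level warning" (4) gives PRI 140. The following added example, not vendor code, decodes the PRI of received lines and applies the same "this level or more severe" filter a channel applies; the sample lines are constructed and the switch's exact message text is not taken from the page.

```python
"""Added example (not vendor code): decode RFC 3164 PRI values as produced by
the 'facility local1' setting above and filter by channel level.  Sample log
lines are constructed for the example."""
import re
from typing import List, Optional, Tuple

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
# Severity 0..7; "level warning" in the CLI is index 4, "level debugging" is 7.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def severity_index(name: str) -> int:
    """Accept the CLI spelling (warning, debugging) or the RFC spelling (warnings)."""
    for idx, sev in enumerate(SEVERITIES):
        if sev.startswith(name.lower()):
            return idx
    raise ValueError(f"unknown severity {name!r}")


def pri(facility: str, severity: str) -> int:
    return FACILITIES[facility] * 8 + severity_index(severity)


def decode(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (facility, severity, message) or None for a missing/invalid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    value = int(m.group(1))
    if value > 191:                      # 23 facilities * 8 + 7 is the maximum
        return None
    return FACILITY_NAMES.get(value // 8, f"facility{value // 8}"), SEVERITIES[value % 8], m.group(2)


def channel_filter(lines: List[str], level: str, facility: str = "local1") -> List[str]:
    """Keep messages from `facility` at `level` or more severe (lower index),
    mirroring 'logging source ... channel loghost level <level> state on'."""
    limit = severity_index(level)
    kept = []
    for line in lines:
        d = decode(line)
        if d and d[0] == facility and SEVERITIES.index(d[1]) <= limit:
            kept.append(d[2])
    return kept


# Constructed samples in the form the loghost 100.100.100.5 would receive.
SAMPLES = [
    "<143>Mar 12 10:27:58 Switch m_shell: user admin logged in from 192.168.1.66",
    "<140>Mar 12 10:28:03 Switch sys_event: Ethernet0/0/7 link down",
    "<139>Mar 12 10:28:09 Switch sys_event: authentication failed for user admin",
    "<13>Mar 12 10:28:10 otherhost cron: job finished",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decode(line))
```

Keeping the facility distinct (local1 here) is what lets a shared collector separate this switch's records from other hosts' user or cron traffic before applying its own severity filter.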
14. Management Protocols and Methods
   CLI (command line)
   SNMP V1/V2C enabled, available through network management systems such as LinkManager
   Telnet management enabled
   RFC1757 RMON groups 1, 2, 3, 9
   MIB Library: RFC1213 MIB II; RFC1493 Bridge MIB; RFC1643 Ether-Like MIB; Private MIB
   1.3 Physical Specifications
   Item | SS2R24G4i | SS2R48G4i
   Weight | 2.25 kg | 3 kg
   Dimensions (mm) | 440 x 171.2 x 43 | 440 x 229 x 44
   Operating temperature | 0 C to 50 C
   Storage temperature | -40 C to 70 C
   Relative humidity | 10% to 90%, non-condensing
   AC power input | 100 to 240 VAC, 50/60 Hz
   Power consumption | 30 W max
   Mean time before failure | 80,000 hours
   Table 1-1 SS2R24/48G4i switch physical specification
   1.4 Product Appearance
   1.4.1 Product Front Panel View
   The SS2R24/48G4i switch front panel view is as follows: [figure: SS2R24G4i front panel view] [Fig. 1-4 SS2R48G4i switch front panel view]
   1.4.2 Product Back Panel View
   The SS2R24/48G4i switch back panel view is as follows: [Fig. 1-5 SS2R24G4i back panel view] [Fig. 1-6 SS2R48G4i back panel view]
   1.4.3 Status LEDs
   The LEDs of the SS2R24/48G4i switch include PWR, DIAG, Link/Act and 1000M. The LEDs are
15. Switch | Port | Attributes
   SW1 | 0/0/7 | 10M, full
   SW2 | 0/0/8-9 | 10M, full, mirror source ports
   SW2 | 0/0/24 | 100M, full, mirror destination port
   SW3 | 0/0/10 | 10M, full
   The configurations are listed below.
   SW1:
   Switch1(Config)#interface ethernet 0/0/7
   Switch1(Config-Ethernet0/0/7)#speed-duplex force10-full
   SW2:
   Switch2(Config)#interface ethernet 0/0/8-9
   Switch2(Config-Port-Range)#speed-duplex force10-full
   Switch2(Config-Port-Range)#exit
   Switch2(Config)#interface ethernet 0/0/24
   Switch2(Config-Ethernet0/0/24)#speed-duplex force100-full
   Switch2(Config-Ethernet0/0/24)#exit
   Switch2(Config)#monitor session 1 source interface ethernet 0/0/8-9
   Switch2(Config)#monitor session 1 destination interface ethernet 0/0/24
   SW3:
   Switch3(Config)#interface ethernet 0/0/10
   Switch3(Config-Ethernet0/0/10)#speed-duplex force10-full
   7.4 Port Troubleshooting
   7.4.1 Monitor and Debug Command
   7.4.1.1 clear counters ethernet
   Command: clear counters ethernet <interface-list>
   Function: Clear the counter information of the Ethernet interface.
   Parameters: <interface-list> is the port ID of the Ethernet interface.
   Command Mode: Admin Mode
   Default: The counter information of the Ethernet interface is not deleted.
   7.4.1.2 show interface ethernet
   Command: show interface ethernet <interface-list>
   Function: Display the information of the specified ports on the switch.
   Parameters: <interface-list> is the po
16. [Fig. 4-9 Shell Configuration Modes of the SS2R24/48G4i switch; modes visible in the figure residue: DHCP address pool configuration mode, Route configuration, ACL configuration]
   4.2.1.1.1 User Mode
   On entering the CLI, the user enters the system first. A common user is defaulted to User Mode. The prompt shown is "Switch>"; the symbol ">" is the prompt for User Mode. When the exit command is run under Admin Mode, it also returns to User Mode. Under User Mode no configuration of the switch is allowed; only the clock time and version information of the switch can be queried.
   4.2.1.1.2 Admin Mode
   When the enable command is used under User Mode, the user enters Admin Mode. An Admin user entering the system is defaulted to Admin Mode. Admin Mode, with prompt "Switch#", can be entered from User Mode by running the enable command and entering the admin user password for the corresponding access level, if a password has been set. When the exit command is run under Global Mode, it also returns to Admin Mode. The SS2R24/48G4i switch also provides a shortcut key sequence, Ctrl+Z, which allows an easy way to exit to Admin Mode from any configuration mode except User Mode. Under Admin Mode the user can query the switch configuration information, connection status and traffic statistics of all ports, and the user can further enter Global Mode from Admin Mode to modify all configurations of the switch. For
17. ... View-based Access Control Model. The SNMP protocol provides a simple way of exchanging network management information between two points in the network. SNMP employs a polling mechanism of message query and transmits messages over UDP, a connectionless transport-layer protocol; therefore it is well supported by existing computer networks. SNMP employs a station/agent model. There are two parts in this structure: the NMS (Network Management Station) and the Agent. The NMS is the workstation on which the SNMP client program runs; it is the core of SNMP network management. The Agent is the server software that runs on the devices that need to be managed. The NMS manages all managed objects through Agents. The switch supports the Agent function. Communication between the NMS and the Agent works in client/server mode by exchanging standard messages: the NMS sends requests and the Agent responds. There are seven types of SNMP messages: Get-Request, Get-Response, Get-Next-Request, Get-Bulk-Request, Set-Request, Trap and Inform-Request. The NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages, and the Agent, upon receiving the requests, replies with Get-Response messages. In some special situations, such as network device ports going up or down or the network topology changing, Agents can send Trap messages to the NMS to report the abnormal events. Besides, the NMS can also be set to alert on some abnormal events by enabling RM
18. ... and the PC address is 192.168.1.66/24, and TFTP upgrade is selected, the configuration should look like this:
   [Boot]: setconfig
   Host IP Address: [10.1.1.1] 192.168.1.189
   Server IP Address: [10.1.1.2] 192.168.1.101
   FTP(1) or TFTP(2): [1] 2
   Network interface configure OK!
   [Boot]:
   Step 4: Enable the FTP/TFTP server on the PC. For TFTP, run the TFTP server program; for FTP, run the FTP server program. Before starting to download the upgrade file to the switch, verify connectivity between the server and the switch by pinging from the server. If ping succeeds, run the load command in BootROM mode on the switch; if it fails, troubleshoot to find the cause. The following is the output for loading the system update image file:
   Loading... entry = 0x10010, size = 0x1077f8
   Step 5: Execute write nos.img in BootROM mode. The following saves the system update image file:
   [Boot]: writeimg
   Programming...
   Program OK.
   [Boot]:
   Step 6: After a successful upgrade, execute the run command in BootROM mode to return to the CLI configuration interface.
   5.5.2 FTP/TFTP Upgrade
   5.5.2.1 Introduction to FTP/TFTP
   FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) are both file transfer protocols belonging to the fourth layer (application layer) of the TCP/IP protocol stack, used for transferring files between hosts, and between hosts and switches. Both transfer files in a client/server model. Their differences are listed below. FTP builds u
19. ... host-destination <destination-host-ip> | any-destination}
   Configure the rule used in destination control. The rule only takes effect when applied to a specified source IP, VLAN-MAC, or port. Prefixing the command with no deletes the specified rule.
   The last step is to apply the rule to a specified source IP, source VLAN-MAC, or port. Note that, as stated above, the rules can be used globally only after IGMP snooping is enabled; otherwise only source IP rules can be used in the IGMP protocol. If source IP, VLAN-MAC and specified port rules are all configured, the rules are matched against messages in the sequence VLAN-MAC, source IP, specified port. The following are the commands to configure:
   Command | Explanation
   Port configuration mode: [no] ip multicast destination-control access-group <6000-7999>
   Apply the destination control rule to a port; prefixing the command with no cancels the configuration.
   Global configuration mode: [no] ip multicast destination-control <1-4094> <macaddr> access-group <6000-7999>
   Apply the destination control rule to a specified VLAN-MAC; prefixing the command with no cancels the configuration.
   [no] ip multicast destination-control <source>
   Apply the destination control rule to a specified source IP
20. ... host-source-mac <host_smac> | <smac> <smac-mask>}
   Creates a numbered standard MAC access list; if the access list already exists, a rule is added to the current access list.
   no access-list <num>
   The no access-list <num> command deletes a numbered standard MAC access list.
   6. Creating a numbered MAC extended access list
   Command | Explanation
   Global Mode: access-list <num> {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} [untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3] [<offset1> <length1> <value1> [<offset2> <length2> <value2> [<offset3> <length3> <value3> [<offset4> <length4> <value4>]]]]
   no access-list <num>
   Creates a numbered MAC extended access list; if the access list already exists, a rule is added to the current access list. The no access-list <num> command deletes a numbered MAC extended access list.
   7. Configuring a name-based extended MAC access list
   a. Create a name-based extended MAC access list
   Command | Explanation
   Global Mode: mac-access-list extended <name> / no mac-access-list extended <name>
   Creates an extended name-based MAC access list
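The rule shapes in excerpts 1, 4 and 20 share one matching model: an address is given either as any, as a host, or as a value plus a mask/wildcard, and a packet is checked against an ordered list of permit/deny rules. The following added example, written for this page and not taken from the vendor, evaluates constructed packets against a small list built from those shapes (standard IP rules with <sIpAddr> <sMask>, and extended MAC-ICMP rules with <smac> <smac-mask>, <destination> <destination-wildcard> and <icmp-type>). Two points are assumptions, since the page does not state them: masks are treated as wildcards where a set bit means "don't care" (so a host rule is an all-zero mask and any is an all-one mask), and a packet matching no rule is denied.

```python
"""Added worked example for this page (not the switch vendor's code): evaluates
packets against the rule shapes the manual describes.

Assumptions not stated on the page: masks are wildcard masks (a set bit means
"don't care"); rules are matched first-match in list order; a packet matching
no rule is denied.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

ANY = "any"


def mac_to_int(mac: str) -> int:
    """Accept 00-12-34-56-78-9a, 00:12:34:56:78:9a or 0012.3456.789a."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def ip_to_int(ip: str) -> int:
    return int(IPv4Address(ip))


@dataclass(frozen=True)
class Match:
    """<value> <wildcard>: bits set in wildcard are ignored when comparing."""
    value: int
    wildcard: int

    def test(self, x: int) -> bool:
        return (x & ~self.wildcard) == (self.value & ~self.wildcard)


def ip_match(spec: str, wildcard: str = "0.0.0.0") -> Match:
    """ip_match("any"), ip_match(host_ip) or ip_match(addr, wildcard)."""
    if spec == ANY:
        return Match(0, 0xFFFFFFFF)
    return Match(ip_to_int(spec), ip_to_int(wildcard))


def mac_match(spec: str, mask: str = "00-00-00-00-00-00") -> Match:
    """mac_match("any"), mac_match(host_mac) or mac_match(mac, mask)."""
    if spec == ANY:
        return Match(0, 0xFFFFFFFFFFFF)
    return Match(mac_to_int(spec), mac_to_int(mask))


@dataclass(frozen=True)
class Packet:
    smac: str
    dmac: str
    sip: str
    dip: str
    proto: str                       # "icmp", "igmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None  # also stands in for <igmp-type>
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" | "deny"
    sip: Match
    dip: Match = field(default_factory=lambda: ip_match(ANY))
    smac: Match = field(default_factory=lambda: mac_match(ANY))
    dmac: Match = field(default_factory=lambda: mac_match(ANY))
    proto: Optional[str] = None      # None = any protocol (standard IP rule)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.icmp_code is not None and p.icmp_code != self.icmp_code:
            return False
        return (self.smac.test(mac_to_int(p.smac))
                and self.dmac.test(mac_to_int(p.dmac))
                and self.sip.test(ip_to_int(p.sip))
                and self.dip.test(ip_to_int(p.dip)))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule decides; no match -> deny (assumed implicit deny)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed list, in the manual's terms roughly:
#   deny 00-12-34-00-00-00 00-00-00-ff-ff-ff any-destination-mac icmp any-source 192.168.1.0 0.0.0.255 8
#   permit 10.1.0.0 0.0.255.255
EXAMPLE_ACL = [
    Rule("deny", sip=ip_match(ANY), dip=ip_match("192.168.1.0", "0.0.0.255"),
         smac=mac_match("00-12-34-00-00-00", "00-00-00-ff-ff-ff"),
         proto="icmp", icmp_type=8),
    Rule("permit", sip=ip_match("10.1.0.0", "0.0.255.255")),
]

if __name__ == "__main__":
    ping = Packet("00-12-34-56-78-9a", "00-aa-bb-cc-dd-ee", "10.1.2.3", "192.168.1.5", "icmp", 8, 0)
    print(evaluate(EXAMPLE_ACL, ping))
```

Because matching stops at the first hit, an echo request from the masked MAC prefix toward 192.168.1.0/24 is dropped while the echo reply (type 0) from the same host falls through to the permit, which is the ordering question to settle before typing rules into the switch.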
21. ... number range 1 to 12; DD is the day, number range 1 to 31.
   Command mode: Privileged configuration mode
   Default: The default date is 2001 Jan 01, 00:00:00.
   Relative command: show clock
   5.1.2 config
   Command: config [terminal]
   Function: Switch from Admin Mode to Global Mode.
   Parameter: terminal, to configure from the terminal.
   Command mode: Admin Mode
   exec-timeout
   Command: exec-timeout <minutes>
   Function: Configure the timeout after which privileged configuration mode is quit.
   Parameter: <minutes> is the time in minutes; the range is 0 to 300.
   Command mode: Global Mode
   Default: The default time is 5 minutes.
   5.1.3 exit
   Command: exit
   Function: Quit the current mode and return to the previous mode. With this command, users in Global Mode return to Admin Mode, and users in Admin Mode return to User Mode.
   Command mode: All Modes
   5.1.4 help
   Command: help
   Function: Output a brief description of the command interpreter help system.
   Command mode: All Modes
   5.1.5 ip host
   Command: ip host <hostname> <ip_addr> / no ip host <hostname>
   Function: Set the mapping between a host name and an IP address; the no ip host form of this command deletes the mapping.
   Parameter: <hostname> is the host name, up to 15 characters; <ip_addr> is the corresponding IP address for the host name, in dotted-decimal format.
   Command mode: Global Mode
   Relative co
22. ... password.
   Command mode: Global Mode
   Default: There is no SSH username and password by default.
   5.2.3.3.3 ssh-server timeout
   Command: ssh-server timeout <timeout> / no ssh-server timeout
   Function: Configure the timeout value for SSH authentication; the no ssh-server timeout command restores the default timeout value for SSH authentication.
   Parameter: <timeout> is the timeout value; the valid range is 10 to 600 seconds.
   Command mode: Global Mode
   Default: The SSH authentication timeout is 180 seconds by default.
   5.2.3.3.4 ssh-server authentication-retries
   Command: ssh-server authentication-retries <authentication-retries> / no ssh-server authentication-retries
   Function: Configure the number of times SSH authentication may be retried; the no ssh-server authentication-retries command restores the default.
   Parameter: <authentication-retries> is the number of authentication retries; the valid range is 1 to 10.
   Command mode: Global Mode
   Default: The number of SSH authentication retries is 3 by default.
   5.2.3.3.5 ssh-server host-key create rsa
   Command: ssh-server host-key create rsa [modulus <modulus>]
   Function: Generate a new RSA host key.
   Parameter: modulus is the modulus used to compute the host key; the valid range is 768 to 2048. The default value is 1024.
   Command mode: Global Mode
   Default: The system uses the key generated when the ssh-server is started at
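Three of the ssh-server parameters above decide how exposed the management plane is: the authentication timeout (10 to 600 s, default 180), the retry count (1 to 10, default 3) and the RSA host key modulus (768 to 2048 bits, default 1024). The caveat a practitioner wants here is that a 768-bit RSA modulus was publicly factored in 2009 and 1024-bit RSA is disallowed by NIST for new signatures, so the only acceptable value in the platform's range is its maximum, 2048. The following added checker, not vendor code, reads the applied ssh-server commands and reports weak or out-of-range settings. It assumes the hyphenated command spelling (ssh-server timeout <timeout>, ssh-server authentication-retries <n>, ssh-server host-key create rsa modulus <modulus>), since the extract above lost its punctuation; the two configurations are constructed.

```python
"""Added example (not vendor code): lint the ssh-server settings documented
above.  Assumed command spelling: 'ssh-server timeout <timeout>',
'ssh-server authentication-retries <n>', 'ssh-server host-key create rsa
[modulus <modulus>]'.  Ranges and defaults are the manual's."""
import re
from typing import Dict, List

LIMITS = {  # (min, max, default) per the manual
    "timeout": (10, 600, 180),
    "authentication-retries": (1, 10, 3),
    "modulus": (768, 2048, 1024),
}
RULES = [
    (re.compile(r"^ssh-server timeout (\d+)$"), "timeout"),
    (re.compile(r"^ssh-server authentication-retries (\d+)$"), "authentication-retries"),
    (re.compile(r"^ssh-server host-key create rsa(?: modulus (\d+))?$"), "modulus"),
]


def parse_ssh_settings(config: str) -> Dict[str, int]:
    """Collect ssh-server values from the applied commands; defaults fill the gaps.
    'host-key create rsa' without a modulus means the manual's default of 1024."""
    values = {k: v[2] for k, v in LIMITS.items()}
    for line in config.splitlines():
        line = line.strip()
        for rx, key in RULES:
            m = rx.match(line)
            if m:
                values[key] = int(m.group(1)) if m.group(1) else LIMITS[key][2]
    return values


def lint_ssh(config: str) -> List[str]:
    v = parse_ssh_settings(config)
    findings = []
    for key, (lo, hi, _) in LIMITS.items():
        if not lo <= v[key] <= hi:
            findings.append(f"{key}={v[key]} is outside the platform range {lo}-{hi}")
    if v["modulus"] < 2048:
        findings.append(f"RSA host key modulus {v['modulus']} is below 2048 bits; regenerate with "
                        "'ssh-server host-key create rsa modulus 2048'")
    if v["authentication-retries"] > 3:
        findings.append(f"authentication-retries={v['authentication-retries']} widens password "
                        "guessing; keep the default 3 or lower")
    if v["timeout"] > 180:
        findings.append(f"timeout={v['timeout']}s holds unauthenticated sessions open longer "
                        "than the default 180 s")
    return findings


# Constructed configurations: the weak settings the ranges permit, and a hardened set.
WEAK_CONFIG = """
ssh-server enable
ssh-server timeout 600
ssh-server authentication-retries 10
ssh-server host-key create rsa modulus 768
"""
HARDENED_CONFIG = """
ssh-server enable
ssh-server timeout 60
ssh-server authentication-retries 2
ssh-server host-key create rsa modulus 2048
"""

if __name__ == "__main__":
    for finding in lint_ssh(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", lint_ssh(HARDENED_CONFIG))
```

Note that the default install already fails the modulus check: a switch that has never had ssh-server host-key create rsa modulus 2048 run on it is serving a 1024-bit host key, which is the finding the checker emits for an otherwise default configuration.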
23. ... the SS2R24/48G4i switch provides a unique function to manage and set the IP addresses of workstations, enabling the switch to automatically filter invalid remote network management access and guaranteeing the efficiency, security and coherence of remote network management access.
   1.1.3 Main Features
   - Applies store-and-forward switching to ensure block-free transmission.
   - All RJ-45 ports support MDI/MDI-X auto-adaptation and can be conveniently cascade-connected to other switches using straight-through twisted pair.
   - Provides a console port.
   - Allows users to check the working state and statistics of ports.
   - Can be rebooted locally and remotely to reset the switch to the default configuration.
   - Can update the firmware using TFTP/FTP.
   - Can be mounted in a standard 19-inch rack.
   1.2 Technical Specifications
   Protocols and Standards: IEEE 802.3 10BASE-T Ethernet; IEEE 802.3u 100BASE-TX/FX Fast Ethernet; IEEE 802.3x flow control; IEEE 802.1x access control; IEEE 802.1D/w Spanning Tree; IEEE 802.1p Class of Service; IEEE 802.1Q VLAN; IEEE 802.3ad Link Aggregation; TFTP, FTP, DHCP, BootP, Telnet; IP, UDP, TCP, ICMP, HTTP, SNMP V1/V2C.
   Management Protocols and Methods: CLI (command line); SNMP V1/V2C enabled, available through network management systems such as LinkManager; Web and Telnet management enabled; RFC1757 RMON 1
24. ... with no protective panel covering the front and rear of the rack. Short-term working conditions refer to a maximum of 48 hours of continuous operation and an annual cumulative total of less than 15 days. Formidable operating conditions refer to the ambient temperature and relative humidity values that may occur during an air-conditioning system failure; normal operating conditions should be recovered within 5 hours.
   2.1.1.3 Power Supply
   The SS2R24/48G4i switch is designed to use modular switching power supplies. The power input specification is shown below.
   Nominal input voltage: AC 100 to 240 VAC
   Frequency: 50/60 Hz
   Total power consumption: less than 30 W
   Before powering on, check the power input to ensure proper grounding of the power supply system. The input source for the switch should be reliable and secure; a voltage adaptor can be used if necessary. The building's circuit protection system should include in the circuit a fuse or circuit breaker of no greater than 240 V, 10 A. It is recommended to use a UPS for a more reliable power supply.
   Caution: Improper grounding of the power supply system, extreme fluctuation of the input source, and transients or spikes can result in a higher error rate or even hardware damage.
   2.1.1.4 Preventing Electrostatic Discharge Damage
   Static electric discharges can damage internal circuits or even the entire switch. Follow these guidelines for avoiding
25. 5.2.5 Show ... 44
5.2.6 Debug ... 46
5.3 CONFIGURE THE IP ADDRESS OF THE SWITCH ... 46
5.4 SNMP CONFIGURATION ... 48
5.4.1 Introduction to SNMP ... 48
5.4.2 Introduction to MIB ... 49
5.4.3 Introduction to RMON ... 50
5.4.4 SNMP Configuration ... 50
5.4.5 Typical SNMP Configuration Examples ... 52
5.4.6 SNMP Troubleshooting ... 53
5.5 SWITCH UPGRADE ... 56
5.5.1 BootROM Upgrade ... 57
5.5.2 FTP/TFTP Upgrade ... 58
5.6 THE THREE-LEVEL SWITCH OF LOG MESSAGE ... 61
5.6.1 Introduction to the System Log ... 61
5.6.2 Configuring the System Log ... 63
5.6.3 System Log Configuration Example
5.6.4 System Log Troubleshooting
5.7 CLASSIFIED CONFIGURATION
8.1 INTRODUCTION TO MAC TABLE
8.1.1 Obtaining MAC Table
8.1.2 Forward or Filter
8.2 COMMANDS FOR MAC ADDRESS TABLE CONFIGURATION
8.2.1 mac-address-table aging-time
8.2.2 mac-address-table
8.5 MAC ADDRESS FUNCTION EXTENSION
8.5.1 MAC Address Binding
9.1 INTRODUCTION TO VLAN
9.2 VLAN CONFIGURATION
9.3 DOT1Q TUNNEL CONFIGURATION
9.3.1 Dot1q Tunnel Introduction
9.3.2 Configuration Task Sequence of Dot1q Tunnel
9.3.3 Typical Applications of the Dot1q Tunnel
9.3.4 Dot1q Tunnel Troubleshooting
9.4 PROTOCOL VLAN C
26. Binding Troubleshooting
Enabling MAC address binding for ports may fail on some occasions. Here are some possible causes and solutions:
- If MAC address binding cannot be enabled for a port, make sure the port is not enabling Spanning Tree or port aggregation and is not configured as a Trunk port. MAC address binding is exclusive to such configurations; if MAC address binding is to be enabled, the functions mentioned above must be disabled first.
- If a secure address is set as a static address and then deleted, that secure address will be unusable even though it exists. For this reason it is recommended to avoid static addresses for ports enabling MAC address binding.
- Users might find that some devices connected to ports configured with the MAC address binding function cannot transmit data. If so, please check whether the MAC addresses of these devices have been transformed into secure MACs; if not, even though the switch has learnt the MAC addresses of these devices, they cannot transmit data, because only secure MACs can transmit data when the port has enabled the MAC address binding function.

Chapter 9 VLAN Configuration
9.1 Introduction to VLAN
VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the phys
27. Command: show logging lastFailureInfo
Function: To display the abnormal information recorded in the flash.
Command Mode: Privileged configuration mode
Relative Command: erase logging lastFailureInfo

5.6.4.1.4 erase logging lastFailureInfo
Command: erase logging lastFailureInfo
Function: To erase the abnormal information recorded in the flash.
Command Mode: Privileged configuration mode
Relative Command: show logging lastFailureInfo

5.6.4.2 System Log Troubleshooting
Please check the following causes if any problem happens when using the system log:
- Check if the global log switch is on.
- Use the show channel command in privileged mode to check the state of each channel and the state of the modules in the filter items.

5.7 Classified Configuration
5.7.1 Introduction of Classified Configuration
In order to effectively protect the network, the switch allows users to log on as different identities to configure it, allows different passwords for those identities, and allows those identities to use different rights when configuring the switch. Right now the DCN switch provides visitor and admin as configuration levels. Their differences are listed as follows:

Identity to Log On | Configuration Rights
visitor | Most of the show commands and ping, traceroute, clear, etc.; config mode is not allowed on this level
admin | All of the commands

5.7.2 Configure the Classified Configuration
5
28. IP packets to pass.
access-list 100 used 1 time(s) | Numbered ACL 100 is used 1 time.
access-list 100 deny ip any-source any-destination | Deny IP packets of any source IP address and destination address to pass.
access-list 100 deny tcp any-source any-destination | Deny TCP packets of any source IP address and destination address to pass.
access-list 1100 permit any-source-mac any-destination-mac tagged-eth2 14 2 0800 | Permit tagged-eth2 packets with any source MAC address and any destination MAC address whose 15th and 16th bytes are 0x08 and 0x00 respectively to pass.
access-list 3100 permit any-source-mac any-destination-mac udp any-source s-port 100 any-destination d-port 40000 | Deny the passage of UDP packets with any source MAC address and destination MAC address, any source IP address and destination IP address, source port 100 and destination port 40000.

15.5.1.2 show access-group
Command: show access-group interface Ethernet <name>
Functions: Reveal the binding situation of ACLs on ports.
Parameters: <name>: interface name
Default: None
Command Mode: Admin mode
Displayed information | Explanation
interface name: Ethernet0/0/2 | Binding situation on port Ethernet0/0/2
IP Ingress access-list used is No. 111 | Numeric expansion ACL 111 is bound to the ingress of port Ethernet0/0/2
interface name: Ethernet0/0/1 | Binding situation on p
29. MAC addresses and the ports; dynamic learning is the process in which the switch learns the mapping between MAC addresses and ports and updates the MAC table regularly. In this section we will focus on the dynamic learning process of the MAC table.

In the topology of the figure above, 4 PCs are connected to the SS2R24/48G4i switch, where PC1 and PC2 belong to the same physical segment (same collision domain); that physical segment connects to port 5 of the switch. PC3 and PC4 belong to the same physical segment, which connects to port 12 of the switch. The initial MAC table contains no address mapping entries. Take the communication of PC1 and PC3 as an example; the MAC address learning process is as follows:
1. When PC1 sends a message to PC3, the switch receives the source MAC address 00-01-11-11-11-11 from this message; the mapping entry of 00-01-11-11-11-11 and port 5 is added to the switch MAC table.
2. At the same time the switch learns that the message is destined to 00-01-33-33-33-33. As the MAC table contains only a mapping entry of MAC address 00-01-11-11-11-11 and port 5, and no port mapping for 00-01-33-33-33-33 is present, the switch broadcasts this message to all the ports in the switch (assuming all ports belong to the default VLAN1).
3. PC3 and PC4 on port 12 receive the message sent by PC1, but PC4 will not reply, as the destination MAC address is 00-01-33-33-33-33; only PC3 will reply to PC1. When port 12 receives the messag
30. Moreover, cluster network management is an in-band management: the commander switch can communicate with member switches in the existing network, so there is no need to build a specific network for network management.

Cluster network management has the following features:
- Saves IP addresses
- Simplifies configuration tasks
- Indifferent to network topology and distance limitation
- Auto-detecting and auto-establishing
- With factory default settings, multiple switches can be managed through cluster network management
- The commander switch can upgrade and configure any member switch in the cluster

6.2 Cluster Network Management Configuration
6.2.1 Cluster Network Management Configuration Sequence
1. Enable or disable cluster function
2. Create cluster
   (1) Create or delete cluster
   (2) Configure private IP address pool for member switches of the cluster
   (3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
   (1) Enable or disable joining the cluster automatically
   (2) Set holdtime of heartbeat of the cluster
   (3) Set interval of sending heartbeat packets among the switches of the cluster
   (4) Clear the list of candidate switches discovered by the commander switch
4. Configure attributes of the cluster in the candidate switch
   (1) Enable or disable cluster
5. Remote cluster network management
   (1) Reboot member switch
   (2) Remote configuration man
31. 5.4.6.1.7 show snmp mib
Command: show snmp mib
Function: Display all MIBs supported by the switch.
Command Mode: Admin Mode

5.4.6.1.8 debug snmp packet
Command: debug snmp packet / no debug snmp packet
Function: Enable SNMP debugging; the no debug snmp packet command disables the debugging function.
Command Mode: Admin Mode

5.4.6.2 SNMP Troubleshooting
When users configure SNMP, the SNMP server may fail to run properly due to physical connection failure, wrong configuration, etc. Users can troubleshoot the problems by following the guide below:
- Good condition of the physical connection.
- The interface and data link layer protocol are Up (use the show interface command), and the connection between the switch and the host can be verified by ping (use the ping command).
- The switch has enabled the SNMP Agent server function (use the snmp-server command).
- The secure IP for the NMS (use the snmp-server securityip command) and the community string (use the snmp-server community command) are correctly configured; if any of them is wrong, SNMP will not be able to communicate with the NMS properly.
- If the Trap function is required, remember to enable Trap (use the snmp-server enable traps command) and remember to properly configure the target host IP address and community string for Trap (use the snmp-server host command) to ensure Trap messages can be sent to the specified host.
- If the RMON function is required, RMON must be enabled first (use
32. Switch(config-ClassMap)#exit
Switch(config)#policy-map p1
Switch(config-PolicyMap)#class c1
Switch(config-Policy-Class)#set ip precedence 5
Switch(config-Policy-Class)#exit
Switch(config-PolicyMap)#exit
Switch(config)#interface ethernet 0/0/1
Switch(Config-Ethernet0/0/1)#service-policy input p1

QoS configuration in Switch2:
Switch(config)#
Switch(config)#mls qos
Switch(config)#interface ethernet 0/0/1
Switch(config-Ethernet0/0/1)#mls qos trust cos

22.4 QoS Troubleshooting
22.4.1 QoS Monitor and Debug Command
22.4.1.1 show mls qos
Function: Displays global configuration information for QoS.
Parameters: N/A
Default: N/A
Command mode: Admin Mode
Displayed information | Explanation
Qos is enabled | QoS is enabled

22.4.1.2 show mls qos aggregate-policer
Command: show mls qos aggregate-policer <aggregate-policer-name>
Function: Displays policy set configuration information for QoS.
Parameters: <aggregate-policer-name> is the policy set name.
Default: N/A
Command mode: Admin Mode
Displayed information | Explanation
aggregate-policer policer1 80000 80 exceed-action drop | Configuration for this policy set
Not used by any policy map | Times that the policy set is being referred to

22.4.1.3 show mls qos interface
Command: show mls qos interface <interface-id> buffers | policers | queueing | statistics
Function: Displays QoS configuration
33. Udp Port | Port number and corresponding IP address (UDP)
Is Primary | Primary server or not
Is Server Dead | Down or not, and socket number
Socket No. |
Time Out | Displays the timeout value for the RADIUS server
Retransmit | Displays the retransmission times for the RADIUS server
Dead Time | Displays the down restoration time for the RADIUS server
Account Time Interval | Displays the accounting time interval

14.4.1.2 show aaa authenticated-user
Command: show aaa authenticated-user
Function: Displays the authenticated users online.
Command mode: Admin Mode

14.4.1.3 show aaa authenticating-user
Command: show aaa authenticating-user
Function: Display the authenticating users.
Command mode: Admin Mode

14.4.1.4 show radius count
Command: show radius authenticated-user | authenticating-user count
Function: Displays the statistics for users of RADIUS authentication.
Parameters: authenticated-user displays the authenticated users online; authenticating-user displays the authenticating users.
Command mode: Admin Mode

14.4.1.5 show dot1x
Command: show dot1x interface <interface-list>
Function: Displays dot1x parameter related information; if parameter information is added, the corresponding dot1x status for the corresponding port is displayed.
Parameters: <interface-list> is the port list. If no parameter is specified, information for all ports is displayed.
Command mode: Admin Mode
Displayed information | Explanation
34. any-source | host-source <sIpAddr>} [s-port <sPort>] {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [d-port <dPort>] [ack] [fin] [psh] [rst] [urg] [syn] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
Creates a numbered TCP extended IP access rule; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.

access-list <num> {deny | permit} udp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} [s-port <sPort>] {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [d-port <dPort>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
Creates a numbered UDP extended IP access rule; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.

access-list <num> {deny | permit} {eigrp | gre | igrp | ipinip | ip | <int>} {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> |
Creates a numbered IP extended IP access rule for another specific IP protocol or all IP protocols; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.
35. configured and is up, the system will generate a static address mapping entry in which the inherent MAC address corresponds to the VLAN or Layer 3 interface.

8.2.3 mac-address-table blackhole
Command: mac-address-table blackhole address <mac-addr> vlan <vlan-id> / no mac-address-table blackhole address <mac-addr> vlan <vlan-id>
Function: Add or modify filtering address entries; the no mac-address-table blackhole address <mac-addr> vlan <vlan-id> command deletes filtering address entries.
Parameters: <mac-addr>: MAC address to be added or deleted; <vlan-id>: VLAN number receiving the MAC data packet.
Command Mode: Global mode
Default: No filtering entries

8.2.4 clear mac-address-table dynamic
Command: clear mac-address-table dynamic address <hw_addr> vlan <vid> interface ethernet | port-channel <interface-name>
Function: Deletes dynamic address entries.
Parameters: <mac-addr>: MAC address to be deleted; <interface-name>: name of the port transmitting the MAC data packet; <vlan-id>: VLAN number receiving the MAC data packet.
Command Mode: Admin mode
Default: None

8.3 Typical Configuration Example
Scenario: Four PCs, as shown in the above figure, connect to ports 5, 7, 9 and 11 of the switch; all four PCs belong to the default VLAN1. As required by the network environment, dynamic learning is enabled. PC1 holds sensitive data a
36. control by granting or denying access through the switches, effectively safeguarding the security of networks. The user can lay down a set of rules according to some information specific to packets; each rule describes the action for a packet with certain information matched: permit or deny. The user can apply such rules to the incoming or outgoing direction of switch ports, so that data streams in the specific direction of the specified ports must comply with the ACL rules assigned.

15.2 Access-list
An access-list is a sequential collection of conditions that corresponds to a specific rule. Each rule consists of filter information and the action taken when the rule is matched. The information included in a rule is the effective combination of conditions such as source IP, destination IP, IP protocol number and TCP port. Access-lists can be categorized by the following criteria:
- Filter information based criterion: IP access-list (layer 3 or higher information), MAC access-list (layer 2 information) and MAC-IP access-list (layer 2 or layer 3 or higher).
- Configuration complexity based criterion: standard and extended; the extended mode allows more specific filtering of information.
- Nomenclature based criterion: numbered and named.
The description of an ACL should cover the above three aspects.

15.2.1 Access-group
When a set of access-lists has been created, they can be applied to traffic of any direction on all ports. An access-group is the description of the bind
37. eight egress queues.
WRR: Weighted Round Robin.
In-Profile: Traffic within the QoS policing policy range (bandwidth or burst value) is called In-Profile.
Out-of-Profile: Traffic outside the QoS policing policy range (bandwidth or burst value) is called Out-of-Profile.

22.1.2 QoS Implementation
To implement switch software QoS, a general, mature reference model should be given. QoS cannot create new bandwidth, but it can maximize the adjustment and configuration of the current bandwidth resource. Fully implemented QoS can achieve complete management over the network traffic. The following is as accurate as possible a description of QoS.

The data transfer specifications of IP cover only the addresses and services of source and destination, and ensure correct packet transmission using OSI layer 4 or above protocols such as TCP. However, rather than provide a mechanism for providing and protecting packet transmission bandwidth, IP provides bandwidth service by best effort. This is acceptable for services like Mail and FTP, but for the increasing multimedia business data and e-business data transmission, this best-effort method cannot satisfy the bandwidth and low-lag requirement.

Based on differentiated service, QoS specifies a priority for each packet at the ingress. The classification information is carried in the Layer 3 IP packet header or the Layer 2 802.1Q frame header. QoS provides the same service to packets of the same priority, while offering different opera
38. enters. IGMP snooping can use all three methods, while IGMP, since it is at layer 3, can only control according to the source IP address of the message.

The service-priority-oriented multicast policy of DCSCM technology adopts the following method: for the multicast data within a limited range, the user-specified priority is set at the access point, making the data be transmitted on the TRUNK at a higher priority and thus ensuring the data is transmitted through the whole network at the user-specified priority.

13.2 DCSCM Configuration
13.2.1 DCSCM Configuration Task Sequence
1. Configuration of source control
2. Configuration of destination control
3. Configuration of multicast policy

1. Configuration of source control
Configuration of source control can be divided into three parts. The first is to enable the source control globally; the following is the command to do this.
Command | Explanation
Global configuration mode
ip multicast source-control / no ip multicast source-control | Enable the source control globally; the no ip multicast source-control command will disable the source control globally. What calls for attention is that after the global source control is enabled, all the multicast messages will be dumped by default. All the source control configuration can only be done after it is enabled globally, and only when all the configured rules have been disabled can the
39. interface <Interfacename> detail
show ip multicast destination-control host-address <ipaddress> detail
show ip multicast destination-control <vlan-id> <mac-address> detail
Function: To display the multicast destination control configuration.
Parameters: detail: whether to display detailed information; <Interfacename>: interface name, like Ethernet 0/0/1 or port-channel 1 or ethernet 0/0/1.
Default Settings: None
Command Mode: Admin Mode

13.4.2 DCSCM Troubleshooting
The DCSCM module has a similar function to ACL; the problems usually relate to incorrect configuration. Please read the instructions above carefully. If you still cannot pin down the cause of the problems, please send your configuration and the error messages to our technical support, contact support@amer.com.

Chapter 14 802.1x Configuration
14.1 Introduction to 802.1x
IEEE 802.1x is a port-based network access management method which authenticates and manages the accessing devices at the physical access level of the LAN device. The physical access level here means the ports of the switch. If the users' devices connected to such ports can be authenticated, access to resources in the LAN is allowed; otherwise access will be denied, which is essentially the same as disconnecting physically.

IEEE 802.1x defines a port-based network access management protocol. It should be noted that the protocol applies to point-to-po
40. interfaces of the same VLAN, or no layer 2 interfaces. At least one of the Layer 2 interfaces contained in a Layer 3 interface should be in the UP state for the Layer 3 interface to be in the UP state; otherwise the Layer 3 interface will be in the DOWN state. All Layer 3 interfaces in the switch use the same MAC address; this address is selected from the reserved MAC addresses on creating a Layer 3 interface. A Layer 3 interface is the base for layer 3 protocols. The switch can use the IP address set in a layer 3 interface to communicate with other devices via IP. The switch can forward IP packets between different Layer 3 interfaces.

23.1.2 Layer 3 Interface Configuration
23.1.2.1 Layer 3 Interface Configuration Task Sequence
1. Create Layer 3 Interface
2. Set the default gateway address of the switch

1. Create Layer 3 Interface
Command | Explanation
Global Mode
interface vlan <vlan-id> / no interface vlan <vlan-id> | Create a VLAN interface (a VLAN interface is a Layer 3 interface); the no interface vlan <vlan-id> command deletes the VLAN interface (Layer 3 interface) created in the switch.

2. Set the default gateway address of the switch
Global Mode
ip route 0.0.0.0 0.0.0.0 <gateway> / no ip route 0.0.0.0 0.0.0.0 <gateway> | Set the default gateway address of the switch; prefixing this command with no will delete the default gateway address.

23.2 ARP
23.2.1 I
41. located on the front panel for easy viewing and shown below.

Description of LEDs
Fig. 1-7 SS2R24G4i switch LEDs (front panel: Link/ACT LEDs for ports 1-28, PWR LED)

LED | State | Description
Link/ACT | Blink | The port is successfully linked and is sending/receiving data right now
Link/ACT | Off | The state of the port is down
Link/ACT | On | Link succeeds
1000M indicator lamp | On | The corresponding G port is in 1000M connecting mode
1000M indicator lamp | Off | The corresponding G port is in 100M connecting mode or in down state
Power | On | Power on
Power | Off | Power off
DIAG | Green blink | The program is initializing
DIAG | On | The program has been initialized successfully
DIAG | Yellow blink | The initialization of the program has failed
Table 1-2 Description of LEDs in SS2R24G4i/SS2R48G4i Switch

The SS2R48G4i switch does not have the 1000M LED. The Link/ACT LED of its 100M port is above the corresponding port, while the Link/ACT LED of its 1000M port is on the right of the corresponding port.

Chapter 2 Hardware Installation
2.1 Installation Notice
To ensure the proper operation of the SS2R24/48G4i switch and your physical security, please read carefully the following installation guide.
2.1.1 Environmental Requirements
- The switch must be installed in a clean area. Othe
42. <host_dmac> | <dmac> <dmac-mask>} icmp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Creates a numbered MAC-ICMP extended MAC-IP access rule; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.

access-list <num> {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} igmp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Creates a numbered MAC-IGMP extended MAC-IP access rule; if the numbered extended access list of the specified number does not exist, then an access list will be created using this number.

access-list <num> {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destinat
43. <multicast-IPAddress> interface ethernet | port-channel <interfaceName> command will cancel the configuration.
static-group <multicast-IPAddress> interface ethernet | port-channel <interfaceName>

11.3 IGMP Snooping Examples
Scenario 1: IGMP Snooping function
Fig. 11-1 Enabling IGMP Snooping function
Example: As shown in the above figure, VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to port 1. IGMP Snooping is disabled by default, both in the switch and in the VLANs. If IGMP Snooping should be enabled in VLAN 100, IGMP Snooping should first be enabled for the switch in Global Mode and in VLAN 100, and port 1 of VLAN 100 should be set to be the M-Router port. The configuration steps are listed below:
switch(config)#
switch(config)#ip igmp snooping
switch(config)#ip igmp snooping vlan 100
switch(config)#ip igmp snooping vlan 100 mrouter-port interface ethernet 0/0/1

Multicast Configuration
Assume that there are two multicast servers, Multicast Server 1 and Multicast Server 2. Multicast Server 1 provides program 1 and program 2, while Multicast Server 2 provides program 3, and they use group addresses Group1, Group2 and Group3 respectively. There are four hosts running multicast application software simultaneously; the tw
44. <source-wildcard> address/mask; prefixing the access-group <6000-7999> command with NO will cancel the configuration.

3. Configuration of multicast policy
Multicast policy satisfies the demand of special users by designating a priority for specified multicast data. What calls for attention is that multicast data can only be given special treatment when it is transmitted on a TRUNK. The following is the command to configure (set) a priority for the specified multicast:
Command | Explanation
Global configuration mode
[no] ip multicast policy <source> <source-wildcard> <destination> <destination-wildcard> cos <priority> | Configure the multicast policy: set the priority for sources within a special range. The range of priority is <0-7>.

13.3 DCSCM Typical Examples
1. Source control
To prevent a boundary switch from sending multicast data freely, we configure on the boundary switch that only the switch connected to port Ethernet0/0/5 is allowed to send multicast data, and the group of the data has to be 225.1.2.3. But the uplink port Ethernet0/0/25 can forward multicast data without limitation. The following is the configuration we can make:
Switch(Config)#access-list 5000 permit ip any host 225.1.2.3
Switch(Config)#access-list 5001 permit ip any any
Switch(Config)#ip multicast source-control
Switch(Config)#interface Ethernet0/0/5
Switch(Config-If-Ethernet0/0/5)#ip multicast source
45. node and can be used to locate the node in a MIB tree structure, shown in the figure below.
Fig. 5-1 ASN.1 Tree Instance (Root; Node 1, Node 2; Object 1, Object 2, Object A)

In this figure, the OID of object A is 1.2.1.1. The NMS can locate this object through this unique OID and get the standard variables of the object. MIB defines a set of standard variables for monitored network devices by following this structure.

If the variable information of the Agent MIB needs to be browsed, the MIB browse software needs to be run on the NMS. The MIB in the Agent usually consists of public MIB and private MIB. The public MIB contains public network management information that can be accessed by all NMSs; the private MIB contains specific information which can be viewed and controlled with the support of the manufacturers.

MIB-I (RFC1156) is the first implemented public MIB of SNMP and is replaced by MIB-II (RFC1213). MIB-II expands MIB-I and keeps the OIDs of the MIB tree in MIB-I. MIB-II contains sub-trees which are called groups. Objects in those groups cover all the functional domains in network management. The NMS obtains the network management information by visiting the MIB of the SNMP Agent.

The switch can operate as an SNMP Agent and supports both SNMP v1/v2c and SNMP v3. The switch supports basic MIB-II, RMON public MIB and other public MIBs such as BRIDGE MIB. Besides, the switch supports a self-defined private MIB.
46. normal data forwarding. The alternate port, backup port and disabled port are not part of the active topology; they do not conduct address learning or data forwarding.

10.2 RSTP Configuration
10.2.1 RSTP Configuration Task Sequence
1. Start up RSTP and configure running mode
Command | Explanation
Global configuration mode and Port configuration mode
spanning-tree / no spanning-tree | Start up RSTP; the no spanning-tree command closes the RSTP function.
Global mode
spanning-tree mode rstp | stp / no spanning-tree mode | Configure the RSTP running mode; the no spanning-tree mode command restores the default configuration.
Port mode
spanning-tree mcheck | Force the port to run in RSTP mode.

2. Control RSTP elected active topology
Command | Explanation
Global configuration mode
spanning-tree priority <bridge-priority> / no spanning-tree priority | Configure switch priority; the no spanning-tree priority command restores the default configuration.
Port mode
spanning-tree cost <cost> / no spanning-tree cost | Configure Ethernet port path cost; the no spanning-tree cost command restores the default configuration.
spanning-tree port-priority <port-priority> / no spanning-tree port-priority | Configure port priority; the no spanning-tree port-priority command restores the default configuration.

3. Configure RSTP network diameter and time par
47. packets; internal represents internal details; userbased represents the user-based information; all represents all the detailed information; <InterfaceName> is the name of the interface.

14.4.1.12 debug dot1x fsm
Command: debug dot1x fsm asm | aksm | ratsm | basm | all interface ethernet <InterfaceName> / no debug dot1x fsm asm | aksm | ratsm | basm | all interface ethernet <InterfaceName>
Function: Enable the finite state machine debug information of dot1x; the no debug dot1x fsm asm | aksm | ratsm | basm | all interface ethernet <InterfaceName> command disables the finite state machine debug information of dot1x.
Command Mode: Admin Mode
Parameters: asm represents the authenticator state machine information; aksm represents the authenticator key transmission state machine state; ratsm represents the reauthentication timer state machine information; basm represents the background authentication state machine information; all represents all the state machine information; <InterfaceName> is the name of the interface.

14.4.2 802.1x Troubleshooting
It is possible that 802.1x is configured on ports and 802.1x authentication is set to auto, but the switch cannot get to the authenticated state after the user runs the 802.1x supplicant software. Here are some possible causes and solutions:
- If 802.1x cannot be enabled for a port, make sure the port is not executing Spanning Tree or MAC binding, or configured as a Trunk port or for port
48. port 0/0/20. PC1 and PC2 connect to port 0/0/15 and respectively; switchB connects to switchA via port. VLAN 20 is a multicast VLAN. By configuring the multicast VLAN we can make PC1 and PC2 receive multicast data via the multicast VLAN. The following configuration is based on the assumption that the IP address of switchA has been configured and the devices are connected correctly. The following is the configuration procedure:
switchA(config)#
switchA(config)#vlan 10
switchA(config-vlan10)#switchport access ethernet
switchA(config-vlan10)#exit
switchA(config)#interface vlan 10
switchA(Config-if-Vlan10)#ip pim dense-mode
switchA(Config-if-Vlan10)#exit
switchA(config)#vlan 20
switchA(config-vlan20)#multicast-vlan
switchA(config-vlan20)#exit
switchA(config)#ip igmp snooping
switchA(config)#ip igmp snooping vlan 20
switchA(config)#interface vlan 20
switchA(Config-if-Vlan20)#ip pim dense-mode
switchA(Config-if-Vlan20)#exit
switchA(config)#ip pim multicast
switchA(config)#interface ethernet
switchA(Config-Ethernet)#switchport mode trunk
switchB(config)#
switchB(config)#vlan 100
switchB(config-vlan100)#switchport access ethernet
switchB(config-vlan100)#exit
switchB(config)#
switchB(config)#vlan 101
switchB(config-vlan101)#switchport access ethernet
switchB(config-vlan101)#exit
switchB(config)#interface ethernet
switchB(Config-Ethernet)#switchport mode t
49. source control be disabled globally. The next is the configuration of the rules of source control. It adopts the same method adopted by ACL, using ACL IDs from 5000 to 5099; each rule ID can configure 10 rules at most. What calls for attention is that these rules have a sequence: the rule configured earliest is at the front, and once it is matched all the following rules will be neglected. So the rules that are allowed globally should be configured as the last rule. The following is the command to do this.
Command (Global configuration mode): [no] access-list <5000-5099> {deny | permit} ip {<source> <source-wildcard> | host-source <source-host-ip> | any-source} {<destination> <destination-wildcard> | host-destination <destination-host-ip> | any-destination}
Explanation: To configure the rules used in source control. The rule can only take effect on a specified port. Prefixing the command with NO will delete the specified rule. Attention: since the configured rules take up hardware list entries, too many rules might cause the configuration to fail because the underlying list entries are full. So we recommend that users use rules as simple as possible.
The following is the command to configure:
Command (Port configuration mode): [no] ip multicast source-control access-group <5000-5099>
Explanation: To configure the
50. switch port 2-8; VLAN100: Site A and Site B switch port 9-15; VLAN200: Site A and Site B switch port 16-22; Trunk port: Site A and Site B switch port 23. Connect the Trunk ports of both switches for a Trunk link to convey the cross-switch VLAN traffic; connect all network devices to the other ports of the corresponding VLANs. In this example port 1 and port 24 are spared and can be used as management ports or for other purposes. The configuration steps are listed below.
Switch A:
Switch(Config)# vlan 2
Switch(Config-Vlan2)# switchport interface ethernet 0/0/2-8
Switch(Config-Vlan2)# exit
Switch(Config)# vlan 100
Switch(Config-Vlan100)# switchport interface ethernet 0/0/9-15
Switch(Config-Vlan100)# exit
Switch(Config)# vlan 200
Switch(Config-Vlan200)# switchport interface ethernet 0/0/16-22
Switch(Config-Vlan200)# exit
Switch(Config)# interface ethernet 0/0/23
Switch(Config-Ethernet0/0/23)# switchport mode trunk
Switch(Config-Ethernet0/0/23)# exit
Switch(Config)#
Switch B:
Switch(Config)# vlan 2
Switch(Config-Vlan2)# switchport interface ethernet 0/0/2-8
Switch(Config-Vlan2)# exit
Switch(Config)# vlan 100
Switch(Config-Vlan100)# switchport interface ethernet 0/0/9-15
Switch(Config-Vlan100)# exit
Switch(Config)# vlan 200
Switch(Config-Vlan200)# switchport interface ethernet 0/0/16-22
Switch(Config-Vlan200)# exit
Switch(Config)# interface ethernet 0/0/23
Switch(Config-Ethernet0/0/23)# switchport mode trunk
51. the interface. 4. Delete all the address pools. Command (Global configuration mode): no am all-ip-pool | mac-ip-pool. Explanation: Delete all the MAC-IP pools or IP pools configured by the users. 16.4 AM Examples. Scenario 1: The configuration demand of the user is that port 10 of the switch connects to the 10.1.1.0/8 segment; the administrator hopes that 8 IP addresses from 10.1.1.1 to 10.1.1.8 can be allowed to access the Internet. Change Configuration: 1. Enable AM function; 2. Configure IP pool. The following is the configuration procedure:
Switch(Config)# am enable
Switch(Config)# interface ethernet 0/0/1
Switch(Config-Ethernet0/0/1)# am port
Switch(Config-Ethernet0/0/1)# am ip-pool 10.1.1.1 8
Switch(Config-Ethernet0/0/1)# exit
Switch(Config)# exit
Configuration result:
Switch# show am
Global AM is enabled
Interface Ethernet0/0/1 am is enable
Interface Ethernet0/0/1 am ip-pool 10.1.1.1 8 USER_CONFIG
Scenario 2: The configuration demand of the user is that port 10 of the switch connects to the 10.1.1.0/8 segment; the administrator hopes the binding relationships between users and MAC-IP are: user1 100.1.1.1 00-00-00-00-01-12; user2 100.1.1.2 00-00-00-00-00-13. Change Configuration: 1. Enable AM function; 2. Configure MAC-IP pool. The following is the configuration procedure:
Switch(Config)# am enable
Switch(Config)# interface ethernet 0/0/10
Switch(Config-E
52. the switches run in RSTP mode; their bridge priority, port priority and port link cost are all set to the default value (all the same). The following is the default configuration of the switches:
Name | Bridge MAC address | Bridge priority | Port priority (0/0/1, 0/0/2, 0/0/3) | Link cost (0/0/1, 0/0/2, 0/0/3)
SW1 | 00-00-01 | 32768 | 128, 128 | 200000, 200000
SW2 | 00-00-02 | 32768 | 128, 128 | 200000, 200000
SW3 | 00-00-03 | 32768 | 128, 128 | 200000, 200000
SW4 | 00-00-04 | 32768 | 128, 128, 128 | 200000, 200000, 200000
SW5 | 00-00-05 | 32768 | 128, 128 | 200000, 200000
SW6 | 00-00-06 | 32768 | 128, 128 | 200000, 200000
By default RSTP will automatically create a tree topology taking SW1 as its root bridge; the port connected to the blue line is the forwarding port, while the one connected to the black line is discarding. Configuration Change: Changing the bridge priority of switch 4 to 4096 will make SW4 the root bridge. Changing the link cost of port 0/0/2 of switch 2 to 500000 will make port 0/0/1 become the root port of SW2. The cost to reach the root bridge from port 0/0/1 of switch 3 should be less than that from port 0/0/1 of switch 2, so port 0/0/1 of switch 3 will be the specified port. Elevating the port priority of port 0/0/1 of switch 4 to 160 while that of port 0/0/3 of switch 4 is still
53. the SS2R24G4i operating system software port IDs are listed as follows:
Physical port | Software port ID
24 10/100Base-T | ethernet 0/0/1-24
2 1000Base-TX / 1000Base-FX | ethernet 0/0/25-26
2 1000Base-TX | ethernet 0/0/27-28
If users want to configure some ports, they can use the command interface ethernet <interface-list> to enter the corresponding ethernet port configuration mode; the parameter <interface-list> can be 0/0/1-28. When <interface-list> contains more than one port, please use the special separator characters to connect them. In the ethernet port configuration mode the port rate, duplex mode and traffic control can all be configured; in response, the performance of the corresponding ports will change accordingly. 7.2 Port Configuration. 7.2.1 Port Configuration. 7.2.1.1 Port Configuration Task List: 1. Enter the network port configuration mode. 2. Configure the properties for the network ports: configure combo mode for combo ports; enable/disable ports; configure port names; configure port cable types; configure port speed and duplex mode; configure bandwidth control; configure traffic control; enable/disable port loopback function; configure Combo port mode. 3. Set the packet suppression function. 1. Enter the Ethernet port configuration mode. Command (Interface Mode) / Explanation: Enters the network port configura
54. the default 128 will make port 0/0/2 of switch 5 the root port.
Name | Bridge MAC address | Bridge priority | Port priority (0/0/1, 0/0/2, 0/0/3) | Link cost (0/0/1, 0/0/2, 0/0/3)
SW1 | 00-00-01 | 32768 | 128, 128 | 200000, 200000
SW2 | 00-00-02 | 32768 | 128, 128 | 200000, 500000
SW3 | 00-00-03 | 32768 | 128, 128 | 200000, 200000
SW4 | 00-00-04 | 4096 | 160, 128, 128 | 200000, 200000, 200000
SW5 | 00-00-05 | 32768 | 128, 128 | 200000, 200000
SW6 | 00-00-06 | 32768 | 128, 128 | 200000, 200000
The configuration procedure is as follows:
Switch 4:
Switch4# config
Switch4(Config)# spanning-tree
Switch4(Config)# spanning-tree priority 4096
Switch4(Config)# interface ethernet 0/0/1
Switch4(Config-Ethernet0/0/1)# spanning-tree port-priority 160
Switch 2:
Switch2# config
Switch2(Config)# spanning-tree
Switch2(Config)# interface ethernet 0/0/2
Switch2(Config-Ethernet0/0/2)# spanning-tree cost 500000
10.4 RSTP Troubleshooting. 10.4.1 Monitor and Debug Command. 10.4.1.1 show spanning-tree. Command: show spanning-tree [interface <interface-list>] [detail]. Function: to display RSTP protocol information. Parameter: <interface-list> is the port list; detail displays the detailed RSTP status of each port. Command mode: Admin mode. Display Content / Ex
55. the first time. 5.2.3.3.6 monitor. Command: monitor; no monitor. Function: Display SSH debug information on the SSH client side and at the same time disable the debug information function in the console; the no monitor command stops displaying SSH debug information on the SSH client side and enables the debug information function in the console. Command mode: Admin Mode. Relative Command: ssh-user. 5.2.3.4 SSH Server Configure Example. Scenario 1: Requirement: Enable the SSH server on the switch and run SSH2.0 client software (such as Secure Shell Client and PuTTY) on the terminal. Log on to the switch by using the username and password from the client. Configure the IP address, add an SSH user and enable the SSH service on the switch; the SSH2.0 client can then log on to the switch by using the username and password to configure the switch.
Switch(Config)# interface vlan 1
Switch(Config-Vlan1)# ip address 100.100.100.200 255.255.255.0
Switch(Config-Vlan1)# exit
Switch(Config)# ssh-user test password 0 test
Switch(Config)# ssh-server enable
5.2.3.5 SSH Monitor and Debug Command. 5.2.3.5.1 show ssh-user. Command: show ssh-user. Function: To display all the configured SSH usernames. Command Mode: Admin Mode. Relative Command: ssh-user. 5.2.3.5.2 show ssh-server. Command: show ssh-server. Function: To display the state of the SSH server (open or closed) and the information of users who have already logged in. Command Mode: Admin Mode. Relative Command: s
56. the packet reaches PE2, and before being forwarded to CE2 from the client port on PE2 the outer VLAN tag is removed, so the packet CE2 receives is absolutely identical to the one sent by CE1. For the user, the role the operator network plays between PE1 and PE2 is to provide a reliable layer 2 link. The technology of Dot1q tunnel provides the ISP network the ability to support many client VLANs with only one VLAN of its own. Both the ISP network and the clients can configure their own VLANs independently. It is obvious that the dot1q tunnel function has the following characteristics: Applicable through simple static configuration; no complex configuration or maintenance is needed. Operators will only have to assign one SPVID for each user, which increases the number of concurrently supportable users, while the users have the ultimate freedom in selecting and managing their VLAN IDs (selected within 1-4096 at the user's will). The user network is considerably independent: when the ISP is upgrading its network, the user networks do not have to change their original configuration. A detailed description of the application and configuration of dot1q tunnel on the SS2R24/48G4i switch will be provided in this section. 9.3.2 Configuration Task Sequence of Dot1q Tunnel: Configure the dot1q tunnel function on the ports; Configure the type of protocol (TPID) on the ports; Configure the dot1q tunnel type of the port. 1. Configure the dot1
57. the users allowed to access by the specified port, applied to ports using the user-based access control mode; the no dot1x max-user userbased command is used to reset the default value, allowing 10 users at most. Configure expanded 802.1x function (Global Mode):
dot1x macfilter enable; no dot1x macfilter enable: Enables the 802.1x address filter function in the switch; the no dot1x macfilter enable command disables the 802.1x address filter function.
dot1x accept-mac <mac-address> [interface <interface-name>]; no dot1x accept-mac <mac-address> [interface <interface-name>]: Adds an 802.1x address filter table entry; the no dot1x accept-mac command deletes 802.1x filter address table entries.
dot1x eapor enable; no dot1x eapor enable: Enables the EAP relay authentication function in the switch; the no dot1x eapor enable command sets EAP local-end authentication.
dot1x unicast enable; no dot1x unicast enable: Enables the 802.1x single-cast authentication function of the switch; the no dot1x unicast enable command is used to disable the 802.1x single-cast authentication function.
dot1x BPDU_forward enable; no dot1x BPDU_forward enable: Enables the 802.1x traversal function of the switch; the no dot1x BPDU_forward enable command is used to disable the 802.1x traversal function of the switch.
dot1x freevlan <vlan-ID>; no dot1x freevlan: Set the 802.1x
58. theory. The SS2R24/48G4i switch is a layer 2 (Data Link Layer) device, which should not have an IP address, because an IP address is a concept belonging to layer 3 (Network Layer). But as a device used in a network, the switch needs a network address as its unique identifier, so that the network manager can identify and control it. The IP address of the SS2R24/48G4i switch is set on the VLAN interface. The VLAN with an IP address is called the management VLAN. All in-band management of the switch is done through the management VLAN. The SS2R24/48G4i switch only allows one VLAN interface, so to change the ID of the management VLAN the original VLAN interface should be deleted first and then a new VLAN interface created. The SS2R24/48G4i switch provides three IP address configuration methods: Manual; BootP; DHCP. Manual configuration of the IP address means assigning an IP address manually to the switch. In BootP/DHCP mode the switch operates as a BootP/DHCP client, sending broadcast BootPRequest packets to the BootP/DHCP servers, and the BootP/DHCP servers assign the address on receiving the request. In addition, the SS2R24/48G4i switch can act as a DHCP server and dynamically assign network parameters such as IP addresses, gateway addresses and DNS server addresses to DHCP clients. DHCP Server configuration is detailed in later chapters. Switch IP Addresses Configuration Task List: 1. Manual configuration; 2. Boot
59. timeout value for SSH authentication. ssh-server authentication-retries <authentication-retries>; no ssh-server authentication-retries: Configure the number of times for retrying SSH authentication; the no ssh-server authentication-retries command restores the default number of times for retrying SSH authentication. ssh-server host-key create rsa modulus <modulus>: Generate the new RSA host key on the SSH server. Admin Mode: monitor; no monitor: Display SSH debug information on the SSH client side; the no monitor command stops displaying SSH debug information on the SSH client side. 5.2.3.3 Commands for SSH. 5.2.3.3.1 ssh-server enable. Command: ssh-server enable; no ssh-server enable. Function: Enable the SSH function on the switch; the no ssh-server enable command disables the SSH function. Command mode: Global Mode. Default: SSH function is disabled by default. 5.2.3.3.2 ssh-user. Command: ssh-user <username> password {0 | 7} <password>; no ssh-user <username>. Function: Configure the username and password of the SSH client software for logging on to the switch; the no ssh-user <username> command deletes the username. Parameter: <username> is the SSH client username; it can't exceed 16 characters. <password> is the SSH client password; it can't exceed 8 characters. 0 and 7 stand for unencrypted password and encrypted
60. type: Configures the node type for DHCP clients. bootfile <filename>; no bootfile: Configures the file to be imported for DHCP clients on boot-up. next-server <address1> [<address2> ... <address8>]; no next-server <address1> [<address2> ... <address8>]: Configures the address of the server hosting the file for importing. option <code> {ascii <string> | hex <hex> | ipaddress <ipaddress>}; no option <code>: Configures the network parameter specified by the option code. lease {infinite | <0-365> days [<0-23> hours] [<0-59> minutes]}; no lease: Configures the lease period allocated to addresses in the address pool. Global Mode: ip dhcp excluded-address <low-address> [<high-address>]; no ip dhcp excluded-address <low-address> [<high-address>]: Excludes the addresses in the address pool that are not for dynamic allocation. 3. Configure manual DHCP address pool parameters (DHCP Address Pool Mode). hardware-address <hardware-address>: Specifies the hardware address when assigning an address manually. host <address> [<mask> | <prefix-length>]; no host: Specifies the IP address to be assigned to the specified client when binding an address manually. client-identifier <unique-identifier>; no client-identifier: Specifies the unique ID of the user when bindin
61. vlan1)# ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)# exit
Switch(Config)# radius-server authentication host 10.1.1.3
Switch(Config)# radius-server accounting host 10.1.1.3
Switch(Config)# radius-server key test
Switch(Config)# aaa enable
Switch(Config)# aaa-accounting enable
Switch(Config)# dot1x enable
Switch(Config)# interface ethernet 0/0/21
Switch(Config-Ethernet0/0/2)# dot1x enable
Switch(Config-Ethernet0/0/2)# dot1x port-method macbased
Switch(Config-Ethernet0/0/2)# dot1x port-control auto
Switch(Config-Ethernet0/0/2)# exit
14.4 802.1x Troubleshooting. 14.4.1 802.1x Monitor and debug command. 14.4.1.1 show aaa config. Command: show aaa config. Function: Displays the configured commands for the switch as a RADIUS client. Command mode: Admin Mode. Displayed information: Is Aaa Enabled: Indicates whether AAA authentication is enabled or not (1 for enable and 0 for disable). Is Account Enabled: Indicates whether AAA accounting is enabled or not (1 for enable and 0 for disable). MD5 Server Key: Displays the key for RADIUS server authentication. server sum: The number of authentication servers. authentication server X Host IP, Udp Port, Is Primary, Is Server Dead, Socket No: Displays the authentication server number and corresponding IP address, UDP port number, primary server or not, down or not, and socket number. accounting server X Host IP: Displays the accounting server number
62. 0/2
Switch(Config-Ethernet0/0/2)# service-policy input p1
Configuration result: An ACL named 1 is set to match segment 192.168.1.0. Enable QoS globally, create a class map named c1 matching ACL 1 in class-map, create another policy map named p1 and refer to c1 in p1, set appropriate policies to limit bandwidth and burst value, and apply this policy map on port ethernet 0/0/2. After the above settings are done, bandwidth for packets from segment 192.168.1.0 through port ethernet 0/0/2 is set to 10 Mb/s with a burst value of 4 MB; all packets exceeding this bandwidth setting in that segment will be dropped. Scenario 3: QoS Domain (Fig 22-3 Typical QoS topology: Server, Switch 3, Switch 2). As shown in the figure, inside the block is a QoS domain. SwitchA classifies different traffic and assigns different IP precedences; for example, set the IP precedence for packets from segment 192.168.1.0 to 5 on port ethernet 1/1. The port connecting to switch2 is a trunk port. In SwitchB, set port ethernet 1/1, which connects to switch1, to trust IP precedence. Thus, inside the QoS domain, packets of different priorities will go to different queues and get different bandwidth. The configuration steps are listed below. QoS configuration in Switch:
Switch# config
Switch(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)# mls qos
Switch(config)# class-map c1
Switch(config-ClassMap)# match access-group 1
63. 1 in the SNMP configuration menu and press Enter; the following screen will appear: "Please input the read-only access community string [public]:". Note: the valid length for a read-only access community string is 1 to 255 characters; the default value is public. When a valid read-only access community string is entered, pressing Enter returns to the SNMP configuration menu. Select 2 in the SNMP configuration menu and press Enter; the following screen will appear: "Please input traps host IP address [A.B.C.D]:". When the user enters a valid IP address for the Traps host and presses Enter, the following appears: "Please input traps community string [public]:". Note: the valid length for a traps community string is 1 to 255 characters; the default value is public. When a valid traps community string is entered, pressing Enter returns to the SNMP configuration menu. Select 3 in the SNMP configuration menu and press Enter; the following screen will appear: "Enable SNMP server (y/n) [y]:". Type y and press Enter, or just press Enter, to enable the SNMP service; type n and press Enter to disable the SNMP service. The SNMP configuration menu appears. Select 4 in the SNMP configuration menu and press Enter; the following screen will appear: "Enable SNMP traps (y/n) [y]:". Type y and press Enter, or just press Enter, to enable SNMP Traps; type n and press Enter to disable SNMP traps. The SNMP configuration menu appears. Sel
64. 1(config)# exit. Usage Guide: When a DHCP/BootP client is connected to a VLAN1 port of the switch, the client can only get its address from 10.16.1.0/24 instead of 10.16.2.0/24. This is because the broadcast packet from the client will be requesting an IP address in the same segment as the VLAN interface after VLAN interface forwarding, and the VLAN interface IP address is 10.16.1.2/24; therefore the IP address assigned to the client will belong to 10.16.1.0/24. If the DHCP/BootP client wants to have an address in 10.16.2.0/24, the gateway forwarding the broadcast packets of the client must belong to 10.16.2.0/24. The connectivity between the client gateway and the switch must be ensured for the client to get an IP address from the 10.16.2.0/24 address pool. 18.3 DHCP Troubleshooting. 18.3.1 Monitor and Debug Commands. 18.3.1.1 clear ip dhcp binding. Command: clear ip dhcp binding {<address> | all}. Function: Deletes the specified IP address / hardware address binding record or all IP address / hardware address binding records. Parameters: <address> is the IP address that has a binding record, in decimal format; all refers to all IP addresses that have a binding record. Command mode: Admin Mode. Relative Command: show ip dhcp binding. 18.3.1.2 clear ip dhcp conflict. Command: clear ip dhcp conflict {<address> | all}. Function: Deletes an address present in the address conflict log. Parameters: <addr
65. Memory usage: usage rate of EMS memory. Address pools: Number of DHCP address pools configured. Database agents: Number of database agents. Automatic bindings: Number of addresses assigned automatically. Manual bindings: Number of addresses bound manually. Conflict bindings: Number of conflicting addresses. Expired bindings: Number of addresses whose leases have expired. Malformed message: Number of error messages. Message Received: Statistics for DHCP packets received. BOOTREQUEST: Total packets received. DHCPDISCOVER: Number of DHCPDISCOVER packets. DHCPREQUEST: Number of DHCPREQUEST packets. DHCPDECLINE: Number of DHCPDECLINE packets. DHCPRELEASE: Number of DHCPRELEASE packets. DHCPINFORM: Number of DHCPINFORM packets. Message Send: Statistics for DHCP packets sent. BOOTREPLY: Total packets sent. DHCPOFFER: Number of DHCPOFFER packets. DHCPACK: Number of DHCPACK packets. DHCPNAK: Number of DHCPNAK packets. DHCPRELAY: Number of DHCPRELAY packets. DHCPFORWARD: Number of DHCPFORWARD packets. 18.3.1.7 debug ip dhcp server. Command: debug ip dhcp server {events | linkage | packets}; no debug ip dhcp server {events | linkage | packets}. Function: Enables DHCP server debug information; the no debug ip dhcp server {events | linkage | packets} command disables the debug information for the DHCP server. Default: Debug information is disa
66. /24, then a possible host IP address is 10.1.128.25/24. Run ping 10.1.128.251 from the host and verify the result; check for reasons if the ping fails. The IP address configuration commands for the VLAN1 interface of the SS2R24/48G4i switch are listed below. Before in-band management, the switch must be configured with an IP address by out-of-band management, i.e. Console mode. The configuration commands (all switch configuration prompts are assumed to be "Switch" hereafter if not otherwise specified):
Switch>
Switch> en
Switch# config
Switch(Config)# interface vlan 1
Switch(Config-If-Vlan1)# ip address 10.1.128.251 255.255.255.0
Switch(Config-If-Vlan1)# no shutdown
Step 2: Run the Telnet Client program. Fig 4-6: Run the telnet client program included in Windows (Open: telnet 10.1.128.251). Run the Telnet client program included in Windows with the specified Telnet target. Step 3: Login to the switch. Log in to the Telnet configuration interface. A valid login name and password are required, otherwise the switch will reject Telnet access. This is a method to protect the switch from unauthorized access. If no authorized Telnet user has been configured, nobody can connect to the Telnet CLI configuration interface. As a result, when Telnet is enabled for configuring and managing the switch, a username and password for a
67. 48G4i(Config-Ethernet0/0/1)# switchport dot1q-tunnel mode customer
SS2R48G4i(Config-Ethernet0/0/1)# exit
SS2R48G4i(Config)# interface ethernet 0/0/10
SS2R48G4i(Config-Ethernet0/0/10)# switchport mode trunk
SS2R48G4i(Config-Ethernet0/0/10)# switchport dot1q-tunnel mode uplink
SS2R48G4i(Config-Ethernet0/0/10)# exit
SS2R48G4i(Config)#
PE2:
SS2R48G4i(Config)# vlan 3
SS2R48G4i(Config-Vlan3)# switchport interface ethernet 0/0/1
SS2R48G4i(Config-Vlan3)# exit
SS2R48G4i(Config)# dot1q-tunnel enable
SS2R48G4i(Config)# interface ethernet 0/0/1
SS2R48G4i(Config-Ethernet0/0/1)# switchport dot1q-tunnel mode customer
SS2R48G4i(Config-Ethernet0/0/1)# exit
SS2R48G4i(Config)# interface ethernet 0/0/10
SS2R48G4i(Config-Ethernet0/0/10)# switchport mode trunk
SS2R48G4i(Config-Ethernet0/0/10)# switchport dot1q-tunnel mode uplink
SS2R48G4i(Config-Ethernet0/0/10)# exit
SS2R48G4i(Config)#
9.3.4 Dot1q tunnel Troubleshooting: This function cannot be used simultaneously with private VLAN (refer to section 9.2.2.9). Customer port mode has to be configured on access ports, while the uplink port mode has to be configured on trunk ports. It is recommended to use the uplink port mode on 1000bps ports to reach the expected transmission rate of uplink ports and guarantee the high-speed operation of the network. 9.4 Protocol VLAN Configuration. 9.4.1 Protocol VLAN Introduction. To be simple and clear, Protocol V
68. Command: sntp timezone <name> {add | subtract} <time_difference>; no sntp timezone. Function: Set the time difference between the time zone in which the SNTP client resides and UTC. The no sntp timezone command cancels the time zone setting and restores the default setting. Parameter: <name> is the time zone name; up to 16 characters are allowed. add means the time zone equals UTC time plus <time_difference>; subtract means the time zone equals UTC time minus <time_difference>. <time_difference> is the time difference, from 1 to 12. Default: The default time difference setting is add 8. Command mode: Global Mode. 21.1.4 show sntp. Command: show sntp. Function: To display the current configuration of the SNTP client and the server state. Parameters: None. Command Mode: Admin Mode. Displayed Information / Explanation: server address: IP address of the SNTP server. version: The version of the SNTP protocol. last receive: The IP address of the last received SNTP server. 21.1.5 debug sntp. Command: debug sntp {adjust | packet | select}; no debug sntp {adjust | packet | select}. Function: Displays or disables SNTP debug information. Parameters: adjust stands for SNTP clock adjustment information, packet for SNTP packets, select for SNTP clock selection. Command mode: Admin Mode. 21.2 Typical SNTP Configuration Examples. a SNT
69. 600 is recommended, and JavaScript is required to be enabled. Tip 2: To guarantee the validity of the operation of CGI programs, the browser is required to read new content from the server every time instead of from the system cache. The following steps will show you how to realize this: Choose Tools (T) > Internet Options from the menu of a website, or right-click the IE browser on the desktop and choose Properties to enter the configuration interface. In the Settings dialog box of Temporary Internet Files, under "Check for newer versions of stored pages", click "Every visit to the page". Chapter 5 Basic Switch Configuration. 5.1 Basic Switch Configuration Commands. Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc. Caution: By default the host name of a switch and the command line prompt are the same as the type of the switch. In this chapter, "Switch" is used to represent the general command line prompt. 5.1.1 clock set. Command: clock set <HH:MM:SS> <YYYY.MM.DD>. Function: to configure the date and time setting. Parameter: <HH:MM:SS> is the current time; HH: the number range is 0-23; MM and SS: the number range is 0-59. <YYYY.MM.DD> is the current year, month, day; YYYY: the number range is 1970-2100; MM: the
70. 7.2.1 Configure the Task Sequence of the Classified Configuration: 1. Command to enable privileged mode; 2. Set the corresponding password for the identity to log on. 1. Command to enable privileged mode. Command: enable [level {visitor | admin}] <password>. Explanation: To log on to the switch in the specified identity. 2. Set the corresponding password for the identity to log on. Command: enable password [level {visitor | admin}]. Explanation: To set the password for logging on to the configuration mode. 5.8 Port Isolation. 5.8.1 Introduction of Port Isolation. Port isolation is aimed at meeting the user's demand shown below (figure: switch1 with downlink ports e0/0/1 and e0/0/2 and uplink trunk port e0/0/25). The topological structure of the switches is illustrated in the picture above. The demand is that once the configuration port on switch1 is isolated, e0/0/1 and e0/0/2 on switch1 are not connected to each other, while both of them can be connected to the uplink port e0/0/25. That is, the downlink ports cannot connect to each other, but a downlink port can be connected to a specified uplink port. The uplink port can be connected to any port. 5.8.2 Port Isolation Configuration. 5.8.2.1 Task of port isolation configuration: 1. Set the uplink port. Command: isolate-port allowed ethernet <InterfaceList>. Explanation: Enable o
71. ARE INSTALLATION 12
2.3.1 Installing the Switch 12
2.3.2 Connecting Console 12
2.3.3 Power Supply Connection 13
Chapter 3 Setup Configuration 15
3.1 SETUP CONFIGURATION 15
3.2 MAIN SETUP MENU 15
3.3 SETUP SUBMENU 15
3.3.1 Configuring switch hostname 15
3.3.2 Configuring Vlan1 Interface 16
3.3.3 Telnet Server Configuration 16
3.3.4 Configuring Web Server 17
3.3.5 Configuring SNMP 17
3.3.6 Exiting Setup Configuration Mode 18
Chapter 4 Switch Management 20
4.1 MANAGEMENT OPTIONS 20
4.1.1 Out-of-band Management 20
4.1.2 In-band Management 23
4.2 MANAGEMENT INTERFACE 26
4.2.1 CLI Interface 27
4.2.2 Web Interface 32
Chapter 5 Basic Switch Configuration 34
5.1 BASIC SWITCH CONFIGURATION COMMANDS 34
5.1.1 clock set 34
5.1.2 config 34
5.1.3 exit 34
5.1.4 help 35
5.1.5 ip host 35
5.1.6 ip http server 35
5.1.7 hostname 35
5.1.8 reload 35
5.1.9 setup 36
5.1.10 language 36
5.1.11 web-user 36
5.1.12 write 36
5.1.13 show cpu usage 37
5.2 MONITOR AND DEBUG COMMAND 37
5.2.1 PING 37
5.2.2 Telnet 37
5.2.3 SSH 40
5.2.4 Traceroute 44
5
72. C addresses learned by the specified port. 3. MAC address binding property configuration (Interface Mode). switchport port-security maximum <value>; no switchport port-security maximum: Set the maximum number of secure MAC addresses for a port; the no switchport port-security maximum command restores the default value. switchport port-security violation {protect | shutdown}; no switchport port-security violation: Set the violation mode for the port; the no switchport port-security violation command restores the default setting. 8.5.1.3 MAC Address Binding Troubleshooting. 8.5.1.3.1 MAC Address Binding Monitor and Debug Command. 8.5.1.3.2 show port-security. Command: show port-security. Function: Display the secure MAC addresses of the port. Command mode: Admin Mode. Parameter: <interface-list> stands for the port to be displayed. Displayed information / Explanation: Security Port: Configured port name of the Security Port. MaxSecurityAddr: Configured maximum number of secure MAC addresses of the Security Port. CurrentAddr: Current number of secure MAC addresses of the Security Port. Security Action: Configured violation mode of the port. Total Addresses in System: Current number of secure MAC addresses in the system. Max Addresses limit in System: Maximum address limit
73. C table but belonging to different VLANs, the switch can only broadcast the unicast frame in the VLAN it belongs to.
8.2 Commands for MAC address table configuration
8.2.1 mac address table aging time. Command: mac address table aging time {<age> | 0}; no mac address table aging time. Function: Set the aging time for dynamically learnt address mapping entries in the MAC table; the no mac address table aging time command restores the aging time to the default 300 seconds. Parameter: <age> is the aging time in seconds; the valid range is 10 to 100000; 0 means no aging. Command mode: Global Mode. Default: The system default aging time is 300 seconds.
8.2.2 mac address table. Command: mac address table static address <mac addr> vlan <vlan id> interface {Ethernet | port channel} <interface name>; no mac address table {static | dynamic} address <mac addr> vlan <vlan id> interface <interface name>. Function: Add or modify static address entries. The no mac address table {static | dynamic} address <mac addr> vlan <vlan id> interface <interface name> command deletes the static or dynamic mac address table entries. Parameter: static selects the static entries; <mac addr> is the MAC address to be added or deleted; <interface name> is the name of the port transmitting the MAC data packet; <vlan id> is the vlan number. Command Mode: Global mode. Default: When VLAN or Layer 3 interface is
74. Console interface. Generally the user will use out-of-band management for the initial switch configuration or when in-band management is not available. For instance, the user must assign an IP address to the switch via the Console interface to be able to access the switch through Telnet. The procedures for management via the Console interface are listed below.
Step 1: Setting up the environment. Connect with the serial port (Fig 4.1 Out-of-band Management Configuration Environment): the serial port (RS-232) is connected to the switch with the serial cable provided. The table below lists all the devices used in the connection.
Device Name and Description: PC machine: has a functional keyboard and RS-232 port, with a terminal emulator installed, such as the HyperTerminal included in Windows 9x/NT/2000/XP. Serial port cable: one end attaches to the RS-232 serial port, the other end to the Console port of the SS2R24/48G4i switch. The switch: a functional Console port is required.
Step 2: Entering HyperTerminal. Open the HyperTerminal included in Windows after the connection is established. 1. Click Start menu > All Programs > Accessories > Communication > HyperTerminal. 2. Type a name for opening HyperTerminal, such as Switch_A (Connection Description, New Connection: enter a name and choose an icon for the connection; Name: Switch; Icon) (Fig 4.2 Opening HyperTerminal). 3. In the Connecting
75. ESD damage: Ensure proper earth grounding of the device. Perform regular cleaning to reduce dust. Maintain proper temperature and humidity. Always wear an ESD wrist strap and antistatic uniform when in contact with circuit boards.
2.1.1.5 Anti-interference. All sources of interference, whether from the device system itself or the outside environment, will affect operations in various ways, such as capacitive coupling, inductive coupling, electromagnetic radiation and common impedance (including the grounding system and cables: lines, power cables, signal lines and output lines). The following should be noted: Precautions should be taken to prevent power source interruptions. Provide the system with a dedicated grounding rather than sharing the grounding with other electronic equipment or lightning protection devices. Keep away from high-power radio transmitters, radar transmitters and high-frequency strong circuit devices. Provide electromagnetic shielding if necessary.
2.1.1.6 Rack Configuration. The switch is designed to be mounted on a standard 19-inch rack. Please ensure good ventilation for the rack: Every device in the rack will generate heat during operation; therefore vents and fans must be provided for an enclosed rack, and devices should not be stacked closely. When mounting devices in an open rack, care should be taken to prevent the rack frame from obstructing the switch ventilation openings. Be sure to ch
76. Global 802.1x Parameters: global 802.1x parameter information. free resource: free resource. reauth enabled: whether re-authentication is enabled or not. reauth period: re-authentication interval. quiet period: silent interval. tx period: EAP retransmission interval. max req: EAP packet retransmission interval. authenticator mode: switch authentication mode. Mac Filter: whether the dot1x address filter is enabled or not. MacAccessList: dot1x address filter table. dot1x EAPoR: authentication method used by the switch (EAP relay or EAP local end). dot1x privateclient: whether the private client is enabled. dot1x unicast: whether unicast is enabled. "802.1x is enabled on ethernet 0/0/8": indicates whether dot1x is enabled for the port. Authentication Method: port authentication method (MAC-based or port-based). Status: port authentication status. Port control: port authorization status. Supplicant: Authenticator MAC address. Max User Number: max user number of the port. Notify DCBI: whether the DCBI server has been successfully notified or not.
14.4.1.6 debug aaa error. Command: debug aaa error; no debug aaa error. Function: Enable the AAA debug error information; the no debug aaa error command is used to disable the AAA debug error information. Command Mode: Admin Mode. Parameters: None.
14.4.1.7 debug aaa packet. Command: debug aaa packet {send | receive | all} interface ethernet l
77. LAN. Set the switch port type. Set Trunk port. Set Access port. Configure Private VLAN. Set Private VLAN association. Specifying or deleting name of VLAN. Enable/Disable VLAN ingress rules on ports.
1. Creating or deleting VLAN. Command (Global Mode): vlan <vlan id>; no vlan <vlan id>. Explanation: Create/delete VLAN or enter VLAN Mode.
2. Specifying or deleting name of VLAN. Command (Global Mode): name <vlan name>; no name. Explanation: Specifying or deleting the name of the VLAN.
3. Assigning switch ports for VLAN. Command (VLAN Mode): switchport interface <interface list>; no switchport interface <interface list>. Explanation: Assign switch ports to the VLAN.
4. Set the switch port type. Command (Interface Mode): switchport mode {trunk | access}. Explanation: Set the current port as Trunk or Access port.
5. Set Trunk port. Command (Interface Mode): switchport trunk allowed vlan {<vlan list> | all}; no switchport trunk allowed vlan <vlan list>. Explanation: Set/delete the VLANs allowed to be crossed by the Trunk; the no command restores the default setting. Command: switchport trunk native vlan <vlan id>; no switchport trunk native vlan. Explanation: Set/delete the PVID for the Trunk port.
6. Set Access port
78. LAN mirrors packets without tags to VLANs according to their protocol types, instead of determining their VLAN identity according to the physical ports of the switches they connect to. After configuring the Protocol VLAN, the switch will check the packets received on the ports, designating a VLAN membership to them based on their protocol types and encapsulation types. For example, after configuring the IPv4 protocol VLAN encapsulated by Ethernet II, when receiving a packet of this kind without a VLAN tag, it will be classified as a member of the VLAN specified for the IP protocol. The Protocol VLAN filter is only applied to received packets without a VLAN tag; the packets with VLAN tags received on the same port will not be affected and will keep their original state. Protocol VLANs do not create new VLANs but share them with port-based VLANs. Once the packets enter these VLANs, they will be transmitted according to the same rules as port-based VLANs use. Classified by network layer protocols, different protocols can belong to different VLANs. This is very attractive for those networks hoping to organize users around specific applications and services. Besides, users can move as they wish within the network while keeping their VLAN membership unchanged. The advantage of this method is that the physical location of users can change without reconfiguring the VLAN they belong to. And it is also very significant for network managers that the VLAN can be class
79. ON function. When alert events are triggered, Agents will send Trap messages or log the event according to the settings. Inform Request is mainly used for inter-NMS communication in layered network management. USM ensures transfer security by well-designed encryption and authentication. USM encrypts the messages according to the user-typed password; this mechanism ensures that the messages can't be viewed in transmission. USM authentication ensures that the messages can't be changed in transmission. USM employs DES-CBC cryptography, and HMAC-MD5 and HMAC-SHA are used for authentication. VACM is used to classify the users' access permission: it puts the users with the same access permission in the same group, and users can't conduct operations which are not authorized.
5.4.2 Introduction to MIB. The network management information accessed by the NMS is well defined and organized in a Management Information Base (MIB). A MIB is pre-defined information which can be accessed by network management protocols; it is in layered and structured form. The pre-defined management information can be obtained from monitored network devices. ISO ASN.1 defines a tree structure for the MIB. Each MIB organizes all the available information with this tree structure, and each node on this tree contains an OID (Object Identifier) and a brief description of the node. An OID is a set of integers divided by periods; it identifies the
80. ONFIGURATION
9.4.1 Protocol VLAN Introduction
11.4 IGMP SNOOPING TROUBLESHOOTING
11.4.1 IGMP Snooping Monitor and Debug Command
11.4.2 IGMP Snooping Troubleshooting
13.1 DCSCM INTRODUCTION
15.2.2 Access-list Action and Global Default Action
15.3 ACL CONFIGURATION
17.1 INTRODUCTION TO PORT CHANNEL
17.2 PORT CHANNEL CONFIGURATION
18.2.2 DHCP Server Configuration Commands Example
18.3 DHCP TROUBLESHOOTING
20.1 DEFENSE AGAINST SEGMENT SCANNING
20.1.1 Defense Against Segment Scanning Configuration Task Sequence
20.1.2 Monitor and Debug Command
Chapter 21 SNTP Configuration
21.1 COMMANDS FOR SNTP
21.2 TYPICAL SNTP CONFIGURATION EXAMPLES
Chapter 22 QoS Configuration
22.1 INTRODUCTION TO QOS
22.1.1 QoS Terms
Chapter 1 Switch Overview
1.1 Brie
81. Output log information to the local console through the Console port. Output log information to a remote Telnet terminal or dumb terminal, which helps remote maintenance. Allocate a log buffer of proper size inside the switch to record log information. Configure a loghost: the log system will directly send log information to the loghost and save it in the form of a file on the loghost, so the information can be reviewed on demand.
5.6.1.2 Format and Severity of the Log Information. The log information format is compatible with the 4.3 BSD UNIX syslog protocol, so we can record and analyze the log with the syslog (system log protocol) session on UNIX/LINUX as well as syslog-like applications on a PC. The log information is classified into eight classes by severity (or emergency procedure), one level per value; the higher the emergency level of the log information, the smaller its value will be. For example, the level of critical is 2 and warning is 4, and debugging is leveled at 7, so critical is higher than warnings, which no doubt is higher than debugging.
Severity / Value / Description / Syslog define:
critical / 2 / Critical conditions / LOG_CRIT
warnings / 4 / Warning conditions / LOG_WARNING
notifications / 5 / Normal but significant condition / LOG_NOTICE
debugging / 7 / Debugging messages / LOG_DEBUG
Right now the switch can generate information of the following two levels: Up/down switch topology change, aggregate port state change of the inte
82. P Address pool. (1) Create/Delete DHCP Address pool. (2) Configure DHCP address pool parameters. (3) Configure manual DHCP address pool parameters. 3. Enable logging for address conflicts. 4. Configure count of ping packets and timeout.
1. Enable/Disable DHCP server. Command (Global Mode): service dhcp; no service dhcp. Explanation: Enables the DHCP server.
2. Configure DHCP Address pool. (1) Create/Delete DHCP Address pool. Command (Global Mode): ip dhcp pool <name>; no ip dhcp pool <name>. Explanation: Configures the DHCP Address pool.
(2) Configure DHCP address pool parameters. Command (DHCP Address Pool Mode): network address <network number> {mask | prefix length}; no network address. Explanation: Configures the address scope that can be allocated to the address pool. Command: default router <address1> [<address2> ... <address8>]; no default router. Explanation: Configures the default gateway for DHCP clients. Command: dns server <address1> [<address2> ... <address8>]; no dns server. Explanation: Configures the DNS server for DHCP clients. Command: domain name <domain>; no domain name. Explanation: Configures the domain name for DHCP clients; the no domain name command deletes the domain name. Command: netbios name server <address1> [<address2> ... <address8>]; no netbios name server. Explanation: Configures the address for the WINS server. Command: netbios node type {b node | h node | m node | p node | <type number>}; no netbios node
83. P NTP Server (Fig 21.1 Typical SNTP Configuration). All SS2R24/48G4i switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there should be a reachable route between any SS2R24/48G4i switch and the two SNTP/NTP servers.
Example: Assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.1 respectively, and the SNTP/NTP server function (such as NTP master) is enabled; then the configuration for any SS2R24/48G4i switch should look like the following:
Switch(config)#
Switch(config)#sntp server 10.1.1.1
Switch(config)#sntp server 20.1.1.1
From now on, SNTP would perform time synchronization to the servers according to the default settings (polltime 64s, version 1).
Chapter 22 QoS Configuration. 22.1 Introduction to QoS. QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements. QoS cannot generate extra bandwidth but provides more effective bandwidth management according to the application requirement and network management policy.
22.1.1 QoS Terms. CoS (Class of Service): the classification information c
84. P configuration. 3. DHCP configuration.
1. Manual configuration. Command: ip address <ip_address> <mask>; no ip address <ip_address> <mask>. Explanation: Configure the IP address of the switch; the no ip address <ip_address> <mask> command deletes the IP address of the switch.
2. BootP configuration. Command: ip bootp client enable; no ip bootp client enable. Explanation: Enable the switch to be a BootP client and obtain an IP address and gateway address through BootP negotiation; the no ip bootp client enable command disables the BootP client function.
3. DHCP configuration. Command: ip dhcp client enable; no ip dhcp client enable. Explanation: Enable the switch to be a DHCP client and obtain an IP address and gateway address through DHCP negotiation; the no ip dhcp client enable command disables the DHCP client function.
5.4 SNMP Configuration. 5.4.1 Introduction to SNMP. SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 (RFC 1157) is the first version of SNMP, which is adopted by vast numbers of manufacturers for its simplicity and easy implementation. SNMP v2c is an enhanced version of SNMP v1, which supports layered network management. SNMP v3 strengthens the security by adding USM (User-based Security Model) and VACM
85. QoS value of the port to 5. The configuration steps are listed below:
Switch(config)#
Switch(config)#mls qos
Switch(config)#wrr queue bandwidth 1 2 4 8
Switch(config)#interface ethernet 0/0/1
Switch(config-Ethernet0/0/1)#mls qos trust cos
Switch(config-Ethernet0/0/1)#mls qos cos 5
Configuration result: When QoS is enabled in Global Mode, the egress queue bandwidth proportion of port ethernet 0/0/1 is 1:2:4:8. When packets with a CoS value come in through port ethernet 0/0/1, they will be mapped to an egress queue according to the CoS value; CoS values 0 to 7 correspond to egress queues 1, 1, 2, 2, 3, 3, 4, 4 respectively. If the incoming packet has no CoS value, it defaults to 5 and will be put in queue 6. All passing packets would not have their DSCP values changed.
Scenario 2: On port ethernet 1/2, set the bandwidth for packets from segment 192.168.1.0 to 10 Mb/s with a burst value of 4 MB; all packets exceeding this bandwidth setting will be dropped. The configuration steps are listed below:
Switch(config)#
Switch(config)#access list 1 permit 192.168.1.0 0.0.0.255
Switch(config)#mls qos
Switch(config)#class map c1
Switch(config-ClassMap)#match access group 1
Switch(config-ClassMap)#exit
Switch(config)#policy map p1
Switch(config-PolicyMap)#class c1
Switch(config-Policy-Class)#police 10000000 4000 exceed action drop
Switch(config-Policy-Class)#exit
Switch(config-PolicyMap)#exit
Switch(config)#interface ethernet 0
86. SS2R24G4i/SS2R48G4i Layer 2/Layer 4 Managed Fast Ethernet Switch, USER MANUAL, Version 1.2, March 2009.
Trademarks: Copyright 2009 Amer.com. Contents subject to change without prior notice.
Copyright Statement: No part of this publication may be reproduced in any form or by any means, or used to make any derivative such as translation, transformation or adaptation, without permission as stipulated by the United States Copyright Act of 1976.
Technical Support Contact: www.amer.com, support@amer.com, info@amer.com.
Caution: Circuit devices are sensitive to static electricity, which can damage their delicate electronics. Dry weather conditions or walking across a carpeted floor may cause you to acquire a static electrical charge. To protect your device, always: touch the metal chassis of your computer to ground the static electrical charge before you pick up the circuit device; pick up the device by holding it on the left and right edges only.
Electronic Emission Notices. Federal Communications Commission (FCC) Statement: This equipment has been tested and found to comply with the limits for a Class A computing device pursuant to Subpart J of Part 15 of FCC Rules, which are designed to provide reasonable protection against such interference when operated in a commercial environment. European Community (CE) Electromagnetic Compatibility Directive: This equip
87. 5.4.3 Introduction to RMON. RMON is the most important expansion of the standard SNMP. RMON is a set of MIB definitions used to define standard network monitor functions and interfaces, enabling the communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method to monitor actions inside the subnets. The MIB of RMON consists of 10 groups; the switch supports the most frequently used groups 1, 2, 3 and 9: Statistics: maintain basic usage and error statistics for each subnet monitored by the Agent. History: record periodical statistic samples available from Statistics. Alarm: allow management console users to set any count or integer for sample intervals and alert thresholds for RMON Agent records. Event: a list of all events generated by the RMON Agent. Alarm depends on the implementation of Event. Statistics and History display some current or historical subnet statistics. Alarm and Event provide a method to monitor any integer data change in the network and provide some alerts upon abnormal events (sending a Trap or recording in logs).
5.4.4 SNMP Configuration. 5.4.4.1 SNMP Configuration Task List: Enable or disable the SNMP Agent server function. Configure SNMP community string. Configure IP address of SNMP management base. Configure engine ID. Configure user. Configure group. Configure view. Configure TRAP. Enable/Disable RMON.
1. Enable or disable SNMP Agent server
88. Switch(Config-Ethernet0/0/23)#exit
9.3 Dot1q tunnel Configuration. 9.3.1 Dot1q tunnel Introduction. Dot1q tunnel is also called QinQ (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) in the service provider VLAN tag (SPVLAN tag). Carrying the two VLAN tags, the packet is transmitted through the backbone network of the ISP internet, so as to provide a simple layer 2 tunnel for the users. It is simple and easy to manage, applicable only by static configuration, and especially adaptive to a small office network or small-scale metropolitan area network using a layer 3 switch as backbone equipment. As shown in Fig 5.4, after being enabled on the user port, dot1q tunnel assigns each user an SPVLAN identification (SPVID); here the identification of the user is 3. The same SPVID should be assigned for the same network user on different PEs. When a packet reaches PE1 from CE1, it carries the VLAN tags 200-300 of the user internal network. Since the dot1q tunnel function is enabled, the user port on PE1 will add to the packet another VLAN tag, of which the ID is the SPVID assigned to the user. Afterwards the packet will only be transmitted in VLAN 3 when traveling in the ISP internet network, while carrying two VLAN tags (the inner tag is added when entering PE1 and the outer is the SPVID), whereas the VLAN information of the user network is open to the provider network. When
89. TP TROUBLESHOOTING. Users must turn on the RSTP switch in global mode before running RSTP on the switch; otherwise users will not be able to turn on the port RSTP switch. There is correlation among the parameters of the RSTP timers; the switch will not function normally under incorrect configuration. The correlation between the timers is: 2 × (Bridge_Forward_Delay − 1.0 second) >= Bridge_Max_Age; Bridge_Max_Age >= 2 × (Bridge_Hello_Time + 1.0 second). Users should avoid unnecessary configuration of RSTP parameters unless they clearly understand the results it may cause. Users are not able to start up the port RSTP function with port MAC binding, 802.1x, or a configured route port, because it is mutually exclusive with those three functions.
Chapter 11 IGMP Snooping. 11.1 Introduction to IGMP Snooping. IGMP (Internet Group Management Protocol) is a protocol used in IP multicast. IGMP is used by multicast-enabled network devices (such as a router) for host membership query, and by hosts that are joining a multicast group to inform the router to accept packets of a certain multicast address. All those operations are done through IGMP message exchange. The router will use the multicast address 224.0.0.1 (which addresses all hosts) to send an IGMP host membership query message. If a host wants to join a multicast group, it will reply to the multicast address of that multicast group with an IGMP host membership rep
90. Verification.
4.2.1.5.1 Returned Information: success. All commands entered through the keyboard undergo a syntax check by the Shell. Nothing will be returned if the user entered a correct command under the corresponding mode and the execution is successful.
4.2.1.5.2 Returned Information: error. Output error message and explanation:
"Unrecognized command or illegal parameter": The entered command does not exist, or there is an error in parameter scope, type or format.
"Ambiguous command": At least two interpretations are possible based on the current input.
"Invalid command or parameter": The command is recognized but no valid parameter record is found.
"This command is not exist in current mode": The command is recognized, but this command cannot be used under the current mode.
"Please configure command at first precursor": The command is recognized, but the prerequisite command has not been configured.
"syntax error: missing " before the end of command line": Quotation marks are not used in pairs.
4.2.1.6 Fuzzy Match Support. The SS2R24/48G4i switch shell supports fuzzy match in searching commands and keywords. The Shell will recognize commands or keywords correctly if the entered string causes no conflict. For example: 1. For the command "show interfaces status ethernet 1", typing "sh in e 1" will work. 2. However, for the command
91. agement. Remotely upgrade member switch. Set interval of sending cluster register packet.
1. Command (Global Mode): cluster run; no cluster run. Explanation: Enable or disable the cluster function in the switch.
2. Create a cluster. Command (Global Mode): cluster commander <cluster name>; no cluster commander. Explanation: Create or delete a cluster. Command: cluster ip pool <commander ip>; no cluster ip pool. Explanation: Configure the private IP address pool for member switches of the cluster. Command: cluster member {candidate sn <cand sn> | mac address <mem id>} password <pass>; no cluster member <mem id>. Explanation: Add or remove a member switch.
3. Configure attributes of the cluster in the commander switch. Command (Global Mode): cluster auto add enable; no cluster auto add enable. Explanation: Enable or disable adding newly discovered candidate switches to the cluster. Command: cluster holdtime <second>; no cluster holdtime. Explanation: Set the holdtime of the heartbeat of the cluster. Command: cluster heartbeat <interval>; no cluster heartbeat. Explanation: Set the interval of sending heartbeat packets among the switches of the cluster. Command: clear cluster candidate table. Explanation: Clear the list of candidate switches discovered by the commander switch.
4. Configure attributes of the cluster in the candidate switch. Command and Explanation
92. aggregate policer name> command deletes the specified policy set.
Command: police aggregate <aggregate policer name>; no police aggregate <aggregate policer name>. Explanation: Apply a policy set to classified traffic; the no police aggregate <aggregate policer name> command deletes the specified policy set.
4. Apply QoS to ports (Interface Mode). Command: mls qos trust {cos | dscp | port priority <priority>}; no mls qos trust. Explanation: Configure port trust; the no mls qos trust command disables the current trust status of the port. Command: mls qos cos <default cos>; no mls qos cos. Explanation: Configure the default CoS value of the port; the no mls qos cos command restores the default setting. Command: service policy {input <policy map name> | output <policy map name>}; no service policy {input <policy map name> | output <policy map name>}. Explanation: Apply a policy map to the specified port; the no service policy {input <policy map name> | output <policy map name>} command deletes the specified policy map applied to the port. Egress policy map is not supported yet. Command: mls qos dscp mutation; no mls qos dscp mutation. Explanation: Apply DSCP mutation mapping to the port; the no mls qos dscp mutation command restores the DSCP mutation mapping default.
5. Configure queue out method and weight. Comm
93. aggregation. To enable 802.1x authentication, the above functions must be disabled. If the switch is configured properly but still cannot pass authentication, connectivity between the switch and the RADIUS server and between the switch and the 802.1x client should be verified, and the port and VLAN configuration for the switch should be checked too. Check the event log in the RADIUS server for possible causes: in the event log not only unsuccessful logins are recorded, but also prompts for the causes of unsuccessful login. If the event log indicates a wrong authenticator password, the radius server key parameter shall be modified; if the event log indicates no such authenticator, the authenticator needs to be added to the RADIUS server; if the event log indicates no such login user, the user login ID and password may be wrong and should be verified and input again. If the access mode of a port is userbased advanced and a static user is configured on the RADIUS server but is not issued to the switch, first check whether the RADIUS server is configured correctly using the command ip user helper address, then check whether the RADIUS server configured the static user on the port, and last check the issuing of the static user using the command show dot1x interface.
Chapter 15 ACL Configuration. 15.1 Introduction to ACL. ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic
94. also do multi-switch VLAN division via IEEE 802.1Q VLAN, and thus manage to control broadcast traffic and guarantee the security and performance of the network at the same time. The PVLAN function can divide ports into isolated ports and community ports, then isolate or connect ports as demanded by network applications.
QoS: The switch fully supports QoS policy. Users can specify 4 priority queues on each port; WRR, SP and SWRR scheduling are also supported. The SS2R24/48G4i switch also supports port security. The traffic can be sorted by port, VLAN, DSCP, IP precedence and ACL table. Users can also modify packets' DSCP and IP precedence values. Users can specify different bandwidths for voice, data and video to customize different qualities of service.
ACL: The switch supports complete ACL policy. ACL is a mechanism realized by switches to filter IP data. By allowing or denying specific data packets entering/leaving the network, a switch can control the network access and effectively guarantee the secure operation of the network. The SS2R24/48G4i switch supports IP-based, MAC-based and MAC-IP-based ingress filtering; it can also filter data based on the information of source/destination IP address, source/destination MAC address, IP protocol type, TCP/UDP port, IP precedence, time range and ToS, etc.
IEEE 802.1x Access Authentication: The switch not only supports port-based IEEE 802.1x authentication mode but also supports MAC-based authentication mode. It can set the upper
95. ameter. Command (Global configuration mode): spanning tree diameter <net diameter>; no spanning tree diameter. Explanation: Configure the switching network diameter; the no spanning tree diameter command restores the default configuration. Command: spanning tree forward time <time>; no spanning tree forward time. Explanation: Configure the switch forward time; the no spanning tree forward time command restores the default configuration. Command: spanning tree hello time <time>; no spanning tree hello time. Explanation: Configure the switch Hello time; the no spanning tree hello time command restores the default configuration. Command: spanning tree maxage <time>; no spanning tree maxage. Explanation: Configure the switch maximum aging time; the no spanning tree maxage command restores the default configuration.
4. Configure RSTP fast migration characteristic. Command (Port configuration mode): spanning tree link type point to point {auto | force true | force false}; no spanning tree link type. Explanation: Set the port link type; the no spanning tree link type command restores the auto link type. Command: spanning tree portfast; no spanning tree portfast. Explanation: Configure the port as a port fast port; the no spanning tree portfast command configures a non-port-fast port.
10.3 RSTP Configuration Examples. The connection between the SW1-SW6 switches is shown in the chart above. By default all
96. and Explanation (Interface Mode). Command: wrr queue bandwidth <weight1 weight2 weight3 weight4>; no wrr queue bandwidth. Explanation: Set the WRR weight for the specified egress queues; the no wrr queue bandwidth command restores the default setting. Command: priority queue out; no priority queue out. Explanation: Configure the queue out method to the PQ method; the no priority queue out command restores the default WRR queue out method. Command: wrr queue cos map <queue id> <cos1 ... cos8>; no wrr queue cos map <queue id>. Explanation: Set the CoS value mapping to the specified egress queue; the no wrr queue cos map <queue id> command restores the default setting.
6. Configure QoS mapping. Command (Global Mode): mls qos map {cos dscp <dscp1 ... dscp8> | dscp cos <dscp list> to <cos> | dscp mutation <in dscp> to <out dscp> | policed dscp <dscp list> to <mark down dscp>}; no mls qos map {cos dscp | dscp cos | dscp mutation | policed dscp}. Explanation: Set the CoS to DSCP mapping, DSCP to CoS mapping, DSCP to DSCP mutation mapping, IP precedence to DSCP and policed DSCP mapping; the no command restores the default mapping.
22.3 QoS Example. Scenario 1: Enable the QoS function, change the queue out weight of port ethernet 0/0/1 to 1:2:4:8, set the port in trust QoS mode without changing the DSCP value, and set the default
97. arried by Layer 2 802.1Q frames, taking 3 bits of the Tag field in the frame header, is called the user priority level, in the range 0 to 7.
[Fig. 22-1 CoS priority: Layer 2 802.1Q/p frame, Preamble, Start frame delimiter, DA, SA, Tag (3 bits used for CoS user priority), PT, Data, FCS]
ToS (Type of Service): a one-byte field carried in the Layer 3 IPv4 packet header to indicate the service type of the IP packet. The ToS field can carry either an IP Precedence value or a DSCP value.
[Fig. 22-2 ToS priority: Layer 3 IPv4 packet, Version, ToS (IP precedence or DSCP), …]
IP Precedence (IP priority): classification information carried in the Layer 3 IP packet header, occupying 3 bits, in the range 0 to 7.
DSCP (Differentiated Services Code Point): classification information carried in the Layer 3 IP packet header, occupying 6 bits, in the range 0 to 63; it is backward compatible with IP Precedence, since the precedence value is the upper 3 bits of the DSCP.
Classification: the entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs.
Policing: ingress QoS action that lays down the policing policy and manages the classified packets.
Remark: ingress QoS action that permits, degrades or discards packets according to the policing policies.
Queuing: egress QoS action that puts packets into the appropriate egress queues according to the packet CoS value.
Scheduling: egress QoS action that configures the weight for
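The bit positions named above (3 bits of CoS in the 802.1Q tag, 6 bits of DSCP or 3 bits of precedence in the ToS byte) are what a switch actually reads when it classifies a frame. The following is an added Python example written for this page, not code from the manual: it constructs a minimal tagged IPv4 frame and parses the same fields back out. The MAC and IP addresses are hypothetical.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(pcp, dscp, vlan=10, tagged=True, ecn=0):
    """Build a minimal Ethernet/IPv4 frame (constructed sample input, not a capture).

    With tagged=True an 802.1Q tag is inserted whose TCI carries PCP (3 bits, the CoS
    user priority), DEI (1 bit) and VID (12 bits). The IPv4 ToS byte carries DSCP in
    its upper 6 bits and ECN in the lower 2.
    """
    dst = bytes.fromhex("000111111111")  # hypothetical destination MAC
    src = bytes.fromhex("000133333333")  # hypothetical source MAC
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)
    # version/IHL, ToS, total length, id, flags/frag, TTL, protocol (UDP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 20, 0, 0, 64, 17, 0,
                         bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    if tagged:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)  # DEI bit left at 0
        tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
        return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def parse_priority(frame):
    """Extract the classification fields a switch looks at: CoS, VLAN, DSCP, IP precedence.
    Fields that are absent (untagged frame, non-IPv4 payload) are returned as None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"cos": None, "vlan": None, "dscp": None, "ip_precedence": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        result["cos"] = tci >> 13            # top 3 bits of the TCI, 0..7
        result["vlan"] = tci & 0x0FFF        # low 12 bits
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype == ETHERTYPE_IPV4:
        tos = frame[offset + 1]              # second byte of the IPv4 header
        result["dscp"] = tos >> 2            # upper 6 bits, 0..63
        result["ip_precedence"] = tos >> 5   # upper 3 bits, 0..7
    return result


def dscp_to_precedence(dscp):
    """Backward compatibility: IP precedence is the top 3 bits of the DSCP."""
    return (dscp & 0x3F) >> 3


def precedence_to_dscp(precedence):
    """The class-selector codepoint (CSx) that corresponds to an IP precedence value."""
    return (precedence & 0x7) << 3
```

Parsing build_frame(5, 46) yields CoS 5, VLAN 10, DSCP 46 (EF) and precedence 5: the ToS byte is 0xB8, and 0xB8 >> 5 equals 46 >> 3, which is exactly why a DSCP-aware and a precedence-only device agree on the precedence of the same packet.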
98. atus, or the device has just been connected to the port and Spanning Tree is still being calculated: wait until the Spanning Tree calculation finishes and the port will learn the MAC address. If none of the problems mentioned above apply, please check the switch port and contact technical support for a solution.
8.5 MAC Address Function Extension
8.5.1 MAC Address Binding
8.5.1.1 Introduction to MAC Address Binding
Most switches support MAC address learning: each port can dynamically learn several MAC addresses, so that data streams between known MAC addresses can be forwarded between ports. If a MAC address entry has aged out, a packet destined for that address is flooded (broadcast) instead. In other words, a MAC address learned on a port is used for forwarding on that port; if the connection is moved to another port, the switch learns the MAC address again and forwards data on the new port. However, in some cases a security or management policy may require MAC addresses to be bound to ports, so that only data streams from the bound MAC addresses are forwarded on those ports. That is to say, after a MAC address is bound to a port, only frames sourced from that MAC address are accepted on the binding port; frames from other MAC addresses that are not bound to the port are not allowed to pass through it.
8.5.1.2 MAC Address Binding Configuration
8.5.1.2.1 MAC Address Binding Configuration Task List
1. Enable MAC addres
99. ault value.
20.1.2 Monitor and Debug Command
20.1.2.1 show anti-netscan
Command: show anti-netscan
Function: Display the information of the defense against segment scanning.
Command Mode: Admin Mode.
Displayed Information / Explanation:
  Anti-netscan task interval: anti-netscan task interval in seconds
  Anti-netscan rate limit: message rate limit in pps
  Shut port: the list of shut ports
  Disabled IP: the disabled source IP list
  Total: the total number of disabled source IPs
Chapter 21 SNTP Configuration
The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet. NTP can assess packet send/receive delay in the network and independently estimate the computer's clock deviation, so as to achieve high accuracy in network computer clocking. In most cases NTP can provide accuracy from 1 to 50 ms, depending on the characteristics of the synchronization source and the network route. Simple Network Time Protocol (SNTP) is the simplified version of NTP, removing NTP's complex algorithms. SNTP is used for hosts that do not require full NTP functions; it is a subset of NTP. It is common practice to synchronize the clocks of several hosts in a local area network with other NTP hosts through the Internet, and to use those hosts to provide time synchronization service for other clients in the LAN. The figure be
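The show anti-netscan output above names the knobs of the defense (a task interval in seconds, a rate limit in pps, a shut-port list and a disabled-IP list) but not the decision rule. The following is an added Python detector written for this page, not the switch's implementation; it assumes a source is disabled when it contacts more distinct destinations within one interval than rate limit times interval allows, and its traffic sample is constructed.

```python
from collections import defaultdict, deque


def detect_netscan(events, interval=2, rate_limit=10):
    """Flag sources that contact too many distinct hosts too quickly.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, ingress_port), any order.
    A source is disabled when the number of distinct destinations it has contacted within
    the last `interval` seconds exceeds rate_limit * interval. That rule and the
    distinct-destination counting are assumptions made here; the manual only names the
    knobs. Returns a dict src -> time disabled and the set of ingress ports the disabled
    sources used (candidates for the shut-port list).
    """
    threshold = rate_limit * interval
    window = defaultdict(deque)      # src -> (ts, dst) pairs inside the interval
    disabled = {}
    offending_ports = set()
    for ts, src, dst, port in sorted(events):
        if src in disabled:
            continue                 # traffic from a disabled IP is dropped, not counted
        recent = window[src]
        recent.append((ts, dst))
        while recent and ts - recent[0][0] > interval:
            recent.popleft()         # slide the window
        if len({d for _, d in recent}) > threshold:
            disabled[src] = ts
            offending_ports.add(port)
    return disabled, offending_ports


def sample_events():
    """Constructed traffic: 10.0.0.5 sweeps 10.0.1.1-10.0.1.30 within one second (a segment
    scan), while 10.0.0.7 talks to three servers over and over (normal chatter)."""
    events = []
    for i in range(30):
        events.append((100.0 + i / 30, "10.0.0.5", f"10.0.1.{i + 1}", "Ethernet0/0/5"))
    for i in range(60):
        events.append((100.0 + i / 10, "10.0.0.7", f"10.0.2.{(i % 3) + 1}", "Ethernet0/0/7"))
    return events


if __name__ == "__main__":
    disabled, ports = detect_netscan(sample_events())
    print("Disabled IP:", sorted(disabled), "Shut port:", sorted(ports))
```

Counting distinct destinations rather than raw packets is what separates a host that is scanning from a busy but legitimate one: the chatty host sends 60 packets in the window but to only three addresses and is never disabled, while the scanner crosses the threshold on its 21st distinct target.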
100. bled by default.
Command mode: Admin Mode.
18.3.1.8 debug ip dhcp client
Command: debug ip dhcp client {events | packets}; no debug ip dhcp client {events | packets}
Function: Enables DHCP client debug information; the no debug ip dhcp client {events | packets} command disables the debug information for the DHCP client.
Default: Debug information is disabled by default.
Command mode: Admin Mode.
18.3.2 DHCP Troubleshooting
If DHCP clients cannot obtain IP addresses and other network parameters, the following procedure can be followed once the DHCP client hardware and cables have been verified:
Verify that the DHCP server is running; start the DHCP server if it is not.
If the DHCP clients and servers are not in the same physical network, verify that the router responsible for DHCP packet forwarding has the DHCP relay function. If DHCP relay is not available on the intermediate router, it is recommended to replace the router or upgrade its software to one that has a DHCP relay function. In that case the DHCP server should be examined for an address pool in the same segment as the switch VLAN; such a pool should be added if not present. (This does not mean that the SS2R24/48G4i switch cannot assign IP addresses for different segments; see solution 2 for details.)
In the DHCP service, pools for dynamic IP allocation and manual binding conflict, i.e. if the commands network-address and
101. cket suppression function.
7.2.2 VLAN Interface Configuration
7.2.2.1 VLAN Interface Configuration Task List
1. Enter VLAN Mode
2. Configure the IP address for the VLAN interface and enable the VLAN interface
1. Enter VLAN Mode. Command / Explanation (Global Mode):
  interface vlan <vlan-id> / no interface vlan <vlan-id>: Enters VLAN Interface Mode; the no interface vlan <vlan-id> command deletes the specified VLAN interface.
2. Configure the IP address for the VLAN interface and enable the VLAN interface. Command / Explanation (VLAN Mode):
  ip address <ip-address> <mask> [secondary] / no ip address <ip-address> <mask>: Configures the VLAN interface IP address; the no ip address <ip-address> <mask> command deletes the VLAN interface IP address.
  shutdown / no shutdown: Disables / enables the VLAN interface.
7.2.3 Port Mirroring Configuration
7.2.3.1 Introduction to Port Mirroring
Port mirroring refers to the duplication of data frames sent or received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port as the mirror destination port. A protocol analyzer (such as Sniffer) or an RMON monitoring instrument is often attached to the mirror destination port to monitor, manage and diagnose the network. The SS2R24/48G4i switch supports o
102. client software adopts the AMER.COM private 802.1x authentication message format; the no dot1x privateclient enable command disables this function and thus allows the client software to adopt the standard 802.1x authentication message format.
  dot1x user free-resource …: Set the limited resources that can be accessed by users; the no dot1x user free-resource command deletes the limited resources.
2. Access management unit property configuration
1. Configure port authentication status. Command / Explanation (Global Mode):
  dot1x port-control {auto | force-authorized | force-unauthorized | vlanstyle} / no dot1x port-control: Configures the 802.1x authorized status; the no dot1x port-control command restores the default configuration.
Configure the port access management method. Command / Explanation (Global Mode):
  dot1x port-method {macbased | portbased | userbased {standard | advanced}} / no dot1x port-method: Sets the port access management method; the no dot1x port-method command restores MAC-based access management.
  dot1x max-user macbased <number> / no dot1x max-user macbased: Sets the maximum number of access users for the specified port; the no dot1x max-user macbased command restores the default setting of allowing 1 user.
3. dot1x max-user userbased <number> / no dot1x max-user userbased: Set the maximum number of
103. connection to one remote host. If a connection to another remote host is desired, the current TCP connection must be dropped.
5.2.2.2 Telnet Configuration Task List
1. Configuring Telnet Server
2. Telnet to a remote host from the switch
1. Configuration of Telnet Server. Command / Explanation (Global Mode):
  telnet-server enable / no telnet-server enable: Enable the Telnet server function in the switch; the no telnet-server enable command disables the Telnet function.
  telnet-user <user-name> password {0 | 7} <password> / no telnet-user <user-name>: Configure the username and password to log in to the switch through Telnet; the no telnet-user <user-name> command removes the authorized Telnet user.
  telnet-server securityip <ip-addr> / no telnet-server securityip <ip-addr>: Configure the secure IP address allowed to log in to the switch through Telnet; the no telnet-server securityip <ip-addr> command deletes the authorized Telnet secure address.
  authentication login {local | radius | local radius | radius local} / no authentication login: Configure the authentication mode for remote login.
  monitor / no monitor (Admin Mode): Display debug information for the Telnet client logged in to the switch; the no monitor command disables the debug information.
2. Telnet to a remote host from the switch. Command / Explanation (A
104. control access-group 5000
  Switch(Config)# interface ethernet 0/0/25
  Switch(Config-If-Ethernet0/0/25)# ip multicast source-control access-group 5001
Destination control: we can configure as follows if we want to prevent the users in the 10.0.0.0/8 segment from joining the group range 238.0.0.0/8. First enable IGMP snooping in the VLAN they are in (assumed to be VLAN 2):
  Switch(Config)# ip igmp snooping
  Switch(Config)# ip igmp snooping vlan 2
Then configure the destination control ACL and apply the ACL to the specified IP range:
  Switch(Config)# access-list 6000 deny ip any 238.0.0.0 0.255.255.255
  Switch(Config)# access-list 6000 permit ip any any
  Switch(Config)# ip multicast destination-control
  Switch(Config)# ip multicast destination-control 10.0.0.0 0.255.255.255 access-group 6000
Thus the users of this segment can only join groups other than 238.0.0.0/8.
3. Multicast policy: server 210.1.1.1 is sending important multicast data to the group 239.1.2.3; we can configure as follows on its access switch:
  Switch(Config)# ip multicast policy 210.1.1.1 0.0.0.0 239.1.2.3 0.0.0.0 cos 4
Thus when the multicast stream passes over the trunk of this switch to other switches it is carried at priority 4, which is usually a high priority. The higher priorities are normally used for protocol data; if multicast data is given a higher priority, a large volume of multicast data may cause abnormal behaviour of the switch protocols.
13.4 DCSCM Troubleshooting
13.4.1 DCSCM Debu
105. d IP access list:
  ip access-list extended <name> / no ip access-list extended <name>
b. Specify multiple permit or deny rules. Command / Explanation (Extended IP ACL Mode):
  … host-destination <dIpAddr>} [d-port <dPort>] [ack | fin | psh | rst | urg | syn] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
  [no] {deny | permit} icmp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based ICMP IP access rule; the no form command deletes this name-based extended IP access rule.
  [no] {deny | permit} igmp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based IGMP IP access rule; the no form command deletes this name-based extended IP access rule.
  [no] {deny | permit} tcp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} …: Creates an extended name-based TCP IP access rule … <dMask
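Both the destination-control example (access-list 6000 applied to 10.0.0.0 0.255.255.255) and the extended rule syntax above depend on the same two things: wildcard-mask matching, where a 1 bit in the mask means "don't care", and first-match evaluation of an ordered rule list. The following is an added Python evaluator written for this page, not the switch's ACL engine; it assumes an implicit deny after the last rule (which is why the manual's example ends with permit ip any any), and the IGMP join inputs are constructed.

```python
import ipaddress


def _addr_int(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(address, base, wildcard):
    """Wildcard-mask match as used by access-list rules: a 1 bit in the wildcard means
    'don't care', so 238.0.0.0 0.255.255.255 covers the whole of 238.0.0.0/8."""
    care = ~_addr_int(wildcard) & 0xFFFFFFFF
    return (_addr_int(address) & care) == (_addr_int(base) & care)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    The name-based spellings (any-source, host-destination, ...) are accepted too."""
    if tokens[0] in ("any", "any-source", "any-destination"):
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] in ("host", "host-source", "host-destination"):
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_rule(line):
    """Parse one rule such as 'access-list 6000 deny ip any 238.0.0.0 0.255.255.255'
    or the name-based form 'permit icmp host 10.1.1.1 any'. Only action, protocol,
    source and destination are modelled; port, flag, precedence and tos options are not."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]             # drop 'access-list <number>'
    action, protocol = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    source, tokens = _take_address(tokens[2:])
    destination, tokens = _take_address(tokens)
    return {"action": action, "protocol": protocol, "src": source, "dst": destination}


def evaluate_acl(rules, src_ip, dst_ip, protocol="ip"):
    """First matching rule wins; a rule for 'ip' matches every protocol. Traffic matching
    no rule is denied (implicit deny, assumed here)."""
    for rule in rules:
        if rule["protocol"] not in ("ip", protocol):
            continue
        if wildcard_match(src_ip, *rule["src"]) and wildcard_match(dst_ip, *rule["dst"]):
            return rule["action"]
    return "deny"


def igmp_join_allowed(host_ip, group_ip, destination_control):
    """ip multicast destination-control <net> <wildcard> access-group <acl>: the first
    entry whose segment covers the joining host decides through its ACL, with the host as
    source and the group as destination. Hosts covered by no entry are not policed."""
    for (base, wildcard), rules in destination_control:
        if wildcard_match(host_ip, base, wildcard):
            return evaluate_acl(rules, host_ip, group_ip, "igmp") == "permit"
    return True


# The manual's destination-control example, as data.
ACL_6000 = [parse_rule(line) for line in (
    "access-list 6000 deny ip any 238.0.0.0 0.255.255.255",
    "access-list 6000 permit ip any any",
)]
DESTINATION_CONTROL = [(("10.0.0.0", "0.255.255.255"), ACL_6000)]

if __name__ == "__main__":
    for host, group in (("10.1.2.3", "238.5.5.5"), ("10.1.2.3", "239.1.2.3"), ("192.168.1.1", "238.5.5.5")):
        print(host, "->", group, "allowed" if igmp_join_allowed(host, group, DESTINATION_CONTROL) else "denied")
```

Note the check a practitioner should make when writing such rules: the wildcard is the inverse of a netmask, so 0.255.255.255 is /8 and 0.0.0.0 is a single host; getting this backwards (255.0.0.0) silently matches almost nothing, and a rule list without a trailing permit denies everything that is not explicitly listed.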
106. d5 | sha} <password-string>: Add a user to an SNMP group; this command is used to configure USM for SNMPv3.
  no snmp-server user <user-string> <group-string>
6. Configure group. Command / Explanation:
  snmp-server group <group-string> {NoauthNopriv | AuthNopriv | AuthPriv} [read <read-string>] [write <write-string>] [notify <notify-string>] / no snmp-server group <group-string> {NoauthNopriv | AuthNopriv | AuthPriv}: Set the group information on the switch; this command is used to configure VACM for SNMPv3.
7. Configure view. Command / Explanation:
  snmp-server view <view-string> <oid-string> {include | exclude} / no snmp-server view <view-string>: Configure a view on the switch; this command is used for SNMPv3.
8. Configuring TRAP. Command / Explanation:
  snmp-server enable traps / no snmp-server enable traps: Enable the switch to send Trap messages; this command is used for SNMP v1/v2/v3.
  snmp-server host <host-address> {v1 | v2c | v3 {NoauthNopriv | AuthNopriv | AuthPriv}} <user-string> / no snmp-server host <host-address> {v1 | v2c | v3 {NoauthNopriv | AuthNopriv | AuthPriv}} <user-string>: Set the host IPv4/IPv6 address which is used to receive SNMP Trap information. For SNMP v1/v2 this command also configures the Trap community string; for SNMPv3 this command also configures the Trap user nam
107. de.
  Ctrl+C: Break the ongoing command process, such as ping or another command execution.
  Tab: When a string for a command or keyword is entered, Tab can be used to complete the command or keyword if there is no conflict.
  Perform a command of the previous mode, such as a show command of Admin Mode under Config Mode: Switch(Config)# show run
  Perform a command of the previous mode, such as a show command of Admin Mode under Port Config Mode: Switch(Config-Port-Range)# show clock
4.2.1.4 Help Function
There are two ways in the SS2R24/48G4i switch for the user to access help information: the help command and the "?".
Access to Help / Usage and function:
  help: Under any command line prompt, type in help and press Enter to get a brief description of the associated help system.
  ?: 1. Under any command line prompt, enter ? to get a command list of the current mode with related brief descriptions. 2. Enter a ? after a command keyword, separated by a space: if the position should be a parameter, a description of that parameter (type, scope, etc.) is returned; if the position should be a keyword, a set of keywords with brief descriptions is returned; if the output is <cr>, the command is complete and pressing Enter runs it. 3. A ? immediately following a string displays all the commands that begin with that string.
4.2.1.5 Input
108. dmin Mode):
  telnet {<ip-addr> | <ip-hostname>} [<port>]: Log in to a remote host with the Telnet client included in the switch.
5.2.2.3 Commands for Telnet
5.2.2.3.1 authentication login
Command: authentication login {local | radius | local radius | radius local}; no authentication login
Function: Configure the Telnet server's password authentication mode and the privilege of remote access users; the no authentication login command resets it to the default authentication mode.
Default Setting: The default access authentication mode is local.
Command Mode: Global Mode.
Related Commands: aaa enable, radius-server authentication host
5.2.2.3.2 monitor
Command: monitor; no monitor
Function: Make Telnet clients display debug information and stop Console clients from displaying it. The no monitor command disables the Telnet client debug display and restores the Console client debug display.
Command Mode: Admin Mode.
Related Command: telnet-user
5.2.2.3.3 telnet
Command: telnet {<ip-addr> | <ip-hostname>} [<port>]
Parameters: <ip-addr> is the IP address of the remote host in dotted decimal notation; <ip-hostname> is the name of the remote host, containing at most 30 characters; <port> is the port number, ranging between 0 and 65535.
Command Mode: Admin Mode.
Related Command: ip host
5.2.2.3.4 telnet-server enable
Co
109. e and security level.
  AuthPriv <user-string>
9. Enable/Disable RMON. Command / Explanation:
  rmon enable / no rmon enable: Enable/disable RMON.
5.4.5 Typical SNMP Configuration Examples
The IP address of the NMS is 1.1.1.5; the IP address of the switch (Agent) is 1.1.1.9.
Scenario 1: The NMS (network administrative software) uses SNMP to obtain data from the switch. The configuration on the switch is:
  Switch(config)# snmp-server enable
  Switch(Config)# snmp-server community rw private
  Switch(Config)# snmp-server community ro public
  Switch(Config)# snmp-server securityip 1.1.1.5
The NMS can use "private" as the community string to access the switch with read/write permission, or "public" as the community string to access the switch with read-only permission. Note that with SNMPv1/v2c the community string travels in cleartext in every packet, and "public"/"private" are well-known defaults; the securityip restriction therefore matters, and SNMPv3 (scenario 3) should be preferred outside a lab.
Scenario 2: The NMS will receive Trap messages from the switch. Note: the NMS may verify a community string on the Trap messages; in this scenario the NMS uses the Trap verification community string dcntrap. The configuration on the switch is:
  Switch(config)# snmp-server enable
  Switch(Config)# snmp-server host 1.1.1.5 v1 dcntrap
  Switch(Config)# snmp-server enable traps
Scenario 3: The NMS uses SNMPv3 to obtain information from the switch. The configuration on the switch is:
  Switch(config)# snmp-server enable
  Switch(Config)# snmp-server user tester DCNGrou
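Scenario 3 and the snmp-server user command that configures USM (auth md5 or sha with a password) raise the question of what the agent actually stores. It is not the password: RFC 3414 turns the password into a key Ku by hashing it repeated to 1 MiB, then localizes it with the agent's snmpEngineID. The following is an added Python implementation written for this page, not the switch's code; the engine ID and password are the RFC 3414 appendix test vectors, not values from this manual.

```python
import hashlib


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1,048,576 bytes.
    The expansion is what makes brute force against a captured localized key slow."""
    if not password:
        raise ValueError("empty password")
    length = 1048576
    repeats, remainder = divmod(length, len(password))
    return hashlib.new(hash_name, password * repeats + password[:remainder]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent stores, bound to its engine ID,
    so the same password yields a different key on every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id: bytes, auth_protocol: str) -> bytes:
    """Localized authentication key for 'snmp-server user ... auth {md5 | sha} <password>'."""
    hash_name = {"md5": "md5", "sha": "sha1"}[auth_protocol]
    return localize_key(password_to_key(password.encode(), hash_name), engine_id, hash_name)


# RFC 3414 A.3 test vector (not a value from this manual).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for proto in ("md5", "sha"):
        print(proto, usm_auth_key("maplesyrup", RFC_ENGINE_ID, proto).hex())
```

The practical consequence for an operator: a localized key lifted from one switch's configuration or memory does not authenticate to a switch with a different engine ID, but a weak password does, on every device where it is reused, so the strength of the password still matters even though it never leaves the box.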
110. e, including the system image file and the boot file. The system image file is the compressed file for the switch hardware driver and software support program, usually referred to as the IMAGE upgrade file. In the SS2R24/48G4i switch the system image file may be saved in FLASH only. The switch mandates that the name of the system image file uploaded via FTP in Global Mode be nos.img; other IMAGE system files are rejected. The boot file is the file that initializes the switch, also referred to as the ROM upgrade file. A large file can be compressed as an IMAGE file. In the SS2R24/48G4i switch the boot file may be saved in ROM only; the switch mandates that the name of the boot file be boot.rom.
Configuration files include the start-up configuration file and the running configuration file. The distinction between them facilitates backing up and updating the configuration. The start-up configuration file is the configuration sequence used at switch start-up; in the SS2R24/48G4i switch it is stored in FLASH only, corresponding to the so-called configuration save. To prevent illicit file upload and to make configuration easier, the switch mandates that the name of the start-up configuration file be startup-config. The running configuration file is the configuration sequence currently in use in the switch. In the SS2R24/48G4i switch the running con
111. e-out method and weight: configure queue-out as PQ or WRR, set the bandwidth proportion of the 8 egress queues, and set the mapping from internal priority to egress queue.
6. Configure QoS mapping: configure the mapping from CoS to DSCP, DSCP to CoS, DSCP to DSCP mutation, IP precedence to DSCP and policed DSCP.
1. Enable QoS. Command / Explanation (Global Mode):
  mls qos / no mls qos: Enable/disable the QoS function.
2. Configure class map. Command / Explanation (Global Mode):
  class-map <class-map-name> / no class-map <class-map-name>: Create a class map and enter class-map mode; the no class-map <class-map-name> command deletes the specified class map.
  match {access-group <acl-index-or-name> | ip dscp <dscp-list> | ip precedence <ip-precedence-list> | vlan <vlan-list> | cos <cos-list>} / no match {access-group | ip dscp | ip precedence | vlan | cos}: Set the matching criterion, classifying the data stream by ACL, DSCP, VLAN or priority etc. for the class map; the no match {access-group | ip dscp | ip precedence | vlan | cos} command deletes the specified matching criterion.
3. Configure a policy map. Command / Explanation (Global Mode):
  policy-map <policy-map-name> / no policy-map <policy-map-name>: Create a policy map and enter policy-map mode; the no policy-map <policy-map-name> command deletes the specified policy ma
112. e sent by PC3, a mapping entry for MAC address 00-01-33-33-33-33 and port 12 is added to the MAC table.
4. Now the MAC table has two dynamic entries: MAC address 00-01-11-11-11-11 on port 5 and 00-01-33-33-33-33 on port 12.
5. After the communication between PC1 and PC3 the switch receives no further frames from PC1 or PC3, and their MAC address mapping entries are deleted from the MAC table after 300 seconds. 300 seconds is the default aging time for MAC address entries in the SS2R24/48G4i switch; the aging time can be modified on the switch.
8.1.2 Forward or Filter
The switch forwards or filters received data frames according to the MAC table. Taking the above figure as an example, assume the DCN switch has learnt the MAC addresses of PC1 and PC3 and the user has manually configured the port mappings for PC2 and PC4. The MAC table of the DCN switch will then be:
  MAC Address / Port number / Entry added by
  00-01-11-11-11-11 / 5 / Dynamic learning
  00-01-22-22-22-22 / 5 / Static configuration
  00-01-33-33-33-33 / 12 / Dynamic learning
  00-01-44-44-44-44 / 12 / Static configuration
Forward data according to the MAC table: if PC1 sends a frame to PC3, the switch forwards the data received on port 5 out of port 12.
Filter data according to the MAC table: if PC1 sends a frame to PC2, the switch, on checking the MAC table, finds that PC2 and PC1 are in the same physical segment and filters t
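The learning, aging and forward-or-filter behaviour just described, together with the MAC address binding rule from section 8.5.1.1 (a port with bound MACs accepts frames only from those MACs), can be modelled in a few dozen lines. The following is an added Python model written for this page, not the switch's forwarding code; it uses the manual's PC1 to PC4 addresses and ports as its sample input and assumes a bound MAC behaves like a static entry and that broadcast and unknown destinations are flooded.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class MacTable:
    """Switch MAC table with dynamic learning, static entries, aging and port binding.
    Written for this page; the 300 s default aging time is the one the manual states."""

    def __init__(self, aging_time=300):
        self.aging_time = aging_time
        self.entries = {}    # mac -> {"port": p, "static": bool, "seen": last-seen time}
        self.bindings = {}   # port -> set of MACs bound to it (MAC address binding)

    def add_static(self, mac, port):
        """Manually configured entry: never aged, never overwritten by learning."""
        self.entries[mac] = {"port": port, "static": True, "seen": None}

    def bind(self, mac, port):
        """Bind mac to port; the port then accepts frames only from its bound MACs."""
        self.bindings.setdefault(port, set()).add(mac)
        self.add_static(mac, port)

    def age_out(self, now):
        """Drop dynamic entries not refreshed within the aging time; return what was dropped."""
        expired = [mac for mac, entry in self.entries.items()
                   if not entry["static"] and now - entry["seen"] > self.aging_time]
        for mac in expired:
            del self.entries[mac]
        return expired

    def receive(self, now, in_port, src_mac, dst_mac):
        """Process one frame. Returns ('drop', None) for a binding violation,
        ('flood', None) for broadcast or unknown destinations, ('filter', None) when
        source and destination are on the same port, or ('forward', out_port)."""
        self.age_out(now)
        if in_port in self.bindings and src_mac not in self.bindings[in_port]:
            return ("drop", None)
        entry = self.entries.get(src_mac)
        if entry is None or not entry["static"]:
            # learn the source, or refresh it (also moves it if it appeared on a new port)
            self.entries[src_mac] = {"port": in_port, "static": False, "seen": now}
        if dst_mac == BROADCAST or dst_mac not in self.entries:
            return ("flood", None)
        out_port = self.entries[dst_mac]["port"]
        if out_port == in_port:
            return ("filter", None)
        return ("forward", out_port)


# The manual's sample hosts (constructed walk-through input).
PC1, PC2, PC3, PC4 = "00:01:11:11:11:11", "00:01:22:22:22:22", "00:01:33:33:33:33", "00:01:44:44:44:44"

if __name__ == "__main__":
    table = MacTable()
    table.add_static(PC2, 5)
    table.add_static(PC4, 12)
    for now, port, src, dst in ((0, 5, PC1, PC3), (1, 12, PC3, PC1), (2, 5, PC1, PC3), (3, 5, PC1, PC2), (400, 5, PC1, PC3)):
        print(now, port, src, "->", dst, table.receive(now, port, src, dst))
```

The last step of the walk-through is the one worth checking: at t=400 both dynamic entries have aged out, so a frame from PC1 to PC3 is flooded again until PC3 answers, while the static entries for PC2 and PC4 survive. The binding case shows the security property from 8.5.1.1: a frame from an unbound MAC on a bound port is dropped before any learning happens, so an attacker cannot even poison the table from that port.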
113. e switch. For a detailed description of the commands please refer to the following chapters.
4.1.2 In-band Management
In-band management refers to managing the switch by logging in to it using Telnet. In-band management lets devices attached to the switch manage it. When in-band management fails due to switch configuration changes, out-of-band management can be used to configure and manage the switch.
4.1.2.1 Management via Telnet
To manage the switch with Telnet, the following conditions should be met:
1. The switch has an IP address configured.
2. The host IP address (Telnet client) and the switch's VLAN interface IP address are in the same network segment.
3. If condition 2 is not met, the Telnet client can reach an IP address of the switch via other devices, such as a router.
The SS2R24/48G4i switches are Layer 2 switches that can be configured with several IP addresses. The following example assumes the shipment state of the switch, where only VLAN1 exists in the system, and describes the steps for a Telnet client to connect to the switch's VLAN 1 interface by Telnet.
[Fig. 4-5 Manage the switch by Telnet]
Step 1: Configure the IP addresses for the switch. First comes the configuration of the host IP address, which should be within the same network segment as the switch VLAN1 interface IP address. Suppose the switch VLAN interface IP address is 10.1.128.251
114. e the ARP debug function; the no debug arp command disables this debug function.
Default: ARP debug is disabled by default.
Command mode: Admin Mode.
23.2.2.2 ARP Troubleshooting Help
If a ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and solution: check whether the corresponding ARP entry has been learned by the switch. If the ARP entry has not been learned, enable ARP debug information and view the sending/receiving condition of ARP packets.
115. eck the positioning of the switch after installation to avoid the aforementioned.
Caution: if a standard 19-inch rack is not available, the switch can be placed on a clean, level desktop; leave a clearance of 10 mm around the switch for ventilation and do not place anything on top of the switch.
2.1.2 Installation Notice
Read through the installation instructions carefully before operating on the system. Make sure the installation materials and tools are prepared and the installation site is well prepared. During the installation users must use the brackets and screws provided in the accessory kit. Users should use the proper tools to perform the installation. Users should always wear antistatic clothing and ESD wrist straps. Users should use standard cables and connectors. After the installation users should clean the site. Before powering on the switch users should ensure the switch is well grounded. Users should maintain the switch regularly to extend its lifespan.
2.1.3 Security Warnings
When using an SFP transceiver, do not stare directly into the fiber bore when the switch is in operation; otherwise the laser may injure your eyes. Do not attempt to conduct operations which can damage the switch or cause physical injury. Do not install, move or disassemble the switch and its modules when the switch is in operation. Do not open the switch shell. Do not drop metal
116. ect 5 in the SNMP configuration menu and press Enter; the following screen appears: "Please input the new NMS IP address: A.B.C.D". When a valid secure IP address for the SNMP management workstation is entered, press Enter to return to the SNMP configuration menu. Selecting 6 in the SNMP configuration menu returns to the Setup main menu.
3.3.6 Exiting Setup Configuration Mode
Select 5 in the Setup main menu to exit the Setup configuration mode without saving the configurations made. Selecting 6 in the Setup main menu exits the Setup configuration mode and saves the configurations made; this is equivalent to running the write command. For instance, if under the Setup configuration mode the user sets a Telnet user, enables the Telnet service and selects 5 to exit the Setup main menu, he or she will be able to configure the switch through Telnet from a terminal. When exiting the Setup configuration mode, the CLI configuration interface appears. Configuration commands and syntax are described in detail in later chapters.
Chapter 4 Switch Management
4.1 Management Options
After purchasing the switch, the user needs to configure it for network management. The SS2R24/48G4i switch provides two management options: in-band management and out-of-band management.
4.1.1 Out-of-band Management
Out-of-band management is management through
117. er of ports allowed in a group
  Number of port channels: whether aggregated to a port channel or not
  Max port channels: the maximum number of port channels that can be formed by the port group
2. Display detailed information for port group 1. Displayed information / Explanation:
  actor_port_agg_id: the channel number to add the port to; if the port cannot be added to the channel due to inconsistent parameters between the port and the channel, 3 is displayed
  mac_type: port type, standard Ethernet port or fiber optical distributed data interface
  speed_type: port speed type, 10 Mbps, 100 Mbps, 1000 Mbps or 10 Gbps
  duplex_type: port duplex mode, full duplex or half duplex
  port_type: port VLAN property, access port or trunk port
  Status of the port binding state machine, the port receiving state machine and the port sending state machine
3. Display load balance information for port group 1
4. Display member port information for port group 1. Displayed information / Explanation:
  Aggregation: whether aggregation is possible for the port; 0 for an independent port that does not allow aggregation
  Synchronization: whether the port is synchronized with the partner end
  Collecting: whether the port's bound state machine is collecting or not
  Distributing: whether the port's bound state machine is distributing or not
  Defaulted: whether the local port is using default partner end parameters
  Whether the port receivin
118. es for AM; each port can be configured with 507 entries at most. The AM resource requires that the IP addresses and MAC addresses configured by users not conflict, that is, different users on the same switch cannot have the same IP or MAC configuration.
Chapter 17 Port Channel Configuration
17.1 Introduction to Port Channel
To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in the Port Group can take part in link aggregation and become member ports of a Port Channel. Logically a Port Group is not a port but a port sequence. Under certain conditions the physical ports in a Port Group perform port aggregation to form a Port Channel, which has all the properties of a logical port and therefore becomes an independent logical port. Port aggregation is a process of logical abstraction: a set of ports (a port sequence) with the same properties is abstracted into one logical port. A Port Channel is a collection of physical ports used logically as one physical port. A Port Channel can be used as a normal port by the user; it not only adds bandwidth but also provides link backup. Port aggregation is usually used when the switch is connected to routers, PCs or other switches.
[Fig. 17-1 Port aggregation]
As shown in the above figure, Switch1 is aggregated to a Port Channel; the bandwidth of this Port C
119. ess> is the IP address that has a conflict record; all stands for all addresses that have conflict records.
Command mode: Admin Mode.
Related Commands: ip dhcp conflict logging, show ip dhcp conflict
18.3.1.3 clear ip dhcp server statistics
Command: clear ip dhcp server statistics
Function: Deletes the statistics for the DHCP server (clears the DHCP server counters).
Command mode: Admin Mode.
Related Command: show ip dhcp server statistics
18.3.1.4 show ip dhcp binding
Command: show ip dhcp binding
Function: Displays IP/MAC binding information.
Command mode: Admin Mode.
Displayed information / Explanation:
  IP address: IP address assigned to a DHCP client
  Hardware address: MAC address of a DHCP client
  Lease expiration: the time for which the DHCP client may hold the IP address
  Type: type of assignment, manual binding or dynamic assignment
18.3.1.5 show ip dhcp conflict
Command: show ip dhcp conflict
Function: Displays log information for addresses that have a conflict record.
Command mode: Admin Mode.
Displayed information / Explanation:
  IP Address: conflicting IP address
  Detection method: method by which the conflict was detected
  Detection Time: time when the conflict was detected
18.3.1.6 show ip dhcp server statistics
Command: show ip dhcp server statistics
Function: Displays statistics of all DHCP packets for a DHCP server.
Command mode: Admin Mode.
Displayed information / Explanation:
120. estination host name: a character string of numbers and letters; blanks are not allowed; the length of the string is from 1 to 30.
Default: send 5 ICMP request packets; the packet size is 56 bytes; the timeout is 2 seconds.
Command mode: Admin Mode.
5.2.2 Telnet
5.2.2.1 Introduction to Telnet
Telnet is a simple remote terminal protocol for remote login. Using Telnet, a user can log in to a remote host by its IP address or hostname from his own workstation. Telnet sends the user's keystrokes to the remote host and the remote host's output to the user's screen through a TCP connection. To the user this is a transparent service: the keyboard and monitor seem to be connected to the remote host directly. Note that Telnet provides no encryption: the username, password and the whole session travel in cleartext, which is why access should be restricted to trusted management addresses (see telnet-server securityip). Telnet employs the client/server model: the local system is the Telnet client and the remote host is the Telnet server. The SS2R24/48G4i switch can be either the Telnet server or the Telnet client. When the switch is used as the Telnet server, the user can use the Telnet client program included in Windows or other operating systems to log in to the switch, as described earlier in the In-band Management section. As a Telnet server the switch allows up to 5 Telnet client TCP connections. As a Telnet client, the telnet command under Admin Mode allows the user to log in to other remote hosts; the switch can only establish one TCP
121. …ets. In the IEEE 802.1x application environment, SS2R24/48G4i switch is used as the access management unit and the user connection device is the device with 802.1x client software. An authenticating server usually resides in the Carrier's AAA center and usually is a Radius server. The difference between user access: MAC-based IEEE 802.1x authentication is implemented in SS2R24/48G4i switch for better security and management. Only authenticated user access devices connecting to the same physical port can access the network; the unauthorized devices will not be able to access the network. In this way, even if multiple terminals are connected via one physical port, SS2R24/48G4i switch can still authenticate and manage each user access device individually. User-based (IP address + MAC address + port) 802.1x authentication function is implemented on the base of MAC-based 802.1x authentication function, allowing users to access restricted resources before being authenticated. For user-based access control mode there are two modes: standard control and advanced control. User-based standard control type does not limit the access to restricted resources: all the users of the port can access restricted resources before being authenticated, and after being authenticated users can access all the resources; while the user-based advanced control will limit the access to restricted resources: only special users of the port can acce
122. …f Introduction. Fig 1.1 SS2R24G4i switch. Fig 1.2 SS2R48G4i switch. 1.1.1 Overview. The SS2R24/48G4i switch (Intelligent Stackable Secure Ethernet Access Switch) can not only be utilized in large-scale enterprise networks, campus networks and metropolitan area networks as access equipment, but also can meet the demand for network of medium-scale office environment. This series of switch has unique network access functions and flexible management of network, including MAC binding, filtering, limiting the total number of MAC addresses, IEEE802.1Q VLAN, PVLAN, IEEE802.1x access authentication, QoS, ACL, bandwidth control, IEEE802.3ad TRUNK, IGMP Snooping, broadcast storm control, IEEE802.1d/w spanning tree, port mirroring and so on. 1.1.2 Features and Benefits. MAC Address Control: Besides the standard dynamic learning capability of MAC address, the SS2R24/48G4i switch also supports several other methods of management based on the MAC address list. The MAC address binding function can restrict the MAC addresses of access equipment connected to a port in order to keep access secure. The MAC address filtering function can filter according to source and destination MAC addresses to block the invalid access equipment. VLAN Configuration: The switch supports standard IEEE802.1Q VLAN, port-protect VLAN and PVLAN. IEEE802.1Q VLAN can divide ports into several VLAN groups, the upper limit of which is 4094. It can
123. …figuration file stores in the RAM. In the current version, the running configuration sequence (running-config) can be saved from the RAM to FLASH by the write command or the copy running-config startup-config command, so that the running configuration sequence becomes the start-up configuration file; this is called configuration save. To prevent illicit file upload and for easier configuration, SS2R24/48G4i switch mandates the name of the running configuration file to be running-config. Factory configuration file: The configuration file shipped with SS2R24/48G4i switch in the name of factory-config. Run set default and write and restart the switch; the factory configuration file will be loaded to overwrite the current start-up configuration file. 5.5.2.2 FTP/TFTP Configuration. The configurations of SS2R24/48G4i switch as FTP and TFTP clients are almost the same, so the configuration procedures for FTP and TFTP are described together in this manual. 5.5.2.2.1 FTP/TFTP Configuration Task List. 1. FTP/TFTP client configuration: upload/download the configuration file or system file; (1) for FTP client, server file list can be checked. 2. FTP server configuration: (1) Start FTP server; (2) Configure FTP login username and password; (3) Modify FTP server connection idle time; (4) Shut down FTP server. 3. TFTP server configuration: (1) Start TFTP server; (2) Configure TFTP server connection idle time; (3) Configure retran
124. …freevlan of the switch; the no dot1x freevlan command is used to disable the 802.1x freevlan function. 3. Supplicant related property configuration. Command / Explanation (Global Mode): dot1x max-req <count>; no dot1x max-req: Sets the number of EAP request/MD5 frames to be sent before the switch re-initials authentication on no supplicant response; the no dot1x max-req command restores the default setting. dot1x re-authentication; no dot1x re-authentication: Enables periodical supplicant authentication; the no dot1x re-authentication command disables this function. dot1x timeout quiet-period <seconds>; no dot1x timeout quiet-period: Sets time to keep silent on port authentication failure; the no dot1x timeout quiet-period command restores the default value. dot1x timeout re-authperiod <seconds>; no dot1x timeout re-authperiod: Sets the supplicant re-authentication interval; the no dot1x timeout re-authperiod command restores the default setting. dot1x timeout tx-period <seconds>; no dot1x timeout tx-period: Sets the interval for the supplicant to re-transmit EAP request/identity frame; the no dot1x timeout tx-period command restores the default setting. (Admin Mode) dot1x re-authenticate interface <interface-name>: Enables IEEE 802.1x re-authentication; no
125. …function. Command / Explanation: snmp-server enable; no snmp-server enable: Enable the SNMP Agent function on the switch; the no snmp-server enable command disables the SNMP Agent function on the switch. 2. Configure SNMP community string. Command / Explanation: snmp-server community {ro|rw} <string>; no snmp-server community <string>: Configure the community string for the switch; the no snmp-server community <string> command deletes the configured community string. 3. Configure IP address of SNMP management base. Command / Explanation: snmp-server securityip <ip-address>; no snmp-server securityip <ip-address>: Configure the secure IPv4/IPv6 address which is allowed to access the switch on the NMS; the no snmp-server securityip <ip-address> command deletes the configured secure address. snmp-server SecurityIP enable; snmp-server SecurityIP disable: Enable or disable the secure IP address check function on the NMS. 4. Configure engine ID. Command / Explanation: snmp-server engineid <engine-string>; no snmp-server engineid <engine-string>: Configure the local engine ID on the switch. This command is used for SNMP v3. 5. Configure user. Command / Explanation: snmp-server user <user-string> <group-string> [encrypted] [auth m
126. …g address manually. client-name <name>; no client-name: Configures a client name when binding address manually. Enable logging for address conflicts. Command / Explanation (Global Mode): ip dhcp conflict logging; no ip dhcp conflict logging: Enables logging for DHCP address to detect address conflicts. (Admin Mode) clear ip dhcp conflict <address|all>: Deletes a single address conflict record or all conflict records. 4. Configure count of ping packets and timeout. Command / Explanation (Global Mode): ip dhcp ping packets <count>; no ip dhcp ping packets: Configure count of ping packets to be assigned in DHCP Address pool. ip dhcp ping timeout <milliseconds>; no ip dhcp ping timeout: Configure timeout time after set ping packets to receive responses. 18.2.2 DHCP Server Configuration Commands Example. Scenario 1: To save configuration efforts of network administrators and users, a company is using SS2R24/48G4i switch as a DHCP server. The Admin VLAN IP address is 10.16.1.2/24. The local area network for the company is divided into network A and B according to the office locations. The network configurations for location A and B are shown below. PoolA (network 10.16.1.0): Device / IP address: Default gateway 10.16.1.200. PoolB (network 10.16.2.0): Device / IP address: Default ga
127. …g and Monitor Command. 13.4.1.1 show ip multicast source-control access-list. Command: show ip multicast source-control access-list; show ip multicast source-control access-list <5000-5099>. Function: To display the configured source control multicast ACL. Parameters: <5000-5099>: ACL ID. Default Settings: None. Command Mode: Admin Mode. 13.4.1.2 show ip multicast destination-control access-list. Command: show ip multicast destination-control access-list; show ip multicast destination-control access-list <6000-7999>. Function: To display the configured destination control multicast ACL. Parameters: <6000-7999>: ACL ID. Default Settings: None. Command Mode: Admin Mode. 13.4.1.3 show ip multicast policy. Command: show ip multicast policy. Function: To display the configured multicast policy. Parameters: None. Default Settings: None. Command Mode: Admin Mode. 13.4.1.4 show ip multicast source-control. Command: show ip multicast source-control [detail]; show ip multicast source-control interface <Interfacename> [detail]. Function: To display the multicast control configuration. Parameters: detail: whether to display detailed information; <Interfacename>: interface name like Ethernet0/0/1 or ethernet0/0/1. Default Settings: None. Command Mode: Admin Mode. 13.4.1.5 show ip multicast destination-control. Command: show ip multicast destination-control [detail]; show ip multicast destination-control
128. …g status machine is expired or not. Selected: Whether the port is selected or not. 5. Display port-channel information for port-group 1. Displayed information / Explanation: Port channels in the group: If the port-channel does not exist, the above information will not be displayed. Number of port: Port number in the port-channel. Standby port: Port that is in standby status, which means the port is qualified to join the channel but cannot join the channel due to the maximum port limit, thus the port status is standby instead of selected. 17.4.1.2 debug lacp. Command: debug lacp; no debug lacp. Function: Enables the LACP debug function; the no debug lacp command disables this debug function. Command mode: Admin Mode. Default: LACP debug information is disabled by default. 17.4.2 Port Channel Troubleshooting. If problems occur when configuring port aggregation, please first check the following for causes: Ensure all ports in a port group have the same properties, i.e. whether they are in full-duplex mode, forced to the same speed, and have the same VLAN properties etc. If inconsistency occurs, make corrections. Some commands cannot be used on a port in a port-channel, such as arp, bandwidth, ip, ip-forward etc. When the port-channel is forced (as the aggregation is triggered manually), the port group will stay unaggregated if aggregation fails due to inconsistent VLAN i
129. …ge_name>: Create a time range named time_range_name. no time-range: Stop the time range function named time_range_name. 2. Configure periodic time range. Command / Explanation (Time-range Mode): absolute-periodic {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <start_time> to {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <end_time>; periodic {{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday}|daily|weekdays|weekend} <start_time> to <end_time>: Configure the time range for the request of the week, and every week will run by the time range. no absolute-periodic {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <start_time> to {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <end_time>; no periodic {{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday}|daily|weekdays|weekend} <start_time> to <end_time>: Stop the function of the time range in the week. 3. Configure absolute time range. Command / Explanation (Global Mode): absolute start <start_time> <start_data> end <end_time> <end_data>: Configure absolute time range. no absolute start <start_time> <start_data> end <end_time> <end_data>: Stop the function of the time range. 4. Bind access-list to a specific di
130. …ger. To manage the switch with LinkManager, the following conditions should be met: 1. Switch has an IP address configured. 2. The host IP address (LinkManager) and the switch's VLAN interface IP address are in the same network segment. 3. If not 2, LinkManager can connect to an IP address of the switch via other devices such as a router. Management via LinkManager: the host succeeds to ping an IP address of the switch, then run the switch LinkManager network management software, and SS2R24/48G4i switch will be found and operated with read/write permission. 4.2 Management Interface. SS2R24/48G4i switch provides three management interfaces: CLI (Command Line Interface), Web interface, LinkManager network management software. 4.2.1 CLI Interface. CLI interface is familiar to most users. As aforementioned, out-of-band management and Telnet login are all performed through the CLI interface to manage the switch. The CLI Interface is supported by the Shell program, which consists of a set of configuration commands. Those commands are categorized according to their functions in switch configuration and management. Each category represents a different configuration mode. The Shell for the switch is described below: Configuration Modes; Configuration Syntax; Shortcut keys; Help function; Input verification; Fuzzy match support. 4.2.1.1 Configuration Modes: Admin Mode; Global Mode; Vlan Mode; Interface Mode
131. …> any-destination rule; the no form command deletes this name-based extended IP access rule. [no] {deny|permit} udp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} [sPort <sPort>] {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [dPort <dPort>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based UDP IP access rule; the no form command deletes this name-based extended IP access rule. [no] {deny|permit} {eigrp|gre|igrp|ipinip|ip|<int>} {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based IP access rule for other IP protocols; the no form deletes this name-based extended IP access rule. (c) Exit extended IP ACL configuration mode. Command / Explanation (Extended IP ACL Mode): exit: Exits extended name-based IP ACL configuration mode. 5. Configuring a numbered standard MAC access list. Command / Explanation (Global Mode): access-list <num> {deny|permit} {any-source-mac
132. …h switch. switch#config; switch(Config)# viol pe snoo; switch(Config)#interface ethernet 0/0/11; switch(Config-Ethernet0/0/11)#ip dhcp snooping trust; switch(Config-Ethernet0/0/11)#exit; switch(Config)#interface ethernet 0/0/12; switch(Config-Ethernet0/0/12)#ip dhcp snooping trust; switch(Config-Ethernet0/0/12)#exit; switch(Config)#interface ethernet 0/0/1-10; switch(Config-Port-Range)#ip dhcp snooping action shutdown; switch(Config-Port-Range)#. 19.3 DHCP Snooping Troubleshooting. 19.3.1 Monitor and Debug Information. 19.3.1.1 show ip dhcp snooping. Command: show ip dhcp snooping [interface ethernet <interfaceName>]. Function: Display the configuration information of the current dhcp snooping, or display the defense action log of the specified port. Parameters: <interfaceName>: The name of the specified port. Command Mode: Admin Mode. Default Setting: None. Displayed information / Explanation: DHCP Snooping is enable: DHCP Snooping is globally enabled or disabled. interface: Name of the port. trust: Trust attributes of the port. action: Automatic defense action of the port. recovery: The recovery interval of the automatic defense action of the port. alarm num: The history log number of the automatic defense action of the port. Displayed information / Explanation: interface: Name of the port. trust attribute: T
133. …hannel <port-channel-number> configuration mode. 17.3 Port Channel Example. Scenario 1: Configuring Port Channel in LACP. Fig 17.2 Configuring Port Channel in LACP. Example: The switches in the description below are all SS2R24/48G4i switch, and as shown in the figure, ports 1, 2, 3 of Switch1 are access ports that belong to vlan1. Add those three ports to group1 in active mode. Ports 6, 7, 8 of Switch2 are trunk ports that also belong to vlan1 and allow all. Add these three ports to group2 in passive mode. All the ports should be connected with cables. The configuration steps are listed below: Switch1#config; Switch1(Config)#interface eth 0/0/1-3; Switch1(Config-Port-Range)#port-group 1 mode active; Switch1(Config-Port-Range)#exit; Switch1(Config)#interface port-channel 1; Switch1(Config-If-Port-Channel1)#. Switch2#config; Switch2(Config)#port-group 2; Switch2(Config)#interface eth 0/0/6; Switch2(Config-Ethernet0/0/6)#port-group 2 mode passive; Switch2(Config-Ethernet0/0/6)#exit; Switch2(Config)#interface eth 0/0/8-9; Switch2(Config-Port-Range)#port-group 2 mode passive; Switch2(Config-Port-Range)#exit; Switch2(Config)#interface port-channel 2; Switch2(Config-If-Port-Channel2)#. Configuration result: Shell prompts that ports aggregated successfully after a while; now ports 1, 2, 3 of Switch 1 form an aggregated port named
134. …hannel is the total of all the four ports. If traffic from SwitchA needs to be transferred to SwitchB through the Port Channel, traffic allocation calculation will be performed based on the source MAC address and the lowest bit of the target MAC address. The calculation result will decide which port conveys the traffic. If a port in the Port Channel fails, the other ports will undertake the traffic of that port through a traffic allocation algorithm. This algorithm is carried out by the hardware. SS2R24/48G4i switch offers 2 methods for configuring port aggregation: manual Port Channel creation and LACP (Link Aggregation Control Protocol) dynamic Port Channel creation. Port aggregation can only be performed on ports in full-duplex mode. For Port Channel to work properly, member ports of the Port Channel must have the same properties as follows: All ports are in full-duplex mode; All ports are of the same speed; All ports are of the same type; All ports are Access ports and belong to the same VLAN, or are all Trunk ports. If the ports are Trunk ports, then their Allowed VLAN and Native VLAN property should also be the same. If Port Channel is configured manually or dynamically on SS2R24/48G4i switch, the system will automatically set the port with the smallest number to be Master Port of the Port Channel. If the spanning tree function is enabled in the switch, the spanning tree protocol will
135. …hannelx)#: Configure port-channel related settings such as duplex mode, speed etc. Use the exit command to return to Global Mode. 4.2.1.1.5 VLAN Mode. Using the vlan <vlan-id> command under Global Mode can enter the corresponding VLAN Mode. Under VLAN Mode, the user can configure all member ports of the corresponding VLAN. Run the exit command to exit the VLAN Mode to Global Mode. 4.2.1.1.6 DHCP Address Pool Mode. Typing the ip dhcp pool <name> command under Global Mode will enter the DHCP Address Pool Mode (prompt: Switch(Config-<name>-dhcp)#). DHCP address pool properties can be configured under DHCP Address Pool Mode. Run the exit command to exit the DHCP Address Pool Mode to Global Mode. 4.2.1.1.7 ACL Mode. ACL type / Entry / Prompt / Operates / Exit: Standard IP ACL Mode: Type the ip access-list standard a command under Global Mode; Switch(Config-Std-Nacl)#; Configure parameters for Standard IP ACL Mode; Use the exit command to return to Global Mode. Extended IP ACL Mode: Type the ip access-list extended b command under Global Mode; Switch(Config-Ext-Nacl)#; Configure parameters for Extended IP ACL Mode; Use the exit command to return to Global Mode. 4.2.1.2 Configuration Syntax. SS2R24/48G4i Switch provides various configuration commands. Alt
136. …he DHCP server and the DHCP client are not in the same network, the server will not receive the DHCP broadcast packets sent by the client; therefore no DHCP packets will be sent to the client by the server. In this case, a DHCP relay is required to forward such DHCP packets so that the DHCP packet exchange can be completed between the DHCP client and server. SS2R24/48G4i switch can act as both a DHCP server and a DHCP relay, and supports not only dynamic IP address assignment but also manual IP address binding, i.e. specifying a specific IP address to a specified MAC address or specified device ID over a long period. The differences and relations between dynamic IP address allocation and manual IP address binding are: 1. IP address obtained dynamically can be different every time; manually bound IP address will be the same all the time. 2. The lease period of IP address obtained dynamically is the same as the lease period of the address pool and is limited; the lease of manually bound IP address is theoretically endless. 3. The IP addresses bound manually have higher priority than the IP addresses allocated dynamically. 4. Dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the related segment. 18.2 DHCP Server Configuration. 18.2.1 DHCP Server Configuration Task List: 1. Enable/Disable DHCP server. 2. Configure DHC
137. …he IP address on the switch through out-of-band management (see the relevant chapter). To enable the WEB configuration, users should type the CLI command ip http server in the global mode as below: Switch>en; Switch#config; Switch(Config)#ip http server. Step 2: Run HTTP protocol on the host. Open the Web browser on the host and type the IP address of the switch. Or run the HTTP protocol directly on Windows. For example, the IP address of the switch is 10.1.128.251. Fig 4.8 Run HTTP Protocol (Windows Run dialog: "Type the name of a program, folder, document, or Internet resource, and Windows will open it for you."). Step 3: Logon to the switch. To logon to the HTTP configuration interface, a valid login user name and password are required; otherwise the switch will reject HTTP access. This is a method to protect the switch from unauthorized access. Consequently, in order to configure the switch via HTTP, username and password for authorized HTTP users must be configured with the following command in the global mode: web-user <user> password {0|7} <password>. Suppose an authorized user in the switch has a username as test and password as test. The configuration procedure is as below: Switch>en; Switch#config; Switch(Config)#web-user admin password 0 digital. Input the right username and password, and then the main Web configuration interface opens. 4.1.2.3 Management via LinkMana
138. …he global DHCP Snooping switch is enabled. If the port does not respond to invalid DHCP Server packets, please check whether the port has been set as an untrusted port of dhcp snooping. 19.3.2.1 debug ip dhcp snooping packet. Command: debug ip dhcp snooping packet; no debug ip dhcp snooping packet. Function: This command is used to enable the DHCP SNOOPING debug switch to debug the procedure of message processing. Command Mode: Admin Mode. 19.3.2.2 debug ip dhcp snooping event. Command: debug ip dhcp snooping event; no debug ip dhcp snooping event. Function: This command is used to enable the DHCP SNOOPING debug switch to debug the state of DHCP SNOOPING tasks. Command Mode: Admin Mode. Chapter 20 Defense Against Segment Scanning. 20.1 Defense Against Segment Scanning. 20.1.1 Defense Against Segment Scanning Configuration Task Sequence: Configure trusted ports; Configure trusted source IP; Enable the log recording function; Set the automatic recovery interval; Set the limit of the message rate; Enable the automatic recovery function; Enable the defense against segment scanning function. 1. Enable the defense against segment scanning function. Command / Explanation (Global configuration mode): anti-netscan enable; no anti-netscan enable: Enable/disable the defense against segment scanning function. 2. Configure trusted ports. Command / Explanation
139. …he message, i.e. drop this message. Three types of frames can be forwarded by the switch: Broadcast frame, Multicast frame, Unicast frame. The following describes how the switch deals with all three types of frames. 1. Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the switch are in the same broadcast domain. When the switch receives a broadcast frame, it forwards the frame on all ports. When VLANs are configured in the switch, the MAC table will be adapted accordingly to add VLAN information. In this case, the switch will not forward the received broadcast frames on all ports, but forward the frames on all ports in the same VLAN. 2. Multicast frame: When the IGMP Snooping function is not enabled, multicast frames are processed in the same way as broadcast frames; when IGMP Snooping is enabled, the switch will only forward the multicast frames to the ports belonging to the very multicast group. 3. Unicast frame: When no VLAN is configured, if the destination MAC addresses are in the switch MAC table, the switch will directly forward the frames to the associated ports; when the destination MAC address in a unicast frame is not found in the MAC table, the switch will broadcast the unicast frame. When VLANs are configured, the switch will forward unicast frames within the same VLAN. If the destination MAC address is found in the MA
140. …horized username to do Web access, whose length should be no more than 16 characters; <password> is the access password, no longer than 8 characters; 0|7 respectively indicate to display the original or the encrypted password. Command Mode: Global configuration mode. Relative Command: ip http server. 5.1.12 write. Command: write. Function: Save the currently configured parameters to the Flash memory. Command mode: Admin Mode. 5.1.13 show cpu usage. Command: show cpu usage. Function: To display the CPU usage rate of the switch. Command Mode: Admin Mode. show tech-support. Command: show tech-support. Function: To collect tech support information. Command Mode: Admin Mode. 5.2 Monitor and Debug Command. When the users configure the switch, they will need to verify whether the configurations are correct and the switch is operating as expected, and in network failure the users will also need to diagnose the problem. SS2R24/48G4i switch provides various debug commands including ping, telnet, show and debug etc. to help the users check system configuration and operating status and locate problem causes. 5.2.1 Ping. Command: ping {<ip-addr>|<hostname>}. Function: the switch sends an ICMP request packet to the remote client device and checks whether the communication between both sides is fine or not. Parameter: <ip-addr> is the destination host IP address in dotted decimal notation; <hostname> is d
141. …hough all the commands are different, they all abide by the syntax for SS2R24/48G4i Switch configuration commands. The general command format of SS2R24/48G4i Switch is shown below: cmdtxt <variable> {enum1 | … | enumN} [option]. Conventions: cmdtxt in bold font indicates a command keyword; <variable> indicates a variable parameter; {enum1 | … | enumN} indicates a mandatory parameter that should be selected from the parameter set enum1 to enumN; and the square brackets in [option] indicate an optional parameter. There may be combinations of "< >", "{ }" and "[ ]" in the command line, such as [<variable>], {enum1 <variable> | enum2}, [option1 [option2]] etc. Here are examples for some actual configuration commands: show version: no parameters required. This is a command with only a keyword and no parameter; just type in the command to run. vlan <vlan-id>: parameter values are required after the keyword. speed-duplex {auto | force10-half | force10-full | force100-half | force100-full | force1g-half | force1g-full} [nonegotiate [master | slave]]: the following are possible: speed-duplex auto; speed-duplex force10-half; speed-duplex force10-full; speed-duplex force100-half; speed-duplex force100-full; speed-duplex force1g-half; speed-duplex force1g-half nonegotiate; speed-duplex force1g-half nonegotiate master; speed-duplex force1g-half nonegotiate s
142. …ical location of the devices. IEEE announced the IEEE 802.1Q protocol to direct the standardized VLAN implementation, and the VLAN function of the switch is implemented following IEEE 802.1Q. The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands. Fig 9.1 A VLAN network defined logically. Each broadcast domain is a VLAN. VLANs have the same properties as the physical LANs, except that a VLAN is a logical partition rather than a physical one. Therefore, the partition of VLANs can be performed regardless of physical locations, and the broadcast, multicast and unicast traffic within a VLAN is separated from the other VLANs. With the aforementioned features, VLAN technology provides us with the following convenience: Improving network performance; Saving network resources; Simplifying Network Management; Lowering network cost; Enhancing network security. VLAN and GVRP (GARP VLAN Registration Protocol) defined by 802.1Q are implemented in SS2R24/48G4i switch. The chapter will describe the use and configuration of VLAN and GVRP in detail. 9.2 VLAN Configuration. 9.2.1 VLAN Configuration Task List: Creating or deleting VLAN; Assigning Switch ports for V
143. …ified by protocol type. What's more, this method does not need an additional frame tag to identify VLANs and thus can decrease the communication traffic of the network. In SS2R24/48G4i switch, 1000bps network ports can support the Protocol VLAN function unconditionally, while the 100bps ethernet ports have to be set to trunk ports to use the function. 9.4.2 Protocol VLAN Configuration Task Sequence: 1. Enable Protocol VLAN; 2. Configure the protocol list entries. 1. Enable Protocol VLAN. Command / Explanation (Global configuration mode): protocol-vlan enable; no protocol-vlan enable: Enable/disable Protocol VLAN. 2. Configure the protocol list entries. Command / Explanation (Global configuration mode): protocol-vlan mode {ethernetii etype <etype-id> | llc dsap <dsap-id> ssap <ssap-id> | snap etype <etype-id>} vlan <vlan-id> priority <priority-id>; no protocol-vlan mode {{ethernetii etype <etype-id> | llc dsap <dsap-id> ssap <ssap-id> | snap etype <etype-id>} | all}: Add/delete the corresponding relationship between the protocol and VLAN, that is, the specified protocol joins/quits the specified VLAN. 9.4.3 Protocol VLAN Troubleshooting. Although there is no need, each IP protocol VLAN should contain an ARP protocol type. If not, the potential ARP failu
144. …in firewall is 110. Scenario 2: The user has the following configuration requirement: port 1-10 of the switch connects to the 00-12-11-23-XX-XX segment; 802.3 is not desired for the user. Configuration description: (a) Create a proper ACL; (b) Configure the packet filtering function; (c) Bind the ACL to the port. The configuration steps are listed below: Switch(Config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3; Switch(Config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tagged-802-3; Switch(Config)#firewall enable; Switch(Config)#firewall default permit; Switch(Config)#interface ethernet 0/0/10; Switch(Config-Ethernet0/0/10)#ip access-group 1100 in; Switch(Config-Ethernet0/0/10)#exit; Switch(Config)#exit. Configuration result: Switch#show firewall: Firewall is enabled. Firewall default rule is to permit any packet. Switch#show access-lists: access-list 1100 (used 1 time(s)): access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-FF-FF any-destination-mac untagged-802-3; access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-FF-FF any-destination-mac tagged-802-3. Switch#show access-group: interface name: Ethernet0/0/10; MAC Ingress access-list used is 1100. Scenario 3: The user has the following configuration requirement: port 1-10 of the switch connects to the 00-12-11-23-XX-XX segment; IP is the 10.0.0.0/24 segment; ftp is not desired for the use
145. in system.

8.5.1.3.3 show port-security interface
Command: show port-security interface <interface-id>
Function: Display the port security configuration and status of the port.
Command mode: Admin Mode
Parameter: <interface-id> is the port to be displayed.
Default: The configuration of security ports is not displayed by default.
Displayed information:
Port Security - whether port security is enabled on the port
Port status - port security status
Violation mode - violation mode configured on the port
Maximum MAC Addresses - maximum number of MAC addresses configured on the port
Total MAC Addresses - current total number of MAC addresses on the port
Configured MAC Addresses - statically configured secure MAC addresses of the port
Lock Timer - whether the lock timer is enabled on the port
Mac Learning function - whether the MAC learning function is enabled

8.5.1.3.4 show port-security address
Command: show port-security address interface <interface-id>
Function: Display the secure MAC addresses of the port.
Command mode: Admin Mode
Parameter: <interface-id> is the port to be displayed.
Displayed information:
Vlan - VLAN ID of the secure MAC address
Mac Address - secure MAC address
Type - secure MAC address type
Ports - port the secure MAC address belongs to
Total Addresses - current number of secure MAC addresses in the system

8.5.1.3.5 Binding MAC Address
146. information on a port.
Parameters: <interface-id> is the port ID; buffers is the queue buffer setting on the port; policers is the policy setting on the port; queuing is the queue setting for the port; statistics is the number of packets allowed to pass for in-profile and out-of-profile traffic according to the policy bound to the port.
Default: N/A
Command mode: Admin Mode
Displayed information (policers):
Ethernet1/2 - port name
default cos: 0 - default CoS value of the port
DSCP Mutation Map: Default DSCP Mutation Map - DSCP map name of the port
Attached policy-map for Ingress: p1 - policy name bound to the port
Displayed information (buffers):
Ethernet0/0/2 - port name
buffer size of 4 queue: 256 256 256 256 - available buffer number for each of the 4 output queues on the port; this is a fixed setting that cannot be changed
Displayed information (queuing):
Cos-queue map: Cos 0 1 2 3 4 5 6 7 -> Queue 1 1 2 2 3 3 4 4 - CoS value to queue mapping
Queue and weight type: q1 q2 q3 q4 = 1 2 4 8, QType WFQ - queue to weight mapping
Displayed information (statistics):
Ethernet1/2 - port name
Attached policy-map for Ingress: p1 - policy map bound to the port
ClassMap - name of the class map
Classified - total data packets matching this class map
In-profile - total i
147. ing of an access list to the specified direction on a specific port. When an access group is created, all packets in the specified direction through the port are compared to the access list rules to decide whether to permit or deny them.

15.2.2 Access-list Action and Global Default Action
There are two access list actions and default actions: permit or deny. The following rules apply:
An access list can consist of several rules. Filtering compares the packet to the rules from the first rule to the first matched rule; the remaining rules are not processed.
The global default action applies only to IP packets in the incoming direction on the ports. For incoming non-IP packets and for all outgoing packets the default forwarding action is permit.
The global default action applies only when the packet filter is enabled on a port and either no ACL is bound to that port or no rule of the bound ACL matches.
When an access list is bound to the outgoing direction of a port, the action in its rules can only be deny.

15.3 ACL Configuration
15.3.1 ACL Configuration Task Sequence
1. Configuring access list
(1) Configuring a numbered standard IP access list
(2) Configuring a numbered extended IP access list
(3) Configuring a standard IP access list based on nomenclature
a. Create a standard IP access list based on nomenclature
b. Specify multiple permit or deny rule e
148. int connection between the accessing device and the access port, where the port can be either a logical port or a physical port. Typically one physical port of the switch connects with one terminal device (physical-port based only). The architecture of IEEE 802.1x is shown below.
[Fig 14-1 802.1x architecture: Supplicant System, Authenticator System with its Controlled Port and Uncontrolled Port, Authentication Server System]
As shown in the figure, the IEEE 802.1x architecture consists of three parts:
Supplicant System: the user access devices
Authenticator System: the access management unit
Authentication Server System: the authentication server
The EAPOL protocol defined by IEEE 802.1x runs between the user access device (PC) and the access management unit (access switch), and the EAP protocol is also used between the access management unit and the authentication server. EAP packets encapsulate the authentication data. The EAP packet is conveyed in packets of higher-layer protocols such as RADIUS to pass through a complex network to the authentication server.
The ports provided by the port-based network access control device are divided into two virtual port types: the controlled (managed) port and the uncontrolled (non-managed) port. The uncontrolled port is always in the connected state in both directions, so that EAP authentication packets can be transferred. The controlled port is in the connected state when authorized, to transfer service packets, and is shut down when not authorized and cannot transfer any pack
149. ion-mac <host_dmac> | <dmac> <dmac-mask>} tcp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} [s-port <port1>] {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [d-port <port3>] [ack | fin | psh | rst | urg | syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Explanation: Creates a numbered extended MAC-TCP access rule; if the numbered extended access list of the specified number does not exist, an access list is created using this number.

access-list <num> {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} udp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} [s-port <port1>] {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [d-port <port3>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Explanation: Creates a numbered extended MAC-UDP access rule; if the numbered extended access list of the specified number does not exist, an access list is created using this number.
<h
150. lan
Command (Global configuration mode): multicast-vlan / no multicast-vlan
Explanation: Configure a VLAN to start the multicast VLAN function; the no multicast-vlan command disables the multicast VLAN function of the VLAN.
Command: multicast-vlan association <vlan-list> / no multicast-vlan association <vlan-list>
Explanation: Associate a multicast VLAN with other VLANs; the no multicast-vlan association <vlan-list> command deletes the associated VLANs of the multicast VLAN.

2. Configure IGMP Snooping
Command (Global configuration mode): ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id>
Explanation: Start the IGMP Snooping function of the multicast VLAN; the no ip igmp snooping vlan <vlan-id> command disables the IGMP Snooping function of the multicast VLAN.
Command: ip igmp snooping / no ip igmp snooping
Explanation: Start the IGMP Snooping function; the no ip igmp snooping command disables the IGMP Snooping function globally.

12.3 Multicast VLAN Examples
[Fig 12-1 The function configuration of multicast VLAN: SwitchA, SwitchB, Work Station, PC1, PC2]
As shown in the picture above, the multicast server connects to the layer-3 switch SwitchA via port 0/0/1, and port 0/0/1 belongs to VLAN 10 of the switch. Layer-3 switch SwitchA connects to layer-2 switch SwitchB via port. VLAN 20 is a multicast VLAN. VLAN 100 of SwitchB includes port 0/0/15, VLAN 101 includes
151. lave
speed-duplex force1g-full
speed-duplex force1g-full-nonegotiate
speed-duplex force1g-full-nonegotiate-master
speed-duplex force1g-full-nonegotiate-slave
snmp-server community {ro | rw} <string>; the following are possible:
snmp-server community ro <string>
snmp-server community rw <string>

4.2.1.3 Shortcut Key Support
The SS2R24/48G4i switch provides several shortcut keys to facilitate user configuration, such as Up, Down, Left, Right and Blank Space. If the terminal does not recognize the Up and Down keys, Ctrl+P and Ctrl+N can be used instead.
Key(s) - Function
Back Space - Delete the character before the cursor; the cursor moves back.
Up - Show the previous command entered. Up to ten recently entered commands can be shown.
Down - Show the next command entered. When using the Up key to get previously entered commands, you can use the Down key to return to the next command.
Left - The cursor moves one character to the left. You can use the Left and Right keys to modify an entered command.
Right - The cursor moves one character to the right.
Ctrl+P - The same as the Up key.
Ctrl+N - The same as the Down key.
Ctrl+B - The same as the Left key.
Ctrl+F - The same as the Right key.
Ctrl+Z - Return to Admin Mode directly from the other configuration modes (except User Mo
152. limit of access authentication users per port, realize dynamic secure authentication based on MAC address, and bind the MAC address of an authenticated device to a port. Combining these IEEE 802.1x authentication modes with authentication and accounting products, a complete integrated IEEE 802.1x access authentication and accounting solution can be supplied to satisfy the need for access authentication and accounting, ensuring the network's security and its ability to operate.
Bandwidth Control (Speed Limit of Port): The switch can control the upstream/downstream bandwidth and provide different access bandwidth for users of different levels. Each port can set its bandwidth rate as demanded to meet the need of the access network to control access bandwidth.
TRUNK: The switch supports IEEE 802.3ad standard TRUNK. It can also realize link redundancy and traffic load balancing.
IGMP Snooping: The switch supports multicast applications based on the IGMP Snooping mechanism, and as a result can realize all kinds of multicast services, diminish network traffic and meet the requirements of multicast services such as multimedia playing, remote teaching and entertainment.
Broadcast Storm Control: The switch supports broadcast storm control, which can effectively control broadcast storms, decrease useless occupancy of bandwidth and increase the overall performance of the network.
Spanning Tree: The swi
153. low. Fig 3-1 depicts an NTP/SNTP application network topology, where SNTP mainly works between second-level servers and various terminals, since such scenarios do not require very high time accuracy and the accuracy of SNTP (1 to 50 ms) is usually sufficient for those services.
The SS2R24/48G4i switch implements SNTPv4 and supports the SNTP client unicast mode as described in RFC 2030; the SNTP client multicast and anycast modes are not supported, nor is the SNTP server function. No authentication of server replies is provided by the commands below, so the configured server should be reachable only over a trusted management path: a host that can spoof replies can shift the clock used for syslog timestamps and for time-range ACLs.

21.1 Commands for SNTP
21.1.1 sntp server
Command: sntp server <server_address> [version <version_no>]
no sntp server <server_address>
Function: Configure the address and version of the SNTP/NTP server; the no form of this command cancels the configured SNTP/NTP server address.
Parameter: <server_address> is the IPv4 unicast address of the SNTP/NTP server; <version_no> is the SNTP version number of the current server, ranging from 1 to 4 and defaulting to 1.
Default: No SNTP/NTP server is configured by default.
Command Mode: Global Mode

21.1.2 sntp polltime
Command: sntp polltime <interval>
no sntp polltime
Function: Sets the interval at which the SNTP client sends requests to the NTP/SNTP server; the no sntp polltime command cancels the configured polltime and restores the default setting.
Parameters: <interval> is the interval value in seconds, from 16 to 16284.
Default: The default polltime is 64 seconds.

21.1.3 sntp timezone
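The unicast client exchange the SNTP section describes, as an added example that is not part of the manual or the switch's own implementation: it builds the 48-byte RFC 2030 client packet, validates a reply (mode, version, stratum 0 kiss-o'-death, and an Originate Timestamp that echoes the request, which is the only spoofing check an unauthenticated client has), and computes clock offset and round-trip delay from the four timestamps. The server reply is constructed locally so the code runs offline; the timestamp values and the reference identifier are made up for the demonstration.

```python
"""SNTPv4 unicast client logic per RFC 2030 (example code for this page, not
the switch firmware). The reply used in __main__ is constructed locally."""
import struct
import time

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01
PACKET = "!BBBbIIIQQQQ"              # 48 bytes: LI/VN/Mode, stratum, poll, precision,
                                     # root delay, root dispersion, ref id, 4 timestamps

def to_ntp(unix_ts: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_ts)
    return ((secs + NTP_UNIX_DELTA) << 32) | int((unix_ts - secs) * (1 << 32))

def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)

def build_request(version: int = 4, transmit_unix: float = None) -> bytes:
    """Client packet: LI=0, VN=version, Mode=3; only the Transmit Timestamp is filled.
    version 1..4 mirrors the range accepted by 'sntp server ... version <version_no>'."""
    if not 1 <= version <= 4:
        raise ValueError("SNTP version must be 1..4")
    t1 = to_ntp(time.time() if transmit_unix is None else transmit_unix)
    return struct.pack(PACKET, (version << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, t1)

def build_reply(request: bytes, recv_unix: float, xmit_unix: float, stratum: int = 2) -> bytes:
    """Constructed server reply (Mode=4): Originate = client's Transmit (t1),
    Receive = t2, Transmit = t3. Reference id 'GPS\\0' is a stand-in value."""
    t1 = struct.unpack(PACKET, request)[10]
    return struct.pack(PACKET, (4 << 3) | 4, stratum, 6, -20, 0, 0,
                       int.from_bytes(b"GPS\0", "big"), to_ntp(recv_unix),
                       t1, to_ntp(recv_unix), to_ntp(xmit_unix))

def parse_reply(reply: bytes, request: bytes, recv_unix: float) -> dict:
    """Validate the reply against our request and return offset/delay (RFC 2030 sect. 5).
    Without authentication these checks are all that stands between the client
    and a blindly spoofed reply; an on-path attacker can still pass them."""
    if len(reply) < 48:
        raise ValueError("short packet")
    f = struct.unpack(PACKET, reply[:48])
    li, vn, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    stratum, t1_sent = f[1], struct.unpack(PACKET, request)[10]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if vn not in (1, 2, 3, 4):
        raise ValueError(f"unsupported version {vn}")
    if li == 3 or stratum == 0 or f[10] == 0:
        raise ValueError("server unsynchronized or kiss-o'-death reply, discard")
    if f[8] != t1_sent:
        raise ValueError("Originate Timestamp does not match our request")
    t1, t2, t3, t4 = from_ntp(t1_sent), from_ntp(f[9]), from_ntp(f[10]), recv_unix
    offset = ((t2 - t1) + (t3 - t4)) / 2      # how far the local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)             # round trip minus server processing time
    return {"stratum": stratum, "offset": offset, "delay": delay, "server_time": t3}

if __name__ == "__main__":
    t1 = 1_700_000_000.0                     # local clock when the request left (constructed)
    req = build_request(4, t1)
    # server clock runs 0.3125 s ahead, one-way delay 0.1875 s, 0.125 s server processing
    rep = build_reply(req, recv_unix=t1 + 0.5, xmit_unix=t1 + 0.625)
    print(parse_reply(rep, req, recv_unix=t1 + 0.5))
```

A real client would send `build_request()` over UDP/123 to the address configured with `sntp server`, every `sntp polltime` seconds, and apply `offset` only after the reply passes `parse_reply`.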
154. lper server address
Command (Global configuration mode): ip user helper-address <svr_addr> [port <udp_port>] source <src_addr> [secondary]
no ip user helper-address [secondary]
Explanation: Configure/delete the HELPER SERVER address.

6. Enable the debug switch
Command (Admin Mode): debug ip dhcp snooping event / debug ip dhcp snooping packet
Explanation: Please refer to the chapter on system debugging.

7. Set log record
Command (Admin Mode): logging source {default | m_shell | sys_event | anti_attack} channel {console | logbuff | loghost | monitor} level {critical | debugging | notifications | warnings} state {on | off}
Explanation: Please refer to the chapter on system log.

19.2.2 DHCP Snooping Typical Applications
[Fig 18-1 DHCP Snooping typical application]
As shown in the picture above, the device with MAC AA is a normal user connected to the untrusted port 0/0/1 of the DCN switch. It acts as a DHCP client and its IP is 1.1.1.5. The DHCP server and the gateway connect to the trusted ports 0/0/11 and 0/0/12 of the DCN switch. A malicious user with MAC BB connects to the untrusted port 0/0/10 and tries to fake a DHCP server by sending DHCPACK. Configuring DHCP Snooping on the switch will discover and block such network attacks. The following is the configuration sequence:
switc
155. lready exists, then a rule is added to the current access list; the no access-list <num> command deletes a numbered standard IP access list.
Command (Global Mode): access-list <num> {deny | permit} {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} / no access-list <num>

(2) Configuring a numbered extended IP access list
Command (Global Mode):
access-list <num> {deny | permit} icmp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
Explanation: Creates a numbered ICMP extended IP access rule; if the numbered extended access list of the specified number does not exist, an access list is created using this number.
access-list <num> {deny | permit} igmp {<sIpAddr> <sMask> | any-source | host-source <sIpAddr>} {<dIpAddr> <dMask> | any-destination | host-destination <dIpAddr>} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
Explanation: Creates a numbered IGMP extended IP access rule; if the numbered extended access list of the specified number does not exist, an access list is created using this number.
access-list <num> {deny | permit} tcp {<sIpAddr> <sMask>
156. <host_dmac> | <dmac> <dmac-mask>} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {<source> <source-wildcard> | any-source | host-source <source-host-ip>} {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Explanation: Creates an extended name-based MAC-IP access rule for the other IP protocols; the no form command deletes this name-based extended MAC-IP access rule.

c. Exit MAC-IP Configuration Mode
Command (Extended name-based MAC-IP access mode): exit
Explanation: Quit the extended name-based MAC-IP access mode.

2. Configuring packet filtering function
(1) Enable global packet filtering function
Command (Global Mode): firewall enable / firewall disable
Explanation: Enables/disables the global packet filtering function.
(2) Configure default action
Command (Global Mode): firewall default permit / firewall default deny
Explanation: Sets the default action to permit/deny.

3. Configuring time range function
(1) Create the name of the time range <time_range_name>
Command (Global Mode): time-range <time_ran
157. <vlan-id> query-interval command will reset it to the default value.
Command: ip igmp snooping vlan <vlan-id> immediate-leave / no ip igmp snooping vlan <vlan-id> immediate-leave
Explanation: Set the IGMP snooping of the specified VLAN to immediate leave (enable the immediate leave function); the no ip igmp snooping vlan <vlan-id> immediate-leave command cancels the immediate leave configuration.
Command: ip igmp snooping vlan <vlan-id> query-mrsp <value> / no ip igmp snooping vlan <vlan-id> query-mrsp
Explanation: Set the maximum query response time; the no ip igmp snooping vlan <vlan-id> query-mrsp command resets it to the default value.
Command: ip igmp snooping vlan <vlan-id> query-robustness <value> / no ip igmp snooping vlan <vlan-id> query-robustness
Explanation: Set the robustness; the no ip igmp snooping vlan <vlan-id> query-robustness command resets it to the default value.
Command: ip igmp snooping vlan <vlan-id> suppression-query-time <value> / no ip igmp snooping vlan <vlan-id> suppression-query-time
Explanation: Set the suppression time of the query; the no ip igmp snooping vlan <vlan-id> suppression-query-time command resets it to the default value.
Command: ip igmp snooping vlan <vlan-id> static-group <multicast-IPAddress> interface {ethernet | port-channel} <interfaceName> / no ip igmp snooping vlan <vlan-id> static-group
Explanation: Set the static group of the specified port; the no ip igmp snooping vlan <vlan-id> static-group
158. me errors - number of packets requesting non-existent MIB objects
bad values errors - number of Bad_values error SNMP packets
general errors - number of General_errors error SNMP packets
response PDUs - number of response packets sent
trap PDUs - number of Trap packets sent

5.4.6.1.2 show snmp status
Command: show snmp status
Function: Display SNMP configuration information.
Command mode: Admin Mode

5.4.6.1.3 show snmp engineid
Command: show snmp engineid
Function: Display the engine ID.
Command Mode: Admin Mode
Displayed Information: Engine Boots - engine boot count

5.4.6.1.4 show snmp user
Command: show snmp user
Function: Display the user information.
Command Mode: Admin Mode
Displayed Information: User name; Engine ID - engine ID; Priv Protocol - encryption algorithm employed; Auth Protocol - authentication algorithm employed

5.4.6.1.5 show snmp group
Command: show snmp group
Function: Display the group information.
Command Mode: Admin Mode
Displayed Information: Group Name

5.4.6.1.6 show snmp view
Command: show snmp view
Function: Display the view information.
Command Mode: Admin Mode
Displayed Information: 1 and 1.3 - OID number; Included - the view includes the sub-trees rooted by this OID; Excluded - the view does not include the sub-trees rooted by this OID
159. ment has been tested and found to comply with the protection requirements of the European Emission Standard EN55022/EN60555-2 and the Generic European Immunity Standard EN50082-1.
EMC: EN55022 (1988)/CISPR 22 (1985) class A; EN60555-2 (1995) class A; EN60555-3; IEC1000-4-2 (1995) 4kV CD, 8kV AD; IEC1000-4-3 (1995) 3V/m; IEC1000-4-4 (1995) 1kV power line, 0.5kV signal line.

Preface
The SS2R24/48G4i switch is a high-performance Ethernet switch with wire-speed Layer 2 switching capacity. The switch can seamlessly support various network interfaces, from 10Mb and 100Mb to 1000Mb Ethernet. We strongly recommend that you read through this manual carefully before installation and configuration, to avoid possible damage to the switch and malfunction.

CONTENTS
Chapter 1 Switch Overview
1.1 Brief Introduction
1.1.1 Overview
1.1.2 Features and Benefits
1.1.3 Main Features
1.2 Technical Specifications
1.3 Physical Specifications
1.4 Product Appearance
1.4.1 Product Front Panel View
1.4.2 Product Back Panel View
1.4.3 Status LEDs
Chapter 2 Hardware Installation
2.1 Installation Notice
2.1.1 Environmental Requirements
2.1.2 Installation Notice
2.1.3 Security Warnings
2.2 Installation Preparation
2.2.1 Verify the Package Contents
2.2.2 Required Tools and Utilities
2.3 HARDW
160. mmand Mode: Admin Mode
Displayed information:
session number - session number of the mirror
Source ports - source ports of the mirror
RX - mirroring of the receiving direction of the port
TX - mirroring of the transmitting direction of the port
Both - mirroring of both the receiving and transmitting directions of the port
Destination port - destination port of the mirror

7.2.3.4.2 debug mirror
Command: debug mirror / no debug mirror
Function: Enable the debug information of the mirror; the no debug mirror command disables the debug information of the mirror.
Command Mode: Admin Mode

7.2.3.4.3 Device Mirroring Troubleshooting
If problems occur when configuring port mirroring, please check the following first for causes:
Whether the mirror destination port is a member of a trunk group; if yes, modify the trunk group.
If the throughput of the mirror destination port is smaller than the total throughput of the mirror source port(s), the destination port will not be able to duplicate all source port traffic; please decrease the number of source ports, duplicate traffic for one direction only, or choose a port with greater throughput as the destination port.

7.3 Port Configuration Example
[Fig 7-2 Port Configuration Example]
Use the default VLAN 1, since no VLAN is configured on any of the switches.
161. mmand: telnet-server enable / no telnet-server enable
Function: Enable the Telnet server function in the switch; the no telnet-server enable command disables the Telnet function in the switch.
Default: The Telnet server function is enabled by default.
Command mode: Global Mode

5.2.2.3.5 telnet-server securityip
Command: telnet-server securityip <ip-addr> / no telnet-server securityip <ip-addr>
Function: Configure a secure IP address of a Telnet client allowed to log in to the switch; the no telnet-server securityip <ip-addr> command deletes the authorized Telnet secure address.
Parameter: <ip-addr> is the secure IP address allowed to access the switch, in dotted decimal format.
Default: No secure IP address is set by default, so any host that can reach the switch may attempt a Telnet login. Restrict this to the management hosts, since Telnet carries the user name and password in clear text and a source-address filter is the only access control this command set offers.
Command mode: Global Mode

5.2.2.3.6 telnet-user
Command: telnet-user <username> password {0 | 7} <password> / no telnet-user <username>
Function: Configure user names and passwords of Telnet clients. Use the no telnet-user <username> command to remove the Telnet users.
Parameter: <username> is the Telnet client user name; the maximum length may not exceed 16 characters. <password> is the login password; the maximum length may not exceed 8 characters. The 0/7 part means the password is displayed unencrypted (0) or encrypted (7).
Command mode: Global configuration mode
Default: The system does not configure Telnet client user names and passwo
162. mmand: telnet, ping, traceroute

5.1.6 ip http server
Command: ip http server / no ip http server
Function: Enable the Web configuration; the no ip http server command disables the Web configuration.
Command Mode: Global Mode
Related command: web-user

5.1.7 hostname
Command: hostname <hostname>
Function: Set the prompt in the switch command line interface.
Parameter: <hostname> is the string for the prompt; up to 30 characters are allowed.
Command mode: Global Mode
Default: The default prompt is related to the SS2R24/48G4i switch type.

5.1.8 reload
Command: reload
Function: Warm reset the switch.
Command mode: Admin Mode

set default
Command: set default
Function: Reset the switch to factory settings.
Command mode: Admin Mode

5.1.9 setup
Command: setup
Function: Enter the Setup Mode of the switch.
Command mode: Admin Mode

5.1.10 language
Command: language {chinese | english}
Function: Set the language for displaying the help information.
Parameter: chinese for Chinese display, english for English display.
Command mode: Admin Mode
Default: The default setting is English display.

5.1.11 web-user
Command: web-user <username> password {0 | 7} <password> / no web-user <username>
Function: Set a username and its password for a Web client; the no web-user <username> command deletes this Web client.
Parameters: <username> is an aut
163. n-profile - total in-profile data packets matching this class map
Out-profile - total out-profile data packets matching this class map

22.4.1.4 show mls qos maps
Command: show mls qos maps [cos-dscp | dscp-cos | dscp-mutation | policed-dscp]
Function: Displays the mapping configuration information for QoS.
Parameter: cos-dscp is the CoS to DSCP mapping; dscp-cos is the DSCP to CoS mapping; dscp-mutation is the DSCP to DSCP mutation mapping; policed-dscp is the DSCP mark-down mapping.
Default: N/A
Command mode: Admin Mode

22.4.1.5 show class-map
Command: show class-map <class-map-name>
Function: Display a QoS class map.
Parameter: <class-map-name> is the class map name.
Default: N/A
Command mode: Admin Mode
Example:
Switch#show class-map
  Class map name: c1
    Match acl name: 1
Displayed information: Class map name: c1 - name of the class map; Match acl name: 1 - classifying rule for the class map

22.4.1.6 show policy-map
Command: show policy-map <policy-map-name>
Function: Display a QoS policy map.
Parameter: <policy-map-name> is the policy map name.
Default: N/A
Command mode: Admin Mode
Displayed information: Policy Map p1 - name of the policy map; Class map name: c1 - name of the class map referred to; police 16000000 8000 exceed-action drop - the policy implemented

22.4.2 QoS Troubleshooting
QoS is disabled on switch ports by default; 4 sending queue
164. nd cannot be accessed by any other PC that is in another physical segment. PC2 and PC3 have static mappings set to port 7 and port 9 respectively. The configuration steps are listed below:
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter (blackhole) address:
Switch(Config)#mac-address-table blackhole address 00-01-11-11-11-11 vlan 1
2. Set the static mapping relationship for PC2 and PC3 to port 7 and port 9 respectively:
Switch(Config)#mac-address-table static address 00-01-22-22-22-22 vlan 1 interface ethernet 0/0/7
Switch(Config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 0/0/9

8.4 Troubleshooting
8.4.1 Monitor and Debug Command
8.4.1.1 show mac-address-table
Command: show mac-address-table [static | aging-time | blackhole | count] [address <mac-addr>] [vlan <vlan-id>] [interface <interface-name>]
Parameter: static - static entries; aging-time - address aging time; blackhole - filtering entries; count - address counter; <mac-addr> - the entry's MAC address; <vlan-id> - the entry's VLAN number; <interface-name> - the entry's interface name.
Command mode: Admin Mode
Default: The MAC address table is not displayed by default.

8.4.2 Troubleshooting
Using the show mac-address-table command, a port is found to have failed to learn the MAC address of a device connected to it. Possible reasons:
The connected cable is broken.
Spanning Tree is enabled and the port is in the discarding st
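The forwarding behaviour behind the configuration above (a blackhole entry for PC1, static entries for PC2 and PC3) and the per-port limit that the show port-security interface fields in 8.5.1.3.3 report (Maximum MAC Addresses, Violation mode, Port status), as an added example that is not the manual's or the switch's own code. The lookup order, the violation mode names "shutdown" and "drop", and the port 0/0/5 port-security setting are assumptions made for the demonstration.

```python
"""MAC address table with blackhole/static/dynamic entries and a port-security
address limit (example code for this page, not the switch firmware)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class PortSecurity:
    max_addresses: int = 1
    violation: str = "shutdown"   # assumed names: "shutdown" closes the port, "drop" only discards
    shut: bool = False
    violations: int = 0

@dataclass
class MacTable:
    # (vlan, mac) -> (entry type, port); blackhole entries have no port
    entries: Dict[Tuple[int, str], Tuple[str, Optional[str]]] = field(default_factory=dict)
    portsec: Dict[str, PortSecurity] = field(default_factory=dict)

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.entries[(vlan, mac.lower())] = ("static", port)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(vlan, mac.lower())] = ("blackhole", None)

    def secure_count(self, port: str) -> int:
        """'Total MAC Addresses' of the port: static plus learned entries."""
        return sum(1 for kind, p in self.entries.values() if p == port and kind in ("static", "dynamic"))

    def ingress(self, port: str, vlan: int, src: str, dst: str) -> Tuple[str, str]:
        """Returns ('drop', reason) or ('forward', out_port or 'flood')."""
        src, dst = src.lower(), dst.lower()
        sec = self.portsec.get(port)
        if sec and sec.shut:
            return ("drop", "port shut down by port security")
        entry = self.entries.get((vlan, src))
        if entry and entry[0] == "blackhole":          # filtered station, either direction
            return ("drop", "blackhole source address")
        if entry is None:                               # unknown source: learn, unless the limit is hit
            if sec and self.secure_count(port) >= sec.max_addresses:
                sec.violations += 1
                if sec.violation == "shutdown":
                    sec.shut = True
                return ("drop", "port-security violation")
            self.entries[(vlan, src)] = ("dynamic", port)
        dest = self.entries.get((vlan, dst))
        if dest is None:
            return ("forward", "flood")                  # unknown unicast is flooded in the VLAN
        if dest[0] == "blackhole":
            return ("drop", "blackhole destination address")
        if dest[1] == port:
            return ("drop", "destination on ingress port")
        return ("forward", dest[1])

def section_8_3_table() -> MacTable:
    """The example's entries, plus an assumed port-security limit of one address on port 0/0/5."""
    t = MacTable()
    t.add_blackhole("00-01-11-11-11-11", 1)                  # PC1: filtered
    t.add_static("00-01-22-22-22-22", 1, "Ethernet0/0/7")    # PC2
    t.add_static("00-01-33-33-33-33", 1, "Ethernet0/0/9")    # PC3
    t.portsec["Ethernet0/0/5"] = PortSecurity(max_addresses=1)
    return t

if __name__ == "__main__":
    t = section_8_3_table()
    print(t.ingress("Ethernet0/0/3", 1, "00-01-11-11-11-11", "00-01-22-22-22-22"))  # PC1 dropped
    print(t.ingress("Ethernet0/0/3", 1, "00-01-44-44-44-44", "00-01-22-22-22-22"))  # to port 7
    print(t.ingress("Ethernet0/0/5", 1, "00-01-66-66-66-66", "00-01-33-33-33-33"))  # learned
    print(t.ingress("Ethernet0/0/5", 1, "00-01-77-77-77-77", "00-01-33-33-33-33"))  # violation
```

A blackhole entry is checked on both the source and the destination side, which is what makes PC1 unreachable from other segments rather than merely unable to send.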
165. ne mirror destination port only. The number of mirror source ports is not limited; one or more may be used. Multiple source ports can be within the same VLAN or across several VLANs. The destination port and the source port(s) can be located in different VLANs.

7.2.3.2 Port Mirroring Configuration Task List
1. Specify mirror source port
2. Specify mirror destination port

1. Specify mirror source port
Command (Port mode): monitor session <session> source interface <interface-list> {rx | tx | both} / no monitor session <session> source interface <interface-list>
Explanation: Specify the mirror source port; the no monitor session <session> source interface <interface-list> command deletes the mirror source port.
2. Specify mirror destination port
Command (Port mode): monitor session <session> destination interface <interface-number> / no monitor session <session> destination interface <interface-number>
Explanation: Specify the mirror destination port; the no monitor session <session> destination interface <interface-number> command deletes the mirror destination port.

7.2.3.3 Mirror Port Examples
Port configuration examples

7.2.3.4 Device Mirroring Troubleshooting
7.2.3.4.1 show monitor
Command: show monitor
Function: Display the source and destination port information of the mirror.
Co
166. nformation. Ports must be added to or removed from the group to trigger another aggregation; if the VLAN information inconsistency persists, the aggregation will fail again. The aggregation will only succeed when the VLAN information is consistent and aggregation is triggered by port addition or removal.
Verify that the port group is configured at the partner end with the same configuration. If the local end is set to manual aggregation or LACP, the same should be done at the partner end, otherwise port aggregation will not work properly. Another thing to note is that if both ends are configured with LACP, then at least one of them should be in ACTIVE mode, otherwise LACP packets will not be initiated.
LACP cannot be used on ports with port security or IEEE 802.1x enabled. Once the port-channel is created, all configuration of the member ports can only be applied to the port-channel. LACP is mutually exclusive with port security and 802.1x: if a port has been configured with either of the two, LACP is not allowed to be enabled on it.

Chapter 18 DHCP Configuration
18.1 Introduction to DHCP
DHCP (RFC 2131) is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP addresses dynamically from an address pool, as well as other network configuration parameters such as the default gateway, DNS server, default route and host image file location within the network. DHCP is the enhanced ve
167. nication of the port or source MAC and send information to the log server via syslog.
Log function: When the switch discovers abnormal received packets or automatically recovers, it sends syslog information to the log server.

19.2 DHCP Snooping Configuration
19.2.1 DHCP Snooping Configuration Task Sequence
1. Enable DHCP Snooping
2. Enable the binding function of DHCP Snooping
3. Configure trusted ports
4. Configure defense action
5. Configure helper server address
6. Enable the debug switch
7. Set log record

1. Enable DHCP Snooping
Command (Global configuration mode): ip dhcp snooping enable / no ip dhcp snooping enable
Explanation: Enable or disable the DHCP snooping function.
2. Enable the binding function of DHCP Snooping
Command (Global configuration mode): ip dhcp snooping binding enable / no ip dhcp snooping binding enable
Explanation: Enable or disable the binding function of DHCP snooping.
3. Set trusted ports
Command (Port configuration mode): ip dhcp snooping trust / no ip dhcp snooping trust
Explanation: Set or delete the DHCP snooping trust attribute of the port. Only the ports leading to the legitimate DHCP server (or the uplink towards it) should be trusted; DHCP server messages arriving on untrusted ports are dropped.
4. Configure defense action
Command (Port configuration mode): ip dhcp snooping action {shutdown | blackhole} [recovery <second>] / no ip dhcp snooping action
Explanation: Set or delete the automatic defense action of the port.
5. Set the he
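The port behaviour the task sequence above configures and the attack in the 19.2.2 scenario (a host with MAC BB on untrusted port 0/0/10 answering with DHCPACK while the real server sits behind trusted port 0/0/11), as an added example that is not the manual's or the switch's own code: server messages are accepted only on trusted ports, a rogue DHCPACK on an untrusted port is dropped and fires the port's defense action with its recovery timer, and ACKs relayed through a trusted port populate the client IP/MAC/port binding table that the binding function maintains. The message representation, the shutdown action with a 30 second recovery on port 0/0/10 and the MAC addresses are assumptions made for the demonstration.

```python
"""DHCP snooping port model (example code for this page, not the switch firmware)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only legitimate on trusted ports

@dataclass
class Port:
    name: str
    trusted: bool = False
    action: Optional[str] = None    # None | "shutdown" | "blackhole"
    recovery: int = 0               # seconds until automatic recovery (0 = stay in that state)
    recover_in: int = 0
    shut: bool = False
    blackholed: Set[str] = field(default_factory=set)   # MACs blocked by the blackhole action

@dataclass
class DhcpSnooping:
    enabled: bool = True
    binding_enabled: bool = True
    ports: Dict[str, Port] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)     # client MAC -> port awaiting ACK
    bindings: Dict[str, dict] = field(default_factory=dict)   # client MAC -> {"ip", "port"}
    log: List[str] = field(default_factory=list)

    def receive(self, port_name: str, msg: dict) -> str:
        """msg = {'type', 'src_mac', 'chaddr', 'yiaddr'}; returns 'forward' or 'drop'."""
        port = self.ports[port_name]
        if not self.enabled:
            return "forward"
        if port.shut or msg["src_mac"] in port.blackholed:
            return "drop"
        if msg["type"] in SERVER_MESSAGES:
            if not port.trusted:                                 # the rogue-server case
                self.log.append(f"{port_name}: {msg['type']} from {msg['src_mac']} on untrusted port, dropped")
                self._defend(port, msg["src_mac"])
                return "drop"
            if msg["type"] == "DHCPACK" and self.binding_enabled and msg["chaddr"] in self.pending:
                self.bindings[msg["chaddr"]] = {"ip": msg["yiaddr"], "port": self.pending.pop(msg["chaddr"])}
            return "forward"
        if msg["type"] in ("DHCPDISCOVER", "DHCPREQUEST"):       # remember where the client sits
            self.pending[msg["chaddr"]] = port_name
        elif msg["type"] == "DHCPRELEASE":
            self.bindings.pop(msg["chaddr"], None)
        return "forward"

    def _defend(self, port: Port, mac: str) -> None:
        if port.action == "shutdown":
            port.shut = True
        elif port.action == "blackhole":
            port.blackholed.add(mac)
        if port.action and port.recovery:
            port.recover_in = port.recovery

    def tick(self, seconds: int) -> None:
        """Advance the recovery timers; an expired timer restores the port and is logged."""
        for p in self.ports.values():
            if p.recover_in:
                p.recover_in = max(0, p.recover_in - seconds)
                if p.recover_in == 0:
                    p.shut, p.blackholed = False, set()
                    self.log.append(f"{p.name}: automatic recovery")

def fig18_1_switch() -> DhcpSnooping:
    """Fig 18-1: client on 0/0/1, server and gateway on trusted 0/0/11 and 0/0/12, attacker on 0/0/10."""
    sw = DhcpSnooping()
    for name in ("Ethernet0/0/1", "Ethernet0/0/10", "Ethernet0/0/11", "Ethernet0/0/12"):
        sw.ports[name] = Port(name, trusted=name in ("Ethernet0/0/11", "Ethernet0/0/12"))
    sw.ports["Ethernet0/0/10"].action, sw.ports["Ethernet0/0/10"].recovery = "shutdown", 30  # assumed
    return sw

if __name__ == "__main__":
    sw = fig18_1_switch()
    aa, bb, srv = "00-00-00-00-00-AA", "00-00-00-00-00-BB", "00-00-00-00-00-01"
    sw.receive("Ethernet0/0/1", {"type": "DHCPREQUEST", "src_mac": aa, "chaddr": aa, "yiaddr": "0.0.0.0"})
    sw.receive("Ethernet0/0/11", {"type": "DHCPACK", "src_mac": srv, "chaddr": aa, "yiaddr": "1.1.1.5"})
    print(sw.receive("Ethernet0/0/10", {"type": "DHCPACK", "src_mac": bb, "chaddr": aa, "yiaddr": "6.6.6.6"}))
    print(sw.bindings, sw.log)
```

The binding table is what a later IP/MAC source check (the AM pool in chapter 16 fills the same role statically) can be driven from; a client that never obtained its lease through a trusted port has no entry.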
168. nly include deny list entries.
Only the interfaces on the MASTER switch support the binding of ACLs.
The number of ACLs that can be bound successfully depends on the content of the bound ACLs and the limitation of hardware resources.
If there are rules with the same filtering information but conflicting behavior in an access list, it cannot be bound to the port and an error prompt is given. For example, configuring permit tcp any-source any-destination and deny tcp any-source any-destination at the same time.

Chapter 16 AM Configuration
16.1 AM Introduction
AM (access management) compares the information of a received data message (source IP address, or source IP plus source MAC) with the configured hardware address pool; if it finds a match it forwards the message, if not it discards it.
16.2 AM Pool
The AM pool is an address list; each entry of this address list corresponds to a user. Each entry contains address information and its corresponding port. There are two kinds of address information:
IP address (ip-pool): specifies the user's source IP address information for the port.
MAC-IP address (mac-ip-pool): specifies the user's source MAC address and source IP address information for the port.
The default AM action is to deny. When AM is enabled, the AM module denies all IP messages and only allows the source addresses of the members of
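The ACL semantics stated in 15.2.2 (first match wins, a global default that applies only to incoming IP packets, deny-only rules on the outgoing direction), the binding checks listed just above (an ACL whose rules carry identical match fields with conflicting actions is refused), and the MAC wildcard form of scenario 2 ("00-12-11-23-00-00 00-00-00-00-ff-ff" matching 00-12-11-23-XX-XX), as an added example that is not the manual's or the switch's own code. It also generalizes scenario 3 to a rule denying FTP control connections from 10.0.0.0/24, since the page does not show that configuration. The rule and frame representation is an assumption made for the demonstration.

```python
"""ACL evaluation and bind-time validation with the manual's semantics
(example code for this page, not the switch firmware)."""
from dataclasses import dataclass
from typing import List, Optional

def mac_int(s: str) -> int:
    """'00-12-11-23-00-00' or '00:12:11:23:00:00' -> 48-bit integer."""
    return int(s.replace(":", "").replace("-", ""), 16)

def ip_int(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wild_match(value: int, pattern: int, wildcard: int) -> bool:
    """Wildcard bits set to 1 are 'don't care', so 00-00-00-00-ff-ff masks the last two bytes."""
    return (value & ~wildcard) == (pattern & ~wildcard)

@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" | "deny"
    smac: Optional[str] = None           # source MAC pattern, None = any-source-mac
    smac_wild: str = "00-00-00-00-00-00"
    frame: Optional[str] = None          # "untagged-802-3" | "tagged-802-3" | "ethernet2" | None = any
    sip: Optional[str] = None            # source IP pattern, None = any-source
    sip_wild: str = "0.0.0.0"
    proto: Optional[str] = None          # "tcp" | "udp" | "icmp" | None = any
    dport: Optional[int] = None          # TCP/UDP destination port, None = any

    def fields(self):
        """Match fields only; equal fields with different actions is the conflict the switch rejects."""
        return (self.smac, self.smac_wild, self.frame, self.sip, self.sip_wild, self.proto, self.dport)

    def matches(self, pkt: dict) -> bool:
        if self.smac is not None and not wild_match(mac_int(pkt["smac"]), mac_int(self.smac), mac_int(self.smac_wild)):
            return False
        if self.frame is not None and pkt.get("frame") != self.frame:
            return False
        if self.sip is not None and ("sip" not in pkt or not wild_match(ip_int(pkt["sip"]), ip_int(self.sip), ip_int(self.sip_wild))):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def validate_bind(rules: List[Rule], direction: str) -> None:
    """Bind-time checks from the manual: outgoing ACLs are deny-only, conflicting rules are refused."""
    if direction == "out" and any(r.action != "deny" for r in rules):
        raise ValueError("an ACL bound in the outgoing direction may only contain deny rules")
    seen = {}
    for r in rules:
        if seen.setdefault(r.fields(), r.action) != r.action:
            raise ValueError(f"rules with the same filtering information but conflicting actions: {r.fields()}")

def evaluate(rules: Optional[List[Rule]], pkt: dict, direction: str = "in",
             firewall_enabled: bool = True, default: str = "permit") -> str:
    """First matching rule decides and the rest are not processed. With no match (or no
    ACL bound) the global default applies only to incoming IP packets while the packet
    filter is enabled; non-IP incoming packets and all outgoing packets are permitted."""
    for r in rules or []:
        if r.matches(pkt):
            return r.action
    if firewall_enabled and direction == "in" and "sip" in pkt:
        return default
    return "permit"

# Scenario 2 of the manual: drop 802.3 frames from 00-12-11-23-XX-XX on ingress.
ACL_1100 = [
    Rule("deny", smac="00-12-11-23-00-00", smac_wild="00-00-00-00-ff-ff", frame="untagged-802-3"),
    Rule("deny", smac="00-12-11-23-00-00", smac_wild="00-00-00-00-ff-ff", frame="tagged-802-3"),
]
# Scenario 3 generalised: deny FTP control connections from the 10.0.0.0/24 segment.
ACL_FTP = [Rule("deny", sip="10.0.0.0", sip_wild="0.0.0.255", proto="tcp", dport=21)]

if __name__ == "__main__":
    validate_bind(ACL_1100, "in")
    print(evaluate(ACL_1100, {"smac": "00-12-11-23-ab-cd", "frame": "untagged-802-3"}))
    print(evaluate(ACL_1100, {"smac": "00-12-11-23-ab-cd", "frame": "ethernet2", "sip": "10.0.0.7"}, default="deny"))
    print(evaluate(ACL_FTP, {"smac": "00-12-11-23-ab-cd", "frame": "ethernet2", "sip": "10.0.0.7", "proto": "tcp", "dport": 21}))
```

Note the asymmetry the second call illustrates: with firewall default deny, an IP frame that matches nothing is dropped, while a non-IP frame that matches nothing is still forwarded, so a deny-by-default posture on ingress does not cover non-IP protocols unless they get explicit MAC rules.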
...no form command deletes this MAC access rule.

{no} {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} tagged-eth2 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]
Creates a MAC access rule matching tagged Ethernet II frames; the no form deletes this MAC access rule.

{no} {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} tagged-802-3 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]]
Creates a MAC access rule matching tagged 802.3 frames; the no form deletes this MAC access rule.

c. Exit ACL configuration mode (Extended name-based MAC access configuration mode)
exit: quit the extended name-based MAC access configuration mode.

8. Configuring a numbered extended MAC-IP access list (Global mode)
access-list <num> {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac
...no radius-server dead-time: the no radius-server dead-time command restores the default setting.
radius-server retransmit <retries> / no radius-server retransmit: configures the number of retransmissions to the RADIUS server; the no form restores the default setting.
radius-server timeout <seconds> / no radius-server timeout: configures the timeout timer for the RADIUS server; the no form restores the default setting.
radius-server realtime-accounting interval <minute>: sets the real-time accounting update timer.

14.3 Example of 802.1x Application
Fig 14.2 IEEE 802.1x configuration topology of the example (addresses shown in the figure: 10.1.1.2, 10.1.1.1, RADIUS server 10.1.1.3)
The computer is connected to port 0/0/2 of the switch, and IEEE 802.1x authentication is enabled on that port, which by default uses MAC-address-based authentication as the access method. The IP address of the switch is 10.1.1.2, and the RADIUS authentication server, IP address 10.1.1.3, is reached through the ports other than port 0/0/2. By default the authentication and accounting ports are 1812 and 1813. IEEE 802.1x client software is installed on the computer to perform the authentication. The configuration procedure is as follows:
Switch(Config)#interface vlan 1
Switch(Config-if
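What the switch, as RADIUS client (NAS), actually puts on the wire towards UDP port 1812 when it authenticates a supplicant by MAC address with a plain username/password, as an added example written for this page and not taken from the switch firmware: the User-Password attribute is hidden with the RFC 2865 section 5.2 MD5 stream keyed by the shared secret and the Request Authenticator, and the server's reply carries only an MD5 over the packet and the shared secret (section 3), so the secret's strength is what stands between an on-path attacker and both the password and a forged Access-Accept. The shared secret, username, NAS address and port number below are constructed values.

```python
"""RADIUS Access-Request building and reply verification (added example, RFC 2865)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator. This is obfuscation keyed by the shared secret."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server side). Trailing NUL padding is removed."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type | Length (including this 2-byte header) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, nas_port,
                         authenticator=None) -> bytes:
    """Code(1) | Identifier | Length | Request Authenticator (16 random bytes) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, attrs, request_authenticator, secret) -> bytes:
    """What a server sends back; used here to produce a test reply."""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check a NAS must do before trusting an Access-Accept; a forged reply fails it."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

The Request Authenticator must be fresh and unpredictable for every request: a reused value lets an observer XOR two hidden passwords together, and it is also the only thing that ties a reply to the request it answers.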
...nt.
Check the validity of the IGMP Snooping information using the command show ip igmp snooping vlan <vid>.
If none of the above resolves the IGMP Snooping problem, use debug commands such as debug igmp snooping, collect the DEBUG output for 3 minutes, and send it to the technical service center of our company.

Chapter 12 Multicast VLAN Configuration
12.1 Multicast VLAN Introduction
With the current multicast program-ordering method, when users in different VLANs order programs, each VLAN copies a multicast stream within itself, which wastes a lot of bandwidth. By configuring a multicast VLAN we add the ports of a switch to one multicast VLAN; after enabling IGMP Snooping, users in different VLANs share the same multicast VLAN, and the multicast stream is transmitted within that one VLAN only, so bandwidth is saved. Since the multicast VLAN and the user VLANs are completely isolated, both security and bandwidth are guaranteed. After the multicast VLAN is configured, the multicast stream can be delivered to users without interruption.

12.2 Multicast VLAN Configuration
12.2.1 Multicast VLAN Configuration Task Sequence
1. Start the multicast VLAN function
2. Configure IGMP Snooping

1. Start the multicast VLAN function (VLAN configuration mode)
multicast v
...ntries
   c. Exit ACL configuration mode
4. Configuring a name-based extended IP access list
   a. Create a name-based extended IP access list
   b. Specify multiple permit or deny rule entries
   c. Exit ACL configuration mode
5. Configuring a numbered standard MAC access list
6. Configuring a numbered extended MAC access list
7. Configuring a name-based standard MAC access list
   a. Create a name-based standard MAC access list
   b. Specify multiple permit or deny rule entries
   c. Exit ACL configuration mode
8. Configuring a numbered extended MAC-IP access list
9. Configuring a name-based extended MAC-IP access list
   a. Create a name-based extended MAC-IP access list
   b. Specify multiple permit or deny rule entries
   c. Exit MAC-IP configuration mode

2. Configuring the packet filtering function
   1. Enable the global packet filtering function
   2. Configure the default action

3. Configuring the time range function
   1. Create the name of the time range
   2. Configure a periodic time range
   3. Configure an absolute time range

4. Bind an access list to a specific direction of the specified port

1. Configuring access lists
1. Configuring a numbered standard IP access list (Global Mode)
access-list <num> {deny | permit} ...: creates a numbered standard IP access list; if the access list a
...ntroduction to ARP
ARP (Address Resolution Protocol) is mainly used to resolve IP addresses to Ethernet MAC addresses. The SS2R24/48G4i switch supports static configuration.
23.2.1.1 ARP Configuration Task Sequence
1. Configure static ARP
arp <ip_address> <mac_address> / no arp <ip_address>: configure a static ARP entry; the no arp <ip_address> command deletes a static ARP entry.

23.2.2 ARP Forwarding Troubleshooting
23.2.2.1 Monitor and Debug Commands
23.2.2.1.1 show arp
Command: show arp [<ip-addr>] [<vlan-id>] [<hw-addr>] [type {static | dynamic}] [count]
Function: display the ARP table.
Parameters: <ip-addr> is a specified IP address; <vlan-id> selects the entries of the specified VLAN; <hw-addr> selects the entry with the specified MAC address; static selects static ARP entries; dynamic selects dynamic ARP entries; count displays the number of ARP entries.
Command mode: Admin Mode.
Displayed information:
Address: IP address of the ARP entry (for example 2.2.2.66)
Hardware Address: MAC address of the ARP entry (for example 00-10-00-00-00-C5)
Interface: Layer 3 interface corresponding to the ARP entry
Port: physical Layer 2 interface corresponding to the ARP entry
Flag: whether the ARP entry is dynamic or static

23.2.2.1.2 debug arp
Command: debug arp / no debug arp
Function: Enabl
...nu and press Enter to start configuring the Telnet server; the following appears:
Configure telnet server
0. Add telnet user
1. Config telnet server status
2. Exit
Selection number:
Select 0 in the Telnet server configuration menu and press Enter; the following appears:
Please input the new telnet user name:
Note: the valid username length is 1 to 16 characters. When the user enters a valid username and presses Enter, the following appears:
Please input the new telnet user password:
Select 1 in the Telnet server configuration menu and press Enter; the following appears:
Enable switch telnet server or no? (y/n) [y]
Type y and press Enter, or just press Enter, to enable the Telnet service; type n and press Enter to disable it. The Telnet server configuration menu then reappears.
Select 2 in the Telnet server configuration menu to return to the Setup main menu.

3.3.4 Configuring Web Server
Select 3 in the Setup main menu and press Enter to start configuring the Web server; the following appears:
Configure web server
0. Add web user
1. Config web server status
2. Exit
Selection number:
Select 0 in the Web server configuration menu and press Enter; the following appears:
Please input the new web user name:
Note: the valid username length is 1 to 16 characters. When the user enters a valid username and presses Enter, the following screen a
...o of which, connected to ports 2 and 6, order program 1; the one connected to port 10 orders program 2, and the one connected to port 12 orders program 3.
IGMP Snooping listening result: the multicast table built by IGMP Snooping in VLAN 100 lists ports 1, 2, 6, 10 in Group 1 and ports 1, 12 in Group 3. All four hosts receive the program of their choice: ports 2, 6, 10 do not receive the traffic of programs 2 and 3, and port 12 does not receive the traffic of programs 1 and 2.

Scenario 2: IGMP L2 general querier
Fig 11.2 The switches as IGMP queriers (Switch A: L2 general querier with the multicast port; Switch B: IGMP snooping)
The configuration of Switch B is the same as that of the switch in scenario 1. Switch A takes the place of the multicast router of scenario 1. Assume VLAN 60 is configured on Switch A and includes ports 1, 2, 6, 10 and 12; port 1 connects to the multicast server and port 2 connects to Switch B. To send Queries at regular intervals, IGMP query must be enabled in Global mode and in VLAN 60. The configuration steps are:
switchA(config)#ip igmp snooping
switchA(config)#ip igmp snooping vlan 60
switchA(config)#ip igmp snooping vlan 60 l2-general-querier
switchB(config)#ip igmp snooping
switchB(config)#ip igmp snooping vlan 100
switchB(config)#ip igmp snooping vlan 100 mrouter-port interface ethernet 0/0/1
Multicas
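The forwarding table that the scenarios above describe, as an added example written for this page (not the switch's implementation): ports learn group membership from Membership Reports, a Leave removes the port, data for a group is delivered only to that group's member ports plus the mrouter ports and never back out the ingress port, and joins beyond the per-VLAN group limit ("ip igmp snooping vlan <id> limit group") are refused. The group addresses and the port layout are constructed from scenario 1; sending traffic for a group nobody has joined only to the mrouter ports is this example's assumption, the page does not state the unknown-group rule.

```python
"""IGMP snooping forwarding-table model for one VLAN (added example)."""
from typing import Dict, List, Optional, Set


class IgmpSnoopingVlan:
    def __init__(self, vlan_id: int, group_limit: Optional[int] = None):
        self.vlan_id = vlan_id
        self.group_limit = group_limit          # "limit group <g_limit>"; None = unlimited
        self.mrouter_ports: Set[int] = set()    # static (mrouter-port) or learned from queries
        self.groups: Dict[str, Set[int]] = {}   # group address -> member ports

    def add_mrouter_port(self, port: int) -> None:
        """Static mrouter port: where the multicast router or L2 general querier sits."""
        self.mrouter_ports.add(port)

    def query_seen(self, port: int) -> None:
        """A General Query arriving on a port marks it as a querier (mrouter) port."""
        self.mrouter_ports.add(port)

    def report(self, port: int, group: str) -> bool:
        """Membership Report (join). Returns False if the group limit would be exceeded."""
        if group not in self.groups:
            if self.group_limit is not None and len(self.groups) >= self.group_limit:
                return False
            self.groups[group] = set()
        self.groups[group].add(port)
        return True

    def leave(self, port: int, group: str) -> None:
        members = self.groups.get(group)
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.groups[group]              # last member gone: stop forwarding the group

    def egress_ports(self, ingress: int, group: str) -> List[int]:
        """Ports that receive a data frame for `group` arriving on `ingress`."""
        members = self.groups.get(group, set())
        return sorted((members | self.mrouter_ports) - {ingress})


def scenario_one() -> IgmpSnoopingVlan:
    """Constructed version of scenario 1: router on port 1, hosts on ports 2, 6, 10, 12."""
    vlan = IgmpSnoopingVlan(100, group_limit=8)
    vlan.add_mrouter_port(1)
    vlan.report(2, "239.1.1.1")     # program 1
    vlan.report(6, "239.1.1.1")
    vlan.report(10, "239.1.1.2")    # program 2
    vlan.report(12, "239.1.1.3")    # program 3
    return vlan
```

Without the mrouter port entry, a host's Report would build a table but traffic from the router would still have no path, which is why the static mrouter-port line in the Switch B configuration matters when there is no IGMP router sending Queries on that VLAN.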
...og buffer.

5. Set the output channel of the log host (Privileged configuration mode)
logging <ip-addr> facility <local-number> / no logging <ip-addr>: open the output channel to the log host; the no form disables it.

6. Display the information of the log channel (Privileged configuration mode)
show channel {console | monitor | logbuff | loghost}: display the information of the log channel.

7. Set the filter items of the log output channel (Privileged configuration mode)
logging source <module-name> {default | channel <channel-name>} level <severity> state {on | off}: add filter items to the output channel of the log.
no logging source <module-name> {default | channel <channel-name>}: delete filter items from the output channel of the log.

5.6.3 System Log Configuration Example
The management VLAN IPv4 address of the switch is 100.100.100.1 and the IPv4 address of the remote log server is 100.100.100.5. Log information with a severity equal to or higher than warnings must be sent to this log server and stored under facility local1 on the log server. Output the log information of the module shell if its severity level is warning or critical:
configure
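How the facility and severity from that example end up in what the log server receives, as an added example written for this page and not part of the switch software: the RFC 3164 PRI value is facility * 8 + severity, a per-module threshold like "logging source shell ... level warning" passes only messages at that severity or more urgent, and the collector can decode PRI to check what it was sent. The host name, timestamp and message texts are constructed; treating a module without a filter item as not sent is this example's choice.

```python
"""Syslog channel with facility/severity encoding and per-module filtering (added example)."""
from typing import Dict, Optional, Tuple

FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16,
            "local1": 17, "local2": 18, "local3": 19, "local4": 20, "local5": 21,
            "local6": 22, "local7": 23}
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
            "notice": 5, "informational": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}


def pri(facility: str, severity: str) -> int:
    """RFC 3164 PRI: facility * 8 + severity (local1/warning = 17*8 + 4 = 140)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def parse_pri(message: str) -> Tuple[str, str]:
    """Return (facility, severity) names from a "<PRI>..." syslog line."""
    if not message.startswith("<") or ">" not in message:
        raise ValueError("missing PRI")
    value = int(message[1:message.index(">")])
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range")
    return FACILITY_NAME[value >> 3], SEVERITY_NAME[value & 7]


class LogHostChannel:
    """Output channel to one log host with per-module severity thresholds."""

    def __init__(self, host: str, facility: str, hostname: str):
        self.host = host
        self.facility = facility
        self.hostname = hostname
        self.filters: Dict[str, int] = {}     # module -> least urgent severity still sent

    def add_filter(self, module: str, level: str) -> None:
        self.filters[module] = SEVERITY[level]

    def emit(self, module: str, severity: str, text: str, timestamp: str) -> Optional[str]:
        """Format the message for the wire, or return None if the filter suppresses it.
        Lower severity numbers are more urgent, so "level warning" passes 0..4."""
        threshold = self.filters.get(module)
        if threshold is None or SEVERITY[severity] > threshold:
            return None
        return f"<{pri(self.facility, severity)}>{timestamp} {self.hostname} {module}: {text}"


def example_channel() -> LogHostChannel:
    """The configuration example: log host 100.100.100.5, facility local1, shell at warning."""
    channel = LogHostChannel("100.100.100.5", "local1", "100.100.100.1")
    channel.add_filter("shell", "warning")
    return channel
```

The direction of the comparison is the usual source of misconfiguration: "warning" is numerically 4, so a threshold of warning passes critical (2) and emergency (0) but suppresses informational (6) and debug (7).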
...ort Ethernet0/0/1
IP Ingress access-list used is 10: IP ACL number 10 is bound to the ingress direction of port Ethernet0/0/1.

15.5.1.3 show firewall
Command: show firewall
Function: display the configuration of the packet filtering function.
Parameters: none. Default: none. Command mode: Admin mode.
Displayed information:
firewall is enable: the packet filtering function is enabled.
the default action of firewall is permit: the default packet filtering action is permit.

15.5.1.4 show time-range
Command: show time-range [<word>]
Function: display the configuration of time ranges.
Parameters: <word> is the name of the time range to display. Default: none.

15.5.2 ACL Troubleshooting
The entries of an ACL are checked top-down; as soon as one entry matches, the check finishes immediately.
Only when no ACL is bound, or no ACL entry matches, on the given direction of the port is the default rule used.
Each port ingress can bind one MAC-IP ACL, or one IP ACL, or one MAC ACL. Each port egress can bind one MAC-IP ACL, or one IP ACL, or one MAC ACL.
When ACLs are bound to the ingress and egress simultaneously, the egress rules have higher priority than the ingress rules. Within the same ACL, the earlier a rule is configured, the higher its priority.
When an ACL is bound to the egress direction of a port, it can o
...orts a message. IGMP Snooping is also referred to as IGMP listening. Through IGMP Snooping the switch prevents multicast traffic from flooding: multicast traffic is forwarded only to ports associated with multicast devices. The switch listens to the IGMP messages between the multicast router and the hosts, maintains a multicast group forwarding table based on the listening result, and then forwards multicast packets according to that table. The SS2R24/48G4i switch provides IGMP Snooping and is able to send queries itself, so that the switch can be used in IP multicast.

11.2 IGMP Snooping Configuration
11.2.1 IGMP Snooping Configuration Task
1. Enable IGMP Snooping
2. Configure IGMP Snooping

1. Start the IGMP Snooping function (Global configuration mode)
ip igmp snooping / no ip igmp snooping: start the IGMP Snooping function; the no form shuts it down globally.

2. Configure IGMP Snooping (Global configuration mode)
ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id>: start IGMP Snooping on the specified VLAN; the no form disables IGMP Snooping on the specified VLAN.
ip igmp snooping vlan <vlan-id> limit: set the maximum number of groups IGMP
...ost_dmac> | <dmac> <dmac-mask>} host-source <source-host-ip> host-destination <destination-host-ip>

access-list <num> {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} {eigrp | gre | igrp | ip | ipinip | ospf | <protocol-num>} {<source> <source-wildcard> | any-source} {<destination> <destination-wildcard> | any-destination} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Creates a numbered extended MAC-IP access rule for the specified MAC-IP protocol or for all MAC-IP protocols; if the numbered extended access list of the specified number does not exist, an access list is created with this number.
no access-list <num> ...: deletes this numbered extended MAC-IP access rule.

9. Configuring a name-based extended MAC-IP access list
a. Create a name-based extended MAC-IP access list (Global Mode)
mac-ip-access-list extended <name> / no mac-ip-access-list extended <name>: creates a name-based extended MAC-IP access list; the no form deletes it.
b. Specify multiple permit or deny rule entries (Extended name-based MAC-IP access mode)
...own. The following flowchart describes the operations during policing and remarking. (Flowchart not reproduced.)
Queuing and scheduling: at the egress, packets re-map the internal DSCP value to a CoS value; the queuing operation assigns packets to the appropriate priority queues according to the CoS value, and the scheduling operation forwards packets according to the weight of the prioritized queues. The following flowchart describes the operations during queuing and scheduling. (Flowchart not reproduced.)

22.2 QoS Configuration
22.2.1 QoS Configuration Task List
1. Enable QoS. QoS can be enabled or disabled in Global Mode; it must be enabled in Global Mode before the other QoS commands can be configured.
2. Configure a class map. Set up a classification rule according to ACL, VLAN ID, IP precedence or DSCP to classify the data stream. Different classes of data stream are processed with different policies.
3. Configure a policy map. After the data stream is classified, a policy map can be created and associated with the class map created earlier, entering class mode. Different policies, such as bandwidth limit, priority degrading or assigning a new DSCP value, can then be applied to the different data streams. You can also define a policy set that can be used in a policy map by several classes.
4. Apply QoS to the ports. Configure the trust mode for ports, or bind policies to ports. A policy only takes effect on a port when it is bound to that port.
5. Configure queu
...p
class <class-map-name> / no class <class-map-name>: after a policy map is created it can be associated with a class; different policies or a new DSCP value can be applied to different data streams in class mode. The no form deletes the specified class.
set {ip dscp <new-dscp> | ip precedence <new-precedence> | cos <new-cos>} / no set {ip dscp | ip precedence | cos}: assign a new DSCP, IP precedence or CoS value to the classified traffic; the no form cancels the newly assigned value.
police <rate-bps> <burst-byte> exceed-action {drop | policed-dscp-transmit} / no police <rate-bps> <burst-byte> exceed-action {drop | policed-dscp-transmit}: configure a policer for the classified traffic; the part of the data stream exceeding the limit is dropped or degraded. The no form deletes the specified policer.
mls qos aggregate-policer <aggregate-policer-name> <rate-bps> <burst-byte> exceed-action {drop | policed-dscp-transmit} / no mls qos aggregate-policer <aggregate-policer-name>: define a policy set that applies an action, discard or degrade, to out-of-profile data streams; one policy set can be used by several classes in one policy map. The no mls qos aggregate-policer <
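A single-rate token-bucket policer matching the police and aggregate-policer commands above, as an added example written for this page and not the switch's code: tokens are bytes, the bucket refills at rate/8 bytes per second up to the burst size, a packet conforms only if its whole length is available, and out-of-profile packets are dropped or, with policed-dscp-transmit, forwarded after their DSCP is remapped. The policed-DSCP table, rates and packet sizes are constructed for the example (the page shows the command, not the map); sharing one Policer object between several classes models the aggregate policer.

```python
"""Token-bucket policer with drop / policed-dscp-transmit exceed actions (added example)."""
from typing import Dict, List, Optional, Tuple


class Policer:
    def __init__(self, rate_bps: int, burst_bytes: int, exceed_action: str,
                 policed_dscp_map: Optional[Dict[int, int]] = None):
        if exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError("exceed-action must be drop or policed-dscp-transmit")
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = burst_bytes
        self.exceed_action = exceed_action
        self.policed_dscp_map = policed_dscp_map or {}   # constructed; page shows no map
        self.tokens = float(burst_bytes)                 # a fresh bucket is full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last = max(self.last, now)

    def police(self, length: int, dscp: int, now: float) -> Tuple[str, Optional[int]]:
        """Return ("transmit", dscp), ("transmit", remarked_dscp) or ("drop", None)."""
        self._refill(now)
        if length <= self.tokens:
            self.tokens -= length                        # in profile
            return "transmit", dscp
        if self.exceed_action == "drop":
            return "drop", None
        # policed-dscp-transmit: degrade instead of dropping; unmapped values keep their DSCP
        return "transmit", self.policed_dscp_map.get(dscp, dscp)


def run_burst(policer: Policer, packets: List[Tuple[int, int, float]]) -> List[Tuple[str, Optional[int]]]:
    """Apply one policer to (length, dscp, time) tuples; two classes sharing it = aggregate."""
    return [policer.police(length, dscp, t) for length, dscp, t in packets]
```

The burst parameter is what lets a short spike through: with burst equal to one MTU, back-to-back full-size frames at line rate are dropped after the first one no matter how small the average rate is, so burst is normally sized to several frames of the traffic class being policed.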
...p 1 in order, and we can see that a group in on mode is joined forcibly: the switch at the other end does not exchange LACP BPDUs to complete the aggregation. Aggregation finishes immediately when the command adding port 2 to port-group 1 is entered: ports 1 and 2 aggregate into port-channel 1; when port 3 joins port-group 1, port-channel 1 of ports 1 and 2 is ungrouped and re-aggregated with port 3 to form port-channel 1. Note that whenever a new port joins an aggregated port group, the group is ungrouped first and then re-aggregated to form a new group. Now all four ports of both Switch A and Switch B are aggregated in on mode, and each switch has one aggregated port.

17.4 Port Channel Troubleshooting
17.4.1 Debug and Monitor Commands
17.4.1.1 show port-group
Command: show port-group [<port-group-number>] {brief | detail | load-balance | port | port-channel}
Parameters: <port-group-number> is the number of the port channel to display, from 1 to 8; brief displays summary information; detail displays detailed information; load-balance displays load balance information; port displays member port information; port-channel displays port aggregation information.
Command mode: Admin Mode.
1. Display summary information for port group 1.
Displayed information:
Number of ports in group: number of ports in the port group
Maximum numb
...p encrypted auth md5 hello
Switch(Config)#snmp-server group DCNGroup AuthPriv read max write max notify max
Switch(Config)#snmp-server view max 1 include

Scenario 4: the NMS wants to receive the v3 Trap messages sent by the switch. The configuration on the switch is:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 10.1.1.2 v3 AuthPriv tester
Switch(config)#snmp-server enable traps

5.4.6 SNMP Troubleshooting
5.4.6.1 Monitor and Debug Commands
5.4.6.1.1 show snmp
Command: show snmp
Function: display all SNMP counter information.
Command mode: Admin Mode.
Displayed information:
snmp packets input: total number of SNMP packets received
bad snmp version errors: number of packets with version errors
unknown community name: number of packets with community name errors
illegal operation for community name supplied: number of packets whose community lacks permission for the requested operation
number of requested variables: number of variables requested by the NMS
number of altered variables: number of variables set by the NMS
get-request PDUs: number of get requests received
get-next PDUs: number of getnext requests received
set-request PDUs: number of set requests received
snmp packets output: total number of SNMP packets sent
too big errors: number of Too_big error SNMP packets
maximum packet size: maximum length of SNMP packets
no such na
...planation
STP version: STP version
Bridge Id Information: switch information
Priority: switch priority
Mac address: switch MAC address
Bridge Max Age: switch max age time
Bridge Hello Time: switch hello time
Bridge Forward Delay: switch forward delay
Bridge Diameter: network diameter
Root bridge information: root bridge information
Priority: root bridge priority
Mac address: root bridge MAC address
Root Path Cost: root path cost of the switch
Root Port: root port of the switch
Topology Changes: number of topology changes
Current port list: current port list of the switch
Port: port number
Priority: port STP priority
Cost: port cost
STPStatus: port STP running status
PortState: port state
Role: port role
DesignatedBridge: designated bridge ID (priority and MAC address)
DsgPort: designated port ID

10.4.1.2 debug stp
Command: debug stp {all | basic | in | out} / no debug stp {all | basic | in | out}
Function: open RSTP debug information; the no debug stp {all | basic | in | out} command closes RSTP debug information.
Parameters: all means all debug information switches; basic means the basic debug information switch; fsm means the finite state machine debug switch; in and out mean the debug switches for input and output packets respectively.
Command mode: Admin mode.
10.4.2 RS
...pon TCP to provide reliable, connection-oriented data stream transfer. However, it does not provide file access authorization, and it uses a simple authentication mechanism that transfers the username and password in plain text. When using FTP to transfer files, two connections are established between the client and the server: a control connection and a data connection. The FTP client sends a request to establish the control connection on port 21 of the server and negotiates the data connection through it. There are two types of data connection, active and passive. In an active connection the client sends its address and port number for the data transfer to the server; the control connection is maintained until the data transfer is complete. Then, using the address and port number provided by the client, the server establishes the data connection from port 20 if that port is free; if port 20 is engaged, the server automatically uses another port number to establish the data connection. In a passive connection the client, through the control connection, asks the server to establish a passive connection; the server then creates its own data listening port, informs the client of the port, and the client establishes the data connection to that port. As the data connection is established through the specified address and port, there is a third party to provide da
...ppears:
Please input the new web user password:
Note: the valid password length is 1 to 8 characters. After the username and password are configured, the menu returns to the Web server configuration section.
Select 1 in the Web server configuration menu and press Enter; the following appears:
Enable switch web server or no? (y/n) [y]
Type y and press Enter, or just press Enter, to enable the Web service; type n and press Enter to disable it. The Web server configuration menu then reappears.
Select 2 in the Web server configuration menu to return to the Setup main menu.

3.3.5 Configuring SNMP
Select 4 in the Setup main menu and press Enter to start configuring SNMP; the following appears:
Configure SNMP
0. Config SNMP server read-write community string
1. Config SNMP server read-only community string
2. Config traps host and community string
3. Config SNMP server status
4. Config SNMP traps status
5. Add SNMP NMS security IP address
6. Exit
Selection number:
Select 0 in the SNMP configuration menu and press Enter; the following appears:
Please input the read-write access community string [private]:
Note: the valid length of a read-write access community string is 1 to 255 characters; the default value is private. The default is the well-known one, and a read-write community is a write credential for the whole configuration, so replace it with a site-specific string before enabling the SNMP server. When a valid read-write access community string is entered, pressing Enter returns you to the SNMP configuration menu. Select
...put voltage. As long as the input voltage is within the range printed on the switch surface, the switch can operate correctly.
3. When the switch is powered on, it executes the self-test procedure and starts up.
Caution: the input voltage must be within the required range, otherwise the switch could malfunction or be damaged. Do not open the switch shell without permission; it can cause physical injury.

Chapter 3 Setup Configuration
Setup configuration refers to the initial configuration of the switch after purchase. For first-time users of the SS2R24/48G4i switch, this chapter provides very practical instructions. At the CLI (command line interface) the user can type setup in Admin mode to enter the Setup configuration interface.

3.1 Setup Configuration
Setup configuration is done via menu selections, in which the switch hostname, the VLAN 1 interface, the Telnet service, the Web service and SNMP can be configured.

3.2 Main Setup Menu
Before entering the main menu, the following screen prompts the user to select a preferred interface language. English users should choose 0 to enter the English interface; Chinese users can choose 1 to view the interface in Chinese.
Please select language
0. English
1. Chinese
Selection (0/1) [0]:
The main Setup configuration menu is listed below:
Configure menu
0. Config hostname
...q tunnel function on the ports (Port mode)
dot1q-tunnel enable / no dot1q-tunnel enable: enter or exit the dot1q tunnel mode on the port.

2. Configure the protocol type (TPID) of the port (Port mode)
dot1q-tunnel tpid {8100 | 9100 | 9200}: configure the protocol type on the port.

3. Set the dot1q tunnel type of the port (Interface configuration mode)
switchport dot1q-tunnel mode {customer | uplink} / no switchport dot1q-tunnel: set the dot1q tunnel type of the port.

9.3.3 Typical Applications of the Dot1q Tunnel
Scenario: the edge switches PE1 and PE2 of the ISP network forward the VLAN 200-300 data between CE1 and CE2 of the client network inside VLAN 3. Port 1 of PE1 is connected to CE1 and port 10 is connected to the public network, where the TPID of the connected equipment is 9100; port 1 of PE2 is connected to CE2 and port 10 is connected to the public network.
Configuration item: configuration explanation
VLAN 3: port 1 of PE1 and PE2
dot1q tunn el: port 1 of PE1 and PE2
Trunk port: port 10 of PE1 and PE2
The configuration procedure is as follows.
PE1:
SS2R48G4i(Config)#vlan 3
SS2R48G4i(Config-Vlan3)#switchport interface ethernet 0/0/1
SS2R48G4i(Config-Vlan3)#exit
SS2R48G4i(Config)#dot1q-tunnel enable
SS2R48G4i(Config)#dot1q-tunnel tpid 9100
SS2R48G4i(Config)#interface ethernet 0/0/1
SS2R
...r
Configuration description:
a. Create a proper ACL
b. Configure the packet filtering function
c. Bind the ACL to the port
The configuration steps are:
Switch(Config)#access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-FF-FF any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(Config)#firewall enable
Switch(Config)#firewall default permit
Switch(Config)#interface ethernet 0/0/10
Switch(Config-Ethernet0/0/10)#mac-ip access-group 3110 in
Switch(Config-Ethernet0/0/10)#exit
Switch(Config)#exit
Configuration result:
Switch#show firewall
Firewall is enabled.
Firewall default rule is to permit any packet.
Switch#show access-lists
access-list 3110 (used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-FF-FF any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch#show access-group
interface name: Ethernet0/0/10
MAC-IP Ingress access-list used is 3110

15.5 ACL Troubleshooting
15.5.1 Monitor and Debug Commands
15.5.1.1 show access-lists
Command: show access-lists [<num> | <acl-name>]
Function: display the configured ACLs.
Parameters: <acl-name> is a specific ACL name string; <num> is a specific ACL number. Default: none. Command mode: Admin mode.
Displayed information:
access-list 10 (used 0 time(s)): ACL 10 has been used 0 times
access-list 10 deny any-source: deny any
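An evaluator for the ACL semantics stated on this page, as an added example written for it and not the switch's implementation. It covers the rules in 15.5.2 ACL Troubleshooting (top-down first match, the firewall default action only when no ACL is bound or nothing matches), the note that a list containing rules with equal filtering fields but different actions cannot be bound, and the access-list 3110 from the configuration example above. Both the IP wildcard (10.0.0.0 0.0.0.255) and the MAC mask (00-00-00-00-FF-FF) are treated as wildcard masks whose set bits are ignored, which is what makes 3110 match any station whose source MAC starts with 00-12-11-23; the packet dictionary layout and the sample packets are this example's own.

```python
"""First-match ACL evaluator with bind-time conflict detection (added example)."""
from dataclasses import dataclass, astuple
from typing import Dict, List, Optional, Tuple

ANY_MAC, NO_WILD_MAC = "any", "00-00-00-00-00-00"
ANY_IP, NO_WILD_IP = "any", "0.0.0.0"


def ip_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def mac_int(addr: str) -> int:
    return int(addr.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str = "ip"                    # "ip" matches any IP protocol
    smac: str = ANY_MAC
    smac_wild: str = NO_WILD_MAC
    dmac: str = ANY_MAC
    dmac_wild: str = NO_WILD_MAC
    src: str = ANY_IP
    src_wild: str = NO_WILD_IP
    dst: str = ANY_IP
    dst_wild: str = NO_WILD_IP
    sport: Optional[int] = None
    dport: Optional[int] = None

    def filter_key(self) -> tuple:
        return astuple(self)[1:]         # all filtering fields, without the action


def _masked_eq(value: int, pattern: int, wild: int) -> bool:
    """Wildcard-mask compare: bits set in `wild` are don't-care."""
    return (value & ~wild) == (pattern & ~wild)


def matches(rule: Rule, pkt: Dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    for pat, wild, val, conv in ((rule.smac, rule.smac_wild, pkt["smac"], mac_int),
                                 (rule.dmac, rule.dmac_wild, pkt["dmac"], mac_int),
                                 (rule.src, rule.src_wild, pkt["src"], ip_int),
                                 (rule.dst, rule.dst_wild, pkt["dst"], ip_int)):
        if pat != "any" and not _masked_eq(conv(val), conv(pat), conv(wild)):
            return False
    if rule.sport is not None and pkt.get("sport") != rule.sport:
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return True


class Firewall:
    def __init__(self, enabled: bool = True, default_action: str = "permit"):
        self.enabled = enabled                 # "firewall enable"
        self.default_action = default_action   # "firewall default permit|deny"
        self.bound: Dict[Tuple[str, str], List[Rule]] = {}   # (port, direction) -> rules

    def bind(self, port: str, direction: str, acl: List[Rule]) -> None:
        """Refuse an ACL whose rules share filtering fields but disagree on the action."""
        seen: Dict[tuple, str] = {}
        for rule in acl:
            prev = seen.setdefault(rule.filter_key(), rule.action)
            if prev != rule.action:
                raise ValueError(f"conflicting rules for {rule.filter_key()}")
        self.bound[(port, direction)] = list(acl)

    def evaluate(self, port: str, direction: str, pkt: Dict) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching rule, or None when the default rule applied)."""
        if not self.enabled:
            return "permit", None
        for index, rule in enumerate(self.bound.get((port, direction), [])):
            if matches(rule, pkt):
                return rule.action, index      # first match ends the check
        return self.default_action, None


# The rule from the configuration example: block FTP control connections from 10.0.0.0/24
# sourced by MACs 00-12-11-23-xx-xx, everything else falls through to the default action.
ACL_3110 = [Rule("deny", proto="tcp", smac="00-12-11-23-00-00", smac_wild="00-00-00-00-FF-FF",
                 src="10.0.0.0", src_wild="0.0.0.255", dport=21)]
```

Because the default action is permit, a packet that differs from the deny rule in any one field (another destination port, a source outside 10.0.0.0/24, a MAC outside the masked range, or UDP instead of TCP) is forwarded; an allow-list posture needs "firewall default deny" plus explicit permits.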
...r
Function: enable the dot1x error debug information; the no debug dot1x error command disables it.
Parameters: none.

14.4.1.10 debug dot1x packet
Command: debug dot1x packet {send | receive | all} interface ethernet <InterfaceName> / no debug dot1x packet {send | receive | all} interface ethernet <InterfaceName>
Function: enable the debug information on sent and received dot1x packets; the no form disables it.
Command mode: Admin Mode.
Parameters: send means sent packets; receive means received packets; all means both sent and received packets; <InterfaceName> is the name of the interface.

14.4.1.11 debug dot1x detail
Command: debug dot1x detail {pkt-send | pkt-receive | internal | userbased | all} interface ethernet <InterfaceName> / no debug dot1x detail {pkt-send | pkt-receive | internal | userbased | all} interface ethernet <InterfaceName>
Function: enable the detailed dot1x debug information; the no form disables it.
Command mode: Admin Mode.
Parameters: pkt-send means the details of sent packets; pkt-receive means the details of received
...r all ports of all bridges. The RSTP algorithm is basically consistent with the STP algorithm defined in IEEE 802.1D. The only difference is that RSTP overcomes a shortcoming of STP: to change the state of any port from blocking to forwarding, STP must wait two forward-delay periods, whereas RSTP, depending on the role of the port in the topology, can move from blocking to forwarding instantly or rapidly. According to the function of ports in the active topology, RSTP defines five port roles: disabled port, root port, designated port, alternate port and backup port; the last two exist to realize the rapid transitions. The function of each port role in the active topology is as follows:
1. Disabled ports do not participate in the RSTP algorithm.
2. The root port is the port through which the bridge is connected to the Root Bridge; the path cost from the bridge to the Root Bridge through the root port is the lowest.
3. The designated port connects a LAN to the Root Bridge through the bridge the port belongs to.
4. The alternate port provides an alternate path from the bridge to the Root Bridge, other than the path through the root port.
5. The backup port provides an alternate path from the LAN downstream of the bridge (the direction away from the root) to the Root Bridge.
The root port and the designated port are part of the active topology; they may perform address learning and
...r disable the port isolation function. An uplink port list is needed to enable it: isolate-port allowed ethernet uplink-port list <InterfaceList> / no isolate-port allowed ethernet uplink-port list <InterfaceList>. This command can be called more than once to set or cancel uplink ports.

Chapter 6 Cluster Configuration
6.1 Introduction to Cluster Network Management
Cluster network management is an in-band configuration management method. Unlike CLI, SNMP and Web configuration, which manage the target switches directly from a management workstation, cluster network management manages the target switches (member switches) through an intermediate switch (the commander switch). A commander switch can manage multiple member switches. As soon as a public IP address is configured on the commander switch, all the member switches, which are configured with private IP addresses, can be managed remotely. This feature economizes public IP addresses, which are in short supply. Cluster network management can dynamically discover cluster-enabled switches (candidate switches). Network administrators can statically or dynamically add candidate switches to an established cluster, and then configure and manage the member switches through the commander switch. When the member switches are distributed across physical locations, such as different floors of the same building, cluster network management has obvious advantages
193. rd

5.2.3 SSH
5.2.3.1 Introduction to SSH
SSH (Secure Shell) is a protocol that provides a secure remote access connection to network devices. It runs over the reliable TCP/IP protocol. Through key distribution, authentication and encryption between the SSH server and the SSH client, a secure connection is established, and the information carried on that connection is protected from interception and decryption. The switch meets the requirements of SSH 2.0 and supports SSH 2.0 client software such as SSH Secure Client and PuTTY, which users can run to manage the switch remotely. The switch presently supports RSA authentication, the 3DES cipher and SSH user password authentication. Note that 3DES is a legacy cipher and that password authentication is exposed to online guessing, so restrict which hosts can reach the SSH service and keep the configured SSH users to the minimum needed.

5.2.3.2 SSH Server Configuration Task List
1 SSH Server Configuration
Command (Global Mode) / Explanation
ssh server enable / no ssh server enable: Enable the SSH function on the switch; the no ssh server enable command disables the SSH function.
ssh user <user name> password {0|7} <password> / no ssh user <user name>: Configure the username and password with which SSH client software logs on to the switch; the no ssh user <user name> command deletes the username.
ssh server timeout <timeout> / no ssh server timeout: Configure the timeout value for SSH authentication; the no ssh server timeout command restores the default
194. re might cause the inability to communicate.

9.5 VLAN Troubleshooting
9.5.1 Monitor and Debug Command
9.5.1.1 show vlan
Command: show vlan [brief | private-vlan | id <vlan-id> | name <vlan-name> | summary]
Function: Display detailed information for all VLANs or for the specified VLAN.
Parameters: brief stands for brief information; summary for VLAN statistics; <vlan-id> is the VLAN ID of the VLAN whose status is to be displayed, valid range 1 to 4094; <vlan-name> is the VLAN name of the VLAN whose status is to be displayed, valid length 1 to 11 characters.
Command mode: Admin Mode
Displayed information / Explanation
VLAN: VLAN number
Name: VLAN name
Type: VLAN type, statically configured or dynamically learned
Status: Active status of the VLAN
Ports: Access ports within the VLAN

Chapter 10 RSTP CONFIGURATION
10.1 INTRODUCTION TO RSTP
RSTP is the abbreviation of Rapid Spanning Tree Protocol. It blocks redundant paths in a switched network by means of the rapid spanning tree algorithm and establishes a loop-free tree topology. The rapid spanning tree algorithm adopted by RSTP is a distributed algorithm: it runs on all bridges of a bridged LAN and is responsible for calculating a simple, fully connected active topology. It selects one bridge as the root (the Root Bridge) when performing the calculation and at the same time designates roles fo
195. rection of the specified port.
Command (Physical Interface Mode / VLAN Interface Mode) / Explanation
ip access-group <acl-name> {in|out} / no ip access-group <acl-name> {in|out}; mac access-group <acl-name> {in|out} / no mac access-group <acl-name> {in|out}; mac-ip access-group <acl-name> {in|out} / no mac-ip access-group <acl-name> {in|out}: Applies an access list to the specified direction on the port; the no form of the command deletes the access list bound to the port.

15.4 ACL Example
Scenario 1: The user has the following configuration requirement: ports 1 to 10 of the switch connect to the 10.0.0.0/24 segment, and FTP is not desired for these users.
Configuration description:
a Create a proper ACL
b Configure the packet filtering function
c Bind the ACL to the port
The configuration steps are listed below (the binding is shown for port 10 and is repeated on each of ports 1 to 10):
Switch(Config)# access-list 110 deny tcp 10.0.0.0 0.0.0.255 any d-port 21
Switch(Config)# firewall enable
Switch(Config)# firewall default permit
Switch(Config)# interface ethernet 0/0/10
Switch(Config-Ethernet0/0/10)# ip access-group 110 in
Switch(Config-Ethernet0/0/10)# exit
Switch(Config)# exit
Configuration result:
Switch# show firewall
Firewall is enabled
Firewall default rule is to permit any packet
Switch# show access-lists
access-list 110 (used 1 time(s))
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any d-port 21
Switch# show access-group interface ethernet 0/0/10
interface name: Ethernet0/0/10
the ingress acl use

Note that the rule only matches the FTP control port (TCP 21). Because the firewall default is permit, an FTP server listening on a non-standard port, and the data connections of passive-mode FTP, are not blocked by this ACL.
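To make the evaluation order of Scenario 1 concrete, here is an added Python model of the switch's ACL processing; it is not code from the manual or from the product. The Rule, Packet and Firewall classes, the port names and the sample packets are assumptions constructed for the example; the rule, the default action and the port range come from the scenario above.

```python
"""Ordered ACL evaluation with wildcard masks, firewall default action and per-port binding."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")      # "any": every address bit is don't-care


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 1 bit means 'don't care', a 0 bit must match exactly."""
    keep = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & keep == int(IPv4Address(base)) & keep


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


class Firewall:
    def __init__(self, default="permit"):
        self.default = default      # "firewall default permit|deny"
        self.acls = {}              # number -> ordered rule list, first match wins
        self.bindings = {}          # (port, direction) -> ACL number

    def access_list(self, number, rule):
        self.acls.setdefault(number, []).append(rule)

    def access_group(self, port, number, direction="in"):
        self.bindings[(port, direction)] = number

    def evaluate(self, port, pkt, direction="in"):
        number = self.bindings.get((port, direction))
        if number is None:
            return self.default     # nothing bound on this port: only the default rule applies
        for rule in self.acls.get(number, []):
            if rule.matches(pkt):
                return rule.action
        return self.default         # no rule matched: default rule applies


def scenario_1():
    """Scenario 1 from the text: block FTP control connections from 10.0.0.0/24 on ports 1 to 10."""
    fw = Firewall(default="permit")
    fw.access_list(110, Rule("deny", "tcp", "10.0.0.0", "0.0.0.255", *ANY, dport=21))
    for n in range(1, 11):
        fw.access_group(f"Ethernet0/0/{n}", 110, "in")
    return fw


if __name__ == "__main__":
    fw = scenario_1()
    ftp = Packet("tcp", "10.0.0.7", "198.51.100.20", 40000, 21)
    print("FTP on port 3:", fw.evaluate("Ethernet0/0/3", ftp))
    print("FTP on port 11:", fw.evaluate("Ethernet0/0/11", ftp))
```

The model makes two consequences of the scenario visible: a host that is moved to port 11 is no longer filtered because the ACL is bound per port, and an FTP server reached on port 2121 is permitted because the rule keys on the destination port rather than on the application.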
196. regard the Port Channel as a logical port and send BPDU frames via the master port. Port aggregation is closely related to the switch hardware. SS2R24/48G4i switches allow physical port aggregation between any two switches; a maximum of 8 port groups, with 8 ports in each port group, is supported. Once ports are aggregated they can be used as a normal port. SS2R24/48G4i switches have a built-in aggregation interface configuration mode, in which the user can perform the related configuration just as in the VLAN and physical port configuration modes.

17.2 Port Channel Configuration
17.2.1 Port Channel Debug and Monitor Command
1 Create a port group in Global Mode
2 Add ports to the specified group from the Port Mode of the respective ports
3 Enter port-channel configuration mode
1 Creating a port group
Command (Global Mode) / Explanation
port-group <port-group-number> [load-balance dst-src-mac] / no port-group <port-group-number>: Creates or deletes a port group and sets the load balance method for that port group.
2 Add physical ports to the port group
Command (Interface Mode) / Explanation
port-group <port-group-number> mode {active | passive | on} / no port-group <port-group-number>: Adds ports to the port group and sets their mode.
3 Enter port-channel configuration mode
Command (Global Mode) / Explanation
Enters port-channel interface port c
197. rface are classified as warnings. The display level of the output monitored by the shell Configure command is notifications.
Attention: By default the system log is disabled. When it is enabled, the classification and output of the information, especially when a large amount of information is being processed, will affect system performance.

5.6.1.3 The three-level switch of log messages
The system log uses a three-level switch architecture to control the output of log messages: the global log switch, the state of each log output channel, and the module state in each channel's filter items. Only when the global switch is on are log messages written to the log message queue. After the switch boots, the system log task is started; its job is to read every log message out of the log message queue and send it out through every output channel. A log message can only be sent through an output channel that is in the Enable state. When the log message enters the output channel it is checked against the channel's filter items, and only when the source module of the log message is marked On in the filter items is the log message actually sent out through that output channel.

5.6.2 Configuring The System Log
5.6.2.1 The Task Sequence of Configuring The System Log
1 Set the global log switch
Set the o
198. rsion of BootP. It is a mainstream technology that not only provides boot information for diskless workstations but also relieves administrators from manually recording IP allocations and reduces user effort and cost on configuration. Another benefit of DHCP is that it partially eases the pressure on IP address demand: when the user of an IP address leaves the network, that address can be assigned to another user. DHCP is a client/server protocol: the DHCP client requests a network address and configuration parameters from the DHCP server, and the server provides the network address and configuration parameters to the client. If the DHCP server and clients are located in different subnets, a DHCP relay is required for DHCP packets to be transferred between the DHCP client and the DHCP server. The implementation of DHCP is shown below.
Fig 18.1 DHCP protocol interaction
Explanation:
1 The DHCP client broadcasts DHCPDISCOVER packets in the local subnet.
2 On receiving the DHCPDISCOVER packet, a DHCP server sends a DHCPOFFER packet carrying an IP address and other network parameters to the DHCP client.
3 The DHCP client broadcasts a DHCPREQUEST packet naming the DHCP server it selected from among the DHCPOFFER packets received.
4 The DHCP server selected by the client sends a DHCPACK packet, and the client obtains its IP address and the other network configuration parameters.
The above four steps complete a dynamic host configuration assignment process. However, if t
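The four-step exchange above, as an added Python example that is not part of the manual: it encodes and decodes RFC 2131 messages with the options the exchange needs and runs a client against one or two in-process servers. The Server class, client_exchange, the rogue server and the client MAC are constructed for the example; the addresses reuse pool A from the DHCP configuration example later in this document. Running the exchange with two servers on the same segment shows that the client ends up with whichever offer it processes first, which is the problem DHCP snooping trust ports exist to address.

```python
"""DHCP DISCOVER / OFFER / REQUEST / ACK exchange, encoded per RFC 2131, run offline."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                 # option-field magic cookie
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte fixed header


def build(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode one DHCP message: fixed header + cookie + TLV options + END (255)."""
    fixed = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                        IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in options)
    return fixed + MAGIC + body + b"\xff"


def parse(msg):
    """Decode the fixed header and the option TLVs into a dict."""
    f = struct.unpack(HDR, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:
        if msg[i] == 0:          # PAD option has no length byte
            i += 1
            continue
        tag, length = msg[i], msg[i + 1]
        opts[tag] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:6], "opts": opts}


class Server:
    """Minimal DHCP server with a static pool; leases are keyed by client MAC (constructed)."""
    def __init__(self, ident, pool, mask, router, lease_seconds):
        self.ident = IPv4Address(ident).packed
        self.pool, self.leases = list(pool), {}
        self.params = [(54, self.ident), (1, IPv4Address(mask).packed),
                       (3, IPv4Address(router).packed), (51, struct.pack("!I", lease_seconds))]

    def handle(self, raw):
        m = parse(raw)
        kind = m["opts"][53][0]
        if kind == DISCOVER:                                          # step 2: offer an address
            ip = self.leases.get(m["chaddr"]) or self.pool.pop(0)
            self.leases[m["chaddr"]] = ip
            return build(2, m["xid"], m["chaddr"], ip, [(53, bytes([OFFER]))] + self.params)
        if kind == REQUEST:                                           # step 4: only the chosen server acks
            if m["opts"].get(54) != self.ident:
                return None
            ip = str(IPv4Address(m["opts"][50]))
            if self.leases.get(m["chaddr"]) != ip:
                return None
            return build(2, m["xid"], m["chaddr"], ip, [(53, bytes([ACK]))] + self.params)
        return None


def client_exchange(servers, chaddr, xid=0x3903F326):
    """Steps 1 to 4 as seen by the client; every server on the segment sees each broadcast."""
    discover = build(1, xid, chaddr, options=[(53, bytes([DISCOVER]))])
    offers = [parse(r) for s in servers for r in [s.handle(discover)] if r]
    offers = [o for o in offers if o["xid"] == xid and o["opts"][53][0] == OFFER]
    if not offers:
        raise RuntimeError("no DHCPOFFER received")
    chosen = offers[0]                         # step 3: the first usable offer wins
    request = build(1, xid, chaddr, options=[(53, bytes([REQUEST])), (54, chosen["opts"][54]),
                                              (50, IPv4Address(chosen["yiaddr"]).packed)])
    acks = [parse(r) for s in servers for r in [s.handle(request)] if r]
    if not acks or acks[0]["opts"][53][0] != ACK:
        raise RuntimeError("lease not acknowledged")
    ack = acks[0]
    return {"ip": ack["yiaddr"], "server": str(IPv4Address(ack["opts"][54])),
            "router": str(IPv4Address(ack["opts"][3])),
            "lease": struct.unpack("!I", ack["opts"][51])[0]}


# Constructed sample: the switch's pool A from this manual, and a rogue host on the same VLAN.
def legit_server():
    return Server("10.16.1.2", ["10.16.1.50", "10.16.1.51"], "255.255.255.0", "10.16.1.200", 3 * 86400)


def rogue_server():
    return Server("10.16.1.99", ["10.16.1.250"], "255.255.255.0", "10.16.1.99", 600)


CLIENT_MAC = bytes.fromhex("00032223dcab")

if __name__ == "__main__":
    print("legit answers first:", client_exchange([legit_server(), rogue_server()], CLIENT_MAC))
    print("rogue answers first:", client_exchange([rogue_server(), legit_server()], CLIENT_MAC))
```

Nothing in the exchange authenticates the server: the client trusts the first DHCPOFFER whose transaction ID matches, so a rogue server that replies faster hands the client its own address as the default gateway. On the switch, the DHCP snooping feature described later drops server messages arriving on untrusted ports, which is the control that closes this gap.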
199. rt ID; the format and value range of the port ID are explained in the port introduction part of this chapter.
Command Mode: Admin Mode

Chapter 8 MAC Table Configuration
8.1 Introduction to MAC Table
The MAC table records the mapping between destination MAC addresses and switch ports. MAC addresses can be categorized as static and dynamic. Static MAC addresses are configured manually by the user, have the highest priority and are permanently effective; they are not overwritten by dynamic MAC addresses. Dynamic MAC addresses are entries learned by the switch while forwarding data frames and are effective only for a limited period. When the switch receives a data frame to be forwarded, it stores the source MAC address of the frame and creates a mapping to the port on which it arrived. The MAC table is then queried for the destination MAC address: on a hit the frame is forwarded out of the associated port, otherwise the switch floods the frame to its broadcast domain. If a dynamic MAC address is not seen in forwarded data frames for a long time, its entry is deleted from the MAC table. There are two MAC table operations: 1 obtain a MAC address; 2 forward or filter a data frame according to the MAC table.
8.1.1 Obtaining MAC Table
The MAC table can be built up statically and dynamically. Static configuration is to set up a mapping between the
200. rule used in source control to a port; prefixing the command with no cancels the configuration.
2 Configuration of destination control
Similar to the configuration of source control, it has three steps. The first step is to globally enable destination control. Since destination control should prevent unauthorized users from receiving multicast data, after destination control is enabled globally the switch will not flood the multicast data it receives, so avoid connecting two or more other layer 3 switches to a switch with destination control enabled within one VLAN. The command is as follows:
Command (Global configuration mode) / Explanation
ip multicast destination control / no ip multicast destination control (necessary): Enable destination control globally. The no ip multicast destination control command disables destination control globally. Only after destination control is enabled globally can the other configurations take effect.
The next step is to configure the destination control rules, which is also similar to source control except that it uses ACL IDs from 6000 to 7999.
Command (Global configuration mode) / Explanation
[no] access-list <6000-7999> {deny | permit} ip {<source> <source-wildcard> | host-source <source-host-ip> | any-source} {<destination> <destination-wildcard> |
201. runk
switchB(Config-Ethernet)# exit
switchB(Config)# vlan 20
switchB(Config-Vlan20)# multicast vlan
switchB(Config-Vlan20)# multicast vlan association 100 101
switchB(Config-Vlan20)# exit
switchB(Config)# ip igmp snooping
switchB(Config)# ip igmp snooping vlan 20

Chapter 13 DCSCM Configuration
13.1 DCSCM Introduction
DCSCM (security-controlled multicast) technology covers three aspects: multicast source controllability, multicast user controllability, and a service-priority-oriented multicast policy. DCSCM mainly uses the following methods to realize multicast source controllability:
a On the boundary switch, if source-controlled multicast is configured, only multicast data of the specified group sent by the specified source can pass.
b On the RP switch at the PIM-SM core, REGISTER_STOP is sent directly in reply to all REGISTER messages other than those for the specified source and group, and creating list entries is not allowed. This task is implemented in the PIM-SM module.
The multicast user controllability part of DCSCM is based on control over the IGMP report messages from users, so the controlling modules are the IGMP snooping module and the IGMP module. Its control logic includes the following three methods: control according to the source VLAN and MAC address of the message, control according to the source IP address of the message, and control according to the port through which the message
202. rust attributes of the port
action: Automatic defense action of the port
recovery interval: The recovery interval of the automatic defense action of the port
maxnum of alarm info: The maximum number of automatic defense actions that can be recorded for the port
Under the line: The history log of automatic defense actions of the port
19.3.1.2 logging source
Command: logging source {default | m_shell | sys_event | anti_attack} channel {console | logbuff | loghost | monitor} level {critical | debugging | notifications | warnings} state {on | off}
Function: The details of this command are covered in the chapter on the system log. The data source anti_attack records information about all kinds of defense against network attacks, including the automatic defense action log of DHCP snooping.
Parameters: Not covered
Command Mode: Global configuration mode
Default Setting: Not covered
19.3.1.3 show logging lastFailureInfo
Command: show logging lastFailureInfo
Function: This command displays the system abnormal information recorded in flash. The defense action of DHCP Snooping is also recorded in flash as system abnormal information and can be checked with this command.
Command Mode: Admin Mode
19.3.2 DHCP Snooping Troubleshooting
If there are problems when using DHCP Snooping, please check the following possible reasons:
Check whether t
203. rwise the switch may be damaged by electrostatic adherence.
Maintain the temperature within 0 to 50 C and the humidity within 5 to 95 percent, non-condensing.
The switch must be put in a dry and cool place. Leave sufficient spacing around the switch for good air circulation.
The switch must work within the right range of power input: AC power 100 to 240 VAC, 50/60 Hz.
The switch must be well grounded in order to avoid ESD damage and physical injury to people.
The switch should avoid direct sunlight. Keep the switch away from heat sources and strong sources of electromagnetic interference.
The switch must be mounted in a standard 19-inch rack or placed on a clean, level desktop.
2.1.1.1 Dust and Particles
Dust is harmful to the safe operation of the SS2R24/48G4i switch. Dust can lead to electrostatic adherence, especially under low relative humidity, causing poor contact of metal connectors or contacts. Electrostatic adherence results not only in reduced product lifespan but also in an increased chance of communication failures. The recommended values for dust content and particle diameter at the site are shown below.
Table 2.1 Environmental Requirements: Dust (maximum particle density in particles per cubic metre by particle diameter; the exponents of the original table are lost in this copy: 7 5 5 5 1 4 10 7x10 2 4x10 1 3x10 particles/m3)
In addition, salt, acid and sulphide in the air are also harmful to the switch. Such harmful gases aggravate metal corrosion and the aging of some parts. The site should avoid harmful gases such as SO
204. s are set by default: queue 1 forwards normal packets, and the other queues are used for some important control packets such as BPDU. When QoS is shut down, a queue is chosen according to the CoS value.
7 When QoS is enabled in Global Mode, QoS is enabled on all ports with 4 traffic queues. The default CoS value of the port is 0, the port is in the not-trusted state by default, the default queue weight values are 1, 2, 4, 8 in order, and all QoS maps use their default values. CoS value 7 maps to queue 4, which has the highest priority and is usually reserved for certain protocol packets; it is not recommended for the user to change the mapping between CoS 7 and queue 4 or to set the default port CoS value to 7.
A policy map can only be bound in the ingress direction; egress is not supported yet. If the policy is too complex to be configured because of hardware resource limits, error messages will be shown.

Chapter 23 Layer 3 Configuration
The SS2R24/48G4i switch only supports the layer 2 forwarding function, but a layer 3 control port can be configured. On the interface of this port, IP addresses used by the various IP-based control protocols can be configured.
23.1 Layer 3 Interface
23.1.1 Introduction to Layer 3 Interface
A layer 3 interface can be created on the SS2R24/48G4i switch. A layer 3 interface is not a physical interface but a virtual interface built on a VLAN. A layer 3 interface can contain one or more layer 2
205. s binding function for the ports
2 Lock the MAC addresses for a port
3 MAC address binding property configuration
1 Enable MAC address binding function for the ports
Command (Interface Mode) / Explanation
switchport port-security / no switchport port-security: Enable the MAC address binding function; the no switchport port-security command disables the MAC address binding function.
2 Lock the MAC addresses for a port
Command (Interface Mode) / Explanation
switchport port-security lock / no switchport port-security lock: Lock the port. After the port is locked no MAC address can be learned; no switchport port-security lock resumes MAC address learning.
switchport port-security convert: Convert the dynamic secure MAC addresses learned by the port to static secure MAC addresses.
switchport port-security timeout <value> / no switchport port-security timeout: Enable the port locking timer function; the no switchport port-security timeout command restores the default setting.
switchport port-security mac-address <mac-address> / no switchport port-security mac-address <mac-address>: Add a static secure MAC address; the no switchport port-security mac-address <mac-address> command deletes the static secure MAC address.
clear port-security dynamic [address <mac-addr> | interface <interface-id>]: Clear dynamic MA
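The MAC table behaviour described in 8.1 (static entries with the highest priority, dynamic learning, aging and flooding on a miss) and the port-security commands listed above, as one added Python model; it is not code from the manual or from the switch. The class, the method names and the simulated clock are assumptions, as is the decision to drop a frame whose unknown source MAC arrives on a locked port (the text only states that no new address is learned there).

```python
"""Switch MAC table with static/dynamic entries, aging, flooding and port locking (model)."""


class MacTable:
    def __init__(self, aging_seconds=300):
        self.aging = aging_seconds
        self.now = 0              # simulated clock in seconds, advanced with tick()
        self.entries = {}         # mac -> {"port", "static", "seen"}
        self.secure = {}          # port -> {"locked", "static": set(), "dynamic": set()}

    def tick(self, seconds):
        self.now += seconds

    # ----- MAC table operations (8.1) -----
    def add_static(self, mac, port):
        """Static entries have the highest priority and are never overwritten or aged out."""
        self.entries[mac] = {"port": port, "static": True, "seen": None}

    def _age_out(self):
        stale = [m for m, e in self.entries.items()
                 if not e["static"] and self.now - e["seen"] > self.aging]
        for mac in stale:
            del self.entries[mac]

    def _learn(self, in_port, src):
        """Record source MAC -> ingress port; returns False if the frame must be dropped."""
        e = self.entries.get(src)
        if e and e["static"]:
            return True                      # static wins; a dynamic sighting does not move it
        sec = self.secure.get(in_port)
        if sec and sec["locked"] and src not in sec["dynamic"]:
            return False                     # locked port: no new address learned (dropped here, an assumption)
        self.entries[src] = {"port": in_port, "static": False, "seen": self.now}
        if sec:
            sec["dynamic"].add(src)
        return True

    def forward(self, in_port, src, dst, ports):
        """Returns (decision, egress ports): unicast on a hit, flood on a miss, filter if dst sits on in_port."""
        self._age_out()
        if not self._learn(in_port, src):
            return ("drop", [])
        e = self.entries.get(dst)
        if e is None:
            return ("flood", [p for p in ports if p != in_port])
        if e["port"] == in_port:
            return ("filter", [])
        return ("unicast", [e["port"]])

    # ----- port security (switchport port-security ...) -----
    def enable_port_security(self, port):
        self.secure.setdefault(port, {"locked": False, "static": set(), "dynamic": set()})

    def lock(self, port, locked=True):
        self.secure[port]["locked"] = locked

    def add_secure_static(self, port, mac):
        self.secure[port]["static"].add(mac)
        self.add_static(mac, port)

    def convert(self, port):
        """Promote the dynamic secure addresses learned on the port to static secure ones."""
        sec = self.secure[port]
        for mac in list(sec["dynamic"]):
            self.add_secure_static(port, mac)
        sec["dynamic"].clear()

    def clear_dynamic(self, port):
        sec = self.secure[port]
        for mac in list(sec["dynamic"]):
            self.entries.pop(mac, None)
        sec["dynamic"].clear()


if __name__ == "__main__":
    t, ports = MacTable(), ["e1", "e2", "e3"]
    print(t.forward("e1", "aa", "bb", ports))   # unknown destination: flooded
    print(t.forward("e2", "bb", "aa", ports))   # aa now known on e1: unicast
    t.enable_port_security("e3")
    t.lock("e3")
    print(t.forward("e3", "cc", "aa", ports))   # locked port, unknown source: dropped
```

The point of the lock and convert commands is visible in the model: once a port's learned addresses are converted to static secure entries they survive aging and cannot be displaced by a frame carrying the same source MAC on another port, so a host that spoofs a neighbour's MAC to hijack its traffic no longer moves the table entry.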
206. s into the switch; it can cause a short circuit.
Do not touch the power plug and power socket.
Do not place tinder near the switch.
Do not configure the switch alone in a dangerous situation.
Use standard power sockets that have overload and leakage protection.
Inspect and maintain the site and the switch regularly.
Have an emergency power switch on the site; in case of emergency, switch off the power immediately.
2.2 Installation Preparation
2.2.1 Verify the Package Contents
The above contents are subject to the received package contents.
2.2.2 Required Tools and Utilities
The required tools and utilities: cross-head screwdriver, flat-blade screwdriver, wire clamp, antistatic uniform, ESD wrist strap, antistatic gloves, connecting cable, console cable and commutator, standard twisted pair, RJ-45 pin
Table 2.4 The required tools and utilities
2.3 Hardware Installation
2.3.1 Installing the Switch
Please mount the SS2R24/48G4i switch in the 19-inch rack as shown below.
Fig 2.1 SS2R24/48G4i switch rack mounting
1 Attach the 2 brackets to the SS2R24/48G4i switch with the screws provided in the accessory kit.
2 Put the bracket-mounted switch smoothly into a standard 19-inch rack. Fasten the SS2R24/48G4i switch to the rack with the screws provided. Leave enough space around the switch for good air circula
207. sh server enable / no ssh server enable
5.2.3.5.3 debug ssh server
Command: debug ssh server / no debug ssh server
Function: Enable the debug information of the SSH server; the no debug ssh server command disables the debug information of the SSH server.
Default Setting: By default the debug information is disabled.
Command Mode: Admin Mode
5.2.4 Traceroute
Command: traceroute {<ip-addr> | host <hostname>} [hops <hops>] [timeout <timeout>]
Function: This command tests the gateways passed by packets on their way from the sending equipment to the destination equipment, in order to check whether the network can be reached and to locate network faults.
Parameters: <ip-addr> is the IP address of the destination host in dotted decimal format; <hostname> is the host name of the remote host; <hops> is the maximum number of gateways passed that traceroute allows; <timeout> is the timeout value for packets in milliseconds, ranging from 100 to 10000.
Default Setting: The maximum number of gateways passed is 16 by default, and the timeout value is 2000 milliseconds.
Command Mode: Admin Mode
Relative Command: ip host
5.2.5 Show
The show command is used to display information about the system, ports and protocol operation. This part introduces the show commands that display system information; other show commands are discussed in other chapters.
5.2.5.1
208. show arp
Command: show arp
Function: Display the ARP mapping table
Command Mode: Admin Mode
5.2.5.2 show clock
Command: show clock
Function: Display the current system clock
Command Mode: Admin Mode
Relative Command: clock set
5.2.5.3 show debugging
Command: show debugging
Function: Display the debugging state
Command Mode: Admin Mode
Relative Command: debug
5.2.5.4 show flash
Command: show flash
Function: Display the files in flash
Command Mode: Admin Mode
5.2.5.5 show history
Command: show history
Function: Display the commands recently entered by the user
Command Mode: Admin Mode
5.2.5.6 show memory
Command: show memory
Function: Display the contents of memory
Command Mode: Admin Mode
5.2.5.7 show rom
Command: show rom
Function: Display the enable document and bulk
Command Mode: Admin Mode
5.2.5.8 show running-config
Command: show running-config
Function: Display the currently active configuration parameters of the switch
Default: If the active configuration parameters are the same as the default operating parameters, nothing is displayed.
Command mode: Admin Mode
5.2.5.9 show startup-config
Command: show startup-config
Function: Display the switch configuration parameters written into flash memory, which are usually also the configuration used at the next power-up.
Default: If the configuration parameters read from flash are the same as the defa
209. smission times before timeout for packets without acknowledgement
4 Shut down the TFTP server
1 FTP/TFTP configuration
1 FTP/TFTP client upload/download file
Command (Admin Mode) / Explanation
copy <source-url> <destination-url> [ascii | binary]: FTP/TFTP client upload/download of a file. For an FTP client the server file list can be checked. The FtpServerUrl format looks like ftp://user:password@IP-Address/Dir; note that the password travels in cleartext in the URL and on the wire.
2 FTP server configuration
1 Start the FTP server
Command (Global Mode) / Explanation
ftp server enable / no ftp server enable: Start the FTP server; the no ftp server enable command shuts down the FTP server and prevents FTP users from logging in.
2 Set the username and password for FTP login
Command (Global Mode) / Explanation
ip ftp server username <username> password {0|7} <password> / no ip ftp server username <username>: Set the FTP server username and password used when logging in.
3 Modify the FTP server connection idle time
Command (Global Mode) / Explanation
ftp server timeout <seconds> / no ftp server timeout: Set the connection idle time.
3 TFTP server configuration
1 Start the TFTP server
Command (Global Mode) / Explanation
tftp server enable / no tftp server enable: Start the TFTP server; the no tftp server enable command shuts down the TFTP server and prevents TFTP users from logging in.
tftp ser
210. ss restricted resources before being authenticated; after passing authentication they can access all resources.
14.2 802.1x Configuration
14.2.1 802.1x Configuration Task List
1 Enable the IEEE 802.1x function
2 Access management unit property configuration
  1 Configure port authentication status
  2 Configure the access management method for the port: MAC-based or port-based
  3 Configure expanded 802.1x functions
3 User access device related property configuration (optional)
4 RADIUS server related property configuration
  1 Configure the RADIUS authentication key
  2 Configure the RADIUS server
  3 Configure RADIUS service parameters
1 Enable the 802.1x function
Command (Global Mode) / Explanation
aaa enable / no aaa enable: Enables the AAA authentication function in the switch; the no aaa enable command disables the AAA authentication function.
aaa accounting enable / no aaa accounting enable: Enables the accounting function in the switch; the no aaa accounting enable command disables the accounting function.
aaa accounting update {enable | disable}: Enables or disables accounting updates.
dot1x enable / no dot1x enable: Enables the 802.1x function in the switch and on its ports; the no dot1x enable command disables the 802.1x function.
dot1x user free-resource <prefix> <mask> / no dot1x user free-resource
dot1x privateclient enable / no dot1x privateclient enable: Enable the switch to force the
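The RADIUS authentication key configured in task 4 is the shared secret that RFC 2865 uses both to hide the User-Password attribute of a PAP-style Access-Request and to sign the server's reply with the Response Authenticator (an 802.1x exchange carries EAP-Message attributes instead of User-Password, but the Response Authenticator check is the same). The following added Python example, which is not code from the manual or from any RADIUS product, implements that part of the protocol between a NAS and a server in one process; the secret, user, password and attribute layout are constructed for the example.

```python
"""RADIUS Access-Request: RFC 2865 User-Password hiding and Response Authenticator check."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    raw = password.encode()
    raw = raw.ljust(-(-len(raw) // 16) * 16, b"\0")
    out, prev = b"", req_auth          # the first block is keyed by the Request Authenticator
    for i in range(0, len(raw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(raw[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")


def encode_attrs(pairs):
    """Attribute TLVs: type, length (including the 2-byte header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, pkt[4:20], attrs


def access_request(secret, ident, user, password, req_auth=None):
    """NAS side: the Request Authenticator is 16 random bytes unless one is supplied for a test."""
    req_auth = req_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, hide_password(secret, req_auth, password))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def respond(secret, request, users):
    """Server side: recover the password, decide, and sign the reply."""
    _, ident, req_auth, attrs = parse(request)
    user = attrs[USER_NAME].decode(errors="replace")
    ok = users.get(user) == reveal_password(secret, req_auth, attrs[USER_PASSWORD])
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + b"" + secret).digest()


def verify_response(secret, request, response):
    """NAS side: a reply whose authenticator was not built with the shared secret is discarded."""
    _, ident, req_auth, _ = parse(request)
    _, rid, resp_auth, _ = parse(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return rid == ident and hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret, users = b"switch-radius-key", {"alice": "correct horse battery staple"}
    req = access_request(secret, 7, "alice", "correct horse battery staple")
    reply = respond(secret, req, users)
    print("accept:", parse(reply)[0] == ACCESS_ACCEPT, "authentic:", verify_response(secret, req, reply))
```

Two properties follow directly from the construction and are worth checking when the key is chosen: the password hiding is reversible by anyone who holds the secret or can guess it offline from a captured packet, and a reply forged by a host without the secret fails the Response Authenticator check, so the secret must be long and random and the RADIUS traffic should be kept on a protected management path.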
211. t <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} tcp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} [s-port <port1>] {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [d-port <port3>] [ack | fin | psh | rst | urg | syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based MAC-TCP access rule; the no form of the command deletes this name-based extended MAC-TCP access rule.
[no] {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} udp {<source> <source-wildcard> | any-source | host-source <source-host-ip>} [s-port <port1>] {<destination> <destination-wildcard> | any-destination | host-destination <destination-host-ip>} [d-port <port3>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based MAC-UDP access rule; the no form of the command deletes this name-based extended MAC-UDP access rule.
[no] {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac
212. t <InterfaceName> / no debug aaa packet {send | receive | all} interface ethernet <InterfaceName>
Function: Enable the information on AAA packets received and sent; the no debug aaa packet {send | receive | all} interface ethernet <InterfaceName> command disables the information on AAA packets received and sent.
Command Mode: Admin Mode
Parameters: send represents sending packets; receive represents receiving packets; all represents receiving and sending packets; <InterfaceName> is the name of the interface.
14.4.1.8 debug dot1x detail
Command: debug dot1x detail {pkt-send | pkt-receive | internal | userbased | all} interface ethernet <InterfaceName> / no debug dot1x detail {pkt-send | pkt-receive | internal | userbased | all} interface ethernet <InterfaceName>
Function: Enable the detailed debug information of dot1x; the no form of the command disables the detailed debug information of dot1x.
Command Mode: Admin Mode
Parameters: pkt-send represents the details of sent packets; pkt-receive represents the details of received packets; internal represents internal details; userbased represents the user-based information; all represents all the detailed information; <InterfaceName> is the name of the interface.
14.4.1.9 debug dot1x error
Command: debug dot1x error / no debug dot1x erro
213. t Configuration: the same as scenario 1.
IGMP Snooping listening result: similar to scenario 1.
11.4 IGMP Snooping Troubleshooting
11.4.1 IGMP Snooping Monitor and Debug Command
11.4.1.1 debug igmp snooping {all | packet | event | timer | mfc}
Command: debug igmp snooping {all | packet | event | timer | mfc} / no debug igmp snooping {all | packet | event | timer | mfc}
Function: Enable the IGMP Snooping debug switch of the switch; the no debug igmp snooping {all | packet | event | timer | mfc} command disables the debug switch.
Command Mode: Admin Mode
Default Setting: By default the IGMP Snooping debug switch of the switch is disabled.
11.4.1.2 show ip igmp snooping
Command: show ip igmp snooping [vlan <vlan-id>]
Parameter: <vlan-id> is the number of the VLAN for which IGMP Snooping information is displayed.
Command Mode: Admin Mode
1 Display the summary information of IGMP Snooping on the switch
Displayed information / Explanation
Global igmp snooping status: Whether the global IGMP snooping switch of the switch is enabled
Igmp snooping is turned on for vlan 1: Which VLANs of the switch have the IGMP snooping querier function enabled, and whether they are L2 general queriers
2 Display the detailed information of IGMP Snooping for VLAN 1
Displayed information / Explanation
Igmp snooping L2 general querier: Whether the VLAN has started the L2 general querier function, and the state of the querier (could query, or suppressed)
Igmp snooping query interval: The quer
214. ta connection service. TFTP builds upon UDP, providing an unreliable data stream transfer service with no user authentication and no permission-based file access authorization. It ensures correct data transmission through a send-and-acknowledge mechanism and retransmission of timed-out packets. The advantage of TFTP over FTP is that it is a simple, low-overhead file transfer service.
The SS2R24/48G4i switch can operate as either an FTP/TFTP client or server. When the switch operates as an FTP/TFTP client, configuration files or system files can be downloaded from remote FTP/TFTP servers (which can be hosts or other switches) without affecting its normal operation, and the file list can also be retrieved from the server in FTP client mode. The switch can also upload its current configuration files or system files to remote FTP/TFTP servers (hosts or other switches). When the switch operates as an FTP/TFTP server, it provides file upload and download service for authorized FTP/TFTP clients, and as an FTP server it also provides a file list service. Because neither FTP nor TFTP encrypts the session, and TFTP does not authenticate at all, these server functions should only be enabled on a trusted management network and disabled again when the transfer is finished.
Here are some terms frequently used in FTP/TFTP:
ROM: Short for EPROM, erasable programmable read-only memory. EPROM is replaced by FLASH memory in the SS2R24/48G4i switch.
SDRAM: RAM memory in the switch, used for system software operation and configuration sequence storage.
FLASH: Flash memory, used to save the system file and configuration file.
System fil
215. tch supports IEEE 802.1D spanning tree and IEEE 802.1w rapid spanning tree. Spanning tree effectively avoids loops and at the same time creates a redundant backup for the link.
Port Mirroring (port image): The switch supports port mirroring, which copies the inbound/outbound traffic of one or more ports to another port in order to inspect the data. This function can be used to debug network faults and monitor traffic.
DHCP Server/Client: The switch supports a DHCP server that can dynamically allocate IP addresses to equipment and bind a MAC address to an IP address by designating an IP for a specified MAC.
RADIUS: The switch supports RADIUS (Remote Authentication Dial-In User Service). RADIUS allows users to authenticate their identity via the IEEE 802.1x protocol.
Complete Network Management: The switch can be managed out-of-band and in-band via Console, Telnet, Web and SNMP. Console and Telnet management support a standard CLI (Command Line Interface). Web management provides a remote browser-based graphical management interface that makes management more direct and convenient, enabling a quick check of the working state and real-time configuration management. SNMP management is in accordance with the V1, V2C and V3 standard versions, supporting the Ether-Like MIB, Bridge MIB and MIB-II as well as standard management information bases including RMON groups 1, 2, 3 and 9. The SS2R24/48G4i switch also supports the SSH protocol to maximize the safety of configuration management; of the listed management channels only SSH and SNMPv3 protect the session, so Telnet, Web management and SNMP v1/v2c should be confined to a trusted management network. What's more,
216. teway
Location A: gateway 10.16.1.200, 10.16.1.201; DNS server 10.16.1.202; WINS server 10.16.1.209; WINS node type H-node; lease 3 days
Location B: gateway 10.16.2.200, 10.16.2.201; DNS server 10.16.2.202; WINS server 10.16.2.209; WINS node type H-node; lease 1 day
In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned the fixed IP address 10.16.1.210 and named management.
Switch(Config)# interface vlan 1
Switch(Config-If-Vlan1)# ip address 10.16.1.2 255.255.255.0
Switch(Config-If-Vlan1)# exit
Switch(Config)# ip dhcp pool A
Switch(dhcp-A-config)# network 10.16.1.0 24
Switch(dhcp-A-config)# lease 3
Switch(dhcp-A-config)# default-route 10.16.1.200 10.16.1.201
Switch(dhcp-A-config)# dns-server 10.16.1.202
Switch(dhcp-A-config)# netbios-name-server 10.16.1.209
Switch(dhcp-A-config)# netbios-node-type H-node
Switch(dhcp-A-config)# exit
Switch(Config)# ip dhcp excluded-address 10.16.1.200 10.16.1.210
Switch(Config)# ip dhcp pool B
Switch(dhcp-B-config)# network 10.16.2.0 24
Switch(dhcp-B-config)# lease 1
Switch(dhcp-B-config)# default-route 10.16.2.200 10.16.2.201
Switch(dhcp-B-config)# dns-server 10.16.2.202
Switch(dhcp-B-config)# option 72 ip 10.16.2.209
Switch(dhcp-B-config)# exit
Switch(Config)# ip dhcp excluded-address 10.16.2.200 10.16.2.210
Switch(Config)# ip dhcp pool A1
Switch(dhcp-A1-config)# host 10.16.1.210
Switch(dhcp-A1-config)# hardware-address 0003.2223.dcab
Switch(dhcp-A1-config)# client-name management
Switch(dhcp-A
Note that pool B sets its 10.16.2.209 server with option 72, which in RFC 2132 is the WWW server option; the NetBIOS name server is option 44, which is what netbios-name-server configures in pool A.
the no form of the command deletes this name-based extended MAC access list.

b. Specify multiple permit or deny rule entries

Extended name-based MAC access rule mode:

[no] {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]
    Creates an extended name-based MAC access rule matching MAC frames; the no form of the command deletes this name-based extended MAC access rule.

[no] {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} untagged-eth2 [ethertype <protocol> [<protocol-mask>]]
    Creates an extended name-based MAC access rule matching untagged Ethernet II frames; the no form of the command deletes this name-based extended MAC access rule.

[no] {deny | permit} {any-source-mac | host-source-mac <host_smac> | <smac> <smac-mask>} {any-destination-mac | host-destination-mac <host_dmac> | <dmac> <dmac-mask>} untagged-802-3
    Creates a MAC access rule matching 802.3 frames; the
the IP pool; when AM is disabled it will delete all the address pools.

16.3 AM Configuration

16.3.1 AM Configuration Task Sequence

1. Enable AM
2. Configure IP address on an interface
3. Configure MAC-IP address on an interface
4. Delete all the address pools

1. Enable AM (Global configuration mode)

am enable
no am enable
    Enable the AM (access management) function in order to configure address pools. The no am enable command disables AM and deletes all the address pools.

2. Configure IP address on an interface (Physical interface configuration mode)

am port
no am port
    Enable or disable the AM function of a physical interface.

am ip-pool <start_ip_address> <num>
no am ip-pool <start_ip_address> <num>
    Configure IP addresses on a physical interface. The no am ip-pool <start_ip_address> <num> command deletes all the configured IP addresses on the interface.

3. Configure MAC-IP address on an interface (Physical interface configuration mode)

am mac-ip-pool <mac_address> <ip_address>
no am mac-ip-pool <mac_address> <ip_address>
    Configure MAC-IP addresses on a physical interface. The no am mac-ip-pool <mac_address> <ip_address> command deletes all the configured MAC-IP addresses on
thernet0/0/10)#am port
Switch(Config-Ethernet0/0/10)#am mac-ip-pool 00-00-00-00-01-12 100.1.1.1
Switch(Config-Ethernet0/0/10)#am mac-ip-pool 00-00-00-00-00-13 100.1.1.2
Switch(Config-Ethernet0/0/10)#exit
Switch(Config)#exit

Configuration result:

Switch#show am
Global AM is enabled
Interface Ethernet0/0/10 am is enable
Interface Ethernet0/0/10
am mac-ip-pool 00-00-00-00-00-13 100.1.1.2 USER_CONFIG
am mac-ip-pool 00-00-00-00-01-12 100.1.1.1 USER_CONFIG

16.5 AM Troubleshooting

16.5.1 AM Debug and Monitor Command

16.5.1.1 show am

Command: show am [interface <interfaceName>]
Function: Display the address entries configured on the current switch.
Parameters: interfaceName is the name of the physical interface.
Command Mode: Global configuration mode
Default Setting: None

Displayed information and explanation:

Global AM is enabled
    AM is enabled.
am mac-ip-pool 00-00-00-00-00-13 100.1.1.2 USER_CONFIG
    Only users whose source MAC is 00-00-00-00-00-13 and source IP is 100.1.1.2 can pass; this entry is configured by users.
am mac-ip-pool 00-00-00-00-01-12 100.1.1.1 USER_CONFIG
    Only users whose source MAC is 00-00-00-00-01-12 and source IP is 100.1.1.1 can pass; this entry is configured by users.
am ip-pool 10.1.1.1 8 USER_CONFIG
    Only users whose source IP is in the range 10.1.1.1 to 10.1.1.8 can pass; this entry is configured by users.

16.5.2 AM Troubleshooting

Since there is only limited hardware resourc
this reason a password must be set for entering Admin Mode, to prevent unauthorized access and malicious modification of the switch.

4.2.1.1.3 Global Mode

Typing the config command under Admin Mode enters Global Mode, with the prompt Switch(Config)#. Using the exit command under other configuration modes, such as Interface Mode or VLAN Mode, returns to Global Mode. The user can perform global configuration settings under Global Mode, such as the MAC table, port mirroring, VLAN creation, starting IGMP Snooping, GVRP and STP, etc., and can go further into Interface Mode to configure all the interfaces.

4.2.1.1.4 Interface Mode

Using the interface command under Global Mode enters the specified interface mode. The SS2R24/48G4i switch provides three interface types (VLAN interface, Ethernet port and port-channel) and accordingly three interface configuration modes:

VLAN Interface
    Entry: type the interface vlan <Vlan-id> command under Global Mode
    Prompt: Switch(Config-If-Vlanx)#
    Operates: configure switch IPs, etc.
    Exit: use the exit command to return to Global Mode

Ethernet Port
    Entry: type the interface ethernet <interface-list> command under Global Mode
    Prompt: Switch(Config-ethernetxx)#
    Operates: configure the supported duplex mode, speed, etc. of the Ethernet port
    Exit: use the exit command to return to Global Mode

port-channel
    Entry: type the interface port-channel command under Global Mode
    Prompt: Switch(Config-if-port-c
tion.

Caution: The brackets are used to fix the switch onto the rack. They cannot serve as a load bearing; please place a rack shelf under the switch. Do not place anything on top of the switch. Do not block the ventilation holes of the switch, so as to ensure its proper operation.

2.3.2 Connecting Console

The SS2R24/48G4i switch provides a DB9 serial console port. The connection procedure is listed below.

Fig 2-2 Connecting Console to SS2R24/48G4i switch

1. Find the console cable provided in the accessory kit. Attach the Mini-USB end to the console port of the switch.
2. Connect the other side of the console cable to a character terminal (PC).
3. Power on the switch and the character terminal.
4. Configure the switch through the character terminal.

Caution: Please use the console cable and the console commutator supplied with the switch. Do not insert it incorrectly, to avoid breakage.

2.3.3 Power Supply Connection

The SS2R24/48G4i switch uses a 100-240VAC, 50/60Hz supply by default. The AC power supply connection procedure is described below:

1. Insert one end of the power cable provided in the accessory kit into a power source socket with overload and leakage protection, and the other end into the power socket on the back panel of the switch.
2. Check the power status indicator on the front panel of the switch. The corresponding power indicator should light.

The SS2R24/48G4i switch is self-adjustable for the in
tion: interface ethernet <interface-list> (enters Interface Mode)

2. Configure the properties for the Ethernet ports (Interface Mode)

shutdown
no shutdown
    Enables/disables the specified ports.

name <string>
no name
    Names or cancels the name of the specified ports.

mdi {auto | across | normal}
no mdi
    Sets the cable type for the specified port.

speed-duplex {auto | force10-half | force10-full | force100-half | force100-full | force100-fx | force1g-half | force1g-full} [nonegotiate [master | slave]]
    Sets port speed and duplex mode.

bandwidth control <bandwidth>
no bandwidth control
    Sets the receive/send data bandwidth on the specified ports.

flow control
no flow control
    Enables/disables the traffic control function for the specified ports.

loopback
no loopback
    Enables/disables the loopback test function for the specified ports.

combo-forced-mode {copper-forced | copper-prefered-auto | sfp-forced | sfp-prefered-auto}
no combo-forced-mode
    Sets the combo port mode.

3. Set the packet suppression function (Port configuration mode)

packet-suppression <packets> {broadcast | brmc | brmcdlf | all}
no packet-suppression
    Enable the packet suppression function of the switch and set the maximum data traffic allowed to pass. The no packet-suppression command is used to cancel the pa
tions for packets of different priority. A QoS-enabled switch or router can provide different bandwidth according to the packet classification information, can remark the classification information according to the configured policing policies, and may discard some low-priority packets in case of bandwidth shortage. If the devices at each hop in a network support differentiated service, an end-to-end QoS solution can be created. QoS configuration is flexible; its complexity or simplicity depends on the network topology and devices and on the analysis of incoming/outgoing traffic.

22.1.3 Basic QoS Model

Classification: Classify traffic according to the packet classification information and generate an internal DSCP value based on it. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail.

Policing and remark: Each packet in classified ingress traffic is assigned an internal DSCP value and can be policed and remarked. Policing can be performed based on the DSCP value to configure different policies that allocate bandwidth to classified traffic. If the traffic exceeds the bandwidth set in the policy (out-of-profile), the out-of-profile traffic can be allowed, discarded or remarked. Remarking uses a new DSCP value of lower priority to replace the original, higher-level DSCP value in the packet; this is also called marking d
ult operating parameter, nothing will be displayed.
Command mode: Admin Mode

5.2.5.10 show switchport interface

Command: show switchport interface ethernet <interface-list>
Function: Show the VLAN port mode, VLAN number and Trunk port messages of the VLAN port mode on the switch.
Parameter: <interface-list> is the port number or port list, which could be a maximum of 0/0/1 port in the switch.

5.2.5.11 show tcp

Command: show tcp
Function: Display the current TCP connection status established to the switch.
Command mode: Admin Mode

5.2.5.12 show udp

Command: show udp
Function: Display the current UDP connection status established to the switch.
Command mode: Admin Mode

5.2.5.13 show telnet login

Command: show telnet login
Function: Display Telnet user information that links with the switch.

5.2.5.14 show telnet user

Command: show telnet user
Function: Display all Telnet user information that can log in to the switch via Telnet.
Relative Command: telnet-user password

5.2.5.15 show version

Command: show version
Function: Display the switch version.
Command mode: Admin Mode

5.2.6 Debug

All the protocols the SS2R24/48G4i switch supports have their corresponding debug commands. Users can use the information from the debug commands for troubleshooting. The debug commands for each protocol will be introduced in later chapters.

5.3 Configure the IP Address of the Switch

In
uthorized Telnet users must be configured with the following command:

telnet-user <user> password {0 | 7} <password>

Assume an authorized user in the switch has a username of test and a password of test; the configuration procedure should be as follows:

Switch>en
Switch#config
Switch(Config)#telnet-user test password 0 test

Enter a valid login name and password in the Telnet configuration interface, and the Telnet user will be able to enter the switch's CLI configuration interface. The commands used in the Telnet CLI interface after login are the same as those in the Console interface.

C:\WINNT\system32\cmd.exe
telnet 10.1.128.251
login: test
password: x
Switch>

Fig 4-7 Telnet Configuration Interface

4.1.2.2 Management via HTTP

To manage the switch via HTTP, the following conditions should be met:

1. The switch has an IP address configured.
2. The host IP address and the switch's VLAN interface IP address are in the same network segment.
3. If condition 2 is not met, the Telnet client can connect to an IP address of the switch via other devices such as a router.

Similar to management via Telnet, as soon as the host succeeds in pinging an IP address of the switch and types the right login password, it can access the switch via HTTP. The configuration list is as below:

Step 1: Configure the IP addresses for the switch and start the HTTP function on the switch. For configuring t
utput channel of the console
Set the output channel of the user's terminal
Set the output channel of the log buffer
Set the output channel of the log host
Display the information of the log channel
Set the filter items of the log output channel

1. Enable the global log function (Privileged configuration mode)

logging on
no logging on
    Enable the global log function. Prefixing the command with no will disable this function.

2. Set the output channel of the console (Privileged configuration mode)

logging console
no logging console
    Open the output channel of the console. Prefixing the command with no will disable this function.

3. Set the output channel of the user's terminal (Privileged configuration mode)

logging monitor
no logging monitor
    Open the output channel of the user's terminal. Prefixing the command with no will disable this function.

4. Set the output channel of the log buffer (Privileged configuration mode)

logging buffered <buffersize>
no logging buffered
    Open the output channel of the log buffer. Prefixing the command with no will disable this function.

show logging buffered [<buffersize>]
    Display detailed information of the channel of the log buffer.

clear logging
    Clear the information in the l
ver enable
no tftp-server enable

2. Modify TFTP server connection idle time (Global Mode)

tftp-server transmission timeout <seconds>
    Set the maximum retransmission time within the timeout interval.

3. Modify TFTP server connection retransmission time (Global Mode)

tftp-server retransmission-number <number>
    Set the maximum retransmission time within the timeout interval.

5.6 The three-level switch of log messages

5.6.1 Introduction to the system log

The system log takes control of the output of most information and is able to filter that information effectively because of its ability to do fine-grained classification. Its combination with the Debug program provides powerful support for network managers and developers to monitor the operation of the network and diagnose network problems. The system log features include:

- Support for system log output in four directions: Console, Telnet terminal and dumb terminal (monitor), logbuf and loghost.
- The log information can be divided into four levels according to importance and thus can be filtered by level.
- The log information can be divided according to its source module and thus can be filtered by module.

5.6.1.1 Log Output Channel

At present the system log of the switch can be output through five directions, aka log channels
wait timeout required for all ports or a specified port.

4. Authentication Server (RADIUS server) related property configuration

(1) Configure RADIUS authentication key (Global Mode)

radius-server key <string>
no radius-server key
    Specifies the key for the RADIUS server; the no radius-server key command deletes the key for the RADIUS server.

(2) Configuring RADIUS Server (Global Mode)

radius-server authentication host <IPaddress> [port <portNum>] [primary]
no radius-server authentication host <IPaddress>
    Specifies the IP address or IPv6 address and listening port number for the RADIUS authentication server; the no radius-server authentication host <IPaddress> command deletes the RADIUS server.

radius-server accounting host <IPaddress> [port <portNum>] [primary]
no radius-server accounting host <IPaddress>
    Specifies the IP address or IPv6 address and listening port number for the RADIUS accounting server; the no radius-server accounting host <IPaddress> command deletes the RADIUS server.

(3) Configure RADIUS service parameters (Global Mode)

radius-server dead-time <minutes>
    Configures the restore time when the RADIUS server is down; the no
with drop-list, select the RS-232 serial port used by the PC (e.g. COM1) and click OK.

Fig 4-3 Opening HyperTerminal (Connect To dialog)

4. The COM1 Properties dialog appears. Select 9600 for Bits per second, 8 for Data bits, None for Parity, 1 for Stop bits and None for Flow control (or click Restore Defaults), then click OK.

Fig 4-4 Opening HyperTerminal (Port Settings: Bits per second 9600, Data bits 8, Parity None, Stop bits 1, Flow control None)

Step 3: Entering the switch CLI interface

Power on the switch. The following appears in the HyperTerminal window; this is the CLI configuration mode:

Testing RAM...
67,108,864 RAM OK
Initializing BOOEANG ck eas
Starting at 0x10000
Current time is MON JAN 01 00:00:00 2001
SS2R24G4I Series Switch Operating System
Software Version RS-5200-28_1.2.17.0
NOS Version NOS_5.1.35.47
Copyright (C) 2001-2007 AMER.COM http://www.amer.com
SS2R24G4I Switch
88H6218 133M processor
28 Ethernet/IEEE 802.3 interface(s)
Switch>

The user can now enter commands to manage th
y interval of the vlan
Igmp snooping max response time: The max response time of the vlan
Igmp snooping robustness: The robustness of the vlan
Igmp snooping mrouter port keep-alive time: The keep-alive time of the vlan
Igmp snooping query suppression time: The query suppression time of the vlan
Igmp snooping layer 2 general querier
IGMP Snooping Connect Group: The group membership of the vlan, that is, the
Igmp snooping vlan 1 mrouter: The mrouter port of the vlan, including static and

11.4.1.3 show mac-address-table multicast

Command: show mac-address-table multicast
Function: Show the multicast MAC address table messages.
Parameter: None
Command Mode: Admin Mode
Default: The multicast MAC address and port mapping is not shown by default.

11.4.2 IGMP Snooping Troubleshooting

When configuring and using the IGMP Snooping function, users might find that IGMP Snooping works abnormally, probably because of reasons such as incorrect physical connection or configuration. The user should therefore ensure the following:

- Guarantee that the physical connection is correct.
- Ensure that IGMP Snooping is enabled in global configuration mode using ip igmp snooping.
- Ensure that the vlan is configured with IGMP Snooping in global configuration mode using ip igmp snooping vlan <vlan-id>.
- Ensure that a vlan is configured as a layer 2 general querier, or that a static mrouter is configured in the same segme
