Alcatel-Lucent OmniSwitch 6850-48 Network Configuration Manual

Software release 6

Part No. 060217-10, Rev. K
September 2009
OmniSwitch AOS Release 6
Network Configuration Guide
www.alcatel-lucent.com
Summary of Contents for Alcatel-Lucent OmniSwitch 6850-48

  • Page 1 Part No. 060217-10, Rev. K September 2009 OmniSwitch AOS Release 6 Network Configuration Guide www.alcatel-lucent.com...
  • Page 2 OmniSwitch 6855 Series, OmniSwitch 9000 Series, and OmniSwitch 9000E Series. The functionality described in this guide is subject to change without notice. Copyright © 2009 by Alcatel-Lucent. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel-Lucent.
  • Page 3: Table Of Contents

    Combo Ethernet Port Defaults ..................1-3 Ethernet Ports Overview ....................1-4 OmniSwitch Series Combo Ports ................1-4 Valid Port Settings on OmniSwitch 6400 Series Switches ........1-5 Valid Port Settings on OmniSwitch 6800 Series Switches ........1-5 Valid Port Settings on OmniSwitch 6850 Series Switches ........1-6 Valid Port Settings on OmniSwitch 6855 Series Switches ........1-7...
  • Page 4 Static MAC Addresses on Link Aggregate Ports ..........2-6 Using Static Multicast MAC Addresses .................2-7 Configuring Static Multicast MAC Addresses ............2-7 Static Multicast MAC Addresses on Link Aggregate Ports ......2-8 ASCII-File-Only Syntax ..................2-8 Configuring MAC Address Table Aging Time ..............2-9 Increasing the MAC Address Table Size ..............2-10 Displaying Source Learning Information ..............2-11...
  • Page 5 Configuring Learned Port Security .................3-7 Enabling/Disabling Learned Port Security ...............3-7 Configuring a Source Learning Time Limit .............3-8 Configuring the Number of Bridged MAC Addresses Allowed ......3-9 Configuring the Trap Threshold for Bridged MAC Addresses ......3-9 Configuring the Number of Filtered MAC Addresses Allowed ......3-10 Configuring Authorized MAC Addresses ..............3-10...
  • Page 6 Quick Steps for Configuring GVRP ................5-5 Configuring GVRP ......................5-7 Enabling GVRP ......................5-7 Enabling Transparent Switching ................5-8 Configuring the Maximum Number of VLANs ............5-8 Configuring GVRP Registration ................5-9 Setting GVRP Normal Registration ..............5-9 Setting GVRP Fixed Registration ..............5-9 Setting GVRP Forbidden Registration ..............5-9 Configuring the GVRP Applicant Mode ..............5-10...
  • Page 7 Enable/Disable Port Authentication ..............6-17 Enable/Disable 802.1X Port-Based Access Control ........6-18 Verifying VLAN Port Associations and Mobile Port Properties ........6-19 Understanding ‘show vlan port’ Output ..............6-19 Understanding ‘show vlan port mobile’ Output .............6-20 Chapter 7 Configuring Port Mapping ..................7-1 In This Chapter ........................7-1...
  • Page 8 Defining DHCP Port Rules ..................8-12 Defining DHCP Generic Rules ................8-13 Defining Binding Rules ..................8-13 How to Define a MAC-Port-IP Address Binding Rule ........8-13 How to Define a MAC-Port Binding Rule ............8-14 How to Define a Port-Protocol Binding Rule ..........8-14 Defining MAC Address Rules ................8-15 Defining MAC Range Rules ..................8-15...
  • Page 9 MPLS Defaults ......................10-3 Quick Steps for Configuring MPLS ................10-4 Quick Steps for Configuring LDP ................10-5 Quick Steps for Configuring Static LSPs ...............10-8 Quick Steps for Configuring Static Fast Re-Route ..........10-10 MPLS Overview ......................10-12 MPLS Label Stack ....................10-12 Label Switching Routers ..................10-12 Label Switched Path Types ..................10-13...
  • Page 10 Modify Default VPLS Parameters ..............11-19 Enable the Service ..................11-19 Deleting a VPLS Service ................11-19 Binding Services to SDPs ..................11-20 Configure Static MAC Addresses for SDP Bindings ........11-20 Enable the SDP Binding ................11-21 Configuring Service Access Points (SAPs) ............11-21 SAP Configuration Guidelines ..............11-21 Configuring Service Access Ports ..............11-22...
  • Page 11 What is a Multiple Spanning Tree Region .............12-8 What is the Common Spanning Tree ..............12-9 What is the Internal Spanning Tree (IST) Instance ..........12-9 What is the Common and Internal Spanning Tree Instance ........12-9 MST Configuration Overview ..................12-10 Using Spanning Tree Configuration Commands ..........12-10 Understanding Spanning Tree Modes ..............12-11...
  • Page 12 ERP Overview .......................14-3 ERP Terms .......................14-3 ERP Timers .....................14-3 How Does ERP Work? ...................14-4 ERP Ring Modes .....................14-4 Overlapping Protected VLANs Between ERP Rings on same Node ....14-6 ERP and RRSTP Differences .................14-7...
  • Page 13 Interaction With Other Features ..................14-8 Spanning Tree ....................14-8 VLAN Stacking ....................14-8 Ethernet OAM ....................14-8 Quick Steps for Configuring ERP with Standard VLANs ..........14-9 Quick Steps for Configuring ERP with VLAN Stacking ..........14-10 ERP Configuration Overview and Guidelines ............14-11 Configuring an ERP Ring ...................14-12 Adding Protected VLANs ..................14-13...
  • Page 14 Configuring Link Monitoring ..................16-10 Enabling and Disabling Errored frame period .............16-10 Enabling and Disabling Errored frame ..............16-10 Enabling and Disabling Errored frame seconds summary ........16-10 Configuring LINK OAM Loopback ................16-11 Enabling and Disabling Remote loopback ............16-11 Verifying the LINK OAM Configuration ..............16-12...
  • Page 15 Clearing UDLD Statistics ..................17-8 Recovering a Port from UDLD Shutdown .............17-8 Verifying the UDLD Configuration ................17-9 Chapter 18 Configuring MAC Retention ................... 18-1 In This Chapter ......................18-1 MAC Retention Defaults ....................18-2 MAC Retention Overview ....................18-3 How MAC Retention Works ..................18-4 MAC Retention After Multiple Take-Overs ............18-5...
  • Page 16 Relationship to Other Features ................22-6 Configuring Static Link Aggregation Groups ...............22-7 Configuring Mandatory Static Link Aggregate Parameters ........22-7 Creating and Deleting a Static Link Aggregate Group ..........22-8 Creating a Static Aggregate Group ..............22-8 Deleting a Static Aggregate Group ..............22-8...
  • Page 17 Adding and Deleting Ports in a Static Aggregate Group ........22-9 Adding Ports to a Static Aggregate Group ............22-9 Removing Ports from a Static Aggregate Group ..........22-9 Modifying Static Aggregation Group Parameters ............22-10 Modifying the Static Aggregate Group Name .............22-10 Creating a Static Aggregate Group Name .............22-10...
  • Page 18 Creating a Static Route ..................24-11 Creating a Default Route ..................24-12 Configuring Address Resolution Protocol (ARP) ..........24-12 Adding a Permanent Entry to the ARP Table ..........24-12 Deleting a Permanent Entry from the ARP Table .........24-13 Clearing a Dynamic Entry from the ARP Table ...........24-13 Local Proxy ARP ...................24-14...
  • Page 19 Configuring VRF Instances ..................25-13 Selecting a VRF Instance ..................25-14 Assigning IP Interfaces to a VRF Instance ............25-15 Configuring Routing Protocols for a Specific VRF Instance .......25-15 Removing a VRF Instance ...................25-15 Verifying the VRF Configuration ................25-16...
  • Page 20 ..................... 27-1 In This Chapter ......................27-1 IPsec Specifications ......................27-2 IPsec Defaults ........................27-3 Quick Steps for Configuring an IPsec AH Policy ............27-4 Quick Steps for Configuring an IPsec Discard Policy ..........27-5 IPsec Overview ......................27-6 Encapsulating Security Payload (ESP) ..............27-6 Encryption Algorithms ..................27-7 Authentication Header (AH) ..................27-8...
  • Page 21 Configuring the RIP Invalid Timer ..............28-10 Configuring the RIP Garbage Timer ..............28-10 Configuring the RIP Hold-Down Timer ..............28-10 Reducing the Frequency of RIP Routing Updates ..........28-10 Enabling a RIP Host Route ..................28-11...
  • Page 22 BFD Specifications .......................30-2 BFD Defaults ........................30-3 Quick Steps for Configuring BFD ................30-4 Quick Steps for Configuring BFD Support for Layer 3 Protocols ......30-6 Configuring BFD Support for OSPF ...............30-6 Configuring BFD Support for BGP ..............30-6 Configuring BFD Support for VRRP Track Policies ........30-7 Configuring BFD Support for Static Routes ...........30-7...
  • Page 23 Step 4: Configure OSPF Interfaces ...............30-27 Step 5: Configure BFD Interfaces ..............30-28 Step 6: Configure Global BFD Parameters ...........30-29 Step 7: Enable and Register BFD with OSPF ..........30-29 Step 8: Examine the Network ................30-29 Verifying the BFD Configuration ................30-31 Chapter 31 Configuring DHCP Relay ..................
  • Page 24 Configuring DHCP Security Features .................31-15 Using the Relay Agent Information Option (Option-82) ........31-15 How the Relay Agent Processes DHCP Packets from the Client ....31-16 How the Relay Agent Processes DHCP Packets from the Server ....31-16 Enabling the Relay Agent Information Option-82 ........31-17 Configuring a Relay Agent Information Option-82 Policy ......31-17...
  • Page 25 Setting VRRP Startup Delay ................32-14 Configuring Collective Management Functionality ..........32-14 Changing Default Parameter Values for all Virtual Routers ......32-14 Changing Default Parameter Values for a Virtual Router Group ....32-15 Verifying the VRRP Configuration ................32-18 VRRPv3 Configuration Overview ................32-19 Basic VRRPv3 Virtual Router Configuration ............32-19 Creating/Deleting a VRRPv3 Virtual Router ............32-19...
  • Page 26 Quick Steps for Configuring User Network Profiles ..........34-7 Quick Steps for Configuring Host Integrity Check ..........34-8 Quick Step for Configuring QoS Policy Lists ............34-9 Quick Steps for Configuring User Network Profile Mobile Rules ......34-10 Access Guardian Overview ..................34-12 Authentication and Classification ................34-13 Using Device Classification Policies .............34-13...
  • Page 27 Verifying Access Guardian Users ................34-42 Logging Users out of the Network ...............34-44 Verifying the Access Guardian Configuration ............34-45 Chapter 35 Managing Authentication Servers ..............35-1 In This Chapter ......................35-1 Authentication Server Specifications ................35-2 Server Defaults ......................35-3 RADIUS Authentication Servers ................35-3 TACACS+ Authentication Servers ................35-3...
  • Page 28 Modifying an LDAP Authentication Server ..........35-28 Setting Up SSL for an LDAP Authentication Server ........35-28 Removing an LDAP Authentication Server ..........35-29 Verifying the Authentication Server Configuration ............35-29 Chapter 36 Configuring Authenticated VLANs ..............36-1 In This Chapter ......................36-1 Authenticated Network Overview .................36-2 AVLAN Configuration Overview .................36-4...
  • Page 29 Modifying the Port Number ...................38-5 Modifying the Policy Server Username and Password ..........38-5 Modifying the Searchbase ..................38-5 Configuring a Secure Socket Layer for a Policy Server ........38-6 Loading Policies From an LDAP Server ..............38-6 Removing LDAP Policies From the Switch ............38-6 Interaction With CLI Policies ................38-7...
  • Page 30 Using ACL Manager ....................39-1 In This Chapter ......................39-1 ACLMAN Defaults .......................39-2 Quick Steps for Creating ACLs ..................39-3 Quick Steps for Importing ACL Text Files ..............39-4 ACLMAN Overview .....................39-5 ACLMAN Configuration File ................39-5 ACL Text Files .......................39-6 ACL Precedence .....................39-6 Interaction With the Alcatel-Lucent CLI ...............39-6...
  • Page 31 Setting the Global Default Servicing Mode ............40-15 Automatic QoS Prioritization ................40-15 Configuring Automatic Prioritization for NMS Traffic ........40-15 Configuring Automatic Prioritization for IP Phone Traffic ......40-16 Using Quarantine Manager and Remediation ............40-16 Configuring Quarantine Manager and Remediation ........40-17 Using the QoS Log ....................40-19 What Kind of Information Is Logged ............40-19...
  • Page 32 Traffic Prioritization Example ...............40-58 Bandwidth Shaping Example ................40-59 Redirection Policies ....................40-59 Policy Based Mirroring ..................40-60 ICMP Policy Example ..................40-61 802.1p and ToS/DSCP Marking and Mapping ............40-61 Policy Based Routing ...................40-62 Chapter 41 Configuring ACLs ...................... 41-1 In This Chapter ......................41-1 ACL Specifications .......................41-2...
  • Page 33 IPv6 ACLs ......................41-13 Multicast Filtering ACLs ..................41-14 Using ACL Security Features ..................41-16 Configuring a UserPorts Group ................41-16 Configuring UserPort Traffic Types and Port Behavior .......41-17 Configuring a DropServices Group ..............41-17 Configuring a BPDUShutdownPorts Group ............41-18 Configuring ICMP Drop Rules ................41-19 Configuring TCP Connection Rules ..............41-19...
  • Page 34 Configuring and Restoring the IGMP Version ............42-10 Configuring the IGMP Version ..............42-11 Restoring the IGMP Version .................42-11 Configuring and Removing an IGMP Static Neighbor ........42-11 Configuring an IGMP Static Neighbor ............42-11 Removing an IGMP Static Neighbor ............42-12 Configuring and Removing an IGMP Static Querier ...........42-12 Configuring an IGMP Static Querier ............42-12...
  • Page 35 Configuring and Restoring the MLD Version ............42-25 Configuring the MLD Version 2 ..............42-25 Restoring the MLD Version 1 ...............42-26 Configuring and Removing an MLD Static Neighbor .........42-26 Configuring an MLD Static Neighbor ............42-26 Removing an MLD Static Neighbor ..............42-27 Configuring and Removing an MLD Static Querier ..........42-27 Configuring an MLD Static Querier ..............42-27...
  • Page 36 Server Load Balancing Specifications ................44-2 Server Load Balancing Default Values .................44-3 Quick Steps for Configuring Server Load Balancing (SLB) ........44-4 Quick Steps for Configuring a QoS Policy Condition Cluster .......44-5...
  • Page 37 Configuring a Red Hat Linux Server .............44-22 Configuring a Sun Solaris Server ..............44-22 Configuring an IBM AIX Server ..............44-23 Configuring a Virtual IP Address on a Novell Netware 6 Server ......44-23 Configuring Server Load Balancing on a Switch ............44-24 Enabling and Disabling Server Load Balancing ..........44-24 Enabling SLB ....................44-24...
  • Page 38 Enabling or Disabling Mirroring Status ...............45-19 Disabling a Mirroring Session (Disabling Mirroring Status) .......45-19 Configuring Port Mirroring Direction ..............45-20 Enabling or Disabling a Port Mirroring Session (Shorthand) ......45-20 Displaying Port Mirroring Status .................45-21 Deleting A Mirroring Session ................45-21 Configuring Remote Port Mirroring ..............45-22...
  • Page 39 Enabling or Disabling RMON Probes ..............45-36 Displaying RMON Tables ..................45-37 Displaying a List of RMON Probes ..............45-37 Displaying Statistics for a Particular RMON Probe ........45-38 Sample Display for Ethernet Statistics Probe ..........45-38 Sample Display for History Probe ..............45-39 Sample Display for Alarm Probe ..............45-39 Displaying a List of RMON Events ..............45-40...
  • Page 40 Third Party Licenses and Notices .................. A-4 A. Booting and Debugging Non-Proprietary Software .......... A-4 B. The OpenLDAP Public License: Version 2.8, 17 August 2003 ......A-4 C. Linux ........................A-5 D. GNU GENERAL PUBLIC LICENSE: Version 2, June 1991 ......A-5 E.
  • Page 41 K. Sun Microsystems, Inc..................A-12 L. Wind River Systems, Inc................. A-12 M. Network Time Protocol Version 4 ..............A-12 N. Remote-ni ......................A-13 O. GNU Zip ......................A-13 P. FREESCALE SEMICONDUCTOR SOFTWARE LICENSE AGREEMENT ....................A-13 Q. Boost C++ Libraries ..................A-14 R.
  • Page 43: About This Guide

    This OmniSwitch AOS Release 6 Network Configuration Guide describes how to set up and monitor software features that will allow your switch to operate in a live network environment. The software features described in this manual are shipped standard with your OmniSwitch 6400 Series, OmniSwitch 6850 Series, OmniSwitch 6855 Series, OmniSwitch 9000 Series, and OmniSwitch 9000E Series switches.
  • Page 44: Who Should Read This Manual

    When Should I Read this Manual? Read this guide as soon as you are ready to integrate your OmniSwitch into your network and you are ready to set up advanced routing protocols. You should already be familiar with the basics of managing a single OmniSwitch as described in the OmniSwitch AOS Release 6 Switch Management Guide.
  • Page 45: What Is Not In This Manual

    Release 6 CLI commands, consult the OmniSwitch CLI Reference Guide. How is the Information Organized? Chapters in this guide are broken down by software feature. The title of each chapter includes the protocol or feature name (e.g., 802.1Q) with which most network professionals will be familiar.
  • Page 46: Documentation Roadmap

    The following section outlines a roadmap of the manuals that will help you at each stage of the configuration process. Under each stage, we point you to the manual or manuals that will be most helpful to you.
  • Page 47 The OmniSwitch CLI Reference Guide contains comprehensive information on all CLI commands supported by the switch. This guide includes syntax, default, usage, example, related CLI command, and CLI-to-MIB variable mapping information for all CLI commands supported by the switch. This guide can be consulted anytime during the configuration process to find detailed and specific information on each CLI command.
  • Page 48: Related Documentation

    The following are the titles and descriptions of all the related OmniSwitch AOS Release 6 user manuals: • OmniSwitch 6400 Series Getting Started Guide Describes the hardware and software procedures for getting an OmniSwitch 6400 Series switch up and running.
  • Page 49 • OmniSwitch CLI Reference Guide Complete reference to all CLI commands supported on the OmniSwitch 6400, 6800, 6850, 6855, and 9000. Includes syntax definitions, default values, examples, usage guidelines and CLI-to-MIB variable mappings. • OmniSwitch AOS Release 6 Switch Management Guide Includes procedures for readying an individual switch for integration into a network.
  • Page 50: User Manual Cd

    Note. In order to take advantage of the documentation CD’s global search feature, it is recommended that you select the option for searching PDF files before downloading Acrobat Reader freeware. To verify that you are using Acrobat Reader with the global search option, look for the following button in the toolbar: Note.
  • Page 51: Chapter 1 Configuring Ethernet Ports

    1 Configuring Ethernet Ports The Ethernet software is responsible for a variety of functions that support Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports on OmniSwitch Series switches. These functions include diagnostics, software loading, initialization, configuration of line parameters, gathering statistics, and responding to administrative requests from SNMP or CLI.
  • Page 52: Ethernet Specifications

    10 Gigabit Ethernet (10 Gb/10000 Mbps) Switching/Routing Support Layer 2 Switching/Layer 3 Routing Backbone Support Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports Port Mirroring Support Fast Ethernet and Gigabit Ethernet ports 802.1Q Hardware Tagging Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports...
  • Page 53: Non-Combo Port Defaults

    Flow Control (pause) interfaces pause Disabled Combo Ethernet Port Defaults The following table shows combo Ethernet port default values for OmniSwitch 6400 Series, OmniSwitch 6850 Series, and OmniSwitch 6855 Series switches only: Parameter Description Command Default Value/Comments...
  • Page 54: Ethernet Ports Overview

    For example, on the OmniSwitch 6850-24, ports 21-24 are combo ports. If cables are connected to the combo copper port 21 and the combo SFP port 21, the SFP link will be the active one. If the SFP link goes down then the copper port will automatically become active.
  • Page 55: Valid Port Settings On Omniswitch 6400 Series Switches

    The table below lists valid speed, duplex, and autonegotiation settings for the different OmniSwitch 6400 Series port types. Chassis Type Port Type User-Specified User-Specified Auto (Port Nos.)
  • Page 56: Valid Port Settings On Omniswitch 6850 Series Switches

    10000 full (ports 49–50) See the OmniSwitch 6800 Series Hardware Users Guide for more information about the OmniSwitch 6800 hardware that is supported in the current release. Valid Port Settings on OmniSwitch 6850 Series Switches The table below lists valid speed, duplex, and autonegotiation settings for the different OmniSwitch 6850 Series port types.
  • Page 57: Valid Port Settings On Omniswitch 6855 Series Switches

    The table below lists valid speed, duplex, and autonegotiation settings for the different OmniSwitch 6855 Series port types. Chassis Type Port Type User-Specified User-Specified Auto (Port Nos.)
  • Page 58: 10/100/1000 Crossover Supported

    The local port advertises 10 Mbps full duplex and the remote link partner is forced to 10 half duplex. This is due to the fact that when the local device is set to auto negotiating 10/100 full duplex it senses the remote device is not auto negotiating.
  • Page 59: Flow Control And Autonegotiation

    PAUSE frames are used to pause the flow of traffic between two connected devices when traffic congestion occurs. Flow control provides the ability to configure whether or not the switch will transmit and/or honor PAUSE frames on an active interface.
  • Page 60: Setting Ethernet Parameters For All Port Types

    -> trap 2 port link enable To enable trap port link messages on a single port, enter trap followed by the slot number, a slash (/), the port number, and port link enable. For example, to enable trap port link messages on slot 2 port 3, enter: ->...
  • Page 61: Resetting Statistics Counters

    To reset Layer 2 statistics on a single port, enter interfaces followed by the slot number, a slash (/), the port number, and no l2 statistics. For example, to reset all Layer 2 statistics counters on port 3 on slot 2, enter: ->...
  • Page 62: Configuring Flood Rate Limiting

    (slot). When multicast flood rate limiting is enabled, the peak flood rate value for a port is applied to both multicast and flooded traffic.
  • Page 63: Configuring The Peak Flood Rate Value

    -> interfaces 2/3 flood rate 49 To change the peak flood rate for a range of ports, enter interfaces followed by the slot number, a slash (/), the first port number, a hyphen (-), the last port number, flood rate, and the flood rate in megabits. For example, to configure the peak flood rate on ports 1 through 3 on slot 2 as 49 megabits, enter: ->...
  • Page 64: Configuring A Port Alias

    To use this command, enter interfaces followed by the slot number, a slash (/), the port number, alias, and the text description, which can be up to 40 characters long.
  • Page 65 -> interfaces transceiver ddm enable Traps can be enabled if any of these above values crosses the pre-defined low or high thresholds of the transceiver. For example, to set the maximum frame size on port 3 on slot 2 to 9216 bytes, enter: ->...
  • Page 66: Setting Ethernet Parameters For Non-Combo Ports

    -> interfaces 2/3 speed 100 To set the line speed on a range of ports, enter interfaces followed by the slot number, a slash (/), the first port number, a hyphen (-), the last port number, and the desired speed. For example, to set the line speed...
  • Page 67: Configuring Duplex Mode

    (slot) to full (full duplex mode, which is the default on fiber ports), half (half duplex mode), and auto (autonegotiation, which is the default on copper ports). (The Auto option causes the switch to advertise all available duplex modes (half/full/both) for the port during autonegotiation.) In...
  • Page 68: Configuring Autonegotiation And Crossover Settings

    To configure the inter-frame gap on a range of ports, enter interfaces, followed by the slot number, a slash (/), the first port number, a hyphen (-), the last port number, ifg, and the desired inter-frame gap value. For example, to set the inter-frame gap value on ports 20 through 22 on slot 2 to 10 bytes, enter: ->...
  • Page 69: Configuring Crossover Settings

    To configure crossover settings on a range of ports, enter interfaces, followed by the slot number, a slash (/), the first port number, a hyphen (-), the last port number, crossover, and the desired setting. For example, to set the crossover configuration to auto on ports 1 through 3 on slot 2, enter: ->...
  • Page 70 VLANs are not configurable using standard VLAN management commands. There is only one flow control VLAN configured per switch. To remove this type of VLAN, use the no form of the interfaces e2e-flow-vlan command. Note that specifying a VLAN ID is not necessary. For example, the following command removes the flow control VLAN from the switch configuration: ->...
  • Page 71: Setting Ethernet Combo Port Parameters

    By default, all combo ports on the OmniSwitch Series switches are set to preferred fiber. The following subsections describe how to set a single combo port, a range of combo ports, or all combo ports on an entire switch to forced fiber (see “Setting Combo Ports to Forced Fiber”...
  • Page 72: Setting Combo Ports To Preferred Copper

    In preferred copper mode, combo ports will use the copper RJ-45 10/100/1000 port instead of the fiber SFP connector, if both ports are enabled and have a valid link. If the copper port goes down, then the switch will automatically switch to the fiber SFP connector. To set a single combo port, a range of combo...
  • Page 73: Setting Combo Ports To Preferred Fiber

    In preferred fiber mode (the default), combo ports will use the fiber SFP connector instead of the copper RJ-45 10/100/1000 port if both ports are enabled and have a valid link. If the fiber port goes down, then the switch will automatically switch to the copper RJ-45 port. To set a single combo port, a range of...
  • Page 74: Configuring Duplex Mode For Combo Ports

    (-), the last combo port number, hybrid, either fiber or copper, and the desired speed. For example, to set the line speed on combo copper ports 21 through 24 on slot 2 to 100 Mbps, enter: ->...
  • Page 75: Configuring Autonegotiation And Crossover For Combo Ports

    (/), the combo port number, hybrid, either fiber or copper, duplex, and the desired duplex setting (auto, full, or half). For example, to set the duplex mode on the fiber combo port 23 on slot 2 to full, enter: ->...
  • Page 76: Configuring Crossover Settings For Combo Ports

    To configure crossover settings on a single combo port, a range of combo ports, or all combo ports in an entire switch (slot), use the interfaces hybrid crossover command.
  • Page 77: Configuring Flow Control On Combo Ports

    (pause) settings for combo ports that run in full duplex mode. Configuring flow control is done to specify whether or not an interface will transmit, honor, or both transmit and honor PAUSE frames. PAUSE frames are used to temporarily pause the flow of traffic between two connected devices to help prevent packet loss when traffic congestion occurs between switches.
  • Page 78 VLANs are not configurable using standard VLAN management commands. There is only one flow control VLAN configured per switch. To remove this type of VLAN, use the no form of the interfaces e2e-flow-vlan command. Note that specifying a VLAN ID is not necessary. For example, the following command removes the flow control VLAN from the switch configuration: ->...
  • Page 79: Combo Port Application Example

    Workstations A and B are connected with 100 Mbps links to copper combo ports 1/21 and 1/22, respectively. (SFP combo ports 1/21 and 1/22 are unused.) Server A has a primary 1 Gbps fiber connection to combo SFP connector 1/23 and a backup 100 Mbps connection to copper combo port 1/23. And the OmniSwitch 9700 has a primary 1 Gbps connection to combo SFP connector 1/24 and a backup 100 Mbps connection to copper combo port 1/24.
  • Page 80 Verify that combo ports 1/23 and 1/24 are set to the default setting of preferred fiber (which will make the SFP connectors 1/23 and 1/24 the primary connections while copper combo ports 1/23 and 1/24 will...
  • Page 81: Verifying Ethernet Port Configuration

    To display information about Ethernet port configuration settings, use the show commands listed in the following table: show interfaces flow control Displays interface flow control wait time settings in nanoseconds.
  • Page 82 These commands can be quite useful in troubleshooting and resolving potential configuration issues or problems on your switch. For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 83: Chapter 2 Managing Source Learning

    MAC address to entries in a MAC address database table. If the table does not contain an entry for the source address, then a new record is created associating the address with the port it was learned on. If an entry for the source address already exists in the table, a new one is not created.
  • Page 84: Source Learning Specifications

    The functionality described in this chapter is supported on the OmniSwitch 6400, 6800, 6850, 6855, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted within any section of this chapter.
  • Page 85: Sample Mac Address Table Configuration

    Create VLAN 200, if it does not already exist, using the following command: -> vlan 200 Assign switch ports 2 through 5 on slot 3 to VLAN 200–if they are not already associated with VLAN 200–using the following command: -> vlan 200 port default 3/2-5...
  • Page 86 To verify the new aging time value, enter show mac-address-table aging-time. For example, -> show mac-address-table aging-time Mac Address Aging Time (seconds) = 300
  • Page 87: Mac Address Table Overview

    VLAN is not supported. • If a static MAC address is configured on a port link that is down or disabled, an asterisk appears to the right of the MAC address in the show mac-address-table command display. The asterisk indicates that this is an invalid MAC address.
  • Page 88: Configuring Static Mac Addresses

    Use the no form of this command to clear MAC address entries from the table. If the MAC address status type (permanent or learned) is not specified, then only permanent addresses are removed from the table.
  • Page 89: Using Static Multicast Mac Addresses

    A MAC address is considered a multicast MAC address if the least significant bit of the most significant octet of the address is enabled. For example, MAC addresses with a prefix of 01, 03, 05, 13, etc., are multicast MAC addresses.
  • Page 90: Static Multicast Mac Addresses On Link Aggregate Ports

    If a MAC address, slot/port and VLAN ID are not specified with this form of the command, then all static multicast addresses are deleted. For example, the following command deletes all static MAC addresses, regardless of their slot/port or VLAN assignments: ->...
  • Page 91: Configuring Mac Address Table Aging Time

    MAC is aged out of the MAC address table. Source learning always starts tracking MAC address age from the time since the last packet was received. By default, the aging time is set to 300 seconds (5 minutes) and is configured on a global basis using the mac-address-table aging-time command.
  • Page 92: Increasing The Mac Address Table Size

    • Link aggregates have to span the same ASIC. This usually means the same NI, with the exception of the U6-XNI where the first three ports are on one ASIC while the other three ports are on a separate ASIC.
  • Page 93: Displaying Source Learning Information

    To display MAC Address Table entries, statistics, and aging time values, use the show commands listed below: show mac-address-table Displays a list of all MAC addresses known to the MAC address table, including static MAC addresses.
  • Page 95: In This Chapter

    Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on Ethernet and Gigabit Ethernet ports. The only types of Ethernet ports that LPS does not support are link aggregate and tagged (trunked) link aggregate ports. Using LPS to control source MAC address learning provides the following benefits: •...
  • Page 96: Chapter 3 Configuring Learned Port Security

    RFCs Supported: Not applicable at this time. IEEE Standards supported: Not applicable at this time. Platforms Supported: OmniSwitch 6400, 6800, 6850, 6855, and 9000. Ports eligible for Learned Port Security: Ethernet and gigabit Ethernet ports (fixed, mobile, 802.1Q tagged, and authenticated ports).
  • Page 97: Sample Learned Port Security Configuration

    Set the total number of learned MAC addresses allowed on the same ports to 25 using the following command: -> port-security 3/6-12 4/6-12 5/6-12 maximum 25 Configure the amount of time in which source learning is allowed on all LPS ports to 30 minutes using the following command: -> port-security shutdown 30 Select shutdown for the LPS violation mode using the following command: ->...
  • Page 98: Learned Port Security Overview

    Configurable LPS parameters allow the user to restrict the source learning of host MAC addresses to: • A specific amount of time in which the switch allows source learning to occur on all LPS ports. • A maximum number of learned MAC addresses allowed on the port.
  • Page 99: How Lps Authorizes Source Mac Addresses

    (see “Selecting the Security Violation Mode” on page 3-11). Regardless of which mode is selected, notice is sent to the Switch Logging task to indicate that a violation has occurred. Dynamic Configuration of Authorized MAC Addresses: Once LPS authorizes the learning of a source MAC address, an entry containing the address and the port it was learned on is made in an LPS database table.
  • Page 100: Static Configuration Of Authorized Mac Addresses

    The LPS database table is separate from the source learning MAC address table. However, when a MAC is authorized for learning on an LPS port, an entry is made in the MAC address table in the same manner as if it was learned on a non-LPS port (see Chapter 2, “Managing Source Learning,”...
  • Page 101: Enabling/Disabling Learned Port Security

    -> port-security 4/1-5 enable -> port-security 5/12-20 6/10-15 enable Note that when LPS is enabled on an active port, all MAC addresses learned on that port prior to the time LPS was enabled are cleared from the source learning MAC address table.
  • Page 102: Configuring A Source Learning Time Limit

    The LPS source learning time limit is a switch-wide parameter that applies to all LPS enabled ports, not just one or a group of LPS ports. The following command example sets the time limit value to 30 minutes: -> port-security shutdown time 30 Once the time limit value expires, source learning of any new dynamic MAC addresses is stopped on all LPS ports even if the number of addresses learned does not exceed the maximum allowed.
  • Page 103: Configuring The Number Of Bridged Mac Addresses Allowed

    Once this value is reached, a trap is sent for every MAC learned thereafter. By default, when five bridged MAC addresses are learned on an LPS port, the switch sends a trap. To change the trap threshold value, use the port-security learn-trap-threshold command.
  • Page 104: Configuring The Number Of Filtered Mac Addresses Allowed

    Use the no form of this command to clear configured and/or dynamic MAC address entries from the LPS table. For example, the following command removes a MAC address entry for port 4 of slot 6 that belongs to VLAN 10 from the LPS table: ->...
  • Page 105: Selecting The Security Violation Mode

    -> port-security 4/12 mac-range In addition, specifying a low end MAC and a high end MAC is optional. If either one is not specified, the default value is used. For example, the following commands set the authorized MAC address range on the specified ports to 00:da:25:59:0c:10–ff:ff:ff:ff:ff:ff and 00:00:00:00:00:00–00:da:25:00:00:9a:...
  • Page 106: Displaying Learned Port Security Information

    Displays the amount of time during which source learning can occur on all LPS ports. For more information about the resulting display from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show port-security and show port-security shutdown commands is also given in “Sample Learned Port Security Configuration”...
  • Page 107: Configuring Vlans

    4 Configuring VLANs. In a flat bridged network, a broadcast domain is confined to a single LAN segment or even a specific physical location, such as a department or building floor. In a switch-based network, such as one comprised of Alcatel-Lucent switching systems, a broadcast domain (or VLAN) can span multiple physical switches and can include ports from a variety of media types.
  • Page 108: Vlan Specifications

    Note that the maximum limit values provided in the following Specifications table are subject to available system resources: RFCs Supported: 2674 - Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual...
  • Page 109 VLAN Defaults. Parameter Description: VLAN port associations; Command: vlan port default; Default: All ports initially associated with default VLAN 1.
  • Page 110: Sample Vlan Configuration

    VLAN. To determine if a VLAN already exists in the switch configuration, enter show vlan. If VLAN 255 does not appear in the show vlan output, then it does not exist on the switch. For example: -> show vlan...
  • Page 111: Vlan Management Overview

    One of the main benefits of using VLANs to segment network traffic is that VLAN configuration and port assignment is handled through switch software. This eliminates the need to physically change a network device connection or location when adding or removing devices from the VLAN broadcast domain. The...
  • Page 112: Creating/Modifying Vlans

    802.1Q standard, each VLAN is identified by a unique number, referred to as the VLAN ID. The user specifies a VLAN ID to create, modify or remove a VLAN and to assign switch ports to a VLAN. When a packet is received on a port, the port’s VLAN ID is inserted into the packet. The packet is then bridged to other ports that are assigned to the same VLAN ID.
  • Page 113: Enabling/Disabling The Vlan Administrative Status

    To create more than 253 VLANs on a switch running in the 1x1 Spanning Tree mode, use the vlan stp disable, vlan 1x1 stp disable, or vlan flat stp disable command to create a VLAN with Spanning Tree disabled.
  • Page 114: Defining Vlan Port Assignments

    Aggregation,” Chapter 23, “Configuring Dynamic Link Aggregation.” Use the no form of the vlan port default command to remove a default VPA. When this is done, VLAN 1 is restored as the port’s default VLAN. -> vlan 955 no port default 2/5...
  • Page 115: Configuring Dynamic Vlan Port Assignment

    Note that VLAN mobile tag classification takes precedence over VLAN rule classification. If a mobile port receives traffic that matches a VLAN rule and also has an 802.1Q VLAN ID tag for a VLAN with mobile tagging enabled, the port is dynamically assigned to the mobile tag VLAN and not the matching rule VLAN.
  • Page 116: Enabling/Disabling Vlan Mobile Tag Classification

    -> vlan 224 mobile-tag disable If a mobile port that is statically assigned to VLAN 10 receives an 802.1Q tagged packet with a VLAN ID of 1525, the port and packet are dynamically assigned to VLAN 1525. In this case, the mobile port now has a VLAN port association defined for VLAN 10 and for VLAN 1525.
  • Page 117: Enabling/Disabling Spanning Tree For A Vlan

    Tree) instance, depending on which STP protocol is active. In the flat mode, if STP instance 1 or the CIST instance is disabled, then it is disabled for all configured VLANs. However, disabling STP on an individual VLAN will exclude only that VLAN’s ports from the flat STP algorithm.
  • Page 118: Enabling/Disabling Vlan Authentication

    Source learning can be disabled on a VLAN. Disabling source learning can be beneficial in a ring topology. There is no limit on the number of ports that can belong to a VLAN that has source learning disabled, but it is recommended to include only the two ports connecting the switch to a ring.
  • Page 119: Configuring An Ipx Router Interface

    A 16-bit value between 0 (the default) and 65535 that specifies the number of ticks for the IPX delay time. A tick is approximately 1/18th of a second. The following vlan router ipx command example configures an IPX router interface for VLAN 955 with...
  • Page 120: Modifying An Ipx Router Interface

    For example, the following command changes the advertisement mode to RIP only, the encapsulation to LLC, and the delay time value to 1500. The IPX address is not changed in this example, but is required as part of the command syntax to identify a change to the router interface: ->...
  • Page 121: Bridging Vlans Across Multiple Switches

    VLAN 10. It is important to note that connection cables do not have to connect to the same port on each switch. The key is that the port must belong to the same VLAN on each switch.
  • Page 122: Verifying The Vlan Configuration

    This is how a logical grouping of users can traverse a physical network setup without routing and is one of the many benefits of using VLANs.
  • Page 123: In This Chapter

    VLANs and prunes unnecessary broadcast and unicast traffic. Through the propagation of GVRP information, a device is continuously able to update its knowledge on the set of VLANs that currently have active nodes and on the ports through which those nodes can be reached.
  • Page 124: Chapter 5 Configuring Gvrp

    IEEE Draft Std. P802.1Q-REV/D5.0. Platforms Supported: OmniSwitch 6400, 6850, 6855, and 9000. Maximum GVRP VLANs: 4094; 256 (OmniSwitch 6400). GVRP Defaults: The following table lists the defaults for GVRP configuration: Parameter Description: Global status of GVRP; Command: gvrp; Default Value/Comments: disabled...
  • Page 125: Garp Overview

    GARP applicant that declares attributes is referred to as an active member. A passive member is an applicant interested in an attribute but will not initiate GARP PDUs when it is aware that other applicants have also registered the attribute.
  • Page 126 Port 2 on Switch B receives the advertisements. VLANs 10, 20, and 30 are created as dynamic VLANs on this switch and Port 2 becomes a member of VLANs 10, 20, and 30. Port 3 on Switch B is triggered to advertise VLANs 10, 20, and 30, but does not become a member of these VLANs.
  • Page 127: Quick Steps For Configuring Gvrp

    (Figure: Static VLAN 50, Dynamic Learning of VLAN 50.) Note. Not every port on a switch is a member of all VLANs. Only those ports that receive the advertisement become members of the VLAN being advertised. Quick Steps for Configuring GVRP...
  • Page 128 Maximum VLAN Limit : 256 To view GVRP configuration for a specific port, enter the show gvrp configuration linkagg/port command. The configuration details of the particular port will be displayed as shown: -> show gvrp configuration port 1/21 Port 1/21: GVRP Enabled...
  • Page 129: Configuring Gvrp

    Enabling GVRP GVRP is used primarily to prune unnecessary broadcast and unknown unicast traffic, and dynamically create and manage VLANs. GVRP has to be globally enabled on a switch before it can start forwarding GVRP frames. To enable GVRP globally on the switch, enter the...
  • Page 130: Enabling Transparent Switching

    A switch can create dynamic VLANs using GVRP. By default, the maximum number of dynamic VLANs that can be created using GVRP is 1024. If the VLAN limit to be set is less than the current number of dynamically learned VLANs, then the new configuration will take effect only after the GVRP is disabled and enabled again on the switch.
  • Page 131: Configuring Gvrp Registration

    GVRP allows a port to register and de-register both static and dynamic VLANs. Every device has a list of all the switches and end stations that can be reached at any given time. When an attribute for a device is registered or de-registered, the set of reachable switches and end stations, also called participants, is modified.
  • Page 132: Configuring The Gvrp Applicant Mode

    3/2 to active, enter the following: -> gvrp applicant active port 3/2 When a port is set to participant mode, GVRP protocol exchanges are allowed only if the port is set to the STP forwarding state.
  • Page 133: Restricting Vlan Registration

    For example, if you set the Leave timer to 900 ms and attempt to configure the Join timer to 450 ms, an error is returned. You need to set the Leave timer to at least 1350 ms and then set the Join timer to 450 ms.
  • Page 134: Restricting Static Vlan Registration

    -> gvrp static-vlan restrict port 1/2 5-9 Here, port 1/2 is restricted from becoming a GVRP member of VLANs 5 to 9. A port can be allowed to become a member of statically created VLANs using the no form of the gvrp static-vlan restrict command.
  • Page 135: Verifying Gvrp Configuration

    Displays the timer values configured for all the ports or a specific port. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 137: Chapter 6 Assigning Ports To Vlans

    6 Assigning Ports to VLANs. Initially all switch ports are non-mobile (fixed) and are assigned to VLAN 1, which is also their configured default VLAN. When additional VLANs are created on the switch, ports are assigned to the VLANs so that traffic from devices connected to these ports is bridged within the VLAN domain.
  • Page 138: Port Assignment Specifications

    Note that the maximum limit values provided in the following Specifications table are subject to available system resources: IEEE Standards Supported: 802.1Q (Virtual Bridged Local Area Networks); 802.1D (Media Access Control Bridges)...
  • Page 139: Sample Vlan Port Assignment

    With this parameter disabled, VLAN 255 will not carry any traffic received on 3/4 or 3/5 that does not match any VLAN rules configured on the switch. Note. Optional. To verify that ports 2 through 5 on slot 3 were assigned to VLAN 255, enter show vlan followed by 255 then port. For example: ->...
  • Page 140: Statically Assigning Ports To Vlans

    2 on slot 3, currently assigned to VLAN 1, to VLAN 755: -> vlan 755 port default 3/2 Port 3/2 is now assigned to VLAN 755 and no longer associated with VLAN 1. In addition, VLAN 755 is now the new configured default VLAN for the port.
  • Page 141: How Dynamic Port Assignment Works

    Using mobile tagging allows the dynamic assignment of mobile ports to one or more VLANs at the same time. • If a mobile port receives a tagged packet with a VLAN ID of a VLAN that does not have mobile tagging enabled or the VLAN does not exist, the packet is dropped. •...
  • Page 142 As soon as the workstations start sending traffic, switch software checks the 802.1Q VLAN ID tag of the frames and looks for a VLAN that has the same ID and also has mobile tagging enabled. Since the workstations are sending tagged packets destined for the mobile tag enabled VLANs, each port is assigned to the appropriate VLAN without user intervention.
  • Page 143 (Figure: Tagged Mobile Port Traffic Triggers Dynamic VLAN Assignment. Panels: Default VLAN, Network 138.0.0.0, Port 1, Port 2, Port 3, Dynamic VPA.)
  • Page 144: Vlan Rule Classification

    When an active device is disconnected from a mobile port and connected to a fixed port, the source MAC address of that device is not learned on the fixed port until the MAC address has aged out and no longer appears on the mobile port.
  • Page 145 (Figure: VLAN Rule Classification: Initial Configuration.) As soon as the workstations start sending traffic, switch software checks the source subnet of the frames and looks for a match with any configured IP network address rules. Since the workstations are sending traffic that matches a VLAN rule, each port is assigned to the appropriate VLAN without user intervention.
  • Page 146: Configuring Dynamic Vlan Port Assignment

    Once the above configuration steps are completed, dynamic VLAN assignment occurs when a device connected to a mobile port starts to send traffic. This traffic is examined by switch software to determine which VLAN should carry the traffic based on the type of classification, if any, defined for a particular VLAN.
  • Page 147: Enabling/Disabling Port Mobility

    BPDU to determine if the port is eligible for dynamic assignment. When BPDU ignore is disabled and the mobile port receives a BPDU, mobility is shut off on the port and the following occurs: •...
  • Page 148: Understanding Mobile Port Properties

    Spanning Tree is enabled on both the ports and their assigned VLANs) is not allowed. If mobility is required on this type of port, enable mobility and the BPDU ignore parameter when the port is not active. Understanding Mobile Port Properties Dynamic assignment of mobile ports occurs without user intervention when mobile port traffic matches VLAN criteria.
  • Page 149: What Is A Secondary Vlan

    Mobile port receives untagged frames that contain information that matches rules on more than one VLAN. For example, if a mobile port receives IP and IPX frames and there is an IP protocol rule on VLAN 10 and an IPX protocol rule on VLAN 20, the mobile port is dynamically assigned to both VLANs.
  • Page 150 VLAN. Restricts dynamic assignment to mobile port traffic that matches one or more VLAN rules. (Table: How Mobile Port Traffic that Does Not Match any VLAN Rules is Classified.)
  • Page 151 (Table, two columns.) Column 1: Security. VLANs only contain mobile port traffic that has recently matched rule criteria. VPAs created from occasional network users (e.g., laptop) are not unnecessarily retained. Column 2: VPAs are retained even when port traffic is idle for some time. When traffic resumes, it is not necessary to relearn the same VPA again. Appropriate for devices that only send occa-...
  • Page 152: Configuring Mobile Port Properties

    Enable/Disable Default VLAN To enable or disable forwarding of mobile port traffic that does not match any VLAN rules on the port’s configured default VLAN, enter vlan port followed by the port’s slot/port designation then default vlan followed by enable or disable. For example, ->...
  • Page 153: Enable/Disable Default Vlan Restore

    Only mobile ports are eligible for authentication. If enabled, the mobile port participates in the Layer 2 authentication process supported by Alcatel-Lucent switches. This process restricts switch access at the VLAN level. The user is required to enter a valid login ID and password before gaining membership to a VLAN. For more information, see Chapter 36, “Configuring Authenticated VLANs.”...
  • Page 154: Enable/Disable 802.1X Port-Based Access Control

    To enable or disable 802.1X on a mobile port, enter vlan port followed by the port’s slot/port designation then 802.1x followed by enable or disable. For example, -> vlan port 3/1 802.1x enable ->...
  • Page 155: Chapter 45 Diagnosing Switch Problems

    Each line of the show vlan port command display corresponds to a single VLAN port association (VPA). In addition to showing the VLAN ID and slot/port number, the VPA type and current status of each association are also provided.
  • Page 156: Understanding 'Show Vlan Port Mobile' Output

    VLAN 200 is a secondary VLAN for mobile port 5/11, which is currently forwarding traffic for this VPA. • VLAN 200 is an 802.1Q tagged VLAN for port 5/12, which is an active port but currently blocked from forwarding traffic. Another example of the output for the show vlan port command is also given in “Sample VLAN Port...
  • Page 157: In This Chapter

    A and network port set B, the ports in set A can only communicate with the ports in set B. If set B is empty, the ports in set A can communicate with rest of the ports in the system.
  • Page 158: Chapter 7 Configuring Port Mapping

    Quick Steps for Configuring Port Mapping Follow the steps below for a quick tutorial on configuring port mapping sessions. Additional information on how to configure each command is given in the subsections that follow. Create a port mapping session with/without, user/network ports with the...
  • Page 159: Creating/Deleting A Port Mapping Session

    -> port mapping 3 network-port linkagg 7 You can specify all the ports of a slot to be assigned to a mapping session. For example, to create a port mapping session 3 with all the ports of slot 1 as network ports, you would enter: ->...
  • Page 160: Enabling/Disabling A Port Mapping Session

    Disabling the Flooding of Unknown Unicast Traffic By default, unknown unicast traffic is flooded to the user ports of a port mapping session from all the switch ports, not just the network ports for the session. To disable this flooding, you would enter: ->...
  • Page 161: Restoring Bidirectional Port Mapping

    The following diagram shows a four-switch network configuration with active port mapping sessions. In the network diagram, the Switch A is configured as follows: • Port mapping session 1 is created with user ports 2/1, 2/2 and network ports 1/1, 1/2 and is configured in the unidirectional mode. •...
  • Page 162: Example Port Mapping Configuration Steps

    • Ports 2/1 and 2/2 on Switch D do not interact with each other but they interact with all the user ports on Switch A except 3/1, 3/2, and 3/3. They also interact with all the ports on Switch B and Switch C.
  • Page 163: Chapter 8 Defining Vlan Rules

    MAC address, protocol, network address, binding, or DHCP criteria to capture certain types of network device traffic. It is also possible to define multiple rules for the same VLAN. A mobile port is assigned to a VLAN if its traffic matches any one VLAN rule.
  • Page 164: Defining Vlan Rules

    Maximum number of rules per VLAN: Unlimited. Maximum number of rules per switch: 8129 of each rule type, except for a DHCP generic rule because only one is allowed per switch. Switch ports that are eligible for VLAN rules: Mobile 10/100 Ethernet and gigabit ports.
  • Page 165: Sample Vlan Rule Configuration

    3/10 containing a MAC address of 00:DA:95:00:CE:3F and an IP address of 21.0.0.43. For example: -> vlan 1500 binding mac-ip-port 00:da:95:00:ce:3f 21.0.0.43 3/10 Note. Optional. To verify that the rules in this tutorial were defined for VLANs 255, 355, and 1500, enter show vlan rules. For example: -> show vlan rules...
  • Page 166: Vlan Rules Overview

    There are several types of configurable VLAN rules available for classifying different types of network device traffic. There is no limit to the number of rules allowed per VLAN and up to 8,129 of each rule type is allowed per switch. See “Configuring VLAN Rule Definitions”...
  • Page 167: Dhcp Rules

    IP network address rules. Binding rules, MAC address rules, and protocol rules also capture DHCP client traffic. The exception to this is binding rules that specify an IP address as part of the rule, similar to IP network address rule definitions.
  • Page 168: Binding Rules

    As a result, a separate binding rule is required for each device. An unlimited number of such rules, however, is allowed per VLAN and up to 8129 of each rule type is allowed per switch. Although DHCP traffic is examined and processed first by switch software, binding rules take precedence over all other rules.
  • Page 169: Port Rules

    VLANs is forwarded out the one mobile port to the silent device. For example, if port 3 on slot 2 is specified in a port rule defined for VLANs 255, 355, and 755, then outgoing traffic from all three of these VLANs is forwarded on port 2/3.
  • Page 170: Understanding Vlan Rule Precedence

    The first column lists the rule type names, the second and third columns describe how the switch handles frames that match or don’t match rule criteria. The higher the rule is in the list, the higher its level of precedence.
  • Page 171 5. DHCP Generic: DHCP frame. Frame source is assigned to the rule’s VLAN, but not learned. 6. MAC-Port-IP Address Binding: Frame contains a matching source MAC address, source port, and source IP subnet address. Frame source is assigned to the rule’s VLAN.
  • Page 172: Configuring Vlan Rule Definitions

    VLAN. • There is no limit to the number of rules defined for a single VLAN and up to 8129 rules are allowed per switch.
  • Page 173: Defining Dhcp Mac Address Rules

    When an active device is disconnected from a mobile port and connected to a fixed port, the source MAC address of that device is not learned on the fixed port until the MAC address has aged out and no longer appears on the mobile port.
  • Page 174: Defining Dhcp Mac Range Rules

    Defining DHCP MAC Range Rules A DHCP MAC range rule is similar to a DHCP MAC address rule, but allows the user to specify a range of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential MAC addresses.
  • Page 175: Defining Dhcp Generic Rules

    DHCP generic rules capture all DHCP traffic that does not match an existing DHCP MAC or DHCP port rule. If none of these other rules exist, then all DHCP frames are captured regardless of the port they came in on or the frame’s source MAC address. Only one rule of this type is allowed per switch.
  • Page 176: How To Define A Mac-Port Binding Rule

    To define a MAC-port binding rule, enter vlan followed by an existing VLAN ID then binding mac-port followed by a valid MAC address and a slot/port designation. For example, the following command defines a MAC-port binding rule for VLAN 1500: ->...
  • Page 177: Defining Mac Address Rules

    Defining MAC Range Rules A MAC range rule is similar to a MAC address rule, but allows the user to specify a range of MAC addresses. This is useful when it is necessary to define rules for a large number of sequential MAC addresses.
  • Page 178: Defining Ip Network Address Rules

    (e.g., 31.0.0.10, 31.0.0.4) to qualify for dynamic assignment to VLAN 1200. If a subnet mask is not specified, the default class for the IP address is used (Class A, B, or C). For example, either one of the following commands will create an IP network address rule for network 134.10.0.0: ->...
  • Page 179: Defining Protocol Rules

    -> vlan 1220 ipx 250c If the IPX network address rule VLAN is going to route IPX traffic, it is important to specify a rule encapsulation that matches the IPX router port encapsulation. If there is a mismatch, connectivity with other IPX devices may not occur.
  • Page 180: Defining Port Rules

    In this example, all traffic on VLAN 755 is flooded out mobile port 2 on slot 3. Note that it is possible to define a port rule for a non-mobile (fixed, untagged) port, however, the rule is not active until mobility is enabled on the port.
  • Page 181: Application Example: Dhcp Rules

    This application example shows how Dynamic Host Configuration Protocol (DHCP) port and MAC address rules are used in a DHCP-based network. DHCP is built on a client-server model in which a designated DHCP server allocates network addresses and delivers configuration parameters to dynamically configured clients.
  • Page 182 Application Example: DHCP Rules Defining VLAN Rules The following table summarizes the VLAN architecture and rules for all devices in this network configuration. The diagram on the following page illustrates this network configuration. Device VLAN Membership Rule Used/Router Role...
  • Page 183 DHCP respective s via IP subnet rules. VLAN Clients DHCP Router Clients 1 to 6 are assigned to their respective Router 1 provides connectivity between the Test s through port rules. Clients 3 and VLAN DHCP and the Production . It does not...
  • Page 184: Verifying Vlan Rule Configuration

    Displays a list of rules for one or all VLANs configured on the switch. For more information about the resulting display from this command, see the OmniSwitch CLI Reference Guide. An example of the output for the show vlan rules command is also given in “Sample VLAN Rule Configuration”...
  • Page 185: Chapter 9 Configuring Vlan Stacking

    VLAN Translation. This feature enables service providers to offer their customers Transparent LAN Services (TLS). This service is multipoint in nature so as to support multiple customer sites or networks distributed over the edges of a service provider network.
  • Page 186: Configuring Vlan Stacking

    VLAN Stacking Specifications Configuring VLAN Stacking VLAN Stacking Specifications IEEE Standards Supported IEEE 802.1Q, 2003 Edition, IEEE Standards for Local and metropolitan area networks—Virtual Bridged Local Area Networks P802.1ad/D6.0 (C/LM) Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area...
  • Page 187: Vlan Stacking Overview

    This SVLAN does not terminate on the switch itself; traffic ingressing on a network port is switched to other network ports. It is also possible for the same switch to function as both a PE Bridge and a Transit Bridge.
  • Page 188 [Figure: VLAN Stacking Elements, showing Customer A and Customer B sites connected through Provider Edge 1, Provider Edge 3 and a Transit Bridge across the EMAN, with UNI and NNI ports labeled] page 9-4 OmniSwitch AOS Release 6 Network Configuration Guide September 2009...
  • Page 189: How Vlan Stacking Works

    On the Provider Edge bridge (PE), a unique tunnel (SVLAN) ID is assigned to each customer. The tunnel ID corresponds to a VLAN ID, which is created on the switch when the tunnel is configured. For example, when tunnel 100 is created, VLAN Stacking software interacts with VLAN Manager software to configure a VLAN 100 on the switch.
  • Page 190: Vlan Stacking Services

    Service Access Point (SAP)—A SAP is associated with a VLAN Stacking service name and a SAP profile. The SAP binds UNI ports and customer traffic received on those ports to the service. The profile specifies traffic engineering attribute values that are applied to the customer traffic received on the SAP UNI ports.
  • Page 191: Interaction With Other Features

    Interaction With Other Features This section contains important information about VLAN Stacking interaction with other OmniSwitch features. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature. GARP VLAN Registration Protocol (GVRP) •...
  • Page 192: Link Aggregation

    Both static and dynamic link aggregation are supported with VLAN Stacking. • Note that a link aggregate must consist of all UNI or all NNI ports. VLAN Stacking functionality is not supported on link aggregates that consist of a mixture of VLAN Stacking ports and conventional switch ports.
  • Page 193: Quick Steps For Configuring Vlan Stacking

    (Optional) Associate the “sap-video1” profile with SAP 10 using the ethernet-service sap sap-profile command. -> ethernet-service sap 10 sap-profile sap-video1 (Optional) Create a UNI port profile to block GVRP and STP control frames received on UNI ports using the ethernet-service uni-profile command.
  • Page 194 : sap-video1 SAP Id : 30 UNIs : 1/3 CVLAN(s) : untagged, 40 sap-profile : sap-video2 See the OmniSwitch CLI Reference Guide for information about the fields in this display. page 9-10...
  • Page 195: Configuring Vlan Stacking Services

    CVLAN translation or double-tagging, and priority bit mapping. A default profile is automatically associated with a SAP at the time the SAP is created. As a result, it is only necessary to configure a SAP profile if the default attribute values are not sufficient. See “Configuring a...
  • Page 196: Configuring Svlans

    IP Multicast VLAN traffic (IPMVLAN). SVLANs are not configurable or modifiable using standard VLAN commands. The exception to this is that it is possible to configure an IP interface for a provider management SVLAN. However, traffic is not routed on this interface.
  • Page 197: Configuring A Vlan Stacking Service

    SVLAN or IPMVLAN ID, depending on the type of traffic the service will process. The ID specified with this command identifies the SVLAN that will carry traffic for the service.
  • Page 198: Configuring Vlan Stacking Network Ports

    When a port is associated with an SVLAN using this command, the port is automatically defined as an NNI to carry traffic for the specified SVLAN. In addition, the default VLAN for the port is changed to a VLAN that is reserved for the VLAN Stacking application. At this point, the port is no longer configurable using standard VLAN port commands.
  • Page 199: Configuring A Vlan Stacking Service Access Point

    VLAN Stacking service access point (SAP). An SAP is assigned an ID number at the time it is configured. This ID number is then associated with the following VLAN Stacking components: •...
  • Page 200: Configuring Vlan Stacking User Ports

    Consider the following when configuring a VLAN Stacking SAP: • A SAP is assigned to only one service, but a service can have multiple SAPs. So, a single service can process and tunnel traffic for multiple UNI ports and customers.
  • Page 201: Configuring The Type Of Customer Traffic To Tunnel

    IP Multicast VLANs” chapter in this guide. • A default UNI profile is assigned to the port at the time the port is configured. This profile defines how control frames received on the UNI ports are processed. By default, GVRP and Spanning Tree frames are tunneled.
  • Page 202: Configuring A Service Access Point Profile

    Note that when the last customer traffic association is deleted from a SAP, the SAP itself is not automatically deleted. No traffic is accepted or processed by a SAP in this state, but the SAP ID is still known to the switch.
  • Page 203: Associating A Profile With A Service Access Point

    Associating a Profile with a Service Access Point After a profile is created, it is then necessary to associate the profile with a VLAN Stacking SAP. When this is done, the current profile associated with a SAP is replaced with the new profile.
  • Page 204: Associating Uni Profiles With Uni Ports

    Associating UNI Profiles with UNI Ports After a UNI profile is created, it is then necessary to associate the profile with a UNI port or a UNI link aggregate. When this is done, the current profile associated with the port is replaced with the new profile.
  • Page 205: Vlan Stacking Application Example

    Customer A traffic (all CVLANs) into SVLAN 100 and Customer B traffic (CVLAN 10 only) into SVLAN 200. In addition, the CVLAN 10 inner tag priority bit value is mapped to the SVLAN outer tag priority value. The customer traffic is then transparently bridged across the MAN network and sent out to the destined customer site.
  • Page 206: Vlan Stacking Configuration Example

    Associate the SAP with the “CustomerB” service. -> ethernet-service sap 30 service-name CustomerB Configure port 1/1 on PE1 and PE2 as a VLAN Stacking UNI port and associate 1/1 with SAP 20 using the ethernet-service sap uni command.
  • Page 207 Configuring VLAN Stacking VLAN Stacking Application Example Create a SAP profile on PE1 and PE2 that will map the inner CVLAN tag 802.1p value to the outer SVLAN tag using the ethernet-service sap-profile command. -> ethernet-service sap-profile map_pbit priority map-inner-to-outer-p Associate the “map_pbit”...
  • Page 208: Verifying The Vlan Stacking Configuration

    Displays SAP profile attribute values. For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show ethernet-service command is also given in “Quick Steps for Configuring VLAN Stacking” on page 9-9.
  • Page 209: 10 Configuring Mpls

    The packets are identified by a label inserted into each packet. This implementation of MPLS provides the network architecture that is needed to set up a Virtual Private LAN Service (VPLS). VPLS allows multiple customer sites to transparently connect through a single bridging domain over an IP/MPLS-based network.
  • Page 210: Mpls Specifications

    32** Maximum number of static LSPs 1024 Maximum number of backup static LSPs *Applies to egress and ingress Label Edge Routers (LERs) only. **Applies to transit Label Switching Routers (LSRs) only. page 10-2...
  • Page 211: Mpls Defaults

    Configuring MPLS MPLS Defaults MPLS Defaults The following table shows the default settings of the configurable LDP-based MPLS parameters. Parameter Description Command Default Value/Comments MPLS status for the switch. configure router mpls shutdown Enabled LDP status for the switch. configure router ldp shutdown...
  • Page 212: Quick Steps For Configuring Mpls

    A Loopback0 interface that will serve as the system IP address to identify the router as an MPLS LSR. This requirement is specific to the OmniSwitch. • At least one IP interface that will serve as an MPLS interface (for static paths) or as a Label Distribution Protocol (LDP) interface. •...
  • Page 213: Quick Steps For Configuring Ldp

    OmniSwitch CLI Reference Guide for information about the fields in the above displays. Quick Steps for Configuring LDP An LDP interface is required on each router that will participate in the MPLS LSP. The following steps provide a quick tutorial for configuring LDP interfaces:...
  • Page 214 For example: -> configure router ldp interface-parameters interface vlan-10 keepalive 50 10 Select the system IP address or the LDP IP interface address as the transport address for the LDP interface using the configure router ldp interface-parameters transport-address command.
  • Page 215 -> configure router ldp targeted-session keepalive 40 2 Quick Steps for Configuring LDP Graceful Restart The graceful restart mechanism is always enabled for the switch. The following steps provide a quick tutorial for configuring the graceful restart helper status and timers:...
  • Page 216: Quick Steps For Configuring Static Lsps

    Quick Steps for Configuring Static LSPs Configuring static Label Switched Paths (LSPs) is also supported. To define a static LSP tunnel to a far-end provider edge (PE) router, configuring an MPLS interface and label-mapping actions is required on each router (ingress, transit, and egress) that will participate in the static LSP.
  • Page 217 For example: -> configure router mpls static-lsp to-R3 push 777 next-hop 192.168.10.2 The above command pushes label 777 onto the top of the label stack and then forwards the packet to the next-hop router in the static LSP. Optional. By default, a static LSP is disabled when it is created. To enable the administrative status of...
  • Page 218: Quick Steps For Configuring Static Fast Re-Route

    -> configure router mpls static-lsp to-R3-backup push 777 next-hop 192.168.11.1 The above command pushes label 777 onto the top of the label stack and then forwards the packet to 192.168.11.1, which is the next-hop router in the “to-R3-backup” path.
  • Page 219 -> configure router mpls interface vlan-10 label-map 777 protect-swap 778 next-hop 192.168.11.2 The above command swaps label 777 out of the label stack and replaces it with label 778 and then forwards the packet to the next-hop router (192.168.11.2).
  • Page 220: Mpls Overview

    In MPLS, packets can carry not just one label, but a set of labels in a stack. An LSR can swap the label at the top of the stack, pop the stack, or swap the label and push one or more labels into the stack. Labeled packet processing is independent of the level of hierarchy.
  • Page 221: Label Switched Path Types

    FEC. LDP allows an LSR to request a label from a downstream LSR so it can bind the label to a specific FEC. The downstream LSR responds to the request from the upstream LSR by sending the requested label.
  • Page 222: Graceful Restart On Switches With Redundant Cmms

    When a labeled packet ingresses the router, the label or stack of labels indicates the set of actions associated with the FEC for that label or label stack. The actions are performed on the packet and then the packet is forwarded.
  • Page 223 Router Y, maintains Router X as the DR until the helping relationship is terminated. If there are multiple adjacencies with the restarting Router X, Router Y will act as a helper on all other adjacencies.
  • Page 224: Interaction With Other Features

    Interaction With Other Features This section contains important information about MPLS interaction with other OmniSwitch features. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature. Multiple Virtual Routing and Forwarding (VRF) Virtual Private LAN Service (VPLS) tunnels and the Label Distribution Protocol (LDP) associate with the default VRF instance.
  • Page 225: Interoperability With Alcatel-Lucent Sr Series

    MPLS and the Alcatel-Lucent Service Router (SR) Series implementation of MPLS. Command Line Interface (CLI) Most of the configure, show, and clear CLI commands for VPLS on the OmniSwitch are compatible with the Service Router product family running R6.0. However, the following differences exist between the CLI commands offered on the OmniSwitch and those offered on the SR products: •...
  • Page 226 VPLS services over the IP/MPLS network. For more information about provisioning VPLS over IP/MPLS, see the “Configuring VPLS” chapter in this guide. At the end of the chapter is a simple MPLS network diagram with instructions on how it was created on a router-by-router basis. See “MPLS Application Example”...
  • Page 227: Preparing The Network For Mpls

    Note. For multiple entries of serial numbers, MAC addresses, and authorization codes, use a CSV formatted file and upload the file onto the website. A single license file lmLicense.dat is generated for all the switches.
  • Page 228: Activating Mpls

    By default, the MPLS instance is created and enabled for the switch when the MPLS software license is downloaded and installed on the switch. As a result, it is not necessary to load or activate MPLS to start using the feature.
  • Page 229: Modifying Ldp Interface Parameters

    This number is divided into the timeout value to determine the interval at which messages are sent. As a result, the hello timeout is set to 40 seconds with an interval of 20 seconds (40 divided by 2).
  • Page 230 -> configure router ldp targeted-session hello 20 2 By default, the T-LDP hello timeout is 45 seconds and the timeout factor is 3. This calculates out to a hello interval value of 15, which means that every 15 seconds a hello timeout message is sent.
  • Page 231: Selecting The Ldp Interface Transport Address

    A static LSP consists of one ingress router, one or more transit routers, and one egress router. The Static LSP instance is identified by the LSP name on the ingress router and by the MPLS interface name and ingress label combination on both transit and egress routers.
  • Page 232: Static Lsp Configuration Guidelines

    Configure the MPLS label-map pop action—Removes the incoming label number from the top of the packet. Once the label is popped, the packet is forwarded based on the service header of the packet. “Configuring the MPLS Label-Map Pop” on page 10-26.
  • Page 233: Configuring The Mpls Interface

    Note that if an ARP entry for the specified next hop exists, then the static LSP is marked as operational. If an ARP entry does not exist, then the static LSP is marked as operationally down and the local router continues to ARP for the configured next hop at a fixed interval.
  • Page 234: Configuring The Static Lsp Instance

    Configuring the MPLS Label-Map Protect Swap A label-map protect-swap action provides a backup static label-map swap in the event the primary static path to the next-hop router goes down. This type of action is only configured for MPLS interfaces on transit routers.
  • Page 235: Using Static Fast Reroute (Frr)

    Configuring the Static LSP Label-Map Push Action The static LSP label-map push action pushes a label onto the top of the label stack and then forwards the packet to the next-hop transit router in the static LSP. This type of action is only configured on ingress routers for a static LSP instance.
  • Page 236 “Configuring the MPLS Label-Map Protect Swap” on page 10-26. Note that the OmniSwitch does not support dynamic FRR that is available on other Alcatel-Lucent platforms. Only static FRR is supported with this implementation of MPLS. page 10-28...
  • Page 237: Configuring Ldp Graceful Restart

    Configuring MPLS Configuring LDP Graceful Restart The LDP graceful restart mechanism is always enabled on the switch. As a result, a fault tolerant (FT) Session TLV is automatically added to LDP initialization messages to indicate graceful restart is enabled for the router. The FT Session TLV also includes a default non-zero reconnect time that advertises to LDP neighbors that the local router retains its forwarding state across restarts.
  • Page 238: Mpls Application Example

    This section provides an example network configuration in which the Label Distribution Protocol (LDP) is used to set up both static and signaled Label Switched Paths (LSPs). In addition, a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).
  • Page 239: Configuring The Example Mpls Network

    -> ip interface vlan-30 address 192.168.30.1 vlan 30 -> vlan 30 port default 1/4 -> ip interface Loopback0 address 10.10.10.2 The above commands created VLANs 1 (VLAN 1 already exists on the switch), VLAN 30, IP interfaces for the VLANs, and the Loopback0 interface address. •...
  • Page 240 556 for label 668 and forward the label packets to R2 (192.168.10.2). • MPLS interface vlan-1 will swap incoming label 777 for label 888 and incoming label 557 for label 999 and forward the label packets to R3 (192.168.30.3). Router 2 (connects to R1 over VLAN 1, R3 over VLAN 20, and R4 over VLAN 50) Prepare the router by setting up VLANs, port assignments, and interfaces.
  • Page 241 MPLS Application Example • The “to-R3” instance provides a static LSP from R2 through transit router R1 to egress router R3 (10.10.10.3). This instance pushes label 777 onto packets and forwards them to R1, where the label is swapped and the packets are forwarded to R3.
  • Page 242 MPLS Application Example Configuring MPLS Router 3 (connects to R1 over VLAN 30, R2 over VLAN 20, and R4 over VLAN 40). Prepare the router by setting up VLANs, port assignments, and interfaces. -> vlan 20 -> ip interface vlan-20 address 192.168.20.3 vlan 20 ->...
  • Page 243 The “to-R2-alt” instance then pushes label 111 onto packets and forwards them to R2. • The “to-R4” instance provides a static LSP from R3 through transit routers R1 and R2 to egress router R4 (10.1.1.3). This instance pushes label 556 on to packets and forwards them to R1, where the label is swapped and the packets are forwarded to R2 for swapping and forwarding to R4.
  • Page 244 -> configure router mpls interface vlan-50 label-map 333 no shutdown The above commands created MPLS interfaces vlan-50. • MPLS interface vlan-20 will pop incoming labels 558 and 112 off of the packets, marking the end of MPLS switching. • MPLS interface vlan-30 will pop incoming labels 888 and 999 off of the packets, marking the end of MPLS switching.
  • Page 245: Configuring Example Vpls Services

    10-30. Router 1 (no services configured) In this example, R1 is a transit router for services between R2, R3, and R4. As a result, no VPLS services are configured on this router. Router 2 Create SDP 20 and associate the SDP with the “to-R3” and “to-R3-alt” static LSP tunnels.
  • Page 246 -> configure service vpls 100 mesh-sdp 30 no shutdown -> configure service vpls 100 no shutdown Create a SAP on access ports 1/8 and 1/7 and associate the SAP with VPLS 100. -> configure service port 1/8 mode access -> configure service vpls 100 sap 1/8 create ->...
  • Page 247 -> configure service vpls 100 sap 1/7 create -> configure service vpls 100 sap 1/7 no shutdown Create a SAP on access port 1/14 and associate the SAP with VPLS 200. Note that VPLS 200 will forward traffic over the LDP-signaled LSP between R3 and R4.
  • Page 248 Configuring MPLS Bind VPLS 200 with SDP 40 -> configure service vpls 200 mesh-sdp 40:200 create -> configure service vpls 200 mesh-sdp 40:200 no shutdown -> configure service vpls 200 no shutdown page 10-40...
  • Page 249: Verifying The Mpls Configuration

    MPLS LSP. oam lsp-trace Performs an OAM traceroute for an existing MPLS LSP. For more information about the use and resulting displays from all of the above commands, see the OmniSwitch CLI Reference Guide.
  • Page 251: Chapter 11 Configuring Vpls

    IP/MPLS network. The customer sites in a VPLS instance appear to be on the same LAN, regardless of their location. VPLS uses an Ethernet interface on the customer-facing (access) side which simplifies the LAN/WAN boundary and allows for rapid and flexible service provisioning.
  • Page 252: Vpls Specifications

    32** Maximum number of static LSPs 1024 Maximum number of backup static LSPs *Applies to egress and ingress Label Edge Routers (LERs) only. **Applies to transit Label Switching Routers (LSRs) only. page 11-2...
  • Page 253: Vpls Defaults

    VPLS administrative status when configure service vpls shutdown Disabled the service is created Default VC ID for each end of the configure service vpls def-mesh-vc-id VPLS service ID is used MPLS tunnel for the service. as the default VC ID...
  • Page 254: Quick Steps For Configuring Vpls

    Note that once a far-end address is specified for the SDP, a service tunnel instance is created between the local and remote routers. A return SDP tunnel is required from the remote router to the local router, as SDP tunnels are uni-directional.
  • Page 255 Configuring VPLS Quick Steps for Configuring VPLS If the SDP is going to use static LSPs, first disable LDP-signaled LSPs using the no form of the configure service sdp ldp command, then disable auto-label signaling (targeted LDP) for the SDP using the configure service sdp signaling command with the off option.
  • Page 256 Quick Steps for Configuring VPLS Configuring VPLS (Optional) Create a Layer 2 port profile to discard GVRP and STP control frames received on access ports using the configure service l2profile command. For example, the following commands create the “discard-stp-gvrp” profile and configure the profile to discard stp and gvrp: ->...
  • Page 257: Vpls Overview

    The PE device is where the services originate and terminate and where all the necessary tunnels are set up to connect to all the other PEs. As VPLS is an Ethernet Layer 2 service, the PE must be capable of Media Access Control (MAC) learning, bridging, and replication on a per-VPLS basis.
  • Page 258: Vpls Mac Learning And Packet Forwarding

    To prevent forwarding loops, the "Split Horizon" rule is used. In the VPLS context, this rule implies that a PE must never send a packet on a pseudowire (PW) if that packet was received from a PW. This ensures that traffic cannot form a loop over the backbone network using PWs.
  • Page 259: Service Entities

    PE to another PE through a one-way service tunnel. SDPs are used to set up distributed services, which consist of at least one SAP on a local node, one SAP on a remote node, and an SDP binding the service to the service tunnel.
  • Page 260 VPLS1 and VPLS2 are bound as a mesh-SDP to SDP1 on PE1 and to SDP2 on PE2. Binding of a service (VPLS instance) to an SDP is required to set up a Virtual Circuit (VC) / pseudo wire (PW) to the far end.
  • Page 261: Interaction With Other Features

    All other ports (those not configured as access ports) are considered VPLS network ports by default when MPLS/VPLS is enabled for the switch. Access ports and network ports differ in their level of support for other switch applications, as shown in the following table:...
  • Page 262: Multiple Virtual Routing And Forwarding (Vrf)

    • When a port is configured as a VPLS access port, the default VLAN for the port is reserved for VPLS use and is no longer configurable using VLAN management commands.
  • Page 263: Interoperability With Alcatel-Lucent Sr Series

    Service Distribution Point (SDP) VC Type When configuring services between OmniSwitch and SR Series routers, set the VC type of the mesh-SDP binding to Ethernet if the access ports use the null encapsulation type or VLAN if the ports use dot1q encapsulation type. See “Binding Services to SDPs”...
  • Page 264 Interoperability With Alcatel-Lucent SR Series Configuring VPLS When configuring VPLS services between an OmniSwitch router and an SR Series router, select a VLAN VC type. By default, the VC type is set to Ethernet. See “Binding Services to SDPs” on page 11-20 for more information.
  • Page 265: Configuring Vpls Services

    ID at the time the service is created. Subsequently, the service is bound to a SAP to receive customer traffic and bound to a SDP that will distribute that traffic through the provider network.
  • Page 266: Configuring Service Distribution Points (Sdps)

    Consider the following when configuring SDPs: • MPLS is the supported SDP encapsulation type with this implementation. GRE encapsulation is not supported at this time. As a result, configuring the encapsulation type is not necessary; MPLS is used by default. •...
  • Page 267: Creating A Sdp

    VC labels manually. Creating a SDP A SDP is identified by an ID number. This ID number is used to bind the SDP to a service and LSPs. The configure service sdp create command is used to create the SDP ID. For example, the following command creates a SDP with 10 as the ID number: ->...
  • Page 268: Deleting An Sdp

    LDP for SDP 10: -> configure service sdp 10 ldp To configure the SDP to use static LSPs, first disable LDP using the no form of the configure service sdp ldp command. For example: -> configure service sdp 10 no ldp...
  • Page 269: Creating A Vpls Service

    ID 10: -> configure service vpls 100 customer 10 create Once created, the service ID is then used to bind the service to an SDP and a SAP on each local and remote router for the service. See “Configuring Service Distribution Points (SDPs)”...
  • Page 270: Binding Services To Sdps

    Binding a service (VPLS instance) to an SDP is required to set up a Virtual Circuit (VC)/Pseudo Wire (PW) to the far end of the MPLS tunnel. If an SDP is not explicitly bound to a service, no far-end routers can participate in the service.
  • Page 271: Enable The Sdp Binding

    • Create a SAP by associating a SAP ID with a VPLS service ID. A SAP ID is comprised of an access port and an encapsulation value, which is used to identify the type of customer traffic to map to the associated service.
  • Page 272: Configuring Service Access Ports

    (multiple SAPs using 802.1q tags to direct packets to a specific service). By default, the encapsulation type is set to null when the port is configured as an access port. To change the encapsulation type for the port, use the configure service port encap-type command.
  • Page 273 Associate Layer 2 Profiles with Access Ports After a Layer 2 profile is created, it is then necessary to associate the profile with an access port or link aggregate. When this is done, the current profile associated with the port is replaced with the new profile.
  • Page 274: Creating The Sap

    802.1p value is configured with this command. By default, a SAP is trusted with the priority set to best effort (zero). Use the no form of the configure service vpls sap trusted command with the priority option to change the SAP mode to untrusted. For example: ->...
  • Page 275: Deleting The Sap

    Configuring a static MAC address entry for a SAP is supported, but is not required. Static MACs associated with a SAP are classified as local MACs. A local MAC is used by the associated VPLS so that MAC addresses are not learned on the edge device.
  • Page 276: Vpls Configuration Example

    VPLS Configuration Example Configuring VPLS VPLS Configuration Example This section will demonstrate how to set up a Service Distribution Point (SDP) between two far-end hosts and bind a VPLS instance to the SDP. • Label Distribution Protocol (LDP) signaling is enabled on the adjacent router interfaces to set up the Label Switched Paths (LSPs) between the routers.
  • Page 277 OSPF PUSH/ 9.1.1.2/32 11.1.1.1 The following steps provide a tutorial on how to set up the SDP/VPLS configuration in the example diagram on page 11-26. These steps are based on the assumption that the following network preparation is already in place: •...
  • Page 278 Configure an SDP on Router 1 and Router 3. SDP tunnels are unidirectional, so SDPs are configured in each direction. Note that an SDP is not configured on Router 2 because of its transit router status in the example configuration.
  • Page 279 (PE1 to PE2). • Since the service is bound to the SDP 8, VPLS service 100 will use the tunnel created in Step 3. In this case, the tunnel label is 21 (Outer label).
  • Page 280 -> configure service vpls 100 sap 2/1:100 create -> configure service vpls 100 sap 2/1:100 no shutdown The above commands create a virtual bridge between port 1/1 on PE1 and port 2/1 on PE2 for customer VLAN 100 traffic, send bi-directional traffic, and verify the flow/connectivity.
  • Page 281 -> configure service customer 100 create -> configure service vpls 100 customer 100 create -> configure service vpls 100 mesh-sdp 8 create -> configure service vpls 100 mesh-sdp 8 no shutdown -> configure service vpls 100 no shutdown -> configure service port 2/1 mode access ->...
  • Page 282: Verifying The Vpls Configuration

    Verifying the VPLS Configuration Configuring VPLS Verifying the VPLS Configuration You can use CLI show commands to display the current configuration and statistics of VPLS service entities on a switch. These commands include the following: show service port Displays the access port configuration.
  • Page 283: In This Chapter

    Spanning Tree Algorithm and Protocol (STP) and the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), MSTP also ensures that there is always only one data path between any two switches for a given Spanning Tree instance to prevent network loops.
  • Page 284: Using 802.1Q 2005 Multiple Spanning Tree

    Multiple Spanning Tree Algorithm and Protocol (MSTP) Platforms Supported OmniSwitch 6400, 6800, 6850, 6855, and 9000 Spanning Tree Operating Modes supported Flat mode - one spanning tree instance per switch 1x1 mode - one spanning tree instance per VLAN Spanning Tree port eligibility Fixed ports (non-mobile) 802.1Q tagged ports...
  • Page 285: Spanning Tree Port Parameter Defaults

    Multiple Spanning Tree Region Defaults Although the following parameter values are specific to MSTP, they are configurable regardless of which mode (flat or 1x1) or protocol is active on the switch. Parameter Description...
  • Page 286: Mst General Overview

    CST algorithm across all MSTIs. However, it is possible to configure the priority and/or path cost of a port for a particular MSTI so that a port remains in a forwarding state for an MSTI instance, even if it is blocked as a result of automatic CST computations for other instances.
  • Page 287 VLAN 100 and VLAN 200 are each associated with their own Spanning Tree instance. • The connection between 3/1 and 2/1 is left in a forwarding state because it is part of the VLAN 100 Spanning Tree instance and is the only connection for that instance.
  • Page 288 However, because VLANs 200 and 250 are associated to MSTI 2, it is possible to change the port path cost for ports 2/12, 3/6, 4/8 and/or 5/2 so that they provide the best path for MSTI 2 VLANs, but do not carry CIST VLAN traffic or cause CIST ports to transition to a blocking state.
  • Page 289: Comparing Mstp With Stp And Rstp

    The flat mode CST instance automatically determines port states and roles across VLAN port and MSTI associations. This is because the CST instance is active on all ports and only one BPDU is used to forward information for all MSTIs.
  • Page 290: What Is A Multiple Spanning Tree Region

    • The CST for the entire network sees Switches A, B, and C as one virtual bridge that is running a single Spanning Tree instance. As a result, CST blocks the path between Switch C and Switch E instead of blocking a path between the MST region switches to avoid a network loop.
  • Page 291: What Is The Common Spanning Tree

    The IST instance determines and maintains the CST topology between MST switches that belong to the same MST region. In other words, the IST is simply a CST that only applies to MST Region switches while at the same time representing the region as a single Spanning Tree bridge to the network CST.
  • Page 292: Mst Configuration Overview

    The configuration, however, does not go active until the switch is changed to the appropriate mode. For example, if the switch is running in the 1x1 mode, the following explicit command changes the MSTI 3 priority to 12288: ->...
  • Page 293: Understanding Spanning Tree Modes

    12-10 for more information about explicit commands. By default, a switch is running in the 1x1 mode and using the 802.1D protocol when it is first turned on. See Chapter 13, “Configuring Spanning Tree Parameters,” for more information about Spanning Tree modes.
  • Page 294: Mst Interoperability And Migration

    Although it is not recommended, it may be necessary to temporarily connect a 1x1 switch to a flat mode switch until migration to MSTP is complete. If this is the case, then only configure a fixed, untagged connection between VLAN 1 on both switches.
  • Page 295: Migrating From 1X1 Mode To Flat Mode Mstp

    Note that STP/RSTP use a 16-bit port path cost (PPC) and MSTP uses a 32-bit PPC. When the protocol is changed to MSTP, the bridge priority and PPC values for the flat mode CIST instance are reset to their default values.
  • Page 296: Quick Steps For Configuring An Mst Region

    Note that an additional configurable MST region parameter defines the maximum number of hops authorized for the region but is not considered when determining regional membership. The maximum hops value is the value used by all bridges within the region when the bridge is acting as the root of the MST region.
  • Page 297 Using 802.1Q 2005 Multiple Spanning Tree Quick Steps for Configuring an MST Region Map VLANs 100 and 200 to MSTI 2 and VLANs 300 and 400 to MSTI 4 using the bridge msti vlan command to define the configuration digest. For example: ->...
  • Page 298: Quick Steps For Configuring Mstis

    Using 802.1Q 2005 Multiple Spanning Tree Quick Steps for Configuring MSTIs By default, the Spanning Tree software is active on all switches and operating in the 1x1 mode using 802.1w RSTP. A loop-free network topology is automatically calculated based on default 802.1w RSTP switch, bridge, and port parameter values.
  • Page 299 MSTI 1. As a result, MSTI 1 selects one of the data paths between its VLANs as the best path, rather than the CIST data paths,...
  • Page 300 Flat Mode MSTP with Superior MSTI 1 PPC Values Note that of the two data paths available to MSTI 1 VLANs, one is still blocked because it is seen as redundant for that instance. In addition, the CIST data path still remains available for CIST VLAN traffic.
  • Page 301: Verifying The Mst Configuration

    Verifying the MST Configuration To display information about the MST configuration on the switch, use the show commands listed below: show spantree cist Displays the Spanning Tree bridge configuration for the flat mode Common and Internal Spanning Tree (CIST) instance.
  • Page 303: Chapter 13 Configuring Spanning Tree Parameters

    This functionality improves network robustness by providing a Spanning Tree that continues to respond to BPDUs (Bridge Protocol Data Unit) and port link up and down states in the event of a fail over to a backup management module or switch.
  • Page 304: In This Chapter

    In This Chapter This chapter provides an overview about how Spanning Tree works and how to configure Spanning Tree parameters through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
  • Page 305: Spanning Tree Specifications

    OmniSwitch 6400, 6850, 6855, and 9000 1x1 PVST+ OmniSwitch 6400, 6850, 6855, and 9000 Spanning Tree Operating Modes supported Flat mode - one spanning tree instance per switch 1x1 mode - one spanning tree instance per VLAN Spanning Tree port eligibility Fixed ports (non-mobile) 802.1Q tagged ports...
  • Page 306: Spanning Tree Bridge Parameter Defaults

    Type of port connection: bridge slot/port connection, default auto point to point. Type of BPDU to be used on a port when 1X1 PVST+ mode is enabled: bridge port pvst+, default auto (IEEE BPDUs are used until a PVST+ BPDU is...
  • Page 307: Multiple Spanning Tree (Mst) Region Defaults

    All VLANs are mapped to the Common Internal Spanning Tree (CIST) instance Ring Rapid Spanning Tree Defaults The following parameter value is specific to RRSTP and is only configurable when the flat mode is active on the switch. Parameter Description Command...
  • Page 308: Spanning Tree Overview

    In addition, a root path cost value is associated with every bridge. This value is the sum of the path costs for the port that receives frames on the best path to the root (this value is zero for the root bridge). The bridge with the lowest root path cost becomes the designated bridge for the LAN, as it provides the shortest path to the root for all bridges connected to the LAN.
  • Page 309 Spanning Tree topology. The following table provides a list of port role types and the port and/or bridge properties that the Spanning Tree Algorithm examines to determine which role to assign to the port.
  • Page 310: Bridge Protocol Data Units (Bpdu)

    The sending and receiving of Configuration BPDU between switches participating in the bridged network constitute the root bridge election; the best path to the root is determined and then advertised to the rest of the network. BPDU provide enough information for the STP software running on each switch to determine the following: •...
  • Page 311 If the previous three values tie, then the port ID (lowest priority value, then lowest port number). When a topology change occurs, such as when a link goes down or a switch is added to the network, the affected bridge sends Topology Change Notification (TCN) BPDU to the designated bridge for its LAN.
  • Page 312: Topology Examples

    If the active link goes down, then Spanning Tree will transition one of the blocked links to the forwarding state to take over for the downed link. If a new switch is added to the network, the Spanning Tree topology is automatically recalculated to include the monitoring of links to the new switch.
  • Page 313 • The port 3/9 connection on Switch C to port 2/2 on Switch D is in a discarding (blocking) state, as the connection these ports provides is redundant (backup) and has a higher path cost value than the 2/3 to 3/8 connection between the same two switches.
  • Page 314: Spanning Tree Operating Modes

    Spanning Tree instance is applied across multiple VLANs (flat mode) or a single instance is applied to each VLAN (1x1 mode). By default, a switch is running in the 1x1 mode when it is first turned on.
  • Page 315: Using 1X1 Spanning Tree Mode

    VLANs configured on the switch, then there are five separate Spanning Tree instances, each with its own root VLAN. In essence, a VLAN is a virtual bridge in that it will have its own bridge ID and configurable STP parameters, such as protocol, priority, hello time, max age, and forward delay.
  • Page 316: Using 1X1 Spanning Tree Mode With Pvst

    IEEE BPDUs or Cisco's proprietary PVST+ BPDUs. When PVST+ mode is enabled, a user port operates in 1x1 mode initially by default, until it detects a PVST+ BPDU which will enable that port to operate in the Cisco PVST+ compatible mode automatically. Thus, an OmniSwitch can have ports running in 1x1 mode when connecting to another OmniSwitch, or ports running in Cisco PVST+ mode when connecting to a Cisco switch.
  • Page 317: Configuration Overview

    Cisco switch. You can use the bridge port pvst+ command with the enable option to configure the port to handle only the PVST+ BPDUs and IEEE BPDUs for VLAN 1 (Cisco native VLAN for CST). For example: ->...
  • Page 318: Bpdu Processing In Pvst+ Mode

    Both Cisco and an OmniSwitch support two default path cost modes; long or short. It is recommended that the same default path cost mode be configured in the same way on all switches so that the path costs for similar interface types will be consistent when connecting ports between OmniSwitch and Cisco Switches.
  • Page 319: Configuring Stp Bridge Parameters

    The Spanning Tree software is active on all switches by default and uses default bridge and port parameter values to calculate a loop free topology. It is only necessary to configure these parameter values if it is necessary to change how the topology is calculated and maintained.
  • Page 320: Bridge Configuration Commands Overview

    For example, if the 1x1 mode is active, the instance number specified with the command implies a VLAN ID. If the flat mode is active, the single flat mode instance is implied and thus configured by the command.
  • Page 321 For example, if the bridge protocol for the flat mode instance was changed from STP to MSTP, then bridge cist protocol mstp is the command syntax captured to reflect this in the snapshot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
  • Page 322: Selecting The Bridge Protocol

    Configuring the Bridge Priority A bridge is identified within the Spanning Tree by its bridge ID (an eight byte hex number). The first two bytes of the bridge ID contain a priority value and the remaining six bytes contain a bridge MAC address.
  • Page 323: Configuring The Bridge Hello Time

    -> bridge 1x1 455 priority 25590 Note. If PVST+ mode is enabled on the switch, then the priority values can be assigned only in multiples of 4096 to be compatible with the Cisco MAC Reduction mode; any other values will result in an error message.
  • Page 324: Configuring The Bridge Max Age Time

    If the switch is running in the 1x1 Spanning Tree mode, then a hello time value is defined for each VLAN instance. If the switch is running in the flat Spanning Tree mode, then a hello time value is defined for the single flat mode instance.
  • Page 325: Configuring The Bridge Forward Delay Time

    The forward delay time propagated in a root bridge Configuration BPDU is the value used by all other bridges in the tree for their own forward delay time. Therefore, if this value is changed for the root bridge, all other bridges associated with the same instance will adopt this value as well.
  • Page 326: Enabling/Disabling The Vlan Bpdu Switching Status

    Configuring the Path Cost Mode The path cost mode controls whether the switch uses a 16-bit port path cost (PPC) or a 32-bit PPC. When a 32-bit PPC switch connects to a 16-bit PPC switch, the 32-bit switch will have a higher PPC value that will advertise an inferior path cost to the 16-bit switch.
  • Page 327: Using Automatic Vlan Containment

    MSTI-1 In the above diagram, port 4/2 is the Root port and port 5/1 is a Designated port for MSTI 1. AVC is not enabled. If another link with the same speed and lower port numbers is added to default VLAN 1 on both...
  • Page 328: Configuring Stp Port Parameters

    Spanning Tree flat mode instance that is available on all switches. When using STP or RSTP, the CIST is also known as instance 1 or bridge 1. When using MSTP, the CIST is also known as instance 0. In either case, an instance number is not required with cist commands, as there is only one CIST instance.
  • Page 329 Configuring STP Port Parameters The following is a summary of Spanning Tree port configuration commands. For more information about these commands, see the OmniSwitch CLI Reference Guide. Commands Type Used for ... bridge slot/port Implicit Configuring the port Spanning Tree status for a VLAN instance when the 1x1 mode is active or the single Spanning Tree instance when the flat mode is active.
  • Page 330 For example, if the bridge protocol for the flat mode instance was changed from STP to MSTP, then bridge cist protocol mstp is the command syntax captured to reflect this in the snapshot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
  • Page 331: Enabling/Disabling Spanning Tree On A Port

    For example, if a port is associated with both VLAN 10 and VLAN 20 and Spanning Tree is disabled on the port for VLAN 20, the port state is set to forwarding for VLAN 20.
  • Page 332: Configuring Port Priority

    The port with the highest priority (lowest numerical priority value) is selected and the others are put into a blocking state. If the priority values are the same for all ports in the path, then the port with the lowest physical switch port number is selected.
  • Page 333: Port Priority On Link Aggregate Ports

    The path cost value specifies the contribution of a port to the path cost towards the root bridge that includes the port. The root path cost is the sum of all path costs along this same path and is the value advertised in Configuration BPDU transmitted from active Spanning Tree ports.
  • Page 334: Path Cost For Link Aggregate Ports

    By default, Spanning Tree is enabled on a port and the path cost is set to zero. If the switch is running in the 1x1 Spanning Tree mode, then the port path cost applies to the specified VLAN instance associated with the port.
  • Page 335 1,200 If a 16-bit path cost value is in use and the path_cost for a link aggregate is set to zero, the following default values based on link speed and link aggregate size are used. Note that for Gigabit ports the aggre-...
  • Page 336: Configuring Port Mode

    There are two port modes supported: manual and dynamic. Manual mode indicates that the port was set by the user to a forwarding or blocking state. The port will operate in the state selected until the state is manually changed again or the port mode is changed to dynamic. Ports operating in a manual mode state do not participate in the Spanning Tree Algorithm.
  • Page 337: Configuring Port Connection Type

    Rapid transition of a designated port to forwarding can only occur if the port’s connection type is defined as a point to point or an edge port. Defining a port’s connection type as a point to point or as an edge port makes the port eligible for rapid transition, regardless of what actually connects to the port.
  • Page 338: Connection Type On Link Aggregate Ports

    1 as the instance number (e.g., bridge 1 1/24 connection noptp). However, this is only available when the switch is running in the flat mode and STP or RSTP is the active protocol. Note that the bridge slot/port connection command only configures one port at a time.
  • Page 339: Restricting Port Roles (Root Guard)

    -> bridge 1x1 2/1 root-guard enable When root guard is enabled for a port, it cannot become the root port, even if it is the most likely candidate for becoming the root port. It will be selected as the alternate port when the root port is selected.
  • Page 340: Using Rrstp

    RRSTP convergence may not happen when changes in configuration result in an unstable topology. • If either of the two ports of the RRSTP ring on a bridge goes down or if one of the bridges in the ring goes down, the RRSTP convergence may not happen. However, MSTP convergence will continue without interruption.
  • Page 341: Configuring Rrstp

    -> show bridge rrstp configuration RRSTP Global state is Enabled Creating and Removing RRSTP Rings By default, an RRSTP ring is disabled on the switch. To create an RRSTP ring comprising two ports, use the bridge rrstp ring command by entering: ->...
  • Page 342: Sample Spanning Tree Configuration

    This section provides an example network configuration in which the Spanning Tree Algorithm and Protocol has calculated a loop-free topology. In addition, a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).
  • Page 343: Example Network Configuration Steps

    The path cost for each port connection defaults to a value based on the link speed. For example, the connection between Switch B and Switch C is a 100 Mbps link, which defaults to a path cost of 19. •...
  • Page 344 (leave the priority for VLAN 255 on the other three switches set to the default value of 32768): -> bridge 255 priority 10 VLAN 255 on Switch D will have the lowest Bridge ID priority value of all four switches, which will qualify it as the Spanning Tree root VLAN for the VLAN 255 broadcast domain.
  • Page 345: Verifying The Spanning Tree Configuration

    For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show spantree and show spantree ports commands is also given in “Example Network Configuration Steps”...
  • Page 347: 14 Configuring Erp

    In This Chapter This chapter provides an overview about how Ethernet Ring Protection (ERP) works and how to configure its parameters through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
  • Page 348: Erp Specifications

    Maximum number of rings per ring port. Maximum number of nodes per ring: 16 (recommended). Maximum number of ERP protected VLANs per switch: 252 on a switch operating in the 1x1 Spanning Tree mode. Range for ring ID: 1 - 2147483647...
  • Page 349: Erp Overview

    Ethernet ring. Loop prevention is achieved by allowing the traffic to flow on all but one of the links within the protected Ethernet ring. This link is blocked and is referred to as the Ring Protection Link (RPL). When a ring failure condition occurs, the RPL is unblocked to allow the flow of traffic to continue through the ring.
  • Page 350: How Does Erp Work

    The Ethernet ring has a designated Ring Protection Link (RPL), which is blocked under normal conditions in order to avoid forming a loop in the ring. When a link or port failure is detected, a Signal Failure (SF) message is sent on the ring to inform other ring nodes of the failure condition. At this point the ring is operating in protection mode.
  • Page 351 Normal Mode If a link or node failure occurs in the ring shown in the above illustration, the ring transitions as follows into the protection mode: • Nodes adjacent to the failure detect and report the failure using the R-APS (SF) message.
  • Page 352: Overlapping Protected Vlans Between Erp Rings On Same Node

    • The ring is now operating in the idle mode. The RPL is blocked and all other ring links are operational. Overlapping Protected VLANs Between ERP Rings on same Node In a network where all connected nodes cannot belong to a single ERP ring, the OmniSwitch supports multiple ERP rings with a single shared node.
  • Page 353: Erp And Rrstp Differences

    ERP and RRSTP Differences ERP and the Ring Rapid Spanning Tree Protocol (RRSTP) are both used for the prevention of loops in ring-based topologies but have the following differences in their implementation and functionality: • RRSTP uses a different destination MAC address for each ring, based on the ring ID. ERP uses the same destination MAC address for all ERP protocol frames and identifies the ring based on a unique Service VLAN associated with each ring, which carries the ERP protocol frames.
  • Page 354: Interaction With Other Features

    Protected VLANs cannot be part of the same MSTI as non-ERP Protected VLANs. • RSTP and ERP can co-exist on a node only if STP is disabled on ERP ports, the default VLAN of ERP ports is disabled, and ERP protected VLANs are not configured on non-ERP ports. Also, non-ERP Protected VLANs should not be configured on ERP ports.
  • Page 355: Quick Steps For Configuring Erp With Standard Vlans

    Create a VLAN using the vlan command. -> vlan 1001 Create ERP ring ID 1, the ERP Service VLAN and MEG Level, and associate two ports to the ring using the erp-ring command. -> erp-ring 1 port1 1/1 port2 1/2 service-vlan 1001 level 5...
  • Page 356: Quick Steps For Configuring Erp With Vlan Stacking

    Note that when two VLAN Stacking NNI ports are associated with the same SVLAN and both those ports will serve as the ring ports for the node, the SVLAN is automatically added to the list of protected SVLANs for the ERP ring. For example, the following commands designate SVLAN 1002 as a protected VLAN: ->...
  • Page 357: Erp Configuration Overview And Guidelines

    When configuring a ring for a switch that is operating in the flat Spanning Tree mode using MSTP, make sure the standard VLAN to which the ring port is assigned is not a member of an MSTI that is also associated with ERP protected VLANs.
  • Page 358: Configuring An Erp Ring

    Entity Group (MEG) level of the ERP service VLAN with the number that is used for the Ethernet OAM MD. • The Service VLAN can belong to only one ERP ring at a time and must be a static VLAN. Note that the service VLAN is also a protected VLAN. Configuring an ERP Ring The following configuration steps are required to create an ERP ring: Determine which two ports on the switch will become the ring ports.
  • Page 359: Adding Protected Vlans

    Configuring an RPL Port A ring protection link (RPL) port can be a physical or logical port. The port must be a ring port before it is configured as an RPL port, and out of the two ring ports on the node, only one can be configured as a RPL port.
  • Page 360: Setting The Wait-To-Restore Timer

    For example: -> erp-ring 1 wait-to-restore 6 The above command is only used on a switch that serves as the RPL node for the ERP ring. The specified ERP ring ID must already exist in the switch configuration. To restore the timer back to the default setting, use the no form of the erp-ring wait-to-restore command.
  • Page 361: Monitoring Remote Ethernet Oam End Points With Erp

    For example: -> erp-ring 1 ethoam-event linkagg 1 remote-endpoint 20 To configure the ERP ring port to drop loss of connectivity events, use the no form of the erp-ring ethoam-event remote-endpoint command. For example: ->...
  • Page 362: Configuring Erp With Vlan Stacking Nnis

    In the above example, ERP ring 10 is configured as follows: SVLANs 100 and 200 are created. Port 1/3 is associated with SVLAN 100, but no erp parameter is used. As a result, port 1/3 is an STP type NNI association by default.
  • Page 363: Configuring Erp Protected Svlans

    Ports 1/1 and 1/2 are associated with VLAN 100 using the erp parameter. These ports are now ERP type NNI associations. The ERP ring is created specifying NNI ports 1/1 and 1/2 as the ring ports, SVLAN 200 as the service VLAN, and an MEG level of 3.
  • Page 364: Clearing Erp Statistics

    For example: -> clear erp statistics To clear ERP statistics for a specific ring in the switch, use the clear erp statistics command with the ring parameter to specify a ring ID. For example: -> clear erp statistics ring 5 To clear ERP statistics for a specific ring port, use the clear erp statistics command with the ring and port parameters.
  • Page 365: Sample Ethernet Ring Protection Configuration

    Define an ERP Service VLAN as VLAN 10 on all switches. Set the Management Entity Group (MEG) level to 2 for all switches. Switch C is the RPL owner; configure the port connected to the Ring Protection Link as a RPL port. Enable the configured ERP ring.
  • Page 366: Example Erp Configuration Steps

    The following steps provide a quick tutorial for configuring the ERP ring network shown in the diagram on page 14-19: Configure ERP ring 1 and add protected VLANs 11 through 20 on Switches A, B, C, D, and E using the following commands: -> erp-ring 1 port1 2/1 port2 2/2 service-vlan 10 level 2 ->...
  • Page 367: Verifying The Erp Configuration

    Displays the VLAN Stacking NNI configuration. show ethernet-service vlan Displays a list of SVLANs configured for the switch. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 369: Chapter 15 Configuring Ethernet Oam

    The rise in the number of Ethernet service instances has resulted in service providers requiring a powerful and robust set of management tools to maintain Ethernet service networks. Service provider networks are large and intricate, often comprising different operators that work together to provide the customers with end-to-end services.
  • Page 370: Ethernet Oam Specifications

    8192; 4092 (OmniSwitch 6400) (Note: This max value was not included in the Specs table prior to 6.3.3.) Ethernet OAM Defaults The following table shows Ethernet OAM default values. Parameter Description / Command / Default Value/Comments: MHF value assigned to a default domain; ethoam domain mhf...
  • Page 371 Parameter Description / Command / Default Value/Comments: Fault notification generation reset time; ethoam fault-reset-time; 1000 centiseconds
  • Page 372: Ethernet Oam Overview

    Maintenance Intermediate Points (MIP) and Maintenance End Points (MEP). Any port of a bridge is referred to as a Maintenance Point (MP). An MP can be either a MEP or MIP. A MEP resides at the edge of a Maintenance Domain (MD), while a MIP is located within a Maintenance Domain. A Maintenance Domain is an administrative domain for managing and administering a network.
  • Page 373 Maintenance End Point Maintenance Intermediate Point CFM Monitoring Domains Ethernet OAM Connectivity Fault Management consists of four types of messages that help in monitoring and debugging Ethernet networks. These messages are described below: • Continuity Check Messages (CCMs)—These are multicast messages exchanged periodically between MEPs.
  • Page 374: Mip Ccm Database Support

    This implementation of Ethernet OAM does not support the optional MIP CCM database. As per section 19.4.4 of the IEEE 802.1ag 5.2 draft standard, LTM is forwarded on the basis of the source learning filtering database. Because the MIP CCM database is not supported in this release, MIPs will not forward LTM on blocked egress ports.
  • Page 375: Quick Steps For Configuring Ethernet Oam

    Quick Steps for Configuring Ethernet OAM Quick Steps for Configuring Ethernet OAM The following steps provide a quick tutorial on how to configure Ethernet OAM. Each step describes a specific operation and provides the CLI command syntax for performing that operation.
  • Page 376: Configuring Ethernet Oam

    -> ethoam domain esd.alcatel-lucent.com format dnsName level 5 Here, the MD esd.alcatel-lucent.com is created. Note that the level must be 0-2 at operator level, 3-5 at provider level, and 6-7 at customer level when creating the level of domain. To remove an MD, use the no form of this command. For example: ->...
  • Page 377: Creating And Deleting A Maintenance Association

    To remove an MA, use the no form of this command. For example: -> no ethoam association alcatel-sales domain esd.alcatel-lucent.com Note that with this implementation of Ethernet OAM, it is only possible to delete an MA when there is no Maintenance End Point or Intermediate Point associated with the MA.
  • Page 378: Configuring A Maintenance End Point

    -> ethoam end-point 100 domain esd.alcatel-lucent.com association alcatel-sales priority 6 To configure the lowest priority fault alarm for the lowest priority defect for a MEP, use the ethoam endpoint lowest-priority-defect command, as shown: -> ethoam end-point 100 domain esd.alcatel-lucent.com association alcatel-sales...
  • Page 379: Configuring The Fault Alarm Time

    Configuring the Fault Alarm Time The Fault Alarm time is the period of time during which one or more defects should be detected before the Fault Alarm is issued. The ethoam fault-alarm-time command can be used to configure the timeout value for the Fault Notification Generation Alarm Time.
  • Page 380: Verifying The Ethernet Oam Configuration

    Verifying the Ethernet OAM Configuration To display information about Ethernet OAM on the switch, use the show commands listed below: show ethoam Displays the information of all the Management Domains configured on the switch.
  • Page 381: Configuring Efm (Link Oam)

    By enabling LINK OAM on two devices connected by a point-to-point connection, network administrators can monitor the status of the link, detect faults in network segments, and probe link errors by using loopback testing. In This Chapter This chapter describes the LINK OAM feature and how to configure it through the Command Line Interface (CLI).
  • Page 382: Link Oam Specifications

    (OAM) functions on Ethernet-Like Interfaces. Platforms Supported: OmniSwitch 6400, 6850, and 6855. Maximum LINK OAM instances per switch: 24 ports per NI and 48 ports per switch. Maximum loopback sessions: 2 simultaneous loopback sessions per NI. Maximum event logs: the 64 most recent event logs are supported per port. Mirroring ports: LINK OAM is not supported on mirroring ports.
  • Page 383: Link Oam Defaults

    LINK OAM Defaults The following table shows LINK OAM default values. Parameter Description Command Default Value/Comments Multiple PDU count assigned for efm-oam multiple-pdu-count event notifications. Maximum time period for which a efm-oam port keepalive-interval...
  • Page 384: Quick Steps For Configuring Link Oam

    -> efm-oam port 1/1 propagate-events critical-event enable -> efm-oam port 1/1 propagate-events dying-gasp enable Note. The above step is optional. By default, propagation of critical events and dying gasp is enabled on the port. Configure the threshold, window frame values and notify status for errored frame period events on the...
  • Page 385 Configure the threshold, window and notify-status for errored-frame-seconds-summary on the port by using the efm-oam errored-frame-seconds-summary command. For example: -> efm-oam port 1/1 errored-frame-seconds-summary window 700 threshold 1 notify enable...
  • Page 386: Link Oam Overview

    LINK OAM provides an OAMPDU-based mechanism to notify the remote DTE when one direction of a link is non-operational and therefore data transmission is disabled. The ability to operate a link in a unidirectional mode for diagnostic purposes supports the maintenance objective of failure detection and notification.
  • Page 387: Link Monitoring

    OAMPDUs allows a LINK OAM enabled node to send severe error conditions to its peer. The severe error conditions that can be identified are: Dying Gasp - This flag is raised when a node is about to reset, reboot, or otherwise go to an operationally down state. (An unexpected fault, such as a power failure, has occurred.) Critical Event - This flag indicates a severe error condition that does not result in a complete reset or reboot by the peer node.
  • Page 388: Remote Loopback Testing

    With remote loopback enabled, the LINK OAM node operating in active LINK OAM mode issues remote loopback requests and the peer responds to them. If the peer operates in the loopback mode, it returns all the PDUs except Ethernet OAMPDUs to the senders along the original paths.
  • Page 389: Configuring Link Oam

    LINK OAM on a specific port or a range of ports on a switch. When enabled, the port can be set to receive, transmit, or both transmit and receive OAMPDUs.
  • Page 390: Configuring Link Monitoring

    Link monitoring is used to detect and indicate link faults in various environments. Link monitoring uses the Event Notification OAMPDU, and sends events to the remote OAM node when there is a disorder detected on the link. For more information on error events, see “Link Monitoring”...
  • Page 391: Configuring Link Oam Loopback

    Configuring LINK OAM Loopback Remote loopback is most useful as a diagnostic tool, where it can be used to isolate problem segments in a large network. See “Remote Loopback Testing” on page 16-8 for more information.
  • Page 392: Verifying The Link Oam Configuration

    Verifying the LINK OAM Configuration To display information about LINK OAM on the switch, use the show commands listed below: show efm-oam configuration Displays the global LINK OAM configuration. show efm-oam port...
  • Page 393: Chapter 17 Configuring Udld

    UDLD-capable devices attached to the same LAN segment and to collect the information received on the ports of each device to determine whether the Layer 2 communication is functioning properly. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links.
  • Page 394: Udld Specifications

    OmniSwitch 6400, 6850, 6855, and 9000 Probe-message advertisement timer 7 to 90 in seconds Echo-based detection timer 4 to 15 in seconds Maximum neighbors per UDLD port Maximum number of UDLD ports per system UDLD Defaults Parameter Description Command Default UDLD administrative state...
  • Page 395: Quick Steps For Configuring Udld

    Configure the operational mode of UDLD by entering udld port, followed by the slot and port number, mode, and the operational mode. For example: -> udld port 1/6 mode aggressive Configure the probe-message advertisement timer on port 6 of slot 1 as 17 seconds using the following command: -> udld port 1/6 probe-timer 17 Note.
  • Page 396: Udld Overview

    UDLD supports two modes of operation: normal and aggressive modes. UDLD works with the Layer 1 mechanisms to determine the physical status of a link. A unidirectional link occurs whenever the traffic sent by a local device is received by its neighbor, but the traffic from the neighbor is not received by the local device.
  • Page 397: Mechanisms To Detect Unidirectional Links

    UDLD restarts the link-up sequence to re-synchronize with potentially out-of-sync neighbors. In aggressive mode, if UDLD is in the advertisement or in the detection phase and all the neighbors of a port are aged out, UDLD restarts the link-up sequence to re-synchronize with potentially out-of-sync neighbors.
  • Page 398: Configuring Udld

    To enable UDLD on multiple ports, specify a range of ports. For example: -> udld port 1/6-10 enable To disable UDLD on a port, use the udld port command with the disable parameter. For example, the following command disables UDLD on a range of ports: ->...
  • Page 399: Configuring The Operational Mode

    To configure the probe-timer for multiple ports, specify a range of ports. For example: -> udld port 1/8-21 probe-timer 18 Use the no form of this command to reset the timer. For example, the following command resets the timer for port 4 of slot 6: ->...
  • Page 400: Clearing Udld Statistics

    The following command resets the timer for multiple ports: -> no udld port 1/8-21 echo-wait-timer Note that when a timer is reset, the default value of 8 seconds is set. Clearing UDLD Statistics To clear the UDLD statistics, use the clear udld statistics port command.
  • Page 401: Verifying The Udld Configuration

    Displays the UDLD status for all ports or for a specific port. For more information about the resulting display from these commands, see the OmniSwitch CLI Reference Guide. An example of the output for the show udld configuration port and show udld statistics port commands is also given in “Quick Steps for Configuring UDLD”...
  • Page 403: Chapter 18 Configuring Mac Retention

    18 Configuring MAC Retention MAC Retention allows a system of stackable switches to retain the MAC address of the primary switch for a fixed or indefinite time, even after multiple takeovers. This minimizes the recalculation of protocols, such as Spanning Tree and Link Aggregation. It also minimizes the updating of tables, such as the Address Resolution Protocol (ARP) table for IPv4 routing and the Neighbor Discovery table for IPv6 routing.
  • Page 404: Mac Retention Defaults

    MAC Retention Defaults The following table lists the defaults for MAC Retention configuration: Parameter Description / Command / Default: MAC Address Retention status, mac-retention status, disabled; Status of duplicate MAC Address trap, mac-retention dup-mac-trap, disabled...
  • Page 405: Mac Retention Overview

    A “stack element” or simply “element” is a switch that has designated stacking ports. The switches are operatively interconnected via these ports to form a virtual chassis referred to as a stack. Each element in a stack can be elected as the primary or the secondary element. The primary element is elected based on the highest uptime or the lowest slot number or the lowest base MAC address.
  • Page 406: How Mac Retention Works

    had previously associated Stack 1 with the stack address M1, now has to change its ARP tables to associate Stack 1 with the new stack address M2. Similarly, in IPv6 routing, Switch 1 has to change its Neighbor Discovery tables to associate Stack 1 with the new stack address M2.
  • Page 407: Mac Retention After Multiple Take-Overs

    If the primary element does not return to the stack after the elapse of the specified time interval, a trap is generated, which notifies the administrator of a possible MAC address duplication. The trap and syslog provide details about the slot number and the base MAC address of the removed former primary element.
  • Page 408: Configuring Mac Retention

    Detecting a Duplicate MAC Address After a takeover, if the former primary switch does not return to the stack after the preset time interval has elapsed, MAC address duplication may occur. To alert the administrator of a possible MAC address duplication, the switch can be configured to generate an SNMP trap.
  • Page 409: Mac Retention Applications

    Stack Status when Switch 1 is Down In the above diagram, when the primary element in Stack 1 fails, the secondary element becomes the new primary element and shares the MAC address of the former primary element of the stack. In this scenario, the decision to retain the base MAC address is acceptable.
  • Page 410: Link Failure

    Link Failure In the following diagram, even if both stack links "a" and "b" of the primary element of Stack 1 go down almost at the same time (removed by the user or actual link failures), the MAC Retention feature will remain enabled and the base MAC address will be retained during takeover.
  • Page 411: Chapter 19 Configuring 802.1Ab

    19 Configuring 802.1AB Link Layer Discovery Protocol (LLDP) is an emerging standard to provide a solution for the configuration issues caused by expanding networks. LLDP supports the network management software used for complete network management. LLDP is implemented as per the IEEE 802.1AB standard. LLDP specifically defines a standard method for Ethernet network devices to exchange information with their neighboring devices and maintain a database of the information.
  • Page 412: 802.1Ab Specifications

    Reinit delay 1 to 10 in seconds Notification interval 5 to 3600 in seconds 802.1AB Defaults Table The following table shows the default settings of the configurable 802.1AB parameters. Parameter Description Command Default Value/Comments Transmit time interval for LLDPDUs lldp transmit interval...
  • Page 413: Quick Steps For Configuring 802.1Ab

    For example: -> lldp 2/47 tlv management port-description enable Set the transmit time interval for LLDPDUs. To set the timer for a 50 second delay, use the lldp transmit interval command. For example: -> lldp transmit interval 50 Set the minimum time interval between successive LLDPDUs.
  • Page 414: 802.1Ab Overview

    802.1AB Overview LLDP is a Layer 2 protocol for detecting adjacent devices in a network. Each device in a network sends and receives LLDPDUs through all its ports, when the protocol is enabled. If the protocol is disabled on a port or on a device, then LLDPDUs received on that port or device are dropped.
  • Page 415: Lldp-Media Endpoint Devices

    When an 802.1AB supporting system receives an LLDPDU containing a MED capability TLV, then the remote device is identified as an edge device (IP phone, IP PBX, etc.). In such a case the switch will stop sending LLDPDUs and start sending MED LLDPDUs on the port connected to the edge device.
  • Page 416: Lldp Agent Operation

    LLDPDU if the current time has surpassed the retransmission time interval. • If there is a change in status of any of the ports. For example, a new port is attached or a new link has come up. Reception of LLDPDU is a two-phase process: •...
  • Page 417: Aging Time

    TTL mentioned in the previous LLDPDU, then the local device discards that entry from its database. This is called the aging time and can be set by the user.
  • Page 418: Configuring 802.1Ab

    To set the LLDPDU flow on a switch as transmit and receive, enter the lldp lldpdu command, as shown: -> lldp chassis lldpdu tx-and-rx To set the LLDPDU flow on port 4 of slot 3 as receive, enter the following command at the CLI prompt: -> lldp 3/4 lldpdu rx To disable the flow of LLDPDU on a switch, enter the lldp lldpdu command, as shown: ->...
  • Page 419: Enabling And Disabling Management Tlv

    -> lldp chassis tlv management port-description enable To enable the management TLV on port 3 of slot 2, enter the following command at the CLI prompt: -> lldp 2/3 tlv management system-capabilities enable To disable the management TLV on a switch, enter the lldp tlv management command, as shown: ->...
  • Page 420: Enabling And Disabling 802.3 Tlv

    LLDP Media End Device (MED) TLVs transmission in the LLDPDUs on a specific port, a slot, or all ports on a switch. When enabled, the LLDPDU administrative status must be in the transmit state.
  • Page 421: Setting The Transmit Hold Multiplier Value

    By default, the transmit delay is less than or equal to 0.25 times the transmit interval. Setting the Reinit Delay To set the time interval that must elapse before the current status of a port is reinitialized after a status change, enter the lldp reinit delay command.
  • Page 422: Verifying 802.1Ab Configuration

    Verifying 802.1AB Configuration To display information about the ports configured to handle 802.1AB, use the following show commands: show lldp system-statistics Displays system-wide statistics. show lldp statistics Displays port statistics. show lldp local-system Displays local system information.
  • Page 423: Using Interswitch Protocols

    This protocol is described in detail in this chapter. In This Chapter This chapter describes the AMAP protocol and how to configure it through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
  • Page 424: Chapter 20 Using Interswitch Protocols

    AIP Specifications Standards Not applicable at this time. AMAP is an Alcatel-Lucent proprietary protocol. Maximum number of IP addresses propagated by AMAP AMAP Defaults Parameter Description Command Default AMAP status amap Enabled Discovery time interval...
  • Page 425: Amap Overview

    AMAP enabled. OmniSwitch B does not. OmniSwitch A is adjacent to OmniSwitch C and vice versa. If OmniSwitch B enables AMAP, the adjacency changes. OmniSwitch A would be next to OmniSwitch B, B would be adjacent to both A and C, and C would be adjacent to B. OmniSwitch A...
  • Page 426: Discovery Transmission State

    In the passive reception state, switch ports are in receive-only mode. Hello packets are not sent out from ports in this state and there is no timer on waiting for Hello responses. If the port receives a Hello packet at any time, it enters the common transmission state and transmits a Hello packet in reply.
  • Page 427: Common Transmission And Remote Switches

    If an AMAP switch is connected to multiple AMAP switches via a hub, the switch sends and receives Hello traffic to and from the remote switches through the same port. If one of the remote switches stops sending Hello packets and other remote switches continue to send Hello packets, the ports in the common transmission state will remain in the common transmission state.
  • Page 428: Configuring The Amap Common Time-Out Interval

    The common time-out interval is used only in the common transmission state to determine the time interval between sending Hello update packets. A switch sends an update for a port just before or after the common time-out interval expires.
  • Page 429: Displaying Amap Information

    MAC addresses, interfaces, VLANs, and IP addresses. For remote switches that stop sending Hello packets and that are connected via a hub, entries may take up to three times the common time-out intervals to age out of this table.
  • Page 430 (Diagram: local and remote interfaces of the show amap example.) See the OmniSwitch CLI Reference Guide for information about the show amap command.
  • Page 431: Chapter 21 Configuring 802.1Q

    In this Chapter This chapter describes the basic components of 802.1Q VLANs and how to configure them through the Command Line Interface (CLI). The CLI commands are used in the configuration examples; for more details about the syntax of commands, see “802.1Q Commands”...
  • Page 432: 802.1Q Specifications

    Not configurable on the OmniSwitch 6400, 6800, 6850, 6855, and 9000 Note. Up to 4093 VLANs can be assigned to a tagged port or link aggregation group. However, each assignment counts as a single VLAN port association. Once the maximum number of VLAN port associations is reached, no more VLANs can be assigned to ports.
  • Page 433: 802.1Q Overview

    Stack 1 and 2 have three VLANs, one for untagged traffic and two for tagged traffic. The ports connecting Stack 1 and 2 are configured in such a manner that Port 4/3 will only accept tagged traffic, while Port 2/1 will accept both tagged and untagged traffic.
  • Page 434 The port can only be assigned to one untagged VLAN (in every case, this will be the default VLAN). In the example above the default VLAN is VLAN 1. The port can be assigned to as many 802.1Q VLANs as necessary, up to 4093 per port or 32768 VLAN port associations.
  • Page 435: Configuring An 802.1Q Vlan

    To add tagging to a port and label it with a text name, you would enter the text identification following the slot and port number. For example, to enable tagging on port 4 of slot 3 with a text name of port tag, enter the command in the following manner: ->...
  • Page 436: Configuring The Frame Type

    Configuring the Frame Type Once a port has been set to receive and send tagged frames, it will be able to receive or send tagged or untagged traffic. Tagged traffic will be subject to 802.1Q rules, while untagged traffic will behave as directed by normal switch operation.
  • Page 437: Show 802.1Q Information

    Show 802.1Q Information After configuring a port or link aggregation group to be a tagged port, you can view the settings by using the show 802.1q command, as demonstrated: -> show 802.1q 3/4 Acceptable Frame Type...
  • Page 438: Application Example

    The following sections show how to create the network illustrated above. Connecting Stack 1 and Switch 2 Using 802.1Q The following steps apply to Stack 1. They will attach port 1/1 to VLAN 2 and set the port to accept 802.1Q tagged traffic and untagged traffic.
  • Page 439 The following steps apply to Switch 2. They will attach port 2/1 to VLAN 2 and set the port to accept 802.1Q tagged traffic only: Create VLAN 2 by entering vlan 2 as shown below (VLAN 1 is the default VLAN for the switch): ->...
  • Page 440: Verifying 802.1Q Configuration

    The following steps apply to Stack 3. They will attach ports 4/1 and 4/2 as link aggregation group 5 to VLAN 3. Configure static link aggregation group 5 by entering the following: -> static linkagg 5 size 2 Assign ports 4/1 and 4/2 to static link aggregation group 5 by entering the following two commands: ->...
  • Page 441: Chapter 22 Configuring Static Link Aggregation

    Using link aggregation provides the following benefits: • Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links. •...
  • Page 442: Configuring Static Link Aggregation

    See the “Using the CLI” chapter in the OmniSwitch AOS Release 6 Switch Management Guide for more information. Static Link Aggregation Default Values The table below lists default values and the commands to modify them for static aggregate groups. Parameter Description Command Default Value/Comments...
  • Page 443: Quick Steps For Configuring Static Link Aggregation

    Quick Steps for Configuring Static Link Aggregation Follow the steps below for a quick tutorial on configuring a static aggregate link between two switches. Additional information on how to configure each command is given in the subsections that follow. Create the static aggregate link on the local switch with the static linkagg size command.
  • Page 444 “Displaying Static Link Aggregation Configuration and Statistics” on page 22-12 for more information on the show commands. An example of what these commands look like entered sequentially on the command line on the local switch: -> static linkagg 1 size 4 ->...
  • Page 445: Static Link Aggregation Overview

    You can configure up to 32 link aggregation groups per standalone switch or stack of switches. Each group can consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
  • Page 446: Relationship To Other Features

    OS9-GNI-C24 and two ports on another OS9-GNI-C24 on Switch B. The network administrator has created a separate VLAN for this group so users can use this high speed link. (Diagram: Switch A and Switch B.)
  • Page 447: Configuring Static Link Aggregation Groups

    “Creating and Deleting a Static Link Aggregate Group” on page 22-8. Assign Ports on the Local and Remote Switches to the Static Aggregate Group. To assign ports to the static aggregate group you use the static agg agg num command, which is described in “Adding and...
  • Page 448: Creating And Deleting A Static Link Aggregate Group

    Note. The number of links assigned to a static aggregate group should always be close to the number of physical links that you plan to use. For example, if you are planning to use 2 physical links you should create a group with a size of 2 and not 4 or 8.
  • Page 449: Adding And Deleting Ports In A Static Aggregate Group

    Ports must be of the same speed (i.e., all 10 Mbps, all 100 Mbps, or all 1 Gbps). For example, to assign ports 1, 2, and 3 in slot 1 to static aggregate group 10 (which has a size of 4) you would enter: ->...
  • Page 450: Modifying Static Aggregation Group Parameters

    For example, to configure static aggregate group 4 with the name “Finance” you would enter: -> static linkagg 4 name Finance Note. If you want to specify spaces within a name for a static aggregate group the name must be specified within quotes (e.g., “Static Aggregate Group 4”).
  • Page 451: Application Example

    The figure below shows VLAN 8, which has been configured on static aggregate 1 and uses 802.1Q tagging. The actual physical links connect ports 4/1, 4/2, 4/3, and 4/4 on Switch A to ports 2/41, 2/42, 2/43, and 2/44 on Switch B.
  • Page 452: Displaying Static Link Aggregation Configuration And Statistics

    These detailed views provide excellent tools for diagnosing and troubleshooting problems. For example, to display detailed statistics for port 1 in slot 4 that is attached to static link aggregate group 1 you would enter: ->...
  • Page 453: Configuring Dynamic Link Aggregation

    Using link aggregation provides the following benefits: • Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links. •...
  • Page 454: Dynamic Link Aggregation Specifications

    Dynamic Link Aggregation Specifications The table below lists specifications for dynamic aggregation groups and ports: IEEE Specifications Supported 802.3ad — Aggregation of Multiple Link Segments Platforms Supported OmniSwitch 6400, 6800, 6850, 6855, and 9000...
  • Page 455: Dynamic Link Aggregation Default Values

    Dynamic Link Aggregation Default Values The table below lists default values for dynamic aggregate groups. Parameter Description Command Default Value/Comments Group Administrative State lacp linkagg admin state enabled Group Name lacp linkagg name...
  • Page 456: Quick Steps For Configuring Dynamic Link Aggregation

    -> lacp linkagg 2 size 8 actor admin key 5 Configure ports (the number of ports should be less than or equal to the size value set in step 1) with the same actor administrative key (which allows them to be aggregated) with the lacp agg actor admin command.
  • Page 457 “Displaying Dynamic Link Aggregation Configuration and Statistics” on page 23-32 for more information on show commands. An example of what these commands look like entered sequentially on the command line on the actor switch: -> lacp linkagg 2 size 8 actor admin key 5 ->...
  • Page 458 An example of what these commands look like entered sequentially on the command line on the partner switch: -> lacp linkagg 2 size 8 actor admin key 5 -> lacp agg 2/1 actor admin key 5 ->...
  • Page 459: Dynamic Link Aggregation Overview

    Link aggregation groups are identified by unique MAC addresses, which are created by the switch but can be modified by the user at any time. Load balancing for Layer 2 non-IP packets is on a MAC address basis and for IP packets the balancing algorithm uses the IP address as well. Ports must be of the same speed within the same aggregate group.
  • Page 460 OmniSwitch 6400, 6800, 6850, 6855, or 9000 switch and an early-generation Alcatel-Lucent switch, such as an Omni Switch/Router. • an OmniSwitch 6400, 6800, 6850, 6855, or 9000 switch and another vendor’s switch if that vendor supports IEEE 802.3ad LACP. “Configuring Dynamic Link Aggregate Groups” on page 23-10...
  • Page 461: Relationship To Other Features

    Link aggregation groups are supported by other switch software features. For example, you can configure 802.1Q tagging on link aggregation groups in addition to configuring it on individual ports. The following features have CLI commands or command parameters that support link aggregation: •...
  • Page 462: Configuring Dynamic Link Aggregate Groups

    23-11. Configure the Same Administrative Key on the Ports You Want to Join the Dynamic Aggregate Group. To configure ports with the same administrative key (which allows them to be aggregated), use lacp agg actor admin key command, which is described in “Configuring Ports to Join and Removing...
  • Page 463: Creating And Deleting A Dynamic Aggregate Group

    To configure a dynamic aggregate group, enter lacp linkagg followed by the user-configured dynamic aggregate number (which can be from 0 to 31), size, and the maximum number of links that will belong to this dynamic aggregate group, which can be 2, 4, or 8. For example, to configure the dynamic aggregate group 2 consisting of eight links enter: ->...
  • Page 464: Configuring Ports To Join And Removing Ports In A Dynamic Aggregate Group

    (which can range from 0 to 65535). Ports must be of the same speed (i.e., all 10 Mbps, all 100 Mbps, or all 1 Gbps). For example, to configure ports 1, 2, and 3 in slot 4 with an administrative key of 10 you would enter: -> lacp agg 4/1 actor admin key 10 ->...
  • Page 465: Removing Ports From A Dynamic Aggregate Group

    Ports must be deleted in the reverse order in which they were configured. For example, if ports 9 through 16 were configured to join dynamic aggregate group 2 you must first delete port 16, then port 15, and so forth. The following is an example of how to delete ports in the proper sequence from the console: ->...
  • Page 466: Modifying Dynamic Link Aggregate Group Parameters

    These parameters ensure compliance with the IEEE 802.3ad specification. For most networks, these default values do not need to be modified or will be modified automatically by switch software. However, if you need to modify any of these default settings see the following sections to modify parameters for: •...
  • Page 467: Modifying The Dynamic Aggregate Group Administrative State

    For example, to name dynamic aggregate group 4 “Engineering” you would enter: -> lacp linkagg 4 name Engineering Note. If you want to specify spaces within a name, the name must be enclosed in quotes. For example: -> lacp linkagg 4 name "Engineering Lab"...
  • Page 468: Modifying The Dynamic Aggregate Group Actor System Priority

    -> lacp linkagg 4 actor system priority 2000 Restoring the Dynamic Aggregate Group Actor System Priority To restore the dynamic aggregate group actor system priority to its default (i.e., 0) value use the no form of the lacp linkagg actor system priority command by entering lacp linkagg followed by the dynamic aggregate group number and no actor system priority.
  • Page 469: Modifying The Dynamic Aggregate Group Partner Administrative Key

    -> lacp linkagg 4 partner system priority 2000 Restoring the Dynamic Aggregate Group Partner System Priority To restore the dynamic aggregate group partner system priority to its default (i.e., 0) value use the no form of the lacp linkagg partner system priority command by entering lacp linkagg followed by the dynamic aggregate group number and no partner system priority.
  • Page 470: Modifying The Dynamic Aggregate Group Partner System Id

    Modifying the Dynamic Aggregate Group Partner System ID By default, the dynamic aggregate group partner system ID is 00:00:00:00:00:00. The following subsections describe how to configure a user-specified value and how to restore it to its default value with the lacp linkagg partner system id command.
  • Page 471: Modifying The Actor Port System Administrative State

    Configure an LACP actor port’s system administrative state values by entering lacp agg, the slot number, a slash (/), the port number, actor admin state, and one or more of the keywords shown in the table below or none:...
  • Page 472: Modifying The Actor Port System Id

    Note. Specifying none removes all administrative states from the LACPDU configuration. For example: -> lacp agg 5/49 actor admin state none For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate actor port 49 in slot 5 you would enter: ->...
  • Page 473: Modifying The Actor Port System Priority

    Configuring an Actor Port System Priority You can configure the actor system priority to a value ranging from 0 to 255 by entering lacp agg, the slot number, a slash (/), the port number, actor system priority, and the user-specified actor port system priority.
  • Page 474: Modifying The Actor Port Priority

    Configuring the Actor Port Priority You can configure the actor port priority to a value ranging from 0 to 255 by entering lacp agg, the slot number, a slash (/), the port number, actor port priority, and the user-specified actor port priority.
  • Page 475: Modifying Dynamic Aggregate Partner Port Parameters

    Configure the dynamic aggregate partner port’s system administrative state values by entering lacp agg, the slot number, a slash (/), the port number, partner admin state, and one or more of the keywords shown in the table below or none:...
  • Page 476 Note. Specifying none removes all administrative states from the LACPDU configuration. For example: -> lacp agg 7/49 partner admin state none For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate partner port 49 in slot 7 you would enter: ->...
  • Page 477: Modifying The Partner Port Administrative Key

    Alcatel-Lucent CLI syntax. For example, to modify the administrative key of a dynamic aggregate group partner port 1 in slot 6 to 1000 and document that the port is a 10 Mbps Ethernet port you would enter: -> lacp agg ethernet 6/1 partner admin key 1000 Restoring the Partner Port Administrative Key To remove a user-configured administrative key from a dynamic aggregate group partner port’s configura-...
  • Page 478: Modifying The Partner Port System Priority

    Alcatel-Lucent CLI syntax. For example, to modify the administrative priority of dynamic aggregate partner port 49 in slot 4 to 100 and specify that the port is a Gigabit Ethernet port you would enter: -> lacp agg gigaethernet 4/49 partner admin system priority 100...
  • Page 479: Modifying The Partner Port Administrative Status

    Alcatel-Lucent CLI syntax. For example, to modify the administrative status of dynamic aggregate partner port 1 in slot 7 to 200 and document that the port is a Gigabit Ethernet port you would enter: -> lacp agg gigaethernet 7/1 partner admin port 200 Restoring the Partner Port Administrative Status To remove a user-configured administrative status from a dynamic aggregate group partner port’s configu-...
  • Page 480 For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to 100 you would enter: -> lacp agg 4/3 partner admin port priority 100...
  • Page 481: Application Examples

    Note. Although you would need to configure both the local (i.e., Switch A) and remote (i.e., Switches B and C) switches, only the steps to configure the local switch are provided since the steps to configure the remote switches are not significantly different.
  • Page 482: Link Aggregation And Spanning Tree Example

    15, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 3/9 and 3/10 on Switch A to ports 1/1 and 1/2 on Switch B. Follow the steps below to configure this network: Note.
  • Page 483: Link Aggregation And Qos Example

    7. The actual physical links connect ports 4/1, 4/2, 4/3, and 4/4 on Switch A to ports 1/1, 1/2, 1/3, and 1/4 on Switch C. Follow the steps below to configure this network: Note.
  • Page 484: Displaying Dynamic Link Aggregation Configuration And Statistics

    Repeat steps 1 through 9 on Switch C. All the commands would be the same except you would substitute the appropriate port numbers. Note. If you do not use the qos apply command, any QoS policies you configured will be lost on the next switch reboot.
  • Page 485 Partner Admin State : act0.tim0.agg1.syn1.col1.dis1.def1.exp0, Partner Oper State : act0.tim0.agg1.syn0.col1.dis1.def1.exp0 Note. See the “Link Aggregation Commands” chapter in the OmniSwitch CLI Reference Guide for complete documentation of show commands for link aggregation. OmniSwitch AOS Release 6 Network Configuration Guide September 2009...
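The dotted strings in the show output above (act0.tim0.agg1.syn1...) and the bit numbers used earlier in this chapter (bit 0 = active, bit 2 = aggregate) are two renderings of the same 8-bit LACP Actor/Partner State octet from IEEE 802.3ad. The Python helper below is an added example, not code from the OmniSwitch guide: it converts between the CLI keyword form, the dotted show form and the raw octet, and lists the bits on which an operational state departs from the administrative one (in the output above, the partner's syn bit). The bit positions come from the page; mapping each admin-state keyword to its bit is the one assumption made here.

```python
# Added example (not code from the OmniSwitch guide): the LACP actor/partner
# state octet behind the dotted act/tim/agg/... strings and the admin-state
# keywords on this page. Bit positions follow the page (bit 0 = active,
# bit 2 = aggregate) and IEEE 802.3ad; mapping every CLI keyword to its bit
# is the one assumption made here.
STATE_NAMES = ("act", "tim", "agg", "syn", "col", "dis", "def", "exp")
KEYWORD_BIT = {"active": 0, "timeout": 1, "aggregate": 2, "synchronize": 3,
               "collect": 4, "distribute": 5, "default": 6, "expire": 7}


def state_from_keywords(keywords):
    """Octet for 'lacp agg ... admin state <keywords>'; 'none' clears all bits."""
    if "none" in keywords:
        if len(keywords) != 1:
            raise ValueError("'none' cannot be combined with other keywords")
        return 0
    value = 0
    for kw in keywords:
        if kw not in KEYWORD_BIT:
            raise ValueError(f"unknown LACP state keyword: {kw}")
        value |= 1 << KEYWORD_BIT[kw]
    return value


def parse_state(text):
    """'act0.tim0.agg1.syn1.col1.dis1.def1.exp0' (show output) -> octet."""
    fields = text.split(".")
    if len(fields) != 8:
        raise ValueError("expected eight dotted fields")
    value = 0
    for expected, fld in zip(STATE_NAMES, fields):
        name, flag = fld[:3], fld[3:]
        if name != expected or flag not in ("0", "1"):
            raise ValueError(f"malformed state field: {fld}")
        if flag == "1":
            value |= 1 << STATE_NAMES.index(name)
    return value


def format_state(value):
    """Octet -> dotted show form."""
    if not 0 <= value <= 0xFF:
        raise ValueError("state must fit in one octet")
    return ".".join(f"{n}{(value >> i) & 1}" for i, n in enumerate(STATE_NAMES))


def state_diff(admin_text, oper_text):
    """Names of the bits on which the operational state departs from admin."""
    xor = parse_state(admin_text) ^ parse_state(oper_text)
    return [n for i, n in enumerate(STATE_NAMES) if (xor >> i) & 1]


if __name__ == "__main__":
    admin = "act0.tim0.agg1.syn1.col1.dis1.def1.exp0"   # partner lines from the show output
    oper = "act0.tim0.agg1.syn0.col1.dis1.def1.exp0"
    print(hex(parse_state(admin)), state_diff(admin, oper))
    print(format_state(state_from_keywords(["active", "aggregate"])))  # bits 0 and 2
```

A partner operational state whose syn bit is clear while the admin state sets it is the usual sign that the far end has not agreed the link into the aggregate yet; comparing the two strings bit by bit is quicker than reading eight fields by eye.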
  • Page 487: Chapter 24 Configuring Ip

    Maximum Transmission Unit (MTU) sizes. Note. IP routing (Layer 3) can be accomplished using static routes or by using one of the IP routing protocols, Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). For more information on these protocols see Chapter 28, “Configuring RIP,”...
  • Page 488 24-32) – Tracing an IP Route (see page 24-33) – Displaying TCP Information (see page 24-33) – Displaying User Datagram Protocol (UDP) Information (see page 24-33) • Tunneling – Generic Routing Encapsulation (page 24-33) – IP Encapsulation within IP...
  • Page 489: Ip Specifications

    IP Specifications Note that the maximum limit values provided in the following Specifications table are subject to available system resources. RFCs Supported: RFC 791–Internet Protocol; RFC 792–Internet Control Message Protocol; RFC 826–An Ethernet Address Resolution Protocol; RFC 2784–Generic Routing Encapsulation (GRE)
  • Page 490: Quick Steps For Configuring Ip Forwarding

    Quick Steps for Configuring IP Forwarding Using only IP, which is always enabled on the switch, devices connected to ports on the same VLAN are able to communicate at Layer 2. The initial configuration for all Alcatel-Lucent switches consists of a default VLAN 1.
  • Page 491: Ip Overview

    4 transport protocol, such as: • TCP—A major data transport mechanism that provides reliable, connection-oriented, full-duplex data streams. While the role of TCP is to add reliability to IP, TCP relies upon IP to do the actual delivering of datagrams. •...
  • Page 492: Additional Ip Protocols

    Additional IP Protocols There are several additional IP-related protocols that may be used with IP forwarding. These protocols are included as part of the base code. • Address Resolution Protocol (ARP)—Used to match the IP address of a device with its physical (MAC) address.
  • Page 493: Ip Forwarding

    Alcatel-Lucent switches support routing of IP traffic. A VLAN is available for routing when at least one router interface is defined for that VLAN and at least one active port is associated with the VLAN. If a VLAN does not have a router interface, the ports associated with that VLAN are in essence firewalled from other VLANs.
  • Page 494: Configuring An Ip Router Interface

    Configuring an IP Router Interface IP is enabled by default. Using IP, devices connected to ports on the same VLAN are able to communicate. However, to forward packets to a different VLAN, you must create at least one router interface on each VLAN.
  • Page 495: Modifying An Ip Router Interface

    Removing an IP Router Interface To remove an IP router interface, use the no form of the ip interface command. Note that it is only necessary to specify the name of the IP interface, as shown in the following example: ->...
  • Page 496: Configuring A Loopback0 Interface

    The Loopback0 interface is not bound to any VLAN, so it will always remain operationally active. This differs from other IP interfaces in that if there are no active ports in the VLAN, all IP interfaces associated with that VLAN are inactive. In addition, the Loopback0 interface provides a unique IP address for the switch that is easily identifiable to network management applications.
  • Page 497: Creating A Static Route

    IP address. In the above example, the Class B mask of 255.255.0.0 is implied. If you do not want to use the natural mask, you must enter a subnet mask. For example, to create a static route to IP address 10.255.11.0, you would have to enter the Class C mask of 255.255.255.0:...
  • Page 498: Creating A Default Route

    You must specify a default route of 0.0.0.0 with a subnet mask of 0.0.0.0 and the IP address of the next hop (gateway). For example, to create a default route through gateway 171.11.2.1 you would enter: ->...
  • Page 499: Deleting A Permanent Entry From The Arp Table

    • Alias. Use the alias keyword to specify that the switch will act as an alias (proxy) for this IP address. When the alias option is used, the switch responds to all ARP requests for the specified IP address with its own MAC address.
  • Page 500: Local Proxy Arp

    Note that when Local Proxy ARP is enabled for any one IP router interface associated with a VLAN, the feature is applied to the entire VLAN. It is not necessary to enable it for each interface. However, if the IP interface that has this feature enabled is moved to another VLAN, Local Proxy ARP is enabled for the new VLAN and must be enabled on another interface for the old VLAN.
  • Page 501 Up to 200 ARP filters can be defined on a single switch. To remove an individual filter, use the no form of the arp filter command. For example: -> no arp filter 198.0.0.0 To clear all ARP filters from the switch configuration, use the clear arp filter command.
  • Page 502: Ip Configuration

    IP Configuration IP is enabled on the switch by default and there are few options that can, or need to be, configured. This section provides instructions for some basic IP configuration options. Configuring the Router Primary Address By default, the router primary address is derived from the first IP interface that becomes operational on the router.
  • Page 503: Configuring Route Map Redistribution

    When a route map is created, it is given a name to identify the group of statements that it represents. This name is required by the ip redist command. Therefore, configuring route redistribution involves the...
  • Page 504: Creating A Route Map

    Creating a Route Map When a route map is created, it is given a name (up to 20 characters), a sequence number, and an action (permit or deny). Specifying a sequence number is optional. If a value is not configured, then the number 50 is used by default.
  • Page 505 Deleting a Route Map Use the no form of the ip route-map command to delete an entire route map, a route map sequence, or a specific statement within a sequence. To delete an entire route map, enter no ip route-map followed by the route map name. For example, the following command deletes the entire route map named redistipv4: ->...
  • Page 506: Configuring Access Lists

    -> ip route-map rm_1 sequence-number 10 match tag 5 -> ip route-map rm_1 sequence-number 10 match tag 8 The following route map sequence will redistribute a route if the route has a tag of 8 or 5 and the route was learned on the IPv4 interface to-finance: ->...
  • Page 507: Configuring Route Map Redistribution

    -> ipv6 access-list ip6addr address 2001::/64 Use the same access list name each time the above commands are used to add additional addresses to the same access list. In addition, both commands provide the ability to configure if an address and/or its matching subnet routes are permitted (the default) or denied redistribution.
  • Page 508: Route Map Redistribution Example

    Redistributes into BGP all routes learned on the intf_ospf interface and sets the metric for such routes to 255. • Redistributes into BGP all other routes (those not processed by sequence 10 or 20) and sets the tag for such routes to eight.
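The route-map pages above give the evaluation rules only by example: several match tag statements in one sequence are ORed (tag 8 or 5), different match kinds are ANDed (tag and interface), sequences run in numeric order with 50 as the default number, and a sequence with no match statements catches every remaining route. The Python model below is an added example, not code from the OmniSwitch guide, that implements those rules and replays the rm_1 sequence and the BGP redistribution example from this section. Two things are assumptions of the model rather than statements on the page: a route that matches no sequence is not redistributed (implicit deny), and a single "interface" match stands in for the page's ipv4-interface and ipv6-interface matches. The name ospf_to_bgp and the sequence numbers 20 and 30 are hypothetical; the page does not show what its sequence 10 matches.

```python
# Added example (not code from the OmniSwitch guide): a model of how the
# route-map sequences described in this section evaluate a route.
# Assumptions: implicit deny when nothing matches; 'interface' stands in
# for the page's ipv4-interface / ipv6-interface match kinds.
from dataclasses import dataclass, field, replace


@dataclass
class Route:
    prefix: str
    interface: str          # interface the route was learned on
    tag: int = 0
    metric: int = 1


@dataclass
class Sequence:
    number: int
    action: str = "permit"
    matches: dict = field(default_factory=dict)   # kind -> accepted values (ORed)
    sets: dict = field(default_factory=dict)      # attribute -> new value


class RouteMap:
    DEFAULT_SEQUENCE = 50    # the page: sequence number defaults to 50

    def __init__(self, name):
        if not 0 < len(name) <= 20:          # the page: names are up to 20 characters
            raise ValueError("route map name must be 1-20 characters")
        self.name = name
        self.sequences = {}

    def sequence(self, number=DEFAULT_SEQUENCE, action="permit"):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        seq = self.sequences.setdefault(number, Sequence(number))
        seq.action = action
        return seq

    def match(self, number, kind, value):
        """Same kind repeated -> OR; different kinds in one sequence -> AND."""
        seq = self.sequences.get(number) or self.sequence(number)
        seq.matches.setdefault(kind, set()).add(value)

    def set_attr(self, number, attribute, value):
        seq = self.sequences.get(number) or self.sequence(number)
        seq.sets[attribute] = value

    def delete(self, number=None):
        """no ip route-map <name> [sequence-number N]"""
        if number is None:
            self.sequences.clear()
        else:
            self.sequences.pop(number, None)

    def evaluate(self, route):
        """The route as it would be redistributed, or None if filtered out."""
        for number in sorted(self.sequences):
            seq = self.sequences[number]
            if all(getattr(route, kind) in values for kind, values in seq.matches.items()):
                return None if seq.action == "deny" else replace(route, **seq.sets)
        return None                       # no sequence matched: implicit deny (assumed)


def page_examples():
    """The two route maps discussed on this page, built with the model."""
    rm_1 = RouteMap("rm_1")
    rm_1.match(10, "tag", 5)
    rm_1.match(10, "tag", 8)
    rm_1.match(10, "interface", "to-finance")
    redist = RouteMap("ospf_to_bgp")              # hypothetical name
    redist.match(20, "interface", "intf_ospf")
    redist.set_attr(20, "metric", 255)
    redist.set_attr(30, "tag", 8)                 # no match statements: all other routes
    return rm_1, redist


if __name__ == "__main__":
    rm_1, redist = page_examples()
    print(rm_1.evaluate(Route("10.1.0.0/16", "to-finance", tag=8)))
    print(redist.evaluate(Route("10.6.0.0/16", "intf_rip", tag=3)))
```

Adding the deny action to a sequence is what turns a route map into a filter rather than an attribute rewriter; the implicit deny at the end means that a redistribution route map with only specific match statements silently drops everything it does not name, which is usually what you want at a protocol boundary but is easy to overlook.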
  • Page 509: Ip-Directed Broadcasts

    IP-Directed Broadcasts An IP directed broadcast is an IP datagram that has all zeros or all ones in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached.
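The definition above is exactly the check a router applies: is the destination the broadcast address (all-ones host part) or the legacy all-zeros form of one of my connected subnets, and does the sender sit outside that subnet? Forwarding such packets is the classic amplification vector (one packet in, every host on the target subnet replies), which is why RFC 2644 made dropping them the default. The Python below is an added example, not code from the OmniSwitch guide, that performs the classification with the standard ipaddress module; the subnets and addresses are constructed test data from the RFC 5737 documentation ranges, and the directed_broadcast_enabled flag is a stand-in for the switch's own knob.

```python
# Added example (not code from the OmniSwitch guide): classify a destination
# as a local broadcast, a directed broadcast, or neither, using the page's
# definition. Subnets/addresses in the demo are constructed test data.
from ipaddress import ip_address, ip_network


def classify_broadcast(src, dst, connected_subnets):
    """Returns None (not a broadcast of any connected subnet),
    'local-broadcast' (sender is on the target subnet) or
    'directed-broadcast' (sender is not directly attached to it)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for net in (ip_network(s) for s in connected_subnets):
        if net.version != 4 or net.prefixlen >= 31:
            continue            # /31 and /32 have no broadcast address (RFC 3021)
        all_ones = dst_ip == net.broadcast_address
        all_zeros = dst_ip == net.network_address   # legacy zero-form broadcast
        if all_ones or all_zeros:
            return "local-broadcast" if src_ip in net else "directed-broadcast"
    return None


def should_forward(src, dst, connected_subnets, directed_broadcast_enabled=False):
    """Drop directed broadcasts unless the feature is enabled; ordinary
    unicast and local broadcasts are untouched by this knob."""
    if classify_broadcast(src, dst, connected_subnets) == "directed-broadcast":
        return directed_broadcast_enabled
    return True


if __name__ == "__main__":
    subnets = ["192.0.2.0/24", "198.51.100.0/24"]     # constructed
    print(classify_broadcast("198.51.100.7", "192.0.2.255", subnets))
    print(should_forward("198.51.100.7", "192.0.2.255", subnets))
```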
  • Page 510 (loopback network) are received by the switch. When such packets are detected, they are dropped, and SNMP traps are generated. The switch can be set to detect various types of port scans by monitoring for TCP or UDP packets sent to open or closed ports. Monitoring is done in the following manner: •...
  • Page 511 10, TCP packets destined for open ports are given a penalty of 5, and UDP packets destined for open ports are given a penalty of 20. The decay is set to 2, and the switch port scan penalty value...
  • Page 512 (100 previous minute value) + (10 TCP X 10 penalty) + (10 UDP X 10 penalty) + (200 UDP X 20 penalty) = 4300 This value would be divided by 2 (due to decay) and decreased to 2150. The switch would record a port scan and generate a trap to warn the administrator:...
  • Page 513: Arp Poisoning

    -> ip dos scan decay 2 Enabling DoS Traps DoS traps must be enabled in order for the switch to warn the administrator that a port scan may be in progress when the switch’s total penalty value crosses the port scan penalty value threshold.
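The penalty arithmetic on the preceding pages is easier to reason about as a per-minute loop: the carried-over total plus this minute's probes weighted by bucket, then the decay, then the threshold comparison that raises the trap. The simulator below is an added example, not code from the OmniSwitch guide, and reproduces the page's 4300 then 2150 result before running a two-minute constructed scan. The per-packet penalties (10 for closed TCP and UDP ports, 5 for open TCP, 20 for open UDP) and the decay of 2 come from the page; the threshold of 1000, integer division for the decay, and comparing against the threshold after decay are assumptions, and the probe lists are constructed test data.

```python
# Added example (not code from the OmniSwitch guide): the port-scan penalty
# arithmetic worked on this page as a per-minute simulator. Penalties and
# decay come from the page; threshold 1000, integer division, and checking
# the threshold after decay are assumptions. Probe lists are constructed.
from dataclasses import dataclass

BUCKETS = ("tcp_closed", "udp_closed", "tcp_open", "udp_open")


@dataclass(frozen=True)
class ScanSettings:
    tcp_closed: int = 10
    udp_closed: int = 10
    tcp_open: int = 5
    udp_open: int = 20
    decay: int = 2
    threshold: int = 1000     # assumed; the page does not restate it here


def bucket(proto, dport, open_ports):
    """Which penalty bucket one probe falls into."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("only TCP and UDP probes are scored")
    return f"{proto}_{'open' if dport in open_ports else 'closed'}"


def count_probes(probes, open_ports):
    """probes: iterable of (proto, dport) seen in one minute."""
    counts = dict.fromkeys(BUCKETS, 0)
    for proto, dport in probes:
        counts[bucket(proto, dport, open_ports)] += 1
    return counts


def score_minute(previous, counts, s=ScanSettings()):
    """Carry-over plus this minute's penalties, then decay.
    Returns (gross_total, total_after_decay, trap_fired)."""
    gross = previous + sum(counts.get(b, 0) * getattr(s, b) for b in BUCKETS)
    after = gross // s.decay
    return gross, after, after > s.threshold


def simulate(minutes, open_ports, s=ScanSettings()):
    """minutes: list of per-minute probe lists; returns score_minute tuples."""
    results, total = [], 0
    for probes in minutes:
        gross, total, trap = score_minute(total, count_probes(probes, open_ports), s)
        results.append((gross, total, trap))
    return results


if __name__ == "__main__":
    # The page's worked example: 100 carried over, 10 TCP and 10 UDP probes
    # to closed ports, 200 UDP probes to open ports.
    print(score_minute(100, {"tcp_closed": 10, "udp_closed": 10, "udp_open": 200}))
```

Because the total halves every minute, a slow scanner that stays under roughly decay times the threshold per minute never trips the trap; that is the trade-off to keep in mind when tuning ip dos scan decay and the threshold against each other.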
  • Page 514: Enabling/Disabling Ip Services

    Although these ports provide access for essential switch management services, such as telnet, ftp, snmp, etc., they also are vulnerable to DoS attacks. It is possible to scan open service ports and launch such attacks based on well-known port information.
  • Page 515: Managing Ip

    ICMP redirect messages allow host routing tables to remain small because it is necessary to know the address of only one switch, even if that switch does not provide the best path. Even after receiving an ICMP redirect message, some devices might continue using the less-efficient route.
  • Page 516 Activating ICMP Control Messages ICMP messages are identified by a type and a code. This number pair specifies an ICMP message. By default, ICMP messages are disabled. For example, ICMP type 4, code 0, specifies the source quench ICMP message.
  • Page 517 To enable a network unreachable message, enter the following: -> icmp unreachable net-unreachable enable Note. Enabling host-unreachable and net-unreachable messages is not recommended, as it can cause switch instability due to high-CPU conditions, depending upon the volume of traffic that generates these messages. Chapter 32, “IP Commands,”...
  • Page 518: Icmp Control Table

    Time-out. Use the time-out keyword to set the number of seconds the program will wait for a response before timing out. For example, to send a ping with a count of 2, a size of 32 bytes, an interval of 2 seconds, and a time-out of 10 seconds you would enter: ->...
  • Page 519: Tracing An Ip Route

    GRE tunnel. The destination IP address field in the outer header of the GRE packet contains the IP address of the router at the remote end of the tunnel. The router at the receiving end of the GRE tunnel extracts the original payload and routes it to the destination address specified in the payload’s IP header.
  • Page 520: Ip Encapsulation Within Ip

    • Both source and destination addresses are assigned. • The source address of the tunnel is one of the switch's IP interface addresses that is either a VLAN or Loopback0 interface.
  • Page 521: Configuring A Tunnel Interface

    • A route is available to reach the destination IP address. A route whose egress interface is a VLAN-based interface is available for its destination IP address. The switch supports assigning an IP address as well as routes to a tunnel interface.
  • Page 522: Verifying The Ip Configuration

    Displays the statistics on detected port scans for the switch. show ip dos arp-poison Displays the number of attacks detected for a restricted address. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 523: Chapter 25 Configuring Multiple Vrf

    In This Chapter This chapter describes the Multiple VRF feature and how to configure it through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
  • Page 524: Vrf Specifications

    VRF Specifications The multiple VRF functionality described in this chapter is supported on the OmniSwitch 6855-U24X and 9000E series switches. Note that any maximum limits provided in the Specifications table are subject to available system resources. Routing Protocols Supported...
  • Page 525: Quick Steps For Configuring Multiple Vrf

    VRF instances and configuring IPv4 protocols to run in each instance: Note. Configuring a VRF instance name is case sensitive. In addition, if the name specified does not exist, a VRF instance is automatically created. As a result, it is possible to accidentally create or delete instances.
  • Page 526 For example: IpOne: -> ip rip interface intf100 status enable IpOne: -> Select IpTwo for the active VRF instance and create an IP router interface on VLAN 102 using the ip interface command. For example: IpOne: -> vrf IpTwo IpTwo: ->...
  • Page 527 An example of what the Quick Steps configuration commands look like when entered sequentially on the switch: -> vlan 100 -> vlan 101 -> vlan 102 -> vrf IpOne IpOne: -> vrf IpTwo IpTwo: ->...
  • Page 528: Multiple Vrf Overview

    • When an IP packet for Customer A is received on a PE 1 or PE 2 interface associated with VRF A, the VRF A instance determines how to route the packet through the provider backbone so that it reaches the intended Customer A destination.
  • Page 529: Service Provider

    [Figure: Example Multiple VRF Configuration. Customer sites (Customer B; Customer C Sites 1, 2 and 3) attach to provider edge routers PE 1 and PE 3, which hold the per-customer VRF B and VRF C instances.]
  • Page 530: Using The Vrf Command Line Interface

    The CLI command prompt indicates which instance is the active VRF context; the instance name is added as a prefix to the command prompt. For example, if VRF instance IpOne is the current context, then IpOne appears in the CLI command prompt. For example: IpOne: ->...
  • Page 531: Vrf Interaction With Other Features

    instance name, then that command is for an application that applies only to the default VRF instance or the application is not VRF-aware. Default VRF commands appear first in an ASCII or boot.cfg file, followed by commands for VRF-aware applications configured in non-default instances.
  • Page 532: Aaa Radius Servers

    802.1X; SSH (ssh, sftp, and scp); MAC-based authentication. • If the VRF instance that the RADIUS servers reside on is deleted or disabled, access to the RADIUS servers will be disabled as well. BGPv4 • Each BGPv4 routing instance requires configuration of an Autonomous System number, router ID number, and primary IP address that is explicit to the associated VRF instance.
  • Page 533: Snmp

    Configuring an interface for a VLAN also associates that VLAN with the active VRF context. A VLAN, however, can only belong to one VRF instance at a time. As a result, all interfaces configured for a VLAN must belong to the same VRF instance. See “Assigning IP Interfaces to a VRF Instance”...
  • Page 534 The following guidelines apply when configuring UDP/DHCP Relay within the context of VRF instances: • A separate DHCP server is required for each VRF instance to which DHCP packets are relayed to and from the server. The server should reside in the same VRF as the originating requests. For example, the following command configures the DHCP server address for the vrfOne instance: ->...
  • Page 535: Configuring Vrf Instances

    VRF instance. A VRF instance becomes active when the instance is either created or selected using the vrf command. A VRF instance is identified by a name, which is specified at the time the instance is configured. For example, the following command creates the IpOne instance: -> vrf IpOne IpOne: ->...
  • Page 536: Selecting A Vrf Instance

    Note. If the instance name specified with the vrf command does not exist, a VRF instance is automatically created. In addition, configuring a VRF instance name is case sensitive. As a result, it is possible to accidentally create or delete instances. Use the...
  • Page 537: Assigning Ip Interfaces To A Vrf Instance

    IpOne: -> Once an IP interface is associated with a VRF instance, Layer 3 traffic on that interface is routed within the domain of the VRF instance. In other words, such traffic is only routed between other IP interfaces that are associated with the same VRF instance.
  • Page 538: Verifying The Vrf Configuration

    Verifying the VRF Configuration To display a list of VRF instances configured for the switch, use the show vrf command. For example: -> show vrf Virtual Routers Protocols ----------------------------------------------- default IpOne IpTwo Total Number of Virtual Routers: 3 The VRF CLI context determines which information is displayed using application-specific show commands.
  • Page 539: Chapter 26 Configuring Ipv6

    In This Chapter This chapter describes IPv6 and how to configure it through Command Line Interface (CLI). The CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
  • Page 540: Ipv6 Specifications

    IPv6 Specifications Note that the maximum limit values provided in the following Specifications table are subject to available system resources. RFCs Supported: RFC 2460–Internet Protocol, Version 6 (IPv6) Specification; RFC 2461–Neighbor Discovery for IP Version 6 (IPv6); RFC 2462–IPv6 Stateless Address Autoconfiguration; RFC 2464–Transmission of IPv6 Packets Over Ethernet...
  • Page 541: Ipv6 Defaults

    IPv6 Defaults The following table lists the defaults for IPv6 configuration through the ipv6 commands. Parameter: Global status of IPv6 on the switch; Default: Enabled. Parameter: IPv6 interfaces; Command: ipv6 interface; Default: None.
  • Page 542: Quick Steps For Configuring Ipv6 Routing

    For example: -> ipv6 rip interface v6if-v200 -> ipv6 rip interface v6if-v300 IPv6 routing is now configured for VLAN 200 and VLAN 300 interfaces, but it is not active until at least one port in each VLAN goes active.
  • Page 543: Ipv6 Overview

    Simplified header format—A simpler IPv6 header format is used to keep the processing and bandwidth cost of IPv6 packets as low as possible. As a result, the IPv6 header is only twice the size of the IPv4 header despite the significant increase in address size.
  • Page 544: Ipv6 Addressing

    IPv6 Addressing One of the main differences between IPv6 and IPv4 is that the address size has increased from 32 bits to 128 bits. Going to a 128-bit address also increases the size of the address space to the point where running out of IPv6 addresses is not a concern.
  • Page 545: Ipv6 Address Notation

    IPv6 addresses are expressed using colon hexadecimal notation and consist of eight 16-bit words, as shown in the following example: 1234:000F:531F:4567:0000:0000:BCD2:F34A Note that any field may contain all zeros or all ones. In addition, it is possible to shorten IPv6 addresses by suppressing leading zeros. For example: 1234:F:531F:4567:0:0:BCD2:F34A Another method for shortening IPv6 addresses is known as zero compression.
  • Page 546: Autoconfiguration Of Ipv6 Addresses

    When an IPv6 VLAN or a tunnel interface is created or a device is connected to the switch, a link-local address is automatically generated for the interface or device. This type of address consists of the well-known IPv6 prefix FE80::/64 combined with an interface ID.
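The two text-form rules on the preceding page (suppress leading zeros in each group, then replace one run of all-zero groups with ::) and the link-local construction just described are worth seeing implemented, because the edge cases are where operators misread addresses: ties between two zero runs, an address that is entirely zeros, and the interface ID derived from a MAC. The Python below is an added example, not code from the OmniSwitch guide; it compresses the page's own sample address by hand and cross-checks the result against the standard library, and builds a link-local address from a constructed MAC. The page says only that an interface ID is appended to FE80::/64; deriving that ID with modified EUI-64 (RFC 4291, appendix A) is the assumption made here, and lowercase hex output follows RFC 5952 rather than the uppercase used in the manual's examples.

```python
# Added example (not code from the OmniSwitch guide): IPv6 text-form rules
# from this section implemented by hand and cross-checked against the
# standard library. Addresses and the MAC below are constructed test data.
from ipaddress import IPv6Address


def _groups(addr):
    """Split an uncompressed address into eight groups, leading zeros suppressed."""
    groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("expected eight 16-bit hexadecimal groups (uncompressed form)")
    return [f"{int(g, 16):x}" for g in groups]


def compress_ipv6(addr):
    """Zero compression: the longest run of two or more all-zero groups
    becomes '::'; on a tie the leftmost run wins (RFC 5952)."""
    groups = _groups(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                      # a single zero group is never compressed
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def same_as_stdlib(addr):
    """True when our compression agrees with ipaddress for this address."""
    return compress_ipv6(addr) == IPv6Address(addr).compressed


def link_local_from_mac(mac):
    """FE80::/64 plus a modified EUI-64 interface ID (assumption: the page
    does not say how the ID is derived): insert ff:fe in the middle of the
    MAC and invert the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    iid = ":".join(f"{(eui[k] << 8) | eui[k + 1]:x}" for k in range(0, 8, 2))
    return compress_ipv6("fe80:0:0:0:" + iid)


if __name__ == "__main__":
    print(compress_ipv6("1234:000F:531F:4567:0000:0000:BCD2:F34A"))   # the page's sample
    print(link_local_from_mac("00:11:22:33:44:55"))                     # constructed MAC
```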
  • Page 547: Globally Unique Local Ipv6 Unicast Addresses

    Globally Unique Local IPv6 Unicast Addresses These addresses are intended to be routable within a limited area such as a site but not on the global Internet. Unique Local IPv6 Unicast Addresses are used in conjunction with BGP (IBGP) speakers as well as exterior BGP (EBGP) neighbors based on configured policies.
  • Page 548: Tunneling Ipv6 Over Ipv4

    IPv4 and IPv6 networks. This implementation of IPv6 supports tunneling of IPv6 traffic over IPv4. There are two types of tunnels supported, 6to4 and configured. Note. RIPng is not supported over 6to4 tunnels. However, it is possible to create a RIPng interface for a configured tunnel. See “Configuring IPv6 Tunnel Interfaces”...
  • Page 549 In this scenario, 6to4 sites have connectivity to native IPv6 domains through a relay router, which is connected to both the IPv4 and IPv6 domains. The 6to4 border routers are still used by 6to4 sites for encapsulating/decapsulating host traffic and providing connectivity across the IPv4 domain. In addition, each border router has a default IPv6 route pointing to the relay router.
  • Page 550: Configured Tunnels

    A configured tunnel is where the endpoint addresses are manually configured to create a point-to-point tunnel. This type of tunnel is similar to the 6to4 tunnel on which IPv6 packets are encapsulated in IPv4 headers to facilitate communication over an IPv4 network. The difference between the two types of tunnels is that configured tunnel endpoints require manual configuration, whereas 6to4 tunneling relies on an embedded IPv4 destination address to identify tunnel endpoints.
  • Page 551: Configuring An Ipv6 Interface

    Chapter 4, “Configuring VLANs,” for more information. • If creating a tunnel interface, a tunnel ID or 6to4 is specified. Only one 6to4 tunnel is allowed per switch, so it is not necessary to specify an ID when creating this type of tunnel. •...
  • Page 552: Configuring A Unique Local Ipv6 Unicast Address

    Removing an IPv6 Interface To remove an IPv6 interface from the switch configuration, use the no form of the ipv6 interface command. Note that it is only necessary to specify the name of the interface, as shown in the following example: ->...
  • Page 553: Assigning Ipv6 Addresses

    If it is necessary to identify an interface or device to the entire network, or as a member of a particular group, or enable an interface to perform routing functions, then configuring additional addresses (e.g., global unicast or anycast) is required.
  • Page 554: Removing An Ipv6 Address

    Removing an IPv6 Address To remove an IPv6 address from an interface, use the no form of the ipv6 address command as shown: -> no ipv6 address 4100:1000::20 v6if-v200 Note that the subnet router anycast address is automatically deleted when the last unicast address of the same subnet is removed from the interface.
  • Page 555: Configuring Ipv6 Tunnel Interfaces

    IPv6 host is isolated. The second type of tunnel supported is referred to as a configured tunnel. With this type of tunnel it is necessary to specify an IPv4 address for the source and destination tunnel endpoints. Note that if bidirectional communication is desired, then it is also necessary to create the tunnel interface at each end of the tunnel.
  • Page 556: Creating An Ipv6 Static Route

    You must specify the destination IPv6 address of the route as well as the IPv6 address of the first hop (gateway) used to reach the destination. For example, to create a static route to IPv6 address 212:95:5::/64 through gateway...
  • Page 557: Configuring The Route Preference Of A Router

    Configuring the Route Preference of a Router By default, the route preference of a router is in this order: local, static, OSPFv3, RIPng, EBGP, and IBGP (highest to lowest). Use the ipv6 route-pref command to change the route preference value of a router.
  • Page 558: Configuring Route Map Redistribution

    When a route map is created, it is given a name to identify the group of statements that it represents. This name is required by the ipv6 redist command. Therefore, configuring route redistribution involves the...
  • Page 559 Creating a Route Map When a route map is created, it is given a name (up to 20 characters), a sequence number, and an action (permit or deny). Specifying a sequence number is optional. If a value is not configured, then the number 50 is used by default.
  • Page 560 Deleting a Route Map Use the no form of the ip route-map command to delete an entire route map, a route map sequence, or a specific statement within a sequence. To delete an entire route map, enter no ip route-map followed by the route map name. For example, the following command deletes the entire route map named redistipv4: ->...
  • Page 561 -> ip route-map rm_1 sequence-number 10 match tag 5 -> ip route-map rm_1 sequence-number 10 match tag 8 The following route map sequence will redistribute a route if the route has a tag of 8 or 5 and the route was learned on the IPv6 interface to-finance: ->...
  • Page 562: Configuring Route Map Redistribution

    A source protocol is a protocol from which the routes are learned. A destination protocol is the one into which the routes are redistributed. Make sure that both protocols are loaded and enabled before configuring redistribution.
  • Page 563: Route Map Redistribution Example

    Redistributes into RIPng all routes learned on the intf_ospf interface and sets the metric for such routes to 255. • Redistributes into RIPng all other routes (those not processed by sequence 10 or 20) and sets the tag for such routes to eight.
  • Page 564: Verifying The Ipv6 Configuration

    Displays the UDP Over IPv6 Listener Table. Contains information about UDP/IPv6 endpoints. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 565: Chapter 27 Configuring Ipsec

    Internet Protocol security (IPsec) is a suite of protocols for securing IPv6 communications by authenticating and/or encrypting each IP packet in a data stream. IPsec is a framework of open standards designed to provide interoperable, high quality, cryptographically-based security for IP networks through the use of appropriate security protocols, cryptographic algorithms, and cryptographic keys.
  • Page 566: Ipsec Specifications

    IPsec Specifications RFCs Supported: RFC 4301–Security Architecture for the Internet Protocol; RFC 4302–IP Authentication Header (AH); RFC 4303–IP Encapsulating Security Payload (ESP); RFC 4305–Cryptographic Algorithm Implementation Requirements for ESP and AH; RFC 4308–Cryptographic Suites for IPsec...
  • Page 567: Ipsec Defaults

    IPsec Defaults The following table shows the default settings of the configurable IPsec parameters. Parameter: IPsec global status (a license file must be present on the switch: OS6850: K2encrypt.img; OS9000: Jencrypt.img; OS9000E: Jencrypt.img); Default: Disabled...
  • Page 568: Quick Steps For Configuring An Ipsec Ah Policy

    -> ipsec policy ALLinMD5 no shutdown Define the Security Keys. Each SA has its own unique set of security keys. The key name is the SA name that is going to use the key and the length must match the authentication algorithm key size. Keys must be defined before the SA can be enabled.
  • Page 569: Quick Steps For Configuring An Ipsec Discard Policy

    Quick Steps for Configuring an IPsec Discard Policy IPsec can be used for discarding IP traffic as well as configuring encryption and authentication. For discard policies, no rules, SAs or keys need to be defined. Define the policy. The commands below use similar policy information as in the previous example but the action has been changed to discard: ->...
  • Page 570: Ipsec Overview

    IPsec on an OmniSwitch operates in Transport mode. In transport mode only the payload of the IP packet is encapsulated, and an IPsec header (AH or ESP) is inserted between the original IP header and the upper-layer protocol header. The figure below shows an IP packet protected by IPsec in transport mode.
  • Page 571: Encryption Algorithms

    IP Packet protected by ESP ESP is identified by a value of 50 in the IP header. The ESP header is inserted after the IP header and before the upper layer protocol header. The Security Parameter Index (SPI) in the ESP header is a 32-bit value that, combined with the destination address and protocol in the preceding IP header, identifies the security association (SA) to be used to process the packet.
  • Page 572: Authentication Header (Ah)

    IP Packet protected by AH AH is identified by a value of 51 in the IP header. The Next header field indicates the value of the upper layer protocol being protected (for example, UDP or TCP) in the transport mode. The payload length field in the AH header indicates the length of the header.
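The framing facts on these two pages (ESP is next header 50 and AH is 51; the SPI, destination address and protocol together select the SA; AH's payload length field gives the header length in 32-bit words) are enough to write the receive-side lookup a transport-mode implementation performs before it ever touches a key. The Python below is an added example, not code from the OmniSwitch guide: it builds constructed IPv6 packets carrying AH and ESP, parses the IPsec header out of each, looks the packet up in a small SA database keyed exactly as the page describes, and runs the RFC 4302/4303 anti-replay window on the sequence number. No ICV is verified and nothing is decrypted; those steps would follow the replay check, and the addresses, SPIs, keys and ICV bytes are constructed test data.

```python
# Added example (not code from the OmniSwitch guide): transport-mode AH and
# ESP framing as described on this page, an SA lookup keyed by
# (destination, protocol, SPI), and an RFC 4302/4303-style anti-replay
# window. Packets are constructed test data; no ICV/decryption is computed.
import struct
from ipaddress import IPv6Address

ESP, AH = 50, 51      # protocol numbers given on this page
UDP = 17


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header in front of payload (test data only)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def build_ah(next_header, spi, seq, icv):
    """AH: next header, payload length (32-bit words minus 2), reserved,
    SPI, sequence number, then the ICV."""
    if len(icv) % 4:
        raise ValueError("ICV must be a multiple of 4 bytes")
    plen = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, plen, 0, spi, seq) + icv


def build_esp(spi, seq, ciphertext):
    """ESP: SPI and sequence number precede the encrypted payload/trailer."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipsec(pkt):
    """Extract SPI/sequence (and for AH the next header and ICV) from a
    transport-mode IPv6 packet; reject anything that is not AH or ESP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh, _hop = struct.unpack("!HBB", pkt[4:8])
    dst = str(IPv6Address(pkt[24:40]))
    body = pkt[40:40 + payload_len]
    if len(body) != payload_len:
        raise ValueError("truncated packet")
    if nh == AH:
        if len(body) < 12:
            raise ValueError("truncated AH header")
        inner_nh, plen, _res, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4
        if ah_len > len(body):
            raise ValueError("AH payload length exceeds packet")
        return {"proto": AH, "dst": dst, "spi": spi, "seq": seq,
                "next_header": inner_nh, "icv": body[12:ah_len],
                "payload": body[ah_len:]}
    if nh == ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": ESP, "dst": dst, "spi": spi, "seq": seq, "payload": body[8:]}
    raise ValueError(f"next header {nh} is neither AH (51) nor ESP (50)")


class ReplayWindow:
    """Sliding anti-replay window (RFC 4302/4303), 64 entries by default."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.top:                     # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                       # too old, or already seen
        self.bitmap |= 1 << diff
        return True


class SAD:
    """Security association database: (dst, protocol, SPI) -> SA state."""
    def __init__(self):
        self.entries = {}

    def add(self, dst, proto, spi, algorithm, key):
        self.entries[(str(IPv6Address(dst)), proto, spi)] = {
            "algorithm": algorithm, "key": key, "window": ReplayWindow()}

    def lookup(self, parsed):
        return self.entries.get((parsed["dst"], parsed["proto"], parsed["spi"]))


def inbound_check(sad, pkt):
    """'ok', 'no-sa' or 'replay' for one inbound packet."""
    parsed = parse_ipsec(pkt)
    sa = sad.lookup(parsed)
    if sa is None:
        return "no-sa"
    return "ok" if sa["window"].accept(parsed["seq"]) else "replay"
```

The order matters for a receiver under attack: the SA lookup and the replay window are cheap and run before any HMAC or cipher work, so a flood of replayed or unknown-SPI packets is discarded without spending CPU on cryptography, which is the same reason the page's discard policies exist for traffic that should never be processed at all.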
  • Page 573: Ipsec On The Omniswitch

    The system decides which packets are processed and how they are processed by using the combination of the policy and the SA. The policy is used to specify which IPsec protocols are used, such as AH or ESP, while the SA specifies the algorithms, such as AES and HMAC-MD5.
  • Page 574: Discarding Traffic Using Ipsec

    Discarding Traffic using IPsec In order to discard IP datagrams, a policy is configured in the same manner as an IPsec security policy, the difference being that the action is set to ‘discard’ instead of ‘ipsec’. A discard policy can prevent IPv6 traffic from traversing the network.
  • Page 575: Configuring Ipsec On The Omniswitch

    -> ipsec security-key 0x12345678123456781234567812345678 Note. The key value can be specified either in hexadecimal format (16 bytes in length) or as a string (16 characters in length). A warning message is logged if SA keys are set without the Master Key being set.
  • Page 576: Configuring An Ipsec Policy

    The above command replaces the old security key with the new key value. The old key value must be entered to modify an existing key. If an incorrect old key value is entered, then setting the new key will fail.
  • Page 577: Enabling And Disabling A Policy

    Assigning a Priority to a Policy You can use the optional priority parameter to assign a priority to the configured IPsec policy so that if IPv6 traffic matches more than one configured policy, the policy with the highest priority is applied to the traffic.
  • Page 578: Assigning An Action To A Policy

    - Allows IPsec processing of the traffic to which this policy is applied. If the action is ipsec, then a rule must be defined before the policy can be enabled. Additionally, SAs and SA keys must also be configured to support the rule.
  • Page 579: Configuring An Ipsec Rule

    It’s possible to first encrypt the original content of an IPv6 packet using ESP and then authenticate the packet using AH by configuring an ESP rule with an index of one and then configuring the AH rule with an index of two. For example: ->...
  • Page 580: Configuring An Ipsec Sa

    -> no ipsec sa tcp_in_ah Configuring ESP or AH The IPsec SA can be configured as ESP or AH. In the above example, the IPsec SA is configured as AH. You can also configure the SA as ESP, as shown below: ->...
  • Page 581: Verifying Ipsec Sa

    9901 encryption aes-cbc key-size 192 The above command configures an IPsec SA of ESP using aes-cbc and a key length of 192 bits. You can allow an IPsec SA to operate as an ESP confidentiality-only SA by using the none option with the authentication parameter or by simply omitting the authentication parameter from the command.
  • Page 582 128 Bits Use the following information to determine how to create the proper key size: • Number of characters = Key Size (in bits) / 8; Ex. A 160-bit key would require 20 characters for the key. • Number of hexadecimal digits = Key Size (in bits) / 4; Ex. A 160-bit key would require 40 hexadecimal digits.
  • Page 583 The above command shows the number of manually configured SAs along with their authentication key lengths in bits respectively. Note. Due to security reasons, key values will not be displayed; only key names and key lengths will be displayed. Once IPsec is configured for IPv6 on the switch, you can monitor the incoming and outgoing packets for...
  • Page 584: Additional Examples

    Configuring IPsec on the OmniSwitch Configuring IPsec Additional Examples Configuring ESP The example below shows the commands for configuring ESP between two OmniSwitches for all TCP traffic. Switch A Switch B IPv6 address: 3ffe::100 IPv6 address: 3ffe::200 ESP Between Two OmniSwitches Switch A ->...
  • Page 585 Configuring IPsec on the OmniSwitch Switch B -> ipsec security-key master-key-12345 -> ipsec policy tcp_out source 3ffe::200 destination 3ffe::100 protocol tcp out ipsec description “IPsec on TCP to 100” -> ipsec policy tcp_in source 3ffe::100 destination 3ffe::200 protocol tcp in ipsec description “IPsec on TCP from 100”...
  • Page 586: Discarding Ripng Packets

    Configuring IPsec on the OmniSwitch Configuring IPsec Discarding RIPng Packets RIPng uses the well known address of ff02::9 to advertise routes. The following example shows how IPsec can be configured to drop all RIPng packets. Switch A Switch B Link Local: fe80::100...
  • Page 587: Verifying Ipsec Configuration

    Verifying IPsec Configuration To display information such as details about manually configured IPsec Security Associations and other IPsec parameters configured on the switch, use the show commands listed in the following table: show ipsec sa Displays information about manually configured IPsec SAs.
  • Page 588 Verifying IPsec Configuration Configuring IPsec page 27-24 OmniSwitch AOS Release 6 Network Configuration Guide September 2009...
  • Page 589: Chapter 28 Configuring Rip

    RIP-enabled routers update neighboring routers by transmitting a copy of their own routing table. The RIP routing table uses the most efficient route to a destination, that is, the route with the fewest hops and longest matching prefix.
  • Page 590: Rip Specifications

    (Note: The “2048” value was previously documented, however, the 6.3.3 Porting SFS specifies 1K for OS6850 and “NA” for OS6400. What values should be used?) RIP Defaults The following table lists the defaults for RIP configuration through the ip rip command. Description Command Default...
  • Page 591: Quick Steps For Configuring Rip Routing

    To forward packets to a device on a different VLAN, you must create a router interface on each VLAN. To route packets by using RIP, you must enable RIP and create a RIP interface on the router interface. The following steps show you how to enable RIP routing between VLANs “from scratch”. If active VLANs and router ports have already been created on the switch, go to Step 7.
  • Page 592: Rip Overview

    In switching, traffic may be transmitted from one media type to another within the same VLAN. Switching happens at Layer 2, the link layer; routing happens at Layer 3, the network layer. In IP routing, traffic can be transmitted across VLANs. When IP routing is enabled, the switch uses routing protocols to build...
  • Page 593: Rip Version 2

    RIPv1 switches will ignore authentication information. Authentication is a simple password in which an authentication key of up to 16 characters is included in the packet. If this key does not match the configured authentication key, the packet is discarded. For more information on RIP authentication, see “RIP Security”...
  • Page 594: Rip Routing

    RIP. You must reboot the switch when this is complete. Note. In simple networks where only IP forwarding is required, you may not want to use RIP. If you are not using RIP, it is best not to load it to save switch resources.
  • Page 595: Enabling Rip

    RIP interface Send option. Enter the IP address of the RIP interface, and then enter a Send option. For example, to configure a RIP interface rip-1 to send only RIPv1 packets you would enter: ->...
  • Page 596: Configuring The Rip Interface Receive Option

    RIP metric or cost for routes generated by a RIP interface. Enter the IP address of the RIP interface as well as a metric value. For example, to set a metric value of 2 for the RIP interface rip-1 you would enter: ->...
  • Page 597: Configuring The Rip Interface Route Tag

    After this timer has expired, and if the value is less than 120 seconds, the route enters a hold-down state for the rest of the period until the remainder of the 120 seconds has also expired.
  • Page 598: Configuring The Rip Invalid Timer

    The RIP invalid timer value defines the time interval, in seconds, during which a route will remain active in the Routing Information Base (RIB) before it is moved to the invalid state. This timer value must be at least three times the update interval value.
  • Page 599: Enabling A Rip Host Route

    A host route differs from a network route, which is a route to a specific network. This command allows a direct connection to the host without using the RIP table. If a switch is directly attached to a host on a...
  • Page 600: Configuring Redistribution

    When a route map is created, it is given a name to identify the group of statements that it represents. This name is required by the ip redist command. Therefore, configuring route redistribution involves the...
  • Page 601 Creating a Route Map When a route map is created, it is given a name (up to 20 characters), a sequence number, and an action (permit or deny). Specifying a sequence number is optional. If a value is not configured, then the number 50 is used by default.
  • Page 602 Configuring RIP Deleting a Route Map Use the no form of the ip route-map command to delete an entire route map, a route map sequence, or a specific statement within a sequence. To delete an entire route map, enter no ip route-map followed by the route map name. For example, the following command deletes the entire route map named redistipv4: ->...
  • Page 603 -> ip route-map rm_1 sequence-number 10 match tag 5 -> ip route-map rm_1 sequence-number 10 match tag 8 The following route map sequence will redistribute a route if the route has a tag of 8 or 5 and the route was learned on the IPv4 interface to-finance: ->...
  • Page 604: Configuring Route Map Redistribution

    RIP destination protocol. This command is used on the RIP router that will perform the redistribution. A source protocol is a protocol from which the routes are learned. A destination protocol is the one into which the routes are redistributed. Make sure that both protocols are loaded and enabled before configuring redistribution.
  • Page 605: Route Map Redistribution Example

    Redistributes into RIP all routes learned on the intf_ospf interface and sets the metric for such routes to 255. • Redistributes into RIP all other routes (those not processed by sequence 10 or 20) and sets the tag for such routes to eight.
  • Page 606: Rip Security

    Configuring RIP RIP Security By default, there is no authentication used for RIP. However, you can configure a password for a RIP interface. To configure a password, you must first select the authentication type (simple or MD5), and then configure a password.
  • Page 607: Verifying The Rip Configuration

    Displays active RIP neighbors (peers). show ip redist Displays the currently configured RIP redistribution filters. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 609: Chapter 29 Configuring Rdp

    29 Configuring RDP Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on their networks. This implementation of RDP supports the router requirements as defined in RFC 1256. In This Chapter This chapter describes the RDP feature and how to configure RDP parameters through the Command Line Interface (CLI).
  • Page 610: Rdp Specifications

    RDP Specifications Configuring RDP RDP Specifications RFCs Supported: RFC 1256–ICMP Router Discovery Messages. Platforms Supported: OmniSwitch 6400, 6800, 6850, 6855, and 9000. Router advertisements: Supported. Host solicitations: Only responses to solicitations supported. Maximum number of RDP interfaces per switch: One for each available IP interface configured on the switch.
  • Page 611: Quick Steps For Configuring Rdp

    Configuring RDP involves enabling RDP operation on the switch and creating RDP interfaces to advertise VLAN router IP addresses on the LAN. There is no order of configuration involved. For example, it is possible to create RDP interfaces even if RDP is not enabled on the switch.
  • Page 612 Quick Steps for Configuring RDP Configuring RDP To verify the configuration for a specific RDP interface, specify the interface name when using the show ip router-discovery interface command. The display is similar to the one shown below: -> show ip router-discovery interface Marketing...
  • Page 613: Rdp Overview

    End hosts (clients) sending traffic to other networks need to forward their traffic to a router. In order to do this, hosts need to find out if one or more routers exist on their LAN, then learn their IP addresses. One way to discover neighboring routers is to manually configure a list of router IP addresses that the host reads at startup.
  • Page 614: Rdp Interfaces

    Configuring RDP RDP Interfaces An RDP interface is created by enabling RDP on a VLAN router IP address. Once enabled, the RDP interface becomes active and joins the all-routers IP multicast group (224.0.0.2). The interface then transmits three initial router advertisement messages at random intervals that are no greater than 16 seconds apart.
  • Page 615: Security Concerns

    Man in the middle—Attacker modifies any of the outgoing traffic or plays man in the middle, acting as a proxy between the router and the end host. In this case, the victim thinks that it is communicating with an end host, not an attacker system. The end host thinks that it is communicating with a router because the attacker system is passing information through to the host from the router.
  • Page 616: Enabling/Disabling Rdp

    An RDP interface is created by enabling RDP for an existing IP router interface, which is then advertised by RDP as an active router on the local network. Note that an RDP interface is not active unless RDP is also enabled for the switch.
  • Page 617: Specifying An Advertisement Destination Address

    Router IP address preference level. It is only necessary to change the above parameter values if the default value is not sufficient. The following subsections provide information about how to configure RDP interface parameters if it is necessary to use a different value.
  • Page 618: Setting The Minimum Advertisement Interval

    If a host does not receive another packet from the same router before the lifetime value expires, it assumes the router is no longer available and will drop the router IP address from its table. As a result, it is important that the lifetime value is always greater than the current maximum advertisement interval to ensure router transmissions occur before the lifetime value expires.
  • Page 619: Verifying The Rdp Configuration

    Configuring RDP Verifying the RDP Configuration Verifying the RDP Configuration To display information about the RDP configuration on the switch, use the show commands listed below: show ip router-discovery Displays the current operational status of RDP on the switch. Also includes the number of advertisement packets transmitted and the number of solicitation packets received by all RDP interfaces on the switch.
  • Page 621: Chapter 30 Configuring Bfd

    BFD supplies the state of the session. It acts in an advisory role to the control protocols, and provides a low overhead alternative to detect faults for all media types, encapsulations, and routing protocols in a variety of network environments and topologies.
  • Page 622: Bfd Specifications

    Detection draft-ietf-bfd-v4v6-1hop-08.txt — BFD for IPv4 and IPv6 (Single Hop) Maximum Number of Sessions (Per NI) Maximum Number of Sessions (Per System) 512 Protocols Supported BGP, OSPF, VRRP Remote Address Tracking only, and Static Routes. IPv6 protocols not supported.
  • Page 623: Bfd Defaults

    Configuring BFD BFD Defaults BFD Defaults The following table shows the default settings of the configurable BFD parameters. Parameter Description Command Default Value/Comments BFD global status for the switch ip bfd-std status Disabled ip bfd-std transmit 100 milliseconds Global transmit time interval for BFD...
  • Page 624: Quick Steps For Configuring Bfd

    Configure a global receive time interval for all BFD interfaces using the ip bfd-std receive command. This command defines a default receive time value that is automatically applied when a BFD interface is created. For example: -> ip bfd-std receive 500...
  • Page 625 Configure the global BFD echo packet time interval using the ip bfd-std echo interval command. This command defines a default echo packet time value that is automatically applied when a BFD interface is created. For example: -> ip bfd-std echo-interval 500...
  • Page 626: Quick Steps For Configuring Bfd Support For Layer 3 Protocols

    See the “BFD Commands” chapter in the OmniSwitch CLI Reference Guide for information about the fields in this display. Quick Steps for Configuring BFD Support for Layer 3 Protocols BFD runs on top of Layer 3 protocol traffic that is forwarded between two systems. This implementation of BFD supports the following protocols: •...
  • Page 627: Configuring Bfd Support For Vrrp Track Policies

    -> ip static-route all bfd-std enable To create a BFD session for a static route, make sure the gateway address does not match any of the local interface addresses on the switch and that BFD is enabled on the interface on which the gateway address exists.
  • Page 628 79.79.79.0 255.255.255.0 79.79.79.151 00:01:23 LOCAL 127.0.0.1 255.255.255.255 127.0.0.1 01:57:15 LOCAL See the “IP Commands” chapter in the OmniSwitch CLI Reference Guide for information about the fields in this display.
  • Page 629: Bfd Overview

    A BFD session must be explicitly configured between two adjacent systems. Once BFD has been enabled on the interfaces and at the appropriate Layer 3 routing protocol level, a BFD session is created for the adjacent systems and BFD timers are negotiated between these systems.
  • Page 630: Operational Mode And Echo Function

    Each time a BFD system successfully receives a BFD control packet on a BFD session, the detect-timer for that session is reset to zero. As long as the BFD peer systems receive the control packets from each other within the negotiated time interval [(Detect Multiplier) * (Required Minimum Rx Interval)], the BFD session remains up, and any routing protocol that encapsulates the BFD maintains its adjacencies, i.e.
  • Page 631: Bfd Control Packets

    A Down state means that a session is down or has been recently created. A session remains down until the remote system sends a packet with any state other than an up state. If a BFD packet with the state field set to down is received by the local system that is also in a down state, the session advances to Init state;...
  • Page 632: Demultiplexing

    To change the rate at which BFD control packets are received, you can change the Required Min RX Interval at any time to any value. This new value will be sent in the next outgoing packet so that the remote system can accommodate the changes made.
  • Page 633: Configuring Bfd

    “Configuring BFD Support for Layer 3 Protocols” on page 30-18 for more information. At the end of the chapter is a simple BFD network diagram with instructions on how it was created on a router-by-router basis. See “BFD Application Example” on page 30-25 for more information.
  • Page 634: Configuring A Bfd Interface

    Configuring the BFD Receive Time Interval BFD allows you to set the receive time interval, which is the minimum amount of time that BFD waits to receive control packets before determining there is a problem. By default, the global value of the receive time interval is set to 100 milliseconds.
  • Page 635: Configuring The Bfd Operating Mode

    The time interval between received BFD echo packets is configurable and applies when the echo function is enabled. When this function is active, a stream of Echo packets is sent to a peer, which then loops these back to the sender without processing them via its forwarding path. If the sender does not receive several continuous echo packets from its peer, the BFD session is declared down.
  • Page 636: Configuring The Bfd Layer 2 Hold-Timer

    -> ip bfd-std l2-holdtimer 100 The above command sets the BFD Layer 2 hold-down timer to 100 milliseconds. To change the amount of time a specific BFD interface remains in a hold-down state after a Layer 2 topology change occurs, use the ip bfd-std interface l2-hold-timer command.
  • Page 637 The above command enables the administrative status of the BFD interface named bfd-vlan-101. Note that a BFD interface must be disabled before any of its parameters can be changed. To disable a BFD interface, use the ip bfd-std interface status command with the disable keyword. For example: ->...
  • Page 638: Configuring Bfd Support For Layer 3 Protocols

    Configuring BFD Support for Layer 3 Protocols After BFD is configured on all interfaces or on a specific set of individual interfaces, the next step is to configure BFD interoperability with the supported Layer 3 protocols (BGP, OSPF, VRRP Tracking, Static Routes).
  • Page 639 215.10.10.254 215.10.10.1 enabled disabled Once OSPF is registered with BFD at the protocol level and BFD is enabled on the desired OSPF interface(s), use the show ip bfd-std interfaces command to display BFD-enabled interfaces. For example: -> show ip bfd-std interfaces...
  • Page 640 The above command establishes a BFD session on interface named int1 with OSPF DR neighbors in full state only. To establish a BFD session on an interface with all neighbors which are greater than or equal to “2-way” state, use the...
  • Page 641: Configuring Bfd Support For Bgp

    Configuring BFD Configuring BFD Support for BGP The steps below show how to configure and verify BFD support for the BGP protocol, so that BGP is a registered protocol with BFD and will receive forwarding path detection failure messages from BFD.
  • Page 642: Configuring Bfd Support For Vrrp Tracking

    Configuring BFD Support for VRRP Tracking The steps below show you how to configure and verify BFD support for VRRP protocol, so that VRRP is a registered protocol with BFD and will receive forwarding path detection failure messages from BFD.
  • Page 643 26.26.26.36 INIT Whenever there is any change in a track policy or change in VRID status with respect to the protocol, VRRP immediately informs BFD-CMM about the changes. Additionally, whenever BFD-NI detects any changes to the other end, it immediately informs BFD-CMM about the changes. BFD-CMM, then, updates its database accordingly and informs VRRP for its fastest convergence.
  • Page 644: Configuring Bfd Support For Static Routes

    255.0.0.0, and gateway address as 10.1.1.25. In order to create a BFD session for a static route, the gateway address should not match with any local interface address of the switch, and BFD should be enabled on the interface on which the gateway address exists.
  • Page 645: Bfd Application Example

    VLAN, and assign a router identification number to the routers. For the backbone connection, the network design in this case uses slot 2, port 1 as the egress port and slot 2, port 2 as ingress port on each router.
  • Page 646 BFD Application Example Configuring BFD Note. The ports will be statically assigned to the router VLANs, as a VLAN must have a physical port assigned to it in order for the IP router interface to function. The commands to set up the VLAN configuration are shown below: Router 1 (using ports 2/1 and 2/2 for the backbone and ports 2/3-5 for end devices): ->...
  • Page 647: Step 2: Enable Ospf

    The router was assigned the Router ID of 3.3.3.3. Step 2: Enable OSPF The next step is to load and enable OSPF on each router. The commands for this step are below (the commands are the same on each router): ->...
  • Page 648: Step 5: Configure Bfd Interfaces

    -> ip ospf interface vlan-30 status enable Step 5: Configure BFD Interfaces Next, BFD interfaces must be created and enabled. The BFD interfaces should have the same interface name as the IP router interfaces created above in “Step 1: Prepare the Routers” on page 30-25.
  • Page 649: Step 6: Configure Global Bfd Parameters

    Global BFD parameter settings for timer values and operational mode are applied to all BFD interfaces configured on the switch. When a BFD interface is created, the global settings are also applied as the default parameter values for the interface.
  • Page 650 To verify the configured BFD status on routers, use the show ip bfd-std command. This command shows the protocols registered for BFD (OSPF in the example network) and the parameter values for the transmit, receive, and echo intervals, the multiplier number, and the operational mode. •...
  • Page 651: Verifying The Bfd Configuration

    Configuring BFD Verifying the BFD Configuration Verifying the BFD Configuration To display information such as the BFD status for different session parameters and Layer 3 protocols, use the show commands listed in the following table: show ip bfd-std Displays the global BFD configuration for the switch.
  • Page 653: Chapter 31 Configuring Dhcp Relay

    Email and file transfer are two applications that could use UDP. UDP offers a direct way to send and receive datagrams over an IP network and is primarily used for broadcasting messages. This chapter describes the DHCP Relay feature.
  • Page 654: Dhcp Relay Specifications

    Automatic–DHCP assigns a permanent IP address to a host. mechanisms Dynamic–DHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address). Manual–The network administrator assigns a host’s IP address and DHCP simply conveys the assigned address to the host.
  • Page 655: Dhcp Relay Defaults

    Configuring DHCP Relay DHCP Relay Defaults DHCP Relay Defaults The following table describes the default values of the DHCP Relay parameters: Parameter Description Command Default Value/Comments Default UDP service ip udp relay BOOTP/DHCP Forward delay time value for DHCP Relay...
  • Page 656: Quick Steps For Setting Up Dhcp Relay

    Identify the IP address of the DHCP server. Where the DHCP server has IP address 128.100.16.1, use the following command: -> ip helper address 128.100.16.1 Set the forward delay timer for the BOOTP/DHCP relay. To set the timer for a 15 second delay, use the following command: -> ip helper forward delay 15 Set the maximum hop count value.
  • Page 657: Dhcp Relay Overview

    IP address replaced by the address (also specified by the user). If the relay is configured with multiple IP addresses, then the packet will be sent to all IP address destinations. The DHCP Relay also verifies that the maximum hop count has not been exceeded. If the forward delay time is not met or the maximum hop count is exceeded, the BOOTP/DHCP packet will be discarded by the DHCP Relay.
  • Page 658: Dhcp And The Omniswitch

    IP address allocation. Automatic—DHCP assigns a permanent IP address to a host. Dynamic—DHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address). Manual—The network administrator assigns a host’s IP address and DHCP simply conveys the assigned address to the host.
  • Page 659: External Dhcp Relay Application

    The DHCP server will assign a different IP address to each of the clients. The switch does not need an IP address assigned and all DHCP clients will be members of either a default VLAN or an IP protocol VLAN.
  • Page 660: Internal Dhcp Relay

    For those locally attached stations, the frame will simply be switched. In this case, the DHCP server and clients must be members of the same VLAN (they could also all be members of the default VLAN). One way to accomplish this is to use DHCP rules in combination with IP protocol rules to place all IP frames in the same VLAN.
  • Page 661: Dhcp Relay Implementation

    DHCP Relay Implementation The OmniSwitch allows you to configure the DHCP Relay feature in one of two ways. You can set up a global DHCP request or you can set up the DHCP Relay based on the VLAN of the DHCP request. Both of these choices provide the same configuration options and capabilities.
  • Page 662: Configuring Bootp/Dhcp Relay Parameters

    The relay forwarding option. The only parameter that is required for BOOTP relay is the IP address to the DHCP server or to the next hop to the DHCP server. The default values can be accepted for forward delay, hop count, and relay forwarding option.
  • Page 663: Setting Maximum Hops

    -> ip helper maximum hops 4 The hops value represents the maximum number of relays. The range is from one to 16 hops. The default maximum hops value is set to four. This maximum hops value only applies to DHCP Relay. All other switch services will ignore this value.
  • Page 664: Using Automatic Ip Configuration

    • If the reply packet contains a subnet mask for the IP address, the mask is applied to the VLAN 1 router port address. Otherwise, a default mask is determined based upon the class of the IP address. For example, if the IP address is a Class A, B, or C address, then 255.0.0.0, 255.255.0.0, or 255.255.255.0 is...
  • Page 665: Configuring Udp Port Relay

    This is done using UDP Port Relay commands to enable relay on these types of ports and to specify up to 256 VLANs that can forward traffic destined for these ports. The UDP Port Relay function is separate from the previously described functions (such as global DHCP, per-VLAN DHCP, and automatic IP configuration) in that using UDP Port Relay does not exclude or prevent other DHCP Relay functionality.
  • Page 666: Enabling/Disabling Udp Port Relay

    For example, the following command enables relay on service port 3047: -> ip udp relay 3047 To disable a relay operation for a UDP service port, use the no form of the ip udp relay command. For example, the following command disables relay on the DNS well-known service port: ->...
  • Page 667: Configuring Dhcp Security Features

    When this feature is enabled, communications between a DHCP client and a DHCP server are authenticated by the relay agent. To accomplish this task, the agent adds Option-82 data to the end of the options field in DHCP packets sent from a client to a DHCP server. Option-82 consists of two suboptions: Circuit ID and Remote ID.
  • Page 668: How The Relay Agent Processes Dhcp Packets From The Client

    If the two MAC addresses match, then a check is made to see if the slot/port value in the Circuit ID suboption field in the packet matches a port that is associated with the VLAN also identified in the Circuit ID suboption field.
  • Page 669: Enabling The Relay Agent Information Option-82

    -> ip helper agent-information policy replace Note that this type of policy applies to all DHCP packets received on all switch ports. In addition, if a packet that contains existing Option-82 data also contains a gateway IP address that matches a local subnet address, the relay agent will drop the packet and not apply any existing Option-82 policy.
  • Page 670: Using Dhcp Snooping

    A port is trusted if it is connected to a device inside the network, such as a DHCP server. A port is untrusted if it is connected to a device outside the network, such as a customer switch or workstation.
  • Page 671: Dhcp Snooping Configuration Guidelines

    There are two levels of operation available for the DHCP Snooping feature: switch level or VLAN level. These two levels are exclusive of each other in that they both cannot operate on the switch at the same time. In addition, if the global DHCP relay agent information option (Option-82) is enabled for the switch, then DHCP Snooping at any level is not available.
  • Page 672 VLAN that has this feature enabled. Up to 64 VLANs can have DHCP Snooping enabled. Note that enabling DHCP Snooping at the switch level is not allowed if it is enabled for one or more VLANs.
  • Page 673: Configuring The Port Trust Mode

    Bypassing the Option-82 Check on Untrusted Ports By default, DHCP Snooping checks packets received on untrusted ports (DHCP Snooping client-only or blocked ports) to see if the packets contain the Option-82 data field. If a packet does contain this field, the packet is dropped.
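The Option-82 handling described on pages 668, 669 and 673 above, as an added Python example that is not code from the guide or from Alcatel-Lucent: it parses the DHCP options field to find the Relay Agent Information option (Option 82, RFC 3046), applies the drop/keep/replace relay policy together with the rule that a packet already carrying Option-82 data whose gateway address (giaddr) falls in a local subnet is dropped before any policy is applied, models the DHCP Snooping drop of Option-82-tagged packets on untrusted ports (and the configurable bypass), and performs the reply check that the Remote ID equals the switch MAC and that the slot/port in the Circuit ID belongs to the VLAN named in the Circuit ID. The suboption encodings (Circuit ID as VLAN + slot + port, Remote ID as the switch base MAC), the sample option bytes, the MAC addresses and the subnets are constructed assumptions for illustration, not the switch's real wire format.

```python
"""Added example, not code from the OmniSwitch guide.

Models the DHCP Relay / DHCP Snooping handling of Option 82 (RFC 3046):
untrusted-port drop (with bypass), the drop/keep/replace relay policy with
the local-giaddr drop rule, and the reply check on Remote ID / Circuit ID.
Encodings and all packet bytes are assumptions constructed for this example.
"""
import ipaddress
import struct

OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(options: bytes) -> dict:
    """TLV walk of the DHCP options field -> {code: raw value}; stops at END."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def serialize_options(opts: dict) -> bytes:
    """Re-encode options in dict order and terminate with END."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + bytes([OPT_END])


def build_option82(vlan: int, slot: int, port: int, switch_mac: bytes) -> bytes:
    """Assumed encoding: Circuit ID = VLAN (16-bit) + slot + port, Remote ID = switch MAC."""
    circuit_id = struct.pack(">HBB", vlan, slot, port)
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac)


def parse_option82(value: bytes) -> dict:
    """Split the Option 82 value into its suboptions {1: circuit id, 2: remote id}."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def snooping_untrusted_check(options: bytes, port_trusted: bool, bypass_check: bool = False) -> str:
    """DHCP Snooping: Option 82 present on an untrusted port -> drop, unless bypass is set."""
    if OPT_RELAY_AGENT in parse_options(options) and not port_trusted and not bypass_check:
        return "drop"
    return "forward"


def relay_agent_policy(options: bytes, giaddr: str, local_subnets, policy: str,
                       vlan: int, slot: int, port: int, switch_mac: bytes):
    """Apply the Option-82 policy to a client->server packet; returns (action, options)."""
    if policy not in ("drop", "keep", "replace"):
        raise ValueError("policy must be drop, keep or replace")
    opts = parse_options(options)
    if OPT_RELAY_AGENT in opts:
        g = ipaddress.ip_address(giaddr)
        if any(g in ipaddress.ip_network(n) for n in local_subnets):
            return "drop", options          # existing Option 82 + local giaddr: dropped, no policy applied
        if policy == "drop":
            return "drop", options
        if policy == "keep":
            return "forward", options
        del opts[OPT_RELAY_AGENT]           # replace: strip the foreign data, then add our own
    opts[OPT_RELAY_AGENT] = build_option82(vlan, slot, port, switch_mac)   # appended at the end
    return "forward", serialize_options(opts)


def validate_reply_option82(option82: bytes, switch_mac: bytes, vlan_ports: dict) -> bool:
    """Server->client reply check: Remote ID is our MAC and slot/port is a member of the
    VLAN carried in the Circuit ID (vlan_ports maps VLAN -> set of (slot, port))."""
    subs = parse_option82(option82)
    if subs.get(SUB_REMOTE_ID) != switch_mac:
        return False
    cid = subs.get(SUB_CIRCUIT_ID, b"")
    if len(cid) != 4:
        return False
    vlan, slot, port = struct.unpack(">HBB", cid)
    return (slot, port) in vlan_ports.get(vlan, set())


# Constructed sample data (not captured traffic).
SWITCH_MAC = bytes.fromhex("00e0b1000001")
CLIENT_OPTIONS = serialize_options({OPT_MSG_TYPE: b"\x01"})     # DHCPDISCOVER, untagged
TAGGED_OPTIONS = serialize_options({OPT_MSG_TYPE: b"\x01",      # DISCOVER already tagged by another relay
                                    OPT_RELAY_AGENT: build_option82(20, 3, 1, bytes.fromhex("aabbccddeeff"))})
VLAN_PORTS = {10: {(3, 1), (3, 2)}, 20: {(3, 1)}}

if __name__ == "__main__":
    print("untrusted port, tagged:", snooping_untrusted_check(TAGGED_OPTIONS, port_trusted=False))
    action, out = relay_agent_policy(TAGGED_OPTIONS, "192.168.5.1", ["10.1.1.0/24"], "replace", 10, 3, 1, SWITCH_MAC)
    print("replace policy:", action, parse_option82(parse_options(out)[OPT_RELAY_AGENT]))
```

The giaddr test is done before the policy is consulted, which is the order the guide gives; a practitioner auditing a relay should verify the same ordering with a tagged packet whose giaddr is on a local subnet, since a "keep" policy that ran first would forward it.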
  • Page 674: Configuring Port Ip Source Filtering

    Configuring the DHCP Snooping Binding Table The DHCP Snooping binding table is automatically enabled by default when DHCP Snooping is enabled at either the switch or VLAN level. This table is used by DHCP Snooping to filter DHCP traffic that is received on untrusted ports.
  • Page 675: Configuring The Binding Table Timeout

    When the binding table is synchronized with the contents of the dhcpBinding.db file, any table entries with a MAC address that no longer appears in the MAC address table are cleared from the binding table. To retain these entries regardless of their MAC address table status, use the...
  • Page 676: Layer 2 Dhcp Snooping

    When DHCP Snooping is enabled at the switch level or for an individual VLAN, DHCP Snooping functionality is also applied to Layer 2 traffic. When DHCP Snooping is disabled at the switch level or disabled on the last VLAN to have snooping enabled on the switch, DHCP Snooping functionality is no longer applied to Layer 2 or Layer 3 traffic.
  • Page 677: Verifying The Dhcp Relay Configuration

    Verifying the DHCP Relay Configuration: To display information about the DHCP Relay and BOOTP/DHCP, use the show commands listed below. For more information about the resulting displays from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 679: Chapter 32 Configuring Vrrp

    The VRRPv2/VRRPv3 router that controls the IPv4/IPv6 address associated with a virtual router is called the master router and is responsible for forwarding virtual router advertisements. If the master router becomes unavailable, the highest-priority backup router transitions to the master state. The Alcatel-Lucent implementation of VRRP also supports the collective management of virtual routers on a switch.
  • Page 680 • VRRPv3 advertisement interval—see “Configuring the VRRPv3 Advertisement Interval” on page 32-21. • VRRPv3 Virtual router priority—see “Configuring the VRRPv3 Virtual Router Priority” on page 32-21. • Preempting VRRPv3 virtual routers—see “Setting Preemption for VRRPv3 Virtual Routers” on page 32-22.
  • Page 681: Vrrp Specifications

    | no preempt: default is preempt mode enabled. Advertising interval (vrrp ... interval): default 1 second. The following table lists the defaults for VRRP configuration using the VRRP collective management features and the relevant command: Default advertising interval for all the virtual routers on the switch (vrrp interval): 1 second.
  • Page 682 Configuring VRRP Default preempt mode for all the vrrp group preempt virtual routers in the group. Parameter value that is to be set vrrp group set and/or override with the new default value in all the virtual routers in the group.
  • Page 683: Quick Steps For Creating A Virtual Router

    Configure an IP address for the virtual router. -> vrrp 6 4 address 10.10.2.3 Repeat steps 1 through 2 on all of the physical switches that will participate in backing up the address(es) associated with the virtual router. Enable VRRP on each switch.
  • Page 684: Vrrp Overview

    IP address. If the master router becomes unavailable, the highest priority backup router will transition to the master state. Note. The IP address that is backed up may be the IP address of a physical router, or it may be a virtual IP address.
  • Page 685: Why Use Vrrp?

    If an end host uses a static route to its default gateway, this creates a single point of failure if the route becomes unavailable. End hosts will not be able to detect alternate paths.
  • Page 686: Vrrp Mac Addresses

    IP address, the master router responds to the ARP request using the virtual router MAC address. If a backup router takes over for the master, and an end host sends an ARP request, the backup will reply to the request using the virtual router MAC address.
  • Page 687: Vrrp Startup Delay

    45 seconds. The startup delay may be modified to allow more or less time for the router to stabilize its routing tables. In addition to the startup delay, the switch has an ARP delay (which is not configurable).
  • Page 688: Vrrp Configuration Overview

    VRID and the relevant VLAN ID. The VRID must be a unique number in the range from 1 to 255. The VLAN must already be created on the switch through the vlan command. For information about creating VLANs, see Chapter 4, “Configuring...
  • Page 689: Specifying An Ip Address For A Virtual Router

    IP address 10.10.2.3. The virtual router is then enabled with the vrrp command. Note that if a virtual router is to be the IP address owner, then all addresses on the virtual router must match an address on the switch interface.
  • Page 690: Configuring The Advertisement Interval

    IP address of the physical interface, this router will function as a virtual router master and its priority value will be 255. The value cannot be set to 255 if the router is not the IP address owner.
  • Page 691: Enabling/Disabling A Virtual Router

    -> vrrp 7 3 enable In this example, a virtual router is created on VLAN 3 with a VRID of 7. An IP address is then assigned to the virtual router. The virtual router is then enabled on the switch.
  • Page 692: Setting Vrrp Traps

    They will remain in this state until the timer expires, at which point they will negotiate to determine whether to become the master or a backup. To delay all the virtual routers from going active before their routing tables are set up, use the vrrp delay command.
  • Page 693: Changing Default Parameter Values For A Virtual Router Group

    For example, to change the default priority value to 50 on all the existing virtual routers on a switch, enter the following: ->...
  • Page 694 VRRP Configuration Overview Configuring VRRP This command creates a virtual router group 25. Use the no form of the same command to delete a virtual router group. For example: -> no vrrp group 25 Note. When a virtual router group is deleted, the virtual routers assigned to the group become unassigned.
  • Page 695 Note. You can specify a parameter such as interval, priority, preempt or all in the vrrp group set command to set and/or override the existing value with the new default values. By default the option all is applied. The all option resets and/or overrides the existing advertising interval value, priority value and preempt mode with the modified default values.
  • Page 696: Verifying The Vrrp Configuration

    Displays the virtual routers that are associated with a group. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 697: Vrrpv3 Configuration Overview

    VRID and the relevant VLAN ID. The VRID must be a unique number in the range from 1 to 255. The VLAN must already be created on the switch through the vlan command. For information about creating VLANs, see Chapter 4, “Configuring VLANs.”...
  • Page 698: Specifying An Ipv6 Address For A Vrrpv3 Virtual Router

    Accept mode. By default, the accept mode is enabled. This mode allows the master router to accept packets addressed to the IPv6 address owner as its own. Use the no accept mode to prevent the master router from accepting packets addressed to the IPv6 address owner.
  • Page 699: Configuring The Vrrpv3 Advertisement Interval

    If a virtual router is to be the IP address owner, then all addresses on the virtual router must match an address on the switch interface. This includes the virtual router's link local address. In other words, a virtual router cannot be the IP address owner if its link local address does not match the interface link local address.
  • Page 700: Setting Preemption For Vrrpv3 Virtual Routers

    “Enabling/Disabling a VRRPv3 Virtual Router” on page 32-23). Also, if a router is the IPv6 address owner and the priority value is not set to 255, the switch will set its priority to 255 when the router is enabled. To set the priority, use the vrrp3 command with the priority keyword and the desired value.
  • Page 701: Enabling/Disabling A Vrrpv3 Virtual Router

    -> vrrp3 7 3 enable In this example, a VRRPv3 virtual router is created on VLAN 3 with a VRID of 7. An IPv6 address is then assigned to the virtual router. The virtual router is then enabled on the switch.
  • Page 702: Verifying The Vrrpv3 Configuration

    Displays the tracking policies associated with VRRPv3 virtual routers. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 703: Creating Tracking Policies

    -> vrrp track 3 enable priority 50 address 20.1.1.3 In this example, a tracking policy ID (3) is created and enabled for IP address 20.1.1.3. If this address becomes unreachable, a virtual router associated with this track ID will have its priority decremented by 50.
  • Page 704: Vrrp Application Example

    Half of the hosts are configured with a default route to virtual router 1’s IP address (10.10.2.250), and the other half are configured with a default route to virtual router 2’s IP address (10.10.2.245).
  • Page 705 OmniSwitch B will become master for VRID 1. In the same way, the master of VRID 2 will respond to ARP requests for IP address B using the virtual router MAC address for VRID 2 (00:00:5E:00:01:02). OmniSwitch B is the master for VRID 2 since it contains the physical interface to which 10.10.2.245 is assigned.
  • Page 706: Vrrp Tracking Example

    VRRP Tracking Example In this example, the master for virtual router 1 has a priority of 100 and the backup for virtual router 1 has a priority of 75. The virtual router configuration for VRID 1 and 2 on VRRP router A is as follows: ->...
  • Page 707 Note. Preempt must be set on switch A virtual router 1, and switch B virtual router 2, in order for the correct master to assume control once their respective ports 3/1 return to viability. In our example, once port 3/1 on switch A is functioning again we want switch A to reestablish itself as the master.
  • Page 708: Vrrpv3 Application Example

    VRRPv3 Redundancy and Load Balancing The CLI commands used to configure this setup are as follows: First, create two VRRPv3 virtual routers for VLAN 5. (Note that VLAN 5 must already be created and available on the switch.) -> vrrp3 1 5 ->...
  • Page 709: Vrrpv3 Tracking Example

    OmniSwitch A should become unavailable, OmniSwitch B will become master for VRID 1. In the same way, the master of VRID 2 will respond to neighbor solicitation for IPv6 address B using the virtual router MAC address for VRID 2 (00:00:5E:00:02:02). OmniSwitch B is the master for VRID 2 since it contains the physical interface to which is assigned.
  • Page 710 Configuring VRRP In this example, the master for virtual router 1 has a priority of 100 and the backup for virtual router 1 has a priority of 75. The virtual router configuration for VRID 1 and 2 on VRRPv3 router A is as follows: ->...
  • Page 711: Chapter 33 Configuring Ipx

    IPX networks. (NetWare is Novell’s network server operating system.) In This Chapter This chapter describes IPX and how to configure it through the Command Line Interface (CLI). It includes instructions for configuring IPX routing and fine-tuning IPX by using optional IPX configuration parameters (e.g., IPX packet extension and type-20 propagation).
  • Page 712: Ipx Specifications

    1.30; May 23, 1996, Part No. 107-000029-001. Platforms Supported: OmniSwitch 6400, 6800, 6850, 6855, and 9000. IPX Defaults: The following table lists the defaults for IPX configuration through the ipx command. Description / Command / Default: IPX Status / ipx routing / ...
  • Page 713: Quick Steps For Configuring Ipx Routing

    When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However, to route packets to a device on a different VLAN, you must create an IPX router port on each VLAN. The following steps show you how to enable IPX routing between VLANs “from scratch”. If active VLANs have already been created on the switch, go to step 5.
  • Page 714: Ipx Overview

    VLAN. Therefore, workstations connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both switches have been assigned to VLAN 2, and a physical connection has been made between the switches.
  • Page 715 Layer 3 protocol used by NetWare routers to exchange IPX routing information. IPX RIP functions similarly to IP RIP. IPX RIP uses two metrics to calculate the best route, hop count and ticks. An IPX router periodically transmits packets containing the information currently in its own routing table to neighboring IPX RIP routers to advertise the best route to an IPX destination.
  • Page 716: Ipx Routing

    IPX). If the switch is in the multiple mac router mode, up to 64 router ports are supported (including IP and IPX). You can configure an IP and IPX router port on the same VLAN. Both types of router ports will share the same MAC address for that VLAN.
  • Page 717: Ipx Router Port Configuration Options

    Enter the command, then enter the IPX network number of the first hop used to reach the default route. For example, to configure a default route by using IPX network 222 for the first hop you would enter: ->...
  • Page 718: Creating/Deleting Static Routes

    That is, if two routes have the same metric value, the static route has the higher priority. Static routes allow you to define or customize an explicit path to an IP network segment, which is then added to the IP forwarding table.
  • Page 719: Configuring Extended Rip And Sap Packets

    RIP/SAP broadcast time for the switch. You must set both the RIP and SAP timer values. For example, to set a RIP timer value of 120 and a SAP timer value of 180 you would enter: ->...
  • Page 720: Using The Ping Command

    IPX routing is enabled. However, Alcatel-Lucent switches will respond to either type. For example, to send a ping with a count of 2, a size of 32 bytes, a time-out of 10 seconds, that is an Alcatel-Lucent type packet you would enter: ->...
  • Page 721: Ipx Rip/Sap Filtering

    GNS Output Filters. Control which servers are included in the GNS responses sent by the switch. All types of IPX Filters can be configured either to allow or to block traffic. The default setting for all filters is to allow traffic. Therefore, you will typically have to define only a filter to block traffic.
  • Page 722: Configuring Rip Filters

    -> ipx filter rip in block 40 mask ffffffff Use the no ipx rip filter command to delete a RIP filter. For example, to delete a global RIP filter that was configured to block incoming RIP packets you would enter: ->...
  • Page 723: Configuring Gns Filters

    -> no ipx filter sap in block Use the optional syntax to delete a filter for a specific VLAN or network. If you are deleting the filter for a specific network, you can also enter the network mask. To delete a filter from all VLANs/networks, use only the basic command syntax (e.g., no ipx filter sap in allow).
  • Page 724: Ipx Rip/Sap Filter Precedence

    Filter 2 ipx filter sap all in allow 40 mask ffffffff This filter will allow all SAP Types on all nodes of network 40. It is less specific than the block filter so all SAP updates will be allowed. Flushing the IPX RIP/SAP Tables When you flush the RIP/SAP table(s), only routes learned by RIP and SAP are deleted;...
  • Page 725: Verifying The Ipx Configuration

    Displays the current status of the extended RIP/SAP packet feature. show ipx timers: Displays the current RIP and SAP timer values. For more information about the displays that result from these commands, see the OmniSwitch CLI Reference Guide.
  • Page 727: Chapter 34 Configuring Access Guardian

    User Network Profiles (UNP)—One of the configurable options of a device classification policy is to classify a device with a UNP. When the policy applies the UNP to one or more devices, the UNP determines the VLAN assignment for the device, whether or not HIC is required for the device, and if any QoS access control list (ACL) policies are applied to the device.
  • Page 728 For more information about configuring 802.1X on switch ports, see Chapter 37, “Configuring 802.1X”.
  • Page 729: Access Guardian Specifications

    Platforms Supported: OmniSwitch 6400, 6850, and 6855. Number of Host Integrity Check servers per switch: 1 (InfoExpress CyberGatekeeper server). Number of servers allowed in the Host Integrity Check exception list; Maximum number of hosts processed through Host Integrity Check; Number of QoS policy lists per switch...
  • Page 730: Access Guardian Defaults

    Access Guardian Defaults: The following default Access Guardian device classification policies are applied when 802.1x is enabled on a switch port. Description: Authentication and classification for 802.1x users (802.1x supplicants). Keyword: 802.1x supplicant policy. Default policy: pass: group-mobility, default-vlan
  • Page 731: Quick Steps For Configuring Access Guardian

    When 802.1x is enabled for a switch port, default Access Guardian device classification policies are applied to all devices connected to the port. As a result, it is only necessary to configure such policies if the default policy is not sufficient for network access control. Therefore, the following quick steps are optional but provide a brief tutorial for configuring Access Guardian policies: To configure an Access Guardian policy that will authenticate and classify 802.1x users (supplicants),...
  • Page 732 Non-Supplicant: block (default) Captive Portal: authentication: pass: default-vlan (default) fail: block (default) To verify the Captive Portal configuration for an 802.1X-enabled port, use the show 802.1x command: -> show 802.1x 1/13 802.1x configuration for slot 1 port 13: direction = both,...
  • Page 733: Quick Steps For Configuring User Network Profiles

    A User Network Profile (UNP) is a configurable option for Access Guardian device classification policies. The following quick steps provide a brief tutorial on how to create a UNP and configure a device classification policy to use the UNP to classify a device:...
  • Page 734: Quick Steps For Configuring Host Integrity Check

    Enable the HIC option for the UNP using the aaa user-network-profile command. -> aaa user-network-profile name guest_user vlan 500 hic enable Optional. Configure a server name and IP address entry for the HIC exception list using the aaa hic allowed-name command.
  • Page 735: Quick Step For Configuring Qos Policy Lists

    Assigning a QoS policy list to Access Guardian User Network Profiles (UNP) is done to further enforce the access of a device to network resources. A policy list consists of one or more QoS policy rules; the list is assigned a name, which is used to associate the list with the UNP. The following quick steps provide a...
  • Page 736: Quick Steps For Configuring User Network Profile Mobile Rules

    VLAN mobile rules and User Network Profile (UNP) mobile rules. UNP mobile rules determine the VLAN assignment for the device based on the profile applied to the device. The following quick steps provide a brief tutorial for configuring UNP mobile rules:...
  • Page 737 IP Mask User Network Profile Name ------------------+-----------------+------------------------- 198.4.21.1 255.255.0.0 guest_user 10.1.1.1 255.0.0.0 acct_user 20.2.2.1 255.0.0.0 engr_user See the OmniSwitch CLI Reference Guide for information about the fields in this display. OmniSwitch AOS Release 6 Network Configuration Guide September 2009 page 34-11...
  • Page 738: Access Guardian Overview

    Host Integrity Check (HIC) to verify end user device integrity. • User Network Profiles (UNP) to classify devices, enable or disable the HIC process, and apply QoS policies to enforce device access to network resources. This chapter documents the functionality of the Access Guardian feature. For more information about TAD, see Chapter 47, “Configuring Network...
  • Page 739: Authentication And Classification

    Captive Portal is a configurable option for both supplicant and non-supplicant policies. When the Captive Portal option is invoked, a Web page is presented to the user device to prompt the user to enter login credentials. If authentication returns a VLAN ID, the device is assigned to that VLAN. If a VLAN ID is not returned or authentication fails, a separate Captive Portal policy then determines the network access control for the supplicant or non-supplicant.
  • Page 740 User Network Profile. • Apply a list of QoS policy rules to end user device traffic. A QoS policy list is associated with a UNP and applied to all devices that are associated with that profile.
  • Page 741: Host Integrity Check (End-User Compliance)

    If there are no Group Mobility VLAN or UNP mobile rules that match the client traffic, then the device is learned in the default VLAN for the 802.1X port. See “Configuring Access Guardian Policies” on page 34-22 for more information about how to use and configure policies.
  • Page 742: How It Works

    Note. The HIC feature is not available unless the feature is enabled for the switch. This is true even if HIC servers are configured for the switch or the HIC attribute is enabled for a profile. See “Configuring Host...
  • Page 743 VLAN rules or UNP mobile rules to determine if the device traffic matches any such rules. If there is a match with a UNP rule, the profile specified in that rule is applied to the device. Note that UNP rules take precedence over VLAN rules.
  • Page 744: What Are Unp Mobile Rules?

    VLAN rules. If there are no applicable UNP rules, then the VLAN rules are applied. UNP rules differ from VLAN rules in that they assign a user profile to a device that matches the rule. The profile then determines the VLAN assignment for the device. VLAN rules directly assign a device to the VLAN for which the matching rules are configured.
  • Page 745: Quality Of Service (Qos)

    • If a policy rule is enabled, it is active for all policy lists to which it belongs. If one of the policy lists is disabled, the rule is still active for all the other lists. •...
  • Page 746: Host Integrity Check - Infoexpress

    • VLAN Stacking Ethernet services are not available when the HIC feature is configured for the switch. These two features are mutually exclusive; only one of them can run on the switch at any given time. • The Host Integrity Check (HIC) feature on the switch interacts with compliance agents and the CyberGatekeeper server from InfoExpress.
  • Page 747: Setting Up Port-Based Network Access Control

    For port-based network access control, 802.1X must be enabled for the switch and the switch must know which servers to use for authenticating 802.1X supplicants and non-supplicants. In addition, 802.1X must be enabled on each port that is connected to an 802.1X supplicant (or device). Optional parameters may be set for each 802.1X port.
  • Page 748: Configuring 802.1X Port Parameters

    -> vlan port mobile 3/1 -> vlan port 3/1 802.1x enable The vlan port 802.1x command enables 802.1X on port 1 of slot 3. The port will be set up with defaults listed in “802.1X Defaults” on page 37-2 of the Chapter 37, “Configuring 802.1X.”...
  • Page 749: Configuring Supplicant Policies

    If authentication is successful and returns a VLAN ID that exists in the switch configuration, the supplicant is assigned to that VLAN. If authentication is successful but does not return a VLAN ID, Group Mobility checks if there are any VLAN rules or User Network Profile mobile rules that will classify the supplicant.
  • Page 750: Supplicant Policy Examples

    VLAN ID. Use the fail keyword to specify which options to apply when 802.1x authentication fails or returns a VLAN ID that does not exist. The pass keyword is implied and therefore an optional keyword. If the fail keyword is not used, the default action is to block the device.
  • Page 751 Description 802.1x 2/12 supplicant policy authentication pass If the 802.1x authentication process is successful group-mobility captive-portal fail vlan 10 captive- but does not return a VLAN ID for the device, then portal the following occurs: Group Mobility rules are applied.
  • Page 752: Configuring Non-Supplicant Policies

    VLAN ID. Use the fail keyword to specify which options to apply when 802.1x authentication fails or returns a VLAN ID that does not exist. The pass keyword is implied and therefore an optional keyword. If the fail keyword is not used, the default action is to block the device.
  • Page 753: Non-Supplicant Policy Examples

    Note that this type of policy does not use 802.1x or MAC authentication. As a result, all of the available policy keywords restrict the assignment of the non-supplicant device to only those VLANs that are not authenticated VLANs. The pass and fail keywords are not used when configuring this type of policy.
  • Page 754 802.1x 2/10 non-supplicant policy authentication If the MAC authentication process is successful pass vlan 10 block fail group-mobility default-vlan but does not return a VLAN ID for the device, then the following occurs: The device is assigned to VLAN 10.
  • Page 755 802.1x 2/12 non-supplicant policy authentication If the MAC authentication process is successful pass group-mobility captive-portal fail vlan 10 but does not return a VLAN ID for the device, then captive-portal the following occurs: Group Mobility VLAN or UNP mobile rules are applied.
  • Page 756: Configuring The Captive Portal Policy

    The default Captive Portal policy assigns a device to the default VLAN for the port if authentication was successful but did not return a VLAN ID or blocks a device on the port if the device failed authentication. As a result, it is only necessary to change the policy if the default pass and fail cases are not sufficient.
  • Page 757 -> 802.1x 2/12 captive-portal policy authentication pass vlan 10 group-mobility block fail vlan 10 default-vlan The first command in the above example checks Group Mobility rules first then checks for VLAN 10 next. The second command checks for VLAN 10 first then checks for Group Mobility rules.
  • Page 758: Configuring Captive Portal Authentication

    Configure the homepage URL for the client browser. The Captive Portal authentication process responds only to browser queries that contain the “www”, “http”, or “https” prefix in the URL. As a result, it is necessary to configure the homepage URL for the browser with at least one of these three prefixes.
  • Page 759: Configuring Captive Portal Session Parameters

    Portal session remains active after a successful login. At the end of this time, the user is automatically logged out of the session and no longer has network access. By default, the session limit is set to 12 hours. To allow a user to remain logged in for an indefinite amount of time, specify 0 for this parameter value.
  • Page 760 /flash/switch directory on the switch. When a Captive Portal session is initiated, the switch checks to see if there are any files in this directory; if so, then the custom files are incorporated and displayed by Captive Portal. If no files are found, the default Captive Portal Web page components are used.
  • Page 761: Authenticating With Captive Portal

    Open a Web browser window on the client device. If there is a default home page, the browser will attempt to connect to that URL. If a default home page is not available, enter a URL for any website and attempt to connect to that site.
  • Page 762 Configuring Captive Portal Authentication Configuring Access Guardian When the browser window opens and after the certificate warning message, if any, is cleared, Captive Portal displays a login screen similar to the one shown in the following example: Enter the user name in the “User ID” field.
  • Page 763 If user authentication is successful, the following status and logout messages are displayed: The user is now logged into the network and has access to all network resources in the VLAN to which this user was assigned. The VLAN membership for the user was either returned through RADIUS authentication or determined through Captive Portal device classification (invoked when RADIUS does not return a VLAN ID or authentication fails).
  • Page 764: Logging Off The Network With Captive Portal

    Captive Portal logout page is displayed: To log off from a Captive Portal session, the user clicks on the “Submit” button. The user is then logged off the network and the user device returns to the Captive Portal state (device MAC address is unknown to the switch).
  • Page 765: Configuring Host Integrity Check

    HIC functionality is disabled. For example, if the HIC attribute of a UNP is enabled, the HIC process is not invoked when the profile is applied if the HIC feature is not enabled for the switch. Use the aaa hic command to enable or disable the HIC feature for the switch.
  • Page 766: Configuring User Network Profiles

    Configuring QoS Policy Lists One of the attributes of a User Network Profile (UNP) specifies the name of a list of QoS policy rules. This list is applied to a user device when the device is assigned to the user profile. Using policy lists allows the administrator to associate a group of users to a set of QoS policy rules.
  • Page 767: Configuring User Network Profile Mobile Rules

    • If a rule is a member of multiple policy lists but one or more of these lists are disabled, the rule is still active for those lists that are enabled.
  • Page 768: Verifying Access Guardian Users

    Verifying Access Guardian Users: The following set of show aaa-device commands provides a centralized way to verify the status of users authenticated and classified through Access Guardian security mechanisms. The show aaa-device all-users command displays the Access Guardian status of all users learned on 802.1x ports:...
  • Page 769 5/9 00:90:27:17:91:a8 pc2006 1000 Brdg Pass engr 5/9 00:00:39:93:46:0c MAC Fail For more information about the displays that result from these commands, see the OmniSwitch CLI Refer- ence Guide. OmniSwitch AOS Release 6 Network Configuration Guide September 2009 page 34-43...
  • Page 770: Logging Users Out Of The Network

    -> aaa admin-logout user-network-profile name marketing Logging a group of users out of the network is particularly useful if configuration changes are required to any Access Guardian features. For example, if the Host Integrity Check (HIC) feature is globally disabled for the switch, all User Network Profiles (UNP) with the HIC attribute enabled no longer check devices for compliance.
  • Page 771: Verifying The Access Guardian Configuration

    Verifying the Access Guardian Configuration A summary of the show commands used for verifying the Access Guardian configuration is given here: show 802.1x Displays information about ports configured for 802.1X. Includes Captive Portal session timeout and login retry parameter values.
  • Page 772: Verifying the Access Guardian Configuration
  • Page 773: In This Chapter

    35 Managing Authentication Servers This chapter describes authentication servers and how they are used with the switch. The types of servers described include Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), Terminal Access Controller Access Control System (TACACS+), and SecurID’s ACE/Server.
  • Page 774: Chapter 35 Managing Authentication Servers

    RFC 2253–Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
    RFC 2254–The String Representation of LDAP Search Filters
    RFC 2256–A Summary of the X.500(96) User Schema for Use with LDAPv3
    Other RFCs:
    RFC 2574–User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
    RFC 2924–Accounting Attributes and Record Formats...
  • Page 775: Server Defaults

    UDP destination port for accounting: acct-port 1646*. * The port defaults are based on the older RADIUS standards; some servers are set up with port numbers based on the newer standards (ports 1812 and 1813, respectively). TACACS+ Authentication Servers Defaults for the...
  • Page 776: Quick Steps For Configuring Authentication Servers

    = UP See the CLI Reference Guide for information about the fields in this display. If you are using ACE/Server, there is no required switch configuration; however, you must FTP the sdconf.rec file from the server to the switch’s /network directory.
  • Page 777: Server Overview

    When RADIUS, TACACS+, and/or LDAP servers are set up for Authenticated Switch Access, the switch polls the server for user login information. The switch also polls the server for privilege information (authorization) if it has been configured on the server; otherwise, the local user database is polled for the privileges.
  • Page 778: Authenticated Vlans

    Servers may be configured using one of two different modes, single authority mode or multiple authority mode. The mode specifies how the servers are set up for authentication: single authority mode uses a single list (an authentication server and any backups) to poll with authentication requests. Multiple authority mode uses multiple lists, one list for each authenticated VLAN.
  • Page 779: Port-Based Network Access Control (802.1X)

    Port-Based Network Access Control (802.1X) For devices authenticating on an 802.1X port on the switch, only RADIUS authentication servers are supported. The RADIUS server contains a database of user names and passwords, and may also contain challenges/responses and other authentication criteria.
  • Page 780: Ace/Server

    The ACE client in the switch is version 4.1; it does not support the replicating and locking feature of ACE 5.0, but it may be used with an ACE 5.0 server if a legacy configuration file is loaded on the server. The legacy configuration must specify authentication to two specific servers (master and slave).
  • Page 781: Radius Servers

    RADIUS Servers RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific Attributes (VSAs) is required. The Alcatel-Lucent attributes may include VLAN information, time-of-day, or slot/port restrictions.
  • Page 782 Framed-Route; Framed-IPX-Network; 24 State: Sent in challenge/response packets. 25 Class: Used to pass information from the server to the client and passed unchanged to the accounting server as part of the accounting-request packet. 26 Vendor-Specific: see “Vendor-Specific Attributes for RADIUS” on page 35-11.
  • Page 783: Vendor-Specific Attributes For Radius

    Specific Attributes (VSAs). Alcatel-Lucent, through partnering arrangements, has included these VSAs in some vendors’ RADIUS server configurations. The attribute subtypes are defined in the server’s dictionary file. If you are using single authority mode, the first VSA subtype, Alcatel-Lucent-Auth-Vlan, must be defined on the server for each authenticated VLAN.
  • Page 784: Configuring Functional Privileges On The Server

    On the RADIUS server, configure the functional privilege attributes with the bitmask values. Note. For more information about configuring users on the switch, see the “Switch Security” chapter in the OmniSwitch AOS Release 6 Switch Management Guide.
  • Page 785: Radius Accounting Server Attributes

    RADIUS Accounting Server Attributes The following table lists the standard attributes supported for RADIUS accounting servers. The attributes in the radius.ini file may be modified if necessary. Num. / Standard Attribute / Description: 1 User-Name: Used in access-request and account-request packets.
  • Page 786: Configuring The Radius Client

    When creating a new server, at least one host name or IP address (specified by the host keyword) is required as well as the shared secret (specified by the key keyword). In this example, the server name is rad1, the host address is 10.10.2.1, the backup address is 10.10.3.5, and the shared secret is amadeus.
  • Page 787: Tacacs+ Server

    TACACS+ authentication is enabled. • Accounting. Accounting is the process of recording what the user is attempting to do or what the user has done. TACACS+ accounting must be enabled on the switches for accounting to succeed.
  • Page 788: Configuring The Tacacs+ Client

    In this example, the server name is tac1, the host address is 10.10.5.2, the backup address is 10.10.5.5, and the shared secret is otna. Note that the shared secret must be configured exactly the same as on the server. -> aaa tacacs+-server tac1 host 10.10.5.2 10.10.5.5 key otna To modify a TACACS+ server, enter the server name and the desired parameter to be modified.
  • Page 789: Ldap Servers

    Copy the relevant schema LDIF files from the Alcatel-Lucent software CD to the configuration directory on the server. (Each server type has a command line tool or a GUI tool for importing LDIF files.) Database LDIF files may also be copied and used as templates. The schema files and the database files are specific to the server type.
  • Page 790: Ldap Server Details

    LDIF files specify multiple directory entries or changes to multiple entries, but not both. The file is in simple text format and can be created or modified in any text editor. In addition, LDIF files import and export binary data encoded according to the base 64 convention used with MIME (Multipurpose Internet Mail Extensions) to send various media file types, such as JPEG graphics, through electronic mail.
  • Page 791: Directory Entries

    LDAP protocol naming conventions. Distinguished names are constructed from Relative Distinguished Names (RDNs), related entries that share no more than one attribute value with a DN. RDNs are the components of DNs, and DNs are string representations of entry names in directory servers.
  • Page 792: Directory Searches

    Base objects and scopes are specified in the searches, and indicate where to search in the directory. Filters are used to specify entries to select in a given scope. The filters are used to test the existence of object class attributes, and enable LDAP to emulate a “read” of entry listings during the searches. All search preferences are implemented by means of a filter in the search.
  • Page 793: Directory Compare And Sort

    LDAP will compare directory entries with given attribute values to find the information it needs. The Compare function in LDAP uses a DN as the identity of an entry, and searches the directory with the type and value of an attribute. Compare is similar to the Search function, but simpler.
  • Page 794: Password Policies And Directory Servers

    Password policies applied to user accounts vary slightly from one directory server to another. Normally, only the password changing policies can be set by users through the directory server graphical user interface (GUI). Other policies accessible only to Network Administrators through the directory server GUI may include one or more of the following operational parameters.
  • Page 795: Directory Server Schema For Ldap Authentication

    Another auxiliary objectClass: password policy is used by the directory server to apply the password policy for the entire server. There is only one entry of this object for the database server. Note. Server schema extensions should be configured before the aaa ldap-server command is configured.
  • Page 796: Ldap Accounting Attributes

    The following fields (separated by carriage returns “|”) are contained in the Login log. Some fields are only used for Layer 2 Authentication. Fields Included For Any Type of Authentication •...
  • Page 797 The same fields as above (separated by carriage returns “|”) are contained in the Logout log. A different carriage return such as the # sign may be used in some situations. Additionally, these fields are included but apply only to the Logout log: Fields For Any Type of Authentication •...
  • Page 798: Dynamic Logging

    For example: -> aaa accounting session ldap2 rad1 rad2 In this example, server ldap2 will be used for dynamic logging, and servers rad1 and rad2 will be used for accounting. If you specify a RADIUS server first, all of the servers specified will be used for recording history records (not logging).
  • Page 799: Configuring The Ldap Authentication Client

    IP address, distinguished name, password, and the search base name are required for setting up the server. Optionally, a backup host name or IP address may be configured, as well as the number of retransmit tries, the timeout for authentication requests, and whether or not a Secure Socket Layer (SSL) is enabled between the switch and the server.
  • Page 800: Creating An Ldap Authentication Server

    -> aaa ldap-server ldap2 host 10.10.3.4 dn cn=manager password tpub base c=us In this example, the switch will be able to communicate with an LDAP server (called ldap2) that has an IP address of 10.10.3.4, a distinguished name of cn=manager, a password of tpub, and a search base of c=us. These parameters must match the same parameters configured on the server itself.
  • Page 801: Removing An Ldap Authentication Server

    Removing an LDAP Authentication Server To delete an LDAP server from the switch configuration, use the no form of the command with the relevant server name. -> no aaa ldap-server topanga5 The topanga5 server is removed from the configuration.
  • Page 802: Verifying the Authentication Server Configuration
  • Page 803: Chapter 36 Configuring Authenticated Vlans

    Authenticated VLANs control user access to network resources based on VLAN assignment and a user log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another type of security is device authentication, which is set up through the use of port-binding VLAN policies or static port assignment. See Chapter 8, “Defining VLAN...
  • Page 804: Authenticated Network Overview

    (Note that the local user database on the switch may not be used for Layer 2 authentication.) Backup servers may be configured for the authentication server.
  • Page 805 DHCP Server—A DHCP server can provide IP addresses to clients prior to authentication. After authentication, any client can obtain an IP address in an authenticated VLAN to which the client is allowed access. A relay to the server must be set up on the switch. See “Setting Up the DHCP Server”...
  • Page 806: Avlan Configuration Overview

    Set up authentication clients. See “Setting Up Authentication Clients” on page 36-7. Configure at least one authenticated VLAN. A router port must be set up in at least one authenticated VLAN for the DHCP relay. See “Configuring Authenticated VLANs” on page 36-26.
  • Page 807: Sample Avlan Configuration

    -> aaa avlan dns auth.company Set up a path to a DHCP server if users will be getting IP addresses from DHCP. The IP helper address is the IP address of the DHCP server; the AVLAN default DHCP address is the address of any router port configured on the VLAN.
  • Page 808 Enable authentication by specifying the authentication mode (single mode or multiple mode) and the server. Use the RADIUS or LDAP server name(s) configured in step 5. For example: -> aaa authentication vlan single-mode rad1 rad2 Set up an accounting server (for RADIUS or LDAP) for authentication sessions.
  • Page 809: Setting Up Authentication Clients

    Provide an IP address for the client. Telnet clients require an address prior to authentication. The address may be statically assigned if the authentication network is set up in single authority mode with one authenticated VLAN. The address may be assigned dynamically if a DHCP server is located in the network.
  • Page 810: Web Browser Authentication Client

    The label.txt file is available in the /flash/switch directory when you install the Ksecu.img file as described in the next section. The file may be edited with any text editor, and the format of the username and password prompts is as follows: Username="username_string"...
  • Page 811: Required Files For Web Browser Clients

    Installing Files for Mac OSX.1 Clients The installation must be done at the root. Root access is not automatic in OSX.1. A password must be set to activate it. Disconnect the Mac’s network connection before setting root access. Otherwise, the NetInfo Manager application in the Mac OS will send multiple DNS requests, and the process to set root access will take longer.
  • Page 812 To set up the Mac OSX.1 for authentication: In the browser URL command line, enter the DNS name configured on the switch (see the next section for setting up the DNS name for Mac OSX clients). The authentication page displays.
  • Page 813: Ssl For Web Browser Clients

    At this point, you can decide to do one of the following: • Ignore the certificate error message and continue on with the authentication process and subsequent browser activity. Note that by doing so, the certificate error message will always appear at the top of every browser window display; or, •...
  • Page 814: Dns Name And Web Browser Clients

    For Mac OSX.1 clients, the DNS name in the certificate must match the DNS name configured on the switch through the aaa avlan dns command. If the DNS names do not match, the Java applet in the client cannot be loaded and the client cannot authenticate. (For other clients, if the DNS names do not match, a warning will display when the client attempts to authenticate;...
  • Page 815: Installing The Av-Client

    (rather than IP) to communicate with the authentication agent in the switch. After authentication, the client may issue a DHCP release/renew request to get an IP address; a utility in the client software may be used to configure this automatic request. For information about configuring the utility, see “Configuring...
  • Page 816: Loading The Av-Client Software

    Note. Do not run the MSDLC32.EXE file in the Windows or Windows/System folders. If you downloaded the file to either of these locations, copy it to a temporary folder on your hard disk or copy it to an installation diskette before double-clicking on it.
  • Page 817 We recommend that you follow the instructions on the screen regarding closing all Windows programs before proceeding with the installation. Click on the Next button. The following window displays.
  • Page 818 This window gives you the option of restarting your PC workstation now, or later. You cannot use the AV-Client until you restart your computer. If you decide to restart now, be sure to remove any disks from their drives. Click the Finish button to end the installation procedure.
  • Page 819: Windows 95 And Windows 98

    Double-click the AV-Client icon. The installation routine begins and the following window displays: We recommend that you follow the instructions on the screen regarding closing all Windows programs before proceeding with the installation. Click on the Next button. The following window displays:...
  • Page 820 This window recommends that you read a text file included with the client before you exit the install shield. Click on the box next to “View the single sign-on Notes” to select this option. Click on the Finish button to end the installation process. Remember that you must restart your computer before you can run the AV-Client.
  • Page 821: Setting The Av-Client As Primary Network Login

    Select the “Client” from the list and click the Add button. The “Select Network Client Window” displays. You can click the Have Disk button, enter the correct path for your disk drive in the space provided and click OK. You can also browse to the directory where the AV-Client is installed and click OK. Select “Alcatel AVLAN Login Provider”.
  • Page 822 To set this option, access the AV-Client configuration utility and click the box next to the “Automatically log client off or NOS logoff” option. When the option activates, you then have the option of setting a time delay between the moment the user logs off the workstation and the moment the client logs out of server operations.
  • Page 823 The configuration utility includes a screen that lists each component, version and build date for the AV-Client. To view this screen, click on the Version tab and a screen similar to the following will display.
  • Page 824: Logging Into The Network Through An Av-Client

    Enter the password for this user in the “Password?” field. If the client is set up for basic dialog mode and the user enters the correct password, the user is authenticated. If the client is set up for extended mode, the user will be prompted to enter the VLAN ID and challenge.
  • Page 825: Logging Off The Av-Client

    Logging Off the AV-Client To log off the AV-Client, point your mouse to the AV-Client icon in your Windows system tray and execute a right-click to select Logoff. The following screen displays. To continue the procedure, click the Logoff button. The following screen indicates that the AV-Client is sending a logoff request to the authentication server.
  • Page 826: Configuring The Av-Client For Dhcp

    Note. A delay between DHCP release and client logoff is recommended because the DHCP server’s MAC address may be timed out in the AV-Client’s ARP table. If that is the case, the client must send an ARP packet to discover the DHCP server’s MAC address before it can send the release packet. If the logoff packet is sent to the switch before the release packet gets sent, then the IP address will never be released.
  • Page 827 Click the box next to “Enable DHCP Operations”. Several options will activate in the utility window as shown in the following screen. When you click on a box next to an option, the option is activated in the configuration window.
  • Page 828: Configuring Authenticated Vlans

    VLAN. For example: -> vlan 2 authentication enable Note that the specified VLAN (in this case, VLAN 2) must already exist on the switch. A router port must also be configured for the VLAN (with the interface command) so that a DHCP relay may be set up.
  • Page 829: Configuring Authentication Ip Addresses

    • The new IP address is an address that is local to the network segment on which the client is connected. The binding of the VLAN to the authentication IP address is to provide flexibility for the network administrator to assign a designated IP address for respective user network segments.
  • Page 830: Port Binding And Authenticated Vlans

    VLANs when device traffic coming in on an authenticated port matches criteria specified in the rule. You can globally enable the switch so that port binding rules may be enabled on any authenticated VLAN on the switch.
  • Page 831: Setting Up A Dns Path

    Setting Up a DNS Path A Domain Name Server (DNS) name may be configured so that Web browser clients may enter a URL on the browser command line instead of an authentication IP address. A Domain Name Server must be set up in the network for resolving the name to the authentication IP address.
  • Page 832: Enabling Dhcp Relay For Authentication Clients

    DHCP gateway must also be specified so that Telnet and Web browser clients can obtain IP addresses prior to authentication. See the next section for more information. If you want to specify that the relay only be used for packets coming in on an authenticated port, enter the ip helper avlan only command.
  • Page 833: Configuring A Dhcp Gateway For The Relay

    Telnet and Web browser clients can obtain IP addresses prior to authentication. This gateway is a router port in any of the authenticated VLANs in the network. It specifies the scope into which an authentication client receives an initial IP address. For example: ->...
  • Page 834: Configuring The Server Authority Mode

    If the authentication server is down, the first backup server is polled. The switch uses the first available server to attempt to authenticate the user. (If a match is not found on that server, the authentication attempt fails. The switch does not try the next server in the list.)
  • Page 835 For more information about setting up authentication servers, see Chapter 35, “Managing Authentication Servers.”) To disable authenticated VLANs, use the no form of the command. Note that the mode does not have to be specified. For example: -> no aaa authentication vlan
  • Page 836: Configuring Multiple Mode

    The server configured for that particular authenticated VLAN is polled for a match. (If the server is unavailable, the switch polls the first backup server, if one is configured.) If a match is not found on the first available server, the authentication attempt fails. If a match is found, the client’s MAC address is moved into that VLAN.
  • Page 837: Specifying Accounting Servers

    Chapter 46, “Using Switch Logging.” addition, the keyword local may be used so that logging will be done on the switch if the external server or servers become unavailable. If local is specified, it must be specified last in the list of servers.
  • Page 838: User Network Profile

    • The role name is a case-sensitive ASCII string. • If both a VLAN ID and a role name are returned by the RADIUS server, the VLAN associated with the role name takes precedence. • Multiple names can be mapped to the same VLAN.
  • Page 839: Verifying The Avlan Configuration

    Displays the current global configuration for authenticated VLANs. show aaa avlan auth-ip Displays the IP addresses for authenticated VLANs. For more information about these commands, see the OmniSwitch CLI Reference Guide.
  • Page 840: Verifying the AVLAN Configuration
  • Page 841: Chapter 37 Configuring 802.1X

    37 Configuring 802.1X Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may be authenticated by the switch through port-based network access control. This control is available through the IEEE 802.1X standard implemented on the switch.
  • Page 842: 802.1X Specifications

    IEEE 802.1X-2001–Standard for Port-based Network Access Control; 802.1X RADIUS Usage Guidelines. Platforms Supported: OmniSwitch 6400, 6800, 6850, 6855, and 9000. 802.1X Defaults The following table lists the defaults for 802.1X port configuration through the 802.1x command and the relevant command keywords: Description / Keyword / Default: Port control in both directions or incoming only.
  • Page 843: Quick Steps For Configuring 802.1X

    Quick Steps for Configuring 802.1X Configure the port as a mobile port and an 802.1X port using the following vlan port commands: -> vlan port mobile 3/1 -> vlan port 3/1 802.1x enable The port is set up automatically with 802.1X defaults.
  • Page 844 00:60:4f:11:22:33 Connecting user50 00:60:4f:44:55:66 Held user51 00:60:4f:77:88:99 Authenticated user52 00:60:22:15:22:33 Force-authenticated 00:60:22:44:75:66 Force-authenticated 00:60:22:37:98:09 Force-authenticated See the OmniSwitch CLI Reference Guide for information about the fields in this display.
  • Page 845: 802.1X Overview

    Supplicant Classification When an EAP frame or an unknown source data frame is received from a supplicant, the switch sends an EAP packet to request the supplicant’s identity. The supplicant then sends the information (an EAP response), which is validated on an authentication server set up for authenticating 802.1X ports. The server determines whether additional information (a challenge, or secret) is required from the supplicant.
  • Page 846: 802.1X Ports And Dhcp

    If the port is in a forced authorized state (manually set to authorized), any traffic, including DHCP, is allowed on the port. If the port is in an authorized state because a device has authenticated on the port, only traffic with an authenticated MAC address is allowed on the port. DHCP requests from the authenticated MAC address are allowed;...
  • Page 847: 802.1X Accounting

    802.1x client receives a new IP address. For example, when an 802.1x client first authenticates and requests an IP address or if an existing 802.1x client performs a release and renew operation to obtain a new IP address.
  • Page 848: Setting 802.1X Switch Parameters

    -> vlan port mobile 3/1 -> vlan port 3/1 802.1x enable The vlan port 802.1x command enables 802.1X on port 1 of slot 3. The port will be set up with defaults listed in “802.1X Defaults” on page 37-2.
  • Page 849: Configuring The Port Control Direction

    -> 802.1x 3/1 direction in In this example, the port control direction is set to incoming traffic only on port 1 of slot 3. The type of port control (or authorization) is configured with the port-control parameter described in the next section.
  • Page 850: Configuring The Maximum Number Of Requests

    In this example, the maximum number of requests that will be sent is three. Configuring the Number of Polling Retries To change the number of times a device is polled for EAP frames to determine whether or not the device is an 802.1x client, use the 802.1x supp-polling retry...
  • Page 851: Initializing An 802.1X Port

    This command initiates a re-authentication process for port 1 on slot 3. Initializing an 802.1X Port An 802.1X port may be reinitialized. This is useful if there is a problem on the port. The reinitialization process drops connectivity with the supplicant and forces the supplicant to be re-authenticated. Connectivity is restored with successful re-authentication.
  • Page 852: Verifying The 802.1X Port Configuration

    Verifying the 802.1X Port Configuration A summary of the show commands used for verifying the 802.1X port configuration is given here: 802.1x captive-portal address Displays information about ports configured for 802.1X. show 802.1x users Displays a list of all users (supplicants) for one or more 802.1X ports.
  • Page 853: In This Chapter

    Command Line Interface (CLI) if manual reconfiguration is necessary. For more details about the syntax of commands, see the OmniSwitch CLI Reference Guide. Throughout this chapter the term policy server is used to refer to LDAP directory servers used to store policies. Procedures described in this chapter include: •...
  • Page 854: Chapter 38 Managing Policy Servers

    Policy Server Specifications The following table lists important information about LDAP policy servers: RFCs Supported: RFC 2251–Lightweight Directory Access Protocol (v3); RFC 3060–Policy Core Information Model—Version 1 Specification. Platforms Supported: OmniSwitch 6400, 6800, 6850, 6855, and 9000...
  • Page 855: Policy Server Overview

    Policy Server Overview The Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP policy server client in the switch is based on RFC 2251. Currently, only LDAP servers are supported for policy management. When the policy server is connected to the switch, the switch is automatically configured to communicate with the server to download and manage policies created by the PolicyView application.
  • Page 856: Modifying Policy Servers

    To delete a policy server from the configuration, use the no form of the command with the relevant IP address: -> no policy server 10.10.2.3 If the policy server is not created on the default port, the no form of the command must include the port number. For example: -> no policy server 10.10.2.4 5000...
  • Page 857: Modifying The Port Number

    -> policy server 10.10.2.3 user kandinsky password blue If this command is entered, a user with a username of kandinsky and a password of blue will be able to access the LDAP server to modify parameters on the server itself.
  • Page 858: Configuring A Secure Socket Layer For A Policy Server

    A Secure Socket Layer (SSL) may be configured between the policy server and the switch. If SSL is enabled, the PolicyView application can no longer write policies to the LDAP directory server. By default, SSL is disabled. To enable SSL, use the policy server command with the ssl option. For example: ->...
  • Page 859: Interaction With Cli Policies

    CLI. Any policy management done through the CLI only affects policies configured through the CLI. For example, the qos flush command only removes CLI policies; LDAP policies are not affected. Also, the policy server flush command removes only LDAP policies; CLI policies are not affected.
  • Page 860: Verifying the Policy Server Configuration
  • Page 861: Chapter 39 Using Acl Manager

    Support for both standard and extended ACLs. • Creating ACLs on a single command line. • The ability to assign a name, instead of a number, to an ACL or a group of ACL entries. • Sequence numbers for named ACL statements. •...
  • Page 862: Aclman Defaults

    ACLMAN Defaults The following table shows the defaults for ACLs: Parameter / Command / Default: ACL disposition, default deny; Logging rate time interval (logging-rate), default 30 seconds.
  • Page 863: Quick Steps For Creating Acls

    Use the interface ethernet command to enter the Interface Configuration Mode for a specific ethernet switch port. To specify the switch port, enter the slot number followed by a slash and the port number on that slot (e.g. 3/1 specifies port 1 on slot 3).
  • Page 864: Quick Steps For Importing Acl Text Files

    Quick Steps for Importing ACL Text Files. The following steps provide a quick tutorial for importing text files that contain common industry syntax used to create ACLs: Activate the ACLMAN shell using the aclman CLI command.
  • Page 865: Aclman Overview

    The following industry ACL types and features are supported with this implementation of ACLMAN: • Standard ACL. This type of ACL compares the source address of a packet to the source address specified in the ACL. •...
  • Page 866: Acl Text Files

    Note that the write memory command triggers ACLMAN to save the running configuration to the aclman.cfg file. It is not possible to direct ACLMAN to write to any other file. Other text files are only read by ACLMAN and are never used to export information from the ACLMAN configuration.
  • Page 867: Using The Aclman Shell

    Aclman#(config)i Help is an available menu item in each of the shell command modes. In addition, help is also available by entering a question mark (?) at the command prompt or after entering a command parameter. For example:...
  • Page 868: Aclman Modes And Commands

    Access List Configuration Mode • Time Range Configuration Mode Privileged Exec Mode Commands Upon entering the interactive shell the Privileged Exec mode is automatically active. At this point the following commands are available: Command Description clear access-list counters [name | number] Resets the statistics counters to zero for the specified ACL.
  • Page 869: Global Configuration Mode Commands

    Global Configuration Mode Commands. The configure terminal command (Privileged Exec Mode) invokes the Global Configuration Mode. The following commands are available in this mode for configuring ACLs, interfaces, time ranges, and renumbering ACL entries: Command Description...
  • Page 870 {standard | extended} Use the no form of this command to remove a named access-list-name ACL. Note: It is possible to enter up to 64 characters for the ACL name (access-list-name). Examples: ip access-list standard TestACL1 ip access-list extended TestACL2...
  • Page 871: Interface Configuration Mode Commands

    Interface Configuration Mode Commands The interface command (Global Configuration Mode) invokes the Interface Configuration Mode, which is used to associate ACLs with switch interfaces. The following commands are available in this mode: Command Description ip access-group {number | name} {in | out} Associates the specified ACL number or name as an incoming or outgoing filter.
  • Page 872: Access List Configuration Mode Commands

    Access List Configuration Mode Commands. The ip access-list command (Global Configuration Mode) invokes the Access List Configuration Mode for the specified named ACL. The following commands are available in this mode: Command Description [sequence number] {permit | deny}...
  • Page 873 ACL. The optional sequence number parameter specifies {source source-wildcard | host address | any} the number assigned to the entry. If a number is not spec- [operator [port]] ified with this command, the next available number is {destination destination-wildcard | used.
  • Page 874: Time Range Configuration Mode Commands

    Time Range Configuration Mode Commands. The time-range command (Global Configuration Mode) invokes the Time Range Configuration Mode, which is used to configure a range of time in which an ACL is valid. The following commands are available in this mode:...
  • Page 875: Supported Protocols And Services

    When creating extended TCP ACLs, enter one of the following supported TCP service types for the required port parameter value. Note that using the port number to specify the service instead of the service name is also allowed. Supported TCP Service Parameters...
  • Page 876: Configuring Acls

    Both incoming and outgoing ACLs are supported on the same port. • If a wildcard mask is not specified for an IP address used in an ACL, the mask value defaults to 0.0.0.0...
  • Page 877: Configuring Numbered Standard And Extended Acls

    The access-list command in the Global Configuration Mode is used to create standard and/or extended ACLs that are associated with a number. The number associated with an ACL determines if the ACL is of the standard or extended type. The range of 1–99 and 1300–1999 is reserved for standard ACLs. For example, the following command creates a standard ACL: Aclman#(config)access-list 1 permit 10.0.0.0...
  • Page 878 To remove a numbered ACL, use the no form of the access-list command. Note that removing a single entry from a standard ACL is not allowed without deleting the entire ACL. To avoid having to re-enter an entire ACL each time a change is required, use one of the following configuration methods: •...
  • Page 879: Configuring Named Standard And Extended Acls

    172.10.5.0 0.0.255.255, is then added to the same ACL. Note that new entries are added to the end of the access list by default. However, it is possible to specify a sequence number with the new ACL statement to position the statement at a desired location within the ACL. For example,...
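    The following Python model is an added example, not code from this guide or from Alcatel-Lucent. It reproduces the ACLMAN behaviour described on the preceding pages so it can be checked offline: wildcard masks that default to 0.0.0.0 (an exact host match) when omitted, numbered ACLs whose number selects the standard or extended type, named ACLs with sequence-numbered entries, first-match evaluation, and the default deny disposition. The service-name table, the sequence step of 10 for entries added without a number, support for only the eq port operator, and treating numbers outside the standard ranges as extended are assumptions of the model rather than statements of the guide.

```python
"""Added example (not the switch's code): a small model of ACLMAN-style ACLs as
described in this chapter, so the effect of wildcard masks, entry order,
sequence numbers and the implicit default disposition can be checked offline."""
import ipaddress

DEFAULT_DISPOSITION = "deny"          # the ACLMAN default from the defaults table
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}
SERVICE_PORTS = {"telnet": 23, "www": 80, "ftp": 21, "smtp": 25}  # assumed subset


def acl_kind_for_number(number):
    """1-99 and 1300-1999 are reserved for standard ACLs (from the guide);
    treating every other number as extended is an assumption of this model."""
    return "standard" if 1 <= number <= 99 or 1300 <= number <= 1999 else "extended"


def wildcard_match(addr, base, wildcard="0.0.0.0"):
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored. An omitted
    wildcard defaults to 0.0.0.0, i.e. an exact host match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A W' | 'A' starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def _parse_port(tokens, i):
    """Optional port operator; only 'eq <number|service>' is modelled here."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else SERVICE_PORTS[p]), i + 2
    return None, i


class Acl:
    def __init__(self, name, kind):
        self.name, self.kind, self.entries = name, kind, []

    def add(self, statement):
        """'[seq] {permit|deny} ...' in standard or extended syntax. Without a
        sequence number the entry is appended; a step of 10 is assumed here.
        An entry re-using an existing sequence number replaces it (assumption)."""
        t = statement.split()
        if t[0].isdigit():
            seq, t = int(t[0]), t[1:]
        else:
            seq = max((e["seq"] for e in self.entries), default=0) + 10
        e = {"seq": seq, "action": t[0], "proto": "ip",
             "src": None, "sport": None, "dst": None, "dport": None}
        t, i = t[1:], 0
        if self.kind == "extended":
            e["proto"], i = t[0], 1
            e["src"], i = _parse_addr(t, i)
            e["sport"], i = _parse_port(t, i)
            e["dst"], i = _parse_addr(t, i)
            e["dport"], i = _parse_port(t, i)
        else:
            e["src"], i = _parse_addr(t, i)
        self.entries = sorted([x for x in self.entries if x["seq"] != seq] + [e],
                              key=lambda x: x["seq"])

    @staticmethod
    def _matches(e, pkt):
        proto = PROTO_NUMBERS[e["proto"]] if e["proto"] in PROTO_NUMBERS else int(e["proto"])
        if proto is not None and pkt.get("proto") != proto:
            return False
        for side in ("src", "dst"):
            if e[side] and not wildcard_match(pkt[side], *e[side]):
                return False
            port = e[side[0] + "port"]
            if port is not None and pkt.get(side[0] + "port") != port:
                return False
        return True

    def evaluate(self, pkt):
        """First matching entry wins; no match falls through to the default."""
        for e in self.entries:
            if self._matches(e, pkt):
                return e["action"], e["seq"]
        return DEFAULT_DISPOSITION, None


if __name__ == "__main__":
    # Constructed sample: the guide's 'access-list 1 permit 10.0.0.0' permits
    # only the host 10.0.0.0 because the omitted wildcard defaults to 0.0.0.0.
    acl1 = Acl("1", acl_kind_for_number(1))
    acl1.add("permit 10.0.0.0")
    print(acl1.evaluate({"src": "10.0.0.0"}), acl1.evaluate({"src": "10.1.2.3"}))
```

    The point worth checking in practice is the first call in the sample: an entry written without a wildcard matches a single host, so a statement intended to permit a whole network silently permits one address and everything else falls to the deny default.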
  • Page 880: Applying An Acl To An Interface

    Applying an ACL to an Interface The interface command in the Global Configuration Mode is used to apply an ACL as an incoming or outgoing filter to one or more switch interfaces. This command identifies the interface and then invokes the Interface Configuration Mode to associate ACLs with the specified interface.
  • Page 881: Importing Acl Text Files

    By default ACLMAN looks in the /flash directory on the switch for the filename specified with the import command. If the file is in any other directory, specify the path where the text file is located along with the filename. For example, the following command imports the ext_acl102 file located in the work-...
  • Page 882: Verifying The Aclman Configuration

    Verifying the ACLMAN Configuration To display information about ACLs configured through ACLMAN, use the following show commands in the Privileged Exec Mode. Note that these commands are specific to the ACLMAN shell interface and are not available through the Alcatel-Lucent CLI interface.
  • Page 883: Chapter 40 Configuring Qos

    The flow manipulation (generally referred to as Quality of Service or QoS) may be as simple as allowing/denying traffic, or as complicated as remapping 802.1p bits from a Layer 2 network to ToS values in a Layer 3 network.
  • Page 884: Qos Specifications

    The QoS functionality described in this chapter is supported on the OmniSwitch 6400, 6800, 6850, 6855, and 9000 switches, unless otherwise stated in the following QoS Specifications table or specifically noted within any other section of this chapter. Note that any maximum limits provided in the Specifications table are subject to available system resources.
  • Page 885: Qos General Overview

    Applying QoS to packet-switched networks requires different mechanisms than those used in circuit-switched networks. QoS is often defined as a way to manage bandwidth. Another way to handle different types of flows and increased bandwidth requirements is to add more bandwidth. But bandwidth can be expensive, particularly at the WAN connection.
  • Page 886: Qos Policy Overview

    PolicyView, see the PolicyView online help. How Policies Are Used When a flow comes into the switch, the QoS software in the switch checks to see if there are any policies with conditions that match the flow.
  • Page 887: Valid Policies

    “Action Combinations” on page 40-8. It is possible to configure a valid QoS rule that is active on the switch, however the switch is not able to enforce the rule because some other switch function (for example, routing) is disabled. See the condition and condition/action combinations tables for more information about valid combinations (“Condition...
  • Page 888: Condition Combinations

    Source and destination parameters can be combined in Layer 2, Layer 3, and Layer 4 conditions. • In a given rule, ToS or DSCP may be specified for a condition with priority specified for the action. • The Layer 1 destination port condition only applies to bridged traffic, not routed traffic. This restriction does not apply to the OmniSwitch 6800.
  • Page 889 IP Multicast (IGMP) *IP multicast traffic (not IGMP) is treated as regular traffic; QoS functionality works the same way with this type of traffic, with the exception that the destination port condition does not apply. OmniSwitch AOS Release 6 Network Configuration Guide...
  • Page 890: Action Combinations

    Gateway IP Mirroring Note that the minimum bandwidth action is not included in the list of actions because it is no longer supported on the OmniSwitch 6800 and is not supported on the OmniSwitch 6400, 6850, and 6855...
  • Page 891: Condition And Action Combinations

    Condition and Action Combinations. Conditions and actions are combined in policy rules. The CLI prevents you from configuring invalid condition/action combinations that are never allowed; however, the following table provides a quick reference for determining which condition/action combinations are not valid. Each row represents a policy condition or conditions combined with the policy action or actions in the same row.
  • Page 892: Qos Defaults

    QoS Defaults. The following tables list the defaults for global QoS parameters, individual port settings, policy rules, and default policy rules. Global QoS Defaults: use the qos reset command to reset global values to their defaults.
  • Page 893: Qos Port Defaults

    QoS Port Defaults. Use the qos port reset command to reset port settings to the defaults. The table lists each setting with its command/keyword and default: the default 802.1p value inserted into packets received on untrusted ports (qos port default 802.1p); the default DSCP value inserted...
  • Page 894: Policy Action Defaults

    Note that in the current software release, the deny and drop options produce the same effect; that is, the traffic is silently dropped. Note. There are no defaults for the policy condition command.
  • Page 895: Qos Configuration Overview

    For example, if you want to set up policies for 802.1p or ToS/DSCP traffic, you may want to configure all ports as trusted ports.
  • Page 896: Configuring Global Qos Parameters

    Note that if you set qos default bridged disposition to deny, you effectively drop all Layer 2 traffic that does not match any policy. If you want to create ACLs to allow some Layer 2 traffic through the switch, you must configure two rules for each type of Layer 2 traffic, one for source and one for destination. For more information about ACLs, see Chapter 41, “Configuring ACLs.”...
  • Page 897: Setting The Global Default Servicing Mode

    Automatic QoS prioritization refers to prioritizing certain subsets of switch traffic without having to configure a specific QoS policy to do the same for each type of traffic. This functionality is currently available for Network Management System (NMS) traffic and IP phone traffic. Note that automatic prioritization is not supported on the OmniSwitch 6800.
  • Page 898: Configuring Automatic Prioritization For Ip Phone Traffic

    In addition to prioritizing IP phone traffic, it is also possible to automatically prioritize non-IP phone traffic. This is done by adding up to four MAC addresses or four ranges of MAC addresses to the predefined QoS “alaPhone” MAC address group. See “Creating MAC Groups”...
  • Page 899: Configuring Quarantine Manager And Remediation

    Quarantined Page. When a client is quarantined and a remediation server URL is not configured, QMR can send a Quarantine Page to notify the client of its quarantined state. To enable or disable the sending of a Quarantine Page, use the qos quarantine page command.
  • Page 900 • Configuring QMR and QoS inner VLAN or inner 802.1p policies is mutually exclusive. QMR overlays the inner VLAN tag, thus creating a conflict with related QoS policies. This is also true with QMR and VLAN Stacking services. •...
  • Page 901: Using The Qos Log

    The QoS software in the switch creates its own log for QoS-specific events. You may modify the number of lines in the log or change the level of detail given in the log. The PolicyView application, which is used to create QoS policies stored on an LDAP server, may query the switch for log events; or log events can be immediately available to the PolicyView application via a CLI command.
  • Page 902: Log Detail Level

    QoS log. The qos log level command is associated with the qos debug command, which determines what kind of information will be included in the log. The default log level is 6. The range of values is 1 (lowest level of detail) to 9 (highest level of detail). For example: ->...
  • Page 903: Displaying The Qos Log

    Note that this is in addition to sending log events to a file in the flash file system of the switch. See the “Using Switch Logging” chapter in the OmniSwitch AOS Release 6 Network Configuration Guide for more information.
  • Page 904: Classifying Bridged Traffic As Layer 3

    • Bridged IP packets are prioritized based on ToS, not 802.1p. Note that Layer 3 ACLs then take effect on bridged IP traffic and Layer 2 ACLs take effect on routed traffic...
  • Page 905: Setting The Statistics Interval

    For a list of global defaults, see “QoS Defaults” on page 40-10. Note. The qos reset command only affects the global configuration. It does not affect any policy configuration. Verifying Global Settings...
  • Page 906: Qos Ports And Queues

    The egress priority of a packet is determined as follows: If a packet matches a QoS policy rule that sets a priority value, the egress priority for the packet is set using the value specified in the rule. If a packet ingressing on a trusted port does not match any QoS policy rule that sets the priority, then the egress priority for the packet is set using the existing DSCP value (IP packets), the existing 802.1p...
  • Page 907: Configuring Queuing Schemes

    Each queue can have a different weight value, and configuring these values in ascending or descending order is not required. When a queue is given a weight of 0, it is configured as a Strict-Priority queue.
  • Page 908: Configuring The Servicing Mode For A Port

    10=5120K, 11=10M, 12=20M, 13=40M, 14=80M, and 15=160M. For example, if the configured DRR queue weights are 1 1 2 2 3 3 4 4, queues 1 and 2 will service up to 10K each, queues 3 and 4 will service up to 20K each, queues 5 and 6 will service up to 40K each, and queues 7 and 8 will service up to 80K.
  • Page 909: Bandwidth Shaping

    • Once the qos port servicing mode command is used on a port, this same command is required to make any additional mode changes for that port. If the port is changed back to the default servicing mode, however, this restriction is removed and the qos default servicing mode command is also allowed on the port.
  • Page 910: Trusted And Untrusted Ports

    Note that on the OmniSwitch 6800, the 802.1p bit for tagged packets received on untrusted ports is set with the default 802.1p value. If the packet is untagged, however, then the DSCP bit is set with the default DSCP value.
  • Page 911: Using Trusted Ports With Policies

    802.1p bits. A policy condition (Traffic) is then created to classify traffic containing 802.1p bits set to 4 and destined for port 2 on slot 3. The policy action (SetBits) specifies that the bits will be reset to 7 when the traffic egresses the switch. A policy rule called Rule2 puts the condition and the action together.
  • Page 912: Verifying The Qos Port And Queue Configuration

    Displays information for all QoS queues or only those queues associated with a particular slot/port. See the OmniSwitch CLI Reference Guide for more information about the syntax and displays for these commands...
  • Page 913: Creating Policies

    View rather than the CLI. But a policy rule, policy action, or policy condition may only be modified through the source that created it. For example, if an action was created in PolicyView, it may be included in a policy rule configured through the CLI, but it cannot be modified through the CLI.
  • Page 914: Ascii-File-Only Syntax

    -> policy action A2 from ldap disposition accept The from option is configurable (for LDAP or CLI only) on the command line; however, it is not recommended that a QoS object’s origin be modified. The blt keyword indicates built-in; this keyword cannot be used on the command line.
  • Page 915: Creating Policy Conditions

    To create or modify a policy condition, use the policy condition command with the keyword for the type of traffic you want to classify, for example, an IP address or group of IP addresses. In this example, a condition (c3) is created for classifying traffic from source IP address 10.10.2.1: ->...
  • Page 916: Removing Condition Parameters

    To remove a policy condition, use the no form of the command. For example: -> no policy condition c3 The condition (c3) cannot be deleted if it is currently being used by a policy rule. If a rule is using the condition, the switch will display an error message. For example: ERROR: c3 is being used by rule ‘my_rule’...
  • Page 917: Removing Action Parameters

    To remove a policy action, use the no form of the command. -> no policy action a6 The action cannot be deleted if it is currently being used by a policy rule. If a rule is using the action, the switch will display an error message. For example: ERROR: a6 is being used by rule ‘my_rule’...
  • Page 918: Configuring A Rule Validity Period

    Information about using the policy rule command options is given in the next sections. Configuring a Rule Validity Period A validity period specifies the days and times during which a rule is in effect. By default there is no validity period associated with a rule, which means the rule is always active.
  • Page 919: Rule Precedence

    Note that if qos disable is entered, the rule will not be used to classify traffic even if the rule is enabled. For more information about enabling/disabling QoS globally, see “Enabling/Disabling QoS” on page 40-14. Rule Precedence The switch attempts to classify flows coming into the switch according to policy precedence.
  • Page 920: Logging Rules

    When logging is active for a policy rule, a logging interval is applied to specify how often to look for flows that match the policy rule. By default, the interval time is set to 30 seconds. To change the log interval time, use the optional interval keyword with the log option.
  • Page 921: Testing Conditions

    Inact field displays Yes). The rule my_rule5 has been configured since the last qos apply command was entered, as indicated by the plus (+) sign. The rule will not be used to classify traffic until the next qos apply. Only mac1 is actively being used on the switch to classify traffic.
  • Page 922 *No rule matched: (accept) The display shows Layer 2 or Layer 3 information, depending on what kind of traffic you are attempting to classify. In this example, the display indicates that the switch found a rule, yuba, to classify destination traffic with the specified Layer 2 information.
  • Page 923 Classify L3: *Matches rule ‘r1’: action a1 (drop) In this example, the display indicates that the switch found an applied rule, r1, to classify Layer 3 flows with the specified source and destination addresses. To activate any policy rules that have not been applied, use the qos apply command. To delete rules that have not been applied (and any other QoS configuration not already applied), use the qos revert command.
  • Page 924: Using Condition Groups In Policies

    Condition groups are made up of multiple IPv4 addresses, MAC addresses, services, or ports to which you want to apply the same action or policy rule. Instead of creating a separate condition for each address, etc., create a condition group and associate the group with a condition. Groups are especially useful when configuring filters, or Access Control Lists (ACLs);...
  • Page 925: Creating Network Groups

    IPv4 address(es) to be included in the group. Each IPv4 address should be separated by a space. A mask may also be specified for an address. If a mask is not specified, the address is assumed to be a host address.
  • Page 926: Creating Services

    Policy services are made up of TCP or UDP ports or port ranges. They include source or destination ports, or both, but the ports must be the same type (TCP or UDP). Mixed port types cannot be included in the same service.
  • Page 927: Creating Service Groups

    To remove a policy service, enter the no form of the command. -> no policy service ftp2 The ftp2 service is deleted from the configuration at the next qos apply if the service is not currently associated with a policy condition or a service group.
  • Page 928: Creating Mac Groups

    -> policy condition cond3 source mac group macgrp2 This command creates a condition called cond3 that may be used in a policy rule to classify traffic by source MAC addresses. The MAC addresses are specified in the MAC group. For more information about configuring conditions, see “Creating Policy Conditions”...
  • Page 929: Creating Port Groups

    This command specifies that MAC address 08:00:20:00:00:00 will be deleted from macgrp2 at the next qos apply. To delete a MAC group, use the no form of the policy mac group command with the relevant MAC group name. The group must not be associated with any policy condition. For example: ->...
  • Page 930: Port Groups And Maximum Bandwidth

    This command specifies that port 2/1 will be deleted from the techpubs port group at the next qos apply. To delete a port group, use the no form of the policy port group command with the relevant port group name. The port group must not be associated with any policy condition. For example: ->...
  • Page 931 -> policy rule PortRule condition Ports action MaxBw In this example, if both ports 1 and 2 are active ports, the 10000 bps maximum bandwidth is shared by both ports. In other words, maximum bandwidth policies for port groups define a maximum bandwidth value that is a total bandwidth amount for all ports, not an amount for each port.
  • Page 932: Verifying Condition Group Configuration

    Indicates the policy object is pending deletion. Indicates that the policy object differs between the pend- ing/applied objects. In the example shown here, netgroup1 is a new network group that has not yet been applied to the config- uration. -> show policy network group...
  • Page 933: Using Map Groups

    Using Map Groups. Map groups are used to map 802.1p, ToS, or DSCP values to different values. The following mapping scenarios are supported: • 802.1p to 802.1p, based on Layer 2, Layer 3, and Layer 4 parameters and source/destination slot/port.
  • Page 934: How Map Groups Work

    3 (the map group does not specify any mapping for a value of 3). If the incoming 802.1p value is 4, the value will be mapped to 5. If the incoming 802.1p value is 5 or 6, the value will be mapped to 7.
  • Page 935: Verifying Map Group Configuration

    To delete a map group, use the no form of the policy map group command. The map group must not be associated with a policy action. For example: -> no policy map group tosGroup If tosGroup is currently associated with an action, an error message similar to the following will display:...
  • Page 936: Applying The Configuration

    Any parameters configured without this command are maintained for the current session but are not yet activated. For example, if you configure a new policy rule through the policy rule command, the switch cannot use it to classify traffic and enforce the policy action until the qos apply command is entered.
  • Page 937: Deleting The Pending Configuration

    Flushing the Configuration In some cases, you may want to remove all of your rules and start over again. To completely erase pending policies from the configuration, use the qos flush command. For example: -> qos flush If you then enter qos apply, all policy information will be deleted.
  • Page 938: Interaction With Ldap Policies

    Interaction With LDAP Policies. The qos apply, qos revert, and qos flush commands do not affect policies created through the PolicyView application. Separate commands are used for loading and flushing LDAP policies on the switch. See Chapter 35, “Managing Authentication Servers,”...
  • Page 939: Policy Applications

    QoS parameters to the traffic. Classifying traffic may be as simple as identifying a Layer 2 or Layer 3 address of an incoming flow. Treating the traffic might involve prioritizing the traffic or rewriting an IP address. How the traffic is...
  • Page 940: Basic Qos Policies

    Basic QoS Policies Traffic prioritization and bandwidth shaping may be the most common types of QoS policies. For these policies, any condition may be created; the policy action indicates how the traffic should be prioritized or how the bandwidth should be shaped.
  • Page 941: Bandwidth Shaping Example

    10.10.4.0 will be given the highest priority. Bandwidth Shaping Example In this example, a specific flow from a source IP address is sent to a queue that will support its maximum bandwidth requirement.
  • Page 942: Policy Based Mirroring

    -> policy action REDIRECTLA redirect linkagg 10 -> policy rule L4LARULE condition L4LACOND action REDIRECTLA Note that in both examples above, the rules are not active on the switch until the qos apply command is entered on the command line.
  • Page 943: Icmp Policy Example

    “Configuring the Egress Queue Minimum/Maximum Bandwidth” on page 40-27. In this example, a policy rule (marking) is set up to mark flows from 10.10.3.0 with an 802.1p value of 5: -> policy condition my_condition source ip 10.10.3.0 mask 255.255.255.0 -> policy action my_action 802.1p 5 ->...
  • Page 944: Policy Based Routing

    OmniSwitch 6400, 6850, 6855, and 9000 switches; it is not available on the OmniSwitch 6800 switch. Note. When a PBR QoS rule is applied to the configuration, it is applied to the entire switch, unless you specify a built-in port group in the policy condition.
  • Page 945 Note that the functionality of the firewall is important. In the example, the firewall is sending the traffic to be routed remotely. If you instead set up a firewall to send the traffic back to the switch to be routed, you should set up the policy condition with a built-in source port group so that traffic coming back from the firewall will not get looped and sent back out to the firewall.
  • Page 946 Using a Built-In Port Group In this scenario, traffic from the firewall is sent back to the switch to be re-routed. But because the traffic re-enters the switch through a port that is not in the Slot01 port group, the traffic does not match the Redirect_All policy and is routed normally through the switch.
  • Page 947: Chapter 41 Configuring Acls

    ACLs are sometimes referred to as filtering lists. ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is specified in the policy condition. The policy action determines whether the traffic is allowed or denied. For detailed descriptions about configuring policy rules, see Chapter 40, “Configuring QoS.”...
  • Page 948: Acl Specifications

    The QoS/ACL functionality described in this chapter is supported on the OmniSwitch 6400, 6800, 6850, 6855, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted within any other section of this chapter. Note that any maximum limits provided in the Specifications table are subject to available system resources.
  • Page 949: Acl Defaults

    0 (lowest) Note that in the current software release, the deny and drop options produce the same effect; that is, that traffic is silently dropped. For more information about QoS defaults in general, see Chapter 40, “Configuring QoS.”...
  • Page 950: Quick Steps For Creating Acls

    Set the global disposition for bridged or routed traffic. By default, all flows that do not match any policies are allowed on the switch. Typically, you may want to deny traffic for all Layer 3 flows that come into the switch and do not match a policy, but allow any Layer 2 (bridged) flows that do not match policies. For example: ->...
  • Page 951: Acl Overview

    When traffic arrives on the switch, the switch checks its policy database to attempt to match Layer 2 or Layer 3/4 information in the protocol header to a filtering policy rule. If a match is found, it applies the relevant disposition to the flow. Disposition determines whether a flow is allowed or denied. There is a global disposition (the default is accept), and individual rules may be set up with their own dispositions.
  • Page 952: How Precedence Is Determined

    Rule Precedence The switch attempts to classify flows coming into the switch according to policy precedence. Only the rule with the highest precedence will be applied to the flow. This is true even if the flow matches more than one rule.
  • Page 953: Acl Configuration Overview

    41-4. Setting the Global Disposition By default, flows that do not match any policies are accepted on the switch. You may configure the switch to deny any flow that does not match a policy. Note. The global disposition setting applies to all policy rules on the switch, not just those that are configured for ACLs.
  • Page 954: Creating Condition Groups For Acls

    Important. If you set the global bridged disposition (using the qos default bridged disposition command) to deny or drop, the switch drops all Layer 2 traffic that does not match a policy that accepts it. You must create policies (one for source and one for destination) to allow traffic on the switch.
  • Page 955: Creating Policy Conditions For Acls

    The condition also specifies that the port group is a source group. Any traffic coming in on ports 1 or 2 on slot 3, port 3 on slot 4, or port 4 on slot 5 will match condition c2.
  • Page 956: Creating Policy Actions For Acls

    Creating Policy Actions For ACLs A policy action for IP filtering specifies a disposition, that is, whether the flow is accepted or denied on the switch. To create a policy action, use the policy action command. Use the disposition keyword to define whether the flow is accepted (accept) or denied (deny).
  • Page 957: Creating Policy Rules For Acls

    Creating Policy Rules for ACLs A policy rule is made up of a condition and an action. For example, to create a policy rule for filtering IP addresses, which is a Layer 3 ACL, use the policy rule command with the condition and action keywords.
  • Page 958: Layer 2 Acl Example

    Address1, which is a condition for a policy rule called FilterA. FilterA is then applied to the flow. Since FilterA has an action (BlockTraffic) that is set to deny traffic, the flow would be denied on the switch.
  • Page 959: Layer 3 Acl: Example 1

    Traffic with a source IP address of 192.68.82.0, a source IP port of 23, using protocol 6, will match condition addr2, which is part of FilterL31. The action for the filter (Block) is set to deny traffic. The flow will be dropped on the switch.
  • Page 960: Multicast Filtering Acls

    -> policy condition c2 tos 7 ipv6 In the above example, c1 is an IPv4 condition and c2 is an IPv6 condition. ACLs that use c1 are considered IPv4 policies; ACLs that use c2 are considered IPv6 policies. In addition, consider the following examples: ->...
  • Page 961 For example, if a destination port is specified, a destination port group cannot be specified in the same condition. To filter multicast clients, specify the multicast IP address, which is the address of the multicast group or stream, and specify the client IP address, VLAN, MAC address, or slot/port. For example: ->...
  • Page 962: Using Acl Security Features

    UserPorts—A port group that identifies its members as user ports to prevent source address spoofing of IP and ARP traffic (per RFC 2267). When a port is configured as a member of this group, packets received on the port are dropped if they contain a source IP address that does not match the IP subnet for the port.
  • Page 963: Configuring Userport Traffic Types And Port Behavior

    -> qos user-port shutdown bpdu Note that an SNMP trap is sent whenever a user port shutdown occurs. To enable a port disabled by a user port shutdown operation, use the...
  • Page 964: Configuring A Bpdushutdownports Group

    -> qos apply When the above steps are performed, an implicit ACL is created on the switch that applies to all VLANs. This internal ACL takes precedence over any other policies configured on the switch. Configuring a BPDUShutdownPorts Group To block BPDUs on certain ports, add the desired ports to a port group called BPDUShutdownPorts.
  • Page 965: Configuring Icmp Drop Rules

    -> policy condition c1 tcpflags all f s mask f s a In this example, a match must occur on all the flags or the packet is not allowed. If the optional command keyword any was used, then a match need only occur on any one of the flags. For example, the following condition specifies that either the A (ack) bit or the R (rst) bit must equal one: ->...
  • Page 966: Verifying The Acl Configuration

    Configuring ACLs Note that if a flag is specified on the command line after the any or all keyword, then the match value is one. If the flag only appears as part of the mask, then the match value is zero. See the...
  • Page 967 Both my_rule5 and mac1 are displayed here because they are active; however, my_rule5 is a pending rule and will not be used to classify traffic until the qos apply command is entered. See the OmniSwitch CLI Reference Guide for more information about the output of these commands.
  • Page 968: Acl Application Example

    ACL Application Example In this application for IP filtering, a policy is created to deny Telnet traffic from the outside world to an engineering group in a private network. [Figure: OmniSwitch between the Public Network and the Private Network (Engineering)]
  • Page 969: In This Chapter

    Destination hosts signal their intent to receive a specific IP multicast stream by sending a request to do so to a nearby switch by using Internet Group Management Protocol (IGMP). This is referred to as IGMP Snooping.
  • Page 970 Note. You can also configure and monitor IPMS with WebView, Alcatel-Lucent’s embedded Web-based device management application. WebView is an interactive and easy-to-use GUI that can be launched from OmniVista or a Web browser. Please refer to WebView’s online documentation for more information on configuring and monitoring IPMS/IPMSv6 with WebView.
  • Page 971: Ipms Specifications

    IGMP Last Member Query Interval 1 to 65535 in tenths of seconds IPMSv6 Specifications The table below lists specifications for Alcatel-Lucent’s IPMSv6 software. RFCs Supported RFC 2710 — Multicast Listener Discovery for IPv6 RFC 3019 — IPv6 MIB for Multicast Listener Discovery Protocol RFC 3810 —...
  • Page 972: Ipms Default Values

    IPMS Default Values The table below lists default values for Alcatel-Lucent’s IPMS software. (Columns: Parameter Description, Command, Default Value/Comments.) Administrative Status, ip multicast status, disabled. IGMP Querier Forwarding, ip multicast querier-forwarding, disabled. IGMP Version...
  • Page 973: Ipmsv6 Default Values

    IPMSv6 Default Values The table below lists default values for Alcatel-Lucent’s IPMSv6 software. (Columns: Parameter Description, Command, Default Value/Comments.) Administrative Status, ip multicast helper-address, disabled. MLD Querier Forwarding, ipv6 multicast querier-forwarding, disabled. MLD Version...
  • Page 974: Ipms Overview

    Configuring IP Multicast Switching IPMS Overview A multicast group is defined by a multicast group address, which is a Class D IP address in the range 224.0.0.0 to 239.255.255.255. (Addresses in the range 239.0.0.0 to 239.255.255.255 are reserved for boundaries.) The multicast group address is indicated in the destination address field of the IP header. (See “Reserved IP Multicast Addresses”...
  • Page 975: Reserved Ip Multicast Addresses

    IGMP reports from attached networks. The IGMP reports signal that users want to join a multicast group. If there is more than one IP multicast router in the network, the router with the lowest IP address is elected as the querier router, which is responsible for querying the subnetwork for group members.
  • Page 976: Dvmrp

    Wide Area Networks (WANs). PIM-DM packets are transmitted on the same socket as PIM-SM packets as both use the same protocol and message format. Unlike PIM-SM, in PIM-DM there are no periodic joins transmitted; only explicitly triggered prunes and grafts.
  • Page 977: Configuring Ipms On A Switch

    Note. If IP Multicast switching and routing is enabled on the system, the VLAN configuration overrides the system’s configuration. Enabling IP Multicast Status To enable IP Multicast switching and routing on the system if no VLAN is specified, use the ip multicast status command as shown below: ->...
  • Page 978: Enabling And Disabling Igmp Querier-Forwarding

    You can enable the IGMP querier-forwarding by entering ip multicast querier-forwarding followed by the enable keyword. For example, to enable the IGMP querier-forwarding on the system if no VLAN is specified, you would enter: -> ip multicast querier-forwarding enable You can also enable the IGMP querier-forwarding on the specified VLAN by entering: ->...
  • Page 979: Configuring The Igmp Version

    You can also change the IGMP protocol version on the specified VLAN by entering: -> ip multicast vlan 5 version 1 Restoring the IGMP Version To restore the IGMP protocol version to its default (i.e., IGMPv2) version on the system if no VLAN is specified, use the ip multicast version command as shown below: ->...
  • Page 980: Removing An Igmp Static Neighbor

    Configuring IP Multicast Switching Removing an IGMP Static Neighbor To reset the port so that it is no longer an IGMP static neighbor port, use the no form of the ip multicast static-neighbor command by entering no ip multicast static-neighbor followed by vlan, a space, VLAN number, a space, followed by port, a space, the slot number of the port, a slash (/), and the port number.
  • Page 981: Configuring An Igmp Static Group

    (which must be between 0 and 4095), a space, followed by port, a space, the slot number of the port, a slash (/), and the port number. For example, to configure an IGMP static member with an IP address of 225.0.0.1 on port 10 in slot 3 with designated VLAN 3 you would enter: ->...
  • Page 982: Modifying Ipms Parameters

    You can also modify the IGMP query interval on the specified VLAN by entering: -> ip multicast vlan 2 query-interval 60 Restoring the IGMP Query Interval To restore the IGMP query interval to its default (i.e., 125 seconds) value on the system if no VLAN is specified, use the ip multicast query-interval command by entering: ->...
  • Page 983: Configuring The Igmp Last Member Query Interval

    Modifying IPMS Parameters Configuring the IGMP Last Member Query Interval You can modify the IGMP last member query interval from 1 to 65535 in tenths of seconds by entering ip multicast last-member-query-interval followed by the new value. For example, to set the IGMP last member query interval to 60 tenths-of-seconds on the system if no VLAN is specified, you would enter: ->...
  • Page 984: Restoring The Igmp Query Response Interval

    You can also modify the IGMP router timeout on the specified VLAN by entering: -> ip multicast vlan 2 router-timeout 360 Restoring the IGMP Router Timeout To restore the IGMP router timeout to its default (i.e., 90 seconds) value on the system if no VLAN is specified, use the ip multicast router-timeout command by entering: ->...
  • Page 985: Modifying The Source Timeout

    You can modify the source timeout from 1 to 65535 seconds by entering ip multicast source-timeout followed by the new value. For example, to set the source timeout to 360 seconds on the system if no VLAN is specified, you would enter: ->...
  • Page 986: Enabling And Disabling Igmp Querying

    Configuring the IGMP Robustness variable You can modify the IGMP robustness variable from 1 to 7 on the system if no VLAN is specified, by entering ip multicast robustness followed by the new value. For example, to set the value of IGMP robustness to 3 you would enter: ->...
  • Page 987: Restoring The Igmp Robustness Variable

    Modifying IPMS Parameters Note. If the links are known to be lossy, then robustness variable can be set to a higher value (7). You can also modify the IGMP robustness variable from 1 to 7 on the specified VLAN by entering: ->...
  • Page 988: Enabling And Disabling The Igmp Zapping

    -> ip multicast vlan 2 spoofing To restore IGMP spoofing to its default setting (i.e., disabled), you can remove an IGMP spoofing entry on the specified VLAN and return to its default behavior by entering: -> no ip multicast vlan 2 spoofing Enabling and Disabling the IGMP Zapping By default, IGMP zapping (i.e., processing membership and source filter removals immediately without...
  • Page 989: Limiting Igmp Multicast Groups

    By default there is no limit on the number of IGMP groups that can be learned on a port/vlan instance. A maximum group limit can be set on a port, VLAN or on a global level to limit the number of IGMP groups that can be learned.
  • Page 990: Ipmsv6 Overview

    IPMSv6 Overview An IPv6 multicast address identifies a group of nodes. A node can belong to any number of multicast groups. IPv6 multicast addresses are classified as fixed scope multicast addresses and variable scope multicast addresses. (See the “Reserved IPv6 Multicast Addresses”...
  • Page 991: Reserved Ipv6 Multicast Addresses

    MLD Version 2 MLD is used by IPv6 systems (hosts and routers) to report their IPv6 multicast group memberships to any neighboring multicast routers. MLD Version 1 (MLDv1) handles forwarding by IPv6 multicast destination addresses only. MLD Version 2 (MLDv2) handles forwarding by source IPv6 addresses and IPv6 multicast destination addresses.
  • Page 992: Configuring Ipmsv6 On A Switch

    Note. See the “IP Multicast Switching Commands” chapter in the OmniSwitch CLI Reference Guide for complete documentation of IPMSv6 CLI commands. Enabling and Disabling IPv6 Multicast Status IPv6 Multicast is disabled by default on a switch. The following subsections describe how to enable and disable IPv6 Multicast by using the ip multicast helper-address command.
  • Page 993: Enabling And Disabling Mld Querier-Forwarding

    Configuring the MLD Version 2 To change the MLD version to Version 2 (MLDv2) on the system if no VLAN is specified, use the ipv6 multicast version command as shown below: -> ipv6 multicast version 2...
  • Page 994: Restoring The Mld Version 1

    VLAN number (which must be between 0 and 4095), a space, followed by port, a space, the slot number of the port, a slash (/), and the port number. For example, to configure port 10 in slot 4 with designated VLAN 2 as an MLD static neighbor you would enter: ->...
  • Page 995: Removing An Mld Static Neighbor

    VLAN number, a space, followed by port, a space, the slot number of the port, a slash (/), and the port number. For example, to remove port 10 in slot 4 with designated VLAN 2 as a static querier you would enter: ->...
  • Page 996: Configuring An Mld Static Group

    -> ipv6 multicast static-group ff05::6 vlan 2 port 7 Removing an MLD Static Group To reset the port so that it is no longer an MLD static group port, use the no form of the ipv6 multicast static-group command by entering no ipv6 multicast static-group, followed by the IPv6...
  • Page 997: Modifying Ipmsv6 Parameters

    You can also modify the MLD query interval on the specified VLAN by entering: -> ipv6 multicast vlan 2 query-interval 160 Restoring the MLD Query Interval To restore the MLD query interval to its default (i.e., 125 seconds) value on the system if no VLAN is specified, use the ipv6 multicast query-interval command by entering: ->...
  • Page 998: Restoring The Mld Last Member Query Interval

    Modifying IPMSv6 Parameters Configuring IP Multicast Switching Restoring the MLD Last Member Query Interval To restore the MLD last member query interval to its default (i.e., 1000 milliseconds) value on the system if no VLAN is specified, use the ipv6 multicast last-member-query-interval command by entering: ->...
  • Page 999: Modifying The Mld Router Timeout

    You can also modify the MLD router timeout on the specified VLAN by entering: -> ipv6 multicast vlan 2 router-timeout 360 Restoring the MLD Router Timeout To restore the MLD router timeout to its default (i.e., 90 seconds) value on the system if no VLAN is specified, use the ipv6 multicast router-timeout command by entering: ->...
  • Page 1000: Configuring The Source Timeout

    You can modify the source timeout from 1 to 65535 seconds by entering ipv6 multicast source-timeout followed by the new value. For example, to set the source timeout to 360 seconds on the system if no VLAN is specified, you would enter: ->...