Summary of Contents for FoxGate S6424-S2C2 series

  • Page 2: Table Of Contents

    Content: 1. LOGGING IN ETHERNET SWITCH (16); 1.1 Set up Configuration Environment via Console Port (16); 1.2 Set up Configuration Environment through Telnet (18); 1.2.1 Connect PC to Ethernet Switch through Telnet (18); 1.2.2 Telnet Ethernet Switch through Ethernet Switch (19); 2.
  • Page 3 Content: 4. ETHERNET PORT CONFIGURATION (34); 4.1 Ethernet Port Overview (34); 4.1.1 Link Type of Ethernet Ports (34); 4.1.2 Configuring Default VLAN ID for Ethernet Port (34); 4.1.3 Handling packets (34); 4.2 Configure Ethernet Port (35); 4.2.1 Basic Ethernet Port Configuration ...
  • Page 4 Content: 7.2 Redundancy of Interconnected Device (56); 7.3 Load-balancing Policy (56); 7.4 Link Aggregation Configuration (56); 7.4.1 Configuring a Static Aggregation Group (56); 7.5 Configuring a Dynamic LACP Aggregation Group (57); 7.6 Displaying and Maintaining Link Aggregation Configuration (58); 7.7 LACP Configuration Example ...
  • Page 5 Content: 11. GVRP CONFIGURATION (72); 11.1 Brief Introduction to GVRP (72); 11.2 Configuring GVRP (73); 11.2.1 Brief Introduction to GVRP Configuration (73); 11.2.2 Startup GVRP (73); 11.3 Configuring VLAN Forwarded by GVRP (73); 11.3.1 Displaying and Debugging (74); 11.3.2 GVRP Configuration Examples ...
  • Page 6 Content: 13.2.11 Configuring Port of Dropped Query Packets or Not (91); 13.2.12 Configuring Port of Discarded Packets Report or Not (91); 13.2.13 Configuring Multicast Preview (91); 13.2.14 Configuring Profile of Black and White List (92); 13.2.15 Displaying and Maintenance of IGMP Snooping (92); 13.3 IGMP Snooping Configuration Examples ...
  • Page 7 Content: 17. DHCP OPTION 82 (115); 17.1 Introduction to option 82 supporting (115); 17.2 DHCP Option82 Configuration (115); 17.2.1 Enable DHCP Option82 (115); 17.2.2 Displaying and Debugging DHCP Option82 (116); 18. ACL CONFIGURING (117); 18.1 Brief Introduction to ACL ...
  • Page 8 Content: 20. QOS CONFIGURATION (129); 20.1 Brief Introduction to QoS (129); 20.1.1 Traffic (129); 20.1.2 Traffic Classification (129); 20.1.3 Priority (130); 20.1.4 Access Control List (132); 20.1.5 Packet Filtration (132); 20.1.6 Flow Monitor (132); 20.1.7 Interface Speed Limitation ...
  • Page 9 Content: 21.4.1 RSTP Configuration Task List (149); 21.4.2 Enable RSTP (150); 21.4.3 Configure STP Bridge Priority (150); 21.4.4 Configure Time Parameter (150); 21.4.5 Configure STP Path Cost (151); 21.4.6 Configure STP Port Priority (151); 21.4.7 Configure STP Mcheck ...
  • Page 10 Content: 23.3.5 Active Topology (182); 23.3.6 A topology Change (182); 23.3.7 MST and SST Compatibility (183); 23.4 Configuring MSTP (183); 23.4.1 Configuring MSTP Task (183); 23.4.2 Enabling MSTP (184); 23.4.3 Configuring MSTP Timer Parameter Values (184); 23.4.4 Configuring MSTP Identifier ...
  • Page 11 Content: 25.4.1 Use Default Key (198); 25.4.2 Use Loaded Key (199); 26. CONFIGURATION FILE MANAGEMENT (201); 26.1 Introduction to Configuration File (201); 26.2 Configuration File-Related Operations (201); 27. BOOTROM AND HOST SOFTWARE LOADING (204); 27.1 Introduction to Loading Approaches ...
  • Page 12 Content: 29.3.1 Basic Maintenance (224); 29.3.2 Access-Limit Management (225); 29.3.3 Telnet Client (225); 29.3.4 Cpu-Alarm (225); 29.3.5 Mail-Alarm (226); 29.3.6 Anti-Dos Attack (226); 29.3.7 Displaying System Status (226); 30. LLDP CONFIGURATION (228); 30.1 LLDP Protocol Overview ...
  • Page 13 Content: 32.2 Flex Links Configuration (243); 32.2.1 Flex Links Configuration Tasks (243); 32.2.2 Configure Flex Links group (243); 32.2.3 Configure Flex Links preemption mode (244); 32.2.4 Configure Flex Links Preemption Delay (244); 32.2.5 Configure Flex links MMU (245); 32.2.6 Flex Links Monitor and Maintenance ...
  • Page 14 Content: 35.2 Mac Address Authentication Configuration (264); 35.2.1 AAA-Related Configuration (264); 35.2.2 Enabling Configuration (265); 35.2.3 Off Assembly Line Testing Configuration (265); 35.2.4 Silent Timer Configuration (266); 35.2.5 Mac-vlan Configuration Functions (266); 35.2.6 Guest-vlan Configuration Functions (267); 35.2.7 Configuring User Features ...
  • Page 15 Content: 39.2 Storm-control Configuration (277); 39.2.1 Configure Storm-control (277); 39.2.2 Storm-control Monitor and Maintenance (277); 40. MLD SNOOPING (278); 40.1 MLD Snooping Overview (278); 40.2 Configuring MLD Snooping (278); 40.2.1 MLD Snooping Configuration Task List (278); 40.2.2 Start MLD Snooping ...
  • Page 16: Logging In Ethernet Switch

    Chapter 1. Logging in Ethernet Switch. This chapter describes how to connect to the switch and configure it, either via the console port or through Telnet. It contains the following sections: Set up Configuration Environment via the Console Port; Set up Configuration Environment through Telnet; Telnet Ethernet Switch through Ethernet Switch. Note that Telnet carries the username, password and the whole session in cleartext, so Telnet access should be confined to a dedicated management VLAN or network that untrusted hosts cannot reach; use the console port where that isolation cannot be guaranteed. 1.1 Set up Configuration Environment via...
  • Page 17 Logging in Ethernet Switch: Figure 1-2 Set up new connection; Figure 1-3 Configure the port for connection; Figure 1-4 Set communication parameters...
  • Page 18: Set Up Configuration Environment Through Telnet

    Step 3: Power on the Ethernet switch. It displays its self-test information and, once you have entered the correct username and password, prompts you to press Enter to reach the command line prompt (such as < >). The initial username is admin and the initial password is admin. Change this default password before the switch is attached to a production network: the pair is publicly documented and the login is reachable over Telnet from any host on the management VLAN.
  • Page 19: Telnet Ethernet Switch Through Ethernet Switch

    Step 3: Run Telnet on the PC and enter the IP address of the VLAN interface to which the PC's port belongs. Figure 1-6 Run Telnet. Step 4: The terminal displays "Username (1-32 chars):" and prompts for the login username and password.
  • Page 20 Logging in Ethernet Switch: ...Figure 1-7), you can run the telnet command to log in to and configure another Ethernet switch (the Telnet Server in Figure 1-7). Figure 1-7 Provide Telnet Client service (Telnet Client and Telnet Server). Step 1: Configure an IP address for the switch acting as Telnet Client in Figure 1-7. For configuring the switch via the console, see Set up Configuration Environment via the Console Port;...
  • Page 21: Command Line Interface

    Chapter 2. Command Line Interface. This chapter describes the command line interface (CLI) used to configure the switch. It contains the following sections: Introduction of CLI; CLI mode; Feature and functions of CLI; Symbols in command; Parameters in command. 2.1 Introduction of Command Line Interface...
  • Page 22 Command Line Interface: ...tools (such as ping and tracert), the command for switching the user-interface language (language-mode), the telnet command, and the display and debugging commands, which are used for system maintenance and service fault diagnosis.
  • Page 23 Command Line Interface: SuperVLAN-interface Configuration Mode; RIP Configuration Mode; OSPF Configuration Mode; PIM Configuration Mode. The following table describes the function of each configuration mode and how to enter and quit it. Table 2-1 Function feature of Command Configuration Mode (columns: Mode, Function, Prompt, Command)...
  • Page 24: Feature And Functions Of Command Line

    VLAN interface configuration mode: configures parameters for a VLAN interface; prompt Switch(config-if-vlanInterface-22)#; entered by keying in interface vlan-interface 22 in global configuration mode; exit returns to global configuration mode and quit disconnects. The same page lists the VLAN and aggregation configuration modes. SuperVLAN configuration mode: configures the switch's SuperVLAN; prompt Switch(conf...; entered by keying in interface supervlan...
  • Page 25: Displaying Characteristics Of Command Line

    List the associated arguments for a keyword: keyword ?
      Switch(config)#spanning-tree forward-time ?
      INTEGER<4-30> switch delaytime: <4-30>(second)
    Note: To switch the above information to Chinese, run terminal language {chinese | english} in privileged mode. 2.3.2 Displaying Characteristics of Command Line. The command line interface provides the following display characteristics: For users'...
  • Page 26: Common Command Line Error Messages

    Note: Cursor keys can be used to retrieve history commands in the Windows 9X/2000/XP Terminal and in Telnet. 2.5 Common Command Line Error Messages. A command is executed only if it passes the syntax check; otherwise the CLI reports one of the error messages below.
  • Page 27: Parameter In Command

    Nonprinting characters, such as passwords or tabs, are shown in angle brackets (< >). 2.7 Parameter in Command. There are five types of parameters: Integer: two numbers in angle brackets (<>) joined by a hyphen (-) mean that the parameter is an integer within that range, inclusive.
  • Page 28: Manage Users

    Chapter 3. Manage Users. There are three kinds of users: Super-administrator, Administrator and Normal user. A normal user enters only user mode after logging in and can therefore only view basic operation and statistics information; an administrator can enter each configuration mode to view and manage the system;...
  • Page 29: User's Authentication

    If the privilege level is not specified, the user defaults to a normal user. The system holds up to 8 users. Caution: passwords are case-sensitive; usernames are not. Example: ! Create administrator "FoxGate" with password admin and privilege level 3
      Switch(config)#username FoxGate privilege 3 password 0 admin...
    The example reuses the default password admin; give every account a distinct password that is not the factory default.
  • Page 30: Change Password

    3.3.2 Change Password. In global configuration mode, the Super-administrator "admin" can change the password of any user; other administrators can change only their own password, and normal users cannot change theirs at all. Enter global configuration mode (see the first two steps of Table 3-1) before following the steps below: Table 3-2 Modify password. Step...
  • Page 31: Delete User

    Example: ! Modify the privilege of the existing user "admin" to 1 and its password to 1234
      Switch(config)#username FoxGate privilege 0 password 0 1234
    The comment and the command on this page disagree: the comment refers to user "admin" and privilege 1, while the command shown sets user "FoxGate" to privilege 0. Verify the resulting privilege level of the account you changed before relying on it. 3.3.4 Delete User. Only the Super-administrator "admin" can add and delete users, in global configuration mode.
  • Page 32: Remote Authentication Configuration

    3.4 Remote Authentication Configuration. 3.4.1 Configure RADIUS to Be Remote Authentication Server. Table 3-6 Configure RADIUS remote authentication: Enter global configuration: configure terminal. Enable RADIUS remote authentication: muser radius name {chap|pap} [local] (selected; if "local" is configured, local authentication is used when remote authentication fails)...
  • Page 33 Manage Users: Table 3-7 Configure TACACS+ remote authentication: Enable TACACS+ authorization/accounting: muser tacacs+ {account [local] | author [local] | local} (selected; if local is configured, local authentication is used when remote authentication fails; by default, local authentication is used). Configure TACACS+ server: tacacs+ { priamary | secondary } server... The page does not say whether "fails" covers only an unreachable server or also a rejected login. The difference matters: if local accounts are consulted after the server rejects a credential, an account disabled on the RADIUS/TACACS+ server can still log in with its local password. Test the behaviour with a known-bad credential while the server is reachable, and keep the local passwords as strong as the remote ones.
  • Page 34: Ethernet Port Configuration

    Chapter 4. Ethernet Port Configuration. This chapter describes the types of interfaces on the switch and how to configure them. 4.1 Ethernet Port Overview. 4.1.1 Link Type of Ethernet Ports. An Ethernet port can operate in one of three link types: Access: an access port belongs to only one VLAN and is normally used to connect a user device.
  • Page 35: Configure Ethernet Port

    Ethernet Port Configuration 4.2 Configure Ethernet Port Ethernet port configuration includes: Basic Ethernet Port Configuration Combo port Enable/disable ingress filtering Acceptable-frame type for Ethernet port Enable/Disable Flow Control for Ethernet Port Display and Debug Ethernet Port 4.2.1 Basic Ethernet Port Configuration Basic Ethernet port configuration includes: Enter interface configuration mode Enter interface range mode...
  • Page 36 Ethernet Port Configuration: Table 4-3 Enter interface range mode: configure terminal (enter global configuration mode); interface range interface-list (enter interface range configuration mode). Example: ! Put interfaces Ethernet 0/0/1 to Ethernet 0/0/16 into one interface range.
      Switch(config)#interface range ethernet 0/0/1 to ethernet 0/0/16
      Switch(config-if-range)#
    4.2.1.3 Configure Port Mode...
  • Page 37 Ethernet Port Configuration: 4.2.1.4 Configure Default VLAN. Table 4-5 Configure default VLAN: configure terminal (enter global configuration mode); interface ethernet device-num/slot-num/port-num (enter interface configuration mode); switchport default vlan vlan_id (modify the port's default VLAN). Example: ! The first four ports (e0/0/1 to e0/0/4) connect to different servers, which must be isolated from each other.
  • Page 38 Ethernet Port Configuration:
      e0/0/2 down false auto
      e0/0/3 down false auto
      e0/0/4 down false auto
      Total entries: 4.
    4.2.1.5 Add Port to VLAN. You can add the current Ethernet port to a specific VLAN so that the port forwards packets of that VLAN.
  • Page 39: Combo Port

    4.2.1.6 Basic Port Configuration. The following basic port configurations are made in interface configuration mode. Table 4-7 Basic port configuration: shutdown (disable the port; the port is enabled by default; use no shutdown to re-enable it).
  • Page 40: Acceptable-Frame Type For Ethernet Port

    ...function is disabled and the VLAN the packet belongs to exists. Perform the following configuration in global configuration mode. Table 4-8 Enable/disable ingress filtering: ingress filtering (enable); no ingress filtering (disable). Leave ingress filtering enabled on host-facing ports: with it disabled, a tagged frame for any VLAN that exists on the switch is accepted regardless of the port's own VLAN membership, so a host can inject traffic into VLANs it was never assigned to simply by tagging its frames.
  • Page 41: Enable/Disable Flow Control For Ethernet Port

      Switch(config-if-ethernet-0/0/5)#no ingress acceptable-frame
      Config acceptable-frame type successfully!
    4.6 Enable/Disable Flow Control for Ethernet Port. After flow control is enabled on both the local and the peer switch, when congestion occurs on the local switch it tells its peer to pause sending; once the peer receives this message it pauses sending, and vice versa.
  • Page 42 If both port type and port number are specified, the command displays information about that port only. Example: ! Show the description of all ports
      Switch(config-if-ethernet-0/0/1)#show description interface
      Port      description
      e0/0/1    test
      e0/0/2
      e0/0/3    FoxGate
      e0/0/4
      e0/0/5
      ……...
  • Page 43 Ethernet Port Configuration: ! Show interface Ethernet 0/0/5
      Switch(config-if-ethernet-0/0/1)#show interface ethernet 0/0/5
      Ethernet e0/0/5 is enabled, port link is down
      Hardware is Fast Ethernet, Hardware address is 00:0a:5a:11:b5:71
      SetSpeed is auto, ActualSpeed is unknown, porttype is 10/100/1000M
      Priority is 0
      Flow control is disabled
      PVID is 1
      Port mode:hybrid...
  • Page 44 Ethernet Port Configuration:
      Switch(config-if-ethernet-0/0/1)#show statistics dynamic interface
      Port Statistics Sat Jan 1 00:39:37 2000
      port    link   Tx Pkt Count  Tx Byte Count  Rx Pkt Count  Rx Byte Count  Bcast  Mcast
      ===================================================================
      e0/0/1  down   0
      e0/0/2  down   0
      e0/0/3  down   0
      e0/0/4  down   0
      e0/0/5  down   0
      e0/0/6  down   0...
    The timestamp shows the unset factory clock (1 Jan 2000); set the switch clock before comparing its statistics or logs with those of other devices.
  • Page 45 Ethernet Port Configuration:
      e0/0/8 down, e0/0/9 down, e0/0/10 down, e0/0/11 down, e0/0/12 down, e0/0/13 down, e0/0/14 down, e0/0/15 down, e0/0/16 down, e0/0/17 down
      ====spacebar->toggle screen U->page up D->page down CR->exit====
    ! Clear interface statistics
      Switch(config-if-ethernet-0/0/1)#clear interface
      clear current port statistics information record successfully!
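The ingress rules spread over pages 34 to 41 (link type, default VLAN/PVID, acceptable-frame type and ingress filtering) combine into one decision per frame. The following Python is an added example written for this page, not FoxGate code: it parses the 802.1Q tag of a constructed frame and applies a port policy the way the manual describes, with one weak and one hardened access-port policy to show why the two settings matter. The port names, MAC addresses and policies are constructed for the example.

```python
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier


@dataclass(frozen=True)
class PortPolicy:
    """Per-port ingress settings in the manual's terms (constructed, not read from a switch)."""
    name: str
    link_type: str                   # "access", "trunk" or "hybrid" (page 34)
    pvid: int = 1                    # default VLAN; every port is in VLAN 1 by default (page 69)
    member_vlans: frozenset = frozenset({1})
    acceptable_frame: str = "all"    # "all", "tagged" or "untagged" (pages 40-41)
    ingress_filtering: bool = True   # page 40


def build_frame(dst: bytes, src: bytes, payload: bytes, vid=None, ethertype=0x0800, pcp=0) -> bytes:
    """Constructed Ethernet frame; adds an 802.1Q tag when vid is given (vid 0 = priority tag)."""
    tag = b""
    if vid is not None:
        tag = struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes):
    """Return the VID of a tagged frame, 0 for a priority-tagged frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def classify(port: PortPolicy, frame: bytes, existing_vlans) -> tuple:
    """Decide whether a frame is accepted on ingress and which VLAN it is placed in.

    Returns (accepted, vlan_id, reason). The order follows the manual: acceptable-frame
    type first, PVID classification for untagged frames, then the membership check, with
    ingress filtering deciding what happens to a tagged frame of a non-member VLAN.
    """
    vid = parse_vid(frame)
    tagged = vid not in (None, 0)   # a VID-0 priority tag carries no VLAN: treat as untagged
    if tagged and port.acceptable_frame == "untagged":
        return False, None, "tagged frame dropped: acceptable-frame untagged"
    if not tagged and port.acceptable_frame == "tagged":
        return False, None, "untagged frame dropped: acceptable-frame tagged"
    if not tagged:
        return True, port.pvid, "untagged frame classified to PVID"
    if vid in port.member_vlans:
        return True, vid, "tagged frame: port is a member of the VLAN"
    if port.ingress_filtering:
        return False, None, "tagged frame dropped by ingress filtering"
    if vid in existing_vlans:
        return True, vid, "tagged frame accepted: ingress filtering off and VLAN exists"
    return False, None, "tagged frame dropped: VLAN does not exist"


# Constructed sample: a host on access port e0/0/1 (VLAN 10) tags its own frames with VLAN 20.
HOST = bytes.fromhex("000a5a11b571")
GW = bytes.fromhex("000a5a010203")
EXISTING_VLANS = frozenset({1, 10, 20})
WEAK_ACCESS = PortPolicy("e0/0/1", "access", pvid=10, member_vlans=frozenset({10}),
                         acceptable_frame="all", ingress_filtering=False)
HARD_ACCESS = PortPolicy("e0/0/1", "access", pvid=10, member_vlans=frozenset({10}),
                         acceptable_frame="untagged", ingress_filtering=True)
TRUNK = PortPolicy("e0/0/24", "trunk", pvid=1, member_vlans=frozenset({1, 10, 20}),
                   acceptable_frame="tagged", ingress_filtering=True)

HOPPING_FRAME = build_frame(GW, HOST, b"\x00" * 46, vid=20)
UNTAGGED_FRAME = build_frame(GW, HOST, b"\x00" * 46)

if __name__ == "__main__":
    for port in (WEAK_ACCESS, HARD_ACCESS, TRUNK):
        for label, frame in (("tagged VLAN 20", HOPPING_FRAME), ("untagged", UNTAGGED_FRAME)):
            print(port.name, port.link_type, label, "->", classify(port, frame, EXISTING_VLANS))
```

With the weak policy the host's VLAN 20 frame is accepted into VLAN 20, because ingress filtering is off and VLAN 20 exists; the hardened policy rejects it at the acceptable-frame check and would also drop it through ingress filtering. Access ports that face hosts should carry both settings; trunk ports keep ingress filtering on and accept only the VLANs they are members of.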
  • Page 46: Ethernet Port Mirroring Configuration

    Chapter 5. Ethernet Port Mirroring Configuration. 5.1 Configure Ethernet Port Mirroring. 5.1.1 Overview. Mirroring copies packets that meet the specified rules to a destination port. The destination port is usually connected to a capture device, which lets you analyze the mirrored packets for monitoring and troubleshooting. Whatever is plugged into the destination port receives full copies of the mirrored traffic, including credentials carried by cleartext protocols such as Telnet, so treat the destination port as sensitive and shut it down (shutdown) when no capture device is attached.
  • Page 47: Configuring Port Mirroring

    Note: a mirror (destination) port cannot be used as a normal port. 5.1.3 Configuring port mirroring. Table 5-1 Mirroring functions and related commands: Traffic mirroring (mirrored-to / no mirrored-to, under QoS configuration); Port mirroring (mirror destination-interface / mirror source-interface, under Configuring Port Mirroring)...
  • Page 48 Ethernet Port Mirroring Configuration: link-group { acl-number | acl-name } [ subitem subitem ]: specifies a Layer 2 ACL. acl-number ranges from 4000 to 4999; acl-name is a string that starts with a letter and contains no spaces or quotation marks; subitem optionally selects one rule of the ACL, in the range 0 to 127.
  • Page 49 Ethernet Port Mirroring Configuration: ! Mirror CPU traffic in both directions to Ethernet 0/1/2
      Switch(config)#mirror destination-interface ethernet 0/1/2
      Config monitor port successfully !
      Switch(config)#mirror source-interface cpu both
      Config mirrored port successfully !
  • Page 50: Configuring Port Utilization Alarm

    Chapter 6. Configuring Port Utilization Alarm. 6.1 Brief Introduction to Device Utilization Alarm. The device utilization alarm monitors port bandwidth and CPU occupation and raises an alarm on congestion, so that the administrator is aware of the running status of the network and the device.
  • Page 51: Displaying And Debugging Device Utilization Alarm

    Table 6-2 Configuring CPU utilization alarm: configure terminal (enter global configuration mode); cpu utilization alarm (enable or disable the CPU alarm; required); cpu threshold {busy threshold | unbusy threshold} (configure the congestion alarm value; optional). 6.2.3 Displaying and Debugging Device Utilization Alarm. After finishing the above configuration, you can show it with the commands below.
  • Page 52: Link Aggregation Configuration

    Link Aggregation Configuration Chapter 7. Link Aggregation Configuration 7.1 Overview 7.1.1 Introduction to Link Aggregation Link aggregation means aggregating several ports together to form an aggregation group, so as to implement outgoing/incoming load sharing among the member ports in the group and to enhance the connection reliability.
  • Page 53: Introduction To Lacp

    7.1.2 Introduction to LACP. The purpose of the link aggregation control protocol (LACP) is to implement dynamic link aggregation and disaggregation. The protocol is based on IEEE 802.3ad and uses LACPDUs (link aggregation control protocol data units) to interact with its peer. Once LACP is enabled on a port, the port sends its peer the following information in LACPDUs: the priority and MAC address of this system, and the priority, number and operation key (the so-called O-Key) of the port.
  • Page 54: Dynamic Lacp Aggregation Group

    7.1.4.2 Port status of static aggregation group. A port in a static aggregation group is in only one state, on, meaning the port must send and receive packets. A static aggregation group holds at most 8 ports.
  • Page 55 Link Aggregation Configuration: ...the port IDs of the preferred device (that is, the device with the smaller system ID). The negotiation procedure is: 1) Compare the device IDs (system priority + system MAC address) of the two parties: first the two system priorities, then the two system MAC addresses if the priorities are equal.
  • Page 56: Redundancy Of Interconnected Device

    7.2 Redundancy of Interconnected Device. LACP provides a link redundancy mechanism that keeps the redundancy state of two interconnected devices consistent; the redundant link is chosen by system and port priority, which the user can configure. The steps are as follows: Step 1 Selection reference.
  • Page 57: Configuring A Dynamic Lacp Aggregation Group

    Table 7-1 Configure a manual aggregation group: channel-group channel-group-number (create a static aggregation group; channel-group-number ranges from 0 to 12; if the group already exists, go to step 2). channel-group load-balance {dst-ip|dst-mac|src-dst-ip|src-dst-mac|src-ip|src-mac} (configure the load-balancing policy)...
  • Page 58: Displaying And Maintaining Link Aggregation Configuration

    ...policy dst-mac|src-ip|src-mac}. lacp system-priority priority (configure the system priority; priority ranges from 1 to 65535, default 32768). 4(1) interface ethernet interface_num (enter interface configuration mode for the port you want to add to the aggregation group). 4(2) Enter interface...
  • Page 59: Lacp Configuration Example

    7.7 LACP Configuration Example. I. Network requirements: as shown in Figure 7-2, the link between switch-A and switch-B should be more reliable, and the two switches should load-balance across it. II. Network diagram: Figure 7-2 LACP network diagram. III. Configuration procedure...
  • Page 60 Link Aggregation Configuration:
      switch-B(config)#lacp system-priority 2048
      switch-B(config)#interface range ethernet 0/0/3 to ethernet 0/0/4
      switch-B(config-if-range)#lacp port-priority 256
      switch-B(config-if-range)#exit
    Add port members for channel-group 1. Static:
    #Configure switch-A
      switch-A(config)#interface range ethernet 0/0/1 to ethernet 0/0/2
      switch-A(config-if-range)#channel-group 1 mode on
      Remember to re-config mac-addresses associated with port e0/0/1
      Remember to re-config mac-addresses associated with port e0/0/2
    #Configure switch-B
      switch-B(config)#interface range ethernet 0/0/3 to ethernet 0/0/4...
  • Page 61 Link Aggregation Configuration:
      Channel: 1, static channel
      Port     State  A-Key  O-Key  Priority  Logic-port  Actor-state
      e0/0/1   bndl
      e0/0/2   bndl
      actor-state: activity/timeout/aggregation/synchronization collecting/distributing/defaulted/expired
    #show lacp internal of switch-A
      switch-A(config-if-range)#show lacp internal
      Load balance: src-dst-mac
      Channel: 1, dynamic channel
      Port     State  A-Key  O-Key  Priority  Logic-port  Actor-state
      e0/0/1...
  • Page 62 Link Aggregation Configuration:
      Local Port   Partner        Timeout  Nei-state
      e0/0/1       000a5a020305   82(90)   00111100
      e0/0/2       000a5a020305   80(90)   00111100
      nei-state: activity/timeout/aggregation/synchronization collecting/distributing/defaulted/expired
    #Show LACP neighbor of switch-B
      switch-B(config-if-range)#show lacp neighbor
      Channel: 1
      Local Port   Partner        Timeout  Nei-state
      e0/0/3       000a5a010203   71(90)   10111100
      e0/0/4       000a5a010203   69(90)   10111100
      nei-state: activity/timeout/aggregation/synchronization collecting/distributing/defaulted/expired
    3) Show system ID...
  • Page 63 Link Aggregation Configuration: Delete channel-group
    #Configure switch-A
      switch-A(config)#no channel-group 1
    #Configure switch-B
      switch-B(config)#no channel-group 1...
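Two parts of this chapter are easier to reason about in code: the system-ID comparison on page 55 (system priority first, MAC address as tie-breaker, smaller wins, and the winner's port IDs decide which ports aggregate), and the eight-digit actor-state/nei-state strings printed by show lacp on pages 61 and 62. The following Python is an added example for this page, not FoxGate's implementation. It takes the system priority 2048 and port priority 256 of switch-B and the two MAC addresses from the neighbor output on page 62; ports e0/0/5 and e0/0/6, the is_forwarding reading of a state string, and the 8-port limit for the dynamic case are assumptions.

```python
from dataclasses import dataclass

# Flag order exactly as the switch prints it under actor-state / nei-state (pages 61-62).
STATE_FLAGS = ("activity", "timeout", "aggregation", "synchronization",
               "collecting", "distributing", "defaulted", "expired")


def decode_state(bits: str) -> dict:
    """Decode an 8-character state string such as '00111100' into named flags."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("LACP state must be 8 binary digits")
    return {name: ch == "1" for name, ch in zip(STATE_FLAGS, bits)}


def is_forwarding(bits: str) -> bool:
    """Assumed reading of a healthy member: synchronised, collecting and distributing,
    and neither running on defaulted partner information nor expired."""
    s = decode_state(bits)
    return (s["synchronization"] and s["collecting"] and s["distributing"]
            and not s["defaulted"] and not s["expired"])


@dataclass(frozen=True)
class LacpSystem:
    name: str
    mac: str                 # e.g. "00:0a:5a:01:02:03"
    priority: int = 32768    # lacp system-priority, 1-65535, default 32768 (page 58)

    def __post_init__(self):
        if not 1 <= self.priority <= 65535:
            raise ValueError("system priority out of range")

    @property
    def system_id(self) -> tuple:
        # Priority is compared first; the MAC address only breaks a tie (page 55).
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class LacpPort:
    name: str
    number: int
    priority: int = 32768    # lacp port-priority

    @property
    def port_id(self) -> tuple:
        return (self.priority, self.number)


def preferred_system(a: LacpSystem, b: LacpSystem) -> LacpSystem:
    """The device with the smaller system ID decides which ports aggregate."""
    return a if a.system_id <= b.system_id else b


def select_ports(ports, max_active: int = 8):
    """Order the preferred device's ports by port ID and split them into active and
    standby members. max_active=8 is the static-group limit on page 54; the manual
    does not state the dynamic-group limit, so using it there is an assumption."""
    ordered = sorted(ports, key=lambda p: p.port_id)
    return ([p.name for p in ordered[:max_active]],
            [p.name for p in ordered[max_active:]])


# switch-B: lacp system-priority 2048 (page 60); MACs as shown by 'show lacp neighbor' (page 62).
SWITCH_A = LacpSystem("switch-A", "00:0a:5a:01:02:03")                 # default priority 32768
SWITCH_B = LacpSystem("switch-B", "00:0a:5a:02:03:05", priority=2048)
SWITCH_B_PORTS = [LacpPort("e0/0/3", 3, priority=256), LacpPort("e0/0/4", 4, priority=256),
                  LacpPort("e0/0/5", 5), LacpPort("e0/0/6", 6)]       # e0/0/5-6 are constructed

if __name__ == "__main__":
    print("preferred:", preferred_system(SWITCH_A, SWITCH_B).name)
    print("active/standby:", select_ports(SWITCH_B_PORTS, max_active=2))
    print("switch-A sees partner state", decode_state("00111100"))
```

The two neighbor views on page 62 decode consistently: switch-A reports its partner with activity 0, switch-B reports its partner with activity 1, i.e. switch-A is the actively negotiating side and both ends show synchronization, collecting and distributing set. A port whose partner state lacks those three bits, or has defaulted or expired set, is in the group on paper but not carrying traffic.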
  • Page 64: Port Isolation Configuration

    Port Isolation Configuration Chapter 8. Port Isolation Configuration 8.1 Introduction to Port Isolation To implement Layer 2 isolation, you can add different ports to different VLANs. However, this will waste the limited VLAN resource. With port isolation, the ports can be isolated within the same VLAN.
  • Page 65: Port-Isolation Monitor And Maintenance

    8.2.2 Port-isolation Monitor and Maintenance. After finishing the above configuration, you can check it with the command below. Table 8-2 Port-isolation monitor and maintenance: show isolate-port (show the isolate-port configuration; available in any configuration mode). 8.3 Port-isolation Configuration Example. 8.3.1 Port-isolation Configuration Example. I.
  • Page 66: Vlan Configuration

    VLAN Configuration Chapter 9. VLAN Configuration 9.1 VLAN Overview Virtual Local Area Network (VLAN) groups the devices of a LAN logically but not physically into segments to implement the virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, which was intended to standardize VLAN implementation solutions. Through VLAN technology, network managers can logically divide the physical LAN into different broadcast domains.
  • Page 67: Vlan Principles

    VLAN Configuration specific hosts. When the physical position of a host changes within the range of the VLAN, you need not change its network configuration. 9.2 VLAN Principles VLAN tags in the packets are necessary for the switch to identify packets of different VLANs.
  • Page 68: Q Vlan

    VLAN Configuration 9.3 802.1Q VLAN 9.3.1 VLAN Link Type of Ethernet Ports An Ethernet port can operate in one of the three link types: Access: An access port only belongs to one VLAN, normally used to connect user device. Trunk: A trunk port can belong to more than one VLAN. It can receive/send packets from/to multiple VLANs and is generally used to connect another switch.
  • Page 69: Vlan Configuration

    Chapter 10. VLAN Configuration. 10.1 Default VLAN Configuration. Table 10-1 Default VLAN configuration: Existing VLAN: VLAN 1 (vlan-id ranges from 1 to 4,094; VLAN 1 is the default VLAN of all ports). VLAN description: 1 to 32 characters.
  • Page 70: Delete Port Members From Vlan

    10.3 Delete Port Members from VLAN. Perform the following commands in privileged mode. Table 10-3 Delete port members from a VLAN: configure terminal (enter global configuration mode); vlan vlan-list (enter VLAN configuration mode); no switchport { all | ethernet port_list } (delete port members from the VLAN)...
  • Page 71 VLAN Configuration: Figure 10-1 Networking diagram. Networking configuration:
    ! Create VLAN 2 and enter it.
      Switch(config)# vlan 2
    ! Add Ethernet 0/0/1 and Ethernet 0/0/2 to VLAN 2.
      Switch(config-if-vlan)#switchport ethernet 0/0/1 ethernet 0/0/2
    ! Create VLAN 3 and enter it.
      Switch(config)# vlan 3
    ! Add Ethernet 0/0/3 and Ethernet 0/0/4 to VLAN 3.
  • Page 72: Gvrp Configuration

    Chapter 11. GVRP Configuration. 11.1 Brief Introduction to GVRP. 1. GARP: the Generic Attribute Registration Protocol (GARP) provides a mechanism for participants in a GARP application to distribute, propagate and register, with the other participants in a bridged LAN, attributes specific to that application, such as VLAN or multicast address attributes.
  • Page 73: Configuring Gvrp

    GVRP Configuration network. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices. 11.2 Configuring GVRP 11.2.1 Brief Introduction to GVRP Configuration Table 11-1 GVRP configuration...
  • Page 74: Displaying And Debugging

    Table 11-3 Configure VLAN forwarded by GVRP: configure terminal (enter global configuration mode); garp permit vlan vlan-list (configure the VLANs forwarded by GVRP; required). Because GVRP registers VLANs learned from neighbouring devices, any device on a GVRP-enabled port can cause VLANs to appear on this switch; enable gvrp only on ports that connect to switches you administer and keep garp permit vlan limited to the VLANs that are meant to propagate. 11.3.1 Displaying and Debugging. After completing the above configuration, you can show it with the commands below.
  • Page 75 GVRP Configuration:
      Switch(config)#gvrp
      Turn on GVRP successfully.
      Switch(config)#garp permit vlan 2,3,4
      Switch(config)#interface e 0/0/1
      Switch(config-if-ethernet-0/0/1)#gvrp
      Switch(config-if-ethernet-0/0/1)#exit
    !Verify GVRP configuration
      Switch(config)#show gvrp
      GVRP state : enable
      Switch(config)#show gvrp interface ethernet 0/0/1
      port     GVRP status
      e0/0/1   enable
      Total entries: 1.
      Switch(config)#show garp permit vlan
      VLAN 1 is Garp default permit VLAN
      Other Garp permit VLAN : 2-4
      ***************************************************************...
  • Page 76 GVRP Configuration:
      Switch(config)#show gvrp
      GVRP state : enable
      Switch(config)#show gvrp interface ethernet 0/0/2 ethernet 0/0/3
      port     GVRP status
      e0/0/2   enable
      e0/0/3   enable
      Total entries: 2.
      Switch(config)#show garp permit vlan
      VLAN 1 is Garp default permit VLAN
      Other Garp permit VLAN : 5-6
      ***************************************************************
    !Configure S3
      ***************************************************************...
  • Page 77 GVRP Configuration:
      Other Garp permit VLAN : 7-8
      ***************************************************************
    After finishing the configuration, you can show the VLANs to check the VLAN registration information learned by GVRP.
    !VLANs 5, 6, 7 and 8 are learned by GVRP when showing the VLAN information of S1
      Switch(config)#show vlan
      show VLAN information
      VLAN ID :
      VLAN status : static...
  • Page 78 GVRP Configuration:
      Static untagged Ports :
      Dynamic tagged ports :
      show VLAN information
      VLAN ID :
      VLAN status : dynamic
      VLAN member : e0/0/1
      Static tagged ports :
      Static untagged Ports :
      Dynamic tagged ports : e0/0/1
      show VLAN information
      VLAN ID :
      VLAN status : dynamic
      VLAN member : e0/0/1...
  • Page 79: Arp Configuration

    ARP Configuration Chapter 12. ARP Configuration 12.1 ARP Overview 12.1.1 ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the data link layer address (such as the MAC address) of the destination host.
  • Page 80: Arp Message Format

    ARP Configuration Figure 12-1 ARP address resolution process When Host A and Host B are not on the same subnet, Host A first sends an ARP request to the gateway. The destination IP address in the ARP request is the IP address of the gateway. After obtaining the MAC address of the gateway from an ARP reply, Host A encapsulates the packet and sends it to the gateway.
  • Page 81: Configuring Arp Attack Spoofing

    ARP Configuration value of the hardware address length field is "6”. For an IP(v4) address, the value of the protocol address length field is “4”. OP: Operation code. This field specifies the type of ARP message. The value “1” represents an ARP request and “2” represents an ARP reply. Sender hardware address: This field specifies the hardware address of the device sending the message.
  • Page 82: Configuring Anti-Spoofing

    ARP Configuration S6424-S2C2 switches provide an active ARP anti-spoofing defense function. In practical applications, when hosts on the network communicate for the first time, the switch records an ARP table entry that binds the sender IP address, MAC address, VID and port carried in the message. To prevent the above-mentioned ARP attacks, the S6424-S2C2 provides a comprehensive ARP attack protection solution.
  • Page 83: Configuring Arp Packet Source Mac Address Consistency Check

    ARP Configuration 12.2.4 Configuring ARP Packet Source MAC Address Consistency Check This feature enables a gateway device to filter out ARP packets with a source MAC address in the Ethernet header different from the sender MAC address in the message body, so that the gateway device can learn correct ARP entries.
  • Page 84: Configuring Against Arp Flood

    ARP Configuration of network equipment, leaving the CPU unable to serve the network. Flood attacks work by directing a large volume of attack packets at network equipment such as routers, switches and servers, exhausting the resources of the equipment and leaving its CPU unable to serve the network.
  • Page 85: Displaying And Maintain Against Arp Flood

    ARP Configuration threshold | by default, the safety trigger threshold is 16 PPS
    Configure the approach for the attacker | arp anti-flood action {deny-arp|deny-all} | optional; by default, the approach for the attacker is to deny ARP
    Configure automatic recovery of banned users | arp anti-flood recover-time time | optional; the configurable time range is <0-1440>...
  • Page 86: Igmp Snooping

    IGMP Snooping Chapter 13. IGMP Snooping 13.1 Brief Introduction to IGMP Snooping IGMP (Internet Group Management Protocol) is part of the IP protocol suite and is used to support and manage IP multicast between hosts and multicast routers. IP multicast allows IP data to be delivered to the collection of hosts that form a multicast group.
  • Page 87: Enable Igmp Snooping

    IGMP Snooping packets or not
    Configure whether the port discards report packets or not | optional | 13.2.12
    Configure multicast preview | optional | 13.2.13
    Configure IGMP Snooping profile name list | optional | 13.2.14
    Display and maintain IGMP Snooping | optional | 13.2.15
    13.2.2 Enable IGMP Snooping
    Table 13-2 Brief configuration of IGMP Snooping
    Command | Operation | Remark...
  • Page 88: Configuring Number Of Multicast Group Allowed Learning

    IGMP Snooping Table 13-4 Configure port fast-leave
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Enter port configuration mode | interface ethernet interface-num |
    Configure port fast-leave | igmp-snooping fast-leave | optional; by default, port fast-leave is disabled
    13.2.5 Configuring Number of Multicast Group Allowed Learning
    Use the igmp-snooping group-limit command to configure the number of multicast groups allowed to be learned.
  • Page 89: Configuring Igmp Snooping Multicast Learning Strategy

    IGMP Snooping Table 13-6 Configure IGMP Snooping querier
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Configure the rule for multicast groups not in the black and white list | igmp-snooping {permit | deny} {group all | vlan vid} | optional; by default, multicast groups not in the black and white list are learned according to the default rule...
  • Page 90: Configuring Igmp Snooping Port Multicast Vlan

    IGMP Snooping multicast learning also gives the routing port the capability to forward multicast packets. When the switch receives a host membership report packet, the packet is forwarded to the routing port.
    Table 13-8 Configuring Routing port
    Operation | Command | Remarks
    Enter global configuration...
  • Page 91: Configuring Port Of Dropped Query Packets Or Not

    IGMP Snooping 13.2.11 Configuring Port of Dropped Query Packets or Not When this feature is enabled on a port, the switch drops IGMP query messages received on it. By default, a port receives all IGMP packets.
    Table 13-11 Configure port of dropped query packets or not
    Operation | Command | Remarks...
  • Page 92: Configuring Profile Of Black And White List

    IGMP Snooping Table 13-13 Configure multicast preview
    Operation | Command | Remarks
    Enter global configuration mode | configure terminal |
    Configure multicast preview | igmp-snooping preview |
    Configure multicast channel preview | igmp-snooping preview group-ip IP vlan vid interface ethernet interface-num | Optional
    Configure the length of a single preview, the preview interval, the duration... | igmp-snooping preview {time-once time-once... | Optional
  • Page 93: Igmp Snooping Configuration Examples

    IGMP Snooping Table 13-15 Configure displaying and maintenance of IGMP Snooping
    Operation | Command | Remarks
    Display the related configuration of IGMP Snooping | show igmp-snooping | Perform either of the commands
    Display dynamic routing port | show igmp-snooping router-dynamic |
    Display static router port configuration | show igmp-snooping router-static |
    Display record of host MAC | show igmp-snooping record-host [interface ethernet interface-num]...
  • Page 94 IGMP Snooping

    1. Network requirements
    As shown in Figure 1-1, hosts Host-A, Host-B and Host-C belong to VLAN2, VLAN3 and VLAN4 respectively. The three hosts are configured to receive the data of the multicast addresses 224.0.1.1 to 224.0.1.3 respectively.
    2. Configuration steps
    Configuring S-switch-A
    #Configure VLAN2 to VLAN4, and add Ethernet0/0/1, Ethernet0/0/2 and Ethernet0/0/3 into VLAN2, VLAN3 and VLAN4 respectively.
  • Page 95 IGMP Snooping

    IGMP port list : e0/0/2
    Dynamic port list
    MAC Address : 01:00:5e:00:01:03
    VLAN ID
    Static port list
    IGMP port list : e0/0/3.
    Dynamic port list
    Total entries: 3 .
    S-switch-A(config)#show igmp-snooping router-dynamic
    Port Type
    e0/0/4 { STATIC }
    e0/0/4 { STATIC }
    e0/0/4...
  • Page 96 IGMP Snooping

    #Add Ethernet0/0/4 into VLAN2 to VLAN4, and configure Ethernet0/0/4 as a static router port.
    S-switch-A(config)#vlan 2-4
    S-switch-A(config-if-vlan)#switchport ethernet 0/0/4
    S-switch-A(config-if-vlan)#exit
    S-switch-A(config)#igmp-snooping route-port vlan 2 interface ethernet 0/0/4
    S-switch-A(config)#igmp-snooping route-port vlan 3 interface ethernet 0/0/4
    S-switch-A(config)#igmp-snooping route-port vlan 4 interface ethernet 0/0/4
    #configure static multicast group
    S-switch-A(config)#multicast mac-address 01:00:5e:00:01:01 vlan 2
    S-switch-A(config)#multicast mac-address 01:00:5e:00:01:01 vlan 2 interface ethernet...
  • Page 97 IGMP Snooping

    VLAN ID
    Static port list : e0/0/3
    IGMP port list
    Dynamic port list
    Total entries: 3 .
    S-switch-A(config)#show igmp-snooping router-static
    Port Type
    e0/0/4 no age { STATIC }
    e0/0/4 no age { STATIC }
    e0/0/4 no age { STATIC }
    Total Record: 3
    When the multicast source router sends the multicast data flows for 224.0.1.1 to 224.0.1.3, S-switch-A forwards them to Host-A, Host-B and Host-C respectively.
  • Page 98: Gmrp Configuration

    GMRP Configuration Chapter 14. GMRP Configuration 14.1 Brief Introduction to GMRP GMRP (GARP Multicast Registration Protocol) is an application of GARP (Generic Attribute Registration Protocol) that uses the GARP working mechanism to maintain dynamic multicast registration information in the switch. All switches that support GMRP can receive multicast registration information from other switches, update their local multicast registration information dynamically, and propagate it to other switches, so that the multicast information of all GMRP-capable devices in the same switching network stays consistent.
  • Page 99: Displaying And Maintaining Gmrp

    GMRP Configuration Table 14-2 Add requisite static route forwarded by GMRP
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Add requisite static route forwarded by GMRP | garp permit multicast mac-address mac vlan | required
    14.2.3 Displaying and Maintaining GMRP
    After finishing the above configuration, you can use the commands below to show the GMRP client configuration.
  • Page 100 GMRP Configuration

    Switch(config-if-vlan)#switchport ethernet 0/0/1 to ethernet 0/0/10
    Add VLAN port successfully.
    Switch(config)#multicast mac-address 01:00:5e:01:01:01 vlan 111
    adding multicast group successfully !
    Switch(config)#multicast mac-address 01:00:5e:01:01:01 vlan 111 interface ethernet 0/0/1 to ethernet 0/0/10
    adding multicast group port successfully !
    Switch(config-if-vlan)#interface e 0/0/1
    Switch(config-if-ethernet-0/0/1)#switchport mode trunk
    Switch(config-if-ethernet-0/0/1)#exit
    !Configure GMRP...
  • Page 101 GMRP Configuration

    Switch(config)#interface range ethernet 0/0/2 to ethernet 0/0/3
    Switch(config-if-range)#switchport mode trunk
    Switch(config-if-range)#exit
    !Configure GMRP
    Switch(config)#gvrp
    Turn on GVRP successfully
    Switch(config)#gmrp
    Turn on GMRP successfully.
    Switch(config)#interface range ethernet 0/0/2 to ethernet 0/0/3
    Switch(config-if-range)#gvrp
    Switch(config-if-range)#gmrp
    Switch(config-if-range)#exit
    !GVRP configuration verification
    Switch(config)#show gmrp
    GMRP state : enable
    Switch(config)#show gmrp interface ethernet 0/0/2 ethernet 0/0/3
    port...
  • Page 102 GMRP Configuration

    !Configure GMRP
    Switch(config)#gvrp
    Turn on GVRP successfully.
    Switch(config)#gmrp
    Turn on GMRP successfully.
    Switch(config)#garp permit vlan 111,333
    Switch(config)#garp permit multicast mac-address 01:00:5e:03:03:03 vlan 333
    Switch(config)#interface e 0/0/4
    Switch(config-if-ethernet-0/0/4)#gvrp
    Switch(config-if-ethernet-0/0/4)#gmrp
    Switch(config-if-ethernet-0/0/4)#exit
    !GVRP configuration verification
    Switch(config)#show gmrp
    GMRP status : enable
    Switch(config)#show gmrp interface ethernet 0/0/4
    port GMRP status...
  • Page 103 GMRP Configuration

    VLAN ID : 333
    Static port list :
    IGMP port list
    Dynamic port list : e0/0/1.
    Total entries: 2 .
    ! Viewing the multicast information on S3 shows that 01:00:5e:01:01:01 and 01:00:5e:03:03:03 have been learned through GMRP.
    Switch(config)#show multicast
    show multicast table information
    MAC Address...
  • Page 104 GMRP Configuration

    VLAN ID : 333
    Static port list : e0/0/1-e0/0/10.
    IGMP port list
    Dynamic port list :
    Total entries: 2.
  • Page 105: Dhcp Configuration

    DHCP Configuration Chapter 15. DHCP Configuration 15.1 DHCP Overview As networks grow larger in size and more complicated in structure, a shortage of available IP addresses becomes a common situation that network administrators have to face, and network configuration becomes a tough task for them. With the emergence of wireless networks and the use of laptops, hosts that change location and IP addresses that change frequently also call for new technology.
  • Page 106: Obtaining Ip Addresses Dynamically

    DHCP Configuration addresses will be occupied by the DHCP clients permanently. Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again when the period expires.
  • Page 107: Dhcp Packet Format

    DHCP Configuration assigned IP address as the destination address to detect the assigned IP address, and uses the IP address only if it does not receive any response within a specified period. The IP addresses offered by other DHCP servers (if any) are not used by the DHCP client and are still available to other clients.
  • Page 108: Dhcp Relay

    DHCP Configuration Figure 15-3 DHCP packet format The field meanings are as follows: op: Operation type of the DHCP packet: 1 for request packets and 2 for response packets. htype, hlen: Hardware address type and length of the DHCP client. hops: Number of DHCP relays through which the DHCP packet has passed.
  • Page 109: Dhcp Relay Fundamentals

    DHCP Configuration segment, that is, you need to deploy at least one DHCP server for each network segment, which is far from economical. DHCP Relay is designed to address this problem. It enables DHCP clients in a subnet to communicate with the DHCP server in another subnet so that the DHCP clients can obtain IP addresses.
  • Page 110: Configure Dhcp Relay

    DHCP Configuration 15.4 Configure DHCP Relay
    Table 15-1 Configure DHCP Relay
    Operation | Command | Remarks
    Enter global configuration mode | configure terminal |
    Enable DHCP Relay | dhcp-relay | required
    Enter vlan configuration mode | vlan <vid> | required
    Configure vlan ip address | interface ip <ip> <mask> <gateway> | required...
  • Page 111: Dhcp Snooping

    DHCP Snooping Chapter 16. DHCP Snooping 16.1 Introduction to DHCP Snooping For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
  • Page 112: Dhcp-Snooping Security Configuration

    DHCP Snooping 16.3 DHCP-Snooping Security Configuration 16.3.1 Configure max clients number A private DHCP server on a network also answers IP address request packets and assigns IP addresses to DHCP clients. However, the IP addresses it assigns may conflict with those of other hosts.
  • Page 113: Displaying And Debugging Dhcp-Snooping

    DHCP Snooping Perform the following commands in global configuration mode:
    Table 16-3 Configure IP-Source-Guard
    Operation | Command | Description
    Configure the IP-source-guard bind table | ip-source-guard bind {ip A.B.C.D | mac HH:HH:HH:HH:HH:HH | interface ethernet device-num<0>/slot-num<0-2>/port-num<1-48>} |
    Enter interface configuration mode | interface ethernet device/slot/port |
    Enable IP-Source-Guard on port | ip-source-guard | By default, on a Trust port ip-source-guard is...
  • Page 114 DHCP Snooping

    GigabitEthernet 0/0/2 port of Switch. The DHCP snooping function is enabled on Switch. The GigabitEthernet1/0/1 port of Switch is a trusted port.
    Network diagram
    Figure 16.1 DHCP-Snooping Configuration Example
    Configuration procedure
    All the following commands are performed on Switch, which acts as the DHCP-Snooping device.
    A) Enter global configuration mode
    Switch#configure terminal
    Switch(config)#...
  • Page 115: Dhcp Option 82

    DHCP Option 82 Chapter 17. DHCP Option 82 17.1 Introduction to option 82 supporting Option: A variable-length field in DHCP packets, carrying information such as part of the lease information and the packet type. A packet includes at least one option and at most 255 options. Option 82: Also known as the relay agent information option.
  • Page 116: Displaying And Debugging Dhcp Option82

    DHCP Option 82 Perform the following commands in global configuration mode:
    Table 17-1 Enable DHCP Option82
    Operation | Command | Description
    Enable DHCP Option82 | dhcp option82 | By default, DHCP Option82 is disabled.
    Configure the strategy for the DHCP relay to process... | dhcp option82 strategy {drop|keep|replace} | By default, the DHCP relay replaces the option 82 carried...
  • Page 117: Acl Configuring

    ACL Configuring Chapter 18. ACL Configuring 18.1 Brief Introduction to ACL As network scale and network traffic are increasingly growing, network security and bandwidth allocation become more and more critical to network management. Packet filtering can be used to efficiently prevent illegal users from accessing networks and to control network traffic and save network resources.
  • Page 118: Switch Support Acl

    ACL Configuring Config ACL subitem successfully.
    If the match order is config mode, sub-item 0 is the first configured rule. You can see the configuration as below:
    Switch(config)#show access-list config 1
    Standard IP Access List 1, match-order is config, 2 rule:
    0 deny
    1 permit 1.1.1.1 0.0.0.0
    If the match order is auto mode, sub-item 0 is the longest-match ACL rule.
  • Page 119: Configuration Procedure

    ACL Configuring 18.2.1 Configuration Procedure
    Table 18-1 Configuration procedure
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Create a new time range and enter time range mode | time-range name |
    Configure absolute start | absolute start HH:MM:SS YYYY/MM/DD [end HH:MM:SS YYYY/MM/DD] | required
    Configure periodic start | periodic days-of-the-week hh:mm:ss to [ day-of-the-week ] hh:mm:ss...
  • Page 120: Configuration Examples

    ACL Configuring 18.2.2 Configuration Examples
    1. Create an absolute time range from 16:00, Jan 3, 2009 to 16:00, Jan 5, 2009
    Switch#configure terminal
    Switch(config)#time-range b
    Config time range successfully.
    Switch(config-timerange-b)#absolute start 16:00:00 2009/1/3 end 16:00:00 2009/1/5
    Config absolute range successfully .
    Switch(config-timerange-b)#show time-range name b
    Current time is: 02:46:43 2009/01/31...
  • Page 121: Configuration Procedure

    ACL Configuring 18.3.1 Configuration Procedure
    Follow these steps to configure a basic ACL.
    Table 18-2 Configure basic ACL based on digital identification
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Define sub-item match rule | access-list num match-order { config | auto } | optional; default, syste...
  • Page 122: Configuration Procedure

    ACL Configuring sub-rules for an ACL (this rule applies to both name-identified and number-identified ACLs).
    18.4.1 Configuration Procedure
    Follow these steps to configure an extended ACL.
    Table 18-4 Configure extended ACL based on digital identification
    Operation | Command | Remark
    Enter global configuration mode | configure terminal...
  • Page 123: Configuration Procedure

    ACL Configuring Table 18-6 Detailed parameters of extended ACL as below:
    Table 18-6
    Parameters | Function | Remark
    protocol | IP protocol type carried | A number in the range of 1 to 255; represented by name, you can select GRE, ICMP, IGMP, IPinIP, OSPF, TCP, ...
    sour-address sour-wildcard | ACL rules specified by sour-address and sour-wildcard, used to...
  • Page 124: Define Layer 2 Acl

    ACL Configuring 18.5 Define Layer 2 ACL The switch can define at most 100 Layer 2 ACLs identified by number (the number is in the range of 200 to 299) and at most 1000 Layer 2 ACLs identified by name. Up to 128 sub-rules can be defined for one ACL (this rule applies to both name-identified and number-identified ACLs).
  • Page 125: Configuration Examples

    ACL Configuring 18.5.2 Configuration Examples
    !Create a Layer 2 ACL based on digital identification to deny ARP packets from the MAC address 00:00:00:00:00:01.
    Switch#configure terminal
    Switch(config)#access-list 200 deny arp ingress 00:00:00:00:00:01 0 egress any
    !Create a Layer 2 ACL based on name identification to deny ARP packets from the MAC address 00:00:00:00:00:02.
  • Page 126: Active Acl Binding

    ACL Configuring !Configuration steps
    Switch(config)#access-group ip-group 1 subitem 1
    Activate ACL successfully .
    Switch(config)#access-group ip-group 1 subitem 0
    Activate ACL successfully.
    18.6.2 Active ACL Binding
    IP+MAC+port binding is achieved by activating an ACL binding.
    !Configuration requirement: the user with MAC address 00:00:00:00:00:01 and IP address 1.1.1.1 may only access the network through port e0/0/1.
  • Page 127: Storm-Control Configuration

    Storm-Control Configuration Chapter 19. Storm-Control Configuration 19.1 Storm-Control Overview When there is a loop or a malicious attacker in the network, a flood of packets can occupy the bandwidth and even disrupt the network. Storm-control prevents too many such packets from appearing in the network by restricting the rate at which a port receives broadcast, multicast and unknown unicast packets, and the rate of unknown unicast packets received by all ports.
  • Page 128 Storm-Control Configuration

    Table 19-2 Storm-control monitor and maintenance
    Operation | Command | Remarks
    Show interface | show interface ethernet slot/port | In any configuration mode
    Note: If storm-control has not been configured, no storm-control information is shown for that interface.
  • Page 129: Qos Configuration

    QoS Configuration Chapter 20. QoS Configuration 20.1 Brief Introduction to QoS In traditional IP networks, packets are treated equally. That is, the FIFO (first in first out) policy is adopted for packet processing. The network resources required for packet forwarding are determined by the order in which packets arrive.
  • Page 130: Priority

    QoS Configuration 20.1.3 Priority (1) 802.1p priority lies in Layer 2 packet headers and is applicable where the Layer 3 packet header does not need to be analysed but QoS must be assured at Layer 2. As described in the VLAN configuration chapter, each host that supports the 802.1Q protocol inserts a 4-byte tag header after the source address field of the Ethernet frame when forwarding packets.
  • Page 131 QoS Configuration

    IP precedence has 8 values.
    Table 20-2 Description on IP Precedence
    IP Precedence (decimal) | IP Precedence (binary) | Description
    0 | 000 | routine
    1 | 001 | priority
    2 | 010 | immediate
    3 | 011 | flash
    4 | 100 | flash-override
    5 | 101 | critical
    6 | 110 | internet
    7 | 111 | network
    TOS precedence has 5 values.
    Table 20-3 Description on TOS Precedence
    Description | TOS (decimal)...
  • Page 132: Access Control List

    QoS Configuration Table 20-4 Description on DSCP values
    DSCP (decimal) | DSCP (binary) | keys
    0 | 000000 |
    46 | 101110 |
    10 | 001010 |
    18 | 010010 |
    26 | 011010 |
    34 | 100010 |
    8 | 001000 |
    16 | 010000 |
    24 | 011000 |
    32 | 100000 |
    40 | 101000 |
    48 | 110000 |
    56 | 111000 |
    20.1.4 Access Control List
    Flow classification is the basis for providing differentiated service, and it must be combined with resource allocation.
  • Page 133: Redirection

    QoS Configuration rate of interface outputting packets. 20.1.8 Redirection Users can re-specify the transmission interface of a packet according to their own QoS strategies. 20.1.9 Priority Mark The Ethernet switch can provide a priority marking service for specified packets, which includes TOS, DSCP and 802.1p.
  • Page 134: Cos-Map Relationship Of Hardware Priority Queue And Priority Of Ieee802.1P Protocol

    QoS Configuration queue. WRR can be configured with a weighted value for each queue (w3, w2, w1, w0 in turn), which represents the percentage of the resources that queue obtains. For example, take a 100M port and configure its WRR queue scheduler weights to be 50, 30, 10, 10 (corresponding to w3, w2, w1, w0 in turn). This guarantees that the lowest priority queue gains at least 10 Mbit/s of bandwidth, avoiding the shortcoming of PQ queue scheduling, in which low priority packets may never be served.
  • Page 135: Configure Two Rate Three Color Marker

    QoS Configuration packet or reconfigure their priority.
    Table 20-5 Configure flow rate
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Enter port configuration mode | interface ethernet device/slot/port | optional; perform either in global or in port mode
    Configure flow rate | rate-limit { input | output } { [ ip-group { num | name } [ subitem subitem ] ] [ link-group { num |... | optional
  • Page 136: Configuring Packet Redirection

    QoS Configuration 20.2.4 Configuring Packet Redirection
    Packet redirection configuration redirects matching packets to a specified egress.
    Table 20-8 Configure interface line rate
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Configure packet redirection | traffic-redirect { [ ip-group { num | name } [ subitem subitem ] ] [ link-group { num | name }... | optional
  • Page 137: Configuring Cos-Map Relationship Of Hardware Priority Queue And Priority Of

    QoS Configuration Table 20-11 Configure queue-scheduler
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Configure SP | queue-scheduler strict-priority | optional
    Configure WRR | queue-scheduler wrr queue1-weight queue2-weight queue3-weight queue4-weight | optional
    Configure SP+WRR | queue-scheduler sp-wrr queue1-weight queue2-weight queue3-weight | optional
    20.2.8 Configuring Cos-map Relationship of Hardware Priority Queue and Priority of IEEE802.1p Protocol
    The cos-map relationship of hardware priority queue and priority of IEEE802.1p protocol is...
  • Page 138: Configuring Mapping Relationship Between Dscp And 8 Priority In Ieee 802.1P

    QoS Configuration 20.2.9 Configuring Mapping Relationship between DSCP and 8 Priority in IEEE 802.1p As in 1.2.7, by default the relationship between DSCP and the 8 priorities in IEEE 802.1p is as below:
    Table 20-14 Relation between DSCP and 8 priority in IEEE 802.1p
    hardware | DSCP | hardware...
  • Page 139: Configuring Flow Mirror

    QoS Configuration Table 20-16 Configure flow statistic
    Operation | Command | Remark
    Enter global configuration mode | configure terminal |
    Configure flow statistic | traffic-statistic { [ ip-group { num | name } [ subitem subitem ] ] [ link-group { num | name } [ subitem subitem ] ] } | optional
    Reset to zero | clear traffic-statistic { [ all |...
  • Page 140: Stp Configuration

    STP Configuration Chapter 21. STP Configuration 21.1 STP Overview 21.1.1 Function of STP Spanning Tree Protocol (STP) is applied in loop network to block some undesirable redundant paths with certain algorithms and prune the network into a loop-free tree, thereby avoiding the proliferation and infinite cycling of the packet in the loop network.
  • Page 141: Spanning-Tree Interface States

    STP Configuration Designated Bridge For a device, Designated Bridge is the device directly connected with this device and responsible for forwarding BPDUs; For a LAN, Designated Bridge is the device responsible for forwarding BPDUs to this LAN segment. Designated Port For a device, Designated Port is the port through which the designated bridge forwards BPDUs to this device;...
  • Page 142: How Stp Works

    STP Configuration Figure 21-1 Spanning-Tree Interface States When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning. Spanning tree stabilizes each interface at the forwarding or blocking state.
  • Page 143 STP Configuration

    - Forward delay: forward delay of the port.
    Note:
    - For the convenience of description, the description and examples below involve only four parts of a configuration BPDU:
    - Root bridge ID (in the form of device priority)
    ...
  • Page 144 STP Configuration

    - Selection of the root bridge
    At network initialization, each STP-compliant device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare one another's root bridge ID. The device with the smallest root bridge ID is elected as the root bridge.
  • Page 145 STP Configuration

    Figure 21-2 Network diagram for the STP algorithm
    - Initial state of each device
    The following table shows the initial state of each device.
    Table 21-3 Initial state of each device
    Device | Port name | BPDU of port
    Device A | AP1 | {0, 0, 0, AP1}
    Device A | AP2 | {0, 0, 0, AP2}
    Device B...
  • Page 146 STP Configuration

    Device B | Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1. | BP1: {0, 0, 0, AP1}; BP2: {1, 0, 1, BP2}
  • Page 147 STP Configuration

    By comparison: Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus the path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus the path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as... | Blocked port CP1: {0, 0, 0, AP2}; Root port CP2: {0, 5, 1, BP2}
  • Page 148: Implement Rstp On Ethernet Switch

    STP Configuration configuration BPDU in response.
    - If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs, and the old configuration BPDUs will be discarded due to timeout. In this case, the device generates a configuration BPDU with itself as the root and sends out the BPDU.
  • Page 149: Configure Rstp

    STP Configuration the upstream has begun forwarding data. The conditions for rapid state transition of the designated port are:
    - The port is an Edge port that does not connect with any switch directly or indirectly. If the designated port is an edge port, it can switch to forwarding state directly without immediately forwarding data.
  • Page 150: Enable Rstp

    STP Configuration Show RSTP | Optional | 21.4.11
    21.4.2 Enable RSTP
    After STP is enabled globally, all ports join the STP topology calculation by default. If a port should not take part in the STP calculation, the administrator can use the no spanning-tree command in interface configuration mode to disable STP on that port.
  • Page 151: Configure Stp Path Cost

    STP Configuration may cause the bridge to send configuration packets too frequently, increasing the load on the network and the CPU. Hello Time ranges from 1 to 10 seconds; the default of 2 seconds is recommended. Hello Time ≤ Forward Delay - 2.
  • Page 152: Configure Stp Mcheck

    STP Configuration Table 21-10 Configure STP port priority
    Operation | Command | Remarks
    Enter global configuration mode | configure terminal |
    Enter interface configuration mode | interface ethernet interface-num |
    Configure STP port priority | spanning-tree port-priority priority | Optional
    21.4.7 Configure STP Mcheck
    A switch working in RSTP mode can be connected to a switch running STP. But when the neighbor is working under RSTP, the two connected ports still work in STP mode.
  • Page 153: Configure Stp Transit Limit

    STP Configuration Table 21-13 Configure STP portfast
    Operation | Command | Remarks
    Enter global configuration mode | configure terminal |
    Enter interface configuration mode | interface ethernet interface-num |
    Configure STP portfast | spanning-tree portfast | Optional
    21.4.10 Configure STP Transit Limit
    Restrict the bandwidth occupied by STP by limiting the rate at which BPDU packets are sent. The rate is expressed as the number of BPDUs sent in each hello time.
  • Page 154 STP Configuration

    - Configuration procedure
    The default STP mode is RSTP. Enable global RSTP and use its default time parameters.
    Configure Switch A
    #configure Ethernet0/0/1 and Ethernet0/0/2 to be trunk, and enable root-guard
    S-switch-A(config)#interface range ethernet 0/0/1 ethernet 0/0/2
    S-switch-A(config-if-range)#switchport mode trunk
    S-switch-A(config-if-range)#spanning-tree root-guard
    S-switch-A(config-if-range)#exit
    # configure S-switch-A priority to be 0 to make sure S-switch-A is root...
  • Page 155 STP Configuration

    #Configure the cost of Ethernet0/0/1 and Ethernet0/0/2 to be 10 to make sure the link between S-switch-B and S-switch-C is the main link
    S-switch-C(config)#interface range ethernet 0/0/1 ethernet 0/0/2
    S-switch-C(config-if-range)#spanning-tree cost 10
    S-switch-C(config-if-range)#exit
    # Enable global RSTP
    S-switch-C(config)#spanning-tree
    Check the configuration
    # S-switch-A
    S-switch-A(config)#show spanning-tree interface ethernet 0/0/1 ethernet 0/0/2
    The bridge is executing the IEEE Rapid Spanning Tree protocol...
  • Page 156 STP Configuration

    received BPDU: 10
    TCN: 0, RST: 10, Config BPDU: 0
    Port e0/0/2 of bridge is Forwarding
    Spanning tree protocol is enabled
    remote loop detect is disabled
    The port is a DesignatedPort
    Port path cost 200000
    Port priority 128
    root guard enabled and port is not in root-inconsistent state
    Designated bridge has priority 0, MAC address 000a.5a13.b13d
    The Port is a non-edge port...
  • Page 157 STP Configuration

    Port priority 128
    root guard disabled and port is not in root-inconsistent state
    Designated bridge has priority 0, MAC address 000a.5a13.b13d
    The Port is a non-edge port
    Connected to a point-to-point LAN segment
    Maximum transmission limit is 3 BPDUs per hello time
    Times: Hello Time 2 second(s), Max Age 20 second(s)
    Forward Delay 15 second(s), Message Age 0
    sent BPDU:...
  • Page 158 STP Configuration

    Configured Hello Time 2 second(s), Max Age 20 second(s), Forward Delay 15 second(s)
    Root Bridge has priority 0, MAC address 000a.5a13.b13d
    Path cost to root bridge is 20
    Stp top change 3 times
    Port e0/0/1 of bridge is Discarding
    Spanning tree protocol is enabled
    remote loop detect is disabled
    The port is a AlternatePort...
  • Page 159 STP Configuration

    Forward Delay 15 second(s), Message Age 1
    sent BPDU: TCN: 0, RST: 8, Config BPDU: 0
    received BPDU: 418
    TCN: 0, RST: 418, Config BPDU: 0...
  • Page 160: Configuring 802.1X

    Configuring 802.1X Chapter 22. Configuring 802.1X 22.1 Brief Introduction to 802.1X Configuration IEEE 802.1X is a port-based network access control standard passed in June 2001. A traditional LAN does not provide access authentication: any user who connects to the LAN can access the devices and resources in it, which is a hidden security risk.
  • Page 161 Configuring 802.1X Figure 22-1 Architecture of 802.1x The above systems involve three basic concepts: PAE, controlled port, control direction. 1) PAE Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and protocol operations.  The authenticator PAE uses the authentication server to authenticate a supplicant trying to access the LAN and controls the status of the controlled port according to the authentication result, putting the controlled port in the authorized or unauthorized state.
  • Page 162: Rule Of 802.1X

    Configuring 802.1X supplicant, or just the traffic from the supplicant. 22.1.2 Rule of 802.1x The 802.1x authentication system uses the Extensible Authentication Protocol (EAP) to exchange authentication information between the supplicant PAE, the authenticator PAE and the authentication server. At present, EAP relay mode supports four authentication methods: EAP-MD5, EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol). Of these, only EAP-MD5 runs without a TLS tunnel: it does not authenticate the server or derive keys, and a challenge/response pair captured on the wire can be attacked offline with a password dictionary, so prefer the TLS-based methods on any segment that untrusted hosts can reach.
  • Page 163: Configuring Aaa

    Configuring 802.1X grant the supplicant's access request. After the supplicant comes online, the authenticator periodically sends handshake requests to check whether the supplicant is still online. By default, if two consecutive handshake attempts fail, the authenticator concludes that the supplicant has gone offline and performs the corresponding cleanup, so that the authenticator always knows when a supplicant goes offline.
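The EAP exchange and the EAP-MD5 method named above, as an added Python example that is not part of the FoxGate manual: a parser and builder for EAPOL/EAP frames, a constructed Start / Identity / MD5-Challenge / Success exchange, and the offline dictionary attack that a captured EAP-MD5 challenge/response pair permits. The MAC addresses, user name, challenge bytes and password are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")         # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


@dataclass
class Eapol:
    src: bytes
    packet_type: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    eap_data: bytes = b""


def parse_eapol(frame: bytes) -> Eapol:
    """Parse Ethernet + EAPOL + EAP, checking each length field before using it."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame or too short")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length exceeds frame")
    pkt = Eapol(src=frame[6:12], packet_type=ptype)
    if ptype != EAPOL_EAP_PACKET:
        return pkt                                  # Start / Logoff carry no EAP packet
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    pkt.eap_code, pkt.eap_id = code, ident
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("EAP request/response without a type byte")
        pkt.eap_type, pkt.eap_data = body[4], body[5:eap_len]
    return pkt


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    payload = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(src: bytes, dst: bytes, ptype: int, eap: bytes = b"") -> bytes:
    body = eap if ptype == EAPOL_EAP_PACKET else b""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(identifier || password || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def crack_md5_challenge(ident: int, challenge: bytes, value: bytes, wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on a captured EAP-MD5 challenge/response pair."""
    for candidate in wordlist:
        if md5_challenge_value(ident, candidate, challenge) == value:
            return candidate
    return None


def describe(frames: List[bytes]) -> List[str]:
    """Summarise an exchange the way an authenticator PAE would log it."""
    out = []
    for raw in frames:
        p = parse_eapol(raw)
        if p.packet_type == EAPOL_START:
            out.append("EAPOL-Start")
        elif p.packet_type == EAPOL_LOGOFF:
            out.append("EAPOL-Logoff")
        elif p.eap_code in (EAP_SUCCESS, EAP_FAILURE):
            out.append("EAP-Success" if p.eap_code == EAP_SUCCESS else "EAP-Failure")
        else:
            kind = "Request" if p.eap_code == EAP_REQUEST else "Response"
            out.append(f"EAP-{kind}/{EAP_TYPES.get(p.eap_type, p.eap_type)}")
    return out


def captured_md5_pair(frames: List[bytes]):
    """What a sniffer on the segment gets: (identifier, challenge, response value)."""
    req, resp = parse_eapol(frames[3]), parse_eapol(frames[4])
    return req.eap_id, req.eap_data[1:1 + req.eap_data[0]], resp.eap_data[1:1 + resp.eap_data[0]]


# Constructed exchange (not a capture): supplicant 00:11:22:33:44:55, authenticator port
# 00:0a:5a:13:b1:3d, password "secret". EAP-MD5 data = value-size, value, optional name.
SUPPLICANT, AUTHENTICATOR = bytes.fromhex("001122334455"), bytes.fromhex("000a5a13b13d")
CHALLENGE, PASSWORD = bytes(range(16)), b"secret"
SAMPLE_EXCHANGE = [
    build_eapol(SUPPLICANT, PAE_GROUP_ADDR, EAPOL_START),
    build_eapol(AUTHENTICATOR, SUPPLICANT, EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, 1)),
    build_eapol(SUPPLICANT, AUTHENTICATOR, EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, 1, b"user1@isp")),
    build_eapol(AUTHENTICATOR, SUPPLICANT, EAPOL_EAP_PACKET,
                build_eap(EAP_REQUEST, 2, 4, bytes([16]) + CHALLENGE + b"switch")),
    build_eapol(SUPPLICANT, AUTHENTICATOR, EAPOL_EAP_PACKET,
                build_eap(EAP_RESPONSE, 2, 4, bytes([16]) + md5_challenge_value(2, PASSWORD, CHALLENGE))),
    build_eapol(AUTHENTICATOR, SUPPLICANT, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 2)),
]
```

describe(SAMPLE_EXCHANGE) lists the sequence an authenticator PAE sees; captured_md5_pair() followed by crack_md5_challenge() shows why EAP-MD5 on a shared segment is weaker than the TLS-based methods. EAPOL-Start and EAPOL-Logoff themselves carry no authentication, so a host on the same segment can send a Logoff for another station's MAC address; that is one reason the handshake and offline-detection behaviour above matters.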
  • Page 164: Configuring Domain

    Configuring 802.1X Table 22-2 Configure local user
    Enter global configuration mode: configure terminal
    Enter AAA mode (required)
    Configure local user: local-user username name password pwd [ vlan vid ] (required)
    22.2.3 Configuring Domain The client must provide a username and password for authentication. The username carries the user's ISP information; each domain corresponds to an ISP.
  • Page 165 Configuring 802.1X This feature can be under the RADIUS attribute client-version to the version of configuration information to send the client to the RADIUS server. accounting function radius accounting optional Accounting packets without response need cut off radius server-disconnect optional users drop 1x port priority...
  • Page 166: Configuring 802.1X

    Configuring 802.1X When this feature is enabled and the user passes authentication, the port bandwidth limit is changed for that user. Upstream bandwidth control is carried in vendor-specific attribute number 75, and the attribute used can be changed with radius config-attribute.
  • Page 167: Configuring 802.1X Parameters For Port

    Configuring 802.1X Table 22-6 Enable 802.1x
    Enter global configuration mode: configure terminal
    Enable 802.1x: dot1x method { macbased | portbased } (required)
    22.3.3 Configuring 802.1x Parameters for Port The 802.1x proxy detection function depends on the online user handshake function. Enable handshake before enabling proxy detection, and disable proxy detection before disabling handshake.
  • Page 168: Configuring User Features

    Configuring 802.1X 22.3.6 Configuring User Features These operations cover the maximum number of users per port, adding and deleting users, and heartbeat detection. Table 22-10 Configure user feature
    Enter global configuration mode: configure terminal
    Configure the number of users allowed: dot1x max-user [interface-list] (optional)...
  • Page 169: Configuring Mstp

    Configuring MSTP Chapter 23. Configuring MSTP 23.1 Brief Introduction to MSTP The Spanning Tree Protocol (STP), defined in IEEE 802.1D, eliminates physical loops at the data link layer of a local area network (LAN). Devices running the protocol detect loops by exchanging information with one another and remove them by selectively blocking ports until the topology is pruned into a loop-free tree.
  • Page 170: Basic Concepts In Mstp

    Configuring MSTP 23.2.1 Basic Concepts in MSTP Figure 23-1 MSTP topology example The MSTP network shown consists of three MST regions and one switch running 802.1D STP. 1. MST region A multiple spanning tree region (MST region) consists of several devices in a switched network and the network segments between them.
  • Page 171 Configuring MSTP 3. CST The CST is a single spanning tree that connects all MST regions in a switched network. If each MST region is regarded as one "device", the CST is the spanning tree that these devices calculate among themselves through STP or RSTP. For example, the red lines in Figure 23-1 show the CST. 4.
  • Page 172: Roles Of Ports

    Configuring MSTP 12. MSTI designated bridge The MSTI designated bridge is the designated bridge of an MSTI. 23.2.2 Roles of Ports In MSTP calculation, port roles include root port, designated port, master port, alternate port, backup port and so on. 1. Root port: the port that forwards data towards the root bridge. Figure 23-2 Root port 2.
  • Page 173 Configuring MSTP Figure 23-4 Alternate port 4. Backup port: the backup of a designated port. When a designated port is blocked, the backup port becomes the new designated port and starts forwarding data without delay. When two ports of the same MSTP device are connected to each other and form a loop, the device blocks one of them; the blocked port is the backup port.
  • Page 174 Configuring MSTP Figure 23-6 Master port 6. Boundary port A boundary port connects an MST region to another MST region with a different configuration, or to a single spanning-tree region running STP or RSTP. During MSTP calculation a boundary port takes the same role on the CIST and on all MST instances.
  • Page 175: Algorithm Implementation

    23.3 Algorithm Implementation 23.3.1 MSTP Protocol The MST BPDU packet format is as follows: the leading fields (the red region in the figure) have the same format as an SST BPDU; Version 3 Length gives the length of the MSTP-specific part (the blue region);...
  • Page 176 Configuring MSTP the CIST root bridge priority and MAC address (eight bytes). CIST External Root Path Cost: the CIST external root path cost; it changes only when the BPDU crosses a region boundary and stays constant while propagating inside a region (4 bytes). CIST Regional Root Identifier: the unique identifier of the CIST regional root bridge, made of its priority and MAC address; it changes only when the BPDU crosses a region boundary and is fixed while propagating inside a region (8 bytes).
  • Page 177: Determining Cist Priority Vectors

    Configuring MSTP MSTI Internal Root Path Cost: the MSTI internal root path cost, valid only inside the MST region (4 bytes). MSTI Bridge Priority: the MSTI bridge priority; together with the MAC address from the CIST Bridge Identifier it forms the identifier of the bridge sending the MSTI configuration message (1 byte).
  • Page 178: Determining Mstp

    Configuring MSTP 6. MSTI receiving port These parameters are compared in the order listed; an earlier parameter takes precedence over a later one. 23.3.4 Determining MSTP MSTP calculation has two parts: first the CIST priority vectors are determined, then the MSTI priority vectors. Figure 23-9 As in Figure 23-9, suppose all port costs in the whole bridged network are equal, the bridge identifiers of "MST bridge-1" to "MST bridge-9" increase in that order, and the "SST bridge"...
  • Page 179 Configuring MSTP (MST bridge 1, 1, MST bridge 9, 0, MST bridge 9, s). MST bridge 7 then compares the CIST priority vectors received on ports u and t and finds that the information on port u is better, so MST bridge 8 is elected CIST regional root bridge of Region 3 and port u of MST bridge 7 becomes its CIST root port.
  • Page 180 Configuring MSTP CIST designated bridge, port t of MST bridge 7 becomes the designated port, and port s of MST bridge 9 becomes an alternate port and is set to the Discarding state. Similarly, port d of MST bridge 2 becomes a designated port, MST bridge 2 is the designated bridge of LAN G, and port q of MST bridge 9 becomes an alternate port set to the Discarding state.
  • Page 181 Configuring MSTP the MSTI1 port of the MSTI. MST bridge 9: ports s and r are MSTI alternate ports; port q is the CIST alternate port of Region 3 and also the MSTI1 alternate port. Electing the MSTI designated bridge and designated port on LAN J: the priority vector received on port r of MST bridge 9, (MST bridge 7, 1, MST bridge 8, w), is better than MST bridge 9's own port priority vector (MST bridge 7, 1, MST bridge 9, r); that is, the MSTI regional root bridge and the MSTI internal root path cost are equal, but the MSTI...
  • Page 182: Active Topology

    Configuring MSTP If a CIST port is the CIST root port (the root port of the IST root bridge), it is the master port of all MSTIs; if its CIST role is alternate port, it is the alternate port of all MSTIs. The same port may have different states in different MSTIs (for example, port v is Forwarding in MSTI1 and Discarding in MSTI2).
  • Page 183: Mst And Sst Compatibility

    Configuring MSTP point-to-point link type, used to transition the port state to Forwarding quickly. 23.3.7 MST and SST Compatibility MSTP places MSTP-capable switches and switches that do not support MSTP in different regions, called MST regions and SST regions respectively. Inside an MST region multiple spanning tree instances run; at the edge of an MST region an RSTP-compatible protocol runs.
  • Page 184: Enabling Mstp

    Configuring MSTP configuration
    Configure bridge max aging time (optional, 23.4.3)
    Configure bridge max hops (optional, 23.4.3)
    Configure MSTP identifier (optional, 23.4.4)
    Configure MSTP identifier revision (optional, 23.4.4)
    Configure MSTP instance configuration and VLAN identifier mapping (optional, 23.4.4)
    Configure MSTP bridge priority (optional, 23.4.5)
    Configure the boundary port status...
  • Page 185: Configuring Mstp Identifier

    Configuring MSTP Table 23-3 Configure MSTP timer parameter values
    Enter global configuration mode: configure terminal
    Configure bridge forward delay: spanning-tree mst forward-time forward-time (optional)
    Configure bridge hello time: spanning-tree mst hello-time hello-time (optional)
    Configure bridge max aging time: spanning-tree mst max-age max-age (optional)
    Configure bridge max...
  • Page 186: Configuring Mstp Bridge Priority

    Configuring MSTP Table 23-4 Configure MSTP identifier
    Enter global configuration mode: configure terminal
    Configure MSTP identifier name: spanning-tree mst name name (optional)
    Configure MSTP identifier revision: spanning-tree mst revision revision-level (optional)
    Configure MSTP instance configuration and VLAN identifier mapping: spanning-tree mst instance instance-num vlan vlan-list (optional)...
  • Page 187: Configuring Port Link Type

    Configuring MSTP 23.4.7 Configuring Port Link Type There are two port link types: shared-media links (for example through a hub) and point-to-point links. The link type matters mainly for the rapid state transition of ports through the proposal/agreement mechanism: only a port whose link type is point-to-point is allowed to transition rapidly.
  • Page 188: Configuring Port Priority

    Configuring MSTP Table 23-8 Configure the path cost
    Enter global configuration mode: configure terminal
    Enter port configuration mode: interface ethernet interface-num (optional)
    Configure internal port path cost: spanning-tree mst instance instance-num cost cost (optional)
    Configure the port cost of the external path: spanning-tree mst external cost cost (optional)...
  • Page 189: Configuring Digest Snooping Port

    Configuring MSTP Table 23-10 Configure the root port protection
    Enter global configuration mode: configure terminal
    Enter port configuration mode: interface ethernet interface-num
    Configure the root port protection: spanning-tree mst root-guard (optional)
    23.4.11 Configuring Digest Snooping Port When a switch port is connected to a Cisco or other vendor's switch that runs a proprietary spanning tree variant, the two sides cannot interoperate as one MSTP region even if their MST region configuration is the same, because the configuration digests they compute differ. Digest snooping makes the port accept the peer's digest instead of checking it, so it also stops detecting a genuine mismatch in the VLAN-to-instance mapping: enable it only on ports facing a known peer and keep the mappings on both sides identical.
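The region digest that decides whether two switches interoperate, as an added Python example that is not part of the manual: the MST Configuration Digest is HMAC-MD5 over the 4096-entry VLAN-to-instance table with the key fixed by IEEE 802.1Q, which is why a vendor using a different computation fails to match even with identical name, revision and mappings. The region name, VLAN lists and the SWITCH_A/B/C dictionaries are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterator

# HMAC-MD5 key fixed by IEEE 802.1Q (originally 802.1s) for the MST Configuration Digest
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(text: str) -> Iterator[int]:
    """Expand a CLI vlan-list such as "1-10,20,30-32" into VLAN IDs."""
    for part in text.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part}")
        yield from range(lo_i, hi_i + 1)


def build_config_table(instances: Dict[int, str]) -> bytes:
    """MST Configuration Table: 4096 two-octet entries, entry[vid] = MSTID of that VLAN.
    Unmapped VLANs (and VID 0 / 4095) stay in instance 0, the CIST."""
    table = bytearray(4096 * 2)
    seen: Dict[int, int] = {}
    for inst, vlans in instances.items():
        if not 1 <= inst <= 64:
            raise ValueError(f"instance number out of range: {inst}")
        for vid in parse_vlan_list(vlans):
            if vid in seen and seen[vid] != inst:
                raise ValueError(f"VLAN {vid} mapped to both instance {seen[vid]} and {inst}")
            seen[vid] = inst
            table[2 * vid:2 * vid + 2] = inst.to_bytes(2, "big")
    return bytes(table)


def mst_config_digest(instances: Dict[int, str]) -> str:
    """Configuration Digest as displayed by MST show commands (32 hex characters)."""
    return hmac.new(MST_DIGEST_KEY, build_config_table(instances), hashlib.md5).hexdigest().upper()


def same_region(a: dict, b: dict) -> bool:
    """Two bridges are in one MST region only if name, revision and digest all match."""
    return (a["name"], a["revision"], mst_config_digest(a["instances"])) == \
           (b["name"], b["revision"], mst_config_digest(b["instances"]))


# Digest of the default, unmapped configuration (every VLAN in the CIST).
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"

# Constructed 'spanning-tree mst instance <n> vlan <list>' settings on three switches.
SWITCH_A = {"name": "campus", "revision": 1, "instances": {1: "10-20", 2: "30"}}
SWITCH_B = {"name": "campus", "revision": 1, "instances": {2: "30", 1: "10-20"}}   # same, other order
SWITCH_C = {"name": "campus", "revision": 1, "instances": {1: "10-21", 2: "30"}}   # one extra VLAN
```

The digest is only a summary, not a secret: it does not authenticate BPDUs. Its purpose is to let the receiving bridge notice that a neighbour's mapping differs, which is exactly the check digest snooping switches off.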
  • Page 190: Configuring Mstp Instance Is Enabled

    Configuring MSTP Note: the mcheck function requires the port to send BPDU packets, so it works only on the specified port. 23.4.13 Configuring MSTP Instance Is Enabled To control MSTP flexibly, you can use the DISABLE INSTANCE feature. Disabling an instance has the same effect as running no spanning-tree for that instance: all ports carrying the VLANs mapped to the instance are put into the forwarding state, so a physical loop in those VLANs is no longer broken.
  • Page 191: Configuring Sntp

    Configuring SNTP Chapter 24. Configuring SNTP 24.1 Brief introduction of SNTP The Simple Network Time Protocol version 4 (SNTPv4) is a subset of the Network Time Protocol (NTP) used to synchronize computer clocks on the Internet. Typically there is at least one server in the network that provides the reference time for the clients, so that all clients in the network synchronize their local clocks. Plain SNTP has no protection against a spoofed or altered reply, so use the valid server list and MD5 authentication described below when the time source is reachable from untrusted hosts.
  • Page 192: Enabling Sntp Client

    Configuring SNTP Configure multicast TTL (optional, 24.2.6)
    Configure polling interval (optional, 24.2.7)
    Configure timeout retransmit (optional, 24.2.8)
    Configure valid server list (optional, 24.2.9)
    Configure MD5 authentication (optional, 24.2.10)
    Display and maintain SNTP client (optional, 24.2.11)
    24.2.2 Enabling SNTP Client The S6424-S2C2 switch can be configured only as an SNTP client. Table 24-2 Start SNTP client Operation Command...
  • Page 193: Modifying Broadcast Transfer Delay

    Configuring SNTP 24.2.5 Modifying Broadcast Transfer Delay When the SNTP client works in broadcast or multicast mode, it uses the broadcast transfer delay: the client's local time is set to the time received from the server plus the transfer delay. Administrators set the transfer delay according to the actual bandwidth of the network.
  • Page 194: Configuring Timeout Retransmit

    Configuring SNTP 24.2.8 Configuring Timeout Retransmit This command is effective in unicast and anycast operating modes. SNTP request packets are UDP packets, so delivery to the destination is not guaranteed and a timeout-retransmission mechanism is used. Use the commands above to configure the number of retransmissions and the interval between them.
  • Page 195: Displaying And Maintain Sntp Client

    Configuring SNTP 24.2.11 Displaying and Maintaining SNTP Client After finishing the above configuration, use the following commands to show the SNTP client configuration. Table 24-11 Display and maintain SNTP client
    Display and maintain SNTP client: show sntp client (perform either of the commands)...
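The client/server exchange behind this chapter, as an added Python example that is not part of the manual: it builds the 48-byte SNTP request, a constructed server reply and a broadcast packet, applies the checks that the valid server list and MD5 authentication options stand for (plus the protocol sanity checks a client should make before trusting a reply), and computes the clock offset and the broadcast-mode local time. The timestamps, server address and shared key are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_EPOCH = 2208988800                 # seconds from 1900-01-01 to 1970-01-01
PACKET = "!BBBbII4sIIIIIIII"           # 48-byte NTP/SNTP header, 15 fields (RFC 4330)


def to_ntp(t: float):
    """Unix float seconds -> (NTP seconds, 32-bit fraction)."""
    sec = int(t)
    return sec + NTP_EPOCH, int(round((t - sec) * 2 ** 32)) & 0xFFFFFFFF


def from_ntp(sec: int, frac: int) -> float:
    return sec - NTP_EPOCH + frac / 2 ** 32


def build_client_request(t1: float, version: int = 4) -> bytes:
    """Mode 3 (client) request; only the Transmit Timestamp is filled in."""
    s, f = to_ntp(t1)
    return struct.pack(PACKET, (version << 3) | 3, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, 0, 0, 0, s, f)


def build_server_reply(request: bytes, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed mode 4 reply: Originate = client Transmit, Receive = t2, Transmit = t3."""
    req = struct.unpack(PACKET, request)
    r2, r3 = to_ntp(t2), to_ntp(t3)
    return struct.pack(PACKET, (((req[0] >> 3) & 7) << 3) | 4, stratum, 0, -20, 0, 0, b"GPS\0",
                       r3[0], r3[1], req[13], req[14], r2[0], r2[1], r3[0], r3[1])


def build_broadcast(t3: float) -> bytes:
    """Mode 5 broadcast/multicast packet: the client only gets the server's Transmit Timestamp."""
    s, f = to_ntp(t3)
    return struct.pack(PACKET, (4 << 3) | 5, 2, 6, -20, 0, 0, b"GPS\0", s, f, 0, 0, 0, 0, s, f)


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the NTP symmetric-key MD5 authenticator: key id || MD5(key || packet)."""
    return packet[:48] + struct.pack("!I", key_id) + hashlib.md5(key + packet[:48]).digest()


def verify_auth(packet: bytes, keys: dict) -> bool:
    if len(packet) != 68:
        return False
    key = keys.get(struct.unpack("!I", packet[48:52])[0])
    return key is not None and hmac.compare_digest(
        hashlib.md5(key + packet[:48]).digest(), packet[52:68])


def process_reply(request: bytes, reply: bytes, t4: float, server_ip: str,
                  valid_servers: set, keys: dict = None):
    """Valid-server-list and MD5 checks, protocol sanity checks, then (offset, delay) in seconds."""
    if server_ip not in valid_servers:
        raise ValueError(f"reply from {server_ip}, not in the valid server list")
    if keys is not None and not verify_auth(reply, keys):
        raise ValueError("MD5 authenticator missing or wrong")
    f = struct.unpack(PACKET, reply[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError("not a server (mode 4) reply")
    if stratum == 0:
        raise ValueError("kiss-o'-death reply, do not use")
    if li == 3:
        raise ValueError("server clock not synchronised")
    req = struct.unpack(PACKET, request)
    if (f[9], f[10]) != (req[13], req[14]):
        raise ValueError("Originate Timestamp does not match our request (spoofed or stale)")
    t1, t2, t3 = from_ntp(req[13], req[14]), from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def broadcast_local_time(packet: bytes, transfer_delay: float) -> float:
    """Broadcast mode (24.2.5): local time = server Transmit Timestamp + configured delay."""
    f = struct.unpack(PACKET, packet[:48])
    if f[0] & 7 != 5:
        raise ValueError("not a broadcast packet")
    return from_ntp(f[13], f[14]) + transfer_delay


# Constructed exchange: client sends at t1=1000.0, server receives at t2=1000.5 and
# replies at t3=1000.75, client receives at t4=1001.0, so the true offset is +0.125 s.
SERVER_IP = "192.0.2.10"
KEYS = {1: b"sntp-shared-secret"}      # key id -> secret configured on switch and server
REQUEST = build_client_request(1000.0)
REPLY = authenticate(build_server_reply(REQUEST, 1000.5, 1000.75), 1, KEYS[1])
```

The Originate Timestamp check is what stops an off-path host from answering a request it never saw; the valid server list and the MD5 authenticator are what stop an on-path host that did. Broadcast mode has neither protection unless authentication is configured, which is why it should be confined to a trusted management segment.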
  • Page 196: Ssh Terminal Services

    SSH Terminal Services Chapter 25. SSH Terminal Services 25.1 Introduction to SSH Secure Shell (SSH) provides confidentiality and strong authentication, protecting against attacks such as IP address spoofing and plaintext password interception when users log in to the switch remotely over an insecure network. SSH can replace Telnet for secure management and configuration.
  • Page 197: Ssh Server Configuration

    25.2 SSH Server Configuration A switch acting as an SSH server can connect to multiple SSH clients, which may be LAN users or WAN users. S6424-S2C2 series switches can act only as an SSH server and support SSH v2. The following table describes the SSH server configuration tasks.
  • Page 198: Ssh Server Configuration Example

    SSH Terminal Services be the default key or a key file loaded through FTP/TFTP. No key file is configured initially. The default key can be used only after it has been generated by command. A configured key is saved in Flash and can be used only after it is loaded at reboot. Users cannot log in to the device through an SSH client if the configured key is not an RSA key or if the public and private keys do not match.
  • Page 199: Use Loaded Key

    SSH Terminal Services Open the SSH client on the PC and log in to the switch. 25.4.2 Use Loaded Key Network requirements As shown in Figure 25-2, the PC (SSH client) runs client software that supports SSHv2.0; it establishes a local connection with the switch (SSH server) and the data exchanged must be protected.
  • Page 200 SSH Terminal Services Enable SSH
    Switch(config)#ssh
    Config SSH state successfully.
    Display the SSH configuration to make sure the key file can be used.
    Switch(config)#show ssh
    ssh version : 2.0
    ssh state : on
    ssh key file : available
    Make sure the current key is the loaded key (if it is not, use cry key refresh to refresh it)...
  • Page 201: Configuration File Management

    Configuration File Management Chapter 26. Configuration File Management 26.1 Introduction to Configuration File The configuration file records and stores the configuration a user has performed on the switch; it also lets users check the switch configuration easily. When powered on, the switch loads the configuration file known as the saved-configuration file, which resides in Flash, for initialization.
  • Page 202 Configuration File Management Set a configuration file as the primary configuration file. Change the execution mode of the configuration file. Perform the following configuration in privileged mode. Table 26-1 Configure a configuration file
    Save the current configuration: copy running-config startup-config (the saved configuration becomes the start-up configuration)...
  • Page 203 Configuration File Management The system software does not match the configuration file after the switch software is updated. The configuration files in Flash are damaged; the common cause is that wrong configuration files were loaded.
  • Page 204: Bootrom And Host Software Loading

    BootROM and Host Software Loading Chapter 27. BootROM and Host Software Loading Traditionally, switch software is loaded through a serial port, which is slow, inconvenient and cannot be used for remote loading. To solve these problems the TFTP and FTP modules are built into the switch; with them you can load/download software and files conveniently through an Ethernet port.
  • Page 205: Loading Software Using Xmodem Through Console Port

    BootROM and Host Software Loading 27.2.1 Loading Software Using XMODEM through Console Port 27.2.1.1 Introduction to XMODEM XMODEM is a widely used file transfer protocol, thanks to its simplicity and good performance. XMODEM transfers files over the Console port. It supports two data packet sizes (128 bytes and 1 KB), two check methods (checksum and CRC), and repeated retransmission of an erroneous packet (generally at most ten attempts).
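The XMODEM framing and retry behaviour described above, as an added Python example that is not FoxGate's loader code: CRC-16/XMODEM, 128-byte packet construction with SUB padding, receiver-side validation, and a constructed sender that corrupts packets so the ten-retry limit can be seen working. The image bytes are constructed for the example.

```python
SOH, STX, EOT, ACK, NAK, SUB, CRC_REQ = 0x01, 0x02, 0x04, 0x06, 0x15, 0x1A, ord("C")


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_packets(payload: bytes, block_size: int = 128, crc: bool = True) -> list:
    """header, block number, its complement, data padded with SUB, then CRC-16 or 8-bit checksum."""
    if block_size not in (128, 1024):
        raise ValueError("XMODEM block size is 128 or 1024 bytes")
    header, packets = (SOH if block_size == 128 else STX), []
    for i in range(0, max(len(payload), 1), block_size):
        block = payload[i:i + block_size].ljust(block_size, bytes([SUB]))
        num = (len(packets) + 1) & 0xFF                  # block numbers start at 1, wrap at 256
        check = crc16_xmodem(block).to_bytes(2, "big") if crc else bytes([sum(block) & 0xFF])
        packets.append(bytes([header, num, 0xFF - num]) + block + check)
    return packets


def check_packet(packet: bytes, expected_num: int, crc: bool) -> bytes:
    """Receiver-side validation of one packet; raises ValueError where a real receiver sends NAK."""
    if not packet or packet[0] not in (SOH, STX):
        raise ValueError("bad header byte")
    size = 128 if packet[0] == SOH else 1024
    if len(packet) != 3 + size + (2 if crc else 1):
        raise ValueError("bad packet length")
    num, inv = packet[1], packet[2]
    if num != (inv ^ 0xFF) or num != (expected_num & 0xFF):
        raise ValueError("bad block number or complement")
    data, check = packet[3:3 + size], packet[3 + size:]
    good = int.from_bytes(check, "big") == crc16_xmodem(data) if crc else check[0] == sum(data) & 0xFF
    if not good:
        raise ValueError("CRC/checksum mismatch")
    return data


def receive(sender, crc: bool = True, max_retries: int = 10) -> bytes:
    """Drive a sender callable sender(last_response) -> next packet bytes, or bytes([EOT]) at the end.
    A bad packet is answered with NAK and retried up to max_retries times, then the transfer aborts."""
    out, expected, response, retries = bytearray(), 1, (CRC_REQ if crc else NAK), 0
    while True:
        packet = sender(response)
        if packet == bytes([EOT]):
            return bytes(out)
        try:
            out += check_packet(packet, expected, crc)
        except ValueError:
            retries += 1
            if retries > max_retries:
                raise
            response = NAK
            continue
        expected, retries, response = expected + 1, 0, ACK


def flaky_sender(packets: list, corrupt_first: int):
    """Constructed sender that corrupts the check bytes of the current packet corrupt_first times."""
    state = {"idx": 0, "bad": corrupt_first}

    def send(response: int) -> bytes:
        if response == ACK:
            state["idx"] += 1
        if state["idx"] >= len(packets):
            return bytes([EOT])
        pkt = packets[state["idx"]]
        if state["bad"] > 0:
            state["bad"] -= 1
            return pkt[:-1] + bytes([pkt[-1] ^ 0xFF])   # flip the last check byte
        return pkt
    return send


# Constructed 516-byte "image": 5 packets of 128 bytes, the last padded with 124 SUB bytes.
FILE_DATA = bytes(range(256)) * 2 + b"tail"
```

XMODEM's CRC detects line noise, not tampering: anyone with the console cable can feed the switch an arbitrary image, so physical access to the Console port is equivalent to the ability to replace BootROM and host software.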
  • Page 206 BootROM and Host Software Loading Figure 27-1 Choose [Transfer/Send File] Figure 27-2 Send file dialog box Step 3: Click <Send>. The system displays the page shown in Figure 27-3. Figure 27-3 Sending file page...
  • Page 207: Loading Software Using Tftp Through Ethernet Port

    BootROM and Host Software Loading Step 4: After the download completes, the system displays the following information:
    Download wholeBootRom successfully.
    Update BootRom successfully.
    Download BootRom via Xmodem successfully.
    27.2.1.3 Loading host software Follow these steps to load the host software: Step 1: Enter the following command in privileged mode:
    Switch#load application xmodem
    Downloading application via Xmodem...
  • Page 208: Loading Software Using Ftp Through Ethernet Port

    BootROM and Host Software Loading Step 3: Run the HyperTerminal program on the configuration PC. Start the switch and enter privileged mode. Then set the following TFTP-related parameters as required:
    Switch#load whole-bootrom tftp tftpserver-ip filename
    Caution: Load file name: bootrom.bin; Switch IP address: A.B.C.D; Server IP address: A.B.C.E
    Step 4: Press <Enter>.
  • Page 209 BootROM and Host Software Loading 27.2.3.1 Loading BootROM software Figure 27-5 Local loading using FTP client Step 1: As shown in Figure 27-5, connect the switch to the FTP server through an Ethernet port and to the configuration PC through the Console port. Note: one computer can serve as both configuration device and FTP server.
  • Page 210: Remote Software Loading

    BootROM and Host Software Loading When loading BootROM and host software using FTP, it is recommended to use a PC directly connected to the device as the FTP server, to make the upgrade more reliable. FTP and TFTP carry credentials and the image in cleartext and provide no integrity protection, so keep the server on the directly connected link or an isolated management network rather than crossing untrusted segments. 27.3 Remote Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch and use FTP or TFTP to load BootROM and host software remotely.
  • Page 211: Basic System Configuration & Debugging

    Basic System Configuration & Debugging Chapter 28. Basic System Configuration & Debugging This section includes: Basic System Configuration; Displaying the System Status; SNMP Configuration Example; Network Connectivity Test; Device Management; System Maintenance. 28.1 Basic System Configuration Perform the following commands in global configuration mode. Table 28-1 Basic system configuration tasks Operation Command...
  • Page 212 Basic System Configuration & Debugging 28.2.1.1 SNMP Operation Mechanism SNMP has two parts: the Network Management Station and the Agent. The network management station (NMS) is the workstation that runs the client program. Commonly used NM platforms include QuidView, Sun NetManager and IBM NetView.
  • Page 213: Configuring Snmp Basic Functions

    Basic System Configuration & Debugging Figure 28-1 Architecture of the MIB tree The management information base (MIB) describes the hierarchical architecture of the tree; it is the set of standard variables defined for the monitored network device. In the figure, the managed object B is uniquely identified by the string of numbers {1.2.1.1}.
  • Page 214: Displaying Snmp

    Basic System Configuration & Debugging Configure the local engine ID or a remote engine: snmp-server engineid { local engineid-string | remote ip-address [udp-port port-number] engineid-string }. By default, the device's local engine ID is 134640000000000000000000. The local engine cannot be deleted, and at most 32 remote engines can be configured.
  • Page 215: Snmp Configuration Example

    Figure 28-2 Network diagram for SNMP 28.2.4.3 Network procedure ! Set the community name, group name and user.
    Switch(config)# snmp-server community FoxGate ro permit
    Switch(config)# snmp-server group grp1 1 read internet write internet notify Internet
    Switch(config)# snmp-server user user1 grp1
    ! Enable the SNMP agent to send Trap packets to the NMS whose IP address is 10.10.10.1.
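What the community string configured above looks like on the wire, as an added Python example that is not part of the manual: a minimal BER encoder for an SNMPv1/v2c GetRequest and a bounds-checked decoder that pulls the version, community and PDU type out of a message, the way a monitoring rule on a mirror port would flag v1/v2c polls and default communities. The community names, OIDs and the truncated packet are constructed for the example.

```python
from typing import List, Tuple

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "SNMPv2-Trap"}
WEAK_COMMUNITIES = {"public", "private"}


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def _integer(v: int) -> bytes:
    """Non-negative INTEGER; the extra leading zero keeps the sign bit clear."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _oid(dotted: str) -> bytes:
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([ids[0] * 40 + ids[1]])
    for sub in ids[2:]:                      # base-128, high bit set on all but the last octet
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 0) -> bytes:
    """SNMPv1 (version 0) or v2c (version 1) GetRequest for one OID."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next position), rejecting lengths that exceed the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet: bytes) -> dict:
    """Version, community and PDU type of a v1/v2c message; v3 carries USM data instead."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big")
    info = {"version": SNMP_VERSIONS.get(version, str(version))}
    if version == 3:
        return info
    tag, community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    info["community"] = community.decode("latin-1")
    tag, _, _ = _read_tlv(msg, pos)
    info["pdu"] = PDU_NAMES.get(tag, f"0x{tag:02x}")
    return info


def audit(packets: List[bytes]) -> List[str]:
    """One finding per packet."""
    findings = []
    for raw in packets:
        try:
            h = parse_snmp_header(raw)
        except ValueError as err:
            findings.append(f"malformed: {err}")
            continue
        if "community" in h:
            kind = "default community" if h["community"] in WEAK_COMMUNITIES else "cleartext community"
            findings.append(f"{h['version']} {h['pdu']} community={h['community']!r}: {kind}")
        else:
            findings.append(f"{h['version']} message (USM, no community)")
    return findings


# Constructed packets: the classic sysDescr.0 poll with "public", a v2c sysName.0 poll with the
# community from this page's example, and a message whose length field overruns the data.
SAMPLE_PACKETS = [
    build_get_request("public", "1.3.6.1.2.1.1.1.0"),
    build_get_request("FoxGate", "1.3.6.1.2.1.1.5.0", request_id=7, version=1),
    b"\x30\x05\x02\x01\x00",
]
```

Because the community travels in cleartext in every v1 and v2c message, a read-only community with permit restrictions (as in the example above) limits the damage, but only SNMPv3 users with authentication and privacy, as created with snmp-server user, keep the credential off the wire.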
  • Page 216: Network Connectivity Test

    Basic System Configuration & Debugging 28.3 Network Connectivity Test 28.3.1 Ping Use the ping command to check network connectivity and the reachability of a host. Table 28-4 The ping command
    Check IP network connectivity and the reachability of a host: ping [ -c count ] [ -s packetsize ] [ -t timeout ] host...
  • Page 217: Device Management

    Basic System Configuration & Debugging 28.4 Device Management The device management function of the Ethernet switch reports the current status and event-debugging information of the boards. Through it you can maintain and manage the physical device and restart the system when some of its functions are abnormal.
  • Page 218 Basic System Configuration & Debugging MAC-SOURCE and Port 1 as a new MAC address entry in the MAC address table. Figure 28-3 A switch uses a MAC address table to forward packets. After learning the source address of the packet, the switch looks up the destination MAC address of the received packet in the MAC address table: if it finds a match, it forwards the packet directly out of that port.
  • Page 219 Basic System Configuration & Debugging Note: The switch learns only unicast addresses by using the MAC address learning mechanism but directly drops any packet with a broadcast source MAC address.
  • Page 220: Entries In A Mac Address Table

    Entries in a MAC Address Table Chapter 29. Entries in a MAC Address Table Entries in a MAC address table fall into the following categories according to their characteristics and how they are configured: Static MAC address entry: entries of this type are added and removed manually and never age out.
  • Page 221 Entries in a MAC Address Table You can add a MAC address entry in global configuration mode or interface configuration mode. Perform the following commands in global configuration mode. Table 29-2 Add a MAC address entry
    Enter interface configuration mode: interface {interface_type... (optional)...
  • Page 222 Entries in a MAC Address Table The MAC address learning mechanism lets an Ethernet switch acquire the MAC addresses of the network devices on the segments connected to its ports, and the switch then forwards packets destined for those MAC addresses directly. A MAC address table that is too large may reduce the forwarding performance of the switch.
  • Page 223 Entries in a MAC Address Table 29.1.1.3 Configuration Example Network requirements Log in to the switch through the Console port and enable address table configuration. Set the aging time of dynamic MAC address entries to 500 seconds. Add a static MAC address entry 00:01:fc:00:0c:01 for port GigabitEthernet0/0/2 (assuming that the port belongs to VLAN 1). Network diagram Figure 29-1 Network diagram for MAC address table configuration...
  • Page 224: Restarting Ethernet Switch

    Entries in a MAC Address Table 29.2 Restarting Ethernet Switch Perform the following operation in privileged mode when the switch is in trouble or needs to be restarted. Table 29-6 Restart the Ethernet switch
    Restart the Ethernet switch: reboot
    Note: when rebooting, the system checks whether there is any configuration change.
  • Page 225: Access-Limit Management

    Entries in a MAC Address Table 29.3.2 Access-Limit Management The switch provides ways to control the different types of login users, such as Telnet, SNMP and WEB. The following controls access by IP address. Table 29-8 Perform the following commands in global configuration mode:
    Configure the permitted IP...
  • Page 226: Mail-Alarm

    Entries in a MAC Address Table 29.3.5 Mail-Alarm Table 29-11 Perform the following commands in global configuration mode:
    Enable mail alarm: mailalarm (by default, this function is disabled)
    Configure SMTP server: mailalarm server server-addr (by default, the SMTP server is 0)
    Configure the email receiver: mailalarm receiver...
  • Page 227 Entries in a MAC Address Table Table 29-13 System display commands
    Display version info: show version
    Display user name: show username
    Display the administrators logged in to the switch: show users
    Display system info: show system
    Display memory info: show memory
    Display system clock: show clock
    Display CPU utilization: show cpu-utilization...
  • Page 228: Lldp Configuration

    LLDP Configuration Chapter 30. LLDP Configuration 30.1 LLDP Protocol Overview LLDP (Link Layer Discovery Protocol) is a vendor-independent Layer 2 protocol defined by the IEEE 802.1AB-2005 standard. A device announces its own information to neighbouring devices, receives the neighbours' information and stores it in the standard LLDP MIB, so that users can check the downlink devices and connected ports for easier network maintenance and management.
  • Page 229: Enable Lldp

    LLDP Configuration 30.2.2 Enable LLDP Related configurations take effect only after global LLDP is enabled. Global and port LLDP settings can be configured and saved whether or not LLDP is enabled; they take effect once global LLDP is enabled. Perform the following command in global configuration mode.
  • Page 230: Lldp Displaying And Debugging

    LLDP Configuration 30.2.6 LLDP Displaying and Debugging After the above configurations, you can execute the show commands in any configuration mode to display information and verify your configuration. Table 30-6 LLDP displaying and debugging
    Show LLDP status: show lldp [interface ethernet... (execute this command...
  • Page 231 LLDP Configuration Port ID: port e0/0/7
    System Name: Switch S6424-S2C2
    System Description: S6424-S2C2 Switch
    Port Description: NULL
    Management Address: 1.1.1.33
    Port Vlan ID: 1
    Port SetSpeed: auto
    Port ActualSpeed: FULL-1000
    Port Link Aggregation: support, not in aggregation
    *************************************************************************************...
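The LLDPDU behind a neighbour display like the one above, as an added Python example that is not part of the manual: a builder for the mandatory Chassis ID, Port ID and TTL TLVs plus System Name, System Description and Management Address, and a bounds-checked TLV parser that recovers the fields a show command lists. The chassis MAC, port name, system name and management address mirror the display on this page but the frame is constructed, not captured.

```python
import struct
from typing import Dict, Iterator, Tuple

LLDP_MCAST = bytes.fromhex("0180c200000e")    # nearest-bridge group address
ETHERTYPE_LLDP = 0x88CC
(TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_PORT_DESC,
 TLV_SYS_NAME, TLV_SYS_DESC, TLV_MGMT) = 0, 1, 2, 3, 4, 5, 6, 8


def tlv(tlv_type: int, value: bytes) -> bytes:
    """7-bit type + 9-bit length header."""
    if len(value) > 511:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac: bytes, port_name: str, ttl: int, sys_name: str,
                     sys_desc: str, mgmt_ipv4: bytes, ifindex: int) -> bytes:
    """Ethernet frame with the mandatory TLVs, three optional ones and End of LLDPDU."""
    mgmt = (bytes([5, 1]) + mgmt_ipv4                 # addr string length 5: subtype 1 (IPv4) + 4 octets
            + bytes([2]) + struct.pack("!I", ifindex)  # interface numbering subtype 2 = ifIndex
            + bytes([0]))                              # OID string length 0
    pdu = (tlv(TLV_CHASSIS, b"\x04" + src_mac)         # chassis subtype 4 = MAC address
           + tlv(TLV_PORT, b"\x05" + port_name.encode())   # port subtype 5 = interface name
           + tlv(TLV_TTL, struct.pack("!H", ttl))
           + tlv(TLV_SYS_NAME, sys_name.encode())
           + tlv(TLV_SYS_DESC, sys_desc.encode())
           + tlv(TLV_MGMT, mgmt)
           + tlv(TLV_END, b""))
    return LLDP_MCAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + pdu


def iter_tlvs(pdu: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLV chain, refusing any length that runs past the PDU."""
    pos = 0
    while pos + 2 <= len(pdu):
        header = struct.unpack("!H", pdu[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(pdu):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes past end of PDU")
        yield tlv_type, pdu[pos:pos + length]
        pos += length
        if tlv_type == TLV_END:
            return
    raise ValueError("no End of LLDPDU TLV")


def parse_lldp(frame: bytes) -> Dict[str, object]:
    """Return the neighbour fields a 'show lldp' style display would list."""
    if frame[:6] != LLDP_MCAST or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    tlvs = list(iter_tlvs(frame[14:]))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS, TLV_PORT, TLV_TTL]:
        raise ValueError("mandatory Chassis ID, Port ID, TTL TLVs missing or out of order")
    nb: Dict[str, object] = {}
    for tlv_type, v in tlvs:
        if tlv_type == TLV_CHASSIS and v:
            nb["chassis_id"] = ":".join(f"{b:02x}" for b in v[1:]) if v[0] == 4 else v[1:].decode("latin-1")
        elif tlv_type == TLV_PORT and v:
            nb["port_id"] = v[1:].decode("latin-1")
        elif tlv_type == TLV_TTL:
            if len(v) != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            nb["ttl"] = struct.unpack("!H", v)[0]
        elif tlv_type == TLV_SYS_NAME:
            nb["system_name"] = v.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_DESC:
            nb["system_description"] = v.decode("utf-8", "replace")
        elif tlv_type == TLV_PORT_DESC:
            nb["port_description"] = v.decode("utf-8", "replace")
        elif tlv_type == TLV_MGMT and len(v) >= 6 and v[0] == 5 and v[1] == 1:
            nb["management_address"] = ".".join(str(b) for b in v[2:6])
    nb["shutdown"] = nb["ttl"] == 0      # TTL 0 tells the neighbour to delete this entry now
    return nb


# Constructed LLDPDU mirroring the display on this page (not a real capture).
SAMPLE_FRAME = build_lldp_frame(bytes.fromhex("000a5a13b13d"), "e0/0/7", 120,
                                "Switch S6424-S2C2", "S6424-S2C2 Switch", bytes([1, 1, 1, 33]), 7)
```

Everything the parser returns is sent unauthenticated to the group address on every enabled port, so LLDP hands a device model, software description and management address to whoever is plugged into an edge port; enable it per port (30.2.2) where neighbours are trusted infrastructure rather than everywhere.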
  • Page 232: Cfm Configuration

    CFM Configuration Chapter 31. CFM Configuration 31.1 Brief Introduction to CFM CFM (Connectivity Fault Management), defined by the IEEE 802.1ag standard, is a VLAN-based end-to-end Layer 2 OAM mechanism used for Carrier Ethernet fault management. 31.1.1 CFM Concepts Table 31-1 CFM concepts Concept...
  • Page 233: Configuring Cfm

    CFM Configuration Table 31-2 CFM main functions
    Continuity check: a proactive OAM function used to detect the connectivity state between maintenance endpoints. A connectivity failure may be caused by equipment failure or a configuration error.
    Loopback: an on-demand OAM function used to verify the connection state between the local device and a remote end device.
  • Page 234: Maintenance Domain Configuration

    CFM Configuration Configure remote maintenance endpoint (required, 1.2.7)
    Configure MIPs (optional, 1.2.8)
    Configure the CFM functions: configure continuity detection (required, 1.2.9); configure loopback (optional, 1.2.10); configure link tracking (optional, 1.2.11); display and maintenance of CFM (optional, 1.2.12)
    31.2.2 Maintenance Domain Configuration Table 31-4 Maintenance domain configuration Operation Command...
  • Page 235: Maintenance Association Configuration

    CFM Configuration 31.2.4 Maintenance Association Configuration Table 31-6 Maintenance association configuration
    Enter global configuration mode: configure terminal
    Enter maintenance domain configuration mode: cfm md md-index
    Create a maintenance association and enter its configuration mode: cfm ma ma-index (required)
    31.2.5 Configuring Name and Associated VLAN...
  • Page 236: Configure Remote Maintenance Endpoint

    CFM Configuration Create a maintenance endpoint and specify its associated port: cfm mep mep-id direction {up | down} [primary-vlan vlan-id] interface ethernet port-id (required)
    Enable the management state of the maintenance endpoint: cfm mep mep-id state {enable | disable} (required)
    Configure the CCM priority of the endpoint: cfm mep mep-id priority priority-id (optional; default is...
  • Page 237: Configure Loopback

    CFM Configuration Table 31-11 Configure continuity detection
    Enter global configuration mode: configure terminal
    Enter maintenance domain configuration mode: cfm md md-index
    Enter maintenance association configuration mode: cfm ma ma-index
    Configure the interval at which maintenance endpoints send CCMs: cfm cc interval {1 | 10 | 60 | 600} (optional; the default...
  • Page 238: Display And Maintenance Of Cfm

    CFM Configuration Table 31-13 Configure link tracking
    Enter global configuration mode: configure terminal
    Enter maintenance domain configuration mode: cfm md md-index
    Enter maintenance association configuration mode: cfm ma ma-index
    Start link tracking: cfm linktrace mep mep-id {dst-mac mac-address | dst-mep rmep-id} [timeout...
  • Page 239: Flex Links Configuration

    Flex Links Configuration Chapter 32. Flex Links Configuration 32.1 Flex links Overview Flex links is a Layer 2 link backup protocol that provides an alternative to STP. Choose Flex links to realize link backup when STP is not wanted in the customer network. If STP is enabled, Flex links is disabled.
  • Page 240 Flex Links Configuration Figure 32-1 Flex Link application scenario As shown in Figure 32-1, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch D form a Flex link group (marked in blue). GigabitEthernet 1/0/1 is in the forwarding state (marked by a continuous line), and GigabitEthernet 1/0/2 is in the blocked state (marked by a broken line). GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch E form another Flex link group (marked in red).
  • Page 241: Operating Mechanism Of Flex Link

    Flex Links Configuration GigabitEthernet 1/0/2. Although GigabitEthernet 1/0/1 of Switch E is in the forwarding state, it is still the slave port. MMU (MAC address-table Move Update) message: when link switchover occurs in a Flex link group, the old forwarding entries are no longer useful for the new topology.
  • Page 242 Flex Links Configuration 32.1.2.2 Link-Faulty Handling When the primary link on Switch A fails, the master port GigabitEthernet 1/0/1 transits to the standby state, while the slave port GigabitEthernet 1/0/2 transits to the forwarding state. A link switchover occurs. After the link switchover, the MAC address forwarding entries kept on the devices in the network may become incorrect, and need to be refreshed, so that traffic can be rapidly switched to another link, thus avoiding traffic loss.
  • Page 243: Flex Links Configuration

    Flex Links Configuration occupies more bandwidth. As shown in Figure 32-2, if role preemption is configured on the Flex link group on Switch A, when the link of GigabitEthernet 1/0/1 on Switch A recovers, GigabitEthernet 1/0/2 is immediately blocked and transits to the standby state, while GigabitEthernet 1/0/1 transits to the forwarding state.
  • Page 244: Configure Flex Links Preemption Mode

    Flex Links Configuration  Note: The STP of master port and slave port should be disabled, and cannot be ERRP port. 32.2.3 Configure Flex Links preemption mode At a time, only one port is active for forwarding, and the other port is blocked, that is, in the standby state.
  • Page 245: Configure Flex Links Mmu

    Flex Links Configuration preemption delay { interface device/slot/port_2 | port_2/channel-group-number_2 channel-group is slave port channel-group-number_2 } preemption mode <1-60> 32.2.5 Configure Flex links MMU MMU messages are used by a Flex link group to notify other switches to refresh their MAC address forwarding entries and ARP/ND entries when link switchover occurs in the Flex link group.
  • Page 246: Monitor Link Configuration

    Monitor Link Configuration Chapter 33. Monitor Link Configuration 33.1 Monitor Link Overview 33.1.1 Background Figure 33-1 Monitor Link background As shown in Figure 33-1, a Flex link group is configured on Switch A for link redundancy purpose, with GigabitEthernet 1/0/1 as the master port, and GigabitEthernet 1/0/2 as the slave port.
  • Page 247: Monitor Link Implementation

    Monitor Link Configuration mechanism of Flex Link. 33.2 Monitor Link Implementation 33.2.1 Basic Concepts in Monitor Link 33.2.1.1 Monitor Link Group A monitor link group is a set of uplink and downlink ports. Downlink ports adapt to the state changes of uplink ports. Figure 33-2 Monitor Link basic concepts As shown in Figure 33-2, ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Switch A form a monitor link group.
  • Page 248 Monitor Link Configuration using commands. It can be an Ethernet port (electrical or optical), or an aggregate interface. As shown in Figure 33-2, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of Switch A are two downlink ports of the monitor link group configured on the device. ...
  • Page 249: Configuring Monitor Link

    Monitor Link Configuration group if role preemption is configured in the Flex link group on Switch A. Collaboratively, Monitor Link and Flex Link deliver reliable link redundancy and fast convergence for dual-uplink networks. 33.3 Configuring Monitor Link 33.3.1 Monitor Link Configuration Tasks Table 33-1 Flex Links Configuration Tasks Operation Remarks...
  • Page 250: Monitor Link Configuration Example

    Monitor Link Configuration 33.4 Monitor Link Configuration Example I. Network requirements In Figure 33-4, Device C is Flex Links Device, Device A, Device B and Device D is the neighbor devices. The traffic of Device C double uplinks to Device A through Flex Links group. Through configuration, Device C can make double uplink backup.
  • Page 251 Monitor Link Configuration # Enable MMU packet sending Device-C(config)#mac-address-table move update transmit #Show Flex Links Device-C(config)#show interface switchport backup ActiveInterface BackupInterface State ---------------------------------------------------------- e1/0/1 e1/0/2 active up /backup Standby Preemption mode: Forced Preemption Delay: 5 seconds Total record 1. Device-C(config)#show mac-address-table move update Dst mac-address: : 01:80:c2:00:00:10 Default/Current settings: : Rcv Off/Off,Xmt Off/On...
  • Page 252 Monitor Link Configuration Device-B(config-if-ethernet-1/0/1)#switchport monitor-link-group 1 uplink Device-B(config-if-ethernet-1/0/1)#exit Device-B(config)#interface ethernet 1/0/2 Device-B(config-if-ethernet-1/0/2)#switchport monitor-link-group 1 downlink Device-B(config-if-ethernet-1/0/2)#exit #Show Monitor Link Device-C(config)#show monitor-link-group Monitor-link Group -------------------------------------------------- Group 1: UplinkID UplinkStatus e1/0/1 DownlinkID DownlinkStatus e1/0/2 Device D #Configure GE1/0/1 and GE1/0/2 to be Trunk and enable MMU packet receiving Device-D(config)#interface range ethernet 1/0/1 ethernet 1/0/2 Device-D(config-if-range)#switchport mode trunk Device-D(config-if-range)#exit...
  • Page 253 Monitor Link Configuration Group 1: UplinkID UplinkStatus e1/0/1 DownlinkID DownlinkStatus e1/0/2 When there is failure between Device A and Device B, show Flex Links and Monitor Link in Device B: Device-B(config)#show monitor-link-group Monitor-link Group -------------------------------------------------- Group 1: UplinkID UplinkStatus e1/0/1 DOWN DownlinkID DownlinkStatus...
  • Page 254 Monitor Link Configuration Rcv Count: Xmt Count: show Flex Links and Monitor Link in Device D: Device-D(config)#show monitor-link-group Monitor-link Group -------------------------------------------------- Group 1: UplinkID UplinkStatus e1/0/1 DownlinkID DownlinkStatus e1/0/2 Device-D(config)#show mac-address-table move update Dst mac-address: : 01:80:c2:00:00:10 Default/Current settings: : Rcv Off/On,Xmt Off/Off Rcv Count: Xmt Count: When the link between Device A and Device B recovers, GE1/0/1 of Device C will turn...
  • Page 255 Monitor Link Configuration show Flex Links and Monitor Link in Device C: Device-C(config)#show interface switchport backup ActiveInterface BackupInterface State ---------------------------------------------------------- e1/0/1 e1/0/2 active up /backup Standby Preemption mode: Forced Preemption Delay: 5 seconds Total record 1. Device-C(config)#show mac-address-table move update Dst mac-address: : 01:80:c2:00:00:10 Default/Current settings: : Rcv Off/Off,Xmt Off/On...
  • Page 256: Efm Configuration

    EFM configuration Chapter 34. EFM configuration 34.1 Brief Introduction to EFM EFM (Ethernet in the First Mile), defined by the IEEE 802.3ah standard, is used for the management and maintenance of the point-to-point Ethernet link between two devices.
  • Page 257: Efm Protocol Packets

    EFM configuration forwards it not towards its destination address but back to the originating end. Remote loopback is started or cancelled with Loopback Control OAMPDUs; the function can be used to detect link quality and to locate link failures. Remote MIB variable access: EFM entities can use Variable Request / Response OAMPDUs to retrieve the peer's MIB variables...
  • Page 258: Efm Basic Configuration

    EFM configuration Response timeout configuration Optional 1.2.3 Configure remote failure indication Optional 1.2.4 Configure link Start link monitoring capabilities Optional 1.2.5 monitoring capabilities Configure errored-symbol-period event Optional 1.2.5 detection parameters Configure errored-frame event Optional 1.2.5 detection parameters Configure errored-frame-period event Optional 1.2.5 detection parameters...
  • Page 259: Configuring Remote Failure Indication

    EFM configuration Adjusting the EFM handshake packet transmission interval and the connection timeout changes the accuracy of EFM connection detection. Configuring the response timeout for OAMPDU remote request messages makes the device discard a response OAMPDU that arrives after the timeout has expired. Table 34-5 EFM timer parameter configuration Operation Command...
  • Page 260: Configuring Link Monitoring Capabilities

    EFM configuration 34.2.5 Configuring Link Monitoring Capabilities Table 34-7 Configure link monitoring capabilities Operation Command Remarks Enter global configuration configure terminal mode Enter port configuration interface ethernet device / slot / port mode. Start link monitoring efm link-monitor {errored-symbol-period Optional capabilities | errored-frame | errored-frame-period | By default, the link...
  • Page 261: Rejecting Remote Loopback Requests Initiated By Remote

    EFM configuration Table 34-8 Start remote loopback Operation Command Remarks Enter global configuration configure terminal mode Enter port configuration interface ethernet device / slot / port mode. Start remote loopback efm remote-loopback Optional 34.2.7 Rejecting Remote Loopback Requests Initiated by Remote Because the remote loopback function affects normal service, users can configure the local port to ignore Loopback Control OAMPDUs sent by the peer, thereby rejecting EFM remote loopback requests initiated by the remote end.
  • Page 262: Starting Remote Access Function Mib Variable

    EFM configuration 34.2.9 Starting Remote Access Function MIB Variable Table 34-11 Start the remote access function MIB variable Operation Command Remarks Enter global configuration mode configure terminal Enter port configuration mode. interface ethernet device / slot / port Optional Start the remote access function By default, remote efm variable-retrieval MIB variable...
  • Page 263 EFM configuration Show EFM protocol packet show efm statistics interface [interface-name] statistics Clear EFM protocol packet clear efm statistics interface statistics [interface-name]...
  • Page 264: Mac Address Authentication Configuration

    Mac Address Authentication Configuration Chapter 35. Mac Address Authentication Configuration 35.1 Mac Authentication Overview MAC address authentication is a network access control function based on the port and the MAC address of the accessing user. Initially, the user's MAC address entry does not exist in the switch MAC address table; the first packet from the user that reaches the switch triggers MAC address authentication. The authentication process does not require user participation (such as entering a user name and password); after the user passes...
  • Page 265: Enabling Configuration

    Mac Address Authentication Configuration The default mode is the MAC address. When a RADIUS server is used for authentication, two authentication methods can be selected: 1) PAP; 2) CHAP. The default RADIUS authentication mode is PAP. For the configuration of the AAA authentication domain, the RADIUS server and the local user database, refer to the related content in the 802.1x configuration.
  • Page 266: Silent Timer Configuration

    Mac Address Authentication Configuration If no traffic from the user is detected within the offline detection time, the user is determined to be offline. Table 35-3 Offline detection configuration Operation Command Remarks Enter global configuration configure terminal mode Offline detect timer...
  • Page 267: Guest-Vlan Configuration Functions

    Mac Address Authentication Configuration 35.2.6 Guest-vlan Configuration Functions After a user fails authentication, it enters the quiet state and cannot access the network. If such users are to be allowed to access a particular VLAN, the guest VLAN function can be enabled. Then a user that fails authentication does not enter the quiet state but goes online, with the guest VLAN as the user's VLAN.
  • Page 268: L2Tp Configuration

    L2TP Configuration Chapter 36. L2TP Configuration 36.1 L2TP Overview L2TP (Layer 2 Tunneling Protocol) is a Layer 2 tunneling technology, L2TP enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific tunnels across a service provider network. Figure 36-1 L2TP application scenario With L2TP, Layer 2 protocol packets from customer networks can be transparently transmitted in the service provider network:...
  • Page 269: Advanced L2Tp Configuration

    L2TP Configuration 36.2.2 Advanced L2TP Configuration By default, L2TP packets are sent to the CPU. This command configures the rate at which they are sent to the CPU. Table 36-2 Advanced L2TP configuration Operation Command Remarks Enter global configuration configure terminal mode Configure the rate for up to l2-tunnel drop-threshold [ cdp| lacp| Optional pagp| stp| udld| vtp] rate...
  • Page 270: Qinq Configuration

    QinQ Configuration Chapter 37. QinQ Configuration 37.1 Introduction to QinQ 37.1.1 Understanding QinQ In the VLAN tag field defined in IEEE 802.1Q, only 12 bits are used for VLAN IDs, so a switch can support a maximum of 4,094 VLANs. In actual applications, however, a large number of VLANs are required to isolate users, especially in metropolitan area networks (MANs), and 4,094 VLANs are far from satisfying such requirements.
  • Page 271: Implementations Of Qinq

    QinQ Configuration Figure 37-2 QinQ application 37.1.2 Implementations of QinQ There are two types of QinQ implementations: basic QinQ and selective QinQ. 1) Basic QinQ Basic QinQ is implemented through VLAN VPN. With the VLAN VPN feature enabled on a port, when a frame arrives at the port, the switch will tag it with the port’s default VLAN tag, regardless of whether the frame is tagged or untagged.
  • Page 272: Modification Of Tpid Value Of Qinq Frames

    QinQ Configuration packet VID and inner-tpid. The default inner-tpid is 0x8100. 37.1.3 Modification of TPID Value of QinQ Frames A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag. The value of this field, as defined in IEEE 802.1Q, is 0x8100. The device identifies whether a frame carries the corresponding VLAN tag according to the TPID.
  • Page 273 QinQ Configuration 37.2.2 Configure BASIC QinQ Perform following commands in privilege mode. Table 37-3 Enable basic QinQ Operation Command Description Enter global configuration mode configure terminal Enable basic QinQ qinq required qinq outer-tpid Optional,default value is Modify outer TPID outer-tpid 0x8100 interface ethernet Configurations made in...
  • Page 274 QinQ Configuration {customer|uplink} tag member in service vlan; customer needs setting to be untag member in service vlan. Enable port selective QinQ qinq flexible-qinq required 37.3 QinQ Configuration Example: !Basic QinQ configuration Network requirements, as shown in Figure 37-3:  Provider A and Provider B are access switches in the service provider network. ...
  • Page 275: Port-Car Configuration

    QinQ Configuration Switch(config-if-ethernet-0/0/1)#interface ethernet 0/1/1 Switch(config-if-ethernet-0/1/1)#switchport mode trunk Switch(config-if-ethernet-0/1/1)#exit Configuration on Provider B Switch#configure terminal Switch(config)#qinq Switch(config)#qinq outer-tpid 9100 Switch(config)#vlan 100 Switch(config-if-vlan)#switchport ethernet 0/0/1 ethernet 0/1/1 Switch(config-if-vlan)#interface ethernet 0/0/1 Switch(config-if-ethernet-0/0/1)#switchport default vlan 100 Switch(config-if-ethernet-0/0/1)#qinq mode customer Switch(config-if-ethernet-0/0/1)#interface ethernet 0/1/1 Switch(config-if-ethernet-0/1/1)#switchport mode trunk Switch(config-if-ethernet-0/1/1)#exit !Selective QinQ Configuration Network requirements,As shown in Figure 37-4:...
  • Page 276 QinQ Configuration Configuration on Provider A Switch#configure terminal Switch(config)#qinq Switch(config)#qinq outer-tpid 9100 Switch(config)#qinq insert 10 10 100 Switch(config)#qinq insert 20 20 100 Switch(config)#vlan 100 Switch(config-if-vlan)#switchport ethernet 0/0/1 ethernet 0/1/1 Switch(config-if-vlan)#interface ethernet 0/0/1 Switch(config-if-ethernet-0/0/1)#qinq mode customer Switch(config-if-ethernet-0/0/1)#qinq flexible-qinq Switch(config-if-ethernet-0/0/1)#interface ethernet 0/1/1 Switch(config-if-ethernet-0/1/1)#switchport mode trunk Switch(config-if-ethernet-0/1/1)#exit Configuration on Provider B...
  • Page 277: Port-Car Overview

    Port-car Configuration Chapter 38. Port-car Configuration 38.1 Port-car Overview Port-car protects the switch from packet attacks whose destination MAC begins with 01:80:c2. Most Layer 2 protocol packets (such as STP BPDUs) whose destination MAC begins with 01:80:c2 are sent to the CPU. After Port-car is enabled, the rate of such packets is kept under the configured threshold.
  • Page 278: Display And Debug Of Port-Car

    Port-car Configuration 38.3 Display and Debug of Port-Car Use the following command in any configuration mode to check the configuration. Table 37-7 Display and debug of Port-car Operation Command Display port-car status show port-car 38.4 Port-car Configuration Example !Enable global port-car and configure the global rate to be 200pps: Switch#configure terminal Switch(config)#port-car Switch(config)#port-car-rate 200...
  • Page 279: Storm-Control Monitor And Maintenance

    Storm-control Configuration Chapter 39. Storm-control Configuration 39.1 Storm-control Overview When there is a loop or a malicious attacker in the network, a flood of packets occupies bandwidth and can even disrupt the network. Storm-control prevents too many such packets from appearing in the network: it restricts the rate at which a port receives broadcast/multicast/unknown unicast packets, and the rate of unknown unicast packets received by all ports.
  • Page 280: Mld Snooping

    MLD Snooping Chapter 40. MLD Snooping 40.1 MLD Snooping Overview MLD (Multicast Listener Discovery) is the IPv6 counterpart of the Internet Group Management Protocol; it is part of the IPv6 protocol suite and is used by hosts and multicast routers to support and manage IP multicast. IP multicast allows IP packets to be transmitted to a multicast group, which is a set of hosts. Multicast group membership is dynamic: a host can join or leave a group at any time, which minimizes the network load and makes data transfer efficient.
  • Page 281: Start Mld Snooping

    MLD Snooping 40.2.2 Start MLD Snooping Table 40-2 Start MLD Snooping Operation Command Remarks Enter global configuration configure terminal mode Start MLD Snooping mld-snooping Required 40.2.3 Configuring MLD Snooping Timer Table 40-3 Configuring IGMP Snooping Timer Operation Command Remarks Enter global configure terminal configuration mode Optional...
  • Page 282: Multicast Vlan Port Configuration

    MLD Snooping 40.2.5 Maximum Number of Learning Multicast Configuration Port You can use the following command to set up each port can learn the number of multicast. Table 40-5 Maximum number of learning multicast configuration port Operation Command Remarks Enter global configure terminal configuration mode Enter port...
  • Page 283: Configuring Mld-Snooping Querier

    MLD Snooping group-range MAC multi-count multicast black list Configure the port to num vlan vid learn (not learn) vid of the start of continuous num mac multicast groups Optional Default configuration, mld-snooping {permit | deny} any multicast group group MAC vlan vid are not black and white list are added 40.2.7 Configuring MLD-Snooping Querier...
  • Page 284: Display And Maintenance Of Mld Snooping

    MLD Snooping Table 40-8 Configuring Routing port Operation Command Remarks Enter global configuration mode configure terminal Hybrid routing port configuration mld-snooping route-port forward Optional function mld-snooping router-port-age {on | off | Configure dynamic routing port Optional age-time} aging time mld-snooping route-port vlan vid Configure static routing port Optional interface {all | ethernet interface-num}...
  • Page 285: Mld Snooping Configuration Examples

    MLD Snooping 40.2.11 MLD Snooping Configuration Examples IPV6 Multicast Source Router Ethernet0/0/4 S-switch-A Ethernet0/0/3 Ethernet0/0/1 Host-A Host-B Host-C Figure 40-1 1. Network requirements As shown in the figure 1-1, Host-A, Host-B and Host-C belong to VLAN2, VLAN3 and VLAN4 respectively. The three hosts each receive the data of the multicast addresses FF02::01::0101-FF02::01::0103 according to the configuration.
  • Page 286 MLD Snooping S-switch-A(config-if-vlan)#switchport ethernet 0/0/3 S-switch-A(config-if-vlan)#exit #Enable MLD snooping S-switch-A(config)#mld-snooping When Host-A, Host-B and Host-C send MLD reports to S-switch-A, S-switch-A learns the corresponding multicast table entries and ports; when the IPV6 Multicast Source Router sends an IGMP query message to S-switch-A, S-switch-A learns the corresponding router port entry. Show the multicast groups learned by the switch S-switch-A(config)#show mld-snooping group show multicast table information...