Table of Contents

CONTENT .... 1

CHAPTER 1 SWITCH MANAGEMENT .... 1-1

1.1 Management Options .... 1-1
1.1.1 Out-Of-Band Management .... 1-1
1.1.2 In-band Management .... 1-4
1.2 CLI Interface .... 1-8
1.2.1 Configuration Modes .... 1-9
1.2.2 Configuration Syntax .... 1-11
1.2.3 Shortcut Key Support .... 1-12
1.2.4 Help Function .... 1-12
1.2.5 Input Verification .... 1-13
1.2.6 Fuzzy Match Support .... 1-13

CHAPTER 2 BASIC SWITCH CONFIGURATION .... 2-15

2.1 Basic Configuration .... 2-15
2.2 Telnet Management .... 2-16
2.2.1 Telnet .... 2-16
2.2.2 SSH .... 2-18
2.3 Configure Switch IP Addresses .... 2-19
2.3.1 Switch IP Addresses Configuration Task List .... 2-19
2.4 SNMP Configuration .... 2-21
2.4.1 Introduction to SNMP .... 2-21
2.4.2 Introduction to MIB .... 2-22
2.4.3 Introduction to RMON .... 2-23
2.4.4 SNMP Configuration .... 2-23
2.4.5 Typical SNMP Configuration Examples .... 2-26
2.4.6 SNMP Troubleshooting .... 2-27
2.5 Switch Upgrade .... 2-28
2.5.1 Switch System Files .... 2-28
2.5.2 BootROM Upgrade .... 2-28
2.5.3 FTP/TFTP Upgrade .... 2-31

CHAPTER 3 CLUSTER CONFIGURATION .... 3-40

+7(495) 797-3311 www.qtech.ru
Moscow, Novozavodskaya St., 18, bldg. 1

Summary of Contents for QTech QSW-2800 series

  • Page 1: Chapter 1 Switch Management

    2.4.6 SNMP Troubleshooting (2-27); 2.5 Switch Upgrade (2-28); 2.5.1 Switch System Files (2-28); 2.5.2 BootROM Upgrade (2-28); 2.5.3 FTP/TFTP Upgrade (2-31); Chapter 3 Cluster Configuration (3-40) ...
  • Page 2 ONFIGURATION EQUENCE 8.3 LLDP F ................8-66 UNCTION YPICAL XAMPLE 8.4 LLDP F ................8-66 UNCTION ROUBLESHOOTING CHAPTER 9 PORT CHANNEL CONFIGURATION ........9-67 9.1 I ................9-67 NTRODUCTION TO HANNEL ...
  • Page 3 14.1 I LLDP-MED ................14-94 NTRODUCTION TO 14.2 LLDP-MED C ............14-94 ONFIGURATION EQUENCE 14.3 LLDP-MED E ................... 14-96 XAMPLE 14.4 LLDP-MED T ................14-99 ROUBLESHOOTING CHAPTER 15 BPDU-TUNNEL CONFIGURATION ........15-100 ...
  • Page 4 16.6.2 Dynamic VLAN Configuration .............. 16-121 16.6.3 Typical Application of the Dynamic VLAN ........... 16-122 16.6.4 Dynamic VLAN Troubleshooting ............16-123 16.7 GVRP C ..................16-124 ONFIGURATION 16.7.1 Introduction to GVRP ................16-124 ...
  • Page 5 19.1.2 QoS Implementation ................19-151 19.1.3 Basic QoS Model ................... 19-152 19.2 Q ................19-155 ONFIGURATION 19.3 Q ....................19-159 XAMPLE 19.4 Q ..................19-161 ROUBLESHOOTING CHAPTER 20 FLOW-BASED REDIRECTION ........... 20-162 ...
  • Page 6: Chapter 21 Flexible QinQ Configuration

    23.4 ARP S ......... 23-179 CANNING REVENTION ROUBLESHOOTING CHAPTER 24 PREVENT ARP SPOOFING CONFIGURATION ....24-180 24.1 O ......................24-180 VERVIEW 24.1.1 ARP (Address Resolution Protocol)............. 24-180 24.1.2 ARP Spoofing ..................24-180 ...
  • Page 7 29.2.1 Option 82 Working Mechanism ............29-209 29.3 DHCP 82 C ............29-210 OPTION ONFIGURATION 29.4 DHCP 82 A ............29-213 OPTION PPLICATION XAMPLES 29.5 DHCP 82 T ..............29-215 OPTION ROUBLESHOOTING ...
  • Page 8 ULTICAST ROTOCOL VERVIEW 34.1.1 Introduction to Multicast ............... 34-239 34.1.2 Multicast Address .................. 34-240 34.1.3 IP Multicast Packet Transmission ............34-241 34.1.4 IP Multicast Application ................ 34-241 34.2 DCSCM ......................34-242 ...
  • Page 9 38.1.2 The Work Mechanism of 802.1x............38-283 38.1.3 The Encapsulation of EAPOL Messages ..........38-283 38.1.4 The Encapsulation of EAP Attributes ..........38-285 38.1.5 The Extension and Optimization of 802.1x .......... 38-290 ...
  • Page 10 41.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence 41- 41.3 S ................41-310 ECURITY EATURE XAMPLE CHAPTER 42 TACACS+ CONFIGURATION ..........42-311 42.1 I TACACS+ ................42-311 NTRODUCTION TO 42.2 TACACS+ C ..............42-311 ONFIGURATION ...
  • Page 11 NTERMEDIATE GENT 47.1.1 Brief Introduction to PPPoE ..............47-333 47.1.2 Introduction to PPPoE IA ..............47-333 47.2 PPP ........47-337 NTERMEDIATE GENT ONFIGURATION 47.3 PPP ..........47-339 NTERMEDIATE GENT YPICAL PPLICATION ...
  • Page 12 52.3 ULPP T ................... 52-367 YPICAL XAMPLES 52.3.1 ULPP Typical Example1 ................ 52-367 52.3.2 ULPP Typical Example2 ................ 52-369 52.4 ULPP T ................... 52-370 ROUBLESHOOTING CHAPTER 53 ULSM CONFIGURATION ............ 53-371 ...
  • Page 13 ................ 58-390 UMMER ROUBLESHOOTING CHAPTER 59 MONITOR AND DEBUG ............. 59-391 59.1 P ........................59-391 59.2 P 6 ......................... 59-391 59.3 T ....................... 59-391 RACEROUTE 59.4 T 6 ..................... 59-392 RACEROUTE ...
  • Page 14 EBUGGING AND IAGNOSIS FOR ACKETS ECEIVED AND ENT BY CHAPTER 62 COMMANDS FOR BASIC SWITCH CONFIGURATION ..62-401 62.1 C ............... 62-401 OMMANDS FOR ASIC ONFIGURATION 62.1.1 authentication line ................. 62-401 ...
  • Page 15: Chapter 1 Switch Management

    PC ma such as HyperTerminal included in Windows 9x/NT/2000/XP. One end attach to the RS-232 serial port, the other end to the Console Serial port cable port. Switch Functional Console port required. ...
  • Page 16 4) COM1 property appears, select “9600” for “Baud rate”, “8” for “Data bits”, “none” for “Parity checksum”, “1” for stop bit and “none” for traffic control; or, you can also click “Restore default” and click “OK”. ...
  • Page 17 --- Performing Power-On Self Tests (POST) --- DRAM Test....PASS! PCI Device 1 Test....PASS! FLASH Test....PASS! FAN Test.....PASS! Done All Pass. ------------------ DONE --------------------- Current time is SUN JAN 01 00:00:00 2006 …… Switch> ...
  • Page 18: In-Band Management

    The following describes the steps for a Telnet client to connect to the switch’s VLAN1 interface by Telnet(IPV4 address example): Connected with cable Manage the switch by Telnet Step 1: Configure the IP addresses for the switch and start the Telnet Server function on the switch. ...
  • Page 19 Telnet users must be configured with the following command: username <username> privilege <privilege> [password (0|7) <password>]. To open the local authentication style with the following command: ...
  • Page 20 Similar to management the switch via Telnet, as soon as the host succeeds to ping/ping6 an IPv4/IPv6 address of the switch and to type the right login password, it can access the switch via HTTP. The configuration list is as below: ...
  • Page 21 <password>]. To open the local authentication style with the following command: authentication line web login local. Privilege option must exist and just is 15. Assume an authorized user in the switch has a username of “admin”, and password of “admin”, the ...
  • Page 22: CLI Interface

    Those commands are categorized according to their functions in switch configuration and management. Each category represents a different configuration mode. The Shell for the switch is described below: Configuration Modes Configuration Syntax Shortcut keys Help function ...
  • Page 23: Configuration Modes

    Admin Mode from any configuration mode (except User Mode). Under Admin Mode, the user can query the switch configuration information, connection status and traffic statistics of all ports; and the user can further enter the Global Mode from Admin ...
  • Page 24 Type the ip dhcp pool <name> command under Global Mode will enter the DHCP Address Pool Mode prompt “Switch(Config-<name>-dhcp)#”. DHCP address pool properties can be configured under DHCP Address Pool Mode. Run the exit command to exit the DHCP Address Pool Mode to Global Mode. ...
  • Page 25: Configuration Syntax

    This is a command with only a keyword and no parameter, just type in the command to run. vlan <vlan-id>, parameter values are required after the keyword. ...
  • Page 26: Shortcut Key Support

    There are two ways in Switch for the user to access help information: the “help” command and the “?”. Access to Help Usage and function Under any command line prompt, type in “help” and press Enter will get Help a brief description of the associated help system. ...
  • Page 27: Input Verification

    For example: For command “show interfaces status ethernet1/1”, typing “sh in status ethernet1/1” will work. However, for command “show running-config”, the system will report a “> Ambiguous ...
  • Page 28 “show r” is entered, as Shell is unable to tell whether it is “show run” or “show running-config”. Therefore, Shell will only recognize the command if “sh ru” is entered. ...
  • Page 29: Chapter 2 Basic Switch Configuration

    Show current CPU utilization rate. show memory usage Show memory usage rate. Global Mode banner motd <LINE> Configure information displayed when login no banner motd authentication of a telnet or console user is successful. ...
  • Page 30: Telnet Management

    Configure the secure IP address to login to the no authentication securityip <ip- switch through Telnet: the no command deletes addr> the authorized Telnet secure address. authentication securityipv6 <ipv6- Configure IPv6 security address to login to the ...
  • Page 31 2. Telnet to a remote host from the switch Command Explanation Admin Mode telnet [vrf <vrf-name>] {<ip-addr> | Login to a remote host with the Telnet client <ipv6-addr> | host <hostname>} included in the switch. [<port>] ...
  • Page 32 Display SSH debug information on the SSH client terminal monitor side; the no command stops displaying SSH debug terminal no monitor information on the SSH client side. 2.2.2.3 Example of SSH Server Configuration ...
  • Page 33: Configure Switch IP Addresses

    IP addresses, gateway addresses and DNS server addresses to DHCP clients DHCP Server configuration is detailed in later chapters. 2.3.1 Switch IP Addresses Configuration Task List Enable VLAN port mode Manual configuration BOOTP configuration DHCP configuration ...
  • Page 34 Enable the switch to be a DHCP client and obtain IP ip bootp-client enable address and gateway address through DHCP no ip bootp-client enable negotiation; the no command disables the DHCP client function. ...
  • Page 35: SNMP Configuration

    Inform-Request is mainly used for inter-NMS communication in the layered network management. USM ensures the transfer security by well-designed encryption and authentication. USM encrypts the messages according to the user typed password. This mechanism ensures that ...
  • Page 36: Introduction To MIB

    [RFC1213]. MIB-II expands MIB-I and keeps the OID of MIB tree in MIB-I. MIB-II contains sub-trees which are called groups. Objects in those groups cover all the functional domains in ...
  • Page 37: Introduction To RMON

    Configure SNMP community string Configure IP address of SNMP management base Configure engine ID Configure user Configure group Configure view Configuring TRAP Enable/Disable RMON 1. Enable or disable SNMP Agent server function Command Explanation ...
  • Page 38 5. Configure user Command Explanation Global Mode snmp-server user <use-string> <group-string> Add a user to a SNMP group. This [{authPriv | authNoPriv} auth {md5 | sha} <word>] command is used to configure USM ...
  • Page 39 <host-ipv6-address> } {v1 | v2c | {v3 community string; for SNMP v3, this {noauthnopriv | authnopriv | authpriv}}} <user- command also configures Trap user name and security level. The “no” string> ...
  • Page 40: Typical SNMP Configuration Examples

    Switch(config)#snmp-server enable Switch(config)#snmp-server host 1.1.1.5 v1 usertrap Switch(config)#snmp-server enable traps Scenario 3: NMS uses SNMP v3 to obtain information from the switch. The configuration on the switch is listed below: Switch(config)#snmp-server ...
  • Page 41: SNMP Troubleshooting

    The switch enabled SNMP Agent server function (use “snmp-server” command) Secure IP for NMS (use “snmp-server securityip” command) and community string (use “snmp-server community” command) are correctly configured, as any of them fails, SNMP will ...
  • Page 42: Switch Upgrade

    This two update method will be explained in details in following two sections. 2.5.2 BootROM Upgrade There are two methods for BootROM upgrade: TFTP and FTP, which can be selected at BootROM command settings. ...
  • Page 43 Enable FTP/TFTP server in the PC. For TFTP, run TFTP server program; for FTP, run FTP server program. Before start downloading upgrade file to the switch, verify the connectivity between the server and the switch by ping from the server. If ping succeeds, run “load” ...
  • Page 44 Step 8: After successful upgrade, execute run or reboot command in BootROM mode to return to CLI configuration interface. [Boot]: run (or reboot) Other commands in BootROM mode 1. DIR command ...
  • Page 45: FTP/TFTP Upgrade

    In passive connection, the client, through management connection, notify the server to establish a passive connection. The server then creates its own data listening port and informs ...
  • Page 46 Running configuration file: refers to the running configuration sequence use in the switch. In ...
  • Page 47 (1) FTP/TFTP client upload/download file Command Explanation Admin Mode copy <source-url> <destination- FTP/TFTP client upload/download file. url> [ascii | binary] (2) For FTP client, server file list can be checked. Admin Mode ...
  • Page 48 Set maximum retransmission time within timeout timeout <seconds> interval. (3) Modify TFTP server connection retransmission time Command Explanation Global Mode tftp-server retransmission- Set the retransmission time for TFTP server. number <number> ...
  • Page 49 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit Switch(config)#exit Switch#copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img With the above commands, the switch will have the “nos.img” file in the computer downloaded to the FLASH. TFTP Configuration Computer side configuration: ...
  • Page 50 Login to the switch with any TFTP client software, use the “tftp” command to download “nos.img” file from the switch to the computer. Scenario 4: Switch acts as FTP client to view file list on the FTP server. Synchronization ...
  • Page 51 FTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity. The following is what the message displays when files are successfully transferred. Otherwise, ...
  • Page 52 The following is the message displays when files are successfully transferred. Otherwise, please verify link connectivity and retry “copy” command again. nos.img file length = 1526021 read file ok begin to send file, wait... file transfers complete. ...
  • Page 53 If the system file and system start up file upgrade through TFTP fails, please try upgrade again or use the BootROM mode to upgrade. ...
  • Page 54: Chapter 3 Cluster Configuration

    The commander switch can upgrade and configure any member switches in the cluster 3.2 Cluster Network Management Configuration Sequence Cluster Network Management Configuration Sequence: Enable or disable cluster function Create cluster ...
  • Page 55 Create or delete a cluster. no cluster commander cluster member {nodes-sn <nodes-sn> | mac-address <mac-addr> [id <member- Add or remove a member switch. id> ] | auto-to-user} no cluster member {id <member-id> | ...
  • Page 56 [id <member-id> | In the commander switch, this command is mac-address <mac-addr>] used to reset the member switch. cluster update member <member-id> In the commander switch, this command is ...
  • Page 57 The four switches SW1-SW4, amongst the SW1 is the command switch and other switches are member switch. The SW2 and SW4 is directly connected with the command switch, SW3 connects to the command switch through SW2. ...
  • Page 58 Whether the connection between the command switch and the member switch is correct. We can use the debug cluster packets to check if the command and the member switches can receive and process related cluster admin packets correctly. ...
  • Page 59 (9) Configure broadcast storm control function for the switch (10) Configure scan port mode (11) Configure rate-violation control of the port (12) Configure interval of port-rate-statistics 3. Virtual cable test 1. Enter the Ethernet port configuration mode Command Explanation ...
  • Page 60 {dlf | broadcast | unknown destinations (short for broadcast), and multicast} <Kbits> sets the allowed broadcast packet number; the no format of this command disables the ...
  • Page 61: Port Configuration Example

    4.3 Port Configuration Example Switch 1/10 Switch Switch Port Configuration Example No VLAN has been configured in the switches, default VLAN1 is used. Switch Port Property Switch1 Ingress bandwidth limit: 50 M ...
  • Page 62: Port Troubleshooting

    If such combinations are set, the port throughput may fall below the expected performance. ...
  • Page 63: Introduction To Port Isolation

    <WORD> command will remove one port or a group of ports switchport interface [ethernet] out of a port isolation group. <IFNAME> ...
  • Page 64 The uplink port can communicate with any port normally. The configuration of S1: Switch(config)#isolate-port group test Switch(config)#isolate-port group test switchport interface ethernet 1/1;1/10 ...
  • Page 65 MAC address learning control) can maintain that automatically, which will not only reduce the burden of network managers but also response time, minimizing the effect caused loopbacks to the network. ...
  • Page 66 Explanation Admin Mode Enable the debug information of the function module debug loopback-detection of port loopback detection. The no operation of this no debug loopback-detection command will disable the debug information. ...
  • Page 67 The configuration task sequence of SWITCH: Switch(config)#loopback-detection interval-time 35 15 ...
  • Page 68 Switch(Config-Mstp-Region)#instance 1 vlan 1 Switch(Config-Mstp-Region)#instance 2 vlan 2 Switch(Config-Mstp-Region)# 6.4 Port Loopback Detection Troubleshooting The function of port loopback detection is disabled by default and should only be enabled if required. ...
  • Page 69 This kind of problem often appears in the following situations: GBIC (Giga Bitrate Interface Converter) or interfaces have problems, software problems, hardware becomes unavailable or operates abnormally. Unidirectional link will cause a series of problems, such as spanning tree topological loop, broadcast black hole. ...
  • Page 70 8. Reset the port shut down by ULDP 9. Display and debug the relative information of ULDP 1. Enable ULDP function globally Command Explanation Global configuration mode uldp enable Globally enable or disable ULDP function. uldp disable ...
  • Page 71 7. Configure the interval of Recovery Command Explanation Global configuration mode uldp recovery-time <integer> Configure the interval of Recovery reset, ranging from no uldp recovery-time <integer> 30 to 86400 seconds. The value is 0 second by ...
  • Page 72 Enable or disable the content detail of a ethernet <IFname> particular type of messages can be received and no debug uldp {hello|probe|echo| sent on the specified port. unidir|all} [receive|send] interface ethernet <IFname> ...
  • Page 73 As a result, port g1/1, g1/2 of SWITCH A are all shut down by ULDP, and there is notification information on the CRT terminal of PC1. %Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/1 need to be shutted ...
  • Page 74: ULDP Troubleshooting

    ULDP function is disabled by default. After globally enabling ULDP function, the debug switch can be enabled simultaneously to check the debug information. There are several DEBUG commands provided to print debug information, such as information of events, state machine, ...
  • Page 75 Reset command and reset mechanism can only reset the ports automatically shut down by ULDP. The ports shut down manually by users or by other modules won’t be reset by ULDP. ...
  • Page 76 IP subnets at best. This kind of data are very primitive, only referring to basic events like the adding and removing of relative devices instead of details about where and how these devices operate with the network. ...
  • Page 77 2. Configure the port-base LLDP function switch Command Explanation Port Mode lldp enable Configure the port-base LLDP function switch. lldp disable 3. Configure the operating state of port LLDP Command Explanation Port Mode ...
  • Page 78 9. Configure the optional information-sending attribute of the port Command Explanation Port Configuration Mode lldp transmit optional Configure the optional information-sending attribute [portDesc] [sysName] [sysDesc] of the port as the option value of default values. ...
  • Page 79 Enable or disable the DEBUG packet-receiving and no debug lldp packets interface sending function in port or global mode. ethernet <IFNAME> Port configuration mode clear lldp remote-table Clear Remote-table of the port. ...
  • Page 80: Lldp Function Typical Example

    LLDP function is disabled by default. After enabling the global switch of LLDP, users can enable the debug switch “debug lldp” simultaneously to check debug information. Using “show” function of LLDP function can display the configuration information in global or port configuration mode. +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 81: Introduction To Port Channel

    LACP (Link Aggregation Control Protocol) dynamic Port Channel creation. Port aggregation can only be performed on ports in full-duplex mode. For Port Channel to work properly, member ports of the Port Channel must have the same properties as follows: +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 82: Brief Introduction To Lacp

    The port aggregation is that multi-ports are aggregated to form an aggregation group, so as to implement the out/in load balance in each member port of the aggregation group and provides the better reliability. +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 83: Static Lacp Aggregation

    9.3 Port Channel Configuration Task List 1. Create a port group in Global Mode 2. Add ports to the specified group from the Port Mode of respective ports 3. Enter port-channel configuration mode +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 84 5. Set the system priority of LACP protocol Command Explanation Global mode lacp system-priority <system-priority> Set the system priority of LACP protocol, the no lacp system-priority no command restores the default value. +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 85: Port Channel Examples

    All the ports should be connected with cables. The configuration steps are listed below: Switch1#config Switch1(config)#interface ethernet 1/1-4 Switch1(Config-If-Port-Range)#port-group 1 mode active Switch1(Config-If-Port-Range)#exit +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 86 “on” mode. Ports 6, 8, 9, 10 of S2 are access ports and add them to group2 with “on” mode. The configuration steps are listed below: Switch1#config Switch1(config)#interface ethernet 1/1 Switch1(Config-If-Ethernet1/1)#port-group 1 mode on Switch1(Config-If-Ethernet1/1)#exit Switch1(config)#interface ethernet 1/2 +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 87: Port Channel Troubleshooting

    VLAN properties, etc. If inconsistency occurs, make corrections. Some commands cannot be used on a port in port-channel, such as arp, bandwidth, ip, ip- forward, etc.
  • Page 88 Configure the MTU size of JUMBO frame, enable the jumbo enable [<mtu-value>] receiving/sending function of JUMBO frame. The no no jumbo enable command disables sending and receiving function of JUMBO frames.
  • Page 89 EFM OAM is established on the basis of OAM connection, it provides a link operation management mechanism such as link monitoring, remote fault detection and remote loopback testing, the simple introduction for EFM OAM in the following:
  • Page 90 In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer. As Information OAMPDUs are exchanged continuously across established OAM
  • Page 91 First Mile with Ethernet access. For user, the connection between user to telecommunication is “the First Mile”, for service provider, it is “the Last Mile”.
  • Page 92: Efm Oam Configuration

    <seconds> (optional), no command restores the default no ethernet-oam period value. ethernet-oam timeout <seconds> Configure timeout of EFM OAM connection, no no ethernet-oam timeout command restores the default value.
  • Page 93 {threshold low <low-frame-seconds> | Configure the low threshold and window period window <seconds>} of errored frame seconds event, no command no ethernet-oam errored-frame- restores the default value. (optional) seconds {threshold low | window }
  • Page 94 {high-frame-seconds | Configure the high threshold of errored frame none} seconds event, no command restores the default no ethernet-oam errored-frame- value. (optional) seconds threshold high
  • Page 95: Efm Oam Example

    If a problem occurs when using EFM OAM, check whether it is caused by one of the following: Check whether the OAM entities at both ends of the link are in passive mode. If so, an EFM OAM connection cannot be established between the two OAM entities.
  • Page 96 Ensuring the used board supports remote loopback function. Port should not configure STP, MRPP, ULPP, Flow Control, loopback detection functions after it enables OAM loopback function, because OAM remote loopback function and these functions are mutually exclusive.
  • Page 97 <value> [vlan <vlan-list>] switchport port-security violation {protect | When exceeding the maximum number of restrict | shutdown} configured MAC addresses, no switchport port-security violation address accessing the interface does not
  • Page 98: Example Of Port Security

    MAC addresses as 1, only HOST A or HOST B is able to access the internet. Configuration process: #Configure the switch. Switch(config)#interface Ethernet 1/1 Switch(config-if-ethernet1/1)#switchport port-security
  • Page 99 If problems occur when configuring PORT SECURITY, please check whether the problem is caused by the following reasons: Check whether PORT SECURITY is enabled normally Check whether the valid maximum number of MAC addresses is configured
  • Page 100: Brief Introduction To Ddm

    Digital Diagnostic function. Besides, the state of Tx Fault and Rx LOS is important for analyzing the fault. 3. Compatibility verification
  • Page 101: Ddm Function

    When the user finds the abnormity information of the fiber module, the fiber module information may be remonitored
  • Page 102: Ddm Configuration Task List

    Command Explanation Global mode transceiver-monitoring interval Set the interval of the transceiver monitor. The <minutes> no command sets the interval to be the default no transceiver-monitoring interval interval of 15 minutes.
  • Page 103: Examples Of Ddm

    Switch#show transceiver Interface Temp (°C) Voltage (V) Bias (mA) RX Power (dBM) TX Power (dBM) 1/21 3.31 6.11 -30.54(A-) -6.01
  • Page 104 Ethernet 1/21 transceiver detail information: Base information: SFP found in this port, manufactured by QTECH, on Sep 29 2010. Type is 1000BASE-SX, Link length is 550 m for 50um Multi-Mode Fiber. Link length is 270 m for 62.5um Multi-Mode Fiber.
  • Page 105 The ‘A-’ alarm is raised because -13.01 is less than -12.00. Switch#show transceiver interface ethernet 1/21 detail Ethernet 1/21 transceiver detail information: Base information: …… Brief alarm information: RX loss of signal
  • Page 106 Ethernet 1/21 transceiver threshold-violation information: Transceiver monitor is enabled. Monitor interval is set to 30 minutes. The current time is Jan 02 12:30:50 2011. The last threshold-violation time is Jan 02 11:00:50 2011.
  • Page 107: Ddm Troubleshooting

    Ensure the threshold defined by the user is valid. When any threshold is error, the transceiver will give an alarm according to the default setting automatically.
  • Page 108 MED Extended Power-Via-MDI TLV. The no no lldp transmit med tlv extendPoe command disables the capability. lldp transmit med tlv inventory Configure the port to send LLDP-MED
  • Page 109 LLDP packets with LLDP-MED TLV, this no lldp med fast count command is used to set the value of the fast sending packets, the no command restores the default value.
  • Page 110 SwitchB (Config-If-Ethernet1/1)# network policy voice tag tagged vid 10 cos 5 dscp 15 SwitchA (Config-If-Ethernet1/1)# exit SwitchA (config)#interface ethernet1/2 SwitchA (Config-If-Ethernet1/2)# lldp enable SwitchA (Config-If-Ethernet1/2)# lldp mode both 2) Configure Switch B SwitchB (config)#interface ethernet1/1
  • Page 111 Media Policy Vlan id :10 Media Policy Priority :3 Media Policy Dscp :5 Power Type : PD Power Source :Primary power source Power Priority :low Power Value :15.4 (Watts) Hardware Revision:
  • Page 112 Ethernet1/2 of switch A. 2) LLDP-MED device is able to send LLDP packets with MED TLV forwardly, so the corresponding Remote table with LLDP MED information on Ethernet1/1 of switch A.
  • Page 113 If neighbor device has sent LLDP-MED information to network connection device, but there is no LLDP-MED information by checking show lldp neighbors command, that means LLDP-MED information sent by neighbor is error.
  • Page 114 When Layer 2 protocol packets cannot implement the passthrough across the service provider network, the user’s network cannot process independent Layer 2 protocol calculation (for example, spanning tree calculation), so they affect each other.
  • Page 115 When Layer 2 protocol packets cannot implement the passthrough across the service provider network, the user’s network cannot process independent Layer 2 protocol calculation (for example, spanning tree calculation), so they affect each other.
  • Page 116 PE2(config-if-ethernet1/1)# bpdu-tunnel lacp PE2(config-if-ethernet1/1)# bpdu-tunnel uldp PE2(config-if-ethernet1/1)# bpdu-tunnel gvrp PE2(config-if-ethernet1/1)# bpdu-tunnel dot1x 15.4 bpdu-tunnel Troubleshooting After port disables stp, gvrp, uldp, lacp and dot1x functions, it is able to configure bpdu-tunnel function.
  • Page 117: Vlan Configuration

    VLAN is separated from the other VLANs. With the aforementioned features, VLAN technology provides us with the following convenience: Improving network performance Saving network resources
  • Page 118: Vlan Configuration Task List

    9. Configure Private VLAN 10. Set Private VLAN association 11. Specify internal VLAN ID 1. Create or delete VLAN Command Explanation Global Mode vlan WORD Create/delete VLAN or enter VLAN Mode no vlan WORD
  • Page 119 6. Set Access port Command Explanation Port Mode switchport access vlan <vlan-id> Add the current port to the specified VLAN. The “no” command restores the default setting. no switchport access vlan
  • Page 120 Command Explanation VLAN mode private-vlan association <secondary-vlan- list> Set/delete Private VLAN association. no private-vlan association 11. Specify internal VLAN ID Command Explanation Global mode vlan <2-4094> internal Specify internal VLAN ID.
  • Page 121: Typical Vlan Application

    In this example, port 1 and port 12 is spared and can be used for management port or for other purposes. The configuration steps are listed below: Switch A: Switch(config)#vlan 2
  • Page 122: Typical Application Of Hybrid Port

    Switch(Config-Vlan2)#switchport interface ethernet 1/2-4 Switch(Config-Vlan2)#exit Switch(config)#vlan 100 Switch(Config-Vlan100)#switchport interface ethernet 1/5-7 Switch(Config-Vlan100)#exit Switch(config)#vlan 200 Switch(Config-Vlan200)#switchport interface ethernet 1/8-10 Switch(Config-Vlan200)#exit Switch(config)#interface ethernet 1/11 Switch(Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)#exit 16.1.4 Typical Application of Hybrid Port Scenario:
  • Page 123 Hybrid untag method. Allow the packets of VLAN 9, 10 to pass with Port 1/9 of Switch B Hybrid untag method. The configuration steps are listed below: Switch A: Switch(config)#vlan 10
  • Page 124 ISP internet, so to provide a simple layer-2 tunnel for the users. It is simple and easy to manage, applicable only by static configuration, and especially adaptive to small office network or small scale metropolitan area network using layer-3 switch as backbone equipment.
  • Page 125 The user network is considerably independent. When the ISP internet is upgrading their network, the user networks do not have to change their original configuration. Detailed description on the application and configuration of dot1q-tunnel will be provided in this section.
  • Page 126 Configuration Explanation VLAN3 Port1 of PE1 and PE2. dot1q-tunnel Port1 of PE1 and PE2. tpid 9100 Configuration procedure is as follows: PE1: Switch(config)#vlan 3 Switch(Config-Vlan3)#switchport interface ethernet 1/1 Switch(Config-Vlan3)#exit Switch(Config)#interface ethernet 1/1
  • Page 127: Introduction To Selective Qinq

    VLAN tags according to user’s requirement, so it is able to implement that packets of different types are assigned to different VLAN by selecting different transmission path. 16.3.2 Selective QinQ Configuration Selective QinQ Configuration Task List:
  • Page 128: Typical Applications Of Selective Qinq

    IP Phone IP Phone IP Phone Vlan 201-300 VLAN 100-200 Eth1/1 Eth1/2 SP Network VLAN1000/2000 Eth1/9 SWITCHB Eth 1/1 Eth 1/2 SWITCHA IP Phone IP Phone IP Phone Vlan 201-300 VLAN 100-200
  • Page 129 VLAN 1000 and VLAN 2000. switch(config-if-ethernet1/2)#interface ethernet 1/9 switch(config-if-ethernet1/9)#switchport mode hybrid switch(config-if-ethernet1/9)#switchport hybrid allowed vlan 1000;2000 tag After the above configuration, packets of VLAN 100 through VLAN 200 from Ethernet1/1 are
  • Page 130: Selective Qinq Troubleshooting

    Application and configuration of VLAN translation will be explained in detail in this section. 16.4.2 VLAN-translation Configuration Configuration task sequence of VLAN-translation: 1. Configure the VLAN-translation function on the port 2. Configure the VLAN-translation relations on the port
  • Page 131 CE2 of the client network with VLAN3. The port1 of PE1 is connected to CE1, port10 is connected to public network; port1 of PE2 is connected to CE2, port10 is connected to public network.
  • Page 132 Normally before using the VLAN-translation, the dot1q-tunnel function needs to be enabled first, to adapt double tag data packet processes VLAN-translation. QoS only matches vlan-id that the packet is translated when vlan-translation and QoS be configured at the same time.
  • Page 133 16.5.3 Typical application of Multi-to-One VLAN Translation Scenario: UserA, userB and userC belong to VLAN1, VLAN2, VLAN3 respectively. Before entering the network layer, data traffic of userA, userB and userC is translated into VLAN 100 by
  • Page 134 Downlink port 1/1 of Switch1 and Switch2 VLAN-translation Configuration procedure is as follows: Switch1, Switch2: switch(Config)# vlan 1-3;100 switch(Config-Ethernet1/1)#switchport mode trunk switch(Config-Ethernet1/1)# vlan-translation n-to-1 1-3 to 100 switch(Config)#interface ethernet 1/5 switch(Config-Ethernet1/5)#switchport mode trunk switch(Config-Ethernet1/5)#exit
  • Page 135: Introduction To Dynamic Vlan

    2048 and 1536 only one of them can be configured. 16.6.2 Dynamic VLAN Configuration Dynamic VLAN Configuration Task Sequence: 1. Configure the MAC-based VLAN function on the port 2. Set the VLAN to MAC VLAN
  • Page 136: Typical Application Of The Dynamic Vlan

    {etype <etype-id> joins/leaves specified VLAN. vlan <vlan-id>|all} 16.6.3 Typical Application of the Dynamic VLAN Scenario: In the office network Department A belongs to VLAN100. Several members of this department
  • Page 137: Dynamic Vlan Troubleshooting

    The solution will be letting the two equipments positively send data packet to the switch (such as ping), to let the switch learn their source MAC, then the two equipments will be able to communicate freely within the dynamic VLAN.
  • Page 138: Gvrp Configuration

    GMRP and GVRP. Therefore, GVRP is a protocol which transmits VLAN attributes to the whole layer 2 network through GARP protocol. A typical application scene A and G switches are not directly connected in layer 2 network; BCDEF are intermediate
  • Page 139: Gvrp Configuration Task List

    Explanation Port mode gvrp Enable/ disable GVRP function of port. no gvrp 3. Enable GVRP function Command Explanation Global mode gvrp Enable/ disable the global GVRP function of no gvrp port.
  • Page 140: Example Of Gvrp

    Connect two workstations to the VLAN100 ports in switch A and B, connect port 11 of Switch A to port 10 of Switch B, and port 11 of Switch B to port 11 of Switch C. The configuration steps are listed below: Switch A: Switch(config)# gvrp
  • Page 141: Gvrp Troubleshooting

    GVRP will not work normally. It is recommended to avoid enabling GVRP and RSTP at the same time in switch. If GVRP needs to be enabled, RSTP function for the ports must be disabled first.
  • Page 142: Introduction To Mac Table

    MAC addresses and the ports; dynamic learning is the process in which the switch learns the mapping between MAC addresses and ports, and updates the MAC table regularly. In this section, we will focus on the dynamic learning process of MAC table.
  • Page 143 300 to 2*300 seconds (ie, in single to double aging time). The 300 seconds here is the default aging time for MAC address entry in switch. Aging time can be modified in switch.
  • Page 144: Forward Or Filter

    VLAN. If the destination MAC address is found in the MAC table but belonging to different VLANs, the switch can only broadcast the unicast frame in the VLAN it belongs to.
  • Page 145: Mac Address Table

    | dynamic} [address <mac-addr>] [vlan <vlan-id>] [interface ethernet <interface-name>] Clear dynamic address table Command Explanation Admin Mode clear mac-address-table dynamic [address <mac-addr>] Clear the dynamic address [vlan <vlan-id>] [interface [ethernet | portchannel] table. <interface-name>]
  • Page 146: Typical Configuration

    Switch(config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 17.4 MAC Table Troubleshooting Using the show mac-address-table command, a port is found to be failed to learn the MAC of a device connected to it. Possible reasons:
  • Page 147: Mac Address Binding

    1. Enable MAC address binding function for the ports Command Explanation Port Mode switchport port-security Enable MAC address binding function for the port and no switchport port-security lock the port. When a port is locked, the MAC address
  • Page 148 <value> switchport port-security violation Set the violation mode for the port; the “no {protect | shutdown} [recovery command <30-3600>] switchport port-security violation” no switchport port-security restores the default setting. violation
  • Page 149: Mac Notification

    MAC Notification function depends on the notification. Add or remove the MAC address, namely, when the device is added or removed, it will notify administrator about the changing by the trap function of snmp. 17.6.2 MAC Notification Configuration Mac notification configuration task list:
  • Page 150 <0-500> Configure the history table size, the no no mac-address-table notification history- command restores the default value. size 5. Configure the trap type of MAC notification supported by the port
  • Page 151: Mac Notification Example

    Switch(config)# mac-address-table notification interval 5 Switch(config)# mac-address-table notification history-size 100 Switch(Config-If-Ethernet1/4)# mac-notification both 17.6.4 MAC Notification Troubleshooting Check whether trap message is sent successfully by show command and debug command of snmp.
  • Page 152: Introduction To Mstp

    The bridges with the same 3 above attributes are considered as in the same MST region. When the MSTP calculates CIST in a bridged-LAN, a MSTP region is considered as a bridge. See the figure below:
  • Page 153 CST, which includes all MST regions and all legacy STP bridges in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 154: Port Roles

    9. Configure the FLUSH mode once topology changes 1. Enable MSTP and set the running mode Command Explanation Global Mode and Port Mode spanning-tree Enable/Disable MSTP. no spanning-tree Global Mode spanning-tree mode {mstp|stp|rstp} Set MSTP running mode.
  • Page 155 3. Configure MSTP region parameters Command Explanation Global Mode spanning-tree mst configuration Enter MSTP region mode. The no no spanning-tree mst configuration command restores the default setting. MSTP region mode
  • Page 156 [bpdufilter| bpduguard] boundary port. bpdufilter receives the [recovery <30-3600>] BPDU discarding; bpduguard receives no spanning-tree portfast the BPDU will disable port; no parameter receives the BPDU, the port becomes a
  • Page 157 8. Configure the snooping attribute of authentication key Command Explanation Port Mode Set the port to use the authentication spanning-tree digest-snooping string of partner port. The no command no spanning-tree digest-snooping restores to use the generated string.
  • Page 158: Mstp Example

    The no command restores to use the no spanning-tree tcflush global configured flush mode. 18.3 MSTP Example The following is a typical MSTP application example: Switch1 Switch2 Switch3 Switch4 Typical MSTP Application Scenario
  • Page 159 Step 3: Set Switch3 as the root bridge of Instance 3; Set Switch4 as the root bridge of Instance Set the bridge priority of Instance 3 in Switch3 as 0. Set the bridge priority of Instance 4 in Switch4 as 0. The detailed configuration is listed below:
  • Page 160 Switch3(config)#vlan 40 Switch3(Config-Vlan40)#exit Switch3(config)#vlan 50 Switch3(Config-Vlan50)#exit Switch3(config)#spanning-tree mst configuration Switch3(Config-Mstp-Region)#name mstp Switch3(Config-Mstp-Region)#instance 3 vlan 20;30 Switch3(Config-Mstp-Region)#instance 4 vlan 40;50 Switch3(Config-Mstp-Region)#exit Switch3(config)#interface e1/1-7 Switch3(Config-Port-Range)#switchport mode trunk Switch3(Config-Port-Range)#exit Switch3(config)#spanning-tree Switch3(config)#spanning-tree mst 3 priority 0
  • Page 161 Because the instance 3 and the instance 4 are only valid in the MSTP region, the following figure only shows the topology of the MSTP region.
  • Page 162 The Topology Of the Instance 0 after the MSTP Calculation Switch2 Switch3 Switch The Topology Of the Instance 3 after the MSTP Calculation Switch2 Switch3 Switch4 The Topology Of the Instance 4 after the MSTP Calculation
  • Page 163: Mstp Troubleshooting

    When users modify the MSTP parameters, they have to be sure about the changes of the topologies. The global configuration is based on the bridge. Other configurations are based on the individual instances.
  • Page 164: Introduction To Qos

    IP packets. Among ToS field can be IP Precedence value or DSCP value. ToS priority IP Precedence: IP priority. Classification information carried in Layer 3 IP packet header, occupying 3 bits, in the range of 0 to 7.
  • Page 165: Qos Implementation

    Based on differentiated service, QoS specifies a priority for each packet at the ingress. The classification information is carried in Layer 3 IP packet header or Layer 2 802.1Q frame header. QoS provides same service to packets of the same priority, while offers different
  • Page 166: Basic Qos Model

    Classification: Classify traffic according to packet classification information and generate internal priority and drop precedence based the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this in detail.
  • Page 167 Remarking uses a new DSCP value of lower priority to replace the original higher level DSCP value in the packet. The following flowchart describes the operations.
  • Page 168 The following flowchart describes the operations during queuing and scheduling.
  • Page 169: Qos Configuration Task List

    Different classes of data streams will be processed with different policies. Configure a policy map After data stream classification, a policy map can be created to associate with the class map
  • Page 170 <class-map-name> [insert-before <class- After a policy map is created, it can be map-name>] associated to a class. Different policy or no class <class-map-name> new DSCP value can be applied to
  • Page 171 Configure port trust; the no command mls qos trust dscp disables the current trust status of the no mls qos trust dscp port. mls qos cos {<default-cos>} Configure the default CoS value of the
  • Page 172 Clear accounting data of the specified ports or clear mls qos statistics [interface VLAN Policy Map. If there are no parameters, <interface-name> | vlan <vlan-id>] clear accounting data of all policy map.
  • Page 173: Qos Example

    4 MB, all packets exceed this bandwidth setting will be dropped. The configuration steps are listed below: Switch#config Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255 Switch(config)#class-map c1 Switch(Config-ClassMap-c1)#match access-group 1 Switch(Config-ClassMap-c1)#exit
  • Page 174 Switch2, set port ethernet 1/1 that connects to Switch1 to trust cos. Thus inside the QoS domain, packets of different priorities will go to different queues and get different bandwidth. The configuration steps are listed below: QoS configuration in Switch1: Switch#config
  • Page 175: Qos Troubleshooting

    COS value equals COS value of the dynamic VLAN. Policy map can only be bound to ingress direction, egress is not supported yet. At present, it is not recommended to synchronously use policy map on VLAN and VLAN’s port.
  • Page 176 <aclname> redirect to interface “no access-group <aclname> [ethernet <IFNAME>|<IFNAME>] redirect” command is used to delete flow- no access-group <aclname> redirect based redirection. 2. Check the current flow-based redirection configuration Command Explanation Global Mode/Admin Mode
  • Page 177 IPv6 ACL; Parameters of Timerange and Portrange can not be set in ACL, the type of ACL should be Permit. The redirection port must be 1000Mb port in the flow-based redirection function.
  • Page 178: Qinq Technique

    The match of flexible QinQ data flow uses policy-map rule of QoS to be sent, the configuration task list is as follows: 1. Create class-map to classify different data flows 2. Create flexible QinQ policy-map to relate with the class-map and set the corresponding operation
  • Page 179 3. Bind flexible QinQ policy-map to port Command Explanation Port mode service-policy <policy-map-name> in Apply a policy-map to a port, the no command no service-policy <policy-map-name> in deletes the specified policy-map applied to the
  • Page 180: Flexible Qinq Example

    DSCP value will be also packed an external tag. In the above figure, the external tag of the second user is different to the first user for distinguishing DSLAM location and locating the user finally.
  • Page 181 Switch(config-classmap-c2)#match ip dscp 20 Switch(config-classmap-c2)#exit Switch(config)#class-map c3 Switch(config-classmap-c3)#match ip dscp 30 Switch(config-classmap-c3)#exit Switch(config)#policy-map p1 Switch(config-policymap-p1)#class c1 Switch(config-policymap-p1-class-c1)# set s-vid 1002 Switch(config-policymap-p1)#class c2 Switch(config-policymap-p1-class-c2)# set s-vid 2002 Switch(config-policymap-p1)#class c3 Switch(config-policymap-p1-class-c3)# set s-vid 3002
  • Page 182: Flexible Qinq Troubleshooting

    Make sure flexible QinQ whether supports the configured class-map and policy-map Make sure ACL includes permit rule if the class-map matches ACL rule Make sure the switch exists enough TCAM resource to send the binding
  • Page 183: Introduction To Layer 3 Management Interface

    2. Configure VLAN interface description Command Explanation VLAN Interface Mode Configure the description information of VLAN interface. description <text> The no command will cancel the description information no description of VLAN interface.
  • Page 184 IP addresses for global IP network nodes in the range of time and space. Moreover, besides increasing address space, IPv6 also enhanced many other essential designs of IPv4. Hierarchical addressing scheme facilitates Route Aggregation, effectively reduces route table
  • Page 185 IPv4 broadcast functions such as Router Discovery and Router Query, IPv6 multicast has completely replaced IPv4 broadcast in the sense of function. Multicast not only saves network bandwidth, but enhances network efficiency as well.
  • Page 186 (1) Configure DAD neighbor solicitation message number (2) Configure send neighbor solicitation message interval (3) Configure static IPv6 neighbor entries (4) Delete all entries in IPv6 neighbor table 1. IPv6 Basic Configuration (1) Configure interface IPv6 address
  • Page 187 Interface Configuration Mode ipv6 neighbor <ipv6-address> Set static neighbor table entries, including neighbor <hardware-address> interface IPv6 address, MAC address and two-layer port. <interface-type interface-name> no ipv6 neighbor <ipv6-address> Delete neighbor table entries.
  • Page 188: Ipv6 Troubleshooting

    If ARP has not been learned, then enable ARP debugging information and view the sending/receiving condition of ARP packets. A defective cable is a common cause of ARP problems and may disable ARP learning.
  • Page 189
  • Page 190 Thus the load of the switch can be effectively decreased. 23.2 ARP Scanning Prevention Configuration Task Sequence Enable the ARP Scanning Prevention function. Configure the threshold of the port-based and IP-based ARP Scanning Prevention Configure trusted ports
  • Page 191 4. Configure trusted IP Command Explanation Global configuration mode anti-arpscan trust ip <ip-address> [<netmask>] Set the trust attributes of IP. no anti-arpscan trust ip <ip-address> [<netmask>] 5. Configure automatic recovery time Command Explanation
  • Page 192 A, the port E1/2 of SWITCH A is connected to file server (IP address is 192.168.1.100/24), and all the other ports of SWITCH A are connected to common PC. The following configuration can
  • Page 193 SwitchB (Config-If-Ethernet 1/1)exit 23.4 ARP Scanning Prevention Troubleshooting Help ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, “debug anti-arpscan”, to view debug information.
  • Page 194: Arp Spoofing

    ARP spoofing first gains access to a normal network environment by counterfeiting a legal IP address, and then sends a great deal of counterfeited ARP application packets to switches. After the switches learn these packets, they will cover the previously correct IP, mapping of MAC
  • Page 195 Disable and enable ARP automatic learning no ip arp-security learnprotect function. 3. Function on changing dynamic ARP to static ARP Command Explanation Global Mode and Port Mode ip arp-security convert Change dynamic ARP to static ARP.
  • Page 196 Switch#config Switch(config)#interface vlan 1 Switch(config-if-vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface ethernet 1/1 Switch(config-if-vlan1)#arp 192.168.2.2 00-00-00-00-00-02 interface ethernet 1/2 Switch(config-if-vlan1)#arp 192.168.2.3 00-00-00-00-00-03 interface ethernet 1/3 Switch(Config-If-Vlan3)#exit Switch(Config)#ip arp-security learnprotect
  • Page 197 If the environment is changing, ARP refresh can be forbidden: once the switch learns an ARP property, it won't be refreshed by a new ARP reply packet, which protects user data from sniffing. Switch#config Switch(config)#ip arp-security updateprotect
  • Page 198 So this will be improper. It is recommended to adopt a FREE RESOURCE related access scheme. Please refer to the related documents for details.
  • Page 199: Arp Guard Configuration

    25.2 ARP GUARD Configuration Task List 1. Configure the protected IP address Command Explanation Port configuration mode arp-guard ip <addr> Configure/delete ARP GUARD address no arp-guard ip <addr>
  • Page 200 To enable gratuitous ARP and configure the ip gratuitous-arp <5-1200> interval to send gratuitous ARP request. no ip gratuitous-arp The no command cancels the gratuitous ARP. 2. Display configurations about gratuitous ARP Command Explanation
  • Page 201 PC1, PC2, PC3, PC4, PC5 are connected to the interface. Gratuitous ARP can be enabled through the following configuration: Configure global gratuitous ARP Switch(config)#ip gratuitous-arp 300 Switch(config)#exit Configure interface gratuitous ARP Switch(config)#interface vlan 10 Switch(Config-if-Vlan10)#ip gratuitous-arp 300 Switch(Config-if-Vlan10)#exit Switch(config) #exit
  • Page 202: Gratuitous Arp

    ARP is configured in both configuration modes, the switch takes the value which is configured in interface configuration mode.
  • Page 203 DHCP broadcast packets sent by the client, therefore no DHCP packets will be sent to the client by the server. In this case, a DHCP relay is required to forward such DHCP packets so
  • Page 204: Dhcp Server Configuration

    2. Configure DHCP Address pool (1) Create/Delete DHCP Address pool Command Explanation Global Mode ip dhcp pool <name> Configure DHCP Address pool. The no no ip dhcp pool <name> operation cancels the DHCP Address pool.
  • Page 205 {[<days>] [<hours>] Set the maximum lease time for the addresses [<minutes>] | infinite} in the address pool; the no command restores
  • Page 206: Dhcp Relay Configuration

    DHCP packets. Adding a DHCP relay makes it unnecessary to configure a DHCP server for each segment, one DHCP server can provide the network configuration parameter for clients from multiple segments, which is not only cost-effective but also management-effective.
  • Page 207 The UDP port 67 is used for DHCP broadcast no ip forward-protocol udp bootps packet forwarding. Interface Configuration Mode ip helper-address <ipaddress> Set the destination IP address for DHCP relay forwarding; “no no ip helper-address <ipaddress> helper-address
  • Page 208: Dhcp Configuration Examples

    In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned with a fixed IP address of 10.16.1.210 and named as “management”. Switch(config)#service dhcp Switch(config)#interface vlan 1 Switch(Config-Vlan-1)#ip address 10.16.1.2 255.255.0.0 Switch(Config-Vlan-1)#exit Switch(config)#ip dhcp pool A Switch(dhcp-A-config)#network 10.16.1.0 24
  • Page 209 10.16.2.0/24. The connectivity between the client gateway and the switch must be ensured for the client to get an IP address from the 10.16.2.0/24 address pool. Scenario 2:
  • Page 210 Note: It is recommended to use the combination of the commands ip forward-protocol udp <port> and ip helper-address <ipaddress>. ip helper-address can only be configured for ports on layer 3 and cannot be configured on layer 2 ports directly. Scenario 3:
  • Page 211: Dhcp Troubleshooting

    VLAN, such a pool should be added if not present, and (This does not indicate switch cannot assign IP address for different segments, see solution 2 for details.) In DHCP service, pools for dynamic IP allocation and manual binding are conflicting, i.e., if
  • Page 212 IP-MAC binding can be configured in one pool. If multiple bindings are required, multiple manual pools can be created and IP-MAC bindings set for each pool. New configuration in the same pool overwrites the previous configuration.
  • Page 213 While locating a server, the DHCP client tries to find a DHCPv6 server by broadcasting a SOLICIT packet to all the DHCP relay delegation and server with broadcast address as FF02::1:2.
  • Page 214: Dhcpv6 Server Configuration

    To configure DHCPv6 address pool (1) To achieve/delete DHCPv6 address pool (2) To configure parameter of DHCPv6 address pool To enable DHCPv6 server function on port 1. To enable/disable DHCPv6 service
  • Page 215 Interface Configuration Mode ipv6 dhcp server <poolname> To enable DHCPv6 server function on specified [preference <value>] [rapid-commit] port, and binding the used DHCPv6 address [allow-hint] pool. no ipv6 dhcp server <poolname>
  • Page 216: Server Configuration

    (2) To configure prefix delegation pool used by DHCPv6 address pool (3) To configure static prefix delegation binding (4) To configure other parameters of DHCPv6 address pool To enable DHCPv6 prefix delegation server function on port
  • Page 217 <client-DUID> [iaid <iaid>] (4) To configure other parameter of DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode dns-server <ipv6-address> To configure DNS server address for DHCPv6 no dns-server <ipv6-address> client.
  • Page 218: Client Configuration

    To enable client prefix delegation request ipv6 dhcp client pd <prefix-name> [rapid- function on specified port, and the prefix commit] obtained associate with universal prefix no ipv6 dhcp client pd configured.
  • Page 219: Dhcpv6 Configuration

    Windows Vista, which is provided with a DHCPv6 client, must be loaded on the PC. Usage guide: Switch3 configuration: Switch3>enable Switch3#config Switch3(config)#service dhcpv6 Switch3(config)#ipv6 dhcp pool EastDormPool Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100 Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
  • Page 220 Switch2(config)#interface vlan 100 Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64 Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag Switch2(Config-if-Vlan100)#exit Switch2(config)# Switch1 configuration: Switch1(config)#service dhcpv6 Switch2(config)#interface vlan 1 Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:100:1::2/64 Switch2(Config-if-Vlan1)#ipv6 dhcp relay destination 2001:da8:10:1::1
  • Page 221: Dhcpv6 Troubleshooting

    IPv6 address. If configured, it should be checked whether the configured IPv6 address is in the same subnet with the DHCPv6 server. If not, please add it to the address pool.
  • Page 222 Len: the number of bytes in the Agent Information Field, not including the two bytes in the Code segment and Len segment. Option 82 can have several sub-options, and needs at least one sub-option. RFC3046 defines the following two sub-options, whose formats are shown as follows:
  • Page 223: Option 82 Working Mechanism

    Then it will forward the reply message with DHCP configuration information and option 82 information to DHCP Relay Agent. 4) DHCP Relay Agent will peel the option 82 information from the reply message sent by
  • Page 224: Dhcp Option 82 Configuration

    82 segment in the existing message with its own option 82, and forward
  • Page 225 4. Configure DHCP option 82 default format of Relay Agent Command Explanation Global mode ip dhcp relay information option Set subscriber-id format of Relay Agent subscriber-id format {hex | acsii | vs-hp} option82.
  • Page 226 DHCP option 82 in the system, including option82 enabling switch, show ip dhcp relay information option the interface retransmitting policy, the circuit ID mode and the DHCP server option82 enabling switch.
  • Page 227 The following is the configuration of Switch3(MAC address is 00:1f:ce:02:33:01): Switch3(Config)#service dhcp Switch3(Config)#ip dhcp relay information option Switch3(Config)#ip forward-protocol udp bootps Switch3(Config)#interface vlan 3 Switch3(Config-if-vlan3)#ip address 192.168.10.222 255.255.255.0 Switch3(Config-if-vlan2)#ip address 192.168.102.2 255.255.255.0 Switch3(Config-if-vlan2)#ip helper 192.168.10.88
  • Page 228 Now, the DHCP server will allocate addresses for the network nodes from Switch1 which are relayed by Switch3 within the range of 192.168.102.21 ~ 192.168.102.50, and allocate addresses for the network nodes from Switch1 within the range of 192.168.102.51 ~ 192.168.102.80.
  • Page 229 82 information of the request message and the option 82 information returned by the reply message.
  • Page 230 Configure option 60 character string with IP format in ip dhcp option 60 ip A.B.C.D pool mode. option 43 ip A.B.C.D Configure option 43 character string with IP format in ip dhcp
  • Page 231 Check whether service dhcp function is enabled If the address pool configured option 60, check whether it matches with the option 60 of the packets
  • Page 232 However, RFC4649 and RFC4580 do not define how to use option 37 and option 38 for DHCPv6 server; users can use them flexibly according to their own demands.
  • Page 233 38; policy keep, the system keeps option 38 unchanged and forwards the packet to the server; replace, the system replaces option 38 of
  • Page 234 Global mode This command enables the switch relay to ipv6 dhcp relay remote-id option support option 37 and the no form of this no ipv6 dhcp relay remote-id option command disables it.
  • Page 235 This command enables DHCPv6 server to ipv6 dhcp server subscriber-id option support the identification of option 38, the no no ipv6 dhcp server subscriber-id option form of this command disables it.
  • Page 236 DHCPv6 class in DHCPv6 address pool address range <start-ip> <end-ip> configuration mode, the no command is used no address range <start-ip> <end-ip> to remove the address range. The prefix/plen form is not supported.
  • Page 237 DHCPv6 snooping function is enabled and option 37 and option 38 are configured in Switch A. Switch A configuration: SwitchA(config)#ipv6 dhcp snooping remote-id option SwitchA(config)#ipv6 dhcp snooping subscriber-id option SwitchA(config)#int e 1/1 SwitchA(config-if-ethernet1/1)#ipv6 dhcp snooping trust SwitchA(config-if-ethernet1/1)#exit SwitchA(config)#interface vlan 1 SwitchA(config-if-vlan1)#ipv6 address 2001:da8:100:1::1 SwitchA(config-if-vlan1)#exit
  • Page 238 SwitchB(config)#ipv6 dhcp class CLASS3 SwitchB(dhcpv6-class-class3-config)#remote-id 00-1f-ce-00-00-01 subscriber-id vlan1+Ethernet1/3 SwitchB(dhcpv6-class-class3-config)#exit SwitchB(config)#ipv6 dhcp pool EastDormPool SwitchB(dhcpv6-eastdormpool-config)#class CLASS1 SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#address range 2001:da8:100:1::3 2001:da8:100:1::30 SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#exit SwitchB(dhcpv6-eastdormpool-config)#class CLASS2 SwitchB(dhcpv6-pool-eastdormpool-class-class2-config)#address range 2001:da8:100:1::31 2001:da8:100:1::60 SwitchB(dhcpv6-eastdormpool-config)#class CLASS3 SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#address range 2001:da8:100:1::61 2001:da8:100:1::100
  • Page 239 PCs are generally loaded with Windows Vista system, thus having DHCPv6 client. DHCPv6 relay option schematic Switch2 configuration: S2(config)#service dhcpv6
  • Page 240 DHCPv6 server only checks whether the first DHCPv6 relay adds option37,38 that means only option37,38 of the innermost relay-forw is valid in relay packets.
  • Page 241 DOT1X authentication. Automatic Recovery: A while after the switch shuts down the port or sends a blackhole, it should automatically recover the communication of the port or source MAC and send information to
  • Page 242: Dhcp Snooping Configuration

    1. Enable DHCP Snooping Command Explanation Global mode ip dhcp snooping enable Enable or disable the DHCP snooping function. no ip dhcp snooping enable 2. Enable DHCP Snooping binding Command Explanation
  • Page 243 7. Set helper server address Command Explanation Global mode ip user helper-address A.B.C.D [port <udpport>] source <ipAddr> (secondary|) Set or delete helper server address. no ip user helper-address (secondary|)
  • Page 244 <mac> interface (ethernet|) <ifname> 12. Set defense actions Command Explanation Port mode ip dhcp snooping action Set or delete the DHCP snooping automatic {shutdown|blackhole} [recovery defense actions of ports. <second>]
  • Page 245 Set creation method for option82, users can defined remote-id {hostname | mac | string define the parameters of remote-id suboption
  • Page 246 ID option) format of option 82 as standard. 32.3 DHCP Snooping Typical Application Sketch Map of TRUNK As shown in the above chart, Mac-AA device is the normal user, connected to the non-trusted
  • Page 247: Dhcp Snooping

    Check whether the global DHCP Snooping is enabled; if the port does not react to invalid DHCP Server packets, please check whether the port is set as a non-trusted port of DHCP Snooping.
  • Page 248: Dhcp Option 82 Message Structure

    Len: the number of bytes in the Agent Information Field, not including the two bytes in the Code segment and Len segment. Option 82 can have several sub-options, and needs at least one sub-option. RFC3046 defines the following two sub-options, whose formats are shown as follows:
  • Page 249: Dhcp Snooping Option 82 Working Mechanism

    82 information to DHCP SNOOPING. 4) DHCP SNOOPING will peel the option 82 information from the reply message sent by DHCP server, then the message with DHCP configuration information to perform layer 2
  • Page 250 82 function. 4. Configure trust ports Command Explanation Port mode ip dhcp snooping trust Set or delete DHCP SNOOPING trust no ip dhcp snooping trust attribute of ports.
  • Page 251: Application Examples

    = "Vlan1+Ethernet1/3" and option agent.remote- id=00:1f:ce:02:33:01; subnet 192.168.102.0 netmask 255.255.255.0 { option routers 192.168.102.2; option subnet-mask 255.255.255.0; option domain-name "example.com "; option domain-name-servers 192.168.10.3; authoritative; pool {
  • Page 252 To implement the option 82 function of DHCP SNOOPING, the “debug ip dhcp snooping packet” command can be used during the operating procedure, including adding the option 82 information of the request message, the option 82 information peeled by the reply message.
  • Page 253: Introduction To Multicast

    Multicast transmission process, thus a big alteration of network structure is avoided. The primary advantages of Multicast are: Enhance efficiency: reduce network traffic, lighten the load of server and CPU Optimize performance: reduce redundant traffic Distributed application: Enable Multipoint Application
  • Page 254: Multicast Address

    224.0.0.7 ST Router 224.0.0.8 ST host 224.0.0.9 RIP-2 Router 224.0.0.10 IGRP Router 224.0.0.11 Active Agent 224.0.0.12 DHCP Server/Relay Agent 224.0.0.13 All PIM Routers 224.0.0.14 RSVP Encapsulation 224.0.0.15 All CBT Routers 224.0.0.16 Specified SBM
  • Page 255: Ip Multicast Packet Transmission

    Making use of the Multicast property of network, some new value-added operations can be supplied conveniently. In Information Service areas such as online live broadcast, network TV, remote
  • Page 256: Introduction To Dcscm

    TRUNK port, consequently guarantee the transmission is processed in user-specified priority in the entire network. 34.2.2 DCSCM Configuration Task List Source Control Configuration
  • Page 257 Command Explanation Port Configuration Mode [no] ip multicast source-control access- Used to configure the rules source control uses group <5000-5099> to port, the NO form cancels the configuration. Destination Control Configuration
  • Page 258 Used to configure the rules destination [no] ip multicast destination-control <1-4094> control uses to specify VLAN-MAC, the <macaddr> access-group <6000-7999> NO form cancels the configuration. [no] ip multicast destination-control Used to configure the rules destination
  • Page 259: Dcscm Configuration Examples

    EC(config)#ip igmp snooping EC(config)#ip igmp snooping vlan 2 After that, configure relative destination control access-list, and configure specified IP address to use that access-list. Switch(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255
  • Page 260: Dcscm Troubleshooting

    Switch provides IGMP Snooping and is able to send a query from the switch so that the user can use switch in IP multicast.
  • Page 261: Igmp Snooping Configuration Task List

    <vlan-id> mrouter- Configure static mrouter port of vlan. The no port interface <interface –name> form command cancels this no ip igmp snooping vlan <vlan-id> configuration. mrouter-port interface <interface –name>
  • Page 262 Configure static-group on specified port of the <IFNAME> VLAN. The no form of the command cancels no ip igmp snooping vlan <vlan-id> static- this configuration. group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME>
  • Page 263: Igmp Snooping Examples

    1 of VLAN 100 to be the mrouter port. The configuration steps are listed below: Switch(config)#ip igmp snooping Switch(config)#ip igmp snooping vlan 100 Switch(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/1
  • Page 264 Switch2. In order to send Query at regular interval, IGMP query must enabled in Global mode and in VLAN60. The configuration steps are listed below: SwitchA#config SwitchA(config)#ip igmp snooping SwitchA(config)#ip igmp snooping vlan 60 SwitchA(config)#ip igmp snooping vlan 60 L2-general-querier
  • Page 265: Igmp Snooping Troubleshooting

    Make sure one VLAN is configured as L2 common checker in same mask, or make sure configured static mrouter Use show ip igmp snooping vlan <vid> command check IGMP Snooping information
  • Page 266: Mld Snooping

    Global Mode Enable global MLD Snooping, the “no ipv6 ipv6 mld snooping mld snooping” command disables the no ipv6 mld snooping global MLD snooping. 2. Configure MLD Snooping Command Explanation Global Mode
  • Page 267 The “no” form of this command restores to the no ipv6 mld snooping vlan <vlan-id> default. query-mrsp Configure the query robustness, the “no” form of ipv6 mld snooping vlan <vlan-id> query-robustness <value> this command restores to the default.
  • Page 268: Mld Snooping Examples

    Snooping at the same time enable the MLD Snooping on VLAN 100, furthermore we need to set the port 1 of VLAN 100 as a mrouter port. Configuration procedure is as follows. Switch#config Switch(config)#ipv6 mld snooping
  • Page 269 All the four hosts successfully receive programs they are interested in. port2, 6 receives no traffic from program2 and 3; port10 receives no traffic from program 1 and 3, and port12 receives no traffic from program1 and 2. Scenario 2: MLD L2-general-querier
  • Page 270 SwitchA(config)#ipv6 mld snooping SwitchA(config)#ipv6 mld snooping vlan 60 SwitchA(config)#ipv6 mld snooping vlan 60 l2-general-querier SwitchB#config SwitchB(config)#ipv6 mld snooping SwitchB(config)#ipv6 mld snooping vlan 100 SwitchB(config)#ipv6 mld snooping vlan 100 mrouter interface ethernet 1/1
  • Page 271: Mld Snooping Troubleshooting

    Ensure there is a vlan configured as a L2 general querier, or there is a static mrouter configured in a segment, Use command to check if the MLD snooping information is correct
  • Page 272: Multicast Vlan Configuration

    Associate the specified port with the multicast (ethernet | port-channel|) IFNAME out-tag VLAN, so the associated ports are able to <tag-id> receive the multicast flow. The no command
  • Page 273: Multicast Vlan Examples

    1/1 which belongs to the VLAN10 of the switch. The layer 3 switch switchA is connected with layer 2 switches through the port1/10, which configured as trunk port. On the switchB the
  • Page 274 SwitchB(config-vlan100)exit SwitchB(config)#vlan 101 SwitchB(config-vlan101)#Switchport access ethernet 1/20 SwitchB(config-vlan101)exit SwitchB(config)# interface ethernet 1/10 SwitchB(Config-If-Ethernet1/10)#Switchport mode trunk SwitchB(Config-If-Ethernet1/10)#exit SwitchB(config)#vlan 20 SwitchB(config-vlan20)#multicast-vlan SwitchB(config-vlan20)#multicast-vlan association 100,101 SwitchB(config-vlan20)#exit SwitchB(config)#ip igmp snooping SwitchB(config)#ip igmp snooping vlan 20
  • Page 275 When multicast VLAN supports IPv6 multicast, usage is the same as with IPv4, except that it is used with MLD Snooping, so no example is given.
  • Page 276: Introduction To Acl

    The current firmware only supports ingress ACL configuration. 37.1.3 Access-list Action and Global Default Action There are two access-list actions and default actions: “permit” or “deny”. The following rules apply:
  • Page 277: Acl Configuration Task List

    Create a standard IPv6 access-list based on nomenclature b) Specify multiple permit or deny rule entries c) Exit ACL Configuration Mode 2. Configuring the packet filtering function (1) Enable global packet filtering function (2) Configure default action
  • Page 278 {<sPort> | range <sPortMin> <sPortMax>}] numbered extended access-list of {{<dIpAddr> <dMask>} | any-destination | {host- specified number does not exist, destination <dIpAddr>}} [d-port {<dPort> | range then an access-list will be created
  • Page 279 IP access rule; the “no” form [no] {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} command deletes the name- based standard IP access rule. c. Exit name-based standard IP ACL configuration mode Command Explanation
  • Page 280 UDP IP access rule; the range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | no form command deletes this any-destination | {host-destination <dIpAddr>}} [d-port name-based extended {<dPort> | range <dPortMin> <dPortMax>}] [precedence access rule.
  • Page 281 | tagged-eth2 | untagged-802-3 | tagged-802-3] no access-list <num> numbered extended access-list. (7) Configuring an extended MAC access-list based on nomenclature a. Create an extended MAC access-list based on nomenclature Command Explanation
  • Page 282 [<protocol-mask>]]] [no]{deny|permit}{any-source-mac|{host-source-mac Creates an MAC access rule <host_smac>}|{<smac><smac-mask>}} {any- matching tagged 802.3 frame; the destination-mac|{host-destination- no form command deletes this mac<host_dmac>}|{<dmac><dmac-mask>}} [tagged- MAC access rule. 802-3 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-
  • Page 283 <host_dmac>}|{<dmac><dmac-mask>}}tcp the numbered extended access- {{<source><source-wildcard>}|any-source| {host- list of specified number does not source<source-host-ip>}} [s-port {<port1> | range exist, then an access-list will be <sPortMin> <sPortMax>}] created using this number. {{<destination><destination-wildcard>}|any-
  • Page 284 Create an extensive MAC-IP access-list based on nomenclature Command Explanation Global Mode Creates an extended name-based mac-ip-access-list extended <name> MAC-IP access rule; the no form no mac-ip-access-list extended <name> command deletes this name- based extended MAC-IP access +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 285 [s-port {<port1> | range MAC-TCP access rule; the no form <sPortMin> <sPortMax>}] command deletes this name- {{<destination><destination-wildcard>}|any- based extended MAC-TCP access destination| {host-destination <destination-host-ip>}} rule. [d-port {<port3> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence<precedence>][tos<tos>][time- range<time-range-name>] +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 286 “no {host-source <sIpv6Addr>}} access-list <num>“ command deletes a no ipv6 access-list <num> numbered standard IPv6 access-list. (11) Configuring a standard IPv6 access-list based on nomenclature +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 287 Stop the time range function named no time-range <time_range_name> time_range_name. (2) Configure periodic time range Command Explanation Time range Mode absolute-periodic {Monday | Tuesday | Wednesday | Configure the time range for the +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 288 VLAN; the no command deletes the access-list bound to the port of VLAN. 5. Clear the filtering information of the specified port Command Explanation +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 289: ACL Example

    The configuration requirement is stated as below: The switch should drop all the 802.3 datagram with 00-12-11-23-xx-xx as the source MAC address coming from interface 10. Configuration description: Create the corresponding MAC ACL. Configure datagram filtering.
  • Page 290 Bind the ACL to the related interface. The configuration steps are listed as below.
    Switch(config)#access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
    Switch(config)#access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
  • Page 291 The configuration steps are listed as below.
    Switch(config)#ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-destination
    Switch(config)#ipv6 access-list 600 deny 2003:1:1:1::0/64 any-destination
    Switch(config)#firewall enable
    Switch(config)#interface ethernet 1/10
    Switch(Config-If-Ethernet1/10)#ipv6 access-group 600 in
    Switch(Config-If-Ethernet1/10)#exit
    Switch(config)#exit
    Configuration result:
  • Page 292
    Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics Disable.
    Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable.
    Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable.
    Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics Disable.
  • Page 293: ACL Troubleshooting

    ACL configured in VLAN1 interface mode will be bound to the physical interface. If binding fails, the change will fail as well.
  • Page 294 VLAN, and it will be bound to VLAN 1 ACL (if ACL is configured in VLAN1). If VLAN 1 ACL binding fails, the VLAN removal operation will fail.
  • Page 295 38.1.1 The Authentication Structure of 802.1x The system using 802.1x has a typical Client/Server structure, which contains three entities (as illustrated in the next figure): Supplicant system, Authenticator system, and Authentication server system.
  • Page 296 The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports.
  • Page 297: The Encapsulation Of EAPOL Messages

    EAPOL is a kind of message encapsulation format defined in 802.1x protocol, and is mainly used to transmit EAP messages between the supplicant system and the authenticator system in order to allow the transmission of EAP messages through the LAN. In IEEE 802/Ethernet
  • Page 298 2. The Format of EAP Data Packets When the value of Type domain in EAPOL packet is EAP-Packet, the Packet Body is in EAP format (illustrated in the next figure). The Format of EAP Data Packets
  • Page 299: The Encapsulation Of EAP Attributes

    EAP and CHAP to prevent the access request packets from being eavesdropped. Message-Authenticator should be included in the packets containing the EAP-Message attribute, or the packet will be dropped as an invalid one.
  • Page 300 The 4 most common EAP authentication methods are listed as follows: EAP-MD5 EAP-TLS (Transport Layer Security) EAP-TTLS (Tunneled Transport Layer Security)
  • Page 301 EAP-MD5 is an IETF open standard which provides the least security, since MD5 Hash function is vulnerable to dictionary attacks. The following figure illustrates the basic operation flow of the EAP-MD5 authentication method. The Authentication Flow of 802.1x EAP-MD5
  • Page 302 The following figure illustrates the basic operation flow of the EAP-TLS authentication method. The Authentication Flow of 802.1x EAP-TLS 3. EAP-TTLS Authentication Method EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide an
  • Page 303 In this mode, EAP messages will be terminated in the access control unit and mapped into RADIUS messages, which are used to implement the authentication, authorization and fee-counting. The basic operation flow is illustrated in the next figure.
  • Page 304 When the port-based method is used, as long as the first user of this port passes the authentication, all the other users can access the network resources without being authenticated. However, once the first user is offline, the network won’t be available to all the other users.
  • Page 305: The Features Of VLAN Allocation

    Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on the ports whose link type is Access. 2. Guest VLAN Guest VLAN feature is used to allow the unauthenticated user to access some specified
  • Page 306: X Configuration Task List

    Enables the 802.1x function in the switch and ports; the no no dot1x enable command disables the 802.1x function. dot1x privateclient Enables the switch force client software using private 802.1x enable authentication packet format. The no command will disable this
  • Page 307 Set the single-mode based on portbase dot1x portbased mode single-mode authentication mode; command no dot1x portbased mode single-mode disables this function.
  • Page 308 Sets time to keep silent on port authentication failure; the no <seconds> command restores the default value. no dot1x timeout quiet-period dot1x timeout re-authperiod Sets the supplicant re-authentication interval; the no <seconds> command restores the default setting.
  • Page 309: X Application Example

    VLAN100; the authentication server is in VLAN2; Update Server, being in VLAN10, is for the user to download and update supplicant system software; Ethernet1/6, the port used by the switch to access the Internet is in VLAN5.
  • Page 310 VLAN5, which makes the user and Ethernet1/6 both in VLAN5, allowing the user to access the Internet. The following are configuration steps:
    # Configure RADIUS server.
    Switch(config)#radius-server authentication host 10.1.1.3
  • Page 311 (EAP-Request/Identity) are sent than the upper limit defined, users can check whether the Guest VLAN configured on the port takes effect with the command show vlan id 100.
  • Page 312: Examples Of IPv4 RADIUS Applications

    Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
    Switch(Config-if-vlan1)#exit
    Switch(config)#radius-server authentication host 10.1.1.3
    Switch(config)#radius-server accounting host 10.1.1.3
    Switch(config)#radius-server key test
    Switch(config)#aaa enable
    Switch(config)#aaa-accounting enable
    Switch(config)#dot1x enable
    Switch(config)#interface ethernet 1/2
    Switch(Config-If-Ethernet1/2)#dot1x enable
    Switch(Config-If-Ethernet1/2)#dot1x port-control auto
    Switch(Config-If-Ethernet1/2)#exit
  • Page 313: Examples Of IPv6 RADIUS Application

    Switch(config)#interface vlan 1
    Switch(Config-if-vlan1)#ipv6 address 2004:1:2:3::2/64
    Switch(Config-if-vlan1)#exit
    Switch(config)#radius-server authentication host 2004:1:2:3::3
    Switch(config)#radius-server accounting host 2004:1:2:3::3
    Switch(config)#radius-server key test
    Switch(config)#aaa enable
    Switch(config)#aaa-accounting enable
    Switch(config)#dot1x enable
    Switch(config)#interface ethernet 1/2
    Switch(Config-If-Ethernet1/2)#dot1x enable
    Switch(Config-If-Ethernet1/2)#dot1x port-control auto
    Switch(Config-If-Ethernet1/2)#exit
  • Page 314 RADIUS server; if the event log indicates no such login user, the user login ID and password may be wrong and should be verified and input again.
  • Page 315 MAC address, then shutdown the MAC study function on this port, otherwise, the port can continue its study.
  • Page 316 VLAN option is not <portName> } supported by switch. debug switchport mac count All kinds of debug information when limiting no debug switchport mac count the number of MAC on ports.
  • Page 317 Switch (Config-If-Ethernet1/1)#switchport mac-address dynamic maximum 20 39.4 The Number Limitation Function of MAC in Port Troubleshooting Help The number limitation function of MAC in Port is disabled by default, if users need to limit the
  • Page 318 Port, users can use debug commands to debug every limitation, check the details of number limitations and judge whether the number limitation function is correct. If there is any problem, please send the result to the technical service center.
  • Page 319: Introduction To AM Function

    5. Delete all of the configured IP or MAC-IP or both 6. Display relative configuration information of AM 1. Enable AM function Command Explanation Global Mode am enable Globally enable or disable AM function.
  • Page 320 6. Display relative configuration information of AM Command Explanation Global Configuration Mode Display the AM configuration information of one show am [interface <interface-name>] port or all ports.
  • Page 321: AM Function Troubleshooting

    AM is enabled or not, and AM information on each interface, they can also use “show am [interface <interface-name>]” command to check the AM configuration information on a specific interface. If any operational error happens, the system will display detailed corresponding prompt.
  • Page 322: Security Feature

    41.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence 1. Enable the anti TCP unauthorized label attack function Command Explanation Global Mode
  • Page 323: Anti Port Cheat Function Configuration Task Sequence

    Note: This function is not supported by switch. 41.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence 1. Enable the prevent ICMP fragment attack function 2. Configure the max permitted ICMPv4 net load length Command Explanation Global Mode
  • Page 324: Security Feature Example

    ICMP request packet can not be fragmented and its net length is normally smaller than 100. Configuration procedure:
    Switch(config)# dosattack-check srcip-equal-dstip enable
    Switch(config)# dosattack-check srcport-equal-dstport enable
    Switch(config)# dosattack-check icmp-attacking enable
    Switch(config)# dosattack-check icmpV4-size 100
  • Page 325: Introduction To TACACS

    <seconds>] [key <string>] [primary]] key string of the TACACS+ server; the no no tacacs-server authentication host form of this command deletes the TACACS+
  • Page 326 TACACS+ authentication server; IP address of the server is 10.1.1.3 and the authentication port is defaulted at 49, set telnet log on authentication of the switch as tacacs local, via using TACACS+ authentication server to achieve telnet user authentication.
    Switch(config)#interface vlan 1
  • Page 327 Second all interface and link protocols are in the UP state (use “show interface” command). Then ensure the TACACS+ key configured on the switch is in accordance with the one configured on TACACS+ server. Finally ensure to connect to the correct TACACS+ server.
  • Page 328: Introduction To RADIUS

    The RADIUS protocol uses UDP to deliver protocol packets. The packet format is shown as below. Message structure for RADIUS Code field (1 octet): is the type of the RADIUS packet. Available values for the Code field are shown below: 1 Access-Request 2 Access-Accept
  • Page 329 Framed-Protocol Termination-Action Framed-IP-Address Called-Station-Id Framed-IP-Netmask Calling-Station-Id Framed-Routing NAS-Identifier Filter-Id Proxy-State Framed-MTU Login-LAT-Service Framed-Compression Login-LAT-Node Login-IP-Host Login-LAT-Group Login-Service Framed-AppleTalk-Link Login-TCP-Port Framed-AppleTalk-Network (unassigned) Framed-AppleTalk-Zone Reply-Message 40-59 (reserved for accounting) Callback-Number CHAP-Challenge Callback-Id NAS-Port-Type
  • Page 330 To configure the encryption key for the radius-server key <string> RADIUS server. The no form of this command no radius-server key will remove the configured key. 3. Configure the RADIUS server Command Explanation
  • Page 331 To configure the source IP address for the no radius nas-ipv4 RADIUS packets for the switch. radius nas-ipv6 <ipv6-address> To configure the source IPv6 address for the no radius nas-ipv6 RADIUS packets for the switch.
  • Page 332: RADIUS Typical Examples

    1812, accounting port is defaulted at 1813. Configure steps as below:
    Switch(config)#interface vlan 1
    Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
    Switch(Config-if-vlan1)#exit
    Switch(config)#radius-server authentication host 10.1.1.3
    Switch(config)#radius-server accounting host 10.1.1.3
    Switch(config)#radius-server key test
    Switch(config)#aaa enable
    Switch(config)#aaa-accounting enable
  • Page 333: IPv6 RADIUS Example

    Second all interface and link protocols are in the UP state (use “show interface” command) Then ensure the RADIUS key configured on the switch is in accordance with the one configured on RADIUS server Finally ensure to connect to the correct RADIUS server
  • Page 334 If the RADIUS authentication problem remains unsolved, please use debug aaa and other debugging command and copy the DEBUG message within 3 minutes, send the recorded message to the technical server center of our company.
  • Page 335: Basic Element Of SSL

    A lot of transmission protocols can provide such kind of service in theory, but in actual application, SSL almost always runs on TCP, and does not run on UDP and IP directly.
  • Page 336: SSL Configuration Task List

    44.2 SSL Configuration Task List 1. Enable/disable SSL function 2. Configure/delete port number by SSL used 3. Configure/delete secure cipher suite by SSL used 4. Maintenance and diagnose for the SSL function
  • Page 337: SSL Typical Example

    SSL session will be set up between the switch and the client. When the SSL session has been set up, all the data transmission in the application layer will be encrypted.
  • Page 338 If the SSL problems remain unsolved after above try, please use debug SSL and other debugging command and copy the DEBUG message within 3 minutes, send the recorded message to technical server center of our company.
  • Page 339 2. Enable IPv6 security RA on a port Command Explanation Port Configuration Mode ipv6 security-ra enable Enable and disable IPv6 security RA in port no ipv6 security-ra enable configuration mode.
  • Page 340 We want to set security RA on the 1/2 port of the switch, so that the RA from the illegal user will not affect the normal user. Switch configuration task sequence:
    Switch#config
  • Page 341 Check if the switch is correctly configured. Check if there are rules conflicting with security RA function configured on the switch, this kind of rules will cause RA messages to be forwarded.
  • Page 342 2) Configure the binding-limit of the port 3) Configure the reauthentication time 4) Configure the offline detection time 5) Configure other parameters 1. Enable MAB function Command Explanation Global Mode mac-authentication-bypass enable Enable the global MAB authentication
  • Page 343 Configure the authentication mode and authentication mab {radius | none} priority of MAC address, the no command no authentication mab restores the default authentication mode.
  • Page 344: MAB Example

    Ethernet 1/1 is an access port, belongs to vlan8, connects to update server to download and upgrade the client software. Ethernet 1/2 is an access port, belongs to vlan9, connects to radius server which configure
  • Page 345
    Switch(config-if-ethernet1/2)# switchport hybrid native vlan 1
    Switch(config-if-ethernet1/2)# switchport hybrid allowed vlan 1;8;10 untag
    Switch(config-if-ethernet1/2)# mac-authentication-bypass enable
    Switch(config-if-ethernet1/2)# mac-authentication-bypass enable guest-vlan 8
    Switch(config-if-ethernet1/2)#exit
    Switch(config)#interface ethernet 1/3
    Switch(config-if-ethernet1/3)# switchport mode access
    Switch(config-if-ethernet1/3)# mac-authentication-bypass enable
    Switch(config-if-ethernet1/3)#exit
  • Page 346: MAB Troubleshooting

    Make sure global and port MAB function are enabled; Make sure the correct username and password of MAB authentication are used; Make sure the radius-server configuration is correct.
  • Page 347: Brief Introduction To PPPoE

    PADI (PPPoE Active Discovery Initiation) packet to discover access collector in layer 2 network. Notice: This message may be sent to many access collector of the network. Broadband Access Server responds PADO packet: The second step, server responds PADO
  • Page 348 PPPoE Intermediate Agent exchange process is similar to PPPoE exchange process, for the first exchange process, the access link tag is added to PADI and PADR packets. The exchange process is as follows:
  • Page 349 PPPoE length field (2 bytes): Specify the sum of all TLV length. TLV type field (2 bytes): A TLV frame means a TAG, type field means TAG type, the table is as
  • Page 350 Table 11-1 TAG value type of PPPoE 47.1.2.3 PPPoE Intermediate Agent vendor tag Frame The following is the format of tag added by PPPoE IA, adding tag is the Uppermost function of PPPoE IA.
  • Page 351 47.2 PPPoE Intermediate Agent Configuration Task List 1. Enable global PPPoE Intermediate Agent 2. Enable port PPPoE Intermediate Agent Command Explanation Global Mode pppoe intermediate-agent Enable global PPPoE Intermediate Agent
  • Page 352 Set a port as trust port. no pppoe intermediate-agent trust pppoe intermediate-agent circuit-id <string> Set circuit-id of port. no pppoe intermediate-agent circuit-id pppoe intermediate-agent remote-id Set remote-id of port.
  • Page 353: Typical Application

    ”abcd eth 01/002:0001”, remote-id value is ”0a0b0c0d0e0f” for the added vendor tag of port ethernet1/2. circuit-id value is ”aaaa”, remote-id value is ”xyz” for the added vendor tag of port ethernet1/3.
  • Page 354 Configure a trust port at least, and this port can connect to server. vendor tag strip function must be configured by trust port. Circuit-id override priority is: pppoe intermediate-agent circuit-id < pppoe intermediate-agent identifier-string option delimiter < pppoe intermediate-agent access-node-id.
  • Page 355 5. Configure IP source address for communicating between accessing device and portal server (required) 6. Enable dhcp snooping binding web portal function (optional) 7. Delete the binding information of web portal authentication
  • Page 356 Explanation Global Mode Configure source address webportal nas-ip <ip-address> communicating between accessing device and no webportal nas-ip portal server. 6. Enable dhcp snooping binding web portal function Command Explanation Port Mode
  • Page 357 In the above figure, pc1 is end-user, there is http browser in it, but no 802.1x authentication client, pc1 wants to access the network through web portal authentication. Switch1 is the accessing device, it configures accounting server’s address and port as
  • Page 358
  • Page 359 Configure or delete IP VLAN-ACL. (Egress no vacl ip access-group {<1-299> | WORD} filtering is not supported by switch.) {in | out} vlan WORD 2. Configure VLAN-ACL of MAC type Command Explanation Global mode
  • Page 360 6. Clear statistic information of VLAN-ACL Command Explanation Admin mode Clear the statistic information of VACL. clear vacl [in | out] statistic vlan [<vlan-id>] (Egress filtering is not supported by switch.)
  • Page 361
    Switch(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
    Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
    2) Configure the extended acl_a of IP, at working hours it only allows to access the resource within the internal network (such as 192.168.0.255).
  • Page 362 Each ACL of different types can only apply one on a VLAN, such as the basic IP ACL, each VLAN can applies one only.
  • Page 363: SAVI Configuration

    Configure the check mode for SAVI conflict binding Enable or disable user authentication Enable or disable DHCPv6 trust of port Enable or disable ND trust of port Configure the binding number
  • Page 364 Configure the global max-dad-prepare-delay for SAVI Command Explanation Global mode savi max-dad-prepare-delay <max-dad- Configure the max redetection lifetime prepare-delay> period for SAVI binding, no command no savi max-dad-prepare-delay restores the default value.
  • Page 365 MAC address, no savi ipv6 mac-binding-limit <limit-num> command restores the default value. Note: no savi ipv6 mac-binding-limit The binding number only limits the dynamic binding, but does not limit the static binding number.
  • Page 366 Note: savi ipv6 binding num <limit-num> The binding number only limits the dynamic no savi ipv6 binding num binding, but does not limit the static binding number.
  • Page 367: SAVI Typical Application

    SAVI. Ethernet1/1 and Ethernet1/2 are uplink ports of Switch1 and Switch2 respectively, enable DHCP trust and ND trust functions. Aggregation Switch3 enables DHCPv6 server function and route advertisement function. Configuration steps of SAVI DHCP-SLAAC scene:
    Switch1>enable
  • Page 368: SAVI Troubleshooting

    MAC address. If the binding number exceeds the max binding limit, it is recommended to configure the bigger binding limit.
  • Page 369: Conception Introduction

    Ring linked Ethernet network topology. Each MRPP ring has two states. Health state: The whole ring network physical link is connected. Break state: one or a few physical link break in ring network
  • Page 370 Fail timer: define timer of overtime interval of health examine packet receiving by primary node primary port. The value of Fail timer must be more than or equal to the 3 times of value of Hello timer.
  • Page 371: MRPP Protocol Packet Types

    After the primary node occur ring fail, if the secondary port receives Hello packet sending from primary node, the ring has been restored, at the same time the primary node block its
  • Page 372: MRPP Configuration Task List

    MRPP ring, format “no” no hello-timer restores default timer value. Configure Hello packet overtime timer fail-timer <timer> sending from primary node of MRPP ring, no fail-timer format “no” restores default timer value.
  • Page 373 Display MRPP ring configuration information. Display receiving data packet statistic show mrpp statistics {<ring-id>} information of MRPP ring. Clear receiving data packet statistic clear mrpp statistics {<ring-id>} information of MRPP ring.
  • Page 374: MRPP Typical Scenario

    Switch(Config)#mrpp enable
    Switch(Config)#mrpp ring 4000
    Switch(mrpp-ring-4000)#control-vlan 4000
    Switch(mrpp-ring-4000)#fail-timer 18
    Switch(mrpp-ring-4000)#hello-timer 5
    Switch(mrpp-ring-4000)#node-mode master
    Switch(mrpp-ring-4000)#enable
    Switch(mrpp-ring-4000)#exit
    Switch(Config)#interface ethernet 1/1
    Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
    Switch(config-If-Ethernet1/1)#interface ethernet 1/2
    Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
    Switch(config-If-Ethernet1/2)#exit
    Switch(Config)#
  • Page 375
    Switch(Config)#
    SWITCH D configuration Task Sequence:
    Switch(Config)#mrpp enable
    Switch(Config)#mrpp ring 4000
    Switch(mrpp-ring-4000)#control-vlan 4000
    Switch(mrpp-ring-4000)#enable
    Switch(mrpp-ring-4000)#exit
    Switch(Config)#interface ethernet 1/1
    Switch(config-If-Ethernet1/1)#mrpp ring 4000 primary-port
    Switch(config-If-Ethernet1/1)#interface ethernet 1/2
    Switch(config-If-Ethernet1/2)#mrpp ring 4000 secondary-port
    Switch(config-If-Ethernet1/2)#exit
    Switch(Config)#
  • Page 376: MRPP Troubleshooting

    MRPP, and used show MRPP statistics command to observe states of primary node and transfer node and statistics information is normal or not, and then sends results to our Technology Service Center.
  • Page 377 For keeping the continuance of the flows, the +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 378 After this, when portA1 is recovering the normal state, portA2 forwards the data of VLAN 101- 200 sequentially, but the data of VLAN 1-100 is switched to portA1 to forward. VLAN load balance +7(495) 797-3311 www.qtech.ru Москва, Новозаводская ул., 18, стр. 1...
  • Page 379: Ulpp Configuration Task List

    ulpp flush disable mac
      Enable or disable receiving the flush packets which update the MAC address.
    ulpp flush enable arp
    ulpp flush disable arp
      Enable or disable receiving the flush packets which delete ARP.
  • Page 380
    no debug ulpp error
      Show the error information of ULPP, the no operation disables the showing.
    debug ulpp event
    no debug ulpp event
      Show the event information of ULPP, the no operation disables the showing.
  • Page 381: Ulpp Typical Examples

    Ethernet 1/2 as the slave port, the control VLAN as 10. SwitchB and SwitchC configure the flush packets that receive ULPP.
    SwitchA configuration task list:
    Switch(Config)#vlan 10
    Switch(Config-vlan10)#switchport interface ethernet 1/1; 1/2
    Switch(Config-vlan10)#exit
    Switch(Config)#spanning-tree mst configuration
    Switch(Config-Mstp-Region)#instance 1 vlan 10
    Switch(Config-Mstp-Region)#exit
    Switch(Config)#ulpp group 1
  • Page 382
    Switch(config-If-Ethernet1/1)# ulpp control vlan 10
    SwitchC configuration task list:
    Switch(Config)#vlan 10
    Switch(Config-vlan10)#switchport interface ethernet 1/2
    Switch(Config-vlan10)#exit
    Switch(Config)#interface ethernet 1/2
    Switch(config-If-Ethernet1/2)# ulpp flush enable mac
    Switch(config-If-Ethernet1/2)# ulpp flush enable arp
    Switch(config-If-Ethernet1/2)# ulpp control vlan 10
  • Page 383
    Switch(Config-Mstp-Region)#instance 1 vlan 1-100
    Switch(Config-Mstp-Region)#instance 2 vlan 101-200
    Switch(Config-Mstp-Region)#exit
    Switch(Config)#ulpp group 1
    Switch(ulpp-group-1)#protect vlan-reference-instance 1
    Switch(ulpp-group-1)#preemption mode
    Switch(ulpp-group-1)#exit
    Switch(Config)#ulpp group 2
    Switch(ulpp-group-2)#protect vlan-reference-instance 2
    Switch(ulpp-group-2)#preemption mode
    Switch(ulpp-group-2)#exit
    Switch(Config)#interface ethernet 1/1
    Switch(config-If-Ethernet1/1)#switchport mode trunk
  • Page 384: Ulpp Troubleshooting

    With the normal configuration, if a broadcast storm happens or the communication along the ring is broken, please enable the debug of ULPP, copy 3 minutes of debug information and the configuration information, and send them to our technical service center.
  • Page 385 SwitchD has the problem; both the downlink port B6 and the state of the ULSM group are down. This causes Switch A, on which ULPP is configured, to perform the uplink switchover and avoid dropping data.
  • Page 386: Ulsm Configuration Task List

    <group-id> {uplink | downlink}
    no ulsm group <group-id> {uplink | downlink}
      Configure the uplink/downlink port of the ULSM group; the no command deletes the uplink/downlink port.
    3. Show and debug the relating information of ULSM
  • Page 387 ULPP protocol of Switch A executes the relative operation of the uplink switchover.
    SwitchA configuration task list:
    Switch(Config)#spanning-tree mst configuration
    Switch(Config-Mstp-Region)#instance 1 vlan 1
    Switch(Config-Mstp-Region)#exit
    Switch(Config)#ulpp group 1
    Switch(ulpp-group-1)#protect vlan-reference-instance 1
    Switch(ulpp-group-1)#exit
  • Page 388: Ulsm Troubleshooting

    With the normal configuration, if the downlink port does not respond to the down event of the uplink port, please enable the debug function of ULSM, copy 3 minutes of debug information and the configuration information, and send them to our technical service center.
  • Page 389 1. Specify mirror destination port
    Command / Explanation
    Global mode
    monitor session <session> destination interface <interface-number>
    no monitor session <session> destination interface <interface-number>
      Specifies mirror destination port; the no command deletes mirror destination source port.
  • Page 390: Mirror Examples

    Switch(config)#monitor session 1 source interface ethernet 1/9 tx
    Switch(config)#monitor session 1 source cpu
    Switch(config)#access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
    Switch(config)#monitor session 1 source interface ethernet 1/15 access-list 120 rx
  • Page 391: Device Mirror Troubleshooting

    The mirror destination port cannot be added to an isolate VLAN; otherwise mirroring between VLANs will be affected.
  • Page 392: Sflow Configuration Task List

    [<collector-port>]
    no sflow destination
      As for the ports, if an IP address is configured on the port, the port configuration will be applied; otherwise the global configuration will be applied. The “no sflow destination” command restores to the default
  • Page 393 Port Mode
    sflow rate {input <input-rate> | output <output-rate>}
    no sflow rate [input | output]
      Configure the sampling rate when sFlow performs hardware sampling. The “no” command deletes the rate value.
  • Page 394: Sflow Examples

    Switch (config)#sflow destination 192.168.1.200
    Switch (config)#sflow priority 1
    Switch (config)# interface ethernet1/1
    Switch (Config-If-Ethernet1/1)#sflow rate input 10000
    Switch (Config-If-Ethernet1/1)#sflow rate output 10000
    Switch (Config-If-Ethernet1/1)#sflow counter-interval 20
    Switch (Config-If-Ethernet1/1)#exit
    Switch (config)# interface ethernet1/2
  • Page 395: Sflow Troubleshooting

    If traffic sampling is required, the sampling rate of the interface must be configured.
    If statistic sampling is required, the statistic sampling interval of the interface must be configured.
    If the problem remains unsolved after these checks, please contact the technical service center of our company.
  • Page 396: Introduction To Sntp

    Working Scenario
    Switch implements SNTPv4 and supports SNTP client unicast as described in RFC2030; SNTP client multicast and unicast are not supported, nor is the SNTP server function.
  • Page 397 Example: Assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.1, respectively, and the SNTP/NTP server function (such as NTP master) is enabled; then the configuration for any switch should be like the following:
    Switch#config
    Switch(config)#sntp server 10.1.1.1
  • Page 398: Ntp Function Configuration

    8. To configure some interface can’t receive NTP packets
    9. Display information
    10. Debug
    1. To enable NTP function
    Command / Explanation
    Global Mode
    ntp enable
    ntp disable
      To enable or disable NTP function.
  • Page 399 6. To configure NTP authentication
    Command / Explanation
    Global Mode
    ntp authenticate
    no ntp authenticate
      To enable NTP authentication function.
    ntp authentication-key <key-id> md5 <value>
      To configure authentication key for NTP authentication.
  • Page 400
    [send | receive]
    no debug ntp packets [send | receive]
      To enable debug switch of NTP packet information.
  • Page 401 NTP server at present)
    Switch C:
    Switch(config)#ntp enable
    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ip address 192.168.1.12 255.255.255.0
    Switch(config)#interface vlan 2
    Switch(Config-if-Vlan2)#ip address 192.168.2.12 255.255.255.0
    Switch(config)#ntp server 192.168.1.11
    Switch(config)#ntp server 192.168.2.11
  • Page 402 NTP running information; for any questions, please send the recorded message to the technical service center.
  • Page 403: Summer Time Configuration

    <HH:MM> <week> <day> <month> [<offset>]
    no clock summer-time
      Set recurrent time range of summer time; every year the summer time begins from the start time and ends at the end time.
    58.3 Examples of Summer Time
    Example1:
  • Page 404: Summer Time

    If any problem happens when using summer time, please check whether the problem is caused by the following reasons:
    Check whether the command mode is global mode
    Check whether the system clock is correct
  • Page 405 ICMP TTL timeout message, so as to describe the path the IP data packets traveled to reach the destination. For Traceroute options and explanations of the parameters of the Traceroute command, please refer to the traceroute command chapter in the command manual.
  • Page 406
    show startup-config
      Display the switch parameter configuration written in the Flash Memory at current operation state, which is normally the configuration file applied the next time the switch starts
  • Page 407: System Log

    The log information is classified into four levels of severity, by which the information will be filtered. According to the severity level, the log information can be automatically output to the corresponding log channel.
  • Page 408 So when the severity threshold is set to
  • Page 409: System Log Configuration

    59.7.2 System Log Configuration
    System Log Configuration Task Sequence:
    1. Display and clear log buffer zone
    2. Configure the log host output channel
    3. Enable/disable the log executed-commands
    4. Display the log source
  • Page 410
    logging executed-commands {enable | disable}
      Enable or disable logging executed-commands
    Display the log source
    Command / Description
    Admin and configuration mode
    show logging source mstp
      Show the log information source of MSTP module.
  • Page 411: System Log Configuration Example

    Configuration procedure
    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ipv6 address 3ffe:506::1/64
    Switch(Config-if-Vlan1)#exit
    Switch(config)#logging 3ffe:506::4 facility local7 level critical
  • Page 412 1. Reload switch after specified time
    Command / Explanation
    Admin mode
    reload after {[<HH:MM:SS>] [days <days>]}
      Reload the switch after a specified time period.
    reload cancel
      Cancel the specified time period to reload the switch.
  • Page 413
    name> |all}] [protocol {<protocol-type> |discard |all}][detail]
      Turn on the showing of the CPU receiving or sending packet information.
    no debug driver {receive |send}
      Turn off the showing of the CPU receiving or sending packet information.
  • Page 414
  • Page 415 Function: Configure VTY (login with Telnet and SSH), Web and Console, so as to select the priority of the authentication mode for the login user. The no form command restores the default authentication mode.
